
Cisco 4700 Series Application Control
Engine Appliance Administration Guide
Software Version A3(1.0)
August 2008
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-16198-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
CCDE, CCVP, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We
Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE,
CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the
Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast
Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness
Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy,
Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to
Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the
United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0801R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
Cisco 4700 Series Application Control Engine Appliance Administration Guide
Copyright © 2007-2008 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface xiii
Audience xiv
How to Use This Guide xiv
Related Documentation xvi
Symbols and Conventions xix
Obtaining Documentation, Obtaining Support, and Security Guidelines xx
Open Source License Acknowledgements xxi
OpenSSL/Open SSL Project xxi
License Issues xxi
CHAPTER 1 Setting Up the ACE 1-1
Establishing a Console Connection on the ACE 1-2
Using the Setup Script to Enable Connectivity to the Device Manager 1-3
Connecting and Logging into the ACE 1-7
Changing the Administrative Password 1-9
Recovering the Administrator CLI Account Password 1-10
Assigning a Name to the ACE 1-12
Configuring an ACE Inactivity Timeout 1-12
Configuring a Message-of-the-Day Banner 1-13
Configuring the Time, Date, and Time Zone 1-15
Setting the System Time and Date 1-15
Setting the Time Zone 1-16
Adjusting for Daylight Saving Time 1-19
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-16198-01
iii
Contents
Viewing the System Clock Settings 1-21
Synchronizing the ACE with an NTP Server 1-21
Configuring NTP Server and Peer Associations 1-22
Viewing NTP Statistics and Information 1-23
Clearing NTP Statistics 1-28
Configuring Terminal Settings 1-29
Configuring Terminal Display Attributes 1-29
Configuring Virtual Terminal Line Settings 1-31
Modifying the Boot Configuration 1-33
Setting the Boot Method from the Configuration Register 1-33
Setting the BOOT Environment Variable 1-35
Configuring the ACE to Bypass the Startup Configuration File During the Boot Process 1-36
Displaying the ACE Boot Configuration 1-39
Restarting the ACE 1-39
Shutting Down the ACE 1-40
CHAPTER 2 Enabling Remote Access to the ACE 2-1
Remote Access Configuration Quick Start 2-2
Configuring Remote Network Management Traffic Services 2-4
Creating and Configuring a Remote Management Class Map 2-5
Defining a Class Map Description 2-6
Defining Remote Network Management Protocol Match Criteria 2-7
Creating a Layer 3 and Layer 4 Remote Access Policy Map 2-9
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE 2-9
Defining a Layer 3 and Layer 4 Policy Map Description 2-10
Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy 2-11
Defining Layer 3 and Layer 4 Management Traffic Policy Actions 2-12
Applying a Service Policy 2-13
Configuring Telnet Management Sessions 2-15
Configuring SSH Management Sessions 2-16
Configuring Maximum Number of SSH Sessions 2-16
Generating SSH Host Key Pairs 2-17
Terminating an Active User Session 2-19
Enabling ICMP Messages to the ACE 2-19
Directly Accessing a User Context Through SSH 2-21
Example of a Remote Access Configuration 2-23
Viewing Session Information 2-24
Showing Telnet Session Information 2-24
Showing SSH Session Information 2-25
Showing SSH Key Details 2-26
CHAPTER 3 Managing ACE Software Licenses 3-1
Available ACE Licenses 3-2
Ordering an Upgrade License and Generating a Key 3-6
Copying a License File to the ACE 3-7
Installing a New or Upgrade License File 3-8
Replacing a Demo License with a Permanent License 3-9
Removing a License 3-10
Removing an Appliance Performance Throughput License 3-11
Removing an SSL TPS License 3-11
Removing a Virtualization Context License 3-12
Removing an HTTP Compression Performance License 3-15
Removing the Application Acceleration Software Feature Pack License 3-16
Backing Up a License File 3-16
Displaying License Configurations and Statistics 3-18
CHAPTER 4 Managing the ACE Software 4-1
Saving Configuration Files 4-1
Saving the Configuration File in Flash Memory 4-3
Saving Configuration Files to a Remote Server 4-4
Copying the Configuration File to the disk0: File System 4-5
Merging the Startup-Configuration File with the Running-Configuration File 4-6
Viewing Configuration Files 4-7
Viewing User Context Running-Config Files from the Admin Context 4-10
Clearing the Startup-Configuration File 4-10
Loading Configuration Files from a Remote Server 4-11
Using the File System on the ACE 4-13
Listing the Files in a Directory 4-14
Copying Files 4-15
Copying Files to Another Directory on the ACE 4-16
Copying Licenses 4-16
Copying a Packet Capture Buffer 4-17
Copying Files to a Remote Server 4-18
Copying Files from a Remote Server 4-20
Copying an ACE Software System Image to a Remote Server 4-21
Uncompressing Files in the disk0: File System 4-22
Untarring Files in the disk0: File System 4-23
Creating a New Directory 4-23
Deleting an Existing Directory 4-24
Moving Files 4-24
Deleting Files 4-25
Displaying File Contents 4-26
Saving show Command Output to a File 4-27
Viewing and Copying Core Dumps 4-28
Copying Core Dumps 4-29
Clearing the Core Directory 4-30
Deleting a Core Dump File 4-30
Capturing and Copying Packet Information 4-31
Capturing Packet Information 4-31
Copying Capture Buffer Information 4-35
Viewing Packet Capture Information 4-36
Using the Configuration Checkpoint and Rollback Service 4-40
Overview 4-40
Creating a Configuration Checkpoint 4-41
Deleting a Configuration Checkpoint 4-42
Rolling Back a Running Configuration 4-42
Displaying Checkpoint Information 4-43
Reformatting Flash Memory 4-43
CHAPTER 5 Viewing ACE Hardware and Software Configuration Information 5-1
Displaying Software Version Information 5-2
Displaying Software Copyright Information 5-3
Displaying Hardware Information 5-3
Displaying the Hardware Inventory 5-4
Displaying System Processes 5-5
Displaying Process Status Information and Memory Resource Limits 5-10
Displaying System Information 5-13
Displaying ICMP Statistics 5-15
Displaying Technical Support Information 5-16
CHAPTER 6 Configuring Redundant ACE Appliances 6-1
Overview of Redundancy 6-1
Redundancy Protocol 6-2
Stateful Failover 6-5
FT VLAN 6-6
Configuration Synchronization 6-7
Redundancy State for Software Upgrade or Downgrade 6-8
Configuration Requirements and Restrictions 6-8
Redundancy Configuration Quick Start 6-9
Configuring Redundancy 6-12
Configuring an FT VLAN 6-12
Creating an FT VLAN 6-13
Configuring an FT VLAN IP Address 6-14
Configuring the Peer IP Address 6-15
Enabling the FT VLAN 6-16
Configuring an FT Peer 6-16
Associating the FT VLAN with the Local Peer 6-17
Configuring the Heartbeat Interval and Count 6-17
Configuring a Query Interface 6-19
Configuring an FT Group 6-20
Associating a Context with an FT Group 6-21
Associating a Peer with an FT Group 6-21
Assigning a Priority to the Active FT Group Member 6-22
Assigning a Priority to the Standby FT Group Member 6-22
Configuring Preemption 6-23
Placing an FT Group in Service 6-24
Modifying an FT Group 6-25
Specifying the Peer Hostname 6-25
Specifying the MAC Address Banks for a Shared VLAN 6-25
Forcing a Failover 6-26
Synchronizing Redundant Configurations 6-27
Configuring Tracking and Failure Detection 6-30
Overview of Tracking and Failure Detection 6-30
Configuring Tracking and Failure Detection for a Host or Gateway 6-31
Creating a Tracking and Failure Detection Process for a Host or Gateway 6-32
Configuring the Gateway or Host IP Address Tracked by the Active Member 6-32
Configuring a Probe on the Active Member for Host Tracking 6-33
Configuring a Priority on the Active Member for Multiple Probes 6-34
Configuring the Gateway or Host IP Address Tracked by the Standby Member 6-34
Configuring a Probe on the Standby Member for Host Tracking 6-35
Configuring a Priority on the Standby Member for Multiple Probes 6-35
Example of a Tracking Configuration for a Gateway 6-36
Configuring Tracking and Failure Detection for an Interface 6-37
Creating a Tracking and Failure Detection Process for an Interface 6-37
Configuring the Interface Tracked by the Active Member 6-38
Configuring a Priority for a Tracked Interface on the Active Member 6-38
Configuring the Interface Tracked by the Standby Member 6-39
Configuring a Priority for a Tracked Interface on the Standby Member 6-39
Example of a Tracking Configuration for an Interface 6-40
Example of a Redundancy Configuration 6-40
Displaying Redundancy Information 6-43
Displaying Redundancy Configurations 6-43
Displaying FT Group Information 6-43
Displaying the IDMAP Table 6-49
Displaying the Redundancy Internal Software History 6-50
Displaying Memory Statistics 6-50
Displaying Peer Information 6-50
Displaying FT Statistics 6-55
Displaying FT Tracking Information 6-59
Clearing Redundancy Statistics 6-64
Clearing Transport-Layer Statistics 6-64
Clearing Heartbeat Statistics 6-65
Clearing Tracking-Related Statistics 6-65
Clearing All Redundancy Statistics 6-66
Clearing the Redundancy History 6-66
CHAPTER 7 Configuring SNMP 7-1
SNMP Overview 7-2
Managers and Agents 7-3
SNMP Manager and Agent Communication 7-4
SNMP Traps and Informs 7-5
SNMPv3 CLI User Management and AAA Integration 7-6
CLI and SNMP User Synchronization 7-6
Supported MIBs, Tables, and Notifications 7-7
SNMP Limitations 7-45
SNMP Configuration Quick Start 7-46
Configuring SNMP Users 7-48
Defining SNMP Communities 7-50
Configuring an SNMP Contact 7-52
Configuring an SNMP Location 7-52
Configuring SNMP Notifications 7-53
Configuring SNMP Notification Hosts 7-53
Enabling SNMP Notifications 7-55
Enabling the IETF Standard for SNMP linkUp and linkDown Traps 7-57
Assigning a Trap-Source Interface for SNMP Traps 7-58
Accessing ACE User Context Data Through the Admin Context IP Address 7-59
Accessing User Context Data When Using SNMPv1/v2 7-59
Accessing User Context Data When Using SNMPv3 7-60
Configuring an SNMPv3 Engine ID for an ACE Context 7-60
Configuring SNMP Management Traffic Services 7-62
Creating and Configuring a Layer 3 and Layer 4 Class Map 7-63
Defining a Class Map Description 7-64
Defining SNMP Protocol Match Criteria 7-65
Creating a Layer 3 and Layer 4 Policy Map 7-66
Creating a Layer 3 and Layer 4 Policy Map for SNMP Network Management Traffic Received by the ACE 7-66
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy 7-67
Specifying Layer 3 and Layer 4 Policy Actions 7-68
Applying a Service Policy 7-69
Example of an SNMP Configuration 7-71
Displaying SNMP Statistics 7-74
CHAPTER 8 Configuring the XML Interface 8-1
XML Overview 8-2
XML Usage with the ACE 8-2
HTTP and HTTPS Support with the ACE 8-3
HTTP Return Codes 8-5
Document Type Definition 8-7
Sample XML Configuration 8-9
XML Configuration Quick Start 8-11
Configuring HTTP and HTTPS Management Traffic Services 8-13
Creating and Configuring a Class Map 8-14
Defining a Class Map Description 8-15
Defining HTTP and HTTPS Protocol Match Criteria 8-16
Creating a Layer 3 and Layer 4 Policy Map 8-17
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE 8-18
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy 8-18
Specifying Layer 3 and Layer 4 Policy Actions 8-20
Applying a Service Policy 8-20
Enabling the Display of Raw XML Request show Command Output in XML Format 8-24
Accessing the ACE DTD File 8-27
APPENDIX A Upgrading or Downgrading Your ACE Software A-1
Overview of Upgrading ACE Software A-1
Before You Begin A-2
Changing the Admin Password A-3
Changing the www User Password A-3
Checking Your ft-port vlan Configuration A-3
Checking Your Configuration for FT Priority and Preempt A-4
Creating a Checkpoint A-4
Redundancy State for Software Upgrade or Downgrade A-5
Updating Your Application Protocol Inspection Configurations A-6
Software Upgrade and Downgrade Quick Starts A-8
Copying the Software Upgrade Image to the ACE A-16
Configuring the ACE to Autoboot the Software Image A-18
Setting the Boot Variable A-18
Configuring the Configuration Register to Autoboot the Boot Variable A-19
Verifying the Boot Variable and Configuration Register A-20
Reloading the ACE A-20
Displaying Software Image Information A-21
INDEX
Preface
This guide provides instructions for the administration of the Cisco 4700 Series Application Control Engine (ACE) appliance. It describes how to perform administration tasks on the ACE, including performing the initial setup, establishing remote access, managing software licenses, configuring class maps and policy maps, managing the ACE software, configuring SNMP, configuring redundancy, configuring the XML interface, and upgrading your ACE software.
You can configure the ACE by using the following interfaces:
• The command-line interface (CLI), a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.
• The Device Manager, a Web browser-based graphical user interface (GUI) for configuring, managing, and monitoring the ACE.
This preface contains the following major sections:
• Audience
• How to Use This Guide
• Related Documentation
• Symbols and Conventions
• Obtaining Documentation, Obtaining Support, and Security Guidelines
• Open Source License Acknowledgements
Audience
This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:
• System administrator
• System operator
How to Use This Guide
This guide is organized as follows:

Chapter 1, Setting Up the ACE: Describes how to configure basic settings on the ACE, including topics such as how to connect and log in to the ACE, change the administrative username and password, assign a name to the ACE, configure a message-of-the-day banner, configure the date and time, configure terminal settings, modify the boot configuration, and restart the ACE.

Chapter 2, Enabling Remote Access to the ACE: Describes how to configure remote access to the Cisco 4700 Series Application Control Engine (ACE) appliance by establishing a remote connection using the Secure Shell (SSH) or Telnet protocols. It also describes how to configure the ACE to provide direct access to a user context from SSH, and how to configure the ACE to receive ICMP messages from a host.

Chapter 3, Managing ACE Software Licenses: Describes how to manage the software licenses for your ACE.

Chapter 4, Managing the ACE Software: Describes how to save and download configuration files, use the file system, view and copy core dumps, capture and copy packet information, use the configuration checkpoint and rollback service, display configuration information, and display technical support information.

Chapter 5, Viewing ACE Hardware and Software Configuration Information: Describes how to display ACE hardware and software configuration information, and display technical support information.

Chapter 6, Configuring Redundant ACE Appliances: Describes how to configure the ACE for redundancy, which provides fault tolerance for the stateful failover of flows.

Chapter 7, Configuring SNMP: Describes how to configure Simple Network Management Protocol (SNMP) to query the ACE for Cisco Management Information Bases (MIBs) and to send event notifications to a network management system (NMS).

Chapter 8, Configuring the XML Interface: Describes how to provide a mechanism using XML to transfer, configure, and monitor objects in the ACE. This XML capability allows you to shape or extend the CLI query and reply data in XML format to meet specific business needs.

Appendix A, Upgrading or Downgrading Your ACE Software: Describes how to upgrade or downgrade the software on your ACE.
Related Documentation
In addition to this document, the ACE documentation set includes the following:

Release Note for the Cisco 4700 Series Application Control Engine Appliance: Provides information about operating considerations, caveats, and command-line interface (CLI) commands for the ACE.

Cisco Application Control Engine Appliance Hardware Installation Guide: Provides information for installing the ACE appliance.

Regulatory Compliance and Safety Information for the Cisco Application Control Engine Appliance: Provides regulatory compliance and safety information for the ACE appliance.

Cisco 4700 Series Application Control Engine Appliance Quick Start Guide: Describes how to use the ACE appliance Device Manager and CLI to perform the initial setup and VIP load-balancing configuration tasks.

Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide: Describes how to operate your ACE in a single context or in multiple contexts.

Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide: Describes how to perform the following routing and bridging tasks on the ACE:
• Configuring Ethernet ports
• Configuring VLAN interfaces
• Configuring routing
• Configuring bridging
• Configuring Dynamic Host Configuration Protocol (DHCP)

Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide: Describes how to configure the following server load-balancing tasks on the ACE:
• Real servers and server farms
• Class maps and policy maps to load-balance traffic to real servers in server farms
• Server health monitoring (probes)
• Stickiness
• Firewall load balancing
• TCL scripts

Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide: Describes the configuration of the application acceleration and optimization features of the ACE. It also provides an overview and description of those features.

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide: Describes how to perform the following ACE security configuration tasks:
• Security access control lists (ACLs)
• User authentication and accounting using a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server
• Application protocol and HTTP deep packet inspection
• TCP/IP normalization and termination parameters
• Network address translation (NAT)

Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide: Describes how to configure the following Secure Sockets Layer (SSL) tasks on the ACE:
• SSL certificates and keys
• SSL initiation
• SSL termination
• End-to-end SSL

Cisco 4700 Series Application Control Engine Appliance System Message Guide: Describes how to configure system message logging on the ACE. This guide also lists and describes the system log (syslog) messages generated by the ACE.

Cisco 4700 Series Application Control Engine Appliance Command Reference: Provides an alphabetical list and descriptions of all CLI commands by mode, including syntax, options, and related commands.

Cisco 4700 Series Application Control Engine Appliance Device Manager Configuration Guide: Describes how to use the Device Manager GUI, which resides in flash memory on the ACE, to provide a browser-based interface for configuring and managing the appliance.

Cisco CSS-to-ACE Conversion Tool User Guide: Describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services Switches (CSS) running-configuration or startup-configuration files to the ACE.
Symbols and Conventions
This publication uses the following conventions:

boldface font: Commands, command options, and keywords are in boldface. Bold text also indicates a command in a paragraph.

italic font: Arguments for which you supply values are in italics. Italic text also indicates the first occurrence of a new term, a book title, or emphasized text.

{ }: Encloses required arguments and keywords.

[ ]: Encloses optional arguments and keywords.

{x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars.

[x | y | z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.

string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

screen font: Terminal sessions and information the system displays are in screen font.

boldface screen font: Information you must enter in a command line is in boldface screen font.

italic screen font: Arguments for which you supply values are in italic screen font.

^: The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.

< >: Nonprinting characters, such as passwords, are in angle brackets.
Notes use the following conventions:
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Cautions use the following conventions:
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Warnings use the following conventions:
Warning: Means possible physical harm or equipment damage. A warning describes an action that could cause you physical harm or damage the equipment.
For additional information about CLI syntax formatting, see the Cisco 4700
Series Application Control Engine Appliance Command Reference.
Obtaining Documentation, Obtaining Support, and
Security Guidelines
For information on obtaining documentation, obtaining support, providing
documentation feedback, security guidelines, and also recommended aliases and
general Cisco documents, see the monthly What’s New in Cisco Product
Documentation, which also lists all new and revised Cisco technical
documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Open Source License Acknowledgements
The following acknowledgements pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the
OpenSSL License and the original SSLeay license apply to the toolkit. See below
for the actual license texts. Actually both licenses are BSD-style Open Source
licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
© 1998-1999 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND
ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim Hudson
(tjh@cryptsoft.com).
Original SSLeay License:
© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young
(eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the
following conditions are adhered to. The following conditions apply to all code
found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the
SSL code. The SSL documentation included with this distribution is covered by
the same copyright terms except that the holder is Tim Hudson
(tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code
are not to be removed. If this package is used in a product, Eric Young should be
given attribution as the author of the parts of the library used. This can be in the
form of a textual message at program startup or in documentation (online or
textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must
display the following acknowledgement:
“This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being
used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the
apps directory (application code) you must include an acknowledgement:
“This product includes software written by Tim Hudson
(tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative
of this code cannot be changed. i.e. this code cannot simply be copied and put
under another distribution license [including the GNU Public License].
Chapter 1
Setting Up the ACE
This chapter describes how to initially configure basic settings on the Cisco 4700
Series Application Control Engine (ACE) appliance. It includes the following
major sections:
• Establishing a Console Connection on the ACE
• Using the Setup Script to Enable Connectivity to the Device Manager
• Connecting and Logging into the ACE
• Changing the Administrative Password
• Assigning a Name to the ACE
• Configuring an ACE Inactivity Timeout
• Configuring a Message-of-the-Day Banner
• Configuring the Time, Date, and Time Zone
• Synchronizing the ACE with an NTP Server
• Configuring Terminal Settings
• Modifying the Boot Configuration
• Restarting the ACE
• Shutting Down the ACE
For details on configuring the GigabitEthernet ports, assigning VLANs to the
ACE, configuring VLAN interfaces on the ACE, and configuring a default or
static route on the ACE, see the Cisco 4700 Series Application Control Engine
Appliance Routing and Bridging Configuration Guide.
Establishing a Console Connection on the ACE
You establish a direct serial connection between your terminal or a PC and the
ACE by making a serial connection to the console port on the rear panel of the
ACE. The ACE has one standard RS-232 serial port found on the rear panel that
operates as the console port. The integrated serial port uses a 9-pin male D-shell
connector. Use a straight-through cable with a null modem to connect the ACE to
a DTE device, such as a terminal or a PC. For instructions on connecting a console
cable to your ACE appliance, see the Cisco Application Control Engine Appliance
Hardware Installation Guide.
Any device connected to this port must be capable of asynchronous transmission.
Connection requires a terminal configured as 9600 baud, 8 data bits, hardware
flow control on, 1 stop bit, no parity.
Note
Only the Admin context is accessible through the console port; all other contexts
can be reached through Telnet or SSH sessions.
Once connected, use any terminal communications application to access the ACE
CLI. The following procedure uses HyperTerminal for Windows.
To access the ACE by using a direct serial connection, perform the following
steps:
Step 1 Launch HyperTerminal. The Connection Description window appears.
Step 2 Enter a name for your session in the Name field.
Step 3 Click OK. The Connect To window appears.
Step 4 From the drop-down list, choose the COM port to which the device is connected.
Step 5 Click OK. The Port Properties window appears.
Step 6 Set the port properties as follows:
• Baud Rate = 9600
• Data Bits = 8
• Hardware Flow Control = On
• Parity = none
• Stop Bits = 1
Step 7 Click OK to connect.
Step 8 Press Enter to access the CLI prompt.
switch login:
Once a session is created, choose Save As from the File menu to save the
connection description. Saving the connection description has the following two
advantages:
• The next time that you launch HyperTerminal, the session is listed as an
option under Start > Programs > Accessories > HyperTerminal >
Name_of_session. This option lets you reach the CLI prompt directly
without going through the configuration steps.
• You can connect your cable to a different device without configuring a new
HyperTerminal session. If you use this option, make sure that you connect to
the same port on the new device as was configured in the saved
HyperTerminal session. Otherwise, a blank screen appears without a prompt.
Using the Setup Script to Enable Connectivity to the Device Manager
When you boot the ACE for the first time and the appliance does not detect a
startup-configuration file, a setup script appears to guide you through the process
of configuring a management VLAN on the ACE through one of its Gigabit
Ethernet ports. The primary intent of the setup script is to simplify connectivity
to the Device Manager GUI (as described in the Cisco 4700 Series Application
Control Engine Appliance Device Manager GUI Quick Configuration Guide).
After you specify a gigabit Ethernet port, port mode, and a management VLAN,
the setup script automatically applies the following default configuration:
• Management VLAN allocated to the specified Ethernet port.
• VLAN 1000 assigned as the management VLAN interface.
• GigabitEthernet port mode configured as VLAN access port.
• Extended IP access list that allows IP traffic originating from any other host
addresses.
• Traffic classification (class map and policy map) created for management
protocols HTTP, HTTPS, ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is
dedicated for connectivity with the Device Manager GUI.
• VLAN interface configured on the ACE and a policy map assigned to the
VLAN interface.
The ACE provides a default answer in brackets [ ] for each question in the setup
script. To accept a default configuration prompt, press Enter, and the ACE
accepts the setting. To skip the remaining configuration prompts, press Ctrl-C
any time during the configuration sequence.
Note
The script configuration process described in this section is identical to the script
configuration process performed using the setup CLI command.
To configure the ACE from the setup script, perform the following steps:
Step 1 Ensure that you have established a direct serial connection between your terminal
or a PC and the ACE (see the “Establishing a Console Connection on the ACE”
section).
Step 2 Press the power button on the front of the ACE and the boot process occurs. See
the Cisco Application Control Engine Appliance Hardware Installation Guide for
details.
Step 3 At the login prompt, log into the ACE by entering the login username and
password. By default, the username and password are admin. For example, enter:
Starting sysmgr processes.. Please wait...Done!!!
switch login: admin
Password: admin
Step 4 At the prompt “Enter the password for "admin":”, change the default Admin
password. If you do not change the default Admin password, after you upgrade
the ACE software you will only be able to log in to the ACE through the console
port.
Enter the new password for "admin": xxxxx
Confirm the new password for "admin": xxxxx
admin user password successfully changed.
Step 5 At the prompt “Enter the password for "www":”, change the default www user
password. If you do not change the default www user password, the www user will be
disabled and you will not be able to use Extensible Markup Language (XML) to
remotely configure an ACE until you change the default www user password.
Enter the new password for "www": xxxxx
Confirm the new password for "www": xxxxx
www user password successfully changed.
Step 6 At the prompt “Would you like to enter the basic configuration dialog? (yes/no):”,
type yes to continue the setup (or type no to bypass the setup script and go
directly to the CLI).
Step 7 At the prompt “Enter the Ethernet port number to be used as the management port
(1-4):? [1]:”, specify the Ethernet port that you want to use to access the Device
Manager GUI. Valid entries are 1 through 4. The default is Ethernet port 1. Press
Enter.
Step 8 At the prompt “Enter the management port IP Address (n.n.n.n): [192.168.1.10]:”,
assign an IP address to the management VLAN interface. When you assign an IP
address to a VLAN interface, the ACE automatically makes it a routed mode
interface. Press Enter.
Step 9 At the prompt “Enter the management port Netmask(n.n.n.n): [255.255.255.0]:”,
assign a subnet mask to the management VLAN interface. Press Enter.
Step 10 At the prompt “Enter the default route next hop IP Address (n.n.n.n) or <enter>
to skip this step:”, choose whether to assign the IP address of the gateway router
(the next-hop address for this route). To assign one, enter the IP address of the
default gateway; it must be in the same network as the IP address that you
specified for the VLAN interface. Press Enter.
Step 11 After you configure the Ethernet port, the setup script displays a summary of
the entered values:
Management Port: 3
Ip address 12.3.4.5
Netmask: 255.255.255.0
Default Route: 23.4.5.6
Step 12 At the prompt “Submit the configuration including security settings to the ACE
Appliance? (yes/no/details): [y]:”, enter one of the following replies:
• Type y to apply the appropriate configuration and save the
running-configuration to the startup-configuration file. This is the default.
• Type n to bypass applying the configuration and saving the
running-configuration to the startup-configuration file.
• Type d to view a detailed summary of the entered configuration values before
you apply those configuration values to the ACE.
Step 13 If you select d, the configuration summary appears:
interface gigabitEthernet 1/3
  switchport access vlan 1000
  no shut
access-list ALL extended permit ip any any
class-map type management match-any remote_access
  match protocol xml-https any
  match protocol dm-telnet any
  match protocol icmp any
  match protocol telnet any
  match protocol ssh any
  match protocol http any
  match protocol https any
  match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 1000
  ip address 192.168.1.10 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
ssh key rsa
ip route 0.0.0.0 0.0.0.0 172.16.2.1
The prompt “Submit the configuration including security settings to the ACE
Appliance? (yes/no/details): [y]:” reappears. Enter one of the following replies:
• Type y to apply the appropriate configuration and save the
running-configuration to the startup-configuration file. This is the default.
• Type n to bypass applying the configuration and saving the
running-configuration to the startup-configuration file.
Step 14 When you select y, the following message appears:
Configuration successfully applied. You can now manage this ACE
Appliance by entering the url 'https://192.168.1.10' into a web
browser to access the Device Manager GUI.
Connecting and Logging into the ACE
This section describes how to connect to the ACE as the default user from the ACE
console port. Once you connect to the ACE as the default user, you can then log
in and enter the configuration mode to configure the ACE. Only the Admin
context is accessible through the console port; all other contexts can be reached
through a Telnet or SSH remote access session.
The ACE creates the following default users at startup: admin, dm, and www.
• The admin user is the global administrator and cannot be deleted.
• The dm user is for accessing the Device Manager GUI and cannot be deleted.
The dm user is an internal user required by the Device Manager GUI; it is
hidden on the ACE CLI.
Note
Do not modify the dm user password from the ACE CLI. If the password
is changed, the Device Manager GUI will become inoperative. If this
occurs, restart the Device Manager using the dm reload command (you
must be the global administrator to access the dm reload command). Note
that restarting the Device Manager does not impact ACE functionality;
however, it may take a few minutes for the Device Manager to reinitialize
as it reads the ACE CLI configuration.
• The www user is used by the ACE for the XML interface and cannot be
deleted.
Later, when you configure interfaces and IP addresses on the ACE itself, you can
remotely access the ACE CLI through an ACE interface by using a Telnet or SSH
session. To configure remote access to the ACE CLI, see Chapter 2, Enabling
Remote Access to the ACE. For details on configuring interfaces on the ACE, see
the Cisco 4700 Series Application Control Engine Appliance Routing and
Bridging Configuration Guide.
You can configure the ACE to provide a higher level of security for users
accessing the ACE. For information about configuring user authentication for
login access, see the Cisco 4700 Series Application Control Engine Appliance
Security Configuration Guide.
To connect to the ACE and access configuration mode to perform initial
configuration, perform the following steps:
Step 1 To access the ACE directly through its console port, attach a terminal to the
asynchronous RS-232 serial port on the rear panel of the ACE. The ACE has one
standard RS-232 serial port found on the rear panel that operates as the console
port. Any device connected to this port must be capable of asynchronous
transmission. Connection requires a terminal configured as 9600 baud, 8 data bits,
hardware flow control on, 1 stop bit, no parity. See the “Establishing a Console
Connection on the ACE” section.
Step 2 Log into the ACE by entering the login username and password at the following
prompt:
switch login: admin
Password: admin
By default, both the username and password are admin.
The prompt changes to the following:
switch/Admin#
Change the default admin login password (see the “Changing the Administrative
Password” section).
Note
When you boot the ACE for the first time and the appliance does not
detect a startup-configuration file, a setup script appears to enable
connectivity to the ACE Device Manager GUI. The start-up script is not
intended for use with the CLI. Select no to skip the use of the setup script
and proceed directly to the CLI. See the “Using the Setup Script to Enable
Connectivity to the Device Manager” section for details.
Step 3 To access configuration mode, enter the following command:
switch/Admin# configure
Enter configuration commands, one per line. End with CNTL/Z
The prompt changes to the following:
switch/Admin(config)#
Changing the Administrative Password
During the initial login process to the ACE, you enter the default user name
admin and the default password admin in lowercase text. You cannot modify or
delete the default administrative username; however, for security reasons, you
should change the administrative password. If you do not change the
administrative password, security on your ACE can be compromised because the
administrative password is configured to be the same for every ACE shipped from
Cisco Systems.
The administrative username and password are stored in Flash memory. Each time
that you reboot the ACE, it reads the username and password from Flash memory.
Global administrative status is assigned to the administrative username by default.
Note
For users that you create in the Admin context, the default scope of access is for
the entire ACE. If you do not assign a user role to a new user, the default user role
is Network-Monitor. For users that you create in other contexts, the default scope
of access is the entire context. To verify the account and permission for each user,
use the show user-account Exec command. For details on contexts, user roles,
and domains, see the Cisco 4700 Series Application Control Engine Appliance
Virtualization Configuration Guide.
To change the default administrative password, use the username command in
configuration mode. The syntax of this command is as follows:
username admin [password [0 | 5] {password}]
The keywords, arguments, and options are:
• admin—Specifies the default administrative user name.
• password—(Optional) Keyword that indicates that a password follows.
• 0—(Optional) Specifies a clear text password.
• 5—(Optional) Specifies an MD5-hashed strong encryption password.
• password—The password in clear text, encrypted text, or MD5 strong
encryption, depending on the numbered option (0 or 5) that you enter. If you
do not enter a numbered option, the password is in clear text by default. Enter
a password as an unquoted text string with a maximum of 64 characters.
Note
If you specify an MD5-hashed strong encryption password, the ACE
considers a password to be weak if it is less than eight characters in
length.
The ACE supports the following special characters in a password:
,./=+-^@!%~#$*()
Note that the ACE encrypts clear text passwords in the running-config.
For example, to create a user named user1 that uses the clear text password
mysecret_801, enter the following command:
switch/Admin(config)# username user1 password 0 mysecret_801
To remove the username from the configuration, enter the following command:
switch/Admin(config)# no username user1
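The username command grammar and password limits described above, modelled as an added Python example (not Cisco's code): it parses the command, applies the 64-character limit and the documented special-character set, and flags passwords shorter than eight characters as weak. Treating the underscore in the guide's own example as an allowed character, and applying the eight-character threshold to clear-text input, are this example's assumptions.

```python
"""Checker for the ACE 'username' command and its password rules.

Added example, not Cisco's code. It models only what the guide states:
'username name [password [0 | 5] {password}]', the 'no' form, a maximum
of 64 characters, the special characters ,./=+-^@!%~#$*() and a weak
flag for passwords shorter than eight characters.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Documented special characters; '_' is added because the guide's own
# example (mysecret_801) uses it (assumption).
ALLOWED_SPECIAL = set(",./=+-^@!%~#$*()_")
MAX_PASSWORD_LEN = 64
WEAK_BELOW = 8  # guide's threshold; applied here to clear text (assumption)


@dataclass
class UsernameCommand:
    name: str
    negate: bool = False            # 'no username <name>'
    encoding: int = 0               # 0 = clear text (default), 5 = MD5 hash
    password: Optional[str] = None
    weak: bool = False
    problems: List[str] = field(default_factory=list)


def check_password(pw: str) -> List[str]:
    """Return the rule violations for a clear-text password (empty if none)."""
    problems = []
    if len(pw) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    bad = sorted({c for c in pw if not (c.isalnum() or c in ALLOWED_SPECIAL)})
    if bad:
        problems.append("unsupported characters: " + "".join(bad))
    return problems


def parse_username(line: str) -> UsernameCommand:
    """Parse 'username name [password [0|5] pw]' or 'no username name'."""
    tokens = line.strip().split()
    negate = tokens[:1] == ["no"]
    if negate:
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] != "username":
        raise ValueError(f"not a username command: {line!r}")
    cmd = UsernameCommand(name=tokens[1], negate=negate)
    rest = tokens[2:]
    if negate:
        if rest:
            raise ValueError("'no username' takes only the user name")
        if cmd.name == "admin":
            cmd.problems.append("the default admin user cannot be deleted")
        return cmd
    if not rest:
        return cmd                  # user created without a password
    if rest[0] != "password":
        raise ValueError(f"unexpected token {rest[0]!r}")
    rest = rest[1:]
    if rest and rest[0] in ("0", "5"):
        cmd.encoding = int(rest[0])
        rest = rest[1:]
    if len(rest) != 1:
        raise ValueError("expected exactly one unquoted password string")
    cmd.password = rest[0]
    if cmd.encoding == 0:           # a '5' argument is already a hash
        cmd.problems = check_password(cmd.password)
        cmd.weak = len(cmd.password) < WEAK_BELOW
    return cmd
```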
Recovering the Administrator CLI Account Password
If you forget the password for the ACE administrator account and cannot access
the ACE, you can recover the admin password during the initial bootup sequence
of the ACE. You must have access to the ACE through the console port to be able
to reset the password for the Admin user back to the factory-default value of
admin.
Note
Only the Admin context is accessible through the console port.
To reset the password that allows the Admin user access to the ACE, perform the
following steps:
Step 1 Connect to the console port on the ACE.
Step 2 Log in to the ACE. See the “Connecting and Logging into the ACE” section.
Step 3 Reboot the ACE. See the “Restarting the ACE” section.
Step 4 During the bootup process, output appears on the console terminal. Press ESC
when the “Starting services...” message appears on the terminal (see the example
below). The setup mode appears. If you miss the time window, wait for the ACE
to properly complete booting, reboot the ACE, and try again to access the setup
mode by pressing ESC.
Daughter Card Found. Continuing...
INIT: Entering runlevel: 3
Testing PCI path ....
This may take some time, Please wait ....
PCI test loop , count 0
PCI path is ready
Starting services... <<<<< Press ESC when you see this message
Entering setup sequence...
Reset Admin password [y/n] (default: n): y
Resetting admin password to factory default...
.
Starting sysmgr processes.. Please wait...Done!!!
switch login:
Step 5 The setup mode prompts if you want to reset the admin password. Enter y. The
“Resetting admin password to factory default” message appears. The ACE deletes
the admin user password configuration from the startup-configuration and resets
the password back to the factory default value of admin.
The boot process continues as normal and you are able to enter the admin
password at the login prompt.
Assigning a Name to the ACE
The hostname is used to identify the ACE and for the command-line prompts. If
you establish sessions to multiple devices, the hostname helps you track where
you enter commands. By default, the hostname for the ACE is “switch.” To
specify a hostname for the ACE, use the hostname configuration mode command.
To specify a hostname for the peer ACE in a redundant configuration, use the peer
hostname command.
The syntax of this command is as follows:
hostname name
The name argument specifies a new hostname for the ACE. Enter a case-sensitive
text string that contains from 1 to 32 alphanumeric characters.
For example, to change the hostname of the ACE from switch to ACE_1, enter the
following command:
switch/Admin(config)# hostname ACE_1
ACE_1/Admin(config)#
Configuring an ACE Inactivity Timeout
By default, the inactivity timeout value is 5 minutes. You can modify the length
of time that can occur before the ACE automatically logs off an inactive user by
using the login timeout command in configuration mode. This command
specifies the length of time that a user session can be idle before the ACE
terminates the console, Telnet, or SSH session.
Note
The login timeout command setting overrides the terminal session-timeout
setting (see the “Configuring Terminal Display Attributes” section).
The syntax for the login timeout command is as follows:
login timeout minutes
The minutes argument specifies the length of time that a user can be idle before
the ACE terminates the session. Valid entries are from 0 to 60 minutes. A value
of 0 instructs the ACE never to time out the session. The default is 5 minutes.
For example, to specify a timeout period of 10 minutes, enter the following
command:
host1/Admin(config)# login timeout 10
To restore the default timeout value of 5 minutes, enter the following command:
host1/Admin(config)# no login timeout
To display the configured login time value, use the show login timeout command
in Exec mode. For example, enter the following command:
host1/Admin# show login timeout
Login Timeout 10 minutes.
Configuring a Message-of-the-Day Banner
You can configure a message in configuration mode to display as the
message-of-the-day banner when a user connects to the ACE. Once connected to
the ACE, the message-of-the-day banner appears, followed by the login banner
and Exec mode prompt.
The syntax of this command is as follows:
banner motd text
The text argument is a line of message text to be displayed as the
message-of-the-day banner. The text string consists of all characters following the
first space until the end of the line (carriage return or line feed).
Note
If you connect to the ACE by using an SSH version 1 remote access session, the
message-of-the-day banner is not displayed.
The pound (#) character functions as the delimiting character for each line. For
the banner text, spaces are allowed but tabs cannot be entered at the CLI. To
instruct the ACE to display multiple lines in a message-of-the-day banner, enter
a new banner motd command for each line that you wish to add.
The banner message is a maximum of 80 characters per line, up to a maximum of
3000 characters (3000 bytes) total for a message-of-the-day banner. This
maximum value includes all line feeds and the last delimiting character in the
message.
To add multiple lines in a message-of-the-day banner, precede each line by using
the banner motd command. The ACE appends each line to the end of the existing
banner. If the text is empty, the ACE adds a carriage return (CR) to the banner.
You can include tokens in the form $(token) in the message text. Tokens will be
replaced with the corresponding configuration variable. For example:
• $(hostname)—Displays the hostname for the ACE during run time.
• $(line)—Displays the tty (teletypewriter) line or name (for example,
"/dev/console", "/dev/pts/0", or "1").
To use the $(hostname) in single line banner motd input, you must include double
quotes (") around the $(hostname) so that the $ is interpreted as a special character
at the beginning of a variable in the single line. For example:
switch/Admin(config)# banner motd #Welcome to "$(hostname)"...#
Do not use the double quote character (") or the percent sign character (%) as a
delimiting character in a single line message string.
For multi-line input, double quotes (") are not required for the token because the
input mode is different from the single line mode. When you operate in multi-line
mode, the ACE interprets the double quote character (") literally. The following
example shows how to span multiple lines and uses tokens to configure the banner
message:
switch/Admin(config)# banner motd #
Enter TEXT message. End with the character '#'.
================================
Welcome to Admin Context
-------------------------------
Hostname: $(hostname)
Tty Line: $(line)
=================================
#
To replace a banner or a line in a multi-line banner, use the no banner motd command
before adding the new lines.
To display the configured banner message, use the show banner motd command
in Exec mode as follows:
host1/Admin# show banner motd
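The banner motd input rules from this section, modelled as an added Python example (not Cisco's code): single-line and multi-line entry, the delimiter restrictions, the per-line and total size limits, line appending, and token expansion at display time. The rendering behaviour for an unquoted token in single-line mode (kept literal) is this example's assumption.

```python
"""Model of the 'banner motd' input rules described in this section.

Added example, not Cisco's code. It applies the rules from the guide:
'#' delimits the text, '"' and '%' are rejected as delimiters, every
'banner motd' line is appended to the existing banner (an empty text
adds a carriage return), lines are limited to 80 characters and the
whole banner to 3000 bytes, tabs are rejected, and $(hostname) and
$(line) are expanded when the banner is displayed. In single-line mode
only a double-quoted token is expanded (an unquoted one is kept literal,
an assumption); in multi-line mode quotes are literal and bare tokens expand.
"""
import re
from typing import List, Tuple

MAX_LINE_CHARS = 80
MAX_TOTAL_BYTES = 3000
BARE_TOKEN = re.compile(r"\$\((hostname|line)\)")
QUOTED_TOKEN = re.compile(r'"\$\((hostname|line)\)"')

Segment = Tuple[str, str]  # ("lit", text) or ("tok", token name)


class BannerError(ValueError):
    pass


def _segments(text: str, quoted_only: bool) -> List[Segment]:
    """Split typed text into literal runs and recognised tokens."""
    pat = QUOTED_TOKEN if quoted_only else BARE_TOKEN
    segs, pos = [], 0
    for m in pat.finditer(text):
        if m.start() > pos:
            segs.append(("lit", text[pos:m.start()]))
        segs.append(("tok", m.group(1)))
        pos = m.end()
    if pos < len(text):
        segs.append(("lit", text[pos:]))
    return segs


class MotdBanner:
    def __init__(self) -> None:
        self.raw: List[str] = []              # text as typed, for size checks
        self.lines: List[List[Segment]] = []  # parsed form, for rendering

    def _append(self, text: str, quoted_only: bool) -> None:
        if len(text) > MAX_LINE_CHARS:
            raise BannerError(f"line exceeds {MAX_LINE_CHARS} characters")
        if "\t" in text:
            raise BannerError("tabs cannot be entered at the CLI")
        # The 3000-byte total counts every line feed and the final delimiter.
        total = sum(len(t.encode()) + 1 for t in self.raw + [text]) + 1
        if total > MAX_TOTAL_BYTES:
            raise BannerError(f"banner exceeds {MAX_TOTAL_BYTES} bytes")
        self.raw.append(text)
        self.lines.append(_segments(text, quoted_only))

    def single_line(self, command: str) -> None:
        """Handle 'banner motd <d>text<d>' typed on one line."""
        m = re.fullmatch(r"banner motd (\S)(.*)", command.strip())
        if not m:
            raise BannerError("expected: banner motd #text#")
        delim, body = m.group(1), m.group(2)
        if delim in '"%':
            raise BannerError(f"{delim!r} may not be used as a delimiter")
        if not body:
            raise BannerError("text continues on following lines; use multi_line()")
        if not body.endswith(delim):
            raise BannerError("missing closing delimiter")
        self._append(body[:-1], quoted_only=True)

    def multi_line(self, typed: List[str]) -> None:
        """Handle the lines typed after 'banner motd #' until a '#' ends input."""
        for line in typed:
            if "#" in line:
                head = line.split("#", 1)[0]
                if head:
                    self._append(head, quoted_only=False)
                return
            self._append(line, quoted_only=False)
        raise BannerError("input not terminated with '#'")

    def clear(self) -> None:
        """'no banner motd': remove the banner before adding new lines."""
        self.raw, self.lines = [], []

    def render(self, hostname: str, line: str) -> str:
        """Expand the tokens the way the ACE does when a user connects."""
        values = {"hostname": hostname, "line": line}
        return "\n".join(
            "".join(v if k == "lit" else values[v] for k, v in segs)
            for segs in self.lines)
```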
Configuring the Time, Date, and Time Zone
To manually configure the date, time, and time zone settings for an ACE, use the
clock command.
You can automatically set the date and time of the ACE by synchronizing to a
Network Time Protocol (NTP) server. For details, see the “Synchronizing the
ACE with an NTP Server” section.
This section includes the following topics:
• Setting the System Time and Date
• Setting the Time Zone
• Adjusting for Daylight Saving Time
• Viewing the System Clock Settings
Setting the System Time and Date
To set the time and the date for an ACE, use the clock set command in Exec mode.
When you enter this command, the ACE displays the current configured date and
time.
The syntax of this command is as follows:
clock set hh:mm:ss DD MONTH YYYY
The arguments are:
• hh:mm:ss—Current time to which the ACE clock is being reset. Specify two
digits for the hours, minutes, and seconds.
• DD MONTH YYYY—Current date to which the ACE clock is being reset.
Specify one or two digits for the day, the full name of the month, and four
digits for the year. The following month names are recognized: January,
February, March, April, May, June, July, August, September, October,
November, and December.
For example, to specify a time of 1:38:30 and a date of August 1, 2008, enter:
host1/Admin# clock set 01:38:30 1 August 2008
Fri Aug 1 01:38:30 PST 2008
Follow these guidelines when you use NTP to automatically configure the ACE
system clock:
• If you wish to use the Network Time Protocol (NTP) to automatically
synchronize the ACE system clock to an authoritative time server (such as a
radio clock or an atomic clock), see the “Synchronizing the ACE with an NTP
Server” section. In this case, the NTP time server automatically sets the ACE
system clock.
• If you previously configured NTP on an ACE, the ACE prevents you from
using the clock set command and displays an error message. To manually set
the ACE system clock, remove the NTP peer and NTP server from the
configuration before setting the clock on an ACE. See the “Synchronizing the
ACE with an NTP Server” section for more information.
Setting the Time Zone
To set the time zone for the ACE, use the clock timezone command in
configuration mode. The ACE keeps time internally in Coordinated Universal
Time (UTC); the time zone is configured as an offset from UTC.
The syntax of this command is as follows:
clock timezone {zone_name {+ | –} hours minutes} | {standard timezone}
The keywords, arguments, and options are:
• zone_name—Eight-character name of the time zone (for example, PDT) to be
displayed when the time zone is in effect. Table 1-1 lists the common time
zone acronyms used for the zone_name argument.
• {+ | –} hours—Hours offset from UTC (plus or minus).
• minutes—Minutes offset from UTC. The range is from 0 to 59 minutes.
• standard timezone—Displays a list of well-known time zones that include an
applicable UTC hours offset. Available choices are as follows:
– ACST—Australian Central Standard Time as UTC +9.5 hours
– AKST—Alaska Standard Time as UTC –9 hours
– AST—Atlantic Standard Time as UTC –4 hours
– BST—British Summer Time as UTC +1 hour
– CEST—Central Europe Summer Time as UTC +2 hours
– CET—Central Europe Time as UTC +1 hour
– CST—Central Standard Time as UTC –6 hours
– EEST—Eastern Europe Summer Time as UTC +3 hours
– EET—Eastern Europe Time as UTC +2 hours
– EST—Eastern Standard Time as UTC –5 hours
– GMT—Greenwich Mean Time as UTC
– HST—Hawaiian Standard Time as UTC –10 hours
– IST—Irish Summer Time as UTC +1 hour
– MSD—Moscow Summer Time as UTC +4 hours
– MSK—Moscow Time as UTC +3 hours
– MST—Mountain Standard Time as UTC –7 hours
– PST—Pacific Standard Time as UTC –8 hours
– WEST—Western Europe Summer Time as UTC +1 hour
– WST—Western Standard Time as UTC +8 hours
Table 1-1 lists the common time zone acronyms that you can specify for the
zone_name argument.
Table 1-1   Common Time Zone Acronyms
Acronym   Time Zone Name and UTC Offset
Europe
BST       British Summer Time, as UTC +1 hour
CET       Central Europe Time, as UTC +1 hour
CEST      Central Europe Summer Time, as UTC +2 hours
EET       Eastern Europe Time, as UTC +2 hours
EEST      Eastern Europe Summer Time, as UTC +3 hours
GMT       Greenwich Mean Time, as UTC
IST       Irish Summer Time, as UTC +1 hour
MSD       Moscow Summer Time, as UTC +4 hours
MSK       Moscow Time, as UTC +3 hours
WET       Western Europe Time, as UTC
WEST      Western Europe Summer Time, as UTC +1 hour
United States and Canada
AST       Atlantic Standard Time, as UTC –4 hours
ADT       Atlantic Daylight Time, as UTC –3 hours
CT        Central Time, either as CST or CDT, depending on the place and the time of year
CST       Central Standard Time, as UTC –6 hours
CDT       Central Daylight Saving Time, as UTC –5 hours
ET        Eastern Time, either as EST or EDT, depending on the place and the time of year
EST       Eastern Standard Time, as UTC –5 hours
EDT       Eastern Daylight Saving Time, as UTC –4 hours
MT        Mountain Time, either as MST or MDT, depending on the place and the time of year
MDT       Mountain Daylight Saving Time, as UTC –6 hours
MST       Mountain Standard Time, as UTC –7 hours
PT        Pacific Time, either as PST or PDT, depending on the place and the time of year
PDT       Pacific Daylight Saving Time, as UTC –7 hours
PST       Pacific Standard Time, as UTC –8 hours
AKST      Alaska Standard Time, as UTC –9 hours
AKDT      Alaska Daylight Saving Time, as UTC –8 hours
HST       Hawaiian Standard Time, as UTC –10 hours
Australia
CST       Central Standard Time, as UTC +9.5 hours
EST       Eastern Standard/Summer Time, as UTC +10 hours (+11 hours during summer time)
WST       Western Standard Time, as UTC +8 hours
For example, to set the time zone to PDT and to set a UTC offset of –8 hours,
enter:
host1/Admin(config)# clock timezone PDT -8 0
To remove the clock timezone setting, use the no form of this command. For
example, enter:
host1/Admin(config)# no clock timezone
Adjusting for Daylight Saving Time
To configure the ACE to change the time automatically to summer time (daylight
savings time), use the clock summer-time command in configuration mode.
The first part of the command specifies when summer time begins, and the second
part of the command specifies when summer time ends. All times are relative to
the local time zone; the start time is relative to the standard time and the end time
is relative to the summer time. If the starting month is after the ending month, the
ACE assumes that you are located in the Southern Hemisphere.
The syntax of this command is as follows:
clock summer-time {daylight_timezone_name start_week start_day
start_month start_time end_week end_day end_month end_time
daylight_offset | standard timezone}
The keywords, arguments, and options are:
• daylight_timezone_name—Eight-character name of the time zone (for example, PDT) to be displayed when summer time is in effect. See Table 1-1 for the list of the common time zone acronyms used for the daylight_timezone_name argument.
• start_week end_week—The week, ranging from 1 through 5.
• start_day end_day—The day, ranging from Sunday through Saturday.
• start_month end_month—The month, ranging from January through December.
• start_time end_time—Time, in military format, specified in hours and minutes.
• daylight_offset—Number of minutes to add during the summer time. Valid entries are from 1 to 1440.
• standard timezone—Displays a list of well-known time zones that include an applicable daylight time start and end range along with a daylight offset. Available choices are:
– ADT—Atlantic Daylight Time: 2 am on the first Sunday in April to 2 am on the last Sunday in October, +60 min
– AKDT—Alaska Standard Daylight Time: 2 am on the first Sunday in April to 2 am on the last Sunday in October, +60 min
– CDT—Central Daylight Time: 2 am on the first Sunday in April to 2 am on the last Sunday in October, +60 min
– EDT—Eastern Daylight Time: 2 am on the first Sunday in April to 2 am on the last Sunday in October, +60 min
– MDT—Mountain Daylight Time: 2 am on the first Sunday in April to 2 am on the last Sunday in October, +60 min
– PDT—Pacific Daylight Time: 2 am on the first Sunday in April to 2 am on the last Sunday in October, +60 min
For example, to specify that summer time begins on the first Sunday in April at
02:00 and ends on the last Sunday in October at 02:00, with a daylight offset of
60 minutes, enter:
host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun
Oct 02:00 60
To remove the clock summer-time setting, use the no form of this command. For
example, enter:
host1/Admin(config)# no clock summer-time
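The rule that the clock summer-time command encodes (the week-th weekday of a month, a switch-over time, a minute offset, and the Southern Hemisphere case where the start month follows the end month) can be checked off-box before it is committed to an appliance whose logs and AppScope timings depend on it. The following Python is an added example written for this page, not ACE software: it takes the command's arguments in the order documented above and answers whether a given instant is in summer time. The function names, the second sample rule string (a constructed Southern Hemisphere rule) and the UTC instant used are this example's own; the first rule string is the example command from this section.

```python
"""Evaluate an ACE-style 'clock summer-time' rule off-box.

Added example, not ACE software. It takes the command's arguments in the
documented order (name start_week start_day start_month start_time
end_week end_day end_month end_time daylight_offset) and answers whether a
given instant falls in summer time. All function names are this example's own.
"""
import calendar
from datetime import datetime, timedelta

# Python weekday numbering: Monday=0 ... Sunday=6
DAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
# calendar.month_abbr[1..12] is 'Jan'..'Dec' (index 0 is the empty string)
MONTHS = {name.lower(): i for i, name in enumerate(calendar.month_abbr) if name}


def nth_weekday(year, month, week, weekday):
    """Date of the week-th occurrence of weekday in the month (week 1..5).

    Week 5 means 'the last one', as in the command's '5 Sun Oct'; if the
    fifth occurrence overshoots the month, step back to the fourth.
    """
    if not 1 <= week <= 5:
        raise ValueError("week must be 1..5")
    first = datetime(year, month, 1)
    day = first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (week - 1))
    while day.month != month:
        day -= timedelta(days=7)
    return day


def parse_rule(args):
    """Parse the argument string, e.g. 'Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60'."""
    fields = args.split()
    if len(fields) != 10:
        raise ValueError("expected 10 arguments")
    name, sw, sd, sm, st, ew, ed, em, et, offset = fields

    def part(week, day, month, hhmm):
        hours, minutes = hhmm.split(":")
        return (int(week), DAYS[day.lower()[:3]], MONTHS[month.lower()[:3]],
                timedelta(hours=int(hours), minutes=int(minutes)))

    offset = int(offset)
    if not 1 <= offset <= 1440:           # documented range for daylight_offset
        raise ValueError("daylight_offset must be 1..1440 minutes")
    return {"name": name, "start": part(sw, sd, sm, st),
            "end": part(ew, ed, em, et), "offset": timedelta(minutes=offset)}


def summer_bounds(rule, year):
    """Start and end of summer time in `year`, both on the standard-time scale.

    Documented convention: the start time is given in standard time, the end
    time in summer time, so the end is shifted back by the offset.
    """
    sw, sd, sm, st = rule["start"]
    ew, ed, em, et = rule["end"]
    start = nth_weekday(year, sm, sw, sd) + st
    end = nth_weekday(year, em, ew, ed) + et - rule["offset"]
    return start, end


def in_summer_time(rule, local_standard):
    """True if the naive local standard-time instant is inside summer time."""
    start, end = summer_bounds(rule, local_standard.year)
    if start <= end:                              # Northern Hemisphere
        return start <= local_standard < end
    # Southern Hemisphere: start month after end month, so the summer period
    # wraps around the year boundary.
    return not (end <= local_standard < start)


def local_time(rule, utc, standard_offset):
    """Convert a UTC instant to local wall-clock time, adding the summer
    offset when the rule says it is in effect. Returns (datetime, zone name
    or None)."""
    standard = utc + standard_offset
    if in_summer_time(rule, standard):
        return standard + rule["offset"], rule["name"]
    return standard, None
```

With the example rule from this section and a standard offset of –8 hours, the show clock time quoted later in this chapter (Sun Aug 3 07:43:02 UTC 2008) maps to 00:43:02 local summer time; the two edge instants worth testing are the start minute itself and the minute before the end, because the end is specified in summer time.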
Viewing the System Clock Settings
To display the system clock of the ACE, use the show clock command in Exec
mode. The syntax of this command is as follows:
show clock
For example, to view the current clock settings, enter:
host1/Admin# show clock
Sun Aug 3 07:43:02 UTC 2008
Synchronizing the ACE with an NTP Server
The Network Time Protocol (NTP) enables you to synchronize the ACE system
clock to a time server. NTP is an Internet protocol designed to synchronize the
clocks of computers over a network. Typically, an NTP network receives its time
from an authoritative time source, such as a radio clock or an atomic clock
attached to a time server, and assures accurate local time-keeping. NTP distributes
this time across the network. The NTP protocol can synchronize distributed
clocks within milliseconds over long time periods.
NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is
documented in RFC 1305. All NTP communication uses Coordinated Universal
Time (UTC), which is the same as Greenwich Mean Time.
An NTP server must be accessible by the client ACE.
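The packet format and the arithmetic behind what this section describes (NTP over UDP in the RFC 1305 format, all timestamps in UTC) can be made concrete off-box. The following Python is an added example for this page, not ACE software: it builds a client request and a constructed server reply, decodes the RFC 1305 header fields that the show ntp tables later in this section report (version, stratum, poll interval, root dispersion), computes clock offset and round-trip delay from the four timestamps, and applies sanity checks that correspond to the "Unknown version number", stratum and "Bogus Origin" conditions the ACE counts. The exchange (server 0.5 s ahead of the client, 10 ms one-way delay, 2 ms server processing), the reference identifier and all function names are constructed for the example.

```python
"""Parse RFC 1305 (NTP) packets and compute clock offset and round-trip delay.

Added example, not ACE software. The exchange below is constructed: a client
whose clock is 0.5 s behind the server, 10 ms one-way network delay and 2 ms
server processing time. Function names and the reference id are this
example's own.
"""
import struct
from datetime import datetime, timezone

# RFC 1305 header: LI/VN/Mode, stratum, poll, precision, root delay (signed
# 16.16), root dispersion (unsigned 16.16), reference id, then four 64-bit
# timestamps (32-bit seconds, 32-bit fraction) -> 48 bytes, network byte order.
FMT = "!BBbbiI4sQQQQ"
NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def to_ntp(seconds):
    """Float seconds since the NTP epoch -> 64-bit NTP timestamp."""
    whole = int(seconds)
    fraction = int((seconds - whole) * 2 ** 32)   # always < 2**32
    return (whole << 32) | fraction


def from_ntp(ts):
    """64-bit NTP timestamp -> float seconds since the NTP epoch."""
    return (ts >> 32) + (ts & 0xFFFFFFFF) / 2 ** 32


def build_packet(version, mode, stratum=0, refid=b"\0\0\0\0",
                 orig=0.0, recv=0.0, xmit=0.0, poll=6, precision=-20):
    """Assemble a packet; LI=0, root delay/dispersion and reference time left at 0."""
    first = (0 << 6) | (version << 3) | mode
    return struct.pack(FMT, first, stratum, poll, precision, 0, 0, refid,
                       0, to_ntp(orig), to_ntp(recv), to_ntp(xmit))


def parse_packet(raw):
    """Decode the header fields that the ACE 'show ntp' tables report."""
    if len(raw) < struct.calcsize(FMT):
        raise ValueError("short NTP packet")
    (first, stratum, poll, precision, root_delay, root_disp, refid,
     ref, orig, recv, xmit) = struct.unpack(FMT, raw[:48])
    return {"leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "poll_interval": 2 ** poll, "precision": precision,
            "root_delay": root_delay / 2 ** 16, "root_dispersion": root_disp / 2 ** 16,
            "refid": refid, "t_ref": from_ntp(ref), "t_orig": from_ntp(orig),
            "t_recv": from_ntp(recv), "t_xmit": from_ntp(xmit)}


def offset_and_delay(t1, t2, t3, t4):
    """RFC 1305: t1 client send, t2 server receive, t3 server send, t4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def check_reply(reply, t1_sent):
    """Checks matching the 'Unknown version number', stratum and 'Bogus Origin'
    conditions counted by the ACE; returns a list of problem strings."""
    problems = []
    if reply["version"] not in (3, 4):
        problems.append("unknown version number %d" % reply["version"])
    if reply["mode"] != 4:
        problems.append("not a server reply (mode %d)" % reply["mode"])
    if not 1 <= reply["stratum"] <= 15:
        problems.append("unsynchronized or invalid stratum")
    if abs(reply["t_orig"] - t1_sent) > 1e-5:
        problems.append("bogus origin: originate timestamp is not our transmit timestamp")
    return problems


def demo():
    """Run the constructed exchange and return what a client would learn from it."""
    t1 = datetime(2008, 8, 3, 7, 43, 2, tzinfo=timezone.utc).timestamp() + NTP_UNIX_DELTA
    request = build_packet(version=3, mode=3, xmit=t1)
    t2 = t1 + 0.5 + 0.010                # server clock ahead by 0.5 s, 10 ms in flight
    t3 = t2 + 0.002                      # 2 ms on the server
    reply = build_packet(version=3, mode=4, stratum=2, refid=b"GPS\0",
                         orig=parse_packet(request)["t_xmit"], recv=t2, xmit=t3)
    t4 = t1 + 0.022                      # back at the client, by the client's clock
    parsed = parse_packet(reply)
    offset, delay = offset_and_delay(t1, parsed["t_recv"], parsed["t_xmit"], t4)
    return {"request_len": len(request), "version": parsed["version"],
            "mode": parsed["mode"], "stratum": parsed["stratum"],
            "poll_interval": parsed["poll_interval"], "offset": offset,
            "delay": delay, "problems": check_reply(parsed, t1)}
```

The offset formula cancels the network delay only when the path is symmetric, which is why the ACE's millisecond-range AppScope measurements depend on a nearby, reachable server; the "Bogus Origin" check (originate timestamp must equal the transmit timestamp the client actually sent) is what lets a client discard an unsolicited or replayed reply.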
Note
If you are configuring application acceleration and optimization functionality (as
described in the Cisco 4700 Series Application Control Engine Appliance
Application Acceleration and Optimization Configuration Guide), and you plan
to use an optional Cisco AVS 3180A Management Console with multiple ACE
nodes, we strongly recommend that you synchronize the system clock of each
ACE node with an NTP server. AppScope performance monitoring relies on very
accurate time measurement, in the millisecond range. If you install multiple ACE
appliances, you must synchronize the clocks so that different parts of a single
transaction can be handled by different nodes.
This section contains the following topics:
• Configuring NTP Server and Peer Associations
• Viewing NTP Statistics and Information
• Clearing NTP Statistics
Configuring NTP Server and Peer Associations
An NTP association can be a peer association, which means that the ACE is
willing to synchronize to the other system or to allow the other system to
synchronize to the ACE. An NTP association can also be a server association,
which means that only this system will synchronize to the other system, not the
other way around. You can identify multiple servers; the ACE uses the most
accurate server. To configure the ACE system clock to synchronize a peer (or to
be synchronized by a peer) or to be synchronized by a time server, use the ntp
command.
The syntax of this command is as follows:
ntp {peer ip_address1 [prefer] | server ip_address2 [prefer]}
Note
Only users authenticated in the Admin context can use the ntp peer and ntp
server commands.
The keywords, arguments, and options are:
• peer—Configure the ACE system clock to synchronize a peer or to be synchronized by a peer. You can specify multiple associations.
• ip_address1—IP address of the peer providing or being provided by the clock synchronization.
• prefer—(Optional) Makes this peer the preferred peer that provides synchronization. Using the prefer keyword reduces switching back and forth between peers.
• server—Configures the ACE system clock to be synchronized by a time server. You can specify multiple associations.
• ip_address2—IP address of the time server that provides the clock synchronization.
• prefer—(Optional) Makes this server the preferred server that provides synchronization. The prefer keyword sets this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers have similar accuracy, then the prefer keyword specifies which server to use.
For example, to specify multiple NTP server IP addresses and identify a preferred
server, enter:
host1/Admin(config)# ntp server 192.168.10.10 prefer
host1/Admin(config)# ntp server 192.168.4.143
host1/Admin(config)# ntp server 192.168.5.10
For example, to form a peer association with a preferred peer, enter:
host1/Admin(config)# ntp peer 192.168.10.0 prefer
To remove an NTP peer or server from the configuration, use the no form of this
command. For example:
host1/Admin(config)# no ntp peer 192.168.10.0
Viewing NTP Statistics and Information
You can display the following NTP statistics and information:
• NTP peer statistics
• Input/output statistics
• Counters maintained by the local NTP
• Counters related to the memory code
• Listing of all associated peers
The syntax of this command is as follows:
show ntp {peer-status | peers | statistics [io | local | memory | peer ip_address]}
Note
Only users who are authenticated in the Admin context can use the show ntp
command.
The keywords, arguments, and options are:
• peer-status—Displays the status for all configured NTP servers and peers.
• peers—Displays a listing of all NTP peers.
• statistics—Displays the NTP statistics.
• io—Displays the input/output statistics.
• local—Displays the counters maintained by the local NTP.
• memory—Displays the statistic counters related to the memory code.
• peer—Displays the per-peer statistics counter of a peer.
• ip_address—Displays the peer statistics for the specified IP address.
For example, to display the status for all NTP servers and peers, enter:
switch/Admin# show ntp peer-status
Table 1-2 describes the fields in the show ntp peer-status command output.
Table 1-2    Field Descriptions for the show ntp peer-status Command

Field             Description
Total Peers       Number of associated peers
Remote            IP addresses that correspond to the remote server and peer entries listed in the configuration file
Local             IP addresses that correspond to the local server and peer entries listed in the configuration file
St                The stratum
Poll              The poll interval (in seconds)
Reach             The status of the reachability register (see RFC-1305) in octal
Delay             The latest delay (in microseconds)
Peer IP Address   IP address of each associated peer
Serv/Peer         Indication of whether the peer functions as an NTP server or NTP peer
For example, to display a summary of all peers, enter:
switch/Admin# show ntp peers
Table 1-3 describes the fields in the show ntp peers command output.
Table 1-3    Field Descriptions for the show ntp peers Command

Field             Description
Peer IP Address   The IP address of each associated peer
Serv/Peer         Indicates whether the peer functions as an NTP server or NTP peer
For example, to display the NTP input/output statistics, enter:
switch/Admin# show ntp statistics io
Table 1-4 describes the fields in the show ntp statistics io command output.
Table 1-4    Field Descriptions for show ntp statistics io Command

Field                  Description
Time since reset       Time since the last reset of the NTP software on the primary server
Receive buffers        Total number of UDP client-receive buffers
Free receive buffers   Current number of available client-receive buffers
Used receive buffers   Current number of unavailable client-receive buffers
Low water refills      Total number of times buffers were added, which also indicates the number of times there have been low memory resources during buffer creation
Dropped packets        Total number of NTP packets dropped by the ACE
Ignored packets        Total number of NTP packets ignored by the ACE
Received packets       Total number of NTP packets received by the ACE
Packets sent           Total number of NTP packets transmitted by the ACE
Packets not sent       Total number of NTP packets not sent by the ACE due to an error
Interrupts handled     Total number of NTP timer interrupts handled by the ACE
Received by int        Total number of pulses received that triggered an interrupt
For example, to display the counters maintained by the local NTP, enter:
switch/Admin# show ntp statistics local
Table 1-5 describes the fields in the show ntp statistics local command output.
Table 1-5    Field Descriptions for show ntp statistics local Command

Field                    Description
System uptime            Length of time that the ACE has been running.
Time since reset         Time in hours since the ACE was last rebooted.
Old version packets      Number of packets that match the previous NTP version. The version number is in every NTP packet.
New version packets      Number of packets that match the current NTP version. The version number is in every NTP packet.
Unknown version number   Number of packets with an unknown NTP version.
Bad packet format        Number of NTP packets that were received and dropped by the ACE due to an invalid packet format.
Packets processed        Number of NTP packets received and processed by the ACE.
Bad authentication       Number of packets not verified as authentic.
For example, to display the statistic counters related to the memory code, enter:
switch/Admin# show ntp statistics memory
Table 1-6 describes the fields in the show ntp statistics memory command
output.
Table 1-6    Field Descriptions for show ntp statistics memory Command

Field                  Description
Time since reset       Time in hours since the ACE was last rebooted.
Total peer memory      Total peer memory available for the allocation of memory to peer structures.
Free peer memory       Current available peer memory.
Calls to findpeer      The number of calls to findpeer. Note: findpeer is an entry point to the allocation of memory to peer structures that looks for matching peer structures in the peer list.
New peer allocations   Number of allocations from the free list.
Peer demobilizations   Number of structures freed to the free list.
Hash table counts      The count of peers in each hash table.
For example, to display the per-peer statistics counter of a peer, enter:
switch/Admin# show ntp statistics peer 192.168.1.2
Table 1-7 describes the fields in the show ntp statistics peer command output.
Table 1-7    Field Descriptions for show ntp statistics peer Command

Field                  Description
Remote Host            IP address of the specified peer.
Local Interface        IP address of the specified local interface.
Time Last Received     Time that the last NTP response was received.
Time Until Next Send   Length of time until the next send attempt.
Reachability Change    The reachability status for the peer.
Packets Sent           Number of packets sent to the NTP peer.
Packets Received       Number of packets received from the NTP peer.
Bogus Origin           Number of packets received from the NTP peer of a suspect origin.
Duplicate              Number of duplicate packets received from the NTP peer.
Bad Dispersion         Number of packets with an invalid dispersion. Note: Dispersion measures the errors of the offset values, based on the round-trip delay and the precision of the system and the server.
Bad Reference Time     Number of packets with an invalid reference time source.
Candidate Order        Order in which the ACE may consider this server when it chooses the master.
Clearing NTP Statistics
To clear NTP information, use the clear ntp statistics command in Exec mode.
The syntax of this command is as follows:
clear ntp statistics {all-peers | io | local | memory}
The keywords are:
• all-peers—Clears I/O statistics for all peers
• io—Clears I/O statistics for I/O devices
• local—Clears I/O statistics for local devices
• memory—Clears I/O statistics for memory
For example, to clear the NTP statistics for all peers, enter:
host1/Admin# clear ntp statistics all-peers
For example, to clear the NTP statistics for the I/O devices, enter:
host1/Admin# clear ntp statistics io
For example, to clear the NTP statistics for the local devices, enter:
host1/Admin# clear ntp statistics local
For example, to clear the NTP statistics for memory, enter:
host1/Admin# clear ntp statistics memory
Configuring Terminal Settings
You can access the ACE CLI as follows:
• Make a direct connection using a dedicated terminal attached to the console port on the front of the ACE.
• Establish a remote connection to the ACE by using the Secure Shell (SSH) or Telnet protocols.
Note
Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH.
This section contains the following topics:
• Configuring Terminal Display Attributes
• Configuring Virtual Terminal Line Settings
For details on configuring remote access to the ACE CLI using SSH or Telnet, see
Chapter 2, Enabling Remote Access to the ACE.
Configuring Terminal Display Attributes
You can specify the number of lines and the width for displaying information on
a terminal during a console session. The maximum number of displayed screen
lines is 511 lines. To configure the terminal display settings, use the terminal
command in Exec mode. The terminal command allows you to set the length and
width for displaying command output.
The syntax of the command is as follows:
terminal {length lines | monitor | session-timeout minutes | terminal-type
text | width characters}
The keywords, arguments, and options are as follows:
• length lines—Sets the number of lines displayed on the current terminal screen. This command is specific to only the console port. Telnet and SSH sessions set the length automatically. Valid entries are from 0 to 511. The default is 24 lines. A value of 0 instructs the ACE to scroll continuously (no pausing) and overrides the terminal width value. If you later change the terminal length to any other value, the originally configured terminal width value takes effect.
• monitor—Displays syslog output on the terminal for the current terminal and session. To enable the various levels of syslog messages to the terminal, use the logging monitor command (see the Cisco 4700 Series Application Control Engine Appliance System Message Guide for details).
• session-timeout minutes—Specifies the inactivity timeout value in minutes to configure the automatic logout time for the current terminal session on the ACE. When inactivity exceeds the time limit configured by this command, the ACE closes the session and exits. The range is from 0 to 525600. The default is 5 minutes. You can set the terminal session-timeout value to 0 to disable this feature so that the terminal remains active until you choose to exit the ACE. The ACE does not save this change in the configuration file.
Note
The login timeout command setting overrides the terminal session-timeout setting (see the “Configuring an ACE Inactivity Timeout” section).
• terminal-type text—Specifies the name and type of the terminal used to access the ACE. If a Telnet or SSH session specifies an unknown terminal type, the ACE uses the VT100 terminal by default. Specify a text string from 1 to 80 alphanumeric characters.
• width characters—Sets the number of characters displayed on the current terminal screen. This command is specific to only the console port. Telnet and SSH sessions set the width automatically. Valid entries are from 24 to 512. The default is 80 columns.
For example, to specify the VT200 terminal, set the number of screen lines to 35,
and set the number of characters to 250, enter:
host1/Admin# terminal terminal-type vt200
host1/Admin# terminal length 35
host1/Admin# terminal width 250
For example, to specify a terminal timeout of 600 minutes for the current session,
enter:
host1/Admin# terminal session-timeout 600
To reset a terminal setting to its default value, such as the screen line length, use
the no form of the command:
host1/Admin# terminal no width
For example, to start the current terminal monitoring session, enter:
host1/Admin# terminal monitor
host/Admin# %ACE-7-111009: User 'admin' executed cmd: terminal monitor
%ACE-7-111009: User 'admin' executed cmd: terminal monitor......
To stop the current terminal monitoring session, enter:
host1/Admin# terminal no monitor
To display the console terminal settings, use the show terminal Exec mode
command. For example, enter:
host1/Admin# show terminal
TTY: /dev/pts/0 Type: "vt100"
Length: 25 lines, Width: 80 columns
Session Timeout: 60 minutes
Configuring Virtual Terminal Line Settings
Virtual terminal lines allow remote access to the ACE. A virtual terminal line is
not associated with the console port; instead, it is a virtual port that allows you to
access the ACE.
Use the line vty configuration mode command to configure the virtual terminal line
settings. The CLI displays the line configuration mode. Use the session-limit
command to configure the maximum number of terminal sessions per line.
The syntax of this command is as follows:
session-limit number
The number argument configures the maximum number of terminal sessions per line.
The range is from 1 to 251.
For example, to configure a virtual terminal line, enter:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#
host1/Admin(config)# line vty
host1/Admin(config-line)# session-limit 23
To disable a setting for the configured virtual terminal line, use the no form of the
command. For example:
host1/Admin(config-line)# no session-limit 23
Use the clear line command in Exec mode to close a specified vty session. The
syntax for this command is as follows:
clear line vty_name
The vty_name argument specifies the name of the VTY session. Enter a maximum
of 64 alphanumeric characters without spaces for the name of the virtual terminal.
For example, to close a specified vty session, enter:
host1/Admin# clear line vty vty1
Modifying the Boot Configuration
You can control how the ACE performs its boot process. You can instruct the ACE
to automatically boot the system image identified in the BOOT environment
variable or you can manually identify the system boot image to use. In addition,
you can choose to have the ACE load the startup-configuration file or ignore the
startup-configuration file upon reboot.
This section describes how to modify the boot configuration of the ACE. It
contains the following procedures:
• Setting the Boot Method from the Configuration Register
• Setting the BOOT Environment Variable
• Configuring the ACE to Bypass the Startup Configuration File During the Boot Process
• Displaying the ACE Boot Configuration
Setting the Boot Method from the Configuration Register
The configuration register can be used to modify how the ACE performs its boot
process, automatically or manually.
You can modify the boot method that the ACE uses at the next startup by setting
the boot field in the software configuration register. The configuration register
identifies how the ACE should boot.
To specify the configuration register boot setting, use the config-register
configuration command. This command affects only the configuration register
bits that control the boot field and leaves the remaining bits unaltered.
The syntax for the command is as follows:
config-register value
The supported value entries are as follows:
• 0x0—Upon reboot, the ACE boots to the GNU GRand Unified Bootloader (GRUB). From the GRUB boot loader, you specify the system boot image to use to boot the ACE. Upon startup, the ACE loads the startup-configuration file stored in the Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory).
• 0x1—Upon reboot, the ACE boots the system image identified in the BOOT environment variable (see the “Setting the BOOT Environment Variable” section). The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. If the ACE encounters an error or if the image is not valid, it will try the second image (if one is specified). Upon startup, the ACE loads the startup-configuration file stored in the Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory).
To set the boot field in the configuration register to automatically boot the system
image identified in the BOOT environment variable upon reboot and to load the
startup-configuration file stored in Flash memory, enter:
host1/Admin(config)# config-register 0x1
To reset the config-register setting, enter:
host1/Admin(config)# no config-register 0x1
Press Esc when the countdown initiates on the GNU GRUB multiboot loader.
The following GRUB menu appears.
GNU GRUB version 0.95 (639K lower / 3144640K upper memory)
******************************************************************
* image(c4710ace-mz.A3_1_0.bin)                                  *
* image(c4710ace-mz.A1_8_0A.bin)                                 *
*                                                                *
*                                                                *
******************************************************************
In the GRUB menu, use the arrow keys to select from the ACE images loaded in
the Flash memory. The ACE image entry is highlighted in the list.
Perform one of the following actions:
• Press Enter to boot the selected software version.
• Type e to edit the commands before booting.
• Type c to access a command line.
If no ACE images are loaded in the Flash memory, the GNU GRUB multiboot
loader appears as follows:
grub>
Setting the BOOT Environment Variable
The BOOT environment variable specifies a list of image files on various devices
from which the ACE can boot at startup. You can add several images to the BOOT
environment variable to provide a fail-safe boot configuration. If the first file fails
to boot the ACE, subsequent images that are specified in the BOOT environment
variable are tried until the ACE boots or there are no additional images to attempt
to boot. If there is no valid image to boot, the ACE enters ROMMON mode where
you can manually specify an image to boot.
The ACE stores and executes images in the order in which you added them to the
BOOT environment variable. If you want to change the order in which images are
tried at startup, you can either prepend and clear images from the BOOT
environment variable to attain the desired order or you can clear the entire BOOT
environment variable and then redefine the list in the desired order.
To set the BOOT environment variable, use the boot system image: command.
The syntax for this command is as follows:
boot system image:image_name
The image_name argument specifies the name of the system image file. If the file
does not exist (for example, if you entered the wrong filename), then the filename
is appended to the bootstring, and this message displays, “Warning: File not found
but still added in the bootstring.” If the file does exist, but is not a valid image, the
file is not added to the bootstring, and the message “Warning: file found but it is
not a valid boot image” displays.
For example, to set the BOOT environment variable, enter:
host1/Admin(config)# boot system image:c4710ace-mz.A3_1_0.bin
Configuring the ACE to Bypass the Startup Configuration File
During the Boot Process
From the GRUB bootloader, the ACE includes an option that allows you to
instruct the ACE to bypass the startup-configuration file stored on the appliance
in the Flash memory (nonvolatile memory) during the boot process. You may
require the ACE to bypass the startup configuration file during bootup in the
following instances:
• Certain configurations cause problems that result in the ACE becoming nonresponsive. You can bypass the startup configuration file to safely boot the ACE and then resolve issues with the configuration.
• You forget the password for the ACE administrator CLI account and cannot access the ACE. You can bypass the startup configuration file and log in with the default password of admin.
Note
For the procedure on resetting the administrator CLI account password,
see the “Recovering the Administrator CLI Account Password” section.
To instruct the ACE to bypass the startup-configuration file during the boot
process from the GRUB bootloader, perform the following steps:
1. Enter the config-register command so that upon reboot the ACE boots to the GRUB bootloader. See the “Setting the Boot Method from the Configuration Register” section.
2. Reboot the ACE. See the “Restarting the ACE” section. Upon reboot, the ACE boots to the GRUB bootloader.
3. Press Esc when the countdown initiates on the GNU GRUB multiboot loader. The following GRUB menu appears.
GNU GRUB version 0.95 (639K lower / 3144640K upper memory)
******************************************************************
* image(c4710ace-mz.A3_1_0.bin)                                  *
* image(c4710ace-mz.A1_8_0A.bin)                                 *
*                                                                *
*                                                                *
******************************************************************
4. In the GRUB menu, use the arrow keys to select from the ACE images loaded in Flash memory. The ACE image entry is highlighted in the list.
5. Type e to edit the kernel command line. If the boot string is greater than one line, you must press e a second time. Append ignorestartupcfg=1 to the end of the boot string.
For example, the following illustrates the screen output when you first type e:
******************************************************************
* kernel=(hd0,1)/c4710ace-mz.A3_1_0.bin ro root=LABEL=/ auto consol*
*                                                                *
******************************************************************
For example, the following illustrates the screen output when you press e a second time:
< auto console=ttyS0,9600n8 quiet bigphysarea=32768
At this point, append ignorestartupcfg=1 after the second edit.
< auto console=ttyS0,9600n8 quiet bigphysarea=32768 ignorestartupcfg=1
6. Press Enter to return to the previous GRUB menu.
7. Press b to boot with this modified boot string. The ACE boot screen appears
as follows:
Note
When you instruct the ACE to bypass the startup-configuration file stored
on the appliance and the startup-configuration file is empty (typically on a
new ACE), the ACE automatically launches the setup script after booting to
enable connectivity to the ACE Device Manager GUI (see the “Using the
Setup Script to Enable Connectivity to the Device Manager” section).
Otherwise, the ACE boot screen appears as shown in the output below. If
necessary, you can manually launch the setup script by using the setup
command in Exec mode. Because anyone with console access who can reboot
the appliance can use this procedure to bring the ACE up without its saved
configuration, protect physical and console access to the ACE accordingly.
kernel=(hd0,1)/c4710ace-mz.A3_1_0.bin ro root=LABEL=/ auto console=ttyS0,9600n8 quiet bigphysarea=32768
[Linux-bzImage, setup=0x1400, size=0xb732b7a]
INIT: version 2.85 booting
Daughter Card Found. Continuing...
INIT: Entering runlevel: 3
Testing PCI path ....
This may take some time, Please wait ....
PCI test loop , count 0
PCI path is ready
Starting services...
Installing MySQL
groupadd: group nobody exists
useradd: user nobody exists
MySQL Installed
Installing JRE
JRE Installed
Starting sysmgr processes.. Please wait...Done!!!
switch login: admin
password# xxxxx
You may now configure the ACE to define basic configuration settings for the
appliance.
Displaying the ACE Boot Configuration
To display the current BOOT environment variable and configuration register
setting, use the show bootvar command in Exec mode.
For example, to display the BOOT environment variable settings, enter:
host1/Admin# show bootvar
BOOT variable = "image:/c4710ace-mz.A3_1_0.bin;image:/c4710ace-mz.A1_8_0A.bin"
Configuration register is 0x1
Restarting the ACE
To reboot the ACE directly from its CLI and reload the configuration, use the reload
command in Exec mode. The reload command reboots the ACE and performs a
full power cycle of both the hardware and software. The reset process can take
several minutes. Any open connections with the ACE are dropped after you enter
the reload command.
Caution
Configuration changes that are not written to the Flash partition are lost after a
reload. Before rebooting, enter the copy running-config startup-config command
in Exec mode to store the current configuration in Flash memory. If you fail to save
your configuration changes, the ACE reverts to its previously saved settings upon
restart.
When you specify reload, the ACE prompts you for confirmation and performs a
cold restart of the ACE:
host1/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: yes
Generating configuration....
running config of context Admin saved
Perform system reload. [yes/no]: [yes] yes
Shutting Down the ACE
To remove power from the ACE, press the power button found on the front panel.
Caution
Configuration changes that are not written to the Flash partition are lost after a
shutdown. Before you shut down the ACE, enter the copy running-config
startup-config command in Exec mode to store the current configuration in Flash
memory. If you fail to save your configuration changes, the ACE reverts to its
previously saved settings upon restart.
Chapter 2
Enabling Remote Access to the ACE
This chapter describes how to configure remote access to the Cisco 4700 Series
Application Control Engine (ACE) appliance by establishing a remote connection
by using the Secure Shell (SSH) or Telnet protocols. It also describes how to
configure the ACE to provide direct access to a user context from SSH. This
chapter also covers how to configure the ACE to receive ICMP messages from a
host.
This chapter contains the following major sections:
• Remote Access Configuration Quick Start
• Configuring Remote Network Management Traffic Services
• Configuring Telnet Management Sessions
• Configuring SSH Management Sessions
• Terminating an Active User Session
• Enabling ICMP Messages to the ACE
• Directly Accessing a User Context Through SSH
• Example of a Remote Access Configuration
• Viewing Session Information
Note
For information about how to make a direct connection using a dedicated terminal
attached to the Console port on the front of the ACE, configure terminal display
attributes, and configure terminal line settings for accessing the ACE by console
or virtual terminal connection, see Chapter 1, Setting Up the ACE.
Remote Access Configuration Quick Start
Table 2-1 provides a quick overview of the steps required to configure remote
network management access for the ACE. Each step includes the CLI command
required to complete the task.
Table 2-1 Remote Network Management Configuration Quick Start
Task and Command Example
1. If you are operating in multiple contexts, observe the CLI prompt to verify
that you are operating in the desired context. If necessary, log directly in to,
or change to, the correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco 4700
Series Application Control Engine Appliance Virtualization Configuration
Guide.
2. Enter configuration mode.
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#
3. Create a class map that permits network management traffic to be received
by the ACE based on the network management protocol (SSH or Telnet) and
client source IP address.
host1/Admin(config)# class-map type management match-all SSH-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#
host1/Admin(config)# class-map type management match-all TELNET-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol telnet source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#
4. Configure a policy map that activates the SSH and Telnet management
protocol classifications.
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#
5. Attach the traffic policy to a single VLAN interface or globally to all VLAN
interfaces in the same context. For example, to specify an interface VLAN
and apply the remote management policy map to the VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-if)# exit
6. (Optional) Configure the maximum number of Telnet sessions allowed for
each context.
host1/Admin(config)# telnet maxsessions 3
7. (Optional) Configure the maximum number of SSH sessions allowed for
each context.
host1/Admin(config)# ssh maxsessions 3
8. If you have global administrator privileges, use the ssh key command to
generate the SSH private key and the corresponding public key for use by
the SSH server. There is only one host-key pair. For example, to generate an
RSA1 key pair in the Admin context, enter:
host1/Admin(config)# ssh key rsa1 1024
generating rsa1 key
.....
generated rsa1 key
9. (Optional) Save your configuration changes to Flash memory.
host1/Admin(config)# exit
host1/Admin# copy running-config startup-config
Configuring Remote Network Management Traffic Services
You configure rules for remote access to the ACE through the use of class maps,
policy maps, and service policies. The following items summarize the role of each
function in configuring remote network management access to the ACE:
• Class map—Provides the remote network traffic match criteria to permit
traffic based on:
– Remote access network management protocols (SSH, Telnet, or ICMP)
– Client source IP address
• Policy map—Enables remote network management access for a traffic
classification that matches the criteria listed in the class map.
• Service policy—Activates the policy map and attaches the traffic policy to an
interface or globally on all interfaces.
This section provides an overview on creating a class map, policy map, and
service policy for remote network access.
Telnet and SSH remote access sessions are established to the ACE on a per context
basis. For details on creating users and contexts, see the Cisco 4700 Series
Application Control Engine Appliance Virtualization Configuration Guide.
This section contains the following topics:
• Creating and Configuring a Remote Management Class Map
• Creating a Layer 3 and Layer 4 Remote Access Policy Map
• Applying a Service Policy
Creating and Configuring a Remote Management Class Map
To create a Layer 3 and Layer 4 class map to classify the remote network
management traffic received by the ACE, use the class-map type management
configuration-mode command. This command permits network management
traffic to be received by the ACE by identifying the incoming IP protocols that the
ACE can receive as well as the client source IP address and subnet mask as the
matching criteria. The type management keywords define the allowed network
traffic to manage security for protocols such as SSH, Telnet, and ICMP.
A class map can have multiple match commands. You can configure class maps
to define multiple management protocol and source IP address match commands
in a group that you then associate with a traffic policy. The match-all and
match-any keywords determine how the ACE evaluates the match statements
when multiple match criteria exist in a class map.
The syntax of this command is as follows:
class-map type management [match-all | match-any] map_name
The keywords, arguments, and options are as follows:
• match-all | match-any—(Optional) Determines how the ACE evaluates
Layer 3 and Layer 4 network management traffic when multiple match
criteria exist in a class map. The class map is considered a match if the match
commands meet one of the following conditions:
– match-all—(Default) All of the match criteria listed in the class map are
satisfied to match the network traffic class in the class map, typically
match commands of the same type.
– match-any—Any one of the match criteria listed in the class map is
satisfied to match the network traffic class in the class map, typically
match commands of different types.
• map_name—Specifies the name assigned to the class map. Enter an unquoted
text string with no spaces and a maximum of 64 alphanumeric characters.
The CLI enters the class map management configuration mode. To classify the
remote network management traffic received by the ACE, include one or more
match protocol commands to configure the match criteria for the class map.
For example, to allow SSH and Telnet access to the ACE from the source
address 172.16.10.0 with mask 255.255.255.254, enter:
host1/Admin(config)# class-map type management match-all SSH-TELNET_ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# match protocol telnet source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#
To remove a Layer 3 and Layer 4 network management class map from the ACE,
enter:
host1/Admin(config)# no class-map type management match-all
SSH-TELNET_ALLOW_CLASS
This section contains the following topics:
• Defining a Class Map Description
• Defining Remote Network Management Protocol Match Criteria
Defining a Class Map Description
To provide a brief summary about the Layer 3 and Layer 4 remote management
class map, use the description command in class map configuration mode.
The syntax of this command is as follows:
description text
Use the text argument to enter an unquoted text string with a maximum of 240
alphanumeric characters.
For example, to specify a description that the class map is to allow remote Telnet
access, enter:
host1/Admin(config)# class-map type management TELNET-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow Telnet access to the ACE
To remove the description from the class map, enter:
host1/Admin(config-cmap-mgmt)# no description
Defining Remote Network Management Protocol Match Criteria
To configure the class map to identify the remote network access management
protocols that can be received by the ACE, use the match protocol command in
class map management configuration mode. You configure the associated policy
map to permit access to the ACE for the specified management protocols. As part
of the network management access traffic classification, you also specify either a
client source host IP address and subnet mask as the matching criteria or instruct
the ACE to allow any client source address for the management traffic
classification.
The syntax of this command is as follows:
[line_number] match protocol {http | https | icmp | kalap-udp | snmp | ssh
| telnet | xml-https} {any | source-address ip_address mask}
• line_number—(Optional) Assists you in editing or deleting individual match
commands. Enter an integer from 2 to 255 as the line number. You can enter
no line_number to delete long match commands instead of entering the entire
line. The line numbers do not dictate a priority or sequence for the match
statements.
• http—Specifies the Hypertext Transfer Protocol (HTTP). The configuration
of the HTTP management protocol is described in Chapter 8, Configuring the
XML Interface.
• https—Specifies secure (SSL) Hypertext Transfer Protocol (HTTP) for
connectivity with the Device Manager GUI on the ACE using port 443.
• icmp—Specifies Internet Control Message Protocol messages to the ACE.
The configuration of the ICMP management protocol is described in the
“Enabling ICMP Messages to the ACE” section.
• kalap-udp—Specifies management access using KAL-AP over UDP. The
configuration of the KAL-AP management access is described in the
“Configuring Health Monitoring” chapter of the Cisco 4700 Series
Application Control Engine Appliance Server Load-Balancing Configuration
Guide.
• snmp—Specifies the Simple Network Management Protocol (SNMP). The
configuration of the SNMP management protocol is described in Chapter 7,
Configuring SNMP.
• ssh—Specifies a Secure Shell (SSH) remote connection to the ACE. The ACE
supports the SSH remote shell functionality provided in SSH Version 1 and
supports the DES and 3DES ciphers. The configuration of the SSH management
protocol is described in the “Configuring SSH Management Sessions”
section. SSH Version 1 and single DES are weak by current standards, so
restrict the source addresses permitted to reach the SSH service as tightly as
the match criteria allow rather than matching any.
Note
SSH v1.x and v2 are entirely different protocols and are not
compatible. Make sure that you use an SSH v1.x client when
accessing the ACE.
• telnet—Specifies a Telnet remote connection to the ACE. The configuration
of the Telnet management protocol is described in the “Configuring Telnet
Management Sessions” section. Telnet carries credentials and session data
in cleartext; prefer SSH and, if Telnet must be enabled, permit it only from
specific source addresses.
• xml-https—Specifies HTTPS as the transfer protocol to send and receive XML
documents between the ACE and a Network Management System (NMS).
Communication is performed using port 10443. The use of the HTTPS
management protocol for XML usage is described in Chapter 8, Configuring
the XML Interface.
Note
You can enable both https and xml-https in a Layer 3 and Layer 4
network management class map.
• any—Specifies any client source address for the management traffic
classification.
• source-address—Specifies a client source host IP address and subnet mask
as the network traffic matching criteria. As part of the classification, the ACE
implicitly obtains the destination IP address from the interface on which you
apply the policy map.
• ip_address—Source IP address of the client. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.1).
• mask—Subnet mask of the client in dotted-decimal notation (for example,
255.255.255.0).
For example, to specify that the class map allows SSH access to the ACE from
source IP address 192.168.10.1 255.255.255.0, enter:
host1/Admin(config)# class-map type management SSH-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol ssh source-address
192.168.10.1 255.255.255.0
To deselect the specified network management protocol match criteria from the
class map, enter:
host1/Admin(config-cmap-mgmt)# no match protocol ssh source-address
192.168.10.1 255.255.255.0
Creating a Layer 3 and Layer 4 Remote Access Policy Map
For a Layer 3 and Layer 4 traffic classification, you create a Layer 3 and Layer 4
policy map with actions to configure the network management traffic received by
the ACE. This section outlines the general steps to configure a Layer 3 and Layer
4 network traffic policy and contains the following topics:
• Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic
Received by the ACE
• Defining a Layer 3 and Layer 4 Policy Map Description
• Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy
• Defining Layer 3 and Layer 4 Management Traffic Policy Actions
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE
To configure a Layer 3 and Layer 4 policy map that defines the different actions
that are applied to the IP management traffic received by the ACE, use the
policy-map type management first-match configuration command. The ACE
executes the specified action only for traffic that meets the first matching
classification within the policy map. The ACE does not execute any additional
actions for that traffic.
The syntax of this command is as follows:
policy-map type management first-match map_name
The map_name argument specifies the name assigned to the Layer 3 and Layer 4
network management policy map. Enter an unquoted text string with no spaces
and a maximum of 64 alphanumeric characters.
When you use this command, you will access policy map management
configuration mode.
For example, to create a Layer 3 and Layer 4 network traffic management policy
map, enter:
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#
To remove a policy map from the ACE, enter:
host1/Admin(config)# no policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
Defining a Layer 3 and Layer 4 Policy Map Description
To provide a brief summary about the Layer 3 and Layer 4 remote management
policy map, use the description command in policy map configuration mode.
The syntax of this command is as follows:
description text
The text argument specifies the description that you want to provide. Enter an
unquoted text string with a maximum of 240 alphanumeric characters.
For example, to specify a description that the policy map is to allow remote Telnet
access, enter:
host1/Admin(config-pmap-mgmt)# description Allow Telnet access to the
ACE
To remove a description from the policy map, enter:
host1/Admin(config-pmap-mgmt)# no description
Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy
To specify a Layer 3 and Layer 4 traffic class created with the class-map
command to associate network traffic with the traffic policy, use the class
command in policy map configuration mode. This command enters the policy map
management class configuration mode.
The syntax of this command is as follows:
class {name1 [insert-before name2] | class-default}
The arguments, keywords, and options are as follows:
• name1—Name of a previously defined Layer 3 and Layer 4 traffic class,
configured with the class-map command, to associate traffic to the traffic
policy. Enter an unquoted text string with no spaces and a maximum of 64
alphanumeric characters.
• insert-before name2—(Optional) Places the current class map ahead of an
existing class map or inline match condition specified by the name2 argument
in the policy map configuration. The ACE does not save the sequence
reordering as part of the configuration. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
• class-default—Specifies the class-default class map for the Layer 3 and
Layer 4 traffic policy. This class map is a reserved class map created by the
ACE. You cannot delete or modify this class. It has an implicit match any
statement that matches all traffic, so any network traffic that fails to meet
the matching criteria of the named class maps belongs to the default traffic
class, and the ACE applies the action specified under the class class-default
command.
For example, to specify an existing class map within the Layer 3 and Layer 4
remote access policy map, enter:
host1/Admin(config-pmap-mgmt)# class L4_REMOTE_ACCESS_CLASS
host1/Admin(config-pmap-mgmt-c)#
To use the insert-before option to define the sequential order of two class
maps in the policy map, enter:
host1/Admin(config-pmap-mgmt)# class L4_SSH_CLASS insert-before L4_REMOTE_ACCESS_CLASS
To specify the class-default class map for the Layer 3 and Layer 4 traffic policy,
enter:
host1/Admin(config-pmap-mgmt)# class class-default
host1/Admin(config-pmap-mgmt-c)#
To remove a class map from a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap-mgmt)# no class L4_REMOTE_ACCESS_CLASS
Defining Layer 3 and Layer 4 Management Traffic Policy Actions
To allow the network management traffic listed in the Layer 3 and Layer 4 class
map to be received or rejected by the ACE, specify either the permit or deny
command in policy map class configuration mode as follows:
• Use the permit command in policy map class configuration mode to allow the
remote management protocols listed in the class map to be received by the
ACE.
• Use the deny command in policy map class configuration mode to refuse the
remote management protocols listed in the class map to be received by the
ACE.
For example, to create a Layer 3 and Layer 4 remote network traffic management
policy map that permits SSH, Telnet, and ICMP connections to be received by the
ACE, enter:
host1/Admin(config)# policy-map type management first-match
REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
For example, to create a policy map that denies ICMP messages to the ACE,
enter:
host1/Admin(config)# policy-map type management first-match
ICMP_RESTRICT_POLICY
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# deny
Applying a Service Policy
Use the service-policy command to perform the following tasks:
• Apply a previously created policy map.
• Attach the traffic policy to a specific VLAN interface or globally to all VLAN
interfaces in the same context.
• Specify that the traffic policy is to be attached to the input direction of an
interface.
The service-policy command is available at both the interface configuration mode
and at the configuration mode. Specifying a policy map in the interface
configuration mode applies the policy map to a specific VLAN interface.
Specifying a policy map in the configuration mode applies the policy to all of the
VLAN interfaces associated with a context.
The syntax of this command is as follows:
service-policy input policy_name
The keywords, arguments, and options are as follows:
• input—Specifies that the traffic policy is to be attached to the input direction
of an interface. The traffic policy evaluates all traffic received by that
interface.
• policy_name—Name of a previously defined policy map, configured with a
previously created policy-map command. The name can be a maximum of 40
alphanumeric characters.
For example, to specify an interface VLAN and apply the remote access policy
map to a VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
For example, to globally apply the remote access policy map to all of the VLANs
associated with a context, enter:
host1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY
To detach the remote access traffic policy from an interface, enter:
host1/Admin(config-if)# no service-policy input
REMOTE_MGMT_ALLOW_POLICY
To globally detach the remote access traffic policy from all VLANs associated
with a context, enter:
host1/Admin(config)# no service-policy input REMOTE_MGMT_ALLOW_POLICY
You can detach a traffic policy by either of the following methods:
• Individually from the last VLAN interface on which you applied the service
policy
• Globally from all VLAN interfaces in the same context
The ACE automatically resets the associated service policy statistics to provide a
new starting point for the service policy statistics the next time that you attach a
traffic policy to a specific VLAN interface or globally to all VLAN interfaces in
the same context.
Note the following guidelines and restrictions when creating a service policy:
• Policy maps, applied globally in a context, are internally applied on all
interfaces existing in the context.
• A policy activated on an interface overwrites any specified global policies for
overlapping classification and actions.
• The ACE allows only one policy of a specific feature type to be activated on
a given interface.
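The class map, policy map and service policy mechanics described in this section (and in the Quick Start table earlier in the chapter) are easy to get subtly wrong: match-all versus match-any inside a class map, first-match ordering inside the policy map, permit versus deny, and an interface policy overriding the context-global one. The following Python script is an added example, not part of this guide or of Cisco's ACE software. It parses those commands from running-config text, decides whether a given management packet would be accepted on a given VLAN under the rules stated in this section, and lists the findings a reviewer would raise (cleartext Telnet permitted, a protocol permitted from any source, a policy map that is never applied). The configuration it parses is constructed for the example from the commands on this page. Two points are assumptions taken from the definitions above rather than verified against an appliance: traffic matched by no applied management policy is treated as not accepted, and match-all is treated literally, so every match line in the class map must hit.

```python
"""Parse, evaluate and audit ACE 'type management' remote-access policy (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in running-config form, assembled from the commands in this chapter.
SAMPLE_CONFIG = """\
class-map type management match-any REMOTE-ACCESS_CLASS
  match protocol ssh source-address 172.16.10.0 255.255.255.254
  match protocol telnet source-address 172.16.10.0 255.255.255.254
class-map type management match-all ICMP-ANY_CLASS
  match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE-ACCESS_CLASS
    permit
  class ICMP-ANY_CLASS
    permit
policy-map type management first-match ICMP_RESTRICT_POLICY
  class ICMP-ANY_CLASS
    deny
interface vlan 50
  service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input ICMP_RESTRICT_POLICY
"""

@dataclass
class ClassMap:
    match_all: bool                              # match-all: every match line must hit
    matches: list = field(default_factory=list)  # (protocol, IPv4Network or None for "any")

    def matches_traffic(self, protocol, src):
        hits = [p == protocol and (net is None or src in net) for p, net in self.matches]
        return bool(hits) and (all(hits) if self.match_all else any(hits))

@dataclass
class MgmtPolicy:
    class_maps: dict = field(default_factory=dict)   # name -> ClassMap
    policy_maps: dict = field(default_factory=dict)  # name -> ordered [(class name, action)]
    applied: dict = field(default_factory=dict)      # vlan (None = context-global) -> policy name

MATCH_RE = re.compile(r"^(?:\d+\s+)?match protocol (\S+) (?:(any)|source-address (\S+) (\S+))$")

def parse_config(text):
    cfg, cmap, pmap, vlan, pending = MgmtPolicy(), None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):              # a top-level command ends any sub-mode
            cmap = pmap = vlan = pending = None
        if m := re.match(r"^class-map type management (match-all|match-any) (\S+)$", line):
            cmap = cfg.class_maps[m[2]] = ClassMap(m[1] == "match-all")
        elif m := re.match(r"^policy-map type management first-match (\S+)$", line):
            pmap = cfg.policy_maps[m[1]] = []
        elif m := re.match(r"^interface vlan (\d+)$", line):
            vlan = int(m[1])
        elif m := re.match(r"^service-policy input (\S+)$", line):
            cfg.applied[vlan] = m[1]             # vlan is None when applied in configuration mode
        elif (m := MATCH_RE.match(line)) and cmap is not None:
            net = None if m[2] else ipaddress.IPv4Network((m[3], m[4]), strict=False)
            cmap.matches.append((m[1], net))
        elif (m := re.match(r"^class (\S+)$", line)) and pmap is not None:
            pending = m[1]
        elif line in ("permit", "deny") and pmap is not None and pending:
            pmap.append((pending, line))
            pending = None
    return cfg

def is_permitted(cfg, protocol, src_ip, vlan):
    """True if the ACE would accept this management traffic arriving on the VLAN."""
    name = cfg.applied.get(vlan, cfg.applied.get(None))   # interface policy overrides global
    if name not in cfg.policy_maps:
        return False   # assumption: with no applied management policy the traffic is not accepted
    src = ipaddress.IPv4Address(src_ip)
    for cname, action in cfg.policy_maps[name]:
        cm = cfg.class_maps.get(cname)
        if cname == "class-default" or (cm and cm.matches_traffic(protocol, src)):
            return action == "permit"    # first-match: the first matching class decides
    return False

def audit(cfg):
    """Findings a reviewer would raise: unused policies, cleartext Telnet, unrestricted sources."""
    findings, applied = [], set(cfg.applied.values())
    for pname, classes in cfg.policy_maps.items():
        if pname not in applied:
            findings.append(f"{pname}: defined but never applied with service-policy")
        for cname, action in classes:
            cm = cfg.class_maps.get(cname)
            if action != "permit" or cm is None:
                continue
            for proto, net in cm.matches:
                where = "any source" if net is None else str(net)
                if proto == "telnet":
                    findings.append(f"{pname}/{cname}: cleartext telnet permitted from {where}")
                elif net is None and proto in {"ssh", "snmp", "http", "https", "xml-https"}:
                    findings.append(f"{pname}/{cname}: {proto} permitted from any source")
    return findings
```

Feed parse_config the output of show running-config (only the commands above are recognised; description lines and other commands are ignored), then call is_permitted(cfg, "ssh", "172.16.10.1", 50) or audit(cfg). The evaluator makes the consequences of a mask visible: with the 255.255.255.254 mask used in this chapter's examples, the class matches only 172.16.10.0 and 172.16.10.1. Under the evaluator's literal reading of match-all, a class map with match lines for two different protocols can never be satisfied, which is why the sample combines SSH and Telnet under match-any.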
To display service policy statistics for all policy maps or a specific Layer 3 and
Layer 4 remote network traffic management policy map, use the show
service-policy command in Exec mode.
The syntax of this command is as follows:
show service-policy [policy_name [detail]]
The keywords, options, and arguments are as follows:
• policy_name—(Optional) Existing policy map that is currently in service
(applied to an interface) as an unquoted text string with a maximum of 64
alphanumeric characters. If you do not enter the name of an existing policy
map, the ACE displays information and statistics for all policy maps.
• detail—(Optional) Displays a more detailed listing of policy map statistics
and status information.
Note
The ACE updates the counters that the show service-policy command displays
after the applicable connections are closed.
For example, to display service policy statistics for the
REMOTE_MGMT_ALLOW_POLICY policy map, enter:
host1/Admin# show service-policy REMOTE_MGMT_ALLOW_POLICY
Status     : ACTIVE
Description: Allow mgmt protocols
-----------------------------------------
Context Global Policy:
  service-policy: REMOTE_MGMT_ALLOW_POLICY
To clear the service policy statistics for a policy map, use the clear service-policy
command. The syntax of this command is as follows:
clear service-policy policy_name
For the policy_name argument, enter the identifier of an existing policy map that
is currently in service (applied to an interface).
For example, to clear the statistics for the policy map
REMOTE_MGMT_ALLOW_POLICY that is currently in service, enter:
host1/Admin# clear service-policy REMOTE_MGMT_ALLOW_POLICY
Configuring Telnet Management Sessions
The ACE supports a maximum 16 concurrent Telnet management sessions for the
Admin context and 4 concurrent Telnet management sessions for each user
context.
To control the maximum number of Telnet sessions allowed for each context, use
the telnet maxsessions command in configuration mode. The ACE supports a
total maximum of 256 concurrent Telnet sessions.
Telnet remote access sessions are established on the ACE per context. You can
create a context, assign an interface and IP address to it, and then log into the ACE
by using Telnet to connect to that IP address. This capability allows you to specify
a particular context when accessing the ACE. For details on creating users and
contexts, see the Cisco 4700 Series Application Control Engine Appliance
Virtualization Configuration Guide.
The syntax of this command is as follows:
telnet maxsessions max_sessions
The max_sessions argument sets the maximum number of concurrent Telnet
sessions allowed for the associated context. The range is from 1 to 16 Telnet
sessions for the Admin context and from 1 to 4 Telnet sessions for each user
context. The defaults are 16 (Admin context) and 4 (user context).
For example, to configure the maximum number of concurrent Telnet sessions
to 3 in the Admin context, enter:
host1/Admin(config)# telnet maxsessions 3
To revert to the default of 16 Telnet sessions for the Admin context, enter:
host1/Admin(config)# no telnet maxsessions
Configuring SSH Management Sessions
This section contains the following topics:
• Configuring Maximum Number of SSH Sessions
• Generating SSH Host Key Pairs
SSH remote access sessions are established on the ACE per context. You can
create a context, assign an interface and IP address to it, and then log into the ACE
by using SSH to connect to that IP address. This capability allows you to specify
a particular context when accessing the ACE. For details on creating users and
contexts, see the Cisco 4700 Series Application Control Engine Appliance
Virtualization Configuration Guide.
Configuring Maximum Number of SSH Sessions
The ACE supports a maximum of 16 concurrent SSH management sessions for the
Admin context and 4 concurrent SSH management sessions for each user context.
To control the maximum number of SSH sessions allowed for each context, use
the ssh maxsessions command in configuration mode. The ACE supports a total
maximum of 256 concurrent SSH sessions.
The syntax of this command is as follows:
ssh maxsessions max_sessions
The max_sessions argument sets the maximum number of concurrent SSH
sessions allowed for the associated context. The range is from 1 to 16 SSH
sessions for the Admin context and from 1 to 4 SSH sessions for each user
context. The defaults are 16 (Admin context) and 4 (user context).
For example, to configure the maximum number of concurrent SSH sessions in
the Admin context to 3, enter:
host1/Admin(config)# ssh maxsessions 3
To revert to the default of 16 SSH sessions for the Admin context, enter:
host1/Admin(config)# no ssh maxsessions
Generating SSH Host Key Pairs
The ACE supports remote login over an SSH session that uses private and public
key pairs to perform authentication for the context. DSA and RSA keys are
generated in pairs—one public key and one private key. With this method of
remote connection, use a generated private and public key pair to participate in a
secure communication by encrypting and decrypting messages.
The global administrator performs the key generation in the Admin context. All
contexts associated with the ACE share the common key. There is only a single
host-key pair.
Note
If you are the administrator or another user authorized in the Admin context, use
the changeto command in Exec mode to move to the Admin context. An
administrator can perform all allowable functions within the Admin context.
Ensure that you have an SSH host key pair with the appropriate version before
enabling the SSH service. The SSH service accepts three types of key pairs for
use by SSH versions 1 and 2. Generate the SSH host key pair according to the SSH
client version used. The number of bits specified for each key pair ranges from
768 to 4096.
To generate the SSH private key and the corresponding public key for use by the
SSH server, use the ssh key command in configuration mode.
The syntax of this command is as follows:
ssh key {dsa | rsa | rsa1} [bits [force]]
The arguments, keywords, and options are as follows:
• dsa—Generates the DSA key pair for the SSH version 2 protocol.
• rsa—Generates the RSA key pair for the SSH version 2 protocol.
• rsa1—Generates the RSA1 key pair for the SSH version 1 protocol.
• bits—(Optional) Number of bits for the key pair. For DSA, the range is from
768 to 2048. For RSA and RSA1, the range is from 768 to 4096. The greater
the number of bits that you specify, the longer it takes to generate the key. The
default is 768.
• force—(Optional) Forces the generation of a DSA or RSA key even when
previous keys exist. If the SSH key pair option is already generated for the
required version, use the force option to overwrite the previously generated
key pair.
Before you generate the key, set the hostname. This setting is used in the
generation of the key. See Chapter 1, Setting Up the ACE, for details on setting a
hostname.
For example, to generate an RSA1 key pair in the Admin context, enter:
host1/Admin(config)# ssh key rsa1 1024
generating rsa1 key
.....
generated rsa1 key
To remove the SSH host key pair, enter:
host1/Admin(config)# no ssh key rsa1
To clear the public keys of all trusted hosts, use the clear ssh hosts command
in Exec mode. These keys are either sent to an SSH client by an SSH server or
entered manually: when an SSH connection is made from the ACE, the SSH client
receives the server's public key and stores it locally. The clear ssh hosts
command removes all of these stored keys.
Terminating an Active User Session
To terminate an active SSH or Telnet session for the active context, use one of the
following commands in Exec mode:
• clear ssh {session_id | hosts}
• clear telnet {session_id}
The arguments, keywords, and options are as follows:
• session_id—Specifies the identifier of the SSH or Telnet session to
disconnect. You can obtain the specific session_id value using either the show
ssh session-info command or the show telnet command in Exec mode. See
the “Directly Accessing a User Context Through SSH” section for details.
• hosts—Clears the list of trusted SSH hosts from the ACE configuration.
For example, to terminate an SSH session, enter:
host1/Admin# clear ssh 345
Enabling ICMP Messages to the ACE
By default, the ACE does not allow ICMP messages to be received by an ACE
interface or to pass through the ACE interface. ICMP is an important tool for
testing your network connectivity; however, network hackers can also use ICMP
to attack the ACE or your network. We recommend that you allow ICMP during
your initial testing, but then disallow it during normal operation.
To permit or deny ICMP messages between specific addresses and an ACE
interface, either from a host to the ACE or from the ACE to a host (which
requires the ICMP reply to be allowed back), configure the following:
• Class map to provide the ICMP network traffic match criteria for the ACE.
• Policy map to enable ICMP network management access to and from the
ACE.
• Service policy to activate the policy map, attach the traffic policy to an
interface or globally on all interfaces, and specify the direction in which the
policy should be applied.
See the “Configuring Remote Network Management Traffic Services” section for
details on configuring a network management class map, policy map, and service
policy for the ACE.
To allow ICMP messages to pass through the ACE, configure an ICMP ACL to
permit or deny network connections based on the ICMP type (for example, echo,
echo-reply, or unreachable). See the Cisco 4700 Series Application Control
Engine Appliance Security Configuration Guide for details.
Note
If you want only to allow the ACE to ping a host (and allow the echo reply back
to the interface), but not allow hosts to ping the ACE, enable the ICMP application
protocol inspection function instead of defining a class map and policy map. See
the Cisco 4700 Series Application Control Engine Appliance Security
Configuration Guide for details.
For example, to allow the ACE to receive ICMP pings, enter:
host1/Admin(config)# class-map type management match-all ICMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow ICMP packets
host1/Admin(config-cmap-mgmt)# match protocol icmp source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)# policy-map type management first-match ICMP_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input ICMP_ALLOW_POLICY
Directly Accessing a User Context Through SSH
As the global administrator, from the Admin context, you can configure a user
context and enable direct login access to that user context from a remote SSH
session. To configure the ACE to provide direct access to a user context from SSH,
perform the following steps:
Step 1
Create a user context by entering the following command:
host1/Admin(config)# context C1
host1/Admin(config-context)#
See the Cisco 4700 Series Application Control Engine Appliance Virtualization
Configuration Guide.
Step 2
Associate an existing VLAN with the user context so that the context can receive
traffic classified for it by entering the following command:
host1/Admin(config-context)# allocate-interface vlan 100
See the Cisco 4700 Series Application Control Engine Appliance Routing and
Bridging Configuration Guide.
Step 3
Generate the SSH host key pair by entering the following command:
host1/Admin(config-context)# ssh key rsa1 1024
generating rsa1 key
.....
generated rsa1 key
See the “Generating SSH Host Key Pairs” section.
Step 4
Change to the C1 context that you created in Step 1 and enter configuration mode
in that context by entering the following commands:
host1/Admin(config-context)# do changeto C1
host1/C1(config-context)# exit
host1/C1(config)#
Only users authenticated in the Admin context can use the changeto command.
Step 5
Configure the VLAN interface that you allocated to the user context in Step 2 by
entering the following commands:
host1/C1(config)# interface vlan 50
host1/C1(config-if)# ip address 192.168.1.1 255.255.255.0
host1/C1(config-if)# no shutdown
host1/C1(config-if)# exit
host1/C1(config)#
For example, assign an IP address to the interface and reenable the interface
within the context with the no shutdown command. See the Cisco 4700 Series
Application Control Engine Appliance Routing and Bridging Configuration
Guide.
Step 6
Create an SSH remote management policy and apply the associated service policy
to all VLAN interfaces or just to the VLAN interface allocated to the user context
by entering the following commands:
host1/C1(config)# class-map type management match-all SSH-ALLOW_CLASS
host1/C1(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254
host1/C1(config-cmap-mgmt)# exit
host1/C1(config)#
host1/C1(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/C1(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/C1(config-pmap-mgmt-c)# permit
host1/C1(config-pmap-mgmt-c)# exit
host1/C1(config)# interface vlan 50
host1/C1(config-if)# ip address 192.168.1.1 255.255.255.0
host1/C1(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
host1/C1(config-if)# exit
host1/C1(config)#
See the “Configuring Remote Network Management Traffic Services” section.
Step 7
Create an IP route by entering the following command:
host1/C1(config)# ip route 0.0.0.0 255.255.255.0 192.168.4.8
See the Cisco 4700 Series Application Control Engine Appliance Security
Configuration Guide.
To directly access the user context from an SSH client, perform the following
steps:
Step 1
From the SSH client, establish a remote SSH session to the IP address of the user
context VLAN interface.
Step 2
Enter the password for the user context VLAN interface. The ACE CLI prompt
appears in Exec mode of the user context.
host1/C1#
Example of a Remote Access Configuration
The following example illustrates a running configuration that defines rules for
remote access to the ACE through the use of class maps, policy maps, and service
policies. The remote access configuration appears in bold in the example.
telnet maxsessions 3
ssh maxsessions 3
access-list ACL1 line 10 extended permit ip any any
class-map type management match-any L4_REMOTE-MGT_CLASS
  description Allows Telnet, SSH, and ICMP protocols
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match L4_REMOTE-MGT_POLICY
  class L4_REMOTE-MGT_CLASS
    permit
interface vlan 50
  ip address 192.168.1.1 255.255.255.0
  access-group input ACL1
  service-policy input L4_REMOTE-MGT_POLICY
  no shutdown
ssh key rsa1 1024 force
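The running configuration above permits Telnet, SSH, and ICMP to the VLAN 50 interface from any source (match protocol ... any) and generates an rsa1 host key, which the ssh key command documents as an SSH version 1 key. The following Python script is an added example, not part of this guide or of the ACE software: it reads a saved ACE running configuration, collects the management class maps, the policy maps that permit them, and the interfaces the policies are applied to, and reports management protocols permitted from any source, Telnet (which carries credentials in cleartext), and an rsa1 host key. The sample configuration is copied from the example above; the hardened variant, the regular expressions, and the finding labels are the example's own assumptions about how such an audit would be written.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Running-configuration excerpt copied from the example above. The ACE prints
# class-map match lines with a leading line number ("2 match ..."), which the
# parser tolerates.
SAMPLE_CONFIG = """\
telnet maxsessions 3
ssh maxsessions 3
access-list ACL1 line 10 extended permit ip any any
class-map type management match-any L4_REMOTE-MGT_CLASS
  description Allows Telnet, SSH, and ICMP protocols
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match L4_REMOTE-MGT_POLICY
  class L4_REMOTE-MGT_CLASS
    permit
interface vlan 50
  ip address 192.168.1.1 255.255.255.0
  access-group input ACL1
  service-policy input L4_REMOTE-MGT_POLICY
  no shutdown
ssh key rsa1 1024 force
"""

# Constructed tighter variant (not from the guide): SSH only, limited to one
# management subnet, and an SSH version 2 RSA host key.
HARDENED_CONFIG = """\
class-map type management match-all SSH-ALLOW_CLASS
  2 match protocol ssh source-address 172.16.10.0 255.255.255.0
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class SSH-ALLOW_CLASS
    permit
interface vlan 50
  service-policy input REMOTE_MGMT_ALLOW_POLICY
ssh key rsa 2048
"""

CLASS_RE = re.compile(r"class-map type management match-(?:any|all) (\S+)$")
POLICY_RE = re.compile(r"policy-map type management first-match (\S+)$")
MATCH_RE = re.compile(
    r"(?:\d+ )?match protocol (\S+) (?:(any)|source-address (\S+) (\S+))$")
PCLASS_RE = re.compile(r"class (\S+)$")
IFACE_RE = re.compile(r"interface (vlan \d+)$")
SERVICE_RE = re.compile(r"service-policy input (\S+)$")


@dataclass
class MgmtConfig:
    # class -> [(protocol, source)]; policy -> {class: permit|deny};
    # applied -> [(interface or "global", policy)]
    classes: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    policies: Dict[str, Dict[str, str]] = field(default_factory=dict)
    applied: List[Tuple[str, str]] = field(default_factory=list)
    rsa1_key: bool = False


def parse_management_config(config: str) -> MgmtConfig:
    """Collect management class maps, policy maps, and where they are applied."""
    cfg = MgmtConfig()
    cur_class = cur_policy = cur_pclass = cur_iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := CLASS_RE.match(line):
            cur_class, cur_policy, cur_iface = m.group(1), None, None
            cfg.classes[cur_class] = []
        elif m := POLICY_RE.match(line):
            cur_policy, cur_pclass, cur_class, cur_iface = m.group(1), None, None, None
            cfg.policies[cur_policy] = {}
        elif m := IFACE_RE.match(line):
            cur_iface, cur_class, cur_policy = m.group(1), None, None
        elif (m := MATCH_RE.match(line)) and cur_class:
            source = m.group(2) or f"{m.group(3)} {m.group(4)}"
            cfg.classes[cur_class].append((m.group(1), source))
        elif (m := PCLASS_RE.match(line)) and cur_policy:
            cur_pclass = m.group(1)
        elif line in ("permit", "deny") and cur_policy and cur_pclass:
            cfg.policies[cur_policy][cur_pclass] = line
        elif m := SERVICE_RE.match(line):
            # Inside an interface block the policy is per interface; otherwise global.
            cfg.applied.append((cur_iface or "global", m.group(1)))
        elif line.startswith("ssh key rsa1"):
            cfg.rsa1_key = True
            cur_iface = None
    return cfg


def audit_management_access(config: str) -> List[Tuple[str, str, str, str]]:
    """Return (interface, policy, protocol, issue) findings for applied policies."""
    cfg = parse_management_config(config)
    findings = []
    for iface, policy in cfg.applied:
        for cls, action in cfg.policies.get(policy, {}).items():
            if action != "permit":
                continue
            for proto, source in cfg.classes.get(cls, []):
                if source == "any":
                    findings.append((iface, policy, proto, "permitted from any source"))
                if proto == "telnet":
                    findings.append((iface, policy, proto, "cleartext management protocol"))
    if cfg.rsa1_key:
        findings.append(("-", "-", "ssh", "SSH version 1 (rsa1) host key configured"))
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(*finding, sep="  ")
    print("hardened:", audit_management_access(HARDENED_CONFIG))
```

Run against the sample it reports five findings (Telnet, SSH, and ICMP open to any source, Telnet as a cleartext protocol, and the rsa1 key); the hardened variant, which uses the source-address form of match protocol shown in the SSH example earlier in this chapter and an rsa key, produces none.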
Viewing Session Information
This section contains the following topics:
• Showing Telnet Session Information
• Showing SSH Session Information
Showing Telnet Session Information
To display information related to the Telnet session, use the show telnet command
in Exec mode. Only the context administrator can view Telnet information
associated with a particular context.
The syntax of this command is as follows:
show telnet [context_name]
The optional context_name argument specifies the name of the context for which
you want to view specific Telnet session information. The context_name argument
is case sensitive.
For example, enter:
host1/Admin# show telnet
Table 2-2 describes the fields in the show telnet command output.
Table 2-2 Field Descriptions for the show telnet Command

Field          Description
SessionID      Unique session identifier for the Telnet session.
Remote Host    IP address and port of the remote Telnet client.
Active Time    Time since the Telnet connection request was received by the ACE.
To display the maximum number of enabled Telnet sessions, use the show telnet
maxsessions command in Exec mode. Only context administrators can view
Telnet session information associated with a particular context.
The syntax of this command is as follows:
show telnet maxsessions [context_name]
The optional context_name argument specifies the name of the context for which
you want to view the maximum number of Telnet sessions. The context_name
argument is case sensitive.
For example, enter:
host1/Admin# show telnet maxsessions
Maximum Sessions Allowed is 4
Showing SSH Session Information
This section contains the following topics:
• Showing SSH Session Information
• Showing SSH Key Details
Showing SSH Session Information
To display information related to the SSH session, use the show ssh session-info
command in Exec mode. Only context administrators can view SSH session
information associated with a particular context.
The syntax of this command is as follows:
show ssh session-info [context_name]
The optional context_name argument specifies the name of the context for which
you want to view specific SSH session information. The context_name argument
is case sensitive.
For example, enter:
host1/Admin# show ssh session-info
Table 2-3 describes the fields in the show ssh session-info command output.
Table 2-3 Field Descriptions for the show ssh session-info Command

Field          Description
SessionID      Unique session identifier for the SSH session.
Remote Host    IP address and port of the remote SSH client.
Active Time    Time since the SSH connection request was received by the ACE.
To display the maximum number of enabled SSH sessions, use the show ssh
maxsessions command in Exec mode. Only context administrators can view SSH
session information associated with a particular context.
The syntax of this command is as follows:
show ssh maxsessions [context_name]
The optional context_name argument specifies the name of the context for which
the context administrator wants to view the maximum number of SSH sessions.
The context_name argument is case sensitive.
For example, enter:
host1/Admin# show ssh maxsessions
Maximum Sessions Allowed is 4(SSH Server is enabled)
Showing SSH Key Details
Use the show ssh key command in Exec mode to display the host key pair details
for the specified key or for all keys if you do not specify a key.
The syntax of this command is as follows:
show ssh key [dsa | rsa | rsa1]
The arguments, keywords, and options are as follows:
• dsa—Specifies the DSA key pair for the SSH version 2 protocol.
• rsa—Specifies the RSA key pair for the SSH version 2 protocol.
• rsa1—Specifies the RSA1 key pair for the SSH version 1 protocol.
For example, enter:
host1/Admin# show ssh key
**************************************
could not retrieve rsa1 key information
**************************************
rsa Keys generated:Tue Mar 7 19:37:17 2006
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEA4v4DQ8aNl482qDTRju9G07hEIxCgTWanPm+WOCU1kihZQNd5ZwA50CBAJSfIIIB4iED6iQbhOkbXSneCvTb5mVoish2wvJrETpIDIeGxxh/jWVsU/MeBbA/7o5tvgCeT6p7pGF5oUNYFP0OeZ9BiIWDc4jBmYEQLEqJHPrMhSFE=
bitcount:1024
fingerprint:
f5:55:00:18:bc:af:41:74:b6:bc:aa:8e:46:31:74:4f
**************************************
dsa Keys generated:Tue Dec 20 19:37:17 2005
ssh-dss
AAAAB3NzaC1kc3MAAACBAPqDdEqU+0gNtKRXM+DQAXnvcB+H89nq8jA4WgJ7uQcuDCLaG7LqjtKTltJjA6aZVywsQWQ6n4kTlkavZy3cj6PUbSyqvmCTsaYyYo4UQ6CKrK9V+NsfgzTSLWTH8iDUvYjLc3nU51QEKjy7mPsQeX31y1M1rhp8qhkbMKxkc49XAAAAFQCPM0QJrq6+kkaghJpeNxeXhUH9HwAAAIEAkeZ1ZJM6sfKqJDYPLHkTro+lpbV9uR4VyYoZmSoehi/LmSaZDq+Mc8UN1LM+i5vkOgnKcearD9lM4/hKzZGYx5hJOiYCKj/ny2a5p/8HK152cnsOAg6ebkiTTWAprcWrcHDS/1mcaI5GzLrZCdlXW5gBFZtMTJGstICmVWjibewAAACBAJQ66zdZQqYiCWtZfmakridEGDTLV6ixIDjBNgb84qlj+Y1XMzqLL0D4oMSb7idEL3BmhQYQW7hkTK0oS4kVawI1VmW2kvrqoGQnLNQRMvisAXuJWKk1Ln6vWPGZZe8KoALv0GXxsOv2gk/zTDk01oCaTVw//bXJtoVRgIlWXLIP
bitcount:1024
fingerprint:
8e:13:5c:3e:1a:9c:7a:ed:d0:84:eb:96:12:db:82:be
**************************************
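The key blobs in the show ssh key output above are standard SSH public keys in the RFC 4253 wire format, so the bit count and fingerprint the ACE reports can be checked independently; this is also the check to make after generating a host key pair as described in the “Generating SSH Host Key Pairs” section. The following Python script is an added example, not part of this guide or of the ACE software. It decodes the two keys copied from the output above (joined across the PDF line breaks), reads the key type, exponent, and modulus or prime size from the length-prefixed fields, computes the MD5 fingerprint in the colon-separated form the ACE prints (the assumption, as with OpenSSH, is that the fingerprint is the MD5 of the decoded blob), and flags DSA keys and keys shorter than an assumed 2048-bit minimum. rsa1 (SSH version 1) keys use a different encoding and are not handled, matching the “could not retrieve rsa1 key information” line above.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Optional

# Public keys copied from the show ssh key output above; the short fragments are
# where the PDF wrapped the base64 text, so they are joined before decoding.
RSA_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAABIwAAAIEA4v4DQ8aNl482qDTRju9G07hEIxCgTWanPm+WOCU1ki"
    "hZ"
    "QNd5ZwA50CBAJSfIIIB4iED6iQbhOkbXSneCvTb5mVoish2wvJrETpIDIeGxxh/jWVsU/M"
    "eBbA/7o5tv"
    "gCeT6p7pGF5oUNYFP0OeZ9BiIWDc4jBmYEQLEqJHPrMhSFE="
)
DSA_KEY_B64 = (
    "AAAAB3NzaC1kc3MAAACBAPqDdEqU+0gNtKRXM+DQAXnvcB+H89nq8jA4WgJ7uQcuDCLaG7"
    "Lq"
    "jtKTltJjA6aZVywsQWQ6n4kTlkavZy3cj6PUbSyqvmCTsaYyYo4UQ6CKrK9V+NsfgzTSLW"
    "TH8iDUvYjL"
    "c3nU51QEKjy7mPsQeX31y1M1rhp8qhkbMKxkc49XAAAAFQCPM0QJrq6+kkaghJpeNxeXhU"
    "H9HwAAAIEA"
    "keZ1ZJM6sfKqJDYPLHkTro+lpbV9uR4VyYoZmSoehi/LmSaZDq+Mc8UN1LM+i5vkOgnKce"
    "arD9lM4/hK"
    "zZGYx5hJOiYCKj/ny2a5p/8HK152cnsOAg6ebkiTTWAprcWrcHDS/1mcaI5GzLrZCdlXW5"
    "gBFZtMTJGs"
    "tICmVWjibewAAACBAJQ66zdZQqYiCWtZfmakridEGDTLV6ixIDjBNgb84qlj+Y1XMzqLL0"
    "D4oMSb7idE"
    "L3BmhQYQW7hkTK0oS4kVawI1VmW2kvrqoGQnLNQRMvisAXuJWKk1Ln6vWPGZZe8KoALv0G"
    "XxsOv2gk/z"
    "TDk01oCaTVw//bXJtoVRgIlWXLIP"
)

MIN_KEY_BITS = 2048  # assumed local policy; the ACE default of 768 is far below it


def parse_fields(blob: bytes) -> List[bytes]:
    """Split an SSH public-key blob into its uint32-length-prefixed fields."""
    fields = []
    pos = 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def describe_key(b64: str) -> Dict[str, object]:
    """Decode a wrapped base64 key and report type, size, fingerprint, warnings."""
    blob = base64.b64decode("".join(b64.split()), validate=True)
    fields = parse_fields(blob)
    ktype = fields[0].decode("ascii")
    exponent: Optional[int] = None
    if ktype == "ssh-rsa" and len(fields) == 3:          # type, e, n
        exponent = int.from_bytes(fields[1], "big")
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif ktype == "ssh-dss" and len(fields) == 5:        # type, p, q, g, y
        bits = int.from_bytes(fields[1], "big").bit_length()
    else:
        raise ValueError(f"unsupported or malformed key type {ktype!r}")
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    warnings = []
    if ktype == "ssh-dss":
        warnings.append("DSA host key: limited to 1024 bits and disabled by "
                        "default in OpenSSH 7.0 and later clients")
    if bits < MIN_KEY_BITS:
        warnings.append(f"{bits}-bit key is below the {MIN_KEY_BITS}-bit minimum")
    return {"type": ktype, "bits": bits, "exponent": exponent, "fields": len(fields),
            "fingerprint": fingerprint, "warnings": warnings}


if __name__ == "__main__":
    for name, key in (("rsa", RSA_KEY_B64), ("dsa", DSA_KEY_B64)):
        print(name, describe_key(key))
```

Compare the returned fingerprint with the fingerprint line the ACE prints for the same key; a mismatch means the key text was not copied intact. Both keys in this output are reported as 1024-bit, so both fall below the assumed minimum; the ssh key rsa command accepts up to 4096 bits, so generating the SSH version 2 RSA key with a larger size stays within the documented range.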
Chapter 3
Managing ACE Software Licenses
This chapter describes how to manage the software licenses for your Cisco 4700
Series Application Control Engine (ACE) appliance. It contains the following
major sections:
• Available ACE Licenses
• Ordering an Upgrade License and Generating a Key
• Copying a License File to the ACE
• Installing a New or Upgrade License File
• Replacing a Demo License with a Permanent License
• Removing a License
• Backing Up a License File
• Displaying License Configurations and Statistics
Note
You can access the license and show license commands only in the Admin
context. You must have the Admin role in the Admin context to install, remove,
and update the license file.
Available ACE Licenses
By default, the ACE supports the following features and capabilities:
• Performance: 1 gigabit per second (Gbps) appliance throughput
• Virtualization: 1 admin context and 5 user contexts
• Secure Sockets Layer (SSL): 1000 transactions per second (TPS)
• Hypertext Transfer Protocol (HTTP) compression: 100 megabits per second
(Mbps)
You can increase the performance and operating capabilities of your ACE product
by purchasing one of the licensing options.
There are two methods to order your ACE product:
• Ordering a license bundle. Each license bundle includes the ACE appliance
and a series of software licenses.
• Ordering separate license options.
Table 3-1 summarizes the contents of the available license bundles. Table 3-2
provides a list of the default and upgrade ACE appliance licensing options.
Table 3-1 ACE Licensing Bundles

License Model      Description
ACE-4710-2F-K9     This license bundle includes the following items:
                   • ACE 4710 appliance
                   • 2 Gbps throughput license
                   • 7500 SSL transactions per second (TPS) license
                   • 1 Gbps compression license
                   • 5 virtual contexts license (default)
                   • Application acceleration license (50 connections)
ACE-4710-1F-K9     This license bundle includes the following items:
                   • ACE 4710 appliance
                   • 1 Gbps throughput license
                   • 5000 SSL TPS license
                   • 500 Mbps compression license
                   • 5 virtual contexts license (default)
                   • Application acceleration license (50 connections)
Table 3-2 ACE Licensing Options

Feature                    License Model           Description
Performance Throughput     ACE-AP-01-LIC (default) 1-Gbps throughput.
                           ACE-AP-02-LIC           2-Gbps throughput.
                           ACE-AP-04-LIC           4-Gbps throughput.
                           ACE-AP-02-UP1           Upgrade from 1-Gbps to 2-Gbps throughput.
                           ACE-AP-04-UP1           Upgrade from 1-Gbps to 4-Gbps throughput.
                           ACE-AP-04-UP2           Upgrade from 2-Gbps to 4-Gbps throughput.
Virtualization             Default                 1 admin/5 user contexts.
                           ACE-AP-VIRT-020         1 admin/20 user contexts.
SSL                        Default                 1000 TPS.
                           ACE-AP-SSL-05K-K9       5000 TPS.
                           ACE-AP-SSL-07K-K9       7500 TPS.
                           ACE-AP-SSL-UP1-K9       Upgrade from 5000 TPS to 7500 TPS.
HTTP Compression           Default                 100-Mbps.
                           ACE-AP-C-500-LIC        500-Mbps.
                           ACE-AP-C-1000-LIC       1-Gbps.
                           ACE-AP-C-2000-LIC       2-Gbps.
                           ACE-AP-C-UP1            Upgrade from 500 Mbps to 1 Gbps.
                           ACE-AP-C-UP2            Upgrade from 500 Mbps to 2 Gbps.
                           ACE-AP-C-UP3            Upgrade from 1 Gbps to 2 Gbps.
Application Acceleration   ACE-AP-OPT-LIC-K9       Application acceleration and optimization. By default,
Feature Pack License                               the ACE performs up to 50 concurrent connections. With
                                                   the application acceleration and optimization software
                                                   feature pack installed, the ACE can provide greater than
                                                   50 concurrent connections. This license increases the
                                                   operating capabilities of the following features:
                                                   • Delta optimization
                                                   • Adaptive dynamic caching
                                                   • Flashforward
                                                   • Dynamic Etag
ACE demo licenses are available through your Cisco account representative. A
demo license is valid for only 60 days. At the end of this period, you must update
the demo license with a permanent license to continue to use the ACE software.
To view the expiration of a demo license, use the show license usage command
in Exec mode.
Note
If you need to replace the ACE, you can copy and install the license file for the
license onto the replacement appliance.
Ordering an Upgrade License and Generating a Key
This section describes the process that you use to order an upgrade license and to
generate a license key for your ACE. To order an upgrade license, perform the
following steps:
Step 1
Order one of the licenses from the list in Table 3-2 using any of the available
Cisco ordering tools on cisco.com.
Step 2
When you receive the Software License Claim Certificate from Cisco, follow the
instructions that direct you to the following Cisco.com website:
http://www.cisco.com/go/license
Step 3
Enter the Product Authorization Key (PAK) number found on the Software
License Claim Certificate as your proof of purchase.
Step 4
Provide all the requested information to generate a license key.
Step 5
Once the system generates the license key, you will receive a license key e-mail
with an attached license file and installation instructions. (The installation
instructions are also described in the “Copying a License File to the ACE” section
of this chapter.) Save the license key e-mail in a safe place in case you need it in
the future (for example, to transfer the license to another ACE).
Copying a License File to the ACE
When you receive the software license key e-mail from Cisco Systems, you must
copy the attached license file to a network server. Then use the copy command in
Exec mode from the Admin context to copy the file from the network server to
disk0: on the ACE. For detailed information on copying files from a remote
server, see Chapter 4, Managing the ACE Software.
For example, the syntax of the copy tftp command is:
copy tftp:[//server[/path/][/filename]] disk0:[path/]filename
The arguments are:
• [//server[/path/][/filename]]—The path to the network server. This path is
optional because the ACE prompts you for this information if you omit it.
• disk0:[path/]filename—Specifies that the file destination is the disk0:
directory of the current context and the filename. If you do not provide the
optional path, the ACE copies the file to the root directory on the disk0: file
system.
For example, to copy the ACE-AP-VIRT-020.lic license file from the license
directory on the track network server to the root directory on disk0:, enter:
host1/Admin# copy tftp://track/license/ACE-AP-VIRT-020.lic disk0:
If the license is a demo or permanent license for a new or upgrade installation, see
the “Installing a New or Upgrade License File” section.
If the license is a permanent license replacing a demo license, see the “Replacing
a Demo License with a Permanent License” section.
Installing a New or Upgrade License File
After you copy a demo or permanent license file to the ACE for a new or upgrade
installation, you can install it. All license installations except one have no adverse
impact on an operating ACE. No reboot is required and existing connections are
not interrupted. In a redundant configuration, mismatched context licenses cause
the active ACE to generate a syslog message if logging is enabled and to disable
configuration synchronization. After you install the correct matching license on
the standby ACE, the software automatically detects the license and restores
normal operation. For information on replacing a demo license with a permanent
one, see the “Replacing a Demo License with a Permanent License” section.
Caution
If you install a context demo license, make sure that you save the Admin running
configuration and all user context running configurations to a remote server. If
you allow a context license to expire, the ACE automatically removes all user
contexts from the Admin running configuration and all configurations for the user
contexts.
To install or upgrade a license on your ACE, use the license install disk0:
command in Exec mode from the Admin context. The syntax of this command is:
license install disk0:[path/]filename [target_filename]
The arguments are:
• [path/]filename—Installs the license stored on the disk0: file system. If you
do not specify the optional path, the ACE looks for the file in the root
directory.
• target_filename—(Optional) Target filename for the license file.
For example, to install the 2 Gbps appliance throughput performance license,
enter:
host1/Admin# license install disk0:ACE-AP-02-LIC.lic
To install a license file for an SSL 5000 TPS license, enter:
host1/Admin# license install disk0:ACE-AP-SSL-05K-K9.lic
To install a license file for a 20 context license, enter:
host1/Admin# license install disk0:ACE-AP-VIRT-020.lic
Replacing a Demo License with a Permanent License
The ACE demo license is valid for only 60 days. Four weeks before the license
expires, the ACE generates warning syslog messages once a day. During the final
week, a warning syslog message occurs once an hour. Before this period ends, you
must update the demo license with a permanent license. Otherwise, the ACE will
revert to its previous throughput performance, SSL TPS, or number of contexts.
Caution
If you replace the context demo license with a permanent license, you can
continue to use the configured user contexts on the ACE. However, if you allow a
context license to expire, the ACE automatically removes all user contexts from
the Admin running configuration and all configurations for the user contexts.
Before a context license expires, save the Admin running configuration and the
user context running configurations to a remote server.
To view the expiration of the demo license, use the show license usage command
in Exec mode from the Admin context.
After you copy the permanent license file to the ACE, you can install it. To replace
a demo license with a permanent license, use the license update disk0: command
in Exec mode from the Admin context. The syntax of this command is:
license update disk0:[path/]permanent_filename demo_filename
The keyword and arguments are:
• [path/]permanent_filename—Filename for the permanent license file that
you copied onto the ACE.
• demo_filename—Filename for the demo license file that the permanent
license file is replacing.
For example, enter:
host1/Admin# license update disk0:ACE-AP-VIRT-020.lic ACE-AP-VIRT-020-DEMO.lic
Removing a License
To remove an installed license, use the license uninstall command in Exec mode
from the Admin context. The syntax for this command is:
license uninstall license_filename
The license_filename argument specifies the filename of the license file that you
want to remove. Enter the license filename as an unquoted text string with no
spaces.
Note
When you enter the clear startup-config or the write erase command, the ACE
does not remove license files from the startup-configuration file. You must use the
license uninstall command to remove license files from the ACE.
The following sections provide information about how to remove licenses:
• Removing an Appliance Performance Throughput License
• Removing an SSL TPS License
• Removing a Virtualization Context License
• Removing an HTTP Compression Performance License
• Removing the Application Acceleration Software Feature Pack License
Caution
When you remove a demo or permanent virtual context license, the ACE removes
all user contexts from the Admin running configuration. By removing the user
contexts, their running and startup configurations are also removed from the ACE.
Before removing any virtual context license, save the Admin running
configuration and the user context running configurations to a remote server. For
more information, see the “Removing a Virtualization Context License” section.
Removing an Appliance Performance Throughput License
To remove a performance throughput license, use the license uninstall command in Exec mode from the Admin context. Table 3-3 lists the current performance throughput, the applicable licenses on the ACE, and the throughput that remains after the license is removed.
Table 3-3    Performance Throughput License Removal
Current performance throughput   Applicable license   Result of license removal
1-Gbps throughput                Not applicable       —
2-Gbps throughput                ACE-AP-02-LIC        1-Gbps throughput
                                 ACE-AP-02-UP1        1-Gbps throughput
4-Gbps throughput                ACE-AP-04-LIC        1-Gbps throughput
                                 ACE-AP-04-UP1        1-Gbps throughput
                                 ACE-AP-04-UP2        2-Gbps throughput
For example, to remove a performance throughput license, enter:
host1/Admin# license uninstall ACE-AP-04-LIC.lic
Removing an SSL TPS License
To remove an ACE SSL TPS license, use the license uninstall command in Exec mode from the Admin context. When you uninstall an SSL TPS license, the ACE reverts to the default SSL performance of 1000 TPS.
For example, to remove an SSL TPS license, enter:
host1/Admin# license uninstall ACE-AP-SSL-05K-K9.lic
Removing a Virtualization Context License
The number of virtual contexts and the type of licenses currently installed on the ACE determine which license you can remove. Table 3-4 lists the currently installed contexts, the type of license on the ACE, and the number of contexts that remain after the license is removed.
Table 3-4    Virtual Context License Removal
Current number of contexts   Applicable license   Result of license removal
5 (default)                  Not applicable       —
20                           ACE-AP-VIRT-020      5 contexts
Caution
When you remove a demo or permanent virtual context license, the ACE removes all user contexts from the Admin running configuration. Removing the user contexts also removes their running and startup configurations from the ACE. Before removing any virtual context license, save the Admin running configuration and the user context running configurations to a remote server.
To remove a context license, perform the following steps:
Step 1
Save the Admin and user context running configurations to a remote server by entering the copy running-config command in Exec mode in each context. For more information on this command, see Chapter 4, Managing the ACE Software.
For example, to copy the Admin running configuration to a TFTP server as R-CONFIG-ADM, enter:
host1/Admin# copy running-config tftp://192.168.1.2/R-CONFIG-ADM
To copy the C1 user context running configuration to a TFTP server, access the C1 context and enter:
host1/C1# copy running-config tftp://192.168.1.2/R-CONFIG-C1
Step 2
Remove the license with the license uninstall command. For example, to remove the ACE-AP-VIRT-020.lic license, enter:
host1/Admin# license uninstall ACE-AP-VIRT-020.lic
The ACE displays the following messages and prompt:
Clearing license ACE-AP-VIRT-020.lic:
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-AP-VIRT-020 cisco 1.0 permanent 1 \
VENDOR_STRING=<count>1</count> HOSTID=ANY \
NOTICE="<LicFileID>20051103151315824</LicFileID><LicLineID>1</LicLineID> \
<PAK></PAK>" SIGN=86A13B1EA2F2
INCREMENT ACE-AP-VIRT-020 cisco 1.0 permanent 1 \
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! WARNING: Uninstalling virtual context license will automatically!!
!!! cleanup all the user context configurations, please backup the !!
!!! configurations before proceeding further with uninstallation !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Do you want to continue? (y/n)
Step 3
If you have not saved the running configurations for the Admin and user contexts to a remote server, enter n and go to Step 1.
If you saved the running configurations for the Admin and user contexts to a remote server, enter y.
During the license removal, the ACE removes the user context configurations
from the Admin running configuration, causing the deletion of all user contexts
including their running and startup configurations.
Step 4
Display the current number of supported contexts on the ACE by entering the
show license status command in Exec mode of the Admin context.
Step 5
Determine which contexts you want to keep in the Admin running configuration.
Using a text editor, manually remove the extra context configurations from the
Admin running configuration on the remote server.
If the Admin running configuration contains more contexts than what the ACE
supports and you copy this configuration to the ACE, the ACE rejects contexts
that exceed the supported limit. For example, if the running configuration
contains 20 contexts, when you remove the license, the ACE supports five
contexts. If you attempt to copy the configuration with all 20 contexts, the ACE
allows the first five contexts, fails the remaining contexts, and displays error
messages on the console.
Note
You can also manually recreate the user contexts in the running configuration that is currently on the ACE. If you do, go to Step 7.
Step 6
Retrieve the modified Admin running configuration from the remote server. For
example, to copy the R-CONFIG-ADM Admin running configuration from the
TFTP server, enter:
host1/Admin# copy tftp://192.168.1.2/R-CONFIG-ADM running-config
Step 7
Copy the Admin running configuration to the startup-configuration file. For
example, enter:
host1/Admin# copy running-config startup-config
Note
If you do not update the startup configuration with the latest running
configuration, when the ACE restarts, it uses the startup configuration with the
extra contexts. The ACE allows the number of contexts that the license supports,
but fails the remaining contexts.
Step 8
Access the user context, and copy its running configuration from the remote server. For example, to copy the C1 user context running configuration from the TFTP server, access the C1 context and enter:
host1/C1# copy tftp://192.168.1.2/R-CONFIG-C1 running-config
Step 9
Copy the user context running configuration to the startup-configuration file. For example, while still in the C1 context, enter:
host1/C1# copy running-config startup-config
Step 10
Repeat Steps 8 and 9 until you retrieve the running configurations for all user
contexts configured in the Admin configuration.
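Step 5 above asks you to remove the surplus context blocks from the saved Admin running configuration by hand. The following Python script, added here as an example and not part of Cisco's documentation or the ACE software, does that edit mechanically: it splits the backup into context blocks, keeps context Admin plus either the first N user contexts (the order in which the ACE would accept them when the file is copied back) or an explicit keep list, and reports which contexts it dropped so you know which per-context backups from Step 1 no longer have a home. The sample configuration is constructed for the example and assumes, as in live CLI output, that context subcommands are indented under context <name> (this PDF flattens that indentation). The max_user_contexts value is the user-context count you confirm with show license status in Step 4; whether the Admin context counts toward the licensed total is settled there, which is why it is a parameter rather than a constant.

```python
"""Trim a saved ACE Admin running-config to the licensed number of user contexts.

Added example, not Cisco tooling. Assumes context subcommands are indented under
'context <name>' as in live CLI output; 'context Admin' is never removed.
"""
import re
from typing import List, Optional, Tuple

CONTEXT_RE = re.compile(r"^context\s+(\S+)\s*$")
ADMIN = "Admin"
Segment = Tuple[Optional[str], List[str]]   # (context name or None, its lines)

# Constructed sample backup (R-CONFIG-ADM) with five user contexts; the
# interface block checks that other indented blocks are left untouched.
SAMPLE_ADMIN_CONFIG = """\
logging enable
interface vlan 16
  ip address 16.1.1.12 255.0.0.0
  no shutdown
context Admin
  member default
context C1
  allocate-interface vlan 101
  member default
context C2
  allocate-interface vlan 102
  member default
context C3
  allocate-interface vlan 103
  member default
context C4
  allocate-interface vlan 104
  member default
context C5
  allocate-interface vlan 105
  member default
username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain
"""


def split_segments(config_text: str) -> List[Segment]:
    """Split into 'context <name>' blocks (header plus indented subcommands)
    and the runs of other lines between them, preserving order."""
    segments: List[Segment] = []
    name: Optional[str] = None
    lines: List[str] = []
    for line in config_text.splitlines():
        m = CONTEXT_RE.match(line)
        if m:                                     # a new context block starts
            if lines:
                segments.append((name, lines))
            name, lines = m.group(1), [line]
        elif name is not None and line[:1].isspace():
            lines.append(line)                    # indented: still in the block
        else:
            if name is not None:                  # top-level line ends the block
                segments.append((name, lines))
                name, lines = None, []
            lines.append(line)
    if lines:
        segments.append((name, lines))
    return segments


def user_context_names(config_text: str) -> List[str]:
    return [n for n, _ in split_segments(config_text) if n not in (None, ADMIN)]


def trim_contexts(config_text: str, max_user_contexts: int,
                  keep: Optional[List[str]] = None) -> Tuple[str, List[str], List[str]]:
    """Return (trimmed_config, kept_user_contexts, dropped_user_contexts).
    max_user_contexts: count confirmed with 'show license status' (assumption:
    the caller has settled whether Admin counts toward it). Without keep, the
    first max_user_contexts in config order survive, as the ACE would accept."""
    if max_user_contexts < 0:
        raise ValueError("max_user_contexts must be >= 0")
    segments = split_segments(config_text)
    present = [n for n, _ in segments if n not in (None, ADMIN)]
    if keep is None:
        wanted = present[:max_user_contexts]
    else:
        missing = sorted(set(keep) - set(present))
        if missing:
            raise ValueError(f"contexts not in config: {missing}")
        if len(set(keep)) > max_user_contexts:
            raise ValueError("keep list exceeds the licensed context count")
        wanted = [n for n in present if n in keep]
    out, kept, dropped = [], [], []
    for name, lines in segments:
        if name is None or name == ADMIN or name in wanted:
            out.extend(lines)
            if name not in (None, ADMIN):
                kept.append(name)
        else:
            dropped.append(name)                  # whole block, subcommands included
    return "\n".join(out) + "\n", kept, dropped


if __name__ == "__main__":
    trimmed, kept, dropped = trim_contexts(SAMPLE_ADMIN_CONFIG, max_user_contexts=4)
    print("kept:", kept, "dropped:", dropped, "\n" + trimmed)
```

Run it against the R-CONFIG-ADM file retrieved in Step 1, write the returned text back to the server, and then continue with Step 6. Contexts listed as dropped are exactly the ones whose R-CONFIG-<name> backups you cannot restore in Step 8 until a context license is reinstalled.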
Removing an HTTP Compression Performance License
To remove an ACE HTTP compression performance license, use the license
uninstall command in Exec mode from the Admin context. The current
compression capability and type of compression licenses currently installed on
the ACE determines which license you can remove. Table 3-5 lists the currently
installed compression license on the ACE and the remaining compression
capability after the license is removed.
Table 3-5    Compression License Removal
Current compression capability   Applicable license   Result of license removal
100 Mbps (default)               Not applicable       —
500 Mbps                         ACE-AP-C-500-LIC     100 Mbps
1 Gbps                           ACE-AP-C-1000-LIC    100 Mbps
                                 ACE-AP-C-UP1         500 Mbps
2 Gbps                           ACE-AP-C-2000-LIC    100 Mbps
                                 ACE-AP-C-UP2         500 Mbps
                                 ACE-AP-C-UP3         1 Gbps
For example, to remove an HTTP compression license, enter:
host1/Admin# license uninstall ACE-APP-C-2000-LIC.lic
Removing the Application Acceleration Software Feature Pack License
To remove the application acceleration software feature pack, use the license
uninstall command in Exec mode from the Admin context. With the application
acceleration software feature pack installed, the ACE can support up to 1,000
concurrent connections under normal usage. When you uninstall the software
feature pack, the ACE is capable of 50 connections per second. For more
information on the application acceleration and optimization capabilities of the
ACE and how to configure them, see the Cisco 4700 Series Application Control
Engine Appliance Application Acceleration and Optimization Configuration Guide.
For example, to remove the license for the application acceleration software
feature pack, enter:
host1/Admin# license uninstall ACE-AP-OPT-LIC-K9.lic
Backing Up a License File
To safeguard your license files, we recommend that you back up your license files
to the ACE Flash disk as tar files. To back up license files in .tar format, use the
copy licenses command in Exec mode from the Admin context. The syntax for
this command is:
copy licenses disk0:[path/]filename.tar
The keyword and argument are:
• disk0:—Specifies that the backup license file is copied to the disk0: file system.
• [path/]filename.tar—The destination filename for the backup licenses. The destination filename must have a .tar file extension.
For example, enter:
host1/Admin# copy licenses disk0:mylicenses.tar
If you accidentally remove or lose the license on the ACE, you can untar the backup file and reinstall it. To untar the license, use the untar command in Exec mode.
The syntax for this command is:
untar disk0:[path/]filename.tar
The [path/]filename.tar argument is the filename of the .tar backup license file.
For example, to untar the mylicenses.tar file on disk0:, enter:
host1/Admin# untar disk0:mylicenses.tar
For information on installing the license, see the “Installing a New or Upgrade
License File” section.
Displaying License Configurations and Statistics
This section describes the show commands that you can use to display license
information about your ACE. To display license information, use the show license
command in Exec mode from the Admin context. The syntax for this command is:
show license [brief | file filename | internal event-history | status | usage]
The options and arguments for this command are:
• brief—Displays a list of the currently installed licenses
• file filename—Displays the file contents of the specified license
• internal event-history—Displays a history of licensing-related events
• status—Displays the status of licensed features
• usage—Displays the usage table for all licenses
Note
Entering the show license command without any options and arguments displays all installed ACE license files and their contents.
For example, to display a list of the currently installed licenses, enter:
host1/Admin# show license brief
ACE-AP-VIRT-020.lic
ACE-AP-04-LIC.lic
ACE-APP-C-2000-LIC.lic
ACE-AP-OPT-LIC-K9.lic
ACE-AP-SSL-10K-K9.lic
Table 3-6 describes the fields in the show license status command output.
Table 3-6    Field Descriptions for the show license status Command Output
Field               Description
Licensed Feature    List of licensed features, including the ACE virtualized contexts, the SSL transactions per second, and the appliance throughput performance feature.
Count               Number of ACE-supported contexts, SSL transactions per second (TPS), and throughput in gigabits per second (Gbps). This information also shows the default number of contexts, SSL TPS, and appliance throughput that the ACE supports when a license is not installed.
Table 3-7 describes the fields in the show license usage command output.
Table 3-7    Field Descriptions for the show license usage Command Output
Field          Description
License        Name of the license.
Ins            Whether the license is installed (Yes or No).
Lic Count      Number of licenses for this feature.
Status         Current state of the feature (In use or Unused).
Expiry Date    Date when the demo license expires, as defined in the license file. If the license is permanent, this field displays never.
Comments       Licensing errors, if any.
You can also view the ACE license by using the show version command in Exec
mode on the ACE.
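The license text the ACE echoes during license uninstall (SERVER, VENDOR and INCREMENT lines with backslash continuations) is the same FlexLM-style format that show license file displays, and the Expiry Date column of show license usage comes from the expiry token of each INCREMENT line. The following Python script, added here as an example and not part of Cisco's documentation or the ACE software, parses such a file after it has been copied off disk0: and flags demo entries that have expired or expire within a chosen window, so a demo license can be replaced with its permanent file (license update) before the feature lapses. The sample license text is constructed for the example: the permanent entry mirrors the ACE-AP-VIRT-020 line printed during uninstall, while the ACE-AP-SSL-05K-K9 demo entry, its 15-sep-2008 date and its SIGN value are assumed. The dd-mmm-yyyy expiry form and the meaning of permanent are FlexLM conventions, not something this guide states.

```python
"""Parse a FlexLM-style ACE license file and flag demo entries near expiry.

Added example, not Cisco tooling. The permanent line mirrors what the ACE
prints during 'license uninstall'; the SSL demo entry below is constructed.
"""
import shlex
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample license text (assumption: the SSL demo line, its
# 15-sep-2008 expiry and its SIGN value are invented for this example).
SAMPLE_LICENSE = r"""
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-AP-VIRT-020 cisco 1.0 permanent 1 \
 VENDOR_STRING=<count>1</count> HOSTID=ANY \
 NOTICE="<LicFileID>20051103151315824</LicFileID><LicLineID>1</LicLineID> \
 <PAK></PAK>" SIGN=86A13B1EA2F2
INCREMENT ACE-AP-SSL-05K-K9 cisco 1.0 15-sep-2008 1 \
 VENDOR_STRING=<count>1</count> HOSTID=ANY \
 NOTICE="<PAK></PAK>" SIGN=000000000000
"""


@dataclass
class LicenseEntry:
    feature: str
    vendor: str
    version: str
    expires: Optional[date]            # None means a permanent license
    count: int
    options: Dict[str, str] = field(default_factory=dict)


def logical_lines(text: str) -> List[str]:
    """Join physical lines that end in a backslash into one logical line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        buf += line.strip()
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():                    # file ended on a continuation line
        out.append(buf.strip())
    return out


def parse_expiry(token: str) -> Optional[date]:
    """FlexLM expiry token: 'permanent' or all zeros means never; else dd-mmm-yyyy."""
    t = token.strip().lower()
    if t == "permanent" or t.strip("0") == "":
        return None
    return datetime.strptime(t, "%d-%b-%Y").date()


def parse_license(text: str) -> List[LicenseEntry]:
    """Extract every INCREMENT line; SERVER and VENDOR lines carry no feature data."""
    entries = []
    for line in logical_lines(text):
        tokens = shlex.split(line)     # keeps the quoted NOTICE="..." value whole
        if not tokens or tokens[0].upper() != "INCREMENT":
            continue
        if len(tokens) < 6:
            raise ValueError(f"malformed INCREMENT line: {line!r}")
        options = {}
        for tok in tokens[6:]:         # trailing KEY=VALUE pairs (HOSTID, SIGN, ...)
            key, sep, value = tok.partition("=")
            if sep:
                options[key] = value
        entries.append(LicenseEntry(
            feature=tokens[1], vendor=tokens[2], version=tokens[3],
            expires=parse_expiry(tokens[4]), count=int(tokens[5]),
            options=options))
    return entries


def expiring(entries: List[LicenseEntry], today: date,
             within_days: int = 30) -> List[str]:
    """Features whose license has already expired or expires within within_days."""
    return [e.feature for e in entries
            if e.expires is not None and (e.expires - today).days <= within_days]


if __name__ == "__main__":
    found = parse_license(SAMPLE_LICENSE)
    for e in found:
        when = "never" if e.expires is None else e.expires.isoformat()
        print(f"{e.feature:20} count={e.count} expires={when} hostid={e.options.get('HOSTID')}")
    print("replace with permanent license soon:", expiring(found, today=date.today()))
```

Feed it the file written by copy licenses (after untar) or a single .lic copied from disk0:; an empty result from expiring means nothing on the appliance is about to revert to its default capacity.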
Chapter 4
Managing the ACE Software
This chapter describes how to manage the software running on the Cisco 4700
Series Application Control Engine (ACE) appliance and contains the following
sections:
• Saving Configuration Files
• Loading Configuration Files from a Remote Server
• Using the File System on the ACE
• Viewing and Copying Core Dumps
• Capturing and Copying Packet Information
• Using the Configuration Checkpoint and Rollback Service
• Reformatting Flash Memory
Saving Configuration Files
Upon startup, the ACE loads the startup-configuration file stored in Flash memory
(nonvolatile memory) to the running-configuration file stored in RAM (volatile
memory). When you partition your ACE into multiple contexts, each context
contains its own startup-configuration file.
Flash memory stores the startup-configuration files for each existing context.
When you create a new context, the ACE creates a new context directory in Flash
memory to store the context-specific startup-configuration files. When you copy
a configuration file from the ACE, you create a copy of the configuration
information of the context from where you executed the command.
To display the contents of the startup-configuration file associated with the
current context, use the show startup-config command in Exec mode (see the
“Viewing Configuration Files” section).
When you make configuration changes, the ACE places those changes in a virtual
running-configuration file called the running-config, which is associated with the
context that you are working in. When you enter a CLI command, the change is
made only to the running-configuration file in volatile memory. Before you log
out or reboot the ACE, copy the contents of the running-configuration file to the
startup-configuration file (startup-config) to save configuration changes for the
current context to Flash memory. The ACE uses the startup-configuration file on
subsequent reboots.
This section contains the following topics:
• Saving the Configuration File in Flash Memory
• Saving Configuration Files to a Remote Server
• Copying the Configuration File to the disk0: File System
• Merging the Startup-Configuration File with the Running-Configuration File
• Viewing Configuration Files
• Viewing User Context Running-Config Files from the Admin Context
• Clearing the Startup-Configuration File
Saving the Configuration File in Flash Memory
After you create or update the running-configuration file in RAM (volatile
memory), save the contents to the startup-configuration file for the current context
in Flash memory (nonvolatile memory) on the ACE. To copy the contents of the
running-configuration file to the startup-configuration file, use the copy
running-config startup-config command from Exec mode.
The syntax for the command is:
copy running-config startup-config
For example, to save the running-configuration file to the startup-configuration
file in Flash memory on the ACE, enter:
host1/Admin# copy running-config startup-config
You can also use the write memory command to copy the contents of the
running-configuration file for the current context to the startup-configuration file.
The write memory command is equivalent to the copy running-config
startup-config command.
The syntax for the command is:
write memory [all]
The optional write memory all keyword saves configurations for all existing
contexts. This keyword is available only in the Admin context.
If you intend to use the write memory command to save the contents of the
running-configuration file for the current context to the startup-configuration file,
be sure to also specify this command in the Admin context. You should save
changes to the Admin context startup-configuration file; the Admin context
startup-configuration file contains all configurations that are used to create each
user context.
Saving Configuration Files to a Remote Server
To save the running-configuration file or startup-configuration file to a remote server using File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), or Trivial File Transfer Protocol (TFTP), use the copy running-config or copy startup-config command in Exec mode. The copy serves as a backup file for the running-configuration file or startup-configuration file for the current context.
Before installing or migrating to a new software version, back up the ACE startup-configuration file to a remote server using FTP, SFTP, or TFTP. When you name the backup file, we recommend that you name it in such a way that you can easily tell the context source of the file (for example, running-config-ctx1, startup-config-ctx1).
Keep in mind that FTP and TFTP transfer the file, and FTP also transfers your login credentials, in cleartext, and that a configuration file contains sensitive material such as user password hashes and SNMP user settings. Prefer SFTP for configuration backups, or confine FTP and TFTP transfers to a protected management network, and restrict read access to the backup files on the server.
The syntax for the command is:
copy {running-config | startup-config} {ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]}
The keywords, arguments, and options are:
• running-config—Specifies the running-configuration file currently residing on the ACE in volatile memory.
• startup-config—Specifies the startup-configuration file currently residing on the ACE in Flash memory.
• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the renamed configuration file.
• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed configuration file.
• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed configuration file.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE performs the following tasks:
• Prompts you for your username and password if the destination file system requires user authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide the path information.
For example, to save the running-configuration file of the Admin context to a remote FTP server, enter:
host1/Admin# copy running-config ftp://192.168.1.2/running-config_Adminctx
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password: password1
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
####
Note
The bin (binary) file transfer mode is intended for transferring compiled files
(executables). The ascii file transfer mode is intended for transferring text files,
such as config files. The default selection of bin should be sufficient in all cases
when copying files to a remote FTP server.
Copying the Configuration File to the disk0: File System
After you create or update the running-configuration file or the
startup-configuration file, you can copy the file to the disk0: file system in Flash
memory on the ACE by using the following commands:
• To save the contents of the running-configuration file to the disk0: file system, use the copy running-config disk0: command in Exec mode.
• To save the contents of the startup-configuration file to the disk0: file system, use the copy startup-config disk0: command in Exec mode.
The syntax for the command is:
copy {running-config | startup-config} disk0:[path/]filename
The keywords, arguments, and options are:
• running-config—Specifies the running-configuration file currently residing on the ACE in RAM (volatile memory).
• startup-config—Specifies the startup-configuration file currently residing on the ACE in Flash memory (nonvolatile memory).
• disk0:—Specifies that the running-configuration file or startup-configuration file is copied to the disk0: file system.
• [path/]filename—(Optional) The path in the disk0: file system. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
For example, to save the running-configuration file to the disk0: file system as
running-config_copy, enter:
host1/Admin# copy running-config disk0:running-config_copy
Merging the Startup-Configuration File with the Running-Configuration File
To merge the contents of the startup-configuration file into the
running-configuration file, use the copy startup-config running-config
command in Exec mode. This command copies any additional configurations
from the startup-configuration file into the running-configuration file. If any
common commands exist in both files, the startup-configuration file overwrites
the attributes in the running-configuration file.
The syntax for the command is:
copy startup-config running-config
For example, enter:
host1/Admin# copy startup-config running-config
Viewing Configuration Files
To display the ACE running-configuration file associated with the current context,
use the show running-config command in Exec mode. Configuration entries
within each mode in the running-configuration file appear in chronological order,
based on the order in which you configure the ACE. The ACE does not display
default configurations in the ACE running-configuration file.
Note
The write terminal command can also be used to display the ACE running-configuration file. The write terminal command is equivalent to the show running-config command.
To view the content of the running- and startup-configuration files, use the following commands:
• To view the running-configuration file, use the show running-config command.
• To view the startup-configuration file, use the show startup-config command.
The syntax for the show startup-config command is as follows:
show startup-config
The syntax for the show running-config command is as follows:
show running-config [aaa | access-list | action-list | class-map | context | dhcp | domain | ft | interface | object-group | parameter-map | policy-map | probe | resource-class | role | rserver | serverfarm | sticky]
The keywords and options are:
• aaa—(Optional) Displays AAA information.
• access-list—(Optional) Displays access control list (ACL) information.
• action-list—(Optional) Displays action list information. You use action lists to group together certain Layer 7 policy-map actions.
• class-map—(Optional) Displays the list of all class maps configured for the current context. The ACE also displays configuration information for each class map listed.
• context—(Optional) Displays the list of contexts configured on the ACE. The ACE also displays the resource class (member) assigned to each context. The context keyword works only from within the Admin context.
• dhcp—(Optional) Displays Dynamic Host Configuration Protocol (DHCP) information.
• domain—(Optional) Displays the list of domains configured for the current context. The ACE also displays configuration information for each domain listed.
• ft—(Optional) Displays the list of redundancy or fault-tolerance (FT) configurations configured for the current context. The ACE also displays configuration information for each ft configuration listed.
• interface—(Optional) Displays interface information.
• object-group—(Optional) Displays ACL object-group information.
• parameter-map—(Optional) Displays parameter map information.
• policy-map—(Optional) Displays policy map information.
• probe—(Optional) Displays probe information.
• resource-class—(Optional) Displays resource class information.
• role—(Optional) Displays the list of roles configured for the current context. The ACE also displays configuration information for each role on the list.
• rserver—(Optional) Displays real server information.
• serverfarm—(Optional) Displays serverfarm information.
• sticky—(Optional) Displays sticky information.
For details on the show running-config output associated with the optional
keywords, see the chapters in the ACE documentation set related to the specific
software functions.
For example, to view the entire contents of the running-configuration file on the
ACE, enter:
host1/Admin# show running-config
Generating configuration....
logging enable
access-list acl1 line 10 extended permit ip any any
rserver type host real1
  address 16.1.1.102
  inservice
rserver type host real2
  address 16.1.1.103
  inservice
rserver type host real3
  address 16.1.1.105
  inservice
serverfarm type host serverfarm1
  predictor hash address
  real real1
    inservice
  real real2
    inservice
  real real3
    inservice
class-map match-any vipmap1
  10 match virtual-address 17.1.2.1 tcp any
policy-map type loadbalance first-match policymap1
  class class-default
    serverfarm serverfarm1
policy-map multi-match policy1
  class vipmap1
    loadbalance vip inservice
    loadbalance policymap1
interface vlan 16
  ip address 16.1.1.12 255.0.0.0
  access-group input acl1
  no shutdown
interface vlan 17
  ip address 17.1.1.12 255.0.0.0
  access-group input acl1
  service-policy input policy1
  no shutdown
context Admin
  member default
username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain
username www password 5 $1$UZIiwUk7$QMVYN1JASaycabrHkhGcS/ role Admin domain default-domain
snmp-server user www Network-Monitor
snmp-server user admin Network-Monitor
Viewing User Context Running-Config Files from the Admin Context
To display the ACE running-configuration file of a user context from the Admin
context, use the invoke context command in Exec mode. The syntax of this
command is as follows:
invoke context context_name show running-config
The context_name argument is the name of the user context.
For example, to view the running-configuration file of the C1 context from the
Admin context, enter:
host1/Admin# invoke context C1 show running-config
Generating configuration....
Clearing the Startup-Configuration File
To clear the contents of the ACE startup-configuration file of the current context
in Flash memory, use either the clear startup-config or write erase command in
Exec mode. Both commands reset the startup-configuration file to the default settings and take effect immediately. The running-configuration file is not affected. In addition, neither the clear startup-config command nor the write erase command clears the boot variables, such as the config-register and boot system settings.
Note
The clear startup-config and write erase commands do not remove license files
or crypto files from the ACE startup-configuration file. To remove license files,
use the license uninstall filename command. To remove crypto files, use the
crypto delete filename or the crypto delete all command.
Before you clear the contents of the ACE startup-configuration file, back up your
startup-configuration file to a remote server (see the “Saving Configuration Files
to a Remote Server” section). Once you clear the startup-configuration file, you
can perform one of the following processes to recover a copy of an existing
configuration:
• Copy the contents of the existing running-configuration file to the startup-configuration file by using the copy running-config startup-config command. See the “Saving the Configuration File in Flash Memory” section.
• Upload a backup of a previously saved startup-configuration file from a remote server. See the “Loading Configuration Files from a Remote Server” section.
For example, to reset the ACE startup-configuration file, enter:
host1/Admin# clear startup-config
Loading Configuration Files from a Remote Server
You can configure the ACE by loading configuration files previously backed up
to a remote FTP, SFTP, or TFTP server. Before you begin loading a configuration
file from a remote server, ensure the following:
• You know the location of the configuration file to be loaded from the remote server.
• The configuration file permissions are set to world-read.
• The ACE has a route to the remote server. The ACE and the remote server must be in the same subnetwork if you do not have a router or default gateway to route the traffic between subnets. To check connectivity to the remote server, use the ping or traceroute command in Exec mode. See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide for details on how to use the ping and traceroute commands.
When you copy the backup configuration file to the ACE, you copy the
configuration information to the context from where you initially executed the
copy command. When you copy a configuration file to the ACE, ensure that the
configuration file is appropriate for use in the current context. For example, you
would copy the backup configuration file startup-config-ctx1 to context 1.
To configure the ACE using a running-configuration file or startup-configuration
file downloaded from a remote server, use the copy command in Exec mode.
The syntax for the command is:
copy {ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]} {running-config | startup-config}
The keywords, arguments, and options are:
• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the configuration filename.
• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the configuration filename.
• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the configuration filename.
• running-config—Specifies to replace the running-configuration file currently residing on the ACE in RAM (volatile memory).
• startup-config—Specifies to replace the startup-configuration file currently residing on the ACE in Flash memory (nonvolatile memory).
For example, to copy a startup-configuration file from a remote FTP server to the ACE, enter:
host1/Admin# copy ftp://192.168.1.2/configs/startup-config-Adm_ctx startup-config
Using the File System on the ACE
Flash memory stores the operating system, startup-configuration files, software
licenses, core dump files, system message log files, SSL certificates and keys, and
other data on the ACE. Flash memory comprises a number of individual file
systems, or partitions, that include this data.
The ACE contains the following file systems, or partitions:
• disk0:—Contains all startup-configuration files, software licenses, system message log files, SSL certificates and keys, and user-generated data for all existing contexts on the ACE.
• image:—Contains the system software images.
• core:—Contains the core files generated each time that the ACE becomes unresponsive.
• probe:—Contains the Cisco-supplied probe scripts. For more information about these scripts, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. Both the Admin context and user contexts support the probe: directory.
• volatile:—Contains the files residing in the temporary (volatile:) directory. The volatile: directory provides temporary storage; files in temporary storage are erased when the ACE reboots.
The Admin context supports all five file systems in the ACE. The user context
supports only the disk0: and volatile: file systems.
When you create a new context, the ACE creates a new context directory in Flash memory to store context-specific data such as startup-configuration files.
The ACE provides a number of commands to help you manage software configuration, image, and data files. This section contains the following topics that will help you to manage files on the ACE:
• Listing the Files in a Directory
• Copying Files
• Uncompressing Files in the disk0: File System
• Untarring Files in the disk0: File System
• Creating a New Directory
• Deleting an Existing Directory
• Moving Files
• Deleting Files
• Displaying File Contents
• Saving show Command Output to a File
Listing the Files in a Directory
To display the directory contents of a specified file system, use the dir command in
Exec mode. This command displays a detailed list of directories and files
contained within the specified file system on the ACE, including names, sizes, and
time created. You may optionally specify the name of a directory to list.
The syntax for this command is:
dir {core: | disk0:[directory/][filename] | image:[filename] |
probe:[filename] | volatile:[filename]}
The keywords and arguments are:
• core:—Displays the contents of the core: file system.
• disk0:—Displays the contents of the disk0: file system.
• image:—Displays the contents of the image: file system.
• probe:—Displays the contents of the probe: file system. This directory contains the Cisco-supplied scripts. For more information about these scripts, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
• volatile:—Displays the contents of the volatile: file system.
• directory/—(Optional) Contents of the specified directory.
• filename—(Optional) Information that relates to the specified file, such as the file size and the date it was created. You can use wildcards in the filename. A wildcard character (*) matches all patterns. Strings after a wildcard are ignored.
For example, to list the files in the disk0: file system, enter:
host1/Admin# dir disk0:
   7465     Jan 03 00:13:22 2007  C2_dsb
   2218     Mar 07 18:38:03 2007  ECHO_PROBE_SCRIPT4
   1024     Feb 16 12:47:24 2007  core_copies_dsb/
   1024     Jan 01 00:02:07 2007  cv/
   1024     Mar 13 13:53:08 2007  dsb_dir/
     12     Jan 30 17:54:26 2007  messages
   7843     Mar 09 22:19:56 2007  running-config
   4320     Jan 05 14:37:52 2007  startup-config
   1024     Jan 01 00:02:28 2007  www/
Usage for disk0: filesystem
        4254720 bytes total used
        6909952 bytes free
For example, to list the core dump files in Flash memory, enter:
host1/Admin# dir core:
 253151 Mar 14 21:23:33 2007 0x401_vsh_log.8249.tar.gz
 262711 Mar 15 21:22:18 2007 0x401_vsh_log.15592.tar.gz
 250037 Mar 15 18:35:27 2007 0x401_vsh_log.16296.tar.gz
Usage for core: filesystem
 1847296 bytes total used
 64142336 bytes free
 65989632 bytes available
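Operators who collect dir output from many appliances (for example, by redirecting show or dir output to a file, or over a scripted session) usually want it in a structured form so that new core files, disk0: usage, and file timestamps can be compared across devices. The following Python parser is an added example and is not part of this guide or the ACE software. It reads the row layout shown in the listings above (size, month, day, time, year, name) and the "bytes total used/free/available" summary lines. The core file names in the guide have the form 0x401_vsh_log.<number>.tar.gz; the parser assumes that number is the process identifier the "Viewing and Copying Core Dumps" section tells you to match against the corresponding log file, which is an inference from the examples rather than a documented format. The sample listing is constructed from the core: example above.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Row layout of an ACE "dir" listing, as shown in the examples above:
# size, month, day, HH:MM:SS, year, name (a trailing "/" marks a directory).
_ENTRY_RE = re.compile(
    r"^\s*(?P<size>\d+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<year>\d{4})\s+(?P<name>\S+)\s*$"
)
_USAGE_RE = re.compile(
    r"^\s*(?P<bytes>\d+)\s+bytes\s+(?P<kind>total used|free|available)\s*$"
)
# Core file names in the guide look like 0x401_vsh_log.<number>.tar.gz. The
# number is ASSUMED here to be the PID the guide says to match against the log
# file; that is an inference from the examples, not a documented format.
_CORE_RE = re.compile(r"^0x[0-9a-f]+_\w+?\.(?P<pid>\d+)\.tar\.gz$", re.IGNORECASE)


def parse_dir_listing(text: str) -> Tuple[List[Dict], Dict[str, int]]:
    """Parse captured 'dir' output into entry dicts and a usage summary."""
    entries: List[Dict] = []
    usage: Dict[str, int] = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            stamp = datetime.strptime(
                f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S"
            )
            entries.append({
                "name": m["name"].rstrip("/"),
                "is_dir": m["name"].endswith("/"),
                "size": int(m["size"]),
                "mtime": stamp,
            })
            continue
        u = _USAGE_RE.match(line)
        if u:
            usage[u["kind"].replace(" ", "_")] = int(u["bytes"])
    return entries, usage


def core_pid(name: str) -> Optional[int]:
    """Return the PID embedded in a core file name, or None for other files."""
    m = _CORE_RE.match(name)
    return int(m["pid"]) if m else None


def newest_core(entries: List[Dict]) -> Optional[str]:
    """Name of the most recently written core file, by the listed timestamp."""
    cores = [e for e in entries if core_pid(e["name"]) is not None]
    return max(cores, key=lambda e: e["mtime"])["name"] if cores else None


def free_ratio(usage: Dict[str, int]) -> float:
    """Fraction of the file system still free, from the usage summary lines."""
    used, free = usage["total_used"], usage["free"]
    return free / (used + free)


# Constructed sample input, modelled on the "dir core:" listing shown above.
SAMPLE_CORE_LISTING = """\
 253151 Mar 14 21:23:33 2007 0x401_vsh_log.8249.tar.gz
 262711 Mar 15 21:22:18 2007 0x401_vsh_log.15592.tar.gz
 250037 Mar 15 18:35:27 2007 0x401_vsh_log.16296.tar.gz
Usage for core: filesystem
 1847296 bytes total used
 64142336 bytes free
 65989632 bytes available
"""

if __name__ == "__main__":
    entries, usage = parse_dir_listing(SAMPLE_CORE_LISTING)
    for e in entries:
        print(e["mtime"].isoformat(), e["name"], "pid", core_pid(e["name"]))
    print("newest core:", newest_core(entries))
    print(f"free: {free_ratio(usage):.1%}")
```

The timestamps parsed here are the ones the ACE lists; as the core dump section notes, the restored last core file carries the boot time rather than the dump time, so use the PID to find the log entry when the exact time matters.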
Copying Files
This section contains the following topics:
• Copying Files to Another Directory on the ACE
• Copying Licenses
• Copying a Packet Capture Buffer
• Copying Files to a Remote Server
• Copying Files from a Remote Server
• Copying an ACE Software System Image to a Remote Server
Copying Files to Another Directory on the ACE
To copy a file from one directory in the disk0: file system of Flash memory to another
directory in disk0:, use the copy disk0: command.
Note
To view the content of the running- and startup-configuration files, use the dir
disk0: command.
The syntax for this command is:
copy disk0:[path/]filename1 {disk0:[path]filename2}
The keywords and arguments are:
• [path/]filename1—Name of the file to copy. Use the dir disk0: command to view the files available in the disk0: file system. If you do not provide the optional path, the ACE copies the file from the root directory on the disk0: file system.
• disk0:[path]filename2—The file destination in the disk0: directory of the current context. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
For example, to copy the file called SAMPLEFILE to the MYSTORAGE
directory in the disk0: file system, enter:
host1/Admin# copy disk0:samplefile disk0:MYSTORAGE/SAMPLEFILE
Copying Licenses
To protect your license files, we recommend that you back up your license files to
the ACE Flash memory as tar files. To create a backup license for the ACE
licenses in .tar format and copy it to the disk0: file system, use the copy licenses
command in Exec mode.
The syntax of this command is:
copy licenses disk0:[path/]filename.tar
The keyword and argument are:
• disk0:—Specifies that the backup license file is copied to the disk0: file system.
• [path/]filename.tar—Destination filename for the backup licenses. The destination filename must have a .tar file extension. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
For example, enter:
host1/Admin# copy licenses disk0:mylicenses.tar
If you accidentally remove or lose the license on the ACE, you can untar the backup file and reinstall it. To untar the backup license, use the untar command in Exec mode. The syntax for this command is:
untar disk0:[path/]filename.tar
The filename.tar is the filename of the .tar backup license file.
For example, to untar the mylicenses.tar file on disk0:, enter:
host1/Admin# untar disk0:mylicenses.tar
Copying a Packet Capture Buffer
To copy an existing packet capture buffer to the disk0: file system, use the copy
capture command in Exec mode.
The syntax for the command is:
copy capture capture_name disk0:[path/]destination_name
The keywords, arguments, and options are:
• capture_name—Name of the packet capture buffer on Flash memory. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. If necessary, use the show capture command to view the files available in the disk0: file system. This list includes the names of existing packet capture buffers.
• disk0:—Specifies that the buffer is copied to the disk0: file system.
• [path/]destination_name—Destination path (optional) and name for the packet capture buffer. Specify a text string from 1 to 80 alphanumeric characters. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
For example, to copy a packet capture buffer to the disk0: file system, enter:
host1/Admin# copy capture packet_capture_Jul_17_08 disk0:
Copying Files to a Remote Server
To copy a file from Flash memory on the ACE to a remote server using FTP, SFTP,
or TFTP, use the copy command in Exec mode. The copy serves as a backup file
for such files as the capture buffer file, core dump, ACE licenses in .tar format,
running-configuration file, or startup-configuration file.
The syntax for the command is as follows:
copy {core:filename | disk0:[path/]filename | running-config |
startup-config} {ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]}
The keywords, arguments, and options are:
• core:filename—Specifies a core dump residing on the ACE in Flash memory (see the “Viewing and Copying Core Dumps” section). The copy core: command is available only in the Admin context. Use the dir core: command to view the core dump files available in the core: file system. Copy the complete filename (for example, 0x401_vsh_log.25256.tar.gz) by using the copy core: command.
• disk0:[path/]filename—Specifies a file in the disk0: file system of Flash memory (for example, a packet capture buffer file, ACE licenses in .tar format, or a system message log). Use the dir disk0: command to view the files available in the disk0: file system.
• running-config—Specifies the running-configuration file residing on the ACE in volatile memory.
• startup-config—Specifies the startup-configuration file currently residing on the ACE in Flash memory.
• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the renamed file.
• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed file.
• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed file.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE
performs the following tasks:
• Prompts you for your username and password if the destination file system requires user authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide path information.
For example, to save a running-configuration file to a remote FTP server, enter:
host1/Admin# copy running-config
ftp://192.168.215.124/running-config_Adminctx
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password: password1
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
####
Note
The bin (binary) file transfer mode is intended for transferring compiled files
(executables). The ascii file transfer mode is intended for transferring text files,
such as config files. The default selection of bin should be sufficient in all cases
when copying files to a remote FTP server.
For example, to save a core dump file to a remote FTP server, enter:
host1/Admin# copy core:0x401_vsh_log.8249.tar.gz ftp://192.168.1.2
Copying Files from a Remote Server
To copy a file from a remote server to a location on the ACE using FTP, SFTP, or
TFTP, use the copy command in Exec mode.
The syntax for the command is:
copy {ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]} {disk0:[path/]filename |
image:image_name | running-config | startup-config}
The keywords, arguments, and options are:
• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the filename.
• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the filename.
• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the filename.
• disk0:[path/]filename—Specifies a file destination in the disk0: file system of Flash memory. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
• image:image_name—Specifies to copy a system software image to Flash memory. Use the boot system command as described in Chapter 1, Setting Up the ACE, to specify the BOOT environment variable. The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup.
• running-config—Specifies to replace the running-configuration file currently residing on the ACE in RAM (volatile memory).
• startup-config—Specifies to replace the startup-configuration file currently residing on the ACE in Flash memory (nonvolatile memory).
For example, to copy a startup-configuration file from a remote FTP server to the
disk0: file system, enter:
host1/Admin# copy ftp://192.168.1.2/ startup-config
Enter source filename[]? startup_config_Adminctx
File already exists, do you want to overwrite?[y/n]: [y] y
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
Note
The bin (binary) file transfer mode is intended for transferring compiled files
(executables). The ascii file transfer mode is intended for transferring text files,
such as config files. The default selection of bin should be sufficient in all cases
when copying files to a remote FTP server.
Copying an ACE Software System Image to a Remote Server
To copy an ACE software system image from Flash memory to a remote server
using FTP, SFTP, or TFTP, use the copy image: command in Exec mode. The
copy image: command is available only in the Admin context.
Note
To view the software system images available in Flash memory, use the dir
image: command and the show version command.
The syntax for the command is:
copy image:filename {ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]}
The keywords, arguments, and options are:
• filename—Name of the ACE system software image.
• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the renamed software system image.
• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed software system image.
• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed software system image.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE
performs the following tasks:
• Prompts you for your username and password if the destination file system requires user authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide path information.
For example, to save a software system image to a remote FTP server, enter:
host1/Admin# copy image:sb-ace.NOV_11 ftp://192.168.1.2
Uncompressing Files in the disk0: File System
To uncompress (unzip) LZ77 coded files in the disk0: file system (for example,
zipped probe script files), use the gunzip command in Exec mode. This command
is useful in uncompressing large files. The filename must end with a .gz extension
for the file to be uncompressed using the gunzip command. The .gz extension
indicates a file zipped by the gzip (GNU zip) compression utility.
The syntax for the command is:
gunzip disk0:filename
The filename argument identifies the name of the compressed file on the disk0:
file system. The filename must end with a .gz extension. To display a list of
available zipped files on disk0:, use the dir command.
For example, to unzip a compressed series of probe script files residing in the
disk0: file system, enter:
host1/Admin# gunzip disk0:PROBE_SCRIPTS.gz
Untarring Files in the disk0: File System
A .tar file keeps related files together and facilitates the transfer of multiple files.
A .tar file is a series of separate files, typically not compressed, added together
into a single file by a UNIX TAR program. The resulting file is known as a tarball,
which is similar to a ZIP file but without the compression. The files in a .tar file
must be extracted before they can be used.
To untar a single file with a .tar extension in the disk0: file system, use the untar command in Exec mode. Use this command to untar the sample scripts file. You can also use this command to untar a backup license file if a license becomes corrupted or lost. Before you can use the untar command, the filename must end with a .tar extension.
Note
The copy licenses disk0: command creates backup .tar license files on the ACE. If a license becomes corrupted or lost, or you accidentally remove the license on the ACE, you can untar the license and reinstall it. See the “Copying Licenses” section.
The syntax for the command is:
untar disk0:[path/]filename
The filename argument identifies the name of the .tar file in the disk0: file system.
The filename must end with a .tar extension. You can optionally provide a path to
the .tar file if it exists in another directory in the disk0: file system.
For example, to untar a series of license files in the mylicenses.tar file in the disk0: file system, enter:
host1/Admin# untar disk0:mylicenses.tar
Creating a New Directory
To create a directory in the disk0: file system of Flash memory, use the mkdir
disk0: command in Exec mode. The syntax for this command is:
mkdir disk0:[path/]directory
The directory argument provides the name of the directory to create in disk0:. If
a directory with the same name already exists, the ACE does not create the new
directory and the “Directory already exists” message appears.
For example, to create a directory called TEST_DIRECTORY in the disk0: file
system, enter:
host1/Admin# mkdir disk0:TEST_DIRECTORY
Deleting an Existing Directory
To remove an existing directory from the disk0: file system of Flash memory, use
the rmdir disk0: command in Exec mode. The directory must be empty before
you can delete it.
Note
To remove a file from the ACE file system, use the delete command (see the
“Deleting Files” section).
The syntax for this command is:
rmdir disk0:[path/]directory
The directory argument provides the name of the directory to delete from the
disk0: file system. The directory must be empty before you can delete it. You can
optionally provide a path to a directory in the disk0: file system.
For example, to delete a directory called TEST_DIRECTORY from the disk0: file
system, enter:
host1/Admin# rmdir disk0:TEST_DIRECTORY
Moving Files
To move a file between directories in the disk0: file system, use the move
command in Exec mode. If a file with the same name already exists in the
destination directory, that file is overwritten by the moved file.
Note
To view the files available in the disk0: file system, use the dir disk0: command.
The syntax for this command is:
move disk0:[source_directory/]filename
disk0:[destination_directory/]filename
The keywords and arguments are:
• source_directory—(Optional) Name of the source directory in the disk0: file system.
• destination_directory—(Optional) Name of the destination directory in the disk0: file system.
• filename—Name of the file to move in the disk0: file system.
For example, to move the file called SAMPLEFILE to the MYSTORAGE
directory in the disk0: file system, enter:
host1/Admin# move disk0:SAMPLEFILE disk0:MYSTORAGE/SAMPLEFILE
Deleting Files
To delete a file from a specific file system in the ACE, use the delete command in
Exec mode. When you delete a file, the ACE erases the file from the specified file
system.
Note
To remove a directory from the ACE file system, use the rmdir command (see the
“Deleting an Existing Directory” section).
The syntax for this command is:
delete {core:filename | disk0:[directory/]filename | image:filename |
volatile:filename}
The keywords and arguments are:
• core:filename—Deletes the specified file from the core: file system (see the “Viewing and Copying Core Dumps” section). The delete core: command is available only in the Admin context.
• disk0:[directory/]filename—Deletes the specified file from the disk0: file system (for example, a packet capture buffer file or system message log). You can optionally provide a path to a file in a directory in the disk0: file system.
• image:filename—Deletes the specified file from the image: file system. The delete image: command is available only in the Admin context.
• volatile:filename—Deletes the specified file from the volatile: file system.
For example, to delete a copy of the running-configuration file called
MY_RUNNING-CONFIG1 from the MYSTORAGE directory on the disk0: file
system, enter:
host1/Admin# delete disk0:MYSTORAGE/MY_RUNNING-CONFIG1
Displaying File Contents
To display the contents of a specified file in a directory in Flash memory (disk0:) or in volatile memory (volatile:), use the show file command. The syntax for this command is:
show file {disk0: [path/]filename | volatile: filename} [cksum | md5sum]
The keywords, arguments, and options are:
• disk0: [path/]filename—The name of a file residing in the disk0: file system of Flash memory (for example, a packet capture buffer file or system message log). You can optionally provide a path to a file in a directory in the disk0: file system.
• volatile: filename—Specifies the name of a file in the volatile memory file system of the ACE.
• cksum—(Optional) Displays the cyclic redundancy check (CRC) checksum for the file. The command computes a CRC for each named file. Use this option to verify that the file is not corrupt by comparing the checksum output for the received file against the checksum output for the original file.
• md5sum—(Optional) Displays the MD5 checksum for the file. MD5 produces an electronic fingerprint for the file. It implements the Internet standard described in RFC 1321 and is useful for data security and integrity.
For example, to display the contents of a file residing in the current directory,
enter:
host1/Admin# show file disk0:myfile md5sum
3d8e05790155150734eb8639ce98a331
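In practice the digest the ACE prints is compared with one computed on the copy that reached the remote server, so that a truncated or corrupted transfer is caught before the backup is relied on. The following Python script is an added example and is not part of this guide or the ACE software. It computes MD5 with the standard library and implements the POSIX cksum CRC (polynomial 0x04C11DB7, with the byte count folded in after the data); that this is the algorithm behind the cksum keyword is an assumption, not something the guide states, so confirm it against a file whose ACE output you already have before relying on it. The comparison tolerates whitespace and upper-case hex copied from a terminal. MD5 and CRC detect accidental corruption; neither resists deliberate tampering, so a match is a transfer check, not proof of authenticity.

```python
import hashlib
import hmac

# POSIX cksum CRC: polynomial 0x04C11DB7, MSB-first, no reflection, the byte
# count folded in after the data, then the result is complemented. ASSUMED to
# match "show file ... cksum"; verify against your own ACE output.
_POLY = 0x04C11DB7
_TABLE = []
for _i in range(256):
    _c = _i << 24
    for _ in range(8):
        _c = ((_c << 1) ^ _POLY) if _c & 0x80000000 else (_c << 1)
    _TABLE.append(_c & 0xFFFFFFFF)


def posix_cksum(data: bytes) -> int:
    """CRC as printed by the POSIX cksum utility (decimal, unsigned 32-bit)."""
    crc = 0
    for b in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]
    n = len(data)
    while n:  # fold the length in, least significant byte first
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[((crc >> 24) ^ (n & 0xFF)) & 0xFF]
        n >>= 8
    return (~crc) & 0xFFFFFFFF


def md5_hex(data: bytes) -> str:
    """Lower-case hex MD5 digest, the form the ACE prints for md5sum."""
    return hashlib.md5(data).hexdigest()


def normalise_reported(value: str) -> str:
    """First token of what the ACE printed, lower-cased; tolerates pasted whitespace."""
    tokens = value.split()
    return tokens[0].lower() if tokens else ""


def verify_md5(local: bytes, reported: str) -> bool:
    """True when the local copy's MD5 equals the digest the ACE reported."""
    return hmac.compare_digest(md5_hex(local), normalise_reported(reported))


def verify_cksum(local: bytes, reported: str) -> bool:
    """True when the local copy's CRC equals the cksum value the ACE reported."""
    token = normalise_reported(reported)
    return token.isdigit() and posix_cksum(local) == int(token)


if __name__ == "__main__":
    # Constructed sample: a small config fragment. With a real device, paste the
    # value from "show file disk0:<name> md5sum" in place of reported_md5.
    backup = b"hostname host1\ninterface vlan 100\n  ip address 10.1.1.1 255.255.255.0\n"
    reported_md5 = md5_hex(backup)
    print("md5 ok:", verify_md5(backup, reported_md5))
    print("cksum:", posix_cksum(backup))
    print("tampered copy ok:", verify_md5(backup + b"!", reported_md5))
```

Run the script on the file that arrived at the remote server, passing the digest line exactly as the ACE printed it; a mismatch means the transfer (or the ascii/bin mode chosen for FTP) altered the file.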
Saving show Command Output to a File
You can force all show screen output to be directed to a file by appending >
filename to any command. For example, you can enter show interface > filename
at the Exec mode CLI prompt to redirect the interface configuration command
output to a file created at the same directory level.
The syntax for redirecting show command output is as follows:
show keyword [| {begin pattern | count | end pattern | exclude pattern | include pattern | next | prev}] [> {filename | {disk0: | volatile:}[path/][filename] | ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}]
The arguments, keywords, and options include:
• |—(Optional) Enables an output modifier that filters the command output.
• begin pattern—Begins with the line that matches the pattern that you specify.
• count—Counts the number of lines in the output.
• end pattern—Ends with the line that matches the pattern that you specify.
• exclude pattern—Excludes the lines that match the pattern that you specify.
• include pattern—Includes the lines that match the pattern that you specify.
• next—Displays the lines next to the matching pattern that you specify.
• prev—Displays the lines before the matching pattern that you specify.
• >—(Optional) Enables an output modifier that redirects the command output to a file.
• filename—Name of the file that the ACE saves the output to on the volatile: file system.
• disk0:—Specifies that the destination is the disk0: file system on the ACE Flash memory.
• volatile:—Specifies that the destination is the volatile: file system on the ACE.
• [path/][filename]—(Optional) Path and filename to the disk0: or volatile: file system.
• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, a filename.
• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, a filename.
• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, a filename.
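Once show output has been redirected to a file and copied off the appliance, the same begin, end, include, exclude, and count filters are often needed again offline, for example when reviewing saved output from several devices. The following Python function is an added example and is not part of this guide or the ACE software. It applies those modifiers to a list of saved output lines; the pattern is treated as a regular expression searched anywhere in the line, and begin/end act on the first matching line, which is an assumed reading of the descriptions above rather than documented ACE behaviour. The next and prev modifiers are omitted because the guide does not define how many surrounding lines they show. The sample output is constructed and does not reproduce any real show command format.

```python
import re
from typing import List, Optional, Sequence, Tuple


def filter_show_output(lines: List[str], modifier: str,
                       pattern: Optional[str] = None) -> List[str]:
    """Apply one ACE-style output modifier to saved show output.

    ASSUMPTIONS (not stated by the guide): pattern is a regex searched anywhere
    in the line; begin keeps everything from the first match onward; end keeps
    everything up to and including the first match.
    """
    if modifier == "count":
        return [str(len(lines))]
    if pattern is None:
        raise ValueError(f"'{modifier}' requires a pattern")
    rx = re.compile(pattern)
    if modifier == "include":
        return [ln for ln in lines if rx.search(ln)]
    if modifier == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if modifier == "begin":
        for i, ln in enumerate(lines):
            if rx.search(ln):
                return lines[i:]
        return []
    if modifier == "end":
        for i, ln in enumerate(lines):
            if rx.search(ln):
                return lines[: i + 1]
        return list(lines)
    raise ValueError(f"unsupported modifier: {modifier}")


def apply_pipeline(lines: List[str],
                   stages: Sequence[Tuple[str, Optional[str]]]) -> List[str]:
    """Chain several modifiers, e.g. begin ... then include ..."""
    out = list(lines)
    for modifier, pattern in stages:
        out = filter_show_output(out, modifier, pattern)
    return out


# Constructed sample output; the layout is illustrative only.
SAMPLE_OUTPUT = [
    "vlan100 is up",
    "  ip address 10.1.1.1 255.255.255.0",
    "vlan200 is down",
    "  ip address 10.2.2.1 255.255.255.0",
    "vlan300 is up",
]

if __name__ == "__main__":
    print(filter_show_output(SAMPLE_OUTPUT, "include", "is up"))
    print(filter_show_output(SAMPLE_OUTPUT, "count"))
    print(apply_pipeline(SAMPLE_OUTPUT, [("begin", "vlan200"), ("include", "ip address")]))
```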
Viewing and Copying Core Dumps
A core dump occurs when the ACE experiences a fatal error. The ACE writes
information about the fatal error to the core: file system in Flash memory before
a switchover or reboot occurs. The core: file system is the storage location for all
core files generated during a fatal error. Three minutes after the ACE reboots, the
saved last core file is restored from the core: file system back to its original RAM
location. This restoration is a background process and is not visible to the user.
You can view the list of core files in the core: file system by using the dir core:
command in Exec mode.
The core: file system is available only from the Admin context.
Note
Core dump information is for Cisco Technical Assistance Center (TAC) use only.
If the ACE becomes unresponsive, you can view the dump information in the core
through the show cores command. We recommend that you contact TAC for
assistance in interpreting the information in the core dump.
The time stamp on the restored last core file displays the time when the ACE
booted up, not when the last core was actually dumped. To obtain the exact time
of the last core dump, check the corresponding log file with the same process
identifier (PID).
This section contains the following topics:
• Copying Core Dumps
• Clearing the Core Directory
• Deleting a Core Dump File
Copying Core Dumps
You can save a core dump from the ACE to the disk0: file system or to a remote
server. To save a core to a remote server, use the copy core: command in Exec mode.
The ACE copies a single file based on the provided process identifier. The copy core:
command is available only in the Admin context.
To display the list of available core files, use the dir core: command. Copy the
complete filename (for example, 0x401_vsh_log.25256.tar.gz) into the copy
core: command.
The syntax for the copy core: Exec mode command is:
copy core:filename {disk0:[path/][filename] | ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]}
The keywords, arguments, and options are:
• filename—Core dump that resides on the ACE in Flash memory. Use the dir core: command to view the core dump files available in the core: file system.
• disk0:[path/][filename]—Specifies a file location for the core dump in the disk0: file system and a filename for the core.
• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the renamed core dump.
• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed core dump.
• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed core dump.
When you select a destination file system using ftp:, sftp:, or tftp:, the ACE
performs the following tasks:
• Prompts you for your username and password if the destination file system requires user authentication.
• Prompts you for the server information if you do not provide the information with the command.
• Copies the file to the root directory of the destination file system if you do not provide path information.
For example, to copy a core file from the ACE to a remote FTP server, enter:
host1/Admin# copy core:0x401_vsh_log.8249.tar.gz ftp://192.168.1.2
Enter the destination filename[]? [0x401_vsh_log.8249.tar.gz]
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
Note
The bin (binary) file transfer mode is intended for transferring compiled files
(executables). The ascii file transfer mode is intended for transferring text files,
such as config files. The default selection of bin should be sufficient in all cases
when copying files to a remote FTP server.
Clearing the Core Directory
To clear out all of the core dumps stored in the core: file system, use the clear
cores command in Exec mode of the Admin context. The syntax for the command
is:
clear cores
For example, to clear out all of the core dumps stored in the core: file system,
enter:
host1/Admin# clear cores
Deleting a Core Dump File
To delete a core dump file from the core: file system in Flash memory, use the
delete core: command in Exec mode of the Admin context. To view the core dump
files available in Flash memory, use the dir core: command.
The syntax for the command is:
delete core:filename
The filename argument specifies the name of a core dump file located in the core:
file system.
For example, to delete the file 0x401_VSH_LOG.25256.TAR.GZ from the core:
file system, enter:
host1/Admin# delete core:0x401_VSH_LOG.25256.TAR.GZ
Capturing and Copying Packet Information
Capturing packets is a useful aid in troubleshooting connectivity problems with
the ACE or for monitoring suspicious activity. The ACE can track packet
information for network traffic that passes through the ACE. The attributes of the
packet are defined by an ACL. The ACE buffers the captured packets, and you can
copy the buffered contents to a file in Flash memory on the ACE or to a remote
server. You can also display the captured packet information on your console or
terminal.
This section contains the following topics:
• Capturing Packet Information
• Copying Capture Buffer Information
• Viewing Packet Capture Information
Capturing Packet Information
To enable the packet capture function on the ACE for packet sniffing and network
fault isolation, use the capture command in Exec mode. As part of the packet
capture process, you specify whether to capture packets from all input interfaces
or an individual VLAN interface.
Caution
The packet capture function uses ACL resources as can be seen with the show np
1 access-list resource command. If you have a large ACL configuration and you
enable packet capturing, the ACE may oversubscribe the allocated ACL
resources. If this happens, you may see one of the following error messages:
In exec mode,
Error: Device Name:[0x3FF] Instance:[63] Error Type:[(null)] code:[255]
In config mode,
Error: ACL merge add acl to list failed
For information about using the show np 1 access-list resource command to
monitor ACL resources and how to resolve ACL oversubscription problems, see
the “Troubleshooting ACLs” section of the ACE Troubleshooting Wiki.
Note
The packet capture function enables access-control lists (ACLs) to control which
packets are captured by the ACE on the input interface. If the ACLs are selecting
an excessive amount of traffic for the packet capture operation, the ACE will see
a heavy load, which can cause a degradation in performance. We recommend that
you avoid using the packet capture function when high network performance is
critical.
In addition, probe traffic will not hit a security ACL so ACLs cannot control the
capture of those packets. In this case, probe traffic cannot be captured by the
packet capture function.
The packet capture function works on an individual context basis. The ACE traces
only the packets that belong to the current context where you execute the capture
Exec command. The context ID, which is passed along with the packet, can be
used to isolate packets that belong to a specific context. To trace the packets for a
specific context, use the changeto Exec command to enter the specified context
and then use the capture command.
Note
If you enable packet capture for jumbo packets, the ACE captures only the first
1,860 bytes of data.
The ACE does not automatically save the packet capture to a file. To copy the
capture buffer information as a file in Flash memory or to a remote server, use the
copy capture command (see the “Copying Capture Buffer Information” section).
The syntax for this command is:
capture buffer_name {{all | {interface vlan number}} access-list name
[bufsize buf_size [circular-buffer]]} | remove | start | stop
The keywords, arguments, and options are:
• buffer_name—Name of the packet capture buffer. The buffer_name argument
associates the packet capture with a name. Specify a text string from 1 to 80
alphanumeric characters with no spaces.
• all—Captures packets from all input interfaces.
Note
To capture application acceleration and optimization traffic bound for the
optional Cisco AVS 3180A Management Station interface, use the all
keyword. This keyword captures all the traffic on all interfaces. You can
then transfer the packet capture file to a remote machine to be scanned for
traffic that is specific to the Management Station interface.
• interface—Specifies the interface from which to capture packets.
Note
If you delete an interface that is in use by the packet capture function,
the ACE stops the capture automatically. If you check the status of the
packet capture using the show capture status command, you will
notice that the capture stopped because of an interface deletion. At
this point, you can perform any operation (for example, saving the old
capture) on the capture except starting the capture. To restart the
capture, you must delete the old capture and configure a new one.
• vlan number—Specifies the VLAN identifier associated with the specified
input interface.
• access-list name—Selects packets based on a specific access list
identification. A packet must pass the access list filters before the packet is
stored in the capture buffer. Specify a previously created access list identifier.
Enter an unquoted text string with a maximum of 64 alphanumeric characters.
Note
Ensure that the access list is for an input interface. If you configure
the packet capture on the output interface, the ACE will fail to match
any packets.
• bufsize buf_size—(Optional) Specifies the buffer size, in kilobytes (KB),
used to store the packet capture. The range is from 1 to 5000 KB. The default
is 64 KB.
• circular-buffer—(Optional) Enables the packet capture buffer to overwrite
itself, starting from the beginning, when the buffer is full.
• remove—Clears the packet capture configuration.
• start—Starts the packet capture function and displays the messages on the
session console as the ACE receives the packets. The CLI prompt returns and
you can type other commands at the same time that the ACE is capturing
packets. To stop the capture process, enter stop. The packet capture function
automatically stops when the buffer is full unless you enable the circular
buffer function.
• stop—Stops the packet capture function.
Note
Under high traffic conditions, you may observe up to 64 packets
printing on the console after you enter the stop keyword. These
additional messages can occur because the packets were in transit or
buffered before you entered the stop keyword.
If you delete an interface that is in use by the packet capture function, the ACE
stops the capture automatically. If you check the status of the packet capture using
the show capture buffer_name status command (see the “Viewing Packet
Capture Information” section), you will notice that the capture stopped because
of an interface deletion. At this point, you can perform any operation (for
example, saving the old capture) on the capture except starting the capture. To
restart the capture, you must delete the old capture and configure a new one. The
ACE handles the deletion of an ACL or an ACL entry in a similar manner.
If you add an interface while you are already capturing all interfaces, the capture
continues using all the original interfaces. If you add an ACL entry during an
existing ACL capture, the capture continues normally using the original ACL
criteria.
If the ACE stops a packet capture because of an interface or ACL deletion, the
following additional information appears in the output of the show capture
buffer_name status command:
Capture forced to stop due to change in [interface | access-list] config.
To restart the capture, remove and add the capture again.
To enable packet capture on an interface VLAN, enter the following:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# access-list acl1 line 10 extended permit ip any any
host1/Admin(config)# exit
host1/Admin# capture capture1 interface vlan50 access-list acl1
host1/Admin# capture capture1 start
To stop the packet capture function on the interface VLAN, enter the following:
host1/Admin# capture capture1 stop
Copying Capture Buffer Information
To copy an existing packet capture buffer to the disk0: file system, use the copy
capture command in Exec mode.
The syntax for the command is:
copy capture capture_name disk0: [path/]destination_name
The keywords, arguments, and options are:
• capture_name—Name of the packet capture buffer in Flash memory. Specify
a text string from 1 to 80 alphanumeric characters with no spaces. If
necessary, use the show capture command to view the files available in Flash
memory. This list includes the name of existing packet capture buffers.
• disk0:—Specifies that the buffer is copied to the disk0: file system. Include
a space between disk0: and a destination path.
• [path/]destination_name—Destination path (optional) and name for the
packet capture buffer. Specify a text string from 1 to 80 alphanumeric
characters. If you do not provide the optional path, the ACE copies the file to
the root directory on the disk0: file system.
For example, to copy a packet capture buffer to the disk0: file system as a file on
disk0: called MYCAPTURE1, enter:
host1/Admin# copy capture packet_capture_Jul_17_08 disk0: MYCAPTURE1
To clear the capture packet buffer, use the clear capture command in Exec mode.
The syntax for this command is:
clear capture buffer_name
The buffer_name argument specifies the name of the existing packet capture
buffer to clear.
For example, to clear the capture buffer packet_capture_Jul_17_08, enter:
host1/Admin# clear capture packet_capture_Jul_17_08
Viewing Packet Capture Information
To display the captured packet information on your console or terminal, use the show
capture command in Exec mode. The syntax for this command is:
show capture buffer_name [detail [connid connection_id | range
packet_start packet_end] | status]
The keywords, arguments, and options are:
• buffer_name—Name of the packet capture buffer. Specify a text string from
1 to 80 alphanumeric characters.
• detail—(Optional) Displays additional protocol information for each packet.
• connid connection_id—(Optional) Displays protocol information for a
specified connection identifier.
• range packet_start packet_end—(Optional) Displays protocol information
for a range of captured packets.
• status—(Optional) Displays capture status information for each packet.
For all types of received packets, the console display is in tcpdump format.
For example, to display captured packet information for packet capture buffer
CAPTURE1, enter:
host1/Admin# show capture CAPTURE1
0001: msg_type: ACE_HIT ace_id: 41 action_flag: 11
0002: msg_type: CON_SETUP con_id: 1090519041 out_con_id: 16777218
0003: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0
0004: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0
0005: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0
0006: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0
0007: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0
0008: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0
0009: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0
0010: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0
0011: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0
0012: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0
0013: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0
0014: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0
0015: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0
For example, to display packet capture status information, enter:
host1/Admin# show capture capture1 status
Capture session : cap1
Buffer size     : 64 K
Circular        : no
Buffer usage    : 19.00%
Status          : stopped
For example, to display protocol information for a range of captured packets,
enter:
host1/Admin# show capture capture1 detail range 2-3
0002: msg_type: CON_SETUP
con_id: 1090519041
out_con_id: 16777218
src_addr: 10.7.107.11
src_port: 30212
dst_addr: 10.7.107.15
dst_port: 23
l3_protocol: 0
l4_protocol: 0
message_hex_dump:
0x0000: 0000 0101 4100 0001 0100 0002 0000 0000  ....A...........
0x0010: 0a07 6b0b 0a07 6b0f 0619 0001 7604 0017  ..k...k.....v...
0x0020: 0000 0000 0002 0000 05b4 0000 0100 0002  ................
0x0030: 0000 0000 0010 0481 0208 0000 0000 0000  ................
0x0040: 0000 0000 1020 0010 0000 0000 19b2 fb3c  ...............<
0x0050: 000c 40ae 0000 0029 0000 0000 000c 40ae  ..@....)......@.
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0070: 0a07 6b0f 0a07 6b0b 0610 0001 0017 7604  ..k...k.......v.
0x0080: 0000 0000 0002 0000 05b4 0004 4100 0001  ............A...
0x0090: 0000 0000 0010 0480 0208 0000 0000 0000  ................
0x00a0: 0000 0000 1020 0010 0000 0000 19b2 fb3c  ...............<
0x00b0: 000c 40ae 0000 0029 0000 0000 000c 40ae  ..@....)......@.
0x00c0: 0000 0000 0000 0000 0000 0000  ............
0003: msg_type: PKT_RCV
con_id: 16777218
other_con_id: 0
message_hex_dump:
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 002c b0de 0000 ff06 2005 0a07 6b0b  E..,..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3b 0000 0000  ..k.v......;....
0x0040: 6002 1020 12d5 00  `......
For example, to display captured packet information in tcpdump format, enter:
host1/Admin# show capture capture1 detail
0001: msg_type: ACE_HIT
ace_id: 41
action_flag: 0xb
src_addr: 10.7.107.11
src_port: 30212
dst_addr: 10.7.107.15
dst_port: 23
l3_protocol: 0
l4_protocol: 6
message_hex_dump:
0x0000: 0000 0104 0000 0029 0000 0000 0a07 6b0b  .......)......k.
0x0010: 0a07 6b0f 0609 0001 7604 0017 0000 0000  ..k.....v.......
0x0020: 0000 0000 0000 0000 0000 0029 0b06 0000  ...........)....
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0040: 0000 0000 0000 0001  ........
0002: msg_type: CON_SETUP
con_id: 1090519041
out_con_id: 16777218
src_addr: 10.7.107.11
src_port: 30212
dst_addr: 10.7.107.15
dst_port: 23
l3_protocol: 0
l4_protocol: 0
message_hex_dump:
0x0000: 0000 0101 4100 0001 0100 0002 0000 0000  ....A...........
0x0010: 0a07 6b0b 0a07 6b0f 0619 0001 7604 0017  ..k...k.....v...
0x0020: 0000 0000 0002 0000 05b4 0000 0100 0002  ................
0x0030: 0000 0000 0010 0481 0208 0000 0000 0000  ................
0x0040: 0000 0000 1020 0010 0000 0000 19b2 fb3c  ...............<
0x0050: 000c 40ae 0000 0029 0000 0000 000c 40ae  ..@....)......@.
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0070: 0a07 6b0f 0a07 6b0b 0610 0001 0017 7604  ..k...k.......v.
0x0080: 0000 0000 0002 0000 05b4 0004 4100 0001  ............A...
0x0090: 0000 0000 0010 0480 0208 0000 0000 0000  ................
0x00a0: 0000 0000 1020 0010 0000 0000 19b2 fb3c  ...............<
0x00b0: 000c 40ae 0000 0029 0000 0000 000c 40ae  ..@....)......@.
0x00c0: 0000 0000 0000 0000 0000 0000  ............
0003: msg_type: PKT_RCV
con_id: 16777218
other_con_id: 0
message_hex_dump:
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 002c b0de 0000 ff06 2005 0a07 6b0b  E..,..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3b 0000 0000  ..k.v......;....
0x0040: 6002 1020 12d5 00  `......
0004: msg_type: PKT_RCV
con_id: 1090519041
other_con_id: 0
message_hex_dump:
0x0000: 0840 004e 0050 8034 0000 000a 0000 0000  .@.N.P.4........
0x0010: 0004 0011 5d6a f800 0005 9a3b 95d9 0800  ....]j.....;....
0x0020: 4500 002c 0000 4000 4006 50a4 0a07 6b0f  E..,..@.@.P...k.
0x0030: 0a07 6b0b 0017 7604 f31b 6f71 19b2 fb3c  ..k...v...oq...<
0x0040: 6012 16d0 a986 00  `......
0005: msg_type: PKT_RCV
con_id: 16777218
other_con_id: 0
message_hex_dump:
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 0028 b0df 0000 ff06 2008 0a07 6b0b  E..(..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3c f31b 6f72  ..k.v......<..or
0x0040: 5010 1020 c7f3 00  P......
0006: msg_type: PKT_RCV
con_id: 16777218
other_con_id: 0
message_hex_dump:
0x0000: 8900 005a 0050 8034 0038 000a 0010 0a06  ...Z.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 003a b0e0 0000 ff06 1ff5 0a07 6b0b  E..:..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3c f31b 6f72  ..k.v......<..or
0x0040: 5018 1020 9a8a 0000 fffd 03ff fb18 fffb  P...............
0x0050: 17ff fb  ...
0007: msg_type: PKT_RCV
con_id: 16777218
other_con_id: 0
message_hex_dump:
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 0028 b0e1 0000 ff06 2006 0a07 6b0b  E..(..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb4e f31b 6f72  ..k.v......N..or
0x0040: 5010 1020 c7e1 00  P......
0008: msg_type: PKT_RCV
con_id: 1090519041
other_con_id: 0
message_hex_dump:
0x0000: 0840 004e 0050 8034 0000 000a 0000 0000  .@.N.P.4........
0x0010: 0004 0011 5d6a f800 0005 9a3b 95d9 0800  ....]j.....;....
0x0020: 4500 0028 7b6e 4000 4006 d539 0a07 6b0f  E..({n@.@..9..k.
0x0030: 0a07 6b0b 0017 7604 f31b 6f72 19b2 fb4e  ..k...v...or...N
0x0040: 5010 16d0 c131 00  P....1.
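The message_hex_dump of each PKT_RCV record carries the captured frame after an ACE-internal prefix, so a capture copied off the appliance can be checked offline before it is relied on in an investigation. The following added example (not part of this guide or of the ACE software) parses records 0003 and 0008 copied from the show capture capture1 detail output above, locates the IPv4 header, verifies its checksum and decodes addresses, ports and TCP flags; the record and hex-line shapes, the two-space separator before the ASCII column, and the undocumented 18-byte prefix are assumptions taken from the output shown here.

```python
"""Decode the IPv4/TCP headers inside ACE `show capture <name> detail` output."""
import re
import struct

REC_RE = re.compile(r"^(\d{4}): msg_type: (\w+)")  # e.g. 0003: msg_type: PKT_RCV
FIELD_RE = re.compile(r"^(\w+):\s*(\S*)$")         # e.g. con_id: 16777218
HEX_RE = re.compile(r"^0x([0-9a-f]{4}):\s+(.*)$")  # e.g. 0x0020: 45c0 002c ...  E..,
WORD_RE = re.compile(r"[0-9a-f]{2}|[0-9a-f]{4}")
TCP_FLAGS = (("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16), ("URG", 32))

# Records 0003 and 0008 copied from the guide's `show capture capture1 detail` output
# (the telnet SYN from 10.7.107.11 and the server's ACK); two spaces precede the ASCII column.
SAMPLE = """\
0003: msg_type: PKT_RCV
con_id: 16777218
other_con_id: 0
message_hex_dump:
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 002c b0de 0000 ff06 2005 0a07 6b0b  E..,..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3b 0000 0000  ..k.v......;....
0x0040: 6002 1020 12d5 00  `......
0008: msg_type: PKT_RCV
con_id: 1090519041
other_con_id: 0
message_hex_dump:
0x0000: 0840 004e 0050 8034 0000 000a 0000 0000  .@.N.P.4........
0x0010: 0004 0011 5d6a f800 0005 9a3b 95d9 0800  ....]j.....;....
0x0020: 4500 0028 7b6e 4000 4006 d539 0a07 6b0f  E..({n@.@..9..k.
0x0030: 0a07 6b0b 0017 7604 f31b 6f72 19b2 fb4e  ..k...v...or...N
0x0040: 5010 16d0 c131 00  P....1.
"""


def parse_show_capture_detail(text):
    """Return one dict per numbered record: index, msg_type, fields and raw dump bytes."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := REC_RE.match(line):
            cur = {"index": int(m[1]), "msg_type": m[2], "fields": {}, "raw": bytearray()}
            records.append(cur)
        elif cur is None:
            continue
        elif m := HEX_RE.match(line):
            if int(m[1], 16) != len(cur["raw"]):
                raise ValueError("hex dump offset gap in record %04d" % cur["index"])
            for word in re.split(r"\s{2,}", m[2], maxsplit=1)[0].split():
                if not WORD_RE.fullmatch(word):
                    raise ValueError("unexpected hex word %r" % word)
                cur["raw"] += bytes.fromhex(word)
        elif (m := FIELD_RE.match(line)) and m[1] != "message_hex_dump":
            cur["fields"][m[1]] = m[2]
    return records


def ipv4_header_checksum_ok(header):
    """True when the one's-complement sum of the header's 16-bit words folds to 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff


def decode_ipv4_tcp(raw):
    """Locate and decode the Ethernet-encapsulated IPv4 (and TCP) header of a PKT_RCV dump.

    The frame follows an ACE-internal prefix the guide does not document (18 bytes in its
    examples; an assumption), so instead of a fixed offset we search for EtherType 0x0800
    followed directly by an IPv4 version/IHL byte. Returns None when none is found.
    """
    raw = bytes(raw)
    for i in range(len(raw) - 2):
        vi = raw[i + 2]
        if raw[i:i + 2] == b"\x08\x00" and vi >> 4 == 4 and (vi & 0x0f) >= 5:
            ip = raw[i + 2:]
            break
    else:
        return None
    ihl = (ip[0] & 0x0f) * 4
    if len(ip) < ihl:
        return None
    total_len, ttl, proto = struct.unpack("!H4xBB2x", ip[2:12])
    info = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "proto": proto, "ttl": ttl, "ip_len": total_len,
            "truncated": len(ip) < total_len,  # the display shows only a prefix of each frame
            "ip_checksum_ok": ipv4_header_checksum_ok(ip[:ihl])}
    tcp = ip[ihl:]
    if proto == 6 and len(tcp) >= 14:  # ports, seq, ack and flags fit in the first 14 bytes
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=[name for name, bit in TCP_FLAGS if off_flags & bit])
    return info


def summarize_capture(text):
    """One tcpdump-style line per PKT_RCV record whose IPv4 header could be located."""
    out = []
    for rec in parse_show_capture_detail(text):
        info = decode_ipv4_tcp(rec["raw"]) if rec["msg_type"] == "PKT_RCV" else None
        if info:
            out.append("%04d: %s:%s > %s:%s %s ttl=%d ipcsum=%s" % (
                rec["index"], info["src"], info.get("sport", "?"), info["dst"],
                info.get("dport", "?"), "/".join(info.get("flags", [])) or "-",
                info["ttl"], "ok" if info["ip_checksum_ok"] else "BAD"))
    return out
```

Because the display shows only the first bytes of each frame, truncated is reported for every record here; the server's ACK number in record 0008 (0x19b2fb4e) equals the client's SYN sequence in record 0003 (0x19b2fb3b) plus one plus the 18 telnet bytes of record 0006, which is the kind of consistency check this decoding makes possible.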
Using the Configuration Checkpoint and Rollback Service
This section describes how to make a checkpoint (or snapshot) of a running
configuration on your ACE and how to use the rollback service to revert to the last
known stable configuration. It contains the following topics:
• Overview
• Creating a Configuration Checkpoint
• Deleting a Configuration Checkpoint
• Rolling Back a Running Configuration
• Displaying Checkpoint Information
Overview
At some point, you may want to modify your running configuration. If you run
into a problem with the modified configuration, you may need to reboot your
ACE. To prevent having to reboot your ACE after unsuccessfully modifying a
running configuration, you can create a checkpoint (a snapshot in time) of a
known stable running configuration before you begin to modify it. If you
encounter a problem with the modifications to the running configuration, you can
roll back the configuration to the previous stable configuration checkpoint.
Note
Before you upgrade your ACE software, we strongly recommend that you create
a checkpoint in your running configuration. For details about upgrading your ACE
software, see Appendix A, Upgrading or Downgrading Your ACE Software.
The ACE allows you to make a checkpoint configuration at the context level. The
ACE stores the checkpoint for each context in a hidden directory in Flash memory.
If, after you enter additional commands to modify the current running
configuration, you enter the rollback command option, the ACE causes the
running configuration to revert to the checkpointed configuration.
This section contains the following topics:
• Creating a Configuration Checkpoint
• Deleting a Configuration Checkpoint
• Rolling Back a Running Configuration
Creating a Configuration Checkpoint
To create a configuration checkpoint, use the checkpoint create command in
Exec mode in the context for which you want to create a checkpoint. The ACE
supports a maximum of 10 checkpoints for each context.
Be sure that the current running configuration is stable and is the configuration
that you want to make a checkpoint. If you change your mind after creating the
checkpoint, you can delete it. See the “Deleting a Configuration Checkpoint”
section.
The syntax of this command is:
checkpoint create name
The name argument specifies the unique identifier of the checkpoint. Enter a text
string with no spaces and a maximum of 25 alphanumeric characters.
For example, enter:
host1/Admin# checkpoint create MYCHECKPOINT
Generating configuration....
Created checkpoint 'MYCHECKPOINT'
If the checkpoint already exists, you are prompted to overwrite it as follows:
Checkpoint already exists
Do you want to overwrite it? (y/n) [n] y
Generating configuration....
Created checkpoint 'MYCHECKPOINT'
The default is n. If you do not want to overwrite the existing checkpoint, press
Enter. To overwrite the existing checkpoint, enter y.
Deleting a Configuration Checkpoint
To delete a configuration checkpoint, use the checkpoint delete command in
Exec mode. Before you use this command, make sure that you want to delete the
checkpoint. When you enter this command, the ACE removes the checkpoint from
Flash memory. The syntax of this command is:
checkpoint delete name
The name argument specifies the unique identifier of the checkpoint. Enter a text
string with no spaces and a maximum of 25 alphanumeric characters.
For example, enter:
host1/Admin# checkpoint delete MYCHECKPOINT
Deleted checkpoint 'MYCHECKPOINT'
Rolling Back a Running Configuration
To roll back the current running configuration to the previously checkpointed
running configuration for the current context, use the checkpoint rollback
command in Exec mode. The syntax of this command is:
checkpoint rollback name
The name argument specifies the unique identifier of the checkpoint. Enter a text
string with no spaces and a maximum of 25 alphanumeric characters.
For example, enter:
host1/Admin# checkpoint rollback MYCHECKPOINT
This operation will rollback the system's running configuration to the
checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded
switch/Admin#
Displaying Checkpoint Information
To display checkpoint information, use the show checkpoint command in Exec
mode. The syntax of this command is:
show checkpoint {all | detail name}
The options and arguments are:
• all—Displays a list of all existing checkpoints. The output for the show
checkpoint all command includes checkpoint time stamps.
• detail name—Displays the running configuration of the specified checkpoint.
For example, to display the running configuration for all checkpoints, enter:
host1/Admin# show checkpoint all
-----------------------------------------------------
Checkpoint     Size (in bytes)   Date (created on)
-----------------------------------------------------
Checkpt1       14246             Wed May 14 09:16:18 2008
blank          0                 Wed May 14 09:16:18 2008
Checkpt2       11694             Wed May 14 09:16:18 2008
For example, to display the running configuration for a specific checkpoint, enter:
host1/Admin# show checkpoint detail MYCHECKPOINT
Reformatting Flash Memory
Caution
We recommend that you use the format flash command to reformat the ACE
Flash memory only under the guidance and supervision of Cisco Technical
Assistance Center (TAC).
The ACE uses the third extended file system (ext3) as the base file system. The
file system is used to allocate and organize storage space for various types of
storage, such as startup-configuration files, SSL certificate storage, core files,
image storage, and log files.
To erase all data on the Flash memory and reformat it with the ext3 base file
system, use the format flash: command. All user-defined configuration
information is erased.
The ACE performs the following verification sequence prior to reformatting Flash
memory:
• If the system image (the current loaded image) is present in the GNU GRand
Unified Bootloader (GRUB) boot loader, the ACE automatically performs a
backup of that image and then performs the reformat of Flash memory.
• If the system image is not present in the GRUB boot loader, the ACE prompts
you for the location of an available image to back up prior to reformatting the
Flash memory.
• If you choose not to back up an available image file, the ACE searches for the
ACE-APPLIANCE-RECOVERY-IMAGE.bin image in the GRUB partition of
Flash memory. ACE-APPLIANCE-RECOVERY-IMAGE.bin is the recovery
software image that the ACE uses if the disk partition in Flash memory is
corrupted.
– If ACE-APPLIANCE-RECOVERY-IMAGE.bin is present, the ACE
continues with the Flash memory reformat. The CLI prompt changes to
“switch(RECOVERY-IMAGE)/Admin#” as a means for you to copy the
regular ACE software image.
– If ACE-APPLIANCE-RECOVERY-IMAGE.bin is not present, the ACE
stops the Flash memory reformat because there is no image to boot after
format.
Before you reformat Flash memory, we recommend that you copy the following
ACE operation and configuration files or objects to a remote server:
• ACE software image
• ACE license
• Startup-configuration file of each context
• Running-configuration file of each context
• Core dump files of each context
• Packet capture buffers of each context
• SSL certificate and key pair files of each context
See the “Copying Files” section for details on how to use the copy command to
save configuration files or objects, such as the existing startup-configuration files,
running-configuration file, licenses, core dump files, or packet capture buffers, to
a remote FTP, SFTP, or TFTP server.
See the Cisco 4700 Series Application Control Engine Appliance SSL
Configuration Guide for details on how to use the crypto export command to
export SSL certificate and key pair files to a remote FTP, SFTP, or TFTP server.
The syntax for the command is as follows:
format flash:
For example, to erase all information in Flash memory and reformat it, enter:
host1/Admin# format flash:
Warning!! This will erase everything in the compact flash
including startup configs for all the contexts and reboot
the system!!
Do you wish to proceed anyway? (yes/no) [no] yes
If the ACE fails to extract a system image from the GRUB bootloader, it prompts
you to provide the location of an available system image to back up:
Failed to extract system image Information from Grub
backup specific imagefile? (yes/no) [no] yes
Enter Image name: c4710ace-mz.A3_1_0.bin
Saving Image [c4710ace-mz.A3_1_0.bin]
Formatting the cf.....
Unmounting ext3 filesystems...
Unmounting FAT filesystems...
Unmounting done...
Unmounting compact flash filesystems...
format completed successfully
Restoring Image backupimage/scimi-3.bin
kjournald starting. Commit interval 5 seconds
REXT3 FS on hdb2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
starting graceful shutdown
switch/Admin# Unmounting ext3 filesystems...
Unmounting FAT filesystems...
Unmounting done...
After you reformat the Flash memory, perform the following actions:
• Reinstall the ACE software image by using the copy image: command (see
Appendix A, Upgrading or Downgrading Your ACE Software).
• Reinstall the ACE license by using the license install command (see
Chapter 3, Managing ACE Software Licenses).
• Import the startup and running-configuration files into the associated context
by using the copy command (see the “Loading Configuration Files from a
Remote Server” section).
• Import SSL certificate files and key pair files into the associated context by
using the crypto import command (see the Cisco 4700 Series Application
Control Engine Appliance SSL Configuration Guide).
Chapter 5
Viewing ACE Hardware and Software Configuration Information
This chapter describes how to view Cisco 4700 Series Application Control Engine
(ACE) appliance hardware and software configuration information. The ACE CLI
provides a comprehensive set of show commands in Exec mode that you can use
to gather ACE hardware and software configuration information.
This chapter contains the following major sections:
• Displaying Software Version Information
• Displaying Software Copyright Information
• Displaying Hardware Information
• Displaying the Hardware Inventory
• Displaying System Processes
• Displaying Process Status Information and Memory Resource Limits
• Displaying System Information
• Displaying ICMP Statistics
• Displaying Technical Support Information
To view the contents of the current running-configuration file and
startup-configuration file, see Chapter 4, Managing the ACE Software.
Note
The show buffer, show fifo, show netio, show np, and show vnet commands
display internal system-level hardware show output for use by trained Cisco
personnel as an aid in debugging and troubleshooting the ACE. See the Cisco
4700 Series Application Control Engine Appliance Command Reference for
background information about those show commands.
Displaying Software Version Information
To display the version of system software that is currently running on the ACE in
Flash memory, use the show version command. You use the show version
command to verify the software version on the ACE before and after an upgrade.
The syntax of this command is:
show version
For example, to display the entire output for the show version command, enter:
host1/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader:
Version 0.95
system:
Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0
system image file: (nd)/192.168.65.31/scimitar.bin
Device Manager version 1.1 (0) 20080805:0415
installed license: ACE-AP-VIRT-020 ACE-AP-C-1000-LIC
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6226392 kB, free: 4315836 kB
shared: 0 kB, buffers: 17164 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 935560 kB, used: 611564 kB, available: 276472 kB
last boot reason: Unknown
configuration register: 0x1
kernel uptime is 0 days 21 hours 25 minute(s) 17 second(s)
Displaying Software Copyright Information
To display the software copyright information for the ACE, use the show
copyright command. The syntax of this command is:
show copyright
For example, enter:
host1/Admin# show copyright
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Displaying Hardware Information
To display ACE hardware inventory details, use the show hardware command.
The syntax of this command is:
show hardware
For example, to display the ACE hardware inventory details, enter:
host1/Admin# show hardware
Hardware
Product Number: ACE-4710-K9
Serial Number: QCN21220038
Hardware Rev: 1.1
VID: V01
CLEI: COUCADFCAA
MFG Part Num: 800-29070-01
MFG Revision: 01
Slot No. : 1
Type: ACE Appliance
Table 5-1 describes the fields in the show hardware command output.

Table 5-1  Field Descriptions for the show hardware Command
  Product Number: Product number of the ACE
  Serial Number: Serial number of the ACE
  Hardware Rev: Hardware revision of the ACE
  VID: Version identification number of the ACE
  MFG Part Num: Manufacturing part number of the ACE
  MFG Revision: Manufacturing revision of the ACE
  Slot No.: Not applicable
  Type: Identifies the type of ACE, appliance or module
Displaying the Hardware Inventory
To display the system hardware inventory of the ACE, use the show inventory
command. This command displays information about the field replaceable units
(FRUs) in the ACE, including product identifiers, serial numbers, and version
identifiers.
The syntax of this command is:
show inventory [raw]
The optional raw keyword displays information about each component in the
ACE.
For example, to display the ACE hardware inventory details, enter:
host1/Admin# show inventory
Table 5-2 describes the fields in the show inventory command output.

Table 5-2  Field Descriptions for the show inventory Command
  Name: Name assigned to the ACE component.
    Note: If you do not specify the raw keyword, the only named object that displays is the ACE chassis. If you specify the raw keyword, each monitored component of the chassis displays.
  Descr: Description of the ACE component.
  PID: Product identifier of the ACE.
  VID: Version identifier of the ACE.
  SN: Serial number of the ACE.
Displaying System Processes
To display general information about all of the processes running on the ACE, use the
show processes command. The show processes command displays summary CPU
information for the Intel Pentium processor.
The show processes command is available only to users with an Admin role across
all contexts. The displayed system processes information is at the CPU system level
(the total CPU usage) and is not on a per-context level.
The syntax of this command is:
show processes [cpu | log [details | pid process_id] | memory]
The keywords, arguments, and options are:
• cpu—Displays CPU information for the Intel Pentium processor.
• log—Displays information about process logs.
• details—Displays process log information for all process identifiers.
• pid process_id—Displays information about a specific process identifier.
• memory—Displays memory information about the processes.
For example, to display memory information for the Intel Pentium processor,
enter:
host1/Admin# show processes mem
PID   MemAlloc StackBase/Ptr      Process
----- -------- ------------------ ----------------
1     495616   bffffed0/bffff9c0  init
2     0        0/0                ksoftirqd/0
3     0        0/0                desched/0
4     0        0/0                events/0
5     0        0/0                khelper
10    0        0/0                kthread
18    0        0/0                kacpid
110   0        0/0                kblockd/0
161   0        0/0                pdflush
162   0        0/0                pdflush
163   0        0/0                kswapd0
164   0        0/0                aio/0
241   0        0/0                kseriod
320   0        0/0                loop0
451   0        0/0                kjournald
453   0        0/0                kjournald
511   0        0/0                loop1
512   0        0/0                kjournald
518   0        0/0                loop2
--More--
Table 5-3 describes the fields in the show processes command output.

Table 5-3  Field Descriptions for the show processes Command
  PID: Process identifier.
  State: Process state. The state codes that can appear are:
    D: Uninterruptible sleep (usually I/O related)
    ER: Error while running
    NR: Not running
    R: Running or runnable (on run queue)
    S: Interruptible sleep (waiting for an event to complete)
    T: Stopped, either by a job control signal or because it is being traced
    W: Paging
    X: Process is dead
    Z: Defunct ("zombie") process, terminated but not reaped by its parent
  PC: Current program counter in hex format.
  Start_cnt: Number of times the process has been started.
  TTY: Terminal that controls the process. A "-" usually means a daemon that is not attached to any particular tty.
  Process: Name of the process.
Table 5-4 describes the fields in the show processes cpu command output.

Table 5-4  Field Descriptions for the show processes cpu Command
  CPU Utilization: Percentage of CPU utilization for the ACE over a 5-second interval, a 1-minute interval, and a 5-minute interval
  PID: Process identifier
  Runtime (ms): CPU time the process has used, expressed in milliseconds
  Invoked: Number of times that the process has been invoked
  uSecs: Microseconds of CPU time as an average for each process invocation
  1 Sec: CPU utilization as a percentage for the last second
  5 Sec: CPU utilization as a percentage for the last 5 seconds
  1 Min: CPU utilization as a percentage for the last minute
  5 Min: CPU utilization as a percentage for the last 5 minutes
  Process: Name of the process
Table 5-5 describes the fields in the show processes log command output.

Table 5-5  Field Descriptions for the show processes log Command
  Process: Name of the process
  PID: Process identifier
  Normal-exit: Whether the process exited normally
  Stack: Whether a stack trace is in the log
  Core: Whether a core file exists
  Log-create-time: Time when the log file was generated
Table 5-6 describes the fields in the show processes log details and show processes log pid process_id command output.

Table 5-6  Field Descriptions for the show processes log details | pid Command
  Service: Name of the service.
  Description: Brief description of the service.
  Started at: Time the process started.
  Stopped at: Time the process stopped.
  Uptime: Length of time that the process was active.
  Start type: System manager option that indicates the restartability characteristics of the process (that is, whether it is a stateless restart or a stateful restart).
  Death reason: Reason that the system manager killed the process (for example, no sysmgr heartbeats).
  Exit code: Exit code with which the process exited.
    Note: Normally, the exit code carries the number of the signal that killed the process.
  CWD: Current working directory.
  Virtual memory: Virtual memory addresses where the code, data heap, and stack of the process are located.
  PID: Process identifier.
  SAP: Service access point.
  UUID: Universally unique identifier of the service.
Table 5-7 describes the fields in the show processes memory command output.

Table 5-7  Field Descriptions for the show processes memory Command
  PID: Process identifier
  MemAlloc: Total memory allocated by the process
  StackBase/Ptr: Process stack base and current stack pointer in hex format
  Process: Name of the process
Displaying Process Status Information and Memory Resource Limits
To display detailed process status information and memory resource limits, use the
show terminal internal info Exec mode command.
The syntax of this command is:
show terminal internal info
For example, enter:
host1/Admin# show terminal internal info
Table 5-8 describes the fields in the show terminal internal info command output.

Table 5-8  Field Descriptions for the show terminal internal info Command

Process Information
  Name: Name of the executable that started the process.
  State: Process state, using the same codes as Table 5-3:
    D: Uninterruptible sleep (usually I/O related)
    ER: Error while running
    NR: Not running
    R: Running or runnable (on run queue)
    S: Interruptible sleep (waiting for an event to complete)
    T: Stopped, either by a job control signal or because it is being traced
    W: Paging
    X: Process is dead
    Z: Defunct ("zombie") process, terminated but not reaped by its parent
  SleepAVG: Percentage of time the task has spent sleeping.
  TGID: Thread group identifier (the PID of the thread group leader).
  PID: Process identifier.
  PPID: Parent process identifier.
  TracerPID: Identifier of the process that is tracing this process (0 if none).
  UID: Real, effective, saved set, and file system user IDs of the process (four-element list).
  GID: Real, effective, saved set, and file system group IDs of the process (four-element list).
  FDSize: Number of file descriptor slots currently allocated for the process.
  Groups: Supplementary group IDs of the process.
  VmSize: Total virtual memory used by the process (in kBytes).
  VmLck: Locked virtual memory (in kBytes).
  VmRSS: Physical memory (resident set) used by the process (in kBytes).
  VmData: Virtual memory data size (in kBytes).
  VmStk: Virtual memory stack size (in kBytes).
  VmExe: Executable (text) virtual memory (in kBytes).
  VmLib: Shared library virtual memory (in kBytes).
  VmPTE: Size of the page table entries of the process (in kBytes).
  Threads: Number of threads.
  SigPnd: Signals pending for the thread.
  ShdPnd: Signals pending for the process as a whole (shared).
  SigBlk: Signals blocked.
  SigIgn: Signals ignored.
  SigCat: Signals caught.
  CapInh: Inheritable capability set.
  CapPrm: Permitted capability set.
  CapEff: Effective capability set.

Memory Limits
  Core file size: Maximum size of core file (in blocks) that may be created.
  Data seg size: Maximum size (in kbytes) of the data segment for a process.
  File size: Maximum size (in blocks) of files that the process may create.
  Max locked memory: Maximum size (in kbytes) which a process may lock into memory.
  Max memory size: Maximum size (in kbytes) to which the resident set size of a process may grow. This imposes a limit on the amount of physical memory given to a process.
  Open files: Maximum number of open files for this process.
  Pipe size: Pipe buffer size (in bytes).
  Stack size: Maximum size (in kbytes) of the stack segment for a process.
  CPU time: Maximum amount of CPU time (in seconds) that each process may use.
  Max user processes: Maximum number of simultaneous processes for the user identifier.
  Virtual memory: Maximum amount (in kbytes) of virtual memory available to the process.
Displaying System Information
To display the system information, use the show system command. The syntax of this
command is:
show system {cpuhog | error-id {hex_id | list} | internal | kmemtrack |
resources | skbtrack | uptime}
The keywords, arguments, and options are:
• cpuhog—Displays information related to the process watchdog timer that monitors CPU usage by any currently active processes.
• error-id—Displays descriptions of errors.
• hex_id—The error ID in hexadecimal format. The range is 0x0 to 0xffffffff.
• list—Specifies all error IDs.
• internal—Specifies a series of internal system-level commands for use by trained Cisco personnel only. This option is available in the Admin context only.
• kmemtrack—Displays the kernel memory allocations in the kernel loadable modules.
• resources—Displays system-related CPU and memory statistics.
• skbtrack—Displays the socket buffer (network buffer) allocations in the kernel loadable modules.
• uptime—Displays how long the ACE has been up and running.
For example, to display CPU and memory statistics for the ACE, enter:
host1/Admin# show system resources
Table 5-9 describes the fields in the show system resources command output.

Table 5-9  Field Descriptions for the show system resources Command
  Load average: Average number of runnable processes over the past 1-minute, 5-minute, and 15-minute intervals.
  Processes: Number of processes in the system, and how many of them are actually running when you enter the command.
  CPU states: CPU usage percentage in user mode, kernel mode, and idle time in the last second.
  Memory usage: Total memory, used memory, free memory, memory used for buffers, and memory used for cache, in KB. Buffers and cache are also counted in the used memory statistic.
Table 5-10 describes the fields in the show system uptime command output.

Table 5-10  Field Descriptions for the show system uptime Command
  System start time: Date and time when the ACE was turned on
  System uptime: Length of time that the ACE hardware and software have been running
  Kernel uptime: Length of time that the operating system (OS) has been running
Displaying ICMP Statistics
To display Internet Control Message Protocol (ICMP) statistics, use the show icmp
statistics command. The syntax of this command is:
show icmp statistics
For example, enter:
host1/Admin# show icmp statistics
Use the clear icmp statistics command to clear the ICMP statistics.
Table 5-11 describes the fields in the show icmp statistics command output.

Table 5-11  Field Descriptions for the show icmp statistics Command
  Total Messages: Total number of ICMP messages transmitted or received by the ACE
  Errors: Number of ICMP error messages transmitted or received by the ACE
  Echo Request: Number of ICMP echo request messages transmitted or received by the ACE
  Echo Reply: Number of ICMP echo reply messages transmitted or received by the ACE
  Unreachable: Number of ICMP unreachable packets transmitted or received by the ACE
  TTL Expired: Number of ICMP TTL-expired messages transmitted or received by the ACE
  Redirect: Number of ICMP redirect messages transmitted or received by the ACE
  Address Mask: Number of ICMP Address Mask Request messages transmitted or received by the ACE
  Param problem: Number of ICMP Parameter Problem messages transmitted or received by the ACE
  Source Quench: Number of ICMP Source Quench messages transmitted or received by the ACE
  Time Stamp: Number of ICMP Time Stamp (request) messages transmitted or received by the ACE
Displaying Technical Support Information
To display general information about the ACE when you report a problem, use the
show tech-support command in Exec mode. You can also use this command to
collect a large amount of information about your ACE and provide the output of
this command to technical support representatives when you report a problem.
The show tech-support command displays the output of several show commands
at once. The output from this command varies depending on your configuration.
You can choose to have detailed information for each command or even specify
the output for a particular interface or appliance. In the output, each
command appears in backquotes (for example, `show version`) on a line of its
own, followed by that command's output.
Note
Set the terminal length command to 0 (zero) before you enter show tech-support
so that the ACE disables the --More-- pager and the entire output scrolls
without pausing; otherwise a captured session stops at the first screen. Use
the show terminal command to view the configured terminal size. After
obtaining the output, reset your terminal length as required (see Chapter 1,
Setting Up the ACE).
Note
You can save the output of this command to a file by appending > filename to the
show tech-support command (see Chapter 4, Managing the ACE Software). If
you save this file, verify that you have sufficient space to do so; each file may take
about 1.8 MB.
The default output of the show tech-support command includes the output of the
following commands:
• show hardware—See the “Displaying Hardware Information” section
• show interface—See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide
• show processes—See the “Displaying System Processes” section
• show running-config—See Chapter 4, Managing the ACE Software
• show version—See the “Displaying Software Version Information” section
The syntax of this command is:
show tech-support [details]
The optional details keyword provides detailed information for each show
command.
For example, to display an excerpt of the current running state of the ACE, enter:
host1/Admin# show tech-support
`show version`
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader:
Version 0.95
system:
Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0
system image file: (nd)/192.168.65.31/scimitar.bin
Device Manager version 1.1 (0) 20080805:0415
installed license: ACE-AP-VIRT-020 ACE-AP-C-1000-LIC
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6226392 kB, free: 4315836 kB
shared: 0 kB, buffers: 17164 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 935560 kB, used: 611564 kB, available: 276472 kB
last boot reason: Unknown
configuration register: 0x1
kernel uptime is 0 days 21 hours 25 minute(s) 17 second(s)
`show pvlans`
*** Context 0: cmd parse error ***
cpu: 0, model: Intel(R) Pentium(R) 4, speed: 3399.991 MHz
memory info:
total: 6226704 kB, free: 4637164 kB
shared: kB, buffers: 19436 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 861668 kB, used: 348552 kB, available: 469344 kB
last boot reason: reload command by root
configuration register: 0x1
switch kernel uptime is 0 days 18 hours 59 minute(s) 49 second(s)
`show clock`
Tue Aug 5 10:13:57 UTC 2008
`show inventory`
NAME: "chassis", DESCR: "ACE 4710 Application Control Engine Appliance"
PID: ACE-4710-K9 , VID: , SN: 2061
--More--
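A show tech-support capture is long and, as the excerpt above shows, contains commands that failed to parse and can end at a --More-- prompt if the terminal length was not set to 0. The script below is an added example (not part of the Cisco guide) that splits a saved capture into per-command sections using the one format feature shown above, the command name in backquotes on its own line, then reports commands whose output is a parse error, detects a truncated capture, and masks IPv4 addresses before the file is handed to a third party. The sample text is a constructed, abbreviated copy of the output above; the function names are my own.

```python
"""Split a captured `show tech-support` dump into per-command sections.

Added example, not Cisco code.  The only format assumption is the one the
guide's own excerpt shows: each command's output is preceded by a line holding
the command in backquotes, such as `show version`.  The sample below is a
constructed, abbreviated copy of that excerpt.
"""
import re

TECH_SUPPORT_SAMPLE = """\
`show version`
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Software
  loader:    Version 0.95
  system:    Version A3(1.0)
  system image file: (nd)/192.168.65.31/scimitar.bin
  installed license: ACE-AP-VIRT-020 ACE-AP-C-1000-LIC
`show pvlans`
*** Context 0: cmd parse error ***
`show clock`
Tue Aug  5 10:13:57 UTC 2008
`show inventory`
NAME: "chassis", DESCR: "ACE 4710 Application Control Engine Appliance"
PID: ACE-4710-K9 , VID: , SN: 2061
--More--
"""

SECTION_RE = re.compile(r"^`(?P<cmd>[^`\n]+)`[ \t]*$", re.MULTILINE)
PARSE_ERROR = "cmd parse error"
PAGER_PROMPT = "--More--"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_tech_support(text):
    """Return [(command, output), ...] in the order the commands were run."""
    marks = list(SECTION_RE.finditer(text))
    sections = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        sections.append((m.group("cmd").strip(), text[m.end():end].strip("\n")))
    return sections


def failed_commands(sections):
    """Commands the CLI parser rejected (the guide's excerpt shows `show pvlans`
    failing this way); their sections carry no usable data."""
    return [cmd for cmd, out in sections if PARSE_ERROR in out]


def is_truncated(text):
    """A pager prompt inside the capture means terminal length was not 0 and
    the session stopped at the first screen."""
    return PAGER_PROMPT in text


def redact_ipv4(text, placeholder="x.x.x.x"):
    """Mask IPv4 addresses (for example the image server in the boot path)
    before the dump leaves your organisation."""
    return IPV4_RE.sub(placeholder, text)


def summarize(text):
    """One-shot report: command list, failed commands, truncation, sizes."""
    sections = split_tech_support(text)
    return {
        "commands": [cmd for cmd, _ in sections],
        "failed": failed_commands(sections),
        "truncated": is_truncated(text),
        "lines": {cmd: len(out.splitlines()) for cmd, out in sections},
    }


if __name__ == "__main__":
    for key, value in summarize(TECH_SUPPORT_SAMPLE).items():
        print(f"{key}: {value}")
```

Run summarize() over the file you produced with show tech-support > filename (or the gunzipped tac-pac archive); a truncated result means the capture must be repeated with terminal length 0, and the redacted text is what should actually be attached to a case.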
To redirect the output of the show tech-support command to a file on the disk0:
file system of the ACE or to a remote server using File Transfer Protocol (FTP),
Secure Copy Protocol (SCP), SSH File Transfer Protocol (SFTP), or Trivial File
Transfer Protocol (TFTP), use the tac-pac command in Exec mode.
Note
The output of the tac-pac command is in gzip format. We recommend that you
include the .gz extension in the filename so that it can be easily unzipped on
the destination file system. Because the archive includes the running
configuration, prefer scp:// or sftp:// when the file leaves the appliance;
FTP and TFTP carry the archive (and, for FTP, the login credentials) in
cleartext.
The syntax of this command is:
tac-pac {disk0:[path/]filename | ftp://server/path[/filename] |
scp://[username@]server/path[/filename] |
sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]}
The keywords, arguments, and options are:
• disk0:[path/]filename—Specifies that the file destination is the disk0: file system of the current context. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
• ftp://server/path[/filename]—Specifies the FTP network server and optional file name.
• scp://[username@]server/path[/filename]—Specifies the SCP network server and optional file name.
• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and optional file name.
• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and optional file name.
For example, to send the output of the show tech-support command to a remote
FTP server, enter:
host1/Admin# tac-pac ftp://192.168.1.2/tac-output_7-7-08.gz
Chapter 6
Configuring Redundant ACE Appliances
This chapter describes how to configure the Cisco 4700 Series Application
Control Engine (ACE) appliance for redundancy, which provides fault tolerance
for the stateful switchover of flows. It contains the following major sections:
• Overview of Redundancy
• Configuration Requirements and Restrictions
• Redundancy Configuration Quick Start
• Configuring Redundancy
• Configuring Tracking and Failure Detection
• Example of a Redundancy Configuration
• Displaying Redundancy Information
• Clearing Redundancy Statistics
Overview of Redundancy
Redundancy (or fault tolerance) uses a maximum of two ACE appliances to ensure
that your network remains operational even if one of the appliances becomes
unresponsive. Redundancy ensures that your network services and applications
are always available.
Note
Redundancy is not supported between an ACE appliance and an ACE module
operating as peers. Redundancy must be of the same ACE device type and
software release.
Redundancy provides seamless switchover of flows in case an ACE becomes
unresponsive or a critical host or interface fails. Redundancy supports the
following network applications that require fault tolerance:
• Mission-critical enterprise applications
• Banking and financial services
• E-commerce
• Long-lived flows such as FTP and HTTP file transfers
This section contains the following topics:
• Redundancy Protocol
• Stateful Failover
• FT VLAN
• Configuration Synchronization
• Redundancy State for Software Upgrade or Downgrade
Redundancy Protocol
You can configure a maximum of two ACE appliances (peers) for redundancy.
Each peer appliance can contain one or more fault-tolerant (FT) groups. Each FT
group consists of two members: one active context and one standby context. For
more information about contexts, see the Cisco 4700 Series Application Control
Engine Appliance Virtualization Configuration Guide. An FT group has a unique
group ID that you assign.
One virtual MAC address (VMAC) is associated with each FT group. The format
of the VMAC is: 00-0b-fc-fe-1b-groupID. Because a VMAC does not change
upon switchover, the client and server ARP tables do not require updating. The
ACE selects a VMAC from a pool of virtual MACs available to it. You can specify
the pool of MAC addresses that the local ACE and the peer ACE use by
configuring the shared-vlan-hostid command and the peer shared-vlan-hostid
command, respectively. To avoid MAC address conflicts, be sure that the two
pools are different on the two ACEs. For more information about VMACs, see the
Cisco 4700 Series Application Control Engine Appliance Routing and Bridging
Configuration Guide.
Each FT group acts as an independent redundancy instance. When a switchover
occurs, the active member in the FT group becomes the standby member and the
original standby member becomes the active member. A switchover can occur for
the following reasons:
• The active member becomes unresponsive.
• A tracked host or interface fails (see the “Configuring Tracking and Failure Detection” section).
• You enter the ft switchover command to force a switchover (see the “Specifying the Peer Hostname” section).
Figure 6-1 shows two possible redundancy configurations, where N is the number
of ACEs configured for redundancy. The letters (A, B, C, and D) represent the
active contexts in each redundancy group, while the primed letters (A’, B’, C’, and
D’) are the standby contexts. The contexts are evenly distributed between the two
ACEs. You always configure the active and the standby contexts on different
ACEs.
Figure 6-1  Even Distribution of Contexts
(N = 2 ACEs. With 2 FT groups, one ACE holds A and B' and the other holds B and A'. With 4 FT groups, one ACE holds A, B, C', and D' and the other holds C, D, A', and B'.)
Figure 6-2 shows the uneven distribution of contexts between the two ACEs. As
an example, it is possible that the FT groups A,B, C, and D use only half the
resources that E and F require.
Figure 6-2  Uneven Distribution of Contexts
(N = 2 ACEs, 6 FT groups. One ACE holds the active contexts A, B, C, and D together with the standby contexts E' and F'; the other holds the active contexts E and F together with the standby contexts A', B', C', and D'.)
To outside nodes (clients and servers), the active and standby FT group members
appear as one node with respect to their IP addresses and associated VMAC. The
ACE provides active-active redundancy with multiple-contexts only when there
are multiple FT groups configured on each appliance and both appliances contain
at least one active group member (context). With a single context, the ACE
supports active-backup redundancy and each group member is an Admin context.
For details about configuring contexts, see the Cisco 4700 Series Application
Control Engine Appliance Virtualization Configuration Guide.
The ACE sends and receives all redundancy-related traffic (protocol packets,
configuration data, heartbeats, and state replication packets) on a dedicated FT
VLAN. You cannot use this dedicated VLAN for normal traffic.
To optimize the transmission of heartbeat packets for multiple FT groups and to
minimize network traffic, the ACE sends and receives heartbeat messages using a
separate process. The ACE uses the heartbeat to probe the peer ACE, rather than
probe each context. When an ACE does not receive a heartbeat from the peer
ACE, all the contexts in the standby state become active. The ACE sends heartbeat
packets over UDP. You can set the frequency with which the ACE sends heartbeat
packets as part of the FT peer configuration. For details about configuring the
heartbeat, see the “Configuring an FT Peer” section.
The election of the active member within each FT group is based on a priority
scheme. The member configured with the higher priority is elected as the active
member. If a member with a higher priority appears after the other member has
already become active, the higher-priority member takes over as the active
member. This behavior is known as preemption and is enabled by default (the
preempt command). With preemption enabled, the member with the higher priority
always asserts itself and becomes active. To override this default behavior so
that the current active member keeps its role, disable preemption with the
no preempt command. See the “Configuring an FT Group” section.
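The following model is an added example, not Cisco code, that encodes the rules this section states so you can reason about a planned FT design before touching the appliances: the VMAC format 00-0b-fc-fe-1b-groupID, election of the higher-priority member, preemption on by default versus no preempt, a forced ft switchover, loss of a member, and the rule that when heartbeats from the peer ACE stop, every FT group in which the local ACE is standby goes active at once. Two details are my assumptions rather than statements of the guide: the group ID is written as two hex digits in the last octet of the VMAC, and group IDs run from 1 to 255. Class and function names are my own.

```python
"""Model of the FT-group election rules and VMAC format described above.

Added example, not Cisco code.  It implements only what this section states
(highest configured priority becomes active, preemption enabled by default,
`no preempt` leaves the current active member in place, and a lost peer
heartbeat makes every standby context active).  Two details are my
assumptions: the group ID occupies the last octet of the VMAC as two hex
digits, and group IDs run from 1 to 255.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VMAC_PREFIX = "00-0b-fc-fe-1b"


def ft_group_vmac(group_id: int) -> str:
    """VMAC for an FT group, format 00-0b-fc-fe-1b-groupID (the two-hex-digit
    encoding and the 1-255 range are assumptions)."""
    if not 1 <= group_id <= 255:
        raise ValueError("FT group ID must be in 1-255")
    return f"{VMAC_PREFIX}-{group_id:02x}"


@dataclass
class FtGroup:
    """One FT group: two member contexts on two peer ACEs, one of them active."""
    group_id: int
    preempt: bool = True                                      # `preempt` is the default
    priorities: Dict[str, int] = field(default_factory=dict)  # peer name -> priority
    active: Optional[str] = None

    def add_member(self, peer: str, priority: int) -> Optional[str]:
        if len(self.priorities) >= 2 and peer not in self.priorities:
            raise ValueError("an FT group has at most two members")
        self.priorities[peer] = priority
        return self.elect()

    def elect(self) -> Optional[str]:
        """Highest priority wins an open election.  If a member is already
        active, a higher-priority member displaces it only with preemption."""
        if not self.priorities:
            self.active = None
            return None
        best = max(self.priorities, key=self.priorities.__getitem__)
        if self.active not in self.priorities:
            self.active = best
        elif self.preempt and self.priorities[best] > self.priorities[self.active]:
            self.active = best
        return self.active

    def standby(self) -> Optional[str]:
        others = [p for p in self.priorities if p != self.active]
        return others[0] if others else None

    def force_switchover(self) -> Optional[str]:
        """`ft switchover`: active and standby exchange roles."""
        if self.standby() is not None:
            self.active = self.standby()
        return self.active

    def member_failed(self, peer: str) -> Optional[str]:
        """Tracked failure or unresponsive member: drop it and re-elect."""
        self.priorities.pop(peer, None)
        if self.active == peer:
            self.active = None
        return self.elect()


def peer_heartbeat_lost(groups: List[FtGroup], local: str) -> List[Optional[str]]:
    """Heartbeats probe the peer ACE, not each context, so when they stop every
    FT group in which the local ACE is a member goes active on the local ACE."""
    for g in groups:
        if local in g.priorities:
            g.active = local
    return [g.active for g in groups]


if __name__ == "__main__":
    g1 = FtGroup(1)                    # preemption on (default)
    g2 = FtGroup(2, preempt=False)     # `no preempt`
    for g in (g1, g2):
        g.add_member("ace-1", 100)
        g.add_member("ace-2", 150)     # joins later with a higher priority
    print(ft_group_vmac(1), "active:", g1.active)   # ace-2 preempted ace-1
    print(ft_group_vmac(2), "active:", g2.active)   # ace-1 stays active
    print("after heartbeat loss on ace-1:", peer_heartbeat_lost([g1, g2], "ace-1"))
```

The no preempt case is the one to study: a member with a higher configured priority that joins or recovers later does not take the group back, so if you rely on a particular ACE being active after maintenance you must either leave preemption enabled or force it with ft switchover.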
Stateful Failover
The ACE replicates flows on the active FT group member to the standby group
member per connection for each context. The replicated flows contain all the
flow-state information necessary for the standby member to take over the flow if
the active member becomes unresponsive. If the active member becomes
unresponsive, the replicated flows on the standby member become active when
the standby member assumes mastership of the context. The active flows on the
former active member transition to a standby state to fully back up the active flows
on the new active member.
Note
By default, connection replication is enabled in the ACE.
After a switchover occurs, the same connection information is available on the
new active member. Supported end-user applications do not need to reconnect to
maintain the same network session.
Note
The ACE does not replicate SSL and other terminated (proxied) connections from
the active context to the standby context.
The state information passed to the standby appliance includes the following data:
• Network Address Translation (NAT) table based on information synchronized with the connection record
• All Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections not terminated by the ACE
• HTTP connection states (optional)
• Sticky table
Note
The ACE does not support the stateful failover of any connections that are
proxied. Such connections include Layer 7 connections, inspection, and HTTP
compression. Also, any connections that are candidates for compression on the
VIP but are not being compressed, for example because of the MIME type of the
data, remain proxied and are not supported by stateful failover.
In a user context, the ACE allows a switchover only of the FT group that belongs
to that context. In the Admin context, the ACE allows a switchover of all FT
groups in all configured contexts in the appliance.
To ensure that bridge learning occurs quickly upon a switchover in a Layer 2
configuration in the case where a VMAC moves to a new location, the new active
member sends a gratuitous ARP on every interface associated with the active
context. Also, when there are two VLANs on the same subnet and servers need to
send packets to clients directly, the servers must know the location of the gateway
on the client-side VLAN. The active member acts as the bridge for the two
VLANs. In order to initiate learning of the new location of the gateway, the new
active member sends an ARP request to the gateway on the client VLAN and
bridges the ARP response onto the server VLAN.
FT VLAN
Redundancy uses a dedicated FT VLAN between redundant ACEs to transmit
flow-state information and the redundancy heartbeat. You must configure this
same VLAN on both peer appliances. You also must configure a different IP
address within the same subnet on each appliance for the FT VLAN.
Note
Do not use this dedicated VLAN for any other network traffic, including HSRP
and data. The FT VLAN carries the heartbeat, the replicated flow state, and the
configuration synchronization data, so keep it isolated from client- and
server-facing networks; anything that can reach it can observe or disrupt the
redundancy protocol.
The two redundant appliances constantly communicate over the FT VLAN to
determine the operating status of each appliance. The standby member uses the
heartbeat packet to monitor the health of the active member. The active member
uses the heartbeat packet to monitor the health of the standby member.
Communications over the switchover link include the following data:
•
Redundancy protocol packets
•
State information replication data
•
Configuration synchronization information
•
Heartbeat packets
For multiple contexts, the FT VLAN resides in the system configuration file. Each
FT VLAN on the ACE has one unique MAC address associated with it. The ACE
uses these device MAC addresses as the source or destination MACs for sending
or receiving redundancy protocol state and configuration replication packets.
Note
The IP address and the MAC address of the FT VLAN do not change at
switchover.
Configuration Synchronization
For redundancy to function properly, both members of an FT group must have
identical configurations. Ensure that both ACE appliances include the same
bandwidth software license (2G or 1G) and the same virtual context software
license. If there is a mismatch in software license between the two ACE
appliances in an FT group, the following operational behavior can occur:
•
If there is a mismatch in virtual context software license, synchronization
between the active ACE and standby ACE may not work properly.
•
If both the active and the standby ACE appliances have the same virtual
context software license but a different bandwidth software license,
synchronization works properly, but the standby ACE may lose traffic on a
switchover from the 2G ACE appliance to the 1G ACE appliance.
For details about the available ACE software licenses, see Chapter 3, Managing
ACE Software Licenses.
The ACE automatically replicates the active configuration on the standby member
using a process called configuration synchronization (config sync). Config sync
automatically replicates any changes made to the configuration of the active
member to the standby member. After the ACE synchronizes the redundancy
configuration from the active member to the standby peer, it disables
configuration mode on the standby.
For information about configuring config sync, see the “Synchronizing
Redundant Configurations” section.
Redundancy State for Software Upgrade or Downgrade
The STANDBY_WARM redundancy state is used when upgrading or
downgrading the ACE software. When you upgrade or downgrade the ACE from
one software version to another, there is a point in the process when the two ACEs
have different software versions and, therefore, a CLI incompatibility.
When the software versions are different while upgrading or downgrading, the
STANDBY_WARM state allows the configuration and state synchronization
process to continue on a best-effort basis, which means that the active ACE will
continue to synchronize configuration and state information to the standby even
though the standby may not recognize or understand the CLI commands or state
information. This standby state allows the standby ACE to come up with
best-effort support. In the STANDBY_WARM state, as with the STANDBY_HOT
state, the configuration mode is disabled and configuration and state
synchronization continues. A failover from the active to the standby based on
priorities and preempt can still occur while the standby is in the
STANDBY_WARM state.
Configuration Requirements and Restrictions
Follow these requirements and restrictions when configuring the redundancy
feature.
•
Redundancy is not supported between an ACE appliance and an ACE module
operating as peers. Both peers must be the same ACE device type and run the
same software release.
•
In bridged mode (Layer 2), two contexts cannot share the same VLAN.
•
To achieve active-active redundancy, a minimum of two contexts and two FT
groups are required on each ACE.
•
When you configure redundancy, the ACE keeps all interfaces that do not
have an IP address in the Down state. The IP address and the peer IP address
that you assign to a VLAN interface should be in the same subnet, but
different IP addresses. For more information about configuring VLAN
interfaces, see the Cisco 4700 Series Application Control Engine Appliance
Routing and Bridging Configuration Guide.
Redundancy Configuration Quick Start
Table 6-1 provides a quick overview of the steps required to configure redundancy
for each ACE in the redundancy configuration. Each step includes the CLI
command or a reference to the procedure required to complete the task. For a
complete description of each feature and all the options associated with the CLI
commands, see the sections following Table 6-1.
Table 6-1
Redundancy Configuration Quick Start
Task and Command Example
1.
If you are operating in multiple contexts, observe the CLI prompt to verify
that you are operating in the desired context. If necessary, change to the
correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this table use the Admin context, unless
otherwise specified. For details on creating contexts, see the Cisco 4700
Series Application Control Engine Appliance Virtualization Configuration
Guide.
2.
Enter configuration mode.
host1/Admin# config
host1/Admin(config)#
3.
Configure one of the Ethernet ports on the ACE for fault tolerance using a
dedicated fault-tolerant (FT) VLAN for communication between the
members of an FT group.
host1/Admin(config-if)# ft-port vlan 60
4.
Configure a dedicated FT VLAN for communication between the members
of the FT group. This FT VLAN is global and is shared by all contexts.
Specify the IP address and netmask of the FT VLAN and the IP address and
netmask of the remote peer.
host1/Admin(config)# ft interface vlan 60
host1/Admin(config-ft-intf)# ip address 192.168.12.1 255.255.255.0
host1/Admin(config-ft-intf)# peer ip address 192.168.12.15 255.255.255.0
host1/Admin(config-ft-intf)# no shutdown
host1/Admin(config-ft-intf)# exit
5.
Configure the local redundancy peer appliance, associate the FT VLAN
with the peer, and configure the heartbeat interval and count.
host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)# ft-interface vlan 60
host1/Admin(config-ft-peer)# heartbeat count 20
host1/Admin(config-ft-peer)# heartbeat interval 300
host1/Admin(config-ft-peer)# exit
6.
Create at least one FT group on each ACE.
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#
7.
Associate a context with each FT group. You must associate the local
context and the corresponding peer context with the same FT group.
host1/Admin(config-ft-group)# associate-context C1
8.
Associate the peer context with the FT group.
host1/Admin(config-ft-group)# peer 1
9.
(Optional) Configure the priority of the FT group on the local appliance.
host1/Admin(config-ft-group)# priority 100
10. (Optional) Configure the priority of the FT group on the peer appliance.
host1/Admin(config-ft-group)# peer priority 200
11. Place the FT group in service.
host1/Admin(config-ft-group)# inservice
host1/Admin(config-ft-group)# exit
12. (Optional) Configure one or more critical objects (gateways or hosts, or
interfaces) to track for switchover. For example, to configure a critical
interface for tracking, enter:
host1/Admin(config)# ft track interface TRACK_VLAN100
host1/Admin(config-ft-track-intf)# track-interface vlan 100
host1/Admin(config-ft-track-intf)# peer track-interface vlan 200
host1/Admin(config-ft-track-intf)# priority 50
host1/Admin(config-ft-track-intf)# peer priority 150
host1/Admin(config-ft-track-intf)# exit
13. (Optional) Enable autosynchronization of the running- and/or
startup-configuration file from the active to the standby context.
host1/Admin(config)# ft auto-sync running-config
host1/Admin(config)# ft auto-sync startup-config
14. (Optional) Save your configuration changes to Flash memory.
host1/Admin(config)# exit
host1/Admin# copy running-config startup-config
15. (Recommended) Verify your redundancy configuration by using the
following commands in Exec mode:
host1/Admin# show running-config ft
host1/Admin# show running-config interface
Configuring Redundancy
To configure redundancy on the ACE, use the commands in the following
sections. You must configure the ft interface, ft peer, and ft group commands on
all ACEs that participate in the redundancy configuration. This section contains
the following topics:
•
Configuring an FT VLAN
•
Configuring an FT Peer
•
Configuring an FT Group
•
Specifying the Peer Hostname
•
Specifying the MAC Address Banks for a Shared VLAN
•
Forcing a Failover
•
Synchronizing Redundant Configurations
Configuring an FT VLAN
Peer ACEs communicate with each other over a dedicated FT VLAN. These
redundant peers use the FT VLAN to transmit and receive heartbeat packets and
state and configuration replication packets. You must configure the same VLAN
on each peer appliance.
Note
Do not use the dedicated FT VLAN for any other network traffic, including HSRP
and data.
To configure one of the Ethernet ports or a port-channel interface on the ACE for
fault tolerance using a dedicated FT VLAN for communication between the
members of an FT group, use the ft-port vlan command in interface configuration
mode (see the Cisco 4700 Series Application Control Engine Appliance Routing
and Bridging Configuration Guide).
Note
When you specify the ft-port vlan command, the ACE modifies the associated
Ethernet port or port-channel interface to a trunk port.
Note
On both peer ACE appliances, you must configure the same Ethernet port or
port-channel interface as the FT VLAN port. For example:
•
If you configure ACE appliance 1 to use Ethernet port 4 as the FT VLAN port,
then be sure to configure ACE appliance 2 to use Ethernet port 4 as the FT
VLAN port.
•
If you configure ACE appliance 1 to use port-channel interface 255 as the FT
VLAN port, then be sure to configure ACE appliance 2 to use port-channel
interface 255 as the FT VLAN port.
We recommend that you enable Quality of Service (QoS) on the FT VLAN port
to give FT traffic higher priority. See the Cisco 4700 Series Application
Control Engine Appliance Routing and Bridging Configuration Guide for details.
Creating an FT VLAN
To create an FT VLAN, use the ft interface command in configuration mode. The
syntax of this command is:
ft interface vlan vlan_id
The vlan_id argument specifies a unique identifier for the FT VLAN. Enter an
integer from 2 to 4094.
For example, enter:
host1/Admin(config)# ft interface vlan 200
host1/Admin(config-ft-intf)#
Note
To remove an FT VLAN, first remove it from the FT peer by using the no
ft-interface vlan command in FT peer configuration mode. See the “Associating
the FT VLAN with the Local Peer” section.
To remove the FT VLAN from the redundancy configuration, enter:
host1/Admin(config)# no ft interface vlan 200
Configuring an FT VLAN IP Address
After you create the FT VLAN, you must assign an IP address to the VLAN. To
assign an IP address to the VLAN, use the ip command in FT interface
configuration mode. The syntax of this command is:
ip address ip_address netmask
The keyword and arguments of this command are:
•
address ip_address—Specifies the IP address of the FT VLAN. Enter an IP
address in dotted-decimal notation (for example, 192.168.12.1).
•
netmask—Subnet mask of the FT VLAN. Enter a subnet mask in
dotted-decimal notation (for example, 255.255.255.0).
For example, to configure an IP address for the FT VLAN, enter:
host1/Admin(config-ft-intf)# ip address 192.168.12.1 255.255.255.0
To remove the IP address from an FT VLAN, enter:
host1/Admin(config-ft-intf)# no ip address
Configuring the Peer IP Address
The local member of the FT group communicates with the remote peer over the
FT VLAN. To allow the local member to communicate with the remote peer, use
the peer ip command in FT interface configuration mode. The syntax of this
command is:
peer ip address ip_address netmask
The keyword and arguments of this command are:
•
address ip_address—Specifies the IP address of the remote peer. Enter an IP
address in dotted-decimal notation (for example, 192.168.12.15).
•
netmask—Subnet mask of the remote peer. Enter a subnet mask in
dotted-decimal notation (for example, 255.255.255.0).
For example, to configure an IP address on the remote peer, enter:
host1/Admin(config-ft-intf)# peer ip address 192.168.12.15 255.255.255.0
To remove an IP address from the remote peer, enter:
host1/Admin(config-ft-intf)# no peer ip address 192.168.12.15 255.255.255.0
Enabling the FT VLAN
To enable the FT VLAN, use the no shutdown command in FT interface
configuration mode. The syntax of this command is:
no shutdown
For example, to enable the FT VLAN, enter:
host1/Admin(config-ft-intf)# no shutdown
To disable the FT VLAN after you have enabled it, enter:
host1/Admin(config-ft-intf)# shutdown
Configuring an FT Peer
On both peer ACEs, configure an FT peer definition in the Admin context only.
You can configure a maximum of two ACEs as redundancy peers.
To create an FT peer, use the ft peer command in configuration mode. The syntax
of this command is:
ft peer peer_id
The peer_id argument specifies a unique identifier for the peer. You can only
enter 1.
For example, enter:
host1/Admin(config)# ft peer 1
Note
Before you can remove an FT peer from the configuration, remove the peer from
the FT group. See the “Associating a Peer with an FT Group” section.
To remove the FT peer from the configuration, enter:
host1/Admin(config)# no ft peer 1
After you create an FT peer, configure the peer attributes as described in the
following topics:
•
Associating the FT VLAN with the Local Peer
•
Configuring the Heartbeat Interval and Count
•
Configuring a Query Interface
Associating the FT VLAN with the Local Peer
After you create an FT peer, associate the existing FT VLAN with that local peer
so that it can communicate with the remote peer. The redundancy peers use this
dedicated FT VLAN to exchange heartbeat packets and flow-state information.
For information about configuring an FT VLAN, see the “Configuring an FT
VLAN” section.
To associate an FT VLAN with a peer, use the ft-interface command in FT peer
configuration mode. The syntax of this command is:
ft-interface vlan vlan_id
The vlan_id argument specifies the identifier of an existing VLAN. Enter an
integer from 2 to 4094.
For example, enter:
host1/Admin(config-ft-peer)# ft-interface vlan 200
To remove the FT VLAN from the peer configuration, enter:
host1/Admin(config-ft-peer)# no ft-interface vlan 200
Configuring the Heartbeat Interval and Count
The heartbeat interval determines the frequency in milliseconds (ms) at which the
active member of the FT group sends the heartbeat packets to the standby member.
The heartbeat count is the number of missed heartbeats that the standby member
must detect before determining that the active member is not available. To
configure the heartbeat interval and count, use the heartbeat command in peer
configuration mode. The syntax of this command is:
heartbeat {count number | interval frequency}
The keywords and arguments are:
•
count number—Specifies the number of heartbeat intervals that must
transpire with no heartbeat packet received by the standby member before the
standby member determines that the active member is not available. Enter an
integer from 10 to 50. The default is 10 heartbeat intervals. If the standby
member of the FT group does not receive a heartbeat packet from the active
member, a time period equal to count number times interval frequency must
elapse before a switchover can occur. For example, in the default case, where
the heartbeat frequency is 300 ms and the heartbeat count is 10, if the standby
member does not receive a heartbeat packet from the active member for
3000 ms (3 seconds), a switchover occurs.
•
interval frequency—Specifies the interval in milliseconds (ms) between
heartbeats. Enter an integer from 100 to 1000 ms. The default is 300 ms.
For example, to set the heartbeat count to 20, enter:
host1/Admin(config-ft-peer)# heartbeat count 20
To reset the heartbeat count to the default of 10, enter:
host1/Admin(config-ft-peer)# no heartbeat count
For example, to set the heartbeat interval to 500 ms, enter:
host1/Admin(config-ft-peer)# heartbeat interval 500
To reset the heartbeat interval to the default of 300 ms, enter:
host1/Admin(config-ft-peer)# no heartbeat interval
Configuring a Query Interface
Configure a query interface to allow the standby member to determine whether the
active member is down or if there is a connectivity problem with the FT VLAN.
A query interface helps prevent two redundant contexts from becoming active at
the same time for the same FT group. Before triggering a switchover, the ACE
pings the active member to make sure that it is down. Configuring a query
interface allows you to assess the health of the active member, but it increases
switchover time.
To configure a query interface, use the query-interface command in FT peer
configuration mode. The syntax of this command is:
query-interface vlan vlan_id
The vlan_id argument specifies the identifier of an existing VLAN. Enter an
integer from 2 to 4094.
For example, to configure a query interface, enter:
host1/Admin(config-ft-peer)# query-interface vlan 400
To remove the query interface from the peer configuration, enter:
host1/Admin(config-ft-peer)# no query-interface vlan 400
Note
You cannot delete a query interface if it is associated with a peer. You must
disassociate the interface from the peer first, and then you can delete the interface.
Configuring an FT Group
On each ACE, you can create multiple FT groups, up to a maximum of 21 groups
(20 user contexts and 1 Admin context). Each group consists of a maximum of two
members (contexts): one active context on one appliance and one standby context
on the peer appliance.
To create an FT group, use the ft group command in configuration mode. You
must configure the same group ID on both peer appliances. The syntax of this
command is:
ft group group_id
The group_id argument specifies a unique identifier of the group. Enter an integer
from 1 to 20.
For example, enter:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#
To remove the group from the configuration, enter:
host1/Admin(config)# no ft group 1
After you create an FT group, configure the FT group attributes as described in
the following topics:
•
Associating a Context with an FT Group
•
Associating a Peer with an FT Group
•
Assigning a Priority to the Active FT Group Member
•
Assigning a Priority to the Standby FT Group Member
•
Configuring Preemption
•
Placing an FT Group in Service
•
Modifying an FT Group
Associating a Context with an FT Group
An FT group consists of two members (contexts) with the same name, each
residing on a different ACE. To associate a context with an FT group, use the
associate-context command in FT group configuration mode. You need to make
this association for both redundant contexts in an FT group. The syntax of this
command is:
associate-context name
For the name argument, enter the unique identifier of the context that you want to
associate with the FT group.
For example, enter:
host1/Admin(config-ft-group)# associate-context C1
Note
Before you can remove a context from an FT group, you must first take the group
out of service by using the no inservice command. See the “Placing an FT Group
in Service” section.
To remove a context from an FT group, enter:
host1/Admin(config-ft-group)# no associate-context C1
Associating a Peer with an FT Group
To associate a peer ACE with an FT group, use the peer command in FT group
configuration mode. The syntax of this command is:
peer peer_id
For the peer_id argument, enter 1 as the identifier of an existing peer appliance.
You can only enter 1.
For example, enter:
host1/Admin(config-ft-group)# peer 1
To remove the peer association with the FT group, enter:
host1/Admin(config-ft-group)# no peer
Assigning a Priority to the Active FT Group Member
A member (context) of an FT group becomes the active member through an
election process based on the priority that you configure for the group on each
peer. The group member with the higher priority becomes the active member. To
ensure that the member with the higher priority always becomes the active
member, use the preempt command, which is enabled by default. For details, see
the “Configuring Preemption” section.
To configure the priority of an FT group on the active member, use the priority
command in FT group configuration mode. You must configure the priority of an
FT group on both appliances. Configure a higher priority for the group on the
ACE where you want the active member to initially reside. The syntax of this
command is:
priority number
The number argument specifies the priority of the FT group on the local peer.
Enter an integer from 1 to 255. The default is 100.
Tip
Configure a higher priority on the FT group member that you want to be the active
member.
For example, to configure the priority of the FT group on the active member,
enter:
host1/Admin(config-ft-group)# priority 150
To restore the default priority of 100, enter:
host1/Admin(config-ft-group)# no priority
Assigning a Priority to the Standby FT Group Member
To configure the priority of an FT group on the remote standby member, use the
peer priority command in FT group configuration mode. You must configure the
priority of an FT group on both redundant appliances. Configure a lower priority
for the FT group on the ACE where you want the standby member to initially
reside. The syntax of this command is:
peer priority number
The number argument specifies the priority of the FT group on the standby
member. Enter an integer from 1 to 255. The default is 100.
Tip
Configure a lower priority on the FT group member that you want to be the
standby member.
Note
The ACE does not perform bulk config synchronization (sync) on the peer
priority command value in the FT group associated with the Admin context to the
peer. Therefore, you may observe a peer priority value in the
running-configuration file that is different from the actual operating value. For
information on bulk config sync, see the “Synchronizing Redundant
Configurations” section.
For example, to configure the priority of the FT group member on the remote
standby member, enter:
host1/Admin(config-ft-group)# peer priority 50
To restore the default priority of 100, enter:
host1/Admin(config-ft-group)# no peer priority
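The Quick Start table, the FT VLAN address and peer address commands, the heartbeat interval and count, and the priority and peer priority commands above all require values that agree across the two appliances, and the preceding note warns that the peer priority value shown in the running configuration of the Admin context's FT group may not match the operating value. The following script is an added example, not part of the Cisco guide or the ACE software. It parses the FT-related lines of two running-config fragments in the command syntax shown in this chapter, one per appliance, and reports mismatches: different FT VLANs, an ft peer bound to a VLAN other than the FT VLAN, FT addresses that are identical or in different subnets, a peer ip address that does not point at the other appliance, FT group IDs or contexts present on only one side, heartbeat settings that differ, and a group whose priority on one appliance does not equal the peer priority recorded on the other. It also computes the switchover detection time (count times interval) and which appliance each group should become active on, using the active-active layout of two contexts in two FT groups. The two sample configurations are constructed from a template; the addresses, VLAN IDs and context names are assumed, and the parser covers only the commands this chapter documents.

```python
"""Cross-check the redundancy (FT) configuration of two ACE peers. Added example, not
part of the Cisco guide or the ACE software; it parses the FT lines of two constructed
running-config fragments. Addresses, VLAN IDs and context names are assumed."""
import ipaddress
import re
# Constructed sample, one template per appliance: group 1 (Admin) should be active on A, group 2 (C1) on B.
TEMPLATE = """
ft interface vlan 60
  ip address {ip} 255.255.255.0
  peer ip address {peer_ip} 255.255.255.0
  no shutdown
ft peer 1
  ft-interface vlan {peer_vlan}
  heartbeat interval 300
  heartbeat count {count}
ft group 1
  peer 1
  priority {g1}
  peer priority {g1_peer}
  associate-context Admin
  inservice
ft group 2
  peer 1
  priority {g2}
  peer priority {g2_peer}
  associate-context C1
  inservice
"""
PEER_A = TEMPLATE.format(ip="192.168.12.1", peer_ip="192.168.12.15", peer_vlan=60,
                         count=20, g1=150, g1_peer=50, g2=50, g2_peer=150)
PEER_B = TEMPLATE.format(ip="192.168.12.15", peer_ip="192.168.12.1", peer_vlan=60,
                         count=20, g1=50, g1_peer=150, g2=150, g2_peer=50)
# Peer B with three mistakes: ft peer on the wrong VLAN, heartbeat count unlike A, both sides priority 150 for group 2.
PEER_B_BAD = TEMPLATE.format(ip="192.168.12.15", peer_ip="192.168.12.1", peer_vlan=61,
                             count=10, g1=50, g1_peer=150, g2=150, g2_peer=150)

def parse_ft(text):
    """Collect FT VLAN, FT peer and FT group settings; defaults as in the guide."""
    cfg = {"ft_vlan": None, "ip": None, "peer_ip": None, "peer_vlan": None,
           "interval": 300, "count": 10, "groups": {}}
    block = None  # "intf", "peer" or an FT group ID
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ft interface vlan (\d+)", line):
            cfg["ft_vlan"], block = int(m[1]), "intf"
        elif re.fullmatch(r"ft peer \d+", line):
            block = "peer"
        elif m := re.fullmatch(r"ft group (\d+)", line):
            block = int(m[1])
            cfg["groups"][block] = {"priority": 100, "peer_priority": 100, "context": None}
        elif block == "intf" and (m := re.fullmatch(r"(peer )?ip address (\S+) (\S+)", line)):
            cfg["peer_ip" if m[1] else "ip"] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif block == "peer":
            if m := re.fullmatch(r"ft-interface vlan (\d+)", line):
                cfg["peer_vlan"] = int(m[1])
            elif m := re.fullmatch(r"heartbeat (count|interval) (\d+)", line):
                cfg[m[1]] = int(m[2])
        elif isinstance(block, int):
            if m := re.fullmatch(r"(peer )?priority (\d+)", line):
                cfg["groups"][block]["peer_priority" if m[1] else "priority"] = int(m[2])
            elif m := re.fullmatch(r"associate-context (\S+)", line):
                cfg["groups"][block]["context"] = m[1]
    return cfg

def detection_time_ms(cfg):
    return cfg["count"] * cfg["interval"]  # silence the standby tolerates before a switchover

def expected_active(cfg_a, cfg_b):
    """Group ID -> 'A', 'B' or 'tie': the higher locally configured priority wins."""
    out = {}
    for gid in sorted(set(cfg_a["groups"]) & set(cfg_b["groups"])):
        pa, pb = cfg_a["groups"][gid]["priority"], cfg_b["groups"][gid]["priority"]
        out[gid] = "A" if pa > pb else "B" if pb > pa else "tie"
    return out

def check_pair(text_a, text_b):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse_ft(text_a), parse_ft(text_b)
    problems = []
    if a["ft_vlan"] != b["ft_vlan"]:
        problems.append(f"FT VLAN differs: {a['ft_vlan']} vs {b['ft_vlan']}")
    for name, c in (("A", a), ("B", b)):
        if c["peer_vlan"] != c["ft_vlan"]:
            problems.append(f"{name}: ft peer uses VLAN {c['peer_vlan']}, FT VLAN is {c['ft_vlan']}")
    if (a["count"], a["interval"]) != (b["count"], b["interval"]):
        problems.append("heartbeat settings differ between the peers")
    if a["ip"].network != b["ip"].network or a["ip"].ip == b["ip"].ip:
        problems.append("FT IP addresses must differ but share one subnet")
    if a["peer_ip"].ip != b["ip"].ip or b["peer_ip"].ip != a["ip"].ip:
        problems.append("peer ip address does not match the other appliance's FT address")
    if set(a["groups"]) != set(b["groups"]):
        problems.append(f"FT group IDs differ: {sorted(a['groups'])} vs {sorted(b['groups'])}")
    for gid in sorted(set(a["groups"]) & set(b["groups"])):
        ga, gb = a["groups"][gid], b["groups"][gid]
        if ga["context"] != gb["context"]:
            problems.append(f"group {gid}: contexts differ ({ga['context']} vs {gb['context']})")
        # A's `priority` must equal B's `peer priority` and vice versa.
        if ga["priority"] != gb["peer_priority"] or gb["priority"] != ga["peer_priority"]:
            problems.append(f"group {gid}: priority and peer priority disagree between the peers")
    return problems
```

To use it on real appliances, paste the output of show running-config ft from each peer into PEER_A and PEER_B and call check_pair; an empty list means the pair agrees on everything the chapter requires to match. A disagreement between one appliance's priority and the other's peer priority is the symptom the note above describes, and the fix is to set both values explicitly on both appliances rather than relying on config sync. The detection time reported for the sample pair is 6000 ms (count 20 times interval 300 ms), against the 3000 ms default described in the heartbeat section.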
Configuring Preemption
Preemption ensures that the group member with the higher priority always asserts
itself and becomes the active member. By default, preemption is enabled. To
configure preemption after it has been disabled, use the preempt command in FT
group configuration mode. The syntax of this command is:
preempt
For example, enter:
host1/Admin(config-ft-group)# preempt
To disable preemption, enter:
host1/Admin(config-ft-group)# no preempt
Note
If you disable preemption by using the no preempt command and a member with
a higher priority is found after the other member has become active, the electing
member becomes the standby member even though it has a higher priority.
Placing an FT Group in Service
Note
Before you place an FT group in service, be sure that you have associated one
context with the FT group and that you have properly configured the two peers.
To place an FT group in service, use the inservice command in FT group
configuration mode. The syntax of this command is:
inservice
For example, to place an FT group in service, enter:
host1/Admin(config-ft-group)# inservice
To take the FT group out of service, enter:
host1/Admin(config-ft-group)# no inservice
Modifying an FT Group
If you need to modify an FT group, perform the following steps in FT group
configuration mode:
1.
Remove the FT group from service by using the no inservice command.
2.
Make the necessary modifications to the FT group.
3.
Place the FT group back in service by using the inservice command.
Note
You can modify the priority, peer priority, and preempt command values
without taking the FT group out of service.
Specifying the Peer Hostname
To specify the hostname of a peer ACE, use the peer hostname command in
configuration mode in the Admin context. For details about this command, see
Chapter 1, Setting Up the ACE.
Specifying the MAC Address Banks for a Shared VLAN
To specify the MAC address banks to be used by the local ACE and the peer ACE
with a shared VLAN (FT VLAN), use the shared-vlan-hostid command and the
peer shared-vlan-hostid command, respectively, in configuration mode in the
Admin context. You configure these commands to prevent MAC address conflicts
between the two peer ACEs. Be sure to select a bank of MAC addresses for the
peer that is different from that used by the local ACE. For details about this
command, see the Cisco 4700 Series Application Control Engine Appliance
Routing and Bridging Configuration Guide.
Forcing a Failover
You may need to cause a switchover when you want to make a particular context
the standby (for example, for maintenance or a software upgrade on the currently
active context). If the standby group member can statefully become the active
member of the FT group, a switchover occurs.
To cause a switchover, use the ft switchover command in Exec mode. To use this
command, you must disable preemption by using the no preempt command. For
information on the preempt command, see the “Configuring Preemption”
section.
When you specify the ft switchover command, there may be brief periods of time
when the configuration mode is enabled on the new active group member to allow
the administrator to make configuration changes. However, any configuration
changes made during this time are not synchronized with the standby group
member and will exist only on the active group member. We recommend that you
refrain from making any configuration changes after you enter the ft switchover
command until the FT states stabilize to Active and Standby_hot. Once the FT
group reaches the steady state of Active and Standby_hot, any configuration
changes performed on the active group member will be incrementally
synchronized to the standby group member, assuming that configuration
synchronization is enabled.
The syntax of the ft switchover command is:
ft switchover [all [force] | force | [group_id [force]]]
The arguments and options are:
•
all—(Optional) Causes a switchover of all FT groups configured in the ACE
simultaneously.
•
force—(Optional) Causes a switchover while ignoring the state of the
standby member. Use this option only when the FT VLAN is down, and confirm
out of band that the former active member is really down or isolated before
you use it, because the ACE cannot verify the peer's state over a failed FT
VLAN.
•
group_id—(Optional) FT group that you want to switch over. Enter the ID of
an existing FT group. The command accepts an integer from 1 to 255, but on the
appliance only group IDs 1 to 20 can be configured (see the “Configuring an
FT Group” section).
The ft switchover command exhibits the following behavior, depending on
whether you enter the command from the Admin context or a user context:
•
Admin context—If you specify an FT group ID, then the FT group specified
by the group ID switches over. If you do not specify a group ID, then the
Admin context switches over.
•
User context—Because you cannot specify an FT group ID in a user context,
the context in which you enter the command switches over.
For example, to cause a failover from the active appliance to the standby appliance
of FT group 1, enter:
host1/Admin# ft switchover 1
This command will cause card to switchover (yes/no)? [no] yes
host1/Admin#
Synchronizing Redundant Configurations
To ensure that the running configurations on both the active and the standby
contexts of an FT group are identical, the ACE automatically synchronizes the
running configurations between the two contexts. After the active context has
accepted either a new configuration or modifications to an existing configuration,
the ACE automatically applies the new configuration or configuration changes to
the standby context.
The ACE supports the following two types of configuration synchronizations:
• Bulk config sync—Synchronizes the entire active context configuration to the
standby context when the peer comes up or when autosynchronization is
enabled
• Dynamic config sync—Synchronizes the configuration applied to the active
context to the standby context if the peer is already up
To enable automatic synchronization of the running-configuration and the
startup-configuration files, use the ft auto-sync command in configuration mode.
Note
If the standby ACE has reached the maximum resource limit for a configuration
object even if some of the configuration objects are not in the redundant context,
if you configure one more object of the same type in the redundant context of the
active ACE, configuration synchronization will fail. For example, suppose that
you have configured two contexts on each ACE (Admin and C1) and the C1
context is the only one in the FT group. On the standby ACE, you have configured
8,192 match source-address statements in the Admin context and in the C1
context for a total of 16,384 match source-address statements (the ACE limit).
When you configure one new match source-address statement on the active ACE
in C1, configuration synchronization will fail, the new match statement will not
be replicated to the standby, and syslog ACE-1-727005 is generated.
If you temporarily disable ft auto-sync running-config on the active ACE (for
example, to test changes to your configuration), when you subsequently reenable
config sync, any changes that you made to the active ACE are duplicated on the
standby ACE. Note that the standby ACE remains in the STANDBY_HOT state
even when config sync is disabled on the active ACE. (For more information about
FT states, see Table 6-2). If you operate the active ACE with config sync disabled
for a prolonged period of time, you must manually duplicate any changes that you
make to the active ACE on the standby ACE to ensure that connection replication
works properly.
Note
If a license mismatch occurs between the two ACEs in a redundant configuration,
the auto-sync command is automatically disabled and a syslog message is
generated.
The syntax of this command is:
ft auto-sync {running-config | startup-config}
The keywords are:
• running-config—Enables autosynchronization of the running-configuration
file. The default is enabled.
• startup-config—Enables autosynchronization of the startup-configuration
file. The default is disabled.
Caution
Toggling ft auto-sync running-config in the Admin context may have
undesirable side effects if the same command is also disabled in an active user
context. If ft auto-sync running-config is disabled in the active Admin context
and in an active user context, and you subsequently enable ft auto-sync
running-config in the active Admin context first, the entire configuration of the
standby user context will be lost. Always enable ft auto-sync running-config in
the active user context first, then enable the command in the active Admin context.
Note
If the config sync fails, the running-configuration file reverts to the
startup-configuration file.
The ACE does not copy or write changes in the running-configuration file to the
startup-configuration file unless you enter the copy running-config
startup-config command or the write memory command for the current context.
To write the contents of the running-configuration file to the startup-configuration
file for all contexts, use the write memory all command. At this time, if the ft
auto-sync startup-config command is enabled, the ACE syncs the
startup-configuration file on the active ACE to the standby ACE.
The ACE does not synchronize the SSL certificates and key pairs that are present
in the active context with the standby context of an FT group. If the ACE performs
a configuration synchronization and does not find the necessary certs and keys on
the standby context, config sync fails and the standby context enters the
STANDBY_COLD state. or more information about FT states, see Table 6-2.
Caution
Do not enter the no inservice command followed by the inservice command on
the active context of an FT group when the standby context is in the
STANDBY_COLD state. Doing so may cause the standby context
running-configuration file to overwrite the active context running-configuration
file.
To copy the certificates and keys to the standby context, you must export the
certificates and keys from the active context to an FTP or TFTP server using the
crypto export command, and then import the certificates and keys to the standby
context using the crypto import command. For more information about
importing and exporting certs and keys, see the Cisco 4700 Series Application
Control Engine Appliance SSL Configuration Guide.
To return the standby context to the STANDBY_HOT state in this case, ensure
that you have imported the necessary SSL certs and keys to the standby context,
and then perform a bulk sync of the active context configuration by entering the
following commands in configuration mode in the active context of the FT group:
1. no ft auto-sync running-config
2. ft auto-sync running-config
For example, to enable autosynchronization of the running-configuration file in
the C1 context, enter:
host1/C1(config)# ft auto-sync running-config
Configuring Tracking and Failure Detection
This section describes the tracking and failure detection feature of the ACE. This
feature allows you to designate certain network items as critical so that, if one or
more items fail, the ACE reduces the priority of the associated active FT group
accordingly. If the priority of the active FT group falls below the priority of the
corresponding FT group on the standby, a switchover occurs.
This section contains the following topics:
• Overview of Tracking and Failure Detection
• Configuring Tracking and Failure Detection for a Host or Gateway
• Configuring Tracking and Failure Detection for an Interface
Overview of Tracking and Failure Detection
The ACE supports the tracking and failure detection of several network items. You
can configure an ACE to track and detect failures in the following items in the
Admin context and any user context:
• Gateways or hosts
• Interfaces
If one of the items that you configure for tracking and failure detection becomes
unresponsive and is associated with the active member of an FT group, by default,
the ACE subtracts a value of 0 from the configured priority of the active member.
If you configure a nonzero value for the tracking priority and the resulting priority
value of the active member is less than that of the standby member, the active
member switches over and the standby member becomes the new active member.
All active flows that exist at the time of the switchover continue uninterrupted on
the new active member of the FT group.
When the failed item comes back up, the ACE increments the priority of the
associated group member by a value of 0 by default. If you configure a non-zero
value for the tracking priority and the resulting priority of the standby member is
greater than the priority of the active member, a switchover occurs back to the
original active group member.
You can configure the unit priority associated with tracked items to be greater than
0. This option allows you to fine tune the switchover scenario so that a switchover
occurs when either all or any of the tracked objects fails.
Note
You must configure preemption for tracking switchover to work. For details on
preemption, see the “Configuring Preemption” section.
For example, suppose that on ACE 1 you configure the active FT group member
with a priority of 100 and on ACE 2 you configure the standby FT group member
with a priority of 70. Assume that you configure the FT group to track three
critical interfaces, each with a unit priority of 15. To trigger a switchover, all three
interfaces must fail so that the priority of the active member is less than the
priority of the standby member (100 – 45 = 55).
To illustrate the “any” scenario, assume the FT group members have the same
individual priorities as in the previous example (100 and 70, respectively).
However, this time you configure the three tracked interfaces, each with a unit
priority of 40. If any one of the interfaces associated with the active member goes
down, then the priority of the active member falls below the priority of the standby
member and a switchover occurs. If that failed interface later returns to service,
the ACE increments the associated group member priority by 40, and a switchover
would occur back to the original active member. To guarantee a switchover if any
tracked item goes down, configure the unit priority on each tracked item equal to
the group member’s priority. In this case, you could configure the unit priority to
be 100.
Configuring Tracking and Failure Detection for a Host or Gateway
This section describes how to configure tracking and failure detection for a
gateway or a host. It contains the following topics:
• Creating a Tracking and Failure Detection Process for a Host or Gateway
• Configuring the Gateway or Host IP Address Tracked by the Active Member
• Configuring a Probe on the Active Member for Host Tracking
• Configuring a Priority on the Active Member for Multiple Probes
• Configuring the Gateway or Host IP Address Tracked by the Standby Member
• Configuring a Probe on the Standby Member for Host Tracking
• Configuring a Priority on the Standby Member for Multiple Probes
• Example of a Tracking Configuration for a Gateway
Creating a Tracking and Failure Detection Process for a Host or Gateway
To create a tracking and failure detection process for a gateway or host, use the ft
track host command in configuration mode. The syntax of this command is:
ft track host name
For the name argument, enter a unique identifier of the tracking process as an
unquoted text string with no spaces and a maximum of 64 alphanumeric
characters.
For example, to create a tracking process for a gateway, enter:
host1/Admin(config)# ft track host TRACK_GATEWAY1
host1/Admin(config-ft-track-host)#
To remove the gateway-tracking process, enter:
host1/Admin(config)# no ft track host TRACK_GATEWAY1
Configuring the Gateway or Host IP Address Tracked by the Active Member
To allow the active member to track a gateway or host, you need to configure the
IP address of the gateway or host. To configure the IP address, use the track-host
command in FT track host configuration mode. The syntax of this command is:
track-host ip_address
The ip_address argument specifies the IP address of the gateway or host that you
want the active FT group member to track. Enter the IP address in dotted-decimal
notation (for example, 192.168.12.101).
For example, to track the gateway located at 192.168.12.101, enter:
host1/Admin(config-ft-track-host)# track-host 192.168.12.101
Configuring a Probe on the Active Member for Host Tracking
Configure one or more probes on the active FT group member to track the health
of the gateway or host. For details about creating probes, see the Cisco 4700
Series Application Control Engine Appliance Server Load-Balancing
Configuration Guide. To associate an existing probe with a gateway or host for
tracking by the active member, use the probe command in FT track host
configuration mode. The syntax of this command is:
probe name priority number
The keyword and arguments are:
• name—Identifier of an existing probe that you want to associate with a
gateway or host for tracking.
• priority number—Specifies the priority of the probe sent by the active
member. Enter an integer from 0 to 255. The default is 0. Higher values
indicate higher priorities. Assign a priority value based on the relative
importance of the gateway or host that the probe is tracking. If the probe goes
down, the ACE decrements the priority of the FT group on the active member
by the value of the number argument. If the resulting priority of the FT group
on the active member is less than the priority of the FT group on the standby
member, a switchover occurs.
Note
If you remove a probe from the active FT group member configuration and you
have not configured a tracking priority for the FT group (see the “Configuring a
Priority on the Active Member for Multiple Probes” section), the ACE increments
the net FT group priority by the priority value of the deleted probe. You cannot
delete a probe from the running-configuration file if the ACE is using the probe
for tracking.
For example, enter:
host1/Admin(config-ft-track-host)# probe TCP_PROBE1 priority 50
To remove the tracking probe from the active member, enter:
host1/Admin(config-ft-track-host)# no probe TCP_PROBE1
Configuring a Priority on the Active Member for Multiple Probes
You can assign a tracking priority that the active member uses when multiple
tracking probes are defined. To assign a priority for multiple probes on the active
member, use the priority command in FT track host configuration mode. The
syntax of this command is:
priority number
The number argument specifies the priority of the probes on the active member.
Enter a priority value as an integer from 0 to 255. The default is 0. Higher values
indicate higher priorities. Assign a priority value based on the relative importance
of the gateway or host that the probes are tracking. If all the probes go down, the
ACE decrements the priority of the FT group on the active member by the value
of the number argument. If the resulting priority of the FT group on the active
member is less than the priority of the FT group on the standby member, a
switchover occurs.
For example, enter:
host1/Admin(config-ft-track-host)# priority 50
To reset the priority to the default value of 0, enter:
host1/Admin(config-ft-track-host)# no priority 50
Configuring the Gateway or Host IP Address Tracked by the Standby Member
To allow the standby member to track a gateway or host, you need to configure
the IP address of the gateway or host. To configure the IP address, use the peer
track-host command in FT track host configuration mode. The syntax of this
command is:
peer track-host ip_address
The ip_address argument specifies the IP address of the gateway or host that you
want the standby FT group member to track. Enter the IP address in
dotted-decimal notation (for example, 172.16.27.1).
For example, to track the gateway located at 172.16.27.1, enter:
host1/Admin(config-ft-track-host)# peer track-host 172.16.27.1
To remove the host tracked by the standby member, enter:
host1/Admin(config-ft-track-host)# no peer track-host 172.16.27.1
Configuring a Probe on the Standby Member for Host Tracking
Configure one or more probes on the standby member to track the health of the
gateway or host. For details about creating probes, see the Cisco 4700 Series
Application Control Engine Appliance Server Load-Balancing Configuration
Guide. To associate an existing probe with a gateway or host for tracking by the
standby member, use the peer probe command in FT track host configuration
mode. The syntax of this command is:
peer probe name priority number
The keyword and arguments are:
• name—Identifier of an existing probe that you want to associate with a
gateway or host for tracking
• priority number—Specifies the priority of the probe sent by the standby
member. Enter an integer from 0 to 255. The default is 0. Higher values
indicate higher priorities. Assign a priority value based on the relative
importance of the gateway or host that the probe is tracking. If the probe goes
down, the ACE decrements the priority of the FT group on the standby
member by the value of the number argument.
For example, enter:
host1/Admin(config-ft-track-host)# peer probe TCP_PROBE1 priority 25
To remove the tracking probe from the standby member, enter:
host1/Admin(config-ft-track-host)# no peer probe TCP_PROBE1
Configuring a Priority on the Standby Member for Multiple Probes
You can configure a tracking priority that the standby member of an FT group uses
when multiple tracking probes are defined. To assign a priority for multiple
probes on the standby member, use the peer priority command in FT track host
configuration mode. The syntax of this command is:
peer priority number
The number argument specifies the priority of the probes configured for the
gateway or host on the standby member. Enter a priority value as an integer from
0 to 255. The default is 0. Higher values indicate higher priorities. Assign a
priority value based on the relative importance of the gateway or host that the
probes are tracking. If all the probes go down, the ACE decrements the priority of
the FT group on the standby member by the value of the number argument.
For example, enter:
host1/Admin(config-ft-track-host)# peer priority 25
To reset the multiple-probe priority to the default value of 0 on the standby
member, enter:
host1/Admin(config-ft-track-host)# no peer priority 25
Example of a Tracking Configuration for a Gateway
The following example demonstrates a tracking configuration for a gateway on
the active member of an FT group:
ft track host TRACK_GATEWAY
track-host 192.161.100.1
probe GATEWAY_TRACK1 priority 10
probe GATEWAY_TRACK2 priority 20
priority 50
In this configuration example, if the GATEWAY_TRACK1 probe goes down, the
ACE reduces the priority of the FT group on the active member by 10. If the
GATEWAY_TRACK2 probe goes down, the ACE reduces the priority of the FT
group on the active member by 20. If both probes go down, the ACE reduces the
priority of the FT group on the active member by 50. If at any time the priority of
the FT group on the active member falls below the priority of the FT group on the
standby member, a switchover occurs.
To configure tracking on the standby member, use the peer commands described
in the “Configuring a Probe on the Standby Member for Host Tracking” and the
“Configuring a Priority on the Standby Member for Multiple Probes” sections.
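The following Python model works through the priority arithmetic of the “all” and “any” interface scenarios in the overview above (active priority 100, standby 70, three tracked interfaces) and of the TRACK_GATEWAY probe example in this section. It is an added example, not code from the Cisco guide; names such as effective_priority, interface_scenario and gateway_priority are the example's own. The guide states that when every probe of a tracked host is down the FT group loses the value of the priority command; the model's rule that individual failed probes are summed when no group-level priority is configured is an assumption.

```python
"""Model of how ACE fault-tolerant (FT) group priorities respond to tracked
items going down.  Added example; it is not code from the Cisco guide."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class TrackedInterface:
    """ft track interface: one VLAN with a unit priority."""
    vlan: int
    priority: int           # value subtracted while the VLAN is down
    up: bool = True


@dataclass
class TrackedHost:
    """ft track host: probes with individual priorities, plus the optional
    group-level `priority` that applies when every probe is down."""
    name: str
    probes: Dict[str, int]                 # probe name -> priority number
    priority: int = 0                      # `priority number`; 0 = not configured
    down: Set[str] = field(default_factory=set)


def host_decrement(host: TrackedHost) -> int:
    """Priority lost because of this host's failed probes."""
    if not host.down:
        return 0
    if host.down == set(host.probes) and host.priority > 0:
        # All probes down: the guide says the FT group loses the value of the
        # `priority` command (50 in its gateway example), not the probe sum.
        return host.priority
    # Assumption: with no group-level priority configured, or with only some
    # probes down, each failed probe's own priority is subtracted.
    return sum(host.probes[p] for p in host.down)


def effective_priority(base: int, interfaces: List[TrackedInterface],
                       hosts: List[TrackedHost]) -> int:
    """Configured FT group priority minus every tracking decrement."""
    total = base
    total -= sum(i.priority for i in interfaces if not i.up)
    total -= sum(host_decrement(h) for h in hosts)
    return total


def switchover_occurs(active_priority: int, standby_priority: int,
                      preempt: bool = True) -> bool:
    """A tracking switchover needs preemption and an active priority strictly
    below the standby's priority."""
    return preempt and active_priority < standby_priority


def interface_scenario(unit_priority: int, failed: int,
                       active: int = 100, standby: int = 70) -> bool:
    """Guide scenario: three tracked interfaces, `failed` of them down."""
    vlans = [TrackedInterface(vlan=v, priority=unit_priority)
             for v in (100, 101, 102)]
    for intf in vlans[:failed]:
        intf.up = False
    return switchover_occurs(effective_priority(active, vlans, []), standby)


def gateway_priority(down: Set[str], active: int = 100) -> int:
    """Guide's TRACK_GATEWAY example: probes worth 10 and 20, priority 50."""
    gw = TrackedHost("TRACK_GATEWAY",
                     {"GATEWAY_TRACK1": 10, "GATEWAY_TRACK2": 20},
                     priority=50, down=set(down))
    return effective_priority(active, [], [gw])


if __name__ == "__main__":
    print("15 each, 2 down:", interface_scenario(15, 2))   # False (70 is not < 70)
    print("15 each, 3 down:", interface_scenario(15, 3))   # True  (100 - 45 = 55)
    print("40 each, 1 down:", interface_scenario(40, 1))   # True  (60 < 70)
    print("gateway, one probe down:", gateway_priority({"GATEWAY_TRACK1"}))  # 90
    print("gateway, both down:",
          gateway_priority({"GATEWAY_TRACK1", "GATEWAY_TRACK2"}))           # 50
```

With unit priority 15, two interface failures leave the active member at exactly 70, which equals rather than falls below the standby, so no switchover occurs until the third fails; with unit priority 40, one failure is enough. Setting preempt to False models the note that tracking switchover requires preemption.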
Configuring Tracking and Failure Detection for an Interface
This section describes the commands that you enter to configure tracking and
failure detection for an interface. It contains the following topics:
• Creating a Tracking and Failure Detection Process for an Interface
• Configuring the Interface Tracked by the Active Member
• Configuring a Priority for a Tracked Interface on the Active Member
• Configuring the Interface Tracked by the Standby Member
• Configuring a Priority for a Tracked Interface on the Standby Member
• Example of a Tracking Configuration for an Interface
Creating a Tracking and Failure Detection Process for an Interface
To create a tracking and failure detection process for an interface, use the ft track
interface command in configuration mode. The syntax of this command is:
ft track interface name
For the name argument, enter a unique identifier for the tracking process as an
unquoted text string with no spaces and a maximum of 64 alphanumeric
characters.
Note
You cannot delete an interface if the ACE is using the interface for tracking. Also,
you cannot configure the FT VLAN for tracking.
For example, enter:
host1/Admin(config)# ft track interface TRACK_VLAN100
To remove the interface-tracking process, enter:
host1/Admin(config)# no ft track interface TRACK_VLAN100
Configuring the Interface Tracked by the Active Member
To configure the interface that you want the active member to track, use the
track-interface vlan command in FT track interface configuration mode. The
syntax of this command is:
track-interface vlan vlan_id
For the vlan_id argument, enter the VLAN ID of an existing VLAN configured on
the active member as an integer from 2 to 4094.
For example, to track the critical interface VLAN 100, enter:
host1/Admin(config-ft-track-intf)# track-interface vlan 100
To remove VLAN 100 from the tracking process, enter:
host1/Admin(config-ft-track-intf)# no track-interface vlan 100
Configuring a Priority for a Tracked Interface on the Active Member
To assign a priority to the interface that the active member is tracking, use the
priority command in FT track interface configuration mode. The syntax of this
command is:
priority number
The number argument specifies the priority of the interface on the active member.
Enter a priority value as an integer from 0 to 255. The default is 0. Higher values
indicate higher priorities. Assign a priority value based on the relative importance
of the interface that you are tracking.
If the tracked interface goes down, the ACE decrements the priority of the FT
group on the active member by the value of the number argument. If the priority
of the FT group on the active member falls below the priority of the FT group on
the standby member, a switchover occurs.
For example, enter:
host1/Admin(config-ft-track-intf)# priority 50
To reset the interface priority on the active member to the default value of 0, enter:
host1/Admin(config-ft-track-intf)# no priority 50
Configuring the Interface Tracked by the Standby Member
To configure the interface that you want the standby member to track, use the peer
track-interface vlan command in FT track interface configuration mode. The
syntax of this command is:
peer track-interface vlan vlan_id
For the vlan_id argument, enter the VLAN ID of an existing VLAN configured on
the standby member as an integer from 2 to 4094.
For example, to track the critical interface VLAN 200, enter:
host1/Admin(config-ft-track-intf)# peer track-interface vlan 200
To remove VLAN 200 from the tracking process, enter:
host1/Admin(config-ft-track-intf)# no peer track-interface vlan 200
Configuring a Priority for a Tracked Interface on the Standby Member
To assign a priority to the tracked interface that the standby member is tracking,
use the peer priority command in FT track interface configuration mode. The
syntax of this command is:
peer priority number
The number argument specifies the priority of the interface on the standby
member. Enter a priority value as an integer from 0 to 255. The default is 0. Higher
values indicate higher priorities. Assign a priority value based on the relative
importance of the interface that you are tracking.
If the tracked interface goes down, the ACE decrements the priority of the FT
group on the standby member by the value of the number argument. If the priority
of the FT group on the active member falls below the priority of the FT group on
the standby member, a switchover occurs.
For example, enter:
host1/Admin(config-ft-track-intf)# peer priority 25
To reset the interface priority on the standby member to the default value of 0,
enter:
host1/Admin(config-ft-track-intf)# no peer priority 25
Example of a Tracking Configuration for an Interface
The following example demonstrates a tracking configuration for an interface on
the active member of an FT group:
ft track interface TRACK_VLAN100
track-interface vlan 100
priority 50
In the above configuration example, if VLAN 100 goes down, the ACE reduces
the priority of the FT group on the active member by 50. If at any time the priority
of the FT group on the active member falls below the priority of the FT group on
the standby member, a switchover occurs.
To configure tracking on the standby member, use the peer commands described
in the “Configuring the Interface Tracked by the Standby Member” and the
“Configuring a Priority for a Tracked Interface on the Standby Member” sections.
Example of a Redundancy Configuration
The following example illustrates a running-configuration that defines fault
tolerance (FT) for a single ACE appliance operating in a redundancy
configuration. You must configure a maximum of two ACE appliances (peers) for
redundancy to failover from the active appliance to the standby appliance.
Note
All FT parameters are configured in the Admin context.
This configuration addresses the following redundancy components:
• A dedicated FT VLAN for communication between the members of an FT
group. You must configure this same VLAN on both peer appliances.
• An FT peer definition.
• An FT group that is associated with the Admin context.
• A critical tracking and failure detection process for an interface.
The redundancy configuration appears in bold in the example.
hostname ACE_Appliance_1
interface gigabitEthernet 1/2
  speed 1000M
  duplex FULL
  ft-port vlan 200
  no shutdown
access-list ACL1 line 10 extended permit ip any any
class-map type management match-any L4_REMOTE-MGT_CLASS
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any
  7 match protocol snmp any
  8 match protocol xml-https any
policy-map type management first-match L4_REMOTE-MGT_POLICY
  class L4_REMOTE-MGT_CLASS
    permit
interface vlan 100
  ip address 192.168.83.219 255.255.255.0
  peer ip address 192.168.83.230 255.255.255.0
  alias 192.168.83.200 255.255.255.0
  access-group input ACL1
  service-policy input L4_REMOTE-MGT_POLICY
  no shutdown
ft interface vlan 200
  ip address 192.168.1.1 255.255.255.0
  peer ip address 192.168.1.2 255.255.255.0
  no shutdown
ft peer 1
  ft-interface vlan 200
  heartbeat interval 300
  heartbeat count 10
ft group 1
  peer 1
  priority 200
  associate-context Admin
  inservice
ft track interface TRACK_VLAN100
  track-interface vlan 100
  peer track-interface vlan 200
  priority 50
  peer priority 5
ip route 0.0.0.0 0.0.0.0 192.168.83.1
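The following Python script is an added example, not code from the Cisco guide or the ACE software. It lints a constructed redundancy configuration (modeled on the example above, with an added ft track host block and a deliberately out-of-range priority) against the limits this chapter states: FT group IDs from 1 to 255, tracked VLAN IDs from 2 to 4094, priorities from 0 to 255, tracking-process names of at most 64 characters, a dotted-decimal track-host address, and the note that the FT VLAN cannot be configured for tracking. The names lint, ft_vlans and SAMPLE_CONFIG are the example's own; allowing underscores in tracking names follows the guide's own names such as TRACK_VLAN100 and is an assumption. Run on the sample, the checks flag the peer-tracked VLAN 200, because that VLAN is also the FT VLAN, and the priority of 300.

```python
"""Lint an ACE redundancy configuration against the limits this chapter
states.  Added example; it is not code from the Cisco guide."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample, modeled on the guide's redundancy example with an added
# ft track host block; it is not a live configuration.
SAMPLE_CONFIG = """\
hostname ACE_Appliance_1
interface gigabitEthernet 1/2
  ft-port vlan 200
  no shutdown
interface vlan 100
  ip address 192.168.83.219 255.255.255.0
  peer ip address 192.168.83.230 255.255.255.0
  no shutdown
ft interface vlan 200
  ip address 192.168.1.1 255.255.255.0
  peer ip address 192.168.1.2 255.255.255.0
  no shutdown
ft peer 1
  ft-interface vlan 200
  heartbeat interval 300
  heartbeat count 10
ft group 1
  peer 1
  priority 200
  associate-context Admin
  inservice
ft track interface TRACK_VLAN100
  track-interface vlan 100
  peer track-interface vlan 200
  priority 50
  peer priority 5
ft track host TRACK_GATEWAY1
  track-host 192.168.83.1
  probe TCP_PROBE1 priority 50
  priority 300
"""

Finding = Tuple[int, str]   # (line number, message)


def ft_vlans(config: str) -> set:
    """VLAN IDs declared as FT VLANs with `ft interface vlan`."""
    return {int(m.group(1))
            for m in re.finditer(r"^\s*ft interface vlan (\d+)", config, re.M)}


def lint(config: str) -> List[Finding]:
    """Return every line that violates a limit stated in the chapter."""
    findings: List[Finding] = []
    reserved = ft_vlans(config)
    mode = ""                      # last non-indented (mode-entering) command
    for num, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            mode = line
            m = re.fullmatch(r"ft group (\d+)", line)
            if m and not 1 <= int(m.group(1)) <= 255:
                findings.append((num, "FT group ID must be 1 to 255"))
            m = re.fullmatch(r"ft track (?:interface|host) (\S+)", line)
            # Assumption: underscores are allowed, as in the guide's own names.
            if m and (len(m.group(1)) > 64
                      or not re.fullmatch(r"[A-Za-z0-9_]+", m.group(1))):
                findings.append((num, "tracking name: max 64 alphanumeric chars"))
            continue
        if not mode.startswith("ft track "):
            continue               # only FT track sub-modes are checked
        m = re.fullmatch(r"(?:peer )?track-interface vlan (\d+)", line)
        if m:
            vlan = int(m.group(1))
            if not 2 <= vlan <= 4094:
                findings.append((num, f"VLAN {vlan} outside 2 to 4094"))
            if vlan in reserved:
                findings.append((num, f"VLAN {vlan} is the FT VLAN and cannot be tracked"))
        m = re.fullmatch(r"(?:peer )?(?:probe \S+ )?priority (\d+)", line)
        if m and not 0 <= int(m.group(1)) <= 255:
            findings.append((num, f"priority {m.group(1)} outside 0 to 255"))
        m = re.fullmatch(r"(?:peer )?track-host (\S+)", line)
        if m:
            try:
                ipaddress.IPv4Address(m.group(1))
            except ValueError:
                findings.append((num, f"track-host {m.group(1)} is not dotted-decimal"))
    return findings


if __name__ == "__main__":
    for num, msg in lint(SAMPLE_CONFIG):
        print(f"line {num}: {msg}")
```

The script relies on the running-config indentation to know which sub-mode a line belongs to, so `priority 200` under `ft group 1` is left alone while `priority 300` under `ft track host` is reported; correcting the two flagged lines yields an empty finding list.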
Displaying Redundancy Information
This section describes how you can use the show commands to display
configuration information and statistics for your redundancy configuration and
contains the following topics:
• Displaying Redundancy Configurations
• Displaying FT Group Information
• Displaying the IDMAP Table
• Displaying the Redundancy Internal Software History
• Displaying Memory Statistics
• Displaying Peer Information
• Displaying FT Statistics
• Displaying FT Tracking Information
Displaying Redundancy Configurations
To display redundancy configurations, use the show running-config ft command
in Exec mode. The syntax of this command is:
show running-config ft
For example, enter:
host1/Admin# show running-config ft
Displaying FT Group Information
To display redundancy statistics per context, use the show ft group command in
Exec mode. The syntax of this command is:
show ft group {brief | {[group_id]{detail | status | summary}}}
The keywords and options are:
• brief—Displays the group ID, local state, peer state, context name, and
context ID of all the FT groups that are configured in the ACE.
• group group_id—Displays FT group statistics for the specified FT group. In
the Admin context, this keyword displays statistics for all FT groups in the
ACE. Also, in the Admin context, you can specify an FT group number to
display statistics for an individual group. In a user context, this keyword
displays statistics only for the FT group to which the user context belongs.
• detail—Displays detailed information for all FT groups or the specified FT
group.
• status—Displays the current operating status for all FT groups or the
specified FT group.
• summary—Displays summary information for all FT groups or the specified
FT group.
For example, enter:
host1/Admin# show ft group group1 detail
Table 6-2 describes the fields in the show ft group command output.
Table 6-2
Field Descriptions for the show ft group Command Output
Field
Description
FT Group
FT group identifier.
No. of Contexts
Number of contexts associated with the FT group.
Context Name
Name of the context associated with the FT group.
Context ID
Identifier of the context associated with the FT group.
Configured Status
Configured state of the FT group. Possible states are the
in-service or out-of-service states.
Cisco 4700 Series Application Control Engine Appliance Administration Guide
6-44
OL-16198-01
Chapter 6
Configuring Redundant ACE Appliances
Displaying Redundancy Information
Table 6-2
Field Descriptions for the show ft group Command Output
(continued)
Field
Description
Maintenance
Mode
Current maintenance mode of the local context in an FT
group. Applications can turn on maintenance mode when
there is an inability to communicate with the peer, license
mismatches, too many application errors, and so on.
Possible states are:
•
MAINT_MODE_OFF—Maintenance mode is turned
off.
•
MAINT_MODE_PARTIAL— All standby contexts
transition to the FSM_FT_STATE_STANDBY_COLD
state (see the “My State” field description). The ACE
enters this mode if configuration synchronization fails.
•
MAINT_MODE_FULL—All contexts on the ACE
become nonredundant causing their peer contexts to
become active. The ACE enters this mode just before
you reboot the appliance and is used primarily when
you upgrade the ACE software.
My State
State of the FT group member in the local ACE. Possible
states are:
•
FSM_FT_STATE_INIT—Configuration for the FT
group exists but the group is not in service. This is the
initial state for each member (local and peer) of an FT
group.
•
FSM_FT_STATE_ELECT—When you configure the
inservice command for an FT group, the local group
member enters this state. Through the election process,
the local context negotiates with its peer context in the
FT group to determine their states. One member enters
the ACTIVE state and the other member enters the
STANDBY_CONFIG state.
•
FSM_FT_STATE_ACTIVE—Local member of the FT
group is active and processing flows.
•
FSM_FT_STATE_STANDBY_COLD—State that
indicates if the FT VLAN is down but the peer device
is still alive, or the configuration or application state
synchronization failed. When a context is in this state
and a switchover occurs, the transition to the ACTIVE
state is stateless.
•
FSM_FT_STATE_STANDBY_CONFIG—Local
standby context is waiting to receive configuration
information from its active peer context in the FT
group. The active peer context receives a notification
to send a snapshot of its running-configuration file to
the local standby context.
•
FSM_FT_STATE_STANDBY_BULK—Local
standby context is waiting to receive state information
from its active peer context. The active peer context
receives a notification to send a snapshot of the current
state information for all applications to the standby
context.
•
FSM_FT_STATE_STANDBY_HOT—Local standby
context has all the state information it needs to
statefully assume the active state if a switchover
occurs.
•
FSM_FT_STATE_STANDBY_WARM—State used
when upgrading or downgrading the ACE software.
When you upgrade or downgrade the ACE from one
software version to another, there is a point in the
process when the two ACEs have different software
versions and, therefore, a CLI incompatibility.
When the software versions are different while
upgrading or downgrading, the STANDBY_WARM
state allows the configuration and state
synchronization process to continue on a best-effort
basis, which means that the active ACE will continue
to synchronize configuration and state information to
the standby even though the standby may not recognize
or understand the CLI commands or state information.
This standby state allows the standby ACE to come up
with best-effort support. In the STANDBY_WARM
state, as with the STANDBY_HOT state, the
configuration mode is disabled and configuration and
state synchronization continues. A failover from the
active to the standby based on priorities and preempt
can still occur while the standby is in the
STANDBY_WARM state.
My Config Priority
Priority configured on the FT group in the local ACE.
My Net Priority
Priority of the FT group equal to the configured priority
minus the priority of the FT tracking failures if any.
My Preempt
Preemption value of the FT group in the local ACE.
Possible values are Enabled or Disabled.
Peer State
State of the FT group in the remote ACE. For possible state
values, see the “My State” field description.
Peer Config Priority
Priority configured for the FT group in the remote ACE.
Peer Net Priority
Priority of the FT group in the remote ACE computed from
the configured priority and the priority of the FT tracking
failures.
Peer Preempt
Preemption value of the FT group in the remote ACE.
Possible values are Enabled or Disabled.
Peer ID
FT peer identifier.
Last State Change Time
Time and date that the peer last changed from the active to
standby state, or standby to active state.
Running Cfg Sync Enabled
Configured state of config sync for the running-config.
Possible values are Enabled or Disabled.
Running Cfg Sync Status
Current status of config sync for the running-config. For
example: Running configuration sync has completed.
Startup Cfg Sync Enabled
Configured state of config sync for the startup-config.
Possible values are Enabled or Disabled.
Startup Cfg Sync Status
Current status of config sync for the startup-config. For
example: Startup configuration sync is disabled.
Bulk Sync Done for ARP
Number of “bulk synchronization done” messages received
on the standby ACE during state synchronization from the
ARP module in the control plane.
Bulk Sync Done for LB
Number of “bulk synchronization done” messages received
on the standby ACE during state synchronization from the
load balancer (LB) module in the data plane.
Bulk Sync Done for ICM
Number of “bulk synchronization done” messages received
on the standby ACE during state synchronization from the
input connection manager (ICM) module in the data plane.
Displaying the IDMAP Table
The IDMAP table contains a list of the local ACE to peer (standby) ACE ID
mappings for each of the seven object types in the ACE. The local ID and the peer
ID for each object type may or may not be the same, but the mappings (local ID
to peer ID) should be the same on both the active ACE and the standby ACE. The
ACE uses these mappings for configuration synchronization and state replication.
To display the IDMAP table, use the show ft idmap command in Exec mode. The
syntax of this command is as follows:
show ft idmap
Table 6-3 lists the IDMAP table object types available in the ACE.
Table 6-3
ACE Object Types in the IDMAP Table
Object Type
Object Name
0
REAL ID
1
RSERVER ID
2
SERVERFARM ID
3
POLICY ID
4
STICKY GROUP ID
5
IF ID
6
CONTEXT ID
For example, enter:
host1/Admin# show ft idmap
Displaying the Redundancy Internal Software History
To display the redundancy internal software history, use the show ft history
command in Exec mode. The syntax of this command is:
show ft history {cfg_cntlr | ha_dp_mgr | ha_mgr}
The keywords and options are:
•
cfg_cntlr—Displays the configuration controller debug log
•
ha_dp_mgr—Displays the high availability (HA) dataplane manager debug
log
•
ha_mgr—Displays the HA manager debug log
For example, enter:
host1/Admin# show ft history cfg_cntlr
Displaying Memory Statistics
To display redundancy memory statistics per context, use the show ft memory command
in Exec mode. The syntax of this command is:
show ft memory [detail]
The optional detail keyword displays detailed HA manager memory statistics in
the Admin context only.
For example, enter:
host1/Admin# show ft memory detail
Displaying Peer Information
To display peer information, use the show ft peer command in Exec mode. The
syntax of this command is:
show ft peer peer_id {detail | status | summary}
The keywords and arguments are:
•
peer_id—Unique identifier of the remote peer
•
detail—Displays detailed peer information
•
status—Displays the current operating status of the peer
•
summary—Displays summary peer information
For example, enter:
host1/Admin# show ft peer 1
Table 6-4 describes the fields in the show ft peer command output.
Table 6-4
Field Descriptions for the show ft peer Command Output
Field
Description
Peer ID
Identifier of the remote context in the FT group.
State
Current state of the peer. Possible states are:
FSM_PEER_STATE_INIT—Initial state of the peer after
you configure it.
FSM_PEER_STATE_MY_IPADDR—Local ACE IP
address is missing. Waiting for the local IP address to be
configured.
FSM_PEER_STATE_PEER_IPADDR—Peer IP address is
missing. Waiting for the peer IP address to be configured.
FSM_PEER_STATE_START_HB—Peer configuration is
complete. Starting the heartbeat to see if there is a peer
device.
FSM_PEER_STATE_TL_SETUP—Heartbeat has detected
the presence of the peer device. Redundancy is in the process
of establishing a TCP connection to the peer. This
connection carries configuration data, application state
information, and redundancy protocol packets.
FSM_PEER_STATE_SRG_CHECK—Checking for
software version compatibility with the peer device.
FSM_PEER_STATE_LIC_CHECK—Checking for license
compatibility with the peer device.
FSM_PEER_STATE_COMPATIBLE—Version and license
checks indicate that the peer is compatible for redundancy.
FSM_PEER_STATE_FT_VLAN_DOWN—FT VLAN is
down, but, through the query interface, the local ACE has
determined that the peer is still alive.
FSM_PEER_STATE_DOWN—Peer device is down.
FSM_PEER_STATE_ERROR—Status of whether an error
has occurred with the peer. Possible errors are version
mismatch, license mismatch, or failure to establish a TCP
connection to the peer. A syslog message appears with more
detailed information.
Maintenance Mode
Current maintenance mode of the peer context in an FT
group. Applications can turn on maintenance mode when
there is an inability to communicate with the peer, license
mismatches, too many application errors, and so on.
Possible states are:
•
MAINT_MODE_OFF—Maintenance mode is turned
off.
•
MAINT_MODE_PARTIAL—All standby contexts
transition to the STANDBY_COLD state. The ACE
enters this mode if configuration synchronization fails.
•
MAINT_MODE_FULL—All contexts on the ACE
become nonredundant causing their peer contexts to
become active. The ACE enters this mode just before
you reboot the appliance and is used primarily when you
upgrade the ACE software.
FT VLAN
Number of the interface configured as the FT VLAN or Not
Configured.
FT VLAN IF State
Current status of the FT VLAN interface. Possible states are
UP or DOWN.
My IP Addr
IP address of the local ACE.
Peer IP Addr
IP address of the peer ACE.
Query VLAN
Identifier of the interface configured as the query VLAN or
Not Configured.
Query VLAN IF State
Current status of the Query VLAN interface (if configured).
Possible states are UP or DOWN.
Peer Query IP Addr
IP address of the query interface used to obtain the state of
the peer’s health when the FT VLAN is down.
Heartbeat interval
Time in seconds that the ACE waits between sending
heartbeat packets.
Heartbeat Count
Number of missed heartbeats that an ACE must detect before
declaring the peer down.
Tx Packets
Total number of packets that the local ACE sent to the peer.
Tx Bytes
Total number of bytes that the local ACE sent to the peer.
Rx Packets
Total number of packets that the local ACE received from
the peer.
Rx Bytes
Total number of bytes that the local ACE received from the
peer.
Rx Error Bytes
Total number of error bytes that the local ACE received from
the peer.
Tx Keepalive Packets
Total number of keepalive packets that the local ACE sent to
the peer.
Rx Keepalive Packets
Total number of keepalive packets that the local ACE
received from the peer.
TL_CLOSE Count
Number of Transport Layer close events (TL_CLOSE)
received on the redundant TCP connection from the TL
driver.
FT_VLAN_DOWN Count
Number of times that the FT VLAN was unavailable.
PEER_DOWN Count
Number of times that the remote ACE was unavailable.
SRG Compatibility
Status of whether the software version of the local ACE and
the software version of the peer ACE are compatible.
Possible states are the INIT, COMPATIBLE, or
INCOMPATIBLE state.
License Compatibility
Status of whether the license of the local ACE and the
license of the peer ACE are compatible. Possible states are
the INIT, COMPATIBLE, or INCOMPATIBLE state.
FT Groups
Number of FT groups.
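The fields in Tables 6-2 and 6-4 are what an operator reads after a change or an incident to decide whether a failover would actually be stateful. The following Python is an added example, not Cisco code and not real ACE output: it parses show ft group and show ft peer output and reports the degraded conditions the two tables describe, such as a standby in STANDBY_COLD (a switchover would be stateless), a net priority lowered by tracking failures, a peer whose SRG or license check is INCOMPATIBLE, a maintenance mode other than MAINT_MODE_OFF, and a higher-priority preempting peer that is about to take over. The "Field : value" line layout and the sample output are assumptions constructed for this example; check them against a real appliance before relying on the parser.

```python
"""Health check over show ft peer / show ft group output. Added example, not
Cisco code: assumes each output line reads "Field : value" with the field
names of Tables 6-2 and 6-4; the sample output below is constructed."""
import re

SAMPLE_PEER = """\
Peer ID               : 1
State                 : FSM_PEER_STATE_COMPATIBLE
Maintenance Mode      : MAINT_MODE_OFF
FT VLAN IF State      : UP
Heartbeat interval    : 300
Heartbeat Count       : 10
FT_VLAN_DOWN Count    : 2
SRG Compatibility     : COMPATIBLE
License Compatibility : INCOMPATIBLE
"""
SAMPLE_GROUP = """\
FT Group              : 1
Configured Status     : in-service
Maintenance Mode      : MAINT_MODE_OFF
My State              : FSM_FT_STATE_ACTIVE
My Config Priority    : 110
My Net Priority       : 90
My Preempt            : Enabled
Peer State            : FSM_FT_STATE_STANDBY_COLD
Peer Config Priority  : 100
Peer Net Priority     : 100
Peer Preempt          : Enabled
"""
_LINE = re.compile(r"^\s*(?P<field>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")
ACTIVE = "FSM_FT_STATE_ACTIVE"
STANDBY_MEANING = {  # what a switchover would look like (Table 6-2, My State)
    "FSM_FT_STATE_STANDBY_HOT": None,  # fully synchronized: stateful failover
    "FSM_FT_STATE_STANDBY_COLD": "standby is COLD: a switchover would be stateless",
    "FSM_FT_STATE_STANDBY_WARM": "standby is WARM: versions differ, sync is best-effort",
    "FSM_FT_STATE_STANDBY_CONFIG": "standby is still waiting for configuration sync",
    "FSM_FT_STATE_STANDBY_BULK": "standby is still waiting for bulk state sync",
}

def parse_fields(text: str) -> dict:
    """Map lower-cased field names to values for every 'Field : value' line."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group("field").lower()] = m.group("value")
    return fields

def _int(fields: dict, name: str) -> int:
    return int(fields.get(name, "0") or 0)

def peer_down_window(fields: dict) -> int:
    """Silence tolerated before the peer is declared down: interval x count."""
    return _int(fields, "heartbeat interval") * _int(fields, "heartbeat count")

def check_peer(fields: dict) -> list:
    """Problems in show ft peer output; an empty list means the peer is healthy."""
    findings = []
    state = fields.get("state", "")
    if state != "FSM_PEER_STATE_COMPATIBLE":
        findings.append(f"peer state is {state or 'unknown'}: redundancy not established")
    if fields.get("maintenance mode", "MAINT_MODE_OFF") != "MAINT_MODE_OFF":
        findings.append(f"peer is in {fields['maintenance mode']}")
    for name in ("srg compatibility", "license compatibility"):
        if fields.get(name, "INIT") != "COMPATIBLE":
            findings.append(f"{name} is {fields.get(name, 'INIT')}")
    if fields.get("ft vlan if state", "DOWN") != "UP":
        findings.append("FT VLAN interface is not UP")
    for counter in ("tl_close count", "ft_vlan_down count", "peer_down count"):
        if _int(fields, counter):
            findings.append(f"{counter} is {_int(fields, counter)}: link or peer has flapped")
    return findings

def check_group(fields: dict) -> list:
    """Problems in show ft group output; an empty list means the group is healthy."""
    findings = []
    if fields.get("configured status", "").lower() != "in-service":
        findings.append("FT group is not in service")
    if fields.get("maintenance mode", "MAINT_MODE_OFF") != "MAINT_MODE_OFF":
        findings.append(f"local context is in {fields['maintenance mode']}")
    me, peer = fields.get("my state", ""), fields.get("peer state", "")
    if me == ACTIVE and peer == ACTIVE:
        findings.append("both members report ACTIVE")
    elif ACTIVE not in (me, peer):
        findings.append("no member of the FT group is ACTIVE")
    else:
        standby = peer if me == ACTIVE else me
        reason = STANDBY_MEANING.get(standby, f"unexpected standby state {standby}")
        if reason:
            findings.append(reason)
    cfg, net = _int(fields, "my config priority"), _int(fields, "my net priority")
    if net < cfg:  # Net Priority = Config Priority minus tracking failures
        findings.append(f"tracking failures lowered local priority from {cfg} to {net}")
    peer_net = _int(fields, "peer net priority")
    if me == ACTIVE and peer_net > net and fields.get("peer preempt") == "Enabled":
        findings.append(f"peer net priority {peer_net} > local {net} with preempt: switchover expected")
    return findings
```

Run check_peer(parse_fields(...)) and check_group(parse_fields(...)) over saved output from both appliances, since each side reports its own view. peer_down_window returns interval times count in whatever unit the appliance prints for the heartbeat interval; it is the longest silence the peer tolerates before the PEER_DOWN counter increments.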
Displaying FT Statistics
To display FT heartbeat statistics and, for a specified FT group, load-balancing
replication statistics, use the show ft stats command in Exec mode. The
syntax of this command is:
show ft stats group_id
The group_id argument displays additional load-balancing statistics (LB
statistics) for the specified group.
For example, enter:
host1/Admin# show ft stats 1
Table 6-5 describes the fields in the show ft stats command output.
Table 6-5
Field Descriptions for the show ft stats Command Output
Field
Description
HA Heartbeat Statistics
Number of Heartbeats Sent
Total number of heartbeat packets sent by the local ACE.
Number of Heartbeats Received
Total number of heartbeat packets received by the local
ACE.
Number of Heartbeats Missed
Total number of heartbeat intervals that transpired with no
heartbeats received.
Number of Unidirectional HBs Received
Number of heartbeats (HBs) received by the local peer that
indicate the remote peer is not receiving HBs. The remote
peer is sending heartbeats, but not receiving any.
Note
Both peer appliances send heartbeat packets and each packet
indicates whether the other peer has been receiving heartbeats.
Number of HB Timeout Mismatches
Number of times that the local peer received a heartbeat
(HB) from the remote peer with a mismatched heartbeat
interval. If the heartbeat intervals do not match, a peer
adjusts its interval to the lower of the two intervals.
Note
The heartbeat interval should be the same on both peer
appliances. Each heartbeat packet carries the configured
interval. When a peer receives a heartbeat packet, it checks
whether the interval in the packet matches the interval
configured locally.
Num of Peer Up Events Sent
Number of times that the local ACE sent a Peer Up message
to the remote ACE.
Num of Peer Down Events Sent
Number of times that the local ACE sent a Peer Down
message to the remote ACE.
Successive HBs Miss Intervals Counter
Number of successive heartbeat misses detected by the
heartbeat module.
Successive Uni HBs Recv Counter
Number of successive unidirectional heartbeats received by
the heartbeat module.
LB Stats for FT Group N
Send-side Stats
Number of Sticky Entries Shared
Number of sticky database entries that the local ACE sent to
the remote ACE.
Number of Replication Packets Sent
Number of packets that contain replication information that
the local ACE sent to the remote ACE.
Number of Send Failures
Number of times that the local ACE attempted to send
packets to the remote ACE but failed.
Receive-side Stats
Number of Sticky Entries Dropped
Number of sticky database entries that the remote ACE sent
to the local ACE but that the local ACE discarded.
Number of Replication Packets Received
Number of packets that contain replication information that
the local ACE received from the remote ACE.
Number of Receive Failures
Number of times that the remote ACE sent packets to the
local ACE but the local ACE failed to receive them.
Displaying FT Tracking Information
To display tracking information, use the show ft track command in Exec mode.
The syntax of this command is:
show ft track {detail | status | summary}
The keywords and arguments are:
•
detail—Displays detailed tracking information
•
status—Displays the current operating status of the FT groups and their
tracked objects, plus additional information
•
summary—Displays summary tracking information
For example, enter:
host1/Admin# show ft track detail
Table 6-6 describes the fields in the show ft track command output.
Table 6-6
Field Descriptions for the show ft track Command Output
Field
Description
FT Group
FT group identifier.
Status
Configured state of the FT group. Possible states are the
in-service or out-of-service state.
Maintenance Mode
Current maintenance mode of the local context in an FT
group. Applications can turn on maintenance mode when
there is an inability to communicate with the peer, license
mismatches, too many application errors, and so on.
Possible states are:
•
MAINT_MODE_OFF—Maintenance mode is turned
off.
•
MAINT_MODE_PARTIAL—All standby contexts
transition to the FSM_FT_STATE_STANDBY_COLD
state (see the “My State” field description). The ACE
enters this mode if configuration synchronization fails.
•
MAINT_MODE_FULL—All contexts on the ACE
become nonredundant causing their peer contexts to
become active. The ACE enters this mode just before
you reboot the appliance and is used primarily when
you upgrade the ACE software.
My State
State of the FT group member in the local ACE. Possible
states are:
•
FSM_FT_STATE_INIT—Initial state for each
member (local and peer) of an FT group. The
configuration for the FT group exists but the group is
not yet in service.
•
FSM_FT_STATE_ELECT—State that the local group
member enters when you configure the inservice
command for an FT group. Through the election
process, the local context negotiates with its peer
context in the FT group to determine their states. One
member enters the ACTIVE state and the other
member enters the STANDBY_CONFIG state.
•
FSM_FT_STATE_ACTIVE—State that indicates that
the local member of the FT group is active and
processing flows.
•
FSM_FT_STATE_STANDBY_COLD—State that
indicates if either the FT VLAN is down but the peer
device is still alive, or the configuration or application
state synchronization failed. When a context is in this
state and a switchover occurs, the transition to the
ACTIVE state is stateless.
•
FSM_FT_STATE_STANDBY_CONFIG—State that
indicates that the local standby context is waiting to
receive configuration information from its active peer
context in the FT group. The active peer context
receives a notification to send a snapshot of its
running-configuration file to the local standby context.
•
FSM_FT_STATE_STANDBY_BULK—State that
indicates that the local standby context is waiting to
receive state information from its active peer context.
The active peer context receives a notification to send
a snapshot of the current state information for all
applications to the standby context.
•
FSM_FT_STATE_STANDBY_HOT—State that
indicates that the local standby context has all the state
information it needs to statefully assume the active
state if a switchover occurs.
•
FSM_FT_STATE_STANDBY_WARM—State used
when upgrading or downgrading the ACE software.
When you upgrade or downgrade the ACE from one
software version to another, there is a point in the
process when the two ACEs have different software
versions and, therefore, a CLI incompatibility.
When the software versions are different while
upgrading or downgrading, the STANDBY_WARM
state allows the configuration and state
synchronization process to continue on a best-effort
basis, which means that the active ACE will continue
to synchronize configuration and state information to
the standby even though the standby may not recognize
or understand the CLI commands or state information.
This standby state allows the standby ACE to come up
with best-effort support. In the STANDBY_WARM
state, as with the STANDBY_HOT state, the
configuration mode is disabled and configuration and
state synchronization continues. A failover from the
active to the standby based on priorities and preempt
can still occur while the standby is in the
STANDBY_WARM state.
My Config Priority
Priority configured on the FT group in the local ACE.
My Net Priority
Priority of the FT group equal to the configured priority
minus the priority of the FT tracking process failures, if
any.
My Preempt
Preemption value of the FT group in the local ACE.
Possible values are Enabled or Disabled.
Context Name
Name of the context that is associated with the FT group.
Context ID
Identifier of the context that is associated with the FT
group.
Track Type
Type of object being tracked. Possible values are
TRACK_HOST or TRACK_INTERFACE.
State
State of the tracking process. Possible values are
TRACK_UP or TRACK_DOWN.
Priority
Priority of the tracking process.
Transitions
Number of times that the active member of the FT group
switched over to the standby member.
Probe Count
Number of probes associated with a TRACK_HOST
process.
Probes Down
Number of failed probes.
Clearing Redundancy Statistics
To clear redundancy statistics, use the commands described in the following
sections.
Note
If you configure redundancy on the ACE, then you must explicitly clear statistics
on both the active and the standby ACEs. Clearing statistics on the active
appliance only does not clear the statistics on the standby appliance.
This section contains the following topics:
•
Clearing Transport-Layer Statistics
•
Clearing Heartbeat Statistics
•
Clearing Tracking-Related Statistics
•
Clearing All Redundancy Statistics
•
Clearing the Redundancy History
Clearing Transport-Layer Statistics
To clear all transport layer-related counters that the ACE displays as part of the
show ft peer detail command output, use the clear ft ha-stats command in Exec
mode. The syntax of this command is as follows:
clear ft ha-stats
This command clears the following transport-layer counters:
•
Tx Packets
•
Tx Bytes
•
Rx Packets
•
Rx Bytes
•
Rx Error Bytes
For an explanation of these fields, see the “Displaying Peer Information” section.
For example, enter:
host1/Admin# clear ft ha-stats
Clearing Heartbeat Statistics
To clear all heartbeat-related statistics, use the clear ft hb-stats command in Exec
mode. When you enter this command for the first time, the ACE sets the heartbeat
statistics counters to zero and stores a copy of the latest statistics locally. From
that point on, when you enter the show ft stats command, the ACE displays the
difference between the statistics that are stored locally and the current
statistics. The syntax of this command is as follows:
clear ft hb-stats
For example, enter:
host1/Admin# clear ft hb-stats
Clearing Tracking-Related Statistics
To clear tracking-related statistics for the Admin FT group only, a user context FT
group only, or for all FT groups that are configured in the ACE, use the clear
ft track-stats command in Exec mode. The syntax of this command is as follows:
clear ft track-stats [all]
Use the optional all keyword in the Admin context only to clear tracking statistics
for all FT groups that are configured in the ACE. If you enter this command in the
Admin context without the all keyword, it clears the tracking statistics only for
the FT group associated with the Admin context. In a user context, you cannot
enter the all keyword, so you can clear the tracking statistics only for the FT group
associated with the user context.
For example, to clear tracking statistics for all FT groups that are configured in
the ACE, enter:
host1/Admin# clear ft track-stats all
Clearing All Redundancy Statistics
To clear all redundancy statistics, including all TL, heartbeat, and tracking
counters, use the clear ft all command in Exec mode in the Admin context only.
The syntax of this command is as follows:
clear ft all
Note
This command does not affect the redundancy history. To clear the redundancy
history, use the clear ft history command. For details, see the “Clearing the
Redundancy History” section.
For example, enter:
host1/Admin# clear ft all
Clearing the Redundancy History
To clear the redundancy history, use the clear ft history command in Exec mode
in the Admin context only. The syntax of this command is as follows:
clear ft history {cfg_cntlr | ha_dp_mgr | ha_mgr}
The keywords are:
•
cfg_cntlr—Clears the Configuration Controller debug log
•
ha_dp_mgr—Clears the HA (redundancy) dataplane manager debug log
•
ha_mgr—Clears the HA (redundancy) manager debug log
For example, enter:
host1/Admin# clear ft history cfg_cntlr
Chapter 7
Configuring SNMP
This chapter describes how to configure Simple Network Management Protocol
(SNMP) to query the Cisco 4700 Series Application Control Engine (ACE)
appliance for Cisco Management Information Bases (MIBs) and to send event
notifications to a network management system (NMS).
This chapter contains the following major sections:
•
SNMP Overview
•
SNMP Configuration Quick Start
•
Configuring SNMP Users
•
Defining SNMP Communities
•
Configuring an SNMP Contact
•
Configuring an SNMP Location
•
Configuring SNMP Notifications
•
Assigning a Trap-Source Interface for SNMP Traps
•
Accessing ACE User Context Data Through the Admin Context IP Address
•
Configuring an SNMPv3 Engine ID for an ACE Context
•
Configuring SNMP Management Traffic Services
•
Example of an SNMP Configuration
•
Displaying SNMP Statistics
SNMP Overview
SNMP is an application-layer protocol that facilitates the exchange of
management information between an NMS, SNMP agents, and managed devices
such as the ACE. You can configure the ACE to send traps (event notifications) to
an NMS, or you can use the NMS to browse the MIBs that reside on the ACE.
The ACE contains an SNMP agent that provides support for network monitoring.
The ACE supports SNMP Version 1 (SNMPv1), SNMP Version 2c (SNMPv2c),
and SNMP Version 3 (SNMPv3).
SNMPv1 and SNMPv2c use a community string match for user authentication. The
community string travels in cleartext in every request, so it provides only a
weak form of access control. SNMPv3 provides improved access control by using
strong authentication and should be used instead of SNMPv1 and SNMPv2c
wherever possible.
SNMPv3 is an interoperable standards-based protocol for network management.
SNMPv3 provides secure access to devices by using a combination of
authenticating and encrypting frames over the network. The security features
provided in SNMPv3 are as follows:
•
Message integrity—Ensures that a packet has not been tampered with
in-transit.
•
Authentication—Determines that the message is from a valid source.
•
Encryption—Scrambles the packet contents to prevent it from being seen by
unauthorized sources.
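The authentication and integrity that this list credits to SNMPv3 come from its User-based Security Model (RFC 3414). The following Python is an added example, not Cisco code and not the ACE's implementation: it derives the localized authentication key from a user password and an SNMP engine ID, then computes and verifies the 96-bit HMAC tag that travels in msgAuthenticationParameters. The password and engine ID are the RFC 3414 Appendix A.3 test vectors; the message bytes are constructed for the example and stand for a serialized SNMPv3 message whose authentication parameters field has already been zeroed.

```python
"""SNMPv3 USM authentication: password-to-key, key localization and HMAC-96
(RFC 3414). Added example, not Cisco code. Key test vectors are RFC 3414
Appendix A.3; the message bytes used with them are constructed."""
import hashlib
import hmac

RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3


def password_to_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Localized key Kul (RFC 3414 A.2.1 / A.2.2).

    Step 1 stretches the password to 1 MiB and hashes it (Ku), which makes
    brute force of the password costly. Step 2 binds Ku to the agent's
    engine ID: Kul = H(Ku || engineID || Ku). One password therefore gives a
    different key on every agent, so a key recovered from one device does
    not authenticate to another.
    """
    stretched = (password * (2**20 // len(password) + 1))[: 2**20]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_param(message: bytes, kul: bytes, algo: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with the
    parameters field zeroed by the caller), truncated to 12 bytes, i.e.
    HMAC-MD5-96 or HMAC-SHA-96."""
    return hmac.new(kul, message, algo).digest()[:12]


def verify(message: bytes, received: bytes, kul: bytes, algo: str = "md5") -> bool:
    """Recompute the tag and compare in constant time; False on any mismatch,
    including a key localized for a different engine ID."""
    return hmac.compare_digest(auth_param(message, kul, algo), received)
```

Because the key is localized with the engine ID, the same user password yields a different key on each ACE context, which is why this chapter includes configuring an SNMPv3 engine ID per context: changing the engine ID invalidates every key the NMS derived for the old one.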
This section contains the following topics:
•
Managers and Agents
•
SNMP Manager and Agent Communication
•
SNMP Traps and Informs
•
SNMPv3 CLI User Management and AAA Integration
•
Supported MIBs, Tables, and Notifications
•
SNMP Limitations
Managers and Agents
SNMP uses software entities called managers and agents to manage network
devices:
•
The manager monitors and controls all other SNMP-managed devices
(network nodes) in the network. At least one SNMP manager must be in a
managed network. The manager is installed on a workstation somewhere in
the network.
•
An agent resides in a managed device (a network node). An agent is a
specialized software module that receives instructions from the SNMP
manager and also sends management information back to the SNMP manager
as events occur. For example, an agent might report such data as the number
of bytes and packets in and out of the device or the number of broadcast
messages sent and received.
There are many different SNMP management applications, but they all perform
the same basic task. These applications allow SNMP managers to communicate
with agents to monitor, configure, and receive alerts from the network
devices. The ACE supports traps and SNMP get requests but does not support
SNMP set requests to configure values on the device. You can use any
SNMP-compatible NMS to monitor the ACE.
In SNMP, each variable is referred to as a managed object. A managed object is
anything that an agent can access and report back to the NMS. All managed
objects are contained in the MIB, which is a database of the managed objects
called MIB objects. Each MIB object controls one specific function, such as
counting how many bytes are transmitted through an agent’s port. The MIB object
consists of MIB variables, which define the MIB object name, description, and
default value. The ACE maintains a database of values for each definition.
Browsing a MIB entails issuing an SNMP get request from the NMS. You can use
any SNMPv3, MIB-II compliant browser to receive SNMP traps and browse
MIBs.
SNMP Manager and Agent Communication
The SNMP manager and the agent can communicate in several ways. The Protocol Data Unit (PDU) is the message format that SNMP managers and agents use to send and receive information.
• The SNMP manager can do the following:
– Retrieve a value (a get operation) from an agent. The SNMP manager requests information from the agent, such as the number of users logged on to the agent device, or the status of a critical process on that device. The agent gets the value of the requested MIB object and sends the value back to the manager (a get-response operation). The variable binding (varbind) is a list of MIB objects that allows a request recipient to see what the originator wants to know. Variable bindings can be thought of as OID=value pairs that make it easy for the NMS to identify the information that it needs when the recipient fills the request and sends back a response.
– Retrieve the value immediately after the variable that you name (a get-next operation). A get-next operation retrieves a group of values from a MIB by issuing a sequence of commands. By performing a get-next operation, you do not need to know the exact MIB object instance you are looking for; the SNMP manager takes the variable that you name and then uses a sequential search to find the desired variables.
– Retrieve a number of values (a get-bulk operation). The get-bulk operation retrieves large blocks of data, such as multiple rows in a table, which would otherwise require the transmission of many small blocks of data. The SNMP manager performs a number of get-next operations that you specify.
• An agent can send an unsolicited message to the SNMP manager at any time if a significant, predetermined event takes place on the agent. This message is called an event notification. SNMP event notifications (traps or inform requests) are included in many MIBs and help to alleviate the need for the NMS to frequently poll (gather information through a get operation) the managed devices. For details on MIB objects and SNMP notifications supported by the ACE, see the “Supported MIBs, Tables, and Notifications” section.
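The get, get-next, and get-bulk operations described above can be made concrete with a small simulated agent. The following is an added example written for this topic, not code from Cisco or from the ACE software; the MIB contents (a sysDescr, a sysName, an ifNumber, and three ifDescr rows) are constructed sample values. It shows the lexicographic OID ordering that a get-next walk relies on, the endOfMibView exception that ends a walk, and get-bulk implemented as the chained get-next operations the text describes.

```python
"""Simulated read-only SNMP agent: get, get-next and get-bulk over an
OID-ordered MIB.  Added example, not code from the Cisco guide; the MIB
contents are constructed sample values."""
from bisect import bisect_right
from typing import List, Tuple

OID = Tuple[int, ...]
Varbind = Tuple[OID, object]

END_OF_MIB_VIEW = "endOfMibView"     # SNMPv2 exception value, not an error
NO_SUCH_INSTANCE = "noSuchInstance"  # returned by get when the instance is absent

# Constructed sample MIB (sysDescr.0, sysName.0, ifNumber.0, ifDescr.{1,2,10}).
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.1.0": "ACE appliance (constructed sample sysDescr)",
    "1.3.6.1.2.1.1.5.0": "ace-lab-01",
    "1.3.6.1.2.1.2.1.0": 3,
    "1.3.6.1.2.1.2.2.1.2.1": "vlan10",
    "1.3.6.1.2.1.2.2.1.2.2": "vlan20",
    "1.3.6.1.2.1.2.2.1.2.10": "bvi1",
}


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0); arcs compare numerically."""
    return tuple(int(part) for part in text.strip(".").split("."))


def fmt_oid(oid: OID) -> str:
    return ".".join(str(n) for n in oid)


class Agent:
    """Holds managed objects sorted in lexicographic OID order, which is the
    order that get-next and get-bulk traverse (RFC 3416)."""

    def __init__(self, objects: dict):
        self._oids: List[OID] = sorted(parse_oid(k) for k in objects)
        self._values = {parse_oid(k): v for k, v in objects.items()}

    def get(self, oid: str):
        # Exact instance lookup: the manager must name the full instance OID.
        return self._values.get(parse_oid(oid), NO_SUCH_INSTANCE)

    def get_next(self, oid: str) -> Varbind:
        # First OID strictly greater than the one named; endOfMibView if none.
        idx = bisect_right(self._oids, parse_oid(oid))
        if idx == len(self._oids):
            return (parse_oid(oid), END_OF_MIB_VIEW)
        nxt = self._oids[idx]
        return (nxt, self._values[nxt])

    def get_bulk(self, oid: str, max_repetitions: int) -> List[Varbind]:
        # get-bulk with non-repeaters = 0: up to max_repetitions chained get-nexts.
        out: List[Varbind] = []
        current = oid
        for _ in range(max_repetitions):
            vb = self.get_next(current)
            out.append(vb)
            if vb[1] == END_OF_MIB_VIEW:
                break
            current = fmt_oid(vb[0])
        return out


def walk(agent: Agent, subtree: str, bulk: int = 0) -> List[Tuple[str, object]]:
    """Walk a subtree the way an NMS does: repeat get-next (or get-bulk with
    `bulk` repetitions) until the returned OID leaves the subtree or the agent
    answers endOfMibView.  The prefix check stops the walk from reading past
    the table that was asked for."""
    prefix = parse_oid(subtree)
    results: List[Tuple[str, object]] = []
    current = subtree
    while True:
        vbs = agent.get_bulk(current, bulk) if bulk else [agent.get_next(current)]
        for oid, value in vbs:
            if value == END_OF_MIB_VIEW or oid[:len(prefix)] != prefix:
                return results
            results.append((fmt_oid(oid), value))
        current = results[-1][0]


if __name__ == "__main__":
    agent = Agent(SAMPLE_MIB)
    for oid, value in walk(agent, "1.3.6.1.2.1.2.2.1.2", bulk=2):
        print(f"{oid} = {value!r}")
```

OID arcs compare numerically, so ifDescr.10 sorts after ifDescr.2; a manager that compared OIDs as strings would walk rows in the wrong order and could misjudge where a subtree ends. Because the walk stops at the first OID outside the requested prefix, a get-bulk that overshoots the table simply returns a few extra varbinds that the walker discards.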
SNMP Traps and Informs
You can configure the ACE to send notifications (such as traps or inform requests) to SNMP managers when particular events occur. In some instances, traps can be unreliable because the receiver does not send any acknowledgment when it receives a trap and the sender cannot determine if the trap was received. However, an SNMP manager that receives inform requests acknowledges the message with an SNMP Response PDU. If the sender never receives a Response, the inform request is usually retransmitted. Inform requests are more likely to reach their intended destination.
Notifications may contain a list of MIB variable bindings that clarify the status being relayed by the notification. The list of variable bindings associated with a notification is included in the notification definition in the MIB. For standard MIBs, Cisco has enhanced some notifications with additional variable bindings that further clarify the cause of the notification.
Note
The clogOriginID and clogOriginIDType variable bindings appended with each notification can be used by the NMS application to uniquely identify the device originating the trap. You can configure the values for clogOriginID and clogOriginIDType varbinds to uniquely identify the device by using the logging device-id configuration mode command. For details on the logging device-id command, see the Cisco 4700 Series Application Control Engine Appliance System Message Guide.
Use the SNMP-TARGET-MIB to obtain more information on trap destinations and inform requests.
For details on SNMP notifications supported by the ACE, see the “Supported MIBs, Tables, and Notifications” section.
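To see why an inform request is more likely to arrive than a trap, the following added example (not code from Cisco or from the ACE) simulates both sides of the exchange in one process: an agent-side notifier, a manager that answers each InformRequest PDU with a Response PDU carrying the same request-id, and a path that drops chosen transmissions. The varbind names, the drop pattern, and the retry budget are constructed values.

```python
"""Trap versus inform delivery over a lossy path.  Added example, not code
from the Cisco guide; the manager, the path and the varbinds are simulated."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TRAP, INFORM, RESPONSE = "SNMPv2-Trap", "InformRequest", "Response"


@dataclass
class Pdu:
    kind: str
    request_id: int
    varbinds: Dict[str, object]


@dataclass
class Manager:
    """Receiving NMS: records every PDU it gets and acknowledges only informs."""
    received: List[Pdu] = field(default_factory=list)

    def deliver(self, pdu: Pdu) -> Optional[Pdu]:
        self.received.append(pdu)
        if pdu.kind == INFORM:
            # RFC 3416: an InformRequest is answered with a Response PDU that
            # carries the same request-id and varbinds.  A trap gets no answer.
            return Pdu(RESPONSE, pdu.request_id, pdu.varbinds)
        return None


@dataclass
class LossyPath:
    """Drops the n-th transmission (1-based) for every n in `drop` (constructed)."""
    manager: Manager
    drop: Set[int]
    sent: int = 0

    def transmit(self, pdu: Pdu) -> Optional[Pdu]:
        self.sent += 1
        if self.sent in self.drop:
            return None          # lost in transit: no Response ever comes back
        return self.manager.deliver(pdu)


@dataclass
class Notifier:
    """Agent side.  Traps are sent once; an inform is resent until a matching
    Response arrives or the retry budget (a constructed value) is exhausted."""
    path: LossyPath
    retries: int = 3
    next_id: int = 1

    def _pdu(self, kind: str, varbinds: Dict[str, object]) -> Pdu:
        pdu = Pdu(kind, self.next_id, varbinds)
        self.next_id += 1
        return pdu

    def send_trap(self, varbinds: Dict[str, object]) -> None:
        # Fire and forget: the sender learns nothing about delivery.
        self.path.transmit(self._pdu(TRAP, varbinds))

    def send_inform(self, varbinds: Dict[str, object]) -> bool:
        pdu = self._pdu(INFORM, varbinds)
        for _attempt in range(1 + self.retries):
            resp = self.path.transmit(pdu)
            if resp is not None and resp.kind == RESPONSE and resp.request_id == pdu.request_id:
                return True      # acknowledged by the manager
        return False             # gave up: the agent can log or count this


def demo(drop: Set[int], retries: int = 3):
    """Send one trap and then one inform across a path that drops the listed
    transmissions.  Returns (trap_received, inform_acked, kinds_received)."""
    mgr = Manager()
    notifier = Notifier(LossyPath(mgr, drop), retries=retries)
    varbinds = {"clogOriginID": "ace-lab-01", "severity": 3}  # constructed
    notifier.send_trap(varbinds)
    acked = notifier.send_inform(varbinds)
    kinds = [p.kind for p in mgr.received]
    return TRAP in kinds, acked, kinds


if __name__ == "__main__":
    print(demo(set()))       # both arrive
    print(demo({1, 2}))      # trap lost silently; inform retried and acknowledged
    print(demo({2, 3, 4, 5}))  # inform gives up after 1 + 3 attempts
```

The difference that matters operationally is the return value of send_inform: the agent knows whether the manager acknowledged the event, whereas after send_trap it knows nothing. A monitoring design that depends on receiving every notification should therefore use informs where the agent supports them, and should still poll the relevant objects periodically, since even an inform can exhaust its retries.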
SNMPv3 CLI User Management and AAA Integration
The ACE implements RFC 3414 and RFC 3415, including the SNMPv3 User-based Security Model (USM) for message security and role-based access control. SNMPv3 user management can be centralized at the authentication and accounting (AAA) server level (as described in the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide). This centralized user management allows the ACE SNMP agent to use the user authentication service of a AAA server. After user authentication is verified, the SNMP protocol data units (PDUs) are further processed. The AAA server is also used to store user group names. SNMP uses the group names to apply the user access and role policy that is locally available in the ACE.
CLI and SNMP User Synchronization
Any configuration change to the user group, role, or password results in database synchronization for both SNMP and AAA. To create a CLI user by using the username command, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. To create an SNMP user by using the snmp-server user command, see the “Configuring SNMP Users” section.
Users are synchronized as follows:
• If you delete a user by using the no username command, the user is also deleted from both SNMP and the CLI. However, if you delete a user by using the no snmp-server user command, the user is deleted only from SNMP and not from the CLI.
• User-role mapping changes are synchronized in SNMP and the CLI.
Note
When you specify a password in a localized key or encrypted format for security encryption, the password is not synchronized.
• The password specified in the username command is synchronized as the auth and priv passwords for the SNMP user.
• Existing SNMP users can continue to retain the auth and priv information without any changes.
• If you create a new user that is not present in the SNMP database by using the username command without a password, the SNMP user is created with the noAuthNoPriv security level.
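The note above mentions passwords supplied in localized key form. The following added example (not Cisco or ACE code) implements the RFC 3414 Appendix A password-to-key and key-localization steps for the MD5 and SHA-1 authentication protocols and checks them against the RFC's own test vectors (password "maplesyrup", snmpEngineID 000000000000000000000002). It makes visible why a localized key is bound to one engine: the same password yields a different Kul for every snmpEngineID, and the derivation is a one-way hash, so a key supplied in localized form carries no password that could be shared with the CLI user database.

```python
"""USM password-to-key and key localization (RFC 3414, Appendix A).
Added example, not code from the Cisco guide."""
import hashlib
from typing import Dict, Iterable

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2: the password is expanded to 1 MB


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated and truncated to 1,048,576 bytes).
    `algo` is 'md5' (A.2.1) or 'sha1' (A.2.2)."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(algo)
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).  Binds the key to one agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Full derivation from a text password to the per-engine localized key."""
    return localize_key(password_to_key(password.encode(), algo), engine_id, algo)


def derive_for_engines(password: str, engine_ids: Iterable[str], algo: str = "sha1") -> Dict[str, str]:
    """Map each engine ID (hex string) to the localized key it yields, as hex.
    Used to show that one password gives a distinct Kul per engine."""
    return {eid: localized_key(password, bytes.fromhex(eid), algo).hex() for eid in engine_ids}


if __name__ == "__main__":
    # RFC 3414 A.3 test vector engine ID; the second engine ID is constructed.
    for eid, kul in derive_for_engines("maplesyrup",
                                       ["000000000000000000000002",
                                        "000000000000000000000003"]).items():
        print(eid, kul)
```

Because the agent stores only Kul and the manager derives Kul from the password plus the agent's engine ID, a localized key captured from one agent's configuration is useless against any other engine, and nothing in the stored value lets an administrator recover the original password for CLI use. That is the property behind the note that localized-form passwords are not synchronized.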
Supported MIBs, Tables, and Notifications
Table 7-1 identifies the supported MIBs for the ACE.
Table 7-1
SNMP MIB Support
Columns: MIB; Capability MIB; Description

Appliance MIBs

MIB: CISCO-ENTITY-VENDORTYPE-OID-MIB
Capability MIB: N/A
Description: Defines the object identifiers (OIDs) assigned to various ACE components. The OIDs in this MIB are used by the entPhysicalTable of the ENTITY-MIB as values for the entPhysicalVendorType field in the entPhysicalTable. Each OID uniquely identifies a type of physical entity, such as a chassis, line cards, or port adapters. The entPhysicalVendorType OID values are listed as follows (Product Name (PID) / entPhysicalVendorType):
• ACE4710-K9: cevChassisACE4710K9 {cevChassis 610}
• Power Supply: cevPowerSupplyAC345 {cevPowerSupply 190}
• CPU fan: cevFanACE4710K9CpuFan {cevFan 91}
• DIMM fan: cevFanACE4710K9DimmFan {cevFan 92}
• PCI fan: cevFanACE4710K9PciFan {cevFan 93}
• Voltage Sensor: cevSensorPSOutput {cevSensor 39}
• CPU fan sensor: cevSensorCpuFanSpeed {cevSensor 58}
• DIMM fan sensor: cevSensorACE4710K9DimmFanSpeed {cevSensor 59}
• PCI fan sensor: cevSensorACE4710K9PciFanSpeed {cevSensor 60}
• CPU temperature sensor: cevSensorACE4710K9CPUTemp {cevSensor 56}
• Ambient temperature sensor: cevSensorACE4710K9AmbientTemp {cevSensor 57}

MIB: ENTITY-MIB
Capability MIB: CISCO-ENTITY-CAPABILITY
Description: Provides basic management and identification of physical and logical entities within a network device. Software support for the ENTITY-MIB focuses on the physical entities within the ACE. This MIB provides details on each module, power supply, fan, and sensor within the ACE appliance chassis. It provides sufficient information to correctly map the containment of these entities within the ACE. The ENTITY-MIB is supported only in the Admin context. The ENTITY-MIB is described in RFC 4133.
MIB: ENTITY-SENSOR-MIB
Capability MIB: CISCO-ENTITY-SENSOR-RFC-CAPABILITY
Description: Contains a single group called the entitySensorValueGroup, which allows objects to convey the current value and status of a physical sensor. The entitySensorValueGroup contains a single table, called the entPhySensorTable, which provides a few read-only objects that identify the type of data units, scaling factor, precision, current value, and operational status of the sensor. The ENTITY-SENSOR-MIB is supported only in the Admin context. The ENTITY-SENSOR-MIB is described in RFC 3433.

SNMPv3 Agent MIBs

MIB: SNMP-COMMUNITY-MIB
Capability MIB: CISCO-SNMP-COMMUNITY-CAPABILITY
Description: Contains objects for mapping between community strings and version-independent SNMP message parameters. In addition, this MIB provides a mechanism for performing source address validation on incoming requests and for selecting community strings based on target addresses for outgoing notifications. The SNMP-COMMUNITY-MIB is described in RFC 3584.
Note
SNMP communities are applicable only for SNMPv1 and SNMPv2c. SNMPv3 requires user configuration information such as specifying the role group that the user belongs to, authentication parameters for the user, the authentication password, and message encryption parameters.
MIB: SNMP-FRAMEWORK-MIB
Capability MIB: CISCO-SNMP-FRAMEWORK-CAPABILITY
Description: Defines the elements of SNMP Management Frameworks, including an SNMP engine and Access Control Subsystem. The SNMP-FRAMEWORK-MIB is described in RFC 3411.

MIB: SNMP-MPD-MIB
Capability MIB: CISCO-SNMP-MPD-CAPABILITY
Description: Describes the Message Processing Subsystem and Dispatcher for SNMP. The Dispatcher in the SNMP engine sends and receives SNMP messages. It also dispatches SNMP PDUs to SNMP applications. A Message Processing Model processes an SNMP version-specific message and coordinates the interaction with the Security Subsystem to ensure that proper security is applied to the SNMP message being handled. The SNMP-MPD-MIB is described in RFC 3412.

MIB: SNMP-NOTIFICATION-MIB
Capability MIB: CISCO-SNMP-NOTIFICATION-CAPABILITY
Description: Defines MIB objects used by an SNMP entity for the generation of notifications. The SNMP-NOTIFICATION-MIB is described in RFC 3413.

MIB: SNMP-TARGET-MIB
Capability MIB: CISCO-SNMP-TARGET-CAPABILITY
Description: Contains a table for the destination information and SNMP parameters in the management target message. There can be a many-to-many relationship in the MIB between these two types of information. Multiple transport end points may be associated with a particular set of SNMP parameters, or a particular transport end point may be associated with several sets of SNMP parameters. The SNMP-TARGET-MIB is described in RFC 3413.
MIB: SNMP-USER-BASED-SM-MIB
Capability MIB: CISCO-SNMP-USM-CAPABILITY
Description: Provides management information definitions for the User-based Security Model (USM) for SNMPv3. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security.
The USM module decrypts incoming messages. The module then verifies the authentication data and creates the PDUs. For outgoing messages, the USM module encrypts PDUs and generates the authentication data. The module then passes the PDUs to the message processor, which then invokes the dispatcher.
The USM module's implementation of the SNMP-USER-BASED-SM-MIB enables the SNMP manager to issue commands to manage users and security keys. The MIB also enables the agent to ensure that a requesting user exists and has the proper authentication information. When authentication is done, the request is carried out by the agent.
The SNMP-USER-BASED-SM-MIB is described in RFC 3414.
Note
User configuration is applicable only for SNMPv3; SNMPv1 and SNMPv2c use a community string match for user authentication.
MIB: SNMP-VIEW-BASED-ACM-MIB
Capability MIB: CISCO-SNMP-VACM-CAPABILITY
Description: Provides the View-based Access Control Model (VACM) for SNMPv3. The SNMPv3 architecture introduces VACM for access control.
The SNMP-VIEW-BASED-ACM-MIB specifies objects that are needed to control access to all MIB data that is accessible through the SNMP agent. Upon initialization, the VACM registers as the access control module with the agent infrastructure. The VACM implements access control checks according to several parameters that are derived from the SNMP message.
The SNMP-VIEW-BASED-ACM-MIB is described in RFC 3415.

Other MIBs

MIB: CISCO-AAA-SERVER-EXT-MIB
Capability MIB: CISCO-AAA-SERVER-EXT-CAPABILITY
Description: Acts as an extension to CISCO-AAA-SERVER-MIB. It enhances the casConfigTable of the CISCO-AAA-SERVER-MIB to include other types of server addresses. The CISCO-AAA-SERVER-EXT-MIB manages the following configuration functions:
• Generic configurations as applied on the authentication and accounting module.
• Configuration settings (settings for all the AAA servers instrumented in one instance of this MIB).
• AAA server group configuration.
• Application-to-AAA function-to-server group mapping configuration.
MIB: CISCO-AAA-SERVER-MIB
Capability MIB: CISCO-AAA-SERVER-CAPABILITY
Description: Provides configuration information and statistics that reflect the state of an AAA server operation within the device and AAA communications with external servers. The CISCO-AAA-SERVER-MIB provides the following information:
• A table for configuring AAA servers.
• Identities of external AAA servers.
• Statistics for each AAA function.
• Status of servers that provide AAA functions.
A server is defined as a logical entity that provides any of the AAA functions. The ACE can use the Remote Access Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), or Lightweight Directory Access Protocol (v3) (LDAP) protocols for remote authentication and designation of access rights.

MIB: CISCO-APPLICATION-ACCELERATION-MIB
Capability MIB: CISCO-APPLICATION-ACCELERATION-CAPABILITY-MIB
Description: Manages application acceleration system(s) in the ACE. This MIB includes instrumentation for providing the performance statistics and status of the condenser, which is the core of the application acceleration system. A condenser is a software accelerator that applies several optimization techniques to accelerate Web application access.
MIB: CISCO-ENHANCED-SLB-MIB
Capability MIB: CISCO-ENHANCED-SLB-CAPABILITY
Description: Supports the following server load-balancing functions:
• A real server configuration with a real server that is identified by a name.
• The current state of the real server (for example, OPERATIONAL, OUT-OF-SERVICE, PROBE-FAILED).
• A real server configuration in a server farm.
• A health probe configuration in a real server and server farm.
• Health probe statistics for each real server.
• A sticky configuration for an HTTP header, an HTTP cookie and client IP address, and Secure Socket Layer (SSL).
The slbEntity index used in the table is the slot number of the ACE. Because a slot number is not applicable to the ACE appliance, the slbEntity index always has a value of 1.
The cesRServerProbeTable table in the CISCO-ENHANCED-SLB-MIB provides details about the real server probe statistics available in the show probe detail command output.
The cesServerFarmRserverTable and cesRserverTable tables in the CISCO-ENHANCED-SLB-MIB provide details about the data available in the show rserver command output.
MIB: CISCO-IF-EXTENSION-MIB
Capability MIB: CISCO-IF-EXTENSION-CAPABILITY
Description: Provides a table that returns the ifName to ifIndex mapping used to assign the ifIndex to interfaces. The CISCO-IF-EXTENSION-MIB is described in RFC 2863.
Note
The Ethernet data port and port-channel interfaces are available only in the Admin context. In this case, the CISCO-IF-EXTENSION-MIB supports all the interfaces for the Admin context, while each individual user context supports only VLAN and BVI interfaces.

MIB: CISCO-IP-PROTOCOL-FILTER-MIB
Capability MIB: CISCO-IP-PROTOCOL-FILTER-CAPABILITY
Description: Manages information to support packet filtering on IP protocols (RFC 791).
The cippfIpProfileTable allows users to create, delete, and get information about filter profiles. Filter profiles are uniquely identified by the profile names. Filter profiles can be either simple or extended usage types. The cippfIfIpProfileTable applies the filtering profiles to device interfaces that run IP. A filter profile can be applied to multiple interfaces.
The cippfIpFilterTable contains ordered lists of IP filters for all filtering profiles. Filters and profiles are related if they have the same filter profile name. Filters of the same profile name belong to a common profile.
The cippfIpFilterHits object provides the total number of hit counts for an access control entry.
The IP protocol is described in RFC 791.
MIB: CISCO-L4L7MODULE-REDUNDANCY-MIB
Capability MIB: CISCO-L4L7MODULE-REDUNDANCY-CAPABILITY
Description: Provides configuration information and statistic tables that reflect the redundancy (or fault tolerance) between an active and a standby ACE appliance. Each peer appliance can contain one or more fault-tolerant (FT) groups.
The CISCO-L4L7MODULE-REDUNDANCY-MIB provides redundancy information such as the FT state, IP address, peer FT state, peer IP address, software compatibility, license compatibility, number of groups to which a peer belongs, and the number of heartbeat messages transmitted and received.
The CISCO-L4L7MODULE-REDUNDANCY-MIB provides details about the fault tolerance statistics available in the show ft peer, show ft group detail, and show ft stats command output.

MIB: CISCO-L4L7RESOURCE-LIMIT-MIB
Capability MIB: CISCO-L4L7MODULE-RESOURCE-LIMIT-CAPABILITY
Description: Manages resource classes. The resources referenced in this MIB are in addition to the resource information that is available in other MIBs. This MIB applies to Layer 4 through 7 modules that support managing resource limits using a centralized approach.
The ciscoL4L7ResourceLimitTable, ciscoL4L7ResourceRateLimitTable, and ciscoL4L7ResourceUsageSummaryTable in the CISCO-L4L7RESOURCE-LIMIT-MIB provide details about the Current, Peak, and Denied statistics available in the show resource usage command output.
MIB: CISCO-MODULE-VIRTUALIZATION-MIB
Capability MIB: CISCO-MODULE-VIRTUALIZATION-CAPABILITY
Description: Provides a way to create and manage ACE user contexts (also referred to as virtual contexts). A virtual context is a logical partition of a physical device (the ACE). A virtual context provides different service types that can be managed independently. Each virtual context is an independent entity with its own configuration. A user-created context supports most of the options that you can configure in the Admin context (the default ACE context). Each context can have a separate management IP address that allows a user to establish a remote connection to the ACE by using the Secure Shell (SSH) or Telnet protocols and to send other requests (such as SNMP or FTP).
This MIB contains tables that allow you to create or delete virtual contexts and to assign interfaces and interface ranges to virtual contexts.

MIB: CISCO-PROCESS-MIB
Capability MIB: CISCO-PROCESS-CAPABILITY
Description: Displays memory and process CPU utilization on Cisco devices. This information should be used only as an estimate. The value of cpmCPUTotalPhysicalIndex will always be 1. The MIB displays system process information at the CPU system level (the total CPU usage) and not on a per-context level.

MIB: CISCO-PRODUCTS-MIB
Capability MIB: N/A
Description: Contains the OIDs that can be reported in the sysObjectID object in the SNMPv2-MIB. The sysObjectID OID value is listed as follows (Product Name (PID) / sysObjectID):
• ACE4710-K9: ciscoACE4710K9 {ciscoProducts 824}
MIB: CISCO-SLB-MIB
Capability MIB: CISCO-SLB-CAPABILITY
Description: Manages the Server Load-Balancing (SLB) manager. This MIB monitors the SLB connection statistics, server farms, real servers, VIP status and statistics, and so on.
The slbVServerInfoTable table in the CISCO-SLB-MIB provides details about the data available in the show service-policy command output.
The slbEntity index used in the table is the slot number of the ACE. Because a slot number is not applicable to the ACE appliance, the slbEntity index always has a value of one.
The following MIB objects for the ACE include non-SLB related connections as well:
• slbStatsCreatedConnections
• slbStatsCreatedHCConnections
• slbStatsEstablishedConnections
• slbStatsEstablishedHCConnections
• slbStatsDestroyedConnections
• slbStatsDestroyedHCConnections
• slbStatsReassignedConnections
MIB: CISCO-SLB-EXT-MIB
Capability MIB: CISCO-SLB-EXT-CAPABILITY
Description: Acts as an extension to the Cisco server load-balancing MIB (CISCO-SLB-MIB). It provides tables for the sticky configuration.
The cslbxServerFarmStatsTable table in the CISCO-SLB-EXT-MIB provides details about the data available in the show serverfarm command output.
The following MIB objects for the ACE include non-SLB related connections as well:
• cslbxStatsCurrConnections
• cslbxStatsTimedOutConnections

MIB: CISCO-SLB-HEALTH-MON-MIB
Capability MIB: CISCO-SLB-HEALTH-MON-CAPABILITY
Description: Acts as an extension to the Cisco server load-balancing MIB (CISCO-SLB-MIB). It provides tables for the health probe configuration and statistics of the ACE.
The cshMonSfarmRealProbeStatsTable and cslbxProbeCfgTable tables in the CISCO-SLB-HEALTH-MON-MIB provide details about the probe data available in the show probe detail command output.

MIB: CISCO-SSL-PROXY-MIB
Capability MIB: CISCO-SSL-PROXY-CAPABILITY
Description: Manages a Secure Socket Layer (SSL) proxy device, which terminates and accelerates SSL and Transport Layer Security (TLS) transactions. The proxy device can act as an SSL server or an SSL client depending on the configuration and the application.
This MIB is used for monitoring the statistics of the proxy services and the protocols, including TCP, SSL, and TLS.
MIB: CISCO-SYSLOG-EXT-MIB
Capability MIB: CISCO-SYSLOG-EXT-CAPABILITY
Description: Extends the CISCO-SLB-MIB, provides additional server farm configuration parameters (cslbxServerFarmTable), and configures and monitors system log (syslog) management parameters for the ACE. Use this MIB to set up syslog servers and set logging severity levels. Syslog is described by RFC 3164.

MIB: CISCO-SYSLOG-MIB
Capability MIB: CISCO-SYSLOG-CAPABILITY
Description: Describes and stores the system messages (syslog messages) generated by the ACE. The CISCO-SYSLOG-MIB provides access to the syslog messages through SNMP. The MIB also contains a history of syslog messages and objects to enable or disable the transmission of syslog notifications.
Note
This MIB does not track messages that are generated from debug commands entered through the CLI.
Syslog is described by RFC 3164.

MIB: IF-MIB
Capability MIB: CISCO-IF-CAPABILITY
Description: Reports generic information on interfaces (for example, VLANs). The IF-MIB is described in RFC 2863.
Note
The Ethernet data port and port-channel interfaces are available only in the Admin context. In this case, the IF-MIB supports all the interfaces for the Admin context, while each individual user context supports only VLAN and BVI interfaces.
MIB: IP-MIB
Capability MIB: CISCO-IP-CAPABILITY
Description: Defines managed objects for managing implementations of IP and its associated Internet Control Message Protocol (ICMP), but excludes the management of IP routes. The IP-MIB is described in RFC 4293.

MIB: SNMPv2-MIB
Capability MIB: CISCO-SNMPv2-CAPABILITY
Description: Provides the Management Information Base for SNMPv2. The management protocol, SNMPv2, provides for the exchange of messages that convey management information between the agents and the management stations. The SNMPv2-MIB is described in RFC 3418.

MIB: TCP-MIB
Capability MIB: CISCO-TCP-STD-CAPABILITY
Description: Defines managed objects for managing the implementation of the Transmission Control Protocol (TCP). The TCP MIB is described in RFC 4022.

MIB: UDP-MIB
Capability MIB: CISCO-UDP-STD-CAPABILITY
Description: Defines managed objects for managing the implementation of the User Datagram Protocol (UDP). The UDP MIB is described in RFC 4113.
Table 7-2 identifies the supported and unsupported tables and objects for each
MIB used by the ACE.
Table 7-2
SNMP Table and Object Support
Columns: MIB Name; Supported Tables and Objects; Unsupported Tables and Objects

MIB Name: SNMPv2-MIB
Supported Tables and Objects:
  Scalar Objects: sysDescr, sysName, sysLocation, sysContact, sysObjectID, sysServices, sysORLastChange, snmpInPkts, snmpOutPkts, snmpInBadVersions, snmpInBadCommunityNames, snmpInBadCommunityUses, snmpInASNParseErrs, snmpInTooBigs, snmpInNoSuchNames, snmpInBadValues, snmpInReadOnlys, snmpInGenErrs, snmpInTotalReqVars, snmpInTotalSetVars, snmpInGetRequests, snmpInGetNexts, snmpInSetRequests, snmpInGetResponses, snmpInTraps, snmpOutTooBigs, snmpOutNoSuchNames, snmpOutBadValues, snmpOutGenErrs, snmpOutGetRequests, snmpOutGetNexts, snmpOutSetRequests, snmpOutGetResponses, snmpOutTraps, snmpEnableAuthenTraps, snmpSilentDrops, snmpProxyDrops
  Tables: sysORTable
Unsupported Tables and Objects: None; all tables and objects are supported.
MIB Name: SNMP-COMMUNITY-MIB
Supported Tables and Objects:
  Tables: snmpCommunityTable, snmpTargetAddrExtTable
Unsupported Tables and Objects: None; all tables and objects are supported.

MIB Name: SNMP-MPD-MIB
Supported Tables and Objects:
  Scalar Objects: snmpUnknownSecurityModels, snmpInvalidMsgs, snmpUnknownPDUHandlers
Unsupported Tables and Objects: None; all tables and objects are supported.
MIB Name: SNMP-NOTIFICATION-MIB
Supported Tables and Objects:
  Tables: snmpNotifyTable, snmpNotifyFilterProfileTable, snmpNotifyFilterTable
Unsupported Tables and Objects: None; all tables and objects are supported.

MIB Name: SNMP-TARGET-MIB
Supported Tables and Objects:
  Scalar Objects: snmpUnavailableContexts, snmpUnknownContexts
  Tables: snmpTargetAddrTable, snmpTargetParamsTable
Unsupported Tables and Objects:
  Scalar Objects: snmpTargetSpinLock

MIB Name: SNMP-USER-BASED-SM-MIB
Supported Tables and Objects:
  Scalar Objects: usmStatsUnsupportedSecLevels, usmStatsNotInTimeWindows, usmStatsUnknownUserNames, usmStatsUnknownEngineIDs, usmStatsWrongDigests, usmStatsDecryptionErrors
  Tables: usmUserTable
Unsupported Tables and Objects:
  Scalar Objects: usmUserSpinLock

MIB Name: SNMP-VIEW-BASED-ACM-MIB
Supported Tables and Objects:
  Tables: vacmContextTable, vacmSecurityToGroupTable, vacmAccessTable
Unsupported Tables and Objects:
  Scalar Objects: vacmViewSpinLock
MIB Name: ENTITY-MIB
Supported Tables and Objects:
  Tables: entPhysicalTable, entPhysicalContainsTable
Unsupported Tables and Objects:
  Tables: entLogicalTable, entLPMappingTable, entAliasMappingTable
  Objects: entPhysicalAlias, entPhysicalAssetID, entPhysicalMfgDate

MIB Name: ENTITY-SENSOR-MIB
Supported Tables and Objects:
  Tables: entPhySensorTable
Unsupported Tables and Objects: None; all tables and objects are supported.

MIB Name: IF-MIB
Supported Tables and Objects:
  Scalar Objects: ifNumber, ifTableLastChange
  Tables: ifTable, ifXTable
Unsupported Tables and Objects:
  Tables: ifStackTable, ifRcvAddressTable, ifTestTable
  Objects: ifStackLastChange
MIB Name: IP-MIB
Supported Tables and Objects:
  Scalar Objects: icmpInMsgs, icmpInErrors, icmpInDestUnreachs, icmpInTimeExcds, icmpInParmProbs, icmpInSrcQuenchs, icmpInRedirects, icmpInEchos, icmpInEchoReps, icmpInTimestamps, icmpInTimestampReps, icmpInAddrMasks, icmpInAddrMaskReps, icmpOutMsgs, icmpOutErrors, icmpOutDestUnreachs, icmpOutTimeExcds, icmpOutParmProbs, icmpOutSrcQuenchs, icmpOutRedirects, icmpOutEchos, icmpOutEchoReps, icmpOutTimestamps, icmpOutTimestampReps, icmpOutAddrMasks, icmpOutAddrMaskReps
  Tables: ipAddrTable
Unsupported Tables and Objects:
  Tables: ipNetToMediaTable, ipv4InterfaceTable, ipv6InterfaceTable, ipAddressTable, ipAddressPrefixTable, ipNetToPhysicalTable, ipDefaultRouterTable, ipv6RouterAdvertTable, ipv6ScopeZoneIndexTable, ipSystemStatsTable, ipIfStatsTable, icmpStatsTable, icmpMsgStatsTable
  Objects: ipSystemStatsInMcastOctets, ipSystemStatsHCInMcastOctets, ipSystemStatsOutMcastOctets, ipSystemStatsHCOutMcastOctets, ipIfStatsInMcastOctets, ipIfStatsHCInMcastOctets, ipIfStatsOutMcastOctets, ipIfStatsHCOutMcastOctets

MIB Name: TCP-MIB
Supported Tables and Objects:
  Scalar Objects: tcpRtoAlgorithm, tcpRtoMin, tcpRtoMax, tcpMaxConn, tcpActiveOpens, tcpPassiveOpens, tcpAttemptFails, tcpEstabResets, tcpCurrEstab, tcpInSegs, tcpOutSegs, tcpRetransSegs, tcpInErrs, tcpOutRsts
Unsupported Tables and Objects:
  Scalar Objects: tcpHCInSegs, tcpHCOutSegs
  Tables: tcpConnTable, tcpConnectionTable, tcpListenerTable

MIB Name: UDP-MIB
Supported Tables and Objects:
  Scalar Objects: udpInDatagrams, udpNoPorts, udpInErrors, udpOutDatagrams
Unsupported Tables and Objects:
  Scalar Objects: udpHCInDatagrams, udpHCOutDatagrams
  Tables: udpTable, udpEndpointTable
MIB Name: CISCO-PROCESS-MIB
Supported Tables and Objects:
  Tables: cpmProcessTable, cpmCPUTotalTable, cpmProcessExtRevTable
Unsupported Tables and Objects:
  Tables: cpmProcessExtTable, cpmCPUThresholdTable, cpmCPUHistoryTable, cpmCPUProcessHistoryTable
  Scalar Objects: cpmCPUHistoryThreshold, cpmCPUHistorySize
  Objects: cpmCPUInterruptMonIntervalValue

MIB Name: CISCO-SYSLOG-EXT-MIB
Supported Tables and Objects:
  Scalar Objects: cseSyslogConsoleEnable, cseSyslogConsoleMsgSeverity, cseSyslogServerTableMaxEntries, cseSyslogTerminalEnable, cseSyslogTerminalMsgSeverity
  Tables: cseSyslogServerTable
Unsupported Tables and Objects:
  Scalar Objects: cseSyslogLogFileName, cseSyslogLogFileMsgSeverity, cseSyslogFileLoggingDisable, cseSyslogLinecardEnable, cseSyslogLinecardMsgSeverity
  Tables: cseSyslogMessageControlTable
CISCO-SYSLOG-MIB
  Supported: Scalar Objects: clogNotificationsSent, clogNotificationsEnabled; Tables: clogServerConfigTable
  Unsupported: Scalar Objects: clogMaxservers, clogMaxSeverity, clogMsgIgnores, clogMsgDrops, clogOriginIDType, clogOriginID, clogHistTableMaxLength, clogHistMsgsFlushed; Tables: clogHistoryTable
CISCO-SYSTEM-MIB
  Supported: Scalar Objects: csyClockDateAndTime, csyClockLostOnReboot, csyLocationCountry
  Unsupported: Scalar Objects: csySummerTimeStatus, csySummerTimeOffset, csySummerTimeRecurringStart, csySummerTimeRecurringEnd, csyScheduledResetTime, csySche duledResetAction, csyScheduledResetReason, csySnmpAuthFail, csySnmpAuthFailAddressType, csySnmpAuthFailAddress, csyNotificationsEnable
CISCO-SLB-MIB
  Supported: Scalar Objects: cSlbVServerStateChangeNotifEnabled, cSlbRealStateChangeNotifEnabled; Tables: slbStatsTable, slbServerFarmTable, slbVServerInfoTable
  Unsupported: Scalar Objects: cSlbVirtStateChangeNotifEnabled, cSlbRealServerStateChangeNotifEnabled; Tables: slbRealTable, slbVirtualServerTable, slbVServerTable, slbConnectionTable, slbVirtualClientTable, slbStickyObjectTable, slbDfpPasswordTable, slbDfpAgentTable, slbDfpRealTable, slbSaspTable, slbSaspAgentTable, slbSaspGroupTable, slbSaspMemberTable, slbSaspStatsTable
CISCO-SLB-MIB (continued)
  Unsupported Objects from slbStatsTable: slbStatsUnassistedSwitchingPkts, slbStatsUnassistedSwitchingHCPkts, slbStatsAssistedSwitchingPkts, slbStatsAssistedSwitchingHCPkts, slbStatsZombies, slbStatsHCZombies
  Unsupported Objects from slbServerFarmTable: slbServerFarmPredictor, slbServerFarmNat, slbServerFarmBindId
  Unsupported Objects from slbVServerInfoTable: slbVServerL4Decisions, slbVServerL7Decisions, slbVServerEstablishedConnections
CISCO-SLB-EXT-MIB
  Supported: Tables: cslbxStatsTable, cslbxServerFarmTable, cslbxServerFarmProbeTable, cslbxServerFarmStatsTable, cslbxStickyGroupTable, cslbxStickyGroupExtTable
  Unsupported: Tables: cslbxConnTable, cslbxRedirectSvrTable, cslbxSfarmHttpReturnCodeTable, cslbxNatPoolTable, cslbxStickyObjectTable, cslbxMapTable, cslbxHttpExpressionTable, cslbxHttpReturnCodeTable, cslbxPolicyTable, cslbxVirtualServerTable, cslbxRuleTable, cslbxVlanTable, cslbxAliasAddrTable, cslbxStaticRouteTable, cslbxFtTable, cslbxXmlConfigTable, cslbxOwnerTable, cslbxScriptFileTable, cslbxScriptTaskTable
CISCO-SLB-EXT-MIB (continued)
  Unsupported Objects from cslbxStatsTable: cslbxStatsServerInitConns, cslbxStatsServerInitHCConns, cslbxStatsCurrServerInitConns, cslbxStatsFailedServerInitConns, cslbxStatsNoActiveServerRejects
  Unsupported Objects from cslbxServerFarmTable: cslbxServerFarmClientNatPool, cslbxServerFarmHttpReturnCodeMap
  Unsupported Objects from cslbxServerFarmStatsTable: cslbxServerFarmNumOfTimeFailOvers, cslbxServerFarmNumOfTimeBkInServs
CISCO-SLB-HEALTHMON-MIB
  Supported: Tables: cslbxProbeCfgTable, cslbxProbeHeaderCfgTable, cslbxProbeHTTPCfgTable, cslbxProbeFTPCfgTable, cslbxProbeIMAPCfgTable, cshMonServerfarmRealProbeStatsTable
  Unsupported: Tables: cslbxDnsProbeIpTable, cslbxProbeSIPCfgTable, cslbxProbeTFTPCfgTable, cslbxProbeExpectStatusCfgTable, cshMonProbeTypeStatsTable
  Unsupported objects from cslbxProbeCfgTable: cslbxProbePassword, cslbxProbeSocketReuse, cslbxProbeSendDataType, cslbxProbePriority
  Unsupported objects from cslbxProbeHTTPCfgTable: cslbxProbeHTTPCfgPersistence
  Unsupported objects from cshMonServerfarmRealProbeStatsTable: cshMonServerfarmRealProbeLastProbeTime, cshMonServerfarmRealProbeLastActiveTime, cshMonServerfarmRealProbeLastFailedTime
  Unsupported object: cshMonProbeInheritedPortType
CISCO-ENHANCED-SLB-MIB
  Supported: Scalar Objects: cesRealServerNotifEnable; Tables: cesRserverTable, cesServerFarmRserverTable, cesRserverProbeTable
  Unsupported: Tables: cesRealServerProbeTable
  Unsupported objects from cesServerFarmRserverTable: cesServerFarmRserverDroppedConns
CISCO-IFEXTENSION-MIB
  Supported: Tables: cieIfNameMappingTable, cieIfInterfaceTable, cieIfDot1qCustomEtherTypeTable, cieIfDot1dBaseMappingTable
  Unsupported: Tables: cieIfPacketStatsTable, cieIfStatusListTable, cieIfUtilTable
CISCO-IP-PROTOCOL-FILTER-MIB
  Supported: Tables: cippfIpProfileTable, cippfIpFilterTable
  Unsupported: Tables: cippfIfIpProfileTable, cippfIpFilterExtTable, cippfIpFilterStatsTable
  Unsupported Objects from cippfIpFilterTable: cippfIpFilterSrcIPGroupName, cippfIpFilterDstIPGroupName, cippfIpFilterProtocolGroupName, cippfIpFilterSrcServiceGroupName, cippfIpFilterDstServiceGroupName, cippfIpFilterICMPGroupName
CISCO-MODULE-VIRTUALIZATION-MIB
  Supported: Scalar Objects: cmVirtContextNotifEnable; Tables: cmVirtualContextTable, cmVirtContextIfMapTable
  Unsupported objects from cmVirtualContextTable: cmVirtContextURL
CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB
  Supported: Tables: ciscoL4L7ResourceClassTable, ciscoL4L7ResourceLimitTable, ciscoL4L7ResourceRateLimitTable; Scalar Objects: clrResourceLimitReachedNotifEnabled, clrResourceRateLimitReachedNotifEnabled
  Unsupported: Tables: ciscoL4L7ResourceUsageSummaryTable
CISCO-AAA-SERVER-MIB
  Supported: Tables: casConfigTable
  Unsupported: Scalar Objects: casServerStateChangeEnable; Tables: casStatisticsTable
  Unsupported Objects from casConfigTable: casPriority
CISCO-AAA-SERVER-EXT-MIB
  Supported: Scalar Objects: cAAASvrExtSvrGrpSvrListMaxEnt, cAAASvrExtAppToSvrGrpMaxEnt, cAAALoginAuthTypeMSCHAP; Tables: cAAASvrExtConfigTable, cAAASvrExtProtocolParamTable, cAAASvrExtSvrGrpConfigTable, cAAASvrExtSvrGrpLDAPConfigTable, cAAASvrExtAppSvrGrpConfigTable
  Unsupported: Scalar Objects: cAAASvrExtLocalAccLogMaxSize, cAAASvrExtClearAccLog
  Unsupported Objects in cAAASvrExtConfigTable: cAAAServerDeadTime, cAAAServerIdleTime, cAAAServerTestUser, cAAAServerTestPassword
CISCO-LICENSEMGR-MIB
  Supported: Scalar Objects: clmNotificationsEnable, clmNoOfLicenseFilesInstalled, clmNoOfLicensedFeatures, clmLicenseViolationWarnFlag; Tables: clmLicenseFileContentsTable, clmLicenseFeatureUsageTable, clmFeatureUsageDetailsTable
  Unsupported: Scalar Objects: clmHostId, clmLicenseConfigSpinLock, clmLicenseFileURI, clmLicenseFileTargetName, clmLicenseConfigCommand, clmLicenseConfigCommandStatus, clmLicenseRequestSpinLock, clmLicenseRequestFeatureName, clmLicenseRequestAppName, clmLicenseRequestCommand, clmLicenseRequestCommandStatus
  Unsupported Objects from clmLicenseFeatureUsageTable: clmLicenseGracePeriod, clmLicenseEnabled
CISCO-APPLICATION-ACCELERATION-MIB
  Supported: Tables: caaStatTable
  Unsupported Objects from caaStatTable: caaState, caaRequests, caaLastRestartedTime, caaRequestSize
CISCO-L4L7MODULE-REDUNDANCY-MIB
  Supported: Tables: clrRedundancyInfoTable, clrPeerInfoTable, clrHAStatsTable
  Unsupported: Scalar Objects: clrStateChangeNotifEnabled; Tables: clrRedundancyConfigTable, clrPeerConfigTable, clrLBStatsTable
  Unsupported Objects from clrRedundancyInfoTable: clrRedundancyPriority, clrRedundancyStateChangeTime
  Unsupported Objects from clrHAStatsTable: clrHAStatsMissedHeartBeatMsgs, clrHAStatsRxUniDirectionalHeartBeatMsgs, clrHAStatsHeartBeatTimeoutMismatches, clrHAStatsPeerUpEvents, clrHAStatsPeerDownEvents
CISCO-SSL-PROXY-MIB
  Supported: Scalar Objects: cspTlcFullHandShake, cspTlcResumedHandShake, cspS3cFullHandShake, cspS3cResumedHandShake, cspTlcHandShakeFailed, cspTlcDataFailed, cspS3cHandShakeFailed, cspS3cDataFailed, cspScActiveSessions, cspScConnInHandShake, cspScConnInDataPhase, cspScConnInReneg
  Unsupported: All remaining tables and objects are not supported.
Table 7-3 identifies the supported SNMP notifications (traps) for the ACE.
Note
The clogOriginID and clogOriginIDType variable bindings are appended to each notification listed in Table 7-3 to identify the chassis, slot, and context combination from which the event trap originated.
Table 7-3  SNMP Trap Support
Notification Name (Location of the Notification): Description
authenticationFailure (SNMPv2-MIB): SNMP request fails because the NMS did not authenticate with the correct community string.
cesRealServerStateUp (CISCO-ENHANCED-SLB-MIB): State of a real server configured in a server farm is up due to user intervention.
cesRealServerStateDown (CISCO-ENHANCED-SLB-MIB): State of a real server configured in a server farm is down due to user intervention.
cesRealServerStateChange (CISCO-ENHANCED-SLB-MIB): State of a real server configured in a server farm changed to a new state as a result of something other than a user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on.
cesRserverStateUp (CISCO-ENHANCED-SLB-MIB): State of a global real server is up due to user intervention. Note: No separate cesRealServerStateUp notifications are sent for each real server that listens on this rserver.
cesRserverStateDown (CISCO-ENHANCED-SLB-MIB): State of a global real server is down due to user intervention. Note: No separate cesRealServerStateDown notifications are sent for each real server that listens on this rserver.
Table 7-3  SNMP Trap Support (continued)
cesRserverStateChange (CISCO-ENHANCED-SLB-MIB): State of a global real server changed to a new state as a result of something other than a user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on. Note: No separate cesRealServerStateChange notifications are sent for each real server that listens on this rserver.
ciscoSlbVServerVIPStateChange (CISCO-SLB-MIB.my): State of the Vserver changes. This notification is sent with the following var-binds:
• slbVServerState
• slbVServerStateChangeDescr
• slbVServerClassMap
• slbVServerPolicyMap
• slbVServerIpAddressType
• slbVServerIpAddress
• slbVServerProtocol
The change in the Vserver state could be due to different reasons, such as binding to the interface, removing an active server farm from the policy, and associating the virtual IP address (VIP) with a class map. The ciscoSlbVServerVIPStateChange notification is specified in the CISCO-SLB-MIB.
Table 7-3  SNMP Trap Support (continued)
ciscoSlbVServerStateChange (CISCO-SLB-MIB.my): Notification sent for a virtual IP address (VIP) when the state of the virtual server changes, and also when the VIP is removed from a class map. This notification is sent with the following var-binds:
• slbVServerState
• slbVServerStateChangeDescr
• slbVServerClassMap
• slbVServerPolicyMap
The ciscoSlbVServerVIPStateChange notification is sent when the configuration or association of the VIP address changes. The ciscoSlbVServerStateChange notification is specified in the CISCO-SLB-MIB.
clogMessageGenerated (CISCO-SYSLOG-MIB): ACE generated one or more syslog messages.
clmLicenseExpiryNotify (CISCO-LICENSEMGR-MIB): Notification that an installed feature license expires.
clmLicenseFileMissingNotify (CISCO-LICENSEMGR-MIB): Notification that the system detects that one or more installed license files are missing.
clmLicenseExpiryWarningNotify (CISCO-LICENSEMGR-MIB): Notification that an installed feature license is about to expire.
clmNoLicenseForFeatureNotify (CISCO-LICENSEMGR-MIB): Notification that there is no license installed for a specific feature.
cmVirtContextAdded, cmVirtContextRemoved (CISCO-MODULE-VIRTUALIZATION-MIB): Notification that you created or deleted a virtual context.
Table 7-3  SNMP Trap Support (continued)
coldStart (SNMPv2-MIB): SNMP agent started after a cold restart (full power cycle) of the ACE.
linkUp, linkDown (SNMPv2-MIB): VLAN interface is up or down. A VLAN interface can be down, for example, if you specified the shut command followed by the no shut command, or the VLAN was removed from the switch configuration. Note: The Ethernet data port and port-channel interfaces are available only in the Admin context. In this case, the linkUp and linkDown notifications support all the interfaces for Admin contexts, while each individual user context supports only VLAN and BVI interfaces.
SNMP Limitations
If an SNMP MIB table has more than one string index that contains more than 48 characters, the index may not appear in the MIB table when you perform an SNMP walk. According to SNMP standards, SNMP requests, responses, and traps cannot have more than 128 subidentifiers.
The list of object names includes:
• Context name
• Real server name
• Server farm name
• Probe name
• HTTP header name
• ACL name
• Class map name
• Policy map name
• Resource class name
Table 7-4 identifies a list of tables that have more than one string index.
Table 7-4  SNMP MIB Tables with More Than One String Index
Table (MIB Name): String Indices
cesRserverProbeTable (CISCO-ENHANCED-SLB-MIB.my): cesRserverName, cesRserverProbeName
cesServerFarmRserverTable (CISCO-ENHANCED-SLB-MIB.my): slbServerFarmName, cesRserverName
cslbxServerFarmProbeTable (CISCO-SLB-EXT-MIB.my): cslbxServerFarmProbeFarmName, cslbxServerFarmProbeName
cshMonServerfarmRealProbeStatsTable (CISCO-SLB-HEALTHMON-MIB.my): cslbxProbeName, slbServerFarmName, cshMonServerfarmRealServerName
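The limitation above follows from how string indices are encoded in an instance OID. As an added example that is not part of the Cisco guide, the following Python models the SMI rule for a variable-length string index (one subidentifier for the length, then one per octet, unless the index is IMPLIED) and checks a row's instance OID against the 128-subidentifier ceiling the guide cites. BASE_OID_LEN and the row names are constructed placeholders, not real object identifiers or names from the appliance.

```python
"""OID subidentifier budget for string-indexed SNMP table rows.

Added example, not code from the Cisco guide.  A non-IMPLIED variable-length
string index costs one subidentifier for its length plus one per octet
(RFC 2578 section 7.7); an IMPLIED index omits the length.  BASE_OID_LEN and
the sample names below are constructed placeholders.
"""
from typing import Dict, List

MAX_SUBIDS = 128        # limit the guide cites for SNMP requests, responses and traps
LONG_INDEX_CHARS = 48   # per-index length beyond which the guide says a walk may drop the row
BASE_OID_LEN = 13       # constructed: subidentifiers in the "<table>.<entry>.<column>" prefix


def string_index_subids(value: str, implied: bool = False) -> int:
    """Subidentifiers one string index consumes in an instance OID."""
    octets = len(value.encode("utf-8"))
    return octets if implied else octets + 1


def instance_subids(indices: List[str], base_len: int = BASE_OID_LEN) -> int:
    """Total subidentifiers of a row instance with the given string indices."""
    return base_len + sum(string_index_subids(i) for i in indices)


def check_row(table: str, indices: List[str]) -> Dict[str, object]:
    """Flag rows that the limitation described in the guide may hide from a walk."""
    total = instance_subids(indices)
    findings: List[str] = []
    if len(indices) > 1 and any(len(i) > LONG_INDEX_CHARS for i in indices):
        findings.append("multi-string-index table with an index over %d characters"
                        % LONG_INDEX_CHARS)
    if total > MAX_SUBIDS:
        findings.append("instance OID needs %d subidentifiers, over the %d limit"
                        % (total, MAX_SUBIDS))
    return {"table": table, "subids": total, "findings": findings}


def audit_names(rows: Dict[str, List[str]]) -> List[Dict[str, object]]:
    """Run check_row over every table -> index-values pair and return the reports."""
    return [check_row(table, idx) for table, idx in rows.items()]


if __name__ == "__main__":
    # Constructed index values for three of the tables listed in Table 7-4.
    sample = {
        "cesServerFarmRserverTable": ["sf-web-prod", "web-srv-01"],
        "cesRserverProbeTable": ["web-srv-01", "http-probe-" + "x" * 40],
        "cshMonServerfarmRealProbeStatsTable": ["p" * 50, "f" * 50, "r" * 50],
    }
    for report in audit_names(sample):
        print(report)
```

Keeping server farm, real server and probe names well under 48 characters is the practical mitigation: with three 50-character indices the row needs 166 subidentifiers and cannot be returned at all, while two short names stay around 36.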
SNMP Configuration Quick Start
Table 7-5 provides a quick overview of the steps required to configure SNMP on the ACE. Each step includes the CLI command required to complete the task.
Table 7-5  SNMP Management Configuration Quick Start
Task and Command Example
1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, log directly in to, or change to, the correct context.
   host1/Admin# changeto C1
   host1/C1#
   The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
2. Enter configuration mode.
   host1/Admin# config
   Enter configuration commands, one per line. End with CNTL/Z
   host1/Admin(config)#
3. Configure one or more SNMP users from the ACE CLI.
   host1/Admin(config)# snmp-server user joe Network-Monitor auth sha abcd1234
   host1/Admin(config)# snmp-server user sam Network-Monitor auth md5 abcdefgh
   host1/Admin(config)# snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh
4. Create an SNMP community and identify access privileges.
   host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor
5. Specify the contact name for the SNMP system.
   host1/Admin(config)# snmp-server contact User1 “user1@cisco.com”
6. Specify the SNMP system location.
   host1/Admin(config)# snmp-server location “Boxborough MA”
7. Specify which host is to receive SNMP notifications.
   host1/Admin(config)# snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500
8. Enable the ACE to send SNMP traps and inform requests to the NMS.
   host1/Admin(config)# snmp-server enable traps slb
9. Create a class map that permits network management traffic to be received by the ACE based on the SNMP management protocol and client source IP address.
   host1/Admin(config)# class-map type management match-all SNMP-ALLOW_CLASS
   host1/Admin(config-cmap-mgmt)# match protocol snmp source-address 172.16.10.0 255.255.255.254
   host1/Admin(config-cmap-mgmt)# exit
   host1/Admin(config)#
10. Configure a policy map that activates the SNMP management protocol classifications.
   host1/Admin(config)# policy-map type management first-match SNMP-ALLOW_POLICY
   host1/Admin(config-pmap-mgmt)# class SNMP-ALLOW_CLASS
   host1/Admin(config-pmap-mgmt-c)# permit
   host1/Admin(config-pmap-mgmt-c)# exit
   host1/Admin(config-pmap-mgmt)# exit
   host1/Admin(config)#
11. Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same context. For example, to specify an interface VLAN and apply the SNMP management policy map to the VLAN, enter:
   host1/Admin(config)# interface vlan 50
   host1/Admin(config-if)# ip address 172.16.10.0 255.255.255.254
   host1/Admin(config-if)# service-policy input SNMP-ALLOW_POLICY
   host1/Admin(config-if)# exit
12. (Optional) Save your configuration changes to Flash memory.
   host1/Admin(config)# exit
   host1/Admin# copy running-config startup-config
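Steps 9 through 11 are what actually restrict which clients may reach the SNMP agent, so it is worth checking what the source-address and mask admit before the policy goes live. As an added example that is not part of the Cisco guide, the following Python parses the management class-map lines from a constructed configuration and answers whether a given client address and protocol would be classified. The match-all/match-any semantics (every match line versus any match line) are assumed from the keyword names; the guide's own example uses a single match line, for which both agree.

```python
"""Check which client addresses an ACE management class map admits.

Added example, not code from the Cisco guide.  It parses
"class-map type management" and "match protocol <proto> source-address
<address> <mask>" lines and evaluates a client against them.  The
configuration text is constructed; match-all/match-any semantics are an
assumption drawn from the keyword names.
"""
import ipaddress
import re
from typing import Dict, Tuple

Rule = Tuple[str, ipaddress.IPv4Network]

CLASS_RE = re.compile(r"^\s*class-map type management (match-all|match-any) (\S+)\s*$")
MATCH_RE = re.compile(r"^\s*match protocol (\S+)(?: source-address (\S+) (\S+))?\s*$")


def parse_management_class_maps(config: str) -> Dict[str, Dict[str, object]]:
    """Return {name: {"type": "match-all"|"match-any", "rules": [(protocol, network), ...]}}."""
    maps: Dict[str, Dict[str, object]] = {}
    current = None
    for line in config.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(2)
            maps[current] = {"type": m.group(1), "rules": []}
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            proto, addr, mask = m.groups()
            # A match line without source-address admits any client for that protocol.
            net = (ipaddress.IPv4Network("0.0.0.0/0") if addr is None
                   else ipaddress.IPv4Network("%s/%s" % (addr, mask), strict=False))
            maps[current]["rules"].append((proto, net))
    return maps


def is_permitted(maps: Dict[str, Dict[str, object]], class_map: str,
                 proto: str, client: str) -> bool:
    """True if the client/protocol pair is classified by class_map."""
    entry = maps.get(class_map)
    if not entry or not entry["rules"]:
        return False
    ip = ipaddress.IPv4Address(client)
    hits = [p == proto and ip in net for p, net in entry["rules"]]
    return all(hits) if entry["type"] == "match-all" else any(hits)


def permitted_address_count(maps: Dict[str, Dict[str, object]],
                            class_map: str, proto: str) -> int:
    """Number of source addresses the class map's rules for proto cover."""
    entry = maps.get(class_map, {"rules": []})
    return sum(net.num_addresses for p, net in entry["rules"] if p == proto)


# Constructed configuration: the guide's SNMP class map plus a looser one for contrast.
SAMPLE_CONFIG = """\
class-map type management match-all SNMP-ALLOW_CLASS
  match protocol snmp source-address 172.16.10.0 255.255.255.254
class-map type management match-any MGMT-WIDE
  match protocol ssh source-address 10.10.0.0 255.255.0.0
  match protocol snmp
"""

if __name__ == "__main__":
    maps = parse_management_class_maps(SAMPLE_CONFIG)
    for name, entry in maps.items():
        for proto, net in entry["rules"]:
            print(name, proto, net, "admits", net.num_addresses, "addresses")
    print(is_permitted(maps, "SNMP-ALLOW_CLASS", "snmp", "172.16.10.1"))
```

Run against the guide's example, the mask 255.255.255.254 is a /31: only 172.16.10.0 and 172.16.10.1 can send SNMP to the appliance, and one of those is the VLAN interface's own address from step 11. A class map with a match protocol line and no source-address, like the constructed MGMT-WIDE, admits every address for that protocol and shows up in the count as 2^32.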
Configuring SNMP Users
You configure SNMP users from the ACE CLI. User configuration includes information such as specifying the role group that the user belongs to, authentication parameters for the user, the authentication password, and message encryption parameters. Use the snmp-server user command in configuration mode to configure SNMP user information. You can create a maximum of 28 SNMP users for each context.
Note
User configuration through the snmp-server user command is applicable only for SNMPv3; SNMPv1 and SNMPv2c use a community string match for user authentication (see the “Defining SNMP Communities” section).
The ACE synchronizes the interactions between the user created by the username command and by the snmp-server user command; updates to a user through the ACE CLI are automatically reflected in the SNMP server. For example, deleting a user automatically results in the user being deleted for both SNMP and CLI. In addition, user-role mapping changes are reflected in SNMP.
The syntax of this command is as follows:
snmp-server user user_name [group_name] [auth {md5 | sha} password1 [localizedkey | priv {password2 | aes-128 password2}]]
The keywords, arguments, and options are as follows:
• user_name—User name. Enter an unquoted text string with no spaces and a maximum of 24 alphanumeric characters.
• group_name—(Optional) User role group to which the user belongs. Enter an unquoted text string with no spaces and a maximum of 32 characters. SNMP access rights are organized by groups. Each group in SNMP is similar to a role when accessed from the CLI. The group name is defined by the role configuration mode command, as described in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. To assign multiple roles to a user, enter multiple snmp-server user commands.
Note
Only network monitoring operations are supported through the ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
• auth—(Optional) Sets authentication parameters for the user. Authentication determines that the message is from a valid source.
• md5—Specifies the HMAC Message Digest 5 (MD5) algorithm for user authentication.
• sha—Specifies the HMAC Secure Hash Algorithm (SHA) algorithm for user authentication.
• password1—User authentication password. Enter an unquoted text string with no spaces and a maximum of 130 alphanumeric characters. The ACE automatically synchronizes the SNMP authentication password as the password for the CLI user. The ACE supports the following special characters in a password:
,./=+-^@!%~#$*()
Note that the ACE encrypts clear text passwords in the running-config.
• localizedkey—(Optional) Specifies that the password is in a localized key format for security encryption.
• priv—(Optional) Specifies encryption parameters for the user. The priv option and the aes-128 option indicate that this privacy password is for generating a 128-bit AES key.
• aes-128—Specifies the 128-bit Advanced Encryption Standard (AES) algorithm for privacy. AES is a symmetric cipher algorithm and is one of the privacy protocols for SNMP message encryption. It conforms with RFC 3826.
Note
For an SNMPv3 operation using the external AAA server, user configurations on this server require AES for SNMP PDU encryption.
• password2—Encryption password for the user. The AES priv password must have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 alphanumeric characters. If you use the localized key, you can specify a maximum of 130 alphanumeric characters. Spaces are not allowed. The ACE supports the following special characters in a password:
,./=+-^@!%~#$*()
Note that the ACE encrypts clear text passwords in the running-config.
For example, to set the user information, enter:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)# snmp-server user joe Network-Monitor auth sha abcd1234
host1/Admin(config)# snmp-server user sam Network-Monitor auth md5 abcdefgh
host1/Admin(config)# snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh
To disable the SNMP user configuration or to remove an SNMP user, use the no form of the command. For example:
host1/Admin(config)# no snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh
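The three example users above end up with different SNMPv3 security levels: joe and sam are authenticated but send unencrypted PDUs, and only Bill has a privacy password. As an added example that is not part of the Cisco guide, the following Python parses snmp-server user lines according to the syntax documented in this section and reports each user's resulting level together with any violation of the length and character-set rules listed above. The sample configuration is constructed; the names joe, sam and Bill mirror the guide's example, and the other users are invented to exercise the checks.

```python
"""Audit ACE snmp-server user lines against the constraints in this section.

Added example, not code from the Cisco guide.  It parses the documented
syntax (snmp-server user name [group] [auth {md5 | sha} pw1 [localizedkey |
priv {pw2 | aes-128 pw2}]]) and reports the security level each user ends up
with plus any length or character-set violations.  Sample lines are constructed.
"""
from typing import Dict, List, Optional

ALLOWED_SPECIALS = set(",./=+-^@!%~#$*()")   # special characters the guide permits in passwords
MAX_USER_NAME = 24
MAX_GROUP_NAME = 32
MAX_AUTH_PW = 130            # auth password, clear text or localized key
MIN_PRIV_PW = 8              # minimum for the AES priv password
MAX_PRIV_PW_CLEAR = 64       # priv password given in clear text


def password_ok(pw: str) -> bool:
    """Only alphanumerics and the guide's special-character set are allowed."""
    return all(c.isalnum() or c in ALLOWED_SPECIALS for c in pw)


def parse_user_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one 'snmp-server user ...' line, or None for any other line."""
    t = line.split()
    if len(t) < 3 or t[:2] != ["snmp-server", "user"]:
        return None
    user: Dict[str, object] = {"name": t[2], "group": None, "auth": None, "auth_pw": None,
                               "localizedkey": False, "priv": None, "priv_pw": None}
    i = 3
    if i < len(t) and t[i] != "auth":          # optional group name
        user["group"] = t[i]
        i += 1
    if i + 2 < len(t) and t[i] == "auth":
        user["auth"], user["auth_pw"] = t[i + 1], t[i + 2]
        i += 3
        if i < len(t) and t[i] == "localizedkey":
            user["localizedkey"] = True
        elif i < len(t) and t[i] == "priv":
            if i + 2 < len(t) and t[i + 1] == "aes-128":
                user["priv"], user["priv_pw"] = "aes-128", t[i + 2]
            elif i + 1 < len(t):
                user["priv"], user["priv_pw"] = "unspecified", t[i + 1]
    return user


def audit_user(user: Dict[str, object]) -> List[str]:
    """Findings for one parsed user; an empty list means authPriv with AES-128 and valid fields."""
    f: List[str] = []
    if len(str(user["name"])) > MAX_USER_NAME:
        f.append("user name longer than %d characters" % MAX_USER_NAME)
    if user["group"] and len(str(user["group"])) > MAX_GROUP_NAME:
        f.append("group name longer than %d characters" % MAX_GROUP_NAME)
    if user["auth"] is None:
        f.append("noAuthNoPriv: no auth keyword, messages are neither authenticated nor encrypted")
        return f
    if user["auth"] == "md5":
        f.append("MD5 authentication; SHA is the other option the guide offers")
    pw = str(user["auth_pw"])
    if len(pw) > MAX_AUTH_PW:
        f.append("auth password longer than %d characters" % MAX_AUTH_PW)
    if not password_ok(pw):
        f.append("auth password contains a character outside the supported set")
    if user["priv"] is None:
        f.append("authNoPriv: no priv password, PDUs are authenticated but not encrypted")
        return f
    if user["priv"] != "aes-128":
        f.append("priv given without the aes-128 keyword")
    ppw = str(user["priv_pw"])
    if len(ppw) < MIN_PRIV_PW:
        f.append("priv password shorter than %d characters" % MIN_PRIV_PW)
    if len(ppw) > MAX_PRIV_PW_CLEAR:
        f.append("clear-text priv password longer than %d characters" % MAX_PRIV_PW_CLEAR)
    if not password_ok(ppw):
        f.append("priv password contains a character outside the supported set")
    return f


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each SNMP user name in the configuration text to its findings."""
    result: Dict[str, List[str]] = {}
    for line in config.splitlines():
        user = parse_user_line(line)
        if user is not None:
            result[str(user["name"])] = audit_user(user)
    return result


# Constructed sample: the guide's three users plus invented ones that trip the checks.
SAMPLE_CONFIG = """\
snmp-server user joe Network-Monitor auth sha abcd1234
snmp-server user sam Network-Monitor auth md5 abcdefgh
snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh
snmp-server user ops Network-Monitor auth sha S3cure!Pass priv aes-128 Priv@Key2008
snmp-server user short Network-Monitor auth sha abcd1234 priv aes-128 abc
snmp-server user badchar Network-Monitor auth sha bad&pass priv aes-128 Priv@Key2008
snmp-server community SNMP_Community1 group Network-Monitor
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or ["ok"])
```

The constructed user ops is the shape to aim for: SHA authentication and an AES-128 privacy password of at least eight characters, so management traffic is both authenticated and encrypted.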
Defining SNMP Communities
Each SNMP device or member is part of a community. An SNMP community determines the access rights for each SNMP device. SNMP uses communities to establish trust between managers and agents.
You supply a name to the community. After that, all SNMP devices assigned to that community as members have the same access rights (as described in RFC 2576). The ACE allows read-only access to the MIB tree for devices included in this community. The read-only community string allows a user to read data values, but prevents that user from modifying the data.
Use the snmp-server community command in configuration mode to create or modify SNMP community names and access privileges.
Note
SNMP communities are applicable only for SNMPv1 and SNMPv2c. SNMPv3 requires user configuration information such as specifying the role group that the user belongs to, authentication parameters for the user, authentication password, and message encryption parameters (see the “Configuring SNMP Users” section).
The syntax of this command is as follows:
snmp-server community community_name [group group_name | ro]
The keywords, arguments, and options are as follows:
• community_name—SNMP community name for this system. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.
• group group_name—(Optional) Identifies the role group to which the user belongs. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.
Note
Only network monitoring operations are supported through the ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.
• ro—(Optional) Allows read-only access for this community.
For example, to specify an SNMP community called SNMP_Community1, a member of the Network-Monitor group, with read-only access privileges for the community, enter:
host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor
To remove an SNMP community, enter:
host1/Admin(config)# no snmp-server community SNMP_Community1 group Network-Monitor
Configuring an SNMP Contact
To specify the contact information for the SNMP system, use the snmp-server
contact command in configuration mode. You can specify information for only
one contact name. The syntax of this command is as follows:
snmp-server contact contact_information
Enter the contact_information argument as a text string with a maximum of 240
alphanumeric characters including spaces. If the string contains more than one
word, enclose the string in quotation marks (“ ”). You can include information on
how to contact the person; for example, a phone number or an e-mail address.
For example, to specify SNMP system contact information, enter:
host1/Admin(config-context)# snmp-server contact “User1 user1@cisco.com”
To remove the specified SNMP contact name, enter:
host1/Admin(config)# no snmp-server contact
Configuring an SNMP Location
To specify the SNMP system location, use the snmp-server location command in
configuration mode. You can specify only one location. The syntax of this
command is as follows:
snmp-server location location
Enter the location as the physical location of the system. Enter a text string with
a maximum of 240 alphanumeric characters including spaces. If the string
contains more than one word, enclose the string in quotation marks (“ ”).
For example, to specify SNMP system location information, enter:
host1/Admin(config)# snmp-server location “Boxborough MA”
To remove the specified SNMP system location information, enter:
host1/Admin(config)# no snmp-server location
Configuring SNMP Notifications
You can configure the ACE to send traps or inform requests as notifications to an SNMP manager when a particular event occurs. In some instances, traps are unreliable because the receiver does not send any acknowledgment when it receives a trap. The sender cannot determine if the trap was received. However, an SNMP manager that receives inform requests acknowledges the message with an SNMP Response PDU. If the sender never receives a Response, the inform request is normally retransmitted. Inform requests are more likely to reach their intended destination.
Note
Use the SNMP-TARGET-MIB to obtain more information on the destinations to which notifications are to be sent either as traps or as SNMP inform requests. See the “Supported MIBs, Tables, and Notifications” section for details.
This section contains the following topics:
• Configuring SNMP Notification Hosts
• Enabling SNMP Notifications
• Enabling the IETF Standard for SNMP linkUp and linkDown Traps
Configuring SNMP Notification Hosts
Use the snmp-server host command in configuration mode to specify which host receives SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command. The ACE supports a maximum of 10 SNMP hosts per context.
The syntax of this command is as follows:
snmp-server host host_address {community-string_username | informs | traps | version {1 {udp-port} | 2c {udp-port} | 3 [auth | noauth | priv]}}
The keywords, arguments, and options are as follows:
• host_address—The IP address of the host (the targeted recipient). Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
• community-string_username—SNMP community string or username with the notification operation. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.
• informs—Sends SNMP inform requests to the identified host, which allows for manager-to-manager communication. Inform requests can be useful when the need arises for more than one NMS in the network.
• traps—Sends SNMP traps to the identified host. A trap is the method for an agent to tell the NMS that a problem has occurred. The trap originates from the agent and is sent to the trap destination, as configured within the agent itself. Typically, the trap destination is the IP address of the NMS.
• version—Specifies the version of SNMP used to send the traps. SNMPv3 is the most secure model because it allows packet encryption with the priv keyword.
• 1—Specifies SNMPv1. This option is not available for use with SNMP inform requests. SNMPv1 has one optional keyword (udp-port) that specifies the UDP port of the host to use. The default is 162.
• 2c—Specifies SNMPv2C. SNMPv2C has one optional keyword (udp-port) that specifies the UDP port of the host to use. The default is 162.
• 3—Specifies SNMPv3. SNMPv3 has three optional keywords (auth, noauth, or priv).
• auth—(Optional) Enables Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) packet authentication.
• noauth—(Optional) Specifies the noAuthNoPriv security level.
• priv—(Optional) Enables Data Encryption Standard (DES) packet encryption (privacy).
For example, to specify the recipient of an SNMP notification, enter:
host1/Admin(config)# snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500
To remove the specified host, use the no form of the command. For example:
host1/Admin(config)# no snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500
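As an added example (not Cisco's code), the following Python script audits snmp-server host lines against the syntax above: it reports the security level that each notification recipient ends up with, flags SNMPv1 informs (which the 1 keyword does not support) and recipients that receive notifications without authentication or encryption. It assumes the keyword order used in the examples of this section (host, traps or informs, version, SNMPv3 security keyword, community string or username, udp-port); the sample configuration lines are constructed.

```python
"""Audit ACE ``snmp-server host`` lines for the security level of notifications.

Added example, not Cisco's code. It assumes the keyword order used in the
examples of this section:
  snmp-server host ADDR {traps|informs} version {1|2c|3 [auth|noauth|priv]} NAME [udp-port N]
The sample configuration at the bottom is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOST_RE = re.compile(
    r"^\s*snmp-server host (?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?P<kind>traps|informs))?"
    r"(?:\s+version\s+(?P<ver>1|2c|3))?"
    r"(?:\s+(?P<sec>auth|noauth|priv))?"
    r"\s+(?P<name>[A-Za-z0-9_-]{1,32})"      # community string or SNMPv3 username
    r"(?:\s+udp-port\s+(?P<port>\d{1,5}))?\s*$"
)

# Well-known default community strings; flagged when used with v1/v2c.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class NotificationHost:
    addr: str
    kind: str                 # "traps" or "informs"
    version: Optional[str]    # "1", "2c", "3" or None when omitted
    sec: Optional[str]        # SNMPv3 auth/noauth/priv, None otherwise
    name: str                 # community string (v1/v2c) or username (v3)
    port: int = 162           # page: default notification port is UDP 162


def parse_host_line(line: str) -> Optional[NotificationHost]:
    m = HOST_RE.match(line)
    if m is None:
        return None
    return NotificationHost(
        addr=m["addr"],
        kind=m["kind"] or "traps",      # assumption: traps when neither keyword is given
        version=m["ver"],
        sec=m["sec"],
        name=m["name"],
        port=int(m["port"]) if m["port"] else 162,
    )


def security_level(h: NotificationHost) -> str:
    """USM security level name implied by the configured version/keyword."""
    if h.version in ("1", "2c"):
        return "noAuthNoPriv"           # community string only, sent in cleartext
    if h.version == "3":
        if h.sec == "priv":
            return "authPriv"
        if h.sec == "auth":
            return "authNoPriv"
        if h.sec == "noauth":
            return "noAuthNoPriv"
    return "unspecified"                # version or v3 keyword missing: review by hand


def audit(config_lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, level, issues) for every snmp-server host line found."""
    findings = []
    for line in config_lines:
        h = parse_host_line(line)
        if h is None:
            continue                    # not a snmp-server host line
        level = security_level(h)
        issues = []
        if h.kind == "informs" and h.version == "1":
            issues.append("informs cannot be sent with SNMPv1")
        if level != "authPriv":
            issues.append(f"notifications to {h.addr}:{h.port} are not encrypted ({level})")
        if h.version in ("1", "2c") and h.name.lower() in DEFAULT_COMMUNITIES:
            issues.append(f"default community string '{h.name}'")
        findings.append((h.addr, level, issues))
    return findings


# Constructed sample running-config lines.
SAMPLE_CONFIG = """\
snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500
snmp-server host 192.168.0.236 traps version 2c ACE-public
snmp-server host 10.10.10.5 informs version 3 priv snmpuser
snmp-server host 10.10.10.6 informs version 1 public
snmp-server host 10.10.10.7 traps version 3 auth monitor1
snmp-server enable traps slb real
"""


if __name__ == "__main__":
    for addr, level, issues in audit(SAMPLE_CONFIG.splitlines()):
        print(addr, level, "; ".join(issues) or "ok")
```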
Enabling SNMP Notifications
Notification traps and inform requests are system alerts that the ACE generates
when certain events occur. SNMP notifications can be sent to the NMS as traps or
inform requests. By default, no notification is defined or issued. To enable the
ACE to send SNMP traps and informs to the NMS, use the snmp-server enable
traps command in configuration mode. This command enables both traps and
inform requests for the specified notification types.
To configure the ACE to send the SNMP notifications, specify at least one
snmp-server enable traps command. To enable multiple types of notifications,
you must enter a separate snmp-server enable traps command for each
notification type and notification option. If you enter the command without any
keywords, the ACE enables all notification types and traps.
The snmp-server enable traps command is used with the snmp-server host
command (see the “Configuring SNMP Notification Hosts” section). The
snmp-server host command specifies which host receives the SNMP
notifications. To send notifications, you must configure at least one SNMP server
host.
Note
The notification types used in the snmp-server enable traps command all have
an associated MIB object that globally enables or disables them. However, not all
of the notification types available in the snmp-server host command have
notificationEnable MIB objects, so some of the notification types cannot be
controlled by using the snmp-server enable command.
The syntax of this command is as follows:
snmp-server enable traps [notification_type] [notification_option]
The keywords, arguments, and options are as follows:
• notification_type—(Optional) Type of notification to enable. If no type is specified, the ACE sends all notifications. Specify one of the following keywords as the notification_type:
– license—Sends SNMP license manager notifications. This keyword appears only in the Admin context.
– slb—Sends server load-balancing notifications. When you specify the slb keyword, you can specify a notification_option value.
– snmp—Sends SNMP notifications. When you specify the snmp keyword, you can specify a notification_option value.
– syslog—Sends error message notifications (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command.
Note
To enable system messages to be sent as traps to the NMS, you can specify the logging history command. You must also enable syslog traps by using the snmp-server enable traps command. See the Cisco 4700 Series Application Control Engine Appliance System Message Guide for details.
– virtual-context—Sends virtual context change notifications. This keyword appears only in the Admin context.
• notification_option—(Optional) Enables the following SNMP notifications:
– When you specify the snmp keyword, specify the authentication, coldstart, linkdown, or linkup keyword to enable SNMP notifications. This selection generates a notification if the community string provided in the SNMP request is incorrect, or when a VLAN interface is either up or down. The coldstart keyword appears only in the Admin context.
– When you specify the slb keyword, specify the real or vserver keyword to enable server load-balancing notifications. This selection generates a notification if the following occurs:
  • The real server changes state (up or down) due to user intervention, ARP failures, or probe failures.
  • The virtual server changes state (up or down). The virtual server represents the servers behind the content switch in the ACE to the outside world and consists of the following attributes: the destination address (can be a range of IP addresses), the protocol, the destination port, or the incoming VLAN.
For example, to enable the ACE to send server load-balancing traps to the host at
IP address 192.168.1.1 by using the community string public, enter:
host1/Admin(config)# snmp-server host 192.168.1.1 traps version 2c SNMP_Community1
host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor
host1/Admin(config)# snmp-server enable traps slb real
To disable SNMP server notifications, use the no form of the command. For
example:
host1/Admin(config)# no snmp-server enable traps slb real
Enabling the IETF Standard for SNMP linkUp and linkDown Traps
By default, the ACE sends the Cisco implementation of linkUp and linkDown traps to the NMS. The ACE sends the Cisco Systems IF-MIB variable bindings, which consist of ifIndex, ifAdminStatus, ifOperStatus, ifName, ifType, clogOriginID, and clogOriginIDType. You can configure the ACE to send the Internet Engineering Task Force (IETF) standards-based implementation for linkUp and linkDown traps (as outlined in RFC 2863). The snmp-server trap link ietf configuration mode command instructs the ACE to send the linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus.
Note
The Cisco var-binds are sent by default. To receive RFC 2863-compliant traps,
you must specify the snmp-server trap link ietf command.
The syntax of this command is as follows:
snmp-server trap link ietf
For example, to configure the linkUp and linkDown traps to comply with RFC 2863, enter:
host1/Admin(config)# snmp-server trap link ietf
To revert to the Cisco implementation of linkUp and linkDown traps:
host1/Admin(config)# no snmp-server trap link ietf
Assigning a Trap-Source Interface for SNMP Traps
To specify the VLAN interface that is the trap source address contained in the
SNMP v1 trap PDU, use the snmp-server trap-source command in configuration
mode.
The syntax of this command is as follows:
snmp-server trap-source vlan number
The number argument specifies the number of the VLAN interface that is the trap
source address contained in the SNMP v1 trap PDU. Enter a value from 2 to 4094
for an existing VLAN interface.
Note the following operating considerations for the snmp-server trap-source vlan number command:
• If you do not configure the snmp-server trap-source command, the ACE takes the source IP address from the internal routing table, which is dependent on the destination host address where the notification is to be sent.
• If you specify a VLAN number of an interface that does not have a valid IP address, the ACE fails in sending notifications for SNMP v1 traps.
For example, to specify VLAN 50 as the VLAN interface that is the trap source address contained in the SNMP v1 trap PDU, enter:
host1/Admin(config)# snmp-server trap-source vlan 50
To remove the specified VLAN interface that is the trap source address contained in the SNMP v1 trap PDU, enter:
host1/Admin(config)# no snmp-server trap-source
Accessing ACE User Context Data Through the Admin Context IP Address
The ACE Admin context and each ACE user context have their own IP address. The SNMP agent supports a community string for SNMPv1 and SNMPv2 and a username for SNMPv3 on a per-context basis. SNMP managers can send requests to a context by using its IP address to get the data that corresponds to that context.
You can also retrieve data for user contexts by using the IP address for the Admin
context. The Admin context credentials also allow access to user context data,
such as performance and configuration information.
Note
The notifications for user contexts cannot be sent through the Admin context.
This section contains the following topics:
• Accessing User Context Data When Using SNMPv1/v2
• Accessing User Context Data When Using SNMPv3
Accessing User Context Data When Using SNMPv1/v2
For SNMPv1/v2, SNMP managers can access MIBs available for a user context
through an Admin context IP address by specifying the appropriate SNMP
version, the Admin context IP address, and the Admin context community string
embedded with the name of the user context. The format for the community string
is as follows:
admin_community_string@ACE_context_name
The ACE_context_name can be Admin or any ACE user context. If you do not
specify a context name, the request is for the Admin context.
For example, to return data for user context C1 when the Admin context has a
configured community string of adminCommunity and an IP address of
10.6.252.63, enter:
snmpget -v2c -c adminCommunity@C1 10.6.252.63 udpDatagrams.0
Accessing User Context Data When Using SNMPv3
For SNMPv3, SNMP managers can access MIBs for a user context through an
Admin context IP address by using the Admin context IP address, the appropriate
SNMP version, the Admin context username, and the user context name supported
by the Admin context in the SNMPv3 packet. The ACE uses the user context name
in the SNMPv3 context field of the request.
Note
The SNMPv3 engine represents a logically separate SNMP agent. The ACE
automatically creates an SNMP engine ID for each context or you can configure
it. For more information on configuring an SNMPv3 engine ID, see the
“Configuring an SNMPv3 Engine ID for an ACE Context” section.
For example, to return data from user context C2 when the Admin context has a
configured SNMP user snmpuser and an IP address of 10.6.252.63, enter:
snmpgetnext -v 3 -a MD5 -A cisco123 -u snmpuser -l authNoPriv -n C2 10.6.252.63 system
The ACE uses the user context C2 in place of the SNMPv3 context field in the
request.
Note
The SNMPv3 request is dropped if the request is sent to the IP address of the user context with an SNMPv3 context name field set to an empty string ("").
Configuring an SNMPv3 Engine ID for an ACE Context
By default, the ACE automatically creates an SNMP engine ID for the Admin
context and each user context. The SNMP engine represents a logically separate
SNMP agent. The IP address for an ACE context provides access to only one
SNMP engine ID.
Caution
If you change the SNMP engine ID for an Admin or user context, all configured
SNMP users become invalid and all SNMP communities are deleted. You must
recreate all SNMP users by using the snmp-server user command in
configuration mode, and recreate all SNMP communities by using the
snmp-server community command in configuration mode.
The ACE allows you to configure an SNMP engine ID for the Admin or user
context. To configure the SNMP engine ID for an ACE context, use the
snmp-server engineid command in configuration mode for the context. The
syntax of this command is as follows:
snmp-server engineid number
The number argument is the SNMPv3 engine ID that you want to configure. Enter
a range of 10 to 64 hexadecimal digits.
For example, to configure the engine ID 88439573498573888843957349857388 for the Admin context, enter:
host1/Admin(config)# snmp-server engineID 88439573498573888843957349857388
To reset the default engine ID for the Admin context, enter:
host1/Admin(config)# no snmp-server engineID
To display the engine ID for a context, use the show snmp engineID command in
Exec mode for the context. For example, to display the engine ID for the Admin
context, enter:
host1/Admin# show snmp engineID
Configuring SNMP Management Traffic Services
You configure SNMP management traffic to and from the ACE through the use of
class maps, policy maps, and service policies. The following items summarize the
role of each function in configuring remote network management access to the
ACE:
• Class map—Provides the remote network traffic match criteria to permit SNMP management traffic based on the SNMP management protocol and the client source IP address.
• Policy map—Enables remote network management access for a traffic classification that matches the criteria listed in the class map.
• Service policy—Activates the policy map and attaches the traffic policy to a VLAN interface or globally on all VLAN interfaces.
This section provides an overview on creating a class map, policy map, and
service policy for SNMP access.
SNMP remote access sessions are established to the ACE per context. For details
on creating contexts and users, see the Cisco 4700 Series Application Control
Engine Appliance Virtualization Configuration Guide.
This section contains the following topics:
• Creating and Configuring a Layer 3 and Layer 4 Class Map
• Creating a Layer 3 and Layer 4 Policy Map
• Applying a Service Policy
Creating and Configuring a Layer 3 and Layer 4 Class Map
To create a Layer 3 and Layer 4 class map to classify the SNMP management
traffic that can be received by the ACE, use the class-map type management
command in configuration mode. This command allows the ACE to receive
network management traffic by identifying the incoming IP protocols that the
ACE can receive by using the client source host IP address and subnet mask as the
matching criteria. A class map of type management defines the allowed network
traffic as a form of management security for protocols such as SNMP.
A class map can have multiple match commands. You can configure class maps to define multiple SNMP management protocol and source IP address commands in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the ACE evaluates the match statements when multiple match criteria exist in a class map.
The syntax of this command is as follows:
class-map type management [match-all | match-any] map_name
The keywords, arguments, and options are as follows:
• match-all | match-any—(Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
– match-all—All of the match criteria listed in the class map match the network traffic class in the class map (typically, match commands of the same type).
– match-any—Only one of the match criteria listed in the class map matches the network traffic class in the class map (typically, match commands of different types).
The default setting is to meet all of the match criteria (match-all) in a class map.
• map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
The CLI displays the class map management configuration mode. To classify the
remote SNMP protocol management traffic received by the ACE, include one or
more of the associated commands to configure the match criteria for the class
map:
• description—See the “Defining a Class Map Description” section
• match protocol—See the “Defining SNMP Protocol Match Criteria” section
You may include multiple match protocol commands in a class map.
For example, to allow SNMP access between the ACE and the host located at IP
address 192.168.1.1 255.255.255.0, enter:
host1/Admin(config)# class-map type management match-all SNMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol snmp source-address 192.168.1.1 255.255.255.0
host1/Admin(config-cmap-mgmt)# exit
To remove a Layer 3 and Layer 4 SNMP protocol management class map from the
ACE, enter:
host1/Admin(config)# no class-map type management match-all SNMP-ALLOW_CLASS
Defining a Class Map Description
Use the description command to provide a brief summary about the Layer 3 and
Layer 4 remote management class map.
Access the class map management configuration mode to specify the description
command.
The syntax of this command is as follows:
description text
Use the text argument to enter an unquoted text string with a maximum of
240 alphanumeric characters.
For example, to specify a description that the class map is to allow SNMP access,
enter:
host1/Admin(config)# class-map type management SNMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow SNMP access
To remove the description from the class map, enter:
host1/Admin(config-cmap-mgmt)# no description
Defining SNMP Protocol Match Criteria
Use the match protocol snmp command to configure the class map so that the ACE can receive SNMP traffic from an NMS. You configure the associated policy map to permit SNMP access to the ACE. As part of the network management access traffic classification, you also specify either a client source host IP address and subnet mask as the matching criteria or instruct the ACE to allow any client source address for the management traffic classification.
Access the class map management configuration mode to specify the match
protocol snmp command.
The syntax of this command is as follows:
[line_number] match protocol snmp {any | source-address ip_address mask}
The keywords, arguments, and options are as follows:
• line_number—(Optional) Allows you to edit or delete individual match commands. Enter an integer from 2 to 255 as the line number. For example, you can enter no line_number to delete long match commands instead of entering the entire line.
• snmp—Specifies Simple Network Management Protocol (SNMP).
• any—Specifies any client source address for the management traffic classification.
• source-address—Specifies a client source host IP address and subnet mask as the network traffic matching criteria. As part of the classification, the ACE implicitly obtains the destination IP address from the interface on which you apply the policy map.
• ip_address—Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
• mask—Subnet mask of the client in dotted-decimal notation (for example, 255.255.255.0).
For example, to specify that the class map allows SNMP access to the ACE from
source address 192.168.10.1 255.255.255.0, enter:
host1/Admin(config)# class-map type management SNMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol snmp source-address 192.168.10.1 255.255.255.0
To deselect the specified SNMP protocol match criteria from the class map, enter:
host1/Admin(config-cmap-mgmt)# no match protocol snmp
Creating a Layer 3 and Layer 4 Policy Map
A Layer 3 and Layer 4 policy map defines the actions executed on SNMP network
management traffic that matches the specified classifications. This section
contains the following topics:
• Creating a Layer 3 and Layer 4 Policy Map for SNMP Network Management Traffic Received by the ACE
• Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy
• Specifying Layer 3 and Layer 4 Policy Actions
Creating a Layer 3 and Layer 4 Policy Map for SNMP Network Management Traffic Received by the ACE
To configure a Layer 3 and Layer 4 policy map that permits the ACE to receive
the SNMP management protocol, use the policy-map type management
command in configuration mode. The ACE executes the action for the first
matching classification. The ACE does not execute any additional actions.
The syntax of this command is as follows:
policy-map type management first-match map_name
The map_name argument specifies the name assigned to the Layer 3 and Layer 4
network management policy map. Enter an unquoted text string with no spaces
and a maximum of 64 alphanumeric characters.
When you use this command, you will access policy map management
configuration mode.
For example, to create a Layer 3 and Layer 4 network traffic management policy
map, enter:
host1/Admin(config)# policy-map type management first-match SNMP-ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#
To remove a network traffic management policy map from the ACE, enter:
host1/Admin(config)# no policy-map type management first-match SNMP-ALLOW_POLICY
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy
To specify a Layer 3 and Layer 4 traffic class created with the class-map command to associate network traffic with the traffic policy, use the class command. This command enters the policy map management class configuration mode.
The syntax of this command is as follows:
class {name1 [insert-before name2] | class-default}
The keywords, arguments, and options are as follows:
• name1—The name of a previously defined Layer 3 and Layer 4 traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
• insert-before name2—(Optional) Places the current class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
• class-default—Specifies the class-default class map for the Layer 3 and Layer 4 traffic policy. This class map is a reserved class map created by the ACE. You cannot delete or modify this class. All network traffic that fails to meet the other matching criteria in the named class maps belongs to the default traffic class. If none of the specified classifications match, the ACE applies the action specified under the class class-default command. The class-default class map has an implicit match any statement that matches all traffic.
For example, to specify an existing class map within the Layer 3 and Layer 4
remote access policy map, enter:
host1/Admin(config-pmap-mgmt)# class SNMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)#
To use the insert-before command to define the sequential order of two class
maps in the policy map, enter:
host1/Admin(config-pmap-mgmt)# class L4_SSH_CLASS insert-before L4_REMOTE_ACCESS_CLASS
To specify the class-default class map for the Layer 3 and Layer 4 traffic policy,
enter:
host1/Admin(config-pmap-mgmt)# class class-default
host1/Admin(config-pmap-mgmt-c)#
To remove a class map from a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap-mgmt)# no class SNMP-ALLOW_CLASS
Specifying Layer 3 and Layer 4 Policy Actions
To allow the network management traffic listed in the Layer 3 and Layer 4 class
map to be received or rejected by the ACE, specify either the permit or deny
command in policy map class configuration mode.
• Use the permit command in policy map class configuration mode to allow the SNMP management protocols listed in the class map to be received by the ACE.
• Use the deny command in policy map class configuration mode to refuse the SNMP management protocols listed in the class map to be received by the ACE.
For example, to specify the permit action for the Layer 3 and Layer 4 policy map,
enter:
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
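To make the class-map and policy-map semantics of the preceding sections concrete (match-all versus match-any, first-match ordering, the implicit match any of class-default, and permit versus deny), here is an added Python evaluator, not Cisco's code, that parses management class maps and policy maps written in the running-configuration form used in this chapter and decides whether an SNMP request from a given source address is permitted. It assumes that a request matching no class and no class-default is not permitted; the sample configuration is constructed.

```python
"""Evaluate ACE management class maps / policy maps for an SNMP source.

Added example, not Cisco's code. Parses ``class-map type management`` and
``policy-map type management first-match`` blocks (running-config style) and
applies the matching rules described in this chapter. Assumption: a request
that matches no class (and no class-default) is treated as denied.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CMAP_RE = re.compile(r"^class-map type management(?: (match-all|match-any))? (\S+)$")
MATCH_RE = re.compile(r"^(?:\d+ )?match protocol (\S+) (?:(any)|source-address (\S+) (\S+))$")
PMAP_RE = re.compile(r"^policy-map type management first-match (\S+)$")
CLASS_RE = re.compile(r"^class (\S+)$")


@dataclass
class MgmtClass:
    name: str
    match_all: bool                      # match-all is the default on the ACE
    # (protocol, network); network None means "any" source address
    criteria: List[Tuple[str, Optional[ipaddress.IPv4Network]]] = field(default_factory=list)

    def matches(self, proto: str, src_ip: str) -> bool:
        src = ipaddress.IPv4Address(src_ip)
        hits = [p == proto and (net is None or src in net) for p, net in self.criteria]
        if not hits:
            return False
        return all(hits) if self.match_all else any(hits)


@dataclass
class MgmtPolicy:
    name: str
    classes: List[Tuple[str, str]] = field(default_factory=list)  # (class, permit|deny) in order


def parse_config(text: str):
    cmaps: Dict[str, MgmtClass] = {}
    pmaps: Dict[str, MgmtPolicy] = {}
    cur_cmap = cur_pmap = cur_class = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := CMAP_RE.match(line):
            cur_pmap = cur_class = None
            cur_cmap = cmaps[m[2]] = MgmtClass(m[2], match_all=(m[1] != "match-any"))
        elif m := PMAP_RE.match(line):
            cur_cmap = cur_class = None
            cur_pmap = pmaps[m[1]] = MgmtPolicy(m[1])
        elif line.startswith(("class-map ", "policy-map ")):
            cur_cmap = cur_pmap = cur_class = None   # non-management map: skip its body
        elif cur_cmap is not None and (m := MATCH_RE.match(line)):
            net = None if m[2] else ipaddress.IPv4Network((m[3], m[4]), strict=False)
            cur_cmap.criteria.append((m[1], net))
        elif cur_pmap is not None and (m := CLASS_RE.match(line)):
            cur_class = m[1]
        elif cur_pmap is not None and cur_class and line in ("permit", "deny"):
            cur_pmap.classes.append((cur_class, line))
            cur_class = None
        # description lines and non-management configuration are ignored
    return cmaps, pmaps


def evaluate(cmaps, policy, proto, src_ip):
    """First-match: return (action, class) for the first class that matches.

    class-default has an implicit match any, so it matches everything that
    reaches it. No match at all -> ("deny", None) (assumption, see above).
    """
    for cname, action in policy.classes:
        if cname == "class-default":
            return action, cname
        cmap = cmaps.get(cname)
        if cmap is not None and cmap.matches(proto, src_ip):
            return action, cname
    return "deny", None


# Constructed sample in the running-config form used in this chapter.
SAMPLE_CONFIG = """
class-map type management match-any L4_GUEST-NET_CLASS
  2 match protocol snmp source-address 192.168.7.0 255.255.255.0
class-map type management match-any L4_REMOTE-ACCESS-LOCAL_CLASS
  description Enables SNMP remote management for local users
  1 match protocol snmp source-address 192.168.0.0 255.248.0.0
  2 match protocol snmp source-address 172.16.64.0 255.255.252.0
policy-map type management first-match L4_SNMP-REMOTE-MGT_POLICY
  class L4_GUEST-NET_CLASS
    deny
  class L4_REMOTE-ACCESS-LOCAL_CLASS
    permit
"""


def check(src_ip, proto="snmp"):
    """Evaluate the sample policy for one source address and protocol."""
    cmaps, pmaps = parse_config(SAMPLE_CONFIG)
    return evaluate(cmaps, pmaps["L4_SNMP-REMOTE-MGT_POLICY"], proto, src_ip)


if __name__ == "__main__":
    for ip in ("192.168.7.10", "192.168.5.9", "172.16.66.1", "10.0.0.1"):
        print(ip, check(ip))
```

Note that 192.168.7.10 falls inside 192.168.0.0/13 as well, but the deny class listed first wins because the policy is first-match.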
Applying a Service Policy
Use the service-policy command to perform the following:
• Apply a previously created policy map.
• Attach the traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.
• Specify that the traffic policy is to be attached to the input direction of an interface.
The service-policy command is available at both configuration mode and
interface configuration mode. Specifying a policy map in the interface
configuration mode applies the policy map to a specific VLAN interface.
Specifying a policy map in the configuration mode applies the policy to all of the
VLAN interfaces associated with a context.
The syntax of this command is as follows:
service-policy input policy_name
The keywords, arguments, and options are as follows:
• input—Specifies that the traffic policy is to be attached to the input direction of an interface. The traffic policy evaluates all traffic received by that interface.
• policy_name—Name of a previously defined policy map, configured with a previously created policy-map command. The name can be a maximum of 40 alphanumeric characters.
For example, to specify an interface VLAN and apply the SNMP management
policy map to a VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.20.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input SNMP_MGMT_ALLOW_POLICY
For example, to globally apply the SNMP management policy map to all of the
VLANs associated with a context, enter:
host1/Admin(config)# service-policy input SNMP_MGMT_ALLOW_POLICY
To detach the SNMP management policy from an interface VLAN, enter:
host1/Admin(config-if)# no service-policy input SNMP_MGMT_ALLOW_POLICY
To globally detach the SNMP management policy from all VLANs associated
with a context, enter:
host1/Admin(config)# no service-policy input SNMP_MGMT_ALLOW_POLICY
When you detach a traffic policy either individually from the last VLAN interface
on which you applied the service policy or globally from all VLAN interfaces in
the same context, the ACE automatically resets the associated service policy
statistics. The ACE performs this action to provide a new starting point for the
service policy statistics the next time that you attach a traffic policy to a specific
VLAN interface or globally to all VLAN interfaces in the same context.
Follow these guidelines when you create a service policy:
• Policy maps, applied globally in a context, are internally applied on all interfaces existing in the context.
• A policy activated on an interface overwrites any specified global policies for overlapping classification and actions.
• The ACE allows only one policy of a specific feature type to be activated on an interface.
To display service policy statistics for a Layer 3 and Layer 4 SNMP management
policy map, use the show service-policy command in Exec mode.
The syntax of this command is as follows:
show service-policy policy_name [detail]
The keywords, options, and arguments are as follows:
• policy_name—Identifier of an existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters.
• detail—(Optional) Displays a more detailed listing of policy map statistics and status information.
Note
The ACE updates the counters that the show service-policy command displays
after the applicable connections are closed.
For example, to display service policy statistics for the
SNMP_MGMT_ALLOW_POLICY policy map, enter:
host1/Admin# show service-policy SNMP_MGMT_ALLOW_POLICY
Status     : ACTIVE
Description: Allow mgmt protocols
-----------------------------------------
Context Global Policy:
  service-policy: SNMP_MGMT_ALLOW_POLICY
To clear the service policy statistics, use the clear service-policy command. The
syntax of this command is as follows:
clear service-policy policy_name
For the policy_name argument, enter the identifier of an existing policy map that
is currently in service (applied to an interface).
For example, to clear the statistics for the policy map
SNMP_MGMT_ALLOW_POLICY that is currently in service, enter:
host1/Admin# clear service-policy SNMP_MGMT_ALLOW_POLICY
Example of an SNMP Configuration
The following example illustrates a running-configuration that verifies the current
status of a real server through SNMP and the CLI. It also verifies that SNMP traps
are sent when a real server or virtual server is not operational. This example
illustrates that you can restrict the client source host IP address allowed to
connect to the ACE. The policy map is applied to all of the VLAN interfaces
associated with the context. The SNMP configuration appears in bold in the
example.
access-list ACL1 line 10 extended permit ip any any
rserver host SERVER1
  ip address 192.168.252.245
  inservice
rserver host SERVER2
  ip address 192.168.252.246
  inservice
rserver host SERVER3
  ip address 192.168.252.247
  inservice
serverfarm host SFARM1
  probe HTTP_PROBE
  rserver SERVER1
    conn-limit max 3 min 2
    inservice
serverfarm host SFARM2
  probe HTTP
  rserver SERVER2
    conn-limit max 500 min 2
    inservice
  rserver SERVER3
    conn-limit max 500 min 2
    inservice
class-map type http loadbalance match-all L7_INDEX-HTML_CLASS
  2 match http url /index.html
class-map match-all L4_MAX-CONN-VIP_105_CLASS
  2 match virtual-address 192.168.120.105 any
class-map type management match-any L4_REMOTE-ACCESS-LOCAL_CLASS
  description Enables SNMP remote management for local users
  1 match protocol snmp source-address 192.168.0.0 255.248.0.0
  2 match protocol snmp source-address 172.16.64.0 255.255.252.0
class-map type http loadbalance match-all L7_URL*_CLASS
  2 match http url .*
policy-map type management first-match L4_SNMP-REMOTE-MGT_POLICY
  class L4_REMOTE-ACCESS-LOCAL_CLASS
    permit
policy-map type loadbalance first-match L7_LB-SF_MAX-CONN_POLICY
  class L7_INDEX-HTML_CLASS
    serverfarm SFARM1
  class L7_URL*_CLASS
    serverfarm SFARM2
policy-map multi-match L4_VIP_POLICY
  class L4_MAX-CONN-VIP_105_CLASS
    loadbalance vip inservice
    loadbalance policy L7_LB-SF_MAX-CONN_POLICY
    loadbalance vip icmp-reply
    appl-parameter http advanced-options PERSIST-REBALANCE
service-policy input L4_SNMP-REMOTE-MGT_POLICY

snmp-server user user1 Network-Monitor auth sha "adcd1234"
snmp-server community ACE-public group ro
snmp-server contact "User1 user1@cisco.com"
snmp-server location "San Jose CA"
snmp-server host 192.168.0.236 traps version 2c ACE-public
snmp-server enable traps slb vserver
snmp-server enable traps slb real
snmp-server enable traps syslog
snmp-server enable traps snmp authentication
snmp-server enable traps snmp linkup
snmp-server enable traps snmp linkdown
Displaying SNMP Statistics
Use the show snmp command in Exec mode to display SNMP statistics and configured SNMP information. By default, this command displays the ACE contact, ACE location, packet traffic information, community strings, and user information. You can instruct the ACE to display specific SNMP information by including the appropriate keyword.
The syntax of this command is as follows:
show snmp [community | engineID | group | host | sessions | user]
The keywords are as follows:
• community—(Optional) Displays SNMP community strings.
• engineID—(Optional) Displays the identification of the local SNMP engine and all remote engines that have been configured on the ACE.
• group—(Optional) Displays the names of groups on the ACE, the security model, the status of the different views, and the storage type of each group.
• host—(Optional) Displays the configured SNMP notification recipient host, User Datagram Protocol (UDP) port number, user, and security model.
• sessions—(Optional) Displays the IP address of the targets for which traps or informs have been sent.
• user—(Optional) Displays SNMPv3 user information.
Table 7-6 describes the fields in the show snmp command output.

Table 7-6  Field Descriptions for the show snmp Command Output

Field                                          Description
Sys contact                                    Contact name for the SNMP system
Sys location                                   SNMP system location
SNMP packets input                             Total number of SNMP packets received by the ACE
Bad SNMP versions                              Number of packets with an invalid SNMP version
Unknown community name                         Number of SNMP packets with an unknown community name
Illegal operation for community name supplied  Number of packets that request an operation that is not allowed for the supplied community
Encoding errors                                Number of SNMP packets that were improperly encoded
Number of requested variables                  Number of variables requested by SNMP managers
Number of altered variables                    Number of variables altered by SNMP managers
Get-request PDUs                               Number of get requests received
Get-next PDUs                                  Number of get-next requests received
Set-request PDUs                               Number of set requests received
SNMP packets output                            Total number of SNMP packets sent by the ACE
Too big errors                                 Number of SNMP packets that were larger than the maximum packet size
No such name errors                            Number of SNMP requests that specified a MIB object that does not exist
Bad values errors                              Number of SNMP set requests that specified an invalid value for a MIB object
General errors                                 Number of SNMP requests that failed with an error other than the specific errors counted above (tooBig, noSuchName, badValue)
Community                                      SNMP community name for the ACE
Group/Access                                   Access rights for the community: read-only
User                                           String that identifies the name of the SNMP user
Auth                                           Authentication of a packet without encryption
Priv                                           Authentication of a packet with encryption
Group                                          User role group to which the user belongs
Table 7-7 describes the fields in the show snmp community command output.

Table 7-7  Field Descriptions for the show snmp community Command Output

Field          Description
Community      SNMP community name for the ACE
Group/Access   Access rights for the community: read-only

Table 7-8 describes the fields in the show snmp engineID command output.

Table 7-8  Field Descriptions for the show snmp engineID Command Output

Field               Description
Local SNMP engineID Identification number of the local SNMP engine on the ACE

Table 7-9 describes the fields in the show snmp group command output.

Table 7-9  Field Descriptions for the show snmp group Command Output

Field           Description
Group name      Name of the SNMP group or collection of users that have a common access policy
Security model  Security model used by the group, either v1, v2c, or v3
Security level  Security level used by the group
Read view       String that identifies the read view of the group
Write view      String that identifies the write view of the group
Notify view     String that identifies the notify view of the group
Storage-type    Whether the settings are held in volatile (temporary) memory on the device or in nonvolatile (persistent) memory, where they remain after the device has been turned off and on again
Row status      Whether the row status for the SNMP group is active or inactive

Table 7-10 describes the fields in the show snmp host command output.

Table 7-10  Field Descriptions for the show snmp host Command Output

Field     Description
Host      IP address of the target host
Port      UDP port number to which notifications will be sent
Version   Version of SNMP used to send the trap, either v1, v2c, or v3
Level     Method for authentication and privacy
Type      Type of notification configured
SecName   Security name (community string or SNMPv3 user name) used when sending notifications to the target host

Table 7-11 describes the fields in the show snmp sessions command output.

Table 7-11  Field Descriptions for the show snmp sessions Command Output

Field        Description
Destination  IP address of a target for which traps or informs have been sent

Table 7-12 describes the fields in the show snmp user command output.

Table 7-12  Field Descriptions for the show snmp user Command Output

Field   Description
User    String that identifies the name of the SNMP user
Auth    Authentication of a packet without encryption
Priv    Authentication of a packet with encryption
Group   User role group to which the user belongs
CHAPTER 8

Configuring the XML Interface
This chapter describes how to use Extensible Markup Language (XML) to remotely configure a Cisco 4700 Series Application Control Engine (ACE) appliance from a network management station (NMS). Any command that you can configure from the ACE CLI can be configured remotely from an NMS by exchanging XML documents over HTTP or secure HTTP (HTTPS). You can transmit, exchange, and interpret data among the applications. In addition, you can configure the ACE to transfer show command output to an NMS in XML format for result monitoring and analysis.
Note
To use the ACE XML interface, you must have the Admin user role.
This chapter contains the following major sections:
• XML Overview
• XML Configuration Quick Start
• Configuring HTTP and HTTPS Management Traffic Services
• Enabling the Display of Raw XML Request show Command Output in XML Format
• Accessing the ACE DTD File
Note
The ACE creates the following default user accounts at startup: admin, dm, and
www. The admin user is the global administrator and cannot be deleted. The dm
user is for accessing the Device Manager GUI and cannot be deleted (it is an
internal user that is required by the Device Manager GUI and is hidden on the
CLI). The ACE uses the www user account for the XML interface and it cannot
be deleted.
XML Overview
This section contains the following topics:
• XML Usage with the ACE
• HTTP and HTTPS Support with the ACE
• HTTP Return Codes
• Document Type Definition
• Sample XML Configuration
XML Usage with the ACE
Web services are network-based software applications that use XML to transmit, exchange, and interpret data among applications that would otherwise have difficulty interoperating.
XML provides an application-independent way of sharing data between computer systems. Like HTML, XML consists of text delimited by tags, so it is easily conveyed over the Internet. In XML, the tags define the meaning and structure of the information, enabling computer applications to use the information directly. Unlike HTML, XML tags identify the data rather than specifying how to display it. An XML tag acts like a field name in your program; it puts a label on a piece of data that identifies it (for example, <message>...</message>).
An XML document that contains configuration commands and output results is easily transferred between devices by using standard Internet protocols such as HTTP or secure HTTP (HTTPS) as the transfer protocol.
The XML application programming interface (API) allows you to automate the
programmatic configuration of the ACE by using a Document Type Definition
(DTD). The XML format is a translation of the CLI commands into an equivalent
XML syntax. Each ACE CLI command has an equivalent XML tag, and all of the
parameters of the CLI command are attributes of that element. The ACE uses an
Apache HTTP server to provide the XML management interface and to provide
HTTP services between the ACE and the management client. To use the ACE
XML API, you must have the Admin user role.
You can use XML to do the following:
• Provide a mechanism using XML to transfer, configure, and monitor objects in the ACE. This XML capability allows you to easily shape or extend the CLI query and reply data in XML format to meet different specific business needs.
• Transfer show command output from the ACE CLI interface in an XML format for statistics and status monitoring. This capability allows you to query and extract data from the ACE.
• Use the ACE XML DTD schema for formatting CLI queries or parsing the XML results from the ACE to enable third-party software development through XML communications.
• Provide remote user authentication through AAA.
• Provide session and context management by the global administrator and other users with the Admin user role.
A network management station (NMS), such as the CiscoWorks Hosting Solution
Engine (HSE), can connect to the ACE and push new configurations to it over
HTTP or HTTPS.
HTTP and HTTPS Support with the ACE
The ACE and an NMS can easily send and receive an XML document containing
configuration commands or output results by using standard Internet protocols,
such as HTTP or secure HTTP (HTTPS), as the transfer protocol. HTTPS uses
Secure Sockets Layer (SSL) to provide encrypted communication between the
management client and the ACE.
The administrator of the system designates a website as the entry point to the API,
and all requests and queries are made through those URLs. This website also
provides the DTDs that define the XML for requests, queries, and responses.
The XML input is submitted through the data portion of an HTTP POST request.
A field named “xml” contains the XML string that defines the request or query.
The response to this HTTP POST represents a pure XML response with either a
success or failure indicator for a request or the response to a query.
When you use XML to transfer configuration data and results, the NMS connects
to the ACE and sends a new configuration in an XML document to the ACE over
HTTP or HTTPS. The ACE then applies the new configuration.
The following example shows the HTTP conversation between the client and the
server, as related to the XML implementation on the ACE:
******** Client **************
POST /bin/xml_agent HTTP/1.1
Authorization: Basic VTpQ
Content-Length: 95

xml_cmd=<request_xml>
  <interface type="vlan" number="80">
    <access-group access-type="input" name="acl1"/>
    <ip_address address="60.0.0.145" netmask="255.255.255.0"/>
    <shutdown sense="no"/>
  </interface>
  <show_running-config/>
</request_xml>

******** Server **************
HTTP/1.1 200 OK
Content-Length: 21

<response_xml>
  <config_command>
    <command>
      interface vlan 80
      ip address 60.0.0.145 255.255.255.0
      access-group input acl1
      no shutdown
    </command>
    <status code="100" text="XML_CMD_SUCCESS"/>
  </config_command>
</response_xml>

******** Client **************
POST /bin/xml_agent HTTP/1.1
Content-Length: 95

xml_cmd=<request_xml>
  <show_running-config/>
</request_xml>

******** Server **************
HTTP/1.1 401 Unauthorized
Connection: close
WWW-Authenticate: Basic realm=/xml-config

The second request omits the Authorization header, so the server rejects it with 401 and a WWW-Authenticate challenge. The Basic credentials in the first request (VTpQ) are only base 64 encoded, not encrypted, and can be read by anyone who can observe plain HTTP traffic; this is why xml-https is the transport to use for the XML interface.
HTTP Return Codes
HTTP return codes indicate the status of the request and report errors between the server and the client. The Apache HTTP server return status codes follow the standards outlined in RFC 2616. Table 8-1 lists the supported HTTP return codes.

Table 8-1  Supported HTTP Return Codes for XML

Return Code  Description
200          OK
201          Created
202          Accepted
203          Non-Authoritative Information
206          Partial Content
301          Moved Permanently
302          Found
400          Bad Request
401          Unauthorized (credentials required, but not provided)
403          Forbidden (illegal credentials submitted; syslog also generated)
404          Not Found ("/xml-config" not specified)
405          Method Not Allowed
406          Not Acceptable
408          Request Time-out (more than 30 seconds has passed waiting on receive)
411          Missing Content-Length (missing or zero Content-Length field)
500          Internal Server Error
501          Not Implemented ("POST" not specified)
505          HTTP Version Not Supported ("1.0" or "1.1" not specified)
The following HTTP headers are supported:
• Content-Length (nonzero value required for all POSTs)
• Connection (close value indicates that a request should not be persistent)
• WWW-Authenticate (sent to the client when credentials are required and missing)
• Authorization (sent from the client to specify basic credentials in base 64 encoding; base 64 is an encoding, not encryption, so use xml-https to protect the credentials in transit)
An HTTP 200 return code does not mean that the commands in the request succeeded. When an XML error occurs, the HTTP response still carries a 200 return code; the portion of the original XML document with the error is returned with an error element that contains the error type and description, and the status element reports XML_CMD_FAILURE. Clients must therefore check the XML status, not only the HTTP return code.
The following is a typical example of an XML error response:
<response_xml>
  <config_command>
    <command>
      interface vlan 20
      no shut
      description xyz
      exit
    </command>
    <status code="200" text="XML_CMD_FAILURE">
      <error_command> description xyz </error_command>
      <error_message> unrecognized element - description </error_message>
    </status>
  </config_command>
</response_xml>
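The following Python program is an added example; it is not part of this guide or of the ACE software. It builds the POST that the HTTP conversation above shows (the xml_cmd form field, HTTP Basic credentials, a nonzero Content-Length) and parses a <response_xml> document, distinguishing the XML_CMD_SUCCESS status from the XML_CMD_FAILURE shape shown in the error response above. It performs no network I/O: the two responses it parses are constructed here from the guide's examples, and the ACE host name is a placeholder. Everything else (path /bin/xml_agent, port 10443 for xml-https, status codes 100 and 200) comes from this chapter.

```python
import base64
import xml.etree.ElementTree as ET

# Placeholder values (not from the guide). The path, the form field and the
# XML status values are taken from the guide's examples.
ACE_HOST = "ace.example.net"
XML_HTTPS_PORT = 10443          # port used by the xml-https management protocol
AGENT_PATH = "/bin/xml_agent"


def build_request(request_xml, user, password):
    """Return (request_line, headers, body) for an ACE XML agent POST.

    The body is the raw form field shown in the guide ("xml_cmd=<request_xml>...").
    Content-Length must be present and nonzero or the agent answers HTTP 411.
    Basic credentials are only base64-encoded, so send this over xml-https."""
    body = b"xml_cmd=" + request_xml.encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Length": str(len(body)),
        "Connection": "close",
    }
    return f"POST {AGENT_PATH} HTTP/1.1", headers, body


def parse_response(response_xml):
    """Parse <response_xml> and return one result dict per <config_command>.

    A failed command still arrives with HTTP 200; success is signalled only by
    the XML status (code 100 / XML_CMD_SUCCESS). On failure the status element
    carries <error_command> and <error_message> children."""
    root = ET.fromstring(response_xml)
    if root.tag != "response_xml":
        raise ValueError(f"unexpected root element {root.tag!r}")
    results = []
    for cmd in root.findall("config_command"):
        status = cmd.find("status")
        if status is None:
            raise ValueError("config_command without a status element")
        results.append({
            "command": (cmd.findtext("command") or "").strip(),
            "code": int(status.get("code", "0")),
            "text": status.get("text"),
            "ok": status.get("text") == "XML_CMD_SUCCESS",
            "error_command": (status.findtext("error_command") or "").strip(),
            "error_message": (status.findtext("error_message") or "").strip(),
        })
    return results


# Constructed sample responses, modelled on the two examples in this section.
SUCCESS_RESPONSE = """<response_xml>
  <config_command>
    <command>
      interface vlan 80
      ip address 60.0.0.145 255.255.255.0
      access-group input acl1
      no shutdown
    </command>
    <status code="100" text="XML_CMD_SUCCESS"/>
  </config_command>
</response_xml>"""

FAILURE_RESPONSE = """<response_xml>
  <config_command>
    <command>
      interface vlan 20
      no shut
      description xyz
      exit
    </command>
    <status code="200" text="XML_CMD_FAILURE">
      <error_command> description xyz </error_command>
      <error_message> unrecognized element - description </error_message>
    </status>
  </config_command>
</response_xml>"""


if __name__ == "__main__":
    line, headers, body = build_request(
        "<request_xml><show_running-config/></request_xml>", "U", "P")
    print(line, headers["Authorization"], headers["Content-Length"])
    for r in parse_response(SUCCESS_RESPONSE) + parse_response(FAILURE_RESPONSE):
        print(r["code"], r["text"], r["error_message"] or "-")
```

The credentials "U"/"P" reproduce the Basic VTpQ token in the conversation above. In a real client, send the request over TLS to port 10443 and verify the appliance certificate; a plain HTTP transport exposes the admin-role credentials to anyone on the path.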
The returned error codes correspond to the attributes of the configuration element. The XML error types that can be returned are as follows:

XML_ERR_WELLFORMEDNESS   /* not a well formed xml document */
XML_ERR_ATTR_INVALID     /* found invalid value attribute */
XML_ERR_ELEM_INVALID     /* found invalid value unrecognized */
XML_ERR_CDL_NOT_FOUN     /* parser cdl file not found */
XML_ERR_INTERNAL         /* internal memory or coding error */
XML_ERR_COMM_FAILURE     /* communication failure */
XML_ERR_VSH_PARSER       /* vsh parse error on the given command */
XML_ERR_VSH_CONF_APPLY   /* vsh unable to apply the configuration */
Document Type Definition
A DTD is the basis for the XML configuration documents that you create for the ACE. The purpose of a DTD is to define the legal building blocks of an XML document by defining the document structure with a list of legal elements. A DTD specifies precisely which elements can appear in a request, query, or response document, together with the contents and attributes of those elements. A DTD can be declared inline in your XML document or as an external reference.
The ACE DTD file, ace_appliance.dtd, is included as part of the software image and is accessible from a web browser using either HTTP or HTTPS. See the "Accessing the ACE DTD File" section for details. You can use a web browser to directly access the ace_appliance.dtd file or open it from the Cisco ACE Appliance Management page.
Note
By default, XML responses automatically appear in XML format if the corresponding CLI show command output supports the XML format. However, if you run the commands on the CLI console, or you send raw XML requests from the NMS, the show command output appears in regular CLI display format. See the "Enabling the Display of Raw XML Request show Command Output in XML Format" section for details. For details on the show command output supported in XML format, consult the ace_appliance.dtd file.
The following example shows the sequence of ACE CLI commands for creating a real server, followed by the associated DTD rserver elements for the commands.

[no] rserver [host | redirect] name
  [no] conn-limit max maxconns [min minconns]
  [no] description string
  [no] inservice
  [no] ip address {ip_address}
  [no] probe name
  [no] weight number

<!--
**********************************************************************
Elements, Attributes and Entities required for rserver
**********************************************************************
-->
<!-- probe-name is a string of length 1 to 32. -->
<!ELEMENT probe_rserver EMPTY>
<!ATTLIST probe_rserver
    sense       CDATA   #FIXED "no"
    probe-name  CDATA   #REQUIRED
>
<!-- relocation-str length is 1 to 127 -->
<!ELEMENT webhost-redirection EMPTY>
<!ATTLIST webhost-redirection
    sense              (yes | no)    #IMPLIED
    relocation-string  CDATA         #REQUIRED
    redirection-code   (301 | 302)   #IMPLIED
>
<!-- type is optional for host.
     ip, probe and weight are valid only when type = host.
     address-type is valid only when type=host.
     name length is 1 to 32.
     webhost-redirection is valid only if type=redirect.
-->
<!ELEMENT rserver (description, ip_address, conn-limit, probe_rserver,
                   weight, inservice, webhost-redirection)*>
<!ATTLIST rserver
    sense  CDATA               #FIXED "no"
    type   (redirect | host)   #IMPLIED
    name   CDATA               #REQUIRED
>
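The following Python program is an added example, not part of this guide or of the ACE software. It turns the rserver CLI parameters above into the DTD's rserver element and enforces the constraints the DTD comments state: name and probe-name length 1 to 32, relocation-string length 1 to 127, redirection-code 301 or 302, ip/probe/weight only for type=host and webhost-redirection only for type=redirect. The element and attribute names rserver (type, name), ip_address (address), probe_rserver (probe-name) and webhost-redirection (relocation-string, redirection-code) are taken from this chapter; the attribute names used for description, conn-limit and weight are assumptions and must be checked against ace_appliance.dtd before use.

```python
import xml.etree.ElementTree as ET

# Attribute names NOT shown in the DTD excerpt on this page are assumptions:
# description value="...", conn-limit max="..." min="...", weight value="...".
# Verify them against ace_appliance.dtd on the appliance.


def _check_len(value, low, high, what):
    """Enforce the string-length limits given in the DTD comments."""
    if not low <= len(value) <= high:
        raise ValueError(f"{what} length must be {low} to {high}")


def rserver_element(name, rtype="host", ip=None, probe=None, weight=None,
                    conn_limit=None, description=None, inservice=False,
                    relocation=None, redirect_code=None):
    """Build an <rserver> element that honours the DTD's stated constraints."""
    _check_len(name, 1, 32, "rserver name")
    if rtype not in ("host", "redirect"):
        raise ValueError("type must be 'host' or 'redirect'")
    if rtype != "host" and any(v is not None for v in (ip, probe, weight)):
        raise ValueError("ip, probe and weight are valid only when type=host")
    if rtype != "redirect" and relocation is not None:
        raise ValueError("webhost-redirection is valid only when type=redirect")

    el = ET.Element("rserver", {"type": rtype, "name": name})
    if description is not None:
        ET.SubElement(el, "description", {"value": description})  # attr assumed
    if ip is not None:
        ET.SubElement(el, "ip_address", {"address": ip})
    if conn_limit is not None:
        max_conns, min_conns = conn_limit
        ET.SubElement(el, "conn-limit",
                      {"max": str(max_conns), "min": str(min_conns)})  # attrs assumed
    if probe is not None:
        _check_len(probe, 1, 32, "probe-name")
        ET.SubElement(el, "probe_rserver", {"probe-name": probe})
    if weight is not None:
        ET.SubElement(el, "weight", {"value": str(weight)})  # attr assumed
    if relocation is not None:
        _check_len(relocation, 1, 127, "relocation-string")
        attrs = {"relocation-string": relocation}
        if redirect_code is not None:
            if redirect_code not in (301, 302):
                raise ValueError("redirection-code must be 301 or 302")
            attrs["redirection-code"] = str(redirect_code)
        ET.SubElement(el, "webhost-redirection", attrs)
    if inservice:
        ET.SubElement(el, "inservice")
    return el


def request_document(*elements):
    """Wrap elements in <request_xml>, the root the ACE XML agent expects."""
    root = ET.Element("request_xml")
    root.extend(elements)
    return ET.tostring(root, encoding="unicode")


def is_rejected(**kwargs):
    """True if rserver_element refuses the given arguments."""
    try:
        rserver_element(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(request_document(
        rserver_element("SERVER1", ip="192.168.252.245", probe="HTTP_PROBE",
                        conn_limit=(3, 2), inservice=True),
        rserver_element("REDIR1", rtype="redirect",
                        relocation="http://www.example.com/", redirect_code=301,
                        inservice=True),
    ))
```

Rejecting an invalid document before it is sent is preferable to relying on the agent's XML_ERR_ATTR_INVALID or XML_ERR_VSH_PARSER response: the request never reaches the appliance's parser, and the client gets a precise reason instead of a generic failure.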
Sample XML Configuration
The following example shows a typical VShell (VSH) CLI command configuration and its equivalent XML configuration commands:

##############################
## TO/FROM CP CONFIGURATION ##
##############################
conf t
access-list acl1 extended permit ip any any
int vlan 80
  access-group input acl1
  ip address 60.0.0.145 255.255.255.0
  no shut
  exit
ip route 0.0.0.0 0.0.0.0 60.0.0.1
end

<access-list id="acl1" config-type="extended" perm-value="permit"
  protocol-name="ip" src-type="any" dest-type="any"/>
<interface type="vlan" number="80">
  <access-group type="input" name="acl1"/>
  <ip_address address="60.0.0.145" netmask="255.255.255.0"/>
  <shutdown sense="no"/>
</interface>
<ip_route dest-address="0.0.0.0" dest-mask="0.0.0.0" gateway="60.0.0.1"/>

############################
## BRIDGING CONFIGURATION ##
############################
conf t
access-list acl1 extended permit ip any any
int vlan 80
  access-group input acl1
  bridge-group 1
  no shut
  exit
int vlan 90
  access-group input acl1
  bridge-group 1
  no shut
  exit
end

<access-list id="acl1" config-type="extended" perm-value="permit"
  protocol-name="ip" src-type="any" dest-type="any"/>
<interface type="vlan" number="80">
  <access-group type="input" name="acl1"/>
  <bridge-group value="1"/>
  <shutdown sense="no"/>
</interface>
<interface type="vlan" number="90">
  <access-group type="input" name="acl1"/>
  <bridge-group value="1"/>
  <shutdown sense="no"/>
</interface>
XML Configuration Quick Start
Table 8-2 provides a quick overview of the steps required to configure XML usage with the ACE. Each step includes the CLI command required to complete the task.

Table 8-2  ACE XML Configuration Quick Start

Task and Command Example

1. Enter configuration mode.
   host1/Admin# config
   Enter configuration commands, one per line. End with CNTL/Z.
   host1/Admin(config)#

2. Create a Layer 3 and Layer 4 class map to classify the HTTP or HTTPS management traffic that can be received by the ACE.
   host1/Admin(config)# class-map type management match-all XML-HTTPS-ALLOW_CLASS
   host1/Admin(config-cmap-mgmt)# match protocol xml-https source-address 192.168.1.1 255.255.255.255
   host1/Admin(config-cmap-mgmt)# exit

3. Configure a Layer 3 and Layer 4 HTTP or HTTPS traffic management policy.
   host1/Admin(config)# policy-map type management first-match MGMT_XML-HTTPS_POLICY
   host1/Admin(config-pmap-mgmt)# class XML-HTTPS-ALLOW_CLASS
   host1/Admin(config-pmap-mgmt-c)# permit
   host1/Admin(config-pmap-mgmt-c)# exit

4. Attach the traffic policy to a single interface or globally on all VLAN interfaces associated with a context, and specify the direction in which the policy should be applied. For example, to apply the service policy to the inbound traffic of one VLAN interface, enter:
   host1/Admin(config)# interface vlan 50
   host1/Admin(config-if)# ip address 192.168.10.1 255.255.0.0
   host1/Admin(config-if)# service-policy input MGMT_XML-HTTPS_POLICY
   host1/Admin(config-if)# exit
   host1/Admin(config)# exit

5. (Optional) Enable the display of raw XML request show command output in XML format.
   host1/Admin# xml-show on
   Note
   True XML responses always automatically appear in XML format.

6. (Optional) Save your configuration changes to Flash memory.
   host1/Admin# copy running-config startup-config
Configuring HTTP and HTTPS Management Traffic Services
The ACE provides support for remote management using XML over either HTTP or HTTPS to configure, monitor, and manage software objects. You configure HTTP and HTTPS remote management traffic to the ACE through class maps, policy maps, and service policies.
The following items summarize the role of each function in configuring HTTP or HTTPS network management access to the ACE:
• Class map—Provides the remote network traffic match criteria to permit HTTP and HTTPS management traffic based on HTTP or HTTPS network management protocols or host source IP addresses.
• Policy map—Enables remote network management access for a traffic classification that matches the criteria listed in the class map.
• Service policy—Activates the policy map and attaches the traffic policy to an interface or globally on all interfaces.
HTTP or HTTPS sessions are established to the ACE per context. For details on creating contexts and users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
This section contains the following topics:
• Creating and Configuring a Class Map
• Creating a Layer 3 and Layer 4 Policy Map
• Applying a Service Policy
Creating and Configuring a Class Map
To create a Layer 3 and Layer 4 class map to classify the HTTP or HTTPS management traffic that can be received by the ACE, use the class-map type management configuration command. This command allows network management traffic by identifying the incoming IP protocols that the ACE can receive and the client source host IP address and subnet mask as the matching criteria. A class map of type management defines the allowed network traffic as a form of management security for protocols such as HTTP and HTTPS.
A class map can contain multiple match commands. You can configure class maps to define multiple HTTP or HTTPS management protocol or source IP address match commands in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the ACE evaluates the match statements when multiple match criteria exist in a class map. Because a single packet carries one protocol and one source address, a class map that lists several match protocol commands for different protocols or different source networks should use match-any (as the SNMP example in Chapter 7 does); with match-all, no packet can satisfy all of those entries at once.
The syntax of this command is:
class-map type management [match-all | match-any] map_name
The keywords, arguments, and options are:
• match-all | match-any—(Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
  – match-all—All of the match criteria listed in the class map match the network traffic class in the class map.
  – match-any—Only one of the match criteria listed in the class map needs to match the network traffic class in the class map.
  The default setting is to meet all of the match criteria (match-all) in a class map.
• map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The class name is used for both the class map and to configure a policy for the class in the policy map.
The CLI displays the class map management configuration mode. To classify the remote HTTP or HTTPS management traffic received by the ACE, include one or more of the following commands to configure the match criteria for the class map:
• description—See the "Defining a Class Map Description" section
• match protocol—See the "Defining HTTP and HTTPS Protocol Match Criteria" section
You may include multiple match protocol commands in a class map.
For example, to allow HTTPS access between the ACE HTTP server and the management client located at IP address 192.168.1.1 255.255.255.255, enter:
host1/Admin(config)# class-map type management match-all XML-HTTPS-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol xml-https source-address 192.168.1.1 255.255.255.255
To remove a Layer 3 and Layer 4 network management class map from the ACE, enter:
host1/Admin(config)# no class-map type management match-all XML-HTTPS-ALLOW_CLASS
Defining a Class Map Description
Use the description command to provide a brief summary about the Layer 3 and Layer 4 class map.
Access the class map configuration mode to specify the description command.
The syntax of this command is:
description text
Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
For example, to specify a description that the class map is to allow HTTPS access, enter:
host1/Admin(config)# class-map type management match-all XML-HTTPS-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow HTTPS as the XML transfer protocol
To remove the description from the class map, enter:
host1/Admin(config-cmap-mgmt)# no description
Defining HTTP and HTTPS Protocol Match Criteria
Use the match protocol command to configure the class map to specify that the HTTP or HTTPS remote network management protocol can be received by the ACE. You configure the associated policy map to permit access to the ACE for the specified management protocol. For XML support, a class map of type management allows IP protocols such as HTTP and HTTPS. As part of the network management access traffic classification, you also specify either a client source host IP address and subnet mask as the matching criteria or instruct the ACE to allow any client source address for the management traffic classification.
You must access the class map configuration mode to specify the match protocol command.
The syntax of this command is:
[line_number] match protocol {http | xml-https} {any | source-address ip_address mask}
The keywords, arguments, and options are:
• line_number—(Optional) Allows you to edit or delete individual match commands. Enter an integer from 2 to 255 as the line number. For example, you can enter no line_number to delete long match commands instead of entering the entire line.
• http—Specifies Hypertext Transfer Protocol (HTTP) as the transfer protocol to send and receive XML documents between the ACE and an NMS. HTTP carries the Basic credentials and the configuration in cleartext.
• xml-https—Specifies secure (SSL) Hypertext Transfer Protocol (HTTP) as the transfer protocol to send and receive XML documents between the ACE and an NMS. Communication is performed using port 10443.
Note
The https keyword specifies secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the Device Manager GUI on the ACE using port 443. You can enable both https and xml-https in a Layer 3 and Layer 4 network management class map.
• any—Specifies any client source address for the management traffic classification. This accepts XML management connections from every address that can reach the interface; the source-address form is the tighter control.
• source-address—Specifies a client source host IP address and subnet mask as the network traffic matching criteria. As part of the classification, the ACE implicitly obtains the destination IP address from the interface on which you apply the policy map.
• ip_address—Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
• mask—The subnet mask of the client in dotted-decimal notation (for example, 255.255.255.0).
For example, to specify that the class map allows HTTPS access to the ACE from the 192.168.0.0/16 network, enter:
host1/Admin(config)# class-map type management XML-HTTPS-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol xml-https source-address 192.168.10.1 255.255.0.0
To deselect the specified network management protocol match criteria from the class map, enter:
host1/Admin(config-cmap-mgmt)# no match protocol xml-https source-address 192.168.10.1 255.255.0.0
Creating a Layer 3 and Layer 4 Policy Map
A Layer 3 and Layer 4 policy map defines the actions executed on HTTP or HTTPS management traffic that matches the specified classifications. This section contains the following topics:
• Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE
• Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy
• Specifying Layer 3 and Layer 4 Policy Actions
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic
Received by the ACE
To configure a Layer 3 and Layer 4 policy map that permits the management
traffic received by the ACE use the policy-map type management command in
configuration mode. The ACE executes the action for the first matching
classification. The ACE does not execute any additional actions.
The syntax of this command is as follows:
policy-map type management first-match map_name
The map_name argument specifies the name assigned to the Layer 3 and Layer 4
network management policy map. Enter an unquoted text string with no spaces
and a maximum of 64 alphanumeric characters.
When you use this command, you will access policy map management
configuration mode.
For example, to create a Layer 3 and Layer 4 network traffic management policy
map, enter:
host1/Admin(config)# policy-map type management first-match MGMT_XML-HTTPS_POLICY
host1/Admin(config-pmap-mgmt)#
To remove a policy map from the ACE, enter:
host1/Admin(config)# no policy-map type management first-match MGMT_XML-HTTPS_POLICY
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy
To specify the HTTP or HTTPS management traffic class created with the
class-map command and associate that traffic with the traffic policy, use the
class command. This command enters policy map management class configuration
mode.
The syntax of this command is as follows:
class {name1 [insert-before name2] | class-default}
The arguments and keywords, and options are as follows:
•
name1—The name of a previously defined Layer 3 and Layer 4 traffic class,
configured with the class-map command, to associate traffic to the traffic
policy. Enter an unquoted text string with no spaces and a maximum of 64
alphanumeric characters.
•
insert-before name2—(Optional) Places the current class map ahead of an
existing class map or inline match condition specified by the name2 argument
in the policy map configuration. The ACE does not save the sequence
reordering as part of the configuration. Enter an unquoted text string with no
spaces and a maximum of 64 alphanumeric characters.
•
class-default—Specifies the class-default class map for the Layer 3 and
Layer 4 traffic policy. This class map is a reserved class map created by the
ACE. You cannot delete or modify this class. All network traffic that fails to
meet the other matching criteria in the named class map belongs to the default
traffic class. If none of the specified classifications match, the ACE then
executes the action specified under the class class-default command. The
class-default class map has an implicit match any statement, so it matches
all traffic that no earlier class has matched.
For example, to specify an existing class map within the Layer 3 and Layer 4
remote access policy map, enter:
host1/Admin(config-pmap-mgmt)# class XML-HTTPS-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)#
To use the insert-before command to define the sequential order of two class
maps in the policy map, enter:
host1/Admin(config-pmap-mgmt)# class XML-HTTPS-ALLOW_CLASS insert-before L4_REMOTE_ACCESS_CLASS
To specify the class-default class map for the Layer 3 and Layer 4 traffic policy,
enter:
host1/Admin(config-pmap-mgmt)# class class-default
host1/Admin(config-pmap-mgmt-c)#
To remove a class map from a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap-mgmt)# no class XML-HTTPS-ALLOW_CLASS
Specifying Layer 3 and Layer 4 Policy Actions
To allow the network management traffic listed in the Layer 3 and Layer 4 class
map to be received or rejected by the ACE, specify either the permit or deny
command in policy map class configuration mode.
•
Use the permit command in policy map class configuration mode to allow the
HTTP or HTTPS management traffic listed in the class map to be received by
the ACE.
•
Use the deny command in policy map class configuration mode to refuse the
HTTP or HTTPS management traffic listed in the class map to be received by
the ACE.
For example, to specify the permit action for the Layer 3 and Layer 4 policy map,
enter:
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
Applying a Service Policy
Use the service-policy command to do the following:
•
Apply a previously created policy map.
•
Attach the traffic policy to a specific VLAN interface or globally to all VLAN
interfaces in the same context.
•
Specify that the traffic policy is to be attached to the input direction of an
interface.
The service-policy command is available at both the VLAN interface
configuration mode and at the configuration mode. Specifying a policy map in the
interface configuration mode applies the policy map to a specific VLAN interface.
Specifying a policy map in the configuration mode applies the policy to all of the
VLAN interfaces associated with a context.
The syntax of this command is:
service-policy input policy_name
The keywords, arguments, and options are:
•
input—Specifies that the traffic policy is to be attached to the input direction
of an interface. The traffic policy evaluates all traffic received by that
interface.
•
policy_name—Name of a previously defined policy map, configured with a
previously created policy-map command. The name can be a maximum of 40
alphanumeric characters.
For example, to specify an interface VLAN and apply an XML HTTPS
management policy to the VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 192.168.10.1 255.255.0.0
host1/Admin(config-if)# service-policy input MGMT_XML-HTTPS_POLICY
For example, to globally apply an XML HTTPS management policy to all of the
VLANs associated with a context, enter:
host1/Admin(config)# service-policy input MGMT_XML-HTTPS_POLICY
To detach the XML HTTPS management policy from an interface, enter:
host1/Admin(config-if)# no service-policy input MGMT_XML-HTTPS_POLICY
To globally detach the XML HTTPS management policy from all VLANs
associated with a context, enter:
host1/Admin(config)# no service-policy input MGMT_XML-HTTPS_POLICY
When you detach a traffic policy either individually from the last VLAN interface
on which you applied the service policy or globally from all VLAN interfaces in
the same context, the ACE automatically resets the associated service policy
statistics. The ACE performs this action to provide a new starting point for the
service policy statistics the next time that you attach a traffic policy to a specific
VLAN interface or globally to all VLAN interfaces in the same context.
Follow these guidelines when you create a service policy:
•
Policy maps, applied globally in a context, are internally applied on all
interfaces existing in the context.
•
A policy activated on an interface overwrites any specified global policies for
overlapping classification and actions.
•
The ACE allows only one policy of a specific feature type to be activated on
a given interface.
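The class-map, policy-map and service-policy steps above form one procedure, and the point that is easy to get wrong is the first-match evaluation: the first class whose criteria match decides, and anything not matched falls through to class-default. The following Python model is added here as an example; it is not part of the Cisco guide or of the ACE software. It renders the configuration in the order this section builds it and simulates the first-match decision so an allow-list for xml-https management access can be checked before it is applied. The class names, policy name, VLAN number and addresses are constructed assumptions, and the 40-character limit is enforced when rendering because that is the limit the service-policy command states for the policy name.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Unquoted text string, no spaces; the page's own examples use '-' and '_'
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_name(name: str, limit: int = 64) -> str:
    """Reject object names the ACE CLI would not accept (spaces, over-long)."""
    if " " in name or len(name) > limit or not NAME_RE.match(name):
        raise ValueError(f"invalid ACE object name: {name!r}")
    return name


@dataclass
class MgmtClass:
    name: str
    protocol: str                   # xml-https, https, ssh, ...
    source: Optional[str] = None    # "ip mask" as typed on the CLI; None = any
    action: str = "deny"            # permit | deny (policy action for this class)

    def network(self) -> Optional[ipaddress.IPv4Network]:
        if self.source is None:
            return None
        ip, mask = self.source.split()
        return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)

    def matches(self, protocol: str, client: ipaddress.IPv4Address) -> bool:
        if protocol != self.protocol:
            return False
        net = self.network()
        return net is None or client in net

    def render(self) -> List[str]:
        crit = "any" if self.source is None else f"source-address {self.source}"
        return [f"class-map type management {validate_name(self.name)}",
                f"  match protocol {self.protocol} {crit}"]


@dataclass
class MgmtPolicy:
    name: str
    classes: List[MgmtClass] = field(default_factory=list)
    default_action: str = "deny"    # action under "class class-default"

    def evaluate(self, protocol: str, client: str) -> Tuple[str, str]:
        """First-match: the first class whose criteria match decides and no
        later class is evaluated; class-default (implicit match any) catches
        everything else."""
        addr = ipaddress.IPv4Address(client)
        for cls in self.classes:
            if cls.matches(protocol, addr):
                return cls.action, cls.name
        return self.default_action, "class-default"

    def render(self, vlan: Optional[int] = None) -> str:
        """Emit the CLI in the order this section configures it."""
        validate_name(self.name, limit=40)   # service-policy name limit is 40
        lines: List[str] = []
        for cls in self.classes:
            lines += cls.render()
        lines.append(f"policy-map type management first-match {self.name}")
        for cls in self.classes:
            lines += [f"  class {cls.name}", f"    {cls.action}"]
        lines += ["  class class-default", f"    {self.default_action}"]
        if vlan is None:
            lines.append(f"service-policy input {self.name}")   # global, all VLANs
        else:
            lines += [f"interface vlan {vlan}",
                      f"  service-policy input {self.name}"]
        return "\n".join(lines)


# Constructed policy: permit xml-https only from the NMS subnet, deny it from
# anywhere else, and let every other management protocol fall to class-default.
NMS_POLICY = MgmtPolicy(
    name="MGMT_XML-HTTPS_POLICY",
    classes=[
        MgmtClass("XML-HTTPS-ALLOW_CLASS", "xml-https",
                  "192.168.10.1 255.255.0.0", "permit"),
        MgmtClass("XML-HTTPS-DENY_CLASS", "xml-https", None, "deny"),
    ],
)

if __name__ == "__main__":
    print(NMS_POLICY.render(vlan=50))
    print(NMS_POLICY.evaluate("xml-https", "192.168.200.7"))
    print(NMS_POLICY.evaluate("xml-https", "10.0.0.5"))
```

Swapping the order of the two classes in the list changes the result for the NMS subnet from permit to deny, which is the behaviour the insert-before keyword exists to control on the appliance.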
To display service policy statistics for a Layer 3 and Layer 4 HTTP or HTTPS
traffic management policy map, use the show service-policy command in Exec
mode.
The syntax of this command is:
show service-policy policy_name [detail]
The keywords, options, and arguments are as follows:
•
policy_name—Identifier of an existing policy map that is currently in service
(applied to an interface) as an unquoted text string with a maximum of 64
alphanumeric characters.
•
detail—(Optional) Displays a more detailed listing of policy map statistics
and status information.
Note
The ACE updates the counters that the show service-policy command displays
after the applicable connections are closed.
For example, to display service policy statistics for the
MGMT_XML-HTTPS_POLICY policy map, enter:
host1/Admin# show service-policy MGMT_XML-HTTPS_POLICY
Status     : ACTIVE
Description: Allow mgmt protocols
----------------------------------------
Context Global Policy:
  service-policy: MGMT_XML-HTTPS_POLICY
To clear the service policy statistics, use the clear service-policy command. The
syntax of this command is:
clear service-policy policy_name
For the policy_name argument, enter the identifier of an existing policy map that
is currently in service (applied to an interface) as an unquoted text string with a
maximum of 64 alphanumeric characters.
For example, to clear the statistics for the policy map
MGMT_XML-HTTPS_POLICY that is currently in service, enter:
host1/Admin# clear service-policy MGMT_XML-HTTPS_POLICY
Enabling the Display of Raw XML Request show
Command Output in XML Format
By default, XML responses will automatically appear in XML format if the
corresponding CLI show command output supports the XML format. However, if
you are running commands on the CLI console or you are running raw XML
responses from NMS, the XML responses appear in regular CLI display format.
You can enable the display of raw XML request show command output in XML
format by performing one of the following actions:
•
Specifying the xml-show on command in Exec mode from the CLI, or
•
Including the xml-show on command in the raw XML request itself (CLI
commands included in an XML wrapper).
Specification of the xml-show on command is not required if you are running true
XML (as shown in the example below).
For details on the show command output supported in XML format, consult the
ACE DTD file, ace_appliance.dtd, that is included as part of the software image
(see the “Accessing the ACE DTD File” section). The ACE DTD File contains the
information on the XML attributes for those show commands whose output
supports XML format.
For example, if you specify the show interface vlan 10 command, the DTD for
the show interface command appears as follows:
<!-- interface-number is req for show-type vlan | bvi.
     interface-number is between 1 and 4095 for vlan and 8191 for bvi.
-->
<!ENTITY % show-interface
  "interface-type    (vlan | bvi)    #IMPLIED
   interface-number  CDATA           #IMPLIED"
>
The XML representation of the show interface command appears as follows:
<show_interface interface-type='vlan' interface-number='10'/>
The following example illustrates the XML representation of the show interface
command output:
<response_xml>
  <exec_command>
    <command>
      show interface vlan 10
    </command>
    <status code="100" text="XML_CMD_SUCCESS"/>
    <xml_show_result>
      <xml_show_interface>
        <xml_interface_entry>
          <xml_interface>
            <interface>
              <interface_name>vlan10</interface_name>
              <interface_status>up</interface_status>
              <interface_hardware>VLAN</interface_hardware>
              <interface_mac>
                <macaddress>00:05:9a:3b:92:b1</macaddress>
              </interface_mac>
              <interface_mode>routed</interface_mode>
              <interface_ip>
                <ipaddress>10.20.105.101</ipaddress>
                <ipmask>255.255.255.0</ipmask>
              </interface_ip>
              <interface_ft_status>non-redundant</interface_ft_status>
              <interface_description>
                <interface_description>not set</interface_description>
              </interface_description>
              <interface_mtu>1500</interface_mtu>
              <interface_last_cleared>never</interface_last_cleared>
              <interface_alias>
                <ipaddress>not set</ipaddress>
              </interface_alias>
              <interface_standby>
                <ipaddress>not set</ipaddress>
              </interface_standby>
              <interface_auto_status>up</interface_auto_status>
            </interface>
          </xml_interface>
          <interface_stats>
            <ifs_input>
              <ifs_unicast>50</ifs_unicast>
              <ifs_bytes>8963</ifs_bytes>
              <ifs_multicast>26</ifs_multicast>
              <ifs_broadcast>1</ifs_broadcast>
              <ifs_errors>0</ifs_errors>
              <ifs_unknown>0</ifs_unknown>
              <ifs_ignored>0</ifs_ignored>
              <ifs_unicast_rpf>0</ifs_unicast_rpf>
            </ifs_input>
            <ifs_output>
              <ifs_unicast>45</ifs_unicast>
              <ifs_bytes>5723</ifs_bytes>
              <ifs_multicast>0</ifs_multicast>
              <ifs_broadcast>1</ifs_broadcast>
              <ifs_errors>0</ifs_errors>
              <ifs_ignored>0</ifs_ignored>
            </ifs_output>
          </interface_stats>
        </xml_interface_entry>
      </xml_show_interface>
    </xml_show_result>
  </exec_command>
</response_xml>
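An NMS that drives the ACE over xml-https has two jobs on this exchange: build a show_interface request whose attributes satisfy the DTD entity shown above (interface-type vlan or bvi, interface-number within 1 to 4095 for vlan and up to 8191 for bvi), and read the response by checking the status element before trusting any of the data. The following Python is an added example, not code from the Cisco guide or the ACE software. It uses only the standard library; the embedded response is abridged from the show interface vlan 10 listing above, with the closing interface tag that the printed listing omits, and the failure response is a constructed placeholder because the page does not list the ACE's error codes.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Attribute limits stated by the show-interface DTD fragment in this section.
INTERFACE_NUMBER_MAX = {"vlan": 4095, "bvi": 8191}


class AceXmlError(Exception):
    """The ACE reported a failure, or the response cannot be parsed."""


def build_show_interface(interface_type: str, interface_number: int) -> str:
    """Build the <show_interface .../> request element, rejecting attribute
    values the DTD would not accept before anything is sent to the appliance."""
    limit = INTERFACE_NUMBER_MAX.get(interface_type)
    if limit is None:
        raise ValueError("interface-type must be 'vlan' or 'bvi'")
    if not 1 <= interface_number <= limit:
        raise ValueError(f"{interface_type} interface-number must be 1..{limit}")
    el = ET.Element("show_interface", {"interface-type": interface_type,
                                       "interface-number": str(interface_number)})
    return ET.tostring(el, encoding="unicode")


def _text(parent: ET.Element, path: str) -> Optional[str]:
    node = parent.find(path)
    return node.text.strip() if node is not None and node.text else None


def parse_show_interface_response(xml_text: str) -> Dict[str, object]:
    """Check <status> first (code 100 / XML_CMD_SUCCESS means the command ran),
    then extract the fields an NMS would record for the interface."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise AceXmlError(f"malformed response: {exc}") from exc
    status = root.find("./exec_command/status")
    if status is None:
        raise AceXmlError("response carries no <status> element")
    if status.get("code") != "100" or status.get("text") != "XML_CMD_SUCCESS":
        raise AceXmlError(f"command failed: {status.get('code')} {status.get('text')}")
    iface = root.find(".//xml_interface/interface")
    stats = root.find(".//interface_stats")
    if iface is None or stats is None:
        raise AceXmlError("response lacks interface data")
    return {
        "command": _text(root, "./exec_command/command"),
        "name": _text(iface, "interface_name"),
        "status": _text(iface, "interface_status"),
        "mode": _text(iface, "interface_mode"),
        "ip": _text(iface, "interface_ip/ipaddress"),
        "mask": _text(iface, "interface_ip/ipmask"),
        "mtu": int(_text(iface, "interface_mtu") or 0),
        "in_unicast": int(_text(stats, "ifs_input/ifs_unicast") or 0),
        "in_errors": int(_text(stats, "ifs_input/ifs_errors") or 0),
        "out_bytes": int(_text(stats, "ifs_output/ifs_bytes") or 0),
    }


# Abridged from the show interface vlan 10 response in this section.
SAMPLE_RESPONSE = """<response_xml>
  <exec_command>
    <command>show interface vlan 10</command>
    <status code="100" text="XML_CMD_SUCCESS"/>
    <xml_show_result><xml_show_interface><xml_interface_entry>
      <xml_interface><interface>
        <interface_name>vlan10</interface_name>
        <interface_status>up</interface_status>
        <interface_mode>routed</interface_mode>
        <interface_ip><ipaddress>10.20.105.101</ipaddress>
          <ipmask>255.255.255.0</ipmask></interface_ip>
        <interface_mtu>1500</interface_mtu>
      </interface></xml_interface>
      <interface_stats>
        <ifs_input><ifs_unicast>50</ifs_unicast><ifs_bytes>8963</ifs_bytes>
          <ifs_errors>0</ifs_errors></ifs_input>
        <ifs_output><ifs_unicast>45</ifs_unicast><ifs_bytes>5723</ifs_bytes>
          <ifs_errors>0</ifs_errors></ifs_output>
      </interface_stats>
    </xml_interface_entry></xml_show_interface></xml_show_result>
  </exec_command>
</response_xml>"""

# Constructed failure: the code and text are placeholders, not ACE values.
FAILED_RESPONSE = """<response_xml><exec_command>
  <command>show interface vlan 10</command>
  <status code="0" text="CONSTRUCTED_FAILURE"/>
</exec_command></response_xml>"""
```

Checking the status attributes before reading the body matters because a failed command still returns a well-formed response_xml document; a client that goes straight to the result elements will silently record nothing, or stale values, instead of raising.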
The syntax of this command is:
xml-show {off | on | status}
The keywords are:
•
off—Displays CLI show command output in regular CLI display output, not
in XML format.
•
on—Displays CLI show command output in XML format unless a specific
show command is not implemented to display its output in XML format. For
details on the show command output supported in XML format, consult the
ACE DTD file, ace_appliance.dtd, that is included as part of the software
image (see the “Accessing the ACE DTD File” section).
•
status—Displays the results of the xml show command status: on or off. The
status keyword allows you to determine the status of the xml show command
setting.
For example, to enable the display of raw XML request show command output in
XML format from the CLI, enter:
host1/Admin# xml-show on
To return to displaying CLI show command output in regular CLI output, enter:
host1/Admin# xml-show off
Accessing the ACE DTD File
The ACE DTD file, ace_appliance.dtd, is included as part of the software image
and is accessible from a web browser using either HTTP or HTTPS. To access the
ace_appliance.dtd file, use a web browser to either:
•
Directly access the ace_appliance.dtd file.
•
Open the ace_appliance.dtd file from the Cisco ACE appliance Management
page.
To access and view the ace_appliance.dtd file, perform the following steps:
Step 1
If you have not done so, create a Layer 3 and Layer 4 class map and policy map
to classify the HTTP or HTTPS management traffic that can be received by the
ACE. See the “Configuring HTTP and HTTPS Management Traffic Services”
section.
Step 2
Open your preferred Internet web browser application, such as Microsoft Internet
Explorer or Netscape Navigator.
Step 3
To directly access the ace_appliance.dtd file, specify the HTTP or secure HTTP
(HTTPS) address of your ACE in the address field, followed by ace_appliance.dtd.
For example:
https://ace_ip_address/ace_appliance.dtd
http://ace_ip_address/ace_appliance.dtd
You can choose to either open the ace_appliance.dtd file or save it to your
computer.
Step 4
To access the ace_appliance.dtd file from the Cisco ACE appliance Management
page, perform the following procedure:
a.
Specify the HTTP or secure HTTP (HTTPS) address of your ACE in the address
field:
https://ace_ip_address
http://ace_ip_address
b.
Click Yes at the prompt to accept (trust) and install the signed certificate from
Cisco. To install the signed certificate, do one of the following:
– If you are using Microsoft Internet Explorer, in the Security Alert dialog
box, click View Certificate, choose the Install Certificate option, and
follow the prompts of the Certificate Manager Import Wizard.
– If you are using Netscape Navigator, in the New Site Certificate dialog
box, click Next and follow the prompts of the New Site Certificate
Wizard.
c.
Enter your username and password in the fields provided, and then click OK.
The Cisco ACE appliance Management page appears.
d.
Click the link under the Resources column of the Cisco ACE appliance
Management page to access the ace_appliance.dtd file. You can choose to
either open the ace_appliance.dtd file or save it to your computer.
Appendix A
Upgrading or Downgrading Your ACE Software
This appendix provides information to upgrade or downgrade your Cisco 4700
Series Application Control Engine (ACE) appliance. It contains the following
major sections:
•
Overview of Upgrading ACE Software
•
Software Upgrade and Downgrade Quick Starts
•
Copying the Software Upgrade Image to the ACE
•
Configuring the ACE to Autoboot the Software Image
•
Reloading the ACE
•
Displaying Software Image Information
Overview of Upgrading ACE Software
The ACE comes preloaded with the operating system software. To take advantage
of new features and bug fixes, you can upgrade your ACE with a new version of
software when it becomes available.
In the Admin context, you will use the copy command in Exec mode to manually
upgrade the ACE software. After the software installation is finished, set the boot
variable and configuration register to autoboot the software image. Then, reboot
the appliance to load the new image.
To minimize any disruption to existing network traffic during a software upgrade
or downgrade, deploy your ACE appliances in a redundant configuration. For
details about redundancy, see Chapter 6, Configuring Redundant ACE
Appliances.
Note
Software version A3(1.0) introduces hardware-assisted SSL (HTTPS) probes. For
that reason, the ACE uses the all option for the default SSL version and uses the
routing table (which may bypass the real server IP address) to direct HTTPS
probes to their destination regardless of whether you specify the routed option or
not in the ip address command. If you are using HTTPS probes in your A1(x)
configuration with the default SSL version (SSLv3) or without the routed option,
you may observe that your HTTPS probes behave differently with version
A3(1.0). For more information about HTTPS probes, see the Cisco 4700 Series
Application Control Engine Appliance Server Load-Balancing Configuration
Guide.
Before You Begin
Before you upgrade your ACE software, please read this appendix in its entirety
so that you fully understand the entire upgrade process. Please be sure that your
ACE configurations meet the upgrade prerequisites in the following sections:
•
Changing the Admin Password
•
Changing the www User Password
•
Checking Your ft-port vlan Configuration
•
Creating a Checkpoint
•
Redundancy State for Software Upgrade or Downgrade
•
Updating Your Application Protocol Inspection Configurations
Changing the Admin Password
Before you upgrade your software version, you must change the default Admin
password if you have not already done so. Otherwise, after you upgrade the ACE
software, you will only be able to log in to the ACE through the console port.
See Chapter 1, Setting Up the ACE for details on changing the admin account
password.
Changing the www User Password
Before you upgrade your software version, you must change the default www user
password if you have not already done so. Otherwise, after you upgrade the ACE
software, the www user will be disabled and you will not be able to use Extensible
Markup Language (XML) to remotely configure an ACE until you change the
default www user password.
See Chapter 2, Configuring Virtualization, in the Cisco 4700 Series Application
Control Engine Appliance Virtualization Configuration Guide for details on
changing a user account password. In this case, the user would be www.
Checking Your ft-port vlan Configuration
In the software releases prior to A3(1.0), we strongly recommended that you
designate an Ethernet port or a port-channel interface as an FT VLAN interface
using the ft-port vlan command. In the A3(1.0) release, this is a mandatory
requirement.
Before you upgrade to software version A3(1.0) or higher, ensure that you have
configured an Ethernet port or a port-channel interface as an FT VLAN interface.
For example, enter:
switch/Admin# show running-config ft
ft interface vlan 260
  ip address 160.0.0.5 255.255.0.0
  peer ip address 160.0.0.2 255.255.0.0
  no shutdown
...
switch/Admin# show running-config int
Generating configuration....
...
interface gigabitEthernet 1/4
  ft-port vlan 260          <<< vlan 260 matching above "ft interface vlan"
  no shutdown
...
For details on configuring an Ethernet port or a port-channel interface as an FT
VLAN interface, see Chapter 1, Configuring Ethernet Interfaces, in the Cisco
4700 Series Application Control Engine Appliance Routing and Bridging
Configuration Guide.
Checking Your Configuration for FT Priority and Preempt
If you want the currently active ACE to remain active after the software upgrade,
be sure that the active ACE has a higher priority than the standby (peer) ACE and
that the preempt command is configured. To check the redundant configuration
of your ACEs, use the show running-config ft command. Note that the preempt
command is enabled by default and does not appear in the running-config.
Creating a Checkpoint
We strongly recommend that you create a checkpoint in the running-configuration
file of each context in your ACE. A checkpoint creates a snapshot of your
configuration that you can later roll back to in case a problem occurs with an
upgrade and you want to downgrade the software to a previous release. Use the
checkpoint create command in Exec mode in each context for which you want to
create a configuration checkpoint and name the checkpoint.
For details about creating a checkpoint and rolling back a configuration, see
Chapter 4, Managing the ACE Software. For information about downgrading your
ACE, see the “Software Upgrade and Downgrade Quick Starts” section.
Redundancy State for Software Upgrade or Downgrade
The STANDBY_WARM redundancy state is used when upgrading or
downgrading the ACE software. When you upgrade or downgrade the ACE from
one software version to another, there is a point in the process when the two ACEs
have different software versions and, therefore, a CLI incompatibility.
When the software versions are different while upgrading or downgrading, the
STANDBY_WARM state allows the configuration and state synchronization
process to continue on a best-effort basis, which means that the active ACE will
continue to synchronize configuration and state information to the standby even
though the standby may not recognize or understand the CLI commands or state
information. This standby state allows the standby ACE to come up with
best-effort support. In the STANDBY_WARM state, as with the STANDBY_HOT
state, the configuration mode is disabled and configuration and state
synchronization continues. A failover from the active to the standby based on
priorities and preempt can still occur while the standby is in the
STANDBY_WARM state.
Updating Your Application Protocol Inspection Configurations
Because the ACE version A3(1.x) software has stricter error checks for
application protocol inspection configurations than A1(x) software versions, be
sure that your inspection configurations meet the guidelines that follow. The error
checking process in A3(1.x) software denies misconfigurations in inspection
classifications (class maps) and displays error messages. If such
misconfigurations exist in your startup- or running-configuration file before you
load the A3(1.x) software, the standby ACE in a redundant configuration may
boot up to the STANDBY_COLD state. For information about redundancy states,
see Chapter 6, Configuring Redundant ACE Appliances.
If the class map for the inspection traffic is generic (match . . . any or
class-default is configured) so that noninspection traffic is also matched, the ACE
displays an error message and does not accept the inspection configuration. For
example:
switch/Admin(config)# class-map match-all TCP_ANY
switch/Admin(config-cmap)# match port tcp any
switch/Admin(config)# policy-map multi-match FTP_POLICY
switch/Admin(config-pmap)# class TCP_ANY
switch/Admin(config-pmap-c)# inspect ftp
Error: This class doesn't have tcp protocol and a specific port
The following examples show some of the generic class-map match statements
and an ACL that are not allowed in A1(7.x) inspection configurations:
•
match port tcp any
•
match port udp any
•
match port tcp range 0 65535
•
match port udp range 0 65535
•
match virtual-address 192.168.12.15 255.255.255.0 any
•
match virtual-address 192.168.12.15 255.255.255.0 tcp any
•
access-list acl1 line 10 extended permit ip any any
For application protocol inspection, the class map must have a specific protocol
(related to the inspection type) configured and a specific port or range of port
numbers.
For HTTP, FTP, RTSP, Skinny, and ILS protocol inspection, the class map must
have TCP as the configured protocol and a specific port or range of ports. For
example, enter the following commands:
host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match port tcp eq www
For SIP protocol inspection, the class map must have TCP or UDP as the
configured protocol and a specific port or range of ports. For example, enter the
following commands:
host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match port tcp eq 124
or
host1/Admin(config-cmap)# match port udp eq 135
For DNS inspection, the class map must have UDP as the configured protocol and
a specific port or range of ports. For example, enter the following commands:
host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match port udp eq domain
For ICMP protocol inspection, the class map must have ICMP as the configured
protocol. For example, enter the following commands:
host1/Admin(config)# access-list ACL1 extended permit icmp
192.168.12.15 255.255.255.0 192.168.16.25 255.255.255.0 echo
host1/Admin(config)# class-map match-all L4_CLASS
host1/Admin(config-cmap)# match access-list ACL1
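Two of the prerequisites in this appendix can be checked mechanically from a saved running-config before the reload: that every ft interface vlan has a matching ft-port vlan on an Ethernet or port-channel interface (the “Checking Your ft-port vlan Configuration” section), and that no inspection class map uses one of the generic match statements listed above that A3(1.x) rejects. The following Python lint is an added example, not Cisco's code; it encodes only the rules this appendix states (match port any, a 0 to 65535 range, a virtual-address match with no port, and an ACL with permit ip any any are generic; a specific protocol plus port, or an ICMP ACL, is not). The configuration excerpts are constructed in the style of the show running-config output shown above, and their interface, ACL and class-map names are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed running-config excerpt; names and numbers are assumptions.
SAMPLE_CONFIG = """\
ft interface vlan 260
  ip address 160.0.0.5 255.255.0.0
  peer ip address 160.0.0.2 255.255.0.0
  no shutdown
interface gigabitEthernet 1/4
  ft-port vlan 260
  no shutdown
access-list acl1 line 10 extended permit ip any any
access-list ACL1 extended permit icmp 192.168.12.15 255.255.255.0 192.168.16.25 255.255.255.0 echo
class-map match-all TCP_ANY
  match port tcp any
class-map match-all L4_CLASS
  match port tcp eq www
class-map match-all WIDE_RANGE
  match port udp range 0 65535
class-map match-all VIP_ANY
  match virtual-address 192.168.12.15 255.255.255.0 tcp any
class-map match-all ICMP_CLASS
  match access-list ACL1
class-map match-all ACL_CLASS
  match access-list acl1
"""

# Constructed: the FT VLAN exists but no interface carries ft-port vlan 260.
MISSING_FT_PORT_CONFIG = """\
ft interface vlan 260
  ip address 160.0.0.5 255.255.0.0
interface gigabitEthernet 1/4
  no shutdown
"""


def generic_port_match(line: str) -> bool:
    """True for a 'match port' line that covers every port of the protocol."""
    m = re.match(r"match port (?:tcp|udp) (any|range (\d+) (\d+)|eq \S+)$", line)
    if not m:
        return False
    if m.group(1) == "any":
        return True
    if m.group(2) is not None:                      # range A B
        return int(m.group(2)) == 0 and int(m.group(3)) == 65535
    return False                                    # eq <port> is specific


def generic_vip_match(line: str) -> bool:
    """True for a 'match virtual-address' line with no protocol/port restriction."""
    m = re.match(r"match virtual-address \S+ \S+ "
                 r"(any|(?:tcp|udp) any|(?:tcp|udp) (?:eq \S+|range \d+ \d+))$", line)
    return bool(m) and m.group(1).endswith("any")


def generic_acls(config: str) -> Set[str]:
    """Names of ACLs that contain a 'permit ip any any' entry."""
    names: Set[str] = set()
    for raw in config.splitlines():
        m = re.match(r"access-list (\S+) (?:line \d+ )?extended permit ip any any$",
                     raw.strip())
        if m:
            names.add(m.group(1))
    return names


def lint_upgrade_config(config: str) -> Dict[str, object]:
    """Return FT VLANs lacking an ft-port, and class-map match lines that the
    A3(1.x) inspection error checks would reject."""
    ft_vlans: Set[int] = set()
    ft_ports: Set[int] = set()
    findings: List[Tuple[str, str]] = []
    loose_acls = generic_acls(config)
    current = None                       # class map whose body we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():        # a top-level command ends any class-map body
            current = None
            m = re.match(r"class-map (?:match-(?:all|any) )?(\S+)$", line)
            if m:
                current = m.group(1)
            m = re.match(r"ft interface vlan (\d+)$", line)
            if m:
                ft_vlans.add(int(m.group(1)))
            continue
        m = re.match(r"ft-port vlan (\d+)$", line)
        if m:
            ft_ports.add(int(m.group(1)))
        if current is None:
            continue
        acl = re.match(r"match access-list (\S+)$", line)
        if (generic_port_match(line) or generic_vip_match(line)
                or (acl and acl.group(1) in loose_acls)):
            findings.append((current, line))
    return {"ft_port_missing": sorted(ft_vlans - ft_ports),
            "generic_inspection_matches": findings}
```

Run it against the output of show running-config saved from each ACE before step 4 of the quick start; an empty ft_port_missing list and an empty findings list are the conditions this appendix requires before loading the A3(1.x) image.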
Software Upgrade and Downgrade Quick Starts
Table A-1 provides a quick overview of the steps required to upgrade the software
on each ACE. Each step includes the CLI command or a reference to the
procedure required to complete the task. For a complete description of each
feature and all the options associated with the CLI commands, see the sections
that follow Table A-1. For clarity, the original active ACE is referred to as ACE-1
and the original standby ACE is referred to as ACE-2 in the following quick start.
Table A-1
Software Upgrade Quick Start
Task and Command Example
1.
Log in to both the active and standby ACEs. The Exec mode prompt appears
at the CLI. If you are operating in multiple contexts, observe the CLI
prompt to verify that you are operating in the Admin context. If necessary,
log directly in to, or change to the Admin context.
ACE-1/Admin#
2.
Save the running configurations of every context by entering the write
memory all command in Exec mode in the Admin context of each ACE.
ACE-1/Admin# write memory all
3.
Create a checkpoint in each context of both ACEs by entering the
checkpoint create command in Exec mode.
ACE-1/Admin# checkpoint create ADMIN_CHECKPOINT
ACE-1/Admin# changeto C1
ACE-1/C1# checkpoint create C1_CHECKPOINT
Do the same on the other ACE.
4.
Enter the copy ftp, copy sftp, or the copy tftp command in Exec mode to
copy the new software image to the image: directory of each ACE. For
example, to copy the image with the name c4710ace-mz.A3_1_0.bin using
FTP, enter:
ACE-1/Admin# copy ftp://server1/images/c4710ace-mz.A3_1_0.bin image:
Enter source filename[/images/c4710ace-mz.A3_1_0.bin]?
Enter the destination filename[]? [c4710ace-mz.A3_1_0.bin]
File already exists, do you want to overwrite?[y/n]: [y]
Enter hostname for the ftp server[server1]?
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Enable Passive mode[Yes/No]: [Yes] no
Password:
5.
Ensure that the new software image is present on both the active and standby
ACEs by entering the dir command in Exec mode. For example, enter:
ACE-1/Admin# dir image:c4710ace-mz.A3_1_0.bin
   176876624  Aug 08 2008 14:15:31  c4710ace-mz.A3_1_0.bin
   176876624  Jun 9 14:15:31 2008   c4710ace-mz.A1_8_0A.bin

Usage for image: filesystem
   896978944 bytes total used
    11849728 bytes free
   908828672 bytes total
6.
Configure ACE-1 to autoboot from the new ACE software image. To set the
boot variable and configuration register to 0x1 (perform auto boot and use
startup-config file), use the boot system image: and config-register
commands in configuration mode. For example, enter:
ACE-1/Admin# config
ACE-1/Admin(config)# boot system image:c4710ace-mz.A3_1_0.bin
ACE-1/Admin(config)# config-register 0x1
ACE-1/Admin(config)# exit
ACE-1/Admin#
You can set up to two images through the boot system command. If the first
image fails, the ACE tries the second image.
Note
Use the no boot system image: command to unset the previously
configured boot variable.
7.
Verify that the boot variable was synchronized to ACE-2 by entering the
following command on ACE-2:
ACE-1/Admin# show bootvar
BOOT variable = "disk0:/c4710ace-mz.A3_1_0.bin; disk0:/disk0:c4710ace-mz.A1_8_0A.bin"
Configuration register is 0x1
8. Enter the show ft group detail command in Exec mode to verify the state
of each appliance. Upgrade the ACE that has its Admin context in the
STANDBY_HOT state (ACE-2) first by entering the reload command in
Exec mode.
ACE-2/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes]
Note
If you upgrade from A1(7a) or A1(7b) to A3(1.0), you will see that the
ACE enters the STANDBY-HOT state. However, if you upgrade from
A1(8.0) or A1(8.0a) to A3(1.0), you will see that the ACE enters the
STANDBY_WARM state.
After ACE-2 boots up, it may take a few minutes to reach the
STANDBY_HOT state again. Configuration synchronization is still enabled
and the connections through ACE-1 are still being replicated to ACE-2.
Note
Do not add any more commands to the ACE-1 configuration. At this
point in the upgrade procedure, any incremental commands that you add
to the ACE-1 configuration may not be properly synchronized to the
ACE-2 configuration.
9. Disable preemption on ACE-1.
ACE-1/Admin# config
ACE-1/Admin(config)# ft group 1
ACE-1/Admin(config-ft-group)# no preempt
Enter Ctrl-z to return to Exec mode.
10. Perform a graceful failover of all contexts from ACE-1 to ACE-2 by
entering the ft switchover all command in Exec mode on ACE-1. ACE-2
becomes the new active ACE and assumes mastership of all active
connections with no interruption to existing connections.
ACE-1/Admin# ft switchover all
11. Upgrade ACE-1 by reloading it and verify that ACE-1 enters the
STANDBY_HOT state (may take several minutes) by entering the show ft
group detail command in Exec mode.
Because the standby ACE has changed its state to either STANDBY_COLD
or STANDBY_HOT, the configuration mode is enabled. The configuration
is synchronized from ACE-2 (currently active) to ACE-1. If ACE-1 is
configured with a higher priority and preempt is configured on the FT
group, ACE-1 reasserts mastership after it has received all configuration
and state information from ACE-2, making ACE-2 the new standby. ACE-1
becomes the active ACE once again.
ACE-1/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes]
12. Enter the show ft group detail command to verify that ACE-1 is in the
ACTIVE state and ACE-2 is in the STANDBY_HOT state.
Table A-2 provides a quick overview of the steps required to downgrade the
software on each ACE. Each step includes the CLI command or a reference to the
procedure required to complete the task. For a complete description of each
feature and all the options associated with the CLI commands, see the sections
that follow Table A-2. For clarity, the original active ACE is referred to as ACE-1
and the original standby ACE is referred to as ACE-2 in the following quick start.
Table A-2
Software Downgrade Quick Start
Task and Command Example
1. Before you downgrade your ACE software, ensure that the following
conditions exist:
– Identical versions of the desired downgrade software images reside in
the image: directory of both ACEs.
– The active ACE has a higher priority than the standby ACE and
preempt is enabled on the FT group if you want the active ACE to
remain active after the downgrade procedure.
2. If your ACE includes a license that was not supported by the previous
software version, ensure that you remove this and reinstall the previous
license.
See Chapter 3, Managing ACE Software Licenses, in the Cisco 4700 Series
Application Control Engine Appliance Administration Guide.
3. Log in to the ACE. The Exec mode prompt appears at the CLI. If you are
operating in multiple contexts, observe the CLI prompt to verify that you
are operating in the Admin context. If necessary, log directly in to, or
change to the Admin context.
host1/Admin#
4. Save the running configurations of every context by entering the write
memory all command in Exec mode in the Admin context of each ACE.
host1/Admin# write memory all
5. If you had created checkpoints in your previous running-configuration files
(highly recommended), roll back the configuration in each context on each
ACE to the check-pointed configuration. For example:
ACE-1/Admin# checkpoint create ADMIN_CHECKPOINT
ACE-1/Admin# changeto C1
ACE-1/C1# checkpoint create C1_CHECKPOINT
Do the same on the other ACE. For information about creating checkpoints
and rolling back configurations, see the Cisco 4700 Series Application
Control Engine Appliance Administration Guide.
6. If necessary, enter the copy ftp, copy sftp, or the copy tftp command in
Exec mode to copy the downgrade software image to the image: directory
of each ACE. For example, to copy the image with the name
c4710ace-mz.A1_8_0A.bin using FTP, enter:
ACE-1/Admin# copy ftp://server1/images/c4710ace-mz.A1_8_0A.bin image:
7. Configure ACE-1 to autoboot from the previous image. To set the boot
variable and configuration register to 0x1 (perform auto boot and use
startup-config file), use the boot system image: and config-register
commands in configuration mode. For example, enter:
ACE-1/Admin# config
ACE-1/Admin(config)# boot system image:c4710ace-mz.A1_8_0A.bin
ACE-1/Admin(config)# config-register 0x1
ACE-1/Admin(config)# exit
ACE-1/Admin#
You can set up to two images through the boot system command. If the first
image fails, the ACE tries the second image.
Note
Use the no boot system image: command to unset the previously
configured boot variable.
8. Verify the boot variable was synchronized to ACE-2 by entering the
following command on ACE-2:
ACE-2/Admin# show bootvar
BOOT variable = "disk0:/c4710ace-mz.A1_8_0A.bin;disk0:/c4710ace-mz.A3_1_0.bin"
Configuration register is 0x1
9. Enter the show ft group detail command in Exec mode to verify the state
of each appliance. Downgrade the ACE that has its Admin context in the
STANDBY_HOT state (ACE-2) first by entering the reload command.
ACE-2/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes]
Note
If you downgrade from A3(1.0) to A1(7a) or A1(7b) you will see that
the ACE enters the STANDBY-HOT state. However, if you downgrade
from A3(1.0) to A1(8.0) or A1(8.0a), you will see that the ACE enters
the STANDBY_WARM state.
When ACE-2 loads the startup-configuration file, you may observe a few
errors if you did not roll back the configuration to a checkpoint. These
errors are harmless and occur because the ACE software does not recognize
the A3(1.0) commands in the startup-configuration file.
After ACE-2 boots up, note the following:
– For software version A1(8.0) or A1(8.0a), after ACE-2 boots up, it may
take a few minutes to reach the STANDBY_HOT state again.
– For software version A1(7a) or A1(7b), after ACE-2 boots up, it may
take a few minutes to reach the STANDBY_WARM state again.
Configuration synchronization is still enabled and the connections through
ACE-1 are still being replicated to ACE-2.
10. Perform a graceful failover of all contexts from ACE-1 to ACE-2 by
entering the ft switchover all command in Exec mode on ACE-1. ACE-2
becomes the new active ACE and assumes mastership of all active
connections with no interruption to existing connections.
ACE-1/Admin# ft switchover all
11. Reload ACE-1 with the same downgrade software version as ACE-2. Again,
you may observe a few errors as ACE-1 loads the startup-configuration file.
ACE-1/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes]
After ACE-1 boots up, it assumes the role of standby and enters the
STANDBY_HOT state (this may take several minutes).
12. Verify the states of both ACEs by entering the show ft group detail
command in Exec mode. Because both ACE-1 and ACE-2 are running the
same version of software now, configuration mode is enabled. The
configuration is synchronized from ACE-2 (currently active) to ACE-1. If
ACE-1 is configured with a higher priority and preempt is configured on the
FT group, ACE-1 reasserts mastership after it has received all configuration
and state information from ACE-2, making ACE-2 the new standby. ACE-1
becomes the active ACE once again.
13. Perform manual cleanup in the running-configuration files of both ACEs to
remove unnecessary version configuration elements.
14. Enter the write memory all command in both ACEs to save the
running-configuration files in all configured contexts to their respective
startup-configuration files. This action will eliminate future errors when the
ACEs reload their startup-configuration files.
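The checks that the upgrade quick start (Table A-1, steps 5 to 7) and the downgrade quick start (Table A-2, steps 1, 7 and 8) have you make by eye before reloading, carried out as an added Python example that is not part of this guide or of the ACE software. It parses dir image: and show bootvar output; the sample outputs are constructed, modelled on the examples in the tables, and the ACE names and the TARGET image are assumptions.

```python
# Added example (not from the Cisco guide): pre-reload checks for an ACE pair,
# driven by 'dir image:' and 'show bootvar' output.  Sample outputs are
# constructed, modelled on the examples in the quick-start tables.
import re

TARGET = "c4710ace-mz.A3_1_0.bin"  # image both ACEs must boot after the upgrade

DIR_ACE1 = """\
   176876624   Aug 08 2008 14:15:31   c4710ace-mz.A3_1_0.bin
   176876624   Jun 9 14:15:31 2008    c4710ace-mz.A1_8_0A.bin

Usage for image: filesystem
     896978944 bytes total used
      11849728 bytes free
     908828672 bytes total
"""
DIR_ACE2 = """\
   176876624   Aug 08 2008 14:20:02   c4710ace-mz.A3_1_0.bin

Usage for image: filesystem
     720102320 bytes total used
     188726352 bytes free
     908828672 bytes total
"""
BOOTVAR_OK = """\
BOOT variable = "disk0:/c4710ace-mz.A3_1_0.bin;disk0:/c4710ace-mz.A1_8_0A.bin"
Configuration register is 0x1
"""
BOOTVAR_STALE = """\
BOOT variable = "disk0:/c4710ace-mz.A1_8_0A.bin"
Configuration register is 0x1
"""


def parse_dir(text):
    """Return ({image name: size in bytes}, free bytes) from 'dir image:' output."""
    listing, _, usage = text.partition("Usage for image:")
    files = {}
    for line in listing.splitlines():
        # size comes first and the file name last; the date format in between varies
        m = re.match(r"^\s*(\d+)\s+.*?(\S+)\s*$", line)
        if m:
            files[m.group(2)] = int(m.group(1))
    m = re.search(r"(\d+)\s+bytes free", usage)
    return files, int(m.group(1)) if m else 0


def parse_bootvar(text):
    """Return ([image names in boot order], config register) from 'show bootvar'."""
    images = []
    m = re.search(r'BOOT variable = "([^"]*)"', text)
    if m:
        for entry in m.group(1).split(";"):
            if entry.strip():  # 'disk0:/name' -> 'name'
                images.append(re.split(r"[/:]", entry.strip())[-1])
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", text)
    return images, m.group(1).lower() if m else ""


def copy_fits(dir_output, image_size):
    """True if image: has room for another image_size bytes (check before copying)."""
    return parse_dir(dir_output)[1] >= image_size


def readiness_findings(target, dir_outputs, bootvar_outputs):
    """Problems that should stop a reload; an empty list means the pair is ready.

    Both arguments map an ACE name ('ACE-1', 'ACE-2') to its raw CLI output.
    """
    findings, sizes, orders = [], {}, set()
    for name, out in dir_outputs.items():
        files, _ = parse_dir(out)
        if target in files:
            sizes[name] = files[target]
        else:
            findings.append(f"{name}: {target} is missing from image:")
    if len(set(sizes.values())) > 1:  # same name on both, but not the same bytes
        findings.append(f"{target} differs in size across ACEs: {sizes}")
    for name, out in bootvar_outputs.items():
        images, register = parse_bootvar(out)
        orders.add(tuple(images))
        if not images or images[0] != target:
            findings.append(f"{name}: first boot image is not {target}")
        if register != "0x1":  # 0x1 = autoboot and load the startup-config
            findings.append(f"{name}: configuration register is {register!r}, not 0x1")
    if len(orders) > 1:
        findings.append("boot variable is not synchronized between the ACEs")
    return findings


if __name__ == "__main__":
    dirs = {"ACE-1": DIR_ACE1, "ACE-2": DIR_ACE2}
    boot = {"ACE-1": BOOTVAR_OK, "ACE-2": BOOTVAR_STALE}
    print("\n".join(readiness_findings(TARGET, dirs, boot) or ["ready to reload"]))
```

Run against the constructed ACE-2 output the checker reports that the boot variable has not been synchronized, which is exactly the condition step 7 (upgrade) and step 8 (downgrade) tell you to rule out before reloading.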
Copying the Software Upgrade Image to the ACE
To copy a software image to the ACE, use the copy command in the Admin
context from the Exec mode. You can copy a software image to the ACE from a
variety of sources, including:
• FTP server
• SFTP server
• TFTP server
The copy command allows you to rename the image copied to the ACE.
The syntax for this command is:
copy {ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]} image:[name]
The keywords, arguments, and options are:
• ftp://server/path[/filename]—Specifies the URL of the software image
located on an FTP server. This path is optional because the ACE prompts you
for this information if you omit it.
• sftp://[username@]server/path[/filename]—Specifies the URL of a software
image on a secure FTP server. This path is optional because the ACE prompts
you for this information if you omit it.
• tftp://server[:port]/path[/filename]—Specifies the URL of a software image
on a trivial FTP server. This path is optional because the ACE prompts you
for this information if you omit it.
• image:[name]—Specifies the name for the software image copied to the
ACE. If you do not enter the name argument, the ACE uses the default name
of the image.
For example, to copy the image c4710ace-mz.A3_1_0.bin located on an FTP
server to the ACE, enter:
host1/Admin# copy ftp://server1/images/c4710ace-mz.A3_1_0.bin image:
To set the boot variable and configure the ACE to autoboot this image, see the
“Configuring the ACE to Autoboot the Software Image” section.
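The three source-URL forms of the copy command, enforced as a small validator, as an added Python example that is not the ACE's own code. It applies the syntax exactly as documented (username@ only with sftp, :port only with tftp, image: name defaulting to the source filename); the encrypted flag is a property of the FTP, SFTP and TFTP protocols themselves, not something this guide states.

```python
# Added example (not from the Cisco guide): validate the source and destination
# arguments of 'copy {ftp|sftp|tftp}://... image:[name]' as documented above.
from urllib.parse import urlsplit

# scheme -> whether the transfer is protected in transit.  FTP and TFTP move the
# image (and FTP the login) in cleartext; SFTP is the only encrypted option.
SCHEMES = {"ftp": False, "sftp": True, "tftp": False}


def parse_copy_source(url):
    """Break a copy source URL into its parts, or raise ValueError.

    ftp://server/path[/filename]
    sftp://[username@]server/path[/filename]
    tftp://server[:port]/path[/filename]
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("server is required")
    if parts.username and scheme != "sftp":
        raise ValueError(f"username@ is only valid with sftp, not {scheme}")
    if parts.port is not None and scheme != "tftp":
        raise ValueError(f":port is only valid with tftp, not {scheme}")
    path, _, filename = parts.path.rpartition("/")
    return {
        "scheme": scheme,
        "encrypted": SCHEMES[scheme],
        "username": parts.username,
        "server": parts.hostname,
        "port": parts.port,
        "path": path or "/",
        "filename": filename or None,  # None: the ACE prompts for it
    }


def destination_name(source, image_arg="image:"):
    """Name the image gets on the ACE; with a bare 'image:' the source name is kept."""
    if not image_arg.startswith("image:"):
        raise ValueError("destination must be image:[name]")
    name = image_arg[len("image:"):]
    if name:
        return name
    if not source["filename"]:
        raise ValueError("no filename in the URL and no image: name given")
    return source["filename"]


if __name__ == "__main__":
    src = parse_copy_source("ftp://server1/images/c4710ace-mz.A3_1_0.bin")
    print(src, "->", destination_name(src))
```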
Configuring the ACE to Autoboot the Software Image
After you copy the image on to the ACE, configure it to autoboot the image by
setting the boot variable and the configuration register. The boot variable specifies
the image from which the ACE boots at startup. The configuration variable can be
set to autoboot the image defined by the boot variable.
This section contains the following topics:
• Setting the Boot Variable
• Configuring the Configuration Register to Autoboot the Boot Variable
• Verifying the Boot Variable and Configuration Register
For detailed information on the boot variable and configuration register, see
Chapter 1, Setting Up the ACE.
Setting the Boot Variable
To set the boot variable, use the boot system image: command in the Admin
context from the configuration mode. The syntax for this command is:
boot system image:image_name
The image_name argument is the name of the installed image.
You can set up to two images through the boot system command. If the first image
fails, the ACE tries the second image.
For example, to set the boot variable with the c4710ace-mz.A3_1_0.bin image,
enter:
host1/Admin(config)# boot system image:c4710ace-mz.A3_1_0.bin
Use the no boot system image: command to unset the previously configured boot
variable.
Configuring the Configuration Register to Autoboot the Boot Variable
To configure the ACE to autoboot the system image identified in the boot
environment variable, use the config-register command in the Admin context
from the configuration mode and set the configuration register to 0x1.
A config-register setting of 0x1 instructs the ACE to boot the system image
identified in the BOOT environment variable and to load the startup-configuration
file stored in Flash memory. The BOOT environment variable is identified
through the boot system command to specify a list of image files on various
devices from which the ACE can boot at startup (refer to Chapter 1, Setting Up
the ACE).
If the ACE encounters an error or if the image is not valid, it will try the second
image (if one is specified). Upon startup, the ACE loads the startup-configuration
file stored in Flash memory (nonvolatile memory) to the running-configuration
file stored in RAM (volatile memory).
For details about the different settings of the config-register command, refer to
Chapter 1, Setting Up the ACE.
For example, to set the register to 0x1 to boot the system image, enter:
host1/Admin(config)# config-register 0x1
Verifying the Boot Variable and Configuration Register
To verify the boot variable and configuration register, use the show bootvar
command in the Admin context from the Exec mode. For example, enter:
host1/Admin# show bootvar
BOOT variable = "disk0:/c4710ace-mz.A3_1_0.bin;disk0:/c4710ace-mz.A1_8_0A.bin"
Configuration register is 0x1
The “0x1” indicates that the configuration register is set to perform an automatic
boot and to apply the startup-configuration file.
Reloading the ACE
To allow the ACE to use the installed software upgrade, reload the ACE appliance.
To reload the ACE, use the reload command in the Admin context from the Exec
mode. The syntax for this command is:
reload
For example, enter:
host1/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes]
Displaying Software Image Information
To display the software image on the ACE, use the show version command in
Exec mode. The syntax for this command is:
show version
For example, enter:
host1/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader:
Version 0.95
system:
Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0
system image file: (nd)/192.168.65.31/scimitar.bin
Device Manager version 1.1 (0) 20080805:0415
installed license: ACE-AP-VIRT-020 ACE-AP-C-1000-LIC
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6226392 kB, free: 4315836 kB
shared: 0 kB, buffers: 17164 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 935560 kB, used: 611564 kB, available: 276472 kB
last boot reason: Unknown
configuration register: 0x1
kernel uptime is 0 days 21 hours 25 minute(s) 17 second(s)