Preface
This documentation describes how to use the Device Manager to configure the Cisco ACE 4700 Series Application Control Engine Appliance.
• Chapter 4, “Configuring Virtual Contexts” describes how to configure virtual contexts on the ACE appliance so that you can effectively and efficiently manage and allocate resources, users, and services.
• Chapter 5, “Configuring Virtual Servers” contains procedures for configuring virtual servers for load balancing on the ACE.
Related Documentation
In addition to this documentation, the ACE appliance documentation set includes the following:
Document Title / Description
Administration Guide, Cisco ACE Application Control Engine: Describes how to perform the following administration tasks on the ACE:
• Setting up the ACE
• Establishing remote access
• Managing software licenses
• Configuring class maps and
Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance:
Release Note, Cisco ACE 4700 Series Application Control Engine Appliance: Provides information about operating considerations, caveats, and command-line interface (CLI) commands for the ACE appliance.
User Guide, Cisco Application Networking Manager: Describes how to use Cisco Application Networking Manager (ANM), a network management application for monitoring and configuring network devices, including the ACE.
Virtualization Guide, Cisco ACE Application Control Engine: Describes how to operate your ACE in a single context or in multiple contexts.
Open-Source Software Included in Cisco ACE Application Control Engine
• Cisco ACE Application Control Engine includes the following open-source software, which is covered by the Apache 2.0 license (http://www.apache.org/): Ant, Apache Axis, Avalon Logkit, Commons, Ehcache, Globus Toolkit, Jetty, Log4J, Oro, Tomcat.
• Cisco ACE Application Control Engine includes the following open-source software, which is covered by The Legion of the Bouncy Castle (http://www.bouncycastle.org/licence.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5.
The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
C H A P T E R 1 Overview
This chapter contains the following sections:
• ACE Appliance Device Manager Overview, page 1-1
• Information About the ACE No Payload Encryption Software Version, page 1-2
• Finding Information on CLI Tasks, page 1-3
• Logging into ACE Appliance Device Manager, page 1-4
• Changing Your Account Password, page 1-6
• ACE Appliance Device Manager Interface Overview, page 1-6
• Configuration Overview, page 1-18
• Understanding ACE Features, page 1-19
• IPv6 Considerat
Information About the ACE No Payload Encryption Software Version
• Helps you manage ACE appliance licenses and role-based access control (RBAC).
• Provides a monitoring interface with a flexible choice of statistics and graphs.
• Enables you to report any problem with the ACE appliance using the Lifeline feature, which allows you to forward critical information about the problem to Cisco Technical Support.
Finding Information on CLI Tasks
ACE Appliance Device Manager does not include a one-to-one mapping of all the possible command line interface (CLI) tasks for the ACE appliance. Table 1-1 identifies some of the individual tasks to be performed from the CLI and provides a reference to the applicable configuration guide. For tasks not found in this table, see the Getting Started Guide, Cisco ACE 4700 Series Application Control Engine Appliance.
Logging into ACE Appliance Device Manager
Note: When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), be aware that the Device Manager (DM) supports object names that are alphanumeric strings of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
The admin account was created when the system was installed. Once you are logged in using this account, you can create additional user accounts and manage virtual contexts, roles, and domains. For information on changing account passwords, see Changing User Passwords, page 15-13.
Step 4 In the Password field, type the password for the admin user account, admin.
Changing Your Account Password
All ACE appliances are shipped from Cisco Systems with the same administrative username and password. If you do not change the default Admin password, you will only be able to log in to the ACE through the console port. Use this procedure to change your account password.
ACE Appliance Device Manager Interface Overview
Figure 1-1 is the All Virtual Contexts table (Config > Virtual Contexts), shown as an example of the DM interface components. Table 1-2 describes the numbered fields. A description of the buttons in the ACE Appliance Device Manager window is in Table 1-4 on page 1-9. Features that are not accessible from your user login or context because of permission settings either do not display or display grayed out.
Table 1-2 ACE Appliance Device Manager Interface Components Descriptions (continued)
Field / Description
4 Content area, which contains the display and input area of the window. It can include tables, graphical maps, configuration screens, graphs, buttons, or combinations of these items. For a description of buttons, see Table 1-4 on page 1-9.
Table 1-3 Example ACE Appliance Device Manager Screen Descriptions
Number / Description
1 The high-level navigation path within the ACE Appliance Device Manager interface, which includes Config, Monitor, and Admin functions. You can click a tab in the navigation path to view the next level of menus below the tabs.
2 Content area. Contains the display and input area of the window.
Table 1-4 Button and Element Descriptions (continued)
Button / Name / Description
Auto Refresh: Pauses the automatic refresh feature. You can pause the automatic refresh for 30, 60, 120, 300, 600, or 3600 seconds. If you disable the automatic refresh feature, ACE Appliance Device Manager times out after 30 minutes.
Help: Launches context-sensitive help for the current screen.
Related Topics
• Understanding ACE Appliance Device Manager Screens and Menus, page 1-8
• Understanding Table Buttons, page 1-11
• ACE Appliance Device Manager Screen Conventions, page 1-15
Understanding Table Buttons
When the content area of the ACE Appliance Device Manager screen contains a table, several buttons appear, as described in Table 1-5.
Conventions in Tables
Selecting Table Entries
Double-clicking an entry in a table opens its corresponding configuration screen. You can select multiple entries in a table in two ways:
• To select all table entries, check the check box at the top of the first column (where available).
• To select multiple entries individually, select the desired entries.
Filtering Entries
Click Filter to view table entries using criteria you select. When filtering is enabled, a filter row appears above the first table entry that allows you to filter entries in the following ways:
• In a drop-down list, select one of the ACE Appliance Device Manager-identified categories (see Figure 1-4). The table refreshes automatically with the entries that match the selected criterion.
Using the Advanced Editing Option
By default, tables include columns that contain configured attributes, or a subset of columns related to a key field. To view all configurable attributes in table format, click Advanced Editing Mode (the highlighted button in Figure 1-5). When advanced editing mode is enabled, all columns appear for your review (see Figure 1-5).
ACE Appliance Device Manager Screen Conventions
Table 1-6 describes other conventions used in ACE Appliance Device Manager screens.
Table 1-6 ACE Appliance Device Manager Screen Conventions
Convention / Example / Description
Dimmed field: Dimmed fields signify items that cannot be modified or that are not accessible from the current screen. Some buttons are dimmed if more than one item is selected in the list.
Viewing Monitoring Results
Figure 1-6 shows an example graph from the Monitor component.
Figure 1-6 Monitoring Results Screen
Monitor graphs offer many options, including graph type, viewing raw data, graph layout, and values to be included. Table 1-7 identifies these options and their associated buttons. When viewing a graph, click the button to select the option. ACE Appliance Device Manager displays graph data in GMT.
Table 1-7 ACE Appliance Device Manager Monitor Buttons (unsure if all of these are still available)
Button / Name / Description
Viewing Options
Bar graph: Creates a bar graph using the displayed information.
Show raw data: Displays the raw data in table format.
Output to Excel: Displays the raw data in Excel format in a separate browser window.
Layout, Value, and Time Options
Change Legend: Displays the location of the legend.
Configuration Overview
Use the flow chart in Figure 1-7 to get started with the ACE Appliance Device Manager. Table 1-8 describes these tasks in more detail.
Understanding ACE Features
Table 1-8 Configuration Task Overview (continued)
Task / Description
Step 5 Add user accounts. In this step you set up tiered access for users. See Managing the ACE Appliance, page 15-1 for details.
Step 6 Perform administrative tasks. This step includes ongoing maintenance and administrative tasks, such as the following:
• Updating ACE appliance software (see Managing ACE Appliance Licenses, page 4-29).
IPv6 Considerations
• Application Acceleration and Optimization—The ACE includes several optimization technologies to accelerate Web application performance, optimize network performance, and improve access to critical business information.
• Command-Line Interface—The command-line interface (CLI) is a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.
When you configure redundancy with active and standby ACEs, you can configure a VLAN interface that has an alias global IPv6 address that is shared between the active and standby ACEs. The alias IPv6 address serves as a shared gateway for the two ACEs in a redundant configuration. You can configure only one alias global IPv6 address on an interface.
• A multicast address is used for communications from one source to many destinations.
Understanding ACE Appliance Device Manager Terminology
• ICMPv6 traffic is not automatically allowed. You must configure the corresponding management traffic policy to allow ping requests to the ACE. However, the Neighbor Discovery (ND) messages that IPv6 needs for address resolution (the ARP function) and duplicate address detection are automatically permitted.
• All management traffic from the network management server or the DM must be sent over IPv4. IPv6 is not supported for management traffic.
For more information on RBAC, see Controlling Access to the Cisco ACE Appliance, page 15-3.
• Resource class: A resource class is a defined set of resources and allocations available for use by a virtual context. Using resource classes prevents a single context from using all available resources and can be used to ensure that every context is guaranteed the minimum set of resources necessary.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance 1-24 OL-26645-02
CHAPTER 2 Using Homepage
Homepage is a launching point for quick access to selected areas within Cisco Device Manager (DM). It allows you to have quick access to the following operations and guided setup tasks in DM:
• Operational tasks that you can access:
– The Real Servers table to view information for each configured real server, activate or suspend real servers listed in the table, or modify the server weight.
The DM Homepage (see Figure 2-1) is the first page that appears in DM after you log in.
Figure 2-1 Homepage Window
Table 2-1 identifies the Homepage links, associated pages in DM, and related topics that can be found in this document.
Table 2-1 Homepage Links (continued)
Homepage Link / DM Page / Related Topics
Documentation
Cisco DM Documentation / N/A (link to documentation set on www.cisco.com) / N/A
Cisco ACE Appliance Documentation / N/A (link to documentation set on www.cisco.
CHAPTER 3 Using DM Guided Setup
This chapter describes how to use Cisco Device Manager (DM) Guided Setup.
Note: When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
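The naming rule above (and the matching Note in Chapter 1 about objects configured from the ACE CLI) is easy to check before a configuration is pushed or imported into DM. The following is an added example written for this page, not code from the guide or from Cisco: it validates names against the stated rule (1 to 64 characters from letters, digits, underscore, hyphen, dot and asterisk; no spaces) and audits an ACE-style running-config excerpt for names DM would reject. The CLI keywords it recognizes (rserver, serverfarm, probe, class-map, parameter-map, sticky), the rule that the object name is the last token on such a line, the sample configuration, and the reason strings are all this example's own assumptions.

```python
import re

# Naming rule stated in the guide: 1 to 64 alphanumeric characters, optionally
# including underscore (_), hyphen (-), dot (.) and asterisk (*); no spaces.
ALLOWED_CHAR = r"[A-Za-z0-9_.\-*]"
OBJECT_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-*]{1,64}$")


def is_valid_object_name(name: str) -> bool:
    """True if `name` satisfies the DM object-naming rule quoted above."""
    return OBJECT_NAME_RE.fullmatch(name) is not None


def name_problem(name: str):
    """Return None for an acceptable name, otherwise a short reason string.
    The reason strings are this example's own wording, not DM error text."""
    if name == "":
        return "empty name"
    if len(name) > 64:
        return f"too long ({len(name)} characters, maximum is 64)"
    if " " in name:
        return "contains a space"
    bad = sorted({c for c in name if not re.fullmatch(ALLOWED_CHAR, c)})
    if bad:
        return "disallowed character(s): " + ", ".join(repr(c) for c in bad)
    return None


# Assumed (not from the guide): CLI keywords that introduce a named object.
# The object name is taken as the last token on the line, which fits forms such
# as "rserver host NAME", "probe http NAME" and "class-map match-any NAME".
NAMED_OBJECT_RE = re.compile(
    r"^\s*(?P<kind>rserver|serverfarm|probe|class-map|parameter-map|sticky)\b"
    r".*\s(?P<name>\S+)\s*$"
)


def names_from_config(config_text: str):
    """Return [(line_number, kind, name)] for every named object found."""
    found = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = NAMED_OBJECT_RE.match(line)
        if m:
            found.append((lineno, m["kind"], m["name"]))
    return found


def audit_config_names(config_text: str):
    """Return [(line_number, kind, name, reason)] for names DM would not accept."""
    problems = []
    for lineno, kind, name in names_from_config(config_text):
        reason = name_problem(name)
        if reason is not None:
            problems.append((lineno, kind, name, reason))
    return problems


# Constructed sample running-config excerpt (not from the guide); two of the
# names deliberately break the rule: one has a '#', one is 70 characters long.
LONG_NAME = "STICKY_" + "X" * 63
SAMPLE_CONFIG = f"""\
rserver host WEB1
  ip address 192.168.1.11
  inservice
serverfarm host SF_WEB
  rserver WEB1
  inservice
probe http HTTP_PROBE
  interval 10
class-map match-any VS_HTTP_Front-End
  2 match virtual-address 172.16.5.10 tcp eq www
parameter-map type http PM_HTTP#legacy
sticky http-cookie SESSIONID {LONG_NAME}
"""

if __name__ == "__main__":
    for lineno, kind, name, reason in audit_config_names(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} {name!r}: {reason}")
```

Running the audit on the constructed excerpt reports the parameter map on line 11 (disallowed character) and the sticky group on line 12 (too long); every other name passes. Because the CLI tokenizes on whitespace, a name containing a space cannot appear in a running-config line, so the config audit only ever exercises the character-set and length checks; `name_problem` still reports spaces for names typed directly into a form.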
Information About Guided Setup
Note: The available menu and button options on the Guided Setup tasks are under Role-Based Access Control (RBAC). Menu and button options are grayed out if the administrator has not granted the proper permission to the logged-in user. See the “Controlling Access to the Cisco ACE Appliance” section on page 15-3 for more information about RBAC in DM.
Table 3-1 identifies the individual guided setup tasks and related topics.
Guidelines and Limitations
As you perform a Guided Setup task, use the following operating conventions:
• To move between steps, click the name of the step in the menu to the left.
• The steps for each task are listed in an order that is designed to prevent problems during later steps; however, you can skip steps if you know they are not applicable to your application.
Using ACE Hardware Setup
Procedure
Step 1 Choose Config > Guided Setup > ACE Hardware Setup. The ACE Hardware Setup window appears with the Configuration Type drop-down list.
Step 2 From the Configuration Type drop-down list, choose whether to set up the ACE as a standalone device or as a member of a high-availability (HA) ACE pair:
• Standalone—The ACE is not to be used in an HA configuration.
Step 6 If you are configuring an ACE appliance and want to group physical ports on the appliance into a logical Layer 2 interface called a port channel (sometimes known as an EtherChannel), click Port Channel Interfaces under ACE Hardware Setup. The Port Channel Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > Port Channel Interfaces).
Note
a. To prevent loss of management connectivity during an HA configuration, you must configure the IP addresses of the management VLAN interface correctly for your HA setup. During this procedure, choose the management VLAN interface (and click the Edit button) and make sure that its IP address, alias IP address, and peer IP address are all set correctly. You can repeat this process for any VLAN interfaces that you want.
Using Virtual Context Setup
Step 10 Note: To display statistics and status information for a particular HA group, choose the group from the ACE HA Groups table and click Details. The output of the show ft group group_id detail CLI command appears. See the “Displaying High Availability Group Statistics and Status Information” section on page 11-16 for details.
Perform the following tasks to create or modify a resource class:
a. If you want to create a resource class, click Add (+). The New Resource Class configuration window appears. Enter the resource information as described in the “Managing Resource Classes” section on page 4-35.
b. If you want to modify an existing resource class, choose the resource class that you want to modify, and then click Edit.
Using Application Setup
Step 6 If you want to set up a separate management VLAN interface for the virtual context, under Management Settings, configure the management interface for this virtual context and create an admin user. Each context also has its own management VLAN that you can access using the DM GUI. In this case, you would assign an independent VLAN and IP address for management traffic to access the virtual context.
Figure 3-1 Example of a One-Armed Network Topology (figure labels: client-to-ACE request with the client IP as source and the VIP 172.16.5.10 as destination; request from NAT pool IP 172.16.5.101 as source to server IP 192.168.1.11 as destination; router/switch; client network; ACE VLAN, e.g. 172.16.5.0/16; server VLAN, e.g. 192.168.1.0/16; real servers; ACE virtual context)
Figure 3-2 illustrates the routed mode network topology.
Step 2 From the Select Virtual Context drop-down list, choose an existing ACE virtual context.
Step 3 If your ACE is to use HTTPS when communicating with either the client or with real servers, in the Use HTTPS (SSL) field, choose Yes to specify that the ACE should be set up for secure (SSL) Hypertext Transfer Protocol (HTTP).
Note: The HTTPS option does not apply to the ACE NPE software version.
Step 4
Note: After you define the BVI, write down the client-side VLAN number. You will need this BVI number in the ACL and virtual server steps (Steps 9 and 11) of this procedure.
Step 8
c. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
d.
The SSL Proxy window appears (Config > Guided Setup > Application Setup > SSL Proxy).
Note: To terminate or initiate HTTPS connections with the ACE, the virtual context must have at least one SSL proxy service. An SSL proxy service contains the certificate and key information needed to terminate HTTPS connections from the client or to initiate them to the servers.
Perform the following actions to create or modify an SSL proxy service:
a.
– Create a server farm that contains one or more real servers for this application (see Table 5-10 in the “Configuring Virtual Server Layer 7 Load Balancing” section for details on setting server farm attributes).
– If the ACE is to initiate HTTPS connections to the real servers, choose the desired SSL proxy for initiation to this application from the menu next to SSL Initiation.
– (One-Armed Topology) Under NAT, enter the NAT pool ID from Step 8.
C H A P T E R 4 Configuring Virtual Contexts
Cisco Application Control Engine Appliance Device Manager (ACE Appliance Device Manager) provides a number of options for creating, configuring, and managing ACE appliances.
Using Virtual Contexts
Virtual contexts use the concept of virtualization to partition your ACE appliance into multiple virtual devices or contexts. Each context contains its own set of policies, interfaces, resources, and administrators. This feature enables you to more closely and efficiently manage resources, users, and the services you provide to your customers.
Creating Virtual Contexts
Table 4-1 Virtual Context Configuration Attributes
Field / Description
Basic Settings
Name: Enter a unique name for the virtual context. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. This field is read-only for existing contexts.
Description: Enter a brief description of the virtual context. Enter the description as an unquoted text string with a maximum of 240 alphanumeric characters.
Table 4-1 Virtual Context Configuration Attributes (continued)
Field / Description
Interface Mode: Choose the topology that reflects the relationship of the selected ACE virtual context to the real servers in the network:
• Routed—The ACE virtual context acts as a router between the client-side network and the server-side network.
Table 4-1 Virtual Context Configuration Attributes (continued)
Field / Description
Match Conditions: When you enter the VLAN ID for the management interface, the Match Conditions table appears. To add or modify the protocols allowed on this management VLAN, do the following:
1. Click Add to choose a protocol for the management interface, or choose an existing protocol entry listed in the Match Conditions table and click Edit to modify it.
Table 4-1 Virtual Context Configuration Attributes (continued)
Field / Description
SNMP v2c Read-Only Community String: This field appears when you check the Enable SNMP Get check box. Enter the SNMPv2c read-only community string to be used as the SNMP Get community string. For existing contexts, this field is read-only once it has been configured.
Configuring Virtual Contexts
After creating a virtual context, you can configure it. Configuring a virtual context involves configuring a number of attributes, grouped into configuration subsets. Table 4-2 describes the ACE Appliance Device Manager configuration subsets and provides links to related topics.
Table 4-2 ACE Appliance and Virtual Context Configuration Options
Configuration Subset / Description / Related Topics
System: System configuration options allow you to configure:
• Syslog attributes including the type and severity of syslog messages that are to be logged, the syslog log host, log messages, and log rate limits.
Related Topics:
• Configuring Virtual Context Primary Attributes, page 4-11
Table 4-2 ACE Appliance and Virtual Context Configuration Options (continued)
Configuration Subset / Description / Related Topics
Load Balancing: Load-balancing attributes allow you to:
• Configure virtual servers, real servers, and server farms for load balancing.
• Establish the predictor method and return code checking.
• Implement sticky groups for session persistence.
Table 4-2 ACE Appliance and Virtual Context Configuration Options (continued)
Configuration Subset / Description / Related Topics
Network: Network configuration options allow you to configure:
• Port channel interfaces
• Gigabit Ethernet interfaces
• VLAN interfaces
• BVI interfaces
• Network Address Translation (NAT) pools for a VLAN interface
• Static routes
• DHCP relay agents
Note
High Availability: High Availability (HA) attributes
Configuring Virtual Context System Attributes
Table 4-3 identifies the ACE Appliance Device Manager virtual context System configuration options and related topics for more information.
Configuring Virtual Context Syslog Logging
Procedure
Step 1 Choose Config > Virtual Contexts > context > System > Primary Attributes. The Primary Attributes configuration screen appears.
Step 2 Enter the primary attributes for this virtual context as described in Table 4-1.
Step 3 Click Deploy Now to deploy this configuration on the ACE appliance. To exit this procedure without accepting your entries, select a different configuration option.
The severity level that you specify indicates that you want syslog messages at that level and at all more severe levels. For example, if you specify Error, syslog displays Error, Critical, Alert, and Emergency messages.
Note: If you set all syslog levels to Debug, some commands, such as switchover, are not processed successfully.
Table 4-5 Virtual Context Syslog Configuration Attributes (continued)
Field / Description / Action
History Level: This option specifies the maximum level for system log messages sent as traps to an SNMP network management station. Action: Choose the desired level for sending system log messages as traps to an SNMP network management station. This option is disabled by default.
Table 4-5 Virtual Context Syslog Configuration Attributes (continued)
Field / Description / Action
Enable Fastpath Logging: This option indicates whether connection setup and teardown messages are logged. Action: Check the check box to enable the logging of setup and teardown messages, or clear the check box to disable the logging of setup and teardown messages. This option is disabled by default.
• Configuring Syslog Log Hosts, page 4-16
• Configuring Syslog Log Messages, page 4-17
• Configuring Syslog Log Rate Limits, page 4-18
Configuring Syslog Log Hosts
After configuring basic syslog characteristics (see the “Configuring Virtual Context Syslog Logging” section on page 4-12), you can configure the log host, log messages, and log rate limits.
Related Topics
• Configuring Virtual Context Syslog Logging, page 4-12
• Configuring Syslog Log Messages, page 4-17
• Configuring Syslog Log Rate Limits, page 4-18
Configuring Syslog Log Messages
After configuring basic syslog characteristics (see the “Configuring Virtual Context Syslog Logging” section on page 4-12), you can configure the log host, log messages, and log rate limits.
Configuring Syslog Log Rate Limits
After configuring basic syslog characteristics (see the “Configuring Virtual Context Syslog Logging” section on page 4-12), you can configure the log host, log messages, and log rate limits. The tabs for these attributes appear beneath the Syslog configuration screen. Use this procedure to limit the rate at which the ACE appliance generates syslog messages.
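Two of the syslog settings described in this section, the severity level (a configured level admits that level and every more severe one) and the rate limit, are worth seeing together on sample messages, because a rate limit applied after the level filter decides which repeated Error-level events a log host actually receives. The following is an added example written for this page, not code from the guide or from Cisco: it models the severity rule exactly as stated above and adds a simple per-message-id sliding-window rate limit. The message tag format ("%ACE-severity-id:"), the six-digit message ids, the sample log lines and timestamps, and the sliding-window semantics of the limiter are all this example's own assumptions and are not the ACE's internal implementation.

```python
import re
from collections import deque

# Syslog severity names and numbers (RFC 5424 numbering: lower is more severe).
SEVERITY_LEVELS = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7,
}

# Assumed message tag format for this example: "%ACE-<severity>-<six-digit id>:".
ACE_TAG_RE = re.compile(r"%ACE-(?P<sev>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)$")


def parse_ace_syslog(line: str):
    """Return {'severity', 'msg_id', 'text'} for a tagged line, else None."""
    m = ACE_TAG_RE.search(line)
    if m is None:
        return None
    return {"severity": int(m["sev"]), "msg_id": m["msg_id"], "text": m["text"]}


def passes_level(configured_level: str, severity: int) -> bool:
    """The guide's rule: the configured level admits that level and all more
    severe (numerically lower) levels, e.g. Error admits 0..3."""
    return severity <= SEVERITY_LEVELS[configured_level]


class PerMessageRateLimit:
    """Sliding-window limiter: at most `limit` messages with the same message
    id per `interval` seconds. A model for this example, not the ACE's own."""

    def __init__(self, limit: int, interval: float):
        self.limit = limit
        self.interval = interval
        self._stamps = {}   # msg_id -> deque of timestamps of accepted messages

    def allow(self, msg_id: str, now: float) -> bool:
        window = self._stamps.setdefault(msg_id, deque())
        while window and now - window[0] >= self.interval:
            window.popleft()            # drop timestamps outside the window
        if len(window) >= self.limit:
            return False
        window.append(now)
        return True


def process_log(entries, configured_level, limit, interval):
    """Apply the level filter, then the per-message rate limit.
    `entries` is a list of (timestamp_seconds, raw_line).
    Returns (kept_lines, dropped_by_level, dropped_by_rate)."""
    limiter = PerMessageRateLimit(limit, interval)
    kept, by_level, by_rate = [], 0, 0
    for ts, line in entries:
        msg = parse_ace_syslog(line)
        if msg is None:
            continue                    # untagged line: not an ACE message
        if not passes_level(configured_level, msg["severity"]):
            by_level += 1
            continue
        if not limiter.allow(msg["msg_id"], ts):
            by_rate += 1
            continue
        kept.append(line)
    return kept, by_level, by_rate


def _line(sev: int, msg_id: str, text: str) -> str:
    """Build a constructed sample line; PRI is facility local0 (16*8) + severity."""
    return f"<{128 + sev}>Jan 10 12:00:00 ace1 %ACE-{sev}-{msg_id}: {text}"


PROBE_FAIL = _line(3, "900003", "Health probe failed for server 192.168.1.11 port 80")

# Constructed sample (timestamps in seconds); the probe failure repeats six times.
SAMPLE_LOG = [
    (0.0, PROBE_FAIL),
    (0.5, _line(6, "900006", "Built TCP connection for VIP 172.16.5.10:443")),
    (1.0, PROBE_FAIL), (1.2, PROBE_FAIL), (1.4, PROBE_FAIL),
    (1.6, PROBE_FAIL), (1.8, PROBE_FAIL),
    (2.0, _line(2, "900002", "Standby peer unreachable")),
    (2.5, _line(4, "900004", "Resource usage above threshold")),
    (12.0, PROBE_FAIL),
    (12.5, "Jan 10 12:00:12 ace1 plain line without an ACE tag"),
]

if __name__ == "__main__":
    kept, by_level, by_rate = process_log(SAMPLE_LOG, "Error", 3, 10.0)
    print(f"kept={len(kept)} dropped_by_level={by_level} dropped_by_rate={by_rate}")
```

With the level set to Error and a limit of three messages of one id per ten seconds, the constructed log yields five kept lines: the Informational connection-setup message and the Warning are removed by the level filter, three of the six probe failures are removed by the rate limit, and the probe failure at 12 seconds is kept again because the window has moved on. Raising the limit shows how much of a burst reaches the log host; setting the level to Debug shows why the guide warns about that setting, since every connection setup and teardown message would then pass the level filter.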
• Configuring Syslog Log Messages, page 4-17
Configuring SNMP for Virtual Contexts
This section describes how to configure the SNMP attributes for a virtual context and contains the following topics:
• Configuring Basic SNMP Attributes, page 4-19
• Configuring SNMP Version 2c Communities, page 4-20
• Configuring SNMP Version 3 Users, page 4-21
• Configuring SNMP Trap Destination Hosts, page 4-23
• Configuring SNMP Noti
Table 4-6 SNMP Attributes (continued)
Field / Description
Trap Source Interface: Enter a valid VLAN number that identifies the interface from which the SNMP traps originate.
IETF Trap: Check the check box to indicate that the ACE appliance is to send linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus.
Step 2 Click the SNMP v2c Configuration tab. The SNMP v2c Configuration table appears.
Step 3 Click Add to add an SNMP v2c community. The SNMP v2c Configuration screen appears.
Note: You cannot modify an existing SNMP v2c community. Instead, delete the existing SNMP v2c community, and then add a new one.
Step 4 In the Read-Only Community field, enter the SNMP v2c community name for this context.
Step 3 Click Add to add users, or select an existing entry and then click Edit to modify it. The SNMP v3 Configuration screen appears.
Step 4 Enter the SNMP v3 user attributes (see Table 4-7).
Table 4-7 SNMP v3 User Configuration Attributes
Field / Description
User Name: Enter the SNMP v3 username. Valid entries are unquoted text strings with no spaces and a maximum of 24 characters.
Table 4-7 SNMP v3 User Configuration Attributes (continued)
Field / Description
AES 128: Appears if you set Privacy to True. Indicate whether the 128-byte Advanced Encryption Standard (AES) algorithm is to be used for privacy. AES is a symmetric cipher algorithm and is one of the privacy protocols for SNMP message encryption.
• N/A—Indicates that no standard is specified.
Privacy Password
After configuring basic SNMP information for a virtual context (see the “Configuring SNMP for Virtual Contexts” section on page 4-19), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes appear below the SNMP configuration screen.
• Click Cancel to exit this procedure without saving your entries and to return to the Trap Destination Host table.
• Click Add Another to save your entries and to add another entry to the Trap Destination Host table. The screen refreshes and you can add another trap destination host.
For the notification types, see Table 4-9.
Table 4-9 Types of Notification
Notification Type / Description / Context
Bandwidth (Context: All): Notifications are sent that indicate changes to the bandwidth usage (see the “Setting Resource Usage Thresholds to Receive SNMP Notifications” section on page 4-42).
Table 4-9 Types of Notification (continued)
Notification Type / Description / Context
Active SSL Connections (Context: System): Notifications are sent that indicate changes to the aggregated active SSL connections. For more information, see the “Setting Resource Usage Thresholds to Receive SNMP Notifications” section on page 4-42.
Configuring Virtual Context Global Traffic Policies With the ACE Appliance Device Manager, you can apply traffic policies to a specific VLAN interface or to all VLAN interfaces in the same virtual context. Use this procedure to apply a policy to all VLAN interfaces in the selected context. To apply a policy to a specific VLAN, see the “Configuring Traffic Policies” section on page 12-1.
Managing ACE Appliance Licenses Note This functionality is available for only Admin contexts. Cisco offers licenses for ACE appliances that let you increase performance throughput, the number of default contexts, SSL TPS (transactions per second), and HTTP compression performance. For more information on these licenses, refer to the Administration Guide, Cisco ACE Application Control Engine on cisco.com.
– SSL transactions per second Note The SSL transactions per second license does not apply to the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software Version” section on page 1-2). – Number of supported virtual contexts – ACE appliance bandwidth in gigabits per second • Installed License Files Table—Lists all installed licenses with their filenames, vendors, and expiration (expiry) dates.
The Install an ACE License dialog box appears. Step 4 (Optional) If the license currently exists on the ACE disk0: file system in Flash memory, do the following: a. In the Select an Option to Locate a License File section of the dialog box, click the Select a license file on the ACE option. b. In the Select a License File on the Device (disk0) section of the dialog box, from the drop-down list, choose the name of the license file.
• Uninstalling ACE Appliance Licenses, page 4-33 • Displaying the File Contents of a License, page 4-34 Updating ACE Appliance Licenses Note This functionality is available for only Admin contexts. ACE Appliance Device Manager allows you to convert demonstration licenses to permanent licenses and to upgrade permanent licenses to increase the number of virtual contexts. Use this procedure to install ACE appliance update licenses.
Step 7 (Optional) If you chose FTP or SFTP, do the following: a. In the User Name field, enter the username of the account on the network server. b. In the Password field, enter the password for the user account. Note FTP sends these credentials and the license file in cleartext; prefer SFTP, or confine the transfer to the management network. Step 8 In the Remote System IP Address field, enter the host IPv4 address of the remote server. For example, your entry might be 192.168.11.2.
Assumption This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh key rsa 1024 force command is applied on the appliance. A 1024-bit RSA host key is below current recommendations, so restrict SSH access to the appliance to the management network. Procedure Step 1 Choose Config > Virtual Contexts. The All Virtual Contexts table appears. Step 2 Choose the Admin context with the license you want to remove, and then click System > Licenses.
Procedure Step 1 Choose Config > Virtual Contexts. The All Virtual Contexts table appears. Step 2 Choose the Admin context with the license information you want to view, and then choose System > Licenses. The License Status Table and Installed License Files Table appear listing all installed licenses. Step 3 Choose the installed license file with the information that you want to display, and click View.
• Concurrent connections (through-the-ACE traffic) • Management connections (to-the-ACE traffic) • HTTP compression percentage • Proxy connections • Set resource limit as a rate (number per second) • Regular expression (regexp) memory • SSL connections Note Managing the SSL connections resource does not apply to the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software Version” section on
Table 4-10 Resource Class Attributes
Resource | Definition
All | Limits all resources to the specified value for all contexts assigned to this resource class, except for management traffic bandwidth. Management traffic bandwidth remains at the default values until you explicitly configure a minimum value for management traffic.
Acceleration Connections | Percentage of application acceleration connections.
Rate Inspect Connection | Percentage of application protocol inspection connections for FTP and RTSP.
Rate MAC Miss | Percentage of messages destined for the ACE appliance that are sent to the control plane when the encapsulation is not correct in packets.
Rate Management Traffic | Percentage of management traffic connections.
Procedure Step 1 Choose Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table appears. Step 2 Click Add to create a new resource class. The New Resource Class configuration screen appears. Step 3 In the Name field, enter a unique name for this resource class. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
• Deleting Resource Classes, page 4-41 • Viewing Resource Class Use on Virtual Contexts, page 4-41 Modifying Resource Classes Note This functionality is available for only Admin contexts. When you modify a resource class, the ACE Appliance Device Manager applies the changes to virtual contexts that are associated with the resource class going forward.
• Adding Resource Classes, page 4-38 • Modifying Resource Classes, page 4-40 • Deleting Resource Classes, page 4-41 • Viewing Resource Class Use on Virtual Contexts, page 4-41 Deleting Resource Classes Note This functionality is available for only Admin contexts. Use this procedure to remove resource classes from the ACE Appliance Device Manager database.
Use this procedure to view a list of all virtual contexts using a selected resource class. Procedure Step 1 Choose Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table lists the number of virtual contexts using each resource class in the second column. Step 2 Choose the resource class whose usage you want to view and then click Virtual Contexts.
Table 4-11 Monitored Resources with the Virtual Context
Resources | Virtual Context
Concurrent connections | All
Connection rate | All
For each resource, you can specify the high, low, and watermark thresholds, which operate as follows: • High—Indicates the highest value of the threshold defined.
Related Topics • Configuring the Resource Usage Threshold for Real Server, page 4-44 • Configuring the Resource Usage Threshold for VIP, page 4-45 • Configuring SNMP for Virtual Contexts, page 4-19 • Managing Resource Classes, page 4-35 Configuring the Resource Usage Threshold for Real Server You can configure the ACE to issue SNMP traps and syslog messages at the real server level for the follo
• Configuring SNMP for Virtual Contexts, page 4-19 • Managing Resource Classes, page 4-35 Configuring the Resource Usage Threshold for VIP You can configure the ACE to issue SNMP traps and syslog messages for a VIP for the following monitored resources: • Bandwidth—Thresholds are applied to the aggregated bandwidth for a particular VIP.
Using the Configuration Checkpoint and Rollback Service At some point, you may want to modify your ACE running configuration. If you run into a problem with the modified configuration, you may need to reboot your ACE.
Procedure Step 1 Choose Config > Virtual Contexts > admin context > System > Checkpoints. The Checkpoints table appears. For descriptions of the checkpoints, see Table 4-12.
Table 4-12 Checkpoints Table
Field | Description
Name | Unique identifier of the checkpoint.
Size (In Bytes) | Size of the configuration checkpoint, shown in bytes.
Step 2 In the Checkpoints table, choose the radio button to the left of any table entry, and click the Trash icon to delete the checkpoint. Rolling Back a Running Configuration You can roll back the current running configuration of a context to the previously checkpointed running configuration. Note This functionality on the DM requires that SSH is enabled on the appliance.
If the checkpoint configuration is different from the running-config, the output is the difference between the two configurations. The items in red are in the current running configuration but not in the checkpoint, and the rollback will remove them. The items in green are in the checkpoint but not in the current running configuration, and the rollback will add them. Review the red items before you proceed: anything the rollback removes is gone from the running configuration as soon as it completes. Step 3 Click Close to exit the dialog box and return to the Checkpoints table.
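The red/green listing described above is a line diff of the checkpoint against the running configuration. The following Python is an added example, not Device Manager or ACE code, that reproduces that diff with the standard library so the rollback can be previewed outside the GUI, and that flags red lines whose removal would bind no ACL to an interface or remove a service policy; an ACE interface with no ACL applied denies all traffic (see “Configuring Security with ACLs” later in this chapter), so such a rollback can cut off traffic or management access. The two configurations are constructed for the example and the keyword list used for the warning is an assumption.

```python
"""Preview what a checkpoint rollback will change on an ACE context.

Added example; not ACE or Device Manager code. The two configurations below
are constructed for illustration.
"""
import difflib

# Lines whose removal is likely to cut off traffic or management access:
# without an access-group the interface denies everything, and the service
# policy is what admits traffic (including management traffic) on it.
# The keyword list is an assumption for this example.
LOCKOUT_KEYWORDS = ("access-group", "service-policy", "ssh", "snmp-server")

RUNNING_CONFIG = """\
hostname ace1
access-list ALLOW line 10 extended permit tcp any host 10.1.1.10 eq 443
interface vlan 10
  ip address 10.1.1.1 255.255.255.0
  access-group input ALLOW
  service-policy input MGMT
  no shutdown
"""

CHECKPOINT_CONFIG = """\
hostname ace1
access-list ALLOW line 10 extended permit ip any any
interface vlan 10
  ip address 10.1.1.1 255.255.255.0
  service-policy input MGMT
  no shutdown
"""


def rollback_diff(running: str, checkpoint: str):
    """Return (removed, added): red lines rollback deletes, green lines it adds."""
    removed, added = [], []
    diff = difflib.unified_diff(running.splitlines(), checkpoint.splitlines(),
                                fromfile="running-config", tofile="checkpoint",
                                lineterm="")
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue                      # file headers and hunk markers
        if line.startswith("-"):
            removed.append(line[1:])      # present only in running-config
        elif line.startswith("+"):
            added.append(line[1:])        # present only in the checkpoint
    return removed, added


def lockout_risks(removed):
    """Removed lines that touch interface ACL bindings or service policies."""
    return [ln for ln in removed if any(k in ln for k in LOCKOUT_KEYWORDS)]


def preview(running: str, checkpoint: str) -> str:
    """Human-readable rollback preview with a warning block when needed."""
    removed, added = rollback_diff(running, checkpoint)
    out = ["-- will be removed (red):"] + [f"  - {ln}" for ln in removed]
    out += ["-- will be added (green):"] + [f"  + {ln}" for ln in added]
    risks = lockout_risks(removed)
    if risks:
        out += ["-- WARNING: rollback removes traffic/management access lines:"]
        out += [f"  ! {ln}" for ln in risks]
    return "\n".join(out)


if __name__ == "__main__":
    print(preview(RUNNING_CONFIG, CHECKPOINT_CONFIG))
```

In the constructed case the rollback both loosens the ACL (permit ip any any replaces the HTTPS-only entry) and, more seriously, drops the access-group from VLAN 10, which the warning block calls out.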
Note The backup feature does not back up the sample SSL certificate and key pair files.
The backup archive names each dependency file after the context it belongs to:
context_name-cert_name.cert
context_name-key_name.key
context_name-script_name.tcl
context_name-license_name.lic
Guidelines and Limitations The backup and restore functions have the following configuration guidelines and limitations: • This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh key rsa 1024 force command is applied on the appliance.
– All file dependencies for the context exist in the full backup archive • To enable the ACE Device Manager to synchronize the CLI after a successful restore, do not navigate from the Backup / Restore page until the Latest Restore status changes from In Progress to Success.
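A restore that violates the “all file dependencies exist” guideline fails when the context's configuration inside the backup refers to a certificate, key or probe script that the archive does not carry. The following Python is an added example, not ACE or Device Manager code, that applies the file-naming scheme listed above to a context's configuration and reports what an archive's member list is missing. The configuration lines, the archive listing and the assumption that dependencies appear as cert, key and script lines under an ssl-proxy service, chaingroup or scripted probe are constructed for the example.

```python
"""Check that a backup archive holds every file a context's configuration references.

Added example; not ACE or Device Manager code. The configuration, archive
listing and the cert/key/script reference syntax are constructed for it.
"""
import re

# Backup naming scheme from the guide: context_name-file_name.<type>
SUFFIX = {"cert": ".cert", "key": ".key", "script": ".tcl"}

# A line "<keyword> <file>" under an ssl-proxy service, chaingroup or
# scripted probe names a file the context depends on (assumed syntax).
REF_RE = re.compile(r"^\s*(cert|key|script)\s+(\S+)\s*$")

SAMPLE_CONFIG = """\
probe scripted WEB_PROBE
  script PROBE1
ssl-proxy service SSL_PSERVICE
  key webkey
  cert webcert
interface vlan 10
  ip address 10.1.1.1 255.255.255.0
"""

# Constructed archive listing: the probe script was never backed up.
SAMPLE_ARCHIVE = ["Admin-webcert.cert", "Admin-webkey.key"]


def referenced_files(context: str, config: str):
    """Archive member names the context's config needs, in the backup naming scheme."""
    names = []
    for line in config.splitlines():
        m = REF_RE.match(line)
        if m:
            kind, fname = m.groups()
            names.append(f"{context}-{fname}{SUFFIX[kind]}")
    return names


def missing_dependencies(context, config, archive_members, exclude_ssl=False):
    """Return referenced files absent from the archive, sorted.

    exclude_ssl mirrors the restore screen's Exclude SSL Files check box: the
    .cert/.key files then stay as loaded on the ACE, so the archive need not
    carry them.
    """
    present = set(archive_members)
    needed = referenced_files(context, config)
    if exclude_ssl:
        needed = [n for n in needed if not n.endswith((".cert", ".key"))]
    return sorted(n for n in needed if n not in present)


if __name__ == "__main__":
    print(missing_dependencies("Admin", SAMPLE_CONFIG, SAMPLE_ARCHIVE))
```

Run the check against the member list of the backup archive before starting a restore; an empty result means every referenced file is present under the expected name.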
The Backup / Restore table appears and displays the latest backup and restore statistics. Note To refresh the table content at any time, click Poll Now. Note When you choose the Backup / Restore operation, the Appliance Device Manager must poll a context if that context has not been accessed previously for this operation.
Step 3 In the Backup window, click the radio button of the location where the ACE is to save the backup files: • Backup config on ACE (disk0:)—This is the default. Go to Step 9. • Backup config on ACE (disk0:) and then copy to remote system—The Remote System attributes step appears. Go to Step 4.
Step 13 • disk0: only—The Device Manager permits continued GUI functionality during the backup process and polls the ACE for the backup status, which it displays on the Backup / Restore page. • disk0: and a remote server—The Device Manager suspends GUI operation and displays a “Please Wait” message in the Backup dialog box until the process is complete.
Prerequisites If you are going to restore the Admin context files plus all user context files, use a backup file that was created from the Admin context with the Backup All Contexts check box checked (see the “Backing Up Device Configuration and Dependencies” section on page 4-52). Procedure Step 1 Choose Config > Virtual Contexts > System > Backup / Restore. The Backup / Restore table appears.
This field appears for the Admin context only. Step 10 Check the Exclude SSL Files check box if you want to preserve the SSL files currently loaded on the ACE and not use the backup file’s SSL files. Note This check box is not available with the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software Version” section on page 1-2).
automatically updates the status information displayed. The polling continues until the ACE Device Manager receives a status of either Success or Failed. If the restore status is Failed, the Show Restored Errors popup window appears, displaying the reason for the failed restore attempt.
Creating ACLs Note By default, the ACE denies all traffic: only traffic that an ACL explicitly permits can pass, and everything else is dropped. Use this procedure to create, modify, or delete ACLs. Procedure Step 1 Choose Config > Virtual Contexts > context > Security > ACLs. The ACL summary table appears, listing the existing ACLs. ACL summary fields are described in Table 4-15.
Table 4-15 ACL Summary Table (continued)
Field | Description
Interface | VLAN interface(s) associated with this ACL, for example in4,5:4out, where in denotes the input direction and out denotes the output direction.
Remark | Enter any comments you want to include for this ACL. Valid entries are unquoted text strings with a maximum of 100 characters.
Table 4-16 ACL Configuration Attributes (continued)
Field | Description
Interfaces | Allows you to associate the ACL with one or more interfaces, allowing only one input and one output ACL for each interface. The top left check box under the Interfaces section allows you to select and apply to all interfaces Currently Assigned “access-group input.
Step 2 Click Add. The New Access List configuration screen appears. Step 3 Enter the ACL name in the ACL Properties pane and choose the type as Extended. Choose the IP Address Type as either IPv6 or IPv4. Step 4 Configure extended ACL entries using the information in Table 4-17.
Table 4-17 Extended ACL Configuration Options (continued)
Field | Description
Source / Source Network / Source Port Operator | Defines the network traffic being received from the source network to the ACE: • Any—Select the Any radio button to indicate that network traffic from any source is allowed. • IP/Netmask—(IPv4 address type) Use this field to limit access to a specific source IP address.
Destination / Destination Network / Destination Port Operator | Defines the network traffic being transmitted to the destination network from the ACE: • Any—Select the Any radio button to indicate that network traffic to any destination is allowed. • IP/Netmask—(IPv4 address type) Use this field to limit access to a specific destination IP address.
Table 4-18 Protocol Names and Numbers (continued)
Protocol Name | Protocol Number | Description
ESP | 50 | Encapsulating Security Payload
GRE | 47 | Generic Routing Encapsulation
ICMP | 1 | Internet Control Message Protocol version 4
ICMPv6 | 58 | Internet Control Message Protocol version 6
IGMP | 2 | Internet Group Management Protocol
IP | 0 (Any) | Internet Protocol
IP-In-IP | 4 | IP-in-IP Layer 3 Tunneling Protocol
OSPF | 89 | Open Shortest Path First
PI
Table 4-20 ICMPv6 Type Names and Numbers
ICMP Type Name | Number
Echo | 128
Echo-Reply | 129
Information-Reply | 140
Information-Request | 139
Parameter-Problem | 4
Redirect | 137
Time-Exceeded | 3
Traceroute | 30
Unreachable | 1
Step 5 Click Add To Table if you want to add one or more ACL entries to the table. See Step 4 for information on configuring the extended ACL entries.
Valid entries are 1 to 2147483647. Step 4 In the Increment field, enter the number that is to be added to each entry in the ACL after the first entry. Valid entries are integers from 1 to 2147483647. Resequencing renumbers the entries but does not change their order, so it does not change which entry matches first. Step 5 Do one of the following: • Click Resequence to save your entries and to return to the ACLs table. • Click Cancel to exit this procedure without saving your entries and to return to the ACLs table.
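The entries of Table 4-17, the first-match order that their sequence numbers establish, and the implicit deny noted under “Creating ACLs” together decide a packet's fate; the resequence procedure above only renumbers entries within that order. The following Python is an added example, not ACE or Device Manager code, that models an extended ACL with those semantics: IPv4/IPv6 address matching, the port operators with the lower-less-than-upper rule for a range, the rule that IPv4 and IPv6 entries cannot be mixed, first-match evaluation with implicit deny, and resequencing inside the 1 to 2147483647 limit. The entries and packets are constructed for the example, and the operator spellings (eq, neq, gt, lt, range) are assumed rather than taken from the Device Manager screens.

```python
"""Model of ACE extended ACL evaluation and resequencing.

Added example; not ACE or Device Manager code. Entries, packets and the
operator spelling are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

MAX_SEQ = 2147483647                 # largest sequence number the DM accepts
PortSpec = Tuple[str, int, int]      # (operator, port, upper); upper used by "range" only


@dataclass
class AclEntry:
    seq: int
    action: str            # "permit" or "deny"
    protocol: str          # "ip" (any protocol), "tcp", "udp", "icmp", ...
    src: str = "any"       # "any" or address/prefix
    dst: str = "any"
    src_port: Optional[PortSpec] = None
    dst_port: Optional[PortSpec] = None


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def port_matches(spec: Optional[PortSpec], port: int) -> bool:
    """Apply one port operator; no operator means any port."""
    if spec is None:
        return True
    op, lo, hi = spec
    if op == "range":
        if not 0 <= lo < hi <= 65535:        # lower bound must be less than upper
            raise ValueError(f"bad port range {lo}-{hi}")
        return lo <= port <= hi
    return {"eq": port == lo, "neq": port != lo,
            "gt": port > lo, "lt": port < lo}[op]


def net_matches(spec: str, addr: str) -> bool:
    # An address of the other IP version never matches (ipaddress returns False).
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def acl_version(acl) -> Optional[int]:
    """IP version of the ACL; raises if IPv4 and IPv6 entries are mixed."""
    versions = {ip_network(n, strict=False).version
                for e in acl for n in (e.src, e.dst) if n != "any"}
    if len(versions) > 1:
        raise ValueError("IPv4 and IPv6 entries in the same ACL")
    return versions.pop() if versions else None


def evaluate(acl, pkt: Packet):
    """First matching entry wins; no match means the implicit deny."""
    acl_version(acl)
    for e in sorted(acl, key=lambda e: e.seq):
        if e.protocol not in ("ip", pkt.protocol):
            continue
        if (net_matches(e.src, pkt.src) and net_matches(e.dst, pkt.dst)
                and port_matches(e.src_port, pkt.sport)
                and port_matches(e.dst_port, pkt.dport)):
            return e.action, e.seq
    return "deny", None


def resequence(acl, start: int, increment: int):
    """Renumber entries as start, start+increment, ... without changing their order."""
    if not (1 <= start <= MAX_SEQ and 1 <= increment <= MAX_SEQ):
        raise ValueError("start and increment must be 1 to 2147483647")
    for i, e in enumerate(sorted(acl, key=lambda e: e.seq)):
        new_seq = start + i * increment
        if new_seq > MAX_SEQ:
            raise ValueError("resequencing would exceed 2147483647")
        e.seq = new_seq
    return acl


# Constructed ACL: anyone may reach the VIP on HTTPS; 10.1.2.0/24 may reach
# anything except low TCP ports; everything else hits the implicit deny.
SAMPLE_ACL = [
    AclEntry(10, "permit", "tcp", dst="10.1.1.10/32", dst_port=("eq", 443, 0)),
    AclEntry(20, "deny", "tcp", src="10.1.2.0/24", dst_port=("range", 1, 1023)),
    AclEntry(30, "permit", "ip", src="10.1.2.0/24"),
]

if __name__ == "__main__":
    for p in (Packet("tcp", "192.0.2.7", "10.1.1.10", dport=443),
              Packet("tcp", "10.1.2.5", "10.1.1.10", dport=22),
              Packet("udp", "10.1.2.5", "10.1.1.10", dport=53),
              Packet("tcp", "192.0.2.7", "10.1.1.10", dport=80)):
        print(p, "->", evaluate(SAMPLE_ACL, p))
```

The last packet in the usage block (HTTP to the VIP from outside) matches nothing and is denied by the implicit rule, which is the behaviour to expect on a fresh ACE before any permit entry exists.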
• BPDU—Specifies Bridge Protocol Data Units. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops.
• Setting Extended ACL Attributes, page 4-61 • Editing or Deleting ACLs, page 4-69 Editing or Deleting ACLs Use this procedure to delete or edit an ACL or any of its subentries. Considerations • You cannot mix IPv6 and IPv4 access-list entries in the same ACL. • Before you change the IP address type for an existing ACL, you must remove the entries that are not applicable to the new IP address type.
The ACLs table appears listing the existing ACLs. Step 2 In the ACLs table, choose an ACL, and click Details. The output of the show access-list acl_name detail CLI command appears. For details about the displayed output fields, see the Security Guide, Cisco ACE Application Control Engine, Chapter 1, Configuring Security Access Control Lists.
• Click Cancel to exit without saving your entries and to return to the Object Groups table. • Click Next to deploy your entries and to add another entry to the Object Groups table. Step 7 Configure objects for the object group.
• Click Next to deploy your entries and to add another entry to the Host Setting table.
Configuring Protocols for Object Groups Use this procedure to specify protocols for a service-type object group. Procedure Step 1 Choose Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups. Step 2 Choose an existing service-type object group and then click the Protocol Selection tab. The Protocol Selection table appears.
Table 4-21 TCP and UDP Service Parameters
Field | Description
Protocol | Select the protocol for this service object: • TCP—TCP is the protocol for this service object. • UDP—UDP is the protocol for this service object. • TCP And UDP—Both TCP and UDP are the protocols for this service object.
Source Port Operator / Source Port
Lower Destination Port | This field appears if you select Range in the Destination Port Operator field. Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port field.
Configuring ICMP Service Parameters for an Object Group Use this procedure to add ICMP service parameters to a service-type object group. Procedure Step 1 Choose Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups. Step 2 Choose an existing service-type object group and then click the ICMP Service Parameters tab. The ICMP Service Parameters table appears.
Table 4-22 ICMP Type Service Parameters (continued)
Field | Description
Min. Message Code | This field appears if you select Range in the Message Code Operator field. Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 255. The number in this field must be less than the number entered in the Max. Message Code field.
Max.
Table 4-24 ICMPv6 Type Names and Numbers (continued)
ICMP Type Name | Number
Information-Reply | 140
Information-Request | 139
Parameter-Problem | 4
Redirect | 137
Time-Exceeded | 3
Traceroute | 30
Unreachable | 1
Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration. This option appears for virtual contexts. • Click Cancel to exit this procedure without saving your entries.
Configuring Virtual Context Expert Options Table 4-25 identifies ACE Appliance Device Manager virtual context Expert configuration options and related topics for more information.
The status bar at the bottom right of the ACE Appliance Device Manager displays two indicators for you to monitor CLI and DM GUI synchronization status (Figure 4-1). One indicator displays ACE appliance Device Manager GUI and CLI synchronization status along with a summary count of the contexts in the various synchronization states, and the other indicator displays CLI synchronization and polling status for the active context.
• Sync Failed—The last synchronization attempt failed and you must perform a manual synchronization using either the CLI Sync or CLI Sync All buttons. The failed state could be due to an unrecognized CLI command on the context, or due to an internal error on the ACE Appliance Device Manager. Once the problem is resolved, another manual synchronization is required to move the context into the OK synchronization state.
For information on synchronizing out-of-sync virtual context configurations, see the following topics: • Manually Synchronizing Individual Virtual Context Configurations, page 4-82 • Manually Synchronizing All Virtual Context Configurations, page 4-83 Related Topics • Viewing Virtual Context Synchronization Status, page 4-80 • Configuring ACE High Availability, page 11-8 Manually Synchronizing Individual Virtual Context Configuratio
Manually Synchronizing All Virtual Context Configurations Use this procedure to manually synchronize all virtual context configurations. This procedure removes all virtual context configurations from ACE Appliance Device Manager and replaces them with their CLI configurations from the ACE appliance.
Editing Virtual Contexts Use this procedure to modify the configuration of an existing virtual context. Procedure Step 1 Choose Config > Virtual Contexts. The All Virtual Contexts table appears. Step 2 Choose the virtual context and then select the configuration attributes you want to modify. For information on configuration options, see the “Configuring Virtual Contexts” section on page 4-7.
Note Clicking the summary count in the status bar from any context-specific page accesses the All Virtual Contexts table. You can then review the synchronization configuration details for all of the available contexts. If you are not the administrator, you will only see the details for your user context.
Related Topic • Managing Virtual Contexts, page 4-79 Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance 4-86 OL-26645-02
Chapter 5 Configuring Virtual Servers This chapter provides an overview of server load balancing and procedures for configuring virtual servers for load balancing on an ACE appliance.
Chapter 5 Configuring Virtual Servers Configuring Virtual Servers • Sticky groups—See Configuring Sticky Groups, page 7-11. • Parameter maps—See Configuring Parameter Maps, page 8-1.
• A Layer 3/Layer 4 class map • A multi-match policy map, a class-map match, and an action In addition: • The virtual server multi-match policy map is associated with an interface or is global. • The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map. Example 5-1 shows the minimum configuration statements required for a virtual server.
• Configuration options and roles To support and maintain the separation of roles, some objects cannot be configured using the Virtual Server configuration screen. These objects include SSL certificates, SSL keys, NAT pools, interface IP addresses, and ACLs.
Information About Using Device Manager to Configure Virtual Servers It is important to understand the following when using the ACE Appliance Device Manager to configure virtual servers: • Virtual server configuration screens The ACE Appliance Device Manager Virtual Server configuration screens are designed to aid you in configuring virtual servers by presenting configuration options that are relevant to your choices.
Virtual Server Usage Guidelines The Virtual Server configuration window provides you with numerous configuration options. However, instead of setting every option in one pass, configure your virtual server in stages. The first stage should always be to establish basic “pass through” connectivity with simple load balancing and include minimal additional features.
4. Verify the Hit Count in the show service-policy CLI command output. Hit Count shows the number of requests received by ACE. This value should increase for each request attempted by your client. If the hit count does not increase with each request, this indicates that the request is not reaching your virtual server configuration. This could be a problem with one of the following: – A physical connection.
The Virtual Servers table appears. Step 2 Click Add to add a new virtual server, or select an existing virtual server, and then click Edit to modify it. The Virtual Server configuration screen appears with a number of configuration subsets. The subsets that you see depend on whether you use the Basic View or the Advanced View and configuration entries you make in the Properties subset.
Table 5-1 Virtual Server Configuration Subsets (continued) Configuration Subset Description Related Topics Application Acceleration And Optimization This subset appears only in the Advanced View and when HTTP or HTTPS is the selected application protocol. Configuring Application Acceleration and Optimization, page 5-57 This subset allows you to configure application acceleration and optimization options for HTTP or HTTPS traffic.
• Real servers • Server farms • SSL services • Sticky groups Because these objects are shared, modifying an object’s configuration in one virtual server can impact other virtual servers that use the same object.
Procedure Step 1 Choose Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Step 2 Click Add to add a new virtual server, or select an existing virtual server, and then click Edit to modify it. The Virtual Server configuration screen appears. The Properties configuration subset is open by default.
Chapter 5 Configuring Virtual Servers Configuring Virtual Servers Table 5-2 Virtual Server Properties – Advanced View (continued) Field Description Application Protocol This field appears if TCP or UDP is selected. Select the application protocol to be supported by the virtual server. Note This field is read-only if you are editing an existing virtual server. The Device Manager does not allow changes between protocols that require a change to the Layer 7 server load-balancing policy map.
Chapter 5 Configuring Virtual Servers Configuring Virtual Servers Table 5-2 Virtual Server Properties – Advanced View (continued) Field Description Port By default, this field appears with the default port number for the specified protocol. To change the port number, enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.
Chapter 5 Configuring Virtual Servers Configuring Virtual Servers Table 5-2 Virtual Server Properties – Advanced View (continued) Field Description VLAN This field appears if the All VLANs check box is cleared. In the Available list, select the VLANs to use for incoming traffic, and then click Add to Selection. The items appear in the Selected list. To remove VLANs, select them in the Selected lists and then click Remove from Selection. The items appear in the Available list.
Chapter 5 Configuring Virtual Servers Configuring Virtual Servers Table 5-2 Virtual Server Properties – Advanced View (continued) Field Description KAL-AP-TAG Name The KAL-AP-TAG feature allows the Cisco Global Site Selector (GSS) proprietary KAL-AP protocol to extract load and availability information from the ACE when a firewall is positioned between the GSS and the ACE. This feature allows you to configure a tag (name) per VIP for a maximum of 4,096 tags on an ACE.
Chapter 5 Configuring Virtual Servers Configuring Virtual Servers Table 5-2 Virtual Server Properties – Advanced View (continued) Field Description Generic Parameter Map This field appears if Generic is the selected application protocol over TCP or UDP. Select an existing Generic parameter map or click *New* to create a new one: RTSP Parameter Map • If you select an existing parameter map, you can view, modify, or duplicate the existing configuration.
Chapter 5 Configuring Virtual Servers Configuring Virtual Servers Table 5-3 Virtual Server Properties – Basic View Field Description Virtual Server Name Enter the name for the virtual server. IP Address Type Select either IPv4 or IPv6 for the address type of the virtual server. Virtual IP Address Enter the IP address for the virtual server.
Table 5-3 Virtual Server Properties – Basic View (continued). Port: By default, this field appears with the default port number for the specified protocol. To change the port number, enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.
Assumption: A virtual server has been configured for HTTPS over TCP or Other over TCP in the Properties configuration subset. For more information, see the “Configuring Virtual Server Properties” section on page 5-10. Procedure: Step 1 Choose Config > Virtual Contexts > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.
• Click Cancel to exit this procedure without saving your entries. Related Topics • Configuring Virtual Servers, page 5-2 • Configuring Virtual Server Properties, page 5-10 Configuring Virtual Server Protocol Inspection Configuring protocol inspection allows the virtual server to verify protocol behavior and identify unwanted or malicious traffic passing through the ACE appliance.
Step 6 For FTP protocol inspection, do the following: a. Check the Use Strict check box to indicate that the virtual server is to perform enhanced inspection of FTP traffic and enforce compliance with RFC standards. Clear this check box to indicate that the virtual server is not to perform enhanced FTP inspection. b.
Table 5-5 Protocol Inspection Match Criteria Configuration (continued). *New*: 1. In the Name field, specify a unique name for this class map. 2. In the Match field, select the method to be used to evaluate multiple match statements when multiple match conditions exist: – All—Indicates that a match exists only if all match conditions are satisfied.
Table 5-6 HTTP and HTTPS Protocol Inspection Conditions and Options. Content: Specific content contained within the HTTP entity-body is to be used for application inspection decisions. 1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters. 2.
Table 5-6 HTTP and HTTPS Protocol Inspection Conditions and Options (continued). Header: The name and value in an HTTP header are used for application inspection decisions. 1. In the Header field, select one of the predefined HTTP headers to match, or select HTTP Header to specify a different HTTP header. 2.
Table 5-6 HTTP and HTTPS Protocol Inspection Conditions and Options (continued). Port Misuse: The misuse of port 80 (or any other port running HTTP) is to be used for application inspection decisions. Indicate the application category to use for this match condition: • IM—Instant messaging applications are to be checked. • P2P—Peer-to-peer applications are to be checked.
Table 5-6 HTTP and HTTPS Protocol Inspection Conditions and Options (continued). URL: URL names are to be used for application inspection decisions. In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.
Step 8 For SIP inspection, do the following: a. In the Actions subset, click Add to add a new match condition and action, or select an existing match condition and action, and then click Edit to modify it. The Actions configuration pane appears. b. In the Matches field, select an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection.
Table 5-7 SIP Protocol Inspection Conditions and Options (continued). SIP Content Length: The SIP message body content length is used for SIP protocol inspection decisions. To specify SIP traffic based on SIP message body length: 1. In the Content Operator field, confirm that Greater Than is selected. 2.
d. In the Action field, select the action that the virtual server is to take when the specified match conditions are met: – Drop—The specified SIP traffic is to be discarded by the virtual server. – Permit—The specified SIP traffic is to be received by the virtual server. – Reset—The specified SIP traffic is to be denied by the virtual server. e. Do the following: – Click OK to save your entries.
Configuring Virtual Server Layer 7 Load Balancing Layer 7 load balancing is available for virtual servers configured with one of the following protocol combinations: • TCP with Generic, HTTP, HTTPS, RTSP, or SIP • UDP with Generic, RADIUS, or SIP See the “Configuring Virtual Server Properties” section on page 5-10 for information on configuring these protocols. Use this procedure to configure Layer 7 load balancing on a virtual server.
Table 5-8 Layer 7 Load-Balancing Match Criteria Configuration. Existing class map: 1. Click View to review the match condition information for the selected class map. 2. Do the following: – Click Cancel to continue without making changes and to return to the previous screen. – Click Edit to modify the existing configuration.
Table 5-9 Layer 7 HTTP/HTTPS Load-Balancing Rule Match Configuration. Class Map: Indicates that this rule is to use an existing class map to establish match conditions. If you select this method, in the Class Map field, select the class map to be used. Note: This option is not available for inline match conditions.
Table 5-9 Layer 7 HTTP/HTTPS Load-Balancing Rule Match Configuration (continued). HTTP URL: Indicates that this rule is to perform regular expression matching against the received packet data from a particular connection based on the HTTP URL string. If you select this method: 1. In the URL Expression field, enter a URL, or portion of a URL, to match.
Table 5-9 Layer 7 HTTP/HTTPS Load-Balancing Rule Match Configuration (continued). Source Address: Indicates that this rule is to use a client source IP address to establish match conditions. If you select this method: 1. In the Source Address field, enter the source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2). 2.
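The match-criteria and action mechanics of Tables 5-5 and 5-6 (protocol inspection) and Tables 5-8 and 5-9 (Layer 7 load balancing) follow one pattern: a class map groups conditions under match-all or match-any, and a policy map applies the action of the first class map that matches, with a default action for everything else. The following Python is an added example written for this page, not Device Manager or ACE code. The request model, the farm names, the inspection and Layer 7 policies and the sample requests are all constructed assumptions chosen to show the HTTP conditions listed above (URL, header, request method, content length, source address).

```python
import ipaddress
import re
from dataclasses import dataclass, field


# Constructed request model with the fields the HTTP match conditions look at.
# It is an assumption of this example, not an ACE data structure.
@dataclass
class HttpRequest:
    src_ip: str
    method: str
    url: str                     # the portion after the host, as in the URL field
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# One function per match condition; each returns True when the request matches.
def match_url(req, expr):
    return re.search(expr, req.url) is not None


def match_header(req, arg):
    name, expr = arg
    value = req.headers.get(name)
    return value is not None and re.search(expr, value) is not None


def match_method(req, methods):
    return req.method in methods


def match_content_length(req, arg):
    op, limit = arg              # ("gt" | "lt" | "eq", number of body bytes)
    n = len(req.body)
    return {"gt": n > limit, "lt": n < limit, "eq": n == limit}[op]


def match_source(req, prefix):
    return ipaddress.ip_address(req.src_ip) in ipaddress.ip_network(prefix, strict=False)


CONDITIONS = {
    "url": match_url, "header": match_header, "method": match_method,
    "content-length": match_content_length, "source": match_source,
}


@dataclass
class ClassMap:
    """A named class map: match-all needs every condition, match-any needs one."""
    name: str
    match: str                   # "all" or "any"
    conditions: list             # [(kind, argument), ...]

    def matches(self, req):
        hits = (CONDITIONS[kind](req, arg) for kind, arg in self.conditions)
        return all(hits) if self.match == "all" else any(hits)


def apply_policy(rules, default_action, req):
    """Policy-map semantics: the first class map that matches decides the action;
    traffic that matches nothing gets the default (class-default) action."""
    for class_map, action in rules:
        if class_map.matches(req):
            return action
    return default_action


# Constructed inspection policy: drop oversized bodies, reset tunnelling and
# diagnostic methods; anything else is permitted by the default action.
INSPECTION = [
    (ClassMap("big-body", "all", [("content-length", ("gt", 1_000_000))]), "drop"),
    (ClassMap("odd-method", "any", [("method", {"CONNECT", "TRACE"})]), "reset"),
]

# Constructed Layer 7 policy: static content to one farm, an internal subnet or
# intranet host header forwarded without load balancing, the rest to the web farm.
LAYER7 = [
    (ClassMap("static", "all", [("url", r"^/(images|css)/"),
                                ("method", {"GET", "HEAD"})]), "loadbalance:farm-static"),
    (ClassMap("intranet", "any", [("source", "10.0.0.0/8"),
                                  ("header", ("Host", r"^intranet\."))]), "forward"),
]


def classify(req):
    """Return (inspection_action, load_balancing_action) for one request."""
    inspect = apply_policy(INSPECTION, "permit", req)
    if inspect != "permit":
        return inspect, None     # dropped or reset traffic never reaches L7 selection
    return inspect, apply_policy(LAYER7, "loadbalance:farm-web", req)
```

Because the first matching class map wins, rule order is part of the policy: the narrow deny-style class maps belong before the broad ones, and the default action decides what happens to everything the listed conditions never mention.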
Step 7 In the Primary Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria: • Drop—Indicates that client requests for content are to be discarded when match conditions are met. Continue with Step 10. • Forward—Indicates that client requests for content are to be forwarded without performing load balancing on the requests when match conditions are met.
Table 5-10 Virtual Server Load-Balancing Options (continued). Load balancing using an existing sticky group: 1. In the Server Farm field, select the primary server farm to use for load balancing. This must be the primary server farm specified in the existing sticky group. 2. In the Backup Server Farm field, select the backup server farm to use for load balancing.
Table 5-11 New Server Farm Attributes. Name: Enter a unique name for this server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Type: Select the type of server farm: • Host—A typical server farm that consists of real servers that provide content and services to clients.
Table 5-11 New Server Farm Attributes (continued). Failaction Reassign Across Vlans: This field appears only when the L7 Load-Balancing Action parameters are set as follows: Primary Action: LoadBalance, ServerFarm: New, Fail Action: Reassign.
Table 5-11 New Server Farm Attributes (continued). Transparent: This field appears only for host server farms. Check the check box to specify that the ACE is not to translate the VIP address to the server IP address, so that the real server (typically a firewall being load balanced) receives the original destination address. Clear the check box to specify that the ACE translates the VIP address to the server IP address (default).
Table 5-11 New Server Farm Attributes (continued). Inband-Health Check: This field appears only for host server farms. By default, the ACE monitors the health of all real servers in a configuration through the use of ARPs and health probes. However, there is a latency period between when the real server goes down and when the ACE becomes aware of the state.
Table 5-11 New Server Farm Attributes (continued). Resume Service (Seconds): This field appears only when the Inband-Health Check is set to Remove. Enter the number of seconds after a server has been marked as failed to reconsider it for sending live connections. Valid entries are integers from 30 to 3600. The default setting is 0 (not configured).
Table 5-11 New Server Farm Attributes (continued). Probes: Specify the health monitoring probes to use: • To include a probe that you want to use for health monitoring, select it in the Available list, and then click Add. The probe appears in the Selected list.
Table 5-11 New Server Farm Attributes (continued). Probes (Cont.): • Probe Expect Status—To configure probe expect status for an FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, or SMTP probe, in the Probe Expect Status field enter the following information: – To configure a single expect status code, enter that code as both the minimum and the maximum expect status code for this probe.
Table 5-11 New Server Farm Attributes (continued). Real Servers: The Real Servers table allows you to add, modify, remove, or change the order of real servers. 1. Select an existing server, or click Add to add a real server to the server farm: – If you select an existing server, you can view, modify, or duplicate the server’s existing configuration.
Table 5-11 New Server Farm Attributes (continued). Real Servers (continued): 12. In the Buddy Real Group field, associate the real server with a buddy group by creating a buddy real server group or selecting an existing one (for more information, see the “Buddy Sticky Groups” section on page 7-6). 13.
Table 5-12 Predictor Methods and Attributes. Hash Address: The ACE selects the server using a hash value based on the source or destination IP address. To configure the hash address predictor method: 1. In the Mask Type field, indicate whether server selection is based on the source IP address or the destination IP address: – N/A—Indicates that this option is not defined.
Table 5-12 Predictor Methods and Attributes (continued). Hash Secondary Cookie: The ACE selects the server by using the hash value based on the specified cookie name in the URL query string, not the cookie header. In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces and a maximum of 64 characters.
Table 5-12 Predictor Methods and Attributes (continued). Hash URL: The ACE selects the server by using a hash value based on the URL. Use this method to load balance cache servers, so that requests for the same object keep reaching the same cache. Enter values in one or both of the pattern fields: • In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to parse.
Table 5-12 Predictor Methods and Attributes (continued). Response: The ACE selects the server with the lowest response time for a requested response-time measurement. 1.
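To make the hash predictors in Table 5-12 concrete (the same Hash Address, Hash Secondary Cookie, Hash Header and Hash URL methods appear again in Table 6-7 for server farms), the following Python is an added example, not Device Manager or ACE code. It derives the server choice from a hash of the masked address, of the named URL query parameter, of the URL substring between the begin and end patterns, or of a header value. The hash function, the server names and the sample requests are assumptions of the example; the ACE's internal hash is not documented on this page and is not claimed to be reproduced here.

```python
import hashlib
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit


def _bucket(key: bytes, servers):
    """Map a key to one in-service server. SHA-256 is used only so the mapping
    is stable across runs; the ACE's own hash is not reproduced here."""
    if not servers:
        raise RuntimeError("no in-service real servers in the farm")
    digest = hashlib.sha256(key).digest()
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


def hash_address(servers, src_ip, dst_ip, mask_type="source", netmask="255.255.255.255"):
    """Hash Address: hash the source or destination IPv4 address after applying
    the netmask, so that a whole subnet can be pinned to one server."""
    addr = ipaddress.IPv4Address(src_ip if mask_type == "source" else dst_ip)
    masked = int(addr) & int(ipaddress.IPv4Address(netmask))
    return _bucket(masked.to_bytes(4, "big"), servers)


def hash_secondary_cookie(servers, url, cookie_name):
    """Hash Secondary Cookie: hash the named parameter taken from the URL query
    string, not from the Cookie header. A missing parameter hashes as empty."""
    value = parse_qs(urlsplit(url).query).get(cookie_name, [""])[0]
    return _bucket(value.encode(), servers)


def hash_url(servers, url, begin_pattern=None, end_pattern=None):
    """Hash URL: hash the whole URL, or only the part between the begin and end
    patterns so that query noise does not scatter one object across caches."""
    key = url
    if begin_pattern:
        m = re.search(begin_pattern, key)
        key = key[m.end():] if m else ""
    if end_pattern:
        m = re.search(end_pattern, key)
        key = key[:m.start()] if m else key
    return _bucket(key.encode(), servers)


def hash_header(servers, headers, name):
    """Hash Header: hash the value of the named HTTP header."""
    return _bucket(headers.get(name, "").encode(), servers)


def remapped_fraction(before, after, keys):
    """Share of keys that land on a different server once the farm changes.
    With a modulo hash most keys move when one server leaves, which is why a
    hash predictor alone is not persistence: a failure rescatters clients."""
    moved = sum(_bucket(k, before) != _bucket(k, after) for k in keys)
    return moved / len(keys)
```

The last function is the practical caveat: hash predictors give a repeatable choice while the farm is stable, but any change in the set of in-service servers remaps most keys, so sessions that must survive a server failure need a sticky group rather than a hash alone.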
Table 5-13 Sticky Group Attributes. Group Name: Enter a unique identifier for the sticky group. You can either accept the automatically incremented entry given or enter your own. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Table 5-13 Sticky Group Attributes (continued). Enable Insert: This option appears for sticky type HTTP Cookie. Check this check box if the virtual server is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie.
Table 5-13 Sticky Group Attributes (continued). Backup Server Farm: Select an existing server farm to act as the backup server farm for this sticky group, or select *New* to create a new server farm. If you select *New*, configure the server farm using the information in Table 5-11.
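As an added example for the Enable Insert and Backup Server Farm attributes in Table 5-13 (not Device Manager or ACE code), the following Python models an HTTP Cookie sticky group: the virtual server keys a sticky table on the cookie value, learns the value when the real server sets the cookie itself, inserts its own Set-Cookie header when the server does not, and falls back to the predictor and then to the backup server farm when the pinned server is unavailable. The cookie name, the server names, the HMAC-derived cookie value and the Secure/HttpOnly/SameSite attributes are this example's assumptions, not documented ACE behaviour.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed secret for deriving inserted cookie values. Deriving the value with an
# HMAC is an example choice so the client-visible cookie does not spell out the
# real server's name or address; it is not a documented ACE mechanism.
SECRET = b"example-only-not-a-real-key"


class CookieStickyGroup:
    """Models a sticky group of type HTTP Cookie with Enable Insert checked."""

    def __init__(self, cookie_name, primary_farm, backup_farm=()):
        self.cookie_name = cookie_name
        self.primary = list(primary_farm)
        self.backup = list(backup_farm)
        self.table = {}          # sticky table: cookie value -> real server
        self._next = 0           # round-robin position of the stand-in predictor

    def _active(self, down):
        """Primary farm members that are up; if none, the Backup Server Farm."""
        primary = [s for s in self.primary if s not in down]
        return primary or [s for s in self.backup if s not in down]

    def _predict(self, active):
        """Round robin stands in for whatever predictor the server farm uses."""
        server = active[self._next % len(active)]
        self._next += 1
        return server

    def select(self, cookie_header, down=frozenset()):
        """Choose the real server for a request: an existing sticky entry whose
        server is still available wins; anything else goes to the predictor."""
        active = self._active(down)
        if not active:
            raise RuntimeError("primary and backup server farms are both down")
        morsel = SimpleCookie(cookie_header or "").get(self.cookie_name)
        if morsel is not None:
            pinned = self.table.get(morsel.value)
            if pinned in active:
                return pinned
        return self._predict(active)

    def response_headers(self, server, upstream_set_cookie, secure=True):
        """Enable Insert: if the server already set the sticky cookie, learn its
        value; otherwise insert a Set-Cookie header so the next request sticks."""
        headers = list(upstream_set_cookie)
        for header in headers:
            name, _, rest = header.partition("=")
            if name.strip() == self.cookie_name:
                self.table[rest.split(";", 1)[0].strip()] = server
                return headers
        token = hmac.new(SECRET, server.encode(), hashlib.sha256).hexdigest()[:32]
        self.table[token] = server
        attrs = ["Path=/", "HttpOnly", "SameSite=Lax"] + (["Secure"] if secure else [])
        headers.append(f"{self.cookie_name}={token}; " + "; ".join(attrs))
        return headers
```

The check `pinned in active` is what turns a server failure into a predictor decision instead of an error, and the backup farm only comes into play once every primary member is down, which matches the role the Backup Server Farm field gives it.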
• N/A—HTTP compression is disabled. When configuring HTTP compression, we recommend that you exclude the following MIME types from HTTP compression: “.*gif”, “.*css”, “.*js”, “.*class”, “.*jar”, “.*cab”, “.*txt”, “.*ps”, “.*vbs”, “.*xsl”, “.*xml”, “.*pdf”, “.*swf”, “.*jpg”, “.*jpeg”, “.*jpe”, or “.*png”.
Table 5-14 Virtual Server SSL Initiation Attributes. CRL Name: This option appears if the CRL Best-Effort check box is cleared. Select the Certificate Revocation List that the ACE is to use for this proxy service. Parameter Maps: Select the SSL parameter map to associate with this proxy server service. For more information about SSL, see the “Configuring SSL” section on page 9-1.
• Configuring Virtual Server Protocol Inspection, page 5-20 Configuring Virtual Server Default Layer 7 Load Balancing Use this procedure to configure default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions. Assumption: A virtual server has been configured. See the “Configuring Virtual Servers” section on page 5-2 for information on configuring a virtual server.
Note: If you chose an existing sticky group, you can view, modify, or duplicate the selected object’s existing configuration. See the “Shared Objects and Virtual Servers” section on page 5-9 for more information about modifying shared objects in virtual servers. Step 7
Note: The SSL initiation option does not apply to the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software Version” section on page 1-2). SSL initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL connection between itself and an SSL server.
the ACE appliance enables enterprises to optimize network performance and improve access to critical business information. This capability accelerates the performance of Web applications, including customer relationship management (CRM), portals, and online collaboration by up to 10 times.
Step 6 If you select Custom, the Actions configuration pane appears with a table listing match criteria and actions. Click Add to add an entry to this table, or select an existing entry, and then click Edit to modify it. The configuration subset refreshes with the available configuration options.
Table 5-16 Optimization Action List Configuration Options. Action List Name: Enter a unique name for the optimization action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Enable Delta: Delta optimization dynamically updates client browser caches directly with content differences, or deltas, resulting in faster page downloads.
Table 5-16 Optimization Action List Configuration Options (continued). Dynamic Entity Tag: This feature enables the acceleration of noncacheable embedded objects, which results in improved application response time. When enabled, this feature eliminates the need for users to download noncacheable objects on each request.
• A VLAN has been configured. See the “Configuring Virtual Context VLAN Interfaces” section on page 10-10 for information on configuring a VLAN interface. • At least one NAT pool has been configured on a VLAN interface. See the “Configuring VLAN Interface NAT Pools and Displaying NAT Utilization” section on page 10-32 for information on configuring a NAT pool.
Managing Virtual Servers The Virtual Servers table appears. Step 2 In the Virtual Servers table, choose a virtual server and click Details. The show service-policy policy_name class-map class_name detail CLI command output appears. For details about the displayed fields, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine. Note: This feature requires ACE software Version A3(2.1) or later.
• Port • Associated VLANs • Associated server farms • Virtual context name Related Topics • Configuring Virtual Servers, page 5-2 • Managing Virtual Servers, page 5-63 Displaying Virtual Server Statistics and Status Information You can display virtual server statistics and status information for a particular virtual server by using the Details button.
Step 2 Select the server that you want to activate, and then click Activate. The server is activated and the screen refreshes with updated information in the Configured State column. Related Topics • Managing Virtual Servers, page 5-63 • Viewing All Virtual Servers, page 5-65 • Suspending Virtual Servers, page 5-65 Suspending Virtual Servers Use this procedure to suspend a virtual server.
Table 5-17 Virtual Server Table Fields. Name: Virtual server name, sorted by virtual context. Policy Map: Associated policy map. IP Address/Protocol/Port: Virtual IP address, protocol, and port number used for communications. Context: Virtual context associated with the virtual server. Admin: Administrative state of the virtual server: Up or Down. Oper: Operational state of the virtual server: Up or Down.
C H A P T E R 6 Configuring Real Servers and Server Farms This chapter provides an overview of server load balancing and procedures for configuring real servers and server farms for load balancing on an ACE appliance.
Server Load Balancing Overview The ACE Appliance Device Manager allows you to configure load balancing using: • Virtual servers—See Configuring Virtual Servers, page 5-2. • Real servers—See Configuring Real Servers, page 6-5. • Dynamic Workload Scaling—See Configuring Dynamic Workload Scaling, page 6-14. • Server farms—See Configuring Server Farms, page 6-18. • Sticky groups—See Configuring Sticky Groups, page 7-11.
configuration, the cache servers continue to work even if the active ACE appliance switches over to the standby ACE appliance. For information about configuring redundancy, see Configuring High Availability, page 11-1. • Least Bandwidth—Selects the server with the least amount of network traffic over a specified sampling period. Use this type for server farms with heavy traffic, such as downloading video clips.
The ACE appliance uses traffic classification maps (class maps) within policy maps to filter out interesting traffic and to apply specific actions to that traffic based on the SLB configuration. You use class maps to configure a virtual server address and definition. If a primary real server fails, the ACE appliance takes that server out of service and no longer includes it in load-balancing decisions.
Configuring Real Servers Related Topic • Configuring Dynamic Workload Scaling, page 6-14 Server Farms Typically, in data centers, servers are organized into related groups called server farms. Servers within server farms often contain identical content (referred to as mirrored content) so that if one server becomes inoperative, another server can take its place immediately.
Table 6-1 Real Server Attributes. Name: Either accept the automatically incremented value in this field, or enter a unique name for this server. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Type: Select the type of server: • Host—Indicates that this is a typical real server that provides content and services to clients.
Table 6-1 Real Server Attributes (continued). Weight: This field appears only for real servers identified as hosts. Enter the weight to be assigned to this real server in a server farm. Valid entries are integers from 1 to 100, and the default is 8. Web Host Redirection: URL string used to redirect requests to another server. This field appears only for real servers identified as redirect servers.
Table 6-1 Real Server Attributes (continued). Rate Bandwidth: The bandwidth rate is the number of bytes per second and applies to the network traffic exchanged between the ACE and the real server in both directions. Specify the real server bandwidth limit in bytes per second. Valid entries are integers from 1 to 300000000.
Managing Real Servers Step 4 Click Close to return to the Real Servers table.
Activating Real Servers Use this procedure to activate a real server. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 Select the servers that you want to activate, and then click Activate. The Activate Server screen appears. Step 3 In the Task field, confirm that this is the server that you want to activate. Step 4 In the Reason field, enter a reason for this action.
Step 5 Do the following: • Click Deploy Now to deploy this configuration and to return to the Real Servers table. The server appears in the table with the status Out Of Service. • Click Cancel to exit this procedure without suspending the server and to return to the Real Servers table.
Viewing All Real Servers To view all real servers, choose Config > Operations > Real Servers. The Real Servers table displays the following information in Table 6-2 by default: Table 6-2 Real Server Table Fields. Name: Real server name. IP address: Real server IP address. Port: Port used by the real server for communications. Vservers: Associated virtual server. Context: Associated virtual context.
Table 6-3 Real Server Operational States (continued). Inservice: The server is in use as a destination for server load balancing client connections. Inservice standby: The server is in standby state. No connections will be assigned to it unless the primary server fails. Max. Load: The server is under maximum load and cannot receive any additional connections.
Configuring Dynamic Workload Scaling This section describes how to configure the ACE Dynamic Workload Scaling (DWS) feature. DWS enables an ACE to burst traffic to a remote pool of VMs when the average CPU or memory usage of the local VMs has reached a specified maximum threshold value. When the usage drops to a specified minimum threshold value, the ACE stops bursting traffic to the remote VMs.
Configuring and Verifying a Cisco Nexus 7000 Connection This procedure describes how to configure an ACE with the Cisco Nexus 7000 Series switch attributes required to allow the ACE to communicate with the Cisco Nexus 7000 Series switch using SSH. The ACE uses the Cisco Nexus 7000 Series switch to obtain VM location information (local or remote). Note With Device Manager software Version A5(1.
a. From the Name field, click the radio button for the drop-down list that contains the list of existing switch profile names. b. From the drop-down list, choose the switch profile to edit. The current profile attributes display. c. Edit the profile fields as described in the procedure above for creating a new profile and go to Step 3.
Prerequisites The ACE is configured to communicate with the local Nexus 7000 that enables the ACE to discover the locality of the VM Controller VMs (see the “Configuring and Verifying a Cisco Nexus 7000 Connection” section on page 6-15). Procedure Step 1 Choose Config > Virtual Contexts > Load Balancing > Dynamic Workload Scaling > VM Controller Setup. The VM Controller Setup pane appears.
Related Topics • Configuring and Verifying a Cisco Nexus 7000 Connection, page 6-15 • Configuring Health Monitoring, page 6-39 • Configuring Dynamic Workload Scaling, page 6-14 • Dynamic Workload Scaling Overview, page 6-4 • Configuring Real Servers, page 6-5 • Configuring Server Farms, page 6-18 Configuring Server Farms Server farms are groups of networked real servers (physical servers and VMs) that contain the sam
Table 6-5 Server Farm Attributes. Name: Either accept the automatically incremented value in this field, or enter a unique name for this server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Table 6-5 Server Farm Attributes (continued). Failaction Reassign Across Vlans: This field appears only when the Fail Action is set to Reassign. Check the check box to specify that the ACE reassigns the existing server connections to the backup real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails.
Table 6-5 Server Farm Attributes (continued). Dynamic Workload Scaling: This field appears only for host server farms. Allows the ACE to burst traffic to remote VMs when the average CPU or memory usage of the local VMs has reached its specified maximum threshold value.
Table 6-5 Server Farm Attributes (continued). Inband-Health Check: This field appears only for host server farms. By default, the ACE monitors the health of all real servers in a configuration through the use of ARPs and health probes. However, there is a latency period between when the real server goes down and when the ACE becomes aware of the state.
Table 6-5 Server Farm Attributes (continued). Resume Service (Seconds): This field appears only when the Inband-Health Check is set to Remove. Enter the number of seconds after a server has been marked as failed to reconsider it for sending live connections. Valid entries are integers from 30 to 3600. By default, this field is not configured.
Table 6-5 Server Farm Attributes (continued). Back Inservice: This field appears only for host server farms. Enter the percentage of real servers in the primary server farm that must be active again for the ACE to place the server farm back into service. Valid entries are integers from 0 to 99. The value in this field must be greater than or equal to the value in the Partial Threshold Percentage field.
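As an added example for the Inband-Health Check, Resume Service (Seconds), Partial Threshold Percentage and Back Inservice attributes in Table 6-5 (the same fields appear in Table 5-11 when a server farm is created from a virtual server), the following Python, written for this page and not part of Device Manager or ACE software, models how a host server farm takes real servers out of service on inline connection failures, reconsiders them once the resume-service timer expires, and uses the two percentages as a hysteresis band for the farm as a whole. The threshold values, server names and timing are constructed assumptions; the range checks mirror the limits stated in the table.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RealServer:
    name: str
    failures: int = 0                 # consecutive connection failures seen inline
    state: str = "inservice"          # "inservice" or "failed"
    failed_at: Optional[float] = None


@dataclass
class ServerFarm:
    """Constructed model of a host server farm using the Table 6-5 attributes."""
    name: str
    servers: list
    inband_threshold: int = 3             # Inband-Health Check: failures before Remove
    resume_service: Optional[int] = None  # Resume Service (Seconds), 30 to 3600
    partial_threshold: int = 50           # Partial Threshold Percentage, 0 to 99
    back_inservice: int = 75              # Back Inservice percentage, 0 to 99
    farm_up: bool = True

    def __post_init__(self):
        # The same constraints the Device Manager form places on these fields.
        if not (0 <= self.partial_threshold <= 99 and 0 <= self.back_inservice <= 99):
            raise ValueError("percentages must be integers from 0 to 99")
        if self.back_inservice < self.partial_threshold:
            raise ValueError("Back Inservice must be >= Partial Threshold Percentage")
        if self.resume_service is not None and not 30 <= self.resume_service <= 3600:
            raise ValueError("Resume Service must be 30 to 3600 seconds")

    def active_percent(self) -> int:
        active = sum(1 for s in self.servers if s.state == "inservice")
        return 100 * active // len(self.servers)

    def record_result(self, server: RealServer, ok: bool, now: float) -> None:
        """Inband health check: count failures on real client connections rather
        than waiting for the next probe, and remove the server at the threshold."""
        if ok:
            server.failures = 0
            return
        server.failures += 1
        if server.state == "inservice" and server.failures >= self.inband_threshold:
            server.state, server.failed_at = "failed", now
            self._update_farm_state()

    def tick(self, now: float) -> None:
        """Resume Service: once the configured seconds have passed, a failed server
        is reconsidered for live connections. Left unset, the server stays out
        until a probe or an operator returns it."""
        if self.resume_service is None:
            return
        for s in self.servers:
            if s.state == "failed" and now - s.failed_at >= self.resume_service:
                s.state, s.failures, s.failed_at = "inservice", 0, None
        self._update_farm_state()

    def _update_farm_state(self) -> None:
        """Partial Threshold takes the farm down; Back Inservice, which must be at
        least as high, brings it back. The gap between the two keeps the farm
        from flapping while servers recover one at a time."""
        pct = self.active_percent()
        if self.farm_up and pct < self.partial_threshold:
            self.farm_up = False          # Fail Action / backup server farm applies
        elif not self.farm_up and pct >= self.back_inservice:
            self.farm_up = True
```

The point of the two percentages is visible in `_update_farm_state`: with partial threshold 50 and back inservice 75, a farm that dropped to one of four servers does not return to service when a second server recovers (50 percent), only when a third does, so traffic is not handed back to a farm that is still half down.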
• Configuring Dynamic Workload Scaling, page 6-14 Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance OL-26645-02 6-25
Adding Real Servers to a Server Farm After adding a server farm (see Configuring Server Farms, page 6-18), you can associate real servers with it and configure predictors and retcode maps. The configuration screens for these attributes appear beneath the Server Farms table or after you have successfully added a new server farm.
Table 6-6 Real Server Configuration Attributes (continued). State: Select the state of this server: • In Service—Indicates that this server is in service. • In Service Standby—Indicates that this server is a backup server and is to remain inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections.
Chapter 6 Configuring Real Servers and Server Farms Configuring Server Farms Table 6-6 Real Server Configuration Attributes (continued) Field Description Probes Select the probes in the Available list that you want to apply to this server, and then click Add. The selected probes appear in the Selected list. To remove probes you do not want to apply to this server, select the probes in the Selected list, and then click Remove.
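The Partial Threshold / Back Inservice pair in Table 6-5 and the In Service Standby state in Table 6-6 together decide when a farm stops receiving traffic and who receives it instead. The following Python model is an added example and is not ACE or Cisco code: the class and attribute names are ours, the percentages and server list are constructed, and the rule that standby servers take over only when no primary is healthy is an assumption drawn from the Table 6-6 wording rather than from ACE internals. It shows why Back Inservice must be at least Partial Threshold: the gap between the two is the hysteresis that keeps one flapping server from bouncing traffic between the primary and backup farms.

```python
"""Server-farm availability model: Partial Threshold / Back Inservice
hysteresis (Table 6-5) and In Service Standby real servers (Table 6-6).

Added example, not code from the ACE Device Manager or from Cisco. Class and
attribute names are ours; the standby takeover rule is an assumption."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class RealServer:
    name: str
    standby: bool = False   # True = "In Service Standby"
    healthy: bool = True    # current result of the probes applied to it


@dataclass
class ServerFarm:
    name: str
    partial_threshold: int  # farm leaves service when active% falls below this
    back_inservice: int     # farm returns when active% reaches this again
    reals: List[RealServer] = field(default_factory=list)
    in_service: bool = True

    def __post_init__(self) -> None:
        for pct in (self.partial_threshold, self.back_inservice):
            if not 0 <= pct <= 99:
                raise ValueError("percentages must be integers from 0 to 99")
        if self.back_inservice < self.partial_threshold:
            raise ValueError("Back Inservice must be >= Partial Threshold")

    def primaries(self) -> List[RealServer]:
        return [r for r in self.reals if not r.standby]

    def active_percent(self) -> int:
        prim = self.primaries()
        if not prim:
            return 0
        return 100 * sum(r.healthy for r in prim) // len(prim)

    def evaluate(self) -> bool:
        """Apply both thresholds with hysteresis and return in_service.

        A farm that has dropped out stays out until the Back Inservice
        percentage is reached, so a single flapping server cannot bounce
        traffic between the primary and the backup farm."""
        pct = self.active_percent()
        if self.in_service and pct < self.partial_threshold:
            self.in_service = False
        elif not self.in_service and pct >= self.back_inservice:
            self.in_service = True
        return self.in_service

    def eligible(self) -> List[str]:
        """Names of servers that may receive new connections right now."""
        up = [r.name for r in self.primaries() if r.healthy]
        if up:
            return up
        # No primary left: standby servers become active (assumption, see above).
        return [r.name for r in self.reals if r.standby and r.healthy]


def simulate(farm: ServerFarm, failures: List[str]) -> List[bool]:
    """Fail the named servers one at a time and record the farm state after
    each step; useful for checking that the hysteresis behaves as configured."""
    states = []
    for name in failures:
        for r in farm.reals:
            if r.name == name:
                r.healthy = False
        states.append(farm.evaluate())
    return states
```

With four primaries, Partial Threshold 50 and Back Inservice 75, the farm survives two failures, drops on the third, and does not return when only one server recovers; it needs three of four (75%) healthy again.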
Configuring the Predictor Method for Server Farms
After adding a server farm (see Configuring Server Farms, page 6-18), you can associate real servers with it and configure the predictor method and retcode maps. The configuration screens for these attributes appear beneath the Server Farms table or after you have successfully added a new server farm.
Table 6-7 Predictor Method Attributes
Predictor Method / Description / Action
Hash Address: The ACE selects the server using a hash value based on the source or destination IP address. Use this method to load balance firewalls. To configure the hash address predictor method: 1. In the Mask Type field, indicate whether server selection is based on the source IP address or the destination IP address: – N/A—This option is not defined.
Hash Content: The ACE selects the server by using a hash value based on the specified content string of the HTTP packet body. 1. In the Begin Pattern field, enter the beginning pattern of the content string and the pattern string to match before hashing.
Hash Header: The ACE selects the server by using a hash value based on the header name.
Hash URL: The ACE selects the server using a hash value based on the URL. Use this method to load balance cache servers. Enter values in one or both of the pattern fields: • In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to parse.
Least Loaded: The ACE selects the server with the lowest load based on information from SNMP probes. 1. In the SNMP Probe Name field, select the name of the SNMP probe to use. 2.
Response: The ACE selects the server with the lowest response time for a requested response-time measurement. 1.
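The three hash predictors in Table 6-7 differ only in which bytes feed the hash: an address (after masking), a slice of the URL between the begin and end patterns, or a header value. The Python below is an added example, not ACE code: the ACE uses its own hash function, whereas this uses SHA-256 purely for a stable, reproducible spread; server names, addresses and URLs are constructed. It also shows the two properties that matter operationally: with a subnet mask every client in one /24 lands on the same server (the firewall case), and hashing only the path keeps one object on one cache server regardless of query-string noise.

```python
"""Hash Address (with source/destination mask), Hash URL (begin/end pattern)
and Hash Header predictors. Added example, not ACE code; SHA-256 stands in
for the ACE's own hash and gives no security property here."""
import hashlib
import ipaddress
from typing import Dict, List, Optional


def _bucket(key: bytes, n: int) -> int:
    """Map a key to a server index with a stable hash."""
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n


def hash_address(servers: List[str], src_ip: str, dst_ip: str, *,
                 use_source: bool = True, mask: str = "255.255.255.255") -> str:
    """Hash Address predictor. The mask decides how many address bits take
    part: with a /24 mask every client in one subnet hits the same server,
    which firewall load balancing needs so that both directions of a flow
    cross the same firewall."""
    addr = ipaddress.ip_address(src_ip if use_source else dst_ip)
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return servers[_bucket(net.network_address.packed, len(servers))]


def _slice(text: str, begin: Optional[str], end: Optional[str]) -> Optional[str]:
    """Return the part of text between the begin and end patterns. A begin
    pattern that is not found yields None; no end pattern means 'to the end'."""
    start = 0
    if begin:
        i = text.find(begin)
        if i < 0:
            return None
        start = i + len(begin)
    stop = len(text)
    if end:
        j = text.find(end, start)
        if j >= 0:
            stop = j
    return text[start:stop]


def hash_url(servers: List[str], url: str, begin: Optional[str] = None,
             end: Optional[str] = None) -> Optional[str]:
    """Hash URL predictor with optional URL Begin/End patterns. Hashing the
    path only (stopping at '?') keeps one object on one cache server even
    when tracking parameters vary in the query string."""
    key = _slice(url, begin, end)
    if key is None:
        return None  # pattern absent: caller falls back to its default predictor
    return servers[_bucket(key.encode(), len(servers))]


def hash_header(servers: List[str], headers: Dict[str, str], name: str) -> Optional[str]:
    """Hash Header predictor: hash the value of one request header
    (header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return servers[_bucket(v.encode(), len(servers))]
    return None


def distribution(servers: List[str], keys: List[str]) -> Dict[str, int]:
    """Count how many keys land on each server; shows the hash spread."""
    counts = {s: 0 for s in servers}
    for k in keys:
        counts[servers[_bucket(k.encode(), len(servers))]] += 1
    return counts
```

The return-path trick for firewalls follows directly: hash the source address on the inside and the destination address on the outside with the same mask, and the same firewall sees both halves of a connection.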
Configuring Server Farm HTTP Return Error-Code Checking
After adding a server farm (see the “Configuring Server Farms” section on page 6-18), you can associate real servers with it and configure the predictor method and retcode maps. The configuration screens for these attributes appear beneath the Server Farms table or after you have successfully added a new server farm.
Step 6 In the Type field, specify the action to be taken and related options using the information in Table 6-8.
Table 6-8 Return-Code Type Configuration Options
Option / Description
Count: The ACE tracks the total number of return codes received for each return code number that you specify.
Log: The ACE generates a syslog error message when the number of events reaches a specified threshold. 1.
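A retcode map is the ACE's way of failing a server on application-level symptoms (a burst of 5xx responses) rather than on probe failure alone. The following Python is an added example and not ACE code: it models the Count, Log and Remove actions of Table 6-8 over a status-code range per real server, plus the Resume Service timer from Table 6-5 for a removed server. The threshold and reset-window parameters follow the ACE options in spirit, but their names here, and the resume behaviour as coded, are assumptions; the sample responses are constructed.

```python
"""HTTP return-code checking (Table 6-8) with Resume Service (Table 6-5).
Added example, not ACE code; parameter names and resume behaviour are
assumptions modelled on the ACE retcode-map options."""
import time
from typing import Dict, List, Optional, Tuple


class RetcodeMap:
    ACTIONS = ("count", "log", "remove")

    def __init__(self, min_code: int, max_code: int, action: str, *,
                 threshold: int = 1, reset_seconds: int = 60,
                 resume_seconds: int = 300) -> None:
        if action not in self.ACTIONS:
            raise ValueError(f"action must be one of {self.ACTIONS}")
        if not 100 <= min_code <= max_code <= 599:
            raise ValueError("bad status code range")
        self.min_code, self.max_code, self.action = min_code, max_code, action
        self.threshold, self.reset_seconds = threshold, reset_seconds
        self.resume_seconds = resume_seconds
        self._window: Dict[str, Tuple[int, float]] = {}  # server -> (count, window_start)
        self.removed_at: Dict[str, float] = {}
        self.events: List[str] = []

    def observe(self, server: str, status: int, now: Optional[float] = None) -> str:
        """Feed one response; returns 'ignore', 'count', 'log' or 'remove'."""
        now = time.monotonic() if now is None else now
        if not self.min_code <= status <= self.max_code:
            return "ignore"
        count, start = self._window.get(server, (0, now))
        if now - start > self.reset_seconds:      # window expired: start over
            count, start = 0, now
        count += 1
        if self.action == "count" or count < self.threshold:
            self._window[server] = (count, start)
            return "count"
        self._window[server] = (0, now)           # threshold hit: reset window
        if self.action == "log":
            self.events.append(f"syslog: {server} returned {self.threshold} "
                               f"{self.min_code}-{self.max_code} responses within "
                               f"{self.reset_seconds}s")
            return "log"
        self.removed_at[server] = now
        self.events.append(f"syslog: {server} removed from service")
        return "remove"

    def in_service(self, server: str, now: Optional[float] = None) -> bool:
        """A removed server is reconsidered after resume_seconds (Resume Service)."""
        now = time.monotonic() if now is None else now
        removed = self.removed_at.get(server)
        if removed is None:
            return True
        if now - removed >= self.resume_seconds:
            del self.removed_at[server]
            return True
        return False
```

Note the failure mode the reset window guards against: without it, three 503s spread over a week would eventually remove a healthy server, so the count must restart when the window lapses.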
Related Topics
• Configuring Virtual Context Policy Maps, page 12-34
• Configuring Real Servers, page 6-5
• Configuring Sticky Groups, page 7-11
• Configuring Dynamic Workload Scaling, page 6-14
Viewing All Server Farms
Use this procedure to view all server farms associated with a virtual context.
Procedure
Step 1 Choose Config > Virtual Contexts. The All Virtual Contexts table appears.
Related Topics
• Configuring Server Farms, page 6-18
• Adding Real Servers to a Server Farm, page 6-26
• Configuring Health Monitoring, page 6-39
• Configuring Server Farm HTTP Return Error-Code Checking, page 6-36
• Configuring Dynamic Workload Scaling, page 6-14
Displaying Server Farm Statistics and Status Information
You can display statistics and status information for a particular server farm.
Configuring Health Monitoring
The ACE appliance sends out probes periodically to determine the status of a server, verifies the server response, and checks for other network problems that may prevent a client from reaching a server. Based on the server response, the ACE appliance can place the server in or out of service, and, based on the status of the servers in the server farm, can make reliable load-balancing decisions.
• HTTP_PROBE_SCRIPT
• HTTPCONTENT_PROBE
• HTTPHEADER_PROBE
• HTTPPROXY_PROBE
• IMAP_PROBE
• LDAP_PROBE
• MAIL_PROBE
• POP3_PROBE
• PROBENOTICE_PROBE
• RTSP_PROBE
• SSL_PROBE_SCRIPT
These scripts are located in the probe: directory and are accessible in both the Admin and user contexts. Note that the script files in the probe: directory are read-only, so you cannot copy or modify them.
Table 6-9 Probe Types
Probe Type / Description
DNS: Sends a request to a DNS server giving it a configured domain. To determine if the server is up, the ACE appliance must receive the configured IP address for that domain.
ECHO-TCP: Sends a string to the server and compares the response with the original string. If the response string matches the original, the server is marked as passed.
SIP-TCP: Establishes a TCP connection and sends an OPTIONS request packet to the user agent on the server. The ACE compares the response with the configured response code or expected string, or both, to determine whether the probe has succeeded. If you do not configure an expected status code, any response from the server is marked as failed.
Step 5 Enter health monitoring general attributes (see Table 6-10).
Note Click More Settings to access the additional general attributes for the selected probe type. By default, the Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.
Table 6-10 Health Monitoring General Attributes
Field / Action
Description: Enter a description for this probe.
More Settings (Not applicable for the VM probe type)
Pass Detect Count: Enter the number of successful probe responses from the server before the server is marked as passed. Valid entries are integers from 1 to 65535 with a default of 3.
Table 6-11 Default Port Numbers for Probe Types (continued)
Probe Type / Default Port Number
HTTPS 443
ICMP Not applicable
IMAP 143
POP3 110
RADIUS 1812
RTSP 554
Scripted 1
SIP (both TCP and UDP) 5060
SMTP 25
SNMP 161
Telnet 23
TCP 80
UDP 53
VM 443
Step 6 Enter the attributes for the specific probe type selected:
• For DNS probes, see Table 6-12.
• For Echo-TCP probes, see Table 6-13.
• For VM probes, see Table 6-31.
Step 7 Do the following:
• Click Deploy Now to deploy this configuration on the ACE appliance.
• Click Cancel to exit this procedure without saving your entries and to return to the Health Monitoring table.
• Click Next to save your entries and to configure another probe.
• Telnet Probe Attributes, page 6-62
• UDP Probe Attributes, page 6-63
• VM Probe Attributes, page 6-65
Refer to the following topics for additional configuration options for health monitoring probes:
• Configuring DNS Probe Expect Addresses, page 6-66
• Configuring Headers for HTTP and HTTPS Probes, page 6-66
• Configuring Health Monitoring Expect Status, page 6-67
• Configuring an OID for SNMP Probes, page 6-
Table 6-13 Echo-TCP Probe Attributes (continued)
Field / Action
More Settings
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Enter the number of seconds to wait when opening a connection with a real server.
Table 6-15 Finger Probe Attributes (continued)
Field / Action
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Enter the number of seconds to wait when opening a connection with a real server.
Table 6-17 HTTP Probe Attributes
Field / Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
Request Method Type: Select the type of HTTP request method that is to be used for this probe:
• N/A—This option is not defined.
Request HTTP URL
Table 6-17 HTTP Probe Attributes (continued)
Hash: Check the Hash check box to indicate that the ACE is to use an MD5 hash for an HTTP GET probe. Clear the Hash check box to indicate that the ACE should not use an MD5 hash for an HTTP GET probe.
Hash String: This field appears if the Hash check box is selected.
Table 6-18 HTTPS Probe Attributes (continued)
Field / Action
Request HTTP URL: This field appears if you select Head or Get in the Request Method Type field. Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is "/".
Password: Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field. Probe credentials are stored in the ACE configuration, so use an account that has no rights beyond what the probe needs.
Expect Regular Expression: Enter the expected response data from the probe destination.
Table 6-19 IMAP Probe Attributes
Field / Action
User Name: Enter the user identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.
Password: Enter the password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.
Table 6-20 POP Probe Attributes (continued)
Field / Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server.
Table 6-22 RTSP Probe Attributes
Field / Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
RTSP Require Header Value: Enter the Require header for this probe.
RTSP Proxy Require Header Value: Enter the Proxy-Require header for this probe.
Table 6-23 Scripted Probe Attributes
Field / Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
Script Name: Enter the local name that you want to assign to this file on the ACE.
SIP-TCP Probe Attributes
Note Click More Settings to access the additional attributes for the SIP-TCP probe type. By default, the ACE appliance Device Manager hides the probe attributes with default values and the probe attributes which are not commonly used.
Table 6-24 SIP-TCP Probe Attributes
Field / Action
More Settings
Port: Enter the port number that the probe is to use.
Table 6-25 SIP-UDP Probe Attributes (continued)
Field / Action
Enable Rport: Check the check box to indicate that the server will be forced to send a reply from the same port on which the request was received. Clear the check box to indicate that the server can send the reply from a different port than the port on which the request was received.
Table 6-27 SNMP Probe Attributes
Field / Action
SNMP Community: Enter the SNMP community string. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. Treat the community string as a credential: SNMPv1 and SNMPv2c carry it in cleartext, so use a read-only community reserved for probing.
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
Table 6-28 TCP Probe Attributes (continued)
Field / Action
Open Timeout (Seconds): Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535, and the default value is 1.
Expect Regular Expression: Enter the expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters.
Table 6-29 Telnet Probe Attributes
Field / Action
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server.
Table 6-30 UDP Probe Attributes (continued)
Field / Action
Expect Hex Regex: Enter the expected response data from the probe destination as a hex string. The entry must contain an even number of hex digits (0-9, a-f, or A-F) with no separators, and at most 255 characters.
Expect Hex Regex Offset: Enter the expected response data in Hex format.
VM Probe Attributes
Note Use a VM probe when you configure the ACE for Dynamic Workload Scaling (see the “Configuring Dynamic Workload Scaling” section on page 6-14). Configure the VM probe attributes to control when the ACE bursts traffic to remote VMs based on an average of local VM CPU usage, memory usage, or both.
Configuring DNS Probe Expect Addresses
When a DNS probe sends a domain name resolve request to the server, it verifies the returned IP address by matching the received IP address with the configured addresses. Use this procedure to specify the IP address that the ACE appliance expects to receive in response to a DNS request.
Assumption
A DNS probe has been configured.
Procedure
Step 1 Choose Config > Virtual Contexts > context > Load Balancing > Health Monitoring. The Health Monitoring table appears.
Step 2 Select the HTTP or HTTPS probe that you want to configure with a header. The Probe Headers subtable appears.
Step 3 Click Add to add an entry, or select an existing entry, and then click Edit to modify it. The Probe Headers configuration screen appears.
Step 3 Click Add to add an entry, or select an existing entry, and then click Edit to modify it. The Expect Status configuration screen appears.
Step 4 To configure a single expect status code:
a. In the Min. Expect Status Code field, enter the expect status code for this probe. Valid entries are integers from 0 to 999.
b. In the Max.
Step 3 Click Add to add an entry, or select an existing entry, and then click Edit to modify it. The SNMP OID configuration pane appears.
Step 4 In the SNMP OID field, enter the OID that the probe is to use to query the server for a value. Valid entries are unquoted strings with a maximum of 255 alphanumeric characters in dotted-decimal notation, such as .1.3.6.1.4.2021.10.1.3.1.
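The pieces of the probe logic spread across Table 6-10 and the expect-address and expect-status procedures above fit together as one evaluation: each probe run yields pass or fail from the checks, and the Pass Detect Count / Fail Detect Count counters turn that stream into a server state. The Python below is an added example, not ACE code. The default count of 3 follows Table 6-10; the fail-detect default, the initial "init" state and the sample responses are assumptions constructed for illustration.

```python
"""Probe evaluation: Pass/Fail Detect Count state machine (Table 6-10),
DNS Expect Address check, Expect Status range check, Expect Regular
Expression check. Added example, not ACE code; defaults other than the
pass-detect count of 3 are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class ProbeHealth:
    pass_detect_count: int = 3
    fail_detect_count: int = 3
    state: str = "init"
    _passes: int = 0
    _fails: int = 0

    def record(self, ok: bool) -> str:
        """Consecutive successes or failures are counted; a mixed result
        resets the opposite counter, so one lucky reply cannot revive a
        server and one timeout cannot fail it."""
        if ok:
            self._passes += 1
            self._fails = 0
            if self._passes >= self.pass_detect_count:
                self.state = "passed"
        else:
            self._fails += 1
            self._passes = 0
            if self._fails >= self.fail_detect_count:
                self.state = "failed"
        return self.state


def dns_expect_ok(expect_addresses: Iterable[str], answers: Iterable[str]) -> bool:
    """DNS probe passes when at least one configured expect address is
    among the returned addresses (assumption: any match suffices)."""
    expected = set(expect_addresses)
    return any(a in expected for a in answers)


def expect_status_ok(ranges: List[Tuple[int, int]], code: int) -> bool:
    """Expect Status: each range is (min, max) with 0 <= min <= max <= 999."""
    for lo, hi in ranges:
        if not 0 <= lo <= hi <= 999:
            raise ValueError(f"bad expect status range {lo}-{hi}")
    return any(lo <= code <= hi for lo, hi in ranges)


def http_probe_ok(status: int, body: str, ranges: List[Tuple[int, int]],
                  expect_regex: Optional[str] = None) -> bool:
    """An HTTP/HTTPS probe passes only if the status is in range and, when
    an Expect Regular Expression is configured, the body matches it.
    Checking the body catches a server that answers 200 with an error page."""
    if not expect_status_ok(ranges, status):
        return False
    return expect_regex is None or re.search(expect_regex, body) is not None


def run_probe_series(results: List[bool], pass_detect: int = 3,
                     fail_detect: int = 3) -> List[str]:
    """Replay a series of probe outcomes and return the state after each."""
    h = ProbeHealth(pass_detect, fail_detect)
    return [h.record(r) for r in results]
```

The body check is the one most often left out: a status-only probe keeps a server in rotation while it serves a maintenance page with HTTP 200.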
Step 3 Click Update Details to refresh the output for the show probe name detail CLI command.
Step 4 Click Close to return to the Health Monitoring table.
Configuring Secure KAL-AP
The Secure KAL-AP table appears.
Step 2 Click Add to configure secure KAL-AP, which uses MD5 with a shared secret. Note that MD5 here is a hash, not a cipher: the shared secret authenticates the KAL-AP exchange between the ACE and the GSS; it does not keep the load information confidential. The Secure KAL-AP configuration screen appears.
Step 3 In the IP Address field, enable secure KAL-AP by configuring the IP address for the GSS. Using dotted-decimal notation (for example, 192.168.11.1), enter the IP address of a specific GSS device or enter the wildcard value (0.0.0.
Chapter 7 Configuring Stickiness
This chapter provides information about sticky behavior and procedures for configuring stickiness with an ACE appliance.
Note When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names with an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.
Stickiness Overview
minutes to several hours). This feature is particularly useful for e-commerce applications where a client needs to maintain multiple connections with the same server while shopping online, especially while building a shopping cart using HTTP requests and during the checkout process using HTTPS.
• Layer 4 Payload Stickiness, page 7-4
• RADIUS Stickiness, page 7-5
• RTSP Header Stickiness, page 7-5
• SIP Header Stickiness, page 7-5
• SSL Stickiness, page 7-5
HTTP Content Stickiness
HTTP content stickiness allows you to stick a client to a server based on the content of an HTTP packet.
Related Topics
• Configuring Sticky Groups, page 7-11
• Sticky Types, page 7-2
• Sticky Groups, page 7-6
• Sticky Table, page 7-11
HTTP Header Stickiness
You can use HTTP-header information to provide stickiness. With HTTP header stickiness, you can specify a header offset to provide stickiness based on a unique portion of the HTTP header.
RADIUS Stickiness
RADIUS stickiness can be based on the following RADIUS attributes:
• Calling station ID
• Username
Related Topics
• Configuring Sticky Groups, page 7-11
• Sticky Types, page 7-2
• Sticky Groups, page 7-6
• Sticky Table, page 7-11
RTSP Header Stickiness
RTSP stickiness is based on information in the RTSP session header.
Sticky Groups
Sticky groups allow the ACE to keep a client stuck to a real server or group of real servers within a server farm. The ACE uses the concept of sticky groups to configure stickiness. A sticky group allows you to specify the sticky attributes. After you configure a sticky group and its attributes, you associate the sticky group with a Layer 7 policy-map action in a Layer 7 SLB policy map.
• Many-to-One Association Example, page 7-9
Guidelines and Restrictions
Observe the following guidelines and restrictions when using the buddy sticky group feature:
• When two sticky groups with different timeout values are buddied together, the ACE uses the shortest timeout value for the buddy group.
• Sticky groups that are buddied together must be of the same type, such as all IP-sticky, all http-cookie, and so forth.
Figure 7-1 Buddy Sticky Groups: One-to-One Association
[Figure 7-1: a client on the Internet reaches VIP 172.16.1.100 (interface 172.16.1.5) through a Multilayer Switch Feature Card on VLAN 20 (172.16.1.1) and the ACE on VLAN 40 (192.168.1.1). Server farm http and server farm https both belong to buddy group alpha; real server 1nx1 (192.168.1.11, ports 80 and 443, member group blue) and real server 1nx2 (192.168.1.12, ports 80 and 443, member group red) are in both farms.]
The ACE is configured to load balance HTTP requests to server farm http using either real server 1nx1:192.168.1.
Figure 7-2 Buddy Sticky Groups: Asymmetric Association
[Figure 7-2: the same client, VIP, MSFC and ACE placement. Server farm foobar (buddy group alpha) contains the nested server farms foo (alpha) and bar (alpha), with real server 1nx1 192.168.1.11 (member group blue) and real server 1nx2 192.168.1.12 (member group red).]
The ACE is configured to send client traffic with Layer 3 matches to server farm foobar, which contains the nested server farms foo and bar.
Server Farm | Server Farm Buddy Group | Real Server | Real Server Member Group
web (first tier) | alpha | 1nx1:192.168.1.11:80 | blue
 | | 1nx2:192.168.1.12:80 | blue
 | | 1nx3:192.168.1.13:80 | red
 | | 1nx4:192.168.1.14:80 | red
 | | db1:192.168.1.21:123 | blue
 | | db1:192.168.1.
Configuring Sticky Groups
Sticky Table
To keep track of sticky connections, the ACE appliance uses a sticky table. Table entries include the following items:
• Sticky groups
• Sticky methods
• Sticky connections
• Real servers
The sticky table can hold a maximum of four million entries (four million simultaneous users).
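The sticky table and the buddy-group rules above can be expressed compactly: an entry is keyed by the sticky key within a scope, the scope is the buddy group when one is configured (so the HTTP and HTTPS groups of Figure 7-1 share entries), entries expire after the group's inactivity timeout with buddied groups using the shortest member timeout, buddied groups must share a sticky type, and the table is bounded. The Python below is an added example, not ACE code; group and server names, the minute-based clock, and treating the four-million cap as a hard error are constructed or assumed for illustration.

```python
"""Sticky table with sticky groups and buddy groups. Added example, not
ACE code; names, the minute clock and the behaviour at the capacity limit
are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class StickyGroup:
    name: str
    sticky_type: str          # e.g. "ip-netmask", "http-cookie", "ssl-session-id"
    timeout_min: int          # inactivity timeout in minutes
    buddy: Optional[str] = None


class StickyTable:
    MAX_ENTRIES = 4_000_000   # documented capacity of the ACE sticky table

    def __init__(self) -> None:
        self.groups: Dict[str, StickyGroup] = {}
        self._entries: Dict[Tuple[str, str], List] = {}  # (scope, key) -> [server, last_used]

    def add_group(self, g: StickyGroup) -> None:
        """Buddied groups must be of the same sticky type."""
        if g.buddy:
            for other in self.groups.values():
                if other.buddy == g.buddy and other.sticky_type != g.sticky_type:
                    raise ValueError("buddied sticky groups must be of the same type")
        self.groups[g.name] = g

    def _scope(self, name: str) -> str:
        g = self.groups[name]
        return f"buddy:{g.buddy}" if g.buddy else f"group:{name}"

    def _timeout(self, name: str) -> int:
        """The buddy group uses the shortest timeout of its members."""
        g = self.groups[name]
        if not g.buddy:
            return g.timeout_min
        return min(x.timeout_min for x in self.groups.values() if x.buddy == g.buddy)

    def learn(self, name: str, key: str, server: str, now_min: int) -> None:
        k = (self._scope(name), key)
        if k not in self._entries and len(self._entries) >= self.MAX_ENTRIES:
            raise MemoryError("sticky table full")
        self._entries[k] = [server, now_min]

    def lookup(self, name: str, key: str, now_min: int) -> Optional[str]:
        k = (self._scope(name), key)
        entry = self._entries.get(k)
        if entry is None:
            return None
        if now_min - entry[1] > self._timeout(name):
            del self._entries[k]          # expired: forget the binding
            return None
        entry[1] = now_min                # refresh on use
        return entry[0]

    def select(self, name: str, key: str, candidates: List[str], now_min: int) -> str:
        """Return the stuck server if there is one; otherwise take the
        predictor's choice (first candidate) and learn it."""
        server = self.lookup(name, key, now_min)
        if server is None:
            server = candidates[0]
            self.learn(name, key, server, now_min)
        return server
```

In the test the HTTP group (10 minutes) and the HTTPS group (30 minutes) are buddied: a binding learned on HTTP is honoured by HTTPS, and it expires after 10 minutes of inactivity, not 30.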
Procedure
Step 1 Select Config > Virtual Contexts > context > Load Balancing > Stickiness. The Sticky Groups table appears.
Step 2 Click Add to add a new sticky group, or select an existing sticky group you want to modify, and then click Edit.
Step 3 Enter the sticky group attributes (see Table 7-1).
Table 7-1 Sticky Group Attributes
Field / Description
Group Name: The sticky group identifier.
Type: The method to be used when establishing sticky connections:
• HTTP Content—The ACE sticks client connections to the same real server based on a string in the data portion of the HTTP packet. See Table 7-2 for additional configuration options.
Enable Insert: This option appears only for sticky type HTTP Cookie. Check this check box if the ACE appliance is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie.
Enable Sticky For Response: This check box appears for the sticky types Layer 4 Payload and SSL. Check this check box to instruct the ACE to parse the response bytes from a server and perform sticky learning.
Sticky Server Farm: Select a server farm you want to associate with this sticky group.
Backup Server Farm: This field appears when a server farm is selected.
Related Topics
• Configuring Sticky Statics, page 7-21
• Configuring Virtual Context Class Maps, page 12-8
• Configuring Virtual Context Policy Maps, page 12-34
• Configuring Real Servers, page 6-5
• Configuring Server Farms, page 6-18
Sticky Group Attribute Tables
Refer to the following topics for sticky group type-specific attributes:
• HTTP Content Sticky Group Attributes, page 7-16
• HTTP Cookie Sticky Group Attributes, page 7-17
Table 7-2 HTTP Content Sticky Group Attributes (continued)
Field / Description
Begin Pattern: Enter the beginning pattern of the HTTP content payload and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE begins parsing immediately after the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.
Table 7-3 HTTP Cookie Sticky Group Attributes (continued)
Field / Description
Length (Bytes): Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are integers from 1 to 1000.
Secondary Name: Enter an alternate cookie name that is to appear in the URL string of the Web page on the server.
Layer 4 Payload Sticky Group Attributes
Table 7-6 Layer 4 Payload Sticky Group Attributes
Field / Description
Offset (Bytes): Enter the number of bytes the virtual server is to ignore starting with the first byte of the payload. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the payload.
RADIUS Sticky Group Attributes
Table 7-7 RADIUS Sticky Group Attributes
Field / Description
RADIUS Types: Select the RADIUS attribute to use for sticking client connections:
• N/A—This option is not configured.
• RADIUS Calling ID—Stickiness is based on the RADIUS framed IP attribute and the calling station ID attribute.
User IPv6 Prefix Length
SSL Sticky Group Attributes
Table 7-9 SSL Sticky Group Attributes
Field / Description
Enable Sticky For Response: Check the check box to instruct the ACE to parse the response bytes from a server and perform sticky learning. Clear the check box when you do not want the ACE to perform this operation.
Length (Bytes): Length of the SSL session ID that needs to be parsed. Valid entries are integers from 1 to 1000.
Configuring Sticky Statics
Step 4 In the Sequence Number field, either accept the automatically incremented number for this entry or enter a new sequence number. The sequence number indicates the order in which multiple sticky static configurations are applied.
Step 5 In the Type field, confirm that the correct sticky group type is selected.
Step 6 If you select HTTP Cookie, HTTP Header, HTTP Content, Layer 4 Payload, RTSP Header, or SIP Header for the sticky type, in the Static Value field enter the string value to match (for HTTP Cookie, the cookie value). Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotes.
Step 7 If you select IP Netmask or IPv6 Prefix for the sticky type: a.
C H A P T E R 8 Configuring Parameter Maps This chapter describes how to configure parameter maps. Parameter maps provide a means of performing actions on traffic received by the ACE, based on certain criteria such as protocol or connection attributes. After you configure a parameter map, you associate it with a policy map to implement configured behavior. Table 8-1 describes the parameter maps you can configure using the ACE.
Chapter 8 Configuring Parameter Maps Configuring HTTP Parameter Maps If you use the ACE CLI to configure a named object with special characters that the DM does not support, you may not be able to configure the ACE using DM.
Chapter 8 Configuring Parameter Maps Configuring HTTP Parameter Maps Table 8-2 HTTP Parameter Map Attributes (continued) Field Description Header Modify Per-Request Check the check box to require SSL information be inserted for every HTTP GET request. Current functionality only requires that the information be inserted at the first GET request. Exceed Max.
Chapter 8 Configuring Parameter Maps Configuring HTTP Parameter Maps Table 8-2 HTTP Parameter Map Attributes (continued) Field Description Enable Non Strict on Parsing Error Check this check box to configure the ACE to allow the presence of a CRLF in the header before the header name, which is inserted for header name continuation purposes. Normally, the ACE considers a CRLF in the header a parse error.
Chapter 8 Configuring Parameter Maps Configuring Connection Parameter Maps • Click Next to accept your entries and to add another parameter map.
Chapter 8 Configuring Parameter Maps Configuring Connection Parameter Maps Table 8-3 Connection Parameter Map Attributes (continued) Field Description More Settings Exceeds MSS Indicate how the ACE is to handle segments that exceed the maximum segment size (MSS): • Allow—The ACE is to permit segments that exceed the configured MSS. • Drop—The ACE is to discard segments that exceed the configured MSS.
Chapter 8 Configuring Parameter Maps Configuring Connection Parameter Maps Table 8-3 Connection Parameter Map Attributes (continued) Field Description TCP Buffer Share (Bytes) To improve throughput and overall performance, the ACE buffers the number of bytes you specify before processing received data or transmitting data. Use this option to increase the default buffer size and thereby realize improved network performance. Enter the maximum size of the TCP buffer in bytes.
Chapter 8 Configuring Parameter Maps Configuring Connection Parameter Maps Table 8-3 Connection Parameter Map Attributes (continued) Field Description Slow Start Algorithm When enabled, the slow start algorithm increases the TCP window size as ACK handshakes arrive so that new segments are injected into the network at the rate at which acknowledgements are returned by the host at the other end of the connection.
Chapter 8 Configuring Parameter Maps Configuring Connection Parameter Maps Table 8-3 Connection Parameter Map Attributes (continued) Field Description Timestamps Indicate how the ACE is to handle the timestamp option that is specified in SYN segments: • Allow—The ACE is to allow any segment with the specified option set. • Clear—The ACE is to clear the specified option from any segment that has it set and allow the segment. Action For TCP Window Scale Factor
Chapter 8 Configuring Parameter Maps Configuring Connection Parameter Maps Step 5 Do the following: • Click Deploy Now to deploy this configuration on the ACE appliance. • Click Cancel to exit this procedure without accepting your entries and to return to the Parameter Maps table. • Click Next to accept your entries and to add another parameter map.
Chapter 8 Configuring Parameter Maps Configuring Optimization Parameter Maps Configuring Optimization Parameter Maps Use this procedure to configure an Optimization parameter map for use with a Layer 3/Layer 4 policy map. See the “Configuring Application Acceleration and Optimization” section on page 13-1 or the Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance for more information about application acceleration and optimization.
Chapter 8 Configuring Parameter Maps Configuring Optimization Parameter Maps Table 8-5 Optimization Parameter Map Attributes (continued) Field Description Max. Number for Parameter Summary Log (Bytes) Enter the maximum number of bytes that are to be logged for each parameter value in the parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this limit, it is truncated at the specified limit. Valid entries are 0 to 10,000 bytes. Max.
Chapter 8 Configuring Parameter Maps Configuring Optimization Parameter Maps Table 8-5 Optimization Parameter Map Attributes (continued) Field Description Cache Time-To-Live Duration (%) Enter the percent of an object’s age at which an embedded object without an explicit expiration time is considered fresh. Valid entries are 0 to 100 percent.
Chapter 8 Configuring Parameter Maps Configuring Optimization Parameter Maps Table 8-5 Optimization Parameter Map Attributes (continued) Field Description Exclude JavaScripts From Delta Optimization Check the check box to indicate that delta optimization is not to be applied to JavaScript. Clear the check box to indicate that delta optimization is to be applied to JavaScript. MIME Types To Exclude From Delta Optimization 1.
Chapter 8 Configuring Parameter Maps Configuring Optimization Parameter Maps Table 8-5 Optimization Parameter Map Attributes (continued) Field Description Override Server Response Headers Indicate how the ACE is to handle origin server response headers (primarily for embedded objects): • N/A—This feature is not enabled. • All Cache Request Headers Are Ignored—The ACE is to ignore all response headers. UTF-8 Character Set Threshold
Chapter 8 Configuring Parameter Maps Configuring Optimization Parameter Maps Table 8-6 lists the parameter expander functions that you can use. Table 8-6 Parameter Expander Functions Variable Description $(number) Expands to the corresponding matching subexpression (by number) in the URL pattern. Subexpressions are marked in a URL pattern using parentheses (). The numbering of the subexpressions begins with 1 and is the number of the left parenthesis “(” counting from the left.
Chapter 8 Configuring Parameter Maps Configuring Generic Parameter Maps Table 8-6 Parameter Expander Functions (continued) Variable Description Boolean Functions: Evaluates to a Boolean value: True or False, depending on the presence or absence of the element in the request. The elements are a specific query parameter (query-param-name), a specific cookie (cookie-name), a specific request header (request-header-name), or a specific HTTP method (method-name).
Chapter 8 Configuring Parameter Maps Configuring Generic Parameter Maps Procedure Step 1 Choose Config > Virtual Contexts > context > Load Balancing > Parameter Maps > Generic Parameter Maps. The Generic Parameter Maps table appears. Step 2 Click Add to add a new parameter map, or select an existing parameter map, and then click Edit to modify it. The Generic Parameter Maps configuration screen appears. Step 3 Configure the parameter map using the information in Table 8-7.
Chapter 8 Configuring Parameter Maps Configuring RTSP Parameter Maps Configuring RTSP Parameter Maps RTSP parameter maps allow you to configure advanced RTSP behavior for server load-balancing connections. Use this procedure to configure an RTSP parameter map. Procedure Step 1 Select Config > Virtual Contexts > context > Load Balancing > Parameter Maps > RTSP Parameter Maps. The RTSP Parameter Maps table appears.
Chapter 8 Configuring Parameter Maps Configuring SIP Parameter Maps Configuring SIP Parameter Maps SIP parameter maps allow you to configure SIP deep-packet inspection policy maps on the ACE. Use this procedure to configure a SIP parameter map. Procedure Step 1 Choose Config > Virtual Contexts > context > Load Balancing > Parameter Maps > SIP Parameter Maps. The SIP Parameter Maps table appears.
Chapter 8 Configuring Parameter Maps Configuring SIP Parameter Maps Table 8-9 SIP Parameter Map Attributes (continued) Field Description Mask UA Software Version If the software version of a user agent is exposed, that user agent might be targeted by attackers who exploit vulnerabilities in that particular software version. This option allows you to mask or log the user agent software version so that it is not exposed.
Chapter 8 Configuring Parameter Maps Configuring Skinny Parameter Maps Step 4 Do the following: • Click Deploy Now to deploy this configuration. • Click Cancel to exit this procedure without saving your entries and to return to the SIP Parameter Maps table. • Click Next to deploy your entries and to configure another SIP parameter map.
Chapter 8 Configuring Parameter Maps Configuring DNS Parameter Maps Table 8-10 Skinny Parameter Map Attributes (continued) Field Description Message Id Max. Enter the largest value for the station message ID in hexadecimal that the ACE is to accept. Valid entries are hexadecimal values from 0x0 to 0x4000. The default value is 0x181. Note The Message Id Max. hexadecimal value should always start with 0x or 0X.
Chapter 8 Configuring Parameter Maps Configuring RDP Parameter Maps Step 3 Configure the parameter map using the information in Table 8-11. Table 8-11 DNS Parameter Map Attributes Field Description Parameter Name Enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9).
Chapter 8 Configuring Parameter Maps Supported MIME Types Table 8-12 RDP Parameter Map Attributes Field Description Parameter Name Enter a unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs.
Chapter 8 Configuring Parameter Maps Supported MIME Types • audio/midi • audio/mpeg • audio/x-adpcm • audio/x-aiff • audio/x-ogg • audio/x-wav • image/* • image/gif • image/jpeg • image/png • image/tiff • image/x-3ds • image/x-bitmap • image/x-niff • image/x-portable-bitmap • image/x-portable-greymap • image/x-xpm • text/* • text/css • text/html • text/plain • text/richtext • text/sgml • text/xmcd • text/xml • video/* • video/flc • video/mpeg • vid
Chapter 8 Configuring Parameter Maps Supported MIME Types Viewing All Parameter Maps by Context Use this procedure to view all parameter maps associated with a virtual context. Procedure Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears. Step 2 Select the virtual context with the parameter maps you want to view, and then select Load Balancing > Parameter Maps. The Parameter Maps table appears listing each parameter map and its type.
Chapter 8 Configuring Parameter Maps Supported MIME Types Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance 8-28 OL-26645-01
C H A P T E R 9 Configuring SSL Note The information in this chapter does not apply to the ACE NPE software version in which payload encryption protocols are removed (see the “Information About the ACE No Payload Encryption Software Version” section on page 1-2). This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.
Chapter 9 Configuring SSL SSL Overview SSL Overview SSL is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers for e-commerce Web sites. SSL initiation occurs when the ACE appliance acts as a client and initiates the SSL session between it and the SSL server.
Chapter 9 Configuring SSL SSL Configuration Prerequisites SSL Configuration Prerequisites Before configuring your ACE for SSL operation, you must first ensure: • Your ACE hardware is configured for server load balancing (SLB). Note During the real server and server farm configuration process, when you associate a real server with a server farm, ensure that you assign an appropriate port number for the real server.
Chapter 9 Configuring SSL Summary of SSL Configuration Steps Summary of SSL Configuration Steps Table 9-1 describes the steps for using SSL keys and certificates. Table 9-1 SSL Key and Certificate Procedure Overview Task Description Step 1 Create an SSL parameter map. Create an SSL parameter map to specify the options that apply to SSL sessions such as the method to be used to close SSL connections, the cipher suite, and version of SSL or TLS. See Configuring SSL Parameter Maps, page 9-19.
Chapter 9 Configuring SSL SSL Setup Sequence Table 9-1 SSL Key and Certificate Procedure Overview (continued) Task Description Step 11 Configure CRL. See Configuring CRLs for Client Authentication, page 9-33. Step 12 Configure an SSL OCSP service. See Configuring SSL OCSP Service, page 9-30. For more information about using SSL with ACE appliances, see the SSL Guide, Cisco ACE Application Control Engine.
Chapter 9 Configuring SSL Using SSL Certificates For more information on SSL configuration features, see Summary of SSL Configuration Steps.
Chapter 9 Configuring SSL Using SSL Certificates Note The ACE supports the creation of a maximum of eight CRLs for any context. ACE appliances require certificates and corresponding key pairs for: • SSL termination—The ACE appliance acts as an SSL proxy server and terminates the SSL session between it and the client. For SSL termination, you must obtain a server certificate and corresponding key pair.
Chapter 9 Configuring SSL Importing SSL Certificates The ACE allows you to export these files but does not allow you to import any files with these names. When you upgrade the ACE software, these files are overwritten with the files provided in the upgrade image. You cannot use the crypto delete CLI command to delete these files unless you downgrade the ACE software because a software downgrade preserves these files as if they were user-installed SSL files.
Chapter 9 Configuring SSL Importing SSL Certificates Note SSL bulk import can take longer depending on the number of SSL certificates being imported. It will progress to completion on the ACE. To see the imported certificates in the ACE Device Manager, perform a CLI synchronization for this context once the SSL bulk import has completed. For information on synchronizing contexts, see the “Synchronizing Virtual Context Configurations” section on page 4-79. Step 3
Chapter 9 Configuring SSL Importing SSL Certificates Table 9-2 SSL Certificate Management Import Attributes (continued) Field Description Confirm This field appears for FTP, SFTP, and TERMINAL. Reenter the passphrase. Non-Exportable The ability to export SSL certificates allows you to copy signed certificates to another server on your network so that you can then import them onto another ACE appliance or Web server. Exporting is similar to copying in that the original files are not deleted.
Chapter 9 Configuring SSL Using SSL Keys Step 4 Do the following: • Click OK to accept your entries and to return to the Certificates table. The ACE Appliance Device Manager updates the Certificates table with the newly installed certificate. • Click Cancel to exit this procedure without saving your entries and to return to the Certificates table.
Chapter 9 Configuring SSL Using SSL Keys Importing SSL Key Pairs Use this procedure to import an SSL key pair file. Note The ACE supports a maximum of 4,096 key pairs. Assumptions • You have configured an ACE appliance for server load balancing. (See Load Balancing Overview, page 5-1.) • You have obtained an SSL key pair from a certificate authority (CA) and have placed the pair on a network server accessible by the ACE appliance.
Chapter 9 Configuring SSL Using SSL Keys Table 9-4 SSL Key Pair Import Attributes Field Description Protocol Specify the method to be used for accessing the network server: • FTP—Indicates that FTP is to be used to access the network server when importing the SSL key pair file. • SFTP—Indicates that SFTP is to be used to access the network server when importing the SSL key pair file. IP Address
Chapter 9 Configuring SSL Using SSL Keys Table 9-5 SSL Key Pair Bulk Import Attributes Field Description Protocol SFTP is to be used to access the network server when importing the SSL key pairs. SFTP is the only supported protocol for bulk import. IP Address Enter the IPv4 address of the remote server on which the SSL key pair files reside. Remote Path Enter the path to the key pair files that reside on the remote server.
Chapter 9 Configuring SSL Using SSL Keys • Configuring SSL Chain Group Parameters, page 9-25 • Configuring SSL CSR Parameters, page 9-26 • Configuring SSL Proxy Service, page 9-28 Generating SSL Key Pairs If you do not have any matching key pairs, you can use the ACE appliance to generate a key pair. Use this procedure to generate SSL RSA key pairs. Procedure Step 1 Choose Config > Virtual Contexts > context > SSL > Keys. The Keys table appears. Step 2 Click Add to add a new key pair.
Chapter 9 Configuring SSL Using SSL Keys After generating an RSA key pair, you can: • Create a CSR parameter set. The CSR parameter set defines the distinguished name attributes for the ACE appliance to use during the CSR-generating process. For details on defining a CSR parameter set, see Configuring SSL CSR Parameters, page 9-26. • Generate a CSR for the RSA key pair file and transfer the CSR request to the certificate authority for signing.
Chapter 9 Configuring SSL Using SSL Keys Table 9-6 SSL Certificate Export Attributes Field Description Protocol Specify the method to be used for exporting the SSL certificate: • FTP—Indicates that FTP is to be used to access the network server when exporting the SSL certificate. • SFTP—Indicates that SFTP is to be used to access the network server when exporting the SSL certificate. IP Address
Chapter 9 Configuring SSL Using SSL Keys Exporting SSL Key Pairs The ability to export SSL key pairs allows you to copy SSL key pair files to another server on your network so that you can then import them onto another ACE appliance or Web server. Exporting key pair files is similar to copying in that the original key pairs are not deleted. Use this procedure to export SSL key pairs from an ACE appliance to a remote server.
Chapter 9 Configuring SSL Configuring SSL Parameter Maps Step 4 Do the following: • Click OK to export the key pair and to return to the Keys table. • Click Cancel to exit this procedure without exporting the key pair and to return to the Keys table.
Chapter 9 Configuring SSL Configuring SSL Parameter Maps the SSL negotiation process. The default value is 300 seconds (5 minutes), and can be adjusted from 0 (to indicate an infinite timeout, so that session IDs are removed from the cache only when the cache becomes full) up to 72000 seconds (20 hours). Specifying 0 causes the ACE to implement a least recently used (LRU) timeout policy. If you disable this option, the full SSL handshake occurs for each new connection with the ACE.
Chapter 9 Configuring SSL Configuring SSL Parameter Maps Table 9-9 Table 9-10 Step 10 Step 11 Cipher suites supported by TLS 1.
Chapter 9 Configuring SSL Configuring SSL Parameter Maps Step 12 In the Parameter Map Cipher table, click Add to add a cipher, or select an existing cipher, and then click Edit. The Parameter Map Cipher configuration screen appears. Enter the information in Table 9-11. Table 9-11 SSL Parameter Map Cipher Configuration Attributes Field Description Cipher Name Cipher to use. For more information on the SSL cipher suites that ACE supports, see SSL Guide, Cisco ACE Application Control Engine.
Chapter 9 Configuring SSL Configuring SSL Parameter Maps Table 9-12 SSL Parameter Map Redirect Configuration Attributes Field Description Client Certificate Validation Select the type of certificate validation failure to redirect. From the drop-down list, choose the type to redirect: • Any—Associates any of the certificate failures with the redirect. You can configure the authentication-failure redirect any command with individual reasons for redirection. Redirect Type
Chapter 9 Configuring SSL Configuring SSL Parameter Maps Step 16 In the Parameter Map table, do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Parameter Map table. • Click Next to deploy your entries and to add another entry to the Parameter Map table.
Chapter 9 Configuring SSL Configuring SSL Chain Group Parameters Configuring SSL Chain Group Parameters A chain group specifies the certificate chains that the ACE appliance sends to its peer during the handshake process. A certificate chain is a hierarchical list of certificates that includes the ACE appliance’s certificate, the root certificate authority certificate, and any intermediate certificate authority certificates.
Chapter 9 Configuring SSL Configuring SSL CSR Parameters Related Topics • Configuring SSL, page 9-1 • Importing SSL Certificates, page 9-8 • Importing SSL Key Pairs, page 9-12 • Generating SSL Key Pairs, page 9-15 • Configuring SSL Parameter Maps, page 9-19 • Configuring SSL CSR Parameters, page 9-26 • Configuring SSL Proxy Service, page 9-28 Configuring SSL CSR Parameters A certificate signing request (CSR) is a message you send to a certificate authority such as VeriSign and Thawte to app
Chapter 9 Configuring SSL Generating CSRs Step 8 In the Serial Number field, enter a serial number to assign to the certificate. Valid entries are alphanumeric strings with a maximum of 16 characters. Step 9 In the Organization Name field, enter the name of the organization to include in the certificate. Valid entries are alphanumeric strings with a maximum of 64 characters. Step 10 In the Email field, enter the site e-mail address.
Chapter 9 Configuring SSL Configuring SSL Proxy Service Step 3 In the CSR Parameter field, select the CSR parameter to be used. Step 4 Do the following: • Click OK to generate the CSR. The CSR appears in a popup window; you can now submit it to a certificate authority for approval. Work with your certificate authority to determine the method of submission, such as e-mail or a Web-based application. Click Close to close the popup window and to return to the Keys table.
Chapter 9 Configuring SSL Configuring SSL Proxy Service Note If you use SSL Setup Sequence to create the proxy service, ACE appliance Device Manager selects the keys that correspond to the certificate that you choose. If ACE appliance Device Manager cannot detect a corresponding key pair, you can select a key pair from the drop-down list and click Verify Key to have ACE appliance Device Manager verify that the keys correspond to the selected certificate.
Chapter 9 Configuring SSL Configuring SSL OCSP Service Step 11 In the Parameter Maps field, select the SSL parameter map to associate with this SSL proxy server service. Step 12 For the Revcheck priority order, select one of the following to set the priority for the revocation check: • N/A—Indicates that this field is not applicable. • CRL-OCSP—The ACE uses the CRLs first to determine the revocation status, and then the OCSP servers. Step 13
Chapter 9 Configuring SSL Enabling Client Authentication Procedure Step 1 Choose Config > Virtual Contexts > context > SSL > OCSP Service. The OCSP Service table appears. Step 2 Click Add to add a new OCSP service, or select an existing service, and then click Edit to modify it. The OCSP Service configuration screen appears. Step 3 In the Name field, enter a unique name for this OCSP service. Valid entries are alphanumeric strings with a maximum of 64 characters.
Chapter 9 Configuring SSL Enabling Client Authentication • At least one SSL certificate is available. Use the following procedures to enable or disable client authentication: • Configuring SSL Proxy Service, page 9-28 • Configuring SSL Authentication Groups, page 9-32 • Configuring CRLs for Client Authentication, page 9-33 Configuring SSL Authentication Groups On the ACE, you can implement a group of certificates that are trusted as certificate signers by creating an authentication group.
Chapter 9 Configuring SSL Enabling Client Authentication Step 7 Do the following: • Click Deploy Now to deploy this configuration on the ACE. • Click Cancel to exit the procedure without saving your entries and to return to the Auth Group Parameters table. • Click Next to deploy your entries and to add another entry to the Auth Group Parameters table. Step 8 You can repeat the previous step to add more certificates to the auth group or click Deploy Now.
Chapter 9 Configuring SSL Enabling Client Authentication Step 3 Enter the information in Table 9-13. Table 9-13 SSL Certificate Revocation List Field Description Name Enter the CRL name. Valid entries are unquoted alphanumeric strings with a maximum of 64 characters. URL Enter the URL where the ACE retrieves the CRL. Valid entries are unquoted alphanumeric strings with a maximum of 255 characters. Only HTTP URLs are supported. ACE checks the URL and displays an error if it does not match. Step 4
C H A P T E R 10 Configuring Network Access This chapter describes how to configure network access. The ACE appliance has four physical Ethernet interface ports. All VLANs are allocated to the physical ports. After the VLANs are assigned, you can configure the corresponding VLAN interfaces as either routed or bridged for use. When you configure an IP address on an interface, the ACE appliance automatically makes it a routed mode interface.
Chapter 10 Configuring Network Access Configuring Port Channel Interfaces Configuring Port Channel Interfaces This section discusses how to configure port channel interfaces for the ACE appliance. It consists of the following topics: • Why Use Port Channels?, page 10-2 • Configuring a Port-Channel Interface, page 10-3 Why Use Port Channels? A port channel groups multiple physical ports into a single logical port. This is also called “port aggregation” or “channel aggregation.”
Chapter 10 Configuring Network Access Configuring Port Channel Interfaces Configuring a Port-Channel Interface You can group physical ports together on the ACE to form a logical Layer 2 interface called the port-channel. All the ports belonging to the same port-channel must be configured with the same values; for example, port parameters, VLAN membership, and trunk configuration. Only one port-channel in a channel group is allowed, and a physical port can belong only to a single port-channel interface.
Chapter 10 Configuring Network Access Configuring Port Channel Interfaces Table 10-1 Port Channel Interface Attributes (continued) Field Description Switch Port Type Specify the interface switchport type: • N/A—Indicates that the switchport type is not specified. • Access—Specifies that the port interface is an access port. You must specify a VLAN as an access port in the Access VLAN field. • Trunk—Specifies that the port interface is a trunk port.
Chapter 10 Configuring Network Access Configuring Gigabit Ethernet Interfaces Displaying Port Channel Interface Statistics and Status Information You can display statistics and status information for a particular port-channel interface. Procedure Step 1 Choose Config > Virtual Contexts > context > Network > Port Channel Interfaces. The Port Channel Interfaces table appears.
Chapter 10 Configuring Network Access Configuring Gigabit Ethernet Interfaces Step 2 Select an existing Gigabit Ethernet interface, and then click Edit to modify it. Step 3 Enter the Gigabit Ethernet physical interface attributes (see Table 10-2).
Chapter 10 Configuring Network Access Configuring Gigabit Ethernet Interfaces Table 10-2 Gigabit Ethernet Physical Interface Attributes (continued) Field Description Port Operation Mode Specifies the port operation mode, which can be: • N/A—Indicates that this option is not to be used. • Channel Group—Specifies to map the port to a port channel.
Chapter 10 Configuring Network Access Configuring Gigabit Ethernet Interfaces Table 10-2 Gigabit Ethernet Physical Interface Attributes (continued) Field Description Carrier Delay Adds a configurable delay at the physical port level to address any issues with transition time, based on the variety of peers. Valid values are 0 to 120 seconds. The default is 0 (no carrier delay).
Chapter 10 Configuring Network Access Configuring Gigabit Ethernet Interfaces Displaying Gigabit Ethernet Interface Statistics and Status Information You can display statistics and status information for a particular Gigabit Ethernet interface. Procedure Step 1 Choose Config > Virtual Contexts > context > Network > GigabitEthernet Interfaces. The GigabitEthernet Interfaces table appears.
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Configuring Virtual Context VLAN Interfaces The ACE Appliance Device Manager uses class maps and policy maps to classify (filter) traffic and to direct it to different contexts. A virtual context uses VLANs to receive packets classified for that context.
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description Interface Type Select the role of the virtual context in the network topology of the VLAN interface: • Routed—In a routed topology, the ACE virtual context acts as a router between the client-side network and the server-side network.
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description Enable Normalization Check the check boxes to indicate that normalization is to be enabled on this interface for IPv4, IPv6, or both. Clear the check box to indicate that normalization is to be disabled on this interface. Caution Disabling normalization may expose your ACE appliance and network to potential security risks. Enable IPv6
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description Alias IPv6 Address When you configure redundancy with active and standby ACEs, you can configure a VLAN interface that has an alias global IPv6 address that is shared between the active and standby ACEs. The alias IPv6 address serves as a shared gateway for the two ACEs in a redundant configuration.
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description IPv6 Address To configure a unique local address, enter a complete IPv6 address with an FC00::/7 prefix in the first field. In the second field after the /, enter the prefix length to specify how many of the most significant bits (MSBs) are used for the network identifier.
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description IPv6 Peer Link-Local Address In a redundant configuration, you can configure an IPv6 peer link local address for the standby ACE. You can configure only one peer link local address on an interface. To configure the peer link local address, enter a complete IPv6 address with an FE80::/10 prefix in this field.
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description Min. Fragment MTU Value Enter the minimum fragment size that the ACE appliance accepts for reassembly for a VLAN interface. • For IPv4, valid entries are 28 to 9216 bytes. The default is 576. • For IPv6, valid entries are 56 to 9216 bytes. The default is 1280. Action For IP Header Options
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description ARP Inspection Type By default, ARP inspection is disabled on all interfaces, allowing all ARP packets through the ACE. When you enable ARP inspection, the ACE appliance uses the IPv4 address and interface ID (ifID) of an incoming ARP packet as an index into the ARP table. ARP inspection operates only on ingress bridged interfaces.
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description Secondary IP Groups This option appears only when Interface Type is set to Routed. Enter a maximum of four secondary IP groups for the VLAN. The IP, alias IP, and peer IP addresses of each Secondary IP Group should be in the same subnet. Note You cannot configure secondary IP addresses on FT VLANs.
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description Output Access Group From the Available list, double-click an ACL name for the ACL output access group that is associated with this VLAN interface or use the right arrow to move it to the Selected list.
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description NS Interval The ACE sends neighbor solicitation messages through ICMPv6 on the local link to determine the IPv6 addresses of nearby nodes (hosts or routers). You can configure the rate at which the ACE sends these neighbor solicitation messages. By default, the interval at which the ACE sends NS messages for duplicate address detection (DAD) is 1000 milliseconds (ms).
Chapter 10 Configuring Network Access Configuring Virtual Context VLAN Interfaces Table 10-3 VLAN Interface Attributes (continued) Field Description IPv6 Routing Prefix Advertisement Click the Add button to configure the IPv6 prefixes that the ACE advertises in RA messages on the local link. IPv6 Address/Prefix Length To configure the IPv6 address advertised in the RA messages, enter a complete IPv6 address in the first field.
Step 4 Do the following:
• Click Deploy Now to save your entries and to return to the VLAN Interface table.
• Click Cancel to exit the procedure without saving your changes and to return to the VLAN Interface table.
Step 5 (Optional) To display statistics and status information for a VLAN interface, choose the VLAN interface from the VLAN Interface table, and then click Details.
Related Topic
• Configuring Virtual Context VLAN Interfaces, page 10-10
Displaying VLAN Interface Statistics and Status Information
You can display statistics and status information for a particular VLAN interface.
Procedure
Step 1 Choose Config > Virtual Contexts > context > Network > VLAN Interfaces. The VLAN Interfaces table appears.
Step 2 Choose a VLAN interface from the VLAN Interfaces table, and click Details.
Configuring Virtual Context BVI Interfaces
Table 10-5 BVI Interface Attributes (continued)
IP Address: Enter the IPv4 address assigned to this interface. This address must be a unique IP address that is not used in another context. Duplicate IP addresses in different contexts are not supported. Note If this interface is used only for IPv6 traffic, entering an IPv4 address is optional.
Second VLAN Description: Enter a brief description for the second VLAN.
Enable IPv6: Check the check box to enable IPv6 on this interface. By default, IPv6 is disabled. The interface cannot be in bridged mode.
Peer IPv6 Address: To configure an IPv6 peer global address, enter a complete IPv6 address with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0. Check the EUI-64 box to specify that the low-order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373.
Peer IPv6 Address: In a redundant configuration, you can configure an IPv6 peer unique local address on the active ACE that is synchronized to the standby ACE. You can configure only one peer unique local IPv6 address on an interface. To configure a peer unique local address, enter a complete IPv6 address with an FC00::/7 prefix in the first field.
Other-Config: Check the check box to indicate that the interface uses the stateful autoconfiguration mechanism to configure parameters other than IPv6 addresses. Clear the check box to indicate that the interface does not use the stateful autoconfiguration mechanism to configure parameters other than IPv6 addresses.
Suppress RA: By default, the ACE automatically responds to RS messages that it receives from neighbors with RA messages that include, for example, the network prefix. Check the check box to instruct the ACE not to respond to RS messages. The ACE also stops the periodic unsolicited RAs that it sends at the RA interval.
Off-link: This option appears when you enter a value in the Preferred Lifetime field. Check this check box to indicate that the route prefix is on a different subnet, so that a router must route to it. Clear the check box to indicate that the route prefix is on the same subnet.
Table 10-6 BVI Interface Fields
IP Address: The IP address assigned to this interface, including the netmask for an IPv4 address or the prefix length for an IPv6 address.
IPv6 Config Status: Indicates whether IPv6 is enabled or disabled on the interface.
Admin Status: The administrative status of the interface, which can be Up or Down.
Operational Status: The operational state of the ACE (Up or Down).
Configuring VLAN Interface NAT Pools and Displaying NAT Utilization
You can configure Network Address Translation (NAT) pools, which are designed to simplify and conserve IP addresses. A NAT pool allows private IP networks that use unregistered IP addresses to connect to the Internet.
Step 7 In the End IP Address field, enter the highest IP address in a range of global IP addresses for this NAT pool. Enter the IP address for the selected IP Address Type. Leave this field blank if you want to identify only the single IP address in the Start IP Address field.
Step 8 In the Netmask field for an IPv4 address, select the subnet mask for the global IP addresses in the NAT pool.
Step 3 From the pop-up window, do one of the following:
• Click Update Details to refresh the information displayed.
• Click Close to close the pop-up window.
• Click Cancel to exit this procedure without saving your entries and to return to the Static Route table.
• Click Next to save your entries and to add another static route.
Configuring Global IP DHCP
Procedure
Step 1 Choose Config > Virtual Contexts > context > Network > Global IP DHCP. The Global IP DHCP configuration table appears.
Step 2 For Enable DHCP Relay For The Context, click IPv4, IPv6, or both to enable DHCP relay for the context and all interfaces associated with this context.
Chapter 11 Configuring High Availability
This chapter describes how to configure high availability. High Availability (or fault tolerance) uses a maximum of two ACE appliances to ensure that your network remains operational even if one of the appliances becomes unresponsive. Redundancy ensures that your network services and applications are always available.
Note Redundancy is not supported between an ACE appliance and an ACE module operating as peers.
Understanding ACE Redundancy
Redundancy provides seamless switchover of flows in case an ACE appliance becomes unresponsive or a critical host or interface fails.
Note When you upgrade or downgrade the ACE from one software version to another, there is a point in the process when the two ACEs have different software versions and, therefore, a software incompatibility.
The election of the active member within each FT group is based on a priority scheme. The member configured with the higher priority is elected as the active member. If a member with a higher priority is found after the other member becomes active, the new member becomes active because it has a higher priority. This behavior is known as preemption and is enabled by default.
Fault-Tolerant VLAN
Redundancy uses a dedicated fault-tolerant VLAN between redundant ACEs to transmit flow-state information and the redundancy heartbeat. Do not use this dedicated VLAN for normal network traffic. You must configure this same VLAN on both peer ACEs. You also must configure a different IP address within the same subnet on each ACE for the fault-tolerant VLAN.
Synchronizing High Availability Configurations with ACE Appliance Device Manager
When two ACE appliances are configured as high availability peers, their configurations must be synchronized at all times so that the standby ACE peer can seamlessly take over for the active ACE peer.
• When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the Down state. The IP address and the peer IP address that you assign to a VLAN interface should be in the same subnet but must be different IP addresses. For more information about configuring VLAN interfaces, see Configuring Virtual Context VLAN Interfaces, page 10-10.
Configuring ACE High Availability
The tasks involved with configuring high availability are described in Table 11-1.
Table 11-1 High Availability Task Overview
Task; Reference
Step 1 Create a fault-tolerant VLAN, identify peer IP addresses, and configure peer appliances for heartbeat count and interval.; Configuring High Availability Peers, page 11-8
Configuring High Availability Peers
Assumption
• At least one fault-tolerant VLAN has been configured.
Note A fault-tolerant VLAN cannot be used for other network traffic.
Procedure
Step 1 Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management window appears with two columns: one for the selected ACE appliance and one for a peer ACE appliance.
Step 3
Table 11-2 ACE High Availability Management Configuration Attributes (continued)
Field; This Appliance; Peer Appliance
Heartbeat Count; Not applicable.; Enter the number of heartbeat intervals that must occur with no heartbeat packet received by the standby appliance before the standby appliance determines that the active member is not available. Valid entries are integers from 10 to 50.
Clearing High Availability Pairs
Note This functionality is available only for Admin contexts.
Use this procedure to remove a high availability link between two ACE appliances.
Procedure
Step 1 Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management screen appears.
Step 2 Select the ACE appliance pair whose high availability configuration you want to remove, and then click Clear.
Configuring ACE High Availability Groups
Assumption
At least one high availability pair has been configured. (See Configuring High Availability Peers, page 11-8.)
Procedure
Step 1 Choose Config > Virtual Contexts > High Availability (HA) > Setup. The ACE HA Management screen appears at the top of the content area and the ACE HA Groups table appears at the bottom.
Step 2 In the ACE HA Groups table, click Add to add a new high availability group.
• Click Cancel to exit this procedure without saving your entries and to return to the ACE HA Management screen and ACE HA Groups table.
Step 11 (Optional) To display statistics and status information for a particular high availability group, choose the group from the ACE HA Groups table, and click Details. The show ft group group_id detail CLI command output appears.
Editing ACE High Availability Groups
Note This functionality is available only for Admin contexts.
Use this procedure to modify the attributes of a high availability group.
Note If you need to modify a fault-tolerant group, take the group out of service before making any other changes (see Taking a High Availability Group Out of Service, page 11-15).
Taking a High Availability Group Out of Service
Note This functionality is available only for Admin contexts.
If you need to modify a fault-tolerant group, you must first take the group out of service before making any other changes. Use this procedure to take a high availability group out of service.
Procedure
Step 1 Choose Config > Virtual Contexts > High Availability (HA) > Setup.
Displaying High Availability Group Statistics and Status Information
You can display statistics and status information for a particular high availability group by using the Details button. DM runs the show ft group group_id detail CLI command to display detailed ACE HA group information.
Procedure
Step 1 Choose Config > Virtual Contexts > High Availability (HA) > Setup.
Related Topics
• Understanding ACE Redundancy, page 11-2
• Configuring High Availability Peers, page 11-8
• Configuring ACE High Availability Groups, page 11-11
• Tracking VLAN Interfaces for High Availability, page 11-19
Deleting ACE High Availability Groups
Note This functionality is available only for Admin contexts.
Use this procedure to remove a high availability group from ACE Appliance Device Manager management.
High Availability Tracking and Failure Detection Overview
2. If the resulting priority value is less than that of the standby member, the active member switches over and the standby member becomes the new active member. All active flows continue uninterrupted.
3. When the failed member comes back up, its priority is incremented by 10.
4.
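The priority election with preemption (Understanding ACE Redundancy) and the tracking-driven priority decrement, switchover and recovery steps listed above, as an added Python model that is not Cisco's code: the FTGroup, Member and TrackedObject classes, the member names and every priority value are constructed for the example, and the recovery increment follows step 3 exactly as this chapter states it.

```python
"""Model of the FT-group election and tracking behaviour described in this chapter.

Added example (not Cisco code). Names, priorities and the API are constructed;
tracked-object priorities use the 1 to 255 range the chapter gives for host tracking.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RECOVERY_INCREMENT = 10  # step 3 of the overview: a recovered member gains 10


@dataclass
class TrackedObject:
    """A tracked VLAN interface or host with its configured priority (1 to 255)."""
    name: str
    priority: int
    up: bool = True

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 255:
            raise ValueError(f"{self.name}: tracked priority must be 1 to 255")


@dataclass
class Member:
    """One ACE appliance in an FT group, with its current (not configured) priority."""
    name: str
    priority: int
    tracked: Dict[str, TrackedObject] = field(default_factory=dict)

    def track(self, obj: TrackedObject) -> None:
        self.tracked[obj.name] = obj


@dataclass
class FTGroup:
    """Two-member FT group; preemption is enabled by default, as on the ACE."""
    members: Tuple[Member, Member]
    preempt: bool = True
    active: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def _active_and_standby(self) -> Tuple[Member, Member]:
        a, b = self.members
        return (a, b) if a.name == self.active else (b, a)

    def _member(self, name: str) -> Member:
        return next(m for m in self.members if m.name == name)

    def elect(self) -> str:
        """Initial election: the member with the higher priority becomes active."""
        winner = max(self.members, key=lambda m: m.priority)
        self.active = winner.name
        self.log.append(f"elected {winner.name} (priority {winner.priority})")
        return self.active

    def _maybe_switchover(self, reason: str) -> None:
        # Switch over only when the standby's priority is strictly higher.
        active, standby = self._active_and_standby()
        if standby.priority > active.priority:
            self.active = standby.name
            self.log.append(f"switchover to {standby.name}: {reason}")

    def tracked_failed(self, member_name: str, obj_name: str) -> str:
        """A tracked object fails: the member's priority drops by the object's
        priority (step 1), and if the active member is now below the standby the
        group switches over (step 2)."""
        member, obj = self._member(member_name), self._member(member_name).tracked[obj_name]
        if obj.up:
            obj.up = False
            member.priority -= obj.priority
            self.log.append(f"{member.name}: {obj.name} down, priority now {member.priority}")
            if member.name == self.active:
                self._maybe_switchover(f"{member.name} priority below standby")
        return self.active

    def member_recovered(self, member_name: str) -> str:
        """The failed member comes back up: its priority is incremented by 10
        (step 3); with preemption enabled it retakes the active role if its
        priority is now higher than the current active member's."""
        member = self._member(member_name)
        for obj in member.tracked.values():
            obj.up = True
        member.priority += RECOVERY_INCREMENT
        self.log.append(f"{member.name} back up, priority now {member.priority}")
        if self.preempt and member.name != self.active:
            self._maybe_switchover(f"preemption by {member.name}")
        return self.active


def demo() -> FTGroup:
    """Constructed scenario: ace1 (priority 150) tracks a gateway host with a
    tracked priority of 55; ace2 has priority 100 and tracks nothing."""
    ace1, ace2 = Member("ace1", 150), Member("ace2", 100)
    ace1.track(TrackedObject("gateway", 55))
    group = FTGroup((ace1, ace2))
    group.elect()                            # ace1 active (150 > 100)
    group.tracked_failed("ace1", "gateway")  # ace1 drops to 95 < 100 -> ace2 active
    group.member_recovered("ace1")           # ace1 rises to 105 > 100 -> preempts
    return group
```

Run demo() and read group.log to follow the election, the tracking-driven switchover and the preemption back; construct the group with preempt=False to see the recovered member stay standby.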
Tracking VLAN Interfaces for High Availability
Use this procedure to configure a tracking and failure detection process for a VLAN interface.
Note When a virtual context is in either the Standby Hot or Standby Warm state (see High Availability Polling, page 11-2), the virtual context may receive configuration changes from its ACE peer without updating the Device Manager GUI.
• Tracking Hosts for High Availability, page 11-20
Tracking Hosts for High Availability
Use this procedure to configure a tracking and failure detection process for a gateway or host.
Procedure
Step 1 Choose Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host table appears.
Configuring Host Tracking Probes
Use this procedure to configure probes on the active high availability group member to track the health of the gateway or host.
Assumptions
• At least one host tracking process for high availability has been configured (see Tracking Hosts for High Availability, page 11-20).
• At least one health monitoring probe has been configured (see Configuring Health Monitoring for Real Servers, page 6-41).
Deleting Host Tracking Probes
Use this procedure to remove a high availability host tracking probe.
Procedure
Step 1 Choose Config > Virtual Contexts > HA Tracking And Failure Detection > Hosts. The Track Host table appears.
Step 2 Select the tracking process you want to modify, and then select the Track Host Probe tab. The Track Host Probe table appears.
Step 5 In the Priority field, enter a priority for the host that the standby member of the high availability group is tracking. Valid entries are integers from 1 to 255, with higher values indicating higher priorities. Assign a priority value based on the relative importance of the gateway or host that the probes are tracking.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance 11-24 OL-26645-02
Chapter 12 Configuring Traffic Policies
This chapter describes how to configure traffic policies. ACE Appliance Device Manager helps you configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through the ACE appliance. You create traffic policies and attach these policies to one or more VLAN interfaces associated with the ACE appliance to apply feature-specific actions to the matching traffic.
Class Map and Policy Map Overview
You classify inbound network traffic destined to, or passing through, the ACE appliance based on a series of flow match criteria specified by a class map. Each class map defines a traffic classification; that is, network traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied to a set of classified inbound traffic.
2. Creating a policy map, which refers to the class maps and identifies a series of actions to perform based on the traffic match criteria.
3. Activating the policy map and attaching it to a specific VLAN interface or globally to all VLAN interfaces associated with a context by configuring a virtual context global traffic policy to filter traffic received by the ACE appliance.
• Application Protocol Inspection Overview, page 12-5
• Configuring Traffic Policies, page 12-1
• Configuring Virtual Context Class Maps, page 12-8
Policy Maps
A policy map creates the traffic policy. The purpose of a traffic policy is to implement specific ACE appliance functions associated with a traffic class.
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 12-5
• Application Protocol Inspection Overview, page 12-5
• Configuring Traffic Policies, page 12-1
• Configuring Virtual Context Policy Maps, page 12-34
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps
Parameter maps allow you to combine related actions in a Layer 3 and Layer 4 policy map.
traffic based on user-defined traffic policies. HTTP deep packet inspection focuses mainly on HTTP attributes such as the HTTP header, the URL, and the payload. For FTP, the ACE performs FTP command inspection on FTP sessions, allowing you to restrict specific FTP commands. Application inspection helps you to identify the location of the embedded IP addressing information in the TCP or UDP flow.
Table 12-2 Application Inspection Support (continued)
Application Protocol; Transport Protocol; Port; NAT/PAT Enabled by Default; Standards Support (1); Comments/Limitations
ICMP error; ICMP; Src—N/A; NAT No; —; (none)
(application protocol name cut off in this fragment); (transport protocol and port cut off); NAT No; RFC 2251 (LDAPv3), includes support for RFC 1777; Referral requests and responses are not supported. Users in multiple directories are not unified.
Related Topics
• Configuring Virtual Context Policy Maps, page 12-34
• Setting Match Conditions for Class Maps, page 12-10
• Configuring Rules and Actions for Policy Maps, page 12-36
Configuring Virtual Context Class Maps
Class maps are used to define each Layer 3 and Layer 4 traffic class and each Layer 7 protocol class.
Table 12-3 Class Map Types
Class Map; Related Topic
Layer 3/4 Management Traffic; Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 12-14
Layer 3/4 Network Traffic; Setting Match Conditions for Class Maps, page 12-10
Layer 7 Command Inspection - FTP; Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps, page 12-30
Layer 7 Deep Packet Inspection HTTP; Setting Match Conditio
• Configuring Virtual Context Policy Maps, page 12-34
Deleting Class Maps
To successfully delete a class map from a context, the class map must no longer be in use. To delete multiple class maps, none of the class maps must be in use.
Assumption
The class map to be deleted is not being used.
Procedure
Step 1 Choose Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Setting Match Conditions for Class Maps
Table 12-4 Class Maps and Match Conditions (continued)
Class Map; Related Topic
Server Load Balancing - Generic; Setting Match Conditions for Generic Server Load Balancing Class Maps, page 12-19
Server Load Balancing - RADIUS; Setting Match Conditions for RADIUS Server Load Balancing Class Maps, page 12-20
Server Load Balancing - RTSP; Setting Match Conditions for RTSP Server Load Balancing Class Maps, page 12-21
Server
Table 12-5 Layer 3/Layer 4 Network Traffic Class Map Match Condition Attributes (continued)
Destination Address: Indicates that a destination address is the match type for this match condition.
1. For the IP Address Type, select either IPv4 or IPv6 for the address type.
2.
Source Address: Indicates that a source IP address is the match type for this match condition.
1. For the IP Address Type, select either IPv4 or IPv6 for the address type.
2.
Step 6 Do the following:
• Click Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition table.
Note If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.
Table 12-6 Management Class Map Match Conditions
Sequence Number: Enter an integer from 2 to 255 as the line number. The number entered here does not indicate a priority or sequence for the match conditions.
Match Condition Type: Select Management to confirm that this is for Layer 3/Layer 4 management traffic.
Step 5 Do the following:
• Click Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition table.
Note If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.
Table 12-7 Layer 7 Server Load Balancing Class Map Match Conditions
Class Map: A class map is to be used to establish a match condition. In the Class Map field, select the class map to apply to this match condition.
HTTP Content: Specific content contained within the HTTP entity-body is used to establish a match condition.
1.
HTTP Cookie:
HTTP URL: A portion of an HTTP URL is to be used to establish a match condition.
1. In the URL Expression field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain.
Source Address:
Setting Match Conditions for Generic Server Load Balancing Class Maps
Use this procedure to set match conditions for a generic server load balancing class map.
Assumption
You have configured a generic server load balancing class map and want to establish match criteria.
Procedure
Step 1 Choose Config > Virtual Contexts > context > Expert > Class Maps. The Class Maps table appears.
Step 6 Do the following:
• Click Deploy Now to deploy this configuration on the ACE and to return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.
Table 12-9 RADIUS Server Load Balancing Class Map Match Conditions
Calling Station ID: A unique identifier of the calling station is used to establish a match condition. In the RADIUS Calling Station ID field, enter the calling station identifier to match. Valid entries are strings containing 1 to 64 alphanumeric characters.
Step 5 In the Match Condition Type field, select the match condition type for this class map and configure any match-specific criteria as described in Table 12-10.
Table 12-10 RTSP Server Load Balancing Class Map Match Conditions
Class Map: A class map is used to establish a match condition. In the Class Map field, select the class map to use for this match condition.
Step 6 Do the following:
• Click Deploy Now to deploy this configuration on the ACE and to return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.
Table 12-11 SIP Server Load Balancing Class Map Match Conditions
Class Map: A class map is used to establish a match condition. In the Class Map field, select the class map to use for this match condition.
SIP Header: A SIP header name and value are used to establish a match condition.
1.
Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps
The ACE Appliance Device Manager allows you to create Layer 7 class maps and policy maps to be used for HTTP deep packet inspection by the ACE appliance. When these features are configured, the ACE appliance performs a stateful deep packet inspection of the HTTP protocol and permits or restricts traffic based on the actions in the defined policy maps.
Table 12-12 HTTP Protocol Inspection Match Condition Types
Content: Specific content contained within the HTTP entity-body is to be used for application inspection decisions.
1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.
2.
Content Length:
Header: The name and value in an HTTP header are to be used for application inspection decisions.
1. In the Header field, select one of the predefined HTTP headers to be matched, or select HTTP Header to specify a different HTTP header.
2.
Header Length:
Header MIME Type: Multipurpose Internet Mail Extension (MIME) message types are to be used for application inspection decisions. In the Header MIME Type field, select the MIME message type to use for this match condition.
URL: URL names are to be used for application inspection decisions. In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.
Related Topics
• Configuring Virtual Context Policy Maps, page 12-34
• Setting Match Conditions for Class Maps, page 12-10
• Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 12-14
• Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps, page 12-16
• Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps, page 12-30
Setting Match Conditions for Layer 7 F
Table 12-13 FTP Commands for Inspection (continued)
Site: Execute a site-specific command.
Stou: Store a file on the remote host and give it a unique name.
Syst: Query the remote host for operating system information.
Step 7 Do the following:
• Click Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition table.
Table 12-14 Layer 7 SIP Deep Packet Inspection Class Map Match Conditions
Called Party: The destination or called party in the URI of the SIP To header is used to establish a match condition. In the Called Party field, enter a regular expression that identifies the called party in the URI of the SIP To header for this match condition.
Third Party: A third party who is authorized to register other users on their behalf is used to establish a match condition. In the Third Party Registration Entities field, enter a regular expression that identifies a privileged user authorized for third-party registrations for this match condition.
Configuring Virtual Context Policy Maps
Policy maps establish traffic policy for the ACE appliance. The purpose of a traffic policy is to implement specific ACE appliance functions associated with a traffic class. A traffic policy contains:
• A policy map name.
• A previously created traffic class map or, optionally, the default class map.
Table 12-15 Policy Maps (continued)
Policy Map; Description; Related Topic
Layer 7 HTTP Optimization (First-Match); Layer 7 policy map for optimizing HTTP traffic; Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization, page 12-86
Layer 7 Server Load Balancing (First-Match); Layer 7 policy map for HTTP server load balancing; Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 12-46
Server Load
Chapter 12 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps
• Click Deploy Now to deploy this configuration on the ACE appliance. To define rules and actions for this policy map, see Configuring Rules and Actions for Policy Maps, page 12-36.
• Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps table.
• Click Next to save your entries and to configure another policy map.
Table 12-16 Topic Reference for Policy Map Rules and Actions (continued)
Policy Map Type | Topic for Setting Rules and Actions
Server Load Balancing - HTTPS (First-Match) | Setting Policy Map Rules and Actions for HTTPS Server Load Balancing, page 12-58
Note The SLB HTTPS (First Match) feature does not apply to the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software Version” secti
Step 6 To use a previously created class map for this rule, perform the following:
a. In the Use Class Map field, select the others radio button.
b. In the Class Map Name field, select the class map to be used.
c. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map:
– N/A—Indicates that this option is not configured.
Table 12-17 Layer 3/Layer 4 Network Traffic Policy Map Actions (continued)
Action | Description/Steps
Appl-Parameter-RTSP | An RTSP parameter map containing RTSP-related actions is to be implemented for this rule. In the Parameter Map field, specify the name of the RTSP parameter map to use.
Appl-Parameter-SIP | A SIP parameter map containing SIP-related actions is to be implemented for this rule.
NAT | The ACE is to implement network address translation (NAT) for this rule.
1. In the NAT Mode field, select the type of NAT to be used:
– Dynamic NAT—NAT is to translate local addresses to a pool of global addresses. Continue with Step 3.
Kal-ap-Primary-Out-ofService | Enables the ACE to notify the Global Site Selector (GSS) that the primary server farm is down when the backup server farm is in use.
VIP-In-Service | A VIP is to be enabled for server load-balancing operations.
KAL-AP-TAG | The KAL-AP-TAG feature allows the Cisco Global Site Selector (GSS) proprietary KAL-AP protocol to extract load and availability information from the ACE when a firewall is positioned between the GSS and the ACE.
Table 12-18 Policy Map Application Inspection Options
Inspection Option | Description
DNS | Indicates that Domain Name System (DNS) query inspection is to be implemented. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts.
ICMP | Indicates that Internet Control Message Protocol (ICMP) payload inspection is to be performed. ICMP inspection allows ICMP traffic to have a “session” so it can be inspected similarly to TCP and UDP traffic.
Related Topics
• Configuring Traffic Policies, page 12-1
• Configuring Virtual Context Class Maps, page 12-8
• Configuring Virtual Context Policy Maps, page 12-34
• Configuring Rules and Actions for Policy Maps, page 12-36
Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic
Use this procedure to configure the rules and actions for IP management traffic received by the ACE appliance.
• Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps table.
• Click Next to save your entries and to configure another rule.
Note If you selected the Insert Before option in Step 6 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2.
Assumptions
• You have configured a load-balancing policy map and want to establish the corresponding rules and actions.
• If you want to configure an SSL proxy action, you have configured SSL proxy service for this context.
• If you want to insert, rewrite, and delete HTTP headers, ensure that an HTTP header modify action list has been configured.
Table 12-19 Policy Match Condition Types
Match Condition | Description
HTTP Content | Specific content contained within the HTTP entity-body is used to establish a match condition.
1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.
2.
HTTP Cookie |
Source Address | Indicates that this rule is to use a client source IP address to establish match conditions. If you select this method:
1. For the IP Address Type, select either IPv4 or IPv6 for the address type.
2.
SSL | Defines load balancing decisions based on the specific SSL cipher or cipher strength.
Note The SSL option is not available with the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software Version” section on page 1-2).
Step 7 For specific class maps and match conditions, in the Insert Before field, indicate whether this rule is to precede another defined policy rule:
• N/A—Indicates that this option is not applicable.
• False—Indicates that this rule is not to precede another defined policy rule.
• True—Indicates that this rule is to precede another policy rule.
Table 12-20 Policy Map Actions for Load Balancing
Action | Description
Action | Indicates that the ACE appliance is to use an HTTP header modify action list to insert, rewrite, or delete HTTP headers.
Reverse Sticky | Reverse IP stickiness is an enhancement to regular stickiness and is used mainly in firewall load balancing (FWLB). It ensures that multiple distinct connections that are opened by hosts at both ends (client and server) are load-balanced and stuck to the same firewall.
SSL-Proxy | Note The SSL-Proxy action is not available with the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software Version” section on page 1-2).
Step 3 In the Rule table, click Add to add a new rule, or select the rule you want to modify, and then click Edit. The Rule screen appears.
Step 4 In the Type field, configure rules using the information in Table 12-21.
Table 12-21 Generic Server Load Balancing Policy Map Rules
Option | Description
Class Map | A class map is used for this traffic policy.
1.
Match Condition | A match condition is used for this traffic policy.
Match Condition Name | Enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 5 Do the following:
• Click Deploy Now to deploy this configuration. The screen refreshes and the Action table appears. Continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
Note If you selected the Insert Before option and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1.
Table 12-22 Generic Server Load Balancing Policy Map Actions (continued)
Action | Description
Server Farm-NAT | The ACE is to apply dynamic NAT to traffic for this policy map.
1. In the NAT Pool ID field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are integers from 1 to 2147483647.
Set-IP-TOS |
• A class map has been defined for a class map rule if you do not want to use the class-default class map.
Procedure
Step 1 Choose Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2 In the Policy Maps table, select the HTTPS traffic policy map you want to set rules and actions for. The Rule table appears.
Table 12-23 HTTPS Server Load Balancing Policy Map Rules (continued)
Option | Description
Match Condition Type | Source Address: A client source host IPv4 address and subnet mask, or IPv6 address and prefix length are used for the network traffic matching criteria.
1. For the IP Address Type, select either IPv4 or IPv6 for the address type.
2.
Step 5 Do the following:
• Click Deploy Now to deploy this configuration. The screen refreshes and the Action table appears. Continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
Note If you selected the Insert Before option and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1.
Table 12-24 Generic Server Load Balancing Policy Map Actions (continued)
Action | Description
Server Farm | The ACE is to load balance client requests for content to a server farm.
1. In the Server Farm field, select the server farm for this policy map action.
2. In the Backup Server Farm field, select the backup server farm for this action.
3.
Server Farm-NAT |
Set-IP-TOS |
Setting Policy Map Rules and Actions for RADIUS Server Load Balancing
Use this procedure to configure the rules and actions for RADIUS traffic received by the ACE.
Assumptions
• A RADIUS server load balancing traffic policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class map.
Table 12-25 RADIUS Server Load Balancing Policy Map Rules
Option | Description
Class Map | Specify a class map to use for this traffic policy:
1. To use the class-default class map, check the Use Class Default check box. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class.
Note If you selected the Insert Before option and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, select the newly added rule. When the screen refreshes, an empty action list appears.
Table 12-26 RTSP Server Load Balancing Policy Map Rules
Option | Description
Class Map | Specify a class map to use for this traffic policy:
1. To use the class-default class map, check the Use Class Default check box. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class.
Table 12-27 RTSP Policy Map Match Conditions
Match Condition | Description
RTSP Header | RTSP header information is used for matching criteria.
1. In the Header Name field, specify the header to match in one of the following ways:
– To specify an RTSP header that is not one of the standard RTSP headers, select the first radio button, then enter the RTSP header name in the Header Name field.
• Click Deploy Now to deploy this configuration. The screen refreshes and the Action table appears. Continue with Step 7.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to add another rule.
Step 3 In the Rule table, click Add to add a new rule, or select the rule you want to modify, and then click Edit. The Rule screen appears.
Step 4 In the Type field, configure rules using the information in Table 12-28.
Table 12-28 SIP Server Load Balancing Policy Map Rules
Option | Description
Class Map | Specify a class map to use for this traffic policy:
1.
Table 12-29 SIP Server Load Balancing Policy Map Match Conditions
Match Condition | Description
SIP Header | SIP header information is used for matching criteria.
1. In the Header Name field, specify the header to match in one of the following ways:
– To specify a SIP header that is not one of the standard SIP headers, select the first radio button, and then enter the SIP header name in the Header Name field.
Step 9 Do the following:
• Click Deploy Now to deploy this configuration on the ACE.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
Step 7 In the Insert Before field, indicate whether this rule is to precede another rule for this policy map:
• N/A—This option is not configured.
• False—This rule is not to precede another rule in this policy map.
• True—This rule is to precede another rule in this policy map. If you select True in the Insert Before field, the Insert Before Policy Rule field appears.
Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection
Use this procedure to add rules and actions for Layer 7 HTTP deep packet inspection policy maps.
Procedure
Step 1 Choose Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Table 12-30 HTTP Deep Packet Inspection Match Types
Match Condition Type | Description
Content | Specific content contained within the HTTP entity-body is used for application inspection decisions.
1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.
2.
Content Length |
Header | The name and value in an HTTP header are used for application inspection decisions.
1. In the Header field, select one of the predefined HTTP headers to be matched, or select HTTP Header to specify a different HTTP header.
2.
Header Length |
Header MIME Type | Multipurpose Internet Mail Extension (MIME) message types are used for application inspection decisions. In the Header MIME Type field, select the MIME message type to be used for this match condition.
Transfer Encoding | An HTTP transfer-encoding type is used for application inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient.
Step 8 In the Insert Before field, specify whether this rule is to precede another rule in this policy map:
• N/A—Indicates that this attribute is not set.
• False—Indicates that this rule is not to precede another rule in the policy map.
• True—Indicates that this rule is to precede another rule in the policy map.
Step 9 If you set Insert Before to True, the Insert Before Policy Rule field appears.
Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection
File Transfer Protocol (FTP) inspection inspects FTP sessions for address translation in a message, dynamic opening of ports, and stateful tracking of request and response messages. Each specified FTP command must be acknowledged before the ACE allows a new command. Command filtering allows you to restrict the specific FTP commands that the ACE permits in a session.
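The following Python model, added here and not code from the ACE documentation or the ACE software, shows the two inspection behaviours just described: a permitted command set applied to the control channel, and a command that stays pending until the server's final reply arrives, so that a second command sent before that reply is denied. The permitted set, the sample session and the handling of multi-line and 1xx preliminary replies (as defined in RFC 959) are assumptions made for the example.

```python
"""FTP control-channel command filter with request/reply tracking.

Added example; not code from the ACE Device Manager guide or the ACE. It
models command filtering against a permitted set and the rule that each
command must be acknowledged before the next one is allowed. The permitted
set and the session below are constructed. Reply handling follows RFC 959:
a 1xx reply is preliminary and does not complete a command; 'xyz-' opens a
multi-line reply that only a later 'xyz ' line closes.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed policy: the commands this inspector lets through. SYST and STOU
# appear in Table 12-13; SITE is left out so the sample shows a denial.
DEFAULT_ALLOWED: Set[str] = {"USER", "PASS", "SYST", "PWD", "CWD", "TYPE",
                             "PASV", "LIST", "RETR", "STOU", "QUIT"}

REPLY_RE = re.compile(r"^(\d{3})([ -])")   # three-digit code, then space or '-'


class FtpCommandInspector:
    def __init__(self, allowed: Set[str] = DEFAULT_ALLOWED) -> None:
        self.allowed = {c.upper() for c in allowed}
        self.pending: Optional[str] = None         # command awaiting its final reply
        self.multiline_code: Optional[str] = None  # code of an open multi-line reply

    def client_line(self, line: str) -> Tuple[str, str]:
        """Inspect one client command line; returns ('allow' or 'deny', reason)."""
        verb = line.strip().split(" ", 1)[0].upper()
        if not verb:
            return "deny", "empty command line"
        if self.pending is not None:
            return "deny", f"{verb} sent before {self.pending} was acknowledged"
        if verb not in self.allowed:
            return "deny", f"{verb} is not a permitted command"
        self.pending = verb
        return "allow", ""

    def server_line(self, line: str) -> bool:
        """Consume one server reply line; True when a final reply completes."""
        m = REPLY_RE.match(line)
        if self.multiline_code is not None:
            # Inside 'xyz-' ... 'xyz ': only the matching 'xyz ' line closes it.
            if m and m.group(1) == self.multiline_code and m.group(2) == " ":
                code, self.multiline_code = self.multiline_code, None
                return self._finish(code)
            return False
        if not m:
            return False               # not a reply line; ignore it
        code, sep = m.groups()
        if sep == "-":
            self.multiline_code = code
            return False
        return self._finish(code)

    def _finish(self, code: str) -> bool:
        if code.startswith("1"):
            return False               # preliminary reply: command still in progress
        self.pending = None
        return True


def run_session(lines: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Replay ('C' or 'S', line) pairs; returns (command, verdict) per client line."""
    inspector = FtpCommandInspector()
    verdicts = []
    for who, line in lines:
        if who == "C":
            verdict, _reason = inspector.client_line(line)
            verdicts.append((line, verdict))
        else:
            inspector.server_line(line)
    return verdicts


# Constructed control-channel exchange.
SAMPLE_SESSION = [
    ("S", "220 ftp service ready"),
    ("C", "USER alice"), ("S", "331 password required"),
    ("C", "PASS s3cret"), ("S", "230 login ok"),
    ("C", "SYST"), ("S", "215 UNIX Type: L8"),
    ("C", "SITE CHMOD 600 notes.txt"),            # denied: not in the permitted set
    ("C", "RETR notes.txt"), ("S", "150 opening data connection"),
    ("C", "RETR other.txt"),                       # denied: RETR not yet acknowledged
    ("S", "226-transfer complete"), ("S", "226-1234 bytes sent"), ("S", "226 done"),
    ("C", "QUIT"), ("S", "221 goodbye"),
]

if __name__ == "__main__":
    for command, verdict in run_session(SAMPLE_SESSION):
        print(f"{verdict:5} {command}")
```

Denied commands never become the pending command, so a rejected command does not block the next legitimate one; only an allowed command that is still waiting for its final reply does.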
Use this procedure to add rules and actions for Layer 7 FTP command inspection policy maps.
Procedure
Step 1 Choose Config > Virtual Contexts > context > Expert > Policy Maps. The Policy Maps table appears.
Step 2 In the Policy Maps table, select the Layer 7 FTP command inspection policy map you want to set rules and actions for, and then select the Rule tab.
Step 10 Do the following:
• Click Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the Rule table. To define actions for this rule, continue with Step 11.
• Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps table.
• Click Next to save your entries and to configure another rule.
Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection
Use this procedure to configure the rules and actions for a SIP deep packet inspection policy map.
Assumptions
• A SIP deep packet inspection policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class map.
Step 5 Do the following:
• Click Deploy Now to deploy this configuration. The screen refreshes and the Action table appears. Continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to add another rule.
Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection
Use this procedure to configure the rules and actions for a Skinny Client Control Protocol (SCCP) deep packet inspection policy map.
Assumptions
• A Skinny deep packet inspection policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class map.
Step 10 Do the following:
• Click Deploy Now to deploy the configuration on the ACE. The screen refreshes and the Action table appears. To define the actions for this rule, continue with Step 11.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to configure another rule.
Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization
Use this procedure to add rules and actions for Layer 7 HTTP optimization policy maps.
Assumptions
• An HTTP optimization action list has been configured. See Configuring an HTTP Optimization Action List, page 13-3 for more information.
• A class map has been defined if you are not using the class-default class map.
Table 12-32 Layer 7 HTTP Optimization Match Condition Types
Match Condition Type | Procedure
Cookie | Indicates that an HTTP cookie is to be used to establish a match condition.
1. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
2. In the Cookie Value field, enter a unique cookie value expression.
Step 9 Do the following:
• Click Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the Rule table. To define actions for this rule, continue with Step 10.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to save your entries and to configure another rule.
Special Characters for Matching String Expressions
Table 12-33 identifies the special characters that can be used in matching string expressions. Use parenthesized expressions for dynamic replacement using %1 and %2 in the replacement pattern.
Note When matching data strings, note that the period (.) and question mark (?) characters do not have a literal meaning in regular expressions.
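The following Python example, added here and not code from the ACE documentation or software, shows how a parenthesized match expression and a %1/%2 replacement pattern behave, and why an unescaped period or question mark matches more than the literal character, which is the operational point behind the note above. The translation of %N tokens to Python capture-group references and all sample strings are assumptions made for the example.

```python
"""Matching string expressions with %1/%2 dynamic replacement.

Added example; not code from the ACE Device Manager guide or the ACE. It
models two points the section makes: a parenthesized match expression whose
groups are referenced as %1 and %2 in the replacement pattern, and the fact
that '.' and '?' are regular-expression metacharacters rather than literal
characters. The %N translation and every sample string are constructed.
"""
import re
from typing import Optional


def ace_replacement_to_python(replacement: str) -> str:
    """Translate an ACE-style replacement pattern (%1, %2, ...) into the
    \\g<n> group syntax that Python's re.sub understands.

    Assumption: only %N tokens are special; every other character is literal.
    """
    return re.sub(r"%(\d+)", r"\\g<\1>", replacement)


def matches(expr: str, text: str) -> bool:
    """True when the regular expression expr is found anywhere in text."""
    return re.search(expr, text) is not None


def literal(text: str) -> str:
    """Escape a string so that '.', '?' and other metacharacters match themselves.

    Use this when the configured value is meant to be a fixed string rather
    than a pattern; otherwise '.' matches any character and '?' makes the
    preceding character optional.
    """
    return re.escape(text)


def rewrite(match_expr: str, replacement: str, text: str) -> Optional[str]:
    """Apply one match/replace rule to text.

    Returns the rewritten string, or None when match_expr does not match and
    the rule therefore does not fire. Only the first match is rewritten.
    """
    pattern = re.compile(match_expr)
    if pattern.search(text) is None:
        return None
    return pattern.sub(ace_replacement_to_python(replacement), text, count=1)


if __name__ == "__main__":
    # An unescaped '.' matches any character, so this host pattern is looser
    # than it looks: it also matches a host with 'X' in place of each dot.
    print(matches(r"www.example.com", "wwwXexampleXcom"))          # True
    print(matches(literal("www.example.com"), "wwwXexampleXcom"))  # False

    # Two capture groups reused in the replacement as %1 and %2: scheme and
    # port of a Location-style URL change, host and path are carried over.
    print(rewrite(r"http://([^/:]+):80(/.*)", "https://%1:443%2",
                  "http://www.example.com:80/app/login"))
```

The practical consequence for a match condition is that a value such as www.example.com should be entered with its periods escaped when it must match only that host; left unescaped, it also accepts look-alike strings.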
• Configuring Server Farms, page 6-18
• Configuring Sticky Groups, page 7-11
Configuring Actions Lists
An action list is a named group of actions that you associate with a Layer 7 policy map. The ACE supports the following types of action lists:
• An HTTP optimization action list groups a series of individual application acceleration and optimization operations that you want the ACE to perform.
Configuring HTTP Header Insertion, Deletion, and Rewrite
Use this procedure to configure an HTTP header modify action list that inserts, rewrites, or deletes HTTP headers.
Procedure
Step 1 Choose Config > Virtual Contexts > context > Expert > Action Lists > HTTP Header Modify Action Lists. The HTTP Header Modify Action List table appears.
Table 12-35 Header Action Configuration Screen Fields
Header Action Field | Description / Action
Operator | Select the HTTP header modify action the ACE appliance is to take in an HTTP request from a client, a response from a server, or both:
• Delete—Deletes an HTTP header in a request from a client, in a response from a server, or both.
Direction | Select the HTTP header modify action the ACE appliance is to take with respect to the selected operator (Insert, Delete, or Rewrite):
Insert:
• Both—Specifies that the ACE insert an HTTP header in both HTTP request packets and response packets.
Step 7 Do the following:
• Click Deploy Now to deploy this configuration on the ACE appliance.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to save your entries.
Table 12-36 SSL Action Configuration Screen Fields
Header Action Field | Description / Action
URL Expression | Specifies the rewriting of the URL in the Location response header based on a URL regular expression match. If the URL in the Location header matches the URL regular expression string that you specify, the ACE rewrites the URL from http:// to https:// and rewrites the port number.
Configuring SSL Header Insertion
Note The SSL Header Insertion feature does not apply to the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software Version” section on page 1-2).
You can configure an HTTP header modify action list that performs SSL header insertion.
The SSL Header Insert configuration window appears. Enter the required information as shown in Table 12-37.
Table 12-37 SSL Header Insert Configuration Window Fields
Header Action Field | Description / Action
Request Algorithm | Select the type of SSL header information to insert into the HTTP request:
• Client-Certificate—Information about the client certificate that the ACE retrieves from the client.
CipherKey | This field appears only when the Request field is set to Session. Select the following session parameters to insert into the HTTP request:
• Cipher-Key-Size—Symmetric cipher key size.
• Cipher-Name—Symmetric cipher suite name.
• Cipher-Use-Size—Symmetric cipher use size.
• Id—SSL Session ID. The default is 0.
Step 5 Repeat Step 4 for each certificate field or session parameter that you want the ACE to insert.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit this procedure without saving your entries.
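As an added example that is not ACE code, the following Python models an HTTP header modify action list in the terms of Tables 12-35 through 12-37: each action has an operator (Insert, Delete, Rewrite) and a direction (request, response, both); a Rewrite on the Location header turns http:// into https:// and changes the port; and SSL header insertion adds client-certificate and session parameters to the request. The x-ssl-* header names used for the inserted fields, the port 80 to 443 mapping, the action list itself and the sample messages are all assumptions made for this example.

```python
"""HTTP header modify action list with directional Insert/Delete/Rewrite
actions, Location rewriting, and SSL header insertion.

Added example; not code from the ACE Device Manager guide or the ACE. The
x-ssl-* header names, the 80 -> 443 port mapping, the action list and the
sample request/response are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

Headers = Dict[str, str]   # names kept lower-case: HTTP header names are case-insensitive


@dataclass
class HeaderAction:
    operator: str                      # "insert", "delete" or "rewrite"
    direction: str                     # "request", "response" or "both"
    name: str                          # header the action applies to
    value: Optional[str] = None        # insert: value to add
    match_expr: Optional[str] = None   # rewrite: regex tested against the current value
    replacement: Optional[str] = None  # rewrite: replacement, Python \1 group syntax


def normalize(headers: Headers) -> Headers:
    """Lower-case header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def apply_action_list(actions: List[HeaderAction], headers: Headers, direction: str) -> Headers:
    """Run every action whose direction covers this message; returns new headers.

    direction is "request" (client to server) or "response" (server to client).
    The caller's mapping is left untouched.
    """
    if direction not in ("request", "response"):
        raise ValueError("direction must be 'request' or 'response'")
    out = normalize(headers)
    for action in actions:
        if action.direction not in (direction, "both"):
            continue
        name = action.name.lower()
        if action.operator == "delete":
            out.pop(name, None)
        elif action.operator == "insert":
            out[name] = action.value or ""
        elif action.operator == "rewrite":
            # A rewrite only fires when the header exists and the expression matches.
            if name in out and re.search(action.match_expr, out[name]):
                out[name] = re.sub(action.match_expr, action.replacement, out[name], count=1)
        else:
            raise ValueError(f"unknown operator {action.operator!r}")
    return out


@dataclass
class SslSession:
    cipher_name: str                              # symmetric cipher suite name
    cipher_key_size: int                          # symmetric cipher key size in bits
    session_id: str                               # SSL session ID
    client_cert_subject: Optional[str] = None     # set only when a client certificate was presented


def ssl_header_insert(headers: Headers, session: SslSession) -> Headers:
    """Insert SSL session parameters, and the client certificate subject when
    one exists, into the request so back-end servers can see them.
    The x-ssl-* names are an assumption for this example."""
    out = normalize(headers)
    out["x-ssl-cipher-name"] = session.cipher_name
    out["x-ssl-cipher-key-size"] = str(session.cipher_key_size)
    out["x-ssl-session-id"] = session.session_id
    if session.client_cert_subject is not None:
        out["x-ssl-client-cert-subject"] = session.client_cert_subject
    return out


# Constructed action list: drop software-identifying response headers, strip an
# internal tracing header in both directions, mark the proxied request, and
# rewrite clear-text redirects back to the TLS front end.
SAMPLE_ACTIONS = [
    HeaderAction("delete", "response", "Server"),
    HeaderAction("delete", "response", "X-Powered-By"),
    HeaderAction("delete", "both", "X-Internal-Trace"),
    HeaderAction("insert", "request", "X-Forwarded-Proto", value="https"),
    HeaderAction("rewrite", "response", "Location",
                 match_expr=r"^http://([^/:]+)(?::80)?(/.*)?$",
                 replacement=r"https://\1:443\2"),
]

SAMPLE_REQUEST = {"Host": "www.example.com", "User-Agent": "curl/8.0",
                  "X-Internal-Trace": "abc123"}
SAMPLE_RESPONSE = {"Server": "Apache/2.4.1", "X-Powered-By": "PHP/7.4",
                   "X-Internal-Trace": "abc123", "Content-Type": "text/html",
                   "Location": "http://www.example.com:80/login"}

if __name__ == "__main__":
    print(apply_action_list(SAMPLE_ACTIONS, SAMPLE_REQUEST, "request"))
    print(apply_action_list(SAMPLE_ACTIONS, SAMPLE_RESPONSE, "response"))
    print(ssl_header_insert(SAMPLE_REQUEST, SslSession("AES256-SHA", 256, "0")))
```

Actions are applied in list order, so a later Insert can replace a value an earlier Rewrite produced; keep that ordering in mind when the same header appears in several actions.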
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance 12-100 OL-26645-02
Chapter 13 Configuring Application Acceleration and Optimization
This chapter describes how to configure application acceleration and optimization. With application acceleration and optimization features, you can configure application delivery and application acceleration options that increase productivity and efficiency. The application acceleration features optimize network performance and improve access to critical business information.
non-application-accelerated traffic, the former is limited; the latter is not. If you have 50 Mbps of application-accelerated traffic, the ACE can still deliver up to 1.9 Gbps throughput for the non-application-accelerated traffic.
Optimization Overview
The application acceleration functions of the ACE appliance apply several optimization technologies to accelerate application performance.
Configuring an HTTP Optimization Action List
• Layer 7 server load-balancing class map—This class map identifies the Layer 7 server load-balancing match criteria to apply to incoming traffic, such as URL, HTTP cookie, HTTP header, or source IP address.
Procedure
Step 1 Select Config > Virtual Contexts > context > Expert > Action Lists > Optimization Action Lists. The Optimization Action List table appears.
Step 2 Click Add to add a new optimization action list, or select an existing action list, and then click Edit to modify it.
Step 3 Configure the optimization action list using the information in Table 13-1.
Table 13-1 Optimization Action List Configuration Options
Field | Description
Cache Forward | Check this check box to enable the cache forward feature for the corresponding URLs.
Configuring Optimization Parameter Maps
Use this procedure to configure an Optimization parameter map for use with a Layer 3/Layer 4 policy map.
Tip You can also configure optimization parameter maps when configuring a virtual server. For more information, see Configuring Application Acceleration and Optimization, page 5-57.
Configuring Traffic Policies for HTTP Optimization
Assumption
A virtual IP address has been configured for the context in which you configure HTTP optimization.
Table 13-2 Configuring Traffic Policies for HTTP Optimization
Task | Procedure
Step 1 Create a Layer 7 class map for server load balancing.
1. Select Config > Virtual Contexts > context > Expert > Class Maps.
2. Click Add to add a new class map.
3.
Table 13-2 Configuring Traffic Policies for HTTP Optimization (continued)
Step 4 Create a Layer 3/Layer 4 class map for server load balancing.
1. Select Config > Virtual Contexts > context > Expert > Class Maps.
2. Click Add to add a new class map.
3. In the Class Map Type field, select Layer 3/4 Network Traffic.
4.
Related Topics
• Optimization Traffic Policies and Typical Configuration Flow, page 13-2
• Configuring an HTTP Optimization Action List, page 13-3
• Optimization Overview, page 13-2
Enabling HTTP Optimization Using Virtual Servers
Use this procedure to configure HTTP optimization using virtual servers.
Configuring Global Application Acceleration and Optimization
Step 4 Click Deploy Now to deploy this configuration on the ACE appliance.
Chapter 14 Monitoring Your Network
The ACE Appliance Device Manager Monitor function allows you to monitor key areas of system usage.

Using Dashboards to Monitor the ACE System and Virtual Contexts
• Ensure that you allow the SNMP protocol and enter the v2c community string in the Config > System > Primary Attributes page.
• Select the virtual context you want to monitor. This step is reflected in the monitoring procedures as part of selecting your task, for example, Monitor > Virtual Contexts > context > Load Balancing.

ACE System Dashboard
The ACE System Dashboard displays the information related to the ACE appliance. You access the ACE System Dashboard by selecting Monitor > Virtual Contexts > Dashboard > System Dashboard.
The components of the individual ACE System Dashboard panes are described in the following sections.

High Availability Table
The HA Peer Information table lists the details of the HA peer, if configured in HA mode. It includes the following information:
• HA/FT Interface State—State of the local ACE. See the “High Availability Polling” section on page 11-2.
• My IP Address—IP address of the local ACE.
• Peer IP Address—IP address of the peer ACE.

• VLANs—Total count of VLANs configured and the count of VLANs based on operational status Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 14-21). For example, if you click the Up hyperlink, you will see only the VLAN interfaces that currently have an operational status of Up.

Context With Denied Resource Usage Detected Table
The Context With Denied Resource Usage Detected table lists all contexts for which the resource request is denied after reaching the maximum limit. An increase in the deny count (that is, the deny rate) results in the relevant context resource type appearing in this table.

Figure 14-1 Device Resource Usage Graph
To toggle the display of the Device Resource Usage graph in the monitoring window:
• Click View As Chart to display the object data as a graph.
• Click View As Grid to display the object data as a numerical line grid.
Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image button.

This table includes the following information:
• Last Hour—Plot of high resource utilization during the past hour.
• Resource Name—Type of system resource in the context.
• Used By—Name of the virtual context that is placing the high demands on the resource.

Control Plane CPU/Memory Graphs
The Control Plane CPU/Memory graphs (Figure 14-3) show the utilization of the ACE CPU. This data consists of two graphs:
• The Control Plane CPU Usage graph shows the utilization of the ACE CPU as a percentage.
• The Control Plane Memory graph displays the consumed memory in Kbytes.

ACE Virtual Context Dashboard
The ACE Virtual Context Dashboard displays monitoring information for an ACE virtual context selected from the device tree. You access the ACE Virtual Context Dashboard by selecting Monitor > Virtual Contexts > Context Dashboard.
The components of the individual ACE Virtual Context Dashboard panes are described in the following sections.

• Certificates—Total count of SSL certificates and the count of SSL certificates that expire in more than 30 days, that have already expired, or that expire within 30 days.

Context Resource Usage Graph
The Context Resource Usage graph displays the details of each resource type utilized by the selected contexts. For each resource type, the graph includes the following monitoring statistics: Used, Global Available, and Guaranteed. This data is collected by DM by using the ACE show resource usage CLI command.

Hyperlinks allow you to access the corresponding monitoring screens for more details:
• Monitoring Load Balancing on Virtual Servers, page 14-23
• Monitoring Load Balancing on Real Servers, page 14-25
Figure 14-4 Load Balancing Servers Performance Graphs

Error Monitoring
Error monitoring displays virtual context-specific runtime polling state error messages in the bottom right status bar of the DM GUI (see Figure 14-5).
Table 14-1 Polling Error States
Polling State: Polling Timed Out
Action Required: SNMP polling has timed out. This may occur if the wrong credentials were configured, or it may be caused by an internal error (such as the SNMP protocol being configured incorrectly or the destination not being reachable). Verify that the SNMP credentials are correct. If the problem persists, enable SNMP collection again.
Polling State: Polling Failed
Action Required: SNMP polling failed due to some internal error.
Monitoring Resource Usage
DM provides resource usage information so that you can easily determine whether you need to reallocate resources to a particular virtual context, view traffic usage in your contexts, or determine available usage for your contexts.
Table 14-2 Context Resource Usage Fields
Field: Resource
Description: List of resources, which can be:
• acc-connections—Number of acceleration connections
• acl-memory—Memory space allocated for ACLs
• bandwidth—Context throughput in bytes per second. The total bandwidth rate of a context consists of the following two resource usage fields:
– throughput—Displays through-the-ACE traffic.
Table 14-2 Context Resource Usage Fields (continued)
Field: Shared Available
Description: Indicates the number of resource units that might be available to each context and are shared among all contexts from the oversubscription pool.
Field: Denied
Description: Number of denied resources because of oversubscription or resource depletion.
Table 14-3 System Resource Usage Connections Field Descriptions (continued)
Field: SSL Conn. Rate (Trans./S) %
Description: SSL (Secure Sockets Layer) connections per second
Note The SSL Conn. Rate field does not display with the ACE NPE software version (see the “Information About the ACE No Payload Encryption Software Version” section on page 1-2).
Field: Mgmt. Traffic Rate (Conn.
Table 14-4 System Resource Usage Features Field Descriptions
Field: Context
Description: Name of the virtual context
Field: Translation Entries %
Description: Current number of network and port address translations
Field: ACL Memory (Bytes) %
Description: ACL memory usage in bytes
Field: RegEx Memory (Bytes) %
Description: Regular expressions memory usage in bytes
Field: Syslog Buffer Size (Bytes) %
Description: Syslog message buffer size in bytes
Field: Syslog Message Rate (Messages/S) %
Description: Syslog messages per second
Step 2

Monitoring Traffic
Table 14-5 Traffic Summary Fields (continued)
Field: Admin Status
Description: User-specified status, which can be one of the following states:
• Up
• Down
• Testing, which indicates that no operational packets can be passed.
Field: Operational Status

Monitoring Load Balancing
DM monitors load balancing and allows you to view the information associated with virtual servers, real servers, probes, and load balancing statistics.
Table 14-6 Load Balancing Virtual Server Monitoring Information (continued)
Field: Admin Status
Description: User-specified status of the virtual server, which can be:
• In Service—Indicates the server is in service.
• Out of Service—Indicates the server is out of service.
Field: Operational Status
Description: The state of the server, which can be:
• Inservice—Indicates the server is in service.
Field: DWS
Table 14-7 Virtual Server Monitoring Window Function Buttons
Function Button: Poll Now
Description: Instructs DM to poll the devices and display the current values. Choose one or more virtual servers and click Poll Now.
Function Button: Graph
Description: Displays a historical trend graph of virtual server information for a specific virtual server. Choose 1 to 4 virtual servers and click Graph.
Function Button: Topology
Description: Displays the network topology map for a specific virtual server.
Table 14-8 Load Balancing Real Server Monitoring Information (continued)
Field: Admin Status
Description: The specified state of the server, which can be:
• Inservice—Indicates the server is in service.
• Out of Service—Indicates the server is out of service.
• In Service Standby—Indicates the server is a backup server and remains inactive unless the primary server fails.
Field: Operational Status
Field: VM
Table 14-8 Load Balancing Real Server Monitoring Information (continued)
Field: Current Conns
Description: Number of current connections to this server. If this field indicates N/A, the database does not have any information about current connections. If this field is 0, the database received an SNMP response of 0.
Field: Conns/Sec
Description: Connections per second.
Field: Dropped Conns/Sec
Description: Dropped connections per second.

Depending on the virtual context that you selected from the object selector, the probe information described in Table 14-10 appears.
Table 14-10 Load Balancing Probes Monitoring Information
Field: Context
Description: Name of the context. This field is displayed when the object selector is *All.*
Field: Probe
Description: Name of the probe. To view statistics for a selected probe, click the probe hyperlink.

Depending on the virtual context that you selected from the object selector, the Load Balancing Statistics Monitoring Information window displays the information described in Table 14-11.
Table 14-11 Load Balancing Statistics Monitoring Information
Field: Context
Description: Name of the context. This field is displayed when the object selector is *All.*
Field: L4 Policy Conn
Description: Number of Layer 4 policy connections.

Monitoring Application Acceleration
Table 14-12
Note For connection-based syslogs, the following additional parameters are displayed: Source IP, Source Port, Destination IP, Destination Port, and Protocol Information. This allows you to sort and filter on these fields if desired.
Related Topic
Configuring Application Acceleration and Optimization, page 13-1

Configuring Historical Trend and Real Time Graphs for Virtual Contexts
DM allows you to store historical data for a selected list of statistics calculated over the last hour, 2-hour, 4-hour, 8-hour, 24-hour, or month interval.
Step 2
Table 14-13 Selecting a Monitoring Window
To Access.... Select...

Setting Up Virtual Contexts Statistics Collection
Step 6 To select multiple statistics for display in a graph in the monitoring window, perform the following steps:
a. In the Selected Stat(s) line in the graph of the object to which you want to add statistics, click the Select button within the graph. The Select Stats pop-up window appears.
b. From the Select Stats pop-up window, choose one or more statistics to add to the graph and click OK.

Displaying Network Topology Maps
Note These settings are not saved if you reboot your appliance. The system defaults will be restored.
Table 14-14 Network Topology Map Components (continued)
Component: Topology Map
Description: Displays network node mapping.

• To display the list of real servers, choose Monitor > Virtual Contexts > Loadbalancing > Real Servers. The Real Servers window appears with the table of configured virtual servers.
Step 2 From the servers table, check the check box next to the server whose topology map you want to display.
Step 3 From the servers window, click Topology. The DM Topology window displays the topology map for the selected virtual or real server.
• Monitoring Load Balancing on Real Servers, page 14-25
• Monitoring Load Balancing on Probes, page 14-27

Testing Ping
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance OL-26645-02 14-37
Chapter 15 Managing the ACE Appliance
The following sections describe how to manage the ACE appliance using ACE Appliance Device Manager:
• Overview of the Admin Functions, page 15-1
• Controlling Access to the Cisco ACE Appliance, page 15-3
• Managing Users, page 15-7
• Managing User Roles, page 15-14
• Managing Domains, page 15-31
• Monitoring ACE Appliance Statistics, page 15-35
• Using Admin Tools, page 15-37
For details on logging into ACE Appliance Device Manager, see Logging int

Overview of the Admin Functions
Table 15-1 describes the options that are displayed when you click Admin.

Controlling Access to the Cisco ACE Appliance
Access to ACE Appliance Device Manager is controlled using the same username and password that are used to access the ACE appliance. This enables authentication against a local database or an external RADIUS, TACACS+, or LDAP server. If you choose to authenticate using AAA and not the local database, you must configure AAA using the CLI.
Thus, role-based access control ensures that users can view only the devices or services, or perform only the actions, that are included in the domains to which they have been given access.
Related Topics
• Types of Users, page 15-5
• Understanding Roles, page 15-5
• Understanding Operations Privileges, page 15-6
• Understanding Domains, page 15-7
• Managing Users, page 15-7

Types of Users
Two types of users configure and monitor the ACE appliance:
• Default user—Individuals associated with the data center or IT department where the ACE appliance is installed.
Note If you need to restrict a user’s access, you must assign a role-domain pair. Otherwise, no matter what roles the user may have, that user will not be able to access any specific resources and, therefore, will have no powers on the system. All users are strictly limited by the combination of their contexts, roles, and domains.

Understanding Domains
The Cisco ACE appliance provides a predefined default domain that contains all objects. You cannot modify or delete the predefined domain. Additional domains can be defined by the system administrator. A domain is a collection of managed objects to which a user is given access. By setting up a customized domain, you are filtering a subset of objects on the network. The user is then given access to this domain.

Managing Users
Guidelines for Managing Users
• For users that you create in the Admin context, the default scope of access is the entire ACE. For users that you create in other contexts, the default scope of access is the entire context.
• If you do not assign a role to a new user, the default user role is Network-Monitor.
• Users cannot log in until they are associated with a domain and a user role.

Step 3 Complete the following required fields (unless otherwise noted):
Table 15-2 User Attributes
Field: Name
Description: Specifies the name by which the user is to be identified in the system (up to 24 characters). Only letters, numbers, and underscores can be used. The field is case sensitive.
Field: Expiry Date (1)
Description: Date the user name is usable in the system.
Field: Password Entered As
Description: Specifies whether the password is entered as Clear Text or Encrypted.
Related Topics
• Deleting User Accounts, page 15-10
• Displaying a List of Users, page 15-8
• Managing Users, page 15-7
• Guidelines for Managing Users, page 15-8

Modifying User Accounts
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Role-Based Access Control > Users. The Users table appears.
Step 2 Select the user account you want to modify.
Step 3 Click Edit.
Step 4 The User details screen appears.

Step 4 Click OK to delete the user account or Cancel to exit the procedure without deleting the user. If you click OK, the window refreshes with the Users table and the deleted user account no longer appears.

Deleting Active Users
You can delete users using this procedure. You can also delete users using the Admin > Role-Based Access Control > Users menu.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Role-Based Access Control > Active Users.
Step 2 Select the table rows containing the user accounts to be deleted.
Step 3 Click Delete.
Related Topics
• Displaying Current User Sessions, page 15-11
• Deleting Active Users, page 15-12
• Managing Users, page 15-7
• Controlling Access to the Cisco ACE Appliance, page 15-3

Changing User Passwords
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Role-Based Access Control > Users. The table of users is displayed.
Step 2 Select the user account you want to modify.
Step 3 Click Edit.

Managing User Roles
Use the Roles feature to add, modify, and delete user-defined roles. Predefined roles are displayed in grey italic text on a grey background and cannot be deleted or modified. A user’s role determines the tasks the user can access. Each role is associated with permissions or rules that define what feature access this role contains.
Table 15-4 Predefined Role Rules for Admin and User Contexts
Predefined Role: Admin
Admin Context
Description: If created in the Admin context, the user has complete access to and control over all contexts, domains, roles, users, resources, and objects in the entire ACE.
User Context
Table 15-4 Predefined Role Rules for Admin and User Contexts (continued)
Predefined Role: Security-Admin
Admin Context
Description: Security features
Operations: Create, Modify
User Context
Description: Security features
Operations: Create, Modify
Features:
• Access Control Lists (ACLs)
• Application Inspection
• Connection parameters
• Authentication, authorization and accounting (AAA)
• NAT
• Copy Configurations (1)
• changeto command
• exec command
Table 15-4 Predefined Role Rules for Admin and User Contexts (continued)
Predefined Role: Server-Maintenance
Admin Context
Description: Server maintenance, monitoring, and debugging
Operations: Debug, Create, Modify
User Context
Description: Server maintenance, monitoring, and debugging
Operations: Debug, Modify
Features:
• Server Farms
• VIPs
• Probes
• Load Balancing
• changeto command
• exec command
• Real Servers
• Real Server Inservice
• Serve
Table 15-4 Predefined Role Rules for Admin and User Contexts (continued)
User Context
Description: Load-balancing features
Operations: Create, Modify
Features:
• Real Servers
• Server Farms
• VIP
• Probes
• Loadbalance
• NAT
• Copy Configurations (1)
• Real Server Inservice
• Interface
Predefined Role: SSL-Admin
Admin Context
Description: SSL features
Operations: Create, Modify
User Context
Description: SSL features
Features:
• SSL
• PKI
• Copy Configurat

Role Mapping in ACE Appliance Device Manager
When you are logged into ACE Appliance Device Manager, you see the tasks that you have been given permission to access. Table 15-5 describes the predefined roles and the menu tasks and features available to those roles. Features and menus that are not applicable to your role are not displayed. Since the predefined roles encompass all the role types you may need, we encourage you to use them.
Table 15-5 Role Mapping in ACE Appliance Device Manager
Admin Predefined Role
Menu Task: Config > Virtual Contexts >
Features Available:
System > Primary Attributes
System > Syslog
System > SNMP
System > Global Policies
System > Licenses
System > Resource Class
System > Application Acceleration And Optimization
Load Balancing > Virtual Servers
Load Balancing > Real Servers
Load Balancing > Server Farms
Load Balancing > Health Monitoring
Load B
Table 15-5 Role Mapping in ACE Appliance Device Manager (continued)
Network > Port Channel Interfaces
Network > GigabitEthernet Interfaces
Network > VLAN Interfaces
Network > BVI Interfaces
Network > Static Routes
Network > Global IP DHCP
High Availability (HA) > Setup
HA Tracking And Failure Detection > Interfaces
HA Tracking And Failure Detection > Hosts
Expert > Class Maps
Expert > Policy Maps
Expert > Action List
Table 15-5 Role Mapping in ACE Appliance Device Manager (continued)
Network-Admin Predefined Role
Menu Task: Config > Virtual Contexts >
Features Available:
System > Primary Attributes
System > Global Policies
Load Balancing > Parameter Maps
Network > VLAN Interface
Network > BVI Interfaces
Network > Static Routes
Network > Global IP DHCP
Expert > Class Maps
Expert > Policy Maps
Menu Task: Config > Operations
Features Available: Virtual Servers
Menu Task: Monitor >
Features Available: Application Acce
Table 15-5 Role Mapping in ACE Appliance Device Manager (continued)
Network-Monitor Predefined Role
Menu Task: Config > Virtual Contexts >
Features Available:
System > Primary Attributes
System > Syslog
System > Global Policies
Load Balancing > Virtual Servers
Load Balancing > Real Servers
Load Balancing > Server Farms
Load Balancing > Health Monitoring
Load Balancing > Stickiness
Load Balancing > Parameter Maps
Load Balancing > Secure KAL-AP
S
Table 15-5 Role Mapping in ACE Appliance Device Manager (continued)
Menu Task: Monitor >
Features Available:
Load Balancing
Application Acceleration
Interfaces
Real Servers
Probes
Resource Usage
Ping
Security-Admin Predefined Role
Menu Task: Config > Virtual Contexts >
Features Available:
System > Primary Attributes
System > Global Policies
Load Balancing > Parameter Maps
Security > ACLs
Security > Object Groups
Network > VLAN Interfaces
Network > BVI Interfaces
Network >
Table 15-5 Role Mapping in ACE Appliance Device Manager (continued)
Server-Maintenance Predefined Role
Menu Task: Config > Virtual Contexts >
Features Available:
System > Primary Attributes
Load Balancing > Real Servers
Load Balancing > Server Farms
Load Balancing > Health Monitoring
Load Balancing > Parameter Maps
Expert > Class Maps
Expert > Policy Maps
Expert > Action Lists
Menu Task: Config > Operations
Features Available:
Real Servers
Virtual Servers
Menu Task: Monitor > Virtua
Table 15-5 Role Mapping in ACE Appliance Device Manager (continued)
Menu Task: Monitor > Virtual Contexts
Features Available:
Load Balancing
Real Servers
Probes
Resource Usage
Ping
Menu Task: Admin > Tools
Features Available: File Browser
SSL-Admin Predefined Role
Menu Task: Config > Virtual Contexts >
Features Available:
System > Primary Attributes
System > Global Policies
Load Balancing > Parameter Maps
SSL > Certificates
SSL > Keys
SSL > Parameter Maps
SSL > Chain Group Parameters
SSL > CSR Parameters
SSL > Proxy
RBAC User Role Requirements Related to Virtual Servers
If you want to create, modify, or delete a virtual server, we recommend that you use the predefined Admin role (see Table 15-4). Only the Admin predefined role supports the ability to successfully deploy a functional virtual server from the ACE Appliance Device Manager.

Displaying User Roles
Use this option to display the existing user roles.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Role-Based Access Control > Roles. A table of the defined roles and their settings appears.
Step 2 You can use the options in this screen to create a new role, filter roles based on a string, or modify or delete any existing role to which you have access.

Step 6 To alter rules, change any of the following attributes.
Note For a user with a customized role to perform configuration and operation changes from the ACE Appliance Device Manager, you must configure the role with rules that permit the create operation for the config-copy and exec-commands features.
Table 15-7 Rule Attributes
Attribute: Rule Number
Description: The number assigned to this rule.
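The Note above, together with the earlier statement that every user is limited by the combination of context, role and domain, is easier to reason about as an access check. The following Python model is an added illustration, not Cisco code: it assumes rules are matched in rule-number order with first match deciding, that feature-level operations such as config-copy carry no domain object, and it uses constructed role, feature, object and user names.

```python
"""Model of ACE Device Manager RBAC: access is the intersection of the user's
context scope, a role's permit/deny rules and a domain's objects.
Added illustration, not Cisco code; names below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Feature names the page cites as required for Deploy Now from the DM GUI.
DEPLOY_FEATURES = ("config-copy", "exec-commands")


@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending number order (assumption)
    action: str      # "permit" or "deny"
    operation: str   # "create", "modify", "debug" or "monitor"
    feature: str


@dataclass(frozen=True)
class Role:
    name: str
    rules: Tuple[Rule, ...]

    def permits(self, operation: str, feature: str) -> bool:
        """First rule matching (operation, feature) decides; no match means deny."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.operation == operation and rule.feature == feature:
                return rule.action == "permit"
        return False


@dataclass(frozen=True)
class Domain:
    name: str
    objects: frozenset  # managed objects (VIPs, server farms, ...) in the domain


@dataclass(frozen=True)
class User:
    name: str
    context: str                                 # context the account was created in
    pairs: Tuple[Tuple[Role, Domain], ...] = ()  # role-domain pairs assigned


def check_access(user: User, context: str, operation: str, feature: str,
                 obj: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). obj=None is a feature-level operation with no
    managed object, so the domain filter does not apply (modelling assumption)."""
    # Scope: Admin-context users span the whole ACE; others only their own context.
    if user.context != "Admin" and user.context != context:
        return False, f"{user.name} is scoped to context {user.context}"
    # Without a role-domain pair the user can reach no resource at all.
    if not user.pairs:
        return False, f"{user.name} has no role-domain pair"
    for role, domain in user.pairs:
        if obj is not None and obj not in domain.objects:
            continue  # object lies outside this domain; try the next pair
        if role.permits(operation, feature):
            return True, f"permitted by role {role.name} via domain {domain.name}"
    return False, f"no role-domain pair permits {operation} on {feature}"


def can_deploy_virtual_server(user: User, context: str, vip: str) -> Tuple[bool, List[str]]:
    """A custom role must also permit create on config-copy and exec-commands;
    otherwise Deploy Now fails even though the VIP itself is editable."""
    missing = []
    if not check_access(user, context, "create", "vip", vip)[0]:
        missing.append("vip")
    for feature in DEPLOY_FEATURES:
        if not check_access(user, context, "create", feature)[0]:
            missing.append(feature)
    return not missing, missing


# Constructed sample data: two custom roles, one domain, three users.
VS_EDITOR = Role("vs-editor", (Rule(1, "permit", "create", "vip"),
                               Rule(2, "permit", "modify", "vip")))
VS_DEPLOYER = Role("vs-deployer", VS_EDITOR.rules + (
    Rule(3, "permit", "create", "config-copy"),
    Rule(4, "permit", "create", "exec-commands")))
WEB = Domain("web", frozenset({"vip-web", "sf-web"}))
ALICE = User("alice", "C1", ((VS_EDITOR, WEB),))   # can edit, cannot deploy
BOB = User("bob", "C1", ((VS_DEPLOYER, WEB),))     # can edit and deploy
CAROL = User("carol", "C1")                        # no role-domain pair: no access

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.name, can_deploy_virtual_server(user, "C1", "vip-web"))
    print(check_access(ALICE, "C1", "modify", "vip", "vip-db"))   # outside domain
    print(check_access(ALICE, "C2", "modify", "vip", "vip-web"))  # outside context
```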
Modifying User Roles
You can modify any user-defined roles.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Role-Based Access Control > Roles. A table of the defined roles and their settings appears.
Step 2 Select the role you want to modify.
Step 3 Click Edit.
Step 4 Make the changes.
Step 5 Click Deploy Now to deploy this configuration and to return to the Roles table.

Adding, Editing, or Deleting Rules
You can change or delete rules to redefine what feature access a specific role contains.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Role-Based Access Control > Roles. A table of the defined roles and their settings appears.
Step 2 Select the role to be changed. You can only change rules if only one role is selected in the pane.

Managing Domains
Note
• Predefined domains cannot be modified or deleted.
• Normally, a user is associated with the default domain, which allows the user to see all configurations within the context. When a user is configured with a customized domain, the user can see only what is in the domain.

Creating Domains
Use this option to create a new domain.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Role-Based Access Control > Domains. The Domains table appears.
Step 2 Click Add.
Step 3 Enter the name of the new domain, and then click Deploy Now.
Step 4 Click Add in the Domain Object table that is displayed below the Domain form.
Step 5 Enter the attributes displayed in Table 15-8.

Modifying Domains
Use this option to change the settings in a domain.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Role-Based Access Control > Domains.
Step 2 Select the domain you want to change.
Step 3 Click Edit.
Step 4 Make the changes.
Step 5 Click Deploy Now to deploy this configuration.

Adding or Deleting Domain Objects from a Domain
Use this option to add or delete a network domain from the system, as well as all the devices and domain objects it contains. You can delete domains that are not associated with a user.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Role-Based Access Control > Domains. The Domains table contains a list of the existing domains.

Monitoring ACE Appliance Statistics
Procedure
Select Admin > Device Management > Statistics. The ACE appliance statistics shown in Table 15-9 are displayed.
Table 15-9 ACE Appliance Server Statistics
Name: Owner
Description: Process where statistics are collected.
Name: Statistic
Description: Includes the following statistics:
• CPU Usage—Overall ACE appliance CPU busy percentage in the last 5-minute period.
• Disk Usage—Amount of disk space being used by the ACE appliance.

Using Admin Tools
Step 3 In the Background Polling Interval field, select the polling interval appropriate for your networking environment. The interval range is from one minute to six hours.
Step 4 Click OK to save your entries.
Note These settings are not saved if you reboot your appliance. The system defaults will be restored.
C H A P T E R 16 Using ACE Appliance Device Manager Troubleshooting Tools Use the following diagnostic tools to help troubleshoot ACE Appliance Device Manager problems: Note • Generating a Diagnostic Package, page 16-1 • Manipulating ACE Appliance Files, page 16-6 • Checking the ACE Appliance DM GUI Status, page 16-10 When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), consider that the Device Manager (DM)
Chapter 16 Using ACE Appliance Device Manager Troubleshooting Tools Generating a Diagnostic Package Tip Do not attempt to use Lifeline without first discussing it with Cisco support.
Chapter 16 Using ACE Appliance Device Manager Troubleshooting Tools Generating a Diagnostic Package Creating a Lifeline Package from the ACE Appliance DM GUI Assumptions • The ACE appliance is running. • You have reviewed the guidelines for managing lifelines (see Guidelines for Using Lifeline, page 16-2). • You have opened a case with Cisco technical support. Procedure Note Your user role determines whether you can use this option. Step 1 Select Admin > Tools > Lifeline Management.
Chapter 16 Using ACE Appliance Device Manager Troubleshooting Tools Generating a Diagnostic Package Procedure Note Your user role determines whether you can use this option. Step 1 Select Admin > Tools > Lifeline Management. Step 2 Select the package from the list. Step 3 Click Download. The File Download window displays. Step 4 Click Save. The package is sent to your Web browser, where you can save the package.
Creating a Lifeline Package from the ACE Appliance CLI
If you encounter issues with the ACE appliance Device Manager GUI (for example, when the GUI is inoperative), use the dm lifeline CLI command from Exec mode to create a lifeline package and upload it to a remote TFTP server. The dm lifeline command is useful when a lifeline cannot be generated from the Device Manager GUI. Because TFTP provides neither authentication nor encryption, upload the package only over a trusted management network to a server you control, and remove it from the TFTP server once you have retrieved it.
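A diagnostic bundle exists to be handed to someone else, so before a lifeline package (or any configuration or log file pulled off the appliance with File Browser) leaves your custody it is worth scrubbing credential material from it. The script below is an added example for this purpose; it is not part of the Cisco guide and not an ACE feature, and this guide does not list what a lifeline package contains. It assumes the bundle's text files use Cisco-style configuration syntax (username/password lines, snmp-server community and trap-host lines, tacacs-server and radius-server key lines) and may carry exported PEM private keys; the patterns and the sample dump are constructed and should be extended to whatever your own files actually contain.

```python
"""Scrub credential material from text files pulled off an ACE appliance
(lifeline package contents, or files downloaded with File Browser) before
they are handed to anyone outside your organisation.

Added, illustrative script; not part of the Cisco guide and not an ACE
feature. The line patterns are assumptions modelled on Cisco-style
configuration syntax and on PEM private-key blocks.
"""
import re
import sys

REDACTED = "<REDACTED>"

# (label, compiled pattern, replacement). Group 1 keeps the keyword so the
# redacted line stays readable; only the secret token itself is replaced.
RULES = [
    ("local user password",
     re.compile(r"^(\s*username\s+\S+\s+password\s+)\d?\s*\S+", re.I),
     r"\1" + REDACTED),
    ("enable secret",
     re.compile(r"^(\s*enable\s+(?:password|secret)\s+)\d?\s*\S+", re.I),
     r"\1" + REDACTED),
    ("SNMP community",
     re.compile(r"^(\s*snmp-server\s+community\s+)\S+", re.I),
     r"\1" + REDACTED),
    # "snmp-server host <addr> traps version 2c <community>" (assumed syntax)
    ("SNMP trap community",
     re.compile(r"^(\s*snmp-server\s+host\s+.*\bversion\s+\S+\s+)\S+", re.I),
     r"\1" + REDACTED),
    ("AAA shared key",
     re.compile(r"^(\s*(?:tacacs-server|radius-server)\s+key\s+)\d?\s*\S+", re.I),
     r"\1" + REDACTED),
]

PEM_BEGIN = re.compile(r"^-----BEGIN [A-Z ]*PRIVATE KEY-----")
PEM_END = re.compile(r"^-----END [A-Z ]*PRIVATE KEY-----")


def redact_lines(lines):
    """Return (redacted_lines, hit_counts) for an iterable of text lines."""
    out, hits, in_key = [], {}, False
    for line in lines:
        if in_key:
            # Drop every line of the key body until the END marker.
            if PEM_END.match(line):
                in_key = False
                out.append(line)
            continue
        if PEM_BEGIN.match(line):
            in_key = True
            hits["private key"] = hits.get("private key", 0) + 1
            out.append(line)
            out.append("<REDACTED PRIVATE KEY>")
            continue
        for label, pattern, repl in RULES:
            new_line, n = pattern.subn(repl, line)
            if n:
                hits[label] = hits.get(label, 0) + n
                line = new_line
                break  # these rules are mutually exclusive per line
        out.append(line)
    return out, hits


def redact_text(text):
    """Redact a whole file's contents; returns (redacted_text, hit_counts)."""
    lines, hits = redact_lines(text.splitlines())
    return "\n".join(lines) + "\n", hits


# Constructed sample resembling an ACE running-config fragment plus an
# exported key. Every secret here is fake.
SAMPLE_DUMP = """\
hostname ace-lab-01
username admin password 5 $1$faXyZ$abcdefghijklmnopqrstu  role Admin domain default-domain
username netops password 5 $1$QrStUv$zyxwvutsrqponmlkjihgf  role Network-Admin domain default-domain
snmp-server community public group Network-Monitor
snmp-server host 192.0.2.10 traps version 2c public
tacacs-server key 7 0822455D0A16
interface vlan 100
  ip address 192.0.2.1 255.255.255.0
  no shutdown
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAv3constructedkeymaterialnotreal0000000000000000000000
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python redact_ace_dump.py [file ...]; with no arguments the
    # constructed sample is processed and the result printed.
    sources = [open(p, encoding="utf-8", errors="replace").read()
               for p in sys.argv[1:]] or [SAMPLE_DUMP]
    for src in sources:
        cleaned, counts = redact_text(src)
        sys.stdout.write(cleaned)
        sys.stderr.write("redactions: %r\n" % (counts,))
```

Run it over every text file extracted from the bundle and review the hit counts: a file with zero hits that you expected to contain credentials means a pattern is missing, not that the file is clean. Type-7 and type-5 values are redacted alike because a reversible type-7 string is as good as cleartext.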
Manipulating ACE Appliance Files
File Browser provides access to the ACE appliance to download or upload multiple files for viewing or tracking. This tool can also be used to rename files or to view logs and other files that help you manage your network or locate problems on the ACE appliance. You can also use this feature to copy an existing context packet capture buffer to a remote server.
Downloading Files
Use this feature to download multiple files from the ACE appliance for viewing or tracking. For example, you may want to download logs and view them.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Tools > File Browser.
Step 2 Use the drop-down list to select a directory and locate the files you want to download.
Related Topics
• Downloading Files, page 16-7
• Viewing Files, page 16-9
• Renaming Files, page 16-8
• Deleting Files, page 16-9
• About File Browser, page 16-6
Renaming Files
Use this feature to rename files on the ACE appliance.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Tools > File Browser.
Deleting Files
Use this feature to delete files from the ACE appliance.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Select Admin > Tools > File Browser.
Step 2 Use the drop-down list to select a directory and locate the files you want to delete. Traverse the folder structure until you locate the files.
Related Topics
• Uploading Files, page 16-7
• Downloading Files, page 16-7
• Renaming Files, page 16-8
• Deleting Files, page 16-9
• About File Browser, page 16-6
Checking the ACE Appliance DM GUI Status
If you find that the ACE appliance Device Manager GUI appears to be inoperative, enter the dm status CLI command in Exec mode to verify the health of the Device Manager.
GLOSSARY
A
ACL Access Control List. A mechanism in computer security used to enforce privilege separation. An ACL identifies the privileges and access rights a user or client has to a particular object, such as a server, file system, or application.
activate Places an entity into the resource pool for load balancing content requests or connections and starts the keepalive function. See also suspend.
checkpoint A snapshot in time of a known stable ACE running configuration, taken before you begin to modify it. If you encounter a problem with the modifications to the running configuration, you can roll back the configuration to the previous stable checkpoint.
Cisco.com Replaces the Cisco Connection Online Web site. Use this site to access customer service and support.
class map A mechanism for classifying types of network traffic.
H
HSRP Hot Standby Router Protocol. A networking protocol that provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from first hop failures in network edge devices or access circuits.
I
ICMP Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing. Documented in RFC 792.
Internet Control Message Protocol See ICMP.
interface 1.
O
object A physical entity, service, or resource that can be managed using ACE Appliance Device Manager.
object group A logical grouping of similar objects, such as servers, clients, services, or networks. Creating an object group allows you to apply common attributes to a number of objects without specifying each object individually.
P
PAT Port Address Translation. A mechanism that allows many devices on a LAN to share one IP address by allocating a unique port address at Layer 4.
redundancy In internetworking, the duplication of devices, services, or connections so that, in the event of a failure, the redundant devices, services, or connections can perform the work of those that failed.
resource class A defined set of resources and allocations available to a virtual context on a device such as the ACE appliance. Assigning resource classes prevents a single context from consuming all of the appliance's resources.
role See user role.
RSA Rivest, Shamir, and Adleman. A public-key cryptosystem used for encryption and digital signatures.
sticky A feature that ensures that the same client gets the same server for multiple connections. It is used when applications require a consistent and constant connection to the same server. If you are connecting to a system that keeps state tables about your connection, sticky allows you to get back to the same real server again and retain the statefulness of the system.
suspend Removes an entity from the resource pool for future load-balancing content requests or connections.
VTP VLAN Trunking Protocol. A Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs within a VTP domain. VTP minimizes misconfigurations and configuration inconsistencies that can result in a number of problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.