manualshive.com logo in svg

Cisco 4700 series, Administration Manual

The Cisco 4700 series Configuration Manual is a comprehensive and user-friendly guide that provides step-by-step instructions for setting up and optimizing your Cisco 4700 series product. This essential manual is available for free download exclusively at manualshive.com, offering users easy access to valuable information to enhance their product experience.

Share
Download
background image

   

4-7

Cisco 4700 Series Application Control Engine Appliance Administration Guide

OL-11157-01 

Chapter 4      Configuring Class Maps and Policy Maps

Class Map and Policy Map Overview

The ACE supports a system-wide maximum of 4096 policy maps.

A Layer 7 policy map is always associated within a Layer 3 and Layer 4 policy 
map to provide an entry point for traffic classification. Layer 7 policy maps are 
considered to be child policies and can only be nested under a Layer 3 and Layer 4 
policy map. 

Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface; a 
Layer 7 policy map cannot be directly applied on an interface. For example, to 
associate a Layer 7 load-balancing policy map, you nest the load-balancing policy 
map by using the Layer 3 and Layer 4 

loadbalance

 

policy

 command. 

Depending on the 

policy-map

 command, the ACE executes the action specified 

in the policy map on the network traffic as follows:

  •

first-match

—For 

policy-map

 commands that contain the 

first-match

 

keyword, the ACE executes the specified action only for traffic that meets the 
first matching classification within a policy map. No additional actions are 
executed. 

  •

all-match

—For 

policy-map

 commands that contain the 

all-match

 keyword, 

the ACE attempts to match a packet against all classes in the policy map and 
executes the actions of all matching classes associated with the policy map.

  •

multi-match

—For 

policy-map

 commands that contain the 

multi-match

 

keyword, these commands specify that multiple sets of classes exist in the 
policy map and allow a multi-feature policy map. The ACE applies a 
first-match execution process to each class set in which a packet can match 
multiple classes within the policy map, but the ACE executes the action for 
only one matching class within each class set. The definition of which classes 
are in the same class set depends on the actions applied to the classes; the 
ACE associates each policy map action with a specific set of classes. Some 
ACE functions may be associated with the same class set as other features (for 
example, application protocol inspection actions would typically be 
associated with the same class set), while the ACE associates other features 
with a different class set.

When there are multiple instances of actions of the same type configured in a 
policy map, the ACE performs the first action encountered of the same type that 
has a match.

Summary of Contents for 4700 series

Page 1: ...Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Text Part Number OL 11157 01 Cisco 4700 Series Application Control Engine Appliance Administration Guide Software Version A1 7 November 2007 ...

Page 2: ...ED OF THE POSSIBILITY OF SUCH DAMAGES CCDE CCVP Cisco Eos Cisco StadiumVision the Cisco logo DCE and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn is a service mark and Access Registrar Aironet AsyncOS Bringing the Meeting To You Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS Cisco Press Cisco Syst...

Page 3: ...es xxiii C H A P T E R 1 Setting Up the ACE 1 1 Establishing a Console Connection on the ACE 1 2 Using the Setup Script to Enable Connectivity to the Device Manager 1 3 Connecting and Logging into the ACE 1 7 Changing the Administrative Password 1 9 Resetting the Administrator CLI Account Password 1 10 Assigning a Name to the ACE 1 12 Configuring an ACE Inactivity Timeout 1 12 Configuring a Messag...

Page 4: ... Configuration Register 1 35 Setting the BOOT Environment Variable 1 37 Configuring the ACE to Bypass the Startup Configuration File During the Boot Process 1 38 Displaying the ACE Boot Configuration 1 41 Restarting the ACE 1 41 Shutting Down the ACE 1 42 C H A P T E R 2 Enabling Remote Access to the ACE 2 1 Remote Access Configuration Quick Start 2 2 Configuring Remote Network Management Traffic ...

Page 5: ...ng a User Context Through SSH 2 21 Example of a Remote Access Configuration 2 23 Viewing Session Information 2 24 Showing Telnet Session Information 2 24 Showing SSH Session Information 2 26 Showing SSH Session Information 2 26 Showing SSH Key Details 2 27 C H A P T E R 3 Managing ACE Software Licenses 3 1 Available ACE Licenses 3 2 Ordering an Upgrade License and Generating a Key 3 5 Copying a Li...

Page 6: ...Traffic Class Map 4 25 Defining a Class Map Description 4 27 Defining Access List Match Criteria 4 28 Defining Match Any Criteria 4 28 Defining Destination IP Address and Subnet Mask Match Criteria 4 29 Defining TCP UDP Port Number or Port Range Match Criteria 4 30 Defining the Source IP Address and Subnet Mask Match Criteria 4 31 Defining the VIP Address Match Criteria 4 32 Defining Layer 3 and L...

Page 7: ...Map 4 50 Creating a Layer 7 Policy Map 4 51 Adding a Layer 7 Policy Map Description 4 53 Including Inline Match Statements in a Layer 7 Policy Map 4 53 Specifying a Layer 7 Traffic Class with the Traffic Policy 4 54 Specifying Layer 7 Policy Actions 4 55 Associating the Layer 7 Policy Map with a Layer 3 and Layer 4 Policy Map 4 57 Applying a Service Policy 4 58 Class Maps and Policy Map Examples 4...

Page 8: ...guration File 5 10 Loading Configuration Files from a Remote Server 5 11 Using the File System on the ACE 5 12 Listing the Files in a Directory 5 13 Copying Files 5 15 Copying Files to Another Directory on the ACE 5 15 Copying Licenses 5 16 Copying a Packet Capture Buffer 5 16 Copying Files to a Remote Server 5 17 Copying Files from a Remote Server 5 19 Copying an ACE Software System Image to a Re...

Page 9: ... Back a Running Configuration 5 39 Displaying Checkpoint Information 5 39 Reformatting Flash Memory 5 40 C H A P T E R 6 Viewing ACE Hardware and Software Configuration Information 6 1 Displaying Software Version Information 6 2 Displaying Software Copyright Information 6 3 Displaying Hardware Information 6 3 Displaying the Hardware Inventory 6 4 Displaying ACE Environment Information 6 5 Displayi...

Page 10: ...uring an FT Peer 7 16 Associating the FT VLAN with the Local Peer 7 16 Configuring the Heartbeat Interval and Count 7 17 Configuring a Query Interface 7 18 Configuring an FT Group 7 19 Associating a Context with an FT Group 7 19 Associating a Peer with an FT Group 7 20 Assigning a Priority to the Active FT Group Member 7 20 Assigning a Priority to the Standby FT Group Member 7 21 Configuring Preem...

Page 11: ...lure Detection for an Interface 7 35 Creating a Tracking and Failure Detection Process for an Interface 7 35 Configuring the Interface Tracked by the Active Member 7 36 Configuring a Priority for a Tracked Interface on the Active Member 7 36 Configuring the Interface Tracked by the Standby Member 7 37 Configuring a Priority for a Tracked Interface on the Standby Member 7 37 Example of a Tracking C...

Page 12: ...s 8 29 Configuring an SNMP Contact 8 31 Configuring an SNMP Location 8 31 Configuring SNMP Notifications 8 32 Configuring SNMP Notification Hosts 8 32 Enabling SNMP Notifications 8 34 Enabling the IETF Standard for SNMP linkUp and linkDown Traps 8 36 Assigning a Trap Source Interface for SNMP Traps 8 37 Configuring SNMP Management Traffic Services 8 38 Creating and Configuring a Layer 3 and Layer ...

Page 13: ...9 11 Configuring HTTP and HTTPS Management Traffic Services 9 13 Creating and Configuring a Class Map 9 14 Defining a Class Map Description 9 15 Defining HTTP and HTTPS Protocol Match Criteria 9 16 Creating a Layer 3 and Layer 4 Policy Map 9 17 Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE 9 17 Specifying a Layer 3 and Layer 4 Traffic Class with the T...

Page 14: ...riority and Preempt A 3 Creating a Checkpoint A 3 Software Upgrade Quick Start A 4 Copying the Software Upgrade Image to the ACE A 7 Configuring the ACE to Autoboot the Software Image A 8 Setting the Boot Variable A 8 Configuring the Configuration Register to Autoboot the Boot Variable A 9 Verifying the Boot Variable and Configuration Register A 10 Reloading the ACE A 10 Displaying Software Image ...

Page 15: ...cy configure the XML interface and upgrade your ACE software You can configure the ACE by using the following interfaces The command line interface CLI a line oriented user interface that provides commands for configuring managing and monitoring the ACE Device Manager graphic user interface GUI a Web browser based GUI interface that provides a graphical user interface for configuring managing and ...

Page 16: ...date and time configure terminal settings modify the boot configuration and restart the ACE Chapter 2 Enabling Remote Access to the ACE Describes how to configure remote access to the Cisco 4700 Series Application Control Engine ACE appliance by establishing a remote connection using the Secure Shell SSH or Telnet protocols It also describes how to configure the ACE to provide direct access to a u...

Page 17: ...ormation Chapter 7 Configuring Redundant ACE Appliances Describes how to configure the ACE for redundancy which provides fault tolerance for the stateful failover of flows Chapter 8 Configuring SNMP Describes how to configure Simple Network Management Protocol SNMP to query the ACE for Cisco Management Information Bases MIBs and to send event notifications to a network management system NMS Chapte...

Page 18: ... Regulatory Compliance and Safety Information for the Cisco Application Control Engine Appliance Regulatory compliance and safety information for the ACE appliance Cisco ACE 4700 Series Application Control Engine Appliance CLI Quick Configuration Note Describes how to use the ACE CLI to perform the initial setup and VIP load balancing configuration tasks Cisco 4700 Series Application Control Engin...

Page 19: ...ation Control Engine Appliance Server Load Balancing Configuration Guide Describes how to configure the following server load balancing tasks on the ACE Real servers and server farms Class maps and policy maps to load balance traffic to real servers in server farms Server health monitoring probes Stickiness Firewall load balancing TCL scripts Cisco 4700 Series Application Control Engine Appliance ...

Page 20: ... normalization and termination parameters Network address translation NAT Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide Describes how to configure the following Secure Sockets Layer SSL tasks on the ACE SSL certificates and keys SSL initiation SSL termination End to end SSL Cisco 4700 Series Application Control Engine Appliance System Message Guide Describes how to...

Page 21: ...n files to the ACE Document Title Description Convention Description boldface font Commands command options and keywords are in boldface Bold text also indicates a command in a paragraph italic font Arguments for which you supply values are in italics Italic text also indicates the first occurrence of a new term book title emphasized text Encloses required arguments and keywords Encloses optional ...

Page 22: ...ble physical harm or equipment damage A warning describes an action that could cause you physical harm or damage the equipment For additional information about CLI syntax formatting see the Cisco 4700 Series Application Control Engine Appliance Command Reference boldface screen font Information you must enter in a command line is in boldface screen font italic screen font Arguments for which you s...

Page 23: ...following acknowledgements pertain to this software license OpenSSL Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com License Issues The OpenSSL toolkit stays un...

Page 24: ...mission For written permission please contact openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL To...

Page 25: ...ung s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and use in source and binary forms with or without modificat...

Page 26: ...AIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN...

Page 27: ...nager Connecting and Logging into the ACE Changing the Administrative Password Assigning a Name to the ACE Configuring an ACE Inactivity Timeout Configuring a Message of the Day Banner Configuring the Time Date and Time Zone Synchronizing the ACE with an NTP Server Configuring Terminal Settings Modifying the Boot Configuration Restarting the ACE Shutting Down the ACE For details on assigning VLANs...

Page 28: ... connected to this port must be capable of asynchronous transmission Connection requires a terminal configured as 9600 baud 8 data bits hardware flow control on 1 stop bit no parity Note Only the Admin context is accessible through the console port all other contexts can be reached through Telnet or SSH sessions Once connected use any terminal communications application to access the ACE CLI The f...

Page 29: ...ars without a prompt Using the Setup Script to Enable Connectivity to the Device Manager When you boot the ACE for the first time and the appliance does not detect a startup configuration file a setup script appears to guide you through the process of configuring a management VLAN on the ACE through one of its Gigabit Ethernet ports The primary intent of the setup script is to simplify connectivit...

Page 30: ... on the front of the ACE and the boot process occurs See the Cisco Application Control Engine Appliance Hardware Installation Guide for details Step 3 At the login prompt log into the ACE by entering the login username and password By default the username and password are admin For example enter switch login admin Password admin Basic System Configuration Dialog This setup utility will guide you t...

Page 31: ... At the prompt What is the Management VLAN ip address 192 168 1 10 assign an IP address to the management VLAN interface When you assign an IP address to a VLAN interface the ACE automatically makes it a routed mode interface Press Enter Step 9 At the prompt What is the Management VLAN ip netmask 255 255 255 0 assign a subnet mask to the management VLAN interface Press Enter Step 10 At the prompt ...

Page 32: ...f the following replies Type y to modify the configuration at the CLI Type n to accept the configuration without any additional changes This setting is the default Step 13 At the prompt Use this configuration yes no y enter one of the following replies Type y to instruct the ACE to boot using the newly created running configuration file This is the default Type n to bypass using the newly created ...

Page 33: ...GUI will become inoperative If this occurs restart the Device Manager using the dm reload command you must be the global administrator to access the dm reload command Note that restarting the Device Manager does not impact ACE functionality however it may take a few minutes for the Device Manager to reinitialize as it reads the ACE CLI configuration This command is available only in software versi...

Page 34: ...CE section Step 2 Log into the ACE by entering the login username and password at the following prompt switch login admin Password admin By default both the username and password are admin The prompt changes to the following switch Admin To change the default login password see the Changing the Administrative Password section for details Note When you boot the ACE for the first time and the applia...

Page 35: ... the same for every ACE shipped from Cisco Systems Caution For software versions A1 8 0a and higher you must change the default Admin password if you have not already done so Otherwise you will be able to log in to the ACE only through the console port The administrative username and password are stored in Flash memory Each time that you reboot the ACE it reads the username and password from Flash...

Page 36: ...assword is in clear text by default Enter a password as an unquoted text string with a maximum of 64 characters The ACE supports the following special characters in a password Note that the ACE encrypts clear text passwords in the running config For example to create a user named user1 that uses the clear text password mysecret_801 enter the following command switch Admin config username user1 pas...

Page 37: ...ACE to properly complete booting reboot the ACE and try again to access the setup mode by pressing ESC Daughter Card Found Continuing INIT Entering runlevel 3 Testing PCI path This may take some time Please wait PCI test loop count 0 PCI path is ready Starting services Press ESC when you see this message Entering setup sequence Reset Admin password y n default n y Resetting admin password to facto...

Page 38: ...om switch to ACE_1 enter the following command switch Admin config hostname ACE_1 ACE_1 Admin config Configuring an ACE Inactivity Timeout By default the inactivity timeout value is 5 minutes You can modify the length of time that can occur before the ACE automatically logs off an inactive user by using the login timeout command in configuration mode This command specifies the length of time that ...

Page 39: ...Exec mode prompt The syntax of this command is as follows banner motd text The text argument is a line of message text to be displayed as the message of the day banner The text string consists of all characters following the first space until the end of the line carriage return or line feed The character functions as the delimiting character for each line For the banner text spaces are allowed but...

Page 40: ...switch Admin config banner motd Welcome to hostname Do not use the double quote character or the percent sign character as a delimiting character in a single line message string For multi line input double quotes are not required for the token because the input mode is different from the single line mode When you operate in multi line mode the ACE interprets the double quote character literally Th...

Page 41: ... Setting the System Time and Date To set the time and the date for an ACE use the clock set command in Exec mode When you enter this command the ACE displays the current configured date and time The syntax of this command is as follows clock set hh mm ss DD MONTH YYYY The arguments are hh mm ss Current time to which the ACE clock is being reset Specify two digits for the hours minutes and seconds ...

Page 42: ...an ACE See the Synchronizing the ACE with an NTP Server section for more information Setting the Time Zone To set the time zone for the ACE use the clock timezone command in configuration mode The ACE keeps time internally in Universal Time Coordinated UTC offset The syntax of this command is as follows clock timezone zone_name hours minutes standard timezone The keywords arguments and options are...

Page 43: ...MSD Moscow Summer Time as UTC 4 hours MSK Moscow Time as UTC 3 hours MST Mountain Standard Time as UTC 7 hours PST Pacific Standard Time as UTC 8 hours WEST Western Europe Summer Time as UTC 1 hour WST Western Standard Time as UTC 8 hours Table 1 1 lists the common time zone acronyms that you can specify for the zone_name argument Table 1 1 Common Time Zone Acronyms Acronym Time Zone Name and UTC ...

Page 44: ...either as EST or EDT depending on the place and the time of year EST Eastern Standard Time as UTC 5 hours EDT Eastern Daylight Saving Time as UTC 4 hours MT Mountain Time either as MST or MDT depending on the place and the time of year MDT Mountain Daylight Saving Time as UTC 6 hours MST Mountain Standard Time as UTC 7 hours PT Pacific Time either as PST or PDT depending on place and time of year ...

Page 45: ...e to the local time zone the start time is relative to the standard time and the end time is relative to the summer time If the starting month is after the ending month the ACE assumes that you are found in the Southern Hemisphere The syntax of this command is as follows clock summer time daylight_timezone_name start_week start_day start_month start_time end_week end_day end_month end_time dayligh...

Page 46: ...tober 60 min AKDT Alaska Standard Daylight Time 2 am on the first Sunday in April to 2 am on the last Sunday in October 60 min CDT Central Daylight Time 2 am on the first Sunday in April to 2 am on the last Sunday in October 60 min EDT Eastern Daylight Time 2 am on the first Sunday in April to 2 am on the last Sunday in October 60 min MDT Mountain Daylight Time 2 am on the first Sunday in April to...

Page 47: ...ing NTP distributes this time across the network The NTP protocol can synchronize distributed clocks within milliseconds over long time periods NTP runs over User Datagram Protocol UDP which runs over IP NTP is documented in RFC 1305 All NTP communication uses Coordinated Universal Time UTC which is the same as Greenwich Mean Time An NTP server must be accessible by the client ACE Note If you are ...

Page 48: ...ver To configure the ACE system clock to synchronize a peer or to be synchronized by a peer or to be synchronized by a time server use the ntp command The syntax of this command is as follows ntp peer ip_address1 prefer server ip_address2 prefer Note Only users authenticated in the Admin context can use the ntp peer and ntp server commands The keywords arguments and options are peer Configure the ...

Page 49: ...ify a preferred server enter host1 Admin config ntp server 192 168 10 10 prefer host1 Admin config ntp server 192 168 4 143 host1 Admin config ntp server 192 168 5 10 For example to form a peer association with a preferred peer enter host1 Admin config ntp peer 192 168 10 0 prefer To remove an NTP peer or server from the configuration use the no form of this command For example host1 Admin config ...

Page 50: ...y code peer Displays the per peer statistics counter of a peer ip_address Displays the peer statistics for the specified IP address For example to display the status for all NTP servers and peers enter switch Admin show ntp peer status Table 1 2 describes the fields in the show ntp peer status command output Table 1 2 Field Descriptions for the show ntp peer status Command Field Description Total ...

Page 51: ...ble 1 4 describes the fields in the show ntp statistics io command output Peer IP Address IP address of each associated peer Serv Peer Indication of whether the peer functions as an NTP server or NTP peer Table 1 2 Field Descriptions for the show ntp peer status Command Field Description Table 1 4 Field Descriptions for show ntp statistics io Command Field Description Time since reset Time since t...

Page 52: ...ion The version number is in every NTP packet Unknown version number Number of packets with an unknown NTP version Bad packet format Number of NTP packets that were received and dropped by the ACE due to an invalid packet format Packets processed Number of NTP packets received and processed by the ACE Bad authentication Number of packets not verified as authentic Dropped packets Total number of NT...

Page 53: ...indpeer Note findpeer is an entry point to the allocation of memory to peer structures that looks for matching peer structures in the peer list New peer allocations Number of allocations from the free list Peer demobilizations Number of structures freed to the free list Hash table counts The count of peers in each hash table For example to display the per peer statistics counter of a peer enter sw...

Page 54: ...atistics for all peers enter host1 Admin clear ntp statistics all peers Packets Sent Number of packets sent to the NTP peer Packets Received Number of packets received from the NTP peer Bogus Origin Number of packets received from the NTP peer of a suspect origin Duplicate Number of duplicate packets received from the NTP peer Bad Dispersion Number of packets with an invalid dispersion Note Disper...

Page 55: ...ng the ACE with an NTP Server For example to clear the NTP statistics for the I O devices enter host1 Admin clear ntp statistics io For example to clear the NTP statistics for the local devices enter host1 Admin clear ntp statistics local For example to clear the NTP statistics for memory enter host1 Admin clear ntp statistics memory ...

Page 56: ...H or Telnet see Chapter 2 Enabling Remote Access to the ACE Configuring Terminal Display Attributes You can specify the number of lines and the width for displaying information on a terminal during a console session The maximum number of displayed screen lines is 511 columns To configure the terminal display settings use the terminal command in Exec mode The terminal command allows you to set the ...

Page 57: ...n file Note The login timeout command setting overrides the terminal session timeout setting see the Configuring an ACE Inactivity Timeout section terminal type text Specifies the name and type of the terminal used to access the ACE If a Telnet or SSH session specifies an unknown terminal type the ACE uses the VT100 terminal by default Specify a text string from 1 to 80 alphanumeric characters wid...

Page 58: ... settings for accessing the ACE by a console or a virtual terminal It includes the following procedures Configuring Console Line Settings Configuring Virtual Terminal Line Settings Configuring Console Line Settings The console port is an asynchronous serial port on the ACE that allows you to directly access the appliance to perform an initial configuration through a standard RS 232 port with an RJ...

Page 59: ...ne settings for the ACE enter host1 Admin config Enter configuration commands one per line End with CNTL Z host1 Admin config host1 Admin config line console host1 Admin config console databits 6 host1 Admin config console parity even host1 Admin config console speed 19200 host1 Admin config console stopbits 1 To disable a setting for the configured console line use the no form of the command For ...

Page 60: ...s session limit number The number argument configures the maximum number of terminal sessions per line The range is from 1 to 251 For example to configure a virtual terminal line enter host1 Admin config Enter configuration commands one per line End with CNTL Z host1 Admin config host1 Admin config line vty host1 Admin config line session limit 23 To disable a setting for the configured virtual te...

Page 61: ...he ACE Boot Configuration Setting the Boot Method from the Configuration Register The configuration register can be used to modify how the ACE performs its boot process automatically or manually You can modify the boot method that the ACE uses at the next startup by setting the boot field in the software configuration register The configuration register identifies how the ACE should boot To specif...

Page 62: ...e memory To set the boot field in the configuration register to automatically boot the system image identified in the BOOT environment variable upon reboot and to load the startup configuration file stored in Flash memory enter host1 Admin config config register 0x1 To reset the config register setting enter host1 Admin config no config register 0x1 Press Esc when the count down initiates on the G...

Page 63: ...ages in the order in which you added them to the BOOT environment variable If you want to change the order in which images are tried at startup you can either prepend and clear images from the BOOT environment variable to attain the desired order or you can clear the entire BOOT environment variable and then redefine the list in the desired order To set the BOOT environment variable use the boot s...

Page 64: ...ive You can bypass the startup configuration file to safely boot the ACE and then resolve issues with the configuration You forget the password for the ACE administrator CLI account and cannot access the ACE You can bypass the startup configuration file and log in with the default password of admin Note For the procedure on resetting the administrator CLI account password see the Resetting the Adm...

Page 65: ... highlighted in the list 5 Type e to edit the kernel command line From the GRUB menu choose ignorestartupcfg 1 6 Press Esc to return to the GRUB menu 7 Press enter to boot the selected software version The ACE boot screen appears as follows kernel hd0 0 ACE_APPLIANCE_RECOVERY_IMAGE bin ro root LABEL auto console tt yS0 9600n8 quiet bigphysarea 32768 ignorestartupcfg 1 Linux bzImage setup 0x1400 si...

Page 66: ...Cisco Application Control Software ACSW TAC support http www cisco com tac Copyright c 1985 2007 by Cisco Systems Inc All rights reserved The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license Some parts of this software are covered under the GNU Public License A copy of the license is available at http www gnu org licenses gpl ...

Page 67: ...command reboots the ACE and performs a full power cycle of both the hardware and software The reset process can take several minutes Any open connections with the ACE are dropped after you enter the reload command Caution Configuration changes that are not written to the Flash partition are lost after a reload Before rebooting enter the copy running conf startup config command in Exec mode to stor...

Page 68: ...E press the power button found on the front panel Caution Configuration changes that are not written to the Flash partition are lost after a shutdown Before you shut down the ACE enter the copy running conf startup config command in Exec mode to store the current configuration in Flash memory If you fail to save your configuration changes the ACE reverts to its previous settings upon restart ...

Page 69: ... a host This chapter includes the following major sections Remote Access Configuration Quick Start Configuring Remote Network Management Traffic Services Configuring Telnet Management Sessions Configuring SSH Management Sessions Terminating an Active User Session Enabling ICMP Messages to the ACE Directly Accessing a User Context Through SSH Example of a Remote Access Configuration Viewing Session...

Page 70: ...les in this table use the Admin context unless otherwise specified For details on creating contexts see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide 2 Enter configuration mode host1 Admin config Enter configuration commands one per line End with CNTL Z host1 Admin config 3 Create a class map that permits network management traffic to be received by ...

Page 71: ... c exit host1 Admin config pmap mgmt exit host1 Admin config 5 Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same context For example to specify an interface VLAN and apply the remote management policy map to the VLAN enter host1 Admin config interface vlan 50 host1 Admin config if ip address 172 16 1 100 255 255 0 0 host1 Admin config if service po...

Page 72: ...a listed in the class map Service policy Activates the policy map and attaches the traffic policy to an interface or globally on all interfaces This section provides an overview on creating a class map policy map and service policy for remote network access For detailed information on creating class maps policy maps and service policies see Chapter 4 Configuring Class Maps and Policy Maps 8 If you...

Page 73: ...hat the ACE can receive as well as the client source IP address and subnet mask as the matching criteria The type management keywords define the allowed network traffic to manage security for protocols such as SSH Telnet and ICMP A class map can have multiple match commands You can configure class maps to define multiple management protocol and source IP address match commands in a group that you ...

Page 74: ...t1 Admin config class map type management match all SSH TELNET_ALLOW_CLASS host1 Admin config cmap mgmt match protocol ssh source address 172 16 10 0 255 255 255 254 host1 Admin config cmap mgmt match protocol telnet source address 172 16 10 0 255 255 255 254 host1 Admin config cmap mgmt exit host1 Admin config To remove a Layer 3 and Layer 4 network management class map from the ACE enter host1 A...

Page 75: ...address ip_address mask line_number Optional Assists you in editing or deleting individual match commands Enter an integer from 2 to 255 as the line number You can enter no line_number to delete long match commands instead of entering the entire line The line numbers do not dictate a priority or sequence for the match statements http Specifies the Hypertext Transfer Protocol HTTP The use of the HT...

Page 76: ...ifies any client source address for the management traffic classification source address Specifies a client source host IP address and subnet mask as the network traffic matching criteria As part of the classification the ACE implicitly obtains the destination IP address from the interface on which you apply the policy map ip_address Source IP address of the client Enter the IP address in dotted d...

Page 77: ...ing a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE To configure a Layer 3 and Layer 4 policy map that defines the different actions that are applied to the IP management traffic received by the ACE use the policy map type management first match configuration command The ACE executes the specified action only for traffic that meets the first matching classificat...

Page 78: ...ifies the description that you want to provide Enter an unquoted text string with a maximum of 240 alphanumeric characters For example to specify a description that the policy map is to allow remote Telnet access enter host1 Admin config pmap mgmt description Allow Telnet access to the ACE To remove a description from the policy map enter host1 Admin config pmap mgmt no description Specifying a La...

Page 79: ...CE You cannot delete or modify this class All network traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class If none of the specified classifications match the ACE then matches the action specified under the class class default command The class default class map has an implicit match any statement in it and is used to match any traffic c...

Page 80: ...n the class map to be received by the ACE For example to create a Layer 3 and Layer 4 remote network traffic management policy map that permits SSH Telnet and ICMP connections to be received by the ACE enter host1 Admin config policy map type management first match REMOTE_MGMT_ALLOW_POLICY host1 Admin config pmap mgmt class SSH ALLOW_CLASS host1 Admin config pmap mgmt c permit host1 Admin config p...

Page 81: ...ssociated with a context The syntax of this command is service policy input policy_name The keywords arguments and options are input Specifies that the traffic policy is to be attached to the input direction of an interface The traffic policy evaluates all traffic received by that interface policy_name Specifies the name of a previously defined policy map configured with a previously created polic...

Page 82: ...o all VLAN interfaces in the same context Note the following guidelines and restrictions when creating a service policy Policy maps applied globally in a context are internally applied on all interfaces existing in the context A policy activated on an interface overwrites any specified global policies for overlapping classification and actions The ACE allows only one policy of a specific feature t...

Page 83: ...ied to an interface For example to clear the statistics for the policy map REMOTE_MGMT_ALLOW_POLICY that is currently in service enter host1 Admin clear service policy REMOTE_MGMT_ALLOW_POLICY Configuring Telnet Management Sessions The ACE supports a maximum 16 concurrent Telnet management sessions for the Admin context and 4 concurrent Telnet management sessions for each user context To control t...

Page 84: ...maxsessions Configuring SSH Management Sessions This section includes the following topics Configuring Maximum Number of SSH Sessions Generating SSH Host Key Pairs SSH remote access sessions are established on the ACE per context You can create a context assign an interface and IP address to it and then log into the ACE by using SSH to connect to that IP address This capability allows you to speci...

Page 85: ...or the context DSA and RSA keys are generated in pairs one public key and one private key With this method of remote connection use a generated private and public key pair to participate in a secure communication by encrypting and decrypting messages The global administrator performs the key generation in the Admin context All contexts associated with the ACE share the common key There is only a s...

Page 86: ... the SSH key pair option is already generated for the required version use the force option to overwrite the previously generated key pair Before you generate the key set the hostname and the domain name These two settings are used in the key See Chapter 1 Setting Up the ACE for details on setting a hostname and to the Cisco 4700 Series Application Control Engine Appliance Virtualization Configura...

Page 87: ...ple to terminate an SSH session enter host1 Admin clear ssh 345 Enabling ICMP Messages to the ACE By default the ACE does not allow ICMP messages to be received by an ACE interface or to pass through the ACE interface ICMP is an important tool for testing your network connectivity however network hackers can also use ICMP to attack the ACE or your network We recommend that you allow ICMP during yo...

Page 88: ...g the ACE enable the ICMP application protocol inspection function instead of defining a class map and policy map See the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide for details For example to allow the ACE to receive ICMP pings enter the following commands host1 Admin config class map type management match all ICMP ALLOW_CLASS host1 Admin config cmap mgmt d...

Page 89: ...ngine Appliance Virtualization Configuration Guide Step 2 Associate an existing VLAN with the user context so that the context can receive traffic classified for it by entering the following command host1 Admin config context allocate interface vlan 100 See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide Step 3 Generate the SSH host key pair by e...

Page 90: ... VLAN interfaces or just to the VLAN interface allocated to the user context by entering the following commands host1 C1 config class map type management match all SSH ALLOW_CLASS host1 C1 config cmap mgmt match protocol ssh source address 172 16 10 0 255 255 255 254 host1 C1 config cmap mgmt exit host1 C1 config host1 C1 config policy map type management first match REMOTE_MGMT_ALLOW_POLICY host1...

Page 91: ...ollowing example illustrates a running configuration that defines rules for remote access to the ACE through the use of class maps policy maps and service policies The remote access configuration appears in bold in the example telnet maxsessions 3 ssh maxsessions 3 access list ACL1 line 10 extended permit ip any any class map type management match any L4_REMOTE MGT_CLASS description Allows Telnet ...

Page 92: ...ation Showing Telnet Session Information To display information related to the Telnet session use the show telnet command in Exec mode Only the context administrator can view Telnet information associated with a particular context The syntax of this command is show telnet context_name The optional context_name argument specifies the name of the context for which you want to view specific Telnet se...

Page 93: ...ient Active Time Time since the Telnet connection request was received by the ACE To display the maximum number of enabled Telnet sessions use the show telnet maxsessions command in Exec mode Only context administrators can view Telnet session information associated with a particular context The syntax of this command is show telnet maxsessions context_name The optional context_name argument speci...

Page 94: ...ontext_name The optional context_name argument specifies the name of the context for which you want to view specific SSH session information The context_name argument is case sensitive For example enter host1 Admin show ssh session info Table 2 3 describes the fields in the show ssh session info command output Table 2 3 Field Descriptions for the show ssh session info Command Field Description Ses...

Page 95: ...to display the host key pair details for the specified key or for all keys if you do not specify a key The syntax of this command is show ssh key dsa rsa rsa1 The arguments keywords and options are dsa Specifies the DSA key pair for the SSH version 2 protocol rsa Specifies the RSA key pair for the SSH version 2 protocol rsa1 Specifies the RSA1 key pair for the SSH version 1 protocol For example en...

Page 96: ...UQ6CKrK9V NsfgzTSLW TH8iDUvYjL c3nU51QEKjy7mPsQeX31y1M1rhp8qhkbMKxkc49XAAAAFQCPM0QJrq6 kkaghJpeNxeXhU H9HwAAAIEA keZ1ZJM6sfKqJDYPLHkTro lpbV9uR4VyYoZmSoehi LmSaZDq Mc8UN1LM i5vkOgnKce arD9lM4 hK zZGYx5hJOiYCKj ny2a5p 8HK152cnsOAg6ebkiTTWAprcWrcHDS 1mcaI5GzLrZCdlXW5 gBFZtMTJGs tICmVWjibewAAACBAJQ66zdZQqYiCWtZfmakridEGDTLV6ixIDjBNgb84qlj Y1XMzqLL0 D4oMSb7idE L3BmhQYQW7hkTK0oS4kVawI1VmW2kvrqoGQnLNQRM...

Page 97: ...ing major sections Available ACE Licenses Ordering an Upgrade License and Generating a Key Copying a License File to the ACE Installing a New or Upgrade License File Replacing a Demo License with a Permanent License Removing a License Backing Up a License File Displaying License Configurations and Statistics Note You can access the license and show license commands only in the Admin context You mu...

Page 98: ...r SSL 1000 transactions per second TPS Hypertext Transfer Protocol HTTP compression 100 megabits per second Mbps You can increase the performance and operating capabilities of your ACE product by purchasing one of the licensing options There are two methods to order your ACE product Ordering a license bundle Each license bundles includes the ACE appliance and a series of software licenses Ordering...

Page 99: ...ense 500 Mbps compression license 5 virtual contexts license default Application acceleration license 3 3 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL 11157 01 Chapter 3 Managing ACE Software Licenses Available ACE Licenses Table 3 2 ACE Licensing Options Feature License Model Description Performance Throughput ACE AP 01 LIC default 1 Gbps throughput ACE AP 02 LIC...

Page 100: ... and install the license file for the license onto the replacement appliance HTTP Compression Default 100 Mbps ACE AP C 500 LIC 500 Mbps ACE AP C 1000 LIC 1 Gbps ACE AP C UP1 Upgrade from 500 Mbps to 1 Gbps Application Acceleration Feature Pack License ACE AP OPT LIC K9 Application acceleration and optimization By default the ACE performs up to 50 concurrent connections per second With the applica...

Page 101: ...eive the Software License Claim Certificate from Cisco follow the instructions that direct you to the following Cisco com website http www cisco com go license Step 3 Enter the Product Authorization Key PAK number found on the Software License Claim Certificate as your proof of purchase Step 4 Provide all the requested information to generate a license key Step 5 Once the system generates the lice...

Page 102: ...The arguments are server path filename The path to the network server This path is optional because the ACE prompts you for this information if you omit it disk0 path filename Specifies that the file destination is the disk0 directory of the current context and the filename If you do not provide the optional path the ACE copies the file to the root directory on the disk0 file system For example to...

Page 103: ...all user contexts from the Admin running configuration and all configurations for the user contexts To install or upgrade a license on your ACE use the license install disk0 command in Exec mode from the Admin context The syntax of this command is license install disk0 path filename target_filename The arguments are path filename Installs the license stored on the disk0 file system If you do not s...

Page 104: ...cense to expire the ACE automatically removes all user contexts from the Admin running configuration and all configurations for the user contexts Before a context license expires save the Admin running configuration and the user context running configurations to a remote server To view the expiration of the demo license use the show license usage command in Exec mode from the Admin context After y...

Page 105: ...u must use the license uninstall command to remove license files from the ACE The following sections provides information about how to remove licences Removing an Appliance Performance Throughput License Removing an SSL TPS License Removing a Virtualization Context License Removing an HTTP Compression Performance License Removing the Application Acceleration Software Feature Pack License Caution W...

Page 106: ...TPS License To remove an ACE SSL TPS license use the license uninstall command in Exec mode from the Admin context When you uninstall an SSL license it reduces SSL TPS performance to 1000 TPS on the ACE For example to remove an SSL TPS license enter host1 Admin license uninstall ACE AP SSL 05K K9 lic Removing a Virtualization Context License The number of virtual contexts and type of licenses curr...

Page 107: ...onfig command in Exec mode in each context For more information on this command see Chapter 5 Managing the ACE Software For example to copy the Admin running configuration to an TFTP server as R CONFIG ADM enter host1 Admin copy running config tftp 192 168 1 2 R CONFIG ADM To copy the C1 user context running configuration to an TFTP server access the C1 context and enter host1 C1 copy running conf...

Page 108: ...g the show license status command in Exec mode of the Admin context Step 5 Determine which contexts you want to keep in the Admin running configuration Using a text editor manually remove the extra context configurations from the Admin running configuration on the remote server If the Admin running configuration contains more contexts than what the ACE supports and you copy this configuration to t...

Page 109: ...1 C1 tftp 192 168 1 2 R CONFIG C1 copy running config Step 9 Copy the user context running configuration to the startup configuration file For example enter host1 Admin copy running config startup config Step 10 Repeat Steps 8 and 9 until you retrieve the running configurations for all user contexts configured in the Admin configuration Removing an HTTP Compression Performance License To remove an...

Page 110: ...ation software feature pack installed the ACE can provide greater than 50 concurrent connections When you uninstall the software feature pack the ACE is capable of only five connections per second For more information on the application acceleration and optimization capabilities of the ACE and configuring these capabilities see the Cisco 4700 Series Application Control Engine Appliance Application...

Page 111: ...kup license file is copied to the disk0 file system path filename tar The destination filename for the backup licenses The destination filename must have a tar file extension For example enter host1 Admin copy licenses disk0 mylicenses tar If you accidently remove or lose the license on the ACE you can untar the backup file and reinstall it To untar the license use the untar command in Exec mode T...

Page 112: ...file filename internal event history status usage The options and arguments for this command are brief Displays a list of the currently installed licenses file filename Displays the file contents of the specified license internal event history Displays a history of licensing related events status Displays the status of licensed features usage Displays the usage table for all licenses Note Entering...

Page 113: ...put in gigabits per second Gbps This information also provides the default number of contexts SSL TPS and appliance throughout that the ACE supports when a license is not installed Table 3 6 describes the fields in the show license usage command output Table 3 6 Field Descriptions for the show license usage Command Output Field Description License Name of the license Ins Whether the license is ins...

Page 114: ...Chapter 3 Managing ACE Software Licenses Displaying License Configurations and Statistics 3 18 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL 11157 01 ...

Page 115: ...es and attach these policies to one or more VLAN interfaces associated with the ACE to apply feature specific actions to the matching traffic The ACE uses the individual traffic policies to implement the following functions Remote access using Secure Shell SSH or Telnet Server load balancing Application acceleration and optimization Network Address Translation NAT HTTP deep packet inspection FTP c...

Page 116: ...ss map defines a traffic classification network traffic that is of interest to you A policy map defines a series of actions functions that you want applied to a set of classified inbound traffic Class maps enable you to classify network traffic based on the following criteria Layer 3 and Layer 4 traffic flow information Source or destination IP address source or destination port virtual IP address...

Page 117: ... connection information virtual IP address Application acceleration and optimization Server load balancing based on Layer 7 HTTP related information such as HTTP headers cookies and URLs or client source IP address SSL security services between a web browser the client and the HTTP connection the server HTTP deep packet inspection FTP command request inspection Application protocol inspection also...

Page 118: ...ap applied globally to all VLAN interfaces or to a specific VLAN interface 7 Global Service Policy VLAN config service policy input HTTP_INSPECT_L4POLICY Service policy applies policy map to all VLAN interfaces in the context Specific Service Policy VLAN config interface vlan 50 config if service policy input HTTP_INSPECT_L4POLICY Service policy applies policy map to a specific VLAN interface Laye...

Page 119: ...the ACE A traffic class contains the following components Class map name One or more match commands that define the match criteria for the class map Instructions on how the ACE evaluates match commands when you specify more than one match command in a traffic class match any match all The ACE supports a system wide maximum of 8192 class maps The individual match commands specify the criteria for c...

Page 120: ...pe http loadbalance match any URLCHK_SLB_L7_CLASS host1 Admin config cmap http lb match http url foo host1 Admin config cmap http lb match http url bar host1 Admin config cmap http lb exit host1 Admin config class map type http loadbalance match all URLHDR_SLB_L7_CLASS host1 Admin config cmap http lb match http header host header value thishost host1 Admin config cmap http lb match class map URLCH...

Page 121: ...tion within a policy map No additional actions are executed all match For policy map commands that contain the all match keyword the ACE attempts to match a packet against all classes in the policy map and executes the actions of all matching classes associated with the policy map multi match For policy map commands that contain the multi match keyword these commands specify that multiple sets of ...

Page 122: ...1 Admin config pmap lb c exit host1 Admin config pmap lb class C3 host1 Admin config pmap lb c serverfarm SF3 host1 Admin config pmap lb c exit host1 Admin config pmap lb c class class default host1 Admin config pmap lb c serverfarm SFBACKUP If the match criteria satisfies the ACE load balances a content request to serverfarm SF1 if not the ACE evaluates the match criteria in class map C2 and clas...

Page 123: ...ed in the named traffic policy Policies and associated actions specify the behavior that you want applied to a traffic class Policy maps that are applied globally in a context are also internally applied to all interfaces that exist in the context A policy that has been activated on the interface overwrites global policies for overlapping classifications and actions The ACE allows only one policy ...

Page 124: ... define Layer 3 and Layer 4 network management traffic that can be received by the ACE Each step includes the CLI command required to complete the task Table 4 1 Layer 3 and Layer 4 Network Traffic Class Configuration Quick Start Task and Command Example 1 If you are operating in multiple contexts observe the CLI prompt to verify that you are operating in the desired context If necessary log direc...

Page 125: ...otocol deep inspection of incoming traffic 5 Optional Specify the match any command if you want the ACE to perform a match on any traffic passing through it host1 Admin config cmap match any Note The match any command cannot be combined with any other match criteria 6 Optional Specify a VIP classification to be used as the server load balancing matching criteria in the class map host1 Admin config...

Page 126: ... Traffic Class Configuration Quick Start continued Task and Command Example Table 4 2 Layer 3 and Layer 4 Network Management Traffic Class Configuration Quick Start Task and Command Example 1 If you are operating in multiple contexts observe the CLI prompt to verify that you are operating in the desired context If necessary log directly in to or change to the correct context host1 Admin changeto C...

Page 127: ... L4_MGMT_CLASS host1 Admin config cmap mgmt After you create a class map you will enter class map management configuration mode 4 Optional Specify a description about the network management traffic class map host1 Admin config cmap description enable SSH and Telnet protocols 5 Optional Configure the class map to identify the IP network management traffic received by the ACE host1 Admin config cmap...

Page 128: ...ss otherwise specified For details on creating contexts see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide 2 Enter configuration mode host1 Admin config Enter configuration commands one per line End with CNTL Z host1 Admin config 3 Optional Create one or more class maps that define Layer 7 HTTP content load balancing decisions based on cookies HTTP he...

Page 129: ...mple com host1 Admin config cmap http lb match http url html host1 Admin config cmap http lb exit 5 Optional Create one or more class maps to be used for the deep packet application protocol inspection of HTTP traffic If you do not specify the match all or match any keyword the traffic must match all the match criteria to be classified as part of the traffic class After you create a class map you ...

Page 130: ...one or more class maps to be used for the inspection of FTP commands After you create a class map you will enter FTP inspection class map configuration mode host1 Admin config class map type ftp inspect match any FTP_COMMAND_INSPECT_L7_CLASS host1 Admin config cmap ftp insp description FTP command inspection of incoming traffic host1 Admin config cmap ftp insp match request method cdup host1 Admin...

Page 131: ...uration Guide 2 Enter configuration mode host1 Admin config Enter configuration commands one per line End with CNTL Z host1 Admin config 3 Configure a Layer 3 and Layer 4 policy map that defines the different actions of traffic passing through the ACE After you configure a policy map you will enter policy map configuration mode host1 Admin config policy map multi match L4_SLB_POLICY host1 Admin co...

Page 132: ...the ACE For example to specify an SLB action for the Layer 3 and Layer 4 policy map enter host1 Admin config pmap class L4_AUTH_CLASS host1 Admin config pmap c loadbalance vip inservice host1 Admin config pmap c loadbalance policy L7SLBPOLICY host1 Admin config pmap c exit 8 Attach the Layer 3 and Layer 4 traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same cont...

Page 133: ...1 Admin config Enter configuration commands one per line End with CNTL Z host1 Admin config 3 Configure a Layer 3 and Layer 4 policy map that permits specified IP management traffic to be received by the ACE After you configure a policy map you will enter policy map management configuration mode host1 Admin config policy map type management first match L4_MGMT_POLICY host1 Admin config pmap mgmt 4...

Page 134: ...face or globally to all VLAN interfaces in the same context host1 Admin config interface vlan 50 host1 Admin config if ip address 192 168 1 100 255 255 0 0 host1 Admin config if service policy input L4_MGMT_POLICY 7 Optional Save your configuration changes to Flash memory host1 Admin config exit host1 Admin copy running config startup config Table 4 5 Layer 3 and Layer 4 Network Management Policy ...

Page 135: ... Series Application Control Engine Appliance Virtualization Configuration Guide 2 Enter configuration mode host1 Admin config Enter configuration commands one per line End with CNTL Z host1 Admin config 3 Optional Create and configure a policy map that defines Layer 7 HTTP content load balancing decisions host1 Admin config policy map type loadbalance first match L7_SLB_POLICY host1 Admin config p...

Page 136: ...P protocol deep inspection of incoming traffic host1 Admin config pmap ins http class HTTP_INSPECT_L7_CLASS host1 Admin config pmap ins http c permit log 6 Optional Create and configure a Layer 7 policy map that enables FTP command inspection host1 Admin config policy map type inspect ftp first match FTP_INSPECTION_L7_POLICY host1 Admin config pmap ftp ins description FTP command inspection of inc...

Page 137: ...nspect ftp policy command For example to nest the Layer 7 L7_SLB_POLICY policy map within the Layer 3 and Layer 4 L4_SLB_POLICY policy map enter host1 Admin config policy map type loadbalance first match L7_SLB_POLICY host1 Admin config pmap lb description HTTP LOAD BALANCE PROTOCOL 1 host1 Admin config pmap lb class L7_SLB_CLASS host1 Admin config pmap lb c serverfarm FARM2 backup FARM3 sticky ho...

Page 138: ...d Layer 4 Classifications for Network Management Traffic Received by the ACE Defining Layer 3 and Layer 4 Classifications for Network Traffic Passing Through the ACE Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can pass through the ACE You can classify network traffic based on the source or destination IP address the source or destination por...

Page 139: ...tiple match statements operations when multiple match criteria exist in a class map The syntax of this command is class map match all match any map_name The arguments and options are match all match any Optional Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map The class map is considered a match if the match commands meet one of...

Page 140: ...h Criteria section match source address See the Defining the Source IP Address and Subnet Mask Match Criteria section match virtual address See the Defining the VIP Address Match Criteria section Following these guidelines when creating a class map to define a Layer 3 and Layer 4 match classification You can include only one match any command within a class map and you cannot combine the match any...

Page 141: ... and Layer 4 network traffic class map from the ACE enter config no class map match all HTTP_APP_PROTOCOL_INSPECTION_CLASS Defining a Class Map Description To provide a brief summary about the Layer 3 and Layer 4 class map use the description command in class map configuration mode The syntax of this command is description text The text argument specifies the description that you want to provide E...

Page 142: ...long match commands instead of entering the entire line The line numbers do not dictate a priority or sequence for the match statements name Previously created access list identifier Enter an unquoted text string with a maximum of 64 characters A single class map can have multiple match access list commands You may combine multiple match access list match source address match destination address a...

Page 143: ... match any To remove the match any criteria from the class map enter host1 Admin config cmap no match any Defining Destination IP Address and Subnet Mask Match Criteria To specify the destination IP address and subnet mask as the Layer 3 and Layer 4 network traffic matching criteria use the match destination address command in class map configuration mode The syntax of this command is line_number ...

Page 144: ...fig cmap no match destination address 172 16 20 1 255 255 0 0 Defining TCP UDP Port Number or Port Range Match Criteria To specify a TCP or UDP port number or port range as the Layer 3 and Layer 4 network traffic matching criteria use the match port command in class map configuration mode The syntax of this command is line_number match port tcp udp any eq port_number range port1 port2 The keywords...

Page 145: ... specify that the class map is to match on TCP port number 23 Telnet client enter host1 Admin config class map L4_TCPPORT_CLASS host1 Admin config cmap match port tcp eq 23 To clear the TCP or UDP port number match criteria from the class map enter host1 Admin config cmap no match port tcp eq 23 Defining the Source IP Address and Subnet Mask Match Criteria To specify the client source IP address a...

Page 146: ... the VIP Address Match Criteria To define a 3 tuple flow of VIP address protocol and port as matching criteria for server load balancing use the match virtual address command in class map configuration mode You can configure multiple match criteria statements to define the VIPs for server load balancing See the Cisco 4700 Series Application Control Engine Appliance Server Load Balancing Configurat...

Page 147: ...he TCP or UDP port number must match the specified value Enter an integer from 0 to 65535 A value of 0 instructs the ACE to include all ports Alternatively you can enter the name of a well known TCP port as listed in Table 4 7 or a well known UDP port as listed in Table 4 8 range port1 port2 Specifies a port range to use for the TCP or UDP port Valid port ranges are from 0 to 65535 A value of 0 in...

Page 148: ...dmin config class map L4_SLB_VIP_CLASS host1 Admin config cmap match virtual address 192 168 1 10 tcp port eq 80 To remove the VIP match statement from the class map enter host1 Admin config cmap no match virtual address 192 168 1 10 tcp port eq 80 rtsp 554 Real Time Stream control Protocol RTSP smtp 25 Simple Mail Transfer Protocol SMTP telnet 23 Telnet www 80 World Wide Web WWW Table 4 8 Well Kn...

Page 149: ...affic Class Map To create a Layer 3 and Layer 4 class map to classify the IP network management traffic received by the ACE use the class map type management configuration command This command permits network management traffic by identifying the incoming IP management protocols that the ACE can receive as well as the client source host IP address and subnet mask as the matching criteria A class m...

Page 150: ...nter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters When you use the class map type management command you will access class map management configuration mode To classify the network management traffic received by the ACE include one or more of the following commands to configure the match criteria for the class map description See the Defining a Class Map Descr...

Page 151: ...diting or deleting individual match commands Enter an integer from 2 to 255 as the line number You can enter no line_number to delete long match commands instead of entering the entire line The line numbers do not dictate a priority or sequence for the match statements http Specifies the Hypertext Transfer Protocol HTTP https Specifies secure SSL Hypertext Transfer Protocol HTTP for connectivity w...

Page 152: ..._CLASS host1 Admin config cmap mgmt match protocol ssh source address 192 168 10 1 255 255 255 0 To deselect the specified network management protocol match criteria from the class map enter host1 Admin config cmap mgmt no match protocol ssh source address 192 168 10 1 255 255 255 0 Configuring Layer 7 Class Maps A Layer 7 class map contains match criteria that classifies specific Layer 7 protocol...

Page 153: ...ader expression Regular expression matching against the received packet data from a particular connection based on the HTTP URL string Server load balancing decisions based on a client source IP address Nesting of class maps to achieve complex logical expressions for Layer 7 HTTP based server load balancing To create a Layer 7 class map for HTTP server load balancing use the class map type http lo...

Page 154: ...ders or multiple cookies with the same names or multiple URLs in the same class map is invalid match any Network traffic needs to satisfy only one of the match criteria implicit OR to match the HTTP load balancing class map The match any keyword is applicable only for match statements of the same Layer 7 load balancing type For example the ACE does not allow you to specify a match any condition fo...

Page 155: ...ection of HTTP traffic through the ACE use the class map type http inspect command in configuration mode The syntax of this command is class map type http inspect match all match any map_name The arguments and options are match all match any Optional Determines how the ACE performs the deep packet inspection of HTTP traffic when multiple match criteria exist in a class map The class map is conside...

Page 156: ...700 Series Application Control Engine Appliance Security Configuration Guide Defining Layer 7 Classifications for FTP Command Inspection The ACE uses a Layer 7 FTP command class map to perform an FTP request inspection for FTP sessions allowing you to restrict specific commands by the ACE You can use this function to prevent web browsers from sending embedded commands to the ACE in FTP requests Th...

Page 157: ...ver Static or dynamic NATs HTTP deep packet inspection FTP command inspection Application protocol inspection IP TCP HTTP and UDP connection behavior For more information about the role of policy maps in the ACE see the Class Map and Policy Map Overview section This section outlines the general steps to configure a Layer 3 and Layer 4 network traffic policy and contains the following topics Creati...

Page 158: ...hing classification with a policy map The ACE does not execute any additional actions The syntax of this command is policy map type management first match map_name The map_name argument specifies the name assigned to the Layer 3 and Layer 4 network management policy map Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters When you use this command you will acces...

Page 159: ...he actions applied to the classes the ACE associates each policy map action with a specific set of classes The syntax of this command is policy map multi match map_name The map_name argument specifies the name assigned to the policy map Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters When you use this command you will access policy map configuration mode Fo...

Page 160: ... traffic with the traffic policy use the class command in policy map configuration mode The syntax of this command is class map_name The map_name argument specifies the name of a previously defined Layer 3 and Layer 4 traffic class configured with the class map command to associate traffic to the traffic policy Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric character...

Page 161: ...belongs to the default traffic class If none of the specified classifications match the ACE then matches the action specified under the class class default command The class default class map has an implicit match any statement in it and is used to match any traffic classification When you use this command you will access policy map class configuration mode For example to use the class class defau...

Page 162: ... 3 and Layer 4 network traffic policies based on the function of the Layer 3 and Layer 4 policy map For example to specify server load balancing actions for the Layer 3 and Layer 4 policy map enter host1 Admin config pmap class L4_SLB_CLASS host1 Admin config pmap c loadbalance vip inservice host1 Admin config pmap c loadbalance policy L7SLBPOLICY host1 Admin config pmap c exit Table 4 9 Layer 3 a...

Page 163: ...es Application Control Engine Appliance Server Load Balancing Configuration Guide for details parameter map type http Configures advanced HTTP behavior for HTTP deep packet inspection See the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide for details Connection redundancy Cisco 4700 Series Application Control Engine Appliance Administration Guide this book Chap...

Page 164: ...erved bit allow host1 Admin config parammap conn exceed mss allow host1 Admin config parammap conn nagle host1 Admin config parammap conn set conn max 64 host1 Admin config parammap conn set tcp queue limit 10 host1 Admin config parammap conn set tcp syn retry 3 host1 Admin config parammap conn set tcp timeout embryonic 60 host1 Admin config parammap conn exit host1 Admin config host1 Admin config...

Page 165: ...n a Layer 7 Policy Map Specifying a Layer 7 Traffic Class with the Traffic Policy Specifying Layer 7 Policy Actions Associating the Layer 7 Policy Map with a Layer 3 and Layer 4 Policy Map Creating a Layer 7 Policy Map To specify the type of Layer 7 traffic policy map use the policy map type command in configuration mode The syntax of this command is policy map type loadbalance first match inspect...

Page 166: ...cified action only for traffic that meets the first matching optimization classification with a policy map The ACE does not execute any additional actions map_name Specifies the name assigned to the policy map Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters Note You can include multiple Layer 7 load balancing or FTP class maps within the policy map however ...

Page 167: ... description HTTP protocol deep inspection of incoming traffic To remove the description from the policy map enter host1 Admin config pmap ins http no description Including Inline Match Statements in a Layer 7 Policy Map To include a single inline match criterion in the policy map without specifying a traffic class enter an applicable Layer 7 match command The inline Layer 7 policy map match comma...

Page 168: ...p lb match L7loadbalance http url finance host1 Admin config pmap lb m serverfarm FARM1 host1 Admin config pmap lb m class TEST_CLASS host1 Admin config pmap lb m serverfarm FARM2 Specifying a Layer 7 Traffic Class with the Traffic Policy To specify a traffic class created with the class map command to associate network traffic with the traffic policy use the class command in policy map configurat...

Page 169: ... specify the class default class map for the traffic policy use the class class default command in policy map configuration mode All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class If none of the specified classifications match the ACE then matches the action specified under the class class default command The class default class m...

Page 170: ...R HANDLE ALL Table 4 10 Layer 7 Policy Map Actions and Related Documentation Layer 7 Policy Map Actions Document Chapter HTTP server load balancing Cisco 4700 Series Application Control Engine Appliance Server Load Balancing Configuration Guide Chapter 3 Configuring Traffic Policies for Server Load Balancing Application acceleration and optimization Cisco 4700 Series Application Control Engine App...

Page 171: ... Layer 3 and Layer 4 inspect http policy command To associate a Layer 7 FTP command inspection policy map nest the FTP command inspection traffic policy by using the Layer 3 and Layer 4 inspect ftp policy command See the Configuring a Layer 3 and Layer 4 Policy Map section and the documents listed in Table 4 9 for the specific procedure to create a Layer 3 and Layer 4 policy map that associates a ...

Page 172: ...terfaces associated with a context The syntax of this command is service policy input policy_name The keywords arguments and options are input Specifies that the traffic policy is to be attached to the input direction of an interface The traffic policy evaluates all traffic received by that interface policy_name Specifies the name of a previously defined policy map configured with a previously cre...

Page 173: ...licy Globally from all VLAN interfaces in the same context When you detach a policy the ACE automatically resets the associated service policy statistics to provide a new starting point for the service policy statistics the next time that you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context The following guidelines and restrictions apply w...

Page 174: ...oad Balancing Example VIP With Connection Parameters Example Firewall Example This example shows how to create a firewall traffic policy for inside interface VLAN50 that enables the following processes to occur on the ACE Permits ICMP packets from IP address 172 16 10 0 255 255 255 254 Permits SSH access to the ACE Includes an ACL that allows the ACE to receive any HTTP traffic through the VLAN Fi...

Page 175: ...pmap mgmt class ICMP ALLOW_CLASS host1 Admin config pmap mgmt c permit host1 Admin config pmap mgmt c exit host1 Admin config pmap mgmt class SSH ALLOW_CLASS host1 Admin config pmap mgmt c permit host1 Admin config pmap mgmt c exit host1 Admin config pmap mgmt exit host1 Admin config Step 2 Create a class map to filter HTTP traffic to include an ACL that allows the ACE to receive any HTTP traffic ...

Page 176: ...onfig pmap ins http c permit host1 Admin config pmap ins http c exit host1 Admin config pmap ins http class L7_FLTRHTML2_CLASS host1 Admin config pmap ins http c reset host1 Admin config pmap ins http c exit Step 4 Create a Layer 3 and Layer 4 policy map to activate the traffic classifications outlined in the previous steps by entering the following commands host1 Admin config policy map multi mat...

Page 177: ...ession for load balancing to the SPORTS SERVER server farm host1 Admin config class map type http loadbalance match all SPORTS MAP_CLASS host1 Admin config cmap http lb match http header host header value test com host1 Admin config cmap http lb match http url sports host1 Admin config cmap http lb exit Step 2 Create a Layer 7 class map that defines a URL expression for load balancing to the NEWS ...

Page 178: ...ameter map to enable HTTP persistence by entering the following commands host1 Admin config parameter map type http HTTP_PARAMETER_MAP host1 Admin config parammap http persistent rebalance host1 Admin config parammap http exit host1 Admin config Step 6 Create a Layer 3 and Layer 4 policy map to activate the traffic classifications outlined in the previous steps by entering the following commands h...

Page 179: ...ault host1 Admin config pmap lb c serverfarm SERVER HANDLE ALL host1 Admin config pmap lb c exit host1 Admin config pmap lb exit host1 Admin config Step 2 Create a Layer 3 and Layer 4 class map that classifies the 3 tuple flow of the VIP address protocol and port as matching criteria for server load balancing by entering the following commands host1 Admin config class map L4_SLBVIP_CLASS host1 Adm...

Page 180: ...g Utilizes a TCP connection parameter map to group together TCP connection related commands that pertain to normalization termination and reuse Perform the following steps Step 1 Create a Layer 7 server load balancing policy by entering the following commands host1 Admin config policy map type loadbalance first match L7_SLB_POLICY host1 Admin config pmap lb class class default host1 Admin config p...

Page 181: ...ammap conn set tcp timeout embryonic 60 host1 Admin config parammap conn exit host1 Admin config Step 4 Create a Layer 3 and Layer 4 policy map to activate the traffic classifications outlined in the previous steps by entering the following commands host1 Admin config policy map multi match L4_SLB_POLICY host1 Admin config pmap class L4_SLBVIP_CLASS host1 Admin config pmap c loadbalance policy L7_...

Page 182: ...onnection is sent to a real server based on one of several load balancing predictors The leastconns predictor method load balances connections to the server that has the lowest number of open connections access list ACL1 line 10 extended permit ip any any probe tcp TCP interval 5 faildetect 2 passdetect interval 10 open 3 parameter map type http PERSIST REBALANCE persistence rebalance parameter ma...

Page 183: ...service sticky http cookie COOKIE_TEST STKY GRP 43 cookie offset 1 length 999 timeout 30 replicate sticky serverfarm PREDICTOR class map type management match any L4_REMOTE MGT_CLASS description Enables remote access to the ACE 2 match protocol telnet any 3 match protocol ssh any 4 match protocol icmp any 5 match protocol http any 6 match protocol snmp any class map match all L4PRED CONNS UDP VIP_...

Page 184: ...amic 1 vlan 120 appl parameter http advanced options PERSIST REBALANCE class L4PRED CONNS VIP_128 80_CLASS loadbalance vip inservice loadbalance policy L7PLBSF_PRED CONNS_POLICY loadbalance vip icmp reply active nat dynamic 1 vlan 120 appl parameter http advanced options PERSIST REBALANCE class L4PRED CONNS UDP VIP_128 2222_CLASS loadbalance vip inservice loadbalance policy L7PLBSF_PRED CONNS UDP_...

Page 185: ...ap configurations in the ACE use the show running config class map command in Exec mode For example enter host1 Admin show running config class map Generating configuration class map type management match any Mgmt_allow_class 10 match protocol telnet source address 172 16 1 2 255 255 255 254 20 match protocol ssh source address 172 16 1 2 255 255 255 254 class map type http loadbalance match any L...

Page 186: ...e Identifier of an existing policy map that is currently in service applied to an interface as an unquoted text string with a maximum of 64 alphanumeric characters detail Optional Displays a more detailed listing of policy map statistics and status information Note The ACE updates the counters that the show service policy command displays after the applicable connections are closed For example to ...

Page 187: ...ice policy Service Policy Identifier of the policy map Class Identifier of the class map associated with the policy map Inspect DNS DNS application protocol inspection statistics Inspect HTTP HTTP application protocol inspection statistics Inspect FTP FTP application protocol inspection statistics Inspect ICMP ICMP application protocol inspection statistics Inspect RTSP RTSP application protocol i...

Page 188: ...r OUTOFSERVICE Curr Conns Number of active connections to the ACE Hit Count Number of times a connection was established Dropped Conns Number of connections that the ACE discarded Client Pkt Count Number of packets received from clients Client Byte Count Number of bytes received from clients Server Pkt Count Number of packets received from servers Server Byte Count Number of bytes received from se...

Page 189: ...ice policy L7 Policy Stats Current status of the Layer 7 policy map including the total number of Layer 7 rules L7 Class Match Identifier of the Layer 7 HTTP deep packet inspection class map and the associated policy map match actions Total Inspected Total number of packets inspected Total Matched Total number of packets matched Total Reply Masked Total number of masked system replies to the FTP S...

Page 190: ...Chapter 4 Configuring Class Maps and Policy Maps Viewing Class Maps Policy Maps and Service Policies 4 76 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL 11157 01 ...

Page 191: ... Rollback Service Reformatting Flash Memory Saving Configuration Files Upon startup the ACE loads the startup configuration file stored in Flash memory nonvolatile memory to the running configuration file stored in RAM volatile memory When you partition your ACE into multiple contexts each context contains its own startup configuration file Flash memory stores the startup configuration files for e...

Page 192: ...command the change is made only to the running configuration file in volatile memory Before you log out or reboot the ACE copy the contents of the running configuration file to the startup configuration file startup config to save configuration changes for the current context to Flash memory The ACE uses the startup configuration file on subsequent reboots This section contains the following topic...

Page 193: ...in Flash memory on the ACE enter host1 Admin copy running config startup config You can also use the write memory command to copy the contents of the running configuration file for the current context to the startup configuration file The write memory command is equivalent to the copy running config startup config command The syntax for the command is write memory all The optional write memory all...

Page 194: ...TFTP When you name the backup file we recommend that you name it in such a way that you can easily tell the context source of the file for example running config ctx1 startup config ctx1 The syntax for the command is copy running config startup config ftp server path filename sftp username server path filename tftp server port path filename The keywords arguments and options are running config Spe...

Page 195: ...in Password password1 Passive mode on Hash mark printing on 1024 bytes hash mark Note The bin binary file transfer mode is intended for transferring compiled files executables The ascii file transfer mode is intended for transferring text files such as config files The default selection of bin should be sufficient in all cases when copying files to a remote FTP server Copying the Configuration Fil...

Page 196: ...CE copies the file to the root directory on the disk0 file system For example to save the running configuration file to the disk0 file system as running config_copy enter host1 Admin copy running config disk0 running config_copy Merging the Startup Configuration File with the Running Configuration File To merge the contents of the startup configuration file into the running configuration file use ...

Page 197: ...ds To view the running configuration file use the show running config command To view the startup configuration file use the show startup config command The syntax for the show startup config command is as follows show startup config The syntax for the show running config command is as follows show running config aaa access list action list class map context dhcp domain ft interface parameter map ...

Page 198: ...on probe Optional Displays probe information resource class Optional Displays resource class information role Optional Displays the list of roles configured for the current context The ACE also displays configuration information for each role on the list rserver Optional Displays real server information serverfarm Optional Displays serverfarm information sticky Optional Displays sticky information...

Page 199: ...ass default serverfarm serverfarm1 policy map multi match policy1 class vipmap1 loadbalance vip inservice loadbalance policymap1 interface vlan 16 ip address 16 1 1 12 255 0 0 0 access group input acl1 no shutdown interface vlan 17 ip address 17 1 1 12 255 0 0 0 access group input acl1 service policy input policy1 no shutdown context Admin member default username admin password 5 1 faXJEFBj TJR1Nx...

Page 200: ...he startup configuration file to the default settings and take effect immediately The running configuration file is not affected In addition the clear startup config or write erase commands do not clear the boot variables such as config register and boot system settings Note The clear startup config and write erase commands do not remove license files or crypto files from the ACE startup configura...

Page 201: ...the remote server must be in the same subnetwork if you do not have a router or default gateway to route the traffic between subnets To check connectivity to the remote server use the ping or traceroute command in Exec mode See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide for details on how to use the ping and traceroute commands When you copy...

Page 202: ... Host Admin copy ftp 192 168 1 2 configs startup config Adm_ctx startup config Using the File System on the ACE Flash memory stores the operating system startup configuration files software licenses core dump files system message log files SSL certificates and keys and other data on the ACE Flash memory comprises a number of individual file systems or partitions that include this data The ACE cont...

Page 203: ...ory Deleting an Existing Directory Moving Files Deleting Files Displaying File Contents Saving show Command Output to a File Listing the Files in a Directory To display the directory contents of a specified file system use the dir command in Exec mode This command displays a detailed list of directories and files contained within the specified file system on the ACE including names sizes and time ...

Page 204: ...2007 C2_dsb 2218 Mar 07 18 38 03 2007 ECHO_PROBE_SCRIPT4 1024 Feb 16 12 47 24 2007 core_copies_dsb 1024 Jan 01 00 02 07 2007 cv 1024 Mar 13 13 53 08 2007 dsb_dir 12 Jan 30 17 54 26 2007 messages 7843 Mar 09 22 19 56 2007 running config 4320 Jan 05 14 37 52 2007 startup config 1024 Jan 01 00 02 28 2007 www Usage for disk0 filesystem 4254720 bytes total used 6909952 bytes free For example to list th...

Page 205: ...ommand Note To view the content of the running and startup configuration files use the dir disk0 command The syntax for this command is copy disk0 path filename1 disk0 path filename2 The keywords and arguments are path filename1 Name of the file to copy Use the dir disk0 command to view the files available in the disk0 file system If you do not provide the optional path the ACE copies the file fro...

Page 206: ... backup licenses The destination filename must have a tar file extension If you do not provide the optional path the ACE copies the file to the root directory on the disk0 file system For example enter host1 Admin copy licenses disk0 mylicenses tar If you accidently remove or lose the license on the ACE you can untar the backup file and reinstall it To untar the backup license use the untar comman...

Page 207: ... to a Remote Server To copy a file from Flash memory on the ACE to a remote server using FTP SFTP or TFTP use the copy command in Exec mode The copy serves as a backup file for such files as the capture buffer file core dump ACE licenses in tar format running configuration file or startup configuration file The syntax for the command is copy core filename disk0 path filename running config startup...

Page 208: ...assword if the destination file system requires user authentication Prompts you for the server information if you do not provide the information with the command Copies the file to the root directory of the destination file system if you do not provide path information For example to save a running configuration file to a remote FTP server enter host1 Admin copy running config ftp 192 168 215 124 ...

Page 209: ...0 file system of Flash memory If you do not provide the optional path the ACE copies the file to the root directory on the disk0 file system image image_name Specifies to copy a system software image to Flash memory Use the boot system command as described in Chapter 1 Setting Up the ACE to specify the BOOT environment variable The BOOT environment variable specifies a list of image files on vario...

Page 210: ... or TFTP use the copy image command in Exec mode The copy image command is available only in the Admin context Note To view the software system images available in Flash memory use the dir image command and the show version command The syntax for the command is copy image filename ftp server path filename sftp username server path filename tftp server port path filename The keywords arguments and ...

Page 211: ...copy image sb ace NOV_11 ftp 192 168 1 2 Uncompressing Files in the disk0 File System To uncompress unzip LZ77 coded files in the disk0 file system for example zipped probe script files use the gunzip command in Exec mode This command is useful in uncompressing large files The filename must end with a gz extension for the file to be uncompressed using the gunzip command The gz extension indicates ...

Page 212: ...ses if a license becomes corrupted or lost Before you can use the untar command the filename must end with a tar extension Note The copy licenses disk0 command creates backup tar license files on the ACE If a license becomes corrupted or lost or you accidently remove the license on the ACE you can untar the license and reinstall it See the Copying Licenses section The syntax for the command is unt...

Page 213: ...ectory must be empty before you can delete it Note To remove a file from the ACE file system use the delete command see the Deleting Files section The syntax for this command is rmdir disk0 path directory The directory argument provides the name of the directory to delete from the disk0 file system The directory must be empty before you can delete it You can optionally provide a path to a director...

Page 214: ...0 MYSTORAGE SAMPLEFILE Deleting Files To delete a file from a specific file system in the ACE use the delete command in Exec mode When you delete a file the ACE erases the file from the specified file system Note To remove a directory from the ACE file system use the rmdir command see the Deleting an Existing Directory section The syntax for this command is delete core filename disk0 directory fil...

Page 215: ...guments and options are disk0 path filename The name of a file residing in the disk0 file system of Flash memory for example a packet capture buffer file or system message log You can optionally provide a path to a file in a directory in the disk0 file system volatile filename Specifies the name of a file in the volatile memory file system of the ACE cksum Optional Displays the cyclic redundancy c...

Page 216: ... arguments keywords and options include Optional Enables an output modifier that filters the command output begin pattern Begins with the line that matches the pattern that you specify count Counts the number of lines in the output end pattern Ends with the line that matches the pattern that you specify exclude pattern Excludes the lines that match the pattern that you specify include pattern Incl...

Page 217: ... saved last core file is restored from the core file system back to its original RAM location This restoration is a background process and is not visible to the user You can view the list of core files in the core file system by using the dir core command in Exec mode The core file system is available only from the Admin context Note Core dump information is for Cisco Technical Assistance Center T...

Page 218: ...The keywords arguments and options are filename Core dump that resides on the ACE in Flash memory Use the dir core command to view the core dump files available in the core file system disk0 path filename Specifies a file location for the core dump in the disk0 file system and a filename for the core ftp server path filename Specifies the FTP network server and optionally the renamed core dump sft...

Page 219: ...should be sufficient in all cases when copying files to a remote FTP server Clearing the Core Directory To clear out all of the core dumps stored in the core file system use the clear cores command in Exec mode of the Admin context The syntax for the command is clear cores For example to clear out all of the core dumps stored in the core file system enter host1 Admin clear cores Deleting a Core Du...

Page 220: ...pture function on the ACE for packet sniffing and network fault isolation use the capture command in Exec mode As part of the packet capture process you specify whether to capture packets from all input interfaces or an individual VLAN interface Note The packet capture function enables access control lists ACLs to control which packets are captured by the ACE on the input interface If the ACLs are...

Page 221: ...on traffic bound for the optional Cisco AVS 3180A Management Station interface use the all keyword This keyword captures all the traffic on all interfaces You can then transfer the packet capture file to a remote machine to be scanned for traffic that is specific to the Management Station interface interface Specifies the interface from which to capture packets vlan number Specifies the VLAN ident...

Page 222: ...e function on the interface VLAN enter the following host1 Admin capture capture1 stop Copying Capture Buffer Information To copy an existing packet capture buffer to the disk0 file system use the copy capture command in Exec mode The syntax for the command is copy capture capture_name disk0 path destination_name The keywords arguments and options are capture_name Name of the packet capture buffer...

Page 223: ...apture Information To display the captured packet information on your console or terminal use the show capture command in Exec mode The syntax for this command is show capture buffer_name detail connid connection_id range packet_start packet_end status The keywords arguments and options are buffer_name Name of the packet capture buffer Specify a text string from 1 to 80 alphanumeric characters det...

Page 224: ...con_id 1090519041 other_con_id 0 For example to display packet capture status information enter host1 Admin show capture capture1 status Capture session cap1 Buffer size 64 K Circular no Buffer usage 19 00 Status stopped For example to display protocol information for a range of captured packets enter host1 Admin show capture capture1 detail range 2 3 0002 msg_type CON_SETUP con_id 1090519041 out_...

Page 225: ...000 0000 0000 0029 0b06 0000 0x0030 0000 0000 0000 0000 0000 0000 0000 0000 0x0040 0000 0000 0000 0001 0002 msg_type CON_SETUP con_id 1090519041 out_con_id 16777218 src_addr 10 7 107 11 src_port 30212 dst_addr 10 7 107 15 dst_port 23 l3_protocol 0 l4_protocol 0 message_hex_dump 0x0000 0000 0101 4100 0001 0100 0002 0000 0000 A 0x0010 0a07 6b0b 0a07 6b0f 0619 0001 7604 0017 k k v 0x0020 0000 0000 00...

Page 226: ...a07 6b0f 7604 0017 19b2 fb3c f31b 6f72 k v or 0x0040 5010 1020 c7f3 00 P 0006 msg_type PKT_RCV con_id 16777218 other_con_id 0 message_hex_dump 0x0000 8900 005a 0050 8034 0038 000a 0010 0a06 Z P 4 8 0x0010 0000 0005 9a3b 95d9 0011 5d6a f800 0800 j 0x0020 45c0 003a b0e0 0000 ff06 1ff5 0a07 6b0b E k 0x0030 0a07 6b0f 7604 0017 19b2 fb3c f31b 6f72 k v or 0x0040 5018 1020 9a8a 0000 fffd 03ff fb18 fffb P...

Page 227: ...y need to reboot your ACE To prevent having to reboot your ACE after unsuccessfully modifying a running configuration you can create a checkpoint a snapshot in time of a known stable running configuration before you begin to modify it If you encounter a problem with the modifications to the running configuration you can roll back the configuration to the previous stable configuration checkpoint Th...

Page 228: ... The name argument specifies the unique identifier of the checkpoint Enter a text string with no spaces and a maximum of 64 alphanumeric characters For example enter host1 Admin checkpoint create MYCHECKPOINT Generating configuration Created checkpoint MYCHECKPOINT If the checkpoint already exists you are prompted to overwrite it as follows Checkpoint already exists Do you want to overwrite it y n...

Page 229: ...in Exec mode The syntax of this command is checkpoint rollback name The name argument specifies the unique identifier of the checkpoint Enter a text string with no spaces and a maximum of 64 alphanumeric characters For example enter host1 Admin checkpoint rollback MYCHECKPOINT This operation will rollback the system s running configuration to the checkpoint s configuration Do you wish to proceed y...

Page 230: ...the format flash command All user defined configuration information is erased The ACE performs the following verification sequence prior to reformatting Flash memory If the system image the current loaded image is present in the GNU GRand Unified Bootloader GRUB boot loader the ACE automatically performs a backup of that image and then performs the reformat of Flash memory If the system image is n...

Page 231: ...y pair files of each context See the Copying Files section for details on how to use the copy command to save configuration files or objects such as the existing startup configuration files running configuration file licenses core dump files or packet capture buffers to a remote FTP SFTP or TFTP server See the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide for detai...

Page 232: ...d starting Commit interval 5 seconds REXT3 FS on hdb2 internal journal EXT3 fs mounted filesystem with ordered data mode starting graceful shutdown switch Admin Unmounting ext3 filesystems Unmounting FAT filesystems Unmounting done After you reformat the Flash memory perform the following actions Reinstall the ACE software image by using the copy image command see Appendix A Upgrading Your ACE Sof...

Page 233: ...E hardware and software configuration information This chapter contains the following major sections Displaying Software Version Information Displaying Software Copyright Information Displaying Hardware Information Displaying the Hardware Inventory Displaying ACE Environment Information Displaying System Processes Displaying Process Status Information and Memory Resource Limits Displaying System I...

Page 234: ...version on the ACE before and after an upgrade The syntax of this command is show version For example to display the entire output for the show version command enter host1 Admin show version Cisco Application Control Software ACSW TAC support http www cisco com tac Copyright c 1985 2007 by Cisco Systems Inc All rights reserved The copyrights to certain works contained herein are owned by other thi...

Page 235: ... software copyright information for the ACE use the show copyright command The syntax of this command is show copyright For example enter host1 Admin show copyright Cisco Application Control Software ACSW TAC support http www cisco com tac Copyright c 1985 2007 by Cisco Systems Inc All rights reserved The copyrights to certain works contained herein are owned by other third parties and are used an...

Page 236: ... the ACE Hardware Rev Hardware revision of the ACE Slot No Not applicable Type Identifies the type of ACE appliance or module Displaying the Hardware Inventory To display the system hardware inventory of the ACE use the show inventory command This command displays information about the field replaceable units FRUs in the ACE including product identifiers serial numbers and version identifiers The ...

Page 237: ... the chassis displays Descr Description of the ACE component PID Product identifier of the ACE VID Version identifier of the ACE SN Serial number of the ACE Displaying ACE Environment Information To display all environment related information such as the status of the chassis clock chassis fan modules power supply modules power supply redundancy mode and power usage summary temperature thresholds ...

Page 238: ...1 Temperature of the IXP2800 Network Processor IXP 1 SSA Temperature of the SSA ASIC Displaying System Processes To display general information about all of the processes running on the ACE use the show processes command The show processes command displays summary CPU information for the Intel Pentium processor The show processes command is available only to users with an Admin role across all con...

Page 239: ...r enter host1 Admin show processes mem PID MemAlloc StackBase Ptr Process 1 495616 bffffed0 bffff9c0 init 2 0 0 0 ksoftirqd 0 3 0 0 0 desched 0 4 0 0 0 events 0 5 0 0 0 khelper 10 0 0 0 kthread 18 0 0 0 kacpid 110 0 0 0 kblockd 0 161 0 0 0 pdflush 162 0 0 0 pdflush 163 0 0 0 kswapd0 164 0 0 0 aio 0 241 0 0 0 kseriod 320 0 0 0 loop0 451 0 0 0 kjournald 453 0 0 0 kjournald 511 0 0 0 loop1 512 0 0 0 ...

Page 240: ...event to complete T Stopped either by a job control signal or because it is being traced W Paging X Process is dead Z Defunct zombie process terminated but not reaped by its parent PC Current program counter in hex format Start_cnt Number of times a process has been started TTY Terminal that controls the process A usually means a daemon is not running on any particular tty Process Name of the proc...

Page 241: ...times that the process has been invoked uSecs Microseconds of CPU time as an average for each process invocation 1 Sec CPU utilization as a percentage for the last second 5 Sec CPU utilization as a percentage for the last 5 seconds 1 Min CPU utilization as a percentage for the last minute 5 Min CPU utilization as a percentage for the last 5 minutes Process Name of the process Table 6 6 describes t...

Page 242: ...e the process stopped Uptime Length of time that the process was active Start type System manager option that indicates the process restartability characteristics that is whether it is a stateless restart or stateful restart Death reason Reason that the system manager killed the process for example no sysmgr heartbeats Exit code Exit code with which the process exited Note Normally the Exit code p...

Page 243: ...ss StackBase Ptr Process stack base and current stack pointer in hex format Process Name of the process Displaying Process Status Information and Memory Resource Limits To display detailed process status information and memory resource limits use the show terminal internal info Exec mode command The syntax of this command is show terminal internal info For example enter host1 Admin show terminal i...

Page 244: ...omplete T Stopped either by a job control signal or because it is being traced W Paging X Process is dead Z Defunct zombie process terminated but not reaped by its parent SleepAVG Percentage sleep rate of the task TGID Terminal group identifier PID Process identifier PPID Parent process identification number TracerPID Tracer process identification number UID Identifier of the user that started the...

Page 245: ...E Virtual memory pointer size in kBytes Threads Number of threads SigPnd Signals pending ShdPnd Shared pending signals SigBlk Signals blocked SigIgn Signals ignored SigCat Signals caught CapInh Capability inherited privilege CapPrm Capability privilege processor resource manager CapEff Capability effective privilege Memory Limits Core file size Maximum size of core file in blocks that may be creat...

Page 246: ...mat The range is 0x0 to 0xffffffff list Specifies all error IDs internal Specifies a series of internal system level commands for use by trained Cisco personnel only Max memory size Maximum size in kbytes to which a process s resident set size may grow This imposes a limit on the amount of physical memory to be given to a process Open files Maximum number of open files for this process Pipe size P...

Page 247: ...ACE enter host1 Admin show system resources Table 6 10 describes the fields in the show system resources command output Table 6 10 Field Descriptions for the show system resources Command Field Description Load average Load that is defined as the number of running processes The average reflects the system load over the past 1 minute 5 minute and 15 minute interval Processes Number of processes in ...

Page 248: ...laying ICMP Statistics To display Internet Control Message Protocol ICMP statistics use the show icmp statistics command The syntax of this command is show icmp statistics For example enter host1 Admin show icmp statistics Use the clear icmp statistics command to clear the ICMP statistics Table 6 12 describes the fields in the show icmp statistics command output Table 6 12 Field Descriptions for t...

Page 249: ...ut is separated by the line and the command that precedes the output Note Explicitly set the terminal length command to 0 zero to disable autoscrolling and enable manual scrolling Use the show terminal command to view the configured terminal size After obtaining the output of this command reset your terminal length as required see Chapter 1 Setting Up the ACE Unreachable Number of ICMP unreachable...

Page 250: ...pplication Control Engine Appliance Routing and Bridging Configuration Guide show process See the Displaying System Processes section show running config See the Chapter 5 Managing the ACE Software show version See the Displaying Software Version Information section The syntax of this command is show tech support details The optional details keyword provides detailed information for each show comm...

Page 251: ...ACE AP VIRT 020 ACE AP OPT LIC K9 ACE AP SSL 10K K9 Hardware cpu info number of cpu s 1 cpu type Pentium R More Generating configuration show pvlans Context 0 cmd parse error cpu 0 model Intel R Pentium R 4 speed 3399 991 MHz memory info total 6226704 kB free 4637164 kB shared kB buffers 19436 kB cached 0 kB cf info filesystem dev hdb2 total 861668 kB used 348552 kB available 469344 kB last boot r...

Page 252: ...is tac pac disk0 path filename ftp server path filename scp username server path filename sftp username server path filename tftp server port path filename The keywords arguments and options are disk0 path filename Specifies that the file destination is the disk0 file system of the current context If you do not provide the optional path the ACE copies the file to the root directory on the disk0 fi...

Page 253: ...ajor sections Overview of Redundancy Configuration Requirements and Restrictions Redundancy Configuration Quick Start Configuring Redundancy Configuring Tracking and Failure Detection Example of a Redundancy Configuration Displaying Redundancy Information Clearing Redundancy Statistics Overview of Redundancy Redundancy or fault tolerance uses a maximum of two ACE appliances to ensure that your net...

Page 254: ...ul Failover FT VLAN Configuration Synchronization Configuration Requirements and Restrictions Redundancy Protocol You can configure a maximum of two ACE appliances peers for redundancy Each peer appliance can contain one or more fault tolerant FT groups Each FT group consists of two members one active context and one standby context For more information about contexts see the Cisco 4700 Series App...

Page 255: ...interface fails see the Configuring Tracking and Failure Detection section You enter the ft switchover command to force a switchover see the Forcing a Failover section Figure 7 1 shows two possible redundancy configurations where N is the number of ACEs configured for redundancy The letters A B C and D represent the active contexts in each redundancy group while the primed letters A B C and D are ...

Page 256: ...CE supports active backup redundancy and each group member is an Admin context For details about configuring contexts see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide The ACE sends and receives all redundancy related traffic protocol packets configuration data heartbeats and state replication packets on a dedicated FT VLAN You cannot use this dedica...

Page 257: ...ontext The replicated flows contain all the flow state information necessary for the standby member to take over the flow if the active member becomes unresponsive If the active member becomes unresponsive the replicated flows on the standby member become active when the standby member assumes mastership of the context The active flows on the former active member transition to a standby state to f...

Page 258: ... the bridge for the two VLANs In order to initiate learning of the new location of the gateway the new active member sends an ARP request to the gateway on the client VLAN and bridges the ARP response onto the server VLAN FT VLAN Redundancy uses a dedicated FT VLAN between redundant ACEs to transmit flow state information and the redundancy heartbeat Do not use this dedicated VLAN for normal netwo...

Page 259: ...perational behavior can occur If there is a mismatch in virtual context software license synchronization between the active ACE and standby ACE may not work properly If both the active and the standby ACE appliances have the same virtual content software license but have a different bandwidth software license synchronization will work properly but the standby ACE may experience a potential loss of...

Page 260: ...re required on each ACE When you configure redundancy the ACE keeps all interfaces that do not have an IP address in the Down state The IP address and the peer IP address that you assign to a VLAN interface should be in the same subnet but different IP addresses For more information about configuring VLAN interfaces see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridgin...

Page 261: ...N for communication between the members of the FT group This FT VLAN is global and is shared by all contexts Specify the IP address and netmask of the FT VLAN and the IP address and netmask of the remote peer host1 Admin config ft interface vlan 100 host1 Admin config ft intf ip address 192 168 12 1 255 255 255 0 host1 Admin config ft intf peer ip address 192 168 12 15 255 255 255 0 host1 Admin co...

Page 262: ... host1 Admin config ft group peer priority 200 11 Place the FT group in service host1 Admin config ft group inservice host1 Admin config ft group exit 12 Optional Configure one or more critical objects gateways or hosts or interfaces to track for switchover For example to configure a critical interface for tracking enter host1 Admin config ft track interface TRACK_VLAN100 host1 Admin config ft tra...

Page 263: ...ptional Save your configuration changes to Flash memory host1 Admin config exit host1 Admin copy running config startup config 15 Recommended Verify your redundancy configuration by using the following commands in Exec mode host1 Admin show running config ft host1 Admin show running config interface Table 7 1 Redundancy Configuration Quick Start continued Task and Command Example ...

Page 264: ...figure the same VLAN on each peer appliance You cannot use this dedicated VLAN for normal network traffic it must be dedicated for redundancy only To configure one of the Ethernet ports or a port channel interface on the ACE for fault tolerance using a dedicated FT VLAN for communication between the members of an FT group use the ft port vlan command in interface configuration mode see the Cisco 4...

Page 265: ...te an FT VLAN use the ft interface command in configuration mode The syntax of this command is ft interface vlan vlan_id The vlan_id argument specifies a unique identifier for the FT VLAN Enter an integer from 2 to 4094 For example enter host1 Admin config ft interface vlan 200 host1 Admin config ft intf Note To remove an FT VLAN first remove it from the FT peer by using the no ft interface vlan c...

Page 266: ...ess Configuring the Peer IP Address The local member of the FT group communicates with the remote peer over the FT VLAN To allow the local member to communicate with the remote peer use the peer ip command in FT interface configuration mode The syntax of this command is peer ip address ip_address netmask The keyword and arguments of this command are address ip_address Specifies the IP address of t...

Page 267: ...re a VLAN interface that has an alias IP address that floats between the active and standby appliances The alias IP address serves as a shared gateway for the two ACE appliances To configure an alias IP address use the alias command in interface configuration mode The syntax of this command is alias ip_address netmask The ip_address netmask arguments specify the IP address and netmask for the VLAN...

Page 268: ...p See the Associating a Peer with an FT Group section To remove the FT peer from the configuration enter host1 Admin config no ft peer 1 After you create an FT peer configure the peer attributes as described in the following topics Associating the FT VLAN with the Local Peer Configuring the Heartbeat Interval and Count Configuring a Query Interface Associating the FT VLAN with the Local Peer After...

Page 269: ... is heartbeat count number interval frequency The keywords and arguments are count number Specifies the number of heartbeat intervals that must transpire with no heartbeat packet received by the standby member before the standby member determines that the active member is not available Enter an integer from 10 to 50 The default is 10 heartbeat intervals If the standby member of the FT group does n...

Page 270: ...for the same FT group Before triggering a switchover the ACE pings the active member to make sure that it is down Configuring a query interface allows you to assess the health of the active member but it increases switchover time To configure a query interface use the query interface command in FT peer configuration mode The syntax of this command is query interface vlan vlan_id The vlan_id argume...

Page 271: ...entifier of the group Enter an integer from 1 to 20 For example enter host1 Admin config ft group 1 host1 Admin config ft group To remove the group from the configuration enter host1 Admin config no ft group 1 After you create an FT group configure the FT group attributes as described in the following topics Associating a Context with an FT Group Associating a Peer with an FT Group Assigning a Pri...

Page 272: ...Group To associate a peer ACE with an FT group use the peer command in FT group configuration mode The syntax of this command is peer peer_id For the peer_id argument enter 1 as the identifier of an existing peer appliance You can only enter 1 For example enter host1 Admin config ft group peer 1 To remove the peer association with the FT group enter host1 Admin config ft group no peer Assigning a ...

Page 273: ...at you want to be the active member For example to configure the priority of the FT group on the active member enter host1 Admin config ft group priority 150 To restore the default priority of 100 enter host1 Admin config ft group no priority Assigning a Priority to the Standby FT Group Member To configure the priority of an FT group on the remote standby member use the peer priority command in FT...

Page 274: ...andby member enter host1 Admin config ft group peer priority 50 To restore the default priority of 100 enter host1 Admin config ft group no peer priority Configuring Preemption Preemption ensures that the group member with the higher priority always asserts itself and becomes the active member By default preemption is enabled To configure preemption after it has been disabled use the preempt comma...

Page 275: ...n mode The syntax of this command is inservice For example to place an FT group in service enter host1 Admin config ft group inservice To take the FT group out of service enter host1 Admin config ft group no inservice Modifying an FT Group If you need to modify an FT group perform the following steps in FT group configuration mode 1 Remove the FT group from service by using the no inservice comman...

Page 276: ...itchover group_id force The arguments and options are group_id Optional Identifier of the FT group Enter the ID of an existing FT group as an integer from 1 to 20 force Optional Causes a switchover while ignoring the state of the standby member Use this option only when the FT VLAN is down The ft switchover command exhibits the following behavior depending on whether you enter the command from the...

Page 277: ...ied to the active context to the standby context if the peer is already up To enable automatic synchronization of the running configuration and the startup configuration files use the ft auto sync command in configuration mode If you temporarily disable ft auto sync running config on the active ACE for example to test changes to your configuration when you subsequently reenable config sync any cha...

Page 278: ...configuration file The ACE does not copy or write changes in the running configuration file to the startup configuration file unless you enter the copy running config startup config command or the write memory command for the current context To write the contents of the running configuration file to the startup configuration file for all contexts use the write memory all command At this time if th...

Page 279: ... importing and exporting certs and keys see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide To return the standby context to the STANDBY_HOT state in this case ensure that you have imported the necessary SSL certs and keys to the standby context and then perform a bulk sync of the active context configuration by entering the following commands in configuration mo...

Page 280: ... context and any user context Gateways or hosts Interfaces If one of the items that you configure for tracking and failure detection becomes unresponsive and is associated with the active member of an FT group by default the ACE subtracts a value of 0 from the configured priority of the active member If you configure a nonzero value for the tracking priority and the resulting priority value of the...

Page 281: ... with the active member goes down then the priority of the active member falls below the priority of the standby member and a switchover occurs If that failed interface later returns to service the ACE increments the associated group member priority by 40 and a switchover would occur back to the original active member To guarantee a switchover if any tracked item goes down configure the unit prior...

Page 282: ...teway enter host1 Admin config ft track host TRACK_GATEWAY1 host1 Admin config ft track host To remove the gateway tracking process enter host1 Admin config no ft track host TRACK_GATEWAY1 Configuring the Gateway or Host IP Address Tracked by the Active Member To allow the active member to track a gateway or host you need to configure the IP address of the gateway or host To configure the IP addre...

Page 283: ...tive member Enter an integer from 0 to 255 The default is 0 Higher values indicate higher priorities Assign a priority value based on the relative importance of the gateway or host that the probe is tracking If the probe goes down the ACE decrements the priority of the FT group on the active member by the value of the number argument If the resulting priority of the FT group on the active member i...

Page 284: ...nts the priority of the FT group on the active member by the value of the number argument If the resulting priority of the FT group on the active member is less than the priority of the FT group on the standby member a switchover occurs For example enter host1 Admin config ft track host priority 50 To reset the priority to the default value of 0 enter host1 Admin config ft track host no priority 5...

Page 285: ...f an existing probe that you want to associate with a gateway or host for tracking priority number Specifies the priority of the probe sent by the standby member Enter an integer from 0 to 255 The default is 0 Higher values indicate higher priorities Assign a priority value based on the relative importance of the gateway or host that the probe is tracking If the probe goes down the ACE decrements ...

Page 286: ... host no peer priority 25 Example of a Tracking Configuration for a Gateway The following example demonstrates a tracking configuration for a gateway on the active member of an FT group ft track host TRACK_GATEWAY track host 192 161 100 1 probe GATEWAY_TRACK1 priority 10 probe GATEWAY_TRACK2 priority 20 priority 50 In this configuration example if the gateway_track1 probe goes down the ACE reduces...

Page 287: ...r Configuring a Priority for a Tracked Interface on the Standby Member Example of a Tracking Configuration for an Interface Creating a Tracking and Failure Detection Process for an Interface To create a tracking and failure detection process for an interface use the ft track interface command in configuration mode The syntax of this command is ft track interface name For the name argument enter a ...

Page 288: ...uring a Priority for a Tracked Interface on the Active Member To assign a priority to the interface that the active member is tracking use the priority command in FT track interface configuration mode The syntax of this command is priority number The number argument specifies the priority of the interface on the active member Enter a priority value as an integer from 0 to 255 The default is 0 High...

Page 289: ... a Priority for a Tracked Interface on the Standby Member To assign a priority to the tracked interface that the standby member is tracking use the peer priority command in FT track interface configuration mode The syntax of this command is peer priority number The number argument specifies the priority of the interface on the standby member Enter a priority value as an integer from 0 to 255 The d...

Page 290: ...mands described in the Configuring the Interface Tracked by the Standby Member and the Configuring a Priority for a Tracked Interface on the Standby Member sections Example of a Redundancy Configuration The following example illustrates a running configuration that defines fault tolerance FT for a single ACE appliance operating in a redundancy configuration You must configure a maximum of two ACE ...

Page 291: ...tocol icmp any 5 match protocol http any 7 match protocol snmp any 8 match protocol xml https any policy map type management first match L4_REMOTE MGT_POLICY class L4_REMOTE MGT_CLASS permit interface vlan 100 ip address 192 168 83 219 255 255 255 0 peer ip address 192 168 83 230 255 255 255 0 alias 192 168 83 200 255 255 255 0 access group input ACL1 service policy input L4_REMOTE MGT_POLICY no s...

Page 292: ...dancy Configuration 7 40 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL 11157 01 ft track interface TRACK_VLAN100 track interface vlan 100 peer track interface vlan 200 priority 50 peer priority 5 ip route 0 0 0 0 0 0 0 0 192 168 83 1 ...

Page 293: ...p Information Displaying the IDMAP Table Displaying the Redundancy Internal Software History Displaying Memory Statistics Displaying Peer Information Displaying FT Statistics Displaying FT Tracking Information Displaying Redundancy Configurations To display redundancy configurations use the show running config ft command in Exec mode The syntax of this command is show running config ft For example...

Page 294: ...o display statistics for an individual group In a user context this keyword displays statistics only for the FT group to which the user context belongs detail Displays detailed information for all FT groups or the specified FT group status Displays the current operating status for all FT groups or the specified FT group summary Displays summary information for all FT groups or the specified FT gro...

Page 295: ...n errors and so on Possible states are MAINT_MODE_OFF Maintenance mode is turned off MAINT_MODE_PARTIAL All standby contexts transition to the FSM_FT_STATE_STANDBY_COLD state see the My State field description The ACE enters this mode if configuration synchronization fails MAINT_MODE_FULL All contexts on the ACE become nonredundant causing their peer contexts to become active The ACE enters this m...

Page 296: ...cal member of the FT group is active and processing flows FSM_FT_STATE_STANDBY_COLD State that indicates if the FT VLAN is down but the peer device is still alive or the configuration or application state synchronization failed When a context is in this state and a switchover occurs the transition to the ACTIVE state is stateless FSM_FT_STATE_STANDBY_CONFIG Local standby context is waiting to rece...

Page 297: ...ity Priority of the FT group in the remote ACE computed from the configured priority and the priority of the FT tracking failures Peer Preempt Preemption value of the FT group in the remote ACE Possible values are Enabled or Disabled Peer ID FT peer identifier Last State Change Time Time and date that the peer last changed from the active to standby state or standby to active state Running Cfg Syn...

Page 298: ...CE The ACE uses these mappings for configuration synchronization and state replication To display the IDMAP table use the show ft idmap command in Exec mode The syntax of this command is as follows show ft idmap Table 7 3 lists the IDMAP table object types available in the ACE Table 7 3 ACE Object Types in the IDMAP Table Object Type Object Name 0 REAL ID 1 RSERVER ID 2 SERVERFARM ID 3 POLICY ID 4...

Page 299: ... debug log ha_dp_mgr Displays the high availability HA dataplane manager debug log ha_mgr Displays the HA manager debug log For example enter host1 Admin show ft history cfg_cntlr Displaying Memory Statistics To display redundancy statistics per context use the show ft memory command in Exec mode The syntax of this command is show ft memory detail The optional detail keyword displays detailed HA m...

Page 300: ... 7 4 describes the fields in the show ft peer command output Table 7 4 Field Descriptions for the show ft peer Command Output Field Description Peer ID Identifier of the remote context in the FT group State Current state of the peer Possible states are FSM_PEER_STATE_INIT Initial state of the peer after you configure it FSM_PEER_STATE_MY_IPADDR Local ACE IP address is missing Waiting for the local...

Page 301: ...ity with the peer device FSM_PEER_STATE_LIC_CHECK Checking for license compatibility with the peer device FSM_PEER_STATE_COMPATIBLE Version and license checks indicate that the peer is compatible for redundancy FSM_PEER_STATE_FT_VLAN_DOWN FT VLAN is down but through the query interface the local ACE has determined that the peer is still alive FSM_PEER_STATE_DOWN Peer device is down FSM_PEER_STATE_...

Page 302: ... the appliance and is used primarily when you upgrade the ACE software FT VLAN Number of the interface configured as the FT VLAN My IP Addr IP address of the local ACE Peer IP Addr IP address of the peer ACE Query VLAN Identifier of the interface configured as the query VLAN Peer Query IP Addr IP address of the query interface used to obtain the state of the peer s health when the FT VLAN is down ...

Page 303: ...hat the local ACE received from the peer Tx Keepalive Packets Total number of keepalive packets that the local ACE sent to the peer Rx Keepalive Packets Total number of keepalive packets that the local ACE received from the peer SRG Compatibility Status of whether the software version of the local ACE and the software version of the peer ACE are compatible Possible states are the INIT COMPATIBLE o...

Page 304: ...r is not receiving HBs The remote peer is sending heartbeats but not receiving any Note Both peer appliances send heartbeat packets and each packet indicates whether the other peer has been receiving heartbeats Number of HB Timeout Mismatches Number of times that the local peer received a heartbeat HB from the remote peer with a mismatched heartbeat interval If the heartbeat intervals do not match...

Page 305: ...e ACE Number of Send Failures Number of times that the local ACE attempted to send packets to the remote ACE but failed Receive side Stats Number of Sticky Entries Dropped Number of sticky database entries that the remote ACE sent to the local ACE but the local ACE discarded them Number of Replication Packets Received Number of packets that contain replication information that the local ACE receiv...

Page 306: ... summary The keywords and arguments are detail Displays detailed tracking information status Displays the current operating status of the peer plus additional information summary Displays summary peer information For example enter host1 Admin show ft track detail Table 7 6 describes the fields in the show ft track command output Table 7 6 Field Descriptions for the show ft track Command Output Fie...

Page 307: ...n errors and so on Possible states are MAINT_MODE_OFF Maintenance mode is turned off MAINT_MODE_PARTIAL All standby contexts transition to the FSM_FT_STATE_STANDBY_COLD state see the My State field description The ACE enters this mode if configuration synchronization fails MAINT_MODE_FULL All contexts on the ACE become nonredundant causing their peer contexts to become active The ACE enters this m...

Page 308: ... group is active and processing flows FSM_FT_STATE_STANDBY_COLD State that indicates if either the FT VLAN is down but the peer device is still alive or the configuration or application state synchronization failed When a context is in this state and a switchover occurs the transition to the ACTIVE state is stateless FSM_FT_STATE_STANDBY_CONFIG State that indicates that the local standby context i...

Page 309: ...es if any My Preempt Preemption value of the FT group in the local ACE Possible values are Enabled or Disabled Context Name Name of the context that is associated with the FT group Context ID Identifier of the context that is associated with the FT group Track Type Type of object being tracked Possible values are TRACK_HOST or TRACK_INTERFACE State State of the tracking process Possible values are...

Page 310: ...ou enter this command for the first time the ACE sets the FT statistics counters to zero and stores a copy of the latest statistics locally From that point on when you enter the show ft stats command the ACE displays the difference between the statistics stored locally and the current statistics The syntax of this command is clear ft stats For example enter host1 Admin clear ft stats Clearing the ...

Page 311: ... Management Information Bases MIBs and to send event notifications to a network management system NMS This chapter contains the following major sections SNMP Overview SNMP Configuration Quick Start Configuring SNMP Users Defining SNMP Communities Configuring an SNMP Contact Configuring an SNMP Location Configuring SNMP Notifications Assigning a Trap Source Interface for SNMP Traps Configuring SNMP...

Page 312: ...trings provide a weaker form of access control SNMPv3 provides improved access control by using strong authentication and should be used over SNMPv1 and SNMPv2c wherever possible SNMPv3 is an interoperable standards based protocol for network management SNMPv3 provides secure access to devices by using a combination of authenticating and encrypting frames over the network The security features pro...

Page 313: ...nt SNMP management applications but they all perform the same basic task These applications allow SNMP managers to communicate with agents to monitor configure and receive alerts from the network devices The ACE supports traps and SNMP get requests but does not support SNMP set requests to configure values on the device You can use any SNMP compatible NMS to monitor the ACE In SNMP each variable i...

Page 314: ...ends back a response Retrieve the value immediately after the variable that you name a get next operation A get next operation retrieves a group of values from a MIB by issuing a sequence of commands By performing a get next operation you do not need to know the exact MIB object instance you are looking for the SNMP manager takes the variable that you name and then uses a sequential search to find...

Page 315: ... clarify the status being relayed by the notification The list of variable bindings associated with a notification is included in the notification definition in the MIB For standard MIBs Cisco has enhanced some notifications with additional variable bindings that further clarify the cause of the notification Note The clogOriginID and clogOriginIDType variable bindings appended with each notificati...

Page 316: ...n the ACE CLI and SNMP User Synchronization Any configuration changes to the user group role or password results in the database synchronization for both SNMP and AAA To create a CLI user by using the username command see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide To create an SNMP user by using the snmp server user command see the Configuring SNM...

Page 317: ...MIBs CISCO ENTITY VENDOR TYPE OID MIB N A Defines the object identifiers OIDs assigned to various ACE components The OIDs in this MIB are used by the entPhysicalTable of the ENTITY MIB as values for the entPhysicalVendorType field in the entPhysicalTable Each OID uniquely identifies a type of physical entity such as a chassis line cards or port adapters The entPhysicalVendorType OID values are lis...

Page 318: ...mp cevSensor 56 Ambient temperature sensor cevSensorACE4710K9 AmbientTemp cevSensor 57 ENTITY MIB CISCO ENTITY CAPABILITY Provides basic management and identification of physical and logical entities within a network device Software support for the ENTITY MIB focuses on the physical entities within the ACE This MIB provides details on each module power supply fan and sensors within the ACE applian...

Page 319: ...ntext The ENTITY SENSOR MIB is described in RFC 3433 SNMPv3 Agent MIBs SNMP COMMUNITY MIB CISCO SNMP COMMUNITY CAPABILITY Contains objects for mapping between community strings and version independent SNMP message parameters In addition this MIB provides a mechanism for performing source address validation on incoming requests and for selecting community strings based on target addresses for outgo...

Page 320: ...stem to ensure that proper security is applied to the SNMP message being handled The SNMP MPD MIB is described in RFC 3412 SNMP NOTIFICATION MIB CISCO SNMP NOTIFICATION CAPABILITY Defines MIB objects that can remotely configure the parameters used by an SNMP entity for the generation of notifications The SNMP NOTIFICATION MIB is described in RFC 3413 SNMP TARGET MIB CISCO SNMP TARGET CAPABILITY Co...

Page 321: ...crypts PDUs and generates the authentication data The module then passes the PDUs to the message processor which then invokes the dispatcher The USM module s implementation of the SNMP USER BASED SM MIB enables the SNMP manager to issue commands to manage users and security keys The MIB also enables the agent to ensure that a requesting user exists and has the proper authentication information Whe...

Page 322: ...trol checks according to several parameters that are derived from the SNMP message The SNMP VIEW BASED ACM MIB is described in RFC 3415 Other MIBs CISCO AAA SERVER EXT MIB CISCO AAA SERVER EXT CAPABILITY Acts as an extension to CISCO AAA SERVER MIB It enhances the casConfigTable of the CISCO AAA SERVER MIB to include other types of server addresses The CISCO AAA SERVER EXT MIB manages the followin...

Page 323: ...l entity that provides any of the AAA functions The ACE can use a Remote Access Dial In User Service RADIUS Terminal Access Controller Access Control System Plus TACACS or Lightweight Directory Access Protocol v3 LDAP protocols for remote authentication and designation of access rights CISCO APPLICATION ACCELERATION MIB CISCO APPLICATION ACCELERATION CAPABILITY MIB Manages application acceleration...

Page 324: ...L The slbEntity Index used in the table is the slot number of the ACE Because the slot numbers value is not applicable for the ACE appliance the slbEntity Index will always have a value of 1 CISCO IF EXTENSION MIB CISCO IF EXTENSION CAPABILITY Provides a table that returns ifName to ifIndex mapping to assign the ifIndex to interfaces The CISCO IF EXTENSION MIB is described in RFC 2863 Note The Eth...

Page 325: ...ists of IP filters for all filtering profiles Filters and profiles are related if they have the same filter profile name Filters can be created only if their associated filter profiles already exist in the cippfIpProfileTable Filters of the same profile name belong to a common profile The interface based cippfIfIpProfileTable can be configured with information that is independent of the other tabl...

Page 326: ...DULE VIRTUALIZATION MIB CISCO MODULE VIRTUALIZATION CAPABILITY Provides a way to create and manage virtual contexts A virtual context is a logical partition of a physical device the ACE A virtual context provides different service types that can be managed independently Each virtual context is an independent entity with its own configuration A user created context supports most of the options that...

Page 327: ...ed in the sysObjectID object in the SNMPv2 MIB The sysObjectID OID value is listed as follows Product Name PID sysObjectID ACE4710 K9 ciscoACE4710K9 ciscoProducts 824 CISCO SLB EXT MIB CISCO SLB EXT CAPABILITY Acts as an extension to the Cisco server load balancing MIB CISCO SLB MIB It provides tables for the sticky configuration The following MIB objects for the ACE include non SLB related connec...

Page 328: ...E appliance the slbEntity Index will always have a value of one The following MIB objects for the ACE include non SLB related connections as well slbStatsCreatedConnections slbStatsCreatedHCConnections slbStatsEstablishedConnections slbStatsEstablishedHCConnetions slbStatsDestroyedConnections slbStatsDestroyedHCConnections slbStatsReassignedConnections CISCO SYSLOG EXT MIB CISCO SYSLOG EXT CAPABIL...

Page 329: ...ple VLANs The IF MIB is described in RFC 2863 Note The Ethernet data port and port channel interfaces are available only in Admin context In this case the IF MIB supports all the interfaces for Admin contexts while each individual user context supports only VLAN and BVI interfaces IP MIB CISCO IP CAPABILITY Defines managed objects for managing implementations of the IP and its associated Internet ...

Page 330: ...the User Datagram Protocol UDP The UDP MIB is described in RFC 4113 Table 8 1 SNMP MIB Support continued MIB Support Capability MIB Description Table 8 2 SNMP Trap Support Notification Name Location of the Notification Description authenticationFailure SNMPv2 MIB SNMP request fails because the NMS did not authenticate with the correct community string cesRealServerStateUp CISCO ENHANCED SLB MIB St...

Page 331: ...real server is down due to user intervention Note No separate cesRealServerStateDown notifications are sent for each real server that listens on this rserver cesRserverStateChange CISCO ENHANCED SLB MIB State of a global real server changed to a new state as a result of something other than a user intervention This notification is sent for situations such as ARP failures probe failures and so on N...

Page 332: ...ng to the interface removing an active serverfarm from the policy and associating the virtual IP address VIP with a class map The ciscoSlbVServerVIPStateChange is specified in the CISCO SLB MIB ciscoSlbVServerStateChange CISCO SLB MIB my Notification that a virtual IP address VIP is removed from a class map This notification is sent with the following var binds slbVServerState slbVServerStateChang...

Page 333: ...ic feature cmVirtContextAdded cmVirtContextRemoved CISCO MODULE VIRTUALIZATION MIB Notification that you created or deleted a virtual context coldStart SNMPv2 MIB SNMP agent started after a cold restart full power cycle of the ACE linkUp linkDown SNMPv2 MIB VLAN interface is up or down A VLAN interface can be down for example if you specified the shut command followed by the no shut command or the...

Page 334: ... Real server name Server farm name Probe name HTTP header name ACL name Class map name Policy map name Resource class name Table 8 3 identifies a list of tables that have more than one string index Table 8 3 SNMP MIB Tables with More Than One String Index MIB Name Table Sting Indices CISCO ENHANCED SLB MIB my cesRserverProbeTable cesRserverName cesRserverProbeName CISCO ENHANCED SLB MIB my cesServ...

Page 335: ...ss otherwise specified For details on creating contexts see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide 2 Enter configuration mode host1 Admin config Enter configuration commands one per line End with CNTL Z host1 Admin config 3 Configure one or more SNMP users from the ACE CLI host1 Admin config snmp server user joe Network Monitor auth sha abcd12...

Page 336: ...t1 Admin config 10 Configure a policy map that activates the SNMP management protocol classifications host1 Admin config policy map type management first match SNMP ALLOW_POLICY host1 Admin config pmap mgmt class SNMP ALLOW_CLASS host1 Admin config pmap mgmt c permit host1 Admin config pmap mgmt c exit host1 Admin config pmap mgmt exit host1 Admin config 11 Attach the traffic policy to a single VL...

Page 337: ...o a user through the ACE CLI are automatically reflected in the SNMP server For example deleting a user automatically results in the user being deleted for both SNMP and CLI In addition user role mapping changes are reflected in SNMP The syntax of this command is as follows snmp server user user_name group_name auth md5 sha password1 localizedkey priv password2 aes 128 password2 The keywords argum...

Page 338: ... password1 User authentication password Enter an unquoted text string with no space and a maximum of 130 alphanumeric characters The ACE automatically synchronizes the SNMP authentication password as the password for the CLI user The ACE supports the following special characters in a password Note that the ACE encrypts clear text passwords in the running config localizedkey Optional Specifies that...

Page 339: ...ser sam Network Monitor auth md5 abcdefgh host1 Admin config snmp server user Bill Network Monitor auth sha abcd1234 priv abcdefgh To disable the SNMP user configuration or to remove an SNMP user use the no form of the command For example host1 Admin config no snmp server user Bill Network Monitor auth sha abcd1234 priv abcdefgh Defining SNMP Communities Each SNMP device or member is part of a com...

Page 340: ... alphanumeric characters group group_name Optional Identifies the role group to which the user belongs Enter an unquoted text string with no space and a maximum of 32 alphanumeric characters Note Only network monitoring operations are supported through the ACE implementation of SNMP In this case all SNMP users are automatically assigned the system defined default group of Network Monitor For detai...

Page 341: ...r or an e mail address For example to specify SNMP system contact information enter host1 Admin config context snmp server contact User1 user1 cisco com To remove the specified SNMP contact name enter host1 Admin config no snmp server contact Configuring an SNMP Location To specify the SNMP system location use the snmp server location command in configuration mode You can specify only one location...

Page 342: ... SNMP TARGET MIB to obtain more information on the destinations to which notifications are to be sent either as traps or as SNMP inform requests See the Supported MIBs and Notifications section for details This section contains the following topics Configuring SNMP Notification Hosts Enabling SNMP Notifications Enabling the IETF Standard for SNMP linkUp and linkDown Traps Configuring SNMP Notifica...

Page 343: ...d to send the traps SNMPv3 is the most secure model because it allows packet encryption with the priv keyword 1 Specifies SNMPv1 This option is not available for use with SNMP inform requests SNMPv1 has one optional keyword udp port that specifies the UDP port of the host to use The default is 162 2c Specifies SNMPv2C SNMPv2C has one optional keyword udp port that specifies the UDP port of the hos...

Page 344: ...ver enable traps command is used with the snmp server host command see the Configuring SNMP Notification Hosts section The snmp server host command specifies which host receives the SNMP notifications To send notifications you must configure at least one SNMP server host Note The notification types used in the snmp server enable traps command all have an associated MIB object that globally enables...

Page 345: ...p keyword to enable SNMP notifications This selection generates a notification if the community string provided in the SNMP request is incorrect or when a VLAN interface is either up or down The coldstart keyword appears only in the Admin context When you specify the slb keyword specify the real or vserver keyword to enable server load balancing notifications This selection generates a notificatio...

Page 346: ...he ACE to send the Internet Engineering Task Force IETF standards based implementation for linkUp and linkDown traps as outlined in RFC 2863 The snmp server trap link ietf configuration mode command instructs the ACE to send the linkUp and linkDown traps with the IETF standard IF MIB RFC 2863 variable bindings consisting of ifIndex ifAdminStatus and ifOperStatus Note The Cisco var binds are sent b...

Page 347: ...94 for an existing VLAN interface Note the following operating considerations for the snmp server trap source vlan number command If you do not configure the snmp server trap source command the ACE takes the source IP address from the internal routing table which is dependant on the destination host address where the notification is to be sent If you specify a VLAN number of an interface that does...

Page 348: ...etwork management access for a traffic classification that matches the criteria listed the class map Service policy Activates the policy map and attaches the traffic policy to a VLAN interface or globally on all VLAN interfaces This section provides an overview on creating a class map policy map and service policy for SNMP access For detailed information on creating class maps policy maps and serv...

Page 349: ... you then associate with a traffic policy The match all and match any keywords determine how the ACE evaluates multiple match statements operations when multiple match criteria exist in a class map The syntax of this command is as follows class map type management match all match any map_name The keywords arguments and options are as follows match all match any Optional Determines how the ACE eval...

Page 350: ...etween the ACE and the host located at IP address 192 168 1 1 255 255 255 0 enter host1 Admin config class map type management match all SNMP ALLOW_CLASS host1 Admin config cmap mgmt match protocol snmp source address 192 168 1 1 255 255 255 0 host1 Admin config cmap mgmt exit To remove a Layer 3 and Layer 4 SNMP protocol management class map from the ACE enter host1 Admin config no class map type...

Page 351: ...e ACE to allow any client source address for the management traffic classification Access the class map management configuration mode to specify the match protocol snmp command The syntax of this command is as follows line_number match protocol snmp any source address ip_address mask The keywords arguments and options are as follows line_number Optional Allows you to edit or delete individual matc...

Page 352: ...rk management traffic that matches the specified classifications This section contains the following topics Creating a Layer 3 and Layer 4 Policy Map for SNMP Network Management Traffic Received by the ACE Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy Specifying Layer 3 and Layer 4 Policy Actions CreatingaLayer3andLayer4PolicyMapforSNMPNetworkManagementTraffic Received by ...

Page 353: ... created with the class map command to associate network traffic with the traffic policy use the class command his command enters the policy map management class configuration mode The syntax of this command is as follows class name1 insert before name2 class default The arguments and keywords and options are as follows name1 The name of a previously defined Layer 3 and Layer 4 traffic class confi...

Page 354: ... enter host1 Admin config pmap mgmt class SNMP ALLOW_CLASS host1 Admin config pmap mgmt c To use the insert before command to define the sequential order of two class maps in the policy map enter host1 Admin config pmap mgmt class L4_SSH_CLASS insert before L4_REMOTE_ACCESS_CLASS To specify the class default class map for the Layer 3 and Layer 4 traffic policy enter host1 Admin config pmap mgmt cl...

Page 355: ...pecifying a policy map in the interface configuration mode applies the policy map to a specific VLAN interface Specifying a policy map in the configuration mode applies the policy to all of the VLAN interfaces associated with a context The syntax of this command is as follows service policy input policy_name The keywords arguments and options are as follows input Specifies that the traffic policy ...

Page 356: ...on to provide a new starting point for the service policy statistics the next time that you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context Follow these guidelines when you create a service policy Policy maps applied globally in a context are internally applied on all interfaces existing in the context A policy activated on an interface o...

Page 357: ...t enter the identifier of an existing policy map that is currently in service applied to an interface For example to clear the statistics for the policy map SNMP_MGMT_ALLOW_POLICY that is currently in service enter host1 Admin clear service policy SNMP_MGMT_ALLOW_POLICY Example of an SNMP Configuration The following example illustrates a running configuration that verifies the current status of a ...

Page 358: ...l address 192 168 120 105 any class map type management match any L4_REMOTE ACCESS LOCAL_CLASS description Enables SNMP remote management for local users 1 match protocol snmp source address 192 168 0 0 255 248 0 0 2 match protocol snmp source addess 172 16 64 0 255 255 252 0 class map type http loadbalance match all L7_URL _CLASS 2 match http url policy map type management first match L4_SNMP REM...

Page 359: ... Monitor auth sha adcd1234 snmp server community ACE public group ro snmp server contact User1 user1 cisco com snmp server location San Jose CA snmp server host 192 168 0 236 traps version 2c ACE public snmp server enable traps slb vserver snmp server enable traps slb real snmp server enable traps syslog snmp server enable traps snmp authentication snmp server enable traps snmp linkup snmp server ...

Page 360: ...NMP engine and all remote engines that have been configured on the ACE group Optional Displays the names of groups on the ACE the security model the status of the different views and the storage type of each group host Optional Displays the configured SNMP notification recipient host User Datagram Protocol UDP port number user and security model sessions Optional Displays the IP address of the tar...

Page 361: ...output Total number of SNMP packets sent by the ACE Too big errors Number of SNMP packets that were larger than the maximum packet size No such name errors Number of SNMP requests that specified a MIB object that does not exist Bad values errors Number of SNMP set requests that specified an invalid value for a MIB object General errors Number of SNMP set requests that failed due to some other erro...

Page 362: ...ble 8 8 describes the fields in the show snmp group command output Table 8 8 Field Descriptions for the show snmp group Command Output Field Description Group name Name of the SNMP group or collection of users that have a common access policy Security model Security model used by the group either v1 v2c or v3 Security level Security level used by the group Read view String that identifies the read...

Page 363: ...d privacy Type Type of notification configured SecName Security name for scanning the target host Table 8 10 describes the fields in the show snmp sessions command output Table 8 10 Field Descriptions for the show snmp sessions Command Output Field Description Destination IP address of a target for which traps or informs have been sent Table 8 11 describes the fields in the show snmp user command ...

Page 364: ...Chapter 8 Configuring SNMP Displaying SNMP Statistics 8 54 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL 11157 01 ...

Page 365: ... interpret data among the applications In addition you can configure the ACE to transfer show command output to an NMS in XML format for result monitoring and analysis Note To use the ACE XML interface you must have the Admin user role This chapter contains the following major sections XML Overview XML Configuration Quick Start Configuring HTTP and HTTPS Management Traffic Services Enabling the Di...

Page 366: ...ftware the www user will be disabled and you will not be able to use XML to remotely configure an ACE until you change the default www user password See Chapter 2 Configuring Virtualization in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for details on changing a user account password In this case the user would be www XML Overview This section cont...

Page 367: ...a translation of the CLI commands into an equivalent XML syntax Each ACE CLI command has an equivalent XML tag and all of the parameters of the CLI command are attributes of that element The ACE uses an Apache HTTP server to provide the XML management interface and to provide HTTP services between the ACE and the management client To use the ACE XML API you must have the Admin user role You can us...

Page 368: ...ion of an HTTP POST request A field named xml contains the XML string that defines the request or query The response to this HTTP POST represents a pure XML response with either a success or failure indicator for a request or the response to a query When you use XML to transfer configuration data and results the NMS connects to the ACE and sends a new configuration in an XML document to the ACE ov...

Page 369: ... Basic realm xml config HTTP Return Codes HTTP return codes indicate the status of the request and reports errors between the server and the client The Apache HTTP server return status codes follow the standards outlined in RFC 2616 Table 9 1 lists the supported HTTP return codes Table 9 1 Supported HTTP Return Codes for XML Return Code Description 200 OK 201 Created 202 Accepted 203 Non Authorita...

Page 370: ...the original XML document with the error is returned with an error element that contains the error type and description The following is a typical example of an XML error response response_xml config_command command interface vlan 20 no shut description xyz exit command status code 200 text XML_CMD_FAILURE error_command description xyz error_command error_message unrecognized element description e...

Page 371: ...ument structure with a list of legal elements DTD designates an XML list that specifies precisely which elements can appear in a request query or response document It also specifies the contents and attributes of the elements A DTD can be declared inline in your XML document or as an external reference The ACE DTD file ace_appliance dtd is included as part of the software image and is accessible f...

Page 372: ...string no inservice no ip address ip_address no probe name no weight number Elements Attributes and Entities required for rserver probe name is a string of length 1 to 32 ELEMENT probe_rserver EMPTY ATTLIST probe_rserver sense CDATA FIXED no probe name CDATA REQUIRED relocation str length is 1 to 127 ELEMENT webhost redirection EMPTY ATTLIST webhost redirection sense yes no IMPLIED relocation stri...

Page 373: ...iguration and its equivalent XML configuration commands TO FROM CP CONFIGURATION conf t access list acl1 extended permit ip any any int vlan 80 access group input acl1 ip address 60 0 0 145 255 255 255 0 no shut exit ip route 0 0 0 0 0 0 0 0 60 0 0 1 end access list id acl1 config type extended perm value permit protocol name ip src type any dest type any interface type vlan number 80 access group...

Page 374: ...p 1 no shut exit int vlan 90 access group input acl1 bridge group 1 no shut exit end access list id acl1 config type extended perm value permit protocol name ip src type any dest type any interface type vlan number 80 access group type input name acl1 bridge group value 1 shutdown sense no interface interface type vlan number 90 access group type input name acl1 bridge group value 1 shutdown sense...

Page 375: ...map type management match all XML HTTPS ALLOW_CLASS host1 Admin config cmap mgmt match protocol xml https source address 192 168 1 1 255 255 255 255 host1 Admin config cmap mgmt exit 3 Configure a Layer 3 and Layer 4 HTTP or HTTPS traffic management policy host1 Admin config policy map type management first match MGMT_XML HTTPS_POLICY host1 Admin config pmap mgmt class XML HTTPS ALLOW_CLASS host1 ...

Page 376: ...ministration Guide OL 11157 01 5 Optional Enable the display of raw XML request show command output in XML format Note True XML responses always automatically appear in XML format host1 Admin xml show on 6 Optional Save your configuration changes to Flash memory host1 Admin copy running config startup config Table 9 2 ACE XML Configuration Quick Start continued Task and Command Example ...

Page 377: ... HTTPS network management access to the ACE Class map Provides the remote network traffic match criteria to permit HTTP and HTTPS management traffic based on HTTP or HTTPS network management protocols or host source IP addresses Policy map Enables remote network management access for a traffic classification that matches the criteria listed the class map Service policy Activates the policy map and...

Page 378: ... address match commands in a group that you then associate with a traffic policy The match all and match any keywords determine how the ACE evaluates multiple match statements operations when multiple match criteria exist in a class map The syntax of this command is class map type management match all match any map_name The keywords arguments and options are match all match any Optional Determines...

Page 379: ...t IP address 192 168 1 1 255 255 255 255 enter host1 Admin config class map type management match all XML HTTPS ALLOW_CLASS host1 Admin config cmap mgmt match protocol xml https source address 192 168 1 1 255 255 255 255 To remove a Layer 3 and Layer 4 network management class map from the ACE enter host1 Admin config no class map type management match all XML HTTPS ALLOW_CLASS Defining a Class Ma...

Page 380: ...e matching criteria or instruct the ACE to allow any client source address for the management traffic classification You must access the class map configuration mode to specify the match protocol command The syntax of this command is line_number match protocol http xml https any source address ip_address mask The keywords arguments and options are line_number Optional Allows you to edit or delete ...

Page 381: ...protocol xml https source address 192 168 10 1 255 255 0 0 To deselect the specified network management protocol match criteria from the class map enter host1 Admin config cmap mgmt no match protocol https source address 192 168 10 1 255 255 0 0 Creating a Layer 3 and Layer 4 Policy Map A Layer 3 and Layer 4 policy map defines the actions executed on HTTP or HTTPS management traffic that matches t...

Page 382: ...config policy map type management first match MGMT_XML HTTPS_POLICY host1 Admin config pmap mgmt To remove a policy map from the ACE enter host1 Admin config no policy map type management first match MGMT_XML HTTPS_POLICY Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy To specify the HTTP or HTTPS traffic management traffic class created with the class map command to associa...

Page 383: ... map belongs to the default traffic class If none of the specified classifications match the ACE then matches the action specified under the class class default command The class default class map has an implicit match any statement in it and is used to match any traffic classification The class default class map has an implicit match any statement that matches all traffic For example to specify a...

Page 384: ...use the HTTP or HTTPS management traffic listed in the class map to be received by the ACE For example to specify the permit action for the Layer 3 and Layer 4 policy map enter host1 Admin config pmap mgmt c permit host1 Admin config pmap mgmt c exit Applying a Service Policy Use the service policy command to do the following Apply a previously created policy map Attach the traffic policy to a spe...

Page 385: ...cters For example to specify an interface VLAN and apply an XML HTTPS management policy to the VLAN enter host1 Admin config interface vlan 50 host1 Admin config if ip address 192 168 10 1 255 255 0 0 host1 Admin config if service policy input MGMT_XML HTTPS_POLICY For example to globally apply an XML HTTPS management policy to all of the VLANs associated with a context enter host1 Admin config se...

Page 386: ...maps applied globally in a context are internally applied on all interfaces existing in the context A policy activated on an interface overwrites any specified global policies for overlapping classification and actions The ACE allows only one policy of a specific feature type to be activated on a given interface To display service policy statistics for a Layer 3 and Layer 4 HTTP or HTTPS traffic m...

Page 387: ...TIVE Description Allow mgmt protocols Context Global Policy service policy MGMT_XML HTTPS_POLICY To clear the service policy statistics use the clear service policy command The syntax of this command is clear service policy policy_name For the policy_name argument enter the identifier of an existing policy map that is currently in service applied to an interface as an unquoted text string with a m...

Page 388: ... from the CLI or Including the xml show on command in the raw XML request itself CLI commands included in an XML wrapper Specification of the xml show on command is not required if you are running true XML as shown in the example below For details on the show command output supported in XML format consult the ACE DTD file ace_appliance dtd that is included as part of the software image see the Acc...

Page 389: ...face_hardware interface_mac macaddress 00 05 9a 3b 92 b1 macaddress interface_mac interface_mode routed interface_mode interface_ip ipaddress 10 20 105 101 ipaddress ipmask 255 255 255 0 ipmask interface_ip interface_ft_status non redundant interface_ft_status interface_description interface_description not set interface_description interface_description interface_mtu 1500 interface_mtu interface_...

Page 390: ...n status The keywords are off Displays CLI show command output in regular CLI display output not in XML format on Displays CLI show command output in XML format unless a specific show command is not implemented to display its output in XML format For details on the show command output supported in XML format consult the the ACE DTD file ace_appliance dtd that is included as part of the software im...

Page 391: ...form the following steps Step 1 If you have not done so create a Layer 3 and Layer 4 class map and policy map to classify the HTTP or HTTPS management traffic that can be received by the ACE See the Configuring HTTP and HTTPS Management Traffic Services section Step 2 Open your preferred Internet web browser application such as Microsoft Internet Explorer or Netscape Navigator Step 3 To directly a...

Page 392: ...y Alert dialog box click View Certificate choose the Install Certificate option and follow the prompts of the Certificate Manager Import Wizard If you are using Netscape Navigator in the New Site Certificate dialog box click Next and follow the prompts of the New Site Certificate Wizard c Enter your username and password in the fields provided and then click OK The Cisco ACE appliance Management p...

Page 393: ...rovides information to upgrade your Cisco 4700 Series Application Control Engine ACE appliance It contains the following major sections Overview of Upgrading ACE Software Software Upgrade Quick Start Copying the Software Upgrade Image to the ACE Configuring the ACE to Autoboot the Software Image Reloading the ACE Displaying Software Image Information ...

Page 394: ...uring a software upgrade or downgrade deploy your ACE appliances in a redundant configuration For details about redundancy see Chapter 7 Configuring Redundant ACE Appliances Before You Begin Before you upgrade your ACE software please read this appendix in its entirety so that you fully understand the entire upgrade process Please be sure that your ACE configurations meet the upgrade prerequisites...

Page 395: ...ity and Preempt If you want the currently active ACE to remain active after the software upgrade be sure that the active ACE has a higher priority than the standby peer ACE and that the preempt command is configured To check the redundant configuration of your ACEs use the show running config ft command Note that the preempt command is enabled by default and does not appear in the running configur...

Page 396: ...in to the ACE The Exec mode prompt appears at the CLI If you are operating in multiple contexts observe the CLI prompt to verify that you are operating in the Admin context If necessary log directly in to or change to the Admin context host1 Admin 2 Save the running configurations of every context by entering the write memory all command in Exec mode in the Admin context of each ACE host1 Admin wr...

Page 397: ...fig boot system image c4710ace t1k9 mz A1_7 bin host1 Admin config config register 0x1 host1 Admin config exit host1 Admin You can set up to two images through the boot system command If the first image fails the ACE tries the second image Note Use the no boot system image command to unset the previously configured boot variable 6 Verify the boot variable was synchronized to ACE 2 by entering the ...

Page 398: ...texts from ACE 1 to ACE 2 by entering the ft switchover all command in Exec mode on ACE 1 ACE 2 becomes the new active ACE and assumes mastership of all active connections with no interruption to existing connections host1 Admin ft switchover all 9 Upgrade ACE 1 by reloading it and verify that ACE 1 enters the STANDBY_HOT state may take several minutes by entering the show ft group detail command ...

Page 399: ...mage located on an FTP server This path is optional because the ACE prompts you for this information if you omit it sftp username server path filename Specifies the URL of a software image on a secure FTP server This path is optional because the ACE prompts you for this information if you omit it tftp server port path filename Specifies the URL of a software image on a trivial FTP server This path...

Page 400: ...Configuration Register to Autoboot the Boot Variable Verifying the Boot Variable and Configuration Register For detailed information on the boot variable and configuration register see Chapter 1 Setting Up the ACE Setting the Boot Variable To set the boot variable use the boot system image command in the Admin context from the configuration mode The syntax for this command is boot system image ima...

Page 401: ...ent variable and to load the startup configuration file stored in Flash memory The BOOT environment variable is identified through the boot system command to specify a list of image files on various devices from which the ACE can boot at startup refer to Chapter 1 Setting Up the ACE If the ACE encounters an error or if the image is not valid it will try the second image if one is specified Upon st...

Page 402: ...able disk0 c4710ace t1k9 mz A1_7 bin disk0 c4710ace mz 3 0 0_AB0_0 488 bin Configuration register is 0x1 The 0x1 indicates that the configuration register is set to perform an automatic boot and to apply the startup configuration file Reloading the ACE To allow the ACE to use the installed software upgrade reload the ACE appliance To reload the ACE use the reload command in the Admin context from ...

Page 403: ...ered under the GNU Public License A copy of the license is available at http www gnu org licenses gpl html Software loader Version 0 95 system Version A1 7 0 build 3 0 0 A1 7 999 31 adbuild_22 46 11 2008 04 07_ auto adbure_nightly2 nightly_scimitar a18 rib REL_3_0_0_A1_7_999 system image file nd 192 168 65 34 scimitar bin Device Manager version 1 0 0 20080408 0435 installed license ACE AP VIRT 020...

Page 404: ...Chapter A Upgrading Your ACE Software Displaying Software Image Information A 12 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL 11157 01 ...

Page 405: ...ation displaying 6 1 licenses managing 3 1 logging in 1 7 message of the day banner 1 13 MIBs 8 7 naming 1 12 password changing administrative 1 9 password changing CLI account 1 10 policy maps configuring 4 1 remote access 2 1 restarting 1 41 setting up 1 1 setup script 1 3 shutting down 1 42 SNMP 8 1 terminal settings 1 30 upgrading A 1 username changing 1 9 using file system 5 12 XML configurin...

Page 406: ...ment traffic 4 35 9 14 Layer 3 and 4 creating for network traffic 4 25 Layer 3 and 4 criteria for management traffic 4 37 Layer 3 and 4 destination IP and subnet mask criteria 4 29 Layer 3 and 4 for SNMP 8 39 Layer 3 and 4 match any criteria 4 28 Layer 3 and 4 port number criteria 4 30 Layer 3 and 4 source IP and subnet mask criteria 4 31 Layer 3 and 4 VIP address criteria 4 32 Layer 3 and 4 quick...

Page 407: ...artup file 5 10 copying to disk0 file system 5 5 displaying 5 7 displaying user context from the Admin context 5 10 loading from remote server 5 11 merging startup with running 5 6 saving 5 1 saving in Flash memory 5 3 saving to remote server 5 4 configuration register setting boot method 1 35 A 8 values 1 35 configuration synchronization redundancy 7 7 SSL certs and keys 7 26 console connection t...

Page 408: ...ng directory in 5 23 moving files in 5 23 overview 5 12 uncompressing files in 5 21 untarring files in 5 22 display attributes terminal 1 30 displaying copyright 6 3 environment information 6 5 file contents 5 25 FT group information 7 41 FT peer information 7 47 FT statistics 7 51 FT tracking information 7 54 hardware information 6 3 hardware inventory 6 4 ICMP statistics 6 16 information on ACE ...

Page 409: ...copying image to remote server 5 20 copying licenses 5 16 copying packet capture buffer 5 16 creating new directory in disk0 5 22 deleting directory in disk0 5 23 deleting files 5 24 displaying file contents 5 25 listing files 5 13 moving files in disk0 5 23 overview 5 12 saving show command output to file 5 26 uncompressing files in disk0 5 21 untarring files in disk0 5 22 using ACE 5 12 Flash me...

Page 410: ...tbeat configuration 7 17 host failure detection See failure detection HTTP deep packet inspection class map 4 41 load balancing class map 4 39 return codes between server and client 9 5 HyperTerminal launching 1 2 saving session 1 3 I ICMP displaying statistics 6 16 enabling messages to the ACE 2 19 image autobooting image A 8 BOOT environment variable 1 37 copying to remote server 5 20 copying up...

Page 411: ...policy actions 4 47 quick start for management traffic 4 18 quick start for network traffic 4 16 SNMP creating 8 42 specifying traffic class 2 10 4 46 using parameter maps 4 49 Layer 7 class map configuring 4 38 for FTP command inspection 4 42 for HTTP deep packet inspection 4 41 for HTTP load balancing 4 39 quick start 4 14 Layer 7 policy map associating with Layer 3 and 4 policy map 4 57 configu...

Page 412: ...ming the ACE 1 12 notifications error messages 8 35 IETF standard enabling 8 36 options 8 35 SLB 8 34 SNMP 8 20 8 32 8 35 SNMP enabling 8 34 SNMP host configuring 8 32 SNMP license manager 8 34 types 8 34 virtual context change 8 35 NTP server NTP peer associations configuring 1 22 NTP server associations configuring 1 22 overview 1 21 statistics clearing 1 28 statistics and information viewing 1 ...

Page 413: ...ection 4 49 Layer 3 and 4 HTTP optimization 4 48 Layer 3 and 4 policy actions 4 47 Layer 3 and 4 policy map description 2 10 4 45 Layer 3 and 4 quick start for management traffic 4 18 Layer 3 and 4 quick start for network traffic 4 16 Layer 3 and 4 SLB 4 48 Layer 7 associating with Layer 3 and 4 policy map 4 57 Layer 7 configuring 4 50 Layer 7 creating 4 51 Layer 7 inline match statements 4 53 Lay...

Page 414: ...tion displaying 7 41 FT peer configuring 7 16 FT peer information displaying 7 47 FT statistics displaying 7 51 FT tracking information displaying 7 54 FT VLAN 7 6 FT VLAN configuring 7 12 history displaying 7 47 memory statistics displaying 7 47 overview 7 1 protocol 7 2 quick start 7 8 stateful failover 7 5 statistics clearing 7 58 synchronizing 7 25 synchronizing SSL certificates and keys 7 26 ...

Page 415: ...p applying globally to all context VLAN interfaces 4 58 Layer 3 and 4 policy map applying to VLAN interface 4 58 overview 4 9 remote access policy map applying 2 13 SNMP management policy map applying 8 45 session maximum number for SSH 2 16 SSH information showing 2 26 SSH key details showing 2 27 Telnet information showing 2 24 terminating SSH or Telnet 2 19 to ACE 1 7 setting up ACE 1 1 setup s...

Page 416: ...oftware version displaying 6 2 SSH configuring 2 16 directly accessing a user context 2 21 host key pairs 2 17 management access 2 16 maximum sessions 2 16 remote access 2 16 RSA key 2 18 showing key details 2 27 showing session information 2 26 terminating session 2 19 version 2 8 4 37 SSL certificates and keys synchronizing 7 26 startup configuration copying to disk0 file system 5 5 ignoring 1 3...

Page 417: ... line settings 1 34 time setting 1 15 time zone setting 1 16 tracking See failure detection traps SNMP 8 5 8 20 U uncompressing files in disk0 5 21 untarring files in disk0 5 22 upgrade license 3 5 upgrading booting image A 8 copying image to ACE A 7 image information A 11 overview A 2 quick start A 4 reloading ACE A 10 user configuring for SNMP 8 27 context directly accessing with SSH 2 21 userna...

Page 418: ...e OL 11157 01 class map creating 9 14 DTD accessing 9 27 DTD overview 9 7 HTTP and HTTPS support 9 4 HTTP return codes 9 5 management traffic configuring 2 8 9 13 overview 9 2 policy map creating 9 17 quick start 9 11 sample configuration 9 9 service policy 9 20 show command output 9 24 ...

Reviews:

No comments

Related manuals for 4700 series

3Com 3CR860-95 - OfficeConnect Secure Router Features And Benefits preview
3CR860-95 - OfficeConnect Secure Router
Brand: 3Com Pages: 2
3Com 3C905-TX Installation Manual preview
3C905-TX
Brand: 3Com Pages: 26
National Instruments SCXI-1121 User Manual preview
SCXI-1121
Brand: National Instruments Pages: 162
Ubiquiti NanoBeam M5 Setup preview
NanoBeam M5
Brand: Ubiquiti Pages: 3
IBM 8677 - BladeCenter Rack-mountable - Power... Planning And Installation Manual preview
8677 - BladeCenter Rack-mountable - Power...
Brand: IBM Pages: 126
LaCie 301160U - 1TB Ethernet Disk RAID Network Attached... Quick Install Manual preview
301160U - 1TB Ethernet Disk RAID Network Attached...
Brand: LaCie Pages: 5
Juniper TX MATRIX PLUS Hardware Manual preview
TX MATRIX PLUS
Brand: Juniper Pages: 502
Oracle Talari E1000 Installation Manual preview
Talari E1000
Brand: Oracle Pages: 24
TP-Link ER8411 Installation Manual preview
ER8411
Brand: TP-Link Pages: 2
ICP DAS USA PDS-734D Quick Start Manual preview
PDS-734D
Brand: ICP DAS USA Pages: 8
ICP DAS USA ZT-2024 Quick Start Manual preview
ZT-2024
Brand: ICP DAS USA Pages: 8
Galaxy Hunter Series Quick Start Manual preview
Hunter Series
Brand: Galaxy Pages: 30
VoiceLine InnoMedia MTA 3328-2R Getting Started Manual preview
InnoMedia MTA 3328-2R
Brand: VoiceLine Pages: 18
Kaptia Klever Getting Started preview
Klever
Brand: Kaptia Pages: 14
Idis DR-1204P Installation Manual preview
DR-1204P
Brand: Idis Pages: 22
BinTec BIANCA/BRI Getting Started preview
BIANCA/BRI
Brand: BinTec Pages: 34
DIGIWEB Box 7360 Quick Setup Manual preview
Box 7360
Brand: DIGIWEB Pages: 16
Paradyne Hotwire 8323 Installation Instructions Manual preview
Hotwire 8323
Brand: Paradyne Pages: 6

Brands by name

Popular brands

Load more brands