Cisco ACE-4710-K9 Administration Guide

Cisco ACE-4710-K9 manual content summary:

  • Cisco ACE-4710-K9 | Administration Guide - Page 1
    4700 Series Application Control Engine Appliance Administration Guide Software Version A1(7) November 2007 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL
  • Cisco ACE-4710-K9 | Administration Guide - Page 2
    . Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco 4700 Series Application Control Engine Appliance Administration Guide Copyright
  • Cisco ACE-4710-K9 | Administration Guide - Page 3
    Script to Enable Connectivity to the Device Manager 1-3 Connecting and Logging into the ACE 1-7 Changing the Administrative Password 1-9 Resetting the Administrator CLI Account Password 1-10 Assigning a Name to the ACE 1-12 Configuring an ACE Inactivity Timeout 1-12 Configuring a Message-of-the
  • Cisco ACE-4710-K9 | Administration Guide - Page 4
    a Layer 3 and Layer 4 Remote Access Policy Map 2-9 Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE 2-9 Defining a Layer 3 and Layer 4 Policy Map Description 2-10 Cisco 4700 Series Application Control Engine Appliance Administration Guide iv OL-11157-01
  • Cisco ACE-4710-K9 | Administration Guide - Page 5
    User Context Through SSH 2-21 Example of a Remote Access Configuration 2-23 Viewing Session Information 2-24 Showing Telnet Session Information 2-24 Showing SSH Session Information 2-26 Showing SSH Session Information 2-26 Showing SSH Key Details 2-27 Managing ACE Software Licenses 3-1 Available ACE
  • Cisco ACE-4710-K9 | Administration Guide - Page 6
    38 Defining Layer 7 Classifications for HTTP Server Load Balancing 4-39 Defining Layer 7 Classifications for HTTP Deep Packet Inspection 4-41 Defining Layer 7 Classifications for FTP Command Inspection 4-42
  • Cisco ACE-4710-K9 | Administration Guide - Page 7
    a Layer 3 and Layer 4 Policy Map 4-57 Applying a Service Policy 4-58 Class Maps and Policy Map Examples 4-60 Firewall Example 4-60 Layer 7 Load-Balancing Example 4-63 Layer 3 and Layer 4 Load-Balancing Example 4-65 VIP With Connection Parameters Example 4-66 Example of a Traffic Policy Configuration
  • Cisco ACE-4710-K9 | Administration Guide - Page 8
    Deleting an Existing Directory 5-23 Moving Files 5-23 Deleting Files 5-24 Displaying File Contents 5-25 Saving show Command Output to a File 5-26 Viewing and Copying Core Dumps 5-27 Copying Core Dumps 5-28
  • Cisco ACE-4710-K9 | Administration Guide - Page 9
    and Memory Resource Limits 6-11 Displaying System Information 6-14 Displaying ICMP Statistics 6-16 Displaying Technical Support Information 6-17 Configuring Redundant ACE Appliances 7-1 Overview of Redundancy 7-1
  • Cisco ACE-4710-K9 | Administration Guide - Page 10
    Failover 7-24 Synchronizing Redundant Configurations 7-25 Configuring Tracking and Failure Detection 7-28 Overview of Tracking and Failure Detection 7-28 Configuring Tracking and Failure Detection for a Host or Gateway 7-29
  • Cisco ACE-4710-K9 | Administration Guide - Page 11
    Example of a Tracking Configuration for a Gateway 7-34 Configuring Tracking and Failure Detection for an Interface 7-35 Creating a Tracking and Failure Detection Process for an Interface 7-35 Configuring FT Statistics 7-58
  • Cisco ACE-4710-K9 | Administration Guide - Page 12
    and Layer 4 Policy Map 8-42 Creating a Layer 3 and Layer 4 Policy Map for SNMP Network Management Traffic Received by the ACE 8-42 Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy 8-43
  • Cisco ACE-4710-K9 | Administration Guide - Page 13
    9-20 Applying a Service Policy 9-20 Enabling the Display of Raw XML Request show Command Output in XML Format 9-24 Accessing the ACE DTD File 9-27 Upgrading Your ACE Software A-1 Overview of Upgrading ACE Software A-2
  • Cisco ACE-4710-K9 | Administration Guide - Page 14
    A-8 Configuring the Configuration Register to Autoboot the Boot Variable A-9 Verifying the Boot Variable and Configuration Register A-10 Reloading the ACE A-10 Displaying Software Image Information A-11
  • Cisco ACE-4710-K9 | Administration Guide - Page 15
    Preface This guide provides instructions for the administration of the Cisco 4700 Series Application Control Engine (ACE) appliance. It describes how to perform administration tasks on the ACE, including performing initial setup, establishing remote access, managing software licenses, configuring class maps and
  • Cisco ACE-4710-K9 | Administration Guide - Page 16
    4, Configuring Class Maps and Policy Maps: Describes how to configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through the ACE.
  • Cisco ACE-4710-K9 | Administration Guide - Page 17
    Redundant ACE Appliances: to configure the ACE for redundancy, which provides fault tolerance for the stateful failover of flows. Chapter 8, Configuring SNMP: Describes how to configure Simple Network Management Protocol (SNMP) to query the ACE for Cisco Management Information Bases (MIBs) and
  • Cisco ACE-4710-K9 | Administration Guide - Page 18
    Configuration Guide Describes how to use the ACE Device Manager GUI to perform the initial setup and VIP load-balancing configuration tasks. Describes how to operate your ACE in a single context or in multiple contexts.
  • Cisco ACE-4710-K9 | Administration Guide - Page 19
    tasks on the ACE: • Configuring Ethernet ports • Configuring VLAN interfaces • Configuring routing • Configuring bridging • Configuring Dynamic Host Configuration Protocol (DHCP) Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide Describes how to
  • Cisco ACE-4710-K9 | Administration Guide - Page 20
    ACE. Cisco 4700 Series Application Control Engine Appliance Command Reference Provides an alphabetical list and descriptions of all CLI commands by mode, including syntax, options, and related commands.
  • Cisco ACE-4710-K9 | Administration Guide - Page 21
    to-ACE Conversion Tool User Guide Description Describes how to use the Device Manager GUI, which resides in flash memory on the ACE, to provide a browser-based interface for configuring and managing the appliance. Describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services
  • Cisco ACE-4710-K9 | Administration Guide - Page 22
    action that could cause you physical harm or damage the equipment. For additional information about CLI syntax formatting, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.
  • Cisco ACE-4710-K9 | Administration Guide - Page 23
    both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected]. OpenSSL License: © 1998-1999 The OpenSSL Project. All rights reserved.
  • Cisco ACE-4710-K9 | Administration Guide - Page 24
    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY OF THE POSSIBILITY OF SUCH DAMAGE.
  • Cisco ACE-4710-K9 | Administration Guide - Page 25
    This product includes software written by Tim Hudson ([email protected]). Original SSLeay License: © 1995-1998 Eric Young ([email protected]). All rights reserved. This used are not cryptography-related.
  • Cisco ACE-4710-K9 | Administration Guide - Page 26
    BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND distribution license [including the GNU Public License].
  • Cisco ACE-4710-K9 | Administration Guide - Page 27
    (ACE) appliance. It includes the following major sections: • Establishing a Console Connection on the ACE • Using the Setup Script to Enable Connectivity to the Device Manager • Connecting and Logging into the ACE • Changing the Administrative Password • Assigning a Name to the ACE • Configuring an
  • Cisco ACE-4710-K9 | Administration Guide - Page 28
    . For instructions on connecting a console cable to your ACE appliance, see the Cisco Application Control Engine Appliance Hardware Installation Guide. Any device connected to this port must be capable of asynchronous transmission. Connection requires a terminal configured as 9600 baud, 8 data bits
  • Cisco ACE-4710-K9 | Administration Guide - Page 29
    HTTP, HTTPS, ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated for connectivity with the Device Manager GUI. • VLAN interface configured on the ACE and a policy map assigned to the VLAN interface.
  • Cisco ACE-4710-K9 | Administration Guide - Page 30
    are admin. For example, enter: switch login: admin Password: admin ---- Basic System Configuration Dialog ---- This setup utility will guide you through the basic configuration of the system. Setup configures only enough connectivity to the ACE appliance Device Manager GUI of the system. *Note
  • Cisco ACE-4710-K9 | Administration Guide - Page 31
    access the Device Manager GUI. Valid entries are 1 through 4. The default is Ethernet port 1. Press Enter. At the prompt "Configure GigabitEthernet port mode (Access/Trunk) [Trunk]:", identify whether the Ethernet port is to be configured as a VLAN access port or as a VLAN trunk port. The default is
  • Cisco ACE-4710-K9 | Administration Guide - Page 32
    policy-map type management first-match remote_mgmt_allow_policy class remote_access permit interface vlan 2 ip address 192.168.1.10 255.255.255.0 access-group input ALL service-policy input
  • Cisco ACE-4710-K9 | Administration Guide - Page 33
    the console port; all other contexts can be reached through a Telnet or SSH remote access session. The ACE creates the following default users at startup: admin, dm, and www. • The admin user is the global administrator and cannot be deleted. • The dm user is for accessing the Device Manager GUI and
  • Cisco ACE-4710-K9 | Administration Guide - Page 34
    the default login password, see the "Changing the Administrative Password" section for details. Note When you boot the ACE for the first time and the appliance does not detect a startup-configuration file, a setup script appears to enable connectivity to the ACE Device Manager GUI. The start-up
  • Cisco ACE-4710-K9 | Administration Guide - Page 35
    mode, enter the following command: switch/Admin# configure Enter configuration commands, one per line. End with CNTL/Z The prompt changes to the following: switch/Admin(config)# Changing the Administrative Password During the initial login process to the ACE, you enter the default user
  • Cisco ACE-4710-K9 | Administration Guide - Page 36
    to the ACE through the console port to be able to reset the password for the Admin user back to the factory-default value of admin. Note Only the Admin context is accessible through the console port.
  • Cisco ACE-4710-K9 | Administration Guide - Page 37
    from the startup-configuration and resets the password back to the factory default value of admin. The boot process continues as normal and you are able to enter the admin password at the login prompt.
  • Cisco ACE-4710-K9 | Administration Guide - Page 38
    the length of time that a user can be idle before the ACE terminates the session. Valid entries are from 0 to 60 minutes. A value of 0 instructs the ACE never to timeout. The default is 5 minutes.
  • Cisco ACE-4710-K9 | Administration Guide - Page 39
    mode. For example, enter the following command: host1/Admin# show login timeout Login Timeout 10 minutes. Configuring a Message-of-the-Day Banner You can configure a message in configuration mode to display as the message-of-the-day banner when a user connects to the ACE. Once connected to the ACE
  • Cisco ACE-4710-K9 | Administration Guide - Page 40
    -line banner, use the no banner motd command before adding the new lines. To display the configured banner message, use the show banner motd command in Exec mode as follows: host1/Admin# show banner motd
  • Cisco ACE-4710-K9 | Administration Guide - Page 41
    Exec mode. When you enter this command, the ACE displays the current configured date and time. The syntax of this command is as follows: clock set hh:mm:ss DD MONTH YYYY The arguments are: • hh:mm:ss-Current time to which the ACE clock is being reset. Specify two digits for the hours, minutes, and
  • Cisco ACE-4710-K9 | Administration Guide - Page 42
    set the time zone for the ACE, use the clock timezone command in configuration mode. The ACE keeps time internally in Universal Time Coordinated (UTC) offset. The syntax of this command is as follows: clock timezone {zone_name{+ | -} hours minutes} | {standard timezone} The keywords, arguments, and
  • Cisco ACE-4710-K9 | Administration Guide - Page 43
    CEST: Central Europe Summer Time as UTC +2 hours; CET: Central Europe Time as UTC +1 hour; Moscow Summer Time as UTC +4 hours
  • Cisco ACE-4710-K9 | Administration Guide - Page 44
    Saving Time as UTC -8 hours; HST: Hawaiian Standard Time as UTC -10 hours; Australia CST: Central Standard Time as UTC +9.5 hours
  • Cisco ACE-4710-K9 | Administration Guide - Page 45
    summer time (daylight savings time), use the clock summer-time command in configuration mode. The first part of the command specifies when summer time begins, and the second part of the command specifies when summer time ends. All times are relative to the local time zone; the start time is relative
  • Cisco ACE-4710-K9 | Administration Guide - Page 46
    )# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60 To remove the clock summer-time setting, use the no form of this command. For example, enter: host1/Admin(config)# no clock summer-time
  • Cisco ACE-4710-K9 | Administration Guide - Page 47
    and optimization functionality (as described in the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide), and you plan to use an optional Cisco AVS 3180A Management Console with multiple ACE nodes, we strongly recommend that you
  • Cisco ACE-4710-K9 | Administration Guide - Page 48
    . • server-Configures the ACE system clock to be synchronized by a time server. You can specify multiple associations. • ip_address2-IP address of the time server that provides the clock synchronization.
  • Cisco ACE-4710-K9 | Administration Guide - Page 49
    the local NTP • Counters related to the memory code • Listing of all associated peers The syntax of this command is as follows: show ntp {peer-status | peers | statistics [io | local | memory | peer ip_address]}
  • Cisco ACE-4710-K9 | Administration Guide - Page 50
    local server and peer entries listed in the configuration file The stratum The poll interval (in seconds) The status of the reachability register (see RFC-1305) in octal The latest delay (in microseconds)
  • Cisco ACE-4710-K9 | Administration Guide - Page 51
    buffers Current number of unavailable client-receive buffers Total number of times buffers were added, which also indicates the number of times there have been low memory resources during buffer creation
  • Cisco ACE-4710-K9 | Administration Guide - Page 52
    and dropped by the ACE due to an invalid packet format. Packets processed Number of NTP packets received and processed by the ACE. Bad authentication Number of packets not verified as authentic.
  • Cisco ACE-4710-K9 | Administration Guide - Page 53
    Description IP address of the specified peer. IP address of specified local interface. Time that the last NTP response was received. Length of time until the next send attempt. The reachability status for the peer.
  • Cisco ACE-4710-K9 | Administration Guide - Page 54
    devices • local-Clears I/O statistics for local devices • memory-Clears I/O statistics for memory For example, to clear the NTP statistics for all peers, enter: host1/Admin# clear ntp statistics all-peers
  • Cisco ACE-4710-K9 | Administration Guide - Page 55
    example, to clear the NTP statistics for the local devices, enter: host1/Admin# clear ntp statistics local For example, to clear the NTP statistics for memory, enter: host1/Admin# clear ntp statistics memory
  • Cisco ACE-4710-K9 | Administration Guide - Page 56
    the console port. Telnet and SSH sessions set the length automatically. Valid entries are from 0 to 511. The default is 24 lines. A selection of 0 instructs the ACE to scroll continuously (no pausing).
  • Cisco ACE-4710-K9 | Administration Guide - Page 57
    logging monitor command (see the Cisco 4700 Series Application Control Engine Appliance System Message Guide for details). • session-timeout minutes-Specifies the inactivity timeout value in minutes to configure the automatic logout time for the current terminal session on the ACE. When inactivity
  • Cisco ACE-4710-K9 | Administration Guide - Page 58
    from the console configuration mode, specify one or more of the following commands: • databits number-Specifies the number of data bits per character. The range is from 5 to 8. The default is 8 data bits.
  • Cisco ACE-4710-K9 | Administration Guide - Page 59
    connection status. For example, to display the configured console settings, enter: host1/Admin# show line console line Console: Speed: 9600 bauds Databits: 8 bits per byte Stopbits: 1 bit(s) Parity: none
  • Cisco ACE-4710-K9 | Administration Guide - Page 60
    associated with the console port; instead, it is a virtual port that allows you to access the ACE. Use the line vty configuration mode command to configure the virtual terminal line settings. The CLI displays the line configuration mode. Use the session-limit command to configure the maximum number
  • Cisco ACE-4710-K9 | Administration Guide - Page 61
    image to use to boot the ACE. Upon startup, the ACE loads the startup-configuration file stored in the Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory).
  • Cisco ACE-4710-K9 | Administration Guide - Page 62
    ACE image entry is highlighted in the list. Perform one of the following actions: • Press enter to boot the selected software version. • Type e to edit the commands before booting. • Type c to access a command line.
  • Cisco ACE-4710-K9 | Administration Guide - Page 63
    message "Warning: file found but it is not a valid boot image" displays. For example, to set the BOOT environment variable, enter: host1/Admin(config)# boot system image:c4710ace-mz.3.0.0_AB0_0.488.bin
  • Cisco ACE-4710-K9 | Administration Guide - Page 64
    on resetting the administrator CLI account password, see the "Resetting the Administrator CLI Account Password" section. To instruct the ACE to bypass the startup-configuration file during the boot process from the GRUB bootloader, perform the following steps: 1. Enter the config-register command so
  • Cisco ACE-4710-K9 | Administration Guide - Page 65
    path .... This may take some time, Please wait .... PCI test loop , count 0 PCI path is ready Starting services... . Starting sysmgr processes.. Please wait...Done!!! switch login: admin Password: admin
  • Cisco ACE-4710-K9 | Administration Guide - Page 66
    to the CLI. See the "Using the Setup Script to Enable Connectivity to the Device Manager" section for details. You may now configure the ACE to define basic configuration settings for the appliance.
  • Cisco ACE-4710-K9 | Administration Guide - Page 67
    the ACE To reboot the ACE directly from its CLI and reload the configuration, use the reload command in Exec mode. The reload command reboots the ACE and performs a full power cycle of both the hardware and software. The reset process can take several minutes. Any open connections with the ACE are
  • Cisco ACE-4710-K9 | Administration Guide - Page 68
    running-conf startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE reverts to its previous settings upon restart.
  • Cisco ACE-4710-K9 | Administration Guide - Page 69
    port on the front of the ACE, configure terminal display attributes, and configure terminal line settings for accessing the ACE by console or virtual terminal connection, see Chapter 1, Setting Up the ACE.
  • Cisco ACE-4710-K9 | Administration Guide - Page 70
    , see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. 2. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line. End with CNTL/Z host1/Admin(config)# 3. Create a class map that permits network management traffic to be
  • Cisco ACE-4710-K9 | Administration Guide - Page 71
    sessions allowed for each context. host1/Admin(config)# telnet maxsessions 3 7. (Optional) Configure the maximum number of SSH sessions allowed for each context. host1/Admin(config)# ssh maxsessions 3
  • Cisco ACE-4710-K9 | Administration Guide - Page 72
    map, policy map, and service policy for remote network access. For detailed information on creating class maps, policy maps, and service policies, see Chapter 4, Configuring Class Maps and Policy Maps.
  • Cisco ACE-4710-K9 | Administration Guide - Page 73
    users and contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. This section includes the following topics: • Creating and Configuring a Remote Management Class Map • Creating a Layer 3 and Layer 4 Remote Access Policy Map • Applying a Service
  • Cisco ACE-4710-K9 | Administration Guide - Page 74
    that the class map is to allow remote Telnet access, enter: host1/Admin(config)# class-map type management TELNET-ALLOW_CLASS host1/Admin(config-cmap-mgmt)# description Allow Telnet access to the ACE
  • Cisco ACE-4710-K9 | Administration Guide - Page 75
    ACE supports the SSH remote shell functionality provided in SSH Version 1 and supports DES and 3DES ciphers. The configuration of SSH sessions is described in the "Configuring SSH Management Sessions" section.
  • Cisco ACE-4710-K9 | Administration Guide - Page 76
    .255.255.254 To deselect the specified network management protocol match criteria from the class map, enter: host1/Admin(config-cmap-mgmt)# no match protocol ssh source-address 172.16.10.0 255.255.255.254
  • Cisco ACE-4710-K9 | Administration Guide - Page 77
    For example, to create a Layer 3 and Layer 4 network traffic management policy map, enter: host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY host1/Admin(config-pmap-mgmt)#
  • Cisco ACE-4710-K9 | Administration Guide - Page 78
    in policy map configuration mode. This command enters the policy map management class configuration mode. The syntax of this command is as follows: class {name1 [insert-before name2] | class-default}
  • Cisco ACE-4710-K9 | Administration Guide - Page 79
    (config-pmap-mgmt)# class class-default host1/Admin(config-pmap-mgmt-c)# To remove a class map from a Layer 3 and Layer 4 policy map, enter: host1/Admin(config-pmap-mgmt)# no class L4_REMOTE_ACCESS_CLASS
  • Cisco ACE-4710-K9 | Administration Guide - Page 80
    the ACE. • Use the deny command in policy map class configuration mode to refuse the remote management protocols listed in the class map to be received by the ACE. For example, to create a Layer 3 and Layer 4 remote network traffic management policy map that permits SSH, Telnet, and ICMP connections
  • Cisco ACE-4710-K9 | Administration Guide - Page 81
    Applying a Service Policy Use the service-policy command to perform the following tasks: • Apply a previously created policy map. • Attach the traffic policy to a specific VLAN interface or globally
  • Cisco ACE-4710-K9 | Administration Guide - Page 82
    Layer 4 remote network traffic management policy map, use the show service-policy command in Exec mode. The syntax of this command is: show service-policy policy_name [detail] The keywords, options, and arguments are as follows: • policy_name-Identifies an existing policy map that is currently
  • Cisco ACE-4710-K9 | Administration Guide - Page 83
    you to specify a particular context when accessing the ACE. For details on creating users and contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
  • Cisco ACE-4710-K9 | Administration Guide - Page 84
    each user context. To control the maximum number of SSH sessions allowed for each context, use the ssh maxsessions command in configuration mode. The ACE supports a total maximum of 256 concurrent SSH sessions.
  • Cisco ACE-4710-K9 | Administration Guide - Page 85
    1 to 4 SSH sessions for each user context. The defaults are 16 (Admin context) and 4 (user context). For example, to configure the maximum number of concurrent SSH sessions command in configuration mode.
  • Cisco ACE-4710-K9 | Administration Guide - Page 86
    or are entered manually. When an SSH connection is made from the ACE, the SSH client receives the public key and stores it locally. To clear all these keys, use the clear ssh hosts command in Exec mode.
  • Cisco ACE-4710-K9 | Administration Guide - Page 87
    to and from the ACE. • Service policy to activate the policy map, attach the traffic policy to an interface or globally on all interfaces, and specify the direction in which the policy should be applied.
  • Cisco ACE-4710-K9 | Administration Guide - Page 88
    service policy for the ACE. To allow ICMP messages to pass through the ACE, configure an ICMP ACL to permit or deny network connections based on the ICMP type (for example, echo, echo-reply, or unreachable). See the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
  • Cisco ACE-4710-K9 | Administration Guide - Page 89
    following steps: Step 1 Create a user context by entering the following command: host1/Admin(config)# context C1 host1/Admin(config-context)# See the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Step 2 Associate an existing VLAN with the
  • Cisco ACE-4710-K9 | Administration Guide - Page 90
    no shutdown command. See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. Create an SSH remote management policy and apply the associated service policy to all VLAN interfaces or just to the VLAN interface allocated to the user context by entering
  • Cisco ACE-4710-K9 | Administration Guide - Page 91
    -MGT_POLICY class L4_REMOTE-MGT_CLASS permit interface vlan 50 ip address 192.168.1.1 255.255.255.0 access-group input ACL1 service-policy input L4_REMOTE-MGT_POLICY no shutdown ssh key rsa1 1024 force OL-11157-01 Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-23
  • Cisco ACE-4710-K9 | Administration Guide - Page 92
    argument specifies the name of the context for which you want to view specific Telnet session information. The context_name argument is case sensitive. For example, enter: host1/Admin# show telnet
  • Cisco ACE-4710-K9 | Administration Guide - Page 93
    session. IP address and port of the remote Telnet client. Time since the Telnet connection request was received by the ACE. To display the maximum number of enabled Telnet sessions, use the show telnet maxsessions command in Exec mode. Only context administrators can view Telnet session information
  • Cisco ACE-4710-K9 | Administration Guide - Page 94
    ACE. To display the maximum number of enabled SSH sessions, use the show ssh maxsessions command in Exec mode. Only context administrators can view SSH session information associated with a particular context.
  • Cisco ACE-4710-K9 | Administration Guide - Page 95
    /jWVsU/M eBbA/7o5tv gCeT6p7pGF5oUNYFP0OeZ9BiIWDc4jBmYEQLEqJHPrMhSFE= bitcount:1024 fingerprint: f5:55:00:18:bc:af:41:74:b6:bc:aa:8e:46:31:74:4f
  • Cisco ACE-4710-K9 | Administration Guide - Page 96
    dsa Keys generated: Tue May 8 19:37:17 2007 ssh-dss fingerprint: 8e:13:5c:3e:1a:9c:7a:ed:d0:84:eb:96:12:db:82:be
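    The bitcount and the 16-pair colon fingerprint that show ssh key prints are what an administrator compares against the fingerprint an SSH client shows on first connection. The following is an added example, not code from the Cisco guide or from the ACE software: it builds a public key in SSH wire format from a constructed (toy) RSA modulus, parses it back, computes the MD5 colon fingerprint (the 16-byte colon form the page shows is the MD5 fingerprint format, which this example assumes), and compares it with what a client reports. The sample key, the helper names and the hypothetical comment string are all constructed here.

```python
"""Check an SSH host key's bit count and MD5 fingerprint against what the ACE reports.

Added example; not from the Cisco guide. The ACE prints the public key, a bitcount
and a colon-separated 16-byte fingerprint; this example assumes that format is the
MD5 fingerprint of the raw SSH wire-format key blob. Everything below, including
the sample key, is constructed here.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (a leading zero byte keeps the sign bit clear)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_public_key(e: int, n: int) -> str:
    """Return an OpenSSH-style 'ssh-rsa <base64>' line for the given exponent and modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def _split_fields(blob: bytes) -> list:
    """Split a wire-format blob into its length-prefixed fields."""
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def key_info(public_key_line: str) -> dict:
    """Parse a public key line and return its type, key bit count and MD5 colon fingerprint."""
    key_type, b64 = public_key_line.split()[:2]   # a trailing comment is ignored
    blob = base64.b64decode(b64)
    fields = _split_fields(blob)
    if fields[0].decode("ascii") != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    # For ssh-rsa the modulus is the last field; for ssh-dss the size is that of the prime p (field 1).
    bits_field = fields[-1] if key_type == "ssh-rsa" else fields[1]
    bits = int.from_bytes(bits_field, "big").bit_length()
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint}


def fingerprints_match(device_fp: str, client_fp: str) -> bool:
    """Compare fingerprints regardless of letter case or an 'MD5:' prefix as some clients print it."""
    def norm(fp: str) -> str:
        fp = fp.strip().lower()
        return fp[4:] if fp.startswith("md5:") else fp
    return norm(device_fp) == norm(client_fp)


# Constructed 1024-bit modulus: a toy value, not a real key; only the bit length matters here.
SAMPLE_KEY = build_rsa_public_key(65537, (1 << 1023) + 12345)

if __name__ == "__main__":
    info = key_info(SAMPLE_KEY)
    print(f"{info['type']} bitcount:{info['bits']} fingerprint: {info['fingerprint']}")
```

    Paste the key line from show ssh key (or the line a client stored in its known_hosts file) into key_info and compare the result with the fingerprint the client displayed; a mismatch means the client is not talking to the key the ACE generated.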
  • Cisco ACE-4710-K9 | Administration Guide - Page 97
    Note You can access the license and show license commands only in the Admin context. You must have the Admin role in the Admin context to install, remove, and update the license file.
  • Cisco ACE-4710-K9 | Administration Guide - Page 98
    licenses. • Ordering separate license options. Table 3-1 summarizes the contents of the available license bundles. Table 3-2 provides a list of the default and upgrade ACE appliance licensing options.
  • Cisco ACE-4710-K9 | Administration Guide - Page 99
    Table 3-1 ACE Licensing Bundles. License models: ACE-4710-2F-K9, ACE-4710-1F-K9. Description: This license bundle includes the following items: • ACE 4710 appliance • 2 Gbps throughput license • 7500 SSL transactions per
  • Cisco ACE-4710-K9 | Administration Guide - Page 100
    expiration of a demo license, use the show license usage command in Exec mode. Note If you need to replace the ACE, you can copy and install the license file for the license onto the replacement appliance.
  • Cisco ACE-4710-K9 | Administration Guide - Page 101
    in the "Copying a License File to the ACE" section of this chapter.) Save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE).
  • Cisco ACE-4710-K9 | Administration Guide - Page 102
    installation, see the "Installing a New or Upgrade License File" section. If the license is a permanent license replacing a demo license, see the "Replacing a Demo License with a Permanent License" section.
  • Cisco ACE-4710-K9 | Administration Guide - Page 103
    for an SSL 5000 TPS license, enter: host1/Admin# license install disk0:ACE-AP-SSL-05K-K9.lic To install a license file for a 20 context license, enter: host1/Admin# license install disk0:ACE-AP-VIRT-020.lic
  • Cisco ACE-4710-K9 | Administration Guide - Page 104
    expires, save the Admin running configuration and the user context running configurations to a remote server. To view the expiration of the demo license, use the show license usage command in Exec mode from the Admin context. After you copy the permanent license file to the ACE, you can install it
  • Cisco ACE-4710-K9 | Administration Guide - Page 105
    context license, save the Admin running configuration and the user context running configurations to a remote server. For more information, see the "Removing a Virtualization Context License" section.
  • Cisco ACE-4710-K9 | Administration Guide - Page 106
    license is removed. Table 3-3 Virtual Context License Removal (columns: Current number of contexts / Applicable licenses / Results of license removal): 5 (default) / Not applicable / -; 20 / ACE-AP-VIRT-020 / 5 contexts
  • Cisco ACE-4710-K9 | Administration Guide - Page 107
    license, perform the following steps: Step 1 Save the Admin and user context running configurations to a remote server by entering the copy running-config command in Exec mode in each context. For more information on this command, see Chapter 5, Managing the ACE Software. For example
  • Cisco ACE-4710-K9 | Administration Guide - Page 108
    running and startup configurations. Display the current number of supported contexts on the ACE by entering the show license status command in Exec mode of the Admin context. Determine which contexts you want to keep in the Admin running configuration. Using a text editor, manually remove the extra
  • Cisco ACE-4710-K9 | Administration Guide - Page 109
    license is removed. Table 3-4 Compression License Removal (columns: Current compression capability / Applicable licenses / Results of license removal): 100 Mbps (default) / Not applicable / -; 500 Mbps / ACE-AP-C-500-LIC / 100 Mbps
  • Cisco ACE-4710-K9 | Administration Guide - Page 110
    Acceleration and Optimization Configuration Guide. For example, to remove the license for the application acceleration software feature pack, enter: host1/Admin# license uninstall ACE-AP-OPT-LIC-K9.lic
  • Cisco ACE-4710-K9 | Administration Guide - Page 111
    . For example, to untar the mylicenses.tar file on disk0:, enter: host1/Admin# untar disk0:mylicenses.tar For information on installing the license, see the "Installing a New or Upgrade License File" section.
  • Cisco ACE-4710-K9 | Administration Guide - Page 112
    license files and their contents. For example, to display a list of the currently installed licenses, enter: host1/Admin# show license brief ACE-AP-VIRT-020.lic ACE-AP-OPT-LIC-K9.lic ACE-AP-SSL-10K-K9.lic
  • Cisco ACE-4710-K9 | Administration Guide - Page 113
    defined in the license file. If the license is permanent, this field displays never. Licensing errors, if any. You can also view the ACE license by using the show version command in Exec mode on the ACE.
  • Cisco ACE-4710-K9 | Administration Guide - Page 115
    FTP command inspection, or application protocol inspection • Secure Sockets Layer (SSL) security services between a web browser (the client) and the HTTP connection (the server) • TCP/IP normalization and termination
  • Cisco ACE-4710-K9 | Administration Guide - Page 116
    Layer 7 protocol classifications. 2. Creating a policy map by using the policy-map command, which refers to the class maps and identifies a series of actions to perform based on the traffic match criteria.
  • Cisco ACE-4710-K9 | Administration Guide - Page 117
    configure class maps and policy maps (application protocol inspection). The figure also illustrates how the ACE associates the various components of the class map and policy map configuration with each other.
  • Cisco ACE-4710-K9 | Administration Guide - Page 118
    in the context. Specific service policy per VLAN: (config)# interface vlan 50 (config-if)# service-policy input HTTP_INSPECT_L4POLICY (a service policy applied under an interface applies the policy map to that specific VLAN interface)
  • Cisco ACE-4710-K9 | Administration Guide - Page 119
    that can pass through the ACE or network management traffic that can be received by the ACE. • Layer 7 protocol-specific classes identify server load balancing based on HTTP traffic, deep inspection of HTTP traffic, or the inspection of FTP commands by the ACE. A traffic class contains the following
  • Cisco ACE-4710-K9 | Administration Guide - Page 120
    created traffic class map or, optionally, the class-default class map • One or more of the individual Layer 3 and Layer 4 or Layer 7 policies that specify the actions (functions) to be performed by the ACE
  • Cisco ACE-4710-K9 | Administration Guide - Page 121
    with a different class set. When there are multiple instances of actions of the same type configured in a policy map, the ACE performs the first action encountered of the same type that has a match.
  • Cisco ACE-4710-K9 | Administration Guide - Page 122
    policy lookup order of the ACE is as follows: 1. Access control (permit or deny a packet) 2. Permit or deny management traffic 3. TCP/UDP connection parameters 4. Load balancing based on a virtual IP (VIP)
  • Cisco ACE-4710-K9 | Administration Guide - Page 123
    )# interface vlan 50 host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0 host1/Admin(config-if)# service-policy input L4_HTTP_SLB_POLICY host1/Admin(config-if)# service-policy input L4_MGMT_POLICY
  • Cisco ACE-4710-K9 | Administration Guide - Page 124
    Application Control Engine Appliance Virtualization Configuration Guide. 2. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line. End with CNTL/Z host1/Admin(config)#
  • Cisco ACE-4710-K9 | Administration Guide - Page 125
    Table 4-1 Layer 3 and Layer 4 Network Traffic Class Configuration Quick Start (continued), Task and Command Example: 3. Create one or more Layer 3 and Layer 4 class maps that classify the network traffic that passes through the ACE. If you do not specify the match-all or match
  • Cisco ACE-4710-K9 | Administration Guide - Page 126
    Application Control Engine Appliance Virtualization Configuration Guide. 2. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line. End with CNTL/Z host1/Admin(config)#
  • Cisco ACE-4710-K9 | Administration Guide - Page 127
    Table 4-2 Layer 3 and Layer 4 Network Management Traffic Class Configuration Quick Start (continued), Task and Command Example: 3. Create one or more class maps that permit network management traffic to be received by the ACE based on a network management protocol
  • Cisco ACE-4710-K9 | Administration Guide - Page 128
    Control Engine Appliance Virtualization Configuration Guide. 2. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line. End with CNTL/Z host1/Admin(config)# 3. (Optional) Create one or more class maps that define Layer 7 HTTP content load-balancing decisions based
  • Cisco ACE-4710-K9 | Administration Guide - Page 129
    as part of the traffic class. After you create a class map, you will enter class map HTTP load balancing configuration mode. host1/Admin(config)# class-map type http loadbalance cmap-http-insp)# exit
  • Cisco ACE-4710-K9 | Administration Guide - Page 130
    create and configure a Layer 3 and Layer 4 traffic policy map and to apply the policy to one or all of the VLAN interfaces associated with the context. Each step includes the CLI command required to complete the task.
  • Cisco ACE-4710-K9 | Administration Guide - Page 131
    details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. 2. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line. End with CNTL/Z host1/Admin(config)# 3. Configure a Layer 3 and Layer 4 policy
  • Cisco ACE-4710-K9 | Administration Guide - Page 132
    configure a Layer 3 and Layer 4 network management policy map and to apply the policy to one or all of the VLAN interfaces associated with the context. Each step includes the CLI command required to complete the task.
  • Cisco ACE-4710-K9 | Administration Guide - Page 133
    details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. 2. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line. End with CNTL/Z host1/Admin(config)# 3. Configure a Layer 3 and Layer 4 policy
  • Cisco ACE-4710-K9 | Administration Guide - Page 134
    255.0.0 host1/Admin(config-if)# service-policy input L4_MGMT_POLICY 7. (Optional) Save your configuration changes to Flash memory. host1/Admin(config)# exit host1/Admin# copy running-config startup-config
  • Cisco ACE-4710-K9 | Administration Guide - Page 135
    Control Engine Appliance Virtualization Configuration Guide. 2. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line. End with CNTL/Z host1/Admin(config)# 3. (Optional) Create and configure a policy map that defines Layer 7 HTTP content load-balancing decisions
  • Cisco ACE-4710-K9 | Administration Guide - Page 136
    command inspection of incoming traffic host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7_CLASS host1/Admin(config-pmap-ftp-ins-c)# match request-method stou host1/Admin(config-pmap-ftp-ins-c)# deny
  • Cisco ACE-4710-K9 | Administration Guide - Page 137
    Table 4-6 Layer 7 Policy Map Configuration Quick Start (continued), Task and Command Example: 7. Associate the Layer 7 policy map with a Layer 3 and Layer 4 policy map by using the policy-map multi-match command as specified below. • To associate a Layer 7 load-balancing policy map, nest the load
  • Cisco ACE-4710-K9 | Administration Guide - Page 138
    Address and Subnet Mask Match Criteria • Defining TCP/UDP Port Number or Port Range Match Criteria • Defining the Source IP Address and Subnet Mask Match Criteria • Defining the VIP Address Match Criteria
  • Cisco ACE-4710-K9 | Administration Guide - Page 139
    To create a Layer 3 and Layer 4 class map to classify network traffic passing through the ACE, use the class-map command in configuration mode. A single class map can have multiple match commands that you can use to specify the matching criteria. For example, you can configure class maps
  • Cisco ACE-4710-K9 | Administration Guide - Page 140
    be combined with the other types of match commands in a class map. This command is intended to define a 3-tuple flow of VIP address, protocol, and port as matching criteria for server load balancing.
  • Cisco ACE-4710-K9 | Administration Guide - Page 141
    For example, to define the Layer 3 and Layer 4 HTTP_APP_PROTOCOL_INSPECTION_CLASS class map and specify that all commands in the class map must be satisfied for the ACE
  • Cisco ACE-4710-K9 | Administration Guide - Page 142
    ACE blocks the matching result. Refer to the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide for details about creating ACLs in the ACE. The syntax of this command match destination-address, and match port commands in a class map. For example, to specify that the
  • Cisco ACE-4710-K9 | Administration Guide - Page 143
    . • ip_address-Destination IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1). • mask-Subnet mask entry in dotted-decimal notation (for example, 255.255.255.0).
  • Cisco ACE-4710-K9 | Administration Guide - Page 144
    | udp-Specifies the protocol, TCP or UDP. • any-Specifies a wildcard value for the TCP or UDP port number. With any used in place of either the eq or range values, packets from any incoming port match.
  • Cisco ACE-4710-K9 | Administration Guide - Page 145
    not dictate a priority or sequence for the match statements. • ip_address-Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
  • Cisco ACE-4710-K9 | Administration Guide - Page 146
    virtual-address command in class map configuration mode. You can configure multiple match criteria statements to define the VIPs for server load balancing. See the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide for details about configuring the ACE to
  • Cisco ACE-4710-K9 | Administration Guide - Page 147
    A value of 0 instructs the ACE to match all ports. Table 4-7 Well-Known TCP Port Numbers and Keywords (columns: Keyword / Port Number / Description): domain / 53 / Domain Name System (DNS); ftp / 21 / File Transfer Protocol (FTP); ftp-data / 20 / FTP data connections; http / 80 / Hyper Text ...; further keywords listed on this page: https, irc, matip-a, nntp, pop2, pop3
  • Cisco ACE-4710-K9 | Administration Guide - Page 148
    (config-cmap)# match virtual-address 192.168.1.10 tcp port eq 80 To remove the VIP match statement from the class map, enter: host1/Admin(config-cmap)# no match virtual-address 192.168.1.10 tcp port eq 80
  • Cisco ACE-4710-K9 | Administration Guide - Page 149
    how the ACE evaluates multiple match statements when multiple match criteria exist in a class map. The syntax of this command is: class-map type management [match-all | match-any] map_name
  • Cisco ACE-4710-K9 | Administration Guide - Page 150
    (config-cmap-mgmt)# match protocol ssh any To remove a Layer 3 and Layer 4 network management class map from the ACE, enter: host1/Admin(config)# no class-map type management match-any MGMT-ACCESS_CLASS
  • Cisco ACE-4710-K9 | Administration Guide - Page 151
    HTTPS as the transfer protocol to send and receive XML documents between the ACE and a Network Management System (NMS). • any-Specifies any client source address for the management traffic classification.
  • Cisco ACE-4710-K9 | Administration Guide - Page 152
    topics: • Defining Layer 7 Classifications for HTTP Server Load Balancing • Defining Layer 7 Classifications for HTTP Deep Packet Inspection • Defining Layer 7 Classifications for FTP Command Inspection
  • Cisco ACE-4710-K9 | Administration Guide - Page 153
    match statements when multiple match criteria exist in a Layer 7 HTTP load-balancing class map. The syntax of this command is: class-map type http loadbalance [match-all | match-any] map_name
  • Cisco ACE-4710-K9 | Administration Guide - Page 154
    mode. For details on specifying the match criteria for an HTTP server load-balancing class map, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
  • Cisco ACE-4710-K9 | Administration Guide - Page 155
    • Content type verification and filtering • Port 80 misuse • URL logging To create a Layer 7 class map to be used for the deep packet inspection of HTTP traffic through the ACE, use the class-map type http inspect command in configuration mode. The syntax of this command is: class-map type http
  • Cisco ACE-4710-K9 | Administration Guide - Page 156
    configuration mode. For details on specifying the match criteria for the FTP command inspection class map, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
  • Cisco ACE-4710-K9 | Administration Guide - Page 157
    Configuring a Layer 3 and Layer 4 Policy Map For a Layer 3 and Layer 4 traffic classification, you create a Layer 3 and Layer 4 policy map with actions to configure the following tasks: • Network management traffic received by the ACE (HTTP, HTTPS, ICMP, SSH, or Telnet) • Server load balancing
  • Cisco ACE-4710-K9 | Administration Guide - Page 158
    an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. When you use this command, you will access policy map management configuration mode. For example, to create a Layer 3 and Layer 4 network traffic management policy map, enter: host1/Admin(config)# policy-map type
  • Cisco ACE-4710-K9 | Administration Guide - Page 159
    Layer 4 Policy Map Description To provide a brief summary about the Layer 3 and Layer 4 policy map, use the description command in policy map configuration mode. The syntax of this command is: description text
  • Cisco ACE-4710-K9 | Administration Guide - Page 160
    manually insert the class map ahead of a previously specified class map, use the class command with the insert-before keyword. However, the ACE does not save this reordering as part of the configuration.
  • Cisco ACE-4710-K9 | Administration Guide - Page 161
    the class map to be received by the ACE. • Use the deny command in policy map class configuration mode to refuse the remote network management protocols listed in the class map to be received by the ACE.
  • Cisco ACE-4710-K9 | Administration Guide - Page 162
    3, Configuring Traffic Policies for Server Load Balancing; Chapter 4, Configuring a Traffic Policy for HTTP Optimization; Chapter 3, Configuring SSL Termination and Chapter 4, Configuring SSL Initiation
  • Cisco ACE-4710-K9 | Administration Guide - Page 163
    for details. • parameter-map type http-Configures advanced HTTP behavior for HTTP load-balanced connections. See the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide for details. • parameter-map type http-Configures advanced HTTP behavior for HTTP deep
  • Cisco ACE-4710-K9 | Administration Guide - Page 164
    with actions to configure the following tasks: • HTTP content load-balancing decisions • Application acceleration and optimization • Deep packet inspection of the HTTP protocol • FTP command inspection
  • Cisco ACE-4710-K9 | Administration Guide - Page 165
    policy map HTTP inspection configuration mode. The ACE attempts to match a packet against all classes in the policy map and executes the actions of all matching classes associated with the policy map.
  • Cisco ACE-4710-K9 | Administration Guide - Page 166
    of the ACE in this configuration is to always perform a "first-match" on the specified class maps. If none of the class maps within the policy map match, and you include the class-default class map, the ACE will match the traffic classification. For example, to create a Layer 7 load-balancing policy
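    The match-all / match-any evaluation of a management class map, the permit and deny actions of a management policy map, and the first-match order with an optional class-default class described in this chapter, as an added example that is not code from the Cisco guide or from the ACE software: a small Python model that parses a constructed configuration written in the syntax the guide shows and evaluates management packets against it. The configuration, the class names and the packets are all constructed here; the model assumes that management traffic matching no class is not accepted (reported as deny), and it understands only the match protocol criteria with a source address or any that the guide documents.

```python
"""Toy model of ACE management class maps and a first-match policy map.

Added example; not code from the Cisco guide or the ACE itself. Assumptions:
management traffic that matches no class is modeled as not accepted ("deny"),
and only 'match protocol <name> source-address <ip> <mask>' and
'match protocol <name> any' criteria are understood.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample; the names echo the guide's examples, but this is not a device export.
SAMPLE_CONFIG = """
class-map type management match-any L4_REMOTE-MGT_CLASS
  match protocol ssh source-address 192.168.1.0 255.255.255.0
  match protocol icmp any
class-map type management match-all BLOCKED-TELNET-HOST
  match protocol telnet source-address 192.168.1.10 255.255.255.255
class-map type management match-all SSH-AND-ICMP
  match protocol ssh source-address 192.168.1.0 255.255.255.0
  match protocol icmp any
policy-map type management first-match L4_REMOTE-MGT_POLICY
  class BLOCKED-TELNET-HOST
    deny
  class L4_REMOTE-MGT_CLASS
    permit
"""


@dataclass
class Match:
    protocol: str
    source: Optional[IPv4Network]   # None stands for the 'any' keyword

    def hits(self, protocol: str, src: str) -> bool:
        return protocol == self.protocol and (self.source is None or ip_address(src) in self.source)


@dataclass
class ClassMap:
    name: str
    mode: str                       # "match-any" or "match-all"
    matches: List[Match] = field(default_factory=list)

    def matches_packet(self, protocol: str, src: str) -> bool:
        results = [m.hits(protocol, src) for m in self.matches]
        if self.mode == "match-any":
            return any(results)
        return bool(results) and all(results)   # match-all: every match line must hold for this packet


def parse_config(text: str) -> Tuple[dict, List[Tuple[str, str]]]:
    """Return ({class map name: ClassMap}, [(class name, action), ...] in policy order)."""
    class_maps, policy, current_map, current_class = {}, [], None, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:3] == ["class-map", "type", "management"]:
            current_map = ClassMap(name=words[4], mode=words[3])
            class_maps[current_map.name] = current_map
        elif words[:2] == ["match", "protocol"]:
            source = None if words[3] == "any" else ip_network(f"{words[4]}/{words[5]}", strict=False)
            current_map.matches.append(Match(words[2], source))
        elif words[:3] == ["policy-map", "type", "management"]:
            current_map = None
        elif words[0] == "class":
            current_class = [words[1], None]
            policy.append(current_class)
        elif words[0] in ("permit", "deny"):
            current_class[1] = words[0]
    return class_maps, [tuple(entry) for entry in policy]


def lookup(class_maps: dict, policy: List[Tuple[str, str]], protocol: str, src: str) -> Tuple[Optional[str], str]:
    """First-match: the first class in policy order whose class map hits decides the action."""
    for name, action in policy:
        if name == "class-default" or class_maps[name].matches_packet(protocol, src):
            return name, action
    return None, "deny"   # assumption of this model: unmatched management traffic is not accepted


if __name__ == "__main__":
    cmaps, pmap = parse_config(SAMPLE_CONFIG)
    for proto, src in [("ssh", "192.168.1.25"), ("telnet", "192.168.1.10"), ("ssh", "10.0.0.5")]:
        print(proto, src, "->", lookup(cmaps, pmap, proto, src))
```

    Two things the model makes visible: the deny class is listed first so that the first-match walk reaches it before the broader permit class, and the SSH-AND-ICMP class, which combines two different protocol match lines under match-all, can never be satisfied by a single packet, so a match-all class map is only useful when all of its criteria can hold for the same packet.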
  • Cisco ACE-4710-K9 | Administration Guide - Page 167
    , use a class map as described in the "Specifying a Layer 7 Traffic Class with the Traffic Policy" section. The syntax for an inline match command is: match name match_statement [insert-before map_name] OL-11157-01 Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-53
  • Cisco ACE-4710-K9 | Administration Guide - Page 168
    command, you will access policy map class configuration mode. For example, to specify an existing class map in the Layer Layer 7 policy map, enter: host1/Admin(config-pmap-lb)# no class L7_SLB_SERVER_CLASS 4-54 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-11157-01
  • Cisco ACE-4710-K9 | Administration Guide - Page 169
    appropriate ACE document and chapter as outlined in Table 4-10. Table 4-10 defines the associated actions for the different Layer 7 application policies based on the function of the Layer 7 policy map. OL-11157-01 Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-55
  • Cisco ACE-4710-K9 | Administration Guide - Page 170
    Series Application Control Engine Appliance Security Configuration Guide FTP command inspection Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide Chapter Chapter 3, Configuring Traffic Policies for Server Load Balancing Chapter 4, Configuring a Traffic Policy for
  • Cisco ACE-4710-K9 | Administration Guide - Page 171
    "Configuring a Layer 3 and Layer 4 Policy Map" section and the documents listed in Table 4-9 for the specific procedure to create a Layer 3 and Layer 4 policy map that associates a Layer 7 HTTP server load balancing, HTTP deep packet inspection, or FTP command inspection policy map. For example, to
  • Cisco ACE-4710-K9 | Administration Guide - Page 172
    apply multiple service policies to all VLANs associated with the context, enter: host1/Admin(config)# service-policy input L4_SLB_POLICY host1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY 4-58 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-11157-01
  • Cisco ACE-4710-K9 | Administration Guide - Page 173
    ACE automatically resets the associated service policy statistics to provide a new starting point for the service ACE allows only one policy of a specific feature type to be activated on a VLAN interface. OL-11157-01 Cisco 4700 Series Application Control Engine Appliance Administration Guide
  • Cisco ACE-4710-K9 | Administration Guide - Page 174
    various operations on the ACE. This section contains the following examples: • Firewall Example • Layer 7 Load-Balancing Example • Layer 3 and Layer 4 Load-Balancing Example • VIP With Connection Parameters Example Firewall Example This example shows how to create a firewall traffic policy (for
  • Cisco ACE-4710-K9 | Administration Guide - Page 175
    /Admin(config-cmap-http-insp)# match header accept header-value html host1/Admin(config-cmap-http-insp)# match header length request eq 255 OL-11157-01 Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-61
  • Cisco ACE-4710-K9 | Administration Guide - Page 176
    )# interface vlan 50 host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0 host1/Admin(config-if)# service-policy input L4_MGMT_POLICY host1/Admin(config-if)# service-policy input L4_FILTER_POLICY 4-62 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-11157-01
  • Cisco ACE-4710-K9 | Administration Guide - Page 177
    Chapter 4 Configuring Class Maps and Policy Maps Class Maps and Policy Map Examples Layer 7 Load-Balancing Example This example shows how to create a Layer 7 load-balancing traffic policy that enables the following processes to occur on the ACE: • Load balances traffic to the SPORTS-SERVER and
  • Cisco ACE-4710-K9 | Administration Guide - Page 178
    host1/Admin(config)# Apply the completed policies to interface VLAN 10 by entering the following commands: host1/Admin(config)# interface VLAN 10 host1/Admin(config-if)# service-policy input L4_SLB_POLICY 4-64 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-11157-01
  • Cisco ACE-4710-K9 | Administration Guide - Page 179
    Chapter 4 Configuring Class Maps and Policy Maps Class Maps and Policy Map Examples Layer 3 and Layer 4 Load-Balancing Example This example shows how to create a Layer 3 and 4 load-balancing traffic policy that enables the following processes to occur on the ACE: • Load balances traffic to the
  • Cisco ACE-4710-K9 | Administration Guide - Page 180
    the following commands: host1/Admin(config)# interface VLAN 10 host1/Admin(config-if)# service-policy input L4_SLB_POLICY VIP With Connection Parameters Example This example creates a Layer 3 and 4 traffic policy that enables the following processes to occur on the ACE: • Load balances traffic to
  • Cisco ACE-4710-K9 | Administration Guide - Page 181
    host1/Admin(config)# Apply the completed policies to interface VLAN 10 by entering the following commands: host1/Admin(config)# interface VLAN 10 host1/Admin(config-if)# service-policy input L4_SLB_POLICY OL-11157-01 Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-67
  • Cisco ACE-4710-K9 | Administration Guide - Page 182
    map and policy map configuration appears in bold in the example. In this configuration, when a server farm is chosen for a connection, the connection is sent to a real server based on one of several load-balancing predictors. The leastconns predictor method load balances connections to the server
  • Cisco ACE-4710-K9 | Administration Guide - Page 183
    Class Maps and Policy Maps Example of a Traffic Policy Configuration serverfarm host PRED-CONNS-UDP tcp eq www policy-map type management first-match L4_REMOTE-MGT_POLICY class L4_REMOTE-MGT_CLASS permit
  • Cisco ACE-4710-K9 | Administration Guide - Page 184
    min-mtu 68 access-group input ACL1 nat-pool 1 192.168.120.70 192.168.120.70 netmask 255.255.255.0 pat service-policy input L4SH-Gold-VIPs_POLICY no shutdown ip route 10.1.0.0 255.255.255.0 192.168.120.254
  • Cisco ACE-4710-K9 | Administration Guide - Page 185
    Generating configuration.... policy-map type management first-match REMOTE_MGMT_ALLOW class SSH-ALLOW permit class TELNET-ALLOW permit policy-map type loadbalance first-match L4_SLB_policy class L4_SLB_class
  • Cisco ACE-4710-K9 | Administration Guide - Page 186
    in service (applied to an interface). For example, to clear the statistics for the policy map REMOTE_MGMT_POLICY that is currently in service, enter: host1/Admin# clear service-policy REMOTE_MGMT_POLICY
  • Cisco ACE-4710-K9 | Administration Guide - Page 187
    of the ICMP error function for ICMP application protocol inspection: Enabled or Disabled. Nat Dynamic NAT pool identifier with the configured interface VLAN. VIP Route Metric Not applicable for the ACE appliance.
  • Cisco ACE-4710-K9 | Administration Guide - Page 188
    Maps, Policy Maps, and Service Policies Chapter 4 Configuring Class Maps and Policy Maps Table 4-11 Field Descriptions for the show service-policy detail Command Output (continued) Field Description VIP Route Advertise Not applicable for the ACE appliance. VIP State Operational state of
  • Cisco ACE-4710-K9 | Administration Guide - Page 189
    command. Applicable to only the FTP SYST command and its associated reply. Total Dropped On Error Total number of packets dropped due to an error in the match. Total Logged Total number of errors logged.
  • Cisco ACE-4710-K9 | Administration Guide - Page 191
    the context-specific startup-configuration files. When you copy a configuration file from the ACE, you create a copy of the configuration information of the context from where you executed the command.
  • Cisco ACE-4710-K9 | Administration Guide - Page 192
    the Startup-Configuration File with the Running-Configuration File • Viewing Configuration Files • Viewing User Context Running-Config Files from the Admin Context • Clearing the Startup-Configuration File
  • Cisco ACE-4710-K9 | Administration Guide - Page 193
    Admin context. You should save changes to the Admin context startup-configuration file; the Admin context startup-configuration file contains all configurations that are used to create each user context.
  • Cisco ACE-4710-K9 | Administration Guide - Page 194
    startup-config command in Exec mode. The copy serves as a backup file for the running-configuration file or startup-configuration file for the current context. Before installing or migrating to a new software version, back up the ACE startup-configuration file to a remote server using FTP, SFTP, or
  • Cisco ACE-4710-K9 | Administration Guide - Page 195
    the startup-configuration file to the disk0: file system, use the copy startup-config disk0: command in Exec mode. The syntax for the command is: copy {running-config | startup-config} disk0:[path/]filename
  • Cisco ACE-4710-K9 | Administration Guide - Page 196
    file overwrites the attributes in the running-configuration file. The syntax for the command is: copy startup-config running-config For example, enter: host1/Admin# copy startup-config running-config
  • Cisco ACE-4710-K9 | Administration Guide - Page 197
    Chapter 5 Managing the ACE Software Saving Configuration Files Viewing Configuration Files To display the ACE running-configuration file associated with the current context, use the show running-config command in Exec mode. Configuration entries within each mode in the running-configuration file
  • Cisco ACE-4710-K9 | Administration Guide - Page 198
    Saving Configuration Files Chapter 5 Managing the ACE Software • dhcp - (Optional) Displays Dynamic Host Configuration Protocol (DHCP) information. • domain - (Optional) Displays the list of domains configured for the current context. The ACE also displays configuration information for each domain
  • Cisco ACE-4710-K9 | Administration Guide - Page 199
    / role Admin domain default-domain username www password 5 $1$UZIiwUk7$QMVYN1JASaycabrHkhGcS/ role Admin domain default-domain snmp-server user www Network-Monitor snmp-server user admin Network-Monitor
  • Cisco ACE-4710-K9 | Administration Guide - Page 200
    the contents of the existing running-configuration file to the startup-configuration file by using the copy running-config startup-config command. See the "Saving the Configuration File in Flash Memory" section
  • Cisco ACE-4710-K9 | Administration Guide - Page 201
    copy command in Exec mode. The syntax for the command is: copy {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]} {running-config | startup-config}
  • Cisco ACE-4710-K9 | Administration Guide - Page 202
    storage; files in temporary storage are erased when the ACE reboots. The Admin context supports all four file systems in the ACE. The user context supports only the disk0: and volatile: file systems.
  • Cisco ACE-4710-K9 | Administration Guide - Page 203
    the File System on the ACE When you create a new context, the ACE creates a new context directory in Flash memory to store context-specific data such as startup-configuration files. The ACE provides a number of useful commands to help you manage software configuration and image files. This
  • Cisco ACE-4710-K9 | Administration Guide - Page 204
    Mar 15 18:35:27 2007 0x401_vsh_log.16296.tar.gz Usage for core: filesystem 1847296 bytes total used 64142336 bytes free 65989632 bytes available
  • Cisco ACE-4710-K9 | Administration Guide - Page 205
    on the disk0: file system. For example, to copy the file called SAMPLEFILE to the MYSTORAGE directory in the disk0: file system, enter: host1/Admin# copy disk0:samplefile disk0:MYSTORAGE/SAMPLEFILE
  • Cisco ACE-4710-K9 | Administration Guide - Page 206
    To copy an existing packet capture buffer to the disk0: file system, use the copy capture command in Exec mode. The syntax for the command is: copy capture capture_name disk0:[path/]destination_name
  • Cisco ACE-4710-K9 | Administration Guide - Page 207
    system of Flash memory (for example, a packet capture buffer file, ACE licenses in .tar format, or a system message log). Use the dir disk0: command to view the files available in the disk0: file system.
  • Cisco ACE-4710-K9 | Administration Guide - Page 208
    sufficient in all cases when copying files to a remote FTP server. For example, to save a core dump file to a remote FTP server, enter: host1/Admin# copy core:0x401_vsh_log.8249.tar.gz ftp://192.168.1.2
  • Cisco ACE-4710-K9 | Administration Guide - Page 209
    File already exists, do you want to overwrite?[y/n]: [y] y Enter username[]? user1 Enter the file transfer mode[bin/ascii]: [bin] Password: Passive mode on. Hash mark printing on (1024 bytes/hash mark).
  • Cisco ACE-4710-K9 | Administration Guide - Page 210
    the SFTP network server and, optionally, the renamed software system image. • tftp://server[:port]/path[/filename] - Specifies the TFTP network server and, optionally, the renamed software system image.
  • Cisco ACE-4710-K9 | Administration Guide - Page 211
    available zipped files on disk0:, use the dir command. For example, to unzip a compressed series of probe script files residing in the disk0: file system, enter: host1/Admin# gunzip disk0:PROBE_SCRIPTS.gz
  • Cisco ACE-4710-K9 | Administration Guide - Page 212
    .tar Creating a New Directory To create a directory in the disk0: file system of Flash memory, use the mkdir disk0: command in Exec mode. The syntax for this command is: mkdir disk0:[path/]directory
  • Cisco ACE-4710-K9 | Administration Guide - Page 213
    destination directory, that file is overwritten by the moved file. Note To view the files available in the disk0: file system, use the dir disk0: command.
  • Cisco ACE-4710-K9 | Administration Guide - Page 214
    - Deletes the specified file from the disk0: file system (for example, a packet capture buffer file or system message log). You can optionally provide a path to a file in a directory in the disk0: file system.
  • Cisco ACE-4710-K9 | Administration Guide - Page 215
    useful for data security and integrity. For example, to display the contents of a file residing in the current directory, enter: host1/Admin# show file disk0:myfile md5sum 3d8e05790155150734eb8639ce98a331
  • Cisco ACE-4710-K9 | Administration Guide - Page 216
    5 Managing the ACE Software Saving show Command Output to a File You can force all show screen output to be directed to a file by appending > filename to any command. For example, you can enter show interface > filename at the Exec mode CLI prompt to redirect the interface configuration command
  • Cisco ACE-4710-K9 | Administration Guide - Page 217
    with the same process identifier (PID). This section contains the following topics: • Copying Core Dumps • Clearing the Core Directory • Deleting a Core Dump File
  • Cisco ACE-4710-K9 | Administration Guide - Page 218
    you for the server information if you do not provide the information with the command. • Copies the file to the root directory of the destination file system if you do not provide path information.
  • Cisco ACE-4710-K9 | Administration Guide - Page 219
    name of a core dump file located in the core: file system. For example, to delete the file 0x401_VSH_LOG.25256.TAR.GZ from the core: file system, enter: host1/Admin# delete core:0x401_VSH_LOG.25256.TAR.GZ
  • Cisco ACE-4710-K9 | Administration Guide - Page 220
    be used to isolate packets that belong to a specific context. To trace the packets for a specific context, use the changeto Exec command to enter the specified context and then use the capture command.
  • Cisco ACE-4710-K9 | Administration Guide - Page 221
    the ACE will fail to match any packets. • bufsize buf_size - (Optional) Specifies the buffer size, in kilobytes (KB), used to store the packet capture. The range is from 1 to 5000 KB. The default is 64 KB.
  • Cisco ACE-4710-K9 | Administration Guide - Page 222
    for the packet capture buffer. Specify a text string from 1 to 80 alphanumeric characters. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
  • Cisco ACE-4710-K9 | Administration Guide - Page 223
    all types of received packets, the console display is in tcpdump format. For example, to display captured packet information for packet capture buffer CAPTURE1, enter: host1/Admin# show capture CAPTURE1
  • Cisco ACE-4710-K9 | Administration Guide - Page 224
    Copying Packet Information Chapter 5 Managing the ACE Software 0001: msg_type: ACE_HIT no Buffer usage : 19.00% Status : stopped For example, to display protocol information for a range of captured packets
  • Cisco ACE-4710-K9 | Administration Guide - Page 225
    Managing the ACE Software Capturing and Copying Packet Information 1020 12d5 00 ...N.P.4.8 j.... E k. ..k.v For example, to display captured packet information in tcpdump format, ...N.P.4.8 j....
  • Cisco ACE-4710-K9 | Administration Guide - Page 226
    Capturing and Copying Packet Information Chapter 5 Managing the ACE Software 0x0020: 45c0 002c b0de 0000 ff06 2005 : 5010 16d0 c131 00 [email protected] j.....;.... E..({n@[email protected]. ..k...v...or...N P....1.
  • Cisco ACE-4710-K9 | Administration Guide - Page 227
    to revert to the checkpointed configuration. This section contains the following topics: • Creating a Configuration Checkpoint • Deleting a Configuration Checkpoint • Rolling Back a Running Configuration
  • Cisco ACE-4710-K9 | Administration Guide - Page 228
    Using the Configuration Checkpoint and Rollback Service Chapter 5 Managing the ACE Software Creating a Configuration Checkpoint To create a configuration checkpoint, use the checkpoint create command in Exec mode in the context for which you want to create a checkpoint. The ACE supports a maximum
  • Cisco ACE-4710-K9 | Administration Guide - Page 229
    this command is: show checkpoint {all | detail name} The options and arguments are: • all - Displays a list of all existing checkpoints • detail name - Displays the running configuration of the specified checkpoint
  • Cisco ACE-4710-K9 | Administration Guide - Page 230
    all data on the Flash memory and reformat it with the ext3 base file system, use the format flash: command. All user-defined configuration information is erased. The ACE performs the following verification sequence prior to reformatting Flash memory: • If the system image (the current loaded image
  • Cisco ACE-4710-K9 | Administration Guide - Page 231
    existing startup-configuration files, running-configuration file, licenses, core dump files, or packet capture buffers, to a remote FTP, SFTP, or TFTP server. See the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide for details on how to use the crypto export command to
  • Cisco ACE-4710-K9 | Administration Guide - Page 232
    • Import SSL certificate files and key pair files into the associated context by using the crypto import command (see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide).
  • Cisco ACE-4710-K9 | Administration Guide - Page 233
    Displaying ICMP Statistics • Displaying Technical Support Information To view the contents of the current running-configuration file and startup-configuration file, see Chapter 5, Managing the ACE Software.
  • Cisco ACE-4710-K9 | Administration Guide - Page 234
    information unavailable from GRUB Device Manager version 1.0 (0) 20071009:0434 installed license: ACE-AP-VIRT-020 ACE-AP-OPT-LIC-K9 ACE-AP-SSL-10K-K9 Hardware cpu info: number of cpu(s): 1 cpu type: Pentium(R)
  • Cisco ACE-4710-K9 | Administration Guide - Page 235
    display ACE hardware inventory details, use the show hardware command. The syntax of this command is: show hardware For example, to display the ACE hardware inventory details, enter: host1/Admin# show hardware
  • Cisco ACE-4710-K9 | Administration Guide - Page 236
    of this command is: show inventory [raw] The optional raw keyword displays information about each component in the ACE. For example, to display the ACE hardware inventory details, enter: host1/Admin# show inventory
  • Cisco ACE-4710-K9 | Administration Guide - Page 237
    the temperature thresholds and the alarm status of temperature sensors. For example, to display the status and alarm states of the temperature sensors in the ACE, enter: host1/Admin# show environment
  • Cisco ACE-4710-K9 | Administration Guide - Page 238
    ACE Hardware and Software Configuration Information Table 6-3 describes the fields in the show environment command output. Table 6-3 Field Descriptions for the show environment Command process identifiers.
  • Cisco ACE-4710-K9 | Administration Guide - Page 239
    kjournald kjournald loop1 kjournald loop2 Table 6-4 describes the fields in the show processes command output. The show processes command displays summary CPU information for the Intel Pentium processor.
  • Cisco ACE-4710-K9 | Administration Guide - Page 240
    Current program counter in hex format. Number of times a process has been started. Terminal that controls the process. A "-" usually means a daemon is not running on any particular tty. Name of the process.
  • Cisco ACE-4710-K9 | Administration Guide - Page 241
    normally. Status of whether a stack trace is in the log. Status of whether a core file exists. Time when the log file was generated.
  • Cisco ACE-4710-K9 | Administration Guide - Page 242
    Current working directory. Virtual memory addresses where the code, data heap, and stack of the process are located. Process identifier. Service access point. Universal unique identifier of the Intel Pentium processor.
  • Cisco ACE-4710-K9 | Administration Guide - Page 243
    internal info command output. Table 6-9 Field Descriptions for the show terminal internal info Command Field Process Information Name Description Name of the executable that started the process.
  • Cisco ACE-4710-K9 | Administration Guide - Page 244
    element list). Identifier of the group the process belongs to (four element list). Process file descriptor size. Total number of groups. Total amount of virtual memory used by the process (in kBytes).
  • Cisco ACE-4710-K9 | Administration Guide - Page 245
    ) that may be created. Maximum size (in kbytes) of the data segment for a process. Maximum size (in blocks) of files created by the shell. Maximum size (in kbytes) which a process may lock into memory.
  • Cisco ACE-4710-K9 | Administration Guide - Page 246
    The error ID in hexadecimal format. The range is 0x0 to 0xffffffff. • list - Specifies all error IDs. • internal - Specifies a series of internal system-level commands for use by trained Cisco personnel only.
  • Cisco ACE-4710-K9 | Administration Guide - Page 247
    mode, and idle time in the last second. Total memory, used memory, free memory, memory used for buffers, and memory used for cache in KB. Buffers and cache are also included in the used memory statistics.
  • Cisco ACE-4710-K9 | Administration Guide - Page 248
    of ICMP error messages transmitted or received by the ACE. Number of ICMP echo request messages transmitted or received by the ACE. Number of ICMP echo reply messages transmitted or received by the ACE.
  • Cisco ACE-4710-K9 | Administration Guide - Page 249
    manual scrolling. Use the show terminal command to view the configured terminal size. After obtaining the output of this command, reset your terminal length as required (see Chapter 1, Setting Up the ACE).
  • Cisco ACE-4710-K9 | Administration Guide - Page 250
    Displaying Technical Support Information Chapter 6 Viewing ACE Hardware and Software Configuration Information Note You can save the output of this command to a file by appending > filename to the show tech-support command (see Chapter 5, Managing the ACE Software). If you save this file, verify
  • Cisco ACE-4710-K9 | Administration Guide - Page 251
    59 minute(s) 49 second(s) `show clock` Tue Mar 20 10:13:57 UTC 2007 `show inventory` NAME: "chassis", DESCR: "ACE 4710 Application Control Engine Appliance" PID: ACE-4710-K9 , VID: , SN: 2061 --More--
  • Cisco ACE-4710-K9 | Administration Guide - Page 252
    the TFTP network server and optional file name. For example, to send the output of the show tech-support command to a remote FTP server, enter: host1/Admin# tac-pac ftp://192.168.1.2/tac-output_10-7-07.gz
  • Cisco ACE-4710-K9 | Administration Guide - Page 253
    of two ACE appliances to ensure that your network remains operational even if one of the appliances becomes unresponsive. Redundancy ensures that your network services and applications are always available.
  • Cisco ACE-4710-K9 | Administration Guide - Page 254
    The ACE selects a VMAC from a pool of virtual MACs available to it. For more information about VMACs, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.
  • Cisco ACE-4710-K9 | Administration Guide - Page 255
    configure the active and the standby contexts on different ACEs. Figure 7-1 Even Distribution of Contexts (figure labels: N=2 with # redundant groups = 2, and N=2 with # redundant groups = 4; active contexts A, B, C, D with their standby peers A', B', C', D' on the other appliance)
  • Cisco ACE-4710-K9 | Administration Guide - Page 256
    (context). With a single context, the ACE supports active-backup redundancy and each group member is an Admin context. For details about configuring contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. The ACE sends and receives all redundancy
  • Cisco ACE-4710-K9 | Administration Guide - Page 257
    Address Translation (NAT) table based on information synchronized with the connection record • All Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections not terminated by the ACE
  • Cisco ACE-4710-K9 | Administration Guide - Page 258
    member. Communications over the switchover link include the following data: • Redundancy protocol packets • State information replication data • Configuration synchronization information • Heartbeat packets
  • Cisco ACE-4710-K9 | Administration Guide - Page 259
    configuration from the active member to the standby peer, it disables configuration mode on the standby. For information about configuring config sync, see the "Synchronizing Redundant Configurations" section.
  • Cisco ACE-4710-K9 | Administration Guide - Page 260
    Application Control Engine Appliance Routing and Bridging Configuration Guide. Redundancy Configuration Quick Start Table 7-1 provides a quick overview of the steps required to configure redundancy for each ACE in the redundancy configuration. Each step includes the CLI command or a reference to the
  • Cisco ACE-4710-K9 | Administration Guide - Page 261
    host1/C1# The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. 2. Enter configuration mode. host1/Admin# config host1/Admin(config
  • Cisco ACE-4710-K9 | Administration Guide - Page 262
    Configuring Redundant ACE Appliances Table 7-1 Redundancy Configuration Quick Start (continued) Task and Command Example 6. Create at least one FT group on each ACE. host1/Admin(config)# ft group 1 host1/Admin(config-ft-group)# 7. Associate a context with each FT group. You must associate the local
  • Cisco ACE-4710-K9 | Administration Guide - Page 263
    -config startup-config 15. (Recommended) Verify your redundancy configuration by using the following commands in Exec mode: host1/Admin# show running-config ft host1/Admin# show running-config interface
  • Cisco ACE-4710-K9 | Administration Guide - Page 264
    port-channel interface on the ACE for fault tolerance using a dedicated FT VLAN for communication between the members of an FT group, use the ft-port vlan command in interface configuration mode (see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide
  • Cisco ACE-4710-K9 | Administration Guide - Page 265
    FT VLAN port. • If you configure ACE appliance 1 to use port-channel interface 255 as the FT VLAN port, then be sure to configure ACE appliance 2 to use port-channel interface 255 as the FT VLAN port. Creating an FT VLAN To create an FT VLAN, use the ft interface command in configuration mode. The syntax
  • Cisco ACE-4710-K9 | Administration Guide - Page 266
    -intf)# no ip address Configuring the Peer IP Address The local member of the FT group communicates with the remote peer over the FT VLAN. To allow the local member to communicate with the remote peer, use the peer ip command in FT interface configuration mode. The syntax of this command is: peer ip
  • Cisco ACE-4710-K9 | Administration Guide - Page 267
    Redundant ACE Appliances Configuring Redundancy Enabling the FT VLAN To enable the FT VLAN, use the no shutdown command in FT interface configuration mode. The syntax of this command is: no shutdown For example, to enable the FT VLAN, enter: host1/Admin(config-ft-intf)# no shutdown To disable the
  • Cisco ACE-4710-K9 | Administration Guide - Page 268
    FT VLAN, see the "Configuring an FT VLAN" section. To associate an FT VLAN with a peer, use the ft-interface command in FT peer configuration mode. The syntax of this command is: ft-interface vlan vlan_id
  • Cisco ACE-4710-K9 | Administration Guide - Page 269
    . For example, to set the heartbeat count to 20, enter: host1/Admin(config-ft-peer)# heartbeat count 20 To reset the heartbeat count to the default of 10, enter: host1/Admin(config-ft-peer)# no heartbeat count
  • Cisco ACE-4710-K9 | Administration Guide - Page 270
    500 To reset the heartbeat interval to the default of 100 ms, enter: host1/Admin(config-ft-peer)# no heartbeat interval Configuring a Query Interface Configure a query interface to allow the standby member to determine whether the active member is down or if there is a connectivity problem with the
  • Cisco ACE-4710-K9 | Administration Guide - Page 271
    an FT group, use the associate-context command in FT group configuration mode. You need to make this association for both redundant contexts in an FT group. The syntax of this command is: associate-context name
  • Cisco ACE-4710-K9 | Administration Guide - Page 272
    member. To ensure that the member with the higher priority always becomes the active member, use the preempt command, which is enabled by default. For details, see the "Configuring Preemption" section.
  • Cisco ACE-4710-K9 | Administration Guide - Page 273
    the priority of the FT group on the standby member. Enter an integer from 1 to 255. The default is 100. Tip Configure a lower priority on the FT group member that you want to be the standby member.
  • Cisco ACE-4710-K9 | Administration Guide - Page 274
    the active member. By default, preemption is enabled. To configure preemption after it has been disabled, use the preempt command in FT group configuration mode. The syntax of this command is: preempt For example, enter: host1/Admin(config-ft-group)# preempt To disable preemption, enter: host1/Admin
  • Cisco ACE-4710-K9 | Administration Guide - Page 275
    the FT group. 3. Place the FT group back in service by using the inservice command. Note You can modify the priority, peer priority, and preempt command values without taking the FT group out of service.
  • Cisco ACE-4710-K9 | Administration Guide - Page 276
    example, to cause a failover from the active appliance to the standby appliance of FT group 1, enter: host1/Admin# ft switchover 1 This command will cause card to switchover (yes/no)? [no] yes host1/Admin#
  • Cisco ACE-4710-K9 | Administration Guide - Page 277
    the two ACEs in a redundant configuration, the auto-sync command is automatically disabled and a syslog message is generated. The syntax of this command is: ft auto-sync {running-config | startup-config}
  • Cisco ACE-4710-K9 | Administration Guide - Page 278
    context of an FT group when the standby context is in the STANDBY_COLD state. Doing so may cause the standby context running-configuration file to overwrite the active context running-configuration file.
  • Cisco ACE-4710-K9 | Administration Guide - Page 279
    auto-sync running-config 2. ft auto-sync running-config For example, to enable autosynchronization of the running-configuration file in the C1 context, enter: host1/C1(config)# ft auto-sync running-config
  • Cisco ACE-4710-K9 | Administration Guide - Page 280
    for an Interface Overview of Tracking and Failure Detection The ACE supports the tracking and failure detection of several network items. You can configure an ACE to track and detect failures in the following items in the Admin context and any user context: • Gateways or hosts • Interfaces If one
  • Cisco ACE-4710-K9 | Administration Guide - Page 281
    by the Standby Member • Configuring a Probe on the Standby Member for Host Tracking • Configuring a Priority on the Standby Member for Multiple Probes • Example of a Tracking Configuration for a Gateway
  • Cisco ACE-4710-K9 | Administration Guide - Page 282
    Creating a Tracking and Failure Detection Process for a Host or Gateway To create a tracking and failure detection process for a gateway or host, use the ft track host command in configuration mode. The syntax of this command is
  • Cisco ACE-4710-K9 | Administration Guide - Page 283
    creating probes, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. To associate an existing probe with a gateway or host for tracking by the active member, use the probe command in FT track host configuration mode. The syntax of this command
  • Cisco ACE-4710-K9 | Administration Guide - Page 284
    Enter the IP address in dotted-decimal notation (for example, 172.16.27.1). For example, to track the gateway located at 172.16.27.1, enter: host1/Admin(config-ft-track-host)# peer track-host 172.16.27.1
  • Cisco ACE-4710-K9 | Administration Guide - Page 285
    about creating probes, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. To associate an existing probe with a gateway or host for tracking by the standby member, use the peer probe command in FT track host configuration mode. The syntax
  • Cisco ACE-4710-K9 | Administration Guide - Page 286
    standby member, use the peer commands described in the "Configuring a Probe on the Standby Member for Host Tracking" and the "Configuring a Priority on the Standby Member for Multiple Probes" sections.
  • Cisco ACE-4710-K9 | Administration Guide - Page 287
    Configuring Tracking and Failure Detection for an Interface This section describes the commands that you enter to configure tracking and failure detection for an interface. It contains the following topics: • Creating
  • Cisco ACE-4710-K9 | Administration Guide - Page 288
    For example, enter: host1/Admin(config-ft-track-intf)# priority 50 To reset the interface priority on the active member to the default value of 0, enter: host1/Admin(config-ft-track-intf)# no priority 50
  • Cisco ACE-4710-K9 | Administration Guide - Page 289
    example, enter: host1/Admin(config-ft-track-intf)# peer priority 25 To reset the interface priority on the standby member to the default value of 0, enter: host1/Admin(config-ft-track-intf)# no peer priority 25
  • Cisco ACE-4710-K9 | Administration Guide - Page 290
    peer definition. • An FT group that is associated with the Admin context. • A critical tracking and failure detection process for an interface. The redundancy configuration appears in bold in the example.
  • Cisco ACE-4710-K9 | Administration Guide - Page 291
    Example of a Redundancy Configuration hostname ACE_Appliance_1 interface gigabitEthernet 1/2 speed 1000M duplex FULL ft-port vlan 200 no shutdown access-list ACL1 line 10 extended permit ip any any class-map type management match-any L4_REMOTE-
  • Cisco ACE-4710-K9 | Administration Guide - Page 292
    ft track interface TRACK_VLAN100 track-interface vlan 100 peer track-interface vlan 200 priority 50 peer priority 5 ip route 0.0.0.0 0.0.0.0 192.168.83.1
  • Cisco ACE-4710-K9 | Administration Guide - Page 293
    FT Group Information To display redundancy statistics per context, use the show ft group command in Exec mode. The syntax of this command is: show ft group {brief | {[group_id]{detail | status | summary}}}
  • Cisco ACE-4710-K9 | Administration Guide - Page 294
    for the show ft group Command Output: FT Group: FT group identifier. Configured Status: Configured state of the FT group. Possible states are in-service or out-of-service.
  • Cisco ACE-4710-K9 | Administration Guide - Page 295
    Table 7-2 Field Descriptions for the show ft group Command Output (continued): Maintenance Mode: Current maintenance mode of the local context in an FT group. Applications can turn on maintenance mode when
  • Cisco ACE-4710-K9 | Administration Guide - Page 296
    Table 7-2 Field Descriptions for the show ft group Command Output (continued): My State: State of the FT group member in the local ACE. Possible states are: • FSM_FT_STATE_INIT: Configuration for the FT group exists but the group is not in service. This
  • Cisco ACE-4710-K9 | Administration Guide - Page 297
    or Disabled. Startup Cfg Sync Status: Current status of config sync for the startup-config. For example: Startup configuration sync is disabled. No. of Contexts: Number of contexts associated with the FT group.
  • Cisco ACE-4710-K9 | Administration Guide - Page 298
    Table 7-3 ACE Object Types in the IDMAP Table: 0 = REAL ID, 1 = RSERVER ID, 2 = SERVERFARM ID, 3 = POLICY ID, 4 = STICKY GROUP ID, 5 = IF ID, 6 = CONTEXT ID. For example, enter: host1/Admin# show ft idmap
  • Cisco ACE-4710-K9 | Administration Guide - Page 299
    # show ft memory detail Displaying Peer Information To display peer information, use the show ft peer command in Exec mode. The syntax of this command is: show ft peer peer_id {detail | status | summary}
  • Cisco ACE-4710-K9 | Administration Guide - Page 300
    -Peer IP address is missing. Waiting for the peer IP address to be configured. FSM_PEER_STATE_START_HB: Peer configuration is complete. Starting the heartbeat to see if there is a peer device.
  • Cisco ACE-4710-K9 | Administration Guide - Page 301
    an error has occurred with the peer. Possible errors are version mismatch, license mismatch, or failure to establish a TCP connection to the peer. A syslog message appears with more detailed information.
  • Cisco ACE-4710-K9 | Administration Guide - Page 302
    sent to the peer. Total number of bytes that the local ACE sent to the peer. Total number of packets that the local ACE received from the peer. Total number of bytes that the local ACE received from the peer.
  • Cisco ACE-4710-K9 | Administration Guide - Page 303
    of this command is: show ft stats group_id The group_id argument displays additional load-balancing statistics (LB statistics) for the specified group. For example, enter: host1/Admin# show ft stats 1
  • Cisco ACE-4710-K9 | Administration Guide - Page 304
    Up Events Sent: Number of times that the local ACE sent a Peer Up message to the remote ACE. Num of Peer Down Events Sent: Number of times that the local ACE sent a Peer Down message to the remote ACE.
  • Cisco ACE-4710-K9 | Administration Guide - Page 305
    information that the local ACE received from the remote ACE. Number of Receive Failures: Number of times that the remote ACE sent packets to the local ACE, but the local ACE failed to receive them.
  • Cisco ACE-4710-K9 | Administration Guide - Page 306
    Descriptions for the show ft track Command Output: FT Group: FT group identifier. Status: Configured state of the FT group. Possible states are in-service or out-of-service.
  • Cisco ACE-4710-K9 | Administration Guide - Page 307
    Table 7-6 Field Descriptions for the show ft track Command Output (continued): Maintenance Mode: Current maintenance mode of the local context in an FT group. Applications can turn on maintenance mode when
  • Cisco ACE-4710-K9 | Administration Guide - Page 308
    the local ACE. Possible states are: • FSM_FT_STATE_INIT: Initial state for each member (local and peer) of an FT group. The configuration for the FT group exists but the group is not yet in service. • FSM_FT_STATE_ELECT: State that the local group member enters when you configure the inservice command
  • Cisco ACE-4710-K9 | Administration Guide - Page 309
    on the FT group in the local ACE. My Net Priority: Priority of the FT group, equal to the configured priority minus the priorities of any failed FT tracking processes. My Preempt: Preemption value of the FT group in the local ACE. Possible values are Enabled or Disabled. Context Name: Name
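The net-priority and preemption rules stated in the priority, preemption and tracking passages above, and summarized by the My Net Priority field here, as an added example that is not part of the Cisco guide: a small Python model of two FT group members. The appliance names, priorities and tracking values are constructed for the example. The guide does not state how a tie is broken or whose preempt setting governs a takeover, so those are assumptions and are marked as such in the code.

```python
"""Model of ACE FT group election: net priority and preemption.

Added example, not code from the Cisco guide. It encodes the rules the
excerpt states: net priority = configured FT group priority (1-255,
default 100) minus the priorities of the tracking processes that have
failed; preempt (enabled by default) makes the member with the higher
priority the active member. Assumptions not stated in the excerpt: the
standby's own preempt setting decides whether it takes over, a tie is not
resolved here, and a member that is down hands the role to its peer.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TrackProcess:
    """One ft track host / ft track interface process on a member.

    priority is subtracted from the FT group priority while the tracked
    interface, host or gateway is failed (the guide's default is 0).
    """
    name: str
    priority: int = 0
    failed: bool = False


@dataclass
class FtMember:
    name: str
    priority: int = 100                 # FT group priority, 1..255
    preempt: bool = True                # enabled by default on the ACE
    up: bool = True                     # False = member down (heartbeat lost)
    tracks: List[TrackProcess] = field(default_factory=list)
    active: bool = False                # current role of this member

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 255:
            raise ValueError("FT group priority must be 1..255")

    def net_priority(self) -> int:
        """'My Net Priority' in show ft group/track: priority minus failures."""
        return self.priority - sum(t.priority for t in self.tracks if t.failed)


def elect(a: FtMember, b: FtMember) -> Optional[str]:
    """Return the name of the member that should be active, None on a tie."""
    if not a.up and not b.up:
        return None
    if not a.up:
        return b.name
    if not b.up:
        return a.name
    current = a if a.active else b if b.active else None
    if current is None:
        # Initial election after inservice on both members.
        if a.net_priority() == b.net_priority():
            return None
        return a.name if a.net_priority() > b.net_priority() else b.name
    standby = b if current is a else a
    # A standby with a higher net priority takes over only if it preempts
    # (assumption: its own preempt setting is what counts).
    if standby.preempt and standby.net_priority() > current.net_priority():
        return standby.name
    return current.name


def apply_election(a: FtMember, b: FtMember) -> Optional[str]:
    """Run an election and record the resulting roles on both members."""
    winner = elect(a, b)
    a.active = winner == a.name
    b.active = winner == b.name
    return winner


def failover_walkthrough(standby_preempts: bool = True) -> List[Optional[str]]:
    """Constructed two-appliance scenario; returns the active member per step.

    Values are made up for this example: ACE_Appliance_1 is meant to be
    active (priority 150) and loses 60 if VLAN 100 goes down; the peer has
    the default priority 100 and loses only 5 for the same interface.
    """
    ace1 = FtMember("ACE_Appliance_1", priority=150,
                    tracks=[TrackProcess("TRACK_VLAN100", priority=60)])
    ace2 = FtMember("ACE_Appliance_2", priority=100, preempt=standby_preempts,
                    tracks=[TrackProcess("TRACK_VLAN100", priority=5)])
    steps = []
    steps.append(apply_election(ace1, ace2))   # 150 vs 100: ACE 1 active
    ace1.tracks[0].failed = True               # VLAN 100 down on ACE 1
    steps.append(apply_election(ace1, ace2))   # 90 vs 100: ACE 2 only if it preempts
    ace1.tracks[0].failed = False              # VLAN 100 recovers
    steps.append(apply_election(ace1, ace2))   # 150 vs 100: ACE 1 preempts back
    return steps


if __name__ == "__main__":
    print(failover_walkthrough(True))    # ACE 1, ACE 2, ACE 1
    print(failover_walkthrough(False))   # ACE 1 stays active throughout
```

Run it as a script to print the active member after each step; the numbers it computes are the ones to compare with My Net Priority in show ft group detail or show ft track detail on a real pair, and the second run shows why a standby with preempt disabled never takes over on a tracking failure alone.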
  • Cisco ACE-4710-K9 | Administration Guide - Page 310
    Controller debug log • ha_dp_mgr: Clears the HA (redundancy) dataplane manager debug log • ha_mgr: Clears the HA (redundancy) manager debug log For example, enter: host1/Admin# clear ft history cfg_cntlr
  • Cisco ACE-4710-K9 | Administration Guide - Page 311
    Location • Configuring SNMP Notifications • Assigning a Trap-Source Interface for SNMP Traps • Configuring SNMP Management Traffic Services • Example of an SNMP Configuration • Displaying SNMP Statistics
  • Cisco ACE-4710-K9 | Administration Guide - Page 312
    following topics: • Managers and Agents • SNMP Manager and Agent Communication • SNMP Traps and Informs • SNMPv3 CLI User Management and AAA Integration • Supported MIBs and Notifications • SNMP Limitations
  • Cisco ACE-4710-K9 | Administration Guide - Page 313
    ACE maintains a database of values for each definition. Browsing a MIB entails issuing an SNMP get request from the NMS. You can use any SNMPv3, MIB-II-compliant browser to receive SNMP traps and browse MIBs.
  • Cisco ACE-4710-K9 | Administration Guide - Page 314
    to frequently poll (gather information through a get operation) the managed devices. For details on MIB objects and SNMP notifications supported by the ACE, see the "Supported MIBs and Notifications" section.
  • Cisco ACE-4710-K9 | Administration Guide - Page 315
    -id configuration mode command. For details on the logging device-id command, see the Cisco 4700 Series Application Control Engine Appliance System Message Guide. Use the SNMP-TARGET-MIB to obtain more information on trap destinations and inform requests. For details on SNMP notifications supported
  • Cisco ACE-4710-K9 | Administration Guide - Page 316
    changes to the user group, role, or password result in database synchronization for both SNMP and AAA. To create a CLI user by using the username command, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. To create an SNMP user by using the
  • Cisco ACE-4710-K9 | Administration Guide - Page 317
    using the username command without a password, the SNMP user is created with the noAuthNoPriv security level. Supported MIBs and Notifications Table 8-1 identifies the supported MIBs for the ACE. Table 8-1 SNMP MIB Support (columns: MIB Support, Capability MIB, Description). Appliance MIBs: CISCO-ENTITY-VENDORTYPE (Capability MIB: N/A)
  • Cisco ACE-4710-K9 | Administration Guide - Page 318
    chassis. It provides sufficient information to correctly map the containment of these entities within the ACE. The ENTITY-MIB is supported only in the Admin context. The ENTITY-MIB is described in RFC 4133.
  • Cisco ACE-4710-K9 | Administration Guide - Page 319
    requires user configuration information such as specifying the role group that the user belongs to, authentication parameters for the user, the authentication password, and message encryption parameters.
  • Cisco ACE-4710-K9 | Administration Guide - Page 320
    points may be associated with a particular set of SNMP parameters, or a particular transport end point may be associated with several sets of SNMP parameters. The SNMP-TARGET-MIB is described in RFC 3413.
  • Cisco ACE-4710-K9 | Administration Guide - Page 321
    out by the agent. The SNMP-USER-BASED-SM-MIB is described in RFC 3414. Note User configuration is applicable only for SNMPv3; SNMPv1 and SNMPv2c use a community string match for user authentication.
  • Cisco ACE-4710-K9 | Administration Guide - Page 322
    • Configuration settings (settings for all the AAA servers instrumented in one instance of this MIB). • AAA server group configuration. • Application-to-AAA function-to-server group mapping configuration.
  • Cisco ACE-4710-K9 | Administration Guide - Page 323
    Support (continued): CISCO-AAA-SERVER-MIB (Capability MIB: CISCO-AAA-SERVER-CAPABILITY) and CISCO-APPLICATION-ACCELERATION-MIB (Capability MIB: CISCO-APPLICATION-ACCELERATION-CAPABILITY-MIB). CISCO-AAA-SERVER-MIB: Provides configuration and statistics that reflect the state of an AAA server operation within the device and AAA
  • Cisco ACE-4710-K9 | Administration Guide - Page 324
    port-channel interfaces are available only in the Admin context. In this case, the CISCO-IF-EXTENSION-MIB supports all the interfaces for the Admin context, while each individual user context supports only VLAN and BVI interfaces.
  • Cisco ACE-4710-K9 | Administration Guide - Page 325
    Table 8-1 SNMP MIB Support (continued): CISCO-IP-PROTOCOL-FILTER-MIB (Capability MIB: CISCO-IP-PROTOCOL-FILTER-CAPABILITY): Manages information to support packet filtering on IP protocols (RFC 791). The cippfIpProfileTable allows users to create, delete, and get information about
  • Cisco ACE-4710-K9 | Administration Guide - Page 326
    protocols and to send other requests (such as SNMP or FTP). This MIB contains tables that allow you to create or delete virtual contexts and assign interfaces and interface ranges to virtual contexts.
  • Cisco ACE-4710-K9 | Administration Guide - Page 327
    connections as well: • cslbxStatsCurrConnections • cslbxStatsTimedOutConnections Acts as an extension to the Cisco server load-balancing MIB (CISCO-SLB-MIB). It provides tables for the probe configuration.
  • Cisco ACE-4710-K9 | Administration Guide - Page 328
    Configures and monitors system log (syslog) management parameters for the ACE. Use this MIB to set up syslog servers and set logging severity levels. Syslog is described in RFC 3164.
  • Cisco ACE-4710-K9 | Administration Guide - Page 329
    SNMPv2. The management protocol, SNMPv2, provides for the exchange of messages that convey management information between the agents and the management stations. The SNMPv2-MIB is described in RFC 3418.
  • Cisco ACE-4710-K9 | Administration Guide - Page 330
    server configured in a server farm changed to a new state as a result of something other than user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on.
  • Cisco ACE-4710-K9 | Administration Guide - Page 331
    notification is sent for situations such as ARP failures, probe failures, and so on. Note No separate cesRealServerStateChange notifications are sent for each real server that listens on this rserver.
  • Cisco ACE-4710-K9 | Administration Guide - Page 332
    : • slbVServerState • slbVServerStateChangeDescr • slbVServerClassMap • slbVServerPolicyMap The ciscoSlbVServerStateChange is specified in the CISCO-SLB-MIB. The ACE generated one or more syslog messages.
  • Cisco ACE-4710-K9 | Administration Guide - Page 333
    , for example, if you specified the shut command followed by the no shut command, or the VLAN was removed from the switch configuration. Note The Ethernet data port and port-channel interfaces are available only in the Admin context. In this case, the linkUp and linkDown notifications support all the
  • Cisco ACE-4710-K9 | Administration Guide - Page 334
    SNMP Limitations If an SNMP MIB table has more than one string index that contains more than 48 characters, the index may not appear in the MIB table when you perform
  • Cisco ACE-4710-K9 | Administration Guide - Page 335
    on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. 2. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line. End with CNTL/Z host1/Admin(config)# 3. Configure one or more SNMP users from the ACE
  • Cisco ACE-4710-K9 | Administration Guide - Page 336
    -if)# service-policy input SNMP-ALLOW_POLICY host1/Admin(config-if)# exit 12. (Optional) Save your configuration changes to Flash memory. host1/Admin(config)# exit host1/Admin# copy running-config startup-config
  • Cisco ACE-4710-K9 | Administration Guide - Page 337
    configuration mode command, as described in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. To assign multiple roles to a user, enter multiple snmp-server user commands.
  • Cisco ACE-4710-K9 | Administration Guide - Page 338
    of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. • auth: (Optional) Sets authentication parameters for
  • Cisco ACE-4710-K9 | Administration Guide - Page 339
    a user to read data values, but prevents that user from modifying the data. Use the snmp-server community command in configuration mode to create or modify SNMP community names and access privileges.
  • Cisco ACE-4710-K9 | Administration Guide - Page 340
    automatically assigned the system-defined default group of Network-Monitor. For details on creating users, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide. • ro: (Optional) Allows read-only access for this community. For example, to specify an SNMP community
  • Cisco ACE-4710-K9 | Administration Guide - Page 341
    location, use the snmp-server location command in configuration mode. You can specify only one location. The syntax of this command is as follows: snmp-server location location To remove the location, enter: host1/Admin(config)# no snmp-server location
  • Cisco ACE-4710-K9 | Administration Guide - Page 342
    , arguments, and options are as follows: • host_address: The IP address of the host (the targeted recipient). Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
  • Cisco ACE-4710-K9 | Administration Guide - Page 343
    SNMP_Community1 udp-port 500 To remove the specified host, use the no form of the command. For example: host1/Admin(config)# no snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500
  • Cisco ACE-4710-K9 | Administration Guide - Page 344
    SNMP license manager notifications. This keyword appears only in the Admin context. - slb: Sends server load-balancing notifications. When you specify the slb keyword, you can specify a notification_option value.
  • Cisco ACE-4710-K9 | Administration Guide - Page 345
    protocol, the destination port, or the incoming VLAN. For example, to enable the ACE to send server load-balancing traps to the host group Network-Monitor, enter: host1/Admin(config)# snmp-server enable traps slb real
  • Cisco ACE-4710-K9 | Administration Guide - Page 346
    The snmp-server trap link ietf configuration mode command instructs the ACE to send the linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus. Note The Cisco var-binds are sent by default. To receive RFC 2863-compliant
  • Cisco ACE-4710-K9 | Administration Guide - Page 347
    snmp-server trap-source command in configuration mode. The syntax of this command is as follows: snmp a valid IP address, the ACE fails to send notifications for SNMPv1 traps. For example, to specify VLAN 50 as
  • Cisco ACE-4710-K9 | Administration Guide - Page 348
    Configuration Guide. This section contains the following topics: • Creating and Configuring a Layer 3 and Layer 4 Class Map • Creating a Layer 3 and Layer 4 Policy Map • Applying a Service Policy
  • Cisco ACE-4710-K9 | Administration Guide - Page 349
    Creating and Configuring a Layer 3 and Layer 4 Class Map To create a Layer 3 and Layer 4 class map to classify the SNMP management traffic that can be received by the ACE, use the class-map type management command in configuration mode
  • Cisco ACE-4710-K9 | Administration Guide - Page 350
    configuration mode to specify the description command. The syntax of this command is as follows: description text Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
  • Cisco ACE-4710-K9 | Administration Guide - Page 351
    subnet mask as the matching criteria or instruct the ACE to allow any client source address for the management traffic classification. Access the class map management configuration mode to specify the match protocol snmp command. The syntax of this command is as follows: [line_number] match protocol
  • Cisco ACE-4710-K9 | Administration Guide - Page 352
    Actions Creating a Layer 3 and Layer 4 Policy Map for SNMP Network Management Traffic Received by the ACE To configure a Layer 3 and Layer 4 policy map that permits the ACE to receive the SNMP management protocol, use the policy-map type management command in configuration mode. The ACE executes
  • Cisco ACE-4710-K9 | Administration Guide - Page 353
    When you use this command, you will access policy map management configuration mode. For example, to create a Layer 3 and Layer 4 network traffic management policy map, enter: host1/Admin(config)# policy-map type management first
  • Cisco ACE-4710-K9 | Administration Guide - Page 354
    listed in the class map to be received by the ACE. • Use the deny command in policy map class configuration mode to prevent the ACE from receiving the SNMP management protocols listed in the class map.
  • Cisco ACE-4710-K9 | Administration Guide - Page 355
    management policy map to a VLAN, enter: host1/Admin(config)# interface vlan 50 host1/Admin(config-if)# ip address 172.20.1.100 255.255.0.0 host1/Admin(config-if)# service-policy input SNMP_MGMT_ALLOW_POLICY
  • Cisco ACE-4710-K9 | Administration Guide - Page 356
    3 and Layer 4 SNMP management policy map, use the show service-policy command in Exec mode. The syntax of this command is as follows: show service-policy policy_name [detail] The keywords, options, and arguments are as follows: • policy_name-Identifier of an existing policy map that is currently in
  • Cisco ACE-4710-K9 | Administration Guide - Page 357
    with the context. The SNMP configuration appears in bold in the example. access-list ACL1 line 10 extended permit ip any any rserver host SERVER1 ip address 192.168.252.245 inservice rserver host SERVER2
  • Cisco ACE-4710-K9 | Administration Guide - Page 358
    any class-map type management match-any L4_REMOTE-ACCESS-LOCAL_CLASS description Enables SNMP remote management for local users 1 match protocol snmp
  • Cisco ACE-4710-K9 | Administration Guide - Page 359
    service-policy input L4_REMOTE-MGT_POLICY snmp-server user user1 Network-Monitor auth sha "adcd1234" snmp-server community ACE-public group ro snmp-server contact "User1 [email protected]" snmp-server location "San Jose CA" snmp-server host
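The points made above about SNMP authentication (a community string for SNMPv1/v2c, noAuthNoPriv for a user created without an auth password, and a management class map that either restricts SNMP to a source-address or accepts it from any source) can be turned into a configuration check. The following Python script is an added example, not code from the Cisco guide: it audits a constructed running-config fragment written in the command syntax the guide shows. The priv keyword on snmp-server user and the version 3 priv form of snmp-server host are assumptions about syntax this excerpt does not show.

```python
"""Audit an ACE running-config for weak SNMP settings.

Added example, not code from the Cisco guide. It applies the points the
excerpt makes: SNMPv1/v2c authenticate with a community string, a user
created without an auth password is noAuthNoPriv, and a management
class map can accept SNMP from any source or only from a source-address.
The sample config below is constructed; the 'priv' keyword on
snmp-server user and the 'version 3 priv user' form of snmp-server host
are assumptions about syntax this excerpt does not show.
"""
import re
from typing import Dict, List

# Constructed sample running-config fragment (not from a real appliance).
SAMPLE_CONFIG = """\
class-map type management match-any SNMP_MGMT_CLASS
  10 match protocol snmp source-address 192.168.11.0 255.255.255.0
class-map type management match-any OPEN_SNMP_CLASS
  10 match protocol snmp any
snmp-server user user1 Network-Monitor auth sha "adcd1234" priv "zyxw9876"
snmp-server user user2 Network-Monitor auth md5 "secret12"
snmp-server user user3 Network-Monitor
snmp-server community ACE-public group ro
snmp-server host 192.168.11.1 traps version 2c SNMP_Community1 udp-port 500
snmp-server host 192.168.11.2 traps version 3 priv user1
"""

Finding = Dict[str, object]


def security_level(args: List[str]) -> str:
    """SNMPv3 security level from the tokens after the user name."""
    if "auth" not in args:
        return "noAuthNoPriv"          # guide: no auth password -> noAuthNoPriv
    return "authPriv" if "priv" in args else "authNoPriv"


def audit_snmp_config(config: str) -> List[Finding]:
    """Return one finding per weak SNMP setting, with the config line number."""
    findings: List[Finding] = []

    def flag(lineno: int, rule: str, detail: str) -> None:
        findings.append({"line": lineno, "rule": rule, "detail": detail})

    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        toks = line.split()
        if line.startswith("snmp-server user "):
            user, args = toks[2], toks[3:]
            level = security_level(args)
            if level == "noAuthNoPriv":
                flag(lineno, "user-noauthnopriv", f"{user}: no authentication or encryption")
            elif level == "authNoPriv":
                flag(lineno, "user-authnopriv", f"{user}: authenticated but unencrypted")
            if "md5" in args:
                flag(lineno, "user-md5", f"{user}: MD5 authentication; prefer sha")
        elif line.startswith("snmp-server community "):
            flag(lineno, "community-string",
                 f"{toks[2]}: v1/v2c community string, matched in cleartext")
        elif line.startswith("snmp-server host "):
            m = re.search(r"\bversion\s+(1|2c|3)\b", line)
            if m is None:
                flag(lineno, "trap-v1-v2c", f"{toks[2]}: version not given; make version 3 explicit")
            elif m.group(1) in ("1", "2c"):
                flag(lineno, "trap-v1-v2c", f"{toks[2]}: notifications carry a community string")
        elif re.match(r"^(\d+\s+)?match protocol snmp any\b", line):
            flag(lineno, "snmp-any-source",
                 "management class map accepts SNMP from any source; use source-address")
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a quick compliance summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        rule = str(f["rule"])
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2} {f['rule']:<18} {f['detail']}")
```

Feed the output of show running-config to audit_snmp_config; each finding carries the line number, a rule identifier and a short reason, so the result can be wired into a configuration-compliance job, and user1 with both auth and priv shows the configuration that produces no finding.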
  • Cisco ACE-4710-K9 | Administration Guide - Page 360
    Use the show snmp commands in Exec mode to display SNMP statistics and configured SNMP information. By default, this command displays the ACE contact, ACE location, packet traffic information, community strings, and user information. You can instruct the ACE to display specific SNMP information
  • Cisco ACE-4710-K9 | Administration Guide - Page 361
    -only. User: String that identifies the name of the SNMP user. Auth: Authentication of a packet without encryption. Priv: Authentication of a packet with encryption. Group: User role group to which the user belongs.
  • Cisco ACE-4710-K9 | Administration Guide - Page 362
    on the device, or in nonvolatile or persistent memory, where settings remain after the device has been turned off and on again. Row Status: Status of whether the row for the SNMP group is active or inactive.
  • Cisco ACE-4710-K9 | Administration Guide - Page 363
    User: String that identifies the name of the SNMP user
    Auth: Authentication of a packet without encryption
    Priv: Authentication of a packet with encryption
    Group: User role group to which the user belongs
  • Cisco ACE-4710-K9 | Administration Guide - Page 365
    The ACE creates the following default user accounts at startup: admin, dm, and www.
    • The admin user is the global administrator and cannot be deleted.
    • The dm user is for accessing the Device Manager GUI and cannot be deleted.
  • Cisco ACE-4710-K9 | Administration Guide - Page 366
    with the ACE Web services provide network-based software applications that use XML to transmit, exchange, and interpret data among applications that would otherwise have difficulty interoperating.
  • Cisco ACE-4710-K9 | Administration Guide - Page 367
    other users with the Admin user role. A network management station (NMS), such as the CiscoWorks Hosting Solution Engine (HSE), can connect to the ACE and push new configurations to it over HTTP or HTTPS.
  • Cisco ACE-4710-K9 | Administration Guide - Page 368
    />
    ********
    Server HTTP/1.1 200 OK
    Content-Length: 21
    interface vlan 80
      ip address 60.0.0.145 255.255.255.0
      access-group input acl1
      no shutdown
  • Cisco ACE-4710-K9 | Administration Guide - Page 370
    exit
    description xyz
    unrecognized element - description
  • Cisco ACE-4710-K9 | Administration Guide - Page 371
    . See the "Enabling the Display of Raw XML Request show Command Output in XML Format" section for details. For details on the show command output supported in XML format, consult the ace_appliance.dtd file.
  • Cisco ACE-4710-K9 | Administration Guide - Page 372
    The following example shows the sequence of ACE CLI commands for creating a real server followed by the associated DTD XML rserver elements for the commands.
    [no] rserver [host | redirect] name
    [no] conn-limit
  • Cisco ACE-4710-K9 | Administration Guide - Page 373
    no"/>
    BRIDGING CONFIGURATION
    conf t
    access-list acl1 extended permit ip any any
    int vlan 80
      access-group input acl1
  • Cisco ACE-4710-K9 | Administration Guide - Page 375
    Quick Start Task and Command Example
    1. Enter configuration mode.
    host1/Admin# config
    Enter configuration commands, one per line. End with CNTL/Z.
    host1/Admin(config)#
    2. Create a Layer 3 and Layer 4 class map to classify the HTTP or HTTPS management traffic that can be received by the ACE.
    host1
  • Cisco ACE-4710-K9 | Administration Guide - Page 376
    Note: True XML responses always automatically appear in XML format.
    host1/Admin# xml-show on
    6. (Optional) Save your configuration changes to Flash memory.
    host1/Admin# copy running-config startup-config
  • Cisco ACE-4710-K9 | Administration Guide - Page 377
    Engine Appliance Virtualization Configuration Guide. This section contains the following topics:
    • Creating and Configuring a Class Map
    • Creating a Layer 3 and Layer 4 Policy Map
    • Applying a Service Policy
  • Cisco ACE-4710-K9 | Administration Guide - Page 378
    Creating and Configuring a Class Map
    To create a Layer 3 and Layer 4 class map to classify the HTTP or HTTPS management traffic that can be received by the ACE, use the class-map type management configuration command. This command allows network management traffic by
  • Cisco ACE-4710-K9 | Administration Guide - Page 379
    HTTP and HTTPS Management Traffic Services
    The CLI displays the class map management configuration mode. To classify the remote HTTP or HTTPS management traffic received by the ACE, include one or more of the following commands to configure the match criteria
  • Cisco ACE-4710-K9 | Administration Guide - Page 380
    keyword specifies secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the Device Manager GUI on the ACE
    • any - Specifies any client source address for the management traffic classification.
  • Cisco ACE-4710-K9 | Administration Guide - Page 381
    received by the ACE, use the policy-map type management command in configuration mode. The ACE executes the action for the first matching classification. The ACE does not execute any additional actions.
  • Cisco ACE-4710-K9 | Administration Guide - Page 382
    3 and Layer 4 traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
  • Cisco ACE-4710-K9 | Administration Guide - Page 383
    (config-pmap-mgmt)# class class-default
    host1/Admin(config-pmap-mgmt-c)#
    To remove a class map from a Layer 3 and Layer 4 policy map, enter:
    host1/Admin(config-pmap-mgmt)# no class XML-HTTPS-ALLOW_CLASS
  • Cisco ACE-4710-K9 | Administration Guide - Page 384
    configuration mode applies the policy map to a specific VLAN interface. Specifying a policy map in the configuration mode applies the policy to all of the VLAN interfaces associated with a context.
  • Cisco ACE-4710-K9 | Administration Guide - Page 385
    service-policy input MGMT_XML-HTTPS_POLICY
    To globally detach the XML HTTPS management policy from all VLANs associated with a context, enter:
    host1/Admin(config)# no service-policy input MGMT_XML-HTTPS_POLICY
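The SNMP configuration shown in Chapter 8 above (an snmp-server user with auth but no priv, an SNMPv1/v2c community string) and the HTTP/HTTPS management class map, policy map and service policy just described are the settings a reviewer looks at first on a management plane. The following Python script is an added example, not code from the Cisco guide or from the ACE: it parses a running-config made of the same kinds of lines and reports management protocols permitted in clear text or from any source address, SNMPv3 users without privacy, and community strings. The sample configuration is constructed for the example, and the `snmp-server user ... priv` form and the stanza indentation are assumed from the ACE CLI syntax; a real `show running-config` may need the parser adjusted.

```python
"""Audit an ACE running-config for weak management-plane settings (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]   # (severity, subject, message)

PLAINTEXT_PROTOCOLS = {"http", "telnet"}   # credentials cross the wire unencrypted
WELL_KNOWN_COMMUNITIES = {"public", "private"}

# "1 match protocol https source-address 10.0.0.0 255.0.0.0" or "match protocol snmp"
MATCH_RE = re.compile(
    r"^(?:\d+\s+)?match protocol (\S+)(?:\s+source-address\s+(\S+)\s+(\S+))?$")

# Constructed sample built from the kinds of lines the guide's SNMP and
# HTTP/HTTPS management examples show; not a real device configuration.
# The `snmp-server user ... priv` form is assumed from the ACE CLI syntax.
SAMPLE_CONFIG = """\
class-map type management match-any L4_REMOTE-ACCESS-LOCAL_CLASS
  description Enables SNMP remote management for local users
  1 match protocol snmp
  2 match protocol telnet
class-map type management match-any XML-HTTPS-ALLOW_CLASS
  2 match protocol https source-address 192.168.10.0 255.255.255.0
class-map type management match-any HTTP_CLASS
  1 match protocol http
policy-map type management first-match L4_REMOTE-MGT_POLICY
  class L4_REMOTE-ACCESS-LOCAL_CLASS
    permit
policy-map type management first-match MGMT_XML-HTTPS_POLICY
  class XML-HTTPS-ALLOW_CLASS
    permit
  class HTTP_CLASS
    deny
interface vlan 80
  ip address 60.0.0.145 255.255.255.0
  service-policy input MGMT_XML-HTTPS_POLICY
  no shutdown
service-policy input L4_REMOTE-MGT_POLICY
snmp-server user user1 Network-Monitor auth sha "adcd1234"
snmp-server user user2 Network-Monitor auth sha "auth-pass" priv "priv-pass"
snmp-server community ACE-public group ro
snmp-server community public group ro
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a config into (top-level line, [indented child lines]) stanzas."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_management_plane(config: str) -> List[Finding]:
    """Return (severity, subject, message) findings for the config."""
    class_maps: Dict[str, List[Tuple[str, Optional[str]]]] = {}  # name -> [(proto, src)]
    permitted: Dict[str, List[str]] = {}   # policy-map -> classes it permits
    applied: Set[str] = set()              # policy-maps attached with service-policy
    findings: List[Finding] = []

    for header, children in parse_blocks(config):
        words = header.split()
        if header.startswith("class-map type management"):
            matches = [MATCH_RE.match(c) for c in children]
            class_maps[words[-1]] = [(m.group(1), m.group(2)) for m in matches if m]
        elif header.startswith("policy-map type management"):
            permitted[words[-1]] = []
            current = None
            for child in children:
                if child.startswith("class "):
                    current = child.split()[1]
                elif child == "permit" and current:
                    permitted[words[-1]].append(current)
        elif header.startswith("service-policy input"):
            applied.add(words[-1])                      # applied to every VLAN in the context
        elif header.startswith("interface"):
            applied.update(c.split()[-1] for c in children if c.startswith("service-policy input"))
        elif header.startswith("snmp-server user"):
            if " auth " not in header:
                findings.append(("high", words[2], "SNMPv3 user with no authentication (noAuthNoPriv)"))
            elif " priv " not in header:
                findings.append(("medium", words[2], "SNMPv3 user has auth but no priv: traffic is authenticated, not encrypted"))
        elif header.startswith("snmp-server community"):
            if words[2].lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(("high", words[2], "well-known SNMPv1/v2c community string"))
            else:
                findings.append(("medium", words[2], "SNMPv1/v2c community: the string travels in clear text"))

    # Only match lines reachable through an applied, permitting policy admit traffic.
    for policy in sorted(applied):
        for cls in permitted.get(policy, []):
            for proto, source in class_maps.get(cls, []):
                if proto in PLAINTEXT_PROTOCOLS:
                    findings.append(("high", cls, f"permits plaintext {proto} management"))
                if source is None:
                    findings.append(("medium", cls, f"permits {proto} management from any source address"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit_management_plane(SAMPLE_CONFIG):
        print(f"[{severity}] {subject}: {message}")
```

Because the ACE evaluates a management policy map first-match and only the classes the applied policy permits admit traffic, the script reports only match lines reachable through a `service-policy input` attached globally or to a VLAN interface; a class that is defined but only ever denied, or that sits in a policy map never applied, produces no finding. On the constructed sample that leaves the SNMP and Telnet class permitted from any source, the auth-only SNMPv3 user and the two community strings, while the HTTPS class restricted by source-address passes.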
  • Cisco ACE-4710-K9 | Administration Guide - Page 386
    a more detailed listing of policy map statistics and status information.
    Note: The ACE updates the counters that the show service-policy command displays after the applicable connections are closed.
  • Cisco ACE-4710-K9 | Administration Guide - Page 387
    of 64 alphanumeric characters. For example, to clear the statistics for the policy map MGMT_XML-HTTPS_POLICY that is currently in service, enter:
    host1/Admin# clear service-policy MGMT_XML-HTTPS_POLICY
  • Cisco ACE-4710-K9 | Administration Guide - Page 388
    -type (vlan | bvi) #IMPLIED interface-number CDATA #IMPLIED" >
    The XML representation of the show interface command appears as follows:
  • Cisco ACE-4710-K9 | Administration Guide - Page 390
    of raw XML request show command output in XML format from the CLI, enter:
    host1/Admin# xml-show on
    To return to displaying CLI show command output in regular CLI output, enter:
    host1/Admin# xml-show off
  • Cisco ACE-4710-K9 | Administration Guide - Page 391
    the Cisco ACE appliance Management page, perform the following procedure:
    a. Specify the HTTP or secure HTTP (HTTPS) address of your ACE in the address field:
    https://ace_ip_address
    http://ace_ip_address
  • Cisco ACE-4710-K9 | Administration Guide - Page 392
    the link under the Resources column of the Cisco ACE appliance Management page to access the ace_appliance.dtd file. You can choose to either open the ace_appliance.dtd file or save it to your computer.
  • Cisco ACE-4710-K9 | Administration Guide - Page 393
    ACE Software
    • Software Upgrade Quick Start
    • Copying the Software Upgrade Image to the ACE
    • Configuring the ACE to Autoboot the Software Image
    • Reloading the ACE
    • Displaying Software Image Information
  • Cisco ACE-4710-K9 | Administration Guide - Page 394
    so. Otherwise, after you upgrade the ACE software, you will only be able to log in to the ACE through the console port. See Chapter 1, Setting Up the ACE for details on changing the admin account password.
  • Cisco ACE-4710-K9 | Administration Guide - Page 395
    context for which you want to create a configuration checkpoint and name the checkpoint. For details about creating a checkpoint and rolling back a configuration, see Chapter 5, Managing the ACE Software.
  • Cisco ACE-4710-K9 | Administration Guide - Page 396
    image to the image: directory of each ACE. For example, to copy the image with the name c4710ace-t1k9-mz.A1_7.bin using FTP, enter:
    host1/Admin# copy ftp://server1/images/c4710ace-t1k9-mz.A1_7.bin image:
  • Cisco ACE-4710-K9 | Administration Guide - Page 397
    to ACE-2 by entering the following command on ACE-2:
    host1/Admin# show bootvar
    BOOT variable = "disk0:/c4710ace-t1k9-mz.A1_7.bin; disk0:/c4710ace-mz.3.0.0_AB0_0.488.bin"
    Configuration register is 0x1
  • Cisco ACE-4710-K9 | Administration Guide - Page 398
    the system
    Save configurations for all the contexts. Save? [yes/no]: [yes]
    10. Enter the show ft group detail command to verify that ACE-1 is in the ACTIVE state and ACE-2 is in the STANDBY_HOT state.
  • Cisco ACE-4710-K9 | Administration Guide - Page 399
    Admin# copy ftp://server1/images/c4710ace-t1k9-mz.A1_7.bin image:
    To set the boot variable and configure the ACE to autoboot this image, see the "Configuring the ACE to Autoboot the Software Image" section.
  • Cisco ACE-4710-K9 | Administration Guide - Page 400
    context from the configuration mode. The syntax for this command is: boot system image:image_name The image_name argument is the name of the installed image. You can set up to two images through the boot system command. If the first image fails, the ACE tries the second image. For example, to set
  • Cisco ACE-4710-K9 | Administration Guide - Page 401
    different settings of the config-register command, refer to Chapter 1, Setting Up the ACE. For example, to set the register to 0x1 to boot the system image, enter:
    host1/Admin(config)# config-register 0x1
  • Cisco ACE-4710-K9 | Administration Guide - Page 402
    from the Exec mode. The syntax for this command is:
    reload
    For example, enter:
    host1/Admin# reload
    This command will reboot the system
    Save configurations for all the contexts. Save? [yes/no]: [yes]
  • Cisco ACE-4710-K9 | Administration Guide - Page 403
    : /dev/hdb2 total: 861668 kB, used: 348552 kB, available: 469344 kB
    last boot reason: reload command by root
    configuration register: 0x1
    switch kernel uptime is 0 days 18 hours 52 minute(s) 58 second(s)
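The upgrade steps above copy the image with `copy ftp://... image:`, set the boot order with `boot system image:`, set the configuration register to 0x1 and then reload. Plain FTP gives no integrity protection for the image, and the BOOT variable is what decides whether the ACE comes back on the new image with the old one as fallback, so the following Python script is the pre-reload check a practitioner would run between copying the image and typing `reload`. It is an added example, not code from the guide or from the ACE: the `show bootvar` text mirrors the output quoted above, while the image bytes and the "published" digest are constructed so the example runs offline; on a real upgrade the expected digest comes from the vendor's download page, out of band from the FTP copy.

```python
"""Pre-reload checks for an ACE software upgrade (added example)."""
import hashlib
import hmac
import re
from typing import List, Optional

# Constructed stand-ins: not a real ACE image, and the digest is computed
# here only so the example runs offline. On a real upgrade the expected
# digest comes from the vendor download page, not from the copied file.
SAMPLE_IMAGE = b"constructed stand-in for c4710ace-t1k9-mz.A1_7.bin\n"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

# Mirrors the `show bootvar` output quoted in the guide's upgrade chapter.
SAMPLE_BOOTVAR = (
    'BOOT variable = "disk0:/c4710ace-t1k9-mz.A1_7.bin; '
    'disk0:/c4710ace-mz.3.0.0_AB0_0.488.bin"\n'
    "Configuration register is 0x1\n"
)

NEW_IMAGE = "c4710ace-t1k9-mz.A1_7.bin"
PREVIOUS_IMAGE = "c4710ace-mz.3.0.0_AB0_0.488.bin"

BOOTVAR_RE = re.compile(r'BOOT variable = "([^"]*)"')
CONFIG_REG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)")


def verify_image(data: bytes, expected_sha256: str) -> bool:
    """True if the copied image matches the digest published out of band.

    FTP and the ACE copy command do not authenticate the file, so this is
    the only check that the image was not altered in transit or on the
    FTP server."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def parse_boot_images(show_bootvar: str) -> List[str]:
    """Return the images listed in the BOOT variable, in boot order."""
    m = BOOTVAR_RE.search(show_bootvar)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(";") if p.strip()]


def check_boot_order(show_bootvar: str, new_image: str,
                     previous_image: Optional[str] = None) -> List[str]:
    """Return the problems a reload would run into; empty means go ahead.

    The ACE tries the first image and falls back to the second, so the new
    image must be first and the known-good previous image should follow."""
    problems: List[str] = []
    images = parse_boot_images(show_bootvar)
    if not images:
        problems.append("no BOOT variable set: nothing to autoboot")
    else:
        if not images[0].endswith("/" + new_image):
            problems.append(f"first boot image is {images[0]}, expected {new_image}")
        if previous_image and not any(i.endswith("/" + previous_image) for i in images[1:]):
            problems.append(f"no fallback entry for the previous image {previous_image}")
        if len(images) > 2:
            problems.append("more than two images listed; boot system accepts at most two")
    reg = CONFIG_REG_RE.search(show_bootvar)
    if reg is None or reg.group(1).lower() != "0x1":
        found = reg.group(1) if reg else "missing"
        problems.append(f"configuration register is {found}, not the 0x1 the upgrade sets")
    return problems


def preflight(image: bytes, expected_sha256: str, show_bootvar: str) -> List[str]:
    """Combine both checks into one go/no-go list."""
    problems = [] if verify_image(image, expected_sha256) else [
        "image digest mismatch: do not boot this file"]
    return problems + check_boot_order(show_bootvar, NEW_IMAGE, PREVIOUS_IMAGE)


if __name__ == "__main__":
    issues = preflight(SAMPLE_IMAGE, EXPECTED_SHA256, SAMPLE_BOOTVAR)
    print("ready to reload" if not issues else "\n".join(issues))
```

Run `preflight()` against the file you copied to `image:` and the text of `show bootvar` on each appliance before the `reload` step; an empty list means the digest matches, the new image boots first, the previous image is still listed as the fallback and the register is 0x1. In a redundant pair this is worth doing on ACE-2 before the failover described in the quick start, since a bad boot order on the standby is only discovered when it becomes active.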
  • Cisco ACE-4710-K9 | Administration Guide - Page 405
    5-11 configuration files, saving 5-1 console connection 1-2 date and time, configuring 1-15 Flash memory, reformatting 5-40 inactivity timeout 1-12 information, displaying 6-1 licenses, managing 3-1 logging in 1-7 message-of-the-day banner 1-13 MIBs 8-7 naming 1-12 password, changing administrative
  • Cisco ACE-4710-K9 | Administration Guide - Page 406
    criteria 4-32 Layer 3 and 4 quick start for management traffic 4-12 Layer 3 and 4 quick start for network traffic 4-10 Layer 7, configuring 4-38 Layer 7, for FTP command inspection 4-42 Layer 7, for HTTP deep packet inspection 4-41 Layer 7, for HTTP load balancing 4-39 Layer 7 quick start 4-14
  • Cisco ACE-4710-K9 | Administration Guide - Page 407
    5-10 loading from remote server 5-11 merging startup with running 5-6 saving 5-1 saving in Flash memory 5-3 saving to remote server 5-4 configuration register setting boot method 1-35, A-8 values 1-35 configuration synchronization redundancy 7-7 SSL certs and keys 7-26 console connection to ACE
  • Cisco ACE-4710-K9 | Administration Guide - Page 408
    configuring 1-15 daylight saving time setting 1-19 time zone setting 1-16 viewing system clock 1-21 daylight saving time setting 1-19 default user admin 1-7, 9-1 dm 1-7, 9-1 www 1-7, 9-1 demo license, replacing with permanent license 3-8 Device Manager GUI, enabling connectivity 1-3, 2-7 directory
  • Cisco ACE-4710-K9 | Administration Guide - Page 409
    7-41 modifying 7-23 placing in service 7-23 preemption, configuring 7-22 FTP command inspection class map 4-42 FT peer associating with FT group 7-20 associating with FT VLAN 7-16 configuring 7-16
  • Cisco ACE-4710-K9 | Administration Guide - Page 410
    A-11 version A-11 inactivity timeout 1-12 interface failure detection See failure detection inventory, displaying hardware 6-4 IP address alias 7-15 K key generating for license 3-5 pair for SSH host 2-17
  • Cisco ACE-4710-K9 | Administration Guide - Page 411
    4-54 licenses backing up 3-15 copying 5-16 copying to ACE 3-6 displaying configuration and statistics 3-16 generating key 3-5 installing 3-7 list of available 3-2 managing 3-1 ordering upgrade license 3-5
  • Cisco ACE-4710-K9 | Administration Guide - Page 412
    SNMP 8-31 logging into ACE 1-7 M management access Layer 3 and 4 traffic 9-17 Layer 3 and 4 traffic classification 4-35 Layer 3 and 4 traffic policy 2-9, 4-44 quick start 4-10 service policy, applying 4-58 SSH, configuring 2-16 Telnet 2-15 message-of-the-day banner 1-13 MIBs 8-7 monitoring See SNMP
  • Cisco ACE-4710-K9 | Administration Guide - Page 413
    4-71 configuration example 4-68 connection redundancy 4-49 example, firewall 4-60 example, Layer 3 and 4 load balancing 4-65 example, Layer 7 load balancing 4-63 example, VIP 4-66 IP, TCP, and UDP connection behavior 4-49 Layer 3 and 4, configuring 4-43 Layer 3 and 4, for management traffic
  • Cisco ACE-4710-K9 | Administration Guide - Page 414
    , configuring 2-4 policy actions 2-12 policy map 2-9 quick start 2-2 service policy 2-13 Telnet 2-15 terminating user session 2-19 remote server copying files from 5-19 copying files to 5-17 copying image to 5-20
  • Cisco ACE-4710-K9 | Administration Guide - Page 415
    Network Management Protocol See SNMP SNMP AAA integration 8-6 agents, communication 8-4 agents, overview 8-3 class map, creating 8-39 CLI user management 8-6 communities 8-29 configuration examples 8-47
  • Cisco ACE-4710-K9 | Administration Guide - Page 416
    8-4 managers, overview 8-3 MIBs 8-7 notifications 8-32 overview 8-2 policy actions 8-44, 9-20 policy map, creating 8-42 quick start 8-25 service policy 8-45 statistics 8-50 traps 8-20 traps and informs 8-5 users, configuring 8-27 VLAN interface, assigning 8-37 software licenses See licenses software
  • Cisco ACE-4710-K9 | Administration Guide - Page 417
    1-16 tracking See failure detection traps, SNMP 8-5, 8-20 U uncompressing files in disk0 5-21 untarring files in disk0 5-22 upgrade license 3-5 upgrading booting image A-8 copying image to ACE A-7 image information A-11 overview A-2 quick start A-4 reloading ACE A-10 user configuring for SNMP 8-27
  • Cisco ACE-4710-K9 | Administration Guide - Page 418
    support 9-4 HTTP return codes 9-5 management traffic, configuring 2-8, 9-13 overview 9-2 policy map, creating 9-17 quick start 9-11 sample configuration 9-9 service policy 9-20 show command output 9-24
