Home » Cisco Manuals » Servers » Cisco ACE-4710-K9 » Manual Viewer

Cisco ACE-4710-K9 Administration Guide - Page 121

loadbalance, policy, policy-map, first-match, all-match, multi-match

Add to My Manuals
Save this manual to your list of manuals

Page 121 highlights

Chapter 4 Configuring Class Maps and Policy Maps Class Map and Policy Map Overview The ACE supports a system-wide maximum of 4096 policy maps. A Layer 7 policy map is always associated within a Layer 3 and Layer 4 policy map to provide an entry point for traffic classification. Layer 7 policy maps are considered to be child policies and can only be nested under a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface; a Layer 7 policy map cannot be directly applied on an interface. For example, to associate a Layer 7 load-balancing policy map, you nest the load-balancing policy map by using the Layer 3 and Layer 4 loadbalance policy command. Depending on the policy-map command, the ACE executes the action specified in the policy map on the network traffic as follows: • first-match-For policy-map commands that contain the first-match keyword, the ACE executes the specified action only for traffic that meets the first matching classification within a policy map. No additional actions are executed. • all-match-For policy-map commands that contain the all-match keyword, the ACE attempts to match a packet against all classes in the policy map and executes the actions of all matching classes associated with the policy map. • multi-match-For policy-map commands that contain the multi-match keyword, these commands specify that multiple sets of classes exist in the policy map and allow a multi-feature policy map. The ACE applies a first-match execution process to each class set in which a packet can match multiple classes within the policy map, but the ACE executes the action for only one matching class within each class set. The definition of which classes are in the same class set depends on the actions applied to the classes; the ACE associates each policy map action with a specific set of classes. Some ACE functions may be associated with the same class set as other features (for example, application protocol inspection actions would typically be associated with the same class set), while the ACE associates other features with a different class set. When there are multiple instances of actions of the same type configured in a policy map, the ACE performs the first action encountered of the same type that has a match. OL-11157-01 Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-7

Section	Page
Cisco 4700 Series Application Control Engine Appliance Administration Guide	1
Contents	3
Preface	15
Setting Up the ACE	27
Establishing a Console Connection on the ACE	28
Using the Setup Script to Enable Connectivity to the Device Manager	29
Connecting and Logging into the ACE	33
Changing the Administrative Password	35
Resetting the Administrator CLI Account Password	36
Assigning a Name to the ACE	38
Configuring an ACE Inactivity Timeout	38
Configuring a Message-of-the-Day Banner	39
Configuring the Time, Date, and Time Zone	41
Setting the System Time and Date	41
Setting the Time Zone	42
Adjusting for Daylight Saving Time	45
Viewing the System Clock Settings	47
Synchronizing the ACE with an NTP Server	47
Configuring NTP Server and Peer Associations	48
Viewing NTP Statistics and Information	49
.Clearing NTP Statistics	54
Configuring Terminal Settings	56
Configuring Terminal Display Attributes	56
Configuring Terminal Line Settings	58
Configuring Console Line Settings	58
Configuring Virtual Terminal Line Settings	60
Modifying the Boot Configuration	61
Setting the Boot Method from the Configuration Register	61
Setting the BOOT Environment Variable	63
Configuring the ACE to Bypass the Startup Configuration File During the Boot Process	64
Displaying the ACE Boot Configuration	67
Restarting the ACE	67
Shutting Down the ACE	68
Enabling Remote Access to the ACE	69
Remote Access Configuration Quick Start	70
Configuring Remote Network Management Traffic Services	72
Creating and Configuring a Remote Management Class Map	73
Defining a Class Map Description	74
Defining Remote Network Management Protocol Match Criteria	75
Creating a Layer 3 and Layer 4 Remote Access Policy Map	77
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE	77
Defining a Layer 3 and Layer 4 Policy Map Description	78
Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy	78
Defining Layer 3 and Layer 4 Management Traffic Policy Actions	80
Applying a Service Policy	81
Configuring Telnet Management Sessions	83
Configuring SSH Management Sessions	84
Configuring Maximum Number of SSH Sessions	84
Generating SSH Host Key Pairs	85
Terminating an Active User Session	87
Enabling ICMP Messages to the ACE	87
Directly Accessing a User Context Through SSH	89
Example of a Remote Access Configuration	91
Viewing Session Information	92
Showing Telnet Session Information	92
Showing SSH Session Information	94
Showing SSH Session Information	94
Showing SSH Key Details	95
Managing ACE Software Licenses	97
Available ACE Licenses	98
Ordering an Upgrade License and Generating a Key	101
Copying a License File to the ACE	102
Installing a New or Upgrade License File	103
Replacing a Demo License with a Permanent License	104
Removing a License	105
Removing an Appliance Performance Throughput License	106
Removing an SSL TPS License	106
Removing a Virtualization Context License	106
Removing an HTTP Compression Performance License	109
Removing the Application Acceleration Software Feature Pack License	110
Backing Up a License File	111
Displaying License Configurations and Statistics	112
Configuring Class Maps and Policy Maps	115
Class Map and Policy Map Overview	116
Class Maps	119
Policy Maps	120
Service Policies	123
Class Map and Policy Map Configuration Quick Start	124
Configuring Layer 3 and Layer 4 Class Maps	138
Defining Layer 3 and Layer 4 Classifications for Network Traffic Passing Through the ACE	138
Creating a Layer 3 and Layer 4 Network Traffic Class Map	139
Defining a Class Map Description	141
Defining Access-List Match Criteria	142
Defining Match Any Criteria	142
Defining Destination IP Address and Subnet Mask Match Criteria	143
Defining TCP/UDP Port Number or Port Range Match Criteria	144
Defining the Source IP Address and Subnet Mask Match Criteria	145
Defining the VIP Address Match Criteria	146
Defining Layer 3 and Layer 4 Classifications for Network Management Traffic Received by the ACE	149
Creating a Layer 3 and Layer 4 Network Management Traffic Class Map	149
Defining Network Management Access Match Criteria	151
Configuring Layer 7 Class Maps	152
Defining Layer 7 Classifications for HTTP Server Load Balancing	153
Defining Layer 7 Classifications for HTTP Deep Packet Inspection	155
Defining Layer 7 Classifications for FTP Command Inspection	156
Configuring a Layer 3 and Layer 4 Policy Map	157
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE	158
Creating a Layer 3 and Layer 4 Policy Map for Network Traffic Passing Through the ACE	159
Defining a Layer 3 and Layer 4 Policy Map Description	159
Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy	160
Specifying Layer 3 and Layer 4 Policy Actions	161
Using Parameter Maps in a Layer 3 and Layer 4 Policy Map	163
Configuring a Layer 7 Policy Map	164
Creating a Layer 7 Policy Map	165
Adding a Layer 7 Policy Map Description	167
Including Inline Match Statements in a Layer 7 Policy Map	167
Specifying a Layer 7 Traffic Class with the Traffic Policy	168
Specifying Layer 7 Policy Actions	169
Associating the Layer 7 Policy Map with a Layer 3 and Layer 4 Policy Map	171
Applying a Service Policy	172
Class Maps and Policy Map Examples	174
Firewall Example	174
Layer 7 Load-Balancing Example	177
Layer 3 and Layer 4 Load-Balancing Example	179
VIP With Connection Parameters Example	180
Example of a Traffic Policy Configuration	182
Viewing Class Maps, Policy Maps, and Service Policies	185
Displaying Class Map Configuration Information	185
Displaying Policy Map Configuration Information	185
Displaying Service Policy Configuration Information	186
Managing the ACE Software	191
Saving Configuration Files	191
Saving the Configuration File in Flash Memory	193
Saving Configuration Files to a Remote Server	194
Copying the Configuration File to the disk0: File System	195
Merging the Startup-Configuration File with the Running-Configuration File	196
Viewing Configuration Files	197
Viewing User Context Running-Config Files from the Admin Context	200
Clearing the Startup-Configuration File	200
Loading Configuration Files from a Remote Server	201
Using the File System on the ACE	202
Listing the Files in a Directory	203
Copying Files	205
Copying Files to Another Directory on the ACE	205
Copying Licenses	206
Copying a Packet Capture Buffer	206
Copying Files to a Remote Server	207
Copying Files from a Remote Server	209
Copying an ACE Software System Image to a Remote Server	210
Uncompressing Files in the disk0: File System	211
Untarring Files in the disk0: File System	212
Creating a New Directory	212
Deleting an Existing Directory	213
Moving Files	213
Deleting Files	214
Displaying File Contents	215
Saving show Command Output to a File	216
Viewing and Copying Core Dumps	217
Copying Core Dumps	218
Clearing the Core Directory	219
Deleting a Core Dump File	219
Capturing and Copying Packet Information	220
Capturing Packet Information	220
Copying Capture Buffer Information	222
Viewing Packet Capture Information	223
Using the Configuration Checkpoint and Rollback Service	227
Overview	227
Creating a Configuration Checkpoint	228
Deleting a Configuration Checkpoint	228
Rolling Back a Running Configuration	229
Displaying Checkpoint Information	229
Reformatting Flash Memory	230
Viewing ACE Hardware and Software Configuration Information	233
Displaying Software Version Information	234
Displaying Software Copyright Information	235
Displaying Hardware Information	235
Displaying the Hardware Inventory	236
Displaying ACE Environment Information	237
Displaying System Processes	238
Displaying Process Status Information and Memory Resource Limits	243
Displaying System Information	246
Displaying ICMP Statistics	248
Displaying Technical Support Information	249
Configuring Redundant ACE Appliances	253
Overview of Redundancy	253
Redundancy Protocol	254
Stateful Failover	257
FT VLAN	258
Configuration Synchronization	259
Configuration Requirements and Restrictions	260
Redundancy Configuration Quick Start	260
Configuring Redundancy	264
Configuring an FT VLAN	264
Creating an FT VLAN	265
Configuring an FT VLAN IP Address	265
Configuring the Peer IP Address	266
Enabling the FT VLAN	267
Configuring an Alias IP Address	267
Configuring an FT Peer	268
Associating the FT VLAN with the Local Peer	268
Configuring the Heartbeat Interval and Count	269
Configuring a Query Interface	270
Configuring an FT Group	271
Associating a Context with an FT Group	271
Associating a Peer with an FT Group	272
Assigning a Priority to the Active FT Group Member	272
Assigning a Priority to the Standby FT Group Member	273
Configuring Preemption	274
Placing an FT Group in Service	275
Modifying an FT Group	275
Forcing a Failover	276
Synchronizing Redundant Configurations	277
Configuring Tracking and Failure Detection	280
Overview of Tracking and Failure Detection	280
Configuring Tracking and Failure Detection for a Host or Gateway	281
Creating a Tracking and Failure Detection Process for a Host or Gateway	282
Configuring the Gateway or Host IP Address Tracked by the Active Member	282
Configuring a Probe on the Active Member for Host Tracking	283
Configuring a Priority on the Active Member for Multiple Probes	284
Configuring the Gateway or Host IP Address Tracked by the Standby Member	284
Configuring a Probe on the Standby Member for Host Tracking	285
Configuring a Priority on the Standby Member for Multiple Probes	285
Example of a Tracking Configuration for a Gateway	286
Configuring Tracking and Failure Detection for an Interface	287
Creating a Tracking and Failure Detection Process for an Interface	287
Configuring the Interface Tracked by the Active Member	288
Configuring a Priority for a Tracked Interface on the Active Member	288
Configuring the Interface Tracked by the Standby Member	289
Configuring a Priority for a Tracked Interface on the Standby Member	289
Example of a Tracking Configuration for an Interface	290
Example of a Redundancy Configuration	290
Displaying Redundancy Information	293
Displaying Redundancy Configurations	293
Displaying FT Group Information	293
Displaying the IDMAP Table	298
Displaying the Redundancy Internal Software History	299
Displaying Memory Statistics	299
Displaying Peer Information	299
Displaying FT Statistics	303
Displaying FT Tracking Information	306
Clearing Redundancy Statistics	310
Clearing FT Statistics	310
Clearing the Redundancy History	310
Configuring SNMP	311
SNMP Overview	312
Managers and Agents	313
SNMP Manager and Agent Communication	314
SNMP Traps and Informs	315
SNMPv3 CLI User Management and AAA Integration	316
CLI and SNMP User Synchronization	316
Supported MIBs and Notifications	317
SNMP Limitations	334
SNMP Configuration Quick Start	335
Configuring SNMP Users	337
Defining SNMP Communities	339
Configuring an SNMP Contact	341
Configuring an SNMP Location	341
Configuring SNMP Notifications	342
Configuring SNMP Notification Hosts	342
Enabling SNMP Notifications	344
Enabling the IETF Standard for SNMP linkUp and linkDown Traps	346
Assigning a Trap-Source Interface for SNMP Traps	347
Configuring SNMP Management Traffic Services	348
Creating and Configuring a Layer 3 and Layer 4 Class Map	349
Defining a Class Map Description	350
Defining SNMP Protocol Match Criteria	351
Creating a Layer 3 and Layer 4 Policy Map	352
Creating a Layer 3 and Layer 4 Policy Map for SNMP Network Management Traffic Received by the ACE	352
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy	353
Specifying Layer 3 and Layer 4 Policy Actions	354
Applying a Service Policy	355
Example of an SNMP Configuration	357
Displaying SNMP Statistics	360
Configuring the XML Interface	365
XML Overview	366
XML Usage with the ACE	366
HTTP and HTTPS Support with the ACE	368
HTTP Return Codes	369
Document Type Definition	371
Sample XML Configuration	373
XML Configuration Quick Start	375
Configuring HTTP and HTTPS Management Traffic Services	377
Creating and Configuring a Class Map	378
Defining a Class Map Description	379
Defining HTTP and HTTPS Protocol Match Criteria	380
Creating a Layer 3 and Layer 4 Policy Map	381
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE	381
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy	382
Specifying Layer 3 and Layer 4 Policy Actions	384
Applying a Service Policy	384
Enabling the Display of Raw XML Request show Command Output in XML Format	388
Accessing the ACE DTD File	391
Upgrading Your ACE Software	393
Overview of Upgrading ACE Software	394
Before You Begin	394
Changing the Admin Password	394
Changing the www User Password	395
Checking Your Configuration for FT Priority and Preempt	395
Creating a Checkpoint	395
Software Upgrade Quick Start	396
Copying the Software Upgrade Image to the ACE	399
Configuring the ACE to Autoboot the Software Image	400
Setting the Boot Variable	400
Configuring the Configuration Register to Autoboot the Boot Variable	401
Verifying the Boot Variable and Configuration Register	402
Reloading the ACE	402
Displaying Software Image Information	403

Match case Limit results 1 per page

4-7

Cisco 4700 Series Application Control Engine Appliance Administration Guide

OL-11157-01

Chapter 4

Configuring Class Maps and Policy Maps

Class Map and Policy Map Overview

The ACE supports a system-wide maximum of 4096 policy maps.

A Layer 7 policy map is always associated within a Layer 3 and Layer 4 policy

map to provide an entry point for traffic classification. Layer 7 policy maps are

considered to be child policies and can only be nested under a Layer 3 and Layer 4

policy map.

Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface; a

Layer 7 policy map cannot be directly applied on an interface. For example, to

associate a Layer 7 load-balancing policy map, you nest the load-balancing policy

map by using the Layer 3 and Layer 4

loadbalance

policy

command.

Depending on the

policy-map

command, the ACE executes the action specified

in the policy map on the network traffic as follows:

•

first-match

—For

policy-map

commands that contain the

first-match

keyword, the ACE executes the specified action only for traffic that meets the

first matching classification within a policy map. No additional actions are

executed.

•

all-match

—For

policy-map

commands that contain the

all-match

keyword,

the ACE attempts to match a packet against all classes in the policy map and

executes the actions of all matching classes associated with the policy map.

•

multi-match

—For

policy-map

commands that contain the

multi-match

keyword, these commands specify that multiple sets of classes exist in the

policy map and allow a multi-feature policy map. The ACE applies a

first-match execution process to each class set in which a packet can match

multiple classes within the policy map, but the ACE executes the action for

only one matching class within each class set. The definition of which classes

are in the same class set depends on the actions applied to the classes; the

ACE associates each policy map action with a specific set of classes. Some

ACE functions may be associated with the same class set as other features (for

example, application protocol inspection actions would typically be

associated with the same class set), while the ACE associates other features

with a different class set.

When there are multiple instances of actions of the same type configured in a

policy map, the ACE performs the first action encountered of the same type that

has a match.