Software Version A1(7)

This document describes how to initially configure the Cisco 4700 Series Application Control Engine (ACE) appliance using the command-line interface (CLI) to allow traffic and perform basic virtual IP (VIP) load balancing. This document also provides references to tasks that you can perform on the ACE and where to find the information in the ACE documentation set. By completing the quick configuration procedures in this document, your ACE will be able to perform the following tasks:
- Receive network traffic
- Allow network connectivity
- Perform remote management through Telnet
- Match VIP-destined traffic flows
- Load balance these flows to real servers on the network
Note
If you intend to use the Device Manager GUI to configure the ACE, see the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Quick Configuration Note.

This document contains the following sections:
- ACE Features and Functionality Overview
- Configuring the ACE
- Configuring Basic VIP Load Balancing on the ACE
- Related Documentation
- Obtaining Documentation, Obtaining Support, and Security Guidelines
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
ACE Features and Functionality Overview

Ethernet Interfaces
The ACE provides four physical Ethernet ports that provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN and can carry traffic within a designated VLAN interface. For more information, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

Routing and Bridging
You configure the corresponding VLAN interfaces on the ACE as either routed or bridged. When you configure an IP address on an interface, the ACE automatically configures it as a routed mode interface. When you configure a bridge group on an interface VLAN, the ACE automatically configures it as a bridged interface. For more information, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

Traffic Policies
The ACE allows you to perform advanced administration tasks such as using traffic policies to classify traffic flow and the action to take for the type of traffic. Traffic policies consist of class maps, policy maps, and service policies. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Redundancy
Redundancy provides fault tolerance for the stateful switchover of flow and offers increased uptime for a more robust network. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Virtualization
Virtualization allows you to manage ACE system resources and users and the services provided to your customers. Multiple contexts use virtualization to partition your ACE into multiple virtual devices or contexts. For more information, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
Server Load Balancing
Server load balancing (SLB) on the ACE provides network traffic policies for SLB, real servers and server farms, health monitoring through probes, and firewall load balancing. For more information, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.

ACE Security Features
The ACE contains several security features including ACLs, NAT, user authentication and accounting, HTTP deep packet inspection, FTP command request inspection, and application protocol inspection of DNS, HTTP, ICMP, or RTSP. For more information, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

Secure Sockets Layer
The SSL protocol on the ACE provides encryption technology for the Internet, ensuring secure transactions. For more information, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide.

Application Acceleration and Optimization
The ACE includes several optimization technologies to accelerate web application performance, optimize network performance, and improve access to critical business information. For more information, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide.

Command-Line Interface
The CLI is a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.

Device Manager GUI Interface
The ACE Device Manager GUI resides in Flash memory on the appliance to provide a browser-based interface for configuring and managing the ACE. For more information, see the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide and the Device Manager Online help.
Cisco ACE 4700 Series Application Control Engine Appliance CLI Quick Configuration Note
OL-11156-01
Configuring the ACE

- Establishing a Console Connection on the ACE
- Logging in to the ACE
- Setting the System Time and Date
- Changing the Administrative Password
- Assigning a Name to the ACE
- Configuring an Ethernet Port
- Allocating an Ethernet Port to a VLAN Trunk
- Configuring VLAN Interfaces on the ACE
- Configuring a Default Route
- Configuring Remote Access to the ACE
- Accessing the ACE through a Telnet Session
For detailed command syntax information for the ACE CLI commands, see the Cisco 4700 Series Application Control Engine Appliance Command Reference. Before performing the procedures in this section, ensure that you have completed the ACE installation instructions as described in the Cisco Application Control Engine Appliance Hardware Installation Guide.
Establishing a Console Connection on the ACE

Note
Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH sessions on the Ethernet ports.

Once connected, you can use any terminal communications application to access the ACE CLI. The following procedure uses HyperTerminal for Windows. To access the ACE by using a direct serial connection, perform the following steps:
Step 1
Launch HyperTerminal. The Connection Description window appears.
Step 2
Enter a name for your session in the Name field.
Step 3
Click OK. The Connect To window appears.
Step 4
From the drop-down list, choose the COM port to which the device is connected.
Step 5
Click OK. The Port Properties window appears.
Step 6
Set the port properties:
- Baud Rate = 9600
- Data Bits = 8
- Hardware Flow Control = On
- Parity = none
- Stop Bits = 1
Step 7
Step 8

Logging in to the ACE

When you boot the ACE for the first time and the appliance does not detect a startup-configuration file, the setup script appears. The setup script is intended to simplify connectivity to the Device Manager GUI on the ACE. For this quick configuration procedure, enter no to bypass the script and directly access the CLI.
At the login prompt, log into the ACE by entering the login username and password. By default, the username and password are admin.
switch login: admin
Password: admin
Step 2
You are ready to use the ACE CLI when the following prompt appears:
switch/Admin#
Note
For security reasons, you should change the administrative password. If you do not change the administrative password, your ACE security can be compromised because the administrative password is configured to be the same for every ACE shipped from Cisco Systems. See the Changing the Administrative Password section.
Step 3
To prevent this current session from timing out, set the terminal session-timeout command to 0. By default, a session on the ACE is automatically logged out after 5 minutes of inactivity.
switch/Admin# terminal session-timeout 0
Step 4
To disable the inactivity timeout when you log in to the ACE, access configuration mode and set the login timeout command to 0. For example, enter:
switch/Admin# configure
Enter configuration commands, one per line. End with CNTL/Z
switch/Admin(config)# login timeout 0
switch/Admin(config)# exit
switch/Admin#
Setting the System Time and Date

To enter the current time, specify two digits each for the hours, minutes, and seconds, separated by colons. To enter the current date, specify one or two digits for the day, the name of the month, and four digits for the year.
For example, to specify a time of 1:38:30 and a date of October 7, 2007, enter:
host1/Admin# clock set 01:38:30 7 Oct 2007
Sun Oct 7 01:38:30 PST 2007
Note
If you want to use the Network Time Protocol (NTP) to automatically synchronize the ACE system clock to an authoritative time server (such as a radio clock or an atomic clock), see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. In this configuration, the NTP time server automatically sets the ACE system clock.
Assigning a Name to the ACE

Change the hostname of the ACE by using the hostname command in configuration mode. Enter a case-sensitive name that contains from 1 to 32 alphanumeric characters. For example, to change the hostname of the ACE from switch to host1, enter:
switch/Admin(config)# hostname host1
Configuring an Ethernet Port

Only users authenticated in the Admin context can use the interface gigabitEthernet command. To configure an Ethernet port, perform the following steps:
Step 1
Configure a Layer 2 Ethernet port on the ACE by using the interface gigabitEthernet slot_number/port_number command in configuration mode.
Note
The slot_number specifies the physical slot on the ACE containing the Ethernet ports. This selection is always 1.
For example, to configure Ethernet port 2 and enter interface configuration mode, enter:
host1/Admin(config)# interface gigabitEthernet 1/2
host1/Admin(config-if)#
Step 2
(Optional) Add a description of the Ethernet port by using the description command in interface configuration mode. A description can help you remember the port's function.
host1/Admin(config-if)# description Ethernet port 2 is configured for speeds of 100 Mbps and full-duplex operation
Step 3
Configure the interface duplex and speed (default is auto-negotiate) by using the speed and duplex commands in interface configuration mode. For example, to specify a speed of 100 Mbps and to configure Ethernet port 2 for full-duplex operation, enter:
host1/Admin(config-if)# speed 100M
host1/Admin(config-if)# duplex full
Step 4
Enable the Ethernet port by using the no shutdown command in interface configuration mode. This command puts the interface in the Up administrative state.
host1/Admin(config-if)# no shutdown
Step 5
Verify the configuration of the interface by using the do command with the show interface command.
Note
When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.
host1/Admin(config-if)# do show interface gigabitEthernet 1/2
GigabitEthernet Port 1/2:
---------------------------
Description:
configured status: (ADMIN UP), speed: (100M), duplex: (FULL)
link status: (UP), speed: (100M), duplex: (FULL)
Allocating an Ethernet Port to a VLAN Trunk

Step 1
Assign one or more VLAN numbers to the Ethernet port by using the switchport trunk allowed vlan vlan_list command in interface configuration mode. The vlan_list argument can be any of the following:
- A single VLAN number
- A range of VLAN numbers separated by a hyphen
- Specific VLAN numbers separated by commas

Valid entries are 1 through 4094. Do not enter any spaces between the hyphen-separated ranges or the comma-separated numbers in the vlan_list argument.
Note
When associating VLANs to Ethernet ports, overlapping is not allowed. For example, if you associate VLAN 10 with Ethernet port 1, you cannot associate VLAN 10 with another Ethernet port.
For example, to add VLAN 10 to the defined list of VLANs currently set for Ethernet port 2, enter:
host1/Admin(config)# interface gigabitEthernet 1/2
host1/Admin(config-if)# switchport trunk allowed vlan 10
Note
It is not necessary to create a VLAN interface before allocating a VLAN to an Ethernet port. To configure a VLAN interface, use the interface vlan command in configuration mode as described in the Configuring VLAN Interfaces on the ACE section.
Step 2
Enable VLAN trunking for the specified Layer 2 Ethernet port by using the no shutdown command in interface configuration mode.
host1/Admin(config-if)# no shutdown
Now you are ready to create the corresponding VLAN interfaces on the ACE. See the Configuring VLAN Interfaces on the ACE section for details.
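The vlan_list rules above (single number, hyphenated range, comma-separated list, IDs 1 through 4094, no spaces) and the note that a VLAN cannot be associated with more than one Ethernet port are easy to check before a configuration is pushed. The following Python script is an added example, not code from the Cisco ACE documentation; it expands a vlan_list string exactly as those rules describe and reports any VLAN that two ports would both claim. Port names such as "1/2" and the sample assignments are constructed for illustration.

```python
"""Validate ``switchport trunk allowed vlan`` arguments and find VLANs that
would be allocated to more than one Ethernet port.

Added example; this is not code from the Cisco ACE documentation. It applies
the vlan_list rules stated in the procedure: a single number, a hyphenated
range, or comma-separated numbers, all in 1-4094 and with no spaces.
"""
from __future__ import annotations

import re

VLAN_MIN, VLAN_MAX = 1, 4094
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(vlan_list: str) -> set[int]:
    """Expand a vlan_list string into the set of VLAN IDs it names.

    Raises ValueError for spaces, non-numeric tokens, reversed ranges, or
    IDs outside 1-4094, which is what the CLI rejects.
    """
    if " " in vlan_list:
        raise ValueError(f"spaces are not allowed in vlan_list: {vlan_list!r}")
    vlans: set[int] = set()
    for token in vlan_list.split(","):
        match = _TOKEN.match(token)
        if not match:
            raise ValueError(f"bad vlan_list token: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"reversed range: {token!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN IDs must be {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        vlans.update(range(low, high + 1))
    return vlans


def is_valid_vlan_list(vlan_list: str) -> bool:
    """True if the CLI would accept the vlan_list string."""
    try:
        parse_vlan_list(vlan_list)
    except ValueError:
        return False
    return True


def find_overlaps(port_vlans: dict[str, str]) -> dict[int, list[str]]:
    """Return {vlan: [ports]} for every VLAN listed on more than one port.

    port_vlans maps an Ethernet port (e.g. "1/2") to its vlan_list string.
    The ACE does not allow one VLAN to be associated with two Ethernet ports,
    so every entry in the result would be rejected when configured.
    """
    owners: dict[int, list[str]] = {}
    for port, vlan_list in port_vlans.items():
        for vlan in parse_vlan_list(vlan_list):
            owners.setdefault(vlan, []).append(port)
    return {vlan: sorted(ports) for vlan, ports in owners.items() if len(ports) > 1}


if __name__ == "__main__":
    # Constructed sample: port 1/2 carries VLAN 10 and 55-57; port 1/3 also lists 57.
    planned = {"1/2": "10,55-57", "1/3": "57,100"}
    print(sorted(parse_vlan_list(planned["1/2"])))
    print(find_overlaps(planned))
```

Running the script with the constructed sample reports VLAN 57 as claimed by both ports, which is the case the note above says the ACE will not accept.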
Configuring VLAN Interfaces on the ACE

Note
The ACE requires a route (which may be the default route) back to the client before it can forward a request to a server. If the route back is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE.

To configure a VLAN interface on the ACE, perform the following steps:
Step 1
Access interface configuration mode for the VLAN by using the interface vlan command. For example, to create VLAN 10, enter:
host1/Admin(config)# interface vlan 10
host1/Admin(config-if)#
Step 2
Assign an IP address to a VLAN interface for client connectivity by using the ip address command. For example, to set the IP address of 172.16.110.8 and a subnet mask of 255.255.255.192 for the ACE, enter:
host1/Admin(config-if)# ip address 172.16.110.8 255.255.255.192
Step 3
(Optional) Provide a description for the interface by using the description command.
host1/Admin(config-if)# description Client side connectivity on VLAN 10
Step 4
Step 5
Verify that VLAN 10 is active by using the do command with the show interface command.
host1/admin(config-if)# do show interface vlan 10
Note
When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.
Step 6
Verify the network connectivity by using the ping command. This command verifies the connectivity of a remote host or server by sending echo messages from the ACE.
host1/admin(config-if)# do ping 172.16.11.1
Step 7
Step 8
Configuring a Default Route

To display the ACE routing table, use the show ip route command.
host1/Admin(config)# do show ip route
Note
When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.
Configuring Remote Access to the ACE

Step 1
Create a management class map by using the class-map type management command in configuration mode, which places you in class map management configuration mode. For example, to create a management type class map named REMOTE_ACCESS that matches any of the criteria that follow, enter:
host1/Admin(config)# class-map type management match-any REMOTE_ACCESS
host1/Admin(config-cmap-mgmt)#
Step 2
(Optional) Provide a description for the class map by using the description command.
host1/Admin(config-cmap-mgmt)# description Remote access traffic match
Step 3
Configure the match protocol that permits network management traffic by using the match protocol command. For example, to permit traffic based on the protocol of SSH, Telnet, and ICMP for any source address, enter:
host1/Admin(config-cmap-mgmt)# match protocol telnet any
host1/Admin(config-cmap-mgmt)# match protocol ssh any
host1/Admin(config-cmap-mgmt)# match protocol icmp any
Step 4
Step 5
Create a policy map for traffic destined to an ACE interface, and then access policy map management configuration mode by using the policy-map type management first-match command. For example, to create the REMOTE_MGMT_ALLOW_POLICY policy map, enter:
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#
Step 6
Apply the class map to this policy and access policy map class configuration mode by using the class command. For example, to apply the previously created REMOTE_ACCESS class map to this policy, enter:
host1/Admin(config-pmap-mgmt)# class REMOTE_ACCESS
host1/Admin(config-pmap-mgmt-c)#
Step 7
Allow the ACE to receive the configured class map management protocols by using the permit command.
host1/Admin(config-pmap-mgmt-c)# permit
Step 8
Step 9
Access interface configuration mode for the VLAN to which you want to apply the policy map. For example, to access the interface configuration mode for VLAN 10, enter:
host1/Admin(config)# interface vlan 10
host1/Admin(config-if)#
Step 10
Apply the policy map to the interface by using the service-policy input command. For example, to apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface, enter:
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
Step 11
View the applied service policy on the interface by using the do command with the show service-policy command. For example, to display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface, enter:
host1/Admin(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY
Note
When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.
Step 12
Save your configuration changes from the running configuration to the startup configuration.
host1/Admin(config-if)# do copy running-config startup-config
Step 13
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
interface vlan 10
  ip address 172.16.110.8 255.255.255.192
  description Client side connectivity
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.110.1
Accessing the ACE through a Telnet Session

Step 1
Initiate a Telnet session from a remote host to the ACE. For example, to access the ACE at the VLAN IP address 172.16.110.8, enter:
remote_host# telnet 172.16.110.8
Trying 172.16.110.8 ... Open
Step 2
At the prompt, log in to the ACE. Enter admin as the login username and admin as the password.
host1 login: admin
Step 3
Configuring Basic VIP Load Balancing on the ACE

- Match VIP-destined traffic flows.
- Load balance these flows to real servers on the network.

Class maps classify client traffic destined to a VIP address. The ACE load balances traffic to a server farm and selects one of the real servers to respond to the client request. This section describes the tasks that you perform using the CLI to configure and perform basic VIP load balancing:
- Configuring Real Servers
- Configuring a Server Farm
- Configuring the VIP Traffic Policy
- Configuring an ACL
- Verifying the VIP Load-Balancing Configuration
- Where to Go Next
For detailed command syntax information for the ACE CLI commands mentioned in this section, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.
Configuring Real Servers

Step 2
Create a real server and then access real server host configuration mode by using the rserver command. For example, to create a real server named SERVER1 as a type host (the default), enter:
host1/Admin(config)# rserver SERVER1
host1/Admin(config-rserver-host)#
Step 3
Step 4
Assign the real server an IP address in dotted-decimal notation by using the ip address command. For example, to assign the IP address of 192.168.4.11, enter:
host1/Admin(config-rserver-host)# ip address 192.168.4.11
Step 5
Step 6
Step 7
Configure additional real servers by repeating Steps 2 through 5. For example, to add a real server named SERVER2 with an IP address of 192.168.4.12, enter:
host1/Admin(config)# rserver SERVER2
host1/Admin(config-rserver-host)# description web-two content server
host1/Admin(config-rserver-host)# ip address 192.168.4.12
host1/Admin(config-rserver-host)# inservice
Step 8
Step 9
Display the configuration of the real servers by using the do command with the show running-config rserver command.
host1/Admin(config)# do show running-config rserver
Generating configuration....

rserver host SERVER1
  description web-one content server
  ip address 192.168.4.11
  inservice
rserver host SERVER2
  description web-two content server
  ip address 192.168.4.12
  inservice
Note
When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.
Configuring a Server Farm

Step 1
Create a server farm and access server farm host configuration mode by using the serverfarm command. For example, to create a server farm of type host (the default) named SFARM1, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)#
Step 2
Associate an existing real server with the server farm and enter server farm host real server configuration mode by using the rserver command. For example, to associate SERVER1 real server to the server farm, enter:
host1/Admin(config-sfarm-host)# rserver SERVER1
host1/Admin(config-sfarm-host-rs)#
Step 3
Place the real server in service by using the inservice command. Before you can start sending connections to a real server in a server farm, you must place it in service. Otherwise, the ACE considers it out of service and the server farm cannot receive or respond to client requests.
host1/Admin(config-sfarm-host-rs)# inservice
Step 4
Use the exit command to reenter server farm host configuration mode.
host1/Admin(config-sfarm-host-rs)# exit
host1/Admin(config-sfarm-host)#
Step 5
Step 6
Step 7
Step 8
Verify that the real servers appear as operational (even though network connectivity has not been established) by using the do command with the show rserver command. For example, to display the SERVER1 real server, enter:
host1/Admin(config)# do show rserver SERVER1
rserver              : SERVER1, type: HOST
state                : OPERATIONAL
---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: SFARM1
       192.168.4.11:0        8      OPERATIONAL  0          0
Note
When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.
Step 9
Add an interface to allow the ACE to communicate with the real servers by using the interface vlan command. For example, to configure VLAN 57 and access its configuration mode, enter:
host1/Admin(config)# interface vlan 57
host1/Admin(config-if)#
Step 10
Configure the IP address that is associated with the real server IP addresses by using the ip address command. For example, to configure the IP address 192.168.4.1 255.255.255.0, enter:
host1/Admin(config-if)# ip address 192.168.4.1 255.255.255.0
Step 11
(Optional) Provide a description for the interface by using the description command.
host1/Admin(config-if)# description Server-side Interface
Step 12
Step 13
Step 14
Step 15
Display how the ACE populates the ARP table with the real server (RSERVER) by using the do command with the show arp command.
host1/Admin(config)# do show arp

Context Admin
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type       Encap  NextArp(s)  Status
================================================================================
127.1.0.128     00.00.00.00.20.62  vlan1      INTERFACE  LOCAL  _           up
127.1.0.192     00.00.00.00.20.62  vlan1      STATIC     2      _           up
192.168.4.1     00.00.00.00.20.62  vlan57     INTERFACE  LOCAL  _           up
192.168.4.11    00.00.00.00.00.00  vlan57     RSERVER    *      2 req       dn
192.168.4.12    00.00.00.00.00.00  vlan57     RSERVER    *      2 req       dn
================================================================================
Total arp entries 5
Configuring the VIP Traffic Policy

Step 1
Create a Layer 7 SLB policy map to match class maps in the order in which they occur for load balancing by using the policy-map type loadbalance first-match command. For example, to create a load balancing policy map named L7_VIP_LB_ORDER_POLICY, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
host1/Admin(config-pmap-lb)#
Step 2
For a simple load-balancing policy, assign the ACE default class map that contains an implicit match any statement in it for matching any traffic classification. Use the class class-default command.
host1/Admin(config-pmap-lb)# class class-default
host1/Admin(config-pmap-lb-c)#
Step 3
Add the server farm to the Layer 7 SLB policy map by using the serverfarm command. For example, to add the previously-created SFARM1 server farm, enter:
host1/Admin(config-pmap-lb-c)# serverfarm SFARM1
Step 4
Step 5
Create a Layer 3 and Layer 4 load-balancing class map by using the class-map command. For example, to create a class map named L4_VIP_ADDRESS_CLASS, enter:
host1/Admin(config)# class-map L4_VIP_ADDRESS_CLASS
host1/Admin(config-cmap)#
Step 6
Define a VIP address match statement by using the match virtual-address command. For example, to define a match statement for the IP address 172.16.110.9 for any IP protocol, enter:
host1/Admin(config-cmap)# match virtual-address 172.16.110.9 any
Step 7
Step 8
Create a Layer 3 and Layer 4 multi-match policy map to direct classified incoming requests to the load-balancing policy map by using the policy-map multi-match command. For example, to create the policy map named L4_LB_VIP_POLICY, enter:
host1/Admin(config)# policy-map multi-match L4_LB_VIP_POLICY
host1/Admin(config-pmap)#
Step 9
Associate the Layer 3 and Layer 4 class map that defines the VIP address with the policy map by using the class command. For example, to associate the previously created L4_VIP_ADDRESS_CLASS class map, enter:
host1/Admin(config-pmap)# class L4_VIP_ADDRESS_CLASS
host1/Admin(config-pmap-c)#
Step 10
Associate the Layer 7 load-balancing policy map with the Layer 3 and Layer 4 policy map by using the loadbalance command. This association determines the actions that the ACE takes when network traffic matches a class map. For example, to associate the previously created L7_VIP_LB_ORDER_POLICY policy map, enter:
host1/Admin(config-pmap-c)# loadbalance policy L7_VIP_LB_ORDER_POLICY
Step 11
Enable a VIP for load-balancing operations by using the loadbalance vip inservice command.
host1/Admin(config-pmap-c)# loadbalance vip inservice
Step 12
Step 13
Access the client-facing interface to which you want to apply the multi-match policy map by using the interface vlan command. For example, to access interface configuration mode for VLAN 55, enter:
host1/Admin(config)# interface vlan 55
host1/Admin(config-if)#
Step 14
Apply the multi-match policy map by using the service-policy input command. For example, to apply the L4_LB_VIP_POLICY policy map, enter:
host1/Admin(config-if)# service-policy input L4_LB_VIP_POLICY
Step 15
Step 16
Step 17
Verify that the ACE will respond to traffic to the VIP address by using the do command with the show service-policy command. The show service-policy command displays whether the VIP state is inservice. For example, to display the service policy state for the L4_LB_VIP_POLICY policy map, enter:
host1/Admin(config)# do show service-policy L4_LB_VIP_POLICY
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 55
  service-policy: L4_LB_VIP_POLICY
    class: L4_VIP_ADDRESS_CLASS
      loadbalance:
        L7 loadbalance policy: L7_VIP_LB_ORDER_POLICY
        VIP ICMP Reply       : DISABLED
        VIP state: OUTOFSERVICE
      curr conns       : 0         , hit count        : 0
      dropped conns    : 0
      client pkt count : 0         , client byte count: 0
      server pkt count : 0         , server byte count: 0
Note
When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.
Configuring an ACL
An access control list (ACL) provides an extra layer of security on the services that the ACE provides. For traffic destined to a class map that is applied to a multi-match policy map, you must configure an ACL and apply it to an interface. Otherwise, the ACE denies all traffic on the interface. To configure an ACL, perform the following steps:
Step 1
Create an extended ACL for the interface by using the access-list command. For example, to create an ACL named ALL that permits IP traffic from any source address to any destination address through the ACE, enter:
host1/Admin(config)# access-list ALL extended permit ip any any
Step 2
Access interface configuration mode for the interface that is configured with the multi-match policy map by using the interface vlan command. For example, to access interface configuration mode for VLAN 55, enter:
host1/Admin(config)# interface vlan 55
host1/Admin(config-if)#
Step 3
Apply the ACL to the interface by using the access-group input command. For example, to apply the previously created ALL ACL, enter:
host1/Admin(config-if)# access-group input ALL
Step 4
Exit the interface configuration mode and reenter Exec mode by using the end command.
host1/Admin(config-if)# end
host1/Admin#
Step 5
Verify that the ACL is applied and is active by using the show access-list command.
host1/Admin# show access-list ALL
Step 6
Step 7
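The objects built in this section and the previous one are applied to a client packet in a fixed order: the input ACL on the interface, then the multi-match policy's Layer 3 and Layer 4 class map (the VIP address), then the Layer 7 load-balancing policy whose class-default sends the flow to the server farm, which picks a real server that is in service. The following Python model is an added example, not Cisco code and not a description of the ACE's internal implementation; it exists to make the failure modes the text calls out visible: no ACL on the interface drops everything before any policy is evaluated, a VIP that is not inservice never answers, and real servers that are not inservice receive no connections. The round-robin choice among servers, the class and field names, and the sample topology (VIP 172.16.110.9, SFARM1 with SERVER1 and SERVER2, taken from this document) are constructed assumptions.

```python
"""Simplified model of how the ACE objects configured in this document apply
to an inbound client packet: input ACL, VIP class match, VIP state, and real
server selection from the server farm.

Added example; not Cisco code and not the ACE implementation. Round-robin
selection among in-service real servers is an assumption of this model.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RServer:
    name: str
    ip: str
    inservice: bool = True  # "inservice" in rserver / server farm config


@dataclass
class ServerFarm:
    name: str
    rservers: list[RServer]
    next_index: int = 0

    def select(self) -> RServer | None:
        """Pick the next in-service real server; None if none is in service."""
        live = [rs for rs in self.rservers if rs.inservice]
        if not live:
            return None
        chosen = live[self.next_index % len(live)]
        self.next_index += 1
        return chosen


@dataclass
class Vip:
    address: str
    protocol: str       # "any", "tcp" or "udp", as in match virtual-address
    port: int | None    # None models "any port"
    inservice: bool     # loadbalance vip inservice
    farm: ServerFarm    # serverfarm under class-default of the L7 policy


@dataclass
class Interface:
    """Client-facing VLAN: its input ACL verdict and the VIP classes of its policy."""
    acl_permits: bool | None   # None models no access-group applied at all
    vips: list[Vip] = field(default_factory=list)


@dataclass
class Packet:
    dst_ip: str
    protocol: str
    dst_port: int


def process(iface: Interface, pkt: Packet) -> str:
    """Return a short verdict describing what happens to the packet."""
    # 1. Input ACL: with no ACL applied (or a deny), the ACE drops the packet
    #    before any service policy is consulted.
    if not iface.acl_permits:
        return "dropped: input ACL"
    # 2. Multi-match policy: the first L3/L4 class whose VIP address matches.
    for vip in iface.vips:
        if vip.address != pkt.dst_ip:
            continue
        if vip.protocol != "any" and vip.protocol != pkt.protocol:
            continue
        if vip.port is not None and vip.port != pkt.dst_port:
            continue
        # 3. The VIP must be enabled with loadbalance vip inservice.
        if not vip.inservice:
            return "dropped: VIP out of service"
        # 4. L7 policy, class-default -> serverfarm -> in-service real server.
        rs = vip.farm.select()
        if rs is None:
            return "dropped: no inservice real server"
        return f"load balanced to {rs.name} ({rs.ip})"
    # 5. Not VIP traffic: left to normal routing or bridging.
    return "no VIP match: normal forwarding"


def build_sample() -> Interface:
    """Constructed topology mirroring this document's example configuration."""
    farm = ServerFarm("SFARM1", [RServer("SERVER1", "192.168.4.11"),
                                 RServer("SERVER2", "192.168.4.12")])
    vip = Vip("172.16.110.9", "any", None, True, farm)
    return Interface(acl_permits=True, vips=[vip])


if __name__ == "__main__":
    iface = build_sample()
    pkt = Packet("172.16.110.9", "tcp", 80)
    for _ in range(3):
        print(process(iface, pkt))
    print(process(Interface(acl_permits=None, vips=iface.vips), pkt))
```

Toggle `inservice` on a real server or on the VIP, or pass an Interface with `acl_permits=None`, and the verdict changes at the stage the text describes, which is a quick way to reason about which step of the procedure a non-responding VIP is failing at.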
Verifying the VIP Load-Balancing Configuration

Display the configuration by using the show running-config command. The output in this example includes the real servers, class maps, policy maps, VLAN interfaces, ACL, and default route that make up the basic load-balancing configuration created in this document.
host1/Admin# show running-config
Generating configuration....

login timeout 0
hostname host1
interface gigabitEthernet 1/2
  description Ethernet port 2 is configured for speeds of 100 Mbps and full-duplex
  speed 100M
  duplex FULL
  switchport trunk allowed vlan 10
  no shutdown
access-list ALL line 10 extended permit ip any any
rserver SERVER1
  description web-one content server
  ip address 192.168.4.11
  inservice
rserver SERVER2
  description web-two content server
  ip address 192.168.4.12
  inservice
class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
class-map match-all L4_VIP_ADDRESS_CLASS
  10 match virtual-address 172.16.110.9 any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class CLASS-DEFAULT
    serverfarm SFARM1
policy-map type multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
    loadbalance L7_VIP_LB_ORDER_POLICY
interface vlan 55
  ip address 172.16.110.8 255.255.255.192
  description Client side connectivity
  access-group input ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input L4_LB_VIP_POLICY
  no shutdown
interface vlan 57
  ip address 192.168.4.1 255.255.255.0
  description Server-side Interface
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.110.1
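Several settings in this running configuration are conveniences for initial setup rather than a production baseline: the Logging in procedure disabled the login inactivity timeout with login timeout 0, the Configuring Remote Access procedure permits Telnet alongside SSH in the management class map, the ACL created in Configuring an ACL permits ip any any inbound, and the VIP class map matches any protocol and port. The following Python script is an added example, not code from the Cisco ACE documentation; it parses the indented text of show running-config into top-level sections and reports each of those four conditions so they can be reviewed before the appliance goes into service. The embedded sample configuration is constructed from the example above; the section-parsing approach and the finding wording are this example's own.

```python
"""Audit an ACE running configuration for quick-configuration settings that
should be tightened before production.

Added example; not code from the Cisco ACE documentation. It groups the
indented ``show running-config`` text into top-level sections and flags:
``login timeout 0``, Telnet permitted by a management class map, an ACL that
permits ip any any bound to an interface with ``access-group input``, and a
VIP class map that matches any protocol and port.
"""
from __future__ import annotations

import re

# Constructed sample modelled on the running configuration shown in this document.
SAMPLE_CONFIG = """\
login timeout 0
hostname host1
access-list ALL line 10 extended permit ip any any
class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
class-map match-all L4_VIP_ADDRESS_CLASS
  10 match virtual-address 172.16.110.9 any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
interface vlan 55
  ip address 172.16.110.8 255.255.255.192
  access-group input ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input L4_LB_VIP_POLICY
  no shutdown
"""

_PERMIT_ANY = re.compile(r"access-list (\S+) (?:line \d+ )?extended permit ip any any$")


def parse_sections(text: str) -> list[tuple[str, list[str]]]:
    """Group config lines into (top-level line, indented child lines) pairs."""
    sections: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def audit(text: str) -> list[str]:
    """Return one finding string per weak setting found in the config text."""
    sections = parse_sections(text)
    findings: list[str] = []

    # Pass 1: names of ACLs that permit everything, so interface bindings can be checked.
    permissive_acls: set[str] = set()
    for header, _ in sections:
        m = _PERMIT_ANY.match(header)
        if m:
            permissive_acls.add(m.group(1))

    # Pass 2: walk every section once and record findings.
    for header, children in sections:
        name = header.split()[-1]
        if header == "login timeout 0":
            findings.append("login timeout 0: inactivity timeout disabled; restore a finite timeout")
        elif header.startswith("class-map type management"):
            if any(re.search(r"\bmatch protocol telnet\b", c) for c in children):
                findings.append(f"class-map {name}: permits Telnet (cleartext); prefer SSH only")
        elif header.startswith("class-map"):
            for child in children:
                m = re.search(r"match virtual-address (\S+) any$", child)
                if m:
                    findings.append(f"class-map {name}: VIP {m.group(1)} matches any protocol and port")
        elif header.startswith("interface"):
            for child in children:
                m = re.match(r"access-group input (\S+)$", child)
                if m and m.group(1) in permissive_acls:
                    findings.append(f"{header}: inbound ACL {m.group(1)} permits ip any any")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit returns four findings, one for each condition named in the lead-in. Feeding it the text of a real show running-config works the same way as long as the two-space indentation of the output is preserved.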
You can also verify access to the real servers by using a Telnet session to connect to the VIP address if your servers support the Telnet daemon. If you are able to receive the login and password prompt from the ACE, access to the real servers is available through the VIP address. For example, enter:
linux$ telnet 172.16.110.9
Trying 172.16.110.9... Open
host1 login: admin
Password:
Where to Go Next
After you have completed the quick configuration procedures in this guide, you can configure more advanced features on the ACE, such as the following:

- Application acceleration and optimization
- Application protocol inspection
- Connection persistence using HTTP-cookie, HTTP header, or IP netmask stickiness
- Health monitoring, including probes
- Layer 7 server load-balancing traffic policy, including class maps and policy maps
- Redundancy
- SSL
- TCP/IP normalization
- Virtualization and role-based access control (RBAC)

You can configure these features using either of the following interfaces:

- The CLI, a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.
- The ACE Device Manager GUI, a web browser-based interface that provides a graphical user interface for configuring, managing, and monitoring the ACE.
For details on configuring the ACE features from the Device Manager GUI, see the Online Help system provided with the GUI.
Related Documentation
To familiarize yourself with the ACE appliance hardware and software, see the following documents:
- Release Note for the Cisco 4700 Series Application Control Engine Appliance
- Cisco Application Control Engine Appliance Hardware Installation Guide
- Regulatory Compliance and Safety Information for the Cisco Application Control Engine Appliance
For detailed configuration information on the ACE command-line interface (CLI), see the following software documents:
- Cisco 4700 Series Application Control Engine Appliance Administration Guide
- Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide
- Cisco 4700 Series Application Control Engine Appliance Command Reference
- Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide
- Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
- Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide
- Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide
- Cisco 4700 Series Application Control Engine Appliance System Message Guide
- Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide
- Cisco CSS-to-ACE Conversion Tool User Guide
For detailed configuration information on the ACE Device Manager GUI, see the following software documents:
- Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Quick Configuration Note
- Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide
- Cisco 4700 Series Application Control Engine Appliance Online Help
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco ACE 4700 Series Application Control Engine Appliance CLI Quick Configuration Note
Copyright © 2007, Cisco Systems, Inc. All rights reserved.