
Cisco ACE 4700 Series Application Control Engine Appliance CLI Quick Configuration Note

Software Version A1(7)

This document describes how to initially configure the Cisco 4700 Series Application Control Engine (ACE) appliance using the command-line interface (CLI) to allow traffic and perform basic virtual IP (VIP) load balancing. This document also provides references to tasks that you can perform on the ACE and where to find the information in the ACE documentation set. By completing the quick configuration procedures in this document, your ACE will be able to perform the following tasks:

• Receive network traffic
• Allow network connectivity
• Perform remote management through Telnet
• Match VIP-destined traffic flows
• Load balance these flows to real servers on the network

Note

If you intend to use the Device Manager GUI to configure the ACE, see the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Quick Configuration Note.

This document contains the following sections:

• ACE Features and Functionality Overview
• Configuring the ACE
• Configuring Basic VIP Load Balancing on the ACE
• Related Documentation
• Obtaining Documentation, Obtaining Support, and Security Guidelines

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

© 2007 Cisco Systems, Inc. All rights reserved.

ACE Features and Functionality Overview



The ACE performs high-performance server load balancing (SLB) among groups of servers, server farms, firewalls, and other network devices, based on Layer 3 and Layer 4 through Layer 7 packet information. The ACE provides the following major features and functionality:

• Ethernet Interfaces: The ACE provides four physical Ethernet ports that provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN and can carry traffic within a designated VLAN interface. For more information, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

• Routing and Bridging: You configure the corresponding VLAN interfaces on the ACE as either routed or bridged. When you configure an IP address on an interface, the ACE automatically configures it as a routed mode interface. When you configure a bridge group on an interface VLAN, the ACE automatically configures it as a bridged interface. For more information, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

• Traffic Policies: The ACE allows you to perform advanced administration tasks such as using traffic policies to classify traffic flow and the action to take for the type of traffic. Traffic policies consist of class maps, policy maps, and service policies. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

• Redundancy: Redundancy provides fault tolerance for the stateful switchover of flow and offers increased uptime for a more robust network. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

• Virtualization: Virtualization allows you to manage ACE system resources and users and the services provided to your customers. Multiple contexts use virtualization to partition your ACE into multiple virtual devices or contexts. For more information, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

• Server Load Balancing: Server load balancing (SLB) on the ACE provides network traffic policies for SLB, real servers and server farms, health monitoring through probes, and firewall load balancing. For more information, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.

• ACE Security Features: The ACE contains several security features including ACLs, NAT, user authentication and accounting, HTTP deep packet inspection, FTP command request inspection, and application protocol inspection of DNS, HTTP, ICMP, or RTSP. For more information, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

• Secure Sockets Layer: The SSL protocol on the ACE provides encryption technology for the Internet, ensuring secure transactions. For more information, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide.

• Application Acceleration and Optimization: The ACE includes several optimization technologies to accelerate web application performance, optimize network performance, and improve access to critical business information. For more information, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide.

• Command-Line Interface: The CLI is a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.

• Device Manager GUI Interface: The ACE Device Manager GUI resides in Flash memory on the appliance to provide a browser-based interface for configuring and managing the ACE. For more information, see the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide and the Device Manager Online help.


OL-11156-01

Configuring the ACE



This section describes the tasks to configure the ACE from the CLI:

• Establishing a Console Connection on the ACE
• Logging in to the ACE
• Setting the System Time and Date
• Changing the Administrative Password
• Assigning a Name to the ACE
• Configuring an Ethernet Port
• Allocating an Ethernet Port to a VLAN Trunk
• Configuring VLAN Interfaces on the ACE
• Configuring a Default Route
• Configuring Remote Access to the ACE
• Accessing the ACE through a Telnet Session

For detailed command syntax information for the ACE CLI commands, see the Cisco 4700 Series Application Control Engine Appliance Command Reference. Before performing the procedures in this section, ensure that you have completed the ACE installation instructions as described in the Cisco Application Control Engine Appliance Hardware Installation Guide.

Establishing a Console Connection on the ACE


The ACE has one standard RS-232 serial port located on its rear panel that operates as the console port. You establish a direct serial connection between your terminal or a PC and the ACE by making a serial connection to this console port. The integrated serial port uses a 9-pin male D-shell connector. Use a straight-through cable to connect the ACE to the terminal or a PC. For instructions on connecting a console cable to your ACE appliance, see the Cisco Application Control Engine Appliance Hardware Installation Guide. Any device connected to this port must be capable of asynchronous transmission. Connection requires a terminal configured as 9600 baud, 8 data bits, hardware flow control on, 1 stop bit, no parity.

Note

Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH sessions on the Ethernet ports.

Once connected, you can use any terminal communications application to access the ACE CLI. The following procedure uses HyperTerminal for Windows. To access the ACE by using a direct serial connection, perform the following steps:

Step 1

Launch HyperTerminal. The Connection Description window appears.

Step 2

Enter a name for your session in the Name field.

Step 3

Click OK. The Connect To window appears.

Step 4

From the drop-down list, choose the COM port to which the device is connected.

Step 5

Click OK. The Port Properties window appears.

Step 6

Set the port properties:

• Baud Rate = 9600
• Data Bits = 8
• Hardware Flow Control = On
• Parity = none
• Stop Bits = 1

Step 7

Click OK to connect.

Step 8

Press Enter to access the CLI prompt.


switch login:

When you boot the ACE for the first time and the appliance does not detect a startup-configuration file, the setup script appears. The setup script is intended to simplify connectivity to the Device Manager GUI on the ACE. For this quick configuration procedure, click no to bypass its operation and directly access the CLI.

Logging in to the ACE


To log in to the ACE, perform the following steps. Ensure that you have established a direct serial connection between your terminal or a PC and the ACE (see the Establishing a Console Connection on the ACE section).
Step 1

At the login prompt, log into the ACE by entering the login username and password. By default, the username and password are admin.
switch login: admin
Password: admin

Step 2

You are ready to use the ACE CLI when the following prompt appears:
switch/Admin#

Note

For security reasons, you should change the administrative password. If you do not change the administrative password, your ACE security can be compromised because the administrative password is configured to be the same for every ACE shipped from Cisco Systems. See the Changing the Administrative Password section.

Step 3

To prevent this current session from timing out, set the terminal session-timeout command to 0. By default, a session on the ACE is automatically logged out after 5 minutes of inactivity.
switch/Admin# terminal session-timeout 0


Step 4

To disable the inactivity timeout when you log in to the ACE, access configuration mode and set the login timeout command to 0. For example, enter:
switch/Admin# configure
Enter configuration commands, one per line. End with CNTL/Z
switch/Admin(config)# login timeout 0
switch/Admin(config)# exit
switch/Admin#

Setting the System Time and Date


To manually change the time and the date for an ACE, use the clock set hh:mm:ss DD MONTH YYYY command in Exec mode. When you enter this command, the ACE displays the current configured date and time.

To enter the current time, specify two digits for the hours, minutes, and seconds, separated by colons. To enter the current date, specify the one or two digits for the day, the full name of the month, and four digits for the year.

For example, to specify a time of 1:38:30 and a date of October 7, 2007, enter:
host1/Admin# clock set 01:38:30 7 Oct 2007
Sun Oct 7 01:38:30 PST 2007

Note

If you want to use the Network Time Protocol (NTP) to automatically synchronize the ACE system clock to an authoritative time server (such as a radio clock or an atomic clock), see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. In this configuration, the NTP time server automatically sets the ACE system clock.

Changing the Administrative Password


During the initial login process to the ACE, you enter the default user name admin and the default password admin in lowercase text. You cannot modify or delete the default administrative username; however, for security reasons, you should change the administrative password. If you do not change the administrative password, your ACE security can be compromised because the administrative password is configured to be the same for every ACE shipped from Cisco Systems. Change the default administrative password by using the username command in configuration mode. For example, to change the password to the encrypted password mysecret_801, enter:
switch/Admin# configure
Enter configuration commands, one per line. End with CNTL/Z
switch/Admin(config)# username admin password 5 mysecret_801

Assigning a Name to the ACE


The hostname is used for the command-line prompts and default configuration filenames. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. By default, the hostname for the ACE is switch.


Change the hostname for the ACE by using the hostname command in configuration mode. Enter a case-sensitive name that contains from 1 to 32 alphanumeric characters. For example, to change the hostname of the ACE from switch to host1, enter:
switch/Admin(config)# hostname host1

The prompt appears with the new hostname:


host1/Admin(config)#

Configuring an Ethernet Port


The four Ethernet ports provide the physical Ethernet ports to connect servers, PCs, routers, and other devices to the ACE. You can configure the four Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN and can carry traffic within a designated VLAN. To configure a Layer 2 Ethernet port on the ACE, use the interface gigabitEthernet command in configuration mode. The ACE enters the interface configuration mode where you configure the attributes for the selected Ethernet port.
Note

Only users authenticated in the Admin context can use the interface gigabitEthernet command.

To configure an Ethernet port, perform the following steps:

Step 1

Configure a Layer 2 Ethernet port on the ACE by using the interface gigabitEthernet slot_number/port_number command in configuration mode.
Note

The slot_number specifies the physical slot on the ACE containing the Ethernet ports. This selection is always 1.

For example, to configure Ethernet port 2 and enter interface configuration mode, enter:
host1/Admin(config)# interface gigabitEthernet 1/2
host1/Admin(config-if)#

Step 2

(Optional) Add a description about the Ethernet port by using the description command in interface configuration mode. A description can help you remember the port's function.
host1/Admin(config-if)# description Ethernet port 2 is configured for speeds of 100 Mbps and full-duplex operation

Step 3

Configure the interface duplex and speed (default is auto-negotiate) by using the speed and duplex commands in interface configuration mode. For example, to specify a speed of 100 Mbps and to configure Ethernet port 2 for full-duplex operation, enter:
host1/Admin(config-if)# speed 100M
host1/Admin(config-if)# duplex full

Step 4

Enable the Ethernet port by using the no shutdown command in interface configuration mode. This command puts the interface in the Up administrative state.
host1/Admin(config-if)# no shutdown

Step 5

Verify the configuration of the interface by using the do command with the show interface command.


Note

When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.

host1/admin(config-if)# do show interface gigabitEthernet 1/2
GigabitEthernet Port 1/2:
----------------------------
Description:
configured status: (ADMIN UP), speed: (100M), duplex: (FULL)
link status: (UP), speed: (100M), duplex: (FULL)

Allocating an Ethernet Port to a VLAN Trunk


After you configure an Ethernet port, the next step is to allocate it to a VLAN trunk by using the switchport trunk allowed vlan command in interface configuration mode. To allocate a VLAN to an Ethernet port, perform the following steps:
Step 1

Assign one or more VLAN numbers to the Ethernet port by using the switchport trunk allowed vlan vlan_list command in interface configuration mode. The vlan_list argument can be as follows:

• Single VLAN number
• Range of VLAN numbers separated by a hyphen
• Specific VLAN numbers separated by commas

Valid entries are 1 through 4094. Do not enter any spaces between the dash-specified ranges or the comma-separated numbers in the vlan_list argument.

Note

When associating VLANs to Ethernet ports, overlapping is not allowed. For example, if you associate VLAN 10 with Ethernet port 1, you cannot associate VLAN 10 with another Ethernet port.

For example, to add VLAN 10 to the defined list of VLANs currently set for Ethernet port 2, enter:
host1/Admin(config)# interface gigabitEthernet 1/2
host1/Admin(config-if)# switchport trunk allowed vlan 10

Note

It is not necessary to create a VLAN interface before allocating a VLAN to an Ethernet port. To configure a VLAN interface, use the interface vlan command in configuration mode as described in the Configuring VLAN Interfaces on the ACE section.

Step 2

Enable VLAN trunking for the specified Layer 2 Ethernet port by using the no shutdown command in interface configuration mode.
host1/Admin(config-if)# no shutdown

Now you are ready to create the corresponding VLAN interfaces on the ACE. See the Configuring VLAN Interfaces on the ACE section for details.
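
The vlan_list rules in Step 1 (single numbers, hyphenated ranges, comma-separated values, 1 through 4094, no spaces, and no VLAN on more than one Ethernet port) can be checked before the commands are entered. The following Python sketch is an added example and is not part of the Cisco documentation; the function names and port labels are hypothetical, and rejecting a reversed range such as 20-10 is an assumption.

```python
import re


def parse_vlan_list(vlan_list):
    """Expand a vlan_list argument ('10', '10-12', '10,20,30-32') into a set of ints."""
    # Only digits, hyphens and commas are accepted, so any space is rejected here.
    if not re.fullmatch(r"\d+(-\d+)?(,\d+(-\d+)?)*", vlan_list):
        raise ValueError(f"malformed vlan_list (spaces are not allowed): {vlan_list!r}")
    vlans = set()
    for part in vlan_list.split(","):
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        # Valid entries are 1 through 4094; a reversed range is treated as an error
        # (assumption, the note does not say how the ACE handles it).
        if not (1 <= low <= high <= 4094):
            raise ValueError(f"VLAN out of range or reversed range: {part}")
        vlans.update(range(low, high + 1))
    return vlans


def find_overlaps(port_to_vlan_list):
    """Return {vlan: [ports]} for every VLAN allocated to more than one Ethernet port."""
    owners = {}
    for port, vlan_list in port_to_vlan_list.items():
        for vlan in parse_vlan_list(vlan_list):
            owners.setdefault(vlan, []).append(port)
    return {vlan: sorted(ports) for vlan, ports in sorted(owners.items()) if len(ports) > 1}


if __name__ == "__main__":
    # Constructed plan: VLAN 12 is listed on two ports, which the ACE does not allow.
    plan = {"1/1": "10-12", "1/2": "12,20"}
    print(find_overlaps(plan))
```
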


Configuring VLAN Interfaces on the ACE


After you allocate the configured Ethernet ports to a VLAN trunk, configure a VLAN interface by assigning an IP address to a VLAN interface on the ACE. Each configured VLAN interface provides client connectivity over the network.

Note

The ACE requires a route (which may be the default route) back to the client before it can forward a request to a server. If the route back is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE.

To configure a VLAN interface on the ACE, perform the following steps:

Step 1

Access interface configuration mode for the VLAN by using the interface vlan command. For example, to create VLAN 10, enter:
host1/Admin(config)# interface vlan 10
host1/Admin(config-if)#

Step 2

Assign an IP address to a VLAN interface for client connectivity by using the ip address command. For example, to set the IP address of 172.16.110.8 and a subnet mask of 255.255.255.192 for the ACE, enter:
host1/Admin(config-if)# ip address 172.16.110.8 255.255.255.192

Step 3

(Optional) Provide a description for the interface by using the description command.
host1/Admin(config-if)# description Client side connectivity on VLAN 10

Step 4

Enable the VLAN interface by using the no shutdown command.


host1/admin(config-if)# no shutdown

Step 5

Verify that VLAN 10 is active by using the do command with the show interface command.
host1/admin(config-if)# do show interface vlan 10

Note

When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.

Step 6

Verify the network connectivity by using the ping command. This command verifies the connectivity of a remote host or server by sending echo messages from the ACE.
host1/admin(config-if)# do ping 172.16.11.1

Step 7

Display the ARP table by using the show arp command.


host1/admin(config-if)# do show arp

Step 8

Use the exit command to reenter configuration mode.


host1/admin(config-if)# exit
host1/admin(config)#


Configuring a Default Route


The default route identifies the IP address where the ACE sends all IP packets for which it does not have a route. To configure a default route, use the ip route dest_ip_prefix netmask gateway_ip_address command. For example, to set the IP address and subnet mask for the default route (0.0.0.0/0) and the default gateway to 172.16.110.1, an address on the same network as VLAN 55, enter:
host1/Admin(config)# ip route 0.0.0.0 0.0.0.0 172.16.110.1

To display the ACE routing table, use the show ip route command.
host1/Admin(config)# do show ip route

Note

When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.

Configuring Remote Access to the ACE


Before remote network access can occur on the ACE through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE. To configure remote network management to enable remote access to the ACE, perform the following steps:
Step 1

Create a class map by using the class-map type management command in class map configuration mode. For example, to create a management type class map named REMOTE_ACCESS that matches any traffic, enter:
host1/Admin(config)# class-map type management match-any REMOTE_ACCESS
host1/Admin(config-cmap-mgmt)#

Step 2

(Optional) Provide a description for the class map by using the description command.
host1/Admin(config-cmap-mgmt)# description Remote access traffic match

Step 3

Configure the match protocol that permits network management traffic by using the match protocol command. For example, to permit traffic based on the protocol of SSH, Telnet, and ICMP for any source address, enter:
host1/Admin(config-cmap-mgmt)# match protocol telnet any
host1/Admin(config-cmap-mgmt)# match protocol ssh any
host1/Admin(config-cmap-mgmt)# match protocol icmp any

Step 4

Use the exit command to reenter configuration mode.


host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#

Step 5

Create a policy map for traffic destined to an ACE interface, and then access policy map management configuration mode by using the policy-map type management first-match command. For example, to create the REMOTE_MGMT_ALLOW_POLICY policy map, enter:
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#


Step 6

Apply the class map to this policy and access policy map class configuration mode by using the class command. For example, to apply the previously created REMOTE_ACCESS class map to this policy, enter:
host1/Admin(config-pmap-mgmt)# class REMOTE_ACCESS
host1/Admin(config-pmap-mgmt-c)#

Step 7

Allow the ACE to receive the configured class map management protocols by using the permit command.
host1/Admin(config-pmap-mgmt-c)# permit

Step 8

Use the exit command to reenter configuration mode.


host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#

Step 9

Access interface configuration mode for the VLAN to which you want to apply the policy map. For example, to access the interface configuration mode for VLAN 10, enter:
host1/Admin(config)# interface vlan 10
host1/Admin(config-if)#

Step 10

Apply the policy map to the interface by using the service-policy input command. For example, to apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface, enter:
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Step 11

View the applied service policy on the interface by using the do command with the show service-policy command. For example, to display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface, enter:
host1/Admin(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY

Note

When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.

Step 12

Save your configuration changes from the running configuration to the startup configuration.
host1/Admin(config-if)# do copy running-config startup-config

Step 13

Display the running configuration by using the show running-config command.


host1/Admin# show running-config
Generating configuration....

login timeout 0

hostname host1

interface gigabitEthernet 1/2
  description Ethernet port 2 is configured for speeds of 100 Mbps and full-duplex
  speed 100M
  duplex FULL
  switchport trunk allowed vlan 10
  no shutdown

class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

interface vlan 10
  ip address 172.16.110.8 255.255.255.192
  description Client side connectivity
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.110.1
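
The remote-access configuration above permits Telnet, which sends the login in clear text, accepts management traffic from any source address, and disables the login inactivity timeout. The following Python script is an added example and is not part of the Cisco documentation: it follows the chain from interface to policy map to class map in a saved running configuration and reports those three conditions. The check names are hypothetical, and the script assumes the configuration is indented as `show running-config` prints it.

```python
import re

# Running configuration from Step 13 of this note, used as sample input.
SAMPLE_CONFIG = """\
login timeout 0
hostname host1
interface gigabitEthernet 1/2
  speed 100M
  duplex FULL
  switchport trunk allowed vlan 10
  no shutdown
class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
interface vlan 10
  ip address 172.16.110.8 255.255.255.192
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.110.1
"""

CLEARTEXT = {"telnet"}  # management protocols that carry the login unencrypted


def parse_blocks(text):
    """Group an indented running-config into (header, [child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a sorted list of (check_id, detail) findings."""
    findings = []
    class_maps = {}  # class-map name -> [(protocol, source)] from 'match protocol'
    permits = {}     # policy-map name -> class names followed by 'permit'
    applied = {}     # interface (or 'global') -> management policies applied inbound
    for header, children in parse_blocks(text):
        words = header.split()
        if words[:3] == ["class-map", "type", "management"]:
            matches = []
            for child in children:
                m = re.match(r"(?:\d+\s+)?match protocol (\S+) (.+)$", child)
                if m:
                    matches.append((m.group(1), m.group(2)))
            class_maps[words[-1]] = matches
        elif words[:3] == ["policy-map", "type", "management"]:
            current, allowed = None, set()
            for child in children:
                if child.startswith("class "):
                    current = child.split()[1]
                elif child == "permit" and current:
                    allowed.add(current)
            permits[words[-1]] = allowed
        elif words[0] == "interface":
            policies = [c.split()[2] for c in children
                        if c.startswith("service-policy input ")]
            if policies:
                applied[header] = policies
        elif words[:2] == ["service-policy", "input"]:
            applied.setdefault("global", []).append(words[2])
        elif header == "login timeout 0":
            findings.append(("LOGIN_TIMEOUT_DISABLED", header))

    # Only class maps that a policy permits AND that reach an interface are exposed.
    for iface, policies in applied.items():
        for policy in policies:
            for cls in permits.get(policy, ()):
                for proto, source in class_maps.get(cls, ()):
                    where = f"{iface} via {policy}/{cls}"
                    if proto in CLEARTEXT:
                        findings.append(("CLEARTEXT_MGMT", f"{proto} on {where}"))
                    # ICMP is left out: it carries no login (a choice of this example).
                    if source == "any" and proto != "icmp":
                        findings.append(("MGMT_FROM_ANY", f"{proto} on {where}"))
    return sorted(findings)


if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE_CONFIG):
        print(f"{check_id}: {detail}")
```

A class map that restricts SSH with the ACE `source-address` form of `match protocol`, which this note does not show, produces no MGMT_FROM_ANY finding.
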

Accessing the ACE through a Telnet Session


After you have completed the previous configurations, you should be able to use Telnet to access the ACE through an Ethernet port by using its IP address. To initiate a Telnet connection to the ACE, perform the following steps:
Step 1

Initiate a Telnet session from a remote host to the ACE. For example, to access the ACE from the VLAN IP address of 172.16.110.8, enter:
remote_host# telnet 172.16.110.8
Trying 172.16.110.8 ... Open

Step 2

At the prompt, log in to the ACE. Enter admin as the login username and admin as the password.
host1 login: admin

Step 3

Display the Telnet session by using the show telnet command.


host1/Admin# show telnet

Configuring Basic VIP Load Balancing on the ACE


A basic load-balancing configuration allows the ACE to perform the following tasks:

• Match VIP-destined traffic flows.
• Load balance these flows to real servers on the network.

Class maps classify client traffic destined to a VIP address. The ACE load balances traffic to a server farm and selects one of the real servers to respond to the client request. This section describes the tasks that you perform using the CLI to configure and perform basic VIP load balancing:

• Configuring Real Servers
• Configuring a Server Farm
• Configuring the VIP Traffic Policy
• Configuring an ACL
• Verifying the VIP Load-Balancing Configuration
• Where to Go Next

For detailed command syntax information for the ACE CLI commands mentioned in this section, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.


Configuring Real Servers


Real servers are dedicated physical servers that you typically configure in groups called server farms. These servers provide services to clients, for example, HTTP or XML content. You identify real servers with names and characterize them with IP addresses, connection limits, and weight values. To configure real servers on the ACE, perform the following steps:
Step 1

Enter configuration mode by using the configure command in Exec mode.


host/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#

Step 2

Create a real server and then access real server host configuration mode by using the rserver command. For example, to create a real server named SERVER1 as a type host (the default), enter:
host1/Admin(config)# rserver SERVER1
host1/Admin(config-rserver-host)#

Step 3

Enter a description of the real server by using the description command.


host1/Admin(config-rserver-host)# description web-one content server

Step 4

Assign the real server an IP address in dotted-decimal notation by using the ip address command. For example, to assign the IP address of 192.168.4.11, enter:
host1/Admin(config-rserver-host)# ip address 192.168.4.11

Step 5

Place the real server in service by using the inservice command.


host1/Admin(config-rserver-host)# inservice

Step 6

Use the exit command to reenter configuration mode.


host1/Admin(config-rserver-host)# exit
host1/Admin(config)#

Step 7

Configure additional real servers by repeating Steps 2 through 5. For example, to add a real server named SERVER2 with an IP address of 192.168.4.12, enter:
host1/Admin(config)# rserver SERVER2
host1/Admin(config-rserver-host)# description web-two content server
host1/Admin(config-rserver-host)# ip address 192.168.4.12
host1/Admin(config-rserver-host)# inservice

Step 8

Use the exit command to reenter configuration mode.


host1/Admin(config-rserver-host)# exit
host1/Admin(config)#

Step 9

Display the configuration of the real servers by using the do command with the show running-config rserver command.
host1/Admin(config)# do show running-config rserver
Generating configuration....

rserver host SERVER1
  description web-one content server
  ip address 192.168.4.11
  inservice
rserver host SERVER2
  description web-two content server
  ip address 192.168.4.12
  inservice


Note

When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.

Configuring a Server Farm


After you create and configure the real servers, create a server farm and associate the real servers with it. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. To create a server farm, perform the following steps:
Step 1

Create a server farm and access server farm host configuration mode by using the serverfarm command. For example, to create a server farm of type host (the default) named SFARM1, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)#

Step 2

Associate an existing real server with the server farm and enter server farm host real server configuration mode by using the rserver command. For example, to associate SERVER1 real server to the server farm, enter:
host1/Admin(config-sfarm-host)# rserver SERVER1
host1/Admin(config-sfarm-host-rs)#

Step 3

Place the real server in service by using the inservice command. Before you can start sending connections to a real server in a server farm, you must place it in service. Otherwise, the ACE considers it out of service and the server farm cannot receive or respond to client requests.
host1/Admin(config-sfarm-host-rs)# inservice

Step 4

Use the exit command to reenter server farm host configuration mode.
host1/Admin(config-sfarm-host-rs)# exit
host1/Admin(config-sfarm-host)#

Step 5

Associate the SERVER2 real server with the server farm.


host1/Admin(config-sfarm-host)# rserver SERVER2
host1/Admin(config-sfarm-host-rs)#

Step 6

Place the real server in service.


host1/Admin(config-sfarm-host-rs)# inservice

Step 7

Use the exit command to reenter configuration mode.


host1/Admin(config-sfarm-host-rs)# exit
host1/Admin(config-sfarm-host)# exit
host1/Admin(config)#


Step 8

Verify that the real servers appear as operational (even though network connectivity has not been established) by using the do command with the show rserver command. For example, to display the SERVER1 real server, enter:
host1/Admin(config)# do show rserver SERVER1
 rserver              : SERVER1, type: HOST
 state                : OPERATIONAL
                                                ----------connections-----------
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: SFARM1
       192.168.4.11:0        8      OPERATIONAL  0          0

Note

When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.

Step 9

Add an interface to allow the ACE to communicate with the real servers by using the interface vlan command. For example, to configure VLAN 57 and access its configuration mode, enter:
host1/Admin(config)# interface vlan 57
host1/Admin(config-if)#

Step 10

Configure the IP address that is associated with the real server IP addresses by using the ip address command. For example, to configure the IP address 192.168.4.1 255.255.255.0, enter:
host1/Admin(config-if)# ip address 192.168.4.1 255.255.255.0

Step 11

(Optional) Provide a description for the interface by using the description command.
host1/Admin(config-if)# description Server-side Interface

Step 12

Enable the interface by using the no shutdown command.


host1/Admin(config-if)# no shutdown

Step 13

Save the running configuration to the startup configuration.


host1/Admin(config-if)# do copy running-config startup-config

Step 14

Use the exit command to reenter configuration mode.


host1/Admin(config-if)# exit
host1/Admin(config)#

Step 15

Display how the ACE populates the ARP table with the real server (RSERVER) by using the do command with the show arp command.
host1/Admin(config)# do show arp
Context Admin
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
================================================================================
127.1.0.128     00.00.00.00.20.62  vlan1      INTERFACE LOCAL  _          up
127.1.0.192     00.00.00.00.20.62  vlan1      STATIC    2      _          up
192.168.4.1     00.00.00.00.20.62  vlan57     INTERFACE LOCAL  _          up
192.168.4.11    00.00.00.00.00.00  vlan57     RSERVER   *      2 req      dn
192.168.4.12    00.00.00.00.00.00  vlan57     RSERVER   *      2 req      dn
================================================================================
Total arp entries 5


Configuring the VIP Traffic Policy


You classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified by a class map. Each class map defines a traffic classification, which is network traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied to a set of classified inbound traffic.

The simplest flow match criteria is server load balancing based on a client's attempt to reach a virtual IP address and port. This type of match is a Layer 3 and Layer 4 traffic policy. It matches only the destination IP address and port and then makes the server load-balancing decision.

To create a VIP traffic policy, perform the following steps:

Step 1

Create a Layer 7 SLB policy map to match class maps in the order in which they occur for load balancing by using the policy-map type loadbalance first-match command. For example, to create a load balancing policy map named L7_VIP_LB_ORDER_POLICY, enter:
host1/Admin(config)# policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
host1/Admin(config-pmap-lb)#

Step 2

For a simple load-balancing policy, assign the ACE default class map that contains an implicit match any statement in it for matching any traffic classification. Use the class class-default command.
host1/Admin(config-pmap-lb)# class class-default
host1/Admin(config-pmap-lb-c)#

Step 3

Add the server farm to the Layer 7 SLB policy map by using the serverfarm command. For example, to add the previously-created SFARM1 server farm, enter:
host1/Admin(config-pmap-lb-c)# serverfarm SFARM1

Step 4

Use the exit command to reenter configuration mode.


host1/Admin(config-pmap-lb-c)# exit
host1/Admin(config-pmap-lb)# exit
host1/Admin(config)#

Step 5

Create a Layer 3 and Layer 4 load-balancing class map by using the class-map command. For example, to create a class map named L4_VIP_ADDRESS_CLASS, enter:
host1/Admin(config)# class-map L4_VIP_ADDRESS_CLASS
host1/Admin(config-cmap)#

Step 6

Define a VIP address match statement by using the match virtual-address command. For example, to define a match statement for the IP address 172.16.110.9 for any IP protocol, enter:
host1/Admin(config-cmap)# match virtual-address 172.16.110.9 any

Step 7

Use the exit command to reenter configuration mode.


host1/Admin(config-cmap)# exit
host1/Admin(config)#

Step 8

Create a Layer 3 and Layer 4 multi-match policy map to direct classified incoming requests to the load-balancing policy map by using the policy-map multi-match command. For example, to create the policy map named L4_LB_VIP_POLICY, enter:
host1/Admin(config)# policy-map multi-match L4_LB_VIP_POLICY
host1/Admin(config-pmap)#


Step 9

Associate the Layer 3 and Layer 4 class map that defines the VIP address with the policy map by using the class command. For example, to associate the previously created L4_VIP_ADDRESS_CLASS class map, enter:
host1/Admin(config-pmap)# class L4_VIP_ADDRESS_CLASS
host1/Admin(config-pmap-c)#

Step 10

Associate the Layer 7 load-balancing policy map with the Layer 3 and Layer 4 policy map by using the loadbalance command. This association determines the actions that the ACE takes when network traffic matches a class map. For example, to associate the previously created L7_VIP_LB_ORDER_POLICY policy map, enter:
host1/Admin(config-pmap-c)# loadbalance policy L7_VIP_LB_ORDER_POLICY

Step 11

Enable a VIP for load-balancing operations by using the loadbalance vip inservice command.
host1/Admin(config-pmap-c)# loadbalance vip inservice

Step 12

Use the exit command to reenter configuration mode.


host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
host1/Admin(config)#

Step 13

Access the client-facing interface to which you want to apply the multi-match policy map by using the interface vlan command. For example, to access interface configuration mode for VLAN 55, enter:
host1/Admin(config)# interface vlan 55
host1/Admin(config-if)#

Step 14

Apply the multi-match policy map by using the service-policy input command. For example, to apply the L4_LB_VIP_POLICY policy map, enter:
host1/Admin(config-if)# service-policy input L4_LB_VIP_POLICY

Step 15

Use the exit command to reenter configuration mode.


host1/Admin(config-if)# exit
host1/Admin(config)#

Step 16

Save the running configuration to the startup configuration.


host1/Admin(config)# do copy running-config startup-config

Step 17

Verify that the ACE will respond to traffic to the VIP address by using the do command with the show service-policy command. The show service-policy command displays whether the VIP state is inservice. For example, to display the service policy state for the L4_LB_VIP_POLICY policy map, enter:
host1/Admin(config)# do show service-policy L4_LB_VIP_POLICY

Status     : ACTIVE
-----------------------------------------
Interface: vlan 1 55
  service-policy: L4_LB_VIP_POLICY
    class: L4_VIP_ADDRESS_CLASS
      loadbalance:
        L7 loadbalance policy: L7_VIP_LB_ORDER_POLICY
        VIP ICMP Reply       : DISABLED
        VIP state: OUTOFSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0


Note

When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.

Configuring an ACL
An access control list (ACL) provides an extra layer of security on the services that the ACE provides. For traffic destined to a class map that is applied to a multi-match policy map, you must configure an ACL and apply it to an interface. Otherwise, the ACE denies all traffic on the interface. To configure an ACL, perform the following steps:
Step 1

Create an ACL for the interface by using the access-list command. For example, to create an ACL named ALL for access control on IP traffic through the ACE-extended ACL and permit the forwarding of any source IP address to any destination address, enter:
host1/Admin(config)# access-list ALL extended permit any

Step 2

Access interface configuration mode for the interface that is configured with the multi-match policy map by using the interface vlan command. For example, to access interface configuration mode for VLAN 55, enter:
host1/Admin(config)# interface vlan 55
host1/Admin(config-if)#

Step 3

Apply the ACL to the interface by using the access-group input command. For example, to apply the previously created ALL ACL, enter:
host1/Admin(config-if)# access-group input ALL

Step 4

Exit the interface configuration mode and reenter Exec mode by using the end command.
host1/Admin(config-if)# end
host1/Admin#

Step 5

Verify that the ACL is applied and is active by using the show access-list command.
host1/Admin# show access-list ALL

Step 6

Save the running configuration to the startup configuration.


host1/Admin# copy running-config startup-config

Step 7

Display the configuration information by using the show running-config command. In this example, the basic load-balancing configuration is in bold.
host1/Admin# show running-config
Generating configuration....

login timeout 0

hostname host1

interface gigabitEthernet 1/2
  description Ethernet port 2 is configured for speeds of 100 Mbps and full-duplex
  speed 100M
  duplex FULL
  switchport trunk allowed vlan 10
  no shutdown

access-list ALL line 10 extended permit any ip any any

rserver SERVER1
  description web-one content server
  ip address 192.168.4.11
  inservice
rserver SERVER2
  description web-two content server
  ip address 192.168.4.12
  inservice

class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
class-map match-all L4_VIP_ADDRESS_CLASS
  10 match virtual-address 172.16.110.9 any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class CLASS-DEFAULT
    serverfarm SFARM1
policy-map type multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
    loadbalance L7_VIP_LB_ORDER_POLICY

interface vlan 55
  ip address 172.16.110.8 255.255.255.192
  description Client side connectivity
  access-group input ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input L4_LB_VIP_POLICY
  no shutdown
interface vlan 57
  ip address 192.168.4.1 255.255.255.0
  description Server-side Interface
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.110.1
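The quick configuration above leaves three permissive settings on the client-facing interface: the permit-any ACL named ALL, Telnet management from any source, and login timeout 0 (no idle logout). The following Python script is an added example, not part of the Cisco document: it reads a saved running-config and reports where those settings are actually applied. The check names, the function names, and the trimmed sample text are this example's own.

```python
import re

# The page's running-config, trimmed to the lines the checks read
# (indentation reconstructed for this example).
SAMPLE_CONFIG = """\
login timeout 0
access-list ALL line 10 extended permit any ip any any
class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
interface vlan 55
  access-group input ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input L4_LB_VIP_POLICY
interface vlan 57
  ip address 192.168.4.1 255.255.255.0
"""

def parse_blocks(text):
    """Group the config into (top-level line, [indented child lines])."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(text):
    """Return sorted (check, location, object) findings; check names are this example's."""
    blocks = parse_blocks(text)
    findings, open_acls, telnet_classes, telnet_policies = [], set(), set(), set()
    for head, kids in blocks:
        if head == "login timeout 0":  # 0 means CLI sessions never idle out
            findings.append(("idle-timeout-disabled", "global", head))
        m = re.match(r"access-list (\S+) .*\bpermit (.+)$", head)
        if m and set(m.group(2).split()) <= {"any", "ip"}:  # no host, subnet or port
            open_acls.add(m.group(1))
        m = re.match(r"class-map type management \S+ (\S+)$", head)
        if m and any(k.endswith("match protocol telnet any") for k in kids):
            telnet_classes.add(m.group(1))
    for head, kids in blocks:  # management policy maps that permit such a class
        m = re.match(r"policy-map type management \S+ (\S+)$", head)
        for cls, action in zip(kids, kids[1:]):
            if (m and cls.startswith("class ") and action == "permit"
                    and cls.split()[-1] in telnet_classes):
                telnet_policies.add(m.group(1))
    for head, kids in blocks:  # report only objects that are applied to an interface
        if head.startswith("interface vlan"):
            for k in kids:
                name = k.split()[-1]
                if k.startswith("access-group input ") and name in open_acls:
                    findings.append(("permit-any-acl", head, name))
                if k.startswith("service-policy input ") and name in telnet_policies:
                    findings.append(("telnet-from-any", head, name))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An ACL or management policy that is defined but not applied to any interface is not reported, because it does not affect traffic.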


Verifying the VIP Load-Balancing Configuration


To verify the load-balancing configuration, use the show service-policy command to ensure the counters are incrementing as connections are handled. For example, to display the counters for the L4_LB_VIP_POLICY policy map, enter:
host1/Admin# show service-policy L4_LB_VIP_POLICY

Interface: vlan 55
  service-policy: L4_LB_VIP_POLICY
    class: L4_VIP_ADDRESS_CLASS
      loadbalance:
        L7 policy: L7_VIP_LB_ORDER_POLICY, VIP state: INSERVICE
        curr conns       : 0         , hit count        : 20
        dropped conns    : 0
        client pkt count : 100       , client byte count: 13000
        server pkt count : 127       , server byte count: 92381
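The counter check described above can be automated by comparing two captures of the show service-policy output taken before and after a test connection. The following Python script is an added example, not part of the Cisco document. The BEFORE capture is constructed, AFTER uses the counter values printed above, and the rule that client packets without server packets indicates unreachable real servers is this example's assumption.

```python
import re

# Constructed captures in the layout of the show service-policy output above.
BEFORE = """\
Interface: vlan 55
  service-policy: L4_LB_VIP_POLICY
    class: L4_VIP_ADDRESS_CLASS
      loadbalance:
        L7 policy: L7_VIP_LB_ORDER_POLICY, VIP state: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
"""
AFTER = """\
Interface: vlan 55
  service-policy: L4_LB_VIP_POLICY
    class: L4_VIP_ADDRESS_CLASS
      loadbalance:
        L7 policy: L7_VIP_LB_ORDER_POLICY, VIP state: INSERVICE
        curr conns       : 0         , hit count        : 20
        dropped conns    : 0
        client pkt count : 100       , client byte count: 13000
        server pkt count : 127       , server byte count: 92381
"""

def parse_service_policy(text):
    """Return (VIP state, {counter name: value}) from one capture."""
    state = re.search(r"VIP state:\s*(\S+)", text)
    counters = {name.strip(): int(value)
                for name, value in re.findall(r"([a-z][a-z ]*?)\s*:\s*(\d+)", text)}
    return (state.group(1) if state else None), counters

def check_vip(before, after):
    """Compare two captures and return a list of problems (empty when healthy)."""
    _, old = parse_service_policy(before)
    state, new = parse_service_policy(after)
    delta = {name: new[name] - old.get(name, 0) for name in new}
    problems = []
    if state != "INSERVICE":
        problems.append(f"VIP state is {state}")
    if delta.get("hit count", 0) <= 0:
        problems.append("hit count did not increase")
    if delta.get("dropped conns", 0) > 0:
        problems.append("dropped conns increased")
    # Assumption: traffic from clients with nothing coming back from the
    # server side means the real servers are not answering.
    if delta.get("client pkt count", 0) > 0 and delta.get("server pkt count", 0) <= 0:
        problems.append("client packets seen but no server packets")
    return problems

if __name__ == "__main__":
    print(check_vip(BEFORE, AFTER) or "VIP is in service and counters are incrementing")
```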

You can also verify access to the real servers by using a Telnet session to connect to the VIP address if your servers support the Telnet daemon. If you are able to receive the login and password prompt from the ACE, access to the real servers is available through the VIP address. For example, enter:
linux$ telnet 172.16.110.9
Trying 172.16.110.9... Open
host1 login: admin
Password:

Where to Go Next
After you have completed the quick configuration procedures in this guide, you can configure more advanced features on the ACE, such as the following:

Application acceleration and optimization
Application protocol inspection
Connection persistence using HTTP-cookie, HTTP header, or IP netmask stickiness
Health monitoring including probes
Layer 7 server load-balancing traffic policy, including class maps and policy maps
Redundancy
SSL
TCP/IP normalization
Virtualization and role-based access control (RBAC)

You can configure the ACE by using the following:

The CLI, a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.
ACE Device Manager GUI, a web browser-based GUI interface that provides a graphical user interface for configuring, managing, and monitoring the ACE.

For details on configuring the ACE features from the Device Manager GUI, see the Online Help system provided with the GUI.


Related Documentation
To familiarize yourself with the ACE appliance hardware and software, see the following documents:

Release Note for the Cisco 4700 Series Application Control Engine Appliance
Cisco Application Control Engine Appliance Hardware Installation Guide
Regulatory Compliance and Safety Information for the Cisco Application Control Engine Appliance

For detailed configuration information on the ACE command-line interface (CLI), see the following software documents:

Cisco 4700 Series Application Control Engine Appliance Administration Guide
Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide
Cisco 4700 Series Application Control Engine Appliance Command Reference
Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide
Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide
Cisco 4700 Series Application Control Engine Appliance System Message Guide
Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide
Cisco CSS-to-ACE Conversion Tool User Guide


For detailed configuration information on the ACE Device Manager GUI, see the following software documents:

Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Quick Configuration Note
Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide
Cisco 4700 Series Application Control Engine Appliance Online Help

Obtaining Documentation, Obtaining Support, and Security Guidelines


For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco ACE 4700 Series Application Control Engine Appliance CLI Quick Configuration Note
Copyright 2007, Cisco Systems, Inc. All rights reserved.
