Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Preface
This guide provides instructions for the administration of the following products:
Cisco ACE Application Control Engine Module (ACE module) in the Catalyst 6500 series switch or
Cisco 7600 series router
Cisco ACE 4700 Series Application Control Engine Appliance (ACE appliance)
The information in this guide applies to both the ACE module and the ACE appliance unless otherwise
noted.
You configure the ACE by using the following interfaces:
The command-line interface (CLI), a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.
(ACE appliance only) Device Manager graphical user interface (GUI), a Web browser-based interface for configuring, managing, and monitoring the ACE appliance.
Audience
This guide is intended for the following trained and qualified service personnel who are responsible for
configuring the ACE:
System administrator
System operator
Chapter 2, Enabling Remote Access to the ACE: Describes how to configure remote access to the ACE by establishing a remote connection using the Secure Shell (SSH) or Telnet protocols. It also describes how to configure the ACE to provide direct access to a user context from SSH. This chapter also covers how to configure the ACE to receive ICMP messages from a host.
Chapter 3, Managing ACE Software Licenses
Describes how to save and download configuration files, use the file system, view and copy core dumps, capture and copy packet information, use the configuration checkpoint and rollback service, display configuration information, and display technical support information.
Chapter 6, Configuring Redundant ACEs
Chapter 7, Configuring SNMP
OL-25343-01
Related Documentation
In addition to this document, the ACE documentation set includes the following:
Document Title: Description
CSS-to-ACE Conversion Tool Guide, Cisco ACE Application Control Engine: Describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services Switches (CSS) running-configuration or startup-configuration files to the ACE.
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
Hardware Installation Guide, Cisco ACE 4710 Application Control Engine Appliance: (ACE appliance only) Provides information for installing the ACE appliance.
Installation Note, Cisco ACE Application Control Engine ACE30 Module
VLAN interfaces
Routing
Bridging
Stickiness
TCL scripts
SSL initiation
SSL termination
End-to-end SSL
boldface font: Commands, command options, and keywords are in boldface. Bold text also indicates a command in a paragraph.
italic font: Arguments for which you supply values are in italics. Italic text also indicates the first occurrence of a new term, a book title, or emphasized text.
{ }
[ ]
{x | y | z}
[x | y | z]
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter in a command line is in boldface screen font.
italic screen font: Arguments for which you supply values are in italic screen font.
^: The symbol ^ represents the key labeled Control; for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >
1. A numbered list indicates that the order of the list items is important.
a. An alphabetical list indicates that the order of the secondary list items is important.
A bulleted list indicates that the order of the list topics is unimportant.
An indented list indicates that the order of the list subtopics is unimportant.
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
For additional information about CLI syntax formatting, refer to the Command Reference, Cisco ACE
Application Control Engine.
Chapter 1, Setting Up the ACE Module
Note
The information in this chapter applies to the ACE module only. For information about setting up the ACE appliance, see Chapter 2, Setting Up the ACE Appliance.
This chapter describes how to initially configure basic settings on the ACE module in the Catalyst
6500 series switches. It contains the following major sections:
Default Settings
For details on assigning VLANs to the ACE module, configuring VLAN interfaces on the ACE module,
and configuring a default or static route on the ACE module, see the Routing and Bridging Guide, Cisco
ACE Application Control Engine.
Terminal: The terminal that you use to communicate with the ACE module must contain a terminal communications application, such as HyperTerminal for Windows, and be configured as follows:
Asynchronous transmission
9600 baud
8 data bits
1 stop bit
No parity
Cable: The cable that connects the terminal to the ACE module must meet the following requirements:
Serial cable with an RJ-45 connector
Cable type: Rollover serial cable to connect the ACE to a DTE device
For instructions on connecting a console cable to your ACE, see the Installation Note, Cisco ACE
Application Control Engine ACE30 Module.
Default Settings
Table 1-1 lists the default settings for the ACE module setup parameters.
Table 1-1
Parameter: Default
User accounts: Administrator account: username: admin / password: admin; XML interface account: username: www / password: admin
Host name: switch
Inactivity timeout: 5 minutes
9600 baud
8 data bits
1 stop bit
No parity
Only the Admin context is accessible through the console port; all other contexts can be reached through
Telnet or SSH sessions.
Prerequisites
This setup procedure requires a properly configured terminal and cable as described in the Prerequisites
for Setting Up the ACE Module section.
Detailed Steps
Follow these steps to access the ACE module using a direct serial connection:
Step 1
Connect the serial cable between the ACE module and the terminal and then use any terminal
communications application to access the ACE module CLI. This procedure uses HyperTerminal for
Windows.
Step 2
Step 3
Step 4
Step 5
From the drop-down list, choose the COM port to which the device is connected.
Step 6
Step 7
Data Bits = 8
Parity = none
Stop Bits = 1
Step 8
Click OK to connect.
Step 9
What to Do Next
When the login prompt displays, proceed with the following tasks:
Once a session is created, choose Save As from the File menu to save the connection description.
Saving the connection description has the following two advantages:
The next time that you launch HyperTerminal, the session is listed as an option under
Start > Programs > Accessories > HyperTerminal > Name_of_session. This option lets you
reach the CLI prompt directly without going through the configuration steps.
You can connect your cable to a different device without configuring a new HyperTerminal
session. If you use this option, make sure that you connect to the same port on the new device
as was configured in the saved HyperTerminal session. Otherwise, a blank screen appears
without a prompt.
See the Sessioning and Logging In to the ACE Module section for details on logging in and
entering the configuration mode to configure the ACE.
Only the Admin context is accessible through the console port; all other contexts can be reached through
a Telnet or SSH remote access session.
Detailed Steps
Follow these steps to session into the ACE module and access configuration mode to perform the initial
configuration:
Step 1
If you choose to access the ACE module directly by its console port, attach a terminal to the
asynchronous RS-232 serial port on the front of the module. Any device connected to this port
must be capable of asynchronous transmission. The connection requires a terminal configured
as 9600 baud, 8 data bits, 1 stop bit, no parity. See the Establishing a Console Connection on
the ACE Module section.
If you choose to session into the ACE module, after the module successfully boots, enter the session command from the Catalyst CLI to Telnet to the module:
Cat6k-switch# session slot mod_num processor 0
The mod_num argument identifies the slot number in the Catalyst 6500 series chassis where the
ACE module is installed.
The default escape character sequence is Ctrl-^, and then x. You can also enter exit at the remote
prompt to end the session.
Note
Step 2
Log into the ACE module by entering the login username and password at the following prompt:
switch login: admin
Password: admin
To change the default login username and password, see the Changing or Resetting the Administrative
Password section for details.
Caution
You must change the default Admin password if you have not already done so. Otherwise, you will be able to log in to the ACE module only through the console port or through the supervisor engine of the Catalyst 6500 series switch or the Cisco 7600 series router. You will not be able to access the ACE module using Telnet or SSH until you change the default Admin password.
Step 3
Note
For information about changing a user password, see the Virtualization Guide, Cisco ACE Application
Control Engine.
Caution
You must change the default Admin password if you have not already done so. Otherwise, you can log
in to the ACE module only through the console port or through the supervisor engine of the Catalyst
6500 series switch or the Cisco 7600 series router.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Note
Step 3
Detailed Steps
Follow these steps to reset the password that allows the Admin user access to the ACE module:
Step 1
Step 2
Session in to the ACE module through the console port on the front panel.
Step 3
Reboot the ACE module from the Catalyst 6500 series CLI. See the Restarting the ACE Module
section for details.
Step 4
During the bootup process, output appears on the console terminal. Press ESC when the Waiting for 3
seconds to enter setup mode... message appears on the terminal (see the example below). The setup
mode appears. If you miss the time window, wait for the ACE module to properly complete booting,
reboot the ACE module from the Catalyst 6500 series CLI, and try again to access the setup mode by
pressing ESC.
IXP polling timeout interval: 120
map_pci_xram_to_uspace[149] :: mapping 4096 bytes from 0x58800000
map_pci_xram_to_uspace[149] :: mapping 4096 bytes from 0x5a800000
................................................
IXP's are up... <Sec 48 :Status of IXP1 7, IXP2 7>
map_pci_xram_to_uspace[149] :: mapping 102400 bytes from 0x4fd68000
map_pci_xram_to_usenabling intb 57 interrupts
pace[149] :: mapping 102400 bytes from 0x57d68000
Starting lcpfw process...
inserting IPCP klm
Warning: loading /itasca/klm/klm_session.klm will taint the kernel: no license
See http://www.tux.org/lkml/#export-tainted for information about tainted modu
les
Module klm_session.klm loaded, with warnings
inserting cpu_util klm
create dev node as 'mknod /dev/cpu_util c 236 0'
getting cpu_util dev major num
making new cpu_util dev node
Session Agent waiting for packets .
Waiting for 3 seconds to enter setup mode...
Entering setup sequence...
Reset Admin password [y/n] (default: n): y
Resetting admin password to factory default...
XR Serial driver version 1.0 (2004-11-08) with no serial options enabled
ttyXR major device number: 235
Create a dev file with 'mknod /dev/ttyXR c 235 [0-1]'
cux major device number: 234
Create a dev file with 'mknod /dev/cux c 234 [0-1]'
ttyXR0 at 0x10c00000 (irq = 59) is a 16550A
ttyXR1 at 0x10c00008 (irq = 59) is a 16550A
No licenses installed...
Loading.. Please wait...Done!!!
Step 5
The setup mode prompts if you want to reset the admin password. Enter y. The Resetting admin
password to factory default message appears. The ACE module deletes the admin user password
configuration from the startup configuration and resets the password back to the factory default value of
admin.
The boot process continues as normal and you are able to enter the admin password at the login prompt.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
hostname
name
Example:
host1/Admin(config)# hostname ACE1
ACE1/Admin(config)#
Step 3
peer hostname
name
Example:
ACE1/Admin(config)# peer hostname ACE2
Step 4
The login timeout command setting overrides the terminal session-timeout setting (see the
Configuring Terminal Display Attributes section).
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# login timeout 10
The minutes argument specifies the length of time that a user can be idle before the ACE module terminates the session. Valid entries are from 0 to 60 minutes. A value of 0 instructs the ACE module never to time out the session. The default is 5 minutes.
no login timeout
Example:
host1/Admin(config)# no login timeout
Step 3
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command
Purpose
Example:
host1/Admin(config)# banner motd #Welcome to $(hostname)...#
To use the $(hostname) token in a single-line banner motd input, you must include double quotes ("") around the $(hostname) so that the $ is interpreted as a special character at the beginning of a variable in the single line (see the Step example).
Do not use the double quote character (") or the percent sign character (%) as a delimiting character in a single-line message string.
For multi-line input, double quotes ("") are not required for the token because the input mode is different from single-line mode. When you operate in multi-line mode, the ACE interprets the double quote character (") literally.
no banner motd
Example:
host1/Admin(config)# no banner motd
Step 3
Example:
host1/Admin(config)# do show banner motd
Step 4
Command
Purpose
do copy running-config startup-config
Example:
host1/Admin(config)# do copy running-config startup-config
Examples
The following example shows how to span multiple lines and use tokens to configure the banner
message:
host1/Admin(config)# banner motd #
Enter TEXT message. End with the character '#'.
================================
Welcome to Admin Context
-------------------------------Hostname: $(hostname)
Tty Line: $(line)
=================================
#
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command
Purpose
Example:
host1/Admin(config)# clock timezone PST -8 0
no clock timezone
Example:
host1/Admin(config)# no clock timezone
Step 3
do show clock
Example:
host1/Admin (config)# do show clock
Fri Aug 7 01:38:30 PST 2009
Step 4
Command
Purpose
Example:
host1/Admin(config)# do copy running-config startup-config
Table 1-2 lists common time zone acronyms that you use when specifying the zone name with the command's zone_name argument.
Table 1-2
Acronym
Europe
BST
CET
CEST
EET
EEST
GMT
IST
MSK
MSD
WET
WEST
ADT
CT: Central Time, either as CST or CDT, depending on the place and time of the year
CST
CDT
ET: Eastern Time, either as EST or EDT, depending on the place and time of the year
EST
EDT
MT: Mountain Time, either as MST or MDT, depending on the place and time of the year
MDT
MST
PT: Pacific Time, either as PST or PDT, depending on the place and time of the year
PDT
PST
AKST
AKDT
HST
Australia
CST
EST: Eastern Standard/Summer Time, as UTC + 10 hours (+11 hours during summer time)
WST
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command
Purpose
Example:
host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60
Example:
host1/Admin(config)# no clock summer-time
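The recurring rule in the clock summer-time example can be checked offline before it is committed. The following is an added example, not code from the Cisco guide: it parses the clock timezone and clock summer-time commands exactly as shown in this chapter, resolves the transitions to dates for a given year, and computes the UTC offset the ACE would apply at a given local time. It assumes that week number 5 means the last such weekday of the month.

```python
"""Evaluate an ACE 'clock summer-time' recurring rule and the resulting UTC offset.

Added example, not code from the Cisco guide. It parses the command forms shown in
this chapter (clock timezone PST -8 0; clock summer-time Pacific 1 Sun Apr 02:00
5 Sun Oct 02:00 60). Assumption: week 5 means the last such weekday of the month.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
MONTHS = {abbr: n for n, abbr in enumerate(calendar.month_abbr) if abbr}


@dataclass(frozen=True)
class Transition:
    week: int     # 1-4 = nth weekday of the month, 5 = last weekday of the month
    weekday: int  # Monday = 0 ... Sunday = 6
    month: int
    hour: int
    minute: int


@dataclass(frozen=True)
class SummerTimeRule:
    zone: str
    start: Transition
    end: Transition
    offset_minutes: int  # added to the base time zone offset while summer time is in effect


def _parse_transition(week: str, day: str, month: str, hhmm: str) -> Transition:
    w = int(week)
    if not 1 <= w <= 5 or day not in WEEKDAYS or month not in MONTHS:
        raise ValueError(f"bad transition: {week} {day} {month} {hhmm}")
    hour, minute = (int(x) for x in hhmm.split(":"))
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"bad time: {hhmm}")
    return Transition(w, WEEKDAYS[day], MONTHS[month], hour, minute)


def parse_summer_time(cmd: str) -> SummerTimeRule:
    """Parse 'clock summer-time zone week day month hh:mm week day month hh:mm offset'."""
    t = cmd.split()
    if len(t) != 12 or t[:2] != ["clock", "summer-time"]:
        raise ValueError("expected: clock summer-time zone <start: 4 tokens> <end: 4 tokens> offset")
    return SummerTimeRule(t[2], _parse_transition(*t[3:7]), _parse_transition(*t[7:11]), int(t[11]))


def parse_timezone(cmd: str) -> int:
    """Parse 'clock timezone name hours minutes' into a signed base offset in minutes."""
    t = cmd.split()
    if len(t) != 5 or t[:2] != ["clock", "timezone"]:
        raise ValueError("expected: clock timezone name hours minutes")
    hours, minutes = int(t[3]), int(t[4])
    return hours * 60 + (-minutes if hours < 0 else minutes)  # sign of hours applies to minutes


def transition_datetime(tr: Transition, year: int) -> datetime:
    """Resolve a recurring transition such as '1 Sun Apr 02:00' to a date in the given year."""
    first_weekday, days_in_month = calendar.monthrange(year, tr.month)
    first = 1 + (tr.weekday - first_weekday) % 7          # first matching weekday of the month
    if tr.week == 5:
        day = first + 7 * ((days_in_month - first) // 7)  # last matching weekday of the month
    else:
        day = first + 7 * (tr.week - 1)
        if day > days_in_month:
            raise ValueError(f"{year}-{tr.month:02d} has no week-{tr.week} occurrence of that weekday")
    return datetime(year, tr.month, day, tr.hour, tr.minute)


def is_summer_time(rule: SummerTimeRule, local: datetime) -> bool:
    """Wall-clock check: start and end are compared as naive local times, so the hour
    around each transition is handled approximately."""
    start = transition_datetime(rule.start, local.year)
    end = transition_datetime(rule.end, local.year)
    if start <= end:                        # northern hemisphere: summer lies inside the year
        return start <= local < end
    return local >= start or local < end    # southern hemisphere: summer spans New Year


def utc_offset_at(timezone_cmd: str, summer_time_cmd: str, local_iso: str) -> int:
    """UTC offset in minutes that the ACE applies at the given local time (ISO 8601 string)."""
    base = parse_timezone(timezone_cmd)
    rule = parse_summer_time(summer_time_cmd)
    local = datetime.fromisoformat(local_iso)
    return base + (rule.offset_minutes if is_summer_time(rule, local) else 0)


if __name__ == "__main__":
    pacific = "clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60"
    rule = parse_summer_time(pacific)
    print(transition_datetime(rule.start, 2009), transition_datetime(rule.end, 2009))
    # The 'show clock' sample in this chapter reads Fri Aug 7 01:38:30 2009: summer time applies.
    print(utc_offset_at("clock timezone PST -8 0", pacific, "2009-08-07T01:38:30"))  # -420
```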
Step 3
Make a direct connection by using a dedicated terminal attached to the console port on the front of
the ACE module.
Establish a remote connection to the ACE module through the Catalyst 6500 series switch using the
Secure Shell (SSH) or Telnet protocols.
For details on configuring remote access to the ACE CLI using SSH or Telnet, see Chapter 2, Enabling
Remote Access to the ACE.
Guidelines and Restrictions
Only the Admin context is accessible through the console port; all other contexts can be reached
through Telnet or SSH.
The login timeout command setting overrides the terminal session-timeout setting (see the
Configuring an ACE Module Inactivity Timeout section).
Detailed Steps
Step 1
Command
Purpose
Example:
host1/Admin# terminal lines 50
Step 2
terminal monitor
Example:
host1/Admin# terminal monitor
%ACE-7-111009: User 'admin' executed cmd: terminal monitor
The lines argument sets the number of lines displayed on the current
terminal screen. This command is specific to only the console port. Telnet
and SSH sessions set the length automatically. Valid entries are from 0 to
511. The default is 24 lines. A value of 0 instructs the ACE module to
scroll continuously (no pausing) and overrides the terminal width value.
If you later change the terminal length to any other value, the originally
configured terminal width value takes effect.
Starts the terminal monitor session and displays syslog output on the
terminal. To enable the various levels of syslog messages to the terminal,
use the logging monitor command (see the System Message Guide, Cisco
ACE Application Control Engine for details).
Example:
host1/Admin# terminal no monitor
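The %ACE-7-111009 message shown in the terminal monitor example records every command a user enters, which makes it the natural input for an audit of who changed session or boot settings. The following is an added example, not code from the Cisco guide: it parses such lines and flags the commands from this chapter that loosen access controls; every log line except the guide's own is constructed, and the syslog timestamp prefix is an assumption about the collector.

```python
"""Parse and review ACE command-audit syslog messages.

Added example, not code from the Cisco guide. The guide shows that each CLI command a
user enters is logged as a message of the form
    %ACE-7-111009: User 'admin' executed cmd: terminal monitor
This parser extracts severity, message id, user and command from such lines and flags
commands from this chapter that loosen session or boot controls.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Accepts an optional syslog prefix (timestamp, host) before the %ACE-... tag.
EXEC_CMD_RE = re.compile(
    r"%ACE-(?P<sev>\d)-(?P<msgid>\d{6}): User '(?P<user>[^']+)' executed cmd: (?P<cmd>.+?)\s*$"
)

# Review rules for commands documented in this chapter (assumption: an operator wants
# these called out; the list is this example's, not Cisco's).
REVIEW_RULES = [
    (re.compile(r"^login timeout 0$"), "inactivity timeout disabled (0 = never time out)"),
    (re.compile(r"^no login timeout$"), "inactivity timeout reverted to the 5-minute default"),
    (re.compile(r"^no session-limit\b"), "vty session limit removed"),
    (re.compile(r"^clear line vty\b"), "another user's vty session terminated"),
    (re.compile(r"^config-register\b"), "boot behaviour changed via the configuration register"),
]


@dataclass(frozen=True)
class ExecCmd:
    severity: int
    msgid: str
    user: str
    cmd: str


def parse_exec_cmd(line: str) -> Optional[ExecCmd]:
    """Return the parsed record for an 'executed cmd' line, or None for any other line."""
    m = EXEC_CMD_RE.search(line)
    if not m or m.group("msgid") != "111009":
        return None
    return ExecCmd(int(m.group("sev")), m.group("msgid"), m.group("user"), m.group("cmd").strip())


def review(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (user, cmd, reason) for every parsed command that matches a review rule."""
    findings = []
    for line in lines:
        rec = parse_exec_cmd(line)
        if rec is None:
            continue
        for pattern, reason in REVIEW_RULES:
            if pattern.search(rec.cmd):
                findings.append((rec.user, rec.cmd, reason))
                break  # one finding per command
    return findings


# Constructed sample log: the first line is the guide's own example; the rest are made up
# to exercise the rules, and the "Aug  7 ... host1" prefix is an assumed collector format.
SAMPLE_LOG = [
    "%ACE-7-111009: User 'admin' executed cmd: terminal monitor",
    "Aug  7 01:40:02 host1 %ACE-7-111009: User 'admin' executed cmd: config",
    "Aug  7 01:40:15 host1 %ACE-7-111009: User 'admin' executed cmd: login timeout 0",
    "Aug  7 01:41:30 host1 %ACE-7-111009: User 'ops1' executed cmd: no session-limit 23",
    "Aug  7 01:42:07 host1 %ACE-7-111009: User 'ops1' executed cmd: clear line vty vty1",
    "Aug  7 01:42:40 host1 (constructed non-audit line that the parser ignores)",
]

if __name__ == "__main__":
    for user, cmd, reason in review(SAMPLE_LOG):
        print(f"{user}: '{cmd}' -> {reason}")
```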
Step 3
Step 4
Step 5
Specifies the name and type of the terminal used to access the ACE
module. If a Telnet or SSH session specifies an unknown terminal type,
the ACE module uses the VT100 terminal by default.
The minutes argument is the terminal type. Specify a text string from 1 to
80 alphanumeric characters.
Specifies the width for displaying information on a terminal during a console session. This command is specific to the console port only. Telnet and SSH sessions set the width automatically.
The characters argument sets the number of characters displayed on the
current terminal screen. Valid entries are from 24 to 512. The default is
80 columns.
Command
Purpose
terminal no width
Example:
host1/Admin# terminal no width
Step 6
show terminal
Example:
host1/Admin# show terminal
TTY: /dev/pts/0 Type: vt100
Length: 25 lines, Width: 80 columns
Session Timeout: 60 minutes
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
line console
Example:
host1/Admin(config)# line console
host1/Admin(config-console)#
Step 3
databits number
Example:
host1/Admin(config-console)# databits 6
no databits
Example:
host1/Admin(config-console)# no databits
Step 4
Specifies the number of data bits per character. The range is from
5 to 8. The default is 8 data bits.
(Optional) Resets the number of data bits per character to the
default value (8).
Sets the parity for the console connection. The supported choices are even (even parity), none (no parity), or odd (odd parity). The default is none.
(Optional) Resets the parity for the console connection to its
default value (none).
Step 5
Command
Purpose
speed speed
Sets the transmit and receive speeds for the serial console. The range is between 110 and 115200 baud (110, 150, 300, 600, 1200, 2400, 4800, 9600, 19200, 28800, 38400, 57600, or 115200). The default is 9600 baud.
Example:
host1/Admin(config-console)# speed 19200
no speed
Example:
host1/Admin(config-console)# no speed
Step 6
stopbits {1 | 2}
Example:
host1/Admin(config-console)# stopbits 2
no stopbits
(Optional) Resets the transmit and receive speeds for the serial
console to its default value (9600).
Sets the stop bits for the console connection. Valid values are 1
or 2 stop bits. The default is 1 stop bit.
(Optional) Resets the stopbit setting to its default value (1).
Example:
host1/Admin(config-console)# no stopbits
Step 7
Example:
host1/Admin(config-console)# do show line
console
line Console:
Speed:
9600 bauds
Databits:
8 bits per byte
Stopbits:
1 bit(s)
Parity:
none
Step 8
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
line vty
Example:
host1/Admin(config)# line vty
host1/Admin(config-line)#
Step 3
Command
Purpose
session-limit number
Example:
host1/Admin(config-line)# session-limit 23
no session-limit number
Example:
host1/Admin(config-line)# no session-limit 23
Step 4
Step 5
Press Ctrl-z.
Step 6
Example:
host1/Admin# clear line vty vty1
Detailed Steps
Command
Purpose
Step 1
Press Ctrl-z
Step 2
Example:
host1/Admin# set dc 1 console slave
Switched the console access to slave
network processor
Note
You can manually enter ROMMON mode by restarting the ACE module and then pressing the Break key
during the first 60 seconds of startup. If you are connected to the ACE module through a terminal server,
you can escape to the Telnet prompt and then enter the send break command to enter the ROMMON
mode.
Restrictions
The config-register command used to change the configuration register settings affects only the
configuration register bits that control the boot field and leaves the remaining bits unaltered.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command
Purpose
config-register value
Example:
host1/Admin(config)# config-register 1
no config-register 1
Example:
host1/Admin(config)# no config-register 1
Step 3
Example:
host1/Admin(config)# do copy running-config startup-config
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Step 3
do show bootvar
Example:
host1/Admin(config)# do show bootvar
BOOT variable = disk0:c6ace-t1k9-mzg.A4_1_0.bin
Configuration register is 0x1
Step 4
Example:
host1/Admin(config)# do copy running-config startup-config
Note that for each test you can enter either the test number or the test name.
To specify the number of repetitions for the on-demand tests, enter the following command:
c6k#diagnostic ondemand iterations number
Enter the module number and either the test number or the test name.
To configure the failure threshold for the health-monitoring diagnostics, enter the following command:
c6k(config)#diagnostic monitor threshold module number1 test number2 failure count number3
failure count number3: Number of test failures required to mark the test as failed
You can run a single health-monitoring test on demand by entering the following command:
c6k#diagnostic start module number1 test number2 | name | all
For each test failure, the supervisor displays a specific error code that indicates the reason for the failure. In the event of a failure, an SCP message is sent to notify the application about the failure. This notification allows the application to take appropriate action. For the ACE30, the CP collects core dumps on all the NPs and then resets the module.
Caution
Configuration changes that are not written to the Flash partition are lost after a reload. Before rebooting, enter the copy running-config startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE module reverts to its previous settings upon restart.
Detailed Steps
Step 1
Command
Purpose
Example:
host1/Admin# copy running-config startup-config
Step 2
reload
Example:
host1/Admin# reload
This command will reboot the system
Save configurations for all the contexts.
Save? [yes/no]: [yes]
Reboots the ACE module and reloads the configuration. When you
specify reload, the ACE module prompts you for confirmation
and performs a cold restart of the module.
During the reload process, the ACE module performs one of the
following actions:
Caution
Configuration changes that are not written to the Flash partition are lost after a reload. Before rebooting, enter the copy running-config startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE module reverts to its previous settings upon restart.
Detailed Steps
Step 1
Command
Purpose
Example:
host1/Admin# copy running-config startup-config
Step 2
Restarts the ACE module from the Catalyst 6500. Enter this
command from the Catalyst 6500 CLI.
The arguments and keywords are as follows:
During the restart process, the ACE module performs one of the
following actions:
To manually change the configuration register setting in ROMMON mode, use the confreg
command followed by a value of 0 or 1.
To change the boot characteristics using onscreen prompts, use the confreg command without a
value.
To instruct the ACE module to manually boot from a particular system image, use the confreg command
and specify a configuration register value of 1. Identify the name of the system image file that the ACE
module uses to boot.
A confreg value of 0 instructs the ACE module to boot to the rommon prompt.
For example, to use the confreg command at the rommon prompt to instruct the ACE module to boot
from the c6ace-t1k9-mz.A4_1_0.bin system image, enter:
rommon 11 > confreg 1
rommon 12 > BOOT=disk0:c6ace-t1k9-mz.A4_1_0.bin
rommon 13 > sync
To instruct the ACE module to automatically boot from the image specified in the BOOT variable (see the Setting the BOOT Environment Variable section), use the confreg command without specifying a configuration register value to launch the Configuration Summary menu-based utility. You can then instruct the ACE module to boot from the system image identified in the BOOT environment variable.
For example, to use the confreg command to display the onscreen prompts for changing the boot
characteristics of the ACE module, enter:
rommon 11 > confreg
Configuration Summary
(Virtual Configuration Register: 0x1)
enabled are:
break/abort has effect
console baud: 9600
boot: the ROM monitor
do you wish to change the configuration? y/n [n]: y
disable break/abort has effect? y/n [n]:
enable ignore system config info? y/n [n]:
change the boot characteristics? y/n [n]: y
enter to boot:
0 = ROM Monitor
1 = boot file specified in BOOT variable
[1]: 1
For example, to use the confreg command to instruct the ACE to boot from the
c6ace-t1k9-mz.A4_1_0.bin system image, enter:
rommon 11 > confreg
Configuration Summary
(Virtual Configuration Register: 0x1)
enabled are:
break/abort has effect
console baud: 9600
boot: the ROM monitor
do you wish to change the configuration? y/n [n]: n
rommon 12 > BOOT=disk0:c6ace-t1k9-mz.A4_1_0.bin
rommon 13 > sync
Caution
Configuration changes that are not written to the Flash partition are lost after a reload. Before rebooting, enter the copy running-config startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE module reverts to its previous settings upon restart.
Caution
Do not remove the ACE module from the Catalyst 6500 series switch until the ACE has shut down
completely and the Status LED is orange. You can damage the ACE module if you remove it from the
switch before it completely shuts down.
Detailed Steps
Step 1
Command
Purpose
Example:
host1/Admin# copy running-config startup-config
Step 2
Example:
host1/Admin# no power enable module
Command: Purpose
show bootvar: Displays the BOOT environment variable settings (see the Setting the BOOT Environment Variable section).
show clock: Displays the current clock settings (see the Configuring the Time Zone section).
show line console: Displays the line console settings (see the Configuring Console Line Settings section).
Displays the configured login time value (see the Configuring an ACE Module Inactivity Timeout section).
show terminal
Chapter 2, Setting Up the ACE Appliance
Note
The information in this chapter applies to the ACE appliance only. For information about setting up the ACE module, see Chapter 1, Setting Up the ACE Module.
This chapter describes how to initially configure basic settings on the ACE appliance. It contains the
following major sections:
Default Settings
For details on configuring the GigabitEthernet ports, assigning VLANs to the ACE appliance,
configuring VLAN interfaces on the ACE appliance, and configuring a default or static route on the ACE
appliance, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
Terminal: The terminal that you use to communicate with the ACE appliance must contain a terminal communications application, such as HyperTerminal for Windows, and be configured as follows:
Asynchronous transmission
9600 baud
8 data bits
Hardware flow control
1 stop bit
No parity
Cable: The cable that connects the terminal to the ACE appliance must meet the following requirements:
Serial cable with an RJ-45 connector
Adapter: RJ-45 to DB-9 male
Cable type: Rollover serial cable to connect the ACE appliance to a DTE device
For instructions on connecting a console cable to your ACE appliance, see the Hardware Installation
Guide, Cisco ACE 4710 Application Control Engine Appliance.
Default Settings
Table 2-1 lists the default settings for the ACE appliance setup parameters.
Table 2-1
Parameter             Default
User accounts         Administrator account: username admin / password admin
                      XML interface account: username www / password admin
                      Device Manager GUI access account: username dm / password N/A
Host name             switch
Inactivity timeout    5 minutes
This setup procedure requires a properly configured terminal and cable as described in the Prerequisites for Setting Up the ACE Appliance section.
Restrictions
Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH sessions.
Detailed Steps
Follow these steps to access the ACE appliance using a direct serial connection:
Step 1
Connect the serial cable between the ACE appliance and the terminal and then use any terminal communications application to access the ACE appliance CLI. This procedure uses HyperTerminal for Windows.
Step 2
Step 3
Step 4
Step 5
From the drop-down list, choose the COM port to which the device is connected.
Step 6
Step 7
Data Bits = 8
Parity = none
Stop Bits = 1
Step 8
Click OK to connect.
Step 9
Once a session is created, choose Save As from the File menu to save the connection description. Saving the connection description has the following two advantages:
    The next time that you launch HyperTerminal, the session is listed as an option under Start > Programs > Accessories > HyperTerminal > Name_of_session. This option lets you reach the CLI prompt directly without going through the configuration steps.
    You can connect your cable to a different device without configuring a new HyperTerminal session. If you use this option, make sure that you connect to the same port on the new device as was configured in the saved HyperTerminal session. Otherwise, a blank screen appears without a prompt.
What to Do Next
When the login prompt displays, proceed with the following tasks:
    If this is the first time that you are booting the ACE appliance, see the Using the Setup Script to Enable Connectivity to the Device Manager section.
    If this is not the first time that you are booting the ACE appliance, see the Connecting and Logging In to the ACE Appliance section for information about logging in and entering the configuration mode to configure the ACE appliance.
    Extended IP access list that allows IP traffic originating from any other host addresses.
    Traffic classification (class map and policy map) created for management protocols HTTP, HTTPS, ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated for connectivity with the Device Manager GUI.
    VLAN interface configured on the ACE and a policy map assigned to the VLAN interface.
The ACE appliance provides a default answer in brackets [ ] for each question in the setup script. To accept a default configuration prompt, press Enter, and the ACE appliance accepts the setting. To skip the remaining configuration prompts, press Ctrl-C at any time during the configuration sequence.
Note
The script configuration process described in this section is identical to the script configuration process performed using the setup CLI command.
Detailed Steps
Follow these steps to configure the ACE appliance using the setup script:
Step 1
Ensure that you have established a direct serial connection between your terminal or a PC and the ACE appliance (see the Establishing a Console Connection on the ACE Appliance section).
Step 2
Press the power button on the front of the ACE appliance and the boot process occurs. See the Hardware Installation Guide, Cisco ACE 4710 Application Control Engine Appliance for details.
Step 3
At the login prompt, log into the ACE appliance by entering the login username and password. By default, the username and password are admin. For example, enter:
Starting sysmgr processes.. Please wait...Done!!!
switch login: admin
Password: admin
Step 4
At the prompt Enter the password for admin:, change the default Admin password. If you do not change the default Admin password, after you upgrade the ACE appliance software you will only be able to log in to the appliance through the console port.
Enter the new password for "admin": xxxxx
Confirm the new password for "admin": xxxxx
admin user password successfully changed.
Step 5
At the prompt Enter the password for www:, change the default www user password. If you do not change the default www user password, the www user will be disabled and you will not be able to use Extensible Markup Language (XML) to remotely configure an ACE appliance until you change the default www user password.
Enter the new password for "www": xxxxx
Confirm the new password for "www": xxxxx
www user password successfully changed.
Step 6
At the prompt Would you like to enter the basic configuration dialog? (yes/no):, type yes to continue the setup, or type no to bypass the dialog and go directly to the CLI.
Step 7
At the prompt Enter the Ethernet port number to be used as the management port (1-4):? [1]:, specify the Ethernet port that you want to use to access the Device Manager GUI. Valid entries are 1 through 4. The default is Ethernet port 1. Press Enter.
Step 8
At the prompt Enter the management port IP Address (n.n.n.n): [192.168.1.10]:, assign an IP address to the management VLAN interface. When you assign an IP address to a VLAN interface, the ACE appliance automatically makes it a routed mode interface. Press Enter.
Step 9
At the prompt Enter the management port Netmask(n.n.n.n): [255.255.255.0]:, assign a subnet mask to the management VLAN interface. Press Enter.
Step 10
At the prompt Enter the default route next hop IP Address (n.n.n.n) or <enter> to skip this step:, choose whether to assign the IP address of the gateway router (the next-hop address for this route). To assign it, enter the IP address of the default gateway; the gateway address must be in the same network as the IP address specified for the VLAN interface. Press Enter.
Step 11
After you configure the Ethernet port, the setup script displays a summary of the entered values:
Management Port: 3
Ip address 12.3.4.5
Netmask: 255.255.255.0
Default Route: 23.4.5.6
Step 12
Step 13
At the prompt Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:, enter one of the following replies:
    Type y to apply the appropriate configuration and save the running-configuration to the startup-configuration file. This is the default.
    Type n to bypass applying the configuration and saving the running-configuration to the startup-configuration file.
    Type d to view a detailed summary of the entered configuration values before you apply those configuration values to the ACE.
The prompt Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]: reappears. Enter one of the following replies:
Step 14
    Type y to apply the appropriate configuration and save the running-configuration to the startup-configuration file. This is the default.
    Type n to bypass applying the configuration and saving the running-configuration to the startup-configuration file.
The dm user is for accessing the Device Manager GUI and cannot be deleted. The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE appliance CLI.
Note
Do not modify the dm user password from the ACE appliance CLI. If the password is changed, the Device Manager GUI becomes inoperative. If this occurs, restart the Device Manager using the dm reload command (you must be the global administrator to access the dm reload command). Restarting the Device Manager does not impact ACE appliance functionality; however, it may take a few minutes for the Device Manager to reinitialize as it reads the appliance CLI configuration.
The www user account is used by the ACE for the XML interface and cannot be deleted.
Later, when you configure interfaces and IP addresses on the ACE appliance itself, you can remotely access the appliance CLI through an ACE interface by using a Telnet or SSH session. To configure remote access to the ACE appliance CLI, see Chapter 2, Enabling Remote Access to the ACE. For details on configuring interfaces on the ACE appliance, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
You can configure the ACE appliance to provide a higher level of security for users accessing the appliance. For information about configuring user authentication for login access, see the Security Guide, Cisco ACE Application Control Engine.
Restrictions
Only the Admin context is accessible through the console port; all other contexts can be reached through a Telnet or SSH remote access session.
Detailed Steps
Follow these steps to session into the ACE appliance and access configuration mode to perform the initial configuration:
Step 1
To access the ACE appliance directly through its console port, attach a terminal to the asynchronous RS-232 serial port on the rear panel of the appliance. The ACE appliance has one standard RS-232 serial port on the rear panel that operates as the console port. Any device connected to this port must be capable of asynchronous transmission. Connection requires a terminal configured as 9600 baud, 8 data bits, hardware flow control on, 1 stop bit, no parity. See the Establishing a Console Connection on the ACE Appliance section.
Step 2
Log into the ACE appliance by entering the login username and password at the following prompt:
switch login: admin
Password: admin
To change the default login username and password, see the Changing or Resetting the Administrative Password section for details.
Caution
You must change the default Admin password if you have not already done so. Otherwise, you will be able to log in to the ACE appliance only through the console port. You will not be able to access the ACE using Telnet or SSH until you change the default Admin password.
Note
When you boot the ACE appliance for the first time and it does not detect a startup-configuration file, a setup script appears to enable connectivity to the ACE Device Manager GUI. The setup script is not intended for use with the CLI. Select no to skip the use of the setup script and proceed directly to the CLI. See the Connecting and Logging In to the ACE Appliance section for details.
Step 3
Note
For information about changing a user password, see the Virtualization Guide, Cisco ACE Application Control Engine.
Caution
You must change the default Admin password if you have not already done so. Otherwise, you can log in to the ACE appliance only through the console port.
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Note
Step 3
Restrictions
Follow these steps to reset the password that allows the Admin user access to the ACE appliance:
Step 1
Step 2
Log in to the ACE appliance. See the Connecting and Logging In to the ACE Appliance section.
Step 3
Reboot the ACE appliance. See the Restarting the ACE Appliance section.
Step 4
During the bootup process, output appears on the console terminal. Press ESC when the Starting services... message appears on the terminal (see the example below). The setup mode appears. If you miss the time window, wait for the ACE appliance to properly complete booting, reboot the ACE appliance, and try again to access the setup mode by pressing ESC.
Daughter Card Found. Continuing...
Step 5
The setup mode prompts whether you want to reset the admin password. Enter y. The Resetting admin password to factory default message appears. The ACE appliance deletes the admin user password configuration from the startup-configuration and resets the password to the factory default value of admin.
The boot process continues as normal and you are able to enter the admin password at the login prompt.
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command: hostname name
Example:
host1/Admin(config)# hostname ACE1
ACE1/Admin(config)#
Step 3
Command: peer hostname name
Example:
ACE1/Admin(config)# peer hostname ACE2
Step 4
The login timeout command setting overrides the terminal session-timeout setting (see the Configuring Terminal Display Attributes section).
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command: login timeout minutes
Example:
host1/Admin(config)# login timeout 10
Purpose: The minutes argument specifies the length of time that a user can be idle before the ACE appliance terminates the session. Valid entries are from 0 to 60 minutes. A value of 0 instructs the ACE appliance never to time out. The default is 5 minutes.
Command: no login timeout
Example:
host1/Admin(config)# no login timeout
Step 3
If you connect to the ACE appliance by using an SSH version 1 remote access session, the message-of-the-day banner is not displayed.
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command: banner motd
Example:
host1/Admin(config)# banner motd #Welcome to $(hostname)...#
Purpose: To use $(hostname) in a single-line banner motd input, you must include double quotes (" ") around the $(hostname) so that the $ is interpreted as a special character at the beginning of a variable in the single line (see the Step example). Do not use the double quote character (") or the percent sign character (%) as a delimiting character in a single-line message string. For multi-line input, double quotes are not required for the token because the input mode is different from single-line mode. When you operate in multi-line mode, the ACE appliance interprets the double quote character (") literally.
Command: no banner motd
Example:
host1/Admin(config)# no banner motd
Step 3
Command: do show banner motd
Example:
host1/Admin(config)# do show banner motd
Step 4
Command: do copy running-config startup-config
Example:
host1/Admin(config)# do copy running-config startup-config
Examples
The following example shows how to span multiple lines and use tokens to configure the banner message:
host1/Admin(config)# banner motd #
Enter TEXT message. End with the character '#'.
================================
Welcome to Admin Context
-------------------------------
Hostname: $(hostname)
Tty Line: $(line)
=================================
#
Note
If you wish to use the Network Time Protocol (NTP) to automatically synchronize the ACE appliance system clock to an authoritative time server (such as a radio clock or an atomic clock), see the Synchronizing the ACE Appliance with an NTP Server section. In this case, the NTP time server automatically sets the ACE system clock.
If you previously configured NTP on an ACE appliance, the ACE appliance prevents you from using the clock set command to set the time and the date and displays an error message. To manually set the ACE appliance system clock, remove the NTP peer and NTP server from the configuration before setting the clock on an ACE. See the Synchronizing the ACE Appliance with an NTP Server section for more information.
Detailed Steps
Step 1
Command: clock set
Purpose: Sets the time and the date for an ACE appliance. When you enter this command, the ACE appliance displays the current configured date and time.
Example:
host1/Admin# clock set 01:38:30 7 August 2009
Fri Aug 7 01:38:30 PST 2009
Step 2
Command: show clock
Example:
host1/Admin# show clock
Fri Aug 7 01:38:30 PST 2009
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command: clock timezone
Example:
host1/Admin(config)# clock timezone PST -8 0
Command: no clock timezone
Example:
host1/Admin(config)# no clock timezone
Step 3
Command: do show clock
Example:
host1/Admin(config)# do show clock
Fri Aug 7 01:38:30 PST 2009
Step 4
Table 2-2 lists common time zone acronyms that you use when specifying the zone name using the command's zone_name argument.
Table 2-2
Acronym
Europe
BST
CET
CEST
EET
EEST
GMT
IST
MSK
MSD
WET
WEST
ADT
CT       Central Time, either as CST or CDT, depending on the place and time of the year
CST
CDT
ET       Eastern Time, either as EST or EDT, depending on the place and time of the year
EST
EDT
MT       Mountain Time, either as MST or MDT, depending on the place and time of the year
MDT
MST
PT       Pacific Time, either as PST or PDT, depending on the place and time of the year
PDT
PST
AKST
AKDT
HST
Australia
CST
EST      Eastern Standard/Summer Time, as UTC + 10 hours (+11 hours during summer time)
WST
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command: clock summer-time
Example:
host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60
Command: no clock summer-time
Example:
host1/Admin(config)# no clock summer-time
Step 3
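As an added example that is not Cisco's code, the following Python models the arithmetic behind the clock timezone and clock summer-time settings from Step 2 above, so that an ACE's local timestamps can be checked against UTC when correlating its logs with other systems. Because the page does not define them, it assumes the usual conventions: the start time is given in standard local time, the end time in summer local time, week 5 means the last such weekday of the month, and the minutes value of clock timezone carries the sign of the hours value; the sample configuration lines are constructed.

```python
"""Local-time arithmetic for the ACE 'clock timezone' / 'clock summer-time'
settings. Added example, not Cisco's code; assumptions are noted inline."""
import calendar
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Constructed sample in the syntax of the Step 2 examples above.
SAMPLE_CLOCK_CONFIG = """
clock timezone PST -8 0
clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60
"""


@dataclass
class SummerTime:
    name: str
    start: tuple        # (week, weekday, month, hour, minute), standard local time
    end: tuple          # (week, weekday, month, hour, minute), summer local time
    offset_min: int     # minutes added while summer time is in effect


@dataclass
class ClockConfig:
    zone: str
    offset_min: int     # standard offset from UTC in minutes
    summer: Optional[SummerTime] = None


def nth_weekday(year: int, month: int, week: int, day: str) -> datetime:
    """Date of the week-th <day> of the month; week 5 is taken to mean the
    last occurrence (an assumption: the page does not define week 5)."""
    wd = WEEKDAYS[day]
    if week == 5:
        d = datetime(year, month, calendar.monthrange(year, month)[1])
        while d.weekday() != wd:
            d -= timedelta(days=1)
        return d
    d = datetime(year, month, 1)
    while d.weekday() != wd:
        d += timedelta(days=1)
    return d + timedelta(days=7 * (week - 1))


def parse_clock_config(text: str) -> ClockConfig:
    """Read 'clock timezone' and 'clock summer-time' lines as shown in this chapter."""
    cfg = ClockConfig(zone="UTC", offset_min=0)
    rule = r"(\d) (\w{3}) (\w{3}) (\d{2}):(\d{2})"
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"clock timezone (\S+) (-?\d+) (\d+)", line)
        if m:
            # Assumption: the minutes part takes the sign of the hours part.
            sign = -1 if m.group(2).startswith("-") else 1
            cfg.zone = m.group(1)
            cfg.offset_min = sign * (abs(int(m.group(2))) * 60 + int(m.group(3)))
            continue
        m = re.fullmatch(rf"clock summer-time (\S+) {rule} {rule} (\d+)", line)
        if m:
            g = m.groups()
            cfg.summer = SummerTime(
                name=g[0],
                start=(int(g[1]), g[2], MONTHS[g[3]], int(g[4]), int(g[5])),
                end=(int(g[6]), g[7], MONTHS[g[8]], int(g[9]), int(g[10])),
                offset_min=int(g[11]))
    return cfg


def _rule_instant(year: int, rule: tuple) -> datetime:
    week, day, month, hour, minute = rule
    return nth_weekday(year, month, week, day) + timedelta(hours=hour, minutes=minute)


def to_local(utc: datetime, cfg: ClockConfig) -> Tuple[datetime, str]:
    """Convert a naive UTC timestamp to the ACE's local time and zone label."""
    std = utc + timedelta(minutes=cfg.offset_min)
    s = cfg.summer
    if s is None:
        return std, cfg.zone
    start = _rule_instant(std.year, s.start)       # expressed in standard time
    end = _rule_instant(std.year, s.end)           # expressed in summer time
    summer = std + timedelta(minutes=s.offset_min)
    if start <= end:                               # northern-hemisphere rule
        in_summer = start <= std and summer < end
    else:                                          # summer spans the new year
        in_summer = std >= start or summer < end
    return (summer, s.name) if in_summer else (std, cfg.zone)


if __name__ == "__main__":
    cfg = parse_clock_config(SAMPLE_CLOCK_CONFIG)
    for utc in (datetime(2009, 8, 7, 9, 38, 30), datetime(2009, 1, 15, 12, 0)):
        local, zone = to_local(utc, cfg)
        print(f"{utc:%Y-%m-%d %H:%M:%S} UTC -> {local:%Y-%m-%d %H:%M:%S} {zone}")
```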
Only users authenticated in the Admin context can use the ntp command.
Prerequisites
If you are configuring application acceleration and optimization functionality (as described in the Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance), and you plan to use an optional Cisco AVS 3180A Management Console with multiple ACE nodes, we strongly recommend that you synchronize the system clock of each ACE node with an NTP server. AppScope performance monitoring relies on very accurate time measurement, in the millisecond range. If you install multiple ACEs, you must synchronize the clocks so that different parts of a single transaction can be handled by different nodes.
Detailed Steps
Step 1
Command: config
Example:
ACE_1/Admin# config
ACE_1/Admin(config)#
Step 2
Step 3
Step 4
Examples
For example, to specify multiple NTP server IP addresses and identify a preferred server, enter:
host1/Admin(config)# ntp server 192.168.10.10 prefer
host1/Admin(config)# ntp server 192.168.4.143
host1/Admin(config)# ntp server 192.168.5.10
    Make a direct connection by using a dedicated terminal attached to the console port on the front of the ACE appliance.
    Establish a remote connection to the ACE appliance using the Secure Shell (SSH) or Telnet protocols.
For details on configuring remote access to the ACE appliance CLI using SSH or Telnet, see Chapter 2, Enabling Remote Access to the ACE.
Guidelines and Restrictions
    Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH.
    The login timeout command setting overrides the terminal session-timeout setting (see the Configuring an ACE Appliance Inactivity Timeout section).
Detailed Steps
Step 1
Example:
host1/Admin# terminal lines 50
Purpose: The lines argument sets the number of lines displayed on the current terminal screen. This command is specific to only the console port. Telnet and SSH sessions set the length automatically. Valid entries are from 0 to 511. The default is 24 lines. A value of 0 instructs the ACE appliance to scroll continuously (no pausing) and overrides the terminal width value. If you later change the terminal length to any other value, the originally configured terminal width value takes effect.
Step 2
Command: terminal monitor
Example:
host1/Admin# terminal monitor
%ACE-7-111009: User 'admin' executed cmd: terminal monitor
Purpose: Starts the terminal monitor session and displays syslog output on the terminal. To enable the various levels of syslog messages to the terminal, use the logging monitor command (see the System Message Guide, Cisco ACE Application Control Engine for details).
Command: terminal no monitor
Example:
host1/Admin# terminal no monitor
Step 3
Step 4
Step 5
Purpose: Specifies the name and type of the terminal used to access the ACE appliance. If a Telnet or SSH session specifies an unknown terminal type, the ACE appliance uses the VT100 terminal by default. The argument is the terminal type. Specify a text string from 1 to 80 alphanumeric characters.
Purpose: Specifies the width for displaying information on a terminal during a console session. This command is specific to the console port only. Telnet and SSH sessions set the width automatically. The characters argument sets the number of characters displayed on the current terminal screen. Valid entries are from 24 to 512. The default is 80 columns.
Command: terminal no width
Example:
host1/Admin# terminal no width
Step 6
Command: show terminal
Example:
host1/Admin# show terminal
TTY: /dev/pts/0 Type: vt100
Length: 25 lines, Width: 80 columns
Session Timeout: 60 minutes
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command: line vty
Example:
host1/Admin(config)# line vty
host1/Admin(config-line)#
Step 3
Command: session-limit number
Example:
host1/Admin(config-line)# session-limit 23
Command: no session-limit number
Example:
host1/Admin(config-line)# no session-limit 23
Step 4
Step 5
Press Ctrl-z.
Step 6
Command: clear line vty_name
Example:
host1/Admin# clear line vty vty1
Configuring the ACE Appliance to Bypass the Startup Configuration File During the Boot Process
The config-register command used to change the configuration register settings affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered.
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command: config-register value
Example:
host1/Admin(config)# config-register 0x1
Command: no config-register 0x1
Example:
host1/Admin(config)# no config-register 0x1
Step 3
Example:
host1/Admin(config)# do copy running-config startup-config
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Step 3
Command: do show bootvar
Example:
host1/Admin(config)# do show bootvar
BOOT variable = "image:/c4710ace-t1k9-mz.A4_1_0.bin"
Configuration register is 0x1
Step 4
Example:
host1/Admin(config)# do copy running-config startup-config
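As an added example that is not Cisco's code, the following Python audits the settings from the hostname, inactivity timeout, NTP server and configuration register sections above against the defaults and limits those sections state (default host name switch, login timeout 0 meaning no timeout, a 0 to 60 minute range, no NTP server, and config-register 0x0 halting the next reload in the GRUB boot loader). It assumes the configuration listing uses the same syntax as the configuration commands shown in those sections; both sample configurations are constructed.

```python
"""Offline audit of ACE appliance setup settings. Added example, not Cisco's
code; it assumes the listing repeats the command syntax shown in this chapter."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Defaults and limits quoted in this chapter.
DEFAULT_HOSTNAME = "switch"        # Table 2-1
DEFAULT_LOGIN_TIMEOUT = 5          # minutes; 0 means the session never times out
MAX_LOGIN_TIMEOUT = 60
GRUB_CONFIG_REGISTER = 0x0         # reload stops in the GRUB boot loader

# Constructed samples: defaults left in place, and values from the sections above.
WEAK_CONFIG = """
hostname switch
login timeout 0
config-register 0x0
"""
BASELINE_CONFIG = """
hostname ACE1
peer hostname ACE2
login timeout 10
ntp server 192.168.10.10 prefer
ntp server 192.168.4.143
ntp server 192.168.5.10
config-register 0x1
"""


@dataclass
class SetupConfig:
    hostname: str = DEFAULT_HOSTNAME
    login_timeout: int = DEFAULT_LOGIN_TIMEOUT
    ntp_servers: List[str] = field(default_factory=list)
    ntp_preferred: List[str] = field(default_factory=list)
    config_register: int = 0x1


def parse_setup_config(text: str) -> SetupConfig:
    """Pick the audited settings out of a configuration listing."""
    cfg = SetupConfig()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"hostname (\S+)", line)
        if m:
            cfg.hostname = m.group(1)
            continue
        m = re.fullmatch(r"login timeout (\d+)", line)
        if m:
            cfg.login_timeout = int(m.group(1))
            continue
        m = re.fullmatch(r"ntp server (\S+)( prefer)?", line)
        if m:
            cfg.ntp_servers.append(m.group(1))
            if m.group(2):
                cfg.ntp_preferred.append(m.group(1))
            continue
        m = re.fullmatch(r"config-register 0x([0-9a-fA-F]+)", line)
        if m:
            cfg.config_register = int(m.group(1), 16)
    return cfg


def audit(cfg: SetupConfig) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs for settings that weaken the baseline."""
    findings = []
    if cfg.hostname == DEFAULT_HOSTNAME:
        findings.append(("hostname", "still the default 'switch'; the prompt does not identify the device"))
    if cfg.login_timeout == 0:
        findings.append(("login timeout", "0 disables the inactivity timeout; idle sessions stay open"))
    elif not 0 < cfg.login_timeout <= MAX_LOGIN_TIMEOUT:
        findings.append(("login timeout", f"{cfg.login_timeout} is outside the valid 0 to 60 minute range"))
    if not cfg.ntp_servers:
        findings.append(("ntp", "no NTP server; the clock and log timestamps are not synchronized"))
    if cfg.config_register == GRUB_CONFIG_REGISTER:
        findings.append(("config-register", "0x0 halts the next reload in the GRUB boot loader until an image is chosen"))
    return findings


def audit_text(text: str) -> List[Tuple[str, str]]:
    return audit(parse_setup_config(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("baseline", BASELINE_CONFIG)):
        print(f"{label}: {len(audit_text(text))} finding(s)")
        for setting, message in audit_text(text):
            print(f"  {setting}: {message}")
```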
Configuring the ACE Appliance to Bypass the Startup Configuration File During the Boot Process
This section describes how to use the GRUB bootloader to instruct the ACE appliance to bypass the startup-configuration file stored on the ACE in the Flash memory (nonvolatile memory) during the boot process. You may require the ACE appliance to bypass the startup configuration file during bootup in the following instances:
    Certain configurations cause problems that result in the ACE appliance becoming nonresponsive. You can bypass the startup configuration file to safely boot the ACE appliance and then resolve issues with the configuration.
    You forget the password for the ACE administrator CLI account and cannot access the ACE appliance. You can bypass the startup configuration file and log in with the default password of admin.
Note
For the procedure on resetting the administrator CLI account password, see the Resetting the Administrator Account Password section.
Detailed Steps
Follow these steps to instruct the ACE appliance to bypass the startup-configuration file during the boot process from the GRUB bootloader:
1. Enter the config-register command so that upon reboot the ACE appliance boots to the GRUB bootloader. See the Setting the Boot Method from the Configuration Register section.
2. Reboot the ACE appliance. See the Restarting the ACE Appliance section. Upon reboot, the ACE appliance boots to the GRUB bootloader.
3. Press Esc when the countdown initiates on the GNU GRUB multiboot loader. The following GRUB menu appears.
GNU GRUB version 0.95
******************************************************************
* image(c4710ace-t1k9-mz.A4_1_0.bin)                             *
*                                                                *
******************************************************************
4. In the GRUB menu, use the arrow keys to select from the ACE appliance images loaded in Flash memory. The ACE appliance image entry is highlighted in the list.
5. Type e to edit the kernel command line. If the boot string is longer than one line, you must press e a second time. Append ignorestartupcfg=1 to the end of the boot string.
For example, the following illustrates the screen output when you first type e:
******************************************************************
* kernel=(hd0,1)/c4710ace-t1k9-mz.A4_1_0.bin ro root=LABEL=/ auto consol*
*                                                                *
******************************************************************
For example, the following illustrates the screen output when you press e a second time:
< auto console=ttyS0,9600n8 quiet bigphysarea=32768
6.
7. Press b to boot with this modified boot string. The ACE appliance boot screen appears as follows:
Note
When you instruct the ACE appliance to bypass the startup-configuration file stored on it, after you boot the ACE appliance and the startup-configuration file is empty (typically for a new appliance), the ACE appliance automatically launches the setup script to enable connectivity to the ACE appliance Device Manager GUI (see the Connecting and Logging In to the ACE Appliance section). Otherwise, the ACE appliance boot screen appears as described in the output below. If necessary, you can manually launch the setup script using the setup command in Exec mode.
kernel=(hd0,1)/c4710ace-t1k9-mz.A4_1_0.bin ro root=LABEL=/ auto console=ttyS0,9600n8 quiet bigphysarea=32768
What to Do Next
You may now configure the ACE appliance to define its basic configuration settings.
Caution
Configuration changes that are not written to the Flash partition are lost after a reload. Before rebooting, enter the copy running-config startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE appliance reverts to its previous settings upon restart.
This section includes the following topics:
    Using the GRUB Boot Loader to Specify the System Boot Image During a Reload
Detailed Steps
Step 1
Command: copy running-config startup-config
Example:
host1/Admin# copy running-config startup-config
Step 2
Command: reload
Example:
host1/Admin# reload
This command will reboot the system
Save configurations for all the contexts.
Save? [yes/no]: yes
Generating configuration....
running config of context Admin saved
Perform system reload. [yes/no]: [yes] yes
Using the GRUB Boot Loader to Specify the System Boot Image During a Reload
This section describes how to specify a value of 0x0 for the config-register command (see the Setting the Boot Method from the Configuration Register section) to force the ACE appliance to enter the GRUB boot loader mode upon a reload or power cycle of the appliance. The ACE appliance remains in GRUB boot loader mode until you identify the location of an image file to boot.
Press Esc when the countdown initiates on the GRUB boot loader. The following GRUB menu appears.
GNU GRUB version 0.95
******************************************************************
* image(c4710ace-t1k9-mz.A4_1_0.bin)                             *
*                                                                *
******************************************************************
In the GRUB menu, use the arrow keys to select from the ACE appliance images loaded in the Flash memory. The ACE appliance image entry is highlighted in the list.
If no ACE appliance images are loaded in the Flash memory, the GNU GRUB multiboot loader appears as follows:
grub>
Caution
Configuration changes that are not written to the Flash partition are lost after a shutdown. Before you shut down the ACE appliance, enter the copy running-config startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE appliance reverts to its previous settings upon restart.
Detailed Steps
Step 1
Command: copy running-config startup-config
Example:
host1/Admin# copy running-config startup-config
Step 2
    Input/output statistics
Only users who are authenticated in the Admin context can use the show ntp command.
To display the NTP statistics and information, use the show ntp command from Exec mode as follows:
Command / Purpose
Example:
host1/Admin# show ntp peer-status
Table 2-3 describes the fields in the show ntp peer-status command output.
Table 2-3
Field              Description
Total Peers
Remote             IP addresses that correspond to the remote server and peer entries listed in the configuration file
Local              IP addresses that correspond to the local server and peer entries listed in the configuration file
St                 The stratum
Poll
Reach
Delay
Peer IP Address
Serv/Peer
Table 2-4 describes the fields in the show ntp peers command output.
Table 2-4
Field              Description
Peer IP Address
Serv/Peer
Table 2-5
Field              Description
                   Time since the last reset of the NTP software on the primary server.
Receive buffers
                   Total number of times buffers were added, which also indicates the number of times there have been low memory resources during buffer creation.
Dropped packets
Ignored packets
Received packets
Packets sent
                   Total number of NTP packets not sent by the ACE appliance due to an error.
Interrupts handled
Received by int
Table 2-6
Field              Description
System uptime
                   Number of packets that match the previous NTP version. The version number is in every NTP packet.
                   Number of packets that match the current NTP version. The version number is in every NTP packet.
                   Number of NTP packets that were received and dropped by the ACE appliance due to an invalid packet format.
Packets processed
Bad authentication
Table 2-7 describes the fields in the show ntp statistics memory command output.
Table 2-7
Field              Description
                   Total peer memory available for the allocation of memory to peer structures.
Calls to findpeer  findpeer is an entry point to the allocation of memory to peer structures that looks for matching peer structures in the peer list.
Peer demobilizations
Table 2-8
Field              Description
Remote Host
Local Interface
Reachability Change
Packets Sent
Packets Received
Bogus Origin
Duplicate
Bad Dispersion     Dispersion measures the errors of the offset values, based on the round-trip delay and the precision of the system and the server.
Candidate Order    Order in which the ACE appliance may consider this server when it chooses the master.
Command / Purpose
show bootvar
    Displays the BOOT environment variable settings (see the Setting the BOOT Environment Variable section).
show clock
    Displays the current clock settings (see the Setting the System Time and Date or the Configuring the Time Zone sections).
    Displays the configured login time value (see the Configuring an ACE Appliance Inactivity Timeout section).
show terminal
CONTENTS
Preface    iii
    Audience    iii
    Related Documentation    vii
Displaying or Clearing the ACE Appliance Setup Configuration and Statistics    2-31
    Displaying ACE Appliance Setup Configuration and Statistics    2-31
    Displaying NTP Statistics and Information    2-32
    Displaying Other ACE Appliance Setup Configuration Information    2-35
    Clearing NTP Statistics    2-35
Prerequisites    2-26
Setting Thresholds for and Displaying the Network Processor Buffer Usage
Reformatting the ACE Module Flash Memory    4-51
Configuring SNMP    6-46
INDEX
CHAPTER 2
Enabling Remote Access to the ACE
Note
The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. All features described in this chapter are supported with IPv6 unless otherwise noted.
This chapter describes how to configure remote access to the ACE by establishing a remote connection by using the Secure Shell (SSH) or Telnet protocols. It also describes how to configure the ACE to provide direct access to a user context from SSH. This chapter also covers how to configure the ACE to receive ICMP messages from a host.
This chapter contains the following major sections:
    Default Settings
Note
For information about how to make a direct connection using a dedicated terminal attached to the Console port on the front of the ACE, configure terminal display attributes, and configure terminal line settings for accessing the ACE by console or virtual terminal connection, see either Chapter 1, Setting Up the ACE Module or Chapter 2, Setting Up the ACE Appliance.
    If you configure an ACL on an interface to block certain traffic and a management policy on that same interface allows that traffic, the management policy overrides the ACL and the ACE allows the traffic.
ICMP Messages: By default, the ACE does not allow ICMP messages to be received by an ACE
interface or to pass through the ACE interface. ICMP is an important tool for testing your network
connectivity; however, network hackers can also use ICMP to attack the ACE or your network. We
recommend that you allow ICMP during your initial testing, but then disallow it during normal
operation. ICMPv6 is supported.
Default Settings
Table 2-1 lists the default settings for the ACE remote access function.
Table 2-1
Parameters | Default
Maximum number of Telnet management sessions | Admin context: 16; User context: 4 (each)
Maximum number of SSH management sessions | Admin context: 16; User context: 4 (each)
Ability of an ACE interface to receive ICMP messages or allow ICMP messages to pass through it | Disabled
Status of the following match protocol command protocols: http, https, icmp, kalap-udp, snmp, ssh, telnet, and xml-https (ACE appliance only) | Disabled
If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the
desired context. If necessary, log directly in to, or change to, the correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this table use the Admin context, unless otherwise specified. For details on
creating contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.
Step 2
Step 3
Create a class map that permits network management traffic to be received by the ACE based on the
ICMPv6 and the client source IP address.
host1/Admin(config)# class-map
host1/Admin(config-cmap-mgmt)#
or
host1/Admin(config-cmap-mgmt)#
host1/Admin(config-cmap-mgmt)#
host1/Admin(config)#
Step 4
Step 5
Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same
context. For example, to specify an interface VLAN and apply the remote management policy map to
the VLAN, enter:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 enable
host1/Admin(config-if)# ip address 2001:DB8:1::/64
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-if)# exit
Step 6
If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the
desired context. If necessary, log directly in to, or change to, the correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this table use the Admin context, unless otherwise specified. For details on
creating contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.
Step 2
Step 3
Create a class map that permits network management traffic to be received by the ACE based on the
network management protocol (SSH or Telnet) and client source IP address.
host1/Admin(config)# class-map
host1/Admin(config-cmap-mgmt)#
255.255.255.254
host1/Admin(config-cmap-mgmt)#
host1/Admin(config)#
host1/Admin(config)# class-map
host1/Admin(config-cmap-mgmt)#
255.255.255.254
host1/Admin(config-cmap-mgmt)#
host1/Admin(config)#
Step 4
Configure a policy map that activates the SSH and Telnet management protocol classifications.
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#
Step 5
Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same
context. For example, to specify an interface VLAN and apply the remote management policy map to
the VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-if)# exit
Step 6
(Optional) Configure the maximum number of Telnet sessions allowed for each context.
host1/Admin(config)# telnet maxsessions 3
Step 7
(Optional) Configure the maximum number of SSH sessions allowed for each context.
host1/Admin(config)# ssh maxsessions 3
Step 8
If you have global administrator privileges, use the ssh key command to generate the SSH private key
and the corresponding public key for use by the SSH server. There is only one host-key pair. For
example, to generate an RSA1 key pair in the Admin context, enter:
host1/Admin(config)# ssh key rsa1 768
generating rsa1 key(768 bits).....
.
generated rsa1 key
Step 9
host1/Admin(config)# exit
host1/Admin# copy running-config startup-config
Step 10
(Optional) Terminate an active SSH or Telnet session for the active context by using one of the following
commands in Exec mode:
Class map: Provides the remote network traffic match criteria to permit traffic based on the remote
access network management protocols (SSH, Telnet, or ICMP) and the client source IP address.
Policy map: Enables remote network management access for a traffic classification that matches
the criteria listed in the class map.
Service policy: Activates the policy map and attaches the traffic policy to an interface or globally
on all interfaces.
Telnet and SSH remote access sessions are established to the ACE on a per context basis. For details on
creating users and contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.
This section contains the following topics:
Applying a Service Policy Globally to All VLAN Interfaces in the Same Context
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# class-map type
management match-all
SSH-TELNET_ALLOW_CLASS
host1/Admin(config-cmap-mgmt)#
Example:
host1/Admin(config)# no class-map type
management match-all
SSH-TELNET_ALLOW_CLASS
Step 4
Command
Purpose
description text
Example:
host1/Admin(config-cmap-mgmt)# description
Allow Telnet access to the ACE
no description text
Example:
host1/Admin(config-cmap-mgmt)# no
description
Step 5
Configure a Layer 3 and Layer 4 policy map that defines the different actions that are applied to the
IP management traffic received by the ACE. The ACE executes the specified action only for traffic
that meets the first matching classification with a policy map. The ACE does not execute any
additional actions.
Optionally, provide a brief description about the Layer 3 and Layer 4 remote management policy
map.
Specify a Layer 3 and Layer 4 traffic class that you created with the class-map command to
associate network traffic with the traffic policy.
Allow the network management traffic that is listed in the Layer 3 and Layer 4 class map to be
received or rejected by the ACE.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# no policy-map type
management first-match
REMOTE_MGMT_ALLOW_POLICY
Step 3
description text
Example:
host1/Admin(config-pmap-mgmt)# description
Allow Telnet access to the ACE
no description
Example:
host1/Admin(config-pmap-mgmt)# no
description
Step 4
Command
Purpose
Example:
host1/Admin(config-pmap-mgmt)# class
L4_REMOTE_ACCESS_CLASS
host1/Admin(config-pmap-mgmt-c)#
Example:
host1/Admin(config-pmap-mgmt)# no class
L4_REMOTE_ACCESS_CLASS
Step 5
Command
Purpose
permit | deny
Example:
host1/Admin(config-pmap-mgmt-c)# permit
Step 6
Examples
The following example shows how to create a Layer 3 and Layer 4 remote network traffic management
policy map that permits SSH, Telnet, and ICMP connections to be received by the ACE:
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH_ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class TELNET_ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class ICMP_ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
The following example shows how to create a policy map that restricts ICMP connections to the ACE:
host1/Admin(config)# policy-map type management first-match ICMP_RESTRICT_POLICY
host1/Admin(config-pmap-mgmt)# class ICMP_ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# deny
IPv6 Example
The following example shows how to create a policy map that matches any IPv6 traffic by using the
class-default-v6 class map:
host1/Admin(config)# policy-map type management first-match MATCH_ANYV6_POLICY
host1/Admin(config-pmap-mgmt)# class class-default-v6
host1/Admin(config-pmap-mgmt-c)# permit
IPv4 Example
The following example shows how to create a policy map that matches any IPv4 traffic by using the
class-default class map:
host1/Admin(config)# policy-map type management first-match MATCH_ANYV6_POLICY
host1/Admin(config-pmap-mgmt)# class class-default
host1/Admin(config-pmap-mgmt-c)# permit
Applying a Service Policy Globally to All VLAN Interfaces in the Same Context
This section describes how to apply a previously created policy map globally to all VLAN interfaces in
the same context.
Note the following guidelines when applying a service policy:
Policy maps, applied globally in a context, are internally applied on all interfaces existing in the
context.
A policy activated on an interface overwrites any specified global policies for overlapping
classification and actions.
You can remove a traffic policy map from a VLAN by using either of the following methods:
Individually from the last VLAN interface on which you applied the service policy
The ACE automatically resets the associated service policy statistics to provide a new starting point for
the service policy statistics the next time that you attach a traffic policy to a specific VLAN interface or
globally to all VLAN interfaces in the same context.
Note
To apply the policy map to a specific VLAN interface only, see the Applying a Service Policy to a
Specific VLAN Interface section.
Guidelines and Restrictions
The ACE allows only one policy of a specific feature type to be activated on a given interface and only
in the input direction.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Step 3
Step 4
Command
Purpose
Example:
host1/Admin(config)# do show
service-policy REMOTE_MGMT_ALLOW_POLICY
Step 5
Note
Example:
host1/Admin(config)# do clear
service-policy REMOTE_MGMT_ALLOW_POLICY
Individually from the last VLAN interface on which you applied the service policy
Globally from all VLAN interfaces in the same context (see the Applying a Service Policy Globally
to All VLAN Interfaces in the Same Context section).
The ACE automatically resets the associated service policy statistics to provide a new starting point for
the service policy statistics the next time that you attach a traffic policy to a specific VLAN interface or
globally to all VLAN interfaces in the same context.
Note
To apply the policy map globally to all VLAN interfaces in the same context, see the Applying a Service
Policy Globally to All VLAN Interfaces in the Same Context section.
Guidelines and Restrictions
The ACE allows only one policy of a specific feature type to be activated on a given interface and only
in the input direction.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Step 3
Step 4
Step 5
Command
Purpose
Example:
host1/Admin(config-if)# do show
service-policy REMOTE_MGMT_ALLOW_POLICY
Step 6
Note
Example:
host1/Admin(config-if)# do clear
service-policy REMOTE_MGMT_ALLOW_POLICY
Examples
The following example shows how to specify an interface VLAN for IPv6 and apply the remote access
policy map to a VLAN:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ipv6 enable
host1/Admin(config-if)# ip address 2001:DB8:1::/64
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
The following example shows how to specify an interface VLAN for IPv4 and apply the remote access
policy map to a VLAN:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
The following example shows how to display service policy statistics for the
REMOTE_MGMT_ALLOW_POLICY policy map:
host1/Admin# show service-policy REMOTE_MGMT_ALLOW_POLICY
Status
: ACTIVE
Description: Allow mgmt protocols
----------------------------------------Context Global Policy:
service-policy: REMOTE_MGMT_ALLOW_POLICY
The ACE supports a total maximum of 256 concurrent Telnet sessions. The ACE supports a maximum
16 concurrent Telnet management sessions for the Admin context and 4 concurrent Telnet management
sessions for each user context.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
no telnet maxsessions
Example:
host1/Admin(config)# no telnet maxsessions
Step 3
Step 4
The ACE supports a total maximum of 256 concurrent SSH sessions. The ACE supports a maximum
16 concurrent SSH management sessions for the Admin context and 4 concurrent SSH management
sessions for each user context.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
no ssh maxsessions
Example:
host1/Admin(config)# no ssh maxsessions
Step 3
Command
Purpose
Example:
host1/Admin(config)# do show ssh
maxsessions
Maximum Sessions Allowed is 4
Step 4
Detailed Steps
Step 1
Step 2
Command
Purpose
changeto Admin
Example:
host1/context3# changeto Admin
host1/Admin#
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 3
Command
Purpose
hostname name
Example:
host1/Admin(config)# hostname host1
host1/Admin(config)#
The name argument specifies a new hostname for the ACE. Enter
a case-sensitive text string that contains from 1 to
32 alphanumeric characters.
For more information about setting the host name, see the
Assigning a Name to the ACE Module or Assigning a Name to
the ACE Appliance.
Step 4
Generates the SSH private key and the corresponding public key.
Example:
host1/Admin(config)# ssh key rsa1 1024
Example:
host1/Admin(config)# no ssh key rsa1
Step 5
Step 6
Step 7
exit
(Optional) Displays the host key pair details for the specified key
or for all keys if you do not specify a key.
(Optional) Copies the running configuration to the startup
configuration.
Example:
host1/Admin(config)# exit
host1/Admin#
Step 8
(Optional) Clears the public keys of all trusted hosts. These keys
are either sent to an SSH client by an SSH server or are entered
manually. When an SSH connection is made from the ACE, the
SSH client receives the public key and stores it locally.
Examples
The following example shows the show ssh key command output:
host1/Admin # show ssh key
**************************************
could not retrieve rsa1 key information
**************************************
rsa Keys generated:Tue Mar 7 19:37:17 2006
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4v4DQ8aNl482qDTRju9G07hEIxCgTWanPm+WOCU1kihZ
QNd5ZwA50CBAJSfIIIB4iED6iQbhOkbXSneCvTb5mVoish2wvJrETpIDIeGxxh/jWVsU/MeBbA/7o5tv
gCeT6p7pGF5oUNYFP0OeZ9BiIWDc4jBmYEQLEqJHPrMhSFE=
bitcount:1024
fingerprint:
f5:55:00:18:bc:af:41:74:b6:bc:aa:8e:46:31:74:4f
**************************************
dsa Keys generated:Tue Dec 20 19:37:17 2005
ssh-dss AAAAB3NzaC1kc3MAAACBAPqDdEqU+0gNtKRXM+DQAXnvcB+H89nq8jA4WgJ7uQcuDCLaG7Lq
jtKTltJjA6aZVywsQWQ6n4kTlkavZy3cj6PUbSyqvmCTsaYyYo4UQ6CKrK9V+NsfgzTSLWTH8iDUvYjL
c3nU51QEKjy7mPsQeX31y1M1rhp8qhkbMKxkc49XAAAAFQCPM0QJrq6+kkaghJpeNxeXhUH9HwAAAIEA
keZ1ZJM6sfKqJDYPLHkTro+lpbV9uR4VyYoZmSoehi/LmSaZDq+Mc8UN1LM+i5vkOgnKcearD9lM4/hK
zZGYx5hJOiYCKj/ny2a5p/8HK152cnsOAg6ebkiTTWAprcWrcHDS/1mcaI5GzLrZCdlXW5gBFZtMTJGs
tICmVWjibewAAACBAJQ66zdZQqYiCWtZfmakridEGDTLV6ixIDjBNgb84qlj+Y1XMzqLL0D4oMSb7idE
L3BmhQYQW7hkTK0oS4kVawI1VmW2kvrqoGQnLNQRMvisAXuJWKk1Ln6vWPGZZe8KoALv0GXxsOv2gk/z
TDk01oCaTVw//bXJtoVRgIlWXLIP
bitcount:1024
fingerprint:
8e:13:5c:3e:1a:9c:7a:ed:d0:84:eb:96:12:db:82:be
**************************************
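The following Python is an added example, not part of the guide or the ACE software: it decodes the ssh-rsa line printed by show ssh key above (copied here as data), confirms that the modulus length agrees with the printed bitcount, and derives the MD5 fingerprint in the same colon-separated form, plus the SHA256 form that newer OpenSSH clients display, so the value a client shows on first connection can be compared with the ACE's own output. The ssh-dss branch, the helper names and the matches_show_ssh_key check are this example's own.

```python
import base64
import hashlib
import struct

# ssh-rsa line from the show ssh key output above, with its three wrapped
# base64 lines joined; the guide reports bitcount:1024 for this key.
ACE_RSA_PUBKEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAIEA4v4DQ8aNl482qDTRju9G07hEIxCgTWanPm+WOCU1kihZ"
    "QNd5ZwA50CBAJSfIIIB4iED6iQbhOkbXSneCvTb5mVoish2wvJrETpIDIeGxxh/jWVsU/MeBbA/7o5tv"
    "gCeT6p7pGF5oUNYFP0OeZ9BiIWDc4jBmYEQLEqJHPrMhSFE="
)


def _read_string(blob, offset):
    """Read one length-prefixed 'string' (RFC 4251 wire format) from the key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_ssh_public_key(line):
    """Decode an OpenSSH public key line into key type, key size and fingerprints."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob>'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    blob_type, offset = _read_string(blob, 0)
    if blob_type != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the text prefix")
    exponent = None
    if key_type == "ssh-rsa":                 # blob carries e, then n
        e_bytes, offset = _read_string(blob, offset)
        n_bytes, offset = _read_string(blob, offset)
        exponent = int.from_bytes(e_bytes, "big")
        bits = int.from_bytes(n_bytes, "big").bit_length()
    elif key_type == "ssh-dss":               # blob carries p, q, g, y; size is len(p)
        p_bytes, offset = _read_string(blob, offset)
        for _ in range(3):
            _, offset = _read_string(blob, offset)
        bits = int.from_bytes(p_bytes, "big").bit_length()
    else:
        raise ValueError("unsupported key type: " + key_type)
    if offset != len(blob):
        raise ValueError("trailing bytes after the key material")
    # Both fingerprint styles hash the decoded blob, exactly as OpenSSH does.
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {
        "type": key_type,
        "bits": bits,
        "exponent": exponent,
        "fingerprint_md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "fingerprint_sha256": "SHA256:" + sha256.rstrip("="),
    }


def matches_show_ssh_key(line, expected_bits, expected_md5):
    """True when the key line agrees with the bitcount and fingerprint show ssh key printed."""
    info = parse_ssh_public_key(line)
    return info["bits"] == expected_bits and info["fingerprint_md5"] == expected_md5.lower()
```

expected_md5 is meant to be the fingerprint line that show ssh key prints under the key, so a captured listing can be checked for consistency between its key line and its fingerprint.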
Detailed Steps
Step 1
Command
Purpose
Example:
host1/Admin# show ssh session-info
Step 2
Class map to provide the ICMP network traffic match criteria for the ACE.
Policy map to enable ICMP network management access to and from the ACE.
Service policy to activate the policy map, attach the traffic policy to an interface or globally on all
interfaces, and specify the direction in which the policy should be applied.
See the Configuring Remote Network Management Traffic Services section for details on configuring
a network management class map, policy map, and service policy for the ACE.
To allow ICMP messages to pass through the ACE, configure an ICMP ACL to permit or deny network
connections based on the ICMP type (for example, echo, echo-reply, or unreachable). See the Security
Guide, Cisco ACE Application Control Engine for details.
Note
If you want only to allow the ACE to ping a host (and allow the echo reply back to the interface), but not
allow hosts to ping the ACE, enable the ICMP application protocol inspection function instead of
defining a class map and policy map. See the Security Guide, Cisco ACE Application Control Engine for
details.
Examples
The following example shows how to allow the ACE to receive ICMPv6 pings:
host1/Admin(config)# class-map type management match-all ICMPv6_ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow ICMPv6 packets
host1/Admin(config-cmap-mgmt)# match protocol icmpv6 source-address 2001:DB8:1::/64
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)# policy-map type management first-match ICMPv6_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class ICMPv6_ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ipv6 enable
host1/Admin(config-if)# ip address 2001:DB8:2::/64
host1/Admin(config-if)# service-policy input ICMPv6_ALLOW_POLICY
The following example shows how to allow the ACE to receive ICMPv4 pings:
host1/Admin(config)# class-map type management match-all ICMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow ICMP packets
host1/Admin(config-cmap-mgmt)# match protocol icmp source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)# policy-map type management first-match ICMP_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
Task Flow
Follow these steps to first configure the ACE to provide direct access to a user context from SSH and
then access the user context:
Step 1
Step 2
Associate an existing VLAN with the user context so that the context can receive traffic classified for it
by entering the following command:
host1/Admin(config-context)# allocate-interface vlan 100
See the Routing and Bridging Guide, Cisco ACE Application Control Engine.
Step 3
Generate the SSH host key pair by entering the following command:
host1/Admin(config)# ssh key rsa1 768
generating rsa1 key(768 bits).....
.
generated rsa1 key
Step 4
Change to the C1 context that you created in Step 1 and enter configuration mode in that context by
entering the following commands:
host1/Admin(config-context)# do changeto C1
host1/C1(config-context)# exit
host1/C1(config)#
Only users authenticated in the Admin context can use the changeto command.
Step 5
Configure the VLAN interface that you allocated to the user context in Step 2 by entering the following
commands:
host1/C1(config)# interface vlan 50
host1/C1(config-if)# ip address 192.168.1.1 255.255.255.0
host1/C1(config-if)# no shutdown
host1/C1(config-if)# exit
host1/C1(config)#
For example, assign an IP address to the interface and reenable the interface within the context with the
no shutdown command. See the Routing and Bridging Guide, Cisco ACE Application Control Engine.
Step 6
Create an SSH remote management policy and apply the associated service policy to all VLAN
interfaces or just to the VLAN interface allocated to the user context by entering the following
commands:
host1/C1(config)# class-map type management match-all SSH-ALLOW_CLASS
host1/C1(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254
host1/C1(config-cmap-mgmt)# exit
host1/C1(config)#
host1/C1(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/C1(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/C1(config-pmap-mgmt-c)# permit
host1/C1(config-pmap-mgmt-c)# exit
host1/C1(config-pmap-mgmt)# exit
host1/C1(config)# interface vlan 50
host1/C1(config-if)# ip address 192.168.1.1 255.255.255.0
host1/C1(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
host1/C1(config-if)# exit
host1/C1(config)#
Follow these steps to directly access the user context from an SSH client:
a.
From the SSH client, establish a remote SSH session to the IP address of the user context VLAN
interface.
b.
Enter the password for the user context VLAN interface. The ACE CLI prompt appears in Exec
mode of the user context.
host1/C1#
show telnet [context_name]: Displays information related to the Telnet session. Only the context
administrator can view Telnet information associated with a particular context.
The optional context_name argument is the name of the context for which you want to
view specific Telnet session information. The context_name argument is case sensitive.
Table 2-2 describes the fields in the show telnet command output.
Table 2-2
Field | Description
SessionID
Remote Host
Active Time | Time since the Telnet connection request was received by the ACE.
show ssh session-info [context_name]: Displays information related to the SSH session. Only context
administrators can view SSH session information associated with a particular context.
The optional context_name argument is the name of the context for which you want to
view specific SSH session information. The context_name argument is case sensitive.
Table 2-3 describes the fields in the show ssh session-info command output.
Table 2-3
Field | Description
SessionID
Remote Host
Active Time | Time since the SSH connection request was received by the ACE.
show running-config
show ssh key: Displays the host key pair details for the specified key or for all keys if you do not
specify a key. See the Generating SSH Host Key Pairs section.
show telnet maxsessions [context_name]: Displays the maximum number of enabled Telnet sessions. Only context
administrators can view Telnet session information associated with a particular
context. See the Configuring the Maximum Number of Telnet Management Sessions
section.
Create and configure an access control list. The sample access control list shown in this step allows
network traffic from any source. For details about configuring an access control list, see the Security
Guide, Cisco ACE Application Control Engine.
host1/Admin(config)# access-list ACL1 line 10 extended permit ip anyv6 anyv6
Step 2
Step 3
Create and configure a management policy map that activates the SSH and Telnet management protocol
classifications.
host1/Admin(config)# policy-map type management first-match L4_REMOTE-MGT_POLICY
host1/Admin(config-pmap-mgmt)# class L4_REMOTE-MGT_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#
Step 4
Alternatively, create and configure a management policy map that matches and permits any IPv6 traffic:
host1/Admin(config)# policy-map type management first-match L4_REMOTE-MGT_POLICY
host1/Admin(config-pmap-mgmt)# class class-default-v6
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#
Step 5
Apply the traffic policy to a specific VLAN interface or globally to all VLAN interfaces and enable the
interface.
Apply to a specific VLAN interface:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 enable
host1/Admin(config-if)# ip address 2001:DB8:1::/64
host1/Admin(config-if)# access-group input ACL1
host1/Admin(config-if)# service-policy input L4_REMOTE-MGT_POLICY
host1/Admin(config-if)# no shutdown
host1/Admin(config-if)# exit
host1/Admin(config)#
Step 6
The following example shows how to configure remote access to the ACE through the use of class maps,
policy maps, and service policies with IPv4 management traffic.
Step 1
Enter the configuration mode and set the maximum number of Telnet and SSH sessions.
host1/Admin# config
host1/Admin(config)# telnet maxsessions 3
host1/Admin(config)# ssh maxsessions 3
Step 2
Create and configure an access control list. The sample access control list shown in this step allows
network traffic from any source. For details about configuring an access control list, see the Security
Guide, Cisco ACE Application Control Engine.
host1/Admin(config)# access-list ACL1 line 10 extended permit ip any any
Step 3
Step 4
Create and configure a policy map that activates the SSH and Telnet management protocol
classifications.
host1/Admin(config)# policy-map type management first-match L4_REMOTE-MGT_POLICY
host1/Admin(config-pmap-mgmt)# class L4_REMOTE-MGT_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#
Step 5
Apply the traffic policy to a specific VLAN interface or globally to all VLAN interfaces and enable the
interface.
Apply to a specific VLAN interface:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 192.168.1.1 255.255.255.0
host1/Admin(config-if)# access-group input ACL1
host1/Admin(config-if)# service-policy input L4_REMOTE-MGT_POLICY
host1/Admin(config-if)# no shutdown
host1/Admin(config-if)# exit
host1/Admin(config)#
Step 6
Generate the SSH private key and corresponding public key for use by the SSH server.
host1/Admin(config)# ssh key rsa1 1024 force
Step 7
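The following Python is an added example, not part of the guide or the ACE software: given a saved running-config that uses the class-map type management, policy-map type management first-match and service-policy input commands from the steps above, it lists, per VLAN interface, which management protocols are accepted from which sources in first-match class order, and reports Telnet or ICMP being permitted and classes that match any source. The sample configuration is constructed for this example, its use of the any source keyword is an assumption, and the function names are this example's own.

```python
import ipaddress

# Constructed sample running-config (not captured from a real ACE) using the command
# forms shown in this chapter; the "any" source keyword is an assumption of this example.
SAMPLE_CONFIG = """\
class-map type management match-all SSH-ALLOW_CLASS
  match protocol ssh source-address 172.16.10.0 255.255.255.0
class-map type management match-all TELNET-ALLOW_CLASS
  match protocol telnet any
class-map type management match-all ICMP-ALLOW_CLASS
  match protocol icmp source-address 172.16.10.0 255.255.255.254
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class SSH-ALLOW_CLASS
    permit
  class TELNET-ALLOW_CLASS
    permit
  class ICMP-ALLOW_CLASS
    deny
interface vlan 50
  ip address 172.16.1.100 255.255.0.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
interface vlan 100
  ip address 192.168.1.1 255.255.255.0
"""


def _source_network(tokens):
    """Source part of a match line as an ip_network; None means any source."""
    if not tokens or tokens[0] == "any":
        return None
    if tokens[0] == "source-address":
        tokens = tokens[1:]
    if len(tokens) == 1:  # prefix form, e.g. 2001:DB8:1::/64
        return ipaddress.ip_network(tokens[0], strict=False)
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False)  # address + mask


def parse_config(text):
    """Collect management class maps, policy maps and per-VLAN service policies."""
    class_maps, policy_maps, interfaces = {}, {}, {}
    block = cur = cls = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["class-map", "type", "management"]:
            block, cur = "cmap", words[-1]
            class_maps[cur] = []
        elif words[:3] == ["policy-map", "type", "management"]:
            block, cur = "pmap", words[-1]
            policy_maps[cur] = []
        elif words[:2] == ["interface", "vlan"]:
            block, cur = "if", int(words[2])
            interfaces[cur] = None  # nothing attached yet
        elif block == "cmap" and words[:2] == ["match", "protocol"]:
            class_maps[cur].append((words[2], _source_network(words[3:])))
        elif block == "pmap" and words[0] == "class":
            cls = words[1]
        elif block == "pmap" and words[0] in ("permit", "deny"):
            policy_maps[cur].append((cls, words[0]))
        elif block == "if" and words[:2] == ["service-policy", "input"]:
            interfaces[cur] = words[2]
    return class_maps, policy_maps, interfaces


def effective_rules(config_text):
    """Per VLAN, the ordered (protocol, source, action) rules in first-match class order."""
    class_maps, policy_maps, interfaces = parse_config(config_text)
    result = {}
    for vlan, policy in interfaces.items():
        rules = []
        for cls, action in policy_maps.get(policy, []):
            for proto, net in class_maps.get(cls, []):
                rules.append((proto, "any" if net is None else str(net), action))
        result[vlan] = rules
    return result


def audit(config_text):
    """Return (vlan, severity, message) findings about the remote-access policy."""
    findings = []
    for vlan, rules in effective_rules(config_text).items():
        if not rules:
            findings.append((vlan, "info", "no management policy attached; the ACE "
                             "default rejects SSH, Telnet and ICMP on this interface"))
            continue
        for proto, src, action in rules:
            if action != "permit":
                continue
            if proto == "telnet":
                findings.append((vlan, "high", "Telnet permitted from %s (cleartext); prefer SSH" % src))
            if proto in ("icmp", "icmpv6"):
                findings.append((vlan, "medium", "%s permitted from %s; the guide recommends "
                                 "allowing ICMP only during initial testing" % (proto, src)))
            if src == "any":
                findings.append((vlan, "high", "%s permitted from any source; restrict source-address" % proto))
    return findings
```

Running audit(SAMPLE_CONFIG) yields two high findings for the Telnet class on VLAN 50 and an info finding for VLAN 100, which has no policy attached.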
CHAPTER
Note
The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise
noted.
This chapter describes how to manage the software licenses for your ACE. It contains the following
major sections:
Prerequisites
License Bundle
Product ID (PID)
License File
Description
Base (default)
ACE30-BASE-04-K9
None required
4 Gbps bandwidth
1 Gbps compression
1,000 TPS SSL
5 Virtual Contexts
Base to 4 Gbps
4 Gbps Bundle
6 Gbps compression
ACE30-MOD-04-K9 ACE30-MOD-04-K9 30,000 TPS SSL
250 Virtual Contexts
3-1
Chapter 3
Table 3-1
License Bundle
Product ID (PID)
License File
Description
6 Gbps compression
8 Gbps Bundle
ACE30-MOD-08-K9 ACE30-MOD-08-K9 30,000 TPS SSL
250 virtual contexts
8 Gbps to 16 Gbps ACE30-MOD-UPG3= ACE30-MOD-UPG3 16 Gbps bandwidth
6 Gbps compression
16 Gbps Bundle
ACE30-MOD-16-K9 ACE30-MOD-16-K9 30,000 TPS SSL
250 virtual contexts
License Bundle
Product ID (PID)
License File
Description
ACE-4710-0.5-K9
ACE-4710-0.5-K9
1 Gbps Bundle
1 Gbps to 2 Gbps
2 Gbps Bundle
2 Gbps to 4 Gbps
4 Gbps Bundle
1 Gbps Bundle
(covers two ACE
Service Modules)
ACE-4710-2PAK
ACE-4710-2PAK
1 Gbps bandwidth
2.0 Gbps compression
7500 TPS SSL
20 virtual contexts
Table 3-3 shows the license migration paths available to you based on the ACE appliance bandwidth
license that you owned prior to software release A4(2.0). Each migration license is free and is fully
loaded for the bandwidth you select:
Table 3-3
ACE-4710-0.5-UPG=
ACE-4710-01-UPG=
ACE-4710-02-UPG=
ACE-4710-04-UPG=
A demo license is valid for only 60 days. At the end of this period, you must update the demo license
with a permanent license to continue to use the ACE software. To view the expiration of a demo
license, use the show license usage command in Exec mode (see the Displaying ACE License
Configurations and Statistics section). ACE demo licenses are available through your Cisco
account representative.
If you turn the clock backward for any reason, you will not be able to install a demo license.
If you need to replace an ACE, you can copy and install the license file for the license into the
replacement ACE.
If you are upgrading a redundant configuration from software version A4(1.0) to software version
A4(2.0), while the two ACEs are in split mode with software version A4(1.0) running on the active
ACE and software version A4(2.0) running on the standby, config sync is disabled because of a
license incompatibility. If you make any configuration changes on the active ACE during this time,
your changes are not synchronized to the standby and are lost. After you complete the upgrade,
config sync is automatically reenabled. We recommend that you do not make any configuration
changes while the two ACEs are in split mode.
(ACE module only) You can upgrade virtualization to a maximum of 250 contexts.
(ACE module only) Licenses are platform-specific. You cannot apply an ACE10 or an ACE20
license to an ACE30.
Prerequisites
You must have the Admin role in the Admin context to install, remove, and update the license file.
Parameter
Default
Virtual Contexts
Bandwidth
1. Application acceleration connections are fixed at 105 concurrent connections in ACE appliance software release A4(2.0) for all license bundles.
Detailed Steps
Step 1
Order one of the licenses from the list in the ACE Module License Bundles section or the ACE
Appliance License Bundles and Migration Paths section using any of the available Cisco ordering tools
on cisco.com.
Step 2
When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct
you to the Cisco.com website. As a registered user of Cisco.com, go to this URL:
http://www.cisco.com/go/license
Step 3
Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as
your proof of purchase.
Step 4
Step 5
Save the attached license file to a remote server that you can access from the ACE. Save the license key
e-mail in a safe place in case you need it in the future (for example, to transfer the license to another
ACE).
What to Do Next
Copy the license file to the ACE (see the Copying a License File to the ACE section).
The license file must reside on a remote server that you can access from the ACE.
You must be in the Admin context to copy the file to disk0: on the ACE.
Detailed Steps
Command
Purpose
copy tftp:[//server[/path/][/filename]] disk0:[path/]filename
What to Do Next
If the license is a demo or permanent license for a new or upgrade installation, see the Installing a New
or Upgrade License File section.
If the license is a permanent license replacing a demo license, see the Replacing a Demo License with
a Permanent License section.
You must have the Admin role in the Admin context to install or upgrade the license file.
If you install a context demo license, make sure that you save the Admin running configuration and
all user context running configurations to a remote server. If you allow a context license to expire,
the ACE automatically removes all user contexts from the Admin running configuration and all
configurations for the user contexts.
Detailed Steps
Command
Purpose
Example:
host1/Admin# show license brief
Examples
(ACE module only) To install a license bundle file for 4 Gbps bandwidth, 4 Gbps compression,
30,000 TPS SSL, and 250 virtual contexts, enter:
host1/Admin# license install disk0:ACE30-MOD-04-K9.lic
(ACE appliance only) To install a license bundle for 2 Gbps bandwidth, 2 Gbps compression,
7500 TPS SSL, 20 virtual contexts, and 200 application acceleration connections, enter:
host1/Admin# license install disk0:ACE-4710-02-K9.lic
You must have the Admin role in the Admin context to update the demo license file with a permanent
file.
If you replace the context demo license with a permanent license, you can continue to use the
configured user contexts on the ACE. However, if you allow a context license to expire, the ACE
automatically removes all user contexts from the Admin running configuration and all
configurations for the user contexts. Before a context license expires, save the Admin running
configuration and the user context running configurations to a remote server. To view the expiration
of the demo license, use the show license usage command in Exec mode from the Admin context.
You must replace a demo license with a permanent license that has the same feature capability. For
example, if you want to replace a 4 Gbps demo license, you can replace it only with a permanent
4 Gbps license.
Detailed Steps
Command
Purpose
Note
When you use the clear startup-config or the write erase command, the ACE does not remove license
files from the startup-configuration file.
You must have the Admin role in the Admin context to remove the license file.
(ACE module only) The type of licenses currently installed on the ACE module determines which
license you can remove. Table 3-5 lists the currently installed license bundles, the current licensed
features, and the remaining licensed features after the license is removed.
Table 3-5
Installed License Bundle | Current Licensed Features | Remaining Licensed Features After Removal
ACE30-MOD-UPG1 / ACE30-MOD-04-K9 | 4 Gbps bandwidth, 6 Gbps compression, 30,000 TPS SSL, 250 virtual contexts | 4 Gbps bandwidth, 1 Gbps compression, 1,000 TPS SSL, 5 virtual contexts
ACE30-MOD-08-K9 | 8 Gbps bandwidth, 6 Gbps compression, 30,000 TPS SSL, 250 virtual contexts | 4 Gbps bandwidth, 1 Gbps compression, 1,000 TPS SSL, 5 virtual contexts
ACE30-MOD-16-K9 | 16 Gbps bandwidth, 6 Gbps compression, 30,000 TPS SSL, 250 virtual contexts | 4 Gbps bandwidth, 1 Gbps compression, 1,000 TPS SSL, 5 virtual contexts
ACE30-MOD-UPG2 | 8 Gbps bandwidth, 6 Gbps compression, 30,000 TPS SSL, 250 virtual contexts | 4 Gbps bandwidth, 6 Gbps compression, 30,000 TPS SSL, 250 virtual contexts
ACE30-MOD-UPG3 | 16 Gbps bandwidth, 6 Gbps compression, 30,000 TPS SSL, 250 virtual contexts | 8 Gbps bandwidth, 6 Gbps compression, 30,000 TPS SSL, 250 virtual contexts
(ACE appliance only) The type of licenses currently installed on the ACE appliance determines
which license you can remove. Table 3-6 lists the currently installed license bundles, the current
licensed features, and the remaining licensed features after the license is removed.
Table 3-6
Installed License Bundle | Current Licensed Features | Remaining Licensed Features After Removal
ACE-4710-0.5-K9 | 1 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts |
ACE-4710-BUN-UPG1= / ACE-4710-01-K9 | 1 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts | 1 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts
ACE-4710-BUN-UPG2= / ACE-4710-02-K9 | 2 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts | 1 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts
ACE4710-BUN-UPG3= / ACE-4710-04-K9 | 4 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts | 2 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts
ACE-4710-2PAK | 1 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts | 1 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts
Prerequisites
Caution
Before you remove any license bundle from the ACE, save the Admin running configuration and the user
context running configurations to a remote server. When you remove a demo or permanent license
bundle, the ACE removes all user contexts from the Admin running configuration. By removing the user
contexts, their running and startup configurations are also removed from the ACE.
Detailed Steps
Command
Purpose
license uninstall {license_filename | all}
all: Removes all license files from the ACE and returns all current licensed features to their default values.
Save the Admin and user context running configurations to a remote server by entering the copy
running-config command in Exec mode in each context. For more information on this command, see
Chapter 4, Managing the ACE Software.
For example, to copy the Admin running configuration to a TFTP server as R-CONFIG-ADM, enter:
host1/Admin# copy running-config tftp://192.168.1.2/R-CONFIG-ADM
To copy the C1 user context running configuration to a TFTP server, access the C1 context and enter:
host1/C1# copy running-config tftp://192.168.1.2/R-CONFIG-C1
Step 2
Step 3
If you have not saved the running configurations for the Admin and user contexts to a remote server,
enter n. Go to Step 1.
If you saved the running configurations for the Admin and user contexts to a remote server, enter y.
During the license removal, the ACE removes the user context configurations from the Admin running
configuration, causing the deletion of all user contexts including their running and startup
configurations.
Step 4
Display the current number of supported contexts on the ACE by entering the show license status
command in Exec mode of the Admin context.
Step 5
Determine which contexts you want to keep in the Admin running configuration. Using a text editor,
manually remove the extra context configurations from the Admin running configuration on the remote
server.
If the Admin running configuration contains more contexts than what the ACE supports and you copy
this configuration to the ACE, the ACE rejects contexts that exceed the supported limit. For example, if
the running configuration contains 20 contexts, when you remove the license, the ACE supports five
contexts. If you attempt to copy the configuration with all 20 contexts, the ACE allows the first five
contexts, fails the remaining contexts, and displays error messages on the console.
Note
You can also manually recreate the user contexts in the running configuration that is currently
on the ACE. If you do, go to Step 7.
Step 6
Retrieve the modified Admin running configuration from the remote server. For example, to copy the
R-CONFIG-ADM Admin running configuration from the TFTP server, enter:
host1/Admin# copy tftp://192.168.1.2/R-CONFIG-ADM running-config
Step 7
Copy the Admin running configuration to the startup-configuration file. For example, enter:
host1/Admin# copy running-config startup-config
Note
If you do not update the startup configuration with the latest running configuration, when the
ACE restarts, it uses the startup configuration with the extra contexts. The ACE allows the
number of contexts that the license supports, but fails the remaining contexts.
Step 8
Access the user context, and copy its running configuration from the remote server. For example, to
copy the C1 user context running configuration from the TFTP server, access the C1 context and enter:
host1/C1# copy tftp://192.168.1.2/R-CONFIG-C1 running-config
Step 9
Copy the user context running configuration to the startup-configuration file. For example, enter:
host1/C1# copy running-config startup-config
Step 10
Repeat Steps 8 and 9 until you retrieve the running configurations for all user contexts configured in the
Admin configuration.
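Step 5 (removing the extra context configurations from the saved Admin running configuration) can be scripted instead of done in a text editor. The following Python example is added here and is not Cisco's code; it assumes the running-config layout of its constructed sample (unindented top-level commands, sub-commands indented by two spaces), and all context, VLAN and resource-class names in it are constructed.

```python
"""Trim a saved ACE Admin running-config to the contexts a license supports.

Added example, not Cisco's code. Assumed layout (matches the constructed
sample below): top-level commands are unindented and the sub-commands of a
"context <name>" block are indented by two spaces. All names are constructed.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed sample: an Admin running-config saved before the license removal,
# holding seven user contexts when the post-removal license supports only five.
SAMPLE_ADMIN_CONFIG = """\
hostname host1
resource-class RC1
  limit-resource all minimum 0.00 maximum unlimited
context C1
  allocate-interface vlan 100
  member RC1
context C2
  allocate-interface vlan 200
  member RC1
context C3
  allocate-interface vlan 300
context C4
  allocate-interface vlan 400
context C5
  allocate-interface vlan 500
context C6
  allocate-interface vlan 600
context C7
  allocate-interface vlan 700
"""


def split_blocks(config: str) -> List[List[str]]:
    """Group the config into blocks: one unindented line plus its indented sub-lines."""
    blocks: List[List[str]] = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1].append(line)  # sub-command of the current block
        else:
            blocks.append([line])    # new top-level command
    return blocks


def context_names(config: str) -> List[str]:
    """User context names in config order, which is the order the ACE loads them."""
    return [b[0].split()[1] for b in split_blocks(config) if b[0].startswith("context ")]


def trim_contexts(config: str, supported: int,
                  keep: Optional[Iterable[str]] = None) -> Tuple[str, List[str]]:
    """Return (trimmed_config, dropped_context_names).

    `supported` is the context count that `show license status` reports after
    the removal. `keep` names the contexts to retain; when omitted the first
    `supported` contexts are kept, mirroring what the ACE itself accepts when
    an oversized config is copied back (the first N load, the rest fail).
    """
    names = context_names(config)
    keep_set = set(names[:supported]) if keep is None else set(keep)
    unknown = keep_set - set(names)
    if unknown:
        raise ValueError("contexts not in config: %s" % sorted(unknown))
    if len(keep_set) > supported:
        raise ValueError("keeping %d contexts but the license supports %d"
                         % (len(keep_set), supported))
    kept: List[str] = []
    dropped: List[str] = []
    for block in split_blocks(config):
        if block[0].startswith("context "):
            name = block[0].split()[1]
            if name not in keep_set:
                dropped.append(name)  # the whole context block is removed
                continue
        kept.extend(block)
    return "\n".join(kept) + "\n", dropped


if __name__ == "__main__":
    trimmed, dropped = trim_contexts(SAMPLE_ADMIN_CONFIG, 5,
                                     keep=["C1", "C2", "C4", "C6", "C7"])
    print("dropped contexts:", dropped)
    print(trimmed)
```

The trimmed text is what you copy back to the ACE in Step 6; the dropped list tells you which user context archives (Steps 8 and 9) you no longer need to restore.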
For more details, see the Downgrading Your ACE Software in a Redundant Configuration section in
the release note.
Detailed Steps
Command
Purpose
Backs up your license files to the ACE Flash disk as tar files.
Example:
host1/Admin# copy licenses disk0:mylicenses.tar
Detailed Steps
Command
Purpose
untar disk0:[path/]filename.tar
Untars the backup file should you need to reinstall it because you
accidentally removed or lost the license.
Example:
host1/Admin# untar disk0:mylicenses.tar
Purpose
usage: Displays the usage table for all licenses (see Table 3-8).
show version
Table 3-7 describes the fields in the show license status command output.
Table 3-7
Field
Description
Licensed Feature
List including the ACE SSL transactions per second (TPS), virtual contexts, bandwidth, and compression.
(ACE appliance only) The list also includes application acceleration and optimization concurrent
connections.
Count
Number of ACE-supported SSL TPS, virtual contexts, bandwidth (Gbps), and compression (Gbps).
(ACE appliance only) The count also includes the application acceleration and optimization concurrent
connections.
This information also provides the default number of contexts, SSL TPS, and ACE bandwidth that the
ACE supports when a license is not installed.
Table 3-8 describes the fields in the show license usage command output.
Table 3-8 Field Descriptions for the show license usage Command Output
Field
Description
License
Ins
Lic Count
Status
Expiry Date
Date when the demo license expires, as defined in the license file. If the license is permanent, this field
displays Never.
Comments
Chapter 4
Managing the ACE Software
Note
The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise
noted.
This chapter describes how to manage the software running on the ACE and contains the following major
sections:
Setting Thresholds for and Displaying the Network Processor Buffer Usage
Before you log out or reboot the ACE, copy the contents of the running-configuration file to the
startup-configuration file (startup-config) to save configuration changes for the current context to Flash
memory. The ACE uses the startup-configuration file on subsequent reboots.
This section contains the following topics:
Detailed Steps
Command
Purpose
Example:
host1/Admin# copy running-config startup-config
write memory [all]
Example:
host1/Admin# write memory all
version, back up the ACE startup-configuration file to a remote server using FTP, SFTP, or TFTP. When
you name the backup file, we recommend that you name it in such a way that you can easily tell the
context source of the file (for example, running-config-ctx1, startup-config-ctx1).
Detailed Steps
Command
Purpose
Example:
host1/Admin# copy running-config ftp://192.168.1.2/running-config_Adminctx
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password: password1
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
####
When you select a destination file system using ftp:, sftp:, or tftp:,
the ACE performs the following tasks:
Prompts you for the server information if you do not provide the
information with the command.
Copies the file to the root directory of the destination file system
if you do not provide the path information.
Detailed Steps
Command
Purpose
Example:
host1/Admin# copy running-config disk0:running-config_copy
Detailed Steps
Command
Purpose
Example:
host1/Admin# copy startup-config running-config
Purpose
Displays the contents of the running configuration associated with the current
context. Configuration entries within each mode appear in the chronological order in
which you configure the ACE. The ACE does not display default configurations in the
ACE running-configuration file.
context: (Optional) Displays the contexts configured on the ACE. The ACE also
displays the resource class (member) assigned to each context. The context
keyword works only from within the Admin context.
role: (Optional) Displays the roles configured for the current context. The ACE
also displays configuration information for each role.
write terminal
Displays the contents of the running configuration associated with the current
context. The write terminal command is equivalent to the show running-config
command.
Command
Purpose
Displays the running-configuration file of a user context from the Admin context. The
context_name argument is the name of the user context.
show startup-config
Displays the contents of the startup configuration associated with the current context.
The clear startup-config and write erase commands used to clear the contents of the ACE
startup-configuration file of the current context in Flash memory include the following restrictions:
The commands do not remove the following items from the ACE startup-configuration file:
License files: To remove license files, use the license uninstall filename command (see the
Removing a License Bundle or All License Bundles from the ACE section on page 3-7).
Crypto files: To remove crypto files, use the crypto delete filename or the crypto delete all
command (see the SSL Guide, Cisco ACE Application Control Engine).
Detailed Steps
Step 1
Command
Purpose
copy startup-config {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}
Example:
host1/Admin# copy startup-config ftp://192.168.1.2/startup-config_Adminctx
Step 2
clear startup-config
Example:
host1/Admin# clear startup-config
write erase
Example:
host1/Admin# write erase
Step 3
Command
Purpose
Example:
host1/Admin# copy running-config startup-config
copy {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]} startup-config
Example:
host1/Admin# copy ftp://192.168.1.2/startup-config_Adminctx startup-config
You know the location of the configuration file to be loaded from the remote server.
The ACE has a route to the remote server. The ACE and the remote server must be in the same
subnetwork if you do not have a router or default gateway to route the traffic between subnets. To
check connectivity to the remote server, use the ping or traceroute command in Exec mode. See the
Routing and Bridging Guide, Cisco ACE Application Control Engine for details on how to use the
ping and traceroute commands.
Ensure that the configuration file is appropriate for use in the current context. For example, you
would copy the backup configuration file startup-config-ctx1 to context 1.
Detailed Steps
Command
Purpose
copy {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]} {running-config | startup-config}
Example:
host1/Admin# copy ftp://192.168.1.2/startup-config_Adminctx startup-config
A checkpoint rollback
At the start of the deferred download, the ACE displays the following message on all terminals that are
logged into the context including a terminal that you log into for the context before the download is done:
Processing has started for applied config
During the download, the ACE locks the context and denies any configuration changes until the
download is completed.
Note
We recommend that you do not execute any configuration commands during the deferred download. The
ACE does not deny you from entering configuration changes. But the changes will not occur until the
download is completed. If the command times out during the download, the following message appears:
Config application in progress. This command is queued to the system.
The ACE does not queue the command immediately; however, it processes and executes the
command when the download is completed, even if the command timed out.
You can execute the show download information command to monitor the progress of the download.
You can also execute show commands that do not have interaction with the configuration manager
(cfgmgr). For example, these commands include the show acl-merge, show interface, show context,
show crypto files, and show fifo commands.
The show commands that have interaction with the cfgmgr do not work when the download occurs. For
example, these commands include the show access-list, show conn, show domain, show
running-config, and show service-policy commands. If you execute a cfgmgr show command during
the download, the following error message occurs:
System Busy: Config application in progress
At the end of the deferred download, the ACE displays the following message on all terminals that are
logged into the context:
Processing has finished for applied config
To display the progress status of the configuration download on a context, perform the following task:
Command
Purpose
Displays the state of the configuration download for each interface on the
context. If no option is included with this command, the status information
for all interfaces in the current context is displayed. The options are as
follows:
Example:
host1/Admin# show download information all
See Table 4-1 for information on the download states that the
Download-status field displays.
Table 4-1 describes the fields that appear in the show download information command output.
Table 4-1
Field
Description
Context
Interface
Number of the interface on the context. This field is not displayed with the summary option.
Download-Status
State of the configuration download. With no option or the all option, the possible states are as
follows:
Pending: The interface has been updated but the update has not been downloaded.
Pending/Deleted: The interface has been deleted but it has not been downloaded.
Pending: One or more of the interfaces are in the Pending state and the rest of the interfaces are
in the Completed state.
In Progress: One or more interfaces are in the Progress state and the rest of the interfaces are in
the Completed or Pending state.
disk0: Contains all startup-configuration files, software licenses, system message log files, SSL
certificates and keys, and user-generated data for all existing contexts on the ACE.
core: Contains the core files generated after each time that the ACE becomes unresponsive.
probe: Contains the Cisco-supplied scripts. For more information about these scripts, see the
Server Load-Balancing Guide, Cisco ACE Application Control Engine. Both the Admin context and
user contexts support the probe: directory.
volatile: Contains the files residing in the temporary (volatile:) directory. The volatile: directory
provides temporary storage; files in temporary storage are erased when the ACE reboots.
The Admin context supports all five file systems in the ACE. The user context supports only the disk0:,
probe:, and volatile: file systems.
When you create a new context, the ACE creates a new context directory in Flash memory to store
context-specific data such as startup-configuration files.
The ACE provides a number of useful commands to help you manage software configurations, images,
and files. This section contains the following topics that will help you to manage files on the ACE:
Copying Files
Moving Files
Deleting Files
Copying Files
This section describes how to create copies of a file on the ACE and how to copy files to and from the ACE.
This section contains the following topics:
Copying Files Between Directories in the disk0: File System on the ACE
Copying Licenses
Copying Files Between Directories in the disk0: File System on the ACE
This section describes how to copy a file from one directory in the disk0: file system of Flash memory
to another directory in disk0:.
Detailed Steps
Step 1
Command
Purpose
dir disk0:
Example:
host1/Admin# dir disk0:
Step 2
copy disk0:[path/]filename1 {disk0:[path]filename2}
Copies a file from one directory in the disk0: file system of Flash
memory to another directory in disk0:.
Example:
host1/Admin# copy disk0:samplefile disk0:MYSTORAGE/SAMPLEFILE
Copying Licenses
This section describes how to create a backup license for the ACE licenses in .tar format and copy it to
the disk0: file system. To protect your license files, we recommend that you back up your license files
to the ACE Flash memory as tar files.
Detailed Steps
Command
Purpose
Creates a backup license for the ACE licenses in .tar format and copies it
to the disk0: file system.
Example:
host1/Admin# copy licenses disk0:mylicenses.tar
untar disk0:[path/]filename.tar
Example:
host1/Admin# untar disk0:mylicenses.tar
(Optional) Untars the backup file and reinstalls it if you accidentally remove
or lose the license on the ACE (see the Untarring Files in the disk0: File
System section).
Detailed Steps
Command
Purpose
Example:
host1/Admin# copy capture packet_capture_Jan_17_07 disk0:capture_Jan_17_07
You cannot copy a scripted probe file to the probe: directory on the ACE.
The copy probe: command is available only in the Admin context.
Detailed Steps
Command
Purpose
Copies a file from the probe: directory to the disk0: file system on the
ACE or a remote server using FTP, SFTP, or TFTP.
Example:
host1/Admin# copy probe: disk0:
Enter source filename[]? LDAP_PROBE_SCRIPT
Destination filename[]?:[LDAP_PROBE_SCRIPT]
host1/Admin#
When you select a destination file system using ftp:, sftp:, or tftp:,
the ACE performs the following tasks:
Prompts you for the server information if you do not provide the
information with the command.
Copies the file to the root directory of the destination file system
if you do not provide path information.
Detailed Steps
Command
Purpose
Copies a file from Flash memory on the ACE to a remote server using
FTP, SFTP, or TFTP.
Example:
host1/Admin# copy running-config ftp://192.168.215.124/running-config_Adminctx
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password: password1
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
####
When you select a destination file system using ftp:, sftp:, or tftp:,
the ACE performs the following tasks:
Prompts you for the server information if you do not provide the
information with the command.
Copies the file to the root directory of the destination file system
if you do not provide path information.
Detailed Steps
Command
Purpose
copy {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]} {disk0:[path/]filename | image:image_name | running-config | startup-config}
Copies a file from a remote server to a location on the ACE using FTP,
SFTP, or TFTP.
Example:
host1/Admin# copy ftp://192.168.1.2/ startup-config
Enter source filename[]?
startup_config_Adminctx
File already exists, do you want to
overwrite?[y/n]: [y] y
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
Detailed Steps
Step 1
Command
Purpose
dir image:
Example:
host1/Admin# dir image:
Step 2
show version
Example:
host1/Admin# show version
Step 3
copy image:filename {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}
Example:
host1/Admin# copy image:sb-ace.NOV_11 ftp://192.168.1.2
sftp://[username@]server/path[/filename]: Specifies the SFTP network server and, optionally, the
renamed software system image.
The filename must end with a .gz extension for the file to be uncompressed using the gunzip command.
The .gz extension indicates a file zipped by the gzip (GNU zip) compression utility.
Detailed Steps
Step 1
Command
Purpose
dir disk0:[directory/][path/][filename]
Example:
host1/Admin# dir disk0:
Step 2
gunzip disk0:filename
Example:
host1/Admin# gunzip disk0:PROBE_SCRIPTS.gz
Detailed Steps
Command
Purpose
untar disk0:[path/]filename
Untars a single file with a .tar extension in the disk0: file system.
Example:
host1/Admin# untar disk0:mylicenses.tar
The filename argument identifies the name of the .tar file in the disk0: file
system. You can optionally provide a path to the .tar file if it exists in
another directory in the disk0: file system.
Detailed Steps
Command
Purpose
mkdir disk0:[path/]directory
Example:
host1/Admin# mkdir disk0:TEST_DIRECTORY
The directory must be empty before you can delete it. To remove a file from the ACE file system, use
the delete command (see the Deleting Files section).
Detailed Steps
Step 1
Command
Purpose
dir disk0:
Example:
host1/Admin# dir disk0:
Step 2
rmdir disk0:[path/]directory
Example:
host1/Admin# rmdir disk0:TEST_DIRECTORY
Moving Files
This section describes how to move a file between directories in the disk0: file system. If a file with the
same name already exists in the destination directory, that file is overwritten by the moved file.
Detailed Steps
Step 1
Command
Purpose
dir disk0:
Example:
host1/Admin# dir disk0:
Step 2
move disk0:[source_directory/]filename disk0:[destination_directory/]filename
Example:
host1/Admin# move disk0:SAMPLEFILE disk0:MYSTORAGE/SAMPLEFILE
Deleting Files
This section describes how to delete a file from a specific file system in the ACE. When you delete a file,
the ACE erases the file from the specified file system.
Note
To remove a directory from the ACE file system, use the rmdir command (see the Deleting an Existing
Directory section).
Detailed Steps
Step 1
Command
Purpose
Example:
host1/Admin# dir disk0:
Step 2
delete {core:filename | disk0:[directory/]filename | image:filename | volatile:filename}
Example:
host1/Admin# delete disk0:mystorage/my_running-config1
Purpose
Examples
The following example shows the output of the dir disk0: command:
host1/Admin# dir disk0:
   7465  Jan 03 00:13:22 2000  C2_dsb
   2218  Mar 07 18:38:03 2006  ECHO_PROBE_SCRIPT4
   1024  Feb 16 12:47:24 2006  core_copies_dsb/
   1024  Jan 01 00:02:07 2000  cv/
   1024  Mar 13 13:53:08 2006  dsb_dir/
     12  Jan 30 17:54:26 2006  messages
   7843  Mar 09 22:19:56 2006  running-config
   4320  Jan 05 14:37:52 2000  startup-config
   1024  Jan 01 00:02:28 2000  www/
For example, to list the core dump files in Flash memory, enter:
host1/Admin# dir core:
   2261  Jan 13 18:33:02 2010  SYSTEM_STATS
 437478  Apr 15 13:40:36 2010  0x201_vsh_log.29732.tar.gz
 504105  Apr 21 20:23:45 2010  0x201_vsh_log.6957.tar.gz
 500547  Apr 24 10:58:26 2010  0x201_vsh_log.6959.tar.gz
Detailed Steps
Command
Purpose
Example:
host1/Admin# show running-config > ftp://192.168.1.2
begin pattern: Begins with the line that matches the pattern that you specify.
end pattern: Ends with the line that matches the pattern that you specify.
exclude pattern: Excludes the lines that match the pattern that you specify.
include pattern: Includes the lines that match the pattern that you specify.
filename: Name of the file that the ACE saves the output to on the volatile: file system.
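The same four filters can be reapplied offline to output you have already saved with the redirect above. The following Python example is added here and is not Cisco's code; it implements the begin, end, exclude and include semantics described above with regular-expression patterns, and chaining several filters is this script's convenience rather than a documented ACE feature. The show running-config text it filters is a constructed sample.

```python
"""Apply the ACE show-output filters (begin, end, exclude, include) offline.

Added example, not Cisco's code: it reimplements the filter semantics the
keyword list above describes so that captured output can be post-processed
on a workstation. Chaining several filters is this script's convenience, not
a documented ACE feature. The output text below is a constructed sample.
"""
import re
from typing import List, Sequence, Tuple

# Constructed sample of saved show running-config output.
SAMPLE_OUTPUT = """\
hostname host1
interface vlan 100
  ip address 192.168.1.10 255.255.255.0
  access-group input ACL_IN
  no shutdown
access-list ACL_IN line 8 extended permit tcp any any eq 80
access-list ACL_IN line 16 extended permit tcp any any eq 443
context C1
  allocate-interface vlan 100
ssl-proxy service SSL1
  key mykey.pem
  cert mycert.pem
"""


def filter_lines(lines: Sequence[str], keyword: str, pattern: str) -> List[str]:
    """Apply one filter keyword with a regular-expression pattern."""
    rx = re.compile(pattern)
    if keyword == "begin":    # from the first matching line to the end
        for i, line in enumerate(lines):
            if rx.search(line):
                return list(lines[i:])
        return []             # nothing matched, so nothing is shown
    if keyword == "end":      # from the start through the first matching line
        out: List[str] = []   # (all lines when nothing matches)
        for line in lines:
            out.append(line)
            if rx.search(line):
                break
        return out
    if keyword == "exclude":  # drop the matching lines
        return [ln for ln in lines if not rx.search(ln)]
    if keyword == "include":  # keep only the matching lines
        return [ln for ln in lines if rx.search(ln)]
    raise ValueError("unknown filter keyword: %s" % keyword)


def apply_filters(text: str, filters: Sequence[Tuple[str, str]]) -> List[str]:
    """Run the filters left to right, each one consuming the previous stage's output."""
    lines: List[str] = text.splitlines()
    for keyword, pattern in filters:
        lines = filter_lines(lines, keyword, pattern)
    return lines


if __name__ == "__main__":
    # Which SSL key files does the saved configuration reference?
    for line in apply_filters(SAMPLE_OUTPUT,
                              [("begin", "^ssl-proxy"), ("include", r"^\s+key ")]):
        print(line)
```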
Defaults
Note
The ACE backs up the dependencies that exist at the time when the backup is performed.
This feature allows you to back up and restore the following configuration files and dependencies:
Running-configuration files
Startup-configuration files
Checkpoints
SSL certificates
SSL keys
Health-monitoring scripts
Licenses
Note
The backup feature does not back up the sample SSL certificate and key pair files.
Typical uses for this feature are as follows:
Recover a configuration that was lost because of a software failure or user error
Restore configuration files to a new ACE when a hardware failure resulted in an RMA of the old
ACE
The backup and restore commands are supported in both the Admin and user contexts. If you enter these
commands in the Admin context, you can back up or restore the configuration files for either the Admin
context only or for all contexts in the ACE. If you enter the commands in a user context, you can back
up or restore the configuration files only for that context.
Both the backup and the restore commands run asynchronously (in the background). You can monitor
their progress by entering their corresponding show commands.
Archive File
The backup command runs asynchronously, that is, it runs in the background, which allows you to enter
other commands at the CLI while the ACE processes the backup. When you instruct the ACE to back up
the selected files, the ACE tars and GZIP-compresses them into a .tgz archive file and places the file in
disk0:. For the Admin context, you can store one archive for the Admin context and one archive for the
entire ACE. For a user context, you can store one archive for that context only. You can later use the
archive files to restore the state of the same ACE or a different ACE.
Each time that you create a new backup for the entire ACE or for a particular user context, the ACE
overwrites the previous ACE-wide archive or the context-specific archive, respectively.
If you back up the entire ACE, the archive filename does not include the ctxname field. So, the format
is as follows:
Hostname_timestamp.tgz
For example:
ACE-1_2009_08_30_15_45_17.tgz
When you choose to encrypt the key pair files in a backup archive, the ACE appends an .enc extension
to the filename (context_name-key_name.enc).
Use the Admin context for an ACE-wide backup and the corresponding context for a user context
backup.
When you back up the running-configuration file, the ACE uses the output of the show
running-configuration command as the basis for the archive file.
License files are backed up only when you back up the Admin context.
Use a passphrase to back up SSL keys in encrypted form. Remember the passphrase or write it down
and store it in a safe location. When you restore the encrypted keys, you must enter the passphrase
to decrypt the keys. If you use a passphrase when you back up the SSL keys, the ACE encrypts the
keys with AES-256 encryption using OpenSSL software.
Only probe scripts that reside in disk0: need to be backed up. The prepackaged probe scripts in the
probe: directory are always available. When you perform a backup, the ACE automatically identifies
and backs up the scripts in disk0: that are required by the configuration.
The ACE does not resolve any other dependencies required by the configuration during a backup
except for scripts that reside in disk0:. For example, if you configured SSL certificates in an SSL
proxy in the running-configuration file, but you later deleted the certificates, the backup proceeds
as if the certificates still existed.
To perform a backup or a restore operation, you must have the admin RBAC feature in your user role.
When you instruct the ACE to restore the archive for the entire ACE in the Admin context, it restores
the Admin context completely first, and then it restores the other contexts. The ACE restores all
dependencies before it restores the running context. The order in which the ACE restores
dependencies is as follows:
License files
SSL certificates and key files
Health-monitoring scripts
Checkpoints
Startup-configuration file
Running-configuration file
After you restore license files, previously installed license files are uninstalled and the restored files
are installed in their place.
In a redundant configuration, if the archive that you want to restore is different from the peer
configurations in the FT group, redundancy may not operate properly after the restoration.
You can restore a single context from an ACE-wide backup archive provided that:
You enter the restore command in the context that you want to restore
All file dependencies for the context exist in the ACE-wide backup archive
Defaults
Table 4-2 lists the default settings for the backup and restore feature parameters.

Table 4-2

Parameter        | Default
Backed up files  | By default, the ACE backs up the following files in the current context: Running-configuration file, Startup-configuration file, Checkpoints, SSL certificates, SSL keys, Health-monitoring scripts, Licenses
                 | None
To back up all contexts, you must be in the Admin context and you must specify the all keyword.
Detailed Steps

Step 1
Command: changeto
Example:
host1/Admin# changeto C1
host1/C1#

Step 2
Command: backup [all] [pass-phrase text_string] [exclude component]
Example:
host1/Admin# backup all pass-phrase my_pass_phrase exclude checkpoints
host1/Admin#

Step 3

Step 4
Caution
The restore command clears any existing SSL certificate and key-pair files, license files, and
checkpoints in a context before it restores the backup archive file. If your configuration includes SSL
files or checkpoints and you excluded them when you created the backup archive, those files will no
longer exist in the context after you restore the backup archive. To preserve any existing exportable SSL
certificate and key files in the context, before you enter the restore command, export the certificates and
keys that you want to keep to an FTP, SFTP, or TFTP server by using the crypto export command. After
you restore the archive, import the SSL files into the context. For details on exporting and importing SSL
certificate and key pair files, see the SSL Guide, Cisco ACE Application Control Engine.
You can also use the exclude option of the restore command to instruct the ACE not to clear the SSL
files in disk0: and to ignore the SSL files in the backup archive when the ACE restores the backup.
Guidelines and Restrictions
The backup archive must reside in disk0: in the ACE where you want to restore the archive before
you start the restoration.
No automatic rollback will be done in case of a restore failure. We recommend that you back up the
ACE before you attempt to restore an archive.
If you excluded the SSL files from the backup archive, you must import the certificates and keys
from the FTP, SFTP, or TFTP server before you restore the archive. Then, when you enter the
restore command, enter the exclude ssl-files option.
Note
This procedure will cause an interruption in service for the current context or for all contexts, depending
on the type of backup archive that you are restoring. We recommend that you schedule the restoration of
a backup archive on an ACE during a maintenance window.
Step 1
Command: changeto
Example:
host1/Admin# changeto C1
host1/C1#

Step 2
Example:
host1/Admin# restore disk0:switch_Admin_07_July_2009_11_08_04_AM.tgz pass-phrase MY_PASS_PHRASE

Note
Use this option when you want to keep the license files that are already installed in the ACE and ignore
the license files in the backup archive, if any.

Note
If you enter the exclude option first, you cannot enter the pass-phrase option.
Step 3
Example:
host1/Admin# show restore status

Step 4
Note
This procedure will cause an interruption in service for the two redundant contexts. We recommend that
you schedule the restoration of a backup archive on a redundant pair during a maintenance window.

Step 1
Command: changeto
Example:
host1/Admin# changeto C1
host1/C1#

Step 2
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 3
Command: ft group group_id
         no inservice
Example:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)# no inservice

Step 4
Press Ctrl-Z
Step 5
Example:
host1/Admin# restore disk0:switch_Admin_07_July_2009_11_08_04_AM.tgz pass-phrase MY_PASS_PHRASE

Note
Use this option when you want to keep the license files that are already installed in the ACE and ignore
the license files in the backup archive, if any.

Step 6
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 7
Command: ft group group_id
         inservice
Example:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)# inservice

Step 8
Press Ctrl-Z
Step 9
Example:
host1/Admin# show restore status detail

Step 10
To use the copy backup command or the copy backup-all command, you must have Admin privileges
in the context where you enter the command.
Detailed Steps

Step 1
Command: changeto
Example:
host1/Admin# changeto C1
host1/C1#

Step 2
Examples
The following example shows how to copy a backup archive file to an SFTP server:
switch/Admin# copy backup sftp:
Enter Address for the sftp server[]? 10.25.25.11
Enter the destination filename[]? [switch_Admin_2009_08_22_02_48_49.tgz]
Enter username[]? root
Connecting to 10.25.25.11...
root@10.25.25.11's password:
sftp> Uploading /TN-HOME/Admin/switch_Admin_2009_08_22_02_48_49.tgz to /root/switch_Admin_2009_08_22_02_48_49.tgz
/TN-HOME/Admin/switch_Admin_2009_08_22_02_48_   100% 6737   0.0KB/s   00:00
Purpose
Displays the status of the last backup operation. Backup status details are
not stored across reboots.
Possible values in the Status column are as follows:
Examples
The following example shows the output of the show backup status command:
hello/Admin# show backup status
Backup Archive: switch_Admin_2009_08_30_15_45_17.tgz
Type          : Context
Start Time    : Wed Aug 30 15:45:16 2009
Finished Time : Wed Aug 30 15:45:17 2009
Status        : In Progress
Current vc    : Admin
Completed     : 1/1
The following example shows the output of the show backup status detail command:
host1/Admin# show backup status detail
Backup Archive: switch_Admin_2009_08_30_15_45_17.tgz
Type          : Context
Start Time    : Wed Aug 30 15:45:16 2009
Finished Time : Wed Aug 30 15:45:17 2009
Status        : SUCCESS
Current vc    : Admin
Completed     : 1/1
------------------------+---------------+--------------------------+-----------
Context                  component       Time                       Status
------------------------+---------------+--------------------------+-----------
Admin                    Running-cfg     Wed Aug 30 15:45:17 2009   SUCCESS
Admin                    Startup-cfg     Wed Aug 30 15:45:17 2009   SUCCESS
Admin                    Checkpoints     Wed Aug 30 15:45:17 2009   SUCCESS
Admin                    Cert/Key        Wed Aug 30 15:45:17 2009   N/A
Admin                    License         Wed Aug 30 15:45:17 2009   SUCCESS
Admin                    Probe script    Wed Aug 30 15:45:17 2009   N/A
Purpose
Displays the status of the last restoration. Restoration status details are not
stored across reboots.
Examples
The following example shows the output of the show restore status command:
host1/Admin# show restore status
Backup Archive: switch_2009_08_30_15_45_17.tgz
Type          : Context
Start Time    : Wed Aug 30 16:45:16 2009
Finished Time :
Status        : In Progress
Current vc    : Admin
Completed     : 0/1
The following example shows the output of the show restore status detail command:
host1/Admin# show restore status detail
Backup Archive: switch_2009_08_30_15_45_17.tgz
Type          : Context
Start Time    : Wed Aug 30 16:45:16 2009
Finished Time :
Status        : In Progress
Current vc    : Admin
Completed     : 0/1
------------------------+---------------+--------------------------+-----------
Context                  component       Time                       Status
------------------------+---------------+--------------------------+-----------
Admin                    License         Wed Aug 30 16:45:16 2009   SUCCESS
Admin                    Cert/Key        Wed Aug 30 16:45:16 2009   SUCCESS
Admin                    Probe script    Wed Aug 30 16:45:16 2009   SUCCESS
Admin                    Checkpoints     Wed Aug 30 16:45:16 2009   SUCCESS
Admin                    Startup-cfg     Wed Aug 30 16:45:17 2009   In Progress
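The backup and restore detail tables share one layout, so an operator can check a backup job or a restore job from a script instead of eyeballing the console. The following Python is an added example, not code from the Cisco guide: it parses that output, flags components that are neither SUCCESS nor N/A, and verifies that a restore walked the components in the dependency order this chapter lists (licenses, SSL files, scripts, checkpoints, startup configuration, running configuration). The two sample outputs are constructed from the guide's examples; the column layout is the only assumption.

```python
"""Parse ACE 'show backup status detail' / 'show restore status detail' output.
Added example, not code from the Cisco guide: it assumes the column layout
reproduced in this chapter, and both sample outputs are constructed from it.
"""
import re
from dataclasses import dataclass, field

# Order in which the ACE restores dependencies (stated in this chapter); "Cert/Key"
# and "Probe script" are the table's names for SSL files and probe scripts.
RESTORE_ORDER = ["License", "Cert/Key", "Probe script",
                 "Checkpoints", "Startup-cfg", "Running-cfg"]

# Summary lines such as "Status        : In Progress" (the value may be empty).
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*?)\s*$")
# Table rows: context, component, "Wed Aug 30 16:45:16 2009", status.
ROW_RE = re.compile(
    r"^(?P<context>\S+)\s+(?P<component>.+?)\s+"
    r"(?P<time>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<status>.+?)\s*$")

@dataclass
class ComponentRow:
    context: str
    component: str
    time: str
    status: str

@dataclass
class StatusReport:
    summary: dict = field(default_factory=dict)  # e.g. {"Status": "In Progress"}
    rows: list = field(default_factory=list)     # one ComponentRow per table row

    @property
    def archive(self):
        return self.summary.get("Backup Archive", "")

def parse_status_detail(text):
    """Split the output into the key/value summary and the per-component table."""
    report = StatusReport()
    separators = 0  # dashed rules: one above the column header, one below it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("----"):
            separators += 1
            continue
        if separators == 0:          # summary block
            m = SUMMARY_RE.match(line)
            if m:
                report.summary[m.group("key")] = m.group("value")
        elif separators >= 2:        # rows; separators == 1 is the header line
            m = ROW_RE.match(line)
            if m:
                report.rows.append(ComponentRow(**m.groupdict()))
    return report

def incomplete_components(report):
    """Components that neither finished (SUCCESS) nor were skipped (N/A)."""
    return [r.component for r in report.rows if r.status not in ("SUCCESS", "N/A")]

def follows_restore_order(report):
    """True when the rows appear in the order the ACE restores dependencies."""
    positions = [RESTORE_ORDER.index(r.component)
                 for r in report.rows if r.component in RESTORE_ORDER]
    return positions == sorted(positions)

# Constructed from the guide's 'show restore status detail' example.
SAMPLE_RESTORE = """\
host1/Admin# show restore status detail
Backup Archive: switch_2009_08_30_15_45_17.tgz
Start Time    : Wed Aug 30 16:45:16 2009
Finished Time :
Status        : In Progress
Completed     : 0/1
------------------------+---------------+--------------------------+-----------
Context                  component       Time                       Status
------------------------+---------------+--------------------------+-----------
Admin                    License         Wed Aug 30 16:45:16 2009   SUCCESS
Admin                    Cert/Key        Wed Aug 30 16:45:16 2009   SUCCESS
Admin                    Probe script    Wed Aug 30 16:45:16 2009   SUCCESS
Admin                    Checkpoints     Wed Aug 30 16:45:16 2009   SUCCESS
Admin                    Startup-cfg     Wed Aug 30 16:45:17 2009   In Progress
"""

# Constructed from the guide's 'show backup status detail' example; a backup
# walks the components in a different order than a restore, and N/A is not a failure.
SAMPLE_BACKUP = """\
host1/Admin# show backup status detail
Backup Archive: switch_Admin_2009_08_30_15_45_17.tgz
Status        : SUCCESS
------------------------+---------------+--------------------------+-----------
Context                  component       Time                       Status
------------------------+---------------+--------------------------+-----------
Admin                    Running-cfg     Wed Aug 30 15:45:17 2009   SUCCESS
Admin                    Cert/Key        Wed Aug 30 15:45:17 2009   N/A
Admin                    License         Wed Aug 30 15:45:17 2009   SUCCESS
Admin                    Probe script    Wed Aug 30 15:45:17 2009   N/A
"""
```

Because status details are not kept across reboots, capture the output and run the check before the next reload.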
Examples
The following example shows the output of the show backup errors command after a backup failed
because of a disk copy failure for checkpoints:
host1/Admin# show backup errors
Context: Admin
Component: Checkpoint
Error Details:
Internal Error, checkpoint copy failed
The following example shows the output of the show restore errors command after a restore failed
because the running-configuration file differences could not be applied:
host1/Admin# show restore errors
Context: Admin
Component: Running-cfg
Below diff could not be applied
--ssh key rsa 4096 force
ssh key dsa 2048 force
ssh key rsa1 4096 force
--
The following example shows the output of the show restore errors command after a restore failed
because a probe was not present in either disk0: or in the probe: directory.
host1/Admin# show backup errors
Context: Admin
Component: Probe scripts
Error Details:
Error, probe PROBE_1 not found in disk0: or probe:
The core: file system is available from the Admin context only.
Core dump information is for Cisco Technical Assistance Center (TAC) use only. If the ACE
becomes unresponsive, you can view the dump information in the core through the show cores
command. We recommend that you contact TAC for assistance in interpreting the information in the
core dump.
The time stamp on the restored last core file displays the time when the ACE booted up, not when
the last core was actually dumped. To obtain the exact time of the last core dump, check the
corresponding log file with the same process identifier (PID).
You must perform this task from the Admin context only.
Detailed Steps

Step 1
Command: dir core:
Purpose: (Optional) Displays the list of available core files. You can copy the complete filename
(for example, 0x401_vsh_log.25256.tar.gz) into the copy core: command.
Example:
host1/Admin# dir core:

Step 2
Command: copy core:filename {disk0:[path/][filename] | ftp://server/path[/filename] |
sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}
Purpose: Saves a core dump from the ACE to the disk0: file system or to a remote server.
The keywords, arguments, and options are as follows:
sftp://[username@]server/path[/filename] - Specifies the SFTP network server and, optionally, the
renamed core dump.
Example:
host1/Admin# copy core:0x401_vsh_log.8249.tar.gz ftp://192.168.1.2
Enter the destination filename[]? [0x401_vsh_log.8249.tar.gz]
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
You must perform this task from the Admin context only.
Detailed Steps

Step 1
Command: dir core:
Example:
host1/Admin# dir core:

Step 2
Command: clear cores
Purpose: Clears out all of the core dumps stored in the core: file system.
Example:
host1/Admin# clear cores
You must perform this task from the Admin context only.
Detailed Steps

Step 1
Command: dir core:
Purpose: (Optional) Displays the list of available core files. You can copy the complete filename
(for example, 0x401_vsh_log.25256.tar.gz) into the delete core: command.
Example:
host1/Admin# dir core:

Step 2
Command: delete core:filename
Purpose: Deletes a core dump file from the core: file system in Flash memory. The filename argument
specifies the name of a core dump file located in the core: file system.
Example:
host1/Admin# delete core:0x401_VSH_LOG.25256.TAR.GZ
Caution
The packet capture function uses ACL resources as can be seen with the show np 1 access-list resource
command. If you have a large ACL configuration and you enable packet capturing, the ACE may
oversubscribe the allocated ACL resources. If this happens, you may see one of the following error
messages:
In exec mode,
Error: Device Name:[0x3FF] Instance:[63] Error Type:[(null)] code:[255]
In configuration mode,
Error: ACL merge add acl to list failed
For information about using the show np 1 access-list resource command to monitor ACL resources
and how to resolve ACL oversubscription problems, see the Troubleshooting ACLs section of the ACE
Troubleshooting Wiki.
This section contains the following topics:
The packet capture function enables access-control lists (ACLs) to control which packets are
captured by the ACE on the input interface. If the ACLs are selecting an excessive amount of traffic
for the packet capture operation, the ACE will see a heavy load, which can cause a degradation in
performance. We recommend that you avoid using the packet capture function when high network
performance is critical.
In addition, probe traffic will not hit a security ACL so ACLs cannot control the capture of those
packets. In this case, probe traffic cannot be captured by the packet capture function.
The capture packet function works on an individual context basis. The ACE traces only the packets
that belong to the current context where you execute the capture Exec mode command. The context
ID, which is passed along with the packet, can be used to isolate packets that belong to a specific
context. To trace the packets for a specific context, use the changeto Exec mode command to enter
the specified context and then use the capture command.
If you enable packet capture for jumbo packets, the ACE captures only the first 2048 bytes of data.
Control plane traffic (for example, neighbor discovery packets) is not captured.
The ACE does not automatically save the packet capture to a file. To copy the capture buffer
information as a file in Flash memory or to a remote server, use the copy capture command (see the
Copying Packet Capture Buffer Information section).
When capturing packets based on a specific interface and you delete the interface, the ACE stops
the capture automatically. If you check the status of the packet capture using the show capture
status command, you will notice that the capture stopped because of an interface deletion. At this
point, you can perform any operation (for example, saving the old capture) on the capture except
starting the capture. To restart the capture, you must delete the old capture and configure a new one.
The ACE handles the deletion of an ACL or an ACL entry in a similar manner.
When capturing packets based on a specific access list name, ensure that the access list is for an
input interface. If you configure the packet capture on the output interface, the ACE will fail to
match any packets.
If you add an interface while you are already capturing all interfaces, the capture continues using all
the original interfaces. If you add an ACL entry during an existing ACL capture, the capture
continues normally using the original ACL criteria.
If the ACE stops a packet capture because of an interface or ACL deletion, the following additional
information appears in the output of the show capture buffer_name status command:
Capture forced to stop due to change in [interface | access-list] config.
To restart the capture, remove and add the capture again.
Under high traffic conditions, you may observe up to 64 packets printing on the console after you
enter the stop keyword. These additional messages can occur because the packets were in transit or
buffered before you entered the stop keyword.
Prerequisites
To create a capture based on an access list, the access list must already exist. For information about
creating an access list, see the Security Guide, Cisco ACE Application Control Engine.
Detailed Steps

Purpose: Enables the packet capture function on the ACE for packet sniffing and network fault isolation.
Example:
host1/Admin# capture capture1 interface vlan 50 access-list acl_v6
host1/Admin# capture capture1 interface vlan 50 access-list acl_v4

start - Starts the packet capture function and displays the messages on the session console as the ACE
receives the packets. The CLI prompt returns and you can type other commands at the same time that
the ACE is capturing packets. To stop the capture process, enter stop. The packet capture function
automatically stops when the buffer is full unless you enable the circular buffer function.
Detailed Steps
Command
Purpose
Example:
host1/Admin# copy capture packet_capture_Jan_17_06 disk0: mycapture1
Purpose
For all types of received packets, the console display is in tcpdump format.
clear capture buffer_name
You must perform this task in the Exec mode of the context for which you want to create a
checkpoint.
Avoid using opening braces, closing braces, white spaces, or any of the following symbols:
`$&*()\|;'"<>/?
Prerequisites
Be sure that the current running configuration is stable and is the configuration that you want to make a
checkpoint.
Detailed Steps

Command: checkpoint create name
Purpose: The name argument specifies the unique identifier of the checkpoint. Enter a text string with
no spaces and a maximum of 25 alphanumeric characters.
If the checkpoint already exists, the CLI responds with the following prompt:
Checkpoint already exists
Do you want to overwrite it? (y/n) [n] y
Generating configuration....
Created checkpoint 'MYCHECKPOINT'
Example:
host1/Admin# checkpoint create MYCHECKPOINT
Generating configuration....
Created checkpoint 'MYCHECKPOINT'
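Checkpoint names end up as file names in Flash memory, which is why this chapter tells you to avoid braces, white space and the shell and path metacharacters `$&*()\|;'"<>/?. The following Python helper is an added example, not code from the Cisco guide: it checks a proposed name against the 25-character limit and that forbidden list before you type it into checkpoint create. It deliberately does not reject other non-alphanumeric characters such as a dot, because the guide's own examples (CHECKPOINT1.txt) use them.

```python
"""Check a proposed ACE checkpoint name against the rules in this chapter.

Added example, not from the Cisco guide. Rules applied: at most 25 characters,
no white space, no braces, and none of the symbols `$&*()\\|;'"<>/? that the
guide lists as characters to avoid (shell, path and quoting metacharacters).
"""
import re

MAX_LEN = 25
# Opening/closing braces plus the guide's symbol list: ` $ & * ( ) \ | ; ' " < > / ?
FORBIDDEN = set("{}`$&*()\\|;'\"<>/?")


def checkpoint_name_problems(name):
    """Return the list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if re.search(r"\s", name):
        problems.append("contains white space")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("contains forbidden symbol(s): " + " ".join(bad))
    return problems


def is_valid_checkpoint_name(name):
    """Convenience wrapper for scripts that only need a yes/no answer."""
    return not checkpoint_name_problems(name)
```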
Before you use this command, make sure that you want to delete the checkpoint. When you enter this
command, the ACE removes the checkpoint from Flash memory.
Detailed Steps

Step 1
Example:
host1/Admin# show checkpoint all

Step 2
Example:
host1/Admin# checkpoint delete MYCHECKPOINT
Detailed Steps

Step 1
Example:
host1/Admin# show checkpoint all

Step 2

Step 3
If the running-configuration file has the no ft auto-sync command configured and the checkpoint has
the ft auto-sync command configured, a checkpoint rollback will fail with the following message:
Warning : 'no ft auto-sync' & 'ft auto-sync' conflict detected - Rollback will fail
Failing Scenario - running config has 'no ft auto-sync' / checkpoint has 'ft auto-sync'
Copying a Checkpoint
This section describes how to copy a checkpoint to one of several destinations.
Detailed Steps

Step 1
Example:
host1/Admin# show checkpoint all

Step 2
Command: copy checkpoint:filename disk0:[path/]filename | image:image_name | startup-config |
{ftp://server/path[/filename] | sftp://[username@]server/path[/filename] |
tftp://server[:port]/path[/filename]}
Example:
host1/Admin# copy checkpoint:CHECKPOINT1.txt ftp://192.168.1.2
Enter the destination filename[]? [CHECKPOINT1.txt]
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).

sftp://[username@]server/path[/filename] - Specifies the Secure File Transfer Protocol (SFTP) network
server and optional renamed checkpoint file.
Detailed Steps

Step 1
Example:
host1/Admin# show checkpoint all

Step 2

Table 4-3 describes the fields that appear in the show checkpoint all command output.

Table 4-3

Field         Description
Checkpoint
Size
Date
Setting Thresholds for and Displaying the Network Processor Buffer Usage
Detailed Steps

Example:
host1/Admin(config)# buffer threshold active 88 standby 40 action reload
Caution
We recommend that you reformat the ACE module Flash memory only under the guidance and
supervision of Cisco Technical Assistance Center (TAC).
Prerequisites
Before you reformat the Flash memory, we recommend that you copy the following ACE module
operation and configuration files or objects to a remote server:
See the Copying Files section for details on how to use the copy command to save configuration files
or objects, such as the existing startup-configuration files, running-configuration file, licenses, core
dump files, or packet capture buffers, to a remote FTP, SFTP, or TFTP server.
See the SSL Guide, Cisco ACE Application Control Engine for details on how to use the crypto export
command to export SSL certificate and key pair files to a remote FTP, SFTP, or TFTP server.
Detailed Steps
Command
Purpose
format disk0:
Example:
host1/Admin# format disk0:
Warning!! This will reboot the system after formatting disk0.
Do you wish to proceed anyway? (y/n) [n] y
The ACE appliance performs the following verification sequence prior to reformatting Flash memory:
If the system image (the current loaded image) is present in the GNU GRand Unified Bootloader
(GRUB) boot loader, the ACE appliance automatically backs up that image and then
reformats Flash memory.
If the system image is not present in the GRUB boot loader, the ACE appliance prompts you for the
location of an available image to back up prior to reformatting the Flash memory.
If you choose not to back up an available image file, the ACE appliance searches for the
ACE-APPLIANCE-RECOVERY-IMAGE.bin image in the GRUB partition of Flash memory.
ACE-APPLIANCE-RECOVERY-IMAGE.bin is the recovery software image that the ACE
appliance uses if the disk partition in Flash memory is corrupted.
If ACE-APPLIANCE-RECOVERY-IMAGE.bin is present, the ACE appliance continues with
Before you reformat Flash memory, we recommend that you copy the following ACE appliance
operation and configuration files or objects to a remote server:
See the Copying Files section for details on how to use the copy command to save configuration files
or objects, such as the existing startup-configuration files, running-configuration file, licenses, core
dump files, or packet capture buffers, to a remote FTP, SFTP, or TFTP server.
See the SSL Guide, Cisco ACE Application Control Engine for details on how to use the crypto export
command to export SSL certificate and key pair files to a remote FTP, SFTP, or TFTP server.
Detailed Steps
Command
Purpose
format flash:
Example:
host1/Admin# format flash:
Warning!! This will erase everything in the compact flash including
startup configs for all the contexts and reboot
the system!!
Do you wish to proceed anyway? (yes/no) [no] yes
What to Do Next
After you reformat the Flash memory, perform the following actions:
Reinstall the ACE appliance software image by using the copy image: command (see the Release
Note, Cisco ACE 4700 Series Application Control Engine Appliance).
Reinstall the ACE appliance license by using the license install command (see Chapter 3, Managing
ACE Software Licenses).
Import the startup and running-configuration files into the associated context by using the copy
command (see the Copying Configuration Files from a Remote Server section).
Import SSL certificate files and key pair files into the associated context by using the crypto import
command (see the SSL Guide, Cisco ACE Application Control Engine).
Chapter 5
The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise
noted.
This chapter describes how to display ACE hardware and software system information.
This chapter does not include information for displaying the running- or startup-configuration files. To
display the contents of these files, see Chapter 4, Managing the ACE Software.
This chapter contains the following major sections:
System processes
System information
Technical support
The following commands display internal system-level hardware show output for use by trained Cisco
personnel as an aid in debugging and troubleshooting the ACE:
show buffer, show fifo, show netio, show np and show vnet commands
(ACE module only) show cde, show hyp, show lcp, and show scp commands
For background information about these show commands, see the Command Reference, Cisco ACE
Application Control Engine.
Purpose

show hardware
Displays the ACE hardware details. For descriptions of the fields in the command output, see the
following table:

show inventory
Displays the system hardware inventory of the ACE. This command displays information about the field
replaceable units (FRUs) in the ACE, including product identifiers, serial numbers, and version identifiers.
The raw option displays information about each temperature sensor (ACE module) or component
(ACE appliance) in the ACE.
For descriptions of the fields in the show inventory command output, see the following table:

show dc dc_number console
(ACE module only) Displays whether the master or the slave network processor console is directed to the
base board front panel for the specified daughter card. For example, if the master network processor is
directed to the front panel, the following message appears:
mCPU console is directed to base board front panel
See the set dc dc_number console command in the Setting the Daughter Card Network Processor for
Console Access section.
Table 5-1    Field Descriptions for the ACE Module show hardware Command

Field              Description
Hardware
Product Number
Serial Number
Card Index
Hardware Rev
Feature Bits
Slot No.           Slot number in the switch or router chassis where the ACE30 is installed
Type               Identifies the module type installed in the switch or router chassis as an ACE30 module
Module Mode
Daughter Card
Product Number
Serial Number
Card Index
Hardware Rev
Feature Bits
Slot No.           Slot number (1) in the ACE30 where the daughter card is installed
Controller FPGA
NP 1               Network processor 1
Clock Rate
Memory Size
NP 2               Network processor 2
Clock Rate
Memory Size
Daughter Card
Product Number
Serial Number
Card Index
Hardware Rev
Feature Bits
Slot No.           Slot number (2) in the ACE30 where the daughter card is installed
Controller FPGA
NP 3               Network processor 3
Clock Rate
Memory Size
NP 4               Network processor 4
Clock Rate
Memory Size
Table 5-2

Field              Description
Product Number
Serial Number
Hardware Rev
VID
MFG Revision
Slot No.           Not applicable
Type
Table 5-3

Field    Description
Name     Name assigned to the ACE30 (module nn) and the two daughter cards (submodule 1 and 2) in the
         switch or router chassis. If you specify the raw option, the Name field displays temperature for
         the temperature sensor in the ACE30.
Descr    Description of the ACE30 (Application Control Engine Service Module) and the two daughter
         cards installed in the switch or router chassis. If you specify the raw option, this field also
         displays a brief description of each temperature sensor in the ACE30.
PID
VID      Hardware revision of the ACE30 and the daughter cards. If you specify the raw option, this field
         is not applicable.
SN       Serial number of the ACE30 and the daughter cards. If you specify the raw option, this field is
         not applicable.

Table 5-4

Field    Description
Name
Descr
PID
VID
SN
(ACE module only) The following example shows the output of the show inventory raw command for
the ACE module:
switch/Admin# show inventory raw
NAME: "module 11", DESCR: "Application Control Engine Service Module"
PID: ACE30-MOD-K9       , VID: 2.3, SN: SAD114005T7
NAME: "submodule 1", DESCR: "ACE Expansion Card"
PID: ACEMOD-EXPN-DC     , VID: 0.401, SN: SAD123000VH
(ACE appliance only) The following example shows the output of the show hardware command for the
ACE appliance:
host1/Admin # show hardware
Hardware
Product Number: ACE-4710-K9
Serial Number: QCN21220038
Hardware Rev: 1.1
VID: V02
CLEI: COUCAFJCAA
MFG Part Num: 800-29070-02
MFG Revision: 01
Slot No. : 1
Type: Unknown
Purpose
show copyright
show version
Displays the version of system software that is currently running on the ACE in Flash memory.
You use the show version command to verify the software version on the ACE before and after
an upgrade.
Examples
The following example shows the output for the show copyright command:
host1/Admin# show copyright
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2010, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
(ACE module only) The following example shows the output for the show version command:
switch/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2010 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader:
Version 12.2[123]
system:
Version A4(1.0) [build 3.0(0)A4(1.0) 12:57:44-2010/09/17_REL_3_0_0_A4_1_0]
system image file: [LCP] disk0:gmt.bin
installed license: ACE30-MOD-16-K9
Hardware
Cisco ACE (slot: 11)
cpu info:
number of cpu(s): 2
cpu type: SiByte
cpu: 0, model: SiByte SB1 V0.2, speed: 11.32(BogoMIPS)
cpu: 1, model: SiByte SB1 V0.2, speed: 11.32(BogoMIPS)
memory info:
total: 1014396 kB, free: 295160 kB
shared: 0 kB, buffers: 780 kB, cached 0 kB
cf info:
filesystem: /dev/cf
total: 1014624 kB, used: 890928 kB, available: 123696 kB
last boot reason: reload command by admin
configuration register: 0
switch kernel uptime is 1 days 2 hours 27 minute(s) 7 second(s)
(ACE appliance only) The following example shows the output for the show version command:
host1/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2010 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader:
Version 0.95
system:
Version A4(1.0) [build 3.0(0)A4(1.0) adbuild_03:31:25-2010/09/17
6_/auto/adbure_nightly2/nightly_rel_a4_1_0_throttle/REL_3_0_0_A4_1_0
system image file: (hd)c4710ace-t1k9-mz.A4_1_0.bin
Device Manager version 4.1 (0) 20080805:0415
installed license: ACE-AP-VIRT-020 ACE-AP-C-1000-LIC
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6226392 kB, free: 4315836 kB
shared: 0 kB, buffers: 17164 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 935560 kB, used: 611564 kB, available: 276472 kB
last boot reason: Unknown
configuration register: 0x1
kernel uptime is 0 days 21 hours 25 minute(s) 17 second(s)
Purpose
Displays general information about all of the processes running on the ACE.
This command is available only to users with an Admin role across all
contexts. The displayed system processes information is at the CPU system
level (the total CPU usage) and is not on a per-context level.
The show processes command with no options displays summary CPU
information for the SiByte 1250 Processor (ACE module) or Intel Pentium
processor (ACE appliance). Table 5-5 describes the fields for the
command output.
The optional keywords and argument are as follows:
identifier
Table 5-8 describes the fields for the details and pid options.
Table 5-5

Field       Description
PID         Process identifier.
State       Process state. Included below is a summary of the different process state codes that can
            appear to describe the state of a process:
            NR - Not running
            W - Paging
            X - Process is dead
PC
Start_cnt
TTY         Terminal that controls the process. A hyphen (-) usually means a daemon is not running on
            any particular tty.
Process
Table 5-6

Field             Description
CPU Utilization   Percentage of CPU utilization for the ACE for a 5-second interval, 1-minute interval, and
                  a 5-minute interval
PID               Process identifier
Runtime (ms)
Invoked
uSecs
1 Sec
5 Sec
1 Min
5 Min
Process
Table 5-7

Field             Description
Process
PID               Process identifier
Normal-exit
Stack
Core
Log-create-time

Table 5-8    Field Descriptions for the show processes log [details | pid] Command

Field             Description
Service
Description
Started at
Stopped at
Uptime
Start type        System manager option that indicates the process restartability characteristics (that is,
                  whether it is a stateless restart or stateful restart).
Death reason      Reason that the system manager killed the process (for example, no sysmgr heartbeats).
Exit code
CWD
Virtual memory    Virtual memory addresses where the code, data heap, and stack of the process are located.
PID               Process identifier.
SAP
UUID
Table 5-9
Field
Description
PID
Process identifier
MemAlloc
StackBase/Ptr
Process
5-10
OL-25343-01
Chapter 5
Examples
(ACE module only) The following example shows the output for the show processes mem command:
host1/Admin# show processes memory
PID    MemAlloc   StackBase/Ptr      Process
-----  ---------  -----------------  ---------------
1      630784     7fb36f20/7fb36948  init
2      0          0/0                migration/0
3      0          0/0                posix_cpu_timer
4      0          0/0                softirq-high/0
5      0          0/0                softirq-timer/0
6      0          0/0                softirq-net-tx/
7      0          0/0                softirq-net-rx/
8      0          0/0                softirq-block/0
9      0          0/0                softirq-tasklet
10     0          0/0                softirq-rcu/0
11     0          0/0                watchdog/0
12     0          0/0                desched/0
13     0          0/0                migration/1
14     0          0/0                posix_cpu_timer
15     0          0/0                softirq-high/1
16     0          0/0                softirq-timer/1
17     0          0/0                softirq-net-tx/
18     0          0/0                softirq-net-rx/
19     0          0/0                softirq-block/1
20     0          0/0                softirq-tasklet
21     0          0/0                softirq-rcu/1
22     0          0/0                watchdog/1
23     0          0/0                desched/1
24     0          0/0                events/0
25     0          0/0                events/1
26     0          0/0                khelper
27     0          0/0                kthread
114    0          0/0                sibytecf0
152    0          0/0                loop0
159    0          0/0                loop1
166    0          0/0                loop2
173    0          0/0                loop3
180    0          0/0                loop4
736    3178496    7fc4ee60/7fc4e748  lcpfw
843    393216     7fc71e30/0         insmod
886    0          0/0                PCI
919    2940928    7fbe0df0/7fbe0aa0  httpd
933    1392640    7fadee40/7fadea70  mtsmon
936    3497984    7ffa5e70/7ffa58d8  sysmgr
968    54292480   7fd11cc0/7fd11878  syslogd
969    1859584    7fc61ce0/7fc60c78  sdwrapd
973    2330624    7ffe5ce0/7ffe5730  pfmgr
976    1863680    7fbe0df0/7fbe09b8  httpd
977    1896448    7fbe0df0/7fbe09a0  httpd
981    3170304    7fd54d00/7fd547b8  ntp
983    1449984    7faa3c30/7faa2908  lmgrd
984    1691648    7f8cdcf0/7f8cd4a0  fs-daemon
985    2445312    7f88acf0/7f88aac8  confcheck
986    2830336    7fd2ece0/7fd2e8f0  licmgr
989    9785344    7fff3d10/7fff3720  vshd
999    1589248    7ff38c00/7ff38a30  cisco
1008   475136     7fdc6ca0/7fdc6b70  klogd
1011   2551808    7fd74cb0/7fd74a78  xinetd
1012   6012928    7f9a4ce0/7f9a4680  vacd
1013   2363392    7fac5d10/7fac5620  ttyd
1014   1568768    7fb6ed00/7fb6e958  sysinfo
1015   7155712    7fcc2cd0/7fcc1570  snmpd
1016   2199552    7fd15cf0/7fd15918  sme
1017   2301952    7fef3cc0/7fef37d0  scripted_hm
1018   3305472    7ffd2ce0/7ffd1638  radiusd
1019   1548288    7ffb7cf0/7ffb7310  rad
1020   1613824    7f94fce0/7f94f958  pktcap
1021   47558656   7fe03ce0/7fdeef78  nd_mgr
1022   2560000    7f8cacd0/7f8ca730  nat_dnld
1023   3821568    7fecacc0/7feca938  itasca_ssl
1024   32866304   7fe9dcb0/7fe9d6b8  itasca_route_mgr
1025   1859584    7fb63cd0/7fb63950  itasca_fm
1026   8085504    7fd96ce0/7fd968e8  ifmgr
1027   1548288    7fc7fcc0/7fc7f6f0  hsrp_track
1028   4792320    7fc7fcf0/7fc7eff0  hm
1029   2740224    7fdd0ce0/7fdd04c8  ha_mgr
1030   3518464    7fe1bcd0/7fe1b040  ha_dp_mgr
1031   1609728    7f86fcd0/7f86f2f8  gslb_proto
1032   4980736    7fc8cce0/7fc8cb10  dhcv6relay
1033   2355200    7fd7ecf0/7fd7e8f0  dhcrelay
1034   1794048    7fb15cf0/7fb156b8  core-dmon
1035   5009408    7fea7cc0/7fea7120  config_cntlr
1036   1601536    7fa30ce0/7fa304d0  bpdu
1037   2211840    7ff5fce0/7ff5f8a8  ascii-cfg
1038   47419392   7f940cd0/7f92bdb0  arp_mgr
1039   211857408  7fe82cd0/7fe822c8  aclmerged
1040   3215360    7ff6ccd0/7ff6b608  tacacs
1041   2990080    7fcc8ce0/7fcc7aa0  ldap
1042   3186688    7faf2ce0/7faf2868  aaa
1058   7704576    7feadcd0/7feac8f0  securityd
1066   107794432  7f828ce0/7f825a20  cfgmgr
1082   2363392    7f855e90/7f853838  login_o
1097   0          0/0                TL_INIT_THREAD
1155   0          0/0                Peer
1249   4489216    7f890ee0/7f88fa98  vsh
23600  765952     7fe7dce0/7fe7d6a8  telnetd
23601  2400256    7ff2df10/7ff2b8b8  login_o
23609  4255744    7fa5fec0/7fa5ea88  vsh
23634  2314240    7fa5fec0/7fa5c0e0  vsh
23635  675840     7ffa0e70/7ffa0bb8  more
23636  0          7fe51c90/7fe51578  ps
(ACE appliance only) The following example shows the output for the show processes mem command:
host1/Admin# show processes memory
switch/Admin# show proc mem
PID    MemAlloc   StackBase/Ptr      Process
-----  ---------  -----------------  ---------------
1      495616     bffffe40/bffff930  init
2      0          0/0                migration/
3      0          0/0                ksoftirqd/
4      0          0/0                desched/0
5      0          0/0                migration/
6      0          0/0                ksoftirqd/
7      0          0/0                desched/1
8      0          0/0                events/0
9      0          0/0                events/1
10     0          0/0                khelper
15     0          0/0                kthread
24     0          0/0                kacpid
117    0          0/0                kblockd/0
118    0          0/0                kblockd/1
171    0          0/0                pdflush
172    0          0/0                pdflush
173    0          0/0                kswapd0
174    0          0/0                aio/0
175    0          0/0                aio/1
252    0          0/0                kseriod
362    30277632   bfffe9c0/b220f8e4  mysqld
566    0          0/0                kirqd
649    30277632   bfffe9c0/b21df8e4  mysqld
725    0          0/0                kjournald
803    0          0/0                loop0
804    0          0/0                kjournald
813    0          0/0                loop1
814    0          0/0                kjournald
823    0          0/0                loop2
824    0          0/0                kjournald
833    0          0/0                loop3
834    0          0/0                kjournald
843    0          0/0                loop4
844    0          0/0                kjournald
929    303104     bfffeee0/0         insmod
1035   0          0/0                Octeon
1166   0          0/0                PCI
1609   30277632   bfffe9c0/b24808e4  mysqld
1780   1298432    bfffe3f0/bfffe06c  mtsmon
1811   3092480    bffff450/bffff180  httpd
1821   659456     bffff000/bfffed5c  cron
1831   1482752    bfffeb60/bfffe7cc  watchdog
1833   2981888    bfffe970/bfffe340  sysmgr
1868   42590208   bffff6a0/bffff2cc  syslogd
1869   1794048    bffff640/bfffe600  sdwrapd
1874   2170880    bffff3c0/bffff03c  pfmgr
1890   6307840    bfffebf0/bfffe5c8  vshd
1891   2924544    bfffeb70/bfffe400  ntp
1892   1216512    bfffea10/bfffd2d0  lmgrd
1893   1597440    bfffea50/bfffe1d0  fs-daemon
1895   2310144    bfffe960/bfffe780  confcheck
1897   2809856    bfffe840/bfffe468  licmgr
1911   3534848    bfffe1c0/bfffe020  ntpd
1916   1404928    bfffddf0/bfffdc30  cisco
1917   2265088    bfffde10/bfffdc40  xinetd
1918   3817472    bfffddd0/bfffd7ac  vacd
1919   2564096    bfffdd70/bfffd660  ttyd
1920   5492736    bffffce0/bffff97c  sysinfo
1921   8499200    bffffc40/bfffe65c  snmpd
1922   2101248    bffffbd0/bffff83c  sme
1923   2228224    bffffb20/bffff5d0  scripted_h
1924   3141632    bffffac0/bfffe400  radiusd
1925   1413120    bffffa50/bffff79c  rad
1926   1544192    bffff9c0/bffff67c  pktcap
1927   41160704   bffff940/bfffec7c  nd_mgr
1928   2351104    bffff8c0/bffff35c  nat_dnld
1929   4214784    bffff830/bffff4dc  itasca_ssl
1930   32788480   bffff790/bffff1bc  itasca_rou
1931   1765376    bffff730/bffff3dc  itasca_fm
1932   8060928    bffff6c0/bffff2dc  ifmgr
1933   6647808    bffff650/bfffe96c  hm
1934   2408448    bffff5c0/bfffed60  ha_mgr
1935   3465216    bffff530/bfffec40  ha_dp_mgr
1936   1482752    bffff4b0/bfffeae0  gslb_proto
1937   4956160    bffff440/bffff2b0  dhcv6relay
1938   2334720    bffff3d0/bffff010  dhcrelay
1939   2633728    bffff320/bfffe6ec  config_cnt
1940   1527808    bffff2d0/bfffec8c  bpdu
1941   2101248    bffff260/bfffef1c  avs_stat
1942   1740800    bffff1e0/bfffe3c8  avs_cm
1943   7884800    bffff130/bfffeea0  avs
1944   2117632    bffff0c0/bfffec78  ascii-cfg
1945   41406464   bffff040/bfffe03c  arp_mgr
1946   163233792  bfffefb0/bfffe9dc  aclmerged
1947   3198976    bfffef40/bfffd650  tacacs
1948   2859008    bfffeec0/bfffdcc0  ldap
1949   3010560    bfffee50/bfffe9f8  aaa
1952   6647808    bffff650/ad1a83ac  hm
1958   41160704   bffff940/b528d52c  nd_mgr
1960   491520     bfffe900/bfffe828  klogd
1961   41406464   bffff040/b52c808c  arp_mgr
1964   4247552    bfffe6b0/bfffd2e0  securityd
1965   99672064   bfffe640/bfffbf90  cfgmgr
1966   2633728    bffff320/b50906ac  config_cnt
1967   2564096    bfffe540/bfffdf9c  portmgr
1968   4214784    bffff830/b4d3e4bc  itasca_ssl
1972   163233792  bfffefb0/9e643888  aclmerged
2026   30277632   bfffe9c0/b22cf8e4  mysqld
2054   8499200    bffffc40/b301b7ac  snmpd
3142   3612672    bffff450/bffff11c  httpd
7196   4059136    bfffe3a0/bfffa608  vsh
7197   618496     bfffefb0/bfffed7c  more
7198   1081344    bfffeda0/bfffe5a8  sh
7200   995328     bfffecb0/bfffe754  sort
7511   430080     bffff280/bffff118  agetty_o
7546   0          0/0                TL_INIT_TH
18029  638976     bfffe630/bfffdfa0  in.telnetd
18037  4034560    bfffe3a0/bfffcff8  vsh
22335  651264     bfffdd30/bfffd6a0  in.telnetd
22336  4001792    bffffe20/bfffea80  vsh
26342  297897984  bfffe670/9025f15c  java
31556  1105920    bffffaa0/bfffe958  mysqld_saf
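The two listings above are what an operator sees interactively; a monitoring job needs them as structured records. The following Python example is added for this page (it is not Cisco code) and parses the four-column show processes memory layout, compares the process names against a baseline captured from a known-good device, and reports the largest allocations. The sample capture and the BASELINE set are constructed for the example: the row layout follows the output above and the baseline names are taken from it, but the PIDs and byte counts are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# One data row of "show processes memory": PID, MemAlloc (bytes), StackBase/Ptr
# (two hex addresses separated by "/") and Process. The prompt, the column
# header and the dashed rule do not match this pattern and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<mem>\d+)\s+"
    r"(?P<base>[0-9a-f]+)/(?P<ptr>[0-9a-f]+)\s+(?P<name>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcRow:
    pid: int
    mem_alloc: int   # bytes, as reported in the MemAlloc column
    stack_base: int
    stack_ptr: int
    name: str


def parse_show_processes_memory(text: str) -> List[ProcRow]:
    """Turn CLI output into rows; lines that are not data rows are ignored."""
    rows: List[ProcRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(ProcRow(
                pid=int(m["pid"]),
                mem_alloc=int(m["mem"]),
                stack_base=int(m["base"], 16),
                stack_ptr=int(m["ptr"], 16),
                name=m["name"],
            ))
    return rows


def unexpected_processes(rows: Iterable[ProcRow], baseline: Set[str]) -> List[str]:
    """Process names present in the capture but absent from the baseline."""
    return sorted({r.name for r in rows if r.name not in baseline})


def memory_by_name(rows: Iterable[ProcRow]) -> Dict[str, int]:
    """Sum MemAlloc per process name (httpd and vsh run as several PIDs)."""
    totals: Dict[str, int] = {}
    for r in rows:
        totals[r.name] = totals.get(r.name, 0) + r.mem_alloc
    return totals


def top_consumers(rows: Iterable[ProcRow], n: int = 3) -> List[str]:
    """Names of the n processes with the largest single MemAlloc values."""
    ranked = sorted(rows, key=lambda r: r.mem_alloc, reverse=True)
    return [r.name for r in ranked[:n]]


# Baseline of names seen on a known-good device. Here it is a subset of the
# names in the page's sample output; a real baseline is captured per device.
BASELINE = {"init", "migration/0", "sysmgr", "syslogd", "vshd", "httpd", "ps"}

# Constructed capture in the layout of the output above (values invented).
SAMPLE_OUTPUT = """\
host1/Admin# show processes memory
PID    MemAlloc   StackBase/Ptr      Process
-----  ---------  -----------------  ---------------
1      630784     7fb36f20/7fb36948  init
2      0          0/0                migration/0
936    3497984    7ffa5e70/7ffa58d8  sysmgr
968    54292480   7fd11cc0/7fd11878  syslogd
976    1863680    7fbe0df0/7fbe09b8  httpd
977    1896448    7fbe0df0/7fbe09a0  httpd
989    9785344    7fff3d10/7fff3720  vshd
23636  0          7fe51c90/7fe51578  ps
24017  4194304    7fe00000/7fdffe00  unknown_svc
"""

if __name__ == "__main__":
    parsed = parse_show_processes_memory(SAMPLE_OUTPUT)
    print("rows parsed:", len(parsed))
    print("not in baseline:", unexpected_processes(parsed, BASELINE))
    print("top consumers:", top_consumers(parsed))
    print("httpd total bytes:", memory_by_name(parsed)["httpd"])
```

The same parser works for both the module and the appliance listings, since they share the column layout; only the baseline differs per platform.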
Purpose
Table 5-10  Field Descriptions for the show terminal internal info Command
Field                Description
Process Information
Name
State                Process state. Included below is a summary of the different process state codes that can appear to describe the state of a process:
                     NR - Not running
                     W - Paging
                     X - Process is dead
SleepAVG
TGID
PID                  Process identifier.
PPID
TracerPID
UID                  Identifier of the user that started the process (four element list).
GID                  Identifier of the group that the process belongs to (four element list).
FDSize
Groups
VmSize
VmLck
VmRSS
VmData
VmStk
VmExe
VmLib
VmPTE
Threads              Number of threads.
SigPnd               Signals pending.
ShdPnd
SigBlk               Signals blocked.
SigIgn               Signals ignored.
SigCat               Signals caught.
CapInh
CapPrm
CapEff
Memory Limits
Core file size
File size
                     Maximum size (in KB) which a process may lock into memory.
                     Maximum size (in KB) to which a process resident set size may grow.
Note
Open files
Pipe size
Stack size
CPU time
Virtual memory       Maximum amount (in KB) of virtual memory available to the process.
Purpose
show system {cpuhog | error-id {hex_id | list} | internal | kcache | kmem | kmemtrack | resources | skbtrack | uptime | watchdog [lcp | memory | scp]}
Displays the system information. The keywords and argument are as follows:
cpuhog - Displays information related to the process watchdog timer that monitors CPU usage by any currently active processes. This keyword is intended for use by trained Cisco personnel for troubleshooting purposes only.
0xffffffff.
list - Displays all error IDs.
uptime - Displays how long the ACE has been up and running, see Table 5-13. This keyword is available in all user contexts.
(ACE module only) The LCP and SCP timeouts are not configurable.
5-17
Chapter 5
Table 5-11
Field
Description
Mem
Total
Total usable Linux kernel RAM (physical RAM minus the reserved bits and the kernel binary code)
Used
Free
Shared
Always zero.
Buffers
Cached
RAM used for the page cache (disk cache) minus the RAM used for the swap cache.
Swap
Total
Used
Free
MemTotal
Total usable Linux kernel RAM (physical RAM minus the reserved bits and the kernel binary code).
MemFree
MemShared
Always zero.
Buffers
Cached
RAM used for the page cache (disk cache) minus the RAM used for the swap cache.
SwapCached
Memory that once was swapped out, is swapped back in, but is still in the swap file. If this memory
is needed, it does not need to be swapped out again because it is already in the swap file. This saves
I/O.
Active
Memory that has been used recently and usually not reclaimed unless it is absolutely necessary.
Inactive
HighTotal
Total amount of memory in the high memory (highmem) region. Highmem is all memory above
approximately 860 MB of physical RAM. The kernel uses indirect methods to access the high
memory region. Data cache can go in this memory region.
HighFree
LowTotal
LowFree
Amount of free memory in the low memory region. The kernel can address low memory directly. All
kernel data structures need to go into low memory.
SwapTotal
SwapFree
Committed_AS
An estimate of how much RAM you would need to make a 99.99% guarantee that there never is an
out-of-memory (OOM) condition for a particular workload. Normally, the kernel overcommits
memory. For example, if you dynamically allocate 1 GB of memory, no demand is placed on that
memory until you actually start using it. The Committed_AS is an estimate of how much RAM or
swap memory you would need in a worst-case scenario.
5-18
OL-25343-01
Chapter 5
Table 5-12
Field
Description
Load average
Load that is defined as the number of running processes. The average reflects the system load over
the past 1-minute, 5-minute, and 15-minute interval.
Processes
Number of processes in the system, and how many processes are actually running when you enter
the command.
CPU states
CPU usage percentage in user mode, kernel mode, and idle time in the last second.
Memory usage
Total memory, used memory, free memory, memory used for buffers, and memory used for cache
in KB. Buffers and cache are also included in the used memory statistics.
Table 5-13
Field
Description
System uptime
Length of time that the ACE hardware and software have been running
Kernel uptime
Length of time that the operating system (OS) has been running
Table 5-14 describes the output fields for the show system watchdog command.
Table 5-14
Field
Description
LCP watchdog
(ACE module only) State of the LCP process watchdog: Enabled or Disabled.
Memory watchdog
SCP watchdog
Timeout
Timeout interval for the enabled watchdog. When the watchdog is disabled, its timeout is not
displayed.
Purpose
5-19
Chapter 5
Table 5-15
Field
Description
Total Messages
Errors
Echo Request
Echo Reply
Unreachable
TTL Expired
Redirect
Mask
Number of ICMP Address Mask Request messages transmitted or received by the ACE
Param problem
Source Quench
Time Stamp
Number of ICMP Time Stamp (request) messages transmitted or received by the ACE
5-20
OL-25343-01
Chapter 5
Purpose
Displays general information about the ACE for use when you report a problem.
You can use this command to collect a large amount of information about your
ACE and provide the command output to technical support representatives.
This command displays the output of several show commands at once. The
command output varies depending on your configuration.
The optional details keyword provides detailed information for each show
command.
You can choose to have detailed information for each command or even specify
the output for a particular interface or ACE. Each command output is separated
by the line and the command that precedes the output.
The default output of the show tech-support command includes, for example,
the output of the following commands:
show interface - See the Routing and Bridging Guide, Cisco ACE Application
Control Engine.
When using this command, explicitly set the terminal length command to 0
(zero) to disable autoscrolling and enable manual scrolling. Use the show
terminal command to view the configured terminal size. After obtaining the
output of this command, reset your terminal length as required.
You can save the output of this command to a file by appending > filename to
the show tech-support command (see Chapter 4, Managing the ACE
Software). If you save this file, verify that you have sufficient space to do so;
each file may take about 1.8 MB.
Command
tac-pac {disk0:[path/]filename | ftp://server/path[/filename] | scp://[username@]server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}
Purpose
Redirects the same information as the show tech-support command output to a
file on either the ACE disk0: or a remote server.
The keywords, arguments, and options are as follows:
disk0:[path/]filename - Specifies that the file destination is the disk0: file
system of the current context. If you do not provide the optional path, the
ACE copies the file to the root directory on the disk0: file system.
(ACE module only) The following example shows the show tech-support command output for the ACE
module:
host1/Admin# show tech-support
`show version`
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2010, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader:
Version 12.2[123]
system:
Version 3.0(0)A4(1.0) [build 3.0(0)A4(1.0) _01:26:21-2006/03/13_/auto/a
dbu-rel/ws/REL_3_0_0_A4_1_0]
system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A4_1_0.bin
licensed features: ACE30-MOD-16-K9
Hardware
Cisco ACE (slot: 11)
cpu info:
number of cpu(s): 2
cpu type: SiByte
--More--Generating configuration....
cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
memory info:
total: 957816 kB, free: 367840 kB
shared: 0 kB, buffers: 2928 kB, cached 0 kB
cf info:
filesystem: /dev/cf
`show inventory`
NAME: "module 11", DESCR: "Application Control Engine Service Module"
PID: ACE20-MOD-K9        , VID: 2.3, SN: SAD114005T7
NAME: "submodule 1", DESCR: "ACE Expansion Card"
PID: ACEMOD-EXPN-DC      , VID: 0.401, SN: SAD123000VH
NAME: "submodule 2", DESCR: "ACE Expansion Card"
PID: ACEMOD-EXPN-DC      , VID: 0.401, SN: SAD123000V4
`show hardware`
Hardware
Product Number: ACE30-MOD-K9
Serial Number:  SAD114005T7
Card Index:     207
Hardware Rev:   2.3
Feature Bits:   0000 0002
Slot No. :      11
Type:           ACE
Daughter Card
Product Number: ACEMOD-EXPN-DC
Serial Number:  SAD123000VH
Card Index:     309
Hardware Rev:   0.401
Feature Bits:   0000 0000
Slot No. :      1
Controller FPGA Rev:1.5
NP 1:
Clock Rate: 600000000 Hz
Memory Size: 4096 MB
NP 2:
Clock Rate: 600000000 Hz
Memory Size: 4096 MB
Daughter Card
Product Number: ACEMOD-EXPN-DC
Serial Number: SAD123000V4
Card Index:     309
Hardware Rev:   0.401
Feature Bits:   0000 0000
Slot No. :      2
Controller FPGA Rev:1.5
NP 3:
Clock Rate: 600000000 Hz
Memory Size: 4096 MB
NP 4:
Clock Rate: 600000000 Hz
Memory Size: 4096 MB
(ACE appliance only) The following example shows the show tech-support command output for the
ACE appliance:
`show version`
Cisco Application Control Software (ACSW)
`show clock`
Tue Aug 5 10:13:57 UTC 2008
`show inventory`
NAME: "Appliance", DESCR: "ACE 4710 Application Control Engine Appliance"
PID: ACE-4710-K9         , VID:      , SN: 2061
--More--

CHAPTER 6
The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise
noted. All features in this chapter function with IPv4 or IPv6 unless otherwise noted.
This chapter describes how to configure the ACE for redundancy, which provides fault tolerance for the
stateful switchover of flows. It contains the following major sections:
Default Settings
Note
(ACE module only) The two ACE modules can reside in the same Catalyst 6500 series switch or
Cisco 7600 series router, or in separate switches or routers.
Redundancy ensures that your network services and applications are always available by providing a
seamless switchover of flows in case an ACE becomes unresponsive or a critical host, interface, or HSRP
group (ACE module only) fails. Redundancy supports the following network applications that require
fault tolerance:
E-commerce
Redundancy Protocol
Stateful Failover
FT VLAN
Configuration Synchronization
Redundancy Protocol
The ACE uses a proprietary protocol to enable redundant configurations of two ACEs (peers). You
configure a maximum of two ACEs for redundancy.
Note
(ACE module only) The two ACE modules can reside in the same Catalyst 6500 series switch or
Cisco 7600 series router, or in separate switches or routers.
Each peer ACE can contain one or more fault-tolerant (FT) groups. Each FT group consists of two
members: one active context and one standby context. For more information about contexts, see the
Virtualization Guide, Cisco ACE Application Control Engine. An FT group has a unique group ID that
you assign.
One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is:
00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon switchover, the client and server ARP
tables do not require updating. The ACE selects a VMAC from a pool of virtual MACs available to it.
For more information about VMACs, see the Routing and Bridging Guide, Cisco ACE Application
Control Engine.
Each FT group acts as an independent redundancy instance. When a switchover occurs, the active
member in the FT group becomes the standby member and the original standby member becomes the
active member. A switchover can occur for the following reasons:
A tracked host, interface, or HSRP group (ACE module only) fails. See the Configuring Tracking
and Failure Detection section.
You enter the ft switchover command to force a switchover. See the Forcing a Failover section.
Figure 6-1 shows two possible redundancy configurations, where N is the number of ACEs configured
for redundancy. The letters (A, B, C, and D) represent the active contexts in each redundancy group,
while the primed letters (A', B', C', and D') are the standby contexts. The contexts are evenly distributed
between the two ACEs. You always configure the active and the standby contexts on different ACEs.
Figure 6-1  (figure not reproduced: left, N=2 with 2 redundant groups; right, N=2 with 4 redundant groups)
Figure 6-2 shows the uneven distribution of contexts between the two ACEs. As an example, it is
possible that the FT groups A, B, C, and D use only half the resources that E and F require.
Figure 6-2  Uneven Distribution of Contexts (figure not reproduced: N=2 with 6 redundant groups)
To outside nodes (clients and servers), the active and standby FT group members appear as one node
with respect to their IP addresses and associated VMAC. The ACE provides active-active redundancy
with multiple-contexts only when there are multiple FT groups configured on each ACE and both ACEs
contain at least one active group member (context). With a single context, the ACE supports
active-backup redundancy and each group member is an Admin context. For details about configuring
contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.
The ACE sends and receives all redundancy-related traffic (protocol packets, configuration data,
heartbeats, and state replication packets) on a dedicated FT VLAN. You cannot use this dedicated VLAN
for normal traffic.
To optimize the transmission of heartbeat packets for multiple FT groups and to minimize network
traffic, the ACE sends and receives heartbeat messages using a separate process. The ACE uses the
heartbeat to probe the peer ACE, rather than probe each context. When an ACE does not receive a
heartbeat from the peer ACE, all the contexts in the standby state become active. The ACE sends
heartbeat packets over UDP. You can set the frequency with which the ACE sends heartbeat packets as
part of the FT peer configuration (see the Configuring an FT Peer section).
The election of the active member within each FT group is based on a priority scheme. The member
configured with the higher priority is elected as the active member. If a member with a higher priority is
found after the other member becomes active, the new member becomes active because it has a higher
priority. This behavior is known as preemption and is enabled by default. You can override this default
behavior by disabling preemption, causing the member with the higher priority always to assert itself
and become active (see the Configuring an FT Group section).
If the two members have the same priority, the one with the higher IP address becomes the active
member. We recommend that you always assign a higher priority to the member that you want to be the
active member.
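The election rules in the two paragraphs above, together with the VMAC format given earlier in this section, are small enough to model exactly. The Python example below is added for this page and is not Cisco code: it implements the initial election (higher priority, then higher IP address on a tie), the default preemption rule (a member found later takes over only with a strictly higher priority), and the VMAC derivation 00-0b-fc-fe-1b-groupID. Member names and addresses are constructed; the assumption that the group ID fills the last VMAC octet as two hex digits (so IDs 1 to 255) is the example's own, not something the page states.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FtMember:
    """One member of an FT group: the context on one of the two peer ACEs."""
    name: str
    priority: int
    ft_ip: str   # the member's FT VLAN address (IPv4, as the FT VLAN requires)


def elect_active(a: FtMember, b: FtMember) -> FtMember:
    """Initial election: the higher priority wins; equal priorities are broken
    by the higher IP address, as the text above states."""
    if a.priority != b.priority:
        return a if a.priority > b.priority else b
    if ipaddress.IPv4Address(a.ft_ip) > ipaddress.IPv4Address(b.ft_ip):
        return a
    return b


def preempts(current_active: FtMember, newcomer: FtMember) -> bool:
    """Preemption (enabled by default): a member found after the election
    takes the active role only if its priority is strictly higher than the
    current active member's. An equal priority does not cause a switchover."""
    return newcomer.priority > current_active.priority


def ft_group_vmac(group_id: int) -> str:
    """VMAC for an FT group in the 00-0b-fc-fe-1b-groupID form given above.
    Assumption made here: the group ID is the last octet, written as two hex
    digits, so only IDs 1 to 255 are accepted."""
    if not 1 <= group_id <= 255:
        raise ValueError("group ID must fit in one octet (assumed range 1-255)")
    return f"00-0b-fc-fe-1b-{group_id:02x}"


if __name__ == "__main__":
    # Constructed members; addresses follow the FT VLAN example later in this chapter.
    ace1 = FtMember("ace1/C1", priority=150, ft_ip="192.168.12.1")
    ace2 = FtMember("ace2/C1", priority=100, ft_ip="192.168.12.15")
    print("active after election:", elect_active(ace1, ace2).name)
    print("ace1 preempts a running ace2:", preempts(current_active=ace2, newcomer=ace1))
    print("VMAC for FT group 1:", ft_group_vmac(1))
```

Because the VMAC is fixed per group ID, the same function can generate the MAC entries a network team expects to see move between switch ports at switchover, which is useful when writing port-security or MAC-move alerting rules for the FT pair.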
Stateful Failover
The ACE replicates flows on the active FT group member to the standby group member per connection
for each context. The replicated flows contain all the flow-state information necessary for the standby
member to take over the flow if the active member becomes unresponsive. If the active member becomes
unresponsive, the replicated flows on the standby member become active when the standby member
assumes mastership of the context. The active flows on the former active member transition to a standby
state to fully back up the active flows on the new active member.
After a switchover occurs, the same connection information is available on the new active member.
Supported end-user applications do not need to reconnect to maintain the same network session.
The state information passed to the standby ACE includes the following data:
Network Address Translation (NAT) table based on information synchronized with the connection
record
All Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections not
terminated by the ACE
Sticky table
To ensure that bridge learning occurs quickly upon a switchover in a Layer 2 configuration in the case
where a VMAC moves to a new location, the new active member sends a gratuitous ARP on every
interface associated with the active context. Also, when there are two VLANs on the same subnet and
servers need to send packets to clients directly, the servers must know the location of the gateway on the
client-side VLAN. The active member acts as the bridge for the two VLANs. In order to initiate learning
of the new location of the gateway, the new active member sends an ARP request to the gateway on the
client VLAN and bridges the ARP response onto the server VLAN.
Note
During failover, the ACE sends failover traffic to destination addresses as Layer 3 unicast and Layer 2
broadcast. As a result, you may encounter high CPU utilization in the interrupt context on the switch that
connects the two ACEs in the failover setup.
FT VLAN
Redundancy uses a dedicated FT VLAN between redundant ACEs to transmit flow-state information and
the redundancy heartbeat. You configure this same VLAN on both peer ACEs. The ACE supports the FT
VLAN only with IPv4.
The two redundant ACEs constantly communicate over the FT VLAN to determine the operating status
of each ACE. The standby member uses the heartbeat packet to monitor the health of the active member.
The active member uses the heartbeat packet to monitor the health of the standby member.
Communications over the switchover link include the following data:
Heartbeat packets
For multiple contexts, the FT VLAN resides in the system configuration file. Each FT VLAN on the ACE
has one unique MAC address associated with it. The ACE uses these device MAC addresses as the source
or destination MACs for sending or receiving redundancy protocol state and configuration replication
packets.
Configuration Synchronization
The ACE automatically replicates the active configuration on the standby member using a process called
configuration synchronization (config sync). Config sync automatically replicates any changes made to
the configuration of the active member to the standby member. After the ACE synchronizes the
redundancy configuration from the active member to the standby peer, it disables configuration mode on
the standby.
Note
In a redundant configuration, with a large configuration on the active ACE, you may encounter a lengthy
period of time (sometimes up to 4 hours) for the configuration to be applied and synchronized to the
standby ACE.
For information about configuring config sync, see the Synchronizing Redundant Configurations
section.
Redundancy is not supported between an ACE module and an ACE appliance operating as peers.
Redundancy must be of the same ACE device type and software release.
Each peer ACE can contain one or more fault-tolerant (FT) groups. Each FT group consists of two
members: one active context and one standby context. For more information about contexts, see the
Virtualization Guide, Cisco ACE Application Control Engine. An FT group has a unique group ID
that you assign.
One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is:
00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon switchover, the client and server
ARP tables do not require updating. The ACE selects a VMAC from a pool of virtual MACs
available to it. For more information about VMACs, see the Routing and Bridging Guide, Cisco ACE
Application Control Engine.
In bridged mode (Layer 2), two contexts cannot share the same VLAN.
To achieve active-active redundancy, a minimum of two contexts and two FT groups are required on
each ACE.
When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the
Down state. The IP address and the peer IP address that you assign to a VLAN interface should be
in the same subnet, but different IP addresses. For more information about configuring VLAN
interfaces, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
By default, the ACE does not replicate IP address sticky table entries on the standby ACE unless you
use the replicate sticky command in sticky-IP configuration mode. For details on the replicate
sticky command, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
The ACE does not replicate SSL and other terminated (proxied) connections from the active context
to the standby context.
(ACE appliance only) If you are using IPv6 in your network, we recommend that you configure
carrier delay properly so that, before Layer 2 convergence occurs, the ACE appliance is not sending
any IPv6 packets on the wire. Carrier delay is also highly recommended for duplicate address
detection (DAD) to work properly. You can configure a value for carrier delay from 1 to 120
seconds. Generally, 30 to 60 seconds of carrier delay works well for most applications. For more
information about configuring carrier delay and DAD, see the Routing and Bridging Guide, Cisco
ACE Application Control Engine.
The FT VLAN and the query VLAN are not supported over IPv6.
The ACE does not support the stateful failover of any connections that are proxied. Such
connections include Layer 7 connections (including SSL), inspection, and HTTP compression.
Also, any connections that are candidates for compression in the VIP but are not being compressed
(because of the MIME type of the data, for example) remain proxied and are not supported by
stateful failover.
In a user context, the ACE allows a switchover only of the FT group that belongs to that context. In
the Admin context, the ACE allows a switchover of all FT groups in all configured contexts in the
ACE.
Do not use this dedicated VLAN for any other network traffic, including data and HSRP (ACE
module only).
Redundancy uses a dedicated FT VLAN between redundant ACEs to transmit flow-state information
and the redundancy heartbeat. You must configure this same VLAN on both peer ACEs. You also
must configure a different IP address within the same subnet on each ACE for the FT VLAN.
The IP address and the MAC address of the FT VLAN do not change at switchover.
For redundancy to function properly, both members of an FT group must have identical
configurations. Ensure that both ACEs include the same bandwidth software license and the same
virtual context software license (4 Gbps, 8 Gbps, or 16 Gbps for the ACE module, or 2G or 1G for
the ACE appliance). If there is a mismatch in a software license between the two ACEs in an FT
group, the following operational behavior can occur:
If there is a mismatch in the virtual context software license, synchronization between the active
If both the active and the standby ACE devices have the same virtual context software license
but have a different bandwidth software license, synchronization will work properly but the
standby ACE may experience a potential loss of traffic on switchover. For example, the
switchover occurs from an 8-Gbps ACE module to a 4-Gbps ACE module, or from a 2G ACE
appliance to a 1G ACE appliance.
If normalization is disabled, the output from the show rserver command displays different
connection total values for the active and standby ACEs. The active ACE displays the total sum of
successful connections; whereas the standby ACE displays the total sum of both successful and
failed connections.
For details about the available ACE software licenses, see Chapter 3, Managing ACE Software
Licenses.
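Several of the requirements above concern the FT VLAN addressing: the FT VLAN is IPv4 only, the local and peer addresses must be different addresses in the same subnet, and the same VLAN must be configured on both peer ACEs with mirrored addresses. The following Python example, added for this page and not part of Cisco's software, checks a proposed FT interface configuration against those rules before it is typed in. The FtInterfaceConfig record, the function names, and the sample addresses are the example's own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FtInterfaceConfig:
    """Hypothetical record of one ACE's FT VLAN settings (ft interface vlan,
    ip address, peer ip address), as entered in config-ft-intf mode."""
    vlan: int
    ip: str
    mask: str
    peer_ip: str
    peer_mask: str


def validate_ft_interface(ip: str, mask: str, peer_ip: str, peer_mask: str) -> List[str]:
    """Check one ACE's local/peer FT VLAN pair. Returns the list of problems
    found; an empty list means the pair satisfies the rules listed above."""
    problems: List[str] = []
    try:
        local = ipaddress.ip_interface(f"{ip}/{mask}")
        peer = ipaddress.ip_interface(f"{peer_ip}/{peer_mask}")
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    if local.version != 4 or peer.version != 4:
        # The FT VLAN is supported with IPv4 only; nothing else is worth checking.
        return ["the FT VLAN is supported with IPv4 only"]
    if local.ip == peer.ip:
        problems.append("local and peer IP addresses must differ")
    if local.network != peer.network:
        problems.append(f"{local} and {peer} are not in the same subnet")
    return problems


def check_peer_pair(a: FtInterfaceConfig, b: FtInterfaceConfig) -> List[str]:
    """Check that both ACEs use the same FT VLAN and that each one's peer
    address is the other's own address (the configurations mirror each other)."""
    problems = validate_ft_interface(a.ip, a.mask, a.peer_ip, a.peer_mask)
    problems += validate_ft_interface(b.ip, b.mask, b.peer_ip, b.peer_mask)
    if a.vlan != b.vlan:
        problems.append(f"FT VLAN differs between peers: {a.vlan} vs {b.vlan}")
    if a.peer_ip != b.ip or b.peer_ip != a.ip:
        problems.append("each ACE's peer ip address must be the other ACE's FT VLAN address")
    return problems


if __name__ == "__main__":
    # Constructed pair using the addresses from the FT VLAN configuration example in this chapter.
    ace1 = FtInterfaceConfig(200, "192.168.12.1", "255.255.255.0", "192.168.12.15", "255.255.255.0")
    ace2 = FtInterfaceConfig(200, "192.168.12.15", "255.255.255.0", "192.168.12.1", "255.255.255.0")
    print("problems:", check_peer_pair(ace1, ace2) or "none")
```

A mismatch reported here is cheaper to catch than on the device, where a wrong peer address simply leaves the FT group without a heartbeat partner.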
Default Settings
Table 6-1 lists the default settings for the ACE redundancy parameters.
Table 6-1
Parameter                                                                                  Default
Connection replication                                                                     Enabled
Heartbeat interval (frequency in milliseconds (ms) at which the active member of the FT    300 ms
group sends the heartbeat packets to the standby member)
Heartbeat count (number of missed heartbeats that the standby member must detect           10
before determining that the active member is not available)
100
100
Automatic synchronization of the startup and running configurations between the active     Enabled
and the standby contexts of an FT group
Priority level for multiple probes on the active member
Preempt                                                                                    Enabled
Configuring Redundancy
If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the
desired context. If necessary, change to the correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this table use the Admin context, unless otherwise specified. For details on
creating contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.
Step 2
Step 3
(ACE appliance only) Configure one of the Ethernet ports on the ACE for fault tolerance using a
dedicated fault-tolerant (FT) VLAN for communication between the members of an FT group.
host1/Admin(config-if)# ft-port vlan 200
Step 4
Configure a dedicated FT VLAN for communication between the members of the FT group. The FT
VLAN is supported with IPv4 only. This FT VLAN is global and is shared by all contexts. Specify the
IP address and netmask of the FT VLAN and the IP address and netmask of the remote peer.
host1/Admin(config)# ft interface vlan 200
host1/Admin(config-ft-intf)# ip address 192.168.12.1 255.255.255.0
host1/Admin(config-ft-intf)# peer ip address 192.168.12.15 255.255.255.0
host1/Admin(config-ft-intf)# no shutdown
host1/Admin(config-ft-intf)# exit
Step 5
Configure a VLAN with an alias IP address that floats between the active and standby ACEs and serves
as a shared gateway for the two devices.
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# ipv6 enable
host1/Admin(config-if)# alias 2001:DB8:1::/64
or
host1/Admin(config-if)# alias 192.168.1.1 255.255.255.0
host1/Admin(config-if)# exit
Step 6
Configure the local redundancy peer ACE, associate the FT VLAN with the peer, configure the heartbeat
interval and count, and configure a query interface VLAN.
host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)# ft-interface vlan 200
host1/Admin(config-ft-peer)# heartbeat count 20
host1/Admin(config-ft-peer)# heartbeat interval 300
host1/Admin(config-ft-peer)# query-interface vlan 400
host1/Admin(config-ft-peer)# exit
Step 7
Step 8
Associate a context with each FT group. You must associate the local context and the corresponding peer
context with the same FT group.
host1/Admin(config-ft-group)# associate-context C1
Step 9
Step 10
Step 11
Step 12
Step 13
(Optional) Configure one or more critical objects (gateways or hosts, interfaces, or HSRP groups (ACE
module only)) to track for switchover. For example, to configure a critical interface for tracking, enter:
host1/Admin(config)# ft track interface VLAN100
host1/Admin(config-ft-track-intf)# track-interface vlan 100
host1/Admin(config-ft-track-intf)# peer track-interface vlan 100
host1/Admin(config-ft-track-intf)# priority 50
host1/Admin(config-ft-track-intf)# peer priority 150
host1/Admin(config-ft-track-intf)# ctrl-z
Step 14
(Optional) Enable autosynchronization of the running- and/or startup-configuration file from the active
to the standby context.
host1/Admin(config)# ft auto-sync running-config
host1/Admin(config)# ft auto-sync startup-config
Step 15
(Optional) If you want to disable connection synchronization from the active to the standby, enter the
following command:
host1/Admin(config)# ft connection-sync disable
Step 16
Step 17
(Recommended) Verify your redundancy configuration by using the following commands in Exec mode:
host1/Admin# show running-config ft
host1/Admin# show running-config interface
Configuring Redundancy
This section describes how to configure redundancy on the ACE and contains the following topics:
Configuring an FT VLAN
Configuring an FT Peer
Configuring an FT Group
Forcing a Failover
Requirements
You must configure the ft interface, ft peer, and ft group commands on all ACEs that participate in the
redundancy configuration.
Configuring an FT VLAN
This section describes how to configure an FT VLAN. Peer ACEs communicate with each other over a
dedicated FT VLAN. These redundant peers use the FT VLAN to transmit and receive heartbeat packets
and state and configuration replication packets. You must configure the same VLAN on each peer ACE.
Guidelines and Restrictions
Do not use this dedicated VLAN for any other network traffic, including data and HSRP (ACE
module only).
(ACE appliance only) On both peer ACE appliances, you must configure the same Ethernet port or
port-channel interface as the FT VLAN port. For example:
If you configure ACE appliance 1 to use Ethernet port 4 as the FT VLAN port, then be sure to
configure ACE appliance 2 to use port-channel interface 255 as the FT VLAN.
ACE Appliance Prerequisites
To configure one of the Ethernet ports or a port-channel interface on the ACE appliance for fault
tolerance using a dedicated FT VLAN for communication between the members of an FT group, use the
ft-port vlan command in interface configuration mode (see the Routing and Bridging Guide, Cisco ACE
Application Control Engine).
We highly recommend that you dedicate the specified Ethernet port or port-channel only as the FT
VLAN.
Note
When you specify the ft-port vlan command, the ACE appliance modifies the associated Ethernet port
or port-channel interface to a trunk port.
You have the option to either configure the dedicated VLAN as the only VLAN associated with the
Ethernet port or to include it as part of a VLAN trunk link (see the Routing and Bridging Guide, Cisco
ACE Application Control Engine). Note that the ACE appliance automatically includes the FT VLAN in
the VLAN trunk link. If you choose to configure VLAN trunking, it is not necessary for you to assign
the FT VLAN in the trunk link along with the other VLANs.
We also highly recommend that you enable Quality of Service (QoS) on the FT VLAN port to provide higher
priority for FT traffic. It is important that you maintain QoS throughout the entire FT traffic path. You enable
QoS for a configured physical Ethernet port through the qos trust cos interface mode command. QoS is based
on VLAN Class of Service (CoS) bits (priority bits that segment the traffic into eight different classes of
service). If a VLAN header is present, the ACE appliance uses the CoS bits to map frames into class
queues. If the frame is untagged, it falls back to a default port QoS level for mapping. See the Routing and
Bridging Guide, Cisco ACE Application Control Engine for details.
Detailed Steps

Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 2
Purpose: Creates an FT VLAN.
Example:
host1/Admin(config)# ft interface vlan 200
host1/Admin(config-ft-intf)#
No form:
host1/Admin(config)# no ft interface vlan 200

Step 3
Example:
host1/Admin(config-ft-intf)# ip address 192.168.12.1 255.255.255.0
No form:
host1/Admin(config-ft-intf)# no ip address 192.168.12.1 255.255.255.0

Step 4
Example:
host1/Admin(config-ft-intf)# peer ip address 192.168.12.15 255.255.255.0
No form:
host1/Admin(config-ft-intf)# no peer ip address 192.168.12.15 255.255.255.0

Step 5
Command: no shutdown
Example:
host1/Admin(config-ft-intf)# no shutdown
Command: shutdown
Example:
host1/Admin(config-ft-intf)# shutdown

Step 6
Command: exit
Example:
host1/Admin(config-ft-intf)# exit
host1/Admin(config)#

Step 7
Global-unique
Unique-local
For more information about IPv6 address types and assigning them to a VLAN, see the Routing and
Bridging Guide, Cisco ACE Application Control Engine.
Detailed Steps

Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 2
Example:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)#

Step 3
Command: ipv6 enable
Example:
host1/Admin(config-if)# ipv6 enable

Step 4
Command: alias ipv6_address/prefix_length
Example:
host1/Admin(config-if)# alias 2001:DB8:1::/64
No form: no alias ipv6_address/prefix_length
Example:
host1/Admin(config-if)# no alias 2001:DB8:1::/64

Step 5
Example:
host1/Admin(config-if)# alias 192.168.1.1 255.255.255.0
No form:
host1/Admin(config-if)# no alias 192.168.1.1 255.255.255.0

Step 6
Configuring an FT Peer
This section describes how to configure an FT peer definition on both peer ACEs.
Guidelines and Restrictions
Before you can remove an FT peer from the configuration by using the no form of the command,
you must remove the peer from the FT group (see the Configuring an FT Group section).
You cannot delete a query interface if it is associated with a peer. You must disassociate the interface
from the peer first, and then you can delete the interface.
Detailed Steps

Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 2
Command: ft peer peer_id
Purpose: Creates an FT peer.
Example:
host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)#
No form: no ft peer peer_id
Example:
host1/Admin(config)# no ft peer 1

Step 3
Example:
host1/Admin(config-ft-peer)# ft-interface vlan 200
No form:
host1/Admin(config-ft-peer)# no ft-interface vlan 200

Step 4
Example:
host1/Admin(config-ft-peer)# heartbeat interval 500
No form:
host1/Admin(config-ft-peer)# no heartbeat interval 500

Step 5
Example:
host1/Admin(config-ft-peer)# query-interface vlan 400

Step 6
Configuring an FT Group
This section describes how to configure multiple FT groups on each ACE.
Guidelines and Restrictions
Each FT group consists of a maximum of two members (contexts): one active context on one ACE
and one standby context on the peer ACE.
Before you can remove a context from an FT group, you must first take the group out of service by
using the no inservice command.
The ACE does not perform bulk config synchronization (sync) on the peer priority command value
in the FT group associated with the Admin context to the peer. Therefore, you may observe a peer
priority value in the running-configuration file that is different from the actual operating value. For
information on bulk config sync, see the Synchronizing Redundant Configurations section.
If you disable preemption by using the no preempt command and a member with a higher priority
is found after the other member has become active, the electing member becomes the standby
member even though it has a higher priority.
Prerequisites
Before you place an FT group in service, be sure that you have associated one context with the FT group
and that you have properly configured the two peers.
Detailed Steps

Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 2
Command: ft group group_id
Purpose: Creates an FT group.
Example:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#
No form: no ft group group_id
Example:
host1/Admin(config)# no ft group 1

Step 3
Command: associate-context name
Example:
host1/Admin(config-ft-group)# associate-context C1
No form: no associate-context name
Example:
host1/Admin(config-ft-group)# no associate-context C1

Step 4
Command: peer peer_id
Example:
host1/Admin(config-ft-group)# peer 1
No form: no peer peer_id
Example:
host1/Admin(config-ft-group)# no peer 1

Step 5
Command: priority number
Example:
host1/Admin(config-ft-group)# priority 150
No form: no priority
Example:
host1/Admin(config-ft-group)# no priority

Step 6
Example:
host1/Admin(config-ft-group)# peer priority 150
No form: no peer priority
Example:
host1/Admin(config-ft-group)# no peer priority

Step 7
Command: preempt
Example:
host1/Admin(config-ft-group)# preempt
No form: no preempt
Example:
host1/Admin(config-ft-group)# no preempt

Step 8
Command: inservice
Example:
host1/Admin(config-ft-group)# inservice
No form: no inservice
Example:
host1/Admin(config-ft-group)# no inservice

Step 9
Modifying an FT Group
This section describes how to modify an FT group.
Note
You can modify the priority, peer priority, and preempt command values without taking the FT group
out of service.
Details
Follow these steps to modify an FT group:
Step 1
Step 2
Step 3
Detailed Steps

Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 2
Select a bank of MAC addresses for the peer that is different from that used by the local ACE.
Detailed Steps

Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 2
Command: shared-vlan-hostid number
Example:
host1/Admin(config)# shared-vlan-hostid 3
Purpose: Configures the bank of MAC addresses that the ACE uses. The number argument is the bank of
MAC addresses that the ACE uses; enter a number from 1 to 16. Be sure to configure different bank
numbers for multiple ACEs. For details about this command, see the Routing and Bridging Guide, Cisco
ACE Application Control Engine.
No form: no shared-vlan-hostid
Example:
host1/Admin(config)# no shared-vlan-hostid

Step 3
Example:
host1/Admin(config)# peer shared-vlan-hostid 3
Purpose: The number argument is the bank of MAC addresses that the peer ACE uses. Enter a number from
1 to 16. Be sure to configure different bank numbers for multiple ACEs. For details about this command,
see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
No form: no peer shared-vlan-hostid
Example:
host1/Admin(config)# no peer shared-vlan-hostid

Step 4
Forcing a Failover
This section describes how to force a failover (switchover). You may need to force a switchover when
you want to make a particular context the standby (for example, for maintenance or a software upgrade
on the currently active context). If the standby group member can statefully become the active member
of the FT group, a switchover occurs.
Note
During failover, the ACE sends failover traffic to destination addresses as Layer 3 unicast and Layer 2
broadcast. As a result, you may encounter high CPU utilization in the interrupt context on the switch that
connects the two ACEs in the failover setup.
The switchover process exhibits the following behavior, depending on whether you perform the task
from the Admin context or a user context:
Admin context: If you specify an FT group ID, then the FT group specified by the group ID
switches over. If you do not specify a group ID, then the Admin context switches over.
User context: Because you cannot specify an FT group ID in a user context, the context in which
you enter the command switches over.
Note
When you specify the ft switchover command to force a switchover, there may be brief periods of time
when the configuration mode is enabled on the new active group member to allow the administrator to
make configuration changes. However, any configuration changes made during this time are not
synchronized with the standby group member and will exist only on the active group member. We
recommend that you refrain from making any configuration changes after you enter the ft switchover
command until the FT states stabilize to ACTIVE and STANDBY_HOT. After a forced failover of an
active ACE, STANDBY_REAP state occurs on the new standby ACE during the FT transition to the
STANDBY_HOT state. Once the FT group reaches the steady state of ACTIVE and STANDBY_HOT,
any configuration changes performed on the active group member will be dynamically synchronized to
the standby group member, assuming that configuration synchronization is enabled.
Prerequisites
To use the ft switchover command, you must disable preemption by using the no preempt command.
For information on the preempt command, see the Configuring an FT Group section.
Detailed Steps

Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 2
Command: ft group group_id
Example:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#

Step 3
Command: no preempt
Purpose: Disables preemption.
Example:
host1/Admin(config-ft-group)# no preempt

Step 4
Press Ctrl-z

Step 5
Purpose: Causes a switchover.
The keywords, arguments, and options are as follows:
Example:
host1/Admin# ft switchover 1
This command will cause card to switchover
(yes/no)? [no] yes
Bulk config sync: Synchronizes the entire active context configuration to the standby context when
the peer comes up or when autosynchronization is enabled.
Dynamic incremental sync: Synchronizes the configuration applied to the active context to the
standby context if the peer is already up.
Note
When you upgrade from one major release of ACE software to another major release (for example, from
A4(1.0) to A5(1.0)), dynamic incremental sync is disabled while the active ACE is running A4(1.0) and
the standby is running the earlier release (split mode). We recommend that you do not make any
configuration changes during this time and that you do not keep the ACEs in this state for an extended
period of time. However, if you must make configuration changes while the ACEs are in split mode,
ensure that you manually synchronize to the standby ACE any configuration changes that you make on
the active ACE. After you complete the software upgrade of both ACEs, a bulk sync occurs automatically
and dynamic incremental sync will be enabled again.
You can enable automatic synchronization of the running-configuration and the startup-configuration
files after they have been explicitly disabled.
Caution
Toggling ft auto-sync running-config in the Admin context may have undesirable side effects if the
same command is also disabled in an active user context. If ft auto-sync running-config is disabled in
the active Admin context and in an active user context, and you subsequently enable ft auto-sync
running-config in the active Admin context first, the entire configuration of the standby user context
will be lost. Always enable ft auto-sync running-config in the active user context first, and then enable
the command in the active Admin context.
Guidelines and Restrictions
The configurations on both the active context and the standby context must be identical. If there is
a mismatch between configuration objects, then configuration synchronization may fail.
In a redundant configuration, with a large configuration on the active ACE, you may encounter a
lengthy period of time (sometimes up to 4 hours) for the configuration to be applied and
synchronized to the standby ACE.
If the standby ACE has reached the maximum resource limit for a configuration object even if some
of the configuration objects are not in the redundant context and you configure one more object of
the same type in the redundant context of the active ACE, configuration synchronization will fail.
For example, suppose that you have configured two contexts on each ACE (Admin and C1) and the
C1 context is the only one in the FT group. On the standby ACE, you have configured 8,192 match
source-address statements in the Admin context and in the C1 context for a total of 16,384 match
source-address statements (the ACE limit). When you configure one new match source-address
statement on the active ACE in C1, configuration synchronization will fail, the new match statement
will not be replicated to the standby, and syslog ACE-1-727005 is generated.
If you operate the active ACE with config sync disabled for a prolonged period of time, you must
manually duplicate any changes that you make to the active ACE on the standby ACE to ensure that
connection replication works properly.
If a license mismatch occurs between the two ACEs in a redundant configuration, the ft auto-sync
command is automatically disabled and a syslog message is generated.
If you temporarily disable ft auto-sync running-config on the active ACE (for example, to test
changes to your configuration), when you subsequently reenable config sync, any changes that you
made to the active ACE are duplicated on the standby ACE. Note that the standby ACE remains in
the STANDBY_HOT state even when config sync is disabled on the active ACE.
The ACE does not copy or write changes in the running-configuration file to the
startup-configuration file unless you enter the copy running-config startup-config command or the
write memory command for the current context. To write the contents of the running-configuration
file to the startup-configuration file for all contexts, use the write memory all command. At this
time, if the ft auto-sync startup-config command is enabled, the ACE synchronizes the
startup-configuration file on the active ACE to the standby ACE.
The ACE does not synchronize the SSL certificates and key pairs that are present in the active
context with the standby context of an FT group. If the ACE performs a configuration
synchronization and does not find the necessary certificates and keys in the standby context, config
sync fails and the standby context enters the STANDBY_COLD state.
Caution
Do not enter the no inservice command followed by the inservice command on the active
context of an FT group when the standby context is in the STANDBY_COLD state. Doing so
may cause the standby context running-configuration file to overwrite the active context
running-configuration file.
To copy the certificates and keys to the standby context, you must export the certificates and keys
from the active context to an FTP or TFTP server using the crypto export command, and then
import the certificates and keys to the standby context using the crypto import command. For more
information about importing and exporting certificates and keys, see the SSL Guide, Cisco ACE
Application Control Engine.
To return the standby context to the STANDBY_HOT state in this case, ensure that you have
imported the necessary SSL certificates and keys to the standby context, and then perform a bulk
sync of the active context configuration by entering the following commands in configuration mode
in the active context of the FT group:
1. no ft auto-sync running-config
2. ft auto-sync running-config
Detailed Steps

Step 1
Command: config
Example:
host1/C1# config
host1/C1(config)#

Step 2
Command: ft auto-sync {running-config | startup-config}
Example:
host1/C1(config)# ft auto-sync running-config
No form: no ft auto-sync {running-config | startup-config}
Example:
host1/C1(config)# no ft auto-sync running-config
Connections that are already synchronized on the standby are not torn down
If you enable connection replication after a bulk sync occurs, the ACE takes the following actions:
Existing connections are synced in the next periodic cycle (in approximately 3 to 4 minutes)
Sticky replication is disabled by default and you can configure it on a per sticky group basis. The
replicate sticky command takes precedence over the ft connection-sync disable command, so new
client connections can be load balanced to the same server even when connection replication is disabled.
Note the following caveats with stickiness when connection replication is disabled:
The sticky database is not always in sync on the standby. With connection replication disabled,
sticky connections on the active close normally, but on the standby the connections time out
according to the idle timeout setting.
When sticky entries are approaching their expiration time, it is possible to have a zero
active-conns-count on the standby and still have active connections on the active ACE. This
condition can lead to sticky entries that are not present after a switchover.
To reenable connection replication after you have disabled it, enter the following command:
Note
Gateways or hosts
Interfaces
Note
To prevent an unexpected switchover from occurring, we strongly recommend that you disable
preemption while you are configuring tracking. After you configure tracking and before you reenable
preemption, ensure that the tracked network objects are up and operating properly. A switchover may
occur immediately when you reenable preemption. Preemption must be enabled for a tracking
switchover to work. For details about preemption, see the Configuring an FT Group section.
For example, suppose that on ACE 1 you configure the active FT group member with a priority of 100
and on ACE 2 you configure the standby FT group member with a priority of 70. Assume that you
configure the FT group to track three critical interfaces, each with a unit priority of 15. To trigger a
switchover, all three interfaces must fail so that the priority of the active member is less than the priority
of the standby member (100 - 45 = 55).
To illustrate the scenario in which any single tracked item triggers a switchover, assume that the active
and the standby FT group members have the same individual priorities as in the previous example (100
and 70, respectively). However, this time you configure the three tracked interfaces, each with a unit
priority of 40. If any one of the interfaces associated with the active member goes down, then the priority
of the active member falls below the priority of the standby member and a switchover occurs. If that
failed interface later returns to service, the ACE increments the associated group member priority by 40,
and a switchover would occur back to the original active member. To guarantee a switchover if any
tracked item goes down, configure the unit priority on each tracked item equal to the group member's
priority. In this case, you could configure the unit priority to be 100.
This section contains the following topics:
Configuring ACE Module Tracking and Failure Detection for an HSRP Group
If you remove a probe from the active FT group member configuration and you have not configured a
tracking priority for the FT group, the ACE increments the net FT group priority by the priority value of
the deleted probe. You cannot delete a probe from the running-configuration file if the ACE is using the
probe for tracking.
Detailed Steps

Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 2

Step 3
Command: track-host ip_address
IPv6 Example:
host1/Admin(config-ft-track-host)# track-host 2001:DB8:12::/64
IPv4 Example:
host1/Admin(config-ft-track-host)# track-host 192.168.12.101
No form: no track-host ip_address
IPv6 Example:
host1/Admin(config-ft-track-host)# no track-host 2001:DB8:12::/64
IPv4 Example:
host1/Admin(config-ft-track-host)# no track-host 192.168.12.101

Step 4
No form: no probe name
Example:
host1/Admin(config-ft-track-host)# no probe TCP_PROBE1

Step 5
Command: priority number
Example:
host1/Admin(config-ft-track-host)# priority 50
No form: no priority number
Example:
host1/Admin(config-ft-track-host)# no priority 50

Step 6
Example:
host1/Admin(config-ft-track-host)# peer track-host 172.16.27.1
No form:
host1/Admin(config-ft-track-host)# no peer track-host 172.16.27.1

Step 7

Step 8
Example:
host1/Admin(config-ft-track-host)# peer priority 25
No form:
host1/Admin(config-ft-track-host)# no peer priority 25

Step 9
Examples
The following example demonstrates an IPv6 tracking configuration for a gateway on the active member
of an FT group:
ft track host TRACK_GATEWAY
track-host 2001:DB8:100::/64
probe GATEWAY_TRACK1 priority 10
probe GATEWAY_TRACK2 priority 20
priority 50
The following example demonstrates an IPv4 tracking configuration for a gateway on the active member
of an FT group:
ft track host TRACK_GATEWAY
track-host 192.161.100.1
probe GATEWAY_TRACK1 priority 10
probe GATEWAY_TRACK2 priority 20
priority 50
In this configuration example, if the GATEWAY_TRACK1 probe goes down, the ACE reduces the
priority of the FT group on the active member by 10. If the GATEWAY_TRACK2 probe goes down, the
ACE reduces the priority of the FT group on the active member by 20. If both probes go down, the ACE
reduces the priority of the FT group on the active member by 50. If at any time the priority of the FT
group on the active member falls below the priority of the FT group on the standby member, a switchover
occurs.
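The following Python model is added here as an example (it is not code from the Cisco guide); it reproduces the priority arithmetic of the interface-tracking example earlier in this section (active 100, standby 70, three interfaces at unit priority 15 or 40) and of the TRACK_GATEWAY probe example above. The class names, the VLAN names and the ACE1/ACE2 labels are constructed assumptions.

```python
"""Model of Cisco ACE FT group priority tracking and switchover election.

Added example, not code from the Cisco guide. It reproduces the arithmetic the
guide's examples describe: a tracked interface that is down subtracts its unit
priority from the member's FT group priority; a tracked host subtracts each
failed probe's priority, or the host's own priority once every probe is down;
with preempt enabled, a switchover occurs when the active member's priority
falls below the standby member's. Class names and scenarios are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class TrackedInterface:
    name: str
    priority: int        # unit priority subtracted while the interface is down
    up: bool = True

    def decrement(self) -> int:
        return 0 if self.up else self.priority


@dataclass
class TrackedHost:
    """ft track host: per-probe priorities plus the host's own priority."""
    name: str
    priority: int                               # applied once every probe is down
    probes: dict = field(default_factory=dict)  # probe name -> probe priority
    failed: set = field(default_factory=set)    # probes currently down

    def decrement(self) -> int:
        if self.probes and self.failed == set(self.probes):
            return self.priority                # the host itself counts as down
        return sum(self.probes[p] for p in self.failed)


@dataclass
class FtMember:
    name: str
    base_priority: int                          # configured FT group priority
    tracked: list = field(default_factory=list)

    def effective_priority(self) -> int:
        return self.base_priority - sum(t.decrement() for t in self.tracked)


class FtGroup:
    """Two members; election follows the guide's rule with preempt enabled."""

    def __init__(self, active: FtMember, standby: FtMember):
        self.active, self.standby = active, standby
        self.switchovers = 0

    def reelect(self) -> bool:
        """Swap roles when the active member falls below the standby member;
        equal priorities leave the roles unchanged. Returns True on switchover."""
        if self.active.effective_priority() < self.standby.effective_priority():
            self.active, self.standby = self.standby, self.active
            self.switchovers += 1
            return True
        return False

    def set_interface(self, member: FtMember, iface: str, up: bool) -> bool:
        """Mark a tracked interface up or down, then re-run the election."""
        for item in member.tracked:
            if isinstance(item, TrackedInterface) and item.name == iface:
                item.up = up
                return self.reelect()
        raise KeyError(f"{iface} is not tracked by {member.name}")


def items_that_alone_trigger(active: FtMember, standby: FtMember) -> list:
    """Tracked interfaces whose single failure is enough to cause a switchover
    (the guide's rule of thumb: unit priority equal to the member priority)."""
    standby_prio = standby.effective_priority()
    return [item.name for item in active.tracked
            if isinstance(item, TrackedInterface)
            and active.base_priority - item.priority < standby_prio]


def run_interface_events(unit_priority: int, events: list) -> list:
    """The guide's scenario: ACE1 active at 100, ACE2 standby at 70, ACE1
    tracking three interfaces (constructed names) at the given unit priority.
    Applies (interface, up) events in order and returns, after each event,
    (ACE1's effective priority, name of the active member)."""
    ace1 = FtMember("ACE1", 100, [TrackedInterface(f"vlan{n}", unit_priority)
                                  for n in (10, 20, 30)])
    group = FtGroup(ace1, FtMember("ACE2", 70))
    history = []
    for iface, up in events:
        group.set_interface(ace1, iface, up)
        history.append((ace1.effective_priority(), group.active.name))
    return history


def gateway_decrement(failed_probes) -> int:
    """The guide's ft track host TRACK_GATEWAY example: GATEWAY_TRACK1 at 10,
    GATEWAY_TRACK2 at 20, host priority 50. Returns the decrement applied."""
    host = TrackedHost("TRACK_GATEWAY", 50,
                       {"GATEWAY_TRACK1": 10, "GATEWAY_TRACK2": 20})
    host.failed = set(failed_probes)
    return host.decrement()
```

With unit priority 15 the first two failures leave ACE1 at 85 and 70 (a tie does not switch over) and only the third brings it to 55; with unit priority 40 a single failure switches over and the recovery switches back.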
You cannot delete an interface if the ACE is using the interface for tracking. Also, you cannot configure
the FT VLAN for tracking.
Detailed Steps

Step 1
Command: config
Example:
host1/Admin# config
host1/Admin(config)#

Step 2
Example:
host1/Admin(config)# ft track interface TRACK_VLAN100
host1/Admin(config-ft-track-intf)#
Purpose: For the name argument, enter a unique identifier for the tracking process as an unquoted text
string with no spaces and a maximum of 64 alphanumeric characters. This command enters the FT track
interface configuration mode.

Step 3
Example:
host1/Admin(config)# no ft track interface TRACK_VLAN100

Step 4
Example:
host1/Admin(config-ft-track-intf)# no track-interface vlan 100

Step 5
Command: priority number
Example:
host1/Admin(config-ft-track-intf)# priority 50
No form: no priority number
Example:
host1/Admin(config-ft-track-intf)# no priority 50

Step 6
Example:
host1/Admin(config-ft-track-intf)# no peer track-interface vlan 200

Step 7

Step 8
Examples
The following example demonstrates a tracking configuration for an interface on the active member of
an FT group and configures the interface that you want the standby member to track:
ft track interface TRACK_VLAN100
track-interface vlan 100
priority 50
In this configuration example, if VLAN 100 goes down, then the ACE reduces the priority of the FT
group on the active member by 50. If at any time the priority of the FT group on the active member falls
below the priority of the FT group on the standby member, a switchover occurs.
Configuring ACE Module Tracking and Failure Detection for an HSRP Group
This section applies to the ACE module only and describes how to configure a tracking and failure
detection process for a Hot Standby Router Protocol (HSRP) group that you have previously configured
on the Catalyst 6500 services supervisor engine or the Cisco 7600 series router. The ACE module does
not support HSRP tracking and failure detection for IPv6.
Guidelines and Restrictions
When you configure HSRP tracking on the FT group member and the HSRP group does not exist on
the supervisor engine, the ACE module marks the tracking process as TRACK_DOWN and
automatically decrements the net priority of the FT group by the tracking priority value.
Prerequisites
For best results, observe the following configurational requirements before you attempt to configure
HSRP tracking and failure detection on the ACE module:
Before you configure an HSRP tracking and failure detection process on the ACE module, you
must configure the HSRP group on the supervisor engine. For example, if the HSRP group
(including the name) is configured on the supervisor engine and it is not in the Active or the
Standby state, you will see the following output when you enter the show ft track detail
command on the ACE module:
Track type      : TRACK_HSRP
HSRP Group Name : test
State           : TRACK_DOWN (HSRP Group does not exist on the Supervisor or it is in the INIT State)
Priority        : 20
Transitions     : 1
For example, if the HSRP group is in the Standby state, you will see the following output when
you enter the show ft track detail command on the ACE module:
Track type      : TRACK_HSRP
HSRP Group Name : test
State           : TRACK_DOWN (HSRP Group is Standby on the Supervisor)
Priority        : 20
Transitions     : 1
For example, if the HSRP group is in the Active state, you will see the following output when
you enter the show ft track detail command on the ACE module:
Track type      : TRACK_HSRP
HSRP Group Name : test
State           : TRACK_UP
Priority        : 20
Transitions     : 2
If the HSRP group (including the name) is configured on the supervisor engine after the HSRP
tracking process is initially configured on the ACE module, you may or may not obtain the
expected results when you enter the show ft track detail command on the ACE module.
If the HSRP group name is changed on the supervisor engine after the HSRP tracking process
is configured on the ACE module, further state notifications will not be sent to the ACE module.
You must delete the HSRP tracking process on the ACE module after the HSRP group name is
changed on the supervisor engine.
To obtain the correct HSRP group identifier to use for tracking on the ACE module, enter the show
standby vlan command on the Catalyst 6500 series switch or 7600 series router.
For example, enter the following command:
sh-ace-6k-1# show standby vlan 120
Vlan120 - Group 120
  Local state is Active, priority 200, may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 2.022
  Virtual IP address is 192.168.120.254 configured
  Active router is local
  Standby router is 192.168.120.252 expires in 8.360
  Virtual mac address is 0000.0c07.ac78
  7 state changes, last state change 21:54:53
  IP redundancy name is "hsrp-Vl120-120" (default)
  Priority tracking 1 interface or object, 1 up:
  Interface or object        Decrement  State
  GigabitEthernet4/35        110        Up
Use the IP redundancy name (the value on the IP redundancy name line of the output above, hsrp-Vl120-120 in this example) as the HSRP group name. The switch or router automatically assigns this name to the HSRP group.
Detailed Steps

Step 1
Command: config
Purpose: Enters configuration mode.
Example:
host1/Admin# config
host1/Admin(config)#

Step 2
Command: ft track hsrp tracking_process_name
Purpose: Creates the HSRP tracking process named by the tracking_process_name argument and enters ft track hsrp configuration mode (note the prompt change in the example).
Example:
host1/Admin(config)# ft track hsrp HSRP_TRACK_PROCESS1
host1/Admin(config-ft-track-hsrp)#

Command: no ft track hsrp tracking_process_name
Purpose: Removes the tracking process.
Example:
host1/Admin(config)# no ft track hsrp HSRP_TRACK_PROCESS1

Step 3
Command: track-hsrp name
Purpose: For the name argument, enter the identifier of an HSRP group previously configured on the Catalyst supervisor that you want to track on the active member (see the last bullet in the Prerequisites section). Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The ACE module allows you to track up to 250 HSRP groups.
Example:
host1/Admin(config-ft-track-hsrp)# track-hsrp hsrp-vl120-120

Command: no track-hsrp name
Purpose: Removes the HSRP group from the tracking process on the active member.
Example:
host1/Admin(config-ft-track-hsrp)# no track-hsrp hsrp-vl120-120

Step 4
Command: priority number
Purpose: Assigns a priority to the HSRP group that you are tracking on the active member of an FT group. For the number argument, enter the priority of the HSRP group as an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the HSRP group that you are tracking. If the HSRP group goes down, the ACE module decrements the priority of the FT group on the active member by the value of the number argument. If the priority of the FT group on the active member falls below the priority of the FT group on the standby member, a switchover occurs.
Example:
host1/Admin(config-ft-track-hsrp)# priority 50

Command: no priority number
Purpose: (Optional) Resets the priority to the default value of 0.
Example:
host1/Admin(config-ft-track-hsrp)# no priority 50

Step 5
Command: peer track-hsrp name
Purpose: For the name argument, enter the identifier of an HSRP group previously configured on the supervisor engine that you want to track on the standby member of an FT group (see the last bullet in the Prerequisites section). Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Example:
host1/Admin(config-ft-track-hsrp)# peer track-hsrp HSRP_GRP1

Command: no peer track-hsrp name
Purpose: Removes the HSRP group from the tracking process on the standby member.
Example:
host1/Admin(config-ft-track-hsrp)# no peer track-hsrp HSRP_GRP1

Step 6
Command: peer priority number
Purpose: Assigns a priority to the HSRP group that you are tracking on the standby member of an FT group. For the number argument, enter the priority of the HSRP group as an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the HSRP group that you are tracking. If the HSRP group goes down, the ACE module decrements the priority of the FT group on the standby member by the value of the number argument.
Example:
host1/Admin(config-ft-track-hsrp)# peer priority 25

Command: no peer priority number
Purpose: (Optional) Resets the priority to the default value of 0.
Example:
host1/Admin(config-ft-track-hsrp)# no peer priority 25
Examples
The following example demonstrates a tracking configuration for an HSRP group on the active member
of an FT group and identifies an HSRP group that you want to track on the standby member of the FT
group:
ft track hsrp TRACK_HSRP_GRP1
track-hsrp HSRP_GRP1
priority 50
peer track-hsrp HSRP_GRP1
peer priority 25
In the configuration example, if the HSRP_GRP1 group goes down, the ACE module reduces the priority
of the FT group on the active member by 50. If at any time the priority of the FT group on the active
member falls below the priority of the FT group on the standby member, a switchover occurs.
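The priority arithmetic above (configured FT group priority minus the priority of every tracked object that is down, compared between the active and standby members) is easy to misjudge once more than one object is tracked or the same HSRP group is down on both chassis. The following Python script is an added illustration, not part of the ACE software or of this guide. It parses the Field : Value layout of the show ft track detail output shown earlier in this section and computes the net priority on each member. The two show outputs, the configured FT group priorities (200 on the active member, as in the IPv4 example later in this chapter, and 160 on the standby member) and the HSRP group name HSRP_GRP1 are constructed values.

```python
"""Compute FT net priority from 'show ft track detail' output.

Added illustration, not ACE code. Assumes the 'Field : Value' layout of the
show ft track detail output; the sample outputs below are constructed,
not captured from a device.
"""
import re
from dataclasses import dataclass

# Constructed sample: output on the active member. The tracked HSRP group is
# Standby on this chassis's supervisor, so the track is down and its
# priority (50, as in the configuration example above) is subtracted.
ACTIVE_SHOW = """\
Track type       : TRACK_HSRP
HSRP Group Name  : HSRP_GRP1
State            : TRACK_DOWN (HSRP Group is Standby on the Supervisor)
Priority         : 50
Transitions      : 1
"""

# Constructed sample: output on the standby member (peer priority 25).
STANDBY_SHOW = """\
Track type       : TRACK_HSRP
HSRP Group Name  : HSRP_GRP1
State            : TRACK_UP
Priority         : 25
Transitions      : 2
"""


@dataclass
class Track:
    track_type: str
    name: str
    state: str      # TRACK_UP or TRACK_DOWN (reason text stripped)
    priority: int   # decrement applied to the FT group while the track is down


_FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.*)$")


def _to_track(fields: dict) -> Track:
    # 'State' carries an explanatory suffix when down, for example
    # 'TRACK_DOWN (HSRP Group is Standby on the Supervisor)'; keep the keyword only.
    state = fields.get("State", "").split()[0] if fields.get("State") else ""
    name = next((v for k, v in fields.items() if k.endswith("Name")), "")
    return Track(fields.get("Track type", ""), name, state, int(fields.get("Priority", "0")))


def parse_ft_track_detail(text: str) -> list[Track]:
    """One Track per blank-line-separated record of the show output."""
    tracks, fields = [], {}
    for raw in text.splitlines() + [""]:     # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if fields:
                tracks.append(_to_track(fields))
                fields = {}
            continue
        m = _FIELD.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return tracks


def net_priority(configured: int, tracks: list[Track]) -> int:
    """Configured FT group priority minus the priority of every failed track."""
    return configured - sum(t.priority for t in tracks if t.state == "TRACK_DOWN")


def switchover_expected(active_cfg: int, active_tracks: list[Track],
                        standby_cfg: int, standby_tracks: list[Track]) -> bool:
    """True when the active member's net priority falls below the standby's."""
    return net_priority(active_cfg, active_tracks) < net_priority(standby_cfg, standby_tracks)


if __name__ == "__main__":
    active = parse_ft_track_detail(ACTIVE_SHOW)
    standby = parse_ft_track_detail(STANDBY_SHOW)
    # Assumed configured priorities: 200 on the active member, 160 on the standby.
    print("active net priority :", net_priority(200, active))    # 200 - 50 = 150
    print("standby net priority:", net_priority(160, standby))   # 160 - 0  = 160
    print("switchover expected :", switchover_expected(200, active, 160, standby))
```

Running the script with both members reporting TRACK_DOWN (for example, the group deleted from both supervisors) gives 150 against 135, so no switchover occurs even though the tracked object is down everywhere; the comparison, not the failure itself, drives the switchover.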
Displaying FT Statistics

show running-config ft
Displays the redundancy (FT) portion of the running configuration.

Displays the commands that fail on the standby ACE during bulk synchronization in a redundant configuration, per context. If all commands succeed on the standby ACE, the command displays the following message:
No bulk config apply errors
In the Admin context, the optional context_name argument is the name of a user context. If you do not enter the argument, the command uses the Admin context. In a user context, this argument is not available.
show ft group
Displays redundancy statistics per context. Table 6-2 describes the fields in the show ft group command output.
The keywords, arguments, and options are as follows:
brief: Displays the group ID, local state, peer state, context name, context ID, and configuration synchronization status of all the FT groups that are configured in the ACE.

Table 6-2 (fields in the show ft group command output)

FT Group: FT group identifier.
No. of Contexts:
Context Name:
Context ID:
Configured Status: Configured state of the FT group. Possible states are in-service or out-of-service.
Maintenance Mode: Current maintenance mode of the local context in an FT group. Applications can turn on maintenance mode when there is an inability to communicate with the peer, license mismatches, too many application errors, and so on. Possible states are as follows:
My State: State of the FT group member in the local ACE. Possible states are as follows:
  FSM_FT_STATE_INIT: Configuration for the FT group exists but the group is not in service. This is the initial state for each member (local and peer) of an FT group.
My Config Priority:
My Net Priority: Priority of the FT group, equal to the configured priority minus the priority of the FT tracking failures, if any.
My Preempt: Preemption value of the FT group in the local ACE. Possible values are Enabled or Disabled.
Peer State: State of the FT group in the remote ACE. For possible state values, see the My State field description.
Peer Net Priority: Priority of the FT group in the remote ACE, computed from the configured priority and the priority of the FT tracking failures.
Peer Preempt: Preemption value of the FT group in the remote ACE. Possible values are Enabled or Disabled.
Peer ID: FT peer identifier.
Last State Change Time: Time and date that the peer last changed from the active to standby state, or standby to active state.
Running Cfg Sync Enabled: Configured state of config sync for the running-config. Possible values are Enabled or Disabled.
Running Cfg Sync Status: Current status of config sync for the running-config. For example, Running configuration sync has completed or Config sync disabled when peer is not fully CLI compatible.
Startup Cfg Sync Enabled: Configured state of config sync for the startup-config. Possible states are Enabled or Disabled.
Startup Cfg Sync Status: Current status of config sync for the startup-config. For example, Startup configuration sync is disabled or Config sync disabled when peer is not fully CLI compatible.
Bulk Sync Done for ARP: Number of bulk synchronization done messages received on the standby ACE during state synchronization from the ARP module in the control plane.
Bulk Sync Done for LB: Number of bulk synchronization done messages received on the standby ACE during state synchronization from the load balancer (LB) module in the data plane.
Bulk Sync Done for ICM: Number of bulk synchronization done messages received on the standby ACE during state synchronization from the ICM input connection manager module in the data plane.
show ft idmap
Displays the IDMAP table. Table 6-3 lists the IDMAP table object types available in the ACE.

Table 6-3 (IDMAP table object types)

Object Type:
REAL ID
RSERVER ID
SERVERFARM ID
POLICY ID
STICKY GROUP ID
IF ID
CONTEXT ID
show ft peer
Displays redundancy statistics per context. Table 6-4 describes the fields in the show ft peer command output.
The keywords and arguments are as follows:

Table 6-4 (fields in the show ft peer command output)

Peer ID:
State:
  FSM_PEER_STATE_ERROR: Status of whether an error has occurred with the peer. Possible errors are version mismatch, license mismatch, or failure to establish a TCP connection to the peer. A syslog message appears with more detailed information.
Maintenance Mode: Current maintenance mode of the peer context in an FT group. Applications can turn on maintenance mode when there is an inability to communicate with the peer, license mismatches, too many application errors, and so on. Possible states are as follows:
  MAINT_MODE_FULL: All contexts on the ACE become nonredundant, causing their peer contexts to become active. The ACE enters this mode just before you reboot the ACE; it is used primarily when you upgrade the ACE software.
FT VLAN:
FT VLAN IF State:
My IP Addr:
Peer IP Addr:
Query VLAN: Identifier of the interface that is configured as the query VLAN, or Not Configured.
Query VLAN IF State: Current status of the Query VLAN interface (if configured). Possible states are UP or DOWN.
Peer Query IP Addr: IP address of the query interface used to obtain the state of the peer's health when the FT VLAN is down.
Heartbeat Interval: Time in milliseconds that the ACE waits between sending heartbeat packets (the configuration example later in this chapter uses 300).
Heartbeat Count: Number of missed heartbeats that an ACE must detect before declaring the peer down.
Tx Packets: Total number of packets that the local ACE sent to the peer.
Tx Bytes: Total number of bytes that the local ACE sent to the peer.
Rx Packets: Total number of packets that the local ACE received from the peer.
Rx Bytes: Total number of bytes that the local ACE received from the peer.
Rx Error Bytes: Total number of error bytes that the local ACE received from the peer.
Tx Keepalive Packets: Total number of keepalive packets that the local ACE sent to the peer.
Rx Keepalive Packets: Total number of keepalive packets that the local ACE received from the peer.
TL_CLOSE Count: Number of Transport Layer close events (TL_CLOSE) received on the redundant TCP connection from the TL driver.
FT_VLAN_DOWN Count:
PEER_DOWN Count:
SRG Compatibility: Status of whether the software version of the local ACE and the software version of the peer ACE are compatible. Possible states are INIT, COMPATIBLE, or INCOMPATIBLE.
License Compatibility: Status of whether the license of the local ACE and the license of the peer ACE are compatible. Possible states are INIT, COMPATIBLE, or INCOMPATIBLE.
FT Groups: Number of FT groups.
Displaying FT Statistics

To display peer information, perform the following task:

show ft stats [group_id]
Displays peer information. Table 6-5 describes the fields in the show ft stats command output. The group_id argument displays additional load-balancing statistics (LB statistics) for the specified group.

Table 6-5 (fields in the show ft stats command output)

HA Heartbeat Statistics
Number of Heartbeats Sent:
Number of Heartbeats Received:
Number of Heartbeats Missed:
Number of Unidirectional HBs Received: Number of heartbeats (HBs) received by the local peer that indicate the remote peer is not receiving HBs. The remote peer is sending heartbeats, but not receiving any.
  Note: Both peer ACEs send heartbeat packets and each packet indicates whether the other peer has been receiving heartbeats.
Number of HB Timeout Mismatches: Number of times that the local peer received a heartbeat (HB) from the remote peer with a mismatched heartbeat interval. If the heartbeat intervals do not match, a peer adjusts its interval to the lower of the two intervals.
  Note: The heartbeat interval should be the same on both peer ACEs. Each heartbeat packet contains the configured interval in the packet. When a peer receives a heartbeat packet, it checks to see if the interval in the heartbeat packet matches the interval configured locally.
Num of Peer Up Events Sent: Number of times that the local ACE sent a Peer Up message to the remote ACE.
Num of Peer Down Events Sent: Number of times that the local ACE sent a Peer Down message to the remote ACE.

Send-side Stats
Number of Sticky Entries Sent: Number of sticky database entries that the local ACE sent to the remote ACE.
Number of Replication Packets Sent: Number of packets that contain replication information that the local ACE sent to the remote ACE.
Number of Send Failures: Number of times that the local ACE attempted to send packets to the remote ACE but failed.

Receive-side Stats
Number of Sticky Entries Dropped: Number of sticky database entries that the remote ACE sent to the local ACE, but the local ACE discarded them.
Number of Replication Packets Received: Number of packets that contain replication information that the local ACE received from the remote ACE.
Number of Receive Failures: Number of times that the remote ACE sent packets to the local ACE, but the local ACE failed to receive them.
show ft track
Displays tracking information. Table 6-6 describes the fields in the show ft track command output.
The keywords are as follows:

Table 6-6 (fields in the show ft track command output)

FT Group: FT group identifier.
Status: Configured state of the FT group. Possible states are in-service or out-of-service.
Maintenance Mode: Current maintenance mode of the local context in an FT group. Applications can turn on maintenance mode when there is an inability to communicate with the peer, license mismatches, too many application errors, and so on. Possible states are as follows:
My State: State of the FT group member in the local ACE. Possible states are as follows:
  FSM_FT_STATE_INIT: Initial state for each member (local and peer) of an FT group. The configuration for the FT group exists but the group is not yet in service.
  FSM_FT_STATE_ELECT: State that the local group member enters when you configure the inservice command for an FT group. Through the election process, the local context negotiates with its peer context in the FT group to determine their states. One member enters the ACTIVE state and the other member enters the STANDBY_CONFIG state.
  FSM_FT_STATE_ACTIVE: State that indicates that the local member of the FT group is active and processing flows.
  FSM_FT_STATE_STANDBY_HOT: State that indicates that the local standby context has all the state information it needs to statefully assume the active state if a switchover occurs.
My Config Priority:
My Net Priority: Priority of the FT group, equal to the configured priority minus the priority of the FT tracking process failures, if any.
My Preempt: Preemption value of the FT group in the local ACE. Possible values are Enabled or Disabled.
Context Name:
Context ID:
Track Type: Type of object being tracked. Possible values are TRACK_HOST, TRACK_HSRP (ACE module only), or TRACK_INTERFACE.
HSRP Group Name: (ACE module only) Identifier of the HSRP group that is configured on the Catalyst 6500 series switch that you are tracking.
State:
Priority:
Transitions: Number of times that the active member of the FT group switched over to the standby member.
Probe Count:
Probes Down:
If you configure redundancy on the ACE, then you must explicitly clear statistics on both the active and
the standby ACEs. Clearing statistics on the active ACE only does not clear the statistics on the standby
ACE.
clear ft ha-stats
Clears the following transport layer-related counters that the ACE displays as part of the show ft peer detail command output:
Tx Packets
Tx Bytes
Rx Packets
Rx Bytes
Rx Error Bytes
For an explanation of these fields, see the Displaying Peer Information section.

clear ft hb-stats
Clears the heartbeat (HB) counters.

Clears tracking-related statistics for the Admin FT group only, a user context FT group only, or for all FT groups that are configured in the ACE. Use the optional all keyword in the Admin context only to clear tracking statistics for all FT groups that are configured in the ACE. If you enter this command in the Admin context without the all keyword, it clears the tracking statistics only for the FT group associated with the Admin context. In a user context, you cannot enter the all keyword, so you can clear the tracking statistics only for the FT group associated with the user context.

clear ft all
Clears all redundancy statistics, including all TL, heartbeat, and tracking counters. This command does not affect the redundancy history. To clear the redundancy history, use the clear ft history command. For details, see the Clearing the Redundancy History section.
Note
A dedicated FT VLAN for communication between the members of an FT group. You must
configure this same VLAN on both peer ACEs.
An FT peer definition.
IPv6 Example

(ACE module only) The redundancy configuration appears in the ACE module example that follows:

hostname ACE_Module_1
access-list ACL1 line 10 extended permit ip any any
class-map
  2 match
  3 match
  4 match
  5 match
  7 match
  8 match

IPv4 Example

(ACE module only) The redundancy configuration is the ft interface, ft peer, ft group, and ft track sections of the ACE module example that follows:

hostname ACE_Module_1
access-list ACL1 line 10 extended permit ip any any
class-map
  2 match
  3 match
  4 match
  5 match
  7 match
  8 match
class L4_REMOTE-MGT_CLASS
  permit
interface vlan 100
  ip address 192.168.83.219 255.255.255.0
  peer ip address 192.168.83.230 255.255.255.0
  alias 192.168.83.200 255.255.255.0
  access-group input ACL1
  service-policy input L4_REMOTE-MGT_POLICY
  no shutdown
ft interface vlan 200
  ip address 192.168.1.1 255.255.255.0
  peer ip address 192.168.1.2 255.255.255.0
  no shutdown
ft peer 1
  ft-interface vlan 200
  heartbeat interval 300
  heartbeat count 10
ft group 1
  peer 1
  priority 200
  associate-context Admin
  inservice
ft track interface TRACK_VLAN100
  track-interface vlan 100
  peer track-interface vlan 200
  priority 50
  peer priority 5
ip route 0.0.0.0 0.0.0.0 192.168.83.1
IPv6 Example

(ACE appliance only) The redundancy configuration appears in the ACE appliance example that follows:

hostname ACE_Appliance_1
interface gigabitEthernet 1/2
  speed 1000M
  duplex FULL
  ft-port vlan 200
  qos trust cos
  no shutdown
access-list ACL1 line 10 extended permit ip any any
class-map
  2 match
  3 match
  4 match
  5 match
  7 match
  8 match

IPv4 Example

(ACE appliance only) The redundancy configuration appears in the ACE appliance example that follows:

hostname ACE_Appliance_1
interface gigabitEthernet 1/2
  speed 1000M
  duplex FULL
  ft-port vlan 200
  no shutdown
access-list ACL1 line 10 extended permit ip any any
class-map
  2 match
  3 match
  4 match
  5 match
  7 match
  8 match
Chapter 7
Configuring SNMP

Note
The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted.

This chapter describes how to configure Simple Network Management Protocol (SNMP) to query the ACE for Cisco Management Information Bases (MIBs) and to send event notifications to a network management system (NMS).

This chapter contains the following major sections:
Configuring SNMP

Message integrity: Ensures that a packet has not been tampered with in transit.
Encryption: Scrambles the packet contents to prevent them from being seen by unauthorized sources.
The manager monitors and controls all other SNMP-managed devices (network nodes) in the network. At least one SNMP manager must be in a managed network. The manager is installed on a workstation somewhere in the network.

An agent resides in a managed device (a network node). An agent is a specialized software module that receives instructions from the SNMP manager and also sends management information back to the SNMP manager as events occur. For example, an agent might report such data as the number of bytes and packets in and out of the device or the number of broadcast messages sent and received.

There are many different SNMP management applications, but they all perform the same basic task. These applications allow SNMP managers to communicate with agents to monitor, configure, and receive alerts from the network devices. The ACE supports traps and SNMP get requests but does not support SNMP set requests to configure values on the device. You can use any SNMP-compatible NMS to monitor the ACE.

In SNMP, each variable is referred to as a managed object. A managed object is anything that an agent can access and report back to the NMS. All managed objects are contained in the MIB, which is a database of the managed objects called MIB objects. Each MIB object controls one specific function, such as counting how many bytes are transmitted through an agent's port. The MIB object consists of MIB variables, which define the MIB object name, description, and default value. The ACE maintains a database of values for each definition.

Browsing a MIB entails issuing an SNMP get request from the NMS. You can use any SNMPv3, MIB-II compliant browser to receive SNMP traps and browse MIBs.
Information About SNMP

the agent, such as the number of users logged on to the agent device, or the status of a critical process on that device. The agent gets the value of the requested MIB object and sends the value back to the manager (a get-response operation). The variable binding (varbind) is a list of MIB objects that allows a request recipient to see what the originator wants to know. Variable bindings are object identifier (OID)=value pairs that make it easy for the NMS to identify the information that it needs when the recipient fills the request and sends back a response.

Retrieve the value immediately after the variable that you name (a get-next operation). A get-next operation retrieves a group of values from a MIB by issuing a sequence of commands. By performing a get-next operation, you do not need to know the exact MIB object instance that you are looking for; the SNMP manager takes the variable that you name and then uses a sequential search to find the desired variables.

Retrieve a number of values (a get-bulk operation). The get-bulk operation retrieves large blocks of data, such as multiple rows in a table, which would otherwise require the transmission of many small blocks of data. The SNMP manager performs a number of get-next operations that you specify.
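To make the get, get-next and get-bulk operations concrete, here is a small in-memory agent written in Python. It is an added example, not ACE or NMS code, and the managed-object table it holds is constructed (a handful of sysUpTime, ifDescr and ifOperStatus instances with made-up values). Beyond what the text says, it shows two things a walker must get right: OIDs are ordered numerically sub-identifier by sub-identifier, not as strings, or a walk misorders instances such as ifDescr.9 and ifDescr.10; and a subtree walk has to stop when get-next returns an OID outside the subtree, because get-next itself only stops at the end of the MIB.

```python
"""get, get-next and get-bulk over an in-memory MIB (RFC 3416 semantics).

Added example, not ACE or NMS code. The managed-object table is constructed:
a subset of sysUpTime / ifDescr / ifOperStatus under 1.3.6.1.2.1 with
made-up values.
"""
from typing import Optional

OID = tuple[int, ...]


def parse_oid(s: str) -> OID:
    # Compare OIDs as tuples of integers: as strings, "...2.2.1.2.10" sorts
    # before "...2.2.1.2.9", which is the classic walk bug.
    return tuple(int(x) for x in s.strip(".").split("."))


def fmt_oid(o: OID) -> str:
    return "." + ".".join(str(x) for x in o)


# Constructed managed-object table (OID -> value), deliberately listed out of
# order and with a two-digit instance to exercise numeric ordering.
_RAW_MIB = {
    ".1.3.6.1.2.1.2.2.1.2.10": "vlan100",   # ifDescr.10
    ".1.3.6.1.2.1.1.3.0": 123456,           # sysUpTime.0
    ".1.3.6.1.2.1.2.2.1.2.9": "vlan200",    # ifDescr.9
    ".1.3.6.1.2.1.2.2.1.8.9": 1,            # ifOperStatus.9  = up
    ".1.3.6.1.2.1.2.2.1.8.10": 2,           # ifOperStatus.10 = down
}
MIB = sorted((parse_oid(k), v) for k, v in _RAW_MIB.items())


def get(oid: str):
    """get: exact-match lookup; None stands in for noSuchInstance."""
    target = parse_oid(oid)
    for o, v in MIB:
        if o == target:
            return v
    return None


def get_next(oid: str) -> Optional[tuple[str, object]]:
    """get-next: first object strictly after the requested OID; None = endOfMibView."""
    target = parse_oid(oid)
    for o, v in MIB:
        if o > target:
            return fmt_oid(o), v
    return None


def get_bulk(oid: str, max_repetitions: int) -> list[tuple[str, object]]:
    """get-bulk (non-repeaters = 0): up to max_repetitions chained get-next results."""
    out, cur = [], oid
    for _ in range(max_repetitions):
        nxt = get_next(cur)
        if nxt is None:
            break
        out.append(nxt)
        cur = nxt[0]
    return out


def walk(subtree: str) -> list[tuple[str, object]]:
    """Walk a subtree with get-next, stopping as soon as a result leaves it."""
    prefix = parse_oid(subtree)
    out, cur = [], subtree
    while True:
        nxt = get_next(cur)
        if nxt is None or parse_oid(nxt[0])[:len(prefix)] != prefix:
            return out
        out.append(nxt)
        cur = nxt[0]


if __name__ == "__main__":
    for o, v in walk(".1.3.6.1.2.1.2.2.1.2"):     # ifDescr column
        print(o, "=", v)
    print(get_bulk(".1.3.6.1.2.1", 3))
```

Since the ACE answers only get, get-next and get-bulk (no set), these three operations are the entire read surface an NMS has against it; an NMS that walks with string-ordered OIDs will silently miss or duplicate rows in exactly the tables (ifTable, the SLB tables) that matter for monitoring.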
An agent can send an unsolicited message to the SNMP manager at any time if a significant, predetermined event takes place on the agent. This message is called an event notification. SNMP event notifications (traps or inform requests) are included in many MIBs and help to alleviate the need for the NMS to frequently poll (gather information through a get operation) the managed devices. For details on MIB objects and SNMP notifications supported by the ACE, see the following sections:
ACE Module Supported MIBs
ACE Appliance Supported MIBs
ACE Supported and Unsupported Tables and Objects
ACE SNMP Notifications (Traps)
Note
The clogOriginID and clogOriginIDType variable bindings appended to each notification can be used by the NMS application to uniquely identify the device originating the trap. You can configure the values for the clogOriginID and clogOriginIDType varbinds to uniquely identify the device by using the logging device-id configuration mode command. For details on the logging device-id command, see the System Message Guide, Cisco ACE Application Control Engine.

Use the SNMP-TARGET-MIB to obtain more information on trap destinations and inform requests.

For details on SNMP notifications supported by the ACE, see the ACE SNMP Notifications (Traps) section.

If you delete a user by using the no username command, the user is also deleted from both SNMP and the CLI. However, if you delete a user by using the no snmp-server user command, the user is deleted only from SNMP and not from the CLI.

Note
When you specify a password in a localized key or encrypted format for security encryption, the password is not synchronized.

The password specified in the username command is synchronized as the auth and priv passwords for the SNMP user.

Existing SNMP users can continue to retain the auth and priv information without any changes.

If you create a new user that is not present in the SNMP database by using the username command without a password, the SNMP user is created with the noAuthNoPriv security level.

For information about creating a CLI user by using the username command, see the Virtualization Guide, Cisco ACE Application Control Engine. To create an SNMP user by using the snmp-server user command, see the Configuring SNMP Users section.
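The note that a password given in localized-key form is not synchronized follows from how SNMPv3 USM derives keys (RFC 3414, Appendix A.2): the password is first hashed into a key Ku, and Ku is then localized to the agent's snmpEngineID, so the stored key is specific to one engine and a peer with a different engine ID cannot authenticate with it. The following Python is an added example, not ACE code. It reproduces the derivation with hashlib only, using the RFC 3414 Appendix A.3 test vector (password maplesyrup, engine ID 000000000000000000000002) plus a second, constructed engine ID to show that the localized key changes.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414, A.2).

Added example, not ACE code. Test vector: RFC 3414 Appendix A.3.
The second engine ID below is constructed, not taken from any device.
"""
import hashlib

_EXPANDED_LEN = 1_048_576   # RFC 3414 repeats the password to exactly 1 MiB


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: digest of the password repeated to 1,048,576 octets (md5 or sha1)."""
    if not password:
        raise ValueError("empty password")
    reps = _EXPANDED_LEN // len(password) + 1
    expanded = (password * reps)[:_EXPANDED_LEN]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algo: str = "md5") -> str:
    """Convenience wrapper: password and hex engine ID in, hex localized key out."""
    ku = password_to_key(password.encode(), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


if __name__ == "__main__":
    eid_rfc = "000000000000000000000002"    # RFC 3414 A.3 test engine ID
    eid_peer = "80000009030000123456ab"     # constructed engine ID of a hypothetical peer
    print("MD5 Kul, RFC engine :", localized_key_hex("maplesyrup", eid_rfc))
    print("SHA Kul, RFC engine :", localized_key_hex("maplesyrup", eid_rfc, "sha1"))
    # Same password, different engine: a different localized key. Copying the
    # localized form between peers therefore yields a key the peer cannot use.
    print("MD5 Kul, peer engine:", localized_key_hex("maplesyrup", eid_peer))
```

The practical consequence for a redundant pair is the one the note states: give the username command the plaintext password and let the ACE localize it on each member, or provision the SNMP user separately on each peer; a localized key copied from one engine is simply wrong on the other.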
Note
The maximum SNMP object identifier (OID) length supported by the ACE is 128 characters. If the SNMP OID exceeds this maximum, the ACE displays the error Next OID length is greater than permissible.

The following list contains object names:
Context name
Probe name
ACL name

Table 7-1 identifies a list of tables that have more than one string index.

Table 7-1 (tables with more than one string index)

CISCO-ENHANCED-SLB-MIB.my
  Table: cesRserverProbeTable
  String indices: cesRserverName, cesRserverProbeName

CISCO-ENHANCED-SLB-MIB.my
  Table: cesServerFarmRserverTable
  String indices: slbServerFarmName, cesRserverName

CISCO-SLB-EXT-MIB.my
  Table: cslbxServerFarmProbeFarmName
  String indices: cslbxServerFarmProbeFarmName, cslbxServerFarmProbeTableName

CISCO-SLB-HEALTH-MON-MIB.my
  Table (ACE module): cslbxProbeHeaderCfgTable
  String indices: cslbxProbeHeaderProbeName, cslbxProbeHeaderFieldName
  Table (ACE appliance): cshMonServerfarmRealProbeStatsTable
  String indices: cslbxProbeName, slbServerFarmName, cshMonServerfarmRealServerName
Note
The maximum SNMP object identifier (OID) length supported by the ACE module is 128 characters. If the SNMP OID exceeds this maximum, the ACE displays the error Next OID length is greater than permissible.

Table 7-2 MIB Support

Each entry lists the supported MIB, its capability MIB, and a description.

CISCO-ENTITY-VENDORTYPE-OID-MIB
  Capability MIB: N/A
  Description: cevCat6kAce30K9 (cevModuleCat6000Type120). Sensors: Inlet Temperature, cevSensorModuleInletTemp (cevSensor 36); Outlet Temperature, cevSensorModuleOutletTemp (cevSensor 35); other device temperature sensors, cevSensorModuleDeviceTemp (cevSensor 31).

ENTITY-MIB
  Capability MIB: CISCO-ENTITY-CAPABILITY
ENTITY-SENSOR-MIB
  Capability MIB: CISCO-ENTITY-SENSOR-RFC-CAPABILITY

SNMP-FRAMEWORK-MIB
  Capability MIB: CISCO-SNMP-FRAMEWORK-CAPABILITY

SNMP-MPD-MIB
  Capability MIB: CISCO-SNMP-MPD-CAPABILITY

SNMP-NOTIFICATION-MIB
  Capability MIB: CISCO-SNMP-NOTIFICATION-CAPABILITY

SNMP-TARGET-MIB
  Capability MIB: CISCO-SNMP-TARGET-CAPABILITY
SNMP-USER-BASED-SM-MIB
  Capability MIB: CISCO-SNMP-USM-CAPABILITY
  Description: Provides management information definitions for the User-based Security Model (USM) for SNMPv3. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security.
  The USM module decrypts incoming messages. The module then verifies the authentication data and creates the PDUs. For outgoing messages, the USM module encrypts PDUs and generates the authentication data. The module then passes the PDUs to the message processor, which then invokes the dispatcher.
  The USM module's implementation of the SNMP-USER-BASED-SM-MIB enables the SNMP manager to issue commands to manage users and security keys. The MIB also enables the agent to ensure that a requesting user exists and has the proper authentication information. When authentication is done, the request is carried out by the agent.
  The SNMP-USER-BASED-SM-MIB is described in RFC 3414.

SNMP-VIEW-BASED-ACM-MIB
  Capability MIB: CISCO-SNMP-VACM-CAPABILITY
  Description: Provides the View-based Access Control Model (VACM) for SNMPv3. The SNMPv3 architecture introduces VACM for access control.
  The SNMP-VIEW-BASED-ACM-MIB specifies objects that are needed to control access to all MIB data that is accessible through the SNMP agent. Upon initialization, the VACM module registers as the access control module with the agent infrastructure. The VACM module implements access control checks according to several parameters that are derived from the SNMP message.
  The SNMP-VIEW-BASED-ACM-MIB is described in RFC 3415.
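The access control check that VACM performs for each OID in a request can be reproduced for a single view. The Python below is an added example, not the ACE implementation; it implements the vacmViewTreeFamilyTable matching rules of RFC 3415 section 4.1.2 (subtree plus bit mask, included or excluded, the longest matching subtree wins) over a constructed read view that exposes the internet subtree, hides the usmUserTable so a read-only principal cannot enumerate SNMPv3 user names, and uses a mask to hide one ifTable row (ifIndex 10) across every column.

```python
"""VACM view-subtree matching (RFC 3415, vacmViewTreeFamilyTable).

Added example, not ACE code. The view entries and the OIDs tested
against them are constructed.
"""
from dataclasses import dataclass

OID = tuple[int, ...]


def parse_oid(s: str) -> OID:
    return tuple(int(x) for x in s.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: OID
    mask: bytes      # vacmViewTreeFamilyMask: one bit per sub-identifier, MSB first
    included: bool   # vacmViewTreeFamilyType: included (True) or excluded (False)


def _mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the mask; bits past the end of the mask count as 1."""
    if i >= len(mask) * 8:
        return True
    return bool(mask[i // 8] & (0x80 >> (i % 8)))


def matches(entry: ViewEntry, oid: OID) -> bool:
    """oid is covered by entry: at least as long as the subtree, and every
    sub-identifier whose mask bit is 1 is equal (a 0 bit is a wildcard)."""
    if len(oid) < len(entry.subtree):
        return False
    return all(not _mask_bit(entry.mask, i) or oid[i] == sub
               for i, sub in enumerate(entry.subtree))


def in_view(view: list[ViewEntry], oid_str: str) -> bool:
    """RFC 3415 4.1.2: of all matching entries take the one with the most
    sub-identifiers (ties: lexicographically greatest subtree); its type decides."""
    oid = parse_oid(oid_str)
    candidates = [e for e in view if matches(e, oid)]
    if not candidates:
        return False
    best = max(candidates, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# Constructed read-only view:
#  - everything under internet (1.3.6.1) is visible;
#  - usmUserTable (1.3.6.1.6.3.15.1.2.2) is hidden;
#  - the ifEntry row for ifIndex 10 is hidden across all columns: subtree
#    1.3.6.1.2.1.2.2.1.0.10 with the column position (index 9) wildcarded.
#    Mask bits 0-8 = 1, bit 9 = 0, bit 10 = 1  ->  bytes 0xFF 0xA0.
READ_VIEW = [
    ViewEntry(parse_oid("1.3.6.1"), b"", True),
    ViewEntry(parse_oid("1.3.6.1.6.3.15.1.2.2"), b"", False),
    ViewEntry(parse_oid("1.3.6.1.2.1.2.2.1.0.10"), b"\xff\xa0", False),
]

if __name__ == "__main__":
    for o in ("1.3.6.1.2.1.1.3.0",             # sysUpTime.0
              "1.3.6.1.2.1.2.2.1.2.9",         # ifDescr.9
              "1.3.6.1.2.1.2.2.1.2.10",        # ifDescr.10 (masked row)
              "1.3.6.1.6.3.15.1.2.1.0",        # usmUserSpinLock.0
              "1.3.6.1.6.3.15.1.2.2.1.3.0"):   # constructed instance inside usmUserTable
        print(o, "->", "included" if in_view(READ_VIEW, o) else "excluded")
```

The longest-match rule is what makes the exclusions work: a request for an OID inside usmUserTable matches both the internet entry and the usmUserTable entry, and the more specific (longer) entry, which is excluded, decides.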
Other MIBs

CISCO-AAA-SERVER-EXT-MIB
  Capability MIB: CISCO-AAA-SERVER-EXT-CAPABILITY
CISCO-AAA-SERVER-MIB
  Capability MIB: CISCO-AAA-SERVER-CAPABILITY
  Description: Provides configuration and statistics that reflect the state of an AAA server operation within the device and AAA communications with external servers. The CISCO-AAA-SERVER-MIB provides the following information:

CISCO-ENHANCED-SLB-MIB
  Capability MIB: CISCO-ENHANCED-SLB-CAPABILITY

CISCO-IF-EXTENSION-MIB
  Capability MIB: CISCO-IF-EXTENSION-CAPABILITY

CISCO-IP-PROTOCOL-FILTER-MIB
  Capability MIB: CISCO-IP-PROTOCOL-FILTER-CAPABILITY
  Description: Manages information to support packet filtering on IP protocols (RFC 791). The cippfIpProfileTable allows users to create, delete, and get information about filter profiles. Filter profiles are uniquely identified by the profile names. Filter profiles can be either simple or extended usage types. The usage type cannot be changed once it has been created. The cippfIfIpProfileTable applies the filtering profiles to device interfaces that run IP. A filter profile can be applied to multiple interfaces.
  The cippfIpFilterTable contains ordered lists of IP filters for all filtering profiles. Filters and profiles are related if they have the same filter profile name. Filters can be created only if their associated filter profiles already exist in the cippfIpProfileTable. Filters of the same profile name belong to a common profile.
  The interface-based cippfIfIpProfileTable can be configured with information that is independent of the other tables. However, if the profile name in this table matches any profile name in the cippfIpProfileTable and the profile name of any filter entry in the cippfIpFilterTable, the profile is active and the filter entry is applied to IP traffic that passes through the attached device interfaces. Any change to the filters in the cippfIpFilterTable or the profile in the cippfIpProfileTable affects all the attached interfaces.
  The IP protocol is described in RFC 791.

CISCO-L4L7MODULE-REDUNDANCY-MIB
  Capability MIB: CISCO-L4L7MODULE-REDUNDANCY-CAPABILITY
  Description: Includes the clrRedundancyInfoTable, clrPeerInfoTable, and clrHAStatsTable tables.
CISCO-L4L7RESOURCE-LIMIT-MIB
  Capability MIB: CISCO-L4L7MODULE-RESOURCE-LIMIT-CAPABILITY

CISCO-MODULE-VIRTUALIZATION-MIB
  Capability MIB: CISCO-MODULE-VIRTUALIZATION-CAPABILITY
  Description: Provides a way to create and manage ACE module user contexts (also referred to as virtual contexts). A user context is a logical partition of a physical device (the ACE module). A user context provides different service types that can be managed independently. Each user context is an independent entity with its own configuration. A user-created context supports most of the options that you can configure in the Admin context (the default ACE module context). Each context can have a separate management IP address that allows you to establish a remote connection to the ACE module with the Secure Shell (SSH) or Telnet protocols and send other requests (such as SNMP or FTP).
  This MIB contains tables that allow you to create or delete ACE module user contexts and assign interfaces and interface ranges to user contexts.

CISCO-PROCESS-MIB
  Capability MIB: CISCO-PROCESS-CAPABILITY

CISCO-PRODUCTS-MIB
  Capability MIB: N/A
  Description: Contains the OIDs that can be reported in the sysObjectID object in the SNMPv2-MIB. The sysObjectID OID values are as follows:
    Product Name (PID)   sysObjectID
    ACE10-6500-K9        ciscoACE10K9
    ACE20-MOD-K9         ciscoACE20K9
    ACE30-MOD-K9         ciscoACE30K9
CISCO-SLB-EXT-MIB
  Capability MIB: CISCO-SLB-EXT-CAPABILITY
  Description: Acts as an extension to the Cisco server load-balancing MIB (CISCO-SLB-MIB). It provides tables for the sticky configuration.
  The cslbxServerFarmStatsTable table provides details about the data available in the show serverfarm command output.
  The cslbxServerFarmTable table provides details about the server farm state. It includes the following MIB objects:
    cslbxServerFarmState
    cslbxServerFarmStateChange
    cslbxServerFarmDciCfgState
    cslbxServerFarmDciOpState
      dciCfgEnabled: At least one server farm has the feature enabled under the VIP
    cslbxStatsCurrConnections
    cslbxStatsTimedOutConnections
  The server farm can change from the inactive to active state or active to inactive state. The reasons for changing from the active to inactive state are as follows:
    All real servers in a single server farm are out of service because the real server(s) reach the maximum connection or maximum load state, or have a probe failure or an ARP failure.

CISCO-SLB-HEALTH-MON-MIB
  Capability MIB: CISCO-SLB-HEALTH-MON-CAPABILITY
7-12
OL-25343-01
Chapter 7
Configuring SNMP
Information About SNMP
Table 7-2
MIB Support
Capability MIB
Description
CISCO-SSL-PROXY-
MIB
CISCO-SSL-PROXY- Manages a Secure Socket Layer (SSL) Proxy device which terminates and
accelerates SSL and Transport Layer Security (TLS) transactions. The
CAPABILITY
proxy device can act as an SSL server or an SSL client depending on the
configuration and the application.
This MIB is used for monitoring the statistics of the proxy services and the
protocols including TCP, SSL, and TLS that are available in the show stats
crypto client command output. It also includes counters related to the
insertion of SSL header information and SSL client certificate information
into HTTP headers that are available in the show stats crypto server
command output. In addition, it includes counters related to a given client
certificate authentication failure type that are available in the show stats
http command output.
CISCO-SLB-MIB
CISCO-SLB-
CAPABILITY
CISCO-SYSLOG-EXT- CISCO-SYSLOG-
MIB
EXT-CAPABILITY
slbStatsCreatedConnections
slbStatsCreatedHCConnections
slbStatsEstablishedConnections
slbStatsEstablishedHCConnetions
slbStatsDestroyedConnections
slbStatsDestroyedHCConnections
slbStatsReassignedConnections
CISCO-SYSLOG-MIB
CISCO-SYSLOG-
CAPABILITY
This MIB does not track messages that are generated from debug
commands entered through the CLI.
7-13
Chapter 7
Configuring SNMP
Table 7-2
MIB Support
Capability MIB
Description
IF-MIB
CISCO-IF-
CAPABILITY
CISCO-IP-
CAPABILITY
IP-MIB
CISCO-SNMPv2-
CAPABILITY
TCP-MIB
CISCO-TCP-STD-
CAPABILITY
UDP-MIB
CISCO-UDP-STD-
CAPABILITY
Note
The maximum SNMP object identifier (OID) length supported by the ACE appliance is 128 characters.
If the SNMP OID exceeds this maximum, the ACE displays the error Next OID length is greater than
permissible.
Table 7-3  MIB Support (ACE appliance). Columns: MIB, Capability MIB, Description.

Appliance MIBs

CISCO-ENTITY-VENDORTYPE-OID-MIB (capability MIB: N/A)
    Component                     Object (OID)
    ACE4710-K9 chassis            cevChassisACE4710K9 {cevChassis 610}
    Power supply                  cevPowerSupplyAC345 {cevPowerSupply 190}
    CPU fan                       cevFanACE4710K9CpuFan {cevFan 91}
    DIMM fan                      cevFanACE4710K9DimmFan {cevFan 92}
    PCI fan                       cevFanACE4710K9PciFan {cevFan 93}
    Voltage sensor                cevSensorPSOutput {cevSensor 39}
    CPU fan sensor                cevSensorCpuFanSpeed {cevSensor 58}
    DIMM fan sensor               cevSensorACE4710K9DimmFanSpeed {cevSensor 59}
    PCI fan sensor                cevSensorACE4710K9PciFanSpeed {cevSensor 60}
    CPU temperature sensor        cevSensorACE4710K9CPUTemp {cevSensor 56}
    Ambient temperature sensor    cevSensorACE4710K9AmbientTemp {cevSensor 57}

ENTITY-MIB (capability MIB: CISCO-ENTITY-CAPABILITY)

ENTITY-SENSOR-MIB (capability MIB: CISCO-ENTITY-SENSOR-RFC-CAPABILITY)

SNMP-COMMUNITY-MIB (capability MIB: CISCO-SNMP-COMMUNITY-CAPABILITY)

SNMP-FRAMEWORK-MIB (capability MIB: CISCO-SNMP-FRAMEWORK-CAPABILITY)

SNMP-MPD-MIB (capability MIB: CISCO-SNMP-MPD-CAPABILITY)

SNMP-NOTIFICATION-MIB (capability MIB: CISCO-SNMP-NOTIFICATION-CAPABILITY)

SNMP-TARGET-MIB (capability MIB: CISCO-SNMP-TARGET-CAPABILITY)

SNMP-USER-BASED-SM-MIB (capability MIB: CISCO-SNMP-USM-CAPABILITY)

SNMP-VIEW-BASED-ACM-MIB (capability MIB: CISCO-SNMP-VACM-CAPABILITY)

Other MIBs

CISCO-AAA-SERVER-EXT-MIB (capability MIB: CISCO-AAA-SERVER-EXT-CAPABILITY)

CISCO-AAA-SERVER-MIB (capability MIB: CISCO-AAA-SERVER-CAPABILITY)

CISCO-APPLICATION-ACCELERATION-CAPABILITY-MIB

CISCO-ENHANCED-SLB-MIB (capability MIB: CISCO-ENHANCED-SLB-CAPABILITY)
    The slbEntity index used in the table is the slot number of the ACE appliance. Because a slot number is not applicable to the ACE appliance, the slbEntity index always has the value 1.
    The cesRserverProbeTable table in the CISCO-ENHANCED-SLB-MIB provides details about the real server probe statistics available in the show probe detail command output.
    The cesServerFarmRserverTable and cesRserverTable tables in the CISCO-ENHANCED-SLB-MIB provide details about the data available in the show rserver command output.

CISCO-IF-EXTENSION-MIB (capability MIB: CISCO-IF-EXTENSION-CAPABILITY)

CISCO-IP-PROTOCOL-FILTER-MIB

CISCO-L4L7MODULE-REDUNDANCY-MIB

CISCO-L4L7RESOURCE-LIMIT-MIB

CISCO-MODULE-VIRTUALIZATION-MIB (capability MIB: CISCO-MODULE-VIRTUALIZATION-CAPABILITY)

CISCO-PROCESS-MIB (capability MIB: CISCO-PROCESS-CAPABILITY)

CISCO-PRODUCTS-MIB (capability MIB: N/A)

CISCO-SLB-MIB (capability MIB: CISCO-SLB-CAPABILITY)
    Objects: slbStatsCreatedConnections, slbStatsCreatedHCConnections, slbStatsEstablishedConnections, slbStatsEstablishedHCConnections, slbStatsDestroyedConnections, slbStatsDestroyedHCConnections, slbStatsReassignedConnections

CISCO-SLB-EXT-MIB (capability MIB: CISCO-SLB-EXT-CAPABILITY)
    Objects: cslbxServerFarmState, cslbxServerFarmStateChange, cslbxServerFarmDwsCfgState, cslbxServerFarmDwsOpState, cslbxStatsCurrConnections, cslbxStatsTimedOutConnections
    The server farm can change from the inactive to the active state or from the active to the inactive state. The reasons for changing from the active to the inactive state are as follows:

CISCO-SLB-HEALTH-MON-MIB (capability MIB: CISCO-SLB-HEALTH-MON-CAPABILITY)

CISCO-SSL-PROXY-MIB (capability MIB: CISCO-SSL-PROXY-CAPABILITY)

CISCO-SYSLOG-EXT-MIB (capability MIB: CISCO-SYSLOG-EXT-CAPABILITY)

CISCO-SYSLOG-MIB (capability MIB: CISCO-SYSLOG-CAPABILITY)
    This MIB does not track messages that are generated from debug commands entered through the CLI.

IP-MIB

SNMPv2-MIB (capability MIB: CISCO-SNMPv2-CAPABILITY)

TCP-MIB (capability MIB: CISCO-TCP-STD-CAPABILITY)

UDP-MIB (capability MIB: CISCO-UDP-STD-CAPABILITY)
Table 7-4  Supported MIB Objects. Column: MIB Name; for each MIB, the supported scalar objects, tables, and objects, and the unsupported objects where listed.

SNMPv2-MIB
    Scalar Objects: sysDescr, sysName, sysLocation, sysContact, sysObjectID, sysServices, sysORLastChange, snmpInPkts, snmpOutPkts, snmpInBadVersions, snmpInBadCommunityNames, snmpInBadCommunityUses, snmpInASNParseErrs, snmpInTooBigs, snmpInNoSuchNames, snmpInBadValues, snmpInReadOnlys, snmpInGenErrs, snmpInTotalReqVars, snmpInTotalSetVars, snmpInGetRequests, snmpInGetNexts, snmpInSetRequests, snmpInGetResponses, snmpInTraps, snmpOutTooBigs, snmpOutNoSuchNames, snmpOutBadValues, snmpOutGenErrs, snmpOutGetRequests, snmpOutGetNexts, snmpOutSetRequests, snmpOutGetResponses, snmpOutTraps, snmpEnableAuthenTraps, snmpSilentDrops, snmpProxyDrops
    Tables: sysORTable

SNMP-COMMUNITY-MIB
    Tables: snmpCommunityTable, snmpTargetAddrExtTable

SNMP-MPD-MIB
    Scalar Objects: snmpUnknownSecurityModels, snmpInvalidMsgs, snmpUnknownPDUHandlers

SNMP-NOTIFICATION-MIB
    Tables: snmpNotifyTable, snmpNotifyFilterProfileTable, snmpNotifyFilterTable

SNMP-TARGET-MIB
    Scalar Objects: snmpUnavailableContexts, snmpTargetSpinLock, snmpUnknownContexts
    Tables: snmpTargetAddrTable, snmpTargetParamsTable

SNMP-USER-BASED-SM-MIB
    Scalar Objects: usmStatsUnsupportedSecLevels, usmUserSpinLock, usmStatsNotInTimeWindows, usmStatsUnknownUserNames, usmStatsUnknownEngineIDs, usmStatsWrongDigests, usmStatsDecryptionErrors
    Tables: usmUserTable

SNMP-VIEW-BASED-ACM-MIB
    Scalar Objects: vacmViewSpinLock
    Tables: vacmContextTable, vacmSecurityToGroupTable, vacmAccessTable

CISCO-ENTITY-FRU-CONTROL-MIB
    Tables: cefcModuleTable

ENTITY-MIB
    Tables: entPhysicalTable, entLogicalTable, entLPMappingTable, entAliasMappingTable, entPhysicalContainsTable
    Objects: entPhysicalAlias, entPhysicalAssetID, entPhysicalMfgDate

ENTITY-SENSOR-MIB
    Tables: entPhySensorTable

IF-MIB
    Scalar Objects: ifNumber, ifTableLastChange
    Tables: ifTable, ifXTable, ifStackTable, ifRcvAddressTable, ifTestTable
    Objects: ifStackLastChange

IP-MIB
    Scalar Objects: icmpInMsgs, icmpInErrors, icmpInDestUnreachs, icmpInTimeExcds, icmpInParmProbs, icmpInSrcQuenchs, icmpInRedirects, icmpInEchos, icmpInEchoReps, icmpInTimestamps, icmpInTimestampReps, icmpInAddrMasks, icmpInAddrMaskReps, icmpOutMsgs, icmpOutErrors, icmpOutDestUnreachs, icmpOutTimeExcds, icmpOutParmProbs, icmpOutSrcQuenchs, icmpOutRedirects, icmpOutEchos, icmpOutEchoReps, icmpOutTimestamps, icmpOutTimestampReps, icmpOutAddrMasks, icmpOutAddrMaskReps
    Tables: ipAddrTable, ipSystemStatsTable, ipIfStatsTable, icmpStatsTable, icmpMsgStatsTable, ipNetToMediaTable, ipv4InterfaceTable, ipv6InterfaceTable, ipAddressTable, ipAddressPrefixTable, ipNetToPhysicalTable, ipDefaultRouterTable, ipv6RouterAdvertTable, ipv6ScopeZoneIndexTable
    Objects: ipSystemStatsInMcastOctets, ipSystemStatsHCInMcastOctets, ipSystemStatsOutMcastOctets, ipSystemStatsHCOutMcastOctets, ipIfStatsInMcastOctets, ipIfStatsHCInMcastOctets, ipIfStatsOutMcastOctets, ipIfStatsHCOutMcastOctets

TCP-MIB
    Scalar Objects: tcpRtoAlgorithm, tcpRtoMin, tcpRtoMax, tcpMaxConn, tcpActiveOpens, tcpPassiveOpens, tcpAttemptFails, tcpEstabResets, tcpCurrEstab, tcpInSegs, tcpOutSegs, tcpRetransSegs, tcpInErrs, tcpOutRsts, tcpHCInSegs, tcpHCOutSegs
    Tables: tcpConnTable, tcpConnectionTable, tcpListenerTable

UDP-MIB
    Scalar Objects: udpInDatagrams, udpNoPorts, udpInErrors, udpOutDatagrams, udpHCInDatagrams, udpHCOutDatagrams
    Tables: udpTable, udpEndpointTable

CISCO-PROCESS-MIB
    Tables: cpmProcessTable, cpmProcessExtTable, cpmCPUTotalTable, cpmCPUThresholdTable, cpmProcessExtRevTable, cpmCPUHistoryTable, cpmCPUProcessHistoryTable
    Scalar Objects: cpmCPUHistoryThreshold, cpmCPUHistorySize
    Objects: cpmCPUInterruptMonIntervalValue

CISCO-SYSLOG-EXT-MIB
    Scalar Objects: cseSyslogConsoleEnable, cseSyslogLogFileName, cseSyslogConsoleMsgSeverity, cseSyslogLogFileMsgSeverity, cseSyslogServerTableMaxEntries, cseSyslogFileLoggingDisable, cseSyslogTerminalEnable, cseSyslogLinecardEnable, cseSyslogTerminalMsgSeverity, cseSyslogLinecardMsgSeverity
    Tables: cseSyslogServerTable, cseSyslogMessageControlTable

CISCO-SYSLOG-MIB
    Scalar Objects: clogNotificationsSent, clogNotificationsEnabled, clogMaxSeverity, clogMsgIgnores, clogMsgDrops, clogOriginIDType, clogOriginID, clogHistTableMaxLength, clogHistMsgsFlushed, clogMaxservers
    Tables: clogServerConfigTable, clogHistoryTable

CISCO-SYSTEM-MIB
    Scalar Objects: csyClockDateAndTime, csyClockLostOnReboot, csyLocationCountry, csyScheduledResetTime, csyScheduledResetAction, csyScheduledResetReason, csySnmpAuthFail, csySnmpAuthFailAddressType, csySnmpAuthFailAddress, csyNotificationsEnable, csySummerTimeStatus, csySummerTimeOffset, csySummerTimeRecurringStart, csySummerTimeRecurringEnd

CISCO-SLB-MIB
    Scalar Objects: cSlbVServerStateChangeNotifEnabled, cSlbVirtStateChangeNotifEnabled, cSlbRealStateChangeNotifEnabled, cSlbRealServerStateChangeNotifEnabled
    Tables: slbStatsTable, slbServerFarmTable, slbRealTable, slbVServerInfoTable, slbVirtualServerTable, slbVServerTable, slbConnectionTable, slbVirtualClientTable, slbStickyObjectTable, slbDfpPasswordTable, slbDfpAgentTable, slbDfpRealTable, slbSaspTable, slbSaspAgentTable, slbSaspGroupTable, slbSaspMemberTable, slbSaspStatsTable
    Unsupported Objects from slbStatsTable: slbStatsUnassistedSwitchingPkts, slbStatsUnassistedSwitchingHCPkts, slbStatsAssistedSwitchingPkts, slbStatsAssistedSwitchingHCPkts, slbStatsZombies, slbStatsHCZombies
    Unsupported Objects from slbServerFarmTable: slbServerFarmPredictor, slbServerFarmNat, slbServerFarmBindId
    Unsupported Objects from slbVServerInfoTable: slbVServerL4Decisions, slbVServerL7Decisions, slbVServerEstablishedConnections

CISCO-SLB-EXT-MIB
    Tables: cslbxStatsTable, cslbxConnTable, cslbxServerFarmTable, cslbxRedirectSvrTable, cslbxServerFarmProbeTable, cslbxSfarmHttpReturnCodeTable, cslbxServerFarmStatsTable, cslbxNatPoolTable, cslbxStickyGroupTable, cslbxStickyObjectTable, cslbxStickyGroupExtTable, cslbxMapTable, cslbxHttpExpressionTable, cslbxHttpReturnCodeTable, cslbxPolicyTable, cslbxVirtualServerTable, cslbxRuleTable, cslbxVlanTable, cslbxAliasAddrTable, cslbxStaticRouteTable, cslbxFtTable, cslbxXmlConfigTable, cslbxOwnerTable, cslbxScriptFileTable, cslbxScriptTaskTable
    Scalar Objects: cslbxServerFarmDwsCfgState, cslbxServerFarmDwsOpState, cslbxVServerDwsCfgState, cslbxVServerDwsOpState, cslbxServerFarmName, cslbxServerFarmState, cslbxServerFarmStateChangeDescr, cslbxServerFarmNumOfTimeFailOvers, cslbxServerFarmNumOfTimeBkInServs
    Unsupported Objects from cslbxStatsTable: cslbxStatsServerInitConns, cslbxStatsServerInitHCConns, cslbxStatsCurrServerInitConns, cslbxStatsFailedServerInitConns, cslbxStatsNoActiveServerRejects
    Unsupported Objects from cslbxServerFarmTable: cslbxServerFarmClientNatPool, cslbxServerFarmHttpReturnCodeMap
    (ACE appliance only) Unsupported Objects from cslbxServerFarmStatsTable: cslbxServerFarmNumOfTimeFailOvers, cslbxServerFarmNumOfTimeBkInServs

CISCO-SLB-HEALTH-MON-MIB
    Tables: cslbxProbeCfgTable, cslbxProbeHeaderCfgTable, cslbxProbeHTTPCfgTable, cslbxProbeFTPCfgTable, cslbxProbeIMAPCfgTable, cslbxDnsProbeIpTable, cslbxProbeSIPCfgTable, cslbxProbeTFTPCfgTable, cslbxProbeExpectStatusCfgTable, cshMonProbeTypeStatsTable, cshMonServerfarmRealProbeStatsTable
    Objects: cslbxProbePassword, cslbxProbeSocketReuse, cslbxProbeSendDataType, cslbxProbePriority
    Unsupported Objects from cslbxProbeHTTPCfgTable: cslbxProbeHTTPCfgPersistence
    Unsupported Objects: cshMonServerfarmRealProbeLastProbeTime, cshMonServerfarmRealProbeLastActiveTime, cshMonServerfarmRealProbeLastFailedTime, cshMonProbeInheritedPortType

CISCO-ENHANCED-SLB-MIB
    Scalar Objects: cesRealServerNotifEnable, cesRserverLocality, cesServerFarmRserverDroppedConns
    Tables: cesRealServerProbeTable, cesRserverTable, cesServerFarmRserverTable, cesRserverProbeTable

CISCO-IF-EXTENSION-MIB
    Tables: cieIfNameMappingTable, cieIfPacketStatsTable, cieIfInterfaceTable, cieIfStatusListTable, cieIfDot1qCustomEtherTypeTable, cieIfUtilTable, cieIfDot1dBaseMappingTable

CISCO-IP-PROTOCOL-FILTER-MIB
    Tables: cippfIpProfileTable, cippfIfIpProfileTable, cippfIpFilterTable, cippfIpFilterExtTable, cippfIpFilterStatsTable

CISCO-MODULE-VIRTUALIZATION-MIB
    Scalar Objects: cmVirtContextNotifEnable
    Tables: cmVirtualContextTable, cmVirtContextIfMapTable

CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB
    Tables: ciscoL4L7ResourceClassTable, ciscoL4L7ResourceLimitTable, ciscoL4L7ResourceRateLimitTable, ciscoL4L7ResourceUsageSummaryTable
    Scalar Objects: clrResourceLimitReachedNotifEnabled, clrResourceRateLimitReachedNotifEnabled

CISCO-AAA-SERVER-MIB
    Tables: casConfigTable, casStatisticsTable
    Scalar Objects: casServerStateChangeEnable
    Unsupported Objects from casConfigTable: casPriority

CISCO-AAA-SERVER-EXT-MIB
    Scalar Objects: cAAASvrExtSvrGrpSvrListMaxEnt, cAAASvrExtAppToSvrGrpMaxEnt, cAAALoginAuthTypeMSCHAP, cAAAServerDeadTime, cAAAServerIdleTime, cAAAServerTestUser, cAAAServerTestPassword, cAAASvrExtLocalAccLogMaxSize, cAAASvrExtClearAccLog
    Tables: cAAASvrExtConfigTable, cAAASvrExtProtocolParamTable, cAAASvrExtSvrGrpConfigTable, cAAASvrExtSvrGrpLDAPConfigTable, cAAASvrExtAppSvrGrpConfigTable

CISCO-LICENSE-MGR-MIB
    Scalar Objects: clmNotificationsEnable, clmHostId, clmNoOfLicenseFilesInstalled, clmLicenseConfigSpinLock, clmNoOfLicensedFeatures, clmLicenseFileURI, clmLicenseViolationWarnFlag, clmLicenseFileTargetName, clmLicenseConfigCommand, clmLicenseRequestSpinLock, clmLicenseRequestFeatureName, clmLicenseRequestAppName, clmLicenseRequestCommand, clmLicenseRequestCommandStatus
    Tables: clmLicenseFileContentsTable, clmLicenseFeatureUsageTable, clmFeatureUsageDetailsTable
    Unsupported Objects from clmLicenseFeatureUsageTable: clmLicenseGracePeriod, clmLicenseEnabled

(MIB name not recovered on this page; caa* objects)
    Tables: caaStatTable
    Objects: caaState, caaRequests, caaLastRestartedTime, caaRequestSize

CISCO-L4L7MODULE-REDUNDANCY-MIB
    Tables: clrRedundancyInfoTable, clrPeerInfoTable, clrHAStatsTable, clrRedundancyConfigTable, clrPeerConfigTable, clrLBStatsTable
    Unsupported Objects from clrRedundancyInfoTable: clrRedundancyPriority, clrRedundancyStateChangeTime
    Unsupported Objects from clrHAStatsTable: clrHAStatsMissedHeartBeatMsgs, clrHAStatsRxUniDirectionalHeartBeatMsgs, clrHAStatsHeartBeatTimeoutMismatches, clrHAStatsPeerUpEvents, clrHAStatsPeerDownEvents

CISCO-SSL-PROXY-MIB
    Scalar Objects: cspTlcFullHandShake, cspTlcResumedHandShake, cspS3cFullHandShake, cspS3cResumedHandShake, cspTlcHandShakeFailed, cspTlcDataFailed, cspS3cHandShakeFailed, cspS3cDataFailed, cspScActiveSessions, cspScConnInHandShake, cspScConnInDataPhase, cspScConnInReneg
    (ACE module only) Scalar Objects: cspNumOfSslInfoSuccessInserted, cspNumOfSslInfoFailedInserted, cspNumOfSpoofHttpHeaderDeleted, cspNumOfSslSessHeaderInserted, cspNumOfSslSessHeaderFailedInserted, cspNumOfSslServerCertHeaderInserted, cspNumOfSslServerCerHeaderFailedInserted, cspNumOfTimesSslHeaderTruncated, cspNumOfSslClientCertHeaderInserted, cspNumOfSslClientCertHeaderFailedInserted, cspCertNotYetValidRedirect, cspCertExpiredRedirect, cspIssuerCertNotFoundRedirect, cspCertRevokedRedirect, cspNoClientCertSentRedirect, cspNoCrlAvailableRedirect, cspCrlExpiredRedirect, cspCertSignatureFailedRedirect, cspOtherCertErrorRedirect
Table 7-5  Notifications. Columns: Notification Name, Location of the Notification (MIB), Description.

Note: The clogOriginID and clogOriginIDType variable bindings are appended to each notification listed in Table 7-5 to identify the chassis, slot, and context combination from which the event trap originated.

authenticationFailure (SNMPv2-MIB)
    An SNMP request failed because the NMS did not authenticate with the correct community string.

CISCO-ENHANCED-SLB-MIB notification (name not recovered on this page); sent with the following varbinds:
    cesRealServerName, cesServerFarmRserverBackupPort, cesServerFarmName, cesServerFarmRserverAdminStatus, cesServerFarmRserverOperStatus, cesRserverIpAddressType, cesRserverIpAddress, cesServerFarmRserverDescr

cesRserverStateUp, cesRserverStateDown (CISCO-ENHANCED-SLB-MIB)
    The state of a real server configured in a server farm is down due to user intervention. The notification is sent with the following varbinds:
    cesRealServerName, cesServerFarmRserverBackupPort, cesServerFarmName, cesServerFarmRserverAdminStatus, cesServerFarmRserverOperStatus, cesServerFarmRserverStateDescr, cesRserverIpAddressType, cesRserverIpAddress, cesServerFarmRserverDescr
    A second varbind set is listed for this MIB:
    cesRealServerName, cesServerFarmRserverBackupPort, cesServerFarmName, cesServerFarmRserverAdminStatus, cesServerFarmRserverOperStatus, cesServerFarmRserverStateDescr, cesRserverIpAddressType, cesRserverIpAddress, cesProbeName, cesServerFarmRserverDescr

cesRserverStateChange (CISCO-ENHANCED-SLB-MIB)
    The state of a global real server changed to a new state as a result of something other than user intervention. This notification is sent for situations such as ARP failures and probe failures.

cesRserverLocalityChange (CISCO-ENHANCED-SLB-MIB)
    Varbind: cesRserverLocality

ciscoSlbVServerVIPStateChange (CISCO-SLB-MIB)
    Varbinds: slbVServerState, slbVServerStateChangeDescr, slbVServerClassMap, slbVServerPolicyMap, slbVServerIpAddressType, slbVServerIpAddress, slbVServerProtocol

CISCO-SLB-MIB notification (name not recovered on this page); varbinds:
    slbVServerStateChangeDescr, slbVServerClassMap, slbVServerPolicyMap

clogMessageGenerated (CISCO-SYSLOG-MIB)

clmLicenseExpiryNotify (CISCO-LICENSE-MGR-MIB)

clmLicenseFileMissingNotify (CISCO-LICENSE-MGR-MIB)

clmLicenseExpiryWarningNotify (CISCO-LICENSE-MGR-MIB)

clmNoLicenseForFeatureNotify (CISCO-LICENSE-MGR-MIB)

cmVirtContextAdded, cmVirtContextRemoved (CISCO-MODULE-VIRTUALIZATION-MIB)

cslbxServerFarmStateChange (CISCO-SLB-EXT-MIB)
    Notification that all real servers in a server farm are down and the server farm has changed state. The varbinds contain: cslbxServerFarmName, cslbxServerFarmState, cslbxServerFarmStateChangeDescr, cslbxServerFarmNumOfTimeFailOvers, cslbxServerFarmNumOfTimeBkInServs

cslbxServerFarmDwsOpStateChange (CISCO-SLB-EXT-MIB)
    Varbind: cslbxServerFarmDwsOpState

coldStart (SNMPv2-MIB)
    The SNMP agent started after a cold restart (full power cycle) of the ACE.

linkUp, linkDown (SNMPv2-MIB)
Default SNMP settings (Parameter: Default)
    SNMP notifications
    SNMP engine ID for the Admin context and each user context: the ACE automatically creates the engine ID.
    snmpCommunityName and snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB: masked (see Unmasking the SNMP Community Name and Community Security Name OIDs)
Configuring SNMP
This section describes how to configure SNMP and includes the following topics:
Unmasking the SNMP Community Name and Community Security Name OIDs
Accessing ACE User Context Data Through the Admin Context IP Address
If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the
desired context. If necessary, log directly in to, or change to, the correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this procedure use the Admin context, unless otherwise specified. For details
on creating contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Enable the ACE to send SNMP traps and inform requests to the NMS.
host1/Admin(config)# snmp-server enable traps slb
Step 9
Create a class map that permits network management traffic to be received by the ACE based on the
SNMP management protocol and client source IP address.
host1/Admin(config)# class-map type management match-all SNMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol snmp source-address 172.16.10.0
255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#
Step 10
Configure a policy map that activates the SNMP management protocol classifications.
host1/Admin(config)# policy-map type management first-match SNMP-ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SNMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#
Step 11
Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same
context. For example, to specify an interface VLAN and apply the SNMP management policy map to the
VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.10.0 255.255.255.254
host1/Admin(config-if)# service-policy input SNMP-ALLOW_POLICY
host1/Admin(config-if)# exit
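As an added example (not code from the Cisco ACE guide), the following Python models the class map and policy map from Steps 9 through 11 so you can check offline which sources a management policy admits before applying it. The class and policy names mirror the configuration above; the rule that a request matched by no class is not permitted, and the /24 variant used for comparison, are this example's assumptions. It also shows that the 255.255.255.254 mask in the procedure admits only 172.16.10.0 and 172.16.10.1, which is worth confirming is what you intend before the policy is attached to the VLAN.

```python
"""Offline evaluation of the SNMP management class-map / policy-map in Steps 9 to 11.

Added example; not code from the Cisco ACE guide. It models only what the steps
show: a 'match-all' management class (protocol plus source-address and mask) and a
'first-match' policy whose matching class permits the request. This example's own
assumption is that a request matched by no class is not permitted. The /31 mask is
the one the procedure uses; the /24 variant is constructed for comparison.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MgmtClass:
    """class-map type management match-all <name>
         match protocol <protocol> source-address <address> <mask>"""
    name: str
    protocol: str
    source: IPv4Network

    def matches(self, protocol: str, src: str) -> bool:
        # match-all: every condition in the class must hold
        return protocol == self.protocol and IPv4Address(src) in self.source


@dataclass(frozen=True)
class MgmtPolicy:
    """policy-map type management first-match <name>; classes in configuration order."""
    name: str
    classes: Tuple[Tuple[MgmtClass, str], ...]

    def decide(self, protocol: str, src: str) -> Tuple[Optional[str], Optional[str]]:
        """First class whose conditions all hold decides; no match -> (None, None)."""
        for cls, action in self.classes:
            if cls.matches(protocol, src):
                return action, cls.name
        return None, None


def class_from_cli(name: str, protocol: str, address: str, mask: str) -> MgmtClass:
    """Build a class from the 'match protocol <p> source-address <a> <m>' tokens."""
    return MgmtClass(name, protocol, IPv4Network(f"{address}/{mask}", strict=False))


def permitted_sources(cls: MgmtClass, limit: int = 256) -> List[str]:
    """Expand address/mask into the admitted sources, to check the mask says what you meant."""
    if cls.source.num_addresses > limit:
        return []
    return [str(a) for a in cls.source]


# Steps 9 and 10 as written, with the 255.255.255.254 (/31) mask from the procedure.
SNMP_ALLOW_CLASS = class_from_cli("SNMP-ALLOW_CLASS", "snmp", "172.16.10.0", "255.255.255.254")
SNMP_ALLOW_POLICY = MgmtPolicy("SNMP-ALLOW_POLICY", ((SNMP_ALLOW_CLASS, "permit"),))
# Constructed comparison: the /24 an operator usually intends for "the management subnet".
SNMP_ALLOW_CLASS_24 = class_from_cli("SNMP-ALLOW_CLASS", "snmp", "172.16.10.0", "255.255.255.0")

if __name__ == "__main__":
    print(permitted_sources(SNMP_ALLOW_CLASS))        # ['172.16.10.0', '172.16.10.1']
    print(SNMP_ALLOW_POLICY.decide("snmp", "172.16.10.25"))  # (None, None)
```

Run the module and compare `permitted_sources` for the class you are about to attach with the NMS addresses that actually poll the ACE; a management policy that silently excludes the monitoring host is the usual cause of "SNMP stopped working" after a policy change.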
Step 12
Caution
If you change the SNMP engine ID for an Admin or user context, all configured SNMP users become
invalid. You must recreate all SNMP users by using the snmp-server user command in configuration
mode. For more information on the SNMPv3 engine ID, see the Configuring an SNMPv3 Engine ID
for an ACE Context section.
Guidelines and Restrictions
User configuration through the snmp-server user command is applicable for SNMPv3 only;
SNMPv1 and SNMPv2c use a community string match for user authentication (see the Defining
SNMP Communities section).
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Note
Example:
host1/Admin(config)# no snmp-server user joe Network-Monitor auth sha abcd1234
Step 3
Examples
The following example shows how to set the SNMP user information:
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
Caution
If you change the SNMP engine ID for an Admin or user context, all configured SNMP communities are
deleted. You must recreate all SNMP communities by using the snmp-server community command in
configuration mode. For more information on the SNMPv3 engine ID, see the Configuring an SNMPv3
Engine ID for an ACE Context section.
Guidelines and Restrictions
SNMP communities are applicable for SNMPv1 and SNMPv2c only. SNMPv3 requires user
configuration information such as specifying the role group that the user belongs to, authentication
parameters for the user, authentication password, and message encryption parameters (see the
Configuring SNMP Users section).
Only network monitoring operations are supported through the ACE implementation of SNMP. In
this case, all SNMP users are automatically assigned the system-defined default group of
Network-Monitor. For details on creating users, see the Virtualization Guide, Cisco ACE
Application Control Engine.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor
Note
Example:
host1/Admin(config)# no snmp-server community SNMP_Community1 group Network-Monitor
Step 3
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# snmp-server contact User1 user1@cisco.com
no snmp-server contact
Example:
host1/Admin(config)# no snmp-server contact
Step 3
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# snmp-server location Boxborough MA
no snmp-server location
Example:
host1/Admin(config)# no snmp-server location
Step 3
To send notifications, you must specify at least one host to receive SNMP notifications.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# no snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500
Step 3
To configure the ACE to send the SNMP notifications, specify at least one snmp-server enable
traps command. To enable multiple types of notifications, you must enter a separate snmp-server
enable traps command for each notification type and notification option. If you enter the command
without any keywords, the ACE enables all notification types and traps.
The notification types used in the snmp-server enable traps command all have an associated MIB
object that globally enables or disables them. However, not all of the notification types available in
the snmp-server host command have notificationEnable MIB objects, so some of the notification
types cannot be controlled by using the snmp-server enable command.
Prerequisites
The snmp-server enable traps command is used with the snmp-server host command (see the
Configuring SNMP Notification Hosts section). The snmp-server host command specifies which host
receives the SNMP notifications. To send notifications, you must configure at least one SNMP server
host.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Enables the ACE to send SNMP traps and informs to the NMS.
The keywords, arguments, and options are as follows:
Example:
host1/Admin(config)# snmp-server enable traps slb real
Example:
host1/Admin(config)# no snmp-server enable traps slb real
Step 3
Examples
The following example shows how to enable the ACE to send server load-balancing traps to the host at
IP address 192.168.1.1 using a community string:
host1/Admin(config)# snmp-server host 192.168.1.1
host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor
host1/Admin(config)# snmp-server enable traps slb real
Enabling the IETF Standard for SNMP linkUp and linkDown Traps
This section describes how to configure the ACE to send the Internet Engineering Task Force (IETF)
standards-based implementation for linkUp and linkDown traps (as outlined in RFC 2863) rather than
send the Cisco implementation of linkUp and linkDown traps to the NMS. By default, the ACE sends
the Cisco implementation of linkUp and linkDown traps to the NMS. The ACE sends the Cisco IF-MIB variable bindings, which consist of ifIndex, ifAdminStatus, ifOperStatus, ifName, ifType, clogOriginID, and clogOriginIDType.
Note
The Cisco variable bindings are sent by default. To receive RFC 2863-compliant traps, you must specify
the snmp-server trap link ietf command.
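The following added example (not code from the Cisco ACE guide) builds and decodes an SNMPv2c trap that carries the Cisco-style linkDown bindings named above, together with the clogOriginIDType and clogOriginID bindings that the ACE appends to every notification (see the note to Table 7-5), and shows how a receiver checks the community and pulls out the originating context. The trap itself, its community string, ifIndex and values are constructed for the example; the object OIDs under 1.3.6.1.4.1.9.9.41.1.1 for clogOriginIDType (.6) and clogOriginID (.7) are assumptions of this example, not taken from the page.

```python
"""Minimal BER encoder/decoder for SNMPv2c traps (added example; not Cisco ACE code).
Assumed OIDs: clogOriginIDType = 1.3.6.1.4.1.9.9.41.1.1.6, clogOriginID = ...41.1.1.7.
All sample values (community, ifIndex 50, origin text) are constructed for this example."""
INTEGER, OCTET_STRING, OID, SEQUENCE, TIMETICKS, TRAP_V2_PDU = 0x02, 0x04, 0x06, 0x30, 0x43, 0xA7
SYS_UPTIME, SNMP_TRAP_OID = "1.3.6.1.2.1.1.3.0", "1.3.6.1.6.3.1.1.4.1.0"
CLOG_ORIGIN_ID_TYPE, CLOG_ORIGIN_ID = "1.3.6.1.4.1.9.9.41.1.1.6.0", "1.3.6.1.4.1.9.9.41.1.1.7.0"

def ber_length(n: int) -> bytes:
    """Definite length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value

def enc_int(n: int, tag: int = INTEGER) -> bytes:
    """Minimal two's-complement INTEGER; TimeTicks reuses it with tag 0x43."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(tag, n.to_bytes(size, "big", signed=True))

def enc_oid(dotted: str) -> bytes:
    """First two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def encode_trap(community: bytes, request_id: int, uptime: int, trap_oid: str, varbinds) -> bytes:
    """SNMPv2c message: SEQUENCE { version 1, community, [7] SNMPv2-Trap-PDU }."""
    vbs = [tlv(SEQUENCE, enc_oid(SYS_UPTIME) + enc_int(uptime, TIMETICKS)),
           tlv(SEQUENCE, enc_oid(SNMP_TRAP_OID) + enc_oid(trap_oid))]
    vbs += [tlv(SEQUENCE, enc_oid(oid) + value) for oid, value in varbinds]
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, b"".join(vbs))
    return tlv(SEQUENCE, enc_int(1) + tlv(OCTET_STRING, community) + tlv(TRAP_V2_PDU, pdu))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; handles short and long lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(raw: bytes) -> str:
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def decode_value(tag: int, raw: bytes):
    if tag in (INTEGER, TIMETICKS):
        return int.from_bytes(raw, "big", signed=tag == INTEGER)
    if tag == OCTET_STRING:
        return raw.decode("utf-8", "replace")
    return decode_oid(raw) if tag == OID else raw  # other types are left undecoded

def decode_trap(msg: bytes) -> dict:
    """Parse a v2c trap into version, community and the ordered (oid, value) list."""
    tag, body, _ = read_tlv(msg, 0)
    _, ver, pos = read_tlv(body, 0)
    _, comm, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if tag != SEQUENCE or pdu_tag != TRAP_V2_PDU:
        raise ValueError("not an SNMPv2c trap message")
    pos = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_raw, q = read_tlv(vb, 0)
        vtag, vraw, _ = read_tlv(vb, q)
        varbinds.append((decode_oid(oid_raw), decode_value(vtag, vraw)))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(), "varbinds": varbinds}

def trap_origin(msg: bytes, expected_community: str) -> dict:
    """Receiver-side check: a v2c trap has no authentication beyond its community, so
    drop mismatches, then report the trap type and the origin bindings the ACE appends."""
    t = decode_trap(msg)
    if t["community"] != expected_community:
        return {"accepted": False, "reason": "community mismatch"}
    vb = dict(t["varbinds"])
    return {"accepted": True, "trap_oid": vb.get(SNMP_TRAP_OID),
            "origin_type": vb.get(CLOG_ORIGIN_ID_TYPE), "origin": vb.get(CLOG_ORIGIN_ID)}

# Constructed sample: linkDown (1.3.6.1.6.3.1.1.5.3) with the Cisco IF-MIB bindings above.
SAMPLE_TRAP = encode_trap(b"SNMP_Community1", 1001, 123456, "1.3.6.1.6.3.1.1.5.3", [
    ("1.3.6.1.2.1.2.2.1.1.50", enc_int(50)),                      # ifIndex
    ("1.3.6.1.2.1.2.2.1.7.50", enc_int(1)),                       # ifAdminStatus up(1)
    ("1.3.6.1.2.1.2.2.1.8.50", enc_int(2)),                       # ifOperStatus down(2)
    ("1.3.6.1.2.1.31.1.1.1.1.50", tlv(OCTET_STRING, b"vlan50")),  # ifName
    ("1.3.6.1.2.1.2.2.1.3.50", enc_int(53)),                      # ifType propVirtual(53)
    (CLOG_ORIGIN_ID_TYPE, enc_int(3)),                            # enum value, assumed
    (CLOG_ORIGIN_ID, tlv(OCTET_STRING, b"host1/C1")),             # origin text, made up
])
```

A v2c trap is accepted or rejected on the community string alone, which is why the community configured with snmp-server host must match the receiver's exactly; the clogOriginID binding tells the NMS which context on a multi-context ACE raised the event, but it is informational and not an authentication mechanism.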
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Step 3
Unmasking the SNMP Community Name and Community Security Name OIDs
This section describes how to unmask the snmpCommunityName and snmpCommunitySecurityName
OIDs of the SNMP-COMMUNITY-MIB. These OIDs are masked by default.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
snmp-server unmask-community
Example:
host1/Admin(config)# snmp-server unmask-community
no snmp-server unmask-community
Example:
host1/Admin(config)# no snmp-server unmask-community
Step 3
If you do not configure the snmp-server trap-source command, the ACE takes the source IP address from the internal routing table, which depends on the destination host address to which the notification is sent.
If you specify the VLAN number of an interface that does not have a valid IP address, the ACE fails to send SNMPv1 trap notifications.
The ACE does not let you select the VLAN number of the FT VLAN interface configured between redundant ACEs as the trap source address carried in the SNMPv1 trap PDU.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Step 3
Accessing ACE User Context Data Through the Admin Context IP Address
This section describes how SNMP managers can send requests to a context by using its IP address to get the data that corresponds to that context. The ACE Admin context and each ACE user context has its own IP address. The SNMP agent supports a community string for SNMPv1 and SNMPv2c and a username for SNMPv3 on a per-context basis.
You can also retrieve data for user contexts by using the IP address of the Admin context. The Admin context credentials also allow access to user context data, such as performance and configuration information, so treat the Admin context community string and SNMPv3 user as credentials for every context on the device and restrict them accordingly.
This section contains the following topics:
Notifications for user contexts cannot be sent through the Admin context.
The following example shows how to return data for user context C1 when the Admin context has a
configured community string of adminCommunity and an IP address of 10.6.252.63:
snmpget -v2c -c adminCommunity@C1 10.6.252.63 udpDatagrams.0
Note
The SNMPv3 engine represents a logically separate SNMP agent. The ACE automatically creates an
SNMP engine ID for each context or you can configure it. For more information on configuring an
SNMPv3 engine ID, see the Configuring an SNMPv3 Engine ID for an ACE Context section.
Examples
The following example shows how to return data from user context C2 when the Admin context has a
configured SNMP user snmpuser and an IP address of 10.6.252.63:
snmpgetnext -v 3 -a MD5 -A cisco123 -u snmpuser -l authNoPriv 10.6.252.63 system -n C2
The ACE uses the user context C2 in place of the SNMPv3 context field in the request.
Note
The SNMPv3 request is dropped if the request is sent to the IP address of the user context with the
SNMPv3 context name field set to an empty string ("").
Caution
If you change the SNMP engine ID for an Admin or user context, all configured SNMP users become
invalid and all SNMP communities are deleted. You must recreate all SNMP users by using the
snmp-server user command in configuration mode, and recreate all SNMP communities by using the
snmp-server community command in configuration mode (see the Defining SNMP Communities
section).
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# snmp-server engineID
88439573498573888843957349857388
Step 3
Example:
host1/Admin(config)# do show snmp engineID
Step 4
Class map: Provides the remote network traffic match criteria to permit SNMP management traffic
based on the SNMP management protocol and the client source IP address.
Policy map: Enables remote network management access for a traffic classification that matches
the criteria listed in the class map.
Service policy: Activates the policy map and attaches the traffic policy to a VLAN interface or
globally to all VLAN interfaces.
This section provides an overview on creating a class map, policy map, and service policy for SNMP
access.
SNMP remote access sessions are established to the ACE per context. For details on creating contexts
and users, see the Virtualization Guide, Cisco ACE Application Control Engine.
Applying a Service Policy Globally to All VLAN Interfaces in the Same Context
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# class-map type
management match-all SNMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)#
match-all: All of the match criteria listed in the class map must be satisfied to match the network
traffic class in the class map (typically, match commands of the same type).
match-any: Only one of the match criteria listed in the class map must be satisfied to match the
network traffic class in the class map (typically, match commands of different types).
Command
Purpose
Example:
host1/Admin(config)# no class-map type management match-all SNMP-ALLOW_CLASS
Step 3
description text
Example:
host1/Admin(config-cmap-mgmt)# description Allow SNMP access
no description
Example:
host1/Admin(config-cmap-mgmt)# no description
Step 4
Step 5
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Example:
host1/Admin(config)# no policy-map type management first-match SNMP-ALLOW_POLICY
Step 3
Command
Purpose
Example:
host1/Admin(config-pmap-mgmt)# class SNMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)#
Example:
host1/Admin(config-pmap-mgmt)# no class SNMP-ALLOW_CLASS
Step 4
permit
Example:
host1/Admin(config-pmap-mgmt-c)# permit
Command
Purpose
deny
Example:
host1/Admin(config-pmap-mgmt-c)# deny
Step 5
Examples
The following example shows how to use the insert-before command to define the sequential order of
two class maps in the policy map:
host1/Admin(config-pmap-mgmt)# class L4_SSH_CLASS insert-before L4_REMOTE_ACCESS_CLASS
Applying a Service Policy Globally to All VLAN Interfaces in the Same Context
This section describes how to apply an existing policy map globally to all VLAN interfaces in the same
context.
Note the following guidelines when applying a service policy:
Note
Policy maps, applied globally in a context, are internally applied on all interfaces existing in the
context.
A policy activated on an interface overwrites any specified global policies for overlapping
classification and actions.
To apply the policy map to a specific VLAN interface only, see the Applying a Service Policy to a
Specific VLAN Interface section.
Guidelines and Restrictions
The ACE allows only one policy of a specific feature type to be activated on a given interface.
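The class-map, policy-map and service-policy overview above, together with the first-match ordering (insert-before) and the rule that an interface policy overrides a global one for overlapping classification, is easier to reason about with a small model. The following Python is an added example written for this page; it is a constructed simulation, not ACE code. The class and policy names, the VLAN numbers and the addresses are assumed, and the model assumes that traffic no policy classifies is denied (management access must be explicitly permitted) and that an interface policy is consulted before the global one.

```python
"""Added example (not ACE code): a model of how the ACE decides whether to accept
a management session, using the class-map / policy-map / service-policy
semantics described on this page. Everything here is a constructed simulation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ClassMap:
    """class-map type management: match lines of (protocol, source network).
    A source of "any" matches every client address."""
    name: str
    mode: str                        # "match-all" or "match-any"
    matches: List[Tuple[str, str]]   # e.g. ("snmp", "192.168.1.0/24")

    def matches_request(self, protocol: str, src: str) -> bool:
        hits = []
        for proto, net in self.matches:
            proto_ok = proto == protocol
            src_ok = net == "any" or ipaddress.ip_address(src) in ipaddress.ip_network(net)
            hits.append(proto_ok and src_ok)
        return all(hits) if self.mode == "match-all" else any(hits)


@dataclass
class PolicyMap:
    """policy-map type management first-match: the first matching class decides."""
    name: str
    entries: List[Tuple[ClassMap, str]] = field(default_factory=list)

    def add_class(self, cmap: ClassMap, action: str, insert_before: Optional[str] = None) -> None:
        """Mirrors 'class NAME [insert-before OTHER]' followed by permit or deny."""
        if action not in ("permit", "deny"):
            raise ValueError(action)
        if insert_before is None:
            self.entries.append((cmap, action))
            return
        for i, (existing, _) in enumerate(self.entries):
            if existing.name == insert_before:
                self.entries.insert(i, (cmap, action))
                return
        raise KeyError(f"no class {insert_before} in {self.name}")

    def decide(self, protocol: str, src: str) -> Optional[str]:
        for cmap, action in self.entries:
            if cmap.matches_request(protocol, src):
                return action
        return None   # no class matched; this policy says nothing


@dataclass
class Context:
    """One ACE context: at most one global management policy plus per-VLAN policies."""
    global_policy: Optional[PolicyMap] = None
    interface_policies: Dict[int, PolicyMap] = field(default_factory=dict)

    def decide(self, vlan: int, protocol: str, src: str) -> str:
        # Assumption of this model: the interface policy is consulted first and wins
        # where its classification overlaps the global one; traffic that no policy
        # classifies is denied, since management access must be explicitly permitted.
        for policy in (self.interface_policies.get(vlan), self.global_policy):
            if policy is not None:
                verdict = policy.decide(protocol, src)
                if verdict is not None:
                    return verdict
        return "deny"


def build_demo_context() -> Context:
    """Constructed configuration (assumed names and addresses, not from the page)."""
    nms_only = ClassMap("SNMP-ALLOW_CLASS", "match-all", [("snmp", "192.168.1.0/24")])
    any_snmp = ClassMap("SNMP-DENY_CLASS", "match-all", [("snmp", "any")])
    ops_net = ClassMap("SNMP-OPS_CLASS", "match-all", [("snmp", "10.0.0.0/8")])

    global_policy = PolicyMap("SNMP_MGMT_ALLOW_POLICY")
    global_policy.add_class(any_snmp, "deny")
    # The permit must precede the deny-all class or it never fires: insert-before.
    global_policy.add_class(nms_only, "permit", insert_before="SNMP-DENY_CLASS")

    vlan50_policy = PolicyMap("SNMP_VLAN50_POLICY")
    vlan50_policy.add_class(ops_net, "permit")
    vlan50_policy.add_class(any_snmp, "deny")

    return Context(global_policy=global_policy, interface_policies={50: vlan50_policy})


def ordering_matters() -> Tuple[str, str]:
    """Same two classes, appended in the wrong and in the right order."""
    nms_only = ClassMap("SNMP-ALLOW_CLASS", "match-all", [("snmp", "192.168.1.0/24")])
    any_snmp = ClassMap("SNMP-DENY_CLASS", "match-all", [("snmp", "any")])
    wrong = PolicyMap("WRONG")
    wrong.add_class(any_snmp, "deny")
    wrong.add_class(nms_only, "permit")          # shadowed by the deny-all class
    right = PolicyMap("RIGHT")
    right.add_class(nms_only, "permit")
    right.add_class(any_snmp, "deny")
    return wrong.decide("snmp", "192.168.1.5"), right.decide("snmp", "192.168.1.5")


if __name__ == "__main__":
    ctx = build_demo_context()
    for vlan, src in ((60, "192.168.1.5"), (60, "10.2.3.4"), (50, "10.2.3.4"), (50, "192.168.1.5")):
        print(f"vlan {vlan} snmp from {src}: {ctx.decide(vlan, 'snmp', src)}")
    print("wrong order -> %s, right order -> %s" % ordering_matters())
```

The check worth keeping from this model is the one in ordering_matters: a deny-all class appended before the narrow permit shadows it, and on the ACE the only way to fix that without deleting classes is the insert-before keyword shown in the Examples that follow.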
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
If you are applying the policy map globally to all of the VLANs
associated with a context
no service-policy input policy_name
Example:
host1/Admin(config)# no service-policy input SNMP_MGMT_ALLOW_POLICY
Step 3
Note
To apply the policy map globally to all VLAN interfaces in the same context, see the Applying a Service
Policy Globally to All VLAN Interfaces in the Same Context section.
Guidelines and Restrictions
The ACE allows only one policy of a specific feature type to be activated on a given interface.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Step 3
Example:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)#
ip address
Example:
host1/Admin(config-if)# ip address 172.20.1.100 255.255.0.0
Step 4
Example:
host1/Admin(config-if)# service-policy input SNMP_MGMT_ALLOW_POLICY
Step 5
Displaying SNMP and Service Policy Statistics
Purpose
show snmp [community | engineID | group | host | sessions | user]
Displays SNMP statistics and configured SNMP information. By default, this command displays the
ACE contact, ACE location, packet traffic information, community strings, and user information.
Table 7-7 describes the fields in the show snmp command output.
You can instruct the ACE to display specific SNMP information by including the appropriate keyword.
The keywords are as follows:
Table 7-7
Field
Description
Sys contact
Sys location
Number of packets that request an operation not allowed for that community
Encoding errors
Table 7-7
Field
Description
Get-request PDUs
Get-next PDUs
Set-request PDUs
Number of SNMP packets that were larger than the maximum packet size
Number of SNMP requests that specified a MIB object that does not exist
Number of SNMP set requests that specified an invalid value for a MIB object
General errors
Number of SNMP set requests that failed due to some other error, such as a noSuchName
error, badValue error, or any of the other specific errors
Community
Group/Access
User
Auth
Priv
Group
Table 7-8
Field
Description
Community
SNMP community name for the ACE. Since the output of the show snmp community
command is sorted on an index that is a randomly-generated string, the communities are
not displayed in any given order.
Group/Access
Table 7-9
Field
Description
Table 7-10
Field
Description
Group name
Name of the SNMP group or collection of users that have a common access policy
Security model
Security level
Read view
Write view
Notify view
Table 7-10
Field Descriptions for the show snmp group Command Output (continued)
Field
Description
Storage-type
Whether the settings are stored in volatile (temporary) memory on the device, or in nonvolatile
(persistent) memory, where they survive a power cycle
Row status
Indicates whether the Row status for the SNMP group is active or inactive
Table 7-11
Field
Description
Host
Port
Version
Level
Type
SecName
Table 7-12
Field
Description
Destination
Table 7-13
Field
Description
User
Auth
Priv
Group
Purpose
Note
Examples
The following example shows how to display service policy statistics for the
SNMP_MGMT_ALLOW_POLICY policy map:
host1/Admin# show service-policy SNMP_MGMT_ALLOW_POLICY
Status
: ACTIVE
Description: Allow mgmt protocols
----------------------------------------Context Global Policy:
service-policy: SNMP_MGMT_ALLOW_POLICY
SERVER1
192.168.252.245
SERVER2
192.168.252.246
SERVER3
192.168.252.247
Example of an SNMP Configuration
CHAPTER
Note
The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise
noted.
This chapter describes how to use Extensible Markup Language (XML) to remotely configure an ACE
from a network management station (NMS). You can transmit, exchange, and interpret data among the
applications.
This chapter contains the following major sections:
Default Settings
8-1
Chapter 8
all of the parameters of the CLI command are attributes of that element. The ACE uses an Apache HTTP
server to provide the XML management interface and to provide HTTP services between the ACE and
the management client. To use the ACE XML API, you must have the Admin user role.
There are three categories of commands as follows:
Configuration
Show
Executable
Ping and traceroute are executable commands. All executable commands are treated by the XML agent
as follows:
The raw mode launches executable commands, but it does not report any output; only the status of
the launch.
The XML mode does not support any executable commands; it is meant to operate only on
configuration and show commands.
Provide a mechanism using XML to transfer, configure, and monitor objects in the ACE. This XML
capability allows you to easily shape or extend the CLI query and reply data in XML format to meet
different specific business needs.
Transfer show command output from the ACE CLI interface in an XML format for statistics and
status monitoring. This capability allows you to query and extract data from the ACE.
Use the ACE XML schema for formatting CLI queries or parsing the XML results from the ACE to
enable third-party software development through XML communications.
Provide session and context management by the global administrator and other privileged users that
have the Admin user role.
XML Schema
When you use XML to transfer configuration data and results, the NMS connects to the ACE and sends
a new configuration in an XML document to the ACE over HTTP or HTTPS. The ACE then applies the
new configuration. The XML agent on the ACE checks the XML output that the ACE generates before
sending it to the client. If the output contains incorrect syntax including unsupported characters, the
agent displays the following error message:
Generated XML was not well-formed.
response instead.
The following example shows the HTTP conversation between the client and the server, as related to the
XML implementation on the ACE:
******** Client **************
POST /bin/xml_agent HTTP/1.1
Authorization: Basic VTpQ
Content-Length: 95
xml_cmd=<request_xml>
<interface type="vlan" number="80">
<access-group access-type="input" name="acl1"/>
<ip_address ="60.0.0.145" netmask="255.255.255.0"/>
<shutdown sense="no"/>
</interface>
<show_running-config/>
</request_xml>
******** Server **************
HTTP/1.1 200 OK
Content-Length: 21
<response_xml>
<config_command>
<command>
interface vlan 80
ip address 60.0.0.145 255.255.255.0
access-group input acl1
no shutdown
</command>
<status code="100" text="XML_CMD_SUCCESS"/>
</config_command>
</response_xml>
******** Client **************
POST /bin/xml_agent HTTP/1.1
Content-Length: 95
xml_cmd=<request_xml>
<show_running-config/>
</request_xml>
******** Server **************
HTTP/1.1 401 Unauthorized
Connection: close
WWW-Authenticate: Basic realm="/xml-config"
Table 8-1
Return Code  Description
200  OK
201  Created
202  Accepted
203  Non-Authoritative Information
206  Partial Content
301  Moved Permanently
302  Found
400  Bad Request
401  Unauthorized
403  Forbidden
404  Not Found
405  Method Not Allowed
406  Not Acceptable
408  Request Timeout
411  Length Required
500  Internal Server Error
501  Not Implemented
505  HTTP Version Not Supported
The descriptions are the standard HTTP/1.1 reason phrases for these codes.
WWW-Authenticate (sent to the client when credentials are required and missing)
Authorization (sent from the client to specify basic credentials in base 64 encoding)
Note that the HTTP return code does not report XML-level failures. When an XML error occurs, the
HTTP response still carries a 200 return code; the failure is reported inside the XML. The portion of
the original XML document with the error is returned with an error element that contains the error
type and description.
The following is a typical example of an XML error response:
<response_xml>
<config_command>
<command>
interface vlan 20
no shut
description xyz
exit
</command>
<status code="200" text="XML_CMD_FAILURE">
<error_command> description xyz </error_command>
<error_message> unrecognized element - description </error_message>
</status>
</config_command>
</response_xml>
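The HTTP conversation and the error response above carry two points a client must get right: Basic credentials are only base64, so they belong on HTTPS, and a failed command still comes back with HTTP 200, so success has to be read from the status element. The following Python is an added example written for this page, not code from Cisco or from the ACE. It assumes the agent path /bin/xml_agent and the body form xml_cmd=<request_xml>... exactly as the conversation shows them (the XML is not form-encoded, which is taken from the page rather than verified against a device), and the two sample replies are constructed from the examples above, not captured traffic.

```python
"""Added example (not ACE code): build a request for the ACE XML agent and
decide success from the reply's status element rather than the HTTP status."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

XML_AGENT_PATH = "/bin/xml_agent"   # path taken from the HTTP conversation on the page


def transport_is_safe(url: str) -> bool:
    """Basic auth is base64, not encryption: only hand credentials to https."""
    return urlsplit(url).scheme == "https"


def build_request(url: str, username: str, password: str, request_xml: str) -> Tuple[Dict[str, str], str]:
    """Return (headers, body) for a POST to the XML agent.

    The body follows the page's conversation literally (xml_cmd=<request_xml>...),
    without form-encoding the XML; that is an assumption taken from the page."""
    if not transport_is_safe(url):
        raise ValueError("refusing to send Basic credentials over plaintext HTTP")
    if urlsplit(url).path != XML_AGENT_PATH:
        raise ValueError(f"expected the agent at {XML_AGENT_PATH}")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    body = "xml_cmd=" + request_xml
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Length": str(len(body.encode("utf-8"))),
    }
    return headers, body


def parse_response(text: str) -> List[Dict[str, object]]:
    """One record per <config_command>/<exec_command>. A failed command still
    arrives with HTTP 200, so the status element's text is the only signal."""
    root = ET.fromstring(text)
    if root.tag != "response_xml":
        raise ValueError(f"unexpected root element <{root.tag}>")
    records = []
    for cmd in root:
        status = cmd.find("status")
        if status is None:
            raise ValueError(f"<{cmd.tag}> carries no status element")
        records.append({
            "kind": cmd.tag,
            "command": " ".join((cmd.findtext("command") or "").split()),
            "code": status.get("code"),
            "ok": status.get("text") == "XML_CMD_SUCCESS",
            "error_command": (status.findtext("error_command") or "").strip(),
            "error_message": (status.findtext("error_message") or "").strip(),
        })
    return records


def all_succeeded(text: str) -> bool:
    return all(r["ok"] for r in parse_response(text))


# Constructed replies modelled on the page's examples; not captured from a device.
SUCCESS_REPLY = """<response_xml>
<config_command>
<command>
interface vlan 80
ip address 60.0.0.145 255.255.255.0
no shutdown
</command>
<status code="100" text="XML_CMD_SUCCESS"/>
</config_command>
</response_xml>"""

FAILURE_REPLY = """<response_xml>
<config_command>
<command>
interface vlan 20
no shut
description xyz
exit
</command>
<status code="200" text="XML_CMD_FAILURE">
<error_command> description xyz </error_command>
<error_message> unrecognized element - description </error_message>
</status>
</config_command>
</response_xml>"""


if __name__ == "__main__":
    # Address assumed for illustration (the page's Admin context example address).
    headers, body = build_request("https://10.6.252.63/bin/xml_agent", "U", "P",
                                  "<request_xml><show_running-config/></request_xml>")
    print(headers["Authorization"])          # Basic VTpQ, the header in the conversation above
    for reply in (SUCCESS_REPLY, FAILURE_REPLY):
        for rec in parse_response(reply):
            print(rec["kind"], rec["code"], "ok" if rec["ok"] else rec["error_message"])
```

The credential pair U:P is what the page's Authorization header decodes to; the point of printing it is that anyone on the path of a plain-HTTP session can do the same decode, which is why build_request refuses a non-https URL outright instead of warning.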
The returned error codes correspond to the attributes of the configuration element. The possible returned
XML error can include any of the following:
XML_ERR_WELLFORMEDNESS
XML_ERR_ATTR_INVALID
XML_ERR_ELEM_INVALID
XML_ERR_CDL_NOT_FOUN
XML_ERR_INTERNAL
XML_ERR_COMM_FAILURE
XML_ERR_VSH_PARSER
XML_ERR_VSH_CONF_APPLY
XML Schema
An XML schema is the basis for XML configuration documents that you create using the ACE. The
purpose of an XML schema is to define the legal building blocks of an XML document by defining the
document structure with a list of legal elements.
The schema designates an XML list that specifies precisely which elements can appear in a request,
query, or response document. It also specifies the contents and attributes of the elements. A schema can
be declared inline in your XML document or as an external reference.
The ACE XML schema file, schema.xsd, is included as part of the software image and is accessible from
a web browser using either HTTP or HTTPS. See the Accessing the ACE XML Schema File section
for details.
You can use a web browser to access the ACE XML schema file as follows:
(ACE module only) Directly access the schema.xsd file or open the file from the Cisco ACE Module
Management page.
(ACE appliance only) Directly access the schema.xsd file or open the file from the Cisco ACE
Appliance Management page.
The following example shows the sequence of ACE CLI commands for creating a real server followed
by the associated XML schema rserver elements for the commands:
[no] rserver [host | redirect] name
[no] conn-limit max maxconns [min minconns]
[no] description string
[no] inservice
[no] ip address {ip_address}
[no] probe name
[no] weight number
<!--
**********************************************************************
Elements, Attributes and Entities required for rserver
**********************************************************************
-->
<!-- probe-name is a string of length 1 to 32. -->
<!ELEMENT probe_rserver EMPTY>
<!ATTLIST probe_rserver
    sense         CDATA   #FIXED "no"
    probe-name    CDATA   #REQUIRED
>
<!-- relocation-str length is 1 to 127 -->
<!ELEMENT webhost-redirection EMPTY>
<!ATTLIST webhost-redirection
    sense              (yes | no)    #IMPLIED
    relocation-string  CDATA         #REQUIRED
    redirection-code   (301 | 302)   #IMPLIED
>
<!--
type is optional for host.
ipaddress, probe and weight are valid only when type = host.
name length is 1 to 32.
webhost-redirection is valid only if type=redirect.
-->
<!ELEMENT rserver (description, ip_address, conn-limit, probe_rserver,
                   weight, inservice, webhost-redirection)*>
<!ATTLIST rserver
    sense   CDATA               #FIXED "no"
    type    (redirect | host)   #IMPLIED
    name    CDATA               #REQUIRED
>
Caution
To use the ACE XML interface, you must have the Admin user role.
If you use XML mode (request_xml), you cannot run the ping or the traceroute command. If you
use raw mode (request_raw), the ping and the traceroute commands always return success,
regardless of the actual command result.
(ACE module only) The ACE module creates two default user accounts at startup: admin and www.
The admin user is the global administrator and cannot be deleted. The ACE module uses the www
user account for the XML interface and www cannot be deleted.
(ACE appliance only) The ACE appliance creates the following default user accounts at startup:
admin, dm, and www. The admin user is the global administrator and cannot be deleted. The dm user
is for accessing the Device Manager GUI and cannot be deleted (it is an internal user that is required
by the Device Manager GUI and is hidden on the CLI). The ACE appliance uses the www user
account for the XML interface and it cannot be deleted.
When you upgrade your ACE software as follows, you must change the default www user password if
you have not already done so:
- (ACE module only) to version A2(1.1) or higher
- (ACE appliance only) to version A3(1.0) or higher
Otherwise, after you upgrade the ACE software, the www user will be disabled and you will not be able
to use XML to remotely configure an ACE until you change the default www user password. See Chapter
2, Configuring Virtualization, in the Virtualization Guide, Cisco ACE Application Control Engine for
details on changing a user account password. In this case, the user would be www.
Default Settings
XML responses automatically appear in XML format if the corresponding CLI show command output
supports the XML format. However, if you are running commands on the CLI console or you are running
raw XML responses from NMS, the XML responses appear in regular CLI display format. See the
Enabling the Display of Raw XML Request show Command Output in XML Format section for
details. For details on the show command output supported in XML format, consult the schema.xsd file.
Enabling the Display of Raw XML Request show Command Output in XML Format
If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the
desired context. If necessary, log directly in to, or change to, the correct context.
host1/Admin# changeto C1
host1/C1#
The rest of the examples in this table use the Admin context, unless otherwise specified. For details on
creating contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.
Step 2
Step 3
Create a Layer 3 and Layer 4 class map to classify the HTTP or HTTPS management traffic that can be
received by the ACE.
(ACE module only)
host1/Admin(config)# class-map type management match-all HTTPS-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol https source-address 192.168.1.1
255.255.255.255
host1/Admin(config-cmap-mgmt)# exit
Step 4
Step 5
Attach the traffic policy to a single interface or globally on all VLAN interfaces associated with a
context, and specify the direction in which the policy should be applied. For example, to specify an
interface VLAN and apply multiple service policies to the VLAN, enter:
(ACE module only)
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 192.168.10.1 255.255.0.0
host1/Admin(config-if)# service-policy input MGMT_HTTPS_POLICY
host1/Admin(config-if)# exit
host1/Admin(config)# exit
Step 6
(Optional) Enable the display of raw XML request show command output in XML format.
Note
host1/Admin# xml-show on
Step 7
Class map: Provides the remote network traffic match criteria to permit HTTP and HTTPS
management traffic based on the HTTP or HTTPS network management protocol or the client source
IP address.
Policy map: Enables remote network management access for a traffic classification that matches
the criteria listed in the class map.
Service policy: Activates the policy map and attaches the traffic policy to an interface or globally
to all interfaces.
HTTP or HTTPS sessions are established to the ACE per context. For details on creating contexts and
users, see the Virtualization Guide, Cisco ACE Application Control Engine.
This section contains the following topics:
Applying a Service Policy Globally to All VLAN Interfaces in the Same Context
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Creates a Layer 3 and Layer 4 class map to classify the HTTP or HTTPS
management traffic that can be received by the ACE.
match-all: All of the match criteria listed in the class map must be satisfied to match the network
traffic class in the class map.
match-any: Only one of the match criteria listed in the class map must be satisfied to match the
network traffic class in the class map.
Command
Purpose
Step 3
description text
Example:
host1/Admin(config-cmap-mgmt)# description Allow HTTPS access to the ACE
no description
Example:
host1/Admin(config-cmap-mgmt)# no description
Step 4
Command
Purpose
Configures the class map to specify that the HTTP or HTTPS remote
network management protocol can be received by the ACE. You
configure the associated policy map to permit access to ACE for the
specified management protocol. For XML support, a class map of type
management allows IP protocols such as HTTP and HTTPS. As part of
the network management access traffic classification, you also specify
either a client source host IP address and subnet mask as the matching
criteria or instruct the ACE to allow any client source for the
management traffic classification.
Command
Purpose
Step 5
do copy running-config startup-config
Example:
host1/Admin(config-cmap-mgmt)# do copy running-config startup-config
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command
Purpose
Step 3
Command
Purpose
Step 4
permit
Example:
host1/Admin(config-pmap-mgmt-c)# permit
no permit
Example:
host1/Admin(config-pmap-mgmt-c)# no permit
deny
Example:
host1/Admin(config-pmap-mgmt-c)# deny
no deny
Example:
host1/Admin(config-pmap-mgmt-c)# no deny
Step 5
Examples
The following examples shows how to use the insert-before command to define the sequential order of
two class maps in the policy map:
(ACE module only)
host1/Admin(config-pmap-mgmt)# class HTTPS-ALLOW_CLASS insert-before L4_REMOTE_ACCESS_CLASS
IPv6 Example
The following example shows how to specify the IPv6 class-default-v6 class map for the Layer 3 and
Layer 4 traffic policy:
host1/Admin(config-pmap-mgmt)# class class-default-v6
host1/Admin(config-pmap-mgmt-c)#
IPv4 Example
The following example shows how to specify the IPv4 class-default class map for the Layer 3 and
Layer 4 traffic policy:
host1/Admin(config-pmap-mgmt)# class class-default
host1/Admin(config-pmap-mgmt-c)#
Applying a Service Policy Globally to All VLAN Interfaces in the Same Context
This section describes how to apply an existing policy map globally to all VLAN interfaces in the same
context.
Note the following guidelines when applying a service policy:
Note
Policy maps, applied globally in a context, are internally applied on all interfaces existing in the
context.
A policy activated on an interface overwrites any specified global policies for overlapping
classification and actions.
To apply the policy map to a specific VLAN interface only, see the Applying a Service Policy to a
Specific VLAN Interface section.
Guidelines and Restrictions
The ACE allows only one policy of a specific feature type to be activated on an interface.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Command
Purpose
Step 3
Note
To apply the policy map globally to all VLAN interfaces in the same context, see the Applying a Service
Policy Globally to All VLAN Interfaces in the Same Context section.
Guidelines and Restrictions
The ACE allows only one policy of a specific feature type to be activated on an interface.
Detailed Steps
Step 1
Command
Purpose
config
Example:
host1/Admin# config
host1/Admin(config)#
Step 2
Step 3
Example:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)#
ip address
Example:
host1/Admin(config-if)# ip address 192.168.10.1 255.255.0.0
Step 4
Command
Purpose
Step 5
Enabling the Display of Raw XML Request show Command Output in XML
Format
This section describes how to enable the display of raw XML request show command output in XML
format. By default, XML responses will automatically appear in XML format if the corresponding CLI
show command output supports the XML format. However, if you are running commands on the CLI
console or you are running raw XML responses from NMS, the XML responses appear in regular CLI
display format.
You can enable the display of raw XML request show command output in XML format by performing
one of the following actions:
Including the xml-show on command in the raw XML request itself (CLI commands included in an
XML wrapper).
Selection of the xml-show on command is not required if you are running true XML (as shown in the
example below).
For details on the show command output supported in XML format, consult the ACE XML schema file,
schema.xsd, that is included as part of the software image (see the Accessing the ACE XML Schema
File section). The ACE XML schema file contains the information on the XML attributes for those
show commands that have output that supports the XML format.
For example, if you specify the show interface vlan 10 command, the XML schema for the show
interface command appears as follows:
<!-- interface-number is req for show-type vlan | bvi.
     interface-number is between 1 and 4095 for vlan and 8191 for bvi. -->
<!ENTITY % show-interface
    "interface-type    (vlan | bvi | eobc)   #IMPLIED
     interface-number  CDATA                 #IMPLIED"
>
The following example illustrates the XML representation of the show interface command output:
<response_xml>
<exec_command>
<command>
show interface vlan 10
</command>
<status code="100" text="XML_CMD_SUCCESS"/>
<xml_show_result>
<xml_show_interface>
<xml_interface_entry>
<xml_interface>
<interface_name>vlan10</interface_name>
<interface_status>up</interface_status>
<interface_hardware>VLAN</interface_hardware>
<interface_mac>
<macaddress>00:05:9a:3b:92:b1</macaddress>
</interface_mac>
<interface_mode>routed</interface_mode>
<interface_ip>
<ipaddress>10.20.105.101</ipaddress>
<ipmask>255.255.255.0</ipmask>
</interface_ip>
<interface_ft_status>non-redundant</interface_ft_status>
<interface_description>
<interface_description>not set</interface_description>
</interface_description>
<interface_mtu>1500</interface_mtu>
<interface_last_cleared>never</interface_last_cleared>
<interface_alias>
<ipaddress>not set</ipaddress>
</interface_alias>
<interface_standby>
<ipaddress>not set</ipaddress>
</interface_standby>
<interface_sup_enabled>Assigned</interface_sup_enabled>
<interface_auto_status>up</interface_auto_status>
</xml_interface>
<interface_stats>
<ifs_input>
<ifs_unicast>50</ifs_unicast>
<ifs_bytes>8963</ifs_bytes>
<ifs_multicast>26</ifs_multicast>
<ifs_broadcast>1</ifs_broadcast>
<ifs_errors>0</ifs_errors>
<ifs_unknown>0</ifs_unknown>
<ifs_ignored>0</ifs_ignored>
<ifs_unicast_rpf>0</ifs_unicast_rpf>
</ifs_input>
<ifs_output>
<ifs_unicast>45</ifs_unicast>
<ifs_bytes>5723</ifs_bytes>
<ifs_multicast>0</ifs_multicast>
<ifs_broadcast>1</ifs_broadcast>
<ifs_errors>0</ifs_errors>
<ifs_ignored>0</ifs_ignored>
</ifs_output>
</interface_stats>
</xml_interface_entry>
</xml_show_interface>
</xml_show_result>
</exec_command>
</response_xml>
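A monitoring client that fetches show output in XML, as shown above, needs to turn the nested xml_show_interface structure into records and must check the status element before trusting any of it. The following Python is an added example written for this page, not Cisco code; the element names are the ones in the show interface vlan 10 output above, and the embedded reply is a constructed, trimmed copy of that output rather than a capture from a device.

```python
"""Added example (not ACE code): turn the XML form of 'show interface' output,
as returned inside <exec_command>, into plain records for monitoring."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional


def _int(elem: ET.Element, path: str) -> Optional[int]:
    """Read a counter as int; None when the element is missing or not numeric."""
    text = elem.findtext(path)
    return int(text) if text is not None and text.strip().isdigit() else None


def parse_show_interface(text: str) -> List[Dict[str, object]]:
    """Refuse to read data unless the status element says XML_CMD_SUCCESS, then
    collect every <xml_interface_entry> under <xml_show_interface>."""
    root = ET.fromstring(text)
    records: List[Dict[str, object]] = []
    for exec_cmd in root.findall("exec_command"):
        status = exec_cmd.find("status")
        if status is None or status.get("text") != "XML_CMD_SUCCESS":
            raise ValueError("show command failed: %s"
                             % ("no status" if status is None else status.get("text")))
        for entry in exec_cmd.iter("xml_interface_entry"):
            iface = entry.find("xml_interface")
            stats = entry.find("interface_stats")
            if iface is None or stats is None:
                raise ValueError("malformed xml_interface_entry")
            records.append({
                "name": iface.findtext("interface_name"),
                "status": iface.findtext("interface_status"),
                "mode": iface.findtext("interface_mode"),
                "mac": iface.findtext("interface_mac/macaddress"),
                "ip": iface.findtext("interface_ip/ipaddress"),
                "mask": iface.findtext("interface_ip/ipmask"),
                "in_unicast": _int(stats, "ifs_input/ifs_unicast"),
                "in_errors": _int(stats, "ifs_input/ifs_errors"),
                "out_unicast": _int(stats, "ifs_output/ifs_unicast"),
                "out_bytes": _int(stats, "ifs_output/ifs_bytes"),
                "out_errors": _int(stats, "ifs_output/ifs_errors"),
            })
    return records


def interfaces_needing_attention(records: List[Dict[str, object]]) -> List[str]:
    """Names of interfaces that are not up or have counted errors in either direction."""
    return [str(r["name"]) for r in records
            if r["status"] != "up" or (r["in_errors"] or 0) > 0 or (r["out_errors"] or 0) > 0]


# Constructed reply, trimmed from the page's show interface vlan 10 example.
SAMPLE_REPLY = """<response_xml>
<exec_command>
<command>show interface vlan 10</command>
<status code="100" text="XML_CMD_SUCCESS"/>
<xml_show_result>
<xml_show_interface>
<xml_interface_entry>
<xml_interface>
<interface_name>vlan10</interface_name>
<interface_status>up</interface_status>
<interface_mac><macaddress>00:05:9a:3b:92:b1</macaddress></interface_mac>
<interface_mode>routed</interface_mode>
<interface_ip><ipaddress>10.20.105.101</ipaddress><ipmask>255.255.255.0</ipmask></interface_ip>
</xml_interface>
<interface_stats>
<ifs_input><ifs_unicast>50</ifs_unicast><ifs_bytes>8963</ifs_bytes><ifs_errors>0</ifs_errors></ifs_input>
<ifs_output><ifs_unicast>45</ifs_unicast><ifs_bytes>5723</ifs_bytes><ifs_errors>0</ifs_errors></ifs_output>
</interface_stats>
</xml_interface_entry>
</xml_show_interface>
</xml_show_result>
</exec_command>
</response_xml>"""


if __name__ == "__main__":
    records = parse_show_interface(SAMPLE_REPLY)
    for rec in records:
        print(rec)
    print("needs attention:", interfaces_needing_attention(records))
```

Because a failed show command also arrives with HTTP 200, the parser raises on anything but XML_CMD_SUCCESS instead of returning an empty list; an empty inventory would otherwise be indistinguishable from a context with no interfaces.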
Details
Command
Purpose
Example:
host1/Admin# xml-show on
Details
Perform these steps to access and display the ACE XML schema file:
Step 1
If you have not done so, create a Layer 3 and Layer 4 class map and policy map to classify the HTTP or
HTTPS management traffic that can be received by the ACE. See the Configuring HTTP and HTTPS
Management Traffic Services section.
Step 2
Open your preferred Internet web browser application, such as Microsoft Internet Explorer or Netscape
Navigator.
Step 3
Access the ACE XML schema file using either of the following methods (Direct Access Method, or
Cisco ACE Module or Appliance Management Page Method):
Direct Access Method
To directly access the ACE XML schema file, enter the HTTP or HTTPS address of your ACE in the
address field of your web browser, followed by schema.xsd. For example, enter:
https://ace_ip_address/schema.xsd
http://ace_ip_address/schema.xsd
You can choose to either open the ACE XML schema file or save it to your computer.
Cisco ACE Module or Appliance Management Page Method
To access the ACE XML schema file from the Cisco ACE Module Management or Cisco ACE Appliance
Management page, perform the following steps:
a.
Enter the HTTP or HTTPS address of your ACE in the address field:
https://ace_ip_address
http://ace_ip_address
b.
Click Yes at the prompt to accept (trust) and install the signed certificate from Cisco. To install the
signed certificate, do one of the following:
If you are using Microsoft Internet Explorer, in the Security Alert dialog box, click View
Certificate, choose the Install Certificate option, and follow the prompts of the Certificate
Manager Import Wizard.
If you are using Netscape Navigator, in the New Site Certificate dialog box, click Next and
Enter your username and password in the fields provided, and then click OK. The Cisco ACE Module
Management or Cisco ACE Appliance Management page appears depending on the device type that
you are accessing.
d.
Click the CISCO ACE XML Schema link under the Resources column of the Cisco ACE Module
Management or Cisco ACE Appliance Management page to access the ACE XML schema file. You
can choose to either open the ACE XML schema file or save it to your computer.
Purpose
Note
Clears the service policy statistics associated with your XML configuration.
For the policy_name argument, enter the identifier of an existing policy map
that is currently in service (applied to an interface) as an unquoted text
string with a maximum of 64 alphanumeric characters.
Examples
The following examples shows the output for the MGMT_HTTPS_POLICY (ACE module) and
MGMT_XML-HTTPS_POLICY (ACE appliance) policy maps by using the show service-policy
command:
(ACE module only)
host1/Admin# show service-policy MGMT_HTTPS_POLICY
Status
: ACTIVE
Description: Allow mgmt protocols
----------------------------------------Context Global Policy:
service-policy: MGMT_HTTPS_POLICY
conf t
access-list acl1 extended permit ip any any
int vlan 80
access-group input acl1
ip address 60.0.0.145 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 60.0.0.1
end
<access-list id="acl1" config-type="extended" perm-value="permit"
protocol-name="ip" src-address type="any" dest-type="any"/>
<interface type="vlan" number="80">
<access-group type="input" name="acl1"/>
<ip_address ="60.0.0.145" netmask="255.255.255.0"/>
<shutdown sense="no"/>
</interface>
<ip_route dest-address="0.0.0.0" dest-mask="0.0.0.0" gateway="60.0.0.1"/>
############################
## BRIDGING CONFIGURATION ##
############################
conf t
INDEX
information, displaying 5-1
ACE
boot configuration
ACE appliance 2-25
ACE module 1-21
logging in
ACE appliance 2-7
ACE module 1-4
message-of-the-day banner
naming
ACE appliance 2-10
ACE module 1-9
password, changing administrative
ACE appliance 2-5, 2-8
ACE module 1-5
password, changing CLI account
ACE appliance 2-9
ACE module 1-7
password, changing www user (ACE
appliance only) 2-5
inactivity timeout
restarting
setting up
overview 4-24
procedure 4-27
shutting down
uses 4-24
boot configuration
BOOT environment variable
terminal settings
username, changing
ACE module
displaying
admin user
backup
archive file 4-25
defaults 4-27
directory structure 4-25
errors, displaying 4-35
guidelines and limitations 4-26
C
capturing packets 4-40
copying buffer 4-43
checkpoint, configuration
creating 4-44
deleting 4-45
displaying 4-48
rolling back to 4-46
class map
Layer 3 and 4, creating for management
traffic 8-9
XML 8-9
clearing
ICMP statistics 5-19
using 4-44
configuration command failures
displaying bulk synchronization 6-34
CLI
account password, changing
configuration files
displaying 4-5
saving session
saving 4-1
D
date and time
configuring
overview 6-5
console
context
licenses 4-11
www
disk0
creating new directory in 4-18
deleting directory in 4-18
failover
overview 4-10
forcing 6-19
stateful 6-4
displaying
copyright 5-5
FT bulk synchronization configuration
command failures 6-34
FT group information 6-35
FT peer information 6-38
FT statistics 6-40
FT tracking information 6-42
hardware information 5-2
ICMP statistics 5-19
information on ACE 5-1
memory statistics 6-38
NTP statistics and information (ACE
appliance only) 2-32
interface 6-28
overview 6-24
fault tolerance
See redundancy
file system
copying files from remote server 4-15
copying files to directory 4-11
copying files to remote server 4-14
copying image to remote server 4-15
copying licenses 4-11
copying packet capture buffer 4-12
copying scripted probe files to 4-13
creating new directory in disk0 4-18
overview 4-10
saving show command output to file 4-23
reformatting
HTTP
FT group
launching
configuring 6-15
modifying 6-17
saving session
FT peer
configuring 6-13
I
ICMP
clearing statistics 5-19
2-30
installing 3-6
inactivity timeout
managing 3-1
logging
IP address
alias 6-12
key
management access
See SNMP
licenses
backing up 3-11, 3-12
copying 4-11
notifications
options 7-54
SLB 7-53
SNMP 7-38, 7-50, 7-53
peer
See FT peer
types 7-53
overview 2-20
XML 8-12
processes
displaying 5-8
P
Q
packet buffer 4-39
capturing packets 4-40
quick start
remote access 2-3
redundancy 6-1
configuration command failures,
displaying 6-34
configuration examples 6-46
configuration synchronization overview 6-5
configuring 6-9
Telnet 2-17
remote server
FT VLAN 6-4
restarting
overview 6-1
protocol 6-2
restore
synchronizing 6-20
defaults 4-27
overview 4-24
procedure 4-28
remote access
class map, creating 2-5
enabling 2-1
network management traffic services,
configuring 2-5
policy map 2-9, 2-13, 2-14
uses 4-24
retrieving user context through the Admin
context IP address when using
SNMP 7-57
rollback service
See configuration checkpoint and rollback
service
rommon
accessing 8-19
overview 8-5
See SNMP
SNMP
service policy
session
maximum number for SSH 2-18
contact 7-48
setting up
ACE appliance 2-1
setup script
notifications 7-50
overview 7-1
viewing 4-5
statistics 7-66
FT 6-40
traps 7-38
license 3-13
memory 6-38
stopping
software licenses
See licenses
synchronizing
SSH 2-18
configuration 6-5
system processes
displaying 5-8
task flow
redundancy 6-8
SNMP 7-42
XML 8-7
user
configuring for SNMP 7-44
user context
accessing by SNMP through the Admin
context IP address 7-57
directly accessing with SSH 2-23
username
changing
ACE appliance 2-8
VLANs
for SNMP traps 7-56
FT VLAN for redundancy 6-4, 6-10
volatile file system 4-10
tracking
See failure detection
traps, SNMP 7-3, 7-38
W
www user
ACE appliance 2-7
X
XML
class map, creating 8-9
example of CLI command and XML
equivalent 8-21
HTTP and HTTPS support 8-2
HTTP return codes 8-3
management traffic, configuring 2-8, 8-8
overview 8-1
policy map, creating 8-12
schema, accessing 8-19
schema, overview 8-5
service policy 8-15, 8-16
show command output 8-17
task flow 8-7