Cisco ACE 4700 Series Application Control Engine Appliance CLI Quick Configuration Note

Table Of Contents

Cisco ACE 4700 Series Application Control Engine Appliance CLI Quick Configuration Note

ACE Features and Functionality Overview

Configuring the ACE

Establishing a Console Connection on the ACE

Logging in to the ACE

Setting the System Time and Date

Changing the Administrative Password

Assigning a Name to the ACE

Configuring an Ethernet Port

Allocating an Ethernet Port to a VLAN Trunk

Configuring VLAN Interfaces on the ACE

Configuring a Default Route

Configuring Remote Access to the ACE

Accessing the ACE through a Telnet Session

Configuring Basic VIP Load Balancing on the ACE

Configuring Real Servers

Configuring a Server Farm

Configuring the VIP Traffic Policy

Configuring an ACL

Verifying the VIP Load-Balancing Configuration

Where to Go Next

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Cisco ACE 4700 Series Application Control Engine Appliance CLI Quick Configuration Note


Software Version A1(7)

This document describes how to initially configure the Cisco 4700 Series Application Control Engine (ACE) appliance using the command-line interface (CLI) to allow traffic and perform basic virtual IP (VIP) load balancing. This document also provides references to tasks that you can perform on the ACE and where to find the information in the ACE documentation set.

By completing the quick configuration procedures in this document, your ACE will be able to perform the following tasks:

Receive network traffic

Allow network connectivity

Perform remote management through Telnet

Match VIP-destined traffic flows

Load balance these flows to real servers on the network


Note If you intend to use the Device Manager GUI to configure the ACE, see the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Quick Configuration Note.


This document contains the following sections.

ACE Features and Functionality Overview

Configuring the ACE

Configuring Basic VIP Load Balancing on the ACE

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

ACE Features and Functionality Overview

The ACE performs high-performance server load balancing (SLB) among groups of servers, server farms, firewalls, and other network devices, based on Layer 3 and Layer 4 through Layer 7 packet information. The ACE provides the following major features and functionality:

Ethernet Interfaces—The ACE provides four physical Ethernet ports that provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN and can carry traffic within a designated VLAN interface. For more information, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

Routing and Bridging—You configure the corresponding VLAN interfaces on the ACE as either routed or bridged. When you configure an IP address on an interface, the ACE automatically configures it as a routed mode interface. When you configure a bridge group on an interface VLAN, the ACE automatically configures it as a bridged interface. For more information, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

Traffic Policies—The ACE allows you to perform advanced administration tasks such as using traffic policies to classify traffic flow and the action to take for the type of traffic. Traffic policies consist of class maps, policy maps, and service policies. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Redundancy—Redundancy provides fault tolerance for the stateful switchover of flow and offers increased uptime for a more robust network. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Virtualization—Virtualization allows you to manage ACE system resources and users and the services provided to your customers. Multiple contexts use virtualization to partition your ACE into multiple virtual devices or contexts. For more information, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

Server Load Balancing—Server load balancing (SLB) on the ACE provides network traffic policies for SLB, real servers and server farms, health monitoring through probes, and firewall load balancing. For more information, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.

ACE Security Features—The ACE contains several security features including ACLs, NAT, user authentication and accounting, HTTP deep packet inspection, FTP command request inspection, and application protocol inspection of DNS, HTTP, ICMP, or RTSP. For more information, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

Secure Sockets Layer—The SSL protocol on the ACE provides encryption technology for the Internet, ensuring secure transactions. For more information, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide.

Application Acceleration and Optimization—The ACE includes several optimization technologies to accelerate web application performance, optimize network performance, and improve access to critical business information. For more information, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide.

Command-Line Interface—The CLI is a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.

Device Manager GUI Interface—The ACE Device Manager GUI resides in Flash memory on the appliance to provide a browser-based interface for configuring and managing the ACE. For more information, see the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide and the Device Manager Online help.

Configuring the ACE

This section describes the tasks to configure the ACE from the CLI:

Establishing a Console Connection on the ACE

Logging in to the ACE

Setting the System Time and Date

Changing the Administrative Password

Assigning a Name to the ACE

Configuring an Ethernet Port

Allocating an Ethernet Port to a VLAN Trunk

Configuring VLAN Interfaces on the ACE

Configuring a Default Route

Configuring Remote Access to the ACE

Accessing the ACE through a Telnet Session

For detailed command syntax information for the ACE CLI commands, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.

Before performing the procedures in this section, ensure that you have completed the ACE installation instructions as described in the Cisco Application Control Engine Appliance Hardware Installation Guide.

Establishing a Console Connection on the ACE

The ACE has one standard RS-232 serial port located on its rear panel that operates as the console port. You establish a direct serial connection between your terminal or a PC and the ACE by making a serial connection to this console port. The integrated serial port uses a 9-pin male D-shell connector. Use a straight-through cable to connect the ACE to the terminal or a PC. For instructions on connecting a console cable to your ACE appliance, see the Cisco Application Control Engine Appliance Hardware Installation Guide.

Any device connected to this port must be capable of asynchronous transmission. Connection requires a terminal configured as 9600 baud, 8 data bits, hardware flow control on, 1 stop bit, no parity.


Note Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH sessions on the Ethernet ports.


Once connected, you can use any terminal communications application to access the ACE CLI. The following procedure uses HyperTerminal for Windows.

To access the ACE by using a direct serial connection, perform the following steps:


Step 1 Launch HyperTerminal. The Connection Description window appears.

Step 2 Enter a name for your session in the Name field.

Step 3 Click OK. The Connect To window appears.

Step 4 From the drop-down list, choose the COM port to which the device is connected.

Step 5 Click OK. The Port Properties window appears.

Step 6 Set the port properties:

Baud Rate = 9600

Data Bits = 8

Hardware Flow Control = On

Parity = none

Stop Bits = 1

Step 7 Click OK to connect.

Step 8 Press Enter to access the CLI prompt.

switch login: 


When you boot the ACE for the first time and the appliance does not detect a startup-configuration file, the setup script appears. The setup script is intended to simplify connectivity to the Device Manager GUI on the ACE. For this quick configuration procedure, enter no at the setup prompt to bypass the script and directly access the CLI.

Logging in to the ACE

To log in to the ACE, perform the following steps. Ensure that you have established a direct serial connection between your terminal or a PC and the ACE (see the "Establishing a Console Connection on the ACE" section).


Step 1 At the login prompt, log into the ACE by entering the login username and password. By default, the username and password are admin.

switch login: admin
Password: admin

Step 2 You are ready to use the ACE CLI when the following prompt appears:

switch/Admin# 


Note For security reasons, you should change the administrative password. If you do not change the administrative password, your ACE security can be compromised because the administrative password is configured to be the same for every ACE shipped from Cisco Systems. See the "Changing the Administrative Password" section.


Step 3 To prevent this current session from timing out, set the terminal session-timeout command to 0. By default, a session on the ACE is automatically logged out after 5 minutes of inactivity.

switch/Admin# terminal session-timeout 0

Step 4 To disable the inactivity timeout when you log in to the ACE, access configuration mode and set the login timeout command to 0. For example, enter:

switch/Admin# configure
Enter configuration commands, one per line. End with CNTL/Z
switch/Admin(config)# login timeout 0
switch/Admin(config)# exit
switch/Admin# 


Setting the System Time and Date

To manually change the time and the date for an ACE, use the clock set hh:mm:ss DD MONTH YYYY command in Exec mode. When you enter this command, the ACE displays the current configured date and time.

To enter the current time, specify two digits for the hours, minutes, and seconds, separated by colons.

To enter the current date, specify the one or two digits for the day, the full name of the month, and four digits for the year.

For example, to specify a time of 1:38:30 and a date of October 7, 2007, enter:

host1/Admin# clock set 01:38:30 7 Oct 2007
Sun Oct 7 01:38:30 PST 2007

Note If you want to use the Network Time Protocol (NTP) to automatically synchronize the ACE system clock to an authoritative time server (such as a radio clock or an atomic clock), see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. In this configuration, the NTP time server automatically sets the ACE system clock.


Changing the Administrative Password

During the initial login process to the ACE, you enter the default user name admin and the default password admin in lowercase text. You cannot modify or delete the default administrative username; however, for security reasons, you should change the administrative password. If you do not change the administrative password, your ACE security can be compromised because the administrative password is configured to be the same for every ACE shipped from Cisco Systems.

Change the default administrative password by using the username command in configuration mode.

For example, to change the password to the encrypted password mysecret_801, enter:

switch/Admin# configure
Enter configuration commands, one per line. End with CNTL/Z
switch/Admin(config)# username admin password 5 mysecret_801

Assigning a Name to the ACE

The hostname is used for the command-line prompts and default configuration filenames. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. By default, the hostname for the ACE is switch.

Change the hostname for the ACE by using the hostname command in configuration mode. Enter a case-sensitive name that contains from 1 to 32 alphanumeric characters. For example, to change the hostname of the ACE from switch to host1, enter:

switch/Admin(config)# hostname host1

The prompt appears with the new hostname:

host1/Admin(config)# 

Configuring an Ethernet Port

The four physical Ethernet ports connect servers, PCs, routers, and other devices to the ACE. You can configure each of the four ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN and can carry traffic within a designated VLAN.

To configure a Layer 2 Ethernet port on the ACE, use the interface gigabitEthernet command in configuration mode. The ACE enters the interface configuration mode where you configure the attributes for the selected Ethernet port.


Note Only users authenticated in the Admin context can use the interface gigabitEthernet command.


To configure an Ethernet port, perform the following steps:


Step 1 Configure a Layer 2 Ethernet port on the ACE by using the interface gigabitEthernet slot_number/port_number command in configuration mode.


Note The slot_number specifies the physical slot on the ACE containing the Ethernet ports. This selection is always 1.


For example, to configure Ethernet port 2 and enter interface configuration mode, enter:

host1/Admin(config)# interface gigabitEthernet 1/2
host1/Admin(config-if)#

Step 2 (Optional) Add a description about the Ethernet port by using the description command in interface configuration mode. A description can help you remember the port's function.

host1/Admin(config-if)# description Ethernet port 2 is configured for speeds of 100 Mbps and full-duplex operation

Step 3 Configure the interface duplex and speed (default is auto-negotiate) by using the speed and duplex commands in interface configuration mode. For example, to specify a speed of 100 Mbps and to configure Ethernet port 2 for full-duplex operation, enter:

host1/Admin(config-if)# speed 100M
host1/Admin(config-if)# duplex full

Step 4 Enable the Ethernet port by using the no shutdown command in interface configuration mode. This command puts the interface in the Up administrative state.

host1/Admin(config-if)# no shutdown

Step 5 Verify the configuration of the interface by using the do command with the show interface command.


Note When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.


host1/Admin(config-if)# do show interface gigabitEthernet 1/2
GigabitEthernet Port 1/2:
----------------------------
Description:
configured status: (ADMIN UP), speed: (100M), duplex: (FULL)
link status: (UP), speed: (100M), duplex: (FULL)


Allocating an Ethernet Port to a VLAN Trunk

After you configure an Ethernet port, the next step is to allocate it to a VLAN trunk by using the switchport trunk allowed vlan command in interface configuration mode.

To allocate a VLAN to an Ethernet port, perform the following steps:


Step 1 Assign one or more VLAN numbers to the Ethernet port by using the switchport trunk allowed vlan vlan_list command in interface configuration mode. The vlan_list argument can be as follows:

Single VLAN number

Range of VLAN numbers separated by a hyphen

Specific VLAN numbers separated by commas

Valid entries are 1 through 4094. Do not enter any spaces between the dash-specified ranges or the comma-separated numbers in the vlan_list argument.


Note When associating VLANs to Ethernet ports, overlapping is not allowed. For example, if you associate VLAN 10 with Ethernet port 1, you cannot associate VLAN 10 with another Ethernet port.


For example, to add VLAN 10 to the defined list of VLANs currently set for Ethernet port 2, enter:

host1/Admin(config)# interface gigabitEthernet 1/2
host1/Admin(config-if)# switchport trunk allowed vlan 10


Note It is not necessary to create a VLAN interface before allocating a VLAN to an Ethernet port. To configure a VLAN interface, use the interface vlan command in configuration mode as described in the "Configuring VLAN Interfaces on the ACE" section.


Step 2 Enable VLAN trunking for the specified Layer 2 Ethernet port by using the no shutdown command in interface configuration mode.

host1/Admin(config-if)# no shutdown

Now you are ready to create the corresponding VLAN interfaces on the ACE. See the "Configuring VLAN Interfaces on the ACE" section for details.
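The vlan_list rules stated above (a single number, a hyphenated range, comma-separated numbers, valid IDs 1 through 4094, no spaces) and the note that a VLAN cannot be allocated to more than one Ethernet port can be checked before the switchport trunk allowed vlan commands are typed. The following Python script is an added example and is not part of this note or of the ACE software; the port names and the VLAN allocation it checks are constructed sample data.

```python
"""Parse and validate the vlan_list argument of the ACE
'switchport trunk allowed vlan' command and check the no-overlap rule
between Ethernet ports. Added example, not Cisco's code."""

import re

VLAN_MIN, VLAN_MAX = 1, 4094
# one entry: "10" or "10-20" (hyphenated range); no other form is accepted
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(vlan_list: str) -> set[int]:
    """Expand a vlan_list string ("10", "10-20", "10,30,40-42") into the
    set of VLAN IDs it names. Raises ValueError for spaces, malformed or
    reversed ranges, and IDs outside 1-4094, as the note requires."""
    if not vlan_list or any(c.isspace() for c in vlan_list):
        raise ValueError("vlan_list must be non-empty and contain no spaces")
    vlans: set[int] = set()
    for token in vlan_list.split(","):
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"malformed VLAN entry {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"range {token!r} is reversed")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN IDs must be {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def find_overlaps(port_vlans: dict[str, str]) -> dict[int, list[str]]:
    """Given {port: vlan_list}, return {vlan: [ports]} for every VLAN that
    is allocated to more than one port; the ACE rejects such overlaps."""
    owners: dict[int, list[str]] = {}
    for port, vlan_list in port_vlans.items():
        for vlan in parse_vlan_list(vlan_list):
            owners.setdefault(vlan, []).append(port)
    return {v: ports for v, ports in owners.items() if len(ports) > 1}


if __name__ == "__main__":
    # Constructed sample allocation: VLAN 10 on both ports is exactly the
    # overlap case the note describes.
    sample = {"gigabitEthernet 1/1": "10,20-22", "gigabitEthernet 1/2": "10,57"}
    print(find_overlaps(sample))
```

Running the script with the sample allocation reports VLAN 10 as owned by both ports; an empty result means the allocation can be entered as-is.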



Configuring VLAN Interfaces on the ACE

After you allocate the configured Ethernet ports to a VLAN trunk, configure a VLAN interface by assigning an IP address to a VLAN interface on the ACE. Each configured VLAN interface provides client connectivity over the network.


Note The ACE requires a route (which may be the default route) back to the client before it can forward a request to a server. If the route back is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE.


To configure a VLAN interface on the ACE, perform the following steps:


Step 1 Access interface configuration mode for the VLAN by using the interface vlan command. For example, to create VLAN 10, enter:

host1/Admin(config)# interface vlan 10
host1/Admin(config-if)#

Step 2 Assign an IP address to a VLAN interface for client connectivity by using the ip address command. For example, to set the IP address of 172.16.110.8 and a subnet mask of 255.255.255.192 for the ACE, enter:

host1/Admin(config-if)# ip address 172.16.110.8 255.255.255.192

Step 3 (Optional) Provide a description for the interface by using the description command.

host1/Admin(config-if)# description Client side connectivity on VLAN 10

Step 4 Enable the VLAN interface by using the no shutdown command.

host1/Admin(config-if)# no shutdown

Step 5 Verify that VLAN 10 is active by using the do command with the show interface command.

host1/Admin(config-if)# do show interface vlan 10


Note When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.


Step 6 Verify the network connectivity by using the ping command. This command verifies the connectivity of a remote host or server by sending echo messages from the ACE.

host1/Admin(config-if)# do ping 172.16.11.1

Step 7 Display the ARP table by using the show arp command.

host1/Admin(config-if)# do show arp

Step 8 Use the exit command to reenter configuration mode.

host1/Admin(config-if)# exit
host1/Admin(config)# 


Configuring a Default Route

The default route identifies the IP address where the ACE sends all IP packets for which it does not have a route. To configure a default route, use the ip route dest_ip_prefix netmask gateway_ip_address command.

For example, to set the IP address and subnet mask for the default route (0.0.0.0/0) and the default gateway to 172.16.110.1, an address on the same network as the VLAN 10 interface configured above, enter:

host1/Admin(config)# ip route 0.0.0.0 0.0.0.0 172.16.110.1

To display the ACE routing table, use the show ip route command.

host1/Admin(config)# do show ip route

Note When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.
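Two conditions from the preceding sections are easy to get wrong and easy to check: the next hop of an ip route must be on a network of one of the ACE's own interfaces, and (see the note in "Configuring VLAN Interfaces on the ACE") the ACE must have a route back to the client, either a directly connected interface network or a configured route such as the default route. The following Python script is an added example, not part of this note or of the ACE software; it uses the interface address, mask and gateway from the commands above, and the client addresses it tests are constructed.

```python
"""Consistency checks for ACE interface addresses and routes.
Added example, not Cisco's code. Uses only the standard library."""

import ipaddress

# Values from the 'ip address' and 'ip route' commands in this note.
VLAN10 = ("172.16.110.8", "255.255.255.192")
DEFAULT_ROUTE = ("0.0.0.0", "0.0.0.0")
GATEWAY = "172.16.110.1"


def interface_network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Network of an 'ip address <ip> <mask>' interface statement."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def gateway_on_link(interfaces: list[tuple[str, str]], gateway: str) -> bool:
    """The next hop given to 'ip route' must be directly reachable through
    one of the ACE's own VLAN interfaces; otherwise the route is unusable."""
    addr = ipaddress.IPv4Address(gateway)
    return any(addr in interface_network(ip, mask) for ip, mask in interfaces)


def has_return_route(interfaces: list[tuple[str, str]],
                     routes: list[tuple[str, str]], client: str) -> bool:
    """True if the ACE can send a reply to 'client': the client is either on
    a directly connected interface network or covered by a configured route
    (routes are (prefix, netmask) pairs as given to 'ip route'; 0.0.0.0
    0.0.0.0 is the default route). Without this the ACE drops the request."""
    addr = ipaddress.IPv4Address(client)
    connected = [interface_network(ip, mask) for ip, mask in interfaces]
    configured = [ipaddress.IPv4Network(f"{p}/{m}") for p, m in routes]
    return any(addr in net for net in connected + configured)


def report(interfaces, routes, gateway, clients) -> dict[str, bool]:
    """Named results for the checks a practitioner wants before testing."""
    results = {"gateway_on_link": gateway_on_link(interfaces, gateway)}
    for c in clients:
        results[f"return_route_to_{c}"] = has_return_route(interfaces, routes, c)
    return results


if __name__ == "__main__":
    # Constructed client addresses: one on the VLAN 10 network, one remote.
    for name, ok in report([VLAN10], [DEFAULT_ROUTE], GATEWAY,
                           ["172.16.110.20", "10.1.1.1"]).items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
```

With the default route present every check passes; remove the default route and the remote client 10.1.1.1 is reported as lacking a return route, which is the condition the note says makes the ACE drop the client's request.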


Configuring Remote Access to the ACE

Before remote network access can occur on the ACE through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE.

To configure remote network management to enable remote access to the ACE, perform the following steps:


Step 1 Create a class map by using the class-map type management command in configuration mode; the ACE then enters class map management configuration mode. For example, to create a management type class map named REMOTE_ACCESS that matches any traffic, enter:

host1/Admin(config)# class-map type management match-any REMOTE_ACCESS
host1/Admin(config-cmap-mgmt)#

Step 2 (Optional) Provide a description for the class map by using the description command.

host1/Admin(config-cmap-mgmt)# description Remote access traffic match

Step 3 Configure the match protocol that permits network management traffic by using the match protocol command. For example, to permit traffic based on the protocol of SSH, Telnet, and ICMP for any source address, enter:

host1/Admin(config-cmap-mgmt)# match protocol telnet any
host1/Admin(config-cmap-mgmt)# match protocol ssh any
host1/Admin(config-cmap-mgmt)# match protocol icmp any

Step 4 Use the exit command to reenter configuration mode.

host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)# 

Step 5 Create a policy map for traffic destined to an ACE interface, and then access policy map management configuration mode by using the policy-map type management first-match command. For example, to create the REMOTE_MGMT_ALLOW_POLICY policy map, enter:

host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#

Step 6 Apply the class map to this policy and access policy map class configuration mode by using the class command. For example, to apply the previously created REMOTE_ACCESS class map to this policy, enter:

host1/Admin(config-pmap-mgmt)# class REMOTE_ACCESS
host1/Admin(config-pmap-mgmt-c)#

Step 7 Allow the ACE to receive the configured class map management protocols by using the permit command.

host1/Admin(config-pmap-mgmt-c)# permit

Step 8 Use the exit command to reenter configuration mode.

host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)# 

Step 9 Access interface configuration mode for the VLAN to which you want to apply the policy map. For example, to access the interface configuration mode for VLAN 10, enter:

host1/Admin(config)# interface vlan 10
host1/Admin(config-if)#

Step 10 Apply the policy map to the interface by using the service-policy input command. For example, to apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface, enter:

host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Step 11 View the applied service policy on the interface by using the do command with the show service-policy command. For example, to display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface, enter:

host1/Admin(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY


Note When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.


Step 12 Save your configuration changes from the running configuration to the startup configuration.

host1/Admin(config-if)# do copy running-config startup-config

Step 13 Display the running configuration by using the show running-config command.

host1/Admin# show running-config
Generating configuration....

login timeout 0
hostname host1
interface gigabitEthernet 1/2
  description Ethernet port 2 is configured for speeds of 100 Mbps and full-duplex
  speed 100M
  duplex FULL
  switchport trunk allowed vlan 10
  no shutdown

class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

interface vlan 10
  ip address 172.16.110.8 255.255.255.192
  description Client side connectivity
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.110.1
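The class-map, policy-map and service-policy lines in the running configuration above determine exactly which management protocols each VLAN interface accepts, which is worth confirming from the saved configuration rather than from memory. The following Python script is an added example, not part of this note or of the ACE software: it parses the management policy out of a running configuration (constructed here from the output above) and reports, per interface, the permitted protocols and which of them are cleartext. The parser covers only the block types shown in this note and treats every permitted class additively, which is exact for the single-class policy here; the set of protocols it flags as cleartext is my choice, not a list from Cisco.

```python
"""Extract the management traffic policy from an ACE running-config and
report the protocols each VLAN interface accepts. Added example, not
Cisco's code. Handles the class-map type management, policy-map type
management and interface vlan blocks as shown in this note."""

import re
from collections import defaultdict

# Constructed sample: the running-config shown in Step 13.
SAMPLE_CONFIG = """\
login timeout 0
hostname host1
interface gigabitEthernet 1/2
  description Ethernet port 2 is configured for speeds of 100 Mbps and full-duplex
  speed 100M
  duplex FULL
  switchport trunk allowed vlan 10
  no shutdown

class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

interface vlan 10
  ip address 172.16.110.8 255.255.255.192
  description Client side connectivity
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.110.1
"""

# Management protocols that carry credentials or data unencrypted (my choice).
CLEARTEXT = {"telnet", "http", "snmp"}


def _blocks(config: str):
    """Yield (header, [stripped indented lines]) for each top-level block."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.strip(), []
    if header is not None:
        yield header, body


def parse_management_policy(config: str) -> dict[str, dict[str, set[str]]]:
    """Return {interface: {protocol: {sources}}} for the protocols that the
    management policy applied with 'service-policy input' permits."""
    cmaps: dict[str, dict[str, set[str]]] = {}
    pmaps: dict[str, list[tuple[str, str]]] = {}   # policy -> [(class, action)]
    iface_policy: dict[str, str] = {}
    for header, body in _blocks(config):
        if m := re.match(r"class-map type management \S+ (\S+)", header):
            matches: dict[str, set[str]] = defaultdict(set)
            for line in body:   # optional line number, then the match statement
                if mm := re.match(r"(?:\d+ )?match protocol (\S+) (.+)", line):
                    matches[mm.group(1)].add(mm.group(2))
            cmaps[m.group(1)] = dict(matches)
        elif m := re.match(r"policy-map type management first-match (\S+)", header):
            entries, cls = [], None
            for line in body:
                if line.startswith("class "):
                    cls = line.split()[1]
                elif line in ("permit", "deny") and cls:
                    entries.append((cls, line))
            pmaps[m.group(1)] = entries
        elif m := re.match(r"interface (vlan \d+)", header):
            for line in body:
                if line.startswith("service-policy input "):
                    iface_policy[m.group(1)] = line.split()[-1]
    exposed: dict[str, dict[str, set[str]]] = {}
    for iface, policy in iface_policy.items():
        allowed: dict[str, set[str]] = defaultdict(set)
        for cls, action in pmaps.get(policy, []):
            if action == "permit":
                for proto, sources in cmaps.get(cls, {}).items():
                    allowed[proto] |= sources
        exposed[iface] = dict(allowed)
    return exposed


def cleartext_findings(config: str) -> list[str]:
    """One line per interface/protocol pair that permits a cleartext
    management protocol, e.g. 'vlan 10 permits telnet from any'."""
    findings = []
    for iface, protos in parse_management_policy(config).items():
        for proto in sorted(protos):
            if proto in CLEARTEXT:
                findings.append(f"{iface} permits {proto} from {', '.join(sorted(protos[proto]))}")
    return findings


if __name__ == "__main__":
    print(parse_management_policy(SAMPLE_CONFIG))
    for finding in cleartext_findings(SAMPLE_CONFIG):
        print(finding)
```

For the configuration in this note the script reports that vlan 10 permits telnet from any source; once the Telnet session in the next section has confirmed reachability, removing the telnet match and keeping ssh is the usual way to close that finding.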


Accessing the ACE through a Telnet Session

After you have completed the previous configurations, you should be able to use Telnet to access the ACE through an Ethernet port by using its IP address.

To initiate a Telnet connection to the ACE, perform the following steps:


Step 1 Initiate a Telnet session from a remote host to the ACE. For example, to access the ACE from the VLAN IP address of 172.16.110.8, enter:

remote_host# telnet 172.16.110.8
Trying 172.16.110.8 ... Open

Step 2 At the prompt, log in to the ACE. Enter admin as the login username and admin as the password.

host1 login: admin

Step 3 Display the Telnet session by using the show telnet command.

host1/Admin# show telnet


Configuring Basic VIP Load Balancing on the ACE

A basic load-balancing configuration allows the ACE to perform the following tasks:

Match VIP-destined traffic flows.

Load balance these flows to real servers on the network.

Class maps classify client traffic destined to a VIP address. The ACE load balances traffic to a server farm and selects one of the real servers to respond to the client request.

This section describes the tasks that you perform using the CLI to configure and perform basic VIP load balancing:

Configuring Real Servers

Configuring a Server Farm

Configuring the VIP Traffic Policy

Configuring an ACL

Verifying the VIP Load-Balancing Configuration

Where to Go Next

For detailed command syntax information for the ACE CLI commands mentioned in this section, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.

Configuring Real Servers

Real servers are dedicated physical servers that you typically configure in groups called server farms. These servers provide services to clients, for example, HTTP or XML content. You identify real servers with names and characterize them with IP addresses, connection limits, and weight values.

To configure real servers on the ACE, perform the following steps:


Step 1 Enter configuration mode by using the configure command in Exec mode.

host1/Admin# config 
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#

Step 2 Create a real server and then access real server host configuration mode by using the rserver command. For example, to create a real server named SERVER1 as a type host (the default), enter:

host1/Admin(config)# rserver SERVER1
host1/Admin(config-rserver-host)# 

Step 3 Enter a description of the real server by using the description command.

host1/Admin(config-rserver-host)# description web-one content server

Step 4 Assign the real server an IP address in dotted-decimal notation by using the ip address command. For example, to assign the IP address of 192.168.4.11, enter:

host1/Admin(config-rserver-host)# ip address 192.168.4.11

Step 5 Place the real server in service by using the inservice command.

host1/Admin(config-rserver-host)# inservice

Step 6 Use the exit command to reenter configuration mode.

host1/Admin(config-rserver-host)# exit
host1/Admin(config)#

Step 7 Configure additional real servers by repeating Steps 2 through 5. For example, to add a real server named SERVER2 with an IP address of 192.168.4.12, enter:

host1/Admin(config)# rserver SERVER2
host1/Admin(config-rserver-host)# description web-two content server
host1/Admin(config-rserver-host)# ip address 192.168.4.12
host1/Admin(config-rserver-host)# inservice

Step 8 Use the exit command to reenter configuration mode.

host1/Admin(config-rserver-host)# exit
host1/Admin(config)#

Step 9 Display the configuration of the real servers by using the do command with the show running-config rserver command.

host1/Admin(config)# do show running-config rserver
Generating configuration....

rserver host SERVER1
  description web-one content server
  ip address 192.168.4.11
  inservice
rserver host SERVER2
  description web-two content server
  ip address 192.168.4.12
  inservice


Note When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.



Configuring a Server Farm

After you create and configure the real servers, create a server farm and associate the real servers with it. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm.

To create a server farm, perform the following steps:


Step 1 Create a server farm and access server farm host configuration mode by using the serverfarm command. For example, to create a server farm of type host (the default) named SFARM1, enter:

host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)#

Step 2 Associate an existing real server with the server farm and enter server farm host real server configuration mode by using the rserver command. For example, to associate SERVER1 real server to the server farm, enter:

host1/Admin(config-sfarm-host)# rserver SERVER1
host1/Admin(config-sfarm-host-rs)# 

Step 3 Place the real server in service by using the inservice command. Before you can start sending connections to a real server in a server farm, you must place it in service. Otherwise, the ACE considers it out of service and the server farm cannot receive or respond to client requests.

host1/Admin(config-sfarm-host-rs)# inservice

Step 4 Use the exit command to reenter server farm host configuration mode.

host1/Admin(config-sfarm-host-rs)# exit
host1/Admin(config-sfarm-host)# 

Step 5 Associate the SERVER2 real server with the server farm.

host1/Admin(config-sfarm-host)# rserver SERVER2
host1/Admin(config-sfarm-host-rs)# 

Step 6 Place the real server in service.

host1/Admin(config-sfarm-host-rs)# inservice

Step 7 Use the exit command to reenter configuration mode.

host1/Admin(config-sfarm-host-rs)# exit
host1/Admin(config-sfarm-host)# exit
host1/Admin(config)# 

Step 8 Verify that the real servers appear as operational (even though network connectivity has not been established) by using the do command with the show rserver command. For example, to display the SERVER1 real server, enter:

host1/Admin(config)# do show rserver SERVER1
rserver      : SERVER1, type: HOST
 state        : OPERATIONAL
 ---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: SFARM1
       192.168.4.11:0                    8      OPERATIONAL  0          0

Note When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.


Step 9 Add an interface to allow the ACE to communicate with the real servers by using the interface vlan command. For example, to configure VLAN 57 and access its configuration mode, enter:

host1/Admin(config)# interface vlan 57
host1/Admin(config-if)#

Step 10 Configure the IP address that is associated with the real server IP addresses by using the ip address command. For example, to configure the IP address 192.168.4.1 255.255.255.0, enter:

host1/Admin(config-if)# ip address 192.168.4.1 255.255.255.0

Step 11 (Optional) Provide a description for the interface by using the description command.

host1/Admin(config-if)# description Server-side Interface

Step 12 Enable the interface by using the no shutdown command.

host1/Admin(config-if)# no shutdown

Step 13 Save the running configuration to the startup configuration.

host1/Admin(config-if)# do copy running-config startup-config

Step 14 Use the exit command to reenter configuration mode.

host1/Admin(config-if)# exit
host1/Admin(config)#

Step 15 Display how the ACE populates the ARP table with the real server (RSERVER) by using the do command with the show arp command.

host1/Admin(config)# do show arp
Context Admin
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
================================================================================
127.1.0.128     00.00.00.00.20.62  vlan1     INTERFACE  LOCAL     _         up
127.1.0.192     00.00.00.00.20.62  vlan1     STATIC     2         _         up
192.168.4.1     00.00.00.00.20.62  vlan57    INTERFACE  LOCAL     _         up
192.168.4.11    00.00.00.00.00.00  vlan57    RSERVER    -       * 2 req     dn
192.168.4.12    00.00.00.00.00.00  vlan57    RSERVER    -       * 2 req     dn
================================================================================
Total arp entries 5


Configuring the VIP Traffic Policy

You classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified by a class map. Each class map defines a traffic classification, which is network traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied to a set of classified inbound traffic.

The simplest flow match criterion is server load balancing based on a client's attempt to reach a virtual IP address and port. This type of match is a Layer 3 and Layer 4 traffic policy: it matches only the destination IP address and port and then makes the server load-balancing decision.

To create a VIP traffic policy, perform the following steps:


Step 1 Create a Layer 7 SLB policy map to match class maps in the order in which they occur for load balancing by using the policy-map type loadbalance first-match command. For example, to create a load balancing policy map named L7_VIP_LB_ORDER_POLICY, enter:

host1/Admin(config)# policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
host1/Admin(config-pmap-lb)#

Step 2 For a simple load-balancing policy, assign the ACE default class map, which contains an implicit match any statement that matches any traffic classification. Use the class class-default command.

host1/Admin(config-pmap-lb)# class class-default
host1/Admin(config-pmap-lb-c)# 

Step 3 Add the server farm to the Layer 7 SLB policy map by using the serverfarm command. For example, to add the previously created SFARM1 server farm, enter:

host1/Admin(config-pmap-lb-c)# serverfarm SFARM1

Step 4 Use the exit command to reenter configuration mode.

host1/Admin(config-pmap-lb-c)# exit
host1/Admin(config-pmap-lb)# exit
host1/Admin(config)# 

Step 5 Create a Layer 3 and Layer 4 load-balancing class map by using the class-map command. For example, to create a class map named L4_VIP_ADDRESS_CLASS, enter:

host1/Admin(config)# class-map L4_VIP_ADDRESS_CLASS
host1/Admin(config-cmap)#

Step 6 Define a VIP address match statement by using the match virtual-address command. For example, to define a match statement for the IP address 172.16.110.9 for any IP protocol, enter:

host1/Admin(config-cmap)# match virtual-address 172.16.110.9 any

Step 7 Use the exit command to reenter configuration mode.

host1/Admin(config-cmap)# exit
host1/Admin(config)#

Step 8 Create a Layer 3 and Layer 4 multi-match policy map to direct classified incoming requests to the load-balancing policy map by using the policy-map multi-match command. For example, to create the policy map named L4_LB_VIP_POLICY, enter:

host1/Admin(config)# policy-map multi-match L4_LB_VIP_POLICY
host1/Admin(config-pmap)#

Step 9 Associate the Layer 3 and Layer 4 class map that defines the VIP address with the policy map by using the class command. For example, to associate the previously created L4_VIP_ADDRESS_CLASS class map, enter:

host1/Admin(config-pmap)# class L4_VIP_ADDRESS_CLASS
host1/Admin(config-pmap-c)#

Step 10 Associate the Layer 7 load-balancing policy map with the Layer 3 and Layer 4 policy map by using the loadbalance command. This association determines the actions that the ACE takes when network traffic matches a class map. For example, to associate the previously created L7_VIP_LB_ORDER_POLICY policy map, enter:

host1/Admin(config-pmap-c)# loadbalance policy L7_VIP_LB_ORDER_POLICY

Step 11 Enable a VIP for load-balancing operations by using the loadbalance vip inservice command.

host1/Admin(config-pmap-c)# loadbalance vip inservice

Step 12 Use the exit command to reenter configuration mode.

host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
host1/Admin(config)# 

Step 13 Access the client-facing interface to which you want to apply the multi-match policy map by using the interface vlan command. For example, to access interface configuration mode for VLAN 55, enter:

host1/Admin(config)# interface vlan 55
host1/Admin(config-if)#

Step 14 Apply the multi-match policy map by using the service-policy input command. For example, to apply the L4_LB_VIP_POLICY policy map, enter:

host1/Admin(config-if)# service-policy input L4_LB_VIP_POLICY

Step 15 Use the exit command to reenter configuration mode.

host1/Admin(config-if)# exit
host1/Admin(config)# 

Step 16 Save the running configuration to the startup configuration.

host1/Admin(config)# do copy running-config startup-config

Step 17 Verify that the ACE will respond to traffic to the VIP address by using the do command with the show service-policy command. The show service-policy command displays whether the VIP state is inservice. For example, to display the service policy state for the L4_LB_VIP_POLICY policy map, enter:

host1/Admin(config)# do show service-policy L4_LB_VIP_POLICY
Status     : ACTIVE
-----------------------------------------
Interface: vlan 1 55
  service-policy: L4_LB_VIP_POLICY
    class: L4_VIP_ADDRESS_CLASS
      loadbalance:
        L7 loadbalance policy: L7_VIP_LB_ORDER_POLICY
        VIP ICMP Reply       : DISABLED
        VIP state: OUTOFSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0


Note When you are in a configuration mode, you can use the do command to use a show command or any other command that is only available in Exec mode.




Configuring an ACL

An access control list (ACL) provides an extra layer of security on the services that the ACE provides. For traffic destined to a class map that is applied to a multi-match policy map, you must configure an ACL and apply it to an interface. Otherwise, the ACE denies all traffic on the interface.

To configure an ACL, perform the following steps:


Step 1 Create an ACL for the interface by using the access-list command. For example, to create an extended ACL named ALL that controls IP traffic through the ACE and permits forwarding from any source IP address to any destination address, enter:

host1/Admin(config)# access-list ALL extended permit ip any any

Note that this ACL permits all IP traffic; it satisfies the requirement that an ACL be applied to the interface but restricts nothing.

Step 2 Access interface configuration mode for the interface that is configured with the multi-match policy map by using the interface vlan command. For example, to access interface configuration mode for VLAN 55, enter:

host1/Admin(config)# interface vlan 55
host1/Admin(config-if)#

Step 3 Apply the ACL to the interface by using the access-group input command. For example, to apply the previously created ALL ACL, enter:

host1/Admin(config-if)# access-group input ALL

Step 4 Exit the interface configuration mode and reenter Exec mode by using the end command.

host1/Admin(config-if)# end
host1/Admin#

Step 5 Verify that the ACL is applied and is active by using the show access-list command.

host1/Admin# show access-list ALL

Step 6 Save the running configuration to the startup configuration.

host1/Admin# copy running-config startup-config

Step 7 Display the configuration information by using the show running-config command. In this example, the basic load-balancing configuration is in bold.

host1/Admin# show running-config 
Generating configuration....

login timeout 0
hostname host1

interface gigabitEthernet 1/2
  description Ethernet port 2 is configured for speeds of 100 Mbps and full-duplex
  speed 100M
  duplex FULL
  switchport trunk allowed vlan 10
  no shutdown

access-list ALL line 10 extended permit any ip any any

rserver SERVER1
description web-one content server
ip address 192.168.4.11
inservice

rserver SERVER2
description web-two content server
ip address 192.168.4.12
inservice

class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
class-map match-all L4_VIP_ADDRESS_CLASS
  10 match virtual-address 172.16.110.9 any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class CLASS-DEFAULT
   serverfarm SFARM1

policy-map type multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
   loadbalance vip inservice
   loadbalance L7_VIP_LB_ORDER_POLICY

interface vlan 55
  ip address 172.16.110.8 255.255.255.192
  description Client side connectivity
  access-group input ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input L4_LB_VIP_POLICY
  no shutdown
interface vlan 57
  ip address 192.168.4.1 255.255.255.0
  description Server-side Interface
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.110.1
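The requirements stated in the server farm, VIP traffic policy, and ACL sections can be checked against a running-config mechanically. The following added example (not part of the Cisco note) parses the config into blocks and flags interfaces that apply a service policy without an access-group, and resolves the VIP policy chain down to a defined server farm; SAMPLE_CONFIG is constructed from the commands shown in this note.

```python
# Added example, not part of the Cisco note: audit an ACE running-config for the
# requirements these sections state. SAMPLE_CONFIG is constructed from the note.
SAMPLE_CONFIG = """\
access-list ALL line 10 extended permit ip any any
rserver host SERVER1
  ip address 192.168.4.11
serverfarm host SFARM1
  rserver SERVER1
class-map match-all L4_VIP_ADDRESS_CLASS
  10 match virtual-address 172.16.110.9 any
policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class class-default
    serverfarm SFARM1
policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB_ORDER_POLICY
interface vlan 55
  ip address 172.16.110.8 255.255.255.192
  access-group input ALL
  service-policy input L4_LB_VIP_POLICY
"""

def parse_blocks(config):
    """Map each unindented header line to its indented body lines, stripped."""
    blocks, header = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            header = line.strip()
            blocks[header] = []
        elif header is not None:
            blocks[header].append(line.strip())
    return blocks

def interfaces_missing_acl(config):
    """Interfaces with a service-policy but no access-group input (the ACE then denies all traffic)."""
    return [h for h, body in parse_blocks(config).items() if h.startswith("interface ")
            and any(b.startswith("service-policy input ") for b in body)
            and not any(b.startswith("access-group input ") for b in body)]

def vip_serverfarm(config, policy):
    """Follow multi-match policy -> loadbalance policy -> serverfarm; None if any link is missing."""
    blocks = parse_blocks(config)
    lb_names = [l.split()[-1] for l in blocks.get(f"policy-map multi-match {policy}", [])
                if l.startswith("loadbalance policy ")]
    farms = [l.split()[-1] for name in lb_names
             for l in blocks.get(f"policy-map type loadbalance first-match {name}", [])
             if l.startswith("serverfarm ")]
    return next((f for f in farms if f"serverfarm host {f}" in blocks), None)
```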

Verifying the VIP Load-Balancing Configuration

To verify the load-balancing configuration, use the show service-policy command to ensure that the counters increment as connections are handled. For example, to display the counters for the L4_LB_VIP_POLICY policy map, enter:

host1/Admin# show service-policy L4_LB_VIP_POLICY
Interface: vlan 55
  service-policy: L4_LB_VIP_POLICY
    class: L4_VIP_ADDRESS_CLASS
      loadbalance:
        L7 policy: L7_VIP_LB_ORDER_POLICY, VIP state: INSERVICE
        curr conns       : 0         , hit count        : 20
        dropped conns    : 0
        client pkt count : 100       , client byte count: 13000
        server pkt count : 127       , server byte count: 92381
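The show service-policy displays in Step 17 above and in this section can be checked mechanically rather than by eye. The following added example (not part of the Cisco note) parses that output, handling both the layout where VIP state follows the L7 policy and the layout where it sits on its own line, and compares two snapshots; the snapshots are constructed to match the output shown here.

```python
# Added example, not part of the Cisco note: parse `show service-policy` output in
# the layout shown here and check the VIP is INSERVICE and actually taking hits.
import re

# Constructed snapshots modelled on the note's output, taken before and after
# a batch of client connections through the VIP.
SNAPSHOT_BEFORE = """\
Interface: vlan 55
  service-policy: L4_LB_VIP_POLICY
    class: L4_VIP_ADDRESS_CLASS
      loadbalance:
        L7 policy: L7_VIP_LB_ORDER_POLICY, VIP state: INSERVICE
        curr conns       : 0         , hit count        : 20
        dropped conns    : 0
        client pkt count : 100       , client byte count: 13000
        server pkt count : 127       , server byte count: 92381
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("hit count        : 20", "hit count        : 35")

def parse_service_policy(text):
    """Return {class name: {"vip_state": str, "hit count": int, ...}} per class block."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*class:\s*(\S+)", line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = re.search(r"VIP state:\s*(\w+)", line)  # own line or after the L7 policy
        if m:
            current["vip_state"] = m.group(1)
        for name, value in re.findall(r"([a-z][a-z ]*?)\s*:\s*(\d+)", line):
            current[name.strip()] = int(value)
    return result

def vip_problems(before, after, class_name):
    """Checks an operator wants after Step 17: INSERVICE, hits growing, no new drops."""
    b = parse_service_policy(before).get(class_name, {})
    a = parse_service_policy(after).get(class_name, {})
    problems = []
    if a.get("vip_state") != "INSERVICE":
        problems.append(f"VIP state is {a.get('vip_state', 'unknown')}")
    if a.get("hit count", 0) <= b.get("hit count", 0):
        problems.append("hit count did not increase between snapshots")
    if a.get("dropped conns", 0) > b.get("dropped conns", 0):
        problems.append("dropped conns increased")
    return problems
```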

You can also verify access to the real servers by using a Telnet session to connect to the VIP address if your servers run a Telnet daemon. If you receive the login and password prompt from the ACE, access to the real servers is available through the VIP address. For example, enter:

linux$ telnet 172.16.110.9
Trying 172.16.110.9... Open

host1 login: admin
Password:

Where to Go Next

After you have completed the quick configuration procedures in this guide, you can configure more advanced features on the ACE such as the following:

Application acceleration and optimization

Application protocol inspection

Connection persistence using HTTP-cookie, HTTP header, or IP netmask stickiness

Health monitoring including probes

Layer 7 server load-balancing traffic policy, including class maps and policy maps

Redundancy

SSL

TCP/IP normalization

Virtualization and role-based access control (RBAC)

You can configure the ACE by using the following:

The CLI, a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.

ACE Device Manager GUI, a web browser-based graphical user interface for configuring, managing, and monitoring the ACE.

For details on configuring the ACE features from the Device Manager GUI, see the Online Help system provided with the GUI.

Related Documentation

To familiarize yourself with the ACE appliance hardware and software, see the following documents:

Release Note for the Cisco 4700 Series Application Control Engine Appliance

Cisco Application Control Engine Appliance Hardware Installation Guide

Regulatory Compliance and Safety Information for the Cisco Application Control Engine Appliance

For detailed configuration information on the ACE command-line interface (CLI), see the following software documents:

Cisco 4700 Series Application Control Engine Appliance Administration Guide

Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide

Cisco 4700 Series Application Control Engine Appliance Command Reference

Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide

Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide

Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide

Cisco 4700 Series Application Control Engine Appliance System Message Guide

Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide

Cisco CSS-to-ACE Conversion Tool User Guide

For detailed configuration information on the ACE Device Manager GUI, see the following software documents:

Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Quick Configuration Note

Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide

Cisco 4700 Series Application Control Engine Appliance Online Help

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html