Server Load-Balancing Guide vA1(7), Cisco ACE 4700 Series Application Control Engine Appliance
Configuring Traffic Policies for Server Load Balancing
Downloads: This chapterpdf (PDF - 616.0KB) The complete bookPDF (PDF - 5.81MB) | Feedback

Configuring Traffic Policies for Server Load Balancing

Table Of Contents

Configuring Traffic Policies for Server Load Balancing

Overview of SLB Traffic Policies

Layer 7 SLB Traffic Policy Configuration Quick Start

Layer 3 and Layer 4 SLB Traffic Policy Configuration Quick Start

Configuring Layer 7 Class Maps for SLB

Configuration Considerations

Defining a Cookie for HTTP Load Balancing

Defining an HTTP Header for Load Balancing

Defining a URL for HTTP Load Balancing

Excluding Files with Specific Extensions/MIME Types When Performing Regular Expression Matching and HTTP Compression

Defining Source IP Address Match Criteria

Nesting Layer 7 HTTP SLB Class Maps

Configuring a Layer 7 Policy Map for SLB

Adding a Layer 7 Policy Map Description

Defining Match Statements Inline in a Layer 7 Policy Map

Associating a Layer 7 Class Map with a Layer 7 Policy Map

Specifying Layer 7 SLB Policy Actions

Compressing Packets

Discarding Requests

Forwarding Requests Without Load Balancing

Configuring HTTP Header Insertion

Enabling Load Balancing to a Server Farm (Configuring a Backup Server Farm)

Configuring a Sorry Server Farm

Configuring a Sticky Server Farm

Specifying the IP Differentiated Services Code Point of Packets

Specifying an SSL Proxy Service

Associating a Layer 7 Policy Map with a Layer 3 and Layer 4 Policy Map

Configuring an HTTP Parameter Map

Disabling Case-Sensitivity Matching

Defining HTTP Compression Parameters

Defining URL Delimiters

Setting the Maximum Number of Bytes to Parse for Cookies, HTTP Headers, and URLs

Configuring the ACE Behavior when a URL or Cookie Exceeds the Maximum Parse Length

Enabling HTTP Persistence Rebalance

Configuring TCP Server Reuse

Configuring a Layer 3 and Layer 4 Class Map for SLB

Defining a Class Map Description

Defining VIP Address Match Criteria

Configuring a Layer 3 and Layer 4 Policy Map for SLB

Defining a Layer 3 and Layer 4 Policy Map Description

Associating a Layer 3 and Layer 4 Class Map with a Policy Map

Specifying Layer 3 and Layer 4 SLB Policy Actions

Associating a Layer 7 SLB Policy Map with a Layer 3 and Layer 4 SLB Policy Map

Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map

Associating a Connection Parameter Map with a Layer 3 and Layer 4 Policy Map

Enabling a VIP to Reply to ICMP Requests

Enabling a VIP

Applying a Layer 3 and Layer 4 Policy to an Interface

Example of a Server Load-Balancing Policy Configuration

Displaying Load-Balancing Configuration Information and Statistics

Displaying Class-Map Configuration Information

Displaying Policy-Map Configuration Information

Displaying Parameter Map Configuration Information

Displaying Load-Balancing Statistics

Displaying HTTP Parameter Map Statistics

Displaying Service-Policy Statistics

Displaying HTTP Statistics

Clearing SLB Statistics

Clearing Load-Balancing Statistics

Clearing Service-Policy Statistics

Clearing HTTP Statistics

Where to Go Next


Configuring Traffic Policies for Server Load Balancing


This chapter describes how to configure the Cisco 4700 Series Application Control Engine (ACE) appliance to use classification (class) maps and policy maps to filter and match interesting network traffic based on various criteria and load balance the traffic to real servers in server farms using one of the ACE load-balancing predictor methods.

This chapter contains the following major sections:

Overview of SLB Traffic Policies

Layer 7 SLB Traffic Policy Configuration Quick Start

Layer 3 and Layer 4 SLB Traffic Policy Configuration Quick Start

Configuring Layer 7 Class Maps for SLB

Configuring a Layer 7 Policy Map for SLB

Configuring an HTTP Parameter Map

Configuring a Layer 3 and Layer 4 Class Map for SLB

Configuring a Layer 3 and Layer 4 Policy Map for SLB

Applying a Layer 3 and Layer 4 Policy to an Interface

Example of a Server Load-Balancing Policy Configuration

Displaying Load-Balancing Configuration Information and Statistics

Clearing SLB Statistics

Where to Go Next

Overview of SLB Traffic Policies

You classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified by a class map. Each class map defines a traffic classification, which is network traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied to a set of classified inbound traffic.

ACE traffic policies support the following server load-balancing (SLB) traffic attributes:

Layer 3 and Layer 4 connection information—Source or destination IP address, source or destination port, virtual IP address, and IP protocol

Layer 7 protocol information—HTTP cookie, HTTP URL, HTTP header, and SSL

The three steps in the traffic classification process consist of the following:

1. Create a class map using the class-map command and the associated match commands, which comprise a set of match criteria related to Layer 3 and Layer 4 traffic classifications or Layer 7 protocol classifications.

2. Create a policy map using the policy-map command, which refers to the class maps and identifies a series of actions to perform based on the traffic match criteria.

3. Activate the policy map by associating it with a specific VLAN interface or globally with all VLAN interfaces using the service-policy command to filter traffic received by the ACE.

Figure 3-1 provides a basic overview of the process required to build and apply the Layer 3, Layer 4, and Layer 7 policies that the ACE uses for SLB. The flow chart also shows how you associate the various components of the SLB policy configuration with each other.

Figure 3-1 Server Load-Balancing Configuration Flow Diagram

Layer 7 SLB Traffic Policy Configuration Quick Start

Table 3-1 provides a quick overview of the steps required to configure a Layer 7 class map and a Layer 7 policy map. Each step includes the CLI command and a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 3-1.

Table 3-1 Layer 7 SLB Policy Configuration Quick Start 

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to, or directly log in to, the correct context.

host1/Admin# changeto C1
host1/C1#

The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

2. Enter configuration mode.

host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#

3. Create a Layer 7 class map for SLB. See the "Configuring Layer 7 Class Maps for SLB" section.

host1/Admin(config)# class-map type http loadbalance match-all 
L7SLBCLASS
host1/Admin(config-cmap-http-lb)#

4. Configure one or more of the following match criteria for the Layer 7 SLB class map:

Define a cookie for HTTP load balancing. See the "Defining a Cookie for HTTP Load Balancing" section.

host1/Admin(config-cmap-http-lb)# match http cookie 
TESTCOOKIE1 cookie-value 123456

Define an HTTP header for load balancing. See the "Defining an HTTP Header for Load Balancing" section.

host1/Admin(config-cmap-http-lb)# match http header Host 
header-value .*cisco.com

Define a URL for HTTP load balancing. See the "Defining a URL for HTTP Load Balancing" section.

host1/Admin(config-cmap-http-lb)# match http url 
/WHATSNEW/LATEST.*

Define a source IP match statement. See the "Defining Source IP Address Match Criteria" section.

host1/Admin(config-cmap-http-lb)# match source-address 
192.168.11.2 255.255.255.0

5. Use the exit command to reenter configuration mode.

host1/Admin(config-cmap-http-lb)# exit
host1/Admin(config)#

6. Create a Layer 7 policy map for SLB. See the "Configuring a Layer 7 Policy Map for SLB" section.

host1/Admin(config)# policy-map type loadbalance first-match 
L7SLBPOLICY
host1/Admin(config-pmap-lb)# 

7. Associate the Layer 7 class map that you created in Step 2 with the Layer 7 policy map that you created in Step 5. See the "Associating a Layer 7 Class Map with a Layer 7 Policy Map" section.

host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)#

8. Specify one or more of the following policy-map actions that you want the ACE to execute when network traffic matches a class map:

Instruct the ACE to compress packets that match a policy map and to use the deflate or gzip compression method when the client browser supports both compression methods. See the "Compressing Packets" section.


Note The compress command option displays only when you associate an HTTP-type class map with a policy map.


host1/Admin(config-pmap-lb-c)# compress default-method gzip

Instruct the ACE to discard packets that match a policy map. See the "Discarding Requests" section.

host1/Admin(config-pmap-lb-c)# drop

Instruct the ACE to forward packets that match a policy map without load balancing them. See the "Forwarding Requests Without Load Balancing" section.

host1/Admin(config-pmap-lb-c)# forward

Enable HTTP header insertion. See the "Configuring HTTP Header Insertion" section.

host1/Admin(config-pmap-lb-c)# insert-http Host header-value 
www.cisco.com

Enable load balancing to a server farm. See the "Enabling Load Balancing to a Server Farm (Configuring a Backup Server Farm)" section.

host1/Admin(config-pmap-lb-c)# serverfarm FARM2 backup FARM3 
sticky

Specify the IP differentiated services code point (DSCP) of packets within the traffic class. See the "Configuring a Sticky Server Farm" section.

host1/Admin(config-pmap-lb-c)# set ip tos 8

If you are using SSL Initiation (ACE acting as an SSL client), specify an SSL proxy service. See the "Specifying an SSL Proxy Service" section. For more information about SSL, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide.

host1/Admin(config-pmap-lb-c)# ssl-proxy client 
PROXY_SERVICE1

If you want to use stickiness (connection persistence), specify a sticky server farm for load balancing. See the "Configuring a Sticky Server Farm" section.

host1/Admin(config-pmap-lb-c)# sticky-serverfarm 
STICKY_GROUP1

9. Before you can use a Layer 7 policy map for load balancing, you must associate it with a Layer 3 and Layer 4 SLB policy map. Create the Layer 3 and Layer 4 class map and policy map, then associate the Layer 7 policy map with the Layer 3 and Layer 4 policy map. Finally, associate the Layer 3 and Layer 4 policy map with an interface. See the following sections:

Configuring a Layer 3 and Layer 4 Class Map for SLB

Configuring a Layer 3 and Layer 4 Policy Map for SLB

Applying a Layer 3 and Layer 4 Policy to an Interface

10. Display your class-map and policy-map configurations and statistics (see the "Displaying Load-Balancing Configuration Information and Statistics" section):

host1/Admin# show running-config class-map
host1/Admin# show running-config policy-map

11. (Optional) Save your configuration changes to flash memory.

host1/Admin# copy running-config startup-config

Layer 3 and Layer 4 SLB Traffic Policy Configuration Quick Start

Table 3-2 provides a quick overview of the steps required to configure a Layer 3 and Layer 4 class map and a Layer 3 and Layer 4 policy map. Each step includes the CLI command and a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 3-2.

Table 3-2 Layer 3 and Layer 4 SLB Policy Configuration Quick Start 

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify you are operating in the desired context. Change to, or directly log in to, the correct context if necessary.

host1/Admin# changeto C1
host1/C1#

For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

2. Enter configuration mode.

host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#

3. Create a Layer 3 and Layer 4 SLB class map. See the "Configuring a Layer 3 and Layer 4 Class Map for SLB" section.

host1/Admin(config)# class-map L4VIPCLASS
host1/Admin(config-cmap)#

4. Define a virtual IP (VIP) address match statement. See the "Defining VIP Address Match Criteria" section.

host1/Admin(config-cmap)# match virtual-address 192.168.1.10 tcp 
port eq 80

5. Reenter configuration mode.

host1/Admin(config-cmap)# exit
host1/Admin(config)#

6. Create a Layer 3 and Layer 4 policy map. See the "Configuring a Layer 3 and Layer 4 Policy Map for SLB" section.

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)#

7. Associate the Layer 3 and Layer 4 class map that you created in Step 3 with the policy map you created in Step 6. See the "Associating a Layer 3 and Layer 4 Class Map with a Policy Map" section.

host1/Admin(config-pmap)# class L4VIPCLASS
host1/Admin(config-pmap-c)#

8. Specify one or more of the following policy-map SLB actions that you want the ACE to take when network traffic matches a class map:

Enable a VIP to reply to ICMP ECHO requests. For example, if a user sends an ICMP ECHO request to a VIP, this command instructs the VIP to send an ICMP ECHO-REPLY. See the "Enabling a VIP to Reply to ICMP Requests" section.

host1/Admin(config-pmap-c)# loadbalance vip icmp-reply

Associate a Layer 7 SLB policy map with the Layer 3 and Layer 4 policy map to provide an entry point for Layer 7 classifications. See the "Associating a Layer 7 SLB Policy Map with a Layer 3 and Layer 4 SLB Policy Map" section.

host1/Admin(config-pmap-c)# loadbalance policy L7SLBPOLICY

Associate an HTTP parameter map with the Layer 3 and Layer 4 policymap to define the compression parameters for the ACE to use. (To use this option, you must have the compress action option defined in your Layer 7 policymap.) See the "Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map" section.

host1/Admin(config-pmap-c)# appl-parameter http 
advanced-options HTTP_PARAM_MAP1

Enable a VIP for SLB operations.

host1/Admin(config-pmap-c)# loadbalance vip inservice

9. Activate a policy map and attach it to an interface. See the "Applying a Layer 3 and Layer 4 Policy to an Interface" section.

host1/Admin(config)# interface VLAN50
host1/Admin(config-if)# service-policy input L4SLBPOLICY
host1/Admin(config-if)# Ctrl-z

10. Display your class-map and policy-map configurations and statistics (see the "Displaying Load-Balancing Configuration Information and Statistics" section).

host1/Admin# show running-config class-map
host1/Admin# show running-config policy-map
host1/Admin# show service-policy name [detail]

11. (Optional) Save your configuration changes to flash memory.

host1/Admin# copy running-config startup-config

Configuring Layer 7 Class Maps for SLB

A Layer 7 SLB class map contains match criteria that classify specific Layer 7 network traffic. This section describes how to create a class map for Layer 7 SLB based on HTTP cookies, HTTP headers, HTTP URLs, source IP addresses, or SSL ciphers.

You can create a Layer 7 class map for SLB and enter the class-map configuration mode by using the class-map type http loadbalance command in configuration mode. The syntax of this command is as follows:

class-map type http loadbalance [match-all | match-any] map_name

You can configure multiple match commands in a single class map to specify the matching criteria. For example, you can configure a Layer 7 load-balancing class map to define multiple URLs, cookies, and HTTP headers in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the ACE evaluates multiple match statement operations when multiple match criteria exist in a class map.

The keywords, arguments, and options are as follows:

http loadbalance—Specifies a Layer 7 load-balancing class map.

match-all | match-any—(Optional) Determines how the ACE evaluates Layer 7 HTTP SLB operations when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:

match-all —(Default) Network traffic needs to satisfy all of the match criteria (implicit AND) to match the Layer 7 load-balancing class map. The match-all keyword is applicable only for match statements of different Layer 7 load-balancing types. For example, specifying a match-all condition for URL, HTTP header, and URL cookie statements in the same class map is valid. However, specifying a match-all condition for multiple HTTP headers or multiple cookies with the same names or multiple URLs in the same class map is invalid.

match-any—Network traffic needs to satisfy only one of the match criteria (implicit OR) to match the HTTP load-balancing class map. The match-any keyword is applicable only for match statements of the same Layer 7 load-balancing type. For example, the ACE does not allow you to specify a match-any condition for URL, HTTP header, and URL cookie statements in the same class map but does allow you to specify a match-any condition for multiple URLs, or multiple HTTP headers or multiple cookies with different names in the same class map.

map_name—Unique identifier assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The class-map name is used for both the class map and to associate the class map with a policy map.

For example, to create a Layer 7 load-balancing class map named L7SLBCLASS, enter:

host1/Admin(config)# class-map type http loadbalance match-any 
L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 

To remove a Layer 7 load-balancing class map from the configuration, enter:

host1/Admin(config)# no class-map type http loadbalance match-any 
L7SLBCLASS

The following topics describe how to specify match criteria for the Layer 7 class map:

Configuration Considerations

Defining a Cookie for HTTP Load Balancing

Defining an HTTP Header for Load Balancing

Defining a URL for HTTP Load Balancing

Defining Source IP Address Match Criteria

Nesting Layer 7 HTTP SLB Class Maps

Configuration Considerations

When you are creating a class map for SLB, note the following configuration considerations:

You can configure a maximum of 10 cookie names and header names for each Layer 3 and Layer 4 class. You can allocate the number of cookie names and header names in any combination as long as you do not exceed the maximum of 10.

You can associate a maximum of 1024 instances of the same type of regular expression (regex) with a a Layer 4 policy map. This limit applies to all Layer 7 policy-map types. You configure regexes in:

Match statements in Layer 7 class maps

Inline match statements in Layer 7 policy maps

Layer 7 hash predictors for server farms

Layer 7 sticky expressions in sticky groups

Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists

The ACE restricts the nesting of class maps to two levels to prevent you from including one nested class map in a different class map.

The maximum number of class maps for each ACE is 8192.

Defining a Cookie for HTTP Load Balancing

The ACE performs regular expression matching against the received packet data from a particular connection based on the cookie expression. You can configure a maximum of 10 cookie names and header names per class in any combination. You can configure the class map to make Layer 7 SLB decisions based on the name and string of a cookie by using the match http cookie command in class-map configuration mode. The syntax of this command is as follows:

[line_number] match http cookie {name | secondary name} cookie-value expression

The keywords, arguments, and options are as follows:

line_number—(Optional) Line numbers that you can use for editing or deleting the individual match commands. For example, you can enter no line_number to delete long match commands instead of entering the entire line. The sequence numbers do not indicate any priority for the match statements. Enter a unique integer from 1 to 1024.

name—Unique cookie name. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Note If certain characters are used in the cookie name, such as an underscore (_), hypen (-), period (.), or semicolon (:) , replace those characters with the equivalent percent encoding (% HEX HEX) characters. For example, to configure the cookie name Regex_MatchCookie, replace the underscore (_) character with the equivalent %5F percent encoding character and enter the cookie name as Regex%5FMatchCookie in the CLI.


secondary name—Specifies a cookie in a URL string. You can specify the delimiters for cookies in a URL string using a command in an HTTP parameter map. For more information, see the "Defining URL Delimiters" section.

cookie-value expression—Specifies a unique cookie value expression. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. Alternatively, you can enter a text string with spaces provided that you enclose the entire string in quotation marks ("). The ACE supports the use of regular expressions for matching string expressions. Table 3-3 lists the supported characters that you can use for matching string expressions.

Table 3-3 Special Characters for Matching String Expressions 

Convention
Description

.

One of any character.

.*

Zero or more of any character.

\.

Period (escaped).

[charset]

Match any single character from the range.

[^charset]

Do not match any character in the range. All other characters represent themselves.

()

Expression grouping.

(expr1 | expr2)

OR of expressions.

(expr)*

0 or more of expression.

(expr)+

1 or more of expression.

expr{m,n}

Repeat the expression between m and n times, where m and n have a range of 1 to 255.

expr{m}

Match the expression exactly m times. The range for m is from 1 to 255.

expr{m,}

Match the expression m or more times. The range for m is from 1 to 255.

\a

Alert (ASCII 7).

\b

Backspace (ASCII 8).

\f

Form-feed (ASCII 12).

\n

New line (ascii 10).

\r

Carriage return (ASCII 13).

\t

Tab (ASCII 9).

\v

Vertical tab (ASCII 11).

\0

Null (ASCII 0).

\\

Backslash.

\x##

Any ASCII character as specified in two-digit hexadecimal notation.


The following example specifies that the Layer 7 class map load balance on a cookie with the name of testcookie1:

host1/Admin(config)# class-map type http loadbalance match-any 
L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 100 match http cookie testcookie1 
cookie-value 123456

To remove an HTTP cookie match statement from the class map, enter:

host1/Admin(config-cmap-http-lb)# no 100

Defining an HTTP Header for Load Balancing

The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression. You can configure a maximum of 10 total HTTP header names and cookie names per class. To configure a class map to make Layer 7 SLB decisions based on the name and value of an HTTP header, use the match http header command in class-map configuration mode.

The syntax of this command is as follows:

[line_number] match http header name header-value expression

The keywords, arguments, and options are as follows:

line_number—(Optional) Line numbers that you can use for editing or deleting the individual match commands. For example, you can enter no line_number to delete long match commands instead of entering the entire line. The sequence numbers do not indicate any priority for the match statements. Enter a unique integer from 1 to 1024.

name—Name of the generic field in the HTTP header. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. Alternatively, you can enter a text string with spaces provided that you enclose the entire string in quotation marks ("). For a list of standard header field names, see Table 3-4.

header-value expression—Specifies the header value expression string to compare against the value in the specified field in the HTTP header. Enter a text string with a maximum of 255 alphanumeric characters. The ACE supports the use of regular expressions for header matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, provided that the entire string that contains spaces is quoted. If you use a match-all class map, all headers in the header map must be matched. See Table 3-3 for a list of the supported characters that you can use in regular expressions.

Table 3-4 Standard HTTP Header Fields 

Field Name
Description

Accept

Semicolon-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.

Accept-Charset

Character sets that are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.

Accept-Encoding

Restricts the content encoding that a user will accept from the server.

Accept-Language

ISO code for the language in which the document is written. The language code is an ISO 3316 language code with an optional ISO639 country code to specify a national variant.

Authorization

Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.

Cache-Control

Directives that must be obeyed by all caching mechanisms along the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.

Connection

Allows the sender to specify connection options.

Content-MD5

MD5 digest of the entity-body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.

Expect

Used by a client to inform the server about what behaviors the client requires.

From

E-mail address of the person that controls the requesting user agent.

Host

Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource. The Host field value must represent the naming authority of the origin server or gateway given by the original URL.

If-Match

Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. The purpose of this feature is to allow efficient updates of cached information with a minimum amount of transaction overhead. It is also used, on updating requests, to prevent inadvertent modification of the wrong version of a resource. As a special case, the value "*" matches any current entity of the resource.

Pragma

Pragma directives understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP, for example, the accept field, a comma-separated list of entries, for which the optional parameters are separated by semicolons.

Referer

Address (URI) of the resource from which the URI in the request was obtained.

Transfer-Encoding

What (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient.

User-Agent

Information about the user agent, for example a software program originating the request. This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents to customize responses to avoid particular user agent limitations.

Via

Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests and between the origin server and the client on responses.


The following example specifies that the Layer 7 class map load balance on an HTTP header named Host:

host1/Admin(config)# class-map type http loadbalance match-any 
L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 100 match http header Host 
header-value .*cisco.com

The following example uses regular expressions in a class map to emulate a wildcard search to match the header value expression string:

host1/Admin(config)# class-map type http loadbalance match-any 
L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 10 match http header Host 
header-value .*cisco.com
host1/Admin(config-cmap-http-lb)# 20 match http header Host 
header-value .*yahoo.com

The following example specifies that the Layer 7 class map load balance on an HTTP header named Via:

host1/Admin(config)# class-map type http loadbalance match-any 
L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 30 match http header Via 
header-value 192.*

To remove all HTTP header match criteria from the L7SLBCLASS class map, enter the following commands:

host1/Admin(config-cmap-http-lb)# no 10
host1/Admin(config-cmap-http-lb)# no 20
host1/Admin(config-cmap-http-lb)# no 30

Defining a URL for HTTP Load Balancing

The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. You can configure a class map to make Layer 7 SLB decisions based on the URL name and, optionally, the HTTP method, by using the match http url command in class-map configuration mode. The syntax of this command is as follows:

[line_number] match http url expression [method name]

The keywords, arguments, and options are as follows:

line_number—(Optional) Line numbers that you can use for editing or deleting the individual match commands. For example, you can enter no line_number to delete long match commands instead of entering the entire line. The line_number line numbers do not indicate any priority for the match statements. Enter a unique integer from 1 to 1024.

expression—URL, or portion of a URL, to match. Enter a URL string from 1 to 255 alphanumeric characters. The ACE performs matching on whatever URL string appears after the HTTP method, regardless of whether the URL includes the hostname. The ACE supports the use of regular expressions for matching URL strings. See Table 3-3 for a list of the supported characters that you can use in regular expressions.


Note When matching URLs, note that the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).


method name—(Optional) Specifies the HTTP method to match. Enter a method name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).

The following example specifies that the Layer 7 class map load balance on a specific URL:

host1/Admin(config)# class-map type http loadbalance L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 10 match http url /whatsnew/latest.*

The following example uses regular expressions to emulate a wildcard search to match on any .gif or .html file:

host1/Admin(config)# class-map type http loadbalance match-any 
L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
host1/Admin(config-cmap-http-lb)# 200 match http url .*.html

To remove a URL match statement from the L7SLBCLASS class map, enter no and the line number. For example, to remove line 100, enter:

host1/Admin(config-cmap-http-lb)# no 100


Note If you did not use line numbers to enter the original URL match statement, you can obtain the line number from your running configuration. To display the running configuration, enter the show running-config command.


Excluding Files with Specific Extensions/MIME Types When Performing Regular Expression Matching and HTTP Compression

If you intend to configure the ACE to perform regular expression matching as well as to perform HTTP compression on packets that match a particular policy map (see the "Compressing Packets" section), we recommend that you create a Layer 7 compression_exclusion SLB class map and add it to a Layer 7 SLB policy map. HTTP compression should be avoided for files containing certain extensions or Multipurpose Internet Mail Extension (MIME) types because these files can cause page breaks. In this case, avoid files with the following extensions or MIME types: .*gif, .*css, .*js, .*class, .*jar, .*cab, .*txt, .*ps, .*vbs, .*xsl, .*xml, .*pdf, .*swf, .*jpg, .*jpeg, .*jpe, .*png.


Note MIME type exclusion is not necessary when you identify specific MIME type to compress in an HTTP parameter map. See the "Defining HTTP Compression Parameters" section for details.


The following example illustrates a running configuration that includes a traffic policy that excludes a series of files that contain specific extensions. The exclusion class map and policy map configuration appear in bold in the configuration fragment example.

access-list ACL1 line 10 extended permit ip any any

rserver host SERVER1
  ip address 192.168.10.99
  inservice
 
serverfarm host SFARM1
  rserver rserv 80
    inservice
 
class-map match-any L4_COMP-TEST_CLASS
  2 match virtual-address 10.210.2.151 tcp eq www
class-map type http loadbalance match-any L7default-compression- 
exclusion-mime-type_CLASS
  description Classmap for default SLB compression exclusion 
mime-types.
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*jpg
  16 match http url .*jpeg
  17 match http url .*jpe
  18 match http url .*png
class-map type management match-any L4_REMOTE-ACCESS_CLASS
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
 
policy-map type management first-match L4_REMOTE-ACCESS_POLICY
  class L4_REMOTE-ACCESS_CLASS
    permit
policy-map type loadbalance first-match L7_COMP-TEST_SLB_POLICY
  class L7default-compression-exclusion-mime-type_CLASS
    serverfarm SFARM1
  class class-default
    serverfarm SFARM1
    compress default-method deflate
policy-map multi-match int102
  class L4_COMP-TEST_CLASS
    loadbalance vip inservice
    loadbalance policy L4_COMP-TEST-L7SLB_POLICY

interface vlan 102
  ip address 10.210.2.151 255.255.255.0
  access-group input ALL
  service-policy input L4_REMOTE-ACCESS_CLASS
  no shutdown
interface vlan 202
  ip address 192.168.10.151 255.255.255.0
  no shutdown
 
ip route 0.0.0.0 0.0.0.0 10.210.2.1

Defining Source IP Address Match Criteria

You can configure the class map to make Layer 7 SLB decisions based on a client source IP address by using the match source-address command in class-map configuration mode. If this command is the only match criteria in the class map, the ACE considers it to be a Layer 3 and Layer 4 class map.

The syntax of this command is as follows:

[line_number] match source-address ip_address [netmask]

The arguments and options are as follows:

line_number—(Optional) Line numbers that you can use for editing or deleting the individual match commands. For example, you can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not indicate any priority for the match statements. Enter a unique integer from 1 to 1024.

ip_address—Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).

netmask—(Optional) Subnet mask of the IP address. Enter the netmask in dotted-decimal notation (for example, 255.255.255.0). The default is 255.255.255.255.

The following example specifies that the class map match on source IP address 192.168.11.2 255.255.255.0:

host1/Admin(config)# class-map http type loadbalance match-any 
L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 50 match source-address 192.168.11.2 
255.255.255.0

To remove the source IP address match statement from the class map, enter:

host1/Admin(config-cmap-http-lb)# no 50

Nesting Layer 7 HTTP SLB Class Maps

The nesting of class maps allows you to achieve complex logical expressions for Layer 7 HTTP-based SLB. You can identify one Layer 7 HTTP SLB class map that is to be used as a matching criterion for another Layer 7 class map by using the match class-map command in class-map configuration mode.


Note The ACE restricts the nesting of class maps to two levels to prevent you from including a nested class map under another class map.


The syntax of this command is as follows:

[line_number] match class-map map_name

The keywords, arguments, and options are as follows:

line_number—(Optional) Line numbers that you can use for editing or deleting the individual match commands. For example, you can enter no line_number to delete long match commands instead of entering the entire line.

map_name—Name of an existing Layer 7 load-balancing class map.

The match class-map command allows you to combine the use of the match-any and match-all keywords in the same class map. To combine match-all and match-any characteristics in a class map, create a class map that uses one match command (either match any or match all), and then use this class map as a match statement in a second class map that uses a different match type.

For example, assume that commands A, B, C, and D represent separate match criteria, and you want Layer 7 HTTP traffic that matches A, B, or C and D (A or B or [C and D]) to satisfy the class map. Without the use of nested class maps, traffic would either have to match all four match criteria (A and B and C and D) or match any of the match criteria (A or B or C or D) to satisfy the class map. By creating a single class map that uses the match-all keyword for match criteria C and D (criteria E), you can then create a new match-any class map that uses match criteria A, B, and E. The new traffic class contains your desired classification sequence: A or B or E, which is equivalent to A or B or [C and D].

The following example shows how to combine the characteristics of two class maps, one with match-any and one with match-all characteristics, into a single class map by using the match class-map command:

host1/Admin(config)# class-map type http loadbalance match-any CLASS3
host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
host1/Admin(config-cmap-http-lb)# 200 match http header Host 
header-value XYZ
host1/Admin(config-cmap-http-lb)# exit

host1/Admin(config)# class-map type http loadbalance match-all CLASS4
host1/Admin(config-cmap-http-lb)# 10 match class-map CLASS3
host1/Admin(config-cmap-http-lb)# 20 match source-address 192.168.11.2
host1/Admin(config-cmap-http-lb)# exit

To remove the nested class map from the Layer 7 class map, enter:

host1/Admin(config-cmap-http-lb)# no 10

Configuring a Layer 7 Policy Map for SLB

You can use a Layer 7 SLB policy map by first creating the policy map and defining match statements and policy actions. Because Layer 7 policy maps are child policies, you must then associate a Layer 7 policy map with the appropriate Layer 3 and Layer 4 policy map to provide an entry point for Layer 7 SLB traffic classification. You cannot directly apply a Layer 7 policy map on an interface; you can activate only a Layer 3 and Layer 4 policy map on an interface or globally on all interfaces in a context.

For information about the role of policy maps in the ACE, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

The ACE treats as a Layer 3 and Layer 4 policy any policy map that has only source IP configured as the match criteria in the class map or inline match, or that has the default class configured as the class map, and there are no Layer 7 policy actions configured.

You can create a Layer 7 SLB policy map and enter policy-map configuration mode by using the policy-map type command in configuration mode. The syntax of this command is as follows:

policy-map type loadbalance first-match map_name

The keywords and arguments are as follows:

loadbalance first-match—Specifies a policy map that defines Layer 7 HTTP SLB decisions. The first-match keyword defines the execution for the Layer 7 load-balancing policy-map. The ACE executes only the action specified against the first-matching classification.

map_name—Identifier assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

The following example shows how to create a Layer 7 SLB policy map:

host1/Admin(config)# policy-map type loadbalance first-match 
L7SLBPOLICY
host1/Admin(config-pmap-lb)# 

To remove a policy map from the ACE, enter:

host1/Admin(config)# no policy-map type loadbalance first-match 
L7SLBPOLICY

The following topics describe how to enable the use of sequence numbers, define inline match statements, and define policy-map actions:

Adding a Layer 7 Policy Map Description

Defining Match Statements Inline in a Layer 7 Policy Map

Associating a Layer 7 Class Map with a Layer 7 Policy Map

Specifying Layer 7 SLB Policy Actions

Associating a Layer 7 Policy Map with a Layer 3 and Layer 4 Policy Map

Adding a Layer 7 Policy Map Description

You can use the description command to provide a brief summary about the Layer 7 policy map.

You must access the policy map configuration mode to specify the description command.

The syntax of this command is as follows:

description text

Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.

For example, to add a description that the policy map is to insert HTTP headers, enter:

host1/Admin(config-pmap-lb)# description insert HTTP headers

To remove the description from the policy map, enter:

host1/Admin(config-pmap-lb)# no description

Defining Match Statements Inline in a Layer 7 Policy Map

Layer 7 SLB policy maps allow you to enter a single inline SLB match criteria in the policy map without specifying a traffic class. The inline Layer 7 SLB policy map match commands function similarly to the Layer 7 SLB class map match commands. However, when you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy.


Note To specify actions for multiple match statements, use a class map as described in the "Associating a Layer 7 Class Map with a Layer 7 Policy Map" section.


The syntax for an inline match command is as follows:

match name1 match_statement [insert-before name2]


Note You can associate a maximum of 1024 instances of the same type of regex with a a Layer 4 policy map. This limit applies to all Layer 7 policy-map types. You configure regexes in:

Match statements in Layer 7 class maps

Inline match statements in Layer 7 policy maps

Layer 7 hash predictors for server farms

Layer 7 sticky expressions in sticky groups

Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists


The arguments and options are as follows:

name1—Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

match_statement—Individual Layer 7 SLB match criteria.

insert-before name2—(Optional) Places the current match statement ahead of an existing class map or other match statement specified by the name2 argument in the policy-map configuration. The ACE does not save the sequence reordering as part of the configuration.

For information about configuring inline match statements in a Layer 7 SLB policy map, see the following topics in the "Configuring Layer 7 Class Maps for SLB" section:

Defining a Cookie for HTTP Load Balancing

Defining an HTTP Header for Load Balancing

Defining a URL for HTTP Load Balancing

Defining Source IP Address Match Criteria

Nesting Layer 7 HTTP SLB Class Maps


Note The line_number argument described in the above-referenced sections is only for use with match statements in class maps. Otherwise, the descriptions of match statements in Layer 7 class maps and inline match statements in Layer 7 policy maps are the same.


Associating a Layer 7 Class Map with a Layer 7 Policy Map

You can associate an existing Layer 7 class map with a Layer 7 policy map by using the class command. The syntax of this command is as follows:

class {name1 [insert-before name2] | class-default}

The keywords, arguments, and options are as follows:

name1—Name of a previously defined traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

insert-before name2—(Optional) Places the current class map ahead of an existing class map or match statement specified by the name2 argument in the policy-map configuration. The ACE does not save the sequence reordering as part of the configuration.

class-default—Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement that enables it to match all traffic.

The following example shows the use of the insert-before option to define the position of a class map in the policy map:

host1/Admin(config-pmap-lb)# class L7SLBCLASS insert-before http_class
host1/Admin(config-pmap-lb-c)# 

To remove a class map from a Layer 7 policy map, enter:

host1/Admin(config-pmap-lb)# no class L7SLBCLASS 

The following example shows the use of the class class-default command:

host1/Admin(config-pmap-lb)# class L7SLBCLASS insert-before http_class
host1/Admin(config-pmap-lb-c)# exit
host1/Admin(config-pmap-lb)# class class-default
host1/Admin(config-pmap-lb-c)#

Specifying Layer 7 SLB Policy Actions

After you associate a Layer 7 SLB class map with a Layer 7 SLB policy map or specify inline match commands, you must specify the actions that the ACE should take when network traffic matches a class map or inline match command. To specify the Layer 7 SLB policy actions, use the commands described in the following topics:

Compressing Packets

Discarding Requests

Forwarding Requests Without Load Balancing

Configuring HTTP Header Insertion

Enabling Load Balancing to a Server Farm (Configuring a Backup Server Farm)

Configuring a Sorry Server Farm

Configuring a Sticky Server Farm

Specifying the IP Differentiated Services Code Point of Packets

Specifying an SSL Proxy Service

Compressing Packets

HTTP compression is a capability built into web servers and web browsers to improve site performance by reducing the amount of time required to transfer data between the server and the client. The benefit of HTTP compression is that the number of transmitted bytes to the requesting client's browser is reduced. When you enable HTTP compression on the ACE, the appliance overwrites the client request with "Accept-Encoding identity" and turns off compression on the server side connection. HTTP compression reduces the bandwidth associated with a web content transfer from the ACE to the client.


Note For information on compression compatibility for your browser, refer to the website for the browser.


By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses.

The ACE can compress the data on HTTP version 1.1 or higher connections. The ACE does not compress HTTP version 1.0 responses and passes the data without compression.

HTTP 1.1 allows different encoding of the data. The encoding values that the ACE supports are:

deflate, the data format for compression described in RFC1951

gzip, the file format for compression described in RFC1952

A client typically advertises its decoding capabilities through the Accept-Encoding field in HTTP request headers. The ACE uses the compression tokens in the Accept-Encoding field to determine the type of compression encoding to use on the response.

When a client request specifies deflate or gzip encoding in the Accept-Encoding field, the ACE uses either deflate or gzip to compress and encode the response content to the client. If both encoding formats are specified in the Accept-Encoding field, the response from the ACE will be encoded according to the compress default-method command in the Layer 7 SLB policy map.

HTTP compression is intended primarily for text-based content types. For example, the following are text-based content types:

text/html

text/plain

text/xml

text/css

application/x-javascript

You instruct the ACE to compress and encode packets that match a Layer 7 SLB policy map by using the compress command in policy map load-balancing class configuration mode. You define the compression format that the ACE uses when responding to an HTTP compression request from a client.

By default, the ACE supports HTTP compression at rates of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 1 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for information on ACE licensing options.


Note The compress command option displays only when you associate an HTTP-type class map with a policy map.


The syntax of this command is as follows:

compress default-method {deflate | gzip}

The keywords are as follows:

deflateSpecifies the deflate compression format as the method to use when the client browser supports both the deflate and gzip compression methods.

gzipSpecifies the gzip compression format as the method to use when the client browser supports both the deflate and gzip compression methods.

When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:

Multipurpose Internet Mail Extension (MIME) type—All text formats (text/.*)

Minimum content length size—512 bytes

User agent exclusion—No user agent is excluded

You can create an HTTP parameter map to modify these compression parameters. See the "Configuring an HTTP Parameter Map" section for details.

For example, to enable compression and specify gzip as the HTTP compression method when both formats are included in the Accept-Encoding client request, enter:

host1/Admin(config-pmap-lb-c)# compress default-method gzip

To disable HTTP compression, enter:

host1/Admin(config-pmap-lb-c)# no compress default-method gzip

Discarding Requests

You can instruct the ACE to discard packets that match a particular policy map by using the drop command in policy map load-balancing class configuration mode. The syntax of this command is as follows:

drop

For example, enter:

host1/Admin(config-pmap-lb-c)# drop

To reset the ACE to the default of accepting packets that match a policy map, enter:

host1/Admin(config-pmap-lb-c)# no drop

Forwarding Requests Without Load Balancing

You can instruct the ACE to forward requests that match a particular policy map without performing load balancing on the request by using the forward command in policy map load-balancing class configuration mode. The syntax of this command is as follows:

forward

For example, enter:

host1/Admin(config-pmap-lb-c)# forward

To reset the ACE to the default of load balancing packets that match a policy map, enter:

host1/Admin(config-pmap-lb-c)# no forward

Configuring HTTP Header Insertion

When the ACE uses Network Address Translation (NAT) to translate the source IP address of a client to a VIP, servers need a way to identify that client for the TCP and IP return traffic. To identify a client whose source IP address has been translated using NAT, you can instruct the ACE to insert a generic header and string value of your choice in the client HTTP request. (For information about NAT, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.


Note With either TCP server reuse or persistence rebalance enabled, the ACE inserts a header in every client request. For information about TCP server reuse, see the "Configuring TCP Server Reuse" section. For information about persistence rebalance, see the "Enabling HTTP Persistence Rebalance" section.


You can insert a generic header and value in an HTTP request by using the insert-http command in policy map load-balancing class configuration mode. You can enter multiple insert-http commands for each class. The syntax of this command is as follows:

insert-http name header-value expression

The keywords and arguments are as follows:

nameName of the HTTP header to insert in the client HTTP request. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. You can specify any custom header name that you want, subject to the maximum character length. You can also enter any of the predefined header names in Table 3-4, regardless of whether that header name already exists in the client request header. The ACE does not overwrite any existing header information in the client request.

header-value expression—Specifies the header-value expression string to insert in the HTTP header. Enter a text string with a maximum of 255 alphanumeric characters.

You can also specify the following special header-value expressions using the following special parameter values:

%is—Inserts the source IP address in the HTTP header

%id—Inserts the destination IP address in the HTTP header

%ps—Inserts the source port in the HTTP header

%pd—Inserts the destination port in the HTTP header


Note For Microsoft Outlook Web Access (OWA), specify the field name as HTTP_FRONT_END_HTTPS with a value of ON.


For example, in an SSL configuration, you could insert a generic field called ClientCert, and the header value could be the client certificate or a portion thereof.

For example, to insert the header name Host with a header value of www.cisco.com in an HTTP client request header, enter the following commands:

host1/Admin(config)# policy-map type loadbalance first-match 
L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# insert-http Host header-value 
www.cisco.com

The header name and value will appear in the HTTP header as the following:

Host: www.cisco.com

To remove the HTTP header name and value from the policy map, enter:

host1/Admin(config-pmap-c)# no insert-http Host header-value 
www.cisco.com

Enabling Load Balancing to a Server Farm (Configuring a Backup Server Farm)

You can load balance a client request for content to a server farm by using the serverfarm command in policy-map class configuration mode. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location. The syntax of this command is as follows:

serverfarm name1 [backup name2 [sticky] [aggregate-state]]

The keywords, arguments, and options are as follows:

name1—Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

backup name2—(Optional) Designates an existing server farm as a backup server farm in case all the servers in the original server farm become unavailable. When at least one server in the primary server farm becomes available again, the ACE sends all connections to the primary server farm. Enter the name of an existing server farm that you want to specify as a backup server farm as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

sticky—(Optional) Applies stickiness to the backup server farm. If all real servers in the primary server farm fail, the ACE sends client requests to the backup server farm. If you configure this sticky option, the backup server farm becomes sticky using source IP address stickiness by default. When at least one real server in the primary server farm becomes available again, the sticky backup server farm continues to service existing connections and new requests over existing sticky connections. The ACE sends all new connection requests to the primary server farm. If you want all connections to return to the primary server farm after it comes back up, do not configure this option.

aggregate-state—(Optional, but recommended) Specifies that the state of the specified server farm is tied to the state of all the real servers in that server farm and in the backup server farm if configured. The ACE declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down. See the "Configuring a Sorry Server Farm" section.

The following example specifies the serverfarm command as an action in the load-balancing policy map:

host1/Admin(config)# policy-map type loadbalance first-match 
L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# serverfarm FARM2 backup FARM3 sticky

To remove the server-farm action from the Layer 7 load-balancing policy map, enter:

host1/Admin(config-pmap-lb-c)# no serverfarm FARM2

Configuring a Sorry Server Farm

When the primary server farm and any configured redirect servers are unavailable, you can instruct the ACE to send client requests to a sorry server farm. A sorry server is a server in a backup server farm with content stating that the Web page, resource, or service that a client requested is temporarily unavailable. When at least one server in the primary server farm returns to service, the ACE directs clients back to the primary server farm.

To configure a sorry server, use the serverfarm command in policy-map class configuration mode as described in the "Enabling Load Balancing to a Server Farm (Configuring a Backup Server Farm)" section. In this case, configure a backup server farm, but do not use the sticky option of the backup keyword and do not associate the serverfarm with a sticky group. For more information about configuring stickiness, see Chapter 5, Configuring Stickiness.

Also, configure the predictor hash source-ip command as the load-balancing method for the server farms. This predictor method guarantees that client connections will return to the primary server farm when it comes back up. For information about configuring the server farm predictor, see Chapter 2, Configuring Real Servers and Server Farms.

For example, to configure a sorry server farm, enter:

host1/Admin(config)# rserver SERVER1
host1/Admin(config-rserver-host)# ip address 192.168.12.4
host1/Admin(config-rserver-host)# inservice
host1/Admin(config)# rserver SERVER2
host1/Admin(config-rserver-host)# ip address 192.168.12.5
host1/Admin(config-rserver-host)# inservice
host1/Admin(config)# rserver SERVER3
host1/Admin(config-rserver-host)# ip address 192.168.12.6
host1/Admin(config-rserver-host)# inservice
host1/Admin(config)# rserver SERVER4
host1/Admin(config-rserver-host)# ip address 192.168.12.7
host1/Admin(config-rserver-host)# inservice

host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)# predictor hash source-ip
host1/Admin(config-sfarm-host)# rserver SERVER1
host1/Admin(config-sfarm-host-rs)# inservice
host1/Admin(config-sfarm-host)# rserver SERVER2
host1/Admin(config-sfarm-host-rs)# inservice

host1/Admin(config)# serverfarm SFARM2
host1/Admin(config-sfarm-host)# predictor hash source-ip
host1/Admin(config-sfarm-host)# rserver SERVER3
host1/Admin(config-sfarm-host-rs)# inservice
host1/Admin(config-sfarm-host)# rserver SERVER4
host1/Admin(config-sfarm-host-rs)# inservice

host1/Admin(config)# class-map type http loadbalance match-any 
L7SLBCLASS
host1/Admin(config-cmap-http-lb)# 100 match http header Host 
header-value .*cisco.com

host1/Admin(config)# policy-map type loadbalance first-match 
L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# serverfarm SFARM1 backup SFARM2 
aggregate-state

Configuring a Sticky Server Farm

You can specify that requests matching a Layer 7 policy map be load balanced to a sticky server farm by using the sticky-serverfarm command in policy map load-balancing class configuration mode. The syntax of this command is as follows:

sticky-serverfarm name

The name argument is the identifier of an existing sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For information about sticky groups, see Chapter 5, Configuring Stickiness.

For example, enter:

host1/Admin(config-pmap-lb-c)# sticky-serverfarm STICKY_GROUP1

To remove the sticky server farm from the policy map, enter:

host1/Admin(config-pmap-lb-c)# no sticky-serverfarm STICKY_GROUP1

Specifying the IP Differentiated Services Code Point of Packets

You can specify the IP differentiated services code point (DSCP) of packets in a policy map by using the set ip tos command in policy-map class configuration mode. This command marks a packet by setting the IP DSCP bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can operate on the bit settings.

The syntax of this command is as follows:

set ip tos value

The value argument is the IP DSCP value. Enter an integer from 0 to 255. The default is to not modify the ToS field.

The following example specifies the set ip tos command as a QoS action in the Layer 7 load-balancing policy map. All packets that satisfy the match criteria of L7SLBCLASS are marked with the IP DSCP value of 8. How packets marked with the IP DSCP value of 8 are treated is determined by the network configuration.

host1/Admin(config)# policy-map type loadbalance first-match 
L7SLBPOLICY
host1/Admin(config-pmap)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# set ip tos 8

To reset the ACE behavior to the default of not modifying the TOS byte value, enter:

host1/Admin(config-pmap-lb-c)# no set ip tos 8

Specifying an SSL Proxy Service

The ACE uses an SSL proxy service in a Layer 7 policy map to load balance outbound SSL initiation requests to SSL servers. The ACE acts as an SSL client sending an encrypted request to an SSL server. For more information about SSL initiation, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide.

You can specify an SSL proxy service in a policy map by using the ssl-proxy command in policy map load-balancing class configuration mode. The syntax of this command is as follows:

ssl-proxy client name

The name argument is the identifier of an existing SSL proxy service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, enter:

host1/Admin(config-pmap-lb-c)# ssl-proxy client PROXY_SERVICE1

To remove the SSL proxy service from the policy map, enter:

host1/Admin(config-pmap-lb-c)# no ssl-proxy client PROXY_SERVICE1

Associating a Layer 7 Policy Map with a Layer 3 and Layer 4 Policy Map

You can associate a Layer 7 SLB policy with a Layer 3 and Layer 4 SLB policy by using the service-policy type loadbalance command in policy-map class configuration mode. For details, see the "Associating a Layer 7 SLB Policy Map with a Layer 3 and Layer 4 SLB Policy Map" section.

Configuring an HTTP Parameter Map

You can use a parameter map to combine related HTTP actions in a Layer 3 and Layer 4 policy map. You reference this parameter map in the policy map by using the appl-parameter http advanced-options command. See the "Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map" section.

You can configure the advanced HTTP behavior for SLB connections by using the parameter-map type http command in configuration mode. The syntax of this command is as follows:

parameter-map type http name

The name argument is the identifier assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.

For example, enter:

host1/Admin(config)# parameter-map type http HTTP_PARAMETER_MAP

To remove an HTTP parameter map from the configuration, enter:

host1/Admin(config)# no parameter-map type http HTTP_PARAMETER_MAP

The following topics describes the commands that you can use to define the advanced HTTP parameter map:

Disabling Case-Sensitivity Matching

Defining HTTP Compression Parameters

Defining URL Delimiters

Setting the Maximum Number of Bytes to Parse for Cookies, HTTP Headers, and URLs

Enabling HTTP Persistence Rebalance

Configuring TCP Server Reuse

Disabling Case-Sensitivity Matching

By default, the ACE CLI is case sensitive. You can disable case-sensitivity matching for HTTP only by using the case-insensitive command in HTTP parameter-map configuration mode. With case-insensitive matching enabled, uppercase and lowercase letters are considered the same. When case sensitivity is disabled, it applies to the following:

HTTP header names and values

HTTP cookie names and values

URL strings

HTTP deep inspection (for details, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide)

The syntax of this command is as follows:

case-insensitive

For example, to disable case sensitivity, enter:

host1/Admin(config-parammap-http)# case-insensitive

To reenable case-sensitive matching after it has been disabled, enter:

host1/Admin(config-parammap-http)# no case-insensitive

Defining HTTP Compression Parameters

When HTTP compression is enabled in the ACE, the appliance compresses the packets using the following default compression parameter values:

Multipurpose Internet Mail Extension (MIME) type—All text formats (text/.*)

Minimum content length size—512 bytes

User agent exclusion—No user agent is excluded

You can modify the parameters that the ACE uses when compressing HTTP traffic by using the compress command.

You instruct the ACE to perform HTTP compression and compress packets by including the compress command as an action in a Layer 7 SLB policy map. You define the compression method that the ACE is to use when responding to an HTTP compression request from a client. See the "Specifying Layer 7 SLB Policy Actions" section.

The syntax of this command is as follows:

compress {mimetype type/subtype | minimum-size size | user-agent string}

The keywords and arguments are as follows:

mimetype type/subtype—Specifies the Multipurpose Internet Mail Extension (MIME) type to compress. The default is text/.* which includes all text MIME types, such as text/html, text/plain, and so on.

minimum-size size—Specifies the threshold at which compression occurs. The ACE compresses files that are the minimum size or larger. The range is from 1 to 4096 bytes. The default is 512 bytes.

user-agent string—Specifies the text string in the request to match. A user agent is a client that initiates a request. Examples of user agents include browsers, editors, or other end user tools. The ACE does not compress the response to a request when the request contains a matching user agent string. The maximum size is 64 characters. The default is none.

For example, to specify compression of all image MIME types, enter:

host1/Admin(config-parammap-http)# compress mimetype image/.*

For example, to specify the threshold at which compression occurs, enter:

host1/Admin(config-parammap-http)# compress minimum-size 1000

For example, to specify the user-agent string .*Konqueror.*, enter:

host1/Admin(config-parammap-http)# compress user-agent .*Konqueror.*

Defining URL Delimiters

You can define a list of ASCII-character delimiters that you can use to separate the cookies in a URL string by using the set secondary-cookie-delimiters command in HTTP parameter-map configuration mode. The syntax of this command is as follows:

set secondary-cookie-delimiters text

The text argument identifies the list of delimiters. Enter an unquoted text string with no spaces and a maximum of 4 characters. The order of the delimiters in the list does not matter. The default list of delimiters is /&#+.

Cookies and their delimiters appear in GET request lines. In the following example of a GET request line, the ampersand (&) that appears between name-value pairs is the secondary cookie delimiter. The question mark (?) begins the URL query and is not configurable.

GET /default.cgi?user=me&hello=world&id=2 HTTP/1.1

For example, to specify the secondary cookie delimiters as !@#$, enter:

host1/Admin(config-parammap-http)# set secondary-cookie-delimiters 
!@#$

To reset the delimiter list to the default of /&#+, enter:

host1/Admin(config-parammap-http)# no set secondary-cookie-delimiters 
!@#$

Setting the Maximum Number of Bytes to Parse for Cookies, HTTP Headers, and URLs

By default, the maximum number of bytes that the ACE parses to check for a cookie, HTTP header, or URL is 2048. If a cookie, HTTP header, or URL exceeds the default value, the ACE drops the packet and sends a RST (reset) to the client browser. You can increase the number of bytes that the ACE parses using the set header-maxparse-length command in HTTP parameter-map configuration mode. The syntax of this command is as follows:

set header-maxparse-length bytes

The bytes argument is the maximum number of bytes to parse for the total length of all cookies, HTTP headers, and URLs. Enter an integer from 1 to 65535. The default is 2048 bytes.

For example, to set the HTTP header maximum parse length to 8192, enter:

host1/Admin(config-parammap-http)# set header-maxparse-length 8192

To reset the HTTP header maximum parse length to the default of 2048 bytes, enter:

host1/Admin(config-parammap-http)# no set-header maxparse-length

Configuring the ACE Behavior when a URL or Cookie Exceeds the Maximum Parse Length

You can configure how the ACE handles cookies, HTTP headers, and URLs that exceed the maximum parse length by using the length-exceed command in HTTP parameter-map configuration mode. The syntax of this command is as follows:

length-exceed {continue | drop}

The keywords are as follows:

continue—Specifies to continue load balancing. When you specify this keyword, the persistence-rebalance command is disabled if the total length of all cookies, HTTP headers, and URLs exceeds the maximum parse length value. For details on setting the maximum parse length, see the "Setting the Maximum Number of Bytes to Parse for Cookies, HTTP Headers, and URLs" section.

drop—(Default) Specifies to stop load balancing and discard the packet.

For example, enter:

host1/Admin(config-parammap-http)# length-exceed continue

To reset the ACE to the default of stopping load balancing and discarding a packet when its URL or cookie exceeds the maximum parse length, enter:

host1/Admin(config-parammap-http)# no length-exceed continue

Enabling HTTP Persistence Rebalance

Persistence is sometimes referred to as a connection keepalive. With persistence rebalance enabled, when successive GET requests result in load balancing that chooses the same policy, the ACE sends the request to the real server used for the last GET request. This behavior prevents the ACE from load balancing every request and recreating the server-side connection on every GET request, producing less overhead and better performance.

Another effect of persistence rebalance is that header insertion and cookie insertion, if enabled, occur for every request instead of only the first request. For information about header insertion, see the "Configuring HTTP Header Insertion" section in this chapter. For information about cookie insertion, see the "Enabling Cookie Insertion" section in Chapter 5, Configuring Stickiness.

By default, persistence rebalance is disabled and after a connection is established the ACE sends all further requests to the same destination. Load balancing is not involved. You can enable the persistence rebalance feature by using the persistence-rebalance command in HTTP parameter-map configuration mode.


Note If a real server is enabled with the NTLM Microsoft authentication protocol, we recommend that you leave persistence rebalance disabled. NTLM is a security measure that is used to perform authentication with Microsoft remote access protocols. When a real server is enabled with NTLM, every connection to the real server must be authenticated; typically, each client user will see a pop-up window prompting for a username and password. Once the connection is authenticated, all subsequent requests on the same connection will not be challenged. However, when the server load balancing function is enabled and configured with persistence rebalance, a subsequent request may point to a different real server causing a new authentication handshake.


The syntax of this command is as follows:

persistence-rebalance

The following example specifies the parameter-map type http command to configure URL cookie delimiter strings, set the maximum number of bytes to parse for URLs and cookies, and enable HTTP persistence:

host1/Admin(config)# parameter-map type http http_parameter_map
host1/Admin(config-parammap-http)# secondary-cookie-delimiters !@#$
host1/Admin(config-parammap-http)# header-maxparse-length 4096 
length-exceed continue
host1/Admin(config-parammap-http)# persistence-rebalance

To reset persistence to the default setting of disabled, enter:

host1/Admin(config-parammap-http)# no persistence-rebalance

Configuring TCP Server Reuse

TCP server reuse allows the ACE to reduce the number of open connections on a server by allowing connections to persist and be reused by multiple client connections. The ACE maintains a pool of TCP connections based on TCP options. New client connections can reuse those connections in the pool provided that the new client connections and prior server connections share the same TCP options. For information about configuring how the ACE handles TCP options, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

To ensure proper operation of this feature, follow these TCP server reuse recommendations and restrictions:

Ensure that the ACE MSS is the same as the server MSS.

Configure port address translation (PAT) on the interface that is connected to the real server. PAT prevents collisions when a client stops using a server connection, and then that connection is reused by another client. Without PAT, if the original client tries to reuse the original server connection, it is no longer available. For details about configuring PAT, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

Configure on the ACE the same TCP options that exist on the TCP server.

Ensure that each server farm is homogeneous (all real servers within a server farm have identical configurations).

Another effect of TCP server reuse is that header insertion and cookie insertion, if enabled, occur for every request instead of only the first request. For information about header insertion, see the "Configuring HTTP Header Insertion" section in this chapter. For information about cookie insertion, see the "Enabling Cookie Insertion" section in Chapter 5, Configuring Stickiness.

To configure TCP server reuse, use the server-conn reuse command in HTTP parameter-map configuration mode. The syntax of this command is as follows:

server-conn reuse

For example, to enable TCP server reuse, enter:

host1/Admin(config-parammap-http)# server-conn reuse

To disable TCP server reuse, enter:

host1/Admin(config-parammap-http)# no server-conn reuse

Configuring a Layer 3 and Layer 4 Class Map for SLB

A Layer 3 and Layer 4 class map contains match criteria to classify network traffic that can pass through the ACE. The ACE uses these Layer 3 and Layer 4 traffic classes to perform server load balancing (SLB). For a Layer 3 and Layer 4 traffic classification, the match criteria in a class map include the VIP address, protocol, and port of the ACE. You can configure multiple commands in a single class map to specify the match criteria in a group that you then associate with a traffic policy.

You can create a Layer 3 and Layer 4 class map to classify network traffic passing through the ACE and enter class-map configuration mode by using the class-map command in configuration mode. The syntax of this command is as follows:

class-map [match-all | match-any] map_name

The arguments and options are as follows:

match-all | match-any—(Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:

match-all—(Default) Network traffic needs to satisfy all of the match criteria (implicit AND) to match the class map.

match-anyNetwork traffic needs to satisfy only one of the match criteria (implicit OR) to match the load-balancing class map.

map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The class name is used for both the class map and to configure policy for the class in the policy map.

For example, to create a class map named L4VIPCLASS that specifies the network traffic must satisfy all the match criteria (match-all is the default), enter:

host1/Admin(config)# class-map L4VIPCLASS

To remove the class map from the configuration, enter:

host1/Admin(config)# no class-map L4VIPCLASS

After you have created a Layer 3 and Layer 4 class map for SLB, use the commands in the following topics to configure a description and the VIP match criteria for the class map:

Defining a Class Map Description

Defining VIP Address Match Criteria

Defining a Class Map Description

You can provide a brief summary about the Layer 3 and Layer 4 class map by using the description command in class-map configuration mode. The syntax of this command is as follows:

description text

For the text argument, enter an unquoted text string with no spaces and a maximum of 240 alphanumeric characters.

The following example specifies a description that the class map is to filter network traffic to the server:

host1/Admin(config)# class-map match-any L4VIPCLASS 
host1/Admin(config-cmap)# description filter server traffic

To remove the description from the class map, enter:

host1/Admin(config-cmap)# no description

Defining VIP Address Match Criteria

You can define a 3-tuple flow of VIP address, protocol, and port as matching criteria for SLB, by using the match virtual-address command in class-map configuration mode. You can configure multiple match criteria statements to define the VIPs for SLB. The syntax of this command is as follows:

[line_number] match virtual-address vip_address {[mask] | any | {tcp | udp {any | eq port_number | range port1 port2}} | protocol_number}

The keywords, arguments, and options are as follows:

line_number—(Optional) Line numbers that you can use for editing or deleting individual match commands. For example, you can enter no line_number to delete long match commands instead of entering the entire line.

vip_address—Virtual IP (VIP) address of the virtual server in the ACE, specified in dotted-decimal notation (192.168.1.2). VIPs are public addresses owned by the customer.

mask—(Optional) Mask for the VIP address of the ACE to allow connections to an entire network, specified in dotted decimal format (255.255.255.0).

any—Specifies the wildcard value for the IP protocol value.

tcp | udp—Specifies the protocol: TCP or UDP.

anySpecifies the wildcard value for the TCP or UDP port number. With any used in place of either the eq or range values, packets from any incoming port match.

eq port_number—Specifies that the TCP or UDP port number must match the specified value. Enter an integer from 0 to 65535. A value of 0 instructs the ACE to include all ports. Alternatively, you can enter the keyword name of a well-known TCP port from Table 3-5 or a well-known UDP port from Table 3-6.

Table 3-5 Well-Known TCP Port Numbers and Keywords 

Keyword
Port Number
Description

domain

53

Domain Name System (DNS)

ftp

21

File Transfer Protocol (FTP)

ftp-data

20

FTP data connections

http

80

Hypertext Transfer Protocol (HTTP)

https

443

HTTP over TLS or SSL (HTTPS)

irc

194

Internet Relay Chat (IRC)

matip-a

350

Mapping of Airline Traffic over Internet Protocol (MATIP) Type A

nntp

119

Network News Transport Protocol (NNTP)

pop2

109

Post Office Protocol (POP) v2

pop3

110

Post Office Protocol (POP) v3

rtsp

554

Real Time Streaming Protocol (RTSP)

smtp

25

Simple Mail Transfer Protocol (SMTP)

telnet

23

Telnet

www

80

World Wide Web (WWW)


Table 3-6 Well-Known UDP Port Numbers and Keywords 

Keyword
Port Number
Description

domain

53

Domain Name System

wsp

9200

Connectionless Wireless Session Protocol (WSP)

wsp-wtls

9202

Secure Connectionless WSP

wsp-wtp

9201

Connection-based WSP

wsp-wtp-wtls

9203

Secure Connection-based WSP


range port1 port2—Specifies a port range to use for the TCP or UDP port. Valid port ranges are from 0 to 65535. A value of 0 instructs the ACE to match all ports.

protocol_number—Number of an IP protocol. Enter an integer from 1 to 254 that represents an IP protocol number.

The following example specifies that the class map L4VIPCLASS matches traffic destined to VIP address 192.168.1.10 and TCP port number 80:

host1/Admin(config)# class-map L4VIPCLASS
host1/Admin(config-cmap)# match virtual-address 192.168.1.10 tcp port 
eq 80

To remove the VIP match statement from the class map, enter:

host1/Admin(config-cmap)# no match virtual-address 192.168.1.10 tcp 
port eq 80

Configuring a Layer 3 and Layer 4 Policy Map for SLB

For a Layer 3 and Layer 4 SLB traffic classification, you create an SLB policy map that contains actions that are related to a VIP. A policy map associates a predefined traffic class (class map) with a series of actions to be performed on the traffic that matches the classifications defined in the traffic class. At the Layer 3 and Layer 4 network traffic level, there is a single policy map for each network traffic feature. The Layer 3 and Layer 4 policy maps are typed accordingly and, through the service-policy command, applied to a single interface or globally to all interfaces in a context.

The sequence in which the ACE applies actions for a specific policy are independent of the actions configured for a class inside a policy. The ACE follows an implicit feature lookup order that is dictated by the policy map actions and features, which can mean that the user-configured order of class maps does not necessarily have an effect on the lookup order. For example, if you configure one or more security ACLs in a policy map, an ACL may not allow a certain flow through the ACE even if you want to perform operations such as SLB on that flow. For details on the lookup order that the ACE uses, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

You can create an SLB policy map by using the policy-map command in configuration mode. The syntax of this command is as follows:

policy-map multi-match map_name

The keywords, arguments, and options are as follows:

multi-match—Allows the inclusion of multiple Layer 3 and Layer 4 network traffic-related actions in the same policy map, enabling the ACE to execute all possible actions applicable for a specific classification (for example, SLB, NAT, and AAA).

map_name—Unique identifier of the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to create a Layer 3 and Layer 4 network traffic policy map, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)#

To remove a policy map from the configuration, enter:

host1/Admin(config)# no policy-map multi-match L4SLBPOLICY

If there are multiple instances of actions of the same type (feature) configured in a policy map, the ACE performs the first action encountered of that type.

Defining a Layer 3 and Layer 4 Policy Map Description

You can use the description command to provide a brief summary about the Layer 3 and Layer 4 policy map.

You must access the policy map configuration mode to specify the description command.

The syntax of this command is as follows:

description text

Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.

For example, to specify a description that the policy map is to filter network traffic to a VIP, enter:

host1/Admin(config-pmap)# description filter traffic matching a VIP

To remove the description from the class map, enter:

host1/Admin(config-pmap)# no description

Associating a Layer 3 and Layer 4 Class Map with a Policy Map

You can associate a Layer 3 and Layer 4 SLB class map with a Layer 3 and Layer 4 SLB policy map by using the class command in policy-map configuration mode. The syntax of this command is as follows:

class {name1 [insert-before name2] | class-default}

The keywords, arguments, and options are as follows:

name1—Name of a previously defined traffic class configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

class-default—Specifies a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it enabling it to match all traffic.

insert-before name2—(Optional) Places the current class map ahead of an existing class map specified by the name2 argument in the policy-map configuration. The ACE does not preserve the command in the running conifguration but does retain the configured order of class maps in the policy map.

The following example shows the use of the insert-before command to define the sequential order of two class maps in the policy map:

host1/Admin(config-pmap)# class L4VIPCLASS insert-before FILTERHTML

To remove a class map from a Layer 3 and Layer 4 policy map, enter:

host1/Admin(config-pmap)# no class L4VIPCLASS

Specifying Layer 3 and Layer 4 SLB Policy Actions

After you associate a Layer 3 and Layer 4 class map with an SLB policy map, you need to specify the actions that the ACE should take when network traffic matches one or more match statements in a class map. To specify the Layer 3 and Layer 4 SLB policy actions, use the commands described in the following topics:

Associating a Layer 7 SLB Policy Map with a Layer 3 and Layer 4 SLB Policy Map

Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map

Associating a Connection Parameter Map with a Layer 3 and Layer 4 Policy Map

Enabling a VIP to Reply to ICMP Requests

Enabling a VIP

Associating a Layer 7 SLB Policy Map with a Layer 3 and Layer 4 SLB Policy Map

The ACE treats all Layer 7 policy maps as child policies, so you must always associate a Layer 7 SLB policy map with a Layer 3 and Layer 4 SLB policy map. You can apply on an interface or globally on all interfaces in a context only a Layer 3 and Layer 4 policy map. For details on creating a Layer 7 load-balancing policy map, see the "Configuring a Layer 7 Policy Map for SLB" section.

You can associate a Layer 7 SLB policy map with a Layer 3 and Layer 4 SLB policy map by using the loadbalance command in policy-map class configuration mode.

The syntax of this command is as follows:

loadbalance policy name

The policy name keyword and argument are the identifiers of an existing Layer 7 SLB policy map. Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

The following example references the Layer 7 L7SLBPOLICY policy map within the Layer 3 and Layer 4 L4SLBPOLICY policy map:

host1/Admin(config)# policy-map type loadbalance first-match 
L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# serverfarm FARM2
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class L4SLBCLASS
host1/Admin(config-pmap-c)# loadbalance policy L7SLBPOLICY

To dissociate the Layer 7 SLB policy from the Layer 3 and Layer 4 SLB policy, enter:

host1/Admin(config-pmap-c)# no loadbalance policy L7LBPOLICY

Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map

You can configure advanced HTTP parameters by creating a parameter map to define related actions. See the "Configuring an HTTP Parameter Map" section.

You can associate an HTTP parameter map with a Layer 3 and Layer 4 policy map by using the appl-parameter http advanced-options command in policy-map class configuration mode.

The syntax of this command is as follows:

appl-parameter http advanced-options name

The name argument is the name of an existing HTTP parameter map. Parameter maps aggregate HTTP traffic-related actions together. For details, see the "Configuring an HTTP Parameter Map" section.

The following example specifies the appl-parameter http advanced-options command as an action for the SLB policy map:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# appl-parameter http advanced-options 
HTTP_PARAM_MAP1

To dissociate the HTTP parameter map as an action from the SLB policy map, enter:

host1/Admin(config-pmap-c)# no appl-parameter http advanced-options 
HTTP_PARAM_MAP1

Associating a Connection Parameter Map with a Layer 3 and Layer 4 Policy Map

You can configure TCP/IP normalization and connection parameters by creating a connection parameter map to define related actions. See the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

You can associate a connection parameter map with a Layer 3 and Layer 4 policy map by using the connection advanced-options command in policy-map class configuration mode. The syntax of this command is as follows:

connection advanced-options name

For the name argument, enter the name of an existing parameter map as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, enter:

host1/Admin(config-pmap-c)# connection advanced-options TCP_PARAM_MAP

To dissociate the TCP parameter map from a policy map, enter:

host1/Admin(config-pmap-c)# no connection advanced-options 
TCP_PARAM_MAP

Enabling a VIP to Reply to ICMP Requests

You can enable a VIP to reply to ICMP ECHO requests by using the loadbalance vip icmp-reply command in policy-map class configuration mode. For example, if a user sends an ICMP ECHO request to a VIP, this command instructs the VIP to send an ICMP ECHO-REPLY. The syntax of this command is as follows:

loadbalance vip icmp-reply [active]

The active option instructs the ACE to reply to an ICMP request only if the configured VIP is active. If the VIP is not active and the active option is specified, the ACE discards the ICMP request and the request times out.

To complete the configuration when you configure the active option of this command, be sure to configure a Telnet probe and associate it with the server farm. The probe monitors the health of all the real servers in the server farm and ensures that the VIP responds with an ICMP ECHO REPLY only if the server port is active. If the server port is down or unreachable, the probe fails and the VIP stops responding to the ECHO request. For details about configuring probes, see Chapter 4, Configuring Health Monitoring.

For example, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip icmp-reply active

Enabling a VIP

You can enable a VIP for SLB operations by using the loadbalance vip inservice command in policy-map class configuration mode. The syntax of this command is as follows:

loadbalance vip inservice

The following example specifies the loadbalance vip inservice command as an action for the SLB policy map:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERHTTP
host1/Admin(config-pmap-c)# loadbalance vip icmp-reply active
host1/Admin(config-pmap-c)# loadbalance vip inservice

To disable a VIP, enter:

host1/Admin(config-pmap-c)# no loadbalance vip inservice

Applying a Layer 3 and Layer 4 Policy to an Interface

You can use the service-policy command to apply a previously created policy map and attach the traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.

The service-policy command is available at both the interface configuration mode and at the configuration mode. Specifying a policy map in the configuration mode applies the policy to all of the VLAN interfaces associated with a context.

The syntax of this command is as follows:

service-policy input policy_name

The keywords, arguments, and options are as follows:

input—Specifies that the traffic policy is to be attached to the input direction of an interface. The traffic policy evaluates all traffic received by that interface.

policy_name—Name of a previously defined policy map, configured with a previously created policy-map command. The name can be a maximum of 64 alphanumeric characters.

Follow these guidelines when creating a service policy:

Policy maps, applied globally in a context, are internally applied on all interfaces associated with the context.

You can apply the policy in an input direction only.

A policy activated on an interface overwrites any specified global policies for overlapping classification and actions.

The ACE allows only one policy of a specific feature type to be activated on a given interface.

You can configure a maximum of 4000 policy maps per ACE.

You can apply a maximum of 128 service policies on each interface.

When you configure multiple VIPs on an interface, the match criteria for incoming traffic follow the order in which you configure the service-policy statements on that interface. Each service policy that you configure on an interface applies a Layer 3 and Layer 4 multi-match policy map to the interface. Each multi-match policy map may contain one or more features as defined in the class maps associated with the policy map.

Because service policies do not have line numbers, the order in which you configure them on an interface is extremely important. The reason is that the ACE has an implicit feature lookup order as follows:

1. Access control (permit or deny a packet)

2. Management traffic

3. TCP normalization and connection parameters

4. Server load balancing

5. Application protocol inspection

6. Source NAT

7. Destination NAT

When you apply multiple service policies to an interface, the ACE appends the last service policy at the end of the list. If you need to change the order of the service policies on an interface, you must first remove the service policies and then add them back in the appropriate order. This process is disruptive to the network.

As an alternative to reordering the service policies, you can configure multiple class maps in the same multi-match policy map, where you can define the order of the class maps. This process is not disruptive to the network. When you add new class maps to an existing policy, use the insert-before command to place the new class map in the desired order.

The following example shows how to configure two class maps in a policy map, where the VIP-ACCESS-MANAGER-80 is the more specific class map. To ensure that the ACE matches traffic to the more specific classification, configure VIP-ACCESS-MANAGER-80 class map first under the LB-TRAFFIC policy map. Note that this example and the one that follows include only the Layer 3 and Layer 4 traffic classification portions of the configuration.

class-map match-all VIP-ACCESS-MANAGER-ANY
  2 match virtual-address 10.238.45.200 tcp eq any
class-map match-all VIP-ACCESS-MANAGER-80
  2 match virtual-address 10.238.45.200 tcp eq www
policy-map multi-match LB-TRAFFIC
  class VIP-ACCESS-MANAGER-80
    loadbalance vip inservice
    loadbalance policy POLICY-ACCESS-MANAGER-80
    loadbalance vip icmp-reply active
  class VIP-ACCESS-MANAGER-ANY
    loadbalance vip inservice
    loadbalance policy POLICY-ACCESS-MANAGER-ANY
    loadbalance vip icmp-reply active

interface vlan 758
  description CLIENT-SIDE-VLAN
  bridge-group 100
  access-group input ALL
  service-policy input LB-TRAFFIC
  no shutdown

The following example shows how to use two policy maps, one for each class map, and achieve the same results as in the previous example. In this example, you configure the more specific policy map first under the interface using a service policy.


policy-map multi-match LB-TRAFFIC-80
  class VIP-ACCESS-MANAGER-80
    loadbalance vip inservice
    loadbalance policy POLICY-ACCESS-MANAGER-80
    loadbalance vip icmp-reply active

policy-map multi-match LB-TRAFFIC-ANY
  class VIP-ACCESS-MANAGER-ANY
    loadbalance vip inservice
    loadbalance policy POLICY-ACCESS-MANAGER-ANY
    loadbalance vip icmp-reply active

interface vlan 758
  description CLIENT-SIDE-VLAN
  bridge-group 100
  access-group input ALL
  service-policy input LB-TRAFFIC-80
  service-policy input LB-TRAFFIC-ANY
  no shutdown

The following example specifies an interface VLAN and applies the Layer 3 and Layer 4 SLB policy map to the VLAN:

host1/Admin(config)# interface vlan50
host1/Admin(config-if)# mtu 1500
host1/Admin(config-if)# ip address 172.20.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input L4SLBPOLICY

To apply the Layer 3 and Layer 4 SLB policy map to all interfaces in the context, enter:

host1/Admin(config)# service-policy input L4SLBPOLICY

To detach a traffic policy from an interface, enter:

host1/Admin(config-if)# no service-policy input L4SLBPOLICY

To globally detach a traffic policy from a context, enter:

host1/Admin(config)# no service-policy input L4SLBPOLICY

When you detach a traffic policy using either of the following methods, the ACE automatically resets the associated service-policy statistics:

Individually from the last VLAN interface on which you applied the service policy

Globally from all VLAN interfaces in the same context

The ACE performs this action to provide a new starting point for the service-policy statistics the next time that you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.

Example of a Server Load-Balancing Policy Configuration

The following example illustrates a running configuration that includes multiple class maps and policy maps that define a traffic policy for SLB. The class map and policy map configuration appears in bold in the example.

In this configuration, when a server farm is chosen for a connection, the connection is sent to a real server based on one of several load-balancing predictors. The leastconns predictor method load balances connections to the server that has the lowest number of open connections.

access-list ACL1 line 10 extended permit ip any any

probe tcp TCP
  interval 5
  faildetect 2
  passdetect interval 10
  open 3

parameter-map type http PERSIST-REBALANCE
  persistence-rebalance
parameter-map type connection PRED-CONNS-UDP_CONN
  set timeout inactivity 300

serverfarm host PRED-CONNS
  predictor leastconns
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  rserver SERVER3
    inservice
  rserver SERVER4
    inservice
  rserver SERVER5
    inservice
  rserver SERVER6
    inservice
  rserver SERVER7
    inservice
  rserver SERVER8
    inservice
serverfarm host PRED-CONNS-UDP
  failaction purge
  predictor leastconns
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  rserver SERVER3
    probe ICMP
    inservice
  rserver SERVER5
    inservice
  rserver SERVER6
    inservice
  rserver SERVER7
    inservice
serverfarm host PREDICTOR
  probe TCP
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  rserver SERVER6
    inservice
  rserver SERVER7
    inservice

sticky http-cookie COOKIE_TEST STKY-GRP-43
  cookie offset 1 length 999
  timeout 30
  replicate sticky
  serverfarm PREDICTOR

class-map match-all L4PRED-CONNS-UDP-VIP_128:2222_CLASS
  2 match virtual-address 192.168.120.128 udp eq 0 
class-map match-all L4PRED-CONNS-VIP_128:80_CLASS
  2 match virtual-address 192.168.120.128 tcp eq www 
class-map match-all L4PREDICTOR_117:80_CLASS
  2 match virtual-address 192.168.120.117 tcp eq www 
policy-map type loadbalance first-match L7PLBSF_PRED-CONNS_POLICY
  class class-default
    serverfarm PRED-CONNS
policy-map type loadbalance first-match L7PLBSF_PRED-CONNS-UDP_POLICY
  class class-default
    serverfarm PRED-CONNS-UDP
policy-map type loadbalance first-match L7PLBSF_PREDICTOR_POLICY
  class class-default
    serverfarm PREDICTOR
policy-map multi-match L4SH-Gold-VIPs_POLICY
  class L4PREDICTOR_117:80_CLASS
    loadbalance vip inservice
    loadbalance policy L7PLBSF_PREDICTOR_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 120
    appl-parameter http advanced-options PERSIST-REBALANCE
  class L4PRED-CONNS-VIP_128:80_CLASS
    loadbalance vip inservice
    loadbalance policy L7PLBSF_PRED-CONNS_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 120
    appl-parameter http advanced-options PERSIST-REBALANCE
  class L4PRED-CONNS-UDP-VIP_128:2222_CLASS
    loadbalance vip inservice
    loadbalance policy L7PLBSF_PRED-CONNS-UDP_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 120
    appl-parameter http advanced-options PERSIST-REBALANCE
    connection advanced-options PRED-CONNS-UDP_CONN

interface vlan 120
  description Upstream VLAN_120 - Clients and VIPs
  ip address 192.168.120.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
  access-group input ACL1
  nat-pool 1 192.168.120.70 192.168.120.80 netmask 255.255.255.0 pat
  service-policy input L4SH-Gold-VIPs_POLICY
  no shutdown
ip route 10.1.0.0 255.255.255.0 192.168.120.254

Displaying Load-Balancing Configuration Information and Statistics

Use the commands in the following sections to display configuration information and statistics for Layer 3 and Layer 4, and Layer 7 class maps and policy maps. This section contains the following topics:

Displaying Class-Map Configuration Information

Displaying Policy-Map Configuration Information

Displaying Parameter Map Configuration Information

Displaying Load-Balancing Statistics

Displaying HTTP Parameter Map Statistics

Displaying Service-Policy Statistics

Displaying Class-Map Configuration Information

You can display class-map configuration information by using the show running-config class-map command in Exec mode. This command displays the names of all the class maps configured in the contexts to which you have access and the match statements configured in each class map. The syntax of this command is as follows:

show running-config class-map

Displaying Policy-Map Configuration Information

You can display policy-map configuration information by using the show running-config policy-map command in Exec mode. This command displays the names of all the policy maps configured in the contexts to which you have access and the class maps and actions configured in each policy map. The syntax of this command is as follows:

show running-config policy-map

Displaying Parameter Map Configuration Information

You can display a list of parameter maps and their configurations by using the show running-config parameter-map command in Exec mode. The syntax of this command is as follows:

show running-config parameter-map

Displaying Load-Balancing Statistics

You can display load-balancing statistics by using the show stats loadbalance command in Exec mode. The syntax of this command is as follows:

show stats loadbalance

For example, enter:

host1/Admin# show stats loadbalance

Table 3-7 describes the fields in the show stats loadbalance command output for an HTTP parameter map.

Table 3-7 Field Descriptions for the show stats loadbalance Command Output
 

Field
Description

Total Version Mismatch

VIP configuration changed during the load-balancing decision and the ACE rejected the connection.

Total Layer4 Decisions

Total number of times the ACE made a load-balancing decision at Layer 4.

Total Layer4 Rejections

Total number of Layer 4 connections that the ACE rejected.

Total Layer7 Decisions

Total number of times the ACE made a load-balancing decision at Layer 7.

Total Layer7 Rejections

Total number of Layer 7 connections that the ACE rejected.

Total Layer4 LB Policy Misses

Total number of connection requests that did not match a configured Layer 4 load-balancing policy.

Total Layer7 LB Policy Misses

Total number of connection requests that did not match a configured Layer 7 load-balancing policy.

Total Times Rserver Was Unavailable

Total number of times that the ACE attempted to load balance a request to a real server in a server farm, but the real server was not in service or was otherwise unavailable.

Total ACL denied

Total number of connection requests that were denied by an ACL.


Displaying HTTP Parameter Map Statistics

You can display statistics for an HTTP parameter map by using the show parameter-map command in Exec mode. The syntax of this command is as follows:

show parameter-map name

The name argument is the identifier of an HTTP parameter map. Enter an unquoted text string with a maximum of 64 alphanumeric characters.

For example, to display statistics for the HTTP parameter map called HTTP_PARAMMAP, enter:

host1/Admin# show parameter-map HTTP_PARAMMAP

Table 3-8 describes the fields in the show parameter-map command output for an HTTP parameter map.

Table 3-8 Field Descriptions for the show parameter-map Command Output
 

Field
Description

Parameter-map

Unique identifier of the HTTP parameter map.

Type

HTTP.

Server-side connection reuse

Status of TCP server reuse feature: enabled or disabled. The default is disabled.

Case-
insensitive parsing

Status of the case-insensitive command: enabled or disabled. The default is disabled.

Persistence-
rebalance

Status of the persistence-rebalance command: enabled or disabled. The default is disabled.

Header-
maxparse-
length

Configured value or the default value of the header-maxparse-length command. The default is 2048.

Content-
maxparse-
length

Configured value or the default value of the content-maxparse-length command. The default is 4096.

Parse length-
exceed action

Configured action for the length-exceed command: continue or drop. The default is drop.

Urlcookie-
delimiters

Configured URL cookie delimiters.

Minimum size

Threshold at which compression occurs. The ACE compresses files that are the minimum size or larger. The default is 512.

Mimetype

MIME type that the ACE compresses. The default is text/.* (all text MIME types).

User-agent

User-agent or class of user agent where the HTTP request originated. The default is none.


Displaying Service-Policy Statistics

You can display statistics for service policies enabled globally within a context or on a specific interface by using the show service-policy command. The syntax of this command is as follows:

show service-policy policy_name [detail]

The keywords, arguments, and options are as follows:

policy_name—Statistics for the specified existing policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

detail—(Optional) Displays detailed statistics for the specified policy map applied to an interface.


Note The ACE updates the counters that the show service-policy command displays after the applicable connections are closed.


Table 3-9 describes the fields in the show service-policy detail command output.

Table 3-9 Field Descriptions for the show service-policy detail Command Output 

Field
Description

Status

Current operational state of the service policy. Possible states are ACTIVE or INACTIVE.

Description

User-entered description of the policy map.

Interface

VLAN ID of the interface to which the policy map has been applied.

Service Policy

Unique identifier of the Layer 4 policy map.

Class

Name of the class map associated with the service policy.

Loadbalance

L7 Policy

Name of the Layer 7 policy map associated with the service policy.

VIP ICMP Reply

Operational state of the loadbalance vip icmp-reply command: ENABLED or DISABLED. This command enables a VIP to reply to ICMP ECHO requests.

VIP State

Operational state of the virtual server: INSERVICE or OUTOFSERVICE.

Curr Conns

Number of active connections to the VIP.

Dropped Conns

Number of connections that the ACE discarded.

Client Pkt Count

Number of packets received from the client.

Server Pkt Count

Number of packets received from the server.

Hit Count

Number of times a connection was established with this VIP.

Client Byte Count

Number of bytes received from the client.

Server Byte Count

Number of bytes received from the server.

L4 Policy Stats

Total Req/
Resp

Total number of requests and responses for the policy map.

Total Allowed

Total number of packets received and allowed.

Total Dropped

Total number of packets received and discarded.

Total Logged

Total number of errors logged.

L7 loadbalance policy

Identifier of the Layer 7 policy map.

Class-map

Identifier of the class map associated.

LB action

Actions specified with the Layer 7 policy map.

Hit count

Number of times a connection was established with this policy.

Dropped conns

Number of connections associated with this policy that were dropped.


Displaying HTTP Statistics

You can display HTTP statistics, including header insertion and server reuse statistics, by using the show stats http command in Exec mode. The syntax of this command is as follows:

show stats http

For example, enter:

host1/Admin# show stats http

+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
 LB parse result msgs sent : 0          , TCP data msgs sent       : 0
 Inspect parse result msgs : 0          , SSL data msgs sent       : 0
                      sent
 TCP fin/rst msgs sent     : 0          , Bounced fin/rst msgs sent: 0
 SSL fin/rst msgs sent     : 0          , Unproxy msgs sent        : 0
 Drain msgs sent           : 0          , Particles read           : 0
 Reuse msgs sent           : 0          , HTTP requests            : 0
 Reproxied requests        : 0          , Headers removed          : 0
 Headers inserted          : 0          , HTTP redirects           : 0
 HTTP chunks               : 0          , Pipelined requests       : 0
 HTTP unproxy conns        : 0          , Pipeline flushes         : 0
 Whitespace appends        : 0          , Second pass parsing      : 0
 Response entries recycled : 0          , Analysis errors          : 0
 Header insert errors      : 0          , Max parselen errors      : 0
 Static parse errors       : 0          , Resource errors          : 0
 Invalid path errors       : 0          , Bad HTTP version errors  : 0

Clearing SLB Statistics

This section describes the commands that you can use to clear load-balancing statistics. It includes the following topics:

Clearing Load-Balancing Statistics

Clearing Service-Policy Statistics

Clearing HTTP Statistics

Clearing Load-Balancing Statistics

You can clear all load-balancing statistics in the current context by using the clear stats loadbalance command in Exec mode. The syntax of this command is as follows:

clear stats loadbalance

For example, enter:

host1/Admin# clear stats loadbalance

Note If you have redundancy configured, then you need to explicitly clear load-balancing statistics on both the active and the standby ACE appliances. Clearing statistics on the active appliance only will leave the standby appliance's statistics at the old values.


Clearing Service-Policy Statistics

You can clear service policy statistics by using the clear service-policy command. The syntax of this command is as follows:

clear service-policy policy_name

For the policy_name argument, enter the identifier of an existing policy map that is currently in service (applied to an interface).

For example, to clear the statistics for the policy map L4SLBPOLICY that is currently in service, enter:

host1/Admin# clear service-policy L4SLBPOLICY


Note If you have redundancy configured, then you need to explicitly clear service-policy statistics on both the active and the standby ACEs. Clearing statistics on the active appliance only will leave the standby appliance's statistics at the old values.


Clearing HTTP Statistics

You can clear all HTTP statistics in the current context by using the clear stats http command in Exec mode. The syntax of this command is as follows:

clear stats http

For example, enter:

host1/Admin# clear stats http


Note If you have redundancy configured, then you need to explicitly clear HTTP statistics on both the active and the standby ACEs. Clearing statistics on the active appliance only will leave the standby appliance's statistics at the old values.


Where to Go Next

To configure health probes for your real servers, proceed to Chapter 4, Configuring Health Monitoring. To configure stickiness (connection persistence), see Chapter 5, Configuring Stickiness. To configure firewall load balancing (FWLB), see Chapter 6, Configuring Firewall Load Balancing.