SSL Guide vA1(7), Cisco ACE 4700 Series Application Control Engine Appliance
Configuring SSL Termination
Downloads: This chapterpdf (PDF - 271.0KB) The complete bookPDF (PDF - 1.95MB) | Feedback

Configuring SSL Termination

Table Of Contents

Configuring SSL Termination

SSL Termination Overview

ACE SSL Termination Configuration Prerequisites

SSL Termination Configuration Quick Start

Creating and Defining an SSL Parameter Map

Adding a Cipher Suite

Defining the Close-Protocol Behavior

Defining the SSL and TLS Version

Creating and Defining an SSL Proxy Service

Associating an SSL Parameter Map with the SSL Proxy Server Service

Specifying the Key Pair

Specifying the Certificate

Specifying the Certificate Chain Group

Creating a Layer 3 and Layer 4 Class Map for SSL Termination

Creating a Layer 3 and Layer 4 Policy Map for SSL Termination

Creating a Layer 3 and Layer 4 Policy Map

Associating the Layer 3 and Layer 4 Class Map with the Policy Map

Associating an SSL Proxy Server Service with the Policy Map

Applying the Policy Map to the VLANs

Applying the Policy Map Globally

Applying the Policy Map to a Specific VLAN

Example of an SSL Termination Configuration


Configuring SSL Termination


This chapter describes the steps required to configure a context on the Cisco 4700 Series Application Control Engine (ACE) appliance as a virtual SSL server for SSL termination. It contains the following major sections:

SSL Termination Overview

ACE SSL Termination Configuration Prerequisites

SSL Termination Configuration Quick Start

Creating and Defining an SSL Parameter Map

Creating and Defining an SSL Proxy Service

Creating a Layer 3 and Layer 4 Class Map for SSL Termination

Creating a Layer 3 and Layer 4 Policy Map for SSL Termination

Applying the Policy Map to the VLANs

Example of an SSL Termination Configuration

SSL Termination Overview

SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.

Figure 3-1 shows the following network connections in which the ACE terminates the SSL connection with the client:

Client to ACE—SSL connection between a client and the ACE acting as an SSL proxy server

ACE to Server—TCP connection between the ACE and the HTTP server

Figure 3-1 SSL Termination with a Client

The ACE uses parameter maps, SSL proxy services, and class maps to build the policy maps that determine the flow of information between the client, the ACE, and the server. SSL termination is a Layer 3 and Layer 4 application because it is based on the destination IP addresses of the inbound traffic flow from the client. For this type of application, you create a Layer 3 and Layer 4 policy map that the ACE applies to the inbound traffic.

When configuring a policy map for SSL termination, you associate a parameter map and SSL proxy server service with the policy map to define the SSL session parameters and client/server authentication tools, such as the certificate and RSA key pair. You also associate a class map with the policy map to define the virtual SSL server IP addresses that the destination IP address of the inbound traffic must match. When a match occurs, the ACE negotiates with the client to establish an SSL connection. You can define a maximum of 250 virtual SSL servers for a single class map.

Figure 3-2 provides a basic overview of the process required to build and apply the Layer 3 and Layer 4 policy map that the ACE uses for SSL termination. The figure also shows how you associate the various components of the policy map configuration with each other.

Figure 3-2 Basic SSL Termination Configuration Flow Diagram

ACE SSL Termination Configuration Prerequisites

Before configuring your ACE for SSL operation, you must first configure it for server load balancing (SLB). During the real server and server farm configuration process, when you associate a real server with a server farm, ensure that you assign an appropriate port number for the real server. The default behavior by the ACE is to automatically assign the same destination port that was used by the inbound connection to the outbound server connection if you do not specify a port.

For example, if the incoming connection to the ACE is a secure client HTTPS connection, the connection is typically made on port 443. If you do not assign a port number to the real server, the ACE will automatically use port 443 to connect to the server, which results in the ACE making a clear-text HTTP connection over port 443. In this case, you would typically define an outbound destination port of 80, 81, or 8080 for the backend server connection.

During the SLB traffic policy configuration process, create the following configuration objects:

Layer 7 class map

Layer 3 and Layer 4 class map

Layer 7 policy map

Layer 3 and Layer 4 policy map

After configuring SLB, modify the existing SLB class maps and policy maps with the SSL configuration requirements described in this guide for SSL termination.

To configure your ACE for SLB, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.

SSL Termination Configuration Quick Start

Table 3-1 provides a quick overview of the steps required to configure the ACE for SSL termination. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 3-1.


Note The following quick start does not include a procedure for creating a parameter map as shown in Figure 3-2. The ACE uses the default parameter map settings as described in Table 3-2.


Table 3-1 SSL Termination Configuration Quick Start 

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, log directly in to, or change to, the correct context.

host1/Admin# changeto C1
host1/C1#

The rest of the examples in this table use the Admin context. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

2. Enter configuration mode.

host1/Admin# config
host1/Admin(config)#

3. Create an SSL proxy server service to define the handshake parameters that the ACE, acting as an SSL server, applies to a policy map.

host1/Admin(config)# ssl-proxy service SSL_PSERVICE_SERVER
host1/Admin(config-ssl-proxy)#

4. Configure the SSL proxy server service by defining the certificate and corresponding RSA key pair.

host1/Admin(config-ssl-proxy)# key MYRSAKEY_SERVER
host1/Admin(config-ssl-proxy)# cert MYCERT_SERVER
host1/Admin(config-ssl-proxy)# exit
host1/Admin(config)#

5. Create a Layer 3 and Layer 4 class map and configure it with the input traffic match criteria as required.

host1/Admin(config)# class-map L4VIPCLASS
host1/Admin(config-cmap)# match virtual-address 192.168.10.24 tcp 
any
host1/Admin(config-cmap)# exit
host1/Admin(config)#

6. Create a policy map and associate the class map created in Step 5 with it.

host1/Admin(config)# policy-map multi-match L4POLICY
host1/Admin(config-pmap)# class L4VIPCLASS
host1/Admin(config-pmap-c)#

7. Associate the SSL proxy server service created in Step 3 with the policy map.

host1/Admin(config-pmap-c)# ssl-proxy server SSL_PSERVICE_SERVER
host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
host1/Admin(config)#

8. Apply the policy map to the input traffic of the desired interface as follows:

Apply the policy map globally to all context VLANs.

host1/Admin(config)# service-policy input L4POLICY

Apply the policy map to a specific VLAN.

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# service-policy input L4POLICY

9. Display the running configuration to verify the information that you just added is configured properly.

host1/Admin(config-if)# do show running-config

10. (Optional) Save the configuration changes to flash memory by copying the running configuration to the startup configuration.

host1/Admin(config-if)# do copy running-config startup-config


Creating and Defining an SSL Parameter Map

An SSL parameter map defines the SSL session parameters that the ACE applies to an SSL proxy service. Creating an SSL parameter map allows you to apply the same SSL session parameters to different proxy services. Table 3-2 describes each SSL session parameter with its default value.

Table 3-2 Default SSL Parameter Map Settings

SSL Session Parameter
Description
Default Value

Cipher suites

Defines the cipher suites that the ACE supports during the SSL handshake (see Table 3-3 for a list of available cipher suites that the ACE supports)

The ACE supports all of the available cipher suites

Close-protocol

Defines how the ACE executes close-notify messages

strict—The ACE sends a close-notify alert message to its peer when closing a session and expects to receive one back

Version

Defines the SSL and TLS versions that the ACE supports during the SSL handshake

all—The ACE supports versions SSL3 and TLS1



Note If you want an SSL proxy service to use the default SSL parameter map values, you do not need to create an SSL parameter map or associate one with the proxy service. When you do not associate a parameter map with the SSL proxy service, the ACE automatically applies the default SSL parameter map values listed in Table 3-3 to the proxy service.


You can create an SSL parameter map by using the parameter-map type ssl command in configuration mode.

The syntax of this command is as follows:

parameter-map type ssl parammap_name

The parammap_name argument is the name of the SSL parameter map. Enter an unquoted alphanumeric string with a maximum of 64 characters.

For example, to create the SSL parameter map PARAMMAP_SSL, enter:

host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL

After you create an SSL proxy parameter map, the CLI enters SSL parameter map configuration mode.

host1/Admin(config-parammap-ssl)#

If you exit out of SSL parameter map configuration mode without defining any of the SSL parameter map attributes, the ACE configures the parameter map with the default values listed in Table 3-2.

To delete an existing SSL parameter map, enter:

host1/Admin(config)# no parameter-map type ssl PARAMMAP_SSL

This section contains the following procedures for defining the SSL parameter map attributes:

Adding a Cipher Suite

Defining the Close-Protocol Behavior

Defining the SSL and TLS Version

Adding a Cipher Suite

The SSL protocol supports a variety of different cryptographic algorithms, or ciphers, for use in operations such as the following:

Authenticating the server and client to each other

Transmitting certificates

Establishing session keys

Clients and servers may support different cipher suites, or sets of ciphers, depending on various factors, such as the version of SSL that they support, company policies regarding acceptable encryption strength, and government restrictions on export of SSL-enabled software. Among its other functions, the SSL handshake protocol determines how the server and client negotiate which cipher suite they will use to authenticate each other, transmit certificates, and establish session keys.

As shown in Figure 3-3, a cipher suite consists of the following three algorithms: key exchange algorithm, data encryption algorithm, and message authentication (hash) algorithm.

Figure 3-3 Cipher Suite Algorithms


Note Exportable cipher suites are those cipher suites that are not as strong as some of the other cipher suites (for example, 3DES or RC4 with 128-bit encryption) as defined by U.S. export restrictions on software products. Exportable cipher suites may be exported to most countries from the United States and provide the strongest encryption available for exportable products.


To define each of the cipher suites that you want the ACE to support during a secure session, use the cipher command in ssl parameter-map configuration mode. The cipher suite that you choose depends on your environment and security requirements and must correlate to the certificates and keys that you have loaded on the ACE.


Note By default, the ACE supports all of the cipher suites listed in Table 3-3. The default setting works only when you do not configure the SSL parameter map with any specific ciphers. To return to using the all cipher suites setting, you must delete each specifically defined cipher from the parameter map by using the no form of the command.


The syntax of this command is as follows:

cipher cipher_name [priority cipher_priority]

The keywords and arguments are as follows:

cipher_name—Name of the cipher suite that you want the ACE to support. Table 3-3 lists the cipher suites that the ACE supports. Enter one of the supported cipher suites from the table.

priority—(Optional) Assigns a priority level to the cipher suite. The priority level represents the preference ranking of the cipher suite, with 10 being the most preferred and 1 being the least preferred. By default, all configured cipher suites have a priority level of 1. When negotiating which cipher suite to use, the ACE selects from the client list based on the cipher suite configured with the highest priority level. A higher priority level will bias towards the specified cipher suite. For SSL termination applications, the ACE uses the priority level to match cipher suites in the client's ClientHello handshake message. For SSL initiation applications, the priority level represents the order in which the ACE places the cipher suites in its ClientHello handshake message to the server.

cipher_priority—Priority level of the cipher suite. Enter an integer from 1 to 10. The default is 1.

For example, to add the cipher suite rsa_with _aes_128_cbc_sha with a priority 2 level, enter:

host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# cipher rsa_with_aes_128_cbc_sha 
priority 2

Repeat the cipher command for each cipher suite that you want to include in the SSL parameter map.

To delete a cipher suite from the SSL parameter map, enter:

host1/Admin(config-parammap-ssl)# no cipher rsa_with_aes_128_cbc_sha

Table 3-3 lists the available cipher suites that the ACE supports and indicates which of the supported cipher suites are exportable from the ACE. The table also lists the authentication certificate and encryption key required by each cipher suite.

If you use the default setting in which the ACE implicitly supports all of the cipher suites listed in Table 3-3 or you explicitly define each cipher suite with equal priority and the client connection uses multiple ciphers, the ACE sends the cipher suites to its peer in the same order as they appear in the table, starting with RSA_WITH_RC4_128_MD5.


Caution Cipher suites with "export" in the title indicate that they are intended for use outside of the domestic United States and have encryption algorithms with limited key sizes.

Table 3-3 SSL Cipher Suites Supported by the ACE 

Cipher Suite
Exportable
Authentication Certificate Used
Key Exchange Algorithm Used

RSA_WITH_RC4_128_MD5

No

RSA certificate

RSA key exchange

RSA_WITH_RC4_128_SHA

No

RSA certificate

RSA key exchange

RSA_WITH_DES_CBC_SHA

No

RSA certificate

RSA key exchange

RSA_WITH_3DES_EDE_CBC_SHA

No

RSA certificate

RSA key exchange

RSA_WITH_AES_128_CBC_SHA

No

RSA certificate

RSA key exchange

RSA_WITH_AES_256_CBC_SHA

No

RSA certificate

RSA key exchange

RSA_EXPORT_WITH_RC4_40_MD5

Yes

RSA certificate

RSA key exchange

RSA_EXPORT1024_WITH_RC4_56_MD5

Yes

RSA certificate

RSA key exchange

RSA_EXPORT_WITH_DES40_CBC_SHA

Yes

RSA certificate

RSA key exchange

RSA_EXPORT1024_WITH_DES_CBC_SHA

Yes

RSA certificate

RSA key exchange

RSA_EXPORT1024_WITH_RC4_56_SHA

Yes

RSA certificate

RSA key exchange


Defining the Close-Protocol Behavior

You can configure how the ACE handles the sending of close-notify messages by using the close-protocol command in the ssl parameter-map configuration mode.

The syntax for this command is as follows:

close-protocol {disabled | none | strict}

The keywords are as follows:

disabled—The ACE does not send a close-notify alert message to its peer when closing a session. In this case, the ssl-proxy will only send a TCP fin to terminate the SSL connection.

none—The ACE sends a close-notify alert message to its peer when closing a session, but has no expectation of receiving one back from the peer.

strict—The ACE sends a close-notify alert message to its peer when closing a session and expects to receive one back from the client/server. This is the default setting.

For example, to set close-protocol to none, enter:

host1/Admin(config)# parameter-map type SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# close-protocol none

To configure the close-protocol command with the default setting of strict, use the no form of the command:

host1/Admin(config-parammap-ssl)# no close-protocol none

Defining the SSL and TLS Version

You can specify the version of the security protocol that the ACE supports during the SSL handshake with its peer by using the version command in SSL parameter map configuration mode.

The syntax of this command is as follows:

version {all | ssl3 | tls1}

The keywords are as follows:

all—(Default) The ACE supports both SSL Version 3.0 and TLS Version 1.0.

ssl3—The ACE supports only SSL Version 3.0.

tls1—The ACE supports only TLS Version 1.0.

For example, to specify SSL Version 3.0 for the parameter map, enter:

host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# version ssl3

To remove a security protocol version from the SSL proxy parameter map, enter:

host1/Admin(config-parammap-ssl)# no version tlsl

Creating and Defining an SSL Proxy Service

The SSL proxy service defines the SSL parameter map, key pair, certificate, and chain group that the ACE uses during the SSL handshake. For SSL termination, you configure the ACE with an SSL proxy server service because the ACE acts as an SSL server.

You can create an SSL proxy server service by using the ssl-proxy service command in configuration mode.

The syntax of this command is as follows:

ssl-proxy service pservice_name

The pservice_name argument is the name of the SSL proxy server service. Enter an unquoted alphanumeric string with a maximum of 64 characters.

For example, to create the SSL proxy server service PSERVICE_SERVER, enter:

host1/Admin(config)# ssl-proxy service PSERVICE_SERVER

After you create an SSL proxy server service, the CLI enters SSL proxy configuration mode.

host1/Admin(config-ssl-proxy)#

To delete an existing SSL proxy server service, enter:

host1/Admin(config)# no ssl-proxy PSERVICE_SERVER

This section contains the following procedures for configuring the SSL proxy server service:

Associating an SSL Parameter Map with the SSL Proxy Server Service

Specifying the Key Pair

Specifying the Certificate

Specifying the Certificate Chain Group

Associating an SSL Parameter Map with the SSL Proxy Server Service

You can associate an SSL parameter map with the SSL proxy server service by using the ssl advanced-options command in SSL proxy configuration mode.

The syntax of this command is as follows:

ssl advanced-options parammap_name

The parammap_name argument is the name of an existing SSL parameter map (see the "Creating and Defining an SSL Parameter Map" section). Enter an unquoted alphanumeric string with a maximum of 64 characters.

For example, to associate the parameter map PARAMMAP_SSL with the SSL proxy service, enter:

host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# ssl advanced-options PARAMMAP_SSL

To remove the association of an SSL parameter map with the SSL proxy service, enter:

host1/Admin(config-ssl-proxy)# no ssl advanced-options PARAMMAP_SSL

Specifying the Key Pair

You can specify the key pair that the ACE uses during the SSL handshake for data encryption by using the key command in SSL proxy configuration mode.


Note The public key in the key pair file that you select must match the public key embedded in the certificate that you select (see the "Specifying the Certificate" section). For information on verifying a public key match, see the "Verifying a Certificate Against a Key Pair" section in Chapter 2, "Managing Certificates and Keys."


The syntax of this command is as follows:

key key_filename

The key_filename argument is the name of an existing key pair file loaded on the ACE. Enter an unquoted alphanumeric string with a maximum of 40 characters.

For example, to specify the private key in the key pair file MYKEY.PEM, enter:

host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# key MYKEY.PEM

To delete a private key from the SSL proxy service, enter:

host1/Admin(config-ssl-proxy)# no key MYKEY.PEM

Specifying the Certificate

You can specify the certificate that the ACE uses during the SSL handshake process to prove its identity by using the cert command in SSL proxy configuration mode.


Note The public key embedded in the certificate that you select must match the public key in the key pair file that you select (see the "Specifying the Key Pair" section). For information on verifying a public key match, see the "Verifying a Certificate Against a Key Pair" section in Chapter 2, "Managing Certificates and Keys."


The syntax of this command is as follows:

cert cert_filename

The cert_filename argument is the name of an existing certificate file loaded on the ACE. Enter an unquoted alphanumeric string with a maximum of 40 characters.

For example, to specify the certificate in the certificate file MYCERT.PEM, enter:

host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# cert MYCERT.PEM

To delete a certificate file from the SSL proxy service, enter:

host1/Admin(config-ssl-proxy)# no cert MYCERT.PEM

Specifying the Certificate Chain Group

You can specify the certificate chain that the ACE sends to its peer during the SSL handshake by using the chaingroup command in SSL proxy configuration mode. The ACE includes the certificate chain with the certificate that you specified for the SSL proxy service (see the "Specifying the Certificate" section).

The syntax of this command is as follows:

chaingroup group_name

The group_name argument is the name of an existing certificate chain group (see the "Creating a Chain Group" section in Chapter 2, "Managing Certificates and Keys"). Enter an unquoted alphanumeric string with a maximum of 64 characters.


Note When a change occurs in a chain-group certificate, the change takes effect when you remove the associated chain group through the no chaingroup command and then readd it through the chaingroup command.


For example, to specify the certificate chain group MYCHAINGROUP, enter:

host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# chaingroup MYCHAINGROUP

To delete a certificate chain group from the SSL proxy service, enter:

host1/Admin(config-ssl-proxy)# no chaingroup MYCHAINGROUP

Creating a Layer 3 and Layer 4 Class Map for SSL Termination

The class map that you associate with a policy map acts as a filter for traffic that matches the criteria that you specify. For SSL termination, you can define the match criteria based on one or more of the following traffic characteristics:

Access list

Virtual IP address

Source IP address and subnet mask

Destination IP address and subnet mask

TCP/UDP port number or port range

You can create a Layer 3 and Layer 4 class map by using the class-map command in configuration mode. For details on creating and configuring a Layer 3 and Layer 4 class map, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.

Creating a Layer 3 and Layer 4 Policy Map for SSL Termination

For SSL termination, you configure the ACE so that it is recognized as an SSL server by a client. To accomplish this, you configure a Layer 3 and Layer 4 policy map that the ACE applies to the inbound traffic. The policy map uses the Layer 3 and Layer 4 class map that you associate with it to determine whether the inbound traffic matches the criteria that you specify. When a match is found, the ACE engages the client in the SSL handshake and establishes an SSL session using the parameters that you specify in the associated SSL proxy server service.

This section contains the following procedures for creating and configuring a Layer 3 and Layer 4 policy map for SSL termination:

Creating a Layer 3 and Layer 4 Policy Map

Associating the Layer 3 and Layer 4 Class Map with the Policy Map

Associating an SSL Proxy Server Service with the Policy Map

Creating a Layer 3 and Layer 4 Policy Map

You can create an SSL termination policy map by using the policy-map command in configuration mode.

The syntax of this command is as follows:

policy-map multi-match policy_name

The policy_name argument is the name that you assign to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to create the policy map L4POLICY, enter:

host1/Admin(config)# policy-map multi-match L4POLICY

After you create a policy map, the CLI enters into policy map configuration mode.

host1/Admin(config-pmap)#

To delete an existing policy map, enter:

host1/Admin(config)# no policy-map L4POLICY

For information on associating an SSL class map with the policy map, see the "Associating the Layer 3 and Layer 4 Class Map with the Policy Map" section.

Associating the Layer 3 and Layer 4 Class Map with the Policy Map

You can associate the Layer 3 and Layer 4 class map with the policy map by using the class command in policy map configuration mode.

The syntax of this command is as follows:

class class-map

The class-map argument is the name of an existing class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to associate the class map L4VIPCLASS with the policy map, enter:

host1/Admin(config)# policy-map multi-match L4POLICY
host1/Admin(config-pmap)# class L4VIPCLASS

After you associate a class map with the policy map, the CLI enters into policy-map class-map configuration mode.

host1/Admin(config-pmap-c)# 

To remove the association of a class map to the policy map, enter:

host1/Admin(config-pmap)# no class L4VIPCLASS

For information on associating an SSL proxy service with the class map, see the "Associating an SSL Proxy Server Service with the Policy Map" section.

Associating an SSL Proxy Server Service with the Policy Map

You can associate an SSL proxy server service with the policy map by using the ssl-proxy server command in policy map class configuration mode.

The syntax of this command is as follows:

ssl-proxy server pservice

The pservice argument is the name of an existing SSL proxy server service. Enter an unquoted alphanumeric string with a maximum of 64 characters.

For example, to associate the SSL proxy server service PSERVICE_SERVER with the policy map, enter:

host1/Admin(config)# policy-map multi-match L4POLICY
host1/Admin(config-pmap)# class L4VIPCLASS
host1/Admin(config-pmap-c)# ssl-proxy server PSERVICE_SERVER

To remove the class map association, enter:

host1/Admin(config-pmap-c)# no ssl-proxy server PSERVICE_SERVER

Applying the Policy Map to the VLANs

This section describes how to apply the Layer 3 and Layer 4 policy map to the VLAN traffic. The ACE allows you to apply the policy globally to all VLANs within the current context or to a specific VLAN in the context.

This section contains the following topics:

Applying the Policy Map Globally

Applying the Policy Map to a Specific VLAN

Applying the Policy Map Globally

You can globally apply the policy map to all VLANs in the context by using the service-policy command in configuration mode.

The syntax of this command is as follows:

service-policy input policy_name

The policy_name argument is the name of an existing policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to globally apply the policy map L4POLICY to all VLANs in the context, enter:

host1/Admin(config)# service-policy input L4POLICY

To globally remove the policy from all VLANs, enter:

host1/Admin(config)# no service-policy input L4POLICY

Applying the Policy Map to a Specific VLAN

To apply a policy map to a specific VLAN interface, you must enter interface configuration mode by using the interface command in configuration mode.

The syntax of this command is as follows:

interface vlan vlan

The vlan argument is the context VLAN number. Enter an integer from 2 to 4094.

For example, to enter interface configuration mode for VLAN 10, enter:

host1/Admin(config)# interface vlan 10
host1/Admin(config-if)#

You can apply the policy map to the interface by using the service-policy command in interface configuration mode.

The syntax of this command is as follows:

service-policy input policy-name

The policy-name argument is the name of an existing policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to apply the policy map L4POLICY to VLAN 10, enter:

host1/Admin(config)# interface vlan 10
host1/Admin(config-if)# service-policy input L4POLICY

To remove the policy from the interface, enter:

host1/Admin(config-if)# no service-policy input L4POLICY

Example of an SSL Termination Configuration

The following example illustrates a running configuration of the ACE acting as a SSL proxy server; terminating SSL or TLS connections from a client and then establishing a TCP connection to an HTTP server. When the ACE terminates the SSL or TLS connection, it decrypts the cipher-text from the client and transmitted the data as clear text to the HTTP server. The SSL termination configuration appears in bold in the example.

access-list ACL1 line 10 extended permit ip any any

probe http GEN-HTTP
  port 80
  interval 50
  faildetect 5
  expect status 200 200

serverfarm host SFARM1
  description SERVER FARM 1 FOR SSL TERMINATION
  probe GEN_HTTP
  rserver SERVER1 80 
    inservice
  rserver SERVER2 80 
    inservice
  rserver SERVER3 80 
    inservice
  rserver SERVER4 80 
    inservice

serverfarm host SFARM2
  description SERVER FARM 2 FOR SSL TERMINATION
  probe GEN_HTTP
  rserver SERVER5 80 
    inservice
  rserver SERVER6 80 
    inservice
  rserver SERVER7 80 
    inservice
  rserver SERVER8 80 
    inservice

parameter-map type ssl PARAMMAP_SSL_TERMINATION
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  version all
parameter-map type connection TCP_PARAM
  syn-data drop
  exceed-mss allow

ssl-proxy service SSL_PSERVICE_SERVER
  ssl advanced-options PARAMMAP_SSL_TERMINATION
  key MYKEY.PEM
  cert MYCERT.PEM
 
class-map type http loadbalance match-all L7_SERVER_CLASS
  description Sticky for SSL Testing
  2 match http url .*.jpg
  3 match source-address 192.168.130.0 255.255.255.0
class-map type http loadbalance match-all L7_SLB-HTTP_CLASS
  2 match http url .*
  3 match source-address 192.168.130.0 255.255.255.0
class-map match-all L4_SSL-TERM_CLASS
  description SSL Termination VIP
  2 match virtual-address 192.168.130.11 tcp eq https

policy-map type loadbalance first-match L7_SSL-TERM_POLICY
  class L7_SERVER_CLASS
    serverfarm SFARM1 
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "is"
  class L7_SLB-HTTP_CLASS
    serverfarm SFARM1
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "is"
policy-map multi-match L4_SSL-VIP_POLICY
  class L4_SSL-TERM_CLASS
    loadbalance vip inservice
    loadbalance policy L7_SSL-TERM_POLICY
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PSERVICE_SERVER
    connection advanced-options TCP_PARAM

interface vlan 120
  description Upstream VLAN_120 - Clients and VIPs
  ip address 192.168.120.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
  access-group input ACL1
  nat-pool 1 192.168.120.70 192.168.120.80 netmask 255.255.255.0 pat
  service-policy input L4_SSL-VIP_POLICY
  no shutdown
ip route 10.1.0.0 255.255.255.0 192.168.120.254