Virtualization Guide vA1(7), Cisco ACE 4700 Series Application Control Engine Appliance
Configuring Virtualization
This chapter describes how to create and configure virtualization for your ACE. As the global administrator (SuperUser), you configure and manage all contexts through the Admin context, which contains the basic settings for each virtual device or context. Each context that you configure contains its own set of policies, interfaces, resources, and administrators.

This chapter contains the following major sections:

Virtualization Configuration Quick Start

Creating a Resource Class for Resource Management

Allocating Resources

Configuring a Context

Moving Between Contexts

Creating and Configuring User Roles

Creating and Configuring Domains

Configuring a User

Example of a Virtualization Configuration


Note By default, the ACE provides an Admin context and allows you to configure five user contexts. To create from 6 to a maximum of 20 user contexts, you must purchase a license from Cisco Systems. For details about licensing, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.


Virtualization Configuration Quick Start

Table 2-1 provides a quick overview of the steps required to create and configure the virtualization feature. Each step includes the command-line interface (CLI) command required to complete the task.

Table 2-1 Virtualization Configuration Quick Start

Task and Command Example

1. Log in to the ACE as the global administrator using the console. By default, the console comes up with a single context called Admin.

2. Enter configuration mode.

host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
host1/Admin(config)# 

3. Configure a resource class to limit resources used by user contexts. For example, to limit the resources of a context to 10 percent of the total resources available, enter the following commands:

host1/Admin(config)# resource-class RC1
host1/Admin(config-resource)# limit-resource all minimum 10 maximum equal-to-min
host1/Admin(config-resource)# exit

4. Create a new context.

host1/Admin(config)# context C1
host1/Admin(config-context)# 

5. Associate an existing VLAN with the context so that the context can receive traffic classified for it.

host1/Admin(config-context)# allocate-interface vlan 100

6. Associate the context with the resource class that you created in Step 3.

host1/Admin(config-context)# member RC1

7. Change to the C1 context that you created in Step 4 and enter configuration mode in that context.

host1/Admin(config-context)# do changeto C1
host1/C1(config-context)# exit
host1/C1(config)#

8. (Optional) Create a domain for the context.

host1/C1(config)# domain D1
host1/C1(config-domain)# 

9. Allocate objects (for example, real servers, server farms, probes, ACLs, and so on) to the domain as needed.

host1/C1(config-domain)# add-object rserver SERVER1

10. (Optional) Create roles to define the object and resource permissions for different groups of users.

host1/C1(config)# role UR1

11. Create rules to define the role permissions.

host1/C1(config-role)# rule 1 permit create feature real
host1/C1(config-role)# rule 2 deny create feature acl

12. Configure users as required and associate roles and domains with the users.

host1/C1(config)# username user1 password 5 MYPASSWORD role UR1 domain D1

13. Verify the virtualization configuration by entering one of the following commands:

host1/C1# show running-config context
host1/C1# show running-config domain
host1/C1# show running-config resource-class
host1/C1# show running-config role

Creating a Resource Class for Resource Management

You can create a resource class to allocate and manage system resources by one or more contexts. The ACE supports a maximum of 100 resource classes. After you create and configure the resource class, use the member command in context configuration mode to assign a resource class to the context (see the "Associating a Context with a Resource Class" section). To create a resource class, use the resource-class command in configuration mode. The syntax of the command is as follows:

resource-class name

For the name argument, enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, enter:

host1/Admin(config)# resource-class RC1
host1/Admin(config-resource)#

To remove the resource class from the configuration, enter:

host1/Admin(config)# no resource-class RC1

When you remove a resource class from the ACE, any contexts that were members of that resource class automatically become members of the default resource class. The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00 percent of all ACE resources to each context. You cannot modify the default resource class.

Allocating Resources

When you plan the initial resource allocations for the virtual contexts in your configuration, allocate only the minimum required or estimated resources. The ACE protects resources that are in use, so to decrease a context's resources, those resources must be unused. Although it is possible to decrease the resource allocations in real time, it may require additional management overhead to clear any used resources before reducing them. Therefore, it is considered a best practice to initially keep as many resources in reserve as possible and allocate the unused reserved resources as needed.

To address scaling and capacity planning, we recommend that new ACE installations do not exceed 60 to 80 percent of the appliance's total capacity. To accomplish this goal, create a reserved resource class with a guarantee of 20 to 40 percent of all the ACE resources. Configure a virtual context dedicated solely to ensuring that these resources are reserved. Then, you can efficiently distribute such reserved resources to contexts as capacity demands for handling client traffic increase over time.

You can allocate all resources or individual resources to all member contexts of a resource class. For example, you can allocate only concurrent connections or sticky table memory. To allocate system resources to all members (contexts) of a resource class, use the limit-resource command in resource-class configuration mode. The syntax of this command is as follows:

limit-resource {acc-connections | acl-memory | all | buffer {syslog} | conc-connections | http-comp | mgmt-connections | proxy-connections | rate {bandwidth | connections | inspect-conn | mac-miss | mgmt-traffic | ssl-connections | syslog} | regexp | sticky | xlates} {minimum number} {maximum {equal-to-min | unlimited}}

The arguments and keywords are as follows:

acc-connections—Limits the number of application acceleration connections.

acl-memory—Limits memory space allocated for ACLs.

all—Limits all resources to the specified value for all contexts assigned to this resource class.

buffer—Limits the number of syslog buffers.

conc-connections—Limits the number of simultaneous connections.

http-comp—Limits the HTTP compression rate.

mgmt-connections—Limits the number of management (to-the-ACE) connections.

proxy-connections—Limits the number of proxy connections.

rate—Limits the resource as a number per second for the following:

bandwidth—Limits context throughput in bytes per second.

connections—Limits the number of connections of any kind per second.

inspect-conn—Limits the number of application protocol inspection connections per second for File Transfer Protocol (FTP) and Real-Time Streaming Protocol (RTSP) only.

mac-miss—Limits the ACE traffic sent to the control plane when the encapsulation is not correct in bytes per second.

mgmt-traffic—Limits management (to-the-ACE) traffic in bytes per second.

ssl-connections—Limits the number of SSL connections per second.

syslog—Limits the number of syslog messages per second.


Note The syslog message statistics do not include the syslogs generated from the dataplane when you enable the logging of connection setup and teardown syslog messages through the logging fastpath command.


regexp—Limits the amount of regular expression memory.

sticky—Limits the number of entries in the sticky table. You must configure a minimum value for sticky to allocate resources for sticky entries, because the sticky software receives no resources under the unlimited setting.

xlates—Limits the number of network and port address translations entries.

minimum number—Specifies the lowest acceptable value. Enter a value from 0.00 to 100.00 percent (two decimal places of granularity). The number argument specifies a percentage value for all contexts that are members of the class. When used with the rate keyword, the number argument specifies a value per second.

maximum {equal-to-min | unlimited}—Specifies the maximum resource value: either the same as the minimum value or no limit.


Note The limit that you set for individual resources when you use the limit-resource command overrides the limit that you set for all resources when you use the limit-resource all command.


If you lower the limits for one context (context A) in order to increase the limits of another context (context B), you may experience a delay in the configuration change because the ACE will not lower the limits of context A until the resources are no longer being used by the context.

For example, to allocate 20 percent of all resources (minimum and maximum) to all member contexts of the resource class, enter:

(config-resource)# limit-resource all minimum 20 maximum equal-to-min

To restore resource allocation to the default values of 0 percent minimum and 100 percent maximum for all resources to all member contexts, enter:

(config-resource)# no limit-resource all

Table 2-2 lists the managed system resources of the ACE. You can limit these resources per context or for all contexts associated with the resource class by using the limit-resource command. See the "Allocating Resources" section.

Table 2-2 System Resource Maximum Values

Resource: Maximum Value

Application Acceleration Connections: 10000 connections
ACL Memory: 34123184 bytes
Buffer Memory (Syslog): 1048576 bytes
Concurrent Connections: 1,000,000 connections (Layer 4), 100,000 connections (SSL)
HTTP Compression: 100 megabits per second (Mbps). You can upgrade the ACE maximum HTTP compression rate to 1 Gbps by purchasing a separate license from Cisco Systems. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
Management Connections: 5000 connections
Proxy Connections (Layer 7): 256,000 connections
Rate:
  Bandwidth: 1 gigabit per second (Gbps). You can upgrade the ACE maximum bandwidth to 2 Gbps by purchasing a separate license from Cisco Systems. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
  Connections (any kind): 120,000 connections per second (Layer 4), 40,000 connections per second (Layer 7)
  MAC miss: 2000 packets per second
  Management traffic: 125,000,000 bits per second
  SSL connections: 1000 transactions per second (TPS). You can upgrade the SSL bandwidth to a maximum of 7500 TPS with a separate license. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
  Syslog: For traffic going to the ACE (control plane), 3000 messages per second; for traffic going through the ACE (data plane), 120,000 messages per second
Regular Expression Memory: 1,048,576 bytes
Sticky Entries: 800,000 table entries
Xlates (network and port address translation entries): 64,000 Xlates (network entries), 1,000,000 Xlates (port address translation entries)
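The following Python script, added here as an example and not part of the Cisco guide, turns the percentage allocations and the Table 2-2 maxima into a planning check: it adds up the minimums guaranteed to every member context, flags contexts left in the default resource class, checks that a reserve class holds the 20 to 40 percent recommended above, and warns when sticky has no minimum. The dataclasses, function names and the constructed plan are the example's own assumptions.

```python
"""Resource-class planning check for ACE contexts.

Added example, not Cisco code. It models limit-resource minimums as percentages
of the whole appliance, as the guide describes, and checks a plan against the
points made above: minimums summed over all member contexts must not exceed
100 percent, a reserve class of 20 to 40 percent should be held back, and
sticky needs an explicit minimum or sticky entries receive no resources.
"""
from dataclasses import dataclass, field

# Maximum values from Table 2-2, used to turn a percentage into a count.
TABLE_2_2_MAX = {
    "acc-connections": 10_000,
    "acl-memory": 34_123_184,
    "conc-connections": 1_000_000,   # Layer 4 figure
    "mgmt-connections": 5_000,
    "proxy-connections": 256_000,
    "regexp": 1_048_576,
    "sticky": 800_000,
    "xlates": 1_000_000,             # port address translation entries
}


@dataclass
class Limit:
    resource: str   # "all" or one resource keyword of the limit-resource command
    minimum: float  # percent, 0.00 to 100.00
    maximum: str    # "equal-to-min" or "unlimited"


@dataclass
class ResourceClass:
    name: str
    limits: list = field(default_factory=list)
    members: list = field(default_factory=list)  # contexts that entered "member <name>"

    def guaranteed(self, resource):
        """Effective minimum percent for one resource: a limit on an individual
        resource overrides the value set with "limit-resource all"."""
        pct = 0.0
        for lim in self.limits:
            if lim.resource == "all":
                pct = lim.minimum
        for lim in self.limits:
            if lim.resource == resource:
                pct = lim.minimum
        return pct


def absolute(resource, percent):
    """A percentage of a resource expressed as a count, using Table 2-2."""
    return int(TABLE_2_2_MAX[resource] * percent / 100)


def total_guarantee(classes, resource):
    """Percent guaranteed across all member contexts; every member gets the minimum."""
    return sum(rc.guaranteed(resource) * len(rc.members) for rc in classes)


def check_plan(classes, contexts, resource="all", reserve=None):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    total = total_guarantee(classes, resource)
    if total > 100.0:
        findings.append(f"{resource}: guaranteed minimums total {total:.2f}%, over 100%")
    assigned = {ctx for rc in classes for ctx in rc.members}
    for ctx in contexts:
        if ctx not in assigned:
            findings.append(f"{ctx}: in the default resource class (0% min, 100% max)")
    if reserve is not None:
        held = reserve.guaranteed(resource) * len(reserve.members)
        if not 20.0 <= held <= 40.0:
            findings.append(f"{reserve.name}: reserve is {held:.2f}%, guide suggests 20 to 40%")
    for rc in classes:
        if rc.members and rc.guaranteed("sticky") == 0.0:
            findings.append(f"{rc.name}: sticky minimum is 0, sticky entries get no resources")
    return findings


if __name__ == "__main__":
    # Constructed plan: two tenant contexts at 10 percent each plus a 30 percent reserve.
    rc1 = ResourceClass("RC1", [Limit("all", 10.0, "equal-to-min"),
                                Limit("sticky", 5.0, "equal-to-min")], ["C1", "C2"])
    rsv = ResourceClass("RESERVE", [Limit("all", 30.0, "equal-to-min")], ["HOLD"])
    for finding in check_plan([rc1, rsv], ["C1", "C2", "C3", "HOLD"], reserve=rsv):
        print(finding)
    print("10 percent of sticky entries =", absolute("sticky", 10.0))
```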


Configuring a Context

A context provides a user view into the ACE and determines the resources available to a user. To create a context, use the context command in configuration mode. The syntax of this command is as follows:

context name

The name argument is a unique identifier of the context. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to create a context called C1, enter:

host1/Admin(config)# context C1
host1/Admin(config-context)# 

To remove the context from the configuration, enter:

host1/Admin(config)# no context C1

Configuring a Context Description

You can enter a description for the context by using the description command in context configuration mode. The syntax of this command is as follows:

description text

For the text argument, enter a description as an unquoted text string with a maximum of 240 alphanumeric characters.

For example, enter:

host1/Admin(config-context)# description context for accounting users

To remove the context description from the configuration, enter:

host1/Admin(config-context)# no description

Configuring a VLAN for a Context

The ACE uses class maps and policy maps to classify (filter) traffic and direct it to different interfaces (VLANs) using a service policy. A context uses VLANs to receive packets classified for that VLAN. To allocate one or more existing VLANs on which a user context can receive packets, use the allocate-interface command in context configuration mode in the Admin context. You can enter this command multiple times to specify multiple VLANs for a user context.


Note You cannot configure an interface directly in a user context. You must configure the interface in the Admin context, and then allocate it to the user context using the allocate-interface command.


The syntax of this command is as follows:

allocate-interface vlan number

For the number argument, enter the number of an existing VLAN or a range of VLANs that you want to assign to the context as integers from 2 to 4094.

For example, to allocate VLAN 100 to a context, enter:

host1/Admin(config-context)# allocate-interface vlan 100

To allocate an inclusive range of VLANs from VLAN 100 through VLAN 200 to a context, enter:

host1/Admin(config-context)# allocate-interface vlan 100-200

To deallocate a VLAN from a context, enter:

host1/Admin(config-context)# no allocate-interface vlan 100

To deallocate a range of VLANs from a context, enter:

host1/Admin(config-context)# no allocate-interface vlan 100-200

Note You cannot deallocate a VLAN from a user context if the VLAN is in use in that context.


Associating a Context with a Resource Class

Resource classes limit the resources available to one or more contexts. If you do not specify a resource class, the context automatically is a member of the default resource class. The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00 percent of all ACE resources to each context. You can associate a context with only one resource class. For more information about resource classes, see the "Creating a Resource Class for Resource Management" section. To associate a context with a resource class, use the member command in context configuration mode.

The syntax of this command is as follows:

member class

For the class argument, enter the name of an existing resource class as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For information about configuring a resource class, see the "Creating a Resource Class for Resource Management" section.

For example, to associate a context with the resource class RC1, enter:

host1/Admin(config-context)# member RC1

To disassociate a context from a resource class, enter:

host1/Admin(config-context)# no member RC1

Moving Between Contexts

You can move between contexts by using the changeto command in Exec mode or the do changeto command in configuration modes. You must have one of the predefined user roles in the Admin context to use the changeto command. For information about the predefined user roles, see the "Role-Based Access Control" section in Chapter 1, Overview. Context administrators, who have access to multiple contexts, must explicitly log in to the other contexts to which they have access. The syntax of this command is as follows:

changeto name

The name argument specifies the identifier of an existing context. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, enter:

host1/Admin# changeto C1
host1/C1#

Creating and Configuring User Roles

User roles determine the privileges that a user has, the commands that a user can enter, and the actions that a user can perform in a particular context. For a list of the predefined roles that the ACE provides, see Chapter 1, Overview. To display the predefined roles in the CLI, enter the show role command in Exec mode. The global administrator or a context administrator can configure additional roles. You can apply the roles that you create only in the context in which you create them.

To configure roles, use the role command in configuration mode. The syntax of this command is as follows:

role name

The name argument is an identifier associated with a role. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

If you do not assign a role to a new user, the default role is Network-Monitor. For users that you create in the Admin context, the default scope of access is the entire device. For users that you create in other contexts, the default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair using the username command (see the "Configuring a User" section).

For example, enter:

host1/C1(config)# role TECHNICIAN
host1/C1(config-role)#

To remove the role from the configuration, enter:

host1/C1(config)# no role TECHNICIAN

After you create a user role, you can limit the features that a user has access to and the commands the user can enter for that feature by configuring rules for that role. To assign privileges per feature to a role, use the rule command in role configuration mode. The syntax of this command is as follows:

rule number {permit | deny} {create | modify | debug | monitor} [feature {AAA | access-list | config-copy | connection | dhcp | fault-tolerant | inspect | interface | loadbalance | nat | pki | probe | real-inservice | routing | rserver | serverfarm | ssl | sticky | syslog | vip}]

The keywords, arguments, and options are as follows:

number—Identifier of the rule and order of precedence. Enter a unique integer from 1 to 16. The rule number determines the order in which the ACE applies the rules, with a higher-numbered rule applied after a lower-numbered rule.

permit—Allows the role to perform the operations defined by the rest of the command keywords.

deny—Disallows the role to perform the operations defined by the rest of the command keywords.

create—Specifies commands for the creation of new objects or the deletion of existing objects (includes modify, debug, and monitor commands).

modify—Specifies commands for modifying existing configurations (includes debug and monitor commands).

debug—Specifies commands for debugging problems (includes monitor commands).

monitor—Specifies commands for monitoring resources and objects (show commands).

feature—(Optional) Specifies one of the following ACE features for configuring this rule:

AAA—Specifies commands for authentication, authorization, and accounting.

access-list—Specifies commands for access control lists (ACLs). Includes ACL configuration, class maps for ACL, and policy maps that contain ACL class maps.

config-copy—Specifies commands for copying the running-config file to the startup-config file, startup-config file to the running-config file, and copying both config files to the flash disk (disk0:) or a remote server.

connection—Specifies commands for network connections.

dhcp—Specifies commands for Dynamic Host Configuration Protocol.

fault-tolerant—Specifies commands for redundancy.

inspect—Specifies commands for packet inspection used in data-center security.

interface—Specifies all interface commands.

loadbalance—Specifies commands for load balancing (including the application acceleration and optimization functions). Allows adding a load-balancing action in a policy map.

nat—Specifies commands for Network Address Translation (NAT) associated with a class map in a policy map used in data-center security.

pki—Specifies commands for SSL public key infrastructure (PKI).

probe—Specifies commands for keepalives for real servers.

real-inservice—Specifies commands for placing a real server in service.

routing—Specifies all commands for routing, both global and per interface.

rserver—Specifies commands for physical servers.

serverfarm—Specifies commands for server farms.

ssl—Specifies commands for SSL.

sticky—Specifies commands for server persistence.

syslog—Specifies the system logging facility setup commands.

vip—Specifies commands for virtual IP addresses and virtual servers.

For example, to configure a rule that allows a role to create and configure real servers, enter:

host1/C1(config-role)# rule 1 permit create feature rserver

To remove the rule from a role, enter:

host1/C1(config-role)# no rule 1 permit create feature rserver

Creating and Configuring Domains

A domain is the namespace in which a user operates. When you create a context, the ACE creates a default domain (default-domain) for that context. You can create a maximum of 63 additional domains in each context. For information about configuring a context, see the "Configuring a Context" section. To create a domain, use the domain command in configuration mode. The syntax of this command is as follows:

domain name

For the name argument, enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to create a domain called D1, enter:

host1/C1(config)# domain D1
host1/C1(config-domain)#

To remove a domain from the configuration, enter:

host1/C1(config)# no domain D1


Note A domain does not restrict the context configuration that you can display using the show running-config command. You can still display the running configuration for the entire context. However, a domain can restrict your access to the configurable objects within a context by adding only a limited subset of all the objects available to a context to the domain. You can further restrict the operations that a user can perform on those configurable objects by assigning a role to a user. For information about configuring user roles, see the "Creating and Configuring User Roles" section.


After you create a domain, you can associate configurable objects with that domain (for example, a real server, server farm, interface, and so on). To associate a configurable object with a domain, use the add-object command in domain configuration mode.

The syntax of this command is as follows:

add-object {access-list {ethertype | extended} | all | class-map | interface {bvi | vlan} | parameter-map | policy-map | probe | rserver | script | serverfarm | sticky} name

The keywords, arguments, and option are as follows:

access-list—Specifies an existing access control list (ACL) that you want to associate with the domain.

all—Specifies that all existing configuration objects in the context are added to the domain.

class-map—Specifies an existing class map for flow classification that you want to associate with the domain.

interface—Specifies an existing interface that you want to associate with the domain.

parameter-map—Specifies an existing parameter map that you want to associate with the domain.

policy-map—Specifies an existing policy map that you want to associate with the domain.

probe—Specifies an existing real server probe (keepalive) that you want to associate with the domain.

rserver—Specifies an existing real server that you want to associate with the domain.

script—Specifies an existing script that you created with the ACE TCL scripting language.

serverfarm—Specifies an existing server farm that you want to associate with the domain.

sticky—Specifies an existing sticky group that you want to associate with the domain to maintain persistence with a server.

name—Identifier of the specified object. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to associate an interface called VLAN 10 with the domain, enter:

host1/C1(config-domain)# add-object interface vlan 10

To remove the object from the domain, enter:

host1/C1(config-domain)# no add-object interface vlan 10

Configuring a User

The ACE creates the following default user accounts at startup: admin, dm, and www.

The admin user is the global administrator and cannot be deleted.

The dm user is for accessing the Device Manager GUI and cannot be deleted. The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE CLI.


Note Do not modify the dm user password from the ACE CLI. If the password is changed, the Device Manager GUI will become inoperative. If this occurs, restart the Device Manager using the dm reload command (you must be the global administrator to access the dm reload command). Note that restarting the Device Manager does not impact ACE functionality; however, it may take a few minutes for the Device Manager to reinitialize as it reads the ACE CLI configuration. This command is available only in software versions A1(8.0) and higher.


The ACE uses the www user account for the XML interface.

The global administrator (admin) assigns one user in each context as the context administrator. The context administrator can then log in to the context or contexts for which he or she is responsible and create additional users.

If you do not assign a role to a new user, the default role is Network-Monitor. For users that you create in the Admin context, their default scope of access is the entire device. For users that you create in other contexts, their default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair.

To create a user, use the username command in configuration mode. The syntax of this command is as follows:

username name1 [password [0 | 5] {password}] [expire date] [role name2 {domain name3 name4 ... namen}]

The keywords, arguments, and options are as follows:

name1—Identifier of the user that you are creating. Enter an unquoted text string with no spaces and a maximum of 24 alphanumeric characters.

password—(Optional) Keyword that indicates that a password follows.

0—(Optional) Specifies a clear text password.

5—(Optional) Specifies an MD5-hashed strong encryption password.

password—(Optional) Password in clear text, encrypted text, or MD5 strong encryption, depending on the numbered option (0 or 5) that you enter. If you do not enter a numbered option, the password is in clear text by default. If you enter the password keyword, you must enter a password. Enter a password as an unquoted text string with a maximum of 64 alphanumeric characters. The ACE supports the following special characters in a password:

, . / = + - ^ @ ! % ~ # $ * ( )

Note that the ACE encrypts clear text passwords in the running-config.

expire date—(Optional) Specifies the expiration date of the user account. Enter the expiration date in the format yyyy-mm-dd.

role name2—(Optional) Specifies an existing role that you want to assign to the user.

domain name3 name4 ... namen—Specifies the domains in which the user can operate. You can enter multiple domain names up to a maximum of 10, including default-domain.

For example, enter:

host1/C1(config)# username USER1 password MYSECRET expire 2005-12-31 role TECHNICIAN domain D1 default-domain

host1/C1(config)# username USER2 password HERSECRET expire 2005-12-31 role Admin domain default-domain D2

To delete a user from the configuration, enter:

host1/C1(config)# no username USER1

Example of a Virtualization Configuration

The following running-configuration example shows a basic virtualization configuration with one user-defined context, one resource class, one domain, and one user.

resource-class RC1
  limit-resource rate syslog minimum 10.00 maximum equal-to-min
  limit-resource acl-memory minimum 10.00 maximum unlimited

access-list ACL1 line 10 extended permit ip any any

rserver host RS1
  ip address 192.168.2.251
  inservice
rserver host RS2
  ip address 192.168.2.252
  inservice
serverfarm host SF1
  rserver RS1
    inservice
  rserver RS2
    inservice

domain D1
  add-object access-list extended ACL1
  add-object rserver RS1
  add-object rserver RS2
  add-object serverfarm SF1

role SLB-Admin

context C1
  allocate-interface vlan 100-200
  description accounting department
  member RC1

username JANE password 5 adropgijaeprgja9erjg2uWgtce1 role SLB-Admin domain D1
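As an added example that is not part of the guide, the following Python script parses a running-config in the format shown above and checks the cross-references that the Quick Start procedure and this configuration create: every member names an existing resource-class, every add-object names an object defined in the context, and every username refers to an existing role and to existing domains. The sample configuration, its placeholder password hash, and the function names are constructed for the example.

```python
"""Referential check of an ACE running-config (added example, not Cisco code): parses
the format shown above and checks the references that member, add-object and username create."""
import re

# Constructed config in the format of the example above; the password hash is a
# placeholder, and RC7, RS9, Ops and D2 are deliberately left undefined.
SAMPLE_CONFIG = """\
resource-class RC1
  limit-resource acl-memory minimum 10.00 maximum unlimited
access-list ACL1 line 10 extended permit ip any any
rserver host RS1
serverfarm host SF1
  rserver RS1
    inservice
domain D1
  add-object access-list extended ACL1
  add-object rserver RS1
  add-object serverfarm SF1
  add-object rserver RS9
role SLB-Admin
context C1
  allocate-interface vlan 100-200
  member RC1
context C2
  member RC7
context C3
username JANE password 5 PLACEHOLDER-HASH role SLB-Admin domain D1
username BOB password 5 PLACEHOLDER-HASH role Ops domain D1 D2
username EVE password 5 PLACEHOLDER-HASH
"""
PREDEFINED_ROLES = {"Admin", "Network-Monitor"}  # named in this chapter; Chapter 1 lists all
USERNAME_RE = re.compile(r"^username (\S+)(?: password (?:[05] )?\S+)?"
                         r"(?: expire \S+)?(?: role (\S+))?(?: domain (.+))?$")


def parse_config(text):
    """Collect the objects that the virtualization commands refer to."""
    cfg = {"resource-class": set(), "access-list": set(), "rserver": set(),
           "serverfarm": set(), "role": set(), "domain": {}, "context": {},
           "username": []}
    block = None  # (kind, name) of the current top-level object
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw[0] != " ":  # an unindented line starts a new top-level object
            kind, block = words[0], None
            if kind == "username":
                m = USERNAME_RE.match(raw)
                cfg["username"].append((m.group(1), m.group(2), (m.group(3) or "").split()))
            elif kind in ("rserver", "serverfarm"):  # "rserver host NAME"
                cfg[kind].add(words[2])
            elif kind in ("domain", "context"):
                cfg[kind][words[1]] = [] if kind == "domain" else None  # None: no member yet
                block = (kind, words[1])
            elif kind in cfg:
                cfg[kind].add(words[1])
        elif block and block[0] == "domain" and words[0] == "add-object":
            cfg["domain"][block[1]].append(words[1:])
        elif block and block[0] == "context" and words[0] == "member":
            cfg["context"][block[1]] = words[1]
    return cfg


def check_references(cfg):
    """Return findings for contexts, domains and users whose references dangle."""
    findings = []
    for ctx, rc in cfg["context"].items():
        if rc is None:
            findings.append(f"context {ctx}: no member, falls into the default resource class")
        elif rc not in cfg["resource-class"]:
            findings.append(f"context {ctx}: resource-class {rc} is not defined")
    for dom, objects in cfg["domain"].items():
        for obj in objects:  # e.g. ["access-list", "extended", "ACL1"]; the name is last
            kind, name = obj[0], obj[-1]
            if kind in cfg and name not in cfg[kind]:
                findings.append(f"domain {dom}: {kind} {name} is not defined")
    roles = cfg["role"] | PREDEFINED_ROLES
    domains = set(cfg["domain"]) | {"default-domain"}
    for user, role, doms in cfg["username"]:
        if role is None:
            findings.append(f"username {user}: no role, defaults to Network-Monitor")
        elif role not in roles:
            findings.append(f"username {user}: role {role} is not defined")
        for d in doms:
            if d not in domains:
                findings.append(f"username {user}: domain {d} is not defined")
    return findings
```

Running check_references(parse_config(SAMPLE_CONFIG)) reports the undefined RC7, RS9, Ops and D2 references, the unbounded context C3, and the user EVE who would receive the default Network-Monitor role.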