Quick Start Guide vA3(2.2), Cisco ACE 4700 Series Application Control Engine Appliance
Creating a Virtual Context


Table Of Contents

Creating a Virtual Context

Overview

Creating a Virtual Context Using the Device Manager GUI

Creating a Resource Class

Creating a Virtual Context

Configuring the Client-Side VLAN Interface

Configuring the Server-Side VLAN Interface

Creating a Virtual Context Using the CLI

Configuring a Resource Class

Creating a Virtual Context

Configuring a Management VLAN Interface to the User Context

Configuring Remote Management Access to the User Contexts

Configuring the Client-Side VLAN Interface

Configuring the Server-Side VLAN Interface


Creating a Virtual Context


This chapter describes how to create a virtual context for the Cisco 4700 Series Application Control Engine (ACE) appliance.

This chapter contains the following sections:

Overview

Creating a Virtual Context Using the Device Manager GUI

Creating a Virtual Context Using the CLI

Overview

After reading this chapter, you should have a basic understanding of ACE appliance virtualization and be able to partition your ACE into multiple virtual devices or virtual contexts (VCs) for more efficient operation.

Virtualization allows you to create a virtual environment in which a single ACE is partitioned into multiple virtual devices, each functioning as an independent ACE appliance that is configured and managed independently.

You set up virtualization by performing the following configuration steps:

Configure resource allocation for a virtual context

Create a virtual context

Configure access to the virtual context

An example virtual environment is used throughout this guide: the user context VC_web handles the web traffic through the network and is associated with the custom resource class RC_web.

In this chapter, you will create a virtual context. In subsequent chapters, you will create a virtual server within the virtual context. The virtual server is associated with a server farm and real servers. The example setup is illustrated in Table 3-1.

Table 3-1 Example Virtual Contexts

Virtual Context   Virtual Server   Server Farm   Real Servers
VC_web            VS_web           SF_web        RS_web1, RS_web2, RS_web3, RS_web4


Before you begin configuring your ACE for virtualization, you should become familiar with a few concepts: virtual context, Admin and user contexts, and resource classes.

With ACE virtualization, you can create a virtual environment, called a virtual context, in which a single ACE appears as multiple virtual devices, each configured and managed independently. A virtual context allows you to closely and efficiently manage system resources, ACE users, and the services that you provide to your customers.

By default, the ACE initially provides you an Admin context, with the ability to define up to five user contexts. (With additional licenses, you can define up to 20 contexts.)

As the system administrator, you have full system administrator access to configure and manage the Admin context and all user contexts. Each context can also have its own administrator and log-in mechanism that provides access only to the specific context. When you log in to the ACE using the console or Telnet, you are authenticated in the Admin context.

Although virtualization allows you to create multiple contexts, in the physical world, you still have a single ACE with finite resources, such as the number of concurrent connections. To address this limitation, the ACE provides resource classes that allow you to manage each virtual context's access to physical ACE resources. A resource class is a definition of what portion of an ACE's overall resources will be assigned, at a minimum or maximum, to any given context. One resource class may be associated with one or more contexts.

The ACE is preconfigured with a default resource class for the Admin context. This default resource class is applied to all virtual contexts that you create. It allows a maximum of 100 percent access to all resources by all virtual contexts. When a resource is being used to its maximum limit, the ACE will deny additional requests for that resource from any other virtual contexts. To avoid oversubscribing resources and to help guarantee that resource availability is shared among multiple virtual contexts, you create custom resource classes and associate them with the virtual contexts you define.

Creating a Virtual Context Using the Device Manager GUI

This section describes how to create and configure a virtual context for server load balancing using the ACE Device Manager user interface and contains the following topics:

Creating a Resource Class

Creating a Virtual Context

Configuring the Client-Side VLAN Interface

Configuring the Server-Side VLAN Interface

Creating a Resource Class

Create a resource class by following these steps:


Step 1 Choose Config > Virtual Contexts > System > Resource Classes. The Resource Classes pane appears.

Figure 3-1 Resource Classes Pane

Step 2 Click Add. The New Resource Class window appears (Figure 3-2).

Figure 3-2 New Resource Class Window

Step 3 Enter the following Resource Class attributes. Leave the remaining attributes blank or with their default values.

Name: RC_web

Default Min: 10

Default Max: Unlimited

Step 4 Click Deploy Now. The Resource Classes pane appears with the newly added resource class (Figure 3-3).

Figure 3-3 Resource Classes Pane with a New Resource Class Added


Creating a Virtual Context

You can create a user context for server load-balancing purposes. For the example configuration, you will create a user context, VC_web, and configure a management VLAN interface to VLAN 1000, as illustrated in Figure 3-4 (previously configured settings are grayed out).

Figure 3-4 Creating a User Context

Create a virtual context by following these steps:


Step 1 Choose Config > Virtual Contexts. The All Virtual Contexts pane appears (Figure 3-5).

Figure 3-5 All Virtual Contexts Pane

Step 2 Click Add. The New Virtual Context window appears (Figure 3-6).

Figure 3-6 New Virtual Context Window

Step 3 Enter the following virtual context attributes. Leave the remaining attributes blank or with their default values.

Name: VC_web

Resource Class: RC_web

Allocate-Interface VLANs: 1000, 400, 500 (these VLANs allow the context to receive the associated traffic)

Description: Virtual context for marketing website

Policy Name: Management

Management VLAN: 1000 (this VLAN allows for remote management of the context)

Management IP: 172.25.91.111 (this IP address also allows for remote management of the context)

Management Netmask: 255.255.255.0

Protocols to Allow: SNMP (or any protocols that you allow for this virtual context)

Default Gateway IP: 172.25.91.1

Step 4 Click Deploy Now to deploy this context. Then, choose Virtual Contexts. The window refreshes with the new virtual context listed in the All Virtual Contexts pane (Figure 3-7).

Figure 3-7 All Virtual Contexts Pane After VC_web is Added


Configuring the Client-Side VLAN Interface

You can now configure a client-side VLAN interface, which is the address to which client traffic is sent. For the example configuration, you will configure VLAN 400 (Figure 3-8).

Figure 3-8 Configuring the Client-Side VLAN Interface

Configure a client-side VLAN interface by following these steps:


Step 1 Choose VC_web in the virtual contexts drop-down list.

Step 2 Choose Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interfaces pane appears (Figure 3-9).

Figure 3-9 VLAN Interfaces Pane

Step 3 Click Add to add a new VLAN interface. The VLAN Interfaces window appears (Figure 3-10).

Figure 3-10 VLAN Interfaces Window—VLAN 400

Step 4 Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.

VLAN: 400

Description: Client-side VLAN interface

IP Address: 10.10.40.10

Netmask: 255.255.255.0

Admin Status: Up

Step 5 Click Deploy Now to save your entry. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane (Figure 3-11).

Figure 3-11 VLAN Interface Pane with Two VLANs Configured


Configuring the Server-Side VLAN Interface

At this point, you can configure the server-side VLAN interface, which is the address to which server traffic is sent. For the example configuration, you will configure VLAN 500 and a NAT pool for the VLAN (Figure 3-12).


Note Network Address Translation (NAT) is designed to simplify and conserve IP addresses. It allows private IP networks that use unregistered IP addresses to connect to the Internet. You configure a NAT pool for the ACE so that the ACE exposes only one address for the entire network to the outside world. This pool, which hides the entire internal network behind that address, offers both security and address conservation.


Figure 3-12 Configuring the Server-Side VLAN Interface

Configure the VLAN interface by following these steps:


Step 1 Make sure that VC_web is selected in the virtual contexts drop-down list.

Step 2 Choose Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interfaces pane appears (Figure 3-11).

Step 3 Click Add to add a new VLAN interface. The VLAN Interfaces window appears (Figure 3-10).

Step 4 Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.

VLAN: 500

Description: Server-side VLAN interface

IP Address: 10.10.50.1

Netmask: 255.255.255.0

Admin Status: Up

Step 5 Click Deploy Now to save your entry. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane.

Step 6 Choose the row for VLAN 500, and then choose the NAT Pool tab. The NAT Pool pane appears (Figure 3-13).

Figure 3-13 NAT Pool Pane

Step 7 Click Add to add a new NAT pool. The NAT Pool pane appears (Figure 3-14).

Figure 3-14 Configuring a NAT Pool

Step 8 Enter the following NAT pool attributes. Leave the remaining attributes blank or with their default values.

NAT Id: 1

Start IP Address: 10.10.50.101

End IP Address: 10.10.50.104

Netmask: 255.255.255.0

Step 9 Click Deploy Now at the bottom of the window to save your entry and return to the NAT Pool pane (Figure 3-15).

Figure 3-15 NAT Pool Pane with a NAT Pool Configured


Creating a Virtual Context Using the CLI

You can create a virtual context using the command-line interface. This section contains the following topics:

Configuring a Resource Class

Creating a Virtual Context

Configuring a Management VLAN Interface to the User Context

Configuring Remote Management Access to the User Contexts

Configuring the Client-Side VLAN Interface

Configuring the Server-Side VLAN Interface

Configuring a Resource Class

Configure a resource class by following these steps:


Step 1 Using the console, log in to the ACE as the system administrator. For example, enter the following command at a command prompt.

telnet 172.25.91.110

At the prompt, enter admin, then the new password you entered in Step 2 in "Enabling Management Connectivity Using the Setup Script" in Chapter 2.

host1 login: admin
Password: xxxxx

Step 2 Enter configuration mode.

host1/Admin# config
host1/Admin(config)# 

Step 3 Configure a resource class that guarantees a context a minimum of 10 percent of the total resources available on the ACE, with no maximum, and exit configuration mode.

host1/Admin(config)# resource-class RC_web
host1/Admin(config-resource)# limit-resource all minimum 10 maximum unlimited
host1/Admin(config-resource)# exit
host1/Admin(config)#


Creating a Virtual Context

Create a virtual context by following these steps:


Step 1 Create a new context.

host1/Admin(config)# context VC_web
host1/Admin(config-context)# 

Step 2 Associate three existing VLANs with the context so that the context can receive traffic classified for it.

host1/Admin(config-context)# allocate-interface vlan 1000
host1/Admin(config-context)# allocate-interface vlan 400
host1/Admin(config-context)# allocate-interface vlan 500

Step 3 Associate the context with the resource class that you created in the previous section, "Configuring a Resource Class."

host1/Admin(config-context)# member RC_web

Step 4 Change to the VC_web context that you created in Step 1 and exit configuration mode.

host1/Admin(config-context)# do changeto VC_web
host1/VC_web(config)# exit
host1/VC_web#

Step 5 Display the virtual context configuration.

host1/VC_web# show running-config context

Step 6 Display the resource class configuration.

host1/VC_web# show running-config resource-class
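The oversubscription risk described in the Overview is easy to check from the running configuration. The following script is an added example, not part of the guide or of the ACE software; it parses resource-class and context member lines in running-config form, assumes that every member context is guaranteed the minimum of its class (so the minimums are summed per context), and uses a constructed sample that adds classes and contexts beyond the chapter's RC_web and VC_web.

```python
import re

# Constructed sample in ACE running-config style (not from the guide): the
# chapter's RC_web/VC_web plus extra classes and contexts to exercise the checks.
SAMPLE_CONFIG = """\
resource-class RC_web
  limit-resource all minimum 10 maximum unlimited
resource-class RC_db
  limit-resource all minimum 50 maximum equal-to-min
context VC_web
  allocate-interface vlan 1000
  member RC_web
context VC_db
  member RC_db
context VC_test
  member RC_db
context VC_lab
  allocate-interface vlan 600
"""


def parse_resource_config(text):
    """Return ({class_name: minimum_percent}, {context_name: class_name_or_None})."""
    classes, contexts = {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"resource-class (\S+)", line):
            kind, name = "class", m.group(1)
            classes[name] = 0                      # no limit-resource line seen yet
        elif m := re.match(r"context (\S+)", line):
            kind, name = "context", m.group(1)
            contexts[name] = None                  # no member line: default class
        elif kind == "class" and (m := re.match(r"limit-resource all minimum (\d+)", line)):
            classes[name] = int(m.group(1))
        elif kind == "context" and (m := re.match(r"member (\S+)", line)):
            contexts[name] = m.group(1)
    return classes, contexts


def audit_allocation(classes, contexts):
    """Sum the minimum guaranteed to each member context (assumption: each
    member receives the class minimum) and report oversubscription and
    contexts left on the default class with no guaranteed share."""
    total, findings = 0, []
    for ctx, cls in contexts.items():
        if cls is None:
            findings.append(f"{ctx}: no member line, uses the default class (no guaranteed minimum)")
        elif cls not in classes:
            findings.append(f"{ctx}: member of undefined resource class {cls}")
        else:
            total += classes[cls]
    if total > 100:
        findings.append(f"guaranteed minimums total {total}%, exceeding the 100% available")
    return total, findings


if __name__ == "__main__":
    for finding in audit_allocation(*parse_resource_config(SAMPLE_CONFIG))[1]:
        print(finding)
```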


Configuring a Management VLAN Interface to the User Context

You can provide management connectivity to the user context by assigning an IP address to the VLAN interface, as illustrated in Figure 3-4. Configure a management VLAN interface by following these steps:


Step 1 Access interface configuration mode for VLAN 1000 on VC_web.

host1/VC_web# config
host1/VC_web(config)# interface vlan 1000
host1/VC_web(config-if)#

Step 2 Assign an IP address of 172.25.91.111 and a subnet mask of 255.255.255.0 to the VLAN interface for management connectivity.

host1/VC_web(config-if)# ip address 172.25.91.111 255.255.255.0 

Step 3 Enable the VLAN interface.

host1/VC_web(config-if)# no shutdown

Step 4 Show that VLAN 1000 is active.

host1/VC_web(config-if)# do show interface vlan 1000

Step 5 Verify network connectivity.

host1/VC_web(config-if)# do ping 172.25.91.111

Step 6 Display the ARP table.


Note The Address Resolution Protocol (ARP) allows the ACE to manage and learn the mapping of IP to Media Access Control (MAC) information to forward and transmit packets.


host1/VC_web(config-if)# do show arp

Step 7 Exit configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit
host1/VC_web#


Configuring Remote Management Access to the User Contexts

Before remote network access can occur on the user context through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE. Configure remote management access by following these steps:


Step 1 Create a management type class map named REMOTE_ACCESS that matches any traffic.

host1/VC_web# config
host1/VC_web(config)# class-map type management match-any REMOTE_ACCESS
host1/VC_web(config-cmap-mgmt)#

Step 2 (Optional) Provide a description for the class map.

host1/VC_web(config-cmap-mgmt)# description Remote access traffic match

Step 3 Configure the match protocol to permit traffic based on the SSH, Telnet, and ICMP protocols for any source address.

host1/VC_web(config-cmap-mgmt)# match protocol ssh any
host1/VC_web(config-cmap-mgmt)# match protocol telnet any
host1/VC_web(config-cmap-mgmt)# match protocol icmp any
host1/VC_web(config-cmap-mgmt)# exit
host1/VC_web(config)#

Step 4 Create a REMOTE_MGMT_ALLOW_POLICY policy map for traffic destined to an ACE interface.

host1/VC_web(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/VC_web(config-pmap-mgmt)#

Step 5 Apply the REMOTE_ACCESS class map to this policy.

host1/VC_web(config-pmap-mgmt)# class REMOTE_ACCESS
host1/VC_web(config-pmap-mgmt-c)#

Step 6 Allow the ACE to receive the configured class map management protocols.

host1/VC_web(config-pmap-mgmt-c)# permit
host1/VC_web(config-pmap-mgmt-c)# exit
host1/VC_web(config-pmap-mgmt)# exit
host1/VC_web(config)#

Step 7 Access interface configuration mode for the VLAN to which you want to apply the policy map.

host1/VC_web(config)# interface vlan 1000
host1/VC_web(config-if)#

Step 8 Apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.

host1/VC_web(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Step 9 Display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface.

host1/VC_web(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY

Step 10 Copy your configuration changes from the running configuration to the startup configuration.

host1/VC_web(config-if)# do copy running-config startup-config

Generating configuration....
running config of context VC_web saved

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit

Step 11 Display the running configuration.

host1/VC_web(config)# do show running-config
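The management policy above permits SSH, Telnet and ICMP from any source address, which is worth reviewing before the context goes into production. The following audit script is an added example, not from the guide or the ACE software; it parses class-map and policy-map lines in running-config form and reports which permitted management protocols carry credentials in cleartext or are reachable from any source. The MGMT_LOCKED class and the `source-address ip mask` form of match protocol are constructed here as a tightened comparison and are assumptions, not taken from the chapter.

```python
import re

# Protocols whose credentials cross the wire unencrypted.
CLEARTEXT = {"telnet", "http"}

# Constructed sample in ACE running-config style: the chapter's REMOTE_ACCESS
# class plus a second, source-restricted class (MGMT_LOCKED is an assumption).
SAMPLE_CONFIG = """\
class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  match protocol ssh any
  match protocol telnet any
  match protocol icmp any
class-map type management match-any MGMT_LOCKED
  match protocol ssh source-address 172.25.91.0 255.255.255.0
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
  class MGMT_LOCKED
    permit
"""


def parse_management_policy(text):
    """Return ({class_map: [(protocol, source)]}, {policy_map: {class_map: action}})."""
    cmaps, pmaps = {}, {}
    kind = name = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map type management \S+ (\S+)", line):
            kind, name = "cmap", m.group(1)
            cmaps[name] = []
        elif m := re.match(r"policy-map type management \S+ (\S+)", line):
            kind, name = "pmap", m.group(1)
            pmaps[name] = {}
        elif kind == "cmap" and (m := re.match(r"match protocol (\S+) (any|source-address \S+ \S+)", line)):
            cmaps[name].append((m.group(1), m.group(2)))
        elif kind == "pmap" and (m := re.match(r"class (\S+)", line)):
            cls = m.group(1)
            pmaps[name][cls] = None                # action line follows
        elif kind == "pmap" and line in ("permit", "deny"):
            pmaps[name][cls] = line
    return cmaps, pmaps


def audit_policy(cmaps, pmaps, policy):
    """List risky exposures among the classes a management policy permits."""
    findings = []
    for cls, action in pmaps.get(policy, {}).items():
        if action != "permit":
            continue
        for proto, src in cmaps.get(cls, []):
            if proto in CLEARTEXT:
                findings.append(f"{cls}: {proto} permitted, credentials travel in cleartext")
            if src == "any":
                findings.append(f"{cls}: {proto} reachable from any source address")
    return findings


if __name__ == "__main__":
    cmaps, pmaps = parse_management_policy(SAMPLE_CONFIG)
    for finding in audit_policy(cmaps, pmaps, "REMOTE_MGMT_ALLOW_POLICY"):
        print(finding)
```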


Configuring the Client-Side VLAN Interface

At this point, you can configure a client-side VLAN interface, the address to which the client traffic is sent, as illustrated in Figure 3-8. Configure a client-side VLAN interface by following these steps:


Step 1 Access interface configuration mode for VLAN 400.

host1/VC_web(config)# interface vlan 400
host1/VC_web(config-if)#

Step 2 Assign an IP address of 10.10.40.1 and a subnet mask of 255.255.255.0 to the VLAN interface for client connectivity.

host1/VC_web(config-if)# ip address 10.10.40.1 255.255.255.0 

Step 3 (Optional) Provide a description for the interface.

host1/VC_web(config-if)# description Client connectivity on VLAN 400 

Step 4 Enable the VLAN interface.

host1/VC_web(config-if)# no shutdown

Step 5 Show that VLAN 400 is active.

host1/VC_web(config-if)# do show interface vlan 400

Step 6 Display the ARP table.

host1/VC_web(config-if)# do show arp

Step 7 Exit configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit
host1/VC_web# 


Configuring the Server-Side VLAN Interface

Next, you can configure a server-side VLAN interface, the address to which the server traffic is sent, as illustrated in Figure 3-12. Configure the server-side VLAN interface by following these steps:


Step 1 Access interface configuration mode for VLAN 500.

host1/VC_web# config
host1/VC_web(config)# interface vlan 500
host1/VC_web(config-if)#

Step 2 Assign an IP address of 10.10.50.1 and a subnet mask of 255.255.255.0 to the VLAN interface for server-side connectivity.

host1/VC_web(config-if)# ip address 10.10.50.1 255.255.255.0 

Step 3 (Optional) Provide a description for the interface.

host1/VC_web(config-if)# description Server connectivity on VLAN 500 

Step 4 Enable the VLAN interface.

host1/VC_web(config-if)# no shutdown

Step 5 Configure a NAT pool.

host1/VC_web(config-if)# nat-pool 1 10.10.50.101 10.10.50.104 netmask 255.255.255.0

Step 6 Show that VLAN 500 is active.

host1/VC_web(config-if)# do show interface vlan 500

Step 7 Display the ARP table.

host1/VC_web(config-if)# do show arp

Step 8 Exit configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit
host1/VC_web# 


In this chapter, you have partitioned your ACE into an Admin context and a user context VC_web. Each of the virtual contexts is now associated with a resource class that is appropriate to its intended use. You have also configured a management VLAN interface, as well as the client and server VLAN interfaces to the user context.

In the next chapter, you will configure an access control list to secure your network.