Device Manager GUI Guide vA3(2.5), Cisco ACE 4700 Series Application Control Engine Appliance
Configuring Virtual Contexts

Configuring Virtual Contexts

Table Of Contents

Configuring Virtual Contexts

Using Virtual Contexts

Creating Virtual Contexts

Configuring Virtual Contexts

Configuring Virtual Context System Attributes

Configuring Virtual Context Primary Attributes

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configuring SNMP for Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring Virtual Context Global Traffic Policies

Managing ACE Appliance Licenses

Viewing ACE Appliance Licenses

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Managing Resource Classes

Resource Allocation Constraints

Adding Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Configuring Security with ACLs

Creating ACLs

Setting Extended ACL Attributes

Resequencing Extended ACLs

Setting EtherType ACL Attributes

Viewing All ACLs by Context

Editing or Deleting ACLs

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring Virtual Context Expert Options

Managing Virtual Contexts

Synchronizing Virtual Context Configurations

Viewing Virtual Context Synchronization Status

High Availability and Virtual Context Configuration Status

Manually Synchronizing Individual Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Editing Virtual Contexts

Deleting Virtual Contexts

Viewing All Virtual Contexts


Configuring Virtual Contexts


Cisco Application Control Engine Appliance Device Manager (ACE appliance Device Manager) provides a number of options for creating, configuring, and managing ACE appliances.

For information about these options, see:

Using Virtual Contexts

Creating Virtual Contexts

Configuring Virtual Contexts

Configuring Virtual Context System Attributes

Configuring Virtual Context Primary Attributes

Configuring Virtual Context Syslog Logging

Configuring SNMP for Virtual Contexts

Configuring Virtual Context Global Traffic Policies

Managing ACE Appliance Licenses

Managing Resource Classes

Configuring Security with ACLs

Configuring Object Groups

Configuring Virtual Context Expert Options

Managing Virtual Contexts

Using Virtual Contexts

Virtual contexts use the concept of virtualization to partition your ACE appliance into multiple virtual devices or contexts. Each context contains its own set of policies, interfaces, resources, and administrators. This feature enables you to more closely and efficiently manage resources, users, and the services you provide to your customers.

The first time you configure a virtual context, you will see only the Admin context. In addition to the configurable attributes of other virtual contexts, the Admin context can configure:

ACE appliance licenses

Resource classes

Port channel, management, and gigabit Ethernet interfaces

High Availability (HA or fault tolerance between ACE appliances)

Application acceleration and optimization on the ACE appliance

Related Topics

Creating Virtual Contexts

Configuring Virtual Contexts

Deleting Virtual Contexts

Creating Virtual Contexts

Use this procedure to create virtual contexts.


Note If you do not configure a management VLAN for SNMP access, the ACE appliance Device Manager will not be able to poll the context.



Note If an ACE appliance is configured as a hot standby in a high availability pair, its configuration cannot be modified and you cannot add or modify virtual contexts. ACE appliances configured as hot standby members display Standby Hot in the HA State column in the All Virtual Contexts table (Config > Virtual Contexts). For more information, see High Availability Polling, page 9-6.


Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Click Add. The New Virtual Context screen appears.

Step 3 Configure the virtual context using the information in Table 2-1.


Tip Fields with 2 or 3 choices use radio buttons. Fields with more than 3 choices use dropdown lists.


Table 2-1 Virtual Context Configuration Attributes 

Field
Description

Name

Enter a unique name for the virtual context. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

This field is read-only for existing contexts.

Resource Class

Select the resource class this virtual context is to use.

Allocate Interface VLANs

Enter the number of a VLAN or a range of VLANs so that the context can receive the associated traffic. You can specify VLANs in any of the following ways:

For a single VLAN, enter an integer from 2 to 4096.

For multiple, non-sequential VLANs, use comma-separated entries, such as 101, 201, 302.

For a range of VLANs, use the format <beginning-VLAN>-<ending-VLAN>, such as 101-150.

Note VLANs cannot be modified in an Admin context.

Description

Enter a brief description of the virtual context.

Shared VLAN Host ID

Enter a specific bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. This field is available only in the Admin context.

Policy Name

For a new management VLAN, enter a name for the management policy. This field is read-only for existing contexts.

Management VLAN

Enter the VLAN that is to be used for remote management of the context.

Management IP

Enter the IP address that is to be used for remote management of the context.

Note The Device Manager considers an interface as a management interface if it has a management policy map associated with the VLAN interface. See the "Configuring VLAN Interface Policy Map Use" section on page 8-10.

Management Netmask

Select the subnet mask to apply to this IP address.

Protocols To Allow

Select the protocols to allow on this VLAN:

HTTP—Specifies the Hypertext Transfer Protocol (HTTP).

HTTPS—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the ACE appliance Device Manager interface using port 443.

ICMP—Specifies the Internet Control Message Protocol (ICMP), commonly referred to as ping.

KALAP-UDP—Specifies the Keepalive Appliance Protocol over UDP.

SNMP—Specifies the Simple Network Management Protocol (SNMP).


Note If SNMP is not selected, the ACE appliance Device Manager will not be able to poll the context.


SSH—Specifies a Secure Shell (SSH) connection to the ACE appliance.

TELNET—Specifies a Telnet connection to the ACE appliance.

XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving XML documents between the ACE appliance and a Network Management System (NMS). Communication is performed using port 10443.

You can select multiple protocols by holding down the Shift key while selecting protocols.

Default Gateway IP

Enter the IP address of the default gateway. Use a comma-separated list to specify multiple IP addresses, such as 192.168.65.1, 192.168.64.2.

Default static routes with a netmask and IP address of 0.0.0.0 previously configured on the ACE appliance appear in this field.

SNMP v2c Read-Only Community String

If SNMP is one of the allowed protocols, enter the SNMP version 2c community string to be used.

Note If SNMP is not an allowed protocol, the ACE appliance Device Manager will not be able to poll the context.


Step 4 Click:

Deploy Now to deploy this virtual context. To configure other virtual context attributes, see Configuring Virtual Contexts.

Cancel to exit this procedure without saving your entries and to return to the All Virtual Contexts table.
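The Name, Allocate Interface VLANs, Management VLAN, Protocols To Allow and community-string rules in Table 2-1, together with the two notes about Device Manager being unable to poll a context, can be checked before a context is deployed. The following validator is an added example, not Cisco or Device Manager code; the ContextDefinition field names are assumptions chosen to mirror the table.

```python
"""Pre-deployment lint for a virtual context definition, modelled on the field
constraints in Table 2-1. Added example; not Cisco or Device Manager code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

VLAN_MIN, VLAN_MAX = 2, 4096      # single-VLAN bounds given in Table 2-1
NAME_MAX = 64                     # maximum context name length, no spaces
KNOWN_PROTOCOLS = {"HTTP", "HTTPS", "ICMP", "KALAP-UDP", "SNMP",
                   "SSH", "TELNET", "XML-HTTPS"}
_RANGE = re.compile(r"^(\d+)-(\d+)$")


def parse_vlan_spec(spec: str) -> set[int]:
    """Expand an Allocate Interface VLANs entry into the VLAN IDs it names.

    Accepts a single VLAN ("101"), comma-separated VLANs ("101, 201, 302")
    and ranges ("101-150"), in any mix. Raises ValueError on malformed input
    or on any VLAN outside 2-4096.
    """
    vlans: set[int] = set()
    for token in (t.strip() for t in spec.split(",")):
        m = _RANGE.match(token)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"range {token} runs backwards")
        elif token.isdigit():
            lo = hi = int(token)
        else:
            raise ValueError(f"unrecognised VLAN entry {token!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"{token} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


def vlan_spec_is_valid(spec: str) -> bool:
    """Boolean wrapper around parse_vlan_spec for callers that only need a verdict."""
    try:
        parse_vlan_spec(spec)
    except ValueError:
        return False
    return True


@dataclass
class ContextDefinition:
    """The subset of Table 2-1 fields this check looks at (names are assumptions)."""
    name: str
    resource_class: str
    allocate_vlans: str = ""
    management_vlan: Optional[int] = None
    protocols: set[str] = field(default_factory=set)
    snmp_community: str = ""


def lint_context(ctx: ContextDefinition) -> list[str]:
    """Return findings as "ERROR: ..." / "WARNING: ..." strings; empty means clean.

    Errors are hard constraints stated in Table 2-1; warnings are the conditions
    the guide's notes say will stop Device Manager from polling the context.
    """
    findings: list[str] = []
    if not re.fullmatch(rf"[A-Za-z0-9]{{1,{NAME_MAX}}}", ctx.name):
        findings.append("ERROR: Name must be 1-64 alphanumeric characters with no spaces")
    if not ctx.resource_class:
        findings.append("ERROR: Resource Class must be selected")
    if ctx.allocate_vlans:
        try:
            parse_vlan_spec(ctx.allocate_vlans)
        except ValueError as exc:
            findings.append(f"ERROR: Allocate Interface VLANs: {exc}")
    protocols = {p.upper() for p in ctx.protocols}
    unknown = protocols - KNOWN_PROTOCOLS
    if unknown:
        findings.append(f"ERROR: unknown Protocols To Allow {sorted(unknown)}")
    if ctx.management_vlan is None:
        findings.append("WARNING: no management VLAN; Device Manager cannot poll this context")
    if "SNMP" not in protocols:
        findings.append("WARNING: SNMP not allowed; Device Manager cannot poll this context")
    elif not ctx.snmp_community:
        findings.append("WARNING: SNMP allowed but no v2c read-only community string set")
    return findings


if __name__ == "__main__":
    # Constructed sample definition, not taken from any real deployment.
    sample = ContextDefinition(name="ctxA", resource_class="RC1", allocate_vlans="101-150",
                               management_vlan=101, protocols={"SSH", "HTTPS"})
    for finding in lint_context(sample):
        print(finding)
```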


Related Topics

Using Virtual Contexts

Configuring Virtual Contexts

Configuring Virtual Contexts

After creating a virtual context, you can configure it. Configuring a virtual context involves configuring a number of attributes, grouped into configuration subsets. Table 2-2 describes ACE appliance Device Manager configuration subsets and provides links to related topics.


Note If an ACE appliance is configured as a hot standby in a high availability pair, its configuration cannot be modified and you cannot add or modify virtual contexts. ACE appliances configured as hot standby members display Standby Hot in the HA State column in the All Virtual Contexts table (Config > Virtual Contexts). For more information, see High Availability Polling, page 9-6.



Note To add objects such as real servers or server farms to a customized domain, use the CLI and then use the synchronize feature in ACE appliance Device Manager to add this object into its customized domain on ACE appliance Device Manager. Adding objects to customized domains directly in ACE appliance Device Manager results in the object being added to the default domain.

Synchronization options are available in the All Virtual Contexts table (Config > Virtual Contexts).



Tip Fields with 2 or 3 choices use radio buttons. Fields with more than 3 choices use dropdown lists.


Table 2-2 ACE Appliance and Virtual Context Configuration Options 

Configuration Subset
Description
Related Topics

System

System configuration options allow you to configure:

Primary attributes such as VLANs, SNMP access, and resource class.

Syslog attributes including the type and severity of syslog messages that are to be logged, the syslog log host, log messages, and log rate limits.

SNMP options.

Global policy map configuration for all VLANs on a virtual context.

ACE appliance license use on the ACE appliance.

Resource classes for allocation of ACE appliance resources.

Application acceleration and optimization on the ACE appliance.

Note ACE appliance licenses, resource classes, and acceleration and optimization can be configured only in an Admin context.

Related Topics:

Configuring Virtual Context Primary Attributes

Configuring Virtual Context Syslog Logging

Configuring SNMP for Virtual Contexts

Configuring Virtual Context Global Traffic Policies

Managing ACE Appliance Licenses

Managing Resource Classes

Configuring Global Application Acceleration and Optimization, page 11-10

Load Balancing

Load-balancing attributes allow you to:

Configure virtual servers, real servers, and server farms for load balancing

Establish the predictor method and return code checking

Implement sticky groups for session persistence

Configure parameter maps to combine related actions for policy maps

Load-balancing configuration options include:

Virtual servers

Real servers

Server farms

Health monitoring

Sticky attributes

Parameter maps

Related Topics:

Load Balancing Overview, page 3-1

Configuring Virtual Servers, page 3-2

Configuring Server Farms, page 4-11

Configuring Health Monitoring for Real Servers, page 4-27

Configuring Sticky Groups, page 5-7

Configuring Parameter Maps, page 6-6

SSL

SSL configuration options allow you to:

Import and export SSL certificates and keys

Set up SSL parameter maps and chain group parameters

Generate certificate signing requests for submission to a certificate authority

Authenticate peer certificates

Configure certificate revocation lists for use during client authentication

Related Topics:

Configuring SSL, page 7-1

Using SSL Certificates, page 7-6

Using SSL Keys, page 7-10

Generating CSRs, page 7-21

Configuring SSL Parameter Maps, page 7-16

Configuring SSL Chain Group Parameters, page 7-18

Configuring SSL Proxy Service, page 7-22

Configuring SSL Authentication Groups, page 7-24

Configuring CRLs for Client Authentication, page 7-25

Security

Security configuration options allow you to create access control lists, set ACL attributes, resequence ACLs, delete ACLs, and configure object groups.

Related Topics:

Configuring Virtual Context Expert Options

Creating ACLs

Configuring Object Groups

Network

Network configuration options allow you to configure:

Port channel interfaces

Gigabit Ethernet interfaces

VLAN interfaces

BVI interfaces

Static routes

DHCP relay agents

Note You can configure port channel and gigabit Ethernet interfaces only in an Admin context.

Related Topics:

Configuring Gigabit Ethernet Interfaces, page 8-3

Configuring Virtual Context VLAN Interfaces, page 8-6

Configuring Virtual Context BVI Interfaces, page 8-15

Configuring Virtual Context Static Routes, page 8-16

Configuring Global IP DHCP, page 8-19

High Availability

High Availability (HA) attributes allow you to configure two ACE appliances for fault-tolerant redundancy.

Note You can set up high availability only in an Admin virtual context.

Related Topics:

Configuring High Availability, page 9-1

Configuring High Availability Peers, page 9-8

Configuring ACE High Availability Groups, page 9-11

HA Tracking And Failure Detection

HA Tracking And Failure Detection attributes allow you to configure tracking processes that can help ensure reliable fault tolerance.

Related Topics:

High Availability Tracking and Failure Detection Overview, page 9-17

Tracking VLAN Interfaces for High Availability, page 9-17

Tracking Hosts for High Availability, page 9-18

Expert

Expert options allow you to:

Configure traffic policies for filtering and handling traffic received by or passing through the ACE appliance.

Configure optimization action lists.

Configure HTTP header modify action lists.

Related Topics:

Configuring Traffic Policies, page 10-1

Configuring an HTTP Optimization Action List, page 11-3

Configuring an HTTP Header Modify Action List, page 10-79


Configuring Virtual Context System Attributes

Table 2-3 identifies the ACE appliance Device Manager virtual context System configuration options and related topics for more information.

Table 2-3 Virtual Context System Configuration Options 

System Configuration Options
Related Topics

Specify virtual context primary attributes

Configuring Virtual Context Primary Attributes

Configure syslog options

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configure SNMP options

Configuring SNMP for Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Establish global policy maps for all VLANs on a virtual context

Configuring Virtual Context Global Traffic Policies

Manage ACE appliance licenses

Managing ACE Appliance Licenses

Manage ACE appliance resources across virtual contexts

Managing Resource Classes

Establish application acceleration and optimization for the ACE appliance

Configuring Global Application Acceleration and Optimization, page 11-10


Configuring Virtual Context Primary Attributes

Primary attributes specify a name and resource class for each virtual context. After providing this information, you can configure other attributes, such as interfaces, monitoring, or load-balancing. For a complete list of configuration options, see Configuring Virtual Contexts.

Use this procedure to configure virtual context primary attributes.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Primary Attributes. The Primary Attributes configuration screen appears.

Step 2 Enter the primary attributes for this virtual context as described in Table 2-1.

Step 3 Click Deploy Now to deploy this configuration on the ACE appliance.

To exit this procedure without accepting your entries, select a different configuration option.


Related Topics

Using Virtual Contexts

Configuring Virtual Context VLAN Interfaces, page 8-6

Configuring Virtual Context BVI Interfaces, page 8-15

Configuring Virtual Context Syslog Logging

Configuring Traffic Policies, page 10-1

Configuring Virtual Context Syslog Logging

The ACE appliance Device Manager uses syslog logging to send log messages to a process which logs messages to designated locations asynchronously to the processes that generated the messages.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen appears.

Step 2 Enter the syslog logging attributes in the displayed fields (see Table 2-5).

All fields that require you to select syslog severity levels use the values in Table 2-4.

Table 2-4 Syslog Logging Levels

Severity          Description
0-Emergency       Unusable system
1-Critical        Critical condition
2-Warning         Warning condition
3-Alert           Immediate action required
4-Error           Error condition
5-Notification    Normal but significant condition
6-Information     Informational message only
7-Debug           Appears only during debugging


The severity level that you specify indicates that you want syslog messages at that level and the more severe levels. For example, if you specify Error, syslog displays Error, Critical, Alert, and Emergency messages.


Note If you set all syslog levels to Debug, some commands like switchover are not processed successfully. These commands are issued via the CLI and ACE appliance Device Manager cannot parse the returned prompt if Debug level is enabled. Instead, a timeout message is displayed.

If you set syslog levels to Debug and then issue a command that results in a timeout message, click Refresh to view the result of the operation.



Note Setting all syslog levels to Debug during normal operation can degrade overall performance.


Table 2-5 Virtual Context Syslog Configuration Attributes 

Field
Description
Action

Enable Syslog

This option indicates whether syslog logging should be enabled or disabled.

Check the check box to enable syslog logging or clear the check box to disable syslog logging.

Facility

The syslog daemon uses the specified syslog facility to determine how to process the messages it receives. Syslog servers file or direct messages based on the facility number in the message.

For more information on the syslog daemon and facility levels, refer to your syslog daemon documentation.

Enter the facility appropriate for your network.

Valid entries are 16 (LOCAL0) through 23 (LOCAL7). The default for an ACE appliance is 20 (LOCAL4).

Buffered Level

This option enables system logging to a local buffer and limits the messages sent to the buffer based on severity.

Select the desired level for sending system log messages to a local buffer.

This option is disabled by default.

Console Level

This option specifies the maximum level for system log messages sent to the console.

Select the desired level for sending system log messages to the console.

This option is disabled by default.

Note Logging to the console can degrade system performance. Therefore, we recommend that you log messages to the console only when you are testing or debugging problems. Do not use this option when the network is busy, as it can reduce ACE appliance performance.

History Level

This option specifies the maximum level for system log messages sent as traps to an SNMP network management station.

Select the desired level for sending system log messages as traps to an SNMP network management station.

This option is disabled by default.

Note For more information about configuring SNMP, see Configuring SNMP Notification.

Monitor Level

This option specifies the maximum level for system log messages sent to a remote connection using Secure Shell (SSH) or Telnet on the ACE appliance.

Select the desired level for sending system log messages to a remote connection using SSH or Telnet on the ACE appliance.

This option is disabled by default.

Note You must enable remote access on the ACE appliance and establish a remote connection using the SSH or Telnet protocol from a PC for this option to work.

Persistence Level

This option specifies the maximum level for system log messages sent to Flash memory.

Select the desired level for sending system log messages to Flash memory.

This option is disabled by default.

Note We recommend that you use a lower severity level, such as 3, since logging at a high rate to Flash memory on the ACE appliance might impact performance.

Trap Level

This option specifies the maximum level for system log messages sent to a syslog server.

Select the desired level for sending system log messages to a syslog server.

This option is disabled by default.

Queue Size

This option specifies the size of the buffer for storing syslog messages received from other processes within the ACE appliance while they await processing. When the queue exceeds the specified value, the excess messages are discarded.

Enter the desired queue size.

Valid entries are from 0 to 8192 messages.

The default is 100 messages.

Enable Timestamp

This option indicates whether syslog messages should include the date and time that the message was generated.

Check the check box to enable timestamps on syslog messages or clear the check box to disable timestamps on syslog messages.

This option is disabled by default.

Enable Standby

This option indicates whether logging is enabled on the failover standby ACE appliance. When enabled:

This feature causes twice the message traffic on the syslog server.

The standby ACE appliance syslog messages remain synchronized if failover occurs.

Check the check box to enable logging on the failover standby ACE appliance or clear the check box to disable logging on the failover standby ACE appliance.

Enable Fastpath Logging

This option indicates whether connection setup and teardown messages are logged.

Check the check box to enable the logging of setup and teardown messages or clear the check box to disable the logging of setup and teardown messages.

This option is disabled by default.

Device Id Type

This option specifies the type of unique device identifier to be included in syslog messages sent to the syslog server.

The device identifier does not appear in EMBLEM-formatted messages, SNMP traps, or on the ACE appliance console, management session, or buffer.

Select the type of device identifier to be used:

Any String—Indicates that a text string is to be used to uniquely identify syslog messages sent from the ACE appliance.

Context Name—Indicates that the name of the current virtual context is to be used to uniquely identify the syslog messages sent from the ACE appliance.

Host Name—Indicates that the hostname of the ACE appliance is to be used to uniquely identify the syslog messages sent from the ACE appliance.

Interface—Indicates that the IP address of the interface is to be used to uniquely identify the syslog messages sent from the ACE appliance.

Undefined—Indicates that no identifier is to be used.

Device Interface Name

This field appears if the Device Id Type is Interface.

This option specifies the logging device interface to be used to uniquely identify syslog messages sent from the ACE appliance.

Enter a text string that uniquely identifies the logging device interface name whose ID is to be included in system messages. The maximum string length is 64 characters without spaces. Do not use the following characters: & (ampersand), ' (single quote), " (double quote), < (less than), > (greater than), or ? (question mark).

Logging Device Id

This field appears if the Device ID Type is Any String.

This option specifies the text string to be used to uniquely identify syslog messages sent from the ACE appliance.

Enter a text string that uniquely identifies the syslog messages sent from the ACE appliance. The maximum string length is 64 characters without spaces. Do not use the following characters: & (ampersand), ' (single quote), " (double quote), < (less than), > (greater than), or ? (question mark).


Step 3 Click Deploy Now to deploy this configuration on the ACE appliance. To configure other Syslog attributes for this virtual context, see:

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits


Related Topics

Configuring Virtual Contexts

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configuring Syslog Log Hosts

After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Logging), you can configure the log host, log messages, and log rate limits. The tabs for these attributes appear beneath the Syslog configuration screen.

Use this procedure to configure Syslog log hosts.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen appears.

Step 2 Select the Log Host tab. The Log Host table appears.

Step 3 Click Add to add a new log host, or select an existing log host, then click Edit to modify it. The Log Host configuration screen appears.

Step 4 In the IP Address field, enter the IP address of the host to be used as the syslog server.

Step 5 In the Protocol field, select TCP or UDP as the protocol to be used.

Step 6 In the Protocol Port field, enter the number of the port that the syslog server listens to for syslog messages. Valid entries are from 1024 to 65535; the default is 514.

Step 7 The Default UDP check box appears if TCP is selected in the Protocol field (Step 5). Check the Default UDP check box to specify that the ACE appliance is to default to UDP if the TCP transport fails to communicate with the syslog server. Clear this check box to prevent the ACE appliance from defaulting to UDP if the TCP transport fails.

Step 8 In the Format field, indicate whether EMBLEM-format logging is to be used:

N/A—Indicates that you do not want to enable EMBLEM-format logging.

Emblem—Indicates that EMBLEM-format logging is to be enabled for each syslog server. If you use Cisco Resource Manager Essentials (RME) software to collect and process syslog messages on your network, enable EMBLEM-format logging so that RME can handle them. Similarly, UDP needs to be enabled because the Cisco Resource Manager Essentials (RME) syslog analyzer supports only UDP syslog messages.

Step 9 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Log Host table.

Next to configure another syslog host.


Related Topics

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configuring Syslog Log Messages

After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Logging), you can configure the log host, log messages, and log rate limits. The tabs for these attributes appear beneath the Syslog configuration screen.

Use this procedure to configure Syslog log messages.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen appears.

Step 2 Select the Log Message tab. The Log Message table appears.

Step 3 Click Add to add a new entry to this table, or select an existing entry, then click Edit to modify it. The Log Message configuration screen appears.

Step 4 In the Message Id field, select the system log message ID of the syslog messages that are to be sent to the syslog server or that are not to be sent to the syslog server.

Step 5 Check the Enable State check box to indicate that logging is enabled for the specified message ID. Clear the check box to indicate that logging is not enabled for the specified message ID. If you check the Enable State check box, the Log Level field appears.

Step 6 In the Log Level field, select the desired level of syslog messages to be sent to the syslog server, using the levels identified in Table 2-4.

Step 7 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Log Message table.

Next to save your entries and to configure additional syslog message entries for this virtual context.


Related Topics

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Hosts

Configuring Syslog Log Rate Limits

Configuring Syslog Log Rate Limits

After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Logging), you can configure the log host, log messages, and log rate limits. The tabs for these attributes appear beneath the Syslog configuration screen.

Use this procedure to limit the rate at which the ACE appliance generates messages in the syslog.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen appears.

Step 2 Select the Log Rate Limit tab. The Log Rate Limit table appears.

Step 3 Click Add to add a new entry to this table, or select an existing entry, then click Edit to modify it. The Log Rate Limit configuration screen appears.

Step 4 In the Type field, indicate the method by which syslog messages are to be limited:

Select Level to limit syslog messages by syslog level. In the Level field, select the level of syslog messages to be sent to the syslog server, using the levels identified in Table 2-4.

Select Message to limit syslog messages by message identification number. In the Message Id field, select the syslog message ID for those messages for which you want to suppress reporting.

Step 5 Check the Unlimited check box to indicate that limits are not to be applied to system message logging. Clear the Unlimited check box to indicate that limits are to be applied to system message logging. If you clear the Unlimited check box, the Rate and Time Interval fields appear.

Step 6 If you clear the Unlimited check box, specify the limits to apply to system message logging:

a. In the Rate field, enter the number at which syslog message creation is to be limited. When this limit is reached, the ACE appliance limits the creation of new syslog messages to be no greater than the specified rate. Valid entries are integers from 0 to 2147483647.

b. In the Time Interval (Seconds) field, enter the length of time (in seconds) over which the system message logs should be limited. The default time interval is one second. For example, if you enter 42 in the Rate field and 60 in the Time Interval (Seconds) field, the ACE appliance limits the creation of syslog messages that are sent to a maximum of 42 messages in that 60-second period. Valid entries are from 0 to 2147483647 seconds.

Step 7 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Log Rate Limit table.

Next to save your entries and to add another entry to the Log Rate Limit table.
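The level semantics described under Table 2-4 (a selected level admits that level and the more severe ones) and the Rate / Time Interval semantics of this procedure (at most 42 messages in a 60-second period, in the guide's example) can be modelled on the receiving side to predict what a given configuration will let through. The model below is an added example, not ACE code; fixed-window counting and exact-level matching for a Level row are assumptions about behaviour the guide does not spell out, and the message IDs are constructed.

```python
"""Receiver-side model of the syslog controls in Table 2-4, the Trap Level row
of Table 2-5 and the Log Rate Limit procedure. Added example, not ACE code; the
fixed-window counting and exact-level matching are assumptions about behaviour
the guide does not spell out."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Severity numbers and names exactly as Table 2-4 lists them.
SEVERITY = {0: "Emergency", 1: "Critical", 2: "Warning", 3: "Alert",
            4: "Error", 5: "Notification", 6: "Information", 7: "Debug"}


def passes_level(message_level: int, configured_level: int) -> bool:
    """A configured level admits that level and every more severe (lower) one,
    so a Trap Level of 4-Error lets through levels 0 to 4 only."""
    return message_level <= configured_level


@dataclass
class RateLimit:
    """One Log Rate Limit table row, limiting by Level or by Message Id."""
    rate: int                          # messages allowed per interval
    interval: int = 1                  # seconds; the guide's default is one second
    level: Optional[int] = None        # set for a Type = Level row
    message_id: Optional[int] = None   # set for a Type = Message row
    unlimited: bool = False            # the Unlimited check box
    _window_start: float = field(default=0.0, init=False)
    _count: int = field(default=0, init=False)

    def matches(self, level: int, message_id: int) -> bool:
        """Exact-level match is an assumption; the guide only says 'by level'."""
        if self.level is not None:
            return self.level == level
        return self.message_id == message_id

    def allow(self, now: float) -> bool:
        """Admit at most `rate` messages per `interval`-second window.
        A rate of 0 with Unlimited cleared suppresses every matching message."""
        if self.unlimited:
            return True
        if now - self._window_start >= self.interval:   # start a fresh window
            self._window_start, self._count = now, 0
        if self._count >= self.rate:
            return False
        self._count += 1
        return True


@dataclass
class SyslogPolicy:
    """Trap Level plus any number of rate-limit rows, as configured per context."""
    trap_level: Optional[int] = None          # None models 'disabled by default'
    rate_limits: list[RateLimit] = field(default_factory=list)

    def emit(self, now: float, level: int, message_id: int) -> bool:
        """Decide whether a message generated at time `now` reaches the syslog server."""
        if self.trap_level is None or not passes_level(level, self.trap_level):
            return False
        for rl in self.rate_limits:
            if rl.matches(level, message_id) and not rl.allow(now):
                return False
        return True


def run_sample() -> dict[str, int]:
    """Replay a constructed burst under the guide's own example: 42 messages
    per 60-second interval at level 4-Error, with Trap Level set to 4-Error."""
    policy = SyslogPolicy(trap_level=4,
                          rate_limits=[RateLimit(rate=42, interval=60, level=4)])
    counts = {"sent": 0, "dropped_by_rate": 0, "dropped_by_level": 0}
    for i in range(50):                     # 50 Error messages inside one second
        if policy.emit(now=i * 0.02, level=4, message_id=100001):  # constructed id
            counts["sent"] += 1
        else:
            counts["dropped_by_rate"] += 1
    for i in range(10):                     # Debug noise, above the trap level
        if not policy.emit(now=1.0 + i, level=7, message_id=100002):
            counts["dropped_by_level"] += 1
    return counts


if __name__ == "__main__":
    print(run_sample())   # {'sent': 42, 'dropped_by_rate': 8, 'dropped_by_level': 10}
```

Replaying a recorded burst through this model is a quick way to check that a rate-limit row will not silence the messages an incident responder relies on.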


Related Topics

Configuring Virtual Contexts

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring SNMP for Virtual Contexts

Use this procedure to configure SNMP for use with this virtual context.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Enter SNMP attributes (see Table 2-6).

Table 2-6 SNMP Attributes 

Field
Description

Contact Information

Enter contact information for the SNMP server within the virtual context as a text string with a maximum of 240 characters including spaces. In addition to a name, you might want to include a phone number or e-mail address. To include spaces, add quotation marks at the beginning and end of the entry.

Location

Enter the physical location of the system as a text string with a maximum of 240 characters including spaces. To include spaces, add quotation marks at the beginning and end of the entry.

Trap Source Interface

Enter a valid VLAN number that identifies the interface from which the SNMP traps originate.

IETF Trap

Check the check box to indicate that the ACE appliance is to send linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus.

Clear the check box to indicate that the ACE appliance is not to send linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings. Instead, the ACE appliance sends Cisco var-binds by default.


Step 3 Click Deploy Now to deploy this configuration on the ACE appliance. To configure other SNMP attributes, see:

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification


Related Topic

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes appear below the SNMP configuration screen.


Note All SNMP communities in ACE appliance Device Manager are read-only communities and all communities belong to the group network monitors.


Use this procedure to configure SNMP version 2c communities for a virtual context.

Assumption

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Select the SNMP v2c Configuration tab. The SNMP v2c Configuration table appears.

Step 3 Click Add to add an SNMP v2c community. The SNMP v2c Configuration screen appears.


Note You cannot modify an existing SNMP v2c community. Instead, delete the existing SNMP v2c community, then add a new one.


Step 4 In the Read-Only Community field, enter the SNMP v2c community name for this context. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.

Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entry and to return to the SNMP v2c Community table.

Next to save your entry and to configure another SNMP community for this virtual context. The screen refreshes and you can enter another community name.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring SNMP Version 3 Users

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes appear below the SNMP configuration screen.

Use this procedure to configure SNMP version 3 users for a virtual context.

Assumption

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Select the SNMP v3 Configuration tab. The SNMP v3 Configuration table appears.

Step 3 Click Add to add users, or select an existing entry, then Edit to modify it. The SNMP v3 Configuration screen appears.

Step 4 Enter SNMP v3 user attributes (see Table 2-7).

Table 2-7 SNMP v3 User Configuration Attributes 

Field
Description

User Name

Enter the SNMP v3 username. Valid entries are unquoted text strings with no spaces and a maximum of 24 characters.

Authentication Algorithm

Select the authentication algorithm to be used for this user.

N/A—Indicates that no authentication is to be used.

Message Digest (MD5)—Indicates that Message Digest 5 is to be used as the authentication mechanism.

Secure Hash Algorithm (SHA)—Indicates that Secure Hash Algorithm is to be used as the authentication mechanism.

Authentication Password

Appears if you select an authentication algorithm. The ACE appliance automatically updates the password for the CLI user with the SNMP authentication password.

Enter the authentication password for this user as follows:

If the passphrase is specified in clear text, enter an unquoted text string with no spaces that is from 8 to 64 alphanumeric characters in length. The password length can be odd or even.

If use of a localized key is enabled, enter an unquoted text string with no spaces that is from 8 to 130 alphanumeric characters in length. The password length must be even.

Confirm

Appears if you select an authentication algorithm.

Reenter the authentication password.

Localized

Appears if you select an authentication algorithm.

Indicate whether the password is in localized key format for security encryption:

N/A—Indicates that this option is not configured.

False—Indicates that the password is not in localized key format for encryption.

True—Indicates that the password is in localized key format for encryption.

Privacy

Appears if you select an authentication algorithm.

Indicate whether encryption attributes are to be configured for this user:

N/A—Indicates that no encryption attributes are specified.

False—Indicates that encryption parameters are not to be configured for this user.

True—Indicates that encryption parameters are to be configured for this user.

AES 128

Appears if you set Privacy to True.

Indicate whether the 128-bit Advanced Encryption Standard (AES) algorithm is to be used for privacy. AES is a symmetric cipher and is one of the privacy protocols for SNMP message encryption.

N/A—Indicates that no standard is specified.

False—Indicates that AES 128 is not to be used for privacy.

True—Indicates that AES 128 is to be used for privacy.

Privacy Password

Appears if you set Privacy to True. Enter the user encryption password as follows:

If the passphrase is specified in clear text, enter an unquoted text string with no spaces that is from 8 to 64 alphanumeric characters in length. The password length can be odd or even.

If use of a localized key is enabled, enter an unquoted text string with no spaces that is from 8 to 130 alphanumeric characters in length. The password length must be even.

Confirm

Appears if you set Privacy to True.

Reenter the privacy password.


Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the SNMP v3 Configuration table.

Next to save your entries and to add another entry to the SNMP v3 Configuration table. The screen refreshes and you can enter another SNMP v3 user.
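Table 2-7 distinguishes a clear-text passphrase from a localized key. The following added example (not from the guide or the ACE software) shows how a localized key is derived from a passphrase and the agent's snmpEngineID under RFC 3414, using the RFC's own Appendix A test vector as constructed input, and checks a value against the length rules the table states. The helper names are the example's own:

```python
import hashlib
import re

# Constructed sample values. The passphrase and engine ID are the RFC 3414
# Appendix A test vector so the derivation can be checked against known output.
SAMPLE_PASSPHRASE = "maplesyrup"
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")

_DIGESTS = {"md5": hashlib.md5, "sha": hashlib.sha1}   # the two algorithms the GUI offers


def password_to_key(passphrase: str, algorithm: str = "sha") -> bytes:
    """Ku: digest of the passphrase repeated out to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("empty passphrase")
    h = _DIGESTS[algorithm]()
    remaining = 1_048_576
    block = pw * (8192 // len(pw) + 1)      # whole repetitions, so the cycle stays aligned
    while remaining > 0:
        piece = block[:remaining]
        h.update(piece)
        remaining -= len(piece)
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): ties the key to one engine (RFC 3414 2.6).

    A localized key copied out of one device's configuration is useless against
    an agent with a different engine ID, which is the point of localization.
    """
    return _DIGESTS[algorithm](ku + engine_id + ku).digest()


def localized_key_hex(passphrase: str, engine_id: bytes, algorithm: str = "sha") -> str:
    """Hex form of Kul, the even-length string the Localized=True fields expect."""
    return localize_key(password_to_key(passphrase, algorithm), engine_id, algorithm).hex()


def valid_password_field(value: str, localized: bool) -> bool:
    """Apply Table 2-7's rules: clear text is 8..64 alphanumerics of any length;
    localized is 8..130 alphanumerics of even length. No spaces or quotes either way."""
    if not re.fullmatch(r"[A-Za-z0-9]+", value):
        return False
    if localized:
        return 8 <= len(value) <= 130 and len(value) % 2 == 0
    return 8 <= len(value) <= 64


if __name__ == "__main__":
    for alg in ("md5", "sha"):
        kul = localized_key_hex(SAMPLE_PASSPHRASE, SAMPLE_ENGINE_ID, alg)
        print(alg, kul, "valid field:", valid_password_field(kul, localized=True))
```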


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring SNMP Trap Destination Hosts

To receive SNMP notifications you must configure:

At least one SNMP trap destination host. This section describes how to do this.

At least one type of notification. See Configuring SNMP Notification.

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes appear below the SNMP configuration screen.

Use this procedure to configure SNMP trap destination hosts for a virtual context.

Assumption

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Select the Trap Destination Host tab. The Trap Destination Host table appears.

Step 3 Click Add to add a host, or select an existing entry in the table, then Edit to modify it. The Trap Destination Host configuration screen appears.

Step 4 Configure the SNMP trap destination host using the information in Table 2-8.

Table 2-8 SNMP Trap Destination Host Configuration Attributes 

Field
Description

IP Address

Enter the IP address of the server that is to receive SNMP notifications. Enter the address in dotted-decimal format, such as 192.168.11.1.

Port

Enter the port to be used for SNMP notification. The default port is 162.

Version

Select the version of SNMP used to send traps:

V1—Indicates that SNMP version 1 is to be used to send traps. This option is not available for use with SNMP inform requests.

V2c—Indicates that SNMP version 2c is to be used to send traps.

V3—Indicates that SNMP version 3 is to be used to send traps. This version is the most secure model because it allows packet encryption.

Community

Enter the SNMP community string or username to be sent with the notification operation. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.

Security Level

This field appears if V3 is the selected version.

Select the level of security that is to be implemented:

Auth—Indicates that Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) is to be used for packet authentication without encryption (the authNoPriv security level).

Noauth—Indicates that the noAuthNoPriv security level is to be used: neither authentication nor encryption.

Priv—Indicates that packets are authenticated and that Data Encryption Standard (DES) is to be used for packet encryption (the authPriv security level).


Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Trap Destination Host table.

Next to save your entries and to add another entry to the Trap Destination Host table. The screen refreshes and you can add another trap destination host.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Notification

Configuring SNMP Notification

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes appear below the SNMP configuration screen.

To receive SNMP notifications you must configure:

At least one SNMP trap destination host. See Configuring SNMP Trap Destination Hosts.

At least one type of notification. This section describes how to do this.

Use this procedure to configure SNMP notification for a virtual context.

Assumptions

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

At least one SNMP server host has been configured (see Configuring SNMP Trap Destination Hosts).

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Select the SNMP Notification tab. The SNMP Notification table appears.

Step 3 Click Add to add a new entry. The SNMP Notification configuration screen appears.


Note You cannot modify an existing entry. Instead, delete the existing notification entry, then add a new one.


Step 4 In the Options field, select the type of notifications to be sent to the SNMP host. Some options are available only in the Admin context.

License—SNMP license notifications are to be sent. This option is available only in the Admin context.

SLB—Server load-balancing notifications are to be sent.

SLB Real Server—Notifications of real server state changes are to be sent.

SLB Virtual Server—Notifications of virtual server state changes are to be sent.

SNMP—SNMP notifications are to be sent.

SNMP Authentication—Notifications of incorrect community strings in SNMP requests are to be sent.

SNMP Cold-Start—SNMP agent restart notifications are to be sent after a cold restart (full power cycle) of the ACE. This option is available only in the Admin context.

SNMP Link-Down—Notifications are to be sent when a VLAN interface is down.

SNMP Link-Up—Notifications are to be sent when a VLAN interface is up.

Syslog—Error message notifications (Cisco Syslog MIB) are to be sent.

Virtual Context—Virtual context notifications are to be sent.

Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your selection and to return to the SNMP Notification table.

Next to save your entries and to add another entry to the SNMP Notification table. The screen refreshes and you can select another SNMP notification option.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring Virtual Context Global Traffic Policies

With the ACE appliance Device Manager, you can apply traffic policies to a specific VLAN interface or to all VLAN interfaces in the same virtual context.

Use this procedure to apply a policy to all VLAN interfaces in the selected context.

To apply a policy to a specific VLAN, see Configuring Traffic Policies, page 10-1.


Note You cannot modify an existing policy. Instead, delete the existing global policy, then create a new one.


Assumption

A Layer 3/Layer 4 or Management policy map has been configured for this virtual context. For more information, see Configuring Virtual Context Policy Maps, page 10-32.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Global Policies. The Global Policies table appears.

Step 2 Click Add to add a new global policy. The Global Policies configuration screen appears.


Note You cannot modify an existing policy. Instead, delete the existing global policy, then create a new one.


Step 3 In the Policy Maps field, select the policy map that you want to apply to all VLANs in this context.

Step 4 In the Direction field, verify that the policy is being applied to incoming communications.

Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Global Policies table.

Next to save your entries and to configure another global policy for this context.


Related Topics

Using Virtual Contexts

Configuring Virtual Context Primary Attributes

Configuring Virtual Context VLAN Interfaces, page 8-6

Configuring Virtual Context Syslog Logging

Configuring Traffic Policies, page 10-1

Managing ACE Appliance Licenses


Note This functionality is available for only Admin contexts.


Cisco Systems offers licenses for ACE appliances that let you increase performance throughput, the number of default contexts, SSL TPS (transactions per second), HTTP compression performance, and application acceleration and optimization. For more information on these licenses, refer to the Cisco 4700 Series Application Control Engine Appliance Administration Guide on cisco.com.

You can view, install, remove, or update ACE appliance licenses using the ACE appliance Device Manager.

Installing or updating an ACE appliance license involves two processes:

Copying the license from a remote network server to the disk0: file system in Flash memory on the ACE appliance.

Installing or updating the license on the ACE appliance.

You can use the ACE appliance Device Manager to perform both processes from a single dialog box. If you previously copied the license to disk0: on the ACE by using the copy CLI command, you can use this dialog box to install the new license or upgrade license on your ACE.

Related Topics

Viewing ACE Appliance Licenses

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Viewing ACE Appliance Licenses


Note This functionality is available for only Admin contexts.


Use this procedure to view the licenses that are currently installed on an ACE appliance.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Context table appears.

Step 2 Select the Admin context whose ACE appliance licenses you want to view, then click System > Licenses. The Licenses table appears listing all installed licenses.


Related Topics

Managing ACE Appliance Licenses

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Installing ACE Appliance Licenses


Note This functionality is available for only Admin contexts.


Use this procedure to copy and install a new or upgrade ACE appliance license from a remote server onto the ACE appliance.

Assumption

You have received the proper software license key for the ACE appliance.

ACE appliance licenses are available on a remote server for importing to the ACE appliance, or you have received the software license key and have copied the license file to the disk0: filesystem on the ACE appliance using the copy disk0: CLI command.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the Admin context you want to import and install a license for, then click System > Licenses. The Licenses table appears listing all installed licenses.

Step 3 Click Install License. The Copy a License File and Install It On The ACE dialog box appears.

Step 4 If the license currently exists on the ACE appliance disk0: file system in Flash memory, leave the License needs to be copied to disk0:? check box unchecked. Proceed to Step 10.

Step 5 If the update license must be copied to the disk0: file system in Flash memory, check the License needs to be copied to disk0:? check box. Proceed to Step 6.

Step 6 In the Protocol field, select the protocol to be used to import the license file from the remote server to the ACE appliance:

If you select FTP, the User and Password fields appear. Continue with Step 7.

If you select SFTP, the User and Password fields appear. Continue with Step 7.

If you select TFTP, continue with Step 8.

Step 7 If you select FTP or SFTP:

a. In the User field, enter the username of the account on the network server.

b. In the Password field, enter the password for the user account. Reenter the password in the Confirm field.

Step 8 In the Source File Name field, enter the host IP address, path, and filename of the license file on the remote server in the format host-ip/path/filename where:

host-ip represents the IP address of the remote server.

path represents the directory path of the license file on the remote server.

filename represents the filename of the license file on the remote server.

For example, your entry might resemble 192.168.11.2/usr/bin/ACE-VIRT-020.lic.

Step 9 In the Destination field, enter the location where you want the license file to reside on the ACE appliance in preparation for installation or updating. The default location is disk0:.

Step 10 In the User-Specified Name for the License file: field, enter the name that you would like to use for this license file, such as myACE-AP-VIRT-020.lic.

Step 11 Click:

OK to accept your entries and to copy the file from the remote server to the ACE appliance and then install it.

Cancel to exit this procedure without copying the file from the remote server and to return to the Licenses table.


Related Topics

Managing ACE Appliance Licenses

Viewing ACE Appliance Licenses

Updating ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Updating ACE Appliance Licenses


Note This functionality is available for only Admin contexts.


ACE appliance Device Manager allows you to convert demonstration licenses to permanent licenses and to upgrade permanent licenses to increase the number of virtual contexts.

Use this procedure to install ACE appliance update licenses.

Assumption

You have received the proper update software license for the ACE appliance.

ACE appliance licenses are available on a remote server for importing to the ACE appliance, or you have received the update software license and have copied the license file to the disk0: filesystem on the ACE appliance using the copy disk0: CLI command.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the Admin context with the license you want to update, then click System > Licenses. The Licenses table appears listing all installed licenses.

Step 3 Select the license to be updated, then click Update. The Update License On The ACE dialog box appears.

Step 4 If the update license currently exists on the disk0: file system in Flash memory in the ACE (perhaps by using the copy disk0: CLI command), perform the following sequence:

a. Leave the Update License needs to be copied to disk0:? check box unchecked.

b. In the License File Name field, enter the name of the update license file on disk0:.

Step 5 If the update license must be copied to the disk0: file system in Flash memory, check the Update License needs to be copied to disk0:? check box. Proceed to Step 6.

Step 6 In the Protocol field, select the protocol to be used to import the license file from the remote server to the ACE appliance:

If you select FTP, the User and Password fields appear. Continue with Step 7.

If you select SFTP, the User and Password fields appear. Continue with Step 7.

If you select TFTP, continue with Step 8.

Step 7 If you select FTP or SFTP:

a. In the User field, enter the username of the account on the network server.

b. In the Password field, enter the password for the user account. Reenter the password in the Confirm field.

Step 8 In the Source File Name field, enter the host IP address, path, and filename of the license file on the remote server in the format host-ip/path/filename where:

host-ip represents the IP address of the remote server.

path represents the directory path of the license file on the remote server.

filename represents the filename of the license file on the remote server.

For example, your entry might resemble 192.168.11.2/usr/bin/ACE-VIRT-020.lic.

Step 9 In the Destination field, enter the location where you want the license file to reside on the ACE appliance in preparation for installation or updating. The default location is disk0:.

Step 10 Click:

OK to update the license and to return to the Licenses table. The Licenses table displays the updated information.

Cancel to exit this procedure without updating the license and to return to the Licenses table.


Related Topics

Managing ACE Appliance Licenses

Viewing ACE Appliance Licenses

Installing ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Uninstalling ACE Appliance Licenses


Note This functionality is available for only Admin contexts.



Caution Removing licenses can affect an ACE appliance's bandwidth or performance. For detailed information on the effect of license removal on your ACE appliance, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Use this procedure to remove ACE appliance licenses.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the Admin context with the license you want to remove, then click System > Licenses. The Licenses table appears listing all installed licenses.

Step 3 Select the license to be removed.

Step 4 Click Uninstall. A window appears, asking you to confirm the license removal process.


Note Removing licenses can affect the number of contexts, ACE appliance bandwidth, or SSL TPS (transactions per second). Be sure you understand the effect of removing the license on your environment before continuing.


Step 5 Click OK to confirm the removal or Cancel to stop the removal process.

If you click OK, a status window appears with the status of license removal. When the license has been removed, the Licenses table refreshes without the deleted license.


Related Topics

Managing ACE Appliance Licenses

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Viewing ACE Appliance Licenses

Displaying License Configuration and Statistics

Displaying License Configuration and Statistics


Note This functionality is available for only Admin contexts.


Use this procedure to view information about ACE appliance licenses.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the Admin context with the license information you want to view, then select System > Licenses. The Licenses table appears listing all installed licenses.

Step 3 Select the license with the information you want to view, then click Status. The Show License Status window appears with the following information:

Compression performance in megabits or gigabits per second

Application acceleration and optimization in the number of concurrent connections

SSL transactions per second

Number of supported virtual contexts

ACE appliance bandwidth in gigabits per second

Step 4 Click Close when you finish viewing the information.


Related Topics

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Managing Resource Classes

Resource classes are the means by which you manage virtual context access to ACE appliance resources, such as concurrent connections or bandwidth rate. ACE appliances are preconfigured with a default resource class that is applied to the Admin context and any user context upon creation. The default resource class is configured to allow a context to operate within a range that can vary from no resource access (0%) to complete resource access (100%). When you use the default resource class with multiple contexts, you run the risk of oversubscribing ACE appliance resources. This means that the ACE appliance permits all contexts to have full access to all resources on a first-come, first-served basis. When a resource is utilized to its maximum limit, the ACE appliance denies additional requests made by any context for that resource.

To avoid oversubscribing resources and to help guarantee access to a resource by any context, you can create customized resource classes that you associate with one or more contexts. A context becomes a member of the resource class when you make the association. Creating a resource class allows you to set limits on the minimum and maximum amounts of each ACE appliance resource that a member context is entitled to use. You define the minimum and maximum values as a percentage of the whole. For example, you can create a resource class that allows its member contexts access to no less than 25% of the total number of SSL connections that the ACE appliance supports.

You can limit and manage the allocation of the following ACE appliance resources:

ACL memory

Application acceleration connections

Buffers for syslog messages and TCP out-of-order (OOO) segments

Concurrent connections (through-the-ACE traffic)

Management connections (to-the-ACE traffic)

HTTP compression percentage

Proxy connections

Set resource limit as a rate (number per second)

Regular expression (regexp) memory

SSL connections

Sticky entries

Static or dynamic network address translations (Xlates)

Table 2-9 identifies and defines the resources that you can establish for resource classes.

Resource Allocation Constraints


Note This functionality is available for only Admin contexts.


The following resources are critical for maintaining connectivity to the Admin context:

Rate Bandwidth

Rate Management Traffic

Rate SSL Connections

Rate Connections

Management Connections

Concurrent Connections


Caution If you allocate 100% of these resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost.

We recommend that you create a resource class specifically for the Admin context and apply it to the context so that you can maintain IP connectivity.

Table 2-9 Resource Class Attributes 

Resource
Definition

All

Limits all resources to the specified value for all contexts assigned to this resource class, except for management traffic bandwidth. Management traffic bandwidth remains at the default values until you explicitly configure a minimum value for management traffic.

Acceleration Connections

Percentage of application acceleration connections.

ACL Memory

Percentage of memory allocated for ACLs.

Concurrent Connections

Percentage of simultaneous connections.

Note If you consume all Concurrent Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

HTTP Compression

Percentage of compression for HTTP data.

Management Connections

Percentage of management connections.

Note If you consume all Management Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Proxy Connections

Percentage of proxy connections.

Regular Expressions

Percentage of regular expression memory.

Sticky

Percentage of entries in the sticky table.

Note You must configure a minimum value for sticky to allocate resources for sticky entries; the sticky software receives no resources under the unlimited setting.

Xlates

Percentage of network and port address translations entries.

Buffer Syslog

Percentage of the syslog buffer.

Rate Inspect Connection

Percentage of application protocol inspection connections for FTP and RTSP.

Rate Bandwidth

Percentage of context throughput. This attribute limits the total ACE throughput in bytes per second for one or more contexts.

Note If you consume all rate bandwidth by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

The maximum bandwidth rate per context is determined by your bandwidth license. By default, the ACE supports 1 gigabit per second (Gbps) appliance throughput. You can upgrade the ACE with an optional 2-Gbps bandwidth license. When you configure a minimum bandwidth value for a resource class in the ACE, the ACE subtracts that configured value from the total bandwidth maximum value of all contexts in the ACE, regardless of the resource class with which they are associated. The total bandwidth rate of a context consists of the following two components:

Throughput—Limits through-the-ACE traffic. This is a derived value (you cannot configure it directly) and it is equal to the bandwidth rate minus the mgmt-traffic rate for the 1-Gbps and 2-Gbps licenses.

Management Traffic—Limits management (to-the-ACE) traffic in bytes per second. To guarantee a minimum amount of management traffic bandwidth, you must explicitly allocate a minimum percentage to management traffic using the Resource Classes table (Config > Virtual Contexts > admin context > System > Resource Class). When you allocate a minimum percentage of bandwidth to management traffic, the ACE subtracts that value from the maximum available management traffic bandwidth for all contexts in the ACE.

Rate Connections

Percentage of connections of any kind.

Note If you consume all Rate Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Rate Management Traffic

Percentage of management traffic connections.

Note If you consume all Rate Management Traffic by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Rate SSL Connections

Percentage of SSL connections.

Note If you consume all Rate SSL Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Rate Syslog

Percentage of syslog messages per second.

Rate MAC Miss

Percentage of messages destined for the ACE appliance that are sent to the control plane because the packet encapsulation is not correct.
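The constraints above and the notes in Table 2-9 come down to one arithmetic check: the minimums reserved by every member context add up per resource, and if user contexts reserve all of a critical resource while the Admin context has no guaranteed share, Admin connectivity is at risk. The following added example (not the guide's or the ACE software's own code) implements that check over two constructed layouts; it assumes, as the Rate Bandwidth description states for bandwidth, that each member context reserves its class minimum, and the class and context names are invented:

```python
from decimal import Decimal
from typing import Dict, List, NamedTuple

# Resources the page lists as critical for keeping connectivity to the Admin context.
CRITICAL_RESOURCES = (
    "Rate Bandwidth", "Rate Management Traffic", "Rate SSL Connections",
    "Rate Connections", "Management Connections", "Concurrent Connections",
)
HUNDRED = Decimal("100")


class ResourceClass(NamedTuple):
    name: str
    minimums: Dict[str, Decimal]    # resource -> guaranteed minimum percent


def pct(value: str) -> Decimal:
    """Parse a percentage the way the Min. field accepts it: 0..100 in 0.01 steps."""
    d = Decimal(value)
    if not 0 <= d <= HUNDRED or d != d.quantize(Decimal("0.01")):
        raise ValueError(f"invalid percentage {value!r}")
    return d


def reserved_totals(classes, assignments, exclude=()) -> Dict[str, Decimal]:
    """Sum each resource's minimum over every assigned context (skipping `exclude`)."""
    by_name = {c.name: c for c in classes}
    totals: Dict[str, Decimal] = {}
    for ctx, cls_name in assignments.items():
        if ctx in exclude:
            continue
        for res, minimum in by_name[cls_name].minimums.items():
            totals[res] = totals.get(res, Decimal(0)) + minimum
    return totals


def find_problems(classes, assignments, admin="Admin") -> List[str]:
    """Flag oversubscribed minimums and critical resources fully reserved by user contexts."""
    by_name = {c.name: c for c in classes}
    problems = []
    for res, total in reserved_totals(classes, assignments).items():
        if total > HUNDRED:
            problems.append(f"{res}: minimums add up to {total}%, exceeding 100%")
    admin_min = by_name[assignments[admin]].minimums if admin in assignments else {}
    user_totals = reserved_totals(classes, assignments, exclude=(admin,))
    for res in CRITICAL_RESOURCES:
        user_share = user_totals.get(res, Decimal(0))
        if user_share >= HUNDRED and admin_min.get(res, Decimal(0)) == 0:
            problems.append(f"{res}: user contexts reserve {user_share}% and "
                            f"{admin} has no guaranteed share")
    return problems


# Constructed sample 1: a "gold" class guaranteeing 50% of two critical resources,
# applied to two user contexts; Admin stays in the default class (no minimum).
RISKY_CLASSES = [
    ResourceClass("default", {}),
    ResourceClass("gold", {"Rate Bandwidth": pct("50"), "Concurrent Connections": pct("50")}),
]
RISKY_ASSIGNMENTS = {"Admin": "default", "ctxA": "gold", "ctxB": "gold"}

# Constructed sample 2: the page's recommendation, a class reserved for Admin.
SAFE_CLASSES = [
    ResourceClass("admin-reserve", {r: pct("10") for r in CRITICAL_RESOURCES}),
    ResourceClass("gold", {"Rate Bandwidth": pct("45"), "Concurrent Connections": pct("45")}),
]
SAFE_ASSIGNMENTS = {"Admin": "admin-reserve", "ctxA": "gold", "ctxB": "gold"}

if __name__ == "__main__":
    for line in find_problems(RISKY_CLASSES, RISKY_ASSIGNMENTS):
        print("WARNING:", line)
    print("safe layout problems:", find_problems(SAFE_CLASSES, SAFE_ASSIGNMENTS))
```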


Related Topics

Adding Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Adding Resource Classes


Note This functionality is available for only Admin contexts.


Resource classes are used when provisioning services, establishing virtual contexts, managing devices, and monitoring virtual context resource consumption.

Defining a resource class does not automatically apply it to a context. New resource classes are applied only when a resource class is assigned to a virtual context.


Caution If you allocate 100% of the resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost. For more information, refer to Resource Allocation Constraints.

Use this procedure to create a new resource class.

Procedure


Step 1 Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table appears.

Step 2 Click Add to create a new resource class. The New Resource Class configuration screen appears.

Step 3 In the Name field, enter a unique name for this resource class. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Step 4 To use the same values for each resource, enter the following information in the All row: (See Table 2-9 for a description of the resources.)

a. In the Min. field, enter the minimum percentage of each resource you want to allocate to this resource class. Valid entries are numbers from 0 to 100 including those with decimals in increments of .01.

b. In the Max. field, select the maximum percentage of each resource you want to allocate to this resource class:

Equal To Min.—Indicates that the maximum percentage allocated for each resource is equal to the minimum specified in the Min. field.

Unlimited—Indicates that there is no upper limit on the percentage of each resource that can be allocated for this resource class.

Step 5 To use different values for the resources, for each resource, select the method for allocating resources:

Select Default to use the values specified in Step 4.

Select Min. to enter a specific minimum value for the resource.

Step 6 If you select Min.:

a. In the Min. field, enter the minimum percentage of this resource you want to allocate to this resource class. For example, for ACL memory, you would enter 10 in the Min. field to indicate that you want to allocate a minimum of 10% of the available ACL memory to this resource class.

b. In the Max. field, select the maximum percentage of the resource you want to allocate to this resource class:

Equal To Min.—Indicates that the maximum percentage allocated for this resource is equal to the minimum specified in the Min. field.

Unlimited—Indicates that there is no upper limit on the percentage of the resource that can be allocated for this resource class.

Step 7 When you finish allocating the resources for this resource class, click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.

Step 8 If you click Deploy Now, the ACE appliance Device Manager displays the number of virtual contexts that can be supported using this resource class in the Maximum VC column. To support more or fewer virtual contexts, select the resource class, click Edit, and modify it as described in this procedure.
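The allocation rules in this procedure and in Resource Allocation Constraints can be checked before you deploy a class. The following Python model is an added illustration, not part of this guide and not the Device Manager's own code: each context in a class reserves its Min. percentage of every resource, a resource left at Default uses the All row, and the Maximum VC count is the number of contexts that still fit in the unreserved part of the most constrained resource. The resource names, the Decimal granularity check and the simple subtraction model are assumptions made for the example; the model also reports which resources would reach 100%, the condition the Caution above warns about.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional

# Resources from Table 2-9 that this section discusses (names abbreviated for the example).
RESOURCES = ("acl_memory", "rate_bandwidth", "rate_mgmt_traffic", "rate_connections",
             "rate_ssl_connections", "rate_syslog", "rate_mac_miss")
STEP = Decimal("0.01")   # Min. values are percentages in increments of .01


@dataclass
class ResourceClass:
    name: str
    all_min: Decimal = Decimal(0)                                # Min. in the All row (Step 4)
    overrides: Dict[str, Decimal] = field(default_factory=dict)  # per-resource Min. (Step 6)

    def minimum(self, resource: str) -> Decimal:
        """Guaranteed percentage of one resource for each context in this class.
        A resource left at Default uses the All row value."""
        value = self.overrides.get(resource, self.all_min)
        if not (0 <= value <= 100) or value.quantize(STEP) != value:
            raise ValueError(f"{resource}: {value} is not a percentage in .01 steps")
        return value


def max_contexts(rc: ResourceClass, reserved: Dict[str, Decimal]) -> Optional[int]:
    """Contexts this class can still support, given the minimums other contexts already
    reserve (assumed model: each context subtracts its Min. from the 100% of every resource)."""
    limits = []
    for r in RESOURCES:
        need = rc.minimum(r)
        if need > 0:
            limits.append(int((Decimal(100) - Decimal(str(reserved.get(r, 0)))) // need))
    return min(limits) if limits else None   # None: nothing guaranteed, so no count limit


def starved_resources(rc: ResourceClass, contexts: int,
                      reserved: Dict[str, Decimal]) -> List[str]:
    """Resources whose guaranteed allocation would reach 100%, leaving none for the Admin context."""
    return [r for r in RESOURCES
            if Decimal(str(reserved.get(r, 0))) + rc.minimum(r) * contexts >= 100]


# Constructed sample: a class guaranteeing 10% of everything and 20% of connections, on an ACE
# where other classes already guarantee 30% of the connection rate.
WEB = ResourceClass("web", Decimal("10"), {"rate_connections": Decimal("20")})
ALREADY_RESERVED = {"rate_connections": Decimal("30")}

if __name__ == "__main__":
    print("Maximum VC for web:", max_contexts(WEB, ALREADY_RESERVED))
    print("Resources exhausted with 4 web contexts:",
          starved_resources(WEB, 4, ALREADY_RESERVED))
```

With the sample values the connection rate is the limiting resource (70% free, 20% per context, so three contexts), and a fourth context would push the guaranteed connection rate past 100%, which is exactly the situation in which the Admin context loses connectivity.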


Related Topics

Managing Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Modifying Resource Classes


Note This functionality is available for only Admin contexts.


When you modify a resource class, the ACE appliance Device Manager applies the changes to every virtual context associated with the resource class, both the contexts already associated with it and those you associate with it later.


Caution If you allocate 100% of the resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost. For more information, refer to Resource Allocation Constraints.

Use this procedure to modify an existing resource class.


Note You cannot modify the default resource class.


Procedure


Step 1 Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table appears.

Step 2 Select the resource class you want to modify, then click Edit. The Edit Resource Class configuration screen appears.

Step 3 Modify the fields as desired. For details on setting values, see Adding Resource Classes. For descriptions of the resources, see Table 2-9.

Step 4 When you finish allocating the resources for this resource class, click:

Deploy Now to deploy this configuration on the ACE appliance. The configuration screen refreshes and the Max. Provisionable field beneath the Name field indicates the number of virtual contexts that can be supported using this resource allocation. When you are satisfied with the resource allocation and have saved your entries, click Cancel to return to the Resource Classes table.

Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.

The ACE appliance Device Manager applies all changes to the virtual contexts that use this resource class.


Related Topics

Managing Resource Classes

Adding Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Deleting Resource Classes


Note This functionality is available for only Admin contexts.


Use this procedure to remove resource classes from the ACE appliance Device Manager database.


Note When you remove a resource class from the ACE appliance Device Manager, any virtual contexts that were associated with this resource class automatically become members of the default resource class. The default resource class allocates a minimum of 0.00% to a maximum of 100.00% of all ACE appliance resources to each context. You cannot modify the default resource class.


Because of the impact of resource class deletion on virtual contexts, we recommend that you view a resource class's current deployment before deleting it. See Viewing Resource Class Use on Virtual Contexts.

Procedure


Step 1 Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table appears.

Step 2 Select the resource class you want to remove, then click Delete. A window appears, asking you to confirm the deletion.

Step 3 Click OK to continue deleting the resource class, or click Cancel to keep the resource class.

The Resource Classes table refreshes with the updated information.


Related Topics

Managing Resource Classes

Adding Resource Classes

Modifying Resource Classes

Viewing Resource Class Use on Virtual Contexts

Viewing Resource Class Use on Virtual Contexts


Note This functionality is available for only Admin contexts.


Use this procedure to view a list of all virtual contexts using a selected resource class.

Procedure


Step 1 Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table lists the number of virtual contexts using each resource class in the second column.

Step 2 Select the resource class whose usage you want to view, then click Virtual Contexts. The Virtual Contexts Using Resource Class table appears, listing the associated contexts.

Step 3 Click Cancel to return to the Resource Classes table.


Related Topics

Managing Resource Classes

Adding Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Configuring Security with ACLs

An ACL (access control list) consists of a series of statements called ACL entries that collectively define the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the parts of your network specified in the entry. Besides an action element ("permit" or "deny"), each entry also contains a filter element based on criteria such as source address, destination address, protocol, or protocol-specific parameters. An implicit "deny all" entry exists at the end of every ACL, so you must configure an ACL on every interface where you want to permit connections. Otherwise, the ACE denies all traffic on the interface.

ACLs provide basic security for your network by allowing you to control network connection setups rather than processing each packet. Such ACLs are commonly referred to as security ACLs.

You can configure ACLs as parts of other features; for example, security, network address translation (NAT), or server load balancing (SLB). The ACE merges these individual ACLs into one large ACL called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can result in multiple actions. You can add, modify, or delete entries to an ACL already in the summary table, or add a new ACL to the list.

When you use ACLs, you may want to permit all e-mail traffic on a circuit, but block FTP traffic. You can also use ACLs to allow one client to access a part of the network and prevent another client from accessing that same area.

When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface. Applying an ACL on an interface assigns the ACL and its entries to that interface.

You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces. You can apply EtherType ACLs in only the inbound direction and on only Layer 2 interfaces.


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


For specific procedures, see:

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Resequencing Extended ACLs

Viewing All ACLs by Context

Editing or Deleting ACLs

Creating ACLs


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


Use this procedure to create, modify, or delete ACLs.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACL summary table appears, listing the existing ACLs. ACL summary fields are described in Table 2-10.

Table 2-10 ACL Summary Table 

Field
Description

Name

Enter a unique identifier for the ACL. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.

Type

Specifies the type of ACL:

Extended—allows you to specify both the source and the destination IP addresses of traffic as well as the protocol and the action to be taken. For more information see "Setting Extended ACL Attributes".

Ethertype—This ACL controls network access for non-IP traffic based on its EtherType. An EtherType is a sub-protocol identifier. For more information see "Setting EtherType ACL Attributes".

Line Number

ACL line number for extended type ACL entries.

Action

Action to be taken (permit/deny).

Protocol

Protocol number or service object group to apply to this ACL entry.

Source

Source IP address (with the source netmask and port number, if configured, for an extended ACL) or the source network object group, if configured, that this ACL entry applies to.

Destination

Destination IP address (with the destination netmask and port number, if configured, for an extended ACL) or the destination network object group, if configured, that this ACL entry applies to.

ICMP

Indicates whether or not this ACL uses ICMP (Internet Control Message Protocol). For more information, see "Protocol Names and Numbers".

Interface(s)

VLAN interface(s) associated with this ACL, for example <4,5:4>, where < denotes the input direction and > denotes the output direction.

Remark

Enter any comments you want to include for this ACL. Valid entries are unquoted text strings with a maximum of 100 characters. You can enter leading spaces at the beginning of the text or special characters. Trailing spaces are ignored.


Step 2 From the summary table, perform one of the following:

To view full details of an ACL inline, click the plus sign to the left of any table entry.

To create an ACL click the Add icon.

To modify an ACL, select the radio button to the left of any table entry, then click the Edit icon.

To delete an ACL, select the radio button to the left of any table entry, then click the Delete icon.

If you choose create, the New Access List screen appears.

If you choose modify, the Edit ACL or Edit ACL entry screen appears based on the selected radio button to the left of any table entry.

Step 3 Add or edit required fields as described in Table 2-11.

Table 2-11 ACL Configuration Attributes 

Field
Description

ACL Properties

Includes name, type (Extended, Ethertype), remarks. For more information see "ACL Summary Table".

ACL Entries

Entry Attributes

Includes line number, action and protocol/service object group drop down descriptor menu.

Source

Source IP address (with the source netmask and port number, if configured, for an extended ACL) or the source network object group, if configured, that this ACL entry applies to.

Destination

Destination IP address (with the destination netmask and port number, if configured, for an extended ACL) or the destination network object group, if configured, that this ACL entry applies to.

Add To Table button

Used to add multiple ACL entries, adding one at a time using this button, before clicking Deploy. In the past only one entry could be added at a time in a two-step process hopping between two different locations in the UI.

Remove From Table button

Used to remove multiple ACL entries, removing one at a time using this button, before clicking Deploy.

Interfaces

Input/Output Direction

Currently Assigned (ACL:Direction)

Allows you to associate the ACL with one or more interfaces, allowing only one input and one output ACL for each interface. The top left checkbox under the Interfaces section selects all interfaces and applies the ACL to them as "access-group input".

Deploy button

Allows deployment of newly created ACL entries along with VLAN interface assignments that were configured.

Cancel button

Exits without saving your entries.



Note To add, modify, or delete Object Groups go to the "Configuring Object Groups" section.


Step 4 Click:

Deploy to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the ACLs table.


Related Topics

Configuring Security with ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Setting Extended ACL Attributes


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


An extended ACL allows you to specify both the source and the destination IP addresses of traffic as well as the protocol and the action to be taken.

For TCP, UDP, and ICMP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.


Note The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do not specify the ports in an extended ACL.


Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.

Step 2 Click Add. The New Access List configuration screen appears.

Step 3 Enter the ACL name in the ACL Properties pane and choose the type as Extended.

Step 4 Configure extended ACL entries using the information in Table 2-12.

Table 2-12 Extended ACL Configuration Options 

Field
Description

Entry Attributes

Line Number

Enter a number that specifies the position of this entry in the ACL. The position of an entry affects the lookup order of the entries in an ACL. To change the sequence of existing extended ACLs, see Resequencing Extended ACLs.

Action

Action to be taken (permit/deny).

Service Object Group

Select a service object group to apply to this ACL.

Protocol

Select the protocol or protocol number to apply to this ACL entry. Table 2-13 lists common protocol names and numbers.

Source

Source Network

Defines the network traffic being received from the source network to the ACE:

Any—Select the Any radio button to indicate that network traffic from any source is allowed.

IP/Netmask—Use this field to limit access to a specific source IP address. Enter the source IP address that is allowed for this ACL. Enter a specific source IP address and select its subnet mask.

Network Object Group—Select a source network object group to apply to this ACL.

Source Port Operator

This field appears if you select TCP or UDP in the Protocol field.

Select the operand to use to compare source port numbers:

Equal To—The source port must be the same as the number in the Source Port Number field.

Greater Than—The source port must be greater than the number in the Source Port Number field.

Less Than—The source port must be less than the number in the Source Port Number field.

Not Equal To—The source port must not equal the number in the Source Port Number field.

Range—The source port must be within the range of ports specified by the Lower Source Port Number field and the Upper Source Port Number field.

Source Port Number

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Source Port Operator field.

Enter the port name or number from which you want to permit or deny access.

Lower Source Port Number

This field appears if you select Range in the Source Port Operator field.

Enter the number of the lowest port from which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Source Port Number field.

Upper Source Port Number

This field appears if you select Range in the Source Port Operator field.

Enter the port number of the upper port from which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Source Port Number field.

Destination

Destination Network

Defines the network traffic being transmitted to the destination network from the ACE:

Any—Select the Any radio button to indicate that network traffic to any destination is allowed.

IP/Netmask—Use this field to limit access to a specific destination IP address. Enter the destination IP address that is allowed for this ACL and select its subnet mask.

Network Object Group—Select a destination network object group to apply to this ACL.

Destination Port Operator

This field appears if you select TCP or UDP in the Protocol field.

Select the operand to use to compare destination port numbers:

Equal To—The destination port must be the same as the number in the Destination Port Number field.

Greater Than—The destination port must be greater than the number in the Destination Port Number field.

Less Than—The destination port must be less than the number in the Destination Port Number field.

Not Equal To—The destination port must not equal the number in the Destination Port Number field.

Range—The destination port must be within the range of ports specified by the Lower Destination Port Number field and the Upper Destination Port Number field.

Destination Port Number

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Destination Port Operator field.

Enter the port name or number from which you want to permit or deny access.

Lower Destination Port Number

This field appears if you select Range in the Destination Port Operator field.

Enter the number of the lowest port to which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port Number field.

Upper Destination Port Number

This field appears if you select Range in the Destination Port Operator field.

Enter the port number of the upper port to which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Destination Port Number field.


Table 2-13 Protocol Names and Numbers 

Protocol Name (1)   Protocol Number   Description
AH                  51                Authentication Header
EIGRP               88                Enhanced IGRP
ESP                 50                Encapsulated Security Payload
GRE                 47                Generic Routing Encapsulation
ICMP                1                 Internet Control Message Protocol
IGMP                2                 Internet Group Management Protocol
IP                  0                 Internet Protocol
IP-In-IP            4                 IP-in-IP Layer 3 Tunneling Protocol
OSPF                89                Open Shortest Path First
PIM                 103               Protocol Independent Multicast
TCP                 6                 Transmission Control Protocol
UDP                 17                User Datagram Protocol

(1) For a complete list of all protocols and their numbers, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/.


Step 5 Click Add To Table if you want to add one or more ACL entries to the table. See Step 4 for information on configuring the extended ACL entries.

Step 6 Associate any VLAN interface to this ACL if required and click:

Deploy to immediately deploy this configuration.

Cancel to exit without saving your entries and to return to the ACL Summary table.


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting EtherType ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Resequencing Extended ACLs

Use this procedure to change the sequence of entries in an Extended ACL. EtherType ACL entries cannot be resequenced.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.

Step 2 Select the Extended ACL you want to renumber, then click the Resequence icon appearing to the left of the filter field. The ACL Line Number Resequence window appears.

Step 3 In the Start field, enter the number that is to be assigned to the first entry in the ACL. Valid entries are 1 to 2147483647.

Step 4 In the Increment field, enter the number that is to be added to each entry in the ACL after the first entry. Valid entries are integers from 1 to 2147483647.

Step 5 Click:

Resequence to save your entries and to return to the ACLs table.

Cancel to exit this procedure without saving your entries and to return to the ACLs table.


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Editing or Deleting ACLs

Setting EtherType ACL Attributes


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


You can configure an ACL that controls traffic based on its EtherType. An EtherType is a sub-protocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field as opposed to a type field. The only exception is bridge protocol data units (BPDUs), which are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.

Step 2 Click Add. The New Access List configuration screen appears.

Step 3 Enter the ACL name in the ACL Properties pane and choose Ethertype.

Step 4 Select one of the following radio buttons:

Deny to indicate that the ACE is to block connections.

Permit to indicate that the ACE is to allow connections.

Step 5 Select one of the following from the Protocol field pulldown menu for this ACL:

Any—Specifies any EtherType.

BPDU—Specifies Bridge Protocol Data Units. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops. For more information about configuring redundancy, refer to Configuring High Availability, page 9-1.

IPv6—Specifies Internet Protocol version 6.

MPLS—Specifies Multi-Protocol Label Switching. The MPLS selection applies to both MPLS unicast and MPLS multicast traffic. If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.

Step 6 Click Add To Table and add one or more ACL entries if required repeating Step 4 and Step 5 as needed.

Step 7 Associate any VLAN interface to this ACL if required and click:

Deploy to immediately deploy this configuration.

Cancel to exit without saving your entries and to return to the ACL Summary table.
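The Ethernet V2 versus 802.3 distinction above decides whether an EtherType ACL can classify a frame at all, so it is worth seeing on real bytes. The following Python example is added here and is not ACE code: it reads the type/length field of a raw frame, maps Ethernet V2 types to the Any/BPDU/IPv6/MPLS choices of Step 5, recognises only the SNAP-encapsulated BPDU exception among 802.3 frames, and evaluates an entry list with the implicit deny at the end. It assumes the proprietary trunk BPDUs the text mentions are Cisco PVST+ BPDUs (SNAP header AA-AA-03, OUI 00:00:0C, protocol ID 0x010B) and treats IPv4 frames as outside EtherType ACL scope because extended ACLs govern IP traffic; the MAC addresses and payloads are constructed.

```python
import struct
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_MPLS = {0x8847, 0x8848}   # MPLS unicast and MPLS multicast, both covered by "MPLS"
ETHERNET_V2_MIN_TYPE = 0x0600       # a smaller value at bytes 12-13 is an 802.3 length field
# Assumption: the Cisco proprietary trunk BPDUs are PVST+ BPDUs, SNAP-encapsulated as below.
SNAP_LLC = b"\xaa\xaa\x03"
CISCO_OUI = b"\x00\x00\x0c"
PVST_BPDU_PID = 0x010B


def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    """Constructed test frame: 14-byte Ethernet header followed by the payload."""
    return dst + src + struct.pack("!H", type_or_len) + payload


def classify(frame: bytes) -> Optional[str]:
    """EtherType ACL category of a frame ('bpdu', 'ipv6', 'mpls', 'ip' or 'ethertype:0x....'),
    or None for an 802.3 frame that EtherType ACLs do not support."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= ETHERNET_V2_MIN_TYPE:          # Ethernet V2: a type field
        if type_or_len == ETHERTYPE_IPV6:
            return "ipv6"
        if type_or_len in ETHERTYPE_MPLS:
            return "mpls"
        if type_or_len == ETHERTYPE_IPV4:
            return "ip"      # IP traffic is governed by extended ACLs, not EtherType ACLs
        return "ethertype:0x%04x" % type_or_len
    # 802.3: a length field; only the SNAP-encapsulated BPDU exception is recognised
    snap = frame[14:22]
    if (len(snap) == 8 and snap[:3] == SNAP_LLC and snap[3:6] == CISCO_OUI
            and struct.unpack("!H", snap[6:8])[0] == PVST_BPDU_PID):
        return "bpdu"
    return None


def evaluate_ethertype_acl(entries: List[Tuple[str, str]], frame: bytes) -> Optional[str]:
    """entries are (action, protocol) pairs with protocol in any/bpdu/ipv6/mpls, in ACL order.
    First match wins, the implicit deny applies at the end, and None means the EtherType ACL
    does not apply to this frame (802.3 without the BPDU exception, or IPv4)."""
    kind = classify(frame)
    if kind is None or kind == "ip":
        return None
    for action, protocol in entries:
        if protocol == "any" or protocol == kind:
            return action
    return "deny"


# Constructed sample frames (MAC addresses are placeholders).
DST = bytes.fromhex("01000ccccccd")   # PVST+ BPDU multicast destination
SRC = bytes.fromhex("020000000001")
FRAME_IPV6 = build_frame(DST, SRC, ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39)
FRAME_MPLS = build_frame(DST, SRC, 0x8848, b"\x00\x01\x01\xff")
FRAME_BPDU = build_frame(DST, SRC, 0x0032,
                         SNAP_LLC + CISCO_OUI + struct.pack("!H", PVST_BPDU_PID) + b"\x00" * 42)
FRAME_8023_LLC = build_frame(DST, SRC, 0x0028, b"\xe0\xe0\x03" + b"\x00" * 37)  # plain 802.3 LLC
BPDU_AND_IPV6 = [("permit", "bpdu"), ("permit", "ipv6")]

if __name__ == "__main__":
    for name, frame in (("ipv6", FRAME_IPV6), ("mpls", FRAME_MPLS),
                        ("bpdu", FRAME_BPDU), ("802.3 llc", FRAME_8023_LLC)):
        print(name, classify(frame), evaluate_ethertype_acl(BPDU_AND_IPV6, frame))
```

The MPLS frame is dropped by the implicit deny even though it is a perfectly good Ethernet V2 frame, while the plain 802.3 LLC frame gets no verdict from the EtherType ACL at all, which is the behaviour the paragraph above describes for length-field frames.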


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting Extended ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Viewing All ACLs by Context

Use this procedure to view all access control lists that have been configured.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the virtual context with the ACLs you want to view, then select Security > ACLs. The ACLs table appears, listing the existing ACLs with their name, their type (Extended or Ethertype), and any comments.


Related Topics

Configuring Virtual Context Expert Options

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Editing or Deleting ACLs

Editing or Deleting ACLs

Use this procedure to delete or edit an ACL or any of its subentries.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.

Step 2 Select the radio button to the left of the ACL you want to Edit or Delete. Expand entries if necessary by clicking the plus sign to the left of any ACL entry until you see the subentry ACL for which you are looking, or click the Expand All icon to view all ACLs and subentries.

Step 3 Perform one of the following steps:

Click Edit if you are editing an ACL or one of its entries and go to Step 4.

or

Click Delete if you are deleting an ACL or one of its entries and go to Step 5.

Step 4 Edit the entry using the summary information listed in Table 2-11 if needed, and click Deploy when done.

Step 5 Click Delete. A window appears asking you to confirm the deletion. If you click OK, the ACLs table refreshes without the deleted ACL.


Related Topics

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Resequencing Extended ACLs

Configuring Object Groups

An object group is a logical grouping of objects such as hosts (servers and clients), services, and networks. When you create an object group, you select a type, such as network or service, and then specify the objects that belong to the group. In all, there are four types of object groups: network, protocol, service, and ICMP-type.

After you configure an object group, you can include it in ACLs, thereby including all objects within that group and reducing overall configuration size.

Use this procedure to configure object groups that you can associate with ACLs.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Click Add to create a new object group, or select an existing object group, then click Edit to modify it. The Object Groups configuration screen appears.

Step 3 In the Name field, enter a unique name for this object group. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

Step 4 In the Description field, enter a brief description for the object group.

Step 5 In the Type field, select the type of object group you are creating:

Network—The object group is based on a group of hosts or subnet IP addresses.

Service—The object group is based on TCP or UDP protocols and ports, or ICMP types, such as echo or echo-reply.

Step 6 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit without saving your entries and to return to the Object Groups table.

Next to deploy your entries and to add another entry to the Object Groups table.

If you click Deploy Now or OK, the screen refreshes with tables of additional configuration options.

Step 7 Configure objects for the object group.

For network-type object groups, options include:

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

For service-type object groups, options include:

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group
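The following Python model is added here as an example; it is not code from the ACE or its Device Manager. It ties together the extended ACL entry semantics of Table 2-12 (source and destination networks, the port operators, lookup in line-number order and the implicit deny), the Resequencing Extended ACLs procedure, the one-ACL-per-direction rule from Configuring Security with ACLs, and the network and service object groups described in this section, which an entry can reference in place of a single address or protocol. Protocol numbers come from Table 2-13; treating protocol "ip" (0) as matching any IP protocol, the class and function names, and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Subset of Table 2-13. Assumption: "ip" (0) matches every IP protocol, as in Cisco ACL usage.
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
LINE_LIMIT = 2147483647                    # upper bound for line numbers, Start and Increment
PortTest = Optional[Tuple[str, int, int]]  # (operator, lower, upper); None = no port test


def port_matches(test: PortTest, port: int) -> bool:
    """Apply one Source/Destination Port Operator from Table 2-12."""
    if test is None:
        return True
    op, lo, hi = test
    if op == "range" and not lo < hi:
        raise ValueError("lower port number must be less than the upper port number")
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo,
            "neq": port != lo, "range": lo <= port <= hi}[op]


def network_group(*members: str) -> list:
    """Network object group or a single IP/Netmask; host IPs become /32 subnet objects."""
    return [ip_network("0.0.0.0/0" if m == "any" else m, strict=False) for m in members]


@dataclass
class Service:
    """One service object group member: a protocol with optional TCP/UDP port tests."""
    protocol: int
    dst_port: PortTest = None
    src_port: PortTest = None


@dataclass
class Entry:
    line: int
    action: str               # "permit" or "deny"
    services: List[Service]   # one Service for a plain protocol, several for a service group
    source: list              # from network_group()
    destination: list


@dataclass
class Packet:
    protocol: int
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0


def entry_matches(e: Entry, p: Packet) -> bool:
    addr_ok = (any(ip_address(p.src) in n for n in e.source)
               and any(ip_address(p.dst) in n for n in e.destination))
    return addr_ok and any(s.protocol in (PROTO["ip"], p.protocol)
                           and port_matches(s.src_port, p.src_port)
                           and port_matches(s.dst_port, p.dst_port) for s in e.services)


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First match in line-number order wins; the implicit deny at the end is made explicit."""
    for e in sorted(acl, key=lambda e: e.line):
        if entry_matches(e, p):
            return e.action
    return "deny"


def resequence(acl: List[Entry], start: int, increment: int) -> List[int]:
    """Renumber entries as the Resequence window does, keeping their relative order."""
    if not (1 <= start <= LINE_LIMIT and 1 <= increment <= LINE_LIMIT):
        raise ValueError("Start and Increment must be 1 to 2147483647")
    ordered = sorted(acl, key=lambda e: e.line)
    for i, e in enumerate(ordered):
        e.line = start + i * increment
        if e.line > LINE_LIMIT:
            raise ValueError("resequenced line number exceeds 2147483647")
    return [e.line for e in ordered]


def assign(assignments: dict, vlan: str, direction: str, acl_name: str) -> dict:
    """Apply an ACL to a VLAN interface: at most one extended ACL per direction."""
    if direction not in ("input", "output"):
        raise ValueError("direction must be input or output")
    current = assignments.get((vlan, direction))
    if current not in (None, acl_name):
        raise ValueError(f"VLAN {vlan} already has an {direction} ACL: {current}")
    assignments[(vlan, direction)] = acl_name
    return assignments


# Constructed sample: a web tier reachable on 80/443 from anywhere, ICMP allowed, all else denied.
WEB_SERVERS = network_group("10.1.1.10", "10.1.2.0/24")   # network object group: host + subnet
WEB_SERVICES = [Service(PROTO["tcp"], ("eq", 80, 0)),      # service object group
                Service(PROTO["tcp"], ("eq", 443, 0))]
ANY = network_group("any")
SAMPLE_ACL = [Entry(10, "permit", WEB_SERVICES, ANY, WEB_SERVERS),
              Entry(20, "permit", [Service(PROTO["icmp"])], ANY, ANY)]

if __name__ == "__main__":
    for pkt in (Packet(PROTO["tcp"], "192.0.2.7", "10.1.1.10", 40000, 443),
                Packet(PROTO["udp"], "192.0.2.7", "10.1.2.5", 40000, 53)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```

Running it shows the UDP packet being dropped by the implicit deny, the same outcome as an interface with no ACL applied at all; resequencing with a Start of 100 and an Increment of 10 renumbers the two entries to 100 and 110 without changing which one is consulted first.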


Related Topics

Configuring Virtual Context Expert Options

Creating ACLs

Setting Extended ACL Attributes

Resequencing Extended ACLs

Configuring IP Addresses for Object Groups

Use this procedure to specify host IP addresses for network-type object groups.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select the object group you want to configure host IP addresses for, then select the Host Setting For Object Group tab. The Host Setting For Object Group table appears.

Step 3 Click Add to add an entry to this table.

Step 4 In the Host IP Address field, enter the IP address of a host to include in this group.

Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the Host Setting table.


Related Topics

Configuring Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring Subnet Objects for Object Groups

Use this procedure to specify subnet objects for a network-type object group.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select the object group you want to configure subnet objects for, then select the Network Setting For Object Group tab. The Network Setting For Object Group table appears.

Step 3 Click Add to add an entry to this table.

Step 4 In the IP Address field, enter an IP address that, with the subnet mask, defines the subnet object.

Step 5 In the Netmask field, select the subnet mask for this subnet object.

Step 6 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the Network Setting table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring Protocols for Object Groups

Use this procedure to specify protocols for a service-type object group.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select an existing service-type object group, then select the Protocol Selection tab. The Protocol Selection table appears.

Step 3 Click Add to add an entry to this table.

Step 4 In the Protocol Number field, select the protocol or protocol number to add to this object group. See Table 2-13 for common protocols and their numbers.

Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the Protocol Selection table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring TCP/UDP Service Parameters for Object Groups

Use this procedure to add TCP or UDP service objects to a service-type object group.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select an existing service-type object group, then select the TCP/UDP Service Parameters tab. The TCP/UDP Service Parameters table appears.

Step 3 Click Add to add an entry to this table.

Step 4 Configure TCP or UDP service objects using the information in Table 2-14.

Table 2-14 TCP and UDP Service Parameters 

Field
Description

Protocol

Select the protocol for this service object:

TCP—TCP is the protocol for this service object.

UDP—UDP is the protocol for this service object.

TCP And UDP—Both TCP and UDP are the protocols for this service object.

Source Port Operator

Select the operand to use when comparing source port numbers for this service object:

Equal To—The source port must be the same as the number in the Source Port field.

Greater Than—The source port must be greater than the number in the Source Port field.

Less Than—The source port must be less than the number in the Source Port field.

Not Equal To—The source port must not equal the number in the Source Port field.

Range—The source port must be within the range of ports specified by the Lower Source Port field and the Upper Source Port field.

Source Port

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Source Port Operator field.

Enter the source port name or number for this service object.

Lower Source Port

This field appears if you select Range in the Source Port Operator field.

Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Source Port field.

Upper Source Port

This field appears if you select Range in the Source Port Operator field.

Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Source Port field.

Destination Port Operator

Select the operand to use when comparing destination port numbers:

Equal To—The destination port must be the same as the number in the Destination Port field.

Greater Than—The destination port must be greater than the number in the Destination Port field.

Less Than—The destination port must be less than the number in the Destination Port field.

Not Equal To—The destination port must not equal the number in the Destination Port field.

Range—The destination port must be within the range of ports specified by the Lower Destination Port field and the Upper Destination Port field.

Destination Port

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Destination Port Operator field.

Enter the destination port name or number for this service object.

Lower Destination Port

This field appears if you select Range in the Destination Port Operator field.

Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port field.

Upper Destination Port

This field appears if you select Range in the Destination Port Operator field.

Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Destination Port field.


Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the TCP/UDP Service Parameters table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring ICMP Service Parameters for an Object Group

Use this procedure to add ICMP service parameters to a service-type object group.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select an existing service-type object group, then select the ICMP Service Parameters tab. The ICMP Service Parameters table appears.

Step 3 Click Add to add an entry to this table.

Step 4 Configure ICMP type objects using the information in Table 2-15.

Table 2-15 ICMP Type Service Parameters 

Field
Description

ICMP Type

Select the ICMP type or number for this service object. Table 2-16 lists common ICMP types and numbers.

Message Code Operator

Select the operand to use when comparing message codes for this service object:

Equal To—The message code must be the same as the number in the Message Code field.

Greater Than—The message code must be greater than the number in the Message Code field.

Less Than—The message code must be less than the number in the Message Code field.

Not Equal To—The message code must not equal the number in the Message Code field.

Range—The message code must be within the range of codes specified by the Min. Message Code field and the Max. Message Code field.

Message Code

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Message Code Operator field.

Enter the ICMP message code for this service object.

Min. Message Code

This field appears if you select Range in the Message Code Operator field.

Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 255. The number in this field must be less than the number entered in the Max. Message Code field.

Max. Message Code

This field appears if you select Range in the Message Code Operator field.

Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 255. The number in this field must be greater than the number entered in the Min. Message Code field.


Table 2-16 ICMP Type Numbers and Names 

Number   ICMP Type Name
0        Echo-Reply
3        Unreachable
4        Source-Quench
5        Redirect
6        Alternate-Address
8        Echo
9        Router-Advertisement
10       Router-Solicitation
11       Time-Exceeded
12       Parameter-Problem
13       Timestamp-Request
14       Timestamp-Reply
15       Information-Request
16       Information-Reply
17       Mask-Request
18       Mask-Reply
31       Conversion-Error
32       Mobile-Redirect


Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the ICMP Service Parameters table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups
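The matching rules that the Host Setting, Network Setting, Protocol Selection, TCP/UDP Service Parameters and ICMP Service Parameters tabs describe can be modelled in a few dozen lines, which makes it easy to check what a group will and will not cover before an ACL that references it is deployed. The following Python is an added example, not ACE appliance or ACE appliance Device Manager code: the class names, the operator keywords (eq, gt, lt, neq, range, standing in for Equal To, Greater Than, Less Than, Not Equal To and Range), the sample addresses and the sample packets are all assumptions made for this example. It also enforces the Range rule stated in Tables 2-14 and 2-15 (both ends within the valid integer range, lower strictly less than upper), so a misordered range is rejected when the entry is defined rather than silently matching nothing.

```python
"""Added example (not ACE or Device Manager code): a model of how network-type
and service-type object groups classify a packet.  Names, operator keywords
and sample data are assumptions made for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}  # IANA protocol numbers

# Operator choices of Tables 2-14 and 2-15; "range" is inclusive at both ends.
OPERATORS = {
    "eq": lambda v, lo, hi: v == lo,
    "gt": lambda v, lo, hi: v > lo,
    "lt": lambda v, lo, hi: v < lo,
    "neq": lambda v, lo, hi: v != lo,
    "range": lambda v, lo, hi: lo <= v <= hi,
}


def validate_range(lower: int, upper: int, max_value: int = 65535) -> Optional[str]:
    """Rules for a Range entry: both ends in 0..max_value, lower < upper.
    Returns an error message, or None when the range is valid."""
    if not (0 <= lower <= max_value and 0 <= upper <= max_value):
        return f"values must be integers from 0 to {max_value}"
    if lower >= upper:
        return "lower value must be less than upper value"
    return None


@dataclass
class Criterion:
    """One comparison on a port (max 65535) or an ICMP message code (max 255)."""
    operator: str
    value: int              # single operand, or lower end of a range
    upper: int = 0          # upper end of a range (unused by other operators)
    max_value: int = 65535

    def __post_init__(self) -> None:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        if self.operator == "range":
            err = validate_range(self.value, self.upper, self.max_value)
        else:
            err = None if 0 <= self.value <= self.max_value else "value out of range"
        if err:
            raise ValueError(err)

    def matches(self, observed: int) -> bool:
        return OPERATORS[self.operator](observed, self.value, self.upper)


@dataclass
class Packet:
    """Constructed packet summary: only the fields object groups inspect."""
    src_ip: str
    dst_ip: str
    protocol: int           # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass
class ServiceObject:
    """One entry of a service-type object group (protocol, TCP/UDP or ICMP)."""
    protocol: str                          # "tcp", "udp", "tcp-udp", "icmp" or a number
    src: Optional[Criterion] = None        # Source Port Operator / Source Port fields
    dst: Optional[Criterion] = None        # Destination Port Operator / Port fields
    icmp_type: Optional[int] = None        # ICMP Type field
    icmp_code: Optional[Criterion] = None  # Message Code Operator / Message Code fields

    def _wanted_protocols(self) -> set:
        if self.protocol == "tcp-udp":
            return {6, 17}
        if self.protocol.isdigit():          # raw protocol number, as in Protocol Selection
            return {int(self.protocol)}
        return {PROTOCOL_NUMBERS[self.protocol]}

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol not in self._wanted_protocols():
            return False
        if self.src is not None and not self.src.matches(pkt.sport):
            return False
        if self.dst is not None and not self.dst.matches(pkt.dport):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.icmp_code is not None and not self.icmp_code.matches(pkt.icmp_code):
            return False
        return True


class NetworkObjectGroup:
    """Host Setting entries become /32 networks; Network Setting entries keep their netmask."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.networks: List[ipaddress.IPv4Network] = []

    def add_host(self, ip: str) -> None:
        self.networks.append(ipaddress.ip_network(ip))

    def add_subnet(self, ip: str, netmask: str) -> None:
        self.networks.append(ipaddress.ip_network(f"{ip}/{netmask}", strict=False))

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


class ServiceObjectGroup:
    """A packet matches the group if any one entry matches."""
    def __init__(self, name: str, entries: List[ServiceObject]) -> None:
        self.name = name
        self.entries = entries

    def matches(self, pkt: Packet) -> bool:
        return any(entry.matches(pkt) for entry in self.entries)


# Constructed sample groups (assumed names and addresses, not from the guide).
WEB_SERVERS = NetworkObjectGroup("WEB_SERVERS")
WEB_SERVERS.add_host("10.1.1.10")                     # Host IP Address entry
WEB_SERVERS.add_subnet("10.1.2.0", "255.255.255.0")   # IP Address + Netmask entry

WEB_SERVICES = ServiceObjectGroup("WEB_SERVICES", [
    ServiceObject("tcp", dst=Criterion("eq", 80)),
    ServiceObject("tcp", dst=Criterion("eq", 443)),
    ServiceObject("tcp-udp", dst=Criterion("range", 8000, 8100)),
    ServiceObject("icmp", icmp_type=8, icmp_code=Criterion("eq", 0, max_value=255)),
])


def permitted(pkt: Packet) -> bool:
    """A permit entry referencing both groups: destination in WEB_SERVERS and
    service in WEB_SERVICES.  Anything else falls through to deny."""
    return WEB_SERVERS.contains(pkt.dst_ip) and WEB_SERVICES.matches(pkt)


if __name__ == "__main__":
    for pkt in (Packet("192.0.2.5", "10.1.1.10", 6, dport=80),
                Packet("192.0.2.5", "10.1.2.77", 17, dport=8050),
                Packet("192.0.2.5", "10.1.2.77", 6, dport=22)):
        print(pkt, "->", "permit" if permitted(pkt) else "deny")
```

Running the script prints permit for the first two constructed packets (a TCP/80 request to the host entry and a UDP/8050 datagram into the subnet entry, which the TCP And UDP range entry covers) and deny for TCP/22, which no service entry lists. Because `Criterion` applies the same operator table to ICMP message codes with `max_value=255`, the ICMP Service Parameters tab needs no separate logic; only the upper bound differs.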

Configuring Virtual Context Expert Options

Table 2-17 identifies ACE appliance Device Manager virtual context Expert configuration options and related topics for more information.

Table 2-17 Virtual Context Expert Configuration Options 

Expert Configuration Options
Related Topics

Establish traffic policies by classifying types of network traffic and then applying rules and actions for handling the traffic

Configuring Traffic Policies, page 10-1

Configuring Virtual Context Class Maps, page 10-8

Configuring Virtual Context Policy Maps, page 10-32

Configure HTTP optimization action lists

Configuring an HTTP Optimization Action List, page 11-3

Configure HTTP header modify action lists

Configuring an HTTP Header Modify Action List, page 10-79


Managing Virtual Contexts

You can perform the following administrative actions on virtual contexts:

Synchronizing Virtual Context Configurations

Editing Virtual Contexts

Deleting Virtual Contexts

Viewing All Virtual Contexts

Synchronizing Virtual Context Configurations

ACE appliance Device Manager identifies virtual contexts with different configurations on the ACE appliance and in ACE appliance Device Manager. Discrepancies between these configurations occur when a user configures the ACE appliance directly using the CLI instead of the ACE appliance Device Manager.

The ACE appliance Device Manager automatically polls the CLI once every two minutes. When you use the CLI to change a virtual context's configuration on the ACE appliance, and the Device Manager detects an out-of-band configuration change in a context during this polling period, the configuration changes are applied by the Device Manager.

The status bar at the bottom right of the ACE appliance Device Manager displays two indicators for you to monitor CLI and DM GUI synchronization status (Figure 2-1). One indicator displays ACE appliance Device Manager GUI and CLI synchronization status along with a summary count of the contexts in the various synchronization states, and the other indicator displays CLI synchronization and polling status for the active context. The status bar auto-refreshes every 10 seconds.

Figure 2-1 CLI and DM GUI Synchronization Status Bar

For example, as illustrated in Figure 2-1, the message "DM out of sync with CLI (1/17)" indicates that out of the 17 configured contexts, one context is in the "Out of sync" CLI synchronization status state.


Note If a user attempts to deploy a configuration from the ACE appliance Device Manager (clicks the Deploy Now button) while synchronization is in process for a particular context, an error message appears indicating that synchronization is in process and the user should try to deploy the configuration at a later point in time.


ACE appliance Device Manager provides the following options for identifying and synchronizing configuration discrepancies:

Viewing Virtual Context Synchronization Status

High Availability and Virtual Context Configuration Status

Manually Synchronizing Individual Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Viewing Virtual Context Synchronization Status

ACE appliance Device Manager identifies virtual contexts with different configurations in the ACE appliance and in the ACE appliance Device Manager. Discrepancies between these configurations occur when a user configures the ACE appliance directly using the CLI instead of ACE appliance Device Manager.

In Config screens, CLI and DM GUI configuration status appears in the following locations in the ACE appliance Device Manager:

In the All Virtual Contexts table (Config > Virtual Contexts), in the CLI Sync Status column.

The status bar at the bottom of the ACE appliance Device Manager browser (see Figure 2-1).

The following reported CLI synchronization states appear in the All Virtual Context table:

OK—The configurations for the selected virtual context are synchronized with the CLI.

Out Of Sync—The configurations for the selected virtual context are not synchronized with the CLI.

Sync In Progress—The CLI to DM GUI synchronization for this context is in process, either started automatically by the ACE appliance Device Manager or manually (using either the CLI Sync or CLI Sync All buttons).

Sync Failed—The last synchronization attempt failed and you must perform a manual synchronization using either the CLI Sync or CLI Sync All buttons. The failed state could be due to an unrecognized CLI command on the context, or due to an internal error on the ACE appliance Device Manager. Once the problem is resolved, another manual synchronization will be required to move the context into the OK synchronization state.

The status bar at the bottom of the ACE appliance Device Manager browser (see Figure 2-1) displays DM GUI and CLI synchronization status along with a summary count of the contexts in the various synchronization states. For example, the message "DM out of sync with CLI (1/10), DM sync with CLI failed (2/10)" indicates that out of the 10 configured contexts, one context is in the "Out Of Sync" state, two are in the "Sync Failed" state, and the remaining contexts are in the "OK" state. The status bar auto-refreshes every 10 seconds.


Note Clicking the summary count in the status bar from any context-specific page accesses the All Virtual Contexts table. You can view the CLI synchronization status for all contexts.


If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual Contexts table, the information in the CLI Sync Status column does not automatically update to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view out-of-sync configurations.

For information on synchronizing out-of-sync virtual context configurations, see:

Manually Synchronizing Individual Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Related Topics

Synchronizing Virtual Context Configurations

High Availability and Virtual Context Configuration Status

High Availability and Virtual Context Configuration Status

In a high availability pair, the two configured virtual contexts synchronize with each other as part of their ongoing communications. However, their copies do not synchronize in ACE appliance Device Manager and the configuration on the standby member can become out of sync with the configuration on the ACE appliance.

After the active member of a high availability pair fails and the standby member becomes active, ACE appliance Device Manager on the newly active member detects any out-of-sync virtual context configurations and reports that status in the All Virtual Contexts table so that you can synchronize the virtual context configurations.


Note When a virtual context is in either the Standby Hot or Standby Warm state (see High Availability Polling, page 9-6), the virtual context may receive configuration changes from its ACE peer without updating the Device Manager GUI. As a result, the ACE appliance Device Manager GUI will be out of synchronization with the CLI configuration. If you need to check configuration on a standby virtual context using HA Tracking And Failure Detection (see Tracking VLAN Interfaces for High Availability, page 9-17), we recommend that you first perform a manual synchronization using either the CLI Sync or CLI Sync All buttons before checking the configuration values.


For information on synchronizing out-of-sync virtual context configurations, see:

Manually Synchronizing Individual Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Related Topics

Viewing Virtual Context Synchronization Status

Configuring High Availability Overview, page 9-6

Manually Synchronizing Individual Virtual Context Configurations

Use this procedure if you want to manually synchronize the configuration for a selected virtual context. This procedure removes the configuration information for this virtual context from ACE appliance Device Manager and replaces it with its CLI configuration from the ACE appliance. You may want to manually synchronize a virtual context configuration if you do not want to wait for auto synchronization to occur and you want the CLI context configuration changes immediately applied to the ACE appliance Device Manager.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears. Contexts with configurations that are not synchronized display Out of sync in the CLI Sync Status column.


Note If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual Contexts table, the information in the CLI Sync Status column is not automatically updated to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view out-of-sync configurations.


Step 2 Select the virtual context with the configuration that you want to synchronize, then click CLI Sync. A window appears, asking you to confirm the operation.

Step 3 Click OK to upload the configuration from the ACE appliance or Cancel to exit this procedure without uploading the configuration.

If you click OK, the screen reports progress and then refreshes with updated configuration status in the CLI Sync Status column.


Related Topics

Synchronizing Virtual Context Configurations

Viewing Virtual Context Synchronization Status

Manually Synchronizing All Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Use this procedure to manually synchronize all virtual context configurations. This procedure removes all virtual context configurations from ACE appliance Device Manager and replaces them with their CLI configurations from the ACE appliance. You may want to manually synchronize all virtual contexts if you do not want to wait for auto-synchronization to occur and you want the CLI context configuration changes immediately applied to the ACE appliance Device Manager.

This operation can take several minutes to finish, depending on the number of virtual contexts.


Note If you configure a virtual server using the CLI and then use the CLI Sync All option (Config > Virtual Contexts) to manually synchronize configurations, the configuration that appears in ACE appliance Device Manager for the virtual server might not display all configuration options for that virtual server. The configuration that appears in ACE appliance Device Manager depends on a number of items, such as the protocols configured in class maps or the rules defined for policy maps.

For example, if you configure a virtual server on the CLI that includes a class map that can match any protocol, you will not see the virtual server Application Acceleration and Optimization configuration subset in ACE appliance Device Manager.



Note This procedure is available for only the admin user in an Admin context.


Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Click CLI Sync All. A window appears, asking you to confirm the operation.

Step 3 Click OK to continue with this option or click Cancel to exit this procedure.

If you click OK, the screen refreshes with the All Virtual Contexts table listing the contexts that have been imported so far and displays configuration update progress.


Note Depending on the number of contexts, this process can take several minutes to complete.


Step 4 Click Refresh to view additional contexts that have been imported.


Related Topics

Synchronizing Virtual Context Configurations

Manually Synchronizing Individual Virtual Context Configurations

Editing Virtual Contexts

Use this procedure to modify the configuration of an existing virtual context.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the virtual context, then select the configuration attributes you want to modify. For information on configuration options, see Configuring Virtual Contexts.

Step 3 Click Deploy Now to deploy this configuration on the ACE appliance.

To exit a procedure without saving your entries, click Cancel, or select another item in the menu bar or another attribute to configure. A window appears, confirming that you have not saved your entries.


Related Topic

Using Virtual Contexts

Deleting Virtual Contexts

Use this procedure to remove an existing virtual context.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the virtual context you want to remove, then click Delete. A window appears, asking you to confirm the deletion.

Step 3 Click:

OK to delete the selected context. The device tree refreshes and the deleted context no longer appears.

Cancel to exit this procedure and to retain the selected context.


Related Topic

Using Virtual Contexts

Viewing All Virtual Contexts

To view all virtual contexts, select Config > Virtual Contexts. The All Virtual Contexts table appears.


Note Clicking the summary count in the status bar from any context-specific page accesses the All Virtual Contexts table. You can then review the synchronization configuration details for all of the available contexts. If you are not the administrator, you will only see the details for your user context.


The All Virtual Contexts table displays the following information for each virtual context:

Name

Resource class

Management IP address

Virtual context synchronization status; that is, whether the ACE appliance Device Manager GUI and CLI configurations for the context are synchronized, not synchronized, being synchronized, or the synchronization attempt failed. For more information, see Viewing Virtual Context Synchronization Status.

ACE high availability state; for more information on the available ACE high availability states, see High Availability Polling, page 9-6.


Note For information on the implication of ACE high availability on ACE appliance Device Manager GUI and CLI configuration synchronization, see Synchronizing High Availability Configurations with ACE Appliance Device Manager, page 9-7.


State of the ACE high availability peer

ACE high availability peer name

Whether automatic synchronization for high availability pairs has been configured


Note If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual Contexts table, or if the high availability state changes, the information in the table columns does not automatically update to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view out-of-sync configurations.



Note If a user creates a new virtual context in a different session while you are viewing the All Virtual Contexts table, the new virtual context does not automatically appear in this table. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view newly-created contexts.


Polling status for the selected context appears above the content area in the upper right corner (see Figure 1-2). Table 12-1 describes the various polling states.

From this screen you can:

Add a new virtual context—See Creating Virtual Contexts.

Edit an existing virtual context—See Configuring Virtual Contexts.

Delete an existing virtual context—See Deleting Virtual Contexts.

Manually synchronize ACE appliance Device Manager and CLI configurations for one or all virtual contexts—See Synchronizing Virtual Context Configurations.

Related Topic

Managing Virtual Contexts