Device Manager GUI Guide vA4(1.0), Cisco ACE 4700 Series Application Control Engine Appliance
Configuring Virtual Contexts


Table Of Contents

Configuring Virtual Contexts

Using Virtual Contexts

Creating Virtual Contexts

Configuring Virtual Contexts

Configuring Virtual Context System Attributes

Configuring Virtual Context Primary Attributes

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configuring SNMP for Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring Virtual Context Global Traffic Policies

Managing ACE Appliance Licenses

Viewing ACE Appliance Licenses

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Managing Resource Classes

Resource Allocation Constraints

Adding Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Using the Configuration Checkpoint and Rollback Service

Creating a Configuration Checkpoint

Deleting a Configuration Checkpoint

Rolling Back a Running Configuration

Displaying Checkpoint Information

Performing Device Backup and Restore Functions

Backing Up Device Configuration and Dependencies

Restoring Device Configuration and Dependencies

Configuring Security with ACLs

Creating ACLs

Setting Extended ACL Attributes

Resequencing Extended ACLs

Setting EtherType ACL Attributes

Viewing All ACLs by Context

Editing or Deleting ACLs

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring Virtual Context Expert Options

Managing Virtual Contexts

Synchronizing Virtual Context Configurations

Viewing Virtual Context Synchronization Status

High Availability and Virtual Context Configuration Status

Manually Synchronizing Individual Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Editing Virtual Contexts

Deleting Virtual Contexts

Viewing All Virtual Contexts


Configuring Virtual Contexts


Cisco Application Control Engine Appliance Device Manager (ACE appliance Device Manager) provides a number of options for creating, configuring, and managing ACE appliances.


Note When you use the ACE CLI to configure named objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), consider that the Device Manager (DM) supports object names with an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.

If you use the ACE CLI to configure a named object with special characters that the DM does not support, you may not be able to configure the ACE using DM.


For information about these options, see:

Using Virtual Contexts

Creating Virtual Contexts

Configuring Virtual Contexts

Configuring Virtual Context System Attributes

Configuring Virtual Context Primary Attributes

Configuring Virtual Context Syslog Logging

Configuring SNMP for Virtual Contexts

Configuring Virtual Context Global Traffic Policies

Managing ACE Appliance Licenses

Managing Resource Classes

Using the Configuration Checkpoint and Rollback Service

Performing Device Backup and Restore Functions

Configuring Security with ACLs

Configuring Object Groups

Configuring Virtual Context Expert Options

Managing Virtual Contexts

Using Virtual Contexts

Virtual contexts use the concept of virtualization to partition your ACE appliance into multiple virtual devices or contexts. Each context contains its own set of policies, interfaces, resources, and administrators. This feature enables you to more closely and efficiently manage resources, users, and the services you provide to your customers.

The first time you configure a virtual context, you will see only the Admin context. In addition to the configurable attributes of other virtual contexts, the Admin context can configure:

ACE appliance licenses

Resource classes

Port channel, management, and gigabit Ethernet interfaces

High Availability (HA or fault tolerance between ACE appliances)

Application acceleration and optimization on the ACE appliance

Related Topics

Creating Virtual Contexts

Configuring Virtual Contexts

Deleting Virtual Contexts

Creating Virtual Contexts

Use this procedure to create virtual contexts.


Note If you do not configure a management VLAN for SNMP access, the ACE appliance Device Manager will not be able to poll the context.



Note If an ACE appliance is configured as a hot standby in a high availability pair, its configuration cannot be modified and you cannot add or modify virtual contexts. ACE appliances configured as hot standby members display Standby Hot in the HA State column in the All Virtual Contexts table (Config > Virtual Contexts). For more information, see High Availability Polling, page 9-6.


Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Click Add. The New Virtual Context screen appears.

Step 3 Configure the virtual context using the information in Table 2-1.


Tip Fields with 2 or 3 choices use radio buttons. Fields with more than 3 choices use dropdown lists.


Table 2-1 Virtual Context Configuration Attributes 

Field
Description

Basic Settings

Name

Enter a unique name for the virtual context. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

This field is read-only for existing contexts.

Description

Enter a brief description of the virtual context. Enter a description as an unquoted text string with a maximum of 240 alphanumeric characters.

Resource Class

Select the resource class this virtual context is to use.

Allocate Interface VLANs

Enter the number of a VLAN or a range of VLANs so that the context can receive the associated traffic. You can specify VLANs in any of the following ways:

For a single VLAN, enter an integer from 2 to 4094.

For multiple, non-sequential VLANs, use comma-separated entries, such as 101, 201, 302.

For a range of VLANs, use the format <beginning-VLAN>-<ending-VLAN>, such as 101-150.

Note VLANs cannot be modified in an Admin context.

Default Gateway IP

Enter the IP address of the default gateway. Use a comma-separated list to specify multiple IP addresses, such as 192.168.65.1, 192.168.64.2.

Default static routes with a netmask and IP address of 0.0.0.0 previously configured on the ACE appear in this field.

Management Settings

VLAN Id

Enter the VLAN number that you want to assign to the management interface. Valid values are from 2 to 4094. By default, all devices are assigned to VLAN1, known as the default VLAN.

The ACE Device Manager identifies the management class maps and policy maps associated with the selected VLAN ID assigned to the management interface.

This field is read-only if configured for existing contexts.

VLAN Description

Enter a description for the management interface. Enter an unquoted text string that contains a maximum of 240 alphanumeric characters including spaces.

Interface Mode

Select the topology that reflects the relationship of the selected ACE virtual context to the real servers in the network:

Routed—The ACE virtual context acts as a router between the client-side network and the server-side network. In this topology, every real server for the application must be routed through the ACE virtual context, either by setting the default gateway on each real server to the virtual context server-side VLAN interface address, or by using a separate router with appropriate routes configured between the ACE virtual context and the real servers.

Bridged—The virtual ACE bridges two VLANs—a client-side VLAN and a real-server VLAN—on the same subnet using a bridged virtual interface (BVI). In this case, the real server routing does not change to accommodate the ACE virtual context. Instead, the virtual ACE transparently handles traffic to and from the real servers.

This field is read-only if configured for existing contexts.

Management IP

Enter the IP address that is to be used for remote management of the context. This address must be a unique management IP address that is not used in another context. The DM does not support duplicate management IP addresses in different contexts.

Note The Device Manager considers an interface as a management interface if it has a management policy map associated with the VLAN interface. See the "Configuring VLAN Interface Policy Map Use" section on page 8-15.

Management Netmask

Select the subnet mask to apply to this IP address.

Alias IP Address

Enter the IP address of the alias associated with this interface.

Peer IP Address

Enter the IP address of the remote peer.

Access Permission

Select the source IP addresses that are allowed on the management interface:

Allow All—Allows all configured client source IP addresses on the management interface as the network traffic matching criteria.

Deny All—Denies all configured client source IP addresses on the management interface as the network traffic matching criteria.

Match—Displays the Match Conditions table, where you specify the match criteria that the ACE is to use for traffic on the management interface.

Match Conditions

When you enter the VLAN ID for the management interface, the Match Conditions table appears.

To add or modify the protocols allowed on this management VLAN, do the following:

1. Click Add to choose a protocol for the management interface, or choose an existing protocol entry listed in the Match Conditions table and click Edit to modify it.

2. In the Protocol drop-down list, choose a protocol:

HTTP—Specifies the Hypertext Transfer Protocol (HTTP).

HTTPS—Specifies the Hypertext Transfer Protocol Secure (HTTPS) for connectivity with the interface using port 443.

ICMP—Specifies the Internet Control Message Protocol (ICMP), commonly referred to as ping.

KALAP-UDP—Specifies the Keepalive Appliance Protocol over UDP.

SNMP—Specifies the Simple Network Management Protocol (SNMP).


Note If SNMP is not selected, the ACE appliance Device Manager cannot poll the context.


SSH—Specifies a Secure Shell (SSH) connection to the ACE.

TELNET—Specifies a Telnet connection to the ACE. Telnet carries the login name and password in cleartext; allow it only where SSH is not an option, and then restrict it to specific source addresses rather than Any.

XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving XML documents between the ACE appliance and a Network Management System (NMS) using port 10443. This option is available for ACE appliances only.

3. In the Allowed From field, specify the matching criteria for the client source IP address:

Any—Specifies any client source address for the management traffic classification.

Source Address—Specifies a client source host IP address and subnet mask as the network traffic matching criteria.

4. Click OK to accept the protocol selection (or click Cancel to exit without accepting your entries).

Note To remove a protocol from the management VLAN, choose the entry in the Match Conditions table, and click Delete.

Enable SNMP Get

Check this check box to add an SNMP Get community string to enable SNMP polling on this context.

This field is read-only if configured for existing contexts.

SNMP v2c Read-Only Community String

When you check the Enable SNMP Get check box, this field appears.

Enter the SNMPv2c read-only community string to be used as the SNMP Get community string. Treat this string as a credential: SNMPv2c sends it unencrypted, so do not use a well-known default such as public, and restrict the SNMP protocol entry in the Match Conditions table to the source address of the Device Manager.

This field is read-only if configured for existing contexts.

Note If SNMP is not an allowed protocol, the ACE appliance Device Manager will not be able to poll the context.

More Settings

Switch Mode

Check this check box to change the way that the ACE processes TCP connections that are not destined to a VIP or that do not have any policies associated with their traffic. For such traffic, the ACE still creates connection objects but processes the connections as stateless connections, which means that they do not undergo any TCP normalization checks. With this option enabled, the ACE also creates stateless connections for non-SYN TCP packets if they satisfy all other configured requirements. This process ensures that a long-lived persistent connection passes through the ACE successfully (even if it times out) by being reestablished by any incoming packet related to the connection.

By default, these stateless connections time out after 2 hours and 15 minutes unless you configure the inactivity timeout otherwise in a parameter map. When a stateless connection times out, the ACE does not send a TCP RST packet but silently closes the connection. Even though these connections are stateless, the TCP RST and FIN-ACK flags are honored and the connections are closed when the ACE sees these flags in the received packets.

Shared VLAN Host Id

Specific bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. This field is available only in the Admin context.

Add Admin User

When initially configuring the context, check this check box to configure this context for an Admin user. When the fields appear, enter the user name and password, and confirm the password.


Step 4 Click:

Deploy Now to deploy this virtual context. To configure other virtual context attributes, see Configuring Virtual Contexts.

Cancel to exit this procedure without saving your entries and to return to the All Virtual Contexts table.
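
The Allocate Interface VLANs field in Table 2-1 accepts a single VLAN, a comma-separated list, or a begin-end range. The parser below is an added example, not Device Manager or Cisco code: it accepts those forms, enforces the 2 to 4094 VLAN ID range, and reports any VLAN that more than one context claims so that you can confirm the sharing is intended before you click Deploy Now. The function names and the sample allocations are constructed for illustration.

```python
"""Parse and validate the VLAN allocation syntax of Table 2-1.

Added example; not part of the Cisco guide or Device Manager. It accepts
the three documented forms (single VLAN, comma-separated list, begin-end
range), enforces the 2 to 4094 VLAN ID range, and reports VLANs that more
than one context claims so the operator can confirm the sharing is intended.
Function names and sample data are constructed for illustration.
"""

VLAN_MIN, VLAN_MAX = 2, 4094


def _vlan_id(text: str) -> int:
    """Validate one VLAN number as Table 2-1 describes it."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError(f"VLAN ID {text!r} is not an integer")
    vid = int(text)
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError(f"VLAN ID {vid} is outside {VLAN_MIN}-{VLAN_MAX}")
    return vid


def parse_vlan_spec(spec: str) -> list[int]:
    """Return the sorted, de-duplicated VLAN IDs named by spec.

    Accepts '5', '101, 201, 302' and '101-150', and mixtures such as
    '101-150, 302'.
    """
    vlans: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty entry in VLAN specification {spec!r}")
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo, hi = _vlan_id(lo_text), _vlan_id(hi_text)
            if lo > hi:
                raise ValueError(f"range {item!r}: beginning VLAN is after ending VLAN")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(_vlan_id(item))
    return sorted(vlans)


def shared_vlans(allocations: dict[str, str]) -> dict[int, list[str]]:
    """Map each VLAN allocated to two or more contexts to the names of those contexts."""
    owners: dict[int, list[str]] = {}
    for context, spec in allocations.items():
        for vid in parse_vlan_spec(spec):
            owners.setdefault(vid, []).append(context)
    return {vid: ctxs for vid, ctxs in sorted(owners.items()) if len(ctxs) > 1}


if __name__ == "__main__":
    # Constructed allocations for three contexts; VLAN 101 is claimed twice.
    sample = {"Admin": "2-10", "customerA": "101, 201, 302", "customerB": "101-150"}
    for context, spec in sample.items():
        print(context, parse_vlan_spec(spec))
    print("shared:", shared_vlans(sample))
```

A VLAN that appears in the output of shared_vlans is a shared VLAN: both contexts receive its traffic. That is a supported configuration (see the Shared VLAN Host Id field), but it should be a deliberate choice rather than a typo in a range.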


Related Topics

Using Virtual Contexts

Configuring Virtual Contexts
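
The Access Permission and Match Conditions fields in Table 2-1 together define which protocols the management interface accepts and from which source addresses. The model below is an added example, not Device Manager code: it evaluates a connection attempt against such a policy and audits the policy for the settings a reviewer would question (Telnet, cleartext protocols open to any source, SNMP missing so that the Device Manager cannot poll). It assumes that Allow All permits every protocol from every source and that Deny All permits nothing; the page does not say whether Allow All is further limited to the listed protocols, so confirm the behaviour against the management class map the ACE actually deploys. The sample policy is constructed.

```python
"""Model the management-interface access policy described in Table 2-1.

Added example, not Device Manager code. It represents the Access Permission
setting (Allow All, Deny All, Match) and the Match Conditions rows (a
protocol plus Allowed From = Any or a source network), decides whether a
management connection is permitted, and audits the policy. Assumption: Allow
All permits every protocol from every source and Deny All permits nothing;
check the deployed class map if the ACE limits Allow All further.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

PROTOCOLS = {"HTTP", "HTTPS", "ICMP", "KALAP-UDP", "SNMP", "SSH", "TELNET", "XML-HTTPS"}
# Protocols that carry credentials or community strings unencrypted. This is a
# property of the protocols, not something the guide states.
CLEARTEXT = {"HTTP", "SNMP", "TELNET"}


@dataclass(frozen=True)
class MatchCondition:
    protocol: str
    allowed_from: Optional[IPv4Network]  # None means Allowed From = Any

    def __post_init__(self) -> None:
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unknown management protocol {self.protocol!r}")

    def matches(self, protocol: str, source: IPv4Address) -> bool:
        return self.protocol == protocol and (
            self.allowed_from is None or source in self.allowed_from
        )


@dataclass(frozen=True)
class ManagementPolicy:
    access_permission: str  # "Allow All", "Deny All" or "Match"
    conditions: tuple[MatchCondition, ...] = ()

    def permits(self, protocol: str, source: str) -> bool:
        """True if a management connection using protocol from source is accepted."""
        proto = protocol.upper()
        src = IPv4Address(source)
        if self.access_permission == "Allow All":
            return True
        if self.access_permission == "Deny All":
            return False
        if self.access_permission != "Match":
            raise ValueError(f"unknown Access Permission {self.access_permission!r}")
        return any(c.matches(proto, src) for c in self.conditions)

    def audit(self) -> list[str]:
        """Findings a reviewer would raise; an empty list means nothing was flagged."""
        findings: list[str] = []
        if self.access_permission == "Allow All":
            findings.append("Allow All: management plane reachable from any source")
        for c in self.conditions:
            where = "any source" if c.allowed_from is None else str(c.allowed_from)
            if c.protocol == "TELNET":
                findings.append(f"TELNET allowed from {where}: cleartext; use SSH")
            elif c.protocol in CLEARTEXT and c.allowed_from is None:
                findings.append(
                    f"{c.protocol} allowed from any source: restrict to the management station"
                )
        # The guide: if SNMP is not an allowed protocol, Device Manager cannot poll.
        if self.access_permission == "Match" and not any(
            c.protocol == "SNMP" for c in self.conditions
        ):
            findings.append("SNMP not allowed: Device Manager cannot poll this context")
        return findings


if __name__ == "__main__":
    # Constructed policy: SSH and HTTPS from the management subnet only,
    # SNMP from anywhere, and Telnet left open.
    policy = ManagementPolicy("Match", (
        MatchCondition("SSH", IPv4Network("10.10.0.0/24")),
        MatchCondition("HTTPS", IPv4Network("10.10.0.0/24")),
        MatchCondition("SNMP", None),
        MatchCondition("TELNET", None),
    ))
    for proto, src in (("ssh", "10.10.0.5"), ("ssh", "192.0.2.7"), ("telnet", "192.0.2.7")):
        print(proto, src, policy.permits(proto, src))
    for finding in policy.audit():
        print("finding:", finding)
```

Run the audit against each context before deployment; the two findings it raises for the sample policy (SNMP from any source, Telnet enabled) are exactly the rows a reviewer would send back.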

Configuring Virtual Contexts

After creating a virtual context, you can configure it. Configuring a virtual context involves configuring a number of attributes, grouped into configuration subsets. Table 2-2 describes ACE appliance Device Manager configuration subsets and provides links to related topics.


Note If an ACE appliance is configured as a hot standby in a high availability pair, its configuration cannot be modified and you cannot add or modify virtual contexts. ACE appliances configured as hot standby members display Standby Hot in the HA State column in the All Virtual Contexts table (Config > Virtual Contexts). For more information, see High Availability Polling, page 9-6.



Note To add objects such as real servers or server farms to a customized domain, use the CLI and then use the synchronize feature in ACE appliance Device Manager to add this object into its customized domain on ACE appliance Device Manager. Adding objects to customized domains directly in ACE appliance Device Manager results in the object being added to the default domain.

Synchronization options are available in the All Virtual Contexts table (Config > Virtual Contexts).



Tip Fields with 2 or 3 choices use radio buttons. Fields with more than 3 choices use dropdown lists.


Table 2-2 ACE Appliance and Virtual Context Configuration Options 

Configuration Subset
Description
Related Topics

System

System configuration options allow you to configure:

Primary attributes such as VLANs, SNMP access, and resource class.

Syslog attributes including the type and severity of syslog messages that are to be logged, the syslog log host, log messages, and log rate limits.

SNMP options.

Global policy map configuration for all VLANs on a virtual context.

ACE appliance license use on the ACE appliance.

Resource classes for allocation of ACE appliance resources.

Application acceleration and optimization on the ACE appliance.

Checkpoint (snapshot in time) of a known stable running configuration

Back up or restore the configuration and dependencies of an entire ACE or of a particular virtual context

Note ACE appliance licenses, resource classes, and acceleration and optimization can be configured only in an Admin context.

Configuring Virtual Context Primary Attributes

Configuring Virtual Context Syslog Logging

Configuring SNMP for Virtual Contexts

Configuring Virtual Context Global Traffic Policies

Managing ACE Appliance Licenses

Managing Resource Classes

Configuring Global Application Acceleration and Optimization, page 11-9

Using the Configuration Checkpoint and Rollback Service

Performing Device Backup and Restore Functions

Load Balancing

Load-balancing attributes allow you to

Configure virtual servers, real servers, and server farms for load balancing

Establish the predictor method and return code checking

Implement sticky groups for session persistence

Configure parameter maps to combine related actions for policy maps

Load-balancing configuration options include:

Virtual servers

Real servers

Server farms

Health monitoring

Sticky attributes

Parameter maps

Load Balancing Overview, page 3-1

Configuring Virtual Servers, page 3-2

Configuring Server Farms, page 4-11

Configuring Health Monitoring for Real Servers, page 4-31

Configuring Sticky Groups, page 5-7

Configuring Parameter Maps, page 6-1

SSL

SSL configuration options allow you to:

Import and export SSL certificates and keys

Set up SSL parameter maps and chain group parameters

Generate certificate signing requests for submission to a certificate authority

Authenticate peer certificates

Configure certificate revocation lists for use during client authentication

Configuring SSL, page 7-1

Using SSL Certificates, page 7-6

Using SSL Keys, page 7-11

Generating CSRs, page 7-26

Configuring SSL Parameter Maps, page 7-19

Configuring SSL Chain Group Parameters, page 7-24

Configuring SSL Proxy Service, page 7-27

Configuring SSL Authentication Groups, page 7-29

Configuring CRLs for Client Authentication, page 7-31

Security

Security configuration options allow you to create access control lists, set ACL attributes, resequence ACLs, delete ACLs, and configure object groups.

Configuring Virtual Context Expert Options

Creating ACLs

Configuring Object Groups

Network

Network configuration options allow you to configure:

Port channel interfaces

Gigabit Ethernet interfaces

VLAN interfaces

BVI interfaces

Network Address Translation (NAT) pools for a VLAN interface

Static routes

DHCP relay agents

Note You can configure port channel and gigabit Ethernet interfaces only in an Admin context.

Configuring Gigabit Ethernet Interfaces, page 8-4

Configuring Virtual Context VLAN Interfaces, page 8-8

Configuring Virtual Context BVI Interfaces, page 8-19

Configuring VLAN Interface NAT Pools, page 8-17

Configuring Virtual Context Static Routes, page 8-22

Configuring Global IP DHCP, page 8-23

High Availability

High Availability (HA) attributes allow you to configure two ACE appliances for fault-tolerant redundancy.

Note You can set up high availability only in an Admin virtual context.

Configuring High Availability, page 9-1

Configuring High Availability Peers, page 9-8

Configuring ACE High Availability Groups, page 9-11

HA Tracking And Failure Detection

HA Tracking And Failure Detection attributes allow you to configure tracking processes that can help ensure reliable fault tolerance.

High Availability Tracking and Failure Detection Overview, page 9-16

Tracking VLAN Interfaces for High Availability, page 9-17

Tracking Hosts for High Availability, page 9-18

Expert

Expert options allow you to:

Configure traffic policies for filtering and handling traffic received by or passing through the ACE appliance.

Configure optimization action lists.

Configure HTTP header modify action lists.

Configuring Traffic Policies, page 10-1

Configuring an HTTP Optimization Action List, page 11-3

Configuring an HTTP Header Modify Action List, page 10-80


Configuring Virtual Context System Attributes

Table 2-3 identifies the ACE appliance Device Manager virtual context System configuration options and related topics for more information.

Table 2-3 Virtual Context System Configuration Options 

System Configuration Options
Related Topics

Specify virtual context primary attributes

Configuring Virtual Context Primary Attributes

Configure syslog options

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configure SNMP options

Configuring SNMP for Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Establish global policy maps for all VLANs on a virtual context

Configuring Virtual Context Global Traffic Policies

Manage ACE appliance licenses

Managing ACE Appliance Licenses

Manage ACE appliance resources across virtual contexts

Managing Resource Classes

Establish application acceleration and optimization for the ACE appliance

Configuring Global Application Acceleration and Optimization, page 11-9

Back up or restore the configuration and dependencies of an entire ACE or of a particular virtual context

Performing Device Backup and Restore Functions


Configuring Virtual Context Primary Attributes

Primary attributes specify a name and resource class for each virtual context. After providing this information, you can configure other attributes, such as interfaces, monitoring, or load-balancing. For a complete list of configuration options, see Configuring Virtual Contexts.

Use this procedure to configure virtual context primary attributes.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Primary Attributes. The Primary Attributes configuration screen appears.

Step 2 Enter the primary attributes for this virtual context as described in Table 2-1.

Step 3 Click Deploy Now to deploy this configuration on the ACE appliance.

To exit this procedure without accepting your entries, select a different configuration option.


Related Topics

Using Virtual Contexts

Configuring Virtual Context VLAN Interfaces, page 8-8

Configuring Virtual Context BVI Interfaces, page 8-19

Configuring Virtual Context Syslog Logging

Configuring Traffic Policies, page 10-1

Configuring Virtual Context Syslog Logging

The ACE appliance uses syslog to hand log messages to a logging process that writes them to the configured destinations asynchronously, so the processes that generate the messages do not wait for them to be written. Use this procedure to configure the basic syslog attributes of a virtual context.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen appears.

Step 2 Enter the syslog logging attributes in the displayed fields (see Table 2-5).

All fields that require you to select syslog severity levels use the values in Table 2-4.

Table 2-4 Syslog Logging Levels 

Severity
Description

0-Emergency

Unusable system

1-Alert

Immediate action required

2-Critical

Critical condition

3-Error

Error condition

4-Warning

Warning condition

5-Notification

Normal but significant condition

6-Information

Informational message only

7-Debug

Appears only during debugging


The severity level that you specify is a threshold: syslog sends messages at that level and at every more severe (numerically lower) level. For example, if you specify Error (3), syslog displays Error, Critical, Alert, and Emergency messages.


Note If you set all syslog levels to Debug, some commands like switchover are not processed successfully. These commands are issued via the CLI and ACE appliance Device Manager cannot parse the returned prompt if Debug level is enabled. Instead, a timeout message is displayed.

If you set syslog levels to Debug and then issue a command that results in a timeout message, click Refresh to view the result of the operation.



Note Setting all syslog levels to Debug during normal operation can degrade overall performance.


Table 2-5 Virtual Context Syslog Configuration Attributes 

Field
Description
Action

Enable Syslog

This option indicates whether syslog logging should be enabled or disabled.

Check the check box to enable syslog logging or clear the check box to disable syslog logging.

Facility

The syslog daemon uses the specified syslog facility to determine how to process the messages it receives. Syslog servers file or direct messages based on the facility number in the message.

For more information on the syslog daemon and facility levels, refer to your syslog daemon documentation.

Enter the facility appropriate for your network.

Valid entries are 16 (LOCAL0) through 23 (LOCAL7). The default for an ACE appliance is 20 (LOCAL4).

Buffered Level

This option enables system logging to a local buffer and limits the messages sent to the buffer based on severity.

Select the desired level for sending system log messages to a local buffer.

This option is disabled by default.

Console Level

This option specifies the maximum level for system log messages sent to the console.

Select the desired level for sending system log messages to the console.

This option is disabled by default.

Note Logging to the console can degrade system performance. Therefore, we recommend that you log messages to the console only when you are testing or debugging problems. Do not use this option when the network is busy, as it can reduce ACE appliance performance.

History Level

This option specifies the maximum level for system log messages sent as traps to an SNMP network management station.

Select the desired level for sending system log messages as traps to an SNMP network management station.

This option is disabled by default.

Note For more information about configuring SNMP, see Configuring SNMP Notification.

Monitor Level

This option specifies the maximum level for system log messages sent to a remote connection using Secure Shell (SSH) or Telnet on the ACE appliance.

Select the desired level for sending system log messages to a remote connection using SSH or Telnet on the ACE appliance.

This option is disabled by default.

Note You must enable remote access on the ACE appliance and establish a remote connection using the SSH or Telnet protocol from a PC for this option to work.

Persistence Level

This option specifies the maximum level for system log messages sent to Flash memory.

Select the desired level for sending system log messages to Flash memory.

This option is disabled by default.

Note We recommend that you use a more severe (numerically lower) level, such as 3 (Error), because logging at a high rate to Flash memory on the ACE appliance might impact performance.

Trap Level

This option specifies the maximum level for system log messages sent to a syslog server.

Select the desired level for sending system log messages to a syslog server.

This option is disabled by default.

Queue Size

This option specifies the size of the buffer for storing syslog messages received from other processes within the ACE appliance while they await processing. When the queue exceeds the specified value, the excess messages are discarded.

Enter the desired queue size.

Valid entries are from 0 to 8192 messages.

The default is 100 messages.

Enable Timestamp

This option indicates whether syslog messages should include the date and time that the message was generated.

Check the check box to enable timestamps on syslog messages or clear the check box to disable timestamps on syslog messages.

This option is disabled by default.

Enable Standby

This option indicates whether logging is enabled on the failover standby ACE appliance. When enabled:

This feature causes twice the message traffic on the syslog server.

The standby ACE appliance syslog messages remain synchronized if failover occurs.

Check the check box to enable logging on the failover standby ACE appliance or clear the check box to disable logging on the failover standby ACE appliance.

Enable Fastpath Logging

This option indicates whether connection setup and teardown messages are logged.

Check the check box to enable the logging of setup and teardown messages or clear the check box to disable the logging of setup and teardown messages.

This option is disabled by default.

Device Id Type

This option specifies the type of unique device identifier to be included in syslog messages sent to the syslog server.

The device identifier does not appear in EMBLEM-formatted messages, SNMP traps, or on the ACE appliance console, management session, or buffer.

Select the type of device identifier to be used:

Any String—Indicates that a text string is to be used to uniquely identify syslog messages sent from the ACE appliance.

Context Name—Indicates that the name of the current virtual context is to be used to uniquely identify the syslog messages sent from the ACE appliance.

Host Name—Indicates that the hostname of the ACE appliance is to be used to uniquely identify the syslog messages sent from the ACE appliance.

Interface—Indicates that the IP address of the interface is to be used to uniquely identify the syslog messages sent from the ACE appliance.

Undefined—Indicates that no identifier is to be used.

Device Interface Name

This field appears if the Device Id Type is Interface.

This option specifies the logging device interface to be used to uniquely identify syslog messages sent from the ACE appliance.

Enter a text string that uniquely identifies the logging device interface name whose ID is to be included in system messages. The maximum string length is 64 characters without spaces. Do not use the following characters: & (ampersand), ' (single quote), " (double quote), < (less than), > (greater than), or ? (question mark).

Logging Device Id

This field appears if the Device ID Type is Any String.

This option specifies the text string to be used to uniquely identify syslog messages sent from the ACE appliance.

Enter a text string that uniquely identifies the syslog messages sent from the ACE appliance. The maximum string length is 64 characters without spaces. Do not use the following characters: & (ampersand), ' (single quote), " (double quote), < (less than), > (greater than), or ? (question mark).


Step 3 Click Deploy Now to deploy this configuration on the ACE appliance. To configure other Syslog attributes for this virtual context, see:

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits
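
Table 2-4 and the Facility field of Table 2-5 together determine the PRI value that prefixes every message the ACE sends to a syslog server, and the severity you select is a threshold rather than a single level. The following is an added example, not Cisco code, that computes and decodes PRI values (facility * 8 + severity, as RFC 3164 and RFC 5424 define it) and applies the threshold rule to a few lines; the sample lines are constructed and contain no real ACE message IDs.

```python
"""Decode syslog PRI values and apply the severity threshold rule of Table 2-4.

Added example; not Cisco code. A syslog PRI is facility * 8 + severity
(RFC 3164 and RFC 5424), so with the ACE default facility 20 (LOCAL4) an
Error-level message arrives as <163>. at_or_above() implements the guide's
rule: choosing a level keeps that level and every more severe (numerically
lower) one. SAMPLE_LINES are constructed, not captured from an ACE.
"""
import re

SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notification", 6: "Information", 7: "Debug"}
LEVEL_NUMBER = {name.lower(): n for n, name in SEVERITY.items()}
FACILITY = {16 + i: f"LOCAL{i}" for i in range(8)}   # 16 (LOCAL0) to 23 (LOCAL7)
ACE_DEFAULT_FACILITY = 20                             # LOCAL4, the ACE default

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SAMPLE_LINES = [  # constructed; PRI = 20 * 8 + severity
    "<160>constructed: emergency message",
    "<162>constructed: critical message",
    "<163>constructed: error message",
    "<164>constructed: warning message",
    "<166>constructed: informational message",
    "<167>constructed: debug message",
]


def pri(facility: int, severity: int) -> int:
    """Compute the PRI carried by a message of this facility and severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(line: str) -> tuple[int, int, str]:
    """Split a '<PRI>...' line into (facility, severity, remainder)."""
    m = _PRI.match(line)
    if not m:
        raise ValueError("line does not begin with a <PRI> field")
    value = int(m.group(1))
    if value > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {value} out of range")
    return value // 8, value % 8, m.group(2)


def facility_name(facility: int) -> str:
    """LOCAL0 to LOCAL7 for the facilities the ACE can use; the number otherwise."""
    return FACILITY.get(facility, str(facility))


def level_number(name: str) -> int:
    """Map a Table 2-4 level name (case-insensitive) to its number."""
    try:
        return LEVEL_NUMBER[name.lower()]
    except KeyError:
        raise ValueError(f"unknown syslog level {name!r}") from None


def at_or_above(lines: list[str], level: str) -> list[str]:
    """Keep the lines that a threshold of `level` would let through."""
    threshold = level_number(level)
    return [line for line in lines if decode_pri(line)[1] <= threshold]


if __name__ == "__main__":
    for line in at_or_above(SAMPLE_LINES, "Error"):
        fac, sev, rest = decode_pri(line)
        print(f"{facility_name(fac)}/{SEVERITY[sev]}: {rest}")
```

When a collector files messages by facility, decode_pri is the check to run on a captured line if ACE messages are landing in the wrong file: a facility of 20 means the ACE default (LOCAL4) is still in effect.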


Related Topics

Configuring Virtual Contexts

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configuring Syslog Log Hosts

After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Logging), you can configure the log host, log messages, and log rate limits. The tabs for these attributes appear beneath the Syslog configuration screen.

Use this procedure to configure Syslog log hosts.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen appears.

Step 2 Select the Log Host tab. The Log Host table appears.

Step 3 Click Add to add a new log host, or select an existing log host, then click Edit to modify it. The Log Host configuration screen appears.

Step 4 In the IP Address field, enter the IP address of the host to be used as the syslog server.

Step 5 In the Protocol field, select TCP or UDP as the protocol to be used.

Step 6 In the Protocol Port field, enter the number of the port that the syslog server listens to for syslog messages. The default is 514, the standard syslog port; if you enter a port explicitly, valid entries are from 1024 to 65535.

Step 7 The Default UDP check box appears if TCP is selected in the Protocol field (Step 5). Check the Default UDP check box to specify that the ACE appliance is to default to UDP if the TCP transport fails to communicate with the syslog server. Clear this check box to prevent the ACE appliance from defaulting to UDP if the TCP transport fails.

Step 8 In the Format field, indicate whether EMBLEM-format logging is to be used:

N/A—Indicates that you do not want to enable EMBLEM-format logging.

Emblem—Indicates that EMBLEM-format logging is to be enabled for each syslog server. If you use Cisco Resource Manager Essentials (RME) software to collect and process syslog messages on your network, enable EMBLEM-format logging so that RME can handle them. Similarly, UDP needs to be enabled because the Cisco Resource Manager Essentials (RME) syslog analyzer supports only UDP syslog messages.

Step 9 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Log Host table.

Next to configure another syslog host.


Related Topics

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configuring Syslog Log Messages

After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Logging), you can configure the log host, log messages, and log rate limits. The tabs for these attributes appear beneath the Syslog configuration screen.

Use this procedure to configure Syslog log messages.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen appears.

Step 2 Select the Log Message tab. The Log Message table appears.

Step 3 Click Add to add a new entry to this table, or select an existing entry, then click Edit to modify it. The Log Message configuration screen appears.

Step 4 In the Message Id field, select the system log message ID of the syslog messages that are to be sent to the syslog server or that are not to be sent to the syslog server.

Step 5 Check the Enable State check box to indicate that logging is enabled for the specified message ID. Clear the check box to indicate that logging is not enabled for the specified message ID. If you check the Enable State check box, the Log Level field appears.

Step 6 In the Log Level field, select the desired level of syslog messages to be sent to the syslog server, using the levels identified in Table 2-4.

Step 7 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Log Message table.

Next to save your entries and to configure additional syslog message entries for this virtual context.


Related Topics

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Hosts

Configuring Syslog Log Rate Limits

Configuring Syslog Log Rate Limits

After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Logging), you can configure the log host, log messages, and log rate limits. The tabs for these attributes appear beneath the Syslog configuration screen.

Use this procedure to limit the rate at which the ACE appliance generates messages in the syslog.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Syslog. The Syslog configuration screen appears.

Step 2 Select the Log Rate Limit tab. The Log Rate Limit table appears.

Step 3 Click Add to add a new entry to this table, or select an existing entry, then click Edit to modify it. The Log Rate Limit configuration screen appears.

Step 4 In the Type field, indicate the method by which syslog messages are to be limited:

Select Level to limit syslog messages by syslog level. In the Level field, select the level of syslog messages to be sent to the syslog server, using the levels identified in Table 2-4.

Select Message to limit syslog messages by message identification number. In the Message Id field, select the syslog message ID for those messages for which you want to suppress reporting.

Step 5 Check the Unlimited check box to indicate that limits are not to be applied to system message logging. Clear the Unlimited check box to indicate that limits are to be applied to system message logging. If you clear the Unlimited check box, the Rate and Time Interval fields appear.

Step 6 If you clear the Unlimited check box, specify the limits to apply to system message logging:

a. In the Rate field, enter the maximum number of syslog messages to be created per time interval. When this limit is reached, the ACE appliance limits the creation of new syslog messages to no more than the specified rate. Valid entries are integers from 0 to 2147483647.

b. In the Time Interval (Seconds) field, enter the length of time (in seconds) over which the system message logs are to be limited. The default time interval is one second. For example, if you enter 42 in the Rate field and 60 in the Time Interval (Seconds) field, the ACE appliance limits the creation of syslog messages that are sent to a maximum of 42 messages in that 60-second period. Valid entries are from 0 to 2147483647 seconds.

Step 7 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Log Rate Limit table.

Next to save your entries and to add another entry to the Log Rate Limit table.
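The following is an added example, not Cisco's code, that models how the Log Rate Limit entries above behave on a stream of messages: a Level rule or a Message rule with a Rate and Time Interval, or with Unlimited checked. The page does not state the appliance's exact counting rule, so this model assumes fixed, back-to-back windows that open at the first matching message, and that a message matching both a Level rule and a Message rule is charged against both and emitted only if both allow it; the message ID 999001 is a constructed placeholder, not a real ACE message number.

```python
"""Model of ACE-style syslog rate limiting (added example, not Cisco's code).

Assumptions (the page does not specify them): a rule counts matching messages
in fixed, back-to-back windows of `interval` seconds that start at the first
matching message; a message matching a Level rule and a Message rule is
charged against each rule and emitted only if every matching rule allows it.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass
class RateLimitRule:
    kind: str                # "level" or "message", like the Type field
    key: int                 # syslog severity (0-7) or a message ID
    rate: int = 0            # Rate field: messages allowed per interval
    interval: int = 1        # Time Interval (Seconds) field; page default is 1
    unlimited: bool = False  # the Unlimited check box
    _window_start: Optional[float] = field(default=None, init=False, repr=False)
    _count: int = field(default=0, init=False, repr=False)

    def allows(self, ts: float) -> bool:
        """Charge one message at time `ts`; return False if it must be dropped."""
        if self.unlimited:
            return True
        if self._window_start is None or ts - self._window_start >= self.interval:
            self._window_start = ts   # open a new counting window
            self._count = 0
        if self._count < self.rate:
            self._count += 1
            return True
        return False


@dataclass
class SyslogMessage:
    ts: float      # seconds since an arbitrary epoch
    level: int     # syslog severity
    msg_id: int    # system log message ID
    text: str


class SyslogRateLimiter:
    """Applies Level and Message rules to a stream of messages."""

    def __init__(self, rules: Iterable[RateLimitRule]):
        rules = list(rules)
        self.level_rules = {r.key: r for r in rules if r.kind == "level"}
        self.message_rules = {r.key: r for r in rules if r.kind == "message"}

    def filter(self, messages: Iterable[SyslogMessage]
               ) -> Tuple[List[SyslogMessage], List[SyslogMessage]]:
        emitted: List[SyslogMessage] = []
        suppressed: List[SyslogMessage] = []
        for m in messages:
            matching = [r for r in (self.message_rules.get(m.msg_id),
                                    self.level_rules.get(m.level)) if r is not None]
            # Evaluate every matching rule (no short-circuit) so each one is charged.
            verdicts = [r.allows(m.ts) for r in matching]
            (emitted if all(verdicts) else suppressed).append(m)
        return emitted, suppressed


def demo() -> Tuple[int, int]:
    """The page's example: Rate 42 over a 60-second interval for one message ID.

    Constructed input: 100 copies of placeholder message ID 999001 at severity 6,
    one per second for 100 seconds. Window 1 (t=0..59) holds 60 messages, so 18
    are dropped; window 2 (t=60..99) holds 40, all emitted. Returns (82, 18).
    """
    limiter = SyslogRateLimiter([
        RateLimitRule("message", 999001, rate=42, interval=60),
        RateLimitRule("level", 7, rate=0, interval=1),  # debug level: never emitted
    ])
    burst = [SyslogMessage(ts=float(t), level=6, msg_id=999001, text="constructed sample")
             for t in range(100)]
    emitted, suppressed = limiter.filter(burst)
    return len(emitted), len(suppressed)


if __name__ == "__main__":
    print("emitted/suppressed:", demo())
```

A Rate of 0 with Unlimited cleared drops every matching message, which is the quiet failure mode to check for when an expected message ID never reaches the syslog server.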


Related Topics

Configuring Virtual Contexts

Configuring Virtual Context Syslog Logging

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring SNMP for Virtual Contexts

Use this procedure to configure SNMP for use with this virtual context.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Enter SNMP attributes (see Table 2-6).

Table 2-6 SNMP Attributes 

Field
Description

Contact Information

Enter contact information for the SNMP server within the virtual context as a text string with a maximum of 240 characters including spaces. In addition to a name, you might want to include a phone number or e-mail address. To include spaces, add quotation marks at the beginning and end of the entry.

Location

Enter the physical location of the system as a text string with a maximum of 240 characters including spaces. To include spaces, add quotation marks at the beginning and end of the entry.

Unmask Community

Check the check box to unmask the snmpCommunityName and snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB.

Clear the check box to mask these OIDs. By default, they are masked (the check box is unchecked).

Trap Source Interface

Enter a valid VLAN number that identifies the interface from which the SNMP traps originate.

IETF Trap

Check the check box to indicate that the ACE appliance is to send linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus.

Clear the check box to indicate that the ACE appliance is not to send linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings. Instead, the ACE appliance sends Cisco var-binds by default.


Step 3 Click Deploy Now to deploy this configuration on the ACE appliance. To configure other SNMP attributes, see:

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification


Related Topic

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes appear below the SNMP configuration screen.


Note All SNMP communities in ACE appliance Device Manager are read-only communities and all communities belong to the group network monitors.


Use this procedure to configure SNMP version 2c communities for a virtual context.

Assumption

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Select the SNMP v2c Configuration tab. The SNMP v2c Configuration table appears.

Step 3 Click Add to add an SNMP v2c community. The SNMP v2c Configuration screen appears.


Note You cannot modify an existing SNMP v2c community. Instead, delete the existing SNMP v2c community, then add a new one.


Step 4 In the Read-Only Community field, enter the SNMP v2c community name for this context. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.

Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entry and to return to the SNMP v2c Community table.

Next to save your entry and to configure another SNMP community for this virtual context. The screen refreshes and you can enter another community name.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring SNMP Version 3 Users

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes appear below the SNMP configuration screen.

Use this procedure to configure SNMP version 3 users for a virtual context.

Assumption

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Select the SNMP v3 Configuration tab. The SNMP v3 Configuration table appears.

Step 3 Click Add to add users, or select an existing entry, then Edit to modify it. The SNMP v3 Configuration screen appears.

Step 4 Enter SNMP v3 user attributes (see Table 2-7).

Table 2-7 SNMP v3 User Configuration Attributes 

Field
Description

User Name

Enter the SNMP v3 username. Valid entries are unquoted text strings with no spaces and a maximum of 24 characters.

Authentication Algorithm

Select the authentication algorithm to be used for this user.

N/A—Indicates that no authentication is to be used.

Message Digest (MD5)—Indicates that Message Digest 5 is to be used as the authentication mechanism.

Secure Hash Algorithm (SHA)—Indicates that Secure Hash Algorithm is to be used as the authentication mechanism.

Authentication Password

Appears if you select an authentication algorithm. The ACE appliance automatically updates the password for the CLI user with the SNMP authentication password.

Enter the authentication password for this user as follows:

If the passphrases are specified in clear text, enter an unquoted text string with no space that is from 8 to 64 alphanumeric characters in length. The password length can be an odd or even value.

If use of a localized key is enabled, enter an unquoted text string with no space that is from 8 to 130 alphanumeric characters in length. The password length must be an even value.

Confirm

Appears if you select an authentication algorithm.

Reenter the authentication password.

Localized

Appears if you select an authentication algorithm.

Indicate whether the password is in localized key format for security encryption:

N/A—Indicates that this option is not configured.

False—Indicates that the password is not in localized key format for encryption.

True—Indicates that the password is in localized key format for encryption.

Privacy

Appears if you select an authentication algorithm.

Indicate whether encryption attributes are to be configured for this user:

N/A—Indicates that no encryption attributes are specified.

False—Indicates that encryption parameters are not to be configured for this user.

True—Indicates that encryption parameters are to be configured for this user.

AES 128

Appears if you set Privacy to True.

Indicate whether the 128-byte Advanced Encryption Standard (AES) algorithm is to be used for privacy. AES is a symmetric cipher algorithm and is one of the privacy protocols for SNMP message encryption.

N/A—Indicates that no standard is specified.

False—Indicates that AES 128 is not to be used for privacy.

True—Indicates that AES 128 is to be used for privacy.

Privacy Password

Appears if you set Privacy to True. Enter the user encryption password as follows:

If the passphrases are specified in clear text, enter an unquoted text string with no space that is from 8 to 64 alphanumeric characters in length. The password length can be an odd or even value.

If use of a localized key is enabled, enter an unquoted text string with no space that is from 8 to 130 alphanumeric characters in length. The password length must be an even value.

Confirm

Appears if you set Privacy to True.

Reenter the privacy password.


Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the SNMP v3 Configuration table.

Next to save your entries and to add another entry to the SNMP v3 Configuration table. The screen refreshes and you can enter another SNMP v3 user.
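What the Localized option and the two password-length rules in Table 2-7 refer to in practice, as an added example that is not Cisco's code: the RFC 3414 (Appendix A) password-to-key derivation and key localization, checked against the RFC's own published test vector (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02). The page does not document the derivation the ACE itself uses, so standard RFC 3414 behaviour is assumed; the field check encodes only the length and parity rules the table states.

```python
"""SNMP v3 password-to-key derivation and key localization (RFC 3414, Appendix A).

Added example, not Cisco's code. Assumed: the ACE derives keys as RFC 3414
describes (Ku from the passphrase, then Kul = H(Ku || snmpEngineID || Ku)).
"""
import hashlib

ONE_MEGABYTE = 1_048_576

# Algorithm names as the page lists them -> hashlib digest names.
ALGORITHMS = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku: digest of the passphrase repeated cyclically to exactly 1 MB."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algorithm, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul: Ku bound to one agent by hashing it together with that agent's snmpEngineID."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algorithm: str) -> str:
    """Hex string that an operator would enter with Localized = True for this engine."""
    alg = ALGORITHMS[algorithm.lower()]
    ku = password_to_key(password.encode("utf-8"), alg)
    return localize_key(ku, bytes.fromhex(engine_id_hex), alg).hex()


def password_field_ok(value: str, localized: bool) -> bool:
    """Length rules from Table 2-7: an unquoted alphanumeric string with no spaces,
    8 to 64 characters (any parity) in clear text, or 8 to 130 characters with an
    even length when the localized key format is used."""
    if not value.isalnum():
        return False
    if localized:
        return 8 <= len(value) <= 130 and len(value) % 2 == 0
    return 8 <= len(value) <= 64


if __name__ == "__main__":
    # RFC 3414 A.3 test vector; a localized key differs per engine ID.
    for alg in ("md5", "sha"):
        for eid in ("000000000000000000000002", "000000000000000000000003"):
            key = localized_key_hex("maplesyrup", eid, alg)
            print(alg, eid, key, "field ok:", password_field_ok(key, localized=True))
```

Because Kul depends on the snmpEngineID, a localized key copied out of one appliance's configuration is useless against another agent, which is why entering localized keys rather than clear-text passphrases limits what a leaked configuration exposes.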


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring SNMP Trap Destination Hosts

To receive SNMP notifications you must configure:

At least one SNMP trap destination host. This section describes how to do this.

At least one type of notification. See Configuring SNMP Notification.

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes appear below the SNMP configuration screen.

Use this procedure to configure SNMP trap destination hosts for a virtual context.

Assumption

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Select the Trap Destination Host tab. The Trap Destination Host table appears.

Step 3 Click Add to add a host, or select an existing entry in the table, then Edit to modify it. The Trap Destination Host configuration screen appears.

Step 4 Configure the SNMP trap destination host using the information in Table 2-8.

Table 2-8 SNMP Trap Destination Host Configuration Attributes 

Field
Description

IP Address

Enter the IP address of the server that is to receive SNMP notifications. Enter the address in dotted-decimal format, such as 192.168.11.1.

Port

Enter the port to be used for SNMP notification. The default port is 162.

Version

Select the version of SNMP used to send traps:

V1—Indicates that SNMP version 1 is to be used to send traps. This option is not available for use with SNMP inform requests.

V2c—Indicates that SNMP version 2c is to be used to send traps.

V3—Indicates that SNMP version 3 is to be used to send traps. This version is the most secure model because it allows packet encryption.

Community

Enter the SNMP community string or username to be sent with the notification operation. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.

Security Level

This field appears if V3 is the selected version.

Select the level of security that is to be implemented:

Auth—Indicates that Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) are to be used for packet authentication.

Noauth—Indicates that the noAuthNoPriv security level is to be used.

Priv—Indicates that Data Encryption Standard (DES) is to be used for packet encryption.


Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Trap Destination Host table.

Next to save your entries and to add another entry to the Trap Destination Host table. The screen refreshes and you can add another trap destination host.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Notification

Configuring SNMP Notification

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification. The tabs for these attributes appear below the SNMP configuration screen.

To receive SNMP notifications you must configure:

At least one SNMP trap destination host. See Configuring SNMP Trap Destination Hosts.

At least one type of notification. This section describes how to do this.

Use this procedure to configure SNMP notification for a virtual context.

Assumptions

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

At least one SNMP server host has been configured (see Configuring SNMP Trap Destination Hosts).

Procedure


Step 1 Select Config > Virtual Contexts > context > System > SNMP. The SNMP configuration screen appears.

Step 2 Select the SNMP Notification tab. The SNMP Notification table appears.

Step 3 Click Add to add a new entry. The SNMP Notification configuration screen appears.


Note You cannot modify an existing entry. Instead, delete the existing notification entry, then add a new one.


Step 4 In the Options field, select the type of notifications to be sent to the SNMP host. Some options are available only in the Admin context.

License—SNMP license notifications are to be sent. This option is available only in the Admin context.

SLB—Server load-balancing notifications are to be sent.

SLB Real Server—Notifications of real server state changes are to be sent.

SLB Virtual Server—Notifications of virtual server state changes are to be sent.

SNMP—SNMP notifications are to be sent.

SNMP Authentication—Notifications of incorrect community strings in SNMP requests are to be sent.

SNMP Cold-Start—SNMP agent restart notifications are to be sent after a cold restart (full power cycle) of the ACE. This option is available only in the Admin context.

SNMP Link-Down—Notifications are to be sent when a VLAN interface is down.

SNMP Link-Up—Notifications are to be sent when a VLAN interface is up.

Syslog—Error message notifications (Cisco Syslog MIB) are to be sent.

Virtual Context—Virtual context notifications are to be sent.

Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your selection and to return to the SNMP Notification table.

Next to save your entries and to add another entry to the SNMP Notification table. The screen refreshes and you can select another SNMP notification option.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring Virtual Context Global Traffic Policies

With the ACE appliance Device Manager, you can apply traffic policies to a specific VLAN interface or to all VLAN interfaces in the same virtual context.

Use this procedure to apply a policy to all VLAN interfaces in the selected context.

To apply a policy to a specific VLAN, see Configuring Traffic Policies, page 10-1.


Note You cannot modify an existing policy. Instead, delete the existing global policy, then create a new one.


Assumption

A Layer 3/Layer 4 or Management policy map has been configured for this virtual context. For more information, see Configuring Virtual Context Policy Maps, page 10-33.

Procedure


Step 1 Select Config > Virtual Contexts > context > System > Global Policies. The Global Policies table appears.

Step 2 Click Add to add a new global policy. The Global Policies configuration screen appears.


Note You cannot modify an existing policy. Instead, delete the existing global policy, then create a new one.


Step 3 In the Policy Maps field, select the policy map that you want to apply to all VLANs in this context.

Step 4 In the Direction field, verify that the policy is being applied to incoming communications.

Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Global Policies table.

Next to save your entries and to configure another global policy for this context.


Related Topics

Using Virtual Contexts

Configuring Virtual Context Primary Attributes

Configuring Virtual Context VLAN Interfaces, page 8-8

Configuring Virtual Context Syslog Logging

Configuring Traffic Policies, page 10-1

Managing ACE Appliance Licenses


Note This functionality is available for only Admin contexts.


Cisco Systems offers licenses for ACE appliances that let you increase performance throughput, the number of default contexts, SSL TPS (transactions per second), HTTP compression performance, and application acceleration and optimization. For more information on these licenses, refer to the Cisco 4700 Series Application Control Engine Appliance Administration Guide on cisco.com.

You can view, install, remove, or update ACE appliance licenses using the ACE appliance Device Manager.

Installing or updating an ACE appliance license involves two processes:

Copying the license from a remote network server to the disk0: file system in Flash memory on the ACE appliance.

Installing or updating the license on the ACE appliance.

You can use the ACE appliance Device Manager to perform both processes from a single dialog box. If you previously copied the license to disk0: on the ACE by using the copy CLI command, you can use this dialog box to install the new license or upgrade license on your ACE.

Related Topics

Viewing ACE Appliance Licenses

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Viewing ACE Appliance Licenses


Note This functionality is available for only Admin contexts.


Use this procedure to view the licenses that are currently installed on an ACE appliance.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Context table appears.

Step 2 Select the Admin context whose ACE appliance licenses you want to view, then click System > Licenses. The Licenses table appears listing all installed licenses.


Related Topics

Managing ACE Appliance Licenses

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Installing ACE Appliance Licenses


Note This functionality is available for only Admin contexts.


Use this procedure to copy and install a new or upgrade ACE appliance license from a remote server onto the ACE appliance.

Assumption

You have received the proper software license key for the ACE appliance.

ACE appliance licenses are available on a remote server for importing to the ACE appliance, or you have received the software license key and have copied the license file to the disk0: filesystem on the ACE appliance using the copy disk0: CLI command.

This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh key rsa 1024 force command is applied on the appliance.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the Admin context you want to import and install a license for, then click System > Licenses. The Licenses table appears listing all installed licenses.

Step 3 Click Install License. The Copy a License File and Install It On The ACE dialog box appears.

Step 4 If the license currently exists on the ACE appliance disk0: file system in Flash memory, leave the License needs to be copied to disk0:? check box unchecked. Proceed to Step 10.

Step 5 If the update license must be copied to the disk0: file system in Flash memory, check the License needs to be copied to disk0:? check box. Proceed to Step 6.

Step 6 In the Protocol field, select the protocol to be used to import the license file from the remote server to the ACE appliance:

If you select FTP, the User and Password fields appear. Continue with Step 7.

If you select SFTP, the User and Password fields appear. Continue with Step 7.

If you select TFTP, continue with Step 8.

Step 7 If you select FTP or SFTP:

a. In the User field, enter the username of the account on the network server.

b. In the Password field, enter the password for the user account. Reenter the password in the Confirm field.

Step 8 In the Source File Name field, enter the host IP address, path, and filename of the license file on the remote server in the format host-ip/path/filename where:

host-ip represents the IP address of the remote server.

path represents the directory path of the license file on the remote server.

filename represents the filename of the license file on the remote server.

For example, your entry might resemble 192.168.11.2/usr/bin/ACE-VIRT-020.lic.

Step 9 In the Destination field, enter the location where you want the license file to reside on the ACE appliance in preparation for installation or updating. The default location is disk0:.

Step 10 In the User-Specified Name for the License file: field, enter the name that you would like to use for this license file, such as myACE-AP-VIRT-020.lic.

Step 11 Click:

OK to accept your entries and to copy the file from the remote server to the ACE appliance and then install it.

Cancel to exit this procedure without copying the file from the remote server and to return to the Licenses table.


Related Topics

Managing ACE Appliance Licenses

Viewing ACE Appliance Licenses

Updating ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Updating ACE Appliance Licenses


Note This functionality is available for only Admin contexts.


ACE appliance Device Manager allows you to convert demonstration licenses to permanent licenses and to upgrade permanent licenses to increase the number of virtual contexts.

Use this procedure to install ACE appliance update licenses.

Assumption

You have received the proper update software license for the ACE appliance.

ACE appliance licenses are available on a remote server for importing to the ACE appliance, or you have received the update software license and have copied the license file to the disk0: filesystem on the ACE appliance using the copy disk0: CLI command.

This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh key rsa 1024 force command is applied on the appliance.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the Admin context with the license you want to update, then click System > Licenses. The Licenses table appears listing all installed licenses.

Step 3 Select the license to be updated, then click Update. The Update License On The ACE dialog box appears.

Step 4 If the update license currently exists on the disk0: file system in Flash memory in the ACE (perhaps by using the copy disk0: CLI command), perform the following sequence:

a. Leave the Update License needs to be copied to disk0:? check box unchecked.

b. In the License File Name field, enter the name of the update license file on disk0:.

Step 5 If the update license must be copied to the disk0: file system in Flash memory, check the Update License needs to be copied to disk0:? check box. Proceed to Step 6.

Step 6 In the Protocol field, select the protocol to be used to import the license file from the remote server to the ACE appliance:

If you select FTP, the User and Password fields appear. Continue with Step 7.

If you select SFTP, the User and Password fields appear. Continue with Step 7.

If you select TFTP, continue with Step 8.

Step 7 If you select FTP or SFTP:

a. In the User field, enter the username of the account on the network server.

b. In the Password field, enter the password for the user account. Reenter the password in the Confirm field.

Step 8 In the Source File Name field, enter the host IP address, path, and filename of the license file on the remote server in the format host-ip/path/filename where:

host-ip represents the IP address of the remote server.

path represents the directory path of the license file on the remote server.

filename represents the filename of the license file on the remote server.

For example, your entry might resemble 192.168.11.2/usr/bin/ACE-VIRT-020.lic.

Step 9 In the Destination field, enter the location where you want the license file to reside on the ACE appliance in preparation for installation or updating. The default location is disk0:.

Step 10 Click:

OK to update the license and to return to the Licenses table. The Licenses table displays the updated information.

Cancel to exit this procedure without updating the license and to return to the Licenses table.


Related Topics

Managing ACE Appliance Licenses

Viewing ACE Appliance Licenses

Installing ACE Appliance Licenses

Uninstalling ACE Appliance Licenses

Displaying License Configuration and Statistics

Uninstalling ACE Appliance Licenses


Note This functionality is available for only Admin contexts.



Caution Removing licenses can affect an ACE appliance's bandwidth or performance. For detailed information on the effect of license removal on your ACE appliance, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Use this procedure to remove ACE appliance licenses.

Assumption

This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh key rsa 1024 force command is applied on the appliance.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the Admin context with the license you want to remove, then click System > Licenses. The Licenses table appears listing all installed licenses.

Step 3 Select the license to be removed.

Step 4 Click Uninstall. A window appears, asking you to confirm the license removal process.


Note Removing licenses can affect the number of contexts, ACE appliance bandwidth, or SSL TPS (transactions per second). Be sure you understand the effect of removing the license on your environment before continuing.


Step 5 Click OK to confirm the removal or Cancel to stop the removal process.

If you click OK, a status window appears with the status of license removal. When the license has been removed, the Licenses table refreshes without the deleted license.


Related Topics

Managing ACE Appliance Licenses

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Viewing ACE Appliance Licenses

Displaying License Configuration and Statistics

Displaying License Configuration and Statistics


Note This functionality is available for only Admin contexts.


Use this procedure to view information about ACE appliance licenses.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the Admin context with the license information you want to view, then select System > Licenses. The Licenses table appears listing all installed licenses.

Step 3 Select the license with the information you want to view, then click Status. The Show License Status window appears with the following information:

Compression performance in megabits or gigabits per second

Application acceleration and optimization in the number of concurrent connections

SSL transactions per second

Number of supported virtual contexts

ACE appliance bandwidth in gigabits per second

Step 4 Click Close when you finish viewing the information.


Related Topics

Installing ACE Appliance Licenses

Updating ACE Appliance Licenses

Managing Resource Classes

Resource classes are the means by which you manage virtual context access to ACE appliance resources, such as concurrent connections or bandwidth rate. ACE appliances are preconfigured with a default resource class that is applied to the Admin context and any user context upon creation. The default resource class is configured to allow a context to operate within a range that can vary from no resource access (0%) to complete resource access (100%). When you use the default resource class with multiple contexts, you run the risk of oversubscribing ACE appliance resources. This means that the ACE appliance permits all contexts to have full access to all resources on a first-come, first-served basis. When a resource is utilized to its maximum limit, the ACE appliance denies additional requests made by any context for that resource.

To avoid oversubscribing resources and to help guarantee access to a resource by any context, you can create customized resource classes that you associate with one or more contexts. A context becomes a member of the resource class when you make the association. Creating a resource class allows you to set limits on the minimum and maximum amounts of each ACE appliance resource that a member context is entitled to use. You define the minimum and maximum values as a percentage of the whole. For example, you can create a resource class that allows its member contexts access to no less than 25% of the total number of SSL connections that the ACE appliance supports.

You can limit and manage the allocation of the following ACE appliance resources:

ACL memory

Application acceleration connections

Buffers for syslog messages and TCP out-of-order (OOO) segments

Concurrent connections (through-the-ACE traffic)

Management connections (to-the-ACE traffic)

HTTP compression percentage

Proxy connections

Set resource limit as a rate (number per second)

Regular expression (regexp) memory

SSL connections

Sticky entries

Static or dynamic network address translations (Xlates)

Table 2-9 identifies and defines the resources that you can establish for resource classes.

Resource Allocation Constraints


Note This functionality is available for only Admin contexts.


The following resources are critical for maintaining connectivity to the Admin context:

Rate Bandwidth

Rate Management Traffic

Rate SSL Connections

Rate Connections

Management Connections

Concurrent Connections


Caution If you allocate 100% of these resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost.

We recommend that you create a resource class specifically for the Admin context and apply it to the context so that you can maintain IP connectivity.

Table 2-9 Resource Class Attributes 

Resource
Definition

All

Limits all resources to the specified value for all contexts assigned to this resource class, except for management traffic bandwidth. Management traffic bandwidth remains at the default values until you explicitly configure a minimum value for management traffic.

Acceleration Connections

Percentage of application acceleration connections.

ACL Memory

Percentage of memory allocated for ACLs.

Concurrent Connections

Percentage of simultaneous connections.

Note If you consume all Concurrent Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

HTTP Compression

Percentage of compression for HTTP data.

Management Connections

Percentage of management connections.

Note If you consume all Management Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Proxy Connections

Percentage of proxy connections.

Regular Expressions

Percentage of regular expression memory.

Sticky

Percentage of entries in the sticky table.

Xlates

Percentage of network and port address translations entries.

Buffer Syslog

Percentage of the syslog buffer.

Rate Inspect Connection

Percentage of application protocol inspection connections for FTP and RTSP.

Rate Bandwidth

Percentage of context throughput. This attribute limits the total ACE throughput in bytes per second for one or more contexts.

Note If you consume all rate bandwidth by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

The maximum bandwidth rate per context is determined by your bandwidth license. By default, the ACE supports 1 gigabit per second (Gbps) appliance throughput. You can upgrade the ACE with an optional 2-Gbps bandwidth license. When you configure a minimum bandwidth value for a resource class in the ACE, the ACE subtracts that configured value from the total bandwidth maximum value of all contexts in the ACE, regardless of the resource class with which they are associated. The total bandwidth rate of a context consists of the following two components:

Throughput—Limits through-the-ACE traffic. This is a derived value (you cannot configure it directly) and it is equal to the bandwidth rate minus the mgmt-traffic rate for the 1-Gbps and 2-Gbps licenses.

Management Traffic—Limits management (to-the-ACE) traffic in bytes per second. To guarantee a minimum amount of management traffic bandwidth, you must explicitly allocate a minimum percentage to management traffic using the Resource Classes table (Config > Virtual Contexts > admin context > System > Resource Class). When you allocate a minimum percentage of bandwidth to management traffic, the ACE subtracts that value from the maximum available management traffic bandwidth for all contexts in the ACE.

Rate Connections

Percentage of connections of any kind.

Note If you consume all Rate Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Rate Management Traffic

Percentage of management traffic connections.

Note If you consume all Rate Management Traffic by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Rate SSL Connections

Percentage of SSL connections.

Note If you consume all Rate SSL Connections by allocating 100% to virtual contexts, IP connectivity to the Admin context can be lost.

Rate Syslog

Percentage of syslog messages per second.

Rate MAC Miss

Percentage of messages destined for the ACE appliance that are sent to the control plane when the encapsulation is not correct in packets.


Related Topics

Adding Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Adding Resource Classes


Note This functionality is available for only Admin contexts.


Resource classes are used when provisioning services, establishing virtual contexts, managing devices, and monitoring virtual context resource consumption.

Defining a resource class does not automatically apply it to a context. New resource classes are applied only when a resource class is assigned to a virtual context.


Caution If you allocate 100% of the resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost. For more information, refer to Resource Allocation Constraints.

Use this procedure to create a new resource class.

Procedure


Step 1 Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table appears.

Step 2 Click Add to create a new resource class. The New Resource Class configuration screen appears.

Step 3 In the Name field, enter a unique name for this resource class. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Step 4 To use the same values for each resource, enter the following information in the All row: (See Table 2-9 for a description of the resources.)

a. In the Min. field, enter the minimum percentage of each resource you want to allocate to this resource class. Valid entries are numbers from 0 to 100 including those with decimals in increments of .01.

b. In the Max. field, select the maximum percentage of each resource you want to allocate to this resource class:

Equal To Min.—Indicates that the maximum percentage allocated for each resource is equal to the minimum specified in the Min. field.

Unlimited—Indicates that there is no upper limit on the percentage of each resource that can be allocated for this resource class.

Step 5 To use different values for the resources, for each resource, select the method for allocating resources:

Select Default to use the values specified in Step 4.

Select Min. to enter a specific minimum value for the resource.

Step 6 If you select Min.:

a. In the Min. field, enter the minimum percentage of this resource you want to allocate to this resource class. For example, for ACL memory, you would enter 10 in the Min. field to indicate that you want to allocate a minimum of 10% of the available ACL memory to this resource class.

b. In the Max. field, select the maximum percentage of the resource you want to allocate to this resource class:

Equal To Min.—Indicates that the maximum percentage allocated for this resource is equal to the minimum specified in the Min. field.

Unlimited—Indicates that there is no upper limit on the percentage of the resource that can be allocated for this resource class.

Step 7 When you finish allocating the resources for this resource class, click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.

Step 8 If you click Deploy Now, the ACE appliance Device Manager displays the number of virtual contexts that can be supported using this resource class in the Maximum VC column. To support more or fewer virtual contexts, select the resource class, click Edit, and modify it as described in this procedure.
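A way to sanity-check a resource class before you click Deploy Now, as an added example (Python; not Cisco code and not how the Device Manager derives the Maximum VC column): it models the Min./Max. fields of Steps 4 to 6 with the resource names of Table 2-9, estimates how many contexts the class's guaranteed minimums can provision, and flags the two conditions from Resource Allocation Constraints (user contexts committing 100% of a critical resource, and an Admin context with no guaranteed share). The provisioning formula and the context name "Admin" are assumptions.

```python
"""Resource-class sanity check for ACE virtual contexts.

Added example, not Cisco code and not the Device Manager's own logic. It
models the Min./Max. fields of Table 2-9 (per-resource Min. with the All
row as the Default, Max. either Equal To Min. or Unlimited) and the caution
that committing 100% of certain resources to user contexts can cut off the
Admin context. The Maximum VC formula is an assumption: the number of
contexts whose guaranteed minimums fit into 100% of every resource.
"""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

# Resource rows of Table 2-9 (the All row is handled separately).
RESOURCES = (
    "Acceleration Connections", "ACL Memory", "Concurrent Connections",
    "HTTP Compression", "Management Connections", "Proxy Connections",
    "Regular Expressions", "Sticky", "Xlates", "Buffer Syslog",
    "Rate Inspect Connection", "Rate Bandwidth", "Rate Connections",
    "Rate Management Traffic", "Rate SSL Connections", "Rate Syslog",
    "Rate MAC Miss",
)
# Resources listed under Resource Allocation Constraints as critical for
# keeping IP connectivity to the Admin context.
CRITICAL = frozenset({
    "Rate Bandwidth", "Rate Management Traffic", "Rate SSL Connections",
    "Rate Connections", "Management Connections", "Concurrent Connections",
})
HUNDRED = Decimal("100")


@dataclass(frozen=True)
class Limit:
    minimum: Decimal   # guaranteed share of the resource, 0.00 to 100.00
    unlimited: bool    # Max. is Unlimited (True) or Equal To Min. (False)


def limit(min_pct, maximum="unlimited"):
    """Validate a Min./Max. pair the way the fields accept it (0-100, .01 steps)."""
    m = Decimal(str(min_pct)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    if not Decimal(0) <= m <= HUNDRED:
        raise ValueError(f"minimum {min_pct!r} must be between 0 and 100")
    if maximum not in ("unlimited", "equal-to-min"):
        raise ValueError("maximum must be 'unlimited' or 'equal-to-min'")
    return Limit(m, maximum == "unlimited")


@dataclass
class ResourceClass:
    name: str
    all_row: Limit                                 # Step 4: the All row
    overrides: dict = field(default_factory=dict)  # Step 6: per-resource Min.

    def __post_init__(self):
        # Step 3: unquoted, no spaces, at most 64 characters.
        if not self.name or " " in self.name or len(self.name) > 64:
            raise ValueError("name must have no spaces and at most 64 characters")
        unknown = set(self.overrides) - set(RESOURCES)
        if unknown:
            raise ValueError(f"not a Table 2-9 resource: {sorted(unknown)}")

    def limit_for(self, resource):
        """Per-resource Min. if one was entered, else the All row (Step 5 Default)."""
        return self.overrides.get(resource, self.all_row)

    def max_provisionable(self):
        """Contexts whose guaranteed minimums fit into 100% of every resource.

        Assumption: the binding resource is the one with the largest minimum.
        A class that guarantees nothing (all minimums 0.00, like the default
        class) is not bounded this way, so None is returned.
        """
        largest = max(self.limit_for(r).minimum for r in RESOURCES)
        return None if largest == 0 else int(HUNDRED // largest)


def admin_connectivity_risk(assignments, admin="Admin"):
    """Report the two conditions the Resource Allocation Constraints warn about.

    assignments maps context name -> ResourceClass. "exhausted" lists critical
    resources whose minimums across user contexts already reach 100%;
    "admin_unguaranteed" lists critical resources for which the Admin
    context's own class reserves nothing (the recommendation is a dedicated
    Admin resource class with a minimum).
    """
    exhausted, unguaranteed = [], []
    for resource in sorted(CRITICAL):
        committed = sum(rc.limit_for(resource).minimum
                        for ctx, rc in assignments.items() if ctx != admin)
        if committed >= HUNDRED:
            exhausted.append(resource)
        if admin in assignments and assignments[admin].limit_for(resource).minimum == 0:
            unguaranteed.append(resource)
    return {"exhausted": exhausted, "admin_unguaranteed": unguaranteed}


if __name__ == "__main__":
    # Constructed scenario: four user contexts on a class that reserves 25%
    # of Rate Bandwidth each, with Admin left on the default class.
    default = ResourceClass("default", limit(0))
    gold = ResourceClass("gold", limit(20), {"Rate Bandwidth": limit(25, "equal-to-min")})
    print("gold can provision", gold.max_provisionable(), "contexts")
    contexts = {"Admin": default, **{f"ctx{i}": gold for i in range(1, 5)}}
    print(admin_connectivity_risk(contexts))
```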


Related Topics

Managing Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Modifying Resource Classes


Note This functionality is available for only Admin contexts.


When you modify a resource class, the ACE appliance Device Manager applies the changes both to virtual contexts that you associate with the resource class going forward and to existing virtual contexts that are already associated with it.


Caution If you allocate 100% of the resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost. For more information, refer to Resource Allocation Constraints.

Use this procedure to modify an existing resource class.


Note You cannot modify the default resource class.


Procedure


Step 1 Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table appears.

Step 2 Select the resource class you want to modify, then click Edit. The Edit Resource Class configuration screen appears.

Step 3 Modify the fields as desired. For details on setting values, see Adding Resource Classes. For descriptions of the resources, see Table 2-9.

Step 4 When you finish allocating the resources for this resource class, click:

Deploy Now to deploy this configuration on the ACE appliance. The configuration screen refreshes and the Max. Provisionable field beneath the Name field indicates the number of virtual contexts that can be supported using this resource allocation. When you are satisfied with the resource allocation and have saved your entries, click Cancel to return to the Resource Classes table.

Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.

The ACE appliance Device Manager applies all changes to the virtual contexts that use this resource class.


Related Topics

Managing Resource Classes

Adding Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Deleting Resource Classes


Note This functionality is available for only Admin contexts.


Use this procedure to remove resource classes from the ACE appliance Device Manager database.


Note When you remove a resource class from the ACE appliance Device Manager, any virtual contexts that were associated with this resource class automatically become members of the default resource class. The default resource class allocates a minimum of 0.00% to a maximum of 100.00% of all ACE appliance resources to each context. You cannot modify the default resource class.


Because of the impact of resource class deletion on virtual contexts, we recommend that you view a resource class's current deployment before deleting it. See Viewing Resource Class Use on Virtual Contexts.

Procedure


Step 1 Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table appears.

Step 2 Select the resource class you want to remove, then click Delete. A window appears, asking you to confirm the deletion.

Step 3 Click OK to continue deleting the resource class, or click Cancel to keep the resource class.

The Resource Classes table refreshes with the updated information.


Related Topics

Managing Resource Classes

Adding Resource Classes

Modifying Resource Classes

Viewing Resource Class Use on Virtual Contexts

Viewing Resource Class Use on Virtual Contexts


Note This functionality is available for only Admin contexts.


Use this procedure to view a list of all virtual contexts using a selected resource class.

Procedure


Step 1 Select Config > Virtual Contexts > admin context > System > Resource Class. The Resource Classes table lists the number of virtual contexts using each resource class in the second column.

Step 2 Select the resource class whose usage you want to view, then click Virtual Contexts. The Virtual Contexts Using Resource Class table appears, listing the associated contexts.

Step 3 Click Cancel to return to the Resource Classes table.


Related Topics

Managing Resource Classes

Adding Resource Classes

Modifying Resource Classes

Deleting Resource Classes

Viewing Resource Class Use on Virtual Contexts

Using the Configuration Checkpoint and Rollback Service

At some point, you may want to modify your ACE running configuration. If you run into a problem with the modified configuration, you may need to reboot your ACE. To prevent having to reboot your ACE after unsuccessfully modifying a running configuration, you can create a checkpoint (a snapshot in time) of a known stable running configuration before you begin to modify it. If you encounter a problem with the modifications to the running configuration, you can roll back the configuration to the previous stable configuration checkpoint.


Note Before you upgrade your ACE software, we strongly recommend that you create a checkpoint in your running configuration. For software release A4(1.0), use the backup function to create a backup of the running configuration (see the "Performing Device Backup and Restore Functions" section).


The ACE allows you to make a checkpoint configuration at the context level. The ACE stores the checkpoint for each context in a hidden directory in Flash memory. If you then make configuration changes that modify the current running configuration and roll back to the checkpoint, the ACE reverts the running configuration to the checkpointed configuration.

This section includes the following topics:

Creating a Configuration Checkpoint

Deleting a Configuration Checkpoint

Rolling Back a Running Configuration

Displaying Checkpoint Information

Creating a Configuration Checkpoint

You can create a configuration checkpoint for a specific context. The ACE supports a maximum of 10 checkpoints for each context.

Assumption

This topic assumes the following:

Make sure that the current running configuration is stable and is the configuration that you want to make as a checkpoint. If you change your mind after creating the checkpoint, you can delete it (see the "Deleting a Configuration Checkpoint" section).

The ACE-Admin, DM-Admin, and Org-Admin predefined roles have access to the configuration checkpoint function.

A custom role with the Device Manager Inventory and Virtual Context role tasks set to create or modify has the required privileges to create a configuration checkpoint.

A checkpoint will not include the SSL keys/certificates, probe scripts, and licenses.

This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh key rsa 1024 force command is applied on the appliance.

Adding a checkpoint from an ACE context directly will not trigger an autosynchronization on the ACE appliance Device Manager for that context.

Procedure


Step 1 Choose Config > Virtual Contexts > admin context > System > Checkpoints.

The Checkpoints table appears.

For descriptions of the checkpoints, see Table 2-10.

Table 2-10 Checkpoints Table 

Field
Description

Name

Unique identifier of the checkpoint.

Size (In Bytes)

Size of the configuration checkpoint, shown in bytes.

Date (Created On)

Date that the configuration checkpoint was created.


Step 2 In the Checkpoints table, click the Create Checkpoint button.

The Create Checkpoint dialog box appears.

Step 3 In the Checkpoint Name field of the Create Checkpoint dialog box, specify a unique identifier for the checkpoint.

Enter a text string with no spaces and a maximum of 25 alphanumeric characters.

If the checkpoint already exists, you are prompted to use a different name.

Step 4 Do one of the following:

Click OK to save your configuration checkpoint. You return to the Checkpoints table and the new checkpoint appears in the table.

Click Cancel to exit the procedure without saving the configuration checkpoint and to return to the Checkpoints table.


Deleting a Configuration Checkpoint

You can delete a checkpoint. Deleting a checkpoint from an ACE context directly will not trigger an autosynchronization on the ACE appliance Device Manager for that context.

Prerequisite

Before you perform this procedure, make sure that you want to delete the checkpoint. Once you click the Trash icon, the ACE removes the checkpoint from Flash memory.

This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh key rsa 1024 force command is applied on the appliance.

Procedure


Step 1 To choose the virtual context whose configuration checkpoint you want to delete, choose Config > Virtual Contexts > admin context > System > Checkpoints.

The Checkpoints table appears.

Step 2 In the Checkpoints table, choose the radio button to the left of any table entry, and click the Trash icon to delete the checkpoint.


Rolling Back a Running Configuration

You can roll back the current running configuration of a context to the previously checkpointed running configuration.


Note This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh key rsa 1024 force command is applied on the appliance.


Procedure


Step 1 Choose Config > Virtual Contexts > admin context > System > Checkpoints.

The Checkpoints table appears.

Step 2 Choose the radio button to the left of the checkpoint that you wish to roll back, and click Rollback.

The ACE appliance Device Manager displays a confirmation popup window to warn you about this change and to tell you that the rollback operation may take longer depending on the differences detected between the two configurations.


Note The ACE appliance Device Manager synchronizes the device after performing a rollback. This synchronization may take some time.



Displaying Checkpoint Information

You can display checkpoint information.

Procedure


Step 1 Choose Config > Virtual Contexts > admin context > System > Checkpoints.

The Checkpoints table appears.

Step 2 In the Checkpoints table, choose the radio button to the left of the checkpoint that you want to display, and click Details.

The ACE appliance Device Manager uses the ACE show checkpoint detail {name} CLI command to display the running configuration of the specified checkpoint.

Step 3 Click Close to exit the dialog box and return to the Checkpoints table.


Performing Device Backup and Restore Functions

The backup and restore functions allow you to back up or restore the configuration and dependencies of an entire ACE or of a particular virtual context. Configuration dependencies are those files that are required to exist on the ACE so that a configuration can be applied to it. Such files include health-monitoring scripts, SSL certificates, SSL keys, and so on. This feature allows you to back up and restore the following configuration files and dependencies:

Running-configuration files

Startup-configuration files

Checkpoints

SSL files (SSL certificates and keys)

Health-monitoring scripts

Licenses


Note The backup feature does not back up the sample SSL certificate and key pair files.


Typical uses for this feature are as follows:

Back up a configuration for later use

Recover a configuration that was lost because of a software failure or user error

Restore configuration files to a new ACE when a hardware failure resulted in a Return Merchandise Authorization (RMA) of the old ACE

Transfer the configuration files to a different ACE

The backup and restore functions are supported in both the Admin and virtual contexts. If you perform these functions in the Admin context, you can back up or restore the configuration files for either the Admin context only or for all contexts in the ACE. If you perform these functions in a virtual context, you can back up or restore the configuration files only for that context. Both the backup and the restore functions run asynchronously (in the background).

Archive Naming Conventions

Context archive files have the following naming convention format:

Hostname_ctxname_timestamp.tgz

The filename fields are as follows:

Hostname—Name of the ACE. If the hostname contains special characters, the ACE uses the default hostname "switch" in the filename. For example, if the hostname is Active@~!#$%^, then the ACE assigns the following filename: switch_Admin_2009_08_30_15_45_17.tgz

ctxname—Name of the context. If the context name contains special characters, the ACE uses the default context name "context" in the filename. For example, if the context name is Test!123*, then the ACE assigns the following filename: switch_context_2009_08_30_15_45_17.tgz

timestamp—Date and time that the ACE created the file. The time stamp has the following 24-hour format: YYYY_MM_DD_hh_mm_ss

An example is as follows:

ACE-1_ctx1_2009_05_06_15_24_57.tgz

If you back up the entire ACE, the archive filename does not include the ctxname field. So, the format is as follows:

Hostname_timestamp.tgz

An example is as follows:

ACE-1_2009_05_06_15_24_57.tgz

Archive Directory Structure and Filenames

The ACE uses a flat directory structure for the backup archive. The ACE provides file extensions for the individual files that it backs up so that you can identify the types of files easily when restoring an archive. All files are stored in a single directory that is tarred and GZIPed as follows:

ACE-1_Ctx1_2009_05_06_07_24_57.tgz
 ACE-1_Ctx1_2009_05_06_07_24_57\
  context_name-running
  context_name-startup
  context_name-chkpt_name.chkpt
  context_name-cert_name.cert
  context_name-key_name.key
  context_name-script_name.tcl
  context_name-license_name.lic
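The naming convention and the flat archive layout above, worked through in code as an added example (Python; not Cisco code): it builds and parses archive names, including the "switch" and "context" fallbacks and the full-backup form without a ctxname field, classifies the files inside a .tgz by the extensions shown above, and orders them the way the Guidelines and Limitations describe a restore (Admin context first, dependencies before configurations). Assumptions, labelled in the code: hostnames and context names contain no underscore, context names contain no hyphen, and "special characters" means anything other than letters, digits and hyphens; the sample archive is constructed in memory.

```python
"""Parse ACE backup archive names and plan a restore from the archive layout.

Added example, not Cisco code. It models the naming convention
(Hostname_ctxname_timestamp.tgz; Hostname_timestamp.tgz for a full backup;
"switch"/"context" substituted for names with special characters), the flat
per-extension layout inside the .tgz, and the dependency order given under
Guidelines and Limitations for a restore. Assumptions: names contain no
underscore, context names contain no hyphen, and "special characters" means
anything other than letters, digits and hyphens.
"""
import io
import re
import tarfile
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

STAMP_FMT = "%Y_%m_%d_%H_%M_%S"             # 24-hour YYYY_MM_DD_hh_mm_ss
SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")   # assumed meaning of "no special characters"
NAME_RE = re.compile(r"^(.+)_(\d{4}(?:_\d{2}){5})\.tgz$")


@dataclass(frozen=True)
class ArchiveName:
    hostname: str
    context: Optional[str]   # None for a full (all-contexts) backup
    created: datetime


def build_archive_name(hostname, ctxname, created):
    """Apply the naming convention, including the default-name fallbacks."""
    host = hostname if SAFE_NAME.match(hostname) else "switch"
    stamp = created.strftime(STAMP_FMT)
    if ctxname is None:                      # full ACE backup: no ctxname field
        return f"{host}_{stamp}.tgz"
    ctx = ctxname if SAFE_NAME.match(ctxname) else "context"
    return f"{host}_{ctx}_{stamp}.tgz"


def parse_archive_name(filename):
    """Split an archive name into hostname, context (if any) and timestamp."""
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not an ACE backup archive name: {filename}")
    prefix, stamp = m.groups()
    parts = prefix.split("_")                # assumption: no underscores in names
    if len(parts) > 2:
        raise ValueError(f"ambiguous name prefix: {prefix}")
    context = parts[1] if len(parts) == 2 else None
    return ArchiveName(parts[0], context, datetime.strptime(stamp, STAMP_FMT))


# File kinds by the suffix the ACE gives each backed-up file, and the order in
# which the ACE restores dependencies before the running configuration.
KINDS = (("-running", "running-config"), ("-startup", "startup-config"),
         (".chkpt", "checkpoint"), (".cert", "ssl-certificate"),
         (".key", "ssl-key"), (".tcl", "health-script"), (".lic", "license"))
RESTORE_ORDER = ("license", "ssl-certificate", "ssl-key", "health-script",
                 "checkpoint", "startup-config", "running-config")


@dataclass(frozen=True)
class Member:
    context: str
    kind: str
    item: Optional[str]   # checkpoint, cert, key, script or license name


def classify_member(path):
    """Map one archive entry (context_name-<item>.<ext> in a flat directory)."""
    base = path.rsplit("/", 1)[-1]
    for suffix, kind in KINDS:
        if base.endswith(suffix):
            stem = base[:-len(suffix)]
            if kind.endswith("-config"):
                return Member(stem, kind, None)
            ctx, sep, item = stem.partition("-")   # assumption: no hyphen in context name
            if not sep or not item:
                raise ValueError(f"not in context_name-<item> form: {path}")
            return Member(ctx, kind, item)
    raise ValueError(f"unrecognised archive member: {path}")


def plan_restore(tgz_bytes):
    """Order an archive's files as the ACE restores them: the Admin context
    completely first, then each context with dependencies before configs."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        members = [classify_member(i.name) for i in tar.getmembers() if i.isfile()]
    members.sort(key=lambda m: (m.context != "Admin", m.context,
                                RESTORE_ORDER.index(m.kind)))
    return members


def sample_archive():
    """Constructed full-backup archive in the documented flat layout."""
    root = "ACE-1_2009_05_06_07_24_57"
    names = ["Admin-running", "Admin-startup", "Admin-lic1.lic", "ctx1-running",
             "ctx1-startup", "ctx1-www.cert", "ctx1-www.key", "ctx1-probe1.tcl",
             "ctx1-stable.chkpt"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = f"# constructed placeholder content for {name}\n".encode()
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `plan_restore(sample_archive())` lists the Admin license, startup and running files first, then ctx1's certificate, key, script, checkpoint, startup and running files in that order.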

Guidelines and Limitations

The backup and restore functions have the following configuration guidelines and limitations:

This functionality on the DM requires that SSH is enabled on the appliance. Also, ensure that the ssh key rsa 1024 force command is applied on the appliance.

Store the backup archive on disk0: in the context of the ACE where you intend to restore the files. Use the Admin context for a full backup and the corresponding context for user contexts.

When you back up the running-configuration file, the ACE uses the output of the show running-configuration CLI command as the basis for the archive file.

The ACE backs up only exportable certificates and keys.

License files are backed up only when you back up the Admin context.

Use a pass phrase to back up SSL keys in encrypted form. Remember the pass phrase or write it down and store it in a safe location. When you restore the encrypted keys, the ACE prompts you for the pass phrase to decrypt the keys. If you do not use a pass phrase when you back up the SSL keys, the ACE restores the keys with AES-256 encryption using OpenSSL software.

Only probe scripts that reside in disk0: need to be backed up. The prepackaged probe scripts in the probe: directory are always available. When you perform a backup, the ACE automatically identifies and backs up the scripts in disk0: that are required by the configuration.

The ACE does not resolve any other dependencies required by the configuration during a backup except for scripts that reside in disk0:. For example, if you configured SSL certificates in an SSL proxy in the running-configuration file, but you later deleted the certificates, the backup proceeds anyway as if the certificates still existed.

To perform a restore operation, you must have the admin RBAC feature in your user role. DM-admin and ORG-admin have access to this feature by default. Custom roles with the Device Manager Inventory and Virtual Context role tasks set to create or modify can also access this feature.

When you instruct the ACE to restore the archive for the entire ACE, it restores the Admin context completely first, and then it restores the other contexts. The ACE restores all dependencies before it restores the running configuration. The order in which the ACE restores dependencies is as follows:

License files

SSL certificates and key files

Health-monitoring scripts

Checkpoints

Startup-configuration file

Running-configuration file

When you restore the ACE, previously installed license files are uninstalled and the license files in the backup file are installed in their place.

In a redundant configuration, if the archive that you want to restore is different from the peer configurations in the FT group, redundancy may not operate properly after the restore.

You can restore a single context from a full backup archive provided that:

You execute the restore operation in the context that you want to restore

All file dependencies for the context exist in the full backup archive

To enable the ACE Device Manager to synchronize the CLI after a successful restore, do not navigate from the Backup / Restore page until the Latest Restore status changes from In Progress to Success. If you navigate to another page before the restore process is complete, the CLI will not synchronize until you return to the Backup / Restore page or until the automatic or manual CLI synchronization occurs.

Defaults

Table 2-11 lists the default settings for the backup and restore function parameters.

Table 2-11 Default Backup and Restore Parameters

Parameter
Default

Backed up files

By default the ACE backs up the following files in the current context:

Running-configuration file

Startup-configuration file

Checkpoints

SSL certificates

SSL keys

Health-monitoring scripts

Licenses

SSL key restore encryption

None


This section includes the following topics:

Backing Up Device Configuration and Dependencies

Restoring Device Configuration and Dependencies

Backing Up Device Configuration and Dependencies

You can create a backup of an ACE configuration and its dependencies.


Note When you perform the backup process from the Admin context, you can either back up the Admin context files only or you can back up the Admin context and all user contexts. When you back up from a user context, you back up the current context files only and cannot back up the ACE licenses.



Note If your web browser supports the Remember Passwords option and you enable this option, the web browser may fill in the Username and Password fields for user authentication. By default, these fields should be empty. You can change the username and password fields from whatever the web browser inserts into the two fields.


Procedure


Step 1 Choose Config > Virtual Contexts > System > Backup / Restore.

The Backup / Restore table appears and displays the latest backup and restore statistics.


Note To refresh the table content at any time, click Poll Now.



Note When you choose the Backup / Restore operation, the Appliance Device Manager must poll a context if that context has not been accessed previously for this operation. The polling operation, which is necessary to obtain the latest backup and restore information, can cause a delay in the display time of the Backup / Restore table.


The Backup / Restore fields are described in Table 2-12.

Table 2-12 Backup / Restore Fields 

Field
Description

Latest Backup

Backup Archive

Name of the last *.tgz file created that contains the backup files.

Type

Type of backup: Context or Full (all contexts).

Start-time

Date and time that the last backup began.

Finished-time

Date and time that the last backup ended.

Status

Status of the last context to be backed up: Success, In Progress, or Failed. Click the status link to view status details.

Current vc

Name of the last context in the backup process.

Completed

Number of context backups completed compared to the total number of context backup requests.

For example:

2/2 = Two context backups completed/Two context backups requested

0/1 = No context backup completed/One context backup requested

Latest Restore

Backup Archive

Name of the *.tgz file used during the restore process.

Type

Type of restore: Context or Full (all contexts).

Start-time

Date and time that the last restore began.

Finished-time

Date and time that the last restore ended.

Status

Status of the last restore: Success, In Progress, or Failed. Click the status to view status details.

Current vc

Name of the last context in the restore process.

Completed

Number of context restores completed compared to the total number of context restore requests.

For example:

2/2 = Two context restores completed/Two context restores requested

0/1 = No context restore completed/One context restore requested


Step 2 Click Backup.

The Backup window appears.

Step 3 In the Backup window, click the radio button of the location where the ACE is to save the backup files:

Backup config on ACE (disk0:)—This is the default. Go to Step 9.

Backup config on ACE (disk0:) and then copy to remote system—The Remote System attributes step appears. Go to Step 4.

Step 4 Click the radio button of the transfer protocol to use:

FTP—File Transfer Protocol

SFTP—Secure File Transfer Protocol

TFTP—Trivial File Transfer Protocol

Step 5 In the Username field, enter the username that the remote server requires for user authentication.

This field appears for FTP and SFTP only.

Step 6 In the Password field, enter the password that the remote server requires for user authentication.

This field appears for FTP and SFTP only.

Step 7 In the IP Address field, enter the IP address of the remote server.

Step 8 In the Backup File Path in Remote System field, enter the full path for the remote server.

Step 9 Check the Backup All Contexts check box if you want the ACE to create a backup that contains the files of the Admin context and every user context, or uncheck the check box to create a backup of the Admin context files only.

This field appears for the Admin context only.

Step 10 Indicate the components to exclude from the backup process: Checkpoints or SSL Files.

To exclude a component, double-click on it in the Available box to move it to the Selected box. You can also use the right and left arrows to move selected items between the two boxes.


Caution If you exclude the SSL Files component and then restore the ACE using this archived backup, these files are removed from the ACE. To save these files prior to performing a restore with this backup, use the crypto export CLI command to export the keys to a remote server and use the copy CLI command to copy the license files to disk0: as .tar files.

Step 11 In the Pass Phrase field, enter the pass phrase that you specify to encrypt the backed up SSL keys.

Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. If you enter a pass phrase but exclude the SSL files from the archive, the ACE does not use the pass phrase.

Step 12 Click OK to begin the backup process.

The following actions occur depending on where the ACE Device Manager saves the files:

disk0: only—The Device Manager permits continued GUI functionality during the backup process and polls the ACE for the backup status, which it displays on the Backup / Restore page.

disk0: and a remote server—The Device Manager suspends GUI operation and displays a "Please Wait" message in the Backup dialog box until the process is complete. During this process, the ACE Device Manager instructs the ACE to create and save the backup file locally to disk0: and then place a copy of the file on the specified remote server.

Step 13 In the Backup / Restore page, click Poll Now to ensure that the latest backup statistics are displayed, and then click on the Status link (Success, In Progress, or Failed) located in the Latest Backup column to view details of the backup operation.

If the backup status is either Success or In Progress, then the Show Backup Status Detail pop-up window appears and displays a list of the files successfully backed up. When the backup status is In Progress, the ACE Device Manager polls the ACE every 2 minutes to retrieve the latest status information and then it automatically updates the status information displayed. The polling continues until the ACE Device Manager receives a status of either Success or Failed. If the backup status is Failed, then the Show Backup Errors popup window appears, displaying the reason for the failed backup attempt.


Related Topics

Restoring Device Configuration and Dependencies

Restoring Device Configuration and Dependencies

You can restore an ACE configuration and its dependencies using a backup file.


Caution The restore operation clears any existing SSL certificate and key-pair files, license files, and checkpoints in a context before it restores the backup archive file. If your configuration includes SSL files or checkpoints and you excluded them when you created the backup archive, those files will no longer exist in the context after you restore the backup archive. To preserve any existing exportable SSL certificate and key files in the context, before you execute the restore operation, export the certificates and keys that you want to keep to an FTP, SFTP, or TFTP server by using the CLI and the crypto export command. After you restore the archive, import the SSL files into the context. For details on exporting and importing SSL certificate and key pair files using the CLI, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide.

You can also use the exclude option of the restore command to instruct the ACE not to clear the SSL files in disk0: and to ignore the SSL files in the backup archive when the ACE restores the backup.


Note If your web browser supports the Remember Passwords option and you enable this option, the web browser may fill in the Username and Password fields for user authentication. By default, these fields should be empty. You can change the username and password fields from whatever the web browser inserts into the two fields.


Prerequisites

If you are going to restore the Admin context files plus all user context files, use a backup file that was created from the Admin context with the Backup All Contexts checkbox checked (see the "Backing Up Device Configuration and Dependencies" section).

Procedure


Step 1 Choose Config > Virtual Contexts > System > Backup / Restore.

The Backup / Restore table appears.


Note To refresh the table content at any time, click Poll Now.



Note When you perform the restore process from the Admin context, you can either restore the Admin context files only or you can restore the Admin context files plus all user context files. When you perform the restore process from a user context, you can restore the current context files only.


The Backup / Restore fields are described in Table 2-12.

Step 2 Click Restore.

The Restore window appears.


Note The display of the Restore window may be delayed because the Device Manager is retrieving the list of the disk0: archive (*.tgz) files.


Step 3 In the Restore window, click the radio button of the location where the backup files are saved:

Choose a backup file on the ACE (disk0:)—This is the default. Go to Step 9.

Choose a backup file from remote system—The Remote System attributes step appears. Go to Step 4.

Step 4 Click the radio button of the transfer protocol to use:

FTP—File Transfer Protocol

SFTP—Secure File Transfer Protocol

TFTP—Trivial File Transfer Protocol

Step 5 In the Username field, enter the username that the remote file system requires for user authentication.

This field appears for FTP and SFTP only.

Step 6 In the Password field, enter the password that the remote file system requires for user authentication.

This field appears for FTP and SFTP only.

Step 7 In the IP Address field, enter the IP address of the remote server.

Step 8 In the Backup File Path in Remote System field, enter the full path of the backup file, including the backup filename, to be copied from the remote server.

Step 9 Check the Restore All Contexts checkbox if you want the ACE to restore the files for every context or uncheck the checkbox to restore the Admin context files only.

This field appears for the Admin context only.

Step 10 Check the Exclude SSL Files checkbox if you want to preserve the SSL files currently loaded on the ACE and not use the backup file's SSL files.


Caution The restore function deletes all SSL files currently loaded on the ACE unless you check the Exclude SSL Files option. If you do not check this option, the restore function loads the SSL files included in the backup file. If the backup file does not include SSL files, the ACE will not have any SSL files loaded on it when the restore process is complete. You will then need to import copies of the SSL files from a remote server.

Step 11 In the Pass Phrase field, enter the pass phrase that is used to encrypt the backed up SSL keys in the archive.

Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. The Pass Phrase field does not appear when you check the Exclude SSL Files checkbox.

Step 12 Click OK to begin the restore process.

The following actions occur depending on where the ACE Device Manager retrieves the backup files:

disk0: only—The ACE Device Manager permits continued GUI functionality during the restore process and polls the ACE for the backup status, which it displays on the Backup / Restore page.


Note To enable the Device Manager to synchronize the CLI after a successful restore, do not navigate from the Backup / Restore window until the Latest Restore status changes from In Progress to Success. If you navigate to another window before the restore process is complete, the CLI will not synchronize until you return to the Backup / Restore window or until the automatic or manual CLI synchronization occurs.


disk0: and a remote server—The ACE Device Manager suspends GUI operation and displays a "Please Wait" message in the Restore dialog box until the process is complete. During this process, the ACE Device Manager instructs the ACE to copy the backup file from the specified remote server to disk0: on the ACE and then apply the backup file to the context.

Step 13 In the Backup / Restore page, click Poll Now to ensure that the latest restore statistics are displayed, then click on the Status link (Success, In Progress, or Failed) located in the Latest Restore column to view details of the restore operation.

If the restore status is either Success or In Progress, then the Show Restore Status Detail popup window appears and displays a list of the files successfully restored. When the restore status is In Progress, the ACE Device Manager polls the ACE every 2 minutes to retrieve the latest status information and then it automatically updates the status information displayed. The polling continues until the ACE Device Manager receives a status of either Success or Failed. If the restore status is Failed, then the Show Restore Errors popup window appears, displaying the reason for the failed restore attempt.


Related Topics

Performing Device Backup and Restore Functions

Configuring Security with ACLs

An ACL (access control list) consists of a series of statements called ACL entries that collectively define the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the parts of your network specified in the entry. Besides an action element ("permit" or "deny"), each entry also contains a filter element based on criteria such as source address, destination address, protocol, or protocol-specific parameters. An implicit "deny all" entry exists at the end of every ACL, so you must configure an ACL on every interface where you want to permit connections. Otherwise, the ACE denies all traffic on the interface.

ACLs provide basic security for your network by allowing you to control network connection setups rather than processing each packet. Such ACLs are commonly referred to as security ACLs.

You can configure ACLs as parts of other features; for example, security, network address translation (NAT), or server load balancing (SLB). The ACE merges these individual ACLs into one large ACL called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can result in multiple actions. You can add, modify, or delete entries in an ACL that is already in the summary table, or add a new ACL to the list.

When you use ACLs, you may want to permit all e-mail traffic on a circuit, but block FTP traffic. You can also use ACLs to allow one client to access a part of the network and prevent another client from accessing that same area.

When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface. Applying an ACL on an interface assigns the ACL and its entries to that interface.

You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces. You can apply EtherType ACLs in only the inbound direction and on only Layer 2 interfaces.


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


For specific procedures, see:

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Resequencing Extended ACLs

Viewing All ACLs by Context

Editing or Deleting ACLs

Creating ACLs


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


Use this procedure to create, modify, or delete ACLs.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACL summary table appears, listing the existing ACLs. ACL summary fields are described in Table 2-13.

Table 2-13 ACL Summary Table 

Field
Description

Name

Enter a unique identifier for the ACL. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.

Type

Specifies the type of ACL:

Extended—allows you to specify both the source and the destination IP addresses of traffic as well as the protocol and the action to be taken. For more information see "Setting Extended ACL Attributes".

Ethertype—This ACL controls network access for non-IP traffic based on its EtherType. An EtherType is a sub-protocol identifier. For more information see "Setting EtherType ACL Attributes".

Line Number

ACL line number for extended type ACL entries.

Action

Action to be taken (permit/deny).

Protocol

Protocol number or service object group to apply to this ACL entry.

Source

Source IP address (with its source netmask and port number, if configured, for an extended ACL) or the source network object group, if configured, that is applied to this ACL entry.

Destination

Destination IP address (with its destination netmask and port number, if configured, for an extended ACL) or the destination network object group, if configured, that is applied to this ACL entry.

ICMP

Indicates whether or not this ACL uses ICMP (Internet Control Message Protocol). For more information, see "Protocol Names and Numbers".

Interface(s)

VLAN interface(s) associated with this ACL, for example <4,5:4>, where < denotes the input direction and > denotes the output direction.

Remark

Enter any comments you want to include for this ACL. Valid entries are unquoted text strings with a maximum of 100 characters. You can enter leading spaces at the beginning of the text or special characters. Trailing spaces are ignored.


Step 2 From the summary table, perform one of the following:

To view full details of an ACL inline, click the plus sign to the left of any table entry.

To create an ACL click the Add icon.

To modify an ACL, select the radio button to the left of any table entry, then click the Edit icon.

To delete an ACL, select the radio button to the left of any table entry, then click the Delete icon.

If you choose create, the New Access List screen appears.

If you choose modify, the Edit ACL or Edit ACL entry screen appears based on the selected radio button to the left of any table entry.

Step 3 Add or edit required fields as described in Table 2-14.

Table 2-14 ACL Configuration Attributes 

Field
Description

ACL Properties

Includes name, type (Extended, Ethertype), remarks. For more information see "ACL Summary Table".

ACL Entries

Entry Attributes

Includes line number, action and protocol/service object group drop down descriptor menu.

Source

Source IP address (with its source netmask and port number, if configured, for an extended ACL) or the source network object group, if configured, that is applied to this ACL entry.

Destination

Destination IP address (with its destination netmask and port number, if configured, for an extended ACL) or the destination network object group, if configured, that is applied to this ACL entry.

Add To Table button

Used to add multiple ACL entries, adding one at a time using this button, before clicking Deploy. In the past only one entry could be added at a time in a two-step process hopping between two different locations in the UI.

Remove From Table button

Used to remove multiple ACL entries, removing one at a time using this button, before clicking Deploy.

Interfaces

Input/Output Direction

Currently Assigned (ACL:Direction)

Allows you to associate the ACL with one or more interfaces; each interface can have only one input ACL and one output ACL. The top left checkbox under the Interfaces section selects all interfaces and applies the ACL to them in the input direction ("access-group input").

Deploy button

Allows deployment of newly created ACL entries along with VLAN interface assignments that were configured.

Cancel button

Exits without saving your entries.



Note To add, modify, or delete Object Groups go to the "Configuring Object Groups" section.


Step 4 Click:

Deploy to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the ACLs table.


Related Topics

Configuring Security with ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Setting Extended ACL Attributes


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


An extended ACL allows you to specify both the source and the destination IP addresses of traffic as well as the protocol and the action to be taken.

For TCP, UDP, and ICMP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.


Note The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do not specify the ports in an extended ACL.


Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.

Step 2 Click Add. The New Access List configuration screen appears.

Step 3 Enter the ACL name in the ACL Properties pane and choose the type as Extended.

Step 4 Configure extended ACL entries using the information in Table 2-15.

Table 2-15 Extended ACL Configuration Options 

Field
Description

Entry Attributes

Line Number

Enter a number that specifies the position of this entry in the ACL. The position of an entry affects the lookup order of the entries in an ACL. To change the sequence of existing extended ACLs, see Resequencing Extended ACLs.

Action

Action to be taken (permit/deny).

Service Object Group

Select a service object group to apply to this ACL.

Protocol

Select the protocol or protocol number to apply to this ACL entry. Table 2-16 lists common protocol names and numbers.

Source

Source Network

Defines the network traffic being received from the source network to the ACE:

Any—Select the Any radio button to indicate that network traffic from any source is allowed.

IP/Netmask—Use this field to limit access to a specific source IP address. Enter the source IP address that is allowed for this ACL. Enter a specific source IP address and select its subnet mask.

Network Object Group—Select a source network object group to apply to this ACL.

Source Port Operator

This field appears if you select TCP or UDP in the Protocol field.

Select the operand to use to compare source port numbers:

Equal To—The source port must be the same as the number in the Source Port Number field.

Greater Than—The source port must be greater than the number in the Source Port Number field.

Less Than—The source port must be less than the number in the Source Port Number field.

Not Equal To—The source port must not equal the number in the Source Port Number field.

Range—The source port must be within the range of ports specified by the Lower Source Port Number field and the Upper Source Port Number field.

Source Port Number

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Source Port Operator field.

Enter the port name or number from which you want to permit or deny access.

Lower Source Port Number

This field appears if you select Range in the Source Port Operator field.

Enter the number of the lowest port from which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Source Port Number field.

Upper Source Port Number

This field appears if you select Range in the Source Port Operator field.

Enter the port number of the upper port from which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Source Port Number field.

Destination

Destination Network

Defines the network traffic being transmitted to the destination network from the ACE:

Any—Select the Any radio button to indicate that network traffic to any destination is allowed.

IP/Netmask—Use this field to limit access to a specific destination IP address. Enter the destination IP address that is allowed for this ACL and select its subnet mask.

Network Object Group—Select a destination network object group to apply to this ACL.

Destination Port Operator

This field appears if you select TCP or UDP in the Protocol field.

Select the operand to use to compare destination port numbers:

Equal To—The destination port must be the same as the number in the Destination Port Number field.

Greater Than—The destination port must be greater than the number in the Destination Port Number field.

Less Than—The destination port must be less than the number in the Destination Port Number field.

Not Equal To—The destination port must not equal the number in the Destination Port Number field.

Range—The destination port must be within the range of ports specified by the Lower Destination Port Number field and the Upper Destination Port Number field.

Destination Port Number

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Destination Port Operator field.

Enter the port name or number from which you want to permit or deny access.

Lower Destination Port Number

This field appears if you select Range in the Destination Port Operator field.

Enter the number of the lowest port to which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port Number field.

Upper Destination Port Number

This field appears if you select Range in the Destination Port Operator field.

Enter the port number of the upper port to which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Destination Port Number field.


Table 2-16 Protocol Names and Numbers

Protocol Name (1)   Protocol Number   Description
AH                  51                Authentication Header
EIGRP               88                Enhanced IGRP
ESP                 50                Encapsulated Security Payload
GRE                 47                Generic Routing Encapsulation
ICMP                1                 Internet Control Message Protocol
IGMP                2                 Internet Group Management Protocol
IP                  0                 Internet Protocol
IP-In-IP            4                 IP-in-IP Layer 3 Tunneling Protocol
OSPF                89                Open Shortest Path First
PIM                 103               Protocol Independent Multicast
TCP                 6                 Transmission Control Protocol
UDP                 17                User Datagram Protocol

(1) For a complete list of all protocols and their numbers, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/.


Step 5 Click Add To Table if you want to add one or more ACL entries to the table. See Step 4 for information on configuring the extended ACL entries.

Step 6 Associate any VLAN interface to this ACL if required and click:

Deploy to immediately deploy this configuration.

Cancel to exit without saving your entries and to return to the ACL Summary table.


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting EtherType ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Resequencing Extended ACLs

Use this procedure to change the sequence of entries in an Extended ACL. EtherType ACL entries cannot be resequenced.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.

Step 2 Select the Extended ACL you want to renumber, then click the Resequence icon appearing to the left of the filter field. The ACL Line Number Resequence window appears.

Step 3 In the Start field, enter the number that is to be assigned to the first entry in the ACL. Valid entries are 1 to 2147483647.

Step 4 In the Increment field, enter the number that is to be added to each entry in the ACL after the first entry. Valid entries are integers from 1 to 2147483647.

Step 5 Click:

Resequence to save your entries and to return to the ACLs table.

Cancel to exit this procedure without saving your entries and to return to the ACLs table.
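The ACL behaviour described in this chapter (implicit "deny all", Table 2-15 port operators, IP/Netmask or network object group sources and destinations, and the Start/Increment renumbering of the Resequence dialog) modelled in Python as an added example; this is not Cisco's code. It assumes first-match evaluation in line-number order, and the ACL name, addresses and ports are constructed for illustration.

```python
"""Model of how the ACE evaluates an extended ACL (added example, not Cisco code).

Assumed here: entries are consulted in line-number order and the first match
decides; with no match the implicit "deny all" at the end of every ACL applies.
Port operators follow Table 2-15; the network object group form of a source or
destination is modelled as a tuple of hosts/subnets.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ("0.0.0.0/0",)        # the "Any" radio button
MAX_LINE = 2147483647       # upper bound of Start and Increment in the Resequence dialog


def port_matches(op: Optional[str], bounds: Tuple[int, ...], port: int) -> bool:
    """Apply a Source/Destination Port Operator; no operator means any port."""
    if op is None:
        return True
    if op == "range":
        lower, upper = bounds
        if not 0 <= lower < upper <= 65535:
            raise ValueError("range needs 0 <= lower < upper <= 65535")
        return lower <= port <= upper
    (value,) = bounds
    if not 0 <= value <= 65535:
        raise ValueError("port numbers are 0..65535")
    return {"eq": port == value, "gt": port > value,
            "lt": port < value, "neq": port != value}[op]


def in_group(ip: str, group: Tuple[str, ...]) -> bool:
    """True if ip falls in any IP/netmask of the group (one entry = plain IP/Netmask)."""
    return any(ip_address(ip) in ip_network(net, strict=False) for net in group)


@dataclass
class Entry:
    line: int
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" (protocol number 0) matches every protocol
    src: Tuple[str, ...] = ANY     # IP/Netmask or network object group
    dst: Tuple[str, ...] = ANY
    src_op: Optional[str] = None   # eq, gt, lt, neq, range (TCP/UDP only)
    src_ports: Tuple[int, ...] = ()
    dst_op: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()

    def matches(self, proto: str, sip: str, sport: int, dip: str, dport: int) -> bool:
        if self.protocol not in ("ip", proto):
            return False
        if not (in_group(sip, self.src) and in_group(dip, self.dst)):
            return False
        if proto in ("tcp", "udp"):   # the GUI only offers port operators for these
            return (port_matches(self.src_op, self.src_ports, sport)
                    and port_matches(self.dst_op, self.dst_ports, dport))
        return True


@dataclass
class ExtendedAcl:
    name: str
    entries: List[Entry] = field(default_factory=list)

    def ordered(self) -> List[Entry]:
        return sorted(self.entries, key=lambda e: e.line)

    def evaluate(self, proto: str, sip: str, sport: int, dip: str, dport: int):
        """Return (action, line) of the first matching entry, or ("deny", None)."""
        for entry in self.ordered():
            if entry.matches(proto, sip, sport, dip, dport):
                return entry.action, entry.line
        return "deny", None        # implicit deny all

    def resequence(self, start: int, increment: int) -> List[int]:
        """Renumber as the Resequence dialog does: the first entry gets Start and
        each following entry adds Increment; the relative order is unchanged."""
        for value in (start, increment):
            if not 1 <= value <= MAX_LINE:
                raise ValueError(f"Start and Increment must be 1..{MAX_LINE}")
        for i, entry in enumerate(self.ordered()):
            entry.line = start + i * increment
        return [e.line for e in self.ordered()]


def sample_acl() -> ExtendedAcl:
    """Constructed ACL for a web farm in 10.1.1.0/24 (all addresses are made up)."""
    return ExtendedAcl("WEB-IN", [
        Entry(10, "deny", "tcp", src=("192.0.2.0/24",)),           # blocked client net
        Entry(20, "permit", "tcp", dst=("10.1.1.0/24",), dst_op="eq", dst_ports=(443,)),
        Entry(30, "permit", "tcp", dst=("10.1.1.0/24",), dst_op="range", dst_ports=(8080, 8090)),
        Entry(40, "permit", "icmp", dst=("10.1.1.10/32", "10.1.1.11/32")),  # object group
    ])


if __name__ == "__main__":
    acl = sample_acl()
    print(acl.evaluate("tcp", "198.51.100.5", 40000, "10.1.1.10", 443))  # ('permit', 20)
    print(acl.evaluate("tcp", "198.51.100.5", 40000, "10.1.1.10", 22))   # ('deny', None)
    print(acl.resequence(100, 10))                                       # [100, 110, 120, 130]
```

Note that SSH to the web farm (port 22) falls through to the implicit deny: nothing in the ACL permits it, which is the behaviour the Note at the start of this section describes.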


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Editing or Deleting ACLs

Setting EtherType ACL Attributes


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


You can configure an ACL that controls traffic based on its EtherType. An EtherType is a sub-protocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field as opposed to a type field. The only exception is bridge protocol data units (BPDUs), which are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.

Step 2 Click Add. The New Access List configuration screen appears.

Step 3 Enter the ACL name in the ACL Properties pane and choose Ethertype.

Step 4 Select one of the following radio buttons:

Deny to indicate that the ACE is to block connections.

Permit to indicate that the ACE is to allow connections.

Step 5 Select one of the following from the Protocol field pulldown menu for this ACL:

Any—Specifies any EtherType.

BPDU—Specifies Bridge Protocol Data Units. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops. For information about configuring redundancy, refer to Configuring High Availability, page 9-1.

IPv6—Specifies Internet Protocol version 6.

MPLS—Specifies Multi-Protocol Label Switching. The MPLS selection applies to both MPLS unicast and MPLS multicast traffic. If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.

Step 6 Click Add To Table and add one or more ACL entries if required repeating Step 4 and Step 5 as needed.

Step 7 Associate any VLAN interface to this ACL if required and click:

Deploy to immediately deploy this configuration.

Cancel to exit without saving your entries and to return to the ACL Summary table.


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting Extended ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Viewing All ACLs by Context

Use this procedure to view all access control lists that have been configured.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the virtual context with the ACLs you want to view, then select Security > ACLs. The ACLs table appears, listing the existing ACLs with their name, their type (Extended or Ethertype), and any comments.


Related Topics

Configuring Virtual Context Expert Options

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Editing or Deleting ACLs

Editing or Deleting ACLs

Use this procedure to delete or edit an ACL or any of its subentries.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > ACLs. The ACLs table appears, listing the existing ACLs.

Step 2 Select the radio button to the left of the ACL you want to Edit or Delete. Expand entries if necessary by clicking the plus sign to the left of any ACL entry until you see the subentry ACL for which you are looking, or click the Expand All icon to view all ACLs and subentries.

Step 3 Perform one of the following steps:

Click Edit if you are editing an ACL or one of its entries and go to Step 4.

or

Click Delete if you are deleting an ACL or one of its entries and go to Step 5.

Step 4 Edit the entry using the summary information listed in Table 2-14 if needed, and click Deploy when done.

Step 5 Click Delete. A window appears asking you to confirm the deletion. If you click OK, the ACLs table refreshes without the deleted ACL.


Related Topics

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Resequencing Extended ACLs

Configuring Object Groups

An object group is a logical grouping of objects such as hosts (servers and clients), services, and networks. When you create an object group, you select a type, such as network or service, and then specify the objects that belong to the group. In all, there are four types of object groups: network, protocol, service, and ICMP-type.

After you configure an object group, you can include it in ACLs, thereby including all objects within that group and reducing overall configuration size.

Use this procedure to configure object groups that you can associate with ACLs.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Click Add to create a new object group, or select an existing object group, then click Edit to modify it. The Object Groups configuration screen appears.

Step 3 In the Name field, enter a unique name for this object group. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

Step 4 In the Description field, enter a brief description for the object group.

Step 5 In the Type field, select the type of object group you are creating:

Network—The object group is based on a group of hosts or subnet IP addresses.

Service—The object group is based on TCP or UDP protocols and ports, or ICMP types, such as echo or echo-reply.

Step 6 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit without saving your entries and to return to the Object Groups table.

Next to deploy your entries and to add another entry to the Object Groups table.

If you click Deploy Now or OK, the screen refreshes with tables for additional configuration options.

Step 7 Configure objects for the object group.

For network-type object groups, options include:

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

For service-type object groups, options include:

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group


Related Topics

Configuring Virtual Context Expert Options

Creating ACLs

Setting Extended ACL Attributes

Resequencing Extended ACLs

Configuring IP Addresses for Object Groups

Use this procedure to specify host IP addresses for network-type object groups.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select the object group you want to configure host IP addresses for, then select the Host Setting For Object Group tab. The Host Setting For Object Group table appears.

Step 3 Click Add to add an entry to this table.

Step 4 In the Host IP Address field, enter the IP address of a host to include in this group.

Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the Host Setting table.


Related Topics

Configuring Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring Subnet Objects for Object Groups

Use this procedure to specify subnet objects for a network-type object group.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select the object group you want to configure subnet objects for, then select the Network Setting For Object Group tab. The Network Setting For Object Group table appears.

Step 3 Click Add to add an entry to this table.

Step 4 In the IP Address field, enter an IP address that, with the subnet mask, defines the subnet object.

Step 5 In the Netmask field, select the subnet mask for this subnet object.

Step 6 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the Network Setting table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring Protocols for Object Groups

Use this procedure to specify protocols for a service-type object group.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select an existing service-type object group, then select the Protocol Selection tab. The Protocol Selection table appears.

Step 3 Click Add to add an entry to this table.

Step 4 In the Protocol Number field, select the protocol or protocol number to add to this object group. See Table 2-16 for common protocols and their numbers.

Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the Protocol Selection table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring TCP/UDP Service Parameters for Object Groups

Use this procedure to add TCP or UDP service objects to a service-type object group.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select an existing service-type object group, then select the TCP/UDP Service Parameters tab. The TCP/UDP Service Parameters table appears.

Step 3 Click Add to add an entry to this table.

Step 4 Configure TCP or UDP service objects using the information in Table 2-17.

Table 2-17 TCP and UDP Service Parameters 

Field
Description

Protocol

Select the protocol for this service object:

TCP—TCP is the protocol for this service object.

UDP—UDP is the protocol for this service object.

TCP And UDP—Both TCP and UDP are the protocols for this service object.

Source Port Operator

Select the operand to use when comparing source port numbers for this service object:

Equal To—The source port must be the same as the number in the Source Port field.

Greater Than—The source port must be greater than the number in the Source Port field.

Less Than—The source port must be less than the number in the Source Port field.

Not Equal To—The source port must not equal the number in the Source Port field.

Range—The source port must be within the range of ports specified by the Lower Source Port field and the Upper Source Port field.

Source Port

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Source Port Operator field.

Enter the source port name or number for this service object.

Lower Source Port

This field appears if you select Range in the Source Port Operator field.

Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Source Port field.

Upper Source Port

This field appears if you select Range in the Source Port Operator field.

Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Source Port field.

Destination Port Operator

Select the operand to use when comparing destination port numbers:

Equal To—The destination port must be the same as the number in the Destination Port field.

Greater Than—The destination port must be greater than the number in the Destination Port field.

Less Than—The destination port must be less than the number in the Destination Port field.

Not Equal To—The destination port must not equal the number in the Destination Port field.

Range—The destination port must be within the range of ports specified by the Lower Destination Port field and the Upper Destination Port field.

Destination Port

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Destination Port Operator field.

Enter the destination port name or number for this service object.

Lower Destination Port

This field appears if you select Range in the Destination Port Operator field.

Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port field.

Upper Destination Port

This field appears if you select Range in the Destination Port Operator field.

Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Destination Port field.


Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the TCP/UDP Service Parameters table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring ICMP Service Parameters for an Object Group

Use this procedure to add ICMP service parameters to a service-type object group.

Procedure


Step 1 Select Config > Virtual Contexts > context > Security > Object Groups. The Object Groups table appears, listing existing object groups.

Step 2 Select an existing service-type object group, then select the ICMP Service Parameters tab. The ICMP Service Parameters table appears.

Step 3 Click Add to add an entry to this table.

Step 4 Configure ICMP type objects using the information in Table 2-18.

Table 2-18 ICMP Type Service Parameters 

Field
Description

ICMP Type

Select the ICMP type or number for this service object. Table 2-19 lists common ICMP types and numbers.

Message Code Operator

Select the operand to use when comparing message codes for this service object:

Equal To—The message code must be the same as the number in the Message Code field.

Greater Than—The message code must be greater than the number in the Message Code field.

Less Than—The message code must be less than the number in the Message Code field.

Not Equal To—The message code must not equal the number in the Message Code field.

Range—The message code must be within the range of codes specified by the Min. Message Code field and the Max. Message Code field.

Message Code

This field appears if you select Equal To, Greater Than, Less Than, or Not Equal To in the Message Code Operator field.

Enter the ICMP message code for this service object.

Min. Message Code

This field appears if you select Range in the Message Code Operator field.

Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 255. The number in this field must be less than the number entered in the Max. Message Code field.

Max. Message Code

This field appears if you select Range in the Message Code Operator field.

Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 255. The number in this field must be greater than the number entered in the Min. Message Code field.


Table 2-19 ICMP Type Numbers and Names 

Number  ICMP Type Name
0       Echo-Reply
3       Unreachable
4       Source-Quench
5       Redirect
6       Alternate-Address
8       Echo
9       Router-Advertisement
10      Router-Solicitation
11      Time-Exceeded
12      Parameter-Problem
13      Timestamp-Request
14      Timestamp-Reply
15      Information-Request
16      Information-Reply
17      Mask-Request
18      Mask-Reply
31      Conversion-Error
32      Mobile-Redirect


Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the ICMP Service Parameters table.
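The following Python model shows how the objects configured in the procedures above combine when the ACE matches traffic: host and subnet objects of a network-type group (Host Setting and Network Setting tabs), and protocol, TCP/UDP port (Table 2-17) and ICMP type/code (Tables 2-18 and 2-19) objects of a service-type group. It is an added illustration written for this guide, not Cisco's implementation or the Device Manager's validation code; the group names, the documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the IANA protocol numbers it assumes are constructed for the example. It enforces the limits the tables state (ports 0 to 65535, message codes 0 to 255, and a Range whose lower value is less than its upper value) so a practitioner can see which entries the form rejects and why.

```python
# Added example: how ACE object groups match traffic (illustration, not Cisco code).
# Limits follow Tables 2-17 and 2-18; protocol numbers and addresses are assumed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

PORT_MAX, ICMP_CODE_MAX = 65535, 255
OPERATORS = ("Equal To", "Greater Than", "Less Than", "Not Equal To", "Range")
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}   # IANA protocol numbers (assumed mapping)
ICMP_TYPE = {"Echo-Reply": 0, "Unreachable": 3, "Echo": 8, "Time-Exceeded": 11}  # Table 2-19 subset


@dataclass(frozen=True)
class Comparison:
    """Operator entry; Range uses lower/upper, the other operators use value."""
    operator: str
    value: int = 0
    lower: int = 0
    upper: int = 0
    limit: int = PORT_MAX          # PORT_MAX for ports, ICMP_CODE_MAX for message codes

    def __post_init__(self) -> None:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        bounds = (self.lower, self.upper) if self.operator == "Range" else (self.value,)
        for b in bounds:
            if not 0 <= b <= self.limit:
                raise ValueError(f"{b} is outside 0..{self.limit}")
        if self.operator == "Range" and not self.lower < self.upper:
            raise ValueError("lower bound must be less than upper bound")

    def matches(self, n: int) -> bool:
        if self.operator == "Range":
            return self.lower <= n <= self.upper
        return {"Equal To": n == self.value, "Greater Than": n > self.value,
                "Less Than": n < self.value, "Not Equal To": n != self.value}[self.operator]


def validate(operator: str, **fields) -> Optional[str]:
    """Error text a form entry would get back, or None when the entry is valid."""
    try:
        Comparison(operator, **fields)
        return None
    except ValueError as exc:
        return str(exc)


@dataclass(frozen=True)
class ServiceObject:
    protocol: Union[str, int]              # "TCP", "UDP", "TCP And UDP", "ICMP" or e.g. 47
    src: Optional[Comparison] = None       # None: any source port
    dst: Optional[Comparison] = None       # None: any destination port
    icmp_type: Optional[int] = None
    icmp_code: Optional[Comparison] = None

    def protocols(self) -> set:
        if self.protocol == "TCP And UDP":
            return {PROTO_NUM["TCP"], PROTO_NUM["UDP"]}
        return {PROTO_NUM.get(self.protocol, self.protocol)}

    def matches(self, proto: int, sport: int = 0, dport: int = 0, itype=None, icode=None) -> bool:
        return (proto in self.protocols()
                and (self.src is None or self.src.matches(sport))
                and (self.dst is None or self.dst.matches(dport))
                and (self.icmp_type is None or itype == self.icmp_type)
                and (self.icmp_code is None or (icode is not None and self.icmp_code.matches(icode))))


class NetworkObjectGroup:
    def __init__(self, name: str) -> None:
        self.name, self.hosts, self.subnets = name, set(), []

    def add_host(self, ip: str) -> None:                   # Host Setting For Object Group
        self.hosts.add(ipaddress.ip_address(ip))

    def add_subnet(self, ip: str, netmask: str) -> None:   # Network Setting For Object Group
        self.subnets.append(ipaddress.ip_network(f"{ip}/{netmask}", strict=False))

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return addr in self.hosts or any(addr in net for net in self.subnets)


class ServiceObjectGroup:
    def __init__(self, name: str, objects: List[ServiceObject]) -> None:
        self.name, self.objects = name, list(objects)

    def matches(self, proto: int, **fields) -> bool:
        return any(obj.matches(proto, **fields) for obj in self.objects)


def build_example_groups():
    # Constructed sample groups using documentation addresses, not real hosts.
    net = NetworkObjectGroup("web-servers")
    net.add_host("192.0.2.10")
    net.add_subnet("198.51.100.0", "255.255.255.0")
    svc = ServiceObjectGroup("web-services", [
        ServiceObject("TCP", dst=Comparison("Equal To", 443)),
        ServiceObject("TCP And UDP", dst=Comparison("Range", lower=1024, upper=PORT_MAX)),
        ServiceObject("ICMP", icmp_type=ICMP_TYPE["Echo"], icmp_code=Comparison("Equal To", 0, limit=ICMP_CODE_MAX)),
        ServiceObject(47),                                  # GRE, selected by protocol number
    ])
    return net, svc
```

A service object with no operator on a port matches any port, which is why a TCP object whose only entry is Equal To 443 still needs a destination operator to be restrictive; the Range check rejects a lower value equal to or above the upper value, mirroring the wording of Table 2-17 rather than accepting a single-port "range".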


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring Virtual Context Expert Options

Table 2-20 identifies ACE appliance Device Manager virtual context Expert configuration options and related topics for more information.

Table 2-20 Virtual Context Expert Configuration Options 

Expert Configuration Options
Related Topics

Establish traffic policies by classifying types of network traffic and then applying rules and actions for handling the traffic
    Configuring Traffic Policies, page 10-1
    Configuring Virtual Context Class Maps, page 10-8
    Configuring Virtual Context Policy Maps, page 10-33

Configure HTTP optimization action lists
    Configuring an HTTP Optimization Action List, page 11-3

Configure HTTP header modify action lists
    Configuring an HTTP Header Modify Action List, page 10-80


Managing Virtual Contexts

You can perform the following administrative actions on virtual contexts:

Synchronizing Virtual Context Configurations

Editing Virtual Contexts

Deleting Virtual Contexts

Viewing All Virtual Contexts

Synchronizing Virtual Context Configurations

ACE appliance Device Manager identifies virtual contexts with different configurations on the ACE appliance and in ACE appliance Device Manager. Discrepancies between these configurations occur when a user configures the ACE appliance directly using the CLI instead of the ACE appliance Device Manager.

The ACE appliance Device Manager automatically polls the CLI once every two minutes. When you use the CLI to change a virtual context's configuration on the ACE appliance, and the Device Manager detects an out-of-band configuration change in a context during this polling period, the configuration changes are applied by the Device Manager.

The status bar at the bottom right of the ACE appliance Device Manager displays two indicators for you to monitor CLI and DM GUI synchronization status (Figure 2-1). One indicator displays ACE appliance Device Manager GUI and CLI synchronization status along with a summary count of the contexts in the various synchronization states, and the other indicator displays CLI synchronization and polling status for the active context. The status bar auto-refreshes every 10 seconds.

Figure 2-1 CLI and DM GUI Synchronization Status Bar

For example, as illustrated in Figure 2-1, the message "DM out of sync with CLI (1/17)" indicates that out of the 17 configured contexts, one context is in the "Out of sync" CLI synchronization status state.


Note If a user attempts to deploy a configuration from the ACE appliance Device Manager (clicks the Deploy Now button) while synchronization is in process for a particular context, an error message appears indicating that synchronization is in process and the user should try to deploy the configuration at a later point in time.


ACE appliance Device Manager provides the following options for identifying and synchronizing configuration discrepancies:

Viewing Virtual Context Synchronization Status

High Availability and Virtual Context Configuration Status

Manually Synchronizing Individual Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Viewing Virtual Context Synchronization Status

ACE appliance Device Manager identifies virtual contexts with different configurations in the ACE appliance and in the ACE appliance Device Manager. Discrepancies between these configurations occur when a user configures the ACE appliance directly using the CLI instead of ACE appliance Device Manager.

In Config screens, CLI and DM GUI configuration status appears in the following locations in the ACE appliance Device Manager:

In the All Virtual Contexts table (Config > Virtual Contexts), in the CLI Sync Status column.

The status bar at the bottom of the ACE appliance Device Manager browser (see Figure 2-1).

The following reported CLI synchronization states appear in the All Virtual Context table:

OK—The configurations for the selected virtual context are synchronized with the CLI.

Out Of Sync—The configurations for the selected virtual context are not synchronized with the CLI.

Sync In Progress—The CLI to DM GUI synchronization for this context is in process, either started automatically by the ACE appliance Device Manager or manually (using either the CLI Sync or CLI Sync All buttons).

Sync Failed—The last synchronization attempt failed and you must perform a manual synchronization using either the CLI Sync or CLI Sync All buttons. The failed state could be due to an unrecognized CLI command on the context, or due to an internal error on the ACE appliance Device Manager. Once the problem is resolved, another manual synchronization will be required to move the context into the OK synchronization state.

The status bar at the bottom of the ACE appliance Device Manager browser (see Figure 2-1) displays DM GUI and CLI synchronization status along with a summary count of the contexts in the various synchronization states. For example, the message "DM out of sync with CLI (1/10), DM sync with CLI failed (2/10)" indicates that out of the 10 configured contexts, one context is in the "Out Of Sync" state, two are in the "Sync Failed" state, and the remaining contexts are in the "OK" state. The status bar auto-refreshes every 10 seconds.


Note Clicking the summary count in the status bar from any context-specific page accesses the All Virtual Contexts table. You can view the CLI synchronization status for all contexts.


If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual Contexts table, the information in the CLI Sync Status column does not automatically update to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view out-of-sync configurations.
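The synchronization states above are the Device Manager's view of configuration drift: a context whose copy in the Device Manager no longer matches the running CLI configuration is Out Of Sync, and the status bar counts how many contexts are in each state. The Python below is an added illustration of that check, not Device Manager code: it compares a stored copy with a current copy per context, classifies the context with the four state names from this section, records which lines changed through the CLI, and renders the summary in the status-bar wording quoted above. The configuration lines, context names and the all-OK status-bar wording are constructed for the example and not taken from an appliance.

```python
# Added example: detecting out-of-band CLI changes and summarizing CLI Sync
# Status in the status-bar format (illustration, not Device Manager code).
import difflib
from typing import Dict, List


def normalize(config: str) -> List[str]:
    """Compare on trimmed, non-empty, non-comment lines so whitespace noise is ignored."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def classify(dm_copy: str, cli_copy: str, in_progress: bool = False,
             last_sync_failed: bool = False) -> str:
    """CLI Sync Status for one context from the Device Manager copy and the CLI copy."""
    if in_progress:
        return "Sync In Progress"
    if last_sync_failed:
        return "Sync Failed"
    return "OK" if normalize(dm_copy) == normalize(cli_copy) else "Out Of Sync"


def drift(dm_copy: str, cli_copy: str) -> List[str]:
    """Lines added (+) or removed (-) through the CLI; an audit record of the change."""
    diff = difflib.unified_diff(normalize(dm_copy), normalize(cli_copy),
                                "device-manager", "cli", lineterm="", n=0)
    return [ln for ln in diff if ln and ln[0] in "+-" and not ln.startswith(("+++", "---"))]


def status_bar(states: Dict[str, str]) -> str:
    """Summary in the wording this guide quotes; the all-OK message is an assumed wording."""
    total = len(states)
    out = sum(1 for s in states.values() if s == "Out Of Sync")
    failed = sum(1 for s in states.values() if s == "Sync Failed")
    parts = []
    if out:
        parts.append(f"DM out of sync with CLI ({out}/{total})")
    if failed:
        parts.append(f"DM sync with CLI failed ({failed}/{total})")
    return ", ".join(parts) if parts else f"DM in sync with CLI ({total}/{total})"


# Constructed sample snapshots (ACE-style lines written for this example, not captured output).
DM_COPY = """
access-list WEB line 10 extended permit tcp any host 192.0.2.10 eq 443
access-list WEB line 20 extended deny ip any any
"""
CLI_COPY = """
access-list WEB line 10 extended permit tcp any host 192.0.2.10 eq 443
access-list WEB line 15 extended permit tcp any host 192.0.2.10 eq 22
access-list WEB line 20 extended deny ip any any
"""


def audit_example() -> Dict[str, str]:
    """States for a constructed set of contexts, one of them changed via the CLI."""
    return {
        "Admin": classify(DM_COPY, DM_COPY),
        "ctx-web": classify(DM_COPY, CLI_COPY),
        "ctx-db": classify(DM_COPY, DM_COPY, last_sync_failed=True),
    }
```

In practice the interesting output is `drift()`: a line that appears only in the CLI copy was entered outside the Device Manager, and the Out Of Sync state tells you to run CLI Sync, while the diff tells you what to review before you do.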

For information on synchronizing out-of-sync virtual context configurations, see:

Manually Synchronizing Individual Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Related Topics

Synchronizing Virtual Context Configurations

High Availability and Virtual Context Configuration Status

High Availability and Virtual Context Configuration Status

In a high availability pair, the two configured virtual contexts synchronize with each other as part of their ongoing communications. However, their copies do not synchronize in ACE appliance Device Manager and the configuration on the standby member can become out of sync with the configuration on the ACE appliance.

After the active member of a high availability pair fails and the standby member becomes active, ACE appliance Device Manager on the newly active member detects any out-of-sync virtual context configurations and reports that status in the All Virtual Contexts table so that you can synchronize the virtual context configurations.


Note When a virtual context is in either the Standby Hot or Standby Warm state (see High Availability Polling, page 9-6), the virtual context may receive configuration changes from its ACE peer without updating the Device Manager GUI. As a result, the ACE appliance Device Manager GUI will be out of synchronization with the CLI configuration. If you need to check configuration on a standby virtual context using HA Tracking And Failure Detection (see Tracking VLAN Interfaces for High Availability, page 9-17), we recommend that you first perform a manual synchronization using either the CLI Sync or CLI Sync All buttons before checking the configuration values.


For information on synchronizing out-of-sync virtual context configurations, see:

Manually Synchronizing Individual Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Related Topics

Viewing Virtual Context Synchronization Status

Configuring High Availability Overview, page 9-6

Manually Synchronizing Individual Virtual Context Configurations

Use this procedure if you want to manually synchronize the configuration for a selected virtual context. This procedure removes the configuration information for this virtual context from ACE appliance Device Manager and replaces it with its CLI configuration from the ACE appliance. You may want to manually synchronize a virtual context configuration if you do not want to wait for auto synchronization to occur and you want the CLI context configuration changes immediately applied to the ACE appliance Device Manager.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears. Contexts with configurations that are not synchronized display Out of sync in the CLI Sync Status column.


Note If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual Contexts table, the information in the CLI Sync Status column is not automatically updated to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view out-of-sync configurations.


Step 2 Select the virtual context with the configuration that you want to synchronize, then click CLI Sync. A window appears, asking you to confirm the operation.

Step 3 Click OK to upload the configuration from the ACE appliance or Cancel to exit this procedure without uploading the configuration.

If you click OK, the screen reports progress and then refreshes with updated configuration status in the CLI Sync Status column.


Related Topics

Synchronizing Virtual Context Configurations

Viewing Virtual Context Synchronization Status

Manually Synchronizing All Virtual Context Configurations

Manually Synchronizing All Virtual Context Configurations

Use this procedure to manually synchronize all virtual context configurations. This procedure removes all virtual context configurations from ACE appliance Device Manager and replaces them with their CLI configurations from the ACE appliance. You may want to manually synchronize all virtual contexts if you do not want to wait for auto-synchronization to occur and you want the CLI context configuration changes immediately applied to the ACE appliance Device Manager.

This operation can take several minutes to finish, depending on the number of virtual contexts.


Note If you configure a virtual server using the CLI and then use the CLI Sync All option (Config > Virtual Contexts) to manually synchronize configurations, the configuration that appears in ACE appliance Device Manager for the virtual server might not display all configuration options for that virtual server. The configuration that appears in ACE appliance Device Manager depends on a number of items, such as the protocols configured in class maps or the rules defined for policy maps.

For example, if you configure a virtual server on the CLI that includes a class map that can match any protocol, you will not see the virtual server Application Acceleration and Optimization configuration subset in ACE appliance Device Manager.



Note This procedure is available for only the admin user in an Admin context.


Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Click CLI Sync All. A window appears, asking you to confirm the operation.

Step 3 Click OK to continue with this option or click Cancel to exit this procedure.

If you click OK, the screen refreshes with the All Virtual Contexts table listing the contexts that have been imported so far and displays configuration update progress.


Note Depending on the number of contexts, this process can take several minutes to complete.


Step 4 Click Refresh to view additional contexts that have been imported.


Related Topics

Synchronizing Virtual Context Configurations

Manually Synchronizing Individual Virtual Context Configurations

Editing Virtual Contexts

Use this procedure to modify the configuration of an existing virtual context.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the virtual context, then select the configuration attributes you want to modify. For information on configuration options, see Configuring Virtual Contexts.

Step 3 Click Deploy Now to deploy this configuration on the ACE appliance.

To exit a procedure without saving your entries, click Cancel, or select another item in the menu bar or another attribute to configure. A window appears, confirming that you have not saved your entries.


Related Topic

Using Virtual Contexts

Deleting Virtual Contexts

Use this procedure to remove an existing virtual context.

Procedure


Step 1 Select Config > Virtual Contexts. The All Virtual Contexts table appears.

Step 2 Select the virtual context you want to remove, then click Delete. A window appears, asking you to confirm the deletion.

Step 3 Click:

OK to delete the selected context. The device tree refreshes and the deleted context no longer appears.

Cancel to exit this procedure and to retain the selected context.


Related Topic

Using Virtual Contexts

Viewing All Virtual Contexts

To view all virtual contexts, select Config > Virtual Contexts. The All Virtual Contexts table appears.


Note Clicking the summary count in the status bar from any context-specific page accesses the All Virtual Contexts table. You can then review the synchronization configuration details for all of the available contexts. If you are not the administrator, you will only see the details for your user context.


The All Virtual Contexts table displays the following information for each virtual context:

Name

Resource class

Management IP address

Virtual context synchronization status; that is, whether the ACE appliance Device Manager GUI and CLI configurations for the context are synchronized, not synchronized, being synchronized, or the synchronization attempt failed. For more information, see Viewing Virtual Context Synchronization Status.

ACE high availability state; for more information on the available ACE high availability states, see High Availability Polling, page 9-6.


Note For information on the implication of ACE high availability on ACE appliance Device Manager GUI and CLI configuration synchronization, see Synchronizing High Availability Configurations with ACE Appliance Device Manager, page 9-7.


State of the ACE high availability peer

ACE high availability peer name

Whether automatic synchronization for high availability pairs has been configured


Note If a user changes the configuration for a context by using the CLI while you are viewing the All Virtual Contexts table, or if the high availability state changes, the information in the table columns does not automatically update to reflect an out-of-sync state. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view out-of-sync configurations.



Note If a user creates a new virtual context in a different session while you are viewing the All Virtual Contexts table, the new virtual context does not automatically appear in this table. Click Refresh or set an automatic refresh rate by clicking Auto Refresh to view newly created contexts.


Polling status for the selected context appears above the content area in the upper right corner (see Figure 1-2). Table 12-1 describes the various polling states.

From this screen you can:

Add a new virtual context—See Creating Virtual Contexts.

Edit an existing virtual context—See Configuring Virtual Contexts.

Delete an existing virtual context—See Deleting Virtual Contexts.

Manually synchronize ACE appliance Device Manager and CLI configurations for one or all virtual contexts—See Synchronizing Virtual Context Configurations.

Related Topic

Managing Virtual Contexts