Getting Started Guide vA5(1.0), Cisco ACE 4700 Series Application Control Engine Appliance
Creating a Virtual Context


This chapter describes how to create a virtual context for the Cisco 4700 Series Application Control Engine (ACE) appliance. In this chapter, you will create a virtual context. In subsequent chapters, you will create a virtual server within the virtual context. The virtual server is associated with a server farm and real servers. The example setup is illustrated in Table 3-1.

This chapter contains the following sections:

Information About Virtualization

Licensing Requirements for Virtual Contexts

Configuring a Virtual Context

Configuration Examples for Configuring a Virtual Context

Where to Go Next

Information About Virtualization

After reading this chapter, you should have a basic understanding of ACE appliance virtualization and be able to partition your ACE into multiple virtual devices or virtual contexts (VCs) for more efficient operation.

Virtualization allows you to create a virtual environment in which a single ACE is partitioned into multiple virtual devices, each functioning as an independent ACE appliance that is configured and managed independently.

You set up virtualization by performing the following configuration steps:

Configure resource allocation for a virtual context

Create a virtual context

Configure access to the virtual context

An example virtual environment is used throughout this guide, with the user context VC_web carrying the web traffic through the network. This user context is associated with the custom resource class RC_web.

Table 3-1 Example Virtual Contexts

Virtual Context: VC_web
Virtual Server: VS_web
Server Farm: SF_web
Real Servers: RS_web1, RS_web2, RS_web3, RS_web4


Before you begin configuring your ACE for virtualization, you should become familiar with a few concepts: virtual context, Admin and user contexts, and resource classes.

With ACE virtualization, you can create a virtual environment, called a virtual context, in which a single ACE appears as multiple virtual devices, each configured and managed independently. A virtual context allows you to closely and efficiently manage system resources, ACE users, and the services that you provide to your customers.

As the system administrator, you have full system administrator access to configure and manage the Admin context and all user contexts. Each context can also have its own administrator and log-in mechanism that provides access only to the specific context. When you log in to the ACE using the console or Telnet, you are authenticated in the Admin context.

Although virtualization allows you to create multiple contexts, in the physical world, you still have a single ACE with finite resources, such as the number of concurrent connections. To address this limitation, the ACE provides resource classes that allow you to manage each virtual context's access to physical ACE resources. A resource class is a definition of what portion of an ACE's overall resources will be assigned, at a minimum or maximum, to any given context. One resource class may be associated with one or more contexts.

The ACE is preconfigured with a default resource class for the Admin context. This default resource class is applied to all virtual contexts that you create. It allows a maximum of 100 percent access to all resources by all virtual contexts. When a resource is being used to its maximum limit, the ACE will deny additional requests for that resource from any other virtual contexts. To avoid oversubscribing resources and to help guarantee that resource availability is shared among multiple virtual contexts, you create custom resource classes and associate them with the virtual contexts you define.

Licensing Requirements for Virtual Contexts

The ACE appliance license supports an Admin context and a maximum of 20 user contexts, so you can configure multiple contexts if you choose to.

For details about licensing, see the Administration Guide, Cisco ACE Application Control Engine.

Configuring a Virtual Context

To configure a virtual context, you can use either the ACE Device Manager user interface (GUI) or the CLI.

Creating a Virtual Context Using the Device Manager GUI

Creating a Virtual Context Using the CLI

Creating a Virtual Context Using the Device Manager GUI

This section describes how to create and configure a virtual context for server load balancing using the ACE Device Manager user interface and contains the following topics:

Creating a Resource Class

Creating a Virtual Context

Configuring the Client-Side VLAN Interface

Configuring the Server-Side VLAN Interface

Creating a Resource Class


Note By default, the Admin context is a member of the default resource class. To ensure that the Admin context resources are not depleted by other virtual contexts and that the context will be guaranteed a minimum amount of resources, we recommend that you create a separate resource class, allocate the resources that you estimate will be required by the Admin context, and make the Admin context the only member.


Create a resource class by following these steps:


Step 1 Choose Config > Virtual Contexts > System > Resource Classes. The Resource Classes pane appears.

Step 2 Click Add (+). The New Resource Class window appears.

Step 3 Enter the following Resource Class attributes. Leave the remaining attributes blank or with their default values.

Name: RC_web

Default Min: 10

Default Max: Unlimited

Step 4 Click Deploy Now. The Resource Classes pane appears with the newly added resource class.


Creating a Virtual Context

You can create a user context for server load-balancing purposes. For the example configuration, you will create a user context, VC_web, and configure a management VLAN interface to VLAN 1000, as illustrated in Figure 3-1 (previously configured settings are grayed out).

Figure 3-1 Creating a User Context

Create a virtual context by following these steps:


Step 1 Choose Config > Virtual Contexts. The All Virtual Contexts pane appears.

Step 2 Click Add (+). The New Virtual Context window appears.

Step 3 Enter the following virtual context attributes. Leave the remaining attributes blank or with their default values.

Name: VC_web

Resource Class: RC_web

Allocate-Interface VLANs: 1000, 400, 500 (these VLANs allow the context to receive the associated traffic)

Description: Virtual context for marketing website

Policy Name: Management

Management VLAN: 1000 (this VLAN allows for remote management of the context)

Management IP: 172.25.91.111 (this IP address also allows for remote management of the context)

Management Netmask: 255.255.255.0

Protocols to Allow: SNMP (or any protocols that you allow for this virtual context)

Default Gateway IP: 172.25.91.1

Step 4 Click Deploy Now to deploy this context. Then, choose Virtual Contexts. The window refreshes with the new virtual context listed in the All Virtual Contexts pane.


Configuring the Client-Side VLAN Interface

You can now configure a client-side VLAN interface, which is the address to which client traffic is sent. For the example configuration, you will configure VLAN 400.

Figure 3-2 Configuring the Client-Side VLAN Interface

Configure a client-side VLAN interface by following these steps:


Step 1 Choose VC_web in the virtual contexts drop-down list.

Step 2 Choose Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interfaces pane appears.

Step 3 Click Add (+) to add a new VLAN interface. The VLAN Interfaces window appears.

Step 4 Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.

VLAN: 400

Description: Client-side VLAN interface

IP Address: 10.10.40.10

Netmask: 255.255.255.0

Admin Status: Up

Step 5 Click Deploy Now to save your entry. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane.


Configuring the Server-Side VLAN Interface

Next, configure the server-side VLAN interface, which is the address to which server traffic is sent. For the example configuration, you will configure VLAN 500 and a NAT pool for the VLAN (Figure 3-3).


Note Network Address Translation (NAT) is designed to simplify and conserve IP addresses. It allows private IP networks that use unregistered IP addresses to connect to the Internet. You configure a NAT pool for the ACE so that the ACE exposes only one address for the entire network to the outside world. This pool, which hides the entire internal network behind that address, offers both security and address conservation.


Figure 3-3 Configuring the Server-Side VLAN Interface

Configure the VLAN interface by following these steps:


Step 1 Make sure that VC_web is selected in the virtual contexts drop-down list.

Step 2 Choose Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interfaces pane appears.

Step 3 Click Add (+) to add a new VLAN interface. The VLAN Interfaces window appears.

Step 4 Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.

VLAN: 500

Description: Server-side VLAN interface

IP Address: 10.10.50.1

Netmask: 255.255.255.0

Admin Status: Up

Step 5 Click Deploy Now to save your entry. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane.

Step 6 Choose the row for VLAN 500, and then choose the NAT Pool tab. The NAT Pool pane appears.

Step 7 Click Add (+) to add a new NAT pool. The NAT Pool pane appears.

Step 8 Enter the following NAT pool attributes. Leave the remaining attributes blank or with their default values.

NAT Id: 1

Start IP Address: 10.10.50.101

End IP Address: 10.10.50.104

Netmask: 255.255.255.0

Step 9 Click Deploy Now at the bottom of the window to save your entry and return to the NAT Pool pane.


Creating a Virtual Context Using the CLI

You can create a virtual context using the command-line interface. This section contains the following topics:

Configuring a Resource Class

Creating a Virtual Context

Configuring a Management VLAN Interface to the User Context

Configuring Remote Management Access to the User Contexts

Configuring the Client-Side VLAN Interface

Configuring the Server-Side VLAN Interface

Configuring a Resource Class


Note By default, the Admin context is a member of the default resource class. To ensure that the Admin context resources are not depleted by other virtual contexts and that the context will be guaranteed a minimum amount of resources, we recommend that you create a separate resource class, allocate the resources that you estimate will be required by the Admin context, and make the Admin context the only member.


Configure a resource class by following these steps:


Step 1 Log in to the ACE as the system administrator, for example by entering the following Telnet command at a command prompt.

telnet 172.25.91.110

At the prompt, enter admin, then the new password you entered in Step 2 in "Enabling Management Connectivity Using the Setup Script" in Chapter , "Setting Up an ACE Appliance".

host1 login: admin
Password: xxxxx

Step 2 Enter configuration mode.

host1/Admin# config
host1/Admin(config)#

Step 3 Configure a resource class that guarantees a context a minimum of 10 percent of the total resources available on the ACE, with no maximum, and exit configuration mode.

host1/Admin(config)# resource-class RC_web
host1/Admin(config-resource)# limit-resource all minimum 10 maximum unlimited
host1/Admin(config-resource)# exit
host1/Admin(config)#

Creating a Virtual Context

Create a virtual context by following these steps:


Step 1 Create a new context.

host1/Admin(config)# context VC_web
host1/Admin(config-context)#

Step 2 Associate three existing VLANs with the context so that the context can receive traffic classified for it.

host1/Admin(config-context)# allocate-interface vlan 1000
host1/Admin(config-context)# allocate-interface vlan 400
host1/Admin(config-context)# allocate-interface vlan 500

Step 3 Associate the context with the resource class that you created in the previous section, "Configuring a Resource Class."

host1/Admin(config-context)# member RC_web

Step 4 Change to the VC_web context that you created in Step 1 and exit configuration mode.

host1/Admin(config-context)# do changeto VC_web
host1/VC_web(config)# exit
host1/VC_web#

Step 5 Display the virtual context configuration.

host1/VC_web# show running-config context

Step 6 Display the resource class configuration.

host1/VC_web# show running-config resource-class

Configuring a Management VLAN Interface to the User Context

You can provide management connectivity to the user context by assigning an IP address to the VLAN interface, as illustrated in Figure 3-1. Configure a management VLAN interface by following these steps:


Step 1 Access interface configuration mode for VLAN 1000 in VC_web.

host1/VC_web# config
host1/VC_web(config)# interface vlan 1000
host1/VC_web(config-if)#

Step 2 Assign an IP address of 172.25.91.111 and a subnet mask of 255.255.255.0 to the VLAN interface for management connectivity.

host1/VC_web(config-if)# ip address 172.25.91.111 255.255.255.0

Step 3 Enable the VLAN interface.

host1/VC_web(config-if)# no shutdown

Step 4 Show that VLAN 1000 is active.

host1/VC_web(config-if)# do show interface vlan 1000

Step 5 Verify network connectivity.

host1/VC_web(config-if)# do ping 172.25.91.111

Step 6 Display the ARP table.


Note The Address Resolution Protocol (ARP) allows the ACE to learn and maintain the mapping between IP addresses and Media Access Control (MAC) addresses that it needs to forward packets.


host1/VC_web(config-if)# do show arp

Step 7 Exit configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit
host1/VC_web#

Configuring Remote Management Access to the User Contexts

Before remote network access can occur on the user context through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE. Configure remote management access by following these steps:


Step 1 Create a management type class map named REMOTE_ACCESS that matches traffic meeting any one of the match criteria you define in it.

host1/VC_web# config
host1/VC_web(config)# class-map type management match-any REMOTE_ACCESS
host1/VC_web(config-cmap-mgmt)#

Step 2 (Optional) Provide a description for the class map.

host1/VC_web(config-cmap-mgmt)# description Remote access traffic match

Step 3 Configure the match protocol to permit traffic based on the SSH, Telnet, and ICMP protocols for any source address.

host1/VC_web(config-cmap-mgmt)# match protocol ssh any
host1/VC_web(config-cmap-mgmt)# match protocol telnet any
host1/VC_web(config-cmap-mgmt)# match protocol icmp any
host1/VC_web(config-cmap-mgmt)# exit
host1/VC_web(config)#

Step 4 Create a REMOTE_MGMT_ALLOW_POLICY policy map for traffic destined to an ACE interface.

host1/VC_web(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/VC_web(config-pmap-mgmt)#

Step 5 Apply the REMOTE_ACCESS class map to this policy.

host1/VC_web(config-pmap-mgmt)# class REMOTE_ACCESS
host1/VC_web(config-pmap-mgmt-c)#

Step 6 Permit the management protocols matched by the class map to reach the ACE.

host1/VC_web(config-pmap-mgmt-c)# permit
host1/VC_web(config-pmap-mgmt-c)# exit
host1/VC_web(config-pmap-mgmt)# exit
host1/VC_web(config)#

Step 7 Access interface configuration mode for the VLAN to which you want to apply the policy map.

host1/VC_web(config)# interface vlan 1000
host1/VC_web(config-if)#

Step 8 Apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.

host1/VC_web(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Step 9 Display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface.

host1/VC_web(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY

Step 10 Copy your configuration changes from the running configuration to the startup configuration.

host1/VC_web(config-if)# do copy running-config startup-config
Generating configuration....
running config of context VC_web saved
host1/VC_web(config-if)# exit
host1/VC_web(config)# exit

Step 11 Display the running configuration.

host1/VC_web(config)# do show running-config

Configuring the Client-Side VLAN Interface

At this point, you can configure a client-side VLAN interface, the address to which the client traffic is sent, as illustrated in Figure 3-2. Configure a client-side VLAN interface by following these steps:


Step 1 Access interface configuration mode for the VLAN 400.

host1/VC_web(config)# interface vlan 400
host1/VC_web(config-if)#

Step 2 Assign an IP address of 10.10.40.1 and a subnet mask of 255.255.255.0 to the VLAN interface for client connectivity.

host1/VC_web(config-if)# ip address 10.10.40.1 255.255.255.0

Step 3 (Optional) Provide a description for the interface.

host1/VC_web(config-if)# description Client connectivity on VLAN 400

Step 4 Enable the VLAN interface.

host1/VC_web(config-if)# no shutdown

Step 5 Show that VLAN 400 is active.

host1/VC_web(config-if)# do show interface vlan 400

Step 6 Display the ARP table.

host1/VC_web(config-if)# do show arp

Step 7 Exit configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit
host1/VC_web#

Configuring the Server-Side VLAN Interface

Next, you can configure a server-side VLAN interface, the address to which the server traffic is sent, as illustrated in Figure 3-3. Configure the server-side VLAN interface by following these steps:


Step 1 Access interface configuration mode for the VLAN 500.

host1/VC_web# config
host1/VC_web(config)# interface vlan 500
host1/VC_web(config-if)#

Step 2 Assign an IP address of 10.10.50.1 and a subnet mask of 255.255.255.0 to the VLAN interface for server-side connectivity.

host1/VC_web(config-if)# ip address 10.10.50.1 255.255.255.0

Step 3 (Optional) Provide a description for the interface.

host1/VC_web(config-if)# description Server connectivity on VLAN 500

Step 4 Enable the VLAN interface.

host1/VC_web(config-if)# no shutdown

Step 5 Configure a NAT pool.

host1/VC_web(config-if)# nat-pool 1 10.10.50.101 10.10.50.104 netmask 255.255.255.0

Step 6 Show that VLAN 500 is active.

host1/VC_web(config-if)# do show interface vlan 500

Step 7 Display the ARP table.

host1/VC_web(config-if)# do show arp

Step 8 Exit configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit
host1/VC_web#

Configuration Examples for Configuring a Virtual Context

The following examples show how to configure a virtual context. The two examples are for the Admin context and the VC_web virtual context, respectively. The commands that you have configured in this chapter are shown in bold text.

Admin Context Configuration Example

The following example shows the running configuration of the Admin context with the commands that you have configured in this chapter in bold text.

host1/Admin# show running-config
Generating configuration....

login timeout 0

resource-class RC_WEB
  limit-resource all minimum 10.00 maximum equal-to-min

class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

interface vlan 1000
  description Management connectivity on VLAN 1000
  ip address 172.25.91.110 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.25.91.1

context VC_web
  allocate-interface vlan 60
  allocate-interface vlan 400
  allocate-interface vlan 500
  allocate-interface vlan 1000
  member RC_WEB

username admin password 5 $1$JwBOOUEt$jihXQiAjF9igwDay1qAvK.  role Admin domain default-domain
username www password 5 $1$xmYMkFnt$n1YUgNOo76hAhg.JqtymF/  role Admin domain default-domain

VC_web Configuration Example

The following example shows the running configuration of the VC_web user context with the commands that you have configured in this chapter in bold text.

host1/Admin# changeto VC_web
host1/VC_web# show running-config
Generating configuration....

class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

service-policy input REMOTE_MGMT_ALLOW_POLICY

interface vlan 400
  description Client connectivity on VLAN 400
  ip address 10.10.40.1 255.255.255.0
  no shutdown
interface vlan 500
  description Server connectivity on VLAN 500
  ip address 10.10.50.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.25.91.1
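The resource-class discussion above warns against oversubscribing the ACE, and the remote-management section builds a class map that admits Telnet alongside SSH. The following Python script, added here and not part of the Cisco guide, parses a running configuration laid out like the Admin context example and reports both conditions. The sample configuration is constructed for this example (the RC_BIG class and the VC_app and VC_db contexts are invented), and the oversubscription check assumes that each member context is individually guaranteed its class minimum.

```python
import re

# Constructed sample modelled on this chapter's Admin context example; RC_BIG, VC_app and VC_db are invented to show oversubscription.
ADMIN_CONFIG = """\
resource-class RC_WEB
  limit-resource all minimum 10.00 maximum equal-to-min
resource-class RC_BIG
  limit-resource all minimum 50.00 maximum unlimited
class-map type management match-any REMOTE_ACCESS
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
context VC_web
  allocate-interface vlan 400
  member RC_WEB
context VC_app
  member RC_BIG
context VC_db
  member RC_BIG
"""

# Management protocols that carry the login credentials unencrypted.
CLEARTEXT_PROTOCOLS = {"telnet", "http", "snmp"}

def parse_blocks(config):
    """Split the config into (header, [child lines]) pairs: ACE indents a
    block's children, so an unindented line starts a new block."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def guaranteed_minimums(config):
    """Map each context to the minimum percentage of ACE resources its
    resource class guarantees it (the default class guarantees 0.0)."""
    class_min, contexts = {}, {}
    for header, body in parse_blocks(config):
        words = header.split()
        if words[0] == "resource-class":
            class_min[words[1]] = 0.0
            for child in body:
                m = re.match(r"limit-resource all minimum (\d+(?:\.\d+)?)", child)
                if m:
                    class_min[words[1]] = float(m.group(1))
        elif words[0] == "context":
            member = next((c.split()[1] for c in body if c.startswith("member ")), None)
            contexts[words[1]] = class_min.get(member, 0.0)
    return contexts

def is_oversubscribed(config):
    """True when the minimums promised to all contexts exceed 100 percent.
    Assumes each member context is guaranteed its class minimum individually."""
    return sum(guaranteed_minimums(config).values()) > 100.0

def cleartext_mgmt_protocols(config):
    """List cleartext protocols admitted by any management class map."""
    found = set()
    for header, body in parse_blocks(config):
        if header.startswith("class-map type management"):
            for child in body:
                m = re.search(r"match protocol (\S+)", child)
                if m and m.group(1) in CLEARTEXT_PROTOCOLS:
                    found.add(m.group(1))
    return sorted(found)
```

Run against the sample, the script reports that the three contexts are promised 110 percent between them and that the management class map admits Telnet; feed it the output of show running-config from the Admin context to check a real configuration.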

Where to Go Next

In this chapter, you have partitioned your ACE into an Admin context and a user context (VC_web). Each of the virtual contexts is now associated with a resource class that is appropriate to its intended use. You have also configured a management VLAN interface, as well as the client and server VLAN interfaces in the user context.

In the next chapter, you will configure an access control list (ACL) to secure your network and to permit traffic to enter the ACE.