User Guide for the Cisco Application Networking Manager 5.2.2
Configuring Virtual Servers

Configuring Virtual Servers

Table Of Contents

Configuring Virtual Servers

Information About Load Balancing

Configuring Virtual Servers

Virtual Server Configuration and ANM

Information About Using ANM to Configure Virtual Servers

Virtual Server Usage Guidelines

Virtual Server Testing and Troubleshooting

Virtual Server Configuration Procedure

Shared Objects and Virtual Servers

Virtual Server Protocols by Device Type

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Application Acceleration and Optimization

Configuring Virtual Server NAT

Displaying Virtual Servers by Context

Displaying Virtual Server Statistics and Status Information

Managing Virtual Servers

Managing Virtual Server Groups

Creating a Virtual Server Group

Editing or Copying a Virtual Server Group

Displaying a Virtual Server Group

Deleting a Virtual Server Group

Activating Virtual Servers

Suspending Virtual Servers

Managing GSS VIP Answers

Activating and Suspending DNS Rules Governing GSS Load Balancing

Managing GSS VIP Answer and DNS Rule Groups

Creating a VIP Answer or DNS Rule Group

Editing or Copying a VIP Answer or DNS Rule Group

Displaying a VIP Answer or DNS Rule Group

Deleting a VIP Answer or DNS Rule Group

Displaying Detailed Virtual Server Information

Displaying Virtual Servers

Using the Virtual Server Connection Statistics Graph

Using the Virtual Server Topology Map

Understanding CLI Commands Sent from Virtual Server Table

Deploying Virtual Servers

Deploying a Virtual Server

Displaying All Staged Virtual Servers

Modifying Deployed Virtual Servers

Modifying Staged Virtual Servers


Configuring Virtual Servers


This chapter describes how to configure virtual servers for load balancing on the Cisco Application Control Engine (ACE) using Cisco Application Networking Manager (ANM).


Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), and dot (.). Spaces are not allowed.

If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM.


This chapter includes the following sections:

Information About Load Balancing

Configuring Virtual Servers

Managing Virtual Servers

Deploying Virtual Servers

Information About Load Balancing

Server load balancing (SLB) is the process of deciding to which server a load balancer should send a client request for service. For example, a client request can consist of an HTTP GET for a web page or an FTP GET to download a file. The load balancer selects the server that can successfully fulfill the client request and in the shortest amount of time without overloading either the server or the server farm as a whole.

Depending on the load-balancing algorithm or predictor that you configure, the ACE performs a series of checks and calculations to determine the server that can best service each client request. The ACE bases server selection on several factors, including the server with the fewest connections with respect to load, source or destination address, cookies, URLs, or HTTP headers.

ANM allows you to configure load balancing using:

Virtual servers—See the "Configuring Virtual Servers" section.

Real servers—See the "Configuring Real Servers" section.

Server farms—See the "Configuring Server Farms" section.

Predictor methods—See the "Configuring the Predictor Method for Server Farms" section.

Health probes—See the "Configuring Health Monitoring for Real Servers" section.

Sticky groups—See the "Configuring Sticky Groups" section.

Parameter maps—See the "Configuring Parameter Maps" section.

Configuring Virtual Servers

In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. A virtual server is bound to physical services running on real servers in a server farm and uses IP address and port information to distribute incoming client requests to the servers in the server farm according to a specified load-balancing algorithm.

You use class maps to configure a virtual server address and definition. The load-balancing predictor algorithms (for example, round-robin, least connections, and so on) determine the servers to which the ACE sends connection requests.

This section includes the following topics:

Virtual Server Configuration and ANM

Information About Using ANM to Configure Virtual Servers

Virtual Server Usage Guidelines

Virtual Server Testing and Troubleshooting

Virtual Server Configuration Procedure

Virtual Server Configuration and ANM

This section identifies the constraints and framework used by ANM for virtual server configuration.

In ANM, a virtual server has the following attributes:

A single Layer 3/Layer 4 match condition

You can specify only a single IP address (or single IP address range if an IPv4 netmask or IPv6 prefix length is used), with only a single port (or port range). A single match condition greatly simplifies and aids virtual server configuration.


Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.


A default Layer 7 action

A Layer 7 policy map

A Layer 3/Layer 4 class map

A single multimatch policy map, a class-map match, and an action

Virtual server attributes also include the following:

The virtual server multimatch policy map is associated with an interface or is global.

The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.

Example 7-1 shows the minimum configuration statements required for a virtual server.

Example 7-1 Minimum Configuration Required for a Virtual Server

IPv4 Configuration

class-map match-all Example_VIP
   2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
   class class-default
      forward
policy-map multi-match int10
   class Example_VIP
      loadbalance policy Example_VIP-l7slb

interface vlan 10
   ip address 192.168.65.37 255.255.255.0
   service-policy input int10
   no shutdown

IPv6 Configuration (Requires ACE module and ACE appliance software Version A5(1.0) or later)

class-map match-all Example2_VIP
   2 match virtual-address 2001:DB8:10::5 tcp eq www
policy-map type loadbalance first-match Example2_VIP-l7slb
   class class-default
      forward
policy-map multi-match int11
   class Example2_VIP
      loadbalance policy Example2_VIP-l7slb

interface vlan 10
   ip address 2001:DB8:10::21/64
   service-policy input int11
   no shutdown

Note the following items regarding the ANM and virtual servers:

Additional configuration options

The Virtual Server configuration window allows you to configure additional items for a functional VIP. These items include server farms, sticky groups, real servers, probes, parameter maps, inspection, class maps, and inline match conditions. Because too many items on a window can be overwhelming, not all configuration options appear on the Virtual Server configuration window, such as sticky statics or backup real servers. These options are available elsewhere in the ANM interface instead of on the Virtual Server configuration window.

Configuration options and roles

To support and maintain the separation of roles, some objects cannot be configured using the Virtual Server configuration window. These objects include SSL certificates, SSL keys, NAT pools, interface IP addresses, and ACLs. Providing these options as separate configuration options in the ANM interface ensures that a user who can view or modify virtual servers or aspects of virtual servers cannot create or delete virtual servers.

Changes to virtual servers using the CLI or Expert options can prevent further modifications in the Virtual Server configuration window

If you create a virtual server using the Virtual Server configuration window, modify it using the CLI or Expert options (Config > Devices > Expert), and then attempt to modify it again using the Virtual Server configuration window, error messages will be displayed and you will not be able to modify the virtual server.

Changing the IP address type of a virtual server is not allowed

When creating a virtual server, you choose whether to use the IPv4 or IPv6 address type. You cannot change the IP address type of an existing virtual server. If you need to change the IP address type, you must create a new virtual server.


Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
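As an added illustration (not part of this guide or of ANM itself), the following Python script checks a configuration of the shape shown in Example 7-1 against the constraints this section and the chapter note describe: a single match condition per class map, object names of 1 to 64 allowed characters, a parseable VIP and port, and a multi-match policy that references existing objects and is applied to an interface or globally. The SAMPLE_CONFIG text and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the IPv4 statements from Example 7-1.
SAMPLE_CONFIG = """\
class-map match-all Example_VIP
   2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
   class class-default
      forward
policy-map multi-match int10
   class Example_VIP
      loadbalance policy Example_VIP-l7slb
interface vlan 10
   ip address 192.168.65.37 255.255.255.0
   service-policy input int10
   no shutdown
"""

# Naming rule from the chapter note: 1-64 alphanumerics plus _ - . and no spaces.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
# One match line: VIP, optional IPv4 mask, transport protocol, optional port.
MATCH_RE = re.compile(
    r"match virtual-address (?P<addr>\S+)(?: (?P<mask>\d[\d.]*))? "
    r"(?P<proto>tcp|udp|any)(?: eq (?P<port>\S+))?"
)


def valid_object_name(name):
    return bool(NAME_RE.match(name))


def parse_blocks(config):
    """Group config lines into top-level blocks keyed by the unindented header."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            header = raw.strip()
            blocks[header] = []
        elif header is not None:
            blocks[header].append(raw.strip())
    return blocks


def check_virtual_server(config):
    """Return a list of violations of the ANM virtual-server constraints."""
    problems = []
    blocks = parse_blocks(config)
    class_maps, lb_policies, mm_policies, applied = {}, set(), {}, set()
    for header, body in blocks.items():
        w = header.split()
        if w[:2] == ["class-map", "match-all"]:
            class_maps[w[2]] = [l for l in body if "match virtual-address" in l]
        elif w[:4] == ["policy-map", "type", "loadbalance", "first-match"]:
            lb_policies.add(w[4])
        elif w[:2] == ["policy-map", "multi-match"]:
            mm_policies[w[2]] = body
        elif w[:2] == ["service-policy", "input"]:      # applied globally
            applied.add(w[2])
        elif w[:1] == ["interface"]:                     # applied per interface
            applied.update(l.split()[2] for l in body
                           if l.startswith("service-policy input"))

    for name, matches in class_maps.items():
        if not valid_object_name(name):
            problems.append(f"class-map {name!r}: name breaks the naming rule")
        if len(matches) != 1:   # ANM: a single Layer 3/Layer 4 match condition
            problems.append(f"class-map {name!r}: expected exactly one "
                            f"match virtual-address line, found {len(matches)}")
        for line in matches:
            m = MATCH_RE.search(line)
            if not m:
                problems.append(f"class-map {name!r}: cannot parse {line!r}")
                continue
            try:
                ipaddress.ip_interface(m.group("addr"))   # IPv4 or IPv6 VIP
            except ValueError:
                problems.append(f"class-map {name!r}: bad VIP {m.group('addr')!r}")
            port = m.group("port")
            if port and port.isdigit() and not 0 <= int(port) <= 65535:
                problems.append(f"class-map {name!r}: port {port} out of range")

    for pname, body in mm_policies.items():
        if not valid_object_name(pname):
            problems.append(f"policy-map {pname!r}: name breaks the naming rule")
        for line in body:
            w = line.split()
            if w[0] == "class" and w[1] != "class-default" and w[1] not in class_maps:
                problems.append(f"policy-map {pname!r}: unknown class {w[1]!r}")
            elif w[:2] == ["loadbalance", "policy"] and w[2] not in lb_policies:
                problems.append(f"policy-map {pname!r}: unknown L7 policy {w[2]!r}")
        if pname not in applied:   # must be on an interface or global
            problems.append(f"policy-map {pname!r}: not applied with service-policy input")
    return problems


if __name__ == "__main__":
    for p in check_virtual_server(SAMPLE_CONFIG) or ["no problems found"]:
        print(p)
```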


Related Topics

Configuring Virtual Servers

Information About Using ANM to Configure Virtual Servers

Virtual Server Usage Guidelines

Virtual Server Testing and Troubleshooting

Virtual Server Configuration Procedure

Information About Using ANM to Configure Virtual Servers

Follow these guidelines when using ANM to configure virtual servers:

Virtual server configuration windows

The ANM Virtual Server configuration windows are designed to aid you in configuring virtual servers by presenting configuration options that are relevant to your choices. For example, the protocols that you select in the Properties configuration subset determine the other configuration subsets that appear.

Use the virtual server configuration method that suits you

The ANM Virtual Server configuration windows simplify the process of creating, modifying, and deploying virtual servers by displaying those options that you are most likely to use. In addition, as you specify attributes for a virtual server, such as protocols, the interface refreshes with related configuration options, such as Protocol Inspection or Application Acceleration and Optimization, which speeds virtual server configuration and deployment.

While Virtual Server configuration windows remove some configuration complexities, they have a few constraints that the Expert configuration options do not. If you are comfortable using the CLI, you can use the Expert options (such as Config > Devices > context > Expert > Class Maps or Policy, or Config > Devices > context > Load Balancing > Parameter Maps) to configure more complex attributes of virtual servers, traffic policies, and parameter maps.

Synchronizing virtual server configurations

If you configure a virtual server using the CLI and then use the Sync option (Config > Devices > ACE > Sync) to synchronize configurations, the configuration that appears in ANM for the virtual server might not display all configuration options for that virtual server. The configuration that appears in ANM depends on a number of items, such as the protocols configured in class maps or the rules defined for policy maps.

For example, if you configure a virtual server on the CLI that includes a class map that can match any protocol, you will not see the virtual server Application Acceleration and Optimization configuration subset in ANM.

Modifying shared objects

Modifying an object that is used by multiple virtual servers, such as a server farm, real server, or parameter map, could impact the other virtual servers. See the "Shared Objects and Virtual Servers" section for more information about modifying objects used by multiple virtual servers.

Related Topics

Configuring Virtual Servers

Virtual Server Configuration and ANM

Virtual Server Usage Guidelines

Virtual Server Testing and Troubleshooting

Virtual Server Configuration Procedure

Virtual Server Usage Guidelines

The Virtual Server configuration window provides you with numerous configuration options. However, instead of setting every option in one pass, configure your virtual server in stages. The first stage should always be to establish basic "pass through" connectivity with simple load balancing and include minimal additional features. This level of setup should verify that ports, VLANs, interfaces, SSL termination (if applicable), and real servers have been set up properly, enabling basic connectivity.

After you establish this level of connectivity, additional virtual server features will be easier to configure and troubleshoot.

Common features to add to a working basic virtual server include:

Health monitoring probes

Session persistence (sticky)

Additional real servers to a server farm

Application protocol inspection

Application acceleration and optimization (ACE appliance only)

Table 7-1 identifies and describes virtual server configuration subsets with links to related topics for configuration information.

Related Topics

Configuring Virtual Servers

Virtual Server Configuration and ANM

Virtual Server Testing and Troubleshooting

Virtual Server Configuration Procedure

Virtual Server Testing and Troubleshooting

As outlined in the "Virtual Server Usage Guidelines" section, first set up a basic virtual server that only enables connectivity and simple load balancing, such as round-robin between two real servers. Next, use a client, such as a web browser, to send a request from the client network to the virtual server's VIP address. If the request is successful, you can now make changes or add virtual server features.

If the request is not successful, begin virtual server troubleshooting as outlined in the following sequence:

1. Wait and retry your request after a minute or two, especially if the existing ACE configuration is large. It can take seconds or even minutes for configuration changes to affect how traffic is handled by ACE.

2. Click the Details button in the lower right of the Virtual Server page. The Details button displays the output of the show service-policy CLI command.

3. Verify that the VIP State in the show service-policy CLI command output is INSERVICE. If the VIP state is not INSERVICE, this may indicate the following:

The virtual server has been manually disabled in the configuration.

The real servers are all unreachable from ACE or manually disabled. If all of a virtual server's real servers are out of service due to one of those reasons, the virtual server itself will be marked Out Of Service.

4. Verify the Hit Count in the show service-policy CLI command output. Hit Count shows the number of requests received by ACE. This value should increase for each request attempted by your client. If the hit count does not increase with each request, this indicates that the request is not reaching your virtual server configuration.

This could be a problem with:

A physical connection.

VLAN or VLAN interface configuration.

Missing or incorrect ACL applied to the client interface.

Incorrect IP address (that is, a VIP that is not valid on the selected VLANs for the virtual server, or a VIP that is not accessible to your client).

If the Hit Count value increases but no response is received (Server Pkt Count does not increase), the problem is more likely to be in the connectivity between the ACE and the backend real servers. This issue is typically caused by one or more of the following problems:

You are working on a one-armed configuration (that is, do not plan to change routing for your real servers) and have not selected an appropriate NAT pool for your virtual server to use with source NAT.

A different routing problem (for example, server traffic does not know how to get back to the ACE).

Addressing problem (for example, you have an incorrect real server address, or the real server is not accessible to ACE due to network topology).


Note Hit count can increase by more than one, even if you make only a single request from your web browser, because retrieving a typical web page makes many requests from the client to the server.
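As an added illustration (not part of this guide), the following Python script encodes the troubleshooting sequence above as a decision over two snapshots of show service-policy output taken before and after a test request: VIP State first, then whether Hit Count increased, then whether Server Pkt Count increased. The sample output, its field layout and the function names are constructed for this example and are an assumption about the output of your ACE software version.

```python
import re

# Constructed sample: show service-policy output for the Example_VIP virtual
# server captured before the test request. Labels follow the counters this
# section names (VIP State, Hit Count, Server Pkt Count); the exact layout is
# an assumption, so adjust FIELDS to match your ACE software version.
SNAPSHOT_BEFORE = """\
Status     : ACTIVE
-----------------------------------------
Interface: vlan 10
  service-policy: int10
    class: Example_VIP
      loadbalance:
        L7 loadbalance policy: Example_VIP-l7slb
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 12
        dropped conns    : 0
        client pkt count : 48        , client byte count: 5120
        server pkt count : 36        , server byte count: 41000
"""

# Constructed snapshot after one browser request: hits rose by more than one
# (a page load is several requests), but no packets came back from the servers.
SNAPSHOT_AFTER = (SNAPSHOT_BEFORE
                  .replace("hit count        : 12", "hit count        : 17")
                  .replace("client pkt count : 48", "client pkt count : 53"))

FIELDS = {
    "vip_state": re.compile(r"VIP State:\s*(\S+)", re.I),
    "hit_count": re.compile(r"hit count\s*:\s*(\d+)", re.I),
    "client_pkts": re.compile(r"client pkt count\s*:\s*(\d+)", re.I),
    "server_pkts": re.compile(r"server pkt count\s*:\s*(\d+)", re.I),
}


def parse_service_policy(text):
    """Return {class_name: {field: value}} for every class in the output."""
    result = {}
    for chunk in re.split(r"^\s*class:\s*", text, flags=re.M)[1:]:
        name, _, body = chunk.partition("\n")
        counters = {}
        for field, rx in FIELDS.items():
            m = rx.search(body)
            if m:
                counters[field] = m.group(1) if field == "vip_state" else int(m.group(1))
        result[name.strip()] = counters
    return result


def diagnose(before_text, after_text, class_name):
    """Apply the troubleshooting sequence to snapshots taken before and after
    a test request. Returns (code, explanation)."""
    before = parse_service_policy(before_text).get(class_name)
    after = parse_service_policy(after_text).get(class_name)
    if not before or not after:
        return "no-class", f"{class_name} not found in the show service-policy output"
    state = after.get("vip_state")
    if state != "INSERVICE":
        return "vip-down", (f"VIP State is {state}, not INSERVICE: the virtual server is "
                            "disabled in the configuration, or all of its real servers "
                            "are unreachable from the ACE or manually disabled")
    # Only 'did it increase' matters; a single page load can add several hits.
    if after["hit_count"] <= before["hit_count"]:
        return "no-hits", ("Hit Count did not increase, so the request never reached the "
                           "virtual server: check the physical connection, the VLAN and "
                           "VLAN interface configuration, the ACL on the client interface, "
                           "and that the VIP is valid on the selected VLANs and reachable "
                           "from the client")
    if after["server_pkts"] <= before["server_pkts"]:
        return "no-server-reply", ("Hit Count increased but Server Pkt Count did not, so "
                                   "the problem is between the ACE and the real servers: "
                                   "check the source NAT pool in a one-armed design, return "
                                   "routing from the real servers to the ACE, and the real "
                                   "server addresses")
    return "ok", "hits and server packets both increased: basic connectivity works"


if __name__ == "__main__":
    print(diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "Example_VIP"))
```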


Related Topics

Configuring Virtual Servers

Virtual Server Configuration and ANM

Virtual Server Usage Guidelines

Virtual Server Configuration Procedure

Virtual Server Configuration Procedure

You can add virtual servers to the ANM for load-balancing purposes.

Assumptions

This topic assumes the following:

Depending on the protocol to be used for the virtual server, parameter maps need to be defined.

For SSL service, SSL certificates, keys, chain groups, and parameter maps must be configured.

Guidelines and Restrictions

ANM does not support CSM DNS virtual servers. If you create this type of virtual server, ANM issues an error message if you attempt to use ANM to activate or suspend it.

Procedure


Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears. For details about the information that displays, see the "Displaying Virtual Servers by Context" section.

Step 2 In the Virtual Servers table, click Poll Now to instruct ANM to poll the devices and display the current values.

Step 3 Click OK when prompted if you want to poll the devices for data now.

Step 4 Click Add to add a new virtual server, or choose an existing virtual server and click Edit to modify it.

The Virtual Server configuration window appears with a number of configuration subsets. The subsets that you see depend on whether you use the Basic View or the Advanced View and entries that you make in the Properties subset. Change views by using the View object selector at the top of the configuration pane.

Table 7-1 identifies and describes virtual server configuration subsets with links to related topics for configuration information.


Note The protocols that are available depend on the ACE device that you are configuring. For a list of the protocols available for each ACE device type, see Table 7-2.


Table 7-1 Virtual Server Configuration Subsets

Properties
   Description: Subset that allows you to specify basic virtual server characteristics, such as the virtual server name, IP address, protocol, port, and VLANs.
   Related topic: Configuring Virtual Server Properties

SSL Termination (1)
   Description: Subset that appears when TCP is the selected protocol and Other or HTTPS is the application protocol. This subset allows you to configure the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients.
   Related topic: Configuring Virtual Server SSL Termination

Protocol Inspection
   Description: Subset that appears in the Advanced View for TCP with FTP, HTTP, HTTPS, Real Time Streaming Protocol (RTSP), or Session Initiation Protocol (SIP), and for UDP with Domain Name System (DNS) or SIP. This subset appears in the Basic View for TCP with FTP. This subset allows you to configure the virtual server so that it can verify protocol behavior and identify unwanted or malicious traffic passing through the ACE on selected application protocols.
   Related topic: Configuring Virtual Server Protocol Inspection

Application Acceleration And Optimization
   Description: Subset that appears only for ACE appliances, in the Advanced View when HTTP or HTTPS is the selected application protocol. This subset allows you to configure application acceleration and optimization options for HTTP or HTTPS traffic.
   Related topic: Configuring Application Acceleration and Optimization

L7 Load-Balancing
   Description: Subset that appears only in the Advanced View for TCP with Generic, HTTP, HTTPS, RTSP, or SIP, and for UDP with Generic, RADIUS, or SIP. This subset allows you to configure Layer 7 load-balancing options, such as server farms/real servers, health monitoring probes, stickiness, and SSL initiation.
   Related topic: Configuring Virtual Server Layer 7 Load Balancing

Default L7 Load-Balancing Action
   Description: Subset that allows you to establish the default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions, including the SSL initiation (1) configuration.
   Related topic: Configuring Virtual Server Default Layer 7 Load Balancing

NAT
   Description: Subset that appears in the Advanced View only. It allows you to set up Network Address Translation (NAT) for the virtual server.
   Related topic: Configuring Virtual Server NAT

(1) The SSL initiation and termination configuration options do not apply to the ACE NPE software version (see the "Information About the ACE No Payload Encryption Software Version" section).


Step 5 Do one of the following:

Click Deploy Now to deploy the configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Click Cancel to exit the procedure without saving your entries and to return to the Virtual Servers table.

Click Deploy Later to save your entries and apply them at a later time.

Step 6 (Optional) To display statistics and status information for an existing virtual server, from the Virtual Servers table, choose a virtual server and click Details.

A popup window appears that displays the detailed virtual server information (see the "Displaying Virtual Server Statistics and Status Information" section for details).


Note This feature requires ACE module software Version A2(1.2), ACE appliance software Version A3(2.1), or later versions of either software. An error is displayed with earlier software versions.



Related Topics

Configuring Virtual Servers

Virtual Server Configuration and ANM

Virtual Server Usage Guidelines

Information About Using ANM to Configure Virtual Servers

Shared Objects and Virtual Servers

Displaying Virtual Servers by Context

Displaying Virtual Server Statistics and Status Information

Managing Virtual Servers

Deploying Virtual Servers

Understanding Roles

Shared Objects and Virtual Servers

A shared object is one that is used by multiple virtual servers.

The following examples are shared objects:

Action lists

Class maps

Parameter maps

Real servers

Server farms

SSL services

Sticky groups

Because these objects are shared, modifying an object's configuration in one virtual server can impact other virtual servers that use the same object.

Configuring Shared Objects

ANM offers the following options for shared objects in virtual server configuration windows (Config > Devices > context > Load Balancing > Virtual Servers):

View—Displays the object's configuration. The window refreshes with read-only fields and the following three buttons.

Cancel—Closes the read-only view and returns to the previous window.

Edit—Enables you to modify the selected object's configuration. The window refreshes with fields that can be modified, except for the Name field which remains read-only.


Note Before changing a shared object's configuration, make sure that you understand the effect of the changes on other virtual servers using the same object. As an alternative, consider using the Duplicate option instead.


Duplicate—Enables you to create a new object with the same configuration as the selected object. The window refreshes with configurable fields. In the Name field, enter a unique name for the new object, and then modify the configuration as desired. This option allows you to create a new object without impacting other virtual servers using the same object.

Deleting Virtual Servers with Shared Objects

If you create a virtual server and include shared objects in its configuration, deleting the virtual server does not delete the associated shared objects. This action ensures that other virtual servers using the same shared objects are not impacted.

Related Topics

Managing Virtual Servers

Virtual Server Protocols by Device Type

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Application Acceleration and Optimization

Configuring Virtual Server NAT

Virtual Server Protocols by Device Type

The protocols that are available for a virtual server depend on the ACE device that you are configuring. Table 7-2 lists the protocols available for each device type.

Table 7-2 Virtual Server Protocols for ACE Modules and Devices

Protocol                        ACE Modules   ACE Appliance
Any                             X             X
TCP
   FTP                          X             X
   Generic                      X             X
   HTTP                         X             X
   HTTPS (1)                    X             X
   Other                        X             X
   RTSP                         X             X
   RDP                          X             X
   SIP                          X             X
   Unterminated HTTPS (1, 2)    X             X
UDP
   DNS                          X             X
   Generic                      X             X
   Other                        X             X
   RADIUS                       X             X
   SIP                          X             X

(1) This option is not available if the ACE is using the NPE software version (see the "Information About the ACE No Payload Encryption Software Version" section).

(2) Requires ACE software Version A5(2.0) or later.


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Managing Virtual Servers

Configuring Virtual Server Properties

You can configure virtual server properties.

Procedure


Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 In the Virtual Servers table, click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted if you want to poll the devices for data now.

Step 3 Click Add to add a new virtual server, or choose an existing virtual server and click Edit to modify it.

The Virtual Server configuration window appears. The Properties configuration subset is open by default.

The fields that you see in the Properties configuration subset depend on whether you are using Advanced View or Basic View:

To configure Advanced View properties, go to Step 4.

To configure Basic View properties, go to Step 5.

Step 4 In the Advanced View, configure the virtual server properties by entering the information in Table 7-3.


Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later.


Table 7-3 Virtual Server Properties - Advanced View 

Field
Description

Virtual Server Name

Name for the virtual server.

IP Address Type

Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Choose the address type of the virtual server: IPv4 or IPv6.

Virtual IP Address

IP address for the virtual server.

Virtual IP Mask

(IPv4 address type only) Subnet mask to apply to the virtual server IP address.

Virtual IP Prefix Length

(IPv6 address type only) Enter the prefix length to apply to the virtual server IP address. The default length for the prefix is 128. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.

Transport Protocol

Protocol that the virtual server supports:

Any—The virtual server is to accept connections using any IP protocol.

TCP—The virtual server is to accept connections that use TCP.

UDP—The virtual server is to accept connections that use UDP.

Application Protocol

Field that appears if TCP or UDP is selected. The application protocols that are available depend on the type of ACE being configured.

Choose the application protocol to be supported by the virtual server. Table 7-2 identifies the available protocols for each ACE device type.

Note This field is read-only if you are editing an existing virtual server. ANM does not allow changes between protocols that require a change to the Layer 7 server load-balancing policy map. You need to delete the virtual server and create a new one with the desired application protocol.

Port

Field that appears for any TCP or UDP protocol.

Enter the port to be used for the specified protocol. Valid entries are from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.

For a complete list of protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/

All VLANs

Check box that enables support of incoming traffic from all VLANs. Uncheck the check box to support incoming traffic from specific VLANs only.

VLAN

Field appears if the All VLANs check box is unchecked.

In the Available Items list, choose the VLANs to use for incoming traffic, and click Add. The items appear in the Selected Items list.

To remove VLANs, choose them in the Selected Items lists, and click Remove. The items appear in the Available Items list.

Note You cannot change the VLAN for a virtual server once it is specified. Instead, delete the virtual server and create a new one with the desired VLAN.

Connection Parameter Maps

Field that appears if TCP is the selected protocol.

Choose an existing connection parameter map or click *New* to create a new one as follows:

If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you click *New*, the Connection Parameter Maps configuration pane appears. Configure the connection parameter map as described in Table 10-2.

Note Click More Settings to access the additional Connection Parameter Maps configuration attributes. By default, ANM hides the default Connection Parameter Maps configuration attributes and the attributes which are not commonly used.

DNS Parameter Maps

Field that appears if DNS is the selected protocol over UDP.

Choose an existing DNS parameter map or click *New* to create a new one as follows:

If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you click *New*, the DNS Parameter Maps configuration pane appears. Configure the DNS parameter map as described in Table 10-11.

Generic Parameter Maps

Field that appears if Generic is the selected application protocol over TCP or UDP.

Choose an existing Generic parameter map or click *New* to create a new one as follows:

If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you click *New*, the Generic Parameter Maps configuration pane appears. Configure the Generic parameter map as described in Table 10-4.

HTTP Parameter Maps

Field appears if HTTP or HTTPS is the selected application protocol.

Choose an existing HTTP parameter map or click *New* to create a new one as follows:

If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you click *New*, the HTTP Parameter Maps configuration pane appears. Configure the HTTP parameter map as described in Table 10-5.

RTSP Parameter Maps

Field that appears if RTSP is the selected application protocol over TCP.

Choose an existing RTSP parameter map or click *New* to create a new one as follows:

If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you click *New*, the RTSP Parameter Maps configuration pane appears. Configure the RTSP parameter map as described in Table 10-8.

KAL-AP-TAG Name

Feature that is supported only for the ACE module software Version A2(2.0), ACE appliance software Version A4(1.0), and later versions for both device types. The KAL-AP-TAG feature allows the Cisco Global Site Selector (GSS) proprietary KAL-AP protocol to extract load and availability information from the ACE when a firewall is positioned between the GSS and the ACE. This feature allows you to configure a tag (name) per VIP for a maximum of 4096 tags on an ACE. This feature does not replace the tag per domain feature. For more information about this feature, see the Release Note for the Cisco Application Control Engine Module (Software Version A2(2.0)) or the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide (Software Version A2(3.0)), the Configuring Health Monitoring chapter.

In the KAL-AP-TAG Name field, enter the name as an unquoted text string with no spaces and a maximum of 76 alphanumeric characters.

The following scenarios are not supported and will result in an error:

You cannot configure a tag name for a VIP that already has a tag configuration as part of a different policy configuration.

You cannot associate the same tag name with more than one VIP.

You cannot associate the same tag name with a domain and a VIP.

You cannot assign two different tags to two different Layer 3 class maps that have the same VIP, but different port numbers. The KAL-AP protocol considers these class maps to have the same VIP and calculates the load for both Layer 3 rules together when the GSS queries the VIP.

KAL-AP-Primary-Out-Of-Service

Feature that is supported only for ACE module software Version A2(3.1), ACE appliance software Version A4(1.0), and later versions of either device type. Check the check box to enable the ACE to notify a Global Site Selector (GSS) that the primary server farm is down when the backup server farm is in use. Uncheck the check box to disable this feature.

By default, when you configure a redirect server farm as a backup server farm on the ACE and the primary server farm fails, the backup server farm redirects client requests to another data center; however, the VIP remains in the INSERVICE state, so the GSS keeps directing clients to it.

When you configure the ACE to communicate with a GSS, it provides information for server availability. When the backup server farm is in use after the primary server farm has gone down, this feature enables the ACE to inform the GSS that the VIP for the primary server farm is out of service by returning a load value of 255. The GSS treats the VIP as down and answers subsequent DNS queries with the IP address of the other data center.

ICMP Reply

Virtual server response to ICMP ECHO requests as follows:

None—The virtual server is not to send ICMP ECHO-REPLY responses to ICMP requests.

Active—The virtual server is to send ICMP ECHO-REPLY responses only if the configured VIP is active.

Always—The virtual server is always to send ICMP ECHO-REPLY responses to ICMP requests.

Primary Inservice—The virtual server is to reply to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is selected and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out.

VIP Advertise

Field that appears for ACE modules only.

This option allows the ACE to advertise the IP address of the virtual server as the host route.

Choose the desired VIP advertise option as follows:

None—The ACE does not advertise the IP address of the virtual server as the host route.

Active—The ACE advertises the IP address of the virtual server as the host route only if there is at least one active real server in the server farm.

Always—The ACE always advertises the IP address of the virtual server as the host route.

Active-Metric—The ACE advertises the IP address of the virtual server as the host route if the following occurs:

There is at least one active real server in the server farm.

A distance metric is specified for the route in the Distance field.

Always-Metric—The ACE advertises the IP address of the virtual server as the host route, using the distance metric in the Distance field.

Distance

Field that appears for ACE modules only.

This field appears if you chose Active-Metric or Always-Metric in the VIP Advertise field.

Enter the administrative distance to be included in the routing table. Valid entries are integers from 1 to 254.

Status

Operating state of the virtual server as follows:

In Service—Enables the virtual server for load-balancing operations.

Out Of Service—Disables the virtual server for load-balancing operations.


Step 5 In the Basic View, configure virtual server properties by entering the information in Table 7-4.


Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later.


Table 7-4 Virtual Server Properties - Basic View 

Field
Description

Virtual Server Name

Name for the virtual server.

IP Address Type

Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Choose the address type of the virtual server: IPv4 or IPv6.

Virtual IP Address

IP address for the virtual server.

Transport Protocol

Protocol that the virtual server supports as follows:

Any—The virtual server accepts connections using any IP protocol.

TCP—The virtual server accepts connections that use TCP.

UDP—The virtual server accepts connections that use UDP.

Application Protocol

Field that appears if TCP or UDP is selected. The application protocols that are available depend on the type of ACE being configured.

Choose the application protocol to be supported by the virtual server. Table 7-2 identifies the available protocols for each ACE device type.

Note This field is read-only if you are editing an existing virtual server. ANM does not allow changes between protocols that require a change to the Layer 7 server load-balancing policy map. You need to delete the virtual server and create a new one with the desired application protocol.

Port

Field that appears for any specific TCP or UDP protocol.

Enter the port to be used for the specified protocol. Valid entries are from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.

For a complete list of all protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/

All VLANs

Check box that enables support of incoming traffic from all VLANs. Uncheck the check box to support incoming traffic from specific VLANs only.

VLAN

Field that appears if the All VLANs check box is unchecked.

In the Available Items list, choose the VLANs to use for incoming traffic, and click Add. The items appear in the Selected Items list.

To remove VLANs, choose them in the Selected Items lists, and click Remove. The items appear in the Available Items list.

Note You cannot change the VLAN for a virtual server once it is specified. Instead, delete the virtual server and create a new one with the desired VLAN.


Step 6 Do one of the following:

Click Deploy Now to deploy the configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Click Cancel to exit the procedure without saving your entries.

Click Deploy Later to save your entries and apply them at a later time.
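
When you click Deploy Now, ANM translates the fields in Tables 7-3 and 7-4 into ACE class-map and policy-map commands. The following configuration is an added illustration of that mapping for one HTTPS virtual server; it is not ANM output and not taken from this guide. The object names (VS-WEB, SF-WEB-PRIMARY, SF-WEB-REDIRECT, DC1-WEB), the VIP 10.1.1.100, the server addresses, and VLAN 100 are constructed. The lines beginning with `!` are annotations, not ACE commands. The keyword spellings for the Primary Inservice ICMP option and the two KAL-AP options are given from memory of the ACE configuration guides for the releases named above and should be confirmed with `?` on your software version.

```cisco
! Added example (not ANM output): ACE CLI for one virtual server built from
! Tables 7-3 and 7-4. Names, addresses and the VLAN number are constructed.

! Real servers and the primary server farm
rserver host WEB1
  ip address 10.1.2.11
  inservice
rserver host WEB2
  ip address 10.1.2.12
  inservice
serverfarm host SF-WEB-PRIMARY
  rserver WEB1 443
    inservice
  rserver WEB2 443
    inservice

! Redirect server farm used as the backup (the case described under
! KAL-AP-Primary-Out-Of-Service): clients are sent to the other data center
rserver redirect REDIR-DC2
  webhost-redirection https://dc2.example.com/%p 302
  inservice
serverfarm redirect SF-WEB-REDIRECT
  rserver REDIR-DC2
    inservice

! Virtual IP Address, Transport Protocol and Port (Table 7-4)
class-map match-all VS-WEB
  2 match virtual-address 10.1.1.100 tcp eq 443

! Default Layer 7 policy: primary farm with the redirect farm as backup
policy-map type loadbalance first-match L7-WEB
  class class-default
    serverfarm SF-WEB-PRIMARY backup SF-WEB-REDIRECT

! Per-VIP options from Table 7-3
policy-map multi-match VS-POLICY
  class VS-WEB
    ! Status: In Service
    loadbalance vip inservice
    loadbalance policy L7-WEB
    ! ICMP Reply: Primary Inservice (pings time out while only the backup farm is up)
    loadbalance vip icmp-reply active primary-inservice
    ! VIP Advertise: Active-Metric with Distance 77 (ACE module only)
    loadbalance vip advertise active metric 77
    ! KAL-AP-TAG Name: one tag per VIP, must not collide with a domain tag
    kal-ap-tag DC1-WEB
    ! KAL-AP-Primary-Out-Of-Service: report load 255 to the GSS while on backup
    kal-ap-primary-oos

! VLAN: All VLANs unchecked, policy applied only on the client-facing VLAN
interface vlan 100
  ip address 10.1.1.1 255.255.255.0
  service-policy input VS-POLICY
  no shutdown
```

Two choices in this example are deliberate. Applying the service policy to a single client-facing VLAN rather than checking All VLANs keeps the VIP unreachable from the server-side VLANs, which is the least exposure the virtual server needs. Choosing Active rather than Always for VIP Advertise, and Primary Inservice rather than Always for ICMP Reply, means the host route and ping response disappear when no real server can take traffic, so upstream routers and monitoring see the outage instead of black-holing clients. After deployment, `show service-policy VS-POLICY detail` on the ACE shows the VIP state and hit counters that result from these settings.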


Related Topics

Configuring Virtual Servers

Configuring Virtual Server SSL Termination

Configuring Virtual Server SSL Termination


Note The information in this section does not apply to the ACE NPE software version (see the "Information About the ACE No Payload Encryption Software Version" section).


You can configure virtual server SSL termination service, which allows the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients.

Assumption

Make sure that a virtual server has been configured for HTTPS over TCP or Other over TCP in the Properties configuration subset. For more information, see the "Configuring Virtual Server Properties" section.

Procedure


Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for SSL termination, and click Edit.

The Virtual Server configuration window appears.

Step 3 In the Virtual Server configuration window, click SSL Termination.

The Proxy Service Name field appears.

Step 4 In the Proxy Service Name field, choose an existing SSL termination service, or choose *New* to create a new SSL proxy service, and do one of the following:

If you chose an existing SSL service, the window refreshes and allows you to view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you chose *New*, the Proxy Service configuration subset appears.

Step 5 Configure the SSL service using the information in Table 7-5.

For more information about SSL, see the "Configuring SSL" section.

Table 7-5 Virtual Server SSL Attributes 

Field
Description

Name

Name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 26 characters.

Keys

SSL key pair (the private key that matches the selected certificate) that the ACE uses during the SSL handshake to prove ownership of the certificate and to establish the session keys.

Certificates

SSL certificate to use during the SSL handshake.

Chain Groups

Chain group to use during the SSL handshake.

Auth Groups

SSL authentication group to associate with this proxy server service.

CRL Best-Effort

Option that appears if you chose an authentication group in the Auth Groups field.

Check the check box to have the ACE examine each client certificate presented to this service for a CRL distribution point extension and, if one exists, retrieve the CRL from that location and use it to check whether the certificate has been revoked.

Uncheck the check box to disable this feature.

CRL Name

Option that appears if the CRL Best-Effort check box is clear.

Choose the Certificate Revocation List that the ACE is to use for this proxy service. The CRL must already be defined on the ACE (see the "Configuring SSL" section); without a CRL, a client certificate that the issuing CA has revoked is still accepted.

Parameter Maps

SSL parameter map to associate with this proxy server service.


Step 6 Do one of the following:

Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Click Cancel to exit this procedure without saving your entries.

Click Deploy Later to save your entries and apply them at a later time.
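
The following configuration is an added illustration of the objects behind Table 7-5 and of how the proxy service is attached to a virtual server; it is not ANM output and not taken from this guide. The service and group names, the key, certificate and CA file names, the CRL URL and the virtual server class VS-WEB are constructed, and the key and certificate files are assumed to have been imported to the ACE beforehand. Lines beginning with `!` are annotations, not ACE commands.

```cisco
! Added example (not ANM output): SSL termination objects from Table 7-5.
! Names, file names and the CRL URL are constructed; key and certificate
! files are assumed to have been imported already.

! Named CRL, referenced when CRL Best-Effort is unchecked and CRL Name is chosen
crypto crl CRL-CORP-CA http://crl.example.com/corp-ca.crl

! Auth Groups field: CA certificates that client certificates must chain to
crypto authgroup AUTH-CORP-CA
  cert corp-ca-root.pem
  cert corp-ca-issuing.pem

! Chain Groups field: intermediate certificate sent to clients with the server cert
crypto chaingroup CHAIN-WEB
  cert web-intermediate-ca.pem

! Parameter Maps field: restrict protocol version and cipher suites
parameter-map type ssl PMAP-SSL-STRICT
  version TLS1
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA

! The proxy service itself (Name, Keys, Certificates, Chain Groups, Auth Groups,
! CRL Name, Parameter Maps). "crl best-effort" would replace "crl CRL-CORP-CA"
! when the CRL Best-Effort check box is checked.
ssl-proxy service SSL-WEB
  key web-example-com.key
  cert web-example-com.pem
  chaingroup CHAIN-WEB
  authgroup AUTH-CORP-CA
  crl CRL-CORP-CA
  ssl advanced-options PMAP-SSL-STRICT

! Attach the service to the HTTPS virtual server class in the multi-match policy
policy-map multi-match VS-POLICY
  class VS-WEB
    ssl-proxy server SSL-WEB
```

The authgroup is what makes the ACE request and verify a client certificate at all; with no Auth Groups selection the service terminates SSL but authenticates nobody, and the CRL fields do not appear. Pick the newest protocol version and the strongest cipher suites your ACE software supports in the parameter map, because the defaults accept older ones. `show crypto crl CRL-CORP-CA` and `show crypto authgroup AUTH-CORP-CA` on the ACE confirm that the CRL was fetched and the CA chain loaded before you put the service in front of clients.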


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server Protocol Inspection

You can configure protocol inspection on a virtual server, which allows the virtual server to verify protocol behavior and identify unwanted or malicious traffic passing through the ACE.

In the Advanced View, protocol inspection configuration is available for the following virtual server protocol configurations:

TCP with FTP, HTTP, HTTPS, RTSP, or SIP

UDP with DNS or SIP

In the Basic View, protocol inspection configuration is available for TCP with FTP.

See Table 7-2 for a list of protocols by ACE device type.

Assumption

Make sure that a virtual server has been configured to use one of the protocols that supports protocol inspection in the Properties configuration subset. See the "Configuring Virtual Server Properties" section for information on configuring these protocols.

Procedure


Step 1 Choose the item to configure:

To configure a virtual server, choose Config > Devices > context > Load Balancing > Virtual Servers.

To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for protocol inspection, and click Edit.

The Virtual Server configuration window appears.

Step 3 Click Protocol Inspection.

The Enable Inspect check box appears.

Step 4 Check the Enable Inspect check box to enable inspection on the specified traffic or uncheck it to disable inspection on this traffic.

Enabling inspection by itself does not block anything. For HTTP and HTTPS, the ACE allows all request methods by default; traffic is reset or dropped only where a match condition with that action is configured in the following steps.

Step 5 (Optional) If you checked the Enable Inspect check box, configure additional inspection options using the information in Table 7-6.

Table 7-6 Protocol Inspection Configuration Options 

Protocol
Action

DNS

In the Length field, enter the maximum permitted length of a DNS packet in bytes. If you leave this field empty, the ACE does not check the DNS packet size.

FTP

a. Check the Use Strict check box to specify that the virtual server is to perform enhanced inspection of FTP traffic and enforce compliance with RFC standards. Uncheck the check box to specify that the virtual server is not to perform enhanced FTP inspection.

b. (Optional) If you checked the Use Strict check box, in the Blocked FTP Commands field, identify the commands that are to be denied by the virtual server. See Table 14-8 for more information about the FTP commands.

Choose the commands that are to be blocked by the virtual server in the Available Items list, and click Add. The commands appear in the Selected Items list.

To remove commands that you do not want to be blocked, choose them in the Selected Items list, and click Remove. The commands appear in the Available Items list.

HTTP or HTTPS

a. Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When enabled, this feature logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. Uncheck the check box to disable monitoring of Layer 3 and Layer 4 traffic.

b. In the Policy subset, click Add to add a new match condition and action, or choose an existing match condition and action and click Edit to modify it. The Policy configuration pane appears.

c. In the Matches field, choose an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection.

If you chose an existing class map, the window refreshes and allows you to view, modify, or duplicate the selected class map. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

d. Configure match criteria and related actions using the information in Table 7-7.

e. Do one of the following:

Click OK to save your entries. The Conditions table refreshes with the new entry.

Click Cancel to exit the Policy subset without saving your entries.

f. In the Default Action field, choose the default action that the virtual server is to take when specified match conditions for protocol inspection are not met:

Permit—The specified HTTP traffic is to be received by the virtual server.

Reset—The specified HTTP traffic is to be denied by the virtual server.

RTSP

There are no protocol-specific inspection options for RTSP.

SIP

a. In the Actions subset, click Add to add a new match condition and action, or choose an existing match condition and action, and click Edit to modify it. The Actions configuration pane appears.

b. In the Matches field, choose an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection.

If you chose an existing class map, the window refreshes and allows you to view, modify, or duplicate the selected class map. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

c. Configure match criteria and related actions using the information in Table 7-9.

d. In the Action field, choose the action that the virtual server is to take when the specified match conditions are met:

Drop—The specified SIP traffic is discarded by the virtual server.

Permit—The specified SIP traffic is received by the virtual server.

Reset—The specified SIP traffic is denied by the virtual server.

e. Do one of the following:

Click OK to save your entries. The Conditions table refreshes with the new entry.

Click Cancel to exit the Conditions subset without saving your entries and to return to the Conditions table.

f. In the SIP Parameter Map field, choose an existing parameter map or choose *New* to configure a new one.

If you chose an existing parameter map, the window refreshes and allows you to view, modify, or delete the selected parameter map. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

g. Configure SIP parameter map options using the information in Table 10-9.

h. In the Secondary Connection Parameter Map field, choose an existing parameter map or choose *New* to configure a new one.

If you chose an existing parameter map, the window refreshes and allows you to view, modify, or delete the selected parameter map. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

i. Configure secondary connection parameter map options using the information in Table 10-2.

j. In the Default Action field, choose the default action that the virtual server is to take when specified match conditions for SIP protocol inspection are not met:

Drop—The specified SIP traffic is discarded by the virtual server.

Permit—The specified SIP traffic is received by the virtual server.

Reset—The specified SIP traffic is denied by the virtual server.

k. Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When enabled, this feature logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. Uncheck the check box to disable monitoring of Layer 3 and Layer 4 traffic.


Table 7-7 HTTP and HTTPS Protocol Inspection Match Criteria Configuration  

Selection
Action

Existing class map

a. Click View to review the match condition information for the selected class map.

b. Do one of the following:

Click Cancel to continue without making changes and to return to the previous window.

Click Edit to modify the existing configuration.

Click Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.

See the "Shared Objects and Virtual Servers" section for information about modifying shared objects.

c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—The specified traffic is received by the virtual server if it meets the specified deep inspection match criteria.

Reset—The specified traffic is denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*New*

a. In the Name field, specify a unique name for this class map.

b. In the Match field, choose the method to be used to evaluate multiple match statements when multiple match conditions exist:

Any—A match exists if at least one of the match conditions is satisfied.

All—A match exists only if all match conditions are satisfied.

c. In the Conditions table, click Add to add a new set of conditions, or choose an existing entry, and click Edit to modify it. The Type field appears.

d. In the Type field, choose the type of condition that is to be met for protocol inspection.

e. Provide condition-specific criteria using the information in Table 7-8.

f. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—The specified traffic is received by the virtual server if it meets the specified deep inspection match criteria.

Reset—The specified traffic is denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*Inline Match*

a. In the Conditions Type field, choose the type of inline match condition that is to be met for protocol inspection.

b. Provide condition-specific criteria using the information in Table 7-8.

c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—The specified traffic is received by the virtual server if it meets the specified deep inspection match criteria.

Reset—The specified traffic is denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.


Table 7-8 HTTP and HTTPS Protocol Inspection Conditions and Options 

Condition
Description

Content

Specific content contained within the HTTP entity-body to be used for application inspection decisions.

a. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.

b. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255 bytes.

Content Length

Content parse length is used for application inspection decisions.

a. In the Content Length Operator field, choose the operand to use to compare content length:

Equal To—The content length must equal the number in the Content Length Value field.

Greater Than—The content length must be greater than the number in the Content Length Value field.

Less Than—The content length must be less than the number in the Content Length Value field.

Range—The content length must be within the range specified in the Content Length Lower Value field and the Content Length Higher Value field.

b. Enter values to apply for content length comparison:

If you chose Equal To, Greater Than, or Less Than in the Content Length Operator field, the Content Length Value field appears. In the Content Length Value field, enter the number of bytes for comparison. Valid entries are from 0 to 4294967295.

If you chose Range in the Content Length Operator field, the Content Length Lower Value and the Content Length Higher Value fields appear:

1. In the Content Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 4294967295. The number in this field must be less than the number entered in the Content Length Higher Value field.

2. In the Content Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are from 0 to 4294967295. The number in this field must be greater than the number entered in the Content Length Lower Value field.

Content Type Verification

Verification of the MIME type is used for application inspection decisions. This option checks that the MIME type declared in the message header is in the internal list of supported MIME types and that it matches the content actually found in the data or body portion of the message, so a payload mislabeled to slip past a content filter is caught.

Header

Name and value in an HTTP header are used for application inspection decisions.

a. In the Header field, choose one of the predefined HTTP headers to match, or choose HTTP Header to specify a different HTTP header.

b. If you chose HTTP Header, in the Header Name field, enter the name of the HTTP header to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

c. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. See Table 14-35 for a list of the supported characters that you can use in regular expressions.

Header Length

Length of the header in the HTTP message used for application inspection decisions.

a. In the Header Length Type field, specify whether HTTP header request or response messages are to be used for application inspection decisions:

Request—HTTP header request messages are to be checked for header length.

Response—HTTP header response messages are to be checked for header length.

b. In the Header Length Operator field, choose the operand to be used to compare header length:

Equal To—The header length must equal the number in the Header Length Value field.

Greater Than—The header length must be greater than the number in the Header Length Value field.

Less Than—The header length must be less than the number in the Header Length Value field.

Range—The header length must be within the range specified in the Header Length Lower Value field and the Header Length Higher Value field.

c. Enter values to apply for header length comparison:

If you chose Equal To, Greater Than, or Less Than in the Header Length Operator field, the Header Length Value field appears. In the Header Length Value field, enter the number of bytes for comparison. Valid entries are from 0 to 255.

If you chose Range in the Header Length Operator field, the Header Length Lower Value and the Header Length Higher Value fields appear:

1. In the Header Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 255. The number in this field must be less than the number entered in the Header Length Higher Value field.

2. In the Header Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are from 1 to 255. The number in this field must be greater than the number entered in the Header Length Lower Value field.

Header MIME Type

Multipurpose Internet Mail Extension (MIME) message types are used for application inspection decisions.

In the Header MIME Type field, choose the MIME message type to use for this match condition.

Port Misuse

Misuse of port 80 (or any other port running HTTP) to be used for application inspection decisions.

Choose the application category to use for this match condition as follows:

IM—Instant messaging applications are to be checked.

P2P—Peer-to-peer applications are to be checked.

Tunneling—Tunneling applications are to be checked.

Request Method

A request method is to be used for protocol inspection decisions. By default, the ACE allows all request and extension methods. This option allows you to configure protocol inspection decisions based on the request methods defined in RFC 2616 and on HTTP extension methods.

a. Choose the type of request method to use for this match condition:

Ext—An HTTP extension method is to be used.


Note The list of available HTTP extension methods from which to choose varies depending on the version of software installed in the ACE.


RFC—The request method defined in RFC 2616 is to be used.

b. In the Request Method field, choose the request method that is to be inspected.

Strict HTTP

Compliance with HTTP RFC 2616 to be used for application inspection decisions.

Transfer Encoding

An HTTP transfer-encoding type to be used for application inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient.

In the Transfer Encoding field, choose the type of encoding that is to be checked:

Chunked—The message body is transferred as a series of chunks.

Compress—The encoding format that is produced by the UNIX file compression program compress.

Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951.

Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952.

Identity—The default (identity) encoding which does not require the use of transformation.

URL

URL names to be used for application inspection decisions.

In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.

URL Length

URL length to be used for application inspection decisions.

a. In the URL Length Operator field, choose the operand to use to compare URL length:

Equal To—The URL length must equal the number in the URL Length Value field.

Greater Than—The URL length must be greater than the number in the URL Length Value field.

Less Than—The URL length must be less than the number in the URL Length Value field.

Range—The URL length must be within the range specified in the URL Length Lower Value field and the URL Length Higher Value field.

b. Enter values to apply for URL length comparison:

If you chose Equal To, Greater Than, or Less Than in the URL Length Operator field, the URL Length Value field appears. In the URL Length Value field, enter the value for comparison. Valid entries are from 1 to 65535 bytes.

If you chose Range in the URL Length Operator field, the URL Length Lower Value and the URL Length Higher Value fields appear:

1. In the URL Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 1 to 65535. The number in this field must be less than the number entered in the URL Length Higher Value field.

2. In the URL Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are from 1 to 65535. The number in this field must be greater than the number entered in the URL Length Lower Value field.
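
The following configuration is an added illustration of the inspection objects that Tables 7-6 through 7-8 describe (HTTP, FTP and DNS inspection, plus the SIP actions in Table 7-6) and of how they attach to virtual servers; it is not ANM output and not taken from this guide. All class-map and policy-map names, thresholds, regular expressions, VIP addresses and real-server ports are constructed. Lines beginning with `!` are annotations, not ACE commands, and the exact keyword spellings are given from memory of the ACE security configuration guide and should be confirmed with `?` on your software version.

```cisco
! Added example (not ANM output): protocol inspection for Tables 7-6 to 7-8.
! Names, thresholds, regular expressions and addresses are constructed.

! HTTP/HTTPS: conditions from Table 7-8 combined with Match: Any (match-any),
! so one hit is enough; line numbers set the evaluation order
class-map type http inspect match-any HTTP-BLOCK
  2 match request-method rfc connect
  3 match request-method rfc trace
  4 match port-misuse tunneling
  5 match transfer-encoding chunked
  6 match url length gt 2048
  7 match content length gt 10485760
  8 match url .*\.\./.*

! Action Reset for the class; requests matching no class are permitted
! (Default Action: Permit)
policy-map type inspect http all-match HTTP-INSPECT
  class HTTP-BLOCK
    reset

! FTP: Use Strict plus a Blocked FTP Commands list (Table 7-6)
class-map type ftp inspect match-any FTP-DENY
  2 match request-method put
  3 match request-method dele
  4 match request-method site
policy-map type inspect ftp first-match FTP-INSPECT
  class FTP-DENY
    deny

! SIP: drop messages that transited an unauthorised proxy (Message Path)
! or are addressed to a premium-rate destination (Called Party)
class-map type sip inspect match-any SIP-BLOCK
  2 match message-path .*sip-relay\.example\.net.*
  3 match called-party .*@premium\.example\.com
policy-map type inspect sip all-match SIP-INSPECT
  class SIP-BLOCK
    drop

! Layer 3/4 class for each virtual server
class-map match-all VS-WEB
  2 match virtual-address 10.1.1.100 tcp eq 80
class-map match-all VS-FTP
  2 match virtual-address 10.1.1.101 tcp eq 21
class-map match-all VS-DNS
  2 match virtual-address 10.1.1.102 udp eq 53
class-map match-all VS-SIP
  2 match virtual-address 10.1.1.103 udp eq 5060

! Enable Inspect per virtual server; url-logging is the Logging Enabled box,
! maximum-length is the DNS Length field
policy-map multi-match VS-POLICY
  class VS-WEB
    loadbalance vip inservice
    inspect http policy HTTP-INSPECT url-logging
  class VS-FTP
    loadbalance vip inservice
    inspect ftp strict policy FTP-INSPECT
  class VS-DNS
    loadbalance vip inservice
    inspect dns maximum-length 512
  class VS-SIP
    loadbalance vip inservice
    inspect sip policy SIP-INSPECT
```

A few points are worth checking before deploying a policy like this. The Reset action closes the TCP connection from both sides, which is visible to the client and easy to confirm with a test request (for example an HTTP CONNECT to the VIP), whereas a dropped SIP message simply disappears and must be found in the ACE inspection counters. Chunked transfer encoding and the CONNECT method are legitimate for some applications, so verify against the real server farm before resetting them. Logging Enabled produces a syslog message for every URL request on the class, which is valuable for investigation but can saturate the syslog path on a busy VIP; rate the log destination accordingly.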


Table 7-9 SIP Protocol Inspection Match Criteria Configuration  

Selection
Action

Existing class map

a. Click View to review the match condition information for the selected class map.

b. Do one of the following:

Click Cancel to continue without making changes and to return to the previous window.

Click Edit to modify the existing configuration.

Click Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.

See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Drop—The specified traffic is to be dropped by the virtual server.

Permit—The specified traffic is to be received by the virtual server.

Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*New*

a. In the Name field, specify a unique name for this class map.

b. In the Conditions table, click Add to add a new set of conditions, or choose an existing entry, and click Edit to modify it. The Type field appears.

c. In the Type field, choose the type of condition that is to be met for protocol inspection.

d. Provide condition-specific criteria using the information in Table 7-10.

e. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Drop—The specified traffic is to be dropped by the virtual server.

Permit—The specified traffic is to be received by the virtual server.

Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*Inline Match*

a. In the Conditions Type field, choose the type of inline match condition that is to be met for protocol inspection.

Table 7-10 describes the types of conditions and their related configuration options.

b. Provide condition-specific criteria using the information in Table 7-10.

c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Drop—The specified traffic is to be dropped by the virtual server.

Permit—The specified traffic is to be received by the virtual server.

Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.


Table 7-10 SIP Protocol Inspection Conditions and Options 

Condition
Description

Called Party

Destination or called party specified in the URI of the SIP To header used for SIP protocol inspection decisions.

In the Called Party field, enter a regular expression that identifies the called party in the URI of the SIP To header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

Calling Party

Source or caller specified in the URI of the SIP From header used for SIP protocol inspection decisions.

In the Calling Party field, enter a regular expression that identifies the calling party in the URI of the SIP From header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

IM Subscriber

IM (instant messaging) subscriber used for application inspection decisions.

In the IM Subscriber field, enter a regular expression that identifies the IM subscriber for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

Message Path

SIP inspection that allows you to filter messages coming from or transiting through certain SIP proxy servers. The ACE maintains a list of the unauthorized SIP proxy IP addresses or URLs in the form of regular expressions and checks this list against the VIA header field in each SIP packet.

In the Message Path field, enter a regular expression that identifies the SIP proxy server for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

SIP Content Length

SIP message body content length used for SIP protocol inspection decisions.

To specify SIP traffic based on SIP message body length:

a. In the Content Operator field, confirm that Greater Than is selected.

b. In the Content Length field, enter the maximum size of a SIP message body in bytes that the ACE is to allow without performing SIP protocol inspection. If a SIP message exceeds the specified value, the ACE performs SIP protocol inspection as defined in an associated policy map. Valid entries are from 0 to 65534 bytes.

SIP Content Type

Content type in the SIP message body used for SIP protocol inspection decisions.

In the Content Type field, enter a regular expression that identifies the content type in the SIP message body to use for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

SIP Request Method

SIP request method used for application inspection decisions.

In the Request Method field, choose the request method that is to be inspected.

Third Party

Condition that controls third-party registration, in which SIP allows users to register other users on their behalf by sending REGISTER messages with different values in the From and To header fields. This process can pose a security threat if the REGISTER message is actually a DEREGISTER message: a malicious user could cause a DoS (denial-of-service) attack by deregistering all users on their behalf. To prevent this threat, you can specify a list of privileged users who can register or unregister someone else on their behalf. The ACE maintains the list as a regex table. If you configure this policy, the ACE drops REGISTER messages with mismatched From and To headers and a From header value that does not match any of the privileged user IDs.

In the Third Party Registration Entities field, enter a regular expression that identifies a privileged user who is authorized for third-party registrations. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

URI Length

Condition that indicates that the ACE is to validate the length of SIP URIs or Tel URIs. A SIP URI is a user identifier that a calling party (source) uses to contact the called party (destination). A Tel URI is a telephone number that identifies the endpoint of a SIP connection. For more information about SIP URIs and Tel URIs, see RFC 2534 and RFC 3966, respectively.

To filter SIP traffic based on URIs, do the following:

a. In the URI Type field, choose the type of URI to be used:

SIP URI—The calling party URI is to be used for this match condition.

Tel URI—A telephone number is to be used for this match condition.

b. In the URI Operator field, confirm that Greater Than is selected.

c. In the URI Length field, enter the maximum length of the SIP URI or Tel URI in bytes. Valid entries are from 0 to 254 bytes.
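The following Python model illustrates how the SIP inspection conditions in Table 7-10 combine into a class map and action. It is an added example, not ANM or ACE code: the class map names, the privileged-user and proxy regular expressions, the "first matching class wins" evaluation order and the sample REGISTER message are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed SIP REGISTER request used as sample input (not captured traffic).
SAMPLE_REGISTER = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP proxy1.example.com:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

@dataclass
class SipMessage:
    method: str
    headers: Dict[str, List[str]]   # lower-cased header name -> values in order
    body: str

def parse_sip(raw: str) -> SipMessage:
    """Minimal SIP request parser: request line, headers, optional body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return SipMessage(method.upper(), headers, body)

def uri_of(msg: SipMessage, header: str) -> str:
    """Return the URI inside a From/To header, e.g. '<sip:a@x>;tag=1' -> 'sip:a@x'."""
    value = msg.headers.get(header, [""])[0]
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

Condition = Callable[[SipMessage], bool]

def called_party(regex: str) -> Condition:
    return lambda m: re.search(regex, uri_of(m, "to")) is not None

def calling_party(regex: str) -> Condition:
    return lambda m: re.search(regex, uri_of(m, "from")) is not None

def message_path(regex: str) -> Condition:
    # The unauthorized-proxy regex is checked against every Via header.
    return lambda m: any(re.search(regex, via) for via in m.headers.get("via", []))

def content_length_gt(limit: int) -> Condition:
    return lambda m: len(m.body.encode()) > limit

def request_method(name: str) -> Condition:
    return lambda m: m.method == name.upper()

def third_party_registration(privileged_regex: str) -> Condition:
    # True (a violation) for a REGISTER whose From and To differ while From is not privileged.
    def check(m: SipMessage) -> bool:
        if m.method != "REGISTER":
            return False
        frm, to = uri_of(m, "from"), uri_of(m, "to")
        return frm != to and re.fullmatch(privileged_regex, frm) is None
    return check

def sip_uri_length_gt(limit: int) -> Condition:
    # URI Type "SIP URI": the calling-party (From) URI is measured.
    return lambda m: len(uri_of(m, "from")) > limit

@dataclass
class ClassMap:
    name: str
    match_all: bool                 # match-all versus match-any
    conditions: List[Condition]

    def matches(self, msg: SipMessage) -> bool:
        results = [cond(msg) for cond in self.conditions]
        return all(results) if self.match_all else any(results)

def build_policy() -> List[Tuple[ClassMap, str]]:
    """Hypothetical inspection policy: (class map, action) pairs, evaluated in order."""
    return [
        (ClassMap("THIRD_PARTY_REG", True, [third_party_registration(r"sip:admin@example\.com")]), "drop"),
        (ClassMap("UNAUTH_PROXY", False, [message_path(r"rogue-proxy\.example\.net")]), "reset"),
        (ClassMap("OVERSIZED", False, [content_length_gt(1024), sip_uri_length_gt(254)]), "drop"),
    ]

def inspect(raw: str, default_action: str = "permit") -> str:
    """Return drop, reset or permit for a raw SIP request (first matching class wins)."""
    msg = parse_sip(raw)
    for cmap, action in build_policy():
        if cmap.matches(msg):
            return action
    return default_action
```

Running `inspect(SAMPLE_REGISTER)` returns `drop`, because alice is registering bob without matching the privileged-user regex; the same message with From and To both set to alice is permitted, and one relayed through the unauthorized proxy is reset.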


Step 6 Do one of the following:

Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Click Cancel to exit this procedure without saving your entries.

Click Deploy Later to save your entries and deploy the configuration at a later time.


Related Topics

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Layer 7 Load Balancing

Managing Virtual Servers

Configuring Virtual Server Layer 7 Load Balancing

You can configure Layer 7 load balancing on a virtual server. In the Advanced View, Layer 7 load balancing is available for virtual servers configured with one of the following protocol combinations:

TCP with Generic, FTP, HTTP, HTTPS, RDP, RTSP, or SIP

UDP with Generic, DNS, RADIUS, or SIP

See the "Configuring Virtual Server Properties" section for information about configuring these protocols.

Table 7-2 identifies the protocols that are available for each type of ACE device.

Assumption

Make sure that a virtual server has been configured with one of the following protocol combinations:

TCP with Generic, FTP, HTTP, HTTPS, RDP, RTSP, or SIP

UDP with Generic, DNS, RADIUS, or SIP

For more information, see the "Configuring Virtual Server Properties" section.

Procedure


Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for Layer 7 load balancing, and click Edit.

The Virtual Server configuration window appears.

Step 3 In the Virtual Server configuration window, click L7 Load-Balancing.

The Layer 7 Load-Balancing Rule Match table appears.

Step 4 In the Rule Match table, click Add to add a new match condition and action, or choose an existing match condition and action, and click Edit to modify it.

The Rule Match configuration pane appears.

Step 5 In the Rule Match field of the Rule Match configuration pane, choose an existing class map or *New* or *Inline Match* to configure new match criteria for Layer 7 load balancing, and do one of the following:

If you chose an existing class map, click View to review, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you click *New* or *Inline Match*, the Rule Match configuration pane appears.

Step 6 Configure match criteria using the information in Table 7-11.

Table 7-11 Layer 7 Load-Balancing Match Criteria Configuration  

Selection
Action

Existing class map

a. Click View to review the match condition information for the selected class map.

b. Do one of the following:

Click Cancel to continue without making changes and to return to the previous window.

Click Edit to modify the existing configuration.

Click Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.

See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

*New*

a. In the Name field, enter a unique name for this class map.

b. In the Match field, choose the method to be used to evaluate multiple match statements when multiple match conditions exist:

match-any—A match exists if at least one of the match conditions is satisfied.

match-all—A match exists only if all match conditions are satisfied.

c. In the Conditions table, click Add to add a new set of conditions, or choose an existing entry and click Edit to modify it.

d. In the Type field, choose the match condition and configure any of these protocol-specific options:

For Generic protocol options, see Table 14-9.

For HTTP and HTTPS protocol options, see Table 7-12.

For RADIUS protocol options, see Table 14-10.

For RTSP protocol options, see Table 14-11.

For SIP protocol options, see Table 14-12.

e. Do one of the following:

Click OK to accept your entries and to return to the Conditions table.

Click Cancel to exit this procedure without saving your entries and to return to the Conditions table.

*Inline Match*

In the Conditions Type field, choose the type of inline match condition and configure any protocol-specific options:

For Generic protocol options, see Table 14-9.

For HTTP and HTTPS protocol options, see Table 7-12.

For RADIUS protocol options, see Table 14-10.

For RTSP protocol options, see Table 14-11.

For SIP protocol options, see Table 14-12.


Table 7-12 Layer 7 HTTP/HTTPS Load-Balancing Conditions and Options 

Match Condition
Action

Class Map

Existing class map used for the match condition.

In the Class Map field, choose the class map to be used.

HTTP Content

Specific content contained within the HTTP entity-body used to establish a match condition.

a. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.

b. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255.

HTTP Cookie

HTTP cookies used for the match condition.

a. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

b. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

c. Check the Secondary Cookie Matching check box to indicate that the ACE is to use both the cookie name and the cookie value to satisfy this match condition. Clear this check box to indicate that the ACE is to use either the cookie name or the cookie value to satisfy this match condition.

HTTP Header

HTTP header and corresponding value used to establish match conditions.

a. In the Header Name field, specify the header in one of the following ways:

To specify an HTTP header that is not one of the standard HTTP headers, click the first radio button and enter the HTTP header name in the Header Name field. Enter an unquoted text string with no spaces and a maximum of 64 characters.

To specify one of the standard HTTP headers, click the second radio button and choose the desired HTTP header from the list.

b. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 14-35 lists the supported characters that you can use in regular expressions.

HTTP URL

Condition that indicates that the ACE is to perform regular expression matching against the received packet data from a particular connection based on the HTTP URL string.

a. In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE supports regular expressions for matching URL strings. Table 14-35 lists the supported characters that you can use in regular expressions.

b. In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 15 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).

Source Address

Client source IP address used for the match condition.

a. In the Source Address field, enter the source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).

b. In the Source Netmask field, choose the subnet mask to apply to the source IP address.
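To make the Table 7-12 conditions and the primary actions of Step 7 concrete, the following Python model evaluates a rule-match table against a parsed HTTP request. It is an added example rather than ANM or ACE code: the rule names, server farm and sticky group names, the client addresses, the sample request and the "first matching rule wins" order are assumptions made for illustration, and the interpretation of Secondary Cookie Matching (name alone or any value when unchecked, name and that cookie's value when checked) follows the table text.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed HTTP request used as sample input (not captured traffic).
SAMPLE_REQUEST = (
    "POST /latest/whatsnew.html HTTP/1.1\r\n"
    "Host: www.anydomain.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
    "user=alice&action=update"
)

@dataclass
class HttpRequest:
    method: str
    url: str                 # path portion only, as Table 7-12 requires
    headers: Dict[str, str]  # lower-cased header name -> value
    cookies: Dict[str, str]
    body: bytes
    client_ip: str

def parse_http(raw: str, client_ip: str) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, headers, Cookie header, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies: Dict[str, str] = {}
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return HttpRequest(method, url, headers, cookies, body.encode(), client_ip)

Condition = Callable[[HttpRequest], bool]

def http_url(url_regex: str, method: str = "") -> Condition:
    # URL expression is a regex over the path; the method expression, if given, must match exactly.
    return lambda r: re.search(url_regex, r.url) is not None and (not method or r.method == method)

def http_header(name: str, value_regex: str) -> Condition:
    return lambda r: re.search(value_regex, r.headers.get(name.lower(), "")) is not None

def http_cookie(name: str, value_regex: str, secondary: bool) -> Condition:
    # Secondary Cookie Matching checked: both the name and that cookie's value must match.
    # Unchecked: the name alone, or any cookie value matching the regex, satisfies the condition.
    def check(r: HttpRequest) -> bool:
        if secondary:
            return name in r.cookies and re.search(value_regex, r.cookies[name]) is not None
        return name in r.cookies or any(re.search(value_regex, v) for v in r.cookies.values())
    return check

def http_content(expr: str, offset: int) -> Condition:
    # Content Offset: bytes skipped from the first byte of the entity body before matching.
    return lambda r: re.search(expr.encode(), r.body[offset:]) is not None

def source_address(addr: str, netmask: str) -> Condition:
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    return lambda r: ipaddress.ip_address(r.client_ip) in net

@dataclass
class L7Rule:
    name: str
    match_all: bool
    conditions: List[Condition]
    primary_action: str       # Drop, Forward, Load Balance or Sticky
    target: str = ""          # server farm or sticky group the action refers to

    def matches(self, r: HttpRequest) -> bool:
        results = [cond(r) for cond in self.conditions]
        return all(results) if self.match_all else any(results)

def build_rules() -> List[L7Rule]:
    """Hypothetical rule-match table; farm and sticky group names are made up."""
    return [
        L7Rule("DENY_TRACE", True, [http_url(r".*", "TRACE")], "Drop"),
        L7Rule("MGMT_BYPASS", True, [source_address("192.168.11.0", "255.255.255.0")], "Forward"),
        L7Rule("STATIC", True, [http_url(r"^/static/"), http_header("User-Agent", r"Mozilla")],
               "Load Balance", "STATIC_FARM"),
        L7Rule("APP_STICKY", True, [http_url(r"^/latest/"), http_cookie("session", r"^[a-z0-9]+$", True)],
               "Sticky", "SESSION_GROUP"),
        L7Rule("FORM_UPDATE", True, [http_content(r"action=update", 0)], "Load Balance", "APP_FARM"),
    ]

def classify(raw: str, client_ip: str, default_farm: str = "DEFAULT_FARM") -> Tuple[str, str]:
    """Evaluate the rules top to bottom (first match wins, an assumption of this model)."""
    req = parse_http(raw, client_ip)
    for rule in build_rules():
        if rule.matches(req):
            return rule.primary_action, rule.target
    return "Load Balance", default_farm   # default Layer 7 action when nothing matches
```

With these rules, the sample request from an ordinary client is handed to the `SESSION_GROUP` sticky group, the same request from the management subnet is forwarded without load balancing, and a TRACE request is dropped; the order of the rules decides which action wins when several would match.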


Step 7 In the Primary Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Drop—Client requests for content are to be discarded when match conditions are met. Continue with Step 12.

Forward—Client requests for content are to be forwarded without performing load balancing on the requests when match conditions are met. Continue with Step 12.

Load Balance—Client requests for content are to be directed to a server farm when match conditions are met. Continue with Step 9.

Sticky—Client requests for content are to be handled by a sticky group when match conditions are met. Continue with Step 10.

Step 8 (Optional) From the HTTP Header Modify Action List drop-down list, choose an existing Action List or choose New to display the Action List configuration table and create a new one. For more information, see the "Configuring an HTTP Header Modify Action List" section.

Step 9 (Optional) If you chose Load Balance as the primary action, do the following:

a. In the Server Farm field, choose the primary server farm to use for load balancing, or choose *New* to configure a new server farm (see Table 7-13).

If you chose an existing object in this field, you can view, modify, or duplicate the selected object's existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects in virtual servers.


Note To display statistics and status information for an existing server farm, choose a server farm in the list, and click Details. ANM accesses the show serverfarm name detail CLI command to display detailed server farm information. See the "Displaying Server Farm Statistics and Status Information" section.


b. In the Backup Server Farm field, choose the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or choose *New* to configure a new backup server farm (see Table 7-13).


Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later.


If you chose an existing object in this field, you can view, modify, or duplicate the selected object's existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects in virtual servers.

Table 7-13 New Server Farm Attributes 

Field
Description

Name

Unique name for the server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Type

Type of server farm:

Host—A typical server farm that consists of real servers that provide content and services to clients.

By default, if you configure a backup server farm and all real servers in the primary server farm go down, the primary server farm fails over to the backup server farm. Use the following options to specify thresholds for failover and returning to service.

1. In the Partial-Threshold Percentage field, enter the minimum percentage of real servers in the primary server farm that must remain active for the server farm to stay up. If the percentage of active real servers falls below this threshold, the ACE takes the server farm out of service. Valid entries are from 0 to 99.

2. In the Back Inservice field, enter the percentage of real servers in the primary server farm that must be active again for the ACE to place the server farm back into service. Valid entries are from 0 to 99. The value in this field should be larger than the value in the Partial Threshold Percentage field.

Redirect—A server farm that consists only of real servers that redirect client requests to alternate locations specified in the real server configuration.

Fail Action

Action that the ACE takes if any real server in the server farm fails:

N/A—Indicates that the ACE is to take no action if any server in the server farm fails.

Purge—Indicates that the ACE is to remove connections to a real server if that real server in the server farm fails. The ACE sends a reset command to both the client and the server that failed.

Reassign—Indicates that the ACE reassigns the existing server connections to the backup real server (if configured) if the real server fails after you configure this option. If a backup real server has not been configured for the failing server, this selection leaves the existing connections untouched in the failing real server.

Failaction Reassign Across Vlans

Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. This field appears only when the L7 Load-Balancing Action parameters are set as follows: Primary Action: LoadBalance; ServerFarm: New; Fail Action: Reassign.

Check the check box to specify that the ACE reassigns the existing server connections to the backup real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails. If a backup real server has not been configured for the failing server, this option has no effect and leaves the existing connections untouched in the failing real server.

Note the following configuration requirements and restrictions when you enable this option:

Enable the Transparent option (see the Transparent field that follows) to instruct the ACE not to use NAT to translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for the connection coming in to the ACE is for the end-point real server, and the ACE reassigns the connection so that it is transmitted through a different next hop.

Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to and coming from the same server in a flow will traverse the same firewalls or stateful devices (see the "Configuring Virtual Context VLAN Interfaces" section).

Configure the Predictor Hash Address option. See Table 7-14 for the supported predictor methods and configurable attributes for each predictor method.

You must configure identical policies on the primary interface and the backup-server interface. The backup interface must have the same feature configurations as the primary interface.

If you configure a policy on the backup-server interface that is different from the policies on the primary-server interface, that policy will be effective only for new connections. The reassigned connection will always have only the primary-server interface policies.

Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or SYN cookie) are not supported.

You cannot reassign connections to the failed real server after it comes back up. This restriction also applies to same-VLAN backup servers.

Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN backup servers.

You must disable sequence number randomization on the firewall (see the "Configuring Connection Parameter Maps" section).

Probe configurations should be similar on both ACEs and the interval values should be low. For example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with the low interval value will detect the primary server failure first and will reassign all its incoming connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect the failure before the primary server comes back up and will still point to the primary server.

To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.

Transparent

Field that appears only for real servers identified as host servers.

Specify whether network address translation from the VIP address to the server IP is to occur. Check the check box to specify that network address translation from the VIP address to the server IP address is to occur. Uncheck the check box to specify that network address translation from the VIP address to the server IP address is not to occur.

Dynamic Workload Scaling

Option that is available only with ACE software Version A4(2.0) or later release on either device type (appliance or module). Field that appears only for host server farms.

Allows the ACE to burst traffic to remote VMs when the average CPU usage, memory usage, or both of the local VMs has reached its specified maximum threshold value. The ACE stops bursting traffic to the remote VMs when the average CPU or memory usage of the local VMs has dropped to its specified minimum threshold value. This option requires that you have the ACE configured for Dynamic Workload Scaling using a Cisco Nexus 7000 Series, VM Controller, and VM probe (see the "Configuring Dynamic Workload Scaling" section).

Click one of the following radio button options:

N/A—Not applicable (default).

Local—The ACE can use the VM Controller local VMs only for load balancing (bursting is not allowed).

Burst—Enables the ACE to burst traffic to remote VMs when needed.

When you choose Burst, the VM Probe Name field displays along with a list of available VM probes. Choose an available VM probe or click Add to display the Health Monitoring popup window and create a new VM probe or edit an existing one (see the "Configuring Health Monitoring" section).

Fail-On-All

Field that appears for host server farms only.

By default, real servers that you configure in a server farm inherit the probes that you configure directly on that server farm. When you configure multiple probes on a server farm, the real servers in the server farm use OR logic with respect to the probes, which means that if one of the probes configured on the server farm fails, all the real servers in that server farm fail and enter the PROBE-FAILED state.

With AND logic, if one server farm probe fails, the real servers in the server farm remain in the OPERATIONAL state. If all the probes associated with the server farm fail, then all the real servers in that server farm fail and enter the PROBE-FAILED state. You can also configure AND logic for probes that you configure directly on real servers in a server farm. For more information, see the command in server farm host real server configuration mode.

Check this check box to configure the real servers in a server farm to use AND logic with respect to multiple server farm probes.

The Fail On All function is applicable to all probe types.

Inband-Health Check

Option that is available only for the ACE module A4(1.0), ACE appliance A4(1.0), and later releases of either device type. Field that appears only for host server farms.

By default, the ACE monitors the health of all real servers in a configuration through the use of ARPs and health probes. However, there is a latency period between when the real server goes down and when the ACE becomes aware of the state. The inband health monitoring feature allows the ACE to monitor the health of the real servers in the server farm through the following connection failures:

For TCP, resets (RSTs) from the server or SYN timeouts.

For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages.

When you configure the failure-count threshold and the number of these failures exceeds the threshold within the reset-time interval, the ACE immediately marks the server as failed, takes it out of service, and removes it from load balancing. The server is not considered for load balancing until the optional resume-service interval expires.

The Inband-Health Check attributes are as follows:

Count—Tracks the total number of TCP or UDP failures, and increments the counters.

Log—Logs a syslog error message when the number of events reaches the threshold value that you set for the Connection Failure Threshold Count attribute.

Remove—Logs a syslog error message when the number of events reaches the configured threshold and removes the real server from service.

Connection Failure Threshold Count

This field appears only when the Inband-Health Check is set to Log or Remove.

Enter the maximum number of connection failures that a real server can exhibit in the reset-time interval before the ACE marks the real server as failed. Valid entries are as follows:

ACE appliance—Integers from 1 to 4294967295

ACE module—Integers from 4 to 4294967295

Reset Timeout (Milliseconds)

This field appears only when the Inband-Health Check is set to Log or Remove.

Enter the number of milliseconds for the reset-time interval. Valid entries are integers from 100 to 300000. The default interval is 100.

This interval starts when the ACE detects a connection failure. If the connection failure threshold is reached during this interval, the ACE generates a syslog message. If you configure the Remove attribute, the ACE also removes the real server from service.

Changing the setting of this option affects the behavior of the real server, as follows:

When the real server is in the OPERATIONAL state, even if several connection failures have occurred, the new reset-time interval takes effect the next time that a connection error occurs.

When the real server is in the INBAND-HM-FAILED state, the new reset-time interval takes effect the next time that a connection error occurs after the server transitions to the OPERATIONAL state.

Resume Service (Seconds)

Field that appears only when the Inband-Health Check is set to Remove.

Enter the number of seconds after a server has been marked as failed to reconsider it for sending live connections. Valid entries are integers from 30 to 3600. The default setting is 0. The setting of this option affects the behavior of the real server in the inband failed state, as follows:

When this field is not configured and has the default setting of 0, the real server remains in the failed state until you manually suspend and then reactivate it.

When this field is not configured and has the default setting of 0 and then you configure this option with an integer between 30 and 3,600, the failed real server immediately transitions to the Operational state.

When you configure this field and then increase the value, the real server remains in the failed state for the duration of the previously-configured value. The new value takes effect the next time the real server transitions to the failed state.

When you configure this field and then decrease the value, the failed real server immediately transitions to the Operational state.

When you configure this field with an integer between 30 and 3,600 and then reset it to the default of 0, the real server remains in the failed state for the duration of the previously-configured value. The default setting takes effect the next time the real server transitions to the failed state. Then the real server remains in the failed state until you manually suspend and then reactivate it.

When you change this field within the reset-time interval while the real server is in the OPERATIONAL state with several connection failures, the new threshold interval takes effect the next time that a connection error occurs, even if it occurs within the current reset-time interval.
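The interaction between the Inband-Health Check mode, the Connection Failure Threshold Count, the Reset Timeout and the Resume Service fields is easier to see as a small state machine. The following Python model is an added example, not ANM or ACE code; it assumes that an expired reset-time interval simply starts over at the next failure, that failures seen while the server is already out of service are only counted, and it uses constructed failure timestamps (in milliseconds) as input.

```python
from dataclasses import dataclass, field
from typing import List, Optional

OPERATIONAL = "OPERATIONAL"
INBAND_HM_FAILED = "INBAND-HM-FAILED"

@dataclass
class InbandHealthCheck:
    """Per-real-server inband health state (hypothetical model, timestamps in milliseconds)."""
    mode: str = "Count"                 # Inband-Health Check: Count, Log or Remove
    threshold: int = 5                  # Connection Failure Threshold Count
    reset_ms: int = 100                 # Reset Timeout (Milliseconds), default 100
    resume_s: int = 0                   # Resume Service (Seconds); 0 = manual reactivation only
    state: str = OPERATIONAL
    total_failures: int = 0             # Count attribute: every failure is tallied
    failures_in_interval: int = 0
    interval_start_ms: Optional[float] = None
    failed_at_ms: Optional[float] = None
    syslog: List[str] = field(default_factory=list)

    def connection_failure(self, now_ms: float, kind: str) -> str:
        """Record one failure (TCP RST/SYN timeout or UDP ICMP unreachable) and return the state."""
        self._maybe_resume(now_ms)
        self.total_failures += 1
        if self.state != OPERATIONAL:
            return self.state           # already out of service; the failure is only counted
        # The reset-time interval starts at a failure; an expired interval starts afresh (assumption).
        if self.interval_start_ms is None or now_ms - self.interval_start_ms > self.reset_ms:
            self.interval_start_ms = now_ms
            self.failures_in_interval = 0
        self.failures_in_interval += 1
        if self.mode in ("Log", "Remove") and self.failures_in_interval >= self.threshold:
            self.syslog.append(
                f"t={now_ms:.0f}ms {self.failures_in_interval} {kind} failures within "
                f"{self.reset_ms}ms (threshold {self.threshold})")
            if self.mode == "Remove":
                self.state = INBAND_HM_FAILED   # removed from load balancing
                self.failed_at_ms = now_ms
            self.interval_start_ms = None
            self.failures_in_interval = 0
        return self.state

    def eligible(self, now_ms: float) -> bool:
        """True when the server may receive live connections at time now_ms."""
        self._maybe_resume(now_ms)
        return self.state == OPERATIONAL

    def reactivate(self) -> None:
        """Manual suspend and reactivate; the only way back when Resume Service is 0."""
        self.state = OPERATIONAL
        self.failed_at_ms = None
        self.interval_start_ms = None
        self.failures_in_interval = 0

    def _maybe_resume(self, now_ms: float) -> None:
        # With Resume Service set, the server returns to OPERATIONAL after resume_s seconds.
        if (self.state == INBAND_HM_FAILED and self.resume_s > 0
                and now_ms - self.failed_at_ms >= self.resume_s * 1000):
            self.reactivate()

def burst_of_resets(check: InbandHealthCheck, times_ms: List[float]) -> str:
    """Feed a constructed sequence of TCP RST timestamps and return the resulting state."""
    for t in times_ms:
        check.connection_failure(t, "TCP RST")
    return check.state
```

Three resets inside one 200 ms window with a threshold of 3 and the Remove attribute take the server to INBAND-HM-FAILED and, with Resume Service set to 30, bring it back 30 seconds later; the same three resets spread 150 ms apart against a 100 ms Reset Timeout never reach the threshold, which is why the interval and threshold must be tuned together.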

Predictor

Method for selecting the next server in the server farm to respond to client requests. Round Robin is the default predictor method for a server farm.

See Table 7-14 for the supported predictor methods and configurable attributes for each predictor method.

Probes

Health monitoring probes to use:

To include a probe that you want to use for health monitoring, choose it in the Available list, and click Add. The probe appears in the Selected list.

The redirect real server probe list contains only configured probes of the type Is Routed, which means that the ACE routes the probe address according to the ACE internal routing table (see the "Configuring Health Monitoring" section).


Note You can associate both IPv6 and IPv4 probes to a server farm. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.



Note The list of available probes does not include VM health monitoring probes. To choose a VM probe for monitoring local VM usage, see the Dynamic Workload Scaling field.


To remove a probe that you do not want to use for health monitoring, choose it in the Selected list, and click Remove. The probe appears in the Available list.

To specify a sequence for probe use, choose probes in the Selected list, and click Up or Down until you have the desired sequence.

To view the configuration for an existing probe, choose a probe in the list on the right, and click View to review its configuration.

To display statistics and status information for an existing probe, choose a probe in the list on the right, and click Details. ANM accesses the show probe name detail CLI command to display detailed probe information. See the "Displaying Health Monitoring Statistics and Status Information" section.

To add a new probe, click Create. See the "Configuring Health Monitoring for Real Servers" section for details on adding a new health monitoring probe and defining attributes for the specific probe type. In addition to the probe attributes that you set as described in the "Configuring Health Monitoring for Real Servers" section, set the following probe configuration parameters in the Probes section under Server Farm as described as follows:

Expect Addresses—To configure expect addresses for a DNS probe, in the IPv4/IPv6 Address field, enter the IP address that the ACE is to expect as a server response to a DNS request. You can enter multiple addresses in this field; however, you cannot mix IPv4 and IPv6 addresses.


Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.


Probe Headers—To configure probe headers for either an HTTP or HTTPS probe, in the Probe Headers field enter the name of the HTTP header and the value to be matched using the format header_name=header_value where:

header_name represents the HTTP header name the probe is to use. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name, provided that it does not exceed the maximum length limit.

header_value represents the string to assign to the header field. Valid entries are text strings with a maximum of 255 characters. If the string includes spaces, enclose the string with quotes.


Probe Expect Status—To configure probe expect status for an FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, or SMTP probe, in the Probe Expect Status field enter the following information:

To configure a single expect status code, enter the minimum expect status code for this probe followed by the same expect status code that you entered as the minimum. Valid entries are from 0 to 999.

To configure a range of expect status codes, enter the lower limit of the range of status codes followed by the upper limit of the range of status codes. The maximum expect status code must be greater than or equal to the value specified for the minimum expect status code. Valid entries are from 0 to 999.

SNMP OID Table—To configure the SNMP OID for an SNMP probe, see the "Configuring an OID for SNMP Probes" section.

After you add a probe, you can modify the attributes for a health probe from the Health Monitoring table (Config > Virtual Contexts > context > Load Balancing > Health Monitoring) as described in the "Configuring Health Monitoring for Real Servers" section. You can also delete an existing health probe from the Health Monitoring table.

Real Servers

Table that allows you to add, modify, remove, or change the order of real servers.

a. Choose an existing server, or click Add to add a server to the server farm and do one of the following:

If you chose an existing server, you can view, modify, or duplicate the server's existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you click Add, the window refreshes so you can enter server information.

b. In the Name field, specify the name of the real server in one of the following ways:

To identify a new real server, click the first radio button, and then enter the name of the real server in the adjoining field.

To specify an existing real server, click the second radio button, and then choose one of the real servers listed.

c. In the IP Address Type field, choose IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.

d. In the IP Address field, enter the IP address of the real server.

e. In the Port field, enter the port number to be used for server port address translation (PAT). Valid entries are from 1 to 65535.

f. In the Weight field, enter the weight to assign to this server in the server farm. Valid entries are from 1 to 100, and the default is 8.

g. In the Redirection Code field, choose the appropriate redirection code. This field appears only for real servers identified as redirect servers.

N/A—Indicates that the webhost redirection code is not defined.

301—Indicates that the requested resource has been moved permanently. For future references to this resource, the client should use one of the returned URIs.

302—Indicates that the requested resource has been found, but has been moved temporarily to another location. For future references to this resource, the client should use the request URI because the resource may be moved to other locations from time to time.

h. In the Web Host Redirection field, enter the URL and port used to redirect requests to another server. This field appears only for real servers identified as redirect servers. Valid entries are in the form http://host.com:port where host is the name of the server and port is the port to be used. Valid host entries are unquoted text strings with no spaces and a maximum of 255 characters. Valid port numbers are from 1 to 65535.

The relocation string supports the following special characters:

%h—Inserts the hostname from the request Host header

%p—Inserts the URL path string from the request

i. In the Rate Bandwidth field, enter the real server bandwidth limit in bytes per second. Valid entries are from 1 to 300000000 bytes.


j. In the Rate Connection field, enter the limit for connections per second (valid entries are from 1 to 350000) and do one of the following:

Click OK to accept your entries and add this real server to the server farm. The table refreshes with updated information.

Click Cancel to exit this procedure without saving your entries and to return to the Real Servers table.

k. In the State field, choose the administrative state of this server as follows:

In Service—The server is to be placed in use as a destination for server load balancing.

In Service Standby—The server is a backup server and remains inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections.

Out Of Service—The server is not to be placed in use by a server load balancer as a destination for client connections.

l. In the Buddy Real Group field, associate the real server with a buddy group by creating a buddy real server group or selecting an existing one.


Note This field appears only for ACE software Version A5(2.0) or later. For more information, see the "Buddy Sticky Groups" section.


m. In the Fail-On-All field, check this check box to configure a real server to remain in the OPERATIONAL state unless all probes associated with it fail (AND logic). The Fail-On-All function is applicable to all probe types. Fail-On-All is applicable only for host real servers.

n. Do one of the following:

Click OK to accept your entries and add this real server to the server farm. The table refreshes with updated information.

Click Cancel to exit this procedure without saving your entries and to return to the Real Servers table.

To display statistics and status information for an existing real server, choose a real server in the list, and then click Details. ANM accesses the show rserver name detail CLI command to display detailed real server information. See the "Displaying Real Server Statistics and Status Information" section.
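The redirect real server fields above (Redirection Code, Web Host Redirection, and the %h and %p placeholders) can be modelled as a small function. This is an added example written for this page, not ACE or ANM code; the hostname-only substitution for %h and the allow-list check on the client-supplied Host header are assumptions of the illustration.

```python
import re
from typing import Optional, Set, Tuple

# Added example for this page, not ACE or ANM code: how a redirect real
# server's Redirection Code and Web Host Redirection string (with the %h
# and %p placeholders) turn one client request into an HTTP redirect. The
# hostname-only substitution for %h and the allow-list check are assumptions
# of this illustration.

# Accepted form: http://host.com:port, where the host may be %h, the port is
# optional, and the string may end with %p or a literal path.
_RELOCATION_RE = re.compile(
    r"^http://(?P<host>%h|[^\s/:]{1,255})(?::(?P<port>\d{1,5}))?(?P<path>%p|/\S*)?$"
)

# Redirection codes the field offers; None stands for N/A (not defined).
_REASON = {301: "Moved Permanently", 302: "Found"}


def validate_relocation(relocation: str) -> bool:
    """True when the string is in the http://host.com:port form with a legal port."""
    m = _RELOCATION_RE.match(relocation)
    if m is None:
        return False
    port = m.group("port")
    return port is None or 1 <= int(port) <= 65535


def expand_relocation(relocation: str, request_host: str, request_path: str) -> str:
    """Substitute %h (hostname from the request Host header) and %p (request path)."""
    # Assumption: only the hostname part of the Host header is inserted, never
    # a :port suffix the client may have sent.
    hostname = request_host.split(":", 1)[0]
    return relocation.replace("%h", hostname).replace("%p", request_path)


def build_redirect(
    relocation: str,
    code: Optional[int],
    request_host: str,
    request_path: str,
    allowed_hosts: Set[str],
) -> Optional[Tuple[str, str]]:
    """Return (status line, Location value), or None when no redirect is sent."""
    if code is None:                      # Redirection Code N/A: nothing to send
        return None
    if code not in _REASON:
        raise ValueError(f"unsupported redirection code {code}")
    if not validate_relocation(relocation):
        raise ValueError(f"relocation string not in http://host.com:port form: {relocation!r}")
    hostname = request_host.split(":", 1)[0].lower()
    # Added safeguard (not ACE behaviour): %h copies the client-supplied Host
    # header into the Location header, so only expand it for hostnames this
    # virtual server is expected to serve.
    if "%h" in relocation and hostname not in allowed_hosts:
        return None
    location = expand_relocation(relocation, request_host, request_path)
    return (f"HTTP/1.1 {code} {_REASON[code]}", location)


if __name__ == "__main__":
    # Constructed request: a client asked www.example.com for /catalog/item?id=7
    # and the redirect server is configured with 301 and http://%h:8443%p.
    print(build_redirect("http://%h:8443%p", 301, "www.example.com:80",
                         "/catalog/item?id=7", {"www.example.com"}))
```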


Table 7-14 Predictor Methods and Attributes 

Predictor Method
Description / Action

Hash Address

Method that indicates that the ACE is to select the server using a hash value based on the source or destination IP address.

To configure the hash address predictor method, do the following:

a. In the Mask Type field, indicate whether server selection is based on the source IP address or the destination IP address:

N/A—Indicates that this option is not defined.

Destination—Indicates that the server is selected based on the destination IP address.

Source—Indicates that the server is selected based on the source IP address.

b. In the IP Netmask field, choose the subnet mask to apply to the address. If none is specified, the default is 255.255.255.255.

Hash Content

Method that indicates that the ACE is to select the server by using a hash value based on the specified content string of the HTTP packet body.

a. In the Begin Pattern field, enter the beginning pattern of the content string and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP body immediately following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.

Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.

Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

c. In the Length (Bytes) field, enter the length in bytes of the portion of the content (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are from 1 to 1000 bytes.

The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length, the ACE sticks the connection based on that portion of the payload starting with the byte after the offset value and ending with the byte specified by the offset plus the length. The total of the offset and the length cannot exceed 1000.


Note You cannot specify both the length and the end-pattern options for a Hash Content predictor.


d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Valid entries are from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude any portion of the content.

Hash Cookie

Method that indicates that the ACE is to select the server by using a hash value based on the cookie name.

In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces and a maximum of 64 characters.

Hash Header

Method that indicates that the ACE is to select the server by using a hash value based on the header name.

In the Header Name field, choose the HTTP header to be used for server selection as follows:

To specify an HTTP header that is not one of the standard HTTP headers, click the first radio button and enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

To specify one of the standard HTTP headers, click the second radio button, and then choose one of the HTTP headers from the list.

Hash Layer 4

Method that indicates that the ACE is to select the server by using a Layer 4 generic protocol load-balancing method. Use this predictor to load balance packets from protocols that are not explicitly supported by the ACE.

a. In the Begin Pattern field, enter the beginning pattern of the Layer 4 payload and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP body immediately following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.

Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification.

Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-35 lists the supported characters that you can use for matching string expressions.

c. In the Length (Bytes) field, enter the length in bytes of the portion of the payload (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are from 1 to 1000 bytes.

The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length, the ACE sticks the connection based on that portion of the payload starting with the byte after the offset value and ending with the byte specified by the offset plus the length. The total of the offset and the length cannot exceed 1000.


Note You cannot specify both the length and end-pattern options for a Hash Layer 4 predictor.


d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Valid entries are from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude any portion of the content.
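The Hash Content and Hash Layer 4 predictors share the same four attributes (Begin Pattern, End Pattern, Length, HTTP Content Offset) and the same constraints, so one model serves both. This is an added example written for this page, not ACE or ANM code; the hash function used to pick the server and the assumption that the hashed portion begins right after a begin-pattern match are the author's choices for the illustration.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example for this page, not ACE or ANM code: a model of how the
# Hash Content and Hash Layer 4 predictor attributes carve a key out of a
# payload and how that key picks a server. The hash function and the exact
# position at which hashing starts after a begin-pattern match are
# assumptions of this illustration.

MAX_PARSE_LEN = 1000  # upper bound on offset + length given on the page


@dataclass
class HashPredictor:
    offset: int = 0                       # HTTP Content Offset (Bytes), 0..999
    begin_pattern: Optional[str] = None   # regular expression, as the page allows
    end_pattern: Optional[str] = None
    length: Optional[int] = None          # Length (Bytes), 1..1000

    def __post_init__(self) -> None:
        # The validity rules stated for the ANM fields.
        if not 0 <= self.offset <= 999:
            raise ValueError("offset must be 0..999")
        if self.length is not None:
            if not 1 <= self.length <= 1000:
                raise ValueError("length must be 1..1000")
            if self.offset + self.length > MAX_PARSE_LEN:
                raise ValueError("offset + length cannot exceed 1000")
            if self.end_pattern is not None:
                raise ValueError("length and end pattern cannot both be set")

    def extract_key(self, payload: bytes) -> Optional[bytes]:
        """Return the bytes that are hashed, or None when there is nothing to hash."""
        if len(payload) <= self.offset:
            return None  # payload ends before the hashed portion would begin
        data = payload[:MAX_PARSE_LEN]  # never parse past the maximum parse length
        start = self.offset             # skip the first `offset` bytes
        if self.begin_pattern:
            m = re.compile(self.begin_pattern.encode()).search(data, start)
            if m is None:
                return None
            start = m.end()  # assumption: the key begins right after the match
        if self.length is not None:
            end = start + self.length   # a shorter payload yields what is there
        elif self.end_pattern:
            m = re.compile(self.end_pattern.encode()).search(data, start)
            end = m.start() if m else len(data)
        else:
            end = len(data)             # to end of packet / max parse length
        key = data[start:end]
        return key or None

    def select_server(self, payload: bytes, servers: List[str]) -> Optional[str]:
        """Map the extracted key onto one of the real servers (assumed hash: SHA-256)."""
        key = self.extract_key(payload)
        if key is None:
            return None
        digest = hashlib.sha256(key).digest()
        return servers[int.from_bytes(digest[:4], "big") % len(servers)]


if __name__ == "__main__":
    # Constructed payloads: two requests carrying the same session token.
    servers = ["rs1", "rs2", "rs3"]
    by_session = HashPredictor(begin_pattern="<sess>", end_pattern="</sess>")
    for body in (b"<login><user>alice</user><sess>ABC123</sess></login>",
                 b"<login><user>bob</user><sess>ABC123</sess></login>"):
        print(by_session.extract_key(body), "->", by_session.select_server(body, servers))
```

Both constructed payloads hash to the same server because only the bytes between the begin and end patterns enter the hash.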

Hash URL

Method that indicates that the ACE is to select the server using a hash value based on the URL. Use this method to load balance firewalls.

Enter values in one or both of the pattern fields:

In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to parse.

In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to parse.

Valid entries for these fields are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters for each pattern you configure.

Least Bandwidth

Method that indicates that the ACE is to select the server with the least amount of network traffic over a specified sampling period.

a. In the Assess Time field, enter the number of seconds for which the ACE is to collect traffic information. Valid entries are from 1 to 10 seconds.

b. In the Least Bandwidth Samples field, enter the number of samples over which you want to weight and average the results of the probe query to calculate the final load value. Valid entries are 1, 2, 4, 8, and 16 (values from 1 to 16 that are also a power of 2).

Least Connections

Method that indicates that the ACE is to select the server with the fewest number of connections.

In the Slowstart Duration field, enter the slow-start value to be applied to this predictor method. Valid entries are from 1 to 65535, where 1 is the slowest ramp-up value.

The slow-start mechanism is used to avoid sending a high rate of new connections to servers that you have just put into service.

Least Loaded

Method that indicates that the ACE is to select the server with the lowest load based on information from SNMP probes.

a. In the SNMP Probe Name field, choose the name of the SNMP probe to use.

b. In the Auto Adjust field, configure the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options. Options are as follows:

Average—Instructs the ACE to apply the average load of the server farm to a real server whose load reaches zero. The average load is the running average of the load values across all real servers in the server farm. This is the default setting.

Maxload—Instructs the ACE to apply the maximum load of the server farm to a real server whose load reaches zero.

The maxload option requires the following ACE software versions:

- ACE appliance—A3(2.7) or A4(1.0) or later

- ACE module—A2(2.4), A2(3.2), or A4(1.0) or later

If you choose the maxload option and the ACE does not support the option, ANM issues a command parse error message.

Off—Instructs the ACE to send all new connections to the server that has a load of zero until the next load update arrives from the SNMP probe for this server. There may be times when you want the ACE to send all new connections to a real server whose load is zero.

c. In the Weight Connection field, check the check box to instruct the ACE to use the current connection count in the final load calculation for a real server. When you configure this option, the ACE includes the current connection count in the total load calculation for each real server in a server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the current connection count from the load calculation.

Response

Method that indicates that the ACE is to select the server with the lowest response time for a requested response-time measurement.

a. In the Response Type field, choose the type of measurement to use:

App-Req-To-Resp—The response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.

Syn-To-Close—The response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.

Syn-To-Synack—The response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a SYN-ACK from the server.

b. In the Response Samples field, enter the number of samples over which you want to average the results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (values from 1 to 16 that are also a power of 2).

c. In the Weight Connection field, check the check box to instruct the ACE to use the current connection count in the final load calculation for a real server. When you configure this option, the ACE includes the current connection count in the total load calculation for each real server in a server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the current connection count from the load calculation.

Round Robin

Method that indicates that the ACE is to select the next server in the list of servers based on server weight. This is the default predictor method.


Step 10 (Optional) If you chose Sticky as the primary action, in the Sticky Group field, choose an existing sticky group or click *New* to add a new sticky group (Table 7-15).


Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later.



Note If you chose an existing sticky group, you can view, modify, or duplicate the selected object's existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects in virtual servers.


Table 7-15 Sticky Group Attributes 

Field
Description

Group Name

Unique identifier for the sticky group. You can either accept the automatically incremented entry that was provided or you can enter your own. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

Type

Method to be used when establishing sticky connections and configure any type-specific attributes:

Note The available selections listed in the Type drop-down list will vary depending on your selection for Application Protocol in the Properties configuration subset (see Table 7-2). For example, if you chose HTTP or HTTPS as the application protocol, only IP Netmask, HTTP Cookie, HTTP Header, and HTTP Content appear as selections in the Type drop-down list.

HTTP Content—The virtual server is to stick client connections to the same real server based on a string in the data portion of the HTTP packet. See Table 9-2 for additional configuration options.

HTTP Cookie—The virtual server is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction. See Table 9-3 for additional configuration options.

HTTP Header—The virtual server is to stick client connections to the same real server based on HTTP headers. See Table 9-4 for additional configuration options.

IP Netmask—The virtual server is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IPv4 address, the destination IPv4 address, or both. See Table 9-5 for additional configuration options.

Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence.

V6 Prefix—(Requires ACE module and ACE appliance software Version A5(1.0) or later) Indicates that the virtual server is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IPv6 address, the destination IPv6 address, or both. See Table 9-6 for additional configuration options.

Layer 4 Payload—The virtual server is to stick client connections to the same real server based on a string in the payload portion of the Layer 4 protocol packet. See Table 9-7 for additional configuration options.

RADIUS—The virtual server is to stick client connections to the same real server based on a RADIUS attribute.

RTSP Header—The virtual server is to stick client connections to the same real server based on the RTSP Session header field. See Table 9-9 for additional configuration options.

SIP Header—The virtual server is to stick client connections to the same real server based on the SIP Call-ID header field.

Sticky Server Farm

Existing server farm that is to act as the primary server farm for this sticky group. You can choose *New* to create a new server farm. If you chose *New*, configure the server farm using the information in Table 7-13.

Backup Server Farm

Existing server farm that is to act as the backup server farm for this sticky group. You can choose *New* to create a new server farm. If you chose *New*, configure the server farm using the information in Table 7-13.

Aggregate State

Check box to indicate that the state of the primary server farm is to be tied to the state of all real servers in the server farm and in the backup server farm, if configured. The ACE declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.

Uncheck the check box if the state of the primary server farm is not to be tied to all real servers in the server farm and in the backup server farm.

Enable Sticky On Backup Server Farm

Check box to indicate that the backup server farm is sticky. Uncheck the check box if the backup server farm is not sticky.

Buddy Group

Associate the server farm with a buddy member group by creating a buddy sticky group or selecting an existing one.


Note This field appears only for ACE software Version A5(2.0) or later. For more information, see the "Buddy Sticky Groups" section.


Replicate On HA Peer

Check box to indicate that the virtual server is to replicate sticky table entries on the backup server farm. If a failover occurs and this option is selected, the new active server farm can maintain the existing sticky connections.

Uncheck the check box to indicate that the virtual server is not to replicate sticky table entries on the backup server farm.

Timeout (Minutes)

Number of minutes that the virtual server keeps the sticky information for a client connection in the sticky table after the latest client connection terminates. Valid entries are from 1 to 65535; the default is 1440 minutes (24 hours).

Timeout Active Connections

Check box to specify that the virtual server is to time out sticky table entries even if active connections exist after the sticky timer expires.

Uncheck the check box to specify that the virtual server is not to time out sticky table entries even if active connections exist after the sticky timer expires. This behavior is the default.


Step 11 (Optional) If you are using the ACE appliance (all versions) or ACE module version A4(1.0) and later, in the Compression Method field, choose the HTTP compression method to indicate how the ACE appliance is to compress packets when a client request indicates that the client browser is capable of packet compression.

By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses.


Note By default, the ACE appliance supports HTTP compression at rates of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for information on ACE licensing options.


Options are as follows:

Gzip—Specifies the gzip compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Gzip is the file format for compression described in RFC1952.

Deflate—Specifies the deflate compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Deflate is the data format for compression described in RFC1951.

N/A—HTTP compression is disabled.

When configuring HTTP compression, we recommend that you exclude the following MIME types from HTTP compression: ".*gif", ".*css", ".*js", ".*class", ".*jar", ".*cab", ".*txt", ".*ps", ".*vbs", ".*xsl", ".*xml", ".*pdf", ".*swf", ".*jpg", ".*jpeg", ".*jpe", or ".*png".

When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:

Mime type—All text formats (text/*).

Minimum size—512 bytes.

User agent—None.

Step 12 In the SSL Initiation field, choose an existing service or choose *New* to create a new service, and do one of the following:

If you chose an existing SSL service, you can view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you chose *New*, configure the service using the information in Table 7-5. For more information about SSL, see the "Configuring SSL" section.


Note The SSL Initiation field appears only in the Advanced View, and when TCP is the selected protocol and Other, HTTP, or HTTPS is the application protocol.



Note The SSL initiation option does not apply to the ACE NPE software version (see the "Information About the ACE No Payload Encryption Software Version" section).


Step 13 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the header_name=header_value format where:

header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name provided that it does not exceed the maximum length limit.

header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 14-35 lists the supported characters that you can use in regular expressions.

For example, you might enter Host=www.cisco.com.

Step 14 Do one of the following:

Click OK to save your entries and to return to the Rule Match table.

Click Cancel to exit this procedure without saving your entries and to return to the Rule Match table.

Step 15 If you are adding Rule Match entries for a new virtual server and you want to modify the sequence of rules in the L7 Load Balancing section of the Virtual Server configuration page, click Up or Down to change the order of the entries in the Rule Match table.


Note The Up and Down buttons are not available for an existing virtual server, only for a new virtual server. To reorder the entries in the Rule Match table for an existing virtual server, go to Config > Expert > Policy Maps and choose the Layer 7 load balancing policy map, delete the rule entry that you want to reorder, and then add it again by using the Insert Before option to put it in the correct order. See the "Configuring Rules and Actions for Policy Maps" section for details.


Step 16 Do one of the following:

Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Click Cancel to exit this procedure without saving your entries.

Click Deploy Later to save your entries and apply them at a later time.


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Default Layer 7 Load Balancing

You can configure default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions.

Assumption

Make sure that a virtual server has been configured in the Properties configuration subset. For more information, see the "Configuring Virtual Server Properties" section. See the "Configuring Virtual Servers" section for information on configuring a virtual server.

Procedure


Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for default Layer 7 load balancing, and click Edit.

The Virtual Server configuration window appears.

Step 3 In the Virtual Server configuration window, click Default L7 Load-Balancing Action.

The Default L7 Load-Balancing Action configuration pane appears.

Step 4 In the Primary Action field of the Default L7 Load-Balancing Action configuration pane, choose the default action that the virtual server is to take in response to client requests for content when specified match conditions are not met:

Drop—Client requests that do not meet specified match conditions are to be discarded. Continue with Step 9.

Forward—Client requests that do not meet specified match conditions are to be forwarded without performing load balancing on the requests. Continue with Step 9.

Load Balance—Client requests for content are to be directed to a server farm. Continue with Step 6.

Sticky—Client requests for content are to be handled by a sticky group when match conditions are met. Continue with Step 7.

Step 5 (Optional) From the HTTP Header Modify Action List drop-down list, choose an existing Action List or choose New to display the Action List configuration table and create a new one. For more information, see the "Configuring an HTTP Header Modify Action List" section.

Step 6 (Optional) If you chose Load Balance as the primary action, do the following:

a. In the Server Farm field, choose the primary server farm to use for load balancing, or choose *New* to configure a new server farm (see Table 7-13).


Note To display statistics and status information for an existing server farm, choose a server farm in the list, and then click Details. ANM accesses the show serverfarm name detail CLI command to display detailed server farm information. See the "Displaying Server Farm Statistics and Status Information" section.


b. In the Backup Server Farm field, choose the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or choose *New* to configure a new backup server farm (see Table 7-13).


Note If you chose an existing object in either field, you can view, modify, or duplicate the selected object's existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects in virtual servers.


Step 7 (Optional) If you chose Sticky as the primary action, in the Sticky Group field, choose an existing sticky group or click *New* to add a new sticky group (see Table 7-15).


Note If you chose an existing sticky group, you can view, modify, or duplicate the selected object's existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects in virtual servers.


Step 8 (Optional) If you are using the ACE appliance (all versions) or ACE module version A4(1.0) and later, in the Compression Method field, choose the HTTP compression method to indicate how the ACE appliance is to compress packets when a client request indicates that the client browser is capable of packet compression.

By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses.


Note By default, the ACE appliance supports HTTP compression at rates of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for information on ACE licensing options.


Options are as follows:

Deflate—Specifies the deflate compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Deflate is the data format for compression described in RFC 1951.

Gzip—Specifies the gzip compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Gzip is the file format for compression described in RFC 1952.

N/A—HTTP compression is disabled.


Note If you enable the Gzip or Deflate compression format, ANM automatically inserts a L7 Load Balance Primary Action to exclude the MIME types listed above. However, if you disable HTTP compression later on, you will need to remove the auto-inserted Load Balance Primary Action.


When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:

Mime type—All text formats (text/*).

Minimum size—512 bytes.

User agent—None.

Step 9 In the SSL Initiation field, choose an existing service or choose *New* to create a new service.

SSL initiation allows the virtual server to act as an SSL proxy client to initiate and maintain an SSL connection between itself and an SSL server. In this particular application, the ACE receives clear text from an HTTP client, and encrypts and transmits the data as ciphertext to the SSL server. On the reverse side, the ACE decrypts the ciphertext that it receives from the SSL server and sends the data to the client as clear text.

If you chose an existing SSL service, you can view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you chose *New*, configure the service using the information in Table 7-5. For more information about SSL, see the "Configuring SSL" section.


Note The SSL Initiation field appears only in the Advanced View, and when TCP is the selected protocol and Other, HTTP, or HTTPS is the application protocol.



Note SSL initiation option does not apply to the ACE NPE software version (see the "Information About the ACE No Payload Encryption Software Version" section).


Step 10 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the header_name=header_value format where:

header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name, provided that it does not exceed the maximum length limit.

header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 14-35 lists the supported characters that you can use in regular expressions.

For example, you might enter Host=www.cisco.com.

Step 11 Do one of the following:

Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.

Click Deploy Later to save your entries and apply the configuration at a later time.


Related Topics

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Application Acceleration and Optimization


Note This option is available only for ACE appliances and only in the Advanced View.


You can configure acceleration and optimization on virtual servers that are configured on ACE appliances. The ACE appliance includes configuration options that allow you to accelerate enterprise applications, resulting in increased employee productivity, enhanced customer retention, and increased online revenues. The application acceleration functions of the ACE appliance apply several optimization technologies to accelerate Web application performance. This application acceleration functionality enables enterprises to optimize network performance and improve access to critical business information. It also accelerates the performance of Web applications, including customer relationship management (CRM), portals, and online collaboration by up to 10 times.

See the "Configuring Application Acceleration and Optimization" section or the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for more information about application acceleration and optimization.

Assumption

Make sure that a virtual server has been configured on an ACE appliance with HTTP or HTTPS as the application protocol. See the "Configuring Virtual Servers" section for information about configuring a virtual server.

Procedure


Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for optimization, and click Edit.

The Virtual Server configuration window appears.

Step 3 In the Virtual Server configuration window, click Application Acceleration And Optimization.

The Application Acceleration And Optimization configuration pane appears.

Step 4 In the Configuration field of the Application Acceleration And Optimization configuration pane, choose the method that you want to use to configure application acceleration and optimization:

EZ—Use standard acceleration and optimization options. Continue with Step 5.

Custom—Associate specific match criteria, actions, and parameter maps for application acceleration and optimization for the virtual server. If you choose this option, continue with Step 6 through Step 14.

Step 5 (Optional) If you chose EZ, the Latency Optimization (FlashForward) and Bandwidth Optimization (Delta) fields appear.

Do the following:

a. Check the Latency Optimization (FlashForward) check box to specify that the ACE appliance is to use bandwidth reduction and download acceleration techniques to objects embedded within HTML pages. Uncheck the check box to specify that the ACE appliance is not to employ these techniques to objects embedded within HTML pages. Latency optimization corresponds to FlashForward functionality. For more information about FlashForward functionality, see the "Optimization Overview" section.

b. Check the Bandwidth Optimization (Delta) check box to specify that the ACE appliance is to dynamically update client browser caches with content differences, or deltas. Uncheck the check box to specify that the ACE appliance is not to dynamically update client browser caches. Bandwidth optimization corresponds to action list Delta optimization. For more information about configuring Delta optimization, see the "Optimization Overview" section and the "Configuring an HTTP Optimization Action List" section.

c. Continue with Step 14.

Step 6 (Optional) If you chose Custom, the Actions configuration pane appears with a table listing match criteria and actions.

Click Add to add an entry to this table or choose an existing entry, and click Edit to modify it. The configuration pane refreshes with the available configuration options.

Step 7 In the Apply Building Block field, choose one of these configuration building blocks for the type of optimization that you want to configure, or leave the field blank to configure optimization without a building block:

Bandwidth Optimization—Maximizes bandwidth for Web-based traffic.

Latency Optimization for Embedded Objects—Reduces the latency associated with embedded objects in Web-based traffic.

Latency Optimization for Embedded Images—Reduces the latency associated with embedded images in Web-based traffic.

Latency Optimization for Containers—Reduces the latency associated with Web containers.

If you chose one of the building blocks, the Rule Match configuration subset displays the configuration options with selections based on the building block chosen. You can accept the entries as they are or modify them.

If you do not choose a building block, additional configuration options appear depending on the features you enable.

Step 8 In the Rule Match field, choose an existing class map or click *New* to specify new match criteria, and do one of the following:

If you chose an existing class map, you can view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you click *New*, the window refreshes so that you can enter new match criteria.

Step 9 Configure match criteria using the information in Table 7-16.

Table 7-16 Optimization Match Criteria Configuration 

Field
Description/Action

Name

Unique name for this match criteria rule.

Match

Method to be used to evaluate multiple match statements when multiple match conditions exist:

match-any—A match exists if at least one of the match conditions is satisfied.

match-all—A match exists only if all match conditions are satisfied.

Conditions

Field that allows you to add a new set of conditions or choose an existing entry. Click Add to add a new set of conditions, or choose an existing entry and click Edit to modify it:

a. In the Type field, choose the match condition to be used, then configure any condition-specific options using the information in Table 7-12.

b. Click OK to save your entries, or Cancel to exit this procedure without saving your entries.


Step 10 In the Actions field, choose an existing action list to use for optimization or click *New* to create a new action list, and do one of the following:

If you chose an existing action list, you can view, modify, or duplicate the existing configuration. See the "Shared Objects and Virtual Servers" section for more information about modifying shared objects.

If you click *New*, the window refreshes so you can configure an action list.

Step 11 Configure the action list using the information in Table 7-17.

Table 7-17 Optimization Action List Configuration Options 

Field
Description

Action List Name

Unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.

Enable Delta

Check box that enables delta optimization for the specified URLs. Delta optimization dynamically updates client browser caches directly with content differences, or deltas, resulting in faster page downloads.

Uncheck the check box to disable this feature.

If you are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 7-18.

Enable AppScope

Check box that enables AppScope performance monitoring for use with the ACE appliance. AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station and measures end-to-end application performance.

Uncheck the check box to disable this feature.

If you are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 7-18.

Flash Forward

Feature that reduces bandwidth usage and accelerates embedded object downloading by combining local object storage with dynamic renaming of embedded objects, which enforces object freshness within the parent HTML page.

Choose how the ACE appliance is to implement FlashForward:

N/A—This feature is not enabled.

Flash Forward—FlashForward is to be enabled for the specified URLs and embedded objects are to be transformed.

Flash Forward Object—FlashForward static caching is to be enabled for the objects that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and GIF files.

If you are configuring without a building block and chose either Flash Forward or Flash Forward Object, an additional option appears. Configure this option using the information in Table 7-18.

Cache Dynamic

Check box that enables Adaptive Dynamic Caching for the specified URLs even if the expiration settings in the response indicate that the content is dynamic. The expiration of cache objects is controlled by the cache expiration settings based on time or server load.

Uncheck the check box to disable this feature.

Cache Forward

Field that specifies how the ACE appliance is to implement cache forwarding:

N/A—This feature is not enabled.

With Wait—Cache forwarding is enabled with the wait option for the specified URLs. If the object has expired but the maximum cache TTL time period has not yet expired, the ACE appliance sends a request to the origin server for the object. Users requesting this page continue to receive content from the cache during this time but must wait for the object to be updated before their request is satisfied. When the fresh object is returned, it is sent to the requesting user and the cache is updated.

Without Wait—Cache forwarding is enabled without the wait option.

Dynamic Entity Tag

Check box that specifies that the ACE appliance is to implement just-in-time object acceleration for embedded objects not able to be cached. This feature enables the acceleration of embedded objects not able to be cached, which results in improved application response time. When enabled, this feature eliminates the need for users to download objects not able to be cached on each request.

Uncheck the check box to disable this feature.


Step 12 (Optional) If you are configuring optimization without a building block, additional options appear when you enable specific features.

Configure the additional options using the information in Table 7-18.

Table 7-18 Application Acceleration and Optimization Additional Configuration Options 

Field
Description

Response Codes To Ignore (Comma Separated)

Comma-separated list of HTTP response codes for which the response body must not be read. For example, an entry of 302 indicates that the ACE is to ignore the response body of a 302 (redirect) response from the origin server. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.

Set Browse Freshness Period

Method that the ACE is to use to determine the freshness of objects in the client's browser:

N/A—This option is not configured.

Disable Browser Object Freshness Control—Browser freshness control is not to be used.

Set Freshness Similar To Flash Forward Objects—The ACE is to set freshness similar to that used for FlashForwarded objects, and to use the values specified in the Maximum Time for Cache Time-To-Live and Minimum Time For Cache Time-To-Live fields.

Duration For Browser Freshness (Seconds)

Field that appears if the Set Browser Freshness Period option is not configured.

Enter the number of seconds that objects in the client's browser are considered fresh. Valid entries are 0 to 2147483647 seconds.

Enable Delta Options

Max. For Post Data To Scan For Logging (kBytes)

Maximum number of kilobytes of POST data the ACE is to scan for parameters for the purpose of logging transaction parameters in the statistics log.

Valid entries are 0 to 1000 KB.

Base File Anonymous Level

Feature that enables the ACE to create and deliver condensed base files that contain only information that is common to a large set of users. No information unique to a particular user, or across a very small subset of users, is included in anonymous base files.

Information that is common to a large set of users is generally not confidential or user-specific. Conversely, information that is unique to a specific user or a small set of users is generally confidential or user-specific.

Enter the value for base file anonymity for the all-user condensation method. Valid entries are from 0 to 50; the default value of 0 disables the base file anonymity feature.

Cache-Key Modifier Expression

Unique identifier that is used to identify a cached object to be served to a client, replacing a trip to the origin server. The cache key modifier feature allows you to modify the canonical form of a URL; that is, the portion before "?" in a URL. For example, the canonical URL of http://www.xyz.com/somepage.asp?action=browse&level=2 is http://www.xyz.com/somepage.asp.

Enter a regular expression containing embedded variables as described in Table 7-19. The ACE transforms URLs specified in class maps for this virtual server with the expression and variable entered here.

Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotation marks (").

Min. Time For Cache Time-To-Live (Seconds)

Minimum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE cache. This value specifies the minimum time that content can be cached. If the ACE is configured for FlashForward optimization, this value should normally be 0. If the ACE is configured for dynamic caching, this value should indicate how long the ACE should cache the page. (See Table 7-17 for information about these configuration options.)

Valid entries are 0 to 2147483647 seconds.

Max. Time For Cache Time-To-Live (Seconds)

Maximum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE cache. Valid entries are 0 to 2147483647 seconds.

Cache Time-To-Live Duration (%)

Percent of an object's age at which an embedded object without an explicit expiration time is considered fresh.

Valid entries are 0 to 100 percent.

Expression To Modify Cache Key Query Parameter

Feature that allows you to modify the query parameter of a URL; that is, the portion after "?" in a URL. For example, the query parameter portion of http://www.xyz.com/somepage.asp?action=browse&level=2 is action=browse&level=2.

Enter a regular expression containing embedded variables as described in Table 7-19. The ACE transforms URLs specified in class maps for this virtual server with the expression and variable entered here. If no string is specified, the query parameter portion of the URL is used as the default value for this portion of the cache key.

Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters.

Canonical URL Expressions

Feature that eliminates the "?" and any characters that follow it in order to identify the general part of the URL. This general URL is then used to create the base file. In this way, the ACE maps multiple URLs to a single canonical URL.

Enter a comma-separated list of parameter expander functions as defined in Table 7-19 to identify the URLs to associate with this parameter map.

Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters.

Enable Cacheable Content Optimization

Check box that enables delta optimization of content that can be cached. This feature allows the ACE to detect content that can be cached and perform delta optimization on it.

Uncheck the check box to disable this feature.

Enable Delta Optimization On First Visit To Web Page

Check box that enables condensation on the first visit to a Web page. Uncheck the check box to disable this feature.

Min. Page Size For Delta Optimization (Bytes)

Minimum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes.

Max. Page Size For Delta Optimization (Bytes)

Maximum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes.

Set Default Client Script

Scripting language that the ACE is to recognize on condensed content pages:

N/A—Indicates that this option is not configured.

Javascript—Indicates that the default scripting language is JavaScript.

Visual Basic Script—Indicates that the default scripting language is Visual Basic.

Exclude Iframes From Delta Optimization

Check box to specify that delta optimization is not to be applied to IFrames (inline frames). Uncheck the check box to indicate that delta optimization is to be applied to IFrames.

Exclude Non-ASCII Data From Delta Optimization

Check box to specify that delta optimization is not to be applied to non-ASCII data. Uncheck the check box to indicate that delta optimization is to be applied to non-ASCII data.

Exclude JavaScripts From Delta Optimization

Check box to specify that delta optimization is not to be applied to JavaScript. Uncheck the check box to indicate that delta optimization is to be applied to JavaScript.

MIME Types To Exclude From Delta Optimization

a. In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail Extension) type messages that are not to have delta optimization applied, such as image/Jpeg, text/html, application/msword, or audio/mpeg. See the "Supported MIME Types" section for a list of supported MIME types.

b. Click Add to add the entry to the list box on the right. You can position the entries in the list box by using the Up and Down buttons.

Remove HTML META Elements From Documents

Check box to specify that HTML META elements are to be removed from documents to prevent them from being condensed. Uncheck the check box to indicate that HTML META elements are not to be removed from documents.

Rebase Delta Optimization Threshold (%)

Delta threshold, expressed as a percent, when rebasing is to be triggered. This entry represents the size of a page delta relative to total page size, expressed as a percent. This entry triggers rebasing when the delta response size exceeds the threshold as a percentage of base file size.

Valid entries are 0 to 10000 percent.

Rebase Flash Forward Threshold (%)

Threshold, expressed as a percent, when rebasing is to be triggered based on the percent of FlashForwarded URLs in the response. This entry triggers rebasing when the difference between the percentages of FlashForwarded URLs in the delta response and the base file exceeds the threshold.

Valid entries are 0 to 10000 percent.

Rebase History Size (Pages)

Number of pages to be stored before the ACE resets all rebase control parameters to zero and starts over. This option prevents the base file from becoming too rigid.

Valid entries are 10 to 2147483647.

Rebase Modify Cool-Off Period (Seconds)

Number of seconds after the last modification before performing a rebase.

Valid entries are 1 to 14400 seconds (4 hours).

Rebase Reset Period (Seconds)

Period of time, in seconds, for performing a meta data refresh.

Valid entries are 1 to 900 seconds (15 minutes).

UTF-8 Character Set Threshold

Number of 8-bit Unicode Transformation Format (UTF-8) characters that need to appear on a page to create a UTF-8 character set page. The UTF-8 character set is an international standard that allows Web pages to display non-ASCII or non-English multibyte characters. It can represent any universal character in the Unicode standard and is backwards compatible with ASCII.

Valid entries are from 1 to 1,000,000.

Server Load Threshold Trigger (%)

Threshold, expressed as a percent, at which the TTL for cached objects is to be changed. The server load threshold trigger indicates that the time-to-live (TTL) period for cached objects is to be based dynamically on server load. With this method, TTL periods increase if the current response time from the origin server is greater than the average response time and decrease if the current response time from the origin server is less than the average response time, when the difference in response times exceeds a specified threshold amount.

Valid entries are from 0 to 100 percent.

Server Load Time-To-Live Change (%)

Percentage by which the cache TTL is to be increased or decreased when the server load threshold trigger is met. This option specifies the percentage by which the cache TTL is increased or decreased in response to a change in server load. For example, if this value is set to 20 and the current TTL for a response is 300 seconds, and if the current server response time exceeds the trigger threshold, the cache TTL for the response is raised to 360 seconds.

Valid entries are from 0 to 100 percent.

Delta Optimization Mode

Method by which delta optimization is to be implemented:

N/A—Indicates that a delta optimization mode is not configured.

Enable The All-User Mode For Delta Optimization—Indicates that the ACE is to generate the delta against a single base file that is shared by all users of the URL. This option is usable in most cases if the structure of a page is common across all users, and the disk space overhead is minimal.

Enable The Per-User Mode For Delta Optimization—Indicates that the ACE is to generate the delta against a base file that is created specifically for that user. This option is useful when page contents, including layout elements, are different for each user, and delivers the highest level of condensation. However, this increases disk space requirements because a copy of the base page that is delivered to each user is cached. This option is useful when privacy is required because base pages are not shared among users.

Enable Appscope Options

Appscope Optimize Rate (%)

Percentage of all requests or sessions to be sampled for performance with acceleration (or optimization) applied. All applicable optimizations for the class will be performed. Valid entries are from 0 to 100 percent, with a default of 10 percent. The sum of this value and the value entered in the Passthrough Rate Percent field must not exceed 100.

Appscope Passthrough Rate (%)

Percentage of all requests or sessions to be sampled for performance without optimization. No optimizations for the class will be performed. Valid entries are from 0 to 100, with a default of 10 percent. The sum of this value and the value entered in the Optimize Rate Percent field must not exceed 100.

Max Number For Parameter Summary Log (Bytes)

Maximum number of bytes that are to be logged for each parameter value in the parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this limit, it is truncated at the specified limit. Valid entries are 0 to 10,000 bytes.

Specify String For Grouping Requests

String that the ACE is to use to sort requests for AppScope reporting. The string can contain a URL regular expression that defines a set of URLs in which URLs that differ only by their query parameters are to be treated as separate URLs in AppScope reports.

For example, to define a string that is used to identify the URLs http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two separate reporting categories, you would enter http_query_param(region).

Valid entries contain 1 to 255 characters and can contain the parameter expander functions listed in Table 7-19.


Table 7-19 lists the parameter expander functions that you can use.

Table 7-19 Parameter Expander Functions 

Variable
Description

$(number)

Expands to the corresponding matching subexpression (by number) in the URL pattern. Subexpressions are marked in a URL pattern using parentheses (). The numbering of the subexpressions begins with 1 and is the number of the left-parenthesis "(" counting from the left. You can specify any positive integer for the number. $(0) matches the entire URL. For example, if the URL pattern is ((http://server/.*)/(.*)/)a.jsp, and the URL that matches it is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct:

$(0) = http://server/main/sub/a.jsp

$(1) = http://server/main/sub/

$(2) = http://server/main

$(3) = sub

If the specified subexpression does not exist in the URL pattern, then the variable expands to the empty string.

$http_query_string()

Expands to the value of the whole query string in the URL. For example, if the URL is http://myhost/dothis?param1=value1&param2=value2, then the following is correct:

$http_query_string() = param1=value1&param2=value2

This function applies to both GET and POST requests.

$http_query_param(query-param-name)


The obsolete syntax is also supported:

$param(query-param-name)

Expands to the value of the named query parameter (case-sensitive).

For example, if the URL is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct:

$http_query_param(category) = shoes

$http_query_param(session) = 99999

If the specified parameter does not exist in the query, then the variable expands to the empty string. This function applies to both GET and POST requests.

$http_cookie(cookie-name)

Evaluates to the value of the named cookie. For example, $http_cookie(cookiexyz). The cookie name is case-sensitive.

$http_header(request-header-name)

Evaluates to the value of the specified HTTP request header. In the case of multivalued headers, it is the single representation as specified in the HTTP specification. For example, $http_header(user-agent). The HTTP header name is not case-sensitive.

$http_method()

Evaluates to the HTTP method used for the request, such as GET or POST.

Boolean Functions:

$http_query_param_present(query-param-name)

$http_query_param_notpresent(query-param-name)

$http_cookie_present(cookie-name)

$http_cookie_notpresent(cookie-name)

$http_header_present(request-header-name)

$http_header_notpresent(request-header-name)

$http_method_present(method-name)

$http_method_notpresent(method-name)

Evaluates to a Boolean value: True or False, depending on the presence or absence of the element in the request. The elements are a specific query parameter (query-param-name), a specific cookie (cookie-name), a specific request header (request-header-name), or a specific HTTP method (method-name). All identifiers are case-sensitive except for the HTTP request header name.

$regex_match(param1, param2)

Evaluates to a Boolean value: True if the two parameters match and False if they do not match. The two parameters can be any two expressions, including regular expressions, that evaluate to two strings. For example, this function:

$regex_match($http_query_param(URL), .*Store\.asp.*)

compares the query URL with the regular expression string .*Store\.asp.*

If the URL matches this regular expression, this function evaluates to True.
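The parameter expander functions of Table 7-19, as used by the cache-key, canonical-URL and AppScope grouping expressions of Table 7-18, shown as an added Python evaluator that is not Cisco code and not the ACE implementation. The Request class is a constructed stand-in for the inspected HTTP request, and whole-string matching for $regex_match is an assumption; the sample URL and pattern are the ones from Table 7-19.

```python
"""Evaluator for the ACE parameter expander functions of Table 7-19.

Illustration only: not Cisco code, and the ACE's own matching rules may differ.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Constructed stand-in for the HTTP request the ACE would inspect."""
    url: str
    method: str = "GET"
    headers: dict = field(default_factory=dict)   # header names are case-insensitive
    cookies: dict = field(default_factory=dict)   # cookie names are case-sensitive


def canonical_url(url: str) -> str:
    """Portion of the URL before '?', as the Canonical URL feature uses it."""
    return url.split("?", 1)[0]


def query_params(url: str) -> dict:
    """Query parameters as name -> first value; names are case-sensitive."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _header(req: Request, name: str) -> Optional[str]:
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


# One call at a time, innermost first: an argument list may not contain parentheses,
# so a nested call such as $regex_match($http_query_param(URL), ...) resolves inside out.
_CALL = re.compile(r"\$(\w*)\(([^()]*)\)")


def _evaluate(name: str, args: str, req: Request, groups: tuple) -> str:
    qp = query_params(req.url)
    if name == "":                                   # $(number)
        n = int(args)
        return (groups[n] or "") if n < len(groups) else ""  # missing subexpression -> ""
    if name == "http_query_string":
        return urlsplit(req.url).query
    if name in ("http_query_param", "param"):        # $param() is the obsolete form
        return qp.get(args, "")
    if name == "http_cookie":
        return req.cookies.get(args, "")
    if name == "http_header":
        return _header(req, args) or ""
    if name == "http_method":
        return req.method
    if name == "regex_match":
        value, pattern = (a.strip() for a in args.split(",", 1))
        # Assumption: the expression must match the whole string, as the .*...* form suggests.
        return str(re.fullmatch(pattern, value) is not None)
    # Boolean presence tests: $http_<kind>_present / $http_<kind>_notpresent
    m = re.fullmatch(r"http_(query_param|cookie|header|method)_(present|notpresent)", name)
    if m:
        kind, want = m.groups()
        present = {
            "query_param": args in qp,
            "cookie": args in req.cookies,
            "header": _header(req, args) is not None,
            "method": req.method == args,
        }[kind]
        return str(present if want == "present" else not present)
    raise ValueError(f"unknown expander function ${name}()")


def expand(expr: str, req: Request, url_pattern: str = "") -> str:
    """Expand every $...(...) function in expr against req.

    url_pattern is the class-map URL pattern whose parenthesised subexpressions feed
    $(number); it is matched against the canonical URL, so $(0) is the whole match.
    """
    groups: tuple = ()
    if url_pattern:
        m = re.match(url_pattern, canonical_url(req.url))
        if m:
            groups = (m.group(0),) + m.groups()
    while True:  # substitute until no call remains
        new = _CALL.sub(lambda m: _evaluate(m.group(1), m.group(2), req, groups), expr)
        if new == expr:
            return new
        expr = new


if __name__ == "__main__":
    # Sample request and URL pattern taken from Table 7-19; header and cookie values constructed.
    req = Request("http://server/main/sub/a.jsp?category=shoes&session=99999",
                  headers={"User-Agent": "Mozilla/5.0"}, cookies={"cookiexyz": "abc"})
    pattern = r"((http://server/.*)/(.*)/)a.jsp"
    for e in ("$(0)", "$(1)", "$(2)", "$(3)", "$http_query_param(category)",
              "$http_cookie_present(cookiexyz)", "$http_header(user-agent)"):
        print(f"{e} = {expand(e, req, pattern)}")
```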


Step 13 When you finish configuring match criteria and actions, do one of the following:

Click OK to save your entries and to return to the Rule Match and Actions table.

Click Cancel to exit this procedure without saving your entries and to return to the Rule Match and Actions table.

Step 14 When you finish configuring virtual server properties, do one of the following:

Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The ACE appliance validates the action list configuration and deploys it.

Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.

Click Deploy Later to save your entries and apply the configuration at a later time.


Related Topics

Optimization Traffic Policies and Typical Configuration Flow

Configuring Traffic Policies for HTTP Optimization

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Virtual Server NAT

You can configure Network Address Translation (NAT) for virtual servers.

Assumptions

This topic assumes the following:

Make sure that a virtual server has been configured in the Properties configuration subset. For more information, see the "Configuring Virtual Server Properties" section.

Make sure that a VLAN has been configured. See the "Configuring Virtual Context VLAN Interfaces" section for information on configuring a VLAN interface.

Make sure that at least one NAT pool has been configured on a VLAN interface. See the "Configuring VLAN Interface NAT Pools and Displaying NAT Utilization" section for information on configuring a NAT pool.

Procedure


Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 In the Virtual Servers table, choose the virtual server you want to configure for NAT, and click Edit.

The Virtual Server configuration window appears.

Step 3 In the Virtual Server configuration window, click NAT.

The NAT table appears.

Step 4 In the NAT table, click Add to add an entry, or choose an existing entry and click Edit to modify it.

Step 5 In the VLAN drop-down list, choose the VLAN that you want to use for NAT.

VLANs that have previously been defined for NAT do not appear in this list. VLAN numbers provide an indication of available NAT pools.

Step 6 In the NAT Pool ID drop-down list, choose the NAT pool that you want to associate with the selected VLAN.

Note the following about the NAT pool ID selections:

NAT Pool IDs (Begin IP - End IP: Netmask: PAT) appear in a format that provides the details of the beginning and ending IP address range, netmask, and the PAT enabled or disabled setting. For example:

2 (10.77.241.2 - 10.77.241.15: 255.255.255.192: PAT Enabled)

If the NAT pool had previously been associated but is no longer defined, then it appears as "<NAT_POOL_ID> (Warning: Undefined NAT Pool)". For example:

2 (Warning: Undefined NAT Pool)

For more information about NAT pools, see the "Configuring VLAN Interface NAT Pools and Displaying NAT Utilization" section.

Step 7 Do one of the following:

Click OK to save your entries and to return to the NAT table. The NAT table refreshes with the new entry.

Click Cancel to exit the procedure without saving your entries and to return to the NAT table.

Step 8 When you finish configuring virtual server properties, do one of the following:

Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.

Click Deploy Later to save your entries and apply the configuration at a later time.


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Displaying Virtual Servers by Context

You can display all virtual servers associated with a virtual context.

Procedure


Step 1 Choose Config > Devices.

The device tree appears.

Step 2 In the device tree, choose the context associated with the virtual servers that you want to display, and choose Load Balancing > Virtual Servers.

Table 7-20 describes the information that displays.

Table 7-20 Virtual Servers Window

Field
Description

Name

Virtual server name.

Configured State

Current configured state, such as In Service or Out Of Service.

Operational State

Current operating state (if known), such as In Service or Out Of Service.

Last Polled

Date and time that ANM last polled the virtual server for backup statistics.

VIP Address

Virtual server IP address.

Port

Port that the virtual server uses for TCP or UDP.

VLANs

Associated VLANs.

Server Farms

Associated server farms.

Owner

Owner and context in which the virtual server was created.



Related Topics

Configuring Virtual Servers

Managing Virtual Servers

Displaying Detailed Virtual Server Information

Displaying Virtual Servers

Displaying Virtual Server Statistics and Status Information

You can display virtual server statistics and status information for a particular virtual server by using the Details button.

Procedure


Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 From the Virtual Servers table, choose a virtual server and click Details.

A popup window appears that displays the show service-policy policy_name class-map class_name detail CLI command output. For details about the displayed fields, see either the Cisco ACE Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide.


Note This feature requires ACE module software Version A2(1.2), ACE appliance software Version A3(2.1), or later versions of either software. An error displays with earlier software versions.


Step 3 Click Update Details to refresh the window information.

Step 4 Click Close to return to the Virtual Servers table.


Related Topics

Configuring Virtual Servers

Managing Virtual Servers

Displaying Detailed Virtual Server Information

Displaying Virtual Servers

Managing Virtual Servers

This section shows how to display and manage the virtual servers from the Virtual Servers window (Config > Operations > Virtual Servers). This window provides you with information about each virtual server configured on ANM (see the "Displaying Virtual Servers" section) and provides access to function buttons that allow you to perform tasks such as activate or suspend a virtual server, display a virtual server topology map, or display connection statistics graphs.


Note ANM may not display the latest virtual servers information if the periodic polling is disabled. To enable periodic polling, see the "Enabling Polling on All Devices" section.


This section also shows how to display and manage GSS VIP answers (Config > Operations > GSS VIP Answers) and GSS DNS rules (Config > Operations > GSS DNS Rules).

Guidelines and Restrictions

The Virtual Servers, GSS VIP Answers, and GSS DNS Rules Operations windows contain a Rows per page option that includes an All setting for displaying all related configured items in one window. Use the All setting for viewing purposes only. ANM does not allow you to perform any operation from an Operations window if you have more than 200 items selected. For example, if you use the All option to display and select more than 200 virtual servers and then attempt to perform the suspend operation, ANM cancels the request and displays an error message.

This section includes the following topics:

Managing Virtual Server Groups

Activating Virtual Servers

Suspending Virtual Servers

Managing GSS VIP Answers

Activating and Suspending DNS Rules Governing GSS Load Balancing

Managing GSS VIP Answer and DNS Rule Groups

Displaying Detailed Virtual Server Information

Displaying Virtual Servers

Using the Virtual Server Connection Statistics Graph

Using the Virtual Server Topology Map

Understanding CLI Commands Sent from Virtual Server Table

Managing Virtual Server Groups

This section describes how to organize virtual servers into groups, which allows you to display and manage a specific group of virtual servers without having to filter the virtual server display. When creating a group, you specify whether the group is available to just you or is available globally to all ANM users.

The virtual server group feature is available from the virtual servers operations window (Config > Operations > Virtual Servers), which contains the Groups option for managing object groups. Figure 7-1 shows the Groups icon with the following available options for managing object groups:

Create New Group—Adds a new group.

Edit Group—Modifies an existing group. This option displays only after you select a group to display in Group mode.

Exit Group Mode—Changes the display from the group mode display to the display of all virtual servers. This option displays only after you select a group and the display enters the Group mode.

Saved Groups—Lists the currently configured groups along with each group's privilege level (local or global) and owner. From this view, you can choose a group to display or delete a group.

Figure 7-1 Object Grouping for Virtual Servers

Guidelines and Restrictions

Object grouping guidelines and restrictions are as follows:

When you create a global group, other users can see the group if they have access to at least one object within the group. This rule does not apply to the admin user or a user with the anm-admin role because they have visibility to all global groups.

To edit or delete a group, you must be the group owner, a user with the anm-admin role, or the admin user.

When you delete a locally authenticated user from the ANM database, ANM deletes all the global and user-specific groups that the user created. However, when you delete a remotely authorized user from the remote AAA server database, ANM does not delete the groups that the user created. In this case, you must manually delete the user's groups.

This section includes the following topics:

Creating a Virtual Server Group

Editing or Copying a Virtual Server Group

Displaying a Virtual Server Group

Deleting a Virtual Server Group

Creating a Virtual Server Group

You can create a virtual server group.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears.

Step 2 Click the Groups icon located above the Virtual Servers table.

The Groups menu appears below the icon (see Figure 7-1).

Step 3 From the Groups menu, choose Create New Group.

The display enters the edit mode and the Creating a New Group table appears with the list of the available virtual servers.

Step 4 From the Creating a New Group table, check the check box next to the virtual servers that you want to include in the group.

Step 5 (Optional) Check the Hide unselected check box to display only the virtual servers that you have chosen. Uncheck the check box to display all the available virtual servers.

Step 6 Do one of the following:

Click Save as to save the group information. The Create Group popup window appears.

From the popup window, do the following:

a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed.

b. Choose the availability of the group by clicking one of the following radio buttons:

This user only (local)—Only you can view, modify, or delete the group.

All users (global)—All ANM users can view the group if they have permission to view at least one of the virtual servers associated with the group. The admin user or a user with the anm-admin role can view all global groups and can also edit or delete these groups.

c. Do one of the following:

Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group's name and associated virtual servers.

To exit Group mode and return to the Virtual Servers table, click the Groups icon and click Exit Group Mode from the Groups menu.

Click Cancel to close the Create Group popup window without saving any information and return to the Creating a New Group table.

Click Back to View to exit the Group display mode and return to the Virtual Servers table.


Related Topics

Managing Virtual Server Groups

Editing or Copying a Virtual Server Group

Displaying a Virtual Server Group

Deleting a Virtual Server Group

Editing or Copying a Virtual Server Group

You can edit a virtual server group or create a copy of a virtual server group under a different name.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears.

Step 2 Click the Groups icon located above the Virtual Servers table.

The Groups menu appears below the icon (see Figure 7-1).

Step 3 From the Groups menu, choose the group that you want to edit.

The Viewing Group table appears, displaying the selected group's name and associated virtual servers.

Step 4 Click the Groups icon again and from the Groups menu, choose Edit Group.

The Editing Group table appears, displaying the complete list of available virtual servers with the virtual servers currently associated with the group highlighted and checked.

Step 5 Modify the group as needed by adding (check) or removing (uncheck) virtual servers as needed. Skip this step if you only want to save a copy of the current group under a different name.

Step 6 Do one of the following:

Click Save to save the changes and return to the Viewing Group table, where you can view the changes.

Click Save as to save the configuration under a new group name. The Create Group popup window appears.

From the popup window, do the following:

a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed.

b. Choose the availability of the group by clicking one of the following radio buttons:

This user only (local)—Only you can view, modify, or delete the group.

All users (global)—All ANM users can view the group if they have permission to view at least one of the virtual servers associated with the group. The admin user or a user with the anm-admin role can view all global groups and can also edit or delete these groups.

c. Do one of the following:

Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group's name and associated virtual servers.

Click Cancel to close the Create Group popup window without saving any information and to return to the Creating a New Group table.

Click Back to View to exit the edit mode and return to the Group mode.

Step 7 (Optional) To exit Group mode and return to the Virtual Servers table, click the Groups icon and click Exit Group Mode from the Groups menu.


Related Topics

Managing Virtual Server Groups

Creating a Virtual Server Group

Displaying a Virtual Server Group

Deleting a Virtual Server Group

Displaying a Virtual Server Group

You can display the list of virtual servers associated with a virtual server group.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears.

Step 2 Click the Groups icon located above the Virtual Servers table.

The Groups menu appears below the icon (see Figure 7-1).

Step 3 From the Groups menu, choose the group that you want to display.

The Viewing Group table appears, displaying the selected group's name and associated virtual servers.

Step 4 (Optional) To exit Group mode and return to the Virtual Servers table, click the Groups icon and click Exit Group Mode from the Groups menu.


Related Topics

Managing Virtual Server Groups

Creating a Virtual Server Group

Editing or Copying a Virtual Server Group

Deleting a Virtual Server Group

Deleting a Virtual Server Group

You can delete a virtual server group. Deleting a virtual server group does not delete the group's associated virtual servers from the ANM database.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears.

Step 2 Click the Groups icon located above the Virtual Servers table.

The Groups menu appears below the icon (see Figure 7-1).

Step 3 From the Groups menu, click X (delete) next to the group that you want to delete.

The Delete Group confirmation popup window appears.

Step 4 From the Delete Group confirmation popup window, do one of the following:

Click Delete to remove the virtual server group.

Click Cancel to ignore the deletion request.


Related Topics

Managing Virtual Server Groups

Creating a Virtual Server Group

Editing or Copying a Virtual Server Group

Displaying a Virtual Server Group

Activating Virtual Servers

You can activate a virtual server.


Note A missing operation or Admin state on a CSM or CSS device most likely means that the community string was not enabled on those devices. If the community string is not enabled on a CSM or CSS device, and any kind of operation is performed on those devices, it will not succeed, and ANM will not provide any kind of indication.

For CSM devices, you must enable the community string of the Catalyst 6500 series chassis.

For CSS devices, you must enable the community string of the CSS device itself.


Guidelines and Restrictions

ANM does not support CSM DNS virtual servers. If you create this type of virtual server, ANM issues an error message if you attempt to use ANM to activate or suspend it.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears.

Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:

a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1).

b. From the Groups menu, choose the group to display.

Step 3 In the Virtual Servers table, choose the virtual server that you want to activate, and click Activate.

The server is activated and the window refreshes with updated information in the Configured State column.


Related Topics

Managing Virtual Servers

Displaying Virtual Servers

Suspending Virtual Servers

Suspending Virtual Servers

You can suspend a virtual server.


Note A missing operation or Admin state on a CSM or CSS device most likely means that the community string was not enabled on those devices. If the community string is not enabled on a CSM or CSS device, and any kind of operation is performed on those devices, it will not succeed, and ANM will not provide any kind of indication.

For CSM devices, you must enable the community string of the Catalyst 6500 series chassis.

For CSS devices, you must enable the community string of the CSS device itself.


Guidelines and Restrictions

ANM does not support CSM DNS virtual servers. If you create this type of virtual server, ANM issues an error message if you attempt to use ANM to activate or suspend it.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears.

Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:

a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1).

b. From the Groups menu, choose the group to display.

Step 3 In the Virtual Servers table, choose the virtual server that you want to suspend, and click Suspend.

The Suspend Virtual Server window appears.

Step 4 In the Reason field of the Suspend Virtual Server window, enter the reason for this action.

You might enter a trouble ticket, an order ticket, or a user message.


Note Do not enter a password in this field.



Related Topics

Managing Virtual Servers

Displaying Virtual Servers

Activating Virtual Servers

Managing GSS VIP Answers

This section describes how to manage GSS VIP answers. In a GSS network, the term answers refers to resources that respond to content queries. When you create an answer using the primary Global Site Selector Manager (PGSSM), you are simply identifying a resource on your GSS network to which queries can be directed and that can provide your user's D-proxy with the address of a valid host to serve their request.

Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, or a Web server are types of answers that are specified in the ANM user interface in the GSS VIP Answers table found in ANM under Configuration > Operations. Use this procedure to poll, activate, or suspend GSS VIP answers.

Prerequisites

Make sure that you have established GSS VIP answers using the PGSSM.

Procedure


Step 1 Choose Config > Operations > GSS VIP Answers.

The GSS Answers table appears. For a list of fields available, see Table 7-21.

Table 7-21 GSS Answer Table 

Field
Description

Multiple Row Selection Checkbox

Check box that selects all entries at the same time, or you can check line items individually.

IP Address

VIP answer IP address.

Name

VIP answer name.

Config State

VIP answer configured status.

PGSSM Oper State

Operational status as shown on the primary GSS manager (PGSSM).

Answer Group

Answer group names to which the VIP answer belongs.

Location

Logical groupings for GSS resources that correspond to geographical entities such as a city, data center, or content site.

Device

Primary GSS device name on ANM.

PGSSM Time

Last operational status update time on the primary GSS.


Step 2 (Optional) To display only the answers of a specific GSS VIP Answer group, do the following:

a. Click the Groups icon located above the GSS Answers table. The Groups menu appears below the icon (see Figure 7-1).

b. From the Groups menu, choose the group to display.

Step 3 In the GSS Answers table, check the check boxes to the left of the answers that you want to poll, activate, or suspend.

Step 4 Do one of the following:

Click the Active/Suspended hyperlink to view the VIP answer details across the GSS nodes. A popup window appears listing all nodes associated with the VIP and, for each node, its operational state, hit count, and timestamp.

Click Poll Now to query the chosen resource to verify it is still active.


Note If you click Poll Now immediately after you click Activate or Suspend, you might not get the VIP answer operational status on the PGSSM that reflects your most recent configuration. It might be necessary to click Poll Now two or three times in succession to get an accurate result.

The ability of ANM to update the VIP answer operational status and statistics accurately in the detailed GSS statistics window might depend on the polling interval that has been configured on the GSS. The polling interval can be configured directly on the GSS device. (The default is 5 minutes.) Depending on the interval, it can take 5 minutes or more for the ANM server to show an accurate result.


Click Activate to reactivate a GSS answer.

Click Suspend to temporarily stop the GSS from using an associated answer.

If you clicked Activate or Suspend, a dialog box prompts for a Reason. Acceptable text consists of any characters or nothing at all.

Step 5 Do one of the following:

Click Deploy Now to complete Activation or Suspension.

Click Cancel to cancel the Activation or Suspension operation.


Related Topics

Managing GSS VIP Answer and DNS Rule Groups

Information About Load Balancing

Activating and Suspending DNS Rules Governing GSS Load Balancing

Activating and Suspending DNS Rules Governing GSS Load Balancing

You can activate or suspend DNS rules associated with your GSS VIP answers table. The DNS Rules table in the Configuration > Operations navigation tree specifies the actions for the GSS to take when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list).

The DNS rule specifies which response (answer) is given to the requesting user's local DNS host (D-proxy) and how that answer is chosen. One of a variety of balance methods is used to determine the best response to the request, based on the status and load of the GSS host devices.

Prerequisites

Make sure that you have established GSS VIP answers and DNS rules using the PGSSM.

Procedure


Step 1 Choose Config > Operations > DNS Rules.

The DNS Rules table appears. For a list of fields available, see Table 7-22.

Table 7-22 DNS Rules Table 

Field
Description

Multiple Row Selection Checkbox

Check box that selects all entries at the same time, or you can check line items individually.

Name

Name of the DNS rule.

Source Address

Collection of IP addresses or address blocks for known client DNS proxies (or D-proxies).

Domains

Domain list name containing one or more domain names that point to content for which the GSS is acting as the authoritative DNS server and for which you wish to use the GSS technology to balance traffic and user requests.

Config State

DNS rules configured status, either Active or Suspended.

Answer Group

Lists of GSS resources that are candidates to respond to DNS queries received from a user for a hosted domain.

Owner

Owner names, providing a simple way to organize and identify groups of related GSS resources.

Device

Primary GSS device name on ANM.

PGSSM Time

Last operational status update time on the GSS.


Step 2 (Optional) To display only the rules of a specific DNS Rules group, do the following:

a. Click the Groups icon located above the DNS Rules table. The Groups menu appears below the icon (see Figure 7-1).

b. From the Groups menu, choose the group to display.

Step 3 In the DNS Rules table, check the check boxes to the left of the rules that you want to activate or suspend.

Step 4 Click the Activate or Suspend button.

A dialog box prompts for a Reason. Acceptable text consists of any characters or none at all.

Step 5 Do one of the following:

Click Deploy Now to complete Activation or Suspension.

Click Cancel to cancel the Activation or Suspension operation.


Related Topics

Managing GSS VIP Answer and DNS Rule Groups

Information About Load Balancing

Managing GSS VIP Answers

Managing GSS VIP Answer and DNS Rule Groups

This section describes how to organize GSS VIP answers or DNS rules into groups, which allows you to display and manage a specific group of VIP answers or DNS rules without having to filter the display. When creating a group, you specify whether the group is available to just you or is available globally to all ANM users.

The GSS object grouping feature is available from the following operations windows:

Answer VIPs (Config > Operations > GSS VIP Answers)

DNS Rules (Config > Operations > GSS DNS Rules)

These windows contain the Groups option for managing object groups. Figure 7-2 shows the Groups icon with the following available options for managing object groups:

Create New Group—Adds a new group.

Edit Group—Modifies an existing group. This option displays only after you select a group to display in Group mode.

Exit Group Mode—Changes the display from the Group mode display to the display of all VIP answers or DNS rules. This option displays only after you select a group and the display enters the Group mode.

Saved Groups—Lists the currently configured groups with each group's privilege level (local or global) and owner. From this view, you can choose a group to display or delete a group.

Figure 7-2 Object Grouping for GSS VIP Answers and DNS Rules

Guidelines and Restrictions

Object grouping guidelines and restrictions are as follows:

When you create a global group, other users can see the group if they have access to at least one object within the group. This rule does not apply to the admin user or a user with the anm-admin role because they have visibility to all global groups.

To edit or delete a group, you must be the group owner, a user with the anm-admin role, or the admin user.

When you delete a locally authenticated user from the ANM database, ANM deletes all the global and user-specific groups that the user created. However, when you delete a remotely authorized user from the remote AAA server database, ANM does not delete the groups that the user created. In this case, you must manually delete the user's groups.

This section includes the following topics:

Creating a VIP Answer or DNS Rule Group

Editing or Copying a VIP Answer or DNS Rule Group

Displaying a VIP Answer or DNS Rule Group

Deleting a VIP Answer or DNS Rule Group

Creating a VIP Answer or DNS Rule Group

You can create a GSS answer VIP or DNS rule group.

Procedure


Step 1 Choose one of the following depending on the group type that you want to create:

Config > Operations > GSS VIP Answers

Config > Operations > GSS DNS Rules

Depending on your choice, either the Answer VIPs or DNS Rules object table appears.

Step 2 Click the Groups icon located above the objects table.

The Groups menu appears below the icon (see Figure 7-2).

Step 3 From the Groups menu, choose Create New Group.

The display enters the edit mode and the Creating a New Group table appears with the list of the available GSS VIP answer or DNS rule objects.

Step 4 From the Creating a New Group table, check the check box next to the GSS objects that you want to include in the group.

Step 5 (Optional) Check the Hide unselected check box to display only the GSS objects that you have chosen. Uncheck the check box to display all the available GSS objects.

Step 6 Do one of the following:

Click Save as to save the group information. The Create Group popup window appears.

From the popup window, do the following:

a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed.

b. Choose the availability of the group by clicking one of the following radio buttons:

This user only (local)—Only you can view, modify, or delete the group.

All users (global)—All ANM users can view the group if they have permission to view at least one of the GSS objects associated with the group. The admin user or a user with the anm-admin role can view all global groups and can also edit or delete these groups.

c. Do one of the following:

Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group's name and associated objects.

To exit Group mode and return to the objects table, click the Groups icon and click Exit Group Mode from the Groups menu.

Click Cancel to close the Create Group popup window without saving any information and to return to the Creating a New Group table.

Click Back to View to exit the Group display mode and return to the objects table.


Related Topics

Managing GSS VIP Answer and DNS Rule Groups

Editing or Copying a VIP Answer or DNS Rule Group

Displaying a VIP Answer or DNS Rule Group

Deleting a VIP Answer or DNS Rule Group

Managing GSS VIP Answers

Activating and Suspending DNS Rules Governing GSS Load Balancing

Editing or Copying a VIP Answer or DNS Rule Group

You can edit a GSS VIP answer or DNS rule group or create a copy of a group under a different name.

Procedure


Step 1 Choose one of the following depending on the group type that you want to edit or copy:

Config > Operations > GSS VIP Answers

Config > Operations > GSS DNS Rules

Depending on your choice, either the Answer VIPs or DNS Rules object table appears.

Step 2 Click the Groups icon located above the objects table.

The Groups menu appears below the icon (see Figure 7-2).

Step 3 From the Groups menu, choose the group that you want to edit.

The Viewing Group table appears, displaying the selected group's name and associated GSS VIP answer or DNS rule objects.

Step 4 Click the Groups icon again and from the Groups menu, choose Edit Group.

The Editing Group table appears, displaying the complete list of available objects with the objects currently associated with the group highlighted and checked.

Step 5 Modify the group as needed by adding (check) or removing (uncheck) objects. Skip this step if you only want to save a copy of the current group under a different name.

Step 6 Do one of the following:

Click Save to save the changes and return to the Viewing Group table, where you can view the changes.

Click Save as to save the configuration under a new group name. The Create Group popup window appears.

From the popup window, do the following:

a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed.

b. Choose the availability of the group by clicking one of the following radio buttons:

This user only (local)—Only you can view, modify, or delete the group.

All users (global)—All ANM users can view the group if they have permission to view at least one of the real servers associated with the group. The admin user or a user with the anm-admin role can view all global groups and can also edit or delete these groups.

c. Do one of the following:

Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group's name and associated objects.

Click Cancel to close the Create Group popup window without saving any information and to return to the Creating a New Group table.

Click Back to View to exit the edit mode and return to the Group mode.

Step 7 (Optional) To exit Group mode and return to the GSS objects table, click the Groups icon and click Exit Group Mode from the Groups menu.


Related Topics

Managing GSS VIP Answer and DNS Rule Groups

Creating a VIP Answer or DNS Rule Group

Displaying a VIP Answer or DNS Rule Group

Deleting a VIP Answer or DNS Rule Group

Managing GSS VIP Answers

Activating and Suspending DNS Rules Governing GSS Load Balancing

Displaying a VIP Answer or DNS Rule Group

You can display the list of GSS objects associated with a VIP answer or DNS rule group.

Procedure


Step 1 Choose one of the following depending on the group type that you want to display:

Config > Operations > GSS VIP Answers.

Config > Operations > GSS DNS Rules

Depending on your choice, either the Answer VIPs or DNS Rules object table appears.

Step 2 Click the Groups icon located above the objects table.

The Groups menu appears below the icon (see Figure 7-2).

Step 3 From the Groups menu, choose the group that you want to display.

The Viewing Group table appears, displaying the selected group's name and associated objects.

Step 4 (Optional) To exit Group mode and return to the GSS objects table, click the Groups icon and click Exit Group Mode from the Groups menu.


Related Topics

Managing GSS VIP Answer and DNS Rule Groups

Creating a VIP Answer or DNS Rule Group

Editing or Copying a VIP Answer or DNS Rule Group

Deleting a VIP Answer or DNS Rule Group

Managing GSS VIP Answers

Activating and Suspending DNS Rules Governing GSS Load Balancing

Deleting a VIP Answer or DNS Rule Group

You can delete a GSS VIP answer or DNS rule group. Deleting a group does not delete the group's associated objects from the ANM database.

Procedure


Step 1 Choose one of the following depending on the group type that you want to delete:

Config > Operations > GSS VIP Answers.

Config > Operations > GSS DNS Rules

Depending on your choice, either the Answer VIPs or DNS Rules object table appears.

Step 2 Click the Groups icon located above the objects table.

The Groups menu appears below the icon (see Figure 7-2).

Step 3 From the Groups menu, click X (delete) next to the group that you want to delete.

The Delete Group confirmation popup window appears.

Step 4 From the Delete Group confirmation popup window, do one of the following:

Click Delete to remove the selected group.

Click Cancel to ignore the deletion request.


Related Topics

Managing GSS VIP Answer and DNS Rule Groups

Creating a VIP Answer or DNS Rule Group

Editing or Copying a VIP Answer or DNS Rule Group

Displaying a VIP Answer or DNS Rule Group

Activating and Suspending DNS Rules Governing GSS Load Balancing

Displaying Detailed Virtual Server Information

You can display detailed information about the state of a virtual server.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears.

Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:

a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1).

b. From the Groups menu, choose the group to display.

Step 3 In the Virtual Servers table, choose the virtual server whose configuration details you want to display.

Click the hyperlinked entry for that virtual server that appears in the Operational State column.

The Details window appears with the following information:

Current operational status

Description, if one was entered

Configured interfaces, such as VLANs

Configured service policies including:

Configured class maps, detailed by type (such as load balancing or inspection)

States of configured options, indicated by word (ACTIVE, DISABLED, OUTOFSERVICE) and color (green, orange/yellow, and red)

Associated policy maps with details on their type and action (L7 loadbalance, serverfarm)

Statistics regarding connections and counts


Related Topics

Configuring Virtual Servers

Displaying Virtual Servers by Context

Displaying Virtual Server Statistics and Status Information

Managing Virtual Servers

Displaying Virtual Servers

You can display all virtual servers.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears. Table 7-23 describes the Virtual Servers table information.

Table 7-23 Virtual Server Table Fields 

Item
Description

Name

Server farm name sorted by virtual context.

Policy Map

Associated policy map.

IP Address:Protocol:Port

Server farm IP address, protocol, and port used for communications.

HA

Indicators that display when the virtual server is part of a high availability pair. The indicators are as follows:

Asterisk (*)—The virtual server is associated with an HA pair and the HA configuration is complete.

Red dash (-)—The virtual server is associated with an HA pair; however, the HA configuration is incomplete. Typically, the HA pair is not properly configured for HA or only one of the devices has been imported into ANM. Ensure that both devices are imported into ANM and that they are configured as described in the "Configuring ACE High Availability" section.

The table displays HA pair virtual servers together in the same row and they remain together no matter how you sort the information.

SLB Device

Associated ACE IP address and context.

Admin

Administrative state of the virtual server: Up or Down.


Note For a CSM device, the virtual server Admin State is derived from the Operational State. In this case, the Operational State may display an Out of Service condition when the virtual server is configured to be Inservice (if all of the real servers are out of service).


Oper

Operational state of the virtual server: Up or Down.

(ACE devices only) To display detailed information about the virtual server in a popup window, click the linked state value in this column. For more information about this popup window, see the "Displaying Virtual Server Statistics and Status Information" section.


Note The display virtual server details feature requires ACE module software Version A2(1.2), ACE appliance software Version A3(2.1), or later versions of either software. An error displays with earlier software versions.


DWS

Operating state of Dynamic Workload Scaling for the virtual server, which can be:

N/A—Not applicable; the server farms associated with the virtual server are not configured to use Dynamic Workload Scaling.

Local—At least one server farm associated with the virtual server is configured to use Dynamic Workload Scaling, but the ACE is sending traffic to the VM Controller's local VMs only.

Expanded—At least one server farm associated with the virtual server is configured to use Dynamic Workload Scaling and the ACE is sending traffic to the VM Controller's local and remote VMs.

Conn

Number of active connections.


Note This column is populated for ACE appliances. For ACE devices, the Active Connections column displays N/A for older versions of the ACE appliance and module.


Stat Age

Age of the statistical information.

Serverfarms

Associated server farms.


Note If you have the Details popup window feature enabled, click the value in this column to open the Details popup window and display detailed information about the server farm. By default, this feature is disabled. For information about enabling or disabling this feature, see the "Enabling the ACE Server Farm Details Popup Window Option for Virtual Servers" section.


VLANs

Associated VLANs.


You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server.

Step 2 (Optional) Use the display toggle button located above the table to control which virtual servers ANM displays as follows:

Show ANM recognized Virtual Servers—Displays only virtual servers that match ANM's virtual server definition (see the "Virtual Server Configuration and ANM" section).

Show all Virtual Servers—Displays virtual servers that match ANM's virtual server definition and those that do not match this definition but that ANM can recognize as virtual servers using SNMP polling.


Note The display toggle button displays only when you have the "Display All Virtual Servers in Monitoring & Operations page" advanced setting feature enabled (see the "Managing the Display of Virtual Servers in the Operations and Monitoring Windows" section).


Step 3 (Optional) To display only the virtual servers of a specific virtual server group, do the following:

a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1).

b. From the Groups menu, choose the group to display.

You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server.


Related Topics

Activating Virtual Servers

Suspending Virtual Servers

Managing Virtual Server Groups

Displaying Detailed Virtual Server Information

Displaying Virtual Server Statistics and Status Information

Displaying Virtual Servers by Context

Using the Virtual Server Connection Statistics Graph

You can display real time and historical statistical information about the connections of a virtual server. ANM displays the information in graph or chart form. This feature also allows you to compare similar connection information across multiple virtual servers.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears. You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server.

Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:

a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1).

b. From the Groups menu, choose the group to display.

Step 3 In the Virtual Servers table, check the check box next to the virtual server whose connection information you want to display, and click Graph.

You can choose up to four virtual servers if you want to compare statistical data.

The Virtual Server Graph window appears, displaying the default graph for each selected virtual server. For details about using the graph feature, see the "Configuring Historical Trend and Real Time Graphs for Devices" section.

Step 4 Click Exit to return to the Virtual Servers window.


Related Topics

Configuring Historical Trend and Real Time Graphs for Devices

Activating Virtual Servers

Suspending Virtual Servers

Managing Virtual Server Groups

Displaying Detailed Virtual Server Information

Displaying Virtual Servers

Using the Virtual Server Topology Map

Displaying Virtual Server Statistics and Status Information

Displaying Virtual Servers by Context

Using the Virtual Server Topology Map

You can display the nodes on your network based on the virtual server that you select.

Procedure


Step 1 Choose Config > Operations > Virtual Servers.

The Virtual Servers table appears.

Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:

a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1).

b. From the Groups menu, choose the group to display.

Step 3 Use the display toggle button to ensure that the Virtual Servers table is set to Show ANM Recognized Virtual Servers.


Note The topology map feature is not available when the Virtual Server table is set to Show All Virtual Servers (for more information, see the "Displaying Virtual Servers" section).


Step 4 In the Virtual Servers table, choose the server whose topology map you want to display, and click Topology.

The ANM Topology map appears. The map includes several tools for navigating the network map and zooming in and out. For details about using the map tools, see the "Displaying Network Topology Maps" section.

Step 5 Click Exit to return to the Virtual Servers window.


Related Topics

Suspending Virtual Servers

Managing Virtual Server Groups

Displaying Detailed Virtual Server Information

Displaying Virtual Servers

Using the Virtual Server Connection Statistics Graph

Displaying Virtual Server Statistics and Status Information

Displaying Virtual Servers by Context

Understanding CLI Commands Sent from Virtual Server Table

Table 7-24 displays the CLI commands dispatched to the device for a given Virtual Servers table option, and is sorted by device.

Table 7-24 CLI Commands Deployed from Virtual Servers Table 

Command / Sample CLI Sent

ACE Modules and Appliances

Virtual Server Activate:

policy-map multi-match int25
  class VIP3
    loadbalance vip inservice

Virtual Server Suspend:

policy-map multi-match int25
  class VIP3
    no loadbalance vip inservice

CSMs

Virtual Server Activate:

vserver APP1
  inservice

Virtual Server Suspend:

vserver APP1
  no inservice

CSS Devices

Virtual Server Activate:

owner hm
  content LB
    active

Virtual Server Suspend:

owner hm
  content LB
    suspend


Deploying Virtual Servers

You can deploy virtual servers on your network at times that are convenient and appropriate for your environment. For example, if your site prefers to make changes to the network during a specific time each night, you can modify and save virtual server configurations during the day and then deploy them when appropriate.

This section includes the following topics:

Deploying a Virtual Server

Displaying All Staged Virtual Servers

Modifying Deployed Virtual Servers

Modifying Staged Virtual Servers

Deploying a Virtual Server

You can deploy virtual servers on your network at times that are convenient and appropriate for your environment. For example, if your site prefers to make changes to the network during a specific time each night, you can modify and save virtual server configurations during the day and then deploy them when appropriate.

Procedure


Step 1 Choose Config > Deploy.

The Staged Objects table appears.

Step 2 From the Staged Objects table, choose the virtual server that you want to deploy on your network, and click Deploy.

The virtual server is deployed and the table refreshes with updated information.


Related Topics

Configuring Virtual Servers

Displaying All Staged Virtual Servers

Modifying Staged Virtual Servers

Displaying All Staged Virtual Servers

You can display all objects that have been configured but have not yet been deployed on your network.

Procedure


Step 1 Do one of the following:

Choose Config > Deploy.

The Staged Objects table appears listing the following:

Virtual server name

Device ID and virtual context

Time the virtual server was created

User who last modified the object

Time the object was last updated

Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears. Virtual servers with configurations that have not been deployed appear with the status Not Deployed in the Configured State column.


Related Topics

Configuring Virtual Servers

Deploying a Virtual Server

Modifying Staged Virtual Servers

Modifying Deployed Virtual Servers

Modifying Deployed Virtual Servers

You can modify the configuration of a deployed virtual server.

Procedure


Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 In the Virtual Servers table, choose the virtual server you want to modify, and click Edit.

The Virtual Server configuration window appears.

Step 3 In the Virtual Server configuration window, modify the virtual server's configuration as desired.

See Table 7-1 for virtual server configuration options.

Step 4 When you are done modifying the configuration, do one of the following:

Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.


Related Topics

Managing Virtual Servers

Displaying All Staged Virtual Servers

Activating Virtual Servers

Suspending Virtual Servers

Modifying Staged Virtual Servers

You can modify the configuration of a staged virtual server.

Procedure


Step 1 Choose Config > Deploy.

The Staged Objects table appears, listing those virtual servers that have not yet been deployed in the network.

Step 2 From the Staged Objects table, choose the virtual server you want to modify, and click Edit.

The Virtual server configuration window appears.

Step 3 In the Virtual server configuration window, modify the virtual server configuration as desired.

See Table 7-1 for virtual server configuration options.

Step 4 When you are done modifying the configuration, do one of the following:

Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.

Click Deploy Later to save your entries and apply this configuration at a later time.


Related Topics

Deploying a Virtual Server

Displaying All Staged Virtual Servers

Activating Virtual Servers