Virtualization Guide vA2(1.0), Cisco ACE Application Control Engine Module
Configuring Virtualization


Table Of Contents

Configuring Virtualization

Virtualization Configuration Quick Start

Managing ACE Resources

Creating a Resource Class for Resource Management

Allocating Resources within a Resource Class

Changing the Resource Allocation of a Resource Class

Configuring a Context

Creating a Context

Configuring a Context Description

Configuring a VLAN for a Context

Associating a Context with a Resource Class

Changing the Resource Class of a Context

Moving Between Contexts

Creating and Configuring User Roles

Creating and Configuring Domains

Configuring a User

Example of a Virtualization Configuration


Configuring Virtualization


This chapter describes how to create and configure virtualization for your ACE. As the global administrator (SuperUser), you configure and manage all contexts through the Admin context, which contains the basic settings for each virtual device or context. Each context that you configure contains its own set of policies, interfaces, resources, and administrators.

This chapter contains the following major sections:

Virtualization Configuration Quick Start

Managing ACE Resources

Configuring a Context

Moving Between Contexts

Creating and Configuring User Roles

Creating and Configuring Domains

Configuring a User

Example of a Virtualization Configuration


Note By default, the ACE provides an Admin context and allows you to configure five user contexts. To create from 6 to a maximum of 250 user contexts, you must purchase a license from Cisco Systems. For details about licensing, see the Cisco Application Control Engine Module Administration Guide.


Virtualization Configuration Quick Start

Table 2-1 provides a quick overview of the steps required to create and configure the virtualization feature. Each step includes the command-line interface (CLI) command required to complete the task.

Table 2-1 Virtualization Configuration Quick Start

Task and Command Example

1. Log in to the ACE as the global administrator using the console. By default, the console comes up with a single context called Admin.

2. Enter configuration mode.

host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
host1/Admin(config)# 

3. Configure a resource class to limit resources used by user contexts. For example, to limit the resources of a context to 10 percent of the total resources available, enter the following commands:

host1/Admin(config)# resource-class RC1
host1/Admin(config-resource)# limit-resource all minimum 10 maximum equal-to-min
host1/Admin(config-resource)# exit

4. Create a new context.

host1/Admin(config)# context C1
host1/Admin(config-context)# 

5. Associate an existing VLAN with the context so that the context can receive traffic classified for it.

host1/Admin(config-context)# allocate-interface vlan 100

6. Associate the context with the resource class that you created in Step 3.

host1/Admin(config-context)# member RC1

7. Change to the C1 context that you created in Step 4 and enter configuration mode in that context.

host1/Admin(config-context)# do changeto C1
host1/C1(config-context)# exit
host1/C1(config)#

8. (Optional) Create a domain for the context.

host1/C1(config)# domain D1
host1/C1(config-domain)# 

9. Allocate objects (for example, real servers, server farms, probes, ACLs, and so on) to the domain as needed.

host1/C1(config-domain)# add-object rserver SERVER1

10. (Optional) Create roles to define the object and resource permissions for different groups of users.

host1/C1(config)# role UR1

11. Create rules to define the role permissions.

host1/C1(config-role)# rule 1 permit create feature real
host1/C1(config-role)# rule 2 deny create feature acl

12. Configure users as required and associate roles and domains with the users.

host1/C1(config)# username user1 password 5 MYPASSWORD role UR1 domain D1

13. Verify the virtualization configuration by entering one of the following commands:

host1/C1# show running-config context
host1/C1# show running-config domain
host1/C1# show running-config resource-class
host1/C1# show running-config role

Managing ACE Resources

You can allocate system resources to multiple contexts by creating and defining one or more resource classes and then associating the contexts with a resource class. This section contains the following topics:

Creating a Resource Class for Resource Management

Allocating Resources within a Resource Class

Changing the Resource Allocation of a Resource Class

Creating a Resource Class for Resource Management

You can create a resource class to allocate and manage system resources by one or more contexts. The ACE supports a maximum of 100 resource classes. After you create and configure the resource class, use the member command in context configuration mode to assign a resource class to the context (see the "Associating a Context with a Resource Class" section). To create a resource class, use the resource-class command in configuration mode. The syntax of the command is as follows:

resource-class name

For the name argument, enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, enter:

host1/Admin(config)# resource-class RC1
host1/Admin(config-resource)#

To remove the resource class from the configuration, enter:

host1/Admin(config)# no resource-class RC1

When you remove a resource class from the ACE, any contexts that were members of that resource class automatically become members of the default resource class. The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00 percent of all ACE resources to each context. You cannot modify the default resource class.

Allocating Resources within a Resource Class

When you plan the initial resource allocations for the virtual contexts in your configuration, allocate only the minimum required or estimated resources. The ACE protects resources that are in use, so to decrease a context's resources, those resources must be unused. Although it is possible to decrease the resource allocations in real time, it may require additional management overhead to clear any used resources before reducing them. Therefore, it is considered a best practice to initially keep as many resources in reserve as possible and allocate the unused reserved resources as needed.

To address scaling and capacity planning, we recommend that new ACE installations do not exceed 60 to 80 percent of the module's total capacity. To accomplish this goal, create a reserved resource class with a guarantee of 20 to 40 percent of all the ACE resources and configure a virtual context dedicated solely to ensuring that these resources are reserved. Then, you can efficiently distribute such reserved resources to contexts as capacity demands for handling client traffic increase over time.

You can allocate all resources or individual resources to all member contexts of a resource class. For example, you can allocate only concurrent connections or sticky table memory or management traffic, to name a few. To allocate system resources to all members (contexts) of a resource class, use the limit-resource command in resource-class configuration mode.

The syntax of this command is as follows:

limit-resource {acl-memory | all | buffer {syslog} | conc-connections | mgmt-connections | proxy-connections | rate {bandwidth | connections | inspect-conn | mac-miss | mgmt-traffic | ssl-bandwidth | syslog} | regexp | sticky | xlates} {minimum number} {maximum {equal-to-min | unlimited}}

The arguments and keywords are as follows:

acl-memory—Limits the memory space allocated for ACLs.

all—Limits all resources to the specified value for all contexts assigned to this resource class, except for management traffic bandwidth. Management traffic bandwidth remains at the default values until you explicitly configure a minimum value for management traffic.

buffer—Limits the number of syslog buffers.

conc-connections—Limits the number of simultaneous connections.

mgmt-connections—Limits the number of management (to-the-ACE) connections.

proxy-connections—Limits the number of proxy connections.

rate—Limits the resource as a number per second for the following:

bandwidth—Limits total ACE throughput in bytes per second for one or more contexts. The maximum bandwidth rate per context is determined by your bandwidth license. By default, the entry-level ACE has a 4-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth for a total maximum bandwidth of 5 Gbps. You can upgrade the ACE with an optional 8-Gbps or 16-Gbps bandwidth license. With the 8-Gbps license, the ACE has an 8-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth for a total maximum bandwidth of 9 Gbps.

When you configure a minimum bandwidth value for a resource class in the ACE, the ACE subtracts that configured value from the total bandwidth maximum value of all contexts in the ACE, regardless of the resource class with which they are associated. The total bandwidth rate of a context consists of the following two components:

throughput—Limits through-the-ACE traffic. This is a derived value (you cannot configure it directly) and it is equal to the bandwidth rate minus the mgmt-traffic rate for the 4-Gbps and 8-Gbps licenses. With a 16-Gbps license, this value is calculated slightly differently. For details, see the examples of the show resource usage command output below.

mgmt-traffic—Limits management (to-the-ACE) traffic in bytes per second. This parameter is independent of the limit-resource all minimum command. To guarantee a minimum amount of management traffic bandwidth, you must explicitly allocate a minimum percentage to management traffic using the limit-resource rate mgmt-traffic minimum command. When you allocate a minimum percentage of bandwidth to management traffic, the ACE subtracts that value from the maximum available management traffic bandwidth for all contexts in the ACE. By default, management traffic is guaranteed a minimum bandwidth rate of 0 and a maximum bandwidth rate of 1 Gbps, regardless of which bandwidth license that you install in the ACE.

For details about how the ACE manages bandwidth for throughput and management traffic rates, see the examples of the show resource usage command output that follow. For each bandwidth license, there are examples for the default values, for a 25 percent minimum allocation to all resources, and for both a 25 percent minimum allocation to all resources and a 10 percent minimum allocation to management traffic. The output has been modified to show only the relevant fields. All values are in bytes per second; to convert to bits per second, multiply each value by 8.

switch/Admin# show resource usage

Example 2-1 Default Show Resource Usage Command Output for 4-Gbps License

                        Allocation
Resource                Min           Max
bandwidth               0             625000000
 throughput             0             500000000
 mgmt-traffic rate      0             125000000

Example 2-2 Show Resource Usage Command Output for 4-Gbps License with 25 Percent Minimum Allocation for All Resources

                        Allocation
Resource                Min           Max
bandwidth               125000000     500000000
 throughput             125000000     375000000
 mgmt-traffic rate      0             125000000

Example 2-3 Show Resource Usage Command Output for 4-Gbps License with 25 Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for Management Traffic

                        Allocation
Resource                Min           Max
bandwidth               137500000     487500000
 throughput             125000000     375000000
 mgmt-traffic rate      12500000      112500000

Example 2-4 Default Show Resource Usage Command Output for 8-Gbps License

                        Allocation
Resource                Min           Max
bandwidth               0             1125000000
 throughput             0             1000000000
 mgmt-traffic rate      0             125000000

Example 2-5 Show Resource Usage Command Output for 8-Gbps License with 25 Percent Minimum Allocation for All Resources

                        Allocation
Resource                Min           Max
bandwidth               250000000     875000000
 throughput             250000000     750000000
 mgmt-traffic rate      0             125000000

Example 2-6 Show Resource Usage Command Output for 8-Gbps License with 25 Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for Management Traffic

                        Allocation
Resource                Min           Max
bandwidth               262500000     862500000
 throughput             250000000     750000000
 mgmt-traffic rate      12500000      112500000

Example 2-7 Default Show Resource Usage Command Output for 16-Gbps License

                        Allocation
Resource                Min           Max
bandwidth               0             2000000000
 throughput             0             2000000000
 mgmt-traffic rate      0             125000000

Example 2-8 Show Resource Usage Command Output for 16-Gbps License with 25 Percent Minimum Allocation for All Resources

                        Allocation
Resource                Min           Max
bandwidth               500000000     1500000000
 throughput             500000000     1500000000
 mgmt-traffic rate      0             125000000

Example 2-9 Show Resource Usage Command Output for 16-Gbps License with 25 Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for Management Traffic

                        Allocation
Resource                Min           Max
bandwidth               500000000     1500000000
 throughput             487500000     1500000000
 mgmt-traffic rate      12500000      112500000

connections—Limits the number of connections per second of any kind.

inspect-conn—Limits the number of application protocol inspection connections per second for File Transfer Protocol (FTP) and Real-Time Streaming Protocol (RTSP) only.

mac-miss—Limits the ACE traffic sent to the control plane when the encapsulation is not correct in bytes per second.

ssl-bandwidth—Limits the number of SSL connections per second.

syslog—Limits the number of syslog messages per second.

regexp—Limits the amount of regular expression memory.

sticky—Limits the number of entries in the sticky table. You must configure a minimum value for sticky to allocate resources for sticky database entries, because the sticky software receives no resources under the unlimited setting. You can allocate resources to sticky by either configuring a minimum percentage of resources specifically for sticky (limit-resource sticky) or by configuring a minimum percentage of resources for all (limit-resource all).

xlates—Limits the number of network and port address translation entries.

minimum number—Specifies the lowest acceptable value for a resource. Enter an integer from 0.00 to 100.00 percent (two-decimal places of granularity). The number argument specifies a percentage value for all contexts that are members of the resource class. When used with the rate keyword, the number argument specifies a value per second. When you configure a minimum value for a resource in a particular resource class in the ACE, the ACE assigns the minimum resources only to the contexts that are members of the resource class. For all contexts, the ACE subtracts that configured minimum value from the maximum value of that resource, regardless of the resource class with which the contexts are associated. If the resource class has more than one context associated with it, the minimum value that the ACE subtracts from the maximum value is multiplied by the number of contexts in the resource class. For example, with a 4-Gbps bandwidth license, if there are two contexts associated with the resource class and you configure a 25 percent minimum allocation for the bandwidth rate for the class, each context in the resource class would have the values that are shown in Example 2-10 for the show resource usage command output for the bandwidth rate and throughput rate.

Example 2-10 Show Resource Usage Command Output for 4-Gbps License with 25 Percent Minimum Allocation for Bandwidth

                        Allocation
Resource                Min           Max
bandwidth               125000000     375000000
 throughput             125000000     250000000
 mgmt-traffic rate      0             125000000

All other contexts in the ACE would have the same maximum values as shown in Example 2-10, but would have zero minimum values. Compare the values in Example 2-10 with the values in Example 2-2, which represents one context in a resource class.
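The arithmetic behind the show resource usage tables above (the bandwidth, throughput and mgmt-traffic rows for each license, and the per-context multiplication described under the minimum keyword) is worth having as runnable code when you plan resource classes. The following is an added worked example, not Cisco code and not the module's own algorithm: the rules it encodes, in particular the separate 16-Gbps calculation, are inferred from the values in Examples 2-1 through 2-10 and are assumptions to confirm against a live module. It generalizes the examples to any percentage and member-context count, and adds an oversubscription check for the situation the minimum keyword describes: because every context's minimum is subtracted from the maximum of all contexts, guarantees that add up to more than the module total leave some contexts resource-starved.

```python
"""Model of the per-context bandwidth rows that `show resource usage` reports
on a Cisco ACE module.  This is an added illustration, not Cisco code: the
rules were inferred from Examples 2-1 to 2-10 in this chapter, so treat them
as assumptions and confirm against a live module before relying on them."""

MGMT_TOTAL = 125_000_000            # 1-Gbps management bandwidth in bytes/s (every license)
THROUGHPUT_TOTAL = {                # through-traffic bandwidth in bytes/s, per license
    4: 500_000_000,
    8: 1_000_000_000,
    16: 2_000_000_000,
}


def bandwidth_rows(license_gbps, pct_min=0.0, pct_mgmt=0.0, contexts=1):
    """Return {resource: (min, max)} in bytes/s for one member context of a
    resource class configured with `limit-resource all minimum pct_min`
    (or `limit-resource rate bandwidth minimum pct_min`, which gives the same
    bandwidth rows) and `limit-resource rate mgmt-traffic minimum pct_mgmt`,
    when `contexts` contexts belong to the class."""
    thr_total = THROUGHPUT_TOTAL[license_gbps]
    mgmt_min = int(MGMT_TOTAL * pct_mgmt / 100)
    mgmt_max = MGMT_TOTAL - contexts * mgmt_min
    if license_gbps == 16:
        # 16-Gbps license (assumption from Examples 2-7 to 2-9): the bandwidth
        # total equals the through-traffic total, the percentage is taken from
        # it, and throughput is whatever is left after management traffic.
        bw_total = thr_total
        bw_min = int(bw_total * pct_min / 100)
        bw_max = bw_total - contexts * bw_min
        thr_min = max(bw_min - mgmt_min, 0)
        thr_max = bw_max
    else:
        # 4- and 8-Gbps licenses: bandwidth = throughput + management traffic,
        # and the percentage applies to the through-traffic total only.
        bw_total = thr_total + MGMT_TOTAL
        thr_min = int(thr_total * pct_min / 100)
        thr_max = thr_total - contexts * thr_min
        bw_min = thr_min + mgmt_min
        bw_max = bw_total - contexts * bw_min
    return {
        "bandwidth": (bw_min, bw_max),
        "throughput": (thr_min, thr_max),
        "mgmt-traffic rate": (mgmt_min, mgmt_max),
    }


def oversubscribed(license_gbps, classes):
    """classes is a list of (pct_min, pct_mgmt, member_contexts), one per
    resource class.  Because the ACE subtracts every context's minimum from
    the maximum of all contexts, guarantees that add up to more than the
    module total can never all be met; return the resources where that
    happens so the planner can shrink the reservations."""
    totals = bandwidth_rows(license_gbps)             # defaults: max == module total
    claimed = {name: 0 for name in totals}
    for pct_min, pct_mgmt, members in classes:
        for name, (low, _) in bandwidth_rows(license_gbps, pct_min, pct_mgmt).items():
            claimed[name] += members * low
    return sorted(name for name, (_, total) in totals.items() if claimed[name] > total)


def format_rows(rows):
    """Render rows in the layout of the chapter's show resource usage examples."""
    lines = [f"{'Resource':<20}{'Min':>12}{'Max':>12}"]
    for name, (low, high) in rows.items():
        indent = "" if name == "bandwidth" else " "
        lines.append(f"{indent + name:<20}{low:>12}{high:>12}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Reproduces Example 2-3: 4-Gbps license, 25 percent to all, 10 percent to management.
    print(format_rows(bandwidth_rows(4, 25, 10)))
    # Two classes on a 4-Gbps module: 2 contexts at 25 percent plus 1 at 60 percent
    # claim 550,000,000 bytes/s of a 500,000,000 bytes/s throughput total.
    print("oversubscribed:", oversubscribed(4, [(25, 0, 2), (60, 0, 1)]))
```

Run it with the license and class layout you intend to deploy before entering the limit-resource commands: an empty list from oversubscribed means every configured minimum can be honored at once, which is the condition under which the delayed reallocation described later in this chapter does not leave a context starved.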

maximum {equal-to-min | unlimited}—Specifies the maximum resource value: either the same as the minimum value or no limit.


Note The limit that you set for individual resources when you use the limit-resource command overrides the limit that you set for all resources when you use the limit-resource all command.


If you lower the limits for one context (context A) in order to increase the limits of another context (context B), you may experience a delay in the configuration change because the ACE will not lower the limits of context A until the resources are no longer being used by the context.

For example, to allocate 20 percent of all resources (minimum and maximum) to all member contexts of the resource class, enter:

(config-resource)# limit-resource all minimum 20% maximum equal-to-min

To restore resource allocation to the default values of 0 percent minimum and 100 percent maximum for all resources to all member contexts, enter:

(config-resource)# no limit-resource all

Table 2-2 lists the managed system resources of the ACE. You can limit these resources per context or for all contexts associated with the resource class by using the limit-resource command. See the "Allocating Resources within a Resource Class" section.

Table 2-2 System Resource Maximum Values

Resource                                                Maximum Value
ACL Memory                                              78,610,432 bytes
Buffer Memory (Syslog)                                  4,000,000 bytes
Concurrent Connections (Layer 4)                        4,000,000 connections
Concurrent Connections (SSL)                            200,000 connections
Management Connections                                  100,000 connections
Proxy Connections (Layer 7)                             524,286 connections
SSL Proxy Connections                                   200,000 connections
Rate
  Bandwidth                                             4 gigabits per second (Gbps)
  Connections (any kind)                                325,000 connections per second
  MAC miss                                              2000 packets per second
  Management Traffic                                    1 Gbps
  SSL transactions                                      1000 transactions per second (TPS)
  syslog                                                5000 messages per second for traffic going to the ACE (control plane);
                                                        350,000 messages per second for traffic going through the ACE (data plane)
Regular Expression Memory                               1,048,576 bytes
Sticky Entries                                          4,194,304 entries
Xlates (network and port address translation entries)   524,286 translations

You can upgrade the ACE maximum bandwidth to 8 Gbps or 16 Gbps by purchasing a separate license from Cisco Systems. SSL transactions are upgradeable to 15000 TPS with a separate license. For more information, see the Cisco Application Control Engine Module Administration Guide.


Changing the Resource Allocation of a Resource Class

If you (as the global Admin) need to change the resource allocation in a resource class of which two or more user contexts are members, you may do so at any time by entering the appropriate CLI commands. (For details about allocating resources, see the "Allocating Resources within a Resource Class" section.) However, the shift in resources between the contexts does not take place immediately unless the appropriate resources are available to accommodate the change. In most cases, to effect a change in resource allocation, you must inform the context administrators involved to ensure that the new resource allocation is possible.

For example, suppose that context A is using 100 percent of the available resources of the class and you want to allocate 50 percent of the resources to context A and 50 percent of the resources to context B. Although the CLI accepts your resource allocation commands, context B cannot allocate 50 percent of the resources until context A deallocates 50 percent of its resources.

In this case, you must perform the following:

Inform the Context A administrator to start deallocating resources

Inform the Context B administrator to start allocating resources after the Context A administrator releases the resources


Note As resources are released from other contexts, the ACE assigns the resources to resource-starved contexts (contexts where the resource-class minimum allocations have not been met).


Configuring a Context

A context provides a user view into the ACE and determines the resources available to a user. This section contains the following topics:

Creating a Context

Configuring a Context Description

Configuring a VLAN for a Context

Associating a Context with a Resource Class

Changing the Resource Class of a Context

Creating a Context

To create a context, use the context command in configuration mode. The syntax of this command is as follows:

context name

The name argument is a unique identifier of the context. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to create a context called C1, enter:

host1/Admin(config)# context C1
host1/Admin(config-context)# 

To remove the context from the configuration, enter:

host1/Admin(config)# no context C1

Configuring a Context Description

You can enter a description for the context by using the description command in context configuration mode. The syntax of this command is as follows:

description text

For the text argument, enter a description as an unquoted text string with a maximum of 240 alphanumeric characters.

For example, enter:

host1/Admin(config-context)# description context for accounting users

To remove the context description from the configuration, enter:

host1/Admin(config-context)# no description

Configuring a VLAN for a Context

The ACE uses class maps and policy maps to classify (filter) traffic and direct it to different interfaces (VLANs) using a service policy. A context uses VLANs to receive packets classified for that VLAN. To allocate one or more existing VLANs on which a user context can receive packets, use the allocate-interface command in context configuration mode in the Admin context. You can enter this command multiple times to specify multiple VLANs for a user context.


Note You can configure an interface directly in a user context, but the state of the interface remains Down until you enter the allocate-interface command for that interface in the Admin context. You can configure the interface and allocate the interface in any order.


The syntax of this command is as follows:

allocate-interface vlan number1

For the number1 argument, enter the number of an existing VLAN, or an inclusive range of VLANs in the form number1-number2 (for example, 100-200), that you want to assign to the context. Valid VLAN numbers are integers from 2 to 4094.


Note If you remove an interface in the Admin context and the same interface is in use in a user context, the state of the interface becomes Down. Entering the show interface command in the user context shows the interface as Down and the reason that the interface is no longer allocated in the Admin context.


For example, to allocate VLAN 100 to a context, enter:

host1/Admin(config-context)# allocate-interface vlan 100

To allocate an inclusive range of VLANs from VLAN 100 through VLAN 200 to a context, enter:

host1/Admin(config-context)# allocate-interface vlan 100-200

To deallocate a VLAN from a context, enter:

host1/Admin(config-context)# no allocate-interface vlan 100

To deallocate a range of VLANs from a context, enter:

host1/Admin(config-context)# no allocate-interface vlan 100-200

Note You cannot deallocate a VLAN from a user context if the VLAN is in use in that context.


Associating a Context with a Resource Class

Resource classes limit the resources available to one or more contexts. If you do not specify a resource class, the context automatically is a member of the default resource class. The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00 percent of all ACE resources to each context. You can associate a context with only one resource class. For more information about resource classes, see the "Creating a Resource Class for Resource Management" section. To associate a context with a resource class, use the member command in context configuration mode.

The syntax of this command is as follows:

member class

For the class argument, enter the name of an existing resource class as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For information about configuring a resource class, see the "Creating a Resource Class for Resource Management" section.

For example, to associate a context with the RC1 resource class, enter:

host1/Admin(config-context)# member RC1

To disassociate a context from the RC1 resource class, enter:

host1/Admin(config-context)# no member RC1

Changing the Resource Class of a Context

To remove a context from a resource class, use the no member command in context configuration mode (see the "Associating a Context with a Resource Class" section). When you remove a context from a resource class, the ACE releases all resources associated with that context and makes the resources available to other contexts in the class.

To associate the same context with a different resource class, use the member command in context configuration mode (see the "Associating a Context with a Resource Class" section). When you add a context to a resource class, the ACE adds only those resources that can remain within their configured limits. If you want to allocate additional resources to the context, you can do so if the resources are available. Otherwise, you must first release some resources from other contexts within the resource class. For details about modifying the resource allocation among contexts, see the "Changing the Resource Allocation of a Resource Class" section.

Moving Between Contexts

You can move between contexts by using the changeto command in Exec mode or the do changeto command in configuration mode. You must have one of the predefined user roles in the Admin context to use the changeto command. For information about the predefined user roles, see the "Role-Based Access Control" section in Chapter 1, Overview. Context administrators, who have access to multiple contexts, must explicitly log in to the other contexts to which they have access.

Note the following operating considerations when moving between contexts:

The user role that is enforced after you enter the changeto command is that of the Admin context and not that of the non-Admin context.

You cannot add, modify, or delete objects in a custom domain after you change to a non-Admin context.

If you originally had access to the default-domain in the Admin context prior to moving to a non-Admin context, the ACE allows you to configure any object in the non-Admin context.

If you originally had access to a custom domain in the Admin context prior to moving to a non-Admin context, any created objects in the new context will be added to the default-domain. However, an error message will appear when you attempt to modify existing objects in the non-Admin context.

The syntax of this command is as follows:

changeto name

The name argument specifies the identifier of an existing context. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, enter:

host1/Admin# changeto C1
host1/C1#

Creating and Configuring User Roles

User roles determine the privileges that a user has, the commands that a user can enter, and the actions that a user can perform in a particular context. For a list of the predefined roles that the ACE provides, see Chapter 1, Overview. To display the predefined roles in the CLI, enter the show role command in Exec mode. The global administrator or a context administrator can configure additional roles. You can apply the roles that you create only in the context in which you create them.

To configure roles, use the role command in configuration mode. The syntax of this command is as follows:

role name

The name argument is an identifier associated with a role. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

If you do not assign a role to a new user, the default role is Network-Monitor. For users that you create in the Admin context, the default scope of access is the entire device. For users that you create in other contexts, the default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair using the username command (see the "Configuring a User" section).

For example, enter:

host1/C1(config)# role TECHNICIAN
host1/C1(config-role)#

To remove the role from the configuration, enter:

host1/C1(config)# no role TECHNICIAN

After you create a user role, you can limit the features that a user has access to and the commands the user can enter for that feature by configuring rules for that role. To assign privileges per feature to a role, use the rule command in role configuration mode.

The syntax of this command is as follows:

rule number {permit | deny} {create | modify | debug | monitor} [feature {AAA | access-list | config-copy | connection | dhcp | fault-tolerant | inspect | interface | loadbalance | nat | pki | probe | real-inservice | routing | rserver | serverfarm | ssl | sticky | syslog | vip}]

The keywords, arguments, and options are as follows:

number—Identifier of the rule and order of precedence. Enter a unique integer from 1 to 16. The rule number determines the order in which the ACE applies the rules, with a higher-numbered rule applied after a lower-numbered rule.

permit—Allows the role to perform the operations defined by the rest of the command keywords.

deny—Disallows the role to perform the operations defined by the rest of the command keywords.

create—Specifies commands for the creation of new objects or the deletion of existing objects (includes modify, debug, and monitor commands).

modify—Specifies commands for modifying existing configurations (includes debug and monitor commands).

debug—Specifies commands for debugging problems (includes monitor commands).

monitor—Specifies commands for monitoring resources and objects (show commands).

feature—(Optional) Specifies one of the following ACE features for configuring this rule:

AAA—Specifies commands for authentication, authorization, and accounting.

access-list—Specifies commands for access control lists (ACLs). Includes ACL configuration, class maps for ACL, and policy maps that contain ACL class maps.

config-copy—Specifies commands for copying the running-config file to the startup-config file, startup-config file to the running-config file, and copying both config files to the flash disk (disk0:) or a remote server.

connection—Specifies commands for network connections.

dhcp—Specifies commands for Dynamic Host Configuration Protocol.

fault-tolerant—Specifies commands for redundancy.

inspect—Specifies commands for packet inspection used in data-center security.

interface—Specifies all interface commands.

loadbalance—Specifies commands for load balancing. Allows adding a load-balancing action in a policy map.

nat—Specifies commands for Network Address Translation (NAT) associated with a class map in a policy map used in data-center security.

pki—Specifies commands for SSL public key infrastructure (PKI).

probe—Specifies commands for keepalives for real servers.

real-inservice—Specifies commands for placing a real server in service.

routing—Specifies all commands for routing, both global and per interface.

rserver—Specifies commands for physical servers.

serverfarm—Specifies commands for server farms.

ssl—Specifies commands for SSL.

sticky—Specifies commands for server persistence.

syslog—Specifies the system logging facility setup commands.

vip—Specifies commands for virtual IP addresses and virtual servers.

For example, to configure a rule that allows a role to create and configure real servers, enter:

host1/C1(config-role)# rule 1 permit create feature rserver

To remove the rule from a role, enter:

host1/C1(config-role)# no rule 1 permit create feature rserver
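Because a role's rules are cumulative (create includes modify, debug and monitor, and a rule without the feature keyword applies to every feature), a role definition is easy to over-grant by accident. The following is an added example, not Cisco code: a small lint that parses rule lines in the form documented above, as they appear under show running-config role, and reports the points a reviewer would raise before handing the role to context users. The sample configuration and the choice of security-sensitive features are constructed for the example; the overlap finding only flags permit/deny pairs on the same feature and leaves the question of which rule the ACE applies last to the administrator, since this chapter does not state the tie-break.

```python
"""Least-privilege lint for ACE `role` definitions.  Added example, not Cisco
code: it parses `rule` lines in the form this chapter documents, expands the
operation hierarchy the chapter describes (create includes modify, debug and
monitor; modify includes debug and monitor; debug includes monitor) and
reports what a reviewer should look at before a role is handed to context
users.  The sample configuration and the SENSITIVE set are constructed here."""
import re

OPERATIONS = ["monitor", "debug", "modify", "create"]   # each includes everything before it
FEATURES = {
    "AAA", "access-list", "config-copy", "connection", "dhcp", "fault-tolerant",
    "inspect", "interface", "loadbalance", "nat", "pki", "probe", "real-inservice",
    "routing", "rserver", "serverfarm", "ssl", "sticky", "syslog", "vip",
}
# Features where create/modify rights change the security posture of the
# context; this selection is the example's own, not from the guide.
SENSITIVE = {"AAA", "access-list", "interface", "nat", "pki", "routing", "ssl"}

ROLE_RE = re.compile(r"^\s*role\s+(\S+)\s*$")
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(create|modify|debug|monitor)"
    r"(?:\s+feature\s+(\S+))?\s*$"
)

# Constructed sample in the layout of `show running-config role` output.
SAMPLE_CONFIG = """\
role TECHNICIAN
  rule 1 permit create feature rserver
  rule 2 permit modify feature serverfarm
  rule 3 deny create feature access-list
  rule 4 permit modify feature access-list
role OPS-ALL
  rule 1 permit create
role BROKEN
  rule 1 permit create feature rserver
  rule 1 deny debug feature rserver
  rule 20 permit monitor feature acl
"""


def included_ops(op):
    """Operations implied by `op` under the chapter's hierarchy."""
    return set(OPERATIONS[: OPERATIONS.index(op) + 1])


def parse_roles(config_text):
    """Map role name -> list of (number, action, operation, feature-or-None)."""
    roles, current = {}, None
    for line in config_text.splitlines():
        if m := ROLE_RE.match(line):
            current = m.group(1)
            roles.setdefault(current, [])
        elif (m := RULE_RE.match(line)) and current is not None:
            num, action, op, feature = m.groups()
            roles[current].append((int(num), action, op, feature))
    return roles


def lint_roles(config_text):
    """Return role name -> list of findings (empty list means nothing to raise)."""
    report = {}
    for role, rules in parse_roles(config_text).items():
        out, seen = [], set()
        for num, action, op, feature in rules:
            if not 1 <= num <= 16:
                out.append(f"rule {num}: number outside 1-16")
            if num in seen:
                out.append(f"rule {num}: duplicate rule number")
            seen.add(num)
            if feature is not None and feature not in FEATURES:
                out.append(f"rule {num}: unknown feature '{feature}'")
            if action == "permit" and op in ("create", "modify"):
                if feature is None:
                    out.append(f"rule {num}: {op} granted on all features")
                elif feature in SENSITIVE:
                    out.append(f"rule {num}: {op} granted on security-sensitive feature '{feature}'")
        # Every operation implies monitor, so any permit/deny pair that touches
        # the same feature (or one that covers all features) overlaps somewhere.
        for i, (n1, a1, o1, f1) in enumerate(rules):
            for n2, a2, o2, f2 in rules[i + 1:]:
                same_scope = f1 == f2 or f1 is None or f2 is None
                if a1 != a2 and same_scope and included_ops(o1) & included_ops(o2):
                    out.append(f"rules {n1} and {n2}: permit/deny overlap on "
                               f"{f1 or f2 or 'all features'}; check which the ACE applies last")
        report[role] = out
    return report


if __name__ == "__main__":
    for role, findings in lint_roles(SAMPLE_CONFIG).items():
        print(role, "->", findings or ["ok"])
```

Feed it the role section of a saved running configuration; a role that comes back with an empty list is not necessarily minimal, but every finding it does return is something to resolve before the role is assigned with the username command.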

Creating and Configuring Domains

A domain is the namespace in which a user operates. When you create a context, the ACE automatically creates a default domain (default-domain) for that context. You can configure a maximum of 63 additional domains in each context. For information about configuring a context, see the "Configuring a Context" section. To create a domain, use the domain command in configuration mode. The syntax of this command is as follows:

domain name

For the name argument, enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to create a domain called D1, enter:

host1/C1(config)# domain D1
host1/C1(config-domain)#

To remove a domain from the configuration, enter:

host1/C1(config)# no domain D1


Note A domain does not restrict what the show running-config command displays: a user can still display the running configuration for the entire context, including objects that are not in any of that user's domains. What a domain does restrict is access to configurable objects, because only the objects that you add to the domain (a subset of all the objects in the context) are available to its users. You can further restrict the operations that a user can perform on those objects by assigning a role to the user. For information about configuring user roles, see the "Creating and Configuring User Roles" section.


After you create a domain, you can associate configurable objects with that domain (for example, a real server, server farm, interface, and so on). To associate a configurable object with a domain, use the add-object command in domain configuration mode.

The syntax of this command is as follows:

add-object {access-list {ethertype | extended} | all | class-map | interface {bvi | vlan} | parameter-map | policy-map | probe | rserver | script | serverfarm | sticky} name

The keywords, arguments, and option are as follows:

access-list—Specifies an existing access control list (ACL) that you want to associate with the domain.

all—Specifies that all existing configuration objects in the context are added to the domain.

class-map—Specifies an existing class map for flow classification that you want to associate with the domain.

interface—Specifies an existing interface that you want to associate with the domain.

parameter-map—Specifies an existing parameter map that you want to associate with the domain.

policy-map—Specifies an existing policy map that you want to associate with the domain.

probe—Specifies an existing real server probe (keepalive) that you want to associate with the domain.

rserver—Specifies an existing real server that you want to associate with the domain.

script—Specifies an existing script that you created with the ACE TCL scripting language.

serverfarm—Specifies an existing server farm that you want to associate with the domain.

sticky—Specifies an existing sticky group that you want to associate with the domain to maintain persistence with a server.

name—Identifier of the specified object. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to associate an interface called VLAN 10 with the domain, enter:

host1/C1(config-domain)# add-object interface vlan 10

To remove the object from the domain, enter:

host1/C1(config-domain)# no add-object interface vlan 10

Configuring a User

The ACE creates two default user accounts at startup: admin and www. The admin user is the global administrator and cannot be deleted. The www user account is used by the ACE for the XML interface and also cannot be deleted.

The global administrator (admin) assigns one user in each context as the context administrator. The context administrator can then log in to the context or contexts for which he or she is responsible and create additional users there.

If you do not assign a role to a new user, the default role is Network-Monitor. For users that you create in the Admin context, the default scope of access is the entire device; for users that you create in other contexts, the default scope of access is the entire context. To restrict a user's access, assign a role-domain pair.

To create a user, use the username command in configuration mode. The syntax of this command is as follows:

username name1 [password [0 | 5] {password}] [expire date] [role name2 {domain name3 name4 . . . namen}]

The keywords, arguments, and options are as follows:

name1—Identifier of the user that you are creating. Enter an unquoted text string with no spaces and a maximum of 24 alphanumeric characters.

password—(Optional) Keyword that indicates that a password follows.

0—(Optional) Specifies a clear text password.

5—(Optional) Specifies that the password that follows is already MD5-hashed (the ACE calls this a strong encryption password), in the form in which a password appears in a running-config.

password—(Optional) The password, either in clear text or as an MD5 hash, depending on the numbered option (0 or 5) that you enter. If you do not enter a numbered option, the password is treated as clear text. If you enter the password keyword, you must enter a password. Enter a password as an unquoted text string with a maximum of 64 alphanumeric characters. The ACE supports the following special characters in a password:

, . / = + - ^ @ ! % ~ # $ * ( )

Note that the ACE does not store clear text passwords: a password entered with option 0 appears in the running-config in its hashed form. Because a hash can still be attacked offline if the configuration is disclosed, treat copies of the running-config as sensitive.


Note If you specify an MD5-hashed strong encryption password, the ACE considers a password to be weak if it is less than eight characters in length.


expire date—(Optional) Specifies the expiration date of the user account. Enter the expiration date in the format yyyy-mm-dd.

role name2—(Optional) Specifies an existing role that you want to assign to the user.

domain name3 name4 . . . namen—Specifies the domains in which the user can operate. You can enter multiple domain names up to a maximum of 10, including default-domain.

For example, enter:

host1/C1(config)# username USER1 password MYSECRET expire 2005-12-31 role TECHNICIAN domain D1 default-domain

host1/C1(config)# username USER2 password HERSECRET expire 2005-12-31 role Admin domain default-domain D2

To delete a user from the configuration, enter:

host1/C1(config)# no username USER1

Example of a Virtualization Configuration

The following running-configuration example shows a basic virtualization configuration with one user-defined context, one resource class, one domain, and one user.

resource-class RC1
  limit-resource rate syslog minimum 10.00 maximum equal-to-min
  limit-resource acl-memory minimum 10.00 maximum unlimited

access-list ACL1 line 10 extended permit ip any any

rserver host RS1
  ip address 192.168.2.251
  inservice
rserver host RS2
  ip address 192.168.2.252
  inservice
serverfarm host SF1
  rserver RS1
    inservice
  rserver RS2
    inservice

domain D1
  add-object access-list extended ACL1
  add-object rserver RS1
  add-object rserver RS2
  add-object serverfarm SF1

role SLB-Admin

context C1
  allocate-interface vlan 100-200
  description accounting department
  member RC1

username JANE password 5 adropgijaeprgja9erjg2uWgtce1 role SLB-Admin domain D1
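A running configuration like the one above is what a reviewer receives before a change window. The following Python script is an added example, not code from the Cisco documentation: it parses the domain and username sections of an ACE-style running-config and reports the checks a reviewer would want before pushing the file: an add-object that names an object the context never defines, an add-object all, a clear-text (0) password in the source being pushed, an account whose expire date has passed, and a user with no role (so Network-Monitor applies to the whole context). The sample configuration embedded in the script is constructed from the page's example with those problems added. The parsing rules (indented lines are sub-commands of the preceding top-level line, and the position of the object name for each type) are simplifications assumed for the example, and the today argument with its fixed default date is hypothetical.

```python
from datetime import date

# Constructed sample, adapted from the page's example configuration, with deliberate
# problems: D1 references undefined serverfarm SF2; USER2 has a clear-text password,
# no role and a past expiry date.
SAMPLE_CONFIG = """\
access-list ACL1 line 10 extended permit ip any any
rserver host RS1
  ip address 192.168.2.251
  inservice
serverfarm host SF1
  rserver RS1
    inservice
domain D1
  add-object access-list extended ACL1
  add-object rserver RS1
  add-object serverfarm SF1
  add-object serverfarm SF2
role SLB-Admin
username JANE password 5 adropgijaeprgja9erjg2uWgtce1 role SLB-Admin domain D1
username USER2 password 0 MYSECRET expire 2005-12-31
"""

def object_name(kind, tokens):
    # Name in a top-level definition (simplified assumption): 'rserver host RS1' -> 'RS1'.
    if kind in ("rserver", "serverfarm"):
        return tokens[2]                       # rserver host NAME, serverfarm host NAME
    if kind == "access-list":
        return tokens[1]                       # access-list NAME line N ...
    return tokens[-1]                          # probe TYPE NAME, class-map ... NAME

def object_ref(tokens):
    # (type, name) from the words after add-object; access-list carries a subtype first.
    if tokens[0] == "access-list":             # access-list {ethertype|extended} NAME
        return ("access-list", tokens[2])
    return (tokens[0], tokens[1] if len(tokens) > 1 else None)   # "all" has no name

def parse_username(tokens):
    """Fields of: username NAME [password [0|5] PW] [expire DATE] [role R [domain D ...]]."""
    info, i = {"hash_type": None, "expire": None, "role": None, "domains": []}, 2
    while i < len(tokens):
        key = tokens[i]
        if key == "password":
            numbered = tokens[i + 1] in ("0", "5")  # no number means clear text (0)
            info["hash_type"] = tokens[i + 1] if numbered else "0"
            i += 3 if numbered else 2
        elif key == "expire":
            info["expire"] = date.fromisoformat(tokens[i + 1])
            i += 2
        elif key == "role":
            info["role"] = tokens[i + 1]
            i += 2
        elif key == "domain":
            info["domains"] = tokens[i + 1:]
            break
        else:
            i += 1
    return info

def parse_config(text):
    """Return (defined objects by type, add-object lists per domain, users)."""
    # Object types that add-object accepts, from the command syntax on this page.
    objects = {t: set() for t in ("access-list", "class-map", "interface", "parameter-map",
                                  "policy-map", "probe", "rserver", "script", "serverfarm", "sticky")}
    domains, users, current_domain = {}, {}, None
    for line in filter(str.strip, text.splitlines()):
        tokens = line.split()
        if line.startswith(" "):               # sub-command of the preceding top-level line
            if current_domain and tokens[0] == "add-object":
                domains[current_domain].append(object_ref(tokens[1:]))
            continue
        current_domain = None
        if tokens[0] == "domain":
            current_domain = tokens[1]
            domains.setdefault(current_domain, [])
        elif tokens[0] == "username":
            users[tokens[1]] = parse_username(tokens)
        elif tokens[0] in objects:
            objects[tokens[0]].add(object_name(tokens[0], tokens))
    return objects, domains, users

def audit(text, today="2010-01-01"):
    """Findings a reviewer would want before pushing this configuration (today is hypothetical)."""
    objects, domains, users = parse_config(text)
    today, findings = date.fromisoformat(today), []
    for dom, refs in domains.items():
        for kind, name in refs:
            if kind == "all":
                findings.append(f"domain {dom}: add-object all exposes every object in the context")
            elif name not in objects.get(kind, set()):
                findings.append(f"domain {dom}: add-object {kind} {name} names an undefined object")
    for user, info in users.items():
        if info["hash_type"] == "0":
            findings.append(f"user {user}: clear-text password in the configuration source")
        if info["expire"] and info["expire"] < today:
            findings.append(f"user {user}: account expired on {info['expire']}")
        if info["role"] is None:
            findings.append(f"user {user}: no role, so Network-Monitor applies to the whole context")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Running the script prints one line per finding; audit() returns the list so the same check can be wired into a pre-change review. JANE produces no findings because her entry has a hashed password, a role, and a domain that the configuration defines.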