Guest

Cisco Services Modules

CSM-to-ACE Conversion Tool Guide, Cisco ACE Application Control Engine Module

  • Viewing Options

  • PDF (1.7 MB)
  • Feedback
Cisco CSM-to-ACE Conversion Tool User Guide

Table Of Contents

Cisco CSM-to-ACE Conversion Tool User Guide

Accessing the CSM-to-ACE Conversion Tool

Using the CSM-to-ACE Conversion Tool

Copying the Converted Configuration File to the ACE

Copying and Pasting the Converted Configuration to the ACE CLI Prompt

Copying and Pasting the Converted Configuration to a Text File for Content Editing

Example of a Copied Configuration File for Use By the ACE

Unsupported CSM Commands

ACE Module Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Cisco CSM-to-ACE Conversion Tool User Guide


This document describes how to use the CSM-to-ACE conversion tool to migrate Cisco Content Switching Module (CSM) running- or startup-configuration files to the Cisco Application Control Engine (ACE) module. It describes how to access the conversion tool, use the tool to convert a CSM configuration to an ACE configuration, and copy the converted configuration to the ACE. This document also includes a summary of the CSM commands that are not supported by the conversion tool.

This document contains the following sections.

Accessing the CSM-to-ACE Conversion Tool

Using the CSM-to-ACE Conversion Tool

Copying the Converted Configuration File to the ACE

Unsupported CSM Commands

ACE Module Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Accessing the CSM-to-ACE Conversion Tool

The conversion tool is included as part of the ACE software image and is accessible from the Cisco ACE Module web page using either HTTP or secure HTTP (HTTPS). To access the conversion tool, perform the following steps:


Step 1 Log in to the ACE CLI.

Step 2 Create a Layer 3 and Layer 4 management policy. Ensure that, at a minimum, you permit HTTP or HTTPS traffic in the management policy to enable remote access to the Cisco ACE Module web page. The following excerpt is a typical configuration example that illustrates how to enable web access to the ACE to access the Cisco ACE Module web page. For details on enabling remote access to the ACE, refer to the Cisco Application Control Engine Module Administration Guide.

Cat6k Configuration
svclc multiple-vlan-interfaces
svclc module 3 vlan-group 1
svclc vlan-group 1  10
 
   
Cisco ACE Configuration
class-map type management match-any L4_REMOTE-ACCESS_CLASS
  description Enabling remote access traffic to the ACE and the Cisco ACE Module web page
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any
  6 match protocol https any
 
   
policy-map type management first-match L4_REMOTE-ACCESS_MATCH
  class L4_REMOTE-ACCESS_CLASS
    permit
 
   
interface vlan 10
  ip address 192.168.215.134 255.255.255.0
  service-policy input L4_REMOTE-ACCESS_MATCH
  no shutdown
 
   
ip route 0.0.0.0 0.0.0.0 192.168.215.1
 
   

Step 3 Open your preferred Internet web browser application, such as Microsoft Internet Explorer or Netscape Navigator.

Step 4 Specify the HTTP or HTTPS address of your ACE in the address field:

http://ace_ip_address
 
   
https://ace_ip_address
 
   

Step 5 If this your first time accessing the ACE web page by HTTPS, you will be prompted to accept (trust) and install the signed certificate from Cisco Systems. Click Yes at the prompt to accept and install the signed certificate. To avoid approving the signed certificate each time you log in to the ACE web page, accept the certificate. For instructions on trusting certificates from a particular owner or website, see the online help included with your browser.

Step 6 When the dialog box appears, login with your ACE username and password in the fields provided, then click OK. The ACE web page appears (Figure 1).


Note Users with administrative privileges can access the CSM-to-ACE conversion tool.


Figure 1 Cisco ACE Module Web Page

Step 7 Click the CSM2ACE conversion tool link in the Tools section of the ACE web page. The CSM-to-ACE conversion tool appears (Figure 2). Proceed to the "Using the CSM-to-ACE Conversion Tool" section.

Figure 2 CSM-to-ACE Conversion Tool

 
   

Using the CSM-to-ACE Conversion Tool

You can convert a CSM startup- or running-config to an equivalent ACE startup- or running-config by using one of the following methods:

Copying and pasting the contents from a saved CSM configuration file or from the CSM show running-config or show startup-config command output to the conversion tool `

Uploading a saved CSM configuration file to the conversion tool

To use the conversion tool to convert a CSM configuration, perform the following steps:


Step 1 By default, the Admin context is always assumed as the target virtual context on the ACE. To migrate a CSM configuration to a different virtual context (for example, C1), specify a different virtual context name in the User Context Name: text box (see Figure 3). The conversion tool generates the corresponding ACE configuration for the Admin context to create the requested virtual context.

Step 2 To add the contents from a saved CSM configuration file or from the CSM show running-config or show startup-config command output, copy and paste the complete configuration into the text area of the Paste CSM Commands: section of the conversion tool (Figure 3). Proceed to Step 4.

Figure 3 Pasting the Content of a CSM Configuration into the CSM-to-ACE Conversion Tool

Step 3 To select a CSM configuration file to upload to the conversion tool, click Browse. Navigate to the CSM configuration file that you want to convert, then click Open. The CSM configuration file appears in the Upload CSM Command File: section of the conversion tool (Figure 4). Proceed to Step 4.

Figure 4 Uploading a CSM Configuration File

Step 4 To convert the CSM commands, click Get ACE Commands. The tool converts the CSM startup- or running-config to an equivalent ACE startup- or running-config (Figure 5).

Figure 5 Converted CSM Commands to ACE Commands Example

In addition, the conversion tool lists the CSM commands from the original configuration file (Figure 6).

Figure 6 Summary of Converted CSM Commands Example

The conversion tool also includes a list of any unsupported CSM commands (Figure 7). The Notes section provides additional information, as necessary. Proceed to the "Copying the Converted Configuration File to the ACE" section.

Figure 7 Unsupported CSM Commands and Notes Example

 
   

Copying the Converted Configuration File to the ACE

Once you convert the CSM configuration, you can use one of the following methods to copy the converted configuration to the ACE:

Copy and paste the converted configuration directly at the ACE CLI configuration mode prompt.

Copy and paste the converted configuration to a text file. You can store this configuration file locally and make the appropriate content changes in the configuration text file to support the ACE configuration.

Before you begin, for the ACE to allow the new VLANs identified in the converted CSM configuration file, first create the VLAN groups on the supervisor engine in the Catalyst 6500 series switch or Cisco 7600 series router, and then assign the groups to the ACE. By default, all VLANs are allocated to the Admin context on the ACE. See the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for details.

This section includes the following topics:

Copying and Pasting the Converted Configuration to the ACE CLI Prompt

Copying and Pasting the Converted Configuration to a Text File for Content Editing

Example of a Copied Configuration File for Use By the ACE

Copying and Pasting the Converted Configuration to the ACE CLI Prompt

To copy and paste the converted configuration directly to the ACE CLI prompt, perform the following steps:


Step 1 Log in to the ACE by entering the login username and password at the following prompt:

switch login: xxxxxx
Password: yyyyyy
 
   

By default, both the username and password are admin.

The prompt changes to:

switch/Admin# 
 
   

Step 2 Access configuration mode:

switch/Admin# configure
Enter configuration commands, one per line. End with CNTL/Z
 
   

The prompt changes to the following:

switch/Admin(config)#
 
   

Step 3 Copy the converted configuration listed in the ACE Commands: section of the conversion tool (see Figure 5), from the Configuration Commands for Admin Context: section. Paste the copied content at the configuration mode prompt of the ACE. If you are operating in multiple contexts, this step automatically creates the new virtual context identified in the User Context Name: text box of the conversion tool.

For example, to paste the converted configuration to the Admin context::

switch/Admin(config)# resource-class RC1
switch/Admin(config-resource)#   limit-resource sticky minimum 100 maximum unlimited
switch/Admin(config-resource)# context C1
switch/Admin(config-context)#   allocate-interface vlan 16
switch/Admin(config-context)#   member RC1
switch/Admin(config-context)#
switch/Admin(config-context)# exit
switch/Admin(config)# 
 
   

Step 4 If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to the correct context by using the changeto command in Exec mode.

switch/Admin(config)# exit
switch/Admin# changeto C1
switch/C1# configure
Enter configuration commands, one per line. End with CNTL/Z
switch/C1(config)# 
 
   

Step 5 Copy the converted configuration listed in the ACE Commands: section of the conversion tool (see Figure 5), from the Configuration Commands for xx Context:. Paste the copied contents at the configuration mode prompt of the ACE.

For example, to paste the converted configuration to the C1 context:

switch/C1(config)# access-list LB_ALLOW_VIPS extended permit tcp any 10.9.8.53 2
55.255.255.255 eq www
switch/C1(config)# probe http EMEA
switch/C1(config-probe-http)#   faildetect 2
switch/C1(config-probe-http)#   interval 5
switch/C1(config-probe-http)#   open 5
switch/C1(config-probe-http)#   passdetect interval 20
switch/C1(config-probe-http)#   request method get url /EMEA/KAL.html
switch/C1(config-probe-http)# probe http 200-OK
switch/C1(config-probe-http)#   faildetect 2
switch/C1(config-probe-http)#   header host header-value healthcheck.cisco.com
switch/C1(config-probe-http)#   interval 22
switch/C1(config-probe-http)#   passdetect interval 63
switch/C1(config-probe-http)#   port 80
switch/C1(config-probe-http)#   request method get url /serverstatus/status.asp
switch/C1(config-probe-http)#
 
   

Step 6 (Optional) Use the following commands to save the updated contents of the running- or startup-configuration file:

To merge the contents of the startup configuration file into the running configuration file, use the copy startup-config running-config command.

To copy the contents of the running configuration file to the startup configuration file in Flash memory, use the copy running-config startup-config command.

Proceed to the "Example of a Copied Configuration File for Use By the ACE" section.


Copying and Pasting the Converted Configuration to a Text File for Content Editing

To copy and paste the converted configuration to a text file and make content changes in the file, perform the following steps:


Step 1 Copy the converted configuration listed in the ACE Commands: section of the conversion tool (see Figure 5) to a text file. Save this text file as an appropriately named configuration file.

Step 2 Store this configuration text file.

Step 3 Make the appropriate changes in the configuration text file to support the ACE design configuration. This step helps you to avoid potential issues or conflicts before copying and pasting the converted CSM configuration text file to the ACE CLI prompt. See the"Unsupported CSM Commands" section for a list of the CSM CLI commands that are not supported during the conversion.

Step 4 Copy and paste the contents of the updated configuration file directly to the ACE CLI prompt as described in the"Copying and Pasting the Converted Configuration to the ACE CLI Prompt" section.

Proceed to the "Example of a Copied Configuration File for Use By the ACE" section.


Example of a Copied Configuration File for Use By the ACE

After you copy the contents of the converted CSM-to-ACE configuration to the ACE, use the following commands to view the updated content of either the running- or startup-configuration file:

To view the running-configuration file, use the show running-config command.

To view the startup-configuration file, use the show startup-config command.

The following output example is from the show running-config command. This example includes hypertext cross-references to the applicable chapters in the ACE documentation set that you can refer to for the configuration details. You can click the URLs located above the command output for the configuration details. Use the ACE CLI commands to make modifications to the configuration, as needed.

switch/C1# show running-config
Generating configuration....
 
   
 
   

! http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/acl.html

access-list LB_ALLOW_VIPS line 8 extended permit tcp any host 10.9.8.53 eq www
 
   
 
   

! http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/probe.html

probe http 200-OK
  interval 22
  faildetect 2
  passdetect interval 63
  request method get url /serverstatus/status.asp
  header Host header-value "healthcheck.cisco.com"
probe http EMEA
  interval 5
  faildetect 2
  passdetect interval 20
  request method get url /EMEA/KAL.html
  open 5
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html

parameter-map type connection HR-CORP_CONN
  set timeout inactivity 1800
parameter-map type http HR-CORP_HTTP
  persistence-rebalance
  set header-maxparse-length 4000
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/rsfarms.html

rserver host WIN-EMEA-S1
  description SJ-Z8
  ip address 10.9.8.187
  inservice
rserver host WIN-EMEA-S2
  description SJ-Z8
  ip address 10.9.8.188
  inservice
rserver host WIN-EMEA-S3
  description SJ-Z8
  ip address 10.9.8.189
  inservice
rserver host WIN-GLO-S1
  description SJ-Z4
  ip address 10.9.8.28
  inservice
rserver host WIN-GLO-S2
  description SJ-Z4
  ip address 10.9.8.29
  inservice
rserver host WIN-GLO-S3
  description SJ-Z4
  ip address 10.9.8.30
  inservice
rserver host WIN-HR-S1
  description SJ-Z1
  ip address 10.9.8.76
  inservice
rserver host WIN-HR-S2
  description SJ-Z1
  ip address 10.9.8.78
  inservice
rserver host WIN-HR-S3
  description SJ-Z1
  ip address 10.9.8.77
  inservice
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/rsfarms.html

serverfarm host EMEA
  predictor leastconns
  probe EMEA
  rserver WIN-EMEA-S1
    inservice
  rserver WIN-EMEA-S2
    inservice
  rserver WIN-EMEA-S3
    inservice
serverfarm host HR-CORP
  predictor leastconns
  probe 200-OK
  rserver WIN-HR-S1
    inservice
  rserver WIN-HR-S2
    inservice
  rserver WIN-HR-S3
    inservice
serverfarm host HR-GLOBAL
  predictor leastconns
  probe 200-OK
  rserver WIN-GLO-S1
    inservice
  rserver WIN-GLO-S2
    inservice
  rserver WIN-GLO-S3
    inservice
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html

class-map type http loadbalance match-all HR-CORP
  2 match http url /HR.*
class-map match-all HR-CORP_L3
  2 match virtual-address 10.9.8.53 tcp eq www
class-map type http loadbalance match-all HR-EMEA
  2 match http header Accept-Language header-value "en-us"
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/access.html

class-map type management match-any TO-CP-POLICY
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
policy-map type management first-match TO-CP-POLICY
  class TO-CP-POLICY
    permit
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html

policy-map type loadbalance http first-match HR-CORP
  class HR-EMEA
  class HR-CORP
    serverfarm HR-CORP
  class class-default
    serverfarm HR-GLOBAL
policy-map multi-match POLICY1057590
  class HR-CORP_L3
    loadbalance vip inservice
    loadbalance policy HR-CORP
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options HR-CORP_HTTP
    connection advanced-options HR-CORP_CONN
 
   
service-policy input POLICY1057590
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/access.html

service-policy input TO-CP-POLICY
 
   

! http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/acl.html

access-group input LB_ALLOW_VIPS
 
   

! http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/vlansif.html

interface vlan 130
  ip address 10.86.215.74 255.255.255.0
  no shutdown
interface bvi 16
  no shutdown
 
   

Unsupported CSM Commands

The tool converts the majority of the CSM commands to comparable ACE commands. The converted output includes a list of the commands that are not supported by the tool during the conversion process (Figure 8).

Figure 8 Unsupported CSM Commands Area of the CSM-to-ACE Conversion Tool

This section summarizes the CSM commands that are not supported by the conversion tool. It includes the following tables:

Table 1 lists the CSM commands that do not have an equivalent function in the ACE.

Table 2 lists the CSM commands that have an equivalent function in the ACE, but are not directly converted by the tool. Table 2 also identifies the commands in the ACE CLI that provide the most comparable function to match the associated CSM command.

Both tables include references to the ACE module documentation that best address the associated CSM function not supported by the conversion tool. For a complete listing of the ACE module documentation available on www.cisco.com, see the "ACE Module Documentation"section.

Table 1 List of CSM Commands Not Supported in the ACE 

CSM Command
Description

dfp and its configuration submode commands

The ACE does not support the Dynamic Feedback Protocol (DFP). If your application requires the capabilities of DFP, we recommend that you use the least-loaded predictor in the ACE. This feature allows the ACE to use SNMP probes to determine server and application availability.

See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details.

ip slb mode

The ip slb mode command instructs the CSM to operate as a CSM load-balancing device instead of a Cisco IOS server load-balancing (SLB) device. This operating capability is not required by the ACE.

map dns

The ACE does not directly provide Global Server Load Balancing (GSLB) support. The ACE can be used as the server load-balancing (SLB) device with the Cisco Global Site Selector (GSS) platform for GSLB support. The GSS load balances geographically distributed data centers based on DNS requests. It also load balances any DNS-capable device that can be registered in the DNS system, such as the ACE.

See the Cisco GSS documentation set for background information at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html

owner and its configuration submode commands

With the ACE, you can operate it in a single context or in multiple contexts. Multiple contexts use the concept of virtualization to partition your ACE into multiple virtual devices or contexts. You configure and manage all contexts through the Admin context, which contains the basic settings for each virtual device or context. Each context that you configure contains its own set of policies, interfaces, resources, and administrators.

The ACE provides role-based access control (RBAC), which is a mechanism that determines the commands and resources available to each user. A role defines a set of permissions that allow you to access the objects and resources in a context and the actions that you can perform on them.

You can also use domains to logically group objects within a context. In addition, domains can control access to groups of objects within a context.

See the Cisco Application Control Engine Module Virtualization Configuration Guide for details.

reverse sticky

Reverse sticky is not supported by the ACE.

script file and script task

TCL scripts are loaded onto the CSM through script files. A script file may contain one or more scripts. With the ACE, you upload and execute TCL health probe scripts (script files) on the ACE. A script file contains only one script, and the ACE supports the configuration of 256 unique script files.

See the Cisco Application Control Engine Module Administration Guide for details.

serverfarm configuration mode, the bindid command

The ACE does not support the Dynamic Feedback Protocol (DFP) and does not require the conversion of the bindid submode command of the serverfarm command. If your application requires the capabilities of DFP, we recommend that you use the least-loaded predictor in the ACE. This feature allows the ACE to use SNMP probes to determine server and application availability.

See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details.

snmp enable traps slb ft

The ACE does not support fault-tolerant traps as a notification type.

See the Cisco Application Control Engine Module Administration Guide for information about the supported SNMP notifications for the ACE.

vserver configuration mode, the following commands:

owner

reverse-sticky

ssl-sticky offset

The functions of the following vserver subcommands are not supported by the ACE:

owner command—This function is configured and managed for each virtual device or context. See the Cisco Application Control Engine Module Virtualization Configuration Guide for details.

reverse-sticky command—Reverse-sticky is not a supported function by the ACE.

ssl-sticky offset command—The ACE supports stickiness based on the SSL Session ID for SSLv3/TLSv1 only. Because the SSL Session ID is unique across multiple connections from the same client, you can use this feature to stick clients to a particular SSL server when the ACE is configured to load-balance SSL traffic, but not terminate it. To use this feature, configure a generic protocol-parsing policy for sticky learning. The ACE learns the SSL Session ID from the SSL server or other SSL-termination device. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details.


Table 2 List of CSM Commands With an Equivalent Function in the ACE 

CSM Command
Description

clear module csm

The ACE does not require the clear module csm command to remove connections to a real server. With the ACE, you clear real server connections by using the clear conn rserver command in Exec mode.

See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details.

hw-module csm slot standby config-sync

The ACE has feature parity with the CSM fault tolerant (FT) services to synchronize the configurations between the active and standby ACE modules. By default, the ACE automatically updates the running configuration on the standby context of an FT group with any changes that occur to the running configuration of the active context. Use the ft auto-sync command to manually disable and reenable the synchronization of the running configuration between the active and standby modules.

See the Cisco Application Control Engine Module Administration Guide for details.

module csm configuration mode, the variable command, except for the ARP and SYN_COOKIE environmental variable functions

The ACE does not require environmental variables in its configuration. The majority of the CSM environmental variables have been incorporated into the different parameter maps and traffic policies within the ACE CLI command structure. See the ACE documentation set for details on the different parameter maps and traffic policies supported by the ACE.

The only supported environmental variables for the ACE are those associated with the following functions:

ARP functions (such as ARP_INTERVAL and ARP_LEARN_MODE). See the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for details on the arp command and configuring ARP in the ACE.

SYN_COOKIE functions (such as SYN_COOKIE_INTERVAL and SYN_COOKIE_THRESHOLD). See the Cisco Application Control Engine Module Security Configuration Guide for details on the syn-cookie command and configuring the SYN cookie feature in the ACE.

redirect-vserver and its configuration submode commands (including the redirect-vserver command in real configuration submode)

The ACE has feature parity with the CSM redirect services function to configure a real server to receive traffic redirected by a redirect virtual server. However, the migration of the CSM redirect-vserver command and its submode commands are not supported in the conversion tool.

You can configure a real server to redirect traffic to a new location by using the rserver redirect command on the ACE.

See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for configuring redirect services on the ACE.

xml-config and its configuration submode commands

The ACE does not support the xml-config command and its configuration submode commands to configure the XML interface. Any command that can be configured from the ACE CLI can be configured remotely from an NMS by exchanging XML documents over HTTP or secure HTTP (HTTPS). You can transmit, exchange, and interpret data among the applications.

See the Cisco Application Control Engine Module Administration Guide for details.


ACE Module Documentation

You can access the ACE module documentation on www.cisco.com at:

http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

To familiarize yourself with the ACE module, refer to the following documentation:

Release Note for the Cisco Application Control Engine Module

Cisco Application Control Engine Module Hardware Installation Note

Cisco Application Control Engine Module Administration Guide

Cisco Application Control Engine Module Command Reference

Cisco Application Control Engine Module Getting Started Guide

Cisco Application Control Engine Module Routing and Bridging Configuration Guide

Cisco Application Control Engine Module Security Configuration Guide

Cisco Application Control Engine Module Server Load-Balancing Configuration Guide

Cisco Application Control Engine Module SSL Configuration Guide

Cisco Application Control Engine Module System Message Guide

Cisco Application Control Engine Module Virtualization Configuration Guide

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html