CSS-to-ACE Conversion Tool Guide, Cisco ACE Application Control Engine Module

Cisco CSS-to-ACE Conversion Tool User Guide

Table Of Contents

Cisco CSS-to-ACE Conversion Tool User Guide

Accessing the CSS-to-ACE Conversion Tool

Using the CSS-to-ACE Conversion Tool

Verifying and Modifying the Converted Configuration

Copying and Pasting the Converted Configuration File to the ACE

Example of a Copied Configuration File for Use By the ACE

Unsupported CSS Commands

ACE Module Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines



This document describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services Switches (CSS) running-configuration or startup-configuration files to the Cisco Application Control Engine (ACE) module. It describes how to access the conversion tool, use the tool to convert a CSS configuration to an ACE configuration, and copy the converted configuration to the ACE. This document also includes a summary of the CSS commands that are not supported by the conversion tool.

This document contains the following sections:

Accessing the CSS-to-ACE Conversion Tool

Using the CSS-to-ACE Conversion Tool

Verifying and Modifying the Converted Configuration

Copying and Pasting the Converted Configuration File to the ACE

Unsupported CSS Commands

ACE Module Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Accessing the CSS-to-ACE Conversion Tool

The conversion tool is included as part of the ACE software image and is accessible from the Cisco ACE Module web page using HTTP. To access the conversion tool, perform the following steps:


Step 1 Log in to the ACE CLI.

Step 2 Create a Layer 3 and Layer 4 management policy. Ensure that, at a minimum, you permit HTTP traffic in the management policy to enable remote access to the Cisco ACE Module web page. The following configuration example shows how to enable web access to the ACE to access the ACE web page. For details on enabling remote access to the ACE, see the Cisco Application Control Engine Module Administration Guide.

class-map type management match-any L4_REMOTE-ACCESS_CLASS
  description Enable remote access traffic to the ACE and the Cisco ACE Module web page
  2 match protocol https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
policy-map type management first-match L4_REMOTE-ACCESS_MATCH
  class L4_REMOTE-ACCESS_CLASS
    permit
 
   
interface vlan 10
  ip address 192.168.215.134 255.255.255.0
  service-policy input L4_REMOTE-ACCESS_MATCH
  no shutdown
 
   
ip route 0.0.0.0 0.0.0.0 192.168.215.1
 
   

Step 3 Open your preferred Internet web browser application, such as Microsoft Internet Explorer or Netscape Navigator.

Step 4 Specify the HTTP or secure HTTP (HTTPS) address of your ACE in the address field:

https://ace_ip_address
 
   
http://ace_ip_address
 
   

The Login dialog box appears.

Step 5 Log in with your ACE username and password in the fields provided, then click OK. The ACE Module web page appears (Figure 1).


Note Users with administrative privileges can access the CSS-to-ACE conversion tool.


Figure 1 Cisco ACE Module Web Page

Step 6 Click the CSS2ACE conversion tool link in the Tools section of the ACE web page. The CSS-to-ACE conversion tool appears (Figure 2). Proceed to the "Using the CSS-to-ACE Conversion Tool" section.

Figure 2 CSS-to-ACE Conversion Tool

 
   

Using the CSS-to-ACE Conversion Tool

You can convert a CSS startup- or running-config to an equivalent ACE startup- or running-config by using one of the following methods:

Copying and pasting the contents from a saved CSS configuration file or from the CSS show running-config or show startup-config command output to the conversion tool

Uploading a saved CSS configuration file to the conversion tool

To use the conversion tool to convert a CSS configuration, perform the following steps:


Step 1 By default, the Admin context is always assumed as the target virtual context on the ACE. To migrate a CSS configuration to a different virtual context (for example, C1), specify a different virtual context name in the User Context Name: text box (see Figure 3). The conversion tool generates the corresponding ACE configuration for the Admin context to create the requested virtual context.

Step 2 Add the contents from a saved CSS configuration file or from the CSS show running-config or show startup-config command output by copying and pasting the complete configuration into the text area of the Paste CSS Commands: section of the conversion tool (Figure 3). Proceed to Step 4.

Figure 3 Pasting the Content of a CSS Configuration into the CSS-to-ACE Conversion Tool

Step 3 Click Browse to select a CSS configuration file to upload to the conversion tool. Navigate to the CSS configuration file that you want to convert, then click Open. The CSS configuration file appears in the Upload CSS Command File: section of the conversion tool (Figure 4). Proceed to Step 4.

Figure 4 Uploading a CSS Configuration File

Step 4 Click Get ACE Commands to convert the CSS commands. The tool converts the CSS startup- or running-config to an equivalent ACE startup- or running-config (Figure 5).

Figure 5 Converted CSS Commands to ACE Commands Example

In addition, the conversion tool lists the CSS commands from the original configuration file (Figure 6).

Figure 6 Summary of Converted CSS Commands Example

The conversion tool also includes a list of any unsupported CSS commands (Figure 7). The Notes section provides additional information, as necessary. Proceed to the "Verifying and Modifying the Converted Configuration" section.

Figure 7 Unsupported CSS Commands

 
   

Verifying and Modifying the Converted Configuration

Before you copy and paste the converted CSS configuration to the ACE CLI, we recommend that you first carefully review the converted configuration in a text file and make the appropriate content changes based on your network topology and deployment. This step helps you to avoid potential issues or conflicts before you copy the converted CSS configuration text file to the ACE CLI prompt.

Follow these configuration guidelines when verifying and modifying the converted CSS configuration:

The CSS does not display default values in the running configuration or startup configuration file even if you manually enter those values. The CSS default settings for probes (keepalives), such as retryperiod, frequency and expect status, are automatically converted by the conversion tool to the ACE configuration. However, you must review, edit, and test the other areas in the converted configuration to ensure any additional CSS defaults are properly ported to the ACE configuration before deployment.

For the purpose of applying the Network Address Translation (NAT)-related CSS configurations, the least numbered VLAN is assumed to be the client-side VLAN and the next higher numbered VLAN is assumed to be the server-side VLAN. If you want to apply the NAT configurations to a different interface VLAN, manually make this change in the configuration. See the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for background details.

The keepalive hash command of the service configuration mode uses a default hash value if the hash string provided is not equal to 32 bits.

The keepalive type script command of the service configuration mode is currently not supported. You must manually configure each of these scripted keepalives using the Toolkit Command Language (TCL) scripts on the ACE. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for background details.

Service policies are added to only a single interface VLAN. If you want to apply the service policy to a different interface VLAN, manually make this change in the configuration. See the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for background details.

All SSL certificates must be imported into the associated context on the ACE before you apply the SSL-related configurations. See the Cisco Application Control Engine Module SSL Configuration Guide for background details.

The conversion tool does not convert the range option of the ip address command in service configuration mode; only the first IP address is converted. You must create individual real servers for each of the remaining IP addresses specified in the range option, and then add these real servers to the appropriate server farm. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for background details.

The conversion tool creates separate Layer 7 policy maps for each CSS content rule. The Layer 7 policy maps are created separately even when multiple content rules share the same VIP, which results in only one of the policy maps taking effect. Manually combine these Layer 7 policy maps in order to share the same VIP. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for background details.

See the "Unsupported CSS Commands" section for a list of the CSS CLI commands that are not supported during the conversion.

To verify the converted output configuration, perform the following steps:


Step 1 Copy the complete converted configuration listed in the ACE Commands: section of the conversion tool (see Figure 5) to a text file. Save this text file as an appropriately named configuration file.

Step 2 Review the output configuration in the text file and make the appropriate changes in this text file based on your network topology and deployment.

Step 3 Save your modifications in the configuration text file.

Step 4 Copy the contents of the modified configuration text file directly to the ACE CLI prompt as described in the "Copying and Pasting the Converted Configuration File to the ACE" section.
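A review aid for Step 2 above, as an added example (not part of the Cisco guide or the conversion tool): it parses a converted ACE configuration and flags class maps that share a VIP, service policies attached to only some interface VLANs, and management class maps that permit HTTP or Telnet. The sample configuration is constructed from the example output in this guide, and the function and check names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the show running-config example in this guide;
# "interface vlan 20" is added here only to exercise the single-VLAN check.
SAMPLE_ACE_CONFIG = """\
class-map match-all L3_LeastConnections_CLASS
  2 match virtual-address 10.1.1.100 any
class-map match-all L3_RoundRobin_CLASS
  2 match virtual-address 10.1.1.100 any
class-map match-all L5_ACA_CLASS
  2 match port tcp eq www
class-map type management match-any TO-CP-POLICY
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol snmp any
  6 match protocol ssh any
policy-map type management first-match TO-CP-POLICY
  class TO-CP-POLICY
    permit
interface vlan 10
  ip address 192.168.10.50 255.255.255.0
  service-policy input TO-CP-POLICY
  service-policy input POLICY
  no shutdown
interface vlan 20
  ip address 192.168.20.50 255.255.255.0
  no shutdown
"""

# Assumption of this example: HTTP and Telnet are the management protocols to
# flag, because they carry the login exchange unencrypted (HTTPS and SSH do not).
CLEARTEXT_MGMT = {"http", "telnet"}
SEQ = r"(?:\d+\s+)?"  # optional line number in front of a match statement


def parse_stanzas(text):
    """Split an ACE configuration into (header, [stripped child lines])."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or '!' comment
        if not line[0].isspace():
            stanzas.append((line, []))  # a column-0 line opens a stanza
        elif stanzas:
            stanzas[-1][1].append(line.strip())
    return stanzas


def review(text):
    """Return sorted (check, subject, detail) tuples for manual review."""
    findings = []
    vip_classes = defaultdict(list)   # VIP address -> L3/L4 class maps
    policy_vlans = defaultdict(list)  # service policy -> VLANs it is on
    vlans = []
    for header, body in parse_stanzas(text):
        words = header.split()
        if words[:3] == ["class-map", "type", "management"]:
            for child in body:
                m = re.match(SEQ + r"match protocol (\S+) (.+)$", child)
                if m and m.group(1) in CLEARTEXT_MGMT:
                    findings.append(("cleartext-mgmt", words[-1],
                                     f"{m.group(1)} from {m.group(2)}"))
        elif words[0] == "class-map" and "type" not in words[1:2]:
            for child in body:
                m = re.match(SEQ + r"match virtual-address (\S+)", child)
                if m:
                    vip_classes[m.group(1)].append(words[-1])
        elif len(words) == 3 and words[:2] == ["interface", "vlan"]:
            vlans.append(words[2])
            for child in body:
                if child.startswith("service-policy input "):
                    policy_vlans[child.split()[-1]].append(words[2])
    # Guideline: rules sharing a VIP get separate policies; only one takes effect.
    for vip, classes in vip_classes.items():
        if len(classes) > 1:
            findings.append(("shared-vip", vip, ", ".join(classes)))
    # Guideline: the tool attaches service policies to a single interface VLAN.
    for policy, attached in policy_vlans.items():
        missing = [v for v in vlans if v not in attached]
        if missing:
            findings.append(("single-vlan-policy", policy,
                             f"on vlan {', '.join(attached)}; "
                             f"not on vlan {', '.join(missing)}"))
    return sorted(findings)


if __name__ == "__main__":
    for check, subject, detail in review(SAMPLE_ACE_CONFIG):
        print(f"{check:20} {subject:14} {detail}")
```

Each finding is a prompt for manual review against your topology, not an automatic change; the shared-VIP check groups class maps by VIP address only.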

 
   

Copying and Pasting the Converted Configuration File to the ACE

To copy and paste the converted configuration directly to the ACE CLI prompt, perform the following steps:


Step 1 Log in to the ACE by entering the login username and password at the following prompt:

switch login: xxxxxx
Password: yyyyyy
 
   

By default, both the username and password are admin.

The prompt changes as follows:

switch/Admin# 
 
   

Step 2 Access configuration mode as follows:

switch/Admin# configure
Enter configuration commands, one per line. End with CNTL/Z
 
   

The prompt changes as follows:

switch/Admin(config)#
 
   

Step 3 Copy the complete contents of the Admin Context: section of the converted configuration (as illustrated in Figure 5). Paste the copied Admin Context: content at the configuration mode prompt of the ACE CLI. If you are operating in multiple contexts, this step automatically creates the new virtual context identified in the User Context Name: text box of the conversion tool.

For example, enter:

switch/Admin(config)# resource-class RC1
switch/Admin(config-resource)# limit-resource sticky minimum 10 maximum unlimited
switch/Admin(config-resource)# context C1
switch/Admin(config-context)#   member RC1
switch/Admin(config-context)#
 
   

Step 4 If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to the correct context by using the changeto command in Exec mode.

switch/Admin(config-context)# exit
switch/Admin(config)# 
switch/Admin(config)# exit
switch/Admin# changeto C1
switch/C1# configure
Enter configuration commands, one per line. End with CNTL/Z
switch/C1(config)# 
 
   

Step 5 Copy the complete contents of the Configuration Commands for xx Context: section of the converted configuration (as illustrated in Figure 5). Paste the copied Configuration Commands for xx Context: content at the configuration mode prompt of the ACE CLI.

For example, to copy the converted configuration to the C1 context, enter:

switch/C1(config)# probe http Server1_PROBE
switch/C1(config-probe-http)#   request method head url "/"
switch/C1(config-probe-http)# probe http Server2_PROBE
switch/C1(config-probe-http)#   request method head url "/"
switch/C1(config-probe-http)# probe http Server3_PROBE
switch/C1(config-probe-http)#   request method head url "/"
switch/C1(config-probe-http)#
switch/C1(config-probe-http)# rserver host Server1
switch/C1(config-rserver-host)#   inservice
switch/C1(config-rserver-host)#   ip address 10.1.1.1
switch/C1(config-rserver-host)#   probe Server1_PROBE
switch/C1(config-rserver-host)# rserver host Server2
switch/C1(config-rserver-host)#   inservice
switch/C1(config-rserver-host)#   ip address 10.1.1.2
switch/C1(config-rserver-host)#   probe Server2_PROBE
switch/C1(config-rserver-host)# rserver host Server3
switch/C1(config-rserver-host)#   ip address 10.1.1.3
switch/C1(config-rserver-host)#   probe Server3_PROBE
switch/C1(config-rserver-host)#   weight 5
switch/C1(config-rserver-host)#
switch/C1(config-rserver-host)# serverfarm host L3_LeastConnections
switch/C1(config-sfarm-host)#   predictor leastconns
switch/C1(config-sfarm-host)#   rserver Server1
switch/C1(config-sfarm-host-rs)#   rserver Server2
switch/C1(config-sfarm-host-rs)#   rserver Server3
switch/C1(config-sfarm-host-rs)# serverfarm host L3_RoundRobin
switch/C1(config-sfarm-host)#   rserver Server1
switch/C1(config-sfarm-host-rs)#   rserver Server2
switch/C1(config-sfarm-host-rs)#   rserver Server3
switch/C1(config-sfarm-host-rs)#     inservice
switch/C1(config-sfarm-host-rs)# serverfarm host L5_ACA
.
 
   

Step 6 (Optional) Save the updated contents of the running- or startup-configuration file as follows:

To merge the contents of the startup-config file into the running-config file, use the copy startup-config running-config command.

To copy the contents of the running-config file to the startup-config file in Flash memory, use the copy running-config startup-config command.

Proceed to the "Example of a Copied Configuration File for Use By the ACE" section.

 
   

Example of a Copied Configuration File for Use By the ACE

After you copy the contents of the converted CSS-to-ACE configuration to the ACE, use the following commands to view the updated content of either the running- or startup-config file:

To view the running-config file, use the show running-config command.

To view the startup-config file, use the show startup-config command.

The following example is from the show running-config command output. This example includes hypertext cross-references to the applicable chapters in the ACE documentation set that you can refer to for the configuration details. You can click the URLs located above the command output for the configuration details. Use the ACE CLI commands to make modifications to the configuration, as needed.

 
   
switch/C1# show running-config
Generating configuration....
 
   

! http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/probe.html

probe http Server1_PROBE
  request method head
probe http Server2_PROBE
  request method head
probe http Server3_PROBE
  request method head
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/rsfarms.html

rserver host Server1
  ip address 10.1.1.1
  probe Server1_PROBE
  inservice
rserver host Server2
  ip address 10.1.1.2
  probe Server2_PROBE
  inservice
rserver host Server3
  ip address 10.1.1.3
  probe Server3_PROBE
  weight 5
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/rsfarms.html

serverfarm host L3_LeastConnections
  predictor leastconns
  rserver Server1
  rserver Server2
  rserver Server3
serverfarm host L3_RoundRobin
  rserver Server1
  rserver Server2
  rserver Server3
    inservice
serverfarm host L5_ACA
  rserver Server1
  rserver Server2
  rserver Server3
serverfarm host L5_WeightedRR
  rserver Server1
  rserver Server2
  rserver Server3
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html

class-map match-all L3_LeastConnections_CLASS
  2 match virtual-address 10.1.1.100 any
class-map match-all L3_RoundRobin_CLASS
  2 match virtual-address 10.1.1.100 any
class-map match-all L5_ACA_CLASS
  2 match port tcp eq www
class-map type http loadbalance match-all L5_ACA_CLASSURL
  2 match http url /*.html
class-map match-all L5_WeightedRR_CLASS
  2 match port tcp eq www
class-map type http loadbalance match-all L5_WeightedRR_CLASSURL
  2 match http url /*.gif
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/access.html

class-map type management match-any TO-CP-POLICY
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol snmp any
  6 match protocol ssh any
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/access.html

policy-map type management first-match TO-CP-POLICY
  class TO-CP-POLICY
    permit
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html

policy-map type loadbalance first-match L3_LeastConnections_POLICY
  class class-default
    serverfarm L3_LeastConnections
policy-map type loadbalance first-match L3_RoundRobin_POLICY
  class class-default
    serverfarm L3_RoundRobin
policy-map type loadbalance first-match L5_ACA_POLICY
  class L5_ACA_CLASSURL
    serverfarm L5_ACA
policy-map type loadbalance first-match L5_WeightedRR_POLICY
  class L5_WeightedRR_CLASSURL
    serverfarm L5_WeightedRR
policy-map multi-match POLICY
  class L5_WeightedRR_CLASS
  class L5_ACA_CLASS
  class L3_LeastConnections_CLASS
    loadbalance vip inservice
    loadbalance policy L3_LeastConnections_POLICY
    loadbalance vip icmp-reply active
  class L3_RoundRobin_CLASS
    loadbalance vip inservice
    loadbalance policy L3_RoundRobin_POLICY
    loadbalance vip icmp-reply active
 
   

! http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/vlansif.html

interface vlan 10
  ip address 192.168.10.50 255.255.255.0
  service-policy input TO-CP-POLICY
  service-policy input POLICY
  no shutdown
 
   

!http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/rsfarms.html

domain foo.com
  add-object serverfarm L3_LeastConnections
  add-object serverfarm L3_RoundRobin
  add-object serverfarm L5_ACA
  add-object serverfarm L5_WeightedRR
  add-object rserver Server1
  add-object rserver Server2
  add-object rserver Server3

Unsupported CSS Commands

The tool converts the majority of the CSS commands to comparable ACE commands. The converted output includes a list of the commands that are not supported by the tool during the conversion process (Figure 8).

Figure 8 Unsupported CSS Commands Area of the CSS-to-ACE Conversion Tool

Table 1 summarizes the CSS commands and command options that do not have an equivalent function in the ACE and are not supported by the conversion tool. The unsupported CSS commands are listed by global configuration mode. Table 1 also identifies the commands in the ACE CLI that provide the most comparable function to match the associated CSS command.

Table 1 List of CSS Commands Not Supported in the ACE 

CSS Command
CSS Command Function
ACE Command Workaround

Global Configuration Mode

bypass persistence

The bypass persistence command determines if the CSS performs either a service remapping or HTTP redirection operation to reset a bypassed service when a content request matches on a content rule.

The ACE supports a transparent server farm to send client requests unNATed to the real server using the MAC address of the real server IP address.

The ACE also applies service policies that are based on the interface traffic being received. For caching environments, the service policies that address client traffic are different than the service policies that address traffic that is sourced from a cache. This capability allows the ACE to have the same functionality without the requirement of a special command or configuration.

dns-record accel

Creates a domain acceleration record on the CSS mapped to a content rule through an IP address.

The ACE does not directly support global server load balancing (GSLB). If you are migrating from the CSS to the ACE with the CSS Enhanced license, refer to the Cisco ACE GSS 4400 Series Global Site Selector (GSS) appliances for a dedicated GSLB and DNS appliance.

The ACE can be used as the server load-balancing (SLB) device with the GSS platform for GSLB support. The GSS load balances geographically distributed data centers based on DNS requests. It also load balances any DNS-capable device that can be registered in the DNS system, such as the ACE.

See the Cisco GSS documentation set for background information at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html

dns-server

Enables the DNS server function on the CSS. The CSS acts as the authoritative name server for the content domain.

The ACE does not directly support global server load balancing (GSLB). If you are migrating from the CSS to the ACE with the CSS Enhanced license, refer to the Cisco ACE GSS 4400 Series Global Site Selector (GSS) appliances for a dedicated GSLB and DNS appliance.

The ACE can be used as the server load-balancing (SLB) device with the GSS platform for GSLB support. The GSS load balances geographically distributed data centers based on DNS requests. It also load balances any DNS-capable device that can be registered in the DNS system, such as the ACE.

See the Cisco GSS documentation set for background information at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html

flow permanent port

Supports long-lived flows such as Telnet sessions and TN3270 sessions. This command prevents flows from timing out of the CSS or being reclaimed by the memory management process.

The ACE does not reclaim flows as performed by the CSS, so connections are maintained on the ACE until an end sequence is encountered (a TCP RST or FIN sequence), or until the idle timer has expired. You can use a parameter map on the ACE to extend the connection or to make the connection permanent by specifying 0 for the set timeout inactivity command as the idle timer.

flow persist-span-ooo

Enables the reordering of persistent spanning packets in the CSS.

By default, the ACE reassembles packets when terminating TCP for Layer 7 operations (for example, SSL, TCP server reuse, HTTP compression, HTTP load balancing, and application protocol inspections).

flow set-port-zero

Enables the CSS to pass traffic using port 0 as the TCP/UDP source port and as the destination port.

TCP/IP normalization on the ACE includes a function to drop any connections that are sourced from port 0 or that are destined to port 0. The ACE does not include configuration parameters that support this type of traffic to pass through the ACE.

flow-state port_number

Sets the flow states of TCP and UDP ports in the CSS flow-state table.

The ACE handles all connections as stateful. UDP connections can be timed out quickly to effectively provide per-packet load balancing for UDP applications such as DNS servers, where many requests come into the ACE with the same SrcIP:port and DestIP:port.

This capability allows the ACE to distribute incoming requests to each real server; otherwise the ACE would see all requests as a part of the same UDP connection.

flow-state flow-disable timeout

Sets the wait time for any response from a server for a configured flow-disable port.

The ACE does not reclaim flows in the same manner as the CSS does; the ACE maintains connections until an end sequence is encountered (a TCP RST or FIN sequence) or until the idle timer has expired. You can use a parameter map in the ACE to extend the connection or to make the connection permanent by specifying 0 for the set timeout inactivity command as the idle timer.

flow tcp-reset-on-vip-unavailable

Configures the CSS to send a TCP RST (reset) to a client when a VIP is unavailable. The CSS sends the TCP reset only in response to a TCP packet that is destined for a VIP hosted by the CSS, and only if that VIP is unavailable.

The ACE automatically sends a TCP RST to a client when a VIP is unavailable. This is the default behavior for the ACE.

http-method parse

Configures the CSS to support all HTTP methods defined in RFC-2518, including RFC-2616, and to configure user-defined methods.

A Layer 5 content rule in the CSS supports the HTTP CONNECT, GET, HEAD, POST, and PUT methods. The CSS recognizes and forwards the following HTTP request methods directly to the destination server in a transparent caching environment but does not load balance these methods: OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, MOVE, LOCK, UNLOCK, COPY, and DELETE.

By default, the ACE handles any HTTP request method and load balances the request at Layer 7. When you enable HTTP inspection, the function supports the well-defined methods listed in RFC 2616 and RFC 2518.

Note Custom or unsupported methods will trigger a TCP RST if you enable HTTP inspection.

http-redirect-option

Configures the CSS to send specific TCP FIN and RST flags with HTTP 302 redirect messages. By default, when the CSS sends an HTTP 302 redirect message, it also sends a FIN flag on an initial connection and RST flags on subsequent requests in a persistent connection.

When a redirect server is applied, the ACE sends the HTTP redirect response and sets the FIN flag in the same packet as the response.

persistence reset redirect and persistence reset remap

With the persistence reset redirect command, when a second GET request for content rule 2 arrives, the CSS sends a TCP RST to the server from content rule 1 and a 302 Redirect for the VIP back to the client. It is expected that the browser will reopen a new connection to the VIP.

With the persistence reset remap command, when a second GET request for content rule 2 arrives, the CSS sends a TCP RST to the server from content rule 1, opens a new back-end connection to the server from content rule 2, and forwards the GET request. The connection from client to VIP remains untouched.

The ACE allows HTTP requests to be sent to a different server farm by using a persistent reset remap type behavior (the persistence-rebalance command). For VIPs where persistence rebalance is defined as part of the HTTP parameter map, the ACE will inspect each request. If a subsequent request matches a different server farm, the ACE sends a TCP RST to the real server in the existing server farm and initiates a new TCP connection to the newly selected server farm and real server.

Note When you configure TCP server reuse in an HTTP parameter map, the connection to the real server is not a TCP reset, but rather the connection is marked as idle and available for another HTTP request.

restrict

Disables Telnet, SNMP, SSH, console, FTP, user database, secure or unsecured XML, or CVDM access to the CSS. The no form of the restrict command enables access to the CSS.

By default, the ACE denies incoming management traffic. To allow management traffic to the ACE and define the protocol and subnet or host to have remote access to the ACE, you must:

Use the class-map type management command to create a Layer 3 and Layer 4 class map to classify the remote network management traffic received by the ACE.

Use the policy-map type management command to configure a Layer 3 and Layer 4 policy map that defines the different actions that are applied to the IP management traffic received by the ACE.

Use the service-policy command to apply a previously created policy map and attach the traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.

When a management traffic policy is applied to an interface, the internal ACLs are automatically updated by the ACE to allow the configured management traffic to pass. See Chapter 2, Configuring Remote Access to the ACE, in the Cisco Application Control Engine Module Administration Guide.

slowstart rate

Increases or decreases the rate at which a service receives connections during the slow-start process. Decreasing the value slows the rate at which a service receives connections and increasing the value quickens the rate at which a service receives connections. A value of 0 disables the slow-start feature on all leastconn content rules configured on the CSS, even though the slow-start timer is set on a content rule.

When the connections on the slow-start service equal the number of connections of the other services on the rule, the service exits the slow-start process even when time remains on the slow-start service.

When the slow-start timer times out for the service, the service exits the slow-start process even though its connections do not equal the number of connections for the other services on the rule.

The ACE does not allow the configuration of a slowstart rate. The ACE handles the rate at which load is sent to a newly inservice real server for as long as the real server is in the slowstart mode. Similar to the CSS, the ACE does support a timer for slowstart mode; this timer can be configured as an optional predictor leastconns parameter within the server farm.

snmp trap-source

Sets the source IP address in the traps generated by the CSS.

To specify the VLAN interface identified in the trap source address contained in the SNMP v1 trap PDU, use the snmp-server trap-source vlan command in configuration mode. See Chapter 7, Configuring SNMP, in the Cisco Application Control Engine Module Administration Guide.

Note the following operating considerations for the snmp-server trap-source vlan command:

If you do not configure the snmp-server trap-source vlan command, the ACE takes the source IP address from the internal routing table, which is dependent on the destination host address where the notification is to be sent.

If you specify a VLAN number of an interface that does not have a valid IP address, the ACE will fail in sending notifications for SNMP v1 traps.

sshd, the server-keybits option

Sets the number of bits in the SSH server key.

To generate the SSH private key and the corresponding public key for use by the SSH server, use the ssh key command in configuration mode.

Before you generate the SSH key, ensure that you set the hostname and the domain name. These two settings are used in the SSH host pair key.

See Chapter 2, Configuring Remote Access to the ACE, in the Cisco Application Control Engine Module Administration Guide.

tacacs-server frequency

Sets the global CSS TACACS+ keepalive frequency for the specified TACACS+ server.

Use the tacacs-server deadtime command to globally set the time interval in which the ACE verifies whether a nonresponsive server is operational. In the ACE, the dead-time interval starts when the server does not respond to an authentication request transmission. When the server responds to a probe access-request packet, the ACE retransmits the authentication request to the server.

Using the tacacs-server deadtime command causes the ACE to mark as dead any TACACS+ servers that fail to respond to authentication requests. This action avoids the wait for the request to time out before trying the next configured server. The ACE skips a TACACS+ server that is marked as dead by additional requests for the duration of minutes.

See Chapter 2, Configuring Authentication and Accounting Services, in the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

tcp-ip-fragment-enabled

Allows the CSS to flow-process TCP/IP fragments. This feature performs content rule-based forwarding using the Layer 3 (IP address) and Layer 4 (TCP port) information in the IP header and the TCP header. Layer 5 forwarding decisions for IP fragments, based on the packet payload (data), are not supported.

By default, the ACE reassembles packets when terminating TCP for Layer 7 operations (for example, SSL, TCP server reuse, HTTP compression, HTTP load balancing, and application protocol inspections).

Content Configuration Mode Commands

add dns

Maps a DNS name to a content rule when the CSS acts as a DNS server.

The ACE does not support a DNS service for VIPs or GSLB. If you are migrating from the CSS to the ACE with the CSS Enhanced license, refer to the Cisco ACE GSS 4400 Series Global Site Selector (GSS) appliances for a dedicated GSLB and DNS appliance.

The ACE can be used as the server load-balancing (SLB) device with the GSS platform for GSLB support. The GSS load balances geographically distributed data centers based on DNS requests. It also load balances any DNS-capable device that can be registered in the DNS system, such as the ACE.

See the Cisco GSS documentation set for background information at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html

add location-service

Enables location-cookies for GSLB.

If you need to use the CSS location cookie function on the ACE, you can provide this functionality by combining the cookie insert and cookie learning functions of the ACE. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for configuring HTTP cookie stickiness.

add sasp-agent

The Server/Application State Protocol (SASP) functionality works with IBM's EWLM SASP Manager to distribute load to the EWLM services.

The ACE does not support SASP. If you require load balancing that is based on dynamic server health, configure an SNMP-based server load probe. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

The following options of the advanced-balance command in Content configuration mode:

advanced-balance cookieurl

Functions the same as the supported cookies option of the advanced-balance command, but if the CSS cannot find the cookie header in the HTTP packet, this type of failover looks up the URL extensions (that is, the portion after the "?" in the URL) based on the same string criteria. You can use this option with any Layer 5 HTTP content rule.

You can configure an alternative cookie name that appears in the URL string of the web page on the server. The ACE uses this cookie to maintain a sticky connection between a client and a server and adds a secondary entry in the sticky table.

To configure a secondary cookie, use the cookie secondary command in sticky-cookie configuration mode. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

advanced-balance sip-call-id

Enables the content rule to stick a client to a server based on the Session Initiation Protocol (SIP) call ID. The application type must be SIP for the content rule and the protocol must be UDP.

The ACE fully supports SIP-aware load balancing (including Call-ID stickiness) to ensure that messages for a particular Call-ID from different TCP or UDP connections reach the correct servers. Stickiness by Call-ID is particularly important for stateful call services that use the Call-ID to identify current SIP sessions and make decisions based on the content of a message.

If you configure SIP stickiness and the ACE finds the Call-ID in the header of the SIP messages sent from the client to the server, the ACE generates a key (hash value) based on the Call-ID. The ACE uses the key to look up an entry in the sticky table. If the entry exists, the ACE sends the client to the sticky server indicated by the table entry. If the entry does not exist, the ACE creates a new sticky entry, hashes the SIP Call-ID value into a key, and saves the key in the entry.
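The sticky lookup described above, modeled in Python as an added example (not code from this guide or from the ACE). The SHA-256 key, the round-robin predictor used for new entries and for messages without a Call-ID, the real-server names, and the sample SIP messages are all assumptions; this page does not document the ACE's internal hash.

```python
import hashlib
from itertools import cycle

REAL_SERVERS = ["sip-rs1", "sip-rs2", "sip-rs3"]  # hypothetical real-server names


def sip_message(request_line, headers):
    """Build a constructed SIP request with CRLF line endings and no body."""
    return "\r\n".join([request_line] + headers) + "\r\n\r\n"


# Constructed sample messages (not captured traffic).
INVITE_A = sip_message("INVITE sip:bob@example.com SIP/2.0", [
    "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds",
    "Call-ID: a84b4c76e66710@pc33.example.com",
    "CSeq: 314159 INVITE",
])
INVITE_B = sip_message("INVITE sip:carol@example.com SIP/2.0", [
    "Via: SIP/2.0/UDP pc44.example.com;branch=z9hG4bK4b43c2ff8",
    "call-id: 3848276298220188511@pc44.example.com",  # header names are case-insensitive
    "CSeq: 1 INVITE",
])
# Same dialog as INVITE_A, arriving over a different transport connection
# and using the compact header form "i" defined by RFC 3261.
BYE_A = sip_message("BYE sip:bob@example.com SIP/2.0", [
    "Via: SIP/2.0/TCP pc33.example.com;branch=z9hG4bKnashds10",
    "i: a84b4c76e66710@pc33.example.com",
    "CSeq: 314160 BYE",
])
NO_CALL_ID = sip_message("OPTIONS sip:bob@example.com SIP/2.0", ["CSeq: 1 OPTIONS"])


def extract_call_id(message):
    """Return the Call-ID value from the header section, or None if absent."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("call-id", "i"):
            return value.strip()
    return None


def sticky_key(call_id):
    """Hash the Call-ID into a table key (assumed hash, stands in for the ACE's)."""
    return hashlib.sha256(call_id.encode("utf-8")).hexdigest()[:16]


class StickyTable:
    """Maps hashed Call-IDs to the real server chosen for the first message."""

    def __init__(self, servers):
        self._predictor = cycle(list(servers))  # assumed round-robin predictor
        self.entries = {}

    def select(self, message):
        """Return (server, outcome) for one client-to-server SIP message."""
        call_id = extract_call_id(message)
        if call_id is None:
            # Assumption: without a Call-ID no sticky entry is created and
            # the predictor alone picks the server.
            return next(self._predictor), "no-call-id"
        key = sticky_key(call_id)
        if key in self.entries:
            return self.entries[key], "sticky-hit"
        server = next(self._predictor)
        self.entries[key] = server
        return server, "sticky-new"


if __name__ == "__main__":
    table = StickyTable(REAL_SERVERS)
    for label, msg in [("INVITE A", INVITE_A), ("INVITE B", INVITE_B),
                       ("BYE A", BYE_A), ("OPTIONS", NO_CALL_ID)]:
        print(label, table.select(msg))
```

The BYE reaches the same real server as the INVITE of its dialog even though it arrives on a different connection and spells the header in compact form, which is the behavior a stateful call service depends on.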

advanced-balance ssl

Enables the content rule to stick the client to the server based on the Secure Sockets Layer (SSL) version 3 session ID assigned by the server. The application type must be SSL for the content rule. You must specify a port in the content rule to use the ssl option. The CSS will then spoof the connection.

If your application requires SSL sticky, configure SSL termination on the ACE. See Chapter 3, Configuring SSL Termination, in the Cisco Application Control Engine Module SSL Configuration Guide.

If you do not wish to use SSL termination on the ACE, you can configure a generic protocol-parsing policy to implement SSL Session ID persistence. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

advanced-balance ssl-l4-fallback

Disables the CSS from inserting a Layer 4 hash value, which is based on the source IP address and destination address pair, into the sticky table.

Configure a generic protocol-parsing policy on the ACE to implement SSL Session ID persistence. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

The ACE uses generic protocol parsing for SSL Session ID stickiness, which is not susceptible to the issues seen when applying SSL persistence on the CSS.

advanced-balance url

Enables the content rule to stick a client to a server based on a configured string found in the URL of the HTTP request.

The ACE provides a comparable advanced-balance url command behavior if you configure the server farm hash URL predictor in conjunction with the HTTP parameter map persistence rebalance function, and apply this configuration to a VIP. The hash URL predictor selects the server by using a hash value based on the requested URL. Use this predictor method to load balance cache servers. Cache servers perform better with the URL hash method because you can divide the contents of the caches evenly if the traffic is random enough. In a redundant configuration, the cache servers continue to work even if the active ACE switches over to the standby ACE.

As with the CSS, the ACE allows portions of the URL to be matched using regex begin and end patterns.

Sticky Layer 4 Payload may be a useful alternative if hashing is not desired.

advanced-balance wap-msisdn

Enables a Layer 5 content rule to stick a client to a server based on the MSISDN header of the HTTP request. MSISDN is the header field for wireless clients using the Wireless Application Protocol (WAP).

The ACE supports HTTP header hashing through the configuration of the hash predictor. MSISDN or other custom fields can be defined, and, if matched, the ACE performs a hash on the value of the header. If an HTTP request does not contain a matching header, the default roundrobin load balancing will be used.

The following options of the application command in Content configuration mode:

application sip

Processes Session Initiation Protocol (SIP) data streams as the application type associated with the content rule. The application type enables the CSS to correctly interpret and parse the data streams matching the content rule. Otherwise, the data stream packets are rejected.

For SIP-aware load balancing, see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

application ssl

Processes Secure Sockets Layer (SSL) protocol data streams as the application type associated with the content rule. The application type enables the CSS to correctly interpret and parse the data streams matching the content rule. Otherwise, the data stream packets are rejected.

If your application requires SSL sticky, configure SSL termination on the ACE. See Chapter 3, Configuring SSL Termination, in the Cisco Application Control Engine Module SSL Configuration Guide.

If you do not wish to use SSL termination on ACE, you can configure a generic protocol-parsing policy to implement SSL Session ID persistence. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

The following options of the balance command in Content configuration mode:

balance aca

ArrowPoint Content Awareness algorithm. The CSS correlates content request frequency with the server's response times.

To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. The ACE allows users to load balance traffic based on one of three different response times:

app-req-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.

syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.

syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server.

The ACA algorithm uses response measurements between the SYN and FIN. The ACE closely matches these response measurements by using the syn-to-close metrics.

balance domain

Domain name division. The CSS uses the domain name in the request URI to direct the client request to the appropriate service.

The ACE supports the use of a hash predictor on standard HTTP headers (such as the Host header). By default, the ACE will hash across the entire Header value. However, the ACE can be limited to mimic the 4-character hash that the CSS provides for the domain option of the balance command.

balance domainhash

Internal CSS hash algorithm based on the domain string. The CSS uses the algorithm to hash the entire domain string. Then, the CSS uses the hash result to choose the server.

The ACE supports the use of a hash predictor on standard HTTP headers (such as the Host header). By default, the ACE will hash across the entire Header value.

balance url

URL division. The CSS uses the URL (omitting the leading slash) in the redirect URL to direct the client requests to the appropriate service.

The ACE provides a comparable advanced-balance url command behavior if you configure the server farm hash URL predictor in conjunction with the HTTP parameter map persistence rebalance function, and apply this configuration to a VIP. The hash URL predictor selects the server by using a hash value based on the requested URL. Use this predictor method to load balance cache servers. Cache servers perform better with the URL hash method because you can divide the contents of the caches evenly if the traffic is random enough. In a redundant configuration, the cache servers continue to work even if the active ACE switches over to the standby ACE.

As with the CSS, the ACE allows portions of the URL to be matched using regex begin and end patterns.

Sticky Layer 4 Payload may be a useful alternative if hashing is not desired.

balance urlhash

Internal CSS hash algorithm based on the URL string. The CSS uses the algorithm to hash the entire URL string. Then, the CSS uses the hash result to choose the server.

The ACE provides a comparable advanced-balance url command behavior if you configure the server farm hash URL predictor in conjunction with the HTTP parameter map persistence rebalance function, and apply this configuration to a VIP. The hash URL predictor selects the server by using a hash value based on the requested URL. Use this predictor method to load balance cache servers. Cache servers perform better with the URL hash method because you can divide the contents of the caches evenly if the traffic is random enough. In a redundant configuration, the cache servers continue to work even if the active ACE switches over to the standby ACE.

As with the CSS, the ACE allows portions of the URL to be matched using regex begin and end patterns.

Sticky Layer 4 Payload may be a useful alternative if hashing is not desired.

dnsbalance

Determines where to resolve a request for a domain name into an IP address.

The ACE does not support a DNS service for VIPs or GSLB. If you are migrating from the CSS to the ACE with the CSS Enhanced license, refer to the Cisco ACE GSS 4400 Series Global Site Selector (GSS) appliances for a dedicated GSLB and DNS appliance.

The ACE can be used as the server load-balancing (SLB) device with the GSS platform for GSLB support. The GSS load balances geographically distributed data centers based on DNS requests. It also load balances any DNS-capable device that can be registered in the DNS system, such as the ACE.

See the Cisco GSS documentation set for background information at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html

dns-disable-local

Informs other CSSs through APP that the services related to the content rule are not available for DNS activities. However, the services remain active for other activities.

The ACE does not support a DNS service for VIPs or GSLB. If you are migrating from the CSS to the ACE with the CSS Enhanced license, refer to the Cisco ACE GSS 4400 Series Global Site Selector (GSS) appliances for a dedicated GSLB and DNS appliance.

The ACE can be used as the server load-balancing (SLB) device with the GSS platform for GSLB support. The GSS load balances geographically distributed data centers based on DNS requests. It also load balances any DNS-capable device that can be registered in the DNS system, such as the ACE.

See the Cisco GSS documentation set for background information at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html

failover

Defines what will happen to content requests when a service fails or is suspended.

Use a backup server farm, where you configure the server farm as transparent and the real server in the server farm has the IP address of the next hop.

flow-reset-reject

Enables the CSS flow manager subsystem to send a TCP RST (reset) frame when a flow for requested content is mapped to a destination IP address that is no longer reachable. The flow-reset-reject command prevents a CSS client from hanging up and retransmitting when the request can never be serviced.

The ACE sends a TCP reset for new connections if the VIP is down or all of the real servers are out of service.

Use the failaction purge command to instruct the ACE to purge Layer 3 and Layer 4 connections if a real server fails. The failaction purge command forces the ACE to send a TCP RST to established connections if the connected real server fails. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

hotlist

Enables the hot list for the content rule and configures hot-list parameters for Demand-Based Content Replication (Dynamic Hot Content Overflow).

The ACE does not support Demand-Based Content Replication (Dynamic Hot Content Overflow).

load-threshold

Sets the normalized load threshold for the availability of each local service on the content rule. When the service load metric exceeds this threshold, the local service becomes unavailable and is redirected to the remote services.

The ACE uses thresholds on server farm predictors to determine when a service should no longer be in the rotation. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

persistent

Maintains a persistent connection with a server. In content rule persistence, the CSS keeps the client on the same service connection specified by the content rule for an entire flow session as long as a new content request:

Matches on the same content rule that specified the current service.

Matches on a new content rule that contains the current service, even if a different best service is specified by the content rule.

Does not match on a content rule, but matches on a previous content rule that connected the client to the current service.

The default behavior of the ACE is to enable persistence for Layer 7 connections, where the same server will be used whenever a request matches a Layer 7 class map that uses the same server farm as was previously accessed. For requests matching class maps with different server farms, the ACE sends a TCP RST to the previous server connection and establishes a new TCP connection to a real server in the new server farm.

sticky-serverdown-failover

Defines what will happen when a sticky string is found but the associated service has failed or is suspended.

The ACE will load balance connections again when the real server that those connections were stuck to is not in service.

string-prefix

Specifies the string prefix located in the sticky range. The string result is a sticky string in the cookie header, URL, or URL extension based on a sticky type being configured.

This value is defined within the sticky group configuration in the ACE. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

url eql

Defines an extension qualifier list (EQL). This list is a collection of file extensions for content requests joined together through content rules. The CSS uses this list to identify which requests to send to a service.

The ACE supports extensions using a Layer 7 load-balancing class map.

The following is a regex example:

host1/Admin(config)# class-map type http loadbalance match-any cacheable
host1/Admin(config-cmap-http-lb)# description graphics
host1/Admin(config-cmap-http-lb)# 2 match http url .*(gif|jpg|png)

The following is an individual matching example:

host1/Admin(config)# class-map type http loadbalance match-any cacheable
host1/Admin(config-cmap-http-lb)# description graphics
host1/Admin(config-cmap-http-lb)# 2 match http url .*gif
host1/Admin(config-cmap-http-lb)# 3 match http url .*jpg
host1/Admin(config-cmap-http-lb)# 4 match http url .*png

See Chapter 3, Configuring Traffic Policies for Server Load Balancing, in the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

url dql

Defines a domain qualifier list (DQL). This list is a collection of domain names (hosts) for content requests joined together through content rules. The CSS uses this list to identify which requests to send to a service.

The ACE supports extensions using a Layer 7 load-balancing class map. For example:

host1/Admin(config)# class-map type http loadbalance match-any example
host1/Admin(config-cmap-http-lb)# 2 match http header Host header-value "example.com"
host1/Admin(config-cmap-http-lb)# 3 match http header Host header-value "www.example.com"
host1/Admin(config-cmap-http-lb)# 4 match http header Host header-value "origin.www.example.com"
host1/Admin(config-cmap-http-lb)# 5 match http header Host header-value "secure.www.example.com"

See Chapter 3, Configuring Traffic Policies for Server Load Balancing, in the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

url urql

Defines a Uniform Resource Locator qualifier list (URQL). This list is a collection of URLs for content requests joined together through content rules. The CSS uses this list to identify which requests to send to a service.

The ACE supports extensions using a Layer 7 load-balancing class map. For example:

The following is a regex example:

host1/Admin(config)# class-map type http loadbalance match-any cacheable
host1/Admin(config-cmap-http-lb)# description graphics
host1/Admin(config-cmap-http-lb)# 2 match http url /(images|logos|icons)/example-logo.jpg

The following is an individual matching example:

host1/Admin(config)# class-map type http loadbalance match-any cacheable
host1/Admin(config-cmap-http-lb)# 2 match http url /images/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 3 match http url /logos/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 4 match http url /icons/example-logo.jpg

See Chapter 3, Configuring Traffic Policies for Server Load Balancing, in the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

vip-ping-response

Includes local and remote services in the decision by the CSS to respond to a ping request to a VIP address configured on a content rule. By default, a CSS responds to a ping request to a VIP address configured on a content rule if any of the local services on the rule are alive.

You can enable a VIP to reply to ICMP ECHO requests by using the loadbalance vip icmp-reply command in policy-map class configuration mode. For example, if a user sends an ICMP ECHO request to a VIP, this command instructs the VIP to send an ICMP ECHO-REPLY.

Header-Field Group Configuration Mode

header-field

A request header-field group contains a list of defined header-field entries used by the content rule lookup process. Each header-field group is given a unique name so different content rules can use them. A group can contain several header-field entries.

The ACE supports extensions using a Layer 7 load-balancing class map. For example:

The following is a regex example:

host1/Admin(config)# class-map type http loadbalance match-any cacheable
host1/Admin(config-cmap-http-lb)# description graphics
host1/Admin(config-cmap-http-lb)# 2 match http url /(images|logos|icons)/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 3 match http header Host header-value "example.com"
host1/Admin(config-cmap-http-lb)# 4 match http header Host header-value "www.example.com"

The following is an individual matching example:

host1/Admin(config)# class-map type http loadbalance match-any cacheable
host1/Admin(config-cmap-http-lb)# 2 match http url /images/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 3 match http url /logos/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 4 match http url /icons/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 5 match http header Host header-value "example.com"
host1/Admin(config-cmap-http-lb)# 6 match http header Host header-value "www.example.com"

See Chapter 3, Configuring Traffic Policies for Server Load Balancing, in the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
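When a qualifier list or header-field group is rewritten by hand as a class map, it helps to confirm that the regex form and the individual-match form classify the same requests before pasting either into the ACE. The Python check below is an added example, not part of this guide or of the conversion tool: it parses the two header-field class maps shown above (wrapped lines rejoined) and compares them on constructed requests. It assumes each expression must match the whole URL or header value and uses Python's `re` module as a stand-in for the ACE regex engine; the `case_insensitive` flag models the case-insensitive matching that this guide says an HTTP parameter map enables.

```python
import re
from dataclasses import dataclass, field

# The two header-field class maps from this guide, one command per line.
REGEX_FORM = """\
host1/Admin(config)# class-map type http loadbalance match-any cacheable
host1/Admin(config-cmap-http-lb)# description graphics
host1/Admin(config-cmap-http-lb)# 2 match http url /(images|logos|icons)/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 3 match http header Host header-value "example.com"
host1/Admin(config-cmap-http-lb)# 4 match http header Host header-value "www.example.com"
"""
INDIVIDUAL_FORM = """\
host1/Admin(config)# class-map type http loadbalance match-any cacheable
host1/Admin(config-cmap-http-lb)# 2 match http url /images/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 3 match http url /logos/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 4 match http url /icons/example-logo.jpg
host1/Admin(config-cmap-http-lb)# 5 match http header Host header-value "example.com"
host1/Admin(config-cmap-http-lb)# 6 match http header Host header-value "www.example.com"
"""

# Constructed sample requests: (URL, headers). Not taken from real traffic.
SAMPLE_REQUESTS = [
    ("/images/example-logo.jpg", {"Host": "static.example.net"}),
    ("/logos/example-logo.jpg", {"Host": "static.example.net"}),
    ("/icons/example-logo.jpg", {"Host": "static.example.net"}),
    ("/index.html", {"Host": "www.example.com"}),
    ("/index.html", {"Host": "static.example.net"}),
    ("/Images/example-logo.jpg", {"Host": "static.example.net"}),
]

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")
CLASS_MAP = re.compile(r"class-map type http loadbalance (match-any|match-all) (\S+)$")
MATCH_URL = re.compile(r"\d+ match http url (\S+)$")
MATCH_HDR = re.compile(r'\d+ match http header (\S+) header-value "?([^"]+)"?$')


@dataclass
class ClassMap:
    name: str
    mode: str                                  # "match-any" or "match-all"
    rules: list = field(default_factory=list)  # (kind, header_name, expression)

    def matches(self, url, headers, case_insensitive=False):
        """Evaluate every match statement against one request."""
        flags = re.IGNORECASE if case_insensitive else 0
        lowered = {k.lower(): v for k, v in headers.items()}
        results = []
        for kind, header_name, expr in self.rules:
            value = url if kind == "url" else lowered.get(header_name.lower())
            # Assumption: the expression must cover the entire value.
            hit = value is not None and re.fullmatch(expr, value, flags) is not None
            results.append(hit)
        if self.mode == "match-any":
            return any(results)
        return bool(results) and all(results)


def parse_class_map(transcript):
    """Parse one class map from a CLI transcript, ignoring prompts and descriptions."""
    cmap = None
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := CLASS_MAP.match(line):
            cmap = ClassMap(name=m.group(2), mode=m.group(1))
        elif cmap and (m := MATCH_URL.match(line)):
            cmap.rules.append(("url", None, m.group(1)))
        elif cmap and (m := MATCH_HDR.match(line)):
            cmap.rules.append(("header", m.group(1), m.group(2)))
    if cmap is None:
        raise ValueError("no class-map line found")
    return cmap


def differences(a, b, requests, case_insensitive=False):
    """Return the requests on which the two class maps disagree."""
    return [(url, hdrs) for url, hdrs in requests
            if a.matches(url, hdrs, case_insensitive)
            != b.matches(url, hdrs, case_insensitive)]


if __name__ == "__main__":
    regex_cm = parse_class_map(REGEX_FORM)
    individual_cm = parse_class_map(INDIVIDUAL_FORM)
    print("disagreements:", differences(regex_cm, individual_cm, SAMPLE_REQUESTS))
    for url, hdrs in SAMPLE_REQUESTS:
        print(url, hdrs["Host"], regex_cm.matches(url, hdrs))
```

The last sample request, with `/Images` capitalized, falls outside both class maps under the default case-sensitive matching and inside both once `case_insensitive=True` is passed.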

Interface Configuration Mode Commands

max-idle

Sets the maximum idle time for the interface. You use the max-idle command as a troubleshooting tool to verify an interface's ability to receive traffic. If the interface does not receive traffic within the maximum time configured, the CSS reinitializes it automatically.

This command is not applicable for the ACE module.

phy 1Gbits-FD-asym

Sets the Gigabit Ethernet port to full-duplex mode with asymmetric pause toward the link partner.

This command is not applicable for the ACE module.

phy 1Gbits-FD-sym

Sets the Gigabit Ethernet port to full-duplex mode with symmetric pause (pause frames transmitted and received by the CSS).

This command is not applicable for the ACE module.

phy 1Gbits-FD-no-pause

Sets the Gigabit Ethernet port to full-duplex mode with no pause frames transmitted or received.

This command is not applicable for the ACE module.

Keepalive Configuration Mode Commands

active and suspend

The activate command activates the keepalive you are configuring on the CSS. Activating a keepalive starts the sending of messages to the keepalive IP address.

The suspend command deactivates the keepalive.

ACE probes (also known as keepalives) are only active when applied to an inservice real server. There is no need to activate or suspend a probe directly in the ACE. If a probe should not be sent to a real server for health monitoring, then you should remove the probe from the ACE configuration.

Owner Configuration Mode Commands

address

Specifies the address for the owner of the web hosting service. The CSS allows for the address for the owner of the web hosting service to be defined within the CSS configuration.

Use the context description or the SNMP location commands in the ACE. See Chapter 7, Configuring SNMP, in the Cisco Application Control Engine Module Administration Guide.

billing-info

Specifies billing information about the owner providing the web hosting service. The CSS allows for billing information for the owner of the web hosting service to be defined within the CSS configuration.

Use the context description or the SNMP contact commands in the ACE.

See Chapter 2, Configuring Virtualization, in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

See Chapter 7, Configuring SNMP, in the Cisco Application Control Engine Module Administration Guide.

case

Defines whether the matching of content requests to the owner's rules is case-sensitive.

By default, the ACE regex and string matching is case-sensitive. By using an HTTP parameter map, the ACE can be configured for case-insensitive matching. With case-insensitive matching enabled, uppercase and lowercase letters are considered to be the same.

content

Accesses content configuration mode and configures a content rule. The content command defines how the CSS will handle the received traffic.

The ACE uses class maps, policy maps, and service policies to define how client traffic will be handled. The three steps in the traffic classification process by the ACE are as follows:

1. Create a class map using the class-map command and the associated match commands, which comprise a set of match criteria related to Layer 3 and Layer 4 traffic classifications or Layer 7 protocol classifications.

2. Create a policy map using the policy-map command, which refers to the class maps and identifies a series of actions to perform based on the traffic match criteria.

3. Activate the policy map by associating it with a specific VLAN interface or globally with all VLAN interfaces using the service-policy command to filter the traffic received by the ACE.

description

Provides a description for the owner of the web hosting service to be defined within the CSS configuration.

Use the context description command in the ACE. See Chapter 2, Configuring Virtualization, in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

dns

Sets the peer DNS exchange policy for the owner.

The ACE does not support a DNS service for VIPs or GSLB. If you are migrating from the CSS to the ACE with the CSS Enhanced license, refer to the Cisco ACE GSS 4400 Series Global Site Selector (GSS) appliances for a dedicated GSLB and DNS appliance.

The ACE can be used as the server load-balancing (SLB) device with the GSS platform for GSLB support. The GSS load balances geographically distributed data centers based on DNS requests. It also load balances any DNS-capable device that can be registered in the DNS system, such as the ACE.

See the Cisco GSS documentation set for background information at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html

dnsbalance

Determines how DNS requests are resolved when the CSS is configured as a DNS service.

The ACE does not support a DNS service for VIPs or GSLB. If you are migrating from the CSS to the ACE with the CSS Enhanced license, refer to the Cisco ACE GSS 4400 Series Global Site Selector (GSS) appliances for a dedicated GSLB and DNS appliance.

The ACE can be used as the server load-balancing (SLB) device with the GSS platform for GSLB support. The GSS load balances geographically distributed data centers based on DNS requests. It also load balances any DNS-capable device that can be registered in the DNS system, such as the ACE.

See the Cisco GSS documentation set for background information at:

http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html

email-address

Specifies an email address for the owner providing the Web hosting service. The CSS allows for an email address for the owner of the web hosting service to be defined within the CSS configuration.

Use the context description or the snmp-server contact commands in the ACE.

See Chapter 2, Configuring Virtualization, in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

See Chapter 7, Configuring SNMP, in the Cisco Application Control Engine Module Administration Guide.

Reporter Configuration Mode Commands

All Reporter configuration mode commands

Reporter configuration mode allows you to configure a reporter. A reporter is a software monitoring agent that you associate with critical interfaces and virtual routers (VRs). The reporter monitors the state of the critical interfaces and causes the associated VRs to fail over when the interfaces go down. You can also use a reporter to synchronize the state of associated VRs to prevent asymmetric flows.

To create a tracking and failure detection process for a gateway or host, use the ft track host command in configuration mode. The ACE provides a Fault Tolerant (FT) track host configuration to allow users to configure tracking and failure detection for critical network gateways and hosts.

See Chapter 6, Configuring Redundant ACE Modules, in the Cisco Application Control Engine Module Administration Guide.

RMON Alarm, Event, and History Configuration Mode Commands

The ACE does not support RMON.

Service Configuration Mode Commands

access ftp

Associates an FTP access mechanism with a service for moving content during publishing, subscribing, and demand-based content replication (Dynamic Hot Content Overflow) activities.

The ACE does not support Demand-Based Content Replication (Dynamic Hot Content Overflow).

bypass-hosttag

Allows the Client Side Accelerator (CSA) on the CSS to bypass a cache farm and establish a connection with the origin server to retrieve noncacheable content.

The ACE does not support the Client Side Accelerator.

cache-bypass

Disables applying content rules to requests originating from a proxy or transparent-cache type service when the CSS processes the requests.

The ACE applies service policies based on the interface on which traffic is received. The ACE activates a policy map by associating it with a specific VLAN interface or globally with all VLAN interfaces using the service-policy command to filter the traffic received by the ACE.

For caching environments, the service policy that handles client traffic is different from the service policy that handles traffic sourced from a cache, allowing the ACE to have the same functionality without the requirement of a special command or configuration.

The following options of the compress command in Service configuration mode:

compress accept-omit

Specifies the compression encoding type for HTTP requests that do not include the Accept-Encoding field.

The HTTP compression function is not supported by the ACE.

compress disable

Disables HTTP compression on a service.

The HTTP compression function is not supported by the ACE.

compress enable

Enables the service for HTTP compression.

The HTTP compression function is not supported by the ACE.

compress encode

Configures the CSS to prefer a compression encoding type provided by the Accept-Encode field from the client or the compress accept-omit command.

The HTTP compression function is not supported by the ACE.

compress tcp

Configures client or server TCP connections for HTTP compression.

The HTTP compression function is not supported by the ACE.

compress type

Configures the Huffman code type to optimize the compression for different traffic types.

The HTTP compression function is not supported by the ACE.

ip address, the range number option

Specifies a range of IP addresses.

IP address ranges or index support is not available in the ACE.

keepalive type script

Defines a script keepalive to be used by the service. The script is played every time the keepalive is issued.

While ACE supports scripted probes, it is outside the scope of the CSS-to-ACE conversion tool to port proprietary CSS scripts to Toolkit Command Language (TCL). The ACE has numerous embedded probes in its health management subsystem. In many cases, you may move from your own scripted probes on the CSS to the embedded probes in the ACE to monitor applications within the data center. If you require a custom script, you must port it to TCL so it can be used by ACE to monitor services.

See Appendix A, Using TCL Scripts with the ACE, in the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

protocol

Specifies the service IP protocol. The default setting for this command is any, for any IP protocol.

The ACE real server is defined globally using an IP address. When the real server is applied to a server farm, it may be assigned a port. The ACE will only load balance transport protocols to the real server if a virtual IP address is defined in the Layer 3 and Layer 4 class map match virtual-address command. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

publisher

Configures a service as a publishing service and defines its synchronization interval for demand-based content replication (Dynamic Hot Content Overflow).

The ACE does not support Demand-Based Content Replication (Dynamic Hot Content Overflow).

string

Specifies an HTTP cookie for the service.

The string used for cookie insertion is predetermined on the ACE by server farm, real server name, and real server port. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

subscriber

Configures a service as a subscriber to a publishing service for demand-based content replication (Dynamic Hot Content Overflow).

The ACE does not support Demand-Based Content Replication (Dynamic Hot Content Overflow).

transparent-hosttag

Allows the Client Side Accelerator (CSA) on the CSS to enable destination network address translation (NAT) for the transparent cache service type.

The ACE does not support the Client Side Accelerator.

The following options of the type command in Service configuration mode:

type nci-direct-return

Specifies a NAT Channel Indication (NCI) service for NAT peering. NAT peering allows the building of forward TCP-switched connections between CSSs until the destination CSS is reached and the destination CSS performs the final transformations, which allows return traffic packets to flow to the client through any network path. This service type informs the CSS to include the NCI option in the TCP packet. This keyword indicates to the server-side CSS that NAT parameters are in use and contains the original source and destination IP addresses and TCP port numbers. If a Layer 5 rule is matched, the spoof bit in the NCI option is set to indicate that part of the flow has been spoofed and the rest of the forward path must be established before the destination CSS can use the information in the packet to perform the NAT transformations for the reverse path. Configure the VIP for the service to the VIP on the server-side CSS to indicate an endpoint for the connection.

While the ACE does not support NCI, it does fully support Asymmetric Server Return (ASR), which is also known as Direct Server Return (DSR). If you use NCI, you will also be interested in the ACE's capability to support ASR.

You can configure ASR on the ACE by:

Making a transparent server farm that contains the interface IP address of the real server.

Turning off TCP/IP normalization on all ACE interface VLANs.

Applying the VIP as a local loopback address on the real server for which ARP is not configured. It is very important for the server to not have ARP configured for the VIP.

The ACE sends client connections to the real server, and the real server responds through the network directly to the client using the VIP as the source IP address.

type nci-info-only

Specifies that the service is NAT Channel Indication (NCI) for information only.

While the ACE does not support NCI, it does fully support Asymmetric Server Return (ASR), which is also known as Direct Server Return (DSR). If you use NCI, you will also be interested in the ACE's capability to support ASR.

You can configure ASR on the ACE by:

Making a transparent server farm that contains the interface IP address of the real server.

Turning off TCP/IP normalization on all ACE interface VLANs.

Applying the VIP as a local loopback address on the real server for which ARP is not configured. It is very important for the server to not have ARP configured for the VIP.

The ACE sends client connections to the real server, and the real server responds through the network directly to the client using the VIP as the source IP address.

type proxy-cache

Specifies the service is a proxy cache. This keyword bypasses content rules for requests from the cache. Bypassing content rules prevents a loop from forming between the cache server and the CSS.

The ACE supports a transparent server farm to send client requests unNATed to the real server using the MAC address of the real server IP address.

The ACE also applies service policies that are based on the interface traffic being received. For caching environments, the service policies that address client traffic are different from the service policies that address traffic that is sourced from a cache. This capability allows the ACE to have the same functionality without the requirement of a special command or configuration.

type redundancy-up

Designates one or more routers as type redundancy-up critical services. This critical service type enables the master CSS to ping a router service using the default keepalive Internet Control Message Protocol (ICMP). If the master CSS fails or it detects that all router uplink critical services have failed, the backup CSS becomes the master.

To create a tracking and failure detection process for a gateway or host, use the ft track host command in configuration mode. The ACE provides a Fault Tolerant (FT) track host configuration to allow users to configure tracking and failure detection for critical network gateways and hosts.

See Chapter 6, Configuring Redundant ACE Modules, in the Cisco Application Control Engine Module Administration Guide.

type rep-cache-redir

Specifies the service is a replication cache with redirect for Demand-Based Content Replication (Dynamic Hot Content Overflow). The CSS uses the replication cache as a redirect service instead of load balancing between the local service and the cache.

The ACE does not support Demand-Based Content Replication (Dynamic Hot Content Overflow).

type rep-store

Specifies the service is a replication store server for hot content for Demand-Based Content Replication (Dynamic Hot Content Overflow). The service is a local overflow service used to load-balance content requests. The CSS moves hot content to the server, and then creates a dynamic content rule for the hot content automatically.

The ACE does not support Demand-Based Content Replication (Dynamic Hot Content Overflow).

type rep-store-redir

Specifies the service is a replication store to which content requests are redirected for Demand-Based Content Replication (Dynamic Hot Content Overflow). The service is a remote overflow service. No content rules are applied to requests from this service type.

The ACE does not support Demand-Based Content Replication (Dynamic Hot Content Overflow).

SSL-Proxy-List Configuration Mode Commands

ssl-server number http-header

Inserts client certificate, server certificate, SSL session, or static text information in the HTTP request header during a client connection.

The ACE does not support HTTP header insertion of SSL session information or SSL client certificate information.

ssl-server number tcp

Specifies the TCP connection for the SSL server.

The ssl-server number tcp command is equivalent to the TCP options that you can define for a connection parameter map on the ACE. See the Cisco Application Control Engine Module SSL Configuration Guide.

1 The CSS software is available in a Standard or Enhanced feature set. The Enhanced feature set contains all of the Standard feature set and also includes Network Address Translation (NAT) Peering, Domain Name Service (DNS), Demand-Based Content Replication (Dynamic Hot Content Overflow), Content Staging and Replication, Network Proximity DNS, and Client Side Accelerator. Proximity Database and SSH are optional features.

1 The ACE GSS product is used for Global Server Load Balancing and the SSH license is now a standard supported protocol on ACE. The remaining Enhanced Licensed features are not supported on ACE.
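A pre-migration check for the Service and SSL-Proxy-List entries above, as an added example that is not part of the Cisco conversion tool or its documentation: it scans a CSS configuration and reports each listed command together with a short form of its ACE note. It assumes the CSS running-config layout in which a block starts at column 0 and its commands are indented; the `audit` function, the rule table, and the sample configuration are constructed for illustration.

```python
import re

SVC, SSL = "service", "ssl-proxy-list"
DBCR = "Demand-Based Content Replication is not supported"
# (mode, command pattern, ACE note) for entries in the table above.
RULES = [
    (SVC, r"compress\s+(accept-omit|disable|enable|encode|tcp|type)\b", "no HTTP compression"),
    (SVC, r"ip address\s+\S+\s+range\s+\d+", "IP address ranges are not available"),
    (SVC, r"keepalive type script\b", "port the script to TCL or use an embedded probe"),
    (SVC, r"(publisher|subscriber|type\s+rep-(cache-redir|store-redir|store))\b", DBCR),
    (SVC, r"type\s+nci-(direct-return|info-only)\b", "NCI is not supported; see ASR"),
    (SVC, r"type\s+proxy-cache\b", "use a transparent server farm"),
    (SVC, r"type\s+redundancy-up\b", "use ft track host"),
    (SVC, r"transparent-hosttag\b", "Client Side Accelerator is not supported"),
    (SVC, r"(protocol|string)\b", "handled differently on the ACE; review manually"),
    (SSL, r"ssl-server\s+\d+\s+http-header\b", "no SSL session/client certificate headers"),
    (SSL, r"ssl-server\s+\d+\s+tcp\b", "use a connection parameter map"),
]

def audit(config_text):
    """Return (line_no, block, command, note) for each flagged command."""
    findings, mode, block = [], None, None
    for no, raw in enumerate(config_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():              # column-0 line opens a new block
            mode, block = raw.split()[0], " ".join(raw.split()[:2])
            continue
        cmd = raw.strip()
        for rule_mode, pattern, note in RULES:
            if rule_mode == mode and re.match(pattern, cmd):
                findings.append((no, block, cmd, note))
                break
    return findings

# Constructed sample in CSS running-config layout (all names and addresses invented).
SAMPLE = """\
service web1
  ip address 10.1.1.10
  keepalive type script my-probe-script
  compress enable
service web2
  ip address 10.1.2.20 range 4
ssl-proxy-list ssl1
  ssl-server 20 http-header client-cert
owner acme
  content rule1
    protocol tcp
"""
```

Rules are scoped by configuration mode, so the `protocol tcp` line under the content rule in the sample is not reported, while the same command inside a `service` block would be.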



ACE Module Documentation

You can access the ACE module documentation on www.cisco.com at:

http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

To familiarize yourself with the ACE module, refer to the following documentation:

Release Note for the Cisco Application Control Engine Module

Cisco Application Control Engine Module Installation Note

Cisco Application Control Engine Module Administration Guide

Cisco Application Control Engine Module Command Reference

Cisco Application Control Engine Module Getting Started Guide

Cisco Application Control Engine Module Routing and Bridging Configuration Guide

Cisco Application Control Engine Module Security Configuration Guide

Cisco Application Control Engine Module Server Load-Balancing Configuration Guide

Cisco Application Control Engine Module SSL Configuration Guide

Cisco Application Control Engine Module System Message Guide

Cisco Application Control Engine Module Virtualization Configuration Guide

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html