Getting Started Guide, Cisco ACE Application Control Engine Module
Setting Up an ACE
This chapter describes how to set up a Cisco Application Control Engine (ACE) module for remote management.

This chapter contains the following topics:

Information About Setting up an ACE

Prerequisites for Setting Up an ACE

Guidelines and Limitations

Setting Up an ACE

Configuration Example for Setting Up an ACE

Where to Go Next


Note All configuration examples in this guide are based on IPv4. IPv6 is supported on the ACE module in software releases A5(1.0) and later. For information about configuring and using IPv6 with your ACE module, see the A5(1.0) Routing and Bridging Guide, Cisco ACE Application Control Engine.


Information About Setting up an ACE

After reading this chapter, you should have a basic understanding of how to set up an ACE and configure it for remote access through a management interface.

This chapter describes how to set up an ACE using the example network setup shown in Figure 2-1.

Figure 2-1 Example Network Setup

The configuration of the example setup is as follows:

VLAN 1000 is assigned to the ACE and is used for management traffic for the Admin context.


Note A virtual local area network (VLAN) is a logical division of a computer network within which information can be transmitted for all devices to receive. VLANs enable you to segment a switched network so that devices in one VLAN do not receive information packets from devices in another VLAN.


VLAN 400 is assigned to the ACE and is used for client-side traffic.

VLAN 500 is assigned to the ACE and is used for server-side traffic.

A management VLAN interface is configured for the Admin context with VLAN 1000 and IP address 172.25.91.110.

A client-side VLAN interface is configured for the user context VC_WEB with VLAN 400 and IP address 10.10.40.1.

A server-side VLAN interface is configured for the user context VC_WEB with VLAN 500 and IP address 10.10.50.1.

Four web servers are available to the ACE for load-balancing client requests.

Prerequisites for Setting Up an ACE

Setting up an ACE has the following prerequisites:

Complete the ACE installation instructions as described in the Installation Note, Cisco ACE Application Control Engine ACE30 Module.

Contact your network administrator to determine which VLANs and addresses are available for use by the ACE.

Guidelines and Limitations

You can assign a maximum of 16 VLAN groups to one ACE.

Setting Up an ACE

This section includes the following topics:

Task Flow for Setting Up an ACE

Configuring VLANs for the ACE Using Cisco IOS Software

Sessioning and Logging in to the ACE from the Supervisor Engine

Assigning a Name to the ACE

Configuring a Management VLAN Interface on the ACE

Configuring a Default Route

Configuring Remote Management Access to the ACE

Accessing the ACE through a Telnet Session

Task Flow for Setting Up an ACE

Follow these steps to set up your ACE:


Step 1 Configure VLANs for your ACE using IOS software.

Step 2 Create a session between the Catalyst 6500 series switch or Cisco 7600 series router and the ACE and log in to the ACE from the supervisor engine.

Step 3 Assign a name to your ACE.

Step 4 Configure a management VLAN interface.

Step 5 Configure a default route.

Step 6 Configure remote management access to your ACE.

Step 7 Access your ACE through a Telnet session.


Configuring VLANs for the ACE Using Cisco IOS Software

Before the ACE can receive traffic from the supervisor engine in the Catalyst 6500 series switch or in a Cisco 7600 series router (an ACE20-MOD-K9 module only), you must create VLAN groups on the supervisor engine, and then assign the groups to the ACE. After you configure the VLAN groups on the supervisor engine for the ACE, you can configure the VLAN interfaces on the ACE.

In Cisco IOS software, you can create one or more VLAN groups, and then assign the groups to the ACE. For example, you can assign all the VLANs to one group, or you can create a group for each customer.

You cannot assign the same VLAN to multiple groups; however, you can assign multiple groups to an ACE. VLANs that you want to assign to multiple ACEs, for example, can reside in a separate group from VLANs that are unique to each ACE.

To configure the VLANs for the ACE using the Cisco IOS software, perform the following steps:

Procedure

 
Command
Purpose

Step 1 

linux$ telnet ip_address
User Access Verification
 
        
Password: cisco
Router> 
 
        
Example:
linux$ telnet 192.168.12.15
User Access Verification
 
        
Password: cisco
Router> 

Connects to the supervisor engine to open a session. Enter the IP address of the supervisor engine in dotted-decimal notation.

Step 2 

enable
 
        
Example:
Router> enable
Password: cisco
Router#

Enters Cisco IOS privileged mode.

Step 3 

config
 
        
Example:
Router# config
Router(config)#

Enters configuration mode.

Step 4 

svclc vlan-group group_number vlan_range

Example:
Router# config
Router(config)# svclc vlan-group 50 40,41,60,100,400,500,1000

Assigns VLANs to a group. VLAN numbers have the range 2 to 1000 and 1025 to 4094.

Step 5 

svclc module slot_number vlan-group group_number_range

Example:
Router(config)# svclc module 5 vlan-group 50

Assigns VLAN group 50 to the ACE. You can assign a maximum of 16 VLAN groups to an ACE.

Step 6 

svclc multiple-vlan-interfaces
 
        
Example:
Router(config)# svclc multiple-vlan-interfaces

(Optional) Configures a switched virtual interface (SVI) on the Multilayer Switch Feature Card (MSFC) and assigns the SVI to the ACE. The svclc multiple-vlan-interfaces command allows you to configure multiple SVIs on the MSFC and assign them to the ACE, one for each context in the ACE.

Step 7 

interface vlan vlan_id
 
        
Example:
Router(config)# interface vlan 55
Router(config-if)#

Enters interface configuration mode for the specified VLAN.

Step 8 

ip address ip_address netmask
 
        
Example:
Router(config-if)# ip address 10.1.1.1 255.255.255.0

Assigns an IP address to the VLAN interface.

Step 9 

no shut
 
        
Example:
Router(config-if)# no shut

Enables the interface.

Step 10 

exit
 
        
Example:
Router(config-if)# exit
Router(config)# exit
Router#

Exits the current configuration mode and returns to the previous CLI mode. You can press Ctrl-G (same as exit command) to exit the current config mode. You can also press Ctrl-Z to return to Exec mode from any configuration mode.

Step 11 

show svclc module slot_number vlan-group
 
        
Example:
Router# show svclc module 5 50

Displays VLAN group numbers for the module in the specified slot.

Step 12 

show svclc vlan-group group_number
 
        
Example:
Router# show svclc vlan-group 50

Displays the group configuration for the ACE and the associated VLANs.

Step 13 

copy running-config startup-config

Example:

Router# copy running-config startup-config

(Optional) Copies the running-configuration file to the startup-configuration file.

Sessioning and Logging in to the ACE from the Supervisor Engine

You can session and log in to the ACE from the supervisor engine.

Restrictions

For security reasons, you must change the Admin password when you log in to the ACE for the first time. If you do not change the Admin password, the following will occur:

You will not be able to log in to the ACE remotely using Telnet or SSH

You will be restricted to using either a console connection or a session through the supervisor engine to access the ACE.

You must also change the password of the www user when you log in to the ACE for the first time. The www user is used internally by the ACE for the XML interface. If you do not change the www user password, the XML interface is inoperable.

Procedure

 
Command
Purpose

Step 1 

session slot number processor number
 
        
Example:
Router# session slot 5 processor 0
switch login: 
Password: 

Establishes a session between the supervisor engine and the ACE.

Step 2 

admin
 
        
Example:
switch login: admin
Password: admin
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
switch/Admin#

Logs you in to the ACE. For security reasons, you must change the Admin password when you log in to the ACE for the first time. You should also change the www user password if you intend to use the XML interface to configure the ACE at some point.

Step 3 

username name [password [0 | 5] {password}]

Example:
switch/Admin# config
switch/Admin(config)# username Admin password 0 cisco123
switch/Admin(config)# exit
switch/Admin#

Changes the Admin password.

Step 4 

username name [password [0 | 5] {password}]

Example:
switch/Admin# config
switch/Admin(config)# username www password 0 xmlsecret_801
switch/Admin(config)# exit
switch/Admin#

Changes the www user password.

Step 5 

terminal session-timeout number
 
        
Example:
switch/Admin# terminal session-timeout 0

Prevents the current session from timing out.

Step 6 

login timeout number
 
        
Example:
switch/Admin# config
switch/Admin(config)# login timeout 0
 
        

Sets the inactivity timeout in the ACE. A value of 0 disables the inactivity timeout.

Step 7 

exit
 
        
Example:
switch/Admin(config)# exit

switch/Admin#

Exits configuration mode.

Step 8 

show terminal

Example:

switch/Admin# show terminal

Displays the terminal configuration, including the session timeout value.

Step 9 

show login timeout

Example:

switch/Admin# show login timeout

Displays the login timeout value.

Step 10 

copy running-config startup-config

Example:

switch/Admin# copy running-config startup-config

(Optional) Copies the running-configuration file to the startup-configuration file.

Assigning a Name to the ACE

The hostname is used for the command-line prompts and default configuration filenames. When you establish sessions to multiple devices, the hostname helps you to keep track of the ACE on which you are entering commands. By default, the hostname for the ACE is "switch."

Procedure

 
Command
Purpose

Step 1 

config
 
        
Example:
switch/Admin# config
switch/Admin(config)#

Enters configuration mode.

Step 2 

hostname name
 
        
Example:
switch/Admin(config)# hostname host1
host1/Admin(config)#

Changes the hostname from "switch" to "host1."

Step 3 

do copy running-config startup-config

Example:

host1/Admin(config)# do copy running-config startup-config

(Optional) Copies the running-configuration file to the startup-configuration file. Note that the do command allows you to enter Exec mode commands in any configuration mode.

Configuring a Management VLAN Interface on the ACE

You can provide management connectivity to the ACE by assigning an IP address to the VLAN interface on the ACE. For the example configuration, you will assign an IP address 172.25.91.110 and a subnet mask of 255.255.255.0 to VLAN 1000, as shown in Figure 2-2 (previously configured settings are grayed out).

Figure 2-2 Configuring a Management VLAN Interface on the ACE

Procedure

 
Command
Purpose

Step 1 

interface vlan vlan_id
 
        
Example:
host1/Admin(config)# interface vlan 1000
host1/Admin(config-if)#

Configures VLAN 1000 on the ACE.

Step 2 

ip address ip_address netmask
 
        
 
        
Example:
host1/Admin(config-if)# ip address 172.25.91.110 255.255.255.0

Assigns an IP address and network mask to the VLAN interface for management connectivity.

Step 3 

description string
 
        
Example:
host1/Admin(config-if)# description Management connectivity on VLAN 1000

(Optional) Provides a description of the interface.

Step 4 

no shutdown
 
        
 
        
Example:
host1/Admin(config-if)# no shutdown

Enables the VLAN interface.

Step 5 

Ctrl-Z
 
        
Example:
host1/Admin(config-if)# Ctrl-Z
host1/Admin#

Returns to Exec mode directly from any configuration mode.

Step 6 

show running-config interface
 
        
Example:
host1/Admin# show running-config interface

Displays the VLAN interface configuration.

Step 7 

show interface vlan vlan_id
 
        
Example:
host1/Admin# show interface vlan 1000

Displays the status and statistics about the VLAN interface.

Step 8 

ping ip_address

Example:
host1/Admin(config-if)# ping 172.25.91.110

Verifies the connectivity of a remote host or server by sending ICMP echo messages from the ACE.

Step 9 

copy running-config startup-config

Example:

host1/Admin# copy running-config startup-config

(Optional) Copies the running-configuration file to the startup-configuration file.

Configuring a Default Route

A default route identifies the IP address where the ACE sends all IP packets for which it does not have a route.

Procedure

 
Command
Purpose

Step 1 

config
 
        
Example:
switch/Admin# config
switch/Admin(config)#

Enters configuration mode.

Step 2 

ip route src_ip_address dest_ip_address default_gateway

Example:
host1/Admin(config)# ip route 0.0.0.0 0.0.0.0 172.25.91.1

Configures a default IP address where the ACE forwards all IP packets for which it does not have a route.

Step 3 

do show ip route

Example:

host1/Admin(config)# do show ip route

Displays the default route in the routing table.

Step 4 

do copy running-config startup-config

Example:

host1/Admin(config)# do copy running-config startup-config

(Optional) Copies the running-configuration file to the startup-configuration file.

Example

The following example shows how to display the default route in the routing table:

host1/Admin(config)# do show ip route
 
   
Routing Table for Context Admin (RouteId 0)
 
   
   Codes: H - host,   I - interface
          S - static,      N - nat
          A - need arp resolve,      E - ecmp
 
   
Destination         Gateway          Interface         Flags
----------------------------------------------------------------------
0.0.0.0             172.25.91.1      vlan1000          S [0xc]
172.25.91.0/24      0.0.0.0          vlan1000          IA [0x30]
 
   
Total route entries = 2
 
   

Configuring Remote Management Access to the ACE

Before remote network access can occur on the ACE, you must create a traffic policy that identifies the network management traffic that can be received by the ACE.

Procedure

 
Command
Purpose

Step 1 

class-map type management match-any name

Example:
host1/Admin(config)# class-map type management match-any REMOTE_ACCESS
host1/Admin(config-cmap-mgmt)#

Creates a management-type class map named REMOTE_ACCESS that matches any traffic.

Step 2 

description string
 
        
Example:
host1/Admin(config-cmap-mgmt)# description Remote access traffic match

(Optional) Provides a description for the class map.

Step 3 

match protocol protocol any
 
        
Example:
host1/Admin(config-cmap-mgmt)# match protocol ssh any
host1/Admin(config-cmap-mgmt)# match protocol telnet any
host1/Admin(config-cmap-mgmt)# match protocol icmp any

Configures the match protocol to permit traffic based on the SSH, Telnet, and ICMP protocols for any source address.

Step 4 

exit
 
        
Example:
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#

Exits class map management configuration mode.

Step 5 

policy-map type management first-match name

Example:
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#

Creates a policy map named REMOTE_MGMT_ALLOW_POLICY for traffic destined to an ACE interface.

Step 6 

class name
 
        
Example:
host1/Admin(config-pmap-mgmt)# class REMOTE_ACCESS

Applies the previously created REMOTE_ACCESS class map to this policy.

Step 7 

permit
 
        
Example:
host1/Admin(config-pmap-mgmt-c)# permit

Allows the ACE to receive the configured class-map management protocols.

Step 8 

exit
 
        
Example:
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#

Exits policy map class management configuration mode. Exits policy map management configuration mode.

Step 9 

interface vlan vlan_id
 
        
Example:
host1/Admin(config)# interface vlan 1000
host1/Admin(config-if)#

Accesses interface configuration mode for the VLAN to which you want to apply the policy map.

Step 10 

service-policy input policy_name
 
        
Example:
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Applies the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.

Step 11 

Ctrl-Z

Example:

host1/Admin(config-if)# Ctrl-Z

host1/Admin#

Returns to Exec mode from any configuration mode.

Step 12 

show running-config class-map

Example:

host1/Admin# show running-config class-map

Displays the class-map configuration.

Step 13 

show running-config policy-map

Example:

host1/Admin# show running-config policy-map

Displays the policy-map configuration.

Step 14 

show service-policy name

Example:

host1/Admin# show service-policy REMOTE_MGMT_ALLOW_POLICY

Displays the service-policy that you applied to the interface.

Step 15 

copy running-config startup-config

Example:

host1/Admin# copy running-config startup-config

(Optional) Copies the running-configuration file to the startup-configuration file.

Accessing the ACE through a Telnet Session

After you have completed the previous configurations, you can use Telnet to access the ACE by using its IP address.

Procedure

 
Command
Purpose

Step 1 

telnet ip_address
 
        
Example:
remote_host# telnet 172.25.91.110
 
        
Trying 172.25.91.110... Open

Initiates a Telnet session from a remote host to the ACE. For example, access the ACE from the VLAN IP address of 172.25.91.110.

Step 2 

host1 login: admin
Password: xxxxx
 
        
Example:
host1 login: admin
password: cisco123

Logs you in to the ACE. Enter admin as the user name and type the new password that you entered in Step 3 of the "Sessioning and Logging in to the ACE from the Supervisor Engine" section.

Step 3 

show telnet

Example:

host1/Admin# show telnet

Displays the Telnet session.

Step 4 

copy running-config startup-config

Example:

host1/Admin# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuration Example for Setting Up an ACE

The following example configuration shows how to set up an ACE for remote management:

host1/Admin# show running-config
 
   
Generating configuration....
 
   
login timeout 0
 
   
class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
 
   
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
 
   
interface vlan 1000
  description Management connectivity on VLAN 1000
  ip address 172.25.91.110 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
 
   
ip route 0.0.0.0 0.0.0.0 172.25.91.1
 
   
username admin password 5 $1$JwBOOUEt$jihXQiAjF9igwDay1qAvK.  role Admin domain default-domain
username www password 5 $1$xmYMkFnt$n1YUgNOo76hAhg.JqtymF/  role Admin domain default-domain
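
The running configuration above permits Telnet, SSH, and ICMP from any source address on VLAN 1000 and sets the login timeout to 0. The following Python sketch is an added example, not part of the Cisco guide: it parses a running-config of this shape and reports, per VLAN interface, which management protocols the bound policy permits and from where. The function names, the CLEARTEXT set, and the finding strings are assumptions of this example.

```python
import re

# Excerpt of the chapter's running-config, embedded as sample input.
SAMPLE = """\
login timeout 0
class-map type management match-any REMOTE_ACCESS
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
interface vlan 1000
  ip address 172.25.91.110 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
"""
CLEARTEXT = {"telnet"}  # assumption of this example: protocols flagged as unencrypted

def parse(config):
    """Return (class_maps, policy_maps, interface_bindings, login_timeout)."""
    classes, policies, bindings, timeout = {}, {}, {}, None
    kind = name = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            kind = name = cls = None
            if m := re.match(r"(class|policy)-map type management \S+ (\S+)", line):
                kind, name = m[1], m[2]
                (classes if kind == "class" else policies)[name] = []
            elif m := re.match(r"interface vlan (\d+)", line):
                kind, name = "if", int(m[1])
                bindings[name] = []
            elif m := re.match(r"login timeout (\d+)", line):
                timeout = int(m[1])
        elif kind == "class" and (m := re.match(r"(?:\d+ )?match protocol (\S+) (.+)", line)):
            classes[name].append((m[1], m[2]))
        elif kind == "policy" and (m := re.match(r"class (\S+)", line)):
            cls = m[1]
        elif kind == "policy" and cls and line in ("permit", "deny"):
            policies[name].append((cls, line))
        elif kind == "if" and (m := re.match(r"service-policy input (\S+)", line)):
            bindings[name].append(m[1])
    return classes, policies, bindings, timeout

def audit(config):
    """List management-plane findings; first-match ordering across classes is not modelled."""
    classes, policies, bindings, timeout = parse(config)
    findings = []
    if timeout == 0:
        findings.append("login timeout 0: inactivity timeout disabled")
    for vlan in sorted(bindings):
        for pol in bindings[vlan]:
            for cls, action in policies.get(pol, []):
                for proto, source in classes.get(cls, []) if action == "permit" else []:
                    if proto in CLEARTEXT:
                        findings.append(f"vlan {vlan}: {proto} permitted (cleartext)")
                    if source == "any" and proto != "icmp":
                        findings.append(f"vlan {vlan}: {proto} permitted from any source")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```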
 
   

Where to Go Next

In this chapter, you have set up your ACE so that you can access it remotely through a management interface. In the next chapter, you will create a user virtual context that you will use later for server load balancing.