User Guide for the Cisco Application Networking Manager 2.0
Configuring Virtual Servers
Table Of Contents

Configuring Virtual Servers

Load Balancing Overview

Configuring Virtual Servers

Understanding Virtual Server Configuration and ANM

Using ANM to Configure Virtual Servers

Virtual Server Configuration Procedure

Shared Objects and Virtual Servers

Virtual Server Protocols by Device Type

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Application Acceleration and Optimization

Configuring Virtual Server NAT

Managing Virtual Servers

Deploying Virtual Servers

Viewing All Staged Virtual Servers

Modifying Deployed Virtual Servers

Modifying Staged Virtual Servers

Viewing Virtual Servers by Context

Activating Virtual Servers

Suspending Virtual Servers

Managing GSS VIP Answers

Activating and Suspending DNS Rules Governing GSS Load Balancing

Viewing Detailed Virtual Server Information

Viewing Virtual Servers

Understanding CLI Commands Sent from Virtual Server Table


Configuring Virtual Servers


Revised Date: 2/17/11

This section provides an overview of server load balancing and procedures for configuring virtual servers for load balancing on an ACE.

Topics include:

Load Balancing Overview

Configuring Virtual Servers

Managing Virtual Servers

Load Balancing Overview

Server load balancing (SLB) is the process of deciding to which server a load balancer should send a client request for service. For example, a client request can consist of an HTTP GET for a Web page or an FTP GET to download a file. The job of the load balancer is to select the server that can successfully fulfill the client request and do so in the shortest amount of time without overloading either the server or the server farm as a whole.

Depending on the load-balancing algorithm or predictor that you configure, the ACE performs a series of checks and calculations to determine the server that can best service each client request. The ACE bases server selection on several factors, including the server with the fewest connections with respect to load, source or destination address, cookies, URLs, or HTTP headers.

The ANM allows you to configure load balancing using:

Virtual servers—See Configuring Virtual Servers.

Real servers—See Configuring Real Servers, page 5-4.

Server farms—See Configuring Server Farms, page 5-12.

Sticky groups—See Configuring Sticky Groups, page 6-7.

Parameter maps—See Configuring Parameter Maps, page 7-1.

For information about SLB as configured and performed by the ACE, see:

Configuring Virtual Servers

Load-Balancing Predictors, page 5-2

Real Servers, page 5-3

Server Farms, page 5-3

Health Monitoring, page 5-23

TCL Scripts, page 5-24

Configuring Stickiness, page 6-1

Configuring Virtual Servers

In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. A virtual server is bound to physical services running on real servers in a server farm and uses IP address and port information to distribute incoming client requests to the servers in the server farm according to a specified load-balancing algorithm.

You use class maps to configure a virtual server address and definition. The load-balancing predictor algorithms (for example, roundrobin, least connections, and so on) determine the servers to which the ACE sends connection requests.

For more information about virtual servers and ANM, see:

Understanding Virtual Server Configuration and ANM

Using ANM to Configure Virtual Servers

Virtual Server Configuration Procedure

Understanding Virtual Server Configuration and ANM

The ANM Virtual Server configuration interface, an abstraction of the Modular Policy CLI, simplifies, reorders, and makes more atomic the configuration and deployment of a functional load-balancing environment. With simplification or abstraction, some constraints or limitations are necessarily introduced. This section identifies the constraints and framework used by the ANM for virtual server configuration.

In the ANM, a viable virtual server has the following attributes:

A single Layer 3/Layer 4 match condition

This means that you can specify only a single IP address (or single IP address range if a netmask is used), with only a single port (or port range). Having a single match condition greatly simplifies and aids virtual server configuration.

A default Layer 7 action

A Layer 7 policy map

A Layer 3/Layer 4 class map

A multi-match policy map, a class-map match, and an action

In addition:

The virtual server multi-match policy map is associated with an interface or is global.

The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.

Example 4-1 shows the minimum configuration statements required for a virtual server.

Example 4-1 Minimum Configuration Required for a Virtual Server

class-map match-all Example_VIP
   2 match virtual-address 10.10.10.10 tcp eq www 
policy-map type loadbalance first-match Example_VIP-l7slb
   class class-default
      forward
policy-map multi-match int10
   class Example_VIP
      loadbalance policy Example_VIP-l7slb 

interface vlan 10
   ip address 192.168.65.37 255.255.255.0
   service-policy input int10
   no shutdown
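The check below is an added example, not part of the Cisco guide or of ANM: it audits ACE configuration text against the attributes listed above (a single Layer 3/Layer 4 match condition, a Layer 7 policy map with a default action, and a multi-match policy map applied to an interface or globally). The function names and the second sample are constructed for illustration, and the parser assumes only the statement forms shown in Example 4-1 plus a top-level service-policy statement for the global case.

```python
import re

# Example 4-1, reproduced from the guide.
EXAMPLE_4_1 = """\
class-map match-all Example_VIP
   2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
   class class-default
      forward
policy-map multi-match int10
   class Example_VIP
      loadbalance policy Example_VIP-l7slb

interface vlan 10
   ip address 192.168.65.37 255.255.255.0
   service-policy input int10
   no shutdown
"""

# Constructed sample (not from the guide): two match conditions, an empty
# class-default, and a multi-match policy map that is never applied.
BROKEN_SAMPLE = """\
class-map match-any Broken_VIP
   2 match virtual-address 10.10.10.20 tcp eq www
   3 match virtual-address 10.10.10.21 tcp eq https
policy-map type loadbalance first-match Broken_VIP-l7slb
   class class-default
policy-map multi-match int20
   class Broken_VIP
      loadbalance policy Broken_VIP-l7slb
"""

# A match line may carry a leading sequence number, as in Example 4-1.
VIP_MATCH = re.compile(r"^(\d+\s+)?match virtual-address\s")


def parse_blocks(text):
    """Split config text into (header, [(indent, line), ...]) stanzas."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append((indent, raw.strip()))
    return blocks


def classes_of(body):
    """Map each 'class NAME' in a policy map to the actions nested under it."""
    out, current, class_indent = {}, None, 0
    for indent, line in body:
        if line.startswith("class "):
            current, class_indent = line.split()[1], indent
            out[current] = []
        elif current is not None and indent > class_indent:
            out[current].append(line)
    return out


def audit(text):
    """Return {virtual_server_name: [problems]}; an empty list means viable."""
    l34, l7, multi, applied = {}, {}, {}, set()
    for header, body in parse_blocks(text):
        words = header.split()
        if words[0] == "class-map":
            vips = [l for _, l in body if VIP_MATCH.match(l)]
            if vips:  # only class maps that define a virtual address
                l34[words[-1]] = vips
        elif header.startswith("policy-map type loadbalance"):
            l7[words[-1]] = classes_of(body)
        elif header.startswith("policy-map multi-match"):
            multi[words[-1]] = classes_of(body)
        elif header.startswith("service-policy input"):
            applied.add(words[-1])  # applied globally
        elif words[0] == "interface":
            applied.update(l.split()[-1] for _, l in body
                           if l.startswith("service-policy input"))

    report = {}
    for name, vips in l34.items():
        problems = []
        if len(vips) != 1:
            problems.append("expected a single Layer 3/Layer 4 match "
                            f"condition, found {len(vips)}")
        bindings = [(pm, classes[name]) for pm, classes in multi.items()
                    if name in classes]
        if not bindings:
            problems.append("not referenced by any multi-match policy map")
        for pm, actions in bindings:
            if pm not in applied:
                problems.append(f"multi-match policy map {pm} is not applied "
                                "to an interface or globally")
            lb = [a.split()[-1] for a in actions
                  if a.startswith("loadbalance policy ")]
            if not lb:
                problems.append(f"no loadbalance policy action in {pm}")
            for policy in lb:
                if policy not in l7:
                    problems.append(f"Layer 7 policy map {policy} is not defined")
                elif not l7[policy].get("class-default"):
                    problems.append(f"Layer 7 policy map {policy} has no default action")
        report[name] = problems
    return report


if __name__ == "__main__":
    for sample in (EXAMPLE_4_1, BROKEN_SAMPLE):
        print(audit(sample))
```
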


Note also the following items regarding the ANM and virtual servers:

Additional configuration options

The Virtual Server configuration screen allows you to configure additional items for a functional VIP. These items include server farms, sticky groups, real servers, probes, parameter maps, inspection, class maps, and inline match conditions. Because too many items on a screen can be overwhelming, not all configuration options, such as sticky statics or backup real servers, appear on the Virtual Server configuration screen. These options are available elsewhere in the ANM interface.

Configuration options and roles

To support and maintain the separation of roles, some objects cannot be configured using the Virtual Server configuration screen. These objects include SSL certificates, SSL keys, NAT pools, interface IP addresses, and ACLs. Providing these options as separate configuration options in the ANM interface ensures that a user who can view or modify virtual servers or aspects of virtual servers cannot create or delete virtual servers.

Changes to virtual servers using the CLI or Expert options can prevent further modifications in the Virtual Server configuration screen

If you create a virtual server using the Virtual Server configuration screen, modify it using the CLI or Expert options (Config > Devices > Expert), and then attempt to modify it again using the Virtual Server configuration screen, error messages will be displayed and you will not be able to modify the virtual server.

Related Topics

Configuring Virtual Servers

Using ANM to Configure Virtual Servers

Virtual Server Configuration Procedure

Using ANM to Configure Virtual Servers

It is important to understand the following concepts when using the ANM to configure virtual servers:

Virtual server configuration screens

The ANM virtual server configuration screens are designed to aid you in configuring virtual servers by presenting configuration options that are relevant to your choices. For example, the protocols that you select in the Properties configuration subset determine the other configuration subsets that appear.

Use the virtual server configuration method that suits you

The ANM Virtual Server configuration screens simplify the process of creating, modifying, and deploying virtual servers by displaying those options that you are most likely to use. In addition, as you specify attributes for a virtual server, such as protocols, the interface refreshes with related configuration options, such as Protocol Inspection or Application Acceleration and Optimization, thereby speeding virtual server configuration and deployment.

While Virtual Server configuration screens remove some configuration complexities, they have a few constraints that the Expert configuration options do not. If you are comfortable using the CLI, you can use the Expert options (such as Config > Devices > context > Expert > Class Map or Policy, or Config > Devices > context > Load Balancing > Parameter Maps) to configure more complex attributes of virtual servers, traffic policies, and parameter maps.

Synchronizing virtual server configurations

If you configure a virtual server using the CLI and then use the Sync option (Config > Devices > ACE > Sync) to synchronize configurations, the configuration that appears in ANM for the virtual server might not display all configuration options for that virtual server. The configuration that appears in the ANM depends on a number of items, such as the protocols configured in class maps or the rules defined for policy maps.

For example, if you configure a virtual server on the CLI that includes a class map that can match any protocol, you will not see the virtual server Application Acceleration and Optimization configuration subset in the ANM.

Modifying shared objects

Modifying an object that is used by multiple virtual servers, such as a server farm, real server, or parameter map, could impact the other virtual servers. See Shared Objects and Virtual Servers for more information about modifying objects used by multiple virtual servers.

Related Topics

Configuring Virtual Servers

Understanding Virtual Server Configuration and ANM

Virtual Server Configuration Procedure

Virtual Server Configuration Procedure

Use this procedure to add virtual servers to the ANM for load-balancing purposes.

Assumptions

Depending on the protocol to be used for the virtual server, parameter maps need to be defined.

For SSL service, SSL certificates, keys, chain groups, and parameter maps must be configured.

Procedure


Step 1 Select Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Click Add to add a new virtual server, or select an existing virtual server, then click Edit to modify it. The Virtual Server configuration screen appears with a number of configuration subsets. The subsets that you see depend on whether you use the Basic View or the Advanced View and entries you make in the Properties subset. Change views by using the View object selector at the top of the configuration pane.

Table 4-1 identifies and describes virtual server configuration subsets with links to related topics for configuration information.


Note The protocols that are available depend on the ACE device that you are configuring. For a list of the protocols available for each ACE device type, see Table 4-2.


Table 4-1 Virtual Server Configuration Subsets 

| Configuration Subset | Description | Related Topics |
| --- | --- | --- |
| Properties | This subset allows you to specify basic virtual server characteristics, such as the virtual server name, IP address, protocol, port, and VLANs. | Configuring Virtual Server Properties |
| SSL Termination | This subset appears when TCP is the selected protocol and Other or HTTPS is the application protocol. This subset allows you to configure the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients. | Configuring Virtual Server SSL Termination |
| Protocol Inspection | This subset appears in the Advanced View for TCP with FTP, HTTP, HTTPS, RTSP, or SIP, and for UDP with DNS or SIP. This subset appears in the Basic View for TCP with FTP. This subset allows you to configure the virtual server so that it can verify protocol behavior and identify unwanted or malicious traffic passing through the ACE on selected application protocols. | Configuring Virtual Server Protocol Inspection |
| Application Acceleration and Optimization | This subset appears only for ACE appliances. It appears in the Advanced View when HTTP or HTTPS is the selected application protocol. This subset allows you to configure application acceleration and optimization options for HTTP or HTTPS traffic. | Configuring Application Acceleration and Optimization |
| L7 Load-Balancing | This subset appears only in the Advanced View for TCP with Generic, HTTP, HTTPS, RTSP, or SIP, and for UDP with Generic, RADIUS, or SIP. This subset allows you to configure Layer 7 load-balancing options, including SSL initiation. | Configuring Virtual Server Layer 7 Load Balancing |
| Default L7 Load-Balancing Action | This subset allows you to establish the default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions, including the SSL initiation configuration. | Configuring Virtual Server Default Layer 7 Load Balancing |
| NAT | This subset appears in the Advanced View only. This subset allows you to set up Network Address Translation (NAT) for the virtual server. | Configuring Virtual Server NAT |


Step 3 When you finish configuring virtual server properties, click:

Deploy Now to deploy the configuration on the ACE.

Cancel to exit the procedure without saving your entries and to return to the Virtual Servers table.

Deploy Later to save your entries and apply them at a later time.


Related Topics

Configuring Virtual Servers

Understanding Virtual Server Configuration and ANM

Using ANM to Configure Virtual Servers

Shared Objects and Virtual Servers

Understanding Roles, page 15-5

Shared Objects and Virtual Servers

A shared object is one that is used by multiple virtual servers. Examples of shared objects are:

Action lists

Class maps

Parameter maps

Real servers

Server farms

SSL services

Sticky groups

Because these objects are shared, modifying an object's configuration in one virtual server can impact other virtual servers that use the same object.

Configuring Shared Objects

ANM offers the following options for shared objects in virtual server configuration screens (Config > Devices > context > Load Balancing > Virtual Servers):

View—Click View to review the object's configuration. The screen refreshes with read-only fields and the following three buttons.

Cancel—Click Cancel to close the read-only view and to return to the previous screen.

Edit—Click Edit to modify the selected object's configuration. The screen refreshes with fields that can be modified, except for the Name field which remains read-only.


Note Before changing a shared object's configuration, make sure you understand the effect of the changes on other virtual servers using the same object. As an alternative, consider using the Duplicate option instead.


Duplicate—Click Duplicate to create a new object with the same configuration as the selected object. The screen refreshes with configurable fields. In the Name field, enter a unique name for the new object, then modify the configuration as desired. This option allows you to create a new object without impacting other virtual servers using the same object.

Deleting Virtual Servers with Shared Objects

If you create a virtual server and include shared objects in its configuration, deleting the virtual server does not delete the associated shared objects. This ensures that other virtual servers using the same shared objects are not impacted.

Related Topics

Managing Virtual Servers

Virtual Server Protocols by Device Type

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Application Acceleration and Optimization

Virtual Server Protocols by Device Type

The protocols that are available for a virtual server depend on the ACE device you are configuring. Table 4-2 lists the protocols available for each device type.

Table 4-2 Virtual Server Protocols for ACE Modules and Devices 

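| Protocol | ACE 1.0 Modules | ACE 2.0 Modules | ACE 4710 Appliance Running Image A1(8) | ACE 4710 Appliance Running Image A3(1.0) |
| --- | --- | --- | --- | --- |
| Any | X | X | X | X |
| TCP: Other | X | X | X | X |
| TCP: HTTP | X | X | X | X |
| TCP: HTTPS | X | X | X | X |
| TCP: FTP | X | X | X | X |
| TCP: RTSP | | X | | X |
| TCP: RDP | | X | | X |
| TCP: Generic | | X | | X |
| TCP: SIP | | X | | X |
| UDP: Other | X | X | X | X |
| UDP: DNS | X | X | X | X |
| UDP: RADIUS | | X | | X |
| UDP: Generic | | X | | |
| UDP: SIP | | X | | |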

Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server Properties

Use this procedure to configure virtual server properties.

Procedure


Step 1 Select Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Click Add to add a new virtual server, or select an existing virtual server, then click Edit to modify it. The Virtual Server configuration screen appears. The Properties configuration subset is open by default.

The fields that you see in the Properties configuration subset depend on whether you are using Advanced View or Basic View:

To configure Advanced View properties, continue with Step 3.

To configure Basic View properties, continue with Step 4.

Step 3 To configure virtual server properties in the Advanced View, enter the information in Table 4-3.

Table 4-3 Virtual Server Properties - Advanced View 

Field
Description

VIP Name

Enter the name for the virtual server.

VIP IP

Enter the IP address for the virtual server.

Netmask

Select the subnet mask to apply to the virtual server IP address.

Protocol

Select the protocol the virtual server supports:

Any—The virtual server is to accept connections using any IP protocol.

TCP—The virtual server is to accept connections that use TCP.

UDP—The virtual server is to accept connections that use UDP.

Application Protocol

This field appears if TCP or UDP is selected. The application protocols that are available depend on the type of ACE being configured.

Select the application protocol to be supported by the virtual server. Table 4-2 identifies the available protocols for each ACE device type.

Port

This field appears for any TCP or UDP protocol.

Enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.

For a complete list of protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/.

All VLANs

Select the check box to support incoming traffic from all VLANs. Clear the check box to support incoming traffic from specific VLANs only.

VLAN

This field appears if the All VLANs check box is cleared.

In the Available Items list, select the VLANs to use for incoming traffic, then click Add. The items appear in the Selected Items list.

To remove VLANs, select them in the Selected Items list, then click Remove. The items appear in the Available Items list.

Note You cannot change the VLAN for a virtual server once it is specified. Instead, delete the virtual server and create a new one with the desired VLAN.

Connection Parameter Map

This field appears if TCP is the selected protocol.

Select an existing connection parameter map or click *New* to create a new one:

If you select an existing parameter map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the Connection Parameter Map configuration pane appears. Configure the connection parameter map as described in Table 7-2.

HTTP Parameter Map

This field appears if HTTP or HTTPS is the selected application protocol.

Select an existing HTTP parameter map or click *New* to create a new one:

If you select an existing parameter map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the HTTP Parameter Map configuration pane appears. Configure the HTTP parameter map as described in Table 7-5.

RTSP Parameter Map

This field appears if RTSP is the selected application protocol over TCP.

Select an existing RTSP parameter map or click *New* to create a new one:

If you select an existing parameter map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the RTSP Parameter Map configuration pane appears. Configure the RTSP parameter map as described in Table 7-7.

Generic Parameter Map

This field appears if Generic is the selected application protocol over TCP or UDP.

Select an existing Generic parameter map or click *New* to create a new one.

If you select an existing parameter map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the Generic Parameter Map configuration pane appears. Configure the Generic parameter map as described in Table 7-4.

ICMP Reply

Indicate how the virtual server is to respond to ICMP ECHO requests:

None—The virtual server is not to send ICMP ECHO-REPLY responses to ICMP requests.

Active—The virtual server is to send ICMP ECHO-REPLY responses only if the configured VIP is active.

Always—The virtual server is always to send ICMP ECHO-REPLY responses to ICMP requests.

VIP Advertise

This field appears for ACE 1.0 and 2.0 modules only.

This option allows the ACE to advertise the IP address of the virtual server as the host route.

Select the desired VIP advertise option:

None—The ACE is not to advertise the IP address of the virtual server as the host route.

Active—The ACE is to advertise the IP address of the virtual server as the host route only if there is at least one active real server in the server farm.

Always—The ACE is always to advertise the IP address of the virtual server as the host route.

Active-metric—The ACE is to advertise the IP address of the virtual server as the host route if:

There is at least one active real server in the server farm.

A distance metric is specified for the route in the Distance field.

Always-metric—The ACE is to advertise the IP address of the virtual server as the host route, using the distance metric in the Distance field.

Distance

This field appears if you select Active-metric or Always-metric in the VIP Advertise field.

Enter the administrative distance to be included in the routing table. Valid entries are integers from 1 to 254.

Status

Indicate whether the virtual server is to be in service or out of service:

In Service—Enables the virtual server for load-balancing operations.

Out of Service—Disables the virtual server for load-balancing operations.


Step 4 To configure virtual server properties in the Basic View, enter the information in Table 4-4.

Table 4-4 Virtual Server Properties - Basic View 

Field
Description

VIP Name

Enter the name for the virtual server.

VIP IP

Enter the IP address for the virtual server.

Protocol

Select the protocol that the virtual server supports:

Any—The virtual server is to accept connections using any IP protocol.

TCP—The virtual server is to accept connections that use TCP.

UDP—The virtual server is to accept connections that use UDP.

Application Protocol

This field appears if TCP or UDP is selected. The application protocols that are available depend on the type of ACE being configured.

Select the application protocol to be supported by the virtual server. Table 4-2 identifies the available protocols for each ACE device type.

Port

This field appears for any specific TCP or UDP protocol.

Enter the port to be used for the specified protocol. Valid entries are integers from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports.

For a complete list of all protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/.

All VLANs

Select the check box to support incoming traffic from all VLANs. Clear the check box to support incoming traffic from specific VLANs only.

VLAN

This field appears if the All VLANs check box is cleared.

In the Available Items list, select the VLANs to use for incoming traffic, then click Add. The items appear in the Selected Items list.

To remove VLANs, select them in the Selected Items list, then click Remove. The items appear in the Available Items list.

Note You cannot change the VLAN for a virtual server once it is specified. Instead, delete the virtual server and create a new one with the desired VLAN.


Step 5 When you finish configuring virtual server properties, click:

Deploy Now to deploy the configuration on the ACE.

Cancel to exit the procedure without saving your entries.

Deploy Later to save your entries and apply them at a later time.


Related Topics

Configuring Virtual Servers

Configuring Virtual Server SSL Termination

Configuring Virtual Server SSL Termination

SSL termination service allows the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients.

Use this procedure to configure virtual server SSL termination service.

Assumption

A virtual server has been configured for HTTPS over TCP or Other over TCP in the Properties configuration subset. For more information, see Configuring Virtual Server Properties.

Procedure


Step 1 Select Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for SSL termination, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click SSL Termination. The Proxy Service Name field appears.

Step 4 In the Proxy Service Name field, select an existing SSL termination service, or select *New* to create a new SSL proxy service:

If you select an existing SSL service, the screen refreshes and allows you to view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you select *New*, the Proxy Service configuration subset appears.

Step 5 Configure the SSL service using the information in Table 4-5.

For more information about SSL, see Configuring SSL, page 8-1.

Table 4-5 Virtual Server SSL Attributes

Field
Description

Name

Enter a name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 26 characters.

Key List

Select the SSL key pair to use during the SSL handshake for data encryption.

Certificate List

Select the SSL certificate to use during the SSL handshake.

Chain Group Name

Select the chain group to use during the SSL handshake.

Auth Group Name

Select the SSL authentication group to associate with this proxy server service.


Note This option appears for ACE 2.0 modules and the ACE 4710 A3(1.0) release only.


CRL Best-Effort

This option appears if you select an authentication group in the Auth Group Name field.

Select the check box to allow the ANM to search client certificates for the service to determine if it contains a CRL in the extension and retrieve the value, if it exists.

Clear the check box to disable this feature.

CRL Name

This option appears if the CRL Best-Effort check box is clear.

Select the Certificate Revocation List the ANM is to use for this proxy service.

Parameter Map Name

Select the SSL parameter map to associate with this proxy server service.


Step 6 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE.

Cancel to exit this procedure without saving your entries.

Deploy Later to save your entries and apply them at a later time.


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server Protocol Inspection

Configuring protocol inspection allows the virtual server to verify protocol behavior and identify unwanted or malicious traffic passing through the ACE.

In the Advanced View, protocol inspection configuration is available for the following virtual server protocol configurations:

TCP with FTP, HTTP, HTTPS, RTSP, or SIP

UDP with DNS or SIP

In the Basic View, protocol inspection configuration is available for TCP with FTP.

See Table 4-2 for a list of protocols by ACE device type.

Use this procedure to configure protocol inspection on a virtual server.

Assumption

A virtual server has been configured to use one of the protocols that supports protocol inspection in the Properties configuration subset. See Configuring Virtual Server Properties for information on configuring these protocols.

Procedure


Step 1 Select the item to configure:

To configure a virtual server, select Config > Devices > context > Load Balancing > Virtual Servers.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Load Balancing > Virtual Servers.

The Virtual Servers table appears.

Step 2 Select the virtual server that you want to configure for protocol inspection, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click Protocol Inspection. The Enable Inspect check box appears.

Step 4 Select the Enable Inspect check box to enable inspection on the specified traffic. Clear this check box to disable inspection on this traffic. By default, the ACE allows all request methods.

Step 5 If you select the Enable Inspect check box, configure additional inspection options using the information in Table 4-6.

Table 4-6 Protocol Inspection Configuration Options 

Protocol
Description

DNS

In the Length field enter the maximum length of the DNS packet in bytes. If you do not enter a value in this field, the DNS packet size is not checked.

FTP

1. Select the Use Strict check box to indicate that the virtual server is to perform enhanced inspection of FTP traffic and enforce compliance with RFC standards. Clear this check box to indicate that the virtual server is not to perform enhanced FTP inspection.

2. If you select the Use Strict check box, in the Blocked FTP Commands field, identify the commands that are to be denied by the virtual server. See Table 11-9 for more information about the FTP commands.

Select the commands that are to be blocked by the virtual server in the Available Items list, then click Add. The commands appear in the Selected Items list.

To remove commands that you do not want to be blocked, select them in the Selected Items list, then click Remove. The commands appear in the Available Items list.

HTTP or HTTPS

1. Select the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When enabled, this feature logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. Clear this check box to disable monitoring of Layer 3 and Layer 4 traffic.

2. In the Policy subset, click Add to add a new match condition and action, or select an existing match condition and action, then click Edit to modify it. The Policy configuration pane appears.

3. In the Matches field, select an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection.

If you select an existing class map, the screen refreshes and allows you to view, modify, or duplicate the selected class map. See Shared Objects and Virtual Servers for more information about modifying shared objects.

4. Configure match criteria and related actions using the information in Table 4-7.

5. Click:

OK to save your entries. The Conditions table refreshes with the new entry.

Cancel to exit the Policy subset without saving your entries.

6. In the Default Action field, select the default action that the virtual server is to take when specified match conditions for protocol inspection are not met:

Permit—The specified HTTP traffic is to be received by the virtual server.

Reset—The specified HTTP traffic is to be denied by the virtual server.

SIP

1. In the Actions subset, click Add to add a new match condition and action, or select an existing match condition and action, then click Edit to modify it. The Actions configuration pane appears.

2. In the Matches field, select an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection.

If you select an existing class map, the screen refreshes and allows you to view, modify, or duplicate the selected class map. See Shared Objects and Virtual Servers for more information about modifying shared objects.

3. Configure match criteria and related actions using the information in Table 4-9.

4. In the Action field, select the action that the virtual server is to take when the specified match conditions are met:

Permit—The specified SIP traffic is to be received by the virtual server.

Drop—The specified SIP traffic is to be discarded by the virtual server.

Reset—The specified SIP traffic is to be denied by the virtual server.

5. Click:

OK to save your entries. The Conditions table refreshes with the new entry.

Cancel to exit the Conditions subset without saving your entries and to return to the Conditions table.

6. In the SIP Parameter Map field, select an existing parameter map or select *New* to configure a new one.

If you select an existing parameter map, the screen refreshes and allows you to view, modify, or delete the selected parameter map. See Shared Objects and Virtual Servers for more information about modifying shared objects.

7. Configure SIP parameter map options using the information in Table 7-8.

8. In the Secondary Connection Parameter Map field, select an existing parameter map or select *New* to configure a new one.

If you select an existing parameter map, the screen refreshes and allows you to view, modify, or delete the selected parameter map. See Shared Objects and Virtual Servers for more information about modifying shared objects.

9. Configure secondary connection parameter map options using the information in Table 7-2.

10. In the Default Action field, select the default action that the virtual server is to take when specified match conditions for SIP protocol inspection are not met:

Permit—The specified SIP traffic is to be received by the virtual server.

Drop—The specified SIP traffic is to be discarded by the virtual server.

Reset—The specified SIP traffic is to be denied by the virtual server.

11. Select the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When enabled, this feature logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. Clear this check box to disable monitoring of Layer 3 and Layer 4 traffic.

RTSP

There are no protocol-specific inspection options for RTSP.


Table 4-7 HTTP and HTTPS Protocol Inspection Match Criteria Configuration  

Selection
Action

Existing class map

1. Click View to review the match condition information for the selected class map.

2. Click:

Cancel to continue without making changes and to return to the previous screen.

Edit to modify the existing configuration.

Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.

See Shared Objects and Virtual Servers for information about modifying shared objects.

3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—The specified traffic is to be received by the virtual server if it meets the specified deep inspection match criteria.

Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*New*

1. In the Name field, specify a unique name for this class map.

2. In the Match field, select the method to be used to evaluate multiple match statements when multiple match conditions exist:

Any—A match exists if at least one of the match conditions is satisfied.

All—A match exists only if all match conditions are satisfied.

3. In the Conditions table, click Add to add a new set of conditions, or select an existing entry, then click Edit to modify it. The Type field appears.

4. In the Type field, select the type of condition that is to be met for protocol inspection.

5. Provide condition-specific criteria using the information in Table 4-8.

6. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—The specified traffic is to be received by the virtual server if it meets the specified deep inspection match criteria.

Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*Inline Match*

1. In the Conditions Type field, select the type of inline match condition that is to be met for protocol inspection.

2. Provide condition-specific criteria using the information in Table 4-8.

3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—The specified traffic is to be received by the virtual server if it meets the specified deep inspection match criteria.

Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.


Table 4-8 HTTP and HTTPS Protocol Inspection Conditions and Options 

Condition
Description

None

No conditions are defined for application inspection decisions.

URL

URL names are to be used for application inspection decisions.

In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.

URL Length

URL length is to be used for application inspection decisions.

1. In the URL Length Operator field, select the operand to use to compare URL length:

Equal—The URL length must equal the number in the URL Length Value field.

Greater Than—The URL length must be greater than the number in the URL Length Value field.

Less Than—The URL length must be less than the number in the URL Length Value field.

Range—The URL length must be within the range specified in the URL Length Lower Value field and the URL Length Higher Value field.

2. Enter values to apply for URL length comparison:

If you select Equal, Greater Than, or Less Than in the URL Length Operator field, the URL Length Value field appears. In the URL Length Value field, enter the value for comparison. Valid entries are from 1 to 65535 bytes.

If you select Range in the URL Length Operator field, the URL Length Lower Value and the URL Length Higher Value fields appear:

1. In the URL Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be less than the number entered in the URL Length Higher Value field.

2. In the URL Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be greater than the number entered in the URL Length Lower Value field.

Content

Specific content contained within the HTTP entity-body is to be used for application inspection decisions.

1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.

2. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255 bytes.

Content Length

The content parse length is used for application inspection decisions.

1. In the Content Length Operator field, select the operand to use to compare content length:

Equal—The content length must equal the number in the Content Length Value field.

Greater than—The content length must be greater than the number in the Content Length Value field.

Less than—The content length must be less than the number in the Content Length Value field.

Range—The content length must be within the range specified in the Content Length Lower Value field and the Content Length Higher Value field.

2. Enter values to apply for content length comparison:

If you select Equal, Greater than, or Less than in the Content Length Operator field, the Content Length Value field appears. In the Content Length Value field, enter the number of bytes for comparison. Valid entries are integers from 0 to 4294967295.

If you select Range in the Content Length Operator field, the Content Length Lower Value and the Content Length Higher Value fields appear:

1. In the Content Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 0 to 4294967295. The number in this field must be less than the number entered in the Content Length Higher Value field.

2. In the Content Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 0 to 4294967295. The number in this field must be greater than the number entered in the Content Length Lower Value field.

Header

The name and value in an HTTP header are used for application inspection decisions.

1. In the Header field, select one of the predefined HTTP headers to match, or select HTTP Header to specify a different HTTP header.

2. If you select HTTP Header, in the Header Name field, enter the name of the HTTP header to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

3. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. See Table 11-35 for a list of the supported characters that you can use in regular expressions.

Header Length

The length of the header in the HTTP message is used for application inspection decisions.

1. In the Header Length Type field, specify whether HTTP header request or response messages are to be used for application inspection decisions:

Request—HTTP header request messages are to be checked for header length.

Response—HTTP header response messages are to be checked for header length.

2. In the Header Length Operator field, select the operand to be used to compare header length:

Equal—The header length must equal the number in the Header Length Value field.

Greater Than—The header length must be greater than the number in the Header Length Value field.

Less Than—The header length must be less than the number in the Header Length Value field.

Range—The header length must be within the range specified in the Header Length Lower Value field and the Header Length Higher Value field.

3. Enter values to apply for header length comparison:

If you select Equal, Greater Than, or Less Than in the Header Length Operator field, the Header Length Value field appears. In the Header Length Value field, enter the number of bytes for comparison. Valid entries are integers from 0 to 255.

If you select Range in the Header Length Operator field, the Header Length Lower Value and the Header Length Higher Value fields appear:

1. In the Header Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 0 to 255. The number in this field must be less than the number entered in the Header Length Higher Value field.

2. In the Header Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 255. The number in this field must be greater than the number entered in the Header Length Lower Value field.

Header MIME Type

Multipurpose Internet Mail Extension (MIME) message types are used for application inspection decisions.

In the Header MIME Type field, select the MIME message type to use for this match condition.

Port Misuse

The misuse of port 80 (or any other port running HTTP) is to be used for application inspection decisions.

Indicate the application category to use for this match condition:

IM—Instant messaging applications are to be checked.

P2P—Peer-to-peer applications are to be checked.

Tunneling—Tunneling applications are to be checked.

Request Method

A request method is to be used for application inspection decisions.

1. Select the type of request method to use for this match condition:

EXT—An HTTP extension method is to be used.

RFC—The request method defined in RFC 2616 is to be used.

2. In the Request Method field, select the request method that is to be inspected.

Transfer Encoding

An HTTP transfer-encoding type is to be used for application inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient.

In the Transfer Encoding field, select the type of encoding that is to be checked:

Chunked—The message body is transferred as a series of chunks.

Compress—The encoding format that is produced by the UNIX file compression program compress.

Deflate—The zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951.

Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952.

Identity—The default (identity) encoding, which does not require the use of transformation.

Strict HTTP

Compliance with HTTP RFC 2616 is to be used for application inspection decisions.

Content Type Verification

Verification of MIME-type messages with the header MIME-type is to be used for application inspection decisions. This option verifies that the header MIME-type value is in the internal list of supported MIME-types and that the header MIME-type matches the content in the data or body portion of the message.
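The match logic that Tables 4-7 and 4-8 describe (Any/All class maps, the length operators, the content offset, and Permit/Reset with a default action) is modeled below. This is an added example, not ANM or ACE code; first-match ordering, inclusive range bounds, literal content matching, the class map names, and the sample requests are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: bytes

def parse_request(raw: bytes) -> Request:
    """Split a raw request at the empty line (CR,LF,CR,LF) before the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, url, headers, body)

def compare(length, operator, value=None, lower=None, higher=None):
    """Equal / Greater Than / Less Than / Range operators from Table 4-8."""
    if operator == "range":
        if not lower < higher:
            raise ValueError("lower value must be less than higher value")
        return lower <= length <= higher  # assumption: bounds are inclusive
    if operator == "equal":
        return length == value
    if operator == "greater":
        return length > value
    if operator == "less":
        return length < value
    raise ValueError(f"unknown operator: {operator}")

# Condition factories: each returns a predicate over a parsed request.
def url_length(operator, **limits):
    return lambda req: compare(len(req.url.encode()), operator, **limits)

def request_method(name):
    return lambda req: req.method == name

def transfer_encoding(kind):
    def check(req):
        value = req.headers.get("transfer-encoding", "")
        return kind.lower() in [c.strip().lower() for c in value.split(",")]
    return check

def content(expression, offset):
    # Assumption: literal match; the first `offset` body bytes are ignored.
    return lambda req: expression.encode() in req.body[offset:]

@dataclass
class ClassMap:
    name: str
    match: str  # "any" or "all"
    conditions: list

    def matches(self, req):
        results = [cond(req) for cond in self.conditions]
        return any(results) if self.match == "any" else all(results)

def inspect_request(policy, default_action, raw):
    """Return (action, class map name); assumption: first match wins."""
    req = parse_request(raw)
    for class_map, action in policy:
        if class_map.matches(req):
            return action, class_map.name
    return default_action, None

# Constructed policy: names and thresholds are illustrative only.
POLICY = [
    (ClassMap("OVERSIZE_URL", "any", [url_length("greater", value=255)]), "reset"),
    (ClassMap("CHUNKED_POST", "all",
              [request_method("POST"), transfer_encoding("chunked")]), "reset"),
    (ClassMap("BODY_MARKER", "any", [content("BLOCKME", offset=8)]), "reset"),
]

def build(method, url, headers=(), body=b""):
    """Build a constructed HTTP/1.1 request for the demonstration."""
    head = [f"{method} {url} HTTP/1.1", "Host: www.anydomain.com", *headers]
    return "\r\n".join(head).encode() + b"\r\n\r\n" + body

if __name__ == "__main__":
    samples = {
        "normal page": build("GET", "/latest/whatsnew.html"),
        "256-byte URL": build("GET", "/" + "a" * 255),
        "chunked POST": build("POST", "/upload",
                              ["Transfer-Encoding: chunked"], b"0\r\n\r\n"),
        "marker inside offset": build("POST", "/form", body=b"BLOCKME=1&x=2"),
        "marker after offset": build("POST", "/form", body=b"pad=1234&BLOCKME=1"),
    }
    for label, raw in samples.items():
        print(f"{label:22} -> {inspect_request(POLICY, 'permit', raw)}")
```

The two BODY_MARKER samples show the effect of the Content Offset field: a marker that falls entirely inside the ignored bytes never matches, so the offset must be chosen with the expected body layout in mind.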


Table 4-9 SIP Protocol Inspection Match Criteria Configuration  

Selection
Action

Existing class map

1. Click View to review the match condition information for the selected class map.

2. Click:

Cancel to continue without making changes and to return to the previous screen.

Edit to modify the existing configuration.

Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.

See Shared Objects and Virtual Servers for more information about modifying shared objects.

3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—The specified traffic is to be received by the virtual server.

Drop—The specified traffic is to be dropped by the virtual server.

Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*New*

1. In the Name field, specify a unique name for this class map.

2. In the Conditions table, click Add to add a new set of conditions, or select an existing entry, then click Edit to modify it. The Type field appears.

3. In the Type field, select the type of condition that is to be met for protocol inspection.

4. Provide condition-specific criteria using the information in Table 4-10.

5. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—The specified traffic is to be received by the virtual server.

Drop—The specified traffic is to be dropped by the virtual server.

Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.

*Inline Match*

1. In the Conditions Type field, select the type of inline match condition that is to be met for protocol inspection.

Table 4-10 describes the types of conditions and their related configuration options.

2. Provide condition-specific criteria using the information in Table 4-10.

3. In the Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Permit—The specified traffic is to be received by the virtual server.

Drop—The specified traffic is to be dropped by the virtual server.

Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection.


Table 4-10 SIP Protocol Inspection Conditions and Options 

Condition
Description

None

No conditions are defined for application inspection decisions.

Message Path

SIP inspection allows you to filter messages coming from or transiting through certain SIP proxy servers. The ACE maintains a list of the unauthorized SIP proxy IP addresses or URLs in the form of regular expressions and checks this list against the VIA header field in each SIP packet.

In the Message Path field, enter a regular expression that identifies the SIP proxy server for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 11-35 lists the supported characters that you can use for matching string expressions.

SIP Request Method

A SIP request method is used for application inspection decisions.

In the Request Method field, select the request method that is to be inspected.

IM Subscriber

An IM (instant messaging) subscriber is used for application inspection decisions.

In the IP Subscriber field, enter a regular expression that identifies the IM subscriber for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 11-35 lists the supported characters that you can use for matching string expressions.

Third Party

SIP allows users to register other users on their behalf by sending REGISTER messages with different values in the From and To header fields. This process can pose a security threat if the REGISTER message is actually a DEREGISTER message. A malicious user could cause a DoS (denial-of-service) attack by deregistering all users on their behalf. To prevent this security threat, you can specify a list of privileged users who can register or unregister someone else on their behalf. The ACE maintains the list as a regex table. If you configure this policy, the ACE drops REGISTER messages with mismatched From and To headers and a From header value that does not match any of the privileged user IDs.

In the Third Party Registration Entities field, enter a regular expression that identifies a privileged user who is authorized for third-party registrations. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 11-35 lists the supported characters that you can use for matching string expressions.

URI Length

The ACE can validate the length of SIP URIs or Tel URIs. A SIP URI is a user identifier that a calling party (source) uses to contact the called party (destination). A Tel URI is a telephone number that identifies the endpoint of a SIP connection. For more information about SIP URIs and Tel URIs, see RFC 2534 and RFC 3966, respectively.

To filter SIP traffic based on URIs:

1. In the URI Type field, indicate the type of URI to be used:

SIP URI—The calling party URI is to be used for this match condition.

Tel URI—A telephone number is to be used for this match condition.

2. In the URI Operator field, confirm that Greater Than is selected.

3. In the URI Length field, enter the maximum length of the SIP URI or Tel URI in bytes. Valid entries are integers from 0 to 254 bytes.

Called Party

The destination or called party specified in the URI of the SIP To header is used for SIP protocol inspection decisions.

In the Called Party field, enter a regular expression that identifies the called party in the URI of the SIP To header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 11-35 lists the supported characters that you can use for matching string expressions.

Calling Party

The source or caller specified in the URI of the SIP From header is used for SIP protocol inspection decisions.

In the Calling Party field, enter a regular expression that identifies the calling party in the URI of the SIP From header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 11-35 lists the supported characters that you can use for matching string expressions.

SIP Content Type

The content type in the SIP message body is used for SIP protocol inspection decisions.

In the Content Type field, enter a regular expression that identifies the content type in the SIP message body to use for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 11-35 lists the supported characters that you can use for matching string expressions.

SIP Content Length

The SIP message body content length is used for SIP protocol inspection decisions.

To specify SIP traffic based on SIP message body length:

1. In the Content Operator field, confirm that Greater Than is selected.

2. In the Content Length field, enter the maximum size of a SIP message body in bytes that the ACE is to allow without performing SIP protocol inspection. If a SIP message exceeds the specified value, the ACE performs SIP protocol inspection as defined in an associated policy map. Valid entries are integers from 0 to 65534 bytes.


Step 6 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE.

Cancel to exit this procedure without saving your entries.

Deploy Later to save your entries and deploy the configuration at a later time.
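The Third Party condition in Table 4-10 reduces to a three-way decision on REGISTER messages, shown below as an added example (not ACE code). The privileged pattern, addresses, and messages are constructed; Python regular expressions stand in for the ACE regex syntax, and anchored matching and dropping messages with unparseable From/To headers are assumptions chosen to fail closed.

```python
import re

# Compact header forms defined by RFC 3261 ("f" = From, "t" = To).
COMPACT = {"f": "from", "t": "to"}
URI_RE = re.compile(r"sips?:([^@;>\s]+)@([^;>\s:]+)", re.IGNORECASE)
QUOTED_NAME_RE = re.compile(r'^\s*"(?:[^"\\]|\\.)*"')

def parse_sip(raw: str):
    """Return (method, headers) from the start line and header block."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        # Normalize compact names so "f:" cannot bypass a check on "From:".
        headers.setdefault(COMPACT.get(name, name), value.strip())
    return method, headers

def address_of_record(header_value: str):
    """Extract user@host from a From/To value, ignoring display name and tags."""
    m = URI_RE.search(QUOTED_NAME_RE.sub("", header_value))
    return f"{m.group(1)}@{m.group(2).lower()}" if m else None

def third_party_check(raw: str, privileged_patterns):
    """Return (action, reason) for one SIP message."""
    method, headers = parse_sip(raw)
    if method != "REGISTER":
        return "permit", "not a REGISTER"
    sender = address_of_record(headers.get("from", ""))
    target = address_of_record(headers.get("to", ""))
    if sender is None or target is None:
        return "drop", "unparseable From/To"  # assumption: fail closed
    if sender == target:
        return "permit", "first-party registration"
    # Assumption: patterns are anchored (fullmatch) so look-alike hosts fail.
    if any(re.fullmatch(p, sender) for p in privileged_patterns):
        return "permit", "privileged third-party registration"
    return "drop", "third-party registration by non-privileged user"

# Constructed privileged list and messages (illustrative values only).
PRIVILEGED = [r"pbx-admin@example\.com"]

def register(from_value, to_value, extra=(), compact=False):
    """Build a constructed REGISTER message for the demonstration."""
    f, t = ("f", "t") if compact else ("From", "To")
    lines = ["REGISTER sip:example.com SIP/2.0",
             "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
             f"{f}: {from_value}", f"{t}: {to_value}",
             "Call-ID: constructed-1@192.0.2.10", "CSeq: 1 REGISTER",
             *extra, "Content-Length: 0"]
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    samples = {
        "self registration": register('"Alice" <sip:alice@example.com>;tag=a1',
                                      "<sip:alice@example.com>"),
        "deregister someone else": register("<sip:mallory@example.com>;tag=m1",
                                            "<sip:bob@example.com>",
                                            ["Contact: *", "Expires: 0"]),
        "privileged registrar": register("<sip:pbx-admin@example.com>;tag=p1",
                                         "<sip:bob@example.com>"),
        "compact header names": register("<sip:mallory@example.com>;tag=m2",
                                         "<sip:bob@example.com>", compact=True),
        "look-alike host": register("<sip:pbx-admin@example.com.invalid>;tag=x",
                                    "<sip:bob@example.com>"),
    }
    for label, raw in samples.items():
        print(f"{label:24} -> {third_party_check(raw, PRIVILEGED)}")
```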


Related Topics

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Layer 7 Load Balancing

In the Advanced View, Layer 7 load balancing is available for virtual servers configured with one of the following protocol combinations:

TCP with Generic, HTTP, HTTPS, RTSP, or SIP

UDP with Generic, RADIUS, or SIP

See Configuring Virtual Server Properties for information on configuring these protocols.

Table 4-2 identifies the protocols that are available for each type of ACE device.

Use this procedure to configure Layer 7 load balancing on a virtual server.

Assumption

A virtual server has been configured with one of the following protocol combinations:

TCP with Generic, HTTP, HTTPS, RTSP, or SIP

UDP with Generic, RADIUS, or SIP

Procedure


Step 1 Select Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for Layer 7 load balancing, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click L7 Load-Balancing. The Layer 7 Load-Balancing Rule Match table appears.

Step 4 In the Rule Match table, click Add to add a new match condition and action, or select an existing match condition and action, then click Edit to modify it. The Rule Match configuration pane appears.

Step 5 In the Rule Match field, select an existing class map or *New* or *Inline Match* to configure new match criteria for Layer 7 load balancing:

If you select an existing class map, click View to review, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New* or *Inline Match*, the Rule Match configuration pane appears.

Step 6 Configure match criteria using the information in Table 4-11.

Table 4-11 Layer 7 Load-Balancing Match Criteria Configuration  

Selection
Action

Existing class map

1. Click View to review the match condition information for the selected class map.

2. Click:

Cancel to continue without making changes and to return to the previous screen.

Edit to modify the existing configuration.

Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map.

See Shared Objects and Virtual Servers for more information about modifying shared objects.

*New*

1. In the Name field, enter a unique name for this class map.

2. In the Match field, select the method to be used to evaluate multiple match statements when multiple match conditions exist:

Match Any—A match exists if at least one of the match conditions is satisfied.

Match All—A match exists only if all match conditions are satisfied.

3. In the Conditions table, click Add to add a new set of conditions or select an existing entry, then click Edit to modify it.

4. In the Type field, select the match condition and configure any protocol-specific options:

For Generic protocol options, see Table 11-10.

For HTTP and HTTPS protocol options, see Table 4-12.

For RADIUS protocol options, see Table 11-11.

For RTSP protocol options, see Table 11-12.

For SIP protocol options, see Table 11-13.

5. Click:

OK to accept your entries and to return to the Conditions table.

Cancel to exit this procedure without saving your entries and to return to the Conditions table.

*Inline Match*

In the Conditions Type field, select the type of inline match condition and configure any protocol-specific options:

For Generic protocol options, see Table 11-10.

For HTTP and HTTPS protocol options, see Table 4-12.

For RADIUS protocol options, see Table 11-11.

For RTSP protocol options, see Table 11-12.

For SIP protocol options, see Table 11-13.


Table 4-12 Layer 7 HTTP/HTTPS Load-Balancing Conditions and Options 

Match Condition
Description

Http-cookie

HTTP cookies are used for the match condition.

1. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

2. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 11-35 lists the supported characters that you can use for matching string expressions.

3. Select the Secondary Cookie Matching check box to indicate that the ACE is to use both the cookie name and the cookie value to satisfy this match condition. Clear this check box to indicate that the ACE is to use either the cookie name or the cookie value to satisfy this match condition.

This field does not appear for inline match conditions.

Http-header

An HTTP header and corresponding value are used to establish match conditions.

1. In the Header Name field, specify the header in one of the following ways:

To specify an HTTP header that is not one of the standard HTTP headers, select the first radio button and enter the HTTP header name in the Header Name field. Enter an unquoted text string with no spaces and a maximum of 64 characters.

To specify one of the standard HTTP headers, select the second radio button and select the desired HTTP header from the list.

2. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 11-35 lists the supported characters that you can use in regular expressions.

Http-url

The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string.

1. In the URL Expr field, enter a URL, or portion of a URL, to match. Valid entries are URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE supports regular expressions for matching URL strings. Table 11-35 lists the supported characters that you can use in regular expressions.

2. In the Method field, enter the HTTP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 15 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).

Source-address

A client source IP address is used for the match condition.

1. In the Source Address field, enter the source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).

2. In the Source Netmask field, select the subnet mask to apply to the source IP address.

Class-map

An existing class map is used for the match condition.

In the Class Map field, select the class map to be used.

Http-content


Note: This option appears for ACE 2.0 modules and the ACE 4710 A3(1.0) release only.


Specific content contained within the HTTP entity-body is used to establish a match condition.

1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.

2. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are integers from 1 to 255.


Step 7 In the Primary Action field, indicate the action that the virtual server is to perform on the traffic if it matches the specified match criteria:

Drop—Client requests for content are to be discarded when match conditions are met. Continue with Step 11.

Forward—Client requests for content are to be forwarded without performing load balancing on the requests when match conditions are met. Continue with Step 11.

Load Balance—Client requests for content are to be directed to a server farm when match conditions are met. Continue with Step 8.

Sticky—Client requests for content are to be handled by a sticky group when match conditions are met. Continue with Step 9.

Step 8 If you select Load Balance as the primary action:

a. In the Server Farm field, select the primary server farm to use for load balancing, or select *New* to configure a new server farm (see Table 4-13).

b. In the Backup Server Farm field, select the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or select *New* to configure a new backup server farm (see Table 4-13).


Note If you select an existing object in either of these fields, you can view, modify, or duplicate the selected object's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects in virtual servers.


Table 4-13 New Server Farm Attributes 

Field
Description

Name

Enter a unique name for the server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Type

Select the type of server farm:

Host—A typical server farm that consists of real servers that provide content and services to clients.

By default, if you configure a backup server farm and all real servers in the primary server farm go down, the primary server farm fails over to the backup server farm. Use the following options to specify thresholds for failover and returning to service.

a. In the Partial Threshold Percentage field, enter the minimum percentage of real servers in the primary server farm that must remain active for the server farm to stay up. If the percentage of active real servers falls below this threshold, the ACE takes the server farm out of service. Valid entries are integers from 0 to 99.

b. In the Back Inservice field, enter the percentage of real servers in the primary server farm that must be active again for the ACE to place the server farm back into service. Valid entries are integers from 0 to 99. The value in this field should be larger than the value in the Partial Threshold Percentage field.

Redirect—A server farm that consists only of real servers that redirect client requests to alternate locations specified in the real server configuration.

Predictor

Specify the method for selecting the next server in the server farm to respond to client requests. You can configure additional predictor attributes under Config > Devices > context > Load Balancing > Server Farm as explained in Table 5-7.

Roundrobin—Server selection is based on server weight.

Leastconns—Server selection is based on the number of connections; the server with the fewest connections is selected next.

In the Slowstart Duration field, enter the slow-start value to apply. Valid entries are integers from 1 to 65535, where 1 is the slowest ramp-up time. The slow-start mechanism is used to avoid sending a high number of new connections to servers that have just been put into service.

Least Loaded—Server selection is based on the lowest load based on information obtained from SNMP probes.

In the SNMP Probe Name field, enter the name of the SNMP probe to use.

Least Bandwidth—Server selection is based on the least amount of network traffic over a specified sampling period.

a. In the Assess Time field, enter the number of seconds for which the ACE is to collect traffic information. Valid entries are integers from 1 to 10 seconds.

b. In the Least Bandwidth Samples field, enter the number of samples over which you want to weight and average the results of the probe query to calculate the final load value. Valid entries are 1, 2, 4, 8, and 16 (integers from 1 to 16 that are also a power of 2).

Response—Server selection is based on the lowest response time for the requested response-time measurement.

a. In the Response Type field, select the type of measurement to use:

- App-req-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.

- Syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.

- Syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a SYN-ACK from the server.

b. In the Response Samples field, enter the number of samples over which you want to average the results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (integers from 1 to 16 that are also a power of 2).

Probes

Specify the health monitoring probes to use:

To include a probe that you want to use for health monitoring, select it in the Available Items list, then click Add. The probe appears in the Selected Items list.

To remove a probe that you do not want to use for health monitoring, select it in the Selected Items list, then click Remove. The probe appears in the Available Items list.

To specify a sequence for probe use, select probes in the Selected Items list, then click Up or Down until you have the desired sequence.

To add a new probe, click Create. See Configuring Health Monitoring for Real Servers, page 5-25.

To view an existing probe's configuration, select a probe, then click View.

Real Servers

The Real Servers table allows you to add, modify, remove, or change the order of real servers.

1. Select an existing server, or click Add to add a server to the server farm:

If you select an existing server, you can view, modify, or duplicate the server's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click Add, the screen refreshes so you can enter server information.

2. In the Name field, specify the name of the real server in one of the following ways:

To identify a new real server, select the first radio button, then enter the name of the real server in the adjoining field.

To specify an existing real server, select the second radio button, then select one of the real servers listed.

3. In the IP Address field, enter the IP address of the real server in dotted-decimal format.

4. In the Port field, enter the port number to be used for server port address translation (PAT). Valid entries are integers from 1 to 65535.

5. In the Weight field, enter the weight to assign to this server in the server farm. Valid entries are integers from 1 to 100, and the default is 8.

6. In the Rate Bandwidth field, enter the real server bandwidth limit in bytes per second. Valid entries are integers from 1 to 300000000 bytes.

7. In the Rate Connection field, enter the limit for connections per second. Valid entries are integers from 1 to 350000.

8. In the State field, select the administrative state of this server:

Inservice—The server is to be placed in use as a destination for server load balancing.

Out of Service—The server is not to be placed in use by a server load balancer as a destination for client connections.

9. Click:

OK to accept your entries and add this real server to the server farm. The table refreshes with updated information.

Cancel to exit this procedure without saving your entries and to return to the Real Servers table.


Step 9 If you select Sticky as the primary action, in the Sticky Group field, select an existing sticky group or click *New* to add a new sticky group (see Table 4-14).


Note If you select an existing sticky group, you can view, modify, or duplicate the selected object's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects in virtual servers.


Table 4-14 Sticky Group Attributes 

Field
Description

Group Name

Enter a unique identifier for the sticky group. You can either accept the automatically incremented entry given or you can enter your own. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

Type

Select the method to be used when establishing sticky connections and configure any type-specific attributes:

HTTP Cookie—The virtual server is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction. See Table 6-3 for additional configuration options.

HTTP Header—The virtual server is to stick client connections to the same real server based on HTTP headers. See Table 6-4 for additional configuration options.

IP Netmask—The virtual server is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both. See Table 6-5 for additional configuration options.

Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence.

HTTP Content—The virtual server is to stick client connections to the same real server based on a string in the data portion of the HTTP packet. See Table 6-2 for additional configuration options.

Layer 4 Payload—The virtual server is to stick client connections to the same real server based on a string in the payload portion of the Layer 4 protocol packet. See Table 6-6 for additional configuration options.

RADIUS—The virtual server is to stick client connections to the same real server based on a RADIUS attribute.

RTSP Header—The virtual server is to stick client connections to the same real server based on the RTSP Session header field. See Table 6-8 for additional configuration options.

SIP Header—The virtual server is to stick client connections to the same real server based on the SIP Call-ID header field.

Aggregate State

Select the check box to indicate that the state of the primary server farm is to be tied to the state of all real servers in the server farm and in the backup server farm, if configured. The ACE declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down.

Clear the check box if the state of the primary server farm is not to be tied to all real servers in the server farm and in the backup server farm.

Sticky Enabled on Backup Server Farm

Select the check box to indicate that the backup server farm is sticky. Clear the check box if the backup server farm is not sticky.

Replicate

Select the check box to indicate that the virtual server is to replicate sticky table entries on the backup server farm. If a failover occurs and this option is selected, the new active server farm can maintain the existing sticky connections.

Clear the check box to indicate that the virtual server is not to replicate sticky table entries on the backup server farm.

Timeout

Enter the number of minutes that the virtual server keeps the sticky information for a client connection in the sticky table after the latest client connection terminates. Valid entries are integers from 1 to 65535; the default is 1440 minutes (24 hours).

Timeout Active Connections

Select the check box to specify that the virtual server is to time out sticky table entries even if active connections exist after the sticky timer expires.

Clear the check box to specify that the virtual server is not to time out sticky table entries even if active connections exist after the sticky timer expires. This is the default behavior.

Server Farm

Select an existing server farm to act as the primary server farm for this sticky group, or select *New* to create a new server farm. If you select *New*, configure the server farm using the information in Table 4-13.

Backup Server Farm

Select an existing server farm to act as the backup server farm for this sticky group, or select *New* to create a new server farm. If you select *New*, configure the server farm using the information in Table 4-13.


Step 10 In the Compression Method field, select the HTTP compression method to indicate how the ACE appliance is to compress packets when a client request indicates that the client browser is capable of packet compression. By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses.


Note By default, the ACE supports HTTP compression at rates of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for information on ACE licensing options.


Options include:

deflate—Specifies the deflate compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Deflate is the data format for compression described in RFC 1951.

gzip—Specifies the gzip compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Gzip is the file format for compression described in RFC1952.

N/A—HTTP compression is disabled.

When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:

Mime type—All text formats (text/*).

Minimum size—512 bytes.

User agent—None.

Step 11 In the SSL Initiation field, select an existing service, or select *New* to create a new service:

If you select an existing SSL service, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you select *New*, configure the service using the information in Table 4-5. For more information about SSL, see Configuring SSL, page 8-1.

Step 12 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the format header_name=header_value where:

header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name, provided that it does not exceed the maximum length limit.

header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 11-35 lists the supported characters that you can use in regular expressions.

For example, you might enter Host=www.cisco.com.

Step 13 Click:

OK to save your entries and to return to the Rule Match table.

Cancel to exit this procedure without saving your entries and to return to the Rule Match table.

Step 14 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE.

Cancel to exit this procedure without saving your entries.

Deploy Later to save your entries and apply them at a later time.
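
The Partial Threshold Percentage and Back Inservice fields in Table 4-13 form a hysteresis pair, which is why the second value should be larger than the first. The following added example (not ACE or ANM code) models that behavior on a constructed probe history; the class and function names are hypothetical, and treating "active again" as greater than or equal to the Back Inservice value is an assumption of the model.

```python
"""Model of the Partial Threshold Percentage and Back Inservice fields.

Added illustration, not ACE or ANM code. The comparison operators are this
model's reading of the field descriptions in Table 4-13.
"""
from dataclasses import dataclass


@dataclass
class FarmThresholds:
    partial_threshold: int  # farm leaves service when % active falls below this
    back_inservice: int     # farm returns once % active reaches this (assumed >=)

    def validate(self):
        """Return a list of problems; an empty list means the pair is acceptable."""
        problems = []
        for name in ("partial_threshold", "back_inservice"):
            value = getattr(self, name)
            if type(value) is not int or not 0 <= value <= 99:
                problems.append(f"{name} must be an integer from 0 to 99")
        if not problems and self.back_inservice <= self.partial_threshold:
            problems.append("back_inservice should be larger than partial_threshold")
        return problems


def simulate(thresholds, total_servers, active_counts):
    """Replay health-probe results and return which farm serves traffic each time."""
    primary_up = True
    serving = []
    for active in active_counts:
        pct = 100 * active / total_servers
        if primary_up:
            # Default behaviour on the page: fail over when every real server is
            # down; the partial threshold makes that happen earlier.
            if active == 0 or pct < thresholds.partial_threshold:
                primary_up = False
        elif active > 0 and pct >= thresholds.back_inservice:
            primary_up = True
        serving.append("primary" if primary_up else "backup")
    return serving


def count_transitions(serving):
    """Number of failovers plus failbacks in a simulated run."""
    return sum(1 for prev, cur in zip(serving, serving[1:]) if prev != cur)


# Constructed sample: a 10-server farm whose healthy count hovers around 50%.
ACTIVE_COUNTS = [10, 6, 4, 5, 4, 5, 4, 7, 8]

if __name__ == "__main__":
    for pair in (FarmThresholds(50, 70), FarmThresholds(50, 50)):
        run = simulate(pair, 10, ACTIVE_COUNTS)
        print(pair, pair.validate() or "ok", count_transitions(run), run)
```

With a 20-point gap the farm changes state twice over the sample history; with equal values it flaps on every probe result that crosses 50 percent.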


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Default Layer 7 Load Balancing

Use this procedure to configure default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions.

Assumption

A virtual server has been configured. See Configuring Virtual Servers for information on configuring a virtual server.

Procedure


Step 1 Select Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for default Layer 7 load balancing, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click Default L7 Load-Balancing Action. The Default L7 Load-Balancing Action configuration pane appears.

Step 4 In the Primary Action field, indicate the default action the virtual server is to take in response to client requests for content when specified match conditions are not met:

Drop—Client requests that do not meet specified match conditions are to be discarded. Continue with Step 8.

Forward—Client requests that do not meet specified match conditions are to be forwarded without performing load balancing on the requests. Continue with Step 8.

Load Balance—Client requests for content are to be directed to a server farm. Continue with Step 5.

Sticky—Client requests for content are to be handled by a sticky group when match conditions are met. Continue with Step 6.

Step 5 If you select Load Balance as the primary action:

a. In the Server Farm field, select the primary server farm to use for load balancing, or select *New* to configure a new server farm (see Table 4-13).

b. In the Backup Server Farm field, select the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or select *New* to configure a new backup server farm (see Table 4-13).


Note If you select an existing object in either field, you can view, modify, or duplicate the selected object's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects in virtual servers.


Step 6 If you select Sticky as the primary action, in the Sticky Group field, select an existing sticky group or click *New* to add a new sticky group (see Table 4-14).


Note If you select an existing sticky group, you can view, modify, or duplicate the selected object's existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects in virtual servers.


Step 7 In the Compression Method field, select the HTTP compression method to indicate how the ACE appliance is to compress packets when a client request indicates that the client browser is capable of packet compression. By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses.


Note By default, the ACE supports HTTP compression at rates of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for information on ACE licensing options.


Options include:

deflate—Specifies the deflate compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Deflate is the data format for compression described in RFC 1951.

gzip—Specifies the gzip compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Gzip is the file format for compression described in RFC1952.

N/A—HTTP compression is disabled.

When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values:

Mime type—All text formats (text/*).

Minimum size—512 bytes.

User agent—None.

Step 8 In the SSL Initiation field, select an existing service, or select *New* to create a new service:

If you select an existing SSL service, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you select *New*, configure the service using the information in Table 4-5. For more information about SSL, see Configuring SSL, page 8-1.

Step 9 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the format header_name=header_value where:

header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a predefined header or any custom header name, provided that it does not exceed the maximum length limit.

header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 11-35 lists the supported characters that you can use in regular expressions.

For example, you might enter Host=www.cisco.com.

Step 10 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE.

Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.

Deploy Later to save your entries and apply the configuration at a later time.
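
The megaproxy note under IP Netmask in Table 4-14 is easier to see with a small sticky-table model. The following added example (not ACE code) routes one browser session that leaves a megaproxy from several egress addresses, first with source-IP stickiness and then with cookie stickiness, and also applies the Timeout field. The class and function names, server names, addresses and cookie are constructed, and round-robin stands in for whatever predictor the server farm uses.

```python
"""Sticky-table model for the IP Netmask and HTTP Cookie types in Table 4-14.

Added illustration, not ACE code. Server names, addresses and the cookie
value are constructed sample data.
"""
import ipaddress
from itertools import cycle


class StickyGroup:
    def __init__(self, servers, key_func, timeout_minutes=1440):
        self._next_server = cycle(servers)  # stand-in for the farm's predictor
        self._key_func = key_func
        self._timeout = timeout_minutes     # Timeout field, default 1440 minutes
        self._table = {}                    # sticky key -> (server, last_seen_minute)

    def route(self, request, now_minute):
        """Return the real server for this request and refresh its sticky entry."""
        key = self._key_func(request)
        if key is None:
            # Nothing to stick on (for example, no cookie yet): plain load balancing.
            return next(self._next_server)
        entry = self._table.get(key)
        if entry and now_minute - entry[1] < self._timeout:
            server = entry[0]
        else:
            server = next(self._next_server)
        self._table[key] = (server, now_minute)
        return server


def source_ip_key(netmask):
    """Sticky key = client source address with the configured netmask applied."""
    def key(request):
        net = ipaddress.ip_network(f"{request['src']}/{netmask}", strict=False)
        return str(net.network_address)
    return key


def cookie_key(name):
    """Sticky key = value of the named cookie, or None if the client sent none."""
    def key(request):
        return request["cookies"].get(name)
    return key


def servers_used(group, requests):
    """Route the requests one minute apart and list the server chosen for each."""
    return [group.route(req, minute) for minute, req in enumerate(requests)]


SERVERS = ["rs1", "rs2", "rs3"]

# Constructed sample: one browser session whose requests leave a megaproxy
# from different egress addresses (documentation address ranges).
MEGAPROXY_SESSION = [
    {"src": "198.51.100.10", "cookies": {"SESSIONID": "a1"}},
    {"src": "203.0.113.20", "cookies": {"SESSIONID": "a1"}},
    {"src": "192.0.2.30", "cookies": {"SESSIONID": "a1"}},
    {"src": "198.51.100.77", "cookies": {"SESSIONID": "a1"}},
]

if __name__ == "__main__":
    by_ip = StickyGroup(SERVERS, source_ip_key("255.255.255.0"))
    by_cookie = StickyGroup(SERVERS, cookie_key("SESSIONID"))
    print("IP netmask:", servers_used(by_ip, MEGAPROXY_SESSION))
    print("HTTP cookie:", servers_used(by_cookie, MEGAPROXY_SESSION))
```

Source-IP stickiness spreads the single session across three real servers, while the cookie keeps it on one; the same model shows an entry being dropped once the timeout elapses.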


Related Topics

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Application Acceleration and Optimization

The ACE appliance includes configuration options that allow you to accelerate enterprise applications, resulting in increased employee productivity, enhanced customer retention, and increased online revenues. The application acceleration functions of the ACE appliance apply several optimization technologies to accelerate Web application performance. This application acceleration functionality enables enterprises to optimize network performance and improve access to critical business information. It also accelerates the performance of Web applications, including customer relationship management (CRM), portals, and online collaboration by up to 10 times.

Refer to Configuring Application Acceleration and Optimization, page 12-1 or the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for more information about application acceleration and optimization.

Use this procedure to configure acceleration and optimization on virtual servers that are configured on ACE appliances.

This option is available only for ACE appliances and only in the Advanced View.

Assumption

A virtual server has been configured on an ACE appliance with HTTP or HTTPS as the application protocol. See Configuring Virtual Servers for information on configuring a virtual server.

Procedure


Step 1 Select Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for optimization, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click Application Acceleration and Optimization. The Application Acceleration and Optimization configuration pane appears.

Step 4 In the Configuration field, indicate the method you want to use to configure application acceleration and optimization:

EZ—Use standard acceleration and optimization options. Continue with Step 5.

Custom—Associate specific match criteria, actions, and parameter maps for application acceleration and optimization for the virtual server. If you choose this option, continue with Step 6 through Step 14.

Step 5 If you select EZ, the Latency Optimization (FlashForward) and Bandwidth Optimization (Delta) fields appear.

a. Select the Latency Optimization (FlashForward) check box to indicate that the ACE appliance is to apply bandwidth reduction and download acceleration techniques to objects embedded within HTML pages. Clear the check box to indicate that the ACE appliance is not to apply these techniques to objects embedded within HTML pages. Latency optimization corresponds to FlashForward functionality. For more information about FlashForward functionality, see Optimization Overview, page 12-1.

b. Select the Bandwidth Optimization (Delta) check box to indicate that the ACE appliance is to dynamically update client browser caches with content differences, or deltas. Clear the check box to indicate that the ACE appliance is not to dynamically update client browser caches. Bandwidth optimization corresponds to action list Delta optimization. For more information about configuring Delta optimization, see Optimization Overview, page 12-1 and Configuring Action Lists for Application Acceleration and Optimization, page 12-3.

c. Continue with Step 14.

Step 6 If you select Custom, the Actions configuration pane appears with a table listing match criteria and actions. Click Add to add an entry to this table, or select an existing entry, then click Edit to modify it. The configuration pane refreshes with the available configuration options.

Step 7 In the Apply Building Block field, select one of the configuration building blocks for the type of optimization you want to configure, or leave blank to configure optimization without a building block:

Bandwidth Optimization—Maximizes bandwidth for Web-based traffic.

Latency Optimization for Embedded Objects—Reduces the latency associated with embedded objects in Web-based traffic.

Latency Optimization for Embedded Images—Reduces the latency associated with embedded images in Web-based traffic.

Latency Optimization for Containers—Reduces the latency associated with Web containers.

If you select one of the building blocks, the Rule Match configuration subset displays the configuration options with selections based on the building block chosen. You can accept the entries as they are or modify them.

If you do not select a building block, additional configuration options appear depending on the features you enable.

Step 8 In the Rule Match field, select an existing class map or click *New* to specify new match criteria:

If you select an existing class map, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the screen refreshes so that you can enter new match criteria.

Step 9 Configure match criteria using the information in Table 4-15.

Table 4-15 Optimization Match Criteria Configuration 

Field
Description

Name

Enter a unique name for this match criteria rule.

Match

Select the method to be used to evaluate multiple match statements when multiple match conditions exist:

Match Any—A match exists if at least one of the match conditions is satisfied.

Match All—A match exists only if all match conditions are satisfied.

Conditions

Click Add to add a new set of conditions or select an existing entry, then click Edit to modify it:

1. In the Type field, select the match condition to be used, then configure any condition-specific options using the information in Table 4-12.

2. Click OK to save your entries, or Cancel to exit this procedure without saving your entries.


Step 10 In the Actions field, select an existing action list to use for optimization or click *New* to create a new action list:

If you select an existing action list, you can view, modify, or duplicate the existing configuration. See Shared Objects and Virtual Servers for more information about modifying shared objects.

If you click *New*, the screen refreshes so you can configure an action list.

Step 11 Configure the action list using the information in Table 4-16.

Table 4-16 Optimization Action List Configuration Options 

Field
Description

Action List Name

Enter a unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.

Enable Delta

Delta optimization dynamically updates client browser caches directly with content differences, or deltas, resulting in faster page downloads.

Select this check box to enable delta optimization for the specified URLs. Clear this check box to disable this feature.

If you are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 4-17.

Enable AppScope

AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station and measures end-to-end application performance.

Select this check box to enable AppScope performance monitoring for use with the ACE appliance. Clear this check box to disable this feature.

If you are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 4-17.

Fast Redirect

The Fast Redirect feature specifies that the ACE appliance is to intercept 302 responses from the origin server and make a second request on behalf of the client for the redirect URL, fetch it, and send it to the client. This feature applies only to redirects within the same domain.

Select this check box to enable the fast redirect feature.

Clear this check box to disable the fast redirect feature.

FlashForward

The FlashForward feature reduces bandwidth usage and accelerates embedded object downloading by combining local object storage with dynamic renaming of embedded objects, thereby enforcing object freshness within the parent HTML page.

Specify how the ACE appliance is to implement FlashForward:

N/A—This feature is not enabled.

FlashForward—FlashForward is to be enabled for the specified URLs and embedded objects are to be transformed.

FlashForward Object—FlashForward static caching is to be enabled for the objects that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and GIF files.

If you are configuring without a building block and select either FlashForward or FlashForward Object, an additional option appears. Configure this option using the information in Table 4-17.

FlashConnect

The FlashConnect feature reduces bandwidth usage and accelerates the downloading of objects that are embedded within HTML pages. FlashConnect dynamically renames embedded objects by adding a prefix and changing the hostname so that the objects appear to reside on different hosts. FlashConnect then has the browser open a separate connection to the origin server for each object and retrieve the objects in parallel instead of sequentially.

Note If you enable this feature, you must configure DNS so that all requests for the rewritten object URLs are resolved back to the ACE appliance that rewrote them initially.

Specify how the ACE appliance is to implement FlashConnect:

N/A—This feature is not enabled.

FlashConnect—FlashConnect is to be enabled for the specified URLs.

FlashConnect Object—FlashConnect is to be enabled for corresponding embedded object URLs.

Cache Dynamic

Select this check box to enable Adaptive Dynamic Caching for the specified URLs even if the expiration settings in the response indicate that the content is dynamic. The expiration of cache objects is controlled by the cache expiration settings based on time or server load.

Clear this check box to disable this feature.

Cache Forward

Specify how the ACE appliance is to implement cache forwarding:

N/A—This feature is not enabled.

With Wait—Cache forwarding is enabled with the wait option for the specified URLs. If the object has expired but the maximum cache TTL time period has not yet expired, the ACE appliance sends a request to the origin server for the object. Users requesting this page continue to receive content from the cache during this time but must wait for the object to be updated before their request is satisfied. When the fresh object is returned, it is sent to the requesting user and the cache is updated.

Without Wait—Cache forwarding is enabled without the wait option.

Dynamic Etag

This feature enables the acceleration of noncacheable embedded objects, which results in improved application response time. When enabled, this feature eliminates the need for users to download noncacheable objects on each request.

Select this check box to indicate that the ACE appliance is to implement just-in-time object acceleration for noncacheable embedded objects.

Clear this check box to disable this feature.

Meta Refresh

The Meta Refresh feature enables the ACE appliance to automatically and transparently convert HTML META tag redirections into more efficient HTTP header-based redirections. When enabled, this feature eliminates the need for unnecessary freshness validation requests and results in significantly faster page response time.

Select this check box to enable the smart URL redirection on the ACE appliance.

Clear this check box to disable this feature.

XSLT Merge

Select this check box to indicate that the ACE appliance is to apply XSL style sheet transformations to an XML source document and return the resulting HTML document to the requestor. The ACE appliance applies other optimizations after the XML is transformed, but before the result is returned to the requestor.

Clear this check box to disable this feature.

If you are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 4-17.

Image Type

Image optimization controls how the ACE appliance compresses JPEG and PNG images. Image optimization is not applied to small images, such as thumbnails, or when optimization reduces the file size by less than 10 percent. Image optimization is not intended for images with many high-frequency components that do not compress well.

Specify how the ACE appliance is to handle image optimization:

N/A—This feature is not enabled.

Standard—The ACE appliance is to perform standard image optimization and smooth the image, if needed, to reduce noise.

Advanced—The ACE is to override standard settings and control individual optimization options. If you select this option and are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 4-17.

URL Maps

URL mapping enables the ACE appliance to alter URLs and other content in the data stream between an origin server and a client browser.

1. In the URL Maps table, click Add to add a new URL mapping, or select an existing mapping, then click Edit to modify it. The table refreshes with editable fields for your entries.

2. In the URL scope field, select the portion of the URL that is to be remapped:

All—URLs are to be altered, regardless of their locations.

Content—The content is to be altered, not just that which appears in URLs.

Cookie—The domain section of cookies is to be altered.

Header—URLs only within the Location response-header field are to be altered.

HTML—URLs only within the URL attribute of META HTTP-EQUIV tags and within the SRC attribute of the HTML tags BASE, HREF, IMG, LINK, SCRIPT, and STYLE are to be altered.

3. In the Replacement Directive field, indicate how the URL is to be altered:

Host—The host portion of the URL that is specified in the Source field is to be replaced with the string specified in the Destination field.

Pattern—The portion of the input stream specified in the Source field is to be replaced with the string specified in the Destination field.

Port—The port of the URL that is specified in the Source field is to be replaced with the port specified in the Destination field. Valid entries are integers from 0 to 65535.

Protocol—The URL protocol HTTP is to be replaced with HTTPS or HTTPS is to be replaced with HTTP.

4. In the Source field, enter the string or value that is to be replaced:

For Host replacements, enter the host portion that is to be replaced.

For Pattern replacements, enter a regular expression that defines subexpressions within the input stream that are to be replaced.

For Port replacements, enter the port number that is to be replaced.

For Protocol replacements, enter either HTTP or HTTPS as the protocol to be replaced.

5. In the Destination field, enter the string or value that is to replace the entry in the Source field:

For Host replacements, enter the new host string. Valid entries include a maximum of 64 alphanumeric characters.

For Pattern replacements, enter the pattern that is to replace the existing pattern. Valid entries include a maximum of 64 alphanumeric characters. For more information on Pattern replacements, see Configuring Pattern Replacements, page 12-10.

For Port replacements, enter the port number that is to replace the existing port number. Valid entries are integers from 0 to 65535.

For Protocol replacements, enter HTTP or HTTPS as the protocol to replace the existing protocol.

6. Click OK to save your entries and to return to the URL Maps table. Click Cancel to exit this procedure without saving your entries and to return to the URL Maps table.
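The URL Maps procedure above, as an added example that is not part of the Cisco guide: a simplified Python model of the Host, Port and Protocol directives applied in the Header and Cookie scopes, followed by a check that no reference to the origin host survives the rewrite. The function names, the dictionary field names, the host names and the sample response are constructed for illustration, and the model makes no claim about how the ACE implements the rewrite internally.

```python
from urllib.parse import urlsplit, urlunsplit


def check_port(value):
    """Ports must be integers from 0 to 65535, as the procedure states."""
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {value!r} is outside 0-65535")
    return port


def rewrite_url(url, directive, source, destination):
    """Apply one Host, Port or Protocol replacement to an absolute URL."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme, parts.hostname or "", parts.port
    if directive == "Host":
        if len(destination) > 64:
            raise ValueError("Host destination is limited to 64 characters")
        if host != source.lower():
            return url
        host = destination
    elif directive == "Port":
        old, new = check_port(source), check_port(destination)
        if port != old:  # model assumption: only an explicit port is matched
            return url
        port = new
    elif directive == "Protocol":
        if scheme.lower() != source.lower():
            return url
        scheme = destination.lower()
    else:
        raise ValueError(f"directive {directive!r} is not modelled here")
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_cookie_domain(set_cookie, source, destination):
    """Cookie scope: replace the Domain attribute of one Set-Cookie value."""
    out = []
    for attr in set_cookie.split(";"):
        name, sep, value = attr.strip().partition("=")
        if sep and name.lower() == "domain" and value.lstrip(".").lower() == source.lower():
            value = destination
        out.append(f"{name}{sep}{value}")
    return "; ".join(out)


def apply_url_maps(headers, url_maps):
    """Run every map, in order, over a list of (name, value) response headers."""
    result = []
    for name, value in headers:
        for m in url_maps:
            if m["scope"] == "Header" and name.lower() == "location":
                value = rewrite_url(value, m["directive"], m["source"], m["destination"])
            elif (m["scope"] == "Cookie" and m["directive"] == "Host"
                  and name.lower() == "set-cookie"):
                value = rewrite_cookie_domain(value, m["source"], m["destination"])
        result.append((name, value))
    return result


def origin_references(headers, origin_host):
    """Headers that still mention the origin host after rewriting."""
    return [(n, v) for n, v in headers if origin_host.lower() in v.lower()]


# Constructed sample: an origin server response and four URL map entries.
ORIGIN_HOST = "app01.internal.example"
ORIGIN_RESPONSE = [
    ("Location", "http://app01.internal.example:8080/login?next=%2Fcart"),
    ("Set-Cookie", "sid=abc123; Domain=app01.internal.example; Path=/; HttpOnly"),
    ("Content-Type", "text/html"),
]
URL_MAPS = [
    {"scope": "Header", "directive": "Host",
     "source": ORIGIN_HOST, "destination": "shop.example.com"},
    {"scope": "Header", "directive": "Protocol",
     "source": "HTTP", "destination": "HTTPS"},
    {"scope": "Header", "directive": "Port",
     "source": "8080", "destination": "443"},
    {"scope": "Cookie", "directive": "Host",
     "source": ORIGIN_HOST, "destination": "shop.example.com"},
]

if __name__ == "__main__":
    for name, value in apply_url_maps(ORIGIN_RESPONSE, URL_MAPS):
        print(f"{name}: {value}")
    print("leaks:", origin_references(apply_url_maps(ORIGIN_RESPONSE, URL_MAPS), ORIGIN_HOST))
```

In this model, dropping the Port and Cookie entries leaves the redirect pointing at port 8080 over HTTPS and the cookie still scoped to the origin host, which is the kind of gap the final check is meant to catch before a map set is deployed.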


Step 12 If you are configuring optimization without a building block, additional options appear when you enable specific features. Configure the additional options using the information in Table 4-17.

Table 4-17 Application Acceleration and Optimization Additional Configuration Options 

Field
Description

Response Codes to Ignore

Enter a comma-separated list of HTTP response codes for which the response body must not be read. For example, an entry of 302 indicates that the ACE is to ignore the response body of a 302 (redirect) response from the origin server. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.

Enable Delta Options

Max for POST Data to Scan for Logging (kBytes)

Enter the maximum number of kilobytes of POST data the ACE is to scan for parameters for the purpose of logging transaction parameters in the statistics log.

Valid entries are 0 to 1000 KB.

Specify Base File Anonymous Level

Information that is common to a large set of users is generally not confidential or user-specific. Conversely, information that is unique to a specific user or a small set of users is generally confidential or user-specific. The anonymous base file feature enables the ACE to create and deliver condensed base files that contain only information that is common to a large set of users. No information unique to a particular user, or across a very small subset of users, is included in anonymous base files.

Enter the value for base file anonymity for the all-user condensation method. Valid entries are integers from 0 to 50; the default value of 0 disables the base file anonymity feature.

Canonical URL Expressions

The ACE uses the canonical URL feature to eliminate the "?" and any characters that follow to identify the general part of the URL. This general URL is then used to create the base file. In this way, the ACE maps multiple URLs to a single canonical URL.

Enter a comma-separated list of parameter expander functions as defined in Table 12-4 to identify the URLs to associate with this parameter map.

Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters.

Enable Cacheable Content Optimization

This feature allows the ACE to detect content that can be cached and perform delta optimization on it.

Select the check box to enable delta optimization of content that can be cached. Clear the check box to disable this feature.

Enable Delta Optimization on First Visit to Web Page

Select the check box to enable condensation on the first visit to a Web page. Clear the check box to disable this feature.

Minimum page size for Delta Optimization (bytes)

Enter the minimum page size, in bytes, that can be condensed. Valid entries are integers from 1 to 250000 bytes.

Maximum page size for Delta Optimization (bytes)

Enter the maximum page size, in bytes, that can be condensed. Valid entries are integers from 1 to 250000 bytes.

Set Default Client Script

Indicate the scripting language that the ACE is to recognize on condensed content pages:

N/A—Indicates that this option is not configured.

Javascript—Indicates that the default scripting language is JavaScript.

Visual Basic Script—Indicates that the default scripting language is Visual Basic.

Exclude Iframes from Delta Optimization

Select the check box to indicate that delta optimization is not to be applied to IFrames (inline frames). Clear the check box to indicate that delta optimization is to be applied to IFrames.

Exclude Non-ASCII Data from Delta Optimization

Select the check box to indicate that delta optimization is not to be applied to non-ASCII data. Clear the check box to indicate that delta optimization is to be applied to non-ASCII data.

Exclude JavaScripts from Delta Optimization

Select the check box to indicate that delta optimization is not to be applied to JavaScript. Clear the check box to indicate that delta optimization is to be applied to JavaScript.

MIME Types to Exclude from Delta Optimization

1. In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail Extension) type messages that are not to have delta optimization applied, such as image/Jpeg, text/html, application/msword, or audio/mpeg. See Supported MIME Types, page 7-21 for a list of supported MIME types.

2. Click Add to add the entry to the list box on the right. You can position the entries in the list box by using the Up and Down buttons.

Remove HTML META Elements from Documents

Select the check box to indicate that HTML META elements are to be removed from documents to prevent them from being condensed. Clear the check box to indicate that HTML META elements are not to be removed from documents.

Rebase Delta Optimization Threshold (%)

Enter the delta threshold, expressed as a percent, at which rebasing is to be triggered. This entry represents the size of a page delta relative to total page size, expressed as a percent. This entry triggers rebasing when the delta response size exceeds the threshold as a percentage of base file size.

Valid entries are 0 to 10000 percent.

Rebase FlashForward Threshold (%)

Enter the threshold, expressed as a percent, at which rebasing is to be triggered based on the percent of FlashForwarded URLs in the response. This entry triggers rebasing when the difference between the percentages of FlashForwarded URLs in the delta response and the base file exceeds the threshold.

Valid entries are 0 to 10000 percent.

Rebase History Size (pages)

Enter the number of pages to be stored before the ACE resets all rebase control parameters to zero and starts over. This option prevents the base file from becoming too rigid.

Valid entries are 10 to 2147483647.

Rebase Modify Cool-off Period (seconds)

Enter the number of seconds after the last modification before performing a rebase.

Valid entries are 1 to 14400 seconds (4 hours).

Rebase Reset Period (seconds)

Enter the period of time, in seconds, for performing a meta data refresh.

Valid entries are 1 to 900 seconds (15 minutes).

UTF-8 Character Set Threshold

The UTF-8 (8-bit Unicode Transformation Format) character set is an international standard that allows Web pages to display non-ASCII or non-English multibyte characters. It can represent any universal character in the Unicode standard and is backwards compatible with ASCII.

Enter the number of UTF-8 characters that need to appear on a page to constitute a UTF-8 character set page. Valid entries are integers from 1 to 1,000,000.

Specify Delta Optimization Mode

Select the method by which delta optimization is to be implemented:

N/A—Indicates that a delta optimization mode is not configured.

Enable all-user mode for delta optimization—Indicates that the ACE is to generate the delta against a single base file that is shared by all users of the URL. This option is usable in most cases if the structure of a page is common across all users, and the disk space overhead is minimal.

Enable the per-user mode for delta optimization—Indicates that the ACE is to generate the delta against a base file that is created specifically for that user. This option is useful when page contents, including layout elements, are different for each user, and delivers the highest level of condensation. However, this increases disk space requirements because a copy of the base page that is delivered to each user is cached. This option is useful when privacy is required because base pages are not shared among users.

Enable Appscope Options

Appscope Optimize Rate (%)

Enter the percentage of all requests or sessions to be sampled for performance with acceleration (or optimization) applied. All applicable optimizations for the class will be performed. Valid entries are from 0 to 100 percent, with a default of 10 percent. The sum of this value and the value entered in the Passthru Rate Percent field must not exceed 100.

Appscope Passthrough Rate (%)

Enter the percentage of all requests or sessions to be sampled for performance without optimization. No optimizations for the class will be performed. Valid entries are from 0 to 100, with a default of 10 percent. The sum of this value and the value entered in the Optimize Rate Percent field must not exceed 100.

Max Number for Parameter Summary Log (bytes)

Enter the maximum number of bytes that are to be logged for each parameter value in the parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this limit, it is truncated at the specified limit. Valid entries are 0 to 10,000 bytes.

Specify String for Grouping Requests

Enter the string the ACE is to use to sort requests for AppScope reporting. The string can contain a URL regular expression that defines a set of URLs in which URLs that differ only by their query parameters are to be treated as separate URLs in AppScope reports.

For example, to define a string that is used to identify the URLs http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two separate reporting categories, you would enter http_query_param(region).

Valid entries contain 1 to 255 characters and can contain the parameter expander functions listed in Table 12-4.

FlashConnect Enabled Option

Hosts Limit for FlashConnect

FlashConnect dynamically renames embedded objects by adding a prefix and changing the hostname so that the objects appear to reside on different hosts. FlashConnect then has the browser open a separate connection to the origin server for each object and retrieve the objects in parallel instead of sequentially.

Enter the maximum number of artificial hosts that FlashConnect can create for retrieving embedded objects.

Valid entries are integers from 0 to 99.

XSLT Merge Options

Enable XSLT Merge Debug

Select the check box to enable the XSLT merge debug function. Clear the check box to disable the XSLT merge debug function.

Specify XSLT Stylesheet for PreTransform

Enter the URL of an XSLT style sheet to indicate that the ACE is to perform a pretransformation of the style sheet.

Specify XSLT Stylesheet for XSLT Merge

Enter the URL of an XSLT style sheet to force the use of this style sheet, regardless of any XSL specified in the XML source file.

Image Type - Advanced Options

Smooth Transform of Image

Select the check box to indicate that the ACE is to apply a smoothing transformation to images, if needed. Clear the check box to indicate that the ACE is not to apply a smoothing transformation to images.

Ignore Thumbnail Images

Select the check box to indicate that the ACE is to ignore small thumbnail images without transforming them in any way. Clear the check box to indicate that the ACE is not to ignore thumbnail images.

Progressive Rendering of Image

Select the check box to indicate that the ACE is to transform images so that they are rendered progressively by the browser. When enabled, this feature results in slightly larger image sizes. Because images render progressively, this feature might not be useful in fast networking environments, such as LANs.

Clear the check box to indicate that the ACE is not to transform images so that they are rendered progressively by the browser.

High Quality Transform of Image

Select the check box to indicate that the ACE is to apply higher quality transformation with less compression to images. When enabled, this option results in images that are larger than those compressed without this option, but they have less visual deterioration. Image size is smaller with this option than for uncompressed images.

Clear the check box to indicate that the ACE is not to apply higher quality transformation to images.

Grayscale Transform of Image

Select the check box to indicate that the ACE is to optimize images by transforming JPEG and PNG images to grayscale images.

Clear the check box to indicate that the ACE is not to optimize images by transforming JPEG and PNG images to grayscale images.


Step 13 When you finish configuring match criteria and actions, click:

OK to save your entries and to return to the Rule Match and Actions table.

Cancel to exit this procedure without saving your entries and to return to the Rule Match and Actions table.

Step 14 When you finish configuring virtual server properties, click:

Deploy Now to save your entries. The ACE appliance validates the action list configuration and deploys it.

Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.

Deploy Later to save your entries and apply the configuration at a later time.


Related Topics

Optimization Traffic Policies and Typical Configuration Flow, page 12-2

Configuring Traffic Policies for HTTP Optimization, page 12-13

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Configuring Virtual Server NAT

Use this procedure to configure Network Address Translation (NAT) for virtual servers. The NAT configuration subset appears in the Advanced View only.

Assumptions

A virtual server has been configured. See Configuring Virtual Servers for information on configuring a virtual server.

A VLAN has been configured. See Configuring VLAN Interfaces, page 9-2 for information on configuring a VLAN interface.

At least one NAT pool has been configured on a VLAN interface. See Configuring VLAN Interface NAT Pools, page 9-10 for information on configuring a NAT pool.

Procedure


Step 1 Select Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to configure for NAT, then click Edit. The Virtual Server configuration screen appears.

Step 3 Click NAT. The NAT table appears.

Step 4 Click Add to add an entry, or select an existing entry, then click Edit to modify it.

Step 5 In the VLAN field, select the VLAN on which you want to use NAT. For more information about NAT, see Configuring VLAN Interface NAT Pools, page 9-10.

Step 6 In the NAT Pool ID field, select the NAT pool that you want to associate with the selected VLAN.

Step 7 Click:

OK to save your entries and to return to the NAT table. The NAT table refreshes with the new entry.

Cancel to exit the procedure without saving your entries and to return to the NAT table.

Step 8 When you finish configuring virtual server properties, click:

Deploy Now to deploy this configuration on the ACE.

Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.

Deploy Later to save your entries and apply the configuration at a later time.


Related Topics

Configuring Virtual Servers

Configuring Virtual Server Properties

Configuring Virtual Server SSL Termination

Configuring Virtual Server Protocol Inspection

Configuring Virtual Server Layer 7 Load Balancing

Configuring Virtual Server Default Layer 7 Load Balancing

Managing Virtual Servers

The Virtual Servers table (Config > Operations > Virtual Servers) provides the following information by default for each virtual server:

Server name, sorted by virtual context

Admin state

Operational state


Note This column is populated for ACE 4710 appliances running image A3(1.0) and later. Clicking on the value in this column (irrespective of ACE version) will display detailed information about the Virtual Server in a popup.


Number of active connections


Note This column is populated for ACE 4710 appliances running image A3(1.0) and later. For ACE devices, the Active Connections column will display N/A for older versions of the ACE appliance and module.


VIP address

Configured port

VLANs

Associated server farms

Device

High availability

You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server.

The following options are available from the Virtual Servers table:

Deploying Virtual Servers

Viewing All Staged Virtual Servers

Modifying Deployed Virtual Servers

Modifying Staged Virtual Servers

Viewing Virtual Servers by Context

Activating Virtual Servers

Suspending Virtual Servers

Managing GSS VIP Answers

Activating and Suspending DNS Rules Governing GSS Load Balancing

Viewing Detailed Virtual Server Information

Viewing Virtual Servers

Understanding CLI Commands Sent from Virtual Server Table

Deploying Virtual Servers

You can deploy virtual servers on your network at times that are convenient and appropriate for your environment. For example, if your site prefers to make changes to the network during a specific time each night, you can modify and save virtual server configurations during the day and then deploy them when appropriate.

Use this procedure to deploy staged virtual servers on your network.

Procedure


Step 1 Select Config > Deploy. The Staged Objects table appears.

Step 2 Select the virtual server you want to deploy on your network, then click Deploy. The virtual server is deployed and the table refreshes with updated information.


Related Topics

Configuring Virtual Servers

Viewing All Staged Virtual Servers

Modifying Staged Virtual Servers

Viewing All Staged Virtual Servers

The ANM allows you to deploy configured virtual servers when it is appropriate for your environment. To view all objects that have been configured but have not yet been deployed on your network, select Config > Deploy. The Staged Objects table appears listing the:

Virtual server name

Device ID and virtual context

Time the virtual server was created

User who last modified the object

Time the object was last updated

Deployment status is also available in the Virtual Servers table (Config > Devices > context > Load Balancing > Virtual Servers). Virtual servers with configurations that have not been deployed appear with the status Not Deployed in the Configured State column.

Related Topics

Configuring Virtual Servers

Deploying Virtual Servers

Modifying Staged Virtual Servers

Modifying Deployed Virtual Servers

Modifying Deployed Virtual Servers

Use this procedure to modify the configuration of a deployed virtual server.

Procedure


Step 1 Select Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server you want to modify, then click Edit. The Virtual Server configuration screen appears.

Step 3 Modify the virtual server's configuration as desired. See Table 4-1 for virtual server configuration options.

Step 4 When you are done modifying the configuration, click:

Deploy Now to immediately deploy this configuration.

Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.


Related Topics

Managing Virtual Servers

Viewing All Staged Virtual Servers

Activating Virtual Servers

Suspending Virtual Servers

Modifying Staged Virtual Servers

Use this procedure to modify the configuration of a staged virtual server.

Procedure


Step 1 Select Config > Deploy. The Staged Objects table appears, listing those virtual servers that have not yet been deployed in the network.

Step 2 Select the virtual server you want to modify, then click Edit. The virtual server configuration screen appears.

Step 3 Modify the virtual server's configuration as desired. See Table 4-1 for virtual server configuration options.

Step 4 When you are done modifying the configuration, click:

Deploy Now to immediately deploy this configuration.

Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table.

Deploy Later to save your entries and apply this configuration at a later time.


Related Topics

Deploying Virtual Servers

Viewing All Staged Virtual Servers

Viewing Virtual Servers by Context

Viewing Virtual Servers by Context

Use this procedure to view all virtual servers associated with a virtual context.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the context associated with the virtual servers you want to view, then select Load Balancing > Virtual Servers. The Virtual Servers table appears with the following information:

Virtual server name

Configured state, such as Inservice or Out of service

VIP address

Port

Associated VLANs

Associated server farms

The owner, and context in which the virtual server was created


Related Topics

Configuring Virtual Servers

Managing Virtual Servers

Activating Virtual Servers

Use this procedure to activate a virtual server.


Note A missing operation or Admin state on a CSM or CSS device most likely means that the community string was not enabled on those devices. If the community string is not enabled on a CSM or CSS device, and any kind of operation is performed on those devices, it will not succeed, and ANM will not provide any kind of indication.

For CSM devices, you must enable the community string of the Catalyst 6K chassis.

For CSS devices, you must enable the community string of the CSS device itself.

Procedure


Step 1 Select Config > Operations > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server that you want to activate, then click Activate. The server is activated and the screen refreshes with updated information in the Configured State column.


Related Topics

Managing Virtual Servers

Viewing Virtual Servers

Suspending Virtual Servers

Suspending Virtual Servers

Use this procedure to suspend a virtual server.


Note A missing operation or Admin state on a CSM or CSS device most likely means that the community string was not enabled on those devices. If the community string is not enabled on a CSM or CSS device, and any kind of operation is performed on those devices, it will not succeed, and ANM will not provide any kind of indication.

For CSM devices, you must enable the community string of the Catalyst 6K chassis.

For CSS devices, you must enable the community string of the CSS device itself.

Procedure


Step 1 Select Config > Operations > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server that you want to suspend, then click Suspend. The server is taken out of service and the screen refreshes with updated information in the Configured State column.


Related Topics

Managing Virtual Servers

Viewing Virtual Servers

Activating Virtual Servers

Managing GSS VIP Answers

In a GSS network, the term answers refers to resources that respond to content queries. When you create an answer using the primary Global Site Selector Manager (PGSSM), you are simply identifying a resource on your GSS network to which queries can be directed and that can provide your user's D-proxy with the address of a valid host to serve their request.

Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, or a Web server are types of answers that are specified in the ANM UI in the GSS VIP Answers table found in ANM under Configuration > Operations. Use this procedure to poll, activate or suspend GSS VIP answers.

Assumption

You have established GSS VIP answers using the PGSSM.

Procedure


Step 1 Select Config > Operations > GSS VIP Answers. The GSS Answers table appears.

Step 2 Click the checkbox(es) to the left of the servers you want to poll, activate or suspend.

Step 3 Click:

Active/Suspended hyperlink to view the VIP answer details across the GSS node(s). A popup window appears listing all nodes associated with the VIP, operational state, hit count, and timestamp for each node.

Poll Now to query the chosen resource to verify it is still active.


Note If you click Poll Now immediately after you click Activate or Suspend, you might not get the VIP answer operational status on the PGSSM that reflects your most recent configuration. It might be necessary to click Poll Now 2 or 3 times in succession to get an accurate result.

Apart from this, the ability of ANM to update the VIP answer operational status and statistics accurately in the detailed GSS statistics window might depend on the polling interval that has been configured on the GSS. The polling interval can be configured directly on the GSS device. (The default is 5 minutes.) Therefore, it can take 5 minutes or more, depending on the interval, for the ANM server to show an accurate result.


Activate to reactivate a GSS answer.

Suspend to temporarily stop the GSS from using an associated answer.

If you clicked Activate or Suspend, a dialog box prompts for a Reason. Acceptable text consists of any characters or nothing at all.

Step 4 Click:

Deploy Now to complete Activation or Suspension.

Cancel to cancel the Activation or Suspension operation.


Related Topics

Load Balancing Overview

Activating and Suspending DNS Rules Governing GSS Load Balancing

Activating and Suspending DNS Rules Governing GSS Load Balancing

The DNS rules table in the Configuration > Operations navigation tree specifies actions for the GSS to take when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list).

The DNS rule specifies which response (answer) is given to the requesting user's local DNS host (D-proxy) and how that answer is chosen. One of a variety of balance methods is used to determine the best response to the request, based on the status and load of the GSS host devices.

Use this procedure to activate or suspend DNS rules associated with your GSS VIP answers table.

Assumption

You have established GSS VIP answers and DNS rules using the PGSSM.

Procedure


Step 1 Select Config > Operations > DNS Rules. The DNS Rules table appears.

Step 2 Click the checkbox(es) to the left of the servers you want to activate or suspend.

Step 3 Click the Activate or Suspend button. A dialog box prompts for a Reason. Acceptable text consists of any characters or none at all.

Step 4 Click:

Deploy Now to complete Activation or Suspension.

Cancel to cancel the Activation or Suspension operation.


Related Topics

Load Balancing Overview

Managing GSS VIP Answers

Viewing Detailed Virtual Server Information

Use this procedure to view detailed information about the state of a virtual server.

Procedure


Step 1 Select Config > Operations > Virtual Servers. The Virtual Servers table appears.

Step 2 Select the virtual server whose configuration details you want to view. Click the hyperlinked entry for that virtual server that appears in the Operational State column. The Details window appears with the following information:

Current operational status

Description, if one was entered

Configured interfaces, such as VLANs

Configured service policies including:

Configured class maps, detailed by type (such as load balancing or inspection)

States of configured options, indicated by word (ACTIVE, DISABLED, OUTOFSERVICE) and color (green, orange/yellow, and red)

Associated policy maps with details on their type and action (L7 loadbalance, serverfarm)

Statistics regarding connections and counts

Step 3 Click Refresh to view updated information or Cancel to return to the Virtual Servers table.


Related Topics

Configuring Virtual Servers

Managing Virtual Servers

Viewing Virtual Servers

To view all virtual servers, select Config > Operations > Virtual Servers. The Virtual Servers table appears with the following information for each server:

Server name, sorted by virtual context

Admin state

Operational state


Note This column is populated for ACE 4710 appliances running image A3(1.0) and later. Clicking on the value in this column (irrespective of ACE version) will display detailed information about the Virtual Server in a popup.


Number of active connections


Note This column is populated for ACE 4710 appliances running image A3(1.0) and later. For ACE devices, the Active Connections column will display N/A for older versions of the ACE appliance and module.


VIP address

Configured port

VLANs

Associated server farms

Device

High availability

You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server.

Related Topics

Activating Virtual Servers

Suspending Virtual Servers

Viewing Detailed Virtual Server Information

Understanding CLI Commands Sent from Virtual Server Table

Table 4-18 displays the CLI commands dispatched to the device for a given Virtual Servers table option, and is sorted by device.

Table 4-18 CLI Commands Deployed from Real Servers Table

Command
Sample CLI Sent

ACE Modules and Appliances

Virtual Server Activate

policy-map multi-match int25
  class VIP3
    loadbalance vip inservice

Virtual Server Suspend

policy-map multi-match int25
  class VIP3
    no loadbalance vip inservice

CSMs

Virtual Server Activate

vserver APP1
  inservice

Virtual Server Suspend

vserver APP1
  no inservice

CSS Devices

Virtual Server Activate

owner hm
  content LB
    active

Virtual Server Suspend

owner hm
  content LB
    suspend
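The command sequences in Table 4-18 can also be used for change auditing. The following added example is not part of the Cisco guide: it scans an ordered list of configuration commands from one device session and reports each virtual server activate or suspend sequence it recognizes. The function names, the session names and the sample sessions are constructed, and as a deliberate simplification any command that is not part of a Table 4-18 sequence clears the tracked context, so a sequence interrupted by other commands is not reported.

```python
LB_ON = ["loadbalance", "vip", "inservice"]
LB_OFF = ["no"] + LB_ON


def vserver_state_changes(commands):
    """Return (device_family, virtual_server, action) per Table 4-18 sequence."""
    changes, ctx = [], {}
    for raw in commands:
        w = raw.split()
        if not w:
            continue  # blank lines carry no command
        # ACE: policy-map multi-match <policy> / class <class> / [no] loadbalance vip inservice
        if len(w) == 3 and w[:2] == ["policy-map", "multi-match"]:
            ctx = {"policy": w[2]}
        elif len(w) == 2 and w[0] == "class" and "policy" in ctx:
            ctx = {"policy": ctx["policy"], "class": w[1]}
        elif w in (LB_ON, LB_OFF) and "class" in ctx:
            action = "suspend" if w[0] == "no" else "activate"
            changes.append(("ACE", f"{ctx['policy']}/{ctx['class']}", action))
        # CSM: vserver <name> / [no] inservice
        elif len(w) == 2 and w[0] == "vserver":
            ctx = {"vserver": w[1]}
        elif w in (["inservice"], ["no", "inservice"]) and "vserver" in ctx:
            action = "suspend" if w[0] == "no" else "activate"
            changes.append(("CSM", ctx["vserver"], action))
        # CSS: owner <owner> / content <rule> / active | suspend
        elif len(w) == 2 and w[0] == "owner":
            ctx = {"owner": w[1]}
        elif len(w) == 2 and w[0] == "content" and "owner" in ctx:
            ctx = {"owner": ctx["owner"], "content": w[1]}
        elif w in (["active"], ["suspend"]) and "content" in ctx:
            action = "activate" if w == ["active"] else "suspend"
            changes.append(("CSS", f"{ctx['owner']}/{ctx['content']}", action))
        else:
            ctx = {}  # anything else ends the tracked sequence
    return changes


def suspensions(sessions):
    """List (session, device_family, virtual_server) for every suspend found."""
    found = []
    for session, commands in sorted(sessions.items()):
        for family, vserver, action in vserver_state_changes(commands):
            if action == "suspend":
                found.append((session, family, vserver))
    return found


# Constructed sample sessions, using the object names shown in Table 4-18.
SESSIONS = {
    "ace-1": ["policy-map multi-match int25", "  class VIP3",
              "    no loadbalance vip inservice"],
    "csm-1": ["vserver APP1", "  inservice"],
    "css-1": ["owner hm", "  content LB", "    suspend"],
}

if __name__ == "__main__":
    for session, family, vserver in suspensions(SESSIONS):
        print(f"{session}: {family} virtual server {vserver} taken out of service")
```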