Table Of Contents
Configuring Virtualization
Information About Virtualization
Licensing Requirements for Virtualization
Guidelines and Limitations
Default Settings
Configuring Virtualization
Task Flow for Configuring Virtualization
Managing ACE Resources
Creating a Resource Class for Resource Management
Allocating Resources within a Resource Class
Configuring a Context
Creating a Context
Configuring a Context Description
Configuring a VLAN for a Context
Associating a Context with a Resource Class
Moving Between Contexts
Configuring User Roles
Creating a User Role
Assigning Privileges to a User Role
Configuring Domains
Creating a Domain
Associating Objects With a Domain
Configuring a User
Logging Out a User
Displaying Virtualization Configuration Information
Displaying Context Configurations
Displaying Domain Configurations
Displaying Resource Class Configurations
Displaying Role Configurations
Displaying Context Information
Displaying Resource Allocation
Displaying User Roles
Displaying Domains
Displaying User Information
Displaying Resource Usage Statistics for Contexts
Clearing Resource Usage Statistics
Configuration Examples for Virtualization
Configuring Virtualization
This chapter describes how to create and configure virtualization for your ACE. As the global administrator (SuperUser), you configure and manage all contexts through the Admin context, which contains the basic settings for each virtual device or context. Each context that you configure contains its own set of policies, interfaces, resources, and administrators.
This chapter contains the following sections:
• Information About Virtualization
• Licensing Requirements for Virtualization
• Guidelines and Limitations
• Default Settings
• Configuring Virtualization
• Displaying Virtualization Configuration Information
• Displaying Resource Usage Statistics for Contexts
• Configuration Examples for Virtualization
Information About Virtualization
You can operate your Cisco 4700 Series Application Control Engine (ACE) appliance in a single context or in multiple contexts. Multiple contexts use virtualization to partition your ACE into multiple virtual devices or contexts. Each context contains its own set of policies, interfaces, resources, and administrators.
This feature provides you with the tools to more closely and efficiently manage the system resources and users of the ACE, and the services you provide to your customers.
For a detailed overview on virtualization, see Chapter 1, Overview.
Licensing Requirements for Virtualization
By default, your ACE provides an Admin context and five user contexts, which allow you to use multiple contexts if you choose to configure them. To increase the number of user contexts up to a maximum of 20, you must obtain a separate license from Cisco. For details about licensing, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
Guidelines and Limitations
This section includes the guidelines and limitations for virtualization:
• Throughput and Management Traffic Bandwidth Rate Guidelines
• Resource Minimum Value Guidelines
• Changing the Resource Allocation of a Resource Class Guidelines
• Managed System Resources Guidelines
Throughput and Management Traffic Bandwidth Rate Guidelines
The maximum bandwidth rate per context is determined by your bandwidth license. By default, the entry-level ACE has a 1-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth for a total maximum bandwidth of 2 Gbps. With the 2-Gbps license, the ACE has a 2-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth for a total maximum bandwidth of 3 Gbps. You can upgrade the ACE with either an optional 2-Gbps or 4-Gbps bandwidth license (see the Cisco 4700 Series Application Control Engine Appliance Administration Guide).
When you configure a minimum bandwidth value for a resource class in the ACE by using the limit-resource command (see the "Allocating Resources within a Resource Class" section), the ACE subtracts that configured value from the total bandwidth maximum value of all contexts in the ACE, regardless of the resource class with which they are associated.
The total bandwidth rate of a context consists of the following two components:
• throughput—Limits through-the-ACE traffic. This is a derived value (you cannot configure it directly) and it is equal to the bandwidth rate minus the mgmt-traffic rate for the 1-Gbps, 2-Gbps, or 4-Gbps licenses.
• management traffic—Limits management (to-the-ACE) traffic in bytes per second. This parameter is independent of the limit-resource all minimum command. To guarantee a minimum amount of management traffic bandwidth, you must explicitly allocate a minimum percentage to management traffic using the limit-resource rate mgmt-traffic minimum command. When you allocate a minimum percentage of bandwidth to management traffic, the ACE subtracts that value from the maximum available management traffic bandwidth for all contexts in the ACE. By default, management traffic is guaranteed a minimum bandwidth rate of 0 and a maximum bandwidth rate of 1 Gbps, regardless of the bandwidth license that you install in the ACE.
For details about how the ACE manages bandwidth for throughput and management traffic rates, see the examples of the show resource-usage command output that follow. For each bandwidth license, there are examples for the default values, 25 percent minimum allocation to all resources, and both a 25 percent minimum allocation to all resources and a 10 percent minimum allocation to management traffic. The output has been modified to show only the relevant fields. All values are in bytes per second; to convert to bits per second, multiply each value by 8.
Example 2-1 Default Show Resource Usage Command Output for 1-Gbps License
Example 2-2 Show Resource Usage Command Output for 1-Gbps License with 25 Percent Minimum Allocation for All Resources
Example 2-3 Show Resource Usage Command Output for 1-Gbps License with 25 Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for Management Traffic
Example 2-4 Default Show Resource Usage Command Output for 2-Gbps License
Example 2-5 Show Resource Usage Command Output for 2-Gbps License with 25 Percent Minimum Allocation for All Resources
Example 2-6 Show Resource Usage Command Output for 2-Gbps License with 25 Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for Management Traffic
Example 2-7 Default Show Resource Usage Command Output for 4-Gbps License
Example 2-8 Show Resource Usage Command Output for 4-Gbps License with 25 Percent Minimum Allocation for All Resources
Example 2-9 Show Resource Usage Command Output for 4-Gbps License with 25 Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for Management Traffic
Resource Minimum Value Guidelines
When you configure a minimum value for a resource in a particular resource class in the ACE by using the limit-resource command (see the "Allocating Resources within a Resource Class" section), the ACE assigns the minimum resources only to the contexts that are members of the resource class. For all contexts, the ACE subtracts that configured minimum value from the maximum value of that resource, regardless of the resource class with which the contexts are associated. If the resource class has more than one context associated with it, the minimum value that the ACE subtracts from the maximum value is multiplied by the number of contexts in the resource class.
For example, with a 2-Gbps bandwidth license, if there are two contexts associated with the resource class and you configure a 25 percent minimum allocation for the bandwidth rate for the class, each context in the resource class would have the values that are shown in Example 2-10 for the show resource usage command output for the bandwidth rate and throughput rate.
Example 2-10 Show Resource Usage Command Output for 2-Gbps License with 25 Percent Minimum Allocation for Bandwidth
All other contexts in the ACE would have the same maximum values as shown in Example 2-10, but would have zero minimum values. Compare the values in Example 2-10 with the values in Example 2-5, which represents one context in a resource class.
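The accounting that this section and the bandwidth guidelines above describe, modelled as an added example (not Cisco's code and not the ACE's own implementation); Row, Usage, resource_usage and overcommitted are names chosen here, and applying the "bandwidth minus mgmt-traffic" derivation to the minimum and maximum columns separately is an assumption the text does not state:

```python
# Added example (not Cisco's code): a model of the per-context bandwidth accounting described
# in the "Throughput and Management Traffic Bandwidth Rate Guidelines" and "Resource Minimum
# Value Guidelines" sections. Values are bytes per second, as in show resource-usage output.
# Assumption not stated in the text: the "bandwidth minus mgmt-traffic" derivation of
# throughput is applied to the minimum and to the maximum column separately.
from dataclasses import dataclass

GBPS = 125_000_000                                   # 1 Gbps expressed in bytes per second
MGMT_MAX = 1 * GBPS                                  # management traffic: 1 Gbps cap, any license
THROUGH_TRAFFIC = {1: 1 * GBPS, 2: 2 * GBPS, 4: 4 * GBPS}   # through-traffic per bandwidth license


@dataclass(frozen=True)
class Row:
    """One line of show resource-usage: the (minimum, maximum) pair."""
    minimum: int
    maximum: int


@dataclass(frozen=True)
class Usage:
    bandwidth: Row
    throughput: Row
    mgmt_traffic: Row


def resource_usage(license_gbps, all_min_pct=0.0, mgmt_min_pct=0.0,
                   contexts_in_class=1, member=True):
    """Rows that one context shows for the given resource-class configuration.

    license_gbps      -- 1, 2 or 4 (the bandwidth license installed)
    all_min_pct       -- 'limit-resource all minimum' or 'rate bandwidth minimum' on the class
    mgmt_min_pct      -- 'limit-resource rate mgmt-traffic minimum' on the class
    contexts_in_class -- number of contexts that are members of that class
    member            -- True for a member of the class, False for any other context
    """
    if license_gbps not in THROUGH_TRAFFIC:
        raise ValueError("bandwidth license must be 1, 2 or 4 Gbps")
    if not (0 <= all_min_pct <= 100 and 0 <= mgmt_min_pct <= 100):
        raise ValueError("minimum percentages must be between 0.00 and 100.00")
    total_max = THROUGH_TRAFFIC[license_gbps] + MGMT_MAX       # 2, 3 or 5 Gbps in bytes/s
    # A minimum configured on the class is granted to each member context ...
    bw_min = int(total_max * all_min_pct / 100)
    mgmt_min = int(MGMT_MAX * mgmt_min_pct / 100)              # 'all' leaves mgmt-traffic untouched
    # ... and (minimum x members) is subtracted from the maximum of EVERY context in the ACE.
    bw_max = total_max - bw_min * contexts_in_class
    mgmt_max = MGMT_MAX - mgmt_min * contexts_in_class
    if not member:
        bw_min = mgmt_min = 0                                  # non-members keep a zero minimum
    return Usage(bandwidth=Row(bw_min, bw_max),
                 throughput=Row(bw_min - mgmt_min, bw_max - mgmt_max),
                 mgmt_traffic=Row(mgmt_min, mgmt_max))


def overcommitted(all_min_pct, contexts_in_class):
    """True when the class minimums together reserve more than the ACE has (over 100 percent)."""
    return all_min_pct * contexts_in_class > 100


if __name__ == "__main__":
    cases = {"1-Gbps license, defaults": dict(license_gbps=1),
             "1-Gbps, all minimum 25%": dict(license_gbps=1, all_min_pct=25),
             "1-Gbps, all 25% + mgmt-traffic 10%": dict(license_gbps=1, all_min_pct=25, mgmt_min_pct=10),
             "2-Gbps, bandwidth 25%, two members": dict(license_gbps=2, all_min_pct=25, contexts_in_class=2)}
    for label, kw in cases.items():
        u = resource_usage(**kw)
        print(f"{label}: bandwidth {u.bandwidth}, throughput {u.throughput}, mgmt {u.mgmt_traffic}")
```

The last case reproduces the two-context situation of Example 2-10: each member keeps a 93,750,000 bytes/s minimum while every context's maximum drops by twice that amount.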
Changing the Resource Allocation of a Resource Class Guidelines
If you (as the global Admin) need to change the resource allocation in a resource class of which two or more user contexts are members, you may do so at any time by entering the appropriate CLI commands. For details about allocating resources, see the "Allocating Resources within a Resource Class" section.
However, the shift in resources between the contexts does not take place immediately unless the appropriate resources are available to accommodate the change. In most cases, to effect a change in resource allocation, you must inform the context administrators involved to ensure that the new resource allocation is possible.
For example, suppose that context A is using 100 percent of the available resources of the class and you want to allocate 50 percent of the resources to context A and 50 percent of the resources to context B. Although the CLI accepts your resource allocation commands, context B cannot allocate 50 percent of the resources until context A deallocates 50 percent of its resources. In this case, you must perform the following:
• Inform the Context A administrator to start deallocating resources
• Inform the Context B administrator to start allocating resources after the Context A administrator releases the resources
As resources are released from other contexts, the ACE assigns the resources to resource-starved contexts (contexts where the resource-class minimum allocations have not been met).
Managed System Resources Guidelines
Table 2-1 lists the managed system resources of the ACE. You can limit these resources per context or for all contexts associated with the resource class by using the limit-resource command. See the "Allocating Resources within a Resource Class" section.
Table 2-1 System Resource Maximum Values
Resource | Maximum Value
Application Acceleration Connections | 10,000 connections. For details, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration Configuration Guide.
ACL Memory | 34123184 bytes.
Buffer Memory (Syslog) | 1048576 bytes.
Concurrent Connections | 1,000,000 connections (Layer 4), 100,000 connections (SSL).
HTTP Compression | 100 megabits per second (Mbps). You can upgrade the ACE maximum HTTP compression rate to 1 Gbps by purchasing a separate license from Cisco Systems. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
Management Connections | 100,000 connections.
Proxy Connections (Layer 7) | 256,000 connections.
Rate: Bandwidth | 1 gigabit per second (Gbps). You can upgrade the ACE maximum bandwidth to 2 Gbps by purchasing a separate license from Cisco Systems. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
Rate: Connections (any kind) | 120,000 connections per second (Layer 4); 40,000 connections per second (Layer 7).
Rate: MAC miss | 2000 packets per second.
Rate: Management traffic | 1 Gbps.
Rate: SSL connections | 1000 transactions per second (TPS). You can upgrade the SSL bandwidth to a maximum of 7500 TPS with a separate license. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
Rate: syslog | For traffic going to the ACE (control plane), 3000 messages per second. For traffic going through the ACE (data plane), 100,000 messages per second.
Regular Expression Memory | 1,048,576 bytes.
Sticky Entries | 819,200 table entries.
Xlates (network and port address translation entries) | 65,535 Xlates (network entries); 1,000,000 Xlates (port address translation entries).
Default Settings
Table 2-2 lists the default settings for the virtualization function.
Table 2-2 Default Virtualization Parameters
Parameters | Default
Through-traffic Bandwidth | The entry-level ACE has a 1-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth for a total maximum bandwidth of 2 Gbps. With the 2-Gbps license, the ACE has a 2-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth for a total maximum bandwidth of 3 Gbps. You can upgrade the ACE with either an optional 2-Gbps or 4-Gbps bandwidth license (see the Cisco 4700 Series Application Control Engine Appliance Administration Guide).
Management-traffic Bandwidth | Management traffic is guaranteed a minimum bandwidth rate of 0 and a maximum bandwidth rate of 1 Gbps, regardless of the bandwidth license that you install in the ACE.
Resource Allocation | Minimum: 0 percent. Maximum: 100 percent.
User Default Role | Network-Monitor.
Context Domain | Default-domain.
User accounts | admin, dm, and www.
User Password | Clear text.
Configuring Virtualization
This section includes the following topics:
• Task Flow for Configuring Virtualization
• Managing ACE Resources
• Configuring a Context
• Configuring User Roles
• Configuring Domains
• Configuring a User
• Logging Out a User
For additional information about the CLI command syntax described in this chapter, see the Cisco 4700 Series Application Control Engine Appliance Command Reference located at:
http://www.cisco.com/en/US/products/ps7027/prod_command_reference_list.html
Task Flow for Configuring Virtualization
Follow these steps to configure virtualization.
Step 1
Log in to the ACE as the global administrator using the console. By default, the console comes up with a single context called Admin.
Step 2
Enter configuration mode.
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
Step 3
Configure a resource class to limit resources used by user contexts. For example, to limit the resources of a context to 10 percent of the total resources available, enter the following commands:
host1/Admin(config)# resource-class RC1
host1/Admin(config-resource)# limit-resource all minimum 10 maximum equal-to-min
host1/Admin(config-resource)# exit
Step 4
Create a new context.
host1/Admin(config)# context C1
host1/Admin(config-context)#
Step 5
Associate an existing VLAN with the context so that the context can receive traffic classified for it.
host1/Admin(config-context)# allocate-interface vlan 100
Step 6
Associate the context with the resource class that you created in Step 3.
host1/Admin(config-context)# member RC1
Step 7
Change to the C1 context that you created in Step 4 and enter configuration mode in that context.
host1/Admin(config-context)# do changeto C1
host1/C1(config-context)# exit
Step 8
(Optional) Create a domain for the context.
host1/C1(config)# domain D1
Step 9
Allocate objects (for example, real servers, server farms, probes, ACLs, and so on) to the domain as needed.
host1/C1(config-domain)# add-object rserver SERVER1
Step 10
(Optional) Create roles to define the object and resource permissions for different groups of users.
host1/C1(config)# role UR1
Step 11
Create rules to define the role permissions.
host1/C1(config-role)# rule 1 permit create feature real
host1/C1(config-role)# rule 2 deny create feature acl
Step 12
Configure users as required and associate roles and domains with the users.
host1/C1(config)# username user1 password 5 MYPASSWORD role UR1 domain D1
Step 13
Verify the virtualization configuration by entering one of the following commands:
host1/C1# show running-config context
host1/C1# show running-config domain
host1/C1# show running-config resource-class
host1/C1# show running-config role
Managing ACE Resources
You can allocate system resources to multiple contexts by creating and defining one or more resource classes and then associating the contexts with a resource class.
The section contains the following topics:
• Creating a Resource Class for Resource Management
• Allocating Resources within a Resource Class
Creating a Resource Class for Resource Management
You can create a resource class to allocate and manage system resources by one or more contexts by using the resource-class command in configuration mode.
Restrictions
This configuration topic includes the following restrictions:
• The ACE supports a maximum of 100 resource classes.
• When you remove a resource class from the ACE, any contexts that were members of that resource class automatically become members of the default resource class. The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00 percent of all ACE resources to each context. You cannot modify the default resource class.
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
(config)#
Purpose: Enters configuration mode.
Step 2
Command: resource-class name
Example:
host1/Admin(config)# resource-class RC1
host1/Admin(config-resource)#
Purpose: Creates a resource class and accesses the resource configuration mode.
For the name argument, enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Step 3
Command: no resource-class name
Example:
host1/Admin(config)# no resource-class RC1
Purpose: (Optional) Removes a resource class from the configuration and removes all resources from any context to which the resource class is assigned.
Caution: The no resource-class command removes all resources from any context to which the specified resource class is assigned. Be sure that you want to do this before you enter the command.
Step 4
Command: do copy running-config startup-config
Example:
host1/Admin(config-resource)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Allocating Resources within a Resource Class
You can allocate all resources or individual resources to all member contexts of a resource class. For example, you can allocate only concurrent connections or sticky table memory. You allocate system resources to all members (contexts) of a resource class by using the limit-resource command in resource-class configuration mode.
Prerequisites
This configuration topic includes the following prerequisites:
• When you plan the initial resource allocations for the virtual contexts in your configuration, allocate only the minimum required or estimated resources. The ACE protects resources that are in use, so to decrease a context's resources, those resources must be unused. Although it is possible to decrease the resource allocations in real time, it may require additional management overhead to clear any used resources before reducing them. Therefore, it is considered a best practice to initially keep as many resources in reserve as possible and allocate the unused reserved resources as needed.
• You must configure a minimum value for sticky to allocate resources for sticky database entries, because the sticky software receives no resources under the unlimited setting. You can allocate resources to sticky by either configuring a minimum percentage of resources specifically for sticky (limit-resource sticky) or by configuring a minimum percentage of resources for all (limit-resource all).
Restrictions
This configuration topic includes the following restrictions:
• To address scaling and capacity planning, we recommend that new ACE installations do not exceed 60 to 80 percent of the appliance's total capacity. To accomplish this goal, create a reserved resource class with a guarantee of 20 to 40 percent of all the ACE resources. Configure a virtual context dedicated solely to ensuring that these resources are reserved. Then, you can efficiently distribute such reserved resources to contexts as capacity demands for handling client traffic increase over time.
• The limit that you set for individual resources when you use the limit-resource command overrides the limit that you set for all resources when you use the limit-resource all command.
• If you lower the limits for one context (context A) in order to increase the limits of another context (context B), you may experience a delay in the configuration change because the ACE will not lower the limits of context A until the resources are no longer being used by the context.
Detailed Steps
Step 1
Command: limit-resource resources {minimum number} {maximum {equal-to-min | unlimited}}
Example:
host1/Admin(config)# resource-class RC1
host1/Admin(config-resource)# limit-resource all minimum 20% maximum equal-to-min
Purpose: Specifies the system resource that you want to limit. The keywords, arguments, and options are as follows:
• resources—Enter one of the following keywords for the system resource:
– acc-connections—Limits the number of application acceleration connections.
– acl-memory—Limits memory space allocated for ACLs.
– all—Limits all resources to the specified value for all contexts assigned to this resource class, except for management traffic bandwidth.
– buffer syslog—Limits the number of syslog buffers.
– conc-connections—Limits the number of simultaneous connections.
– http-comp—Limits the HTTP compression rate.
– mgmt-connections—Limits the number of management (to-the-ACE) connections.
– proxy-connections—Limits the number of proxy connections.
– regexp—Limits the amount of regular expression memory.
– sticky—Limits the number of entries in the sticky table.
– xlates—Limits the number of network and port address translation entries.
• minimum number—Specifies the lowest acceptable value for a resource. Enter a value from 0.00 to 100.00 percent (two decimal places of granularity). The number argument specifies a percentage value for all contexts that are members of the resource class.
Note For configuration guidelines on the minimum keyword, see the "Guidelines and Limitations" section.
• maximum {equal-to-min | unlimited}—Specifies the maximum resource value: either the same value as the minimum value or no limit.
Step 2
Command: limit-resource rate rates {minimum number} {maximum {equal-to-min | unlimited}}
Example:
host1/Admin(config)# resource-class RC1
host1/Admin(config-resource)# limit-resource rate bandwidth minimum 20% maximum equal-to-min
Purpose: Limits a rate resource (connections, bandwidth, or syslog messages) as a number per second.
• rates—Enter one of the following keywords for the rate:
– bandwidth—Limits the total ACE throughput in bytes per second for one or more contexts. The maximum bandwidth rate per context is determined by your bandwidth license (see the "Licensing Requirements for Virtualization" section). When you configure a minimum bandwidth value for a resource class in the ACE, the ACE subtracts that configured value from the total bandwidth maximum value of all contexts in the ACE, regardless of the resource class with which they are associated.
Note For configuration guidelines on bandwidth, see the "Guidelines and Limitations" section.
– connections—Limits the number of connections of any kind per second.
– inspect conn—Limits the number of application protocol inspection connections per second for File Transfer Protocol (FTP) and Real-Time Streaming Protocol (RTSP) only.
– mac-miss—Limits, in bytes per second, the ACE traffic sent to the control plane when the encapsulation is not correct.
– mgmt-traffic—Limits management (to-the-ACE) traffic in bytes per second.
– ssl-connections—Limits the number of SSL connections per second.
– syslog—Limits the number of syslog messages per second.
• minimum number—Specifies the lowest acceptable value for a resource. Enter a value from 0.00 to 100.00 percent (two decimal places of granularity). The number argument specifies a percentage of the ACE's maximum value per second.
Note For configuration guidelines on the minimum keyword, see the "Guidelines and Limitations" section.
• maximum {equal-to-min | unlimited}—Specifies the maximum resource value: either the same value as the minimum value or no limit.
Step 3
Command: no limit-resource {resources | all}
Example:
host1/Admin(config-resource)# no limit-resource all
Purpose: (Optional) Restores resource allocation to the default values of 0 percent minimum and 100 percent maximum for a resource.
Step 4
Command: no limit-resource rate rates
Example:
host1/Admin(config-resource)# no limit-resource rate bandwidth
Purpose: (Optional) Restores the resource rate limit to the default values of 0 percent minimum and 100 percent maximum for a resource.
Step 5
Command: do copy running-config startup-config
Example:
host1/Admin(config-resource)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Step 6
Command: exit
Example:
host1/Admin(config-resource)# exit
host1/Admin(config)#
Purpose: (Optional) Exits the resource configuration mode.
Configuring a Context
A context provides a user view into the ACE and determines the resources available to a user. This section contains the following topics:
• Creating a Context
• Configuring a Context Description
• Configuring a VLAN for a Context
• Associating a Context with a Resource Class
• Moving Between Contexts
Creating a Context
A context provides a user view into the ACE and determines the resources available to a user. You create a context by using the context command in configuration mode.
Note
When you create a context, the ACE automatically creates a default domain (default-domain) for that context. You can create a maximum of 63 additional domains in each context. For information about configuring a domain, see the "Configuring Domains" section.
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
(config)#
Purpose: Enters configuration mode.
Step 2
Command: context name
Example:
host1/Admin(config)# context C1
host1/Admin(config-context)#
Purpose: Creates a context and accesses the context configuration mode.
For the name argument, enter a unique identifier of the context. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Do not configure a context name that contains opening braces, closing braces, white spaces, or any of the following characters: ` ! $ % & * ( ) \ | ; ' " < > / ?
Do not start the context name with any of the following characters: - . # ~
Step 3
Command: no context name
Example:
host1/Admin(config)# no context C1
Purpose: (Optional) Removes a context from the configuration.
Step 4
Command: do copy running-config startup-config
Example:
host1/Admin(config-context)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
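As an added example (not Cisco's code), a small checker that applies the rules from the "Task Flow for Configuring Virtualization" section and from the context-naming rules above to a candidate configuration before it is typed into the appliance; check_config, its helpers and SAMPLE_CONFIG are constructed here, and the one-command-per-line input format with sub-modes closed by exit is an assumption taken from the chapter's own examples:

```python
# Added example (not Cisco's code): checks a candidate ACE virtualization configuration
# against the limits stated in this chapter. Assumed input: one command per line, as in the examples.
FORBIDDEN_IN_NAME = set('`!$%&*()\\|;\'"<>/?{}')   # whitespace is already excluded by split()
FORBIDDEN_NAME_START = set("-.#~")
RESOURCES = {"acc-connections", "acl-memory", "all", "buffer syslog", "conc-connections",
             "http-comp", "mgmt-connections", "proxy-connections", "regexp", "sticky", "xlates"}
RATES = {"bandwidth", "connections", "inspect conn", "mac-miss", "mgmt-traffic",
         "ssl-connections", "syslog"}

def check_name(name, what):
    """Naming rules from the "Creating a Context" section (the same rule is applied to classes)."""
    problems = [f"{what} '{name}' exceeds 64 characters"] if len(name) > 64 else []
    bad = "".join(sorted(set(name) & FORBIDDEN_IN_NAME))
    if bad:
        problems.append(f"{what} '{name}' contains forbidden character(s) {bad}")
    if name[0] in FORBIDDEN_NAME_START:
        problems.append(f"{what} '{name}' starts with forbidden character '{name[0]}'")
    return problems

def check_vlan(spec, where):
    """allocate-interface takes a VLAN number or a low-high range, within 2-4094."""
    parts = spec.split("-")
    ok = (all(p.isdigit() for p in parts) and len(parts) <= 2
          and 2 <= int(parts[0]) <= int(parts[-1]) <= 4094)
    return [] if ok else [f"{where}: VLAN '{spec}' is not a number or range within 2-4094"]

def check_limit(args, spec, where):
    """Parse 'limit-resource [rate] <target> minimum N maximum KEYWORD'; record N in spec."""
    table = RESOURCES
    if args and args[0] == "rate":
        table, args = RATES, args[1:]
    two = " ".join(args[:2])                       # two-word targets: buffer syslog, inspect conn
    name = two if two in table else (args[0] if args else "")
    rest = args[len(name.split()):]
    if name not in table:
        return [f"{where}: unknown resource or rate '{name}'"]
    if len(rest) != 4 or rest[0] != "minimum" or rest[2] != "maximum":
        return [f"{where}: expected 'minimum N maximum {{equal-to-min | unlimited}}'"]
    try:
        spec[name] = minimum = float(rest[1].rstrip("%"))
    except ValueError:
        minimum = -1.0                             # falls into the range error below
    problems = [] if 0.0 <= minimum <= 100.0 else [f"{where}: minimum '{rest[1]}' outside 0.00-100.00 percent"]
    if rest[3] not in ("equal-to-min", "unlimited"):
        problems.append(f"{where}: maximum must be equal-to-min or unlimited")
    return problems

def check_config(text):
    """Return the list of problems found; an empty list means the configuration passes."""
    problems, classes, contexts, mode = [], {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok:
            continue
        where, cmd = f"line {lineno}", tok[0]
        if cmd == "resource-class" and len(tok) == 2:
            mode = ("resource-class", tok[1])
            problems += check_name(tok[1], "resource class")
            classes.setdefault(tok[1], {})
        elif cmd == "context" and len(tok) == 2:
            mode = ("context", tok[1])
            problems += check_name(tok[1], "context")
            contexts.setdefault(tok[1], None)
        elif cmd == "limit-resource" and mode and mode[0] == "resource-class":
            problems += check_limit(tok[1:], classes[mode[1]], where)
        elif cmd == "member" and len(tok) == 2 and mode and mode[0] == "context":
            if tok[1] not in classes:
                problems.append(f"{where}: member refers to unknown resource class '{tok[1]}'")
            if contexts[mode[1]] is not None:    # one class per context; the ACE overwrites
                problems.append(f"{where}: context '{mode[1]}' already belongs to "
                                f"'{contexts[mode[1]]}'; the earlier class is overwritten")
            contexts[mode[1]] = tok[1]
        elif cmd == "allocate-interface" and len(tok) == 3 and tok[1] == "vlan":
            problems += check_vlan(tok[2], where)
        elif cmd == "exit":
            mode = None                            # other commands are not checked
    problems += [f"resource class '{n}' gives sticky no minimum (sticky gets nothing when unlimited)"
                 for n, s in classes.items() if s.get("sticky", 0) <= 0 and s.get("all", 0) <= 0]
    return problems

# Constructed sample: the chapter's task-flow commands plus deliberate mistakes.
SAMPLE_CONFIG = """\
resource-class RC1
  limit-resource all minimum 10 maximum equal-to-min
  exit
resource-class RC2
  limit-resource rate connections minimum 150 maximum equal-to-min
  exit
context C1
  allocate-interface vlan 100
  member RC1
  exit
context -bad{name}
  allocate-interface vlan 1
  member RC1
  member RC3
"""
```

Running check_config(SAMPLE_CONFIG) reports seven findings: the out-of-range minimum, the two naming violations, the VLAN below 2, the unknown class, the overwritten membership, and the class that leaves sticky without a minimum.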
Configuring a Context Description
You enter a description for the context by using the description command in context configuration mode.
Detailed Steps
Step 1
Command: description text
Example:
host1/Admin(config-context)# description context for accounting users
Purpose: Enters a description for a user context.
For the text argument, enter a description as an unquoted text string with a maximum of 240 alphanumeric characters.
Step 2
Command: no description
Example:
host1/Admin(config-context)# no description
Purpose: (Optional) Removes the context description from the configuration.
Step 3
Command: do copy running-config startup-config
Example:
host1/Admin(config-context)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring a VLAN for a Context
The ACE uses class maps and policy maps to classify (filter) traffic and direct it to different interfaces (VLANs) using a service policy. A context uses VLANs to receive packets classified for that VLAN. You allocate one or more existing VLANs on which a user context can receive packets by using the allocate-interface command in context configuration mode in the Admin context. You can enter this command multiple times to specify multiple VLANs for a user context.
Restrictions
This configuration topic includes the following restrictions:
• You can configure an interface directly in a user context, but the state of the interface remains Down until you enter the allocate-interface command for that interface in the Admin context. You can configure the interface and allocate the interface in any order.
• If you remove an interface in the Admin context and the same interface is in use in a user context, the state of the interface becomes Down. Entering the show interface command in the user context shows the interface as Down and the reason that the interface is no longer allocated in the Admin context.
• You cannot deallocate a VLAN from a user context if the VLAN is in use in that context.
Detailed Steps
Step 1
Command: allocate-interface vlan number
Example:
host1/Admin(config-context)# allocate-interface vlan 100
Example:
host1/Admin(config-context)# allocate-interface vlan 100-200
Purpose: Allocates one or more existing VLANs on which a user context can receive packets.
For the number argument, enter the number of an existing VLAN or a range of VLANs that you want to assign to the context, as integers from 2 to 4094.
Step 2
Command: no allocate-interface vlan number
Example:
host1/Admin(config-context)# no allocate-interface vlan 100
Example:
host1/Admin(config-context)# no allocate-interface vlan 100-200
Purpose: (Optional) Deallocates a VLAN or range of VLANs from a context.
Step 3
Command: do copy running-config startup-config
Example:
host1/Admin(config-context)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Associating a Context with a Resource Class
Resource classes limit the resources available to one or more contexts. You associate a context with a resource class or associate the same context with a different resource class by using the member command in context configuration mode.
Prerequisites
This configuration topic includes the following prerequisites:
• The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00 percent of all ACE resources to each context. You can associate a context with only one resource class. For more information about resource classes, see the "Guidelines and Limitations" section.
• When you remove a context from a resource class, the ACE releases all resources associated with that context and makes the resources available to other contexts in the class.
Restrictions
This configuration topic includes the following restrictions:
• If you do not specify a resource class, the context automatically is a member of the default resource class.
• You can associate a context with only one resource class. If you try to associate more than one resource class to the context, the ACE overwrites the existing class.
• When you add a context to a resource class, the ACE adds only those resources that can remain within their configured limits. If you want to allocate additional resources to the context, you can do so if the resources are available. Otherwise, you must first release some resources from other contexts within the resource class. For details about modifying the resource allocation among contexts, see the "Configuring a Context" section.
Detailed Steps
Step 1
Command: member class
Example:
host1/Admin(config-context)# member RC1
Purpose: Associates a context with a resource class, or associates the same context with a different resource class.
For the class argument, enter the name of an existing resource class as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For information about configuring a resource class, see the "Creating a Resource Class for Resource Management" section.
Step 2
Command: no member class
Example:
host1/Admin(config-context)# no member RC1
Purpose: (Optional) Disassociates a context from a resource class.
Step 3
Command: do copy running-config startup-config
Example:
host1/Admin(config-context)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Step 4
Command: exit
Example:
host1/Admin(config-context)# exit
host1/Admin(config)#
Purpose: (Optional) Exits the context configuration mode.
Moving Between Contexts
You move between contexts by using the changeto command in Exec mode.
Prerequisites
Context administrators, who have access to multiple contexts, must explicitly log in to the other contexts to which they have access.
Restrictions
This configuration topic includes the following restrictions:
• You must have one of the predefined user roles in the Admin context to use the changeto command. For information about the predefined user roles, see the "Role-Based Access Control" section in Chapter 1, Overview.
• The user role that is enforced after you enter the changeto command is that of the Admin context and not that of the non-Admin context.
• You cannot add, modify, or delete objects in a custom domain after you change to a non-Admin context.
– If you originally had access to the default-domain in the Admin context prior to moving to a non-Admin context, the ACE allows you to configure any object in the non-Admin context.
– If you originally had access to a custom domain in the Admin context prior to moving to a non-Admin context, any created objects in the new context will be added to the default-domain. However, an error message will appear when you attempt to modify existing objects in the non-Admin context.
Detailed Steps
Step 1
Command: changeto name
Example:
Purpose: Moves from one context on the ACE to another context.
Note You can move between contexts in configuration mode by using the do changeto command.
The name argument specifies the identifier of an existing context. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Step 2
Command: do copy running-config startup-config
Example:
host1/C1# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Step 3
Command: exit
Example:
host1/C1# exit
host1/Admin#
Purpose: (Optional) Exits the context and returns to the Admin context.
Configuring User Roles
This section contains the following topics:
• Creating a User Role
• Assigning Privileges to a User Role
Creating a User Role
User roles determine the privileges that a user has, the commands that a user can enter, and the actions that a user can perform in a particular context. For a list of the predefined roles that the ACE provides, see Chapter 1, Overview.
Prerequisites
Only the global administrator or a context administrator can configure additional roles.
Restrictions
If you do not assign a role to a new user, the default role is Network-Monitor. For users that you create in the Admin context, the default scope of access is the entire device. For users that you create in other contexts, the default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair using the username command (see the "Configuring a User" section).
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
(config)#
Purpose: Enters configuration mode.
Step 2
Command: role name
Example:
host1/C1(config)# role TECHNICIAN
Purpose: Creates a role and accesses the role configuration mode.
Note To display the predefined roles in the CLI, enter the show role command in Exec mode.
The name argument is an identifier associated with a role. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Step 3
Command: no role name
Example:
host1/C1(config)# no role TECHNICIAN
Purpose: (Optional) Removes the role from the configuration.
Step 4
Command: do copy running-config startup-config
Example:
host1/C1(config-role)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Assigning Privileges to a User Role
After you create a user role, you can limit the features that a user has access to and the commands the user can enter for that feature by configuring rules for that role. You assign privileges per feature to a role by using the rule command in role configuration mode.
Restrictions
To allow a user with a customized role to work from the ACE Appliance Device Manager, you must configure the role with rules that permit the create operation for the config-copy and exec-commands features.
Detailed Steps
Step 1
Command: rule number {permit | deny} {create | modify | debug | monitor} [feature features]
Example:
host1/C1(config)# role TECHNICIAN
host1/C1(config-role)# rule 1 permit create rserver
Purpose: Specifies whether to allow or disallow operations that can be performed by a user, the type of commands that can be permitted or disallowed by the role, and the ACE feature to use when configuring the rule. The keywords, arguments, and options are as follows:
• number—Identifier of the rule and order of precedence. Enter a unique integer from 1 to 16. The rule number determines the order in which the ACE applies the rules, with a higher-numbered rule applied after a lower-numbered rule.
• permit—Allows the role to perform the operations defined by the rest of the command keywords.
• deny—Disallows the role to perform the operations defined by the rest of the command keywords.
• create—Specifies commands for the creation of new objects or the deletion of existing objects (includes modify, debug, and monitor commands).
• modify—Specifies commands for modifying existing configurations (includes debug and monitor commands).
• debug—Specifies commands for debugging problems (includes monitor commands).
• monitor—Specifies commands for monitoring resources and objects (show commands).
• feature features—(Optional) Specifies an ACE feature for configuring this rule. For the features argument, enter one of the following keywords for the system resource:
– AAA—Specifies commands for authentication, authorization, and accounting.
– access-list—Specifies commands for access control lists (ACLs). Includes ACL configuration, class maps for ACL, and policy maps that contain ACL class maps.
– changeto—Specifies the changeto command that enables the user to move between contexts. This command allows a user-defined role to use the changeto command. Also, users retain their privileges when accessing different contexts. By default, this command is disabled for user-defined roles.
– config-copy—Specifies commands for copying the running-config file to the startup-config file, the startup-config file to the running-config file, and copying both config files to the flash disk (disk0:) or a remote server.
– connection—Specifies commands for network connections.
– dhcp—Specifies commands for Dynamic Host Configuration Protocol.
– exec-commands—Specifies the following Exec mode commands: capture, clear, debug, delete, gunzip, mkdir, move, rmdir, set, setup, system, tac-pac, telnet, untar, write, and undebug.
– fault-tolerant—Specifies commands for redundancy.
– inspect—Specifies commands for packet inspection used in data-center security.
– interface—Specifies all interface commands.
– loadbalance—Specifies commands for load balancing (including the application acceleration and optimization functions). Allows adding a load-balancing action in a policy map.
– nat—Specifies commands for Network Address Translation (NAT) associated with a class map in a policy map used in data-center security.
– pki—Specifies commands for SSL public key infrastructure (PKI).
– probe—Specifies commands for keepalives for real servers.
– real-inservice—Specifies commands for placing a real server in service.
– routing—Specifies all commands for routing, both global and per interface.
– rserver—Specifies commands for physical servers.
– serverfarm—Specifies commands for server farms.
– ssl—Specifies commands for SSL.
– sticky—Specifies commands for server persistence.
– syslog—Specifies the system logging facility setup commands.
– vip—Specifies commands for virtual IP addresses and virtual servers.
Step 2
Command: no rule number {permit | deny} {create | modify | debug | monitor} [feature {features}]
Example:
host1/C1(config-role)# no rule 1 permit create rserver
Purpose: (Optional) Removes the rule from a role.
Step 3
Command: do copy running-config startup-config
Example:
host1/C1(config-role)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Step 4
Command: exit
Example:
host1/Admin(config-role)# exit
host1/Admin(config)#
Purpose: (Optional) Exits the role configuration mode.
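As an added example (not Cisco's code and not part of this guide), the following Python script parses role and rule lines in the form this table shows, works out what a role effectively permits per feature using the level hierarchy described above (create includes modify, debug, and monitor), and checks the Device Manager restriction from the start of this section. It assumes that a rule without a feature keyword applies to all features and that the highest-numbered applicable rule decides; the TECHNICIAN role configuration is constructed.

```python
import re
from dataclasses import dataclass

# Permission levels from most to least privileged. The page states that a
# permit of a higher level includes the lower ones (create includes modify,
# debug and monitor), so rank 0 is the widest grant.
LEVELS = ("create", "modify", "debug", "monitor")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Accepts both the page's example form (rule 1 permit create rserver) and the
# syntax-line form with the feature keyword (rule 1 permit create feature rserver).
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(create|modify|debug|monitor)"
    r"(?:\s+(?:feature\s+)?([A-Za-z-]+))?\s*$"
)
ROLE_RE = re.compile(r"^\s*role\s+(\S+)\s*$")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str    # "permit" or "deny"
    level: str     # one of LEVELS
    feature: str   # feature keyword, or "*" when the rule names no feature


def parse_roles(config_text: str) -> dict:
    """Parse 'role NAME' blocks and their 'rule ...' lines from running-config
    text. Returns {role_name: [Rule, ...]} with rules sorted by number.
    Assumption: a rule that names no feature applies to every feature."""
    roles: dict = {}
    current = None
    for line in config_text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            current = m.group(1)
            roles.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            number, action, level, feature = m.groups()
            roles[current].append(Rule(int(number), action, level, feature or "*"))
    for rules in roles.values():
        rules.sort(key=lambda r: r.number)
    return roles


def allows(rules, level: str, feature: str) -> bool:
    """Decide whether a role permits operation `level` on `feature`.
    Modelling assumption: rules are applied in ascending number order and the
    last applicable rule decides, which is how 'a higher-numbered rule applied
    after a lower-numbered rule' is read here. Nothing is permitted by default.
    A rule at level X covers X and every lower level, for permit and deny alike."""
    decision = False
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.feature not in ("*", feature):
            continue
        if RANK[rule.level] <= RANK[level]:
            decision = rule.action == "permit"
    return decision


def effective_levels(rules, features) -> dict:
    """Least-privilege review: the widest level the role can exercise on each
    feature, or None when the role has no access to that feature at all."""
    result = {}
    for feature in features:
        result[feature] = next((lvl for lvl in LEVELS if allows(rules, lvl, feature)), None)
    return result


def device_manager_gaps(rules) -> list:
    """Features a custom role still lacks 'create' on before a user holding it
    can work from the ACE Appliance Device Manager (the page's restriction)."""
    return [f for f in ("config-copy", "exec-commands") if not allows(rules, "create", f)]


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
role TECHNICIAN
  rule 1 permit monitor
  rule 2 permit create feature rserver
  rule 3 permit modify feature serverfarm
  rule 4 deny create feature changeto
  rule 5 permit create feature config-copy
"""

if __name__ == "__main__":
    tech = parse_roles(SAMPLE_CONFIG)["TECHNICIAN"]
    print(effective_levels(tech, ["rserver", "serverfarm", "ssl", "changeto"]))
    print("Device Manager gaps:", device_manager_gaps(tech))
```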
Configuring Domains
This section contains the following topics:
• Creating a Domain
• Associating Objects With a Domain
Creating a Domain
A domain is the namespace in which a user operates.
Restrictions
This configuration topic includes the following restrictions:
• You can create a maximum of 63 additional domains in each context.
• A domain does not restrict the context configuration that you can display using the show running-config command. You can still display the running configuration for the entire context. However, a domain can restrict your access to the configurable objects within a context by adding only a limited subset of all the objects available to a context to the domain. You can further restrict the operations that a user can perform on those configurable objects by assigning a role to a user. For information about configuring user roles, see the "Configuring User Roles" section.
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
(config)#
Purpose: Enters configuration mode.
Step 2
Command: domain name
Example:
host1/C1(config)# domain D1
Purpose: Creates a domain and accesses domain configuration mode.
For the name argument, enter an unquoted text string with no spaces and a maximum of 76 alphanumeric characters.
Step 3
Command: no domain name
Example:
host1/C1(config)# no domain D1
Purpose: (Optional) Removes the domain from the configuration.
Step 4
Command: do copy running-config startup-config
Example:
host1/C1(config-domain)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Associating Objects With a Domain
After you create a domain, you can associate configurable objects with that domain (for example, a real server, server farm, interface, and so on). You associate a configurable object with a domain by using the add-object command in domain configuration mode.
Detailed Steps
Step 1
Command: add-object {access-list {ethertype | extended} name | all | class-map name | interface {bvi | vlan} | object_group name | parameter-map name | policy-map name | probe name | rserver name | script name | serverfarm name | sticky name}
Example:
host1/C1(config)# domain D1
host1/C1(config-domain)# add-object interface vlan 10
Purpose: Specifies the object to be associated with a domain. The keywords, arguments, and options are as follows:
• access-list—Specifies an existing access control list (ACL) that you want to associate with the domain. Enter the following:
– ethertype—Specifies an existing EtherType access control list that you want to associate with the domain.
– extended—Specifies an existing extended access control list that you want to associate with the domain.
– name—Name of the access control list.
• all—Specifies that all existing configuration objects in the context are added to the domain.
• class-map name—Specifies an existing class map for flow classification that you want to associate with the domain.
• interface—Specifies an existing interface that you want to associate with the domain.
– bvi number—Specifies the existing Bridge Group Virtual Interface that you want to associate with the domain. Enter an integer from 1 to 4094.
– vlan number—Specifies the existing VLAN that you want to associate with the domain. Enter an integer from 2 to 4094.
• object-group name—Specifies an existing object group that you want to associate with the domain.
• parameter-map name—Specifies an existing parameter map that you want to associate with the domain.
• policy-map name—Specifies an existing policy map that you want to associate with the domain.
• probe name—Specifies an existing real server probe (keepalive) that you want to associate with the domain.
• rserver name—Specifies an existing real server that you want to associate with the domain.
• script name—Specifies an existing script that you created with the ACE TCL scripting language.
• serverfarm name—Specifies an existing server farm that you want to associate with the domain.
• sticky name—Specifies an existing sticky group that you want to associate with the domain to maintain persistence with a server.
Step 2
Command: no add-object {access-list {ethertype | extended} name | all | class-map name | interface {bvi | vlan} | object_group name | parameter-map name | policy-map name | probe name | rserver name | script name | serverfarm name | sticky name}
Example:
host1/C1(config-domain)# no add-object interface vlan 10
Purpose: (Optional) Removes the object from the domain.
Step 3
Command: do copy running-config startup-config
Example:
host1/C1(config-domain)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Step 4
Command: exit
Example:
host1/Admin(config-domain)# exit
host1/Admin(config)#
Purpose: (Optional) Exits the domain configuration mode.
Configuring a User
You create a user and define the associated role and operating domains by using the username command in configuration mode.
The ACE creates the following default user accounts at startup: admin, dm, and www.
• The admin user is the global administrator and cannot be deleted.
• The dm user is for accessing the Device Manager GUI and cannot be deleted. The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE CLI.
Note Do not modify the dm user password from the ACE CLI. If the password is changed, the Device Manager GUI will become inoperative. If this occurs, restart the Device Manager using the dm reload command (you must be the global administrator to access the dm reload command). Note that restarting the Device Manager does not impact ACE functionality; however, it may take a few minutes for the Device Manager to reinitialize as it reads the ACE CLI configuration.
• The ACE uses the www user account for the XML interface.
Restrictions
This configuration topic includes the following restrictions:
• The global administrator (admin) assigns one user in each context as the context administrator. The context administrator can then log in to the context or contexts for which he or she is responsible and create additional users.
• If you do not assign a role to a new user, the default role is Network-Monitor. For users that you create in the Admin context, their default scope of access is the entire device. For users that you create in other contexts, their default scope of access is the entire context. If you need to restrict a user's access, you must assign a role-domain pair.
Detailed Steps
Step 1
Command: config
Example:
host1/Admin# config
(config)#
Purpose: Enters configuration mode.
Step 2
Command: username name1 [password [0 | 5] password] [expire date] [role name2] [domain name3 name4 . . . namen]
Example:
host1/C1(config)# username USER2 password HERSECRET expire 2008-12-31 role Admin domain default-domain D2
Purpose: Creates a user or changes the default username and password. The keywords, arguments, and options are as follows:
• name1—Identifier of the user that you are creating. Enter an unquoted text string with no spaces and a maximum of 24 alphanumeric characters.
The ACE supports the following non-alphanumeric characters in a username:
- _ @ \
The ACE does not support the following characters:
$ / ; ! #
Note The "." character is not supported on the local database but a username with this character is authenticated when it is configured on an ACS server.
• password—(Optional) Keyword that indicates that a password follows.
• 0—(Optional) Specifies a clear text password.
• 5—(Optional) Specifies an MD5-hashed strong encryption password.
• password—(Optional) Password in clear text or MD5 strong encryption, depending on the numbered option (0, 5, or 7) that you enter. If you do not enter a numbered option, the password is in clear text by default. If you enter the password keyword, you must enter a password. Enter a password as an unquoted text string with a maximum of 64 alphanumeric characters. The ACE supports the following special characters in a password:
, . / = + - ^ @ ! % ~ # $ * ( )
Note that the ACE encrypts clear text passwords in the running-config.
Note If you specify an MD5-hashed strong encryption password, the ACE considers a password to be weak if it is less than eight characters in length.
• expire date—(Optional) Specifies the expiration date of the user account. Enter the expiration date in the format yyyy-mm-dd. Be aware that the ACE applies the configured UTC offset to this date.
• role name2—(Optional) Specifies an existing role that you want to assign to the user.
• domain name3 name4 . . . namen—(Optional) Specifies the domains in which the user can operate. You can enter multiple domain names up to a maximum of 10, including default-domain.
Step 3
Command: no username name1
Example:
host1/C1(config)# no username USER2
Purpose: (Optional) Deletes a user from the configuration.
Step 4
Command: do copy running-config startup-config
Example:
host1/C1(config)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
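As an added example (not Cisco's code and not part of this guide), the following Python helper checks a username, password, expiration date, and domain list against the limits and character sets this table states, then assembles the resulting username line so that a bad value is caught before it reaches the CLI. It refuses a type 5 password shorter than eight characters, which is stricter than the ACE (the ACE only reports such a password as weak); the sample values are constructed.

```python
import re
from datetime import date

# Limits and character sets as the page states them.
USERNAME_MAX = 24
PASSWORD_MAX = 64
MAX_DOMAINS = 10
USERNAME_ALLOWED_EXTRA = set("-_@\\")      # supported non-alphanumerics
USERNAME_UNSUPPORTED = set("$/;!#")        # explicitly unsupported
PASSWORD_ALLOWED_EXTRA = set(",./=+-^@!%~#$*()")
WEAK_PASSWORD_LEN = 8                      # below this, a type 5 password counts as weak


def check_username(name: str, local_database: bool = True) -> list:
    """Return the problems with a username, empty when it is acceptable.
    The '.' character is rejected only for the local database; the page says
    such a name still authenticates when it is configured on an ACS server."""
    problems = []
    if not name:
        problems.append("username is empty")
    if len(name) > USERNAME_MAX:
        problems.append(f"longer than {USERNAME_MAX} characters")
    for ch in sorted(set(name)):
        if (ch.isascii() and ch.isalnum()) or ch in USERNAME_ALLOWED_EXTRA:
            continue
        if ch == ".":
            if local_database:
                problems.append("'.' is not supported on the local database")
        elif ch in USERNAME_UNSUPPORTED or ch.isspace():
            problems.append(f"character {ch!r} is not supported")
        else:
            problems.append(f"character {ch!r} is outside the documented set")
    return problems


def check_password(password: str, hashed: bool = False) -> list:
    """Return the problems with a password. `hashed` means the type 5 (MD5)
    form, for which the page says fewer than eight characters is weak."""
    problems = []
    if not password:
        problems.append("password is empty")
    if len(password) > PASSWORD_MAX:
        problems.append(f"longer than {PASSWORD_MAX} characters")
    for ch in sorted(set(password)):
        if not ((ch.isascii() and ch.isalnum()) or ch in PASSWORD_ALLOWED_EXTRA):
            problems.append(f"character {ch!r} is outside the documented set")
    if hashed and len(password) < WEAK_PASSWORD_LEN:
        problems.append("weak: fewer than eight characters for a type 5 password")
    return problems


def parse_expire(text: str) -> date:
    """Parse the expire argument, which must be yyyy-mm-dd; raises ValueError
    otherwise. The ACE applies its configured UTC offset to this date, so the
    caller should treat it as a UTC date rather than a local one."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", text):
        raise ValueError(f"expire must be yyyy-mm-dd, got {text!r}")
    return date.fromisoformat(text)


def build_username_command(name, password=None, password_type=0, expire=None,
                           role=None, domains=()) -> str:
    """Assemble a `username` line after validating every part.
    Raises ValueError listing all problems found."""
    problems = check_username(name)
    if password is not None:
        if password_type not in (0, 5):
            problems.append("password type must be 0 (clear text) or 5 (MD5)")
        problems += check_password(password, hashed=(password_type == 5))
    if len(domains) > MAX_DOMAINS:
        problems.append(f"more than {MAX_DOMAINS} domains (default-domain counts)")
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["username", name]
    if password is not None:
        parts += ["password", str(password_type), password]
    if expire is not None:
        parts += ["expire", parse_expire(expire).isoformat()]
    if role is not None:
        parts += ["role", role]
    if domains:
        parts += ["domain", *domains]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed values mirroring the shape of the example in the table above.
    print(build_username_command("USER2", "HERSECRET", 0, "2008-12-31",
                                 "Admin", ("default-domain", "D2")))
```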
Logging Out a User
You can force a user to log out and clear the user session by using the clear user command in Exec mode.
Detailed Steps
Command: clear user name
Example:
host1/Admin# clear user John
Purpose: Clears a user session.
For the name argument, enter the name of an existing user as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Displaying Virtualization Configuration Information
This section describes the show commands that allow you to display a range of configuration information for the contexts configured on your ACE.
This section contains the following topics:
• Displaying Context Configurations
• Displaying Domain Configurations
• Displaying Resource Class Configurations
• Displaying Role Configurations
• Displaying Context Information
• Displaying Resource Allocation
• Displaying User Roles
• Displaying Domains
• Displaying User Information
For additional information about the CLI command syntax described in this chapter, see the Cisco 4700 Series Application Control Engine Appliance Command Reference located at:
http://www.cisco.com/en/US/products/ps7027/prod_command_reference_list.html
Displaying Context Configurations
You display context configurations by using the show running-config context command in Exec mode.
Command: show running-config context
Purpose: Displays all configured user contexts and their descriptions, resource classes, and allocated VLANs.
Displaying Domain Configurations
You display domain configurations by using the show running-config domain command in Exec mode.
Command: show running-config domain
Purpose: Displays all configured domains and their objects (access control lists [ACLs], class maps, interfaces, and so on).
Displaying Resource Class Configurations
You display resource-class configurations by using the show running-config resource-class command in Exec mode.
Command: show running-config resource-class
Purpose: Displays all configured resource classes and their resource allocation statements.
Displaying Role Configurations
You display role configurations by using the show running-config role command in Exec mode.
Command: show running-config role
Purpose: Displays all configured roles, their descriptions, and associated rules.
Displaying Context Information
You display information about a context by using the show context command in Exec mode.
Command: show context [name | Admin]
Purpose: Displays the context information including the context name, configured description, resource class, and interfaces.
The options are as follows and are available only in the Admin context:
• The name argument is the name of the context. If you do not specify the name argument, this command displays the information for all contexts including the Admin context.
• The Admin option displays the information for the Admin context only.
Table 2-3 describes the fields in the show context command output.
Table 2-3 Field Descriptions for the show context Command Output
Name: Lists identifiers of all configured contexts. If you specify the name argument, the ACE displays the name of the context that you specify only.
Config Count: The number of lines in the running-config for the context (excluding blank lines).
Description: Previously configured text description of the context.
Resource-class: Resource class of which the context is a member.
VLANs: VLANs allocated to a user context from the Admin context.
Displaying Resource Allocation
You view the allocation for each resource across all resource classes and class members by using the show resource allocation command in Exec mode.
Note The show resource allocation command displays the resource allocation but does not show the actual resources being used. See the "Displaying Resource Usage Statistics for Contexts" section for more information about actual resource usage.
Command: show resource allocation
Purpose: Displays the allocation for each resource across all resource classes and class members.
Table 2-4 describes the fields in the show resource allocation command output.
Table 2-4 Field Descriptions for the show resource allocation Command Output
Parameter: Name of the resource that you can limit. See the "Configuring Virtualization" section for information about each resource.
Min: Minimum percentage of the total system resources that is allocated for a parameter in the specified resource class. For the default resource class, the minimum value for each resource is 0.00 percent.
Note For the Bandwidth Min value, this field does not display the percentage configured with the limit resource all command. The ACE includes the management traffic rate in addition to the throughput rate to calculate the value that appears in this field.
Max: Maximum percentage of the total system resources that is allocated to a parameter in the specified resource class. For the default resource class, the Max value for each resource is equal to the total Max value of all contexts using the default resource class. For example, if you configure two user contexts and do not associate them with a resource class, the ACE automatically assigns the default resource class. If the Admin context also uses the default resource class, the Max value would equal 300% for each resource.
Class: Name of the resource class.
Displaying User Roles
You display the user roles by using the show role command.
Command: show role [name]
Purpose: Displays the configured user roles (predefined and user-configured roles).
For the optional name argument, enter the unique identifier of the role as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. This parameter displays only the named role that you specify. To display all roles, enter the command without a name.
Table 2-5 describes the fields in the show role command output.
Table 2-5 Field Descriptions for the show role Command Output
Role: Name of the role (for example, Admin).
Description: Text that describes the role (for example, Administrator).
Number of Rules: Number of rules associated with the role.
Rule: Sequence number of the rule.
Type: Type of rule. Possible values are Permit or Deny.
Permission: Permission level of the rule. The possible permission values, ranked from highest to lowest, are Create, Modify, Debug, and Monitor.
Feature: Software feature associated with the rule (for example, access-list).
Displaying Domains
You display information about the configured domains in the ACE by using the show domain command.
Command: show domain [name]
Purpose: Displays the information about the configured domains in the ACE.
For the optional name argument, enter the unique identifier of an existing domain as an unquoted text string with no spaces and a maximum of 76 alphanumeric characters.
Table 2-6 describes the fields in the show domain command output.
Table 2-6 Field Descriptions for the show domain Command Output
Name: Unique identifier of the domain.
Object Type: List of objects associated with the domain (for example, Class-map).
Object Name: Configured identifier of the object.
Displaying User Information
You display user and user account information by using the show users and show user-account commands.
Command: show users [name]
Purpose: Displays the information for users that are currently logged in to the ACE.
For the optional name argument, enter the unique identifier of a user as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command: show user-account [name]
Purpose: Displays user account information.
For the optional name argument, enter the unique identifier of a user as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Table 2-7 describes the fields in the show users command output.
Table 2-7 Field Descriptions for the show users name Command Output
User: Name of user.
Context: Name of the context associated with the user.
Line: Port through which the user connected to the ACE (for example, pts/1).
Login Time: Month, day, and time that the user logged in to the ACE (for example, Dec 7 20:11).
Location: Location of the user expressed as an IP address.
Role: Role assigned to the user (for example, Admin).
Domain(s): Domain associated with the user (for example, default-domain).
Table 2-8 describes the fields in the show user-account command output.
Table 2-8 Field Descriptions for the show user-account Command Output
User: Name of the user.
Account Expiry: Date, if any, when the user account expires. This date is based on Coordinated Universal Time (UTC/GMT), which the ACE keeps internally. If you use the clock timezone command to configure a UTC offset, this field displays the UTC date and does not reflect the date with the offset as displayed by the show clock command.
Roles: Role assigned to the user (for example, Admin).
Domain: Domain associated with the user (for example, default-domain).
Context: Name of the context associated with the user (for example, Admin).
Displaying Resource Usage Statistics for Contexts
You display the resource usage statistics for each context from the Admin context or the current user context by using the show resource usage command in Exec mode.
Command: show resource usage
Example:
host1/Admin# show resource usage
Purpose: Displays the resource usage statistics for each context from the Admin context or for the current user context.
Command: show resource usage counter {all | current | denied | peak} count_threshold
Example:
host1/Admin# show resource usage counter denied 1000
Purpose: Displays the resource usage statistics for the specified counter and threshold, as follows:
Note Entering any of the following keywords without the count_threshold argument displays all resource statistics.
• all—When used with the count_threshold argument, this option displays the resources that have peak counters that exceed the threshold.
• current—When used with the count_threshold argument, this option displays the resources that have current counters that exceed the threshold.
• denied—When used with the count_threshold argument, this option displays the resources that have denied counters that exceed the threshold.
• peak—When used with the count_threshold argument, this option displays the resources that have peak counters that exceed the threshold.
• count_threshold—Threshold that the specified counter must exceed for a resource to be displayed. If the usage of the resource is below the number, the resource is not shown. Enter an integer from 0 to 4294967295. The default is 1. The value of 0 displays all resources.
Command: show resource usage resource resource | rate rate [counter {all | current | denied | peak [count_threshold]}]
Example:
host1/Admin# show resource usage resource conc-connections
Purpose: Displays usage statistics for a specific resource or rate.
See Table 2-9 for the descriptions of the resource and rate arguments. See the show resource usage counter {all | current | denied | peak} count_threshold command for the descriptions of the counter keywords and argument.
Command: show resource usage context name [resource resources | rate rates] [counter [all | current | denied | peak [count_threshold]]]
Example:
host1/Admin# show resource usage context C1 resource conc-connections counter denied 0
Purpose: Displays the resource usage for a specific context from the Admin context. The name argument is the name of the context for the resources and counters that you want to display. If you do not enter any additional options, this command displays all resource usage statistics for the context.
See Table 2-9 for the descriptions of the resource and rate arguments. See the show resource usage counter {all | current | denied | peak} count_threshold command for the descriptions of the counter keywords and argument.
Command: show resource usage summary [resource {resources} | rate rates] [counter [all | current | denied | peak [count_threshold]]]
Example:
host1/Admin# show resource usage summary resource mgmt-connections counter all 1100
Purpose: Displays the total resource usage for all contexts from the Admin context.
See Table 2-9 for the descriptions of the resource and rate arguments. See the show resource usage counter {all | current | denied | peak} count_threshold command for the descriptions of the counter keywords and argument.
Command: show resource usage top number resource resources | rate rates [counter [all | current | denied | peak [count_threshold]]]
Example:
host1/Admin# show resource usage top 4 resource conc-connections counter denied 20
Purpose: Displays the specified number of contexts for a single resource, arranged from the highest to the lowest percentage of resources used.
For the number argument, enter a number from 1 to 256.
You must specify a resource type. You cannot use the all keyword with the resource keyword. See Table 2-9 for the descriptions of the resource and rate arguments.
See the show resource usage counter {all | current | denied | peak} count_threshold command for the descriptions of the counter keywords and argument.
Table 2-9 lists and describes the arguments for the resource and rate options of the show resource usage command (see the show resource usage resource resource | rate rate [counter {all | current | denied | peak [count_threshold]}] command).
Table 2-9 Resource and Rate Options for the show resource usage resource Command
resource resource: Displays statistics for a specified system resource. Enter one of the following keywords for the resource argument:
• acc-connections—Displays the number of application acceleration connections.
• acl-memory—Displays the ACL memory usage. If a context has fewer ACL memory resources than the configured Allocation Minimum, the ACE displays the Actual Minimum value that you can assign to the context.
• all—Displays the resource usage for all resources used by the specified context or contexts.
• conc-connections—Displays the resource usage for the number of simultaneous connections.
• mgmt-connections—Displays the resource usage for the number of management connections.
• probes—Displays the resource usage for the probes.
• proxy-connections—Displays the resource usage for the proxy connections.
• rate—See the rate rate command option in this table.
• regexp—Displays the resource usage for the regular expressions. If a context has fewer regexp resources than the configured Allocation Minimum, the ACE displays the Actual Minimum value that you can assign to the context.
• sticky—Displays the resource usage for the sticky entries. If a context has fewer sticky resources than the configured Allocation Minimum, the ACE displays the Actual Minimum value that you can assign to the context.
• syslogbuffer—Displays the resource usage for the syslog buffer. The ACE assigns syslog buffers in increments of 1024. If the resource-class Allocation Minimum value was satisfied, the Current field of the show resource usage syslogbuffer command would display the highest multiple of 1024 that is less than the Allocation Min value.
• xlates—Displays the resource usage by Network Address Translation (NAT) and Port Address Translation (PAT) entries.
rate rate: Displays the rate per second for the specified connections or syslog messages. Enter one of the following keywords for the rate argument:
• bandwidth—Displays the bandwidth in bytes per second. To convert to bits per second, multiply the displayed value by 8.
• connections—Displays connections per second.
• http-comp—Displays the HTTP compression rate in bytes per second. To convert to bits per second, multiply the displayed value by 8.
• inspect-conn—Displays RTSP/FTP inspection connections per second.
• mac-miss—Displays MAC miss traffic that was punted to the CP, in packets per second.
• mgmt-traffic—Displays management traffic in bytes per second. To convert to bits per second, multiply the displayed value by 8.
• ssl-connections—Displays Secure Sockets Layer (SSL) connections.
• syslog—Displays the system message rate in messages per second.
Note The syslog message statistics do not include the syslogs generated from the dataplane when you enable logging of connection setup and teardown syslog messages through the logging fastpath command.
Table 2-10 describes the fields in the show resource usage command output.
Table 2-10 Field Descriptions for the show resource usage Command Output

| Field | Description |
|---|---|
| Resource | The name of the limited resource in each context. See the "Configuring Virtualization" section for more information about each resource name. |
| Current | Active concurrent instances or the current rate of the resource. |
| Peak | Highest value of resource usage. |
| Allocation (Min/Max) | The allocation minimum value indicates the resource units that are guaranteed to be available to each context. The allocation maximum value equals the minimum value plus the resource units that are available to each context from the oversubscription pool, which is shared among all contexts. When you configure the maximum value as equal-to-minimum, the maximum value is automatically equal to the minimum value. |
| Denied | Number of resources denied because of oversubscription or resource depletion. |
| Actual Min | Minimum ACL, regexp, sticky, or syslog buffer resources that you can allocate to the context if the resource-class minimum cannot be met. |
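As an added example that is not part of this guide and not Cisco code, the following Python script parses constructed show resource usage output laid out with the Table 2-10 fields and reproduces the ranking that the show resource usage top number resource resource counter denied [count_threshold] form describes, together with the bytes-to-bits conversion noted for the bandwidth rate in Table 2-9. The column layout, the use of Current divided by Allocation Max as the percentage used, and the reading of count_threshold as a minimum Denied count are assumptions.

```python
"""Rank contexts from constructed 'show resource usage' output (added example,
not Cisco ACE code). Mirrors 'show resource usage top N resource R counter
denied [count_threshold]': highest to lowest percentage used, keeping only
contexts whose Denied count reaches the threshold. Assumed, not from the page:
the column layout, percentage = Current / Max, unlimited Max ranked as 0 %."""
import re
# Constructed sample using the Table 2-10 fields (Current, Peak, Min, Max, Denied).
SAMPLE_OUTPUT = """\
Context: Admin
  conc-connections        1200       4000          0    1000000          0
  bandwidth          125000000  200000000          0  250000000          0
Context: C1
  conc-connections       45000      50000      40000      50000        310
  bandwidth           62500000   90000000   50000000  100000000         20
Context: C2
  conc-connections        8000       9000       5000      10000         25
  bandwidth           15000000   20000000   10000000   20000000          0
"""

ROW = re.compile(r"^\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+|unlimited)\s+(\d+)$")

def parse_usage(text):
    """Return {context: {resource: {current, peak, min, max, denied}}}."""
    usage, ctx = {}, None
    for line in text.splitlines():
        if line.startswith("Context:"):
            ctx = line.split(":", 1)[1].strip()
            usage[ctx] = {}
        elif ctx is not None and (m := ROW.match(line)):
            name, cur, peak, mn, mx, denied = m.groups()
            usage[ctx][name] = {"current": int(cur), "peak": int(peak),
                                "min": int(mn), "denied": int(denied),
                                "max": None if mx == "unlimited" else int(mx)}
    return usage

def percent_used(entry):  # Current as a share of Allocation Max; unlimited -> 0
    return 0.0 if not entry["max"] else 100.0 * entry["current"] / entry["max"]

def top_contexts(usage, resource, number, denied_threshold=None):
    """Contexts ranked by % of `resource` used, highest first, at most `number`."""
    rows = [(c, r[resource]) for c, r in usage.items() if resource in r]
    if denied_threshold is not None:
        rows = [(c, e) for c, e in rows if e["denied"] >= denied_threshold]
    rows.sort(key=lambda ce: percent_used(ce[1]), reverse=True)
    return [(c, round(percent_used(e), 1), e["denied"]) for c, e in rows[:number]]

def bandwidth_bps(usage, ctx):
    """Table 2-9: bandwidth is reported in bytes/s; multiply by 8 for bits/s."""
    return usage[ctx]["bandwidth"]["current"] * 8
```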
Clearing Resource Usage Statistics
You clear resource usage statistics by using the following commands.
| Command | Purpose |
|---|---|
| clear stats resource-usage | Resets the resource usage statistics in the Peak and Denied fields to zero for each context from the Admin context. |
| | Clears all statistical information in a context along with the resource usage counters. |
Configuration Examples for Virtualization
The following running-configuration example shows a basic virtualization configuration with one user-defined context, one resource class, one domain, and one user.
limit-resource rate syslog minimum 10.00 maximum equal-to-min
limit-resource acl-memory minimum 10.00 maximum unlimited
access-list ACL1 line 10 extended permit ip any any
add-object access-list extended ACL1
add-object serverfarm SF1
allocate-interface vlan 100-200
description accounting department
username JANE password 5 adropgijaeprgja9erjg2uWgtce1 role SLB-Admin domain D1