Table Of Contents
Configuring the ACE and Performing Basic VIP Load Balancing
Configuring VLANs for the ACE Using Cisco IOS Software
Sessioning and Logging in to the ACE
Assigning an IP Address to the ACE
Configuring Remote Access to the ACE
Accessing the ACE through a Telnet Session
Configuring Basic VIP Load Balancing on the ACE
Configuring the VIP Traffic Policy
Verifying the VIP Load-Balancing Configuration
Configuring the ACE and Performing Basic VIP Load Balancing
This chapter provides procedures to configure the ACE to allow traffic and perform basic VIP load balancing. It also includes document references for more detailed configuration information.
Before performing the procedures in this chapter, you should install the ACE in the Catalyst 6500 series switch. For information on how to install the ACE, see the Cisco Application Control Engine Module Installation Note.
This chapter contains the following major sections:
•
Initially Configuring the ACE
•
Initially Configuring the ACE
The initial configuration of the ACE allows you to do the following tasks:
•
•
•
This section describes how to accomplish these tasks:
•
•
•
•
•
Configuring VLANs for the ACE Using Cisco IOS Software
Before the ACE can receive traffic from the supervisor engine in the Catalyst 6500 series switch, you must create VLAN groups on the supervisor engine, and then assign the groups to the ACE. After you configure the VLAN groups on the supervisor engine for the ACE, you can configure the VLAN interfaces on the ACE.
In Cisco IOS software, you can create one or more VLAN groups, and then assign the groups to the ACE. For example, you can assign all the VLANs to one group, or you can create a group for each customer.
You cannot assign the same VLAN to multiple groups; however, you can assign multiple groups to an ACE. VLANs that you want to assign to multiple ACEs, for example, can reside in a separate group from VLANs that are unique to each ACE.
Note
To configure the VLANs for the ACE using the Cisco IOS software, perform the following steps:
1.
linux$ telnet 172.19.110.5User Access VerificationPassword: ciscoRouter#2.
Router# configRouter(config)# svclc vlan-group 50 55-57Router(config)# svclc vlan-group 51 70-85Router(config)# svclc vlan-group 52 1003.
Router(config)# svc module 5 vlan-group 50,52Router(config)# svc module 8 vlan-group 51,524.
Router(config)# exitRouter# show svclc vlan-group5.
Router# show svc moduleSessioning and Logging in to the ACE
To initially session and log in to the ACE, perform the following steps:
1.
Router# session slot 5 processor 02.
switch login: adminPassword: adminYou are ready to use the ACE CLI when the following prompt appears:
switch/Admin#To change the default login username and password, see the Cisco Application Control Engine Module Administration Guide.
3.
switch/Admin# terminal session-timeout 04.
a.
switch/Admin# configureEnter configuration commands, one per line. End with CNTL/Zswitch/Admin(config)#b.
switch/Admin(config)# login timeout 0Assigning a Name to the ACE
The hostname is used for the command-line prompts and default configuration filenames. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. By default, the hostname for the ACE is switch.
Change the hostname for the ACE by using the host command. Enter a case-sensitive name that contains from 1 to 32 alphanumeric characters. For example, to change the hostname of the ACE from switch to host1, enter:
switch/Admin(config)# hostname host1The prompt appears with the new host name:
host1/Admin(config)#Assigning an IP Address to the ACE
After you assign the VLANs to the ACE, you can assign an IP address to the ACE for client connectivity over the network.
Note
Use the show vlans command in Exec mode for the Admin context to display the ACE VLANs downloaded from the supervisor engine. Because show commands are available in Exec mode, you can use these commands from any configuration mode by including the do command. For example, enter:
host1/Admin(config)# do show vlansVlans configured on SUP for this modulevlan55-57 vlan100To configure a VLAN interface on the ACE and access interface mode to configure the interface attributes, perform the following steps:
1.
host1/Admin(config)# interface vlan 55host1/Admin(config-if)#2.
host1/Admin(config-if)# ip address 172.19.110.8 255.255.255.1923.
host1/Admin(config-if)# description Client side connectivity4.
host1/admin(config-if)# no shutdown5.
host1/admin(config-if)# do show interface vlan 556.
host1/admin(config-if)# do ping 172.19.110.17.
host1/admin(config-if)# do show arp8.
host1/admin(config-if)# exithost1/admin(config)#Configuring a Default Route
The default route identifies the IP address where the ACE sends all IP packets for which it does not have a route. To set a default route, use the ip route dest_ip_prefix netmask gateway_ip_address command.
For example, to set the IP address and subnet mask for the default route (0.0.0.0/0) and the default gateway to 172.19.110.1, an address on the same network as VLAN 55, enter:
host1/Admin(config)# ip route 0.0.0.0 0.0.0.0 172.19.110.1To display the ACE routing table, use the show ip route command. For example, enter:
host1/Admin(config)# do show ip routeConfiguring Remote Access to the ACE
Before remote network access can occur on the ACE, you must create a configuration that includes the following features:
•
•
•
To configure remote network management, perform the following steps:
1.
host1/Admin(config)# class-map type management match-any REMOTE_ACCESShost1/Admin(config-cmap-mgmt)#2.
host1/Admin(config-cmap-mgmt)# description Remote access traffic match3.
host1/Admin(config-cmap-mgmt)# match protocol telnet anyhost1/Admin(config-cmap-mgmt)# match protocol ssh anyhost1/Admin(config-cmap-mgmt)# match protocol icmp any4.
host1/Admin(config-cmap-mgmt)# exithost1/Admin(config)#5.
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICYhost1/Admin(config-pmap-mgmt)#6.
host1/Admin(config-pmap-mgmt)# class REMOTE_ACCESShost1/Admin(config-pmap-mgmt-c)#7.
host1/Admin(config-pmap-mgmt-c)# permit8.
host1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# exithost1/Admin(config)#9.
host1/Admin(config)# interface vlan 55host1/Admin(config-if)#10.
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY11.
host1/Admin(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY12.
host1/Admin(config-if)# do copy running-config startup-config13.
host1/Admin# show running-configGenerating configuration....login timeout 0hostname host1class-map type management match-any REMOTE_ACCESS10 match protocol telnet any20 match protocol ssh any30 match protocol icmp anypolicy-map type management first-match REMOTE_MGMT_ALLOW_POLICYclass REMOTE_ACCESSpermitinterface vlan 55ip address 172.19.110.8 255.255.255.192description Client side connectivityservice-policy input REMOTE_MGMT_ALLOW_POLICYno shutdownip route 0.0.0.0 0.0.0.0 172.19.110.1Accessing the ACE through a Telnet Session
After you have completed the previous configurations, you should be able to use Telnet to access the ACE using its IP address. To use Telnet to access the ACE, perform the following steps:
1.
linux$ telnet 172.19.110.5User Access VerificationPassword: ciscoRouter#2.
Router# telnet 172.19.110.8Trying 172.19.110.8 ... Open3.
host1 login: adminPassword:Cisco Application Control Software (ACSW)TAC support: http://www.cisco.com/tacCopyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.The copyrights to certain works contained herein are owned byother third parties and are used and distributed under license.Some parts of this software are covered under the GNU PublicLicense. A copy of the license is available athttp://www.gnu.org/licenses/gpl.html.host1/Admin#4.
host1/Admin# show telnetConfiguring Basic VIP Load Balancing on the ACE
A basic load-balancing configuration allows the ACE to perform the following tasks:
•
•
Class maps classify client traffic destined to a VIP address. The ACE load balances traffic to a server farm and selects one of the real servers to respond to the client request.
This section provides the following topics to accomplish these tasks:
•
Configuring Real Servers
Real servers are dedicated physical servers that you typically configure in groups called server farms. These servers provide services to clients, for example, HTTP or XML content. You identify real servers with names and characterize them with IP addresses, connection limits, and weight values.
To configure real servers on the ACE, perform the following steps:
1.
host/Admin# config Enter configuration commands, one per line. End with CNTL/Zhost1/Admin(config)#2.
host1/Admin(config)# rserver SERVER1host1/Admin(config-rserver-host)#3.
host1/Admin(config-rserver-host)# description web-one content server4.
host1/Admin(config-rserver-host)# ip address 192.168.4.115.
host1/Admin(config-rserver-host)# inservice6.
host1/Admin(config-rserver-host)# exithost1/Admin(config)#7.
host1/Admin(config)# rserver SERVER2host1/Admin(config-rserver-host)# description web-two content serverhost1/Admin(config-rserver-host)# ip address 192.168.4.12host1/Admin(config-rserver-host)# inservice8.
host1/Admin(config-rserver-host)# exithost1/Admin(config)#9.
host1/Admin(config)# do show running-config rserverConfiguring a Server Farm
After you create and configure the real servers, add them to a server farm. To create a server farm, perform the following steps:
1.
host1/Admin(config)# serverfarm SFARM1host1/Admin(config-sfarm-host)#2.
host1/Admin(config-sfarm-host)# rserver SERVER1host1/Admin(config-sfarm-host-rs)#3.
host1/Admin(config-sfarm-host-rs)# inservice4.
host1/Admin(config-sfarm-host-rs)# exithost1/Admin(config-sfarm-host)#5.
host1/Admin(config-sfarm-host)# rserver SERVER2host1/Admin(config-sfarm-host-rs)#6.
host1/Admin(config-sfarm-host-rs)# inservice7.
host1/Admin(config-sfarm-host-rs)# exithost1/Admin(config-sfarm-host)# exithost1/Admin(config)#8.
host1/Admin(config)# do show rserver SERVER19.
host1/Admin(config)# interface vlan 57host1/Admin(config-if)#10.
host1/Admin(config-if)# ip address 192.168.4.1 255.255.255.011.
host1/Admin(config-if)# description Server-side Interface12.
host1/admin(config-if)# no shutdown13.
host1/Admin(config-if)# do copy running-config startup-config14.
host1/Admin(config-if)# exithost1/Admin(config)#15.
host1/Admin(config)# do show arpConfiguring the VIP Traffic Policy
The ACE classifies incoming traffic with class maps that are associated with policy maps to perform an action based on the class map match. The simplest match is server load balancing based on a client's attempt to reach a virtual IP address and port. This type of match is a Layer 3 and Layer 4 traffic policy. It matches only the destination IP address and port and then makes the server load-balancing decision.
To create a VIP traffic policy, perform the following steps:
1.
host1/Admin(config)# policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICYhost1/Admin(config-pmap-lb)#2.
host1/Admin(config-pmap-lb)# class class-defaulthost1/Admin(config-pmap-lb-c)#3.
host1/Admin(config-pmap-lb-c)# serverfarm SFARM14.
host1/Admin(config-pmap-lb-c)# exithost1/Admin(config-pmap-lb)# exithost1/Admin(config)#5.
host1/Admin(config)# class-map L4_VIP_ADDRESS_CLASShost1/Admin(config-cmap)#6.
host1/Admin(config-cmap)# match virtual-address 172.19.110.9 any7.
host1/Admin(config-cmap)# exithost1/Admin(config)#8.
host1/Admin(config)# policy-map multi-match L4_LB_VIP_POLICYhost1/Admin(config-pmap)#9.
host1/Admin(config-pmap)# class L4_VIP_ADDRESS_CLASShost1/Admin(config-pmap-c)#10.
host1/Admin(config-pmap-c)# loadbalance policy L7_VIP_LB_ORDER_POLICY11.
host1/Admin(config-pmap-c)# loadbalance vip inservice12.
host1/Admin(config-pmap-c)# exithost1/Admin(config-pmap)# exithost1/Admin(config)# exit13.
host1/Admin(config)# interface vlan 55host1/Admin(config-if)#14.
host1/Admin(config-if)# service-policy input L4_LB_VIP_POLICY15.
host1/Admin(config-if)# exithost1/Admin(config)#16.
host1/Admin(config)# do copy running-config startup-config17.
host1/Admin(config)# do show service-policy L4_LB_VIP_POLICYConfiguring an ACL
An access control list (ACL) provides an extra layer of security on the services that the ACE provides. For traffic destined to a class map that is applied to a multi-match policy map, you must configure an ACL and apply it to an interface. Otherwise, the ACE denies all traffic on the interface.
To configure an ACL, perform the following steps:
1.
host1/Admin(config)# access-list ALL extended permit any2.
host1/Admin(config)# interface vlan 55host1/Admin(config-if)#3.
host1/Admin(config-if)# access-group input ALL4.
host1/Admin(config-if)# endhost1/Admin#5.
host1/Admin# show access-list ALL6.
host1/Admin# copy running-config startup-config7.
host1/Admin# show running-configGenerating configuration....login timeout 0hostname host1access-list ALL line 10 extended permit any ip any anyrserver SERVER1description web-one content serverip address 192.168.4.11inservicerserver SERVER2description web-two content serverip address 192.168.4.12inserviceserverfarm SFARM1rserver SERVER1inservicerserver SERVER2inserviceclass-map type management match-any REMOTE_ACCESS10 match protocol telnet any20 match protocol ssh any30 match protocol icmp anyclass-map match-all L4_VIP_ADDRESS_CLASS10 match virtual-address 172.19.110.9 anypolicy-map type management first-match REMOTE_MGMT_ALLOW_POLICYclass REMOTE_ACCESSpermitpolicy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICYclass CLASS-DEFAULTserverfarm SFARM1policy-map multi-match L4_LB_VIP_POLICYclass L4_VIP_ADDRESS_CLASSloadbalance vip inserviceloadbalance policy L7_VIP_LB_ORDER_POLICYinterface vlan 55ip address 172.19.110.8 255.255.255.192description Client side connectivityaccess-group input ALLservice-policy input REMOTE_MGMT_ALLOW_POLICYservice-policy input L4_LB_VIP_POLICYno shutdowninterface vlan 57ip address 192.168.4.1 255.255.255.0description Server-side Interfaceno shutdownip route 0.0.0.0 0.0.0.0 172.19.110.1Verifying the VIP Load-Balancing Configuration
To verify the load-balancing configuration, use the show service-policy command to display the incrementing of the counters as connections are handled. For example, to display the counters for the L4_LB_VIP_POLICY policy map, enter:
host1/Admin# show service-policy L4_LB_VIP_POLICYInterface: vlan 55service-policy: L4_LB_VIP_POLICYclass: L4_VIP_ADDRESS_CLASSloadbalance:L7 policy: L7_VIP_LB_ORDER_POLICY, VIP state: INSERVICEcurr conns : 0 , hit count : 20dropped conns : 0client pkt count : 100 , client byte count: 13000server pkt count : 127 , server byte count: 92381You can also verify access to the real servers by using a Telnet session to connect to the VIP address. If you are able to receive the login and password prompt from the ACE, access to the real servers is available through the VIP address. For example, enter:
linux$ telnet 172.19.110.9Trying 172.19.110.9... Openhost1 login: adminPassword:Where to Go Next
After you have configured the ACE to allow traffic and remote access, and configured it for basic load balancing, you can configure more advanced features on the ACE.
Table 2-1 lists additional advanced ACE features, including document references where you can obtain configuration information. For information on the ACE command-line interface and commands for each mode, see the Cisco Application Control Engine Module Command Reference.
