Application Control Engine Module SSL Configuration Guide (Software Version A1(2))
Configuring SSL Initiation

Table Of Contents

Configuring SSL Initiation

Overview of SSL Initiation

ACE SSL Initiation Configuration Prerequisites

SSL Initiation Configuration Quick Start

Creating and Defining an SSL Parameter Map

Adding a Cipher Suite

Defining the Close-Protocol Behavior

Defining the SSL and TLS Version

Creating and Defining an SSL Proxy Service

Associating an SSL Parameter Map with the SSL Proxy Client Service

Creating a Layer 7 Class Map for SSL Initiation

Creating a Layer 7 Policy Map for SSL Initiation

Creating a Layer 7 Policy Map

Associating a Layer 7 Class Map with the Layer 7 Policy Map

Specifying Layer 7 SLB Policy Actions

Creating a Layer 3 and Layer 4 Class Map for SSL Initiation

Creating a Layer 3 and Layer 4 Policy Map for SSL Initiation

Creating a Layer 3 and Layer 4 Policy Map

Associating the Layer 3 and Layer 4 Class Map with the Policy Map

Associating a Layer 7 Policy Map with the Class Map

Applying the Policy Map to the VLANs

Applying the Policy Map Globally

Applying the Policy Map to a Specific VLAN

Example of an SSL Initiation Configuration


Configuring SSL Initiation


This chapter describes the steps required to configure a context on the Cisco Application Control Engine (ACE) module as an SSL client for SSL initiation.

This chapter contains the following major sections:

Overview of SSL Initiation

ACE SSL Initiation Configuration Prerequisites

SSL Initiation Configuration Quick Start

Creating and Defining an SSL Parameter Map

Creating and Defining an SSL Proxy Service

Creating a Layer 7 Class Map for SSL Initiation

Creating a Layer 7 Policy Map for SSL Initiation

Creating a Layer 3 and Layer 4 Class Map for SSL Initiation

Creating a Layer 3 and Layer 4 Policy Map for SSL Initiation

Applying the Policy Map to the VLANs

Overview of SSL Initiation

SSL initiation occurs when an ACE, acting as an SSL proxy client, initiates and maintains an SSL connection between itself and an SSL server. In this particular application, the ACE receives clear text from an HTTP client, encrypts and transmits the data as ciphertext to the SSL server. On the reverse side, the ACE decrypts the ciphertext it receives from the SSL server and sends the data to the client as clear text.

Figure 4-1 illustrates the following network connections in which the ACE initiates the SSL connection with the SSL server:

Client to ACE—HTTP connection between the ACE and the client

ACE to Server—SSL connection between a server and the ACE acting as an SSL proxy client

Figure 4-1 SSL Initiation with an SSL Server

SSL initiation allows you to send clear text between devices within a site for maximum speed, while sending ciphertext through the Internet between sites or to an SSL server for maximum security. For each SSL server or ACE (acting as an SSL proxy server) to which you want to establish an SSL connection from a clear text connection, you must configure an SSL initiation policy service on the ACE that maps to that SSL server or other ACE.

Figure 4-2 illustrates an SSL initiation flow with another ACE configured for SSL termination. In this case, ACE B acts as a virtual front-end SSL server.

Figure 4-2 SSL Initiation with a Second ACE Running SSL Termination

The ACE uses a combination of parameter maps, SSL proxy services, and class maps to build the policy maps that determine the flow of information among the client, the ACE, and the SSL server. For SSL initiation, you configure the ACE so that it is recognized as an SSL client by an SSL server. To accomplish this, you configure the following policy map types:

Layer 7 policy map—This policy map contains an association with a Layer 7 class map and an SSL proxy client service. The class map acts as a traffic filter and looks for traffic that matches the server load-balancing (SLB) criteria that you specify. For SSL initiation, the match criteria is in the form of HTTP load-balancing attributes, such as an HTTP cookie or URL. The SSL proxy client service defines the SSL parameters the ACE uses during the handshake and subsequent SSL session.

Layer 3 and Layer 4 policy map—You associate the Layer 7 policy map with a Layer 3 and Layer 4 policy map. The ACE applies the Layer 3 and Layer 4 policy map to the context traffic first to determine if the traffic contains specific Layer 3 and Layer 4 match criteria, such as a particular destination, source, or virtual IP address. You specify the match criteria in the Layer 3 and Layer 4 class map you create and associate with this policy map. When a match is found, the ACE applies the associated Layer 7 policy map to the traffic.

The flow chart shown in Figure 4-3 provides a basic overview of the process required to build and apply the two types of policy maps the ACE uses for SSL initiation. The flow chart also illustrates how you associate the various components of the policy map configurations with each other.

Figure 4-3 Basic SSL Initiation Configuration Flow Diagram

ACE SSL Initiation Configuration Prerequisites

Before configuring your ACE for SSL operation, you must first configure it for server load balancing (SLB). During the SLB configuration process, you create the following configuration objects:

Layer 7 class map

Layer 3 and Layer 4 class map

Layer 7 policy map

Layer 3 and Layer 4 policy map

After configuring SLB, modify the existing SLB class maps and policy maps with the SSL configuration requirements described in this guide for SSL initiation.

To configure your ACE for SLB, refer to the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

SSL Initiation Configuration Quick Start

Table 4-1 provides a quick overview of the steps required to configure the ACE for SSL initiation. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 4-1.


Note The following quick start does not include creating a parameter map as shown in Figure 4-3. By not creating a parameter map, the ACE uses the default parameter map settings as described in Table 4-2.


Table 4-1 SSL Initiation Configuration Quick Start 

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify you are operating in the desired context. If necessary, log directly in to, or change to, the correct context.

host1/Admin# changeto C1
host1/C1#

The rest of the examples in this table use the Admin context for illustration purposes. For details on creating contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.

2. Enter configuration mode.

host1/Admin# config
host1/Admin(config)#

3. Create an SSL proxy client service to associate with the Layer 7 policy map. For the purposes of this Quick Start, you do not define any parameters of the proxy client service; associating this generic proxy client service with the policy map is all that is required to configure the ACE to perform as an SSL client.

host1/Admin(config)# ssl-proxy service SSL_PSERVICE_CLIENT
host1/Admin(config-ssl-proxy)# exit

4. Create a Layer 7 class map and configure it with the required load-balancing match criteria.

host1/Admin(config)# class-map type http loadbalance L7SLBCLASS
host1/Admin(config-cmap-http-lb)# match http url XYZ.ORG
host1/Admin(config-cmap-http-lb)# exit
host1/Admin(config)#

5. Create a Layer 3 and Layer 4 class map and configure it with the required input traffic match criteria.

host1/Admin(config)# class-map match-any L4VIPCLASS
host1/Admin(config-cmap)# match virtual-address 192.168.12.2 255.255.255.0
host1/Admin(config-cmap)# exit
host1/Admin(config)#

6. Create a Layer 7 policy map and associate the Layer 7 class map created in Step 4 with it.

host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)#

7. Associate the SSL proxy client service created in Step 3 with the Layer 7 policy map.

host1/Admin(config-pmap-lb-c)# ssl-proxy client SSL_PSERVICE_CLIENT
host1/Admin(config-pmap-lb-c)# exit
host1/Admin(config-pmap-lb)# exit
host1/Admin(config)#

8. Create a Layer 3 and Layer 4 policy map and associate the Layer 3 and Layer 4 class map created in Step 5 with it.

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class L4VIPCLASS
host1/Admin(config-pmap-c)#

9. Associate the load balancing Layer 7 policy map created in Step 6 with the Layer 3 and Layer 4 policy map.

host1/Admin(config-pmap-c)# loadbalance policy L7SLBPOLICY
host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
host1/Admin(config)#

10. Apply the Layer 3 and Layer 4 policy map to the input traffic of the desired interface.

Globally, to all VLANs in the context:

host1/Admin(config)# service-policy input L4SLBPOLICY

To a specific VLAN within the context:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# service-policy input L4SLBPOLICY

11. (Recommended) Display the running configuration to verify that the information you just added is configured properly.

host1/Admin(config-if)# do show running-config

12. (Optional) To save the configuration changes to flash memory, copy the running configuration to the startup configuration.

host1/Admin(config-if)# do copy running-config startup-config


Creating and Defining an SSL Parameter Map

An SSL parameter map defines the SSL session parameters that the ACE applies to an SSL proxy service. Creating an SSL parameter map allows you to apply the same SSL session parameters to different proxy services. Table 4-2 describes each of the SSL session parameters along with their default values.

Table 4-2 Default SSL Parameter Map Settings

SSL Session Parameter
Description
Default Value

Cipher suites

Defines the cipher suites the ACE supports during the SSL handshake (see Table 4-3 for a list of available cipher suites the ACE supports)

The ACE supports all of the available cipher suites

Close-protocol

Defines how the ACE executes close-notify messages

strict—The ACE sends a close-notify alert message to its peer when closing a session and expects to receive one back

Version

Defines the SSL and TLS versions the ACE supports during the SSL handshake

all—The ACE supports versions SSL3 and TLS1



Note If an SSL proxy service is to use the default SSL parameter map values, then you do not need to create an SSL parameter map or associate one with the proxy service. When you do not associate a parameter map with the SSL proxy service, the ACE automatically applies the default SSL parameter map values listed in Table 4-2 to the proxy service.


To create an SSL parameter map, use the parameter-map type ssl command in configuration mode.

The syntax of this command is:

parameter-map type ssl parammap_name

The parammap_name argument is the name of the SSL parameter map. Enter an unquoted alphanumeric string with a maximum of 64 characters.

For example, to create the SSL parameter map PARAMMAP_SSL, enter:

host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL

Once you create an SSL parameter map, the CLI enters SSL parameter map configuration mode.

host1/Admin(config-parammap-ssl)#

If you exit out of the SSL parameter map configuration mode without defining any of the SSL parameter map attributes, the ACE configures the parameter map with the default values listed in Table 4-2.

To delete an existing SSL parameter map, enter:

host1/Admin(config)# no parameter-map type ssl PARAMMAP_SSL

This section contains the following procedures for defining the SSL parameter map attributes:

Adding a Cipher Suite

Defining the Close-Protocol Behavior

Defining the SSL and TLS Version

Adding a Cipher Suite

The SSL protocol supports a variety of different cryptographic algorithms, or ciphers, for use in operations such as:

authenticating the server and client to each other

transmitting certificates

establishing session keys

Clients and servers may support different cipher suites, or sets of ciphers, depending on various factors, such as the version of SSL they support, company policies regarding acceptable encryption strength, and government restrictions on export of SSL-enabled software. Among its other functions, the SSL handshake protocol determines how the server and client negotiate which cipher suite they will use to authenticate each other, transmit certificates, and to establish session keys.

As shown in Figure 4-4, a cipher suite consists of the following three algorithms: key exchange algorithm, data encryption algorithm, and message authentication (hash) algorithm.

Figure 4-4 Cipher Suite Algorithms


Note Exportable cipher suites are those cipher suites that are not as strong as some of the other cipher suites (for example, 3DES or RC4 with 128-bit encryption) as defined by U.S. export restrictions on software products. Exportable cipher suites may be exported to most countries from the United States and provide the strongest encryption available for exportable products.


To define each of the cipher suites you want the ACE to support during a secure session, use the cipher command in SSL parameter map configuration mode. The cipher suite that you choose depends on your environment and security requirements and must correlate to the certificates and keys that you have loaded on the ACE. Note that the export-grade suites, RC4, single DES, and the MD5-based suites in Table 4-3 are weak by current standards; rather than relying on the default of all suites, configure only the suites you intend to offer the server (for example, the AES suites) and give them explicit priorities.


Note By default, the ACE supports all of the cipher suites listed in Table 4-3. The default setting works only when you do not configure the SSL parameter map with any specific ciphers. To return to using the all cipher suites setting, you must delete each of the specifically-defined ciphers from the parameter map using the no form of the command.


The syntax of this command is:

cipher cipher_name [priority cipher_priority]

The keywords and arguments are:

cipher_name—Name of the cipher suite you want the ACE to support. Table 4-3 lists the cipher suites the ACE supports. Enter one of the supported cipher suites from the table.

priority—Assigns a priority level to the cipher suite. The priority level represents the preference ranking of the cipher suite, with 10 being the most preferred and 1 being the least preferred. By default, all configured cipher suites have a priority level of 1. When negotiating which cipher suite to use, the ACE selects from the client list based on the cipher suite configured with the highest priority level. A higher priority level will bias towards the specified cipher suite. For SSL termination applications, the ACE uses the priority level to match cipher suites in the client's ClientHello handshake message. For SSL initiation applications, the priority level represents the order in which the ACE places the cipher suites in its ClientHello handshake message to the server.

cipher_priority—Priority level of the cipher suite. Enter a value of 1 to 10. The default priority value is 1.

For example, to add the cipher suite rsa_with_aes_128_cbc_sha and assign it a priority level of 2, enter:

host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# cipher rsa_with_aes_128_cbc_sha priority 2

Repeat the cipher command for each cipher suite you want to include in the SSL parameter map.

To delete a cipher suite from the SSL parameter map, enter:

host1/Admin(config-parammap-ssl)# no cipher rsa_with_aes_128_cbc_sha

Table 4-3 lists the available cipher suites that the ACE supports and indicates which of the supported cipher suites are exportable from the ACE. The table also lists the authentication certificate and encryption key required by each cipher suite.

If you use the default setting in which the ACE supports all of the ciphers suites listed in Table 4-3, the ACE sends the cipher suites to its peer in the same order as they appear in the table, starting with RSA_WITH_RC4_128_MD5.


Caution Cipher suites with "export" in the title indicate that they are intended for use outside of the domestic United States and have encryption algorithms with limited key sizes.

Table 4-3 SSL Cipher Suites Supported by the ACE 

Cipher Suite
Exportable
Authentication Certificate Used
Key Exchange Algorithm
Used

RSA_WITH_RC4_128_MD5

No

RSA certificate

RSA key exchange

RSA_WITH_RC4_128_SHA

No

RSA certificate

RSA key exchange

RSA_WITH_DES_CBC_SHA

No

RSA certificate

RSA key exchange

RSA_WITH_3DES_EDE_CBC_SHA

No

RSA certificate

RSA key exchange

RSA_EXPORT_WITH_RC4_40_MD5

Yes

RSA certificate

RSA key exchange

RSA_EXPORT_WITH_DES40_CBC_SHA

Yes

RSA certificate

RSA key exchange

RSA_EXPORT1024_WITH_RC4_56_MD5

Yes

RSA certificate

RSA key exchange

RSA_EXPORT1024_WITH_DES_CBC_SHA

Yes

RSA certificate

RSA key exchange

RSA_EXPORT1024_WITH_RC4_56_SHA

Yes

RSA certificate

RSA key exchange

RSA_WITH_AES_128_CBC_SHA

No

RSA certificate

RSA key exchange

RSA_WITH_AES_256_CBC_SHA

No

RSA certificate

RSA key exchange


Defining the Close-Protocol Behavior

To configure how the ACE handles the sending of close-notify messages, use the close-protocol command in the ssl parameter-map configuration mode.

The syntax for this command is:

close-protocol {disabled | none | strict}

The keywords are:

disabled—The ACE does not send a close-notify alert message to the client/server when closing a session. In this case, the ACE SSL proxy sends only a TCP FIN to terminate the SSL connection.

none—The ACE sends a close-notify alert message to the client/server when closing a session, but has no expectation of receiving one back from the client/server.

strict—The ACE sends a close-notify alert message to the client/server when closing a session and expects to receive one back from the client/server. This option adheres to the RFC definitions of how the SSL/TLS protocols work. This is the default setting.

For example, to set close-protocol to none, enter:

host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# close-protocol none

To configure the close-protocol command with the default setting of strict, use the no form of the command.

host1/Admin(config-parammap-ssl)# no close-protocol none

Defining the SSL and TLS Version

To specify which version of security protocol the ACE supports during the SSL handshake with its peer, use the version command in SSL parameter map configuration mode.

The syntax of this command is:

version {all | ssl3 | tls1}

The keywords are:

all—(Default) The ACE supports both SSL version 3.0 and TLS version 1.0

ssl3—The ACE supports only SSL version 3.0

tls1—The ACE supports only TLS version 1.0

For example, to specify SSL version 3.0 for the parameter map, enter:

host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# version ssl3

To remove a configured version setting and return the SSL parameter map to the default of all, use the no form of the command. For example, enter:

host1/Admin(config-parammap-ssl)# no version tls1

Creating and Defining an SSL Proxy Service

The SSL proxy service defines the SSL parameter map the ACE uses during the SSL handshake. For SSL initiation, you configure the ACE with an SSL proxy client service as the ACE acts as an SSL client.

To create an SSL proxy client service, use the ssl-proxy service command in configuration mode.

The syntax of this command is:

ssl-proxy service pservice_name

The pservice_name argument is the name of the SSL proxy client service. Enter an unquoted alphanumeric string with a maximum of 64 characters.

For example, to create the SSL proxy client service PSERVICE_CLIENT, enter:

host1/Admin(config)# ssl-proxy service PSERVICE_CLIENT

Once you create an SSL proxy client service, the CLI enters into SSL proxy configuration mode.

host1/Admin(config-ssl-proxy)#

To delete an existing SSL proxy client service, enter:

host1/Admin(config)# no ssl-proxy service PSERVICE_CLIENT

This section contains the following procedures for configuring the SSL proxy client service:

Associating an SSL Parameter Map with the SSL Proxy Client Service

Associating an SSL Parameter Map with the SSL Proxy Client Service

To associate an SSL parameter map with the SSL proxy client service, use the ssl advanced-options command in SSL proxy configuration mode.

The syntax of this command is:

ssl advanced-options parammap_name

The parammap_name argument represents the name of an existing SSL parameter map (see the "Creating and Defining an SSL Parameter Map" section). Enter an unquoted alphanumeric string with a maximum of 64 characters.

For example, to associate the parameter map PARAMMAP_SSL with the SSL proxy service, enter:

host1/Admin(config)# ssl-proxy service PSERVICE_CLIENT
host1/Admin(config-ssl-proxy)# ssl advanced-options PARAMMAP_SSL

To remove the association of an SSL parameter map with the SSL proxy service, enter:

host1/Admin(config-ssl-proxy)# no ssl advanced-options PARAMMAP_SSL

Creating a Layer 7 Class Map for SSL Initiation

The Layer 7 class map you associate with a policy map acts as a filter for traffic that matches the server load balancing (SLB) criteria that you specify. For SSL initiation, the match criteria is in the form of the following HTTP load balancing attributes:

Cookie

HTTP header

URL

Source IP address

To create a Layer 7 class map, use the class-map type http loadbalance command in configuration mode. For details on configuring a Layer 7 class map, refer to the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

Creating a Layer 7 Policy Map for SSL Initiation

A Layer 7 policy map enables server load balancing on the ACE. This policy map contains an association with a Layer 7 class map and an SSL proxy client service. To use a Layer 7 SLB policy map, first create the policy map and define match statements and policy actions. Because Layer 7 policy maps are child policies, you must then associate a Layer 7 policy map with the appropriate Layer 3 and Layer 4 policy map to provide an entry point for Layer 7 SLB traffic classification. You cannot directly apply a Layer 7 policy map to an interface; you can apply only a Layer 3 and Layer 4 policy map to an interface or globally to all interfaces in a context.

This section contains the following procedures for creating a Layer 7 policy map for SSL initiation:

Creating a Layer 7 Policy Map

Associating a Layer 7 Class Map with the Layer 7 Policy Map

Specifying Layer 7 SLB Policy Actions

Creating a Layer 7 Policy Map

To create a Layer 7 SLB policy map, use the policy-map command in configuration mode.

The syntax of this command is:

policy-map type loadbalance first-match map_name

The keywords and arguments are:

type loadbalance—Specifies a load-balancing policy map.

first-match—Defines the execution for the Layer 7 load-balancing policy-map. The ACE executes only the action specified against the first-matching classification.

map_name—Specifies the identifier assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to create the policy map L7SLBPOLICY, enter:

host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY

Once you create a Layer 7 policy map, the CLI enters policy map load balancing configuration mode.

host1/Admin(config-pmap-lb)#

To delete an existing policy map, enter:

host1/Admin(config)# no policy-map L7SLBPOLICY

Associating a Layer 7 Class Map with the Layer 7 Policy Map

To associate a class map with the policy map, use the class command in policy map load balancing configuration mode.

The syntax of this command is:

class {name1 | class-default} [insert-before name2]

The keywords, arguments, and options are:

name1—Specifies the name of a previously defined traffic class, configured with the class-map command, to associate traffic with the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

class-default—Reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match the traffic, then the ACE performs the action specified under the class class-default command. The class-default class map has an implicit match any statement in it enabling it to match all traffic.

insert-before name2—(Optional) Places the current class map ahead of an existing class map or match statement specified by the name2 argument in the policy-map configuration. The ACE does not save the sequence reordering as part of the configuration.

For example, to associate the class map L7SLBCLASS with the policy map, enter:

host1/Admin(config-pmap-lb)# class L7SLBCLASS

Once you associate a class map with the policy map, the CLI enters into policy map load balancing class configuration mode.

host1/Admin(config-pmap-lb-c)# 

The following example illustrates the use of the insert-before option to define the position of a class map in the policy map:

host1/Admin(config-pmap-lb)# class L7SLBCLASS insert-before HTTP_CLASS
host1/Admin(config-pmap-lb-c)# 

The following example illustrates the use of the class class-default command:

host1/Admin(config-pmap-lb)# class class-default
host1/Admin(config-pmap-lb-c)#

To remove the association of a class map with the policy map, enter:

(config-pmap-lb)# no class L7SLBCLASS

Specifying Layer 7 SLB Policy Actions

After you associate a Layer 7 SLB class map with a Layer 7 SLB policy map or specify inline match commands, you need to specify one or more of the following actions that the ACE should take when network traffic matches a class map or inline match command:

Discard requests

Forward requests without load balancing

Enable HTTP header information

Enable load balancing to a server farm

Configure a sticky server farm

Specify the IP differentiated services code point of packets

Associate an SSL Proxy Service

This section describes the process of associating an SSL proxy service with the policy map. For details on configuring additional policy actions, refer to the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

To associate an SSL proxy client service with the policy map, use the ssl-proxy command in policy map load balancing class configuration mode.

The syntax of this command is:

ssl-proxy client name

The name argument specifies the identifier of an existing SSL proxy client service. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to associate the SSL client proxy service PSERVICE_CLIENT with the class map, enter:

host1/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
host1/Admin(config-pmap-lb)# class L7SLBCLASS
host1/Admin(config-pmap-lb-c)# ssl-proxy client PSERVICE_CLIENT

To remove the association of the SSL client proxy service to the class map, enter:

host1/Admin(config-pmap-lb-c)# no ssl-proxy client PSERVICE_CLIENT

Creating a Layer 3 and Layer 4 Class Map for SSL Initiation

The Layer 3 and Layer 4 class map you associate with a Layer 3 and Layer 4 policy map acts as a filter for traffic that matches the criteria you specify. For SSL initiation, you can define the match criteria based on one or more of the following traffic characteristics:

Access list

Virtual IP address

Source IP address and subnet mask

Destination IP address and subnet mask

TCP/UDP port number or port range

To create a Layer 3 and Layer 4 class map, use the class-map command in the configuration mode. For details on creating and configuring a Layer 3 and Layer 4 class map, refer to the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

Creating a Layer 3 and Layer 4 Policy Map for SSL Initiation

The Layer 3 and Layer 4 policy map you create for SSL initiation contains an association with the Layer 7 policy map that the ACE uses for load balancing. Because you can apply only a Layer 3 and Layer 4 policy map directly to a context interface, you need to associate the Layer 7 policy map with the Layer 3 and Layer 4 policy map.

This section contains the following procedures for creating a Layer 3 and Layer 4 policy map for SSL initiation and then associating a class map and a Layer 7 policy map with it:

Creating a Layer 3 and Layer 4 Policy Map

Associating the Layer 3 and Layer 4 Class Map with the Policy Map

Associating a Layer 7 Policy Map with the Class Map

Creating a Layer 3 and Layer 4 Policy Map

To create a Layer 3 and Layer 4 policy map, use the policy-map command in configuration mode.

The syntax of this command is:

policy-map multi-match policy_name

The policy_name argument represents the name you assign the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to create the policy map L4SLBPOLICY, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY

Once you create a policy map, the CLI enters policy map configuration mode.

host1/Admin(config-pmap)#

To delete an existing policy map, enter:

host1/Admin(config)# no policy-map L4SLBPOLICY

For information on associating the Layer 3 and Layer 4 class map with the policy map, proceed to the "Associating the Layer 3 and Layer 4 Class Map with the Policy Map" section.

Associating the Layer 3 and Layer 4 Class Map with the Policy Map

To associate the Layer 3 and Layer 4 class map with the policy map, use the class command in policy map configuration mode.

The syntax of this command is:

class class-map

The class-map argument represents the name of an existing class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to associate the class map L4SLBCLASS with the policy map, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class L4SLBCLASS

Once you associate a class map with the policy map, the CLI enters policy map class configuration mode.

host1/Admin(config-pmap-c)# 

To remove the association of a class map to the policy map, enter:

host1/Admin(config-pmap)# no class L4SLBCLASS

Associating a Layer 7 Policy Map with the Class Map

To associate a Layer 7 policy map with the Layer 3 and Layer 4 class map, use the loadbalance command in policy map class configuration mode. This association nests the Layer 7 policy map within the Layer 3 and Layer 4 policy map that the ACE applies directly to the traffic.

The syntax of this command is:

loadbalance policy policymap

The policymap argument represents the name of an existing Layer 7 policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to associate the Layer 7 policy map L7SLBPOLICY with the class map, enter:

host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class L4SLBCLASS
host1/Admin(config-pmap-c)# loadbalance policy L7SLBPOLICY

To remove the association of the Layer 7 policy map with the class map, enter:

host1/Admin(config-pmap-c)# no loadbalance policy L7SLBPOLICY

Applying the Policy Map to the VLANs

This section describes how to apply the Layer 3 and Layer 4 policy map to the VLAN traffic. The ACE allows you to apply the policy globally to all VLANs within the current context or to a specific VLAN in the context.

This section contains the following procedures for applying the policy map to a VLAN:

Applying the Policy Map Globally

Applying the Policy Map to a Specific VLAN

Applying the Policy Map Globally

To globally apply the policy map to all of the VLANs in the context, use the service-policy command in configuration mode.

The syntax of this command is:

service-policy input policy_name

The policy_name argument represents the name of an existing policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to globally apply the policy map L4SLBPOLICY to all of the context VLANs, enter:

host1/Admin(config)# service-policy input L4SLBPOLICY

To globally remove a policy map from all VLANs, enter:

host1/Admin(config)# no service-policy input L4SLBPOLICY

Applying the Policy Map to a Specific VLAN

To apply a policy map to a specific VLAN interface, you must enter interface configuration mode using the interface command in configuration mode.

The syntax of this command is:

interface vlan vlan

The vlan argument represents the context VLAN number. Enter an integer from 2 to 4094.

For example, to enter into interface configuration mode for VLAN 10, enter:

host1/Admin(config)# interface vlan 10
host1/Admin(config-if)#

To apply the policy map to the interface, use the service-policy command in interface configuration mode.

The syntax of this command is:

service-policy input policy-name

The policy-name argument represents the name of an existing policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to apply the policy map L4SLBPOLICY to VLAN 10, enter:

host1/Admin(config)# interface vlan 10
host1/Admin(config-if)# service-policy input L4SLBPOLICY

To remove the policy from the interface, enter:

host1/Admin(config-if)# no service-policy input L4SLBPOLICY

Example of an SSL Initiation Configuration

access-list ANYONE line 10 extended permit tcp any any

parameter-map type ssl SSL_TERM
  cipher RSA_WITH_3DES_EDE_CBC_SHA

rserver host DC5-LNX1
  ip address 192.168.1.11
  inservice
rserver host DC5-LNX2
  ip address 192.168.1.12
  inservice
rserver host DC5-LNX3
  ip address 192.168.1.13
  inservice
rserver host DC5-LNX4
  ip address 192.168.1.14
  inservice
rserver host DC5-LNX5
  ip address 192.168.1.15
  inservice

ssl-proxy service SSL_PROXY1
  cert MYCERT.PEM
  ssl advanced-options SSL_TERM

serverfarm SERVERS5
  rserver DC5-LNX1
    inservice
  rserver DC5-LNX2
    inservice
  rserver DC5-LNX3
    inservice
  rserver DC5-LNX4
    inservice
  rserver DC5-LNX5
    inservice

class-map type http loadbalance match-all URL_CLASS
  2 match http url /index.html
class-map type management match-any REMOTE-ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
class-map match-all VIP-70
  2 match virtual-address 172.16.22.70 any

policy-map type loadbalance first-match POLICY1
  class URL_CLASS
    serverfarm SERVERS5
    ssl-proxy client SSL_PROXY1
policy-map type loadbalance first-match SLB5-LOGIC
  class class-default
    serverfarm SERVERS5
policy-map type management first-match REMOTE-MGMT
  class REMOTE-ACCESS
    permit
policy-map multi-match CLIENT-VIPS
  class VIP-70
    loadbalance vip inservice
    loadbalance policy POLICY1

interface vlan 222
  description Client vlan
  ip address 172.16.22.15 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE-MGMT
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 422
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.22.1

username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/ role Admin domain default-domain
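The following Python script is an added example; it is not part of the Cisco guide or of the ACE software. It applies the association chain described in the "Overview of SSL Initiation" section (interface, Layer 3 and Layer 4 policy map, class, Layer 7 policy map, class, SSL proxy client service, parameter map) and the cipher priority rules from the "Adding a Cipher Suite" section to a running-config in the shape of the example above, and reports for each flow whether the ACE will actually initiate SSL toward the server and which cipher suites it will offer in its ClientHello. The CONFIG text inside the script is constructed for this example and deliberately repeats a mistake worth catching: the applied Layer 3 and Layer 4 policy nests a Layer 7 policy that carries no ssl-proxy client, while the Layer 7 policy that does carry one is never reached. Two points are assumptions the guide does not settle: suites with the same priority keep their configured order, and cipher names are compared case-insensitively.

```python
"""Added example, not from the Cisco guide: follow the SSL initiation chain through
an ACE running-config and report what each flow offers in its ClientHello."""
import re

# Table 4-3 order, which is what the ACE offers when no cipher is configured.
TABLE_4_3 = [
    "RSA_WITH_RC4_128_MD5", "RSA_WITH_RC4_128_SHA", "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA", "RSA_EXPORT_WITH_RC4_40_MD5",
    "RSA_EXPORT_WITH_DES40_CBC_SHA", "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT1024_WITH_DES_CBC_SHA", "RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_AES_256_CBC_SHA",
]
# Export-grade, RC4, single-DES and MD5-MAC suites: weak by current standards.
WEAK = re.compile(r"EXPORT|RC4|_DES_|MD5")

# Constructed sample: CLIENT-VIPS nests SLB5-LOGIC (no ssl-proxy client); POLICY1 is unreached.
CONFIG = """\
parameter-map type ssl SSL_INIT
  cipher rsa_with_aes_256_cbc_sha priority 10
  cipher rsa_with_aes_128_cbc_sha priority 5
  cipher rsa_with_rc4_128_md5
  version tls1
ssl-proxy service PSERVICE_CLIENT
  ssl advanced-options SSL_INIT
policy-map type loadbalance first-match POLICY1
  class URL_CLASS
    serverfarm SERVERS5
    ssl-proxy client PSERVICE_CLIENT
policy-map type loadbalance first-match SLB5-LOGIC
  class class-default
    serverfarm SERVERS5
policy-map multi-match CLIENT-VIPS
  class VIP-70
    loadbalance vip inservice
    loadbalance policy SLB5-LOGIC
interface vlan 222
  service-policy input CLIENT-VIPS
"""
FIXED_CONFIG = CONFIG.replace("loadbalance policy SLB5-LOGIC", "loadbalance policy POLICY1")


def parse_tree(text):
    """Nest config lines by indentation: {line: {child line: {...}}}."""
    root, stack = {}, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1] if stack else root
        parent[raw.strip()] = node = {}
        stack.append((indent, node))
    return root


def named(tree, prefix):
    """{last word of each line starting with prefix: that line's children}."""
    return {line.split()[-1]: body for line, body in tree.items() if line.startswith(prefix)}


def effective_ciphers(parammap):
    """ClientHello order for one parameter map: highest priority first (default 1).
    Equal priorities keep configured order, an assumption the guide does not settle."""
    found = [(m.group(1).upper(), int(m.group(2) or 1)) for line in parammap
             if (m := re.match(r"cipher\s+(\S+)(?:\s+priority\s+(\d+))?$", line))]
    if not found:
        return list(TABLE_4_3)              # default: every suite, table order
    return [name for name, _ in sorted(found, key=lambda c: -c[1])]


def trace_ssl_initiation(config_text):
    """One finding per Layer 7 class reached from an applied service policy, plus an
    'orphan' finding per ssl-proxy client reference that no service policy reaches."""
    tree = parse_tree(config_text)
    pmaps = {n: {c.split(None, 1)[1]: acts for c, acts in body.items() if c.startswith("class ")}
             for n, body in named(tree, "policy-map ").items()}
    services = named(tree, "ssl-proxy service ")
    parammaps = named(tree, "parameter-map type ssl ")
    # A global service-policy covers every VLAN; an interface one covers that VLAN only.
    applied = [("global", n) for n in named(tree, "service-policy input ")]
    for vlan, body in named(tree, "interface vlan ").items():
        applied += [("vlan " + vlan, n) for n in named(body, "service-policy input ")]
    findings, reached = [], set()
    for scope, l4name in applied:
        for l4class, acts in pmaps.get(l4name, {}).items():
            for l7name in named(acts, "loadbalance policy "):
                reached.add(l7name)
                for l7class, l7acts in pmaps.get(l7name, {}).items():
                    svc = next(iter(named(l7acts, "ssl-proxy client ")), None)
                    pm = next(iter(named(services.get(svc, {}), "ssl advanced-options ")), None)
                    body = parammaps.get(pm, {})
                    ciphers = effective_ciphers(body) if svc else []  # no service: clear text
                    findings.append({
                        "orphan": False, "scope": scope, "l4_policy": l4name, "l4_class": l4class,
                        "l7_policy": l7name, "l7_class": l7class, "ssl_proxy": svc,
                        "parameter_map": pm, "ciphers": ciphers,
                        "versions": next(iter(named(body, "version ")), "all") if svc else None,
                        "weak": [c for c in ciphers if WEAK.search(c)]})
    for l7name, classes in pmaps.items():
        for l7class, l7acts in classes.items():
            if l7name not in reached and named(l7acts, "ssl-proxy client "):
                findings.append({"orphan": True, "l7_policy": l7name, "l7_class": l7class})
    return findings
```

Run trace_ssl_initiation on the text of show running-config. A finding whose ssl_proxy is None means the ACE forwards that traffic to the server in clear text; an orphan finding means an ssl-proxy client is configured but no applied service policy reaches it, which is exactly what the constructed CONFIG shows and FIXED_CONFIG corrects. Any suite listed under weak should be removed with the no cipher command, and versions should read tls1 unless the server cannot negotiate TLS.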