Application Control Engine Module Getting Started Guide (Software Version A2(1.0))
ACE Overview

Overview


The Cisco Application Control Engine (ACE) module performs high-performance server load balancing (SLB) among groups of servers, server farms, firewalls, and other network devices, based on Layer 3 as well as Layer 4 through Layer 7 packet information. The ACE module can also terminate and initiate SSL-encrypted traffic so that it can perform intelligent load balancing while ensuring secure end-to-end encryption.

The following sections provide an overview of the major functions and features on the ACE:

Routing and Bridging

Administering the ACE

Virtualization

Server Load Balancing

ACE Security

Secure Sockets Layer

Routing and Bridging

The ACE does not have any external physical interfaces to receive traffic from clients and servers. Instead, it uses internal VLAN interfaces.

First, you must assign VLANs from the supervisor in the Catalyst 6500 series switch or a Cisco 7600 series router (an ACE20-MOD-K9 module only) to the ACE. After the ACE is booted, it downloads the VLANs from the supervisor. You can then configure the interfaces as either routed or bridged as needed.

The ACE supports these protocols:

Address Resolution Protocol (ARP)—Allows the ACE to manage and learn the mapping of IP to Media Access Control (MAC) information to forward and transmit packets.

Dynamic Host Configuration Protocol (DHCP)—Provides configuration parameters to DHCP clients. You can configure the ACE as a DHCP relay agent so that it forwards the request and response negotiations between the DHCP clients and the DHCP server.

For more information, see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide.

Administering the ACE

In addition to standard administration tasks, such as establishing remote access and managing software licenses and the ACE software, the ACE allows you to perform advanced administration tasks, such as using traffic policies to classify traffic flows and to define the action taken for each type of traffic. Traffic policies consist of the following components:

Class maps—Classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified by a class map. Each class map defines network traffic that is of interest to you.

Policy maps—Define a series of actions (functions) that you want applied to traffic configured for a class map.

Service policy—Attaches the traffic policy to each specified VLAN interface. The ACE evaluates all network traffic on the specified interface according to the actions specified in the named traffic policy.

The ACE uses the individual traffic policies to implement the following functions:

Remote access using Secure Shell (SSH) or Telnet

Server load balancing (Layer 3, Layer 4, and Layer 7)

Network Address Translation (NAT)

HTTP deep packet inspection, application protocol inspection, and FTP command inspection

SSL security services between a web browser (the client) and the HTTP server

TCP/IP normalization and termination

Simple Network Management Protocol (SNMP) allows you to query the ACE for Cisco Management Information Bases (MIBs) and to send event notifications to a network management system (NMS).

An XML interface on the ACE allows you to transfer, configure, and monitor objects in the ACE. This interface allows you to easily shape or extend the CLI query and reply data in XML format.

Redundancy provides fault tolerance for the stateful switchover of flows. Redundancy offers increased uptime and a more robust network by providing seamless switchover of flows in case an ACE becomes unresponsive. Redundancy is designed especially for the following network applications that require fault tolerance:

Mission-critical enterprise applications

Banking and financial services

E-commerce

Long-lived flows such as FTP and HTTP file transfers

For more information, see the Cisco Application Control Engine Module Administration Guide.

Virtualization

The virtualization tools allow you to manage the system resources and users of the ACE, as well as the services provided to your customers.

Virtualization provides the following features:

Contexts—The objects that divide the virtualized environment. You can operate ACE in a single context or in multiple contexts. Multiple contexts use virtualization to partition your ACE into multiple virtual devices or contexts. Each context behaves like an independent device with its own policies, interfaces, domains, server farms, real servers, and administrators. Each context also has its own management VLAN that you can access using Telnet or SSH.

Domains—A namespace in which a user operates; each user is associated with at least one domain. The role assigned to a user determines the operations that the user can perform on the objects in a domain and the command set available to that user. When you create a context, the ACE automatically creates a default domain for that context.

Role-based access control (RBAC)—A mechanism that determines the commands and resources available to each user. A role defines a set of permissions for accessing the objects and resources in a context and the actions that you can perform on them.

Resource classes—The means by which you manage context access to ACE resources, such as concurrent connections or bandwidth rate. The ACE is preconfigured with a default resource class that it applies to the Admin context and any user context upon creation.

For more information, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

Server Load Balancing

Server load balancing (SLB) on the ACE provides the following features:

Network traffic policies for SLB

Real servers and server farms

Health monitoring through probes, as well as TCL scripts

Stickiness (connection persistence)

Firewall load balancing (FWLB) to load-balance traffic from the Internet through a firewall to a data center or intranet

For more information, see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

ACE Security

The ACE contains the following security features:

Security access control lists (ACLs) to provide basic security for your network by filtering traffic and controlling network connections

User authentication and accounting (AAA) through a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server, providing a higher level of security for users accessing the ACE

HTTP deep packet inspection, File Transfer Protocol (FTP) command request inspection, and application inspection of Domain Name System (DNS), FTP, HTTP, Internet Control Message Protocol (ICMP), or Real-Time Streaming Protocol (RTSP)

TCP/IP normalization, IP fragmentation and reassembly, and UDP parameter settings to protect the ACE and the data center from attacks

NAT to protect your data center by hiding private addresses from public networks

For more information, see the Cisco Application Control Engine Module Security Configuration Guide.

Secure Sockets Layer

The SSL protocol on the ACE provides encryption for Internet traffic, securing transactions such as the transmission of credit card numbers to e-commerce web sites. SSL secures the exchange of data between a client and a server through a combination of privacy, authentication, and data integrity. SSL relies on certificates and public and private key pairs for this level of security.

The ACE provides the following SSL features:

A special set of SSL commands to perform the SSL cryptographic functions between a client and a server. The SSL functions include server authentication, private-key and public-key generation, certificate management, and data packet encryption and decryption.

SSL termination to configure an ACE context for a front-end application in which the ACE operates as an SSL server communicating with a client.

SSL initiation to configure an ACE context for a back-end application in which the ACE operates as a client communicating with an SSL server.

End-to-end SSL to configure an ACE context for both SSL termination and SSL initiation. You can configure the ACE for end-to-end SSL when you have an application that requires establishing a secure SSL channel between the client, the ACE, and the SSL server.
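As an added example (not from this guide or any Cisco sample), the following constructed ACE configuration shows how the traffic-policy components described under "Administering the ACE" (class map, policy map, service policy) fit together with the SSL termination feature above: client traffic to an HTTPS virtual IP is terminated on the ACE and load balanced to two real servers, and a management policy limits remote access to the context to SSH. All object names, IP addresses, VLAN number, and key and certificate file names are assumptions.

```text
! Constructed example: HTTPS VIP terminated on the ACE, load balanced to two
! real servers over plain HTTP, plus a management policy allowing SSH only.
! SSL termination service; key and certificate are assumed already imported
ssl-proxy service SSL-TERM
  key my-key.pem
  cert my-cert.pem

! Real servers and the server farm they belong to
rserver host WEB1
  ip address 10.10.10.11
  inservice
rserver host WEB2
  ip address 10.10.10.12
  inservice
serverfarm host WEB-FARM
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! Class map: the client traffic of interest (the VIP on TCP port 443)
class-map match-all VIP-HTTPS
  2 match virtual-address 192.0.2.100 tcp eq 443
! Management class map: only SSH destined to the ACE itself
class-map type management match-any REMOTE-MGMT
  2 match protocol ssh any

! Load-balancing policy map: the action applied to matched client traffic
policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm WEB-FARM

! Management policy map: permit only the matched management protocol
policy-map type management first-match MGMT-POLICY
  class REMOTE-MGMT
    permit

! Multi-match policy map: SSL termination plus load balancing for the VIP
policy-map multi-match CLIENT-VIPS
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy LB-WEB
    ssl-proxy server SSL-TERM

! Service policies attach both traffic policies to the VLAN interface
interface vlan 100
  ip address 192.0.2.1 255.255.255.0
  service-policy input MGMT-POLICY
  service-policy input CLIENT-VIPS
  no shutdown
```

Because the management policy is first-match and only permits SSH, Telnet and other management protocols to the ACE on this interface are not allowed, which is the least-privilege posture to prefer for remote access.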

For more information, see the Cisco Application Control Engine Module SSL Configuration Guide.