User Guide for the Cisco Application Networking Manager 2.0
Configuring Virtual Contexts

Table Of Contents

Configuring Virtual Contexts

Using Virtual Contexts

Creating Virtual Contexts

Configuring Virtual Contexts

Configuring Virtual Context System Attributes

Configuring Virtual Context Primary Attributes

Configuring Virtual Context Syslog Settings

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configuring SNMP for Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring Virtual Context Global Traffic Policies

Managing ACE Licenses

Viewing ACE Licenses

Importing ACE Licenses

Installing ACE Licenses

Uninstalling ACE Licenses

Updating ACE Licenses

Displaying License Configuration and Statistics

Using Resource Classes

Global and Local Resource Classes

Resource Allocation Constraints

Using Global Resource Classes

Configuring Global Resource Classes

Deploying Global Resource Classes

Auditing Resource Classes

Modifying Global Resource Classes

Deleting Global Resource Classes

Using Local Resource Classes

Configuring Local Resource Classes

Deleting Local Resource Classes

Viewing Local Resource Class Use on Virtual Contexts

Configuring Security with ACLs

Creating ACLs

Setting Extended ACL Attributes

Resequencing Extended ACLs

Setting EtherType ACL Attributes

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Managing ACLs

Viewing All ACLs by Context

Editing or Deleting ACLs

Configuring Virtual Context Expert Options

Comparing Context and Building Block Configurations

Managing Virtual Contexts

Viewing All Virtual Contexts

Synchronizing Virtual Context Configurations

Managing Syslog Settings for Autosync

Editing Virtual Contexts

Deleting Virtual Contexts

Upgrading Virtual Contexts

Restarting Virtual Context Polling


Configuring Virtual Contexts


Revised Date: 2/17/11

Cisco Application Networking Manager (ANM) provides a number of options for configuring Cisco Application Control Engine (ACE) hardware.

For information about these options, see:

Using Virtual Contexts

Creating Virtual Contexts

Configuring Virtual Contexts

Configuring Virtual Context System Attributes

Configuring Virtual Context Primary Attributes

Configuring Virtual Context Syslog Settings

Configuring SNMP for Virtual Contexts

Configuring Virtual Context Global Traffic Policies

Managing ACE Licenses

Using Resource Classes

Using Global Resource Classes

Using Local Resource Classes

Configuring Security with ACLs

Configuring Object Groups

Managing ACLs

Configuring Virtual Context Expert Options

Comparing Context and Building Block Configurations

Managing Virtual Contexts

Using Virtual Contexts

Virtual contexts use the concept of virtualization to partition your ACE into multiple virtual devices or contexts. Each context contains its own set of policies, interfaces, resources, and administrators. This feature enables you to more closely and efficiently manage resources, users, and the services you provide to your customers.

The first time you configure a virtual context, you will see only the Admin context. In addition to the configurable attributes of other virtual contexts, the Admin context can configure:

High Availability (HA or fault tolerance between ACE devices)

Resource classes

ACE licenses


Note If you restore the ANM database from a backup repository and a virtual context that is in the repository has been removed from the device, ANM removes that context from the database and the context does not appear in the ANM interface.


Related Topics

Creating Virtual Contexts

Configuring Virtual Contexts

Deleting Virtual Contexts

Comparing Context and Building Block Configurations

Restarting Virtual Context Polling

Managing Virtual Contexts

Creating Virtual Contexts

Use this procedure to create virtual contexts.


Note You must have the ability to create virtual contexts in your role and an Admin context in your domain before you can create virtual contexts. For more information about configuring roles and domains, see Managing User Roles, page 15-43 and Managing Domains, page 15-49.


Assumption

The ANM is populated with ACE devices.

Procedure


Step 1 Select Config > Devices, then select the ACE to which you want to add a virtual context. The Virtual Contexts table appears.


Tip The ANM device tree indicates the type of ACE device by notation on the device:
- ACE devices with no red notation indicate ACE 1.0 modules.
- ACE devices with a red 2 indicate ACE 2.0 modules.
- ACE devices with a red 3 indicate ACE appliances.


Step 2 Click Add. The New Virtual Context screen appears.

Step 3 Configure the virtual context, using the information in Table 3-1.


Tip Fields that contain 3 or fewer choices use radio buttons. Fields that contain more than 3 choices use dropdown lists.


Table 3-1 Virtual Context Configuration Attributes 

Field
Description

Name

Enter a unique name for the virtual context. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

This field is read-only for existing contexts.

Device

Select the device to associate with this context.

This field appears for new contexts only.

Module

This field appears for chassis that contain multiple modules and for new contexts only.

Select the module to associate with this context.

Resource Class

Select the resource class that this virtual context is to use.

Tagged Building Block to Apply (1)

Select the configuration building block to apply to this context.

Allocate-Interface VLANs

Enter the number of a VLAN or a range of VLANs so that the context can receive the associated traffic. You can specify VLANs in any of the following ways:

For a single VLAN, enter an integer from 2 to 4096.

For multiple, non-sequential VLANs, use comma-separated entries, such as 101, 201, 302.

For a range of VLANs, use the format <beginning-VLAN>-<ending-VLAN>, such as 101-150.

Note VLANs cannot be modified in an Admin context.

Description

Enter a brief description of the virtual context.

Policy Name

This field is read-only for existing contexts and read/write if the virtual context was created using the CLI.

VLAN to use

Enter the VLAN that is to be used for remote management of the context.

Note For ACE 2.0 modules, you need to specify a management VLAN for the Admin context only; additional contexts will be polled using the same VLAN.
For ACE 1.0 modules and ACE appliances, you need to specify a management VLAN for each context individually or the contexts will not be polled.

Management IP

Enter the IP address that is to be used for remote management of the context.

Note ANM considers an interface as a management interface if it has a management policy map associated with the VLAN interface. See the "Configuring VLAN Interface Policy Map Use" section on page 9-7.

Management Netmask

Select the subnet mask to apply to this IP address.

Protocols to Allow

Select the protocols to allow on this VLAN.

To specify protocols, select them in the Available Items list, then click Add. They then appear in the Selected Items list. To remove protocols, select them in the Selected Items list, then click Remove. They then appear in the Available Items list.

HTTP—Specifies the Hypertext Transfer Protocol (HTTP).

HTTPS—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the ANM interface.

ICMP—Specifies the Internet Control Message Protocol (ICMP), commonly referred to as ping.

SNMP—Specifies the Simple Network Management Protocol (SNMP).


Note If SNMP is not selected, the ANM will not be able to poll the context.


SSH—Specifies a Secure Shell (SSH) connection to the ACE.

TELNET—Specifies a Telnet connection to the ACE.

KALAP UDP—Specifies the Keepalive Appliance Protocol over UDP. This option is available for ACE 2.0 modules and ACE 4710 A3(1.0) release only.

XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving XML documents between the ACE appliance and a Network Management System (NMS). This option is available for ACE appliances only.

You can select multiple protocols by holding down the Shift key while selecting protocols or by holding down the mouse button while dragging it over the protocols.

Default Gateway IP

Enter the IP address of the default gateway. Use a comma-separated list to specify multiple IP addresses, such as 192.168.65.1, 192.168.64.2.

Default static routes with a netmask and IP address of 0.0.0.0 previously configured on the ACE appear in this field.

SNMP Community

If SNMP is one of the allowed protocols, enter the SNMP version 2c community string to be used.

Note If SNMP is not an allowed protocol, the ANM will not be able to poll the context.

(1) Building blocks were referred to as configuration templates in ANM 1.1.


Step 4 Click:

Deploy Now to deploy this context. The screen refreshes and you can continue with virtual context configuration (see Configuring Virtual Contexts).

Cancel to exit this procedure without saving your entries. The Virtual Contexts table appears.
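The Name and Allocate-Interface VLANs fields in Table 3-1 each carry input rules that are easy to get wrong by hand (a reversed range, a doubled comma, an out-of-range VLAN ID). The following validator is an added example for this guide, not ANM or ACE code; it applies only the rules the table states (a name of at most 64 alphanumeric characters with no spaces; VLAN IDs from 2 to 4096 given singly, comma-separated, or as a <beginning-VLAN>-<ending-VLAN> range) and its function names are this example's own.

```python
"""Validators for two Primary Attributes fields described in Table 3-1.

Added example for this guide; it is not ANM or ACE code. It applies only the
rules the guide states: a virtual context name is an unquoted string of at
most 64 alphanumeric characters with no spaces, and the Allocate-Interface
VLANs field accepts a single VLAN ID, a comma-separated list, or a
<beginning-VLAN>-<ending-VLAN> range, with IDs from 2 to 4096 (the bounds
given in the table). Function names are this example's own.
"""
import re

VLAN_MIN = 2       # lower bound stated in Table 3-1
VLAN_MAX = 4096    # upper bound stated in Table 3-1

_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")
_SINGLE_RE = re.compile(r"^\d+$")
_RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def is_valid_context_name(name):
    """True if `name` satisfies the Name rule in Table 3-1."""
    return bool(_NAME_RE.match(name))


def _check_id(vlan, token):
    """Reject a VLAN ID outside the bounds the guide gives for this field."""
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"VLAN {vlan} in '{token}' is outside {VLAN_MIN}-{VLAN_MAX}")
    return vlan


def parse_vlan_spec(spec):
    """Expand an Allocate-Interface VLANs value into a sorted list of unique IDs.

    Each comma-separated token must be a single ID or a lo-hi range; anything
    else (an empty token from '101,,150', a reversed range such as '150-101',
    an out-of-range ID) raises ValueError so the mistake is caught before the
    context is deployed.
    """
    ids = set()
    for token in spec.split(","):
        token = token.strip()
        if _SINGLE_RE.match(token):
            ids.add(_check_id(int(token), token))
            continue
        m = _RANGE_RE.match(token)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"range '{token}': beginning-VLAN is greater than ending-VLAN")
            _check_id(lo, token)
            _check_id(hi, token)
            ids.update(range(lo, hi + 1))
            continue
        raise ValueError(f"'{token}' is neither a VLAN ID nor a <beginning-VLAN>-<ending-VLAN> range")
    return sorted(ids)


def is_valid_vlan_spec(spec):
    """Boolean wrapper around parse_vlan_spec for form-style validation."""
    try:
        parse_vlan_spec(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for value in ("101, 201, 302", "101-150", "2", "1", "150-101", "101,,150"):
        print(f"{value!r:>16} -> {'ok' if is_valid_vlan_spec(value) else 'rejected'}")
```

parse_vlan_spec returns the expanded set of IDs rather than just a yes/no, so the same routine can be used to review what a context will actually receive before you click Deploy Now.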


Related Topics

Using Virtual Contexts

Configuring Virtual Contexts

Configuring Virtual Contexts

After creating a virtual context, you can configure it. Configuring a virtual context involves configuring a number of attributes, grouped into configuration subsets.

The options that appear when you select Config > Devices > context depend on the:

Type of ACE device associated with the context: ACE 1.0 module, ACE 2.0 module, or ACE appliance.

Role associated with your account, such as Admin, Network-Admin, or SSL-Admin.

Context you are configuring: An Admin context or a user context.

Table 3-2 describes configuration options for Admin contexts for ACE modules and ACE appliances although not all options are available for both types of devices.

Table 3-3 identifies the configuration options that are available for each ACE device type.


Note You cannot modify a virtual context with the CLI Sync Status Import Failed. You must synchronize the context before you can make changes to it. You can view CLI Sync Status and synchronize contexts from the Virtual Contexts table (Config > Devices > ACE).


Conventions

The ANM uses the following screen conventions:

Fields with 1 to 3 choices use radio buttons. Fields with more than 3 choices use dropdown lists.

The ANM device tree indicates the type of ACE device by red notation on the device:

No red notation indicates ACE 1.0 modules.

A red 2 indicates ACE 2.0 modules.

A red 3 indicates ACE appliances.

Table 3-2 Virtual Context Configuration Options 

Configuration Subset
Description
Related Topics

System

The System configuration subset includes:

Primary attributes such as building block, resource class, and VLAN options

Syslog attributes that allow you to identify the type and severity of syslog messages that are to be logged, the syslog log host, log messages, and log rate limits

SNMP attributes

Global policy maps for all VLANs on a virtual context

ACE license attributes that allow you to view, install, remove, update, and copy licenses for ACE hardware

Resource classes that allow you to manage virtual context access to individual ACE devices

Note ACE licenses and resource classes can be configured in an Admin context only.

Configuring Virtual Context Primary Attributes

Configuring Virtual Context Syslog Settings

Configuring SNMP for Virtual Contexts

Configuring Virtual Context Global Traffic Policies

Managing ACE Licenses

Using Resource Classes

Load Balancing

Load-balancing attributes allow you to:

Configure virtual servers, real servers, and server farms for load balancing

Establish the predictor method and return code checking

Implement sticky groups for session persistence

Configure parameter maps to combine related actions for policy maps

Load Balancing Overview, page 4-1

Configuring Virtual Servers, page 4-2

Configuring Server Farms, page 5-12

Configuring Health Monitoring for Real Servers, page 5-25

Configuring Sticky Groups, page 6-7

Configuring Parameter Maps, page 7-1

SSL

SSL configuration options allow you to import and export SSL certificates and keys, set up SSL parameter maps and chain group parameters, generate certificate signing requests for submission to a certificate authority, authenticate peer certificates, and configure certificate revocation lists for use during client authentication.

Note You cannot configure all SSL options in a building block. Instead, configure them in an Admin virtual context.

Configuring SSL, page 8-1

Using SSL Certificates, page 8-5

Using SSL Keys, page 8-8

Generating CSRs, page 8-21

Configuring SSL Parameter Maps, page 8-15

Configuring SSL Chain Group Parameters, page 8-18

Configuring SSL Proxy Service, page 8-22

Configuring SSL Authentication Groups, page 8-24

Configuring CRLs for Client Authentication, page 8-25

Security

Security configuration options enable you to create access control lists, set ACL attributes, resequence ACLs, delete ACLs, and configure object groups.

Configuring Security with ACLs

Creating ACLs

Configuring Object Groups

Network

Network configuration options allow you to configure:

VLAN interfaces

BVI interfaces

Static routes

DHCP relay agents

Port channel interfaces

Gigabit Ethernet interfaces

Over 8,000 static NAT configurations

Configuring VLAN Interfaces, page 9-2

Configuring Virtual Context BVI Interfaces, page 9-12

Configuring Virtual Context Static Routes, page 9-14

Configuring VLAN Interface DHCP Relay, page 9-12

Configuring Port Channel Interfaces, page 9-21

Configuring Gigabit Ethernet Interfaces, page 9-17

Configuring Static VLANs for Over 8 K Static NAT Configurations, page 9-16

High Availability

High Availability (HA) attributes allow you to configure two ACE devices for fault-tolerant redundancy and the tracking and detection of failures for timely switchover.

Note You can set up high availability in an Admin context only.

Configuring High Availability Overview, page 10-4

Configuring ACE High Availability Peers, page 10-5

Configuring High Availability Groups, page 10-8

HA Tracking and Failure Detection

HA Tracking and Failure Detection attributes allow you to configure tracking processes that can help ensure reliable fault tolerance.

High Availability Tracking and Failure Detection Overview, page 10-13

Tracking VLAN Interfaces for High Availability, page 10-13

Tracking Hosts for High Availability, page 10-14

Configuring ACE HSRP Groups, page 10-18

Role-Based Access Control

Role-Based Access Control (RBAC) attributes allow you to configure RBAC for individual virtual contexts.

Note Virtual context RBAC is separate from ANM RBAC. For information about ANM RBAC, see How ANM Handles Role-Based Access Control, page 15-7.

Configuring Device RBAC Users, page 2-40

Configuring Device RBAC Roles, page 2-43

Configuring Device RBAC Domains, page 2-48

Expert

Expert attributes allow you to configure traffic policies, configure optimization action lists, and compare a context's configuration with the building block that is associated with it.

Configuring Virtual Context Class Maps, page 11-6

Configuring Virtual Context Policy Maps, page 11-30

Configuring Action Lists for Application Acceleration and Optimization, page 12-3

Comparing Context and Building Block Configurations


Table 3-3 Configuration Options by Device Type

The four middle columns are the ACE device types; an X indicates that the menu option is available for that device type. Rows without a menu option name the menu the options below them belong to.

| Menu Option | ACE 1.0 | ACE 2.0 | ACE 4710 Running Image A1(8) | ACE 4710 Running Image A3(1.0) | Related Topic |
|---|---|---|---|---|---|
| System | | | | | |
| Primary Attributes | X | X | X | X | Configuring Virtual Context Primary Attributes |
| Syslog | X | X | X | X | Configuring Virtual Context Syslog Settings |
| SNMP | X | X | X | X | Configuring SNMP for Virtual Contexts |
| Global Policy | X | X | X | X | Configuring Virtual Context Global Traffic Policies |
| Licenses | X | X | X | X | Managing ACE Licenses |
| Application Acceleration and Optimization | | | X | X | Configuring Global Application Acceleration and Optimization, page 12-16 |
| Resource Classes | X | X | X | X | Using Resource Classes |
| Load Balancing | | | | | |
| Virtual Servers | X | X | X | X | Configuring Virtual Servers, page 4-2 |
| Real Servers | X | X | X | X | Configuring Real Servers, page 5-4 |
| Server Farms | X | X | X | X | Configuring Server Farms, page 5-12 |
| Health Monitoring | X | X | X | X | Configuring Health Monitoring for Real Servers, page 5-25 |
| Stickiness | X | X | X | X | Configuring Sticky Groups, page 6-7 |
| HTTP Parameter Map | X | X | X | X | Configuring HTTP Parameter Maps, page 7-8 |
| Connection Parameter Map | X | X | X | X | Configuring Connection Parameter Maps, page 7-2 |
| Optimization Parameter Map | | | X | X | Configuring Optimization Parameter Maps, page 7-10 |
| Generic Parameter Map | | X | | X | Configuring Generic Parameter Maps, page 7-7 |
| RTSP Parameter Map | | X | | X | Configuring RTSP Parameter Maps, page 7-17 |
| SIP Parameter Map | | X | | X | Configuring SIP Parameter Maps, page 7-18 |
| Skinny Parameter Map | | X | | X | Configuring Skinny Parameter Maps, page 7-20 |
| SSL | | | | | |
| Certificates | X | X | X | X | Using SSL Certificates, page 8-5 |
| Keys | X | X | X | X | Using SSL Keys, page 8-8 |
| Parameter Map | X | X | X | X | Configuring SSL Parameter Maps, page 8-15 |
| Chain Group Parameters | X | X | X | X | Configuring SSL Chain Group Parameters, page 8-18 |
| CSR Parameters | X | X | X | X | Configuring SSL CSR Parameters, page 8-19 |
| Proxy Service | X | X | X | X | Configuring SSL Proxy Service, page 8-22 |
| Auth Group Parameters | | X | | X | Configuring SSL Authentication Groups, page 8-24 |
| Certificate Revocation List | | X | | X | Configuring CRLs for Client Authentication, page 8-25 |
| Security | | | | | |
| ACLs | X | X | X | X | Creating ACLs |
| Object Groups | | X | | X | Configuring Object Groups |
| Network | | | | | |
| Port Channel Interfaces | | | X | X | Configuring Port Channel Interfaces, page 9-21 |
| Gigabit Ethernet Interfaces | | | X | X | Configuring Gigabit Ethernet Interfaces, page 9-17 |
| VLAN Interfaces | X | X | X | X | Configuring VLAN Interfaces, page 9-2 |
| BVI Interfaces | X | X | X | X | Configuring Virtual Context BVI Interfaces, page 9-12 |
| Static Routes | X | X | X | X | Configuring Virtual Context Static Routes, page 9-14 |
| Global IP DHCP | X | X | X | X | Configuring Global IP DHCP, page 9-16 |
| Static NAT Overwrite | | X | | | Configuring Static VLANs for Over 8 K Static NAT Configurations, page 9-16 |
| High Availability | | | | | |
| Setup | X | X | X | X | Configuring ACE High Availability Peers, page 10-5 |
| HA Tracking and Failure Detection | | | | | |
| Interfaces | X | X | X | X | Tracking VLAN Interfaces for High Availability, page 10-13 |
| Hosts | X | X | X | X | Tracking Hosts for High Availability, page 10-14 |
| HSRP Groups | X | X | X | X | Configuring ACE HSRP Groups, page 10-18 |
| Role-Based Access Control | | | | | |
| Users | X | X | X | X | Configuring Device RBAC Users, page 2-40 |
| Roles | X | X | X | X | Configuring Device RBAC Roles, page 2-43 |
| Domains | X | X | X | X | Configuring Device RBAC Domains, page 2-48 |
| Expert | | | | | |
| Class Map | X | X | X | X | Configuring Virtual Context Class Maps, page 11-6 |
| Policy Map | X | X | X | X | Configuring Virtual Context Policy Maps, page 11-30 |
| Action List | | X | X | X | Configuring Action Lists for Application Acceleration and Optimization, page 12-3 |
| Building Block Audit | X | X | X | X | Comparing Context and Building Block Configurations |


Configuring Virtual Context System Attributes

Virtual context System configuration options for all ACE devices are:

Virtual context primary attributes—See Configuring Virtual Context Primary Attributes.

Syslog

Configuring Virtual Context Syslog Settings

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

SNMP

Configuring SNMP for Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Global policy maps for all VLANs on a virtual context—See Configuring Virtual Context Global Traffic Policies.

ACE licenses—See Managing ACE Licenses.

ACE resource classes—See Using Resource Classes.

For ACE appliances, you can also configure global application acceleration and optimization. See Configuring Global Application Acceleration and Optimization, page 12-16.

Configuring Virtual Context Primary Attributes

Primary attributes allow you to configure essential information for each virtual context including a name, VLANs, a management IP address, and allowed protocols. After providing this information, you can configure other attributes, such as interfaces, load-balancing, or SSL. For a complete list of the configurable items, see Configuring Virtual Contexts.

Procedure


Step 1 Select Config > Devices > context > System > Primary Attributes. The Primary Attributes configuration screen appears.

Step 2 Enter the primary attributes for this virtual context using the information in Table 3-1.

Step 3 Click Deploy Now to save your entries and to return to the Virtual Contexts table.


Related Topics

Using Virtual Contexts

Configuring VLAN Interfaces, page 9-2

Configuring Virtual Context BVI Interfaces, page 9-12

Configuring Virtual Context Syslog Settings

Configuring Traffic Policies, page 11-1

Configuring Virtual Context Syslog Settings

The ANM uses syslog logging to send log messages to a process that writes them to designated locations, asynchronously from the processes that generated the messages.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > Syslog.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > Syslog.

The Syslog configuration screen appears.

Step 2 Enter the syslog logging attributes in the displayed fields (see Table 3-5).

All fields that require you to select syslog severity levels use the values in Table 3-4.

Table 3-4 Syslog Logging Levels

| Severity | Description |
|---|---|
| Emergency | Unusable system |
| Alert | Immediate action required |
| Critical | Critical condition |
| Error | Error condition |
| Warning | Warning condition |
| Notification | Normal but significant condition |
| Information | Informational message only |
| Debug | Appears only during debugging |


The severity level that you specify indicates that you want syslog messages at that level and the more severe levels. For example, if you specify Error, syslog displays Error, Critical, Alert, and Emergency messages.


Note Setting all syslog levels to Debug during normal operations can degrade overall performance.


Table 3-5 Virtual Context Syslog Configuration Attributes 

Field
Description
Action

Enable Syslog

This option indicates whether syslog logging should be enabled or disabled.

Select the check box to enable syslog logging or clear the check box to disable syslog logging.

Facility

The syslog daemon uses the specified syslog facility to determine how to process the messages it receives. Syslog servers file or direct messages based on the facility number in the message.

For more information on the syslog daemon and facility levels, refer to your syslog daemon documentation.

Enter the facility appropriate for your network.

Valid entries are 0 (LOCAL0) through 23 (LOCAL7). The default for ACE is 20 (LOCAL4).

Buffered Level

This option enables system logging to a local buffer and limits the messages sent to the buffer based on severity.

Select the desired level for sending system log messages to a local buffer.

By default, logging to a buffer is disabled on the ACE.

Console Level

This option specifies the maximum level for system log messages sent to the console.

Select the desired level for sending system log messages to the console.

By default, ACE does not display syslog messages during console sessions.

Note Logging to the console can degrade system performance. Therefore, we recommend that you log messages to the console only when you are testing or debugging problems. Do not use this option when the network is busy, as it can reduce ACE performance.

History Level

This option specifies the maximum level for system log messages sent as traps to an SNMP network management station.

Select the desired level for sending system log messages as traps to an SNMP network management station.

By default, the ACE does not send traps and inform requests to an SNMP network management station.

Monitor Level

This option specifies the maximum level for system log messages sent to a remote connection using Secure Shell (SSH) or Telnet on the ACE.

Select the desired level for sending system log messages to a remote connection using SSH or Telnet on the ACE.

By default, logging to a remote connection using SSH or Telnet is disabled on the ACE.

Note You must enable remote access on the ACE and establish a remote connection using the SSH or Telnet protocol from a PC for this option to work.

Persistence Level

This option specifies the maximum level for system log messages sent to Flash memory.

Select the desired level for sending system log messages to Flash memory.

By default, logging to Flash memory is disabled on the ACE.

Note We recommend that you use a lower severity level, such as 3, since logging at a high rate to Flash memory on the ACE might impact performance.

Trap Level

This option specifies the maximum level for system log messages sent to a syslog server.

Select the desired level for sending system log messages to a syslog server.

By default, logging to a syslog server is disabled on the ACE.

Supervisor Level

This option specifies the maximum level for system log messages sent to the supervisor module on the Catalyst chassis.

Note This option does not appear for ACE appliances or ACE 4710-type configuration building blocks.

Select the desired level for sending system log messages to the supervisor module on the Catalyst chassis.

Note We recommend that you use a lower severity level, such as 3, since logging at a high rate to the supervisor module might impact performance of the Catalyst system.

Queue Size

This option specifies the size of the queue for storing syslog messages in the message queue while they await processing.

Enter the desired queue size.

Valid entries are from 0 to 8192 messages.

The default is 80 messages.

Enable Timestamp

This option indicates whether syslog messages should include the date and time that the message was generated.

Select the check box to enable timestamps on syslog messages or clear the check box to disable timestamps on syslog messages.

By default, timestamps are not included on syslog messages.

Enable Standby

This option indicates whether logging is enabled on the failover standby ACE. When enabled:

This feature causes twice the message traffic on the syslog server.

The standby ACE syslog messages remain synchronized if failover occurs.

Select the check box to enable logging on the failover standby ACE or clear the check box to disable logging on the failover standby ACE.

Enable Fastpath Logging

This option indicates whether connection setup and teardown messages are logged.

Select the check box to enable the logging of setup and teardown messages or clear the check box to disable the logging of setup and teardown messages.

By default, the ACE does not log connection startup and teardown messages.

Reject New Connection when TCP Queue Full

This option indicates whether the ACE rejects new connections when the TCP queue is full.

Select the check box to reject new connections when the syslog daemon can no longer reach the TCP syslog server.

Clear the check box to disable this feature.

This option is enabled by default.

Reject New Connection when Rate Limit Reached

This option indicates whether the ACE rejects new connections when the syslog message rate is reached.

Select the check box to reject new connections when the syslog message rate is reached.

Clear the check box to disable this feature.

This option is disabled by default.

Reject New Connection when Control Plane Buffer Full

This option indicates whether the ACE rejects new connections when the syslog daemon buffer is full.

Select the check box to reject new connections when the syslog daemon buffer is full.

This option is disabled by default.

Device Id Type

This option specifies the type of unique device identifier to be included in syslog messages sent to the syslog server.

The device identifier does not appear in EMBLEM-formatted messages, SNMP traps, or on the ACE console, management session, or buffer.

Select the type of device identifier to use:

Undefined—No identifier is used.

Context Name—The name of the current virtual context is used to uniquely identify the syslog messages sent from the ACE.

Hostname—The hostname of the ACE is used to uniquely identify the syslog messages sent from the ACE.

Interface—The IP address of the interface is used to uniquely identify the syslog messages sent from the ACE. If you select this option, enter the name of the interface in the Device Interface Name field.

Any String—A text string that you specify is used to uniquely identify the syslog messages sent from the ACE. If you select this option, enter the text string to use in the Logging Device Id field.

Device Interface Name

This field appears if the Device Id Type is Interface.

This option specifies the interface to be used to uniquely identify syslog messages sent from the ACE.

Enter the device interface name to use to uniquely identify syslog messages sent from the ACE. Valid entries are 1 to 64 characters with no spaces.

Syslog messages sent to an external server contain the IP address of the interface specified, regardless of which interface the ACE uses to send the log data to the external server.

Logging Device Id

This field appears if the Device ID Type is Any String.

This option specifies the text string to use to uniquely identify syslog messages sent from the ACE.

Enter a text string that uniquely identifies the syslog messages sent from the ACE. The maximum string length is 64 characters without spaces. Do not use the following characters: & (ampersand), ` (single quote), " (double quote), < (less than), > (greater than), or ? (question mark).


Step 3 Finish this procedure:

For virtual contexts, click Deploy Now to save your entries, or select another option to exit the procedure without saving your entries.

For configuration building blocks, click Save to save your entries or Cancel to exit the procedure without saving your entries.

See Related Topics for additional syslog configuration options.
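Two rules in this procedure are easy to reason about in code: a destination configured at a given level in Table 3-4 receives that level and every more severe one, and a syslog server files messages by the facility number the message carries (the Facility field in Table 3-5). The script below is an added example for this guide, not ANM or ACE code. The PRI encoding it uses, PRI = facility * 8 + severity, is the standard syslog header format (RFC 3164 / RFC 5424) and not an ACE-specific detail; the sample log lines are constructed, and the function names are this example's own.

```python
"""Severity thresholds and facility numbers for the syslog settings in Tables 3-4 and 3-5.

Added example for this guide; it is not ANM or ACE code. It models what the
guide states: a destination configured at a given level receives messages at
that level and all more severe levels, and a syslog server files messages by
the facility number carried in each message. The PRI field that carries both
values, PRI = facility * 8 + severity, is the standard syslog encoding
(RFC 3164 / RFC 5424) rather than anything ACE-specific. The sample lines
are constructed for this example; function names are this example's own.
"""
import re
from collections import defaultdict

# Table 3-4 order, most severe first; the list index is the numeric severity code.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notification", "Information", "Debug"]
SEVERITY_CODE = {name: code for code, name in enumerate(SEVERITIES)}

DEFAULT_FACILITY = 20   # LOCAL4, the ACE default stated in Table 3-5
FACILITY_MAX = 23       # LOCAL7, the highest value the Facility field accepts


def admitted_levels(configured):
    """Levels a destination configured at `configured` will receive."""
    return SEVERITIES[: SEVERITY_CODE[configured] + 1]


def passes(level, configured):
    """True if a message at `level` is logged when the threshold is `configured`."""
    return SEVERITY_CODE[level] <= SEVERITY_CODE[configured]


def encode_pri(facility, severity):
    """Build the PRI value a message would carry."""
    if not 0 <= facility <= FACILITY_MAX:
        raise ValueError(f"facility {facility} outside 0-{FACILITY_MAX}")
    return facility * 8 + SEVERITY_CODE[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility, severity name)."""
    if not 0 <= pri <= FACILITY_MAX * 8 + 7:
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, SEVERITIES[pri % 8]


_LINE_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def parse_syslog_line(line):
    """Extract facility, severity and body from a '<PRI>...' syslog line."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"no PRI header in: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "body": m.group(2)}


def filter_lines(lines, configured):
    """Keep the lines a destination set to `configured` would log."""
    return [ln for ln in lines if passes(parse_syslog_line(ln)["severity"], configured)]


def group_by_facility(lines):
    """Mimic a syslog server filing messages by facility number."""
    groups = defaultdict(list)
    for ln in lines:
        groups[parse_syslog_line(ln)["facility"]].append(ln)
    return dict(groups)


# Constructed sample lines: facility 20 (LOCAL4) unless noted; PRI = 20*8 + severity.
SAMPLE_LINES = [
    "<163>Jan 17 10:00:01 ace-admin: constructed Error-level message",        # 160 + 3
    "<164>Jan 17 10:00:02 ace-admin: constructed Warning-level message",      # 160 + 4
    "<166>Jan 17 10:00:03 ace-admin: constructed Information-level message",  # 160 + 6
    "<160>Jan 17 10:00:04 ace-admin: constructed Emergency-level message",    # 160 + 0
    "<189>Jan 17 10:00:05 other-host: constructed Notification, LOCAL7",      # 23*8 + 5
]


if __name__ == "__main__":
    print("Error threshold admits:", admitted_levels("Error"))
    for ln in filter_lines(SAMPLE_LINES, "Error"):
        print("  logged:", ln)
    for facility, lines in sorted(group_by_facility(SAMPLE_LINES).items()):
        print(f"facility {facility}: {len(lines)} message(s)")
```

Each destination in Table 3-5 (buffer, console, trap, persistence, and so on) has its own threshold, so filter_lines is meant to be run once per destination; the same routine shows why the guide's note about Debug applies: at that level every sample line passes, which is the volume that degrades performance when it is sent to every destination at once.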


Related Topics

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configuring Syslog Log Hosts

After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Settings), you can configure the log host, log messages, and log rate limits.

Use this procedure to configure Syslog log hosts.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > Syslog.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > Syslog.

The Syslog configuration screen appears.

Step 2 Click the Log Host tab. The Log Host table appears.

Step 3 Click Add to add a new log host, or select an existing log host, then click Edit to modify it. The Log Host configuration screen appears.

Step 4 In the IP Address field, enter the IP address of the host to use as the syslog server.

Step 5 In the Protocol field, select TCP or UDP as the protocol to use.

Step 6 In the Protocol Port field, enter the number of the port that the syslog server listens to for syslog messages. Valid entries are integers from 1 to 65535.

Step 7 The Default UDP check box appears if TCP is selected in the Protocol field (Step 5). Select the Default UDP check box to specify that the ACE is to default to UDP if the TCP transport fails to communicate with the syslog server. Clear this check box to prevent the ACE from defaulting to UDP if the TCP transport fails.

Step 8 In the Format field, select

N/A if you do not want to use EMBLEM-format logging.

Emblem to enable EMBLEM-format logging for each syslog server. If you use Cisco Resource Manager Essentials (RME) software to collect and process syslog messages on your network, enable EMBLEM-format logging so that RME can handle them. Similarly, UDP needs to be enabled because the Cisco Resource Manager Essentials (RME) syslog analyzer supports only UDP syslog messages.

Step 9 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entry. This option appears for configuration building blocks.

Cancel to exit the procedure without saving your entries and to return to the Log Host table.

Next to configure another syslog host.


Related Topics

Configuring Virtual Context Syslog Settings

Configuring Syslog Log Messages

Configuring Syslog Log Rate Limits

Configuring Syslog Log Messages

After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Settings), you can configure the log host, log messages, and log rate limits.

Use this procedure to configure Syslog log messages.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > Syslog.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > Syslog.

The Syslog configuration screen appears.

Step 2 Click the Log Message tab. The Log Message table appears.

Step 3 Click Add to add a new entry to this table, or select an existing entry, then click Edit to modify it. The Log Message configuration screen appears.

Step 4 In the Message Id field, select the system log message ID of the syslog messages that are to be sent to the syslog server or that are not to be sent to the syslog server.

Step 5 Select the Enable State check box to indicate that logging is enabled for the specified message ID. Clear the check box to indicate that logging is not enabled for the specified message ID. If you select the Enable State check box, the Log Level field appears.

Step 6 In the Log Level field, select the desired level of syslog messages to be sent to the syslog server, using the levels identified in Table 3-4.

Step 7 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entry. This option appears for configuration building blocks.

Cancel to exit the procedure without saving your entries and to return to the Log Message table.

Next to deploy your entries and to configure additional syslog message entries for this virtual context.


Related Topics

Configuring Virtual Contexts

Configuring Virtual Context Syslog Settings

Configuring Syslog Log Hosts

Configuring Syslog Log Rate Limits

Configuring Syslog Log Rate Limits

After configuring basic syslog characteristics (see Configuring Virtual Context Syslog Settings), you can configure the log host, log messages, and log rate limits.

Use this procedure to configure Syslog log rate limits.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > Syslog.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > Syslog.

The Syslog configuration screen appears.

Step 2 Click the Log Rate Limit tab. The Log Rate Limit table appears.

Step 3 Click Add to add a new entry to this table, or select an existing entry, then click Edit to modify it. The Log Rate Limit configuration screen appears.

Step 4 In the Type field, select the method by which syslog messages are to be limited:

Message—Syslog messages are limited by message identification number. In the Message Id field, select the syslog message ID for those messages you want to suppress reporting.

Level—Syslog messages are limited by syslog level. In the Level field, select the level of syslog messages to be sent to the syslog server, using the levels identified in Table 3-4.

Step 5 Select the Unlimited check box to apply no limits to system message logging. Clear the Unlimited check box to apply limits to system message logging. If you clear the Unlimited check box, the Rate and Time Interval fields appear.

Step 6 If you clear the Unlimited check box, specify the limits to apply to system message logging:

a. In the Rate field, enter the number of syslog messages at which logging is to be limited. When this limit is reached, the ACE rejects new syslog messages. Valid entries are integers from 0 to 2147483647.

b. In the Time Interval field, enter the length of time (in seconds) over which the system message logs are to be limited. For example, if you enter 42 in the Rate field and 60 in the Time Interval field, the ACE rejects any syslog messages that arrive after the first 42 messages in that 60-second period. Valid entries are from 0 to 2147483647 seconds.

Step 7 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entry. This option appears for configuration building blocks.

Cancel to exit the procedure without saving your entries and to return to the Log Rate Limit table.

Next to deploy your entries and to add another entry to the Log Rate Limit table.


Related Topics

Configuring Virtual Contexts

Configuring Virtual Context Syslog Settings

Configuring Syslog Log Hosts

Configuring Syslog Log Messages

Configuring SNMP for Virtual Contexts

Use this procedure to configure SNMP for use with this virtual context.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > SNMP.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > SNMP.

The SNMP configuration screen appears.

Step 2 Configure SNMP using the information in Table 3-6.

Table 3-6 SNMP Attributes 

Field
Description

Contact Info

Enter contact information for the SNMP server as a text string with a maximum of 240 characters including spaces. In addition to a name, you might want to include a phone number or e-mail address. If spaces are included, add quotation marks at the beginning and end of the entry.

Location

Enter the physical location of the system as a text string with a maximum of 240 characters including spaces. If spaces are included, add quotation marks at the beginning and end of the entry.

Trap Source Interface

Select the VLAN that identifies the interface from which SNMP traps originate.

IETF Trap

Select the check box to indicate that the ACE is to send linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus.

Clear the check box to indicate that the ACE is not to send linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings. Instead, the ACE sends Cisco var-binds by default.


Step 3 Finish the procedure:

For virtual contexts, click Deploy Now to save your entries or select another configuration option to exit the procedure without saving your entries.

For configuration building blocks, click OK to save your entries or select another configuration option to exit the procedure without saving your entries.

See Related Topics for additional SNMP configuration options.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring SNMP Version 2c Communities

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification.


Note All SNMP communities in ANM are read-only communities and all communities belong to the group network monitors.


Use this procedure to configure SNMP communities for a virtual context or configuration building block.

Assumption

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > SNMP.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > SNMP.

The SNMP configuration screen appears.

Step 2 Click the SNMP v2c Community String tab. The SNMP v2c Community String table appears.

Step 3 Click Add to add an SNMP v2c community string. The SNMP v2c Community String configuration screen appears.


Note You cannot modify an existing SNMP v2c community string. Instead, delete the existing SNMP v2c community string, then add a new one.


Step 4 In the Community field, enter the SNMP community name. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.

Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entry. This option appears for configuration building blocks.

Cancel to exit this procedure without saving your entry and to return to the SNMP v2c Community String table.

Next to deploy your entry and to configure another SNMP community string. The screen refreshes and you can enter another community string.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring SNMP Version 3 Users

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification.

Use this procedure to configure SNMP version 3 users for a virtual context or configuration building block.

Assumption

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > SNMP.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > SNMP.

The SNMP configuration screen appears.

Step 2 Click the SNMP v3 Configuration tab. The SNMP v3 Configuration table appears.

Step 3 Click Add to add users, or select an existing entry in the SNMP v3 Configuration table, then Edit to modify it. The SNMP v3 Configuration screen appears.

Step 4 Enter SNMP user attributes using the information in Table 3-7.

Table 3-7 SNMP User Configuration Attributes 

Field
Description

User Name

Enter the SNMP username. Valid entries are unquoted text strings with no spaces and a maximum of 24 characters.

Auth Algorithm

Select the authentication algorithm to be used for this user.

N/A—No authentication algorithm is used.

MD5—Message Digest 5 is used as the authentication mechanism.

SHA—Secure Hash Algorithm is used as the authentication mechanism.

Auth Password

Appears if you select an authentication algorithm.

Enter the authentication password for this user. Valid entries are unquoted text strings with no spaces and a maximum of 130 characters. The ACE automatically updates the password for the CLI user with the SNMP authentication password.

Confirm

Appears if you select an authentication algorithm.

Reenter the authentication password.

Localized

Appears if you select an authentication algorithm.

Indicate whether the password is in localized key format for security encryption:

N/A—This option is not configured.

False—The password is not in localized key format for encryption.

True—The password is in localized key format for encryption.

Privacy

Appears if you select an authentication algorithm.

Indicate whether encryption attributes are to be configured for this user:

N/A—This option is not configured.

False—Encryption parameters are not to be configured for this user.

True—Encryption parameters are to be configured for this user.

AES 128

Appears if you set Privacy to True.

Indicate whether the 128-bit Advanced Encryption Standard (AES) algorithm is to be used for privacy. AES is a symmetric cipher algorithm and is one of the privacy protocols for SNMP message encryption.

N/A—This option is not configured.

False—AES 128 is not used for privacy.

True—AES 128 is used for privacy.

Privacy Password

Appears if you set Privacy to True.

Enter the user encryption password. The password must be at least 8 characters long. If the passphrase is specified in clear text, you can enter a maximum of 64 characters; if use of a localized key is enabled, you can enter a maximum of 130 characters. Spaces are not allowed.

Confirm

Appears if you set Privacy to True.

Reenter the privacy password.


Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit this procedure without saving your entries and to return to the SNMP v3 Configuration table.

Next to deploy your entries and to add another entry to the SNMP v3 Configuration table. The screen refreshes and you can enter another SNMP v3 user.
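As an added example (not ANM or ACE code), the following derives an SNMPv3 USM localized key per RFC 3414 from a clear-text authentication or privacy password, which is what the Localized option in Table 3-7 refers to: the key stored on the device is bound to one SNMP engine ID instead of being the password itself. The password and engine ID are the RFC 3414 appendix A.3 test values, not an ACE engine ID (the ACE's engine ID is not given on this page).

```python
"""RFC 3414 password-to-key (appendix A.2) and key localization (section 2.6),
for the MD5 and SHA Auth Algorithm choices of Table 3-7. Added illustration only."""
import hashlib

# RFC 3414 appendix A.3 test values (not an ACE engine ID).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Table 3-7 Auth Algorithm names mapped to hashlib names.
HASH_FOR_ALGO = {"MD5": "md5", "SHA": "sha1"}

ONE_MEGABYTE = 1_048_576   # RFC 3414 A.2: hash exactly 1,048,576 bytes of the repeated password


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Step 1: Ku = H(password repeated cyclically to 1 MiB). Ku is engine-independent."""
    if not password:
        raise ValueError("password must not be empty")
    h = hashlib.new(HASH_FOR_ALGO[algo])
    reps = ONE_MEGABYTE // len(password) + 1
    h.update((password * reps)[:ONE_MEGABYTE])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku). Kul is specific to one engine."""
    if not 5 <= len(engine_id) <= 32:          # SnmpEngineID is 5..32 octets
        raise ValueError("snmpEngineID must be 5 to 32 octets")
    return hashlib.new(HASH_FOR_ALGO[algo], ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Full derivation: clear-text password -> Kul for the given engine."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def aes128_privacy_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Privacy Password with AES 128 set to True: RFC 3826 uses the first 128 bits
    of the localized key as the AES key (the SHA-derived Kul is 20 bytes, so it is cut)."""
    return localized_key(password, engine_id, algo)[:16]


def keys_differ_per_engine(password: bytes, engine_a: bytes, engine_b: bytes, algo: str) -> bool:
    """Same password, two engines: the localized keys differ, so a localized key
    copied out of one device's configuration is useless against another device."""
    return localized_key(password, engine_a, algo) != localized_key(password, engine_b, algo)


if __name__ == "__main__":
    for algo in ("MD5", "SHA"):
        print(algo, "Ku =", password_to_ku(RFC3414_PASSWORD, algo).hex())
        print(algo, "Kul =", localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, algo).hex())
```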


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Trap Destination Hosts

Configuring SNMP Notification

Configuring SNMP Trap Destination Hosts

To receive SNMP notifications you must configure:

At least one SNMP trap destination host. This section describes how to do this.

At least one type of notification. See Configuring SNMP Notification.

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification.

Use this procedure to configure SNMP trap destination hosts for a virtual context.

Assumption

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > SNMP.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > SNMP.

The SNMP configuration screen appears.

Step 2 Click the Trap Destination Host tab. The Trap Destination Host table appears.

Step 3 Click Add to add a host, or select an existing entry in the table, then Edit to modify it. The Trap Destination Host configuration screen appears.

Step 4 In the IP Address field, enter the IP address of the server that is to receive SNMP notifications. Enter the address in dotted-decimal format, such as 192.168.11.1.

Step 5 In the Port field, enter the port to use. The default port is 162.

Step 6 In the Version field, select the version of SNMP used to send traps:

V1—SNMP version 1 is used to send traps. This option is not available for use with SNMP inform requests.

V2c—SNMP version 2c is used to send traps.

V3—SNMP version 3 is used to send traps. This version is the most secure model because it allows packet encryption.

Step 7 In the Community field, enter the SNMP community string or username to be sent with the notification operation. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.

Step 8 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit this procedure without saving your entries and to return to the Trap Destination Host table.

Next to deploy your entries and to add another entry to the Trap Destination Host table. The screen refreshes and you can add another trap destination host.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Notification

Configuring SNMP Notification

After configuring basic SNMP information for a virtual context (see Configuring SNMP for Virtual Contexts), you can configure other SNMP attributes such as SNMP version 2c communities, SNMP version 3 users, trap destination hosts, and SNMP notification.

To receive SNMP notifications you must configure:

At least one SNMP trap destination host. See Configuring SNMP Trap Destination Hosts.

At least one type of notification. This section describes how to do this.

Use this procedure to configure SNMP notification for a virtual context.

Assumptions

You have configured at least one SNMP contact (see Configuring SNMP for Virtual Contexts).

At least one SNMP server host has been configured (see Configuring SNMP Trap Destination Hosts).

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > SNMP.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > SNMP.

The SNMP configuration screen appears.

Step 2 Click the SNMP Notification tab. The SNMP Notification table appears.

Step 3 Click Add to add a new entry, or select an existing entry in the table, then click Edit to modify it. The SNMP Notification configuration screen appears.

Step 4 In the Options field, select the type of notifications to be sent to the SNMP host. Some options are available only in the Admin context.


Note When configuring SNMP notification for ACE appliances, we recommend that you select the more specific options. For example, select Slb real or Slb vserver instead of Slb. This ensures that the correct commands are issued on the ACE appliance.


License—SNMP license notifications are to be sent. This option is available only in the Admin context.

Virtual-context—Notifications are to be sent upon changes to a virtual context. This option is available only in the Admin context.

Slb—Server load-balancing notifications are to be sent.

Slb real—Notifications of real server state changes are to be sent.

Slb vserver—Notifications of virtual server state changes are to be sent.

Snmp—SNMP notifications are to be sent.

Snmp authentication—Notifications of incorrect community strings in SNMP requests are to be sent.

Snmp coldstart—SNMP agent restart notifications are to be sent after a cold restart (full power cycle) of the ACE. This option is available only in the Admin context.

Snmp linkdown—Notifications are to be sent when a VLAN interface is down.

Snmp linkup—Notifications are to be sent when a VLAN interface is up.

Syslog—Error message notifications (Cisco Syslog MIB) are to be sent.

Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit this procedure without saving your selection and to return to the SNMP Notification table.

Next to deploy your entries and to add another entry to the SNMP Notification table. The screen refreshes and you can select another SNMP notification option.


Related Topics

Configuring Virtual Contexts

Configuring SNMP Version 2c Communities

Configuring SNMP Version 3 Users

Configuring SNMP Trap Destination Hosts

Configuring Virtual Context Global Traffic Policies

With the ANM you can apply traffic policies to a specific VLAN interface or to all VLAN interfaces in the same virtual context or configuration building block.

Use this procedure to apply a policy to all VLAN interfaces in the selected context or configuration building block.

To apply a policy to a specific VLAN, see Configuring Traffic Policies, page 11-1.


Note You cannot modify an existing policy. Instead, delete the existing global policy, then create a new one.


Assumption

A Layer 3/Layer 4 or Management policy map has been configured for the selected context or building block. For more information, see Configuring Virtual Context Policy Maps, page 11-30.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > System > Global Policy.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > System > Global Policy.

The Global Policy table appears.

Step 2 Click Add to add a new global policy. The Global Policy configuration screen appears.


Note You cannot modify an existing policy. If you want to change the policy map used globally for a context or building block, first delete the existing global policy and then create a new one.


Step 3 In the Policy Map field, select the policy map that you want to apply to all VLANs in this context.

Step 4 In the Direction field, verify that the policy applies to incoming traffic.

Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit the procedure without saving your entries and to return to the Global Policy table.

Next to deploy your entries and to configure another global policy.


Related Topics

Using Virtual Contexts

Configuring Virtual Context Primary Attributes

Configuring VLAN Interfaces, page 9-2

Configuring Virtual Context Syslog Settings

Configuring Traffic Policies, page 11-1

Managing ACE Licenses


Note This functionality is available for only Admin contexts.


Cisco Systems offers licenses for ACE devices that let you increase the number of default contexts, module bandwidth, and SSL TPS (transactions per second). For more information on these licenses, refer to the Cisco Application Control Engine documentation on cisco.com.

If you install ACE licenses to increase the number of virtual contexts that you can create and manage on a device, you need to ensure that the installed ANM licenses support the increased number of virtual contexts. For example, if you install an upgrade ACE device license that allows you to create and manage 20 virtual contexts on the device, you must purchase and install the appropriate ANM license before you can manage the additional contexts using ANM. For more information about using and managing ANM licenses, see Managing ANM Licenses, page 15-56.

You can view, install, remove, or update ACE licenses using the ANM.

Related Topics

Viewing ACE Licenses

Installing ACE Licenses

Updating ACE Licenses

Adding Licenses into License Management, page 15-58

Viewing ACE Licenses


Note This functionality is available for only Admin contexts.


Use this procedure to view the licenses that are currently installed on an ACE.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the Admin context with the ACE licenses you want to view, then click System > Licenses. The License table appears listing all installed licenses with their filename, vendor, and expiration date.


Related Topics

Managing ACE Licenses

Installing ACE Licenses

Uninstalling ACE Licenses

Updating ACE Licenses

Importing ACE Licenses


Note This functionality is available for Admin contexts only.


Installing ACE licenses involves two steps:

1. Importing the license from the remote server to the ACE.

2. Installing the license on the ACE. See Installing ACE Licenses.

Use this procedure to import new or upgrade ACE licenses from a remote server to the appropriate ACE.

Assumption

The ACE licenses are available on a remote server for importing to the ACE.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the Admin context with the license you want to update, then click System > Licenses. The License table appears listing all installed licenses.

Step 3 Click Install. The Import License File dialog box appears.

Step 4 In the Protocol field, select the protocol to use to copy the license file from the remote server to the ACE.

If you select FTP, continue with Step 5.

If you select TFTP, continue with Step 6.

Step 5 For FTP:

In the User field, enter the username of the account on the network server.

In the Password field, enter the password for the user account. Reenter the password in the Confirm field.

Step 6 In the Source File Name field, enter the host IP address, path, and filename of the license file on the remote server in the format host-ip/path/filename where:

host-ip represents the IP address of the remote server.

path represents the directory path of the license file on the remote server.

filename represents the filename of the license file on the remote server.

For example, your entry might resemble 192.168.11.2/usr/bin/ACE-VIRT-020.lic.


Note The license file will reside on disk:0. This option is not configurable from within ANM.


Step 7 Click:

OK to accept your entries and to import the file from the remote server to the selected ACE. When the file has been imported, the License table appears, and you can continue with installing or upgrading licenses. See Installing ACE Licenses.

Cancel to exit this procedure without importing the file from the remote server and to return to the License table.


Related Topics

Managing ACE Licenses

Installing ACE Licenses

Viewing ACE Licenses

Uninstalling ACE Licenses

Updating ACE Licenses

Installing ACE Licenses


Note This functionality is available for Admin contexts only.


Installing ACE licenses involves two steps:

1. Importing the license from the remote server to the ACE. See Importing ACE Licenses.

2. Installing the license on the ACE.

Use this procedure to install a license on an ACE.

Assumption

You have received the software license key for an ACE and have imported the license file onto that ACE.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the Admin context for the new license, then click System > Licenses. The License table appears listing all installed licenses.

Step 3 Click Install. The Install License dialog box appears.

Step 4 In the File field, specify the name of the license file:

To specify a license that does not appear in the drop-down list, select the first radio button, then enter the name of the license file that you have imported and are now installing, such as ACE-VIRT-020.lic. You should rarely need to specify a license file with this option.

To specify an existing license, select the second radio button, then select the license file from the list of available license files.

Step 5 In the License Name field, enter the name that you would like to use for this license, such as myACE-VIRT-020.lic.

Step 6 Click:

OK to accept your entries and to install the license. When the license is installed, the License table refreshes with the new entry.

Cancel to exit this procedure without installing the license and to return to the License table.


Related Topics

Managing ACE Licenses

Viewing ACE Licenses

Uninstalling ACE Licenses

Updating ACE Licenses

Uninstalling ACE Licenses


Note This functionality is available for Admin contexts only.



Caution Removing licenses can affect ACE bandwidth or performance. For detailed information on the effect of license removal on the ACE, see the Cisco Application Control Engine documentation on cisco.com.

Use this procedure to remove ACE licenses.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the Admin context with the license you want to remove, then click System > Licenses. The License table appears listing all installed licenses.

Step 3 Select the license to be removed.

Step 4 Click Uninstall. A window appears, asking you to confirm the license removal process.


Note Before continuing, confirm that you have selected the correct license to be removed. When you click OK in the confirmation window, you cannot stop the removal process.



Note Removing licenses can affect the number of contexts, ACE bandwidth, or SSL TPS (transactions per second). Be sure you understand the effect on your environment before removing the license.


Step 5 Click OK to confirm the removal or Cancel to stop the removal process.

If you click OK, a status window appears with the status of license removal. When the license has been removed, the License table refreshes without the deleted license.


Related Topics

Managing ACE Licenses

Installing ACE Licenses

Viewing ACE Licenses

Updating ACE Licenses

Updating ACE Licenses


Note This functionality is available for Admin contexts only.


The ANM allows you to convert demonstration licenses to permanent licenses and to upgrade permanent licenses to increase the number of virtual contexts.

Updating ACE licenses involves two steps:

1. Importing the new license from the remote server onto the ACE. See Importing ACE Licenses.

2. Installing the update license on the ACE. See Installing ACE Licenses.

Use this procedure to install ACE update licenses.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the Admin context with the license you want to update, then click System > Licenses. The License table appears listing all installed licenses.

Step 3 Select the license to be updated, then click Update. The Update License window appears.

Step 4 In the License File Name field, enter the name that you gave the license file on the ACE when you installed it, such as myACE-VIRT-020.lic. (See Installing ACE Licenses.)

Step 5 Click:

OK to update the license and to return to the License table. The License table displays the updated information.

Cancel to exit this procedure without updating the license and to return to the License table.


Related Topics

Managing ACE Licenses

Installing ACE Licenses

Viewing ACE Licenses

Uninstalling ACE Licenses

Displaying License Configuration and Statistics


Note This functionality is available for only Admin contexts.


Use this procedure to view information about ACE licenses.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the Admin context with the license information you want to view, then select System > Licenses. The License table appears listing all installed licenses.

Step 3 Select the license with the information you want to view, then click Status. The show license status window appears with the following information for all ACE devices:

SSL transactions per second

Number of supported virtual contexts

ACE bandwidth in gigabits per second

For ACE appliances, it also displays:

Compression performance in megabits or gigabits per second

Web optimization in the number of connections per second


Note If no licenses are installed apart from the basic 5 context license shipped with the ACE device, you can click the Status button to view its details as described here.


Step 4 Click Close when you finish viewing the information.


Related Topics

Managing ACE Licenses

Installing ACE Licenses

Viewing ACE Licenses

Uninstalling ACE Licenses

Using Resource Classes

Resource classes are the means by which you manage virtual context access to ACE resources, such as concurrent connections or bandwidth rate. ACE devices are preconfigured with a default resource class that is applied to the Admin context and any user context upon creation. The default resource class is configured to allow a context to operate within a range that can vary from no resource access (0%) to complete resource access (100%). When you use the default resource class with multiple contexts, you run the risk of oversubscribing ACE resources. This means that the ACE permits all contexts to have full access to all resources on a first-come, first-served basis. When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource.

To avoid oversubscribing resources and to help guarantee access to a resource by any context, you can create customized resource classes that you associate with one or more contexts. A context becomes a member of the resource class when you make the association. Creating a resource class allows you to set limits on the minimum and maximum amounts of each ACE resource that a member context is entitled to use. You define the minimum and maximum values as a percentage of the whole. For example, you can create a resource class that allows its member contexts access to no less than 25% of the total number of SSL connections that the ACE supports.

You can limit and manage the allocation of the following ACE resources:

ACL memory

Buffers for syslog messages and TCP out-of-order (OOO) segments

Concurrent connections (through-the-ACE traffic)

Management connections (to-the-ACE traffic)

Proxy connections

Rate-based limits (number per second) on bandwidth, connections, management traffic, SSL connections, inspected connections, syslog messages, and MAC-miss traffic

Regular expression (regexp) memory

SSL connections

Sticky entries

Static or dynamic network address translations (Xlates)

When you discover ACE devices, the ANM detects the resource class information and imports it with other device information. A virtual context on the ACE that has no resource class explicitly assigned uses the default resource class described above. If an ACE does have a resource class configuration but it differs from one configured in the ANM, the discrepancy is logged as an anomaly but otherwise has no impact on the import process or the ACE.

Table 3-8 identifies and defines the resources that you can establish for resource classes.

Related Topics

Global and Local Resource Classes

Resource Allocation Constraints

Using Global Resource Classes

Viewing Local Resource Class Use on Virtual Contexts

Global and Local Resource Classes

The ANM provides two levels of resource classes for ACE devices that operate independently of each other:

Local or device-specific resource classes

Global resource classes

Local resource classes are initially imported from the ACE during the import process and appear in the ANM interface in the Admin virtual context, where they can be managed, modified, or deleted by an Admin user. An Admin user can also create new local resource classes by using ANM. Select Config > Devices > Admin_context > System > Resource Classes to add, view, or modify local resource classes.

Global resource classes are managed separately from local resource classes and require manual deployment to a specific ACE using the Admin virtual context before they take effect. If you deploy a global resource class to an ACE that does not have a resource class with the same name, the ANM creates a new local resource class with the same name and properties as the global resource class. If you deploy a global resource class to an ACE that already has a resource class with the same name, the ANM replaces the properties of the local resource class with those from the global resource class. Select Config > Global > All Resource Classes to add, view, modify, audit, or delete global resource classes.

Related Topics

Using Resource Classes

Resource Allocation Constraints

Using Global Resource Classes

Using Local Resource Classes

Auditing Resource Classes

Resource Allocation Constraints

The following resources are critical for maintaining connectivity to the Admin context:

rate bandwidth

rate mgmt-traffic

rate ssl-connections

rate connections

mgmt-connections

conc-connections


Caution If you allocate 100% of these resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost.

We recommend that you create a resource class specifically for the Admin context and apply it to the context so that you can maintain IP connectivity.
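The following Python script is an added example and is not part of ANM or the ACE software. It applies the rules in this section and in the oversubscription discussion under Using Resource Classes to a planned assignment of resource classes to contexts: it flags any resource whose guaranteed minimums add up to more than 100%, any critical resource that user contexts would hold entirely, and an Admin context left with no guaranteed minimum while a user context is Unlimited. The resource-class representation, the class names (admin-rc, gold, silver, platinum), and the context names are assumptions made for the example.

```python
"""Sanity-check a planned resource-class assignment before deploying it.

Added example; not part of ANM or the ACE software. A resource class is
modelled as a mapping from resource name to (min %, max %), where max None
stands for the Unlimited setting and the "Default" row supplies values for any
resource not listed, as the page describes. The classes, contexts and resource
names below are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Limits = Tuple[float, Optional[float]]      # (min %, max % or None = Unlimited)
ResourceClass = Dict[str, Limits]

# Resources the page lists as critical for keeping IP connectivity to the Admin context.
ADMIN_CRITICAL = {
    "rate bandwidth", "rate mgmt-traffic", "rate ssl-connections",
    "rate connections", "mgmt-connections", "conc-connections",
}


def limits_for(rc: ResourceClass, resource: str) -> Limits:
    """Per-resource setting, or the Default row when the resource is not listed."""
    return rc.get(resource, rc.get("Default", (0.0, None)))


def check_plan(classes: Dict[str, ResourceClass],
               assignment: Dict[str, str],
               resources: List[str]) -> List[str]:
    """assignment maps context name -> resource class name; the key "Admin"
    is the Admin context. Returns findings; an empty list means the plan is sound."""
    findings: List[str] = []
    for res in resources:
        mins = {ctx: limits_for(classes[rc], res)[0] for ctx, rc in assignment.items()}
        unlimited_users = [ctx for ctx, rc in assignment.items()
                           if ctx != "Admin" and limits_for(classes[rc], res)[1] is None]
        total = sum(mins.values())
        user_total = total - mins.get("Admin", 0.0)
        # Guaranteed minimums are percentages of one ACE; they cannot exceed 100%.
        if total > 100.0:
            findings.append(f"{res}: guaranteed minimums add up to {total:g}%, "
                            f"more than the 100% the ACE can provide")
        if res in ADMIN_CRITICAL:
            if user_total >= 100.0:
                findings.append(f"{res}: user contexts are guaranteed {user_total:g}%; "
                                f"IP connectivity to the Admin context can be lost")
            elif mins.get("Admin", 0.0) == 0.0 and unlimited_users:
                findings.append(f"{res}: the Admin context has no guaranteed minimum while "
                                f"{', '.join(unlimited_users)} are Unlimited, so first-come "
                                f"first-served allocation can starve it")
    return findings


# Constructed sample: a class that reserves capacity for Admin, plus user-context classes.
CLASSES: Dict[str, ResourceClass] = {
    "default":  {"Default": (0.0, None)},                       # the shipped default class
    "admin-rc": {"Default": (0.0, None),
                 **{r: (10.0, 10.0) for r in ADMIN_CRITICAL}},  # 10% of each critical resource
    "gold":     {"Default": (30.0, None)},                      # Min 30, Max Unlimited
    "silver":   {"Default": (30.0, 30.0)},                      # Min 30, Max Equal to Min
    "platinum": {"Default": (40.0, None)},
}
RESOURCES = ["acl-memory", "conc-connections", "rate bandwidth"]
GOOD_PLAN = {"Admin": "admin-rc", "ctx1": "gold", "ctx2": "gold", "ctx3": "silver"}
BAD_PLAN = {"Admin": "default", "ctx1": "platinum", "ctx2": "platinum", "ctx3": "silver"}

if __name__ == "__main__":
    for label, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        print(label)
        for finding in check_plan(CLASSES, plan, RESOURCES) or ["no findings"]:
            print("  " + finding)
```

Run the script directly to print the findings for both sample plans. The good plan produces none because admin-rc reserves 10% of each critical resource for the Admin context and the user-context minimums stay within the remaining 90%; the bad plan oversubscribes every resource and leaves the Admin context on the default class with no guaranteed share.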

Table 3-8 Resource Class Attributes

Resource              Definition
Default               The default percentage is used for any resource parameter not explicitly set.
acc-connections       Percentage of application acceleration connections. Available on ACE appliances only.
acl-memory            Percentage of memory allocated for ACLs.
conc-connections      Percentage of simultaneous connections. Critical for Admin-context connectivity: if you allocate 100% to virtual contexts, IP connectivity to the Admin context can be lost.
http-comp             Percentage of compression for HTTP data. Appears for ACE appliances running software version A3(1.0).
mgmt-connections      Percentage of management connections. Critical for Admin-context connectivity: if you allocate 100% to virtual contexts, IP connectivity to the Admin context can be lost.
proxy-connections     Percentage of proxy connections.
regexp                Percentage of regular expression memory.
sticky                Percentage of entries in the sticky table. You must configure a minimum value for sticky to allocate resources for sticky entries; the sticky software receives no resources under the Unlimited setting.
xlates                Percentage of network and port address translation entries.
buffer syslog         Percentage of the syslog buffer.
rate inspect-conn     Percentage of application protocol inspection connections.
rate bandwidth        Percentage of context throughput. Critical for Admin-context connectivity: if you allocate 100% to virtual contexts, IP connectivity to the Admin context can be lost.
rate connections      Percentage of connections of any kind. Critical for Admin-context connectivity: if you allocate 100% to virtual contexts, IP connectivity to the Admin context can be lost.
rate mgmt-traffic     Percentage of management traffic connections. Critical for Admin-context connectivity: if you allocate 100% to virtual contexts, IP connectivity to the Admin context can be lost.
rate ssl-connections  Percentage of SSL connections. Critical for Admin-context connectivity: if you allocate 100% to virtual contexts, IP connectivity to the Admin context can be lost.
rate syslog           Percentage of syslog messages per second.
rate mac-miss         Percentage of packets destined for the ACE that are sent to the control plane because their encapsulation is not correct.


Related Topics

Using Global Resource Classes

Configuring Global Resource Classes

Configuring Local Resource Classes

Auditing Resource Classes

Deploying Global Resource Classes

Using Global Resource Classes

Resource classes are used when provisioning services, establishing virtual contexts, managing devices, and monitoring virtual context resource consumption.

Defining a new global resource class does not automatically update all configurations. A global resource class is applied only when the resource class is deployed to a specific Admin virtual context on an ACE.

The following options are available for global resource classes:

Configuring Global Resource Classes

Deploying Global Resource Classes

Auditing Resource Classes

Modifying Global Resource Classes

Deleting Global Resource Classes

Configuring Global Resource Classes

Use this procedure to create a new global resource class and optionally to deploy it on an ACE by using the Admin virtual context.


Caution If you allocate 100% of these resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost. For more information, refer to Resource Allocation Constraints.

Procedure


Step 1 Select Config > Global > All Resource Classes. The Resource Classes table appears.

Step 2 Click Add to create a new resource class. The New Resource Class configuration screen appears.

Step 3 In the Name field, enter a unique name for this resource class. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Step 4 In the Description field, enter a brief description for this resource class. Valid entries are unquoted text strings with a maximum of 240 alphanumeric characters.

Step 5 To use the same values for each resource, enter the following information in the Default row: (See Table 3-8 for a description of the resources.)

a. In the Min field, enter the minimum percentage of each resource you want to allocate to this resource class. Valid entries are numbers from 0 to 100; decimal values are allowed.

b. In the Max field, select the maximum percentage of each resource you want to allocate to this resource class:

Equal to Min—The maximum percentage allocated for each resource is equal to the minimum specified in the Min field.

Unlimited—There is no upper limit on the percentage of each resource that can be allocated for this resource class.

Step 6 To use different values for the resources, for each resource, select the method for allocating resources:

Select Default to use the values specified in Step 5.

Select Min to enter a specific minimum value for the resource.

Step 7 If you select Min:

a. In the Min field, enter the minimum percentage of this resource you want to allocate to this resource class. For example, for ACL memory, enter 10 in the Min field to indicate that you want to allocate a minimum of 10% of the available ACL memory to this resource class.

b. In the Max field, select the maximum percentage of the resource you want to allocate to this resource class:

Equal to Min—The maximum percentage allocated for this resource is equal to the minimum specified in the Min field.

Unlimited—There is no upper limit on the percentage of the resource that can be allocated for this resource class.

Step 8 To deploy the resource class to an Admin context:

a. Click Admin VCs To Deploy To to expand the configuration subset.

b. Select the desired Admin context in the Available Items list, then click Add. The items appear in the Selected Items list.

To remove contexts, select them in the Selected Items list, then click Remove. The items appear in the Available Items list.

Step 9 Click:

OK to save your entries and to return to the Resource Classes table.

Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.


Related Topics

Using Resource Classes

Modifying Global Resource Classes

Deleting Global Resource Classes

Auditing Resource Classes

Deploying Global Resource Classes

After you create a global resource class, you can apply it to Admin contexts on selected ACE hardware. If you deploy a global resource class to an ACE that already has a resource class with the same name, the ANM replaces the properties of the local resource class with those from the global resource class. If you deploy a global resource class to an ACE that does not have a resource class with the same name, the ANM creates a new local resource class with the same name and properties as the global resource class.

Use this procedure to apply an existing global resource class to an ACE.

Assumptions

At least one global resource class exists.

At least one ACE has been imported into the ANM.

Procedure


Step 1 Select Config > Global > All Resource Classes. The Resource Classes table appears.

Step 2 Select the global resource class you want to apply to an ACE, then click Edit. The Edit Resource Class configuration screen appears.

Step 3 In the Available Items list, select the Admin context that you want to apply this global resource class to, then click Add. The item appears in the Selected Items list.

To remove contexts, select them in the Selected Items list, then click Remove. The items appear in the Available Items list.

Step 4 Click:

OK to save your entries and to return to the Resource Classes table. The context is updated with the resource class configuration.

Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.


Related Topics

Using Resource Classes

Modifying Global Resource Classes

Using Local Resource Classes

Configuring Local Resource Classes

Auditing Resource Classes

After a global resource class has been applied to an Admin context, you can view any discrepancies that exist between the global resource class and the local resource class on the context. Discrepancies occur when either global or context resource class attributes are modified independently of one another after the global resource class has been applied.

Use this procedure to view discrepancies between global and local resource classes.

Procedure


Step 1 Select Config > Global > All Resource Classes. The Resource Classes table appears.

Step 2 Select the resource class you want to audit, then click Audit.

ANM identifies the differences between the selected resource class and the Admin contexts being managed by ANM and displays the results in the Audit Differences table in a separate window. The table uses the following conventions:

If the selected resource class has not been applied to an Admin context, the Admin context is listed with the comment "Resource class not defined."

If the selected resource class has been applied to an Admin context, but there are no differences between the global and local resource classes, the context does not appear in the table.

If the selected resource class has been applied to an Admin context and there are differences between the global and local resource classes, the context appears in the table with the following information:

The resource attribute that has different values in the global and local resource classes.

The settings for the resource attribute in the local resource class.

The settings for the resource attribute in the global resource class.

The values displayed use the format min - max where min represents the minimum percentage configured for this attribute and max represents the maximum percentage configured for this attribute, such as 8% - 8% or 5% - 100%.

Step 3 Click:

Close to close this window and return to the Resource Classes table.

Refresh to update the information in the Audit Differences table.
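The following Python function is an added example, not ANM code. It reproduces the conventions of the Audit Differences table for one global resource class across several managed Admin contexts: a context without the class gets a "Resource class not defined" row, a context whose local copy matches is omitted, and each differing attribute is listed with its local and global values in the min% - max% format. The way a resource class is represented, the class name gold, the context names ace-1/Admin through ace-3/Admin, and the choice to compare attributes after applying each class's Default row are assumptions made for the example.

```python
"""Build the Audit Differences table described above for one global resource class.

Added example; not ANM code. A resource class is a mapping of resource name to
(min %, max %), with max None meaning Unlimited (shown as 100%, matching the
"5% - 100%" format the page gives); a resource not listed falls back to the
"Default" row. The global class, the local classes on each Admin context and
the attribute list are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Limits = Tuple[float, Optional[float]]
ResourceClass = Dict[str, Limits]
Row = Tuple[str, str, str, str]   # (Admin context, attribute, local value, global value)


def limits_for(rc: ResourceClass, attr: str) -> Limits:
    return rc.get(attr, rc.get("Default", (0.0, None)))


def fmt(limits: Limits) -> str:
    """Render as 'min% - max%', e.g. '8% - 8%' or '5% - 100%' for Unlimited."""
    lo, hi = limits
    hi_val = 100.0 if hi is None else hi
    return f"{lo:g}% - {hi_val:g}%"


def audit(name: str, global_rc: ResourceClass,
          admin_contexts: Dict[str, Dict[str, ResourceClass]],
          attributes: List[str]) -> List[Row]:
    """admin_contexts maps each managed Admin context to its local classes by name.
    A context without the class gets one 'Resource class not defined' row; a context
    whose local copy matches the global class on every attribute is omitted."""
    rows: List[Row] = []
    for ctx, local_classes in admin_contexts.items():
        local_rc = local_classes.get(name)
        if local_rc is None:
            rows.append((ctx, "Resource class not defined", "", ""))
            continue
        for attr in attributes:
            local, glob = limits_for(local_rc, attr), limits_for(global_rc, attr)
            if local != glob:
                rows.append((ctx, attr, fmt(local), fmt(glob)))
    return rows


# Constructed sample: "gold" deployed to two ACEs, one of which drifted locally.
GLOBAL_RC: ResourceClass = {"Default": (5.0, None), "sticky": (8.0, 8.0), "acl-memory": (10.0, None)}
ADMIN_CONTEXTS: Dict[str, Dict[str, ResourceClass]] = {
    "ace-1/Admin": {"gold": dict(GLOBAL_RC)},                              # identical copy
    "ace-2/Admin": {"gold": {**GLOBAL_RC, "acl-memory": (10.0, 10.0)}},   # max changed locally
    "ace-3/Admin": {"bronze": {"Default": (2.0, None)}},                    # gold never deployed
}
ATTRIBUTES = ["acl-memory", "sticky", "conc-connections"]

if __name__ == "__main__":
    for row in audit("gold", GLOBAL_RC, ADMIN_CONTEXTS, ATTRIBUTES):
        print(row)
```

Running the script prints one row for ace-2/Admin, where acl-memory was changed locally from Unlimited to Equal to Min, and one "Resource class not defined" row for ace-3/Admin; ace-1/Admin does not appear because its local copy still matches the global class.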


Related Topics

Using Global Resource Classes

Using Local Resource Classes

Configuring Global Resource Classes

Configuring Local Resource Classes

Modifying Global Resource Classes

When you modify a global resource class, the changes are not applied to virtual contexts previously associated with the resource class. The ANM only applies updated resource class properties to virtual contexts that are associated with the resource class going forward.


Caution If you allocate 100% of these resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost. For more information, refer to Resource Allocation Constraints.

Use this procedure to modify an existing global resource class.

Procedure


Step 1 Select Config > Global > All Resource Classes. The Resource Classes table appears.

Step 2 Select the resource class you want to modify, then click Edit. The Edit Resource Class configuration screen appears.

Step 3 Modify the values as desired. For details on setting values, see Configuring Global Resource Classes. For descriptions of the resources, see Table 3-8.

Step 4 To deploy the modified resource class to an Admin context:

a. Click Admin VCs To Deploy To to expand the configuration subset.

b. Select the desired context in the Available Items list, then click Add. The item appears in the Selected Items list.


Note The ANM only applies the updated resource class to contexts that you select and add to the Selected Items list. It does not apply the modified resource class to contexts previously associated with the resource class.


Step 5 Click:

OK to save your entries, apply them to the selected contexts, and return to the Resource Classes table.

Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.


Related Topics

Using Resource Classes

Using Global Resource Classes

Modifying Global Resource Classes

Auditing Resource Classes

Deleting Global Resource Classes

Deleting Global Resource Classes

Use this procedure to remove global resource classes from the ANM database. Because global resource classes are managed separately from local resource classes, deleting a global resource class does not affect local resource classes deployed on individual contexts.

Procedure


Step 1 Select Config > Global > All Resource Classes. The Resource Classes table appears.

Step 2 Select the resource class you want to remove, then click Delete. A window appears, asking you to confirm the deletion.

Step 3 Click OK to delete the resource class or Cancel to retain the resource class.

The Resource Classes table refreshes with the updated information.


Related Topics

Using Resource Classes

Using Global Resource Classes

Modifying Global Resource Classes

Auditing Resource Classes

Using Local Resource Classes

Local resource classes can be created in ANM in three ways:

During the import process, from any ACE with a previously configured resource class. These resource classes appear in the ANM in the Admin virtual context associated with the imported ACE.

By an Admin user in ANM using the local Resource Class configuration option (Config > Devices > Admin_context > System > Resource Classes).

By creating a global resource class (Config > Global > All Resource Classes) and applying it to an Admin context.


Note Local resource class configuration options are available in Admin contexts only.


The following options are available for local resource classes:

Configuring Local Resource Classes

Deleting Local Resource Classes

Viewing Local Resource Class Use on Virtual Contexts

Configuring Local Resource Classes


Note This functionality is available in Admin contexts only.


Use this procedure to create or modify a local resource class for use within the selected Admin virtual context.

Procedure


Step 1 Select Config > Devices > Admin_context > System > Resource Classes. The Resource Classes table appears.

Step 2 Click Add to create a new local resource class or select an existing resource class, then click Edit to modify it. The Resource Class configuration screen appears.

Step 3 In the Name field, enter a unique name for this resource class. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Step 4 In the Description field, enter a brief description for this resource class. Valid entries are unquoted text strings with a maximum of 240 alphanumeric characters.

Step 5 To use the same values for each resource, enter the following information in the Default row: (See Table 3-8 for a description of the resources.)

a. In the Min field, enter the minimum percentage of each resource you want to allocate to this resource class. Valid entries are numbers from 0 to 100; decimal values are allowed.

b. In the Max field, select the maximum percentage of each resource you want to allocate to this resource class:

Equal to Min—The maximum percentage allocated for each resource is equal to the minimum specified in the Min field.

Unlimited—There is no upper limit on the percentage of each resource that can be allocated for this resource class.

Step 6 To use different values for the resources, for each resource, select the method for allocating resources:

Select Default to use the values specified in Step 5.

Select Min to enter a specific minimum value for the resource.

Step 7 If you select Min:

a. In the Min field, enter the minimum percentage of this resource you want to allocate to this resource class. For example, for ACL memory, enter 10 in the Min field to indicate that you want to allocate a minimum of 10% of the available ACL memory to this resource class.

b. In the Max field, select the maximum percentage of the resource you want to allocate to this resource class:

Equal to Min—The maximum percentage allocated for this resource is equal to the minimum specified in the Min field.

Unlimited—There is no upper limit on the percentage of the resource that can be allocated for this resource class.

Step 8 When you finish allocating resources for this resource class, click:

OK to save your entries and to return to the Resource Classes table. The resource class can now be applied to other virtual contexts on the same ACE.

Cancel to exit this procedure without saving your entries and to return to the Resource Classes table.


Related Topics

Using Resource Classes

Using Local Resource Classes

Viewing Local Resource Class Use on Virtual Contexts

Deleting Local Resource Classes

Deleting Local Resource Classes

Because of the possible impact on virtual contexts of deleting a local resource class, you cannot delete a resource class that is associated with a virtual context. To view a resource class's current deployment, see Viewing Local Resource Class Use on Virtual Contexts.

Use this procedure to delete a local resource class.

Procedure


Step 1 Select Config > Devices > Admin_context > System > Resource Classes. The Resource Classes table lists all local resource classes and the number of virtual contexts using each resource class.

Step 2 Confirm that the resource class you want to delete is not deployed on any virtual contexts. You cannot delete a resource class that is deployed on a context.

To identify the contexts using a specific resource class, see Viewing Local Resource Class Use on Virtual Contexts.

Step 3 Select the resource class you want to remove, then click Delete. A window appears, asking you to confirm the deletion.

Step 4 Click OK to delete the resource class or Cancel to retain the resource class.

The Resource Classes table refreshes with the updated information.


Related Topics

Using Resource Classes

Configuring Local Resource Classes

Viewing Local Resource Class Use on Virtual Contexts

Viewing Local Resource Class Use on Virtual Contexts

Use this procedure to view local resource class usage on all virtual contexts on an ACE.

Procedure


Step 1 Select Config > Devices.

Step 2 In the device tree, select the ACE with the resource class usage that you want to view. The Virtual Contexts table appears, listing all contexts on the selected ACE and the resource class in use for each context.

Step 3 Click the Resource Class column heading to sort the table by resource class.


Related Topics

Using Resource Classes

Configuring Local Resource Classes

Deleting Local Resource Classes

Configuring Security with ACLs

An ACL (access control list) consists of a series of statements called ACL entries that collectively define the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the parts of your network specified in the entry. Besides an action element ("permit" or "deny"), each entry also contains a filter element based on criteria such as source address, destination address, protocol, or protocol-specific parameters. An implicit "deny all" entry exists at the end of every ACL, so you must configure an ACL on every interface where you want to permit connections. Otherwise, the ACE denies all traffic on the interface.

ACLs provide basic security for your network by allowing you to control network connection setups rather than processing each packet. Such ACLs are commonly referred to as security ACLs.

You can configure ACLs as parts of other features; for example, security, network address translation (NAT), or server load balancing (SLB). The ACE merges these individual ACLs into one large ACL called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can result in multiple actions. You can add, modify, or delete entries in an ACL already in the summary table, or add a new ACL to the list.

For example, you might use an ACL to permit all e-mail traffic on a link but block FTP traffic, or to allow one client to reach a part of the network while preventing another client from reaching that same area.

When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface. Applying an ACL on an interface assigns the ACL and its entries to that interface.

You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces. You can apply EtherType ACLs in only the inbound direction and on only Layer 2 interfaces.


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


For specific procedures, see:

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Creating ACLs


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


Use this procedure to create, modify, or delete ACLs.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > ACLs.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > ACLs.

Step 2 The ACL summary table appears, listing the existing ACLs. ACL summary fields are described in Table 3-9.

Table 3-9 ACL Summary Table 

Field
Description

Name

Enter a unique identifier for the ACL. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.

Type

Specifies the type of ACL:

Extended—allows you to specify both the source and the destination IP addresses of traffic as well as the protocol and the action to be taken. For more information see "Setting Extended ACL Attributes".

EtherType—controls network access for non-IP traffic based on its EtherType, a sub-protocol identifier. For more information see "Setting EtherType ACL Attributes".

#

ACL line number for extended type ACL entries.

Action

Action to be taken (permit/deny).

Protocol

Protocol number or service object group to apply to this ACL entry.

Source

Source IP address and netmask (with port number, if configured, for extended ACLs), or the source network object group if one is configured, applied to this ACL entry.

Destination

Destination IP address and netmask (with port number, if configured, for extended ACLs), or the destination network object group if one is configured, applied to this ACL entry.

ICMP

Indicates whether or not this ACL uses ICMP (Internet Control Message Protocol). For more information, see "Protocol Names and Numbers".

Interface(s)

VLAN interface(s) associated with this ACL, for example <4,5:4>, where < denotes the input direction and > denotes the output direction.

Remark

Enter any comments you want to include for this ACL. Valid entries are unquoted text strings with a maximum of 100 characters. You can enter leading spaces at the beginning of the text or special characters. Trailing spaces are ignored.


Step 3 From the summary table, perform one of the following:

To view full details of an ACL inline, click the plus sign to the left of any table entry.

To create an ACL click the Add icon.

To modify an ACL, select the radio button to the left of any table entry, then click the Edit icon.

To delete an ACL, select the radio button to the left of any table entry, then click the Trash icon.

If you choose to create or modify an ACL, the New Access List screen appears.

Step 4 Add or edit required fields as described in Table 3-10.

Table 3-10 ACL Configuration Attributes 

Field
Description

ACL Properties

Includes the name, type (Extended or EtherType), and remarks. For more information see "ACL Summary Table".

ACL Entries

Entry Attributes

Includes the line number, the action, and the protocol or service object group drop-down menu.

Source

Source IP address and netmask (with port number, if configured, for extended ACLs), or the source network object group if one is configured, applied to this ACL entry.

Destination

Destination IP address and netmask (with port number, if configured, for extended ACLs), or the destination network object group if one is configured, applied to this ACL entry.

Add to Table button

New in ANM 2.0. Adds the entry you have filled in to the entries table; repeat for each entry, then click Deploy once. Earlier versions accepted only one entry at a time, in a two-step process that moved between two different locations in the UI.

Remove from Table button

Removes the selected entry from the entries table; repeat for each entry you want to remove, then click Deploy.

Interfaces (Input/Output Direction; Currently Assigned (ACL:Direction))

Associates the ACL with one or more VLAN interfaces. Each interface accepts only one input ACL and one output ACL. The check box selects all interfaces and applies the ACL in the input direction (access-group input) on each of them.

Deploy button

Allows deployment of newly created ACL entries along with VLAN interface assignments that were configured.

Cancel button

Exits without saving your entries.


Step 5 To add, modify, or delete Object Groups go to "Configuring Object Groups" section.


Related Topics

Configuring Security with ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Setting Extended ACL Attributes


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


An extended ACL allows you to specify both the source and the destination IP addresses of traffic as well as the protocol and the action to be taken.

For TCP, UDP, and ICMP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.


Note The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do not specify the ports in an extended ACL.
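The following Python script is an added example, not ANM or ACE code. It models how the ACE evaluates an extended ACL as described above: entries are tried in line-number order, the first match decides, TCP/UDP port tests use the Eq, Gt, Lt, Neq and Range operators of the port operator fields, an entry with destination Any and no ports behaves like a standard ACL, and traffic that matches no entry hits the implicit deny at the end. The Entry and packet structures, the sample entries, and the addresses are assumptions made for the example; the resequence function shows that renumbering entries does not change which entry matches.

```python
"""Evaluate extended ACL entries as the page describes: entries are checked in
line-number order, the first match decides, and an implicit "deny all" sits at
the end of every ACL.

Added example; not ANM or ACE code. The Entry and packet representations and the
sample ACL and packets are constructed for illustration. Addresses use the
IP-plus-netmask form of the Source/Destination fields; None means Any.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Optional[Tuple[str, str]]           # (IP address, netmask); None = Any Source/Destination
PortRule = Optional[Tuple[str, int, int]]  # (operator, port, upper bound for "range"); None = no port test


@dataclass
class Entry:
    line: int          # Line No.: position in the lookup order
    action: str        # "permit" or "deny"
    protocol: str      # "ip" (any IP protocol), "tcp", "udp" or "icmp"
    src: Addr = None
    dst: Addr = None
    src_port: PortRule = None
    dst_port: PortRule = None


def addr_matches(spec: Addr, ip: str) -> bool:
    if spec is None:
        return True
    net = ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False)
    return ipaddress.ip_address(ip) in net


def port_matches(rule: PortRule, port: int) -> bool:
    """The Eq/Gt/Lt/Neq/Range operators of the Source/Destination Port Operator field."""
    if rule is None:
        return True
    op, n, upper = rule
    if op == "eq":
        return port == n
    if op == "gt":
        return port > n
    if op == "lt":
        return port < n
    if op == "neq":
        return port != n
    if op == "range":
        return n <= port <= upper
    raise ValueError(f"unknown port operator {op!r}")


def evaluate(acl: List[Entry], pkt: Dict) -> Tuple[str, Optional[int]]:
    """Return (action, line) of the first matching entry in line order, or
    ("deny", None) when only the implicit deny-all at the end of the ACL matches."""
    for e in sorted(acl, key=lambda x: x.line):
        if e.protocol != "ip" and e.protocol != pkt["proto"]:
            continue
        if not (addr_matches(e.src, pkt["src"]) and addr_matches(e.dst, pkt["dst"])):
            continue
        if e.protocol in ("tcp", "udp") and not (
                port_matches(e.src_port, pkt["sport"]) and port_matches(e.dst_port, pkt["dport"])):
            continue
        return e.action, e.line
    return "deny", None


def resequence(acl: List[Entry], start: int = 10, step: int = 10) -> List[Entry]:
    """Renumber entries without changing their lookup order."""
    ordered = sorted(acl, key=lambda x: x.line)
    return [Entry(start + i * step, e.action, e.protocol, e.src, e.dst, e.src_port, e.dst_port)
            for i, e in enumerate(ordered)]


# Constructed sample ACL. Line 100 has destination Any and no ports, which is how the page
# says to express a standard ACL on the ACE.
SAMPLE_ACL = [
    Entry(5, "deny", "tcp", src=("192.168.5.0", "255.255.255.0")),
    Entry(7, "permit", "tcp", dst=("10.1.1.0", "255.255.255.0"), dst_port=("eq", 443, 0)),
    Entry(100, "permit", "ip", src=("10.2.0.0", "255.255.0.0")),
]
SAMPLE_PACKETS = {
    "https-to-farm": {"proto": "tcp", "src": "172.16.0.5", "dst": "10.1.1.10", "sport": 40001, "dport": 443},
    "blocked-source": {"proto": "tcp", "src": "192.168.5.7", "dst": "10.1.1.10", "sport": 40002, "dport": 443},
    "dns-udp": {"proto": "udp", "src": "172.16.0.5", "dst": "10.1.1.10", "sport": 40003, "dport": 53},
    "icmp-from-dmz": {"proto": "icmp", "src": "10.2.3.4", "dst": "198.51.100.1"},
    "http-to-farm": {"proto": "tcp", "src": "172.16.0.5", "dst": "10.1.1.10", "sport": 40004, "dport": 80},
}


def decisions(acl: List[Entry] = SAMPLE_ACL) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, line) in decisions().items():
        print(f"{name:15} {action:6} line {line if line is not None else 'implicit deny'}")
    print([e.line for e in resequence(SAMPLE_ACL)])
```

The blocked-source packet is denied by line 5 even though line 7 would permit it, which is why the order of entries matters; the UDP and HTTP packets match no entry and fall through to the implicit deny, so they reach nothing until an entry permitting them is added.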


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > ACLs.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > ACLs.

The ACLs table appears, listing the existing ACLs.

Step 2 Click Add. The New Access List configuration screen appears.

Step 3 Click Add to Table to add an entry to the table, or select an existing entry and click Edit to modify it.

Step 4 Configure extended ACL entries using the information in Table 3-11.

Table 3-11 Extended ACL Configuration Options 

Field
Description

Line No.

Enter a number that specifies the position of this entry in the ACL. The position of an entry affects the lookup order of the entries in an ACL. To change the sequence of existing extended ACLs, see Resequencing Extended ACLs.

Action

Action to be taken (permit/deny).

Service Object Group

This option is not applicable to ACE modules running 3.0(0)A1(x) or ACE 4710 appliances running image A1(x).

Select a service object group to apply to this ACL.

Protocol

Select the protocol or protocol number to apply to this ACL entry. Table 3-12 lists common protocol names and numbers.

Source Network Object Group

This option is not applicable to ACE modules running 3.0(0)A1(x) or ACE 4710 appliances running image A1(x).

Select a source network object group to apply to this ACL.

Any Source

Select the Any Source radio button to indicate that network traffic from any source is allowed.

Source IP Address

Enter the source IP address that is allowed for this ACL. Use the value in the Source Netmask field to allow a range of IP addresses.

Source Netmask

Use this field to limit access to a specific source IP address or a range of source IP addresses:

For a single source IP address, enter a specific IP address in the Source IP Address field and select its subnet mask in the Source Netmask field.

For a range of source IP addresses, select the appropriate subnet mask in the Source Netmask field.

Source Port Operator

This field appears if you select TCP or UDP in the Protocol field.

Select the operand to use to compare source port numbers:

Eq—The source port must be the same as the number in the Source Port Number field.

Gt—The source port must be greater than the number in the Source Port Number field.

Lt—The source port must be less than the number in the Source Port Number field.

Neq—The source port must not equal the number in the Source Port Number field.

Range—The source port must be within the range of ports specified by the Lower Source Port Number field and the Upper Source Port Number field.

Source Port Number

This field appears if you select Eq, Gt, Lt, or Neq in the Source Port Operator field.

Enter the port name or number from which you want to permit or deny access. For a list of ports and keywords, see ANM Ports Reference, page A-1.

Lower Source Port Number

This field appears if you select Range in the Source Port Operator field.

Enter the number of the lowest port from which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Source Port Number field.

Upper Source Port Number

This field appears if you select Range in the Source Port Operator field.

Enter the port number of the upper port from which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Source Port Number field.

Destination Network Object Group

This option is not applicable to ACE modules running 3.0(0)A1(x) and ACE 4710 appliances running image A1(x).

Select a destination network object group to apply to this ACL.

Any Destination

Select the Any Destination radio button to indicate that network traffic toward any destination is allowed.

Destination IP Address

Enter the destination IP address that is allowed for this ACL. Use the value in the Destination Netmask field to allow a range of IP addresses.

Destination Netmask

Use this field to limit access to a specific destination IP address or a range of destination IP addresses:

For a single destination IP address, enter the IP address in the Destination IP Address field and select its subnet mask in the Destination Netmask field.

For a range of destination IP addresses, select the appropriate subnet mask in the Destination Netmask field.

Destination Port Operator

This field appears if you select TCP or UDP in the Protocol field.

Select the operand to use to compare destination port numbers:

Eq—The destination port must be the same as the number in the Destination Port Number field.

Gt—The destination port must be greater than the number in the Destination Port Number field.

Lt—The destination port must be less than the number in the Destination Port Number field.

Neq—The destination port must not equal the number in the Destination Port Number field.

Range—The destination port must be within the range of ports specified by the Lower Destination Port Number field and the Upper Destination Port Number field.

Destination Port Number

This field appears if you select Eq, Gt, Lt, or Neq in the Destination Port Operator field.

Enter the port name or number to which you want to permit or deny access. For a list of ports and keywords, see ANM Ports Reference, page A-1.

Lower Destination Port Number

This field appears if you select Range in the Destination Port Operator field.

Enter the number of the lowest port to which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port Number field.

Upper Destination Port Number

This field appears if you select Range in the Destination Port Operator field.

Enter the port number of the upper port to which you want to permit or deny access. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Destination Port Number field.


Table 3-12 Protocol Names and Numbers

Protocol Name (1)   Protocol Number   Description
AH                  51                Authentication Header
EIGRP               88                Enhanced IGRP
ESP                 50                Encapsulated Security Payload
GRE                 47                Generic Routing Encapsulation
ICMP                1                 Internet Control Message Protocol
IGMP                2                 Internet Group Management Protocol
IP                  0                 Internet Protocol
IP-in-IP            4                 IP-in-IP Layer 3 Tunneling Protocol
OSPF                89                Open Shortest Path First
PIM                 103               Protocol Independent Multicast
TCP                 6                 Transmission Control Protocol
UDP                 17                User Datagram Protocol

1 For a complete list of all protocols and their numbers, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/.


Step 5 In the Extended configuration pane, click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit without saving your entries and to return to the Extended table.

Next to deploy your entries and to add another entry to the Extended table.

Step 6 Associate any VLAN interface to this ACL if required and click:

Deploy to immediately deploy this configuration.

Cancel to exit without saving your entries and to return to the ACL Summary table.


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting EtherType ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Resequencing Extended ACLs

Use this procedure to change the sequence of entries in an Extended ACL. EtherType ACL entries cannot be resequenced.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > ACLs.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > ACLs.

The ACLs table appears, listing the existing ACLs.

Step 2 Select the Extended ACL you want to renumber, then click the Resequence icon appearing to the left of the filter field. The ACL Line Number Resequence window appears.

Step 3 In the Start field, enter the number that is to be assigned to the first entry in the ACL. Valid entries are 1-2147483647.

Step 4 In the Increment field, enter the number that is to be added to the line number of each entry in the ACL after the first entry. Valid entries are integers from 1 to 2147483647.

Step 5 Click:

Resequence to save your entries and to return to the ACLs table.

Cancel to exit this procedure without saving your entries and to return to the ACLs table.
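The lookup semantics behind the Table 3-11 fields (line-number ordering, netmasks, the port operators, the ACE default deny when nothing matches) and the Start/Increment renumbering of this procedure, as an added Python model that is not ANM or ACE code. It assumes that an entry whose Protocol is IP matches every protocol and that "any" stands for 0.0.0.0/0; the sample ACL, its name and its addresses are constructed.

```python
"""Extended ACL matching model for the Table 3-11 fields (added example, not ANM or ACE code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple, Union

# Subset of the Table 3-12 protocol names and numbers.
PROTOCOL_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

# A Port Number, a (Lower, Upper) pair for Range, or None when no operator is set.
PortSpec = Union[int, Tuple[int, int], None]


def network(ip: str, netmask: str = "255.255.255.255") -> IPv4Network:
    """Combine an IP Address field with its Netmask field; "any" stands for 0.0.0.0/0 (assumption)."""
    if ip == "any":
        return IPv4Network("0.0.0.0/0")
    return IPv4Network(f"{ip}/{netmask}", strict=False)


def port_matches(op: Optional[str], spec: PortSpec, port: Optional[int]) -> bool:
    """Apply a Port Operator (Eq, Gt, Lt, Neq, Range) to the port number seen in traffic."""
    if op is None:
        return True                       # no port constraint configured for this entry
    if port is None:
        return False                      # constraint configured but traffic carries no port
    if op == "range":
        lower, upper = spec
        # Table 3-11: both ends are 0 to 65535 and Lower must be less than Upper.
        if not 0 <= lower < upper <= 65535:
            raise ValueError(f"invalid port range {lower}-{upper}")
        return lower <= port <= upper
    if op == "eq":
        return port == spec
    if op == "gt":
        return port > spec
    if op == "lt":
        return port < spec
    if op == "neq":
        return port != spec
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class ExtendedEntry:
    line_no: int                      # Line No.: decides lookup order
    action: str                       # "permit" or "deny"
    protocol: str                     # Table 3-12 name; "ip" matches every protocol (assumption)
    source: IPv4Network
    destination: IPv4Network
    src_op: Optional[str] = None
    src_port: PortSpec = None
    dst_op: Optional[str] = None
    dst_port: PortSpec = None

    def matches(self, proto: str, src: str, dst: str,
                sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
        if self.protocol != "ip" and PROTOCOL_NUMBERS[self.protocol] != PROTOCOL_NUMBERS[proto]:
            return False
        if IPv4Address(src) not in self.source or IPv4Address(dst) not in self.destination:
            return False
        if self.protocol not in ("tcp", "udp"):
            return True                   # port operators only appear for TCP and UDP entries
        return (port_matches(self.src_op, self.src_port, sport)
                and port_matches(self.dst_op, self.dst_port, dport))


class ExtendedACL:
    def __init__(self, name: str, entries: List[ExtendedEntry]):
        self.name = name
        # Lookup order follows Line No., not the order in which entries were added.
        self.entries = sorted(entries, key=lambda e: e.line_no)

    def evaluate(self, proto: str, src: str, dst: str, sport: Optional[int] = None,
                 dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """First matching entry decides; with no match the ACE denies the traffic by default."""
        for entry in self.entries:
            if entry.matches(proto, src, dst, sport, dport):
                return entry.action, entry.line_no
        return "deny", None

    def resequence(self, start: int, increment: int) -> List[int]:
        """Renumber like the ACL Line Number Resequence window: Start, Start + Increment, and so on."""
        if not (1 <= start <= 2147483647 and 1 <= increment <= 2147483647):
            raise ValueError("Start and Increment must be 1-2147483647")
        for index, entry in enumerate(self.entries):
            entry.line_no = start + index * increment
        return [entry.line_no for entry in self.entries]


# Constructed sample ACL; addresses are documentation ranges, not values from the guide.
WEB_ACL = ExtendedACL("WEB-IN", [
    ExtendedEntry(30, "permit", "ip", network("10.1.0.0", "255.255.0.0"), network("any")),
    ExtendedEntry(10, "permit", "tcp", network("10.1.0.0", "255.255.0.0"),
                  network("192.0.2.10"), dst_op="eq", dst_port=443),
    ExtendedEntry(20, "deny", "tcp", network("any"), network("192.0.2.10"),
                  dst_op="range", dst_port=(1, 1023)),
])
```

Calling WEB_ACL.evaluate("tcp", "172.16.0.5", "198.51.100.7", 51000, 8080) returns ("deny", None): no entry matched, so the implicit deny applied.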


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Editing or Deleting ACLs

Setting EtherType ACL Attributes


Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied.


You can configure an ACL that controls traffic based on its EtherType. An EtherType is a sub-protocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field as opposed to a type field. The only exception is bridge protocol data units (BPDUs), which are SNAP-encapsulated, and the ACE is designed to specifically handle BPDUs.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > ACLs.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > ACLs.

The ACLs table appears, listing the existing ACLs.

Step 2 Click Add. The New Access List configuration screen appears.

Step 3 Enter the ACL name in the ACL Properties pane and choose Ethertype.

Step 4 Select one of the following radio buttons:

Permit to indicate that the ACE is to allow connections.

Deny to indicate that the ACE is to block connections.

Step 5 Select one of the following from the Protocol field pulldown menu for this ACL:

Any—Specifies any EtherType.

BPDU—Specifies Bridge Protocol Data Units. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops. For information about configuring redundancy, refer to Understanding ACE Redundancy, page 10-20.

IPv6—Specifies Internet Protocol version 6.

MPLS—Specifies Multi-Protocol Label Switching. The MPLS selection applies to both MPLS unicast and MPLS multicast traffic. If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.

Step 6 Click Add to Table and add one or more ACL entries if required, repeating Step 4 and Step 5 as needed.

Step 7 Associate any VLAN interface to this ACL if required and click:

Deploy to immediately deploy this configuration. This option appears for virtual contexts.

Cancel to exit without saving your entries and to return to the ACL Summary table.


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting Extended ACL Attributes

Resequencing Extended ACLs

Editing or Deleting ACLs

Configuring Object Groups


Note Object groups are available only for ACE 2.0 modules, ACE 2.0 configuration building blocks, and the ACE 4710 A3(1.0) release.


An object group is a logical grouping of objects such as hosts (servers and clients), services, and networks. When you create an object group, you select a type, such as network or service, and then specify the objects that belong to the group. In all, there are four types of object groups: network, protocol, service, and ICMP-type.

After you configure an object group, you can include it in ACLs, thereby including all objects within that group and reducing overall configuration size.

Use this procedure to configure object groups that you can associate with ACLs.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > Object Groups.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > Object Groups.


Note Object groups are available for only ACE 2.0 modules and ACE 2.0 configuration building blocks.


The Object Groups table appears, listing existing object groups.

Step 2 Click Add to create a new object group, or select an existing object group, then click Edit to modify it. The Object Groups configuration screen appears.

Step 3 In the Name field, enter a unique name for this object group. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

Step 4 In the Description field, enter a brief description for the object group.

Step 5 In the Type field, select the type of object group you are creating:

Network—The object group is based on a group of hosts or subnet IP addresses.

Service—The object group is based on TCP or UDP protocols and ports, or ICMP types, such as echo or echo-reply.

Step 6 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit without saving your entries and to return to the Object Groups table.

Next to deploy your entries and to add another entry to the Object Groups table.

If you click Deploy Now or OK, the screen refreshes with tables of additional configuration options.

Step 7 Configure objects for the object group.

For network-type object groups, options include:

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

For service-type object groups, options include:

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting Extended ACL Attributes

Resequencing Extended ACLs

Configuring IP Addresses for Object Groups


Note Object groups are available for only ACE 2.0 modules and ACE 2.0 configuration building blocks.


Use this procedure to specify host IP addresses for network-type object groups.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > Object Groups.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > Object Groups.

The Object Groups table appears, listing the existing object groups.

Step 2 Select the object group you want to configure host IP addresses for, then select the Host Setting for Object Group tab. The Host Setting for Object Group table appears.

Step 3 Click Add to add an entry to this table.

Step 4 In the Host IP Address field, enter the IP address of a host to include in this group.

Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the Host Setting table.


Related Topics

Configuring Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring Subnet Objects for Object Groups


Note Object groups are available for only ACE 2.0 modules and ACE 2.0 configuration building blocks.


Use this procedure to specify subnet objects for a network-type object group.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > Object Groups.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > Object Groups.

The Object Groups table appears, listing the existing object groups.

Step 2 Select the object group you want to configure subnet objects for, then select the Network Setting for Object Group tab. The Network Setting for Object Group table appears.

Step 3 Click Add to add an entry to this table.

Step 4 In the N/w IP Address field, enter an IP address that, with the subnet mask, defines the subnet object.

Step 5 In the N/w Mask field, select the subnet mask for this subnet object.

Step 6 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the Network Setting table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring Protocols for Object Groups


Note Object groups are available for only ACE 2.0 modules and ACE 2.0 configuration building blocks.


Use this procedure to specify protocols for a service-type object group.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > Object Groups.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > Object Groups.

The Object Groups table appears, listing the existing object groups.

Step 2 Select an existing service-type object group, then select the Protocol Selection tab. The Protocol Selection table appears.

Step 3 Click Add to add an entry to this table.

Step 4 In the Protocol Number field, select the protocol or protocol number to add to this object group. See Table 3-12 for common protocols and their numbers.

Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the Protocol Selection table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring TCP/UDP Service Parameters for Object Groups


Note Object groups are available for only ACE 2.0 modules and ACE 2.0 configuration building blocks.


Use this procedure to add TCP or UDP service objects to a service-type object group.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > Object Groups.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > Object Groups.

The Object Groups table appears, listing the existing object groups.

Step 2 Select an existing service-type object group, then select the TCP/UDP Service Parameters tab. The TCP/UDP Service Parameters table appears.

Step 3 Click Add to add an entry to this table.

Step 4 Configure TCP or UDP service objects using the information in Table 3-13.

Table 3-13 TCP and UDP Service Parameters 

Field
Description

Protocol

Select the protocol for this service object:

TCP—TCP is the protocol for this service object.

UDP—UDP is the protocol for this service object.

TCP and UDP—Both TCP and UDP are the protocols for this service object.

Source Port Operator

Select the operand to use when comparing source port numbers for this service object:

Eq—The source port must be the same as the number in the Source Port field.

Gt—The source port must be greater than the number in the Source Port field.

Lt—The source port must be less than the number in the Source Port field.

Neq—The source port must not equal the number in the Source Port field.

Range—The source port must be within the range of ports specified by the Lower Source Port field and the Upper Source Port field.

Source Port

This field appears if you select Eq, Gt, Lt, or Neq in the Source Port Operator field.

Enter the source port name or number for this service object.

Lower Source Port

This field appears if you select Range in the Source Port Operator field.

Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Source Port field.

Upper Source Port

This field appears if you select Range in the Source Port Operator field.

Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Source Port field.

Destination Port Operator

Select the operand to use when comparing destination port numbers:

Eq—The destination port must be the same as the number in the Destination Port field.

Gt—The destination port must be greater than the number in the Destination Port field.

Lt—The destination port must be less than the number in the Destination Port field.

Neq—The destination port must not equal the number in the Destination Port field.

Range—The destination port must be within the range of ports specified by the Lower Destination Port field and the Upper Destination Port field.

Destination Port

This field appears if you select Eq, Gt, Lt, or Neq in the Destination Port Operator field.

Enter the destination port name or number for this service object.

Lower Destination Port

This field appears if you select Range in the Destination Port Operator field.

Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port field.

Upper Destination Port

This field appears if you select Range in the Destination Port Operator field.

Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 65535. The number in this field must be greater than the number entered in the Lower Destination Port field.


Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the TCP/UDP Service Parameters table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring ICMP Service Parameters for an Object Group

Configuring ICMP Service Parameters for an Object Group


Note Object groups are available for only ACE 2.0 modules and ACE 2.0 configuration building blocks.


Use this procedure to add ICMP service parameters to a service-type object group.

Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Security > Object Groups.

To configure a configuration building block, select Config > Global > All Building Blocks > building_block > Security > Object Groups.

The Object Groups table appears, listing the existing object groups.

Step 2 Select an existing service-type object group, then select the ICMP Service Parameters tab. The ICMP Service Parameters table appears.

Step 3 Click Add to add an entry to this table.

Step 4 Configure ICMP type objects using the information in Table 3-14.

Table 3-14 ICMP Type Service Parameters 

Field
Description

ICMP Type

Select the ICMP type or number for this service object. Table 3-15 lists common ICMP types and numbers.

Message Code Operator

Select the operand to use when comparing message codes for this service object:

Eq—The message code must be the same as the number in the Message Code field.

Gt—The message code must be greater than the number in the Message Code field.

Lt—The message code must be less than the number in the Message Code field.

Neq—The message code must not equal the number in the Message Code field.

Range—The message code must be within the range of codes specified by the Min Message Code field and the Max Message Code field.

Message Code

This field appears if you select Eq, Gt, Lt, or Neq in the Message Code Operator field.

Enter the ICMP message code for this service object.

Min Message Code

This field appears if you select Range in the Message Code Operator field.

Enter the number that is the beginning value for a range of services for this service object. Valid entries are integers from 0 to 255. The number in this field must be less than the number entered in the Max Message Code field.

Max Message Code

This field appears if you select Range in the Message Code Operator field.

Enter the number that is the ending value for a range of services for this service object. Valid entries are integers from 0 to 255. The number in this field must be greater than the number entered in the Min Message Code field.


Table 3-15 ICMP Type Numbers and Names

Number   ICMP Type Name
0        echo-reply
3        unreachable
4        source-quench
5        redirect
6        alternate-address
8        echo
9        router-advertisement
10       router-solicitation
11       time-exceeded
12       parameter-problem
13       timestamp-request
14       timestamp-reply
15       information-request
16       information-reply
17       address-mask-request
18       address-mask-reply
31       conversion-error
32       mobile-redirect


Step 5 Click:

Deploy Now to immediately deploy this configuration. This option appears for virtual contexts.

OK to save your entries. This option appears for configuration building blocks.

Cancel to exit this procedure without saving your entries.

Next to deploy your entries and to add another entry to the ICMP Service Parameters table.


Related Topics

Configuring Object Groups

Configuring IP Addresses for Object Groups

Configuring Subnet Objects for Object Groups

Configuring Protocols for Object Groups

Configuring TCP/UDP Service Parameters for Object Groups

Managing ACLs

In addition to creating and configuring ACLs, you can:

View all ACLs by context—See Viewing All ACLs by Context.

Delete ACLs—See Editing or Deleting ACLs.

Viewing All ACLs by Context

Use this procedure to view all access control lists that have been configured.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the virtual context with the ACLs you want to view, then select Security > ACLs. The ACLs table appears, listing the existing ACLs in that context with their name, their type (Extended or EtherType), and all relevant details (such as Action, Protocol, Interface information).

Step 3 To view all the ACLs for a given table entry, click the plus sign to the left of that entry.

Step 4 To view all of the ACLs for all of the entries, click the Expand All icon on the Add/Edit/Delete row.

Step 5 To collapse all of the ACLs for all of the entries, click the Collapse All icon on the Add/Edit/Delete row.


Related Topics

Configuring Security with ACLs

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Editing or Deleting ACLs

Editing or Deleting ACLs

Use this procedure to delete or edit an ACL or any of its subentries.

Procedure


Step 1 Select the ACL to edit or delete:

Select Config > Devices > context > Security > ACLs.

or

Select Config > Global > All Building Blocks > building_block > Security > ACLs.

The ACLs table appears, listing the existing ACLs.

Step 2 Select the radio button to the left of the ACL you want to edit or delete. Expand entries if necessary by clicking the plus sign to the left of any ACL entry until you see the subentry ACL for which you are looking, or click the Expand All icon to view all ACLs and subentries.

Step 3 Perform one of the following steps:

Click Edit if you are editing an ACL or one of its entries and go to Step 4.

or

Click Delete if you are deleting an ACL or one of its entries and go to Step 5.

Step 4 Edit the entry using the summary information listed in Table 3-10 if needed, and click Deploy when done.

Step 5 Click Delete. A window appears asking you to confirm the deletion. If you click OK, the ACLs table refreshes without the deleted ACL.


Related Topics

Creating ACLs

Setting EtherType ACL Attributes

Setting Extended ACL Attributes

Resequencing Extended ACLs

Configuring Virtual Context Expert Options

The ANM virtual context Expert configuration options allow you to:

Establish traffic policies for virtual servers by classifying types of network traffic and then applying the appropriate rules and actions for handling the traffic. See Configuring Traffic Policies, page 11-1.

Compare a virtual context configuration with a tagged configuration building block that has been applied to the context. See Comparing Context and Building Block Configurations.

For ACE 2.0 modules and ACE appliances, configure optimization action lists. See Configuring Action Lists for Application Acceleration and Optimization, page 12-3.

Comparing Context and Building Block Configurations

The ANM allows you to compare the current configuration of a virtual context that has had a tagged configuration building block applied to it with the settings of the applied building block. Discrepancies between these configurations can occur when you configure the virtual context after applying the building block instead of modifying and tagging the building block, then applying the updated building block to the virtual context.

The ANM auditing process identifies the discrepancies by configuration category (such as policy maps or SNMP) and groups them accordingly.

Use this procedure to identify discrepancies between an ANM tagged building block and a virtual context that previously had the building block applied to it.

Assumption

The virtual context has had a tagged building block applied to it.

Procedure


Step 1 Select Config > Devices > context > Expert > Building Block Audit. The Building Block Audit screen appears with the Comparison Results table, listing any discrepancies between the configurations.

Step 2 Identify the discrepancies in any of the following ways:

Click All at the top of the results tree. The Comparison Results table displays all discrepancies.

The values that follow the word All, such as 2c 5d 3a, indicate differences between the virtual context configuration and the building block configuration. These values use the format n<difference> where n represents the number of differences between the configurations and <difference> represents the type of difference. The possible results are:

nc (changed) indicates the number of items with settings that have changed or differ from the settings in the building block. For example, 2c indicates that two configuration options in the context currently have different settings or values than those in the applied building block. That is, two settings have been changed in the context.

nd (deleted) indicates the number of items that were in the applied building block that do not exist in the current context configuration. For example, 5d indicates that five configuration options that were in the applied building block do not exist in the current context configuration. That is, five items in the applied building block have been deleted from the context configuration.

na (added) indicates the number of items that are in the current context configuration that were not in the applied building block. For example, 3a indicates that three configuration options that were not in the applied building block have been added to the context configuration. That is, compared to the applied building block, three items have been added to the context configuration.

Click a folder in the results tree. The Comparison Results table displays the discrepancies for that configuration category, such as SNMP or class maps.

Click an item within a folder. The Comparison Results table displays the differences for that specific attribute.

Step 3 When viewing results in the Comparison Results table, you can:

Filter the results by entering a complete or partial string in one or more of the input fields at the top of the columns, then clicking Go.

Sort the results in ascending or descending order by clicking a column heading.
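The nc, nd and na counts described in Step 2, computed per configuration category, as an added Python example that is not the ANM auditing code. The building block and context contents are constructed and their attribute names are illustrative; omitting zero counts from the All label is an assumption.

```python
"""Building Block Audit counts (added example, not the ANM auditing code)."""
from typing import Dict, Tuple

# category (such as "snmp" or "policy maps") -> attribute name -> configured value
Config = Dict[str, Dict[str, str]]
Counts = Tuple[int, int, int]   # (changed, deleted, added)


def audit(building_block: Config, context: Config) -> Dict[str, Counts]:
    """Compare the applied building block with the current context, grouped by category.

    changed: attribute present in both, with a different value in the context (nc)
    deleted: attribute in the building block that the context no longer has (nd)
    added:   attribute in the context that the building block never had (na)
    """
    results: Dict[str, Counts] = {}
    for category in sorted(set(building_block) | set(context)):
        expected = building_block.get(category, {})
        actual = context.get(category, {})
        changed = sum(1 for k in expected if k in actual and expected[k] != actual[k])
        deleted = sum(1 for k in expected if k not in actual)
        added = sum(1 for k in actual if k not in expected)
        results[category] = (changed, deleted, added)
    return results


def summary_label(results: Dict[str, Counts]) -> str:
    """Format the label shown after All, e.g. "2c 5d 3a" (zero counts omitted; assumption)."""
    totals = [sum(counts[i] for counts in results.values()) for i in range(3)]
    parts = [f"{n}{kind}" for n, kind in zip(totals, "cda") if n]
    return " ".join(parts) if parts else "in sync"


# Constructed sample data; attribute names and values are illustrative, not real ANM settings.
BUILDING_BLOCK: Config = {
    "snmp": {"community": "anm-ro", "trap-host": "192.0.2.50", "contact": "netops"},
    "policy maps": {"PM-WEB": "class-default", "PM-DNS": "class-dns"},
}
CONTEXT: Config = {
    "snmp": {"community": "site-ro", "contact": "netops", "location": "dc1"},
    "policy maps": {"PM-WEB": "class-web", "PM-DNS": "class-dns"},
    "class maps": {"CM-WEB": "match port tcp eq www"},
}

if __name__ == "__main__":
    results = audit(BUILDING_BLOCK, CONTEXT)
    for category, (c, d, a) in results.items():
        print(f"{category}: {c}c {d}d {a}a")
    print("All", summary_label(results))
```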


Related Topics

Configuring Virtual Contexts

Managing Virtual Contexts

Using Configuration Building Blocks, page 13-1

Managing Virtual Contexts

You can perform the following administrative actions on virtual contexts:

Viewing All Virtual Contexts

Synchronizing Virtual Context Configurations

Managing Syslog Settings for Autosync

Editing Virtual Contexts

Upgrading Virtual Contexts

Restarting Virtual Context Polling

Comparing Context and Building Block Configurations

Viewing All Virtual Contexts

Use this procedure to view some or all virtual contexts being managed by the ANM.

Procedure


Step 1 Select Config > Devices > All VC. The All Virtual Contexts table appears with the information described in Table 3-16.

Table 3-16 All Virtual Contexts Table 

Field
Description

Name

The context name including chassis and slot.

Resource Class

The resource class applied to the context.

Building Block

The configuration building block applied to the context.

CLI Sync Status

The administrative configuration status of the context:

Import Failed—The context did not import successfully. This could have occurred when the device was added to ANM or when the context was synchronized. Synchronize the context so that you can manage it (Config > Devices > ACE > context > Sync).

OK—The context is synchronized with the ACE CLI.

Out of Sync—The context is being managed by the ANM but the configuration for the context on the device differs from the configuration managed by the ANM. For information on synchronizing contexts, see Synchronizing Virtual Context Configurations.

Unprovisioned—The context has been removed from the ACE using the CLI but has not been removed from the ANM. To remove unprovisioned contexts, synchronize the associated Admin context.

Management IPs

A list of IP addresses used for remote management of the context.

Polling Status

The current polling status of the context:

Missing SNMP Credentials—SNMP credentials are not configured for this virtual context; therefore, statistics are not collected. Add SNMP v2c credentials to fix this error.

Not Polled—SNMP polling has not started. This happens when the virtual context is first created from the ANM and the SNMP credentials are not configured. Add SNMP v2c credentials to fix this error.

Not Supported—This status appears at the device level only and applies to Cisco Catalyst chassis, 7600 series routers, and ACE appliances.

Polling Failed—SNMP polling failed due to some internal error. Try restarting polling to enable SNMP collection again.

Polling Started—No action required. Everything is working properly. Polling states will display activity.

Polling Timed Out—SNMP polling has timed out. This might occur if the wrong credentials were configured or might be caused by an internal error (such as SNMP protocol configured incorrectly or destination is not reachable). Verify that SNMP credentials are correct. If the problem persists, restart polling to enable SNMP collection again.

Unknown—SNMP polling is not working due to one of the above-mentioned conditions. Check the SNMP v2c credential configuration.

ACE HA State

If the context is configured for high availability, the current state of the context with regard to high availability:

Active—The context is actively processing flows for the HA pair.

Standby Cold—Either the fault-tolerant VLAN is down, but the peer ACE is still alive, or the configuration or application state synchronization failed.

Standby Bulk—The context is waiting to receive information from its active peer context.

Standby Hot—The context has all the state information it needs to statefully assume the active state if a switchover occurs.

ACE HA Autosync

Indicates whether high availability automatic synchronization is enabled on the context.


Step 2 Use the object selector to view all virtual contexts or only those contexts on a specific device.


Related Topics

Restarting Virtual Context Polling

Enabling Polling on All Devices, page 14-20

Synchronizing Virtual Context Configurations

Synchronizing Virtual Context Configurations

ANM allows you to synchronize the configuration information residing on an ACE with the configuration information maintained by the ANM server for the same device. When ANM synchronizes a context, it uploads the configuration from the device to the ANM server. In accordance with your role-based permission level, the ANM Status bar displays the number of virtual contexts out of sync with the ACE CLI against the total number of virtual contexts, as well as the number of failed synchronization attempts.

It is important to synchronize contexts when:

You configure the ACE directly via the CLI instead of using the ANM interface:

For ACE 2.0 modules and ACE appliances, the CLI Sync Status is Out of Sync in the Virtual Contexts table (Config > Devices > ACE) if the configurations for a virtual context differ.

For ACE 1.0 modules running software version 3.0(0)A1.x, the CLI Sync Status is always OK in the Virtual Contexts table even if the configurations for a virtual context differ. If any changes are made to virtual context configurations using the CLI on ACE 1.0 modules, you must synchronize them manually.

A context has been removed from the ACE using the CLI, reflected by the CLI Sync Status Unprovisioned in the Virtual Contexts table. In this situation, you need to synchronize the Admin context to remove the unprovisioned context.

A context was not successfully imported into the ANM during discovery or a Sync operation, reflected by the CLI Sync Status Import Failed in the Virtual Contexts table. In this situation, you need to synchronize the context before you can modify its configuration.

Use this procedure to synchronize the configurations for a virtual context.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select either All VC or the ACE with the virtual context configuration you want to synchronize. The Virtual Contexts table appears.

Step 3 Select the virtual context with the configuration you want to synchronize, then click CLI Sync.

The Virtual Contexts table refreshes when synchronization is complete.


Related Topics

Configuring Auto Sync Settings, page 15-65

Editing Virtual Contexts

Restarting Virtual Context Polling

Comparing Context and Building Block Configurations

Managing Syslog Settings for Autosync

Configuring auto sync to run when a syslog message is received from a device gives ANM a faster, more streamlined way to pick up out-of-band configuration changes. Rather than waiting for the default polling period, ANM syncs as soon as a syslog message is received if Setup Syslog for Autosync is enabled.

Use this procedure to have ANM receive syslog messages for a virtual context.

Procedure


Step 1 Select Config > Devices > Virtual Context Management > Setup Syslog for Autosync. The Setup Syslog for Autosync screen appears.

Step 2 Select either All VC or the ACE with the virtual context configuration for which you want to receive Autosync syslog messages. Click Setup Syslog. A progress bar window appears.

A checkbox with a checkmark appears in the Setup Syslog for Autosync? column for each virtual context and ACE device you checked.

Step 3 Click the Setup Syslog button.

The following CLI commands are sent to the enabled devices:

logging enable
logging trap 2
logging device-id string <ACE-Ip>/Admin
logging host <ANM-Ip> udp/514
logging message 111008 level 2
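The commands above forward only messages at severity 2 or lower, tag each line with the device-id string, and lower message 111008 to severity 2 so that it is trapped. The following added example (not ANM's or the ACE's own code) parses constructed syslog lines of that shape to list which (ACE, context) pairs ANM would resynchronize; the line layout, the 111008 message text, and the <ACE-Ip>/<context> device-id form for non-Admin contexts are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Assumed line layout: "<device-id>: %ACE-<severity>-<msgid>: <text>"
SYSLOG_RE = re.compile(
    r"^(?P<devid>[^:\s]+):\s+%ACE-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)
# Assumed 111008 text ("User 'x' executed the 'y' command"), not from the page.
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>.+)' command")
TRAP_LEVEL = 2           # "logging trap 2": only severity <= 2 is forwarded
AUTOSYNC_MSG = "111008"  # "logging message 111008 level 2"

class ConfigChange(NamedTuple):
    ace_ip: str
    context: str
    user: str
    command: str

def parse_autosync_trigger(line: str) -> Optional[ConfigChange]:
    """Return the CLI change a line reports if it is a trapped 111008 message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    if int(m["sev"]) > TRAP_LEVEL or m["msgid"] != AUTOSYNC_MSG:
        return None  # not forwarded at trap level 2, or not a command event
    ace_ip, _, context = m["devid"].partition("/")
    c = CMD_RE.search(m["text"])
    if not c:
        return None
    return ConfigChange(ace_ip, context or "Admin", c["user"], c["cmd"])

def contexts_to_sync(lines: List[str]):
    """Distinct (ace_ip, context) pairs ANM would resynchronize, in order seen."""
    seen = []
    for line in lines:
        ev = parse_autosync_trigger(line)
        if ev and (ev.ace_ip, ev.context) not in seen:
            seen.append((ev.ace_ip, ev.context))
    return seen

# Constructed sample lines (addresses, users and commands are made up).
SAMPLE_LINES = [
    "192.0.2.10/Admin: %ACE-2-111008: User 'admin' executed the 'logging host 198.51.100.5 udp/514' command.",
    "192.0.2.10/ctx1: %ACE-2-111008: User 'ops' executed the 'class-map match-all VIP-80' command.",
    "192.0.2.10/ctx1: %ACE-5-111009: User 'ops' executed cmd: show running-config",
    "192.0.2.10/ctx1: %ACE-2-111008: User 'ops' executed the 'no class-map VIP-80' command.",
    "garbage line without structure",
]
```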

Related Topics

Synchronizing Virtual Context Configurations

Restarting Virtual Context Polling

Editing Virtual Contexts

Use this procedure to modify the configuration of an existing virtual context.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the virtual context, then select the configuration attributes you want to modify. For information on configuration options, see Configuring Virtual Contexts.

Step 3 Click:

OK to save your entries.

Cancel to exit the procedure without saving your entries.


Related Topics

Using Virtual Contexts

Configuring Virtual Contexts

Deleting Virtual Contexts

Use this procedure to remove an existing virtual context.


Note If you remove a virtual context using the CLI, the CLI Sync Status for the virtual context appears as Unprovisioned in the Virtual Contexts table (Config > Devices > ACE). To remove the unprovisioned virtual context from the ANM, either synchronize the Admin virtual context (see Synchronizing Virtual Context Configurations) or delete the virtual context by selecting the virtual context, then clicking Delete.


Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 In the device tree, select the virtual context you want to delete, then click Delete in either the device pane or the configuration pane.

A window appears, asking you to confirm the deletion.

Step 3 Click:

OK to delete the selected context. The device tree refreshes and the deleted context no longer appears.

Cancel to exit this procedure and to retain the selected context.


Related Topics

Configuring Virtual Contexts

Comparing Context and Building Block Configurations

Upgrading Virtual Contexts

Use this procedure to apply a different resource class, configuration building block, or VLAN to a virtual context.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the virtual context you want to upgrade, then select System > Primary Attributes. The Edit Virtual Context screen appears.

Step 3 In the Resource Class field, select the resource class you want to apply to the context.


Note If you attempt to apply a resource class that could consume the resources required to maintain IP connectivity to the Admin context, you will see an error message and the resource class will not be applied. We recommend that you first apply a resource class to the Admin context that will prevent its resources from being allocated to other contexts. For more information, see Resource Allocation Constraints.


Step 4 In the Tagged Building Block to Apply field, select the building block to apply to this virtual context.

Step 5 In the Allocate-Interface VLANs field, enter the number of a VLAN or a range of VLANs so that the context can receive the associated traffic. You can specify VLANs in any of the following ways:

For a single VLAN, enter an integer from 2 to 4096.

For multiple, non-sequential VLANs, use comma-separated entries, such as 101,201,302.

For a range of VLANs, use the format <beginning-VLAN>-<ending-VLAN>, such as 101-150.
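The following added example (not ANM's own code) validates and expands an Allocate-Interface VLANs entry in the three forms listed above, rejecting values outside the stated 2 to 4096 range and malformed or reversed ranges before they are sent to a context.

```python
import re
from typing import List

VLAN_MIN, VLAN_MAX = 2, 4096   # range stated for the Allocate-Interface VLANs field
_RANGE = re.compile(r"^(\d+)-(\d+)$")   # <beginning-VLAN>-<ending-VLAN>

def parse_vlan_spec(spec: str) -> List[int]:
    """Expand a VLAN specification (single, comma-separated, or range) into a
    sorted list of distinct VLAN IDs; raise ValueError on anything else."""
    vlans = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError(f"empty entry in {spec!r}")
        m = _RANGE.match(item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"reversed range {item!r}")
        elif item.isdigit():
            lo = hi = int(item)
        else:
            raise ValueError(f"unrecognized entry {item!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"{item!r} outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)

def is_valid_vlan_spec(spec: str) -> bool:
    """True if the entry follows one of the documented forms and stays in range."""
    try:
        parse_vlan_spec(spec)
        return True
    except ValueError:
        return False
```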


Note You cannot modify VLANs in an Admin context.


Step 6 In the Description field, enter a brief description for this context.

Step 7 Click Deploy Now to save your entries. The screen refreshes with updated information.

To exit this procedure without saving your entries, select another item in the menu bar or device tree. A popup window appears, confirming that you have not saved your entries.


Related Topics

Using Virtual Contexts

Configuring Virtual Contexts

Restarting Virtual Context Polling

Use this procedure to restart monitoring and enable SNMP collection on a single context that has stopped or failed to start.

To restart polling and enable SNMP collection on all virtual contexts, select Monitor > Settings > Global Polling Configuration, and configure global polling attributes using the information in Enabling Polling on All Devices, page 14-20.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select the ACE associated with the virtual context with stopped or failed polling. The Virtual Contexts table appears.

Step 3 Select the context with the stopped or failed polling, then click Restart Polling.

If the ANM cannot monitor the selected context, it displays an error message stating the reason.


Related Topics

Using Virtual Contexts

Configuring Virtual Contexts

Enabling Polling on All Devices, page 14-20