Table Of Contents
Cisco CSM-to-ACE Conversion Tool User Guide
Accessing the CSM-to-ACE Conversion Tool
Using the CSM-to-ACE Conversion Tool
Copying the Converted Configuration File to the ACE
Copying and Pasting the Converted Configuration to the ACE CLI Prompt
Copying and Pasting the Converted Configuration to a Text File for Content Editing
Example of a Copied Configuration File for Use By the ACE
Obtaining Documentation, Obtaining Support, and Security Guidelines
Cisco CSM-to-ACE Conversion Tool User Guide
This document describes how to use the CSM-to-ACE conversion tool to migrate Cisco Content Switching Module (CSM) running- or startup-configuration files to the Cisco Application Control Engine (ACE) module. It describes how to access the conversion tool, use the tool to convert a CSM configuration to an ACE configuration, and copy the converted configuration to the ACE. This document also includes a summary of the CSM commands that are not supported by the conversion tool.
This document contains the following sections.
•
Accessing the CSM-to-ACE Conversion Tool
•
Using the CSM-to-ACE Conversion Tool
•
Copying the Converted Configuration File to the ACE
•
Obtaining Documentation, Obtaining Support, and Security Guidelines
Accessing the CSM-to-ACE Conversion Tool
The conversion tool is included as part of the ACE software image and is accessible from the Cisco ACE Module web page using either HTTP or secure HTTP (HTTPS). To access the conversion tool, perform the following steps:
Step 1
Log in to the ACE CLI.
Step 2
Create a Layer 3 and Layer 4 management policy. Ensure that, at a minimum, you permit HTTP or HTTPS traffic in the management policy to enable remote access to the Cisco ACE Module web page. The following excerpt is a typical configuration example that illustrates how to enable web access to the ACE to access the Cisco ACE Module web page. For details on enabling remote access to the ACE, refer to the Cisco Application Control Engine Module Administration Guide.
Cat6k Configurationsvclc multiple-vlan-interfacessvclc module 3 vlan-group 1svclc vlan-group 1 10Cisco ACE Configurationclass-map type management match-any L4_REMOTE-ACCESS_CLASSdescription Enabling remote access traffic to the ACE and the Cisco ACE Module web page2 match protocol telnet any3 match protocol ssh any4 match protocol icmp any5 match protocol http any6 match protocol https anypolicy-map type management first-match L4_REMOTE-ACCESS_MATCHclass L4_REMOTE-ACCESS_CLASSpermitinterface vlan 10ip address 192.168.215.134 255.255.255.0service-policy input L4_REMOTE-ACCESS_MATCHno shutdownip route 0.0.0.0 0.0.0.0 192.168.215.1Step 3
Open your preferred Internet web browser application, such as Microsoft Internet Explorer or Netscape Navigator.
Step 4
Specify the HTTP or HTTPS address of your ACE in the address field:
http://ace_ip_addresshttps://ace_ip_addressStep 5
If this your first time accessing the ACE web page by HTTPS, you will be prompted to accept (trust) and install the signed certificate from Cisco Systems. Click Yes at the prompt to accept and install the signed certificate. To avoid approving the signed certificate each time you log in to the ACE web page, accept the certificate. For instructions on trusting certificates from a particular owner or website, see the online help included with your browser.
Step 6
When the dialog box appears, login with your ACE username and password in the fields provided, then click OK. The ACE web page appears (Figure 1).
![]()
Note
Users with administrative privileges can access the CSM-to-ACE conversion tool.
Figure 1 Cisco ACE Module Web Page
![]()
Step 7
Click the CSM2ACE conversion tool link in the Tools section of the ACE web page. The CSM-to-ACE conversion tool appears (Figure 2). Proceed to the "Using the CSM-to-ACE Conversion Tool" section.
Figure 2 CSM-to-ACE Conversion Tool
![]()
Using the CSM-to-ACE Conversion Tool
You can convert a CSM startup- or running-config to an equivalent ACE startup- or running-config by using one of the following methods:
•
Copying and pasting the contents from a saved CSM configuration file or from the CSM show running-config or show startup-config command output to the conversion tool `
•
Uploading a saved CSM configuration file to the conversion tool
To use the conversion tool to convert a CSM configuration, perform the following steps:
Step 1
By default, the Admin context is always assumed as the target virtual context on the ACE. To migrate a CSM configuration to a different virtual context (for example, C1), specify a different virtual context name in the User Context Name: text box (see Figure 3). The conversion tool generates the corresponding ACE configuration for the Admin context to create the requested virtual context.
Step 2
To add the contents from a saved CSM configuration file or from the CSM show running-config or show startup-config command output, copy and paste the complete configuration into the text area of the Paste CSM Commands: section of the conversion tool (Figure 3). Proceed to Step 4.
Figure 3 Pasting the Content of a CSM Configuration into the CSM-to-ACE Conversion Tool
![]()
Step 3
To select a CSM configuration file to upload to the conversion tool, click Browse. Navigate to the CSM configuration file that you want to convert, then click Open. The CSM configuration file appears in the Upload CSM Command File: section of the conversion tool (Figure 4). Proceed to Step 4.
Figure 4 Uploading a CSM Configuration File
![]()
Step 4
To convert the CSM commands, click Get ACE Commands. The tool converts the CSM startup- or running-config to an equivalent ACE startup- or running-config (Figure 5).
Figure 5 Converted CSM Commands to ACE Commands Example
![]()
In addition, the conversion tool lists the CSM commands from the original configuration file (Figure 6).
Figure 6 Summary of Converted CSM Commands Example
![]()
The conversion tool also includes a list of any unsupported CSM commands (Figure 7). The Notes section provides additional information, as necessary. Proceed to the "Copying the Converted Configuration File to the ACE" section.
Figure 7 Unsupported CSM Commands and Notes Example
![]()
Copying the Converted Configuration File to the ACE
Once you convert the CSM configuration, you can use one of the following methods to copy the converted configuration to the ACE:
•
Copy and paste the converted configuration directly at the ACE CLI configuration mode prompt.
•
Copy and paste the converted configuration to a text file. You can store this configuration file locally and make the appropriate content changes in the configuration text file to support the ACE configuration.
Before you begin, for the ACE to allow the new VLANs identified in the converted CSM configuration file, first create the VLAN groups on the supervisor engine in the Catalyst 6500 series switch or Cisco 7600 series router, and then assign the groups to the ACE. By default, all VLANs are allocated to the Admin context on the ACE. See the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for details.
This section includes the following topics:
•
Copying and Pasting the Converted Configuration to the ACE CLI Prompt
•
Copying and Pasting the Converted Configuration to a Text File for Content Editing
•
Example of a Copied Configuration File for Use By the ACE
Copying and Pasting the Converted Configuration to the ACE CLI Prompt
To copy and paste the converted configuration directly to the ACE CLI prompt, perform the following steps:
Step 1
Log in to the ACE by entering the login username and password at the following prompt:
switch login: xxxxxxPassword: yyyyyyBy default, both the username and password are admin.
The prompt changes to:
switch/Admin#Step 2
Access configuration mode:
switch/Admin# configure
Enter configuration commands, one per line. End with CNTL/ZThe prompt changes to the following:
switch/Admin(config)#Step 3
Copy the converted configuration listed in the ACE Commands: section of the conversion tool (see Figure 5), from the Configuration Commands for Admin Context: section. Paste the copied content at the configuration mode prompt of the ACE. If you are operating in multiple contexts, this step automatically creates the new virtual context identified in the User Context Name: text box of the conversion tool.
For example, to paste the converted configuration to the Admin context::
switch/Admin(config)# resource-class RC1switch/Admin(config-resource)# limit-resource sticky minimum 100 maximum unlimitedswitch/Admin(config-resource)# context C1switch/Admin(config-context)# allocate-interface vlan 16switch/Admin(config-context)# member RC1switch/Admin(config-context)#switch/Admin(config-context)# exitswitch/Admin(config)#Step 4
If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to the correct context by using the changeto command in Exec mode.
switch/Admin(config)# exitswitch/Admin# changeto C1switch/C1# configureEnter configuration commands, one per line. End with CNTL/Zswitch/C1(config)#Step 5
Copy the converted configuration listed in the ACE Commands: section of the conversion tool (see Figure 5), from the Configuration Commands for xx Context:. Paste the copied contents at the configuration mode prompt of the ACE.
For example, to paste the converted configuration to the C1 context:
switch/C1(config)# access-list LB_ALLOW_VIPS extended permit tcp any 10.9.8.53 255.255.255.255 eq wwwswitch/C1(config)# probe http EMEAswitch/C1(config-probe-http)# faildetect 2switch/C1(config-probe-http)# interval 5switch/C1(config-probe-http)# open 5switch/C1(config-probe-http)# passdetect interval 20switch/C1(config-probe-http)# request method get url /EMEA/KAL.htmlswitch/C1(config-probe-http)# probe http 200-OKswitch/C1(config-probe-http)# faildetect 2switch/C1(config-probe-http)# header host header-value healthcheck.cisco.comswitch/C1(config-probe-http)# interval 22switch/C1(config-probe-http)# passdetect interval 63switch/C1(config-probe-http)# port 80switch/C1(config-probe-http)# request method get url /serverstatus/status.aspswitch/C1(config-probe-http)#Step 6
(Optional) Use the following commands to save the updated contents of the running- or startup-configuration file:
•
To merge the contents of the startup configuration file into the running configuration file, use the copy startup-config running-config command.
•
To copy the contents of the running configuration file to the startup configuration file in Flash memory, use the copy running-config startup-config command.
Proceed to the "Example of a Copied Configuration File for Use By the ACE" section.
Copying and Pasting the Converted Configuration to a Text File for Content Editing
To copy and paste the converted configuration to a text file and make content changes in the file, perform the following steps:
Step 1
Copy the converted configuration listed in the ACE Commands: section of the conversion tool (see Figure 5) to a text file. Save this text file as an appropriately named configuration file.
Step 2
Store this configuration text file.
Step 3
Make the appropriate changes in the configuration text file to support the ACE design configuration. This step helps you to avoid potential issues or conflicts before copying and pasting the converted CSM configuration text file to the ACE CLI prompt. See the"Unsupported CSM Commands" section for a list of the CSM CLI commands that are not supported during the conversion.
Step 4
Copy and paste the contents of the updated configuration file directly to the ACE CLI prompt as described in the"Copying and Pasting the Converted Configuration to the ACE CLI Prompt" section.
Proceed to the "Example of a Copied Configuration File for Use By the ACE" section.
Example of a Copied Configuration File for Use By the ACE
After you copy the contents of the converted CSM-to-ACE configuration to the ACE, use the following commands to view the updated content of either the running- or startup-configuration file:
•
To view the running-configuration file, use the show running-config command.
•
To view the startup-configuration file, use the show startup-config command.
The following output example is from the show running-config command. This example includes hypertext cross-references to the applicable chapters in the ACE documentation set that you can refer to for the configuration details. You can click the URLs located above the command output for the configuration details. Use the ACE CLI commands to make modifications to the configuration, as needed.
switch/C1# show running-configGenerating configuration....access-list LB_ALLOW_VIPS line 8 extended permit tcp any host 10.9.8.53 eq wwwprobe http 200-OKinterval 22faildetect 2passdetect interval 63request method get url /serverstatus/status.aspheader Host header-value "healthcheck.cisco.com"probe http EMEAinterval 5faildetect 2passdetect interval 20request method get url /EMEA/KAL.htmlopen 5parameter-map type connection HR-CORP_CONNset timeout inactivity 1800parameter-map type http HR-CORP_HTTPpersistence-rebalanceset header-maxparse-length 4000rserver host WIN-EMEA-S1description SJ-Z8ip address 10.9.8.187inservicerserver host WIN-EMEA-S2description SJ-Z8ip address 10.9.8.188inservicerserver host WIN-EMEA-S3description SJ-Z8ip address 10.9.8.189inservicerserver host WIN-GLO-S1description SJ-Z4ip address 10.9.8.28inservicerserver host WIN-GLO-S2description SJ-Z4ip address 10.9.8.29inservicerserver host WIN-GLO-S3description SJ-Z4ip address 10.9.8.30inservicerserver host WIN-HR-S1description SJ-Z1ip address 10.9.8.76inservicerserver host WIN-HR-S2description SJ-Z1ip address 10.9.8.78inservicerserver host WIN-HR-S3description SJ-Z1ip address 10.9.8.77inserviceserverfarm host EMEApredictor leastconnsprobe EMEArserver WIN-EMEA-S1inservicerserver WIN-EMEA-S2inservicerserver WIN-EMEA-S3inserviceserverfarm host HR-CORPpredictor leastconnsprobe 200-OKrserver WIN-HR-S1inservicerserver WIN-HR-S2inservicerserver WIN-HR-S3inserviceserverfarm host HR-GLOBALpredictor leastconnsprobe 200-OKrserver WIN-GLO-S1inservicerserver WIN-GLO-S2inservicerserver WIN-GLO-S3inserviceclass-map type http loadbalance match-all HR-CORP2 match http url /HR.*class-map match-all HR-CORP_L32 match virtual-address 10.9.8.53 tcp eq wwwclass-map type http loadbalance match-all HR-EMEA2 match http header Accept-Language header-value "en-us"class-map type management match-any TO-CP-POLICY2 match protocol http any3 match protocol icmp any4 match protocol telnet anypolicy-map type management first-match TO-CP-POLICYclass TO-CP-POLICYpermitpolicy-map type loadbalance http first-match HR-CORPclass HR-EMEAclass HR-CORPserverfarm HR-CORPclass class-defaultserverfarm HR-GLOBALpolicy-map multi-match POLICY1057590class HR-CORP_L3loadbalance vip inserviceloadbalance policy HR-CORPloadbalance vip icmp-reply activeappl-parameter http advanced-options HR-CORP_HTTPconnection advanced-options HR-CORP_CONNservice-policy input POLICY1057590service-policy input TO-CP-POLICYaccess-group input LB_ALLOW_VIPSinterface vlan 130ip address 10.86.215.74 255.255.255.0no shutdowninterface bvi 16no shutdownUnsupported CSM Commands
The tool converts the majority of the CSM commands to comparable ACE commands. The converted output includes a list of the commands that are not supported by the tool during the conversion process (Figure 8).
Figure 8 Unsupported CSM Commands Area of the CSM-to-ACE Conversion Tool
![]()
This section summarizes the CSM commands that are not supported by the conversion tool. It includes the following tables:
•
Table 1 lists the CSM commands that do not have an equivalent function in the ACE.
•
Table 2 lists the CSM commands that have an equivalent function in the ACE, but are not directly converted by the tool. Table 2 also identifies the commands in the ACE CLI that provide the most comparable function to match the associated CSM command.
Both tables include references to the ACE module documentation that best address the associated CSM function not supported by the conversion tool. For a complete listing of the ACE module documentation available on www.cisco.com, see the "ACE Module Documentation"section.
Table 1 List of CSM Commands Not Supported in the ACE
CSM Command Descriptiondfp and its configuration submode commands
The ACE does not support the Dynamic Feedback Protocol (DFP). If your application requires the capabilities of DFP, we recommend that you use the least-loaded predictor in the ACE. This feature allows the ACE to use SNMP probes to determine server and application availability.
See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details.
ip slb mode
The ip slb mode command instructs the CSM to operate as a CSM load-balancing device instead of a Cisco IOS server load-balancing (SLB) device. This operating capability is not required by the ACE.
map dns
The ACE does not directly provide Global Server Load Balancing (GSLB) support. The ACE can be used as the server load-balancing (SLB) device with the Cisco Global Site Selector (GSS) platform for GSLB support. The GSS load balances geographically distributed data centers based on DNS requests. It also load balances any DNS-capable device that can be registered in the DNS system, such as the ACE.
See the Cisco GSS documentation set for background information at:
http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html
owner and its configuration submode commands
With the ACE, you can operate it in a single context or in multiple contexts. Multiple contexts use the concept of virtualization to partition your ACE into multiple virtual devices or contexts. You configure and manage all contexts through the Admin context, which contains the basic settings for each virtual device or context. Each context that you configure contains its own set of policies, interfaces, resources, and administrators.
The ACE provides role-based access control (RBAC), which is a mechanism that determines the commands and resources available to each user. A role defines a set of permissions that allow you to access the objects and resources in a context and the actions that you can perform on them.
You can also use domains to logically group objects within a context. In addition, domains can control access to groups of objects within a context.
See the Cisco Application Control Engine Module Virtualization Configuration Guide for details.
reverse sticky
Reverse sticky is not supported by the ACE.
script file and script task
TCL scripts are loaded onto the CSM through script files. A script file may contain one or more scripts. With the ACE, you upload and execute TCL health probe scripts (script files) on the ACE. A script file contains only one script, and the ACE supports the configuration of 256 unique script files.
See the Cisco Application Control Engine Module Administration Guide for details.
serverfarm configuration mode, the bindid command
The ACE does not support the Dynamic Feedback Protocol (DFP) and does not require the conversion of the bindid submode command of the serverfarm command. If your application requires the capabilities of DFP, we recommend that you use the least-loaded predictor in the ACE. This feature allows the ACE to use SNMP probes to determine server and application availability.
See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details.
snmp enable traps slb ft
The ACE does not support fault-tolerant traps as a notification type.
See the Cisco Application Control Engine Module Administration Guide for information about the supported SNMP notifications for the ACE.
vserver configuration mode, the following commands:
•
owner
•
reverse-sticky
•
ssl-sticky offset
The functions of the following vserver subcommands are not supported by the ACE:
•
owner command—This function is configured and managed for each virtual device or context. See the Cisco Application Control Engine Module Virtualization Configuration Guide for details.
•
reverse-sticky command—Reverse-sticky is not a supported function by the ACE.
•
ssl-sticky offset command—The ACE supports stickiness based on the SSL Session ID for SSLv3/TLSv1 only. Because the SSL Session ID is unique across multiple connections from the same client, you can use this feature to stick clients to a particular SSL server when the ACE is configured to load-balance SSL traffic, but not terminate it. To use this feature, configure a generic protocol-parsing policy for sticky learning. The ACE learns the SSL Session ID from the SSL server or other SSL-termination device. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details.
ACE Module Documentation
You can access the ACE module documentation on www.cisco.com at:
http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html
To familiarize yourself with the ACE module, refer to the following documentation:
•
Release Note for the Cisco Application Control Engine Module
•
Cisco Application Control Engine Module Hardware Installation Note
•
Cisco Application Control Engine Module Administration Guide
•
Cisco Application Control Engine Module Command Reference
•
Cisco Application Control Engine Module Getting Started Guide
•
Cisco Application Control Engine Module Routing and Bridging Configuration Guide
•
Cisco Application Control Engine Module Security Configuration Guide
•
Cisco Application Control Engine Module Server Load-Balancing Configuration Guide
•
Cisco Application Control Engine Module SSL Configuration Guide
•
Cisco Application Control Engine Module System Message Guide
•
Cisco Application Control Engine Module Virtualization Configuration Guide
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2008 Cisco Systems, Inc. All rights reserved.