Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context
From DocWiki
This section describes how to create a virtual context for the Cisco 4700 Series Application Control Engine (ACE) appliance.
Overview
After reading this section, you should have a basic understanding of ACE appliance virtualization and be able to partition your ACE into multiple virtual devices or virtual contexts (VCs) for more efficient operation.
Virtualization allows you to create a virtual environment in which a single ACE is partitioned into multiple virtual devices, each functioning as an independent ACE appliance that is configured and managed independently.
You set up virtualization by performing the following configuration steps:
- Configure resource allocation for a virtual context
- Create a virtual context
- Configure access to the virtual context
An example virtual environment is used throughout this guide: the user context VC_web, which handles the web traffic in the example network. This user context is associated with the custom resource class RC_web.
In this section, you will create a virtual context. In subsequent sections, you will create a virtual server within the virtual context. The virtual server is associated with a server farm and real servers. The example setup is illustrated in Table 1.
Table 1 Example Virtual Contexts
Virtual Context | Virtual Server | Server Farm | Real Servers
VC_web | VS_web | SF_web | RS_web1, RS_web2, RS_web3, RS_web4
Before you begin configuring your ACE for virtualization, you should become familiar with a few concepts: virtual context, Admin and user contexts, and resource classes.
With ACE virtualization, you can create a virtual environment, called a virtual context, in which a single ACE appears as multiple virtual devices, each configured and managed independently. A virtual context allows you to closely and efficiently manage system resources, ACE users, and the services that you provide to your customers.
By default, the ACE initially provides you an Admin context, with the ability to define up to five user contexts. (With additional licenses, you can define up to 20 contexts.)
As the system administrator, you have full system administrator access to configure and manage the Admin context and all user contexts. Each context can also have its own administrator and log-in mechanism that provides access only to the specific context. When you log in to the ACE using the console or Telnet, you are authenticated in the Admin context.
Although virtualization allows you to create multiple contexts, you still have a single physical ACE with finite resources, such as the number of concurrent connections. To manage each virtual context's share of those physical resources, the ACE provides resource classes. A resource class defines what portion of the ACE's overall resources is guaranteed to a context (the minimum) and what portion the context may consume (the maximum). One resource class can be associated with one or more contexts.
The ACE is preconfigured with a default resource class for the Admin context, and this default class applies to every virtual context you create until you assign another. It guarantees no context any share and allows every context a maximum of 100 percent of every resource, so resources are consumed first come, first served: once a resource is in use up to its limit, the ACE denies further requests for it from any other context. To avoid this oversubscription and guarantee each context its share, create custom resource classes and associate them with the contexts you define.
Creating a Virtual Context Using the Device Manager GUI
This section describes how to create and configure a virtual context for server load balancing using the ACE Device Manager user interface.
Creating a Resource Class
Create a resource class by following these steps:
1. Choose Config > Virtual Contexts > System > Resource Class. The Resource Classes pane appears (Figure 1).
- Figure 1 Resource Classes Pane
2. Click Add. The New Resource Class window appears (Figure 2).
- Figure 2 New Resource Class Window
3. Enter the following Resource Class attributes. Leave the remaining attributes blank or with their default values.
- Name: RC_web
- Default Min: 10
- Default Max: Unlimited
4. Click Deploy Now. The Resource Classes pane appears with the newly added resource class (Figure 3).
- Figure 3 Resource Classes Pane with a New Resource Class Added
Creating a Virtual Context
You can create a user context for server load-balancing purposes. For the example configuration, you will create the user context VC_web and configure a management VLAN interface on VLAN 1000, as illustrated in Figure 4 (previously configured settings are grayed out).
- Figure 4 Creating a User Context
Create a virtual context by following these steps:
1. Choose Config > Virtual Contexts. The All Virtual Contexts pane appears (Figure 5).
- Figure 5 All Virtual Contexts Pane
2. Click Add. The New Virtual Context window appears (Figure 6).
- Figure 6 New Virtual Context Window
3. Enter the following virtual context attributes. Leave the remaining attributes blank or with their default values.
- Name: VC_web
- Resource Class: RC_web
- Allocate-Interface VLANs: 1000, 400, 500 (these VLANs allow the context to receive the associated traffic; VLAN 1000 is the management VLAN shown in Figure 4 and used by the CLI procedure later in this section)
- Description: Virtual context for marketing website
- Policy Name: Management
- VLANs to Use: 1000 (this VLAN allows for remote management of the context)
- Management IP: 172.25.91.111 (this IP address also allows for remote management of the context)
- Management Netmask: 255.255.255.0
- Protocols to Allow: SNMP (or whichever management protocols this context must accept from the network; the CLI procedure later in this section permits SSH, Telnet, and ICMP)
- Default Gateway IP: 172.25.91.1
4. Click Deploy Now to deploy this context. Then, choose Virtual Contexts. The window refreshes with the new virtual context listed in the All Virtual Contexts pane (Figure 7).
- Figure 7 All Virtual Contexts Pane After VC_web is Added
Configuring the Client-Side VLAN Interface
You can now configure a client-side VLAN interface, the interface whose address client traffic is sent to. For the example configuration, you will configure VLAN 400 (Figure 8).
- Figure 8 Configuring the Client-Side VLAN Interface
Configure a client-side VLAN interface by following these steps:
1. Choose VC_web in the virtual contexts drop-down list.
2. Choose Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interfaces pane appears (Figure 9).
- Figure 9 VLAN Interfaces Pane
3. Click Add to add a new VLAN interface. The VLAN Interfaces window appears (Figure 10).
- Figure 10 VLAN Interfaces Window—VLAN 400
4. Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.
- VLAN: 400
- Description: Client-side VLAN interface
- IP Address: 10.10.40.1
- Netmask: 255.255.255.0
- Admin Status: Up
5. Click Deploy Now at the bottom of the window to save your entry. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane (Figure 11).
- Figure 11 VLAN Interface Pane with Two VLANs Configured
Configuring the Server-Side VLAN Interface
At this point, you can configure the server-side VLAN interface, the interface through which the ACE reaches the real servers. For the example configuration, you will configure VLAN 500 and a NAT pool for the VLAN (Figure 12).
Note Network Address Translation (NAT) rewrites the IP addresses in packets that pass through the ACE. It was designed to conserve addresses by letting private networks that use unregistered IP addresses reach the Internet through one or a few public addresses. On the server-side VLAN, a NAT pool is typically used as the set of source addresses that the ACE substitutes for client addresses when it forwards connections to the real servers, so the servers see only ACE addresses and their replies return through the ACE. Hiding the client and internal addressing in this way conserves addresses and reduces what the servers learn about the outside network, but NAT is not an access control: restricting which traffic the ACE accepts is the job of the access control list configured in the next section.
Figure 12 Configuring the Server-Side VLAN Interface
Configure the VLAN interface by following these steps:
1. Make sure that VC_web is selected in the virtual contexts drop-down list.
2. Choose Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interfaces pane appears (see Figure 11).
3. Click Add to add a new VLAN interface. The VLAN Interfaces window appears (see Figure 10).
4. Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.
- VLAN: 500
- Description: Server-side VLAN interface
- IP Address: 10.10.50.1
- Netmask: 255.255.255.0
- Admin Status: Up
5. Click Deploy Now at the bottom of the window to save your entry. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane.
6. Choose the row for VLAN 500, and then choose the NAT Pool tab. The NAT Pool pane appears (Figure 13).
- Figure 13 NAT Pool Pane
7. Click Add to add a new NAT pool. The NAT Pool pane appears (Figure 14).
- Figure 14 Configuring a NAT Pool
8. Enter the following NAT pool attributes. Leave the remaining attributes blank or with their default values.
- NAT Id: 1
- Start IP Address: 10.10.50.101
- End IP Address: 10.10.50.104
- Netmask: 255.255.255.0
9. Click Deploy Now at the bottom of the window to save your entry and return to the NAT Pool pane (Figure 15).
- Figure 15 NAT Pool Pane with a NAT Pool Configured
Creating a Virtual Context Using the CLI
You can create a virtual context using the command-line interface (CLI).
Configuring a Resource Class from the CLI
Configure a resource class by following these steps:
1. Log in to the ACE as the system administrator, either on the console or over the network. For example, to connect over the network, enter the following command at a command prompt on your management host. (Telnet sends the password in cleartext; use SSH instead wherever it is available on the Admin context.)
- telnet 172.25.91.110
At the login prompt, enter admin, then the new password that you entered in Step 2 of "Enabling Management Connectivity Using the Setup Script" in Setting Up an ACE Appliance.
- host1 login: admin
- Password: xxxxx
2. Enter configuration mode.
- host1/Admin# config
- host1/Admin(config)#
3. Configure a resource class that guarantees each member context a minimum of 10 percent of every ACE resource and places no upper limit on what it may consume, then return to configuration mode.
- host1/Admin(config)# resource-class RC_web
- host1/Admin(config-resource)# limit-resource all minimum 10 maximum unlimited
- host1/Admin(config-resource)# exit
- host1/Admin(config)#
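The two resource-class styles described in the overview, as an added example that is not part of the original guide: RC_web is the class the guide configures (a guaranteed floor, no ceiling), while RC_web_capped is a hypothetical class whose ceiling equals its floor, so a member context cannot grow past its share even when the rest of the ACE is idle. The name RC_web_capped and the choice to leave management connections uncapped are assumptions; lines beginning with an exclamation mark are explanatory comments, not commands to type.

```cisco
! Added example, not from the original guide. Two resource classes on the
! Admin context; RC_web_capped is a hypothetical name.
host1/Admin(config)# resource-class RC_web
! Floor of 10 percent of every resource, no ceiling: the context may still
! take more than 10 percent whenever other contexts are not using it.
host1/Admin(config-resource)# limit-resource all minimum 10 maximum unlimited
host1/Admin(config-resource)# exit

host1/Admin(config)# resource-class RC_web_capped
! Floor of 10 percent, ceiling equal to the floor: a busy or compromised
! context in this class cannot starve its neighbours of connections,
! sticky entries, regexp memory, syslog buffers or any other resource.
host1/Admin(config-resource)# limit-resource all minimum 10 maximum equal-to-min
! Exception: keep management connections uncapped so that administrators
! are not locked out of the context while it is saturating its data limits.
host1/Admin(config-resource)# limit-resource mgmt-connections minimum 10 maximum unlimited
host1/Admin(config-resource)# exit

! Before making contexts members, confirm that the guaranteed minimums of
! all classes still fit within 100 percent of each resource.
host1/Admin(config)# do show resource allocation
! After contexts are members, compare live consumption against the limits.
host1/Admin(config)# do show resource usage
```

Assign a context to the capped class with member RC_web_capped in context configuration mode, exactly as the guide does with member RC_web. The guaranteed minimums of all member contexts cannot add up to more than 100 percent of a resource, so plan the floors with show resource allocation before you create contexts. Use maximum equal-to-min where a less trusted or less predictable context must not be able to consume the shares of others; leave the maximum unlimited where the only goal is a guaranteed floor.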
Creating a Virtual Context from the CLI
Create a virtual context by following these steps:
1. Create a new context.
- host1/Admin(config)# context VC_web
- host1/Admin(config-context)#
2. Associate three existing VLANs with the context so that the context can receive traffic classified for it.
- host1/Admin(config-context)# allocate-interface vlan 1000
- host1/Admin(config-context)# allocate-interface vlan 400
- host1/Admin(config-context)# allocate-interface vlan 500
3. Associate the context with the resource class that you created in Configuring a Resource Class.
- host1/Admin(config-context)# member RC_web
4. Change to the VC_web context that you created in Step 1 and exit configuration mode.
- host1/Admin(config-context)# do changeto VC_web
- host1/VC_web(config)# exit
- host1/VC_web#
5. Display the virtual context configuration.
- host1/VC_web# show running-config context
6. Display the resource class configuration.
- host1/VC_web# show running-config resource-class
Configuring a Management VLAN Interface to the User Context from the CLI
You can provide management connectivity to the user context by assigning an IP address to the VLAN interface, as illustrated in Figure 4. Configure a management VLAN interface by following these steps:
1. Access interface configuration mode for VLAN 1000 in the VC_web context.
- host1/VC_web# config
- host1/VC_web(config)# interface vlan 1000
- host1/VC_web(config-if)#
2. Assign an IP address of 172.25.91.111 and a subnet mask of 255.255.255.0 to the VLAN interface for management connectivity.
- host1/VC_web(config-if)# ip address 172.25.91.111 255.255.255.0
3. Enable the VLAN interface.
- host1/VC_web(config-if)# no shutdown
4. Show that VLAN 1000 is active.
- host1/VC_web(config-if)# do show interface vlan 1000
5. Verify network connectivity. Pinging the interface's own address confirms only that the interface is up and answering; to confirm that the management network is reachable, also ping a neighbor on VLAN 1000, such as the default gateway 172.25.91.1.
- host1/VC_web(config-if)# do ping 172.25.91.111
6. Display the ARP table.
- Note The Address Resolution Protocol (ARP) table holds the IP-to-Media Access Control (MAC) address mappings that the ACE has learned and uses to forward packets. A populated entry for a neighbor such as the default gateway confirms that the ACE can reach it at Layer 2.
- host1/VC_web(config-if)# do show arp
7. Exit configuration mode.
- host1/VC_web(config-if)# exit
- host1/VC_web(config)# exit
- host1/VC_web#
Configuring Remote Management Access to the User Contexts from the CLI
Before remote network access to the user context can occur through an Ethernet port, you must create a traffic policy that identifies the network management traffic that the ACE is allowed to receive on that context; management traffic that no policy permits is not accepted. Configure remote management access by following these steps:
1. Create a management type class map named REMOTE_ACCESS that matches any traffic.
- host1/VC_web# config
- host1/VC_web(config)# class-map type management match-any REMOTE_ACCESS
- host1/VC_web(config-cmap-mgmt)#
2. (Optional) Provide a description for the class map.
- host1/VC_web(config-cmap-mgmt)# description Remote access traffic match
3. Configure match statements that permit traffic for the SSH, Telnet, and ICMP protocols from any source address. (The any keyword admits every source. In a production context, restrict each match to your management network with source-address ip_address mask instead of any, and omit Telnet, which carries credentials in cleartext, once SSH access has been confirmed.)
- host1/VC_web(config-cmap-mgmt)# match protocol ssh any
- host1/VC_web(config-cmap-mgmt)# match protocol telnet any
- host1/VC_web(config-cmap-mgmt)# match protocol icmp any
- host1/VC_web(config-cmap-mgmt)# exit
- host1/VC_web(config)#
4. Create a REMOTE_MGMT_ALLOW_POLICY policy map for traffic destined to an ACE interface.
- host1/VC_web(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
- host1/VC_web(config-pmap-mgmt)#
5. Apply the REMOTE_ACCESS class map to this policy.
- host1/VC_web(config-pmap-mgmt)# class REMOTE_ACCESS
- host1/VC_web(config-pmap-mgmt-c)#
6. Allow the ACE to receive the configured class map management protocols.
- host1/VC_web(config-pmap-mgmt-c)# permit
- host1/VC_web(config-pmap-mgmt-c)# exit
- host1/VC_web(config-pmap-mgmt)# exit
- host1/VC_web(config)#
7. Access interface configuration mode for the VLAN to which you want to apply the policy map.
- host1/VC_web(config)# interface vlan 1000
- host1/VC_web(config-if)#
8. Apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.
- host1/VC_web(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
9. Display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface.
- host1/VC_web(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY
10. Copy your configuration changes from the running configuration to the startup configuration.
- host1/VC_web(config-if)# do copy running-config startup-config
- Generating configuration....
- running config of context VC_web saved
- host1/VC_web(config-if)# exit
- host1/VC_web(config)# exit
11. Display the running configuration.
- host1/VC_web(config)# do show running-config
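A tighter version of the management policy configured in the procedure above, as an added example that is not part of the original guide and meant to be used in place of Steps 1 through 9 rather than on top of them: it admits only SSH and ICMP, and only from the guide's management subnet 172.25.91.0/24, and it adds the default route that the GUI procedure sets under Default Gateway IP but the CLI procedure omits. The class-map and policy-map names ending in _RESTRICTED are assumptions, as is the choice of 172.25.91.0/24 as the only management network; lines beginning with an exclamation mark are comments, not commands.

```cisco
! Added example, not from the original guide. Names ending in _RESTRICTED
! and the management subnet 172.25.91.0/24 are assumptions.
host1/VC_web# config
host1/VC_web(config)# class-map type management match-any REMOTE_ACCESS_RESTRICTED
host1/VC_web(config-cmap-mgmt)# description SSH and ping from the management network only
! source-address limits each protocol to hosts on the management subnet;
! no Telnet, so credentials never cross the network in cleartext.
host1/VC_web(config-cmap-mgmt)# match protocol ssh source-address 172.25.91.0 255.255.255.0
host1/VC_web(config-cmap-mgmt)# match protocol icmp source-address 172.25.91.0 255.255.255.0
host1/VC_web(config-cmap-mgmt)# exit

host1/VC_web(config)# policy-map type management first-match REMOTE_MGMT_RESTRICTED_POLICY
host1/VC_web(config-pmap-mgmt)# class REMOTE_ACCESS_RESTRICTED
host1/VC_web(config-pmap-mgmt-c)# permit
host1/VC_web(config-pmap-mgmt-c)# exit
host1/VC_web(config-pmap-mgmt)# exit

! Management traffic that no policy permits is not accepted, so with this
! policy VLAN 1000 answers SSH and ping from 172.25.91.0/24 and nothing else.
host1/VC_web(config)# interface vlan 1000
host1/VC_web(config-if)# service-policy input REMOTE_MGMT_RESTRICTED_POLICY
host1/VC_web(config-if)# exit

! Default route via the management gateway, the CLI equivalent of the GUI's
! Default Gateway IP field; needed for any traffic this context sends to
! destinations beyond its directly connected subnets.
host1/VC_web(config)# ip route 0.0.0.0 0.0.0.0 172.25.91.1

! Verify the policy and its class, then save.
host1/VC_web(config)# do show running-config class-map
host1/VC_web(config)# do show service-policy REMOTE_MGMT_RESTRICTED_POLICY
host1/VC_web(config)# do copy running-config startup-config
host1/VC_web(config)# exit
```

Test the policy from a host inside 172.25.91.0/24 (SSH and ping should succeed) and from a host outside it (both should fail) before you remove any console access you are relying on. If you later need to manage the context from a second network, add another match protocol ssh source-address line to the class map rather than widening an existing one to any.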
Configuring the Client-Side VLAN Interface from the CLI
At this point, you can configure a client-side VLAN interface, the interface whose address client traffic is sent to, as illustrated in Figure 8. Configure a client-side VLAN interface by following these steps:
1. Access interface configuration mode for VLAN 400.
- host1/VC_web(config)# interface vlan 400
- host1/VC_web(config-if)#
2. Assign an IP address of 10.10.40.1 and a subnet mask of 255.255.255.0 to the VLAN interface for client connectivity.
- host1/VC_web(config-if)# ip address 10.10.40.1 255.255.255.0
3. (Optional) Provide a description for the interface.
- host1/VC_web(config-if)# description Client connectivity on VLAN 400
4. Enable the VLAN interface.
- host1/VC_web(config-if)# no shutdown
5. Show that VLAN 400 is active.
- host1/VC_web(config-if)# do show interface vlan 400
6. Display the ARP table.
- host1/VC_web(config-if)# do show arp
7. Exit configuration mode.
- host1/VC_web(config-if)# exit
- host1/VC_web(config)# exit
- host1/VC_web#
Configuring the Server-Side VLAN Interface from the CLI
Next, you can configure a server-side VLAN interface, the interface through which traffic is sent to the real servers, as illustrated in Figure 12. Configure the server-side VLAN interface by following these steps:
1. Access interface configuration mode for VLAN 500.
- host1/VC_web# config
- host1/VC_web(config)# interface vlan 500
- host1/VC_web(config-if)#
2. Assign an IP address of 10.10.50.1 and a subnet mask of 255.255.255.0 to the VLAN interface for server-side connectivity.
- host1/VC_web(config-if)# ip address 10.10.50.1 255.255.255.0
3. (Optional) Provide a description for the interface.
- host1/VC_web(config-if)# description Server connectivity on VLAN 500
4. Enable the VLAN interface.
- host1/VC_web(config-if)# no shutdown
5. Configure a NAT pool.
- host1/VC_web(config-if)# nat-pool 1 10.10.50.101 10.10.50.104 netmask 255.255.255.0
6. Show that VLAN 500 is active.
- host1/VC_web(config-if)# do show interface vlan 500
7. Display the ARP table.
- host1/VC_web(config-if)# do show arp
8. Exit configuration mode.
- host1/VC_web(config-if)# exit
- host1/VC_web(config)# exit
- host1/VC_web#
In this section, you have partitioned your ACE into an Admin context and a user context VC_web. Each of the virtual contexts is now associated with a resource class that is appropriate to its intended use. You have also configured a management VLAN interface, as well as the client and server VLAN interfaces to the user context.
In the next section, you will configure an access control list to secure your network.