Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context

From DocWiki

Revision as of 20:04, 6 October 2008 by Kkroeber (Talk | contribs)

This section describes how to create a virtual context for the Cisco 4700 Series Application Control Engine (ACE) appliance.


Guide Contents
Overview
Setting Up an ACE Appliance
Creating a Virtual Context (this section)
Configuring Access Control Lists
Configuring Role-Based Access Control
Configuring Server Load Balancing
Configuring a Load-Balancing Predictor
Configuring Server Persistence Using Stickiness
Configuring SSL Security
Configuring Health Monitoring Using Health Probes


Overview

After reading this section, you should have a basic understanding of ACE appliance virtualization and be able to partition your ACE into multiple virtual devices or virtual contexts (VCs) for more efficient operation.

Virtualization allows you to create a virtual environment in which a single ACE is partitioned into multiple virtual devices, each functioning as an independent ACE appliance that is configured and managed independently.

You set up virtualization by performing the following configuration steps:

  • Configure resource allocation for a virtual context
  • Create a virtual context
  • Configure access to the virtual context


An example virtual environment is used throughout this guide: the user context VC_web carries the web traffic through the network and is associated with the custom resource class RC_web.

In this section, you will create a virtual context. In subsequent sections, you will create a virtual server within the virtual context. The virtual server is associated with a server farm and real servers. The example setup is illustrated in Table 1.


Table 1 Example Virtual Contexts

Virtual Context | Virtual Server | Server Farm | Real Servers
VC_web          | VS_web         | SF_web      | RS_web1, RS_web2, RS_web3, RS_web4


Before you begin configuring your ACE for virtualization, you should become familiar with a few concepts: virtual context, Admin and user contexts, and resource classes.

With ACE virtualization, you can create a virtual environment, called a virtual context, in which a single ACE appears as multiple virtual devices, each configured and managed independently. A virtual context allows you to closely and efficiently manage system resources, ACE users, and the services that you provide to your customers.

By default, the ACE initially provides you an Admin context, with the ability to define up to five user contexts. (With additional licenses, you can define up to 20 contexts.)

As the system administrator, you have full system administrator access to configure and manage the Admin context and all user contexts. Each context can also have its own administrator and log-in mechanism that provides access only to the specific context. When you log in to the ACE using the console or Telnet, you are authenticated in the Admin context.

Although virtualization allows you to create multiple contexts, in the physical world, you still have a single ACE with finite resources, such as the number of concurrent connections. To address this limitation, the ACE provides resource classes that allow you to manage each virtual context’s access to physical ACE resources. A resource class is a definition of what portion of an ACE’s overall resources will be assigned, at a minimum or maximum, to any given context. One resource class may be associated with one or more contexts.

The ACE is preconfigured with a default resource class for the Admin context. This default resource class is applied to all virtual contexts that you create. It allows a maximum of 100 percent access to all resources by all virtual contexts. When a resource is being used to its maximum limit, the ACE will deny additional requests for that resource from any other virtual contexts. To avoid oversubscribing resources and to help guarantee that resource availability is shared among multiple virtual contexts, you create custom resource classes and associate them with the virtual contexts you define.


Creating a Virtual Context Using the Device Manager GUI

This section describes how to create and configure a virtual context for server load balancing using the ACE Device Manager user interface and contains the following subsections:

  • Creating a Resource Class
  • Creating a Virtual Context
  • Configuring the Client-Side VLAN Interface
  • Configuring the Server-Side VLAN Interface


Creating a Resource Class

Create a resource class by following these steps:

1. Choose Config > Virtual Contexts > System > Resource Class. The Resource Classes pane appears (Figure 1).


Figure 1 Resource Classes Pane


2. Click Add. The New Resource Class window appears (Figure 2).


Figure 2 New Resource Class Window


3. Enter the following Resource Class attributes. Leave the remaining attributes blank or with their default values.

  • Name: RC_web
  • Default Min: 10
  • Default Max: Unlimited

4. Click Deploy Now. The Resource Classes pane appears with the newly added resource class (Figure 3).


Figure 3 Resource Classes Pane with a New Resource Class Added

Creating a Virtual Context

You can create a user context for server load-balancing purposes. For the example configuration, you will create a user context, VC_web, and configure a management VLAN interface to VLAN 1000, as illustrated in Figure 4 (previously configured settings are grayed out).


Figure 4 Creating a User Context


Create a virtual context by following these steps:

1. Choose Config > Virtual Contexts. The All Virtual Contexts pane appears (Figure 5).


Figure 5 All Virtual Contexts Pane


2. Click Add. The New Virtual Context window appears (Figure 6).


Figure 6 New Virtual Context Window


3. Enter the following virtual context attributes. Leave the remaining attributes blank or with their default values.

  • Name: VC_web
  • Resource Class: RC_web
  • Allocate-Interface VLANs: 110, 400, 500 (these VLANs allow the context to receive the associated traffic)
  • Description: Virtual context for marketing website
  • Policy Name: Management
  • VLANs to Use: 110 (this VLAN allows for remote management of the context)
  • Management IP: 172.25.91.111 (this IP address also allows for remote management of the context)
  • Management Netmask: 255.255.255.0
  • Protocols to Allow: SNMP (or any protocols that you allow for this virtual context)
  • Default Gateway IP: 172.25.91.1

4. Click Deploy Now to deploy this context. Then, choose Virtual Contexts. The window refreshes with the new virtual context listed in the All Virtual Contexts pane (Figure 7).


Figure 7 All Virtual Contexts Pane After VC_web is Added


Configuring the Client-Side VLAN Interface

You can now configure a client-side VLAN interface, which is the address to which client traffic is sent. For the example configuration, you will configure VLAN 400 (Figure 8).


Figure 8 Configuring the Client-Side VLAN Interface


Configure a client-side VLAN interface by following these steps:

1. Choose VC_web in the virtual contexts drop-down list.

2. Choose Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interfaces pane appears (Figure 9).


Figure 9 VLAN Interfaces Pane


3. Click Add to add a new VLAN interface. The VLAN Interfaces window appears (Figure 10).


Figure 10 VLAN Interfaces Window: VLAN 400


4. Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.

  • VLAN: 400
  • Description: Client-side VLAN interface
  • IP Address: 10.10.40.10
  • Netmask: 255.255.255.0
  • Admin Status: Up

5. Click Deploy Now at the bottom of the window to save your entry. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane (Figure 11).


Figure 11 VLAN Interface Pane with Two VLANs Configured


Configuring the Server-Side VLAN Interface

At this point, you can configure the server-side VLAN interface, which is the address to which server traffic is sent. For the example configuration, you will configure VLAN 500 and a NAT pool for the VLAN (Figure 12).

Note Network Address Translation (NAT) conserves IP addresses by allowing private networks that use unregistered addresses to reach the Internet through a small set of translated addresses. When you configure a NAT pool on the ACE, the ACE presents only the pool addresses to the far side of the connection, so the entire internal network is hidden behind those addresses. This provides both address conservation and a degree of protection, because internal addressing is never exposed directly.


Figure 12 Configuring the Server-Side VLAN Interface


Configure the VLAN interface by following these steps:

1. Make sure that VC_web is selected in the virtual contexts drop-down list.

2. Choose Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interfaces pane appears (see Figure 11).

3. Click Add to add a new VLAN interface. The VLAN Interfaces window appears (see Figure 10).

4. Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.

  • VLAN: 500
  • Description: Server-side VLAN interface
  • IP Address: 10.10.50.1
  • Netmask: 255.255.255.0
  • Admin Status: Up

5. Click Deploy Now at the bottom of the window to save your entry. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane.

6. Choose the row for VLAN 500, and then choose the NAT Pool tab. The NAT Pool pane appears (Figure 13).


Figure 13 NAT Pool Pane


7. Click Add to add a new NAT pool. The NAT Pool pane appears (Figure 14).


Figure 14 Configuring a NAT Pool


8. Enter the following NAT pool attributes. Leave the remaining attributes blank or with their default values.

  • NAT Id: 1
  • Start IP Address: 10.10.50.101
  • End IP Address: 10.10.50.104
  • Netmask: 255.255.255.0

9. Click Deploy Now at the bottom of the window to save your entry and return to the NAT Pool pane (Figure 15).


Figure 15 NAT Pool Pane with a NAT Pool Configured

Creating a Virtual Context Using the CLI

You can create a virtual context using the command-line interface. This section contains the following subsections:

  • Configuring a Resource Class from the CLI
  • Creating a Virtual Context from the CLI
  • Configuring a Management VLAN Interface to the User Context from the CLI
  • Configuring Remote Management Access to the User Contexts from the CLI
  • Configuring the Client-Side VLAN Interface from the CLI
  • Configuring the Server-Side VLAN Interface from the CLI


Configuring a Resource Class from the CLI

Configure a resource class by following these steps:

1. Using the console, log in to the ACE as the system administrator. For example, enter the following command at a command prompt.

Telnet 172.25.91.110

At the prompt, enter admin, then the new password that you entered in Step 2 of “Enabling Management Connectivity Using the Setup Script” in Setting Up an ACE Appliance.

host1 login: admin
Password: xxxxx

2. Enter configuration mode.

host1/Admin# config
host1/Admin(config)#

3. Configure a resource class that guarantees a context a minimum of 10 percent of the total resources available on the ACE, with no upper limit, and exit configuration mode.

host1/Admin(config)# resource-class RC_web
host1/Admin(config-resource)# limit-resource all minimum 10 maximum unlimited
host1/Admin(config-resource)# exit
host1/Admin(config)#


Creating a Virtual Context from the CLI

Create a virtual context by following these steps:

1. Create a new context.

host1/Admin(config)# context VC_web
host1/Admin(config-context)#

2. Associate three existing VLANs with the context so that the context can receive traffic classified for it.

host1/Admin(config-context)# allocate-interface vlan 1000
host1/Admin(config-context)# allocate-interface vlan 400
host1/Admin(config-context)# allocate-interface vlan 500

3. Associate the context with the resource class that you created in Configuring a Resource Class.

host1/Admin(config-context)# member RC_web

4. Change to the VC_web context that you created in Step 1 and exit configuration mode.

host1/Admin(config-context)# do changeto VC_web
host1/VC_web(config)# exit
host1/VC_web#

5. Display the virtual context configuration.

host1/VC_web# show running-config context

6. Display the resource class configuration.

host1/VC_web# show running-config resource-class


Configuring a Management VLAN Interface to the User Context from the CLI

You can provide management connectivity to the user context by assigning an IP address to the VLAN interface, as illustrated in Figure 4. Configure a management VLAN interface by following these steps:

1. Access interface configuration mode for VLAN 1000 in the VC_web context.

host1/VC_web# config
host1/VC_web(config)# interface vlan 1000
host1/VC_web(config-if)#

2. Assign an IP address of 172.25.91.111 and a subnet mask of 255.255.255.0 to the VLAN interface for management connectivity.

host1/VC_web(config-if)# ip address 172.25.91.111 255.255.255.0

3. Enable the VLAN interface.

host1/VC_web(config-if)# no shutdown

4. Show that VLAN 1000 is active.

host1/VC_web(config-if)# do show interface vlan 1000

5. Verify network connectivity.

host1/VC_web(config-if)# do ping 172.25.91.111

6. Display the ARP table.

Note The Address Resolution Protocol (ARP) allows the ACE to manage and learn the mapping of IP to Media Access Control (MAC) information to forward and transmit packets.

host1/VC_web(config-if)# do show arp

7. Exit configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit
host1/VC_web#


Configuring Remote Management Access to the User Contexts from the CLI

Before remote network access can occur on the user context through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE. Configure remote management access by following these steps:

1. Create a management type class map named REMOTE_ACCESS that matches traffic meeting any one of the criteria you add to it.

host1/VC_web# config
host1/VC_web(config)# class-map type management match-any REMOTE_ACCESS
host1/VC_web(config-cmap-mgmt)#

2. (Optional) Provide a description for the class map.

host1/VC_web(config-cmap-mgmt)# description Remote access traffic match

3. Configure the match protocol to permit traffic based on the SSH, Telnet, and ICMP protocols for any source address.

host1/VC_web(config-cmap-mgmt)# match protocol ssh any
host1/VC_web(config-cmap-mgmt)# match protocol telnet any
host1/VC_web(config-cmap-mgmt)# match protocol icmp any
host1/VC_web(config-cmap-mgmt)# exit
host1/VC_web(config)#

4. Create a REMOTE_MGMT_ALLOW_POLICY policy map for traffic destined to an ACE interface.

host1/VC_web(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/VC_web(config-pmap-mgmt)#

5. Apply the REMOTE_ACCESS class map to this policy.

host1/VC_web(config-pmap-mgmt)# class REMOTE_ACCESS
host1/VC_web(config-pmap-mgmt-c)#

6. Allow the ACE to receive the configured class map management protocols.

host1/VC_web(config-pmap-mgmt-c)# permit
host1/VC_web(config-pmap-mgmt-c)# exit
host1/VC_web(config-pmap-mgmt)# exit
host1/VC_web(config)#

7. Access interface configuration mode for the VLAN to which you want to apply the policy map.

host1/VC_web(config)# interface vlan 1000
host1/VC_web(config-if)#

8. Apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.

host1/VC_web(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

9. Display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface.

host1/VC_web(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY

10. Copy your configuration changes from the running configuration to the startup configuration.

host1/VC_web(config-if)# do copy running-config startup-config
Generating configuration....
running config of context VC_web saved
host1/VC_web(config-if)# exit
host1/VC_web(config)# exit

11. Display the running configuration.

host1/VC_web(config)# do show running-config
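Added here as a worked example, not Cisco code or anything from the guide: a small Python audit that reads configuration text in the form the CLI steps above produce and checks the two points this section makes, namely the resource-class minimums guaranteed to member contexts (a total above 100 percent is oversubscribed) and the protocols a management policy actually permits on an interface. The sample configuration is constructed from the commands on this page; the second context VC_other and class RC_other are hypothetical additions.

```python
import re
from collections import defaultdict
# Constructed sample in the form the CLI steps above produce; VC_other / RC_other
# are hypothetical additions so the budget check has two contexts to add up.
ADMIN_CONFIG = """\
resource-class RC_web
  limit-resource all minimum 10 maximum unlimited
resource-class RC_other
  limit-resource all minimum 95 maximum unlimited
context VC_web
  member RC_web
context VC_other
  member RC_other
"""
VC_WEB_CONFIG = """\
class-map type management match-any REMOTE_ACCESS
  match protocol ssh any
  match protocol telnet any
  match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
interface vlan 1000
  service-policy input REMOTE_MGMT_ALLOW_POLICY
"""
SECTION = re.compile(r"(?:class-map type management \S+|policy-map type management \S+|interface vlan) (\S+)")

def guaranteed_minimum_total(admin_cfg):
    """Sum each context's class minimum; one count per member context, >100 is oversubscribed."""
    minimums, members, current = {}, {}, None
    for line in admin_cfg.splitlines():
        if m := re.match(r"(?:resource-class|context) (\S+)", line):
            current = m.group(1)            # name of the section being parsed
        elif m := re.match(r"\s+limit-resource all minimum (\S+)", line):
            minimums[current] = float(m.group(1))
        elif m := re.match(r"\s+member (\S+)", line):
            members[current] = m.group(1)   # context -> resource class
    return sum(minimums.get(rc, 0.0) for rc in members.values())

def permitted_management_protocols(ctx_cfg):
    """Map VLAN -> protocols permitted via interface -> policy-map -> class-map -> match."""
    cmap, permits, iface = defaultdict(set), defaultdict(set), {}
    name = cls = None
    for line in ctx_cfg.splitlines():
        if m := SECTION.match(line):
            name = m.group(1)               # class-map, policy-map or VLAN name
        elif m := re.match(r"\s+match protocol (\S+)", line):
            cmap[name].add(m.group(1))
        elif m := re.match(r"\s+class (\S+)", line):
            cls = m.group(1)                # class referenced inside a policy-map
        elif re.match(r"\s+permit$", line):
            permits[name].add(cls)
        elif m := re.match(r"\s+service-policy input (\S+)", line):
            iface[name] = m.group(1)        # VLAN -> applied policy-map
    return {vlan: set().union(*(cmap[c] for c in permits[pmap]))
            for vlan, pmap in iface.items()}
```

Comparing the set returned for VLAN 1000 against the protocols you intend to allow turns this into a quick check that, for example, Telnet is not reachable on an interface where only SSH was meant to be.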


Configuring the Client-Side VLAN Interface from the CLI

At this point, you can configure a client-side VLAN interface, the address to which the client traffic is sent, as illustrated in Figure 8. Configure a client-side VLAN interface by following these steps:

1. Access interface configuration mode for the VLAN 400.

host1/VC_web(config)# interface vlan 400
host1/VC_web(config-if)#

2. Assign an IP address of 10.10.40.1 and a subnet mask of 255.255.255.0 to the VLAN interface for client connectivity.

host1/VC_web(config-if)# ip address 10.10.40.1 255.255.255.0

3. (Optional) Provide a description for the interface.

host1/VC_web(config-if)# description Client connectivity on VLAN 400

4. Enable the VLAN interface.

host1/VC_web(config-if)# no shutdown

5. Show that VLAN 400 is active.

host1/VC_web(config-if)# do show interface vlan 400

6. Display the ARP table.

host1/VC_web(config-if)# do show arp

7. Exit configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit
host1/VC_web#


Configuring the Server-Side VLAN Interface from the CLI

Next, you can configure a server-side VLAN interface, the address to which the server traffic is sent, as illustrated in Figure 12. Configure the server-side VLAN interface by following these steps:

1. Access interface configuration mode for the VLAN 500.

host1/VC_web# config
host1/VC_web(config)# interface vlan 500
host1/VC_web(config-if)#

2. Assign an IP address of 10.10.50.1 and a subnet mask of 255.255.255.0 to the VLAN interface for server-side connectivity.

host1/VC_web(config-if)# ip address 10.10.50.1 255.255.255.0

3. (Optional) Provide a description for the interface.

host1/VC_web(config-if)# description Server connectivity on VLAN 500

4. Enable the VLAN interface.

host1/VC_web(config-if)# no shutdown

5. Configure a NAT pool.

host1/VC_web(config-if)# nat-pool 1 10.10.50.101 10.10.50.104 netmask 255.255.255.0

6. Show that VLAN 500 is active.

host1/VC_web(config-if)# do show interface vlan 500

7. Display the ARP table.

host1/VC_web(config-if)# do show arp

8. Exit configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)# exit
host1/VC_web#

In this section, you have partitioned your ACE into an Admin context and a user context VC_web. Each of the virtual contexts is now associated with a resource class that is appropriate to its intended use. You have also configured a management VLAN interface, as well as the client and server VLAN interfaces to the user context.

In the next section, you will configure an access control list to secure your network.
