Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance

From DocWiki

Revision as of 14:48, 2 December 2008 by Kkroeber (Talk | contribs)

This section describes how to set up a Cisco 4700 Series Application Control Engine (ACE) appliance.


Guide Contents
Overview
Setting Up the ACE Appliance (this section)
Creating a Virtual Context
Configuring Access Control Lists
Configuring Role-Based Access Control
Configuring Server Load Balancing
Configuring a Load-Balancing Predictor
Configuring Server Persistence Using Stickiness
Configuring SSL Security
Configuring Health Monitoring Using Health Probes

Overview

After reading this section, you should have a basic understanding of how to configure an ACE appliance with the networking parameters it needs to communicate with a management device, so that you can go on to configure server load balancing.

After some initial setup using the CLI, you can complete the procedures in this section using the Device Manager GUI.

Before performing the procedures in this section, make sure that you complete the ACE installation instructions as described in the Cisco ACE 4710 Appliance Hardware Installation Guide.

Configuring an ACE involves the following basic steps:

1. Establish a console connection to the ACE.

2. Enable management connectivity to the ACE through a Gigabit Ethernet port.

3. Log in to the ACE.

4. Configure a second Gigabit Ethernet port for client-side connectivity.

5. Configure a third Gigabit Ethernet port for server-side connectivity.

This section describes how to set up an ACE appliance using the example network setup illustrated in Figure 1.


Figure 1 Example Network Setup



The configuration of the example setup is as follows:

  • VLAN 1000 is assigned to the first Gigabit Ethernet port and is used for management traffic for both the Admin context and a user context.
Note A virtual local area network (VLAN) is a logical segment of a switched network. Devices in the same VLAN receive each other's broadcast traffic; devices in different VLANs do not exchange packets unless a Layer 3 device routes between them. VLANs let you keep management, client, and server traffic separate on the same physical switch.
  • VLAN 400 is assigned to the second Gigabit Ethernet port and is used for client-side traffic.
  • VLAN 500 is assigned to the third Gigabit Ethernet port and is used for server-side traffic.
  • None of the three Gigabit Ethernet ports used are trunked.
  • A management VLAN interface is configured for the Admin context with VLAN 1000 and IP address 172.25.91.110.
  • A management VLAN interface is configured for the user context VC_web with VLAN 1000 and IP address 172.25.91.111.
  • A client-side VLAN interface is configured for the user context VC_web with VLAN 400 and IP address 10.10.40.10.
  • A server-side VLAN interface is configured for the user context VC_web with VLAN 500 and IP address 10.10.50.1.
  • Four web servers are available to the ACE for load-balancing client requests.

Establishing a Console Connection on the ACE

The ACE has one standard RS-232 serial port on its rear panel that operates as the console port. You can establish a direct serial connection between the ACE and your terminal (or a PC with terminal software) by making a serial connection to this console port. The integrated serial port accepts a 9-pin female D shell connector. Use a straight-through cable to connect the ACE to the terminal or a PC. See the Cisco ACE 4710 Appliance Hardware Installation Guide for more instructions on connecting a console cable to your ACE appliance.

The ACE appliance has four physical Ethernet interface ports. All VLANs are assigned to these ports. The four Ethernet ports provide the physical connection between the ACE and the servers, PCs, routers, and other devices. You can configure the Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. After the VLANs are assigned, you can configure the corresponding VLAN interfaces so that the ACE can provide different networking functions for different VLANs.

Note Only the Admin context is directly accessible through the console port; all other contexts can be accessed through Telnet or SSH sessions on the Ethernet ports.

After making the console connection, you can use any terminal communications application to access the ACE CLI.

Note If the appliance is not on, press the power button on the front of the ACE to start the boot process (see the Cisco ACE 4710 Appliance Hardware Installation Guide for details).

Access the ACE CLI using HyperTerminal for Windows by following these steps:

1. Launch HyperTerminal.

The Connection Description window appears (Figure 2).


Figure 2 HyperTerminal—Connection Description


2. Enter a name for your connection in the Name field.

3. Click OK. The Connect To window appears (Figure 3).


Figure 3 HyperTerminal—Connect To


4. From the Connect using drop-down list, choose the COM port to which the device is connected.

5. Click OK. The Port Properties window appears (Figure 4).


Figure 4 HyperTerminal—Port Properties


6. Set the port properties:

  • Bits per second = 9600
  • Data bits = 8
  • Parity = none
  • Stop bits = 1
  • Flow control = None

7. Click OK to connect.

Enabling Management Connectivity Using the Setup Script

When you boot the ACE for the first time and the ACE does not detect a startup configuration file, a setup script guides you through the process of configuring a management VLAN on the ACE through one of its Gigabit Ethernet ports to enable connectivity to the Device Manager GUI.

After running the setup script, the management VLAN is allocated to the specified Gigabit Ethernet port and the VLAN interface is configured on the ACE, as illustrated in Figure 5.


Figure 5 Configuration After the Setup Script is Executed



Configure the ACE using the setup script by following these steps:

1. At the login prompt, log into the ACE by entering the login username admin and password. By default, the username and password are admin. For example, enter:

Starting sysmgr processes.. Please wait...Done!!!
switch login: admin
Password: admin

2. At the Enter the new password for “admin”: prompt, change the default Admin password. If you do not change the default Admin password, after you upgrade the ACE software you will only be able to log in to the ACE through the console port.

Enter the new password for “admin”: xxxxx
Confirm the new password for “admin”: xxxxx
admin user password successfully changed.

3. At the Enter the new password for “www”: prompt, change the default www user password. If you do not change the default www user password, the www user is disabled and you cannot use Extensible Markup Language (XML) to remotely configure the ACE until you change it.

Enter the new password for “www”: xxxxx
Confirm the new password for “www”: xxxxx
www user password successfully changed.
This script will perform the configuration necessary for a user to manage the ACE Appliance using the ACE Device Manager. The management port is a designated Ethernet port which has access to the same network as your management tools including the ACE Device Manager. You will be prompted for the Port Number, IP Address, Netmask and Default Route (optional).
Enter ‘ctrl-c’ at any time to quit the script
Caution At this point, decide whether you plan to configure the ACE using the Device Manager GUI or using the CLI. If your network uses trunked ports, or if VLAN 1000 is already in use on your network, bypass the following setup script and use the CLI as described in Setting Up an ACE Appliance Using the CLI.

4. At the “Would you like to enter the basic configuration dialog? (yes/no)” prompt, press Enter to continue the setup. To bypass setup and directly access the CLI, type no.

Would you like to enter the basic configuration dialog? (yes/no) [y]:
Note The ACE provides a default response in brackets [ ] for each question in the setup script. Accept the default response to a configuration prompt by pressing Enter.

5. Select port 1 to carry management VLAN communication by pressing Enter.

Enter the Ethernet port number to be used as the management port (1-4):? [1]:

6. Assign an IP address for the management VLAN interface by entering 172.25.91.110.

Enter the management port IP Address (n.n.n.n): [192.168.1.10]: 172.25.91.110

7. Accept the default subnet mask for the management VLAN interface by pressing Enter.

Enter the management port Netmask(n.n.n.n): [255.255.255.0]:

8. Assign the IP address of the gateway router (the next-hop address for this route) by entering 172.25.91.1.

Enter the default route next hop IP Address (n.n.n.n) or <enter> to skip this step: 172.25.91.1

9. Examine the entered values.

Summary of entered values:
Management Port: 1
Ip address 172.25.91.110
Netmask: 255.255.255.0
Default Route: 172.25.91.1

10. Review the configuration details by pressing d.

Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:
interface gigabitEthernet 1/1
switchport access vlan 1000
no shut
access-list ALL extended permit ip any any
class-map type management match-any remote_access
match protocol xml-https any
match protocol dm-telnet any
match protocol icmp any
match protocol telnet any
match protocol ssh any
match protocol http any
match protocol https any
match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.25.91.110 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ssh key rsa
ip route 0.0.0.0 0.0.0.0 172.25.91.1

11. Accept this configuration by pressing Enter; otherwise, press n.

Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:

12. After you select y, the following message appears.

Configuration successfully applied. You can now manage this ACE Appliance by entering the url 'https://172.25.91.110' into a web browser to access the Device Manager GUI.

After you have completed the setup script, the command prompt appears.

switch/Admin#

After you specify a Gigabit Ethernet port, a management IP address and netmask, and an optional default route, the setup script automatically applies the following default configuration:

  • The management VLAN (VLAN 1000) is allocated to the specified Ethernet port as an access VLAN.
  • An extended IP access list named ALL that permits IP traffic from any source to any destination (permit ip any any), applied inbound on the management VLAN interface.
  • A management class map that matches the protocols XML-HTTPS, DM-Telnet, ICMP, Telnet, SSH, HTTP, HTTPS, and SNMP from any source address, and a policy map that permits them on the management VLAN interface. HTTPS is used for connectivity with the Device Manager GUI.
  • A VLAN interface with the management IP address, an RSA SSH host key (ssh key rsa), and a default route to the specified next hop.

Because this policy accepts every management protocol, including cleartext Telnet, HTTP, and SNMP, from any source address, treat it as a bootstrap configuration. Once you have management connectivity, restrict the class map to the protocols and management subnet you actually use, following the pattern in Configuring Remote Management Access to the ACE from the CLI.

Assigning a Name to the ACE

The hostname is used for the command-line prompt and for default configuration filenames. When you have sessions open to multiple devices, the hostname helps you keep track of which ACE you are entering commands on. By default, the hostname of the ACE is switch.

For example, change the hostname of the ACE from switch to host1 by entering:

switch/Admin# config
switch/Admin(config)# hostname host1

The prompt appears with the new hostname.

host1/Admin(config)#


Setting Up an ACE Appliance Using the Device Manager GUI

You can set up an ACE appliance using the Device Manager GUI or the CLI. This section describes how to set up an ACE using the GUI, and includes the following sections:

  • Logging in to the ACE
  • Configuring a Second Gigabit Ethernet Interface Port
  • Configuring a Third Gigabit Ethernet Interface Port

Logging in to the ACE

You can access the ACE Device Manager GUI through a web-based interface. Log in to the Device Manager by following these steps:

1. Navigate to the ACE Device Manager by entering the secure HTTPS address or hostname of the ACE in the address field of a web browser. For the example setup shown earlier in Figure 1, enter:

https://172.25.91.110/

2. Your browser prompts you because it does not yet trust the certificate, signed by Cisco Systems, Inc., that the Device Manager presents. Confirm that the address bar shows the management IP address you entered in the setup script, because you are about to send the admin password over this connection, then click Yes to accept (trust) and install the certificate. Accepting the certificate avoids having to approve it every time you log in to the Device Manager.

The Device Manager GUI Login window appears (Figure 6).
Note Because this product is regularly updated, you may notice minor variations between the figures in this manual and the windows that appear in the software version you are running.


Figure 6 Device Manager GUI Login Window


3. In the User Name field, type admin for the admin user account.

4. In the Password field, type the new password that you entered in Step 2 in Enabling Management Connectivity Using the Setup Script.

5. Click Login. The default window that appears is the Virtual Contexts window with the Admin context listed, as shown in Figure 7.


Figure 7 Virtual Contexts Pane (Admin Context)

Configuring a Second Gigabit Ethernet Interface Port

You can configure a second Gigabit Ethernet interface port to connect to clients. For the example configuration, you will configure Gigabit Ethernet interface port 2 as illustrated in Figure 8 (previously configured settings are grayed out).


Figure 8 Configuring a Second Gigabit Ethernet Interface Port to Connect to Clients


Configure a second Gigabit Ethernet port by following these steps:

1. Choose Config > Virtual Contexts > Network > GigabitEthernet Interfaces. The GigabitEthernet Interfaces pane appears (Figure 9).

Note Only users authenticated in the Admin context can configure the Gigabit Ethernet interface ports.


Figure 9 GigabitEthernet Interfaces Pane—gigabitEthernet 1/2


2. In the GigabitEthernet Interfaces pane, choose gigabitEthernet 1/2, and then click Edit to define attributes for the port. The GigabitEthernet Interfaces window appears (Figure 10).


Figure 10 GigabitEthernet Interfaces Window—gigabitEthernet 1/2


3. Enter the following attributes for port 2. Leave the remaining attributes blank or with their default values.

  • Admin Status: Up
  • Speed: Auto
  • Port Operation Mode: Switchport
  • Switchport type: Access
  • Access Vlan: 400

4. Click Deploy Now to save these settings and to return to the GigabitEthernet Interfaces pane (Figure 11).


Figure 11 GigabitEthernet Interfaces Pane with Ethernet Port 2 Configured


Configuring a Third Gigabit Ethernet Interface Port

You can configure a third Gigabit Ethernet interface port to connect to the servers. For the example configuration, you will configure Gigabit Ethernet interface port 3 as illustrated in Figure 12 (previously configured settings are grayed out.)


Figure 12 Configuring a Third Gigabit Ethernet Interface Port to Connect to the Servers


Configure a third Gigabit Ethernet port by following these steps:

1. In the GigabitEthernet Interfaces pane, choose gigabitEthernet 1/3, and then click Edit to define attributes for the port. The GigabitEthernet Interfaces window appears (see Figure 10).

2. Enter the following attributes for port 3. Leave the remaining attributes blank or with their default values.

  • Admin Status: Up
  • Speed: Auto
  • Port Operation Mode: Switchport
  • Switchport type: Access
  • Access VLAN: 500

3. Click Deploy Now to save these settings and to return to the GigabitEthernet Interfaces pane (Figure 13).


Figure 13 GigabitEthernet Interfaces Pane with Ethernet Port 3 Configured

Setting Up an ACE Appliance Using the CLI

You can set up an ACE appliance using the Device Manager GUI or the CLI. This section describes how to set up an ACE using the CLI, and includes the following sections:

  • Logging in to the ACE Using the CLI
  • Configuring the First Gigabit Ethernet Port from the CLI
  • Allocating the First Gigabit Ethernet Port to a VLAN from the CLI
  • Configuring a Management VLAN Interface on the ACE from the CLI
  • Configuring a Second Gigabit Ethernet Interface Port from the CLI
  • Configuring a Third Gigabit Ethernet Interface Port from the CLI
  • Configuring Remote Management Access to the ACE from the CLI
  • Accessing the ACE through a Telnet Session

Logging in to the ACE Using the CLI

After you have established a direct serial connection between the ACE and your terminal or a PC (see Establishing a Console Connection on the ACE), you can set up the ACE using the CLI.

When the setup script displays the “Would you like to enter the basic configuration dialog? (yes/no):” prompt, enter no to access the CLI. Log in to the ACE by following these steps:

1. At the login prompt, enter admin. For the password, type the new password that you entered in Step 2 in Enabling Management Connectivity Using the Setup Script.

host1 login: admin
Password: xxxxx

You are ready to use the ACE CLI when the following prompt appears.

host1/Admin#

2. Set the terminal session-timeout command to 0 to prevent the current session from timing out while you work through the setup. By default, a session on the ACE is automatically logged out after 5 minutes of inactivity. The setting applies to the current session only; because it disables the idle logout, use it on the console during initial setup and log out explicitly when you finish.

host1/Admin# terminal session-timeout 0
host1/Admin#


Configuring the First Gigabit Ethernet Port from the CLI

You can configure a Gigabit Ethernet interface port for the ACE management traffic. For the example configuration, you will configure Gigabit Ethernet interface port 1. Configure the first Gigabit Ethernet port by following these steps:

1. Configure a Layer 2 Gigabit Ethernet port on the ACE by using the interface gigabitEthernet slot_number/port_number command in configuration mode.

Note The slot_number specifies the physical slot on the ACE that contains the Ethernet ports. For the current release of the ACE appliance, this selection is always 1.
Configure Gigabit Ethernet port 1 and enter interface configuration mode by entering:
host1/Admin# config
host1/Admin(config)# interface gigabitEthernet 1/1
host1/Admin(config-if)#

2. Enable the Gigabit Ethernet port by using the no shutdown command in interface configuration mode. Disable a running Gigabit Ethernet port by using the shutdown command; bring one up by using the no shutdown command.

host1/Admin(config-if)# no shutdown

3. Display the configuration of the interface by using the do command with the show interface command.

host1/Admin(config-if)# do show interface gigabitEthernet 1/1


Allocating the First Gigabit Ethernet Port to a VLAN from the CLI

After you configure a Gigabit Ethernet port, the next step is to allocate it to a VLAN. For the example configuration, you will allocate the first Gigabit Ethernet port to VLAN 1000, as illustrated in Figure 14 (previously configured settings are grayed out).


Figure 14 Allocating the First Gigabit Ethernet Port to a VLAN



Allocate the port to a VLAN by following these steps:

1. Assign the VLAN to the Gigabit Ethernet port. Because the example ports are not trunked, use the switchport access vlan vlan_number command in interface configuration mode, which makes the port an access port carrying a single VLAN. If the port connects to a trunk instead, use the switchport trunk allowed vlan vlan_list command. The vlan_list argument can include:

  • A single VLAN number
  • Beginning and ending VLAN numbers separated by a hyphen
  • Specific VLAN numbers separated by commas
Valid entries are 1 through 4094. Do not enter any spaces in a hyphenated range or in a comma-separated list of numbers in the vlan_list argument.
Note You can associate a VLAN number with only one Gigabit Ethernet port.
Assign VLAN 1000 to Gigabit Ethernet port 1 by entering:
host1/Admin(config)# interface gigabitEthernet 1/1
host1/Admin(config-if)# switchport access vlan 1000

2. Enable VLAN access for the specified Layer 2 Gigabit Ethernet port by using the no shutdown command in interface configuration mode.

host1/Admin(config-if)# no shutdown
host1/Admin(config-if)# exit
host1/Admin(config)#


Configuring a Management VLAN Interface on the ACE from the CLI

You can provide management connectivity to the ACE by assigning an IP address to the VLAN interface on the ACE. For the example configuration, you will assign an IP address 172.25.91.110 and a subnet mask of 255.255.255.0 to VLAN 1000, as illustrated in Figure 15 (previously configured settings are grayed out).


Figure 15 Configuring a Management VLAN Interface on the ACE



Configure a VLAN interface on the ACE by following these steps:

1. Access interface configuration mode for the VLAN 1000.

host1/Admin(config)# interface vlan 1000
host1/Admin(config-if)#

2. Assign an IP address of 172.25.91.110 and a subnet mask of 255.255.255.0 to the VLAN interface for management connectivity.

host1/Admin(config-if)# ip address 172.25.91.110 255.255.255.0

3. (Optional) Provide a description for the interface.

host1/Admin(config-if)# description Management connectivity on VLAN 1000

4. Enable the VLAN interface.

host1/Admin(config-if)# no shutdown

5. Display the configuration of VLAN 1000.

host1/Admin(config-if)# do show interface vlan 1000

6. Verify network connectivity by using the ping command. This command verifies the connectivity of a remote host or server by sending echo messages from the ACE. Ping a host on the management network rather than the ACE's own address; for the example setup, ping the gateway router at 172.25.91.1.

host1/Admin(config-if)# do ping 172.25.91.1

7. Exit the interface configuration mode.

host1/Admin(config-if)# exit
host1/Admin(config)#


Configuring a Second Gigabit Ethernet Interface Port from the CLI

You can configure a second Gigabit Ethernet interface port to connect to clients. For the example configuration, you will configure Gigabit Ethernet interface port 2 as illustrated in Figure 8. Configure the second Gigabit Ethernet Interface port by following these steps:

1. Assign VLAN 400 as the access VLAN for Gigabit Ethernet port 2.

host1/Admin(config)# interface gigabitEthernet 1/2
host1/Admin(config-if)# switchport access vlan 400

2. Enable the Gigabit Ethernet port.

host1/Admin(config-if)# no shutdown
host1/Admin(config-if)# exit
host1/Admin(config)#


Configuring a Third Gigabit Ethernet Interface Port from the CLI

You can configure a third Gigabit Ethernet interface port to connect to the servers. For the example configuration, you will configure Gigabit Ethernet interface port 3 as illustrated in Figure 12. Configure the third Gigabit Ethernet Interface port by following these steps:

1. Assign VLAN 500 as the access VLAN for Gigabit Ethernet port 3.

host1/Admin(config)# interface gigabitEthernet 1/3
host1/Admin(config-if)# switchport access vlan 500

2. Enable the Ethernet port.

host1/Admin(config-if)# no shutdown
host1/Admin(config-if)# exit
host1/Admin(config)#


Configuring Remote Management Access to the ACE from the CLI

Before remote network access can occur on the ACE through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE. Configure remote management access to the ACE by following these steps:

1. Create a management-type class map named REMOTE_ACCESS. The match-any keyword means that traffic matching any one of the match statements you add in Step 3 belongs to the class.

host1/Admin(config)# class-map type management match-any REMOTE_ACCESS
host1/Admin(config-cmap-mgmt)#

2. (Optional) Provide a description for the class map.

host1/Admin(config-cmap-mgmt)# description Remote access traffic match

3. Configure the match protocol to permit traffic based on the SSH, Telnet, and ICMP protocols for any source address.

host1/Admin(config-cmap-mgmt)# match protocol ssh any
host1/Admin(config-cmap-mgmt)# match protocol telnet any
host1/Admin(config-cmap-mgmt)# match protocol icmp any
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#

4. Create a REMOTE_MGMT_ALLOW_POLICY policy map for traffic destined to an ACE interface.

host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#

5. Apply the previously created REMOTE_ACCESS class map to this policy.

host1/Admin(config-pmap-mgmt)# class REMOTE_ACCESS
host1/Admin(config-pmap-mgmt-c)#

6. Allow the ACE to receive the configured class map management protocols.

host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#

7. Access interface configuration mode for the VLAN to which you want to apply the policy map.

host1/Admin(config)# interface vlan 1000
host1/Admin(config-if)#

8. Apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.

host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

9. Display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface.

host1/Admin(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY
Status  : ACTIVE
-----------------------------------------
Interface: vlan 1000
service-policy: REMOTE_MGMT_ALLOW_POLICY

10. Save your configuration changes from the running configuration to the startup configuration.

host1/Admin(config-if)# do copy running-config startup-config
Generating configuration....
running config of context Admin saved
host1/Admin(config-if)# exit
host1/Admin(config)# exit

11. Display the running configuration.

host1/Admin(config)# do show running-config
Generating configuration....
class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
interface vlan 1000
description Management connectivity on VLAN 1000
ip address 172.25.91.110 255.255.255.0
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
interface vlan 400
description client connectivity on VLAN 400
ip address 10.10.40.10 255.255.255.0
no shutdown
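The class map built in this section permits Telnet from any source address, and the one the setup script generates (shown under Enabling Management Connectivity Using the Setup Script) additionally permits HTTP, SNMP, and DM-Telnet from any source. As an added example that is not part of the Cisco guide, the following Python script audits the text of an ACE running configuration for such matches and renders a replacement class map restricted to SSH, HTTPS, and ICMP from a management subnet. The embedded sample configuration is constructed from the setup-script output on this page; the management subnet 172.25.91.0/24 is an assumption based on the example addresses, and the match protocol ... source-address form is the ACE syntax for limiting a management match to a source network.

```python
"""Audit ACE management class maps for permissive matches.

Added example (not part of the Cisco ACE guide). Parses the text of an ACE
running configuration, reports management protocols that are cleartext or
permitted from any source, and renders a tightened replacement class map.
"""
import re

# Constructed sample: the management policy generated by the ACE setup
# script (taken from the setup-script output on this page), plus the ACL.
SAMPLE_CONFIG = """\
access-list ALL extended permit ip any any
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol dm-telnet any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 1000
  ip address 172.25.91.110 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
"""

# Protocols that send credentials in the clear (Telnet, HTTP, the Device
# Manager's dm-telnet) or rely on a community string (SNMP).
CLEARTEXT_PROTOCOLS = {"telnet", "dm-telnet", "http", "snmp"}

CLASS_MAP_RE = re.compile(r"^class-map type management (match-any|match-all) (\S+)\s*$")
# Match lines may carry an ACE sequence number, e.g. "2 match protocol ssh any".
MATCH_RE = re.compile(
    r"^\s*(?:\d+\s+)?match protocol (\S+) (any|source-address \S+ \S+)\s*$"
)
# Lines that continue a class-map block even when the config is not indented
# (as in console output pasted into a file).
CONTINUATION_RE = re.compile(r"^\s*(?:\d+\s+)?(?:match|description)\b")


def parse_management_class_maps(config_text):
    """Return {class_map_name: [(protocol, source), ...]}.

    'source' is the literal "any" or the "source-address A.B.C.D M.M.M.M"
    string. Everything outside management class maps is ignored.
    """
    class_maps = {}
    current = None
    for line in config_text.splitlines():
        header = CLASS_MAP_RE.match(line)
        if header:
            current = header.group(2)
            class_maps[current] = []
            continue
        if current is None or not line.strip():
            continue
        match = MATCH_RE.match(line)
        if match:
            class_maps[current].append((match.group(1), match.group(2)))
        elif not line[0].isspace() and not CONTINUATION_RE.match(line):
            current = None  # a new top-level statement ends the block
    return class_maps


def audit(config_text):
    """Return findings as (class_map, protocol, reason) tuples."""
    findings = []
    for name, matches in parse_management_class_maps(config_text).items():
        for proto, source in matches:
            if proto in CLEARTEXT_PROTOCOLS:
                findings.append((name, proto, "cleartext or weakly authenticated protocol"))
            if source == "any":
                findings.append((name, proto, "permitted from any source address"))
    return findings


def hardened_class_map(name, mgmt_net, mgmt_mask, protocols=("ssh", "https", "icmp")):
    """Render a class map allowing only `protocols` from the management subnet."""
    lines = ["class-map type management match-any %s" % name]
    for proto in protocols:
        lines.append("  match protocol %s source-address %s %s" % (proto, mgmt_net, mgmt_mask))
    return "\n".join(lines)


if __name__ == "__main__":
    for class_map, proto, reason in audit(SAMPLE_CONFIG):
        print("%s: %s: %s" % (class_map, proto, reason))
    # The management subnet is an assumption taken from the example addresses.
    print(hardened_class_map("remote_access", "172.25.91.0", "255.255.255.0"))
```

To audit a live device, paste the output of show running-config into a file and pass its contents to audit() instead of SAMPLE_CONFIG. Apply the rendered class map from the console session rather than over a remote session: the tightened policy no longer permits Telnet, so verify that SSH from the management subnet works before you close the console.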


Accessing the ACE through a Telnet Session

After you have completed the previous configurations, you can use Telnet to access the ACE through an Ethernet port by using its IP address. Telnet sends the admin username and password in cleartext. The class map you created also permits SSH, and the ACE accepts SSH connections once an RSA host key exists (the setup script generates one with ssh key rsa), so use an SSH client for routine administration and reserve Telnet for isolated lab networks. Access the ACE through Telnet by following these steps:

1. Initiate a Telnet session from a remote host to the ACE. For example, connect to the management VLAN interface address 172.25.91.110 by entering:

remote_host# telnet 172.25.91.110
Trying 172.25.91.110... Open

2. At the prompt, log in to the ACE. Enter admin as the user name and for the password, type the new password that you entered in the Step 2 in Enabling Management Connectivity Using the Setup Script.

host1 login: admin
Password: xxxxx

3. Display the Telnet session.

host1/Admin# show telnet

In this section, you have set up your ACE appliance so that you can use the ACE Device Manager or CLI to perform server load-balancing configuration tasks through a remote management interface. Next, you will create a user context for server load balancing.
