DocWiki - User contributions [en]

Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Access Control Lists

2011-09-20T15:03:30Z

Kkroeber: /* Maximum Number of ACL Entries */

This article describes security access control lists (ACLs) in the ACE, how to configure them, and troubleshooting steps to follow if you encounter problems with ACLs.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Troubleshooting Guide|Main Article]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Overview of ACE Troubleshooting|Overview of ACE Troubleshooting]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Preliminary ACE Troubleshooting|Preliminary ACE Troubleshooting]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Ethernet Ports|Troubleshooting ACE Appliance Ethernet Ports]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Compression|Troubleshooting Compression]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits|ACE Resource Limits]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Managing Resources|Managing ACE Resources]] [[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Show Counter Reference|Show Counter Reference]] 
|}

__TOC__

== Overview of Security Access Control Lists ==

An ACL consists of a series of statements called ACL entries that define the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) from and to the parts of your network specified in the entry. Each entry also contains a filter element that is based on criteria such as the source address, the destination address, the protocol, and protocol-specific parameters such as ports and so on.

An implicit deny-all entry exists at the end of each ACL, so you must configure an ACL on each interface that you want to permit connections. Otherwise, the ACE denies all traffic on the interface.

ACLs allow you to control network connection setups rather than processing each packet. Such ACLs are commonly referred to as security ACLs.
You can configure ACLs as parts of other features (for example, security, Network Address Translation (NAT), server load balancing (SLB), and so on). The ACE merges these individual ACLs into one large ACL called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can result in multiple actions.

{{note|You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces. You can apply EtherType ACLs only in the inbound direction and only on Layer 2 interfaces.}}

=== ACL Types and Uses ===

You can configure the following two types of ACLs in the ACE:

* Extended—Control network access for IP traffic (Layer 3 and Layer 4)
* EtherType—Control network access for non-IP traffic on Layer 2 interfaces

The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do not specify ports in an extended ACL. For details about configuring an extended ACL, see the “Configuring an Extended ACL” section.

=== ACL Configuration Guidelines ===

This section describes the guidelines to observe when you configure and use ACLs in your network. It contains the following topics:

* ACL Entry Order
* ACL Implicit Deny
* Maximum Number of ACL Entries

==== ACL Entry Order ====

An ACL consists of one or more entries. Depending on the ACL type, you can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type, the ICMP code, or the EtherType as the match criteria. By default, the ACE appends each ACL entry at the end of the ACL. You can also indicate the location of each entry within an ACL by specifying a line number.

The order of the entries is important. When the ACE decides whether to accept or refuse a connection, the ACE tests the packet against each ACL entry in the order in which the entries are listed. After it finds a match, the ACE does not check any more entries. For example, if you create an entry at the beginning of an ACL that explicitly permits all traffic, the ACE does not check any other statements in the ACL.

{{note|If there is a deny statement for packets coming to the Control Plane (CP), then the ACE skips to the next ACL entry.}}

==== ACL Implicit Deny ====

All ACLs have an implicit deny entry at the end of the ACL, so, unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ACE except for those users with particular IP addresses, then you must deny the particular IP addresses in one entry and permit all other IP addresses in another entry.

==== Maximum Number of ACL Entries ====

ACLs are used in ACE as conventional access-groups, and also for use in class maps. The ACLs are converted into trees of different data structures called nodes, which are merged into a single tree instance that consists of nodes of one type called Policy Action Nodes (PANs). This merged tree is then transferred to the dataplane. A tree is created for each instance, and an instance is defined as a VLAN interface in either the input or output direction. Therefore, all ACLs that are applied to a given VLAN and a given direction contribute to the node usage for that instance.

The ACE supports a maximum of 256,000 Policy Action Nodes (PANs) entries. Some ACLs use more memory than others, such as an ACL that uses large port number ranges or overlapping networks (for example, one entry specifies 10.0.0.0/8 and another entry specifies 10.1.1.0/24). Depending on the type of ACL, the actual limit that the ACE can support may be less than 256,000 PANs entries.

If you use object groups in ACL entries, you enter fewer actual ACL entries, but the same number of expanded ACL entries as you did when you entered entries without object groups. Expanded ACL entries count toward the system limit. To view the number of expanded ACL entries in an ACL, use the '''show access-list name''' command.

If you exceed the memory limitations of the ACE, it generates a syslog message and increments the Download Failures counter in the output of the '''show interface vlan''' ''number'' command. The configuration remains in the running-config file and the interface stays enabled. The ACL entries stay the same as they were before the failing configuration was attempted.

For example, if you add a new ACL with ten entries, but the addition of the sixth entry fails because the ACE runs out of memory, the ACE removes the five entries that you successfully entered.

{{note|You must allocate sufficient ACL memory resources for each virtual context in the ACE. The ACE does not generate a syslog if you exceed the maximum number of ACL entries.}}

== Configuring ACLs ==

You can configure ACLs in one of two ways:

* Using the '''access-list''' command in configuration mode
* Using the '''match access-list''' command in a Layer 3 and Layer 4 class map

You can permit or deny network connections based on the IP protocol, source and destination IP addresses, and TCP or UDP ports. To configure a non-ICMP extended ACL, enter the following command:

'''access-list''' ''name'' [''line number''] '''extended''' {'''deny''' | '''permit'''} {'''protocol''' {'''any''' | '''host''' ''src_ip_address'' | ''src_ip_address'' ''netmask'' | '''object-group''' ''net_obj_grp_name''} [''operator'' ''port1'' [''port2'']] {'''any''' | ''host dest_ip_address'' | ''dest_ip_address netmask'' | '''object-group''' ''net_obj_grp_name''} [''operator port3'' [''port4'']]}
| {'''object-group''' ''service_obj_grp_name''} {'''any''' | ''host src_ip_address'' | ''src_ip_address netmask'' | '''object-group''' ''net_obj_grp_name''} {'''any''' | ''host dest_ip_address'' | ''dest_ip_address netmask'' | '''object-group''' ''net_obj_grp_name''}

You can also permit or deny network connections based on the ICMP type (for example, echo, echo-reply, unreachable, and so on). To configure an ICMP extended ACL, enter the following command:

'''access-list''' ''name'' [''line number''] '''extended''' {'''deny''' | '''permit'''} {'''icmp''' {'''any''' | '''host''' ''src_ip_address'' | ''src_ip_address'' ''netmask'' | '''object-group''' ''net_obj_grp_name''} {'''any''' | ''host dest_ip_address'' | ''dest_ip_address netmask'' | '''object-group''' ''net_obj_grp_name''} [''icmp-type'' '''code''' [''operator code1'' [''code2'']]]}
| {'''object-group''' ''service_obj_grp_name''} {'''any''' | ''host src_ip_address'' | ''src_ip_address netmask'' | '''object-group''' ''net_obj_grp_name''} {'''any''' | ''host dest_ip_address'' | ''dest_ip_address netmask'' | '''object-group''' ''net_obj_grp_name''}

You can configure an ACL that controls traffic based on its EtherType. An EtherType is a subprotocol identifier. EtherType ACLs support Ethernet V2 frames; they do not do not support 802.3-formatted frames. To configure an Ethertype ACL, enter the following command:

'''access-list''' ''name'' '''ethertype''' {'''deny''' | '''permit'''} {'''any''' | '''bpdu''' | '''ipv6''' | '''mpls'''}

{{note|You can configure an EtherType ACL on a Layer 2 interface in the inbound direction only. If you are operating the ACE in bridge mode, be sure to configure an ACL on all interfaces that permit BPDUs. Otherwise, a bridge loop may result.}}

For example, to configure an extended ACL to permit all IP traffic from any source IP address and that is destined to any IP address on interface VLAN 200, enter the following commands:

ACE_module5/Admin(config)# '''access-list ACL1 extended permit ip any any'''
ACE_module5/Admin(config)# '''interface vlan 200'''
ACE_module5/Admin(config-if)# '''ip address 192.168.1.1 255.255.255.0'''
ACE_module5/Admin(config)# '''access-group input ACL1'''

You can apply an ACL to all interfaces in a context at once, subject to the following conditions:

* No interface in the context has an ACL applied to it.
* You can globally apply one Layer 2 and one Layer 3 ACL in the inbound direction only.
* On Layer 2 bridged-group virtual interfaces (BVIs), you can apply both Layer 3 and Layer 2 ACLs.
* On Layer 3 virtual LAN (VLAN) interfaces, you can apply only Layer 3 ACLs.
* In a redundant configuration, the ACE does not apply a global ACL to the FT VLAN.

For example, to apply ACL1 to all interfaces in the Admin context, enter the following command in configuration mode:

ACE_module5/Admin(config)# '''access-group input ACL1'''

The syntax of the '''match access-list''' command is as follows:

'''match access-list''' ''acl_name''

To configure an ACL match statement in a class map, enter the following commands:

ACE_module5/Admin(config)# '''class-map match-any L4_CLASS
ACE_module5/Admin(config-cmap)# '''match access-list ACL1'''
ACE_module5/Admin(config-cmap)# '''exit'''
ACE_module5/Admin(config)# '''policy-map multi-match L4_POLICY'''
ACE_module5/Admin(config-pmap)# '''class L4_CLASS'''
ACE_module5/Admin(config-pmap-c)#

For more details about ACLs and how to configure them, see the [http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/acl.html Cisco Application Control Engine Module Security Configuration Guide].

== ACL-Related syslogs ==

When a packet matches an ACL entry, a syslog message is generated based on the following rules:

* All ACL deny entries generate a syslog message unless logging is explicitly disabled using the '''no logging enable''' command in configuration mode.
* An ACL permit entry generates a syslog message only if logging is enabled using the '''logging enable''' command in configuration mode.
* All implicit deny entries generate the default deny syslog (%ACE-4-106023).

To minimize syslog message generation, the ACE uses the flow cache as follows:

#For the first packet hit on an ACL entry, the ACE generates a syslog and caches the flow (5-tuple) in the connection table.
#For subsequent hits on the same ACL entry, the ACE checks the cache. If it finds the flow in the cache, the ACE increments a hit counter for this entry in the cache and does ''not'' generate a syslog.
#After some time (the default is 300 seconds, which is configurable in the ACL entry definition in the CLI as the ''interval_secs'' option), the ACE generates a syslog and sets the hit count to 0.
#However, if at the expiry of the above time, the hit count is 0, the ACE deletes the cache entry silently. So by default, a cache entry is aged out 600 seconds after the last hit.

== Troubleshooting ACLs ==

Many ACL issues manifest themselves by all traffic or only certain traffic being denied or permitted access to the ACE or out of the ACE. Remember that, initially, all traffic to the ACE is denied until you permit traffic using an ACL. Every ACL contains an implicit deny at the end of it, so only traffic that you explicitly permit will have access to the ACE. To troubleshoot ACLs, follow these steps:

1. Verify that your ACL configuration is correct for your network application. Make any required changes to the running-config file, and then test the configuration. If it is satisfactory, save it to the startup-config file using the '''copy runnning-config startup-config''' command.

For example, to display the ACLs that you have configured in your ACE, enter the following command:

ACE_module5/Admin# '''show running-config access-list'''
Generating configuration....

access-list ACL1 remark This ACL permits any IP traffic from any source going to any destination except for ICMP traffic originating from
192.168.12.15 255.255.255.192.
access-list ACL1 line 8 extended permit ip any any
access-list ACL1 line 10 extended deny icmp 192.168.12.15 255.255.255.192 any echo code range 1 1 (hitcount=0) [0x65af0edd]
access-list ANYONE line 8 extended permit ip any any

To verify that the configured ACLs are applied to the correct interfaces and in the right directions (input or output), enter the following command:

ACE_module5/Admin# '''show running-config interface'''
Generating configuration....

interface vlan 100
ip address 10.2.1.1 255.255.255.0
access-group input ANYONE
access-group output ANYONE
no shutdown
interface vlan 200
ip address 192.168.1.1 255.255.255.0
access-group input ACL1
service-policy input MGMT_POLICY
no shutdown

2. Verify that you have allocated sufficient resources for ACLs. To display the allocated resources in your ACE, enter the following command:

ACE_module5/Admin# '''show resource usage'''
Allocation
Resource Current Peak Min Max Denied
-------------------------------------------------------------------------------
Context: Admin
conc-connections 10 18 0 8000000 0
mgmt-connections 2 10 0 100000 0
proxy-connections 584 590 0 1048574 0
xlates 0 0 0 1048574 0
bandwidth 880 16194 0 625000000 0
throughput 880 12606 0 500000000 0
mgmt-traffic rate 0 3588 0 125000000 0
connection rate 1 21 0 1000000 0
ssl-connections rate 0 0 0 5000 0
mac-miss rate 0 16 0 2000 0
inspect-conn rate 0 0 0 6000 0
'''acl-memory 33448 33448 7858944 70749384 0 <------- ACL memory resource allocation statistics'''
sticky 0 0 0 0 0
regexp 0 0 0 1048576 0
syslog buffer 188416 188416 0 4194304 0
syslog rate 0 9 0 100000 0
Context: C1
conc-connections 0 0 0 8000000 0
mgmt-connections 0 0 0 100000 0
proxy-connections 0 0 0 1048574 0
xlates 0 0 0 1048574 0
bandwidth 0 0 0 625000000 0
throughput 0 0 0 500000000 0
mgmt-traffic rate 0 0 0 125000000 0
connection rate 0 0 0 1000000 0
ssl-connections rate 0 0 0 5000 0
mac-miss rate 0 0 0 2000 0
inspect-conn rate 0 0 0 6000 0
acl-memory 0 0 7858944 70749384 0
sticky 0 0 0 0 0
regexp 0 0 0 1048576 0
syslog buffer 0 0 0 4194304 0
syslog rate 0 0 0 100000 0

For example, to allocate a 10 percent minimum and a maximum of unlimited resources for ACL memory in the Admin virtual context, enter the following commands:

ACE_module5/Admin(config)# '''resource myclass'''
ACE_module5/Admin(config-resource)# '''limit-resource acl-memory minimum 10 maximum unlimited'''
ACE_module5/Admin(config-resource)# '''exit'''
ACE_module5/Admin(config)# '''context Admin'''
ACE_module5/Admin(config-context)# '''member myclass'''

3. Display the details of an individual ACL by using the '''show access-list''' ''acl_name'' '''detail''' command. This command displays every entry in the specified ACL, the hit counts for each entry, and a 32-bit hexadecimal MD5-hash value that the ACE computes from the '''access-list''' command immediately when you configure an ACL. The ACE includes this hash value in deny syslog messages (106023) to help you identify the ACL entry that caused the deny syslog. For example to display the details of the ACL1 access control list, enter the following command:

ACE_module5/Admin# '''show access-list ACL1 detail'''

access-list:ACL1, elements: 2, status: ACTIVE
remark : This ACL permits any IP traffic from any source going to any destination except for ICMP traffic originating from 192.168.12.15 255.255.255.1.
access-list ACL1 line 8 extended permit ip any any (hitcount=9) [0x894c1008] '''<------- 32-bit hexadecimal MD5-hash value'''
access-list ACL1 line 10 extended deny icmp 192.168.12.15 255.255.255.192 any echo code range 1 1 (hitcount=15) [0x65af0edd]

The format of the deny syslog message is as follows:

%ACE-4-106023: Deny protocol ''number'' | ''name src incoming-interface:src-ip'' dst ''outgoing-interface:dst-ip'' by access-group "''acl-name''"
An IP packet was denied by the ACL.

: '''Explanation:''' This message displays even if you do not have the log option enabled for an ACL. If a packet hits an input ACL, the outgoing interface will not be known. In this case, the ACE prints the outgoing interface as undetermined. The source IP and destination IP addresses are the unmapped and mapped addresses for the input and output ACLs, respectively, when used with NAT.

: '''Recommended Action:''' If messages persist from the same source address, messages may indicate a foot-printing or port-scanning attempt. Contact the remote host administrators.

An ACL merged list is a large ACL that the CP compiles from multiple security ACL entries and policies. When the ACE executes an ACL merged list, it performs multiple actions on a flow that matches the merged list.

4. Display the actions that the ACE will perform on a flow by entering the '''show acl-merge merged-list''' command. For example, to display the merged list for VLAN 100, enter the following command:

ACE_module5/Admin# '''show acl-merge merged-list vlan 100 in non-redundant'''

All ACEs in merged list 2 Total:18 Non-redundant:12

Priority:1000, Lineno:0, ACE-id:211 Action:PERMIT, Path-id:0x81/0x0/0x0:6/0[6/0]
[6/0]
Pmap:0x5, Log:FALSE/FALSE[FALSE][FALSE], Interval:0/0[0][0]
Hash1:0x0 Hash2:0x0
Generated:TRUE, need-to-add-in-comp:NO_ACT_NEEDED, redundant:FALSE
Parent:: feature:SECURITY ace-lineno:5 ACL priority:0[G:0,P:0,C:0,ACL:0]
Parent:: feature:TO CP ace-lineno:2 ACL priority:16779265[G:0,P:1,C:8,ACL:1]
Feature:SECURITY Policy:1[1][1] sec-level:0x0 Intratype:SKIP
Feature:TO CP Policy:1[1][1] sec-level:0x0 Intratype:TERMINATE
Intertype:TERMINATE
IP address SRC:161.44.0.0/255.255.0.0 DST:10.86.215.134/255.255.255.255
Ports SRC:RANGE 0 65535 DST:RANGE 22 22
Protocol:6
Hit Count:0 Active:TRUE Timerange:0
.
.
.
Feature:SECURITY Policy:0[0] sec-level:0x0 Intratype:TERMINATE
.
.
.
Feature:SLB Policy:14[14] sec-level:0x0 Intratype:TERMINATE
.
.
.
Feature:SRC NAT Policy:2[2] sec-level:0x0 Intratype:TERMINATE
.
.
.

5. If the acl-memory Denied counter in the output of the '''show resource usage''' command is incrementing and the Peak (ACL) memory counter has not exceeded the Max Allocated ACL memory counter, the problem may lie with one of the nodes in the ACL merge tree. The ACL merge tree contains several different kinds of nodes (see the example output below), each of a different size and each with a maximum limit. If you allocate a minimum of 10 percent of the ACE resources to ACL memory, the ACE will guarantee 10% of the maximum number of each node. If your configuration causes the ACE to exceed the maximum value of one of these nodes, the ACL resource allocation will fail and the acl-memory Denied counter will increment.

To monitor the ACL merge tree node usage in the ACE, enter the following command:

ACE_module5/Admin# '''show np 1 access-list resource'''

ACL Tree Statistics for Context ID: Admin
=========================================
ACL memory max-limit: None
ACL memory guarantee: 10.00 %
MTrie nodes(used/guaranteed/max-limit):
43 / 26214 / '''262143''' (compressed) <-------|
3 / 2199 / '''21999''' (uncompressed) <--------|
Leaf Head nodes (used/guaranteed/max-limit): |
39 / 26214 / '''262143''' <--------------------|---- '''Maximum number of available nodes in the ACE'''
Leaf Parameter nodes (used/guaranteed/max-limit):|
594 / 52428 / '''524288''' <-------------------|
Policy action nodes used: 153
memory consumed: 23776 bytes resource-limited 4896 bytes other 28672 bytes total
.
min-guarantee: 7861043 bytes total, 0 % consumed.
max-limit: 78610432 bytes total, 0 % consumed.

ACL Tree Statistics for the linecard
====================================
MTrie nodes(used): '''43''' (compressed) 3 (uncompressed) <--------------|
(shared): 235929 (compressed) 19800 (uncompressed) |
Leaf Head nodes (used/shared): '''39''' / 235929 <-----------------------|---- '''Number of used nodes in the ACE'''
Leaf Parameter nodes (used/shared): '''594''' / 471860 <-----------------|
Policy action nodes (used/shared): '''153''' / 261990 <------------------|

You can calculate the percentage of use for each node type by dividing the used nodes value by the maximum number of nodes and multiplying the result by 100. If any of these percentages exceeds the maximum value of allocated ACL memory for the context, increase the '''max''' value of allocated ACL memory using the '''limit-resource acl-memory''' command in resource class configuration mode so that that value is greater than or equal to the highest used nodes percentage that you calculated. Alternatively, if you are approaching the limits of ACL resource capacity, you may consider consolidating your ACL configuration.

If the ACL nodes are depleted while the ACE is downloading ACL configurations for an interface, the complete ACL merged list for that interface is deleted and no traffic flows through that interface. The ACE increments the download failure counter in the output of the '''show interface''' command and the ACE logs a system message from the configuration manager.

6. To trace a packet through a specific ACL, enter the following command:

ACE_module5/Admin# '''show np 1 access-list trace vlan 130 in protocol 1 source 172.27.16.23 2000 destination 192.168.12.15 3000'''

Root 0x2c01b00
Src Mtrie (0) offset 1 curr 0x2c01b00 child 0x0 leaf 0x10a840
Dst Mtrie (0) offset 2 curr 0x10a840 child 0x0 leaf 0x3c01330
proto ICMP head node 0x4004880
proto node 0x4004880
src op range port 0/65535
dst op range port 0/65535 lineno 112000
inner match line#:112000
inner match line#: 112000

packet matched priority 112000

action node 0x4c02460
Action Leaf-node
version+aceid 0x99 (version 0 ace_id 153 dirty no)
action_flag 0x10 (permit no log no punt_to_cp no capture no bridge yes)
path ID 0x0
src nat 0x0 dst nat 0x0 vserver 0x0 fixup 0x0
TCP conn 0x0 AAA 0x0 Websense 0x0 QOS Policer 0x0
Syslog Info 0
Hitcount 130426
Syslog info:
idx:[153:0] name_idx:[0:0] hash1:0x0 hash2:0x0 name_len:0 invalid

Number of DRAM access: 6 (2 mtrie 4 non-mtrie)

Cisco Application Control Engine (ACE) Troubleshooting Guide

2009-05-12T15:32:22Z

Kkroeber: /* Audience */

{| align="center" border="1"
|align="left"|Welcome to '''Cisco DocWiki'''. We encourage [http://tools.cisco.com/RPF/register/register.do registered Cisco.com users] to contribute to this wiki to collaborate on Cisco product documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions or comments about documentation content. 
See [[DocWiki:Terms_of_use|Terms of Use]] and [[DocWiki:About|About DocWiki]] for more information about Cisco DocWiki. 
Click [http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html here] to return to the Cisco ACE Module documentation on [http://www.cisco.com www.cisco.com].
|}

__TOC__

This article provides a systematic approach to identifying and remedying problems that may arise as you use your ACE module over a period of time. This guide is not intended to replace configuration best practices or to be an all-inclusive guide for every application. Rather, it is an attempt to provide you with the knowledge and skills necessary to correct the most common issues that you may encounter.

==Audience==

This article is intended for all trained network administrators who have experience with the configuration and maintenance of the ACE module.

==Organization==

This article consists of the following major sections:

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]]

[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing Resources]]

==Related Documentation==

*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/installation/note/aceinote.html Cisco Application Control Engine Module Installation Note]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/RACEA2X.html Release Note for the Cisco Application Control Engine Module (Software Version A2(X))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/admgd.html Cisco Application Control Engine Module Administration Guide (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/cmdref.html Cisco Application Control Engine Module Command Reference (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/master_index/MasterIX.html Cisco Application Control Engine Module Configuration Guides Master Index (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/quick/guide/getstart.html Cisco Application Control Engine Module Getting Started Guide (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/rtbrgdgd.html Cisco Application Control Engine Module Routing and Bridging Configuration Guide (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/securgd.html Cisco Application Control Engine Module Security Configuration Guide (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/slbgd.html Cisco Application Control Engine Module Server Load-Balancing Configuration Guide (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/ssl/guide/sslgd.html Cisco Application Control Engine Module SSL Configuration Guide (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/system/message/guide/sysmsggd.html Cisco Application Control Engine Module System Message Guide (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/virtgd.html Cisco Application Control Engine Module Virtualization Configuration Guide (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/csm_to_ace/user/guide/csmaceug.html Cisco CSM-to-ACE Conversion Tool User Guide (Software Version A2(1.0))]
*[http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/css_to_ace/user/guide/cssaceug.html Cisco CSS-to-ACE Conversion Tool User Guide (Software Version A2(1.0))]

[[Category:Cisco ACE Module Troubleshooting Guide]]

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance

2008-12-02T14:48:43Z

Kkroeber: /* Establishing a Console Connection on the ACE */

This section describes how to set up a Cisco 4700 Series Application Control Engine (ACE) appliance.

{| align="right" border="1"
|aling="center"|'''Guide Contents'''
|-
|[[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]] ''Setting Up the ACE Appliance (this section)'' [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]
|}
__TOC__

== Overview ==

After reading this section, you should have a basic understanding of how to configure a ACE appliance with the networking parameters necessary for communicating with a management device to configure server load balancing.

After some initial setup using the CLI, you can complete the procedures in this section using the Device Manager GUI.

Before performing the procedures in this section, make sure that you complete the ACE installation instructions as described in the
[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html ''Cisco ACE 4710 Appliance Hardware Installation Guide''].

Configuring an ACE involves the following basic steps:

1. Establishing a console connection on the ACE.

2. Enable management connectivity to the ACE through a Gigabit Ethernet port.

3. Log in to the ACE.

4. Configure a second Gigabit Ethernet port for client-side connectivity.

5. Configure a third Gigabit Ethernet port for server-side connectivity.

This section describes how to set up an ACE appliance using the example network setup illustrated in Figure 1.

'''''Figure 1 Example Network Setup'''''

[[Image:Example Network Setup.jpg]]

The configuration of the example setup is as follows:

* VLAN 1000 is assigned to the first Gigabit Ethernet port and is used for management traffic for both the Admin context and a user context.

:'''Note '''A virtual local area network (VLAN) is a logical division of a computer network within which information can be transmitted for all devices to receive. VLANs enable you to segment a switched network so that devices in one VLAN do not receive information packets from devices in another VLAN.

* VLAN 400 is assigned to the second Gigabit Ethernet port and is used for client-side traffic.

* VLAN 500 is assigned to the third Gigabit Ethernet port and is used for server-side traffic.

* None of the three Gigabit Ethernet ports used are trunked.

* A management VLAN interface is configured for the Admin context with VLAN 1000 and IP address 172.25.91.110.

* A management VLAN interface is configured for the user context VC_web with VLAN 1000 and IP address 172.25.91.111.

* A client-side VLAN interface is configured for the user context VC_web with VLAN 400 and IP address 10.10.40.10.

* A server-side VLAN interface is configured for the user context VC_web with VLAN 500 and IP address 10.10.50.1.

* Four web servers are available to the ACE for load-balancing client requests.

== Establishing a Console Connection on the ACE ==

The ACE has one standard RS-232 serial port on its rear panel that operates as the console port. You can establish a direct serial connection between the ACE and your terminal (or a PC with terminal software) by making a serial connection to this console port. The integrated serial port accepts a 9-pin female D shell connector. Use a straight-through cable to connect the ACE to the terminal or a PC. See the [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html ''Cisco ACE 4710 Appliance Hardware Installation Guide''] for more instructions on connecting a console cable to your ACE appliance.

The ACE appliance has four physical Ethernet interface ports. All VLANs are assigned to these ports. The four Ethernet ports provide the physical connection between the ACE and the servers, PCs, routers, and other devices. You can configure the Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. After the VLANs are assigned, you can configure the corresponding VLAN interfaces so that the ACE can provide different networking functions for different VLANs.

'''Note '''Only the Admin context is directly accessible through the console port; all other contexts can be accessed through Telnet or SSH sessions on the Ethernet ports.

After making the console connection, you can use any terminal communications application to access the ACE CLI.

'''Note '''If the appliance is not on, press the power button on the front of the ACE to start the boot process (see the [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html ''Cisco ACE 4710 Appliance Hardware Installation Guide''] for details).

Access the ACE CLI using HyperTerminal for Windows by following these steps:

1. Launch HyperTerminal.

:The Connection Description window appears (Figure 2).

:'''''Figure 2 HyperTerminal—Connection Description'''''

:[[Image:HyperTerminal—Connection_Description.jpg]]

2. Enter a name for your connection in the Name field.

3. Click '''OK'''. The Connect To window appears (Figure 3).

:'''''Figure 3 HyperTerminal—Connect To'''''

:[[Image:HyperTerminal—Connect To.jpg]]

4. From the Connect using drop-down list, choose the COM port to which the device is connected.

5. Click '''OK'''. The Port Properties window appears (Figure 4).

:'''''Figure 4 HyperTerminal—Port Properties'''''

:[[Image:HyperTerminal—Port Properties.jpg]]

6. Set the port properties:

:* Bits per second = 9600

:* Data bits = 8

:* Parity = none

:* Stop bits = 1

:* Flow control = None

7. Click '''OK''' to connect.

== Enabling Management Connectivity Using the Setup Script ==

When you boot the ACE for the first time and the ACE does not detect a startup configuration file, a setup script guides you through the process of configuring a management VLAN on the ACE through one of its Gigabit Ethernet ports to enable connectivity to the Device Manager GUI.

After running the setup script, the management VLAN is allocated to the specified Gigabit Ethernet port and the VLAN interface is configured on the ACE, as illustrated in Figure 5.

'''''Figure 5 Configuration After the Setup Script is Executed'''''

[[Image:Configuration After the Setup Script is Executed.jpg]]

Configure the ACE using the setup script by following these steps:

1. At the login prompt, log into the ACE by entering the login username admin and password. By default, the username and password are admin. For example, enter:

:Starting sysmgr processes.. Please wait...Done!!!

:switch login: '''admin'''

:Password: '''admin'''

2. At the Enter the new password for “admin”: prompt, change the default Admin password. If you do not change the default Admin password, after you upgrade the ACE software you will only be able to log in to the ACE through the console port.

:Enter the new password for “admin”: '''xxxxx'''

:Confirm the new password for “admin”: '''xxxxx'''

:admin user password successfully changed.

3. At the Enter the new password for “www”: prompt, change the default www user password. If you do change the default www user password, the www user will be disabled and you will not be able to use Extensible Markup Language (XML) to remotely configure an ACE until you change the default www user password.

:Enter the new password for “www”: '''xxxxx'''

:Confirm the new password for “www”: '''xxxxx'''

:www user password successfully changed.

:This script will perform the configuration necessary for a user to manage the ACE Appliance using the ACE Device Manager. The management port is a designated Ethernet port which has access to the same network as your management tools including the ACE Device Manager. You will be prompted for the Port Number, IP Address, Netmask and Default Route (optional).

:Enter ‘ctrl-c’ at any time to quit the script

:'''Caution '''At this point, you should consider whether you plan to configure the ACE using the Device Manager GUI or using the CLI. If you have a trunking network setup, or if your VLAN 1000 has been used, you should bypass the following setup script and use the CLI as described in [[#Setting Up an ACE Appliance Using the CLI|Setting Up an ACE Appliance Using the CLI]].

4. At the “Would you like to enter the basic configuration dialog? (yes/no)” prompt, press '''Enter''' to continue the setup. To bypass setup and directly access the CLI, type '''no'''.

:Would you like to enter the basic configuration dialog? (yes/no) [y]:

:'''Note '''The ACE provides a default response in brackets [ ] for each question in the setup script. Accept the default response to a configuration prompt by pressing '''Enter'''.

5. Select port 1 to carry management VLAN communication by pressing '''Enter'''.

:Enter the Ethernet port number to be used as the management port (1-4):? [1]:

6. Assign an IP address for the management VLAN interface by entering '''172.25.91.110'''.

:Enter the management port IP Address (n.n.n.n): [192.168.1.10]: '''172.25.91.110'''

7. Accept the default subnet mask for the management VLAN interface by pressing '''Enter'''.

:Enter the management port Netmask(n.n.n.n): [255.255.255.0]:

8. Assign the IP address of the gateway router (the next-hop address for this route) by entering '''172.25.91.1'''.

:Enter the default route next hop IP Address (n.n.n.n) or <enter> to skip this step: '''172.25.91.1'''

9. Examine the entered values.

:Summary of entered values:

:Management Port: 1

:Ip address 172.25.91.110

:Netmask: 255.255.255.0

:Default Route: 172.25.91.1

10. Review the configuration details by pressing '''d'''.

:Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:

:interface gigabitEthernet 1/3

: switchport access vlan 1000

: no shut

:access-list ALL extended permit ip any any

:class-map type management

:match-any remote_access

: match protocol xml-https any

: match protocol dm-telnet any

: match protocol icmp any

: match protocol telnet any

: match protocol ssh any

: match protocol http any

: match protocol https any

: match protocol snmp any

:policy-map type management first-match remote_mgmt_allow_policy

: class remote_access

: permit

:interface vlan 1000

: ip address 172.25.91.110 255.255.255.0

: access-group input ALL

: service-policy input remote_mgmt_allow_policy

: no shutdown

:ssh key rsa

:ip route 0.0.0.0 0.0.0.0 172.25.91.1

11. Accept this configuration by pressing '''Enter'''; otherwise, press '''n'''.

:Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:

12. After you select '''y''', the following message appears.

:Configuration successfully applied. You can now manage this ACE Appliance by entering the url 'https://172.25.91.110' into a web browser to access the Device Manager GUI.

After you have completed the setup script, the command prompt appears.

:switch/Admin#

After you specify a Gigabit Ethernet port, port mode, and management VLAN, the setup script automatically applies the following default configuration:

* A Management VLAN is allocated to the specified Ethernet port.

* An extended IP access list that allows IP traffic originating from any other host addresses.

* A traffic classification is created for management protocols HTTP, HTTPS, ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated to connectivity with the Device Manager GUI.

* A VLAN interface is configured on the ACE.

== Assigning a Name to the ACE ==

The hostname is used for the command-line prompts and default configuration filenames. When you establish sessions to multiple devices, the hostname helps you keep track of which ACE you are entering commands to. By default, the hostname for the ACE is switch.

For example, change the hostname of the ACE from switch to host1 by entering:

:switch/Admin# '''Config'''

:switch/Admin(config)# '''hostname''' '''host1'''

The prompt appears with the new hostname.

:host1/Admin(config)#

== Setting Up an ACE Appliance Using the Device Manager GUI ==

You can set up an ACE appliance using the Device Manager GUI or the CLI. This section describes how to set up an ACE using the GUI, and includes the following sections:

* [[#Logging in to the ACE|Logging in to the ACE]]

* [[#Configuring a Second Gigabit Ethernet Interface Port|Configuring a Second Gigabit Ethernet Interface Port]]

* [[#Configuring a Third Gigabit Ethernet Interface Port|Configuring a Third Gigabit Ethernet Interface Port]]

=== Logging in to the ACE ===

You can access the ACE Device Manager GUI through a web-based interface. Log in to the Device Manager by following these steps:

1. Navigate to the ACE Device Manager by entering the secure HTTPS address or hostname of the ACE in the address field of a web browser. For the example setup shown earlier in Figure 1, enter:

:'''https://172.25.91.110/'''

2. Click '''Yes '''at the prompt to accept (trust) and install the signed certificate from Cisco Systems, Inc. To avoid having to approve the signed certificate every time you log in to the Device Manager, accept the certificate.

:The Device Manager GUI Login window appears (Figure 6).

:'''Note '''Because this product is regularly updated, you may notice minor variations between the figures in this manual and the windows that appear in the software version you are running.

:'''''Figure 6 Device Manager GUI Login Window'''''

:[[Image:Device Manager GUI Login Window.jpg]]

3. In the User Name field, type '''admin '''for the admin user account.

4. In the Password field, type the new password that you entered in Step 2 in [[#Enabling Management Connectivity Using the Setup Script|Enabling Management Connectivity Using the Setup Script]].

5. Click '''Login'''. The default window that appears is the Virtual Contexts window with the Admin context listed, as shown in Figure 7.

:'''''Figure 7 Virtual Contexts Pane (Admin Context)'''''

:[[Image:Virtual Contexts Pane (Admin Context).jpg]]

=== Configuring a Second Gigabit Ethernet Interface Port ===

You can configure a second Gigabit Ethernet interface port to connect to clients. For the example configuration, you will configure Gigabit Ethernet interface port 2 as illustrated in Figure 8 (previously configured settings are grayed out).

:'''''Figure 8 Configuring a Second Gigabit Ethernet Interface Port to Connect to Clients'''''

:[[Image:Configuring a Second Gigabit Ethernet Interface Port to Connect to Clients.jpg]]

Configure a second Gigabit Ethernet port by following these steps:

1. Choose '''Config > Virtual Contexts > Network > GigabitEthernet Interfaces'''. The GigabitEthernet Interfaces pane appears (Figure 9).

:'''Note '''Only users authenticated in the Admin context can configure the Gigabit Ethernet interface ports.

:'''''Figure 9 GigabitEthernet Interfaces Pane—gigabitEthernet 1/2'''''

:[[Image:GigabitEthernet Interfaces Pane-gigabitEthernet 1_2.jpg]]

2. In the GigabitEthernet Interfaces pane, choose '''gigabitEthernet 1/2''', and then click '''Edit '''to define attributes for the port. The GigabitEthernet Interfaces window appears (Figure 10).

:'''''Figure 10 GigabitEthernet Interfaces Window—gigabitEthernet 1/2'''''

:[[Image:GigabitEthernet Interfaces Window—gigabitEthernet 1_2.jpg]]

3. Enter the following attributes for port 2. Leave the remaining attributes blank or with their default values.

:* Admin Status: Up

:* Speed: Auto

:* Port Operation Mode: Switchport

:* Switchport type: Access

:* Access Vlan: 400

4. Click '''Deploy Now '''to save these settings and to return to the GigabitEthernet Interfaces pane (Figure 11).

:'''''Figure 11 GigabitEthernet Interfaces Pane with Ethernet Port 2 Configured'''''

:[[Image:GigabitEthernet Interfaces Pane with Ethernet Port 2 Configured.jpg]]

=== Configuring a Third Gigabit Ethernet Interface Port ===

You can configure a third Gigabit Ethernet interface port to connect to the servers. For the example configuration, you will configure Gigabit Ethernet interface port 3 as illustrated in Figure 12 (previously configured settings are grayed out.)

:'''''Figure 12 Configuring a Third Gigabit Ethernet Interface Port to Connect to the Servers'''''

:[[Image:Configuring a Third Gigabit Ethernet Interface Port to Connect to the Servers.jpg]]

Configure a third Gigabit Ethernet port by following these steps:

1. In the GigabitEthernet Interfaces pane, choose '''gigabitEthernet 1/3''', and then click '''Edit''' to define attributes for the port. The GigabitEthernet Interfaces window appears (see Figure 10).

2. Enter the following attributes for port 3. Leave the remaining attributes blank or with their default values.

:* Admin Status: Up

:* Speed: Auto

:* Port Operation Mode: Switchport

:* Switchport type: Access

:* Access VLAN: 500

3. Click '''Deploy Now '''to save these settings and to return to the GigabitEthernet Interfaces pane (Figure 13).

:'''''Figure 13 GigabitEthernet Interfaces Pane with Ethernet Port 3 Configured'''''

:[[Image:GigabitEthernet Interfaces Pane with Ethernet Port 3 Configured.jpg]]

== Setting Up an ACE Appliance Using the CLI ==

You can set up an ACE appliance using the Device Manager GUI or the CLI. This section describes how to set up an ACE using the CLI, and includes the following sections:

* [[#Logging in to the ACE Using the CLI|Logging in to the ACE Using the CLI]]

* [[#Configuring the First Gigabit Ethernet Port from the CLI|Configuring the First Gigabit Ethernet Port from the CLI]]

* [[#Allocating the First Gigabit Ethernet Port to a VLAN from the CLI|Allocating the First Gigabit Ethernet Port to a VLAN from the CLI]]

* [[#Configuring a Management VLAN Interface on the ACE from the CLI|Configuring a Management VLAN Interface on the ACE from the CLI]]

* [[#Configuring a Second Gigabit Ethernet Interface Port from the CLI|Configuring a Second Gigabit Ethernet Interface Port from the CLI]]

* [[#Configuring a Third Gigabit Ethernet Interface Port from the CLI|Configuring a Third Gigabit Ethernet Interface Port from the CLI]]

* [[#Configuring Remote Management Access to the ACE from the CLI|Configuring Remote Management Access to the ACE from the CLI]]

* [[#Accessing the ACE through a Telnet Session|Accessing the ACE through a Telnet Session]]

=== Logging in to the ACE Using the CLI ===

After you have established a direct serial connection between the ACE and your terminal or a PC (see [[#Establishing a Console Connection on the ACE|Establishing a Console Connection on the ACE]]), you can set up the ACE using the CLI.

When the setup script displays the “Would you like to enter the basic configuration dialog? (yes/no):” prompt, enter '''no''' to access the CLI. Log in to the ACE by following these steps:

1. At the login prompt, enter '''admin'''. For the password, type the new password that you entered in Step 2 in [[#Enabling Management Connectivity Using the Setup Script|Enabling Management Connectivity Using the Setup Script]].

:host1 login: '''admin'''

:Password: '''xxxxx'''

You are ready to use the ACE CLI when the following prompt appears.

:host1/Admin#

2. Set the '''terminal session-timeout '''command to 0 to prevent this current session from timing out. By default, a session on the ACE is automatically logged out after 5 minutes of inactivity.

:host1/Admin# '''terminal session-timeout''' '''0'''

:host1/Admin#

=== Configuring the First Gigabit Ethernet Port from the CLI ===

You can configure a Gigabit Ethernet interface port for the ACE management traffic. For the example configuration, you will configure Gigabit Ethernet interface port 1. Configure the first Gigabit Ethernet port by following theses steps:

1. Configure a Layer 2 Gigabit Ethernet port on the ACE by using the '''interface gigabitEthernet ''''''''slot_number/port_number '''''command in configuration mode.

:'''Note '''The slot_number specifies the physical slot on the ACE that contains the Ethernet ports. For the current release of the ACE appliance, this selection is always 1.

:Configure Gigabit Ethernet port 1 and enter interface configuration mode by entering:

:host1/Admin# '''config'''

:host1/Admin(config)# '''interface gigabitEthernet 1/1'''

:host1/Admin(config-if)#

2. Enable the Gigabit Ethernet port by using the '''no shutdown '''command in interface configuration mode. Disable a running Gigabit Ethernet port by using the '''shutdown''' command; bring one up by using the '''no shutdown''' command.

:host1/Admin(config-if)# '''no shutdown'''

3. Display the configuration of the interface by using the '''do '''command with the '''show interface''' command.

:host1/admin(config-if)# '''do show interface vlan 1000'''

=== Allocating the First Gigabit Ethernet Port to a VLAN from the CLI ===

After you configure an Gigabit Ethernet port, the next step is to allocate it to a VLAN. For the example configuration, you will allocate the first Gigabit Ethernet port to VLAN 1000, as illustrated in Figure 14 (previously configured settings are grayed out.)

'''''Figure 14 Allocating the First Gigabit Ethernet Port to a VLAN'''''

[[Image:Allocating the First Gigabit Ethernet Port to a VLAN.jpg]]

Allocate the port to a VLAN by following these steps:

1. Assign one or more VLAN numbers to the Gigabit Ethernet port by using the '''switchport trunk allowed vlan ''''''''vlan_list '''''command in interface configuration mode. The vlan_list argument can include:

:* A single VLAN number

:* Beginning and ending VLAN numbers separated by a hyphen

:* Specific VLAN numbers separated by commas

:Valid entries are 1 through 4094. Do not enter any spaces in a hyphenated range or in a comma-separated list of numbers in the vlan_list argument.

:'''Note '''You can associate a VLAN number with only one Gigabit Ethernet port.

:Add VLAN 1000 to the defined list of VLANs currently set for Gigabit Ethernet port 1 by entering:

:host1/Admin(config)# '''interface gigabitEthernet 1/1'''

:host1/Admin(config-if)# '''switchport access allowed vlan 1000'''

2. Enable VLAN access for the specified Layer 2 Gigabit Ethernet port by using the '''no shutdown '''command in interface configuration mode.

:host1/Admin(config-if)# '''no shutdown'''

:host1/Admin(config-if)# '''exit'''

:host1/Admin(config)#

=== Configuring a Management VLAN Interface on the ACE from the CLI ===

You can provide management connectivity to the ACE by assigning an IP address to the VLAN interface on the ACE. For the example configuration, you will assign an IP address 172.25.91.110 and a subnet mask of 255.255.255.0 to VLAN 1000, as illustrated in Figure 15 (previously configured settings are grayed out).

'''''Figure 15 Configuring a Management VLAN Interface on the ACE'''''

[[Image:Configuring a Management VLAN Interface on the ACE.jpg]]

Configure a VLAN interface on the ACE by following these steps:

1. Access interface configuration mode for the VLAN 1000.

:host1/Admin(config)# '''interface vlan 1000'''

:host1/Admin(config-if)#

2. Assign an IP address of 172.25.91.110 and a subnet mask of 255.255.255.0 to the VLAN interface for management connectivity.

:host1/Admin(config-if)# '''ip address 172.25.91.110 255.255.255.0'''

3. (Optional) Provide a description for the interface.

:host1/Admin(config-if)# '''description Management connectivity on VLAN 1000'''

4. Enable the VLAN interface.

:host1/Admin(config-if)# '''no shutdown'''

5. Display the configuration of VLAN 1000.

:host1/Admin(config-if)# '''do show interface vlan 1000'''

6. Verify network connectivity by using the '''ping''' command. This command verifies the connectivity of a remote host or server by sending echo messages from the ACE.

:host1/Admin(config-if)# '''do ping 172.25.91.110'''

7. Exit the interface configuration mode.

:host1/Admin(config-if)# '''exit'''

:host1/Admin(config)#

=== Configuring a Second Gigabit Ethernet Interface Port from the CLI ===

You can configure a second Gigabit Ethernet interface port to connect to clients. For the example configuration, you will configure Gigabit Ethernet interface port 2 as illustrated in Figure 8. Configure the second Gigabit Ethernet Interface port by following these steps:

1. Add VLAN 400 to the defined list of VLANs currently set for Gigabit Ethernet port 2.

:host1/Admin(config)# '''interface gigabitEthernet 1/2'''

:host1/Admin(config-if)# '''switchport access vlan 400'''

2. Enable the Gigabit Ethernet port.

:host1/Admin(config-if)# '''no shutdown'''

:host1/Admin(config-if)# '''exit'''

:host1/admin(config)#

=== Configuring a Third Gigabit Ethernet Interface Port from the CLI ===

You can configure a third Gigabit Ethernet interface port to connect to the servers. For the example configuration, you will configure Gigabit Ethernet interface port 3 as illustrated in Figure 12. Configure the third Gigabit Ethernet Interface port by following these steps:

1. Add VLAN 500 to the defined list of VLANs currently set for Gigabit Ethernet port 3.

:host1/Admin(config)# '''interface gigabitEthernet 1/3'''

:host1/Admin(config-if)# '''switchport access allowed vlan 500'''

2. Enable the Ethernet port.

:host1/Admin(config-if)# '''no shutdown'''

:host1/Admin(config-if)# '''exit'''

:host1/admin(config)#

=== Configuring Remote Management Access to the ACE from the CLI ===

Before remote network access can occur on the ACE through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE. Configure remote management access to the ACE by following these steps:

1. Create a management-type class map named REMOTE_ACCESS that matches any traffic.

:host1/Admin(config)# '''class-map type management match-any REMOTE_ACCESS'''

:host1/Admin(config-cmap-mgmt)#

2. (Optional) Provide a description for the class map.

:host1/Admin(config-cmap-mgmt)# '''description Remote access traffic match'''

3. Configure the match protocol to permit traffic based on the SSH, Telnet, and ICMP protocols for any source address.

:host1/Admin(config-cmap-mgmt)# '''match protocol ssh any'''

:host1/Admin(config-cmap-mgmt)# '''match protocol telnet any'''

:host1/Admin(config-cmap-mgmt)# '''match protocol icmp any'''

:host1/Admin(config-cmap-mgmt)# '''exit'''

:host1/Admin(config)#

4. Create a REMOTE_MGMT_ALLOW_POLICY policy map for traffic destined to an ACE interface.

:host1/Admin(config)# '''policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY'''

:host1/Admin(config-pmap-mgmt)#

5. Apply the previously created REMOTE_ACCESS class map to this policy.

:host1/Admin(config-pmap-mgmt)# '''class REMOTE_ACCESS'''

:host1/Admin(config-pmap-mgmt-c)#

6. Allow the ACE to receive the configured class map management protocols.

:host1/Admin(config-pmap-mgmt-c)# '''permit'''

:host1/Admin(config-pmap-mgmt-c)# '''exit'''

:host1/Admin(config-pmap-mgmt)# '''exit'''

:host1/Admin(config)#

7. Access interface configuration mode for the VLAN to which you want to apply the policy map.

:host1/Admin(config)# '''interface vlan 1000'''

:host1/Admin(config-if)#

8. Apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.

:host1/Admin(config-if)# '''service-policy input''' '''REMOTE_MGMT_ALLOW_POLICY'''

9. Display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface.

:host1/Admin(config-if)# '''do show service-policy REMOTE_MGMT_ALLOW_POLICY'''

:Status : ACTIVE

:-----------------------------------------

:Interface: vlan 1000

: service-policy: REMOTE_MGMT_ALLOW_POLICY

10. Save your configuration changes from the running configuration to the startup configuration.

:host1/Admin(config-if)# '''do copy running-config startup-config'''

:Generating configuration....

:running config of context VC_web saved

:host1/Admin(config-if)# '''exit'''

:host1/Admin(config)# '''exit'''

11. Display the running configuration.

:host1/Admin(config)# '''do''' '''show running-config'''

:Generating configuration....

:class-map type management match-any REMOTE_ACCESS

: description Remote access traffic match

: 2 match protocol telnet any

: 3 match protocol ssh any

: 4 match protocol icmp any

:policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

: class REMOTE_ACCESS

: permit

:interface vlan 1000

: description Management connectivity on VLAN 1000

: ip address 172.25.91.110 255.255.255.0

: service-policy input REMOTE_MGMT_ALLOW_POLICY

: no shutdown

:interface vlan 400

: description client connectivity on VLAN 400

: ip address 10.10.40.10 255.255.255.0

: no shutdown

=== Accessing the ACE through a Telnet Session ===

After you have completed the previous configurations, you can use Telnet to access the ACE through an Ethernet port by using its IP address. Access the ACE through Telnet by following these steps:

1. Initiate a Telnet session from a remote host to the ACE. For example, access the ACE from the VLAN IP address of 172.25.91.110 by entering:

:remote_host# '''telnet 172.25.91.110'''

:Trying 172.25.91.110... Open

2. At the prompt, log in to the ACE. Enter '''admin '''as the user name and for the password, type the new password that you entered in the Step 2 in [[#Enabling Management Connectivity Using the Setup Script|Enabling Management Connectivity Using the Setup Script]].

:host1 login: '''admin'''

:Password: '''xxxxx'''

3. Display the Telnet session.

:host1/Admin# '''show telnet'''

In this section, you have set up your ACE appliance so that you can use the ACE Device Manager or CLI to perform server load-balancing configuration tasks through a remote management interface. Next, you will create a user context for server load balancing.

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context

2008-12-02T14:48:19Z

Kkroeber: /* Configuring the Client-Side VLAN Interface */

This section describes how to create a virtual context for the Cisco 4700 Series Application Control Engine (ACE) appliance.

{| align="right" border="1"
|aling="center"|'''Guide Contents'''
|-
|[[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]] ''Creating a Virtual Context (this section)'' [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]

|}
__TOC__

== Overview ==

After reading this section, you should have a basic understanding of ACE appliance virtualization and be able to partition your ACE into multiple virtual devices or virtual contexts (VCs) for more efficient operation.

Virtualization allows you to create a virtual environment in which a single ACE is partitioned into multiple virtual devices, each functioning as an independent ACE appliance that is configured and managed independently.

You set up virtualization by performing the following configuration steps:

* Configure resource allocation for a virtual context

* Create a virtual context

* Configure access to the virtual context

An example virtual environment will be used throughout this guide, with the user context VC_web, for the web traffic through the network. This user context will be associated with the custom resource class RS_web.

In this section, you will create a virtual context. In subsequent sections, you will create a virtual server within the virtual context. The virtual server is associated with a server farm and real servers. The example setup is illustrated in Table 1.

'''''Table 1 Example Virtual Contexts'''''

{| cellspacing="0" border="1"
|'''Virtual Context'''
|'''Virtual Server'''
|'''Server Farm'''
|'''Real Servers'''
|-
| rowspan="4" align="center"| VC_web
| rowspan="4" align="center"| VS_web
| rowspan="4" align="center"| SF_web
| RS_web1
|-
|RS_web2
|-
|RS_web3
|-
|RS_web4
|}

Before you begin configuring your ACE for virtualization, you should become familiar with a few concepts: virtual context, Admin and user contexts, and resource classes.

With ACE virtualization, you can create a virtual environment, called a virtual context, in which a single ACE appears as multiple virtual devices, each configured and managed independently. A virtual context allows you to closely and efficiently manage system resources, ACE users, and the services that you provide to your customers.

By default, the ACE initially provides you an Admin context, with the ability to define up to five user contexts. (With additional licenses, you can define up to 20 contexts.)

As the system administrator, you have full system administrator access to configure and manage the Admin context and all user contexts. Each context can also have its own administrator and log-in mechanism that provides access only to the specific context. When you log in to the ACE using the console or Telnet, you are authenticated in the Admin context.

Although virtualization allows you to create multiple contexts, in the physical world, you still have a single ACE with finite resources, such as the number of concurrent connections. To address this limitation, the ACE provides resource classes that allow you to manage each virtual context’s access to physical ACE resources. A resource class is a definition of what portion of an ACE’s overall resources will be assigned, at a minimum or maximum, to any given context. One resource class may be associated with one or more contexts.

The ACE is preconfigured with a default resource class for the Admin context. This default resource class is applied to all virtual contexts that you create. It allows a maximum of 100 percent access to all resources by all virtual contexts. When a resource is being used to its maximum limit, the ACE will deny additional requests for that resource from any other virtual contexts. To avoid oversubscribing resources and to help guarantee that resource availability is shared among multiple virtual contexts, you create custom resource classes and associate them with the virtual contexts you define.

== Creating a Virtual Context Using the Device Manager GUI ==

This section describes how to create and configure a virtual context for server load balancing using the ACE Device Manager user interface and contains the following subsections:

* [[#Creating a Resource Class|Creating a Resource Class]]

* [[#Creating a Virtual Context|Creating a Virtual Context]]

* [[#Configuring the Client-Side VLAN Interface|Configuring the Client-Side VLAN Interface]]

* [[#Configuring the Server-Side VLAN Interface|Configuring the Server-Side VLAN Interface]]

=== Creating a Resource Class ===

Create a resource class by following these steps:

1. Choose '''Config > Virtual Contexts > System > Resource Class'''. The Resource Classes pane appears (Figure 1).

:'''''Figure 1 Resource Classes Pane'''''

:[[Image:Resource Classes Pane.jpg]]

2. Click '''Add'''. The New Resource Class window appears (Figure 2).

:'''''Figure 2 New Resource Class Window'''''

:[[Image:New Resource Class Window.jpg]]

3. Enter the following Resource Class attributes. Leave the remaining attributes blank or with their default values.

:* Name: RC_web

:* Default Min: 10

:* Default Max: Unlimited

4. Click '''Deploy Now'''. The Resource Classes pane appears with the newly added resource class (Figure 3).

:'''''Figure 3 Resource Classes Pane with a New Resource Class Added'''''

:[[Image:Resource Classes Pane with a New Resource Class Added.jpg]]

=== Creating a Virtual Context ===

You can create a user context for server load-balancing purposes. For the example configuration, you will create a user context, VC_web, and configure a management VLAN interface to VLAN 1000, as illustrated in Figure 4 (previously configured settings are grayed out).

:'''''Figure 4 Creating a User Context'''''

:[[Image:Creating a User Context.jpg]]

Create a virtual context by following these steps:

1. Choose '''Config > Virtual Contexts'''. The All Virtual Contexts pane appears (Figure 5).

:'''''Figure 5 All Virtual Contexts Pane'''''

:[[Image:All Virtual Contexts Pane.jpg]]

2. Click '''Add'''. The New Virtual Context window appears (Figure 6).

:'''''Figure 6 New Virtual Context Window'''''

:[[Image:New Virtual Context Window.jpg]]

3. Enter the following virtual context attributes. Leave the remaining attributes blank or with their default values.

:* Name: VC_web

:* Resource Class: RC_web

:* Allocate-Interface VLANs: 110, 400, 500 (these VLANs allow the context to receive the associated traffic)

:* Description: Virtual context for marketing website

:* Policy Name: Management

:* VLANs to Use: 110 (this VLAN allows for remote management of the context)

:* Management IP: 172.25.91.111 (this IP address also allows for remote management of the context)

:* Management Netmask: 255.255.255.0

:* Protocols to Allow: SNMP (or any protocols that you allow for this virtual context)

:* Default Gateway IP: 172.25.91.1

4. Click '''Deploy Now''' to deploy this context. Then, choose '''Virtual Contexts'''. The window refreshes with the new virtual context listed in the All Virtual Contexts pane (Figure 7).

:'''''Figure 7 All Virtual Contexts Pane After VC_web is Added'''''

:[[Image:All Virtual Contexts Pane After VC_web is Added.jpg]]

=== Configuring the Client-Side VLAN Interface ===

You can now configure a client-side VLAN interface, which is the address to which client traffic is sent. For the example configuration, you will configure VLAN 400 (Figure 8).

:'''''Figure 8 Configuring the Client-Side VLAN Interface'''''

:[[Image:Configuring the Client-Side VLAN Interface.jpg]]

Configure a client-side VLAN interface by following these steps:

1. Choose '''VC_web''' in the virtual contexts drop-down list.

2. Choose '''Config > Virtual Contexts > Network > VLAN Interfaces'''. The VLAN Interfaces pane appears (Figure 9).

:'''''Figure 9 VLAN Interfaces Pane'''''

:[[Image:VLAN Interfaces Pane.jpg]]

3. Click '''Add''' to add a new VLAN interface. The VLAN Interfaces window appears (Figure 10).

:'''''Figure 10 VLAN Interfaces Window—VLAN 400'''''

:[[Image:VLAN Interfaces Window—VLAN 400.jpg]]

4. Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.

:* VLAN: 400

:* Description: Client-side VLAN interface

:* IP Address: 10.10.40.10

:* Netmask: 255.255.255.0

:* Admin Status: Up

5. Click '''Deploy Now '''at the bottom of the window to save your entry. Then, choose '''VLAN Interfaces''' to return to the VLAN Interfaces pane (Figure 11).

:'''''Figure 11 VLAN Interface Pane with Two VLANs Configured'''''

:[[Image:VLAN Interface Pane with Two VLANs Configured.jpg]]

=== Configuring the Server-Side VLAN Interface ===

At this point, you can now configure the server-side VLAN interface, which is the address to which traffic is sent. For the example configuration, you will configure VLAN 500 and a NAT pool for the VLAN (Figure 12).

'''Note '''Network Address Translation (NAT) is designed to simplify and conserve IP addresses. It allows private IP networks that use unregistered IP addresses to connect to the Internet. You configure a NAT pool for the ACE so that the ACE exposes only one address for the entire network to the outside world. This pool, which hides the entire internal network behind that address, offers both security and address conservation.

'''''Figure 12 Configuring the Server-Side VLAN Interface'''''

[[Image:Configuring the Server-Side VLAN Interface.jpg]]

Configure the VLAN interface by following these steps:

1. Make sure that '''VC_web''' is selected in the virtual contexts drop-down list.

2. Choose '''Config > Virtual Contexts > Network > VLAN Interfaces'''. The VLAN Interfaces pane appears (see Figure 11).

3. Click '''Add''' to add a new VLAN interface. The VLAN Interfaces window appears (see Figure 10).

4. Enter the following VLAN attributes. Leave the remaining attributes blank or with their default values.

:* VLAN: 500

:* Description: Server-side VLAN interface

:* IP Address: 10.10.50.1

:* Netmask: 255.255.255.0

:* Admin Status: Up

5. Click '''Deploy Now '''at the bottom of the window to save your entry. Then, choose '''VLAN Interfaces''' to return to the VLAN Interfaces pane.

6. Choose the row for VLAN 500, and then choose the '''NAT Pool '''tab. The NAT Pool pane appears (Figure 13).

:'''''Figure 13 NAT Pool Pane'''''

:[[Image:NAT Pool Pane.jpg]]

7. Click '''Add''' to add a new NAT pool. The NAT Pool pane appears (Figure 14).

:'''''Figure 14 Configuring a NAT Pool'''''

:[[Image:Configuring a NAT Pool.jpg]]

8. Enter the following NAT pool attributes. Leave the remaining attributes blank or with their default values.

:* NAT Id: 1

:* Start IP Address: 10.10.50.101

:* End IP Address: 10.10.50.104

:* Netmask: 255.255.255.0

9. Click '''Deploy Now '''at the bottom of the window to save your entry and return to the NAT Pool pane (Figure 15).

:'''''Figure 15 NAT Pool Pane with a NAT Pool Configured'''''

:[[Image:NAT Pool Pane with a NAT Pool Configured.jpg]]

== Creating a Virtual Context Using the CLI ==

You can create a virtual context using the command-line interface. This section contains the following subsections:

* [[#Configuring a Resource Class from the CLI|Configuring a Resource Class from the CLI]]

* [[#Creating a Virtual Context from the CLI|Creating a Virtual Context from the CLI]]

* [[#Configuring a Management VLAN Interface to the User Context from the CLI|Configuring a Management VLAN Interface to the User Context from the CLI]]

* [[#Configuring Remote Management Access to the User Contexts from the CLI|Configuring Remote Management Access to the User Contexts from the CLI]]

* [[#Configuring the Client-Side VLAN Interface from the CLI|Configuring the Client-Side VLAN Interface from the CLI]]

* [[#Configuring the Server-Side VLAN Interface from the CLI|Configuring the Server-Side VLAN Interface from the CLI]]

=== Configuring a Resource Class from the CLI ===

Configure a resource class by following these steps:

1. Using the console, log in to the ACE as the system administrator. For example, enter the following command at a command prompt.

:'''Telnet 172.25.91.110'''

At the prompt, enter '''admin''', then the new password you entered in Step 2 in the “Enabling Management Connectivity Using the Setup Script” in [[Setting Up an ACE Appliance]].

:host1 login: '''admin'''

:Password: '''xxxxx'''

2. Enter configuration mode.

:host1/Admin# '''config'''

:host1/Admin(config)#

3. Configure a resource class to limit the resources of a context to 10 percent of the total resources available on the ACE, and exit configuration mode.

:host1/Admin(config)# '''resource-class RS_web'''

:host1/Admin(config-resource)# '''limit-resource all minimum 10 maximum unlimited'''

:host1/Admin(config-resource)# '''exit'''

:host1/Admin(config)#

=== Creating a Virtual Context from the CLI ===

Create a virtual context by following these steps:

1. Create a new context.

:host1/Admin(config)# '''context VC_web'''

:host1/Admin(config-context)#

2. Associate three existing VLANs with the context so that the context can receive traffic classified for it.

:host1/Admin(config-context)# '''allocate-interface vlan 1000'''

:host1/Admin(config-context)# '''allocate-interface vlan 400'''

:host1/Admin(config-context)# '''allocate-interface vlan 500'''

3. Associate the context with the resource class that you created in [[#Configuring a Resource Class|Configuring a Resource Class]].

:host1/Admin(config-context)# '''member RC_web'''

4. Change to the VC_web context that you created in Step 1 and exit configuration mode.

:host1/Admin(config-context)# '''do changeto VC_web'''

:host1/VC_web(config)# '''exit'''

:host1/VC_web#

5. Display the virtual context configuration.

:host1/VC_web# '''show running-config context'''

6. Display the resource class configuration.

:host1/VC_web# '''show running-config resource-class'''

=== Configuring a Management VLAN Interface to the User Context from the CLI ===

You can provide management connectivity to the user context by assigning an IP address to the VLAN interface, as illustrated in Figure 4. Configure a management VLAN interface by following these steps:

1. Access interface configuration mode for VC_web for the VLAN 1000 on VC_web.

:host1/VC_web# '''config'''

:host1/VC_web(config)# '''interface vlan 1000'''

:host1/VC_web(config -if)#

2. Assign an IP address of 172.25.91.111 and a subnet mask of 255.255.255.0 to the VLAN interface for management connectivity.

:host1/VC_web(config-if)# '''ip address 172.25.91.111 255.255.255.0'''

3. Enable the VLAN interface.

:host1/VC_web(config-if)# '''no shutdown'''

4. Show that VLAN 1000 is active.

:host1/VC_web(config-if)# '''do show interface vlan 1000'''

5. Verify network connectivity.

:host1/VC_web(config-if)# '''do ping 172.25.91.111'''

6. Display the ARP table.

:'''Note '''The Address Resolution Protocol (ARP) allows the ACE to manage and learn the mapping of IP to Media Access Control (MAC) information to forward and transmit packets.

:host1/VC_web(config-if)# '''do show arp'''

7. Exit configuration mode.

:host1/VC_web(config-if)# '''exit'''

:host1/VC_web(config)# '''exit'''

:host1/VC_web#

=== Configuring Remote Management Access to the User Contexts from the CLI ===

Before remote network access can occur on the user context through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE. Configure remote management access by following these steps:

1. Create a management type class map named REMOTE_ACCESS that matches any traffic.

:host1/VC_web# '''config'''

:host1/VC_web(config)# '''class-map type management match-any REMOTE_ACCESS'''

:host1/VC_web(config-cmap-mgmt)#

2. (Optional) Provide a description for the class map.

:host1/VC_web(config-cmap-mgmt)# '''description Remote access traffic match'''

3. Configure the match protocol to permit traffic based on the SSH, Telnet, and ICMP protocols for any source address.

:host1/VC_web(config-cmap-mgmt)# '''match protocol ssh any'''

:host1/VC_web(config-cmap-mgmt)# '''match protocol telnet any'''

:host1/VC_web(config-cmap-mgmt)# '''match protocol icmp any'''

:host1/VC_web(config-cmap-mgmt)# '''exit'''

:host1/VC_web(config)#

4. Create a REMOTE_MGMT_ALLOW_POLICY policy map for traffic destined to an ACE interface.

:host1/VC_web(config)# '''policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY'''

:host1/VC_web(config-pmap-mgmt)#

5. Apply the REMOTE_ACCESS class map to this policy.

:host1/VC_web(config-pmap-mgmt)# '''class REMOTE_ACCESS'''

:host1/VC_web(config-pmap-mgmt-c)#

6. Allow the ACE to receive the configured class map management protocols.

:host1/VC_web(config-pmap-mgmt-c)# '''permit'''

:host1/VC_web(config-pmap-mgmt-c)# '''exit'''

:host1/VC_web(config-pmap-mgmt)# '''exit'''

:host1/VC_web(config)#

7. Access interface configuration mode for the VLAN to which you want to apply the policy map.

:host1/VC_web(config)# '''interface vlan 1000'''

:host1/VC_web(config-if)#

8. Apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.

:host1/VC_web(config-if)# '''service-policy input REMOTE_MGMT_ALLOW_POLICY'''

9. Display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface.

:host1/VC_web(config-if)# '''do show service-policy REMOTE_MGMT_ALLOW_POLICY'''

10. Copy your configuration changes from the running configuration to the startup configuration.

:host1/VC_web(config-if)# '''do copy running-config startup-config'''

:Generating configuration....

:running config of context VC_web saved

:host1/VC_web(config-if)# '''exit'''

:host1/VC_web(config)# '''exit'''

11. Display the running configuration.

:host1/VC_web(config)# '''do show running-config'''

=== Configuring the Client-Side VLAN Interface from the CLI ===

At this point, you can configure a client-side VLAN interface, the address to which the client traffic is sent, as illustrated in Figure 8. Configure a client-side VLAN interface by following these steps:

1. Access interface configuration mode for the VLAN 400.

:host1/VC_web(config)# '''interface vlan 400'''

:host1/VC_web(config -if)#

2. Assign an IP address of 10.10.40.1 and a subnet mask of 255.255.255.0 to the VLAN interface for client connectivity.

:host1/VC_web(config-if)# '''ip address 10.10.40.1 255.255.255.0'''

3. (Optional) Provide a description for the interface.

:host1/VC_web(config-if)# '''description Client connectivity on VLAN 400'''

4. Enable the VLAN interface.

:host1/VC_web(config-if)# '''no shutdown'''

5. Show that VLAN 400 is active.

:host1/VC_web(config-if)# '''do show interface vlan 400'''

6. Display the ARP table.

:host1/VC_web(config-if)# '''do show arp'''

7. Exit configuration mode.

:host1/VC_web(config-if)# '''exit'''

:host1/VC_web(config)# '''exit'''

:host1/VC_web#

=== Configuring the Server-Side VLAN Interface from the CLI ===

Next, you can configure a server-side VLAN interface, the address to which the server traffic is sent, as illustrated in Figure 12. Configure the server-side VLAN interface by following these steps:

1. Access interface configuration mode for the VLAN 500.

:host1/VC_web# '''config'''

:host1/VC_web(config)# '''interface vlan 500'''

:host1/VC_web(config -if)#

2. Assign an IP address of 10.10.50.1 and a subnet mask of 255.255.255.0 to the VLAN interface for server-side connectivity.

:host1/VC_web(config-if)# '''ip address 10.10.50.1 255.255.255.0'''

3. (Optional) Provide a description for the interface.

:host1/VC_web(config-if)# '''description Server connectivity on VLAN 500'''

4. Enable the VLAN interface.

:host1/VC_web(config-if)# '''no shutdown'''

5. Configure a NAT pool.

:host1/VC_web(config-if)# '''nat-pool 1 10.10.50.101 10.10.50.104 netmask 255.255.255.0'''

6. Show that VLAN 500 is active.

:host1/VC_web(config-if)# '''do show interface vlan 500'''

7. Display the ARP table.

:host1/VC_web(config-if)# '''do show arp'''

8. Exit configuration mode.

:host1/VC_web(config-if)# '''exit'''

:host1/VC_web(config)# '''exit'''

:host1/VC_web#

In this section, you have partitioned your ACE into an Admin context and a user context VC_web. Each of the virtual contexts is now associated with a resource class that is appropriate to its intended use. You have also configured a management VLAN interface, as well as the client and server VLAN interfaces to the user context.

In the next section, you will configure an access control list to secure your network.

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context

2008-12-02T14:47:39Z

Kkroeber: /* Creating a Virtual Context */

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance

2008-12-02T14:46:58Z

Kkroeber: /* Establishing a Console Connection on the ACE */

This section describes how to set up a Cisco 4700 Series Application Control Engine (ACE) appliance.

{| align="right" border="1"
|aling="center"|'''Guide Contents'''
|-
|[[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]] ''Setting Up the ACE Appliance (this section)'' [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]
|}
__TOC__

== Overview ==

After reading this section, you should have a basic understanding of how to configure a ACE appliance with the networking parameters necessary for communicating with a management device to configure server load balancing.

After some initial setup using the CLI, you can complete the procedures in this section using the Device Manager GUI.

Before performing the procedures in this section, make sure that you complete the ACE installation instructions as described in the
[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html ''Cisco ACE 4710 Appliance Hardware Installation Guide''].

Configuring an ACE involves the following basic steps:

1. Establishing a console connection on the ACE.

2. Enable management connectivity to the ACE through a Gigabit Ethernet port.

3. Log in to the ACE.

4. Configure a second Gigabit Ethernet port for client-side connectivity.

5. Configure a third Gigabit Ethernet port for server-side connectivity.

This section describes how to set up an ACE appliance using the example network setup illustrated in Figure 1.

'''''Figure 1 Example Network Setup'''''

[[Image:Example Network Setup.jpg]]

The configuration of the example setup is as follows:

* VLAN 1000 is assigned to the first Gigabit Ethernet port and is used for management traffic for both the Admin context and a user context.

:'''Note '''A virtual local area network (VLAN) is a logical division of a computer network within which information can be transmitted for all devices to receive. VLANs enable you to segment a switched network so that devices in one VLAN do not receive information packets from devices in another VLAN.

* VLAN 400 is assigned to the second Gigabit Ethernet port and is used for client-side traffic.

* VLAN 500 is assigned to the third Gigabit Ethernet port and is used for server-side traffic.

* None of the three Gigabit Ethernet ports used are trunked.

* A management VLAN interface is configured for the Admin context with VLAN 1000 and IP address 172.25.91.110.

* A management VLAN interface is configured for the user context VC_web with VLAN 1000 and IP address 172.25.91.111.

* A client-side VLAN interface is configured for the user context VC_web with VLAN 400 and IP address 10.10.40.10.

* A server-side VLAN interface is configured for the user context VC_web with VLAN 500 and IP address 10.10.50.1.

* Four web servers are available to the ACE for load-balancing client requests.

== Establishing a Console Connection on the ACE ==

The ACE has one standard RS-232 serial port on its rear panel that operates as the console port. You can establish a direct serial connection between the ACE and your terminal (or a PC with terminal software) by making a serial connection to this console port. The integrated serial port accepts a 9-pin female D shell connector. Use a straight-through cable to connect the ACE to the terminal or a PC. See the [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html ''Cisco ACE 4710 Appliance Hardware Installation Guide''] for more instructions on connecting a console cable to your ACE appliance.

The ACE appliance has four physical Ethernet interface ports. All VLANs are assigned to these ports. The four Ethernet ports provide the physical connection between the ACE and the servers, PCs, routers, and other devices. You can configure the Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. After the VLANs are assigned, you can configure the corresponding VLAN interfaces so that the ACE can provide different networking functions for different VLANs.

'''Note '''Only the Admin context is directly accessible through the console port; all other contexts can be accessed through Telnet or SSH sessions on the Ethernet ports.

After making the console connection, you can use any terminal communications application to access the ACE CLI.

'''Note '''If the appliance is not on, press the power button on the front of the ACE to start the boot process (see the [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html ''Cisco ACE 4710 Appliance Hardware Installation Guide''] for details).

Access the ACE CLI using HyperTerminal for Windows by following these steps:

1. Launch HyperTerminal.

:The Connection Description window appears (Figure 2).

:'''''Figure 2 HyperTerminal—Connection Description'''''

[[Image:HyperTerminal—Connection_Description.jpg]]

2. Enter a name for your connection in the Name field.

3. Click '''OK'''. The Connect To window appears (Figure 3).

:'''''Figure 3 HyperTerminal—Connect To'''''

:[[Image:HyperTerminal—Connect To.jpg]]

4. From the Connect using drop-down list, choose the COM port to which the device is connected.

5. Click '''OK'''. The Port Properties window appears (Figure 4).

:'''''Figure 4 HyperTerminal—Port Properties'''''

:[[Image:HyperTerminal—Port Properties.jpg]]

6. Set the port properties:

:* Bits per second = 9600

:* Data bits = 8

:* Parity = none

:* Stop bits = 1

:* Flow control = None

7. Click '''OK''' to connect.

== Enabling Management Connectivity Using the Setup Script ==

When you boot the ACE for the first time and the ACE does not detect a startup configuration file, a setup script guides you through the process of configuring a management VLAN on the ACE through one of its Gigabit Ethernet ports to enable connectivity to the Device Manager GUI.

After running the setup script, the management VLAN is allocated to the specified Gigabit Ethernet port and the VLAN interface is configured on the ACE, as illustrated in Figure 5.

'''''Figure 5 Configuration After the Setup Script is Executed'''''

[[Image:Configuration After the Setup Script is Executed.jpg]]

Configure the ACE using the setup script by following these steps:

1. At the login prompt, log into the ACE by entering the login username admin and password. By default, the username and password are admin. For example, enter:

:Starting sysmgr processes.. Please wait...Done!!!

:switch login: '''admin'''

:Password: '''admin'''

2. At the Enter the new password for “admin”: prompt, change the default Admin password. If you do not change the default Admin password, after you upgrade the ACE software you will only be able to log in to the ACE through the console port.

:Enter the new password for “admin”: '''xxxxx'''

:Confirm the new password for “admin”: '''xxxxx'''

:admin user password successfully changed.

3. At the Enter the new password for “www”: prompt, change the default www user password. If you do change the default www user password, the www user will be disabled and you will not be able to use Extensible Markup Language (XML) to remotely configure an ACE until you change the default www user password.

:Enter the new password for “www”: '''xxxxx'''

:Confirm the new password for “www”: '''xxxxx'''

:www user password successfully changed.

:This script will perform the configuration necessary for a user to manage the ACE Appliance using the ACE Device Manager. The management port is a designated Ethernet port which has access to the same network as your management tools including the ACE Device Manager. You will be prompted for the Port Number, IP Address, Netmask and Default Route (optional).

:Enter ‘ctrl-c’ at any time to quit the script

:'''Caution '''At this point, you should consider whether you plan to configure the ACE using the Device Manager GUI or using the CLI. If you have a trunking network setup, or if your VLAN 1000 has been used, you should bypass the following setup script and use the CLI as described in [[#Setting Up an ACE Appliance Using the CLI|Setting Up an ACE Appliance Using the CLI]].

4. At the “Would you like to enter the basic configuration dialog? (yes/no)” prompt, press '''Enter''' to continue the setup. To bypass setup and directly access the CLI, type '''no'''.

:Would you like to enter the basic configuration dialog? (yes/no) [y]:

:'''Note '''The ACE provides a default response in brackets [ ] for each question in the setup script. Accept the default response to a configuration prompt by pressing '''Enter'''.

5. Select port 1 to carry management VLAN communication by pressing '''Enter'''.

:Enter the Ethernet port number to be used as the management port (1-4):? [1]:

6. Assign an IP address for the management VLAN interface by entering '''172.25.91.110'''.

:Enter the management port IP Address (n.n.n.n): [192.168.1.10]: '''172.25.91.110'''

7. Accept the default subnet mask for the management VLAN interface by pressing '''Enter'''.

:Enter the management port Netmask(n.n.n.n): [255.255.255.0]:

8. Assign the IP address of the gateway router (the next-hop address for this route) by entering '''172.25.91.1'''.

:Enter the default route next hop IP Address (n.n.n.n) or <enter> to skip this step: '''172.25.91.1'''

9. Examine the entered values.

:Summary of entered values:

:Management Port: 1

:Ip address 172.25.91.110

:Netmask: 255.255.255.0

:Default Route: 172.25.91.1

10. Review the configuration details by pressing '''d'''.

:Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:

:interface gigabitEthernet 1/3

: switchport access vlan 1000

: no shut

:access-list ALL extended permit ip any any

:class-map type management

:match-any remote_access

: match protocol xml-https any

: match protocol dm-telnet any

: match protocol icmp any

: match protocol telnet any

: match protocol ssh any

: match protocol http any

: match protocol https any

: match protocol snmp any

:policy-map type management first-match remote_mgmt_allow_policy

: class remote_access

: permit

:interface vlan 1000

: ip address 172.25.91.110 255.255.255.0

: access-group input ALL

: service-policy input remote_mgmt_allow_policy

: no shutdown

:ssh key rsa

:ip route 0.0.0.0 0.0.0.0 172.25.91.1

11. Accept this configuration by pressing '''Enter'''; otherwise, press '''n'''.

:Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:

12. After you select '''y''', the following message appears.

:Configuration successfully applied. You can now manage this ACE Appliance by entering the url 'https://172.25.91.110' into a web browser to access the Device Manager GUI.

After you have completed the setup script, the command prompt appears.

:switch/Admin#

After you specify a Gigabit Ethernet port, port mode, and management VLAN, the setup script automatically applies the following default configuration:

* A Management VLAN is allocated to the specified Ethernet port.

* An extended IP access list that allows IP traffic originating from any other host addresses.

* A traffic classification is created for management protocols HTTP, HTTPS, ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated to connectivity with the Device Manager GUI.

* A VLAN interface is configured on the ACE.

== Assigning a Name to the ACE ==

The hostname is used for the command-line prompts and default configuration filenames. When you establish sessions to multiple devices, the hostname helps you keep track of which ACE you are entering commands to. By default, the hostname for the ACE is switch.

For example, change the hostname of the ACE from switch to host1 by entering:

:switch/Admin# '''Config'''

:switch/Admin(config)# '''hostname''' '''host1'''

The prompt appears with the new hostname.

:host1/Admin(config)#

== Setting Up an ACE Appliance Using the Device Manager GUI ==

You can set up an ACE appliance using the Device Manager GUI or the CLI. This section describes how to set up an ACE using the GUI, and includes the following sections:

* [[#Logging in to the ACE|Logging in to the ACE]]

* [[#Configuring a Second Gigabit Ethernet Interface Port|Configuring a Second Gigabit Ethernet Interface Port]]

* [[#Configuring a Third Gigabit Ethernet Interface Port|Configuring a Third Gigabit Ethernet Interface Port]]

=== Logging in to the ACE ===

You can access the ACE Device Manager GUI through a web-based interface. Log in to the Device Manager by following these steps:

1. Navigate to the ACE Device Manager by entering the secure HTTPS address or hostname of the ACE in the address field of a web browser. For the example setup shown earlier in Figure 1, enter:

:'''https://172.25.91.110/'''

2. Click '''Yes '''at the prompt to accept (trust) and install the signed certificate from Cisco Systems, Inc. To avoid having to approve the signed certificate every time you log in to the Device Manager, accept the certificate.

:The Device Manager GUI Login window appears (Figure 6).

:'''Note '''Because this product is regularly updated, you may notice minor variations between the figures in this manual and the windows that appear in the software version you are running.

:'''''Figure 6 Device Manager GUI Login Window'''''

:[[Image:Device Manager GUI Login Window.jpg]]

3. In the User Name field, type '''admin '''for the admin user account.

4. In the Password field, type the new password that you entered in Step 2 in [[#Enabling Management Connectivity Using the Setup Script|Enabling Management Connectivity Using the Setup Script]].

5. Click '''Login'''. The default window that appears is the Virtual Contexts window with the Admin context listed, as shown in Figure 7.

:'''''Figure 7 Virtual Contexts Pane (Admin Context)'''''

:[[Image:Virtual Contexts Pane (Admin Context).jpg]]

=== Configuring a Second Gigabit Ethernet Interface Port ===

You can configure a second Gigabit Ethernet interface port to connect to clients. For the example configuration, you will configure Gigabit Ethernet interface port 2 as illustrated in Figure 8 (previously configured settings are grayed out).

:'''''Figure 8 Configuring a Second Gigabit Ethernet Interface Port to Connect to Clients'''''

:[[Image:Configuring a Second Gigabit Ethernet Interface Port to Connect to Clients.jpg]]

Configure a second Gigabit Ethernet port by following these steps:

1. Choose '''Config > Virtual Contexts > Network > GigabitEthernet Interfaces'''. The GigabitEthernet Interfaces pane appears (Figure 9).

:'''Note '''Only users authenticated in the Admin context can configure the Gigabit Ethernet interface ports.

:'''''Figure 9 GigabitEthernet Interfaces Pane—gigabitEthernet 1/2'''''

:[[Image:GigabitEthernet Interfaces Pane-gigabitEthernet 1_2.jpg]]

2. In the GigabitEthernet Interfaces pane, choose '''gigabitEthernet 1/2''', and then click '''Edit '''to define attributes for the port. The GigabitEthernet Interfaces window appears (Figure 10).

:'''''Figure 10 GigabitEthernet Interfaces Window—gigabitEthernet 1/2'''''

:[[Image:GigabitEthernet Interfaces Window—gigabitEthernet 1_2.jpg]]

3. Enter the following attributes for port 2. Leave the remaining attributes blank or with their default values.

:* Admin Status: Up

:* Speed: Auto

:* Port Operation Mode: Switchport

:* Switchport type: Access

:* Access Vlan: 400

4. Click '''Deploy Now '''to save these settings and to return to the GigabitEthernet Interfaces pane (Figure 11).

:'''''Figure 11 GigabitEthernet Interfaces Pane with Ethernet Port 2 Configured'''''

:[[Image:GigabitEthernet Interfaces Pane with Ethernet Port 2 Configured.jpg]]

=== Configuring a Third Gigabit Ethernet Interface Port ===

You can configure a third Gigabit Ethernet interface port to connect to the servers. For the example configuration, you will configure Gigabit Ethernet interface port 3 as illustrated in Figure 12 (previously configured settings are grayed out.)

:'''''Figure 12 Configuring a Third Gigabit Ethernet Interface Port to Connect to the Servers'''''

:[[Image:Configuring a Third Gigabit Ethernet Interface Port to Connect to the Servers.jpg]]

Configure a third Gigabit Ethernet port by following these steps:

1. In the GigabitEthernet Interfaces pane, choose '''gigabitEthernet 1/3''', and then click '''Edit''' to define attributes for the port. The GigabitEthernet Interfaces window appears (see Figure 10).

2. Enter the following attributes for port 3. Leave the remaining attributes blank or with their default values.

:* Admin Status: Up

:* Speed: Auto

:* Port Operation Mode: Switchport

:* Switchport type: Access

:* Access VLAN: 500

3. Click '''Deploy Now '''to save these settings and to return to the GigabitEthernet Interfaces pane (Figure 13).

:'''''Figure 13 GigabitEthernet Interfaces Pane with Ethernet Port 3 Configured'''''

:[[Image:GigabitEthernet Interfaces Pane with Ethernet Port 3 Configured.jpg]]

== Setting Up an ACE Appliance Using the CLI ==

You can set up an ACE appliance using the Device Manager GUI or the CLI. This section describes how to set up an ACE using the CLI, and includes the following sections:

* [[#Logging in to the ACE Using the CLI|Logging in to the ACE Using the CLI]]

* [[#Configuring the First Gigabit Ethernet Port from the CLI|Configuring the First Gigabit Ethernet Port from the CLI]]

* [[#Allocating the First Gigabit Ethernet Port to a VLAN from the CLI|Allocating the First Gigabit Ethernet Port to a VLAN from the CLI]]

* [[#Configuring a Management VLAN Interface on the ACE from the CLI|Configuring a Management VLAN Interface on the ACE from the CLI]]

* [[#Configuring a Second Gigabit Ethernet Interface Port from the CLI|Configuring a Second Gigabit Ethernet Interface Port from the CLI]]

* [[#Configuring a Third Gigabit Ethernet Interface Port from the CLI|Configuring a Third Gigabit Ethernet Interface Port from the CLI]]

* [[#Configuring Remote Management Access to the ACE from the CLI|Configuring Remote Management Access to the ACE from the CLI]]

* [[#Accessing the ACE through a Telnet Session|Accessing the ACE through a Telnet Session]]

=== Logging in to the ACE Using the CLI ===

After you have established a direct serial connection between the ACE and your terminal or a PC (see [[#Establishing a Console Connection on the ACE|Establishing a Console Connection on the ACE]]), you can set up the ACE using the CLI.

When the setup script displays the “Would you like to enter the basic configuration dialog? (yes/no):” prompt, enter '''no''' to access the CLI. Log in to the ACE by following these steps:

1. At the login prompt, enter '''admin'''. For the password, type the new password that you entered in Step 2 in [[#Enabling Management Connectivity Using the Setup Script|Enabling Management Connectivity Using the Setup Script]].

:host1 login: '''admin'''

:Password: '''xxxxx'''

You are ready to use the ACE CLI when the following prompt appears.

:host1/Admin#

2. Set the '''terminal session-timeout '''command to 0 to prevent this current session from timing out. By default, a session on the ACE is automatically logged out after 5 minutes of inactivity.

:host1/Admin# '''terminal session-timeout''' '''0'''

:host1/Admin#

=== Configuring the First Gigabit Ethernet Port from the CLI ===

You can configure a Gigabit Ethernet interface port for the ACE management traffic. For the example configuration, you will configure Gigabit Ethernet interface port 1. Configure the first Gigabit Ethernet port by following theses steps:

1. Configure a Layer 2 Gigabit Ethernet port on the ACE by using the '''interface gigabitEthernet ''''''''slot_number/port_number '''''command in configuration mode.

:'''Note '''The slot_number specifies the physical slot on the ACE that contains the Ethernet ports. For the current release of the ACE appliance, this selection is always 1.

:Configure Gigabit Ethernet port 1 and enter interface configuration mode by entering:

:host1/Admin# '''config'''

:host1/Admin(config)# '''interface gigabitEthernet 1/1'''

:host1/Admin(config-if)#

2. Enable the Gigabit Ethernet port by using the '''no shutdown '''command in interface configuration mode. Disable a running Gigabit Ethernet port by using the '''shutdown''' command; bring one up by using the '''no shutdown''' command.

:host1/Admin(config-if)# '''no shutdown'''

3. Display the configuration of the interface by using the '''do '''command with the '''show interface''' command.

:host1/admin(config-if)# '''do show interface vlan 1000'''

=== Allocating the First Gigabit Ethernet Port to a VLAN from the CLI ===

After you configure an Gigabit Ethernet port, the next step is to allocate it to a VLAN. For the example configuration, you will allocate the first Gigabit Ethernet port to VLAN 1000, as illustrated in Figure 14 (previously configured settings are grayed out.)

'''''Figure 14 Allocating the First Gigabit Ethernet Port to a VLAN'''''

[[Image:Allocating the First Gigabit Ethernet Port to a VLAN.jpg]]

Allocate the port to a VLAN by following these steps:

1. Assign one or more VLAN numbers to the Gigabit Ethernet port by using the '''switchport trunk allowed vlan ''''''''vlan_list '''''command in interface configuration mode. The vlan_list argument can include:

:* A single VLAN number

:* Beginning and ending VLAN numbers separated by a hyphen

:* Specific VLAN numbers separated by commas

:Valid entries are 1 through 4094. Do not enter any spaces in a hyphenated range or in a comma-separated list of numbers in the vlan_list argument.

:'''Note '''You can associate a VLAN number with only one Gigabit Ethernet port.

:Add VLAN 1000 to the defined list of VLANs currently set for Gigabit Ethernet port 1 by entering:

:host1/Admin(config)# '''interface gigabitEthernet 1/1'''

:host1/Admin(config-if)# '''switchport access allowed vlan 1000'''

2. Enable VLAN access for the specified Layer 2 Gigabit Ethernet port by using the '''no shutdown '''command in interface configuration mode.

:host1/Admin(config-if)# '''no shutdown'''

:host1/Admin(config-if)# '''exit'''

:host1/Admin(config)#

=== Configuring a Management VLAN Interface on the ACE from the CLI ===

You can provide management connectivity to the ACE by assigning an IP address to the VLAN interface on the ACE. For the example configuration, you will assign an IP address 172.25.91.110 and a subnet mask of 255.255.255.0 to VLAN 1000, as illustrated in Figure 15 (previously configured settings are grayed out).

'''''Figure 15 Configuring a Management VLAN Interface on the ACE'''''

[[Image:Configuring a Management VLAN Interface on the ACE.jpg]]

Configure a VLAN interface on the ACE by following these steps:

1. Access interface configuration mode for the VLAN 1000.

:host1/Admin(config)# '''interface vlan 1000'''

:host1/Admin(config-if)#

2. Assign an IP address of 172.25.91.110 and a subnet mask of 255.255.255.0 to the VLAN interface for management connectivity.

:host1/Admin(config-if)# '''ip address 172.25.91.110 255.255.255.0'''

3. (Optional) Provide a description for the interface.

:host1/Admin(config-if)# '''description Management connectivity on VLAN 1000'''

4. Enable the VLAN interface.

:host1/Admin(config-if)# '''no shutdown'''

5. Display the configuration of VLAN 1000.

:host1/Admin(config-if)# '''do show interface vlan 1000'''

6. Verify network connectivity by using the '''ping''' command. This command verifies the connectivity of a remote host or server by sending echo messages from the ACE.

:host1/Admin(config-if)# '''do ping 172.25.91.110'''

7. Exit the interface configuration mode.

:host1/Admin(config-if)# '''exit'''

:host1/Admin(config)#

=== Configuring a Second Gigabit Ethernet Interface Port from the CLI ===

You can configure a second Gigabit Ethernet interface port to connect to clients. For the example configuration, you will configure Gigabit Ethernet interface port 2 as illustrated in Figure 8. Configure the second Gigabit Ethernet Interface port by following these steps:

1. Add VLAN 400 to the defined list of VLANs currently set for Gigabit Ethernet port 2.

:host1/Admin(config)# '''interface gigabitEthernet 1/2'''

:host1/Admin(config-if)# '''switchport access vlan 400'''

2. Enable the Gigabit Ethernet port.

:host1/Admin(config-if)# '''no shutdown'''

:host1/Admin(config-if)# '''exit'''

:host1/admin(config)#

=== Configuring a Third Gigabit Ethernet Interface Port from the CLI ===

You can configure a third Gigabit Ethernet interface port to connect to the servers. For the example configuration, you will configure Gigabit Ethernet interface port 3 as illustrated in Figure 12. Configure the third Gigabit Ethernet Interface port by following these steps:

1. Add VLAN 500 to the defined list of VLANs currently set for Gigabit Ethernet port 3.

:host1/Admin(config)# '''interface gigabitEthernet 1/3'''

:host1/Admin(config-if)# '''switchport access allowed vlan 500'''

2. Enable the Ethernet port.

:host1/Admin(config-if)# '''no shutdown'''

:host1/Admin(config-if)# '''exit'''

:host1/admin(config)#

=== Configuring Remote Management Access to the ACE from the CLI ===

Before remote network access can occur on the ACE through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE. Configure remote management access to the ACE by following these steps:

1. Create a management-type class map named REMOTE_ACCESS that matches any traffic.

:host1/Admin(config)# '''class-map type management match-any REMOTE_ACCESS'''

:host1/Admin(config-cmap-mgmt)#

2. (Optional) Provide a description for the class map.

:host1/Admin(config-cmap-mgmt)# '''description Remote access traffic match'''

3. Configure the match protocol to permit traffic based on the SSH, Telnet, and ICMP protocols for any source address.

:host1/Admin(config-cmap-mgmt)# '''match protocol ssh any'''

:host1/Admin(config-cmap-mgmt)# '''match protocol telnet any'''

:host1/Admin(config-cmap-mgmt)# '''match protocol icmp any'''

:host1/Admin(config-cmap-mgmt)# '''exit'''

:host1/Admin(config)#

4. Create a REMOTE_MGMT_ALLOW_POLICY policy map for traffic destined to an ACE interface.

:host1/Admin(config)# '''policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY'''

:host1/Admin(config-pmap-mgmt)#

5. Apply the previously created REMOTE_ACCESS class map to this policy.

:host1/Admin(config-pmap-mgmt)# '''class REMOTE_ACCESS'''

:host1/Admin(config-pmap-mgmt-c)#

6. Allow the ACE to receive the configured class map management protocols.

:host1/Admin(config-pmap-mgmt-c)# '''permit'''

:host1/Admin(config-pmap-mgmt-c)# '''exit'''

:host1/Admin(config-pmap-mgmt)# '''exit'''

:host1/Admin(config)#

7. Access interface configuration mode for the VLAN to which you want to apply the policy map.

:host1/Admin(config)# '''interface vlan 1000'''

:host1/Admin(config-if)#

8. Apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.

:host1/Admin(config-if)# '''service-policy input''' '''REMOTE_MGMT_ALLOW_POLICY'''

9. Display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface.

:host1/Admin(config-if)# '''do show service-policy REMOTE_MGMT_ALLOW_POLICY'''

:Status : ACTIVE

:-----------------------------------------

:Interface: vlan 1000

: service-policy: REMOTE_MGMT_ALLOW_POLICY

10. Save your configuration changes from the running configuration to the startup configuration.

:host1/Admin(config-if)# '''do copy running-config startup-config'''

:Generating configuration....

:running config of context VC_web saved

:host1/Admin(config-if)# '''exit'''

:host1/Admin(config)# '''exit'''

11. Display the running configuration.

:host1/Admin(config)# '''do''' '''show running-config'''

:Generating configuration....

:class-map type management match-any REMOTE_ACCESS

: description Remote access traffic match

: 2 match protocol telnet any

: 3 match protocol ssh any

: 4 match protocol icmp any

:policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

: class REMOTE_ACCESS

: permit

:interface vlan 1000

: description Management connectivity on VLAN 1000

: ip address 172.25.91.110 255.255.255.0

: service-policy input REMOTE_MGMT_ALLOW_POLICY

: no shutdown

:interface vlan 400

: description client connectivity on VLAN 400

: ip address 10.10.40.10 255.255.255.0

: no shutdown

=== Accessing the ACE through a Telnet Session ===

After you have completed the previous configurations, you can use Telnet to access the ACE through an Ethernet port by using its IP address. Access the ACE through Telnet by following these steps:

1. Initiate a Telnet session from a remote host to the ACE. For example, access the ACE from the VLAN IP address of 172.25.91.110 by entering:

:remote_host# '''telnet 172.25.91.110'''

:Trying 172.25.91.110... Open

2. At the prompt, log in to the ACE. Enter '''admin '''as the user name and for the password, type the new password that you entered in the Step 2 in [[#Enabling Management Connectivity Using the Setup Script|Enabling Management Connectivity Using the Setup Script]].

:host1 login: '''admin'''

:Password: '''xxxxx'''

3. Display the Telnet session.

:host1/Admin# '''show telnet'''

In this section, you have set up your ACE appliance so that you can use the ACE Device Manager or CLI to perform server load-balancing configuration tasks through a remote management interface. Next, you will create a user context for server load balancing.

File:HyperTerminal—Connection Description.jpg

2008-12-02T14:36:01Z

Kkroeber: Removing all content from page

File:HyperTerminal—Connection Description.jpg

2008-12-02T14:35:46Z

Kkroeber:

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance

File:VLAN Interfaces Window—VLAN 400.jpg

2008-12-02T14:25:06Z

Kkroeber:

File:GigabitEthernet Interfaces Window—gigabitEthernet 1 2.jpg

2008-12-02T14:23:06Z

Kkroeber:

File:HyperTerminal—Port Properties.jpg

2008-12-02T14:21:12Z

Kkroeber:

File:HyperTerminal—Connect To.jpg

2008-12-02T14:20:27Z

Kkroeber:

File:HyperTerminal—Connection Description.jpg

2008-12-02T14:18:22Z

Kkroeber:

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0)

2008-10-15T14:14:44Z

Kkroeber: /* Related Documentation */

{| align="center" border="1"
|align="left"|Welcome to '''Cisco DocWiki'''. We encourage [http://tools.cisco.com/RPF/register/register.do registered Cisco.com users] to contribute to this wiki to collaborate on Cisco product documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions or comments about documentation content. 
See [[DocWiki:Terms_of_use|Terms of Use]] and [[DocWiki:About|About DocWiki]] for more information about Cisco DocWiki. 
Click [http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html here] to return to the Cisco ACE 4700 Series Appliance documentation on www.cisco.com.
|}

__TOC__

The ''Cisco ACE 4700 Series Application Control Engine Appliance Quick Start Guide'' provides the following information:

* An overview of the major functions and features of the Cisco 4700 Series Application Control Engine (ACE) appliance

* Instructions on how to initially configure the ACE to allow traffic and basic load balancing

* Instructions on how to configure the ACE to provide various scalability and security capabilities

== Audience ==

This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:

* Web master

* System administrator

* System operator

== How To Use This Guide ==

This guide is organized into the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]]—Provides an overview of the major functions and features of the ACE

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]—Provides procedures to initially configure the ACE to allow the passing of traffic and remote access

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]—Provides procedures to partition the ACE into virtual contexts for more efficient operation

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]]—Provides procedures to configure an access control list in an ACE to secure your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]]—Provides procedures to configure a user with permission to perform limited operations and access a subset of your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]—Provides procedures to configure the ACE to allow basic server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]]—Provides procedures to select a predefined predictor for server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]]—Provides procedures to configure server persistence for requests from a client using stickiness

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]]—Provides procedures to configure SSL security for your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]—Provides procedures to configure server health monitoring using health probes

If you are already familiar with the ACE appliance and would like to quickly set up the device for basic server load balancing, you can follow the configuration procedures in the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]

The remaining sections in this guide allow you to explore additional capabilities of the ACE.

== Related Documentation ==

In addition to this document, the ACE documentation set includes the following documents:

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html Cisco ACE 4710 Appliance Hardware Installation Guide]

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html Release Note for the Cisco 4700 Series Application Control Engine Appliance (Software Version A3(x.x))]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/admgd.html Cisco 4700 Series Application Control Engine Appliance Administration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/app_acc_and_opt/guide/appaccoptgd.html Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/cmdref.html Cisco 4700 Series Application Control Engine Appliance Command Reference]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/rtbrgdgd.html Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd.html Cisco ACE 4700 Series Appliance Security Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/slbgd.html Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd.html Cisco ACE 4700 Series Appliance SSL Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/system/message/guide/sysmsggd.html Cisco ACE 4700 Series Appliance System Message Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/virtgd.html Cisco ACE 4700 Series Appliance Virtualization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/css_to_ace/guide/cssaceug.html Cisco CSS-to-ACE Conversion Tool User Guide]

[[Category:Cisco ACE Appliance Quick Start Guide]]

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0)

2008-10-15T12:08:51Z

Kkroeber: /* Related Documentation */

{| align="center" border="1"
|align="left"|Welcome to '''Cisco DocWiki'''. We encourage [http://tools.cisco.com/RPF/register/register.do registered Cisco.com users] to contribute to this wiki to collaborate on Cisco product documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions or comments about documentation content. 
See [[DocWiki:Terms_of_use|Terms of Use]] and [[DocWiki:About|About DocWiki]] for more information about Cisco DocWiki. 
Click [http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html here] to return to the Cisco ACE 4700 Series Appliance documentation on www.cisco.com.
|}

__TOC__

The ''Cisco ACE 4700 Series Application Control Engine Appliance Quick Start Guide'' provides the following information:

* An overview of the major functions and features of the Cisco 4700 Series Application Control Engine (ACE) appliance

* Instructions on how to initially configure the ACE to allow traffic and basic load balancing

* Instructions on how to configure the ACE to provide various scalability and security capabilities

== Audience ==

This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:

* Web master

* System administrator

* System operator

== How To Use This Guide ==

This guide is organized into the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]]—Provides an overview of the major functions and features of the ACE

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]—Provides procedures to initially configure the ACE to allow the passing of traffic and remote access

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]—Provides procedures to partition the ACE into virtual contexts for more efficient operation

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]]—Provides procedures to configure an access control list in an ACE to secure your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]]—Provides procedures to configure a user with permission to perform limited operations and access a subset of your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]—Provides procedures to configure the ACE to allow basic server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]]—Provides procedures to select a predefined predictor for server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]]—Provides procedures to configure server persistence for requests from a client using stickiness

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]]—Provides procedures to configure SSL security for your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]—Provides procedures to configure server health monitoring using health probes

If you are already familiar with the ACE appliance and would like to quickly set up the device for basic server load balancing, you can follow the configuration procedures in the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]

The remaining sections in this guide allow you to explore additional capabilities of the ACE.

== Related Documentation ==

In addition to this document, the ACE documentation set includes the following documents:

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html Cisco ACE 4710 Appliance Hardware Installation Guide]

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html Release Note for the Cisco 4700 Series Application Control Engine Appliance (Software Version A3(x.x))]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/admgd.html Cisco 4700 Series Application Control Engine Appliance Administration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/app_acc_and_opt/guide/appaccoptgd.html Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/cmdref.html Cisco 4700 Series Application Control Engine Appliance Command Reference]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/rtbrgdgd.html Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd.html Cisco ACE 4700 Series Appliance Security Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/slbgd.html Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd.html Cisco ACE 4700 Series Appliance SSL Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/system/message/guide/sysmsggd.html Cisco ACE 4700 Series Appliance System Message Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/virtgd.html Cisco ACE 4700 Series Appliance Virtualization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/css_to_ace/guide/cssaceug.html Cisco CSS-to-ACE Conversion Tool User Guide]

[[Category:Cisco ACE Appliance Quick Start Guide]]

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0)

2008-10-07T18:20:27Z

Kkroeber:

{| align="center" border="1"
|align="left"|Welcome to '''Cisco DocWiki'''. We encourage [http://tools.cisco.com/RPF/register/register.do registered Cisco.com users] to contribute to this wiki to collaborate on Cisco product documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions or comments about documentation content. 
See [[DocWiki:Terms_of_use|Terms of Use]] and [[DocWiki:About|About DocWiki]] for more information about Cisco DocWiki. 
Click [http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html here] to return to the Cisco ACE 4700 Series Appliance documentation on www.cisco.com.
|}

__TOC__

The ''Cisco ACE 4700 Series Application Control Engine Appliance Quick Start Guide'' provides the following information:

* An overview of the major functions and features of the Cisco 4700 Series Application Control Engine (ACE) appliance

* Instructions on how to initially configure the ACE to allow traffic and basic load balancing

* Instructions on how to configure the ACE to provide various scalability and security capabilities

== Audience ==

This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:

* Web master

* System administrator

* System operator

== How To Use This Guide ==

This guide is organized into the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]]—Provides an overview of the major functions and features of the ACE

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]—Provides procedures to initially configure the ACE to allow the passing of traffic and remote access

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]—Provides procedures to partition the ACE into virtual contexts for more efficient operation

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]]—Provides procedures to configure an access control list in an ACE to secure your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]]—Provides procedures to configure a user with permission to perform limited operations and access a subset of your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]—Provides procedures to configure the ACE to allow basic server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]]—Provides procedures to select a predefined predictor for server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]]—Provides procedures to configure server persistence for requests from a client using stickiness

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]]—Provides procedures to configure SSL security for your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]—Provides procedures to configure server health monitoring using health probes

If you are already familiar with the ACE appliance and would like to quickly set up the device for basic server load balancing, you can follow the configuration procedures in the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]

The remaining sections in this guide allow you to explore additional capabilities of the ACE.

== Related Documentation ==

In addition to this document, the ACE documentation set includes the following documents:

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html Cisco ACE 4710 Appliance Hardware Installation Guide]

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html Release Note for the Cisco 4700 Series Application Control Engine Appliance (Software Version A3(x.x))]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/admgd.html Cisco 4700 Series Application Control Engine Appliance Administration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/app_acc_and_opt/guide/appaccoptgd.html Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/cmdref.html Cisco 4700 Series Application Control Engine Appliance Command Reference]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/rtbrgdgd.html Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd.html Cisco ACE 4700 Series Appliance Security Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/slbgd.html Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd.html Cisco ACE 4700 Series Appliance SSL Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/system/message/guide/sysmsggd.html Cisco ACE 4700 Series Appliance System Message Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/virtgd.html Cisco ACE 4700 Series Appliance Virtualization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/css_to_ace/guide/cssaceug.html Cisco CSS-to-ACE Conversion Tool User Guide]

[[Category:Cisco ACE Appliance Quick Start Guide]]

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0)

2008-10-07T18:19:11Z

Kkroeber:

{| align="center" border="1"
|align="left"|Welcome to '''Cisco DocWiki'''. We encourage [http://tools.cisco.com/RPF/register/register.do registered Cisco.com users] to contribute to this wiki to collaborate on Cisco product documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions or comments about documentation content. 
See [[DocWiki:Terms_of_use|Terms of Use]] and [[DocWiki:About|About DocWiki]] for more information about Cisco DocWiki. 
Click [http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html here] to return to the Cisco ACE 4700 Series appliance documentation on www.cisco.com.
|}

__TOC__

The ''Cisco ACE 4700 Series Application Control Engine Appliance Quick Start Guide'' provides the following information:

* An overview of the major functions and features of the Cisco 4700 Series Application Control Engine (ACE) appliance

* Instructions on how to initially configure the ACE to allow traffic and basic load balancing

* Instructions on how to configure the ACE to provide various scalability and security capabilities

== Audience ==

This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:

* Web master

* System administrator

* System operator

== How To Use This Guide ==

This guide is organized into the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]]—Provides an overview of the major functions and features of the ACE

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]—Provides procedures to initially configure the ACE to allow the passing of traffic and remote access

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]—Provides procedures to partition the ACE into virtual contexts for more efficient operation

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]]—Provides procedures to configure an access control list in an ACE to secure your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]]—Provides procedures to configure a user with permission to perform limited operations and access a subset of your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]—Provides procedures to configure the ACE to allow basic server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]]—Provides procedures to select a predefined predictor for server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]]—Provides procedures to configure server persistence for requests from a client using stickiness

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]]—Provides procedures to configure SSL security for your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]—Provides procedures to configure server health monitoring using health probes

If you are already familiar with the ACE appliance and would like to quickly set up the device for basic server load balancing, you can follow the configuration procedures in the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]

The remaining sections in this guide allow you to explore additional capabilities of the ACE.

== Related Documentation ==

In addition to this document, the ACE documentation set includes the following documents:

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html Cisco ACE 4710 Appliance Hardware Installation Guide]

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html Release Note for the Cisco 4700 Series Application Control Engine Appliance (Software Version A3(x.x))]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/admgd.html Cisco 4700 Series Application Control Engine Appliance Administration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/app_acc_and_opt/guide/appaccoptgd.html Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/cmdref.html Cisco 4700 Series Application Control Engine Appliance Command Reference]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/rtbrgdgd.html Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd.html Cisco ACE 4700 Series Appliance Security Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/slbgd.html Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd.html Cisco ACE 4700 Series Appliance SSL Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/system/message/guide/sysmsggd.html Cisco ACE 4700 Series Appliance System Message Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/virtgd.html Cisco ACE 4700 Series Appliance Virtualization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/css_to_ace/guide/cssaceug.html Cisco CSS-to-ACE Conversion Tool User Guide]

[[Category:Cisco ACE Appliance Quick Start Guide]]

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0)

2008-10-07T18:18:40Z

Kkroeber:

{| align="center" border="1"
|align="left"|Welcome to '''Cisco DocWiki'''. We encourage [http://tools.cisco.com/RPF/register/register.do registered Cisco.com users] to contribute to this wiki to collaborate on Cisco product documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions or comments about documentation content. 
See [[DocWiki:Terms_of_use|Terms of Use]] and [[DocWiki:About|About DocWiki]] for more information about Cisco DocWiki. 
Click [http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html Configuration Guides] to return to the Cisco ACE 4700 Series appliance documentation on www.cisco.com.
|}

__TOC__

The ''Cisco ACE 4700 Series Application Control Engine Appliance Quick Start Guide'' provides the following information:

* An overview of the major functions and features of the Cisco 4700 Series Application Control Engine (ACE) appliance

* Instructions on how to initially configure the ACE to allow traffic and basic load balancing

* Instructions on how to configure the ACE to provide various scalability and security capabilities

== Audience ==

This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:

* Web master

* System administrator

* System operator

== How To Use This Guide ==

This guide is organized into the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]]—Provides an overview of the major functions and features of the ACE

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]—Provides procedures to initially configure the ACE to allow the passing of traffic and remote access

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]—Provides procedures to partition the ACE into virtual contexts for more efficient operation

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]]—Provides procedures to configure an access control list in an ACE to secure your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]]—Provides procedures to configure a user with permission to perform limited operations and access a subset of your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]—Provides procedures to configure the ACE to allow basic server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]]—Provides procedures to select a predefined predictor for server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]]—Provides procedures to configure server persistence for requests from a client using stickiness

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]]—Provides procedures to configure SSL security for your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]—Provides procedures to configure server health monitoring using health probes

If you are already familiar with the ACE appliance and would like to quickly set up the device for basic server load balancing, you can follow the configuration procedures in the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]

The remaining sections in this guide allow you to explore additional capabilities of the ACE.

== Related Documentation ==

In addition to this document, the ACE documentation set includes the following documents:

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html Cisco ACE 4710 Appliance Hardware Installation Guide]

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html Release Note for the Cisco 4700 Series Application Control Engine Appliance (Software Version A3(x.x))]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/admgd.html Cisco 4700 Series Application Control Engine Appliance Administration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/app_acc_and_opt/guide/appaccoptgd.html Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/cmdref.html Cisco 4700 Series Application Control Engine Appliance Command Reference]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/rtbrgdgd.html Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd.html Cisco ACE 4700 Series Appliance Security Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/slbgd.html Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd.html Cisco ACE 4700 Series Appliance SSL Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/system/message/guide/sysmsggd.html Cisco ACE 4700 Series Appliance System Message Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/virtgd.html Cisco ACE 4700 Series Appliance Virtualization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/css_to_ace/guide/cssaceug.html Cisco CSS-to-ACE Conversion Tool User Guide]

[[Category:Cisco ACE Appliance Quick Start Guide]]

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0)

2008-10-07T18:16:53Z

Kkroeber:

{| align="center" border="1"
|align="left"|Welcome to '''Cisco DocWiki'''. We encourage [http://tools.cisco.com/RPF/register/register.do registered Cisco.com users] to contribute to this wiki to collaborate on Cisco product documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions or comments about documentation content. 
See [[DocWiki:Terms_of_use|Terms of Use]] and [[DocWiki:About|About DocWiki]] for more information about Cisco DocWiki. 
Click [[http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html|Configuration Guides]] to return to the Cisco ACE 4700 Series appliance documentation on www.cisco.com.
|}

__TOC__

The ''Cisco ACE 4700 Series Application Control Engine Appliance Quick Start Guide'' provides the following information:

* An overview of the major functions and features of the Cisco 4700 Series Application Control Engine (ACE) appliance

* Instructions on how to initially configure the ACE to allow traffic and basic load balancing

* Instructions on how to configure the ACE to provide various scalability and security capabilities

== Audience ==

This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:

* Web master

* System administrator

* System operator

== How To Use This Guide ==

This guide is organized into the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]]—Provides an overview of the major functions and features of the ACE

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]—Provides procedures to initially configure the ACE to allow the passing of traffic and remote access

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]—Provides procedures to partition the ACE into virtual contexts for more efficient operation

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]]—Provides procedures to configure an access control list in an ACE to secure your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]]—Provides procedures to configure a user with permission to perform limited operations and access a subset of your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]—Provides procedures to configure the ACE to allow basic server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]]—Provides procedures to select a predefined predictor for server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]]—Provides procedures to configure server persistence for requests from a client using stickiness

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]]—Provides procedures to configure SSL security for your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]—Provides procedures to configure server health monitoring using health probes

If you are already familiar with the ACE appliance and would like to quickly set up the device for basic server load balancing, you can follow the configuration procedures in the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]

The remaining sections in this guide allow you to explore additional capabilities of the ACE.

== Related Documentation ==

In addition to this document, the ACE documentation set includes the following documents:

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html Cisco ACE 4710 Appliance Hardware Installation Guide]

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html Release Note for the Cisco 4700 Series Application Control Engine Appliance (Software Version A3(x.x))]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/admgd.html Cisco 4700 Series Application Control Engine Appliance Administration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/app_acc_and_opt/guide/appaccoptgd.html Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/cmdref.html Cisco 4700 Series Application Control Engine Appliance Command Reference]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/rtbrgdgd.html Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd.html Cisco ACE 4700 Series Appliance Security Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/slbgd.html Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd.html Cisco ACE 4700 Series Appliance SSL Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/system/message/guide/sysmsggd.html Cisco ACE 4700 Series Appliance System Message Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/virtgd.html Cisco ACE 4700 Series Appliance Virtualization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/css_to_ace/guide/cssaceug.html Cisco CSS-to-ACE Conversion Tool User Guide]

[[Category:Cisco ACE Appliance Quick Start Guide]]

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0)

2008-10-07T12:49:10Z

Kkroeber: /* Related Documentation */

{| align="center" border="1"
|align="left"|Welcome to '''Cisco DocWiki'''. We encourage [http://tools.cisco.com/RPF/register/register.do registered Cisco.com users] to contribute to this wiki to collaborate on Cisco product documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions or comments about documentation content. 
See [[DocWiki:Terms_of_use|Terms of Use]] and [[DocWiki:About|About DocWiki]] for more information about Cisco DocWiki. 
|}

__TOC__

The ''Cisco ACE 4700 Series Application Control Engine Appliance Quick Start Guide'' provides the following information:

* An overview of the major functions and features of the Cisco 4700 Series Application Control Engine (ACE) appliance

* Instructions on how to initially configure the ACE to allow traffic and basic load balancing

* Instructions on how to configure the ACE to provide various scalability and security capabilities

== Audience ==

This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:

* Web master

* System administrator

* System operator

== How To Use This Guide ==

This guide is organized into the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]]—Provides an overview of the major functions and features of the ACE

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]—Provides procedures to initially configure the ACE to allow the passing of traffic and remote access

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]—Provides procedures to partition the ACE into virtual contexts for more efficient operation

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]]—Provides procedures to configure an access control list in an ACE to secure your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]]—Provides procedures to configure a user with permission to perform limited operations and access a subset of your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]—Provides procedures to configure the ACE to allow basic server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]]—Provides procedures to select a predefined predictor for server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]]—Provides procedures to configure server persistence for requests from a client using stickiness

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]]—Provides procedures to configure SSL security for your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]—Provides procedures to configure server health monitoring using health probes

If you are already familiar with the ACE appliance and would like to quickly set up the device for basic server load balancing, you can follow the configuration procedures in the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]

The remaining sections in this guide allow you to explore additional capabilities of the ACE.

== Related Documentation ==

In addition to this document, the ACE documentation set includes the following documents:

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html Cisco ACE 4710 Appliance Hardware Installation Guide]

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html Release Note for the Cisco 4700 Series Application Control Engine Appliance (Software Version A3(x.x))]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/admgd.html Cisco 4700 Series Application Control Engine Appliance Administration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/app_acc_and_opt/guide/appaccoptgd.html Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/cmdref.html Cisco 4700 Series Application Control Engine Appliance Command Reference]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/rtbrgdgd.html Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd.html Cisco ACE 4700 Series Appliance Security Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/slbgd.html Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd.html Cisco ACE 4700 Series Appliance SSL Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/system/message/guide/sysmsggd.html Cisco ACE 4700 Series Appliance System Message Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/virtgd.html Cisco ACE 4700 Series Appliance Virtualization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/css_to_ace/guide/cssaceug.html Cisco CSS-to-ACE Conversion Tool User Guide]

[[Category:Cisco ACE Appliance Quick Start Guide]]

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0)

2008-10-07T12:48:58Z

Kkroeber: /* Related Documentation */

{| align="center" border="1"
|align="left"|Welcome to '''Cisco DocWiki'''. We encourage [http://tools.cisco.com/RPF/register/register.do registered Cisco.com users] to contribute to this wiki to collaborate on Cisco product documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit an article or select the "discussion" tab to submit questions or comments about documentation content. 
See [[DocWiki:Terms_of_use|Terms of Use]] and [[DocWiki:About|About DocWiki]] for more information about Cisco DocWiki. 
|}

__TOC__

The ''Cisco ACE 4700 Series Application Control Engine Appliance Quick Start Guide'' provides the following information:

* An overview of the major functions and features of the Cisco 4700 Series Application Control Engine (ACE) appliance

* Instructions on how to initially configure the ACE to allow traffic and basic load balancing

* Instructions on how to configure the ACE to provide various scalability and security capabilities

== Audience ==

This guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:

* Web master

* System administrator

* System operator

== How To Use This Guide ==

This guide is organized into the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]]—Provides an overview of the major functions and features of the ACE

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]—Provides procedures to initially configure the ACE to allow the passing of traffic and remote access

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]—Provides procedures to partition the ACE into virtual contexts for more efficient operation

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]]—Provides procedures to configure an access control list in an ACE to secure your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]]—Provides procedures to configure a user with permission to perform limited operations and access a subset of your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]—Provides procedures to configure the ACE to allow basic server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]]—Provides procedures to select a predefined predictor for server load balancing

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]]—Provides procedures to configure server persistence for requests from a client using stickiness

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]]—Provides procedures to configure SSL security for your network

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]—Provides procedures to configure server health monitoring using health probes

If you are already familiar with the ACE appliance and would like to quickly set up the device for basic server load balancing, you can follow the configuration procedures in the following sections:

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]]

* [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]]

The remaining sections in this guide allow you to explore additional capabilities of the ACE.

== Related Documentation ==

In addition to this document, the ACE documentation set includes the following documents:

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html Cisco ACE 4710 Appliance Hardware Installation Guide]

* [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html Release Note for the Cisco 4700 Series Application Control Engine Appliance (Software Version A3(x))]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/admgd.html Cisco 4700 Series Application Control Engine Appliance Administration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/app_acc_and_opt/guide/appaccoptgd.html Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/cmdref.html Cisco 4700 Series Application Control Engine Appliance Command Reference]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/dmguigd.html Cisco ACE 4700 Series Appliance Device Manager GUI Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/rtbrgdgd.html Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd.html Cisco ACE 4700 Series Appliance Security Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/slbgd.html Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd.html Cisco ACE 4700 Series Appliance SSL Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/system/message/guide/sysmsggd.html Cisco ACE 4700 Series Appliance System Message Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/virtgd.html Cisco ACE 4700 Series Appliance Virtualization Configuration Guide]

*[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/css_to_ace/guide/cssaceug.html Cisco CSS-to-ACE Conversion Tool User Guide]

[[Category:Cisco ACE Appliance Quick Start Guide]]

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor

2008-10-06T20:05:44Z

Kkroeber: /* Configuring a Hash Header Predictor Using the Device Manager GUI */

This section describes how to configure a load-balancing predictor on the Cisco 4700 Series Application Control Engine (ACE) appliance.

{| align="right" border="1"
|align="center"|'''Guide Contents'''
|-
|[[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]] ''Configuring a Load-Balancing Predictor (this section)'' [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]
|}
__TOC__

== Overview ==

After reading this section, you should have a basic understanding of how the ACE appliance selects a real server for a client request using a predictor and how to configure a hash header predictor as an example.

When there is a client request for web services, the ACE selects a server that can successfully fulfill the client request in the shortest amount of time without overloading either the individual server or the server farm.

The ACE makes load-balancing choices using a predictor. When you configure a predictor, you define the series of checks and calculations that the ACE will perform to determine which real server can best service a client request.

For each server farm, you can configure one of several predictor types to allow the ACE to select an appropriate server. Two common predictor types include the following:

* Round-robin—Selects a server from the list of real servers based on weighted server capacity. A weight can be assigned to each real server based on its connection capacity in relation to the other servers in a server farm. Servers with higher weight values receive a proportionally higher number of connections than servers with lower weight values. For example, a server with a weight of 5 would receive five connections for every one connection received by a server with a weight of 1. Also known as weighted round-robin, this is the default predictor.

* Hash header—Selects a server using a hash value based on the HTTP header name.

For a complete list of predictor types that the ACE supports and how to configure them, see the
[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/admgd.html Cisco 4700 Series Application Control Engine Appliance Administration Guide].

You can configure a server load-balancing predictor by following these steps:

1. Choose a server farm.

2. Choose a predictor type and its parameters.

3. Deploy the configuration.

This section describes how to configure a hash header predictor for the server farm that was created in [[Configuring Server Load Balancing]] (as illustrated in Figure 6-1). You can use either the ACE Device Manager GUI or the CLI.

== Configuring a Hash Header Predictor Using the Device Manager GUI ==

You can configure a hash header predictor using the ACE Device Manager GUI by following these steps:

1. Choose '''Config > Virtual Contexts'''. Choose context''' VC_web'''.

2. Choose '''Load Balancing > Server Farms'''. The Server Farms pane appears (Figure 1).

:'''''Figure 1 Configuring a Predictor'''''

:[[Image:Configuring a Predictor.jpg]]

3. Choose '''SF_web'''.

4. Choose the '''Predictor''' tab.

5. Choose '''Hash_Header''' for the predictor Type.

6. Choose '''Accept''' for the Header Name.

7. Assign the hash header predictor to server farm SF_web by clicking '''Deploy Now'''.

== Configuring a Hash Header Predictor Using the CLI ==

You can configure a hash header predictor using the CLI by following these steps:

1. Verify that you are operating in the desired context by checking the CLI prompt. If necessary, change to the correct context.

:host1/Admin# '''changeto VC_web'''

:host1/VC_web#

2. Enter configuration mode for SF_web.

:host1/VC_web# config

:host1/VC_web(config)# '''serverfarm SF_web'''

:host1/VC_web(config-sfarm-host)#

3. Configure a hash header predictor.

:host1/VC_web(config-sfarm-host)# '''predictor hash header Accept'''

4. Display the predictor configuration information.

:host1/VC_web(config-sfarm-host)# '''exit'''

:host1/VC_web(config)# '''exit'''

:host1/VC_web# '''show running-config serverfarm'''

In this section, you have configured a hash header predictor for your server load balancing. Next, you will configure server persistence by using the stickiness feature.

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing

2008-10-06T20:05:29Z

Kkroeber: /* Overview */

This section describes how to configure server load balancing on the Cisco 4700 Series Application Control Engine (ACE) appliance.

{| align="right" border="1"
|aling="center"|'''Guide Contents'''
|-
|[[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]] ''Configuring Server Load Balancing (this section)'' [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]
|}
__TOC__

== Overview ==

After reading this section, you should have an understanding of the basic server load-balancing capabilities provided by the ACE appliance. You should also be able to configure a virtual server for Layer 7 load-balancing purposes.

When there is a client request for web services, a load-balancing device decides to which server it should send the request. For example, a client request may consist of an HTTP GET for a web page or an FTP GET to download a file. The ACE, as a server load balancer, selects a server that can successfully fulfill the client request in the shortest amount of time without overloading either the server or the server farm as a whole.

The ACE uses a virtual server to intercept web traffic to a website. A virtual server allows multiple real servers to appear as one for load-balancing purposes. A virtual server, also called a Virtual IP (VIP), is defined by its IP address, the protocol used (for example, UDP or TEC), and the port address.

Multiple servers grouped together in server farms are assigned to each virtual server and the ACE appliance carries out load balancing across them. Real servers are dedicated servers that provide services to clients—for example, delivery of HTTP or XML content. Server farms contain the same content and typically reside in the same physical location in a data center.

You can configure the ACE for server load balancing by following these steps:

1. Create a virtual server.

2. Configure the real servers and associate them with a server farm.

3. Assign the server farm to the virtual server.

4. Deploy the configuration.

This section describes how to configure a virtual server using either the Device Manager GUI or the CLI, using the network setup example illustrated in Figure 1.

'''''Figure 1 Example Server Load-Balancing Setup'''''

[[Image:Example Server Load-Balancing Setup.jpg]]

The configuration of the example setup is as follows:

* A virtual server VS_web is created with a virtual IP address 10.10.40.10 to forward the client traffic from VLAN 400 to the application servers in VLAN 500.

* There are four real servers grouped into the server farm SF_web.

* The virtual server uses a round-robin predictor to forward the client requests to one of the real servers in the server farm.

== Configuring Layer 7 Server Load Balancing Using the Device Manager GUI ==

You can configure Layer 7 server load balancing using the Device Manager GUI by following these steps:

1. Choose '''Load Balancing > Virtual Servers'''. The Virtual Servers pane appears (Figure 2). Choose the user context '''VC_web'''.

:'''''Figure 2 Virtual Servers Pane'''''

:[[Image:Virtual Servers Pane.jpg]]

2. Click '''Add''' to add a new virtual server. The Virtual Server configuration window appears (Figure 3).

:'''''Figure 3 Properties in the Virtual Server Configuration Window'''''

:[[Image:Properties in the Virtual Server Configuration Window.jpg]]

:By default, the Basic View configuration option is selected and the Properties section is open.

3. In Properties, enter the following virtual server attributes. Leave the remaining attributes blank or with their default values.

:* VIP Name: VS_web

:* VIP IP: 10.10.40.10

:'''Note '''A client request targeted at a website (a URL) is translated to an IP address according to the Domain Name System (DNS). A virtual IP address assigned to a virtual server is the IP address that corresponds to the URL of the website from which the client requests services.

:* Protocol: TCP

:* Application Protocol: HTTP

:* Port: 80

:* VLAN: 400

4. In the Default L7 Load-Balancing Action section, choose '''loadbalance''' from the Primary Action drop-down list.

5. Choose '''*New*''' from the Server Farm drop-down list to configure a new server farm.

6. Enter the following server farm attributes. Leave the remaining attributes blank or with their default values.

:* Name: SF_web

:* Type: host

:* Predictor: roundrobin

7. Click '''Add '''to add a new entry to the Real Servers pane. A new entry appears in the Real Servers pane (Figure 4).

:'''''Figure 4 Real Servers Pane in the Virtual Server Configuration Window'''''

:[[Image:Real Servers Pane in the Virtual Server Configuration Window.jpg]]

8. Enter the following attributes for the first real server to be configured. Leave the remaining attributes blank or with their default values.

:* Name: RS_web1

:* IP Address: 10.10.50.10

:* Port: 80

:* Weight: 8

:* State: In Service

:Click '''OK '''to save the attributes of the first real server.

:'''Note '''For information on how to configure a health probe, see the [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]] section.

9. Add three more entries to the Real Servers pane by repeating Steps 7 and 8 with the following real server names and corresponding IP addresses. Leave the remaining attributes with their default values.

:For RS_web2, enter:

:* Name: RS_web2

:* IP Address: 10.10.50.11

:* Port: 80

:For RS_web3, enter:

:* Name: RS_web3

:* IP Address: 10.10.50.12

:* Port: 80

:For RS_web4, enter:

:* Name: RS_web4

:* IP Address: 10.10.50.13

:* Port: 80

10. Click '''Deploy Now '''at the bottom of the window to save your settings for the virtual server. The Virtual Servers pane reappears (Figure 5). The newly configured virtual server appears in the pane and is in the Inservice state, which means that the virtual server is in use as a destination for server load balancing.

:'''''Figure 5 Virtual Servers Pane with a Virtual Server Created'''''

:[[Image:Virtual Servers Pane with a Virtual Server Created.jpg]]

== Configuring Layer 7 Server Load Balancing Using the CLI ==

You can configure Layer 7 server load balancing using the command-line interface (CLI). This section contains the following subsections:

* [[#Configuring Real Servers|Configuring Real Servers]]
* [[#Creating a Server Farm|Creating a Server Farm]]
* [[#Creating a Virtual Server Traffic Policy|Creating a Virtual Server Traffic Policy]]

=== Configuring Real Servers ===

Configure real servers on the ACE using the CLI by following these steps:

1. Verify that you are operating in the desired context by checking the CLI prompt. If necessary, change to the correct context.

:host1/Admin# '''changeto VC_web'''

:host1/VC_web#

2. Enter configuration mode.

:host1/VC_web# '''config'''

3. Create a real server named RS_web1 as type host (the default).

:host1/VC_web(config)# '''rserver RS_web1'''

:host1/VC_web(config-rserver-host)#

4. Enter a description of the real server.

:host1/VC_web(config-rserver-host)# '''description content server web-one'''

5. Assign the real server with an IP address of 10.10.50.10.

:host1/VC_web(config-rserver-host)# '''ip address 10.10.50.10'''

6. Place the real server in service and exit configuration mode.

:host1/VC_web(config-rserver-host)# '''inservice'''

:host1/VC_web(config-rserver-host)# '''exit'''

:host1/VC_web(config)#

7. Add three more real servers by repeating Steps 3 through 6, using the following real server names, descriptions, and IP addresses.

:For RS_web2, enter:

:* Name: RS_web2

:* Description: content server web-two

:* IP Address: 10.10.50.11

:For RS_web3, enter:

:* Name: RS_web3

:* Description: content server web-three

:* IP Address: 10.10.50.12

:For RS_web4, enter:

:* Name: RS_web4

:* Description: content server web-four

:* IP Address: 10.10.50.13

8. Display the configuration of the real servers.

:host1/VC_web(config)# '''do show running-config rserver'''

=== Creating a Server Farm ===

After you create and configure the real servers, you can create a server farm and associate the real servers with it. Create a server farm by following these steps:

1. Create a server farm of type host (the default) named SF_web.

:host1/VC_web(config)# '''serverfarm SF_web'''

:host1/VC_web(config-sfarm-host)#

2. Associate real server RS_web1 to the server farm through port 80.

:host1/VC_web(config-sfarm-host)# '''rserver RS_web1 80'''

:host1/VC_web(config-sfarm-host-rs)#

3. Place the real server in service within the server farm and exit configuration mode.

:host1/VC_web(config-sfarm-host-rs)# '''inservice'''

:host1/VC_web(config-sfarm-host-rs)# '''exit'''

:host1/VC_web(config-sfarm-host)#

:'''Note '''Before you can start sending connections to a real server in a server farm, you must place it in service. Otherwise, the ACE considers it out of service and the server farm cannot receive or respond to client requests.

4. Similarly, associate the RS_web2, RS_web3, and RS_web4 real servers with the SF_web server farm.

:host1/VC_web(config-sfarm-host)# '''rserver RS_web2 80'''

:host1/VC_web(config-sfarm-host-rs)# '''inservice'''

:host1/VC_web(config-sfarm-host-rs)# '''exit'''

:host1/VC_web(config-sfarm-host)# '''rserver RS_web3 80'''

:host1/VC_web(config-sfarm-host-rs)# '''inservice'''

:host1/VC_web(config-sfarm-host-rs)# '''exit'''

:host1/VC_web(config-sfarm-host)# '''rserver RS_web4 80'''

:host1/VC_web(config-sfarm-host-rs)# '''inservice'''

:host1/VC_web(config-sfarm-host-rs)# '''exit'''

5. Exit server farm configuration mode.

:host1/VC_web(config-sfarm-host)# '''exit'''

:host1/VC_web(config)#

6. Display the information for the real servers and verify that the real servers appear as operational (even though network connectivity has not been established).

:host1/VC_web(config)# '''do show rserver RS_web1'''

:host1/VC_web(config)# '''do show rserver RS_web2'''

:host1/VC_web(config)# '''do show rserver RS_web3'''

:host1/VC_web(config)# '''do show rserver RS_web4'''

7. Display how the ACE populates the ARP table with the real servers.

:host1/VC_web(config)# '''do show arp'''

=== Creating a Virtual Server Traffic Policy ===

You can create a virtual server traffic policy on the ACE by following these steps:

1. Create a Layer 7 server load-balancing policy map named PM_LB to match the class maps in the order in which they occur for load balancing.

:host1/VC_web(config)# '''policy-map type loadbalance first-match PM_LB'''

:host1/VC_web(config-pmap-lb)#

:'''Note '''The ACE uses a class map to specify a series of flow match criteria (traffic classifications). The ACE uses a policy map to define a series of actions (functions) that you want applied to a set of classified inbound traffic.

2. For a simple load-balancing policy, assign the ACE default class map which contains an implicit match any statement to match any traffic classification.

:host1/VC_web(config-pmap-lb)# '''class class-default'''

:host1/VC_web(config-pmap-lb-c)#

3. Add the server farm SF_web to the Layer 7 server load-balancing policy map and exit configuration mode.

:host1/VC_web(config-pmap-lb-c)# '''serverfarm SF_web'''

:host1/VC_web(config-pmap-c)# '''exit'''

:host1/VC_web(config-pmap)# '''exit'''

:host1/VC_web(config)#

4. Create a Layer 3 and Layer 4 load-balancing class map VS_web.

:host1/VC_web(config)# '''class-map VS_web'''

:host1/VC_web(config-cmap)#

5. Define a match statement for the IP address 10.10.40.10 for any IP protocol and exit configuration mode.

:host1/VC_web(config-cmap)# '''match virtual-address 10.10.40.10 255.255.255.0 tcp eq 80'''

:host1/VC_web(config-cmap)# '''exit'''

:host1/VC_web(config)#

6. Create a Layer 3 and Layer 4 multi-match policy map to direct classified incoming requests to the load-balancing policy map.

:host1/VC_web(config)# '''policy-map multi-match PM_multi_match'''

:host1/VC_web(config-pmap)#

7. Associate the Layer 3 and Layer 4 class map VS_web with the policy map.

:host1/VC_web(config-pmap)# '''class VS_web'''

:host1/VC_web(config-pmap-c)#

8. Associate the Layer 7 load-balancing policy map PM_LB with the Layer 3 and Layer 4 policy map.

:host1/VC_web(config-pmap-c)# '''loadbalance policy PM_LB'''

:host1/VC_web(config-pmap-lb-c)#

9. Enable a VIP for load-balancing operations and exit configuration mode.

:host1/VC_web(config-pmap-lb-c)# '''loadbalance vip inservice'''

:host1/VC_web(config-pmap-c)# '''exit'''

:host1/VC_web(config-pmap)# '''exit'''

:host1/VC_web(config)#

10. Access the interface to which you want to apply the multi-match policy map.

:host1/VC_web(config)# '''interface vlan 400'''

:host1/VC_web(config-if)#

11. Apply the multi-match policy map PM_multi_match.

:host1/VC_web(config-if)# '''service-policy input PM_multi_match'''

:host1/VC_web(config-if)# '''exit'''

:host1/VC_web(config)#

12. Save the running configuration to the startup configuration.

:host1/VC_web(config)# '''do copy running-config startup-config'''
13. Display the service policy state for the PM_multi_match policy map.

:host1/VC_web(config)# '''do show service-policy PM_multi_match'''

In this section, you have configured a virtual server for load-balancing HTTP traffic. In the next section, you will configure a load-balancing predictor to forward client requests to the appropriate real servers.

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control

2008-10-06T20:05:10Z

Kkroeber: /* Configuring RBAC Using the Device Manager GUI */

This section describes how to configure role-based access control (RBAC) on the Cisco 4700 Series Application Control Engine (ACE) appliance.

{| align="right" border="1"
|aling="center"|'''Guide Contents'''
|-
|[[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]] ''Configuring Role-Based Access Control (this section)'' [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]
|}
__TOC__

== Overview ==

After reading this section, you should have a basic understanding of how the ACE appliance provides security administration by using RBAC and how to configure a server maintenance user with permission to access a subset of your network.

One of the most challenging problems in managing large networks is the complexity of security administration. The ACE appliance allows you to determine the commands and resources available to each user through RBAC. In RBAC, users are associated with domains and roles.

A domain is a collection of physical and virtual network resources such as real servers and virtual servers.

User roles determine a user's privileges, such as the commands that the user can enter and the actions the user can perform in a particular context. The ACE provides a number of predefined roles. In addition, administrators in any context can define new roles.

The ACE provides the following predefined roles, which you cannot delete or modify:

* Admin—If created in the Admin context, has complete access to, and control over, all contexts, domains, roles, users, resources, and objects in the entire ACE. If created in a user context, gives a user complete access to and control over all policies, roles, domains, server farms, real servers, and other objects in that context.

* Network Admin—Has complete access to and control over the following features:

:- Interfaces

:- Routing

:- Connection parameters

:- Network Address Translation (NAT)

:- VIPs

:- Copy configurations

:- changeto''' command

* Network-Monitor—Has access to all '''show''' commands and to the '''changeto''' command. If you do not explicitly assign a role to a user with the '''username''' command, this is the default role.

* Security-Admin—Has complete access to and control over the following security-related features within a context:

:- ACLs

:- Application inspection

:- Connection parameters

:- Interfaces

:- Authentication, authorization, and accounting (AAA)

:- NAT

:- Copy configurations

:- '''changeto''' command

* Server-Appln-Maintenance—Has complete access to and control over the following features:

:- Real servers

:- Server farms

:- Load balancing

:- Copy configurations

:- '''changeto''' command

* Server-Maintenance—Can perform real server maintenance, monitoring, and debugging for the following features:

:- Real servers—Modify permission

:- Server farms—Debug permission

:- VIPs—Debug permission

:- Probes—Debug permission

:- Load balancing—Debug permission

:- '''changeto''' command—Create permission

* SLB-Admin—Has complete access to and control over the following ACE features within a context:

:- Real servers

:- Server farms

:- VIPs

:- Probes

:- Load balancing (Layer 3/4 and Layer 7)

:- NAT

:- Interfaces

:- Copy configurations

:- '''changeto''' command

* SSL-Admin—Can administer all SSL features:

:- SSL—Create permission

:- PKI—Create permission

:- Interfaces—Modify permission

:- Copy configurations—Create permission

:- '''changeto''' command—Create permission

You can create a user and assign them privileges through RBAC as follows:

1. Create a domain and choose network resources for the domain.

2. Create a user and associate the user with the following:

:* A role (predefined or custom)

:* A domain

This section describes how to create a domain and a user, and how to associate the user with a predefined role and the new domain. For more information on predefined roles and how to define a custom role, see 
[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/virtgd.html Cisco ACE 4700 Series Appliance Virtualization Configuration Guide].

To create a domain and a user, you can use either the ACE Device Manager GUI or the CLI.

== Configuring RBAC Using the Device Manager GUI ==

In this procedure, you use the GUI to create a domain that includes the user context that you created in [[Creating a Virtual Context]] and then create a server maintenance user, user1, to manage those servers. Configure this RBAC setup using the GUI by following these steps:

1. Choose '''VC_web'''.

2. Choose '''Admin > Role-Based Access Control > Domains'''. The Domains pane appears (Figure 1).

:'''''Figure 1 Domains Pane'''''

:[[Image:Domains Pane.jpg]]

3. Click '''Add''' to add a new domain. The New Domain window appears (Figure 2).

:'''''Figure 2 Domains Window'''''

:[[Image:Domains Window.jpg]]

4. Enter '''Domain1''' for the Domain Name.

5. Select '''All Objects'''.

6. Click '''Deploy Now''' to create a domain that includes all objects in context VC_web.

7. Choose '''Role-Based Access Control > Users''' to create a user. The Users pane appears (Figure 3).

:'''''Figure 3 Users Pane'''''

:[[Image:Domains Pane.jpg]]

8. Click '''Add'''. The User window appears (Figure 4).

:'''''Figure 4 Users Window'''''

:[[Image:Users Window.jpg]]

9. Enter the following user attributes. Leave the remaining attributes blank or with the default values.

:* User Name: user1

:* Password: MYPASSWORD

:* Confirm: MYPASSWORD

:* Role: Server-Maintenance

10. Choose '''Domain1''' and click the '''right-arrow''' button. Domain1 is moved to the Selected Items list.

11. Choose '''default-domain''' and click the '''left-arrow''' button. Default-domain is removed from the Selected Items list.

12. Associate the new user user1 with the role Server-Maintenance and the domain Domain1 by clicking '''Deploy Now'''. The new user is added to the Users pane (Figure 5).

:'''''Figure 5 Users Pane with user1 Added'''''

:[[Image:Users Pane with user1 Added.jpg]]

== Configuring RBAC Using the CLI ==

Configure RBAC using the CLI by following these steps:

1. Verify that you are operating in the desired context by checking the CLI prompt. If necessary, change to the correct context.

:host1/Admin# '''changeto VC_web'''

:host1/VC_web#

2. Enter configuration mode.

:host1/VC_web# '''Config'''

:host1/VC_web(config)#

3. Create a domain for the context.

:host1/VC_web(config)# '''domain Domain1'''

:host1/VC_web(config-domain)#

4. Allocate all objects in the VC_web context to the domain.

:host1/VC_web(config-domain)# '''add-object all'''

:host1/VC_web(config-domain)# '''exit'''

:host1/VC_web(config)#

5. Configure new user user1, and assign the predefined role TECHNICIAN and the domain Domain1 to the user.

:host1/VC_web(config)# '''username user1 password 5 MYPASSWORD role TECHNICIAN domain Domain1'''

:'''Note '''The parameter 5 for password is for an MD5-hashed strong encryption password. Use 0 for a clear text password.

:host1/VC_web(config)# '''exit'''

6. Display the user and domain configurations.

:host1/VC_web# '''show running-config role'''

:host1/VC_web# '''show running-config domain'''

In this section, you have created a user to perform a limited number of functions on a subset of your network. Next, you will create a virtual server for server load balancing.

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists

2008-10-06T20:04:33Z

Kkroeber: /* Configuring an ACL Using the Device Manager GUI */

This section describes how to configure access control lists (ACLs) for the Cisco 4700 Series Application Control Engine (ACE) appliance.

{| align="right" border="1"
|aling="center"|'''Guide Contents'''
|-
|[[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance|Setting Up an ACE Appliance]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]] ''Configuring Access Control Lists (this section)'' [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]
|}
__TOC__

== Overview ==

After reading this section, you should have a basic understanding of how to configure an access control list in an ACE to secure your network.

You can use ACLs with the ACE appliance to permit or deny traffic to or from a specific IP address or an entire network. For example, you can permit all e mail traffic on a circuit, but block Telnet traffic. You can also use ACLs to allow one client to access a part of the network while preventing other clients from doing so.

You must configure an ACL on each interface that you want to permit connections. Otherwise, the ACE will deny all traffic on the interface. An ACL consists of a series of ACL entries, which are permit-or-deny entries with criteria for the source IP address, destination IP address, protocol, port, or protocol-specific parameters. Each entry permits or denies inbound or outbound network traffic to the parts of your network specified in the entry.

The order of the ACL entries is important. When the ACE decides whether to accept or refuse a connection, it tests the packet against each ACL entry in the order in which the entries are listed. After it finds a match, it stops checking entries.

For example, if you create an entry at the beginning of an ACL that explicitly permits all traffic, the ACE skips any other entries in the ACL. An implicit deny all entry exists at the end of every ACL, so you must include entries for every interface on which you want to permit connections. Otherwise, the ACE appliance will deny all traffic on the interface.

Certain applications require special handling of the data portion of a packet as the packets pass through the ACE. The ACE verifies the protocol behavior and identifies unwanted or malicious traffic that attempts to pass through. Based on the specifications of the traffic policy, the ACE performs application protocol inspection to accept or reject the packet to ensure the secure use of applications and services.

For more information on how to configure an ACL to permit or deny specific traffic or resources, see the [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd.html Cisco ACE 4700 Series Appliance Security Configuration Guide].

The basic steps in configuring an ACL include:

* Creating an ACL

* Adding at least one ACL entry to the ACL

* Associating the ACL with an interface

To configure an ACL, you can use either the ACE Device Manager user interface (GUI) or the CLI.

== Configuring an ACL Using the Device Manager GUI ==

Configure an ACL using the ACE Device Manager GUI by following these steps:

1. Choose '''VC_web'''.

2. Choose '''Config > Virtual Contexts > Security > ACLs'''. The ACLs pane appears, listing the existing ACLs (Figure 1).

:'''''Figure 1 ACLs Pane'''''

:[[Image:ACLs Pane.jpg]]

3. Click '''Add '''to create an ACL. The ACL configuration window appears (Figure 2).

:'''''Figure 2 ACL Configuration Window'''''

:[[Image:ACL Configuration Window.jpg]]

4. Enter the following ACL properties. Leave the remaining properties blank or with the default values.

:* Name: ACL_permit_all

:* Type: Extended

::– Extended—Control network access for IP traffic

::– EtherType—Control network access for non-IP traffic

5. Click '''Deploy Now'''. The Extended pane appears.

6. Click '''Add '''to create an ACL entry. The ACL entry configuration window appears (Figure 3).

:'''''Figure 3 ACL Entry Configuration Window'''''

:[[Image:ACL Entry Configuration Window.jpg]]

7. Create an ACL entry with the following attributes. Leave the remaining attributes blank or with the default values.

:* Line No.: 1

:'''Note '''For easier insertion of additional ACL entries later, you can enter non-sequential line numbers such as 10, 20, and so on.

:* Permit: (Checked)

:* Protocol: IP (Any)

:* Any Source: (Checked)

:* Any Destination: (Checked)

8. Click '''Deploy Now''' to save the ACL entry on the virtual context. The ACL entry is added to the Extended @ ACL_permit_all pane (Figure 4).

:'''''Figure 4 ACL Entry is Added'''''

:[[Image:ACL Entry is Added.jpg]]

9. Choose '''Network > VLAN Interfaces'''. The VLAN Interfaces pane appears.

10. Choose the '''Access Group''' tab.

11. Click '''Add''' above the pane (Figure 5).

:'''''Figure 5 Adding an ACL to an Interface'''''

:[[Image:Adding an ACL to an Interface.jpg]]

'''Step 12 '''Click '''Deploy Now''' to accept the defaults and add an ACL to the interface. The ACL is added in the Access Group pane (Figure 6).

:'''''Figure 6 ACL is Added to an Interface'''''

:[[Image:ACL is Added to an Interface.jpg]]

== Configuring an ACL Using the CLI ==

You can configure an ACL using the command-line interface (CLI) by following these steps:

1. Check the CLI prompt to verify that you are operating in the desired context; change to the correct context if necessary.

:host1/Admin# '''changeto VC_web'''

:host1/VC_web#

2. Enter configuration mode.

:host1/VC_web# '''Config'''

:host1/VC_web(config)#

3. Create an ACL.

:host1/VC_web(config)# '''access-list INBOUND extended permit ip any any'''

4. Apply the ACL to an interface.

:host1/VC_web(config)# ‘’’interface vlan 400’’’

:host1/VC_web(config-if)# '''access-group input INBOUND'''

:host1/VC_web(config-if)# '''exit'''

5. Display the ACL configuration information.

:host1/VC_web(config)# '''exit'''

:host1/VC_web# '''show running-config access-list'''

In this section, you have created an ACL entry to permit all traffic to the network. Next, you will create a user who is allowed to perform a subset of the ACE management functions on part of your network resources.

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context

2008-10-06T20:04:13Z

Kkroeber: /* Creating a Resource Class */

Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance

2008-10-06T20:03:31Z

Kkroeber: /* Overview */

This section describes how to set up a Cisco 4700 Series Application Control Engine (ACE) appliance.

{| align="right" border="1"
|aling="center"|'''Guide Contents'''
|-
|[[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Overview|Overview]] ''Setting Up the ACE Appliance (this section)'' [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Creating a Virtual Context|Creating a Virtual Context]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Access Control Lists|Configuring Access Control Lists]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Role-Based Access Control|Configuring Role-Based Access Control]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Load Balancing|Configuring Server Load Balancing]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring a Load-Balancing Predictor|Configuring a Load-Balancing Predictor]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Server Persistence Using Stickiness|Configuring Server Persistence Using Stickiness]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring SSL Security|Configuring SSL Security]] [[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Configuring Health Monitoring Using Health Probes|Configuring Health Monitoring Using Health Probes]]
|}
__TOC__

== Overview ==

After reading this section, you should have a basic understanding of how to configure a ACE appliance with the networking parameters necessary for communicating with a management device to configure server load balancing.

After some initial setup using the CLI, you can complete the procedures in this section using the Device Manager GUI.

Before performing the procedures in this section, make sure that you complete the ACE installation instructions as described in the
[http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html ''Cisco ACE 4710 Appliance Hardware Installation Guide''].

Configuring an ACE involves the following basic steps:

1. Establishing a console connection on the ACE.

2. Enable management connectivity to the ACE through a Gigabit Ethernet port.

3. Log in to the ACE.

4. Configure a second Gigabit Ethernet port for client-side connectivity.

5. Configure a third Gigabit Ethernet port for server-side connectivity.

This section describes how to set up an ACE appliance using the example network setup illustrated in Figure 1.

'''''Figure 1 Example Network Setup'''''

[[Image:Example Network Setup.jpg]]

The configuration of the example setup is as follows:

* VLAN 1000 is assigned to the first Gigabit Ethernet port and is used for management traffic for both the Admin context and a user context.

:'''Note '''A virtual local area network (VLAN) is a logical division of a computer network within which information can be transmitted for all devices to receive. VLANs enable you to segment a switched network so that devices in one VLAN do not receive information packets from devices in another VLAN.

* VLAN 400 is assigned to the second Gigabit Ethernet port and is used for client-side traffic.

* VLAN 500 is assigned to the third Gigabit Ethernet port and is used for server-side traffic.

* None of the three Gigabit Ethernet ports used are trunked.

* A management VLAN interface is configured for the Admin context with VLAN 1000 and IP address 172.25.91.110.

* A management VLAN interface is configured for the user context VC_web with VLAN 1000 and IP address 172.25.91.111.

* A client-side VLAN interface is configured for the user context VC_web with VLAN 400 and IP address 10.10.40.10.

* A server-side VLAN interface is configured for the user context VC_web with VLAN 500 and IP address 10.10.50.1.

* Four web servers are available to the ACE for load-balancing client requests.

== Establishing a Console Connection on the ACE ==

The ACE has one standard RS-232 serial port on its rear panel that operates as the console port. You can establish a direct serial connection between the ACE and your terminal (or a PC with terminal software) by making a serial connection to this console port. The integrated serial port accepts a 9-pin female D shell connector. Use a straight-through cable to connect the ACE to the terminal or a PC. See the [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html ''Cisco ACE 4710 Appliance Hardware Installation Guide''] for more instructions on connecting a console cable to your ACE appliance.

The ACE appliance has four physical Ethernet interface ports. All VLANs are assigned to these ports. The four Ethernet ports provide the physical connection between the ACE and the servers, PCs, routers, and other devices. You can configure the Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. After the VLANs are assigned, you can configure the corresponding VLAN interfaces so that the ACE can provide different networking functions for different VLANs.

'''Note '''Only the Admin context is directly accessible through the console port; all other contexts can be accessed through Telnet or SSH sessions on the Ethernet ports.

After making the console connection, you can use any terminal communications application to access the ACE CLI.

'''Note '''If the appliance is not on, press the power button on the front of the ACE to start the boot process (see the [http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/4710/hardware/installation/guide/4710_hig.html ''Cisco ACE 4710 Appliance Hardware Installation Guide''] for details).

Access the ACE CLI using HyperTerminal for Windows by following these steps:

1. Launch HyperTerminal.

:The Connection Description window appears (Figure 2).

:'''''Figure 2 HyperTerminal—Connection Description'''''

:[[Image:HyperTerminal—Connection Description.jpg]]

2. Enter a name for your connection in the Name field.

3. Click '''OK'''. The Connect To window appears (Figure 3).

:'''''Figure 3 HyperTerminal—Connect To'''''

:[[Image:HyperTerminal—Connect To.jpg]]

4. From the Connect using drop-down list, choose the COM port to which the device is connected.

5. Click '''OK'''. The Port Properties window appears (Figure 4).

:'''''Figure 4 HyperTerminal—Port Properties'''''

:[[Image:HyperTerminal—Port Properties.jpg]]

6. Set the port properties:

:* Bits per second = 9600

:* Data bits = 8

:* Parity = none

:* Stop bits = 1

:* Flow control = None

7. Click '''OK''' to connect.

== Enabling Management Connectivity Using the Setup Script ==

When you boot the ACE for the first time and the ACE does not detect a startup configuration file, a setup script guides you through the process of configuring a management VLAN on the ACE through one of its Gigabit Ethernet ports to enable connectivity to the Device Manager GUI.

After running the setup script, the management VLAN is allocated to the specified Gigabit Ethernet port and the VLAN interface is configured on the ACE, as illustrated in Figure 5.

'''''Figure 5 Configuration After the Setup Script is Executed'''''

[[Image:Configuration After the Setup Script is Executed.jpg]]

Configure the ACE using the setup script by following these steps:

1. At the login prompt, log into the ACE by entering the login username admin and password. By default, the username and password are admin. For example, enter:

:Starting sysmgr processes.. Please wait...Done!!!

:switch login: '''admin'''

:Password: '''admin'''

2. At the Enter the new password for “admin”: prompt, change the default Admin password. If you do not change the default Admin password, after you upgrade the ACE software you will only be able to log in to the ACE through the console port.

:Enter the new password for “admin”: '''xxxxx'''

:Confirm the new password for “admin”: '''xxxxx'''

:admin user password successfully changed.

3. At the Enter the new password for “www”: prompt, change the default www user password. If you do change the default www user password, the www user will be disabled and you will not be able to use Extensible Markup Language (XML) to remotely configure an ACE until you change the default www user password.

:Enter the new password for “www”: '''xxxxx'''

:Confirm the new password for “www”: '''xxxxx'''

:www user password successfully changed.

:This script will perform the configuration necessary for a user to manage the ACE Appliance using the ACE Device Manager. The management port is a designated Ethernet port which has access to the same network as your management tools including the ACE Device Manager. You will be prompted for the Port Number, IP Address, Netmask and Default Route (optional).

:Enter ‘ctrl-c’ at any time to quit the script

:'''Caution '''At this point, you should consider whether you plan to configure the ACE using the Device Manager GUI or using the CLI. If you have a trunking network setup, or if your VLAN 1000 has been used, you should bypass the following setup script and use the CLI as described in [[#Setting Up an ACE Appliance Using the CLI|Setting Up an ACE Appliance Using the CLI]].

4. At the “Would you like to enter the basic configuration dialog? (yes/no)” prompt, press '''Enter''' to continue the setup. To bypass setup and directly access the CLI, type '''no'''.

:Would you like to enter the basic configuration dialog? (yes/no) [y]:

:'''Note '''The ACE provides a default response in brackets [ ] for each question in the setup script. Accept the default response to a configuration prompt by pressing '''Enter'''.

5. Select port 1 to carry management VLAN communication by pressing '''Enter'''.

:Enter the Ethernet port number to be used as the management port (1-4):? [1]:

6. Assign an IP address for the management VLAN interface by entering '''172.25.91.110'''.

:Enter the management port IP Address (n.n.n.n): [192.168.1.10]: '''172.25.91.110'''

7. Accept the default subnet mask for the management VLAN interface by pressing '''Enter'''.

:Enter the management port Netmask(n.n.n.n): [255.255.255.0]:

8. Assign the IP address of the gateway router (the next-hop address for this route) by entering '''172.25.91.1'''.

:Enter the default route next hop IP Address (n.n.n.n) or <enter> to skip this step: '''172.25.91.1'''

9. Examine the entered values.

:Summary of entered values:

:Management Port: 1

:Ip address 172.25.91.110

:Netmask: 255.255.255.0

:Default Route: 172.25.91.1

10. Review the configuration details by pressing '''d'''.

:Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:

:interface gigabitEthernet 1/3

: switchport access vlan 1000

: no shut

:access-list ALL extended permit ip any any

:class-map type management

:match-any remote_access

: match protocol xml-https any

: match protocol dm-telnet any

: match protocol icmp any

: match protocol telnet any

: match protocol ssh any

: match protocol http any

: match protocol https any

: match protocol snmp any

:policy-map type management first-match remote_mgmt_allow_policy

: class remote_access

: permit

:interface vlan 1000

: ip address 172.25.91.110 255.255.255.0

: access-group input ALL

: service-policy input remote_mgmt_allow_policy

: no shutdown

:ssh key rsa

:ip route 0.0.0.0 0.0.0.0 172.25.91.1

11. Accept this configuration by pressing '''Enter'''; otherwise, press '''n'''.

:Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:

12. After you select '''y''', the following message appears.

:Configuration successfully applied. You can now manage this ACE Appliance by entering the url 'https://172.25.91.110' into a web browser to access the Device Manager GUI.

After you have completed the setup script, the command prompt appears.

:switch/Admin#

After you specify a Gigabit Ethernet port, port mode, and management VLAN, the setup script automatically applies the following default configuration:

* A Management VLAN is allocated to the specified Ethernet port.

* An extended IP access list that allows IP traffic originating from any other host addresses.

* A traffic classification is created for management protocols HTTP, HTTPS, ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated to connectivity with the Device Manager GUI.

* A VLAN interface is configured on the ACE.

== Assigning a Name to the ACE ==

The hostname is used for the command-line prompts and default configuration filenames. When you establish sessions to multiple devices, the hostname helps you keep track of which ACE you are entering commands to. By default, the hostname for the ACE is switch.

For example, change the hostname of the ACE from switch to host1 by entering:

:switch/Admin# '''Config'''

:switch/Admin(config)# '''hostname''' '''host1'''

The prompt appears with the new hostname.

:host1/Admin(config)#

== Setting Up an ACE Appliance Using the Device Manager GUI ==

You can set up an ACE appliance using the Device Manager GUI or the CLI. This section describes how to set up an ACE using the GUI, and includes the following sections:

* [[#Logging in to the ACE|Logging in to the ACE]]

* [[#Configuring a Second Gigabit Ethernet Interface Port|Configuring a Second Gigabit Ethernet Interface Port]]

* [[#Configuring a Third Gigabit Ethernet Interface Port|Configuring a Third Gigabit Ethernet Interface Port]]

=== Logging in to the ACE ===

You can access the ACE Device Manager GUI through a web-based interface. Log in to the Device Manager by following these steps:

1. Navigate to the ACE Device Manager by entering the secure HTTPS address or hostname of the ACE in the address field of a web browser. For the example setup shown earlier in Figure 1, enter:

:'''https://172.25.91.110/'''

2. Click '''Yes '''at the prompt to accept (trust) and install the signed certificate from Cisco Systems, Inc. To avoid having to approve the signed certificate every time you log in to the Device Manager, accept the certificate.

:The Device Manager GUI Login window appears (Figure 6).

:'''Note '''Because this product is regularly updated, you may notice minor variations between the figures in this manual and the windows that appear in the software version you are running.

:'''''Figure 6 Device Manager GUI Login Window'''''

:[[Image:Device Manager GUI Login Window.jpg]]

3. In the User Name field, type '''admin '''for the admin user account.

4. In the Password field, type the new password that you entered in Step 2 in [[#Enabling Management Connectivity Using the Setup Script|Enabling Management Connectivity Using the Setup Script]].

5. Click '''Login'''. The default window that appears is the Virtual Contexts window with the Admin context listed, as shown in Figure 7.

:'''''Figure 7 Virtual Contexts Pane (Admin Context)'''''

:[[Image:Virtual Contexts Pane (Admin Context).jpg]]

=== Configuring a Second Gigabit Ethernet Interface Port ===

You can configure a second Gigabit Ethernet interface port to connect to clients. For the example configuration, you will configure Gigabit Ethernet interface port 2 as illustrated in Figure 8 (previously configured settings are grayed out).

:'''''Figure 8 Configuring a Second Gigabit Ethernet Interface Port to Connect to Clients'''''

:[[Image:Configuring a Second Gigabit Ethernet Interface Port to Connect to Clients.jpg]]

Configure a second Gigabit Ethernet port by following these steps:

1. Choose '''Config > Virtual Contexts > Network > GigabitEthernet Interfaces'''. The GigabitEthernet Interfaces pane appears (Figure 9).

:'''Note '''Only users authenticated in the Admin context can configure the Gigabit Ethernet interface ports.

:'''''Figure 9 GigabitEthernet Interfaces Pane—gigabitEthernet 1/2'''''

:[[Image:GigabitEthernet Interfaces Pane-gigabitEthernet 1_2.jpg]]

2. In the GigabitEthernet Interfaces pane, choose '''gigabitEthernet 1/2''', and then click '''Edit '''to define attributes for the port. The GigabitEthernet Interfaces window appears (Figure 10).

:'''''Figure 10 GigabitEthernet Interfaces Window—gigabitEthernet 1/2'''''

:[[Image:GigabitEthernet Interfaces Window—gigabitEthernet 1_2.jpg]]

3. Enter the following attributes for port 2. Leave the remaining attributes blank or with their default values.

:* Admin Status: Up

:* Speed: Auto

:* Port Operation Mode: Switchport

:* Switchport type: Access

:* Access Vlan: 400

4. Click '''Deploy Now '''to save these settings and to return to the GigabitEthernet Interfaces pane (Figure 11).

:'''''Figure 11 GigabitEthernet Interfaces Pane with Ethernet Port 2 Configured'''''

:[[Image:GigabitEthernet Interfaces Pane with Ethernet Port 2 Configured.jpg]]

=== Configuring a Third Gigabit Ethernet Interface Port ===

You can configure a third Gigabit Ethernet interface port to connect to the servers. For the example configuration, you will configure Gigabit Ethernet interface port 3 as illustrated in Figure 12 (previously configured settings are grayed out.)

:'''''Figure 12 Configuring a Third Gigabit Ethernet Interface Port to Connect to the Servers'''''

:[[Image:Configuring a Third Gigabit Ethernet Interface Port to Connect to the Servers.jpg]]

Configure a third Gigabit Ethernet port by following these steps:

1. In the GigabitEthernet Interfaces pane, choose '''gigabitEthernet 1/3''', and then click '''Edit''' to define attributes for the port. The GigabitEthernet Interfaces window appears (see Figure 10).

2. Enter the following attributes for port 3. Leave the remaining attributes blank or with their default values.

:* Admin Status: Up

:* Speed: Auto

:* Port Operation Mode: Switchport

:* Switchport type: Access

:* Access VLAN: 500

3. Click '''Deploy Now '''to save these settings and to return to the GigabitEthernet Interfaces pane (Figure 13).

:'''''Figure 13 GigabitEthernet Interfaces Pane with Ethernet Port 3 Configured'''''

:[[Image:GigabitEthernet Interfaces Pane with Ethernet Port 3 Configured.jpg]]

== Setting Up an ACE Appliance Using the CLI ==

You can set up an ACE appliance using the Device Manager GUI or the CLI. This section describes how to set up an ACE using the CLI, and includes the following sections:

* [[#Logging in to the ACE Using the CLI|Logging in to the ACE Using the CLI]]

* [[#Configuring the First Gigabit Ethernet Port from the CLI|Configuring the First Gigabit Ethernet Port from the CLI]]

* [[#Allocating the First Gigabit Ethernet Port to a VLAN from the CLI|Allocating the First Gigabit Ethernet Port to a VLAN from the CLI]]

* [[#Configuring a Management VLAN Interface on the ACE from the CLI|Configuring a Management VLAN Interface on the ACE from the CLI]]

* [[#Configuring a Second Gigabit Ethernet Interface Port from the CLI|Configuring a Second Gigabit Ethernet Interface Port from the CLI]]

* [[#Configuring a Third Gigabit Ethernet Interface Port from the CLI|Configuring a Third Gigabit Ethernet Interface Port from the CLI]]

* [[#Configuring Remote Management Access to the ACE from the CLI|Configuring Remote Management Access to the ACE from the CLI]]

* [[#Accessing the ACE through a Telnet Session|Accessing the ACE through a Telnet Session]]

=== Logging in to the ACE Using the CLI ===

After you have established a direct serial connection between the ACE and your terminal or a PC (see [[#Establishing a Console Connection on the ACE|Establishing a Console Connection on the ACE]]), you can set up the ACE using the CLI.

When the setup script displays the “Would you like to enter the basic configuration dialog? (yes/no):” prompt, enter '''no''' to access the CLI. Log in to the ACE by following these steps:

1. At the login prompt, enter '''admin'''. For the password, type the new password that you entered in Step 2 in [[#Enabling Management Connectivity Using the Setup Script|Enabling Management Connectivity Using the Setup Script]].

:host1 login: '''admin'''

:Password: '''xxxxx'''

You are ready to use the ACE CLI when the following prompt appears.

:host1/Admin#

2. Set the '''terminal session-timeout '''command to 0 to prevent this current session from timing out. By default, a session on the ACE is automatically logged out after 5 minutes of inactivity.

:host1/Admin# '''terminal session-timeout''' '''0'''

:host1/Admin#

=== Configuring the First Gigabit Ethernet Port from the CLI ===

You can configure a Gigabit Ethernet interface port for the ACE management traffic. For the example configuration, you will configure Gigabit Ethernet interface port 1. Configure the first Gigabit Ethernet port by following theses steps:

1. Configure a Layer 2 Gigabit Ethernet port on the ACE by using the '''interface gigabitEthernet ''''''''slot_number/port_number '''''command in configuration mode.

:'''Note '''The slot_number specifies the physical slot on the ACE that contains the Ethernet ports. For the current release of the ACE appliance, this selection is always 1.

:Configure Gigabit Ethernet port 1 and enter interface configuration mode by entering:

:host1/Admin# '''config'''

:host1/Admin(config)# '''interface gigabitEthernet 1/1'''

:host1/Admin(config-if)#

2. Enable the Gigabit Ethernet port by using the '''no shutdown '''command in interface configuration mode. Disable a running Gigabit Ethernet port by using the '''shutdown''' command; bring one up by using the '''no shutdown''' command.

:host1/Admin(config-if)# '''no shutdown'''

3. Display the configuration of the interface by using the '''do '''command with the '''show interface''' command.

:host1/admin(config-if)# '''do show interface vlan 1000'''

=== Allocating the First Gigabit Ethernet Port to a VLAN from the CLI ===

After you configure an Gigabit Ethernet port, the next step is to allocate it to a VLAN. For the example configuration, you will allocate the first Gigabit Ethernet port to VLAN 1000, as illustrated in Figure 14 (previously configured settings are grayed out.)

'''''Figure 14 Allocating the First Gigabit Ethernet Port to a VLAN'''''

[[Image:Allocating the First Gigabit Ethernet Port to a VLAN.jpg]]

Allocate the port to a VLAN by following these steps:

1. Assign one or more VLAN numbers to the Gigabit Ethernet port by using the '''switchport trunk allowed vlan ''''''''vlan_list '''''command in interface configuration mode. The vlan_list argument can include:

:* A single VLAN number

:* Beginning and ending VLAN numbers separated by a hyphen

:* Specific VLAN numbers separated by commas

:Valid entries are 1 through 4094. Do not enter any spaces in a hyphenated range or in a comma-separated list of numbers in the vlan_list argument.

:'''Note '''You can associate a VLAN number with only one Gigabit Ethernet port.

:Add VLAN 1000 to the defined list of VLANs currently set for Gigabit Ethernet port 1 by entering:

:host1/Admin(config)# '''interface gigabitEthernet 1/1'''

:host1/Admin(config-if)# '''switchport access allowed vlan 1000'''

2. Enable VLAN access for the specified Layer 2 Gigabit Ethernet port by using the '''no shutdown '''command in interface configuration mode.

:host1/Admin(config-if)# '''no shutdown'''

:host1/Admin(config-if)# '''exit'''

:host1/Admin(config)#

=== Configuring a Management VLAN Interface on the ACE from the CLI ===

You can provide management connectivity to the ACE by assigning an IP address to the VLAN interface on the ACE. For the example configuration, you will assign an IP address 172.25.91.110 and a subnet mask of 255.255.255.0 to VLAN 1000, as illustrated in Figure 15 (previously configured settings are grayed out).

'''''Figure 15 Configuring a Management VLAN Interface on the ACE'''''

[[Image:Configuring a Management VLAN Interface on the ACE.jpg]]

Configure a VLAN interface on the ACE by following these steps:

1. Access interface configuration mode for the VLAN 1000.

:host1/Admin(config)# '''interface vlan 1000'''

:host1/Admin(config-if)#

2. Assign an IP address of 172.25.91.110 and a subnet mask of 255.255.255.0 to the VLAN interface for management connectivity.

:host1/Admin(config-if)# '''ip address 172.25.91.110 255.255.255.0'''

3. (Optional) Provide a description for the interface.

:host1/Admin(config-if)# '''description Management connectivity on VLAN 1000'''

4. Enable the VLAN interface.

:host1/Admin(config-if)# '''no shutdown'''

5. Display the configuration of VLAN 1000.

:host1/Admin(config-if)# '''do show interface vlan 1000'''

6. Verify network connectivity by using the '''ping''' command. This command verifies the connectivity of a remote host or server by sending echo messages from the ACE.

:host1/Admin(config-if)# '''do ping 172.25.91.110'''

7. Exit the interface configuration mode.

:host1/Admin(config-if)# '''exit'''

:host1/Admin(config)#

=== Configuring a Second Gigabit Ethernet Interface Port from the CLI ===

You can configure a second Gigabit Ethernet interface port to connect to clients. For the example configuration, you will configure Gigabit Ethernet interface port 2 as illustrated in Figure 8. Configure the second Gigabit Ethernet Interface port by following these steps:

1. Add VLAN 400 to the defined list of VLANs currently set for Gigabit Ethernet port 2.

:host1/Admin(config)# '''interface gigabitEthernet 1/2'''

:host1/Admin(config-if)# '''switchport access vlan 400'''

2. Enable the Gigabit Ethernet port.

:host1/Admin(config-if)# '''no shutdown'''

:host1/Admin(config-if)# '''exit'''

:host1/admin(config)#

=== Configuring a Third Gigabit Ethernet Interface Port from the CLI ===

You can configure a third Gigabit Ethernet interface port to connect to the servers. For the example configuration, you will configure Gigabit Ethernet interface port 3 as illustrated in Figure 12. Configure the third Gigabit Ethernet Interface port by following these steps:

1. Add VLAN 500 to the defined list of VLANs currently set for Gigabit Ethernet port 3.

:host1/Admin(config)# '''interface gigabitEthernet 1/3'''

:host1/Admin(config-if)# '''switchport access allowed vlan 500'''

2. Enable the Ethernet port.

:host1/Admin(config-if)# '''no shutdown'''

:host1/Admin(config-if)# '''exit'''

:host1/admin(config)#

=== Configuring Remote Management Access to the ACE from the CLI ===

Before remote network access can occur on the ACE through an Ethernet port, you must create a traffic policy that identifies the network management traffic that can be received by the ACE. Configure remote management access to the ACE by following these steps:

1. Create a management-type class map named REMOTE_ACCESS that matches any traffic.

:host1/Admin(config)# '''class-map type management match-any REMOTE_ACCESS'''

:host1/Admin(config-cmap-mgmt)#

2. (Optional) Provide a description for the class map.

:host1/Admin(config-cmap-mgmt)# '''description Remote access traffic match'''

3. Configure the match protocol to permit traffic based on the SSH, Telnet, and ICMP protocols for any source address.

:host1/Admin(config-cmap-mgmt)# '''match protocol ssh any'''

:host1/Admin(config-cmap-mgmt)# '''match protocol telnet any'''

:host1/Admin(config-cmap-mgmt)# '''match protocol icmp any'''

:host1/Admin(config-cmap-mgmt)# '''exit'''

:host1/Admin(config)#

4. Create a REMOTE_MGMT_ALLOW_POLICY policy map for traffic destined to an ACE interface.

:host1/Admin(config)# '''policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY'''

:host1/Admin(config-pmap-mgmt)#

5. Apply the previously created REMOTE_ACCESS class map to this policy.

:host1/Admin(config-pmap-mgmt)# '''class REMOTE_ACCESS'''

:host1/Admin(config-pmap-mgmt-c)#

6. Allow the ACE to receive the configured class map management protocols.

:host1/Admin(config-pmap-mgmt-c)# '''permit'''

:host1/Admin(config-pmap-mgmt-c)# '''exit'''

:host1/Admin(config-pmap-mgmt)# '''exit'''

:host1/Admin(config)#

7. Access interface configuration mode for the VLAN to which you want to apply the policy map.

:host1/Admin(config)# '''interface vlan 1000'''

:host1/Admin(config-if)#

8. Apply the REMOTE_MGMT_ALLOW_POLICY policy map to the interface.

:host1/Admin(config-if)# '''service-policy input''' '''REMOTE_MGMT_ALLOW_POLICY'''

9. Display the REMOTE_MGMT_ALLOW_POLICY policy applied to the interface.

:host1/Admin(config-if)# '''do show service-policy REMOTE_MGMT_ALLOW_POLICY'''

:Status : ACTIVE

:-----------------------------------------

:Interface: vlan 1000

: service-policy: REMOTE_MGMT_ALLOW_POLICY

10. Save your configuration changes from the running configuration to the startup configuration.

:host1/Admin(config-if)# '''do copy running-config startup-config'''

:Generating configuration....

:running config of context VC_web saved

:host1/Admin(config-if)# '''exit'''

:host1/Admin(config)# '''exit'''

11. Display the running configuration.

:host1/Admin(config)# '''do''' '''show running-config'''

:Generating configuration....

:class-map type management match-any REMOTE_ACCESS

: description Remote access traffic match

: 2 match protocol telnet any

: 3 match protocol ssh any

: 4 match protocol icmp any

:policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

: class REMOTE_ACCESS

: permit

:interface vlan 1000

: description Management connectivity on VLAN 1000

: ip address 172.25.91.110 255.255.255.0

: service-policy input REMOTE_MGMT_ALLOW_POLICY

: no shutdown

:interface vlan 400

: description client connectivity on VLAN 400

: ip address 10.10.40.10 255.255.255.0

: no shutdown

=== Accessing the ACE through a Telnet Session ===

After you have completed the previous configurations, you can use Telnet to access the ACE through an Ethernet port by using its IP address. Access the ACE through Telnet by following these steps:

1. Initiate a Telnet session from a remote host to the ACE. For example, access the ACE from the VLAN IP address of 172.25.91.110 by entering:

:remote_host# '''telnet 172.25.91.110'''

:Trying 172.25.91.110... Open

2. At the prompt, log in to the ACE. Enter '''admin '''as the user name and for the password, type the new password that you entered in the Step 2 in [[#Enabling Management Connectivity Using the Setup Script|Enabling Management Connectivity Using the Setup Script]].

:host1 login: '''admin'''

:Password: '''xxxxx'''

3. Display the Telnet session.

:host1/Admin# '''show telnet'''

In this section, you have set up your ACE appliance so that you can use the ACE Device Manager or CLI to perform server load-balancing configuration tasks through a remote management interface. Next, you will create a user context for server load balancing.

File:Allocating the First Gigabit Ethernet Port to a VLAN.jpg

2008-10-06T20:02:03Z

Kkroeber:

File:Allocating the First Gigabit Ethernet Port to a VLAN.jpg

2008-10-06T20:01:50Z

Kkroeber:

[[Cisco ACE 4700 Series Appliance Quick Start Guide, Release A3(1.0) -- Setting Up an ACE Appliance

File:VLAN Interfaces Windowâ€”VLAN 400.jpg

2008-10-06T19:54:39Z

Kkroeber:

File:VLAN Interfaces Pane.jpg

2008-10-06T19:54:27Z

Kkroeber:

File:VLAN Interface Pane with Two VLANs Configured.jpg

2008-10-06T19:54:16Z

Kkroeber:

File:Resource Classes Pane.jpg

2008-10-06T19:54:05Z

Kkroeber:

File:Resource Classes Pane with a New Resource Class Added.jpg

2008-10-06T19:53:56Z

Kkroeber:

File:New Virtual Context Window.jpg

2008-10-06T19:53:46Z

Kkroeber:

File:New Resource Class Window.jpg

2008-10-06T19:53:34Z

Kkroeber:

File:NAT Pool Pane.jpg

2008-10-06T19:53:19Z

Kkroeber:

File:NAT Pool Pane with a NAT Pool Configured.jpg

2008-10-06T19:53:10Z

Kkroeber:

File:Creating a User Context.jpg

2008-10-06T19:53:00Z

Kkroeber:

File:Configuring the Server-Side VLAN Interface.jpg

2008-10-06T19:52:51Z

Kkroeber:

File:Configuring the Client-Side VLAN Interface.jpg

2008-10-06T19:52:43Z

Kkroeber:

File:Configuring a NAT Pool.jpg

2008-10-06T19:52:33Z

Kkroeber:

File:All Virtual Contexts Pane.jpg

2008-10-06T19:52:24Z

Kkroeber:

File:All Virtual Contexts Pane After VC web is Added.jpg

2008-10-06T19:52:08Z

Kkroeber:

File:SSL Termination.jpg

2008-10-06T19:51:47Z

Kkroeber:

File:Proxy Service Window.jpg

2008-10-06T19:51:35Z

Kkroeber:

File:Proxy Service Pane.jpg

2008-10-06T19:51:25Z

Kkroeber:

File:Parameter Map Window.jpg

2008-10-06T19:51:12Z

Kkroeber:

File:Parameter Map Pane.jpg

2008-10-06T19:51:02Z

Kkroeber:

File:Keys Pane.jpg

2008-10-06T19:50:49Z

Kkroeber:

File:Import a Certificate Key File to a Device Window.jpg

2008-10-06T19:50:36Z

Kkroeber: