Cisco ACE-4710-K9 Administration Manual

Application control engine appliance
Cisco 4700 Series Application Control
Engine Appliance Administration Guide
Software Version A1(7)
November 2007
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel:
408 526-4000
800 553-NETS (6387)
Fax:
408 527-0883
Text Part Number: OL-11157-01

Summary of Contents for Cisco ACE-4710-K9

  • Page 1 Cisco 4700 Series Application Control Engine Appliance Administration Guide Software Version A1(7) November 2007 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-11157-01...
  • Page 2 LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Configuring a Message-of-the-Day Banner 1-13 Configuring the Time, Date, and Time Zone 1-15 Setting the System Time and Date 1-15 Setting the Time Zone 1-16 Adjusting for Daylight Saving Time 1-19 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-11157-01...
  • Page 4 Creating a Layer 3 and Layer 4 Remote Access Policy Map; Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic Received by the ACE; Defining a Layer 3 and Layer 4 Policy Map Description 2-10...
  • Page 5 Replacing a Demo License with a Permanent License; Removing a License; Removing an Appliance Performance Throughput License 3-10; Removing an SSL TPS License 3-10; Removing a Virtualization Context License 3-10; Removing an HTTP Compression Performance License 3-13...
  • Page 6 4-38; Defining Layer 7 Classifications for HTTP Server Load Balancing 4-39; Defining Layer 7 Classifications for HTTP Deep Packet Inspection 4-41; Defining Layer 7 Classifications for FTP Command Inspection 4-42...
  • Page 7 Example of a Traffic Policy Configuration 4-68; Viewing Class Maps, Policy Maps, and Service Policies 4-71; Displaying Class Map Configuration Information 4-71; Displaying Policy Map Configuration Information 4-71; Displaying Service Policy Configuration Information 4-72...
  • Page 8 5-23; Moving Files 5-23; Deleting Files 5-24; Displaying File Contents 5-25; Saving show Command Output to a File 5-26; Viewing and Copying Core Dumps 5-27; Copying Core Dumps 5-28...
  • Page 9 Displaying Process Status Information and Memory Resource Limits 6-11; Displaying System Information 6-14; Displaying ICMP Statistics 6-16; Displaying Technical Support Information 6-17; CHAPTER Configuring Redundant ACE Appliances; Overview of Redundancy...
  • Page 10 Forcing a Failover 7-24; Synchronizing Redundant Configurations 7-25; Configuring Tracking and Failure Detection 7-28; Overview of Tracking and Failure Detection 7-28; Configuring Tracking and Failure Detection for a Host or Gateway 7-29...
  • Page 11 Displaying the Redundancy Internal Software History 7-47; Displaying Memory Statistics 7-47; Displaying Peer Information 7-47; Displaying FT Statistics 7-51; Displaying FT Tracking Information 7-54; Clearing Redundancy Statistics 7-58; Clearing FT Statistics 7-58...
  • Page 12 Creating a Layer 3 and Layer 4 Policy Map for SNMP Network Management Traffic Received by the ACE 8-42; Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy 8-43...
  • Page 13 Enabling the Display of Raw XML Request show Command Output in XML Format 9-24; Accessing the ACE DTD File 9-27; APPENDIX Upgrading Your ACE Software; Overview of Upgrading ACE Software...
  • Page 14 Configuring the Configuration Register to Autoboot the Boot Variable; Verifying the Boot Variable and Configuration Register A-10; Reloading the ACE A-10; Displaying Software Image Information A-11; INDEX...
  • Page 15 Preface This guide provides instructions for the administration of the Cisco 4700 Series Application Control Engine (ACE) appliance. It describes how to perform administration tasks on the ACE, including initial setup, establishing remote access, managing software licenses, configuring class maps and policy maps, managing the ACE software, configuring SNMP, configuring redundancy, configuring the XML interface, and upgrading your ACE software.
  • Page 16: How To Use This Guide

    ACE. Chapter 2, Enabling Remote Access to the ACE: Describes how to configure remote access to the Cisco 4700 Series Application Control Engine (ACE) appliance by establishing a remote connection using the Secure Shell (SSH) or Telnet protocols.
  • Page 17 CLI query and reply data in XML format to meet different specific business needs. Appendix A, Upgrading Your ACE Software: Describes how to upgrade the software on your ACE...
  • Page 18: Related Documentation

    Manager GUI Quick Configuration Note. Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide: Describes how to operate your ACE in a single context or in multiple contexts...
  • Page 19 Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide: Describes the configuration of the application acceleration and optimization features of the ACE. It also provides an overview and description of those features...
  • Page 20 ACE. Cisco 4700 Series Application Control Engine Appliance Command Reference: Provides an alphabetical list and descriptions of all CLI commands by mode, including syntax, options, and related commands...
  • Page 21: Symbols And Conventions

    A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks. screen font: Terminal sessions and information the system displays are in screen font...
  • Page 22 Warning: Means possible physical harm or equipment damage. A warning describes an action that could cause you physical harm or damage the equipment. For additional information about CLI syntax formatting, see the Cisco 4700 Series Application Control Engine Appliance Command Reference...
  • Page 23: Security Guidelines

    For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 24 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE...
  • Page 25 “This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”. The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related...
  • Page 26 The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License]...
  • Page 27 Shutting Down the ACE For details on assigning VLANs to the ACE, configuring VLAN interfaces on the ACE, and configuring a default or static route on the ACE, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.
  • Page 28: Chapter 1 Setting Up The ACE

    Use a straight-through cable to connect the switch to a DTE device, such as a terminal or a PC. For instructions on connecting a console cable to your ACE appliance, see the Cisco Application Control Engine Appliance Hardware Installation Guide.
  • Page 29: Using The Setup Script To Enable Connectivity To The Device Manager

    VLAN on the ACE through one of its Gigabit Ethernet ports. The primary intent of the setup script is to simplify connectivity to the Device Manager GUI (as described in the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Quick Configuration Guide)
  • Page 30 Step 2: Press the power button on the front of the ACE and the boot process occurs. See the Cisco Application Control Engine Appliance Hardware Installation Guide for details. Step 3: At the login prompt, log into the ACE by entering the login username and password.
  • Page 31 ALL extended permit ip any any class-map type management match-any remote_access match protocol xml-https any match protocol icmp any match protocol telnet any match protocol ssh any match protocol http any match protocol https any...
  • Page 32 (yes/no) [n]:, enter one of the following replies: • Type y to save the running-configuration to the startup-configuration file. • Type n to bypass saving the running-configuration to the startup-configuration file...
  • Page 33: Connecting And Logging Into The ACE

    You can configure the ACE to provide a higher level of security for users accessing the ACE. For information about configuring user authentication for login access, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide...
  • Page 34 Caution: For software versions A1(8.0a) and higher, you must change the default Admin password if you have not already done so. Otherwise, you will be able to log in to the ACE only through the console port...
  • Page 35: Changing The Administrative Password

    If you do not change the administrative password, security on your ACE can be compromised because the administrative password is configured to be the same for every ACE shipped from Cisco Systems. Caution: For software versions A1(8.0a) and higher, you must change the default Admin password if you have not already done so.
  • Page 36: Resetting The Administrator CLI Account Password

    ACE. You must have access to the ACE through the console port to be able to reset the password for the Admin user back to the factory-default value of admin. Note: Only the Admin context is accessible through the console port...
  • Page 37 The boot process continues as normal and you are able to enter the admin password at the login prompt...
  • Page 38: Assigning A Name To The ACE

    The minutes argument specifies the length of time that a user can be idle before the ACE terminates the session. Valid entries are from 0 to 60 minutes. A value of 0 instructs the ACE never to time out. The default is 5 minutes...
  • Page 39: Configuring A Message-Of-The-Day Banner

    The ACE appends each line to the end of the existing banner. If the text is empty, the ACE adds a carriage return (CR) to the banner...
  • Page 40 To replace a banner or a line in a multi-line banner, use the no banner motd command before adding the new lines. To display the configured banner message, use the show banner motd command in Exec mode as follows: host1/Admin# show banner motd...
  • Page 41: Configuring The Time, Date, And Time Zone

    For example, to specify a time of 1:38:30 and a date of October 7, 2007, enter: host1/Admin# clock set 01:38:30 7 October 2007 Tues Oct 7 01:38:30 PST 2007...
  • Page 42: Setting The Time Zone

    ACST—Australian Central Standard Time as UTC +9.5 hours; AKST—Alaska Standard Time as UTC –9 hours; AST—Atlantic Standard Time as UTC –4 hours; BST—British Summer Time as UTC +1 hour...
  • Page 43 Eastern Europe Time, as UTC +2 hours; EEST—Eastern Europe Summer Time, as UTC +3 hours; Greenwich Mean Time, as UTC; Irish Summer Time, as UTC +1 hour; Moscow Summer Time, as UTC +4 hours...
  • Page 44 Alaska Standard Time as UTC –9 hours; AKDT—Alaska Standard Daylight Saving Time as UTC –8 hours; Hawaiian Standard Time as UTC –10 hours; Australia Central Standard Time as UTC +9.5 hours...
  • Page 45: Adjusting For Daylight Saving Time

    PDT) to be displayed when summer time is in effect. See Table 1-1 for the list of the common time zone acronyms used for the daylight_timezone_name argument. • start_week end_week—The week, ranging from 1 through 5...
  • Page 46 Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60 To remove the clock summer-time setting, use the no form of this command. For example, enter: host1/Admin(config)# no clock summer-time...
  • Page 47: Viewing The System Clock Settings

    Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide), and you plan to use an optional Cisco AVS 3180A Management Console with multiple ACE nodes, we strongly recommend that you synchronize the system clock of each ACE node with an NTP server.
  • Page 48: Configuring NTP Server And Peer Associations

    ACE system clock to be synchronized by a time server. You can specify multiple associations. • ip_address2—IP address of the time server that provides the clock synchronization...
  • Page 49: Viewing NTP Statistics And Information

    • Listing of all associated peers. The syntax of this command is as follows: show ntp {peer-status | peers | statistics [io | local | memory | peer ip_address]}...
  • Page 50 The stratum; Poll—The poll interval (in seconds); Reach—The status of the reachability register (see RFC-1305) in octal; Delay—The latest delay (in microseconds)...
  • Page 51 Current number of unavailable client-receive buffers; Low water refills—Total number of times buffers were added, which also indicates the number of times there have been low memory resources during buffer creation...
  • Page 52 ACE due to an invalid packet format. Packets processed—Number of NTP packets received and processed by the ACE. Bad authentication—Number of packets not verified as authentic...
  • Page 53 Time Last Received—Time that the last NTP response was received. Time Until Next Send—Length of time until the next send attempt. Reachability Change—The reachability status for the peer...
  • Page 54: Clearing NTP Statistics

    I/O statistics for local devices. • memory—Clears I/O statistics for memory. For example, to clear the NTP statistics for all peers, enter: host1/Admin# clear ntp statistics all-peers...
  • Page 55 For example, to clear the NTP statistics for the local devices, enter: host1/Admin# clear ntp statistics local For example, to clear the NTP statistics for memory, enter: host1/Admin# clear ntp statistics memory...
  • Page 56: Configuring Terminal Settings

    Valid entries are from 0 to 511. The default is 24 lines. A selection of 0 instructs the ACE to scroll continuously (no pausing)...
  • Page 57 session. To enable the various levels of syslog messages to the terminal, use the logging monitor command (see the Cisco 4700 Series Application Control Engine Appliance System Message Guide for details). • session-timeout minutes—Specifies the inactivity timeout value in minutes...
  • Page 58: Configuring Terminal Line Settings

    The range is from 5 to 8. The default is 8 data bits...
  • Page 59 The optional connected keyword displays the physical connection status. For example, to display the configured console settings, enter: host1/Admin# show line console line Console: Speed: 9600 bauds Databits: 8 bits per byte Stopbits: 1 bit(s) Parity: none...
  • Page 60 The vty_name argument specifies the name of the VTY session. Enter a maximum of 64 characters for the name of the virtual terminal. For example, to close a specified vty session, enter: host1/Admin# clear line vty vty1...
  • Page 61: Modifying The Boot Configuration

    ACE. Upon startup, the ACE loads the startup-configuration file stored in the Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory)...
  • Page 62 Perform one of the following actions: • Press Enter to boot the selected software version. • Type e to edit the commands before booting. • Type c to access a command line...
  • Page 63: Setting The Boot Environment Variable

    “Warning: file found but it is not a valid boot image” displays. For example, to set the BOOT environment variable, enter: host1/Admin(config)# boot system image:c4710ace-mz.3.0.0_AB0_0.488.bin...
  • Page 64: Configuring The ACE To Bypass The Startup Configuration File During The Boot Process

    GRUB bootloader. See the “Setting the Boot Method from the Configuration Register” section. Reboot the ACE. See the “Restarting the ACE” section. Upon reboot, the ACE boots to the GRUB bootloader...
  • Page 65 This may take some time, Please wait ..PCI test loop , count 0 PCI path is ready Starting services... Starting sysmgr processes.. Please wait...Done!!! switch login: admin Password: admin...
  • Page 66 Would you like to enter the basic configuration dialog (yes/no):no Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
  • Page 67: Displaying The ACE Boot Configuration

    This command will reboot the system Save configurations for all the contexts. Save? [yes/no]: yes Generating configuration..running config of context Admin saved Perform system reload. [yes/no]: [yes] yes...
  • Page 68: Shutting Down The ACE

    Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE reverts to its previous settings upon restart...
  • Page 69: Enabling Remote Access To The ACE

    Chapter: Enabling Remote Access to the ACE. This chapter describes how to configure remote access to the Cisco 4700 Series Application Control Engine (ACE) appliance by establishing a remote connection by using the Secure Shell (SSH) or Telnet protocols. It also describes how to configure the ACE to provide direct access to a user context from SSH.
  • Page 70: Chapter 2 Enabling Remote Access To The ACE

    C1 host1/C1# The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 71 (Optional) Configure the maximum number of Telnet sessions allowed for each context. host1/Admin(config)# telnet maxsessions 3 (Optional) Configure the maximum number of SSH sessions allowed for each context. host1/Admin(config)# ssh maxsessions 3...
  • Page 72: Configuring Remote Network Management Traffic Services

    This section provides an overview on creating a class map, policy map, and service policy for remote network access. For detailed information on creating class maps, policy maps, and service policies, see Chapter 4, Configuring Class Maps and Policy Maps...
  • Page 73: Creating And Configuring A Remote Management Class Map

    Configuring Remote Network Management Traffic Services Telnet and SSH remote access sessions are established to the ACE on a per context basis. For details on creating users and contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
  • Page 74: Defining A Class Map Description

    For example, to specify a description that the class map is to allow remote Telnet access, enter: host1/Admin(config)# class-map type management TELNET-ALLOW_CLASS host1/Admin(config-cmap-mgmt)# description Allow Telnet access to the...
  • Page 75: Defining Remote Network Management Protocol Match Criteria

    SSH remote shell functionality provided in SSH Version 1 and supports DES and 3DES ciphers. The configuration of SSH sessions is described in the “Configuring SSH Management Sessions” section...
  • Page 76 SSH-ALLOW_CLASS host1/Admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254 To deselect the specified network management protocol match criteria from the class map, enter: host1/Admin(config-cmap-mgmt)# no match protocol ssh source-address 172.16.10.0 255.255.255.254...
  • Page 77: Creating A Layer 3 And Layer 4 Remote Access Policy Map

    When you use this command, you will access policy map management configuration mode. For example, to create a Layer 3 and Layer 4 network traffic management policy map, enter: host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY host1/Admin(config-pmap-mgmt)#...
  • Page 78 This command enters the policy map management class configuration mode. The syntax of this command is as follows: class {name1 [insert-before name2] | class-default}...
  • Page 79 To specify the class-default class map for the Layer 3 and Layer 4 traffic policy, enter: host1/Admin(config-pmap-mgmt)# class class-default host1/Admin(config-pmap-mgmt-c)# To remove a class map from a Layer 3 and Layer 4 policy map, enter: host1/Admin(config-pmap-mgmt)# no class L4_REMOTE_ACCESS_CLASS...
  • Page 80: Defining Layer 3 And Layer 4 Management Traffic Policy Actions

    For example, to create a policy map that restricts an ICMP connection by the ACE, enter: host1/Admin(config)# policy-map type management first-action ICMP_RESTRICT_POLICY host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS host1/Admin(config-pmap-mgmt-c)# deny...
  • Page 81: Applying A Service Policy

    For example, to globally apply the remote access policy map to all of the VLANs associated with a context, enter: host1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY To detach the remote access traffic policy from an interface, enter: host1/Admin(config-if)# no service-policy input REMOTE_MGMT_ALLOW_POLICY...
  • Page 82 (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters. • detail—(Optional) Displays a more detailed listing of policy map statistics and status information...
  • Page 83: Configuring Telnet Management Sessions

    Telnet to connect to that IP address. This capability allows you to specify a particular context when accessing the ACE. For details on creating users and contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
  • Page 84: Configuring SSH Management Sessions

    SSH to connect to that IP address. This capability allows you to specify a particular context when accessing the ACE. For details on creating users and contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
  • Page 85: Generating SSH Host Key Pairs

    The number of bits specified for each key pair ranges from 768 to 4096. To generate the SSH private key and the corresponding public key for use by the SSH server, use the ssh key command in configuration mode...
  • Page 86 See Chapter 1, Setting Up the ACE, for details on setting a hostname and to the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for details on configuring a domain. For example, to generate an RSA1 key pair in the Admin context, enter:...
  • Page 87: Terminating An Active User Session

    • Service policy to activate the policy map, attach the traffic policy to an interface or globally on all interfaces, and specify the direction in which the policy should be applied...
  • Page 88 To allow ICMP messages to pass through the ACE, configure an ICMP ACL to permit or deny network connections based on the ICMP type (for example, echo, echo-reply, or unreachable). See the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide for details.
  • Page 89: Directly Accessing A User Context Through SSH

    Step 2 traffic classified for it by entering the following command: host1/Admin(config-context)# allocate-interface vlan 100 See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. Generate the SSH host key pair by entering the following command:...
  • Page 90 For example, assign an IP address to the interface and reenable the interface within the context with the no shutdown command. See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. Create an SSH remote management policy and apply the associated service policy...
  • Page 91: Example Of A Remote Access Configuration

    4 match protocol icmp any policy-map type management first-match L4_REMOTE-MGT_POLICY class L4_REMOTE-MGT_CLASS permit interface vlan 50 ip address 192.168.1.1 255.255.255.0 access-group input ACL1 service-policy input L4_REMOTE-MGT_POLICY no shutdown ssh key rsa1 1024 force...
  • Page 92: Viewing Session Information

    The optional context_name argument specifies the name of the context for which you want to view specific Telnet session information. The context_name argument is case sensitive. For example, enter: host1/Admin# show telnet Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-24 OL-11157-01...
  • Page 93 The optional context_name argument specifies the name of the context for which you want to view the maximum number of Telnet sessions. The context_name argument is case sensitive. For example, enter: host1/Admin# show telnet maxsessions Maximum Sessions Allowed is 4 Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-25 OL-11157-01...
  • Page 94: Showing Ssh Session Information Showing Ssh Key Details

    To display the maximum number of enabled SSH sessions, use the show ssh maxsessions command in Exec mode. Only context administrators can view SSH session information associated with a particular context. Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-26 OL-11157-01...
  • Page 95 # show ssh key could not retrieve rsa1 key information rsa Keys generated:Tue May 8 19:37:17 2007 [ssh-rsa public key and fingerprint omitted] bitcount:1024 ...
  • Page 96 dsa Keys generated:Tue May 8 19:37:17 2007 [ssh-dss public key and fingerprint omitted] bitcount:1024 ...
  • Page 97: Managing Ace Software Licenses

    CHAPTER Managing ACE Software Licenses. This chapter describes how to manage the software licenses for your Cisco 4700 Series Application Control Engine (ACE) appliance. It contains the following major sections: • Available ACE Licenses ...
  • Page 98: Available Ace Licenses

    Ordering separate license options. Table 3-1 summarizes the contents of the available license bundles. Table 3-2 provides a list of the default and upgrade ACE appliance licensing options. ...
  • Page 99 2 Gbps throughput. Virtualization Default 1 admin/5 user contexts. ACE-AP-VIRT-020 1 admin/20 user contexts. Default 1000 TPS. ACE-AP-SSL-05K-K9 5000 TPS. ACE-AP-SSL-07K-K9 7500 TPS. ACE-AP-SSL-UP1-K9 Upgrade from 5000 TPS to 7500 TPS. ...
  • Page 100 Etag • ACE demo licenses are available through your Cisco account representative. A demo license is valid for only 60 days. At the end of this period, you must update the demo license with a permanent license to continue to use the ACE software.
  • Page 101: Ordering An Upgrade License And Generating A Key

    Table 3-2 using any of the available Cisco ordering tools on cisco.com (Step 1). Step 2: When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct you to the following Cisco.com website: http://www.cisco.com/go/license Step 3: Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as your proof of purchase.
  • Page 102: Copying A License File To The Ace

    When you receive the software license key e-mail from Cisco Systems, you must copy the attached license file to a network server. Then use the copy command in Exec mode from the Admin context to copy the file from the network server to disk0: on the ACE.
  • Page 103: Installing A New Or Upgrade License File

    To install a license file for an SSL 5000 TPS license, enter: host1/Admin# license install disk0:ACE-AP-SSL-05K-K9.lic To install a license file for a 20 context license, enter: host1/Admin# license install disk0:ACE-AP-VIRT-020.lic ...
  • Page 104: Replacing A Demo License With A Permanent License

    • [path/]permanent_filename—Filename for the permanent license file that you copied onto the ACE. • demo_filename—Filename for the demo license file that the permanent license file is replacing. For example, enter: host1/Admin# license update disk0:ACE-AP-VIRT-020.lic ACE-AP-VIRT-020-DEMO.lic ...
  • Page 105: Removing A License

    Before removing any virtual context license, save the Admin running configuration and the user context running configurations to a remote server. For more information, see the “Removing a Virtualization Context License” section. ...
  • Page 106: Removing An Appliance Performance Throughput License

    Table 3-3 Virtual Context License Removal (columns: Current number of contexts; Applicable licenses; Results of license removal). Rows: 5 (default) / Not applicable / —; ACE-AP-VIRT-020 / 5 contexts ...
  • Page 107 The ACE displays the following messages and prompt: Clearing license ACE-AP-VIRT-020.lic: SERVER this_host ANY VENDOR cisco INCREMENT ACE-AP-VIRT-020 cisco 1.0 permanent 1 \ VENDOR_STRING=<count>1</count> HOSTID=ANY \ NOTICE="<LicFileID>20051103151315824</LicFileID><LicLineID>1</LicLineID> \ <PAK></PAK>" SIGN=86A13B1EA2F2 ...
  • Page 108 Step 6: Retrieve the modified Admin running configuration from the remote server. For example, to copy the R-CONFIG-ADM Admin running configuration from the TFTP server, enter: host1/Admin# copy tftp://192.168.1.2/R-CONFIG-ADM running-config ...
  • Page 109: Removing An Http Compression Performance License

    Table 3-4 Compression License Removal (columns: Current compression capability; Applicable licenses; Results of license removal). Rows: 100 Mbps (default) / Not applicable / —; 500 Mbps / ACE-AP-C-500-LIC / 100 Mbps ...
  • Page 110: Removing The Application Acceleration Software Feature Pack License

    ACE is capable of only five connections per second. For more information on the application acceleration and optimization capabilities of the ACE and configuring these capabilities, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide.
  • Page 111: Backing Up A License File

    For example, to untar the mylicenses.tar file on disk0:, enter: host1/Admin# untar disk0:mylicenses.tar For information on installing the license, see the “Installing a New or Upgrade License File” section. ...
  • Page 112: Displaying License Configurations And Statistics

    Entering the show license command without any options and arguments displays all installed ACE license files and their contents. For example, to display a list of the current installed licenses, enter: host1/Admin# show license brief ACE-AP-VIRT-020.lic ACE-AP-OPT-LIC-K9.lic ACE-AP-SSL-10K-K9.lic ...
  • Page 113 If the license is permanent, this field displays never. Comments: Licensing errors, if any. You can also view the ACE license by using the show version command in Exec mode on the ACE. ...
  • Page 115 This chapter describes how to configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through the Cisco 4700 Series Application Control Engine (ACE) appliance. You create traffic policies and attach these policies to one or more VLAN interfaces associated with the ACE to apply feature-specific actions to the matching traffic.
  • Page 116: Chapter 4 Configuring Class Map And Policy Map

    Layer 4 traffic classifications or Layer 7 protocol classifications. Creating a policy map by using the policy-map command, which refers to the class maps and identifies a series of actions to perform based on the traffic match criteria. ...
  • Page 117 (application protocol inspection). The figure also illustrates how the ACE associates the various components of the class map and policy map configuration with each other. ...
  • Page 118 Associates the Layer 7 FTP inspection class map and specifies one or more of the following actions: Deny, Mask-reply. [Figure labels: HTTP_INSPECT_L4POLICY; service policy applies policy map to a specific VLAN interface] ...
  • Page 119: Class Maps

    Packets that fail to meet any of the matching criteria are classified as members of the default traffic class if one is specified. ...
  • Page 120: Policy Maps

    • Previously created traffic class map or, optionally, the class-default class map • One or more of the individual Layer 3 and Layer 4 or Layer 7 policies that specify the actions (functions) to be performed by the ACE ...
  • Page 121 When there are multiple instances of actions of the same type configured in a policy map, the ACE performs the first action encountered of the same type that has a match. ...
  • Page 122 The policy lookup order of the ACE is as follows: 1. Access control (permit or deny a packet) 2. Permit or deny management traffic 3. TCP/UDP connection parameters 4. Load balancing based on a virtual IP (VIP) ...
  • Page 123: Service Policies

    For example, to specify an interface VLAN and apply multiple service policies to the VLAN, enter: host1/Admin(config)# interface vlan 50 host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0 host1/Admin(config-if)# service-policy input L4_HTTP_SLB_POLICY host1/Admin(config-if)# service-policy input L4_MGMT_POLICY ...
  • Page 124: Class Map And Policy Map Configuration Quick Start

    C1 host1/C1# The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 125 INBOUND (Optional) Specify a source IP address and subnet mask as a matching criteria in the class map. host1/Admin(config-cmap)# match source-address 192.168.10.1 255.255.255.0 ...
  • Page 127 (Optional) Configure the class map to identify the IP network management traffic received by the ACE. host1/Admin(config-cmap-mgmt)# match protocol ssh source-address 192.168.10.1 255.255.255.0 host1/Admin(config-cmap-mgmt)# match protocol telnet source-address 192.168.10.1 255.255.255.0 host1/Admin(config-cmap-mgmt)# match protocol icmp source-address 192.168.10.1 255.255.255.0 host1/Admin(config-cmap-mgmt)# exit ...
  • Page 129 HTTP protocol deep inspection of incoming traffic host1/Admin(config-cmap-http-insp)# match header length request eq 256 host1/Admin(config-cmap-http-insp)# match header Host header-value .mycompanyexample.com host1/Admin(config-cmap-http-insp)# match url length eq 10000 host1/Admin(config-cmap-http-insp)# exit ...
  • Page 130 Layer 3 and Layer 4 traffic policy map and to apply the policy to one or all of the VLAN interfaces associated with the context. Each step includes the CLI command required to complete the task. ...
  • Page 132 Layer 3 and Layer 4 network management policy map and to apply the policy to one or all of the VLAN interfaces associated with the context. Each step includes the CLI command required to complete the task. ...
  • Page 134 VLAN interfaces in the same context. host1/Admin(config)# interface vlan 50 host1/Admin(config-if)# ip address 192.168.1.100 255.255.0.0 host1/Admin(config-if)# service-policy input L4_MGMT_POLICY (Optional) Save your configuration changes to Flash memory. host1/Admin(config)# exit host1/Admin# copy running-config startup-config ...
  • Page 136 (Optional) Create and configure a Layer 7 policy map that enables FTP command inspection. host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECTION_L7_POLICY host1/Admin(config-pmap-ftp-ins)# description FTP command inspection of incoming traffic host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7_CLASS host1/Admin(config-pmap-ftp-ins-c)# match request-method stou host1/Admin(config-pmap-ftp-ins-c)# deny ...
  • Page 137 VLAN interfaces in the same context. host1/Admin(config)# interface vlan 50 host1/Admin(config-if)# ip address 192.168.1.100 255.255.0.0 host1/Admin(config-if)# service-policy input L4_SLB_POLICY (Optional) Save your configuration changes to Flash memory. host1/Admin(config)# exit host1/Admin# copy running-config startup-config ...
  • Page 138: Configuring Layer 3 And Layer 4 Class Maps

    • Defining TCP/UDP Port Number or Port Range Match Criteria • Defining the Source IP Address and Subnet Mask Match Criteria • Defining the VIP Address Match Criteria ...
  • Page 139: Creating A Layer 3 And Layer 4 Network Traffic Class Map

    The default setting is to meet all of the match criteria (match-all) in a class map. • map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. ...
  • Page 140 This command is intended to define a 3-tuple flow of VIP address, protocol, and port as matching criteria for server load balancing. ...
  • Page 141: Defining A Class Map Description

    For example, to specify a description that the class map is to filter network traffic to the server, enter: host1/Admin(config)# class-map HTTP_APP_PROTOCOL_INSPECTION_CLASS host1/Admin(config-cmap)# description HTTP inspection of incoming traffic To remove the description from the class map, enter: host1/Admin(config-cmap)# no description ...
  • Page 142: Defining Access-List Match Criteria

    When a packet matches an entry in an ACL, and if it is a permit entry, the ACE allows the matching result. If it is a deny entry, the ACE blocks the matching result. Refer to the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide for details about creating ACLs in the ACE.
  • Page 143: Defining Destination Ip Address And Subnet Mask Match Criteria

    The line numbers do not dictate a priority or sequence for the match statements. • ip_address—Destination IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1). • mask—Subnet mask entry in dotted-decimal notation (for example, 255.255.255.0). ...
  • Page 144: Defining Tcp/Udp Port Number Or Port Range Match Criteria

    TCP or UDP port number. • With any used in place of either the eq or range values, packets from any incoming port match. ...
  • Page 145: Defining The Source Ip Address And Subnet Mask Match Criteria

    The line numbers do not dictate a priority or sequence for the match statements. • ip_address—Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1). ...
  • Page 146: Defining The Vip Address Match Criteria

    VIPs for server load balancing. See the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide for details about configuring the ACE to perform server load balancing.
  • Page 147 Mapping of Airline Traffic over Internet Protocol (MATIP) Type A nntp Network News Transport Protocol (NNTP) pop2 Post Office Protocol (POP) v2 pop3 Post Office Protocol (POP) v3 ...
  • Page 148 L4_SLB_VIP_CLASS host1/Admin(config-cmap)# match virtual-address 192.168.1.10 tcp port eq 80 To remove the VIP match statement from the class map, enter: host1/Admin(config-cmap)# no match virtual-address 192.168.1.10 tcp port eq 80 ...
  • Page 149: Defining Layer 3 And Layer 4 Classifications For Network Management Traffic Received By The Ace

    ACE evaluates multiple match statements when multiple match criteria exist in a class map. The syntax of this command is: class-map type management [match-all | match-any] map_name ...
  • Page 150 172.16.10.0 255.255.255.0 host1/Admin(config-cmap-mgmt)# match protocol ssh any To remove a Layer 3 and Layer 4 network management class map from the ACE, enter: host1/Admin(config)# no class-map type management match-any MGMT-ACCESS_CLASS ...
  • Page 151: Defining Network Management Access Match Criteria

    HTTPS as transfer protocol to send and receive XML documents between the ACE and a Network Management System (NMS). • any—Specifies any client source address for the management traffic classification. ...
  • Page 152: Configuring Layer 7 Class Maps

    • Defining Layer 7 Classifications for HTTP Server Load Balancing • Defining Layer 7 Classifications for HTTP Deep Packet Inspection • Defining Layer 7 Classifications for FTP Command Inspection ...
  • Page 153 Layer 7 HTTP load-balancing class map. The syntax of this command is: class-map type http loadbalance [match-all | match-any] map_name ...
  • Page 154 HTTP server load balancing configuration mode. For details on specifying the match criteria for a HTTP server load-balancing class map, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. ...
  • Page 155: Defining Layer 7 Classifications For Http Deep Packet Inspection

    URL content statements in the same class map is valid. However, specifying a match-all condition for multiple HTTP headers with the same names or multiple URLs in the same class map is invalid. ...
  • Page 156: Defining Layer 7 Classifications For Ftp Command Inspection

    When you use the class-map type ftp inspect command, you will access class map FTP inspection configuration mode. For details on specifying the match criteria for the FTP command inspection class map, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
  • Page 157: Configuring A Layer 3 And Layer 4 Policy Map

    • Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy • Specifying Layer 3 and Layer 4 Policy Actions • Using Parameter Maps in a Layer 3 and Layer 4 Policy Map ...
  • Page 158: Creating A Layer 3 And Layer 4 Policy Map For Network Management Traffic Received By The Ace

    For example, to create a Layer 3 and Layer 4 network traffic management policy map, enter: host1/Admin(config)# policy-map type management first-match L4_MGMT_POLICY host1/Admin(config-pmap-mgmt)# To remove a network traffic management policy map from the ACE, enter: host1/Admin(config)# no policy-map type management first-match L4_MGMT_POLICY ...
  • Page 159: Through The Ace

    To provide a brief summary about the Layer 3 and Layer 4 policy map, use the description command in policy map configuration mode. The syntax of this command is: description text ...
  • Page 160: Specifying A Layer 3 And Layer 4 Traffic Class With The Traffic Policy

    To manually insert the class map ahead of a previously specified class map, use the class command with the insert-before keyword. However, the ACE does not save this reordering as part of the configuration. ...
  • Page 161: Specifying Layer 3 And Layer 4 Policy Actions

    • Use the deny command in policy map class configuration mode to refuse the remote network management protocols listed in the class map to be received by the ACE. ...
  • Page 162 Optimization Configuration Guide. Secure Sockets Layer (SSL) security services: Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide, Chapter 3, Configuring SSL Termination and Chapter 4, Configuring SSL Initiation ...
  • Page 163: Using Parameter Maps In A Layer 3 And Layer 4 Policy Map

    • connection-related parameters pertaining to TCP normalization, termination, and server re-use as well as IP normalization, fragmentation, and reassembly. See the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide for details. • parameter-map type http—Configures advanced HTTP behavior for HTTP load-balanced connections.
  • Page 164: Configuring A Layer 7 Policy Map

    To specify the SSL session parameters that the ACE uses in an SSL proxy service, you can create an SSL parameter map. Use the parameter-map type ssl command to specify SSL termination parameters. Refer to the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide for details.
  • Page 165: Creating A Layer 7 Policy Map

    HTTP inspection configuration mode. The ACE attempts to match a packet against all classes in the policy map and executes the actions of all matching classes associated with the policy map. ...
  • Page 166 For example, to create a Layer 7 load-balancing policy map, enter: host1/Admin(config)# policy-map type loadbalance first-match L4_SLB_POLICY host1/Admin(config-pmap-lb)# To remove a policy map from the ACE, enter: host1/Admin(config)# no policy-map type loadbalance first-match L4_SLB_POLICY ...
  • Page 167: Adding A Layer 7 Policy Map Description

    Note: To specify actions for multiple match statements, use a class map as described in the “Specifying a Layer 7 Traffic Class with the Traffic Policy” section. The syntax for an inline match command is: match name match_statement [insert-before map_name] ...
  • Page 168: Specifying A Layer 7 Traffic Class With The Traffic Policy

    For example, to specify an existing class map in the Layer 7 policy map, enter: host1/Admin(config-pmap-lb)# class L7_SLB_SERVER_CLASS host1/Admin(config-pmap-lb-c)# To remove a class map from a Layer 7 policy map, enter: host1/Admin(config-pmap-lb)# no class L7_SLB_SERVER_CLASS ...
  • Page 169: Specifying Layer 7 Policy Actions

    ACE document and chapter as outlined in Table 4-10. Table 4-10 defines the associated actions for the different Layer 7 application policies based on the function of the Layer 7 policy map. ...
  • Page 170: Map

    Control Engine Appliance Security Configuration Guide, Chapter 3, Configuring Application Protocol Inspection. FTP command inspection: Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, Chapter 3, Configuring Application Protocol Inspection ...
  • Page 171 L7_SLB_POLICY host1/Admin(config-pmap-lb)# class L7_SLB_CLASS host1/Admin(config-pmap-lb-c)# serverfarm FARM2 backup FARM3 sticky host1/Admin(config-pmap-lb-c)# exit host1/Admin(config-pmap-lb)# exit host1/Admin(config)# policy-map multi-match L4_SLB_POLICY host1/Admin(config-pmap)# class L4_SLB_CLASS host1/Admin(config-pmap-c)# loadbalance policy L7_SLB_POLICY ...
  • Page 172: Applying A Service Policy

    L4_SLB_POLICY host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY For example, to globally apply multiple service policies to all VLANs associated with the context, enter: host1/Admin(config)# service-policy input L4_SLB_POLICY host1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY ...
  • Page 173 • A policy activated on a VLAN interface overwrites any specified global policies for overlapping classification and actions. • The ACE allows only one policy of a specific feature type to be activated on a VLAN interface. ...
  • Page 174: Class Maps And Policy Map Examples

    • Filters a subset of the HTTP traffic using a content filtering rule that permits the following packet types: – With an HTTP header length of 255 or less – Without the string “BAD” included in the URL ...
  • Page 175 255 or less by entering the following commands: host1/Admin(config)# class-map type http inspect match-all L7_FLTRHTML1_CLASS host1/Admin(config-cmap-http-insp)# match header accept header-value html host1/Admin(config-cmap-http-insp)# match header length request eq ...
  • Page 176 Step 5: Apply the completed policies to interface VLAN 50 by entering the following commands: host1/Admin(config)# interface vlan 50 host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0 host1/Admin(config-if)# service-policy input L4_MGMT_POLICY host1/Admin(config-if)# service-policy input L4_FILTER_POLICY ...
  • Page 177: Layer 7 Load-Balancing Example

    Create a Layer 7 server load-balancing policy by entering the following commands: host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICY host1/Admin(config-pmap-lb)# class SPORTS-MAP_CLASS host1/Admin(config-pmap-lb-c)# serverfarm SPORTS-SERVER host1/Admin(config-pmap-lb-c)# exit host1/Admin(config-pmap-lb)# class NEWS-MAP_CLASS host1/Admin(config-pmap-lb-c)# serverfarm NEWS-SERVER host1/Admin(config-pmap-lb-c)# exit ...
  • Page 178 HTTP_PARAMETER_MAP host1/Admin(config-pmap-c)# exit host1/Admin(config-pmap)# exit host1/Admin(config)# Step 7: Apply the completed policies to interface VLAN 10 by entering the following commands: host1/Admin(config)# interface VLAN 10 host1/Admin(config-if)# service-policy input L4_SLB_POLICY ...
  • Page 179: Layer 3 And Layer 4 Load-Balancing Example

    L4_SLB_POLICY host1/Admin(config-pmap)# class L4_SLBVIP_CLASS host1/Admin(config-pmap-c)# loadbalance policy L7_SLB_POLICY host1/Admin(config-pmap-c)# loadbalance vip inservice host1/Admin(config-pmap-c)# exit host1/Admin(config-pmap)# exit host1/Admin(config)# ...
  • Page 180: Vip With Connection Parameters Example

    Step 2 protocol, and port as matching criteria for server load balancing by entering the following commands: host1/Admin(config)# class-map L4_SLBVIP_CLASS host1/Admin(config-cmap)# match virtual-address 192.168.5.10 tcp port host1/Admin(config-cmap)# exit host1/Admin(config)# ...
  • Page 181 TCP_MAP host1/Admin(config-pmap-c)# exit host1/Admin(config-pmap)# exit host1/Admin(config)# Step 5 Apply the completed policies to interface VLAN 10 by entering the following commands: host1/Admin(config)# interface VLAN 10 host1/Admin(config-if)# service-policy input L4_SLB_POLICY
  • Page 182: Example Of A Traffic Policy Configuration

    PRED-CONNS predictor leastconns rserver SERVER1 inservice rserver SERVER2 inservice rserver SERVER3 inservice rserver SERVER4 inservice rserver SERVER5 inservice rserver SERVER6 inservice rserver SERVER7 inservice rserver SERVER8 inservice
  • Page 183 2 match virtual-address 192.168.120.128 udp eq 0 class-map match-all L4PRED-CONNS-VIP_128:80_CLASS 2 match virtual-address 192.168.120.128 tcp eq www class-map match-all L4PREDICTOR_117:80_CLASS 2 match virtual-address 192.168.120.117 tcp eq www policy-map type management first-match L4_REMOTE-MGT_POLICY class L4_REMOTE-MGT_CLASS permit
  • Page 184 192.168.120.1 255.255.255.0 fragment chain 20 fragment min-mtu 68 access-group input ACL1 nat-pool 1 192.168.120.70 192.168.120.70 netmask 255.255.255.0 pat service-policy input L4SH-Gold-VIPs_POLICY no shutdown ip route 10.1.0.0 255.255.255.0 192.168.120.254
  • Page 185: Viewing Class Maps, Policy Maps, And Service Policies

    Exec mode. For example, enter: host1/Admin# show running-config policy-map Generating configuration... policy-map type management first-match REMOTE_MGMT_ALLOW class SSH-ALLOW permit class TELNET-ALLOW permit policy-map type loadbalance first-match L4_SLB_policy class L4_SLB_class
  • Page 186: Displaying Service Policy Configuration Information

    (applied to an interface). For example, to clear the statistics for the policy map REMOTE_MGMT_POLICY that is currently in service, enter: host1/Admin# clear service-policy REMOTE_MGMT_POLICY
  • Page 187 Status of the ICMP error function for ICMP application protocol inspection: Enabled or Disabled. Nat Dynamic NAT pool identifier with the configured interface VLAN. VIP Route Metric Not applicable for the ACE appliance.
  • Page 188 Number of packets received from clients. Client Byte Count Number of bytes received from clients. Server Pkt Count Number of packets received from servers. Server Byte Count Number of bytes received from servers.
  • Page 189 Applicable to only the FTP SYST command and its associated reply. Total Dropped On Error Total number of packets dropped due to an error in the match. TotalLogged Total number of errors logged.
  • Page 190 Chapter 4 Configuring Class Maps and Policy Maps Viewing Class Maps, Policy Maps, and Service Policies
  • Page 191: Managing The Ace Software

    Chapter 5 Managing the ACE Software This chapter describes how to manage the software running on the Cisco 4700 Series Application Control Engine (ACE) appliance and contains the following sections: • Saving Configuration Files • Loading Configuration Files from a Remote Server ...
  • Page 192 • Copying the Configuration File to the disk0: File System • Merging the Startup-Configuration File with the Running-Configuration File • Viewing Configuration Files • Viewing User Context Running-Config Files from the Admin Context • Clearing the Startup-Configuration File
  • Page 193: Chapter 5 Managing The Ace Software

    Admin context. You should save changes to the Admin context startup-configuration file; the Admin context startup-configuration file contains all configurations that are used to create each user context.
  • Page 194: Saving Configuration Files To A Remote Server

    ...optionally, the renamed configuration file. • sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed configuration file. • tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed configuration file.
  • Page 195: Copying The Configuration File To The Disk0: File System

    • To save the contents of the startup-configuration file to the disk0: file system, use the copy startup-config disk0: command in Exec mode. The syntax for the command is: copy {running-config | startup-config} disk0:[path/]filename
  • Page 196: Merging The Startup-Configuration File With The Running-Configuration File

    The syntax for the command is: copy startup-config running-config For example, enter: host1/Admin# copy startup-config running-config
  • Page 197: Viewing Configuration Files

    • ...Displays the list of contexts configured on the ACE. The ACE also displays the resource class (member) assigned to each context. The context keyword works only from within the Admin context.
  • Page 198 10 extended permit ip any any rserver type host real1 address 16.1.1.102 inservice rserver type host real2 address 16.1.1.103 inservice rserver type host real3 address 16.1.1.105
  • Page 199 Admin member default username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain username www password 5 $1$UZIiwUk7$QMVYN1JASaycabrHkhGcS/ role Admin domain default-domain snmp-server user www Network-Monitor snmp-server user admin Network-Monitor
  • Page 200: Viewing User Context Running-Config Files From The Admin Context

    • Copy the contents of the existing running-configuration file to the startup-configuration file by using the copy running-config startup-config command. See the “Saving the Configuration File in Flash Memory” section
  • Page 201: Loading Configuration Files From A Remote Server

    To check connectivity to the remote server, use the ping or traceroute command in Exec mode. See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide for details on how to use the ping and traceroute commands.
  • Page 202: Using The File System On The Ace

    The volatile: directory provides temporary storage; files in temporary storage are erased when the ACE reboots. The Admin context supports all four file systems in the ACE. The user context supports only the disk0: and volatile: file systems.
  • Page 203: Listing The Files In A Directory

    • image:—Displays the contents of the image: file system. • volatile:—Displays the contents of the volatile: file system. • directory/—(Optional) Contents of the specified directory.
  • Page 204 Mar 14 21:23:33 2007 0x401_vsh_log.8249.tar.gz 262711 Mar 15 21:22:18 2007 0x401_vsh_log.15592.tar.gz 250037 Mar 15 18:35:27 2007 0x401_vsh_log.16296.tar.gz Usage for core: filesystem 1847296 bytes total used 64142336 bytes free 65989632 bytes available
  • Page 205: Copying Files

    For example, to copy the file called SAMPLEFILE to the MYSTORAGE directory in the disk0: file system, enter: host1/Admin# copy disk0:samplefile disk0:MYSTORAGE/SAMPLEFILE
  • Page 206: Copying A Packet Capture Buffer

    To copy an existing packet capture buffer to the disk0: file system, use the copy capture command in Exec mode. The syntax for the command is: copy capture capture_name disk0:[path/]destination_name
  • Page 207: Copying Files To A Remote Server

    (for example, a packet capture buffer file, ACE licenses in .tar format, or a system message log). Use the dir disk0: command to view the files available in the disk0: file system.
  • Page 208 The default selection of bin should be sufficient in all cases when copying files to a remote FTP server. For example, to save a core dump file to a remote FTP server, enter: host1/Admin# copy core:0x401_vsh_log.8249.tar.gz ftp://192.168.1.2
  • Page 209: Copying Files From A Remote Server

    File already exists, do you want to overwrite?[y/n]: [y] y Enter username[]? user1 Enter the file transfer mode[bin/ascii]: [bin] Password: Passive mode on. Hash mark printing on (1024 bytes/hash mark).
  • Page 210: Copying An Ace Software System Image To A Remote Server

    ...SFTP network server and, optionally, the renamed software system image. • tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed software system image.
  • Page 211: Uncompressing Files In The Disk0: File System

    For example, to unzip a compressed series of probe script files residing in the disk0: file system, enter: host1/Admin# gunzip disk0:PROBE_SCRIPTS.gz
  • Page 212: Untarring Files In The Disk0: File System

    Creating a New Directory To create a directory in the disk0: file system of Flash memory, use the mkdir disk0: command in Exec mode. The syntax for this command is: mkdir disk0:[path/]directory
  • Page 213: Deleting An Existing Directory

    Exec mode. If a file with the same name already exists in the destination directory, that file is overwritten by the moved file. To view the files available in the disk0: file system, use the dir disk0: command. Note
  • Page 214: Deleting Files

    • ...system (for example, a packet capture buffer file or system message log). You can optionally provide a path to a file in a directory in the disk0: file system.
  • Page 215: Displaying File Contents

    RFC 1321 and is useful for data security and integrity. For example, to display the contents of a file residing in the current directory, enter: host1/Admin# show file disk0:myfile md5sum 3d8e05790155150734eb8639ce98a331
  • Page 216: Saving Show Command Output To A File

    ...ACE Flash memory. • volatile:—Specifies that the destination is the volatile: file system on the ACE. • [path/][filename]—(Optional) Path and filename to the disk0: or volatile: file system.
  • Page 217: Viewing And Copying Core Dumps

    Exec mode. The core: file system is available only from the Admin context. Note Core dump information is for Cisco Technical Assistance Center (TAC) use only. If the ACE becomes unresponsive, you can view the dump information in the core through the show cores command.
  • Page 218: Copying Core Dumps

    • Prompts you for the server information if you do not provide the information with the command. • Copies the file to the root directory of the destination file system if you do not provide path information.
  • Page 219: Clearing The Core Directory

    The filename argument specifies the name of a core dump file located in the core: file system. For example, to delete the file 0x401_VSH_LOG.25256.TAR.GZ from the core: file system, enter: host1/Admin# delete core:0x401_VSH_LOG.25256.TAR.GZ
  • Page 220: Capturing And Copying Packet Information

    To trace the packets for a specific context, use the changeto Exec command to enter the specified context and then use the capture command.
  • Page 221 Note To capture application acceleration and optimization traffic bound for the optional Cisco AVS 3180A Management Station interface, use the all keyword. This keyword captures all the traffic on all interfaces. You can then transfer the packet capture file to a remote machine to be scanned for traffic that is specific to the Management Station interface.
  • Page 222: Copying Capture Buffer Information

    Specify a text string from 1 to 80 alphanumeric characters. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.
  • Page 223: Viewing Packet Capture Information

    For all types of received packets, the console display is in tcpdump format. For example, to display captured packet information for packet capture buffer CAPTURE1, enter: host1/Admin# show capture CAPTURE1
  • Page 224 ....0x00a0: 0000 0000 1020 0010 0000 0000 19b2 fb3c ....< 0x00b0: 000c 40ae 0000 0029 0000 0000 000c 40ae ..@..)..@. 0x00c0: 0000 0000 0000 0000 0000 0000 ....
  • Page 225 .... 0003: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0 message_hex_dump: 0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06 ...N.P.4.8..0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800 ..;..]j..
  • Page 226 0x0010: 0004 0011 5d6a f800 0005 9a3b 95d9 0800 ..]j..;..0x0020: 4500 0028 7b6e 4000 4006 d539 0a07 6b0f E..({n@.@..9..k. 0x0030: 0a07 6b0b 0017 7604 f31b 6f72 19b2 fb4e ..k...v...or...N 0x0040: 5010 16d0 c131 00 P..1.
  • Page 227: Using The Configuration Checkpoint And Rollback Service

    This section contains the following topics: • Creating a Configuration Checkpoint • Deleting a Configuration Checkpoint • Rolling Back a Running Configuration
  • Page 228: Creating A Configuration Checkpoint

    Exec mode. Before you use this command, make sure that you want to delete the checkpoint. When you enter this command, the ACE removes the checkpoint from Flash memory. The syntax of this command is: checkpoint delete name
  • Page 229: Rolling Back A Running Configuration

    {all | detail name} The options and arguments are: • all—Displays a list of all existing checkpoints • detail name—Displays the running configuration of the specified checkpoint
  • Page 230: Reformatting Flash Memory

    Caution We recommend that you use the format flash command to reformat the ACE Flash memory only under the guidance and supervision of Cisco Technical Assistance Center (TAC). The ACE uses the third extended file system (ext3) as the base file system. The...
  • Page 231 FTP, SFTP, or TFTP server. See the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide for details on how to use the crypto export command to export SSL certificate and key pair files to a remote FTP, SFTP, or TFTP server.
  • Page 232 • Import SSL certificate files and key pair files into the associated context by using the crypto import command (see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide).
  • Page 233: Viewing Ace Hardware And Software Configuration Information

    Viewing ACE Hardware and Software Configuration Information This chapter describes how to view Cisco 4700 Series Application Control Engine (ACE) appliance hardware and software configuration information. The ACE CLI provides a comprehensive set of show commands in Exec mode that you can use to gather ACE hardware and software configuration information.
  • Page 234: Displaying Software Version Information

    Note display internal system-level hardware show output for use by trained Cisco personnel as an aid in debugging and troubleshooting the ACE. See the Cisco 4700 Series Application Control Engine Appliance Command Reference for background information about those show commands.
  • Page 235: Chapter 6 Viewing Ace Hardware And Software Configuration Information

    Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
  • Page 236: Displaying The Hardware Inventory

    The syntax of this command is: show inventory [raw] The optional raw keyword displays information about each component in the ACE. For example, to display the ACE hardware inventory details, enter: host1/Admin# show inventory
  • Page 237: Displaying Ace Environment Information

    The optional temperature keyword displays the temperature thresholds and the alarm status of temperature sensors. For example, to display the status and alarm states of the temperature sensors in the ACE, enter: host1/Admin# show environment
  • Page 238: Displaying System Processes

    The keywords, arguments, and options are: • cpu—Displays CPU information for the Intel Pentium processor. • log—Displays information about process logs. • details—Displays process log information for all process identifiers.
  • Page 239 --More-- Table 6-4 describes the fields in the show processes command output. The show processes command displays summary CPU information for the Intel Pentium processor.
  • Page 240 Number of times a process has been started. Terminal that controls the process. A “—” usually means a daemon is not running on any particular tty. Process Name of the process.
  • Page 241 Status of whether the process exited normally Stack Status of whether a stack trace is in the log Core Status of whether a core file exists Log-create-time Time when the log file was generated
  • Page 242 Virtual memory addresses where the code, data heap, and stack of the process are located. Process identifier. Service access point. UUID Universal unique identifier of the Intel Pentium processor
  • Page 243: Displaying Process Status Information And Memory Resource Limits

    Table 6-9 Field Descriptions for the show terminal internal info Command Field Description Process Information Name Name of the executable that started the process.
  • Page 244 Identifier of the group the process belongs to (four element list). FDSize Process file descriptor size. Groups Total number of groups. VmSize Total amount of virtual memory used by the process (in kBytes).
  • Page 245 Maximum size (in kbytes) of the data segment for a process. File size Maximum size (in blocks) of files created by the shell. Max locked memory Maximum size (in kbytes) which a process may lock into memory.
  • Page 246: Displaying System Information

    ...ID in hexadecimal format. The range is 0x0 to 0xffffffff. • list—Specifies all error IDs. • internal—Specifies a series of internal system-level commands for use by trained Cisco personnel only.
  • Page 247 Memory usage Total memory, used memory, free memory, memory used for buffers, and memory used for cache in KB. Buffers and cache are also included in the used memory statistics.
  • Page 248: Displaying Icmp Statistics

    ...ACE Echo Request Number of ICMP echo request messages transmitted or received by the ACE Echo Reply Number of ICMP echo reply messages transmitted or received by the ACE
  • Page 249: Displaying Technical Support Information

    Use the show terminal command to view the configured terminal size. After obtaining the output of this command, reset your terminal length as required (see Chapter 1, Setting Up the ACE).
  • Page 250 `show version` Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
  • Page 251 0 days 18 hours 59 minute(s) 49 second(s) `show clock` Tue Mar 20 10:13:57 UTC 2007 `show inventory` NAME: "chassis", DESCR: "ACE 4710 Application Control Engine Appliance" PID: ACE-4710-K9 , VID: , SN: 2061 --More--
  • Page 252 ...TFTP network server and optional file name. For example, to send the output of the show tech-support command to a remote FTP server, enter: host1/Admin# tac-pac ftp://192.168.1.2/tac-output_10-7-07.gz
  • Page 253: Configuring Redundant Ace Appliances

    Chapter 7 Configuring Redundant ACE Appliances This chapter describes how to configure the Cisco 4700 Series Application Control Engine (ACE) appliance for redundancy, which provides fault tolerance for the stateful switchover of flows. It contains the following major sections: • Overview of Redundancy ...
  • Page 254: Chapter 7 Configuring Redundant Ace Appliances

    Each peer appliance can contain one or more fault-tolerant (FT) groups. Each FT group consists of two members: one active context and one standby context. For more information about contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. An FT group has a unique group ID that you assign.
  • Page 255 ACEs. You always configure the active and the standby contexts on different ACEs. Figure 7-1 Even Distribution of Contexts
  • Page 256 (context). With a single context, the ACE supports active-backup redundancy and each group member is an Admin context. For details about configuring contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
  • Page 257: Stateful Failover

    • Network Address Translation (NAT) table based on information synchronized with the connection record • All Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections not terminated by the ACE
  • Page 258: Ft Vlan

    Communications over the switchover link include the following data: • Redundancy protocol packets • State information replication data • Configuration synchronization information • Heartbeat packets
  • Page 259: Configuration Synchronization

    2G ACE appliance to the 1G ACE appliance. See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for details about the available ACE software licenses. The ACE automatically replicates the active configuration on the standby member using a process called configuration synchronization (config sync).
  • Page 260: Configuration Requirements And Restrictions

    VLAN interface should be in the same subnet, but different IP addresses. For more information about configuring VLAN interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. Redundancy Configuration Quick Start...
  • Page 261 C1 host1/C1# The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 262 150 host1/Admin(config-ft-track-intf)# exit (Optional) Enable autosynchronization of the running- and/or startup-configuration file from the active to the standby context. host1/Admin(config)# ft auto-sync running-config host1/Admin(config)# ft auto-sync startup-config
  • Page 263 (Optional) Save your configuration changes to Flash memory. host1/Admin(config)# exit host1/Admin# copy running-config startup-config (Recommended) Verify your redundancy configuration by using the following commands in Exec mode: host1/Admin# show running-config ft host1/Admin# show running-config interface
  • Page 264: Configuring Redundancy

    Note to either configure the dedicated VLAN as the only VLAN associated with the Ethernet port or to include it as part of a VLAN trunk link (see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide). Note that the ACE automatically includes the FT VLAN in the VLAN trunk link.
  • Page 265: Creating An Ft Vlan

    After you create the FT VLAN, you must assign an IP address to the VLAN. To assign an IP address to the VLAN, use the ip command in FT interface configuration mode. The syntax of this command is: ip address ip_address netmask
  • Page 266: Configuring The Peer Ip Address

    For example, to configure an IP address on the remote peer, enter: host1/Admin(config-ft-intf)# peer ip address 192.168.12.15 255.255.255.0 To remove an IP address from the remote peer, enter: host1/Admin(config-ft-intf)# no peer ip address 192.168.12.15 255.255.255.0
  • Page 267: Enabling The Ft Vlan

    For example, to configure an alias IP address, enter: host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# alias 192.168.12.15 255.255.255.0 To remove an alias IP address, enter: host1/Admin(config-if)# no alias 192.168.12.15 255.255.255.0
  • Page 268: Configuring An Ft Peer

    “Configuring an FT VLAN” section. To associate an FT VLAN with a peer, use the ft-interface command in FT peer configuration mode. The syntax of this command is: ft-interface vlan vlan_id
  • Page 269: Configuring The Heartbeat Interval And Count

    For example, to set the heartbeat count to 20, enter: host1/Admin(config-ft-peer)# heartbeat count 20 To reset the heartbeat count to the default of 10, enter: host1/Admin(config-ft-peer)# no heartbeat count
  • Page 270: Configuring A Query Interface

    Note You cannot delete a query interface if it is associated with a peer. You must disassociate the interface from the peer first, and then you can delete the interface.
  • Page 271: Configuring An Ft Group

    FT group configuration mode. You need to make this association for both redundant contexts in an FT group. The syntax of this command is: associate-context name
  • Page 272: Associating A Peer With An Ft Group

    The group member with the higher priority becomes the active member. To ensure that the member with the higher priority always becomes the active member, use the preempt command, which is enabled by default. For details, see the “Configuring Preemption” section.
  • Page 273: Assigning A Priority To The Standby Ft Group Member

    Enter an integer from 1 to 255. The default is 100. Configure a lower priority on the FT group member that you want to be the standby member.
  • Page 274: Configuring Preemption

    Note If you disable preemption by using the no preempt command and a member with a higher priority is found after the other member has become active, the electing member becomes the standby member even though it has a higher priority.
  • Page 275: Placing An Ft Group In Service

    Place the FT group back in service by using the inservice command. Note: You can modify the priority, peer priority, and preempt command values without taking the FT group out of service.
  • Page 276: Forcing A Failover

    For example, to cause a failover from the active appliance to the standby appliance of FT group 1, enter:
    host1/Admin# ft switchover 1
    This command will cause card to switchover (yes/no)? [no] yes
    host1/Admin#
  • Page 277: Synchronizing Redundant Configurations

    Note: If a license mismatch occurs between the two ACEs in a redundant configuration, the auto-sync command is automatically disabled and a syslog message is generated. The syntax of this command is: ft auto-sync {running-config | startup-config}
  • Page 278 ...FT group when the standby context is in the STANDBY_COLD state. Doing so may cause the standby context running-configuration file to overwrite the active context running-configuration file.
  • Page 279 For more information about importing and exporting certs and keys, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide. To return the standby context to the STANDBY_HOT state in this case, ensure...
  • Page 280: Configuring Tracking And Failure Detection

    You can configure the unit priority associated with tracked items to be greater than 0. This option allows you to fine-tune the switchover scenario so that a switchover occurs when either all or any of the tracked objects fail.
  • Page 281: Configuring Tracking And Failure Detection For A Host Or Gateway

    • Configuring a Probe on the Standby Member for Host Tracking
    • Configuring a Priority on the Standby Member for Multiple Probes
    • Example of a Tracking Configuration for a Gateway
  • Page 282: Gateway

    ...FT group member to track. Enter the IP address in dotted-decimal notation (for example, 192.168.12.101). For example, to track the gateway located at 192.168.12.101, enter:
    host1/Admin(config-ft-track-host)# track-host 192.168.12.101
  • Page 283: Configuring A Probe On The Active Member For Host Tracking

    Configure one or more probes on the active FT group member to track the health of the gateway or host. For details about creating probes, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
  • Page 284: Configuring A Priority On The Active Member For Multiple Probes

    ...FT group member to track. Enter the IP address in dotted-decimal notation (for example, 172.16.27.1). For example, to track the gateway located at 172.16.27.1 from the standby member, enter:
    host1/Admin(config-ft-track-host)# peer track-host 172.16.27.1
  • Page 285: Configuring A Probe On The Standby Member For Host Tracking

    Configure one or more probes on the standby member to track the health of the gateway or host. For details about creating probes, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
  • Page 286: Example Of A Tracking Configuration For A Gateway

    To configure tracking on the standby member, use the peer commands described in the “Configuring a Probe on the Standby Member for Host Tracking” and “Configuring a Priority on the Standby Member for Multiple Probes” sections.
  • Page 287: Configuring Tracking And Failure Detection For An Interface

    Note: You cannot configure the FT VLAN for tracking. For example, enter:
    host1/Admin(config)# ft track interface TRACK_VLAN100
    To remove the interface-tracking process, enter:
    host1/Admin(config)# no ft track interface TRACK_VLAN100
  • Page 288 ...FT group on the standby member, a switchover occurs. For example, enter:
    host1/Admin(config-ft-track-intf)# priority 50
    To reset the interface priority on the active member to the default value of 0, enter:
    host1/Admin(config-ft-track-intf)# no priority 50
  • Page 289 For example, enter:
    host1/Admin(config-ft-track-intf)# peer priority 25
    To reset the interface priority on the standby member to the default value of 0, enter:
    host1/Admin(config-ft-track-intf)# no peer priority 25
  • Page 290: Example Of A Redundancy Configuration

    • An FT group that is associated with the Admin context.
    • A critical tracking and failure detection process for an interface.
    The redundancy configuration appears in bold in the example.
  • Page 291
    ...192.168.1.2 255.255.255.0
      no shutdown
    ft peer 1
      ft-interface vlan 200
      heartbeat interval 300
      heartbeat count 10
    ft group 1
      peer 1
      priority 200
      associate-context Admin
      inservice
  • Page 292
    ft track interface TRACK_VLAN100
      track-interface vlan 100
      peer track-interface vlan 200
      priority 50
      peer priority 5
    ip route 0.0.0.0 0.0.0.0 192.168.83.1
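    The election and tracking rules on pages 272 to 289 are worth checking against a configuration before it goes into service. The Python model below is an added example, not Cisco code. Beyond the decrement that page 288 describes, it assumes that each failed tracked object subtracts its configured priority from the member's FT group priority (floored at 0), that the standby takes over as soon as its effective priority exceeds the active's, and that preempt governs only the start-up case from page 274; those three points are simplifications, not statements from these pages. Run against the configuration on pages 291 and 292 it shows that a single failure of TRACK_VLAN100 (priority 50) leaves the active member at 150, still above the standby's default 100, so that example never fails over on one interface loss.

```python
from dataclasses import dataclass, field


@dataclass
class Tracked:
    """One tracked object (interface or host) and the priority configured for it."""
    name: str
    priority: int          # "priority N" on the active member, "peer priority N" on the standby
    up: bool = True


@dataclass
class Member:
    """One FT group member: its configured priority and its tracked objects."""
    name: str
    priority: int          # FT group priority, 1 to 255 (default 100)
    tracked: list = field(default_factory=list)

    def effective_priority(self) -> int:
        # Assumption: each failed tracked object subtracts its configured priority
        # from the FT group priority; the result is floored at 0.
        penalty = sum(t.priority for t in self.tracked if not t.up)
        return max(0, self.priority - penalty)


def elect_at_startup(first_up: Member, second_up: Member, preempt: bool = True) -> str:
    """Name of the active member once both have come up (pages 272 and 274).

    With preempt (the default) the higher effective priority always wins.
    Without preempt the member that became active first keeps the role even
    when the later member has the higher priority."""
    if preempt and second_up.effective_priority() > first_up.effective_priority():
        return second_up.name
    return first_up.name


def switchover_needed(active: Member, standby: Member) -> bool:
    """True when tracked-object failures have pushed the active member's
    effective priority below the standby's (pages 280 and 288).
    Assumption: this comparison is made independently of the preempt setting."""
    return active.effective_priority() < standby.effective_priority()


def minimum_decrement_for_failover(active_priority: int, standby_priority: int) -> int:
    """Smallest tracked-object priority for which one failure on the active
    member drops it below the standby."""
    return max(1, active_priority - standby_priority + 1)


def page_example(vlan100_up_on_active: bool = True) -> dict:
    """The configuration from pages 291 and 292: active priority 200, standby at
    the default 100, TRACK_VLAN100 with priority 50 / peer priority 5."""
    active = Member("host1", 200, [Tracked("TRACK_VLAN100", 50, vlan100_up_on_active)])
    standby = Member("host2", 100, [Tracked("TRACK_VLAN100", 5)])
    return {
        "active_effective": active.effective_priority(),
        "standby_effective": standby.effective_priority(),
        "switchover": switchover_needed(active, standby),
    }


if __name__ == "__main__":
    print("VLAN 100 up on active:  ", page_example(True))
    print("VLAN 100 down on active:", page_example(False))
    print("tracked priority needed for one failure to fail over:",
          minimum_decrement_for_failover(200, 100))
```

    For one interface failure to trigger a switchover, the tracked-object priority has to exceed the gap between the two members' FT group priorities (101 or more for the 200/100 pair above), or the standby's peer priority has to be brought closer to the active's.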
  • Page 293: Displaying Redundancy Information

    To display redundancy statistics per context, use the show ft group command in Exec mode. The syntax of this command is: show ft group {brief | {[group_id] {detail | status | summary}}}
  • Page 294 Field Descriptions for the show ft group Command Output
    Field               Description
    FT Group            FT group identifier.
    Configured Status   Configured state of the FT group. Possible states are the in-service or out-of-service states.
  • Page 295 The ACE enters this mode just before you reboot the appliance; it is used primarily when you upgrade the ACE software.
  • Page 296 The active peer context receives a notification to send a snapshot of the current state information for all applications to the standby context.
  • Page 297
    Startup Cfg Sync Status   Current status of config sync for the startup-config. For example: Startup configuration sync is disabled.
    No. of Contexts           Number of contexts associated with the FT group.
  • Page 298: Displaying The Idmap Table

    ACE Object Types in the IDMAP Table (Object Type / Object Name): REAL ID, RSERVER ID, SERVERFARM ID, POLICY ID, STICKY GROUP ID, IF ID, CONTEXT ID
    For example, enter:
    host1/Admin# show ft idmap
  • Page 299: Displaying The Redundancy Internal Software History

    Displaying Peer Information. To display peer information, use the show ft peer command in Exec mode. The syntax of this command is: show ft peer peer_id {detail | status | summary}
  • Page 300
    FSM_PEER_STATE_PEER_IPADDR—Peer IP address is missing. Waiting for the peer IP address to be configured.
    FSM_PEER_STATE_START_HB—Peer configuration is complete. Starting the heartbeat to see if there is a peer device.
  • Page 301 Possible errors are version mismatch, license mismatch, or failure to establish a TCP connection to the peer. A syslog message appears with more detailed information.
  • Page 302
    ...           Total number of bytes that the local ACE sent to the peer.
    Rx Packets    Total number of packets that the local ACE received from the peer.
    Rx Bytes      Total number of bytes that the local ACE received from the peer.
  • Page 303: Displaying Ft Statistics

    The group_id argument displays additional load-balancing statistics (LB statistics) for the specified group. For example, enter:
    host1/Admin# show ft stats 1
  • Page 304
    Num of Peer Up Events Sent     Number of times that the local ACE sent a Peer Up message to the remote ACE.
    Num of Peer Down Events Sent   Number of times that the local ACE sent a Peer Down message to the remote ACE.
  • Page 305
    ...Packets Received           ...ACE received from the remote ACE.
    Number of Receive Failures    Number of times that the remote ACE sent packets to the local ACE, but the local ACE failed to receive them.
  • Page 306: Displaying Ft Tracking Information

    Field Descriptions for the show ft track Command Output
    Field      Description
    FT Group   FT group identifier.
    Status     Configured state of the FT group. Possible states are the in-service or out-of-service state.
  • Page 307 The ACE enters this mode just before you reboot the appliance; it is used primarily when you upgrade the ACE software.
  • Page 308 The active peer context receives a notification to send a snapshot of the current state information for all applications to the standby context.
  • Page 309
    ...            Number of times that the active member of the FT group switched over to the standby member.
    Probe Count    Number of probes associated with a TRACK_HOST process.
    Probes Down    Number of failed probes.
  • Page 310: Clearing Redundancy Statistics

    ...Config Controller debug log
    • ha_dp_mgr—Clears the HA (redundancy) dataplane manager debug log
    • ha_mgr—Clears the HA (redundancy) manager debug log
    For example, enter:
    host1/Admin# clear ft history cfg_cntlr
  • Page 311: Configuring Snmp

    Configuring SNMP. This chapter describes how to configure Simple Network Management Protocol (SNMP) to query the Cisco 4700 Series Application Control Engine (ACE) appliance for Cisco Management Information Bases (MIBs) and to send event notifications to a network management system (NMS).
  • Page 312: Chapter 8 Configuring Snmp

    • Managers and Agents
    • SNMP Manager and Agent Communication
    • SNMP Traps and Informs
    • SNMPv3 CLI User Management and AAA Integration
    • Supported MIBs and Notifications
    • SNMP Limitations
  • Page 313: Managers And Agents

    The ACE maintains a database of values for each definition. Browsing a MIB entails issuing an SNMP get request from the NMS. You can use any SNMPv3, MIB-II compliant browser to receive SNMP traps and browse MIBs.
  • Page 314: Snmp Manager And Agent Communication

    ...the NMS to frequently poll (gather information through a get operation) the managed devices. For details on MIB objects and SNMP notifications supported by the ACE, see the “Supported MIBs and Notifications” section.
  • Page 315: Snmp Traps And Informs

    The list of variable bindings associated with a notification is included in the notification definition in the MIB. For standard MIBs, Cisco has enhanced some notifications with additional variable bindings that further clarify the cause of the notification.
  • Page 316: Snmpv3 Cli User Management And Aaa Integration

    ...User-based Security Model (USM) for message security and role-based access control. SNMPv3 user management can be centralized at the authentication, authorization, and accounting (AAA) server level (as described in the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide). This centralized user management allows the ACE SNMP agent to use the user authentication service of an AAA server.
  • Page 317: Supported Mibs And Notifications

    OID values are listed as follows:
    Product Name (PID)   entPhysicalVendorType
    ACE4710-K9           cevChassisACE4710K9 {cevChassis 610}
    Power Supply         cevPowerSupplyAC345 {cevPowerSupply 190}
    CPU fan              cevFanACE4710K9CpuFan {cevFan 91}
    DIMM fan             cevFanACE4710K9DimmFan {cevFan 92}
    PCI fan              cevFanACE4710K9PciFan {cevFan 93}
  • Page 318 ...ACE appliance chassis. It provides sufficient information to correctly map the containment of these entities within the ACE. The ENTITY-MIB is supported only in the Admin context. The ENTITY-MIB is described in RFC 4133.
  • Page 319 ...SNMPv1 and SNMPv2c. SNMPv3 requires user configuration information such as the role group that the user belongs to, authentication parameters for the user, the authentication password, and message encryption parameters.
  • Page 320 ...SNMP parameters, or a particular transport end point may be associated with several sets of SNMP parameters. The SNMP-TARGET-MIB is described in RFC 3413.
  • Page 321 The SNMP-USER-BASED-SM-MIB is described in RFC 3414. Note: User configuration applies only to SNMPv3; SNMPv1 and SNMPv2c use a community string match for authentication. That community string is carried in cleartext in every SNMPv1 and SNMPv2c packet, so anyone who can observe management traffic can reuse it; prefer SNMPv3 users with both auth and priv parameters where the NMS supports them.
  • Page 322
    • Configuration settings (settings for all the AAA servers instrumented in one instance of this MIB).
    • AAA server group configuration.
    • Application-to-AAA function-to-server group mapping configuration.
  • Page 323 A condenser is a software accelerator that applies several optimization techniques to accelerate Web application access.
  • Page 324 ...Admin context. In this case, the CISCO-IF-EXTENSION-MIB supports all the interfaces for Admin contexts, while each individual user context supports only VLAN and BVI interfaces.
  • Page 325 Any change to the filters in the cippfIpFilterTable or the profile in the cippfIpProfileTable affects all the attached interfaces. The IP protocol is described in RFC 791.
  • Page 326 ...Telnet protocols and to send other requests (such as SNMP or FTP). This MIB contains tables that allow you to create or delete virtual contexts and to assign interfaces and interface ranges to virtual contexts.
  • Page 327
    • cslbxStatsTimedOutConnections
    CISCO-SLB-HEALTH-MON-MIB (capability: CISCO-SLB-HEALTH-MON-CAPABILITY)   Acts as an extension to the Cisco server load-balancing MIB (CISCO-SLB-MIB). It provides tables for the probe configuration.
  • Page 328 ...Configures and monitors system log (syslog) management parameters for the ACE. Use this MIB to set up syslog servers and set logging severity levels. Syslog is described by RFC 3164.
  • Page 329 ...SNMPv2. The management protocol, SNMPv2, provides for the exchange of messages that convey management information between the agents and the management stations. The SNMPv2-MIB is described in RFC 3418.
  • Page 330 This notification is sent for situations such as ARP failures, probe failures, and so on.
  • Page 331 This notification is sent for situations such as ARP failures, probe failures, and so on. Note: No separate cesRealServerStateChange notifications are sent for each real server that listens on this rserver.
  • Page 332
    • slbVServerStateChangeDescr
    • slbVServerClassMap
    • slbVServerPolicyMap
    The ciscoSlbVServerStateChange notification is specified in the CISCO-SLB-MIB.
    clogMessageGenerated (CISCO-SYSLOG-MIB)   The ACE generated one or more syslog messages.
  • Page 333 ...Admin context. In this case, the linkUp and linkDown notifications support all the interfaces for Admin contexts, while each individual user context supports only VLAN and BVI interfaces.
  • Page 334: Snmp Limitations

    SNMP MIB Tables with More Than One String Index
    MIB Name                     Table                          String Indices
    CISCO-ENHANCED-SLB-MIB.my    cesRserverProbeTable           cesRserverName, cesRserverProbeName
    CISCO-ENHANCED-SLB-MIB.my    cesServerFarmRserverTable      slbServerFarmName, cesRserverName
    CISCO-SLB-EXT-MIB.my         cslbxServerFarmProbeFarmName   cslbxServerFarmProbeFarmName, cslbxServerFarmProbeProbeName
    CISCO-SLB-HEALTH-MON-MIB.my  cslbxProbeHeaderCfgTable       cslbxProbeHeaderProbeName, cslbxProbeHeaderFieldName
  • Page 335: Snmp Configuration Quick Start

    ...C1
    host1/C1#
    The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 336
    ...50
    host1/Admin(config-if)# ip address 172.16.10.0 255.255.255.254
    host1/Admin(config-if)# service-policy input SNMP-ALLOW_POLICY
    host1/Admin(config-if)# exit
    (Optional) Save your configuration changes to Flash memory.
    host1/Admin(config)# exit
    host1/Admin# copy running-config startup-config
  • Page 337: Configuring Snmp Users

    Each group in SNMP is similar to a role when accessed from the CLI. The groupname is defined by the role configuration mode command, as described in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
  • Page 338 Note: ...implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
    • auth—(Optional) Sets authentication parameters for the user. Authentication...
  • Page 339: Defining Snmp Communities

    Use the snmp-server community command in configuration mode to create or modify SNMP community names and access privileges.
  • Page 340 Note: ...implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.
    • ro—(Optional) Allows read-only access for this community.
  • Page 341: Configuring An Snmp Contact

    ...(" "). For example, to specify SNMP system location information, enter:
    host1/Admin(config)# snmp-server location "Boxborough MA"
    To remove the specified SNMP system location information, enter:
    host1/Admin(config)# no snmp-server location
  • Page 342: Configuring Snmp Notifications

    The keywords, arguments, and options are as follows:
    • host_address—The IP address of the host (the targeted recipient). Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
  • Page 343
    ...192.168.1.1 traps version 2c SNMP_Community1 udp-port 500
    To remove the specified host, use the no form of the command. For example:
    host1/Admin(config)# no snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500
  • Page 344: Enabling Snmp Notifications

    ...Sends SNMP license manager notifications. This keyword appears only in the Admin context.
    • slb—Sends server load-balancing notifications. When you specify the slb keyword, you can specify a notification_option value.
  • Page 345 For example, to enable the ACE to send server load-balancing traps to the host at IP address 192.168.1.1 by using the community string SNMP_Community1, enter:
    host1/Admin(config)# snmp-server host 192.168.1.1
    host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor
    host1/Admin(config)# snmp-server enable traps slb real
  • Page 346: Enabling The Ietf Standard For Snmp Linkup And Linkdown Traps

    Enabling the IETF Standard for SNMP linkUp and linkDown Traps. By default, the ACE sends the Cisco implementation of linkUp and linkDown traps to the NMS. The ACE sends the Cisco Systems IF-MIB variable bindings, which consist of ifIndex, ifAdminStatus, ifOperStatus, ifName, ifType, clogOriginID, and clogOriginIDType.
  • Page 347: Assigning A Trap-Source Interface For Snmp Traps

    ...SNMP v1 trap PDU, enter:
    host1/Admin(config)# snmp-server trap-source vlan 50
    To remove the VLAN interface whose address is used as the trap source address in the SNMP v1 trap PDU, enter:
    host1/Admin(config)# no snmp-server trap-source
  • Page 348: Configuring Snmp Management Traffic Services

    ...Chapter 4, Configuring Class Maps and Policy Maps. SNMP remote access sessions are established to the ACE per context. For details on creating contexts and users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. This section contains the following topics:
  • Page 349 The default setting is to meet all of the match criteria (match-all) in a class map.
    • map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
  • Page 350: Defining A Class Map Description

    Access the class map management configuration mode to specify the description command. The syntax of this command is as follows: description text. Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.
  • Page 351: Defining Snmp Protocol Match Criteria

    ...IP address from the interface on which you apply the policy map.
    • ip_address—Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
  • Page 352: Creating A Layer 3 And Layer 4 Policy Map

    The map_name argument specifies the name assigned to the Layer 3 and Layer 4 network management policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
  • Page 353: Specifying A Layer 3 And Layer 4 Traffic Class With The Traffic Policy

    The ACE does not save the sequence reordering as part of the configuration. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
  • Page 354 ...ACE. Use the deny command in policy map class configuration mode to prevent the ACE from receiving the SNMP management protocols listed in the class map.
  • Page 355: Applying A Service Policy

    For example, to specify an interface VLAN and apply the SNMP management policy map to a VLAN, enter:
    host1/Admin(config)# interface vlan 50
    host1/Admin(config-if)# ip address 172.20.1.100 255.255.0.0
    host1/Admin(config-if)# service-policy input SNMP_MGMT_ALLOW_POLICY
  • Page 356 ...(applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters.
    • detail—(Optional) Displays a more detailed listing of policy map statistics and status information.
  • Page 357: Example Of An Snmp Configuration

    The SNMP configuration appears in bold in the example.
    access-list ACL1 line 10 extended permit ip any any
    rserver host SERVER1
      ip address 192.168.252.245
      inservice
    rserver host SERVER2
  • Page 358
    ...L7_LB-SF_MAX-CONN_POLICY
      class L7_INDEX-HTML_CLASS
        serverfarm SFARM1
      class L7_URL*_CLASS
        serverfarm SFARM2
    policy-map multi-match L4_VIP_POLICY
      class L4_MAX-CONN-VIP_105_CLASS
        loadbalance vip inservice
        loadbalance policy L7_LB-SF_MAX-CONN_POLICY
        loadbalance vip icmp-reply
        appl-parameter http advanced-options PERSIST-REBALANCE
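    The snmp-server community, user and host commands on pages 337 to 345, together with the management class map and policy map on pages 348 to 355, decide who may query the ACE and how its SNMP credentials travel. The Python audit below is an added example, not Cisco code: it reads a running-config fragment and flags the settings a reviewer looks for first (default community strings, v1/v2c notification hosts, SNMPv3 users without auth or priv, and a management class map that matches SNMP from any source). SAMPLE_CONFIG is constructed for the example from the command forms shown on those pages; the exact snmp-server user syntax, the version 3 host form and the behaviour when version is omitted are assumptions, so adapt the checks to the software version in use.

```python
from dataclasses import dataclass

# Community strings that appear in every default-credential wordlist.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp"}

# Constructed sample running-config fragment (not from the guide); it uses the
# snmp-server, class-map and policy-map forms shown on pages 335 to 355.
SAMPLE_CONFIG = """\
snmp-server community public group Network-Monitor
snmp-server community SNMP_Community1 group Network-Monitor
snmp-server user nms-ro Network-Monitor auth sha S3cretAuthPw priv aes-128 S3cretPrivPw
snmp-server user legacy Network-Monitor
snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500
snmp-server host 192.168.1.2 traps version 3 priv nms-ro
snmp-server enable traps slb real
class-map type management match-any SNMP-ALLOW_CLASS
  2 match protocol snmp any
  3 match protocol snmp source-address 192.168.1.0 255.255.255.0
policy-map type management first-match SNMP-ALLOW_POLICY
  class SNMP-ALLOW_CLASS
    permit
interface vlan 50
  ip address 172.20.1.100 255.255.0.0
  service-policy input SNMP-ALLOW_POLICY
"""


@dataclass(frozen=True)
class Finding:
    severity: str      # HIGH, MEDIUM or INFO
    line: str          # offending config line ("" for whole-config findings)
    message: str


def audit_snmp_config(config: str) -> list:
    """Return the weak SNMP settings found in an ACE running-config fragment."""
    findings = []
    block = ""                       # top-level command that opened the current block
    snmp_matched = False             # some management class map matches protocol snmp
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            block = line
        tokens = line.split()

        if line.startswith("snmp-server community "):
            community = tokens[2]
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(Finding("HIGH", line,
                    f"community string {community!r} is a default or guessable value"))

        elif line.startswith("snmp-server host "):
            if "version" in tokens:
                version = tokens[tokens.index("version") + 1]
                if version in ("1", "2c"):
                    findings.append(Finding("MEDIUM", line,
                        f"notification host {tokens[2]} uses SNMPv{version}; the community string "
                        "is sent in cleartext and anyone on the path can learn it"))
            else:
                # Assumption: the default version when the keyword is omitted is not
                # stated on these pages, so the line is reported for manual review.
                findings.append(Finding("INFO", line,
                    f"notification host {tokens[2]} does not state an SNMP version"))

        elif line.startswith("snmp-server user "):
            user = tokens[2]
            if "auth" not in tokens:
                findings.append(Finding("HIGH", line,
                    f"SNMPv3 user {user!r} has no authentication (noAuthNoPriv)"))
            elif "priv" not in tokens:
                findings.append(Finding("MEDIUM", line,
                    f"SNMPv3 user {user!r} authenticates but does not encrypt (authNoPriv)"))

        elif block.startswith("class-map type management") and "match protocol snmp" in line:
            snmp_matched = True
            if tokens[-1] == "any":
                findings.append(Finding("MEDIUM", line,
                    f"{block.split()[-1]} accepts SNMP from any source address; "
                    "use source-address with the NMS subnet instead"))

    if "snmp-server" in config and not snmp_matched:
        findings.append(Finding("INFO", "",
            "snmp-server is configured but no management class map matches protocol snmp, "
            "so no service policy can admit SNMP to the ACE"))
    return findings


def worst_severity(findings: list) -> str:
    order = {"HIGH": 2, "MEDIUM": 1, "INFO": 0}
    return max((f.severity for f in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.message}")
        if f.line:
            print(f"       {f.line}")
```

    Feed it the output of show running-config from each context, because SNMP access is granted per context (page 348) and a class map that is tight in Admin says nothing about the user contexts.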
  • Page 360: Displaying Snmp Statistics

    ...                      SNMP packets received by the ACE input
    Bad SNMP versions        Number of packets with an invalid SNMP version
    Unknown community name   Number of SNMP packets with an unknown community name
  • Page 361
    ...      SNMP user
    Auth     Authentication of a packet without encryption
    Priv     Authentication of a packet with encryption
    Group    User role group to which the user belongs
  • Page 362
    Row status   Whether the row status for the SNMP group is active or inactive
  • Page 363
    ...      String that identifies the name of the SNMP user
    Auth     Authentication of a packet without encryption
    Priv     Authentication of a packet with encryption
    Group    User role group to which the user belongs
  • Page 365: Configuring The Xml Interface

    Configuring the XML Interface. This chapter describes how to use Extensible Markup Language (XML) to remotely configure a Cisco 4700 Series Application Control Engine (ACE) appliance from a network management station (NMS). Any command that you can configure from the ACE CLI can be configured remotely from an NMS by exchanging XML documents over HTTP or secure HTTP (HTTPS).
  • Page 366: Chapter 9 Configuring The Xml Interface

    ...ACE software, the www user will be disabled and you will not be able to use XML to remotely configure an ACE until you change the default www user password. See Chapter 2, Configuring Virtualization, in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for details on changing a user account password.
  • Page 367 ...Admin user role. A network management station (NMS), such as the CiscoWorks Hosting Solution Engine (HSE), can connect to the ACE and push new configurations to it over HTTP or HTTPS. Over plain HTTP the www user credentials and the pushed configuration cross the network in cleartext; use HTTPS, as the quick start on page 375 does with its XML-HTTPS management policy.
  • Page 368: Http And Https Support With The Ace

    ...
        <ip_address address="60.0.0.145" netmask="255.255.255.0"/>
        <shutdown sense="no"/>
      </interface>
      <show_running-config/>
    </request_xml>
    ******** Server **************
    HTTP/1.1 200 OK
    Content-Length: 21
    <response_xml>
    <config_command>
    <command>
    interface vlan 80
    ip address 60.0.0.145 255.255.255.0
    access-group input acl1
    no shutdown
  • Page 369: Http Return Codes

    Code   Description
    201    Created
    202    Accepted
    203    Non-Authoritative Information
    206    Partial Content
    301    Moved Permanently
    302    Found
    400    Bad Request
    401    Unauthorized (credentials required, but not provided)
    403    Forbidden (illegal credentials submitted; syslog also generated)
    404    Not Found (“/xml-config” not specified)
  • Page 370
    <response_xml>
    <config_command>
    <command>
    interface vlan 20
    no shut
    description xyz
    exit
    </command>
    <status code='200' text='XML_CMD_FAILURE'>
    <error_command>
    description xyz
    </error_command>
    <error_message>
    unrecognized element - description
    </error_message>
    </status>
    </config_command>
    </response_xml>
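    Pages 368 to 370 show the request_xml document, the HTTP return codes, and a response in which the HTTP status is 200 while the <status> element in the body reports XML_CMD_FAILURE. The Python client below is an added example, not Cisco code: build_interface_request produces the page 368 request, parse_response checks the status element instead of trusting the HTTP code, and send_request posts to /xml-config over HTTPS. It assumes HTTP Basic authentication for the www user, a text/xml content type, and that a status whose text contains FAIL or that carries an error_message marks a failed command; these pages do not state those details. SAMPLE_FAILURE_RESPONSE is the page 370 response, retyped as constructed input.

```python
import base64
import http.client
import ssl
import xml.etree.ElementTree as ET

XML_CONFIG_PATH = "/xml-config"   # resource named in the page 369 "Not Found" entry

# HTTP return codes listed on page 369 (standard HTTP status numbers).
HTTP_CODES = {
    200: "OK", 201: "Created", 202: "Accepted", 203: "Non-Authoritative Information",
    206: "Partial Content", 301: "Moved Permanently", 302: "Found", 400: "Bad Request",
    401: "Unauthorized (credentials required, but not provided)",
    403: "Forbidden (illegal credentials submitted; syslog also generated)",
    404: "Not Found (/xml-config not specified)",
}

# The page 370 response, retyped as a constructed sample for parse_response().
SAMPLE_FAILURE_RESPONSE = b"""<response_xml>
<config_command>
<command>
interface vlan 20
no shut
description xyz
exit
</command>
<status code='200' text='XML_CMD_FAILURE'>
<error_command>
description xyz
</error_command>
<error_message>
unrecognized element - description
</error_message>
</status>
</config_command>
</response_xml>"""


def describe_http(code: int) -> str:
    return HTTP_CODES.get(code, f"code {code} not listed on page 369")


def build_interface_request(vlan: int, address: str, netmask: str, show_running: bool = True) -> bytes:
    """Build the request_xml document from page 368: configure a VLAN interface
    with an IP address, bring it up, then run show running-config."""
    root = ET.Element("request_xml")
    iface = ET.SubElement(root, "interface", type="vlan", number=str(vlan))
    ET.SubElement(iface, "ip_address", address=address, netmask=netmask)
    ET.SubElement(iface, "shutdown", sense="no")
    if show_running:
        ET.SubElement(root, "show_running-config")
    return ET.tostring(root, encoding="utf-8")


def parse_response(body: bytes) -> dict:
    """Parse response_xml. An HTTP 200 does not mean the commands succeeded:
    page 370 carries status code='200' text='XML_CMD_FAILURE' in the body,
    so every <status> element is inspected."""
    root = ET.fromstring(body)
    result = {"commands": [], "errors": []}
    for cc in root.iter("config_command"):
        result["commands"].append((cc.findtext("command") or "").strip())
        status = cc.find("status")
        if status is None:
            continue
        text = status.get("text", "")
        # Assumption: failure is signalled by an error_message child or a FAIL* status text.
        if status.find("error_message") is not None or "FAIL" in text.upper():
            result["errors"].append({
                "code": status.get("code"),
                "text": text,
                "command": (status.findtext("error_command") or "").strip(),
                "message": (status.findtext("error_message") or "").strip(),
            })
    return result


def send_request(host: str, user: str, password: str, request: bytes, verify_tls: bool = True) -> tuple:
    """POST request_xml to https://host/xml-config. Assumption: the ACE expects
    HTTP Basic credentials for the www user and a text/xml body.
    Returns (http_status, body); pass the body to parse_response()."""
    ctx = ssl.create_default_context()
    if not verify_tls:                 # lab use only: accepts the ACE's self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn.request("POST", XML_CONFIG_PATH, body=request,
                 headers={"Authorization": f"Basic {token}", "Content-Type": "text/xml"})
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    print(build_interface_request(80, "60.0.0.145", "255.255.255.0").decode())
    for err in parse_response(SAMPLE_FAILURE_RESPONSE)["errors"]:
        print(f"{describe_http(200)}, but {err['text']}: {err['command']!r} -> {err['message']}")
```

    Keep verify_tls enabled outside a lab, and remember that the www user's default password must be changed before the XML interface works at all (page 366); a 401 or 403 from the table above is the first thing to check when a push fails.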
  • Page 371: Document Type Definition

    “Enabling the Display of Raw XML Request show Command Output in XML Format” section for details. For details on the show command output supported in XML format, consult the ace_appliance.dtd file.
  • Page 372 = host. address-type is valid only when type=host. name length is 1 to 32. webhost-redirection is valid only if type=redirect. -->
  • Page 373: Sample Xml Configuration

    <ip_address address="60.0.0.145" netmask="255.255.255.0"/>
    <shutdown sense="no"/>
    </interface>
    <ip_route dest-address="0.0.0.0" dest-mask="0.0.0.0" gateway="60.0.0.1"/>
    ############################
    ## BRIDGING CONFIGURATION ##
    ############################
    conf t
    access-list acl1 extended permit ip any any
    int vlan 80
    access-group input acl1
  • Page 374
    <access-list id="acl1" config-type="extended" perm-value="permit" protocol-name="ip" src-type="any" dest-type="any"/>
    <interface type="vlan" number="80">
    <access-group type="input" name="acl1"/>
    <bridge-group value="1"/>
    <shutdown sense="no"/>
    </interface>
    <interface type="vlan" number="90">
    <access-group type="input" name="acl1"/>
    <bridge-group value="1"/>
    <shutdown sense="no"/>
    </interface>
  • Page 375: Xml Configuration Quick Start

    For example, to specify an interface VLAN and apply multiple service policies to the VLAN, enter:
    host1/Admin(config)# interface vlan50
    host1/Admin(config-if)# ip address 192.168.10.1 255.255.0.0
    host1/Admin(config-if)# service-policy input MGMT_XML-HTTPS_POLICY
    host1/Admin(config-if)# exit
    host1/Admin(config)# exit
  • Page 376 (Optional) Enable the display of raw XML request show command output in XML format. Note: True XML responses always automatically appear in XML format.
    host1/Admin# xml-show on
    (Optional) Save your configuration changes to Flash memory.
    host1/Admin# copy running-config startup-config
  • Page 377: Configuring Http And Https Management Traffic Services

    HTTP or HTTPS sessions are established to the ACE per context. For details on creating contexts and users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. This section contains the following topics: •...
  • Page 378: Creating And Configuring A Class Map

    64 alphanumeric characters. The class name is used for both the class map and to configure a policy for the class in the policy map.
  • Page 379: Defining A Class Map Description

    For example, to specify a description that the class map is to allow HTTPS access, enter:
    host1/Admin(config)# class-map type management match-all XML-HTTPS-ALLOW_CLASS
    host1/Admin(config-cmap-mgmt)# description Allow HTTPS as the XML transfer protocol
  • Page 380: Defining Http And Https Protocol Match Criteria

    Note: The https keyword specifies secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the Device Manager GUI on the ACE.
    • any—Specifies any client source address for the management traffic classification.
  • Page 381: Creating A Layer 3 And Layer 4 Policy Map

    ACE use the policy-map type management command in configuration mode. The ACE executes the action for the first matching classification. The ACE does not execute any additional actions.
  • Page 382: Specifying A Layer 3 And Layer 4 Traffic Class With The Traffic Policy

    Layer 3 and Layer 4 traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
  • Page 383 To specify the class-default class map for the Layer 3 and Layer 4 traffic policy, enter:
    host1/Admin(config-pmap-mgmt)# class class-default
    host1/Admin(config-pmap-mgmt-c)#
    To remove a class map from a Layer 3 and Layer 4 policy map, enter:
    host1/Admin(config-pmap-mgmt)# no class XML-HTTPS-ALLOW_CLASS
  • Page 384: Specifying Layer 3 And Layer 4 Policy Actions

    VLAN interface. Specifying a policy map in the configuration mode applies the policy to all of the VLAN interfaces associated with a context.
  • Page 385 To detach the XML HTTPS management policy from an interface, enter:
    host1/Admin(config-if)# no service-policy input MGMT_XML-HTTPS_POLICY
    To globally detach the XML HTTPS management policy from all VLANs associated with a context, enter:
    host1/Admin(config)# no service-policy input MGMT_XML-HTTPS_POLICY
  • Page 386 • Displays a more detailed listing of policy map statistics and status information. Note: The ACE updates the counters that the show service-policy command displays after the applicable connections are closed.
  • Page 387 (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters. For example, to clear the statistics for the policy map MGMT_XML-HTTPS_POLICY that is currently in service, enter:
    host1/Admin# clear service-policy MGMT_XML-HTTPS_POLICY
  • Page 388: Format

    1 and 4095 for vlan and 8191 for bvi. -->
    <!ENTITY % show-interface "interface-type (vlan | bvi) #IMPLIED interface-number CDATA #IMPLIED" >
    The XML representation of the show interface command appears as follows:
    <show_interface interface-type='vlan' interface-number='10'/>
  • Page 389
    <ipaddress>10.20.105.101</ipaddress>
    <ipmask>255.255.255.0</ipmask>
    </interface_ip>
    <interface_ft_status>non-redundant</interface_ft_status>
    <interface_description>
    <interface_description>not set</interface_description>
    </interface_description>
    <interface_mtu>1500</interface_mtu>
    <interface_last_cleared>never</interface_last_cleared>
    <interface_alias>
    <ipaddress>not set</ipaddress>
    </interface_alias>
    <interface_standby>
    <ipaddress>not set</ipaddress>
    </interface_standby>
    <interface_auto_status>up</interface_auto_status>
    </xml_interface>
    <interface_stats>
    <ifs_input>
    <ifs_unicast>50</ifs_unicast>
    <ifs_bytes>8963</ifs_bytes>
    <ifs_multicast>26</ifs_multicast>
    <ifs_broadcast>1</ifs_broadcast>
    <ifs_errors>0</ifs_errors>
    <ifs_unknown>0</ifs_unknown>
    <ifs_ignored>0</ifs_ignored>
  • Page 390 For example, to enable the display of raw XML request show command output in XML format from the CLI, enter:
    host1/Admin# xml-show on
    To return to displaying CLI show command output in regular CLI output, enter:
    host1/Admin# xml-show off
  • Page 391: Accessing The Ace Dtd File

    You can choose to either open the ace_appliance.dtd file or save it to your computer. To access the ace_appliance.dtd file from the Cisco ACE appliance Management page, perform the following procedure: Specify the HTTP or secure HTTP (HTTPS) address of your ACE in the address...
  • Page 392 Enter your username and password in the fields provided, and then click OK. The Cisco ACE appliance Management page appears. Click the link under the Resources column of the Cisco ACE appliance Management page to access the ace_appliance.dtd file. You can choose to either open the ace_appliance.dtd file or save it to your computer.
  • Page 393: Upgrading Your Ace Software

    Upgrading Your ACE Software. This appendix provides information to upgrade your Cisco 4700 Series Application Control Engine (ACE) appliance. It contains the following major sections: • Overview of Upgrading ACE Software • Software Upgrade Quick Start •...
  • Page 394: Overview Of Upgrading Ace Software

    ACE software, you will only be able to log in to the ACE through the console port. See Chapter 1, Setting Up the ACE, for details on changing the admin account password.
  • Page 395: Changing The Www User Password

    Extensible Markup Language (XML) to remotely configure an ACE until you change the default www user password. See Chapter 2, Configuring Virtualization, in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for details on changing a user account password. In this case, the user would be www.
  • Page 396: Software Upgrade Quick Start

    ACE. For example, to copy the image with the name c4710ace-t1k9-mz.A1_7.bin using FTP, enter:
    host1/Admin# copy ftp://server1/images/c4710ace-t1k9-mz.A1_7.bin image:
  • Page 397 Verify the boot variable was synchronized to ACE-2 by entering the following command on ACE-2:
    host1/Admin# show bootvar
    BOOT variable = "disk0:/c4710ace-t1k9-mz.A1_7.bin; disk0:/c4710ace-mz.3.0.0_AB0_0.488.bin"
    Configuration register is 0x1
  • Page 398 Save configurations for all the contexts. Save? [yes/no]: [yes] Enter the show ft group detail command to verify that ACE-1 is in the ACTIVE state and ACE-2 is in the STANDBY_HOT state.
  • Page 399: Copying The Software Upgrade Image To The Ace

    ACE, enter:
    host1/Admin# copy ftp://server1/images/c4710ace-t1k9-mz.A1_7.bin image:
    To set the boot variable and configure the ACE to autoboot this image, see the “Configuring the ACE to Autoboot the Software Image” section.
  • Page 400: Configuring The Ace To Autoboot The Software Image

    For example, to set the boot variable with the c4710ace-t1k9-mz.A1_7.bin image, enter:
    host1/Admin(config)# boot system image:c4710ace-t1k9-mz.A1_7.bin
    Use the no boot system image: command to unset the previously configured boot variable.
  • Page 401: Configuring The Configuration Register To Autoboot The Boot Variable

    For details about the different settings of the config-register command, refer to Chapter 1, Setting Up the ACE. For example, to set the register to 0x1 to boot the system image, enter:
    host1/Admin(config)# config-register 0x1
  • Page 402: Verifying The Boot Variable And Configuration Register

    To reload the ACE, use the reload command in the Admin context from the Exec mode. The syntax for this command is: reload
    For example, enter:
    host1/Admin# reload
    This command will reboot the system
    Save configurations for all the contexts. Save? [yes/no]: [yes]
  • Page 403: Displaying Software Image Information

    For example, enter:
    host1/Admin# show version
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License.
