Cisco 4700M, 4700 Series Administration Manual

Cisco 4700 Series Application Control
Engine Appliance Administration Guide

Software Version A3(2.x)
October 2009

Americas Headquarters

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Text Part Number: OL-20823-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SH

IPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE

OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compress
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAU
LIMIT
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WI
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase,
Cisc
Mino,
Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Styli
Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Collab
IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY,
PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are
registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the propert
between Cisco and any other company. (1002R)

LTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

ATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

THOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

o StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip

Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work,

oration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the

ion is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public

zed), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and

y of their respect

ive owners. The use of the word partner does not imply a partnership relationship

Cisco 4700 Series Application Control Engine Appliance Administration Guide

Copyright © 2007-2008 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface xi

Audience xi
How to Use This Guide xii
Related Documentation xiii
Symbols and Conventions xv
Obtaining Documentation, Obtaining Support, and Security Guidelines xvi

CHAPTER

1 Setting Up the ACE 1-1

Prerequisites for Setting Up the ACE 1-2
Default Settings 1-2
Setting Up the ACE 1-4

Establishing a Console Connection on the ACE 1-4
Using the Setup Script to Enable Connectivity to the Device Manager 1-5
Connecting and Logging In to the ACE 1-8
Changing or Resetting the Administrative Password 1-9

Changing the Administrative Password 1-10

Resetting the Administrator Account Password 1-11
Assigning a Name to the ACE 1-12
Configuring an ACE Inactivity Timeout 1-13
Configuring a Message-of-the-Day Banner 1-14
Configuring the Date and Time 1-16

Setting the System Time and Date 1-16

Configuring the Time Zone 1-17

Adjusting for Daylight Saving Time 1-20
Synchronizing the ACE with an NTP Server 1-22
Configuring Terminal Settings 1-24

Configuring Terminal Display Attributes 1-24

Configuring Virtual Terminal Line Settings 1-26
Modifying the Boot Configuration 1-27

Setting the Boot Method from the Configuration Register 1-27

Setting the BOOT Environment Variable 1-28

Configuring the ACE to Bypass the Startup Configuration File During the Boot Process 1-29
Restarting the ACE 1-31

Restarting the ACE From the CLI 1-31

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

iii

Contents

Using the GRUB Boot Loader to Specify the System Boot Image During a Reload 1-32

Shutting Down the ACE 1-33

Displaying or Clearing the ACE Setup Configuration and Statistics 1-33

Displaying ACE Setup Configuration and Statistics 1-33

Displaying NTP Statistics and Information 1-33
Displaying Other ACE Setup Configuration Information 1-36

Clearing NTP Statistics 1-37

CHAPTER

2 Enabling Remote Access to the ACE 2-1

Guidelines and Limitations 2-2
Default Settings 2-2
Enabling Remote Access to the ACE 2-3

Task Flow for Enabling Remote Access to the ACE 2-3
Configuring Remote Network Management Traffic Services 2-4

Creating and Configuring a Remote Management Class Map 2-5
Creating a Layer 3 and Layer 4 Remote Access Policy Map 2-9
Applying a Service Policy Globally to All VLAN Interfaces in the Same Context 2-11

Applying a Service Policy to a Specific VLAN Interface 2-13
Configuring the Maximum Number of Telnet Management Sessions 2-15
Configuring SSH Management Session Parameters 2-16

Configuring Maximum Number of SSH Sessions 2-16

Generating SSH Host Key Pairs 2-17
Terminating an Active User Session 2-19
Enabling ICMP Messages to the ACE 2-20
Directly Accessing a User Context Through SSH 2-21

Displaying Remote Access Session Information 2-22

Displaying Telnet Session Information 2-23
Displaying SSH Session Information 2-23
Displaying Other Remote Access Session Information 2-24

Configuration Example for Enabling Remote Access to the ACE 2-25

CHAPTER

3 Managing ACE Software Licenses 3-1

Information about ACE Licenses 3-1
Guidelines and Limitations 3-5
Prerequisites 3-5
Default License Feature Capabilities 3-5
Managing ACE Appliance Software Licenses 3-6

Tasks for Ordering an Upgrade License and Generating a Key 3-6

Cisco 4700 Series Application Control Engine Appliance Administration Guide

iv

OL-20823-01

Copying a License File to the ACE 3-6
Installing a New or Upgrade License File 3-7
Replacing a Demo License with a Permanent License 3-8
Removing a License 3-9

Removing a Performance Throughput, HTTP Compression, Application Acceleration License, or
SSL License

Removing a Virtual Context License 3-11
Backing Up an ACE License File 3-13
Retrieving an ACE License File 3-13

Displaying ACE License Configurations and Statistics 3-14

3-9

Contents

CHAPTER

4 Managing the ACE Software 4-1

Saving Configuration Files 4-1

Saving the Configuration File in Flash Memory 4-2
Saving Configuration Files to a Remote Server 4-2
Copying the Configuration File to the disk0: File System 4-3
Merging the Startup-Configuration File with the Running-Configuration File 4-4
Displaying Configuration File Content 4-4
Clearing the Startup-Configuration File 4-6

Copying Configuration Files from a Remote Server 4-7
Using the File System on the ACE 4-8

Copying Files 4-8

Copying Files to Another Directory on the ACE 4-9

Copying Licenses 4-9

Copying a Packet Capture Buffer 4-10

Copying Files to a Remote Server 4-10

Copying Files from a Remote Server 4-12

Copying an ACE Software System Image to a Remote Server 4-12
Uncompressing Files in the disk0: File System 4-13
Untarring Files in the disk0: File System 4-14
Creating a New Directory 4-15
Deleting an Existing Directory 4-15
Moving Files 4-15
Deleting Files 4-16
Displaying Files Residing On the ACE 4-18
Saving show Command Output to a File 4-19

Managing Core Dump Files 4-21

Copying Core Dumps 4-21
Clearing the Core Directory 4-22

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

v

Contents

Deleting a Core Dump File 4-23

Capturing Packet Information 4-23

Enabling the Packet Capture Function 4-24
Copying Packet Capture Buffer Information 4-25
Displaying or Clearing Packet Information 4-26

Displaying Packet Information 4-26
Clearing Capture Buffer Information 4-27

Using the Configuration Checkpoint and Rollback Service 4-27

Creating a Configuration Checkpoint 4-27
Deleting a Configuration Checkpoint 4-28
Rolling Back a Running Configuration 4-29
Displaying Checkpoint Information 4-29

Reformatting the Flash Memory 4-30

CHAPTER

CHAPTER

5 Displaying ACE Hardware and Software System Information 5-1

Information About Displaying ACE Hardware and Software Information 5-1
Displaying Hardware Information 5-2
Displaying Installed Software Information 5-3
Displaying System Processes and Memory Resources Limits 5-4

Displaying General System Process Information 5-4

Displaying Detailed Process Status Information and Memory Resource Limits 5-7
Displaying System Information 5-9
Displaying or Clearing ICMP Statistics 5-11
Displaying or Collecting Technical Information for Reporting Problems 5-13

6 Configuring Redundant ACEs 6-1

Information About Redundancy 6-1

Redundancy Protocol 6-2

Stateful Failover 6-3

FT VLAN 6-4

Configuration Synchronization 6-4

Redundancy State for Software Upgrade or Downgrade 6-5
Guidelines and Limitations 6-5
Default Settings 6-6
Configuring Redundant ACEs 6-7

Task Flow for Configuring Redundancy 6-7

Configuring Redundancy 6-9

Configuring an FT VLAN 6-9

Cisco 4700 Series Application Control Engine Appliance Administration Guide

vi

OL-20823-01

Configuring an Alias IP Address 6-11
Configuring an FT Peer 6-12
Configuring an FT Group 6-14
Modifying an FT Group 6-16
Specifying the Peer Hostname 6-16
Specifying the MAC Address Banks for a Shared VLAN 6-17
Forcing a Failover 6-18
Synchronizing Redundant Configurations 6-19

Configuring Tracking and Failure Detection 6-21

Configuring Tracking and Failure Detection for a Host or Gateway 6-22
Configuring Tracking and Failure Detection for an Interface 6-25

Displaying or Clearing Redundancy Information 6-27

Displaying Redundancy Information 6-28

Displaying Redundancy Configuration Information 6-28
Displaying Bulk Synchronization Command Failures on the Standby ACE 6-28
Displaying FT Group Information 6-29
Displaying the Redundancy Internal Software History 6-32
Displaying the IDMAP Table 6-32
Displaying Memory Statistics 6-32
Displaying Peer Information 6-33
Displaying FT Statistics 6-35
Displaying FT Tracking Information 6-36

Clearing Redundancy Statistics 6-39

Clearing Transport-Layer Statistics 6-39
Clearing Heartbeat Statistics 6-40
Clearing Tracking-Related Statistics 6-40
Clearing All Redundancy Statistics 6-40
Clearing the Redundancy History 6-40

Contents

Configuration Example of Redundancy 6-41

CHAPTER

7 Configuring SNMP 7-1

Information About SNMP 7-1

Managers and Agents 7-2
SNMP Manager and Agent Communication 7-2
SNMP Traps and Informs 7-3
SNMPv3 CLI User Management and AAA Integration 7-3
CLI and SNMP User Synchronization 7-4
Multiple String Index Guidelines 7-4
Supported MIBs and Notifications 7-5

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

vii

Contents

Default Settings for SNMP 7-30
Configuring SNMP 7-31

Task Flow for Configuring SNMP 7-31

Configuring SNMP Users 7-32

Defining SNMP Communities 7-35

Configuring an SNMP Contact 7-36

Configuring an SNMP Location 7-37

Configuring SNMP Notifications 7-38

Configuring SNMP Notification Hosts 7-38
Enabling SNMP Notifications 7-40

Enabling the IETF Standard for SNMP linkUp and linkDown Traps 7-42
Unmasking the SNMP Community Name and Community Security Name OIDs 7-43
Assigning a Trap-Source Interface for SNMP Traps 7-44
Accessing ACE User Context Data Through the Admin Context IP Address 7-45

Accessing User Context Data When Using SNMPv1/v2 7-45

Accessing User Context Data When Using SNMPv3 7-46
Configuring an SNMPv3 Engine ID for an ACE Context 7-46
Configuring SNMP Management Traffic Services 7-47

Creating and Configuring a Layer 3 and Layer 4 Class Map 7-48

Creating a Layer 3 and Layer 4 Poli cy Map 7-50

Applying a Service Policy Globally to All VLAN Interfaces in the Same Context 7-52

Applying a Service Policy to a Specific VLAN Interface 7-53

CHAPTER

Displaying or Clearing SNMP and Service Policy Statistics 7-55

Displaying SNMP and Service Policy Statics 7-55

Displaying SNMP Statistical Information 7-55

Displaying SNMP Service Policy Statistics 7-58
Clearing SNMP Service Policy Statistics 7-59

Example of an SNMP Configuration 7-59

8 Configuring the XML Interface 8-1

Information About XML 8-1

HTTP and HTTPS Support with the ACE 8-2
HTTP Return Codes 8-3
Document Type Definition 8-4

Guidelines and Limitations 8-6
Default Settings 8-6
Configuring the XML Interface 8-7

Task Flow for Configuring XML 8-7
Configuring HTTP and HTTPS Management Traffic Services 8-8

Cisco 4700 Series Application Control Engine Appliance Administration Guide

viii

OL-20823-01

Creating and Configuring a Class Map 8-8
Creating a Layer 3 and Layer 4 Poli cy Ma p 8-11
Applying a Service Policy Globally to All VLAN Interfaces in the Same Context 8-13

Applying a Service Policy to a Specific VLAN Interface 8-14
Enabling the Display of Raw XML Request show Command Output in XML Format 8-15
Accessing the ACE DTD File 8-18

Displaying or Clearing XML Service Policy Statistics 8-19

Displaying XML Service Policy Statistics 8-19
Clearing XML Service Policy Statisti cs 8-19

Example of ACE CLI Command and the XML Equivalent 8-20

Contents

APPENDIX

A Upgrading or Downgrading Your ACE Software A-1

Overview of Upgrading ACE Software A-1
Prerequisites for Upgrading Your ACE A-2

Changing the Admin Password A-2
Changing the www User Password A-2
Checking Your Configuration for FT Priority and Preempt A-2
Creating a Checkpoint A-2
Updating Your Application Protocol Inspection Configurations A-3

Performing Software Upgrades and Downgrades A-4

Task Flow for Upgrading the ACE Software A-4
Task Flow for Downgrading the ACE Software A-7
Copying the Software Upgrade Image to the ACE A-9
Configuring the ACE to Autoboot the Software Image A-10

Setting the Boot Variable A-10

Configuring the Configuration Register to Autoboot the Boot Variable A-10
Reloading the ACE A-11

Displaying Software Image Information A-11

Displaying the Boot Variable and Configuration Register A-12
Displaying the Software Version A-12

I

NDEX

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

ix

Contents

Cisco 4700 Series Application Control Engine Appliance Administration Guide

x

OL-20823-01

Preface

This guide provides instructions for the administration of the Cisco 4700 Series Application Control
Engine (ACE) appliance. It describes how to perform administration tasks on the ACE, including initial
setup, establish remote access, manage software licenses, configure class maps and policy maps, manage
the ACE software, configure SNMP, configure redundancy, configure the XML interface, and upgrade
your ACE software.

You can configure the ACE by using the following interfaces:

• The command-line interface (CLI), a line-oriented user interface that provides commands for

configuring, managing, and monitoring the ACE.

Audience

• Device Manager graphic user interface (GUI), a Web browser-based GUI interface that provides a

graphical user interface for configuring, managing, and monitoring the ACE.

This preface contains the following major sections:

• Audience

• How to Use This Guide

• Related Documentation

• Symbols and Conventions

• Obtaining Documentation, Obtaining Support, and Security Guidelines

This guide is intended for the following trained and qualified service personnel who are responsible for
configuring the ACE:

• System administrator

• System operator

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

xi

How to Use This Guide

This guide is organized as follows:

Chapter Description

Chapter 1, Setting Up the
ACE

Chapter 2, Enabling Remote
Access to the ACE

Chapter 3, Managing ACE
Software Licenses

Chapter 4, Managing the
ACE Software

Chapter 5, Displaying ACE
Hardware and Software
System Information

Chapter 6, Configuring
Redundant ACEs

Chapter 7, Configuring
SNMP

Chapter 8, Configuring the
XML Interface

Appendix A, Upgrading or
Downgrading Your ACE
Software

Preface

Describes how to configure basic settings on the ACE, including topics
such as how t
administrative username and password, assign a name to the ACE,
configure a message-of-the-day banner, configure the date and time,
configure terminal settings, modify the boot configuration, and restart
the ACE.

Describes how to configure remote ac
Application Control Engine (ACE) appliance by establishing a remote
connection using the Secure Shell (SSH) or Telnet protocols. It also
describes how to configure the ACE to provide direct access to a user
context from SSH. This chapter also covers how to configure the ACE
to receive ICMP messages from a host.

Describes how to manage the software licenses for your ACE.

Describes how to save and download configuration files, use the file

m

syste
information, use the configuration checkpoint and rollback service,
display configuration information, and display technical support
information.

Describes how to display ACE hardware and software configuration

tech

and

Describes how to configure the ACE for redundancy, which provides
fa

ult tolerance for the stateful failover of flows.

Describes how to configure SNMP to query the ACE for Cisco

na

gement Information Bases (MIBs) and to send event

Ma
notifications to a network management system (NMS).

Describes how to provide a mechanism using XML to transfer,

f

igure, and monitor objects in the ACE. This XML capability

con
allows you to easily shape or extend the CLI query and reply data in
XML format to meet different specific business needs.

Describes how to upgrade or downgrade the software on your ACE.

o session and log in to the ACE, change the

to the Cisco 4700 Series

cess

, view and copy core dumps, capture and copy packet

nical support information.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

xii

OL-20823-01

Preface

Related Documentation

In addition to this document, the ACE documentation set includes the following:

Document Title Description

Release Note for the Cisco 4700
Series Applicat
Appliance

Cisco Application Control Engine
Applia

nce

Hardware Installation Guide

Regulatory Compliance and Safety
Information for the

ication Control Engine

Appl
Appliance

Cisco 4700 Series Application

ntr

ol Engine Appliance Quick

Co
Start Guide

Cisco 4700 Series Application

ntr

ol Engine Appliance

Co
Administration Guide

ion Control Engine

Cisco

Provides information about operating considerations, caveats,
and command-line interface (CLI) commands for the ACE.

Provides information for installing the ACE appliance.

Regulatory compliance and safety information for the ACE
appliance.

Describes how to use the ACE appliance Device Manager GUI
and CLI to perform the initial setup and VIP load-balancing
configuration tasks.

Describes how to perform the following administration tasks on
the ACE:

• Setting up the ACE

• Establishing remote access

• Managing software licenses

Cisco 4700 Series Application

ol Engine Appliance

Contr
Virtualization Configuration Guide

Cisco 4700 Series Application
Contr

ol Engine Appliance Routing

and Bridging Configuration Guide

• Configuring class maps and policy maps

• Managing the ACE software

• Configuring SNMP

• Configuring redundancy

• Configuring the XML interface

• Upgrading the ACE software

Describes how to operate your ACE in a single context or in
multiple contexts.

Describes how to perform the following routing and bridging
tasks on the ACE:

• Configuring Ethernet ports

• Configuring VLAN interfaces

• Configuring routing

• Configuring bridging

• Configuring Dynamic Host Configuration Protocol (DHCP)

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

xiii

Document Title Description

Cisco 4700 Series Application
Control Engine Appliance Server
Load-Balancing Configuration
Guide

Cisco 4700 Series Application
Control Engine Appliance
Application Acceleration and
Optimization Configuration Guide

Describes how to configure the follo
features on the ACE:

• Real servers and server farms

• Class maps and policy maps to load balance traffic to real

servers in server farms

• Server health monitoring (probes)

• Stickiness

• Firewall load balancing

• TCL scripts

•

Describes how to configure the web optimization features of the

CE. This guide also provides an overview and description of

A
those features.

Preface

wing server load-balancing

Cisco 4700 Series Application
Contr

ol Engine Appliance Security

Configuration Guide

Cisco 4700 Series Application
Control Engine Appliance SSL
Configuration Guide

Cisco 4700 Series Application

ol Engine Appliance System

Contr
Message Guide

Cisco 4700 Series Application

ntr

ol Engine Appliance

Co
Command Reference

Describes how to perform the following ACE security
configuration tasks:

• Security access control lists (ACLs)

• User authentication and accounting using a Terminal Access

Controller Access Control System Plus (TACACS+),
Remote Authentication Dial-In User Service (RADIUS), or
Lightweight Directory Access Protocol (LDAP) server

• Application protocol and HTTP deep packet inspection

• TCP/IP normalization and termination parameters

• Network Address Translation (NAT)

•

Describes how to configure the following Secure Sockets Layer
(SSL) features on the ACE:

• SSL certificates and keys

• SSL initiation

• SSL termination

• End-to-end SSL

Describes how to configure system message logging on the ACE.
This guide also lists and describes the system log (syslog)
messages generated by the ACE.

Provides an alphabetical list and descriptions of all CLI
commands by mode, including syntax, options, and related
commands.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

xiv

OL-20823-01

Preface

Document Title Description

Cisco 4700 Series Application
Contr

ol Engine Appliance Device

Manager Configuration Guide

Cisco CSS-to-ACE Conversion Tool

r

Guide

Use

Symbols and Conventions

This publication uses the following conventions:

Convention Description

boldface font Commands, command options, and keywords are in boldface. Bold text also

indicates a

ont Ar

italic f

the first occurrence of a new term, book title, emphasized text.

{ } Encloses required arguments and keywords.

[ ] Encloses optional arguments and keywords.

{x | y | z} Required alternative keywords are grouped in brac

bars.

[x | y | z] Optional alternative keywords are grouped in brackets and separated by

e

rtical bars.

v

string A nonquoted set of characters. Do not use quotation marks around the string or

the str

screen font Terminal sessions and information the system displays are in screen font.

boldface screen

font

italic screen font Arguments for which you supply values are in it

^ The symbol ^ represents the key labele

< > Nonprinting characters, such as passwords are in angle brackets.

Information you must enter in a command line is in boldface screen font.

combination ^D in a screen display means hold down the Control key while
you press the D key.

Describes how to use the Device Manager GUI, which resides in
flash memory on the ACE, to provide a browser-based interface
for configuring and managing the appliance.

Describes how to use the CSS-to-ACE conversion tool to
migrate Cisco Content Services Switches (CSS)
running-configuration or startup-configuration files to the ACE.

command in a paragraph.

guments for which you supply values are in italics. Italic text also indicates

parated by vertical

ing

will include the quotation marks.

es and se

alic screen font.

d Control—for example, the key

1. A numbered list indicates that the order of the list items is important.
a. An alphabetical list indicates that the order of the secondary list items is important.

• A bulleted list indicates that the order of the list topics is unimportant.

–

An indented list indicates that the order of the list subtopics is unimportant.

Notes use the following conventions:

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

xv

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the

publication.

Cautions use the following conventions:

Caution Means reader be careful. In this situation, you might do something that could result in equipment

damage or loss of data.

For additional information about CLI syntax formatting, refer to the Cisco 4700 Series Application
Control Engine Appliance Command Reference.

Obtaining Documentation, Obtaining Support, and Security
Guidelines

Preface

For information on obtaining documentation, obtaining support, providing documentation feedback,
security guidelines, and also recommended aliases and general Cisco documents, see the monthly

What’s Ne

documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

w in Cisco Pro

duct Documentation, which also lists all new and revised Cisco technical

Cisco 4700 Series Application Control Engine Appliance Administration Guide

xvi

OL-20823-01

CHAPTER

1

Setting Up the ACE

This chapter describes how to initially configure basic settings on the Cisco 4700 Series Application
Control Engine (ACE) appliance. It contains the following major sections:

• Prerequisites for Setting Up the ACE

• Default Settings

• Setting Up the ACE

• Displaying or Clearing the ACE Setup Configuration and Statistics

For details on configuring the GigabitEthernet ports, assigning VLANs to the ACE, configuring VLAN

terfaces on the ACE, and configuring a default or static route on the ACE, see the Cisco 4700 Series

in
Application Control Engine Appliance Routing and Bridging Configuration Guide.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-1

Prerequisites for Setting Up the ACE

Prerequisites for Setting Up the ACE

Setting up the ACE has the following requirements:

• Terminal—The terminal that you use to communicate with the ACE must contain a terminal

communications application, such as HyperTerminal for Windows, and be configured as follows:

–

Asynchronous transmission

–

9600 baud

–

8 data bits

–

Hardware flow control

–

1 stop bit

–

No parity

• Cable—The cable that connects the terminal to the ACE must meet the following requirements:

–

Serial cable with an RJ-45 connector

–

Adapter—RJ45 to DB-9 male

–

Cable type—Rollover serial cable to connect the ACE to a DTE device

Chapter 1 Setting Up the ACE

For instructions on connecting a console ca
Engine Appliance Hardware Installation Guide.

Default Settings

Table 1-1 lists the default settings for the ACE setup parameters.

Table 1-1 Default Setup Parameters

Parameter Default

User accounts Administrator account:

Host name switch

ble to your ACE, see the Cisco Application Control

n

username: admi

XML interface account:

username: w

Device Manager GUI access account:

username: dm / p

/ password: admin

ww: / passw

a

ord: admin

ssword: N/A

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-2

OL-20823-01

Chapter 1 Setting Up the ACE

Table 1-1 Default Setup Parameters

Parameter Default

Inactivity timeout 5 minutes

Gigabit Ethernet port, port mode, and
management VL
the ACE setup script

AN parameters when using

Default Settings

• Management VLAN allocated to the specified

Ethernet port.

• VLAN 1000 assigned as the management VLAN

interface.

• GigabitEthernet port mode configured as VLAN

access port.

• Extended IP access list that allows IP traffic

originating from any other host addresses.

• Traffic classification (class map and policy map)

created for management protocols HTTP, HTTPS,
ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is
dedicated for connectivity with the Device
Manager GUI.

• VLAN interface configured on the ACE and a

policy map assigned to the VLAN interface.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-3

Setting Up the ACE

Setting Up the ACE

This section describes the tasks associated with setting up the ACE and includes the following topics:

• Establishing a Console Connection on the ACE

• Using the Setup Script to Enable Connectivity to the Device Manager

• Connecting and Logging In to the ACE

• Changing or Resetting the Administrative Password

• Assigning a Name to the ACE

• Configuring an ACE Inactivity Timeout

• Configuring a Message-of-the-Day Banner

• Configuring the Date and Time

• Synchronizing the ACE with an NTP Server

• Configuring Terminal Settings

• Modifying the Boot Configuration

Chapter 1 Setting Up the ACE

• Restarting the ACE

• Shutting Down the ACE

Establishing a Console Connection on the ACE

This section describes how to establish a direct serial connection between your terminal or a PC and the
ACE by making a serial connection to the console port on the rear panel of the ACE. The ACE has one
standard RS-232 serial port found on the rear panel that operates as the console port.

Prerequisites

This setup procedure requires a properly configured terminal and cable as described in the “Prerequisites

for Setting Up the ACE” section.

Restrictions

Only the Admin context is accessible through the console port; all other contexts can be reached through
Telnet or SSH sessions.

Detailed Steps

Follow these steps to access the ACE using a direct serial connection:

Step 1 Connect the serial cable between the ACE and the terminal and then use any terminal communications

application to access the ACE CLI. This procedure uses HyperTerminal for Windows.

Step 2 Launch HyperTerminal. The Connection Description window appears.
Step 3 Enter a name for your session in the Name field.
Step 4 Click OK. The Connect To window appears.
Step 5 From the drop-down list, choose the COM port to which the device is connected.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-4

OL-20823-01

Chapter 1 Setting Up the ACE

Step 6 Click OK. The Port Properties window appears.
Step 7 Set the following port properties:

Step 8 Click OK to connect.
Step 9 Press Enter to access the CLI prompt.

What to Do Next

Setting Up the ACE

• Baud Rate = 9600

• Data Bits = 8

• Flow Control = none

• Parity = none

• Stop Bits = 1

switch login:

When the login prompt displays, proceed with the following tasks:

• Once a session is created, choose Save As from the File menu to save the connection description.

Saving the connection description has the following two advantages:

–

The next time that you launch HyperTerminal, the session is listed as an option under

Start > Programs > Accessories > Hy

reach the CLI prompt directly without going through the configuration steps.

perTerminal > Name_of_session. This option lets you

–

You can connect your cable to a different device without configuring a new HyperTerminal
session. If you use this option, make sure that you connect to the same port on the new device
as was configured in the saved HyperTerminal session. Otherwise, a blank screen appears
without a prompt.

• If this is the first time that you are booting the ACE, see the “Using the Setup Script to Enable

Connectivity to the Device Manager” section.

If this is not the first time that you are booting the ACE, see the “Connecti

ng and Logging In to the
ACE” section for information about logging in and entering the configuration mode to configure the

ACE.

Using the Setup Script to Enable Connectivity to the Device Manager

This section describes how to use the setup script to simplify connectivity to the Device Manager GUI
(as described in the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI
Quick Configuration Guide). When you boot the ACE for the first time and the appliance does not detect
a startup-configuration file, a setup script appears to guide you through the process of configuring a
management VLAN on the ACE through one of its Gigabit Ethernet ports.

After you specify a gigabit Ethernet port, port mode, and a management VLAN, the setup script

o

matically applies the following default configuration:

aut

• Management VLAN allocated to the specified Ethernet port.

• VLAN 1000 assigned as the management VLAN interface.

• GigabitEthernet port mode configured as VLAN access port.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-5

Setting Up the ACE

Detailed Steps

Chapter 1 Setting Up the ACE

• Extended IP access list that allows IP traffic originating from any other host addresses.

• Traffic classification (class map and policy map) created for management protocols HTTP, HTTPS,

ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated for connectivity with the Device
Manager GUI.

• VLAN interface configured on the ACE and a policy map assigned to the VLAN interface.

The ACE provides a default answer in brackets [ ] for each ques

default configuration prompt, press Enter, and the ACE accepts the setting. To skip the remaining
configuration prompts, press Ctrl-C any time during the configuration sequence.

Note The script configuration process described in this section is identical to the script configuration process

performed using the setup CLI command.

Follow these steps to configure the ACE using the setup script:

Step 1 Ensure that you have established a direct serial connection between your terminal or a PC and the ACE

(see the “Establishing a Console Connection on the ACE” section).

Step 2 Press the power button on the front of the ACE and the boot process occurs. See the Cisco Application

Control Engine Appliance Hardware Installation Guide for details.

Step 3 At the login prompt, log into the ACE by entering the login username and password. By default, the

username and password are admin. For example, enter:

Starting sysmgr processes.. Please wait...Done!!!

tion in the setup script. To accept a

switch login: admin
Password: admin

Step 4 At the prompt “Enter the password for “admin:”, change the default Admin password. If you do not

change the default Admin password, after you upgrade the ACE software you will only be able to log in
to the ACE through the console port.

Enter the new password for "admin": xxxxx
Confirm the new password for "admin": xxxxx
admin user password successfully changed.

Step 5 At the prompt “Enter the password for “www:”, change the default www user password. If you do not

change the default www user password, the www user will be disabled and you will not be able to use
Extensible Markup Language (XML) to remotely configure an ACE until you change the default www
user password.

Enter the new password for "www": xxxxx
Confirm the new password for "www": xxxxx
www user password successfully changed.

Step 6 At the prompt “Would you like to enter the basic configuration dialog? (yes/no):”, type yes to continue

the setup (or select no to or bypass its operation and directly access the CLI).

Step 7 At the prompt “Enter the Ethernet port number to be used as the management port (1-4):? [1]:”, specify

the Ethernet port that you want to use to access the Device Manager GUI. Valid entries are 1 through 4.

The default is Ethernet port 1. Press Enter.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-6

OL-20823-01

Chapter 1 Setting Up the ACE

Step 8 At the prompt “Enter the management port IP Address (n.n.n.n): [192.168.1.10]:”, assign an IP address

to the management VLAN interface. When you assign an IP address to a VLAN interface, the ACE

automatically makes it a routed mode interface. Press Enter.

Step 9 At the prompt “Enter the management port Netmask(n.n.n.n): [255.255.255.0]:”, assign a subnet mask

to the management VLAN interface. Press Enter.

Step 10 At the prompt “Enter the default route next hop IP Address (n.n.n.n) or <enter> to skip this step:”, choose

whether to assign an IP address of the gateway router (the next-hop address for this route). If you specify

yes, enter the IP address of default gateway. The gateway address must be in the same network as
specified in the IP address for a VLAN interface. Press Enter.

Step 11 After you configure the Ethernet port, the setup script displays a summary of entered values:

Step 12 At the prompt “Submit the configuration including security settings to the ACE Appliance?

(yes/no/details): [y]:”, enter one of the following replies:

• Typ e y to apply the appropriate configuration and save the running-configuration to the

• Typ e n to bypass applying the configuration and saving the running-configuration to the

Setting Up the ACE

Management Port: 3
Ip address 12.3.4.5
Netmask: 255.255.255.0
Default Route: 23.4.5.6

startup-configuration file. This is the default.

startup-configuration file.

• Typ e d to view a detailed summary of the entered configuration values before you apply those

configuration values to the ACE.

Step 13 If you select d, the configuration summary appears:

interface gigabitEthernet 1/3
switchport access vlan 1000
no shut
access-list ALL extended permit ip any any class-map type management match-any
remote_ac
match p
match protocol dm-telnet any
match protocol icmp any
match protocol telnet any
match protocol ssh any
match protocol http any
match protocol https any
match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 192.168.1.10 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ssh key rsa
ip route 0.0.0.0 0.0.0.0 172.16.2.1

cess
rotocol xml-https any

The prompt “Submit the configuration including security settings to the ACE Appliance?
(yes/no/details): [y]:” reappears. Enter one of the following replies:

• Typ e y to apply the appropriate configuration and save the running-configuration to the

startup-configuration file. This is the default.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-7

Setting Up the ACE

• Typ e n to bypass applying the configuration and saving the running-configuration to the

startup-configuration file.

Step 14 When you select y, the following message appears:

Configuration successfully applied. You can now manage this ACE Appliance by entering the
url 'https://192.168.1.10' into a web browser to access the Device Manager GUI.

Connecting and Logging In to the ACE

This section describes how to connect (session) to the ACE as the default user from the ACE console
port. Once you connect to the ACE as the default user, you can then log in and enter the configuration
mode to configure the ACE.

The ACE creates the following default users at startup: admin, dm, and www.

• The admin user is the global administrator and cannot be deleted.

• The dm user is for accessing the Device Manager GUI and cannot be deleted. The dm user is an

internal user required by the Device Manager GUI; it is hidden on the ACE CLI.

Chapter 1 Setting Up the ACE

Restrictions

Note Do not modify the dm user password from the ACE CLI. If the password is changed, the Device

Manager GUI will become inoperative. If this occurs, restart the Device Manager using the dm
reload command (you must be the global administrator to access the dm reload command).

Note that restarting the Device Manager does not impact ACE functionality; however, it may
take a few minutes for the Device Manager to reinitialize as it reads the ACE CLI configuration.

• The ACE uses the www user account for the XML interface and cannot be deleted.

Later, when you configure interfaces and IP addresses on the

ACE itself, you can remotely access the
ACE CLI through an ACE interface by using a Telnet or SSH session. To configure remote access to the
ACE CLI, see Chapter 2, Enabling Remote Access to the ACE. For details on configuring interfaces on

47

the ACE, see the Cisco

00 Series Application Control Engine Appliance Routing and Bridging

Configuration Guide.

You can configure the ACE to provide a higher level of security for users acc

essing the ACE. For
information about configuring user authentication for login access, see the Cisco 4700 Series
Application Control Engine Appliance Security Configuration Guide.

Only the Admin context is accessible through the console port; all other contexts can be reached through
a Telnet or SSH remote access session.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-8

OL-20823-01

Chapter 1 Setting Up the ACE

Detailed Steps

Step 1 Access the ACE directly by its console port, attach a terminal to the asynchronous RS-232 serial port on

Step 2 Log into the ACE by entering the login username and password at the following prompt:

Setting Up the ACE

Follow these steps to session into the ACE and access configuration mode to perform the initial
configuration:

the rear panel of the ACE. The ACE has one standard RS-232 serial port found on the rear panel that
operates as the console port. Any device connected to this port must be capable of asynchronous
transmission. Connection requires a terminal configured as 9600 baud, 8 data bits, hardware flow control
on, 1 stop bit, no parity.See the “Establishing a Console Connection on the ACE” section.

switch login: admin
Password: admin

By default, both the username and password are admin.

The prompt changes to the following:

host1/Admin#

To change the default login username and password, see the “Changing or Resetting the Administrative

Password” section for details.

Caution You must change the default Admin password if you have not already done so. Otherwise, you

will be able to log in to the ACE only through the console port. You will not be able to access
the ACE using Telnet or SSH until you change the default Admin password.

Note When you boot the ACE for the first time and the appliance does not detect a

startup-configuration file, a setup script appears to enable connectivity to the ACE Device

Manager GUI. The start-up script is not intended for use with the CLI. Select no to skip the use

of the setup script and proceed directly to the CLI. See “Connecting and Logging In to the ACE”
section for details.

Step 3 To access configuration mode, enter:

host1/Admin# configure
Enter configuration commands, one per line. End with CNTL/Z

The prompt changes to the following:

host1/Admin(config)#

Changing or Resetting the Administrative Password

This section describes how to change or reset the administrative password and includes the following
topics:

• Changing the Administrative Password

• Resetting the Administrator Account Password

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-9

Setting Up the ACE

Changing the Administrative Password

This section describes how to change the administrative password. During the initial login process to the

ACE, you enter the default user name admin and the default password admin in lowercase text. You

cannot modify or delete the default administrative username; however, for security reasons, you must
change the default administrative password. If you do not change the password, then security on your
ACE can be compromised because the administrative username and password are configured to be the
same for every ACE shipped from Cisco Systems.

The administrative username and pas
ACE, it reads the username and password from Flash memory. Global administrative status is assigned
to the administrative username by default.

Note For information about changing a user password, see the Cisco 4700 Series Application Control Engine

Appliance Virtualization Configuration Guide.

Caution You must change the default Admin password if you have not already done so. Otherwise, you can log

in to the ACE only through the console port.

Chapter 1 Setting Up the ACE

word are stored in Flash memory. Each time that you reboot the

s

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-10

OL-20823-01

Chapter 1 Setting Up the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

config

Example:

host1/Admin# config
host1/Admin(config)#

username

password

{

Example:

host1/Admin(config)# username admin
password 0 mysec

name1

}]

[password [0 | 5]

ret_801

Setting Up the ACE

Enters global configuration mode.

Changes the default username and password. The keywords,
arguments, and options are as follows:

• name1—Sets the username that you want to assign or

change. Enter admin.

• password—(Optional) Keyword that indicates that a

password follows.

• 0—(Optional) Specifies a clear text password.

• 5—(Optional) Specifies an MD5-hashed strong encryption

password.

• password—The password in clear text, encrypted text, or

MD5 strong encryption, depending on the numbered option
(0 or 5) that you enter. If you do not enter a numbered option,
the password is in clear text by default. Enter a password as
an unquoted text string with a maximum of 64 characters.

Step 3

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config startup-config

Resetting the Administrator Account Password

This section describes how recover the admin password during the initial bootup sequence of the ACE
if you forget the password for the ACE administrator account and cannot access the ACE. You must have
access to the ACE through the console port to be able to reset the password for the Admin user back to
the factory-default value of admin.

Restrictions

Note If you specify an MD5-hashed strong encryption

password, the ACE considers a password to be weak if it
less than eight characters in length.

The ACE supports the following special characters in a
password:

, . / = + - ^ @ ! % ~ # $ * ( )

xt pas

Note that the ACE encrypts clear te

swords in the

running-config.

(Optional) Copies the running configuration to the startup
configuration.

Only the Admin context is accessible through the console port.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-11

Setting Up the ACE

Detailed Steps

Chapter 1 Setting Up the ACE

Follow these steps to reset the password that allows the Admin user access to the ACE:

Step 1 Connect to the console port on the ACE.
Step 2 Log in to the ACE. See the “Connecting and Logging In to the ACE” section.
Step 3 Reboot the ACE. See the “Restarting the ACE” section.
Step 4 During the bootup process, output appears on the console terminal. Press ESC when the “Starting

services...” message appears on the terminal (see the example below). The setup mode appears. If you
miss the time window, wait for the ACE to properly complete booting, reboot the ACE, and try again to

access the setup mode by pressing ESC.

Daughter Card Found. Continuing...

INIT: Entering runlevel: 3

Testing PCI path ....

This may take some time, Please wait ....

PCI test loop , count 0
PCI path is ready
Starting services... <<<<< Press

Entering setup sequence...
Reset Admin password [y/n] (default: n): y

Resetting admin password to factory default...
.

Starting sysmgr processes.. Please wait...Done!!!

switch login:

ESC when you see this mes

sage

Step 5 The setup mode prompts if you want to reset the admin password. Enter y. The “Resetting admin

password to factory default” message appears. The ACE deletes the admin user password configuration
from the startup-configuration and resets the password back to the factory default value of admin.

The boot process continues as normal and you are

Assigning a Name to the ACE

This section describes how to specify a hostname for the ACE or for the peer ACE in a redundant
configuration. The hostname is used to identify the ACE and for the command-line prompts. If you
establish sessions to multiple devices, the hostname helps you track where you enter commands. By
default, the hostname for the ACE is “switch.”

Restrictions

Only the Admin context is accessible through the console port.

able

to enter the admin password at the login prompt.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-12

OL-20823-01

Chapter 1 Setting Up the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

config

Example:

host1/Admin# config
host1/Admin(config)#

hostname name

Setting Up the ACE

Enters global configuration mode.

Changes the ACE name.

Example:

host1/Admin(config)# hostname ACE_1
ACE_1/Admin(config)#

Step 3

Step 4

peer hostname name

Example:

ACE_1/Admin(config)# peer hostname ACE_2

do copy running-config startup-config

Example:

ACE_1/Admin(config)# do copy
running-config s

tartup-config

Configuring an ACE Inactivity Timeout

This section describes how to modify the length of time that can occur before the ACE automatically
logs off an inactive user by specifying the length of time that a user session can be idle before the ACE
terminates the console, Telnet, or SSH session. By default, the inactivity timeout value is 5 minutes.

Restrictions

The login timeout command setting overrides the terminal session-timeout setting (see the

“Configuring Terminal Display Attributes” section).

The name ar

gument specifies a new hostname for the ACE. Enter
a case-sensitive text string that contains from 1 to 32
alphanumeric characters.

(Optional) Changes the peer ACE name in a redundant
configuration.

The name ar

gument specifies a new hostname for the peer ACE.
Enter a case-sensitive text string that contains from 1 to 32
alphanumeric characters.

(Optional) Copies the running configuration to the startup
configuration.

Detailed Steps

Command Purpose

Step 1

Step 2

OL-20823-01

config

Example:

host1/Admin# config
host1/Admin(config)#

login timeout minutes

Example:

host1/Admin(config)# login timeout 10

Enters global configuration mode.

Configures the inactivity timeout value.

The minutes ar

gument specifies the length of time that a user can
be idle before the ACE terminates the session. Valid entries are
from 0 to 60 minutes. A value of 0 instructs the ACE never to
timeout. The default is 5 minutes.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-13

Setting Up the ACE

Command Purpose

Step 3

no login timeout

Example:

host1/Admin(config)# no login timeout

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config s

tartup-config

(Optional) Restores the default timeout value of 5 minutes.

(Optional) Copies the running configuration to the startup
configuration.

Configuring a Message-of-the-Day Banner

This section describes how to configure a message in configuration mode to display as the
message-of-the-day banner when a user connects to the ACE. Once connected to the ACE, the
message-of-the-day banner appears, followed by the login banner and Exec mode prompt.

Restrictions

Chapter 1 Setting Up the ACE

If you connect to the ACE by using an SSH version 1 remote access session, the message-of-the-day
banner is not displayed.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-14

OL-20823-01

Chapter 1 Setting Up the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

config

Example:

host1/Admin# config
host1/Admin(config)#

banner motd text

Setting Up the ACE

Enters global configuration mode.

Configures the message-of-the-day banner.

Example:

host1/Admin(config)# banner motd #Welcome
to “$(hostname)”...#

The text ar

gument is a line of message text to be displayed as the
message-of-the-day banner. The text string consists of all
characters that follow the first space until the end of the line
(carriage return or line feed).

mit

The pound (#) character functions as the deli

ing character for
each line. For the banner text, spaces are allowed but tabs cannot
be entered at the CLI. To instruct the ACE to display multiple
lines in a message-of-the-day banner, enter a new banner motd
command for each line that you want to appear.

80

The banner message is a maximum of

characters per line, up
to a maximum of 3000 characters (3000 bytes) for a
message-of-the-day banner. This maximum value includes all
line feeds and the last delimiting character in the message.

To add multiple lines to an existing a message-of-the-day

er

, precede each line by using the banner motd command.

bann
The ACE appends each line to the end of the existing banner. If
the text is empty, the ACE adds a carriage return (CR) to the
banner.

(tok

You can include tokens in the form $

en) in the message text.
Tokens will be replaced with the corresponding configuration
variable. For example, enter:

• $(hostname)—Displays the hostname for the ACE during

run time.

• $(line)—Displays the tty (teletypewriter) line or name (for

example, “/dev/console”, “/dev/pts/0”, or “1”).

To use the $(hostname) in a single line banner motd input, you
must in

clude double quotes (“) around the $(hostname) so that
the $ is interpreted as a special character at the beginning of a
variable in the single line (see the Step example).

OL-20823-01

Do not use the double quote character (“) or the percent sign

aracter (

ch

%) as a delimiting character in a single line message

string.

For multi-line input, double quotes (“) are not required for the

e

n because the input mode is different from signal-line mode.

tok
When you operate in multi-line mode, the ACE interprets the
double quote character (“) literally.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-15

Setting Up the ACE

Step 3

Step 4

Examples

Command Purpose

no banner motd

Example:

host1/Admin(config)# do show banner motd

do show banner motd

Example:

host1/Admin(config)# no banner motd

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config s

tartup-config

The following example shows how to span multiple lines and use tokens to configure the banner
message:

host1/Admin(config)# banner motd #
Enter TEXT message. End with the character '#'.
================================
Welcome to Admin Context

-------------------------------­Hostname: $(hostname)
Tty Line: $(line)
=================================
#

(Optional) Replace a banner or a line in a multi-line banner.

(Optional) Display the configured banner message.

(Optional) Copies the running configuration to the startup
configuration.

Chapter 1 Setting Up the ACE

Configuring the Date and Time

This section describes how to manually configure the date, time, and time zone settings for an ACE.

You can automatically set the date and time of the AC
(NTP) server. For details, see the “Synchronizing the ACE with an NTP Server” section.

This section contains the following topics:

• Setting the System Time and Date

• Configuring the Time Zone

• Adjusting for Daylight Saving Time

Setting the System Time and Date

This section describes how to set the time and the date for an ACE.

Note If you wish to use the Network Time Protocol (NTP) to automatically synchronize the ACE system clock

to an authoritative time server (such as a radio clock or an atomic clock), see the “Synchronizing the

ACE with an NTP Server” section. In this case, the NTP time server automatically sets the ACE system

clock.

E by synchronizing to a Network Time Protocol

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-16

OL-20823-01

Chapter 1 Setting Up the ACE

Restriction

Detailed Steps

Command Purpose

Step 1

Step 2

clock set hh:mm:ss DD MONTH YYYY

Example:

host1/Admin# clock set 01:38:30 7 August
2009
Fri Aug 7 01:38:30 PST 2009

show clock

Setting Up the ACE

If you previously configured NTP on an ACE, the ACE prevents you from using the clock set command

to set the time and the date and displays an error message. To manually set the ACE system clock,
remove the NTP peer and NTP server from the configuration before setting the clock on an ACE. See
the “Synchronizing the ACE with an NTP Server” section for more information.

Sets the time and the date for an ACE. When you enter this
command, the ACE displays the current configured date and
time.

The arguments are:

• hh:mm:ss—Current time to which the ACE clock is being

reset. Specify two digits for the hours, minutes, and seconds.

• DD MONTH YYYY—Current date to which the ACE clock is

being reset. Specify one or two digits for the day, the full
name of the month, and four digits for the year. The
following month names are recognized: January, February,
March, April, May, June, July, August, September, October,
November, and December.

(Optional) Displays the current clock settings.

Example:

host1/Admin# show clock
Fri Aug 7 01:38:30 PST 2009

Configuring the Time Zone

This section describes how to set the time zone of the ACE. The ACE keeps time internally in Universal
Time Coordinated (UTC) offset.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-17

Setting Up the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

config

Example:

host1/Admin# config
host1/Admin(config)#

clock timezone {

minutes

Example:

host1/Admin(config)# clock timezone
PST -8 0

zone_name

} | {standard

{+ | –}

timezone

}

hours

Chapter 1 Setting Up the ACE

Enters global configuration mode.

Configures the time zone of the ACE.

The keywords, arguments, and options are as follows:

• zone_name—The 8-character name of the time zone (for

example, PDT) to be displayed when the time zone is in effect.

Table 1-1 lists the common time zone acronyms that you can use

for the zo

• hours—Hours offset from UTC. The range is from –23 to +23.

• minutes—Minutes offset from UTC. The range is from 0 to 59

ne_name ar

minutes.

• standard timezone—Displays a list of well known time zones

that include an applicable UTC hours offset. Available choices in
the list are as follows:

–

AKST—Alaska Standard Time, as UTC –9 hours

gument.

–

AST—Atlantic Standard Time, as UTC –4 hours

–

BST—British Summer Time, as UTC + 1 hour

–

CEST—Central Europe Summer Time, as UTC + 2 hours

–

CET—Central Europe Time, as UTC + 1 hour

–

CST—Central Standard Time, as UTC –6 hours

–

CST—Central Standard Time, as UTC + 9.5 hours

–

EEST—Eastern Europe Summer Time, as UTC + 3 hours

–

EET—Eastern Europe Time, as UTC + 2 hours

–

EST—Eastern Standard Time, as UTC -5 hours

–

GMT—Greenwich Mean Time, as UTC

–

HST—Hawaiian Standard Time, as UTC –10 hours

–

IST—Irish Summer Time, as UTC + 1 hour

–

MSD—Moscow Summer Time, as UTC + 4 hours

–

MSK—Moscow Time, as UTC + 3 hours

–

MST—Mountain Standard Time, as UTC –7 hours

–

PST—Pacific Standard Time, as UTC –8 hours

–

WEST—Western Europe Summer Time, as UTC + 1 hour

–

WST—Western Standard Time, as UTC + 8 hours

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-18

OL-20823-01

Chapter 1 Setting Up the ACE

Command Purpose

no clock timezone

Example:

host1/Admin(config)# no clock timezone

Step 3

Step 4

do show clock

Example:

host1/Admin (config)# do show clock
Fri Aug 7 01:38:30 PST 2009

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config startup-config

Setting Up the ACE

(Optional) Removes the clock timezone setting.

(Optional) Displays the current clock settings.

(Optional) Copies the running configuration to the startup
configuration.

Table 1-1 lists common time zone acronyms that you use when specifying the zone name using the

command’s zone

Tab l e 1-1 Common Time Zone Acronyms

_name argument.

Acronym Time Zone Name and UTC Offset
Europe

BST British Summer Time, as UTC + 1 hour

CET Central Europe Time, as UTC + 1 hour

CEST Central Europe Summer Time, as UTC + 2 hours

EET Eastern Europe Time, as UTC + 2 hours

EEST Eastern Europe Summer Time, as UTC + 3 hours

GMT Greenwich Mean Time, as UTC

IST Irish Summer Time, as UTC + 1 hour

MSK Moscow Time, as UTC + 3 hours

MSD Moscow Summer Time, as UTC + 4 hours

WET Western Europe Time, as UTC

WEST Western Europe Summer Time, as UTC + 1 hour

United States and Canada

AST Atlantic Standard Time, as UTC – 4 hours

ADT Atlantic Daylight Time, as UTC – 3 hours

CT Central Time, either as CST or CDT, depending on the place and time of the year

CST Central Standard Time, as UTC – 6 hours

CDT Central Daylight Saving Time, as UTC – 5 hours

ET Eastern Time, either as EST or EDT, depending on the place and time of the year

EST Eastern Standard Time, as UTC – 5 hours

EDT Eastern Daylight Saving Time, as UTC – 4 hours

MT Mountain Time, either as MST or MDT, depending on the place and time of the year

MDT Mountain Daylight Saving Time, as UTC – 6 hours

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-19

Setting Up the ACE

Chapter 1 Setting Up the ACE

Table 1-1 Common Time Zone Acronyms (continued)

Acronym Time Zone Name and UTC Offset

MST Mountain Standard Time, as UTC – 7 hours

d

PT Pacific Time, either as PST or PDT, depen

PDT Pacific Daylight Saving Time, as UTC – 7 hours

PST Pacific Standard Time, as UTC – 8 hours

AKST Alaska Standard Time, as UTC – 9 hours

AKDT Alaska Standard Daylight Saving Time, as UTC – 8 hours

HST Hawaiian Standard Time, as UTC – 10 hours

Australia

CST Central Standard Time, as UTC + 9.5 hours

EST Eastern Standard/Summer Time, as UTC + 10 hours (+11 hours during summer time)

WST Western Standard Time, as UTC + 8 hours

ing on the place and time of the year

Adjusting for Daylight Saving Time

This section describes how to configure the ACE to change the time automatically to summer time
(daylight saving time) by specifying when summer time begins and ends. All times are relative to the
local time zone; the start time is relative to standard time and the end time is relative to summer time. If
the starting month is after the ending month, the ACE assumes that you are located in the Southern
Hemisphere.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-20

OL-20823-01

Chapter 1 Setting Up the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

config

Example:

host1/Admin# config
host1/Admin(config)#

clock summer-time {

start_week start_day start_month
start_time end_week end_day end_month
end_time daylight_offset
timezone

Example:

host1/Admin(config)# clock summer-time
Pacific 1 Sun Ap

}

daylight_timezone_name

| standard

r 02:00 5 Sun Oct 02:00 6

Setting Up the ACE

Enters global configuration mode.

Configures the ACE to change the time automatically to summer
time (daylight saving time).

The keywords, arguments, and options are as follows:

• daylight_timezone_name—The eight-character name of the

time zone (for example, PDT) to be displayed when summer

0

time is in effect. See Tab le 1-1 for the list the common time

one acronyms used for the dayligh

z

t_timezone_name

argument.

• start_week end_week—The week, ranging from 1 through 5.

• start_day end_day—The day, ranging from Sunday through

Saturday.

• start_month end_month—The month, ranging from January

through December.

• start_time end_time—Time, in military format, specified in

hours and minutes.

• daylight_offset—Number of minutes to add during the

summer time. Valid entries are 1 to 1440.

• standard timezone—Displays a list of well known time

zones that include an applicable daylight time start and end
range along with a daylight offset. Available list choices are
as follows:

–

ADT—Atlantic Daylight Time: 2 a.m. 1st Sunday April

to 2 a.m. last Sunday Oct, + 60 min

–

AKDT—Alaska Standard Daylight Time: 2 a.m. 1st

Sunday April to 2 a.m. last Sunday Oct, + 60 min

–

CDT—Central Daylight Time: 2 a.m. 1st Sunday April

to 2 a.m. last Sunday Oct, + 60 min

–

EDT—Eastern Daylight Time: 2 a.m. 1st Sunday April

to 2 a.m. last Sunday Oct, + 60 min

–

MDT—Mountain Daylight Time: 2 a.m. 1st Sunday

April to 2 a.m. last Sunday Oct, + 60 min

–

PDT—Pacific Daylight Time: 2 a.m. 1st Sunday April

to 2 a.m. last Sunday Oct, + 60 min

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-21

Setting Up the ACE

Command Purpose

Step 3

no clock summer-time

Example:

host1/Admin(config)# no clock summer-time

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config s

tartup-config

(Optional) Remove the clock summer-time setting.

(Optional) Copies the running configuration to the startup
configuration.

Synchronizing the ACE with an NTP Server

This section describes how to use Network Time Protocol (NTP) to synchronize the ACE system clock
to a time server. NTP is an Internet protocol designed to synchronize the clocks of computers over a
network. Typically, an NTP network receives its time from an authoritative time source, such as a radio
clock or an atomic clock attached to a time server, and assures accurate local time-keeping. NTP
distributes this time across the network. The NTP protocol can synchronize distributed clocks within
milliseconds over long time periods.

NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305.

TP communication uses Coordinated Universal Time (UTC), which is the same as Greenwich

ll N

A
Mean Time.

Chapter 1 Setting Up the ACE

Prerequisites

Restrictions

h

An NTP association can be a peer association, which means t

at the ACE is willing to synchronize to
the other system or to allow the other system to synchronize to the ACE. An NTP association can also
be a server association, which means that only this system will synchronize to the other system, not the
other way around. You can identify multiple servers; the ACE uses the most accurate server. To configure
the ACE system clock to synchronize a peer (or to be synchronized by a peer) or to be synchronized by

a time server, use the ntp command. To display a list of the current associated peers and NTP statistical

information, see the “Displaying NTP Statistics and Information” section.

This configuration topic includes the following prerequisites:

• An NTP server must be accessible by the client ACE.

• If you are configuring application acceleration and optimization functionality (as described in the

Cisco 4700 Series Application Control Engine Appliance Application Acceleration and
Optimization Configuration Guide), and you plan to use an optional Cisco AVS 3180A Management

Console with multiple ACE nodes, we strongly recommend that you synchronize the system clock
of each ACE node with an NTP server. AppScope performance monitoring relies on very accurate
time measurement, in the millisecond range. If you instal multiple ACE appliances, you must
synchronize the clocks so that different parts of a single transaction can be handled by different
nodes.

Only users authenticated in the Admin context can use the ntp command.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-22

OL-20823-01

Chapter 1 Setting Up the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

Step 3

config

Example:

ACE_1/Admin# config
ACE_1/Admin(config)#

ntp peer

Example:

ACE_1/Admin(config)# ntp peer 192.168.10.0

no ntp peer

Example:

ACE_1/Admin(config)# no ntp peer

192.168.10.0

ntp server

Example:

ACE_1/Admin(config)# ntp server

192.168.10.10

ip_address

[prefer]

ip_address

ip_address

[prefer]

Setting Up the ACE

Enters global configuration mode.

Configure the ACE system clock to synchronize a peer (or to be
synchronized by a peer).

The keywords, arguments, and options are:

• ip_address—IP address of the peer providing or being

provided by the clock synchronization.

• prefer—(Optional) Makes this peer the preferred peer that

provides synchronization. Using the prefer keyword

reduces switching back and forth between peers.

(Optional) Remove an NTP peer or server from the
configuration.

Configure the ACE system clock to be synchronized by a time
server.

The keywords, arguments, and options are:

• ip_address—IP address of the time server that provides the

clock synchronization.

Step 4

Examples

no ntp server

Example:

ACE_1/Admin(config)# no ntp server

192.168.10.10

do copy running-config startup-config

Example:

ACE_1/Admin(config)# do copy
running-config s

ip_address

tartup-config

For example, to specify multiple NTP server IP addresses and identify a preferred server, enter:

host1/Admin(config)# ntp server 192.168.10.10 prefer
host1/Admin(config)# ntp server 192.168.4.143
host1/Adm

in(config)# ntp server 192.168.5.10

• prefer—(Optional) Makes this server the preferred server

that provides synchronization. The prefer keyword sets this

NTP server as the preferred server if multiple servers have
similar accuracy. NTP uses an algorithm to determine which
server is the most accurate and synchronizes to that one. If

servers have similar accuracy, then the prefer keyword

specifies which server to use.

(Optional) Remove an NTP peer or server from the
configuration.

(Optional) Copies the running configuration to the startup
configuration.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-23

Setting Up the ACE

Configuring Terminal Settings

This section describes how to access the ACE CLI by using one of the following methods:

• Make a direct connection by using a dedicated terminal attached to the console port on the front of

the ACE.

• Establish a remote connection to the ACE using the Secure Shell (SSH) or Telnet protocols.

This section contains the following topics:

• Configuring Terminal Display Attributes

• Configuring Virtual Terminal Line Settings

Chapter 1 Setting Up the ACE

For details on configuring remote access to the ACE CLI using SSH or Telnet, see Chapter 2, Enabl

Remote Access to the ACE.

Restrictions

This configuration topic includes the following restrictions:

• Only the Admin context is accessible through the console port; all other contexts can be reached

through Telnet or SSH.

• The login timeout command setting overrides the terminal session-timeout setting (see the

“Configuring an ACE Inactivity Timeout” section).

Configuring Terminal Display Attributes

This section describes how to specify the number of lines and the width for displaying information on a
terminal during a console session.

Restrictions

The maximum number of displayed screen lines is 511 columns.

ing

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-24

OL-20823-01

Chapter 1 Setting Up the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

terminal length

Example:

host1/Admin# terminal lines 50

terminal monitor

Example:

host1/Admin# terminal monitor
%ACE-7-111009: User 'admin'
executed cmd: te

lines

rminal monitor

Setting Up the ACE

Specifies the number of lines for displaying information on a terminal
during a console session.

The lines ar
terminal screen. This command is specific to only the console port. Telnet
and SSH sessions set the length automatically. Valid entries are from 0 to

511. The default is 24 lines. A value of 0 instructs the ACE to scroll
continuously (no pausing) and overrides the terminal width value. If you
later change the terminal length to any other value, the originally
configured terminal width value takes effect.

Starts the terminal monitor session and displays syslog output on the
terminal. To enable the various levels of syslog messages to the terminal,

use the logging monitor command (see the Cisco 4700 Series

Application Control Engine Appliance System Message Guide for
details).

gument sets the number of lines displayed on the current

Step 3

Step 4

Step 5

%ACE-7-111009:
executed cmd: terminal

monitor......

terminal no monitor

Example:

host1/Admin# terminal no monitor

terminal session-timeout

Example:

host1/Admin# terminal
session-timeout 600

terminal terminal-type

Example:

host1/Admin# terminal terminal-type
vt200

terminal width

Example:

host1/Admin# terminal width 250

User 'admin'

minutes

text

characters

(Optional) Stops the current terminal monitoring session.

Specifies the inactivity timeout value in minutes to configure the
automatic logout time for the current terminal session on the ACE. When
inactivity exceeds the time limit configured by this command, the ACE
closes the session and exits. The range is from 0 to 525600. The default

value is inherited from the value that is configured for the login timeout
command. If you do not configure a value for the login timeout

command, the default for both commands is 5 minutes. You can set the

meout value to 0 to disable this feature so that the

terminal sessi

on-ti

terminal remains active until you choose to exit the ACE. The ACE does
not save this change in the configuration file.

The min

utes argument sets the timeout value in minutes.

Specifies the name and type of the terminal used to access the ACE. If a
Telnet or SSH session specifies an unknown terminal type, the ACE uses
the VT100 terminal by default.

The mi

nutes ar

gument is the terminal type. Specify a text string from 1 to

80 alphanumeric characters.

Specifies the width for displaying information on a terminal during a
console session. This command is specific to the console port only.Telnet
and SSH sessions set the width automatically.

haracters ar

The c
current terminal screen. Valid entries are from 24 to 512

gument sets the number of characters displayed on the

. The default is

80 columns.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-25

Setting Up the ACE

Command Purpose

terminal no width

Example:

host1/Admin# terminal no width

Chapter 1 Setting Up the ACE

(Optional) Resets a terminal setting to its default value.

Step 6

show terminal

Example:

host1/Admin# show terminal
TTY: /dev/pts/0 Type: “vt100”
Length: 25 lines, Width: 80 columns
Session Timeout: 60 minutes

Configuring Virtual Terminal Line Settings

This section describes how to configure the virtual terminal line settings to enable remote access to the
ACE. A virtual terminal line is not associated with the console port; instead, it is a virtual port that allows
you to access the ACE.

Detailed Steps

Command Purpose

Step 1

Step 2

config

Example:

host1/Admin# config
host1/Admin(config)#

line vty

(Optional) Displays the console terminal settings.

Enters global configuration mode.

Enters line configuration mode.

Step 3

Step 4

Example:

host1/Admin(config)# line vty
host1/Admin(config-line)#

session-limit

Example:

host1/Admin(config-line)# session-limit 23

no session-limit

Example:

host1/Admin(config-line)# no session-limit
23

do copy running-config startup-config

Example:

host1/Admin(config-line)# do copy
running-config startup-config

number

number

Specifies the maximum number of terminal sessions per line. The
range is from 1 to 251.

(Optional) Disables a setting for the configured virtual terminal
line.

(Optional) Copies the running configuration to the startup
configuration.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-26

OL-20823-01

Chapter 1 Setting Up the ACE

Command Purpose

Step 5

Step 6

Ctrl-z

Example:

host1/Admin(config-line)# ctrl-z
host1/Admin#

clear line vty_name

Example:

host1/Admin# clear line vty vty1

Modifying the Boot Configuration

This section describes how control the way in which the ACE performs its boot process. You can instruct
the ACE to automatically boot the system image identified in the BOOT environment variable or you can
manually identify the system boot image to use. In addition, you can choose to have the ACE load the
startup-configuration file or ignore the startup-configuration file upon reboot.

This section describes how to modify the boot configuration of the ACE and contains the following

opi

cs:

t

• Setting the Boot Method from the Configuration Register

Setting Up the ACE

(Optional) Returns to the Exec mode prompt.

(Optional) Closes a specified vty session.

The vty_name
Enter a maximum of 64 characters for the name of the virtual
terminal.

argument specifies the name of the VTY session.

• Setting the BOOT Environment Variable

• Configuring the ACE to Bypass the Startup Configuration File During the Boot Process

Setting the Boot Method from the Configuration Register

This section describes how to modify the boot method that the ACE uses at the next startup by setting the boot
field in the software configuration register. The configuration register identifies how the ACE should boot,
automatically or manually.

Restrictions

The config-register command used to change the configuration register settings affects only the

configuration register bits that control the boot field and leaves the remaining bits unaltered.

Detailed Steps

Command Purpose

Step 1

config

Example:

host1/Admin# config
host1/Admin(config)#

Enters global configuration mode.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-27

Setting Up the ACE

Command Purpose

Step 2

config-register

Example:

host1/Admin(config)# config-register 0x1

no config-register 0x1

value

Chapter 1 Setting Up the ACE

The value argument represents the configuration register value
that you want to use the next time that you restart the ACE. The
supported value entries are as follows:

• 0x0—Upon reboot, the ACE boots to the GNU GRand

Unified Bootloader (GRUB). From the GRUB boot loader,
you specify the system boot image to use to boot the ACE.
Upon startup, the ACE loads the startup-configuration file
stored in the Flash memory (nonvolatile memory) to the
running-configuration file stored in RAM (volatile
memory). For information about using the GRUB boot
loader during a reboot, see the “Restarting the ACE”
section.

• 0x1—Upon reboot, the ACE boots the system image

identified in the BOOT environment variable (see the

“Setting the BOOT Environment Variable” section). The

BOOT environment variable specifies a list of image files on

a

rious devices from which the ACE can boot at startup. If

v
the ACE encounters an error or if the image is not valid, it
will try the second image (if one is specified). Upon startup,
the ACE loads the startup-configuration file stored in the
Flash memory (nonvolatile memory) to the
running-configuration file stored in RAM (volatile
memory).

(Optional) Resets the config-register setting.

Example:

host1/Admin(config)# no config-register
0x1

Step 3

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config s

tartup-config

Setting the BOOT Environment Variable

This section describes how to add several images to the BOOT environment variable to provide a
fail-safe boot configuration. The BOOT environment variable specifies a list of image files on various
devices from which the ACE can boot at startup. If the first file fails to boot the ACE, subsequent images
that are specified in the BOOT environment variable are tried until the ACE boots or there are no
additional images to attempt to boot. If there is no valid image to boot, the ACE enters ROMMON mode
where you can manually specify an image to boot.

The ACE stores and executes images i
variable. If you want to change the order in which images are tried at startup, you can either prepend and
clear images from the BOOT environment variable to attain the desired order or you can clear the entire
BOOT environment variable and then redefine the list in the desired order.

Copies the running configuration to the startup configuration.

n

the order in which you added them to the BOOT environment

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-28

OL-20823-01

Chapter 1 Setting Up the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

Step 3

config

Example:

host1/Admin# config
host1/Admin(config)#

boot system image:

Example:

host1/Admin(config)# boot system
image:c4710ace-mz.A3_1_0.bin

do show bootvar

image_name

Setting Up the ACE

Enters global configuration mode.

Sets the BOOT environment variable.

The image_name argument specifies the name of the system
image f
the wrong filename), then the filename is appended to the
bootstring, and this message displays, “Warning: File not found
but still added in the bootstring.” If the file does exist, but is not
a valid image, the file is not added to the bootstring, and this
message displays, “Warning: file found but it is not a valid boot
image.”

(Optional) Displays the BOOT environment variable settings.

ile. If the file does not exist (for example, if you entered

Example:

host1/Admin(config)# BOOT variable =

Step 4

"image:/c4710ace
0ace-mz.A1_8_0A.bin"
Configuration register is 0x1

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config s

-mz.A3_1_0.bin;image:/c47

tartup-config

1

Copies the running configuration to the startup configuration.

Configuring the ACE to Bypass the Startup Configuration File During the Boot Process

This section describes how to use the GRUB bootloader to instruct the ACE to bypass the
startup-configuration file stored on the appliance in the Flash memory (nonvolatile memory) during the
boot process. You may require the ACE to bypass the startup configuration file during bootup in the
following instances:

• Certain configurations cause problems that result in the ACE becoming nonresponsive. You can

bypass the startup configuration file to safely boot the ACE and then resolve issues with the
configuration.

• You forget the password for the ACE administrator CLI account and cannot access the ACE. You

can bypass the startup configuration file and log in with the default password of admin.

Note For the procedure on resetting the administrator CLI account password, see the “Resetting the

Administrator Account Password” section.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-29

Setting Up the ACE

Detailed Steps

Chapter 1 Setting Up the ACE

Follow these steps to instruct the ACE to bypass the startup-configuration file during the boot process
from the GRUB bootloader:

1. Enter the config-register command so that upon reboot the ACE boots to the GRUB bootloader. See

the “Setting the Boot Method from the Configuration Register” section.

2. Reboot the ACE. See the “Restarting the ACE” section. Upon reboot, the ACE boots to the GRUB

bootloader.

3. Press Esc when the countdown initiates on the GNU GRUB multiboot loader. The following GRUB

menu appears.

GNU GRUB version 0.95 (639K lower / 3144640K upper memory)

******************************************************************
* image(c4710ace-mz.A3_1_0.bin) *
* image(c4710ace-mz.A1_8_0A.bin) *

*

* *

* ******************************************************************

4. In the GRUB menu, use the arrow keys to select from the ACE images loaded in Flash memory. The

ACE image entry is highlighted in the list.

5. Type e to edit the kernel command line. If the boot string is greater than one line, you must press e

a second time. Append

ignorestartupcfg=1. to the end of the boot.

For example, the following illustrates the screen output when you first type e:

******************************************************************

* kernel=(hd0,1)/c4710ace-mz.A3_1_0.bin ro root=LABEL=/ auto consol* *

* *

******************************************************************

For example, the following illustrates the screen output when you press e a second time:

< auto console=ttyS0,9600n8 quiet bigphysarea=32768

At this point, append ignorestartupcfg=1 after the second edit.

< auto console=ttyS0,9600n8 quiet bigphysarea=32768 ignorestartupcfg=1

6. Press enter to return to the previous GRUB menu.

7. Press b to boot with this modified boot string.The ACE boot screen appears as follows:

Note When you instruct the ACE to bypass the startup-configuration file stored on the appliance, after

you boot the ACE and the startup-configuration file is empty (typically for a new ACE), the ACE
will automatically launch the setup script to enable connectivity to the ACE Device Manager
GUI (see the “Connecting and Logging In to the ACE” section). Otherwise, the ACE boot
screens appears as described in the output below. If necessary, you can manually launch the setup

script using the setup command in Exec mode.

kernel=(hd0,1)/c4710ace-mz.A3_1_0.bin ro root=LABEL=/ auto console=ttyS0,96

00n8 quiet bigphysarea=32768

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-30

OL-20823-01

Chapter 1 Setting Up the ACE

Setting Up the ACE

[Linux-bzImage, setup=0x1400, size=0xb732b7a]

INIT: version 2.85 booting

Daughter Card Found. Continuing...

INIT: Entering runlevel: 3

Testing PCI path ....

This may take some time, Please wait ....

PCI test loop , count 0
PCI path is ready
Starting services...

Installing MySQL
groupadd: group nobody exists
useradd: user nobody exists
MySQL Installed
Installing JRE
JRE Installed

Starting sysmgr processes.. Please wait...Done!!!

switch login: admin
password# xxxxx

What to Do Next

You may now configure the ACE to define basic configuration settings for the appliance.

Restarting the ACE

You can reboot the ACE directly from its CLI and reload the configuration. When you reboot the ACE, it
performs a full power cycle of both the hardware and software. Any open connections with the ACE are
dropped. The reset process can take several minutes.

Caution Configuration changes that are not written to the Flash partition are lost after a reload. Before rebooting,

enter the copy running-conf startup-config command in Exec mode to store the current configuration in

Flash memory. If you fail to save your configuration changes, the ACE reverts to its previous settings
upon restart.

This section includes the following topics:

• Restarting the ACE From the CLI

• Using the GRUB Boot Loader to Specify the System Boot Image During a Reload

Restarting the A C E F r o m t h e CL I

This section describes how to reboot the ACE directly from its CLI.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-31

Setting Up the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

copy running-config startup-config

Example:

host1/Admin# copy running-config
startup-config

reload

Example:

host1/Admin# reload
This command will reboot the system
Save configurations for all the contexts.
Save? [yes/no]:
Generating confi
running config of context Admin saved
Perform system reload. [yes/no]: [yes] yes

yes

guration....

Chapter 1 Setting Up the ACE

(Optional) Copies the running configuration to the startup
configuration.

Restarts the ACE and reloads the configuration. When you specify

reload, the ACE prompts you for confirmation and performs a

cold restart of the ACE.

During the reload process, the ACE performs one of the

lo

wing actions:

fol

• If you specified a value of 0x1 for the config-register

command (see the “Setting the Boot Method from the

Configuration Register” section), the ACE boots the system

image identified in the BOOT environment variable.

• If you specified a value of 0x0 for the config-register

command, the ACE enters the GRUB boot loader mode and
you must identify the location of an image file to boot (see

o

the “Using the GRUB Boot Loader t

Boot Image During a Reload” section).

Specify the System

Using the GRUB Boot Loader to Specify the System Boot Image During a Reload

This section describes how to specify a value of 0x0 for the config-register command (see the “Setting

the Boot Method from the Configuration Register” section) to force the ACE to enter the GRUB boot

loader mode upon a reload or pow
until you identify the location of an image file to boot.

Press Esc wh

GNU GRUB version 0.95 (639K lower / 3144640K upper memory)

******************************************************************

* image(c4710ace-mz.A3_1_0.bin) *

* image(c4710ace-mz.A1_8_0A.bin) *

* *

* ****************************************************************

en the count down initiates on the GRUB boot loader. The following GRUB menu appears.

In the GRUB menu, use the arrow keys to select from the ACE images loaded in the Flash memory. The
ACE image entry is highlighted in the list.

Perform one of the following actions:

• Press enter to boot the selected software version.

• Type e to edit the commands before booting.

• Type c to access a command line.

er cycle of the ACE. The ACE remains in GRUB boot loader mode

If no ACE images are loaded in the Flash memor

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-32

y, the GNU GRUB multiboot loader appears as follows:

OL-20823-01

Chapter 1 Setting Up the ACE

grub>

Shutting Down the ACE

This section describes how to remove power from the ACE by using the power button found on the front
panel.

Caution Configuration changes that are not written to the Flash partition are lost after a shutdown. Before you

shut down the ACE, enter the copy running-conf startup-config command in Exec mode to store the

current configuration in Flash memory. If you fail to save your configuration changes, the ACE reverts to
its previous settings upon restart.

Detailed Steps

Command Purpose

Step 1

Step 2

copy running-config startup-config

Example:

host1/Admin# copy running-config
startup-config

Press the front panel power button.

Displaying or Clearing the ACE Setup Configuration and Statistics

(Optional) Copies the running configuration to the startup
configuration.

Shuts down the ACE.

Displaying or Clearing the ACE Setup Configuration and
Statistics

This section describes how to display or clear the ACE setup configuration and includes the following
topics:

• Displaying ACE Setup Configuration and Statistics

• Clearing NTP Statistics

Displaying ACE Setup Configuration and Statistics

This section describes how to display the ACE setup configuration and statistical information and
includes the following topics:

• Displaying NTP Statistics and Information

• Displaying Other ACE Setup Configuration Information

Displaying NTP Statistics and Information

This section describes how to instruct the ACE to display the following NTP statistics and information:

• NTP peer statistics

• Input/output statistics

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-33

Displaying or Clearing the ACE Setup Configuration and Statistics

• Counters maintained by the local NTP

• Counters related to the memory code

• Listing of all associated peers

Restrictions

Only users who are authenticated in the Admin context can use the show ntp command.

Chapter 1 Setting Up the ACE

To display the NTP statistics and information, use the sho

w ntp command from Exec mode as follows:

Command Purpose

show ntp {peer-status | peers | statistics
{io | local | memory | peer

ip_address

Displays the NTP statistics and information.

}}

The keywords, arguments, and options are as follows:

Example:

host1/Admin# show ntp peer-status

Table 1-2 describes the fields in the sh

Tab l e 1-2 Field Descriptions for the show ntp peer-status Command

• peer-status—Displays the status for all configured NTP servers and

peers.

• peers—Displays a listing of all NTP peers.

• statistics—Displays the NTP statistics.

• io—Displays the input/output statistics.

• local—Displays the counters maintained by the local NTP.

• memory—Displays the statistic counters related to the memory code.

• peer—Displays the per-peer statistics counter of a peer.

• ip_address—Displays the peer statistics for the specified IP address.

ow ntp peer-status command output.

Field Description

Total Peers Number of associated peers

Remote IP addresses that correspond to the remote server and peer entries listed in the configuration file

Local IP addresses that correspond to the local server and peer entries listed in the configuration file

St The stratum

Poll The poll interval (in seconds)

Reach The status of the reachability register (see RFC-1305) in octal

Delay The latest delay (in microseconds)

Peer IP Address IP address of each associated peer

Serv/Peer Indication of whether the peer functions as an NTP server or NTP peer

Table 1-3 describes the fields in the sh

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-34

ow ntp peers command output.

OL-20823-01

Chapter 1 Setting Up the ACE

Displaying or Clearing the ACE Setup Configuration and Statistics

Tab l e 1-3 Field Descriptions for the show ntp peers Command

Field Description

Peer IP Address The IP address of each associated peer

Serv/Peer Indicates whether the peer functions as an NTP server or NTP peer

Table 1-4 describes the fields in the show ntp statistics io command output.

Tab l e 1-4 Field Descriptions for show ntp statistics io Command

Field Description

Time since reset Time since the last reset of the NTP software on the primary server

Receive buffers Total number of UDP client-receive buffers

Free receive buffers Current number of available client-receive buffers

Used receive buffers Current number of unavailable client-receive buffers

Low water refills Total number of times buffers were added, which also indicates the number of times there have been

low memory resources during buffer creation

Dropped packets Total number of NTP packets dropped by the ACE

Ignored packets Total number of NTP packets ignored by the ACE

Received packets Total number of NTP packets received by the ACE

Packets sent Total number of NTP packets transmitted by the ACE

Packets not sent Total number of NTP packets not sent by the ACE due to an error

Interrupts handled Total number of NTP timer interrupts handled by the ACE

Received by int Total number of pulses received that triggered an interrupt

Table 1-5 describes the fields in the sh

Tab l e 1-5 Field Descriptions for show ntp statistics local Command

ow ntp statistics local command output.

Field Description

System uptime Length of time that the ACE has been running.

Time since reset Time in hours since the ACE was last rebooted.

Old version packets Number of packets that match the previous NTP version. The version number is in every NTP packet.

New version packets Number of packets that match the current NTP version. The version number is in every NTP packet.

Unknown version number Number of packets with an unknown NTP version.

Bad packet format Number of NTP packets that were received and dropped by the ACE due to an invalid packet format.

Packets processed Number of NTP packets received and processed by the ACE.

Bad authentication Number of packets not verified as authentic.

Table 1-6 describes the fields in the sh

Cisco 4700 Series Application Control Engine Appliance Administration Guide

OL-20823-01

ow ntp statistics memory command output.

1-35

Displaying or Clearing the ACE Setup Configuration and Statistics

Tab l e 1-6 Field Descriptions for show ntp statistics memory Command

Field Description

Time since reset Time in hours since the ACE was last rebooted.

Total peer memory Total peer memory available for the allocation of memory to peer structures.

Free peer memory Current available peer memory.

Calls to findpeer The number of calls to findpeer.

Note findpeer is an entry point to the allocation of memory to peer structures that looks for

matching peer structures in the peer list.

New peer allocations Number of allocations from the free list.

Peer demobilizations Number of structures freed to the free list.

Hash table counts The count of peers in each hash table.

Table 1-7 describes the fields in the show ntp statistics peer command output.

Tab l e 1-7 Field Descriptions for show ntp statistics peer Command

Chapter 1 Setting Up the ACE

Field Description

Remote Host IP address of the specified peer.

Local Interface IP address of specified local interface.

Time Last Received Time that the last NTP response was received.

Time Until Next Send Length of time until the next send attempt.

Reachability Change The reachability status for the peer.

Packets Sent

Number of packets sent to the NTP peer.

Packets Received Number of packets received from the NTP peer.

Bogus Origin Number of packets received from the NTP peer

Duplicate Number of duplicate pack

Bad Dispersion Number of packets with an i

Note Dispersion measures the errors of the offset values, based on the round-trip delay and the

ets received from the NTP peer.

nvalid dispersion.

precision of the system and the server.

v

Bad Reference Time Number of packets with an in

alid reference time source.

Candidate Order Order in which the ACE may consider this serv

Displaying Other ACE Setup Configuration Information

To display the ACE setup configuration information, use the following show commands from Exec

mode:

of a

suspect origin.

er when it chooses the master.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-36

OL-20823-01

Chapter 1 Setting Up the ACE

Displaying or Clearing the ACE Setup Configuration and Statistics

Command Purpose

show banner motd Displays the configured banner message (see the “Con

Message-of-the-Day Banner” section).

show boot var Displays the BOOT environment variable settings (see the “Se

BOOT Environment Variable” section).

et

show clock Displays the current clock settings (see the “S

ting the System Time and

Date” or the “Configuring the Time Zone” sections).

show login timeout Displays the configured login time value (see the “C

Inactivity Timeout” section).

show terminal Displays the console terminal settings (see the “C

Display Attributes” section).

For detailed information about the fields in the output from these commands, refer to the Cisco 4700 Series
Application Control Engine Appliance Command Reference.

figuring a

on

figuring an ACE

on

figuring Terminal

t

ting the

Clearing NTP Statistics

To clear the NTP statistical information, use the following command from Exec mode:

Command Purpose

clear ntp statistics {all-peers | io | local |
memory}

lears the NTP statistics and information.

C

The keywords are as follows:

• all-peers—Clears I/O statistics for all peers

• io—Clears I/O statistics for I/O devices

• local—Clears I/O statistics for local devices

• memory—Clears I/O statistics for memory

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-37

Displaying or Clearing the ACE Setup Configuration and Statistics

Chapter 1 Setting Up the ACE

Cisco 4700 Series Application Control Engine Appliance Administration Guide

1-38

OL-20823-01

CHAPTER

2

Enabling Remote Access to the ACE

This chapter describes how to configure remote access to the Cisco 4700 Series Application Control
Engine (ACE) appliance by establishing a remote connection by using the Secure Shell (SSH) or Telnet
protocols. It also describes how to configure the ACE to provide direct access to a user context from
SSH. This chapter also covers how to configure the ACE to receive ICMP messages from a host.

This chapter contains the following major sections:

• Guidelines and Limitations

• Default Settings

• Enabling Remote Access to the ACE

• Displaying Remote Access Session Information

• Configuration Example for Enabling Remote Access to the ACE

Note For information about how to make a direct connection using a dedicated terminal attached to the Console

port on the front of the ACE, configure terminal display attributes, and configure terminal line settings
for accessing the ACE by console or virtual terminal connection, see Chapter 1, Setting Up the ACE.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-1

Guidelines and Limitations

Guidelines and Limitations

This section describes the guidelines and limitations for the remote access function and includes the
following topics:

• Telnet Management Sessions

• SSH Management Sessions

• ICMP Messages

Telnet Management Sessions

The ACE supports a maximum 16 concurrent Telnet management sessions for the Admin context and 4
concurrent Telnet management sessions for each user context. The ACE supports a total maximum of
256 concurrent Telnet sessions.

SSH Management Sessions

The ACE supports a maximum of 16 concurrent SSH management sessions for the Admin context and
4 concurrent SSH management sessions for each user context. The ACE supports a total maximum of
256 concurrent SSH sessions.

Chapter 2 Enabling Remote Access to the ACE

o

The ACE can generate the DSA and RSA keys required t
decrypt messages. The keys are generated in pairs—one public key and one private key. The global
administrator performs the key generation in the Admin context. All contexts associated with the ACE
share the common key. There is only a single host-key pair.

ICMP Messages

By default, the ACE does not allow ICMP messages to be received by an ACE interface or to pass
through the ACE interface. ICMP is an important tool for testing your network connectivity; however,
network hackers can also use ICMP to attack the ACE or your network. We recommend that you allow
ICMP during your initial testing, but then disallow it during normal operation.

establish an SSH session and encrypt and

Default Settings

Table 2-1 lists the default settings for the ACE remote access function.

Tab l e 2-1 Default Remote Access Parameters

Parameters Default

Concurrent Telnet management sessions per context

Concurrent SSH management sessions per context

• Admin context: 16

• User context: 4 (each)

• Admin context: 16

Ability of an ACE interface to receive ICMP messages or allow
through it

Status of the following matc

snmp, ssh, telnet, and xml-https.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-2

h protocol command protocols: http, https, icmp, kalap-udp,

ICMP messages to pass

• User context: 4 (each)

Disabled

Disabled

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Enabling Remote Access to the ACE

This section describes the tasks associated with enabling remote access to the ACE and includes the
following topics:

• Task Flow for Enabling Remote Access to the ACE

• Configuring Remote Network Management Traffic Services

• Configuring the Maximum Number of Telnet Management Sessions

• Configuring SSH Management Session Parameters

• Terminating an Active User Session

• Enabling ICMP Messages to the ACE

• Directly Accessing a User Context Through SSH

Task Flow for Enabling Remote Access to the ACE

Follow these steps to enable remote access to the ACE:

Enabling Remote Access to the ACE

Step 1 If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the

desired context. If necessary, log directly in to, or change to, the correct context.

host1/Admin# changeto C1
host1/C1#

The rest of the examples in this table use the Admin context, unless otherwise specified. For details on
creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization

Configuration Guide.

Step 2 Enter configuration mode.

host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z
host1/Admin(config)#

Step 3 Create a class map that permits network management traffic to be received by the ACE based on the

network management protocol (SSH or Telnet) and client source IP address.

host1/Admin(config)# class-map type management match-all SSH-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol ssh source-a

255.255.255.254

host1/Admin(config-cmap-mgmt)# exit
host1/Adm
host1/Admin(config)# class-map type management match-all T
host1/Admin(config-cmap-mgmt)# match protocol telnet sourc

255.255.255.254

host1/Admin(config-cmap-mgmt)# exit
host1/Adm

in(config)#

in(config)#

ddress 172.16.10.0

ELNET-ALLOW_CLASS
e-address 172.16.10.0

Step 4 Configure a policy map that activates the SSH and Telnet management protocol classifications.

host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/Adm
host1/Adm
host1/Adm
host1/Adm
host1/Adm

OL-20823-01

in(config-pmap-mgmt-c)# permit
in(config-pmap-mgmt-c)# exit
in(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
in(config-pmap-mgmt-c)# permit
in(config-pmap-mgmt-c)# exit

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-3

Enabling Remote Access to the ACE

host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#

Step 5 Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same

context. For example, to specify an interface VLAN and apply the remote management policy map to
the VLAN, enter:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.
host1/Admin(config-if)# service-policy input REMOTE_MGMT_A
host1/Admin(config-if)# exit

Step 6 (Optional) Configure the maximum number of Telnet sessions allowed for each context.

host1/Admin(config)# telnet maxsessions 3

Step 7 (Optional) Configure the maximum number of SSH sessions allowed for each context.

host1/Admin(config)# ssh maxsessions 3

Step 8 If you have global administrator privileges, use the ssh key command to generate the SSH private key

and the corresponding public key for use by the SSH server. There is only one host-key pair. For
example, to generate an RSA1 key pair in the Admin context, enter:

host1/Admin(config)# ssh key rsa1 1024
generating rsa1 key

.....

generated rsa1 key

Chapter 2 Enabling Remote Access to the ACE

0
LLOW_POLICY

Step 9 (Optional) Save your configuration changes to Flash memory.

host1/Admin(config)# exit
host1/Admin# copy running-config startup-config

Step 10 (Optional) Terminate an active SSH or Telnet session for the active context by using one of the following

commands in Exec mode:

• clear ssh {session_id | hosts}

• clear telnet session_id

host1/Admin# clear ssh 345

Configuring Remote Network Management Traffic Services

This section provides an overview on creating a class map, policy map, and service policy for remote
network access to the ACE. The following items summarize the role of each function in configuring
remote network management access to the ACE:

• Class map—Provides the remote network traffic match criteria to permit traffic based on:

–

Remote access network management protocols (SSH, Telnet, or ICMP)

–

Client source IP address

• Policy map—Enables remote network management access for a traffic classification that matches

the criteria listed in the class map.

• Service policy—Activates the policy map and attaches the traffic policy to an interface or globally

on all interfaces.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-4

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Telnet and SSH remote access sessions are established to the ACE on a per context basis. For details on
creating users and contexts, see the Cisco 4700 Series Application Control Engine Appliance

Virtualization Configuration Guide.

This section contains the following topics:

• Creating and Configuring a Remote Management Class Map

• Creating a Layer 3 and Layer 4 Remote Access Policy Map

• Applying a Service Policy Globally to All VLAN Interfaces in the Same Context

• Applying a Service Policy to a Specific VLAN Interface

Creating and Configuring a Remote Management Class Map

This section describes how to create a Layer 3 and Layer 4 class map to classify the remote network
management traffic received by the ACE. The class map permits network management traffic to be
received by the ACE by identifying the incoming IP protocols that the ACE can receive as well as the
client source IP address and subnet mask as the matching criteria. You define the allowed network traffic
to manage security for protocols such as SSH, Telnet, and ICMP. You also determine how the ACE
evaluates multiple match statements operations when multiple match criteria exist in a class map.

The class map identifies the remote network access management p
ACE. You configure the associated policy map to permit access to the ACE for the specified management
protocols. As part of the network management access traffic classification, you also specify either a
client source host IP address and subnet mask as the matching criteria or instruct the ACE to allow any
client source address for the management traffic classification.

Enabling Remote Access to the ACE

ocols that can be received by the

rot

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-5

Enabling Remote Access to the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

config

Example:

host1/Admin# config
host1/Admin(config)#

class-map type management [match-all |
match-any]

Example:

host1/Admin(config)# class-map type
management match-all
SSH-TELNET_ALLOW
host1/Admin(config-cmap-mgmt)#

no class-map type management [match-all |
match-any]

map_name

_CLASS

map_name

Chapter 2 Enabling Remote Access to the ACE

Enters global configuration mode.

Create a Layer 3 and Layer 4 class map to classify the remote
network management traffic received by the ACE.

The keywords, arguments, and options are as follows:

• match-all | match-any—(Optional) Determines how the

ACE evaluates Layer 3 and Layer 4 network management

ic when multiple match criteria exist in a class map. The

traff
class map is considered a match if the match commands
meet one of the following conditions:

–

match-all —(Default) All of the match criteria listed in

the class map are satisfied to match the network traffic
class in the class map, typically match commands of the
same type.

–

match-any—Any one of the match criteria listed in the

class map is satisfied to match the network traffic class
in the class map, typically match commands of different
types.

• map_name—Specifies the name assigned to the class map.

Enter an unquoted text string with no spaces and a maximum
of 64 alphanumeric characters.

The CLI enters the class map management configuration mode.

(Optional) Remove a Layer 3 and Layer 4 network management
class map from the ACE.

Example:

host1/Admin(config)# no class-map type
management match-all
SSH-TELNET_ALLOW

Cisco 4700 Series Application Control Engine Appliance Administration Guide

_CLASS

2-6

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Command Purpose

Step 3

[line_number] match protocol {http | https
| icmp | kalap-udp | snmp | ssh | telnet |
xml-https} {any | source-address

ip_address mask

Example:

ACE_1/Admin(config-cmap-mgmt)# match
protocol ssh source-address 172.16.10.0

255.255.255.254
ACE_1/Admin(conf
protocol tel

255.255.255.254

}

ig-cmap-mgmt)# match

net source-address

172.16.10.0

Enabling Remote Access to the ACE

Classifies the remote network management traffic received by

the ACE. Include one or more of the match protocol commands

to configure the match criteria for the class map.

The keywords and arguments are as follows:

• line_number—(Optional) Assists you in editing or deleting

individual match commands. Enter an integer from 2 to 255
as the line number. You can enter no line_number to delete
long match commands instead of entering the entire line.

The line numbers do not dictate a priority or sequence for

the match statements.

• http—Specifies the Hypertext Transfer Protocol (HTTP).

The configuration of the HTTP management protocol is
described in Chapter 8, Configuring the XML Interface.

• https—Specifies secure (SSL) Hypertext Transfer Protocol

(HTTP) for connectivity with the Device Manager GUI on
the ACE using port 443.

• icmp—Specifies Internet Control Message Protocol

messages to the ACE. The configuration of the ICMP
management protocol is described in the “Enabling ICMP

Messages to the ACE” section.

• kalap-udp—Specifies management access using KAL-AP

over UDP. The configuration of the KAL-AP management
access is described in the “Configuring Health Monitoring”
chapter of the Cisco 4700 Series Application Control Engine
Appliance Server Load-Balancing Configuration Guide.

• snmp—Specifies the Simple Network Management

Protocol (SNMP). The configuration of the SNMP
management protocol is described in Chapter 7,

Configuring SNMP.

• ssh—Specifies a Secure Shell (SSH) remote connection to

the ACE. The ACE supports the SSH remote shell
functionality provided in SSH Version 1 and supports DES
and 3DES ciphers. The configuration of the SSH
management protocol is described in the “Configuring SSH

Management Session Parameters” section.

OL-20823-01

Note SSH v1.x and v2 are entirely different protocols and

are not compatible. Make sure that you use an SSH
v1.x client when accessing the ACE.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-7

Enabling Remote Access to the ACE

Command Purpose

match protocol
(continued)

no match protocol {http | https | icmp |
kalap-udp | snmp | ssh | telnet |
xml-https} {any | source-address

ip_address mask

}

Chapter 2 Enabling Remote Access to the ACE

• telnet—Specifies a Telnet remote connection to the ACE.

The configuration of the Telnet management protocol is
described in the “Configuring the Maximum Number of

Telnet Management Sessions” section.

• xml-https—Specifies HTTPS as transfer protocol to send

and receive XML documents between the ACE and a
Network Management System (NMS). Communication is
performed using port 10443. The use of the HTTPS
management protocol for XML usage is described in

Chapter 8, Configuring the XML Interface.

Note You can enable both https and xml-https in a Layer 3

and Layer 4 network management class map.

• any—Specifies any client source address for the

management traffic classification.

• source-address—Specifies a client source host IP address

and subnet mask as the network traffic matching criteria. As
part of the classification, the ACE implicitly obtains the
destination IP address from the interface on which you apply
the policy map.

• ip_address—Source IP address of the client.

• mask—Subnet mask of the client in dotted-decimal notation.

(Optional) Deselects the specified network management
protocol match criteria from the class map.

Step 4

Step 5

2-8

Example:

ACE_1/Admin(config-cmap-mgmt)# no match
protocol ssh source-address 192.168.10.1

255.255.255.0

description

text

Provides a brief summary about the Layer 3 and Layer 4 remote
management class map.

Example:

host1/Admin(config-cmap-mgmt)# description
Allow Telnet access to the ACE

no description

Example:

host1/Admin(config-cmap-mgmt)# no
description

do copy running-config startup-config

Example:

ACE_1/Admin(config-cmap-mgmt))# do copy
running-config startup-config

Cisco 4700 Series Application Control Engine Appliance Administration Guide

text

(Optional) Removes the description from the class map.

(Optional) Copies the running configuration to the startup
configuration.

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Creating a Layer 3 and Layer 4 Remote Access Policy Map

This section describes how to create a Layer 3 and Layer 4 policy map for a Layer 3 and Layer 4 traffic
classification with actions to define the network management traffic received by the ACE. The general
steps to configure a Layer 3 and Layer 4 network traffic policy are as follows:

• Configure a Layer 3 and Layer 4 policy map that defines the different actions that are applied to the

IP management traffic received by the ACE. The ACE executes the specified action only for traffic
that meets the first matching classification with a policy map. The ACE does not execute any
additional actions.

• Optionally, provide a brief description about the Layer 3 and Layer 4 remote management policy

map.

• Specify a Layer 3 and Layer 4 traffic class that you created with the class-map command to

associate network traffic with the traffic policy.

• Allow the network management traffic that is listed in the Layer 3 and Layer 4 class map to be

received or rejected by the ACE.

Detailed Steps

Enabling Remote Access to the ACE

Step 1

Step 2

Step 3

Command Purpose

config

Example:

host1/Admin# config
host1/Admin(config)#

policy-map type management first-match

map_name

Example:

host1/Admin(config)# policy-map type
management first-match
REMOTE_MGMT_ALLO
host1/Admin(config-pmap-mgmt)#

W_POLICY

Enters global configuration mode.

Configures a Layer 3 and Layer 4 policy map that defines the
different actions that are applied to the IP management traffic
received by the ACE.

The ma
Layer 3 and Layer 4 network management policy map. Enter an
unquoted text string with no spaces and a maximum of 64
alphanumeric characters.

When you use this command, you will access policy map
managemen

no policy-map type management first-match

map_name

Example:

host1/Admin(config)# no policy-map type
management first-match
REMOTE_MGMT_ALLO

description

Example:

host1/Admin(config-pmap-mgmt)# description
Allow Telnet access to the ACE

W_POLICY

text

(Optional) Removes a policy map from the ACE.

Provides a brief summary about the Layer 3 and Layer 4 remote
management policy map.

The text ar
provide. Enter an unquoted text string with a maximum of
240 alphanumeric characters.

p_name ar

gument specifies the name assigned to the

t con

figuration mode.

gument specifies the description that you want to

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-9

Enabling Remote Access to the ACE

Command Purpose

no description

Example:

host1/Admin(config-pmap-mgmt)# no
description

Step 4

class {
class-default}

Example:

host1/Admin(config-pmap-mgmt)# class
L4_REMOTE_ACCESS
host1/Admin(conf

no class {
class-default}

Example:

host1/Admin(config-pmap-mgmt)# no class
L4_REMOTE_ACCESS

name1

name1

[insert-before

_CLASS
ig-pmap-mgmt-c)#

[insert-before

_CLASS

name2

name2

] |

] |

Chapter 2 Enabling Remote Access to the ACE

(Optional) Removes a description from the policy map.

Specifies a Layer 3 and Layer 4 traffic class created with the

class-map command to associate network traffic with the traffic

policy.

The arguments, keywords, and options are as follows:

• name1—Name of a previously defined Layer 3 and Layer 4

traffic class, configured with the class-map command, to

associate traffic to the traffic policy. Enter an unquoted text
string with no spaces and a maximum of 64 alphanumeric
characters.

• insert-before name2—(Optional) Places the current class

map ahead of an existing class map or inline match condition
specified by the name2 argument in the policy map
configuration. The ACE does not save the sequence
reordering as part of the configuration. Enter an unquoted
text string with no spaces and a maximum of 64
alphanumeric characters.

• class-default—Specifies the class-default class map for the

Layer 3 and Layer 4 traffic policy. This class map is a
reserved class map created by the ACE. You cannot delete or
modify this class. All network traffic that fails to meet the
other matching criteria in the named class map belongs to the
default traffic class. If none of the specified classifications
match, the ACE then matches the action specified under the

class class-default command. The class-default class map
has an implicit match any statement in it and is used to

match any traffic classification. The class-default class map

has an implicit match any statement that matches all traffic.

This command enters the policy map management class

nf

iguration mode.

co

(Optional) Remove a class map from a Layer 3 and Layer 4 policy
map.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-10

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Command Purpose

Step 5

Step 6

permit | deny

Example:

host1/Admin(config-pmap-mgmt-c)# permit

do copy running-config startup-config

Example:

host1/Admin(config-pmap-mgmt-c)# do copy
running-config s

tartup-config

Examples

The following example shows how to create a Layer 3 and Layer 4 remote network traffic management
policy map that permits SSH, Telnet, and ICMP connections to be received by the ACE:

host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/Adm
host1/Adm
host1/Adm
host1/Adm
host1/Adm
host1/Adm
host1/Adm
host1/Adm

in(config-pmap-mgmt-c)# permit
in(config-pmap-mgmt-c)# exit
in(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
in(config-pmap-mgmt-c)# permit
in(config-pmap-mgmt-c)# exit
in(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
in(config-pmap-mgmt-c)# permit
in(config-pmap-mgmt-c)# exit

Enabling Remote Access to the ACE

Allows the network management traffic listed in the Layer 3 and
Layer 4 class map to be received or rejected by the ACE as

ows:

foll

• Use the permit command in policy map class configuration

mode to allow the remote management protocols listed in the
class map to be received by the ACE.

• Use the deny command in policy map class configuration

mode to refuse the remote management protocols listed in
the class map to be received by the ACE.

(Optional) Copies the running configuration to the startup
configuration.

The following example shows how to create a policy map that restricts an ICMP connection by the ACE:

host1/Admin(config)# policy-map type management first-action ICMP_RESTRICT_POLICY
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Adm

in(config-pmap-mgmt-c)# deny

Applying a Service Policy Globally to All VLAN Interfaces in the Same Context

This section describes how to apply a previously created policy map globally to all VLAN interfaces in
the same context.

Note the following guidelines when applying a service policy:

• Policy maps, applied globally in a context, are internally applied on all interfaces existing in the

context.

• A policy activated on an interface overwrites any specified global policies for overlapping

classification and actions.

You can remove a traffic policy map from a VLAN by using either of the following methods:

• Individually from the last VLAN interface on which you applied the service policy

• Globally from all VLAN interfaces in the same context

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-11

Enabling Remote Access to the ACE

Note To apply the policy map to a specific VLAN interface only, see the “Applying a Service Policy to a

Restrictions

Detailed Steps

Command Purpose

Step 1

config

Chapter 2 Enabling Remote Access to the ACE

The ACE automatically resets the associated service policy statistics to provide a new starting point for
the service policy statistics the next time that you attach a traffic policy to a specific VLAN interface or
globally to all VLAN interfaces in the same context.

Specific VLAN Interface” section.

The ACE allows only one policy of a specific feature type to be activated on a given interface and only
in the input direction.

Enters global configuration mode.

Step 2

Step 3

Example:

host1/Admin# config
host1/Admin(config)#

service-policy input

Example:

host1/Admin(config)# service-policy input
REMOTE_MGMT_ALLOW_POLICY

no service-policy input

Example:

host1/Admin(config)# no service-policy
input REMOTE_MGMT_ALLOW_POLICY

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config s

policy_name

policy_name

tartup-config

Applies the remote access policy map globally to all of the
VLANs associated with a context.

The policy_name ar

gument is the name of a previously defined

policy map, configured with a previously created policy-map

command. The name can be a maximum of 40 alphanumeric
characters.

(Optional) Removes the remote access traffic policy globally
from all VLANs associated with a context.

(Optional) Copies the running configuration to the startup
configuration.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-12

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Command Purpose

Step 4

do show service-policy [
[detail]]

Example:

host1/Admin(config)# do show
service-policy R

EMOTE_MGMT_ALLOW_POLICY

policy_name

Enabling Remote Access to the ACE

(Optional) Displays service policy statistics for all policy maps or
a specific Layer 3 and Layer 4 remote network traffic
management policy map.

The keywords, options, and arguments are as follows:

• policy_name—(Optional) Existing policy map that is

currently in service (applied to an interface) as an unquoted
text string with a maximum of 64 alphanumeric characters. If
you do not enter the name of an existing policy map, the ACE
displays information and statistics for all policy maps.

• detail—(Optional) Displays a more detailed listing of policy

map statistics and status information.

Note The ACE updates the counters that the show

service-policy command displays after the applicable

connections are closed.

Step 5

do clear service-policy

Example:

host1/Admin(config)# do clear
service-policy REMOTE_MGMT_ALLOW_POLICY

policy_name

(Optional) Clears the service policy statistics for a policy map.

For the policy_name ar
policy map that is currently in service (applied to an interface).

Applying a Service Policy to a Specific VLAN Interface

This section describes how to apply a previously created policy map to a specific VLAN interface. A
policy activated on an interface overwrites any specified global policies for overlapping classification
and actions.

You can remove a traffic policy map from a VLAN by using either of the following methods:

• Individually from the last VLAN interface on which you applied the service policy

• Globally from all VLAN interfaces in the same context (see the “Applying a Service Policy Globally

to All VLAN Interfaces in the Same Context” section).

The ACE automatically resets the associated service policy statistics to provide a new starting point for

e service policy statistics the next time that you attach a traffic policy to a specific VLAN interface or

th
globally to all VLAN interfaces in the same context.

Note To apply the policy map globally to all VLAN interfaces in the same context, see the “Applying a Service

Policy Globally to All VLAN Interfaces in the Same Context” section.

gument, enter the identifier of an existing

Restrictions

The ACE allows only one policy of a specific feature type to be activated on a given interface and only
in the input direction.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-13

Enabling Remote Access to the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

Step 3

Step 4

Step 5

config

Example:

host1/Admin# config
host1/Admin(config)#

interface vlan

Example:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)#

service-policy input

Example:

host1/Admin(config-if)# service-policy
input REMOTE_MGMT_ALLOW_POLICY

no service-policy input

Example:

host1/Admin(config-if)# no service-policy
input REMOTE_MGMT_ALLOW_POLICY

do copy running-config startup-config

Example:

host1/Admin(config-if)# do copy
running-config s

do show service-policy [
[detail]]

Example:

host1/Admin(config-if)# do show
service-policy R

number

policy_name

policy_name

tartup-config

policy_name

EMOTE_MGMT_ALLOW_POLICY

Chapter 2 Enabling Remote Access to the ACE

Enters global configuration mode.

(Optional) Specifies the VLAN to which the remote access policy
map is to be applied.

The number ar

This command enters the interface configuration mode.

Attaches the remote access policy map to the specified VLAN
only.

The policy_name ar

To apply the policy map globally to all of the VLANs associated

th a context, see the “Applying a Service Policy Globally to All

wi

VLAN Interfaces in the Same Context” section.

(Optional) Detaches the remote access traffic policy from the
VLAN.

(Optional) Copies the running configuration to the startup
configuration.

(Optional) Displays service policy statistics for all policy maps or
a specific Layer 3 and Layer 4 remote network traffic
management policy map.

The keywords, options, and arguments are as follows:

• policy_name—(Optional) Existing policy map that is

currently in service (applied to an interface) as an unquoted
text string with a maximum of 64 alphanumeric characters. If
you do not enter the name of an existing policy map, the ACE
displays information and statistics for all policy maps.

• detail—(Optional) Displays a more detailed listing of policy

map statistics and status information.

gument specifies the VLAN.

gument specifies the policy map name.

Step 6

do clear service-policy

Example:

host1/Admin(config-if)# do clear
service-policy REMOTE_MGMT_ALLOW_POLICY

Cisco 4700 Series Application Control Engine Appliance Administration Guide

policy_name

2-14

Note The ACE updates the counters that the show

service-policy command displays after the applicable

connections are closed.

(Optional) Clears the service policy statistics for a policy map.

For the policy_name ar

gument, enter the identifier of an existing

policy map that is currently in service (applied to an interface).

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Enabling Remote Access to the ACE

Examples

The following example shows how to specify an interface VLAN and apply the remote access policy
map to a VLAN:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.
host1/Admin(config-if)# service-policy input REMOTE_MGMT_A

0
LLOW_POLICY

The following example shows how to display service policy statistics for the
REMOTE_MGMT_ALLOW_POLICY policy map:

host1/Admin# show service-policy REMOTE_MGMT_ALLOW_POLICY
Status : ACTIVE
Description: Allow mgmt protocols

----------------------------------------­Context Global Policy:
service-policy: REMOTE_MGMT_ALLOW_POLICY

Configuring the Maximum Number of Telnet Management Sessions

Restrictions

Detailed Steps

Command Purpose

Step 1

Step 2

config

Example:

host1/Admin# config
host1/Admin(config)#

telnet maxsessions

Example:

host1/Admin(config)# telnet maxsessions 3

no telnet maxsessions

Example:

host1/Admin(config)# no telnet maxsessions

This section describes how to control the maximum number of Telnet sessions allowed for each context.
Telnet remote access sessions are established on the ACE per context. You can create a context, assign
an interface and IP address to it, and then log into the ACE by using Telnet to connect to that IP address.
This capability allows you to specify a particular context when accessing the ACE. For details on
creating users and contexts, see the Cisco 4700 Series Application Control Engine Appliance
Virtualization Configuration Guide.

The ACE supports a total maximum of 256 concurrent Telnet sessions. The ACE supports a maximum
16 concurrent Telnet management sessions for the Admin context and 4 concurrent Telnet management
sessions for each user context.

Enters global configuration mode.

max_sessions

(Optional) Specifies the maximum number of concurrent Telnet
sessions allowed for the associated context.

The max_sessions ar

gument sets the maximum number of
concurrent Telnet sessions allowed. The range is from 1 to 16
Telnet sessions for the Admin context and from 1 to 4 Telnet
sessions for each user context. The defaults are 16 (Admin
context) and 4 (user context).

(Optional) Reverts to the default maximum number of Telnet
sessions for the context.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-15

Enabling Remote Access to the ACE

Command Purpose

Step 3

Step 4

do show telnet maxsessions [context_name]

Example:

host1/Admin(config)# do show telnet
maxsessions

Maximum Sessions Allowed is 4

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config s

tartup-config

(Optional) Displays the maximum number of enabled Telnet
sessions. Only context administrators can view Telnet session
information associated with a particular context.

nt

The optional co

ext_name argument specifies the name of the

context for which you want to view the maximum number of
Telnet sessions. The context_name argument is case sensitive.

(Optional) Copies the running configuration to the startup
configuration.

Configuring SSH Management Session Parameters

This section describes how to configure the SSH management session parameters. SSH remote access
sessions are established on the ACE per context. You can create a context, assign an interface and IP
address to it, and then log into the ACE by using SSH to connect to that IP address. This capability allows
you to specify a particular context when accessing the ACE. For details on creating users and contexts,
see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

This section contains the following topics:

• Configuring Maximum Number of SSH Sessions

• Generating SSH Host Key Pairs

Chapter 2 Enabling Remote Access to the ACE

Configuring Maximum Number of SSH Sessions

This section describes how to control the maximum number of SSH sessions allowed for each context.

Restrictions

The ACE supports a total maximum of 256 concurrent SSH sessions. The ACE supports a maximum 16
concurrent SSH management sessions for the Admin context and 4 concurrent SSH management
sessions for each user context.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-16

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

Step 3

Step 4

config

Example:

host1/Admin# config
host1/Admin(config)#

ssh maxsessions

Example:

host1/Admin(config)# ssh maxsessions 3

no ssh maxsessions

Example:

host1/Admin(config)# no ssh maxsessions

do show ssh maxsessions [

Example:

host1/Admin(config)# do show ssh
maxsessions

Maximum Sessions Allowed is 4

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config s

max_sessions

tartup-config

context_name

Enabling Remote Access to the ACE

Enters global configuration mode.

(Optional) Specifies the maximum number of concurrent SSH
sessions allowed for the associated context.

The max_sessions ar
concurrent SSH sessions allowed. The range is from 1 to 16 SSH
sessions for the Admin context and from 1 to 4 SSH sessions for
each user context. The defaults are 16 (Admin context) and 4
(user context).

(Optional) Reverts to the default maximum number of SSH
sessions for the context.

]

(Optional) Displays the maximum number of enabled SSH
sessions. Only context administrators can view SSH session
information associated with a particular context.

The optional co
context for which the context administrator wants to view the
maximum number of SSH sessions. The context_name argument
is case sensitive.

(Optional) Copies the running configuration to the startup
configuration.

gument sets the maximum number of

nt

ext_name argument specifies the name of the

Generating SSH Host Key Pairs

This section describes how to generate an SSH host key pair. The ACE supports remote login over an
SSH session that uses private and public key pairs to perform authentication for the context. DSA and
RSA keys are generated in pairs—one public key and one private key. With this method of remote
connection, use a generated private and public key pair to participate in a secure communication by
encrypting and decrypting messages.

The global administrator performs the key generation in th
the ACE share the common key. There is only a single host-key pair.

Ensure that you have an SSH host-key pair with the appropriate version before enabling the SSH service
(see the “Configuring Remote Network Management Traffic Services” section). The SSH service
accepts three types of key pairs for use by SSH versions 1 and 2. Generate the SSH host key pair

ording to the SSH

acc
768 to 4096.

OL-20823-01

e Admi

n context. All contexts associated with

client version used. The number of bits specified for each key pair ranges from

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-17

Enabling Remote Access to the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

Step 3

Step 4

changeto Admin

Example:

host1/context3# changeto Admin
host1/Admin#

config

Example:

host1/Admin# config
host1/Admin(config)#

hostname

Example:

host1/Admin(config)# hostname host1
host1/Admin(config)#

ssh key {dsa | rsa | rsa1} [

name

bits

[force]]

Chapter 2 Enabling Remote Access to the ACE

(Optional) Changes to the Admin context.

If you are the administrator or anothe
Admin context, use this command in Exec mode to move to the
Admin context. An administrator can perform all allowable
functions within the Admin context.

Enters global configuration mode.

Sets the hostname. This setting is used in the generation of the
key.

The name ar

gument specifies a new hostname for the ACE. Enter
a case-sensitive text string that contains from 1 to 32
alphanumeric characters.

For more information about setting the host name, see the

“Assigning a Name to the ACE” section on page 1-12.

Generates the SSH private key and the corresponding public key.

r user authorized in the

Step 5

Example:

host1/Admin(config)# ssh key rsa1 1024

no ssh key {dsa | rsa | rsa1}

Example:

host1/Admin(config)# no ssh key rsa1

do show ssh key [dsa | rsa | rsa1]

Example:

host1/Admin(config)# do show ssh key rsa

The arguments, keywords, and options are as follows:

• dsa—Generates the DSA key pair for the SSH version 2

protocol.

• rsa—Generates the RSA key pair for the SSH version 2

protocol.

• rsa1—Generates the RSA1 key pair for the SSH version 1

protocol.

• bits—(Optional) Number of bits for the key pair. For DSA,

the range is from 768 to 2048. For RSA and RSA1, the range
is from 768 to 4096. The greater the number of bits that you
specify, the longer it takes to generate the key. The default is

768.

• force—(Optional) Forces the generation of a DSA or RSA

key even when previous keys exist. If the SSH key pair
option is already generated for the required version, use the

force option to overwrite the previously generated key pair.

(Optional) Removes the SSH host key pair.

(Optional) Displays the host key pair details for the specified key
or for all keys if you do not specify a key.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-18

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Command Purpose

Step 6

Step 7

Step 8

do copy running-config startup-config

Example:

host1/Admin(config)# do copy
running-config startup-config

exit

Example:

host1/Admin(config)# exit
host1/Admin#

clear ssh hosts

Example:

host1/Admin# clear ssh hosts

Examples

The following example shows the show ssh key command output:

host1/Admin # show ssh key
**************************************
could not retrieve rsa1 key information
**************************************
rsa Keys generated:Tue Mar 7 19:37:17 2006

Enabling Remote Access to the ACE

(Optional) Copies the running configuration to the startup
configuration.

(Optional) Returns to the Exec mode prompt.

(Optional) Clears the public keys of all trusted host. These keys
are either sent to an SSH client by an SSH server or are entered
manually. When a SSH connection is made from the ACE, the
SSH client receives the public key and stores it locally.

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4v4DQ8aNl482qDTRju9G07hEIxCgTWanPm+WOCU1kihZ
QNd5ZwA50CBAJSfIIIB4iED6iQbhOkbXSneCvTb5mVoish2wvJrETpIDIeGxxh/jWVsU/MeBbA/7o5tv
gCeT6p7pGF5oUNYFP0OeZ9BiIWDc4jBmYEQLEqJHPrMhSFE=

bitcount:1024
fingerprint:
f5:55:00:18:bc:af:41:74:b6:bc:aa:8e:46:31:74:4f
**************************************
dsa Keys generated:Tue Dec 20 19:37:17 2005

ssh-dss AAAAB3NzaC1kc3MAAACBAPqDdEqU+0gNtKRXM+DQAXnvcB+H89nq8jA4WgJ7uQcuDCLaG7Lq
jtKTltJjA6aZVywsQWQ6n4kTlkavZy3cj6PUbSyqvmCTsaYyYo4UQ6CKrK9V+NsfgzTSLWTH8iDUvYjL
c3nU51QEKjy7mPsQeX31y1M1rhp8qhkbMKxkc49XAAAAFQCPM0QJrq6+kkaghJpeNxeXhUH9HwAAAIEA
keZ1ZJM6sfKqJDYPLHkTro+lpbV9uR4VyYoZmSoehi/LmSaZDq+Mc8UN1LM+i5vkOgnKcearD9lM4/hK
zZGYx5hJOiYCKj/ny2a5p/8HK152cnsOAg6ebkiTTWAprcWrcHDS/1mcaI5GzLrZCdlXW5gBFZtMTJGs
tICmVWjibewAAACBAJQ66zdZQqYiCWtZfmakridEGDTLV6ixIDjBNgb84qlj+Y1XMzqLL0D4oMSb7idE
L3BmhQYQW7hkTK0oS4kVawI1VmW2kvrqoGQnLNQRMvisAXuJWKk1Ln6vWPGZZe8KoALv0GXxsOv2gk/z
TDk01oCaTVw//bXJtoVRgIlWXLIP

bitcount:1024
fingerprint:
8e:13:5c:3e:1a:9c:7a:ed:d0:84:eb:96:12:db:82:be
**************************************

Terminating an Active User Session

This section describes how to terminate an active SSH or Telnet session for the active context.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-19

Enabling Remote Access to the ACE

Detailed Steps

Command Purpose

Step 1

Step 2

show {ssh session-info | telnet}

Example:

host1/Admin# show ssh session-info

clear {ssh | telnet}

Example:

host1/Admin# clear ssh 345

session_id

Chapter 2 Enabling Remote Access to the ACE

(Optional) Displays the session information, including the
session ID, of all current SSH or Telnet sessions.

The keywords are as follows:

• ssh session-info—Displays SSH session information.

• telnet—Displays Telnet session information.

Terminates a current SSH or Telnet session depending on which
command you enter.

The argument and keyword are as follows:

• ssh—Selects an SSH session type.

• telnet—Selects a Tenet session type.

• session_id—Specifies the identifier of the SSH or Telnet

session to disconnect.

Enabling ICMP Messages to the ACE

This section describes how to enable ICMP messages on the ACE. By default, the ACE does not allow
ICMP messages to be received by an ACE interface or to pass through the ACE interface. ICMP is an
important tool for testing your network connectivity; however, network hackers can also use ICMP to
attack the ACE or your network. We recommend that you allow ICMP during your initial testing, but
then disallow it during normal operation.

To permit or deny address(es) to reach an ACE interface
ACE, or from the ACE to a host which requires the ICMP reply to be allowed back, configure one of the
following:

• Class map to provide the ICMP network traffic match criteria for the ACE.

• Policy map to enable ICMP network management access to and from the ACE.

• Service policy to activate the policy map, attach the traffic policy to an interface or globally on all

interfaces, and specify the direction in which the policy should be applied.

See the “Conf
a network management class map, policy map, and service policy for the ACE.

To allow ICMP messages to pass through the ACE, configure an ICMP ACL to permit or deny network

ections based on the ICMP type (for example, echo, echo-reply, or unreachable). See the Cisco 4700

conn
Series Application Control Engine Appliance Security Configuration Guide for details.

Note If you want only to allow the ACE to ping a host (and allow the echo reply back to the interface), but not

allow hosts to ping the ACE, enable the ICMP application protocol inspection function instead of
defining a class map and policy map. See the Cisco 4700 Series Application Control Engine Appliance
Security Configuration Guide for details.

iguring Remote Network Management Traffic Services” section for details on configuring

wi

th ICMP messages, either from a host to the

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-20

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Examples

The following example shows how to allow the ACE to receive ICMP pings:

host1/Admin(config)# class-map type management match-all ICMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow ICMP pack
host1/Admin(config-cmap-mgmt)# match protocol icmp source-

255.255.255.254

host1/Admin(config-cmap-mgmt)# exit
host1/Adm
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Adm
host1/Adm
host1/Adm
host1/Adm
host1/Adm
host1/Admin(config-if)# service-policy input ICMP_ALLOW_PO

in(config)# policy-map type management first-acti

in(config-pmap-mgmt-c)# permit
in(config-pmap-mgmt-c)# exit
in(config-pmap-mgmt)# exit
in(config)# interface vlan 50
in(config-if)# ip address 172.16.1.100 255.255.0.

Directly Accessing a User Context Through SSH

This section describes how to configure a user context and enable direct login access to that user context
from a remote SSH session. To perform this procedure, you must be the global administrator and in the
Admin context.

Enabling Remote Access to the ACE

ets
address 172.16.10.0

on ICMP_ALLOW_POLICY

0
LICY

Task Flow

Follow these steps to first configure the ACE to provide direct access to a user context from SSH and
then access the user context:

Step 1 Create a user context by entering the following command:

host1/Admin(config)# context C1
host1/Admin(config-context)#

See the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

Step 2 Associate an existing VLAN with the user context so that the context can receive traffic classified for it

by entering the following command:

host1/Admin(config-context)# allocate-interface vlan 100

See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration
Guide.

Step 3 Generate the SSH host key pair by entering the following command:

host1/Admin(config-context)# ssh key rsa1 1024
generating rsa1 key

.....

generated rsa1 key

See the “Generating SSH Host Key Pairs” section.

Step 4 Change to the C1 context that you created in Step 1 and enter configuration mode in that context by

entering the following commands:

host1/Admin(config-context)# do changeto C1
host1/C1(config-context)# exit
host1/C1(config)#

Only users authenticated in the Admin context can use the changeto command.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-21

Displaying Remote Access Session Information

Step 5 Configure the VLAN interface that you allocated to the user context in Step 2 by entering the following

commands:

host1/C1(config)# interface vlan 50
host1/C1(config-if)# ip address 192.168.1.1 255.255.255.0
host1/C1(
host1/C1(config-if)# exit
host1/C1(config)#

config-if)# no shutdown

For example, assign an IP address to the interface and reenable the interface within the context with the

no shutdown command. See the Cisco 4700 Series Application Control Engine Appliance Routing and

Bridging Configuration Guide.

Step 6 Create an SSH remote management policy and apply the associated service policy to all VLAN

interfaces or just to the VLAN interface allocated to the user context by entering the following
commands:

host1/C1(config)# class-map type management match-all SSH-ALLOW_CLASS
host1/C1(config-cmap-mgmt)# match protocol ssh source-addr
host1/C1(config-cmap-mgmt)# exit
host1/C1(config)#
host1/C1(config)# policy-map type
host1/C1(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/C1(
host1/C1(
host1/C1(
host1/C1(config)# interface vlan
host1/C1(
host1/C1(
host1/C1(config-if)# exit
host1/C1(config)#

config-pmap-mgmt-c)# permit
config-pmap-mgmt-c)# exit
config-pmap-mgmt)# exit

config-if)# ip address 192.168.1.1 255.255.255.0
config-if)# service-policy input REMOTE_MGMT_ALLO

Chapter 2 Enabling Remote Access to the ACE

management first-match R

50

ess 172.16.10.0 255.255.255.254

EMOTE_MGMT_ALLOW_POLICY

W_POLICY

See the “Configuring Remote Network Management Traffic Services” section.

Step 7 Create an IP route by entering the following command:

host1/C1(config)# ip route 0.0.0.0 255.255.255.0 192.168.4.8

See the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

Step 8 Follow theses steps to directly access the user context from an SSH client:

a. From the SSH client, establish a remote SSH session to the IP address of the user context VLAN

interface.

b. Enter the password for the user context VLAN interface. The ACE CLI prompt appears in Exec

mode of the user context.

host1/C1#

Displaying Remote Access Session Information

This section describes how to display remote access session information and includes the following
topics:

• Displaying Telnet Session Information

• Displaying SSH Session Information

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-22

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

• Displaying Other Remote Access Session Information

Displaying Telnet Session Information

To display a Telnet session, perform the following task:

Command Purpose

show telnet [cont

ext_name] Display information related to the Telnet session. Only the context administrator can

view Telnet information associated with a particular context.

The optional conte
want to view specific Telnet session information. The context_name argument is case
sensitive.

xt_name argument specifies the name of the context for which you

Displaying Remote Access Session Information

Table 2-2 describes the fields in the sh

Tab l e 2-2 Field Descriptions for the show telnet Command

Field Description

SessionID Unique session identifier for the Telnet session.

Remote Host IP address and port of the remote Telnet client.

Active Time Time since the Telnet connec

Displaying SSH Session Information

To display an SSH session, perform the following task:

Command Purpose

show ssh session-info

ext_name]

[cont

Displays information related to the SSH session. Only context administrators can view
SSH session information associated with a particular context.

The optional conte
want to view specific SSH session information. The context_name argument is case
sensitive.

ow telnet command output.

tion reque

xt_name argument specifies the name of the context for which you

st was received by the ACE.

Table 2-3 describes the fields in the s

Tab l e 2-3 Field Descriptions for the show ssh session-info Command

Field Description

SessionID Unique session identifier for the SSH session.

Remote Host IP address and port of the remote SSH client.

Active Time Time since the SSH connection request was received by the ACE.

OL-20823-01

how ssh session-info command output.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-23

Displaying Remote Access Session Information

Displaying Other Remote Access Session Information

To display other remote access configuration information, perform one of the following tasks:

Command Purpose

show running-config Displays the running configuration.
show ssh key [dsa | rs

show ssh maxsessions [conte

a | rsa1] Disp

xt_name] Displays the maximum number of enabled SSH sessions. Only context

show telnet maxsessions [conte

xt_name] Display the maximum number of enabled Telnet sessions. Only context

lays the host key pair details for the specified key or for all keys if you do not

specify a key.

See the “Generating SSH Host Key Pairs” sec

administrators can view SSH session information associated with a particular
context.

f

See the “Con

iguring Maximum Number of SSH Sessions” section.

administrators can view Telnet session information associated with a particular
context.

f

See the “Con

iguring the Maximum Number of Telnet Management Sessions”

section.

Chapter 2 Enabling Remote Access to the ACE

tion.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-24

OL-20823-01

Chapter 2 Enabling Remote Access to the ACE

Configuration Example for Enabling Remote Access to the ACE

Configuration Example for Enabling Remote Access to the ACE

The following CLI example shows how to configure remote access to the ACE through the use of class
maps, policy maps, and service policies.

Step 1 Enter the configuration mode and set the maximum number of Telnet and SSH sessions.

host1/Admin# config
host1/Admin(config)# telnet maxsessions 3
host1/Admin(config)# ssh maxsessions 3

Step 2 Create and configure an access control list. The sample access control list shown in this step allows

network traffic from any source. For details about configuring an access control list, see the Cisco 4700
Series Application Control Engine Appliance Security Configuration Guide.

host1/Admin(config)# access-list ACL1 line 10 extended permit ip any any

Step 3 Create and configure a class map for network management traffic.

host1/Admin(config)# class-map type management match-any L4_REMOTE-MGT_CLASS
host1/Admin(config-cmap-mgmt)# description Allows Telnet,
host1/Admin(config-cmap-mgmt)# 2 match protocol telnet any
host1/Admin(config-cmap-mgmt)# 3 match protocol ssh any
host1/Admin(config-cmap-mgmt)# 4 match protocol icmp any
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#

SSH, and ICMP protocols

Step 4 Create and configure a policy map that activates the SSH and Telnet management protocol

classifications.

host1/Admin(config)# policy-map type management first-match L4_REMOTE-MGT_POLICY
host1/Admin(config-pmap-mgmt)# class L4_REMOTE-MGT_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)#

Step 5 Apply the traffic policy to a specific VLAN interface or globally to all VLAN interfaces and enable the

interface.

Apply to a specific VLAN interface:

host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 192.168.1.1 255.255.255.0
host1/Admin(config-if)# access-group input ACL1
host1/Admin(config-if)# service-policy input L4_REMOTE-MGT_POLICY
host1/Admin(config-if)# no shutdown
host1/Admin(config-if)# exit
host1/Admin(config)#

Apply globally to all VLAN interface:

host1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Step 6 Generate the SSH private key and corresponding public key for use by the SSH server.

host1/Admin(config)# ssh key rsa1 1024 force

Step 7 Save the configuration to Flash memory.

host1/Admin(config)# do copy running-config startup-config

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-25

Configuration Example for Enabling Remote Access to the ACE

Chapter 2 Enabling Remote Access to the ACE

Cisco 4700 Series Application Control Engine Appliance Administration Guide

2-26

OL-20823-01

Managing ACE Software Licenses

This chapter describes how to manage the software licenses for your Cisco Application Control Engine
(ACE) module. It contains the following major sections:

• Information about ACE Licenses

• Guidelines and Limitations

• Prerequisites

• Default License Feature Capabilities

• Managing ACE Appliance Software Licenses

• Displaying ACE License Configurations and Statistics

Information about ACE Licenses

CHAPTER

3

Table 3-1 summarizes the contents of the ACE license bundles that includes the ACE appliance and a

series of software licenses. You can increase the pe
product by purchasing one of the licensing options. Table 3-2 provides a list of the default and upgrade
ACE appliance licensing options.

You can order your ACE product by either of these methods:

• Ordering a license bundle. Each license bundles includes the ACE appliance and a series of software

licenses.

• Ordering separate license options.

rformance and operating capabilities of your ACE

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-1

Chapter 3 Managing ACE Software Licenses

Information about ACE Licenses

Tab l e 3-1 ACE Licensing Bundles

License Model Description Upgrade Path

ACE-4710-0.5F-K9 This license bundle includes the following items:

• ACE 4710 appliance

• 0.5-Gbps throughput license (ACE-AP-500M-LIC)

• 100-Mbps compression license (ACE-AP-C-100-LIC)

• 100 SSL transactions per second (TPS) license

(ACE-AP-SSL-100-K9)

• 5 virtual contexts license (ACE-AP-VIRT-5)

• Application acceleration license (50 connections)

(ACE-AP-OPT-50-K9)

ACE-4710-1F-K9 This license bundle includes the following items:

• ACE 4710 appliance

• 1-Gbps throughput license (ACE-AP-01-LIC)

• 500-Mbps compression license (ACE-AP-C-500-LIC)

• 5000 SSL TPS license (ACE-AP-SSL-05K-K9)

You have the option to
upgrade to
2-Gbps, or 4-Gbps
bundle.

Start the upgrade with

C

E-4710-BUN-UP1=.

A

You have the option to
upgrade t

o the 2-Gbps or

4-Gbps bundle.

Start the upgrade with

C

E-4710-BUN-UP2=.

A

the 1-Gbps,

• 5 virtual contexts license (ACE-AP-VIRT-5)

• Application acceleration license (50 connections)

(ACE-AP-OPT-50-K9)

ACE-4710-BAS-2PAK This license bundle includes the following items:

• Two ACE 4710 appliances

• 1-Gbps throughput license (ACE-AP-01-LIC)

ACE-4710-BAS-2PAK also includes the following default options:

• 1000 SSL TPS

• 100-Mbps compression

• 5 virtual contexts

• Application acceleration (50 connections)

ACE-4710-2F-K9 This license bundle includes the following items:

• ACE 4710 appliance

• 2-Gbps throughput license (ACE-AP-02-LIC)

• 1-Gbps compression license (ACE-AP-C-1000-LIC)

• 7500 SSL TPS license (ACE-AP-SSL-07K-K9)

• 5 virtual contexts license (ACE-AP-VIRT-5)

• Application acceleration license (50 connections)

(ACE-AP-OPT-50-K9)

You have the option to
upgrade t

o the 2-Gbps or

4-Gbps bundle.

Start the upgrade with

C

E-4710-BUN-UP2=.

A
Two upgrade licenses are
required for upgrading
two units of the
ACE-4710-BAS-2PAK
bundle.

You have the option to
upgrade to

the 4-Gbps

bundle.

Start the upgrade with

C

E-4710-BUN-UP3=.

A

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-2

OL-20823-01

Chapter 3 Managing ACE Software Licenses

Information about ACE Licenses

Table 3-1 ACE Licensing Bundles (continued)

License Model Description Upgrade Path

ACE-4710-4F-K9 This license bundle includes the following items:

• ACE 4710 appliance

• 4-Gbps throughput license (ACE-AP-04-LIC)

• 2-Gbps compression license (ACE-AP-C-2000-LIC)

• 7500 SSL TPS license (ACE-AP-SSL-07K-K9)

• 5 virtual contexts license (ACE-AP-VIRT-5)

• Application acceleration license (50 connections)

(ACE-AP-OPT-50-K9)

ACE-4710-BUN-UP1 0.5 to 1-Gbps throughput bundle upgrade license See the Upgrade Path

ACE-4710-BUN-UP2 1 to 2-Gbps throughput bundle upgrade license See the Upgrade Path

ACE-4710-BUN-UP3 2 to 4-Gbps throughput bundle upgrade license See the Upgrade Path

This is the highest value
bu

ndle.

v

outlined abo

outlined abo

outlined abo

e.

v

e.

v

e.

Tab l e 3-2 ACE Licensing Options

Feature License Model Description

Performance Throughput Default 0.5-Gbps throughput.

ACE-AP-01-LIC 1-Gbps throughput.

ACE-AP-02-LIC 2-Gbps throughput.

ACE-AP-04-LIC 4-Gbps throughput.

ACE-AP-02-UP1 Upgrade from 1-Gbps to 2-Gbps throughput.

ACE-AP-04-UP1 Upgrade from 1-Gbps to 4-Gbps throughput.

ACE-AP-04-UP2 Upgrade from 2-Gbps to 4-Gbps throughput.

Virtualization Default 1 admin/5 user contexts.

ACE-AP-VIRT-020 1 admin/20 user contexts.

SSL Default 100 TPS.

ACE-AP-SSL-05K-K9 5000 TPS.

ACE-AP-SSL-07K-K9 7500 TPS.

ACE-AP-SSL-UP1-K9 Upgrade from 5000 TPS to 7500 TPS.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-3

Information about ACE Licenses

Table 3-2 ACE Licensing Options (continued)

Feature License Model Description

HTTP Compression Default 100-Mbps.

ACE-AP-C-500-LIC 500-Mbps.

ACE-AP-C-1000-LIC 1-Gbps.

ACE-AP-C-2000-LIC 2-Gbps.

ACE-AP-C-UP1 Upgrade from 500-Mbps to 1 Gbps.

ACE-AP-C-UP2 Upgrade from 500-Mbps to 2 Gbps.

ACE-AP-C-UP3 Upgrade from 1 Gbps to 2 Gbps.

Application Acceleration

t

ure Pack License

Fea

ACE-AP-OPT-LIC-K9 Application acceleration and optimization. By default,

the ACE performs up to 50 concurrent connections.
With the application acceleration and optimization
software feature pack installed, the ACE can provide
greater than 50 concurrent connections.

This license increases the operating capabilities
following features:

• Delta optimization

• Adaptive dynamic caching

Chapter 3 Managing ACE Software Licenses

of the

• FlashForward

• Dynamic Etag

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-4

OL-20823-01

Chapter 3 Managing ACE Software Licenses

Guidelines and Limitations

The ACE license guidelines and limitations are as follows:

• A demo license is valid for only 60 days. At the end of this period, you must update the demo license

with a permanent license to continue to use the ACE software. To view the expiration of a demo

license, use the show license usage command in Exec mode (see the “Displaying ACE License

Configurations and Statistics” section). ACE demo licenses are available through your Cisco

account representative.

• If you need to replace the ACE, you can copy and install the license file for the license onto the

replacement appliance.

Prerequisites

You must have the Admin role in the Admin context to install, remove, and update the license file.

Guidelines and Limitations

Default License Feature Capabilities

Table 3-3 lists the default feature capabilities of the ACE.

Tab l e 3-3 Default Capabilities Parameters

Parameter Default

Virtualization One Admin context, five user contexts

Performance 0.5 gigabit per second (Gbps) appliance throughput

Secure Sockets Layer (SSL) 100 transactions per second (TPS)

Hypertext Transfer Protocol (HTTP) compression 100 megabits per second (Mbps)

Application Acceleration 50 connections

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-5

Chapter 3 Managing ACE Software Licenses

Managing ACE Appliance Software Licenses

Managing ACE Appliance Software Licenses

This section includes the following topics:

• Tasks for Ordering an Upgrade License and Generating a Key

• Copying a License File to the ACE

• Installing a New or Upgrade License File

• Replacing a Demo License with a Permanent License

• Removing a License

• Backing Up an ACE License File

• Retrieving an ACE License File

Tasks for Ordering an Upgrade License and Generating a Key

This section describes the process that you use to order an upgrade license and to generate a license key
for your ACE.

Follow these steps to order an upgrade license:

Step 1 Order one of the licenses from the list in the “Information about ACE Licenses” section using any of the

available Cisco ordering tools on cisco.com.

Step 2 When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct

you to the Cisco.com website. As a registered user of Cisco.com, go to this URL:

http://www.cisco.com/go/license

Step 3 Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as

your proof of purchase.

Step 4 Provide all the requested information to generate a license key.

After the system generates the license key, you will recei
file and installation instructions.

Step 5 Save the attached license file to a remote server that you can access from the ACE. Save the license key

e-mail in a safe place in case you need it in the future (for example, to transfer the license to another
ACE).

What to Do Next

Copy the license file to the ACE (see the “Copying a License File to the ACE” section).

Copying a License File to the ACE

ve a license key e-mail with an attached license

This section describes how to copy an ACE license file from a remote server to the ACE. For detailed
information on copying files from a remote server, see Chapter 4, Managing the ACE Software.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-6

OL-20823-01

Chapter 3 Managing ACE Software Licenses

Prerequisites

The license file must reside on a remote server that you can access from the ACE.

You must be in the Admin context to copy the file to disk0: on the ACE.

Detailed Steps

Command Purpose

copy tftp:[//server[/path/][/filename]]
disk0:[path/]filename

Example:

host1/Admin# copy
tf

//track/license/ACE-AP-VIRT-020.lic

tp:

disk0:

Managing ACE Appliance Software Licenses

Copies the file to disk0: on the ACE.

The arguments and keywords are as follows:

• [//server[/path/][/filename]]—The path to the network

server. This path is optional because the ACE prompts you
for this information if you omit it.

• disk0:[path/]filename—Specifies that the file destination is

the disk0: directory of the current context and the filename.
If you do not provide the optional path, the ACE copies the
file to the root directory on the disk0: file system.

What to Do Next

If the license is a demo or permanent license for a new or upgrade installation, see the “Installing a New

or Upgrade License File” section.

If the license is a permanent license re

placing a demo license, see the “Replacing a Demo License with

a Permanent License” section.

Installing a New or Upgrade License File

This section describes how to install a license after you copy a demo or permanent license file to the
ACE for a new or upgrade installation (see the “Copying a License File to the ACE” section). All license
installations except one have no adverse impact to an oper
connections are not interrupted. In a redundant configuration, mismatched context licenses between the
active and the standby ACEs cause the active ACE to generate a syslog message (if logging is enabled)
and to disable configuration synchronization. After you install the correct matching license on the
standby ACE, the software automatically detects the new license and restores normal operation.

For information about replacing a demo license w

License with a Permanent License” section.

Restrictions

This topic includes the following restrictions:

• You must have the Admin role in the Admin context to install or upgrade the license file.

ating ACE. No reboot is required and existing

i

th a permanent one, see the “Replacing a Demo

• If you install a context demo license, make sure that you save the Admin running configuration and

all user context running configurations to a remote server. If you allow a context license to expire,
the ACE automatically removes all user contexts from the Admin running configuration and all
configurations for the user contexts.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-7

Managing ACE Appliance Software Licenses

• In a redundant configuration, mismatched context licenses between the active and the standby ACEs

cause the active ACE to generate a syslog message (if logging is enabled) and to disable
configuration synchronization. After you install the correct matching license on the standby ACE,
the software automatically detects the license and restores normal operation.

Detailed Steps

Command Purpose

license install disk0:[

target_filename

[

Example:
host1/Admin# license install disk0:
ACE-AP-02-LIC.li

show license brief

]

c

path/]filename

Chapter 3 Managing ACE Software Licenses

Installs or upgrades a license on your ACE.

The arguments are as follows:

• [path/]filename—License stored on the disk0: file system. If

you do not specify the optional path, the ACE looks for the
file in the root directory.

• target_filename—(Optional) Target filename for the license

file.

(Optional) Displays the installed licenses.

Example:
host1/Admin# show license brief

Examples

To install a license file for an SSL 5000 TPS license, enter:

host1/Admin# license install disk0:ACE-AP-SSL-05K-K9.lic

To install a license file for a 20 context license, enter:

host1/Admin# license install disk0:ACE-VIRT-020.lic

Replacing a Demo License with a Permanent License

This section describes how replace an ACE demo license with a permanent license. If you installed a
demo license, four weeks before the license expires, the ACE generates warning syslog messages once
a day. During the final week, a warning syslog message occurs once an hour. Before this period ends,
you must update the demo license with a permanent license. Otherwise, the ACE will revert to its
previous bandwidth, SSL TPS, or number of contexts.

After you copy the permanent license file to the ACE (see the “C
section), you can install it.

Restrictions

op

ying a License File to the ACE”

This topic includes the following restrictions:

• You must have the Admin role in the Admin context to update the demo license file with a permanent

file.

• If you replace the context demo license with a permanent license, you can continue to use the

configured user contexts on the ACE. However, if you allow a context license to expire, the ACE
automatically removes all user contexts from the Admin running configuration and all

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-8

OL-20823-01

Chapter 3 Managing ACE Software Licenses

configurations for the user contexts. Before a context license expires, save the Admin running
configuration and the user context running configurations to a remote server. To view the expiration

of the demo license, use the show license usage command in Exec mode from the Admin context.

Detailed Steps

Command Purpose

license update disk0:[

demo_filename

Example:
host1/Admin# license update
disk0:ACE-AP-VIRT-020.lic ACE-AP-VIRT-020

Removing a License

path/]permanent_filename

-DEMO.lic

Managing ACE Appliance Software Licenses

Replaces a demo license with a permanent license.

The arguments are as follows:

• [path/]permanent_filename—Filename for the

permanent license file that you copied onto the
ACE.

• demo_filename—Filename for the demo license

file that the permanent license file is replacing.

This section describes how to remove an installed license from the ACE and includes the following
topics:

• Removing a Performance Throughput, HTTP Compression, Application Acceleration License, or

SSL License

• Removing a Virtual Context License

Removing a Performance Throughput, HTTP Compression, Application Acceleration License, or SSL
License

This section describes how to remove a Performance Throughput, HTTP Compression, Application
Acceleration License, or SSL License.

Note When you use the clear startup-config or the write erase command, the ACE does not remove license

files from the startup-configuration file.

Restrictions

This topics includes the following restrictions:

• You must have the Admin role in the Admin context to remove the license file.

• Performance throughput license removal—Table 3-4 lists the currently installed performance

throughput, the type of license on the ACE, and the remaining number of context after the license is
removed.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-9

Managing ACE Appliance Software Licenses

Table 3-4 Performance Throughput License Removal

Current performance throughput Applicable licenses Results of license removal

0.5-Gbps throughput Not applicable —

1-Gbps throughput ACE-AP-01-LIC 0.5-Gbps throughput

2-Gbps throughput ACE-AP-02-LIC 0.5-Gbps throughput

4-Gbps throughput ACE-AP-04-LIC 0.5-Gbps throughput

• SSL license removal—When you uninstall an SSL license, it reduces SSL TPS performance to 1000

TPS on the ACE.

• HTTP compression performance license removal—The current compression capability and type of

compression licenses currently installed on the ACE determines which license you can remove.

Table 3-5 lists the currently installed compression license on the ACE and the remaining

compression capability after the license is removed.

Chapter 3 Managing ACE Software Licenses

ACE-AP-02-UP1 1 -Gbps throughput

ACE-AP-04-UP1 1-Gbps throughput

ACE-AP-04-UP2 2-Gbps throughput

Table 3-5 Compression License Removal

Current compression capability Applicable licenses Results of license removal

100 Mbps (default) Not applicable —

500 Mbps ACE-AP-C-500-LIC 100 Mbps

1 Gbps ACE-AP-C-1000-LIC 100 Mbps

ACE-AP-C-UP1 500 Mbps

2 Gbps ACE-AP-C-2000-LIC 100 Mbps

ACE-AP-C-UP2 500 Mbps

ACE-AP-C-UP3 1 Gbps

• Application acceleration software feature pack removal—With the application acceleration software

feature pack installed, the ACE can support approximately 1,000 concurrent connections under
typical usage conditions. When you uninstall the software feature pack, the ACE is capable of 50
connections per second. For more information on the application acceleration and optimization
capabilities of the ACE and configuring these capabilities, see the Ci

sco 4700 Series Application

Control Engine Appliance Application Acceleration and Optimization Configuration Guide.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-10

OL-20823-01

Chapter 3 Managing ACE Software Licenses

Detailed Steps

Command Purpose

license uninstall

Example:

host1/Admin# license uninstall disk0:
ACE-AP-02-LIC.lic

license_filename

Removing a Virtual Context License

This section describes how to removes a virtual context license.

Prerequisite

Managing ACE Appliance Software Licenses

Removes a performance throughput license, HTTP compression
performance license, application acceleration software feature
pack, or SSL TPS.

ile

The license_f
license file that you want to remove. Enter the license filename as
an unquoted text string with no spaces.

name argument specifies the filename of the

Restrictions

Caution Before removing any virtual context license, save the Admin running configuration and the user context

running configurations to a remote server. When you remove a demo or permanent virtual context
license, the ACE removes all user contexts from the Admin running configuration. By removing the user
contexts, their running and startup configurations are also removed from the ACE.

This topic includes the following restrictions:

• You must have the Admin role in the Admin context to remove the license file.

• The number of virtual contexts and type of licenses currently installed on the ACE determines which

license you can remove. Table 3-6 lists the currently installed contexts, the type of license on the
ACE, and the remaining number of context after the license is removed.

Table 3-6 VIrtual Context License Removal

Current number of contexts Applicable licenses Results of license removal

5 (default) Not applicable —

20 ACE-AP-VIRT-020 5 contexts

Follow these steps to remove a context license:

Step 1 Save the Admin and user context running configurations to a remote server by entering the copy

running-config command in Exec mode in each context. For more information on this command, see

Chapter 4, Managing the ACE Software.

For example, to copy the Admin running configuration to an TFTP server as R-CONFIG-ADM, enter:

host1/Admin# copy running-config tftp://192.168.1.2/R-CONFIG-ADM

To copy the C1 user context running configuration to an TFTP server, access the C1 context and enter:

host1/C1# copy running-config tftp://192.168.1.2/R-CONFIG-C1

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-11

Managing ACE Appliance Software Licenses

Step 2 Remove the license with the license uninstall command. For example, to remove the

ACE-VIRT-250.LIC license, enter:

host1/Admin# license uninstall ACE-AP-VIRT-020.lic

The ACE displays the following messages and prompt:

Clearing license ACE-AP-VIRT-020.lic:
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-AP-VIRT-020 cisco 1.0 permanent 1 \
VENDOR_STRING=<count>1</count> HOSTID=ANY \
NOTICE=”<LicFileID>20051103151315824</LicFileID><LicLineID>1</LicLineID> \
<PAK></PAK>” SIGN=86A13B1EA2F2

INCREMENT ACE-AP-VIRT-020 cisco 1.0 permanent 1 \
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! WARNING: Uninstalling virtual context license will automatically!!
!!! cleanup all the user context configurations, please backup the !!
!!! configurations before proceeding further with uninstallation !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Do you want to continue? (y/n)

Step 3 If you have not saved the running configurations for the Admin and user contexts to a remote server,

enter n. Go to Step 1
If you saved the running configurations for the Admin and user contexts to a remote server, enter y.

During the license removal, the ACE removes the user conte
configuration, causing the deletion of all user contexts including their running and startup
configurations.

Chapter 3 Managing ACE Software Licenses

x

t configurations from the Admin running

Step 4 Display the current number of supported contexts on the ACE by entering the show license status

command in Exec mode of the Admin context.

Step 5 Determine which contexts you want to keep in the Admin running configuration. Using a text editor,

manually remove the extra context configurations from the Admin running configuration on the remote
server.

x

If the Admin running configuration contains more conte

ts than what the ACE supports and you copy
this configuration to the ACE, the ACE rejects contexts that exceed the supported limit. For example, if
the running configuration contains 20 contexts, when you remove the license, the ACE supports five
contexts. If you attempt to copy the configuration with all 20 contexts, the ACE allows the first five
contexts, fails the remaining contexts, and displays error messages on the console.

Note You can also manually recreate the user contexts in the running configuration that is currently

on the ACE. If you do, go to Step7.

Step 6 Retrieve the modified Admin running configuration from the remote server. For example, to copy the

R-CONFIG-ADM Admin running configuration from the TFTP server, enter:

host1/Admin# copy tftp://192.168.1.2/R-CONFIG-ADM running-config

Step 7 Copy the Admin running configuration to the startup-configuration file. For example, enter:

host1/Admin# copy running-config startup-config

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-12

OL-20823-01

Chapter 3 Managing ACE Software Licenses

Note If you do not update the startup configuration with the latest running configuration, when the

ACE restarts, it uses the startup configuration with the extra contexts. The ACE allows the
number of contexts that the license supports, but fails the remaining contexts.

Step 8 Access the user context, and copy its running configurations from the remote server. For example, to

copy the C1 user context running configuration from the TFTP server, access the C1 context and enter:

host1/C1# tftp://192.168.1.2/R-CONFIG-C1 copy running-config

Step 9 Copy the user context running configuration to the startup-configuration file. For example, enter:

host1/Admin# copy running-config startup-config

Step 10 Repeat Steps 8 and 9 until you retrieve the running configurations for all user contexts configured in the

Admin configuration.

Backing Up an ACE License File

Managing ACE Appliance Software Licenses

This section describes how to back up an ACE license file. To protect your license files, we recommend
that you back up your license files (in .tar format) to the ACE Flash disk.

Restrictions

You must be in the Admin context to back up an ACE license file.

Detailed Steps

Command Purpose

copy licenses disk0:[path/]filename.tar

Example:

host1/Admin# copy licenses

:mylicenses.tar

disk0

Retrieving an ACE License File

Backs up your license files to the ACE Flash disk as tar files.

The keyword and argument are as follows:

• disk0:—Specifies that the backup license file is copied to the

disk0: file system.

• [path/]filename.tar—Destination filename for the backup

licenses. The destination filename must have a .tar file
extension.

This section describes how retrieve an ACE license file. If you accidently remove or lose the license on
the ACE, you can untar your backup license file and then reinstall it.

Restrictions

You must be in the Admin context to retrieve an ACE license file.

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-13

Chapter 3 Managing ACE Software Licenses

Displaying ACE License Configurations and Statistics

Detailed Steps

Command Purpose

untar disk0:[

Example:

host1/Admin# untar disk0:mylicenses.tar

path/]filename.tar

Untars the backup file should you need to reinstall it because you
accidently removed or lost the license.

The [path/]f

ilename.tar argument is the filename of the .tar

backup license file.

For information on installing the license, s

ee the “Installing a

New or Upgrade License File” section.

Displaying ACE License Configurations and Statistics

To display license information about your ACE, perform one of the following tasks in the Admin context
only:

Command Purpose

show license [brief | fil

e filename | internal

event-history | status | usage]

Displays all or some of the license information.

Entering this Exec mode command without any options and arguments
displays all

installed ACE license files and their contents.

The options and arguments for this command are as follows:

• brief—Displays a list of the currently installed licenses.

• file filename—Displays the file contents of the specified license.

• internal event-history—Displays a history of licensing-related

events.

• status—Displays the status of licensed features (see Table 3 - 7).

• usage—Displays the usage table for all licenses (see Tab le 3 - 8).

show versi on Displays license information.

Table 3-7

Tab l e 3-7 Field Descriptions for the show license status Command Output

describes the fields in the sh

ow license status command output.

Field Description

Licensed Feature List including the ACE virtualized contexts, the SSL transactions per s

optimization concurrent connections, and the appliance bandwidth feature.

n

Count Number of ACE-supported contexts, SSL tra

sactions per second (TPS), application acceleration and
optimization concurrent connections, and bandwidth in gigabits per second (Gbps). This information also
provides the default number of contexts, SSL TPS, and appliance bandwidth that the ACE supports when
a license is not installed.

econd, application acceleration and

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-14

OL-20823-01

Chapter 3 Managing ACE Software Licenses

Table 3-8 describes the fields in the show license usage command output.

Tab l e 3-8 Field Descriptions for the show license usage Command Output

Field Description

License Name of the license.

Ins Whether the license is installed (Yes or No).

Lic Count Number of licenses for this feature.

Status Current state of the feature (In use or Unused).

Expiry Date Date when the demo license expires, as defined in the

displays Never.

Comments Licensing errors, if any.

Displaying ACE License Configurations and Statistics

li

cense file. If the license is permanent, this field

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-15

Displaying ACE License Configurations and Statistics

Chapter 3 Managing ACE Software Licenses

Cisco 4700 Series Application Control Engine Appliance Administration Guide

3-16

OL-20823-01

Managing the ACE Software

This chapter describes how to manage the software running on the Cisco 4700 Series Application
Control Engine (ACE) appliance and contains the following major sections:

• Saving Configuration Files

• Copying Configuration Files from a Remote Server

• Using the File System on the ACE

• Managing Core Dump Files

• Capturing Packet Information

• Using the Configuration Checkpoint and Rollback Service

• Reformatting the Flash Memory

Saving Configuration Files

CHAPTER

4

Upon startup, the ACE loads the startup-configuration file stored in Flash memory (nonvolatile memory)
to the running-configuration file stored in RAM (volatile memory). When you partition your ACE into
multiple contexts, each context contains its own startup-configuration file.

ach e

Flash memory stores the startup-configuration files for e
context, the ACE creates a new context directory in Flash memory to store the context-specific
startup-configuration files. When you copy a configuration file from the ACE, you create a copy of the
configuration information of the context from where you executed the command.

When you make configuration changes, the ACE places t
file called the running-config, which is associated with the context that you are working in. When you
enter a CLI command, the change is made only to the running-configuration file in volatile memory.
Before you log out or reboot the ACE, copy the contents of the running-configuration file to the
startup-configuration file (startup-config) to save configuration changes for the current context to Flash
memory. The ACE uses the startup-configuration file on subsequent reboots.

This section contains the following topics:

• Saving the Configuration File in Flash Memory

• Saving Configuration Files to a Remote Server

• Copying the Configuration File to the disk0: File System

• Merging the Startup-Configuration File with the Running-Configuration File

• Clearing the Startup-Configuration File

xisting context. When you create a new

h

ose changes in a virtual running-configuration

OL-20823-01

Cisco 4700 Series Application Control Engine Appliance Administration Guide

4-1

Saving Configuration Files

• Displaying Configuration File Content

Saving the Configuration File in Flash Memory

This section describes how to save the contents of the running-configuration file in RAM (volatile
memory) to the startup-configuration file for the current context in Flash memory (nonvolatile memory)
on the ACE.

Detailed Steps

Command Purpose

copy running-config startup-config

Example:

host1/Admin# copy running-config
startup-config

write memory [all]

Example:

host1/Admin# write memory all

Copies the contents of the running-configuration file to the
startup-configuration file.

Copies the contents of the running-configuration file to the
startup-configuration file.

The optional all k

eyword saves configurations for all existing contexts.

This keyword is available only in the Admin context.

When used without the all ke

the running-configuration file for the current context to the
startup-configuration file.

Chapter 4 Managing the ACE Software

yword, this command copies the contents of

Note After you save the contents of the running-configuration file for

the current user context to the startup-configuration file, you
should also save the changes to the Admin context
startup-configuration file, which contains all configurations that
are used to create each user context.

Saving Configuration Files to a Remote Server

This section describes how to save the running-configuration file or startup-configuration file to a remote
server using File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), or Trivial Transfer
Protocol (TFTP). The copy serves as a backup file for the running-configuration file or
startup-configuration file for the current context. Before installing or migrating to a new software
version, back up the ACE startup-configuration file to a remote server using FTP, SFTP, or TFTP. When
you name the backup file, we recommend that you name it in such a way that you can easily tell the
context source of the file (for example, running-config-ctx1, startup-config-ctx1).

Cisco 4700 Series Application Control Engine Appliance Administration Guide

4-2

OL-20823-01

Chapter 4 Managing the ACE Software

Detailed Steps

Command Purpose

copy {running-config | startup-config}
{ftp:

//server/path[/filename

sftp://[
tftp:

username@]server/path[/filename

//server[:port]/path[/filename

] |

]}

] |

Saves the running-configuration file or startup-configuration file to a
remote server using FTP, SFTP, or FTP.

The keywords, arguments, and options are as follows:

Saving Configuration Files

Example:
host1/Admin# copy running-config
ftp://192.168.1.
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password: password1
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
####

2/running-config_Adminct

x

• running-config—Specifies the running-configuration file

currently residing on the ACE in volatile memory.

• startup-config—Specifies the startup-configuration file

currently residing on the ACE in Flash memory.

• ftp://server/path[/filename]—Specifies the FTP network server

and, optionally, the renamed configuration file.

When using FTP, the bin (binary) fi

le transfer mode is intended

for transferring compiled files (executables). The ascii file

transfer mode is intended for transferring text files, such as config
files. The default selection of bin should be sufficient in all cases
when copying files to a remote FTP server.

• sftp://[username@]server/path[/filename]—Specifies the SFTP

network server and, optionally, the renamed configuration file.

• tftp://server[:port]/path[/filename]—Specifies the TFTP

network server and, optionally, the renamed configuration file.

When you select a destination file system using ftp:, sftp:, or tftp:

,

the ACE performs the following tasks:

• Prompts you for your username and password if the destination

file system requires user authentication.

• Prompts you for the server information if you do not provide the

information with the command.

• Copies the file to the root directory of the destination file system

if you do not provide the path information.

Copying the Configuration File to the disk0: File System

This section describes how to copy the running-configuration file or the startup-configuration file to the
disk0: file system in Flash memory on the ACE.

Cisco 4700 Series Application Control Engine Appliance Administration Guide

OL-20823-01

4-3

Chapter 4 Managing the ACE Software

Saving Configuration Files

Detailed Steps

Command Purpose

copy {running-config | startup-config}
disk0:[

Example:

host1/Admin# copy running-config
disk0:running-config_copy

path/]filename

Copies either the running configuration of the startup configuration to a
file on the disk0: file system in Flash memory.

The keywords and arguments are as follows:

• running-config—Specifies the running-configuration file currently

residing on the ACE in RAM (volatile memory).

• startup-config—Specifies the startup-configuration file currently

residing on the ACE in Flash memory (nonvolatile memory).

• [path/]filename—Path in the disk0: file system. If you do not provide

the optional path, the ACE copies the file to the root directory on the
disk0: file system.

Merging the Startup-Configuration File with the Running-Configuration File

This section describes how to merge the contents of the startup-configuration file into the
running-configuration file. This process copies any additional configurations from the
startup-configuration file into the running-configuration file. If any common commands exist in both
files, the startup-configuration file overwrites the attributes in the running-configuration file.

Detailed Steps

Command Purpose

copy startup-config running-config

Example:

host1/Admin# copy startup-config
running-config

Merges the contents of the startup-configuration file into the
running-configuration file.

Displaying Configuration File Content

To display the content of the running- and startup-configuration files, perform one of the following tasks:

Cisco 4700 Series Application Control Engine Appliance Administration Guide

4-4

OL-20823-01