Cisco ACE-4710-K9, 4700 Series Administration Manual
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-11157-01
Cisco 4700 Series Application Control
Engine Appliance Administration Guide
Software Version A1(7)
November 2007
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
P
ACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compress
ion is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PR
OVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NO
NINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR A
NY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
CCDE, CCVP, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Networ
k are trademarks; Changing the Way We
Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE,
CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the
Cis
co Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, Eth
erChannel, EtherFast, EtherSwitch, Event Center, Fast
Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness
Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace,
MGX, Networkers, Networking Academy,
Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to
Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the
Uni
ted States and certain other countries.
All other trademarks mentioned in this document or Website are the
property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0801R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display ou
tput, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
Cisco 4700 Series Application Control Engine Appliance Administration Guide
Copyright © 2007 Cisco Systems, Inc. All rights reserved.
iii
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
CONTENTS
Preface xv
Audience xvi
How to Use This Guide xvi
Related Documentation xviii
Symbols and Conventions xxi
Obtaining Documentation, Obtaining Support, and Security Guidelines xxiii
Open Source License Acknowledgements xxiii
OpenSSL/Open SSL Project xxiii
License Issues xxiii
CHAPTER
1 Setting Up the ACE 1-1
Establishing a Console Connection on the ACE 1-2
Using the Setup Script to Enable Connectivity to the Device Manager 1-3
Connecting and Logging into the ACE 1-7
Changing the Administrative Password 1-9
Resetting the Administrator CLI Account Password 1-10
Assigning a Name to the ACE 1-12
Configuring an ACE Inactivity Timeout 1-12
Configuring a Message-of-the-Day Banner 1-13
Configuring the Time, Date, and Time Zone 1-15
Setting the System Time and Date 1-15
Setting the Time Zone 1-16
Adjusting for Daylight Saving Time 1-19
Contents
iv
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Viewing the System Clock Settings 1-21
Synchronizing the ACE with an NTP Server 1-21
Configuring NTP Server and Peer Associations 1-22
Viewing NTP Statistics and Information 1-23
.Clearing NTP Statistics 1-28
Configuring Terminal Settings 1-30
Configuring Terminal Display Attributes 1-30
Configuring Terminal Line Settings 1-32
Configuring Console Line Settings 1-32
Configuring Virtual Terminal Line Settings 1-34
Modifying the Boot Configuration 1-35
Setting the Boot Method from the Configuration Register 1-35
Setting the BOOT Environment Variable 1-37
Configuring the ACE to Bypass the Startup Configuration File During the Boot
Process
1-38
Displaying the ACE Boot Configuration 1-41
Restarting the ACE 1-41
Shutting Down the ACE 1-42
CHAPTER
2 Enabling Remote Access to the ACE 2-1
Remote Access Configuration Quick Start 2-2
Configuring Remote Network Management Traffic Services 2-4
Creating and Configuring a Remote Management Class Map 2-5
Defining a Class Map Description 2-6
Defining Remote Network Management Protocol Match Criteria 2-7
Creating a Layer 3 and Layer 4 Remote Access Policy Map 2-9
Creating a Layer 3 and Layer 4 Policy Map for Network Management
Traffic Received by the ACE
2-9
Defining a Layer 3 and Layer 4 Policy Map Description 2-10
v
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Contents
Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic
Policy
2-10
Defining Layer 3 and Layer 4 Management Traffic Policy Actions 2-12
Applying a Service Policy 2-13
Configuring Telnet Management Sessions 2-15
Configuring SSH Management Sessions 2-16
Configuring Maximum Number of SSH Sessions 2-16
Generating SSH Host Key Pairs 2-17
Terminating an Active User Session 2-19
Enabling ICMP Messages to the ACE 2-19
Directly Accessing a User Context Through SSH 2-21
Example of a Remote Access Configuration 2-23
Viewing Session Information 2-24
Showing Telnet Session Information 2-24
Showing SSH Session Information 2-26
Showing SSH Session Information 2-26
Showing SSH Key Details 2-27
CHAPTER
3 Managing ACE Software Licenses 3-1
Available ACE Licenses 3-2
Ordering an Upgrade License and Generating a Key 3-5
Copying a License File to the ACE 3-6
Installing a New or Upgrade License File 3-7
Replacing a Demo License with a Permanent License 3-8
Removing a License 3-9
Removing an Appliance Performance Throughput License 3-10
Removing an SSL TPS License 3-10
Removing a Virtualization Context License 3-10
Removing an HTTP Compression Performance License 3-13
Contents
vi
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Removing the Application Acceleration Software Feature Pack License 3-14
Backing Up a License File 3-15
Displaying License Configurations and Statistics 3-16
CHAPTER
4 Configuring Class Maps and Policy Maps 4-1
Class Map and Policy Map Overview 4-2
Class Maps 4-5
Policy Maps 4-6
Service Policies 4-9
Class Map and Policy Map Configuration Quick Start 4-10
Configuring Layer 3 and Layer 4 Class Maps 4-24
Defining Layer 3 and Layer 4 Classifications for Network Traffic Passing
Through the ACE
4-24
Creating a Layer 3 and Layer 4 Network Traffic Class Map 4-25
Defining a Class Map Description 4-27
Defining Access-List Match Criteria 4-28
Defining Match Any Criteria 4-28
Defining Destination IP Address and Subnet Mask Match Criteria 4-29
Defining TCP/UDP Port Number or Port Range Match Criteria 4-30
Defining the Source IP Address and Subnet Mask Match Criteria 4-31
Defining the VIP Address Match Criteria 4-32
Defining Layer 3 and Layer 4 Classifications for Network Management Traffic
Received by the ACE
4-35
Creating a Layer 3 and Layer 4 Network Management Traffic Class
Map
4-35
Defining Network Management Access Match Criteria 4-37
Configuring Layer 7 Class Maps 4-38
Defining Layer 7 Classifications for HTTP Server Load Balancing 4-39
Defining Layer 7 Classifications for HTTP Deep Packet Inspection 4-41
Defining Layer 7 Classifications for FTP Command Inspection 4-42
vii
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Contents
Configuring a Layer 3 and Layer 4 Policy Map 4-43
Creating a Layer 3 and Layer 4 Policy Map for Network Management Traffic
Received by the ACE
4-44
Creating a Layer 3 and Layer 4 Policy Map for Network Traffic Passing
Through the ACE
4-45
Defining a Layer 3 and Layer 4 Policy Map Description 4-45
Specifying a Layer 3 and Layer 4 Traffic Class With the Traffic Policy 4-46
Specifying Layer 3 and Layer 4 Policy Actions 4-47
Using Parameter Maps in a Layer 3 and Layer 4 Policy Map 4-49
Configuring a Layer 7 Policy Map 4-50
Creating a Layer 7 Policy Map 4-51
Adding a Layer 7 Policy Map Description 4-53
Including Inline Match Statements in a Layer 7 Policy Map 4-53
Specifying a Layer 7 Traffic Class with the Traffic Policy 4-54
Specifying Layer 7 Policy Actions 4-55
Associating the Layer 7 Policy Map with a Layer 3 and Layer 4 Policy
Map
4-57
Applying a Service Policy 4-58
Class Maps and Policy Map Examples 4-60
Firewall Example 4-60
Layer 7 Load-Balancing Example 4-63
Layer 3 and Layer 4 Load-Balancing Example 4-65
VIP With Connection Parameters Example 4-66
Example of a Traffic Policy Configuration 4-68
Viewing Class Maps, Policy Maps, and Service Policies 4-71
Displaying Class Map Configuration Information 4-71
Displaying Policy Map Configuration Information 4-71
Displaying Service Policy Configuration Information 4-72
Contents
viii
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
CHAPTER
5 Managing the ACE Software 5-1
Saving Configuration Files 5-1
Saving the Configuration File in Flash Memory 5-3
Saving Configuration Files to a Remote Server 5-4
Copying the Configuration File to the disk0: File System 5-5
Merging the Startup-Configuration File with the Running-Configuration
File
5-6
Viewing Configuration Files 5-7
Viewing User Context Running-Config Files from the Admin Context 5-10
Clearing the Startup-Configuration File 5-10
Loading Configuration Files from a Remote Server 5-11
Using the File System on the ACE 5-12
Listing the Files in a Directory 5-13
Copying Files 5-15
Copying Files to Another Directory on the ACE 5-15
Copying Licenses 5-16
Copying a Packet Capture Buffer 5-16
Copying Files to a Remote Server 5-17
Copying Files from a Remote Server 5-19
Copying an ACE Software System Image to a Remote Server 5-20
Uncompressing Files in the disk0: File System 5-21
Untarring Files in the disk0: File System 5-22
Creating a New Directory 5-22
Deleting an Existing Directory 5-23
Moving Files 5-23
Deleting Files 5-24
Displaying File Contents 5-25
Saving show Command Output to a File 5-26
Viewing and Copying Core Dumps 5-27
Copying Core Dumps 5-28
ix
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Contents
Clearing the Core Directory 5-29
Deleting a Core Dump File 5-29
Capturing and Copying Packet Information 5-30
Capturing Packet Information 5-30
Copying Capture Buffer Information 5-32
Viewing Packet Capture Information 5-33
Using the Configuration Checkpoint and Rollback Service 5-37
Overview 5-37
Creating a Configuration Checkpoint 5-38
Deleting a Configuration Checkpoint 5-38
Rolling Back a Running Configuration 5-39
Displaying Checkpoint Information 5-39
Reformatting Flash Memory 5-40
CHAPTER
6 Viewing ACE Hardware and Software Configuration Information 6-1
Displaying Software Version Information 6-2
Displaying Software Copyright Information 6-3
Displaying Hardware Information 6-3
Displaying the Hardware Inventory 6-4
Displaying ACE Environment Information 6-5
Displaying System Processes 6-6
Displaying Process Status Information and Memory Resource Limits 6-11
Displaying System Information 6-14
Displaying ICMP Statistics 6-16
Displaying Technical Support Information 6-17
CHAPTER
7 Configuring Redundant ACE Appliances 7-1
Overview of Redundancy 7-1
Contents
x
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Redundancy Protocol 7-2
Stateful Failover 7-5
FT VLAN 7-6
Configuration Synchronization 7-7
Configuration Requirements and Restrictions 7-8
Redundancy Configuration Quick Start 7-8
Configuring Redundancy 7-12
Configuring an FT VLAN 7-12
Creating an FT VLAN 7-13
Configuring an FT VLAN IP Address 7-13
Configuring the Peer IP Address 7-14
Enabling the FT VLAN 7-15
Configuring an Alias IP Address 7-15
Configuring an FT Peer 7-16
Associating the FT VLAN with the Local Peer 7-16
Configuring the Heartbeat Interval and Count 7-17
Configuring a Query Interface 7-18
Configuring an FT Group 7-19
Associating a Context with an FT Group 7-19
Associating a Peer with an FT Group 7-20
Assigning a Priority to the Active FT Group Member 7-20
Assigning a Priority to the Standby FT Group Member 7-21
Configuring Preemption 7-22
Placing an FT Group in Service 7-23
Modifying an FT Group 7-23
Forcing a Failover 7-24
Synchronizing Redundant Configurations 7-25
Configuring Tracking and Failure Detection 7-28
Overview of Tracking and Failure Detection 7-28
Configuring Tracking and Failure Detection for a Host or Gateway 7-29
xi
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Contents
Creating a Tracking and Failure Detection Process for a Host or
Gateway
7-30
Configuring the Gateway or Host IP Address Tracked by the Active
Member
7-30
Configuring a Probe on the Active Member for Host Tracking 7-31
Configuring a Priority on the Active Member for Multiple Probes 7-32
Configuring the Gateway or Host IP Address Tracked by the Standby
Member
7-32
Configuring a Probe on the Standby Member for Host Tracking 7-33
Configuring a Priority on the Standby Member for Multiple Probes 7-33
Example of a Tracking Configuration for a Gateway 7-34
Configuring Tracking and Failure Detection for an Interface 7-35
Creating a Tracking and Failure Detection Process for an Interface 7-35
Configuring the Interface Tracked by the Active Member 7-36
Configuring a Priority for a Tracked Interface on the Active Member 7-36
Configuring the Interface Tracked by the Standby Member 7-37
Configuring a Priority for a Tracked Interface on the Standby
Member
7-37
Example of a Tracking Configuration for an Interface 7-38
Example of a Redundancy Configuration 7-38
Displaying Redundancy Information 7-41
Displaying Redundancy Configurations 7-41
Displaying FT Group Information 7-41
Displaying the IDMAP Table 7-46
Displaying the Redundancy Internal Software History 7-47
Displaying Memory Statistics 7-47
Displaying Peer Information 7-47
Displaying FT Statistics 7-51
Displaying FT Tracking Information 7-54
Clearing Redundancy Statistics 7-58
Clearing FT Statistics 7-58
Contents
xii
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Clearing the Redundancy History 7-58
CHAPTER
8 Configuring SNMP 8-1
SNMP Overview 8-2
Managers and Agents 8-3
SNMP Manager and Agent Communication 8-4
SNMP Traps and Informs 8-5
SNMPv3 CLI User Management and AAA Integration 8-6
CLI and SNMP User Synchronization 8-6
Supported MIBs and Notifications 8-7
SNMP Limitations 8-24
SNMP Configuration Quick Start 8-25
Configuring SNMP Users 8-27
Defining SNMP Communities 8-29
Configuring an SNMP Contact 8-31
Configuring an SNMP Location 8-31
Configuring SNMP Notifications 8-32
Configuring SNMP Notification Hosts 8-32
Enabling SNMP Notifications 8-34
Enabling the IETF Standard for SNMP linkUp and linkDown Traps 8-36
Assigning a Trap-Source Interface for SNMP Traps 8-37
Configuring SNMP Management Traffic Services 8-38
Creating and Configuring a Layer 3 and Layer 4 Class Map 8-39
Defining a Class Map Description 8-40
Defining SNMP Protocol Match Criteria 8-41
Creating a Layer 3 and Layer 4 Policy Map 8-42
Creating a Layer 3 and Layer 4 Policy Map for SNMP Network
Management Traffic Received by the ACE
8-42
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy 8-43
xiii
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Contents
Specifying Layer 3 and Layer 4 Policy Actions 8-44
Applying a Service Policy 8-45
Example of an SNMP Configuration 8-47
Displaying SNMP Statistics 8-50
CHAPTER
9 Configuring the XML Interface 9-1
XML Overview 9-2
XML Usage with the ACE 9-2
HTTP and HTTPS Support with the ACE 9-4
HTTP Return Codes 9-5
Document Type Definition 9-7
Sample XML Configuration 9-9
XML Configuration Quick Start 9-11
Configuring HTTP and HTTPS Management Traffic Services 9-13
Creating and Configuring a Class Map 9-14
Defining a Class Map Description 9-15
Defining HTTP and HTTPS Protocol Match Criteria 9-16
Creating a Layer 3 and Layer 4 Policy Map 9-17
Creating a Layer 3 and Layer 4 Policy Map for Network Management
Traffic Received by the ACE
9-17
Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy 9-18
Specifying Layer 3 and Layer 4 Policy Actions 9-20
Applying a Service Policy 9-20
Enabling the Display of Raw XML Request show Command Output in XML
Format
9-24
Accessing the ACE DTD File 9-27
APPENDIX
A Upgrading Your ACE Software A-1
Overview of Upgrading ACE Software A-2
Contents
xiv
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Before You Begin A-2
Changing the Admin Password A-2
Changing the www User Password A-3
Checking Your Configuration for FT Priority and Preempt A-3
Creating a Checkpoint A-3
Software Upgrade Quick Start A-4
Copying the Software Upgrade Image to the ACE A-7
Configuring the ACE to Autoboot the Software Image A-8
Setting the Boot Variable A-8
Configuring the Configuration Register to Autoboot the Boot Variable A-9
Verifying the Boot Variable and Configuration Register A-10
Reloading the ACE A-10
Displaying Software Image Information A-11
I
NDEX
xv
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Preface
This guide provides instructions for the administration of the Cisco 4700 Series
Application Control Engine (ACE) appliance. It describes how to perform
administration tasks on the ACE, including initial setup, establish remote access,
manage software licenses, configure class maps and policy maps, manage the
ACE software, configure SNMP, configure redundancy, configure the XML
interface, and upgrade your ACE software.
You can configure the ACE by using the following interfaces:
• The command-line interface (CLI), a line-oriented user interface that
provides commands for configuring, managing, and monitoring the ACE.
• Device Manager graphic user interface (GUI), a Web browser-based GUI
interface that provides a graphical user interface for configuring, managing,
and monitoring the ACE.
This preface contains the following major sections:
• Audience
• How to Use This Guide
• Related Documentation
• Symbols and Conventions
• Obtaining Documentation, Obtaining Support, and Security Guidelines
• Open Source License Acknowledgements
Preface
xvi
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Audience
This guide is intended for the following trained and qualified service personnel
who are responsible for configuring the ACE:
• System administrator
• System operator
How to Use This Guide
This guide is organized as follows:
Chapter Description
Chapter 1, Setting Up
the ACE
Describes how to configure basic settings on the ACE,
incl
uding topics such as how to session and log in to
the ACE, change the administrative username and
password, assign a name to the ACE, configure a
message-of-the-day banner, configure date and time,
configure terminal settings, modify the boot
configuration, and restart the ACE.
Chapter 2, Enabling
Remote Access to the
ACE
Describes how to configure remote access to the Cisco
47
00 Series Application Control Engine (ACE)
appliance by establishing a remote connection using
the Secure Shell (SSH) or Telnet protocols. It also
describes how to configure the ACE to provide direct
access to a user context from SSH. This chapter also
covers how to configure the ACE to receive ICMP
messages from a host.
Chapter 3, Managing
ACE Software
Licenses
Describes how to manage the softw
are licenses for
your ACE.
Chapter 4, Configuring
Class Maps and Policy
Maps
Describes how to configure class maps and policy
maps to pro
vide a global level of classification for
filtering traffic received by or passing through the
ACE.
xvii
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Preface
Chapter 5, Managing
the ACE Software
Describes how to save and download configuration
files, use the file system, view and copy core dumps,
capture and copy packet information, use the
configuration checkpoint and rollback service, display
configuration information, and display technical
support information.
Chapter 6, Viewing
ACE Hardware and
Software
Configuration
Information
Describes how to display ACE hardware and software
co
nfiguration information, and display technical
support information.
Chapter 7, Configuring
Redundant ACE
Appliances
Describes how to configure the ACE for redundancy,
wh
ich provides fault tolerance for the stateful failover
of flows.
Chapter 8, Configuring
SNMP
Describes how to configure Simple Network
Manag
ement Protocol (SNMP) to query the ACE for
Cisco Management Information Bases (MIBs) and to
send event notifications to a network management
system (NMS).
Chapter 9, Configuring
the XML Interface
Describes how to provide a mechanism using XML to
transfer
, configure, and monitor objects in the ACE.
This XML capability allows you to easily shape or
extend the CLI query and reply data in XML format to
meet different specific business needs.
Appendix A,
Upgrading Your ACE
Software
Describes how to upgrade the software on your ACE.
Chapter Description
Preface
xviii
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Related Documentation
In addition to this document, the ACE documentation set includes the following:
Document Title Description
Release Note for the Cisco
47
00 Series Application
Control Engine Appliance
Provides information about operating
considerations, caveats, and command-line
interface (CLI) commands for the ACE.
Cisco Application Control
Engi
ne Appliance
Hardware Installation
Guide
Provides information for
installing the ACE
appliance.
Regulatory Compliance
an
d Safety Information for
the Cisco Application
Control Engine Appliance
Regulatory compliance and safety information for
the A
CE appliance.
Cisco ACE 4700 Series
Appl
ication Control
Engine Appliance CLI
Quick Configuration Note
Describes how to use the ACE CLI to perform the
i
nitial setup and VIP load-balancing configuration
tasks.
Cisco 4700 Series
Appl
ication Control
Engine Appliance Device
Manager GUI Quick
Configuration Note
Describes how to use the ACE Device Manager
GUI to
perform the initial setup and VIP
load-balancing configuration tasks.
Cisco 4700 Series
Appl
ication Control
Engine Appliance
Virtualization
Configuration Guide
Describes how to operate your ACE in a single
co
ntext or in multiple contexts.
xix
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Preface
Cisco 4700 Series
Application Control
Engine Appliance Routing
and Bridging
Configuration Guide
Describes how to perform the following routing
a
nd bridging tasks on the ACE:
• Configuring Ethernet ports
• Configuring VLAN interfaces
• Configuring routing
• Configuring bridging
• Configuring Dynamic Host Configuration
Protocol (DHCP)
Cisco 4700 Series
Appl
ication Control
Engine Appliance Server
Load-Balancing
Configuration Guide
Describes how to configure the following server
load-balancing tasks on the A
CE:
• Real servers and server farms
• Class maps and policy maps to load-balance
traffic to real servers in server farms
• Server health monitoring (probes)
• Stickiness
• Firewall load balancing
• TCL scripts
Cisco 4700 Series
Appl
ication Control
Engine Appliance
Application Acceleration
and Optimization
Configuration Guide
Describes the configuration of the application
a
cceleration and optimization features of the ACE.
It also provides an overview and description of
those features.
Document Title Description
Preface
xx
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Cisco 4700 Series
Application Control
Engine Appliance Security
Configuration Guide
Describes how to perform fo
llowing ACE security
configuration tasks:
• Security access control lists (ACLs)
• User authentication and accounting using a
Terminal Access Controller Access Control
System Plus (TACACS+), Remote
Authentication Dial-In User Service
(RADIUS), or Lightweight Directory Access
Protocol (LDAP) server
• Application protocol and HTTP deep packet
inspection
• TCP/IP normalization and termination
parameters
• Network address translation (NAT)
Cisco 4700 Series
Appl
ication Control
Engine Appliance SSL
Configuration Guide
Describes how to configure the following Secure
Sock
ets Layer (SSL) tasks on the ACE:
• SSL certificates and keys
• SSL initiation
• SSL termination
• End-to-end SSL
Cisco 4700 Series
Appl
ication Control
Engine Appliance System
Message Guide
Describes how to configure system message
log
ging on the ACE. This guide also lists and
describes the system log (syslog) messages generated
by the ACE.
Cisco 4700 Series
Appl
ication Control
Engine Appliance
Command Reference
Provides an alphabetical list and descriptions of all
CLI com
mands by mode, including syntax,
options, and related commands.
Document Title Description
xxi
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Preface
Symbols and Conventions
This publication uses the following conventions:
Cisco 4700 Series
Appl
ication Control
Engine Appliance Device
Manager Configuration
Guide
Describes how to use the Device Manager GUI,
wh
ich resides in flash memory on the ACE, to
provide a browser-based interface for configuring
and managing the appliance.
Cisco CSS-to-ACE
Co
nversion Tool User
Guide
Describes how to use the CSS-to-ACE conversion
tool to migrate Cisco Content Services Switches
(CSS) running-configuration or
startup-configuration files to the ACE.
Document Title Description
Convention Description
boldface font Commands, command options, and keywords are in
bol
dface. Bold text also indicates a command in a
paragraph.
italic f
ont Arguments for which you supply values are in italics.
Italic text also indicates the first occurrence of a new
term, book title, emphasized text.
{ } Encloses required arguments and keywords.
[ ] Encloses optional arguments and keywords.
{x | y | z} Required alternative keywords are grouped in braces and
se
parated by vertical bars.
[x | y | z] Optional alternative keywords are grouped in brackets
an
d separated by vertical bars.
string A nonquoted set of characters. Do not use quotation
marks arou
nd the string or the string will include the
quotation marks.
screen font Terminal sessions and information the system displays
are in
screen font.
Preface
xxii
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Notes use the following conventions:
Note Means reader take note. Notes contain helpful suggestions or references to
material not covered in the publication.
Cautions use the following conventions:
Caution Means reader be careful. In this situation, you might do something that could
result in equipment damage or loss of data.
Warnings use the following conventions:
Warning
Means possible physical harm or equipment damage. A warning describes an
action that could cause you physical harm or damage the equipment.
For additional information about CLI syntax formatting, see the Cisco 4700
Series Application Control Engine Appliance Command Reference.
boldface screen
font
Information you must enter in a command line is in
boldface screen font.
italic screen font Arguments for which you supply values are in i
talic
screen font.
^ The symbol ^ represents the k
ey labeled Control—for
example, the key combination ^D in a screen display
means hold down the Control key while you press the D
key.
< > Nonprinting characters, such as passwords are in angle
brack
ets.
Convention Description
xxiii
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Preface
Obtaining Documentation, Obtaining Support, and
Security Guidelines
For information on obtaining documentation, obtaining support, providing
documentation feedback, security guidelines, and also recommended aliases and
general Cisco documents, see the monthly What’
s New in Cisco Product
Documentation, which also lists all new and revised Cisco technical
d
ocumentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Open Source License Acknowledgements
The following acknowledgements pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
.
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the
OpenSSL License and the original SSLeay license apply to the toolkit. See below
for the actual license texts. Actually both licenses are BSD-style Open Source
licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
© 1998-1999 The OpenSSL Project. All rights reserved.
Preface
xxiv
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions, and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must
display the following acknowledgment: “This product includes software
developed by the OpenSSL Project for use in the OpenSSL Toolkit.
(http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to
endorse or promote products derived from this software without prior written
permission. For written permission, please contact
openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may
“OpenSSL” appear in their names without prior written permission of the
OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following
acknowledgment:
“This product includes software developed by the OpenSSL Project for use in
t
he OpenSSL Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE
OpenSSL PROJECT “AS IS”' AND
ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
xxv
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Preface
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim Hudson
(tjh@cryptsoft.com).
Original SSLeay License:
© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young
(eay@cryptsoft.com)
.
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and
non-commercial use as long as the
following conditions are adhered to. The following conditions apply to all code
found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the
SSL code. The SSL documentation included with this distribution is covered by
the same copyright terms except that the holder is Tim Hudson
(tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code
are
not to be removed. If this package is used in a product, Eric Young should be
given attribution as the author of the parts of the library used. This can be in the
form of a textual message at program startup or in documentation (online or
textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification,
are permi
tted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must
display the following acknowledgement:
“This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
”.
The word ‘cryptographic’ can be left out if the routines from the library being
us
ed are not cryptography-related.
Preface
xxvi
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
4. If you include any Windows specific code (or a derivative thereof) from the
apps directory (application code) you must include an acknowledgement:
“This product includes software written by Tim Hudson
(tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY
EXPRESS OR IMPLIED W
ARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative
of this c
ode cannot be changed. i.e. this code cannot simply be copied and put
under another distribution license [including the GNU Public License].
1-1
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
CHAPTER
1
Setting Up the ACE
This chapter describes how to initially configure basic settings on the Cisco 4700
Series Application Control Engine (ACE) appliance. It includes the following
major sections:
• Establishing a Console Connection on the ACE
• Using the Setup Script to Enable Connectivity to the Device Manager
• Connecting and Logging into the ACE
• Changing the Administrative Password
• Assigning a Name to the ACE
• Configuring an ACE Inactivity Timeout
• Configuring a Message-of-the-Day Banner
• Configuring the Time, Date, and Time Zone
• Synchronizing the ACE with an NTP Server
• Configuring Terminal Settings
• Modifying the Boot Configuration
• Restarting the ACE
• Shutting Down the ACE
For details on assigning VLANs to the ACE, configuring VLAN interfaces on the
A
CE, and configuring a default or static route on the ACE, see the Cisco 4700
Series Application Control Engine Appliance Routing and Bridging
Configuration Guide.
Chapter 1 Setting Up the ACE
Establishing a Console Connection on the ACE
1-2
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Establishing a Console Connection on the ACE
You establish a direct serial connection between your terminal or a PC and the
ACE by making a serial connection to the console port on the rear panel of the
ACE. The ACE has one standard RS-232 serial port found on the rear panel that
operates as the console port. The integrated serial port uses a 9-pin male D-shell
connector. Use a straight-through cable to connect the switch to a DTE device,
such as a terminal or a PC. For instructions on connecting a console cable to your
ACE appliance, see the Cisco Application Control Engine Appliance Hardware
Installation Guide.
Any device connected to this port must be capable of asynchronous transmission.
Conn
ection requires a terminal configured as 9600 baud, 8 data bits, hardware
flow control on, 1 stop bit, no parity.
Note Only the Admin context is accessible through the console port; all other contexts
can be reached through Telnet or SSH sessions.
Once connected, use any termi
nal communications application to access the ACE
CLI. The following procedure uses HyperTerminal for Windows.
To access the ACE by using a direct seria
l connection, perform the following
steps:
Step 1 Launch HyperTerminal. The Connection Description window appears.
Step 2 Enter a name for your session in the Name field.
Step 3 Click OK. The Connect To window appears.
Step 4 From the drop-down list, choose the COM port to which the device is connected.
Step 5 Click OK. The Port Properties window appears.
Step 6 Set the following port properties as follows:
• Baud Rate = 9600
• Data Bits = 8
• Hardware Flow Control = On
• Parity = none
• Stop Bits = 1
Step 7 Click OK to connect.
1-3
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
Chapter 1 Setting Up the ACE
Using the Setup Script to Enable Connectivity to the Device Manager
Step 8 Press Enter to access the CLI prompt.
switch login:
Once a session is created, choose Save As from the File menu to save the
connection description. Saving the connection description has the following two
advantages:
• The next time that you launch HyperTerminal, the session is listed as an
option under Start > Programs > A
ccessories > HyperTerminal >
Name_of_session. This option lets you reach the CLI prompt directly
without going through the configuration steps.
• You can connect your cable to a different device without configuring a new
HyperTerminal session. If you use this option, make sure that you connect to
the same port on the new device as was configured in the saved
HyperTerminal session. Otherwise, a blank screen appears without a prompt.
Using the Setup Script to Enable Connectivity to the
Device Manager
When you boot the ACE for the first time and the appliance does not detect a
startup-configuration file, a setup script appears to guide you through the process
of configuring a management VLAN on the ACE through one of its Gigabit
Ethernet ports. The primary intent of the setup script is to simplify connectivity
to the Device Manager GUI (as described in the Cisco 4700 Series Application
Control Engine Appliance Device Manager GUI Quick Configuration Guide)
.
After you specify a gigabit Ethernet port, port mode, and a management VLAN,
the setup script automatically applies the following default configuration:
• Management VLAN allocated to the specified Ethernet port.
• Extended IP access list that allows IP traffic originating from any other host
addresses.
• Traffic classification (class map and policy map) created for management
protocols HTTP, HTTPS, ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is
dedicated for connectivity with the Device Manager GUI.
• VLAN interface configured on the ACE and a policy map assigned to the
VLAN interface.
Chapter 1 Setting Up the ACE
Using the Setup Script to Enable Connectivity to the Device Manager
1-4
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
The ACE provides a default answer in brackets [ ] for each question in the setup
script. To accept a default configuration prompt, press Enter, and the ACE
accepts the setting. To skip the remaining configuration prompts, press Ctrl-C
any time during the configuration sequence.
Note The script configuration process described in this section is identical to the script
configuration process performed using the setup CLI command.
To configure the ACE from the setup script, perform the following steps:
Step 1 Ensure that you have established a direct serial connection between your terminal
or a PC and the ACE (see the “Establishing a Console Co
nnection on the ACE”
section).
Step 2 Press the power button on the front of the ACE and the boot process occurs. See
the Cisco Application Control Engine Appliance Hardware Installation Guide for
details.
Step 3 At the login prompt, log into the ACE by entering the login username and
password. By default, the username and password are admin. For example, enter:
switch login: admin
Password: admin
---- Basic System Configuration Dialog ----
This setup utility will guide you through the basic configuration of
the syste
m. Setup configures only enough connectivity to the
ACE appliance Device Manager GUI of the system.
*Note: setup is mainly used for configuring the system initially,
when no configuration is present. So setup always assumes system
defaults and not the current system configuration values.
Press Enter at anytime to skip a dialog. Use ctrl-c at anytime
to skip the remaining dialogs.
Would you like to enter the basic configuration dialog (yes/no):
Caution For software versions A1(8.0a) and higher, you must change the default Admin
password if you have not already done so. Otherwise, you will be able to log in to
the ACE only through the console port.
Loading...