free stats
Cisco 4700M Administration Manual

Cisco 4700M Administration Manual

Application control engine appliance
Hide thumbs Also See for 4700M:
Table of Contents

Advertisement

Cisco 4700 Series Application Control
Engine Appliance Administration Guide
Software Version A3(2.x)
October 2009
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-20823-01

Advertisement

Table of Contents
loading

Summary of Contents for Cisco 4700M

  • Page 1 Cisco 4700 Series Application Control Engine Appliance Administration Guide Software Version A3(2.x) October 2009 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-20823-01...
  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Setting the BOOT Environment Variable 1-28 Configuring the ACE to Bypass the Startup Configuration File During the Boot Process 1-29 Restarting the ACE 1-31 Restarting the ACE From the CLI 1-31 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 4 C H A P T E R Information about ACE Licenses Guidelines and Limitations Prerequisites Default License Feature Capabilities Managing ACE Appliance Software Licenses Tasks for Ordering an Upgrade License and Generating a Key Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 5 4-16 Displaying Files Residing On the ACE 4-18 Saving show Command Output to a File 4-19 Managing Core Dump Files 4-21 Copying Core Dumps 4-21 Clearing the Core Directory 4-22 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 6 FT VLAN Configuration Synchronization Redundancy State for Software Upgrade or Downgrade Guidelines and Limitations Default Settings Configuring Redundant ACEs Task Flow for Configuring Redundancy Configuring Redundancy Configuring an FT VLAN Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 7 Managers and Agents SNMP Manager and Agent Communication SNMP Traps and Informs SNMPv3 CLI User Management and AAA Integration CLI and SNMP User Synchronization Multiple String Index Guidelines Supported MIBs and Notifications Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 8 HTTP and HTTPS Support with the ACE HTTP Return Codes Document Type Definition Guidelines and Limitations Default Settings Configuring the XML Interface Task Flow for Configuring XML Configuring HTTP and HTTPS Management Traffic Services Cisco 4700 Series Application Control Engine Appliance Administration Guide viii OL-20823-01...
  • Page 9 Configuring the Configuration Register to Autoboot the Boot Variable A-10 Reloading the ACE A-11 Displaying Software Image Information A-11 Displaying the Boot Variable and Configuration Register A-12 Displaying the Software Version A-12 N D E X Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 10 Contents Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 11 Preface This guide provides instructions for the administration of the Cisco 4700 Series Application Control Engine (ACE) appliance. It describes how to perform administration tasks on the ACE, including initial setup, establish remote access, manage softw are licenses, configure class maps and policy maps, manage the ACE software, configure SNMP, configure redundancy, configure the XML interface, and upgrade your ACE software.
  • Page 12: How To Use This Guide

    ACE. Chapter 2, Enabling Remote Describes how to configure remote access to the Cisco 4700 Series Access to the ACE Application Control Engine (ACE) appliance by establishing a remote connection using the Secure Shell (SSH) or Telnet protocols. It also describes how to configure the ACE to provide direct access to a user context from SSH.
  • Page 13: Related Documentation

    ACE: and Bridging Configuration Guide Configuring Ethernet ports • Configuring VLAN interfaces • Configuring routing • Configuring bridging • Configuring Dynamic Host Configuration Protocol (DHCP) • Cisco 4700 Series Application Control Engine Appliance Administration Guide xiii OL-20823-01...
  • Page 14 ACE. Cisco 4700 Series Application Provides an alphabetical list and descriptions of all CLI Control Engine Appliance commands by mode, including syntax, options, and related Command Reference commands. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 15 A bulleted list indicates that the order of the list topics is unimportant. • An indented list indicates that the order of the list subtopics is unimportant. – Notes use the following conventions: Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 16 For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 17: Setting Up The Ace

    For details on configuring the GigabitEthernet ports, assigning VLANs to the ACE, configuring VLAN interfaces on the ACE, and configuring a default or static route on the ACE, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.
  • Page 18: Chapter 1 Setting Up The Ace

    Adapter—RJ45 to DB-9 male – Cable type—Rollover serial cable to connect the ACE to a DTE device – For instructions on connecting a console cable to your ACE, see the Cisco Application Control Engine Appliance Hardware Installation Guide. Default Settings Table 1-1 lists the default settings for the ACE setup parameters.
  • Page 19 ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated for connectivity with the Device Manager GUI. VLAN interface configured on the ACE and a • policy map assigned to the VLAN interface. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 20: Setting Up The Ace

    Enter a name for your session in the Name field. Step 3 Click OK. The Connect To window appears. Step 4 From the drop-down list, choose the COM port to which the device is connected. Step 5 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 21: Using The Setup Script To Enable Connectivity To The Device Manager

    This section describes how to use the setup script to simplify connectivity to the Device Manager GUI (as described in the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Quick Configuration Guide). When you boot the ACE for the first time and the appliance does not detect a startup-configuration file, a setup script appears to guide you through the process of configuring a management VLAN on the ACE through one of its Gigabit Ethernet ports.
  • Page 22 (see the “Establishing a Console Connection on the ACE” section). Press the power button on the front of the ACE and the boot process occurs. See the Cisco Application Step 2 Control Engine Appliance Hardware Installation Guide for details. At the login prompt, log into the ACE by entering the login username and password. By default, the Step 3 username and password are admin.
  • Page 23 The prompt “Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:” reappears. Enter one of the following replies: Type y to apply the appropriate configuration and save the running-configuration to the • startup-configuration file. This is the default. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 24: Connecting And Logging In To The Ace

    Chapter 2, Enabling Remote Access to the ACE. For details on configuring interfaces on the ACE, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. You can configure the ACE to provide a higher level of security for users accessing the ACE. For information about configuring user authentication for login access, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
  • Page 25: Changing Or Resetting The Administrative Password

    Changing or Resetting the Administrative Password This section describes how to change or reset the administrative password and includes the following topics: Changing the Administrative Password • Resetting the Administrator Account Password • Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 26: Changing The Administrative Password

    ACE, it reads the username and password from Flash memory. Global administrative status is assigned to the administrative username by default. For information about changing a user password, see the Cisco 4700 Series Application Control Engine Note Appliance Virtualization Configuration Guide.
  • Page 27: Resetting The Administrator Account Password

    ACE through the console port to be able to reset the password for the Admin user back to the factory-default value of admin. Restrictions Only the Admin context is accessible through the console port. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-11 OL-20823-01...
  • Page 28: Assigning A Name To The Ace

    By default, the hostname for the ACE is “switch.” Restrictions Only the Admin context is accessible through the console port. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-12 OL-20823-01...
  • Page 29: Configuring An Ace Inactivity Timeout

    ACE terminates the session. Valid entries are host1/Admin(config)# login timeout 10 from 0 to 60 minutes. A value of 0 instructs the ACE never to timeout. The default is 5 minutes. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-13 OL-20823-01...
  • Page 30: Configuring A Message-Of-The-Day Banner

    Exec mode prompt. Restrictions If you connect to the ACE by using an SSH version 1 remote access session, the message-of-the-day banner is not displayed. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-14 OL-20823-01...
  • Page 31 For multi-line input, double quotes (“) are not required for the token because the input mode is different from signal-line mode. When you operate in multi-line mode, the ACE interprets the double quote character (“) literally. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-15 OL-20823-01...
  • Page 32: Configuring The Date And Time

    (such as a radio clock or an atomic clock), see the “Synchronizing the ACE with an NTP Server” section. In this case, the NTP time server automatically sets the ACE system clock. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-16 OL-20823-01...
  • Page 33: Configuring The Time Zone

    Fri Aug 7 01:38:30 PST 2009 Configuring the Time Zone This section describes how to set the time zone of the ACE. The ACE keeps time internally in Universal Time Coordinated (UTC) offset. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-17 OL-20823-01...
  • Page 34 MST—Mountain Standard Time, as UTC –7 hours – PST—Pacific Standard Time, as UTC –8 hours – WEST—Western Europe Summer Time, as UTC + 1 hour – WST—Western Standard Time, as UTC + 8 hours – Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-18 OL-20823-01...
  • Page 35 Eastern Daylight Saving Time, as UTC – 4 hours Mountain Time, either as MST or MDT, depending on the place and time of the year Mountain Daylight Saving Time, as UTC – 6 hours Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-19 OL-20823-01...
  • Page 36: Adjusting For Daylight Saving Time

    If the starting month is after the ending month, the ACE assumes that you are located in the Southern Hemisphere. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-20 OL-20823-01...
  • Page 37 – April to 2 a.m. last Sunday Oct, + 60 min PDT—Pacific Daylight Time: 2 a.m. 1st Sunday April – to 2 a.m. last Sunday Oct, + 60 min Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-21 OL-20823-01...
  • Page 38: Synchronizing The Ace With An Ntp Server

    • Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide), and you plan to use an optional Cisco AVS 3180A Management Console with multiple ACE nodes, we strongly recommend that you synchronize the system clock of each ACE node with an NTP server. AppScope performance monitoring relies on very accurate time measurement, in the millisecond range.
  • Page 39 Examples For example, to specify multiple NTP server IP addresses and identify a preferred server, enter: host1/Admin(config)# ntp server 192.168.10.10 prefer host1/Admin(config)# ntp server 192.168.4.143 host1/Admin(config)# ntp server 192.168.5.10 Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-23 OL-20823-01...
  • Page 40: Configuring Terminal Settings

    This section describes how to specify the number of lines and the width for displaying information on a terminal during a console session. Restrictions The maximum number of displayed screen lines is 511 columns. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-24 OL-20823-01...
  • Page 41 Step 2 terminal monitor terminal. To enable the various levels of syslog messages to the terminal, Example: use the logging monitor command (see the Cisco 4700 Series host1/Admin# terminal monitor Application Control Engine Appliance System Message Guide for %ACE-7-111009: User 'admin' details).
  • Page 42: Configuring Virtual Terminal Line Settings

    Example: host1/Admin(config-line)# no session-limit (Optional) Copies the running configuration to the startup Step 4 do copy running-config startup-config configuration. Example: host1/Admin(config-line)# do copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-26 OL-20823-01...
  • Page 43: Modifying The Boot Configuration

    Detailed Steps Command Purpose Enters global configuration mode. Step 1 config Example: host1/Admin# config host1/Admin(config)# Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-27 OL-20823-01...
  • Page 44: Setting The Boot Environment Variable

    BOOT environment variable to attain the desired order or you can clear the entire BOOT environment variable and then redefine the list in the desired order. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-28...
  • Page 45: Configuring The Ace To Bypass The Startup Configuration File During The Boot Process

    For the procedure on resetting the administrator CLI account password, see the “Resetting the Note Administrator Account Password” section. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-29 OL-20823-01...
  • Page 46 If necessary, you can manually launch the setup script using the setup command in Exec mode. kernel=(hd0,1)/c4710ace-mz.A3_1_0.bin ro root=LABEL=/ auto console=ttyS0,96 00n8 quiet bigphysarea=32768 Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-30 OL-20823-01...
  • Page 47: Using The Grub Boot Loader To Specify The System Boot Image During A Reload

    Using the GRUB Boot Loader to Specify the System Boot Image During a Reload • Restarting the ACE From the CLI This section describes how to reboot the ACE directly from its CLI. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-31 OL-20823-01...
  • Page 48 Type e to edit the commands before booting. • Type c to access a command line. • If no ACE images are loaded in the Flash memory, the GNU GRUB multiboot loader appears as follows: Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-32 OL-20823-01...
  • Page 49: Shutting Down The Ace

    • Displaying NTP Statistics and Information This section describes how to instruct the ACE to display the following NTP statistics and information: NTP peer statistics • Input/output statistics • Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-33 OL-20823-01...
  • Page 50 IP address of each associated peer Serv/Peer Indication of whether the peer functions as an NTP server or NTP peer Table 1-3 describes the fields in the show ntp peers command output. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-34 OL-20823-01...
  • Page 51 Number of NTP packets received and processed by the ACE. Bad authentication Number of packets not verified as authentic. Table 1-6 describes the fields in the show ntp statistics memory command output. Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-35 OL-20823-01...
  • Page 52: Displaying Other Ace Setup Configuration Information

    Order in which the ACE may consider this server when it chooses the master. Displaying Other ACE Setup Configuration Information To display the ACE setup configuration information, use the following show commands from Exec mode: Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-36 OL-20823-01...
  • Page 53: Clearing Ntp Statistics

    Display Attributes” section). For detailed information about the fields in the output from these commands, refer to the Cisco 4700 Series Application Control Engine Appliance Command Reference. Clearing NTP Statistics To clear the NTP statistical information, use the following command from Exec mode:...
  • Page 54 Chapter 1 Setting Up the ACE Displaying or Clearing the ACE Setup Configuration and Statistics Cisco 4700 Series Application Control Engine Appliance Administration Guide 1-38 OL-20823-01...
  • Page 55: Chapter 2 Enabling Remote Access To The Ace

    C H A P T E R Enabling Remote Access to the This chapter describes how to configure remote access to the Cisco 4700 Series Application Control Engine (ACE) appliance by establishing a remote connection by using the Secure Shell (SSH) or Telnet protocols.
  • Page 56: Chapter 2 Enabling Remote Acces To The Ace

    Ability of an ACE interface to receive ICMP messages or allow ICMP messages to pass Disabled through it Status of the following match protocol command protocols: http, https, icmp, kalap-udp, Disabled snmp, ssh, telnet, and xml-https. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 57: Enabling Remote Access To The Ace

    C1 host1/C1# The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode. Step 2 host1/Admin# config Enter configuration commands, one per line.
  • Page 58: Configuring Remote Network Management Traffic Services

    Policy map—Enables remote network management access for a traffic classification that matches • the criteria listed in the class map. Service policy—Activates the policy map and attaches the traffic policy to an interface or globally • on all interfaces. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 59: Creating And Configuring A Remote Management Class Map

    Enabling Remote Access to the ACE Telnet and SSH remote access sessions are established to the ACE on a per context basis. For details on creating users and contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
  • Page 60 (Optional) Remove a Layer 3 and Layer 4 network management no class-map type management [match-all | class map from the ACE. match-any] map_name Example: host1/Admin(config)# no class-map type management match-all SSH-TELNET_ALLOW_CLASS Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 61 KAL-AP • over UDP. The configuration of the KAL-AP management access is described in the “Configuring Health Monitoring” chapter of the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. snmp—Specifies the Simple Network Management •...
  • Page 62 (Optional) Removes the description from the class map. no description text Example: host1/Admin(config-cmap-mgmt)# no description (Optional) Copies the running configuration to the startup Step 5 do copy running-config startup-config configuration. Example: ACE_1/Admin(config-cmap-mgmt))# do copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 63: Creating A Layer 3 And Layer 4 Remote Access Policy Map

    The text argument specifies the description that you want to host1/Admin(config-pmap-mgmt)# description provide. Enter an unquoted text string with a maximum of Allow Telnet access to the ACE 240 alphanumeric characters. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 64 (Optional) Remove a class map from a Lay er 3 and Layer 4 policy no class { name1 [insert-before name2 ] | map. class-default} Example: host1/Admin(config-pmap-mgmt)# no class L4_REMOTE_ACCESS_CLASS Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-10 OL-20823-01...
  • Page 65: Applying A Service Policy Globally To All Vlan Interfaces In The Same Context

    You can remove a traffic policy map from a VLAN by using either of the following methods: Individually from the last VLAN interface on which you applied the service policy • Globally from all VLAN interfaces in the same context • Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-11 OL-20823-01...
  • Page 66 VLANs associated with a context. Example: host1/Admin(config)# no service-policy input REMOTE_MGMT_ALLOW_POLICY (Optional) Copies the running configuration to the startup Step 3 do copy running-config startup-config configuration. Example: host1/Admin(config)# do copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-12 OL-20823-01...
  • Page 67: Applying A Service Policy To A Specific Vlan Interface

    Policy Globally to All VLAN Interfaces in the Same Context” section. Restrictions The ACE allows only one policy of a specific feature type to be activated on a given interface and only in the input direction. Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-13 OL-20823-01...
  • Page 68 For the policy_name argument, enter the identifier of an existing Example: policy map that is currently in service (applied to an interface). host1/Admin(config-if)# do clear service-policy REMOTE_MGMT_ALLOW_POLICY Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-14 OL-20823-01...
  • Page 69: Configuring The Maximum Number Of Telnet Management Sessions

    IP address to it, and then log into the ACE by using Telnet to connect to that IP address. This capability allows you to specify a particular context when accessing the ACE. For details on creating users and contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
  • Page 70: Configuring Ssh Management Session Parameters

    ACE by using SSH to connect to thatIP address. This capability allows you to specify a particular context when accessing the ACE. For details on creating users and contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. This section contains the following topics: Configuring Maximum Number of SSH Sessions •...
  • Page 71: Generating Ssh Host Key Pairs

    SSH versions 1 and 2. Generate the SSH host key pair according to the SSH client version used. The number of bits specified for each key pair ranges from 768 to 4096. Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-17 OL-20823-01...
  • Page 72 Step 5 do show ssh key [dsa | rsa | rsa1] or for all keys if you do not specify a key. Example: host1/Admin(config)# do show ssh key rsa Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-18 OL-20823-01...
  • Page 73: Terminating An Active User Session

    L3BmhQYQW7hkTK0oS4kVawI1VmW2kvrqoGQnLNQRMvisAXuJWKk1Ln6vWPGZZe8KoALv0GXxsOv2gk/z TDk01oCaTVw//bXJtoVRgIlWXLIP bitcount:1024 fingerprint: 8e:13:5c:3e:1a:9c:7a:ed:d0:84:eb:96:12:db:82:be ************************************** Terminating an Active User Session This section describes how to terminate an active SSH or Telnet session for the active context. Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-19 OL-20823-01...
  • Page 74: Enabling Icmp Messages To The Ace

    To allow ICMP messages to pass through the ACE, configure an ICMP ACL to permit or deny network connections based on the ICMP type (for example, echo, echo-reply, or unreachable). See the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide for details.
  • Page 75: Directly Accessing A User Context Through Ssh

    Associate an existing VLAN with the user context so that the context can receive traffic classified for it Step 2 by entering the following command: host1/Admin(config-context)# allocate-interface vlan 100 See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. Generate the SSH host key pair by entering the following command: Step 3...
  • Page 76: Displaying Remote Access Session Information

    For example, assign an IP address to the interface and reenable the interface within the context with the no shutdown command. See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. Create an SSH remote management policy and apply the associated service policy to all VLAN...
  • Page 77: Displaying Telnet Session Information

    Unique session identifier for the SSH session. Remote Host IP address and port of the remote SSH client. Active Time Time since the SSH connection request was received by the ACE. Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-23 OL-20823-01...
  • Page 78: Displaying Other Remote Access Session Information

    [context_name] Display the maximum number of enabled Telnet sessions. Only context administrators can view Telnet session information associated with a particular context. See the “Configuring the Maximum Number of Telnet Management Sessions” section. Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-24 OL-20823-01...
  • Page 79: Configuration Example For Enabling Remote Access To The Ace

    Create and configure an access control list. The sample access control list shown in this step allows Step 2 network traffic from any source. For details about configuring an access control list, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
  • Page 80 Chapter 2 Enabling Remote Access to the ACE Configuration Example for Enabling Remote Access to the ACE Cisco 4700 Series Application Control Engine Appliance Administration Guide 2-26 OL-20823-01...
  • Page 81: Chapter 3 Managing Ace Software Licenses

    C H A P T E R Managing ACE Software Licenses This chapter describes how to manage the software licenses for your Cisco Application Control Engine (ACE) module. It contains the following major sections: Information about ACE Licenses • Guidelines and Limitations •...
  • Page 82 • Start the upgrade with 1-Gbps compression license (ACE-AP-C-1000-LIC) • ACE-4710-BUN-UP3=. 7500 SSL TPS license (ACE-AP-SSL-07K-K9) • 5 virtual contexts license (ACE-AP-VIRT-5) • Application acceleration license (50 connections) • (ACE-AP-OPT-50-K9) Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 83 Upgrade from 2-Gbps to 4-Gbps throughput. Virtualization Default 1 admin/5 user contexts. ACE-AP-VIRT-020 1 admin/20 user contexts. Default 100 TPS. ACE-AP-SSL-05K-K9 5000 TPS. ACE-AP-SSL-07K-K9 7500 TPS. ACE-AP-SSL-UP1-K9 Upgrade from 5000 TPS to 7500 TPS. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 84 ACE can provide greater than 50 concurrent connections. This license increases the operating capabilities of the following features: Delta optimization • Adaptive dynamic caching • FlashForward • Dynamic Etag • Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 85: Guidelines And Limitations

    Exec mode (see the “Displaying ACE License Configurations and Statistics” section). ACE demo licenses are available through your Cisco account representative. If you need to replace the ACE, you can copy and install the license file for the license onto the •...
  • Page 86: Managing Ace Appliance Software Licenses

    Step 1 available Cisco ordering tools on cisco.com. When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct Step 2 you to the Cisco.com website. As a registered user of Cisco.com, go to this URL: http://www.cisco.com/go/license...
  • Page 87: Installing A New Or Upgrade License File

    If you allow a context license to expire, the ACE automatically removes all user contexts from the Admin running configuration and all configurations for the user contexts. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 88: Replacing A Demo License With A Permanent License

    • configured user contexts on the ACE. However, if you allow a context license to expire, the ACE automatically removes all user contexts from the Admin running configuration and all Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 89: Removing A License

    Performance throughput license removal—Table 3-4 lists the currently installed performance • throughput, the type of license on the ACE, and the remaining number of context after the license is removed. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 90 When you uninstall the software feature pack, the ACE is capable of 50 connections per second. For more information on the application acceleration and optimization capabilities of the ACE and configuring these capabilities, see the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide.
  • Page 91: Removing A Virtual Context License

    For example, to copy the Admin running configuration to an TFTP server as R-CONFIG-ADM, enter: host1/Admin# copy running-config tftp://192.168.1.2/R-CONFIG-ADM To copy the C1 user context running configuration to an TFTP server, access the C1 context and enter: host1/C1# copy running-config tftp://192.168.1.2/R-CONFIG-C1 Cisco 4700 Series Application Control Engine Appliance Administration Guide 3-11 OL-20823-01...
  • Page 92 R-CONFIG-ADM Admin running configuration from the TFTP server, enter: host1/Admin# copy tftp://192.168.1.2/R-CONFIG-ADM running-config Copy the Admin running configuration to the startup-configuration file. For example, enter: Step 7 host1/Admin# copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Administration Guide 3-12 OL-20823-01...
  • Page 93: Backing Up An Ace License File

    This section describes how retrieve an ACE license file. If you accidently remove or lose the license on the ACE, you can untar your backup license file and then reinstall it. Restrictions You must be in the Admin context to retrieve an ACE license file. Cisco 4700 Series Application Control Engine Appliance Administration Guide 3-13 OL-20823-01...
  • Page 94: Displaying Ace License Configurations And Statistics

    (Gbps). This information also provides the default number of contexts, SSL TPS, and appliance bandwidth that the ACE supports when a license is not installed. Cisco 4700 Series Application Control Engine Appliance Administration Guide 3-14 OL-20823-01...
  • Page 95 Current state of the feature (In use or Unused). Expiry Date Date when the demo license expires, as defined in the license file. If the license is permanent, this field displays Never. Comments Licensing errors, if any. Cisco 4700 Series Application Control Engine Appliance Administration Guide 3-15 OL-20823-01...
  • Page 96 Chapter 3 Managing ACE Software Licenses Displaying ACE License Configurations and Statistics Cisco 4700 Series Application Control Engine Appliance Administration Guide 3-16 OL-20823-01...
  • Page 97: Chapter 4 Managing The Ace Software

    C H A P T E R Managing the ACE Software This chapter describes how to manage the software running on the Cisco 4700 Series Application Control Engine (ACE) appliance and contains the following major sections: Saving Configuration Files •...
  • Page 98: Saving The Configuration File In Flash Memory

    (for example, running-config-ctx1, startup-config-ctx1). Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 99: Copying The Configuration File To The Disk0: File System

    Copying the Configuration File to the disk0: File System This section describes how to copy the running-configuration file or the startup-configuration file to the disk0: file system in Flash memory on the ACE. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 100: Merging The Startup-Configuration File With The Running-Configuration File

    Example: host1/Admin# copy startup-config running-config Displaying Configuration File Content To display the content of the running- and startup-configuration files, perform one of the following tasks: Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 101 Displays sticky information. • Displays the contents of the running configuration associated with the write terminal current context. The write terminal command is equivalent to the show running-config command. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 102: Clearing The Startup-Configuration File

    “Removing a License” section on page 3-9.). Crypto files—To remove crypto files, use the crypto delete filename or the crypto delete all • command (see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide). Detailed Steps Command Purpose...
  • Page 103: Copying Configuration Files From A Remote Server

    Exec mode. See the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide for details on how to use the ping and traceroute commands.
  • Page 104: Using The File System On The Ace

    • core:—Contains the core files generated after each time that the ACE becomes unresponsive. • probe:—Contains the Cisco-supplied scripts. For more information about these scripts, see the • Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. Both the Admin context and user contexts support the probe: directory.
  • Page 105 This section describes how to create a backup license for the ACE licenses in .tar format and copy it to the disk0: file system. To protect your license files, we recommend that you back up your license files to the ACE Flash memory as tar files. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 106 SFTP, or TFTP . The copy serves as a backup file for such files as the capture buffer file, core dump, ACE licenses in .tar format, running-configuration file, or startup-configuration file. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-10...
  • Page 107 Prompts you for the server information if you do not • provide the information with the command. Copies the file to the root directory of the destination file • system if you do not provide path information. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-11 OL-20823-01...
  • Page 108 This section describes how to copy an ACE software system image from Flash memory to a remote server using FTP, SFTP, or TFTP. Restrictions The copy image: command is available in the Admin context only. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-12 OL-20823-01...
  • Page 109: Uncompressing Files In The Disk0: File System

    The filename must end with a .gz extension for the file to be uncompressed using the gunzip command. The .gz extension indicates a file zipped by the gzip (GNU zip) compression utility. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-13...
  • Page 110: Untarring Files In The Disk0: File System

    The filename argument identifies the name of the .tar file in the disk0: file Example: system. You can optionally provide a path to the .tar file if it exists in host1/Admin# untar disk0:mylicenses.tar another directory in the disk0: file system. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-14 OL-20823-01...
  • Page 111: Creating A New Directory

    This section describes how to move a file between directories in the disk0: file system. If a file with the same name already exists in the destination directory, that file is overwritten by the moved file. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-15...
  • Page 112: Deleting Files

    ACE erases the file from the specified file system. To remove a directory from the ACE file system, use the rmdir command (see the “Deleting an Existing Note Directory” section). Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-16 OL-20823-01...
  • Page 113 • file system. The delete image: command is available only in the Admin context. volatile:filename—Deletes the specified file from the • volatile: file system. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-17 OL-20823-01...
  • Page 114: Displaying Files Residing On The Ace

    This • directory contains the Cisco-supplied scripts. For more information about these scripts, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. volatile:—Displays the contents of the volatile: file system.
  • Page 115: Saving Show Command Output To A File

    For example, you can enter show interface > filename at the Exec mode CLI prompt to redirect the interface configuration command output to a file created at the same directory level. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-19...
  • Page 116 FTP network server and, • optionally, a filename. sftp://[username@]server/path[/filename]—Specifies the SFTP • network server and, optionally, a filename. tftp://server[:port]/path[/filename]—Specifies the TFTP network • server and, optionally, a filename. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-20 OL-20823-01...
  • Page 117: Managing Core Dump Files

    The core: file system is available from the Admin context only. • Core dump information is for Cisco Technical Assistance Center (TAC) use only. If the ACE • becomes unresponsive, you can view the dump information in the core through the show cores command.
  • Page 118: Clearing The Core Directory

    This section describes how to clear out all of the core dumps stored in the core: file system. Restrictions You must perform this task from the Admin context only. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-22 OL-20823-01...
  • Page 119: Deleting A Core Dump File

    This section contains the following topics: Enabling the Packet Capture Function • Copying Packet Capture Buffer Information • Displaying or Clearing Packet Information • Clearing Capture Buffer Information • Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-23 OL-20823-01...
  • Page 120: Enabling The Packet Capture Function

    ACE. Prerequisites To create a capture based on an access list, the access list must already exist. For information about creating an access list, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide. Restrictions...
  • Page 121: Copying Packet Capture Buffer Information

    To capture application acceleration and optimization traffic bound for the Note optional Cisco AVS 3180A Management Station interface, use the all keyword. This keyword captures all the traffic on all interfaces. You can then transfer the packet capture file to a remote machine to be scanned for traffic that is specific to the Management Station interface.
  • Page 122: Displaying Or Clearing Packet Information

    Displays capture status information for each • packet. For all types of received packets, the console display is in tcpdump format. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-26 OL-20823-01...
  • Page 123: Clearing Capture Buffer Information

    The ACE supports a maximum of 10 checkpoints for each context. • You must perform this task in the Exec mode of the context for which you want to create a • checkpoint. Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-27 OL-20823-01...
  • Page 124: Deleting A Configuration Checkpoint

    The name argument specifies the unique identifier of the Example: checkpoint. Enter a text string with no spaces and a maximum of host1/Admin# checkpoint delete 25 alphanumeric characters. MYCHECKPOINT Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-28 OL-20823-01...
  • Page 125: Rolling Back A Running Configuration

    Table 4-1 Field Descriptions for the show checkpoint all Command Output Field Description Checkpoint Name of the checkpoint Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-29 OL-20823-01...
  • Page 126: Reformatting The Flash Memory

    Running-configuration file of each context • Core dump files of each context • Packet capture buffers of each context • SSL certificate and key pair files of each context • Cisco 4700 Series Application Control Engine Appliance Administration Guide 4-30 OL-20823-01...
  • Page 127 FTP, SFTP, or TFTP server. See the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide for details on how to use the crypto export command to export SSL certificate and key pair files to a remote FTP, SFTP, or TFTP server.
  • Page 128 Import SSL certificate files and key pair files into the associated context using by the crypto import • command (see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide). Cisco 4700 Series Application Control Engine Appliance Administration Guide...
  • Page 129: Chapter 5 Displaying Ace Hardware And Software System Information

    The show buffer, show fifo, show netio, show np, and show vnet commands display internal system-level hardware show output for use by trained Cisco personnel as an aid in debugging and troubleshooting the ACE. For background information about theose show commands, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.
  • Page 130: Displaying Hardware Information

    Version identifier of the ACE. Serial number of the ACE. Examples The following example shows the output of the show hardware command: host1/Admin # show hardware Hardware Product Number: ACE-4710-K9 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 131: Displaying Installed Software Information

    Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2009 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
  • Page 132: Displaying System Processes And Memory Resources Limits

    • details—Displays process log information for all process identifiers • pid process_id—Displays information about a specific process • identifier memory—Displays memory information about the processes • Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 133 CPU utilization as a percentage for the last 5 seconds 1 Min CPU utilization as a percentage for the last minute 5 Min CPU utilization as a percentage for the last 5 minutes Process Name of the process Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 134 Field Descriptions for the show processes memory Command Field Description Process identifier MemAlloc Total memory allocated by the process StackBase/Ptr Process stack base and current stack pointer in hex format Process Name of the process Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 135: Displaying Detailed Process Status Information And Memory Resource Limits

    Table 5-8 Field Descriptions for the show terminal internal info Command Field Description Process Information Name Name of the executable that started the process. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 136 Threads Number of threads. SigPnd Signals pending. ShdPnd Shared pending signals. SigBlk Signals blocked. SigIgn Signals ignored. SigCat Signals caught. CapInh Capability inherited privilege. CapPrm Capability privilege (processor resource manager). Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 137: Displaying System Information

    CPU and memory statistics. • skbtrack—Displays the socket buffer (network buffer) allocations in • the kernel loadable modules. uptime—Displays how long the ACE has been up and running. • Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 138 For example, if you dynamically allocate 1 GB of memory, no demand is placed on that memory until you actually start using it. The Committed_AS is an estimate of how much RAM or swap memory you would need in a worst-case scenario. Cisco 4700 Series Application Control Engine Appliance Administration Guide 5-10 OL-20823-01...
  • Page 139: Displaying Or Clearing Icmp Statistics

    Number of ICMP unreachable packets transmitted or received by the ACE TTL Expired Number of ICMP TTL-expired messages transmitted or received by the ACE Redirect Number of ICMP redirect messages transmitted or received by the ACE Cisco 4700 Series Application Control Engine Appliance Administration Guide 5-11 OL-20823-01...
  • Page 140 Source Quench Number of ICMP Source Quench messages transmitted or received by the ACE Time Stamp Number of ICMP Time Stamp (request) messages transmitted or received by the ACE Cisco 4700 Series Application Control Engine Appliance Administration Guide 5-12 OL-20823-01...
  • Page 141: Displaying Or Collecting Technical Information For Reporting Problems

    The default output of the show tech-support command includes, for example, the output of the following commands: show hardware—See the “Displaying Hardware Information” section • show interface—See the Cisco 4700 Series Application Control Engine • Appliance Routing and Bridging Configuration Guide show process—See the “Displaying General System Process Information” •...
  • Page 142 `show version` Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
  • Page 143 0 days 18 hours 59 minute(s) 49 second(s) `show clock` Tue Aug 5 10:13:57 UTC 2008 `show inventory` NAME: "chassis", DESCR: "ACE 4710 Application Control Engine Appliance" PID: ACE-4710-K9 , VID: , SN: 2061 --More-- Cisco 4700 Series Application Control Engine Appliance Administration Guide 5-15 OL-20823-01...
  • Page 144 Chapter 5 Displaying ACE Hardware and Software System Information Displaying or Collecting Technical Information for Reporting Problems Cisco 4700 Series Application Control Engine Appliance Administration Guide 5-16 OL-20823-01...
  • Page 145: Chapter 6 Configuring Redundant Aces

    C H A P T E R Configuring Redundant ACEs This chapter describes how to configure the Cisco 4700 Series Application Control Engine (ACE) appliance for redundancy, which provides fault tolerance for the stateful switchover of flows. It contains the following major sections: Information About Redundancy •...
  • Page 146: Redundancy Protocol

    (FT) groups. Each FT group consists of two members: one active context and one standby context. For more information about contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. An FT group has a unique group ID that you assign.
  • Page 147: Stateful Failover

    (context). With a single context, the ACE supports active-backup redundancy and each group member is an Admin context. For details about configuring contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
  • Page 148: Ft Vlan

    After the ACE synchronizes the redundancy configuration from the active member to the standby peer, it disables configuration mode on the standby. For information about configuring config sync, see the “Synchronizing Redundant Configurations” section. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 149: Redundancy State For Software Upgrade Or Downgrade

    To avoid MAC address conflicts, be sure that the two pools are different on the two ACEs. For more information about VMACs and MAC address pools, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.
  • Page 150: Default Settings

    Priority setting of an FT group on the active member. Priority setting of an FT group on the remote standby member. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 151: Configuring Redundant Aces

    C1 host1/C1# The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode. Step 2...
  • Page 152 Step 15 host1/Admin(config)# exit host1/Admin# copy running-config startup-config (Recommended) Verify your redundancy configuration by using the following commands in Exec mode: Step 16 host1/Admin# show running-config ft host1/Admin# show running-config interface Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 153: Configuring Redundancy

    VLAN as the only VLAN associated with the Ethernet port or to include it as part of a VLAN trunk link (see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide). Note that the ACE automatically includes the FT VLAN in the VLAN trunk link.
  • Page 154 IP address of the remote • address 192.168.12.15 255.255.255.0 peer. netmask—Subnet mask of the remote peer. Enter a subnet • mask in dotted-decimal notation. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-10 OL-20823-01...
  • Page 155: Configuring An Alias Ip Address

    The ip_address netmask arguments specify the IP address and Example: netmask for the VLAN interface. Enter the IP address and subnet host1/Admin(config-if)# alias 192.168.1.1 mask in dotted-decimal notation. 255.255.255.0 Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-11 OL-20823-01...
  • Page 156: Configuring An Ft Peer

    Associates an FT VLAN with a peer. Step 3 ft-interface vlan vlan_id The vlan_id argument specifies the identifier of an existing Example: VLAN. Enter an integer from 2 to 4094. host1/Admin(config-ft-peer) ft-interface vlan 200 Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-12 OL-20823-01...
  • Page 157 (Optional) Copies the running configuration to the startup Step 6 do copy running-config startup-config configuration. Example: host1/Admin(config-ft-peer)# do copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-13 OL-20823-01...
  • Page 158: Configuring An Ft Group

    (Optional) Removes the FT group from the configuration. no ft group group_id Example: host1/Admin(config) no ft group 1 Associates a context with an FT group. Step 3 associate-context name Example: host1/Admin(config-ft-group)# associate-context C1 Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-14 OL-20823-01...
  • Page 159 By default, host1/Admin(config-ft-group)# preempt preemption is enabled. (Optional) Disables preemption. no preempt Example: host1/Admin(config-ft-group)# no preempt Places an FT group in service. Step 8 inservice Example: host1/Admin(config-ft-group)# inservice Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-15 OL-20823-01...
  • Page 160: Modifying An Ft Group

    Specifies the hostname of a peer ACE. For details about this Step 2 peer hostname name command, see the “Assigning a Name to the ACE” section. Example: host1/Admin(config)# peer hostname ACE_2 Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-16 OL-20823-01...
  • Page 161: Specifying The Mac Address Banks For A Shared Vlan

    ACE with a shared VLAN (FT VLAN). You configure these commands to prevent MAC address conflicts between the two peer ACEs. For details about these commands, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.
  • Page 162: Forcing A Failover

    To use the ft switchover command, you must disable preemption by using the no preempt command. For information on the preempt command, see the “Configuring an FT Group” section. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-18 OL-20823-01...
  • Page 163: Synchronizing Redundant Configurations

    Dynamic config sync—Synchronizes the configuration applied to the active context to the standby • context if the peer is already up Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-19 OL-20823-01...
  • Page 164 FT group. If the ACE performs a configuration synchronization and does not find the necessary certificates and keys in the standby context, config sync fails and the standby context enters the STANDBY_COLD state. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-20 OL-20823-01...
  • Page 165: Configuring Tracking And Failure Detection

    FTP or TFTP server using the crypto export command, and then import the certificates and keys to the standby context using the crypto import command. For more information about importing and exporting certificates and keys, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide.
  • Page 166: Configuring Tracking And Failure Detection For A Host Or Gateway

    Configuring Tracking and Failure Detection for an Interface • • Configuring Tracking and Failure Detection for a Host or Gateway This section describes how to configure tracking and failure detection for a gateway or a host. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-22 OL-20823-01...
  • Page 167 If the resulting priority of the FT group on the active member is less than the priority of the FT group on the standby member, a switchover occurs. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-23 OL-20823-01...
  • Page 168 (Optional) Removes the tracking probe from the standby no peer probe name member. Example: host1/Admin(config-ft-track-host)# no peer probe TCP_PROBE1 Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-24 OL-20823-01...
  • Page 169: Configuring Tracking And Failure Detection For An Interface

    This section describes how to configure tracking and failure detection for an interface. Restrictions You cannot delete an interface if the ACE is using the interface for tracking. Also, you cannot configure the FT VLAN for tracking. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-25 OL-20823-01...
  • Page 170 The vlan_id argument is a VLAN ID of an existing VLAN con- host1/Admin(config-ft-track-intf)# peer figured on the standby member as an integer from 2 to 4094. track-interface vlan 200 Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-26 OL-20823-01...
  • Page 171: Displaying Or Clearing Redundancy Information

    Displaying or Clearing Redundancy Information This section describes how to display or clear information about redundancy and contains the following sections: Displaying Redundancy Information • Clearing Redundancy Statistics • Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-27 OL-20823-01...
  • Page 172: Displaying Redundancy Information

    In the Admin context, the optional context_name argument is the nameof a user context. If you do not enter the argument, the command uses the Admin context. In a user context, this argument is not available. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-28 OL-20823-01...
  • Page 173: Displaying Ft Group Information

    • specified FT group. brief—Displays the group ID, local state, peer state, context name, and • context ID of all the FT groups that are configured in the ACE. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-29 OL-20823-01...
  • Page 174 The active peer context receives a notification to send a snapshot of the current state information for all applications to the standby context. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-30 OL-20823-01...
  • Page 175 Bulk Sync Done for Number of “bulk synchronization done” messages received on the standby ACE during state synchronization from the ICM input connection manager module in the data plane. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-31 OL-20823-01...
  • Page 176: Displaying The Redundancy Internal Software History

    Object Name REAL ID RSERVER ID SERVERFARM ID POLICY ID STICKY GROUP ID IF ID CONTEXT ID Displaying Memory Statistics To display redundancy statistics per context, perform the following task: Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-32 OL-20823-01...
  • Page 177: Displaying Peer Information

    FSM_PEER_STATE_PEER_IPADDR—Peer IP address is missing. Waiting for the peer IP address to be configured. FSM_PEER_STATE_START_HB—Peer configuration is complete. Starting the heartbeat to see if there is a peer device. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-33 OL-20823-01...
  • Page 178 Rx Bytes Total number of bytes that the local ACE received from the peer. Rx Error Bytes Total number of error bytes that the local ACE received from the peer. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-34 OL-20823-01...
  • Page 179: Displaying Ft Statistics

    HBs. The remote peer is sending heartbeats, but not receiving any. Both peer appliances send heartbeat packets and each packet indicates whether the Note other peer has been receiving heartbeats. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-35 OL-20823-01...
  • Page 180: Displaying Ft Tracking Information

    Number of times that the remote ACE sent packets to the local ACE, but the local ACE failed Failures to receive them. Displaying FT Tracking Information To display tracking information, perform the following task: Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-36 OL-20823-01...
  • Page 181 MAINT_MODE_FULL—All contexts on the ACE become nonredundant causing their peer • contexts to become active. The ACE enters this mode just before you reboot the appliance and is used primarily when you upgrade the ACE software. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-37 OL-20823-01...
  • Page 182 Name of the context that is associated with the FT group. Context ID Identifier of the context that is associated with the FT group. Track Type Type of object being tracked. Possible values are TRACK_HOST or TRACK_INTERFACE. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-38 OL-20823-01...
  • Page 183: Clearing Redundancy Statistics

    This command clears the following transport-layer counters: Tx Packets • Tx Bytes • Rx Packets • Rx Bytes • Rx Error Bytes • For an explanation of these fields, see the “Displaying Peer Information” section. Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-39 OL-20823-01...
  • Page 184: Clearing Heartbeat Statistics

    For details, see the “Clearing the Redundancy History” section. Clearing the Redundancy History To clear the redundancy history, perform the following task in the Admin context only: Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-40 OL-20823-01...
  • Page 185: Configuration Example Of Redundancy

    8 match protocol xml-https any policy-map type management first-match L4_REMOTE-MGT_POLICY class L4_REMOTE-MGT_CLASS permit interface vlan 100 ip address 192.168.83.219 255.255.255.0 peer ip address 192.168.83.230 255.255.255.0 alias 192.168.83.200 255.255.255.0 access-group input ACL1 Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-41 OL-20823-01...
  • Page 186 1 peer 1 priority 200 associate-context Admin inservice ft track interface TRACK_VLAN100 track-interface vlan 100 peer track-interface vlan 200 priority 50 peer priority 5 ip route 0.0.0.0 0.0.0.0 192.168.83.1 Cisco 4700 Series Application Control Engine Appliance Administration Guide 6-42 OL-20823-01...
  • Page 187: Chapter 7 Configuring Snmp

    Configuring SNMP This chapter describes how to configure Simple Network Management Protocol (SNMP) to query the Cisco 4700 Series Application Control Engine (ACE) appliance for Cisco Management Information Bases (MIBs) and to send event notifications to a network management system (NMS).
  • Page 188: Managers And Agents

    (OID)=value pairs that make it easy for the NMS to identify the information that it needs when the recipient fills the request and sends back a response. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 189: Snmp Traps And Informs

    (USM) for message security and role-based access control. SNMP v3 user management can be centralized at the authentication and accounting (AAA) server level (as described in the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide). This centralized user management allows the ACE SNMP agent to use the user authentication service of an AAA server.
  • Page 190: Cli And Snmp User Synchronization

    SNMP user is created with the noAuthNoPriv security level. For information about creating a CLI user by using the username command, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. To create an SNMP user by using the snmp-server user command, see the “Configuring SNMP Users”...
  • Page 191: Supported Mibs And Notifications

    Product Name (PID)/entPhysicalVendorType ACE4710-K9 cevChassisACE4710K9 {cevChassis 610} Power Supply cevPowerSupplyAC345 {cevPowerSupply 190} CPU fan cevFanACE4710K9CpuFan {cevFan 91} DIMM fan cevFanACE4710K9DimmFan {cevFan 92} PCI fan cevFanACE4710K9PciFan {cevFan 93} Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 192 The ENTITY-SENSOR-MIB is supported only in the Admin context. The ENTITY-SENSOR-MIB is described in RFC 3433. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 193 Multiple transport end points may be associated with a particular set of SNMP parameters, or a particular transport end point may be associated with several sets of SNMP parameters. The SNMP-TARGET-MIB is described in RFC 3413. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 194 • accounting module. Configuration settings (settings for all the AAA servers • instrumented in one instance of this MIB). AAA server group configuration. • Application-to-AAA function-to-server group mapping • configuration. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 195 The cesServerFarmRserverTable and cesRserverTable tables in the CISCO-ENHANCED-SLB-MIB provide details about the data available in the show rserver command output. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 196 The CISCO-L4L7MODULE- REDUNDANCY-MIB provides details about the fault tolerance statistics available in the show ft peer, show ft group detail, and show ft stats command output. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-10 OL-20823-01...
  • Page 197 CISCO-PROCESS-MIB CISCO-PROCESS- Displays memory and process CPU utilization on Cisco devices. CAPABILITY This information should be used only as an estimate. The v alue of cpmCPUTotalPhysicalIndex will always be 1.
  • Page 198 • slbStatsReassignedConnections • CISCO-SLB-EXT-MIB CISCO-SLB-EXT- Acts as an extension to the Cisco server load-balancing MIB CAPABILITY (CISCO-SLB-MIB). It provides tables for the sticky configuration. The cslbxServerFarmStatsTable table in the CISCO-SLB-EXT-MIB provides details about the data available in the show serverfarm command output.
  • Page 199 SNMP MIB Support (continued) MIB Support Capability MIB Description CISCO-SLB-HEALTH- CISCO-SLB-HEALTH- Acts as an extension to the Cisco server load-balancing MIB MON-MIB MON-CAPABILITY (CISCO-SLB-MIB). It provides tables for the health probe configuration and statistics of the ACE. The cshMonSfarmRealProbeStatsTable and cslbxProbeCfgTable...
  • Page 200 The TCP MIB is described in RFC 4022. UDP-MIB CISCO-UDP-STD- Defines managed objects for managing implementation of the CAPABILITY User Datagram Protocol (UDP). The UDP MIB is described in RFC 4113. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-14 OL-20823-01...
  • Page 201 All tables and objects are supported. Scalar Objects: sysDescr sysName sysLocation sysContact sysObjectID sysServices sysORLastChange snmpInPkts snmpOutPkts snmpInBadVersions snmpInBadCommunityNames snmpInBadCommunityUses snmpInASNParseErrs snmpInTooBigs snmpInNoSuchNames snmpInBadValues snmpInReadOnlys snmpInGenErrs snmpInTotalReqVars snmpInTotalSetVars snmpInGetRequests snmpInGetNexts Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-15 OL-20823-01...
  • Page 202 All tables and objects are supported. Scalar Objects: snmpUnknownSecurityModels snmpInvalidMsgs snmpUnknownPDUHandlers SNMP-NOTIFICA- All tables and objects are supported. Tables: TION-MIB snmpNotifyTable snmpNotifyFilterProfileTable snmpNotifyFilterTable SNMP-TARGET-MIB Scalar Objects: Scalar Objects: snmpUnavailableContexts snmpTargetSpinLock snmpUnknownContexts Tables: snmpTargetAddrTable snmpTargetParamsTable Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-16 OL-20823-01...
  • Page 203 Objects: entPhysicalAlias entPhysicalAssetID entPhysicalMfgDate ENTITY-SENSOR-MIB entPhySensorTable All tables and objects are supported. IF-MIB Scalar Objects: Tables: ifStackTable ifNumber ifTableLastChange ifRcvAddressTable Tables: ifTestTable ifTable Objects: ifXTable ifStackLastChange Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-17 OL-20823-01...
  • Page 204 OutMsg icmpOutErrors ipSystemStatsHCOutMcastOctets icmpOutDestUnreachs ipIfStatsInMcastOctets icmpOutTimeExcds ipIfStatsHCInMcastOctets icmpOutParmProbs ipIfStatsOutMcastOctets ipIfStatsHCOutMcastOctets icmpOutSrcQuenchs icmpOutRedirects icmpOutEchos icmpOutEchoReps icmpOutTimestamps icmpOutTimestampReps icmpOutAddrMasks icmpOutAddrMaskReps IP-MIB Tables: ipAddrTable (continued) ipSystemStatsTable ipIfStatsTable icmpStatsTable icmpMsgStatsTable Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-18 OL-20823-01...
  • Page 205 Scalar Objects: Scalar Objects: udpInDatagrams udpHCInDatagrams udpNoPorts udpHCOutDatagrams udpInErrors udpOutDatagrams Tables: udpTable udpEndpointTable CISCO-PROCESS-MIB Tables: Tables: cpmProcessTable cpmProcessExtTable cpmCPUTotalTable cpmCPUThresholdTable cpmProcessExtRevTable cpmCPUHistoryTable cpmCPUProcessHistoryTable Scalar Objects: cpmCPUHistoryThreshold cpmCPUHistorySize Objects: cpmCPUInterruptMonIntervalValue Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-19 OL-20823-01...
  • Page 206 Tables: clogMsgIgnores clogServerConfigTable clogMsgDrops clogOriginIDType clogOriginID clogHistTableMaxLength clogHistMsgsFlushed Tables: clogHistoryTable CISCO-SYSTEM-MIB Scalar Objects: Scalar Objects: csyClockDateAndTime csySummerTimeStatus csyClockLostOnReboot csySummerTimeOffset csyLocationCountry csySummerTimeRecurringStart csySummerTimeRecurringEnd csyScheduledResetTime csyScheduledResetAction csyScheduledResetReason csySnmpAuthFail csySnmpAuthFailAddressType csySnmpAuthFailAddress csyNotificationsEnable Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-20 OL-20823-01...
  • Page 207 CISCO-SLB-MIB Unsupported Objects from slbStatsTable: slbStatsUnassistedSwitchingPkts (continued) slbStatsUnassistedSwitchingHCPks slbStatsAssistedSwitchingPkts slbStatsAssistedSwitchingHCPkts slbStatsZombies slbStatsHCZombies Unsupported Objects from slbServerFarmTable: slbServerFarmPredictor slbServerFarmNat slbServerFarmBindId Unsupported Objects from slbVServerInfoTable: slbVServerL4Decisions slbVServerL7Decisions slbVServerEstablishedConnections Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-21 OL-20823-01...
  • Page 208 CISCO-SLB-EXT-MIB Unsupported Objects from cslbxStatsTable: cslbxStatsServerInitConns (continued) cslbxStatsServerInitHCConns cslbxStatsCurrServerInitConns cslbxStatsFailedServerInitConns cslbxStatsNoActiveServerRejects Unsupported Objects from cslbxServerFarmTable: cslbxServerFarmClientNatPool cslbxServerFarmHttpReturnCodeMap Unsupported Objects from cslbxServerFarmStat- sTable: cslbxServerFarmNumOfTimeFailOvers cslbxServerFarmNumOfTimeBkInServs Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-22 OL-20823-01...
  • Page 209 CISCO-ENHANCED- Scalar Objects: Unsupported objects from cesServerFarmRserverT- SLB-MIB able: cesRealServerNotifEnable cesServerFarmRserverDroppedConns Tables: Tables: cesRserverTable cesRealServerProbeTable cesServerFarmRserverTable cesRserverProbeTable CISCO-IF- Tables: Tables: EXTENSION-MIB cieIfNameMappingTable cieIfPacketStatsTable cieIfInterfaceTable cieIfStatusListTable cieIfDot1qCustomEtherTypeTable cieIfUtilTable cieIfDot1dBaseMappingTable Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-23 OL-20823-01...
  • Page 210 Tables: cmVirtualContextTable cmVirtContextIfMapTable CISCO-L4L7MODULE- Tables: Scalar Objects: RESOURCE-LIMIT- ciscoL4L7ResourceClassTable clrResourceLimitReachedNotifEnabled ciscoL4L7ResourceLimitTable clrResourceRateLimitReachedNotifEnabled ciscoL4L7ResourceRateLimitTable ciscoL4L7ResourceUsage SummaryTable CISCO-AAA-SERV- Tables: Scalar Objects: ER-MIB casConfigTable casServerStateChangeEnable Tables: casStatisticsTable Unsupported Objects from casConfigTable: casPriority Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-24 OL-20823-01...
  • Page 211 Tables: clmLicenseFileContentsTable clmLicenseRequestSpinLock clmLicenseFeatureUsageTable clmLicenseRequestFeatureName clmFeatureUsageDetailsTable clmLicenseRequestAppName clmLicenseRequestCommand clmLicenseRequestCommandStatus Unsupported Objects from clmLicenseFeatureUsageTa- ble: clmLicenseGracePeriod clmLicenseEnabled CISCO-APPLICA- Tables: Unsupported Objects from caaStatTable: TION-ACCELERA- caaStatTable caaState TION- caaRequests caaLastRestartedTime caaRequestSize Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-25 OL-20823-01...
  • Page 212 Mismatches clrHAStatsPeerUpEvents clrHAStatsPeerDownEvents CISCO-SSL-PROXY- Scalar Objects: All remaining tables and objects are not supported. cspTlcFullHandShake cspTlcResumedHandShake cspS3cFullHandShake cspS3cResumedHandShake cspTlcHandShakeFailed cspTlcDataFailed cspS3cHandShakeFailed cspS3cDataFailed cspScActiveSessions cspScConnInHandShake cspScConnInDataPhase cspScConnInReneg Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-26 OL-20823-01...
  • Page 213 SLB-MIB user intervention. The notification is sent with the following varbinds: cesRealServerName • cesServerFarmRserverBackupPort • cesServerFarmName • cesServerFarmRserverAdminStatus • cesServerFarmRserverOperStatus • cesServerFarmRserverStateDescr • cesRserverIpAddressType • cesRserverIpAddress • cesServerFarmRserverDescr • Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-27 OL-20823-01...
  • Page 214 This notification is sent for situations such as ARP failures, probe failures, and so No separate cesRealServerStateChangeRev1 Note notifications are sent for each real server that listens on this rserver. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-28 OL-20823-01...
  • Page 215 Notification that the system detects that no license is installed Notify MGR-MIB for a specific feature. cmVirtContextAdded, CISCO-MODULE- Notification that you created or deleted an ACE user context, cmVirtContextRemoved VIRTUALIZATION- also referred as a virtual context. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-29 OL-20823-01...
  • Page 216: Default Settings For Snmp

    SNMP Trap Support (continued) Location of the Notification Name Notification Description cslbxServerFarmStateChange CISCO-SLB-EXT-MIB Notification that all real servers in a server farm are down and the server farm has changed state. The varbind contains the following details: cslbxServerFarmName • cslbxServerFarmState •...
  • Page 217: Configuring Snmp

    C1 host1/C1# The rest of the examples in this procedure use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode. Step 2 host1/Admin# config Enter configuration commands, one per line.
  • Page 218: Configuring Snmp Users

    You must recreate all SNMP users by using the snmp-server user command in configuration mode. For more information on the SNMPv3 engine ID, see the “Configuring an SNMPv3 Engine ID for an ACE Context” section. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-32 OL-20823-01...
  • Page 219 ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. auth—(Optional) Sets authentication parameters for the •...
  • Page 220 Network-Monitor auth sha abcd1234 (Optional) Copies the running configuration to the startup Step 3 do copy running-config startup-config configuration. Example: host1/Admin(config)# do copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-34 OL-20823-01...
  • Page 221: Defining Snmp Communities

    • this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Cisco 4700 Series Application Control Engine Appliance Administration Guide...
  • Page 222: Configuring An Snmp Contact

    Configuring an SNMP Contact This section describes how to specify the contact information for the SNMP system. Restrictions You can specify information for one contact name only. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-36 OL-20823-01...
  • Page 223: Configuring An Snmp Location

    Enter a text string with a maximum of 240 alphanumeric host1/Admin(config)# snmp-server location characters, including spaces. If the string contains more than one “Boxborough MA” word, enclose the string in quotation marks (“ ”). Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-37 OL-20823-01...
  • Page 224: Configuring Snmp Notifications

    This topic includes the following restrictions: To send notifications, you must specify at least one host to receive SNMP notifications. • The ACE supports a maximum of 10 SNMP hosts per context. • Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-38 OL-20823-01...
  • Page 225 Enables Message Digest 5 (MD5) and • Secure Hash Algorithm (SHA) packet authentication. noauth—(Optional) Specifies the noAuthNoPriv security • level. priv—(Optional) Enables Data Encryption Standard (DES) • packet encryption (privacy). Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-39 OL-20823-01...
  • Page 226: Enabling Snmp Notifications

    The snmp-server enable traps command is used with the snmp-server host command (see the “Configuring SNMP Notification Hosts” section). The snmp-server host command specifies which host receives the SNMP notifications. To send notifications, you must configure at least one SNMP server host. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-40 OL-20823-01...
  • Page 227 See the Cisco 4700 Series Application Control Engine Appliance System Message Guide for details. virtual-context—Sends virtual context (ACE user – context) change notifications. This keyword appears only in the Admin context. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-41 OL-20823-01...
  • Page 228: Enabling The Ietf Standard For Snmp Linkup And Linkdown Traps

    (as outlined in RFC 2863) rather than send the Cisco implementation of linkUp and linkDown traps to the NMS. By default, the ACE sends Cisco 4700 Series Application Control Engine Appliance Administration Guide...
  • Page 229: Unmasking The Snmp Community Name And Community Security Name Oids

    Chapter 7 Configuring SNMP Configuring SNMP the Cisco implementation of linkUp and linkDown traps to the NMS. The ACE sends the Cisco Systems IF-MIB variable bindings, which consists of ifIndex, ifAdminStatus, ifOperStatus, ifName, ifType, clogOriginID, and clogOriginIDType. The Cisco variable bindings are sent by default. To receive RFC 2863-compliant traps, you must specify Note the snmp-server trap link ietf command.
  • Page 230: Assigning A Trap-Source Interface For Snmp Traps

    SNMP trap-source vlan 50 v1 trap PDU. Enter a value from 2 to 4094 for an existing VLAN interface. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-44 OL-20823-01...
  • Page 231: Accessing Ace User Context Data Through The Admin Context Ip Address

    The following example shows how to return data for user context C1 when the Admin context has a configured community string of adminCommunity and an IP address of 10.6.252.63: snmpget -v2c -c adminCommunity@C1 10.6.252.63 udpDatagrams.0 Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-45 OL-20823-01...
  • Page 232: Accessing User Context Data When Using Snmpv3

    SNMP communities are deleted. You must recreate all SNMP users by using the snmp-server user command in configuration mode, and recreate all SNMP communities by using the snmp-server community command in configuration mode (see the “Defining SNMP Communities” section). Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-46 OL-20823-01...
  • Page 233: Configuring Snmp Management Traffic Services

    This section provides an overview on creating a class map, policy map, and service policy for SNMP access. SNMP remote access sessions are established to the ACE per context. For details on creating contexts and users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. This section contains the following topics: Creating and Configuring a Layer 3 and Layer 4 Class Map •...
  • Page 234: Creating And Configuring A Layer 3 And Layer 4 Class Map

    (Optional) Removes a Layer 3 and Layer 4 SNMP protocol no class-map type management [match-all | map_name management class map from the ACE. match-any] Example: host1/Admin(config)# no class-map type management match-all SNMP-ALLOW_CLASS Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-48 OL-20823-01...
  • Page 235 Example: host1/Admin(config-cmap-mgmt)# no match protocol snmp (Optional) Copies the running configuration to the startup Step 5 do copy running-config startup-config configuration. Example: host1/Admin(config-cmap-mgmt)# do copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-49 OL-20823-01...
  • Page 236: Creating A Layer 3 And Layer 4 Policy Map

    This command enters the policy map management configuration mode. (Optional) Removes a network traffic management policy map no policy-map type management first-match from the ACE. map_name Example: host1/Admin(config)# no policy-map type management first-match SNMP-ALLOW_POLICY Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-50 OL-20823-01...
  • Page 237 Layer 3 and Layer 4 class map to be rejected by the ACE. Example: host1/Admin(config-pmap-mgmt-c)# deny (Optional) Copies the running configuration to the startup Step 5 do copy running-config startup-config configuration. Example: host1/Admin(config-pmap-mgmt-c)# do copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-51 OL-20823-01...
  • Page 238: Applying A Service Policy Globally To All Vlan Interfaces In The Same Context

    The name can be a maximum of 40 alphanumeric characters. If you are applying the policy map globally to all of the VLANs associated with a context Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-52 OL-20823-01...
  • Page 239: Applying A Service Policy To A Specific Vlan Interface

    50 host1/Admin(config-if)# This commands enters the interface configuration mode commands for the VLAN. Specifies the VLAN IP address. Step 3 ip address address Example: host1/Admin(config-if)# ip address 172.20.1.100 255.255.0.0 Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-53 OL-20823-01...
  • Page 240 VLAN interface or globally to all VLAN interfaces in the same context. (Optional) Copies the running configuration to the startup Step 5 do copy running-config startup-config configuration. Example: host1/Admin(config-if)# do copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-54 OL-20823-01...
  • Page 241: Displaying Or Clearing Snmp And Service Policy Statistics

    Displays the IP address of the • targets for which traps or informs have been sent. user—(Optional) Displays SNMPv3 user information. • Table 7-6 describes the fields in the show snmp community command output. Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-55 OL-20823-01...
  • Page 242 Table 7-7 Field Descriptions for the show snmp community Command Output Field Description Community SNMP community name for the ACE Group/Access Access rights for the community, read-only Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-56 OL-20823-01...
  • Page 243 Table 7-11 Field Descriptions for the show snmp sessions Command Output Field Description Destination IP address of a target for which traps or informs have been sent Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-57 OL-20823-01...
  • Page 244: Displaying Snmp Service Policy Statistics

    The following examples shows how to display service policy statistics for the SNMP_MGMT_ALLOW_POLICY policy map: host1/Admin# show service-policy SNMP_MGMT_ALLOW_POLICY Status : ACTIVE Description: Allow mgmt protocols ----------------------------------------- Context Global Policy: service-policy: SNMP_MGMT_ALLOW_POLICY Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-58 OL-20823-01...
  • Page 245: Clearing Snmp Service Policy Statistics

    1 match protocol snmp source-address 192.168.0.0 255.248.0.0 2 match protocol snmp source-address 172.16.64.0 255.255.252.0 class-map type http loadbalance match-all L7_URL*_CLASS 2 match http url .* policy-map type management first-match L4_SNMP-REMOTE-MGT_POLICY class L4_REMOTE-ACCESS-LOCAL_CLASS permit Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-59 OL-20823-01...
  • Page 246 Cisco 4700 Series Application Control Engine Appliance Administration Guide 7-60 OL-20823-01...
  • Page 247: Chapter 8 Configuring The Xml Interface

    C H A P T E R Configuring the XML Interface This chapter describes how to use Extensible Markup Language (XML) to remotely configure a Cisco 4700 Series Application Control Engine (ACE) appliance from a network management station (NMS). You can transmit, exchange, and interpret data among the applications.
  • Page 248: Http And Https Support With The Ace

    POST /bin/xml_agent HTTP/1.1 Authorization: Basic VTpQ Content-Length: 95 xml_cmd=<request_xml> <interface type=”vlan” number=”80”> <access-group access-type=”input” name=”acl1”/> <ip_address address=”60.0.0.145” netmask=”255.255.255.0”/> <shutdown sense=”no"/> </interface> <show_running-config/> </request_xml> ******** Server ************** HTTP/1.1 200 OK Content-Length: 21 Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 249: Http Return Codes

    Not Found (“/xml-config” not specified) Method Not Allowed Not Acceptable Request Time-out (more than 30 seconds has passed waiting on receive) Missing Content-Length (missing or zero Content-Length field) Internal Server Error Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 250: Document Type Definition

    DTD designates an XML list that specifies precisely which elements can appear in a request, query, or response document. It also specifies the contents and attributes of the elements. A DTD can be declared inline in your XML document or as an external reference. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 251 --> <!ELEMENT rserver (description, ip_address, conn-limit, probe_rserver, weight, inservice, webhost-redirection)*> <!ATTLIST rserver sense CDATA #FIXED "no" type (redirect | host) #IMPLIED name CDATA #REQUIRED > Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 252: Guidelines And Limitations

    XML to remotely configure an ACE until you change the default www user password. See Chapter 2, Configuring Virtualization, in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for details on changing a user account password.
  • Page 253: Configuring The Xml Interface

    C1 host1/C1# The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode. Step 2 host1/Admin# config Enter configuration commands, one per line.
  • Page 254: Configuring Http And Https Management Traffic Services

    • on all interfaces. HTTP or HTTPS sessions are established to the ACE per context. For details on creating contexts and users, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. This section contains the following topics: Creating and Configuring a Class Map •...
  • Page 255 240 alphanumeric characters. description Allow HTTPS access to the ACE (Optional) Remove the description from the class map. no description Example: host1/Admin(config-cmap-mgmt)# no description Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 256 IP address of the client. • mask—Subnet mask of the client in dotted-decimal notation (for • example, 255.255.255.0). Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-10 OL-20823-01...
  • Page 257: Creating A Layer 3 And Layer 4 Policy Map

    This command enters the policy map management configuration mode. (Optional) Removes a network traffic management policy map no policy-map type management first-match from the ACE. map_name Example: host1/Admin(config)# no policy-map type management first-match MGMT_XML-HTTPS_POLICY Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-11 OL-20823-01...
  • Page 258 Denies the HTTP or HTTPS management traffic listed in the deny Layer 3 and Layer 4 class map to be received by the ACE. Example: host1/Admin(config-pmap-mgmt-c)# deny Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-12 OL-20823-01...
  • Page 259 “Applying a Service Policy to a Note Specific VLAN Interface” section. Restrictions The ACE allows only one policy of a specific feature type to be activated on an interface. Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-13 OL-20823-01...
  • Page 260: Applying A Service Policy To A Specific Vlan Interface

    Policy Globally to All VLAN Interfaces in the Same Context” section. Restrictions The ACE allows only one policy of a specific feature type to be activated on an interface. Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-14 OL-20823-01...
  • Page 261: Enabling The Display Of Raw Xml Request Show Command Output In Xml Format

    XML format. However, if you are running commands on the CLI console or you are running raw XML responses from NMS, the XML responses appear in regular CLI display format. Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-15 OL-20823-01...
  • Page 262 <status code="100" text="XML_CMD_SUCCESS"/> <xml_show_result> <xml_show_interface> <xml_interface_entry> <xml_interface> <interface_name>vlan10</interface_name> <interface_status>up</interface_status> <interface_hardware>VLAN</interface_hardware> <interface_mac> <macaddress>00:05:9a:3b:92:b1</macaddress> </interface_mac> <interface_mode>routed</interface_mode> <interface_ip> <ipaddress>10.20.105.101</ipaddress> <ipmask>255.255.255.0</ipmask> </interface_ip> <interface_ft_status>non-redundant</interface_ft_status> <interface_description> <interface_description>not set</interface_description> </interface_description> <interface_mtu>1500</interface_mtu> <interface_last_cleared>never</interface_last_cleared> <interface_alias> <ipaddress>not set</ipaddress> </interface_alias> Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-16 OL-20823-01...
  • Page 263 • status: on or off. The status keyword allows you to determine the status of the xml show command setting. Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-17 OL-20823-01...
  • Page 264: Accessing The Ace Dtd File

    Click Yes at the prompt to accept (trust) and install the signed certificate from Cisco. To install the signed certificate, do one of the following: If you are using Microsoft Internet Explorer, in the Security Alert dialog box, click View –...
  • Page 265: Displaying Or Clearing Xml Service Policy Statistics

    For the policy_name argument, enter the identifier of an existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters. Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-19 OL-20823-01...
  • Page 266: Example Of Ace Cli Command And The Xml Equivalent

    <access-list id="acl1" config-type="extended" perm-value="permit" protocol-name="ip" src-type="any" dest-type="any"/> <interface type="vlan" number="80"> <access-group type="input" name="acl1"/> <bridge-group value="1"/> <shutdown sense="no"/> </interface> <interface type="vlan" number="90"> <access-group type="input" name="acl1"/> <bridge-group value="1"/> <shutdown sense="no"/> </interface> Cisco 4700 Series Application Control Engine Appliance Administration Guide 8-20 OL-20823-01...
  • Page 267: Appendix

    A P P E N D I X Upgrading or Downgrading Your ACE Software This appendix provides information to upgrade your Cisco Application Control Engine (ACE) module. It contains the following major sections: Overview of Upgrading ACE Software • Prerequisites for Upgrading Your ACE •...
  • Page 268: A P P E N D I X A Upgrading Or Downgrading Your Ace Software

    Chapter 4, Managing the ACE Software. For information about downgrading your ACE, see the Downgrading Your ACE Software section in the Release Note for the Cisco 4700 Series Application Control Engine Appliance. Cisco 4700 Series Application Control Engine Appliance Administration Guide...
  • Page 269: Updating Your Application Protocol Inspection Configurations

    For DNS inspection, the class map must have UDP as the con figured protocol and a specific port or range of ports. For example, enter the following commands: host1/Admin(config)# class-map match-all L4_CLASS host1/Admin(config-cmap)# match port udp eq domain Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 270: Performing Software Upgrades And Downgrades

    Password: xxxxxxxx Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License.
  • Page 271 Check the MD5 checksum of the new software image on both ACEs to ensure that the new image is the Step 7 same as the image posted on Cisco.com. For example, enter: ACE-1/Admin# show file image:c6ace-t1k9-mz.A2_3_0.bin md5sum Configure ACE-1 to automatically boot from the new image. To set the boot variable and configuration...
  • Page 272 ACE-2, making ACE-2 the new standby. ACE-1 becomes the active ACE once again. Enter the show ft group detail command to verify that ACE-1 is in the ACTIVE state and ACE-2 is in Step 15 the STANDBY_HOT state. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 273: Task Flow For Downgrading The Ace Software

    ACE-1/Admin# changeto C1 ACE-1/C1# checkpoint create C1_CHECKPOINT For information about creating checkpoints and rolling back configurations, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. If necessary, enter the copy ftp, copy sftp, or the copy tftp command in Exec mode to copy the Step 6 downgrade software image to the image: directory of each ACE.
  • Page 274 This command will reboot the system Save configurations for all the contexts. Save? [yes/no]: [yes] After ACE-1 boots up, it assumes the role of standby and enters the STANDBY_HOT state (this may take several minutes). Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 275: Copying The Software Upgrade Image To The Ace

    • image copied to the ACE. If you do not enter the name argument, the ACE uses the default name of the image. Cisco 4700 Series Application Control Engine Appliance Administration Guide OL-20823-01...
  • Page 276: Configuring The Ace To Autoboot The Software Image

    Configuring the Configuration Register to Autoboot the Boot Variable This section describes how to configure the ACE to autoboot the system image identified in the boot environment variable. Cisco 4700 Series Application Control Engine Appliance Administration Guide A-10 OL-20823-01...
  • Page 277: Reloading The Ace

    Save configurations for all the contexts. Save? [yes/no]: [yes] Displaying Software Image Information This section describes how to display software image information and contains the following topics: Displaying the Boot Variable and Configuration Register • Cisco 4700 Series Application Control Engine Appliance Administration Guide A-11 OL-20823-01...
  • Page 278: Displaying The Boot Variable And Configuration Register

    Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
  • Page 279 /dev/hdb2 total: 935560 kB, used: 611564 kB, available: 276472 kB last boot reason: Unknown configuration register: kernel uptime is 0 days 21 hours 25 minute(s) 17 second(s) Cisco 4700 Series Application Control Engine Appliance Administration Guide A-13 OL-20823-01...
  • Page 280 Appendix A Upgrading or Downgrading Your ACE Software Displaying Software Image Information Cisco 4700 Series Application Control Engine Appliance Administration Guide A-14 OL-20823-01...
  • Page 281: I N D E X

    1-6, 1-9 method 1-27, A-10 password, changing CLI account 1-11 displaying 1-29 password, changing www user ignoring startup-configuration file 1-29 redundant configuration modifying 1-27 Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-1 OL-20823-01...
  • Page 282 1-27, A-10 user management of SNMP configuration synchronization clock overview daylight saving time, setting SSL certs and keys 1-20 6-19, 6-20 NTP server, sychronizing ACE system console clock 1-22 Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-2 OL-20823-01...
  • Page 283 6-35 1-20 FT tracking information time zone setting 6-36 1-17 hardware information daylight saving time setting 1-20 ICMP statistics default user 5-11 information on ACE admin 1-8, 8-6 Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-3 OL-20823-01...
  • Page 284 6-21 displaying information 6-33 fault tolerance FT tracking, displaying information 6-36 See redundancy FT VLAN 6-4, 6-9 file system copying files from remote server 4-12 copying files to directory Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-4 OL-20823-01...
  • Page 285 BOOT environment variable 3-14 1-28 generating key copying to remote server 4-12 installing copying upgrade image to ACE list of available software image information, displaying A-11 Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-5 OL-20823-01...
  • Page 286 7-41 See FT peer IETF standard, enabling 7-42 ping, enabling 2-20 options 7-42 policy map 7-41 Layer 3 and 4, for management traffic 8-11 SNMP 7-27, 7-38, 7-41 Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-6 OL-20823-01...
  • Page 287 4-12 FT group information, displaying 6-29 copying files to 4-10 FT peer, configuring 6-12 copying image to 4-12 FT peer information, displaying 6-33 loading configuration files from Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-7 OL-20823-01...
  • Page 288 ACE MIBs setting up ACE MIB table and object support 7-15 setup script notifications 7-38 configuring ACE overview Device Manager GUI, enabling connectivity policy map, creating 7-50 show command Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-8 OL-20823-01...
  • Page 289 SNMP 7-31 copying to disk0 file system upgrading ignoring 1-29 merging with running technical support information, displaying 5-13 saving to remote server Telnet updating with running configuration Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-9 OL-20823-01...
  • Page 290 DTD, accessing A-11 8-18 task flow DTD, overview user example of CLI command and XML equivalent 8-20 configuring for SNMP 7-32 HTTP and HTTPS support user context HTTP return codes Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-10 OL-20823-01...
  • Page 291 Index management traffic, configuring 2-8, 8-8 overview policy map, creating 8-11 show command output 8-15 task flow Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-11 OL-20823-01...
  • Page 292 Index Cisco 4700 Series Application Control Engine Appliance Administration Guide IN-12 OL-20823-01...

This manual is also suitable for:

4700 series

Table of Contents