cisco ace - admin guide

Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706 USAhttp://www.cisco.comTel: 408 526-4000

800 553-NETS (6387)Fax: 408 527-0883

Administration Guide, Cisco ACE Application Control EngineFor the Cisco ACE Application Control Engine Module and Cisco ACE 4700 Series Application Control Engine Appliance

Software Version A5(1.0)September 2011

Text Part Number: OL-25343-01

http://www.cisco.com

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Administration Guide, Cisco ACE Application Control Engine Copyright © 2007-2011 Cisco Systems, Inc. All rights reserved.

http://www.cisco.com/go/trademarks

Preface

This guide provides instructions for the administration of the following products:

• Cisco ACE Application Control Engine Module (ACE module) in the Catalyst 6500 series switch or Cisco 7600 series router

• Cisco ACE 4700 Series Application Control Engine Appliance (ACE appliance)

The information in this guide applies to both the ACE module and the ACE appliance unless otherwise noted.

You configure the ACE by using the following interfaces:

• The command-line interface (CLI), a line-oriented user interface that provides commands for configuring, managing, and monitoring the ACE.

• (ACE appliance only) Device Manager graphic user interface (GUI), a Web browser-based GUI interface that provides a graphical user interface for configuring, managing, and monitoring the ACE appliance.

• Cisco Application Networking Manager (ANM), a networking management application for monitoring and configuring network devices, including the ACE.

This preface contains the following major sections:

• Audience

• How to Use This Guide

• Related Documentation

• Symbols and Conventions

• Obtaining Documentation, Obtaining Support, and Security Guidelines

AudienceThis guide is intended for the following trained and qualified service personnel who are responsible for configuring the ACE:

• System administrator

• System operator

iiiAdministration Guide, Cisco ACE Application Control Engine

OL-25343-01

Preface

How to Use This GuideThis guide is organized as follows:

Chapter Description

Chapter 1, “Setting Up the ACE Module”

Describes how to configure basic settings on either the ACE module or ACE appliance, including topics such as how to session and log in to the ACE, change the administrative username and password, assign a name to the ACE, configure a message-of-the-day banner, configure the date and time, configure terminal settings, modify the boot configuration, and restart the ACE.

Chapter 2, “Setting Up the ACE Appliance”

Chapter 2, “Enabling Remote Access to the ACE”

Describes how to configure remote access to the ACE by establishing a remote connection using the Secure Shell (SSH) or Telnet protocols. It also describes how to configure the ACE to provide direct access to a user context from SSH. This chapter also covers how to configure the ACE to receive ICMP messages from a host.

Chapter 3, “Managing ACE Software Licenses”

Describes how to manage the software licenses for your ACE.

Chapter 4, “Managing the ACE Software”

Describes how to save and download configuration files, use the file system, view and copy core dumps, capture and copy packet information, use the configuration checkpoint and rollback service, display configuration information, and display technical support information.

Chapter 5, “Displaying ACE Hardware and Software System Information”

Describes how to display ACE hardware and software configuration and technical support information.

Chapter 6, “Configuring Redundant ACEs”

Describes how to configure the ACE for redundancy, which provides fault tolerance for the stateful failover of flows.

Chapter 7, “Configuring SNMP”

Describes how to configure SNMP to query the ACE for Cisco Management Information Bases (MIBs) and to send event notifications to a network management system (NMS).

Chapter 8, “Configuring the XML Interface”

Describes how to provide a mechanism using XML to transfer, configure, and monitor objects in the ACE. This XML capability allows you to easily shape or extend the CLI query and reply data in XML format to meet different specific business needs.

ivAdministration Guide, Cisco ACE Application Control Engine

OL-25343-01

Preface

Related DocumentationIn addition to this document, the ACE documentation set includes the following:

Document Title Description

Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance

(ACE appliance only) Describes how to configure the web optimization features of the ACE appliance. This guide also provides an overview and description of those features.

Cisco Application Control Engine (ACE) Configuration Examples Wiki

Provides examples of common configurations for load balancing, security, SSL, routing and bridging, virtualization, and so on.

Cisco Application Control Engine (ACE) Troubleshooting Wiki

Describes the procedures and methodology in wiki format to troubleshoot the most common problems that you may encounter during the operation of your ACE.

Command Reference, Cisco ACE Application Control Engine

Provides an alphabetical list and descriptions of all CLI commands by mode, including syntax, options, and related commands.

CSM-to-ACE Conversion Tool Guide, Cisco ACE Application Control Engine Module

(ACE module only) Describes how to use the CSM-to-ACE module conversion tool to migrate Cisco Content Switching Module (CSM) running- or startup-configuration files to the ACE.

CSS-to-ACE Conversion Tool Guide, Cisco ACE Application Control Engine

Describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services Switches (CSS) running-configuration or startup-configuration files to the ACE.

Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance

(ACE appliance only) Describes how to use the Device Manager GUI, which resides in flash memory on the ACE appliance, to provide a browser-based interface for configuring and managing the appliance.

Getting Started Guide, Cisco ACE Application Control Engine Module

(ACE module only) Describes how to perform the initial setup and configuration tasks for the ACE module.

Getting Started Guide, Cisco ACE 4700 Series Application Control Engine Appliance

(ACE appliance only) Describes how to use the ACE appliance Device Manager GUI and CLI to perform the initial setup and configuration tasks.

Hardware Installation Guide, Cisco ACE 4710 Application Control Engine Appliance

(ACE appliance only) Provides information for installing the ACE appliance.

Installation Note, Cisco ACE Application Control Engine ACE30 Module

(ACE module only) Provides information for installing the ACE module into the Catalyst 6500 series switch or a Cisco 7600 series router.

Regulatory Compliance and Safety Information, Cisco ACE 4710 Application Control Engine Appliance

(ACE appliance only) Regulatory compliance and safety information for the ACE appliance.

Release Note, Cisco ACE 4700 Series Application Control Engine Appliance

(ACE appliance only) Provides information about operating considerations, caveats, and command-line interface (CLI) commands for the ACE appliance.

vAdministration Guide, Cisco ACE Application Control Engine

OL-25343-01

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide

Preface

Release Note, Cisco ACE Application Control Engine Module

(ACE module only) Provides information about operating considerations, caveats, and command-line interface (CLI) commands for the ACE module.

Routing and Bridging Guide, Cisco ACE Application Control Engine

Describes how to perform the following routing and bridging tasks on the ACE:

• (ACE appliance only) Ethernet ports

• VLAN interfaces

• IPv6, including transitioning IPv4 networks to IPv6, IPv6 header format, IPv6 addressing, and suported protocols.

• Routing

• Bridging

• Dynamic Host Configuration Protocol (DHCP)

Security Guide, Cisco ACE Application Control Engine

Describes how to perform the following ACE security configuration tasks:

• Security access control lists (ACLs)

• User authentication and accounting using a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server

• Application protocol and HTTP deep packet inspection

• TCP/IP normalization and termination parameters

• Network Address Translation (NAT)

Server Load-Balancing Guide, Cisco ACE Application Control Engine

Describes how to configure the following server load-balancing features on the ACE:

• Real servers and server farms

• Class maps and policy maps to load balance traffic to real servers in server farms

• Server health monitoring (probes)

• Stickiness

• Dynamic workload scaling (DWS)

• Firewall load balancing

• TCL scripts

SSL Guide, Cisco ACE Application Control Engine

Describes how to configure the following Secure Sockets Layer (SSL) features on the ACE:

• SSL certificates and keys

• SSL initiation

• SSL termination

• End-to-end SSL


viAdministration Guide, Cisco ACE Application Control Engine

OL-25343-01

Preface

Symbols and ConventionsThis publication uses the following conventions:

1. A numbered list indicates that the order of the list items is important.

a. An alphabetical list indicates that the order of the secondary list items is important.

• A bulleted list indicates that the order of the list topics is unimportant.

System Message Guide, Cisco ACE Application Control Engine

Describes how to configure system message logging on the ACE. This guide also lists and describes the system log (syslog) messages generated by the ACE.

Upgrade/Downgrade Guide, Cisco ACE 4700 Series Application Control Engine Appliance

(ACE appliance only) Describes how to perform an ACE appliance software upgrade or downgrade.

User Guide, Cisco Application Networking Manager

Describes how to use Cisco Application Networking Manager (ANM), a networking management application for monitoring and configuring network devices, including the ACE.

Virtualization Guide, Cisco ACE Application Control Engine

Describes how to operate your ACE in a single context or in multiple contexts.


Convention Description

boldface font Commands, command options, and keywords are in boldface. Bold text also indicates a command in a paragraph.

italic font Arguments for which you supply values are in italics. Italic text also indicates the first occurrence of a new term, book title, emphasized text.

{ } Encloses required arguments and keywords.

[ ] Encloses optional arguments and keywords.

{x | y | z} Required alternative keywords are grouped in braces and separated by vertical bars.

[x | y | z] Optional alternative keywords are grouped in brackets and separated by vertical bars.

string A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

screen font Terminal sessions and information the system displays are in screen font.

boldface screen font

Information you must enter in a command line is in boldface screen font.

italic screen font Arguments for which you supply values are in italic screen font.

^ The symbol ^ represents the key labeled Control—for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.

< > Nonprinting characters, such as passwords are in angle brackets.

viiAdministration Guide, Cisco ACE Application Control Engine

OL-25343-01

Preface

– An indented list indicates that the order of the list subtopics is unimportant.

This document uses the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

For additional information about CLI syntax formatting, refer to the Command Reference, Cisco ACE Application Control Engine.

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

viiiAdministration Guide, Cisco ACE Application Control Engine

OL-25343-01

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

AdministOL-25343-01

C H A P T E R 1
Setting Up the ACE Module
Note The information in this chapter applies to the ACE module only. For information about setting up the ACE appliance, see the Chapter 2, “Setting Up the ACE Appliance.”

This chapter describes how to initially configure basic settings on the ACE module in the Catalyst 6500 series switches. It contains the following major sections:

• Prerequisites for Setting Up the ACE Module

• Default Settings

• Setting Up the ACE Module

• Displaying the ACE Module Setup Configuration

For details on assigning VLANs to the ACE module, configuring VLAN interfaces on the ACE module, and configuring a default or static route on the ACE module, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

Prerequisites for Setting Up the ACE ModuleSetting up the ACE module has the following requirements:

• Terminal—The terminal that you use to communicate with the ACE module must contain a terminal communications application, such as HyperTerminal for Windows, and be configured as follows:

– Asynchronous transmission

– 9600 baud

– 8 data bits

– 1 stop bit

– No parity

• Cable—The cable that connects the terminal to the ACE module must meet the following requirements:

– Serial cable with an RJ-45 connector

– Cable type—Rollover serial cable to connect the ACE to a DTE device

For instructions on connecting a console cable to your ACE, see the Installation Note, Cisco ACE Application Control Engine ACE30 Module.

1-1ration Guide, Cisco ACE Application Control Engine

Chapter 1 Setting Up the ACE ModuleDefault Settings

Default SettingsTable 1-2 lists the default settings for the ACE module setup parameters.

Setting Up the ACE ModuleThis section describes the tasks associated with setting up the ACE module and includes the following topics:

• Establishing a Console Connection on the ACE Module

• Sessioning and Logging In to the ACE Module

• Changing or Resetting the Administrative Password

• Assigning a Name to the ACE Module

• Configuring an ACE Module Inactivity Timeout

• Configuring a Message-of-the-Day Banner

• Configuring the Date and Time

• Configuring Terminal Settings

• Modifying the Boot Configuration

• Restarting the ACE Module

• Shutting Down the ACE Module

Table 1-1 Default Setup Parameters

Parameter Default

User accounts Administrator account:

username: admin / password: admin

XML interface account:

username: www: / password: admin

Host name switch

Inactivity timeout 5 minutes

Console port communication parameters • 9600 baud

• 8 data bits

• 1 stop bit

• No parity

1-2Administration Guide, Cisco ACE Application Control Engine

OL-25343-01

Chapter 1 Setting Up the ACE ModuleSetting Up the ACE Module

Establishing a Console Connection on the ACE ModuleThis section describes how to establish a direct serial connection between your terminal and the ACE module by making a serial connection to the console port on the front of the ACE module. The console port is an asynchronous RS-232 serial port with an RJ-45 connector.

Guidelines and Restrictions

Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH sessions.

Prerequisites

This setup procedure requires a properly configured terminal and cable as described in the “Prerequisites for Setting Up the ACE Module” section.

Detailed Steps

Follow these steps to access the ACE module using a direct serial connection:

Step 1 Connect the serial cable between the ACE module and the terminal and then use any terminal communications application to access the ACE module CLI. This procedure uses HyperTerminal for Windows.

Step 2 Launch HyperTerminal. The Connection Description window appears.

Step 3 Enter a name for your session in the Name field.

Step 4 Click OK. The Connect To window appears.

Step 5 From the drop-down list, choose the COM port to which the device is connected.

Step 6 Click OK. The Port Properties window appears.

Step 7 Set the following port properties:

• Baud Rate = 9600

• Data Bits = 8

• Flow Control = none

• Parity = none

• Stop Bits = 1

Step 8 Click OK to connect.

Step 9 Press Enter to access the CLI prompt.

switch login:


OL-25343-01


What to Do Next

When the login prompt displays, proceed with the following tasks:

• Once a session is created, choose Save As from the File menu to save the connection description. Saving the connection description has the following two advantages:

– The next time that you launch HyperTerminal, the session is listed as an option under Start > Programs > Accessories > HyperTerminal > Name_of_session. This option lets you reach the CLI prompt directly without going through the configuration steps.

– You can connect your cable to a different device without configuring a new HyperTerminal session. If you use this option, make sure that you connect to the same port on the new device as was configured in the saved HyperTerminal session. Otherwise, a blank screen appears without a prompt.

• See the “Sessioning and Logging In to the ACE Module” section for details on logging in and entering the configuration mode to configure the ACE.

Sessioning and Logging In to the ACE ModuleThis section describes how to connect (session) to the ACE module as the default user from either the ACE module console port or from the Catalyst 6500 series CLI. Once you connect to the ACE module as the default user, you can then log in and enter the configuration mode to configure the ACE module.

The ACE module creates two default user accounts at startup: admin and www. The admin user is the global administrator and cannot be deleted. The ACE module uses the www user account for the XML interface.

Later, when you configure interfaces and IP addresses on the ACE module itself, you can remotely access the module CLI through an ACE module interface by using the Catalyst console port or by a Telnet or SSH session. To configure remote access to the ACE module CLI, see Chapter 2, Enabling Remote Access to the ACE. For details on configuring interfaces on the ACE module, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

You can configure the ACE module to provide a higher level of security for users accessing the ACE module. For information about configuring user authentication for login access, see the Security Guide, Cisco ACE Application Control Engine.


Only the Admin context is accessible through the console port; all other contexts can be reached through a Telnet or SSH remote access session.

Detailed Steps

Follow these steps to session into the ACE module and access configuration mode to perform the initial configuration:

Step 1 Access the ACE module through one of the following methods:

• If you choose to access the ACE module directly by its console port, attach a terminal to the asynchronous RS-232 serial port on the front of the module. Any device connected to this port must be capable of asynchronous transmission. The connection requires a terminal configured as 9600 baud, 8 data bits, 1 stop bit, no parity. See the “Establishing a Console Connection on the ACE Module” section.


OL-25343-01


• If you choose to session into ACE module, after the module successfully boots enter the session command from the Catalyst CLI to Telnet to the module:

Cat6k-switch# session slot mod_num processor 0

The mod_num argument identifies the slot number in the Catalyst 6500 series chassis where the ACE module is installed.

Note The default escape character sequence is Ctrl-^, and then x. You can also enter exit at the remote prompt to end the session.

Step 2 Log into the ACE module by entering the login username and password at the following prompt:

switch login: adminPassword: admin

By default, both the username and password are admin.

The prompt changes to the following:

host1/Admin#

To change the default login username and password, see the “Changing or Resetting the Administrative Password” section for details.

Caution You must change the default Admin password if you have not already done so. Otherwise, you will be able to log in to the ACE module only through the console port or through the supervisor engine of the Catalyst 6500 series switch or the Cisco 7600 series router. You will not be able to access the ACE module using Telnet or SSH until you change the default Admin password.

Step 3 To access configuration mode, enter:

host1/Admin# configureEnter configuration commands, one per line. End with CNTL/Z


host1/Admin(config)#

Changing or Resetting the Administrative Password This section describes how to change or reset the administrative password and includes the following topics:

• Changing the Administrative Password

• Resetting the Administrator Account Password


OL-25343-01


Changing the Administrative Password

This section describes how to change the administrative password. During the initial login process to the ACE module, you enter the default username admin and the default password admin in lowercase text. You cannot modify or delete the default administrative username; however, for security reasons, you must change the default administrative password. If you do not change the password, then security on your ACE can be compromised because the administrative username and password are configured to be the same for every ACE module shipped from Cisco Systems.

The administrative username and password are stored in Flash memory. Each time that you reboot the ACE module, it reads the username and password from Flash memory. Global administrative status is assigned to the administrative username by default.

Note For information about changing a user password, see the Virtualization Guide, Cisco ACE Application Control Engine.

Caution You must change the default Admin password if you have not already done so. Otherwise, you can log in to the ACE module only through the console port or through the supervisor engine of the Catalyst 6500 series switch or the Cisco 7600 series router.


OL-25343-01


Detailed Steps

Resetting the Administrator Account Password

This section describes how recover the admin password during the initial bootup sequence of the ACE module if you forget the password for the ACE module administrator account and cannot access the module. You must have access to the ACE module through the console port to be able to reset the password for the Admin user back to the factory-default value of admin.


Only the Admin context is accessible through the console port.

Command Purpose

Step 1 config

Example:host1/Admin# confighost1/Admin(config)#

Enters global configuration mode.

Step 2 username name1 [password [0 | 5] {password}]

Example:host1/Admin(config)# username admin password 0 mysecret_801

Changes the default username and password. The keywords, arguments, and options are as follows:

• name1—Sets the username that you want to assign or change. Enter admin.

• password—(Optional) Keyword that indicates that a password follows.

• 0—(Optional) Specifies a clear text password.

• 5—(Optional) Specifies an MD5-hashed strong encryption password.

• password—The password in clear text, encrypted text, or MD5 strong encryption, depending on the numbered option (0 or 5) that you enter. If you do not enter a numbered option, the password is in clear text by default. Enter a password as an unquoted text string with a maximum of 64 characters.

Note If you specify an MD5-hashed strong encryption password, the ACE considers a password to be weak if it less than eight characters in length.

The ACE supports the following special characters in a password:

, . / = + - ^ @ ! % ~ # $ * ( )

Note that the ACE encrypts clear text passwords in the running-config.

Step 3 do copy running-config startup-config

Example:host1/Admin(config)# do copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.


OL-25343-01


Detailed Steps

Follow these steps to reset the password that allows the Admin user access to the ACE module:

Step 1 Connect to the console port on the Catalyst 6500 series switch.

Step 2 Session in to the ACE module through the console port on the front panel.

Step 3 Reboot the ACE module from the Catalyst 6500 series CLI. See the “Restarting the ACE Module” section for details.

Step 4 During the bootup process, output appears on the console terminal. Press ESC when the “Waiting for 3 seconds to enter setup mode...” message appears on the terminal (see the example below). The setup mode appears. If you miss the time window, wait for the ACE module to properly complete booting, reboot the ACE module from the Catalyst 6500 series CLI, and try again to access the setup mode by pressing ESC.

IXP polling timeout interval: 120

map_pci_xram_to_uspace[149] :: mapping 4096 bytes from 0x58800000

map_pci_xram_to_uspace[149] :: mapping 4096 bytes from 0x5a800000................................................IXP's are up... <Sec 48 :Status of IXP1 7, IXP2 7>

map_pci_xram_to_uspace[149] :: mapping 102400 bytes from 0x4fd68000map_pci_xram_to_usenabling intb 57 interruptspace[149] :: mapping 102400 bytes from 0x57d68000Starting lcpfw process...inserting IPCP klmWarning: loading /itasca/klm/klm_session.klm will taint the kernel: no license See http://www.tux.org/lkml/#export-tainted for information about tainted modulesModule klm_session.klm loaded, with warningsinserting cpu_util klm create dev node as 'mknod /dev/cpu_util c 236 0'getting cpu_util dev major nummaking new cpu_util dev node

Session Agent waiting for packets .Waiting for 3 seconds to enter setup mode...Entering setup sequence...Reset Admin password [y/n] (default: n): yResetting admin password to factory default...XR Serial driver version 1.0 (2004-11-08) with no serial options enabledttyXR major device number: 235Create a dev file with 'mknod /dev/ttyXR c 235 [0-1]'cux major device number: 234Create a dev file with 'mknod /dev/cux c 234 [0-1]'ttyXR0 at 0x10c00000 (irq = 59) is a 16550AttyXR1 at 0x10c00008 (irq = 59) is a 16550ANo licenses installed...

Loading.. Please wait...Done!!!

Step 5 The setup mode prompts if you want to reset the admin password. Enter y. The “Resetting admin password to factory default” message appears. The ACE module deletes the admin user password configuration from the startup configuration and resets the password back to the factory default value of admin.


OL-25343-01


The boot process continues as normal and you are able to enter the admin password at the login prompt.

Assigning a Name to the ACE ModuleThis section describes how to specify a hostname for the ACE module or for the peer ACE module in a redundant configuration. The hostname is used to identify the ACE module and for the command-line prompts. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. By default, the hostname for the ACE module is “switch.”

Restrictions


Detailed Steps

Configuring an ACE Module Inactivity TimeoutThis section describes how to modify the length of time that can occur before the ACE module logs off an inactive user by specifying the length of time that a user session can be idle before the ACE module terminates the console, Telnet, or SSH session. By default, the inactivity timeout value is 5 minutes.


The login timeout command setting overrides the terminal session-timeout setting (see the “Configuring Terminal Display Attributes” section).

Command Purpose

Step 1 config



Step 2 hostname name

Example:host1/Admin(config)# hostname ACE1ACE1/Admin(config)#

Changes the ACE module name.

The name argument specifies a new hostname for the ACE module. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters (with no spaces). The underscore (_) character is not supported in the hostname for the ACE.

Step 3 peer hostname name

Example:ACE1/Admin(config)# peer hostname ACE2

(Optional) Changes the peer ACE module name in a redundant configuration.

The name argument specifies a new hostname for the peer ACE module. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters (with no spaces). The underscore (_) character is not supported in the hostname for the AC


Example:ACE1/Admin(config)# do copy running-config startup-config



OL-25343-01


Detailed Steps

Configuring a Message-of-the-Day BannerThis section describes how to configure a message in configuration mode to display as the message-of-the-day banner when a user connects to the ACE module. Once connected to the ACE module, the message-of-the-day banner appears, followed by the login banner and Exec mode prompt.

Detailed Steps

Command Purpose

Step 1 config



Step 2 login timeout minutes

Example:host1/Admin(config)# login timeout 10

Configures the inactivity timeout value.

The minutes argument specifies the length of time that a user can be idle before the ACE module terminates the session. Valid entries are from 0 to 60 minutes. A value of 0 instructs the ACE module never to timeout. The default is 5 minutes.

no login timeout

Example:host1/Admin(config)# no login timeout

(Optional) Restores the default timeout value of 5 minutes.




Command Purpose

Step 1 config




OL-25343-01


Step 2 banner motd text

Example:host1/Admin(config)# banner motd #Welcome to “$(hostname)”...#

Configures the message-of-the-day banner.

The text argument is a line of message text to be displayed as the message-of-the-day banner. The text string consists of all characters that follow the first space until the end of the line (carriage return or line feed).

The pound (#) character functions as the delimiting character for each line. For the banner text, spaces are allowed but tabs cannot be entered at the CLI. To instruct the ACE to display multiple lines in a message-of-the-day banner, enter a new banner motd command for each line that you want to appear.

The banner message is a maximum of 80 characters per line, up to a maximum of 3000 characters (3000 bytes) for a message-of-the-day banner. This maximum value includes all line feeds and the last delimiting character in the message.

To add multiple lines to an existing a message-of-the-day banner, precede each line by using the banner motd command. The ACE module appends each line to the end of the existing banner. If the text is empty, the ACE module adds a carriage return (CR) to the banner.

You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable. For example, enter:

• $(hostname)—Displays the hostname for the ACE module during run time.

• $(line)—Displays the tty (teletypewriter) line or name (for example, “/dev/console”, “/dev/pts/0”, or “1”).

To use the $(hostname) in a single line banner motd input, you must include double quotes (“) around the $(hostname) so that the $ is interpreted as a special character at the beginning of a variable in the single line (see the Step example).

Do not use the double quote character (“) or the percent sign character (%) as a delimiting character in a single line message string.

For multi-line input, double quotes (“) are not required for the token because the input mode is different from signal-line mode. When you operate in multi-line mode, the ACE interprets the double quote character (“) literally.

no banner motd

Example:host1/Admin(config)# no banner motd

(Optional) Replace a banner or a line in a multi-line banner.

Step 3 do show banner motd

Example:host1/Admin(config)# do show banner motd

(Optional) Display the configured banner message.

Command Purpose


OL-25343-01


Examples

The following example shows how to span multiple lines and use tokens to configure the banner message:

host1/Admin(config)# banner motd #Enter TEXT message. End with the character '#'.================================Welcome to Admin Context--------------------------------Hostname: $(hostname)Tty Line: $(line)=================================#

Configuring the Date and TimeThis section describes how to configure the time zone and daylight saving time of the ACE module for display purposes. The ACE module time and date are synchronized with the clock from the Catalyst 6500 series supervisor engine. See the Cisco 6500 Series Switch Cisco IOS Software Configuration Guide for details on setting the system clock on the switch.

This section contains the following topics:

• Configuring the Time Zone

• Adjusting for Daylight Saving Time

Configuring the Time Zone

This section describes how to set the time zone of the ACE module. The ACE module keeps time internally in Universal Time Coordinated (UTC) offset.

Detailed Steps




Command Purpose

Command Purpose

Step 1 config




OL-25343-01


Step 2 clock timezone {zone_name{+ | –} hours minutes} | {standard timezone}

Example:host1/Admin(config)# clock timezone PST -8 0

Configures the time zone of the ACE module.

The keywords, arguments, and options are as follows:

• zone_name—The 8-character name of the time zone (for example, PDT) to be displayed when the time zone is in effect. Table 1-2 lists the common time zone acronyms that you can use for the zone_name argument.

• hours—Hours offset from UTC. The range is from –23 to +23.

• minutes—Minutes offset from UTC. The range is from 0 to 59 minutes.

• standard timezone—Displays a list of well known time zones that include an applicable UTC hours offset. Available choices in the list are as follows:

– AKST—Alaska Standard Time, as UTC –9 hours

– AST—Atlantic Standard Time, as UTC –4 hours

– BST—British Summer Time, as UTC + 1 hour

– CEST—Central Europe Summer Time, as UTC + 2 hours

– CET—Central Europe Time, as UTC + 1 hour

– CST—Central Standard Time, as UTC –6 hours

– CST—Central Standard Time, as UTC + 9.5 hours

– EEST—Eastern Europe Summer Time, as UTC + 3 hours

– EET—Eastern Europe Time, as UTC + 2 hours

– EST—Eastern Standard Time, as UTC -5 hours

– GMT—Greenwich Mean Time, as UTC

– HST—Hawaiian Standard Time, as UTC –10 hours

– IST—Irish Summer Time, as UTC + 1 hour

– MSD—Moscow Summer Time, as UTC + 4 hours

– MSK—Moscow Time, as UTC + 3 hours

– MST—Mountain Standard Time, as UTC –7 hours

– PST—Pacific Standard Time, as UTC –8 hours

– WEST—Western Europe Summer Time, as UTC + 1 hour

– WST—Western Standard Time, as UTC + 8 hours

no clock timezone

Example:host1/Admin(config)# no clock timezone

(Optional) Removes the clock timezone setting.

Step 3 do show clock

Example:host1/Admin (config)# do show clockFri Aug 7 01:38:30 PST 2009

(Optional) Displays the current clock settings.

Command Purpose


OL-25343-01


Table 1-2 lists common time zone acronyms that you use when specifying the zone name using the command’s zone_name argument.




Command Purpose

Table 1-2 Common Time Zone Acronyms

Acronym Time Zone Name and UTC Offset

Europe

BST British Summer Time, as UTC + 1 hour

CET Central Europe Time, as UTC + 1 hour

CEST Central Europe Summer Time, as UTC + 2 hours

EET Eastern Europe Time, as UTC + 2 hours

EEST Eastern Europe Summer Time, as UTC + 3 hours

GMT Greenwich Mean Time, as UTC

IST Irish Summer Time, as UTC + 1 hour

MSK Moscow Time, as UTC + 3 hours

MSD Moscow Summer Time, as UTC + 4 hours

WET Western Europe Time, as UTC

WEST Western Europe Summer Time, as UTC + 1 hour

United States and Canada

AST Atlantic Standard Time, as UTC – 4 hours

ADT Atlantic Daylight Time, as UTC – 3 hours

CT Central Time, either as CST or CDT, depending on the place and time of the year

CST Central Standard Time, as UTC – 6 hours

CDT Central Daylight Saving Time, as UTC – 5 hours

ET Eastern Time, either as EST or EDT, depending on the place and time of the year

EST Eastern Standard Time, as UTC – 5 hours

EDT Eastern Daylight Saving Time, as UTC – 4 hours

MT Mountain Time, either as MST or MDT, depending on the place and time of the year

MDT Mountain Daylight Saving Time, as UTC – 6 hours

MST Mountain Standard Time, as UTC – 7 hours

PT Pacific Time, either as PST or PDT, depending on the place and time of the year

PDT Pacific Daylight Saving Time, as UTC – 7 hours

PST Pacific Standard Time, as UTC – 8 hours

AKST Alaska Standard Time, as UTC – 9 hours

AKDT Alaska Standard Daylight Saving Time, as UTC – 8 hours


OL-25343-01


Adjusting for Daylight Saving Time

This section describes how to configure the ACE module to change the time automatically to summer time (daylight saving time) by specifying when summer time begins and ends. All times are relative to the local time zone; the start time is relative to standard time and the end time is relative to summer time. If the starting month is after the ending month, the ACE module assumes that you are located in the Southern Hemisphere.

Detailed Steps

HST Hawaiian Standard Time, as UTC – 10 hours

Australia

CST Central Standard Time, as UTC + 9.5 hours

EST Eastern Standard/Summer Time, as UTC + 10 hours (+11 hours during summer time)

WST Western Standard Time, as UTC + 8 hours

Table 1-2 Common Time Zone Acronyms (continued)


Command Purpose

Step 1 config




OL-25343-01


Step 2 clock summer-time {daylight_timezone_name start_week start_day start_month start_time end_week end_day end_month end_time daylight_offset | standard timezone}

Example:host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60

Configures the ACE module to change the time automatically to summer time (daylight saving time).


• daylight_timezone_name—The eight-character name of the time zone (for example, PDT) to be displayed when summer time is in effect. See Table 1-2 for the list the common time zone acronyms used for the daylight_timezone_name argument.

• start_week end_week—The week, ranging from 1 through 5.

• start_day end_day—The day, ranging from Sunday through Saturday.

• start_month end_month—The month, ranging from January through December.

• start_time end_time—Time, in military format, specified in hours and minutes.

• daylight_offset—Number of minutes to add during the summer time. Valid entries are 1 to 1440.

• standard timezone—Displays a list of well known time zones that include an applicable daylight time start and end range along with a daylight offset. Available list choices are as follows:

– ADT—Atlantic Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– AKDT—Alaska Standard Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– CDT—Central Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– EDT—Eastern Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– MDT—Mountain Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– PDT—Pacific Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

no clock summer-time

Example:host1/Admin(config)# no clock summer-time

(Optional) Removes the clock summer-time setting.




Command Purpose


OL-25343-01


Configuring Terminal SettingsThis section describes how to access the ACE module CLI by using one of the following methods:

• Make a direct connection by using a dedicated terminal attached to the console port on the front of the ACE module.

• Establish a remote connection to the ACE module through the Catalyst 6500 series switch using the Secure Shell (SSH) or Telnet protocols.


• Configuring Terminal Display Attributes

• Configuring Console Line Settings

• Configuring Virtual Terminal Line Settings

For details on configuring remote access to the ACE CLI using SSH or Telnet, see Chapter 2, Enabling Remote Access to the ACE.


This configuration topic includes the following guidelines and restrictions:

• Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH.

• The login timeout command setting overrides the terminal session-timeout setting (see the “Configuring an ACE Module Inactivity Timeout” section).

Configuring Terminal Display Attributes

This section describes how to specify the number of lines and the width for displaying information on a terminal during a console session.


The maximum number of displayed screen lines is 511 columns.


OL-25343-01


Detailed Steps

Command Purpose

Step 1 terminal length lines

Example:host1/Admin# terminal lines 50

Specifies the number of lines for displaying information on a terminal during a console session.

The lines argument sets the number of lines displayed on the current terminal screen. This command is specific to only the console port. Telnet and SSH sessions set the length automatically. Valid entries are from 0 to 511. The default is 24 lines. A value of 0 instructs the ACE module to scroll continuously (no pausing) and overrides the terminal width value. If you later change the terminal length to any other value, the originally configured terminal width value takes effect.

Step 2 terminal monitor

Example:host1/Admin# terminal monitor%ACE-7-111009: User 'admin' executed cmd: terminal monitor

%ACE-7-111009: User 'admin' executed cmd: terminal monitor......

Starts the terminal monitor session and displays syslog output on the terminal. To enable the various levels of syslog messages to the terminal, use the logging monitor command (see the System Message Guide, Cisco ACE Application Control Engine for details).

terminal no monitor

Example:host1/Admin# terminal no monitor

(Optional) Stops the current terminal monitoring session.

Step 3 terminal session-timeout minutes

Example:host1/Admin# terminal session-timeout 600

Specifies the inactivity timeout value in minutes to configure the automatic logout time for the current terminal session on the ACE module. When inactivity exceeds the time limit configured by this command, the ACE closes the session and exits. The range is from 0 to 525600. The default value is inherited from the value that is configured for the login timeout command. If you do not configure a value for the login timeout command, the default for both commands is 5 minutes. You can set the terminal session-timeout value to 0 to disable this feature so that the terminal remains active until you choose to exit the ACE module. The ACE module does not save this change in the configuration file.

The minutes argument sets the timeout value in minutes.

Step 4 terminal terminal-type text

Example:host1/Admin# terminal terminal-type vt200

Specifies the name and type of the terminal used to access the ACE module. If a Telnet or SSH session specifies an unknown terminal type, the ACE module uses the VT100 terminal by default.

The minutes argument is the terminal type. Specify a text string from 1 to 80 alphanumeric characters.

Step 5 terminal width characters

Example:host1/Admin# terminal width 250

Specifies the width for displaying information on a terminal during a console session. This command is specific to the console port only.Telnet and SSH sessions set the width automatically.

The characters argument sets the number of characters displayed on the current terminal screen. Valid entries are from 24 to 512. The default is 80 columns.


OL-25343-01


Configuring Console Line Settings

This section describes how to use the ACE module console port to directly access the module to perform an initial configuration. The console port, which is a standard RS-232 port with an RJ-45 connector, is an asynchronous serial port; therefore, any device connected to this port must be capable of asynchronous transmission. The connection requires a terminal configured as 9600 baud, 8 data bits, 1 stop bit, no parity.

Detailed Steps

terminal no width

Example:host1/Admin# terminal no width

(Optional) Resets a terminal setting to its default value.

Step 6 show terminal

Example:host1/Admin# show terminalTTY: /dev/pts/0 Type: “vt100”Length: 25 lines, Width: 80 columnsSession Timeout: 60 minutes

(Optional) Displays the console terminal settings.

Command Purpose

Command Purpose

Step 1 config



Step 2 line console

Example:host1/Admin(config)# line consolehost1/Admin(config-console)#

Enters console configuration mode.

Step 3 databits number

Example:host1/Admin(config-console)# databits 6

Specifies the number of data bits per character. The range is from 5 to 8. The default is 8 data bits.

no databits

Example:host1/Admin(config-console)# no databits

(Optional) Resets the number of data bits per character to the default value (8).

Step 4 parity {even | none | odd}

Example:host1/Admin(config-console)# parity even

Sets the parity for the console connection. The supported choices as even (even parity), none (no parity), or odd (odd parity). The default is none.

no parity

Example:host1/Admin(config-console)# no parity

(Optional) Resets the parity for the console connection to its default value (none).


OL-25343-01


Configuring Virtual Terminal Line Settings

This section describes how to configure the virtual terminal line settings to enable remote access to the ACE module. A virtual terminal line is not associated with the console port; instead, it is a virtual port on the Catalyst 6500 series switch that allows you to access the ACE module.

Detailed Steps

Step 5 speed speed

Example:host1/Admin(config-console)# speed 19200

Sets the transmit and receive speeds for the serial console. The range is between 110 and 115200 baud (110, 150, 300, 600, 1200, 2400, 4800, 9600,19200, 28800, 38400, 57600, or 115200). The default is 9600 baud.

no speed

Example:host1/Admin(config-console)# no speed

(Optional) Resets the transmit and receive speeds for the serial console to its default value (9600).

Step 6 stopbits {1 | 2}

Example:host1/Admin(config-console)# stopbits 2

Sets the stop bits for the console connection. Valid values are 1 or 2 stop bits. The default is 1 stop bit.

no stopbits

Example:host1/Admin(config-console)# no stopbits

(Optional) Resets the stopbit setting to its default value (1).

Step 7 do show line console [connected]

Example:host1/Admin(config-console)# do show line consoleline Console: Speed: 9600 bauds Databits: 8 bits per byte Stopbits: 1 bit(s) Parity: none

(Optional) Displays the line console settings.


Example:host1/Admin(config-console)# do copy running-config startup-config


Command Purpose

Command Purpose

Step 1 config



Step 2 line vty

Example:host1/Admin(config)# line vtyhost1/Admin(config-line)#

Enters line configuration mode.


OL-25343-01


Setting the Daughter Card Network Processor for Console AccessThis section describes how to set the daughter card master or slave network processor (NP) to be directed to the base board front panel for console access. Each daughter card has two NPs designated as the master and the slave. You can specify either NP to be redirected to the base board for console access.

Detailed Steps

Modifying the Boot ConfigurationThis section describes how to control the way in which the ACE module performs its boot process through ROMMON mode. ROMMON is the ROM-resident code that starts executing as soon as you power up or reset the ACE module. Two user-configurable parameters determine how the ACE module boots: the boot field in the configuration register and the BOOT environment variable.

This section describes how to modify the boot configuration of the ACE module and contains the following topics:

• Setting the Boot Method from the Configuration Register

Step 3 session-limit number

Example:host1/Admin(config-line)# session-limit 23

Specifies the maximum number of terminal sessions per line. The range is from 1 to 251.

no session-limit number

Example:host1/Admin(config-line)# no session-limit 23

(Optional) Disables a setting for the configured virtual terminal line.


Example:host1/Admin(config-line)# do copy running-config startup-config


Step 5 Press Ctrl-z. (Optional) Returns to the Exec mode prompt.

Step 6 clear line vty_name

Example:host1/Admin# clear line vty vty1

(Optional) Closes a specified vty session.

The vty_name argument specifies the name of the VTY session. Enter a maximum of 64 characters for the name of the virtual terminal.

Command Purpose

Command Purpose

Step 1 Press Ctrl-z Enters Exec mode from any configuration mode.

Step 2 set dc dc_number console {master | slave}

Example:host1/Admin# set dc 1 console slave

Switched the console access to slave network processor

Sets the specified daughter card console access to the master or the slave network processor. The default is master.


OL-25343-01


• Setting the BOOT Environment Variable

Setting the Boot Method from the Configuration Register

This section describes how to modify the boot method that the ACE module uses at the next startup by setting the boot field in the software configuration register. The configuration register identifies how the ACE module should boot and where the system image is stored. You can modify the boot field to force the ACE module to boot a particular system image at startup instead of using the default system image.

The ROMMON code executes upon power up, reset, or when a fatal exception occurs. The ACE module enters ROMMON mode if it does not find a valid system image, if the Flash memory configuration is corrupted, or if the configuration register is set to enter ROMMON mode.

Note You can manually enter ROMMON mode by restarting the ACE module and then pressing the Break key during the first 60 seconds of startup. If you are connected to the ACE module through a terminal server, you can escape to the Telnet prompt and then enter the send break command to enter the ROMMON mode.

Restrictions

The config-register command used to change the configuration register settings affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered.

Detailed Steps

Command Purpose

Step 1 config




OL-25343-01


Setting the BOOT Environment Variable

This section describes how to add several images to the BOOT environment variable to provide a fail-safe boot configuration. The BOOT environment variable specifies a list of image files on various devices from which the ACE module can boot at startup. If the first file fails to boot the ACE module, subsequent images that are specified in the BOOT environment variable are tried until the ACE module boots or there are no additional images to attempt to boot. If there is no valid image to boot, the ACE module enters ROMMON mode where you can manually specify an image to boot.

The ACE module stores and executes images in the order in which you added them to the BOOT environment variable. If you want to change the order in which images are tried at startup, you can either prepend and clear images from the BOOT environment variable to attain the desired order or you can clear the entire BOOT environment variable and then redefine the list in the desired order.

Step 2 config-register value

Example:host1/Admin(config)# config-register 1

Sets the configuration register value ythat determines how the ACE reboots. The value argument represents the configuration register value that you want to use the next time that you restart the ACE module. The supported value entries are as follows:

• 0—Upon reboot, the ACE module boots to the rommon prompt. The ACE module remains in ROMMON mode at startup. From the ROMMON mode, you select specify the system boot image to use to boot the ACE For information about using the ROMMON mode during a reboot, see the “Restarting the ACE Module” section.

• 1—Upon reboot, the ACE module boots the system image identified in the BOOT environment variable (see the “Setting the BOOT Environment Variable” section). The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup. If the ACE encounters an error or if the image is not valid, it will try the second image (if one is specified). If the second image also fails to boot, the ACE returns to ROMMON mode.

See the “Restarting the ACE Module” section for details on booting the ACE from the rommon prompt.

no config-register 1

Example:host1/Admin(config)# no config-register 1

(Optional) Resets the config-register setting.



Copies the running configuration to the startup configuration.

Command Purpose


OL-25343-01


Detailed Steps

Using Data Path Online DiagnosticsPer CSCth10125, software release A4(1.1) introduces a new online diagnostic called TestNPLoopback that tests the control plane and the data plane of the ACE30. This test is one of several diagnostics that run automatically at bootup and it is initiated by the supervisor engine. You can also run this diagnostic and the others from the supervisor engine CLI.

Before the TestNPLoopback test can run, the supervisor sends an SCP message to the ACE to configure a special loop-back VLAN or to configure a shared memory space with the VLAN ID that the NPs can access. The VLAN exists internally between the ACE and the supervisor engine and you cannot modify it. The ACE ACKs that the test configuration is complete to the supervisor. If the ACE software does not send an ACK to the supervisor, after three failed retries, the supervisor resets the ACE.

The supervisor engine sends four specially marked diagnostic packets each with a different MAC address to the network processors (NPs) in the ACE30 daughter cards. The NPs must loop back the packets to the supervisor within 200 ms. If the supervisor does not receive the looped-back packet within the allotted time, it declares the test as failed. Upon any failure of the test, a syslog message is printed, error logs are recorded in the System Event Archive (SEA) logs, and an SCP message is sent to the ACE to indicate which NPs failed the test. The ACE decides whether to reset the module.

Command Purpose

Step 1 config



Step 2 boot system image:image_name

Example:host1/Admin(config)# boot system image:c6ace-t1k9-mz.A4_1_0.bin

Sets the BOOT environment variable.

The image_name argument specifies the name of the system image file. If the file does not exist (for example, if you entered the wrong filename), then the filename is appended to the bootstring, and this message displays, “Warning: File not found but still added in the bootstring.” If the file does exist, but is not a valid image, the file is not added to the bootstring, and this message displays, “Warning: file found but it is not a valid boot image.”

Step 3 do show bootvar

Example:host1/Admin(config)# BOOT variable = “disk0:c6ace-t1k9-mzg.A4_1_0.binConfiguration register is 0x1

(Optional) Displays the BOOT environment variable settings.





OL-25343-01


Enabling and Disabling Bootup Diagnostics

You can disable all bootup diagnostics by entering the following command from the supervisor engine in configuration mode:

c6k(config)#no diagnostic bootup level

To reenable bootup diagnostics, enter the following command:

c6k(config)#diagnostic bootup level complete | minimal

Running On-Demand Diagnostics

You can run any ACE bootup diagnostic test or all tests on demand at any time from the supervisor engine in Exec mode by entering the following command:

c6k#diagnostic start module number1 test number2 | name | all

The arguments are as follows:

• number1—The module number

• number2 | name—The number or the name of the test

Note that for each test you can enter either the test number or the test name.

To specify the number of repetitions for the on-demand tests, enter the following command:

c6k#diagnostic ondemand iterations number

For the number argument, enter an integer from 1 to 999.

To set the test parameters, enter the following command:

c6k#diagnostic ondemand test-parameter module number1 test number2 | name

Enter the module number and either the test number or the test name.

Stopping a Running Test

To stop a running diagnostic test, enter the following command in Exec mode:

c6k#diagnostic stop module number

For the number argument, enter the module number.

Health Monitoring Diagnostics

The health-monitoring diagnostics run in the background to monitor system health. You can configure the time interval between health-monitoring tests by entering the following command in configuration mode:

c6k(config)#diagnostic monitor interval module number1 {test number2 | name} hh:mm:ss


• interval—Time period between health-monitoring tests

• module number1—Module number

• test number2 | name—Number or name of the test


OL-25343-01


• hh:mm:ss—Test repeat interval in hours, minutes, and seconds

To configure the failure threshold for the health-monitoring diagnostics, enter the following command:

c6k(config)#diagnostic monitor threshold module number1 test number2 failure count number3

The keywords and arguments are as follows:

• threshold—Specifies the health-monitoring failure threshold

• module number1—Module number

• test number2 | name—Number or name of the test

• failure count number3—Number of test failures required to mark the test as failed

You can run a single health-monitoring test on demand by entering the following command:

#c6k#diagnostic start module number1 test number2 | name | all

You can disable an individual health-monitoring diagnostic or all health-monitoring diagnostics by entering the following command:

c6k(config)#no diagnostic monitor module number1 test number2 | name | all

Displaying ACE Diagnostic Failures on the Supervisor Engine

You can display all test failures from the supervisor engine by entering the following command:

c6k#show diagnostic result module number1 test number2

For each test failure, the supervisor displays a specific error code that indicates the reason for the failure. In the failure event, an SCP message is sent to notify the application about the failure. This notification allows the application to take appropriate action. For the ACE30, the CP collects core dumps on all the NPs and then resets the module.

Restarting the ACE ModuleThis section describes how to reload the ACE module directly from its CLI or reboot it by using the Catalyst 6500 series CLI. You may need to reboot the ACE module from the Catalyst CLI if you cannot reach the module through its CLI or by using an external Telnet session.


• Restarting the ACE Module from the CLI

• Restarting the ACE Module from the Catalyst CLI

• Using ROMMON to Specify the System Boot Image During a Restart

Restarting the ACE Module from the CLI

This section describes how to reboot the ACE module directly from its CLI and reload the configuration. When you reboot the ACE module, it performs a full power cycle of both the hardware and software. Any open connections with the ACE module are dropped. The reset process can take several minutes.


OL-25343-01


Caution Configuration changes that are not written to the Flash partition are lost after a reload. Before rebooting, enter the copy running-conf startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE module reverts to its previous settings upon restart.

Detailed Steps

Restarting the ACE Module from the Catalyst CLI

This section describes how to restart the ACE module from the Catalyst 6500 series CLI.


Command Purpose

Step 1 copy running-config startup-config

Example:host1/Admin# copy running-config startup-config


Step 2 reload

Example:host1/Admin# reloadThis command will reboot the systemSave configurations for all the contexts. Save? [yes/no]: [yes]

Reboots the ACE module and reloads the configuration. When you specify reload, the ACE module prompts you for confirmation and performs a cold restart of the module.

During the reload process, the ACE module performs one of the following actions:

• If you specified a value of 1 for the config-register command (see the “Setting the Boot Method from the Configuration Register” section), the ACE module boots the system image identified in the BOOT environment variable.

• If you specified a value of 0 for the config-register command, the ACE module enters the ROMMON mode and you must identify the location of an image file to boot (see the “Using ROMMON to Specify the System Boot Image During a Restart” section).


OL-25343-01


Detailed Steps

Using ROMMON to Specify the System Boot Image During a Restart

This section describes how to specify a value of 0 for the config-register command (see the “Setting the Boot Method from the Configuration Register” section) to force the ACE module to enter the ROMMON mode upon a reload or power cycle of the ACE module. The ACE module remains in ROMMON mode until you identify the location of an image file to boot.

The ACE module supports two methods of booting the ACE from the rommon prompt:

• To manually change the configuration register setting in ROMMON mode, use the confreg command followed by a value of 0 or 1.

• To change the boot characteristics using onscreen prompts, use the confreg command without a value.

To instruct the ACE module to manually boot from a particular system image, use the confreg command and specify a configuration register value of 1. Identify the name of the system image file that the ACE module uses to boot.

A confreg value of 0 instructs the ACE module to boot to the rommon prompt.

For example, to use the confreg command at the rommon prompt to instruct the ACE module to boot from the c6ace-t1k9-mz.A4_1_0.bin system image, enter: rommon 11 > confreg 1rommon 12 > BOOT=disk0:c6ace-t1k9-mz.A4_1_0.binrommon 13 > sync

Command Purpose



(Optional) Copies the running configuration to the startup configuration. Enter this command from the ACE module CLI.

Step 2 hw-module module mod_num reset

Example:Cat6k-switch# hw-module module 3 resetProceed with reload of module?[confirm] % reset issued for module 3

Restarts the ACE module from the Catalyst 6500. Enter this command from the Catalyst 6500 CLI.

The arguments and keywords are as follows:

• module mod_num—Applies the command to the ACE in the specified slot number in the Catalyst 6500 series chassis where the ACE module is installed.

• reset—Resets the specified ACE.

During the restart process, the ACE module performs one of the following actions:

• If you specified a value of 1 for the config-register command (see the “Setting the Boot Method from the Configuration Register” section), the ACE module boots the system image identified in the BOOT environment variable.

• If you specified a value of 0 for the config-register command, the ACE module enters the ROMMON mode and you must identify the location of an image file to boot (see the “Using ROMMON to Specify the System Boot Image During a Restart” section).


OL-25343-01


To instruct the ACE module to automatically boot from the image specified in the BOOT variable (see the “Setting the BOOT Environment Variable” section), use the confreg command without specifying a configuration register value to launch the Configuration Summary menu-based utility. You can then instruct the ACE module to boot from the system image identified in the BOOT environment variable (see the “Setting the BOOT Environment Variable” section).

For example, to use the confreg command to display the onscreen prompts for changing the boot characteristics of the ACE module, enter:

rommon 11 > confregConfiguration Summary(Virtual Configuration Register: 0x1)enabled are:break/abort has effectconsole baud: 9600boot: the ROM monitordo you wish to change the configuration? y/n [n]: ydisable “break/abort has effect”? y/n [n]:enable “ignore system config info”? y/n [n]:change the boot characteristics? y/n [n]: yenter to boot:0 = ROM Monitor1 = boot file specified in BOOT variable[1]: 1

For example, to use the confreg command to instruct the ACE to boot from the c6ace-t1k9-mz.A4_1_0.bin system image, enter:

rommon 11 > confregConfiguration Summary(Virtual Configuration Register: 0x1)enabled are:break/abort has effectconsole baud: 9600boot: the ROM monitordo you wish to change the configuration? y/n [n]: nrommon 12 > BOOT=disk0:c6ace-t1k9-mz.A4_1_0.binrommon 13 > sync

Shutting Down the ACE ModuleThis section describes how to shut down the ACE module from the Catalyst 6500 series CLI. To avoid corrupting the ACE module, you must correctly shut down the ACE before you disconnect the power or remove it from the Catalyst 6500 series chassis.


Caution Do not remove the ACE module from the Catalyst 6500 series switch until the ACE has shut down completely and the Status LED is orange. You can damage the ACE module if you remove it from the switch before it completely shuts down.


OL-25343-01

Chapter 1 Setting Up the ACE ModuleDisplaying the ACE Module Setup Configuration

Detailed Steps

Displaying the ACE Module Setup ConfigurationTo display the ACE module setup configuration information, use the following show commands from Exec mode:

For detailed information about the fields in the output from these commands, refer to the Command Reference, Cisco ACE Application Control Engine.

Command Purpose




Step 2 no power enable module

Example:host1/Admin# no power enable module

Shuts down the ACE.

If the ACE module fails to respond to this command, shut down the ACE by using a small, pointed object (such as a paper clip) to access the recessed Shutdown button on the front panel of the ACE module. The shutdown procedure may take several minutes. The Status LED turns off when the ACE module shuts down.

Command Purpose

show banner motd Displays the configured banner message (see the “Configuring a Message-of-the-Day Banner” section).

show bootvar Displays the BOOT environment variable settings (see the “Setting the BOOT Environment Variable” section).

show clock Displays the current clock settings (see the “Configuring the Time Zone” section).

show line console [connected] Displays the line console settings (see the “Configuring Console Line Settings” section).

show login timeout Displays the configured login time value (see the “Configuring an ACE Module Inactivity Timeout” section).

show terminal Displays the console terminal settings (see the “Configuring Terminal Display Attributes” section).


OL-25343-01

AdministOL-25343-01

C H A P T E R 2
Setting Up the ACE Appliance
Note The information in this chapter applies to the ACE appliance only. For information about setting up the ACE module, see the Chapter 1, “Setting Up the ACE Module.”

This chapter describes how to initially configure basic settings on the ACE appliance. It contains the following major sections:

• Prerequisites for Setting Up the ACE Appliance


• Setting Up the ACE Appliance

• Displaying or Clearing the ACE Appliance Setup Configuration and Statistics

For details on configuring the GigabitEthernet ports, assigning VLANs to the ACE appliance, configuring VLAN interfaces on the ACE appliance, and configuring a default or static route on the ACE appliance, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

Prerequisites for Setting Up the ACE ApplianceSetting up the ACE appliance has the following requirements:

• Terminal—The terminal that you use to communicate with the ACE appliance must contain a terminal communications application, such as HyperTerminal for Windows, and be configured as follows:

– Asynchronous transmission

– 9600 baud

– 8 data bits

– Hardware flow control

– 1 stop bit

– No parity

• Cable—The cable that connects the terminal to the ACE appliance must meet the following requirements:

– Serial cable with an RJ-45 connector

– Adapter—RJ45 to DB-9 male


Chapter 2 Setting Up the ACE ApplianceDefault Settings

– Cable type—Rollover serial cable to connect the ACE appliance to a DTE device

For instructions on connecting a console cable to your ACE appliance, see the Hardware Installation Guide, Cisco ACE 4710 Application Control Engine Appliance.

Default SettingsTable 2-2 lists the default settings for the ACE appliance setup parameters.

Setting Up the ACE ApplianceThis section describes the tasks associated with setting up the ACE appliance and includes the following topics:

• Establishing a Console Connection on the ACE Appliance

• Using the Setup Script to Enable Connectivity to the Device Manager

• Connecting and Logging In to the ACE Appliance

Table 2-1 Default Setup Parameters

Parameter Default

User accounts Administrator account:

username: admin / password: admin

XML interface account:

username: www: / password: admin

Device Manager GUI access account:

username: dm / password: N/A

Host name switch

Inactivity timeout 5 minutes

Gigabit Ethernet port, port mode, and management VLAN parameters when using the ACE setup script

• Management VLAN allocated to the specified Ethernet port.

• VLAN 1000 assigned as the management VLAN interface.

• GigabitEthernet port mode configured as VLAN access port.

• Extended IP access list that allows IP traffic originating from any other host addresses.

• Traffic classification (class map and policy map) created for management protocols HTTP, HTTPS, ICMP, ICMPv6, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated for connectivity with the Device Manager GUI.

• VLAN interface configured on the ACE appliance and a policy map assigned to the VLAN interface.


OL-25343-01

Chapter 2 Setting Up the ACE ApplianceSetting Up the ACE Appliance

• Changing or Resetting the Administrative Password

• Assigning a Name to the ACE Appliance

• Configuring an ACE Appliance Inactivity Timeout

• Configuring a Message-of-the-Day Banner

• Configuring the Date and Time

• Synchronizing the ACE Appliance with an NTP Server

• Configuring Terminal Settings

• Modifying the Boot Configuration

• Restarting the ACE Appliance

• Shutting Down the ACE Appliance

Establishing a Console Connection on the ACE ApplianceThis section describes how to establish a direct serial connection between your terminal or a PC and the ACE appliance by making a serial connection to the console port on the rear panel of the appliance. The ACE appliance has one standard RS-232 serial port found on the rear panel that operates as the console port.

Prerequisites

This setup procedure requires a properly configured terminal and cable as described in the “Prerequisites for Setting Up the ACE Appliance” section.

Restrictions

Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH sessions.

Detailed Steps

Follow these steps to access the ACE appliance using a direct serial connection:

Step 1 Connect the serial cable between the ACE appliance and the terminal and then use any terminal communications application to access the ACE appliance CLI. This procedure uses HyperTerminal for Windows.

Step 2 Launch HyperTerminal. The Connection Description window appears.

Step 3 Enter a name for your session in the Name field.

Step 4 Click OK. The Connect To window appears.

Step 5 From the drop-down list, choose the COM port to which the device is connected.

Step 6 Click OK. The Port Properties window appears.

Step 7 Set the following port properties:

• Baud Rate = 9600

• Data Bits = 8

• Flow Control = none

• Parity = none


OL-25343-01


• Stop Bits = 1

Step 8 Click OK to connect.

Step 9 Press Enter to access the CLI prompt.

switch login:

What to Do Next

When the login prompt displays, proceed with the following tasks:

• Once a session is created, choose Save As from the File menu to save the connection description. Saving the connection description has the following two advantages:

– The next time that you launch HyperTerminal, the session is listed as an option under Start > Programs > Accessories > HyperTerminal > Name_of_session. This option lets you reach the CLI prompt directly without going through the configuration steps.

– You can connect your cable to a different device without configuring a new HyperTerminal session. If you use this option, make sure that you connect to the same port on the new device as was configured in the saved HyperTerminal session. Otherwise, a blank screen appears without a prompt.

• If this is the first time that you are booting the ACE appliance, see the “Using the Setup Script to Enable Connectivity to the Device Manager” section.

If this is not the first time that you are booting the ACE appliance, see the “Connecting and Logging In to the ACE Appliance” section for information about logging in and entering the configuration mode to configure the ACE appliance.

Using the Setup Script to Enable Connectivity to the Device ManagerThis section describes how to use the setup script to simplify connectivity to the ACE appliance Device Manager GUI (as described in the Device Manager Guide, Cisco ACE Application Control Engine Appliance). When you boot the ACE appliance for the first time and the ACE does not detect a startup-configuration file, a setup script guides you through the process of configuring a management VLAN on the ACE appliance through one of its Gigabit Ethernet ports.

After you specify a gigabit Ethernet port, port mode, and a management VLAN, the setup script automatically applies the following default configuration:

• Management VLAN allocated to the specified Ethernet port.

• VLAN 1000 assigned as the management VLAN interface.

• GigabitEthernet port mode configured as VLAN access port.

• Extended IP access list that allows IP traffic originating from any other host addresses.

• Traffic classification (class map and policy map) created for management protocols HTTP, HTTPS, ICMP, SSH, Telnet, and XML-HTTPS. HTTPS is dedicated for connectivity with the Device Manager GUI.

• VLAN interface configured on the ACE and a policy map assigned to the VLAN interface.

The ACE appliance provides a default answer in brackets [ ] for each question in the setup script. To accept a default configuration prompt, press Enter, and the ACE appliance accepts the setting. To skip the remaining configuration prompts, press Ctrl-C any time during the configuration sequence.


OL-25343-01


Note The script configuration process described in this section is identical to the script configuration process performed using the setup CLI command.

Detailed Steps

Follow these steps to configure the ACE appliance using the setup script:

Step 1 Ensure that you have established a direct serial connection between your terminal or a PC and the ACE appliance (see the “Establishing a Console Connection on the ACE Appliance” section).

Step 2 Press the power button on the front of the ACE appliance and the boot process occurs. See the Hardware Installation Guide, Cisco ACE 4710 Application Control Engine Appliance for details.

Step 3 At the login prompt, log into the ACE appliance by entering the login username and password. By default, the username and password are admin. For example, enter:

Starting sysmgr processes.. Please wait...Done!!!


Step 4 At the prompt “Enter the password for “admin:”, change the default Admin password. If you do not change the default Admin password, after you upgrade the ACE appliance software you will only be able to log in to the appliance through the console port.

Enter the new password for "admin": xxxxxConfirm the new password for "admin": xxxxxadmin user password successfully changed.

Step 5 At the prompt “Enter the password for “www:”, change the default www user password. If you do not change the default www user password, the www user will be disabled and you will not be able to use Extensible Markup Language (XML) to remotely configure an ACE appliance until you change the default www user password.

Enter the new password for "www": xxxxxConfirm the new password for "www": xxxxxwww user password successfully changed.

Step 6 At the prompt “Would you like to enter the basic configuration dialog? (yes/no):”, type yes to continue the setup (or select no to or bypass its operation and directly access the CLI).

Step 7 At the prompt “Enter the Ethernet port number to be used as the management port (1-4):? [1]:”, specify the Ethernet port that you want to use to access the Device Manager GUI. Valid entries are 1 through 4. The default is Ethernet port 1. Press Enter.

Step 8 At the prompt “Enter the management port IP Address (n.n.n.n): [192.168.1.10]:”, assign an IP address to the management VLAN interface. When you assign an IP address to a VLAN interface, the ACE appliance automatically makes it a routed mode interface. Press Enter.

Step 9 At the prompt “Enter the management port Netmask(n.n.n.n): [255.255.255.0]:”, assign a subnet mask to the management VLAN interface. Press Enter.

Step 10 At the prompt “Enter the default route next hop IP Address (n.n.n.n) or <enter> to skip this step:”, choose whether to assign an IP address of the gateway router (the next-hop address for this route). If you specify yes, enter the IP address of default gateway. The gateway address must be in the same network as specified in the IP address for a VLAN interface. Press Enter.

Step 11 After you configure the Ethernet port, the setup script displays a summary of entered values:


OL-25343-01


Management Port: 3Ip address 12.3.4.5Netmask: 255.255.255.0Default Route: 23.4.5.6

Step 12 At the prompt “Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:”, enter one of the following replies:

• Type y to apply the appropriate configuration and save the running-configuration to the startup-configuration file. This is the default.

• Type n to bypass applying the configuration and saving the running-configuration to the startup-configuration file.

• Type d to view a detailed summary of the entered configuration values before you apply those configuration values to the ACE.

Step 13 If you select d, the configuration summary appears:

interface gigabitEthernet 1/3 switchport access vlan 1000 no shutaccess-list ALL extended permit ip any any class-map type management match-any remote_access match protocol xml-https any match protocol dm-telnet any match protocol icmp any match protocol telnet any match protocol ssh any match protocol http any match protocol https any match protocol snmp anypolicy-map type management first-match remote_mgmt_allow_policy class remote_access permitinterface vlan 1000 ip address 192.168.1.10 255.255.255.0 access-group input ALL service-policy input remote_mgmt_allow_policy no shutdownssh key rsaip route 0.0.0.0 0.0.0.0 172.16.2.1

The prompt “Submit the configuration including security settings to the ACE Appliance? (yes/no/details): [y]:” reappears. Enter one of the following replies:

• Type y to apply the appropriate configuration and save the running-configuration to the startup-configuration file. This is the default.

• Type n to bypass applying the configuration and saving the running-configuration to the startup-configuration file.

Step 14 When you select y, the following message appears:

Configuration successfully applied. You can now manage this ACE Appliance by entering the url 'https://192.168.1.10' into a web browser to access the Device Manager GUI.


OL-25343-01


Connecting and Logging In to the ACE ApplianceThis section describes how to connect (session) to the ACE appliance as the default user from the appliance console port. Once you connect to the ACE appliance as the default user, you can then log in and enter the configuration mode to configure the ACE.

The ACE appliance creates the following default users at startup: admin, dm, and www.

• The admin user is the global administrator and cannot be deleted.

• The dm user is for accessing the Device Manager GUI and cannot be deleted. The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE appliance CLI.

Note Do not modify the dm user password from the ACE appliance CLI. If the password is changed, the Device Manager GUI will become inoperative. If this occurs, restart the Device Manager using the dm reload command (you must be the global administrator to access the dm reload command). Note that restarting the Device Manager does not impact ACE appliance functionality; however, it may take a few minutes for the Device Manager to reinitialize as it reads the appliance CLI configuration.

• The ACE uses the www user account for the XML interface and cannot be deleted.

Later, when you configure interfaces and IP addresses on the ACE appliance itself, you can remotely access the appliance CLI through an ACE interface by using a Telnet or SSH session. To configure remote access to the ACE appliance CLI, see Chapter 2, Enabling Remote Access to the ACE. For details on configuring interfaces on the ACE appliance, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

You can configure the ACE appliance to provide a higher level of security for users accessing the appliance. For information about configuring user authentication for login access, see the Security Guide, Cisco ACE Application Control Engine.

Restrictions

Only the Admin context is accessible through the console port; all other contexts can be reached through a Telnet or SSH remote access session.

Detailed Steps

Follow these steps to session into the ACE appliance and access configuration mode to perform the initial configuration:

Step 1 Access the ACE appliance directly by its console port, attach a terminal to the asynchronous RS-232 serial port on the rear panel of the appliance. The ACE appliance has one standard RS-232 serial port found on the rear panel that operates as the console port. Any device connected to this port must be capable of asynchronous transmission. Connection requires a terminal configured as 9600 baud, 8 data bits, hardware flow control on, 1 stop bit, no parity. See the “Establishing a Console Connection on the ACE Appliance” section.

Step 2 Log into the ACE appliance by entering the login username and password at the following prompt:


By default, both the username and password are admin.


OL-25343-01



host1/Admin#

To change the default login username and password, see the “Changing or Resetting the Administrative Password” section for details.

Caution You must change the default Admin password if you have not already done so. Otherwise, you will be able to log in to the ACE appliance only through the console port. You will not be able to access the ACE using Telnet or SSH until you change the default Admin password.

Note When you boot the ACE appliance for the first time and it does not detect a startup-configuration file, a setup script appears to enable connectivity to the ACE Device Manager GUI. The start-up script is not intended for use with the CLI. Select no to skip the use of the setup script and proceed directly to the CLI. See “Connecting and Logging In to the ACE Appliance” section for details.

Step 3 To access configuration mode, enter:

host1/Admin# configureEnter configuration commands, one per line. End with CNTL/Z


host1/Admin(config)#

Changing or Resetting the Administrative Password This section describes how to change or reset the administrative password and includes the following topics:

• Changing the Administrative Password

• Resetting the Administrator Account Password

Changing the Administrative Password

This section describes how to change the administrative password. During the initial login process to the ACE appliance, you enter the default username admin and the default password admin in lowercase text. You cannot modify or delete the default administrative username; however, for security reasons, you must change the default administrative password. If you do not change the password, then security on your ACE appliance can be compromised because the administrative username and password are configured to be the same for every ACE appliance shipped from Cisco Systems.

The administrative username and password are stored in Flash memory. Each time that you reboot the ACE appliance, it reads the username and password from Flash memory. Global administrative status is assigned to the administrative username by default.

Note For information about changing a user password, see the Virtualization Guide, Cisco ACE Application Control Engine.


OL-25343-01


Caution You must change the default Admin password if you have not already done so. Otherwise, you can log in to the ACE appliance only through the console port.

Detailed Steps

Resetting the Administrator Account Password

This section describes how recover the admin password during the initial bootup sequence of the ACE appliance if you forget the password for the ACE appliance administrator account and cannot access the appliance. You must have access to the ACE appliance through the console port to be able to reset the password for the Admin user back to the factory-default value of admin.

Command Purpose

Step 1 config



Step 2 username name1 [password [0 | 5] {password}]

Example:host1/Admin(config)# username admin password 0 mysecret_801

Changes the default username and password. The keywords, arguments, and options are as follows:

• name1—Sets the username that you want to assign or change. Enter admin.

• password—(Optional) Keyword that indicates that a password follows.

• 0—(Optional) Specifies a clear text password.

• 5—(Optional) Specifies an MD5-hashed strong encryption password.

• password—The password in clear text, encrypted text, or MD5 strong encryption, depending on the numbered option (0 or 5) that you enter. If you do not enter a numbered option, the password is in clear text by default. Enter a password as an unquoted text string with a maximum of 64 characters.

Note If you specify an MD5-hashed strong encryption password, the ACE considers a password to be weak if it less than eight characters in length.

The ACE supports the following special characters in a password:

, . / = + - ^ @ ! % ~ # $ * ( )






OL-25343-01


Restrictions


Detailed Steps

Follow these steps to reset the password that allows the Admin user access to the ACE appliance:

Step 1 Connect to the console port on the ACE appliance.

Step 2 Log in to the ACE appliance. See the “Connecting and Logging In to the ACE Appliance” section.

Step 3 Reboot the ACE appliance. See the “Restarting the ACE Appliance” section.

Step 4 During the bootup process, output appears on the console terminal. Press ESC when the “Starting services...” message appears on the terminal (see the example below). The setup mode appears. If you miss the time window, wait for the ACE appliance to properly complete booting, reboot the ACE appliance, and try again to access the setup mode by pressing ESC.

Daughter Card Found. Continuing... INIT: Entering runlevel: 3 Testing PCI path .... This may take some time, Please wait .... PCI test loop , count 0 PCI path is ready Starting services... <<<<< Press ESC when you see this messageEntering setup sequence...Reset Admin password [y/n] (default: n): yResetting admin password to factory default... . Starting sysmgr processes.. Please wait...Done!!! switch login:

Step 5 The setup mode prompts if you want to reset the admin password. Enter y. The “Resetting admin password to factory default” message appears. The ACE appliance deletes the admin user password configuration from the startup-configuration and resets the password back to the factory default value of admin.

The boot process continues as normal and you are able to enter the admin password at the login prompt.

Assigning a Name to the ACE ApplianceThis section describes how to specify a hostname for the ACE appliance or for the peer ACE appliance in a redundant configuration. The hostname is used to identify the ACE and for the command-line prompts. If you establish sessions to multiple devices, the hostname helps you track where you enter commands. By default, the hostname for the ACE appliance is “switch.”

Restrictions



OL-25343-01


Detailed Steps

Configuring an ACE Appliance Inactivity TimeoutThis section describes how to modify the length of time that can occur before the ACE appliance logs off an inactive user by specifying the length of time that a user session can be idle before the ACE appliance terminates the console, Telnet, or SSH session. By default, the inactivity timeout value is 5 minutes.


The login timeout command setting overrides the terminal session-timeout setting (see the “Configuring Terminal Display Attributes” section).

Command Purpose

Step 1 config




Example:host1/Admin(config)# hostname ACE1ACE1/Admin(config)#

Changes the ACE appliance name.

The name argument specifies a new hostname for the ACE appliance. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters (with no spaces). The underscore (_) character is not supported in the hostname for the ACE.


Example:ACE1/Admin(config)# peer hostname ACE2

(Optional) Changes the peer ACE appliance name in a redundant configuration.

The name argument specifies a new hostname for the peer ACE appliance. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters (with no spaces). The underscore (_) character is not supported in the hostname for the AC


Example:ACE1/Admin(config)# do copy running-config startup-config



OL-25343-01


Detailed Steps

Configuring a Message-of-the-Day BannerThis section describes how to configure a message in configuration mode to display as the message-of-the-day banner when a user connects to the ACE appliance. Once connected to the ACE appliance, the message-of-the-day banner appears, followed by the login banner and Exec mode prompt.

Restrictions

If you connect to the ACE appliance by using an SSH version 1 remote access session, the message-of-the-day banner is not displayed.

Command Purpose

Step 1 config



Step 2 login timeout minutes

Example:host1/Admin(config)# login timeout 10

Configures the inactivity timeout value.

The minutes argument specifies the length of time that a user can be idle before the ACE appliance terminates the session. Valid entries are from 0 to 60 minutes. A value of 0 instructs the ACE appliance never to timeout. The default is 5 minutes.

no login timeout

Example:host1/Admin(config)# no login timeout

(Optional) Restores the default timeout value of 5 minutes.





OL-25343-01


Detailed Steps

Command Purpose

Step 1 config



Step 2 banner motd text

Example:host1/Admin(config)# banner motd #Welcome to “$(hostname)”...#

Configures the message-of-the-day banner.

The text argument is a line of message text to be displayed as the message-of-the-day banner. The text string consists of all characters that follow the first space until the end of the line (carriage return or line feed).

The pound (#) character functions as the delimiting character for each line. For the banner text, spaces are allowed but tabs cannot be entered at the CLI. To instruct the ACE appliance to display multiple lines in a message-of-the-day banner, enter a new banner motd command for each line that you want to appear.

The banner message is a maximum of 80 characters per line, up to a maximum of 3000 characters (3000 bytes) for a message-of-the-day banner. This maximum value includes all line feeds and the last delimiting character in the message.

To add multiple lines to an existing a message-of-the-day banner, precede each line by using the banner motd command. The ACE appliance appends each line to the end of the existing banner. If the text is empty, the ACE appliance adds a carriage return (CR) to the banner.

You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable. For example, enter:

• $(hostname)—Displays the hostname for the ACE appliance during run time.

• $(line)—Displays the tty (teletypewriter) line or name (for example, “/dev/console”, “/dev/pts/0”, or “1”).

To use the $(hostname) in a single line banner motd input, you must include double quotes (“) around the $(hostname) so that the $ is interpreted as a special character at the beginning of a variable in the single line (see the Step example).

Do not use the double quote character (“) or the percent sign character (%) as a delimiting character in a single line message string.

For multi-line input, double quotes (“) are not required for the token because the input mode is different from signal-line mode. When you operate in multi-line mode, the ACE appliance interprets the double quote character (“) literally.

no banner motd

Example:host1/Admin(config)# no banner motd

(Optional) Replace a banner or a line in a multi-line banner.


OL-25343-01


Examples

The following example shows how to span multiple lines and use tokens to configure the banner message:

host1/Admin(config)# banner motd #Enter TEXT message. End with the character '#'.================================Welcome to Admin Context--------------------------------Hostname: $(hostname)Tty Line: $(line)=================================#

Configuring the Date and TimeThis section describes how to manually configure the date, time, and time zone settings for an ACE appliance.

You can automatically set the date and time of the ACE appliance by synchronizing to a Network Time Protocol (NTP) server. For details, see the “Synchronizing the ACE Appliance with an NTP Server” section.


• Setting the System Time and Date

• Configuring the Time Zone

• Adjusting for Daylight Saving Time

Setting the System Time and Date

This section describes how to set the time and the date for an ACE appliance.

Note If you wish to use the Network Time Protocol (NTP) to automatically synchronize the ACE appliance system clock to an authoritative time server (such as a radio clock or an atomic clock), see the “Synchronizing the ACE Appliance with an NTP Server” section. In this case, the NTP time server automatically sets the ACE system clock.

Step 3 do show banner motd

Example:host1/Admin(config)# do show banner motd

(Optional) Display the configured banner message.




Command Purpose


OL-25343-01



If you previously configured NTP on an ACE appliance, the ACE appliance prevents you from using the clock set command to set the time and the date and displays an error message. To manually set the ACE appliance system clock, remove the NTP peer and NTP server from the configuration before setting the clock on an ACE. See the “Synchronizing the ACE Appliance with an NTP Server” section for more information.

Detailed Steps

Configuring the Time Zone

This section describes how to set the time zone of the ACE appliance. The ACE appliance keeps time internally in Universal Time Coordinated (UTC) offset.

Command Purpose

Step 1 clock set hh:mm:ss DD MONTH YYYY

Example:host1/Admin# clock set 01:38:30 7 August 2009Fri Aug 7 01:38:30 PST 2009

Sets the time and the date for an ACE appliance. When you enter this command, the ACE appliance displays the current configured date and time.


• hh:mm:ss—Current time to which the ACE appliance clock is being reset. Specify two digits for the hours, minutes, and seconds.

• DD MONTH YYYY—Current date to which the ACE appliance clock is being reset. Specify one or two digits for the day, the full name of the month, and four digits for the year. The following month names are recognized: January, February, March, April, May, June, July, August, September, October, November, and December.

Step 2 show clock

Example:host1/Admin# show clockFri Aug 7 01:38:30 PST 2009



OL-25343-01


Detailed Steps

Command Purpose

Step 1 config



Step 2 clock timezone {zone_name{+ | –} hours minutes} | {standard timezone}

Example:host1/Admin(config)# clock timezone PST -8 0

Configures the time zone of the ACE appliance.


• zone_name—The 8-character name of the time zone (for example, PDT) to be displayed when the time zone is in effect. Table 2-2 lists the common time zone acronyms that you can use for the zone_name argument.

• hours—Hours offset from UTC. The range is from –23 to +23.

• minutes—Minutes offset from UTC. The range is from 0 to 59 minutes.

• standard timezone—Displays a list of well known time zones that include an applicable UTC hours offset. Available choices in the list are as follows:

– AKST—Alaska Standard Time, as UTC –9 hours

– AST—Atlantic Standard Time, as UTC –4 hours

– BST—British Summer Time, as UTC + 1 hour

– CEST—Central Europe Summer Time, as UTC + 2 hours

– CET—Central Europe Time, as UTC + 1 hour

– CST—Central Standard Time, as UTC –6 hours

– CST—Central Standard Time, as UTC + 9.5 hours

– EEST—Eastern Europe Summer Time, as UTC + 3 hours

– EET—Eastern Europe Time, as UTC + 2 hours

– EST—Eastern Standard Time, as UTC -5 hours

– GMT—Greenwich Mean Time, as UTC

– HST—Hawaiian Standard Time, as UTC –10 hours

– IST—Irish Summer Time, as UTC + 1 hour

– MSD—Moscow Summer Time, as UTC + 4 hours

– MSK—Moscow Time, as UTC + 3 hours

– MST—Mountain Standard Time, as UTC –7 hours

– PST—Pacific Standard Time, as UTC –8 hours

– WEST—Western Europe Summer Time, as UTC + 1 hour

– WST—Western Standard Time, as UTC + 8 hours


OL-25343-01


Table 2-2 lists common time zone acronyms that you use when specifying the zone name using the command’s zone_name argument.

no clock timezone

Example:host1/Admin(config)# no clock timezone

(Optional) Removes the clock timezone setting.

Step 3 do show clock

Example:host1/Admin (config)# do show clockFri Aug 7 01:38:30 PST 2009





Command Purpose

Table 2-2 Common Time Zone Acronyms


Europe

BST British Summer Time, as UTC + 1 hour

CET Central Europe Time, as UTC + 1 hour

CEST Central Europe Summer Time, as UTC + 2 hours

EET Eastern Europe Time, as UTC + 2 hours

EEST Eastern Europe Summer Time, as UTC + 3 hours

GMT Greenwich Mean Time, as UTC

IST Irish Summer Time, as UTC + 1 hour

MSK Moscow Time, as UTC + 3 hours

MSD Moscow Summer Time, as UTC + 4 hours

WET Western Europe Time, as UTC

WEST Western Europe Summer Time, as UTC + 1 hour

United States and Canada

AST Atlantic Standard Time, as UTC – 4 hours

ADT Atlantic Daylight Time, as UTC – 3 hours

CT Central Time, either as CST or CDT, depending on the place and time of the year

CST Central Standard Time, as UTC – 6 hours

CDT Central Daylight Saving Time, as UTC – 5 hours

ET Eastern Time, either as EST or EDT, depending on the place and time of the year

EST Eastern Standard Time, as UTC – 5 hours

EDT Eastern Daylight Saving Time, as UTC – 4 hours

MT Mountain Time, either as MST or MDT, depending on the place and time of the year

MDT Mountain Daylight Saving Time, as UTC – 6 hours


OL-25343-01


Adjusting for Daylight Saving Time

This section describes how to configure the ACE appliance to change the time automatically to summer time (daylight saving time) by specifying when summer time begins and ends. All times are relative to the local time zone; the start time is relative to standard time and the end time is relative to summer time. If the starting month is after the ending month, the ACE appliance assumes that you are located in the Southern Hemisphere.

Detailed Steps

MST Mountain Standard Time, as UTC – 7 hours

PT Pacific Time, either as PST or PDT, depending on the place and time of the year

PDT Pacific Daylight Saving Time, as UTC – 7 hours

PST Pacific Standard Time, as UTC – 8 hours

AKST Alaska Standard Time, as UTC – 9 hours

AKDT Alaska Standard Daylight Saving Time, as UTC – 8 hours

HST Hawaiian Standard Time, as UTC – 10 hours

Australia

CST Central Standard Time, as UTC + 9.5 hours

EST Eastern Standard/Summer Time, as UTC + 10 hours (+11 hours during summer time)

WST Western Standard Time, as UTC + 8 hours

Table 2-2 Common Time Zone Acronyms (continued)


Command Purpose

Step 1 config




OL-25343-01


Step 2 clock summer-time {daylight_timezone_name start_week start_day start_month start_time end_week end_day end_month end_time daylight_offset | standard timezone}

Example:host1/Admin(config)# clock summer-time Pacific 1 Sun Apr 02:00 5 Sun Oct 02:00 60

Configures the ACE appliance to change the time automatically to summer time (daylight saving time).


• daylight_timezone_name—The eight-character name of the time zone (for example, PDT) to be displayed when summer time is in effect. See Table 2-2 for the list the common time zone acronyms used for the daylight_timezone_name argument.

• start_week end_week—The week, ranging from 1 through 5.

• start_day end_day—The day, ranging from Sunday through Saturday.

• start_month end_month—The month, ranging from January through December.

• start_time end_time—Time, in military format, specified in hours and minutes.

• daylight_offset—Number of minutes to add during the summer time. Valid entries are 1 to 1440.

• standard timezone—Displays a list of well known time zones that include an applicable daylight time start and end range along with a daylight offset. Available list choices are as follows:

– ADT—Atlantic Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– AKDT—Alaska Standard Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– CDT—Central Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– EDT—Eastern Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– MDT—Mountain Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

– PDT—Pacific Daylight Time: 2 a.m. 1st Sunday April to 2 a.m. last Sunday Oct, + 60 min

no clock summer-time

Example:host1/Admin(config)# no clock summer-time

(Optional) Removes the clock summer-time setting.




Command Purpose


OL-25343-01


Synchronizing the ACE Appliance with an NTP ServerThis section describes how to use Network Time Protocol (NTP) to synchronize the ACE appliance system clock to a time server. NTP is an Internet protocol designed to synchronize the clocks of computers over a network. Typically, an NTP network receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and assures accurate local time-keeping. NTP distributes this time across the network. The NTP protocol can synchronize distributed clocks within milliseconds over long time periods.

NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305. All NTP communication uses Coordinated Universal Time (UTC), which is the same as Greenwich Mean Time.

An NTP association can be a peer association, which means that the ACE appliance is willing to synchronize to the other system or to allow the other system to synchronize to the ACE. An NTP association can also be a server association, which means that only this system will synchronize to the other system, not the other way around. You can identify multiple servers; the ACE appliance uses the most accurate server. To configure the ACE appliance system clock to synchronize a peer (or to be synchronized by a peer) or to be synchronized by a time server, use the ntp command. To display a list of the current associated peers and NTP statistical information, see the “Displaying NTP Statistics and Information” section.


Only users authenticated in the Admin context can use the ntp command.

Prerequisites

This configuration topic includes the following prerequisites:

• An NTP server must be accessible by the client ACE appliance.

• If you are configuring application acceleration and optimization functionality (as described in the Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance), and you plan to use an optional Cisco AVS 3180A Management Console with multiple ACE nodes, we strongly recommend that you synchronize the system clock of each ACE node with an NTP server. AppScope performance monitoring relies on very accurate time measurement, in the millisecond range. If you install multiple ACEs, you must synchronize the clocks so that different parts of a single transaction can be handled by different nodes.


OL-25343-01


Detailed Steps

Examples

For example, to specify multiple NTP server IP addresses and identify a preferred server, enter:

host1/Admin(config)# ntp server 192.168.10.10 preferhost1/Admin(config)# ntp server 192.168.4.143host1/Admin(config)# ntp server 192.168.5.10

Command Purpose

Step 1 config

Example:ACE_1/Admin# configACE_1/Admin(config)#


Step 2 ntp peer ip_address [prefer]

Example:ACE_1/Admin(config)# ntp peer 192.168.10.0

Configures the ACE appliance system clock to synchronize a peer (or to be synchronized by a peer).


• ip_address—IP address of the peer providing or being provided by the clock synchronization.

• prefer—(Optional) Makes this peer the preferred peer that provides synchronization. Using the prefer keyword reduces switching back and forth between peers.

no ntp peer ip_address

Example:ACE_1/Admin(config)# no ntp peer 192.168.10.0

(Optional) Removes an NTP peer or server from the configuration.

Step 3 ntp server ip_address [prefer]

Example:ACE_1/Admin(config)# ntp server 192.168.10.10

Configures the ACE appliance system clock to be synchronized by a time server.


• ip_address—IP address of the time server that provides the clock synchronization.

• prefer—(Optional) Makes this server the preferred server that provides synchronization. The prefer keyword sets this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers have similar accuracy, then the prefer keyword specifies which server to use.

no ntp server ip_address

Example:ACE_1/Admin(config)# no ntp server 192.168.10.10

(Optional) Removes an NTP peer or server from the configuration.


Example:ACE_1/Admin(config)# do copy running-config startup-config



OL-25343-01


Configuring Terminal SettingsThis section describes how to access the ACE appliance CLI by using one of the following methods:

• Make a direct connection by using a dedicated terminal attached to the console port on the front of the ACE appliance.

• Establish a remote connection to the ACE appliance using the Secure Shell (SSH) or Telnet protocols.


• Configuring Terminal Display Attributes

• Configuring Virtual Terminal Line Settings

For details on configuring remote access to the ACE appliance CLI using SSH or Telnet, see Chapter 2, Enabling Remote Access to the ACE.


This configuration topic includes the following guidelines and restrictions:

• Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH.

• The login timeout command setting overrides the terminal session-timeout setting (see the “Configuring an ACE Appliance Inactivity Timeout” section).

Configuring Terminal Display Attributes

This section describes how to specify the number of lines and the width for displaying information on a terminal during a console session.


The maximum number of displayed screen lines is 511 columns.


OL-25343-01


Detailed Steps

Command Purpose

Step 1 terminal length lines

Example:host1/Admin# terminal lines 50

Specifies the number of lines for displaying information on a terminal during a console session.

The lines argument sets the number of lines displayed on the current terminal screen. This command is specific to only the console port. Telnet and SSH sessions set the length automatically. Valid entries are from 0 to 511. The default is 24 lines. A value of 0 instructs the ACE appliance to scroll continuously (no pausing) and overrides the terminal width value. If you later change the terminal length to any other value, the originally configured terminal width value takes effect.

Step 2 terminal monitor

Example:host1/Admin# terminal monitor%ACE-7-111009: User 'admin' executed cmd: terminal monitor

%ACE-7-111009: User 'admin' executed cmd: terminal monitor......

Starts the terminal monitor session and displays syslog output on the terminal. To enable the various levels of syslog messages to the terminal, use the logging monitor command (see the System Message Guide, Cisco ACE Application Control Engine for details).

terminal no monitor

Example:host1/Admin# terminal no monitor

(Optional) Stops the current terminal monitoring session.

Step 3 terminal session-timeout minutes

Example:host1/Admin# terminal session-timeout 600

Specifies the inactivity timeout value in minutes to configure the automatic logout time for the current terminal session on the ACE appliance. When inactivity exceeds the time limit configured by this command, the ACE appliance closes the session and exits. The range is from 0 to 525600. The default value is inherited from the value that is configured for the login timeout command. If you do not configure a value for the login timeout command, the default for both commands is 5 minutes. You can set the terminal session-timeout value to 0 to disable this feature so that the terminal remains active until you choose to exit the ACE appliance. The ACE appliance does not save this change in the configuration file.

The minutes argument sets the timeout value in minutes.

Step 4 terminal terminal-type text

Example:host1/Admin# terminal terminal-type vt200

Specifies the name and type of the terminal used to access the ACE appliance. If a Telnet or SSH session specifies an unknown terminal type, the ACE appliance uses the VT100 terminal by default.

The minutes argument is the terminal type. Specify a text string from 1 to 80 alphanumeric characters.

Step 5 terminal width characters

Example:host1/Admin# terminal width 250

Specifies the width for displaying information on a terminal during a console session. This command is specific to the console port only.Telnet and SSH sessions set the width automatically.

The characters argument sets the number of characters displayed on the current terminal screen. Valid entries are from 24 to 512. The default is 80 columns.


OL-25343-01


Configuring Virtual Terminal Line Settings

This section describes how to configure the virtual terminal line settings to enable remote access to the ACE appliance. A virtual terminal line is not associated with the console port; instead, it is a virtual port that allows you to access the ACE appliance.

Detailed Steps

terminal no width

Example:host1/Admin# terminal no width

(Optional) Resets a terminal setting to its default value.

Step 6 show terminal

Example:host1/Admin# show terminalTTY: /dev/pts/0 Type: “vt100”Length: 25 lines, Width: 80 columnsSession Timeout: 60 minutes

(Optional) Displays the console terminal settings.

Command Purpose

Command Purpose

Step 1 config



Step 2 line vty

Example:host1/Admin(config)# line vtyhost1/Admin(config-line)#

Enters line configuration mode.

Step 3 session-limit number

Example:host1/Admin(config-line)# session-limit 23

Specifies the maximum number of terminal sessions per line. The range is from 1 to 251.

no session-limit number

Example:host1/Admin(config-line)# no session-limit 23

(Optional) Disables a setting for the configured virtual terminal line.


Example:host1/Admin(config-line)# do copy running-config startup-config


Step 5 Press Ctrl-z. (Optional) Returns to the Exec mode prompt.

Step 6 clear line vty_name

Example:host1/Admin# clear line vty vty1

(Optional) Closes a specified vty session.

The vty_name argument specifies the name of the VTY session. Enter a maximum of 64 characters for the name of the virtual terminal.


OL-25343-01


Modifying the Boot ConfigurationThis section describes how control the way in which the ACE appliance performs its boot process. You can instruct the ACE appliance to automatically boot the system image identified in the BOOT environment variable or you can manually identify the system boot image to use. In addition, you can choose to have the ACE appliance load the startup-configuration file or ignore the startup-configuration file upon reboot.

This section describes how to modify the boot configuration of the ACE appliance and contains the following topics:

• Setting the Boot Method from the Configuration Register

• Setting the BOOT Environment Variable

• Configuring the ACE Appliance to Bypass the Startup Configuration File During the Boot Process

Setting the Boot Method from the Configuration Register

This section describes how to modify the boot method that the ACE appliance uses at the next startup by setting the boot field in the software configuration register. The configuration register identifies how the ACE appliance should boot, automatically or manually.


The config-register command used to change the configuration register settings affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered.

Detailed Steps

Command Purpose

Step 1 config




OL-25343-01


Setting the BOOT Environment Variable

This section describes how to add several images to the BOOT environment variable to provide a fail-safe boot configuration. The BOOT environment variable specifies a list of image files on various devices from which the ACE appliance can boot at startup. If the first file fails to boot the ACE appliance, subsequent images that are specified in the BOOT environment variable are tried until the ACE boots or there are no additional images to attempt to boot. If there is no valid image to boot, the ACE appliance enters ROMMON mode where you can manually specify an image to boot.

The ACE appliance stores and executes images in the order in which you added them to the BOOT environment variable. If you want to change the order in which images are tried at startup, you can either prepend and clear images from the BOOT environment variable to attain the desired order or you can clear the entire BOOT environment variable and then redefine the list in the desired order.

Step 2 config-register value

Example:host1/Admin(config)# config-register 0x1

Sets the configuration register value that determines how the ACE reboots. The value argument represents the configuration register value that you want to use the next time that you restart the ACE appliance. The supported value entries are as follows:

• 0x0—Upon reboot, the ACE appliance boots to the GNU GRand Unified Bootloader (GRUB). From the GRUB boot loader, you specify the system boot image to use to boot the ACE appliance. Upon startup, the ACE appliance loads the startup-configuration file stored in the Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory). For information about using the GRUB boot loader during a reboot, see the “Restarting the ACE Appliance” section.

• 0x1—Upon reboot, the ACE appliance boots the system image identified in the BOOT environment variable (see the “Setting the BOOT Environment Variable” section). The BOOT environment variable specifies a list of image files on various devices from which the ACE appliance can boot at startup. If the ACE appliance encounters an error or if the image is not valid, it will try the second image (if one is specified). Upon startup, the ACE appliance loads the startup-configuration file stored in the Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory).

no config-register 0x1

Example:host1/Admin(config)# no config-register 0x1

(Optional) Resets the config-register setting.




Command Purpose


OL-25343-01


Detailed Steps

Configuring the ACE Appliance to Bypass the Startup Configuration File During the Boot Process

This section describes how to use the GRUB bootloader to instruct the ACE appliance to bypass the startup-configuration file stored on the ACE in the Flash memory (nonvolatile memory) during the boot process. You may require the ACE appliance to bypass the startup configuration file during bootup in the following instances:

• Certain configurations cause problems that result in the ACE appliance becoming nonresponsive. You can bypass the startup configuration file to safely boot the ACE appliance and then resolve issues with the configuration.

• You forget the password for the ACE administrator CLI account and cannot access the ACE appliance. You can bypass the startup configuration file and log in with the default password of admin.

Note For the procedure on resetting the administrator CLI account password, see the “Resetting the Administrator Account Password” section.

Command Purpose

Step 1 config



Step 2 boot system image:image_name

Example:host1/Admin(config)# boot system image:c4710ace-t1k9-mz.A4_1_0.bin

Sets the BOOT environment variable.

The image_name argument specifies the name of the system image file. If the file does not exist (for example, if you entered the wrong filename), then the filename is appended to the bootstring, and this message displays, “Warning: File not found but still added in the bootstring.” If the file does exist, but is not a valid image, the file is not added to the bootstring, and this message displays, “Warning: file found but it is not a valid boot image.”

Step 3 do show bootvar

Example:host1/Admin(config)# BOOT variable = "image:/c4710ace-t1k9-mz.A4_1_0.bin"Configuration register is 0x1

(Optional) Displays the BOOT environment variable settings.





OL-25343-01


Detailed Steps

Follow these steps to instruct the ACE appliance to bypass the startup-configuration file during the boot process from the GRUB bootloader:

1. Enter the config-register command so that upon reboot the ACE appliance boots to the GRUB bootloader. See the “Setting the Boot Method from the Configuration Register” section.

2. Reboot the ACE appliance. See the “Restarting the ACE Appliance” section. Upon reboot, the ACE appliance boots to the GRUB bootloader.

3. Press Esc when the countdown initiates on the GNU GRUB multiboot loader. The following GRUB menu appears.

GNU GRUB version 0.95 (639K lower / 3144640K upper memory) ******************************************************************

* image(c4710ace-t1k9-mz.A4_1_0.bin) *** ** ******************************************************************

4. In the GRUB menu, use the arrow keys to select from the ACE appliance images loaded in Flash memory. The ACE appliance image entry is highlighted in the list.

5. Type e to edit the kernel command line. If the boot string is greater than one line, you must press e a second time. Append ignorestartupcfg=1. to the end of the boot.

For example, the following illustrates the screen output when you first type e:

******************************************************************* kernel=(hd0,1)/c4710ace-t1k9-mz.A4_1_0.bin ro root=LABEL=/ auto consol* ** *******************************************************************

For example, the following illustrates the screen output when you press e a second time:

< auto console=ttyS0,9600n8 quiet bigphysarea=32768

At this point, append ignorestartupcfg=1 after the second edit.

< auto console=ttyS0,9600n8 quiet bigphysarea=32768 ignorestartupcfg=1

6. Press enter to return to the previous GRUB menu.

7. Press b to boot with this modified boot string.The ACE appliance boot screen appears as follows:

Note When you instruct the ACE appliance to bypass the startup-configuration file stored on it, after you boot the ACE appliance and the startup-configuration file is empty (typically for a new appliance), the ACE appliance will automatically launch the setup script to enable connectivity to the ACE appliance Device Manager GUI (see the “Connecting and Logging In to the ACE Appliance” section). Otherwise, the ACE appliance boot screens appears as described in the output below. If necessary, you can manually launch the setup script using the setup command in Exec mode.

kernel=(hd0,1)/c4710ace-t1k9-mz.A4_1_0.bin ro root=LABEL=/ auto console=ttyS0,9600n8 quiet bigphysarea=32768


OL-25343-01


[Linux-bzImage, setup=0x1400, size=0xb732b7a] INIT: version 2.85 booting Daughter Card Found. Continuing...

INIT: Entering runlevel: 3Testing PCI path ....This may take some time, Please wait ....PCI test loop , count 0PCI path is readyStarting services... Installing MySQLgroupadd: group nobody existsuseradd: user nobody existsMySQL InstalledInstalling JREJRE Installed Starting sysmgr processes.. Please wait...Done!!!

switch login: adminpassword# xxxxx

What to Do Next

You may now configure the ACE appliance to define its basic configuration settings.

Restarting the ACE ApplianceYou can reboot the ACE appliance directly from its CLI and reload the configuration. When you reboot the ACE appliance, it performs a full power cycle of both the hardware and software. Any open connections with the ACE appliance are dropped. The reset process can take several minutes.

Caution Configuration changes that are not written to the Flash partition are lost after a reload. Before rebooting, enter the copy running-conf startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE appliance reverts to its previous settings upon restart.

This section includes the following topics:

• Restarting the ACE Appliance From the CLI

• Using the GRUB Boot Loader to Specify the System Boot Image During a Reload


OL-25343-01


Restarting the ACE Appliance From the CLI

This section describes how to reboot the ACE appliance directly from its CLI.

Detailed Steps

Using the GRUB Boot Loader to Specify the System Boot Image During a Reload

This section describes how to specify a value of 0x0 for the config-register command (see the “Setting the Boot Method from the Configuration Register” section) to force the ACE appliance to enter the GRUB boot loader mode upon a reload or power cycle of the appliance. The ACE appliance remains in GRUB boot loader mode until you identify the location of an image file to boot.

Press Esc when the count down initiates on the GRUB boot loader. The following GRUB menu appears.

GNU GRUB version 0.95 (639K lower / 3144640K upper memory)

******************************************************************

* image(c4710ace-t1k9-mz.A4_1_0.bin) *

* *

* ****************************************************************

In the GRUB menu, use the arrow keys to select from the ACE appliance images loaded in the Flash memory. The ACE appliance image entry is highlighted in the list.

Command Purpose




Step 2 reload

Example:host1/Admin# reloadThis command will reboot the systemSave configurations for all the contexts. Save? [yes/no]: yesGenerating configuration....running config of context Admin savedPerform system reload. [yes/no]: [yes] yes

Restarts the ACE appliance and reloads the configuration. When you specify reload, the ACE appliance prompts you for confirmation and performs a cold restart of the ACE appliance.

During the reload process, the ACE appliance performs one of the following actions:

• If you specified a value of 0x1 for the config-register command (see the “Setting the Boot Method from the Configuration Register” section), the ACE appliance boots the system image identified in the BOOT environment variable.

• If you specified a value of 0x0 for the config-register command, the ACE appliance enters the GRUB boot loader mode and you must identify the location of an image file to boot (see the “Using the GRUB Boot Loader to Specify the System Boot Image During a Reload” section).


OL-25343-01

Chapter 2 Setting Up the ACE ApplianceDisplaying or Clearing the ACE Appliance Setup Configuration and Statistics

Perform one of the following actions:

• Press enter to boot the selected software version.

• Type e to edit the commands before booting.

• Type c to access a command line.

If no ACE appliance images are loaded in the Flash memory, the GNU GRUB multiboot loader appears as follows:

grub>

Shutting Down the ACE ApplianceThis section describes how to remove power from the ACE appliance by using the power button found on the front panel.

Caution Configuration changes that are not written to the Flash partition are lost after a shutdown. Before you shut down the ACE appliance, enter the copy running-conf startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save your configuration changes, the ACE appliance reverts to its previous settings upon restart.

Detailed Steps

Displaying or Clearing the ACE Appliance Setup Configuration and Statistics

This section describes how to display or clear the ACE appliance setup configuration and includes the following topics:

• Displaying ACE Appliance Setup Configuration and Statistics

• Clearing NTP Statistics

Displaying ACE Appliance Setup Configuration and StatisticsThis section describes how to display the ACE appliance setup configuration and statistical information and includes the following topics:

• Displaying NTP Statistics and Information

• Displaying Other ACE Appliance Setup Configuration Information

Command Purpose




Step 2 Press the front panel power button. Shuts down the ACE appliance.


OL-25343-01


Displaying NTP Statistics and Information

This section describes how to instruct the ACE appliance to display the following NTP statistics and information:

• NTP peer statistics

• Input/output statistics

• Counters maintained by the local NTP

• Counters related to the memory code

• Listing of all associated peers


Only users who are authenticated in the Admin context can use the show ntp command.

To display the NTP statistics and information, use the show ntp command from Exec mode as follows:

Table 2-3 describes the fields in the show ntp peer-status command output.

Command Purposeshow ntp {peer-status | peers | statistics {io | local | memory | peer ip_address}}

Example:host1/Admin# show ntp peer-status

Displays the NTP statistics and information.


• peer-status—Displays the status for all configured NTP servers and peers.

• peers—Displays a listing of all NTP peers.

• statistics—Displays the NTP statistics.

• io—Displays the input/output statistics.

• local—Displays the counters maintained by the local NTP.

• memory—Displays the statistic counters related to the memory code.

• peer—Displays the per-peer statistics counter of a peer.

• ip_address—Displays the peer statistics for the specified IP address.

Table 2-3 Field Descriptions for the show ntp peer-status Command

Field Description

Total Peers Number of associated peers

Remote IP addresses that correspond to the remote server and peer entries listed in the configuration file

Local IP addresses that correspond to the local server and peer entries listed in the configuration file

St The stratum

Poll The poll interval (in seconds)

Reach The status of the reachability register (see RFC-1305) in octal

Delay The latest delay (in microseconds)

Peer IP Address IP address of each associated peer

Serv/Peer Indication of whether the peer functions as an NTP server or NTP peer


OL-25343-01


Table 2-4 describes the fields in the show ntp peers command output.

Table 2-5 describes the fields in the show ntp statistics io command output.

Table 2-6 describes the fields in the show ntp statistics local command output.

Table 2-4 Field Descriptions for the show ntp peers Command

Field Description

Peer IP Address The IP address of each associated peer

Serv/Peer Indicates whether the peer functions as an NTP server or NTP peer

Table 2-5 Field Descriptions for show ntp statistics io Command

Field Description

Time since reset Time since the last reset of the NTP software on the primary server.

Receive buffers Total number of UDP client-receive buffers.

Free receive buffers Current number of available client-receive buffers.

Used receive buffers Current number of unavailable client-receive buffers.

Low water refills Total number of times buffers were added, which also indicates the number of times there have been low memory resources during buffer creation.

Dropped packets Total number of NTP packets dropped by the ACE appliance.

Ignored packets Total number of NTP packets ignored by the ACE appliance.

Received packets Total number of NTP packets received by the ACE appliance.

Packets sent Total number of NTP packets transmitted by the ACE appliance.

Packets not sent Total number of NTP packets not sent by the ACE appliance due to an error.

Interrupts handled Total number of NTP timer interrupts handled by the ACE appliance.

Received by int Total number of pulses received that triggered an interrupt.

Table 2-6 Field Descriptions for show ntp statistics local Command

Field Description

System uptime Length of time that the ACE appliance has been running.

Time since reset Time in hours since the ACE appliance was last rebooted.

Old version packets Number of packets that match the previous NTP version. The version number is in every NTP packet.

New version packets Number of packets that match the current NTP version. The version number is in every NTP packet.

Unknown version number Number of packets with an unknown NTP version.

Bad packet format Number of NTP packets that were received and dropped by the ACE appliance due to an invalid packet format.

Packets processed Number of NTP packets received and processed by the ACE appliance.

Bad authentication Number of packets not verified as authentic.


OL-25343-01


Table 2-7 describes the fields in the show ntp statistics memory command output.

Table 2-8 describes the fields in the show ntp statistics peer command output.

Table 2-7 Field Descriptions for show ntp statistics memory Command

Field Description

Time since reset Time in hours since the ACE appliance was last rebooted.

Total peer memory Total peer memory available for the allocation of memory to peer structures.

Free peer memory Current available peer memory.

Calls to findpeer The number of calls to findpeer.

Note findpeer is an entry point to the allocation of memory to peer structures that looks for matching peer structures in the peer list.

New peer allocations Number of allocations from the free list.

Peer demobilizations Number of structures freed to the free list.

Hash table counts The count of peers in each hash table.

Table 2-8 Field Descriptions for show ntp statistics peer Command

Field Description

Remote Host IP address of the specified peer.

Local Interface IP address of specified local interface.

Time Last Received Time that the last NTP response was received.

Time Until Next Send Length of time until the next send attempt.

Reachability Change The reachability status for the peer.

Packets Sent Number of packets sent to the NTP peer.

Packets Received Number of packets received from the NTP peer.

Bogus Origin Number of packets received from the NTP peer of a suspect origin.

Duplicate Number of duplicate packets received from the NTP peer.

Bad Dispersion Number of packets with an invalid dispersion.

Note Dispersion measures the errors of the offset values, based on the round-trip delay and the precision of the system and the server.

Bad Reference Time Number of packets with an invalid reference time source.

Candidate Order Order in which the ACE appliance may consider this server when it chooses the master.


OL-25343-01


Displaying Other ACE Appliance Setup Configuration Information

To display the ACE appliance setup configuration information, use the following show commands from Exec mode:

For detailed information about the fields in the output from these commands, refer to the Command Reference, Cisco ACE Application Control Engine.

Clearing NTP StatisticsTo clear the NTP statistical information, use the following command from Exec mode:

Command Purpose

show banner motd Displays the configured banner message (see the “Configuring a Message-of-the-Day Banner” section).

show bootvar Displays the BOOT environment variable settings (see the “Setting the BOOT Environment Variable” section).

show clock Displays the current clock settings (see the “Setting the System Time and Date” or the “Configuring the Time Zone” sections).

show login timeout Displays the configured login time value (see the “Configuring an ACE Appliance Inactivity Timeout” section).

show terminal Displays the console terminal settings (see the “Configuring Terminal Display Attributes” section).

Command Purpose

clear ntp statistics {all-peers | io | local | memory}

Clears the NTP statistics and information.

The keywords are as follows:

• all-peers—Clears I/O statistics for all peers

• io—Clears I/O statistics for I/O devices

• local—Clears I/O statistics for local devices

• memory—Clears I/O statistics for memory


OL-25343-01



OL-25343-01

OL-25343-01

C O N T E N T S

Preface iii

Audience iii

How to Use This Guide iv

Related Documentation v

Symbols and Conventions vii

Obtaining Documentation, Obtaining Support, and Security Guidelines viii

C H A P T E R 1 Setting Up the ACE Module 1-1

Prerequisites for Setting Up the ACE Module 1-1

Default Settings 1-2

Setting Up the ACE Module 1-2

Establishing a Console Connection on the ACE Module 1-3

Sessioning and Logging In to the ACE Module 1-4

Changing or Resetting the Administrative Password 1-5

Changing the Administrative Password 1-6

Resetting the Administrator Account Password 1-7

Assigning a Name to the ACE Module 1-9

Configuring an ACE Module Inactivity Timeout 1-9

Configuring a Message-of-the-Day Banner 1-10

Configuring the Date and Time 1-12

Configuring the Time Zone 1-12

Adjusting for Daylight Saving Time 1-15

Configuring Terminal Settings 1-17

Configuring Terminal Display Attributes 1-17

Configuring Console Line Settings 1-19

Configuring Virtual Terminal Line Settings 1-20

Setting the Daughter Card Network Processor for Console Access 1-21

Modifying the Boot Configuration 1-21

Setting the Boot Method from the Configuration Register 1-22

Setting the BOOT Environment Variable 1-23

Using Data Path Online Diagnostics 1-24

Enabling and Disabling Bootup Diagnostics 1-25

Running On-Demand Diagnostics 1-25

Stopping a Running Test 1-25

37Administration Guide, Cisco ACE Application Control Engine

Contents

Health Monitoring Diagnostics 1-25

Displaying ACE Diagnostic Failures on the Supervisor Engine 1-26

Restarting the ACE Module 1-26

Restarting the ACE Module from the CLI 1-26

Restarting the ACE Module from the Catalyst CLI 1-27

Using ROMMON to Specify the System Boot Image During a Restart 1-28

Shutting Down the ACE Module 1-29

Displaying the ACE Module Setup Configuration 1-30

C H A P T E R 2 Setting Up the ACE Appliance 2-1

Prerequisites for Setting Up the ACE Appliance 2-1


Setting Up the ACE Appliance 2-2

Establishing a Console Connection on the ACE Appliance 2-3

Using the Setup Script to Enable Connectivity to the Device Manager 2-4

Connecting and Logging In to the ACE Appliance 2-7

Changing or Resetting the Administrative Password 2-8

Changing the Administrative Password 2-8

Resetting the Administrator Account Password 2-9

Assigning a Name to the ACE Appliance 2-10

Configuring an ACE Appliance Inactivity Timeout 2-11

Configuring a Message-of-the-Day Banner 2-12

Configuring the Date and Time 2-14

Setting the System Time and Date 2-14

Configuring the Time Zone 2-15

Adjusting for Daylight Saving Time 2-18

Synchronizing the ACE Appliance with an NTP Server 2-20

Configuring Terminal Settings 2-22

Configuring Terminal Display Attributes 2-22

Configuring Virtual Terminal Line Settings 2-24

Modifying the Boot Configuration 2-25

Setting the Boot Method from the Configuration Register 2-25

Setting the BOOT Environment Variable 2-26

Configuring the ACE Appliance to Bypass the Startup Configuration File During the Boot Process 2-27

Restarting the ACE Appliance 2-29

Restarting the ACE Appliance From the CLI 2-30

Using the GRUB Boot Loader to Specify the System Boot Image During a Reload 2-30

Shutting Down the ACE Appliance 2-31


OL-25343-01

Contents

Displaying or Clearing the ACE Appliance Setup Configuration and Statistics 2-31

Displaying ACE Appliance Setup Configuration and Statistics 2-31

Displaying NTP Statistics and Information 2-32

Displaying Other ACE Appliance Setup Configuration Information 2-35

Clearing NTP Statistics 2-35

C H A P T E R 2 Enabling Remote Access to the ACE 2-1

Guidelines and Restrictions 2-1


Enabling Remote Access to the ACE 2-2

Task Flow for Enabling Remote Access to the ACE 2-3

Configuring Remote Network Management Traffic Services 2-5

Creating and Configuring a Remote Management Class Map 2-5

Creating a Layer 3 and Layer 4 Remote Access Policy Map 2-9

Applying a Service Policy Globally to All VLAN Interfaces in the Same Context 2-13

Applying a Service Policy to a Specific VLAN Interface 2-14

Configuring the Maximum Number of Telnet Management Sessions 2-17

Configuring SSH Management Session Parameters 2-18

Configuring Maximum the Number of SSH Sessions 2-18

Generating SSH Host Key Pairs 2-19

Terminating an Active User Session 2-21

Enabling ICMP Messages to the ACE 2-22

Directly Accessing a User Context Through SSH 2-23

Displaying Remote Access Session Information 2-24

Displaying Telnet Session Information 2-24

Displaying SSH Session Information 2-25

Displaying Other Remote Access Session Information 2-26

Configuration Example for Enabling Remote Access to the ACE 2-26

C H A P T E R 3 Managing ACE Software Licenses 3-1

ACE Module License Bundles 3-1

ACE Appliance License Bundles and Migration Paths 3-2


Prerequisites 3-3

Default Feature Capabilities 3-4

Managing ACE Software Licenses 3-4

Tasks for Ordering an Upgrade License and Generating a Key 3-4

Copying a License File to the ACE 3-5


OL-25343-01

Contents

Installing a New or Upgrade License File 3-6

Replacing a Demo License with a Permanent License 3-7

Removing a License Bundle or All License Bundles from the ACE 3-7

Downgrading the ACE Software to a Release Prior to A4(2.0) 3-11

Backing Up an ACE License File 3-11

Retrieving an ACE License File 3-12

Displaying ACE License Configurations and Statistics 3-13

C H A P T E R 4 Managing the ACE Software 4-1

Saving Configuration Files 4-1

Saving the Configuration File in Flash Memory 4-2

Saving Configuration Files to a Remote Server 4-2

Copying the Configuration File to the disk0: File System 4-4

Merging the Startup-Configuration File with the Running-Configuration File 4-4

Displaying Configuration File Content 4-5

Clearing the Startup-Configuration File 4-6

Copying Configuration Files from a Remote Server 4-7

Displaying the Configuration Download Progress Status 4-8

Using the File System on the ACE 4-10

Copying Files 4-10

Copying Files Between Directories in the disk0: File System on the ACE 4-11

Copying Licenses 4-11

Copying a Packet Capture Buffer 4-12

Copying a Scripted Probe File 4-13

Copying Files to a Remote Server 4-14

Copying Files from a Remote Server 4-15

Copying an ACE Software System Image to a Remote Server 4-15

Uncompressing Files in the disk0: File System 4-16

Untarring Files in the disk0: File System 4-17

Creating a New Directory 4-18

Deleting an Existing Directory 4-18

Moving Files 4-19

Deleting Files 4-19

Displaying Files Residing On the ACE 4-21

Saving show Command Output to a File 4-23

Using Backup and Restore 4-24

Information About the Backup and Restore Features 4-24

Archive File 4-25

Archive Naming Conventions 4-25


OL-25343-01

Contents

Archive Directory Structure and Filenames 4-25

Guidelines and Limitations 4-26

Defaults 4-27

Backing Up the ACE Configuration Files and Dependencies 4-27

Restoring the ACE Configuration Files and Dependencies 4-28

Copying a Backup Archive to a Server 4-33

Displaying the Status of the Backup Operation 4-34

Displaying the Status of the Restoration 4-35

Displaying Backup and Restore Errors 4-35

Managing Core Dump Files 4-36

Copying Core Dumps 4-37

Clearing the Core Directory 4-38

Deleting a Core Dump File 4-39

Capturing Packet Information 4-39

Enabling the Packet Capture Function 4-40

Copying Packet Capture Buffer Information 4-43

Displaying or Clearing Packet Information 4-43

Using the Configuration Checkpoint and Rollback Service 4-44

Creating a Configuration Checkpoint 4-44

Deleting a Configuration Checkpoint 4-45

Rolling Back a Running Configuration 4-46

Copying a Checkpoint 4-47

Comparing a Checkpoint with the Running-Configuration File 4-48

Displaying Checkpoint Information 4-48

Setting Thresholds for and Displaying the Network Processor Buffer Usage 4-49

Reformatting the ACE Module Flash Memory 4-51

Reformatting the ACE Appliance Flash Memory 4-51

C H A P T E R 5 Displaying ACE Hardware and Software System Information 5-1

Information About Displaying ACE Hardware and Software Information 5-1

Displaying Hardware Information 5-2

Displaying Installed Software Information 5-5

Displaying System Processes and Memory Resources Limits 5-7

Displaying General System Process Information 5-8

Displaying Detailed Process Status Information and Memory Resource Limits 5-14

Displaying System Information 5-17

Displaying or Clearing ICMP Statistics 5-19

Displaying or Collecting Technical Information for Reporting Problems 5-21


OL-25343-01

Contents

C H A P T E R 6 Configuring Redundant ACEs 6-1

Information About Redundancy 6-1

Redundancy Protocol 6-2

Stateful Failover 6-4

FT VLAN 6-4

Configuration Synchronization 6-5

Redundancy State for Software Upgrade or Downgrade 6-5



Configuring Redundant ACEs 6-7

Task Flow for Configuring Redundancy 6-8

Configuring Redundancy 6-9

Configuring an FT VLAN 6-10

Configuring an Alias IP Address 6-12

Configuring an FT Peer 6-13

Configuring an FT Group 6-15

Modifying an FT Group 6-17

Specifying the Peer Hostname 6-18

Specifying the MAC Address Banks for a Shared VLAN 6-18

Forcing a Failover 6-19

Synchronizing Redundant Configurations 6-20

Disabling Connection Replication 6-23

Configuring Tracking and Failure Detection 6-24

Configuring Tracking and Failure Detection for a Host or Gateway 6-25

Configuring Tracking and Failure Detection for an Interface 6-28

Configuring ACE Module Tracking and Failure Detection for an HSRP Group 6-30

Displaying or Clearing Redundancy Information 6-33

Displaying Redundancy Information 6-33

Displaying Redundancy Configuration Information 6-34

Displaying Bulk Synchronization Command Failures on the Standby ACE 6-34

Displaying FT Group Information 6-35

Displaying the Redundancy Internal Software History 6-37

Displaying the IDMAP Table 6-37

Displaying Memory Statistics 6-38

Displaying Peer Information 6-38

Displaying FT Statistics 6-40

Displaying FT Tracking Information 6-42

Clearing Redundancy Statistics 6-44

Clearing Transport-Layer Statistics 6-45


OL-25343-01

Contents

Clearing Heartbeat Statistics 6-45

Clearing Tracking-Related Statistics 6-45

Clearing All Redundancy Statistics 6-46

Clearing the Redundancy History 6-46

Configuration Example of Redundancy 6-46

C H A P T E R 7 Configuring SNMP 7-1

Information About SNMP 7-1

Managers and Agents 7-2

SNMP Manager and Agent Communication 7-3

SNMP Traps and Informs 7-3

SNMPv3 CLI User Management and AAA Integration 7-4

CLI and SNMP User Synchronization 7-4

Multiple String Index Guidelines 7-5

ACE Module Supported MIBs 7-6

ACE Appliance Supported MIBs 7-14

ACE Supported and Unsupported Tables and Objects 7-25

ACE SNMP Notifications (Traps) 7-38

Default Settings for SNMP 7-42

Configuring SNMP 7-42

Task Flow for Configuring SNMP 7-42

Configuring SNMP Users 7-44

Defining SNMP Communities 7-47

Configuring an SNMP Contact 7-48

Configuring an SNMP Location 7-49

Configuring SNMP Notifications 7-50

Configuring SNMP Notification Hosts 7-50

Enabling SNMP Notifications 7-52

Enabling the IETF Standard for SNMP linkUp and linkDown Traps 7-54

Unmasking the SNMP Community Name and Community Security Name OIDs 7-55

Assigning a Trap-Source Interface for SNMP Traps 7-56

Accessing ACE User Context Data Through the Admin Context IP Address 7-57

Accessing User Context Data When Using SNMPv1/v2 7-58

Accessing User Context Data When Using SNMPv3 7-58

Configuring an SNMPv3 Engine ID for an ACE Context 7-58

Configuring SNMP Management Traffic Services 7-59

Creating and Configuring a Layer 3 and Layer 4 Class Map 7-60

Creating a Layer 3 and Layer 4 Policy Map 7-62



OL-25343-01

Contents


Displaying SNMP and Service Policy Statistics 7-66

Displaying SNMP Statistics and Configuration Information 7-67

Displaying or Clearing SNMP Service Policy Statistics 7-70

Example of an SNMP Configuration 7-70

C H A P T E R 8 Configuring the XML Interface 8-1

Information About XML 8-1

HTTP and HTTPS Support with the ACE 8-2

HTTP Return Codes 8-3

XML Schema 8-5



Configuring the XML Interface 8-7

Task Flow for Configuring XML 8-7

Configuring HTTP and HTTPS Management Traffic Services 8-8

Creating and Configuring a Class Map 8-9

Creating a Layer 3 and Layer 4 Policy Map 8-12



Enabling the Display of Raw XML Request show Command Output in XML Format 8-17

Accessing the ACE XML Schema File 8-19

Displaying or Clearing XML Service Policy Statistics 8-21

Example of ACE CLI Command and the XML Equivalent 8-21

I N D E X


OL-25343-01

AdministOL-25343-01

C H A P T E R 2
Enabling Remote Access to the ACE
Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. All features described in this chapter are supported with IPv6 unless otherwise noted.

This chapter describes how to configure remote access to the ACE by establishing a remote connection by using the Secure Shell (SSH) or Telnet protocols. It also describes how to configure the ACE to provide direct access to a user context from SSH. This chapter also covers how to configure the ACE to receive ICMP messages from a host.

This chapter contains the following major sections:

• Guidelines and Restrictions


• Enabling Remote Access to the ACE

• Displaying Remote Access Session Information

• Configuration Example for Enabling Remote Access to the ACE

Note For information about how to make a direct connection using a dedicated terminal attached to the Console port on the front of the ACE, configure terminal display attributes, and configure terminal line settings for accessing the ACE by console or virtual terminal connection, see either Chapter 1, Setting Up the ACE Module or Chapter 2, Setting Up the ACE Appliance.

Guidelines and Restrictions The guidelines and restrictions for the remote access function are as follows:

• If you configure an ACL on an interface to block certain traffic and a management policy on that same interface allows that traffic, the management policy overrides the ACL and the ACE allows the traffic.

• Telnet Management Sessions—The ACE supports a maximum 16 concurrent Telnet management sessions for the Admin context and 4 concurrent Telnet management sessions for each user context. The ACE supports a total maximum of 256 concurrent Telnet sessions. Telnet is not supported with IPv6.


Chapter 2 Enabling Remote Access to the ACEDefault Settings

• SSH Management Sessions—The ACE supports a maximum of 16 concurrent SSH management sessions for the Admin context and 4 concurrent SSH management sessions for each user context. The ACE supports a total maximum of 256 concurrent SSH sessions. SSH is not supported with IPv6.

The ACE can generate the DSA and RSA keys required to establish an SSH session and encrypt and decrypt messages. The keys are generated in pairs—one public key and one private key. The global administrator performs the key generation in the Admin context. All contexts associated with the ACE share the common key. There is only a single host-key pair.

• ICMP Messages—By default, the ACE does not allow ICMP messages to be received by an ACE interface or to pass through the ACE interface. ICMP is an important tool for testing your network connectivity; however, network hackers can also use ICMP to attack the ACE or your network. We recommend that you allow ICMP during your initial testing, but then disallow it during normal operation. ICMPv6 is supported.

Default SettingsTable 2-1 lists the default settings for the ACE remote access function.

Enabling Remote Access to the ACEThis section describes the tasks associated with enabling remote access to the ACE and includes the following topics:

• Task Flow for Enabling Remote Access to the ACE

• Configuring Remote Network Management Traffic Services

• Configuring the Maximum Number of Telnet Management Sessions

• Configuring SSH Management Session Parameters

• Terminating an Active User Session

• Enabling ICMP Messages to the ACE

• Directly Accessing a User Context Through SSH

Table 2-1 Default Remote Access Parameters

Parameters Default

Concurrent Telnet management sessions per context Admin context: 16

User context: 4 (each)

Concurrent SSH management sessions per context Admin context: 16

User context: 4 (each)

Ability of an ACE interface to receive ICMP messages or allow ICMP messages to pass through it

Disabled

Status of the following match protocol command protocols: http, https, icmp, kalap-udp, snmp, ssh, telnet, and xml-https (ACE appliance only).

Disabled


OL-25343-01

Chapter 2 Enabling Remote Access to the ACEEnabling Remote Access to the ACE

Task Flow for Enabling Remote Access to the ACEFollow these steps to enable IPv6 remote access to the ACE:

Step 1 If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, log directly in to, or change to, the correct context.

host1/Admin# changeto C1host1/C1#

The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.

Step 2 Enter configuration mode.

host1/Admin# configEnter configuration commands, one per line. End with CNTL/Zhost1/Admin(config)#

Step 3 Create a class map that permits network management traffic to be received by the ACE based on the ICMPv6 and the client source IP address.

host1/Admin(config)# class-map type management match-all ICMPv6_ALLOW_CLASShost1/Admin(config-cmap-mgmt)# match protocol icmpv6 source-address 2001:DB8:1::/64orhost1/Admin(config-cmap-mgmt)# match protocol icmpv6 anyv6host1/Admin(config-cmap-mgmt)# exithost1/Admin(config)#

Step 4 Configure a policy map that allows ICMPv6 traffic.

host1/Admin(config)# policy-map type management first-match ICMPv6_REMOTE_MGMT_ALLOW_POLICYhost1/Admin(config-pmap-mgmt)# class ICMPv6_ALLOW_CLASSorhost1/Admin(config-pmap-mgmt)# class ipv6 class-defulthost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config)#

Step 5 Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same context. For example, to specify an interface VLAN and apply the remote management policy map to the VLAN, enter:

host1/Admin(config)# interface vlan 100host1/Admin(config-if)# ipv6 enablehost1/Admin(config-if)# ip address 2001:DB8:1::/64host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICYhost1/Admin(config-if)# exit

Step 6 (Optional) Save your configuration changes to Flash memory.

host1/Admin(config)# exithost1/Admin# copy running-config startup-config

Follow these steps to enable IPv4 remote access to the ACE:



OL-25343-01






Step 3 Create a class map that permits network management traffic to be received by the ACE based on the network management protocol (SSH or Telnet) and client source IP address.

host1/Admin(config)# class-map type management match-all SSH-ALLOW_CLASShost1/Admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254host1/Admin(config-cmap-mgmt)# exithost1/Admin(config)# host1/Admin(config)# class-map type management match-all TELNET-ALLOW_CLASShost1/Admin(config-cmap-mgmt)# match protocol telnet source-address 172.16.10.0 255.255.255.254host1/Admin(config-cmap-mgmt)# exithost1/Admin(config)#

Step 4 Configure a policy map that activates the SSH and Telnet management protocol classifications.

host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICYhost1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# exithost1/Admin(config)#

Step 5 Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same context. For example, to specify an interface VLAN and apply the remote management policy map to the VLAN, enter:

host1/Admin(config)# interface vlan 50host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICYhost1/Admin(config-if)# exit

Step 6 (Optional) Configure the maximum number of Telnet sessions allowed for each context.

host1/Admin(config)# telnet maxsessions 3

Step 7 (Optional) Configure the maximum number of SSH sessions allowed for each context.

host1/Admin(config)# ssh maxsessions 3

Step 8 If you have global administrator privileges, use the ssh key command to generate the SSH private key and the corresponding public key for use by the SSH server. There is only one host-key pair. For example, to generate an RSA1 key pair in the Admin context, enter:

host1/Admin(config)# ssh key rsa1 768generating rsa1 key(768 bits)......generated rsa1 key



OL-25343-01



Step 10 (Optional) Terminate an active SSH or Telnet session for the active context by using one of the following commands in Exec mode:

• clear ssh {session_id | hosts}

• clear telnet session_id

host1/Admin# clear ssh 345

Configuring Remote Network Management Traffic ServicesThis section provides an overview on creating a class map, policy map, and service policy for remote network access to the ACE. The following items summarize the role of each function in configuring remote network management access to the ACE:

• Class map—Provides the remote network traffic match criteria to permit traffic based on:

– Remote access network management protocols (SSH, Telnet, or ICMP)

– Client source IP address

• Policy map—Enables remote network management access for a traffic classification that matches the criteria listed in the class map.

• Service policy—Activates the policy map and attaches the traffic policy to an interface or globally on all interfaces.

Telnet and SSH remote access sessions are established to the ACE on a per context basis. For details on creating users and contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.


• Creating and Configuring a Remote Management Class Map

• Creating a Layer 3 and Layer 4 Remote Access Policy Map

• Applying a Service Policy Globally to All VLAN Interfaces in the Same Context

• Applying a Service Policy to a Specific VLAN Interface

Creating and Configuring a Remote Management Class Map

This section describes how to create a Layer 3 and Layer 4 class map to classify the remote network management traffic received by the ACE. The class map permits network management traffic to be received by the ACE by identifying the incoming IP protocols that the ACE can receive as well as the client source IP address and subnet mask as the matching criteria. You define the allowed network traffic to manage security for protocols such as SSH, Telnet, and ICMP. You also determine how the ACE evaluates multiple match statements operations when multiple match criteria exist in a class map.

The class map identifies the remote network access management protocols that can be received by the ACE. You configure the associated policy map to permit access to the ACE for the specified management protocols. As part of the network management access traffic classification, you also specify either a client source host IP address and subnet mask as the matching criteria or instruct the ACE to allow any client source address for the management traffic classification.


OL-25343-01


Detailed Steps

Command Purpose

Step 1 config



Step 2 class-map type management [match-all | match-any] map_name

Example:host1/Admin(config)# class-map type management match-all SSH-TELNET_ALLOW_CLASShost1/Admin(config-cmap-mgmt)#

Creates a Layer 3 and Layer 4 class map to classify the remote network management traffic received by the ACE.


• match-all | match-any—(Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network management traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:

– match-all —(Default) All of the match criteria listed in the class map are satisfied to match the network traffic class in the class map, typically match commands of the same type.

– match-any—Any one of the match criteria listed in the class map is satisfied to match the network traffic class in the class map, typically match commands of different types.

• map_name—Specifies the name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

The CLI enters the class map management configuration mode.

no class-map type management [match-all | match-any] map_name

Example:host1/Admin(config)# no class-map type management match-all SSH-TELNET_ALLOW_CLASS

(Optional) Removes a Layer 3 and Layer 4 network management class map from the ACE.


OL-25343-01


Step 3 (ACE module only)[line_number] match protocol {http | https | icmp | icmpv6 | kalap-udp | snmp | ssh | telnet} {any | anyv6 | source-address {ipv6_address/prefix_length | ipv4_address mask}}

(ACE appliance only)[line_number] match protocol {http | https | icmp | icmpv6 | kalap-udp | snmp | ssh | telnet | xml-https} {any | anyv6 | source-address {ipv6_address/prefix_length | ipv4_address mask}}

Example:ACE_1/Admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254ACE_1/Admin(config-cmap-mgmt)# match protocol telnet source-address 172.16.10.0 255.255.255.254

Classifies the remote network management traffic received by the ACE. Include one or more of the match protocol commands to configure the match criteria for the class map.


• line_number—(Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.

• http—Specifies the Hypertext Transfer Protocol (HTTP). The configuration of the HTTP management protocol is described in Chapter 8, Configuring the XML Interface.

• https—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP). The configuration of the HTTPS management protocol is described in Chapter 8, Configuring the XML Interface.

(ACE appliance only) HTTPS is used for connectivity with the Device Manager GUI on the ACE appliance using port 443.

• icmp—Specifies Internet Control Message Protocol messages to the ACE. The configuration of the ICMP management protocol is described in the “Enabling ICMP Messages to the ACE” section.

• icmpv6—Specifies Internet Control Message Protocol Version 6 messages to the ACE. The configuration of the ICMPv6 management protocol is described in the “Enabling ICMP Messages to the ACE” section.

• kalap-udp—Specifies management access using KAL-AP over UDP. The configuration of the KAL-AP management access is described in the “Configuring Health Monitoring” chapter of the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

• snmp—Specifies the Simple Network Management Protocol (SNMP). The configuration of the SNMP management protocol is described in Chapter 7, Configuring SNMP.

• ssh—Specifies a Secure Shell (SSH) remote connection to the ACE. The ACE supports the SSH remote shell functionality provided in SSH Version 1 and supports DES and 3DES ciphers. The configuration of the SSH management protocol is described in the “Configuring SSH Management Session Parameters” section.

Note SSH v1.x and v2 are entirely different protocols and are not compatible. Make sure that you use an SSH v1.x client when accessing the ACE.

Command Purpose


OL-25343-01


(ACE module only)[line_number] match protocol {http | https | icmp | icmpv6 | kalap-udp | snmp | ssh | telnet} {any | anyv6 | source-address {ipv6_address/prefix_length | ipv4_address mask}}

(ACE appliance only)[line_number] match protocol {http | https | icmp | icmpv6 | kalap-udp | snmp | ssh | telnet | xml-https} {any | anyv6 | source-address {ipv6_address/prefix_length | ipv4_address mask}}

• telnet—Specifies a Telnet remote connection to the ACE. The configuration of the Telnet management protocol is described in the “Configuring the Maximum Number of Telnet Management Sessions” section.

• (ACE appliance only) xml-https—Specifies HTTPS as transfer protocol to send and receive XML documents between the ACE and a Network Management System (NMS). Communication is performed using port 10443.

You can enable both https and xml-https in a Layer 3 and Layer 4 network management class map. The use of the HTTPS management protocol for XML usage is described in Chapter 8, Configuring the XML Interface.

• any—Specifies any IPv4 client source address for the management traffic classification.

• anyv6—Specifies any IPv6 client source address for the management traffic classification.

• source-address—Specifies a client source host IP address and subnet mask as the network traffic matching criteria. As part of the classification, the ACE implicitly obtains the destination IP address from the interface on which you apply the policy map.

• ipv6_address—Source IPv6 address of the client.

• /prefix_length—Specifies how many of the most significant bits (MSBs) of the IPv6 address are used for the network identifier. Enter a a forward slash character (/) followed by an integer from 1 to 128. The default is /128. If you use the optional eui64 keyword, you must enter a prefix-length and the prefix must be less than or equal to /64.

• ipv4_address—Source IPv4 address of the client.

• mask—Subnet mask of the client in dotted-decimal notation.

(ACE module only)no match protocol {http | https | icmp | icmpv6 | kalap-udp | snmp | ssh | telnet} {any | anyv6 | source-address {ipv6_address/prefix_length | ipv4_address mask}}

(ACE appliance only)no match protocol {http | https | icmp | icmpv6 | kalap-udp | snmp | ssh | telnet | xml-https} {any | anyv6 | source-address {ipv6_address/prefix_length | ipv4_address mask}}

Example:ACE_1/Admin(config-cmap-mgmt)# no match protocol ssh source-address 192.168.10.1 255.255.255.0

(Optional) Deselects the specified network management protocol match criteria from the class map.

Command Purpose


OL-25343-01


Creating a Layer 3 and Layer 4 Remote Access Policy Map

This section describes how to create a Layer 3 and Layer 4 policy map for a Layer 3 and Layer 4 traffic classification with actions to define the network management traffic received by the ACE. The general steps to configure a Layer 3 and Layer 4 network traffic policy are as follows:

• Configure a Layer 3 and Layer 4 policy map that defines the different actions that are applied to the IP management traffic received by the ACE. The ACE executes the specified action only for traffic that meets the first matching classification with a policy map. The ACE does not execute any additional actions.

• Optionally, provide a brief description about the Layer 3 and Layer 4 remote management policy map.

• Specify a Layer 3 and Layer 4 traffic class that you created with the class-map command to associate network traffic with the traffic policy.

• Allow the network management traffic that is listed in the Layer 3 and Layer 4 class map to be received or rejected by the ACE.

Step 4 description text

Example:host1/Admin(config-cmap-mgmt)# description Allow Telnet access to the ACE

Provides a brief summary about the Layer 3 and Layer 4 remote management class map.

no description text

Example:host1/Admin(config-cmap-mgmt)# no description

(Optional) Removes the description from the class map.


Example:ACE_1/Admin(config-cmap-mgmt))# do copy running-config startup-config


Command Purpose


OL-25343-01


Detailed Steps

Command Purpose

Step 1 config



Step 2 policy-map type management first-match map_name

Example:host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICYhost1/Admin(config-pmap-mgmt)#

Configures a Layer 3 and Layer 4 policy map that defines the different actions that are applied to the IP management traffic received by the ACE.

The map_name argument specifies the name assigned to the Layer 3 and Layer 4 network management policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

When you use this command, you will access policy map management configuration mode.

no policy-map type management first-match map_name

Example:host1/Admin(config)# no policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

(Optional) Removes a policy map from the ACE.


Example:host1/Admin(config-pmap-mgmt)# description Allow Telnet access to the ACE

Provides a brief summary about the Layer 3 and Layer 4 remote management policy map.

The text argument specifies the description that you want to provide. Enter an unquoted text string with a maximum of 240 alphanumeric characters.

no description

Example:host1/Admin(config-pmap-mgmt)# no description

(Optional) Removes a description from the policy map.


OL-25343-01


Step 4 class {name1 [insert-before name2] | class-default | class-default-v6}

Example:host1/Admin(config-pmap-mgmt)# class L4_REMOTE_ACCESS_CLASS host1/Admin(config-pmap-mgmt-c)#

Specifies a Layer 3 and Layer 4 traffic class created with the class-map command to associate network traffic with the traffic policy.

The arguments, keywords, and options are as follows:

• name1—Name of a previously defined Layer 3 and Layer 4 traffic class, configured with the class-map command, to associate traffic to the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

• insert-before name2—(Optional) Places the current class map ahead of an existing class map or inline match condition specified by the name2 argument in the policy map configuration. The ACE does not save the sequence reordering as part of the configuration. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

• class-default—Specifies the IPv4 class-default class map for the Layer 3 and Layer 4 traffic policy. This class map is a reserved class map created by the ACE. You cannot delete or modify this class. All IPv4 network traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified IPv4 classifications match, the ACE then matches the action specified under the class class-default command. The class-default class map has an implicit match any statement in it and is used to match any IPv4 traffic classification. The class-default class map has an implicit match any statement that matches all IPv4 traffic.

• class-default-v6—Specifies the IPv6 class-default class map for the Layer 3 and Layer 4 traffic policy. This class map is a reserved class map created by the ACE. You cannot delete or modify this class. All IPv6 network traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match, the ACE then matches the action specified under the class class-default-v6 command. The class-default class map has an implicit match any statement in it and is used to match any IPv6 traffic classification. The class-default-v6 class map has an implicit match any statement that matches all IPv6 traffic.

This command enters the policy map management class configuration mode.

no class {name1 [insert-before name2] | class-default | class-default-v6}

Example:host1/Admin(config-pmap-mgmt)# no class L4_REMOTE_ACCESS_CLASS

(Optional) Remove a class map from a Layer 3 and Layer 4 policy map.

Command Purpose


OL-25343-01


Examples

The following example shows how to create a Layer 3 and Layer 4 remote network traffic management policy map that permits SSH, Telnet, and ICMP connections to be received by the ACE:

host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICYhost1/Admin(config-pmap-mgmt)# class SSH_ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# class TELNET_ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# class ICMP_ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exit

The following example shows how to create a policy map that restricts an ICMP connection by the ACE:

host1/Admin(config)# policy-map type management first-action ICMP_RESTRICT_POLICYhost1/Admin(config-pmap-mgmt)# class ICMP_ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# deny

IPv6 Example

The following example shows how to create a policy map that matches any IPv6 traffic by using the class-default-v6 class map:

host1/Admin(config)# policy-map type management first-action MATCH_ANYV6_POLICYhost1/Admin(config-pmap-mgmt)# class class-default-v6host1/Admin(config-pmap-mgmt-c)# permit

IPv4 Example

The following example shows how to create a policy map that matches any IPv6 traffic by using the class-default-v6 class map:

host1/Admin(config)# policy-map type management first-action MATCH_ANYV6_POLICYhost1/Admin(config-pmap-mgmt)# class class-defaulthost1/Admin(config-pmap-mgmt-c)# permit

Step 5 permit | deny

Example:host1/Admin(config-pmap-mgmt-c)# permit

Allows the network management traffic listed in the Layer 3 and Layer 4 class map to be received or rejected by the ACE as follows:

• Use the permit command in policy map class configuration mode to allow the remote management protocols listed in the class map to be received by the ACE.

• Use the deny command in policy map class configuration mode to refuse the remote management protocols listed in the class map to be received by the ACE.


Example:host1/Admin(config-pmap-mgmt-c)# do copy running-config startup-config


Command Purpose


OL-25343-01


Applying a Service Policy Globally to All VLAN Interfaces in the Same Context

This section describes how to apply a previously created policy map globally to all VLAN interfaces in the same context.

Note the following guidelines when applying a service policy:

• Policy maps, applied globally in a context, are internally applied on all interfaces existing in the context.

• A policy activated on an interface overwrites any specified global policies for overlapping classification and actions.

You can remove a traffic policy map from a VLAN by using either of the following methods:

• Individually from the last VLAN interface on which you applied the service policy

• Globally from all VLAN interfaces in the same context

The ACE automatically resets the associated service policy statistics to provide a new starting point for the service policy statistics the next time that you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.

Note To apply the policy map to a specific VLAN interface only, see the “Applying a Service Policy to a Specific VLAN Interface” section.


The ACE allows only one policy of a specific feature type to be activated on a given interface and only in the input direction.

Detailed Steps

Command Purpose

Step 1 config



Step 2 service-policy input policy_name

Example:host1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Applies the remote access policy map globally to all of the VLANs associated with a context.

The policy_name argument is the name of a previously defined policy map, configured with a previously created policy-map command. The name can be a maximum of 40 alphanumeric characters.

no service-policy input policy_name

Example:host1/Admin(config)# no service-policy input REMOTE_MGMT_ALLOW_POLICY

(Optional) Removes the remote access traffic policy globally from all VLANs associated with a context.





OL-25343-01


Applying a Service Policy to a Specific VLAN Interface

This section describes how to apply a previously created policy map to a specific VLAN interface. A policy activated on an interface overwrites any specified global policies for overlapping classification and actions.

You can remove a traffic policy map from a VLAN by using either of the following methods:

• Individually from the last VLAN interface on which you applied the service policy

• Globally from all VLAN interfaces in the same context (see the “Applying a Service Policy Globally to All VLAN Interfaces in the Same Context” section).

The ACE automatically resets the associated service policy statistics to provide a new starting point for the service policy statistics the next time that you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.

Note To apply the policy map globally to all VLAN interfaces in the same context, see the “Applying a Service Policy Globally to All VLAN Interfaces in the Same Context” section.


The ACE allows only one policy of a specific feature type to be activated on a given interface and only in the input direction.

Step 4 do show service-policy [policy_name [detail]]

Example:host1/Admin(config)# do show service-policy REMOTE_MGMT_ALLOW_POLICY

(Optional) Displays service policy statistics for all policy maps or a specific Layer 3 and Layer 4 remote network traffic management policy map.

The keywords, options, and arguments are as follows:

• policy_name—(Optional) Existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters. If you do not enter the name of an existing policy map, the ACE displays information and statistics for all policy maps.

• detail—(Optional) Displays a more detailed listing of policy map statistics and status information.

Note The ACE updates the counters that the show service-policy command displays after the applicable connections are closed.

Step 5 do clear service-policy policy_name

Example:host1/Admin(config)# do clear service-policy REMOTE_MGMT_ALLOW_POLICY

(Optional) Clears the service policy statistics for a policy map.

For the policy_name argument, enter the identifier of an existing policy map that is currently in service (applied to an interface).

Command Purpose


OL-25343-01


Detailed Steps

Command Purpose

Step 1 config



Step 2 interface vlan number

Example:host1/Admin(config)# interface vlan 50host1/Admin(config-if)#

(Optional) Specifies the VLAN to which the remote access policy map is to be applied.

The number argument specifies the VLAN.

This command enters the interface configuration mode.

Note If you want to process ICMPv6 traffic on this interface, you must enter the ipv6 enable command in interface configuration mode.


Example:host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Attaches the remote access policy map to the specified VLAN only.

The policy_name argument specifies the policy map name.

To apply the policy map globally to all of the VLANs associated with a context, see the “Applying a Service Policy Globally to All VLAN Interfaces in the Same Context” section.


Example:host1/Admin(config-if)# no service-policy input REMOTE_MGMT_ALLOW_POLICY

(Optional) Detaches the remote access traffic policy from the VLAN.


Example:host1/Admin(config-if)# do copy running-config startup-config



OL-25343-01


Examples

The following example shows how to specify an interface VLAN for IPv6 and apply the remote access policy map to a VLAN:

host1/Admin(config)# interface vlan 50host1/Admin(config-if)# ipv6 enablehost1/Admin(config-if)# ip address 2001:DB8:1::/64host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

The following example shows how to specify an interface VLAN for IPv4 and apply the remote access policy map to a VLAN:

host1/Admin(config)# interface vlan 50host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

The following example shows how to display service policy statistics for the REMOTE_MGMT_ALLOW_POLICY policy map:host1/Admin# show service-policy REMOTE_MGMT_ALLOW_POLICYStatus : ACTIVEDescription: Allow mgmt protocols-----------------------------------------Context Global Policy: service-policy: REMOTE_MGMT_ALLOW_POLICY

Step 5 do show service-policy [policy_name [detail]]

Example:host1/Admin(config-if)# do show service-policy REMOTE_MGMT_ALLOW_POLICY

(Optional) Displays service policy statistics for all policy maps or a specific Layer 3 and Layer 4 remote network traffic management policy map.


• policy_name—(Optional) Existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters. If you do not enter the name of an existing policy map, the ACE displays information and statistics for all policy maps.



Step 6 do clear service-policy policy_name

Example:host1/Admin(config-if)# do clear service-policy REMOTE_MGMT_ALLOW_POLICY

(Optional) Clears the service policy statistics for a policy map.


Command Purpose


OL-25343-01


Configuring the Maximum Number of Telnet Management SessionsThis section describes how to control the maximum number of Telnet sessions allowed for each context. Telnet remote access sessions are established on the ACE per context. You can create a context, assign an interface and IP address to it, and then log into the ACE by using Telnet to connect to that IP address. This capability allows you to specify a particular context when accessing the ACE. For details on creating users and contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.


The ACE supports a total maximum of 256 concurrent Telnet sessions. The ACE supports a maximum 16 concurrent Telnet management sessions for the Admin context and 4 concurrent Telnet management sessions for each user context.

Detailed Steps

Command Purpose

Step 1 config



Step 2 telnet maxsessions max_sessions

Example:host1/Admin(config)# telnet maxsessions 3

(Optional) Specifies the maximum number of concurrent Telnet sessions allowed for the associated context.

The max_sessions argument sets the maximum number of concurrent Telnet sessions allowed. The range is from 1 to 16 Telnet sessions for the Admin context and from 1 to 4 Telnet sessions for each user context. The defaults are 16 (Admin context) and 4 (user context).

no telnet maxsessions

Example:host1/Admin(config)# no telnet maxsessions

(Optional) Reverts to the default maximum number of Telnet sessions for the context.

Step 3 do show telnet maxsessions [context_name]

Example:host1/Admin(config)# do show telnet maxsessions

Maximum Sessions Allowed is 4

(Optional) Displays the maximum number of enabled Telnet sessions. Only context administrators can view Telnet session information associated with a particular context.

The optional context_name argument is the name of the context for which you want to view the maximum number of Telnet sessions. The context_name argument is case sensitive.





OL-25343-01


Configuring SSH Management Session ParametersThis section describes how to configure the SSH management session parameters. SSH remote access sessions are established on the ACE per context. You can create a context, assign an interface and IP address to it, and then log into the ACE by using SSH to connect to that IP address. This capability allows you to specify a particular context when accessing the ACE. For details on creating users and contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.


• Configuring Maximum the Number of SSH Sessions

• Generating SSH Host Key Pairs

Configuring Maximum the Number of SSH Sessions

This section describes how to control the maximum number of SSH sessions allowed for each context.


The ACE supports a total maximum of 256 concurrent SSH sessions. The ACE supports a maximum 16 concurrent SSH management sessions for the Admin context and 4 concurrent SSH management sessions for each user context.

Detailed Steps

Command Purpose

Step 1 config



Step 2 ssh maxsessions max_sessions

Example:host1/Admin(config)# ssh maxsessions 3

(Optional) Specifies the maximum number of concurrent SSH sessions allowed for the associated context.

The max_sessions argument sets the maximum number of concurrent SSH sessions allowed. The range is from 1 to 16 SSH sessions for the Admin context and from 1 to 4 SSH sessions for each user context. The defaults are 16 (Admin context) and 4 (user context).

no ssh maxsessions

Example:host1/Admin(config)# no ssh maxsessions

(Optional) Reverts to the default maximum number of SSH sessions for the context.


OL-25343-01


Generating SSH Host Key Pairs

This section describes how to generate an SSH host key pair. The ACE supports remote login over an SSH session that uses private and public key pairs to perform authentication for the context. DSA and RSA keys are generated in pairs—one public key and one private key. With this method of remote connection, use a generated private and public key pair to participate in a secure communication by encrypting and decrypting messages.

The global administrator performs the key generation in the Admin context. All contexts associated with the ACE share the common key. There is only a single host-key pair.

Ensure that you have an SSH host-key pair with the appropriate version before enabling the SSH service (see the “Configuring Remote Network Management Traffic Services” section). The SSH service accepts three types of key pairs for use by SSH versions 1 and 2. Generate the SSH host key pair according to the SSH client version used. The number of bits specified for each key pair ranges from 768 to 4096.

Detailed Steps

Step 3 do show ssh maxsessions [context_name]

Example:host1/Admin(config)# do show ssh maxsessions

Maximum Sessions Allowed is 4

(Optional) Displays the maximum number of enabled SSH sessions. Only context administrators can view SSH session information associated with a particular context.

The optional context_name argument specifies the name of the context for which the context administrator wants to view the maximum number of SSH sessions. The context_name argument is case sensitive.




Command Purpose

Command Purpose

Step 1 changeto Admin

Example:host1/context3# changeto Adminhost1/Admin#

(Optional) Changes to the Admin context.

If you are the administrator or another user authorized in the Admin context, use this command in Exec mode to move to the Admin context. An administrator can perform all allowable functions within the Admin context.

Step 2 config




OL-25343-01



Example:host1/Admin(config)# hostname host1host1/Admin(config)#

Sets the hostname. This setting is used in the generation of the key.

The name argument specifies a new hostname for the ACE. Enter a case-sensitive text string that contains from 1 to 32 alphanumeric characters.

For more information about setting the host name, see the “Assigning a Name to the ACE Module” or “Assigning a Name to the ACE Appliance”.

Step 4 ssh key {dsa | rsa | rsa1} [bits [force]]

Example:host1/Admin(config)# ssh key rsa1 1024

Generates the SSH private key and the corresponding public key.


• dsa—Generates the DSA key pair for the SSH version 2 protocol.

• rsa—Generates the RSA key pair for the SSH version 2 protocol.

• rsa1—Generates the RSA1 key pair for the SSH version 1 protocol.

• bits—(Optional) Number of bits for the key pair. For DSA, the range is from 768 to 2048. For RSA and RSA1, the range is from 768 to 4096. The greater the number of bits that you specify, the longer it takes to generate the key. The default is 1024.

• force—(Optional) Forces the generation of a DSA or RSA key even when previous keys exist. If the SSH key pair option is already generated for the required version, use the force option to overwrite the previously generated key pair.

no ssh key {dsa | rsa | rsa1}

Example:host1/Admin(config)# no ssh key rsa1

(Optional) Removes the SSH host key pair.

Step 5 do show ssh key [dsa | rsa | rsa1]

Example:host1/Admin(config)# do show ssh key rsa

(Optional) Displays the host key pair details for the specified key or for all keys if you do not specify a key.




Step 7 exit

Example:host1/Admin(config)# exithost1/Admin#

(Optional) Returns to the Exec mode prompt.

Step 8 clear ssh hosts

Example:host1/Admin# clear ssh hosts

(Optional) Clears the public keys of all trusted host. These keys are either sent to an SSH client by an SSH server or are entered manually. When a SSH connection is made from the ACE, the SSH client receives the public key and stores it locally.

Command Purpose


OL-25343-01


Examples

The following example shows the show ssh key command output:

host1/Admin # show ssh key**************************************could not retrieve rsa1 key information**************************************rsa Keys generated:Tue Mar 7 19:37:17 2006

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4v4DQ8aNl482qDTRju9G07hEIxCgTWanPm+WOCU1kihZQNd5ZwA50CBAJSfIIIB4iED6iQbhOkbXSneCvTb5mVoish2wvJrETpIDIeGxxh/jWVsU/MeBbA/7o5tvgCeT6p7pGF5oUNYFP0OeZ9BiIWDc4jBmYEQLEqJHPrMhSFE=

bitcount:1024fingerprint:f5:55:00:18:bc:af:41:74:b6:bc:aa:8e:46:31:74:4f**************************************dsa Keys generated:Tue Dec 20 19:37:17 2005

ssh-dss AAAAB3NzaC1kc3MAAACBAPqDdEqU+0gNtKRXM+DQAXnvcB+H89nq8jA4WgJ7uQcuDCLaG7LqjtKTltJjA6aZVywsQWQ6n4kTlkavZy3cj6PUbSyqvmCTsaYyYo4UQ6CKrK9V+NsfgzTSLWTH8iDUvYjLc3nU51QEKjy7mPsQeX31y1M1rhp8qhkbMKxkc49XAAAAFQCPM0QJrq6+kkaghJpeNxeXhUH9HwAAAIEAkeZ1ZJM6sfKqJDYPLHkTro+lpbV9uR4VyYoZmSoehi/LmSaZDq+Mc8UN1LM+i5vkOgnKcearD9lM4/hKzZGYx5hJOiYCKj/ny2a5p/8HK152cnsOAg6ebkiTTWAprcWrcHDS/1mcaI5GzLrZCdlXW5gBFZtMTJGstICmVWjibewAAACBAJQ66zdZQqYiCWtZfmakridEGDTLV6ixIDjBNgb84qlj+Y1XMzqLL0D4oMSb7idEL3BmhQYQW7hkTK0oS4kVawI1VmW2kvrqoGQnLNQRMvisAXuJWKk1Ln6vWPGZZe8KoALv0GXxsOv2gk/zTDk01oCaTVw//bXJtoVRgIlWXLIP

bitcount:1024fingerprint:8e:13:5c:3e:1a:9c:7a:ed:d0:84:eb:96:12:db:82:be**************************************

Terminating an Active User SessionThis section describes how to terminate an active SSH or Telnet session for the active context.

Detailed Steps

Command Purpose

Step 1 show {ssh session-info | telnet}

Example:host1/Admin# show ssh session-info

(Optional) Displays the session information, including the session ID, of all current SSH or Telnet sessions.


• ssh session-info—Displays SSH session information.

• telnet—Displays Telnet session information.

Step 2 clear {ssh | telnet} session_id

Example:host1/Admin# clear ssh 345

Terminates a current SSH or Telnet session depending on which command you enter.

The argument and keyword are as follows:

• ssh—Selects an SSH session type.

• telnet—Selects a Tenet session type.

• session_id—Specifies the identifier of the SSH or Telnet session to disconnect.


OL-25343-01


Enabling ICMP Messages to the ACEThis section describes how to enable ICMP messages on the ACE. By default, the ACE does not allow ICMP messages to be received by an ACE interface or to pass through the ACE interface. ICMP is an important tool for testing your network connectivity; however, network hackers can also use ICMP to attack the ACE or your network. We recommend that you allow ICMP during your initial testing, but then disallow it during normal operation. The ACE supports both ICMPv4 and ICMPv6.

To permit or deny address(es) to reach an ACE interface with ICMP messages, either from a host to the ACE, or from the ACE to a host which requires the ICMP reply to be allowed back, configure one of the following:

• Class map to provide the ICMP network traffic match criteria for the ACE.

• Policy map to enable ICMP network management access to and from the ACE.

• Service policy to activate the policy map, attach the traffic policy to an interface or globally on all interfaces, and specify the direction in which the policy should be applied.

See the “Configuring Remote Network Management Traffic Services” section for details on configuring a network management class map, policy map, and service policy for the ACE.

To allow ICMP messages to pass through the ACE, configure an ICMP ACL to permit or deny network connections based on the ICMP type (for example, echo, echo-reply, or unreachable). See the Security Guide, Cisco ACE Application Control Engine for details.

Note If you want only to allow the ACE to ping a host (and allow the echo reply back to the interface), but not allow hosts to ping the ACE, enable the ICMP application protocol inspection function instead of defining a class map and policy map. See the Security Guide, Cisco ACE Application Control Engine for details.

Examples

The following example shows how to allow the ACE to receive ICMPv6 pings:

host1/Admin(config)# class-map type management match-all ICMPv6_ALLOW_CLASShost1/Admin(config-cmap-mgmt)# description Allow ICMPv6 packetshost1/Admin(config-cmap-mgmt)# match protocol icmpv6 source-address 2001:DB8:1::/64 host1/Admin(config-cmap-mgmt)# exithost1/Admin(config)# policy-map type management first-action ICMPv6_ALLOW_POLICYhost1/Admin(config-pmap-mgmt)# class ICMPv6_ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# exithost1/Admin(config)# interface vlan 50host1/Admin(config-if)# ipv6 enablehost1/Admin(config-if)# ip address 2001:DB8:2::/64host1/Admin(config-if)# service-policy input ICMPv6_ALLOW_POLICY

The following example shows how to allow the ACE to receive ICMPv4 pings:

host1/Admin(config)# class-map type management match-all ICMP-ALLOW_CLASShost1/Admin(config-cmap-mgmt)# description Allow ICMP packetshost1/Admin(config-cmap-mgmt)# match protocol icmp source-address 172.16.10.0 255.255.255.254host1/Admin(config-cmap-mgmt)# exithost1/Admin(config)# policy-map type management first-action ICMP_ALLOW_POLICYhost1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# exit


OL-25343-01


host1/Admin(config)# interface vlan 50host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0host1/Admin(config-if)# service-policy input ICMP_ALLOW_POLICY

Directly Accessing a User Context Through SSHThis section describes how to configure a user context and enable direct login access to that user context from a remote SSH session. To perform this procedure, you must be the global administrator and in the Admin context. The ACE does not support SSH with IPv6 for remote access.

Task Flow

Follow these steps to first configure the ACE to provide direct access to a user context from SSH and then access the user context:

Step 1 Create a user context by entering the following command:

host1/Admin(config)# context C1host1/Admin(config-context)#

See the Virtualization Guide, Cisco ACE Application Control Engine.

Step 2 Associate an existing VLAN with the user context so that the context can receive traffic classified for it by entering the following command:

host1/Admin(config-context)# allocate-interface vlan 100

See the Routing and Bridging Guide, Cisco ACE Application Control Engine.

Step 3 Generate the SSH host key pair by entering the following command:

host1/Admin(config)# ssh key rsa1 768generating rsa1 key(768 bits)......generated rsa1 key

See the “Generating SSH Host Key Pairs” section.

Step 4 Change to the C1 context that you created in Step 1 and enter configuration mode in that context by entering the following commands:

host1/Admin(config-context)# do changeto C1host1/C1(config-context)# exithost1/C1(config)#

Only users authenticated in the Admin context can use the changeto command.

Step 5 Configure the VLAN interface that you allocated to the user context in Step 2 by entering the following commands:

host1/C1(config)# interface vlan 50host1/C1(config-if)# ip address 192.168.1.1 255.255.255.0host1/C1(config-if)# no shutdownhost1/C1(config-if)# exithost1/C1(config)#

For example, assign an IP address to the interface and reenable the interface within the context with the no shutdown command. See the Routing and Bridging Guide, Cisco ACE Application Control Engine.


OL-25343-01

Chapter 2 Enabling Remote Access to the ACEDisplaying Remote Access Session Information

Step 6 Create an SSH remote management policy and apply the associated service policy to all VLAN interfaces or just to the VLAN interface allocated to the user context by entering the following commands:

host1/C1(config)# class-map type management match-all SSH-ALLOW_CLASShost1/C1(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254host1/C1(config-cmap-mgmt)# exithost1/C1(config)# host1/C1(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICYhost1/C1(config-pmap-mgmt)# class SSH-ALLOW_CLASShost1/C1(config-pmap-mgmt-c)# permithost1/C1(config-pmap-mgmt-c)# exithost1/C1(config-pmap-mgmt)# exithost1/C1(config)# interface vlan 50host1/C1(config-if)# ip address 192.168.1.1 255.255.255.0host1/C1(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICYhost1/C1(config-if)# exithost1/C1(config)#

See the “Configuring Remote Network Management Traffic Services” section.

Step 7 Create an IP route by entering the following command:

host1/C1(config)# ip route 0.0.0.0 255.255.255.0 192.168.4.8

See the Security Guide, Cisco ACE Application Control Engine.

Step 8 Follow theses steps to directly access the user context from an SSH client:

a. From the SSH client, establish a remote SSH session to the IP address of the user context VLAN interface.

b. Enter the password for the user context VLAN interface. The ACE CLI prompt appears in Exec mode of the user context.

host1/C1#

Displaying Remote Access Session InformationThis section describes how to display remote access session information and includes the following topics:

• Displaying Telnet Session Information

• Displaying SSH Session Information

• Displaying Other Remote Access Session Information

Displaying Telnet Session InformationTo display a Telnet session, perform the following task:


OL-25343-01

Chapter 2 Enabling Remote Access to the ACEDisplaying Remote Access Session Information

Table 2-2 describes the fields in the show telnet command output.

Displaying SSH Session InformationTo display an SSH session, perform the following task:

Table 2-3 describes the fields in the show ssh session-info command output.

Command Purpose

show telnet [context_name] Displays information related to the Telnet session. Only the context administrator can view Telnet information associated with a particular context.

The optional context_name argument is the name of the context for which you want to view specific Telnet session information. The context_name argument is case sensitive.

Table 2-2 Field Descriptions for the show telnet Command

Field Description

SessionID Unique session identifier for the Telnet session.

Remote Host IP address and port of the remote Telnet client.

Active Time Time since the Telnet connection request was received by the ACE.

Command Purpose

show ssh session-info [context_name]

Displays information related to the SSH session. Only context administrators can view SSH session information associated with a particular context.

The optional context_name argument is the name of the context for which you want to view specific SSH session information. The context_name argument is case sensitive.

Table 2-3 Field Descriptions for the show ssh session-info Command

Field Description

SessionID Unique session identifier for the SSH session.

Remote Host IP address and port of the remote SSH client.

Active Time Time since the SSH connection request was received by the ACE.


OL-25343-01

Chapter 2 Enabling Remote Access to the ACEConfiguration Example for Enabling Remote Access to the ACE

Displaying Other Remote Access Session InformationTo display other remote access configuration information, perform one of the following tasks:

Configuration Example for Enabling Remote Access to the ACEThe following CLI example shows how to configure remote access to the ACE through the use of class maps, policy maps, and service policies with IPv6 management traffic.

Step 1 Create and configure an access control list. The sample access control list shown in this step allows network traffic from any source. For details about configuring an access control list, see the Security Guide, Cisco ACE Application Control Engine.

host1/Admin(config)# access-list ACL1 line 10 extended permit ip anyv6 anyv6

Step 2 Create and configure a class map for network management traffic.

host1/Admin(config)# class-map type management match-any IPv6_L4_REMOTE_MGT_CLASShost1/Admin(config-cmap-mgmt)# description Allows ICMPv6 protocolhost1/Admin(config-cmap-mgmt)# 2 match protocol icmpv6 anyv6host1/Admin(config-cmap-mgmt)# exithost1/Admin(config)#

Step 3 Create and configure a management policy map that activates the SSH and Telnet management protocol classifications.

host1/Admin(config)# policy-map type management first-match L4_REMOTE-MGT_POLICYhost1/Admin(config-pmap-mgmt)# class L4_REMOTE-MGT_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# exithost1/Admin(config)#

Step 4 Alternatively, create and configure a management policy map that matches and permits any IPv6 traffic:

host1/Admin(config)# policy-map type management first-match L4_REMOTE-MGT_POLICYhost1/Admin(config-pmap-mgmt)# class class-deafult-v6

Command Purpose

show running-config Displays the running configuration.

show ssh key [dsa | rsa | rsa1] Displays the host key pair details for the specified key or for all keys if you do not specify a key.

See the “Generating SSH Host Key Pairs” section.

show ssh maxsessions [context_name] Displays the maximum number of enabled SSH sessions. Only context administrators can view SSH session information associated with a particular context.

See the “Configuring Maximum the Number of SSH Sessions” section.

show telnet maxsessions [context_name] Displays the maximum number of enabled Telnet sessions. Only context administrators can view Telnet session information associated with a particular context.

See the “Configuring the Maximum Number of Telnet Management Sessions” section.


OL-25343-01


host1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# exithost1/Admin(config)#

Step 5 Apply the traffic policy to a specific VLAN interface or globally to all VLAN interfaces and enable the interface.

Apply to a specific VLAN interface:

host1/Admin(config)# interface vlan 100host1/Admin(config-if)# ipv6 enablehost1/Admin(config-if)# ip address 2001:DB8:1::/64host1/Admin(config-if)# access-group input ACL1host1/Admin(config-if)# service-policy input L4_REMOTE-MGT_POLICYhost1/Admin(config-if)# no shutdownhost1/Admin(config-if)# exithost1/Admin(config)#

Apply globally to all VLAN interface:

host1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Step 6 Save the configuration to Flash memory.

host1/Admin(config)# do copy running-config startup-config

The following example shows how to configure remote access to the ACE through the use of class maps, policy maps, and service policies with IPv4 management traffic.

Step 1 Enter the configuration mode and set the maximum number of Telnet and SSH sessions.

host1/Admin# confighost1/Admin(config)# telnet maxsessions 3host1/Admin(config)# ssh maxsessions 3

Step 2 Create and configure an access control list. The sample access control list shown in this step allows network traffic from any source. For details about configuring an access control list, see the Security Guide, Cisco ACE Application Control Engine.

host1/Admin(config)# access-list ACL1 line 10 extended permit ip any any

Step 3 Create and configure a class map for network management traffic.

host1/Admin(config)# class-map type management match-any L4_REMOTE-MGT_CLASShost1/Admin(config-cmap-mgmt)# description Allows Telnet, SSH, and ICMP protocolshost1/Admin(config-cmap-mgmt)# 2 match protocol telnet anyhost1/Admin(config-cmap-mgmt)# 3 match protocol ssh anyhost1/Admin(config-cmap-mgmt)# 4 match protocol icmp anyhost1/Admin(config-cmap-mgmt)# exithost1/Admin(config)#

Step 4 Create and configure a policy map that activates the SSH and Telnet management protocol classifications.

host1/Admin(config)# policy-map type management first-match L4_REMOTE-MGT_POLICYhost1/Admin(config-pmap-mgmt)# class L4_REMOTE-MGT_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# exithost1/Admin(config)#


OL-25343-01


Step 5 Apply the traffic policy to a specific VLAN interface or globally to all VLAN interfaces and enable the interface.

Apply to a specific VLAN interface:

host1/Admin(config)# interface vlan 50host1/Admin(config-if)# ip address 192.168.1.1 255.255.255.0host1/Admin(config-if)# access-group input ACL1host1/Admin(config-if)# service-policy input L4_REMOTE-MGT_POLICYhost1/Admin(config-if)# no shutdownhost1/Admin(config-if)# exithost1/Admin(config)#

Apply globally to all VLAN interface:

host1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Step 6 Generate the SSH private key and corresponding public key for use by the SSH server.

host1/Admin(config)# ssh key rsa1 1024 force

Step 7 Save the configuration to Flash memory.

host1/Admin(config)# do copy running-config startup-config


OL-25343-01

AdministOL-25343-01

C H A P T E R 3
Managing ACE Software Licenses
Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted.

This chapter describes how to manage the software licenses for your ACE. It contains the following major sections:

• ACE Module License Bundles

• ACE Appliance License Bundles and Migration Paths


• Prerequisites

• Default Feature Capabilities

• Managing ACE Software Licenses

• Displaying ACE License Configurations and Statistics

ACE Module License BundlesTable 3-1 lists the ACE30 module licenses, product IDs (PIDs), and descriptions. You can increase the number of default user contexts, module bandwidth, SSL TPS, and compression rates by purchasing an upgrade license or a license bundle that is listed in Table 3-1.

Table 3-1 ACE30 Module License Bundles

License Bundle Product ID (PID) License File Description

Base (default) ACE30-BASE-04-K9 None required 4 Gbps bandwidth1 Gbps compression1,000 TPS SSL5 Virtual Contexts

Base to 4 Gbps4 Gbps Bundle

ACE30-MOD-UPG1=ACE30-MOD-04-K9

ACE30-MOD-UPG1ACE30-MOD-04-K9

4 Gbps bandwidth6 Gbps compression30,000 TPS SSL250 Virtual Contexts


Chapter 3 Managing ACE Software LicensesACE Appliance License Bundles and Migration Paths

ACE Appliance License Bundles and Migration PathsTable 3-2 summarizes the contents of the ACE 4710 appliance license bundles available in software release A4(2.0) and later. You can increase the performance and operating capabilities of your ACE appliance by purchasing one of these license bundles. Note that the number of application acceleration connections is always 100 regardless of the bandwidth of the installed license bundle.

4 Gbps to 8 Gbps8 Gbps Bundle



8 Gbps bandwidth6 Gbps compression30,000 TPS SSL250 virtual contexts





Table 3-1 ACE30 Module License Bundles (continued)


Table 3-2 ACE 4710 License Bundles


0.5 Gbps Bundle ACE-4710-0.5-K9 ACE-4710-0.5-K9 0.5 Gbps bandwidth2.0 Gbps compression7500 TPS SSL20 virtual contexts

0.5 Gbps to 1 Gbps1 Gbps Bundle

ACE-4710-BUN-UPG1=ACE-4710-01-K9

ACE-4710-BUN-UPG1ACE-4710-01-K9

1 Gbps bandwidth2.0 Gbps compression7500 TPS SSL20 virtual contexts



ACE4710-BUN-UPG2ACE-4710-02-K9



ACE4710-BUN-UPG3=ACE-4710-04-K9

ACE4710-BUN-UPG3ACE-4710-04-K9


1 Gbps Bundle (covers two ACE Service Modules)

ACE-4710-2PAK ACE-4710-2PAK 1 Gbps bandwidth2.0 Gbps compression7500 TPS SSL20 virtual contexts


OL-25343-01

Chapter 3 Managing ACE Software LicensesGuidelines and Restrictions

Table 3-3 shows the license migration paths available to you based on the ACE appliance bandwidth license that you owned prior to software release A4(2.0). Each migration license is free and is fully loaded for the bandwidth you select:

Guidelines and RestrictionsThe ACE license guidelines and restrictions are as follows:

• A demo license is valid for only 60 days. At the end of this period, you must update the demo license with a permanent license to continue to use the ACE software. To view the expiration of a demo license, use the show license usage command in Exec mode (see the “Displaying ACE License Configurations and Statistics” section). ACE demo licenses are available through your Cisco account representative.

• If you turn the clock backward for any reason, you will not be able to install a demo license.

• If you need to replace an ACE, you can copy and install the license file for the license into the replacement ACE.

• If you are upgrading a redundant configuration from software version A4(1.0) to software version A4(2.0), while the two ACEs are in split mode with software version A4(1.0) running on the active ACE and software version A4(2.0) running on the standby, config sync is disabled because of a license incompatibility. If you make any configuration changes on the active ACE during this time, your changes are not synchronized to the standby and are lost. After you complete the upgrade, config sync is automatically reenabled. We recommend that you do not make any configuration changes while the two ACEs are in split mode.

• (ACE module only) You can upgrade virtualization to a maximum of 250 contexts.

• (ACE module only) Licenses are platform-specific. You cannot apply an ACE10 or an ACE20 license to an ACE30.

PrerequisitesYou must have the Admin role in the Admin context to install, remove, and update the license file.

Table 3-3 Software Release A4(2.0) Fully Loaded No-Cost Migration Licenses

Currently Owned ACE Bandwidth and Feature LicensesFully Loaded No-Cost Migration License Bundles

0.5 Gbps bandwidth with any combination of feature licenses ACE-4710-0.5-UPG=

1 Gbps bandwidth with any combination of feature licenses ACE-4710-01-UPG=

2 Gbps bandwidth with any combination of feature licenses ACE-4710-02-UPG=

4 Gbps bandwidth with any combination of feature license ACE-4710-04-UPG=


OL-25343-01

Chapter 3 Managing ACE Software LicensesDefault Feature Capabilities

Default Feature CapabilitiesTable 3-4 lists the default feature capabilities of the ACE.

Managing ACE Software LicensesThis section includes the following topics:

• Tasks for Ordering an Upgrade License and Generating a Key

• Copying a License File to the ACE

• Installing a New or Upgrade License File

• Replacing a Demo License with a Permanent License

• Removing a License Bundle or All License Bundles from the ACE

• Backing Up an ACE License File

• Retrieving an ACE License File

Tasks for Ordering an Upgrade License and Generating a KeyThis section describes the process that you use to order an upgrade license and to generate a license key for your ACE.

Detailed Steps

Step 1 Order one of the licenses from the list in the “ACE Module License Bundles” section or the “ACE Appliance License Bundles and Migration Paths” section using any of the available Cisco ordering tools on cisco.com.

Step 2 When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct you to the Cisco.com website. As a registered user of Cisco.com, go to this URL:

Table 3-4 Default Feature Capabilities

Parameter Default

Virtual Contexts (ACE module only) One Admin context, five virtual contexts

(ACE appliance only) One Admin context, 20 virtual contexts

Bandwidth (ACE module only) 4 Gbps

(ACE appliance only) 1.0 Gbps

Secure Sockets Layer (SSL) (ACE module only) 1,000 transactions per second (TPS)

(ACE appliance only) 7,500 transactions per second (TPS)

Hypertext Transfer Protocol (HTTP) compression (ACE module only) 1 Gbps

(ACE appliance only) 2.0 Gbps

Application Acceleration Connections (ACE appliance only) 1051

1. Application acceleration connections are fixed at 105 concurrent connections in ACE appliance software release A4(2.0) for all license bundles.


OL-25343-01

Chapter 3 Managing ACE Software LicensesManaging ACE Software Licenses

http://www.cisco.com/go/license

Step 3 Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as your proof of purchase.

Step 4 Provide all the requested information to generate a license key.

After the system generates the license key, you will receive a license key e-mail with an attached license file and installation instructions.

Step 5 Save the attached license file to a remote server that you can access from the ACE. Save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE).

What to Do Next

Copy the license file to the ACE (see the “Copying a License File to the ACE” section).

Copying a License File to the ACEThis section describes how to copy an ACE license file from a remote server to the ACE. For detailed information on copying files from a remote server, see Chapter 4, Managing the ACE Software.

Prerequisites

The license file must reside on a remote server that you can access from the ACE.

You must be in the Admin context to copy the file to disk0: on the ACE.

Detailed Steps

What to Do Next

If the license is a demo or permanent license for a new or upgrade installation, see the “Installing a New or Upgrade License File” section.

If the license is a permanent license replacing a demo license, see the “Replacing a Demo License with a Permanent License” section.

Command Purpose

copy tftp:[//server[/path/][/filename]] disk0:[path/]filename

ACE Module Example: host1/Admin# copy tftp://track/license/ACE30-MOD-04-K9.lic disk0:

ACE Appliance Example:host1/Admin# copy tftp://track/license/ACE-4710-02-K9.lic disk0:

Copies the file to disk0: on the ACE.

The arguments and keywords are as follows:

• [//server[/path/][/filename]]—Path to the network server. This path is optional because the ACE prompts you for this information if you omit it.

• disk0:[path/]filename—Specifies that the file destination is the disk0: directory of the current context and the filename. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.


OL-25343-01

http://www.cisco.com/go/license


Installing a New or Upgrade License FileThis section describes how to install a license after you copy a demo or permanent license file to the ACE for a new or upgrade installation (see the “Copying a License File to the ACE” section). All license installations except one have no adverse impact to an operating ACE. No reboot is required and existing connections are not interrupted. In a redundant configuration, mismatched context licenses between the active and the standby ACEs cause the active ACE to generate a syslog message (if logging is enabled) and to disable configuration synchronization. After you install the correct matching license on the standby ACE, the software automatically detects the new license and restores normal operation.

For information about replacing a demo license with a permanent one, see the “Replacing a Demo License with a Permanent License” section.


This topic includes the following guidelines and restrictions:

• You must have the Admin role in the Admin context to install or upgrade the license file.

• If you install a context demo license, make sure that you save the Admin running configuration and all user context running configurations to a remote server. If you allow a context license to expire, the ACE automatically removes all user contexts from the Admin running configuration and all configurations for the user contexts.

Detailed Steps

Examples

(ACE module only) To install a license bundle file for 4 Gbps bandwidth, 4 Gbps compression, 30,000 TPS SSL, and 250 virtual contexts, enter:

host1/Admin# license install disk0:ACE30-MOD-04-K9.lic

(ACE appliance only) The following example shows how to install a license bundle for 2 Gbps bandwidth, 2 Gbps compression, 7500 TPS SSL, 20 virtual contexts, and 200 app. accel. conns, enter:

host1/Admin# license install disk0:ACE-4710-02-K9.lic

Command Purpose

license install disk0:[path/]filename [target_filename]

ACE Module Example:host1/Admin# license install disk0:ACE30-MOD-04-K9.lic

ACE Appliance Example:host1/Admin# license install disk0:ACE-4710-02-K9.lic

Installs or upgrades a license on your ACE.


• [path/]filename—License stored on the disk0: file system. If you do not specify the optional path, the ACE looks for the file in the root directory.

• target_filename—(Optional) Target filename for the license file.

show license brief

Example: host1/Admin# show license brief

(Optional) Displays the installed licenses.


OL-25343-01


Replacing a Demo License with a Permanent LicenseThis section describes how to replace an ACE demo license with a permanent license. If you installed a demo license, four weeks before the license expires, the ACE generates warning syslog messages once a day. During the final week, a warning syslog message occurs once an hour. Before this period ends, you must update the demo license with a permanent license. Otherwise, the ACE will revert to its previous bandwidth, SSL TPS, or number of contexts.

After you copy the permanent license file to the ACE (see the “Copying a License File to the ACE” section), you can install it.



• You must have the Admin role in the Admin context to update the demo license file with a permanent file.

• If you replace the context demo license with a permanent license, you can continue to use the configured user contexts on the ACE. However, if you allow a context license to expire, the ACE automatically removes all user contexts from the Admin running configuration and all configurations for the user contexts. Before a context license expires, save the Admin running configuration and the user context running configurations to a remote server. To view the expiration of the demo license, use the show license usage command in Exec mode from the Admin context.

• You must replace a demo license with a permanent license that has the same feature capability. For example, if you want to replace a 4 Gbps demo license, you can replace it only with a permanent 4 Gbps license.

Detailed Steps

Removing a License Bundle or All License Bundles from the ACEThis section describes how to remove a license bundle or all licenses from the ACE.

Note When you use the clear startup-config or the write erase command, the ACE does not remove license files from the startup-configuration file.

Command Purpose

license update disk0:[path/]permanent_filename demo_filename

ACE Module Example:host1/Admin# license update disk0:ACE30-MOD-08-K9.lic ACE30-MOD-08-K9-DEMO.lic

ACE Appliance Example:host1/Admin# license update disk0:ACE-AP-VIRT-020.lic ACE-4710-02-K9-DEMO.lic

Replaces a demo license with a permanent license.


• [path/]permanent_filename—Filename for the permanent license file that you copied onto the ACE.

• demo_filename—Filename for the demo license file that the permanent license file is replacing.


OL-25343-01




• You must have the Admin role in the Admin context to remove the license file.

• (ACE module only) The type of licenses currently installed on the ACE module determines which license you can remove. Table 3-6 lists the currently installed license bundles, the current licensed features, and the remaining licensed features after the license is removed.

• (ACE appliance only) The type of licenses currently installed on the ACE appliance determines which license you can remove. Table 3-6 lists the currently installed license bundles, the current licensed features, and the remaining licensed features after the license is removed.

Table 3-5 Results of Removing ACE Module License Bundles and Upgrade License Bundles

Installed License Bundle File Current Licensed Features Results of License Removal




ACE30-MOD-08-K9 8 Gbps bandwidth6 Gbps compression30,000 TPS SSL250 virtual contexts


ACE30-MOD-16-K9 16 Gbps bandwidth6 Gbps compression30,000 TPS SSL250 virtual contexts


ACE30-MOD-UPG2 8 Gbps bandwidth6 Gbps compression30,000 TPS SSL250 virtual contexts


ACE30-MOD-UPG3 16 Gbps bandwidth6 Gbps compression30,000 TPS SSL250 virtual contexts


Table 3-6 Results of Removing ACE Appliance License Bundles and Upgrade License Bundles


ACE-4710-0.5-K9 0.5 Gbps bandwidth2 Gbps compression7500 TPS SSL20 virtual contexts

1 Gbps bandwidth2 Gbps compression7500 TPS SSL20 virtual contexts





OL-25343-01


Prerequisites

Caution Before you remove any license bundle from the ACE, save the Admin running configuration and the user context running configurations to a remote server. When you remove a demo or permanent license bundle, the ACE removes all user contexts from the Admin running configuration. By removing the user contexts, their running and startup configurations are also removed from the ACE.

Detailed Steps

Follow these steps to remove a license:

Step 1 Save the Admin and user context running configurations to a remote server by entering the copy running-config command in Exec mode in each context. For more information on this command, see Chapter 4, Managing the ACE Software.

For example, to copy the Admin running configuration to an TFTP server as R-CONFIG-ADM, enter:

host1/Admin# copy running-config tftp://192.168.1.2/R-CONFIG-ADM

To copy the C1 user context running configuration to an TFTP server, access the C1 context and enter:

host1/C1# copy running-config tftp://192.168.1.2/R-CONFIG-C1

ACE-4710-BUN-UPG2= ACE-4710-02-K9



ACE4710-BUN-UPG3=ACE-4710-04-K9



ACE-4710-2PAK 1 Gbps bandwidth2 Gbps compression7500 TPS SSL20 virtual contexts


Table 3-6 Results of Removing ACE Appliance License Bundles and Upgrade License Bundles (continued)


Command Purpose

license uninstall {license_filename | all}

ACE Module Example:host1/Admin# license uninstall disk0:ACE30-MOD-04-K9.lic

ACE Appliance Example:host1/Admin# license uninstall disk0:ACE-4710-01-K9.lic

Removes a license bundle or all license bundles from the ACE. The argument and keyword are as follows:

• license_filename—Specifies the filename of the license file that you want to remove. Enter the license filename as an unquoted text string with no spaces.

• all—Removes all license files from the ACE and returns all current licensed features to their default values.


OL-25343-01


Step 2 Remove the license with the license uninstall command.

For example, to remove the ACE30-MOD-04-K9.LIC license from an ACE module, enter:

host1/Admin# license uninstall disk0:ACE30-MOD-04-K9.lic

The ACE displays the following messages and prompt:

Clearing license ACE30-MOD-04-K9.lic:SERVER this_host ANYVENDOR ciscoINCREMENT ACE30-MOD-04-K9.lic cisco 1.0 permanent 1 \ VENDOR_STRING=<count>1</count> HOSTID=ANY \ NOTICE=”<LicFileID>20051103151315824</LicFileID><LicLineID>1</LicLineID> \ <PAK></PAK>” SIGN=86A13B1EA2F2

INCREMENT ACE30-MOD-04-K9.lic cisco 1.0 permanent 1 \!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Uninstalling virtual context license will automatically!!!!! cleanup all the user context configurations, please backup the !!!!! configurations before proceeding further with uninstallation !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Do you want to continue? (y/n)

Step 3 If you have not saved the running configurations for the Admin and user contexts to a remote server, enter n. Go to Step 1.

If you saved the running configurations for the Admin and user contexts to a remote server, enter y.

During the license removal, the ACE removes the user context configurations from the Admin running configuration, causing the deletion of all user contexts including their running and startup configurations.

Step 4 Display the current number of supported contexts on the ACE by entering the show license status command in Exec mode of the Admin context.

Step 5 Determine which contexts you want to keep in the Admin running configuration. Using a text editor, manually remove the extra context configurations from the Admin running configuration on the remote server.

If the Admin running configuration contains more contexts than what the ACE supports and you copy this configuration to the ACE, the ACE rejects contexts that exceed the supported limit. For example, if the running configuration contains 20 contexts, when you remove the license, the ACE supports five contexts. If you attempt to copy the configuration with all 20 contexts, the ACE allows the first five contexts, fails the remaining contexts, and displays error messages on the console.

Note You can also manually recreate the user contexts in the running configuration that is currently on the ACE. If you do, go to Step 7.

Step 6 Retrieve the modified Admin running configuration from the remote server. For example, to copy the R-CONFIG-ADM Admin running configuration from the TFTP server, enter:

host1/Admin# copy tftp://192.168.1.2/R-CONFIG-ADM running-config

Step 7 Copy the Admin running configuration to the startup-configuration file. For example, enter:

host1/Admin# copy running-config startup-config


OL-25343-01


Note If you do not update the startup configuration with the latest running configuration, when the ACE restarts, it uses the startup configuration with the extra contexts. The ACE allows the number of contexts that the license supports, but fails the remaining contexts.

Step 8 Access the user context, and copy its running configurations from the remote server. For example, to copy the C1 user context running configuration from the TFTP server, access the C1 context and enter:

host1/C1# tftp://192.168.1.2/R-CONFIG-C1 copy running-config

Step 9 Copy the user context running configuration to the startup-configuration file. For example, enter:


Step 10 Repeat Steps 8 and 9 until you retrieve the running configurations for all user contexts configured in the Admin configuration.

Downgrading the ACE Software to a Release Prior to A4(2.0)Because the bundle licenses in software version A4(2.x) and later are not compatible with licenses from earlier releases, the number of virtual contexts that remain after the downgrade is five and all other contexts are lost. Therefore, you must back up all your configured contexts prior to downgrading the ACE software to a release earlier than A4(2.0). The ACE displays the following warning message during the downgrade procedure:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Currently there are 7 contexts configured on this appliance !!!!!!!! running A4(2.x) or later software. If the box is reloaded with software !!!!!!!! prior to A4(2.0) then it will result in limiting the virtual contexts !!!!!!!! to 5 and hence resulting in losing the configurations and data !!!!!!!! associated with the rest of the contexts. Please backup the user !!!!!!!! context configurations before proceeding further with reload operation. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Continue ? [yes/no]: [no]

For more details, see the “Downgrading Your ACE Software in a Redundant Configuration” section in the release note.

Backing Up an ACE License FileThis section describes how to back up an ACE license file. To protect your license files, we recommend that you back up your license files (in .tar format) to the ACE Flash disk.


You must be in the Admin context to back up an ACE license file.


OL-25343-01


Detailed Steps

Retrieving an ACE License FileThis section describes how retrieve an ACE license file. If you accidently remove or lose the license on the ACE, you can untar your backup license file and then reinstall it.


You must be in the Admin context to retrieve an ACE license file.

Detailed Steps

Command Purpose

copy licenses disk0:[path/]filename.tar

Example:host1/Admin# copy licenses disk0:mylicenses.tar

Backs up your license files to the ACE Flash disk as tar files.

The keyword and argument are as follows:

• disk0:—Specifies that the backup license file is copied to the disk0: file system.

• [path/]filename.tar—Destination filename for the backup licenses. The destination filename must have a .tar file extension.

Command Purpose

untar disk0:[path/]filename.tar

Example:host1/Admin# untar disk0:mylicenses.tar

Untars the backup file should you need to reinstall it because you accidently removed or lost the license.

The [path/]filename.tar argument is the filename of the .tar backup license file.

For information on installing the license, see the “Installing a New or Upgrade License File” section.


OL-25343-01

Chapter 3 Managing ACE Software LicensesDisplaying ACE License Configurations and Statistics

Displaying ACE License Configurations and StatisticsTo display license information about your ACE, perform one of the following tasks in the Admin context only:

Table 3-7 describes the fields in the show license status command output.

Table 3-8 describes the fields in the show license usage command output.

Command Purpose

show license [brief | file filename | internal event-history | status | usage]

Displays all or some of the license information.

Entering this Exec mode command without any options and arguments displays all installed ACE license files and their contents.

The options and arguments for this command are as follows:

• brief—Displays a list of the currently installed licenses.

• file filename—Displays the file contents of the specified license.

• internal event-history—Displays a history of licensing-related events.

• status—Displays the status of licensed features (see Table 3-7).

• usage—Displays the usage table for all licenses (see Table 3-8).

show version Displays license information.

show module services (ACE module only) Displays license information. Enter this command on the supervisor engine. See the license information under the Services field.

Table 3-7 Field Descriptions for the show license status Command Output

Field Description

Licensed Feature List including the ACE SSL transactions per second (TPS), virtual contexts, bandwidth, and compression.

(ACE appliance only) The list also includes application acceleration and optimization concurrent connections.

Count Number of ACE-supported SSL TPS, virtual contexts, bandwidth (Gbps), and compression (Gbps).

(ACE appliance only) The count also includes the application acceleration and optimization concurrent connections.

This information also provides the default number of contexts, SSL TPS, and ACE bandwidth that the ACE supports when a license is not installed.

Table 3-8 Field Descriptions for the show license usage Command Output

Field Description

License Name of the license.

Ins Whether the license is installed (Yes or No).

Lic Count Number of licenses for this feature.


OL-25343-01

Chapter 3 Managing ACE Software LicensesDisplaying ACE License Configurations and Statistics

Status Current state of the feature (In use or Unused).

Expiry Date Date when the demo license expires, as defined in the license file. If the license is permanent, this field displays Never.

Comments Licensing errors, if any.

Table 3-8 Field Descriptions for the show license usage Command Output (continued)

Field Description


OL-25343-01

AdministOL-25343-01

C H A P T E R 4
Managing the ACE Software

This chapter describes how to manage the software running on the ACE and contains the following major sections:

• Saving Configuration Files

• Copying Configuration Files from a Remote Server

• Displaying the Configuration Download Progress Status

• Using the File System on the ACE

• Using Backup and Restore

• Managing Core Dump Files

• Capturing Packet Information

• Using the Configuration Checkpoint and Rollback Service

• Setting Thresholds for and Displaying the Network Processor Buffer Usage

• Reformatting the ACE Module Flash Memory

• Reformatting the ACE Appliance Flash Memory

Saving Configuration FilesUpon startup, the ACE loads the startup-configuration file stored in Flash memory (nonvolatile memory) to the running-configuration file stored in RAM (volatile memory). When you partition your ACE into multiple contexts, each context contains its own startup-configuration file.

Flash memory stores the startup-configuration files for each existing context. When you create a new context, the ACE creates a new context directory in Flash memory to store the context-specific startup-configuration files. When you copy a configuration file from the ACE, you create a copy of the configuration information of the context from where you executed the command.

When you make configuration changes, the ACE places those changes in a virtual running-configuration file called the running-config, which is associated with the context that you are working in. When you enter a CLI command, the change is made only to the running-configuration file in volatile memory.


Chapter 4 Managing the ACE SoftwareSaving Configuration Files

Before you log out or reboot the ACE, copy the contents of the running-configuration file to the startup-configuration file (startup-config) to save configuration changes for the current context to Flash memory. The ACE uses the startup-configuration file on subsequent reboots.


• Saving the Configuration File in Flash Memory

• Saving Configuration Files to a Remote Server

• Copying the Configuration File to the disk0: File System

• Merging the Startup-Configuration File with the Running-Configuration File

• Clearing the Startup-Configuration File

• Displaying Configuration File Content

Saving the Configuration File in Flash MemoryThis section describes how to save the contents of the running-configuration file in RAM (volatile memory) to the startup-configuration file for the current context in Flash memory (nonvolatile memory) on the ACE.

Detailed Steps

Saving Configuration Files to a Remote ServerThis section describes how to save the running-configuration file or startup-configuration file to a remote server using File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), or Trivial Transfer Protocol (TFTP). The copy serves as a backup file for the running-configuration file or startup-configuration file for the current context. Before installing or migrating to a new software

Command Purpose

copy running-config startup-config

Example: host1/Admin# copy running-config startup-config

Copies the contents of the running-configuration file to the startup-configuration file.

write memory [all]

Example: host1/Admin# write memory all

Copies the contents of the running-configuration file to the startup-configuration file.

The optional all keyword saves configurations for all existing contexts. This keyword is available only in the Admin context.

When used without the all keyword, this command copies the contents of the running-configuration file for the current context to the startup-configuration file.

Note After you save the contents of the running-configuration file for the current user context to the startup-configuration file, you should also save the changes to the Admin context startup-configuration file, which contains all configurations that are used to create each user context.


OL-25343-01


version, back up the ACE startup-configuration file to a remote server using FTP, SFTP, or TFTP. When you name the backup file, we recommend that you name it in such a way that you can easily tell the context source of the file (for example, running-config-ctx1, startup-config-ctx1).

Detailed Steps

Command Purpose

copy {running-config | startup-config} {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}

Example: host1/Admin# copy running-config ftp://192.168.1.2/running-config_AdminctxEnter username[]? user1Enter the file transfer mode[bin/ascii]: [bin]Password: password1Passive mode on.Hash mark printing on (1024 bytes/hash mark).####

Saves the running-configuration file or startup-configuration file to a remote server using FTP, SFTP, or FTP.


• running-config—Specifies the running-configuration file currently residing on the ACE in volatile memory.

• startup-config—Specifies the startup-configuration file currently residing on the ACE in Flash memory.

• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the renamed configuration file.

When using FTP, the bin (binary) file transfer mode is intended for transferring compiled files (executables). The ascii file transfer mode is intended for transferring text files, such as config files. The default selection of bin should be sufficient in all cases when copying files to a remote FTP server.

• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed configuration file.

• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed configuration file.

When you select a destination file system using ftp:, sftp:, or tftp:, the ACE performs the following tasks:

• Prompts you for your username and password if the destination file system requires user authentication.

• Prompts you for the server information if you do not provide the information with the command.

• Copies the file to the root directory of the destination file system if you do not provide the path information.


OL-25343-01


Copying the Configuration File to the disk0: File SystemThis section describes how to copy the running-configuration file or the startup-configuration file to the disk0: file system in Flash memory on the ACE.

Detailed Steps

Merging the Startup-Configuration File with the Running-Configuration FileThis section describes how to merge the contents of the startup-configuration file into the running-configuration file. This process copies any additional configurations from the startup-configuration file into the running-configuration file. If any common commands exist in both files, the startup-configuration file overwrites the attributes in the running-configuration file.

Detailed Steps

Command Purposecopy {running-config | startup-config} disk0:[path/]filename

Example: host1/Admin# copy running-config disk0:running-config_copy

Copies either the running configuration of the startup configuration to a file on the disk0: file system in Flash memory.


• running-config—Specifies the running-configuration file currently residing on the ACE in RAM (volatile memory).

• startup-config—Specifies the startup-configuration file currently residing on the ACE in Flash memory (nonvolatile memory).

• [path/]filename—Path in the disk0: file system. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.

Command Purpose

copy startup-config running-config

Example: host1/Admin# copy startup-config running-config

Merges the contents of the startup-configuration file into the running-configuration file.


OL-25343-01


Displaying Configuration File ContentTo display the content of the running- and startup-configuration files, perform one of the following tasks:

Command Purpose

show running-config [aaa | access-list | action-list | class-map | context | dhcp | domain | ft | interface | object-group | parameter-map | policy-map | probe | resource-class | role | rserver | serverfarm | sticky [name]]

Displays the contents of the running configuration associated with the current context. Configuration entries within each mode appear in the chronological order in which you configure the ACE. The ACE does not display default configurations in the ACE running-configuration file.

The keywords and options are as follows:

• aaa—(Optional) Displays AAA information.

• access-list—(Optional) Displays access control list (ACL) information.

• action-list—(Optional) Displays action-list information.

• class-map—(Optional) Displays all class maps configured for the current context. The ACE also displays configuration information for each class map.

• context—(Optional) Displays the contexts configured on the ACE. The ACE also displays the resource class (member) assigned to each context. The context keyword works only from within the Admin context.

• dhcp—(Optional) Displays Dynamic Host Configuration Protocol (DHCP) information.

• domain—(Optional) Displays the domains configured for the current context. The ACE also displays configuration information for each domain listed.

• ft—(Optional) Displays the redundancy or fault-tolerance (FT) configurations configured for the current context. The ACE also displays configuration information for each FT configuration.

• interface—(Optional) Displays interface information.

• object-group—(Optional) Displays ACL object-group information.

• parameter-map—(Optional) Displays parameter map information.

• policy-map—(Optional) Displays policy map information.

• probe—(Optional) Displays probe information.

• resource-class—(Optional) Displays resource class information.

• role—(Optional) Displays the roles configured for the current context. The ACE also displays configuration information for each role.

• rserver—(Optional) Displays real server information.

• serverfarm—(Optional) Displays serverfarm information.

• sticky—(Optional) Displays sticky information.

• name—(Optional) Name of the object.

write terminal Displays the contents of the running configuration associated with the current context. The write terminal command is equivalent to the show running-config command.


OL-25343-01


Clearing the Startup-Configuration FileThis section describes how to clear the contents of the ACE startup-configuration file of the current context in Flash memory. Both commands reset the startup-configuration file to the default settings and take effect immediately.

Restrictions

The clear startup-config and write erase commands used to clear the contents of the ACE startup-configuration file of the current context in Flash memory include the following restrictions:

• These commands do not affect the following items:

– Running-configuration file

– Boot variables, such as config-register and boot system settings

The commands do not remove the following items from the ACE startup-configuration file:

• License files—To remove license files, use the license uninstall filename command (see the “Removing a License Bundle or All License Bundles from the ACE” section on page 3-7.).

• Crypto files—To remove crypto files, use the crypto delete filename or the crypto delete all command (see the SSL Guide, Cisco ACE Application Control Engine).

Detailed Steps

invoke context context_name show running-config

Displays the running-configuration file of a user context from the Admin context. The context_name argument is the name of the user context.

show startup-config Displays the contents of the startup configuration associated with the current context.

Command Purpose

Command Purpose

Step 1 copy startup-config {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}

Example: host1/Admin# copy startup-config ftp://192.168.1.2/startup-config_Adminctx

(Optional) Creates a backup of your current startup-configuration file on a remote server.

For details about using this command, see the “Saving Configuration Files to a Remote Server” section.

Step 2 clear startup-config

Example: host1/Admin# clear startup-config

Clears the contents of the startup-configuration file and resets it to the default settings.

write erase

Example: host1/Admin# write erase


OL-25343-01

Chapter 4 Managing the ACE SoftwareCopying Configuration Files from a Remote Server

Copying Configuration Files from a Remote ServerThis section describes how to configure the ACE by downloading a copy of a running-configuration file or startup-configuration file from a remote server. When you copy the backup configuration file to the ACE, you copy the configuration information to the context from where you initially executed the copy command.

Prerequisites

This topics includes the following prerequisites:

• You know the location of the configuration file to be loaded from the remote server.

• The configuration file permissions are set to world-read.

• The ACE has a route to the remote server. The ACE and the remote server must be in the same subnetwork if you do not have a router or default gateway to route the traffic between subnets. To check connectivity to the remote server, use the ping or traceroute command in Exec mode. See the Routing and Bridging Guide, Cisco ACE Application Control Engine for details on how to use the ping and traceroute commands.

• Ensure that the configuration file is appropriate for use in the current context. For example, you would copy the backup configuration file startup-config-ctx1 to context 1.

Detailed Steps


Example: host1/Admin# copy running-config startup-config

(Optional) Recovers a copy of an startup configuration by copying the contents of the existing running-configuration file to the startup-configuration file.

copy {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]} startup-config

Example: host1/Admin# copy ftp://192.168.1.2/startup-config_Adminctx startup-config

(Optional) Recovers a copy of an existing startup configuration saved on a remote server.

For details about using this command, see the “Copying Configuration Files from a Remote Server” section.

Command Purpose

Command Purpose

copy {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]} {running-config | startup-config}

Example: host1/Admin# copy ftp://192.168.1.2/startup-config_Adminctx startup-config

Configures the ACE using a running-configuration file or startup-configuration file downloaded from a remote server.

For details about using this command, see the “Copying Configuration Files from a Remote Server” section.


OL-25343-01

Chapter 4 Managing the ACE SoftwareDisplaying the Configuration Download Progress Status

Displaying the Configuration Download Progress StatusThis section describes how to display the progress of a configuration download when a large configuration file in the ACE has been applied to a context.

When you apply changes to a configuration file, the ACE downloads the configuration to its data plane. When you perform incremental changes, such as copying and pasting commands in a configuration, the ACE immediately performs the configuration download and does not display any terminal messages at the start or end of the download.

However, in the following situations, the ACE defers the configuration download until the entire configuration is applied to the context:

• A startup configuration at boot time

• Copying of the configuration to the running-configuration file

• A checkpoint rollback

At the start of the deferred download, the ACE displays the following message on all terminals that are logged into the context including a terminal that you log into for the context before the download is done:

Processing has started for applied config

During the download, the ACE locks the context and denies any configuration changes until the download is completed.

Note We recommend that you do not execute any configuration commands during the deferred download. The ACE does not deny you from entering configuration changes. But the changes will not occur until the download is completed. If the command times out during the download, the following message appears:

Config application in progress. This command is queued to the system.

The ACE does not queue the command immediately, however, the ACE processes and executes the command when the download is completed even if the command times out.

You can execute the show download information command to monitor the progress of the download. You can also execute show commands that do not have interaction with the configuration manager (cfgmgr). For example, these commands include the show acl-merge, show interface, show context, show crypto files, and show fifo commands.

The show commands that have interaction with the cfgmgr do not work when the download occurs. For example, these commands include the show access-list, show conn, show domain, show running-config, and show service-policy commands. If you execute a cfgmgr show command during the download, the following error message occurs:

System Busy: Config application in progress

At the end of the deferred download, the ACE displays the follow message on all terminals that are logged into the context:

Processing has finished for applied config


OL-25343-01

Chapter 4 Managing the ACE SoftwareDisplaying the Configuration Download Progress Status

To display the progress status of the configuration download on a context, perform the following task:

Table 4-1 describes the fields that appear in the show download information command output.

Command Purpose

show download information [all] [summary]}

Example: host1/Admin# show download information all

Displays the state of the configuration download for each interface on the context. If no option is included with this command, the status information for all interfaces in the current context is displayed. The options are as follows:

• all —Displays the configuration download status for all interfaces on all contexts. This option is available in the Admin context.

• summary—Displays the summary status of the download information for the context. When you include the all option with the summary option, the download summary status for all contexts is displayed.

See Table 4-1 for information on the download states that the Download-status field displays.

Table 4-1 Field Descriptions for the show download information command

Field Description

Context Name of the context.

Interface Number of the interface on the context. This field is not displayed with the summary option.

Download-Status State of the configuration download. With no option or the all option, the possible states are as follows:

• Pending—The interface has been updated but the update has not been downloaded.

• In Progress—The interface download is in progress.

• Completed—The interface download is completed.

• Pending/Deleted—The interface has been deleted but it has not been downloaded.

• In progress/Deleted—The interface has been deleted and the download is in progress.

With the summary option, the possible states are as follows:

• Completed—All of the interfaces have a status of Completed.

• Pending—One or more of the interfaces are in the Pending state and the rest of the interfaces are in the Completed state.

• In Progress—One or more interfaces are in the Progress state and the rest of the interfaces are in the Completed or Pending state.


OL-25343-01

Chapter 4 Managing the ACE SoftwareUsing the File System on the ACE

Using the File System on the ACEThis section describes how use the ACE file system. Flash memory stores the operating system, startup-configuration files, software licenses, core dump files, system message log files, SSL certificates and keys, probe scripts, and other data on the ACE. Flash memory comprises a number of individual file systems, or partitions, that include this data.

The ACE contains the following file systems, or partitions:

• disk0:—Contains all startup-configuration files, software licenses, system message log files, SSL certificates and keys, and user-generated data for all existing contexts on the ACE.

• image:—Contains the system software images.

• core:—Contains the core files generated after each time that the ACE becomes unresponsive.

• probe:—Contains the Cisco-supplied scripts. For more information about these scripts, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine. Both the Admin context and user contexts support the probe: directory.

• volatile:—Contains the files residing in the temporary (volatile:) directory. The volatile: directory provides temporary storage; files in temporary storage are erased when the ACE reboots.

The Admin context supports all five file systems in the ACE. The user context supports only the disk0:, probe:, and volatile: file systems.

When you create a new context, the ACE creates a new context directory in Flash memory to store context-specific data such as startup-configuration files.

The ACE provides a number of useful commands to help you manage software configuration and image and files.This section contains the following topics that will help you to manage files on the ACE:

• Copying Files

• Uncompressing Files in the disk0: File System

• Untarring Files in the disk0: File System

• Deleting an Existing Directory

• Moving Files

• Deleting Files

• Displaying Files Residing On the ACE

• Saving show Command Output to a File

Copying FilesThis section describes how create copies of a file on the ACE and how to copy files to and from the ACE. This section contains the following topics:

• Copying Files Between Directories in the disk0: File System on the ACE

• Copying Licenses

• Copying a Packet Capture Buffer

• Copying a Scripted Probe File

• Copying Files to a Remote Server

• Copying Files from a Remote Server

• Copying an ACE Software System Image to a Remote Server


OL-25343-01


Copying Files Between Directories in the disk0: File System on the ACE

This section describes how to copy a file from one directory in the disk0: file system of Flash memory to another directory in disk0:.

Detailed Steps

Copying Licenses

This section describes how to create a backup license for the ACE licenses in .tar format and copy it to the disk0: file system. To protect your license files, we recommend that you back up your license files to the ACE Flash memory as tar files.

Detailed Steps

Command Purpose

Step 1 dir disk0:

Example: host1/Admin# dir disk0:

(Optional) Displays the contents of the disk0: file system.

Step 2 copy disk0:[path/]filename1 {disk0:[path]filename2}

Example: host1/Admin# copy disk0:samplefile disk0:MYSTORAGE/SAMPLEFILE

Copies a file from one directory in the disk0: file system of Flash memory to another directory in disk0:.


• [path/]filename1—Name of the file to copy. Use the dir disk0: command to view the files available in the disk0: file system. If you do not provide the optional path, the ACE copies the file from the root directory on the disk0: file system.

• disk0:[path]filename2—Specifies the file destination in the disk0: directory of the current context. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.

Command Purposecopy licenses disk0:[path/]filename.tar

Example: host1/Admin# copy licenses disk0:mylicenses.tar

Creates a backup license for the ACE licenses in .tar format and copies it to the disk0: file system.

The keyword and argument are as follows:

• disk0:—Specifies that the backup license file is copied to the disk0: file system.

• [path/]filename.tar—Destination filename for the backup licenses. The destination filename must have a .tar file extension. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.

untar disk0:[path/]filename.tar

Example: host1/Admin# untar disk0:mylicenses.tar

(Optional) Untars the backup file and reinstalls it if you accidently remove or lose the license on the ACE (see the “Untarring Files in the disk0: File System” section).


OL-25343-01


Copying a Packet Capture Buffer

This section describes how to copy an existing packet capture buffer to the disk0: file system.

Detailed Steps

Command Purposecopy capture capture_name disk0:[path/]destination_name

Example: host1/Admin# copy capture packet_capture_Jan_17_07 disk0:capture_Jan_17_07

Copies an existing packet capture buffer to the disk0: file system.


• capture_name—Name of the packet capture buffer on Flash memory. Specify a text string from 1 to 64 alphanumeric characters. If necessary, use the show capture command to view the files available in the disk0: file system. This list includes the name of existing packet capture buffers.

• disk0:—Specifies that the buffer is copied to the disk0: file system.

• [path/]destination_name—Destination path (optional) and name for the packet capture buffer. Specify a text string from 1 to 80 alphanumeric characters. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.


OL-25343-01


Copying a Scripted Probe File

This section describes how to copy a scripted probe file from the probe: directory to another directory on the disk0:file system on the ACE or a remote server using FTP, SFTP, or TFTP.


You cannot copy a scripted probe file to the probe: directory on the ACE.

The copy probe: command is available only in the Admin context.

Detailed Steps

Command Purpose

copy probe:filename {disk0:[[path/]filename] | ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}

Example: host1/Admin# copy probe: disk0:Enter source filename[]? LDAP_PROBE_SCRIPTDestination filename[]?:[LDAP_PROBE_SCRIPT]host1/Admin#

Copies a file from the probe: directory to the disk0: file system on the ACE or a remote server using FTP, SFTP, or TFTP.


• probe:filename—Specifies the scripted probe file residing on the ACE. Use the dir probe: command to view the files available in the probe: directory.

• disk0:[path/]filename—Specifies a location and filename in the disk0: file system.

• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the renamed file.

When using FTP, the bin (binary) file transfer mode is intended for transferring compiled files (executables). The ascii file transfer mode is intended for transferring text files, such as config files. The default selection of bin mode should be sufficient in all cases when copying files to a remote FTP server.

• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed file.

• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed file.




• Copies the file to the root directory of the destination file system if you do not provide path information.


OL-25343-01


Copying Files to a Remote Server

This section describes how to copy a file from Flash memory on the ACE to a remote server using FTP, SFTP, or TFTP. The copy serves as a backup file for such files as the capture buffer file, core dump, ACE licenses in .tar format, running-configuration file, or startup-configuration file.

Detailed Steps

Command Purposecopy {core:filename | disk0:[path/]filename | running-config | startup-config} {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}

Example: host1/Admin# copy running-config ftp://192.168.215.124/running-config_AdminctxEnter username[]? user1Enter the file transfer mode[bin/ascii]: [bin]Password: password1Passive mode on.Hash mark printing on (1024 bytes/hash mark).####

Copies a file from Flash memory on the ACE to a remote server using FTP, SFTP, or TFTP.


• core:filename—Specifies a core dump residing on the ACE in Flash memory (see the “Managing Core Dump Files” section). The copy core: command is available only in the Admin context. Use the dir core: command to view the core dump files available in the core: file system. Copy the complete filename (for example, 0x401_vsh_log.25256.tar.gz) by using the copy core: command.

• disk0:[path/]filename—Specifies a file in the disk0: file system of Flash memory (for example, a packet capture buffer file, ACE licenses in .tar format, or a system message log). Use the dir disk0: command to view the files available in the disk0: file system.

• running-config—Specifies the running-configuration file residing on the ACE in volatile memory.

• startup-config—Specifies the startup-configuration file currently residing on the ACE in Flash memory.

• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the renamed file.


• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed file.

• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed file.






OL-25343-01


Copying Files from a Remote Server

This section describes how to copy a file from a remote server to a location on the ACE using FTP, SFTP, or TFTP.

Detailed Steps

Copying an ACE Software System Image to a Remote Server

This section describes how to copy an ACE software system image from Flash memory to a remote server using FTP, SFTP, or TFTP.


The copy image: command is available in the Admin context only.

Command Purposecopy {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]} {disk0:[path/]filename | image:image_name | running-config | startup-config}

Example: host1/Admin# copy ftp://192.168.1.2/ startup-configEnter source filename[]? startup_config_AdminctxFile already exists, do you want to overwrite?[y/n]: [y] yEnter username[]? user1Enter the file transfer mode[bin/ascii]: [bin]Password:Passive mode on.Hash mark printing on (1024 bytes/hash mark).

Copies a file from a remote server to a location on the ACE using FTP, SFTP, or TFTP.


• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the filename.


• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the filename.

• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the filename.

• disk0:[path/]filename—Specifies a file destination in the disk0: file system of Flash memory. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.

• image:image_name—Specifies to copy a system software image to Flash memory. Use the boot system command as described in Chapter 1, “Setting Up the ACE Module” or Chapter 2, “Setting Up the ACE Appliance” to specify the BOOT environment variable. The BOOT environment variable specifies a list of image files on various devices from which the ACE can boot at startup.

• running-config—Specifies to replace the running-configuration file currently residing on the ACE in RAM (volatile memory).

• startup-config—Specifies to replace the startup-configuration file currently residing on the ACE in Flash memory (nonvolatile memory).


OL-25343-01


Detailed Steps

Uncompressing Files in the disk0: File SystemThis section describes how to uncompress (unzip) LZ77 coded files in the disk0: file system (for example, zipped probe script files).


The filename must end with a .gz extension for the file to be uncompressed using the gunzip command. The .gz extension indicates a file zipped by the gzip (GNU zip) compression utility.

Command Purpose

Step 1 dir image:

Example: host1/Admin# dir image:

(Optional) Displays the software system images available in Flash memory.

Step 2 show version

Example: host1/Admin# show version

(Optional) Displays the version information of system software that is loaded in flash memory and currently running on the ACE.

Step 3 copy image:filename {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}

Example: host1/Admin# copy image:sb-ace.NOV_11 ftp://192.168.1.2

Copies an ACE software system image from Flash memory to a remote server using FTP, SFTP, or TFTP.


• filename—Name of the ACE system software image.

• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the renamed software system image.

• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed software system image.

• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed software system image.






OL-25343-01


Detailed Steps

Untarring Files in the disk0: File SystemThis section describes how to untar a single file with a .tar extension in the disk0: file system. Use this process to untar the sample scripts file or to unzip a back-up licenses created with the copy licenses disk0: command if a license becomes corrupted or lost.

A .tar file keeps related files together and facilitates the transfer of multiple files. A .tar file is a series of separate files, typically not compressed, added together into a single file by a UNIX TAR program. The resulting file is known as a tarball, which is similar to a ZIP file but without the compression. The files in a .tar file must be extracted before they can be used.


To untar a file, the filename must end with a .tar extension.

Detailed Steps

Command Purpose

Step 1 dir disk0:[directory/][path/][filename]


(Optional) Displays a list of available zipped files on the disk0: file system.


• directory/—(Optional) Contents of the specified directory.

• path/—(Optional) Path to display the contents of a specific directory on the disk0: file system.

• filename—(Optional) Information that relates to the specified file, such as the file size and the date it was created. You can use wildcards in the filename. A wildcard character (*) matches all patterns. Strings after a wildcard are ignored.

Step 2 gunzip disk0:filename

Example: host1/Admin# gunzip disk0:PROBE_SCRIPTS.gz

Uncompresses (unzips) LZ77 coded files in the disk0: file system.

The filename argument identifies the name of the compressed file on the disk0: file system. The filename must end with a .gz extension.

Command Purpose

untar disk0:[path/]filename

Example: host1/Admin# untar disk0:mylicenses.tar

Untars a single file with a .tar extension in the disk0: file system.

The filename argument identifies the name of the .tar file in the disk0: file system. You can optionally provide a path to the .tar file if it exists in another directory in the disk0: file system.


OL-25343-01


Creating a New DirectoryThis section describes how to create a directory in the disk0: file system of Flash memory.

Detailed Steps

Deleting an Existing DirectoryThis section describes how to remove an existing directory from the disk0: file system of Flash memory.

Prerequisites

The directory must be empty before you can delete it. To remove a file from the ACE file system, use the delete command (see the “Deleting Files” section).

Detailed Steps

Command Purposemkdir disk0:[path/]directory

Example: host1/Admin# mkdir disk0:TEST_DIRECTORY

Create a directory in the disk0: file system of Flash memory.


• path/—(Optional) Path on the disk0: file system to the new directory. Specify the optimal path if you want to create a directory within an existing directory.

• directory—Name of the directory to create in disk0:. If a directory with the same name already exists, the ACE does not create the new directory and the “Directory already exists” message appears.

Command Purpose

Step 1 dir disk0:


(Optional) Displays the contents of the disk0: file system.

Step 2 rmdir disk0:[path/]directory

Example: host1/Admin# rmdir disk0:TEST_DIRECTORY

Removes an existing directory from the disk0: file system of Flash memory.

The directory argument provides the name of the directory to delete from the disk0: file system. The directory must be empty before you can delete it. You can optionally provide a path to a directory in the disk0: file system.


OL-25343-01


Moving FilesThis section describes how to move a file between directories in the disk0: file system. If a file with the same name already exists in the destination directory, that file is overwritten by the moved file.

Detailed Steps

Deleting FilesThis section describes how to delete a file from a specific file system in the ACE. When you delete a file, the ACE erases the file from the specified file system.

Note To remove a directory from the ACE file system, use the rmdir command (see the “Deleting an Existing Directory” section).

Command Purpose

Step 1 dir disk0:


(Optional) Displays the files available in the disk0: file system.

Step 2 move disk0:[source_directory/]filename disk0:[destination_directory/]filename

Example: host1/Admin# move disk0:SAMPLEFILE disk0:MYSTORAGE/SAMPLEFILE

Moves a file between directories in the disk0: file system.


• source_directory—(Optional) Name of the source directory in the disk0: file system.

• destination_directory—(Optional) Name of the destination directory in the disk0: file system.

• filename—Name of the file to move in the disk0: file system.


OL-25343-01


Detailed Steps

Command Purpose

Step 1 dir {core: | disk0: | image: | volatile:}


(Optional) Displays the files available in the specified file system.

Step 2 delete {core:filename | disk0:[directory/]filename | image:filename | volatile:filename}

Example: host1/Admin# delete disk0:mystorage/my_running-config1

Delete a file from a specific file system in the ACE.


• core:filename—Deletes the specified file from the core: file system (see the “Managing Core Dump Files” section). The delete cores: command is available only in the Admin context.

• disk0:[directory/]filename— Deletes the specified file from the disk0: file system (for example, a packet capture buffer file or system message log). You can optionally provide a path to a file in directory in the disk0: file system.

• image:filename—Deletes the specified file from the image: file system. The delete image: command is available only in the Admin context.

• volatile:filename—Deletes the specified file from the volatile: file system.


OL-25343-01


Displaying Files Residing On the ACETo display the files in a directory and the contents of a file, perform the following tasks:

Examples

The following example shows the output of the dir disk0: commands:

host1/Admin# dir disk0:

Command Purpose

dir {core: | disk0:[directory/][filename] | image:[filename] | probe:[filename] | volatile:[filename]}

Displays a detailed list of directories and files contained within the specified file system on the ACE, including names, sizes, and time created.


• core:—Displays the contents of the core: file system.

• disk0:—Displays the contents of the disk0: file system.

• image:—Displays the contents of the image: file system.

• probe:—Displays the contents of the probe: file system. This directory contains the Cisco-supplied scripts. For more information about these scripts, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

• volatile:—Displays the contents of the volatile: file system.

• directory/—(Optional) Contents of the specified directory.

• filename—(Optional) Information that relates to the specified file, such as the file size and the date it was created. You can use wildcards in the filename. A wildcard character (*) matches all patterns. Strings after a wildcard are ignored.

show file {disk0: [path/]filename | volatile: filename} [cksum | md5sum]

Displays the contents of a specified file in a directory in Flash memory or in nonvolatile memory.


• disk0: [path/]filename—Specifies the name of a file residing in the disk0: file system of Flash memory (for example, a packet capture buffer file or system message log). You can optionally provide a path to a file in a directory in the disk0: file system.

• volatile: filename—Specifies the name of a file in the volatile memory file system of the ACE.

• cksum—(Optional) Displays the cyclic redundancy check (CRC) checksum for the file. The checksum values compute a CRC for each named file. Use this option to verify that the file is not corrupt. You compare the checksum output for the received file against the checksum output for the original file.

• md5sum—(Optional) Displays the MD5 checksum for the file. MD5 is an electronic fingerprint for the file. MD5 is the latest implementation of the internet standards described in RFC 1321 and is useful for data security and integrity.


OL-25343-01


7465 Jan 03 00:13:22 2000 C2_dsb 2218 Mar 07 18:38:03 2006 ECHO_PROBE_SCRIPT4 1024 Feb 16 12:47:24 2006 core_copies_dsb/ 1024 Jan 01 00:02:07 2000 cv/ 1024 Mar 13 13:53:08 2006 dsb_dir/ 12 Jan 30 17:54:26 2006 messages 7843 Mar 09 22:19:56 2006 running-config 4320 Jan 05 14:37:52 2000 startup-config 1024 Jan 01 00:02:28 2000 www/

Usage for disk0: filesystem4254720 bytes total used6909952 bytes free

11164672 bytes total

For example, to list the core dump files in Flash memory, enter:

host1/Admin# dir core:

2261 Jan 13 18:33:02 2010 SYSTEM_STATS 437478 Apr 15 13:40:36 2010 0x201_vsh_log.29732.tar.gz 504105 Apr 21 20:23:45 2010 0x201_vsh_log.6957.tar.gz 500547 Apr 24 10:58:26 2010 0x201_vsh_log.6959.tar.gz

Usage for core: filesystem 2524160 bytes total used 200572928 bytes free 203097088 bytes total


OL-25343-01


Saving show Command Output to a FileThis section describes how to save all show screen output to a file by appending > filename to any command. For example, you can enter show interface > filename at the Exec mode CLI prompt to redirect the interface configuration command output to a file created at the same directory level.

Detailed Steps

Command Purposeshow keyword [| {begin pattern | count | end | exclude pattern | include pattern | last | more}] [> {filename | {disk0:| volatile}:[path/][filename] | {ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}

Example: host1/Admin# show running-config > ftp://192.168.1.2

Saves a show command output to a file.


• |—(Optional) Enables an output modifier that filters the command output.

• begin pattern—Begins with the line that matches the pattern that you specify.

• count—Counts the number of lines in the output.

• end pattern—Ends with the line that matches the pattern that you specify.

• exclude pattern—Excludes the lines that match the pattern that you specify.

• include pattern—Includes the lines that match the pattern that you specify.

• last—Displays the last few lines of the output.

• more—Displays one window page at a time.

• >—(Optional) Enables an output modifier that redirects the command output to a file.

• filename—Name of the file that the ACE saves the output to on the volatile: file system.

• disk0:—Specifies that the destination is the disk0: file system on the ACE Flash memory.

• volatile:—Specifies that the destination is the volatile: file system on the ACE.

• [path/][filename]—(Optional) Path and filename to the disk0: or volatile: file system.

• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, a filename.

• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, a filename.

• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, a filename.


OL-25343-01

Chapter 4 Managing the ACE SoftwareUsing Backup and Restore

Using Backup and RestoreThis section describes how to back up and restore your ACE configuration data and dependent files. It contains the following subsections:

• Information About the Backup and Restore Features

• Guidelines and Limitations

• Defaults

• Backing Up the ACE Configuration Files and Dependencies

• Restoring the ACE Configuration Files and Dependencies

• Copying a Backup Archive to a Server

• Displaying the Status of the Backup Operation

• Displaying the Status of the Restoration

• Displaying Backup and Restore Errors

Information About the Backup and Restore FeaturesThis section provides information about the backup and restore features. With these features, you can back up or restore the configuration and dependencies of an entire ACE or of a particular virtual context. Configuration dependencies are those files that are required to exist on the ACE so that a configuration can be applied to it. Such files include health-monitoring scripts, SSL certificates, SSL keys, and so on.

Note The ACE backs up the dependencies that exist at the time when the backup is performed.

This feature allows you to back up and restore the following configuration files and dependencies:

• Running-configuration files

• Startup-configuration files

• Checkpoints

• SSL certificates

• SSL keys

• Health-monitoring scripts

• Licenses

Note The backup feature does not back up the sample SSL certificate and key pair files.

Typical uses for this feature are as follows:

• Back up a configuration for later use

• Recover a configuration that was lost because of a software failure or user error

• Restore configuration files to a new ACE when a hardware failure resulted in an RMA of the old ACE

• Transfer the configuration files to a different ACE


OL-25343-01


The backup and restore commands are supported in both the Admin and user contexts. If you enter these commands in the Admin context, you can back up or restore the configuration files for either the Admin context only or for all contexts in the ACE. If you enter the commands in a user context, you can back up or restore the configuration files only for that context.

Both the backup and the restore commands run asynchronously (in the background). You can monitor their progress by entering their corresponding show commands.

Archive File

The backup command runs asynchronously, that is, it runs in the background, which allows you to enter other commands at the CLI while the ACE processes the backup. When you instruct the ACE to back up the selected files, the ACE tars and GZIP-compresses them into a .tgz archive file and places the file in disk0:. For the Admin context, you can store one archive for the Admin context and one archive for the entire ACE. For a user context, you can store one archive for that context only. You can later use the archive files to restore the state of the same ACE or a different ACE.

Each time that you create a new backup for the entire ACE or for a particular user context, the ACE overwrites the previous ACE-wide archive or the context-specific archive, respectively.

Archive Naming Conventions

Archive files for individual contexts have the following naming convention format:

Hostname_ctxname_timestamp.tgz

where timestamp has the following format: yyyy_mm_dd_hh_mm_ss

For example:

ACE-1_ctx1_2009_08_30_15_45_17.tgz

If you back up the entire ACE, the archive filename does not include the ctxname field. So, the format is as follows:

Hostname_timestamp.tgz

For example:

ACE-1_2009_08_30_15_45_17.tgz

Archive Directory Structure and Filenames

The ACE uses a flat directory structure for the backup archive. The ACE provides file extensions for the individual files that it backs up so that you can identify the types of files easily when restoring an archive. All files are stored in a single directory that is tarred and GZIPed as follows:

ACE-1_Ctx1_2009_08_30_15_45_17.tgz ACE-1_Ctx1_2009_08_30_15_45_17\ context_name-running context_name-startup context_name-chkpt_name.chkpt context_name-cert_name.cert context_name-key_name.key context_name-script_name.tcl context_name-license_name.lic


OL-25343-01


When you choose to encrypt the key pair files in a backup archive, the ACE appends an .enc extension to the filename (context_name-key_name.enc).

Guidelines and LimitationsThe backup and restore features have the following configuration guidelines and limitations:

• Use the Admin context for an ACE-wide backup and the corresponding context for a user context backup.

• When you back up the running-configuration file, the ACE uses the output of the show running-configuration command as the basis for the archive file.

• The ACE backs up only exportable certificates and keys.

• License files are backed up only when you back up the Admin context.

• Use a passphrase to back up SSL keys in encrypted form. Remember the passphrase or write it down and store it in a safe location. When you restore the encrypted keys, you must enter the passphrase to decrypt the keys. If you use a passphrase when you back up the SSL keys, the ACE encrypts the keys with AES-256 encryption using OpenSSL software.

• Only probe scripts that reside in disk0: need to be backed up. The prepackaged probe scripts in the probe: directory are always available. When you perform a backup, the ACE automatically identifies and backs up the scripts in disk0: that are required by the configuration.

• The ACE does not resolve any other dependencies required by the configuration during a backup except for scripts that reside in disk0:. For example, if you configured SSL certificates in an SSL proxy in the running-configuration file, but you later deleted the certificates, the backup proceeds as if the certificates still existed.

• To perform a backup or a restore operation, you must have the admin RBAC feature in your user role.

• When you instruct the ACE to restore the archive for the entire ACE in the Admin context, it restores the Admin context completely first, and then it restores the other contexts. The ACE restores all dependencies before it restores the running context. The order in which the ACE restores dependencies is as follows:

– License files

– SSL certificates and key files

– Health-monitoring scripts

– Checkpoints

– Startup-configuration file

– Running-configuration file

• After you restore license files, previously installed license files are uninstalled and the restored files are installed in their place.

• In a redundant configuration, if the archive that you want to restore is different from the peer configurations in the FT group, redundancy may not operate properly after the restoration.

• You can restore a single context from an ACE-wide backup archive provided that:

– You enter the restore command in the context that you want to restore

– All files dependencies for the context exist in the ACE-wide backup archive


OL-25343-01


DefaultsTable 4-2 lists the default settings for the backup and restore feature parameters.

Backing Up the ACE Configuration Files and DependenciesThis section describes the procedure that you perform to back up the ACE configuration files and dependencies.


To back up all contexts, you must be in the Admin context and you must specify the all keyword.

Table 4-2 Default Backup and Restore Parameters

Parameter Default

Backed up files By default, the ACE backs up the following files in the current context:

• Running-configuration file

• Startup-configuration file

• Checkpoints

• SSL certificates

• SSL keys

• Health-monitoring scripts

• Licenses

SSL key backup encryption None


OL-25343-01


Detailed Steps

Restoring the ACE Configuration Files and DependenciesThis section describes the procedure that you perform to restore the ACE configuration files and dependencies on the same or a different ACE. Be sure that the backup archive file resides in disk0: prior to starting the restoration.

Command Purpose

Step 1 changeto

Example:host1/Admin# changeto C1host1/C1#

Changes to the specified context. Be sure that you are in the context that you wish to back up. To back up all contexts in the ACE, you must be in the Admin context.

Step 2 backup [all][pass-phrase text_string][exclude component]

Example:host1/Admin# backup all pass-phrase my_pass_phrase exclude checkpointshost1/Admin#

Backs up configuration files and dependencies in the current context or in all contexts in the ACE.

The keywords and arguments of this command are as follows:

• all—(Optional) Specifies that the ACE should back up the configuration files and dependencies in all contexts. You can specify this keyword only in the Admin context.

• pass-phrase text_string—(Optional) Passphrase that you specify to encrypt the backed up SSL certificates or keys. Enter the passphrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. You must enter the pass-phrase keyword before the exclude keyword. If you enter a passphrase and then exclude the SSL files from the archive, the ACE does not use the passphrase.

Note If you imported SSL certificates or keys with a crypto passphrase, you must use the pass-phrase option to encrpyt the crypto passphrase when you back up these files.

• exclude component—(Optional) Specifies the components that you do not wish to back up.

You can enter any of the following components in any order separated by a comma if you enter more than one:

– checkpoints—Excludes all checkpoints

– ssl-files—Excludes SSL certificate files and key files

Step 3 show backup status [detail]

Example:host1/Admin# show backup status detail

(Optional) Displays the progress of the backup process for each component in the different ACE contexts. Use the detail option to view the components or files that have already been backed up in each context. When the backup is finished, the command displays the status as SUCCESS.

Step 4 show backup errors

Example:host1/Admin# show backup errors

(Optional) If the backup fails, displays the errors that occurred during the backup process.


OL-25343-01


Caution The restore command clears any existing SSL certificate and key-pair files, license files, and checkpoints in a context before it restores the backup archive file. If your configuration includes SSL files or checkpoints and you excluded them when you created the backup archive, those files will no longer exist in the context after you restore the backup archive. To preserve any existing exportable SSL certificate and key files in the context, before you enter the restore command, export the certificates and keys that you want to keep to an FTP, SFTP, or TFTP server by using the crypto export command. After you restore the archive, import the SSL files into the context. For details on exporting and importing SSL certificate and key pair files, see the SSL Guide, Cisco ACE Application Control Engine.You can also use the exclude option of the restore command to instruct the ACE not to clear the SSL files in disk0: and to ignore the SSL files in the backup archive when the ACE restores the backup.


You must be in the Admin context to restore all contexts.

Prerequisites

• The backup archive must reside in disk0: in the ACE where you want to restore the archive before you start the restoration.

• No automatic rollback will be done in case of a restore failure. We recommend that you back up the ACE before you attempt to restore an archive.

• If you excluded the SSL files from the backup archive, you must import the certificates and keys from the FTP, SFTP, or TFTP server before you restore the archive. Then, when you enter the restore command, enter the exclude ssl-files option.

Detailed Steps for a Nonredundant Configuration

Note This procedure will cause an interruption in service for the current context or for all contexts, depending on the type of backup archive that you are restoring. We recommend that you schedule the restoration of a backup archive on an ACE during a maintenance window.


OL-25343-01


Command Purpose

Step 1 changeto


Changes to the specified context. Be sure that you are in the context in which you wish to restore the backup archive. To restore an ACE-wide backup archive completely, you must be in the Admin context.

Step 2 restore {[all] disk0:archive_filename} [pass-phrase text_string] [exclude {licenses | ssl-files}]

Example:host1/Admin# restore disk0:switch_Admin_07_July_2009_11_08_04_AM.tgz pass-phrase MY_PASS_PHRASE

Restores configuration files and dependencies in the current context or in all contexts in the ACE.


• all—(Optional) Specifies that the ACE should restore the configuration files and dependencies in all contexts. You can specify this keyword only in the Admin context.

• disk0:archive_filename—Specifies the name of the archive file that you want to restore.

• pass-phrase text_string—(Optional) Specifies the passphrase that you used to encrypt the backed up SSL keys in the archive. You must enter the pass-phrase option before you enter the exclude option. Enter the passphrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. If you used a passphrase when you backed up the SSL keys, the ACE encrypted the keys with AES-256 encryption using OpenSSL software. To restore the SSL keys, you must enter that same passphrase.

Note If you forget your passphrase, import the required SSL files first. Then, use the exclude option of the restore command to restore the archive.

• exclude—(Optional) Instructs the ACE not to restore the following specified files:

– licenses—Excludes license files from the restoration. Use this option when you want to keep the license files that are already installed in the ACE and ignore the license files in the backup archive, if any.

Note If you upgrade to software version A4(1.0) or later from a release before A4(1.0), the ACE cannot install the earlier license files because they are unsupported. The ACE ignores these license files and keeps the existing licenses.

– ssl-files—Excludes SSL certificates and keys from the restoration. Use this option only if you want to keep the SSL files already present in your ACE and ignore the SSL files in the backup archive, if any.

Note If you enter the exclude option first, you cannot enter the pass-phrase option.


OL-25343-01


Detailed Steps to Restore a Redundant Configuration

Note This procedure will cause an interruption in service for the two redundant contexts. We recommend that you schedule the restoration of a backup archive on a redundant pair during a maintenance window.

Step 3 show restore status [detail]

Example:host1/Admin# show restore status

(Optional) Displays the progress of the restore process by displaying the context. Use the detail option to view the components or files that have already been backed up in each context. When the restore is finished, the command displays the status as SUCCESS.

Step 4 show restore errors

Example:host1/Admin# show restore errors

(Optional) If the restore fails, displays the errors that occurred during the restore process.

Command Purpose

Step 1 changeto


Changes to the specified context. Be sure that you are in the context in which you wish to restore the backup archive. To restore an ACE-wide backup archive completely, you must be in the Admin context.

Step 2 config


Enters configuration mode on the active member of the FT group.

Step 3 ft group group_idno inservice

Example:host1/Admin(config)# ft group 1host1/Admin(config-ft-group)# no inservice

Disables redundancy for the members of the FT group. You must take the FT group out of service before you can restore the archive on the standby ACE. Otherwise, configuration mode is disabled on the standby ACE and the restoration will fail with the following error message:

Archive restore not allowed when config mode is disabled.

Step 4 Press Ctrl-Z Returns to Exec mode from any configuration mode.

Command Purpose


OL-25343-01


Step 5 restore {[all] disk0:archive_filename} [pass-phrase text_string] [exclude {licenses | ssl-files}]

Example:host1/Admin# restore disk0:switch_Admin_07_July_2009_11_08_04_AM.tgz pass-phrase MY_PASS_PHRASE

Restores configuration files and dependencies in the current context or in all contexts in the ACE.


• all—(Optional) Specifies that the ACE should restore the configuration files and dependencies in all contexts. You can specify this keyword only in the Admin context.

• disk0:archive_filename—Specifies the name of the archive file that you want to restore.

• pass-phrase text_string—(Optional) Specifies the passphrase that you used to encrypt the backed up SSL keys in the archive. You must enter the pass phrase before you use the exclude option. Enter the passphrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. If you used a passphrase when you backed up the SSL keys, the ACE encrypted the keys with AES-256 encryption using OpenSSL software. To restore the SSL keys, you must enter that same passphrase.

Note If you forget your passphrase, import the required SSL files first. Then, use the exclude option of the restore command to restore the archive.

• exclude—(Optional) Instructs the ACE not to restore the following specified files:

– licenses—Excludes license files from the restoration. Use this option when you want to keep the license files that are already installed in the ACE and ignore the license files in the backup archive, if any.

Note If you upgrade to software version A4(1.0) or later from a release before A4(1.0), the ACE cannot install the earlier license files because they are unsupported. The ACE ignores these license files and keeps the existing licenses.

– ssl-files—Excludes SSL certificates and keys from the restoration. Use this option only if you want to keep the SSL files already present in your ACE and ignore the SSL files in the backup archive, if any.

Step 6 config


Enters configuration mode on the active member of the FT group.

Step 7 ft group group_idinservice

Example:host1/Admin(config)# ft group 1host1/Admin(config-ft-group)# inservice

Enables redundancy for both members of the FT group.

Step 8 Press Ctrl-Z Returns to Exec mode from any configuration mode.

Command Purpose


OL-25343-01


Copying a Backup Archive to a ServerThis section describes the procedure that you perform to copy a backup archive from the ACE to an FTP or an SFTP server so that you can then restore the archive on a different ACE.


To use the copy backup command or the copy backup-all command, you must have Admin privileges in the context where you enter the command.

Detailed Steps

Examples

The following example shows how to copy a backup archive file to an SFTP server:

switch/Admin# copy backup sftp:Enter Address for the sftp server[]? 10.25.25.11Enter the destination filename[]? [switch_Admin_2009_08_22_02_48_49.tgz]Enter username[]? rootConnecting to 10.25.25.11...

Step 9 show restore status [detail]

Example:host1/Admin# show restore status detail

(Optional) Displays the progress of the restoration. Use the detail option to view the components or files that have been restored in each context. When the restoration is finished, the command displays the status as SUCCESS.

Step 10 show restore errors

Example:host1/Admin# show restore errors

(Optional) If the restoration fails, displays the errors that occurred during the restore process.

Command Purpose

Command Purpose

Step 1 changeto


Changes to the specified context. Be sure that you are in the context from which you wish to copy the backup archive.

Step 2 copy {backup | backup-all} {ftp:[//path] | sftp:[//path}}


Copies a single-context or an ACE-wide backup archive to an FTP or an SFTP server. The keywords of this command are as follows:

• backup—Copies the last successful single-context backup archive to the specified FTP or SFTP server. This keyword is available in both the Admin context and user contexts.

• backup-all—Copies the last successful ACE-wide (all contexts) backup archive to the specified FTP or SFTP server. This keyword is available only in the Admin context.

• ftp:[//path] | sftp:[//path]—Specifies the FTP or SFTP server where you want to copy the backup archive and, optionally, the file path or URI.

Note If you renamed or deleted the backup archive in a context, the copy backup command fails and the ACE displays an error message.


OL-25343-01


[email protected]'s password:sftp> Uploading /TN-HOME/Admin/switch_Admin_2009_08_22_02_48_49.tgz to/root/switch_Admin_2009_08_22_02_48_49.tgz/TN-HOME/Admin/switch_Admin_2009_08_22_02_48_ 100% 6737 0.0KB/s 00:00

Displaying the Status of the Backup OperationTo display the status of the backup operation, perform the following task:

Examples

The following example shows the output of the show backup status command:

hello/Admin# show backup statusBackup Archive: switch_Admin_2009_08_30_15_45_17.tgzType : ContextStart Time : Wed Aug 30 15:45:16 2009Finished Time : Wed Aug 30 15:45:17 2009Status : In ProgressCurrent vc : AdminCompleted : 1/1

The following example shows the output of the show backup status detail command:

host1/Admin# show backup status detail

Backup Archive: switch_Admin_2009_08_30_15_45_17.tgzType : ContextStart Time : Wed Aug 30 15:45:16 2009Finished Time : Wed Aug 30 15:45:17 2009Status : SUCCESSCurrent vc : AdminCompleted : 1/1------------------------+---------------+--------------------------+------------Context component Time Status------------------------+---------------+--------------------------+------------

Admin Running-cfg Wed Aug 30 15:45:17 2009 SUCCESSAdmin Startup-cfg Wed Aug 30 15:45:17 2009 SUCCESSAdmin Checkpoints Wed Aug 30 15:45:17 2009 SUCCESSAdmin Cert/Key Wed Aug 30 15:45:17 2009 N/AAdmin License Wed Aug 30 15:45:17 2009 SUCCESSAdmin Probe script Wed Aug 30 15:45:17 2009 N/A

Command Purpose

show backup status [detail] Displays the status of the last backup operation. Backup status details are not stored across reboots.

Possible values in the Status column are as follows:

• SUCCESS—The component was successfully backed up

• FAILED—The component failed to be backed up

• N/A—The component (for example, a checkpoint or probe script) being backed up contains 0 files


OL-25343-01


Displaying the Status of the RestorationTo display the status of the restoration, perform the following task:

Examples

The following example shows the output of the show restore status command:

host1/Admin# show restore statusBackup Archive: switch_2009_08_30_15_45_17.tgzType : ContextStart Time : Wed Aug 30 16:45:16 2009Finished Time : -Status : In ProgressCurrent vc : AdminCompleted : 0/1

The following example shows the output of the show restore status detail command:

host1/Admin# show restore status detailBackup Archive: switch_2009_08_30_15_45_17.tgzType : ContextStart Time : Wed Aug 30 16:45:16 2009Finished Time : -Status : In ProgressCurrent vc : AdminCompleted : 0/1------------------------+---------------+--------------------------+------------Context component Time Status------------------------+---------------+--------------------------+------------Admin License Wed Aug 30 16:45:16 2009 SUCCESSAdmin Cert/Key Wed Aug 30 16:45:16 2009 SUCCESSAdmin Probe script Wed Aug 30 16:45:16 2009 SUCCESSAdmin Checkpoints Wed Aug 30 16:45:16 2009 SUCCESSAdmin Startup-cfg Wed Aug 30 16:45:17 2009 In Progress

Displaying Backup and Restore ErrorsTo display the errors that may have occurred during a backup or restore operation that did not succeed, perform the following tasks:

Command Purpose

show restore status [detail] Displays the status of the last restoration. Restoration status details are not stored across reboots.

Command Purpose

show backup errors Displays errors that occur during a backup operation. For information about backup system messages, see the System Message Guide, Cisco ACE Application Control Engine.

show restore errors Displays errors that occur during a restore operation. For information about restore system messages, see the System Message Guide, Cisco ACE Application Control Engine.


OL-25343-01

Chapter 4 Managing the ACE SoftwareManaging Core Dump Files

Examples

The following example shows the output of the show backup errors command after a backup failed because of a disk copy failure for checkpoints:

host1/Admin# show backup errors

Context: AdminComponent: Checkpoint

Error Details:Internal Error, checkpoint copy failed

The following example shows the output of the show restore errors command after a restore failed because the running-configuration file differences could not be applied:

host1/Admin# show restore errors

Context: AdminComponent: Running-cfg Below diff could not be applied--

--ssh key rsa 4096 forcessh key dsa 2048 forcessh key rsa1 4096 force--

The following example shows the output of the show restore errors command after a restore failed because a probe was not present in either disk0: or in the probe: directory.

host1/Admin# show backup errorsContext: AdminComponent: Probe scriptsError Details:Error, probe PROBE_1 not found in disk0: or probe:

Managing Core Dump FilesThis section describes how to manage the ACE core dump files. A core dump occurs when the ACE experiences a fatal error. The ACE writes information about the fatal error to the core: file system in Flash memory before a switchover or reboot occurs. The core: file system is the storage location for all core files generated during a fatal error. Three minutes after the ACE reboots, the saved last core file is restored from the core: file system back to its original RAM location. This restoration is a background process and is not visible to the user.



• The core: file system is available from the Admin context only.

• Core dump information is for Cisco Technical Assistance Center (TAC) use only. If the ACE becomes unresponsive, you can view the dump information in the core through the show cores command. We recommend that you contact TAC for assistance in interpreting the information in the core dump.


OL-25343-01


• The time stamp on the restored last core file displays the time when the ACE booted up, not when the last core was actually dumped. To obtain the exact time of the last core dump, check the corresponding log file with the same process identifier (PID).


• Copying Core Dumps

• Clearing the Core Directory

• Deleting a Core Dump File

Copying Core DumpsThis section describes how to copy a core dump from the ACE to the disk0: file system or to a remote server. The ACE copies a single file based on the provided process identifier.


You must perform this task from the Admin context only.


OL-25343-01


Detailed Steps

Clearing the Core DirectoryThis section describes how to clear out all of the core dumps stored in the core: file system.



Command Purpose

Step 1 dir core:

Example: host1/Admin# dir core:

(Optional) Displays the list of available core files. You can copy the complete filename (for example, 0x401_vsh_log.25256.tar.gz) into the copy core: command.

Step 2 copy core:filename {disk0:[path/][filename] | ftp://server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}

Example: host1/Admin# copy core:0x401_vsh_log.8249.tar.gz ftp://192.168.1.2 Enter the destination filename[]? [0x401_vsh_log.8249.tar.gz]Enter username[]? user1Enter the file transfer mode[bin/ascii]: [bin]Password:Passive mode on.Hash mark printing on (1024 bytes/hash mark).

Saves a core dump from the ACE to the disk0: file system or to a remote server.


• filename—Core dump that resides on the ACE in Flash memory.

• disk0:[path/][filename]—Specifies a file location for the core dump in the disk0: file system and a filename for the core.

• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the renamed core dump.


• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the renamed core dump.

• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the renamed core dump.






OL-25343-01

Chapter 4 Managing the ACE SoftwareCapturing Packet Information

Detailed Steps

Deleting a Core Dump FileThis section describes how to delete a core dump file from the core: file system in Flash memory.



Detailed Steps

Capturing Packet InformationThis section describes how to capture packet information, which is useful for troubleshooting connectivity problems with the ACE or for monitoring suspicious activity. The ACE can track packet information for network traffic that passes through the ACE. The attributes of the packet are defined by an ACL. The ACE buffers the captured packets, and you can copy the buffered contents to a file in Flash memory on the ACE or to a remote server. You can also display the captured packet information on your console or terminal.

You can capture both IPv4 and IPv6 packets in the same buffer for a single interface or for all interfaces. You do this by configuring an ACL for IPv6 and another ACL for IPv4.

Command Purpose

Step 1 dir core:


(Optional) Displays the list of available core files.

Step 2 clear cores

Example: host1/Admin# clear cores

Clears out all of the core dumps stored in the core: file system.

Command Purpose

Step 1 dir core:


(Optional) Displays the list of available core files. You can copy the complete filename (for example, 0x401_vsh_log.25256.tar.gz) into the delete core: command.

Step 2 delete core:filename

Example: host1/Admin# delete core:0x401_VSH_LOG.25256.TAR.GZ

Deletes a core dump file from the core: file system in Flash memory.

The filename argument specifies the name of a core dump file located in the core: file system.


OL-25343-01


Caution The packet capture function uses ACL resources as can be seen with the show np 1 access-list resource command. If you have a large ACL configuration and you enable packet capturing, the ACE may oversubscribe the allocated ACL resources. If this happens, you may see one of the following error messages:In exec mode,Error: Device Name:[0x3FF] Instance:[63] Error Type:[(null)] code:[255]In configuration mode,Error: ACL merge add acl to list failedFor information about using the show np 1 access-list resource command to monitor ACL resources and how to resolve ACL oversubscription problems, see the “Troubleshooting ACLs” section of the ACE Troubleshooting Wiki.


• Enabling the Packet Capture Function

• Copying Packet Capture Buffer Information

• Displaying or Clearing Packet Information

Enabling the Packet Capture FunctionThis section describes how to enable the packet capture function on the ACE for packet sniffing and network fault isolation. As part of the packet capture process, you specify whether to capture packets from all input interfaces or an individual VLAN interface. The packet capture feature streams output on the console as packets are received by the ACE.



• The packet capture function enables access-control lists (ACLs) to control which packets are captured by the ACE on the input interface. If the ACLs are selecting an excessive amount of traffic for the packet capture operation, the ACE will see a heavy load, which can cause a degradation in performance. We recommend that you avoid using the packet capture function when high network performance is critical.

In addition, probe traffic will not hit a security ACL so ACLs cannot control the capture of those packets. In this case, probe traffic cannot be captured by the packet capture function.

• The capture packet function works on an individual context basis. The ACE traces only the packets that belong to the current context where you execute the capture Exec mode command. The context ID, which is passed along with the packet, can be used to isolate packets that belong to a specific context. To trace the packets for a specific context, use the changeto Exec mode command to enter the specified context and then use the capture command.

• If you enable packet capture for jumbo packets, the ACE captures only the first 2048 bytes of data.

• To the control plane traffic (for example, neighbor discovery packets) is not captured.

• The ACE does not automatically save the packet capture to a file. To copy the capture buffer information as a file in Flash memory or to a remote server, use the copy capture command (see the “Copying Packet Capture Buffer Information” section).


OL-25343-01

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide%2C_Release_A2(x)_--_Troubleshooting_Access_Control_Lists#Troubleshooting_ACLs

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide%2C_Release_A2(x)

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide%2C_Release_A2(x)


• When capturing packets based on a specific interface and you delete the interface, the ACE stops the capture automatically. If you check the status of the packet capture using the show capture status command, you will notice that the capture stopped because of an interface deletion. At this point, you can perform any operation (for example, saving the old capture) on the capture except starting the capture. To restart the capture, you must delete the old capture and configure a new one. The ACE handles the deletion of an ACL or an ACL entry in a similar manner.

• When capturing packets based on a specific access list name, ensure that the access list is for an input interface. If you configure the packet capture on the output interface, the ACE will fail to match any packets.

• If you add an interface while you are already capturing all interfaces, the capture continues using all the original interfaces. If you add an ACL entry during an existing ACL capture, the capture continues normally using the original ACL criteria.

• If the ACE stops a packet capture because of an interface or ACL deletion, the following additional information appears in the output of the show capture buffer_name status command:

Capture forced to stop due to change in [interface | access-list] config.To restart the capture, remove and add the capture again.

• Under high traffic conditions, you may observe up to 64 packets printing on the console after you enter the stop keyword. These additional messages can occur because the packets were in transit or buffered before you entered the stop keyword.

Prerequisites

To create a capture based on an access list, the access list must already exist. For information about creating an access list, see the Security Guide, Cisco ACE Application Control Engine.


OL-25343-01


Detailed Steps

Command Purpose

capture buffer_name {{all | {interface vlan number}} access-list name [bufsize buf_size [circular-buffer]]} | remove | start | stop

Example:host1/Admin# capture capture1 interface vlan 50 access-list acl_v6

host1/Admin# capture capture1 interface vlan 50 access-list acl_v4

host1/Admin# capture capture1 start

host1/Admin# capture capture1 stop

Enables the packet capture function on the ACE for packet sniffing and network fault isolation.


• buffer_name—Name of the packet capture buffer. This argument associates the packet capture with a name. Specify a text string from 1 to 80 alphanumeric characters.

• all—Specifies capture packets for all input interfaces.

Note (ACE appliance only) To capture application acceleration and optimization traffic bound for the optional Cisco AVS 3180A Management Station interface, use the all keyword. This keyword captures all the traffic on all interfaces. You can then transfer the packet capture file to a remote machine to be scanned for traffic that is specific to the Management Station interface.

• interface—Specifies the interface from which to capture packets.

• vlan number—Specifies the VLAN identifier associated with the specified input interface.

• access-list name—Selects packets based on an existing access list. A packet must pass the access list filters before the packet is stored in the capture buffer. Specify a previously created access list identifier. Enter an unquoted text string with a maximum of 64 alphanumeric characters. To capture packets for both IPv6 and IPv4 in the same buffer, configure the capture command twice: once with an IPv6 ACL and once with an IPv4 ACL. See the examples.

• bufsize buf_size—(Optional) Specifies the buffer size, in kilobytes (KB), to store the packet capture. The range is from 1 to 5000 KB. The default is 64 KB.

• circular-buffer—(Optional) Enables the packet capture buffer to overwrite itself, starting from the beginning, when the buffer is full.

• remove—Removes the packet capture configuration.

• start—Starts the packet capture function and displays the messages on the session console as the ACE receives the packets. The CLI prompt returns and you can type other commands at the same time that the ACE is capturing packets. To stop the capture process, enter stop. The packet capture function automatically stops when the buffer is full unless you enable the circular buffer function.

• stop—Stops the packet capture process after a brief delay.


OL-25343-01


Copying Packet Capture Buffer InformationThis section describes how to copy an existing packet capture buffer to the disk0: file system.

Detailed Steps

Displaying or Clearing Packet InformationTo display or clear packet information, perform the following tasks:

Command Purposecopy capture capture_name disk0: [path/]destination_name

Example: host1/Admin# copy capture packet_capture_Jan_17_06 disk0: mycapture1

Copies an existing packet capture buffer to the disk0: file system


• capture_name—Name of the packet capture buffer in Flash memory. Specify a text string from 1 to 80 alphanumeric characters. If necessary, use the show capture command to view the files available in Flash memory. This list includes the name of existing packet capture buffers.

• disk0:—Specifies that the buffer is copied to the disk0: file system. Include a space between disk0: and a destination path.

• [path/]destination_name—Destination path (optional) and name for the packet capture buffer. Specify a text string from 1 to 80 alphanumeric characters. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.

Command Purpose

show capture buffer_name [detail [connid connection_id | range packet_start packet_end] | status]

Displays the packet information that the ACE traces as part of the packet capture function.


• buffer_name—Name of the packet capture buffer. Specify a text string from 1 to 80 alphanumeric characters.

• detail—(Optional) Displays additional protocol information for each packet.

• connid connection_id—(Optional) Displays protocol information for a specified connection identifier.

• range packet_start packet_end—(Optional) Displays protocol information for a range of captured packets.

• status—(Optional) Displays capture status information for each packet.

For all types of received packets, the console display is in tcpdump format.

clear capture buffer_name Clears the capture packet buffer.

The buffer_name argument specifies the name of the existing packet capture buffer to clear.


OL-25343-01

Chapter 4 Managing the ACE SoftwareUsing the Configuration Checkpoint and Rollback Service

Using the Configuration Checkpoint and Rollback ServiceThis section describes how to make a checkpoint (or snapshot) of a running configuration on your ACE and how to use the rollback service to revert to the last known stable configuration.

At some point, you may want to modify your running configuration. If you run into a problem with the modified configuration, you may need to reboot your ACE. To prevent having to reboot your ACE after unsuccessfully modifying a running configuration, you can create a checkpoint (a snapshot in time) of a known stable running configuration before you begin to modify it. If you encounter a problem with the modifications to the running configuration, you can roll back the configuration to the previous stable configuration checkpoint.

The ACE allows you to make a checkpoint configuration at the context level. The ACE stores the checkpoint for each context in a hidden directory in Flash memory. If after you enter additional commands to modify the current running configuration, you enter the rollback command option, the ACE causes the running configuration to revert to the checkpointed configuration.


• Creating a Configuration Checkpoint

• Deleting a Configuration Checkpoint

• Rolling Back a Running Configuration

Creating a Configuration CheckpointThis section describes how to create a configuration checkpoint.



• The ACE supports a maximum of 10 checkpoints for each context.

• You must perform this task in the Exec mode of the context for which you want to create a checkpoint.

• Avoid using opening braces, closing braces, white spaces, or any of the following symbols: `$&*()\|;'"<>/?

Prerequisites

Be sure that the current running configuration is stable and is the configuration that you want to make a checkpoint.


OL-25343-01


Detailed Steps

Deleting a Configuration CheckpointThis section describes how to delete a configuration checkpoint.

Prerequisites

Before you use this command, make sure that you want to delete the checkpoint. When you enter this command, the ACE removes the checkpoint from Flash memory.

Detailed Steps

Command Purpose

checkpoint create name

Example: host1/Admin# checkpoint create MYCHECKPOINTGenerating configuration....Created checkpoint 'MYCHECKPOINT'

Creates a configuration checkpoint.

The name argument specifies the unique identifier of the checkpoint. Enter a text string with no spaces and a maximum of 25 alphanumeric characters.

If the checkpoint already exists, the CLI responds with the following prompt:

Checkpoint already existsDo you want to overwrite it? (y/n) [n] y Generating configuration....Created checkpoint 'MYCHECKPOINT'

The default is n. If you do not want to overwrite the existing checkpoint, press Enter. To overwrite the existing checkpoint, enter y.

Command Purpose

Step 1 show checkpoint all

Example: host1/Admin# show checkpoint all

(Optional) Displays a list of all existing checkpoints.

Step 2 checkpoint delete name

Example: host1/Admin# checkpoint delete MYCHECKPOINT

Deletes a configuration checkpoint.



OL-25343-01


Rolling Back a Running ConfigurationThis section describes how to roll back the current running configuration to the previously checkpointed running configuration for the current context.

Detailed Steps

If the running-configuration file has the no ft auto-sync command configured and the checkpoint has the ft auto-sync command configured, a checkpoint rollback will fail with the following message:

Warning : 'no ft auto-sync' & 'ft auto-sync' conflict detected - Rollback will failFailing Scenario - running config has 'no ft auto-sync' / checkpoint has 'ft auto-sync'

Command Purpose




Step 2 show checkpoint detail name

Example: host1/Admin# show checkpoint MYCHECKPOINT5

(Optional) Displays the running configuration of the specified checkpoint.

Step 3 checkpoint rollback name

Example: host1/Admin# checkpoint rollback MYCHECKPOINT5This operation will rollback the system's running configuration to the checkpoint's configuration.Do you wish to proceed? (y/n) [n] yRollback in progress, please wait...Generating configuration....Rollback succeededhost1/Admin#

Rolls back the current running configuration to the previously checkpointed running configuration for the current context.



OL-25343-01


Copying a CheckpointThis section describes how to copy a checkpoint to one of several destinations.

Detailed Steps

Command Purpose




Step 2 copy checkpoint:filename disk0:[path/]filename | image:image_name | startup-config | {ftp://server/path[/filename] | sftp://[username]server/path[/filename] | tftp://server[:port]/path[/filename]}

Example:host1/Admin# copy checkpoint:CHECKPOINT1.txt ftp://192.168.1.2 Enter the destination filename[]? [CHECKPOINT1.txt]Enter username[]? user1Enter the file transfer mode[bin/ascii]: [bin]Password:Passive mode on.Hash mark printing on (1024 bytes/hash mark).

Note The bin (binary) file transfer mode is intended for transferring compiled files (executables). The ascii file transfer mode is intended for transferring text files, such as config files. The default selection of bin should be sufficient in all cases when copying files to a remote FTP server.

Copies the specified checkpoint file to the specified destination.

• filename—Filename of the checkpoint file residing on the ACE in flash memory.

• disk0:[path/]filename—Specifies that the file destination is the disk0: directory of the current context and the filename for the checkpoint. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.

• image:image_name—Specifies that the file destination is an image in the image: directory.

• startup-config—Specifies that the destination file is the startup-configuration file.

• ftp://server/path[/filename]—Specifies the File Transfer Protocol (FTP) network server and optional renamed checkpoint file.

• sftp://[username@]server/path[/filename]—Specifies the Secure File Transfer Protocol (SFTP) network server and optional renamed checkpoint file.

• tftp://server[:port]/path[/filename]—Specifies the Trivial File Transfer Protocol (TFTP) network server and optional renamed checkpoint file.


OL-25343-01


Comparing a Checkpoint with the Running-Configuration FileThis section describes how to compare a checkpoint with the running-configuration file.

Detailed Steps

Displaying Checkpoint InformationTo display checkpoint information, perform the following task:

Table 4-3 describes the fields that appear in the show checkpoint all command output.

Command Purpose




Step 2 compare checkpoint name

Example: host1/Admin# compare checkpoint MYCHECKPOINT5Checkpoint config is same as running config

host1/Admin#

Compares the specified checkpoint with the running-configuration file.

The name argument specifies the unique identifier of an existing checkpoint. Enter a text string with no spaces and a maximum of 25 alphanumeric characters.

If the checkpoint configuration is the same as the running-config, the output of this command is the following:

Checkpoint config is same as running config

If the checkpoint configuration is different from the running-config, the output will be the difference between the two configurations.

Command Purpose

show checkpoint {all | detail name} [|] [>] Displays information relating to the configured checkpoints.

• all—Displays a list of all existing checkpoints. The show output includes checkpoint time stamps.

• detail name—Displays the running configuration of the specified checkpoint.

Table 4-3 Field Descriptions for the show checkpoint all Command Output

Field Description

Checkpoint Name of the checkpoint

Size Size (in bytes) of the checkpoint

Date Date and time at which the checkpoint was created


OL-25343-01

Chapter 4 Managing the ACE SoftwareSetting Thresholds for and Displaying the Network Processor Buffer Usage

Setting Thresholds for and Displaying the Network Processor Buffer Usage

When the ACE is processing very heavy network traffic, the internal buffers of a network processor (NP) may reach their capacity. If this happens, the ACE may become unresponsive and require a manual reload. To set threshold levels for the NP buffers in the active and the standby ACEs and cause the active ACE to reboot if the thresholds are reached or exceeded, use the buffer threshold command in configuration mode in the Admin context. The ACE checks the status of NP buffer usage every five seconds to initiate the reload action if the buffer threshold is configured and reached, and to generate syslogs if necessary. If the buffer threshold command is configured and if the NP buffer usage reaches or exceeds the threshold, the ACE reloads. In a redundant configuration, a switchover occurs and the former standby ACE becomes the active ACE. In the absence of this command, the automatic reload feature is disabled. You can also use this command in a standalone ACE.


OL-25343-01

Chapter 4 Managing the ACE SoftwareSetting Thresholds for and Displaying the Network Processor Buffer Usage

Detailed Steps

Command Purpose

buffer threshold active number1 standby number2 action reload

Example: host1/Admin(config)# buffer threshold active 88 standby 40 action reload

Sets threshold levels for the NP buffers in the active and the standby ACEs and cause the active ACE to reboot if the thresholds are reached or exceeded.

• active number1—Specifies the buffer threshold for the active redundant ACE or stand-alone ACE as a percentage. Enter 50, 75, 88, 95, or 100. There is no default value. In a redundant configuration, if the buffer usage of any NP reaches or exceeds the threshold and each of the NP’s buffer usage in the standby ACE is below the configured standby threshold, the active ACE reboots and a switchover occurs. For a standalone ACE, if any of the NP’s buffer usage exceeds the active value, then the ACE reboots.

• standby number2—Specifies the buffer threshold for the standby redundant ACE. Enter 10, 20, 30, 40, 50. There is no default value. In a redundant configuration, if the active ACE buffer usage reaches or exceeds the configured active threshold and the standby ACE buffer usage reaches or exceeds the standby threshold, the active ACE does not reboot and no switchover occurs. For a reload and a switchover to occur, the standby buffer usage of all NPs must be less than the configured standby threshold value.

• action reload—Specifies that the ACE reloads when the buffer utilization exceeds the configured threshold. In a redundant configuration, a switchover occurs upon reload of the active ACE.

show np number buffer usage

Example: host1/Admin# show np 1 buffer usageTotal Internal Buffer : 155648Internal buffers allocated : 175Internal buffer usage : 0.11%Total External Buffer : 65536External buffers allocated : 0External buffer usage : 0.00%Automatic reload : disabled

Displays the buffer usage of each NP.

• number—Number of the NP for which you want to display buffer usage. For the ACE module, enter an integer from 1 to 4. For the ACE appliance, enter an integer from 0 to 1.

• buffer usage—Displays buffer usage statistics for the Specified NP.


OL-25343-01

Chapter 4 Managing the ACE SoftwareReformatting the ACE Module Flash Memory

Reformatting the ACE Module Flash MemoryThe ACE module uses the file allocation table (FAT16) as the base file system. The file system is used to allocate and organize storage space for various types of storage, such as startup-configuration files, SSL certificate storage, core files, image storage, and log files. Reformatting Flash memory on the ACE module allows you to erase all data on the Flash memory and reformat it with the FAT16 version of the file allocation table. All user-defined configuration information is erased.

Caution We recommend that you reformat the ACE module Flash memory only under the guidance and supervision of Cisco Technical Assistance Center (TAC).

Prerequisites

Before you reformat the Flash memory, we recommend that you copy the following ACE module operation and configuration files or objects to a remote server:

• ACE module software image

• ACE module license

• Startup-configuration file of each context

• Running-configuration file of each context

• Core dump files of each context

• Packet capture buffers of each context

• SSL certificate and key pair files of each context

See the “Copying Files” section for details on how to use the copy command to save configuration files or objects, such as the existing startup-configuration files, running-configuration file, licenses, core dump files, or packet capture buffers, to a remote FTP, SFTP, or TFTP server.

See the SSL Guide, Cisco ACE Application Control Engine for details on how to use the crypto export command to export SSL certificate and key pair files to a remote FTP, SFTP, or TFTP server.

Detailed Steps

Reformatting the ACE Appliance Flash MemoryThe ACE appliance uses the third extended file system (ext3) as the base file system. The file system is used to allocate and organize storage space for various types of storage, such as startup-configuration files, SSL certificate storage, core files, image storage, and log files.

Reformatting the Flash memory erases all data on the Flash memory and reformat it with the ext3 base file system. All user-defined configuration information is erased.

Command Purposeformat disk0:

Example: host1/Admin# format disk0:Warning!! This will reboot the system after formatting disk0.Do you wish to proceed anyway? (y/n) [n] y

Reformats Flash memory on the ACE module and erases all data.


OL-25343-01

Chapter 4 Managing the ACE SoftwareReformatting the ACE Appliance Flash Memory

The ACE appliance performs the following verification sequence prior to reformatting Flash memory:

• If the system image (the current loaded image) is present in the GNU GRand Unified Bootloader (GRUB) boot loader, the ACE appliance automatically performs a backup of that image and then performs the reformat of Flash memory.

• If the system image is not present in the Grub boot loader, the ACE appliance prompts you for the location of an available image to backup prior to reformatting the Flash memory.

• If you choose not to backup an available image file, the ACE appliance searches for the ACE-APPLIANCE-RECOVERY-IMAGE.bin image in the Grub partition of Flash memory. ACE-APPLIANCE-RECOVERY-IMAGE.bin is the recovery software image that the ACE appliance uses if the disk partition in Flash memory is corrupted.

– If ACE-APPLIANCE-RECOVERY-IMAGE.bin is present, the ACE appliance continues with the Flash memory reformat. The CLI prompt changes to “switch(RECOVERY-IMAGE)/Admin#” as a means for you to copy the regular ACE appliance software image.

– If ACE-APPLIANCE-RECOVERY-IMAGE.bin is not present, the ACE appliance stops the Flash memory reformat because there is no image to boot after format.

Prerequisites

Before you reformat Flash memory, we recommend that you copy the following ACE appliance operation and configuration files or objects to a remote server:

• ACE appliance software image

• ACE appliance license

• Startup-configuration file of each context

• Running-configuration file of each context

• Core dump files of each context

• Packet capture buffers of each context

• SSL certificate and key pair files of each context

See the “Copying Files” section for details on how to use the copy command to save configuration files or objects, such as the existing startup-configuration files, running-configuration file, licenses, core dump files, or packet capture buffers, to a remote FTP, SFTP, or TFTP server.

See the SSL Guide, Cisco ACE Application Control Engine for details on how to use the crypto export command to export SSL certificate and key pair files to a remote FTP, SFTP, or TFTP server.


OL-25343-01


Detailed Steps

What to Do Next

After you reformat the Flash memory, perform the following actions:

• Reinstall the ACE appliance software image by using the copy image: command (see the Release Note, Cisco ACE 4700 Series Application Control Engine Appliance).

• Reinstall the ACE appliance license by using the license install command (see Chapter 3, Managing ACE Software Licenses).

• Import the startup and running-configuration files into the associated context by using the copy command (see the “Copying Configuration Files from a Remote Server” section).

• Import SSL certificate files and key pair files into the associated context using by the crypto import command (see the SSL Guide, Cisco ACE Application Control Engine).

Command Purpose

format flash:

Example: host1/Admin# format flash:Warning!! This will erase everything in the compact flash including startup configs for all the contexts and rebootthe system!!Do you wish to proceed anyway? (yes/no) [no] yes

Erases all data on the Flash memory of the ACE appliance and reformats it with the ext3 base file system.

If the ACE appliance fails to extract a system image from the Grub bootloader, it prompts you to provide the location of an available system image to backup:

Failed to extract system image Information from Grubbackup specific imagefile? (yes/no) [no] yes Enter Image name: c4710ace-t1k9-mz.A4_1_0.binSaving Image [c4710ace-t1k9-mz.A4_1_0.bin]Formatting the cf.....Unmounting ext3 filesystems...Unmounting FAT filesystems...Unmounting done...

Unmounting compact flash filesystems...format completed successfullyRestoring Image backupimage/scimi-3.binkjournald starting. Commit interval 5 secondsREXT3 FS on hdb2, internal journalEXT3-fs: mounted filesystem with ordered data mode.starting graceful shutdownhost1/Admin# Unmounting ext3 filesystems...Unmounting FAT filesystems...Unmounting done...


OL-25343-01



OL-25343-01

AdministOL-25343-01

C H A P T E R 5
Displaying ACE Hardware and Software System Information

This chapter describes how to display ACE hardware and software system information.

This chapter does not include information for displaying the running- or startup-configuration files. To display the contents of these files, see Chapter 4, Managing the ACE Software.


• Information About Displaying ACE Hardware and Software Information

• Displaying Hardware Information

• Displaying Installed Software Information

• Displaying System Processes and Memory Resources Limits

• Displaying System Information

• Displaying or Clearing ICMP Statistics

• Displaying or Collecting Technical Information for Reporting Problems

Information About Displaying ACE Hardware and Software Information

The ACE CLI provides a comprehensive set of show commands in Exec mode that you can use to gather the following system information:

• Installed hardware and software information

• System processes

• System information

• Technical support

The following commands display internal system-level hardware show output for use by trained Cisco personnel as an aid in debugging and troubleshooting the ACE:

• show buffer, show fifo, show netio, show np and show vnet commands

• (ACE module only) show cde, show hyp, show lcp, and show scp commands


Chapter 5 Displaying ACE Hardware and Software System InformationDisplaying Hardware Information

For background information about these show commands, see the Command Reference, Cisco ACE Application Control Engine.

Displaying Hardware InformationTo display ACE hardware information, perform one of the following tasks:

Command Purpose

show hardware Displays the ACE hardware details. For descriptions of the fields in the command output, see the following table:

• (ACE30 module only) Table 5-1

• (ACE appliance only) Table 5-2

show inventory [raw] Displays the system hardware inventory of the ACE. This command displays information about the field replaceable units (FRUs) in the ACE, including product identifiers, serial numbers, and version identifiers. The raw option displays information about each temperature sensor (ACE module) or component (ACE appliance) in the ACE.

For descriptions of the fields in the show inventory command output, see the following table:

• (ACE30 module only) Table 5-3

• (ACE appliance only) Table 5-4

show dc dc_number console (ACE module only) Displays whether the master or the slave network processor console is directed to the base board front panel for the specified daughter card. For example, if the master network processor is directed to the front panel, the following message appears:

mCPU console is directed to base board front panel

See the set dc dc_number console command in the “Setting the Daughter Card Network Processor for Console Access” section.

Table 5-1 Field Descriptions for the ACE Module show hardware Command

Field Description

Hardware

Product Number Product number of the ACE30 (ACE30-MOD-K9)

Serial Number Serial number of the ACE30 (SADnnnnnnTn)

Card Index Location of the ACE30, specified as a fixed index value of 207

Hardware Rev Hardware revision of the ACE30

Feature Bits Enabled feature bits of the ACE30 hardware

Slot No. Slot number in the switch or router chassis where the ACE30 is installed

Type Identifies the module type installed in the switch or router chassis as an ACE30 module

Module Mode Supported internetworking speeds in Gigabits per second (Gbps)

Daughter Card Daughter card in slot 1 of the ACE30

Product Number Product number of daughter card 1 (ACEMOD-EXPN-DC)

Serial Number Serial number of daughter card 1 (SADnnnnnnVx)


OL-25343-01


Card Index Location of daughter card 1, specified as a fixed index value of 309

Hardware Rev Hardware revision of the daughter card

Feature Bits Enabled feature bits of the daughter card hardware

Slot No. Slot number (1) in the ACE30 where the daughter card is installed

Controller FPGA Hardware revision of the field-programmable gate array (FPGA) controller

NP 1 Network processor 1

Clock Rate Clock rate of NP1 (600000000 Hz)

Memory Size Size of the NP1 memory (4096 MB)

NP 2 Network Processor 2



Daughter Card Daughter card in slot 2 of the ACE30

Product Number Product number of daughter card 2 (ACEMOD-EXPN-DC)

Serial Number Serial number of daughter card 2 (SADnnnnnnVx)

Card Index Location of daughter card 2, specified as a fixed index value of 309

Hardware Rev Hardware revision of the daughter card

Feature Bits Enabled feature bits of the daughter card hardware

Slot No. Slot number (2) in the ACE30 where the daughter card is installed

Controller FPGA Hardware revision of the field-programmable gate array (FPGA) controller







Table 5-2 Field Descriptions for the ACE Appliance show hardware Command

Field Description

Product Number Product number of the ACE appliance

Serial Number Serial number of the ACE appliance

Hardware Rev Hardware revision of the ACE appliance

VID Version identification number of the ACE appliance

MFG Part Num Manufacturing part number of the ACE appliance

MFG Revision Manufacturing revision of the ACE appliance

Slot No. Not applicable

Type Identifies the device type as an ACE appliance

Table 5-1 Field Descriptions for the ACE Module show hardware Command (continued)

Field Description


OL-25343-01


Examples

(ACE module only) The following example shows the output of the show inventory raw command for the ACE module:

switch/Admin# show inventory raw

NAME: "module 11", DESCR: "Application Control Engine Service Module" PID: ACE30-MOD-K9 , VID: 2.3, SN: SAD114005T7

NAME: "submodule 1", DESCR: "ACE Expansion Card" PID: ACEMOD-EXPN-DC , VID: 0.401, SN: SAD123000VH

Table 5-3 Field Descriptions for the ACE Module show inventory Command

Field Description

Name Name assigned to the ACE30 (module nn) and the two daughter cards (submodule 1 and 2) in the switch or router chassis.

If you specify the raw option, the Name field displays “temperature” for the temperature sensor in the ACE30.

Descr Description of the ACE30 (Application Control Engine Service Module) and the two daughter cards installed in the switch or router chassis.

If you specify the raw option, this field also displays a brief description of each temperature sensor in the ACE30.

PID Product identifier of the ACE30 (ACE30-MOD-K9) and the daughter cards (ACEMOD-EXPN-DC). If you specify the raw option, this field is not applicable.

VID Hardware revision of the ACE30 and the daughter cards. If you specify the raw option, this field is not applicable.

SN Serial number of the ACE30 and the daughter cards. If you specify the raw option, this field is not applicable.

Table 5-4 Field Descriptions for the ACE Appliance show inventory Command

Field Description

Name Name assigned to the ACE appliance component

If you do not specify the raw option, ACE appliance is the only named object that is displayed. If you specify the raw option, this field also displays each monitored component of the ACE appliance.

Descr Description of the ACE appliance.

If you specify the raw option, this field also displays the description for each component.

PID Product identifier of the ACE appliance.

If you specify the raw option, this field is not applicable for the other components.

VID Hardware revision of the ACE appliance.


SN Serial number of the ACE appliance.



OL-25343-01

Chapter 5 Displaying ACE Hardware and Software System InformationDisplaying Installed Software Information

NAME: "submodule 2", DESCR: "ACE Expansion Card" PID: ACEMOD-EXPN-DC , VID: 0.401, SN: SAD123000V4

NAME: "temperature", DESCR: "Inlet Temperature" PID: , VID: , SN:

NAME: "temperature", DESCR: "Outlet Temperature" PID: , VID: , SN:

NAME: "temperature", DESCR: "SIBYTE Temperature Sensor" PID: , VID: , SN:

NAME: "temperature", DESCR: "HYPERION Temperature Sensor" PID: , VID: , SN:

NAME: "temperature", DESCR: "CDE0 Temperature Sensor" PID: , VID: , SN:

NAME: "temperature", DESCR: "CDE1 Temperature Sensor" PID: , VID: , SN:

NAME: "temperature", DESCR: "DB1 Temperature Sensor" PID: , VID: , SN:

NAME: "temperature", DESCR: "DB2 Temperature Sensor" PID: , VID: , SN:

NAME: "temperature", DESCR: "SSA Temperature Sensor" PID: , VID: , SN:

(ACE appliance only) The following example shows the output of the show hardware command for the ACE appliance:

host1/Admin # show hardwareHardwareProduct Number: ACE-4710-K9Serial Number: QCN21220038Hardware Rev: 1.1VID: V02CLEI: COUCAFJCAAMFG Part Num: 800-29070-02MFG Revision: 01Slot No. : 1Type: Unknown

Displaying Installed Software InformationTo display the installed software copyright or version information for the ACE, perform one of the following tasks:

Command Purpose

show copyright Displays the software copyright information for the ACE.

show version Displays the version of system software that is currently running on the ACE in Flash memory.

You use the show version command to verify the software version on the ACE before and after an upgrade.


OL-25343-01

Chapter 5 Displaying ACE Hardware and Software System InformationDisplaying Installed Software Information

Examples

The following example shows the output for the show copyright command:

host1/Admin# show copyrightCisco Application Control Software (ACSW)TAC support: http://www.cisco.com/tacCopyright (c) 1985-2010, Cisco Systems, Inc. All rights reserved.The copyrights to certain works contained herein are owned byother third parties and are used and distributed under license.Some parts of this software are covered under the GNU PublicLicense. A copy of the license is available athttp://www.gnu.org/licenses/gpl.html.

(ACE module only) The following example shows the output for the show version command:

switch/Admin# show versionCisco Application Control Software (ACSW)TAC support: http://www.cisco.com/tacCopyright (c) 1985-2010 by Cisco Systems, Inc. All rights reserved.The copyrights to certain works contained herein are owned byother third parties and are used and distributed under license.Some parts of this software are covered under the GNU PublicLicense. A copy of the license is available athttp://www.gnu.org/licenses/gpl.html.

Software loader: Version 12.2[123] system: Version A4(1.0) [build 3.0(0)A4(1.0) 12:57:44-2010/09/17_REL_3_0_0_A4_1_0] system image file: [LCP] disk0:gmt.bin installed license: ACE30-MOD-16-K9

Hardware Cisco ACE (slot: 11) cpu info: number of cpu(s): 2 cpu type: SiByte cpu: 0, model: SiByte SB1 V0.2, speed: 11.32(BogoMIPS) cpu: 1, model: SiByte SB1 V0.2, speed: 11.32(BogoMIPS) memory info: total: 1014396 kB, free: 295160 kB shared: 0 kB, buffers: 780 kB, cached 0 kB cf info: filesystem: /dev/cf total: 1014624 kB, used: 890928 kB, available: 123696 kB

last boot reason: reload command by adminconfiguration register: 0switch kernel uptime is 1 days 2 hours 27 minute(s) 7 second(s)

(ACE appliance only) The following example shows the output for the show version command:

host1/Admin# show versionCisco Application Control Software (ACSW)TAC support: http://www.cisco.com/tacCopyright (c) 1985-2010 by Cisco Systems, Inc. All rights reserved.The copyrights to certain works contained herein are owned byother third parties and are used and distributed under license.Some parts of this software are covered under the GNU PublicLicense. A copy of the license is available athttp://www.gnu.org/licenses/gpl.html.

Software loader: Version 0.95


OL-25343-01

Chapter 5 Displaying ACE Hardware and Software System InformationDisplaying System Processes and Memory Resources Limits

system: Version A4(1.0) [build 3.0(0)A4(1.0) adbuild_03:31:25-2010/09/176_/auto/adbure_nightly2/nightly_rel_a4_1_0_throttle/REL_3_0_0_A4_1_0 system image file: (hd)c4710ace-t1k9-mz.A4_1_0.bin Device Manager version 4.1 (0) 20080805:0415

installed license: ACE-AP-VIRT-020 ACE-AP-C-1000-LIC

Hardware cpu info: Motherboard: number of cpu(s): 2 Daughtercard: number of cpu(s): 16 memory info: total: 6226392 kB, free: 4315836 kB shared: 0 kB, buffers: 17164 kB, cached 0 kB cf info: filesystem: /dev/hdb2 total: 935560 kB, used: 611564 kB, available: 276472 kB

last boot reason: Unknownconfiguration register: 0x1 kernel uptime is 0 days 21 hours 25 minute(s) 17 second(s)

Displaying System Processes and Memory Resources LimitsThis section describes how display system processes and memory resource limits and contains the following topics:

• Displaying General System Process Information

• Displaying Detailed Process Status Information and Memory Resource Limits


OL-25343-01


Displaying General System Process InformationTo display general information about all of the processes running on the ACE, perform the following task:

Command Purpose

show processes [cpu | log [details | pid process_id] | memory]

Displays general information about all of the processes running on the ACE. This command is available only to users with an Admin role across all contexts. The displayed system processes information is at the CPU system level (the total CPU usage) and is not on a per-context level.

The show processes command with no options displays summary CPU information for the SiByte 1250 Processor (ACE module) or Intel Pentium processor (ACE appliance). Table 5-5 describes the fields for the command output.

The optional keywords and argument are as follows:

• cpu—Displays CPU information for the SiByte 1250 Processor, the BCM1250 dual core MIPS processor (ACE module), or Intel Pentium processor (ACE appliance). Table 5-6 describes the fields for this option.

• log—Displays information about process logs. Table 5-7 describes the fields for this option.

The options for the log keyword are as follows.

– details—Displays process log information for all process identifiers

– pid process_id—Displays information about a specific process identifier

Table 5-8 describes the fields for the details and pid options.

• memory—Displays memory information about the processes. Table 5-9 describes the fields for this option.


OL-25343-01


Table 5-5 Field Descriptions for the show processes Command

Field Description

PID Process identifier.

State Process state. Included below is a summary of the different process state codes that can appear to describe the state of a process:

• D—Uninterruptible sleep (usually I/O related)

• ER—Error while running

• NR—Not running

• R—Running or runnable (on run queue)

• S—Interruptible sleep (waiting for an event to complete)

• T—Stopped, either by a job control signal or because it is being traced

• W—Paging

• X—Process is dead

• Z—Defunct (“zombie”) process, terminated but not reaped by its parent

PC Current program counter in hexadecimal format.

Start_cnt Number of times a process has been started.

TTY Terminal that controls the process. A “—” usually means a daemon is not running on any particular tty.

Process Name of the process.

Table 5-6 Field Descriptions for the show processes cpu Command

Field Description

CPU Utilization Percentage of CPU utilization for the ACE for a 5-second interval, 1-minute interval, and a 5-minute interval

PID Process identifier

Runtime (ms) CPU time the process has used, expressed in milliseconds

Invoked Number of times that the process has been invoked

uSecs Microseconds of CPU time as an average for each process invocation

1 Sec CPU utilization as a percentage for the last second

5 Sec CPU utilization as a percentage for the last 5 seconds

1 Min CPU utilization as a percentage for the last minute

5 Min CPU utilization as a percentage for the last 5 minutes

Process Name of the process


OL-25343-01


Table 5-7 Field Descriptions for the show processes log Command

Field Description



Normal-exit Status of whether the process exited normally

Stack Status of whether a stack trace is in the log

Core Status of whether a core file exists

Log-create-time Time when the log file was generated

Table 5-8 Field Descriptions for the show processes log [details | pid] Command

Field Description

Service Name of the service.

Description Brief description of the service.

Started at Time the process started.

Stopped at Time the process stopped.

Uptime Length of time that the process was active.

Start type System manager option that indicates the process restartability characteristics (that is, whether it is a stateless restart or stateful restart).

Death reason Reason that the system manager killed the process (for example, no sysmgr heartbeats).

Exit code Exit code with which the process exited.

Normally, the Exit code provides the signal number which killed the process.

CWD Current working directory.

Virtual memory Virtual memory addresses where the code, data heap, and stack of the process are located.


SAP Service access point.

UUID Universal unique identifier of the CPU.

Table 5-9 Field Descriptions for the show processes memory Command

Field Description


MemAlloc Total memory allocated by the process

StackBase/Ptr Process stack base and current stack pointer in hex format



OL-25343-01


Examples

(ACE module only) The following example shows the output for the show processes mem command:

host1/Admin# show processes memoryPID MemAlloc StackBase/Ptr Process----- -------- ----------------- ---------------- 1 630784 7fb36f20/7fb36948 init 2 0 0/0 migration/0 3 0 0/0 posix_cpu_timer 4 0 0/0 softirq-high/0 5 0 0/0 softirq-timer/0 6 0 0/0 softirq-net-tx/ 7 0 0/0 softirq-net-rx/ 8 0 0/0 softirq-block/0 9 0 0/0 softirq-tasklet 10 0 0/0 softirq-rcu/0 11 0 0/0 watchdog/0 12 0 0/0 desched/0 13 0 0/0 migration/1 14 0 0/0 posix_cpu_timer 15 0 0/0 softirq-high/1 16 0 0/0 softirq-timer/1 17 0 0/0 softirq-net-tx/ 18 0 0/0 softirq-net-rx/ 19 0 0/0 softirq-block/1 20 0 0/0 softirq-tasklet 21 0 0/0 softirq-rcu/1 22 0 0/0 watchdog/1 23 0 0/0 desched/1 24 0 0/0 events/0 25 0 0/0 events/1 26 0 0/0 khelper 27 0 0/0 kthread 114 0 0/0 sibytecf0 152 0 0/0 loop0 159 0 0/0 loop1 166 0 0/0 loop2 173 0 0/0 loop3 180 0 0/0 loop4 736 3178496 7fc4ee60/7fc4e748 lcpfw 843 393216 7fc71e30/0 insmod 886 0 0/0 PCI 919 2940928 7fbe0df0/7fbe0aa0 httpd 933 1392640 7fadee40/7fadea70 mtsmon 936 3497984 7ffa5e70/7ffa58d8 sysmgr 968 54292480 7fd11cc0/7fd11878 syslogd 969 1859584 7fc61ce0/7fc60c78 sdwrapd 973 2330624 7ffe5ce0/7ffe5730 pfmgr 976 1863680 7fbe0df0/7fbe09b8 httpd 977 1896448 7fbe0df0/7fbe09a0 httpd 981 3170304 7fd54d00/7fd547b8 ntp 983 1449984 7faa3c30/7faa2908 lmgrd 984 1691648 7f8cdcf0/7f8cd4a0 fs-daemon 985 2445312 7f88acf0/7f88aac8 confcheck 986 2830336 7fd2ece0/7fd2e8f0 licmgr 989 9785344 7fff3d10/7fff3720 vshd 999 1589248 7ff38c00/7ff38a30 cisco 1008 475136 7fdc6ca0/7fdc6b70 klogd 1011 2551808 7fd74cb0/7fd74a78 xinetd 1012 6012928 7f9a4ce0/7f9a4680 vacd 1013 2363392 7fac5d10/7fac5620 ttyd 1014 1568768 7fb6ed00/7fb6e958 sysinfo 1015 7155712 7fcc2cd0/7fcc1570 snmpd


OL-25343-01


1016 2199552 7fd15cf0/7fd15918 sme 1017 2301952 7fef3cc0/7fef37d0 scripted_hm 1018 3305472 7ffd2ce0/7ffd1638 radiusd 1019 1548288 7ffb7cf0/7ffb7310 rad 1020 1613824 7f94fce0/7f94f958 pktcap 1021 47558656 7fe03ce0/7fdeef78 nd_mgr 1022 2560000 7f8cacd0/7f8ca730 nat_dnld 1023 3821568 7fecacc0/7feca938 itasca_ssl 1024 32866304 7fe9dcb0/7fe9d6b8 itasca_route_mgr 1025 1859584 7fb63cd0/7fb63950 itasca_fm 1026 8085504 7fd96ce0/7fd968e8 ifmgr 1027 1548288 7fc7fcc0/7fc7f6f0 hsrp_track 1028 4792320 7fc7fcf0/7fc7eff0 hm 1029 2740224 7fdd0ce0/7fdd04c8 ha_mgr 1030 3518464 7fe1bcd0/7fe1b040 ha_dp_mgr 1031 1609728 7f86fcd0/7f86f2f8 gslb_proto 1032 4980736 7fc8cce0/7fc8cb10 dhcv6relay 1033 2355200 7fd7ecf0/7fd7e8f0 dhcrelay 1034 1794048 7fb15cf0/7fb156b8 core-dmon 1035 5009408 7fea7cc0/7fea7120 config_cntlr 1036 1601536 7fa30ce0/7fa304d0 bpdu 1037 2211840 7ff5fce0/7ff5f8a8 ascii-cfg 1038 47419392 7f940cd0/7f92bdb0 arp_mgr 1039 211857408 7fe82cd0/7fe822c8 aclmerged 1040 3215360 7ff6ccd0/7ff6b608 tacacs 1041 2990080 7fcc8ce0/7fcc7aa0 ldap 1042 3186688 7faf2ce0/7faf2868 aaa 1058 7704576 7feadcd0/7feac8f0 securityd 1066 107794432 7f828ce0/7f825a20 cfgmgr 1082 2363392 7f855e90/7f853838 login_o 1097 0 0/0 TL_INIT_THREAD 1155 0 0/0 Peer 1249 4489216 7f890ee0/7f88fa98 vsh23600 765952 7fe7dce0/7fe7d6a8 telnetd23601 2400256 7ff2df10/7ff2b8b8 login_o23609 4255744 7fa5fec0/7fa5ea88 vsh23634 2314240 7fa5fec0/7fa5c0e0 vsh23635 675840 7ffa0e70/7ffa0bb8 more23636 0 7fe51c90/7fe51578 ps

(ACE appliance only) The following example shows the output for the show processes mem command:

host1/Admin# show processes memoryswitch/Admin# show proc mem

PID MemAlloc StackBase/Ptr Process----- -------- ----------------- ---------- 1 495616 bffffe40/bffff930 init 2 0 0/0 migration/ 3 0 0/0 ksoftirqd/ 4 0 0/0 desched/0 5 0 0/0 migration/ 6 0 0/0 ksoftirqd/ 7 0 0/0 desched/1 8 0 0/0 events/0 9 0 0/0 events/1 10 0 0/0 khelper 15 0 0/0 kthread 24 0 0/0 kacpid 117 0 0/0 kblockd/0 118 0 0/0 kblockd/1 171 0 0/0 pdflush 172 0 0/0 pdflush 173 0 0/0 kswapd0


OL-25343-01


174 0 0/0 aio/0 175 0 0/0 aio/1 252 0 0/0 kseriod 362 30277632 bfffe9c0/b220f8e4 mysqld 566 0 0/0 kirqd 649 30277632 bfffe9c0/b21df8e4 mysqld 725 0 0/0 kjournald 803 0 0/0 loop0 804 0 0/0 kjournald 813 0 0/0 loop1 814 0 0/0 kjournald 823 0 0/0 loop2 824 0 0/0 kjournald 833 0 0/0 loop3 834 0 0/0 kjournald 843 0 0/0 loop4 844 0 0/0 kjournald 929 303104 bfffeee0/0 insmod 1035 0 0/0 Octeon 1166 0 0/0 PCI 1609 30277632 bfffe9c0/b24808e4 mysqld 1780 1298432 bfffe3f0/bfffe06c mtsmon 1811 3092480 bffff450/bffff180 httpd 1821 659456 bffff000/bfffed5c cron 1831 1482752 bfffeb60/bfffe7cc watchdog 1833 2981888 bfffe970/bfffe340 sysmgr 1868 42590208 bffff6a0/bffff2cc syslogd 1869 1794048 bffff640/bfffe600 sdwrapd 1874 2170880 bffff3c0/bffff03c pfmgr 1890 6307840 bfffebf0/bfffe5c8 vshd 1891 2924544 bfffeb70/bfffe400 ntp 1892 1216512 bfffea10/bfffd2d0 lmgrd 1893 1597440 bfffea50/bfffe1d0 fs-daemon 1895 2310144 bfffe960/bfffe780 confcheck 1897 2809856 bfffe840/bfffe468 licmgr 1911 3534848 bfffe1c0/bfffe020 ntpd 1916 1404928 bfffddf0/bfffdc30 cisco 1917 2265088 bfffde10/bfffdc40 xinetd 1918 3817472 bfffddd0/bfffd7ac vacd 1919 2564096 bfffdd70/bfffd660 ttyd 1920 5492736 bffffce0/bffff97c sysinfo 1921 8499200 bffffc40/bfffe65c snmpd 1922 2101248 bffffbd0/bffff83c sme 1923 2228224 bffffb20/bffff5d0 scripted_h 1924 3141632 bffffac0/bfffe400 radiusd 1925 1413120 bffffa50/bffff79c rad 1926 1544192 bffff9c0/bffff67c pktcap 1927 41160704 bffff940/bfffec7c nd_mgr 1928 2351104 bffff8c0/bffff35c nat_dnld 1929 4214784 bffff830/bffff4dc itasca_ssl 1930 32788480 bffff790/bffff1bc itasca_rou 1931 1765376 bffff730/bffff3dc itasca_fm 1932 8060928 bffff6c0/bffff2dc ifmgr 1933 6647808 bffff650/bfffe96c hm 1934 2408448 bffff5c0/bfffed60 ha_mgr 1935 3465216 bffff530/bfffec40 ha_dp_mgr 1936 1482752 bffff4b0/bfffeae0 gslb_proto 1937 4956160 bffff440/bffff2b0 dhcv6relay 1938 2334720 bffff3d0/bffff010 dhcrelay 1939 2633728 bffff320/bfffe6ec config_cnt 1940 1527808 bffff2d0/bfffec8c bpdu 1941 2101248 bffff260/bfffef1c avs_stat 1942 1740800 bffff1e0/bfffe3c8 avs_cm 1943 7884800 bffff130/bfffeea0 avs


OL-25343-01


1944 2117632 bffff0c0/bfffec78 ascii-cfg 1945 41406464 bffff040/bfffe03c arp_mgr 1946 163233792 bfffefb0/bfffe9dc aclmerged 1947 3198976 bfffef40/bfffd650 tacacs 1948 2859008 bfffeec0/bfffdcc0 ldap 1949 3010560 bfffee50/bfffe9f8 aaa 1952 6647808 bffff650/ad1a83ac hm 1958 41160704 bffff940/b528d52c nd_mgr 1960 491520 bfffe900/bfffe828 klogd 1961 41406464 bffff040/b52c808c arp_mgr 1964 4247552 bfffe6b0/bfffd2e0 securityd 1965 99672064 bfffe640/bfffbf90 cfgmgr 1966 2633728 bffff320/b50906ac config_cnt 1967 2564096 bfffe540/bfffdf9c portmgr 1968 4214784 bffff830/b4d3e4bc itasca_ssl 1972 163233792 bfffefb0/9e643888 aclmerged 2026 30277632 bfffe9c0/b22cf8e4 mysqld 2054 8499200 bffffc40/b301b7ac snmpd 3142 3612672 bffff450/bffff11c httpd 7196 4059136 bfffe3a0/bfffa608 vsh 7197 618496 bfffefb0/bfffed7c more 7198 1081344 bfffeda0/bfffe5a8 sh 7200 995328 bfffecb0/bfffe754 sort 7511 430080 bffff280/bffff118 agetty_o 7546 0 0/0 TL_INIT_TH18029 638976 bfffe630/bfffdfa0 in.telnetd18037 4034560 bfffe3a0/bfffcff8 vsh22335 651264 bfffdd30/bfffd6a0 in.telnetd22336 4001792 bffffe20/bfffea80 vsh26342 297897984 bfffe670/9025f15c java31556 1105920 bffffaa0/bfffe958 mysqld_saf

Displaying Detailed Process Status Information and Memory Resource LimitsTo display detailed process status information and memory resource limits, perform the following task:

Command Purpose

show terminal internal info Displays detailed process status information and memory resource limits. Table 5-10 describes the fields in the command output.

Table 5-10 Field Descriptions for the show terminal internal info Command

Field Description

Process Information

Name Name of the executable that started the process.


OL-25343-01


State Process state. Included below is a summary of the different process state codes that can appear to describe the state of a process:

• D—Uninterruptible sleep (usually I/O related)

• ER—Error while running

• NR—Not running

• R—Running or runnable (on run queue)

• S—Interruptible sleep (waiting for an event to complete)

• T—Stopped, either by a job control signal or because it is being traced

• W—Paging

• X—Process is dead

• Z—Defunct (“zombie”) process, terminated but not reaped by its parent

SleepAVG Percentage sleep rate of the task.

TGID Terminal group identifier.


PPID Parent process identification number.

TracerPID Tracer process identification number.

UID Identifier of the user that started the process (four element list).

GID Identifier of the group that the process belongs to (four element list).

FDSize Process file descriptor size.

Groups Total number of groups.

VmSize Total amount of virtual memory used by the process (in KB).

VmLck Total locked virtual memory (in KB).

VmRSS Total amount of physical memory used by the process (in KB).

VmData Virtual memory data size (in KB).

VmStk Virtual memory stack size (in KB).

VmExe Executable virtual memory (in KB).

VmLib Virtual memory library size (in KB).

VmPTE Virtual memory pointer size (in kBytes)

Threads Number of threads.

SigPnd Signals pending.

ShdPnd Shared pending signals.

SigBlk Signals blocked.

SigIgn Signals ignored.

SigCat Signals caught.

CapInh Capability inherited privilege.

CapPrm Capability privilege (processor resource manager).

Table 5-10 Field Descriptions for the show terminal internal info Command (continued)

Field Description


OL-25343-01


CapEff Capability effective privilege.

Memory Limits

Core file size Maximum size of core file (in blocks) that may be created.

Data seg size Maximum size (in KB) of the data segment for a process.

File size Maximum size (in blocks) of files created by the shell.

Max locked memory Maximum size (in KB) which a process may lock into memory.

Max memory size Maximum size (in KB) to which a process resident set size may grow.

Note This restriction imposes a limit on the amount of physical memory to be given to a process.

Open files Maximum number of open files for this process.

Pipe size Pipe buffer size (in bytes).

Stack size Maximum size (in KB) of the stack segment for a process. CPU time Maximum amount of CPU time (in seconds) to be used by each process.

Max user processes Maximum number of simultaneous processes for the user identifier.

Virtual memory Maximum amount (in KB) of available virtual memory available to the process.

Table 5-10 Field Descriptions for the show terminal internal info Command (continued)

Field Description


OL-25343-01

Chapter 5 Displaying ACE Hardware and Software System InformationDisplaying System Information

Displaying System InformationTo display the system information for the ACE, perform the following task:

Command Purpose

show system {cpuhog | error-id {hex_id | list} | internal | kcache | kmem | kmemtrack | resources | skbtrack | uptime | watchdog [lcp | memory | scp]}

Displays the system information. The keywords and argument are as follows:

• cpuhog—Displays information related to the process watchdog timer that monitors CPU usage by any currently active processes. This keyword is intended for use by trained Cisco personnel for troubleshooting purposes only.

• error-id—Displays description about a specific error ID or all error IDs.

– hex_id—Error ID in hexadecimal format. The range is from 0x0 to 0xffffffff.

– list—Displays all error IDs.

• internal—Displays Cisco internal system-related functions. The internal keywords and options are intended for use by trained Cisco personnel for troubleshooting purposes only. This option is available in the Admin context only.

• kcache—Displays the Linux kernel cache statistics.

• kmem—Displays the Linux kernel memory usage, see Table 5-11.

• kmemtrack—Displays the kernal memory allocations in the kernel loadable modules. This keyword is intended for use by trained Cisco personnel for troubleshooting purposes only.

• resources—Displays system-related CPU and memory statistics, see Table 5-12.

• skbtrack—Displays the socket buffer (network buffer) allocations in the kernel loadable modules. This keyword is intended for use by trained Cisco personnel for troubleshooting purposes only.

• uptime—Displays how long the ACE has been up and running, see Table 5-13. This keyword is available in all user contexts.

• watchdog [lcp | memory | scp]—Displays whether the watchdog is enabled or disabled. When it is enabled, its timeout is displayed. When you enter the watchdog keyword without an option, all watchdogs are displayed, see Table 5-14. To display a specific watchdog, enter one of the following options:

– lcp—(ACE module only) LCP process watchdog. The current SCP watchdog watches this process. However, if the LCP process is not scheduled on time, this watchdog reboots the ACE module.

– memory—Low memory watchdog when the ACE memory reaches 99 percent.The system watchdog memory command allows you to configure the Memory watchdog timeout.

– scp—(ACE module only) Watchdog for SCP keepalive messages from the hardware timer interrupt level.

Note (ACE module only) The LCP and SCP timeouts are not configurable.


OL-25343-01

Chapter 5 Displaying ACE Hardware and Software System InformationDisplaying System Information

Table 5-11 Field Descriptions for the show system kmem Command

Field Description

Mem

Total Total usable Linux kernel RAM (physical RAM minus the reserved bits and the kernel binary code)

Used Total Linux kernel RAM in use.

Free Available Linux kernel RAM.

Shared Always zero.

Buffers Memory in buffer cache.

Cached RAM used for the page cache (disk cache) minus the RAM used for the swap cache.

Swap

Total Total amount of physical swap memory.

Used Total swap memory in use.

Free Available swap memory.

MemTotal Total usable Linux kernel RAM (physical RAM minus the reserved bits and the kernel binary code).

MemFree Available Linux kernel RAM.

MemShared Always zero.

Buffers Memory in buffer cache.

Cached RAM used for the page cache (disk cache) minus the RAM used for the swap cache.

SwapCached Memory that once was swapped out, is swapped back in, but is still in the swap file. If this memory is needed, it does not need to be swapped out again because it is already in the swap file. This saves I/O.

Active Memory that has been used recently and usually not reclaimed unless it is absolutely necessary.

Inactive Memory that is unused or easily freeable.

HighTotal Total amount of memory in the high memory (highmem) region. Highmem is all memory above approximately 860 MB of physical RAM. The kernel uses indirect methods to access the high memory region. Data cache can go in this memory region.

HighFree Total amount of available memory in the highmem area.

LowTotal Amount of memory in the low memory region (non-highmem memory).

LowFree Amount of free memory in the low memory region. The kernel can address low memory directly. All kernel data structures need to go into low memory.

SwapTotal Total amount of physical swap memory.

SwapFree Available swap memory.

Committed_AS An estimate of how much RAM you would need to make a 99.99% guarantee that there never is an out-of-memory (OOM) condition for a particular workload. Normally, the kernel overcommits memory. For example, if you dynamically allocate 1 GB of memory, no demand is placed on that memory until you actually start using it. The Committed_AS is an estimate of how much RAM or swap memory you would need in a worst-case scenario.


OL-25343-01

Chapter 5 Displaying ACE Hardware and Software System InformationDisplaying or Clearing ICMP Statistics

Table 5-14 describes the output fields for the show system watchdog command.

Displaying or Clearing ICMP StatisticsTo display or clear the Internet Control Message Protocol (ICMP) statistics, perform one of the following tasks:

Table 5-12 Field Descriptions for the show system resources Command

Field Description

Load average Load that is defined as the number of running processes. The average reflects the system load over the past 1-minute, 5-minute, and 15-minute interval.

Processes Number of processes in the system, and how many processes are actually running when you enter the command.

CPU states CPU usage percentage in user mode, kernel mode, and idle time in the last second.

Memory usage Total memory, used memory, free memory, memory used for buffers, and memory used for cache in KB. Buffers and cache are also included in the used memory statistics.

Table 5-13 Field Descriptions for the show system uptime Command

Field Description

System start time Date and time when the ACE was turned on

System uptime Length of time that the ACE hardware and software have been running

Kernel uptime Length of time that the operating system (OS) has been running

Table 5-14 Field Descriptions for the show system watchdog Command

Field Description

LCP watchdog (ACE module only) State of the LCP process watchdog: Enabled or Disabled.

Memory watchdog State of the low memory watchdog: Enabled or Disabled.

SCP watchdog (ACE module only) State of the SCP watchdog: Enabled or Disabled.

Timeout Timeout interval for the enabled watchdog. When the watchdog is disabled, its timeout is not displayed.

Command Purpose

show icmp statistics Displays Internet Control Message Protocol (ICMP) statistics. Table 5-15 describes the fields in the show icmp statistics command output.

clear icmp statistics Clears the Internet Control Message Protocol (ICMP) statistics.


OL-25343-01

Chapter 5 Displaying ACE Hardware and Software System InformationDisplaying or Clearing ICMP Statistics

Table 5-15 Field Descriptions for the show icmp statistics Command

Field Description

Total Messages Total number of ICMP messages transmitted or received by the ACE

Errors Number of ICMP error messages transmitted or received by the ACE

Echo Request Number of ICMP echo request messages transmitted or received by the ACE

Echo Reply Number of ICMP echo reply messages transmitted or received by the ACE

Unreachable Number of ICMP unreachable packets transmitted or received by the ACE

TTL Expired Number of ICMP TTL-expired messages transmitted or received by the ACE

Redirect Number of ICMP redirect messages transmitted or received by the ACE

Mask Number of ICMP Address Mask Request messages transmitted or received by the ACE

Param problem Number of ICMP Parameter Problem messages transmitted or received by the ACE

Source Quench Number of ICMP Source Quench messages transmitted or received by the ACE

Time Stamp Number of ICMP Time Stamp (request) messages transmitted or received by the ACE


OL-25343-01

Chapter 5 Displaying ACE Hardware and Software System InformationDisplaying or Collecting Technical Information for Reporting Problems

Displaying or Collecting Technical Information for Reporting Problems

To display or collect general information about the ACE for use when reporting a problem, perform one of the following tasks:

Command Purpose

show tech-support [details] Displays general information about the ACE for use when you report a problem. You can use this command to collect a large amount of information about your ACE and provide the command output to technical support representatives.

This command displays the output of several show commands at once. The command output varies depending on your configuration.

The optional details keyword provides detailed information for each show command.

You can choose to have detailed information for each command or even specify the output for a particular interface or ACE. Each command output is separated by the line and the command that precedes the output.

The default output of the show tech-support command includes, for example, the output of the following commands:

• show hardware—See the “Displaying Hardware Information” section.

• show interface—See the Routing and Bridging Guide, Cisco ACE Application Control Engine.

• show process—See the “Displaying General System Process Information” section.

• show running-config—See Chapter 4, Managing the ACE Software.

• show version—See the “Displaying Installed Software Information” section.

When using this command, explicitly set the terminal length command to 0 (zero) to disable autoscrolling and enable manual scrolling. Use the show terminal command to view the configured terminal size. After obtaining the output of this command, reset your terminal length as required.

• (ACE module only) See the “Configuring Terminal Display Attributes” section in Chapter 1, “Setting Up the ACE Module.”.

• (ACE appliance only) See the “Configuring Terminal Display Attributes” section in Chapter 2, “Setting Up the ACE Appliance.”

You can save the output of this command to a file by appending > filename to the show tech-support command (see Chapter 4, Managing the ACE Software). If you save this file, verify that you have sufficient space to do so; each file may take about 1.8 MB.


OL-25343-01


Examples

(ACE module only) The following example shows the show tech-support command output for the ACE module:

host1/Admin# show tech-support

`show version`Cisco Application Control Software (ACSW)TAC support: http://www.cisco.com/tacCopyright (c) 1985-2010, Cisco Systems, Inc. All rights reserved.The copyrights to certain works contained herein are owned byother third parties and are used and distributed under license.Some parts of this software are covered under the GNU PublicLicense. A copy of the license is available athttp://www.gnu.org/licenses/gpl.html.

Software loader: Version 12.2[123] system: Version 3.0(0)A4(1.0) [build 3.0(0)A4(1.0) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A4_1_0] system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A4_1_0.bin licensed features: ACE30-MOD-16-K9

Hardware Cisco ACE (slot: 11) cpu info: number of cpu(s): 2 cpu type: SiByte--More--Generating configuration.... cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz memory info: total: 957816 kB, free: 367840 kB shared: 0 kB, buffers: 2928 kB, cached 0 kB cf info: filesystem: /dev/cf

tac-pac {disk0:[path/]filename | {ftp://server/path[/filename] | scp://[username@]server/path[/filename] | sftp://[username@]server/path[/filename] | tftp://server[:port]/path[/filename]}

Redirects the same information as the show tech-support command output to a file on either the ACE disk0: or a remote server.


• disk0:[path/]filename—Specifies that the file destination is the disk0: file system of the current context. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.

• ftp://server/path[/filename]—Specifies the FTP network server and, optionally, the filename.

• scp://[username@]server/path[/filename]—Specifies the SCP network server and optional file name.

• sftp://[username@]server/path[/filename]—Specifies the SFTP network server and, optionally, the filename.

• tftp://server[:port]/path[/filename]—Specifies the TFTP network server and, optionally, the filename.

The output of the show tech-support command is in gzip format. We recommend that you include the .gz extension in the filename so that it can be easily unzipped from the destination file system.

Command Purpose


OL-25343-01


total: 500040 kB, used: 449976 kB, available: 50064 kB

last boot reason: reload command by adminconfiguration register: 0x1host kernel uptime is 2 days 16 hours 41 minute(s) 20 second(s)

`show inventory`

NAME: "module 11", DESCR: "Application Control Engine Service Module"PID: ACE20-MOD-K9 , VID: 2.3, SN: SAD114005T7

NAME: "submodule 1", DESCR: "ACE Expansion Card"PID: ACEMOD-EXPN-DC , VID: 0.401, SN: SAD123000VH

NAME: "submodule 2", DESCR: "ACE Expansion Card"PID: ACEMOD-EXPN-DC , VID: 0.401, SN: SAD123000V4

`show hardware`

Hardware Product Number: ACE30-MOD-K9 Serial Number: SAD114005T7 Card Index: 207 Hardware Rev: 2.3 Feature Bits: 0000 0002 Slot No. : 11 Type: ACE

Daughter Card Product Number: ACEMOD-EXPN-DC Serial Number: SAD123000VH Card Index: 309 Hardware Rev: 0.401 Feature Bits: 0000 0000 Slot No. : 1 Controller FPGA Rev:1.5 NP 1: Clock Rate: 600000000 Hz Memory Size: 4096 MB NP 2: Clock Rate: 600000000 Hz Memory Size: 4096 MB

Daughter Card Product Number: ACEMOD-EXPN-DC Serial Number: SAD123000V4 Card Index: 309 Hardware Rev: 0.401 Feature Bits: 0000 0000 Slot No. : 2 Controller FPGA Rev:1.5 NP 3: Clock Rate: 600000000 Hz Memory Size: 4096 MB NP 4: Clock Rate: 600000000 Hz Memory Size: 4096 MB

(ACE appliance only) The following example shows the show tech-support command output for the ACE appliance:

`show version`Cisco Application Control Software (ACSW)


OL-25343-01


TAC support: http://www.cisco.com/tacCopyright (c) 1985-2010 by Cisco Systems, Inc. All rights reserved.The copyrights to certain works contained herein are owned byother third parties and are used and distributed under license.Some parts of this software are covered under the GNU PublicLicense. A copy of the license is available athttp://www.gnu.org/licenses/gpl.html.

Software loader: Version 0.95 system: Version A4(1.0) [build 3.0(0)A4(1.0) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a4_1_0_throttle/REL_3_0_0_A4_1_0 system image file: (hd)c4710ace-t1k9-mz.A4_1_0.bin Device Manager version 4.1 (0) 20080805:0415

installed license: ACE-AP-VIRT-020 ACE-AP-C-1000-LIC

Hardware cpu info: Motherboard: number of cpu(s): 2 Daughtercard: number of cpu(s): 16 memory info: total: 6226392 kB, free: 4315836 kB shared: 0 kB, buffers: 17164 kB, cached 0 kB cf info: filesystem: /dev/hdb2 total: 935560 kB, used: 611564 kB, available: 276472 kB

last boot reason: Unknownconfiguration register: 0x1 kernel uptime is 0 days 21 hours 25 minute(s) 17 second(s)

`show pvlans`*** Context 0: cmd parse error *** cpu: 0, model: Intel(R) Pentium(R) 4, speed: 3399.991 MHz memory info: total: 6226704 kB, free: 4637164 kB shared: kB, buffers: 19436 kB, cached 0 kB cf info: filesystem: /dev/hdb2 total: 861668 kB, used: 348552 kB, available: 469344 kB

last boot reason: reload command by rootconfiguration register: 0x1switch kernel uptime is 0 days 18 hours 59 minute(s) 49 second(s)

`show clock`Tue Aug 5 10:13:57 UTC 2008

`show inventory`

NAME: "Appliance", DESCR: "ACE 4710 Application Control Engine Appliance" PID: ACE-4710-K9 , VID: , SN: 2061

--More--


OL-25343-01

AdministOL-25343-01

C H A P T E R 6
Configuring Redundant ACEs
Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. All features in this chapter function with IPv4 or IPv6 unless otherwise noted.

This chapter describes how to configure the ACE for redundancy, which provides fault tolerance for the stateful switchover of flows. It contains the following major sections:

• Information About Redundancy



• Configuring Redundant ACEs

• Displaying or Clearing Redundancy Information

• Displaying FT Group Information

• Clearing Redundancy Statistics

• Configuration Example of Redundancy

Information About RedundancyRedundancy (or fault tolerance) uses a maximum of two ACEs to ensure that your network remains operational even if one of the ACEs becomes unresponsive.

Note (ACE module only) The two ACE modules can reside in same Catalyst 6500 series switch or the Cisco 7600 series router or in separate switches or routers.

Redundancy ensures that your network services and applications are always available by providing a seamless switchover of flows in case an ACE becomes unresponsive or a critical host, interface, or HSRP group (ACE module only) fails. Redundancy supports the following network applications that require fault tolerance:

• Mission-critical enterprise applications

• Banking and financial services

• E-commerce

• Long-lived flows such as FTP and HTTP file transfers


Chapter 6 Configuring Redundant ACEsInformation About Redundancy


• Redundancy Protocol

• Stateful Failover

• FT VLAN

• Configuration Synchronization

• Redundancy State for Software Upgrade or Downgrade

Redundancy ProtocolThe ACE uses a proprietary protocol to enable redundant configurations of two ACEs (peers). You configure a maximum of two ACEs for redundancy.

Note (ACE module only) The two ACE modules can reside in same Catalyst 6500 series switch or the Cisco 7600 series router or in separate switches or routers.

Each peer ACE can contain one or more fault-tolerant (FT) groups. Each FT group consists of two members: one active context and one standby context. For more information about contexts, see the Virtualization Guide, Cisco ACE Application Control Engine. An FT group has a unique group ID that you assign.

One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is: 00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon switchover, the client and server ARP tables do not require updating. The ACE selects a VMAC from a pool of virtual MACs available to it. For more information about VMACs, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

Each FT group acts as an independent redundancy instance. When a switchover occurs, the active member in the FT group becomes the standby member and the original standby member becomes the active member. A switchover can occur for the following reasons:

• The active member becomes unresponsive.

• A tracked host, interface, or HSRP group (ACE module only) fails. See the “Configuring Tracking and Failure Detection” section.

• You enter the ft switchover command to force a switchover. See the “Forcing a Failover” section.

Figure 6-1 shows two possible redundancy configurations, where N is the number of ACEs configured for redundancy. The letters (A, B, C, and D) represent the active contexts in each redundancy group, while the primed letters (A’, B’, C’, and D’) are the standby contexts. The contexts are evenly distributed between the two ACEs. You always configure the active and the standby contexts on different ACEs.


OL-25343-01


Figure 6-1 Even Distribution of Contexts

Figure 6-2 shows the uneven distribution of contexts between the two ACEs. As an example, it is possible that the FT groups A,B, C, and D use only half the resources that E and F require.

Figure 6-2 Uneven Distribution of Contexts

To outside nodes (clients and servers), the active and standby FT group members appear as one node with respect to their IP addresses and associated VMAC. The ACE provides active-active redundancy with multiple-contexts only when there are multiple FT groups configured on each ACE and both ACEs contain at least one active group member (context). With a single context, the ACE supports active-backup redundancy and each group member is an Admin context. For details about configuring contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.

The ACE sends and receives all redundancy-related traffic (protocol packets, configuration data, heartbeats, and state replication packets) on a dedicated FT VLAN. You cannot use this dedicated VLAN for normal traffic.

To optimize the transmission of heartbeat packets for multiple FT groups and to minimize network traffic, the ACE sends and receives heartbeat messages using a separate process. The ACE uses the heartbeat to probe the peer ACE, rather than probe each context. When an ACE does not receive a heartbeat from the peer ACE, all the contexts in the standby state become active. The ACE sends heartbeat packets over UDP. You can set the frequency with which the ACE sends heartbeat packets as part of the FT peer configuration (see the “Configuring an FT Peer” section).

The election of the active member within each FT group is based on a priority scheme. The member configured with the higher priority is elected as the active member. If a member with a higher priority is found after the other member becomes active, the new member becomes active because it has a higher priority. This behavior is known as preemption and is enabled by default. You can override this default behavior by disabling preemption, causing the member with the higher priority always to assert itself and become active (see the “Configuring an FT Group” section).

If the two members have the same priority, the one with the higher IP address becomes the active member. We recommend that you always assign a higher priority to the member that you want to be the active.

1536

39

A B’

B A’

A B C’ D’

C D A’ B’

N=2# redundant groups=2


1536

40


A B C D E’ F’

A’ B’ C’ D’E F


OL-25343-01


Stateful FailoverThe ACE replicates flows on the active FT group member to the standby group member per connection for each context. The replicated flows contain all the flow-state information necessary for the standby member to take over the flow if the active member becomes unresponsive. If the active member becomes unresponsive, the replicated flows on the standby member become active when the standby member assumes mastership of the context. The active flows on the former active member transition to a standby state to fully back up the active flows on the new active member.

After a switchover occurs, the same connection information is available on the new active member. Supported end-user applications do not need to reconnect to maintain the same network session.

The state information passed to the standby ACE includes the following data:

• Network Address Translation (NAT) table based on information synchronized with the connection record

• All Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections not terminated by the ACE

• Sticky table

To ensure that bridge learning occurs quickly upon a switchover in a Layer 2 configuration in the case where a VMAC moves to a new location, the new active member sends a gratuitous ARP on every interface associated with the active context. Also, when there are two VLANs on the same subnet and servers need to send packets to clients directly, the servers must know the location of the gateway on the client-side VLAN. The active member acts as the bridge for the two VLANs. In order to initiate learning of the new location of the gateway, the new active member sends an ARP request to the gateway on the client VLAN and bridges the ARP response onto the server VLAN.

Note During failover, the ACE sends failover traffic to destination addresses as Layer 3 unicast and Layer 2 broadcast. As a result, you may encounter high CPU utilization in the interrupt context on the switch that connects the two ACEs in the failover setup.

FT VLANRedundancy uses a dedicated FT VLAN between redundant ACEs to transmit flow-state information and the redundancy heartbeat. You configure this same VLAN on both peer ACEs. The ACE supports the FT VLAN only with IPv4.

The two redundant ACEs constantly communicate over the FT VLAN to determine the operating status of each ACE. The standby member uses the heartbeat packet to monitor the health of the active member. The active member uses the heartbeat packet to monitor the health of the standby member. Communications over the switchover link include the following data:

• Redundancy protocol packets

• State information replication data

• Configuration synchronization information

• Heartbeat packets

For multiple contexts, the FT VLAN resides in the system configuration file. Each FT VLAN on the ACE has one unique MAC address associated with it. The ACE uses these device MAC addresses as the source or destination MACs for sending or receiving redundancy protocol state and configuration replication packets.


OL-25343-01

Chapter 6 Configuring Redundant ACEsGuidelines and Restrictions

Configuration Synchronization The ACE automatically replicates the active configuration on the standby member using a process called configuration synchronization (config sync). Config sync automatically replicates any changes made to the configuration of the active member to the standby member. After the ACE synchronizes the redundancy configuration from the active member to the standby peer, it disables configuration mode on the standby.

Note In a redundant configuration, with a large configuration on the active ACE, you may encounter a lengthy period of time (sometimes up to 4 hours) for the configuration to be applied and synchronized to the standby ACE.

For information about configuring config sync, see the “Synchronizing Redundant Configurations” section.

Redundancy State for Software Upgrade or DowngradeThe STANDBY_WARM and WARM_COMPATIBLE redundancy states are used when upgrading or downgrading the ACE software. When you upgrade or downgrade the ACE from one software version to another, there is a point in the process when the two ACEs have different software versions and, therefore, a CLI incompatibility.

When the software versions are different while upgrading or downgrading, the STANDBY_WARM and WARM_COMPATIBLE states allows the configuration and state synchronization process to continue on a best-effort basis, which means that the active ACE will continue to synchronize configuration and state information to the standby even though the standby may not recognize or understand the CLI commands or state information. These states allow the standby ACE to come up with best-effort support. In the STANDBY_WARM state, as with the STANDBY_HOT state, the configuration mode is disabled and configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can still occur while the standby is in the STANDBY_WARM state. After a forced failover of an active ACE, STANDBY_REAP state occurs on the new standby ACE during the FT transition to the STANDBY_HOT state.

Guidelines and RestrictionsConfiguring redundant ACEs has the following guidelines and restrictions:

• Redundancy is not supported between an ACE module and an ACE appliance operating as peers. Redundancy must be of the same ACE device type and software release.

• You can configure a maximum of two ACEs (peers) for redundancy.

(ACE module only) The two ACE modules can reside in same Catalyst 6500 series switch or the Cisco 7600 series router or in separate switches or routers.

• Each peer ACE can contain one or more fault-tolerant (FT) groups. Each FT group consists of two members: one active context and one standby context. For more information about contexts, see the Virtualization Guide, Cisco ACE Application Control Engine. An FT group has a unique group ID that you assign.


OL-25343-01

Chapter 6 Configuring Redundant ACEsGuidelines and Restrictions

• One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is: 00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon switchover, the client and server ARP tables do not require updating. The ACE selects a VMAC from a pool of virtual MACs available to it. For more information about VMACs, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

• In bridged mode (Layer 2), two contexts cannot share the same VLAN.

• To achieve active-active redundancy, a minimum of two contexts and two FT groups are required on each ACE.

• When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the Down state. The IP address and the peer IP address that you assign to a VLAN interface should be in the same subnet, but different IP addresses. For more information about configuring VLAN interfaces, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

• By default, the ACE does not replicate IP address sticky table entries on the standby ACE unless you use the replicate sticky command in sticky-IP configuration mode. For details on the replicate sticky command, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

• The ACE does not replicate SSL and other terminated (proxied) connections from the active context to the standby context.

• (ACE appliance only) If you are using IPv6 in your network, we recommend that you configure carrier delay properly so that, before Layer 2 convergence occurs, the ACE appliance is not sending any IPv6 packets on the wire. Carrier delay is also highly recommended for duplicate address detection (DAD) to work properly. You can configure a value for carrier delay from 1 to 120 seconds. Generally, 30 to 60 seconds of carrier delay works well for most applications. For more information about configuring carrier delay and DAD, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

• The FT VLAN and the query VLAN are not supported over IPv6.

• The ACE does not support the stateful failover of any connections that are proxied. Such connections include Layer 7 connections (including SSL), inspection, and HTTP compression. Also, any connections that are candidates for compression in the VIP but are not being compressed because of the mime type of the data, for example, will remain proxied and will not be supported by stateful failover.

• In a user context, the ACE allows a switchover only of the FT group that belongs to that context. In the Admin context, the ACE allows a switchover of all FT groups in all configured contexts in the ACE.

• Do not use this dedicated VLAN for any other network traffic, including data and HSRP (ACE module only).

• Redundancy uses a dedicated FT VLAN between redundant ACEs to transmit flow-state information and the redundancy heartbeat. You must configure this same VLAN on both peer ACEs. You also must configure a different IP address within the same subnet on each ACE for the FT VLAN.

• The IP address and the MAC address of the FT VLAN do not change at switchover.

• For redundancy to function properly, both members of an FT group must have identical configurations. Ensure that both ACEs include the same bandwidth software license and the same virtual context software license (4 Gbps, 8 Gbps, or 16 Gbps for the ACE module, or 2G or 1G for the ACE appliance). If there is a mismatch in a software license between the two ACEs in an FT group, the following operational behavior can occur:

– If there is a mismatch in the virtual context software license, synchronization between the active ACE and standby ACE may not work properly.


OL-25343-01

Chapter 6 Configuring Redundant ACEsDefault Settings

– If both the active and the standby ACE devices have the same virtual context software license but have a different bandwidth software license, synchronization will work properly but the standby ACE may experience a potential loss of traffic on switchover. For example, the switchover occurs from an 8-Gbps ACE module to a 4-Gbps ACE module, or from a 2G ACE appliance to a 1G ACE appliance.

• If normalization is disabled, the output from the show rserver command displays different connection total values for the active and standby ACEs. The active ACE displays the total sum of successful connections; whereas the standby ACE displays the total sum of both successful and failed connections.

For details about the available ACE software licenses, see Chapter 3, Managing ACE Software Licenses.

Default SettingsTable 6-1 lists the default settings for the ACE redundancy parameters.

Configuring Redundant ACEsThis section describes how to configure redundant ACEs and includes the following topics:

• Task Flow for Configuring Redundancy

• Configuring Redundancy

• Configuring Tracking and Failure Detection

Table 6-1 Default Redundancy Parameters

Parameter Default

Connection replication Enabled

Heartbeat interval (frequency in milliseconds (ms) at which the active member of the FT group sends the heartbeat packets to the standby member).

300 ms

Heartbeat count (number of missed heartbeats that the standby member must detect before determining that the active member is not available).

10

A member (context) of an FT group becomes the active member through an election process based on the priority that you configure for the group on each peer. The group member with the higher priority becomes the active member.

The group member with the higher priority becomes the active member.

Priority setting of an FT group on the active member. 100

Priority setting of an FT group on the remote standby member. 100

Automatic synchronization of the startup and running configurations between the active and the standby contexts of an FT group.

Enabled

Priority level for multiple probes on the active member. 0

Preempt. Enabled


OL-25343-01

Chapter 6 Configuring Redundant ACEsConfiguring Redundant ACEs

Task Flow for Configuring RedundancyFollow these steps to configure redundancy on the ACE:

Step 1 If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to the correct context.




host1/Admin# confighost1/Admin(config)#

Step 3 (ACE appliance only) Configure one of the Ethernet ports on the ACE for fault tolerance using a dedicated fault-tolerant (FT) VLAN for communication between the members of an FT group.

host1/Admin(config-if)# ft-port vlan 200

Step 4 Configure a dedicated FT VLAN for communication between the members of the FT group. The FT VLAN is supported with IPv4 only. This FT VLAN is global and is shared by all contexts. Specify the IP address and netmask of the FT VLAN and the IP address and netmask of the remote peer.

host1/Admin(config)# ft interface vlan 200host1/Admin(config-ft-intf)# ip address 192.168.12.1 255.255.255.0host1/Admin(config-ft-intf)# peer ip address 192.168.12.15 255.255.255.0host1/Admin(config-ft-intf)# no shutdownhost1/Admin(config-ft-intf)# exit

Step 5 Configure a VLAN with an alias IP address that floats between the active and standby ACEs and serves as a shared gateway for the two devices.

host1/Admin(config)# interface vlan 100

host1/Admin(config-if)# ipv6 enablehost1/Admin(config-if)# alias 2001:DB8:1::/64orhost1/Admin(config-if)# alias 192.168.1.1 255.255.255.0

host1/Admin(config-if)# exit

Step 6 Configure the local redundancy peer ACE, associate the FT VLAN with the peer, configure the heartbeat interval and count, and configure a query interface VLAN.

host1/Admin(config)# ft peer 1host1/Admin(config-ft-peer)# ft-interface vlan 200host1/Admin(config-ft-peer)# heartbeat count 20host1/Admin(config-ft-peer)# heartbeat interval 300host1/Admin(config-ft-peer)# query-interface vlan 400host1/Admin(config-ft-intf)# exit

Step 7 Create at least one FT group on each ACE.

host1/Admin(config)# ft group 1host1/Admin(config-ft-group)#


OL-25343-01


Step 8 Associate a context with each FT group. You must associate the local context and the corresponding peer context with the same FT group.

host1/Admin(config-ft-group)# associate-context C1

Step 9 Associate the peer context with the FT group.

host1/Admin(config-ft-group)# peer 1

Step 10 (Optional) Configure the priority of the FT group on the local ACE.

host1/Admin(config-ft-group)# priority 100

Step 11 (Optional) Configure the priority of the FT group on the peer ACE.

host1/Admin(config-ft-group)# peer priority 200

Step 12 Place the FT group in service.

host1/Admin(config-ft-group)# inservicehost1/Admin(config-ft-group)# exit

Step 13 (Optional) Configure one or more critical objects (gateways or hosts, interfaces, or HSRP groups (ACE module only) to track for switchover. For example, to configure a critical interface for tracking, enter:

host1/Admin(config)# ft track interface VLAN100host1/Admin(config-ft-track-intf)# track-interface vlan 100host1/Admin(config-ft-track-intf)# peer track-interface vlan 100host1/Admin(config-ft-track-intf)# priority 50host1/Admin(config-ft-track-intf)# peer priority 150host1/Admin(config-ft-track-intf)# ctrl-z

Step 14 (Optional) Enable autosynchronization of the running- and/or startup-configuration file from the active to the standby context.

host1/Admin(config)# ft auto-sync running-confighost1/Admin(config)# ft auto-sync startup-config

Step 15 (Optional) If you want to disable connection synchronization from the active to the standby, enter the following command:

host1/Admin(config)# ft connection-sync disable



Step 17 (Recommended) Verify your redundancy configuration by using the following commands in Exec mode:

host1/Admin# show running-config fthost1/Admin# show running-config interface

Configuring RedundancyThis section describes how to configure redundancy on the ACE and contains the following topics:

• Configuring an FT VLAN

• Configuring an Alias IP Address

• Configuring an FT Peer


OL-25343-01


• Configuring an FT Group

• Specifying the Peer Hostname

• Specifying the MAC Address Banks for a Shared VLAN

• Forcing a Failover

• Synchronizing Redundant Configurations

Requirements

You must configure the ft interface, ft peer, and ft group commands on all ACEs that participate in the redundancy configuration.

Configuring an FT VLAN

This section describes how to configure an FT VLAN. Peer ACEs communicate with each other over a dedicated FT VLAN. These redundant peers use the FT VLAN to transmit and receive heartbeat packets and state and configuration replication packets. You must configure the same VLAN on each peer ACE.


This topic includes the following restrictions:

• The FT VLAN does not support IPv6.

• Do not use this dedicated VLAN for any other network traffic, including data and HSRP (ACE module only).

• (ACE appliance only) On both peer ACE appliances, you must configure the same Ethernet port or port-channel interface as the FT VLAN port. For example:

– If you configure ACE appliance 1 to use Ethernet port 4 as the FT VLAN port, then be sure to configure ACE appliance 2 to use Ethernet port 4 as the FT VLAN port.

– If you configure ACE appliance 1 to use port-channel interface 255 as the FT VLAN port, then be sure to configure ACE appliance 2 to use port-channel interface 255 as the FT VLAN.

ACE Appliance Prerequisites

To configure one of the Ethernet ports or a port-channel interface on the ACE appliance for fault tolerance using a dedicated FT VLAN for communication between the members of an FT group, use the ft-port vlan command in interface configuration mode (see the Routing and Bridging Guide, Cisco ACE Application Control Engine).

We highly recommend that that you dedicate the specified Ethernet port or port-channel only as the FT VLAN.

Note When you specify the ft-port vlan command, the ACE appliance modifies the associated Ethernet port or port-channel interface to a trunk port.

You have the option to either configure the dedicated VLAN as the only VLAN associated with the Ethernet port or to include it as part of a VLAN trunk link (see the Routing and Bridging Guide, Cisco ACE Application Control Engine). Note that the ACE appliance automatically includes the FT VLAN in the VLAN trunk link. If you choose to configure VLAN trunking, it is not necessary for you to assign the FT VLAN in the trunk link along with the other VLANs.


OL-25343-01


We also highly recommend that you enable Quality of Service (QoS) on the FT VLAN port to provide higher priority for FT traffic. It is important that you maintain QoS throughout the entire FT traffic path. You enable QoS for a configured physical Ethernet port through the qos trust cos interface mode command QoS is based on VLAN Class of Service (CoS) bits (priority bits that segment the traffic in eight different classes of service). If a VLAN header is present, the CoS bits are used by the ACE appliance to map frames into class queues. If the frame is untagged, it falls back to a default port QoS level for mapping. See the Routing and Bridging Guide, Cisco ACE Application Control Engine for details.

Detailed Steps

Command Purpose

Step 1 config

Example:host1/Admin# confighost1/Admin#(config)#


Step 2 ft interface vlan vlan_id

Example:host1/Admin(config)# ft interface vlan 200host1/Admin(config-ft-intf)#

Creates an FT VLAN.

The vlan_id argument specifies a unique identifier for the FT VLAN. Enter an integer from 2 to 4094.

This command enters the FT interface configuration mode.

no ft interface vlan vlan_id

Example:host1/Admin(config)# no ft interface vlan 200

(Optional) Removes an FT VLAN from the redundancy configuration.

To remove an FT VLAN, first remove it from the FT peer by using the no ft-interface vlan command in FT peer configuration mode.

Step 3 ip address ip_address netmask

Example:host1/Admin(config-ft-intf)# ip address 192.168.12.1 255.255.255.0

Assigns an IP address (IPv4 only) to the FT VLAN.

The keyword and arguments of this command are as follows:

• address ip_address—Specifies the IP address of the FT VLAN.

• netmask—Subnet mask of the FT VLAN. Enter a subnet mask in dotted-decimal notation.

no ip address ip_address netmask

Example:host1/Admin(config-ft-intf)# no ip address 192.168.12.1 255.255.255.0

(Optional) Removes an IP address from an FT VLAN.

Step 4 peer ip address ip_address netmask

Example:host1/Admin(config-ft-intf)# peer ip address 192.168.12.15 255.255.255.0

Allows the local member to communicate with the remote peer.

The keyword and arguments of this command are as follows:

• address ip_address—Specifies the IP address of the remote peer.

• netmask—Subnet mask of the remote peer. Enter a subnet mask in dotted-decimal notation.

no peer ip address ip_address netmask

Example:host1/Admin(config-ft-intf)# no peer ip address 192.168.12.15 255.255.255.0

(Optional) Removes an IP address from the remote peer.


OL-25343-01


Configuring an Alias IP Address

This section describes how to configure an alias IP address. When you configure redundancy, configure a VLAN interface that has an alias IP address that floats between the active and standby ACEs. The alias IP address serves as a shared gateway for the two ACEs. For IPv6, the alias address can be either of the following address types:

• Global-unique

• Unique-local

For more information about IPv6 address types and assigning them to a VLAN, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

Detailed Steps

Step 5 no shutdown

Example:host1/Admin(config-ft-intf)# no shutdown

Enables the FT VLAN.

shutdown

Example:host1/Admin(config-ft-intf)# shutdown

(Optional) Disables the FT VLAN after you have enabled it.

Step 6 exit

Example:host1/Admin(config-ft-intf)# exithost1/Admin(config)#

(Optional) Exits the fault-tolerant interface configuration mode.




Command Purpose

Command Purpose

Step 1 config



Step 2 interface vlan vlan_id


Enters interface configuration mode.

The vlan_id argument specifies a unique identifier for the VLAN.

This command enters the FT interface configuration mode.

Step 3 ipv6 enable

Example:host1/Admin(config-if)# ipv6 enable

Enables IPv6 processing for the interface. Enter this command if you want to process IPv6 traffic on this interface.


OL-25343-01


Configuring an FT Peer

This section describes how to configure an FT peer definition on both peer ACEs.



• You must create FT peers in the admin context only.

• You can configure a maximum of two ACEs as redundancy peers.

• Before you can remove an FT peer from the configuration by using the no form of the command, you must remove the peer from the FT group (see the “Configuring an FT Group” section).

• You cannot delete a query interface if it is associated with a peer. You must disassociate the interface from the peer first, and then you can delete the interface.

Step 4 alias ipv6_address/prefix_length

Example:host1/Admin(config-if)# alias 2001:DB8:1::/64

Configures an alias IPv6 address.

The ipv6_address/prefix_length arguments specify the IPv6 address and prefix length of the VLAN interface.

no alias ipv6_address/prefix_length

Example:host1/Admin(config-if)# no alias 2001:DB8:1::/64

(Optional) Removes an alias IPv6 address.

Step 5 alias ipv4_address netmask

Example:host1/Admin(config-if)# alias 192.168.1.1 255.255.255.0

Configures an alias IPv4 address.

The ip_address netmask arguments specify the IPv4 address and netmask for the VLAN interface. Enter the IPv4 address and subnet mask in dotted-decimal notation.

no alias ipv4_address netmask

Example:host1/Admin(config-if)# no alias 192.168.1.1 255.255.255.0

(Optional) Removes an alias IPv4 address.




Command Purpose


OL-25343-01


Detailed Steps

Command Purpose

Step 1 config



Step 2 ft peer peer_id

Example:host1/Admin(config)# ft peer 1host1/Admin(config-ft-peer)

Creates an FT peer.

The peer_id argument specifies a unique identifier for the peer. You can only enter 1.

This command enters the FT peer configuration mode.

no ft peer peer_id

Example:host1/Admin(config)# no ft peer 1

(Optional) Removes the FT peer from the configuration.

Step 3 ft-interface vlan vlan_id

Example:host1/Admin(config-ft-peer) ft-interface vlan 200

Associates an FT VLAN with a peer.

The vlan_id argument specifies the identifier of an existing VLAN. Enter an integer from 2 to 4094.

no ft-interface vlan vlan_id

Example:host1/Admin(config-ft-peer) no ft-interface vlan 200

(Optional) Removes the FT VLAN from the peer configuration.

Step 4 heartbeat {count number | interval frequency}

Example:host1/Admin(config-ft-peer) heartbeat interval 500

Configures the heartbeat interval and count.


• count number—Specifies the number of heartbeat intervals that must transpire with no heartbeat packet received by the standby member before the standby member determines that the active member is not available. Enter an integer from 10 to 50. The default is 10 heartbeat intervals. If the standby member of the FT group does not receive a heartbeat packet from the active member, a time period equal to count number times interval frequency must elapse before a switchover can occur.

For example, in the default case, where the heartbeat frequency is 300 ms and the heartbeat count is 10, if the standby member does not receive a heartbeat packet from the active member for 3000 ms (3 seconds), a switchover occurs.

• interval frequency—Specifies the interval in milliseconds (ms) between heartbeats. Enter an integer from 100 to 1000 ms. The default is 300 ms.

no heartbeat {count number | interval frequency}

Example:host1/Admin(config-ft-peer) no heartbeat interval 500

(Optional) Resets either the heartbeat count to the default of 10 or the heartbeat interval to the default of 100 ms.


OL-25343-01


Configuring an FT Group

This section describes how to configure multiple FT groups on each ACE.



• You must configure the same group ID on both peer ACEs.

• The maximum number of FT groups that you can create is as follows:

– (ACE module only) 251 groups (250 user contexts and 1 Admin context).

– (ACE appliance only) 64 groups (20 user contexts and 1 Admin context).

• Each FT group consists of a maximum of two members (contexts): one active context on one ACE and one standby context on the peer ACE

• Before you can remove a context from an FT group, you must first take the group out of service by using the no inservice command.

• The ACE does not perform bulk config synchronization (sync) on the peer priority command value in the FT group associated with the Admin context to the peer. Therefore, you may observe a peer priority value in the running-configuration file that is different from the actual operating value. For information on bulk config sync, see the “Synchronizing Redundant Configurations” section.

• If you disable preemption by using the no preempt command and a member with a higher priority is found after the other member has become active, the electing member becomes the standby member even though it has a higher priority.

Step 5 query-interface vlan vlan-id

Example:host1/Admin(config-ft-peer)# query-interface vlan 400

Configures a query interface to allow the standby member to determine whether the active member is down or if there is a connectivity problem with the FT VLAN. A query interface helps prevent two redundant contexts from becoming active at the same time for the same FT group. Before triggering a switchover, the ACE pings the active member to make sure that it is down. Configuring a query interface allows you to assess the health of the active member, but it increases switchover time. A query VLAN is not supported over IPv6.

The vlan_id argument specifies the identifier of an existing VLAN. Enter an integer from 2 to 4094.

no query-interface vlan vlan-id

Example:host1/Admin(config-ft-peer)# no query-interface vlan 400

(Optional) Removes a query interface from the peer configuration.

Note You cannot delete a query interface if it is associated with a peer. You must disassociate the interface from the peer first, and then you can delete the interface.


Example:host1/Admin(config-ft-peer)# do copy running-config startup-config


Command Purpose


OL-25343-01


Prerequisites

Before you place an FT group in service, be sure that you have associated one context with the FT group and that you have properly configured the two peers.

Detailed Steps

Command Purpose

Step 1 config



Step 2 ft group group_id

Example:host1/Admin(config) ft group 1host1/Admin(config-ft-group)#

Creates an FT group.

The group_id argument specifies a unique identifier of the group. Enter an integer from 1 to 255 (ACE module) or 1 to 64 (ACE appliance).

This command enters the FT group configuration mode.

no ft group group_id

Example:host1/Admin(config) no ft group 1

(Optional) Removes the FT group from the configuration.

Step 3 associate-context name

Example:host1/Admin(config-ft-group)# associate-context C1

Associates a context with an FT group.

no associate-context name

Example:host1/Admin(config-ft-group)# no associate-context C1

(Optional) Removes a context from an FT group.

Step 4 peer peer_id

Example:host1/Admin(config-ft-group)# peer 1

Associates a peer ACE with an FT group.

For the peer_id argument, enter 1 as the identifier of an existing peer ACE. You can only enter 1.

no peer peer_id

Example:host1/Admin(config-ft-group)# no peer 1

(Optional) Removes the peer association with the FT group.

Step 5 priority number

Example:host1/Admin(config-ft-group)# priority 150

Configures the priority of an FT group on the active member. Configure a higher priority on the FT group member that you want to be the active member.

The number argument specifies the priority of the FT group on the local peer. Enter an integer from 1 to 255. The default is 100.

no priority

Example:host1/Admin(config-ft-group)# no priority

(Optional) Restores the default priority of 100.


OL-25343-01


Modifying an FT Group

This section describes how to modify an FT group.

Note You can modify the priority, peer priority, and preempt command values without taking the FT group out of service.

Details

Follow these steps to modify an FT group:

Step 1 Remove the FT group from service by using the no inservice command.

Step 2 Make the necessary modifications to the FT group.

Step 3 Place the FT group back in service by using the inservice command.

Step 6 peer priority number

Example:host1/Admin(config-ft-group)# peer priority 150

Configures the priority of an FT group on the remote standby member. Configure a lower priority on the FT group member that you want to be the standby member.

The number argument specifies the priority of the FT group on the standby member. Enter an integer from 1 to 255. The default is 100.

no peer priority

Example:host1/Admin(config-ft-group)# no peer priority

(Optional) Restores the default priority of 100.

Step 7 preempt

Example:host1/Admin(config-ft-group)# preempt

Configures preemption after it has been disabled. Preemption ensures that the group member with the higher priority always asserts itself and becomes the active member. By default, preemption is enabled.

no preempt

Example:host1/Admin(config-ft-group)# no preempt

(Optional) Disables preemption.

Step 8 inservice

Example:host1/Admin(config-ft-group)# inservice

Places an FT group in service.

no inservice

Example:host1/Admin(config-ft-group)# no inservice

(Optional) Takes the FT group out of service.


Example:host1/Admin(config-ft-group)# do copy running-config startup-config


Command Purpose


OL-25343-01


Specifying the Peer Hostname

This section describes how to specify the peer hostname.

Detailed Steps

Specifying the MAC Address Banks for a Shared VLAN

This section describes how to specify the MAC address banks to be used by the local ACE and the peer ACE with a shared VLAN (FT VLAN). You configure these commands to prevent MAC address conflicts between the two peer ACEs. For details about these commands, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.



• Perform this task from the Admin context only.

• Select a bank of MAC addresses for the peer that is different from that used by the local ACE.

Detailed Steps

Command Purpose

Step 1 config




Example:host1/Admin(config)# peer hostname ACE_2

Specifies the hostname of a peer ACE. For details about this command, see the Chapter 1, “Setting Up the ACE Module” or Chapter 2, “Setting Up the ACE Appliance” section.

Command Purpose

Step 1 config



Step 2 shared-vlan-hostid number

Example:host1/Admin(config)# shared-vlan-hostid 3

Configures the bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs.

The number argument is the bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs.

For details about this command, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

no shared-vlan-hostid

Example:host1/Admin(config)# no shared-vlan-hostid

(Optional) Removes a configured bank of MAC addresses.


OL-25343-01


Forcing a Failover

This section describes how to force a failover (switchover). You may need to force a switchover when you want to make a particular context the standby (for example, for maintenance or a software upgrade on the currently active context). If the standby group member can statefully becoming the active member of the FT group, a switchover occurs.

Note During failover, the ACE sends failover traffic to destination addresses as Layer 3 unicast and Layer 2 broadcast. As a result, you may encounter high CPU utilization in the interrupt context on the switch that connects the two ACEs in the failover setup.

The switchover process exhibits the following behavior, depending on whether you perform the task from the Admin context or a user context:

• Admin context—If you specify an FT group ID, then the FT group specified by the group ID switches over. If you do not specify a group ID, then the Admin context switches over.

• User context—Because you cannot specify an FT group ID in a user context, the context in which you enter the command switches over.

Note When you specify the ft switchover command to force a switchover, there may be brief periods of time when the configuration mode is enabled on the new active group member to allow the administrator to make configuration changes. However, any configuration changes made during this time are not synchronized with the standby group member and will exist only on the active group member. We recommend that you refrain from making any configuration changes after you enter the ft switchover command until the FT states stabilize to ACTIVE and STANDBY_HOT. After a forced failover of an active ACE, STANDBY_REAP state occurs on the new standby ACE during the FT transition to the STANDBY_HOT state. Once the FT group reaches the steady state of ACTIVE and STANDBY_HOT, any configuration changes performed on the active group member will be dynamically synchronized to the standby group member, assuming that configuration synchronization is enabled.

Step 3 peer shared-vlan-hostid number

Example:host1/Admin(config)# peer shared-vlan-hostid 3

Configures a specific bank of MAC addresses for a peer ACE in a redundant configuration.

The number argument is the bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs.

For details about this command, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

no peer shared-vlan-hostid

Example:host1/Admin(config)# no peer shared-vlan-hostid

(Optional) Removes the configured bank of MAC addresses.




Command Purpose


OL-25343-01


Prerequisites

To use the ft switchover command, you must disable preemption by using the no preempt command. For information on the preempt command, see the “Configuring an FT Group” section.

Detailed Steps

Synchronizing Redundant Configurations

This section describes how to synchronize redundant configurations. To ensure that the running configurations on both the active and the standby contexts of an FT group are identical, the ACE automatically synchronizes the running configurations between the two contexts. After the active context has accepted either a new configuration or modifications to an existing configuration, the ACE automatically applies the new configuration or configuration changes to the standby context and disables configuration mode in the standby context.

The ACE supports the following two types of configuration synchronizations:

• Bulk config sync—Synchronizes the entire active context configuration to the standby context when the peer comes up or when autosynchronization is enabled

• Dynamic incremental sync—Synchronizes the configuration applied to the active context to the standby context if the peer is already up

Command Purpose

Step 1 config



Step 2 ft group group_id

Example:host1/Admin(config) ft group 1host1/Admin(config-ft-group)#

Enters the FT group configuration mode.

Step 3 no preempt

Example:host1/Admin(config-ft-group)# no preempt

Disables preemption.

Step 4 Press Ctrl-z Returns to the Exec mode prompt.

Step 5 ft switchover [all [force] | force | [group_id [force]]]

Example:host1/Admin# ft switchover 1This command will cause card to switchover (yes/no)? [no] yes

Causes a switchover.


• all—(Optional) Causes a switchover of all FT groups configured in the ACE simultaneously. This keyword is available in the Admin context only.

• force—(Optional) Causes a switchover while ignoring the state of the standby member. Use this option only when the FT VLAN is down. This keyword is available in the Admin context only.

• group_id—(Optional) FT group that you want to switch over. Enter the ID of an existing FT group as an integer from 1 to 255. This argument is available in the Admin context only.


OL-25343-01


Note When you upgrade from one major release of ACE software to another major release (for example, from A4(1.0) to A5(1.0), dynamic incremental sync is disabled while the active ACE is running A4(1.0) and the standby is running the earlier release (split mode). We recommend that you do not make any configuration changes during this time and that you do not keep the ACEs in this state for an extended period of time. However, if you must make configuration changes while the ACEs are in split mode, ensure that you manually synchronize to the standby ACE any configuration changes that you make on the active ACE. After you complete the software upgrade of both ACEs, a bulk sync occurs automatically and dynamic incremental sync will be enabled again.

You can enable automatic synchronization of the running-configuration and the startup-configuration files after they have been explicitly disabled.

Caution Toggling ft auto-sync running-config in the Admin context may have undesirable side effects if the same command is also disabled in an active user context. If ft auto-sync running-config is disabled in the active Admin context and in an active user context, and you subsequently enable ft auto-sync running-config in the active Admin context first, the entire configuration of the standby user context will be lost. Always enable ft auto-sync running-config in the active user context first, and then enable the command in the active Admin context.



• The configurations on both the active context and the standby context must be identical. If there is a mismatch between configuration objects, then configuration synchronization may fail.

• In a redundant configuration, with a large configuration on the active ACE, you may encounter a lengthy period of time (sometimes up to 4 hours) for the configuration to be applied and synchronized to the standby ACE.

• If the standby ACE has reached the maximum resource limit for a configuration object even if some of the configuration objects are not in the redundant context and you configure one more object of the same type in the redundant context of the active ACE, configuration synchronization will fail. For example, suppose that you have configured two contexts on each ACE (Admin and C1) and the C1 context is the only one in the FT group. On the standby ACE, you have configured 8,192 match source-address statements in the Admin context and in the C1 context for a total of 16,384 match source-address statements (the ACE limit). When you configure one new match source-address statement on the active ACE in C1, configuration synchronization will fail, the new match statement will not be replicated to the standby, and syslog ACE-1-727005 is generated.

• If you operate the active ACE with config sync disabled for a prolonged period of time, you must manually duplicate any changes that you make to the active ACE on the standby ACE to ensure that connection replication works properly.

• If a license mismatch occurs between the two ACEs in a redundant configuration, the ft auto-sync command is automatically disabled and a syslog message is generated.

• If you temporarily disable ft auto-sync running-config on the active ACE (for example, to test changes to your configuration), when you subsequently reenable config sync, any changes that you made to the active ACE are duplicated on the standby ACE. Note that the standby ACE remains in the STANDBY_HOT state even when config sync is disabled on the active ACE.

• If the configuration synchronization fails, the running-configuration file reverts to the startup-configuration file.


OL-25343-01


• The ACE does not copy or write changes in the running-configuration file to the startup-configuration file unless you enter the copy running-config startup-config command or the write memory command for the current context. To write the contents of the running-configuration file to the startup-configuration file for all contexts, use the write memory all command. At this time, if the ft auto-sync startup-config command is enabled, the ACE synchronizes the startup-configuration file on the active ACE to the standby ACE.

• The ACE does not synchronize the SSL certificates and key pairs that are present in the active context with the standby context of an FT group. If the ACE performs a configuration synchronization and does not find the necessary certificates and keys in the standby context, config sync fails and the standby context enters the STANDBY_COLD state.

Caution Do not enter the no inservice command followed by the inservice command on the active context of an FT group when the standby context is in the STANDBY_COLD state. Doing so may cause the standby context running-configuration file to overwrite the active context running-configuration file.

To copy the certificates and keys to the standby context, you must export the certificates and keys from the active context to an FTP or TFTP server using the crypto export command, and then import the certificates and keys to the standby context using the crypto import command. For more information about importing and exporting certificates and keys, see the SSL Guide, Cisco ACE Application Control Engine.

To return the standby context to the STANDBY_HOT state in this case, ensure that you have imported the necessary SSL certificates and keys to the standby context, and then perform a bulk sync of the active context configuration by entering the following commands in configuration mode in the active context of the FT group:

1. no ft auto-sync running-config

2. ft auto-sync running-config

Detailed Steps

Command Purpose

Step 1 config

Example:host1/C1# confighost1/C1#(config)#



OL-25343-01


Disabling Connection Replication

By default, connection replication is enabled. There may be times when you want to disable it. To disable connection replication, use the ft connection-sync disable command in configuration mode in any context. The syntax of this command is as follows:

ft connection-sync disable

Initially, after you disable connection replication, the active ACE does not synchronize connections to the standby ACE. After a bulk sync:

• New connections are not synchronized

• Connections are not updated in a periodic scan

• Connections that are already synchronized on the standby are not torn down

If you enable connection replication after a bulk sync occurs, the ACE takes the following actions:

• New connections are synced immediately

• Existing connections are synced in the next periodic cycle (in approximately 3 to 4 minutes)

Sticky replication is disabled by default and you can configure it on a per sticky group basis. The replicate sticky command takes precedence over the ft connection-sync disable command, so new client connections can be load balanced to the same server even when connection replication is disabled.

Note the following caveats with stickiness when connection replication is disabled:

• The sticky database is not always in sync on the standby. With connection replication disabled, sticky connections on the active close normally, but on the standby the connections time out according to the idle timeout setting.

• When sticky entries are approaching their expiration time, it is possible to have a zero active-conns-count on the standby and still have active connections on the active ACE. This condition can lead to sticky entries that are not present after a switchover.

For example, to disable connection replication, enter the following command:

host1/Admin(config)# ft connection-sync disable

To reenable connection replication after you have disabled it, enter the following command:

Step 2 ft auto-sync {running-config | startup-config}

Example:host1/C1(config) ft auto-sync running-config

Enables automatic synchronization of the running-configuration and the startup-configuration files after they have been explicitly disabled.


• running-config—Enables autosynchronization of the running-configuration file. The default is enabled.

• startup-config—Enables autosynchronization of the startup-configuration file. The default is enabled.

no ft auto-sync {running-config | startup-config}

Example:host1/C1(config) no ft auto-sync running-config

(Optional) Disables automatic synchronization of the running-configuration and the startup-configuration files.

Command Purpose


OL-25343-01


host1/Admin(config)# no ft connection-sync disable

Configuring Tracking and Failure DetectionThis section describes the tracking and failure detection feature of the ACE. This feature allows you to designate certain network items as critical so that if one or more items fail, the ACE reduces the priority of the associated active FT group accordingly. If the priority of the active FT group falls below the priority of the corresponding FT group on the standby, a switchover occurs.

The ACE supports the tracking and failure detection of several network items. You can configure an ACE to track and detect failures in the following items in the Admin context and any user context:

• Gateways or hosts

• Interfaces

• (ACE module only) Hot Standby Router Protocol (HSRP) groups

Note For IPv6, host and interface tracking are supported.

If one of the items that you configure for tracking and failure detection becomes unresponsive and is associated with the active member of an FT group, by default, the ACE subtracts a value of 0 from the configured priority of the active member. If you configure a nonzero value for the tracking priority and the resulting priority value of the active member is less than that of the standby member, the active member switches over and the standby member becomes the new active member. All active flows that exist at the time of the switchover continue uninterrupted on the new active member of the FT group.

When the failed item comes back up, the ACE increments the priority of the associated group member by a value of 0 by default. If you configure a non-zero value for the tracking priority and the resulting priority of the standby member is greater than the priority of the active member, a switchover occurs back to the original active group member.

You can configure the unit priority associated with tracked items to be greater than 0. This option allows you to fine tune the switchover scenario so that a switchover occurs when either all or any of the tracked objects fails.

Note To prevent an unexpected switchover from occurring, we strongly recommend that you disable preemption while you are configuring tracking. After you configure tracking and before you reenable preemption, ensure that the tracked network objects are up and operating properly. A switchover may occur immediately when you reenable preemption. Preemption must be enabled for a tracking switchover to work. For details about preemption, see the “Configuring an FT Group” section.

For example, suppose that on ACE 1 you configure the active FT group member with a priority of 100 and on ACE 2 you configure the standby FT group member with a priority of 70. Assume that you configure the FT group to track three critical interfaces, each with a unit priority of 15. To trigger a switchover, all three interfaces must fail so that the priority of the active member is less than the priority of the standby member (100 – 45 = 55).

To illustrate the “any” scenario, assume that the active and the standby FT group members have the same individual priorities as in the previous example (100 and 70, respectively). However, this time you configure the three tracked interfaces, each with a unit priority of 40. If any one of the interfaces associated with the active member goes down, then the priority of the active member falls below the priority of the standby member and a switchover occurs. If that failed interface later returns to service,


OL-25343-01


the ACE increments the associated group member priority by 40, and a switchover would occur back to the original active member. To guarantee a switchover if any tracked item goes down, configure the unit priority on each tracked item equal to the group member’s priority. In this case, you could configure the unit priority to be 100.


• Configuring Tracking and Failure Detection for a Host or Gateway

• Configuring Tracking and Failure Detection for an Interface

• Configuring ACE Module Tracking and Failure Detection for an HSRP Group

Configuring Tracking and Failure Detection for a Host or Gateway

This section describes how to configure tracking and failure detection for a gateway or a host.


If you remove a probe from the active FT group member configuration and you have not configured a tracking priority for the FT group, the ACE increments the net FT group priority by the priority value of the deleted probe. You cannot delete a probe from the running-configuration file if the ACE is using the probe for tracking.

Detailed Steps

Command Purpose

Step 1 config



Step 2 ft track host name

Example:host1/Admin(config)# ft track host TRACK_GATEWAY1host1/Admin(config-ft-track-host)#

Creates a tracking and failure detection process for a gateway or host.

For the name argument, enter a unique identifier of the tracking process as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

This command enters the FT track host configuration mode.

Step 3 track-host ip_address

IPv6 Example:host1/Admin(config-ft-track-host)# track-host 2001:DB8:12::/64

IPv4 Example:host1/Admin(config-ft-track-host)# track-host 192.168.12.101

Configures the IPv6 or the IPv4 address of the gateway or host.

The ip_address argument specifies the IP address of the gateway or host that you want the active FT group member to track.

This command enters the FT group configuration mode.


OL-25343-01


no track-host ip_address

IPv6 Example:host1/Admin(config-ft-track-host)# no track-host 2001:DB8:12::/64

IPv4 Example:host1/Admin(config-ft-track-host)# no track-host 192.168.12.101

(Optional) Removes the IP address of the gateway or host from the tracking process on the standby member configuration.

Step 4 probe name priority number

Example:host1/Admin(config-ft-track-host)# probe TCP_PROBE1 priority 50

Associates an existing probe with a gateway or host for tracking by the active member. For information about creating probes, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

The keyword and arguments are as follows:

• name—Identifier of an existing probe that you want to associate with a gateway or host for tracking.

• priority number—Specifies the priority of the probe sent by the active member. Enter an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the gateway or host that the probe is tracking. If the probe goes down, the ACE decrements the priority of the FT group on the active member by the value of the number argument. If the resulting priority of the FT group on the active member is less than the priority of the FT group on the standby member, a switchover occurs.

no probe name

Example:host1/Admin(config-ft-track-host)# no probe TCP_PROBE1

(Optional) Removes the tracking probe from the active member.


Example:host1/Admin(config-ft-track-host)# priority 50

Assigns a priority for multiple probes on the active member.

The number argument specifies the priority of the probes on the active member. Enter a priority value as an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the gateway or host that the probes are tracking. If all the probes go down, the ACE decrements the priority of the FT group on the active member by the value of the number argument. If the resulting priority of the FT group on the active member is less than the priority of the FT group on the standby member, a switchover occurs.

no priority number

Example:host1/Admin(config-ft-track-host)# no priority 50

(Optional) Resets the priority to the default value of 0.

Step 6 peer track-host ip_address

Example:host1/Admin(config-ft-track-host)# peer track-host 172.16.27.1

Configures the IP address of the gateway or host.

The ip_address argument specifies the IP address of the gateway or host that you want the standby FT group member to track.

Command Purpose


OL-25343-01


Examples

The following example demonstrates an IPv6 tracking configuration for a gateway on the active member of an FT group:

ft track host TRACK_GATEWAY track-host 2001:DB8:100::/64 probe GATEWAY_TRACK1 priority 10 probe GATEWAY_TRACK2 priority 20 priority 50

no peer track-host ip_address

Example:host1/Admin(config-ft-track-host)# no peer track-host 172.16.27.1

(Optional) Removes the host tracked by the standby member.

Step 7 peer probe name priority number

Example:host1/Admin(config-ft-track-host)# peer probe TCP_PROBE1 priority 25

Associates an existing probe with a gateway or host for tracking by the standby member.

The keyword and arguments are as follows:

• name—Identifier of an existing probe that you want to associate with a gateway or host for tracking.

• priority number—Specifies the priority of the probe sent by the standby member. Enter an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the gateway or host that the probe is tracking. If the probe goes down, the ACE decrements the priority of the FT group on the standby member by the value of the number argument.

no peer probe name Example:host1/Admin(config-ft-track-host)# no peer probe TCP_PROBE1

(Optional) Removes the tracking probe from the standby member.


Example:host1/Admin(config-ft-track-host)# peer priority 25

Assigns a priority for multiple probes on the standby member.

The number argument specifies the priority of the probes configured for the gateway or host on the standby member. Enter a priority value as an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the gateway or host that the probes are tracking. If all the probes go down, the ACE decrements the priority of the FT group on the standby member by the value of the number argument.

no peer priority number

Example:host1/Admin(config-ft-track-host)# no peer priority 25

(Optional) Reset the multiple-probe priority to the default value of 0 on the standby member.


Example:host1/Admin(config-ft-track-host)# do copy running-config startup-config


Command Purpose


OL-25343-01


The following example demonstrates an IPv4 tracking configuration for a gateway on the active member of an FT group:

ft track host TRACK_GATEWAY track-host 192.161.100.1 probe GATEWAY_TRACK1 priority 10 probe GATEWAY_TRACK2 priority 20 priority 50

In this configuration example, if the GATEWAY_TRACK1 probe goes down, the ACE reduces the priority of the FT group on the active member by 10. If the GATEWAY_TRACK2 probe goes down, the ACE reduces the priority of the FT group on the active member by 20. If both probes go down, the ACE reduces the priority of the FT group on the active member by 50. If at any time the priority of the FT group on the active member falls below the priority of the FT group on the standby member, a switchover occurs.

Configuring Tracking and Failure Detection for an Interface

This section describes how to configure tracking and failure detection for an interface.


You cannot delete an interface if the ACE is using the interface for tracking. Also, you cannot configure the FT VLAN for tracking.

Detailed Steps

Command Purpose

Step 1 config



Step 2 ft track interface name

Example:host1/Admin(config)# ft track interface TRACK_VLAN100host1/Admin(config-ft-track-intf)#

Creates a tracking and failure detection process for an interface.

For the name argument, enter a unique identifier for the tracking process as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

This command enters the FT track interface configuration mode.

Step 3 no ft track interface name

Example:host1/Admin(config)# no ft track interface TRACK_VLAN100

(Optional) Removes the interface-tracking process.

Step 4 track-interface vlan vlan_id

Example:host1/Admin(config-ft-track-intf)# track-interface vlan 100

Configures the interface that you want the active member to track.

For the vlan_id argument, enter the VLAN ID of an existing VLAN configured on the active member as an integer from 2 to 4094.

no track-interface vlan vlan_id

Example:host1/Admin(config-ft-track-intf)# no track-interface vlan 100

(Optional) Removes the VLAN from the tracking process.


OL-25343-01


Examples

The following example demonstrates a tracking configuration for an interface on the active member of an FT group and configures the interface that you want the standby member to track:

ft track interface TRACK_VLAN100 track-interface vlan 100 priority 50


Example:host1/Admin(config-ft-track-intf)# priority 50

Configures the interface that you want the active member to track.

The number argument specifies the priority of the interface on the active member. Enter a priority value as an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the interface that you are tracking.

If the tracked interface goes down, the ACE decrements the priority of the FT group on the active member by the value of the number argument. If the priority of the FT group on the active member falls below the priority of the FT group on the standby member, a switchover occurs.

no priority number

Example:host1/Admin(config-ft-track-intf)# no priority 50

(Optional) Resets the interface priority on the active member to the default value of 0.

Step 6 peer track-interface vlan vlan_id

Example:host1/Admin(config-ft-track-intf)# peer track-interface vlan 200

Configures the interface that you want the standby member to track.

The vlan_id argument is a VLAN ID of an existing VLAN con-figured on the standby member as an integer from 2 to 4094.

no peer track-interface vlan vlan_id

Example:host1/Admin(config-ft-track-intf)# no peer track-interface vlan 200

(Optional) Removes the VLAN from the tracking process.


Example:host1/Admin(config-ft-track-intf)# peer priority 25

Assigns a priority to the tracked interface that the standby member is tracking.

The number argument specifies the priority of the interface on the standby member. Enter a priority value as an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the interface that you are tracking.


Example:host1/Admin(config-ft-track-intf)# no peer priority 25

(Optional) Resets the interface priority on the standby member to the default value of 0.


Example:host1/Admin(config-ft-track-intf)# do copy running-config startup-config


Command Purpose


OL-25343-01


peer track-interface vlan 200 peer priority 25

In this configuration example, if VLAN 100 goes down, then the ACE reduces the priority of the FT group on the active member by 50. If at any time the priority of the FT group on the active member falls below the priority of the FT group on the standby member, a switchover occurs.

Configuring ACE Module Tracking and Failure Detection for an HSRP Group

This section applies to the ACE module only and describes how to configure a tracking and failure detection process for a Hot Standby Router Protocol (HSRP) group that you have previously configured on the Catalyst 6500 services supervisor engine or the Cisco 7600 series router. The ACE module does not support HSRP tracking and failure detection for IPv6.



• The ACE module allows you to track up to 250 HSRP groups.

• When you configure HSRP tracking on the FT group member and the HSRP group does not exist on the supervisor engine, the ACE module marks the tracking process as TRACK_DOWN and automatically decrements the net priority of the FT group by the tracking priority value.

Prerequisites

This topic includes the following prerequisites:

• For best results, observe the following configurational requirements before you attempt to configure HSRP tracking and failure detection on the ACE module:

– Before you configure an HSRP tracking and failure detection process on the ACE module, you must configure the HSRP group on the supervisor engine. For example, if the HSRP group (including the name) is configured on the supervisor engine and it is not in the Active or the Standby state, you will see the following output when you enter the show ft track detail command on the ACE module:

Track type : TRACK_HSRPHSRP Group Name : testState : TRACK_DOWN (HSRP Group does not exist on the Supervisor or it is in the INIT State)Priority : 20Transitions : 1

For example, if the HSRP group is in the Standby state, you will see the following output when you enter the show ft track detail command on the ACE module:

Track type : TRACK_HSRPHSRP Group Name : testState : TRACK_DOWN (HSRP Group is Standby on the Supervisor)Priority : 20Transitions : 1

For example, if the HSRP group is in the Active state, you will see the following output when you enter the show ft track detail command on the ACE module:

Track type : TRACK_HSRPHSRP Group Name : testState : TRACK_UP Priority : 20


OL-25343-01


Transitions : 2

– If the HSRP group (including the name) is configured on the supervisor engine after the HSRP tracking process is initially configured on the ACE module, you may or may not obtain the expected results when you enter the show ft track detail command on the ACE module.

– If the HSRP group name is changed on the supervisor engine after the HSRP tracking process is configured on the ACE module, further state notifications will not be sent to the ACE module. You must delete the HSRP tracking process on the ACE module after the HSRP group name is changed on the supervisor engine.

• To obtain the correct HSRP group identifier to use for tracking on the ACE module, enter the show standby vlan command on the Catalyst 6500 series switch or 7600 series router.

For example, enter the following command:

sh-ace-6k-1# show standby vlan 120Vlan120 - Group 120 Local state is Active, priority 200, may preempt Hellotime 3 sec, holdtime 10 sec Next hello sent in 2.022 Virtual IP address is 192.168.120.254 configured Active router is local Standby router is 192.168.120.252 expires in 8.360 Virtual mac address is 0000.0c07.ac78 7 state changes, last state change 21:54:53 IP redundancy name is "hsrp-Vl120-120" (default) Priority tracking 1 interface or object, 1 up: Interface or object Decrement State GigabitEthernet4/35 110 Up

Use the IP redundancy name (shown in bold in the above output example) as the HSRP group name. The switch or router automatically assigns this name to the HSRP group.

Detailed Steps

Command Purpose

Step 1 config



Step 2 ft track hsrp tracking_process_name

Example:host1/Admin(config)# ft track hsrp HSRP_TRACK_PROCESS1host1/Admin(config-ft-track-hsrp)#

Creates a tracking and failure detection process for an HSRP group.

For the tracking_process_name argument, enter a unique identifier of the tracking process as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

This command enters the FT track hsrp configuration mode.

no ft track hsrp tracking_process_name

Example:host1/Admin(config)# no ft track hsrp HSRP_TRACK_PROCESS1

(Optional) Removes the HSRP group-tracking process.


OL-25343-01


Step 3 track-hsrp name

Example:host1/Admin(config-ft-track-hsrp)# track-hsrp hsrp-vl120-120

Tracks an HSRP group on the active member of an FT group.

For the name argument, enter the identifier of an HSRP group previ-ously configured on the Catalyst supervisor that you want to track on the active member (see the last bullet in the “Prerequisites”section”). Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The ACE module allows you to track up to 250 HSRP groups.

no track-hsrp name

Example:host1/Admin(config-ft-track-hsrp)# no track-hsrp hsrp-vl120-120

(Optional) Removes the HSRP group from the tracking process.


Example:host1/Admin(config-ft-track-hsrp)# priority 50

Assigns a priority to the HSRP group that you are tracking on the active member of an FT group.

For the number argument, enter the priority of the HSRP group as an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the HSRP group that you are tracking. If the HSRP group goes down, the ACE module decrements the priority of the FT group on the active member by the value of the number argument. If the priority of the FT group on the active member falls below the priority of the FT group on the standby member, a switchover occurs.

no priority number

Example:host1/Admin(config-ft-track-hsrp)# no priority 50


Step 5 peer track-hsrp name

Example:host1/Admin(config-ft-track-hsrp)# peer track-hsrp HSRP_GRP1

Tracks an HSRP group on the standby member of an FT group.

For the name argument, enter the identifier of an HSRP group previ-ously configured on the supervisor engine that you want to track on the standby member of an FT group (see the last bullet in the “Prerequi-sites”section”). Enter the name as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

no peer track-hsrp name

Example:host1/Admin(config-ft-track-hsrp)# no peer track-hsrp HSRP_GRP1

(Optional) Removes the HSRP group from the tracking process.


Example:host1/Admin(config-ft-track-hsrp)# peer priority 25

Assigns a priority to the HSRP group that you are tracking on the standby member of an FT group.

For the number argument, enter the priority of the HSRP group as an integer from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the HSRP group that you are tracking. If the HSRP group goes down, the ACE module decrements the priority of the FT group on the standby member by the value of the number argument.

Command Purpose


OL-25343-01

Chapter 6 Configuring Redundant ACEsDisplaying or Clearing Redundancy Information

Examples

The following example demonstrates a tracking configuration for an HSRP group on the active member of an FT group and identifies an HSRP group that you want to track on the standby member of the FT group:

ft track hsrp TRACK_HSRP_GRP1 track-hsrp HSRP_GRP1 priority 50 peer track-hsrp HSRP_GRP1 peer priority 25

In the configuration example, if the HSRP_GRP1 group goes down, the ACE module reduces the priority of the FT group on the active member by 50. If at any time the priority of the FT group on the active member falls below the priority of the FT group on the standby member, a switchover occurs.

Displaying or Clearing Redundancy Information This section describes how to display or clear information about redundancy and contains the following sections:

• Displaying Redundancy Information

• Clearing Redundancy Statistics

Displaying Redundancy InformationThis section describes the show commands that display configuration, status, and statistical information for your redundancy configuration and contains the following sections:

• Displaying Redundancy Configuration Information

• Displaying Bulk Synchronization Command Failures on the Standby ACE

• Displaying FT Group Information

• Displaying the Redundancy Internal Software History

• Displaying the IDMAP Table

• Displaying Memory Statistics

• Displaying Peer Information

• Displaying FT Statistics

• Displaying FT Tracking Information


Example:host1/Admin(config-ft-track-hsrp)# no peer priority 25



Example:host1/Admin(config-ft-track-hsrp)# do copy running-config startup-config


Command Purpose


OL-25343-01


Displaying Redundancy Configuration Information

To display the list of redundancy or fault-tolerance (FT) configurations configured for the current context, perform the following task:

Displaying Bulk Synchronization Command Failures on the Standby ACE

To display the configuration commands that fail on the standby ACE during bulk synchronization in a redundant configuration per context, perform the following task:

Command Purpose

show running-config ft Displays the list of redundancy or fault-tolerance (FT) configurations configured for the current context. The ACE also displays configuration information for each FT configuration listed.

Command Purpose

show ft config-error [context_name] Displays the commands that fail on the standby ACE during bulk synchronization in a redundant configuration per context. If all commands succeed on the standby ACE, the command displays the following message:

No bulk config apply errors

In the Admin context, the optional context_name argument is the name of a user context. If you do not enter the argument, the command uses the Admin context. In a user context, this argument is not available.


OL-25343-01


Displaying FT Group Information

To display redundancy statistics per context, perform the following task:

Command Purpose

show ft group {{[group_id] {detail | status | summary}} | brief}

Displays redundancy statistics per context. Table 6-2 describes the fields in the show ft group command output.


• group group_id—Displays FT group statistics for the specified FT group. In the Admin context, this keyword displays statistics for all FT groups in the ACE. Also, in the Admin context, you can specify an FT group number to display statistics for an individual group. In a user context, this keyword displays statistics only for the FT group to which the user context belongs.

• detail—Displays detailed information for all FT groups or the specified FT group. The detail keyword includes the status of autosync and whether it is disabled or enabled for both the running-config and the startup-config.

• status—Displays the current operating status for all FT groups or the specified FT group.

• summary—Displays summary information for all FT groups or the specified FT group.

• brief—Displays the group ID, local state, peer state, context name, context ID, and configuration synchronization status of all the FT groups that are configured in the ACE.

Table 6-2 Field Descriptions for the show ft group Command Output

Field Description

FT Group FT group identifier.

No. of Contexts Number of contexts associated with the FT group.

Context Name Name of the context associated with the FT group.

Context ID Identifier of the context associated with the FT group.

Configured Status Configured state of the FT group. Possible states are the in-service or out-of-service states.

Maintenance Mode Current maintenance mode of the local context in an FT group. Applications can turn on maintenance mode when there is an inability to communicate with the peer, license mismatches, too many application errors, and so on. Possible states are as follows:

• MAINT_MODE_OFF—Maintenance mode is turned off.

• MAINT_MODE_PARTIAL— All standby contexts transition to the FSM_FT_STATE_STANDBY_COLD state (see the “My State” field description). The ACE enters this mode if configuration synchronization fails.

• MAINT_MODE_FULL—All contexts on the ACE become nonredundant causing their peer contexts to become active. The ACE enters this mode just before you reboot the ACE and is used primarily when you upgrade the ACE software.


OL-25343-01


My State State of the FT group member in the local ACE. Possible states are as follows:

• FSM_FT_STATE_INIT—Configuration for the FT group exists but the group is not in service. This is the initial state for each member (local and peer) of an FT group.

• FSM_FT_STATE_ELECT—When you configure the inservice command for an FT group, the local group member enters this state. Through the election process, the local context negotiates with its peer context in the FT group to determine their states. One member enters the ACTIVE state and the other member enters the STANDBY_CONFIG state.

• FSM_FT_STATE_ACTIVE—Local member of the FT group is active and processing flows.

• FSM_FT_STATE_STANDBY_COLD—Either the FT VLAN is down, but the peer device is still alive, or the configuration or application state synchronization failed. When a context is in this state and a switchover occurs, the transition to the ACTIVE state is stateless.

• FSM_FT_STATE_STANDBY_CONFIG—Local standby context is waiting to receive configuration information from its active peer context in the FT group. The active peer context receives a notification to send a snapshot of its running-configuration file to the local standby context.

• FSM_FT_STATE_STANDBY_BULK—Local standby context is waiting to receive state information from its active peer context. The active peer context receives a notification to send a snapshot of the current state information for all applications to the standby context.

My State (Cont.) • FSM_FT_STATE_STANDBY_HOT—Local standby context has all the state information it needs to statefully assume the active state if a switchover occurs.

• FSM_FT_STATE_STANDBY_WARM—State used when upgrading or downgrading the ACE software. When you upgrade or downgrade the ACE from one software version to another, there is a point in the process when the two ACEs have different software versions and, therefore, a CLI incompatibility.

When the software versions are different while upgrading or downgrading, the STANDBY_WARM state allows the configuration and state synchronization process to continue on a best-effort basis, which means that the active ACE will continue to synchronize configuration and state information to the standby even though the standby may not recognize or understand the CLI commands or state information. This standby state allows the standby ACE to come up with best-effort support. In the STANDBY_WARM state, as with the STANDBY_HOT state, the configuration mode is disabled and configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can still occur while the standby is in the STANDBY_WARM state.

My Config Priority Priority configured on the FT group in the local ACE.

My Net Priority Priority of the FT group equal to the configured priority minus the priority of the FT tracking failures if any.

My Preempt Preemption value of the FT group in the local ACE. Possible values are Enabled or Disabled.

Peer State State of the FT group in the remote ACE. For possible state values, see the “My State” field description.

Peer Config Priority Priority configured for the FT group in the remote ACE.

Peer Net Priority Priority of the FT group in the remote ACE computed from the configured priority and the priority of the FT tracking failures.

Peer Preempt Preemption value of the FT group in the remote ACE. Possible values are Enabled or Disabled.

Table 6-2 Field Descriptions for the show ft group Command Output (continued)

Field Description


OL-25343-01


Displaying the Redundancy Internal Software History

To display the redundancy internal software history, perform the following task:

Displaying the IDMAP Table

This section describes how to display the IDMAP table. The IDMAP table contains a list of the local ACE to peer (standby) ACE ID mappings for each of the seven object types in the ACE. The local ID and the peer ID for each object type may or may not be the same, but the mappings (local ID to peer ID) should be the same on both the active ACE and the standby ACE. The ACE uses these mappings for configuration synchronization and state replication.

To display the IDMAP table, perform the following task:

Peer ID FT peer identifier.

Last State Change Time Time and date that the peer last changed from the active to standby state, or standby to active state.

Running Cfg Sync Enabled

Configured state of config sync for the running-config. Possible values are Enabled or Disabled.

Running Cfg Sync Status

Current status of config sync for the running-config. For example, Running configuration sync has completed or Config sync disabled when peer is not fully CLI compatible.

Startup Cfg Sync Enabled

Configured state of config sync for the startup-config. Possible states are Enabled or Disabled.

Startup Cfg Sync Status Current status of config sync for the startup-config. For example, Startup configuration sync is disabled or Config sync disabled when peer is not fully CLI compatible.

Bulk Sync Done for ARP

Number of “bulk synchronization done” messages received on the standby ACE during state synchronization from the ARP module in the control plane.

Bulk Sync Done for LB Number of “bulk synchronization done” messages received on the standby ACE during state synchronization from the load balancer (LB) module in the data plane.

Bulk Sync Done for ICM

Number of “bulk synchronization done” messages received on the standby ACE during state synchronization from the ICM input connection manager module in the data plane.

Table 6-2 Field Descriptions for the show ft group Command Output (continued)

Field Description

Command Purpose

show ft history {cfg_cntlr | ha_dp_mgr | ha_mgr}

Displays the redundancy internal software history.


• cfg_cntlr—Displays the configuration controller debug log

• ha_dp_mgr—Displays the high availability (HA) dataplane manager debug log

• ha_mgr—Displays the HA manager debug log

Command Purpose

show ft idmap Displays the IDMAP table. Table 6-3 lists the IDMAP table object types available in the ACE.


OL-25343-01


Displaying Memory Statistics

To display redundancy statistics per context, perform the following task:

Displaying Peer Information

To display peer information, perform the following task:

Table 6-3 ACE Object Types in the IDMAP Table

Object Type Object Name

0 REAL ID

1 RSERVER ID

2 SERVERFARM ID

3 POLICY ID

4 STICKY GROUP ID

5 IF ID

6 CONTEXT ID

Command Purpose

show ft memory [detail] Displays redundancy statistics per context.

The optional detail keyword displays detailed HA manager memory statistics in the Admin context only.

Command Purpose

show ft peer peer_id {detail | status | summary}

Displays redundancy statistics per context. Table 6-4 describes the fields in the show ft peer command output.


• peer_id—Unique identifier of the remote peer

• detail—Displays detailed peer information

• status—Displays the current operating status of the peer

• summary—Displays summary peer information


OL-25343-01


Table 6-4 Field Descriptions for the show ft peer Command Output

Field Description

Peer ID Identifier of the remote context in the FT group.

State Current state of the peer. Possible states are as follows:

• FSM_PEER_STATE_INIT—Initial state of the peer after you configure it.

• FSM_PEER_STATE_MY_IPADDR—Local ACE IP address is missing. Waiting for the local IP address to be configured.

• FSM_PEER_STATE_PEER_IPADDR—Peer IP address is missing. Waiting for the peer IP address to be configured.

• FSM_PEER_STATE_START_HB—Peer configuration is complete. Starting the heartbeat to see if there is a peer device.

State (continued) • FSM_PEER_STATE_TL_SETUP—Heartbeat has detected the presence of the peer device. Redundancy is in the process of establishing a TCP connection to the peer. This connection carries configuration data, application state information, and redundancy protocol packets.

• FSM_PEER_STATE_SRG_CHECK—Checking for software version compatibility with the peer device.

• FSM_PEER_STATE_LIC_CHECK—Checking for license compatibility with the peer device.

• FSM_PEER_STATE_COMPATIBLE—Version and license checks indicate that the peer is compatible for redundancy.

• FSM_PEER_STATE_FT_VLAN_DOWN—FT VLAN is down, but, through the query interface, the local ACE has determined that the peer is still alive.

• FSM_PEER_STATE_DOWN—Peer device is down.

• FSM_PEER_STATE_ERROR—Status of whether an error has occurred with the peer. Possible errors are version mismatch, license mismatch, or failure to establish a TCP connection to the peer. A syslog message appears with more detailed information.

Maintenance Mode

Current maintenance mode of the peer context in an FT group. Applications can turn on maintenance mode when there is an inability to communicate with the peer, license mismatches, too many application errors, and so on. Possible states are as follows:


• MAINT_MODE_PARTIAL— All standby contexts transition to the STANDBY_COLD state. The ACE enters this mode if configuration synchronization fails.


FT VLAN Identifier of the interface that is configured as the FT VLAN or Not Configured.

FT VLAN IF State

Current status of the FT VLAN interface. Possible states are UP or DOWN.

My IP Addr IP address of the local ACE.

Peer IP Addr IP address of the peer ACE.

Query VLAN Identifier of the interface that is configured as the query VLAN or Not Configured.

Query VLAN IF State

Current status of the Query VLAN interface (if configured). Possible states are UP or DOWN.


OL-25343-01


Displaying FT Statistics

To display peer information, perform the following task:

Peer Query IP Addr

IP address of the query interface used to obtain the state of the peer’s health when the FT VLAN is down.

Heartbeat interval

Time in seconds that the ACE waits between sending heartbeat packets.

Heartbeat Count Number of missed heartbeats that an ACE must detect before declaring the peer down.

Tx Packets Total number of packets that the local ACE sent to the peer.

Tx Bytes Total number of bytes that the local ACE sent to the peer.

Rx Packets Total number of packets that the local ACE received from the peer.

Rx Bytes Total number of bytes that the local ACE received from the peer.

Rx Error Bytes Total number of error bytes that the local ACE received from the peer.

Tx Keepalive Packets

Total number of keepalive packets that the local ACE sent to the peer.

Rx Keepalive Packets

Total number of keepalive packets that the local ACE received from the peer.

TL_CLOSE Count

Number of Transport Layer close events (TL_CLOSE) received on the redundant TCP connection from the TL driver.

FT_VLAN_DOWN Count

Number of times that the FT VLAN was unavailable.

PEER_DOWN Count

Number of times that the remote ACE was unavailable.

SRG Compatibility

Status of whether the software version of the local ACE and the software version of the peer ACE are compatible. Possible states are the INIT, COMPATIBLE, or INCOMPATIBLE state.

License Compatibility

Status of whether the license of the local ACE and the license of the peer ACE are compatible. Possible states are the INIT, COMPATIBLE, or INCOMPATIBLE state.

FT Groups Number of FT groups.

Table 6-4 Field Descriptions for the show ft peer Command Output (continued)

Field Description

Command Purpose

show ft stats group_id Displays peer information. Table 6-5 describes the fields in the show ft stats command output.

The group_id argument displays additional load-balancing statistics (LB statistics) for the specified group.


OL-25343-01


Table 6-5 Field Descriptions for the show ft stats Command Output

Field Description

HA Heartbeat Statistics

Number of Heartbeats Sent Total number of heartbeat packets sent by the local ACE.

Number of Heartbeats Received

Total number of heartbeat packets received by the local ACE.

Number of Heartbeats Missed

Total number of heartbeat intervals that transpired with no heartbeats received.

Number of Unidirectional HBs Received

Number of heartbeats (HBs) received by the local peer that indicate the remote peer is not receiving HBs. The remote peer is sending heartbeats, but not receiving any.

Note Both peer ACEs send heartbeat packets and each packet indicates whether the other peer has been receiving heartbeats.

Number of HB Timeout Mismatches

Number of times that the local peer received a heartbeat (HB) from the remote peer with a mismatched heartbeat interval. If the heartbeat intervals do not match, a peer adjusts its interval to the lower of the two intervals.

Note The heartbeat interval should be the same on both peer ACEs. Each heartbeat packet contains the configured interval in the packet. When a peer receives a heartbeat packet, it checks to see if the interval in the heartbeat packet matches the interval configured locally.

Num of Peer Up Events Sent Number of times that the local ACE sent a Peer Up message to the remote ACE.

Num of Peer Down Events Sent

Number of times that the local ACE sent a Peer Down message to the remote ACE.

Successive HBs Miss Intervals Counter

Number of successive heartbeat misses detected by the heartbeat module.

Successive Uni HBs Recv Counter

Number of successive unidirectional heartbeats received by the heartbeat module.

LB Stats for FT Group N

Send-side Stats

Number of Sticky Entries Shared

Number of sticky database entries that the local ACE sent to the remote ACE.

Number of Replication Packets Sent

Number of packets that contain replication information that the local ACE sent to the remote ACE.

Number of Send Failures Number of times that the local ACE attempted to send packets to the remote ACE but failed.

Receive-side Stats

Number of Sticky Entries Dropped

Number of sticky database entries that the remote ACE sent to the local ACE, but the local ACE discarded them.

Number of Replication Packets Received

Number of packets that contain replication information that the local ACE received from the remote ACE.

Number of Receive Failures

Number of times that the remote ACE sent packets to the local ACE, but the local ACE failed to receive them.


OL-25343-01


Displaying FT Tracking Information

To display tracking information, perform the following task:

Command Purpose

show ft track {detail | status | summary}

Displays tracking information. Table 6-6 describes the fields in the show ft track command output.


• detail—Displays detailed tracking information

• status—Displays the current operating status of the peer plus additional information

• summary—Displays summary peer information

Table 6-6 Field Descriptions for the show ft track Command Output

Field Description

FT Group FT group identifier.

Status Configured state of the FT group. Possible states are the in-service or out-of-service state.

Maintenance Mode Current maintenance mode of the local context in an FT group. Applications can turn on maintenance mode when there is an inability to communicate with the peer, license mismatches, too many application errors, and so on. Possible states as follows:


• MAINT_MODE_PARTIAL— All standby contexts transition to the FSM_FT_STATE_STANDBY_COLD state (see the “My State” field description). The ACE enters this mode if configuration synchronization fails.



OL-25343-01


My State State of the FT group member in the local ACE. Possible states are as follows:

• FSM_FT_STATE_INIT—Initial state for each member (local and peer) of an FT group. The configuration for the FT group exists but the group is not yet in service.

• FSM_FT_STATE_ELECT—State that the local group member enters when you configure the inservice command for an FT group. Through the election process, the local context negotiates with its peer context in the FT group to determine their states. One member enters the ACTIVE state and the other member enters the STANDBY_CONFIG state.

• FSM_FT_STATE_ACTIVE—State that indicates that the local member of the FT group is active and processing flows.

• FSM_FT_STATE_STANDBY_COLD—State that indicates if either the FT VLAN is down but the peer device is still alive, or the configuration or application state synchronization failed. When a context is in this state and a switchover occurs, the transition to the ACTIVE state is stateless.

• FSM_FT_STATE_STANDBY_CONFIG—State that indicates that the local standby context is waiting to receive configuration information from its active peer context in the FT group. The active peer context receives a notification to send a snapshot of its running-configuration file to the local standby context.

• FSM_FT_STATE_STANDBY_BULK—State that indicates that the local standby context is waiting to receive state information from its active peer context. The active peer context receives a notification to send a snapshot of the current state information for all applications to the standby context.

• FSM_FT_STATE_STANDBY_HOT—State that indicates that the local standby context has all the state information it needs to statefully assume the active state if a switchover occurs.

• FSM_FT_STATE_STANDBY_WARM—State used when upgrading or downgrading the ACE software. When you upgrade or downgrade the ACE from one software version to another, there is a point in the process when the two ACEs have different software versions and, therefore, a CLI incompatibility.

When the software versions are different while upgrading or downgrading, the STANDBY_WARM state allows the configuration and state synchronization process to continue on a best-effort basis, which means that the active ACE will continue to synchronize configuration and state information to the standby even though the standby may not recognize or understand the CLI commands or state information. This standby state allows the standby ACE to come up with best-effort support. In the STANDBY_WARM state, as with the STANDBY_HOT state, the configuration mode is disabled and configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can still occur while the standby is in the STANDBY_WARM state.

My Config Priority Priority configured on the FT group in the local ACE.

My Net Priority Priority of the FT group equal to the configured priority minus the priority of the FT tracking process failures, if any.

My Preempt Preemption value of the FT group in the local ACE. Possible values are Enabled or Disabled.

Context Name Name of the context that is associated with the FT group.

Context ID Identifier of the context that is associated with the FT group.

Table 6-6 Field Descriptions for the show ft track Command Output (continued)

Field Description


OL-25343-01


Clearing Redundancy StatisticsTo clear redundancy statistics, use the commands described in the following sections. You must enter all commands in this section in the Admin context unless otherwise indicated.


• Clearing Transport-Layer Statistics

• Clearing Heartbeat Statistics

• Clearing Tracking-Related Statistics

• Clearing All Redundancy Statistics

• Clearing the Redundancy History


If you configure redundancy on the ACE, then you must explicitly clear statistics on both the active and the standby ACEs. Clearing statistics on the active ACE only does not clear the statistics on the standby ACE.

Track Type Type of object being tracked. Possible values are TRACK_HOST, TRACK_HSRP (ACE module only), or TRACK_INTERFACE.

HSRP Group name (ACE module only) Identifier of the HSRP group that is configured on the Catalyst 6500 series switch that you are tracking.

State State of the tracking process. Possible values are TRACK_UP or TRACK_DOWN.

Priority Priority of the tracking process.

Transitions Number of times that the active member of the FT group switched over to the standby member.

Probe Count Number of probes associated with a TRACK_HOST process.

Probes Down Number of failed probes.

Table 6-6 Field Descriptions for the show ft track Command Output (continued)

Field Description


OL-25343-01


Clearing Transport-Layer Statistics

To clear all transport layer-related counters that the ACE displays as part of the show ft peer detail command output, perform the following task:

Clearing Heartbeat Statistics

To clear all heartbeat-related statistics, perform the following task:

Clearing Tracking-Related Statistics

To clear tracking-related statistics for the Admin FT group only, a user context FT group only, or for all FT groups that are configured in the ACE, perform the following task:

Command Purpose

clear ft ha-stats Clears the following transport layer-related counters that the ACE displays as part of the show ft peer detail command output:

• Tx Packets

• Tx Bytes

• Rx Packets

• Rx Bytes

• Rx Error Bytes

For an explanation of these fields, see the “Displaying Peer Information” section.

Command Purpose

clear ft hb-stats Clears all heartbeat-related statistics.

When you enter this command for the first time, the ACE sets the heartbeat statistics counters to zero and stores a copy of the latest statistics locally. From that point on, when you enter the show ft hb-stats command, the ACE displays the difference between the statistics that are stored locally and the current statistics.

Command Purpose

clear ft track-stats [all] Clears tracking-related statistics for the Admin FT group only, a user context FT group only, or for all FT groups that are configured in the ACE.

Use the optional all keyword in the Admin context only to clear tracking statistics for all FT groups that are configured in the ACE. If you enter this command in the Admin context without the all keyword, it clears the tracking statistics only for the FT group associated with the Admin context. In a user context, you cannot enter the all keyword, so you can clear the tracking statistics only for the FT group associated with the user context.


OL-25343-01

Chapter 6 Configuring Redundant ACEsConfiguration Example of Redundancy

Clearing All Redundancy Statistics

To clear all redundancy statistics, including all TL, heartbeat, and tracking counters, perform the following task in the Admin context only:

Clearing the Redundancy History

To clear the redundancy history, perform the following task in the Admin context only:

Configuration Example of RedundancyThis section shows an example redundancy configuration and illustrates a running-configuration that defines fault tolerance (FT) for a single ACE operating in a redundancy configuration. You must configure a maximum of two ACEs (peers) for redundancy to fail over from the active ACE to the standby ACE.

Note All FT parameters are configured in the Admin context.

This configuration addresses the following redundancy components:

• A dedicated FT VLAN for communication between the members of an FT group. You must configure this same VLAN on both peer ACEs.

• An FT peer definition.

• An FT group that is associated with the Admin context.

• A critical tracking and failure detection process for an interface.

IPv6 Example

(ACE module only) The redundancy configuration appears in bold in the ACE module example that follows:

hostname ACE_Module_1

access-list ACL1 line 10 extended permit ip any any

Command Purpose

clear ft all Clears all redundancy statistics, including all TL, heartbeat, and tracking counters.

This command does not affect the redundancy history. To clear the redundancy history, use the clear ft history command. For details, see the “Clearing the Redundancy History” section.

Command Purpose

clear ft history {cfg_cntlr | ha_dp_mgr | ha_mgr}


• cfg_cntlr—Clears the Configuration Controller debug log

• ha_dp_mgr—Clears the HA (redundancy) dataplane manager debug log

• ha_mgr—Clears the HA (redundancy) manager debug log


OL-25343-01


class-map type management match-any L4_REMOTE-MGT_CLASS 2 match protocol telnet any 3 match protocol ssh any 4 match protocol icmpv6 anyv6 5 match protocol http any 7 match protocol snmp any 8 match protocol https any

policy-map type management first-match L4_REMOTE-MGT_POLICY class L4_REMOTE-MGT_CLASS permit

interface vlan 100 ip address 2001:DB8:1::/64 peer ip address 2001:DB8:2::/64 alias 2001:DB8:3::/64 access-group input ACL1 service-policy input L4_REMOTE-MGT_POLICY no shutdown

ft interface vlan 200 ip address 192.168.12.15 255.255.255.0 peer ip address 192.168.12.16 255.255.255.0 no shutdown

ft peer 1 ft-interface vlan 200 heartbeat interval 300 heartbeat count 10

ft group 1 peer 1 priority 200 associate-context Admin inservice

ft track interface TRACK_VLAN100 track-interface vlan 100 peer track-interface vlan 200 priority 50 peer priority 5

ip route ::/0 2001:DB8:1::/64

IPv4 Example

(ACE module only) The redundancy configuration appears in bold in the ACE module example that follows:

hostname ACE_Module_1


class-map type management match-any L4_REMOTE-MGT_CLASS 2 match protocol telnet any 3 match protocol ssh any 4 match protocol icmp any 5 match protocol http any 7 match protocol snmp any 8 match protocol https any

policy-map type management first-match L4_REMOTE-MGT_POLICY


OL-25343-01


class L4_REMOTE-MGT_CLASS permit

interface vlan 100 ip address 192.168.83.219 255.255.255.0 peer ip address 192.168.83.230 255.255.255.0 alias 192.168.83.200 255.255.255.0 access-group input ACL1 service-policy input L4_REMOTE-MGT_POLICY no shutdown





ip route 0.0.0.0 0.0.0.0 192.168.83.1

IPv6 Example

(ACE appliance only) The redundancy configuration appears in bold in the ACE appliance example that follows:

hostname ACE_Appliance_1

interface gigabitEthernet 1/2 speed 1000M duplex FULL ft-port vlan 200 qos trust cos no shutdown


class-map type management match-any L4_REMOTE-MGT_CLASS 2 match protocol telnet any 3 match protocol ssh any 4 match protocol icmpv6 anyv6 5 match protocol http any 7 match protocol snmp any 8 match protocol xml-https any



OL-25343-01


interface vlan 100 ip address 2001:DB8:1::/64 peer ip address 2001:DB8:2::/64 alias 2001:DB8:3::/64 access-group input ACL1 service-policy input L4_REMOTE-MGT_POLICY no shutdown





ip route ::/0 2001:DB8:1::/64

IPv4 Example

(ACE appliance only) The redundancy configuration appears in bold in the ACE appliance example that follows:

hostname ACE_Appliance_1

interface gigabitEthernet 1/2 speed 1000M duplex FULL ft-port vlan 200 no shutdown


class-map type management match-any L4_REMOTE-MGT_CLASS 2 match protocol telnet any 3 match protocol ssh any 4 match protocol icmp any 5 match protocol http any 7 match protocol snmp any 8 match protocol xml-https any


interface vlan 100 ip address 192.168.83.219 255.255.255.0 peer ip address 192.168.83.230 255.255.255.0


OL-25343-01


alias 192.168.83.200 255.255.255.0 access-group input ACL1 service-policy input L4_REMOTE-MGT_POLICY no shutdown





ip route 0.0.0.0 0.0.0.0 192.168.83.1


OL-25343-01

AdministOL-25343-01

C H A P T E R 7
Configuring SNMP

This chapter describes how to configure Simple Network Management Protocol (SNMP) to query the ACE for Cisco Management Information Bases (MIBs) and to send event notifications to a network management system (NMS).


• Information About SNMP

• Default Settings for SNMP

• Configuring SNMP

• Displaying SNMP and Service Policy Statistics

• Example of an SNMP Configuration

Information About SNMPSNMP is an application-layer protocol that facilitates the exchange of management information between an NMS, SNMP agents, and managed devices such as the ACE. You can configure the ACE to send traps (event notifications) to an NMS, or you can use the NMS to browse the MIBs that reside on the ACE. The ACE does not support SNMP over IPv6.

The ACE contains an SNMP agent that provides support for network monitoring. The ACE supports SNMP Version 1 (SNMPv1), SNMP Version 2c (SNMPv2c), and SNMP Version 3 (SNMPv3).

SNMPv1 and SNMPv2c use a community string match for authentication. Community strings provide a weaker form of access control. SNMPv3 utilizes an SNMP user for authentication and provides improved access control by using strong authentication. SNMPv3 should be utilized instead of SNMPv1 and SNMPv2c wherever possible.

SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by using a combination of authenticating and encrypting frames over the network. The SNMPv3 provides the following security features:

• Message integrity—Ensures that a packet has not been tampered with in-transit.

• Authentication—Determines that the message is from a valid source.

• Encryption—Scrambles the packet contents to prevent it from being seen by unauthorized sources.


Chapter 7 Configuring SNMPInformation About SNMP


• Managers and Agents

• SNMP Manager and Agent Communication

• SNMP Traps and Informs

• SNMPv3 CLI User Management and AAA Integration

• CLI and SNMP User Synchronization

• Multiple String Index Guidelines

• ACE Module Supported MIBs

• ACE Appliance Supported MIBs

• ACE Supported and Unsupported Tables and Objects

• ACE SNMP Notifications (Traps)

Managers and Agents SNMP uses software entities called managers and agents to manage network devices:

• The manager monitors and controls all other SNMP-managed devices (network nodes) in the network. At least one SNMP manager must be in a managed network. The manager is installed on a workstation somewhere in the network.

• An agent resides in a managed device (a network node). An agent is a specialized software module that receives instructions from the SNMP manager and also sends management information back to the SNMP manager as events occur. For example, an agent might report such data as the number of bytes and packets in and out of the device or the number of broadcast messages sent and received.

There are many different SNMP management applications, but they all perform the same basic task. These applications allow SNMP managers to communicate with agents to monitor, configure, and receive alerts from the network devices.The ACE supports traps and SNMP get requests but does not support SNMP set requests to configure values on the device. You can use any SNMP-compatible NMS to monitor the ACE.

In SNMP, each variable is referred to as a managed object. A managed object is anything that an agent can access and report back to the NMS. All managed objects are contained in the MIB, which is a database of the managed objects called MIB objects. Each MIB object controls one specific function, such as counting how many bytes are transmitted through an agent’s port. The MIB object consists of MIB variables, which define the MIB object name, description, and default value.The ACE maintains a database of values for each definition.

Browsing a MIB entails issuing an SNMP get request from the NMS. You can use any SNMPv3, MIB-II compliant browser to receive SNMP traps and browse MIBs.


OL-25343-01


SNMP Manager and Agent Communication The SNMP manager and the agent can communicate in several ways. The Protocol Data Unit (PDU) is the message format that SNMP managers and agents use to send and receive information.

• The SNMP manager can perform the following operations:

– Retrieve a value (a get operation) from an agent. The SNMP manager requests information from the agent, such as the number of users logged on to the agent device, or the status of a critical process on that device. The agent gets the value of the requested MIB object and sends the value back to the manager (a get-response operation). The variable binding (varbind) is a list of MIB objects that allows a request recipient to see what the originator wants to know. Variable bindings are object identifiers (OID)=value pairs that make it easy for the NMS to identify the information that it needs when the recipient fills the request and sends back a response.

– Retrieve the value immediately after the variable that you name (a get-next operation). A get-next operation retrieves a group of values from a MIB by issuing a sequence of commands. By performing a get-next operation, you do not need to know the exact MIB object instance that you are looking for; the SNMP manager takes the variable that you name and then uses a sequential search to find the desired variables.

– Retrieve a number of values (a get-bulk operation). The get-bulk operation retrieves large blocks of data, such as multiple rows in a table, which would otherwise require the transmission of many small blocks of data.The SNMP manager performs a number of get-next operations that you specify.

• An agent can send an unsolicited message to the SNMP manager at any time if a significant, predetermined event takes place on the agent. This message is called an event notification. SNMP event notifications (traps or inform requests) are included in many MIBs and help to alleviate the need for the NMS to frequently poll (gather information through a get operation) the managed devices. For details on MIB objects and SNMP notifications supported by the ACE, see the following sections:

– ACE Module Supported MIBs

– ACE Appliance Supported MIBs

– ACE Supported and Unsupported Tables and Objects

– ACE SNMP Notifications (Traps)

SNMP Traps and InformsYou can configure the ACE to send notifications (such as traps or inform requests) to SNMP managers when particular events occur. In some instances, traps can be unreliable because the receiver does not send any acknowledgment when it receives a trap and the sender cannot determine if the trap was received. However, an SNMP manager that receives inform requests acknowledges the message with an SNMP Response PDU. If the sender never receives a Response, the inform request is usually retransmitted. Inform requests are more likely to reach their intended destination.

Notifications may contain a list of MIB variable bindings that clarify the status being relayed by the notification. The list of variable bindings associated with a notification is included in the notification definition in the MIB. For standard MIBs, Cisco has enhanced some notifications with additional variable bindings that further clarify the cause of the notification.


OL-25343-01


Note The clogOriginID and clogOriginIDType variable bindings appended with each notification can be used by the NMS application to uniquely identify the device originating the trap. You can configure the values for clogOriginID and clogOriginIDType varbind to uniquely identify the device by using the logging device-id configuration mode command. For details on the logging device-id command, see the System Message Guide, Cisco ACE Application Control Engine.

Use the SNMP-TARGET-MIB to obtain more information on trap destinations and inform requests.

For details on SNMP notifications supported by the ACE, see the ACE SNMP Notifications (Traps) section.

SNMPv3 CLI User Management and AAA Integration The ACE implements RFC 3414 and RFC 3415, including the SMNPv3 User-based Security Model (USM) for message security and role-based access control. SNMP v3 user management can be centralized at the authentication and accounting (AAA) server level (as described in the Security Guide, Cisco ACE Application Control Engine). This centralized user management allows the ACE SNMP agent to use the user authentication service of an AAA server. After user authentication is verified, the SNMP protocol data units (PDUs) further processed. The AAA server is also used to store user group names. SNMP uses the group names to apply the user access and role policy that is locally available in the ACE.

CLI and SNMP User SynchronizationAny configuration changes to the user group, role, or password, results in the database synchronization for both SNMP and AAA.

Users are synchronized as follows:

• If you delete a user by using the no username command, the user is also deleted from both SNMP and the CLI. However, if you delete a user by using the no snmp-server user command, the user is deleted only from SNMP and not from the CLI.

• User-role mapping changes are synchronized in SNMP and the CLI.

Note When you specify a password in a localized key or encrypted format for security encryption, the password is not synchronized.

• The password specified in the username command is synchronized as the auth and priv passwords for the SNMP user.

• Existing SNMP users can continue to retain the auth and priv information without any changes.

• If you create a new user that is not present in the SNMP database by using the username command without a password, the SNMP user is created with the noAuthNoPriv security level.

For information about creating a CLI user by using the username command, see the Virtualization Guide, Cisco ACE Application Control Engine. To create an SNMP user by using the snmp-server user command, see the “Configuring SNMP Users” section.


OL-25343-01


Multiple String Index GuidelinesIf any SNMP MIB table has more than one string index that contains more than 48 characters, the index may not show up in the MIB table when you perform an SNMP walk. According to SNMP standards, SNMP requests, responses, or traps cannot have more than 128 subidentifiers.

Note The maximum SNMP object identifier (OID) length supported by the ACE is 128 characters. If the SNMP OID exceeds this maximum, the ACE displays the error “Next OID length is greater than permissible.”

The following list contains object names:

• Context name

• Real server name

• Server farm name

• Probe name

• HTTP header name

• ACL name

• Class map name

• Policy map name

• Resource class name

Table 7-1 identifies a list of tables that have more than one string index.

Table 7-1 SNMP MIB Tables with More Than One String Index

MIB Name Table String Indices

CISCO-ENHANCED- SLB-MIB.my cesRserverProbeTable cesRserverName,cesRserverProbeName

CISCO-ENHANCED-SLB-MIB.my cesServerFarmRserverTable slbServerFarmName, cesRserverName

CISCO-SLB-EXT-MIB.my cslbxServerFarmProbeFarmName cslbxServerFarmProbeFarmName,cslbxServerFarmProbeTableName

CISCO-SLB-HEALTH-MON-MIB.my ACE module:

cslbxProbeHeaderCfgTable cslbxProbeHeaderProbeName,cslbxProbeHeaderFieldName

ACE appliance:

cshMonServerfarmRealProbeStatsTable cslbxProbeName,slbServerFarmName,cshMonServerfarmRealServerName


OL-25343-01


ACE Module Supported MIBsTable 7-2 identifies the supported MIBs for the ACE module.

Note The maximum SNMP object identifier (OID) length supported by the ACE module is 128 characters. If the SNMP OID exceeds this maximum, the ACE displays the error “Next OID length is greater than permissible.”

Table 7-2 ACE Module SNMP MIB Support

MIB Support Capability MIB Description

Supervisor Module MIBs

CISCO-ENTITY-FRU-CONTROL-MIB

CISCO-ENTITY-FRU-CONTROL-CAPABILITY

Acts as an extension to the ENTITY-MIB. It monitors the operational state of the ACE module baseboard and the two daughter cards. The CISCO-ENTITY-FRU-CONTROL-MIB is supported only in the Admin context.

CISCO-ENTITY-VENDORTYPE-OID-MIB

N/A Defines the object identifiers (OIDs) assigned to various ACE module components, including the baseboard and the two daughter cards on the ACE30 module. The OIDs in this MIB are used by the entPhysicalTable of the ENTITY-MIB as values for the entPhysicalVendorType field in the entPhysicalTable. Each OID uniquely identifies a type of physical entity, such as a chassis, line cards, or port adapters. The following list contains the entPhysicalVendorType OID values:

Product Name (PID) entPhysicalVendorType

ACE30-MOD-K9 cevCat6kAce30K9

(cevModuleCat6000Type120)

Inlet Temperature cevSensorModuleInletTemp

(cevSensor 36)

Outlet Temperature cevSensorModuleOutletTemp

(cevSensor 35)

Other device

Temperature sensors cevSensorModuleDeviceTemp

(cevSensor 31)

ENTITY-MIB CISCO-ENTITY-CAPABILITY

Provides basic management and identification of physical and logical entities within a network device. Software support for the ENTITY-MIB focuses on the physical entities within the ACE module. This MIB provides details on each module base board, daughter card, power supply, and fan tray within a switch chassis. It gives enough information to correctly map the containment of these entities within the ACE module, creating a chassis view.

The ENTITY-MIB is supported only in the Admin context.

The ENTITY-MIB is described in RFC 4133.


OL-25343-01


ENTITY-SENSOR-MIB

CISCO-ENTITY-SENSOR-RFC-CAPABILITY

Contains a single group called the entitySensorValueGroup, which allows objects to convey the current value and status of a physical sensor. The entitySensorValueGroup contains a single table, called the entPhySensorTable, which provides a few read-only objects that identify the type of data units, scaling factor, precision, current value, and operational status of the sensor.

The ENTITY-SENSOR-MIB is supported only in the Admin context.

The ENTITY-SENSOR-MIB is described in RFC 3433.

SNMPv3 Agent MIBs

SNMP-COMMUNITY-MIB

CISCO-SNMP-COMMUNITY-CAPABILITY

Contains objects for mapping between community strings and version-independent SNMP message parameters. In addition, this MIB provides a mechanism for performing source address validation on incoming requests and for selecting community strings based on target addresses for outgoing notifications.

The SNMP-COMMUNITY-MIB is described in RFC 3584.

Note SNMP communities are applicable only for SNMPv1 and SNMPv2c. SNMPv3 requires user configuration information such as specifying the role group that the user belongs to, authentication parameters for the user, the authentication password, and message encryption parameters.

SNMP-FRAMEWORK-MIB

CISCO-SNMP-FRAMEWORK-CAPABILITY

Defines the elements of SNMP Management Frameworks, including an SNMP engine and Access Control Subsystem.

The SNMP-FRAMEWORK-MIB is described in RFC 3411.

SNMP-MPD-MIB CISCO-SNMP-MPD-CAPABILITY

Describes the Message Processing Subsystem and Dispatcher for SNMP. The Dispatcher in the SNMP engine sends and receives SNMP messages. It also dispatches SNMP PDUs to SNMP applications. A Message Processing Model processes an SNMP version-specific message and coordinates the interaction with the Security Subsystem to ensure that proper security is applied to the SNMP message being handled.

The SNMP-MPD-MIB is described in RFC 3412.

SNMP-NOTIFICATION-MIB

CISCO-SNMP-NOTIFICATION-CAPABILITY

Defines MIB objects that provide a mechanism to remotely configure the parameters used by an SNMP entity for the generation of notifications.

The SNMP-NOTIFICATION-MIB is described in RFC 3413.

SNMP-TARGET-MIB CISCO-SNMP-TARGET-CAPABILITY

Contains a table for the destination information and SNMP parameters in the management target message. Multiple transport end points may be associated with a particular set of SNMP parameters, or a particular transport end point may be associated with several sets of SNMP parameters.

The SNMP-TARGET-MIB is described in RFC 3413.

Table 7-2 ACE Module SNMP MIB Support (continued)



OL-25343-01


SNMP-USER-BASED-SM-MIB

CISCO-SNMP-USM-CAPABILITY

Provides management information definitions for the User-based Security Model (USM) for SMNPv3. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security.

The USM module decrypts incoming messages. The module then verifies the authentication data and creates the PDUs. For outgoing messages, the USM module encrypts PDUs and generates the authentication data. The module then passes the PDUs to the message processor, which then invokes the dispatcher.

The USM module's implementation of the SNMP-USER-BASED-SM-MIB enables the SNMP manager to issue commands to manage users and security keys. The MIB also enables the agent to ensure that a requesting user exists and has the proper authentication information. When authentication is done, the request is carried out by the agent.

The SNMP-USER-BASED-SM-MIB is described in RFC 3414.

Note User configuration is applicable only for SNMPv3; SNMPv1 and SNMPv2c use a community string match for user authentication.

SNMP-VIEW-BASED-ACM-MIB

CISCO-SNMP-VACM-CAPABILITY

Provides the View-based Access Control Model (VACM) for SNMPv3. The SNMPv3 architecture introduces VACM for access control.

The SNMP-VIEW-BASED-ACM-MIB specifies objects that are needed to control access to all MIB data that is accessible through the SNMP agent. Upon initialization, the VACM module registers as the access control module with the agent infrastructure. The VACM module implements access control checks according to several parameters that are derived from the SNMP message.

The SNMP-VIEW-BASED-ACM-MIB is described in RFC 3415.

Other MIBs

CISCO-AAA-SERVER-EXT-MIB

CISCO-AAA-SERVER-EXT-CAPABILITY

Acts as an extension to CISCO-AAA-SERVER-MIB. It enhances the casConfigTable of the CISCO-AAA-SERVER-MIB to include other types of server addresses. The CISCO-AAA-SERVER-EXT-MIB manages the following configuration functions:

• Generic configurations as applied on the authentication and accounting module.

• Configuration settings (settings for all the AAA servers instrumented in one instance of this MIB).

• AAA server group configuration.

• Application-to-AAA function-to-server group mapping configuration.




OL-25343-01


CISCO-AAA-SERVER-MIB

CISCO-AAA-SERVER-CAPABILITY

Provides configuration and statistics that reflect the state of an AAA server operation within the device and AAA communications with external servers. The CISCO-AAA-SERVER-MIB provides the following information:

• A table for configuring AAA servers.

• Identities of external AAA servers.

• Statistics for each AAA function.

• Status of servers that provide AAA functions.

A server is defined as a logical entity that provides any of the AAA functions. The ACE module can use a Remote Access Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), or Lightweight Directory Access Protocol (v3) (LDAP) protocols for remote authentication and designation of access rights.

CISCO-ENHANCED-SLB-MIB

CISCO-ENHANCED-SLB-CAPABILITY

Extends the tables that are defined in CISCO-SLB-MIB and CISCO-SLB-EXT-MIB and supports the following server load-balancing functions:

• A real server configuration with a real server that is identified by a name.

• The current state of the real server (for example, OPERATIONAL, OUT-OF-SERVICE, PROBE-FAILED).

• A real server configuration in a server farm.

• Real server locality (UNKNOWN, LOCAL, or REMOTE) for the dynamic capacity expansion feature (cesRserverLocality).

• A health probe configuration in a real server and server farm.

• Health probe statistics for each real server.

• A sticky configuration for an HTTP header, an HTTP cookie and client IP address, and Secure Socket Layer (SSL). The slbEntity Index used in the table is the slot number of the ACE.

The cesRserverProbeTable table in the CISCO-ENHANCED-SLB-MIB provides details about the real server probe statistics available in the show probe detail command output.

The cesServerFarmRserverTable and cesRserverTable tables in the CISCO-ENHANCED-SLB-MIB provide details about the data available in the show rserver command output.

CISCO-IF-EXTENSION-MIB

CISCO-IF-EXTENSION-CAPABILITY

Provides a table that returns ifName to ifIndex mapping to assign the ifIndex to interfaces.

The CISCO-IF-EXTENSION-MIB is described in RFC 2863.




OL-25343-01


CISCO-IP-PROTOCOL-FILTER-MIB

CISCO-IP-PROTOCOL-FILTER-CAPABILITY

Manages information to support packet filtering on IP protocols (RFC 791).

The cippfIpProfileTable allows users to create, delete, and get information about filter profiles. Filter profiles are uniquely identified by the profile names. Filter profiles can be either simple or extended usage types. The usage type cannot be changed once it has been created. The cippfIfIpProfileTable applies the filtering profiles to device interfaces that run IP. A filter profile can be applied to multiple interfaces.

The cippfIpFilterTable contains ordered lists of IP filters for all filtering profiles. Filters and profiles are related if they have the same filter profile name. Filters can be created only if their associated filter profiles already exist in the cippfIpProfileTable. Filters of the same profile name belong to a common profile.

The interface-based cippfIfIpProfileTable can be configured with information that is independent of the other tables. However, if the profile name in this table matches any profile name in the cippfIpProfileTable and the profile name of any filter entry in the cippfIpFilterTable, the profile is active and the filter entry is applied to IP traffic that passes through the attached device interfaces. Any change to the filters in the cippfIpFilterTable or the profile in the cippfIpProfileTable affects all the attached interfaces.

The IP protocol is described in RFC 791.

CISCO-L4L7MODULE-REDUNDANCY-MIB

CISCO-L4L7MODULE-REDUNDANCY-CAPABILITY

Provides configuration information and statistic tables that reflect the redundancy (or fault tolerance) between an active and a standby ACE module. Each peer ACE module can contain one or more fault-tolerant (FT) groups.

The CISCO-L4L7MODULE-REDUNDANCY-MIB provides redundancy information such as: FT state, IP address, peer FT state, peer IP address, software compatibility, license compatibility, number of groups to which a peer belongs, and the number of heartbeat messages transmitted and received.

This MIB also supports the following tables:

• clrRedundancyInfoTable

• clrPeerInfoTable

• clrHAStatsTable

The CISCO-L4L7MODULE-REDUNDANCY-MIB provides details about the fault tolerance statistics available in the show ft peer, show ft group detail, and show ft stats command output.




OL-25343-01


CISCO-L4L7RESOURCE-LIMIT-MIB

CISCO-L4L7MODULE-RESOURCE-LIMIT-CAPABILITY

Manages resource classes. The resources referenced in this MIB are in addition to the resource information that is available in other MIBs. This MIB applies to Layer 4 through 7 modules that support managing resource limits using a centralized approach.

The ciscoL4L7ResourceLimitTable, ciscoL4L7ResourceRateLimitTable, and ciscoL4L7ResourceUsageSummaryTable in the CISCO-L4L7RESOURCE-LIMIT-MIB provide details about the Current, Peak, and Denied statistics available in the show resource usage and show resource usage summary command output.

The ciscoL4L7BufferUtilizationTable in the CISCO-L4L7RESOURCE-LIMIT-MIB provides details about the NP buffer usage and percentage of buffer usage.

CISCO-MODULE-VIRTUALIZATION-MIB

CISCO-MODULE-VIRTUALIZATION-CAPABILITY

Provides a way to create and manage ACE module user contexts (also referred as virtual contexts). A user context is a logical partition of a physical device (the ACE module). A user context provides different service types that can be managed independently. Each user context is an independent entity with its own configuration. A user-created context supports most of the options that you can configure in the Admin context (the default ACE module context). Each context can have a separate management IP address that allows you to establish a remote connection to the ACE module with the Secure Shell (SSH) or Telnet protocols and send other requests (such as SNMP or FTP).

This MIB contains tables that allow you to create or delete ACE module user contexts and assign interfaces and interface ranges to user contexts.

CISCO-PROCESS-MIB

CISCO-PROCESS-CAPABILITY

Displays memory and process CPU utilization on Cisco devices. This information should be used only as an estimate. The value of cpmCPUTotalPhysicalIndex will always be 1.

The displayed system processes information is at the CPU system level (the total CPU usage) and is not on a per-context level.

CISCO-PRODUCTS-MIB

N/A Contains the OIDs that can be reported in the sysObjectID object in the SNMPv2-MIB. The sysObjectID OID value is listed below:

Product Name (PID) sysObjectID

ACE10-6500-K9 ciscoACE10K9 ACE20-MOD-K9 ciscoACE20K9 ACE30-MOD-K9 ciscoACE30K9




OL-25343-01


CISCO-SLB-EXT-MIB CISCO-SLB-EXT-CAPABILITY

Acts as an extension to the Cisco server load-balancing MIB (CISCO-SLB-MIB). It provides tables for the sticky configuration.

The cslbxServerFarmStatsTable table provides details about the data available in the show serverfarm command output.

The cslbxServerFarmTable table provides details about the server farm state. It includes the following MIB objects:

• cslbxServerFarmState

• cslbxServerFarmStateChange

• cslbxServerFarmDciCfgState

• cslbxServerFarmDciOpState

The cslbxNotifObjects table contains information about the server farm state changes.

The cslbxVServerDciCfgState object reports the configured state of the dynamic capacity expansion feature. Because a VIP can have more than one server farm, it is possible that either none or more than one server farm may have dynamic capacity expansion feature enabled. The possible values of the cslbxVServerDciState object are as follows:

• dciCfgDisabled—None of the server farms has the feature configured under the VIP

• dciCfgEnabled—At least one server farm has the feature enabled under the VIP

The cslbxVServerDciOpState object represents the dynamic capacity expansion operational state at the VIP address level.

The following MIB objects for the ACE module include non-SLB related connections as well:

• cslbxStatsCurrConnections

• cslbxStatsTimedOutConnections

The server farm can change from the inactive to active state or active to inactive state. The reasons for changing from the active to inactive state are as follows:

• All the real servers are down.

• All real servers in a single server farm are out of service because the real server(s) reach the maximum connection or maximum load state, or have a probe failure or an ARP failure.

• The server farm reaches its partial limits.

CISCO-SLB-HEALTH-MON-MIB

CISCO-SLB-HEALTH-MON-CAPABILITY

Acts as an extension to the Cisco server load-balancing MIB (CISCO-SLB-MIB). It provides tables for the health probe configuration and statistics of the ACE module.

The cshMonServerfarmRealProbeStatsTable and cslbxProbeCfgTable tables in the CISCO-SLB-HEALTH-MON-MIB provide details about the probe data available in the show probe detail command output.




OL-25343-01


CISCO-SSL-PROXY-MIB

CISCO-SSL-PROXY-CAPABILITY

Manages a Secure Socket Layer (SSL) Proxy device which terminates and accelerates SSL and Transport Layer Security (TLS) transactions. The proxy device can act as an SSL server or an SSL client depending on the configuration and the application.

This MIB is used for monitoring the statistics of the proxy services and the protocols including TCP, SSL, and TLS that are available in the show stats crypto client command output. It also includes counters related to the insertion of SSL header information and SSL client certificate information into HTTP headers that are available in the show stats crypto server command output. In addition, it includes counters related to a given client certificate authentication failure type that are available in the show stats http command output.

CISCO-SLB-MIB CISCO-SLB-CAPABILITY

Manages the Server Load-Balancing (SLB) manager. This MIB monitors the SLB connections statistics, server farms, real servers, VIP status and statistics, and so on.

The slbVServerInfoTable table in the CISCO-SLB-MIB provides details about the data available in the show service-policy command output.

The slbEntity Index used in the table is the slot number of the ACE module. Because the slot numbers value is not applicable for the ACE module, the slbEntity Index will always have a value of one.

The following MIB objects for the ACE module include non-SLB related connections as well:

• slbStatsCreatedConnections

• slbStatsCreatedHCConnections

• slbStatsEstablishedConnections

• slbStatsEstablishedHCConnetions

• slbStatsDestroyedConnections

• slbStatsDestroyedHCConnections

• slbStatsReassignedConnections

CISCO-SYSLOG-EXT-MIB

CISCO-SYSLOG-EXT-CAPABILITY

Extends the CISCO-SLB-MIB, provides additional server farm configuration parameters (cslbxServerFarmTable), and configures and monitors system log (syslog) management parameters for the ACE module. Use this MIB to set up syslog servers and set logging severity levels.

The syslog is described by RFC 3164.

CISCO-SYSLOG-MIB CISCO-SYSLOG-CAPABILITY

Describes and stores the system messages (syslog messages) generated by the ACE module. The CISCO-SYSLOG-MIB provides access to the syslog messages through SNMP. The MIB also contains a history of syslog messages and objects to enable or disable the transmission of syslog notifications.

Note This MIB does not track messages that are generated from debug commands entered through the CLI.

The syslog is described by RFC 3164.




OL-25343-01


ACE Appliance Supported MIBsTable 7-3 identifies the supported MIBs for the ACE appliance.

Note The maximum SNMP object identifier (OID) length supported by the ACE appliance is 128 characters. If the SNMP OID exceeds this maximum, the ACE displays the error “Next OID length is greater than permissible.”

IF-MIB CISCO-IF-CAPABILITY

Reports generic information on interfaces (for example, VLANs).

The IF-MIB is described in RFC 2863.

IP-MIB CISCO-IP-CAPABILITY

Defines managed objects for managing implementations of the IP and its associated Internet Control Message Protocol (ICMP), but excludes their management of IP routes.

The IP-MIB is described in RFC 4293.

SNMPv2-MIB CISCO-SNMPv2-CAPABILITY

Provides the Management Information Base for SNMPv2. The management protocol, SNMPv2, provides for the exchange of messages that convey management information between the agents and the management stations.

The SNMPv2-MIB is described in RFC 3418.

TCP-MIB CISCO-TCP-STD-CAPABILITY

Defines managed objects for managing the implementation of the Transmission Control Protocol (TCP).

The TCP MIB is described in RFC 4022.

UDP-MIB CISCO-UDP-STD-CAPABILITY

Defines managed objects for managing implementation of the User Datagram Protocol (UDP).

The UDP MIB is described in RFC 4113.




OL-25343-01


Table 7-3 ACE Appliance SNMP MIB Support


Appliance MIBs

CISCO-ENTITY-VENDORTYPE-OID-MIB

N/A Defines the object identifiers (OIDs) assigned to various ACE appliance components. The OIDs in this MIB are used by the entPhysicalTable of the ENTITY-MIB as values for the entPhysicalVendorType field in the entPhysicalTable. Each OID uniquely identifies a type of physical entity, such as a chassis, line cards, or port adapters. The entPhysicalVendorType OID values are listed as follows:

Product Name (PID) {entPhysicalVendorType}

ACE4710-K9 cevChassisACE4710K9 {cevChassis 610}

Power SupplycevPowerSupplyAC345 {cevPowerSupply 190}

CPU fancevFanACE4710K9CpuFan {cevFan 91}

DIMM fan cevFanACE4710K9DimmFan {cevFan 92}

PCI fan cevFanACE4710K9PciFan {cevFan 93}

CISCO-ENTITY-VENDORTYPE-OID-MIB (continued)

N/A Product Name (PID) {entPhysicalVendorType}

Voltage SensorcevSensorPSOutput {cevSensor 39}

CPU fan sensorcevSensorCpuFanSpeed {cevSensor 58}

DIMM fan sensorcevSensorACE4710K9DimmFanSpeed{cevSensor 59}

PCI fan sensorcevSensorACE4710K9PciFanSpeed{cevSensor 60}

CPU temperature sensor cevSensorACE4710K9 CPUTemp{cevSensor 56}

Ambient temperature sensorcevSensorACE4710K9 AmbientTemp{cevSensor 57}


OL-25343-01


ENTITY-MIB CISCO-ENTITY-CAPABILITY

Provides basic management and identification of physical and logical entities within a network device. Software support for the ENTITY-MIB focuses on the physical entities within the ACE appliance. This MIB provides details on each module, power supply, fan, and sensors within the ACE appliance chassis. It provides sufficient information to correctly map the containment of these entities within the ACE appliance.

The ENTITY-MIB is supported only in the Admin context.

The ENTITY-MIB is described in RFC 4133.

ENTITY-SENSOR-MIB CISCO-ENTITY-SENSOR-RFC-CAPABILITY

Contains a single group called the entitySensorValueGroup, which allows objects to convey the current value and status of a physical sensor. The entitySensorValueGroup contains a single table, called the entPhySensorTable, which provides a few read-only objects that identify the type of data units, scaling factor, precision, current value, and operational status of the sensor.

The ENTITY-SENSOR-MIB is supported only in the Admin context.

The ENTITY-SENSOR-MIB is described in RFC 3433.

Table 7-3 ACE Appliance SNMP MIB Support (continued)



OL-25343-01


SNMPv3 Agent MIBs

SNMP-COMMUNITY-MIB CISCO-SNMP-COMMUNITY-CAPABILITY

Contains objects for mapping between community strings and version-independent SNMP message parameters. In addition, this MIB provides a mechanism for performing source address validation on incoming requests and for selecting community strings based on target addresses for outgoing notifications.

The SNMP-COMMUNITY-MIB is described in RFC 3584.

Note SNMP communities are applicable only for SNMPv1 and SNMPv2c. SNMPv3 requires user configuration information such as specifying the role group that the user belongs to, authentication parameters for the user, the authentication password, and message encryption parameters.

SNMP-FRAMEWORK-MIB

CISCO-SNMP-FRAMEWORK-CAPABILITY

Defines the elements of SNMP Management Frameworks, including an SNMP engine and Access Control Subsystem.

The SNMP-FRAMEWORK-MIB is described in RFC 3411.

SNMP-MPD-MIB CISCO-SNMP-MPD-CAPABILITY.my

Describes the Message Processing Subsystem and Dispatcher for SNMP. The Dispatcher in the SNMP engine sends and receives SNMP messages. It also dispatches SNMP PDUs to SNMP applications. A Message Processing Model processes an SNMP version-specific message and coordinates the interaction with the Security Subsystem to ensure that proper security is applied to the SNMP message being handled.

The SNMP-MPD-MIB is described in RFC 3412.

SNMP-NOTIFICATION-MIB

CISCO-SNMP-NOTIFICATION-CAPABILITY

Defines MIB objects used by an SNMP entity for the generation of notifications.

The SNMP-NOTIFICATION-MIB is described in RFC 3413.

SNMP-TARGET-MIB CISCO-SNMP-TARGET-CAPABILITY

Contains a table for the destination information and SNMP parameters in the management target message. There can be a many-to-many relationship in the MIB between these two types of information. Multiple transport end points may be associated with a particular set of SNMP parameters, or a particular transport end point may be associated with several sets of SNMP parameters.

The SNMP-TARGET-MIB is described in RFC 3413.




OL-25343-01



CISCO-SNMP-USM-CAPABILITY

Provides management information definitions for the User-based Security Model (USM) for SMNPv3. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security.

The USM module decrypts incoming messages. The module then verifies the authentication data and creates the PDUs. For outgoing messages, the USM module encrypts PDUs and generates the authentication data. The module then passes the PDUs to the message processor, which then invokes the dispatcher.

The USM module's implementation of the SNMP-USER-BASED-SM-MIB enables the SNMP manager to issue commands to manage users and security keys. The MIB also enables the agent to ensure that a requesting user exists and has the proper authentication information. When authentication is done, the request is carried out by the agent.

The SNMP-USER-BASED-SM-MIB is described in RFC 3414.

Note User configuration is applicable only for SNMPv3; SNMPv1 and SNMPv2c use a community string match for user authentication.


CISCO-SNMP-VACM-CAPABILITY

Provides the View-based Access Control Model (VACM) for SNMPv3. The SNMPv3 architecture introduces VACM for access control.

The SNMP-VIEW-BASED-ACM-MIB specifies objects that are needed to control access to all MIB data that is accessible through the SNMP agent. Upon initialization, the VACM registers as the access control module with the agent infrastructure. The VACM implements access control checks according to several parameters that are derived from the SNMP message.

The SNMP-VIEW-BASED-ACM-MIB is described in RFC 3415.

Other MIBs


CISCO-AAA-SERVER-EXT-CAPABILITY

Acts as an extension to CISCO-AAA-SERVER-MIB. It enhances the casConfigTable of the CISCO-AAA-SERVER-MIB to include other types of server addresses. The CISCO-AAA-SERVER-EXT-MIB manages the following configuration functions:

• Generic configurations as applied on the authentication and accounting module.

• Configuration settings (settings for all the AAA servers instrumented in one instance of this MIB).

• AAA server group configuration.

• Application-to-AAA function-to-server group mapping configuration.




OL-25343-01


CISCO-AAA-SERVER-MIB

CISCO-AAA-SERVER-CAPABILITY

Provides configuration information and statistics that reflect the state of an AAA server operation within the device and AAA communications with external servers. The CISCO-AAA-SERVER-MIB provides the following information:

• A table for configuring AAA servers.

• Identities of external AAA servers.

• Statistics for each AAA function.

• Status of servers that provide AAA functions.

A server is defined as a logical entity that provides any of the AAA functions. The ACE appliance can use a Remote Access Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), or Lightweight Directory Access Protocol (v3) (LDAP) protocols for remote authentication and designation of access rights.

CISCO-APPLICATION ACCELERATION-MIB

CISCO-APPLICATION- ACCELERATION-CAPABILITY-MIB

Manages application acceleration system(s) in the ACE appliance. This MIB includes instrumentation for providing the performance statistics and status of the condenser which is the core of the application acceleration system. A condenser is a software accelerator that applies several optimization techniques to accelerate Web application access.


CISCO-ENHANCED-SLB-CAPABILITY

Supports the following server load-balancing functions:

• A real server configuration with a real server that is identified by a name.

• The current state of the real server (for example, OPERATIONAL, OUT-OF-SERVICE, PROBE-FAILED).

• A real server configuration in a server farm.

• Real server locality (UNKNOWN, LOCAL, or REMOTE) for the dynamic workload scaling feature (cesRserverLocality).

• A health probe configuration in a real server and server farm.

• Health probe statistics for each real server.

• A sticky configuration for an HTTP header, an HTTP cookie and client IP address, and Secure Socket Layer (SSL).

The slbEntity Index used in the table is the slot number of the ACE appliance. Because the slot numbers value is not applicable for the ACE appliance, the slbEntity Index will always have a value of 1.

The cesRServerProbeTable table in the CISCO-ENHANCED-SLB-MIB provides details about the real server probe statistics available in the show probe detail command output.

The cesServerFarmRserverTable and cesRserverTable tables in the CISCO-ENHANCED-SLB-MIB provide details about the data available in the show rserver command output.




OL-25343-01



CISCO-IF-EXTENSION-CAPABILITY

Provides a table that returns ifName to ifIndex mapping to assign the

ifIndex to interfaces.

The CISCO-IF-EXTENSION-MIB is described in RFC 2863.

Note The Ethernet data port, Ethernet management port, and port-channel interfaces are available only in Admin context. In this case, the CISCO-IF-EXTENSION-MIB supports all the interfaces for Admin contexts, while each individual user context supports only VLAN and BVI interfaces.

CISCO-IP-PROTOCOL-FILTER-MIB

CISCO-IP-PROTOCOL-FILTER-CAPABILITY

Manages information to support packet filtering on IP protocols (RFC 791).

The cippfIpProfileTable allows users to create, delete, and get information about filter profiles. Filter profiles are uniquely identified by the profile names. Filter profiles can be either simple or extended usage types. The cippfIfIpProfileTable applies the filtering profiles to device interfaces that run IP. A filter profile can be applied to multiple interfaces.

The cippfIpFilterTable contains ordered lists of IP filters for all filtering profiles. Filters and profiles are related if they have the same filter profile name. Filters of the same profile name belong to a common profile.

The cippfIpFilterHits provides the total number of hit counts for an access control entry.

The IP protocol is described in RFC 791.


CISCO-L4L7MODULE-REDUNDANCY-CAPABILITY

Provides configuration information and statistic tables that reflect the redundancy (or fault tolerance) between an active and a standby ACE appliances. Each peer appliance can contain one or more fault-tolerant (FT) groups.

The CISCO-L4L7MODULE-REDUNDANCY-MIB provides redundancy information such as: FT state, IP address, peer FT state, peer IP address, software compatibility, license compatibility, number of groups to which a peer belongs, and the number of heartbeat messages transmitted and received.

The CISCO-L4L7MODULE-REDUNDANCY-MIB provides details about the fault tolerance statistics available in the show ft peer, show ft group detail, and show ft stats command output.




OL-25343-01


CISCO-L4L7RESOURCE-LIMIT-MIB

CISCO-L4L7MODULE-RESOURCE-LIMIT-CAPABILITY

Manages resource classes. The resources referenced in this MIB are in addition to the resource information that is available in other MIBs. This MIB applies to Layer 4 through 7 modules that support managing resource limits using a centralized approach.

The ciscoL4L7ResourceLimitTable, ciscoL4L7ResourceRateLimitTable, and ciscoL4L7ResourceUsageSummaryTable in the CISCO-L4L7RESOURCE-LIMIT-MIB provide details about the Current, Peak, and Denied statistics available in the show resource usage command output.

The ciscoL4L7BufferUtilizationTable in the CISCO-L4L7RESOURCE-LIMIT-MIB provides details about the NP buffer usage and percentage of buffer usage.


CISCO-MODULE-VIRTUALIZATION-CAPABILITY

Provides a way to create and manage ACE appliance user contexts (also referred as virtual contexts). A virtual context is a logical partition of a physical device (the ACE appliance). A virtual context provides different service types that can be managed independently. Each virtual context is an independent entity with its own configuration. A user-created context supports most of the options that you can configure in the Admin context (the default ACE appliance context). Each context can have a separate management IP address that allows a user to establish a remote connection to the ACE appliance by using the Secure Shell (SSH) or Telnet protocols and to send other requests (such as SNMP or FTP).

This MIB contains tables that allow you to create or delete virtual contexts and assigning interfaces and interface ranges to virtual contexts.

CISCO-PROCESS-MIB CISCO-PROCESS-CAPABILITY

Displays memory and process CPU utilization on Cisco devices. This information should be used only as an estimate. The value of cpmCPUTotalPhysicalIndex will always be 1.

The displayed system processes information at the CPU system level (the total CPU usage) and not on a per-context level.

CISCO-PRODUCTS-MIB N/A Contains the OIDs that can be reported in the sysObjectID object in the SNMPv2-MIB. The sysObjectID OID value is listed as follows:

Product Name (PID) sysObjectID

ACE4710-K9 ciscoACE4710K9 {ciscoProducts 824}




OL-25343-01


CISCO-SLB-MIB CISCO-SLB-CAPABILITY

Manages the Server Load-Balancing (SLB) manager. This MIB monitors the SLB connections statistics, server farms, real servers, VIP status and statistics, and so on.

The slbVServerInfoTable table in the CISCO-SLB-MIB provides details about the data available in the show service-policy command output.

The slbEntity Index used in the table is the slot number of the ACE appliance. Because the slot numbers value is not applicable for the ACE appliance, the slbEntity Index will always have a value of one.

The following MIB objects for the ACE appliance include non-SLB-related connections as well:

• slbStatsCreatedConnections

• slbStatsCreatedHCConnections

• slbStatsEstablishedConnections

• slbStatsEstablishedHCConnetions

• slbStatsDestroyedConnections

• slbStatsDestroyedHCConnections

• slbStatsReassignedConnections




OL-25343-01


CISCO-SLB-EXT-MIB CISCO-SLB-EXT-CAPABILITY

Acts as an extension to the Cisco server load-balancing MIB (CISCO-SLB-MIB). It provides tables for the sticky configuration.

The cslbxServerFarmStatsTable table in the CISCO-SLB-EXT-MIB provides details about the data available in the show serverfarm command output.

The cslbxServerFarmTable table provides details about the server farm state. It includes the following MIB objects:


• cslbxServerFarmStateChange

• cslbxServerFarmDwsCfgState

• cslbxServerFarmDwsOpState

The cslbxNotifObjects table contains information about the server farm state changes.

The cslbxVServerDwsCfgState object reports the configured state of the dynamic workload scaling (DWS) feature. Because a VIP can have more than one server farm, it is possible that either none or more than one server farm may have the DWS feature enabled. The possible values of the cslbxVServerDwsState object as follows:

• dwsCfgDisabled—None of the server farms has the feature configured under the VIP

• dwsCfgEnabled—At least one server farm has the feature enabled under the VIP

The cslbxVServerDwsOpState object represents the DWS operational state at the VIP level.

The following MIB objects for the ACE include non-SLB-related connections as well:

• cslbxStatsCurrConnections

• cslbxStatsTimedOutConnections

The server farm can change from the inactive to active state or active to inactive state. The reasons for changing from the active to inactive state are as follows:

• All the real servers are down.

• All real servers in a single server farm are out of service because the real server(s) reach the maximum connection or maximum load state, or have a probe failure or an ARP failure.

• The server farm reaches its partial limits.




OL-25343-01



CISCO-SLB-HEALTH-MON-CAPABILITY

Acts as an extension to the Cisco server load-balancing MIB (CISCO-SLB-MIB). It provides tables for the health probe configuration and statistics of the ACE appliance.

The cshMonSfarmRealProbeStatsTable and cslbxProbeCfgTable tables in the CISCO-SLB-HEALTH-MON-MIB provide details about the probe data available in the show probe detail command output.

CISCO-SSL-PROXY-MIB CISCO-SSL-PROXY-CAPABILITY

Manages a Secure Socket Layer (SSL) Proxy device which terminates and accelerates SSL and Transport Layer Security (TLS) transactions. The proxy device can act as a SSL server or a SSL client depending on the configuration and the application.

This MIB is used for monitoring the statistics of the proxy services and the protocols including TCP, SSL, and TLS.


CISCO-SYSLOG-EXT-CAPABILITY

Extends the CISCO-SLB-MIB, provides additional server farm configuration parameters (cslbxServerFarmTable), and configures and monitors system log (syslog) management parameters for the ACE appliance. Use this MIB to set up syslog servers and set logging severity levels.

Syslog is described by RFC 3164.

CISCO-SYSLOG-MIB CISCO-SYSLOG-CAPABILITY

Describes and stores the system messages (syslog messages) generated by the ACE appliance. The CISCO-SYSLOG-MIB provides access to the syslog messages through SNMP. The MIB also contains a history of syslog messages and objects to enable or disable the transmission of syslog notifications.

Note This MIB does not track messages that are generated from debug commands entered through the CLI.

Syslog is described by RFC 3164.

IF-MIB CISCO-IF-CAPABILITY Reports generic information on interfaces (for example, VLANs).

The IF-MIB is described in RFC 2863.

Note The Ethernet data port, Ethernet management port, and port-channel interfaces are available only in Admin context. In this case, the IF-MIB supports all the interfaces for Admin contexts, while each individual user context supports only VLAN and BVI interfaces.

IP-MIB CISCO-IP-CAPABILITY Defines managed objects for managing implementations of the IP and its associated Internet Control Message Protocol (ICMP), but excludes their management of IP routes.

The IP-MIB is described in RFC 4293.

SNMPv2-MIB CISCO-SNMPv2-CAPABILITY

Provides the Management Information Base for SNMPv2. The management protocol, SNMPv2, provides for the exchange of messages that convey management information between the agents and the management stations.

The SNMPv2-MIB is described in RFC 3418.




OL-25343-01


ACE Supported and Unsupported Tables and ObjectsTable 7-4 identifies the supported and unsupported tables and objects for each MIB used by the ACE.

TCP-MIB CISCO-TCP-STD-CAPABILITY

Defines managed objects for managing the implementation of the Transmission Control Protocol (TCP).

The TCP MIB is described in RFC 4022.

UDP-MIB CISCO-UDP-STD-CAPABILITY

Defines managed objects for managing implementation of the User Datagram Protocol (UDP).

The UDP MIB is described in RFC 4113.



Table 7-4 ACE MIB Table and Object Support

MIB Name Supported Tables and Objects Unsupported Tables and Objects

SNMPv2-MIB Scalar Objects:

sysDescr

sysName

sysLocation

sysContact

sysObjectID

sysServices

sysORLastChange

snmpInPkts

snmpOutPkts

snmpInBadVersions

snmpInBadCommunityNames

snmpInBadCommunityUses

snmpInASNParseErrs

snmpInTooBigs

snmpInNoSuchNames

snmpInBadValues

snmpInReadOnlys

snmpInGenErrs

snmpInTotalReqVars

snmpInTotalSetVars

snmpInGetRequests

snmpInGetNexts

All tables and objects are supported.


OL-25343-01


SNMPv2-MIB

(continued)

snmpInSetRequests

snmpInGetResponses

snmpInTraps

snmpOutTooBigs

snmpOutNoSuchNames

snmpOutBadValues

snmpOutGenErrs

snmpOutGetRequests

snmpOutGetNexts

snmpOutSetRequests

snmpOutGetResponses

snmpOutTraps

snmpEnableAuthenTraps

snmpSilentDrops

snmpProxyDrops

Tables:

sysORTable

SNMP-COMMUNITY-MIB

Tables:

snmpCommunityTable

snmpTargetAddrExtTable


SNMP-MPD-MIB Scalar Objects:

snmpUnknownSecurityModels

snmpInvalidMsgs

snmpUnknownPDUHandlers


SNMP-NOTIFICA-TION-MIB

Tables:

snmpNotifyTable

snmpNotifyFilterProfileTable

snmpNotifyFilterTable


SNMP-TARGET-MIB Scalar Objects:

snmpUnavailableContexts

snmpUnknownContexts

Tables:

snmpTargetAddrTable

snmpTargetParamsTable

Scalar Objects:

snmpTargetSpinLock

Table 7-4 ACE MIB Table and Object Support (continued)



OL-25343-01



Scalar Objects:

usmStatsUnsupportedSecLevels

usmStatsNotInTimeWindows

usmStatsUnknownUserNames

usmStatsUnknownEngineIDs

usmStatsWrongDigests

usmStatsDecryptionErrors

Tables:

usmUserTable

Scalar Objects:

usmUserSpinLock


Tables:

vacmContextTable

vacmSecurityToGroupTable

vacmAccessTable

Scalar Objects:

vacmViewSpinLock

CISCO-ENTITY-FRU-CONTROL-MIB

Tables:

cefcModuleTable

ENTITY-MIB Tables:

entPhysicalTable

Tables:

entLogicalTable

entLPMappingTable

entAliasMappingTable

entPhysicalContainsTable

Objects:

entPhysicalAlias

entPhysicalAssetID

entPhysicalMfgDate

ENTITY-SENSOR-MIB entPhySensorTable All tables and objects are supported.

IF-MIB Scalar Objects:

ifNumber

ifTableLastChange

Tables:

ifTable

ifXTable

Tables:

ifStackTable

ifRcvAddressTable

ifTestTable

Objects:

ifStackLastChange




OL-25343-01


IP-MIB Scalar Objects:

icmpInMsgs

icmpInErrors

icmpInDestUnreachs

icmpInTimeExcds

icmpInParmProbs

icmpInSrcQuenchs

icmpInRedirects

icmpInEchos

icmpInEchoReps

icmpInTimestamps

icmpInTimestampReps

icmpInAddrMasks

icmpInAddrMaskRepsicmp

OutMsg

icmpOutErrors

icmpOutDestUnreachs

icmpOutTimeExcds

icmpOutParmProbs

icmpOutSrcQuenchs

icmpOutRedirects

icmpOutEchos

icmpOutEchoReps

icmpOutTimestamps

icmpOutTimestampReps

icmpOutAddrMasks

icmpOutAddrMaskReps

Tables:

ipAddrTable

ipSystemStatsTable

ipIfStatsTable

icmpStatsTable

icmpMsgStatsTable

Tables:

ipNetToMediaTable

ipv4InterfaceTable

ipv6InterfaceTable

ipAddressTable

ipAddressPrefixTable

ipNetToPhysicalTable

ipDefaultRouterTable

ipv6RouterAdvertTable

ipv6ScopeZoneIndexTable

Objects:

ipSystemStatsInMcastOctets

ipSystemStatsHCInMcastOctet

ipSystemStatsOutMcastOctets

ipSystemStatsHCOutMcastOctets

ipIfStatsInMcastOctets

ipIfStatsHCInMcastOctets

ipIfStatsOutMcastOctets

ipIfStatsHCOutMcastOctets




OL-25343-01


TCP-MIB Scalar Objects:

tcpRtoAlgorithm

tcpRtoMin

tcpRtoMax

tcpMaxConn

tcpActiveOpens

tcpPassiveOpens

tcpAttemptFails

tcpEstabResets

tcpCurrEstab

tcpInSegs

tcpOutSegs

tcpRetransSegs

tcpInErrs

tcpOutRsts

Scalar Objects:

tcpHCInSegs

tcpHCOutSegs

Tables:

tcpConnTable

tcpConnectionTable

tcpListenerTable

UDP-MIB Scalar Objects:

udpInDatagrams

udpNoPorts

udpInErrors

udpOutDatagrams

Scalar Objects:

udpHCInDatagrams

udpHCOutDatagrams

Tables:

udpTable

udpEndpointTable

CISCO-PROCESS-MIB Tables:

cpmProcessTable

cpmCPUTotalTable

cpmProcessExtRevTable

Tables:

cpmProcessExtTable

cpmCPUThresholdTable

cpmCPUHistoryTable

cpmCPUProcessHistoryTable

Scalar Objects:

cpmCPUHistoryThreshold

cpmCPUHistorySize

Objects:

cpmCPUInterruptMonIntervalValue




OL-25343-01



Scalar Objects:

cseSyslogConsoleEnable

cseSyslogConsoleMsgSeverity

cseSyslogServerTableMaxEntries

cseSyslogTerminalEnable

cseSyslogTerminalMsgSeverity

Tables:

cseSyslogServerTable

Scalar Objects:

cseSyslogLogFileName

cseSyslogLogFileMsgSeverity

cseSyslogFileLoggingDisable

cseSyslogLinecardEnable

cseSyslogLinecardMsgSeverity

Tables:

cseSyslogMessageControlTable

CISCO-SYSLOG-MIB Scalar Objects:

clogNotificationsSent

clogNotificationsEnabled

clogMaxSeverity

clogMsgIgnores

clogMsgDrops

clogOriginIDType

clogOriginID

clogHistTableMaxLength

clogHistMsgsFlushed

Tables:

clogHistoryTable

Scalar Objects:

clogMaxservers

Tables:

clogServerConfigTable

CISCO-SYSTEM-MIB Scalar Objects:

csyClockDateAndTime

csyClockLostOnReboot

csyLocationCountry

Scalar Objects:

csySummerTimeStatus

csySummerTimeOffset

csySummerTimeRecurringStart

csySummerTimeRecurringEnd

csyScheduledResetTime

csyScheduledResetAction

csyScheduledResetReason

csySnmpAuthFail

csySnmpAuthFailAddressType

csySnmpAuthFailAddress

csyNotificationsEnable




OL-25343-01


CISCO-SLB-MIB Scalar Objects:

cSlbVServerStateChangeNotifEnabled

Tables:

slbStatsTable

slbServerFarmTable

slbVServerInfoTable

Scalar Objects:

cSlbVirtStateChangeNotifEnabled

cSlbRealStateChangeNotifEnabled

cSlbRealServerStateChangeNotifEnabled

Tables:

slbRealTable

slbVirtualServerTable

slbVServerTable

slbConnectionTable

slbVirtualClientTable

slbStickyObjectTable

slbDfpPasswordTable

slbDfpAgentTable

slbDfpRealTable

slbSaspTable

slbSaspAgentTable

slbSaspGroupTable

slbSaspMemberTable

slbSaspStatsTable

Unsupported Objects from slbStatsTable:

slbStatsUnassistedSwitchingPkts

slbStatsUnassistedSwitchingHCPks

slbStatsAssistedSwitchingPkts

slbStatsAssistedSwitchingHCPkts

slbStatsZombies

slbStatsHCZombies

Unsupported Objects from slbServer-FarmTable:

slbServerFarmPredictor

slbServerFarmNat

slbServerFarmBindId

Unsupported Objects from slbVServerInfoTa-ble:

slbVServerL4Decisions

slbVServerL7Decisions

slbVServerEstablishedConnections




OL-25343-01


CISCO-SLB-EXT-MIB Tables:

cslbxStatsTable

cslbxServerFarmTable

cslbxServerFarmProbeTable

cslbxServerFarmStatsTable

Scalar Objects:

cslbxServerFarmDwsCfgState

cslbxServerFarmDwsOpState

cslbxVServerDwsCfgState

cslbxVServerDwsOpState

(ACE module only) Scalar Objects:

cslbxServerFarmName

cslbxServerFarmState

cslbxServerFarmStateChangeDescr

cslbxServerFarmNumOfTimeFailOvers

cslbxServerFarmNumOfTimeBkInServs

Tables:

cslbxConnTable

cslbxRedirectSvrTable

cslbxSfarmHttpReturnCodeTable

cslbxNatPoolTable

cslbxStickyGroupTable

cslbxStickyObjectTable

cslbxStickyGroupExtTable

cslbxMapTable

cslbxHttpExpressionTable

cslbxHttpReturnCodeTable

cslbxPolicyTable

cslbxVirtualServerTable

cslbxRuleTable

cslbxVlanTable

cslbxAliasAddrTable

cslbxStaticRouteTable

cslbxFtTable

cslbxXmlConfigTable

cslbxOwnerTable

cslbxScriptFileTable

cslbxScriptTaskTable

Unsupported Objects from cslbxStatsTable:

cslbxStatsServerInitConns

cslbxStatsServerInitHCConns

cslbxStatsCurrServerInitConns

cslbxStatsFailedServerInitConns

cslbxStatsNoActiveServerRejects

Unsupported Objects from cslbxServer-FarmTable:

cslbxServerFarmClientNatPool

cslbxServerFarmHttpReturnCodeMap

(ACE appliance only) Unsupported Objects from cslbxServerFarmStatsTable:

cslbxServerFarmNumOfTimeFailOvers

cslbxServerFarmNumOfTimeBkInServs




OL-25343-01



Tables:

cslbxProbeCfgTable

cslbxProbeHeaderCfgTable

cslbxProbeHTTPCfgTable

cslbxProbeFTPCfgTable

cslbxProbeIMAPCfgTable

cshMonServerfarmRealProbe

StatsTable

cslbxDnsProbeIpTable

cslbxProbeSIPCfgTable

cslbxProbeTFTPCfgTable

cslbxProbeExpectStatusCfgTable

cshMonProbeTypeStatsTable

Unsupported objects from cslbxProbeCfgTable:

cslbxProbePassword

cslbxProbeSocketReuse

cslbxProbeSendDataType

cslbxProbePriority

Unsupported objects from

cslbxProbeHTTPCfgTable:

cslbxProbeHTTPCfgPersistence

Unsupported objects from

cshMonServerfarmRealProbeLastProbeTime:

cshMonServerfarmRealProbeLast

ActiveTime

cshMonServerfarmRealProbeLast

FailedTime

cshMonProbeInheritedPortType


Scalar Objects:

cesRealServerNotifEnable

cesRserverLocality

Tables:

cesRserverTable

cesServerFarmRserverTable

cesRserverProbeTable

Unsupported objects from cesServer-FarmRserverTable:

cesServerFarmRserverDroppedConns

Tables:

cesRealServerProbeTable


Tables:

cieIfNameMappingTable

Tables:

cieIfPacketStatsTable

cieIfInterfaceTable

cieIfStatusListTable

cieIfDot1qCustomEtherTypeTable

cieIfUtilTable

cieIfDot1dBaseMappingTable




OL-25343-01


CISCO-IP-PROTO-COL-FILTER-MIB

Tables:

cippfIpProfileTable

cippfIpFilterTable

cippfIpFilterStatsTable

Tables:

cippfIfIpProfileTable

cippfIpFilterExtTable

Unsupported Objects from cippfIpFilterTable:

cippfIpFilterSrcIPGroupName

cippfIpFilterDstIPGroupName

cippfIpFilterProtocolGroupName

cippfIpFilterSrcServiceGroupName

cippfIpFilterDstServiceGroupName

cippfIpFilterICMPGroupName


Scalar Objects:

cmVirtContextNotifEnable

Tables:

cmVirtualContextTable

cmVirtContextIfMapTable

Unsupported objects from cmVirtualContextTa-ble:

cmVirtContextURL

CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB

Tables:

ciscoL4L7ResourceClassTable

ciscoL4L7ResourceLimitTable

ciscoL4L7ResourceRateLimitTable

ciscoL4L7ResourceUsageSummaryTable

Scalar Objects:

clrResourceLimitReachedNotifEnabled

clrResourceRateLimitReachedNotifEnabled

CISCO-AAA-SERV-ER-MIB

Tables:

casConfigTable

Scalar Objects:

casServerStateChangeEnable

Tables:

casStatisticsTable

Unsupported Objects from casConfigTable:

casPriority




OL-25343-01



Scalar Objects:

cAAASvrExtSvrGrpSvrListMaxEnt

cAAASvrExtAppToSvrGrpMaxEnt

cAAASvrExtClearAccLog

cAAALoginAuthTypeMSCHAP

Tables:

cAAASvrExtConfigTable

cAAASvrExtProtocolParamTable

cAAASvrExtSvrGrpConfigTable

cAAASvrExtSvrGrpLDAPConfig

Table

cAAASvrExtAppSvrGrpConfig

Table

Scalar Objects:

cAAASvrExtLocalAccLogMaxSize

Unsupported Objects in cAAASvrExtConfig-Table:

cAAAServerDeadTime

cAAAServerIdleTime

cAAAServerTestUser

cAAAServerTestPassword

CISCO-LICENSE-MGR-MIB

Scalar Objects:

clmNotificationsEnable

clmNoOfLicenseFilesInstalled

clmNoOfLicensedFeatures

clmLicenseViolationWarnFlag

Tables:

clmLicenseFileContentsTable

clmLicenseFeatureUsageTable

clmFeatureUsageDetailsTable

Scalar Objects:

clmHostId

clmLicenseConfigSpinLock

clmLicenseFileURI

clmLicenseFileTargetName

clmLicenseConfigCommand

clmLicenseRequestCommandStatus

clmLicenseRequestSpinLock

clmLicenseRequestFeatureName

clmLicenseRequestAppName

clmLicenseRequestCommand

clmLicenseRequestCommandStatus

Unsupported Objects from clmLicenseFeature-UsageTable:

clmLicenseGracePeriod

clmLicenseEnabled

(ACE appliance only) CISCO-APPLICATION-ACCELERATION-MIB

Tables:

caaStatTable

Unsupported Objects from caaStatTable:

caaState

caaRequests

caaLastRestartedTime

caaRequestSize




OL-25343-01



Tables:

clrRedundancyInfoTable

clrPeerInfoTable

clrHAStatsTable

Scalar Objects:

clrStateChangeNotifEnabled

Tables:

clrRedundancyConfigTable

clrPeerConfigTable

clrLBStatsTable

Unsupported Objects from Objects clrRedun-dancyInfoTable:

clrRedundancyPriority

clrRedundancyStateChangeTime

Unsupported Objects from clrHAStatsTable:

clrHAStatsMissedHeartBeatMsgs

clrHAStatsRxUniDirectionalHeartBeatMsgs

clrHAStatsHeartBeatTimeout

Mismatches

clrHAStatsPeerUpEvents

clrHAStatsPeerDownEvents




OL-25343-01


CISCO-SSL-PROXY-MIB

Scalar Objects:

cspTlcFullHandShake

cspTlcResumedHandShake

cspS3cFullHandShake

cspS3cResumedHandShake

cspTlcHandShakeFailed

cspTlcDataFailed

cspS3cHandShakeFailed

cspS3cDataFailed

cspScActiveSessions

cspScConnInHandShake

cspScConnInDataPhase

cspScConnInReneg

(ACE module only) Scalar Objects:

cspNumOfSslInfoSuccessInserted

cspNumOfSslInfoFailedInserted

cspNumOfSpoofHttpHeaderDeleted

cspNumOfSslSessHeaderInserted

cspNumOfSslSessHeaderFailedInserted

cspNumOfSslServerCertHeaderInserted

cspNumOfSslServerCerHeaderFailedInserted

cspNumOfTimesSslHeaderTruncated

cspNumOfSslClientCertHeaderInserted

cspNumOfSslClientCertHeaderFailedInserted

cspCertNotYetValidRedirect

cspCertExpiredRedirect

cspIssuerCertNotFoundRedirect

cspCertRevokedRedirect

cspNoClientCertSentRedirect

cspNoCrlAvailableRedirect

cspCrlExpiredRedirect

cspCertSignatureFailedRedirect

cspOtherCertErrorRedirect

All remaining tables and objects are not supported.




OL-25343-01


ACE SNMP Notifications (Traps)Table 7-5 identifies the supported SNMP notifications (traps) for the ACE.

Note The clogOrigin ID and clogOriginIDType variable bindings are appended to each notification listed in Table 7-5 to identify from which chassis, slot, and context combination that the event trap has originated.

Table 7-5 SNMP Trap Support

Notification NameLocation of the Notification Description

authenticationFailure SNMPv2-MIB SNMP request fails because the NMS did not authenticate with the correct community string.

(ACE module only) cesRealServerStateUp


State of a real server configured in a server farm is up due to user intervention.

(ACE module only) cesRealServerStateDown


State of a real server configured in a server farm is down due to user intervention.

(ACE module only) cesRealServerStateChange


State of a real server configured in a server farm changed to a new state as a result of something other than a user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on.

(ACE appliance only) cesRealServerStateUpRev1


State of a real server configured in a server farm is up due to user intervention.The notification is sent with the following varbinds:

• cesRealServerName

• cesServerFarmRserverBackupPort

• cesServerFarmName

• cesServerFarmRserverAdminStatus

• cesServerFarmRserverOperStatus

• cesRserverIpAddressType

• cesRserverIpAddress

• cesServerFarmRserverDescr


OL-25343-01


(ACE appliance only) cesRealServerStateDownRev1


State of a real server configured in a server farm is down due to user intervention. The notification is sent with the following varbinds:






• cesServerFarmRserverStateDescr




(ACE appliance only) cesRealServerStateChangeRev1


State of a real server configured in a server farm changed to a new state as a result of something other than a user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on. The notification is sent with the following varbinds:






• cesServerFarmRserverStateDescr



• cesProbeName


cesRserverStateUp CISCO-ENHANCED-SLB-MIB

State of a global real server is up due to user intervention.

Note No separate cesRealServerStateUp (ACE module) or cesRealServerStateUpRev1 (ACE appliance) notifications are sent for each real server that listens on this rserver.

cesRserverStateDown CISCO-ENHANCED-SLB-MIB

State of a global real server is down due to user intervention.

Note No separate cesRealServerStateDown (ACE module) or cesRealServerStateDownRev1 (ACE appliance) notifications are sent for each real server that listens on this rserver.

Table 7-5 SNMP Trap Support (continued)



OL-25343-01


cesRserverStateChange CISCO-ENHANCED-SLB-MIB

State of a global real server changed to a new state as a result of something other than a user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on.

Note No separate cesRealServerStateChange (ACE module) or cesRealServerStateChangeRev1 (ACE appliance) notifications are sent for each real server that listens on this rserver.

cesRserverLocalityChange CISCO-ENHANCED-SLB-MIB

Locality of the global real server changed from local to remote or from remote to local. The notification is sent with the following varbinds:

• Real server name

• cesRserverLocality

ciscoSlbVServerVIPStateChange

CISCO-SLB-MIB.my State of Vserver changes. This notification is sent with the following var-binds:

• slbVServerState

• slbVServerStateChangeDescr

• slbVServerClassMap

• slbVServerPolicyMap

• slbVServerIpAddressType

• slbVServerIpAddress

• slbVServerProtocol

The change in the Vserver state could be due to different reasons, such as binding to the interface, removing an active server farm from the policy, and associating the virtual IP address (VIP) with a class map.

The ciscoSlbVServerVIPStateChange is specified in the CISCO-SLB-MIB.

ciscoSlbVServerStateChange CISCO-SLB-MIB.my Notification that a virtual IP address (VIP) is removed from a class map. This notification is also sent when the state of a virtual server has changed. The notification is sent with the following var-binds: slbVServerState

• slbVServerStateChangeDescr

• slbVServerClassMap

• slbVServerPolicyMap

The ciscoSlbVServerVIPStateChange notification will be sent when the configuration or association of the VIP address changes.

The ciscoSlbVServerStateChange is specified in the CISCO-SLB-MIB.




OL-25343-01


clogMessageGenerated CISCO-SYSLOG-MIB ACE generated one or more syslog messages.

clmLicenseExpiryNotify CISCO-LICENSE-MGR-MIB

Notification that an installed feature license expires.

clmLicenseFileMissingNotify


Notification that the system detects that one or more installed license files are missing.

clmLicenseExpiryWarningNotify CISCO-LICENSE-MGR-MIB

Notification that the system detects an installed feature license is about to expire.

clmNoLicenseForFeatureNotify


Notification that the system detects that no license is installed for a specific feature.

cmVirtContextAdded, cmVirtContextRemoved


Notification that you created or deleted an ACE user context, also referred as a virtual context.

cslbxServerFarmStateChange CISCO-SLB-EXT-MIB Notification that all real servers in a server farm are down and the server farm has changed state. The varbind contains the following details:

• cslbxServerFarmName


• cslbxServerFarmStateChangeDescr

• cslbxServerFarmNumOfTimeFailOvers

• cslbxServerFarmNumOfTimeBkInServs

cslbxServerFarmDwsOpStateChange

CISCO-SLB-EXT-MIB The load on a DWS-enabled server farm crossed the maximum or minimum thresholds. The ACE generates this notification whenever it either starts bursting traffic to the remote servers or it stops remote bursting and load balances only among the local VMs. The notification is sent with the following varbinds:

• Server farm name

• cslbxServerFarmDwsOpState

coldStart SNMPv2-MIB SNMP agent started after a cold restart (full power cycle) of the ACE.

linkUp, linkDown SNMPv2-MIB VLAN interface is up or down. A VLAN interface can be down, for example, if you specified the shut command followed by the no shut command, or the VLAN was removed from the switch configuration.

Note (ACE appliance only) The Ethernet data port, Ethernet management port, and port-channel interfaces are available only in Admin context. In this case, the linkUp and link Down notifications support all the interfaces for Admin contexts, while each individual user context supports only VLAN and BVI interfaces.




OL-25343-01

Chapter 7 Configuring SNMPDefault Settings for SNMP

Default Settings for SNMPTable 7-6 lists the default settings for the SNMP parameters.

Configuring SNMPThis section describes how to configure SNMP and includes the following topics:

• Task Flow for Configuring SNMP

• Configuring SNMP Users

• Defining SNMP Communities

• Configuring an SNMP Contact

• Configuring an SNMP Location

• Configuring SNMP Notifications

• Unmasking the SNMP Community Name and Community Security Name OIDs

• Assigning a Trap-Source Interface for SNMP Traps

• Accessing ACE User Context Data Through the Admin Context IP Address

• Configuring an SNMPv3 Engine ID for an ACE Context

• Configuring SNMP Management Traffic Services

Task Flow for Configuring SNMPFollow these steps to configure SNMP on the ACE:



The rest of the examples in this procedure use the Admin context, unless otherwise specified. For details on creating contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.

Table 7-6 Default SNMP Parameters

Parameter Default

SNMP notifications None defined or issued.

Implementation of linkUp and linkDown traps Cisco implementation of linkUp and linkDown traps to NMS is enabled (not the Internet Engineering Task Force (IETF) standards-based implementation).

SNMP engine ID for the Admin context and each user context

The ACE automatically creates the engine ID.

snmpCommunityName and snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB

These OIDs are masked by default.


OL-25343-01

Chapter 7 Configuring SNMPConfiguring SNMP



Step 3 Configure one or more SNMP users from the ACE CLI.

host1/Admin(config)# snmp-server user joe Network-Monitor auth sha abcd1234host1/Admin(config)# snmp-server user sam Network-Monitor auth md5 abcdefghhost1/Admin(config)# snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh

Step 4 Create an SNMP community and identify access privileges.

host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor

Step 5 Specify the contact name for the SNMP system.

host1/Admin(config)# snmp-server contact “User1 [email protected]”

Step 6 Specify the SNMP system location.

host1/Admin(config)# snmp-server location “Boxborough MA”

Step 7 Specify which host is to receive SNMP notifications.

host1/Admin(config)# snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500

Step 8 Enable the ACE to send SNMP traps and inform requests to the NMS.

host1/Admin(config)# snmp-server enable traps slb

Step 9 Create a class map that permits network management traffic to be received by the ACE based on the SNMP management protocol and client source IP address.

host1/Admin(config)# class-map type management match-all SNMP-ALLOW_CLASShost1/Admin(config-cmap-mgmt)# match protocol snmp source-address 172.16.10.0 255.255.255.254host1/Admin(config-cmap-mgmt)# exithost1/Admin(config)#

Step 10 Configure a policy map that activates the SNMP management protocol classifications.

host1/Admin(config)# policy-map type management first-match SNMP-ALLOW_POLICYhost1/Admin(config-pmap-mgmt)# class SNMP-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)# permithost1/Admin(config-pmap-mgmt-c)# exithost1/Admin(config-pmap-mgmt)# exithost1/Admin(config)#

Step 11 Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same context. For example, to specify an interface VLAN and apply the SNMP management policy map to the VLAN, enter:

host1/Admin(config)# interface vlan 50host1/Admin(config-if)# ip address 172.16.10.0 255.255.255.254host1/Admin(config-if)# service-policy input SNMP-ALLOW_POLICYhost1/Admin(config-if)# exit




OL-25343-01


Configuring SNMP UsersThis section describes how to configure SNMP users from the ACE CLI. User configuration includes information such as specifying the role group that the user belongs to, authentication parameters for the user, the authentication password, and message encryption parameters.

The ACE synchronizes the interactions between the user created by the username command and by the snmp-server user command; updates to a user through the ACE CLI are automatically reflected in the SNMP server. For example, deleting a user automatically results in the user being deleted for both SNMP and CLI. In addition, user-role mapping changes are reflected in SNMP.

Caution If you change the SNMP engine ID for an Admin or user context, all configured SNMP users become invalid. You must recreate all SNMP users by using the snmp-server user command in configuration mode. For more information on the SNMPv3 engine ID, see the “Configuring an SNMPv3 Engine ID for an ACE Context” section.



• The ACE supports a maximum of 28 SNMP users for each context.

• User configuration through the snmp-server user command is applicable for SNMPv3 only; SNMPv1 and SNMPv2c use a community string match for user authentication (see the “Defining SNMP Communities” section).


OL-25343-01


Detailed Steps

Command Purpose

Step 1 config

Example:host1/host1/Admin# confighost1/Admin(config)#


Step 2 snmp-server user user_name [group_name] [auth {md5 | sha} password1 [priv [aes-128] password2] [localizedkey]]

Example:host1/Admin(config)# snmp-server user joe Network-Monitor auth sha abcd1234

Configures SNMP user information.


• user_name—Username. Enter an unquoted text string with no space and a maximum of 24 alphanumeric characters.

• group_name—(Optional) User role group to which the user belongs. Enter Network-Monitor, the default group name and the only role that is supported.

Note Only network monitoring operations are supported through the ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Virtualization Guide, Cisco ACE Application Control Engine.

• auth—(Optional) Sets authentication parameters for the user. Authentication determines that the message is from a valid source.

• md5—Specifies the HMAC Message Digest 5 (MD5) encryption algorithm for user authentication.

• sha—Specifies the HMAC Secure Hash Algorithm (SHA) encryption algorithm for user authentication.


OL-25343-01


Examples

The following example shows how to set the SNMP user information:

host1/Admin# configEnter configuration commands, one per line. End with CNTL/Z

snmp-server user user_name [group_name] [auth {md5 | sha} password1 [priv [aes-128] password2] [localizedkey]]

(continued)

• password1—User authentication password. Enter an unquoted text string with no space and a maximum of 130 alphanumeric characters. The ACE automatically synchronizes the SNMP authentication password as the password for the CLI user. The ACE supports the following special characters in a password:

, . / = + - ^ @ ! % ~ # $ * ( )


• localizedkey—(Optional) Specifies that the password is in a localized key format for security encryption.

• priv—(Optional) Specifies encryption parameters for the user. The priv option and the aes-128 option indicate that this privacy password is for generating 128-bit AES key.

• aes-128—Specifies the 128-byte Advanced Encryption Standard (AES) algorithm for privacy. AES is a symmetric cipher algorithm and is one of the privacy protocols for SNMP message encryption. It conforms with RFC 3826.

Note For an SNMPv3 operation using the external AAA server, user configurations on this server require AES for SNMP PDU encryption.

• password2—Encryption password for the user. The AES priv password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 alphanumeric characters. If you use the localized key, you can specify a maximum of 130 alphanumeric characters. Spaces are not allowed. The ACE supports the following special characters in a password:

, . / = + - ^ @ ! % ~ # $ * ( )


no snmp-server user user_name [group_name] [auth {md5 | sha} password1 [priv [aes-128] password2] [localizedkey]]

Example:host1/Admin(config)# no snmp-server user joe Network-Monitor auth sha abcd1234

(Optional) Disables the SNMP user configuration or removes an SNMP user.




Command Purpose


OL-25343-01


host1/Admin(config)# snmp-server user sam Network-Monitor auth md5 abcdefghhost1/Admin(config)# snmp-server user Bill Network-Monitor auth sha abcd1234 priv abcdefgh

Defining SNMP CommunitiesThis section describes how to create or modify SNMP community names and access privileges. Each SNMP device or member is part of a community. An SNMP community determines the access rights for each SNMP device. SNMP uses communities to establish trust between managers and agents.

You supply a name to the community. After that, all SNMP devices assigned to that community as members have the same access rights (as described in RFC 2576). The ACE allows read-only access to the MIB tree for devices included in this community. The read-only community string allows a user to read data values, but prevents that user from modifying modify the data.

Caution If you change the SNMP engine ID for an Admin or user context, all configured SNMP communities are deleted. You must recreate all SNMP communities by using the snmp-server community command in configuration mode. For more information on the SNMPv3 engine ID, see the “Configuring an SNMPv3 Engine ID for an ACE Context” section.


This topics contains the following restrictions:

• SNMP communities are applicable for SNMPv1 and SNMPv2c only. SNMPv3 requires user configuration information such as specifying the role group that the user belongs to, authentication parameters for the user, authentication password, and message encryption parameters (see the “Configuring SNMP Users” section).

• Only network monitoring operations are supported through the ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Virtualization Guide, Cisco ACE Application Control Engine.


OL-25343-01


Detailed Steps

Configuring an SNMP Contact This section describes how to specify the contact information for the SNMP system.


You can specify information for one contact name only.

Command Purpose

Step 1 config



Step 2 snmp-server community community_name [group group_name | ro]

Example:host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitor

Creates or modifies SNMP community names and access privileges.


• community_name—SNMP community name for this system. Enter an unquoted text string with no space and a maximum of 32 alphanumeric characters.

• group group_name—(Optional) Identifies the role group to which the user belongs. Enter Network-Monitor, the default group name and the only role that is supported.

Note Only network monitoring operations are supported through the ACE implementation of SNMP. In this case, all SNMP users are automatically assigned the system-defined default group of Network-Monitor. For details on creating users, see the Virtualization Guide, Cisco ACE Application Control Engine.

• ro—(Optional) Allows read-only access for this community.

no snmp-server community community_name [group group_name | ro]

Example:host1/Admin(config)# no snmp-server community SNMP_Community1 group Network-Monitor

(Optional) Removes an SNMP community.





OL-25343-01


Detailed Steps

Configuring an SNMP LocationThis section describes how to specify the SNMP system location.


You can specify one location only.

Detailed Steps

Command Purpose

Step 1 config



Step 2 snmp-server contact contact_information

Example:host1/Admin(config)# snmp-server contact “User1 [email protected]”

Specifies the contact information for the SNMP system.

Enter the contact_information argument as a text string with a maximum of 240 alphanumeric characters, including spaces. If the string contains more than one word, enclose the string in quotation marks (“ ”). You can include information on how to contact the person; for example, you can provide a phone number or an e-mail address.

no snmp-server contact

Example:host1/Admin(config)# snmp-server contact

(Optional) Removes the SNMP contact name.




Command Purpose

Step 1 config



Step 2 snmp-server location location

Example:host1/Admin(config)# snmp-server location “Boxborough MA”

Specifies the SNMP system location.

Enter the location argument as the physical location of the system. Enter a text string with a maximum of 240 alphanumeric characters, including spaces. If the string contains more than one word, enclose the string in quotation marks (“ ”).


OL-25343-01


Configuring SNMP NotificationsThis section describes how to configure the ACE to send traps or inform requests as notifications to an SNMP manager when a particular event occurs. In some instances, traps are unreliable because the receiver does not send any acknowledgment when it receives a trap. The sender cannot determine if the trap was received. However, an SNMP manager that receives inform requests acknowledges the message with an SNMP Response PDU. If the sender never receives a Response, the inform request is normally retransmitted. Inform requests are more likely to reach their intended destination.

Use the SNMP-TARGET-MIB to obtain more information on the destinations to which notifications are to be sent either as traps or as SNMP inform requests. See the ACE SNMP Notifications (Traps) section for details.


• Configuring SNMP Notification Hosts

• Enabling SNMP Notifications

• Enabling the IETF Standard for SNMP linkUp and linkDown Traps

Configuring SNMP Notification Hosts

This section describes how to specify which host receives SNMP notifications.



• To send notifications, you must specify at least one host to receive SNMP notifications.

• The ACE supports a maximum of 10 SNMP hosts per context.

no snmp-server location

Example:host1/Admin(config)# no snmp-server location

Removes the SNMP system location information.




Command Purpose


OL-25343-01


Detailed Steps

Command Purpose

Step 1 config



Step 2 snmp-server host host_address [informs | traps] [version {1 | 2c | {3 auth | noauth | priv}] community-string_username [udp-port number]

Example:host1/Admin(config)# snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500

Specifies which host receives SNMP notifications.


• host_address—IP address of the host (the targeted recipient). Enter the address in dotted-decimal notation (for example, 192.168.11.1).

• informs—(Optional) Sends SNMP inform requests to the identified host, which allows for manager-to-manager communication. Inform requests can be useful when the need arises for more than one NMS in the network.

• traps—(Optional) Sends SNMP traps to the identified host. A trap is the method for an agent to tell the NMS that a problem has occurred. The trap originates from the agent and is sent to the trap destination, as configured within the agent itself. Typically the trap destination is the IP address of the NMS.

• version 1 | 2c | 3—(Optional) Specifies the version of SNMP used to send the traps. SNMPv3 is the most secure model because it allows packet encryption with the priv keyword. To specify a version, enter one of the following:

– 1—Specifies SNMPv1. This option is not available for use with SNMP inform requests.

– 2c—Specifies SNMPv2C.

– 3—Specifies SNMPv3.

When you enter 3 for SNMPv3, enter one of the following keywords:

• auth—Enables Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) packet authentication.

• noauth—Specifies the noAuthNoPriv security level.

• priv—Enables Data Encryption Standard (DES) packet encryption (privacy).

• community-string_username—SNMP community string or username with the notification operation. Enter an unquoted text string with no space and a maximum of 32 alphanumeric characters.

• udp-port number—(Optional) Specifies the UDP port of the host to use. The default is 162. Enter a number from 0 to 65535.


OL-25343-01


Enabling SNMP Notifications

This section describes how to enable the ACE to send SNMP notification traps and inform requests to the NMS. Notification traps and inform requests are system alerts that the ACE generates when certain events occur. SNMP notifications can be sent to the NMS as traps or inform requests. By default, no SNMP notification is defined or issued.



• To configure the ACE to send the SNMP notifications, specify at least one snmp-server enable traps command. To enable multiple types of notifications, you must enter a separate snmp-server enable traps command for each notification type and notification option. If you enter the command without any keywords, the ACE enables all notification types and traps.

• The notification types used in the snmp-server enable traps command all have an associated MIB object that globally enables or disables them. However, not all of the notification types available in the snmp-server host command have notificationEnable MIB objects, so some of the notification types cannot be controlled by using the snmp-server enable command.

Prerequisites

The snmp-server enable traps command is used with the snmp-server host command (see the “Configuring SNMP Notification Hosts” section). The snmp-server host command specifies which host receives the SNMP notifications. To send notifications, you must configure at least one SNMP server host.

no snmp-server host host_address {community-string_username | informs | traps | version {1{udp-port} | 2c {udp-port} | 3 [auth | noauth | priv]}}

Example:host1/Admin(config)# no snmp-server host 192.168.1.1 traps version 2c SNMP_Community1 udp-port 500

Removes the specified host.




Command Purpose


OL-25343-01


Detailed Steps

Command Purpose

Step 1 config



Step 2 snmp-server enable traps [notification_type] [notification_option]

Example:host1/Admin(config)# snmp-server enable traps slb real

Enables the ACE to send SNMP traps and informs to the NMS.


• notification_type—(Optional) Type of notification to enable. If no type is specified, the ACE sends all notifications. Specify one of the following keywords as the notification_type:

– license—Sends SNMP license manager notifications. This keyword appears only in the Admin context.

– slb—Sends server load-balancing notifications. When you specify the slb keyword, you can specify a notification_option value.

– snmp—Sends SNMP notifications. When you specify the snmp keyword, you can specify a notification_option value.

– syslog—Sends error message notifications (Cisco Syslog MIB).

Note To enable system messages to be sent as traps to the NMS, you can specify the logging history command. You specify the level of messages to be sent with the logging history level command. You must also enable syslog traps by using the snmp-server enable traps command. See the System Message Guide, Cisco ACE Application Control Engine for details.

– virtual-context—Sends virtual context (ACE user context) change notifications. This keyword appears only in the Admin context.


OL-25343-01


Examples

The following example shows how to enable the ACE to send server load-balancing traps to the host at IP address 192.168.1.1 using a community string:

host1/Admin(config)# snmp-server host 192.168.1.1host1/Admin(config)# snmp-server community SNMP_Community1 group Network-Monitorhost1/Admin(config)# snmp-server enable traps slb real

Enabling the IETF Standard for SNMP linkUp and linkDown Traps

This section describes how to configure the ACE to send the Internet Engineering Task Force (IETF) standards-based implementation for linkUp and linkDown traps (as outlined in RFC 2863) rather than send the Cisco implementation of linkUp and linkDown traps to the NMS. By default, the ACE sends

snmp-server enable traps [notification_type] [notification_option]

(continued)

• notification_option—(Optional) Enables the following SNMP notifications:

– When you specify the snmp keyword, specify the authentication, coldstart, linkdown, or linkup keyword to enable SNMP notifications. This selection generates a notification if the community string provided in the SNMP request is incorrect, or when a VLAN interface is either up or down. The coldstart keyword appears only in the Admin context.

– When you specify the slb keyword, specify the real, serverfarm, or vserver keyword to enable server load-balancing notifications. This selection generates a notification if the following state change occurs:

The real server changes state (up or down) due to user intervention, ARP failures, or probe failures.

The server farm changes state because all real servers in the server farm are down.

The virtual server changes state (up or down). The virtual server represents the servers behind the content switch in the ACE to the outside world and consists of the following attributes: the destination address (can be a range of IP addresses), the protocol, the destination port, or the incoming VLAN.

no snmp-server enable traps [notification_type] [notification_option]

Example:host1/Admin(config)# no snmp-server enable traps slb real

Disables SNMP server notifications.




Command Purpose


OL-25343-01


the Cisco implementation of linkUp and linkDown traps to the NMS. The ACE sends the Cisco Systems IF-MIB variable bindings, which consists of ifIndex, ifAdminStatus, ifOperStatus, ifName, ifType, clogOriginID, and clogOriginIDType.

Note The Cisco variable bindings are sent by default. To receive RFC 2863-compliant traps, you must specify the snmp-server trap link ietf command.

Detailed Steps

Unmasking the SNMP Community Name and Community Security Name OIDsThis section describes how to unmask the snmpCommunityName and snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB. These OIDs are masked by default.

Detailed Steps

Command Purpose

Step 1 config



Step 2 snmp-server trap link ietf

Example:host1/Admin(config)# snmp-server trap link ietf

Configures the ACE to send the Internet Engineering Task Force (IETF) standards-based implementation for linkUp and linkDown traps.

no snmp-server trap link ietf

Example:host1/Admin(config)# no snmp-server trap link ietf

Reverts to the Cisco implementation of linkUp and linkDown traps.




Command Purpose

Step 1 config



Step 2 snmp-server unmask-community

Example:host1/host1/Admin(config)# snmp-server unmask-community

Unmasks the snmpCommunityName and snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB.


OL-25343-01


Assigning a Trap-Source Interface for SNMP TrapsThis section describes how to specify the VLAN interface or the Ethernet management port interface (ACE module Admin context only) that is the trap source address contained in the SNMP v1 trap PDU.



• If you do not configure the snmp-server trap-source command, the ACE takes the source IP address from the internal routing table, which is dependent on the destination host address where the notification is to be sent.

• If you specify a VLAN number of an interface that does not have a valid IP address, the ACE fails in sending notifications for SNMP v1 traps.

• The ACE restricts you from selecting the VLAN number of the FT VLAN interface that has been specified between redundant ACEs as the trap source address contained in the SNMP v1 trap PDU.

no snmp-server unmask-community

Example:host1/Admin(config)# no snmp-server unmask-community

(Optional) Masks the snmpCommunityName and snmpCommunitySecurityName OIDs.




Command Purpose


OL-25343-01


Detailed Steps

Accessing ACE User Context Data Through the Admin Context IP AddressThis section describes how SNMP managers can send requests to a context by using the IP address to get the data that corresponds to the context.The ACE Admin context and each ACE user context has its own IP address. The SNMP agent supports a community string for SNMPv1 and SNMPv2 and a username for SNMPv3 on a per-context basis.

You can also retrieve data for user contexts by using the IP address for the Admin context. The Admin context credentials also allow access to user context data, such as performance and configuration information.


• Accessing User Context Data When Using SNMPv1/v2

• Accessing User Context Data When Using SNMPv3


Notifications for user contexts cannot be sent through the Admin context.

Command Purpose

Step 1 config



Step 2 snmp-server trap-source vlan number

Example:host1/Admin(config)# snmp-server trap-source vlan 50

Specifies one of the following interface types that is the trap source address contained in the SNMP v1 trap PDU

Specifies the VLAN interface or the Ethernet management port interface (ACE module, admin context only) that is the trap source address contained in the SNMP v1 trap PDU.

The number argument specifies the number of the VLAN interface that is the trap source address contained in the SNMP v1 trap PDU. Enter a value from 2 to 4094 for an existing VLAN interface.

Note (ACE appliance only) The ACE now restricts you from selecting the VLAN number of the FT VLAN interface that has been specified between redundant ACE appliances as the trap source address contained in the SNMP v1 trap PDU.

no snmp-server trap-source vlan number

Example:host1/Admin(config)# no snmp-server trap-source vlan 50

(Optional) Removes the specified VLAN interface that is trap source address contained in the SNMP v1 trap PDU.





OL-25343-01


Accessing User Context Data When Using SNMPv1/v2

This section describes how with SNMPv1/v2, you can access MIBs available for a user context through an Admin context IP address by specifying the appropriate SNMP version, the Admin context IP address, and the Admin context community string embedded with the name of the user context. The format for the community string is as follows:

admin_community_string@ACE_context_name

The ACE_context_name can be Admin or any ACE user context. If you do not specify a context name, the request is for the Admin context.

Examples

The following example shows how to return data for user context C1 when the Admin context has a configured community string of adminCommunity and an IP address of 10.6.252.63:

snmpget -v2c -c adminCommunity@C1 10.6.252.63 udpDatagrams.0

Accessing User Context Data When Using SNMPv3

This section describes how with SNMPv3, you can access MIBs for a user context through an Admin context IP address by using the Admin context IP address, the appropriate SNMP version, the Admin context username, and the user context name supported by the Admin context in the SNMPv3 packet. The ACE uses the user context name in the SNMPv3 context field of the request.

Note The SNMPv3 engine represents a logically separate SNMP agent. The ACE automatically creates an SNMP engine ID for each context or you can configure it. For more information on configuring an SNMPv3 engine ID, see the “Configuring an SNMPv3 Engine ID for an ACE Context” section.

Examples

The following example shows how to return data from user context C2 when the Admin context has a configured SNMP user snmpuser and an IP address of 10.6.252.63:

snmpgetnext -v 3 - a MD5 -A cisco123 -u snmpuser -1 authNoPriv 10.6.252.63 system -n C2

The ACE uses the user context C2 in place of the SNMPv3 context field in the request.

Note The SNMPv3 request is dropped if the request is sent to the IP address of the user context with a SNMPv3 context name field set to an empty string (“”).

Configuring an SNMPv3 Engine ID for an ACE ContextThis section describes how to configure an SNMP engine ID for the Admin or user context. By default, the ACE automatically creates an SNMP engine ID for the Admin context and each user context. The SNMP engine represents a logically separate SNMP agent. The IP address for an ACE context provides access to only one SNMP engine ID.


OL-25343-01


Caution If you change the SNMP engine ID for an Admin or user context, all configured SNMP users become invalid and all SNMP communities are deleted. You must recreate all SNMP users by using the snmp-server user command in configuration mode, and recreate all SNMP communities by using the snmp-server community command in configuration mode (see the “Defining SNMP Communities” section).

Detailed Steps

Configuring SNMP Management Traffic ServicesThis section describes how to configure SNMP management traffic to and from the ACE through the use of class maps, policy maps, and service policies. The following items summarize the role of each function in configuring remote network management access to the ACE:

• Class map—Provides the remote network traffic match criteria to permit SNMP management traffic based on the SNMP management protocol and the client source IP address.

• Policy map—Enables remote network management access for a traffic classification that matches the criteria listed the class map.

• Service policy—Activates the policy map, and attaches the traffic policy to a VLAN interface or globally on all VLAN interfaces.

This section provides an overview on creating a class map, policy map, and service policy for SNMP access.

SNMP remote access sessions are established to the ACE per context. For details on creating contexts and users, see the Virtualization Guide, Cisco ACE Application Control Engine.

Command Purpose

Step 1 config



Step 2 snmp-server engineid number

Example:host1/Admin(config)# snmp-server engineID 88439573498573888843957349857388

Configures the SNMP engine ID for an ACE context.

The number argument is the SNMPv3 engine ID that you want to configure. Enter a range of 10 to 64 hexadecimal digits.

no snmp-server engineid number

Example:host1/Admin(config)# snmp-server engineID 88439573498573888843957349857388

(Optional) Resets the default engine ID for an ACE context.

Step 3 do show snmp engineID

Example:host1/Admin(config)# do show snmp engineID

(Optional) Displays the engine ID for a context.





OL-25343-01



• Creating and Configuring a Layer 3 and Layer 4 Class Map

• Creating a Layer 3 and Layer 4 Policy Map



Creating and Configuring a Layer 3 and Layer 4 Class Map

This section describes how to create a Layer 3 and Layer 4 class map to classify the SNMP management traffic that can be received by the ACE. This class map allows the ACE to receive the network management traffic by identifying the incoming IP protocols that the ACE can receive and the client source host IP address and subnet mask as the matching criteria. The class map also defines the allowed network traffic as a form of management security for protocols such as SNMP.

A class map can have multiple match commands. You can configure class maps to define multiple SNMP management protocol and source IP address commands in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the ACE evaluates multiple match statements operations when multiple match criteria exist in a class map.

Detailed Steps

Command Purpose

Step 1 config




Example:host1/Admin(config)# class-map type management match-all SNMP-ALLOW_CLASShost1/Admin(config-cmap-mgmt)#

Create a Layer 3 and Layer 4 class map to classify the SNMP management traffic that can be received by the ACE.


• match-all | match-any—(Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:

– match-all —(Default) All of the match criteria listed in the class map match the network traffic class in the class map (typically, match commands of the same type).

– match-any—Only one of the match criteria listed in the class map matches the network traffic class in the class map (typically, match commands of different types).

• map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

This command enters the class map management configuration mode.


OL-25343-01



Example:host1/Admin(config)# no class-map type management match-all SNMP-ALLOW_CLASS

(Optional) Removes a Layer 3 and Layer 4 SNMP protocol management class map from the ACE.


Example:host1/Admin(config-cmap-mgmt)# description Allow SNMP access


The text argument is the description that you want to provide. Enter an unquoted text string with a maximum of 240 alphanumeric characters.

no description


(Optional) Remove the description from the class map.

Step 4 [line_number] match protocol snmp {any | source-address ip_address mask}

Example:host1/Admin(config-cmap-mgmt)# match protocol snmp source-address 192.168.10.1 255.255.255.0

Configures the class map to specify that SNMP can be received by the ACE and an NMS. You configure the associated policy map to permit SNMP access to the ACE. As part of the network management access traffic classification, you also specify either a client source host IP address and subnet mask as the matching criteria or instruct the ACE to allow any client source address for the management traffic classification.


• line_number—(Optional) Line number to identify individual match commands to help you edit or delete them. Enter an integer from 2 to 255. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.

• any—Specifies any client source address for the management traffic classification.

• source-—Specifies a client source host IP address and subnet mask as the network traffic matching criteria. As part of the classification, the ACE implicitly obtains the destination IP address from the interface on which you apply the policy map.

• ip_address—Source IP address of the client.

• mask—Subnet mask of the client in dotted-decimal notation (for example, 255.255.255.0).

no match protocol snmp

Example:host1/Admin(config-cmap-mgmt)# no match protocol snmp

(Optional) Deselects the specified SNMP protocol match criteria from the class map.


Example:host1/Admin(config-cmap-mgmt)# do copy running-config startup-config


Command Purpose


OL-25343-01


Creating a Layer 3 and Layer 4 Policy Map

This section describes how to create a Layer 3 and Layer 4 policy map that defines the actions executed on SNMP network management traffic that matches the specified classifications.

Detailed Steps

Command Purpose

Step 1 config




Example:host1/Admin(config)# policy-map type management first-match SNMP-ALLOW_POLICYhost1/Admin(config-pmap-mgmt)#

Configures a Layer 3 and Layer 4 policy map that permits the ACE to receive the SNMP management protocol. The ACE executes the action for the first matching classification. The ACE does not execute any additional actions.


This command enters the policy map management configuration mode.


Example:host1/Admin(config)# no policy-map type management first-match SNMP-ALLOW_POLICY

(Optional) Removes a network traffic management policy map from the ACE.


OL-25343-01



Example:host1/Admin(config-pmap-mgmt)# class SNMP-ALLOW_CLASS host1/Admin(config-pmap-mgmt-c)#

Specifies a Layer 3 and Layer 4 traffic class created with the class-map command to associate network traffic with the traffic policy.

The arguments keywords, and options are as follows:



• class-default—Specifies the class-default class map for the Layer 3 and Layer 4 traffic policy. This class map is a reserved class map created by the ACE. You cannot delete or modify this class. All network traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match, the ACE then matches the action specified under the class class-default command. The class-default class map has an implicit match any statement in it and is used to match any traffic classification.

• class-default-v6—Specifies the IPv6 class-default class map for the Layer 3 and Layer 4 traffic policy. This class map is a reserved class map created by the ACE. You cannot delete or modify this class. All IPv6 network traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match, the ACE then matches the action specified under the class class-default-v6 command. The class-default-v6 class map has an implicit match any statement in it and is used to match any IPv6 traffic classification.



Example:host1/Admin(config-cmap-mgmt)# no class SNMP-ALLOW_CLASS

(Optional) Removes a class map from a Layer 3 and Layer 4 policy map.

Step 4 permit


Enables the network management traffic listed in the Layer 3 and Layer 4 class map to be received by the ACE.

Command Purpose


OL-25343-01


Examples

The following example shows how to use the insert-before command to define the sequential order of two class maps in the policy map:

host1/Admin(config-pmap-mgmt)# class L4_SSH_CLASS insert-before L4_REMOTE_ACCESS_CLASS


This section describes how to apply an existing policy map globally to all VLAN interfaces in the same context.






The ACE allows only one policy of a specific feature type to be activated on a given interface.

deny

Example:host1/Admin(config-pmap-mgmt-c)# deny

(Optional) Enables the network management traffic listed in the Layer 3 and Layer 4 class map to be rejected by the ACE.




Command Purpose


OL-25343-01


Detailed Steps


This section describes how to apply an existing policy map to a specific VLAN interface. A policy activated on an interface overwrites any specified global policies for overlapping classification and actions.



The ACE allows only one policy of a specific feature type to be activated on a given interface.

Command Purpose

Step 1 config




Example:host1/Admin(config)# service-policy input SNMP_MGMT_ALLOW_POLICY

Globally applies the SNMP management policy map to all of the VLANs associated with a context.


• input—Specifies that the traffic policy is to be attached to the input direction of an interface. The traffic policy evaluates all traffic received by that interface.

• policy_name—Name of a previously defined policy map, configured with a previously created policy-map command. The name can be a maximum of 40 alphanumeric characters.

If you are applying the policy map globally to all of the VLANs associated with a context


Example:host1/Admin(config)# no service-policy input SNMP_MGMT_ALLOW_POLICY

(Optional) Removes the SNMP management policy map from all of the VLANs associated with a context.

When you remove a policy, the ACE automatically resets the associated service policy statistics to provide a new starting point for the service policy statistics the next time that you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.





OL-25343-01

Chapter 7 Configuring SNMPDisplaying SNMP and Service Policy Statistics

Detailed Steps

Displaying SNMP and Service Policy Statistics This section describes how to display SNMP statistics and configuration information, and service policy statistics in the following topics:

• Displaying SNMP Statistics and Configuration Information

• Displaying SNMP and Service Policy Statistics

Command Purpose

Step 1 config





Specifies an interface VLAN.

The number argument is the number for a VLAN assigned to the ACE

This command enters the interface configuration mode commands for the VLAN.

Step 3 ip address

Example:host1/Admin(config-if)# ip address 172.20.1.100 255.255.0.0

Specifies the VLAN IP address.


Example:host1/Admin(config-if)# service-policy input SNMP_MGMT_ALLOW_POLICY

Applies the SNMP management policy map to the VLAN.





Example:host1/Admin(config-if)# no service-policy input SNMP_MGMT_ALLOW_POLICY

(Optional) Removes the SNMP management policy from an interface VLAN.






OL-25343-01


Displaying SNMP Statistics and Configuration InformationTo display SNMP statistics and configuration information, use the following show commands:

Command Purpose

show snmp [community | engineID | group | host | sessions | user]

Displays SNMP statistics and configured SNMP information. By default, this command displays the ACE contact, ACE location, packet traffic information, community strings, and user information. Table 7-7 describes the fields in the show snmp command output.

You can instruct the ACE to display specific SNMP information by including the appropriate keyword.


• community—(Optional) Displays SNMP community strings. Table 7-8 describes the fields in the show snmp community command output.

• engineID—(Optional) Displays the identification of the local SNMP engine and all remote engines that have been configured on the ACE. Table 7-9 describes the fields in the show snmp engineID command output.

• group—(Optional) Displays the names of groups on the ACE, the security model, the status of the different views, and the storage type of each group. Table 7-10 describes the fields in the show snmp group command output.

• host—(Optional) Displays the configured SNMP notification recipient host, User Datagram Protocol (UDP) port number, user, and security model. Table 7-11 describes the fields in the show snmp host command output.

• sessions—(Optional) Displays the IP address of the targets for which traps or informs have been sent. Table 7-12 describes the fields in the show snmp sessions command output.

• user—(Optional) Displays SNMPv3 user information. Table 7-13 describes the fields in the show snmp user command output.

Table 7-7 Field Descriptions for the show snmp Command Output

Field Description

Sys contact Contact name for the SNMP system

Sys location SNMP system location

SNMP packets input Total number of SNMP packets received by the ACE

Bad SNMP versions Number of packets with an invalid SNMP version

Unknown community name Number of SNMP packets with an unknown community name

Illegal operation for community name supplied

Number of packets that request an operation not allowed for that community

Encoding errors Number of SNMP packets that were improperly encoded

Number of requested variables Number of variables requested by SNMP managers

Number of altered variables Number of variables altered by SNMP managers


OL-25343-01


Get-request PDUs Number of get requests received

Get-next PDUs Number of get-next requests received

Set-request PDUs Number of set requests received

SNMP packets output Total number of SNMP packets sent by the ACE

Too big errors Number of SNMP packets that were larger than the maximum packet size

No such name errors Number of SNMP requests that specified a MIB object that does not exist

Bad values errors Number of SNMP set requests that specified an invalid value for a MIB object

General errors Number of SNMP set requests that failed due to some other error, such as a noSuchName error, badValue error, or any of the other specific errors

Community SNMP community name for the ACE

Group/Access Access rights for the community, read-only

User String that identifies the name of the SNMP user Auth Authentication of a packet without encryption

Priv Authentication of a packet with encryption

Group User role group to which the user belongs

Table 7-8 Field Descriptions for the show snmp community Command Output

Field Description

Community SNMP community name for the ACE. Since the output of the show snmp community command is sorted on an index that is a randomly-generated string, the communities are not displayed in any given order.

Group/Access Access rights for the community, read-only.

Table 7-9 Field Descriptions for the show snmp engineID Command Output

Field Description

Local SNMP engineID Identification number of the local SNMP engine on the ACE

Table 7-10 Field Descriptions for the show snmp group Command Output

Field Description

Group name Name of the SNMP group or collection of users that have a common access policy

Security model Security model used by the group, either v1, v2c, or v3

Security level Security level used by the group

Read view String that identifies the read view of the group

Write view String that identifies the write view of the group

Notify view String that identifies the notify view of the group

Table 7-7 Field Descriptions for the show snmp Command Output (continued)

Field Description


OL-25343-01


Storage-type Status of whether the settings have been set in volatile or temporary memory on the device or in nonvolatile or persistent memory where settings will remain after the device has been turned off and on again

Row status Indicates whether the Row status for the SNMP group is active or inactive

Table 7-11 Field Descriptions for the show snmp host Command Output

Field Description

Host IP address of the target host

Port UDP port number to which notifications will be sent

Version Version of SNMP used to send the trap, either v1, v2c, or v3

Level Method for authentication and privacy

Type Type of notification configured

SecName Security name for scanning the target host

Table 7-12 Field Descriptions for the show snmp sessions Command Output

Field Description

Destination IP address of a target for which traps or informs have been sent

Table 7-13 Field Descriptions for the show snmp user Command Output

Field Description

User String identifying the name of the SNMP user

Auth Authentication of a packet without encryption

Priv Authentication of a packet with encryption

Group User role group to which the user belongs

Table 7-10 Field Descriptions for the show snmp group Command Output (continued)

Field Description


OL-25343-01

Chapter 7 Configuring SNMPExample of an SNMP Configuration

Displaying or Clearing SNMP Service Policy StatisticsTo display or clear the statistical information of the service policies associated with your SNMP configuration, perform the following tasks:

Examples

The following example shows how to display service policy statistics for the SNMP_MGMT_ALLOW_POLICY policy map:

host1/Admin# show service-policy SNMP_MGMT_ALLOW_POLICYStatus : ACTIVEDescription: Allow mgmt protocols-----------------------------------------Context Global Policy: service-policy: SNMP_MGMT_ALLOW_POLICY

Example of an SNMP ConfigurationThe following example shows a running-configuration that verifies the current status of a real server through SNMP and the CLI. It also verifies that SNMP traps are sent when a real server or virtual server is not operational. This example illustrates that you can restrict the client source host IP address allowed to connect to the ACE. The policy map is applied to all of the VLAN interfaces associated with the context. The SNMP configuration appears in bold in the example.access-list ACL1 line 10 extended permit ip any any

rserver host SERVER1 ip address 192.168.252.245 inservicerserver host SERVER2 ip address 192.168.252.246 inservicerserver host SERVER3 ip address 192.168.252.247 inservice

Command Purpose

show service-policy policy_name [detail] Displays service policy statistics for a Layer 3 and Layer 4 SNMP management policy map.


• policy_name—Identifier of an existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters.



clear service-policy policy_name Clears the service policy statistics associated with your SNMP configuration.



OL-25343-01


serverfarm host SFARM1 probe HTTP_PROBE rserver SERVER1 conn-limit max 3 min 2 inserviceserverfarm host SFARM2 probe HTTP rserver SERVER2 conn-limit max 500 min 2 inservice rserver SERVER3 conn-limit max 500 min 2 inservice

class-map type http loadbalance match-all L7_INDEX-HTML_CLASS 2 match http url /index.htmlclass-map match-all L4_MAX-CONN-VIP_105_CLASS 2 match virtual-address 192.168.120.105 anyclass-map type management match-any L4_REMOTE-ACCESS-LOCAL_CLASS description Enables SNMP remote management for local users 1 match protocol snmp source-address 192.168.0.0 255.248.0.0 2 match protocol snmp source-address 172.16.64.0 255.255.252.0class-map type http loadbalance match-all L7_URL*_CLASS 2 match http url .*policy-map type management first-match L4_SNMP-REMOTE-MGT_POLICY class L4_REMOTE-ACCESS-LOCAL_CLASS permitpolicy-map type loadbalance first-match L7_LB-SF_MAX-CONN_POLICY class L7_INDEX-HTML_CLASS serverfarm SFARM1 class L7_URL*_CLASS serverfarm SFARM2policy-map multi-match L4_VIP_POLICY class L4_MAX-CONN-VIP_105_CLASS loadbalance vip inservice loadbalance policy L7_LB-SF_MAX-CONN_POLICY loadbalance vip icmp-reply appl-parameter http advanced-options PERSIST-REBALANCE

service-policy input L4_REMOTE-MGT_POLICY

snmp-server user user1 Network-Monitor auth sha “adcd1234”snmp-server community ACE-public group rosnmp-server contact “User1 [email protected]”snmp-server location “San Jose CA”snmp-server host 192.168.0.236 traps version 2c ACE-public snmp-server enable traps slb vserversnmp-server enable traps slb realsnmp-server enable traps syslog snmp-server enable traps snmp authenticationsnmp-server enable traps snmp linkupsnmp-server enable traps snmp linkdown


OL-25343-01



OL-25343-01

AdministOL-25343-01

C H A P T E R 8
Configuring the XML Interface

This chapter describes how to use Extensible Markup Language (XML) to remotely configure an ACE from a network management station (NMS). You can transmit, exchange, and interpret data among the applications.


• Information About XML



• Configuring the XML Interface

• Displaying or Clearing XML Service Policy Statistics

• Example of ACE CLI Command and the XML Equivalent

Information About XMLWeb services provide network-based software applications that use XML to transmit, exchange, and interpret data among applications that would otherwise have difficulty interoperating together.

XML provides an application-independent way of sharing data between computer systems. Similar to HTML, XML consists of text delimited by tags so it is easily conveyed over the Internet. In XML, the tags define the meaning and structure of the information, enabling computer applications to use the information directly. Unlike HTML, XML tags identify the data, rather than specifying how to display it. An XML tag acts like a field name in your program; it puts a label on a piece of data that identifies it (for example: <message>...</message>).

An XML document that contains configuration commands and output results is easily transformed between the devices by using standard Internet protocols. A network management station (NMS), such as the CiscoWorks Hosting Solution Engine (HSE), can connect to the ACE and push new configurations to it over HTTP or secure HTTP (HTTPS). Any command that you can configure from the ACE CLI can be configured remotely from a NMS by exchanging XML documents over HTTP or HTTPS.

The XML application programming interface (API) allows you to automate the programmatic configuration of the ACE by using an XML schema. The XML format is a translation of the CLI commands into an equivalent XML syntax. Each ACE CLI command has an equivalent XML tag, and


Chapter 8 Configuring the XML InterfaceInformation About XML

all of the parameters of the CLI command are attributes of that element. The ACE uses an Apache HTTP server to provide the XML management interface and to provide HTTP services between the ACE and the management client. To use the ACE XML API, you must have the Admin user role.

There are three categories of commands as follows:

• Configuration

• Show

• Executable

Ping and traceroute are executable commands. All executable commands are treated by the XML agent as follows:

• The raw mode launches executable commands, but it does not report any output; only the status of the launch.

• The XML mode does not support any executable commands; it is meant to operate only on configuration and show commands.

You can use XML to do the following:

• Provide a mechanism using XML to transfer, configure, and monitor objects in the ACE. This XML capability allows you to easily shape or extend the CLI query and reply data in XML format to meet different specific business needs.

• Transfer show command output from the ACE CLI interface in an XML format for statistics and status monitoring. This capability allows you to query and extract data from the ACE.

• Use the ACE XML schema for formatting CLI queries or parsing the XML results from the ACE to enable third-party software development through XML communications.

• Provide remote user authentication through AAA.

• Provide session and context management by the global administrator and other privileged users that have the Admin user role.


• HTTP and HTTPS Support with the ACE

• HTTP Return Codes

• XML Schema

HTTP and HTTPS Support with the ACEThe ACE and an NMS can easily send and receive an XML document containing configuration commands or output results by using standard Internet protocols, such as HTTP or secure HTTP (HTTPS), as the transfer protocol. HTTPS uses Secure Sockets Layer (SSL) to provide encrypted communication between the management client and the ACE.

The administrator of the system designates a website as the entry point to the API, and all requests and queries are made through those URLs. This website also provides the XMl schemas that define the XML for requests, queries, and responses. There is one XML schema for the ACE module and one for the ACE appliance.

The XML input is submitted through the data portion of an HTTP POST request. A field named “xml” contains the XML string that defines the request or query. The response to this HTTP POST represents a pure XML response with either a success or failure indicator for a request or the response to a query.


OL-25343-01


When you use XML to transfer configuration data and results, the NMS connects to the ACE and sends a new configuration in an XML document to the ACE over HTTP or HTTPS. The ACE then applies the new configuration. The XML agent on the ACE checks the XML output that the ACE generates before sending it to the client. If the output contains incorrect syntax including unsupported characters, the agent displays the following error message:

Generated XML was not well-formed. Possible workaround: retry XML request using text mode response instead.

The following example shows the HTTP conversation between the client and the server, as related to the XML implementation on the ACE:

******** Client **************POST /bin/xml_agent HTTP/1.1Authorization: Basic VTpQContent-Length: 95xml_cmd=<request_xml><interface type=”vlan” number=”80”><access-group access-type=”input” name=”acl1”/><ip_address =”60.0.0.145” netmask=”255.255.255.0”/><shutdown sense=”no"/></interface><show_running-config/></request_xml>

******** Server **************HTTP/1.1 200 OKContent-Length: 21<response_xml><config_command><command>interface vlan 80ip address 60.0.0.145 255.255.255.0access-group input acl1no shutdown</command><status code="100" text="XML_CMD_SUCCESS"/></config_command></response_xml>

******** Client **************POST /bin/xml_agent HTTP/1.1Content-Length: 95xml_cmd=<request_xml><show_running-config/></request_xml>

******** Server **************HTTP/1.1 401 UnauthorizedConnection: closeWWW-Authenticate: Basic realm=/xml-config

HTTP Return CodesHTTP return codes indicate the status of the request and reports errors between the server and the client. The Apache HTTP server return status codes follow the standards outlined in RFC 2616. Table 8-1 lists the supported HTTP return codes.


OL-25343-01


The following HTTP headers are supported:

• Content-Length (nonzero value required for all POSTs)

• Connection (close value indicates that a request should not be persistent)

• WWW-Authenticate (sent to the client when credentials are required and missing)

• Authorization (sent from the client to specify basic credentials in base 64 encoding)

For example, when an XML error occurs, the HTTP response contains a 200 return code. The portion of the original XML document with the error is returned with an error element that contains the error type and description.

The following is a typical example of an XML error response:

<response_xml><config_command><command> interface vlan 20 no shut description xyz exit</command><status code = ‘200’ text=’XML_CMD_FAILURE’><error_command> description xyz </error_command><error_message> unrecognized element - description </error_message></status></config_command></response_xml>

Table 8-1 Supported HTTP Return Codes for XML

Return Code Description

200 OK

201 Created

202 Accepted

203 Non-Authoritative Information

206 Partial Content

301 Moved Permanently

302 Found

400 Bad Request

401 Unauthorized (credentials required, but not provided)

403 Forbidden (illegal credentials submitted; syslog also generated)

404 Not Found (“/xml-config” not specified)

405 Method Not Allowed

406 Not Acceptable

408 Request Time-out (more than 30 seconds has passed waiting on receive)

411 Missing Content-Length (missing or zero Content-Length field)

500 Internal Server Error

501 Not Implemented (“POST” not specified)

505 HTTP Version Not Supported (“1.0” or “1.1” not specified)


OL-25343-01

The returned error codes correspond to the attributes of the configuration element. The possible returned XML error can include any of the following:

XML_ERR_WELLFORMEDNESS /* not a well formed xml document */XML_ERR_ATTR_INVALID /* found invalid value attribute */XML_ERR_ELEM_INVALID /* found invalid value unrecognized */XML_ERR_CDL_NOT_FOUN /* parser cdl file not found */XML_ERR_INTERNAL /* internal memory or coding error */XML_ERR_COMM_FAILURE /* communication failure */XML_ERR_VSH_PARSER /* vsh parse error on the given command */XML_ERR_VSH_CONF_APPLY /* vsh unable to apply the configuration */

XML SchemaA n XML schema is the basis for XML configuration documents that you create using the ACE. The purpose of an XML schema is to define the legal building blocks of an XML document by defining the document structure with a list of legal elements.

The schema designates an XML list that specifies precisely which elements can appear in a request, query, or response document. It also specifies the contents and attributes of the elements. A schema can be declared inline in your XML document or as an external reference.

The ACE XML schema file, schema.xsd, is included as part of the software image and is accessible from a web browser using either HTTP or HTTPS. See the “Accessing the ACE XML Schema File” section for details.

You can use a web browser to access the ACE XML schema file as follows:

• (ACE module only) Directly access the schema.xsd file or open the file from the Cisco ACE Module Management page.

• (ACE appliance only) Directly access the schema.xsd file or open the file from the Cisco ACE Appliance Management page.

The following example shows the sequence of ACE CLI commands for creating a real server followed by the associated XML schema rserver elements for the commands:

[no] rserver [host | redirect] name

[no] conn-limit max maxconns [min minconns]

[no] description string

[no] inservice

[no] ip address {ip_address}

[no] probe name

[no] weight number

********************************************************************** Elements, Attributes and Entities required for rserver ********************************************************************** -->

<!ELEMENT probe_rserver EMPTY><!ATTLIST probe_rserver sense CDATA #FIXED "no" probe-name CDATA #REQUIRED


OL-25343-01

Chapter 8 Configuring the XML InterfaceGuidelines and Restrictions

> <!ELEMENT webhost-redirection EMPTY><!ATTLIST webhost-redirection sense (yes | no) #IMPLIED relocation-string CDATA #REQUIRED redirection-code (301 | 302) #IMPLIED>

<!ELEMENT rserver (description, ip_address, conn-limit, probe_rserver, weight, inservice, webhost-redirection)*><!ATTLIST rserver sense CDATA #FIXED "no" type (redirect | host) #IMPLIED name CDATA #REQUIRED>

Guidelines and RestrictionsThis topic includes the following guidelines and restrictions:

• To use the ACE XML interface, you must have the Admin user role.

• If you use XML mode (request_xml), you cannot run the ping or the traceroute command. If you use raw mode (request_raw), the ping and the traceroute commands always return success, regardless of the actual command result.

• (ACE module only) The ACE module creates two default user accounts at startup: admin and www. The admin user is the global administrator and cannot be deleted. The ACE module uses the www user account for the XML interface and www cannot be deleted.

• (ACE appliance only) The ACE appliance creates the following default user accounts at startup: admin, dm, and www. The admin user is the global administrator and cannot be deleted. The dm user is for accessing the Device Manager GUI and cannot be deleted (it is an internal user that is required by the Device Manager GUI and is hidden on the CLI). The ACE appliance uses the www user account for the XML interface and it cannot be deleted.

Caution When you upgrade your ACE software as follows, you must change the default www user password if you have not already done so:- (ACE module only) to version A2(1.1) or higher- (ACE appliance only) to version A3(1.0) or higherOtherwise, after you upgrade the ACE software, the www user will be disabled and you will not be able to use XML to remotely configure an ACE until you change the default www user password. See Chapter 2, Configuring Virtualization, in the Virtualization Guide, Cisco ACE Application Control Engine for details on changing a user account password. In this case, the user would be www.


OL-25343-01

Chapter 8 Configuring the XML InterfaceDefault Settings

Default SettingsXML responses automatically appear in XML format if the corresponding CLI show command output supports the XML format. However, if you are running commands on the CLI console or you are running raw XML responses from NMS, the XML responses appear in regular CLI display format. See the “Enabling the Display of Raw XML Request show Command Output in XML Format” section for details. For details on the show command output supported in XML format, consult the schema.xsd file.

Configuring the XML InterfaceThis section describes how to configure the XML interface and contains the following topics:

• Task Flow for Configuring XML

• Configuring HTTP and HTTPS Management Traffic Services

• Enabling the Display of Raw XML Request show Command Output in XML Format

• Accessing the ACE XML Schema File

Task Flow for Configuring XMLFollow these steps to configure XML usage with the ACE:





host1/Admin# configEnter configuration commands, one per line. End with CNTL/Z.host1/Admin(config)#

Step 3 Create a Layer 3 and Layer 4 class map to classify the HTTP or HTTPS management traffic that can be received by the ACE.

(ACE module only)host1/Admin(config)# class-map type management match-all HTTPS-ALLOW_CLASShost1/Admin(config-cmap-mgmt)# match protocol https source-address 192.168.1.1 255.255.255.255host1/Admin(config-cmap-mgmt)# exit

(ACE appliance only)host1/Admin(config)# class-map type management match-all XML-HTTPS-ALLOW_CLASShost1/Admin(config-cmap-mgmt)# match protocol xml-https source-address 192.168.1.1 255.255.255.255host1/Admin(config-cmap-mgmt)# exit

Step 4 Configure a Layer 3 and Layer 4 HTTP or HTTPS traffic management policy.

(ACE module only)


OL-25343-01

Chapter 8 Configuring the XML InterfaceConfiguring the XML Interface

host1/Admin(config) # policy-map type management first-match MGMT_HTTPS_POLICYhost1/Admin(config-pmap-mgmt) # class HTTPS-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c) # permithost1/Admin(config-pmap-mgmt-c) # exit

(ACE appliance only)host1/Admin(config) # policy-map type management first-match MGMT_XML-HTTPS_POLICYhost1/Admin(config-pmap-mgmt) # class XML-HTTPS-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c) # permithost1/Admin(config-pmap-mgmt-c) # exit

Step 5 Attach the traffic policy to a single interface or globally on all VLAN interfaces associated with a context, and specify the direction in which the policy should be applied. For example, to specify an interface VLAN and apply multiple service policies to the VLAN, enter:

(ACE module only)host1/Admin(config)# interface vlan50host1/Admin(config-if)# ip address 192.168.10.1 255.255.0.0host1/Admin(config-if)# service-policy input MGMT_HTTPS_POLICYhost1/Admin(config-if)# exithost1/Admin(config)# exit

(ACE appliance only)host1/Admin(config)# interface vlan50host1/Admin(config-if)# ip address 192.168.10.1 255.255.0.0host1/Admin(config-if)# service-policy input MGMT_XML-HTTPS_POLICYhost1/Admin(config-if)# exithost1/Admin(config)# exit

Step 6 (Optional) Enable the display of raw XML request show command output in XML format.

Note True XML responses always automatically appear in XML format.

host1/Admin# xml-show on



Configuring HTTP and HTTPS Management Traffic ServicesThis section describes how to configure HTTP and HTTPS remote management traffic to the ACE through class maps, policy maps, and service policies. The ACE provides support for remote management using XML over either HTTP or HTTPS to configure, monitor, and manage software objects.

The following items summarize the role of each function in configuring HTTP or HTTPS network management access to the ACE:

• Class map—Provides the remote network traffic match criteria to permit HTTP and HTTPS management traffic based on HTTP or HTTPS network management protocols or host source IP es.

• Policy map—Enables remote network management access for a traffic classification that matches the criteria listed the class map.

• Service policy—Activates the policy map and attaches the traffic policy to an interface or globally on all interfaces.


OL-25343-01


HTTP or HTTPS sessions are established to the ACE per context. For details on creating contexts and users, see the Virtualization Guide, Cisco ACE Application Control Engine.


• Creating and Configuring a Class Map

• Creating a Layer 3 and Layer 4 Policy Map



Creating and Configuring a Class Map

This section describes how to create a Layer 3 and Layer 4 class map to classify the HTTP or HTTPS management traffic that can be received by the ACE. This process allows network management traffic by identifying the incoming IP protocols that the ACE can receive and the client source host IP address and subnet mask as the matching criteria.

A class map of type management defines the allowed network traffic as a form of management security for protocols such as HTTP or HTTPS. A class map can include multiple match commands. You can configure class maps to define multiple HTTP or HTTPS management protocol or source IP address match commands in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the ACE evaluates multiple match statements operations when multiple match criteria exist in a class map.

Detailed Steps

Command Purpose

Step 1 config




ACE Module Example:host1/Admin(config)# class-map type management match-all HTTPS-ALLOW_CLASShost1/Admin(config-cmap-mgmt)#

ACE Appliance Example:host1/Admin(config)# class-map type management match-all XML-HTTPS-ALLOW_CLASShost1/Admin(config-cmap-mgmt)#

Creates a Layer 3 and Layer 4 class map to classify the HTTP or HTTPS management traffic that can be received by the ACE.

The keyword options and argument are as follows:

• match-all | match-any—(Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:

– match-all—(Default) All of the match criteria listed in the class map match the network traffic class in the class map.

– match-any—Only one of the match criteria listed in the class map matches the network traffic class in the class map.

• map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The class name is used for both the class map and to configure a policy for the class in the policy map.

This command enters the class map management configuration mode.


OL-25343-01



ACE Module Example:host1/Admin(config)# no class-map type management match-all HTTPS-ALLOW_CLASS

ACE Appliance Example:host1/Admin(config)# no class-map type management match-all XML-HTTPS-ALLOW_CLASS

(Optional) Removes a Layer 3 and Layer 4 network management class map from the ACE.


Example:host1/Admin(config-cmap-mgmt)# description Allow HTTPS access to the ACE


The text argument is the description that you want to provide. Enter an unquoted text string with a maximum of 240 alphanumeric characters.

no description


(Optional) Remove the description from the class map.

Command Purpose


OL-25343-01


Step 4 [line_number] match protocol {http | https} {any | source-address ip_ mask}

ACE Module Example:host1/Admin(config-cmap-mgmt)# match protocol https source-address 192.168.10.1 255.255.0.0

ACE Appliance Example:host1/Admin(config-cmap-mgmt)# match protocol xml-https source-address 192.168.10.1 255.255.0.0

Configures the class map to specify that the HTTP or HTTPS remote network management protocol can be received by the ACE. You configure the associated policy map to permit access to ACE for the specified management protocol. For XML support, a class map of type management allows IP protocols such as HTTP and HTTPS. As part of the network management access traffic classification, you also specify either a client source host IP address and subnet mask as the matching criteria or instruct the ACE to allow any client source for the management traffic classification.

You can include multiple match protocol commands in a class map.


• line_number—(Optional) Line number that allows you to edit or delete individual match commands. Enter an integer from 2 to 255 as the line number. For example, you can enter no line_number to delete long match commands instead of entering the entire line.

• http—Specifies that Hypertext Transfer Protocol (HTTP) is to be used as follows:

– (ACE module only) Management access between the ACE module HTTP server and the management client.

– (ACE appliance only) Send and receive XML documents between the ACE appliance and an NMS.

• https—Specifies that secure Hypertext Transfer Protocol (HTTPS) is used as follows:

– (ACE module only) Management access between the ACE HTTPS server and the management client.

– (ACE appliance only) This keyword specifies HTTPS for connectivity with the Device Manager GUI on the ACE using port 443.

• (ACE appliance only) xml-https—Specifies that HTTPS is used to to send and receive XML documents between the ACE appliance and an NMS. Communication is performed using port 10443.

You can enable both https and xml-https in a Layer 3 and Layer 4 network management class map.

• any—Specifies any client source for the management traffic classification.

• source-—Specifies a client source host IP and subnet mask as the network traffic matching criteria. As part of the classification, the ACE implicitly obtains the destination IP from the interface on which you apply the policy map.

• ip_address—Source IP of the client.

• mask—Subnet mask of the client in dotted-decimal notation (for example, 255.255.255.0).

Command Purpose


OL-25343-01


Creating a Layer 3 and Layer 4 Policy Map

This section describes how to create a Layer 3 and Layer 4 policy map, associate a class map with the policy map, and specify the policy map actions. A Layer 3 and Layer 4 policy map defines the actions executed on HTTP or HTTPS management traffic that matches the specified classifications.

Detailed Steps

no match protocol {http | https} {any | source-address ip_address mask}

ACE Module Example:host1/Admin(config-cmap-mgmt)# no match protocol https source-address 192.168.10.1 255.255.0.0

ACE Appliance Example:host1/Admin(config-cmap-mgmt)# no match protocol xml-https source-adress 192.168.10.1 255.255.0.0

(Optional) Deselects the specified network management protocol match criteria from the class map.


Example:host1/Admin(config-cmap-mgmt)# do copy running-config startup-config


Command Purpose

Command Purpose

Step 1 config




ACE Module Example:host1/Admin(config)# policy-map type management first-match MGMT_HTTPS_POLICYhost1/Admin(config-pmap-mgmt)#

ACE Appliance Example:host1/Admin(config)# policy-map type management first-match MGMT_XML-HTTPS_POLICYhost1/Admin(config-pmap-mgmt)#

Configures a Layer 3 and Layer 4 policy map that permits the management traffic received by the ACE. The ACE executes the action for the first matching classification. The ACE does not execute any additional actions.


This command enters the policy map management configuration mode.


OL-25343-01



ACE Module Example:host1/Admin(config)# no policy-map type management first-match MGMT_HTTPS_POLICY

ACE Appliance Example:host1/Admin(config)# no policy-map type management first-match MGMT_XML-HTTPS_POLICY

(Optional) Removes a network traffic management policy map from the ACE.


ACE Module Example:host1/Admin(config-pmap-mgmt)# class HTTPS-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)#

ACE Appliance Example:host1/Admin(config-pmap-mgmt)# class XML-HTTPS-ALLOW_CLASShost1/Admin(config-pmap-mgmt-c)#

Associates the HTTP or HTTPS management traffic class map with the traffic policy.




• class-default—Specifies the class-default class map for the Layer 3 and Layer 4 traffic policy. This class map is a reserved class map created by the ACE. You cannot delete or modify this class. All network traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match, the ACE then matches the action specified under the class class-default command. The class-default class map has an implicit match any statement in it and is used to match any traffic classification.

• class-default-v6—Specifies the IPv6 class-default class map for the Layer 3 and Layer 4 traffic policy. This class map is a reserved class map created by the ACE. You cannot delete or modify this class. All IPv6 network traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications match, the ACE then matches the action specified under the class class-default-v6 command. The class-default-v6 class map has an implicit match any statement in it and is used to match any traffic classification.


Command Purpose


OL-25343-01


Examples

The following examples shows how to use the insert-before command to define the sequential order of two class maps in the policy map:

(ACE module only)host1/Admin(config-pmap-mgmt)# class HTTPS-ALLOW_CLASS insert-before L4_REMOTE_ACCESS_CLASS

(ACE appliance only)host1/Admin(config-pmap-mgmt)# class XML-HTTPS-ALLOW_CLASS insert-before L4_REMOTE_ACCESS_CLASS

IPv6 Example

The following example shows how to specify the IPv6 class-default-v6 class map for the Layer 3 and Layer 4 traffic policy:

host1/Admin(config-pmap-mgmt)# class class-default-v6host1/Admin(config-pmap-mgmt-c)#


ACE Module Example:host1/Admin(config-cmap-mgmt)# no class HTTPS-ALLOW_CLASS

ACE Appliance Example:host1/Admin(config-cmap-mgmt)# no class XML-HTTPS-ALLOW_CLASS

(Optional) Removes a class map from a Layer 3 and Layer 4 policy map.

Step 4 permit


Allows the HTTP or HTTPS management traffic listed in the Layer 3 and Layer 4 class map to be received by the ACE.

no permit

Example:host1/Admin(config-pmap-mgmt-c)# no permit

(Optional) Disallows the HTTP or HTTPS management traffic listed in the Layer 3 and Layer 4 class map to be received by the ACE.

deny

Example:host1/Admin(config-pmap-mgmt-c)# deny

Denies the HTTP or HTTPS management traffic listed in the Layer 3 and Layer 4 class map to be received by the ACE.

no deny

Example:host1/Admin(config-pmap-mgmt-c)# no deny

Allows the HTTP or HTTPS management traffic listed in the Layer 3 and Layer 4 class map to be received by the ACE.




Command Purpose


OL-25343-01


IPv4 Example

The following example shows how to specify the IPv4 class-default class map for the Layer 3 and Layer 4 traffic policy:

host1/Admin(config-pmap-mgmt)# class class-defaulthost1/Admin(config-pmap-mgmt-c)#


This section describes how to apply an existing policy map globally to all VLAN interfaces in the same context.






The ACE allows only one policy of a specific feature type to be activated on an interface.

Detailed Steps

Command Purpose

Step 1 config




ACE Module Example:host1/Admin(config)# service-policy input MGMT_HTTPS_POLICY

ACE Appliance Example:host1/Admin(config)# service-policy input MGMT_XML-HTTPS_POLICY

Globally applies the management policy map to all of the VLANs associated with a context.





OL-25343-01



This section describes how to apply an existing policy map to a specific VLN interface. A policy activated on an interface overwrites any specified global policies for overlapping classification and actions.



The ACE allows only one policy of a specific feature type to be activated on an interface.

Detailed Steps


ACE Module Example:host1/Admin(config)# no service-policy input MGMT_HTTPS_POLICY

ACE Appliance Example:host1/Admin(config)# no service-policy input MGMT_XML-HTTPS_POLICY

(Optional) Removes the management policy map from all of the VLANs associated with a context.





Command Purpose

Command Purpose

Step 1 config





Specifies an interface VLAN.

The number argument is the number for a VLAN assigned to the ACE

This command enters the interface configuration mode commands for the VLAN.

Step 3 ip address

Example:host1/Admin(config-if)# ip address 192.168.10.1 255.255.0.0

Specifies the VLAN IP address.


OL-25343-01

Enabling the Display of Raw XML Request show Command Output in XML Format

This section describes how to enable the display of raw XML request show command output in XML format. By default, XML responses will automatically appear in XML format if the corresponding CLI show command output supports the XML format. However, if you are running commands on the CLI console or you are running raw XML responses from NMS, the XML responses appear in regular CLI display format.

You can enable the display of raw XML request show command output in XML format by performing one of the following actions:

• Specifying the xml-show on command in Exec mode from the CLI.

• Including the xml-show on command in the raw XML request itself (CLI commands included in an XML wrapper).

Selection of the xml-show on command is not required if you are running true XML (as shown in the example below).

For details on the show command output supported in XML format, consult the ACE XML schema file, schema.xsd, that is included as part of the software image (see the “Accessing the ACE XML Schema File” section). The ACE XML schema file contains the information on the XML attributes for those show commands that have output that supports the XML format.

For example, if you specify the show interface vlan 10 command, the XML schema for the show interface command appears as follows:

<!-- interface-number is req for show-type vlan | bvi.


ACE Module Example:host1/Admin(config-if)# service-policy input MGMT_HTTPS_POLICY

ACE Appliance Example:host1/Admin(config-if)# service-policy input MGMT_XML-HTTPS_POICY

Applies the management policy map to the VLAN.





ACE Module Example:host1/Admin(config-if)# no service-policy input MGMT_HTTPS_POLICY

ACE Appliance Example:host1/Admin(config-if)# no service-policy input MGMT_XML-HTTPS_POLICY

(Optional) Removes the management policy from an interface VLAN.





Command Purpose


OL-25343-01


interface-number is between 1 and 4095 for vlan and 8191 for bvi.--><!ENTITY % show-interface "interface-type (vlan | bvi | eobc) #IMPLIED interface-number CDATA #IMPLIED”>

The XML representation of the show interface command appears as follows:

<show_interface interface-type='vlan' interface-number='10'/>

The following example illustrates the XML representation of the show interface command output:

<response_xml><exec_command><command>show interface vlan 10</command><status code="100" text="XML_CMD_SUCCESS"/><xml_show_result><xml_show_interface><xml_interface_entry><xml_interface><interface_name>vlan10</interface_name><interface_status>up</interface_status><interface_hardware>VLAN</interface_hardware><interface_mac><macaddress>00:05:9a:3b:92:b1</macaddress></interface_mac><interface_mode>routed</interface_mode><interface_ip><ipaddress>10.20.105.101</ipaddress><ipmask>255.255.255.0</ipmask></interface_ip><interface_ft_status>non-redundant</interface_ft_status><interface_description><interface_description>not set</interface_description></interface_description><interface_mtu>1500</interface_mtu><interface_last_cleared>never</interface_last_cleared><interface_alias><ipaddress>not set</ipaddress></interface_alias><interface_standby><ipaddress>not set</ipaddress></interface_standby><interface_sup_enabled>Assigned</interface_sup_enabled><interface_auto_status>up</interface_auto_status></xml_interface><interface_stats><ifs_input><ifs_unicast>50</ifs_unicast><ifs_bytes>8963</ifs_bytes><ifs_multicast>26</ifs_multicast><ifs_broadcast>1</ifs_broadcast><ifs_errors>0</ifs_errors><ifs_unknown>0</ifs_unknown><ifs_ignored>0</ifs_ignored><ifs_unicast_rpf>0</ifs_unicast_rpf></ifs_input><ifs_output><ifs_unicast>45</ifs_unicast><ifs_bytes>5723</ifs_bytes>


OL-25343-01


<ifs_multicast>0</ifs_multicast><ifs_broadcast>1</ifs_broadcast><ifs_errors>0</ifs_errors><ifs_ignored>0</ifs_ignored></ifs_output></interface_stats></xml_interface_entry></xml_show_interface></xml_show_result></exec_command></response_xml>

Details

Accessing the ACE XML Schema FileThis section describes how to access the ACE XML schema file, which is included as part of the ACE software image and is accessible from a web browser using either HTTP or HTTPS.

The ACE XML schema file name for both the module and the appliance is schema.xsd.

You can access the ACE XML schema file directly or by using the Cisco ACE Module Management or Cisco ACE Appliance Management page.

Details

Perform these steps to access and display the ACE XML schema file:

Step 1 If you have not done so, create a Layer 3 and Layer 4 class map and policy map to classify the HTTP or HTTPS management traffic that can be received by the ACE. See the “Configuring HTTP and HTTPS Management Traffic Services” section.

Step 2 Open your preferred Internet web browser application, such as Microsoft Internet Explorer or Netscape Navigator.

Command Purpose

xml-show {off | on | status}

Example:host1/Admin# xml-show on

Enables the display of raw XML request show command output in XML format.


• off—Displays CLI show command output in regular CLI display output, not in XML format.

• on—Displays CLI show command output in XML format unless a specific show command is not implemented to display its output in XML format. For details on the show command output supported in XML format, consult the the ACE XML schema file, schema.xsd, that is included as part of the software image (see the “Accessing the ACE XML Schema File” section).

• status—Displays the results of the xml show command status: on or off. The status keyword allows you to determine the status of the xml show command setting.


OL-25343-01


Step 3 Access the ACE XML schema file using either of the following methods (Direct Access Method, or Cisco ACE Module or Appliance Management Page Method):

Direct Access Method

To directly access the ACE XML schema file, specify the HTTP or secure HTTP (HTTPS) of your ACE in the address field of your Web browser, followed by schema.xsd. For example, enter:

https://ace_ip_address/schema.xsd

http://ace_ip_address/schema.xsd

You can choose to either open the ACE XML schema file or save it to your computer.

Cisco ACE Module or Appliance Management Page Method

To access the ACE XML schema file from the Cisco ACE Module Management or Cisco ACE Appliance Management page, perform the following steps:

a. Specify the HTTP or secure HTTP (HTTPS) of your ACE in the field:

https://ace_ip_address

http://ace_ip_address

b. Click Yes at the prompt to accept (trust) and install the signed certificate from Cisco. To install the signed certificate, do one of the following:

– If you are using Microsoft Internet Explorer, in the Security Alert dialog box, click View Certificate, choose the Install Certificate option, and follow the prompts of the Certificate Manager Import Wizard.

– If you are using Netscape Navigator, in the New Site Certificate dialog box, click Next and follow the prompts of the New Site Certificate Wizard.

c. Enter your username and password in the fields provided, and then click OK. The Cisco ACE Module Management or Cisco ACE Appliance Management page appears depending on the device type that you are accessing.

d. Click the CISCO ACE XML Schema link under the Resources column of the Cisco ACE Module Management or Cisco ACE Appliance Management page to access the ACE XML schema file. You can choose to either open the ACE XML schema file or save it to your computer.


OL-25343-01

Chapter 8 Configuring the XML InterfaceDisplaying or Clearing XML Service Policy Statistics

Displaying or Clearing XML Service Policy StatisticsTo display or clear the statistical information of the service policies associated with your XML configuration, perform the following tasks:

Examples

The following examples shows the output for the MGMT_HTTPS_POLICY (ACE module) and MGMT_XML-HTTPS_POLICY (ACE appliance) policy maps by using the show service-policy command:

(ACE module only)host1/Admin# show service-policy MGMT_HTTPS_POLICYStatus : ACTIVEDescription: Allow mgmt protocols-----------------------------------------Context Global Policy: service-policy: MGMT_HTTPS_POLICY

(ACE appliance only)host1/Admin# show service-policy MGMT_XML-HTTPS_POLICYStatus : ACTIVEDescription: Allow mgmt protocols-----------------------------------------Context Global Policy: service-policy: MGMT_XML-HTTPS_POLICY

Example of ACE CLI Command and the XML EquivalentThe following example shows a typical VShell (VSH) CLI command configuration and its equivalent XML configuration commands:

################################ TO/FROM CP CONFIGURATION ################################

Command Purpose

show service-policy policy_name [detail] Displays service policy statistics for a Layer 3 and Layer 4 management policy map.


• policy_name—Identifier of an existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters.



clear service-policy policy_name Clears the service policy statistics associated with your XML configuration.

For the policy_name argument, enter the identifier of an existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters.


OL-25343-01

Chapter 8 Configuring the XML InterfaceExample of ACE CLI Command and the XML Equivalent

conf taccess-list acl1 extended permit ip any anyint vlan 80access-group input acl1ip address 60.0.0.145 255.255.255.0no shutexitip route 0.0.0.0 0.0.0.0 60.0.0.1end

<access-list id="acl1" config-type="extended" perm-value="permit"protocol-name="ip" src-address type="any" dest-type="any"/><interface type="vlan" number="80"><access-group type="input" name="acl1"/><ip_address ="60.0.0.145" netmask="255.255.255.0"/><shutdown sense="no"/></interface>

<ip_route dest-address="0.0.0.0" dest-mask="0.0.0.0"gateway="60.0.0.1"/>############################## BRIDGING CONFIGURATION ##############################conf t

access-list acl1 extended permit ip any anyint vlan 80access-group input acl1bridge-group 1no shutexit

int vlan 90access-group input acl1bridge-group 1no shutexitend

<access-list id="acl1" config-type="extended" perm-value="permit"protocol-name="ip" src-type="any" dest-type="any"/><interface type="vlan" number="80"><access-group type="input" name="acl1"/><bridge-group value="1"/><shutdown sense="no"/></interface><interface type="vlan" number="90"><access-group type="input" name="acl1"/><bridge-group value="1"/><shutdown sense="no"/></interface>


OL-25343-01

Administration Guide, COL-25343-01

I N D E X

A

ACE

boot configuration

ACE appliance 2-25

ACE module 1-21

capturing packet information 4-39

configuration checkpoint and rollback service 4-44

configuration files, loading from remote server 4-7

configuration files, saving 4-1

console connection

ACE appliance 2-3

ACE module 1-3

date and time, configuring

ACE appliance 2-14

ACE module 1-12

Flash memory, reformatting

ACE appliance 4-51

ACE module 4-51

inactivity timeout

ACE appliance 2-11

ACE module 1-9

information, displaying 5-1

licenses, managing 3-1

logging in

ACE appliance 2-7

ACE module 1-4

message-of-the-day banner

ACE appliance 2-12

ACE module 1-10

naming

ACE appliance 2-10

ACE module 1-9

password, changing administrative

ACE appliance 2-5, 2-8

ACE module 1-5

password, changing CLI account

ACE appliance 2-9

ACE module 1-7

password, changing www user (ACE appliance only) 2-5

redundant configuration 6-1

remote access 2-1

restarting

ACE appliance 2-29

ACE module 1-26

IN-1isco ACE Application Control Engine

Index

setting up

ACE appliance 2-1

ACE module 1-1

setup script (ACE appliance only) 2-4

shutting down

ACE appliance 2-31

SNMP 7-1

terminal settings

ACE appliance 2-22

ACE module 1-17

username, changing

ACE appliance 2-8

ACE module 1-5

using file system 4-10

ACE module

shutting down 1-29

admin user

ACE appliance 2-7

ACE module 1-4

alias IP address 6-12

B

backup

archive file 4-25

defaults 4-27

directory structure 4-25

errors, displaying 4-35

guidelines and limitations 4-26

IN-2Administration Guide, Cisco ACE Application Contro

naming conventions 4-25

overview 4-24

procedure 4-27

status, displaying 4-34

uses 4-24

boot configuration

BOOT environment variable

ACE appliance 2-26

ACE module 1-23

boot method

ACE appliance 2-25

ACE module 1-22

configuration register, setting boot method

ACE appliance 2-25

ACE module 1-22

displaying

ACE appliance 2-27

ACE module 1-24

ignoring startup-configuration file (ACE appliance only) 2-27

modifying

ACE appliance 2-25

ACE module 1-21

BOOT environment variable, setting

ACE appliance 2-26

ACE module 1-23

boot method, setting

ACE appliance 2-25

ACE module 1-22

l EngineOL-25343-01

Index

C

capturing packets 4-40

copying buffer 4-43

checkpoint, configuration

creating 4-44

deleting 4-45

displaying 4-48

rolling back to 4-46

class map

Layer 3 and 4, creating for management traffic 8-9

Layer 3 and 4, for SNMP 7-60

remote management 2-5

SNMP management traffic 7-60

XML 8-9

clearing

ICMP statistics 5-19

CLI

account password, changing

ACE appliance 2-9

ACE module 1-7

restarting ACE module from 1-26

saving session

ACE appliance 2-4

ACE module 1-4

user management of SNMP 7-4

clock

daylight saving time, setting

ACE appliance 2-18

AdministrationOL-25343-01

ACE module 1-15

NTP server, synchronizing ACE system clock (ACE appliance only) 2-20

setting (ACE appliance only) 2-14

timezone, setting

ACE appliance 2-15

ACE module only 1-12

communities, SNMP 7-47

configurational examples

redundancy 6-46

SNMP 7-70

configuration checkpoint and rollback service

creating configuration checkpoint 4-44

deleting configuration checkpoint 4-45

displaying checkpoint information 4-48

rolling back configuration 4-46

using 4-44

configuration command failures

displaying bulk synchronization 6-34

configuration files

clearing startup file 4-6

copying to disk0 file system 4-4

displaying 4-5

loading from remote server 4-7

merging startup with running 4-4

saving 4-1

saving in Flash memory 4-2

saving to remote server 4-2

configuration register

setting boot method

IN-3 Guide, Cisco ACE Application Control Engine

Index

ACE appliance 2-25

ACE module 1-22

values (ACE module only) 1-23

configuration synchronization

overview 6-5

SSL certs and keys 6-20, 6-22

console

connection to ACE appliance 2-3

connection to ACE module 1-3

console line settings (ACE module only) 1-19

contact, SNMP 7-48

context

directly accessing with SSH 2-23

copying

configuration files 4-2, 4-4

core dumps 4-37

files 4-10

files from remote server 4-15

files to remote server 4-14

licenses 4-11

packet capture buffer 4-12

scripted probe files 4-13

software image 4-15

copyright, displaying 5-5

core dumps 4-36

clearing core directory 4-38

copying 4-37

deleting 4-39


D

date and time

configuring

ACE appliance 2-14

ACE module 1-12

daylight saving time setting

ACE appliance 2-18

ACE module 1-15

time zone setting

ACE appliance 2-15

ACE module 1-12

daylight saving time setting

ACE appliance 2-18

ACE module 1-15

default user

admin

ACE appliance 2-7

ACE module 1-4

dm (ACE appliance only) 2-7

www

ACE appliance 2-7

ACE module 1-4

demo license, replacing with permanent license 3-7

Device Manager GUI, enabling connectivity (ACE appliance ony) 2-4

directory

copying files 4-11

creating in disk0 4-18

l EngineOL-25343-01

Index

deleting from disk0 4-18

listing files 4-21

disk0

creating new directory in 4-18

deleting directory in 4-18

moving files in 4-19

overview 4-10

uncompressing files in 4-16

untarring files in 4-17

display attributes, terminal

ACE appliance 2-22

ACE module 1-17

displaying

copyright 5-5

FT bulk synchronization configuration command failures 6-34

FT group information 6-35

FT peer information 6-38

FT statistics 6-40

FT tracking information 6-42

hardware information 5-2

ICMP statistics 5-19

information on ACE 5-1

memory statistics 6-38

NTP statistics and information (ACE appliance only) 2-32

process status 5-14

redundancy history 6-37

system information 5-17

system processes 5-8


technical support information 5-21

dm user (ACE appliance only) 2-7

F

failover

forcing 6-19

stateful 6-4

failure detection 6-24

host or gateway 6-25

HSRP group 6-30

HSRP requirements 6-30

interface 6-28

overview 6-24

fault tolerance

See redundancy

file system

copying files from remote server 4-15

copying files to directory 4-11

copying files to remote server 4-14

copying image to remote server 4-15

copying licenses 4-11

copying packet capture buffer 4-12

copying scripted probe files to 4-13

creating new directory in disk0 4-18

deleting directory in disk0 4-18

deleting files 4-19

listing files 4-21

moving files in disk0 4-19


Index

overview 4-10

saving show command output to file 4-23

uncompressing files in disk0 4-16

untarring files in disk0 4-17

using ACE 4-10

Flash memory

file system overview 4-10

reformatting

ACE appliance 4-51

ACE module 4-51

saving configuration files in 4-2

FT group

configuring 6-15

displaying information 6-35

modifying 6-17

FT peer

configuring 6-13

displaying information 6-38

FT tracking, displaying information 6-42

FT VLAN 6-4, 6-10

G

gateway failure detection

See failure detection

GRUB bootloader (ACE appliance only) 2-28, 2-30


H

hardware information, displaying 5-2

host failure detection


HSRP group

failure detection 6-30

tracking requirements 6-30

HTTP

return codes between server and client 8-3

HyperTerminal

launching

ACE appliance 2-3

ACE module 1-3

saving session

ACE appliance 2-4

ACE module 1-4

I

ICMP

clearing statistics 5-19

displaying statistics 5-19

enabling messages to the ACE 2-22

image

BOOT environment variable

ACE appliance 2-26

ACE module 1-23

l EngineOL-25343-01

Index

copying to remote server 4-15

inactivity timeout

ACE appliance 2-11

ACE module 1-9

interface failure detection


IP address

alias 6-12

K

key

generating for license 3-4

pair for SSH host 2-19

L

Layer 3 and 4 policy map

for management traffic 8-12

SNMP, creating 7-62

Layer 3 and Layer 4 class map

management traffic, creating for 8-9

SNMP, creating for 7-60

licenses

backing up 3-11, 3-12

copying 4-11

copying to ACE 3-5

displaying configuration and statistics 3-13

generating key 3-4


installing 3-6

managing 3-1

ordering upgrade license 3-4

replacing demo with permanent 3-7

location, SNMP 7-49

logging

into ACE appliance 2-7

into ACE module 1-4

M

management access

Layer 3 and 4 traffic 8-12

SSH, configuring 2-18

Telnet 2-17

message-of-the-day banner

ACE appliance 2-12

ACE module 1-10

monitoring

See SNMP

moving files in disk0 4-19

N

naming the ACE appliance 2-10

naming the ACE module 1-9

notifications

error messages 7-53

IETF standard, enabling 7-54


Index

options 7-54

SLB 7-53

SNMP 7-38, 7-50, 7-53

SNMP, enabling 7-52

SNMP host, configuring 7-50

SNMP license manager 7-53

types 7-53

virtual context change 7-53

NTP server (ACE appliance only)

NTP peer associations, configuring 2-20

NTP server associations, configuring 2-20

overview 2-20

statistics and information, viewing 2-32

synchronizing ACS 2-20

P

packet buffer 4-39

capturing packets 4-40

copying capture buffer 4-12, 4-43

password

Admin password, changing for CLI account

ACE appliance 2-5

changing administrative

ACE appliance 2-8

ACE module 1-5

changing CLI account

ACE appliance 2-9

ACE module 1-7


www user password, changing for CLI account (ACE appliance only) 2-5

peer

See FT peer

ping, enabling 2-22

policy map

Layer 3 and 4, for management traffic 8-12

Layer 3 and 4, for SNMP 7-62

remote access 2-9

remote access policy map, applying 2-13, 2-14

SNMP management traffic 7-62

XML 8-12

processes

displaying 5-8

displaying status of 5-14

Q

quick start

remote access 2-3

R

redundancy 6-1

configuration command failures, displaying 6-34

configuration examples 6-46

configuration synchronization overview 6-5

configuring 6-9

l EngineOL-25343-01

Index

failure detection and tracking 6-24

forcing failover 6-19

FT group, configuring 6-15

FT group information, displaying 6-35

FT peer, configuring 6-13

FT peer information, displaying 6-38

FT statistics, displaying 6-40

FT tracking information, displaying 6-42

FT VLAN 6-4

FT VLAN, configuring 6-10

history, displaying 6-37

memory statistics, displaying 6-38

overview 6-1

protocol 6-2

software upgrade or downgrade 6-5

stateful failover 6-4

statistics, clearing 6-44

synchronizing 6-20

synchronizing SSL certs and keys 6-22

task flow 6-8

reformatting Flash memory

ACE appliance 4-51

ACE module 4-51

remote access

class map, creating 2-5

enabling 2-1

network management traffic services, configuring 2-5

policy map 2-9, 2-13, 2-14

quick start 2-3


SSH, configuring 2-18

Telnet 2-17

terminating user session 2-21

remote server

copying files from 4-15

copying files to 4-14

copying image to 4-15

copying scripted probe files to 4-13

loading configuration files from 4-7

saving configuration files to 4-2

restarting

ACE appliance 2-29

ACE module 1-26

restarting ACE module

from ACE module CLI 1-26

from Catalyst CLI 1-27

restore

defaults 4-27

errors, displaying 4-35

guidelines and limitations 4-26

overview 4-24

procedure 4-28

status, displaying 4-35

uses 4-24

retrieving user context through the Admin context IP address when using SNMP 7-57

rollback service

See configuration checkpoint and rollback service


Index

rommon

mode (ACE module only) 1-23

running configuration


merging with startup 4-4

saving to startup configuration file 4-2

viewing 4-5

S

schema

accessing 8-19

overview 8-5

scripted probe files, copying 4-13

service policy

SNMP management policy map, applying 7-64, 7-65

XML management policy map, applying 8-15, 8-16

session

maximum number for SSH 2-18

SSH information, showing 2-25, 2-26

Telnet information, showing 2-25, 2-26

terminating SSH or Telnet 2-21

to ACE appliance 2-7

to ACE module 1-4

setting up

ACE appliance 2-1

ACE module 1-1

setup script


configuring ACE appliance 2-4

Device Manager GUI, enabling connectivity (ACE appliance only) 2-4

show command

enabling the exchange of output in XML 8-17

saving output to file 4-23

viewing hardware and software configuration information 5-1

shutting down

ACE appliance 2-31

ACE module 1-29

Simple Network Management Protocol

See SNMP

SNMP

AAA integration 7-4

agents, communication 7-3

agents, overview 7-2


CLI user management 7-4

communities 7-47

configuration examples 7-70

configuring the engine ID 7-58

contact 7-48

IETF standard 7-54

linkDown trap 7-54

linkUp trap 7-54

location 7-49

management traffic, configuring 7-59

managers, communication 7-3

managers, overview 7-2

l EngineOL-25343-01

Index

MIB table and object support 7-25

notifications 7-50

overview 7-1

policy map, creating 7-62

retrieving user context through the Admin context IP address 7-57

service policy 7-64, 7-65

statistics 7-66

task flow 7-42

traps 7-38

traps and informs 7-3

unmasking community and community security name OIDs 7-55

users, configuring 7-44

VLAN interface, assigning 7-56

software licenses

See licenses

SSH 2-18

directly accessing a user context 2-23

host key pairs 2-19

management access 2-18

maximum sessions 2-18

RSA key 2-20

showing session information 2-25, 2-26

terminating session 2-21

version 2-7

SSL

certificates and keys, synchronizing 6-22

startup configuration



ignoring (ACE appliance only) 2-27

merging with running 4-4

saving to remote server 4-2

updating with running configuration 4-2

viewing 4-5

stateful failover 6-4

statistics

FT 6-40

FT, clearing 6-45

license 3-13

memory 6-38

redundancy history, clearing 6-46

SNMP 7-66

stopping

ACE appliance 2-31

ACE module 1-29

synchronizing

configuration 6-5

SSL certs and keys 6-20

synchronizing redundant configurations 6-20

system information, displaying 5-17

system processes

displaying 5-8

displaying status of 5-14

T

task flow

redundancy 6-8


Index

SNMP 7-42

XML 8-7

technical support information, displaying 5-21

Telnet

management access, configuring 2-17

showing information 2-25, 2-26

terminating session 2-21

terminal settings

configuring

ACE appliance only 2-22

ACE module 1-17

console line settings (ACE module only) 1-19

display attributes

ACE appliance 2-22

ACE module 1-17

virtual terminal line settings

ACE appliance 2-24

ACE module 1-20

time, setting (ACE appliance only) 2-14

time zone setting

ACE appliance 2-15

ACE module 1-12

tracking


traps, SNMP 7-3, 7-38

U

uncompressing files in disk0 4-16


untarring files in disk0 4-17

upgrade license 3-4

user

configuring for SNMP 7-44

user context

accessing by SNMP through the Admin context IP address 7-57

directly accessing with SSH 2-23

username

changing

ACE appliance 2-8

ACE module 1-5

V

virtual terminal line settings

ACE appliance 2-24

ACE module 1-20

VLANs

for SNMP traps 7-56

FT VLAN for redundancy 6-4, 6-10

volatile file system 4-10

W

www user

ACE appliance 2-7

ACE module 1-4

l EngineOL-25343-01

Index

X

XML


example of CLI command and XML equivalent 8-21

HTTP and HTTPS support 8-2

HTTP return codes 8-3

management traffic, configuring 2-8, 8-8

overview 8-1

policy map, creating 8-12

schema, accessing 8-19

schema, overview 8-5

service policy 8-15, 8-16

show command output 8-17

task flow 8-7

IN-13
Guide, Cisco ACE Application Control Engine

Index

l Engine
OL-25343-01

cisco ace - admin guide

Documents

cisco logo

cisco representative

series router cisco

list of cisco trademarks

limited warranty

radministration guide

prefacethis guide

thirdparty trademarks