ACE Configuration Guide

atul.thapar
Level 1

I am new to ACE. In our company there are ACE modules installed on 6509 switches configured as VSS, and we are running version A4(2.3) on the ACE. Please point me to some good links to start reading about ACE.

-Atul           

8 Replies

Hello Alex

I am working in a new environment and need to configure and confirm that traffic is restricted to only SSH and HTTPS. Here is what I have come up with so far from reading other configs and document examples. I believe that part of the problem is the permit ip any any.


interface gigabitEthernet 1/1
  description REAL SERVERS SDE
  speed 1000M
  duplex FULL
  switchport access vlan 200
  no shutdown
interface gigabitEthernet 1/2
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  speed 1000M
  duplex FULL
  switchport access vlan 500
  no shutdown

access-list ACL_10 line 8 extended permit ip any host 10.24.96.4
access-list ACL_10 line 16 extended permit icmp any host 10.24.96.4
access-list ACL_20 line 8 extended permit ip any any
access-list ACL_20 line 16 extended permit icmp any any
access-list ACL_30 line 8 extended permit ip any any
access-list ACL_30 line 16 extended permit icmp any any
access-list ACL_40 line 16 extended permit ip 10.24.96.64 255.255.255.224 any eq ssh
access-list ACL_40 line 16 extended permit ip 10.24.96.64 255.255.255.224 any eq https

probe icmp SERVICE_ICMP_PROBE
  interval 10
  passdetect interval 5

parameter-map type http cisco_avs_parametermap
  persistence-rebalance
  length-exceed continue

rserver host Arges
  ip address 10.24.96.68
  probe SERVICE_ICMP_PROBE
  inservice
rserver host vsuiteFrontEnd-A
  ip address 10.24.96.67
  probe SERVICE_ICMP_PROBE
  inservice

action-list type optimization http WEB-ACTION-LIST
  flashforward
action-list type optimization http cisco_avs_container_latency
  flashforward
action-list type optimization http cisco_avs_img_latency
  flashforward
action-list type optimization http cisco_avs_obj_latency
  flashforward

serverfarm host VIRTUAL-SERVER-FARM
  rserver Arges 80
    backup-rserver Brontes 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver Brontes 80
    conn-limit max 4000000 min 4000000
    inservice
serverfarm host rule-vsuiteFrontEnd-A
  rserver vsuiteFrontEnd-A
    inservice
serverfarm host rule-vsuiteSsh-A
  rserver ssh-vsuiteA 22
    inservice

parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
parameter-map type connection rule-vsuiteFrontEnd-A_CONN_PARAM
  set timeout inactivity 6400
parameter-map type connection rule-vsuiteSsh-A_CONN_PARAM
  set timeout inactivity 6400

class-map match-any SERVERSOURCED
  2 match access-list ACL_40
class-map match-all rule-vsuiteFrontEnd-A_CLASS
  2 match virtual-address 10.24.96.4 tcp eq https
class-map match-all rule-vsuiteSsh-A_CLASS
  2 match virtual-address 10.24.96.4 tcp eq 22
class-map type http loadbalance match-all cisco_avs_container_latency  ??????
  2 match http url http://10.10.10.*/browser/*
class-map type http loadbalance match-any cisco_avs_img_latency
  2 match http url .*jpg
  3 match http url .*jpeg
  4 match http url .*jpe
  5 match http url .*png
  6 match http url .*aspx
  7 match http url .*aspd
  8 match http url .*axd
  9 match http url .*axs
  10 match http url .i*
class-map type http loadbalance match-any cisco_avs_obj_latency
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*aspx
  16 match http url .*aspd
  17 match http url .*axd
  18 match http url .*axs
  19 match http url .*
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol  any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any

policy-map type loadbalance first-match rule-vsuiteFrontEnd-A_POLICY
  class class-default
    serverfarm rule-vsuiteFrontEnd-A
policy-map type loadbalance first-match rule-vsuiteSsh-A_POLICY
  class class-default
    serverfarm rule-vsuiteSsh-A

policy-map multi-match POLICY
  class rule-vsuiteFrontEnd-A_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteFrontEnd-A_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteFrontEnd-A_CONN_PARAM
  class rule-vsuiteSsh-A_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteSsh-A_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteSsh-A_CONN_PARAM

policy-map multi-match SERVERSOURCED
  class SERVERSOURCED
    nat dynamic 1 vlan 500

policy-map type optimization http first-match VIRTUAL-SERVER-20-l7opt
  class cisco_avs_obj_latency
    action cisco_avs_obj_latency
  class cisco_avs_img_latency
    action cisco_avs_img_latency
  class cisco_avs_container_latency
    action cisco_avs_container_latency

policy-map multi-match int500
  class VIRTUAL-SERVER-20
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-20-l7slb
    optimize http policy VIRTUAL-SERVER-20-l7opt
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options cisco_avs_parametermap
  class VIRTUAL-SERVER-11
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-11-l7slb
    loadbalance vip icmp-reply active

interface vlan 200
  description "REAL SERVERS"
  ip address 162.16.103.1 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 500
  description ACE CLIENT VLANE_Client VLAN
  ip address 10.10.10.5 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int500
  no shutdown
interface vlan 820
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

snmp-server contact "CHARLES"
snmp-server location "DEP"
snmp-server community DEP group Network-Monitor
snmp-server trap-source vlan 820

Hi Charles,

If you are talking about management traffic, you need a configuration like this:

class-map type management match-any NSS-MGT
  3 match protocol https any
  6 match protocol ssh any

policy-map type management first-match MGT
  class NSS-MGT
    permit

interface vlan 144
  ip address 10.198.44.11 255.255.255.0
  peer ip address 10.198.44.15 255.255.255.0
  service-policy input MGT
  no shutdown

If you want to restrict it even more and specify the IP addresses that are going to be permitted, you can configure the class map like this:

class-map type management match-any NSS-MGT
  3 match protocol https source x.x.x.x z.z.z.z
  6 match protocol ssh source x.x.x.x z.z.z.z

---------------------
Cesar R
ANS Team
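The two halves of the question, the data-plane restriction in Charles's draft ACLs and the management restriction Cesar describes, belong together. The fragment below is an added example and is not from any post in this thread. It reuses the VIP 10.24.96.4, the client VLAN 500 with the ACE address 10.10.10.5, the real-server VLAN 200 and the 10.24.96.64/27 server range from Charles's draft, and assumes a placeholder admin subnet of 192.0.2.0/24 for management. It addresses two points. First, the VIP class maps only decide what the VIP answers; with `permit ip any any` on the interfaces the ACE will still forward any other traffic between the client and server VLANs, and it is the implicit deny at the end of a restrictive ACL that closes that. Second, a port operator is only valid with tcp or udp, so `permit ip ... eq ssh` from the draft has to become `permit tcp ... eq 22`. Lines beginning with `!` are annotations for the reader, not configuration.

```text
! Client-side VLAN 500: only SSH and HTTPS to the VIP, plus ICMP so that
! "loadbalance vip icmp-reply active" can answer pings. Anything else that
! arrives on this VLAN is dropped by the implicit deny at the end of the ACL.
access-list VIP_SSH_HTTPS line 8 extended permit tcp any host 10.24.96.4 eq 22
access-list VIP_SSH_HTTPS line 16 extended permit tcp any host 10.24.96.4 eq 443
access-list VIP_SSH_HTTPS line 24 extended permit icmp any host 10.24.96.4
! Management to the ACE's own interface address. 192.0.2.0/24 is an assumed
! admin subnet; replace it with the real one. The interface ACL is checked
! before the management policy, so this has to be permitted here as well.
access-list VIP_SSH_HTTPS line 32 extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.5 eq 22
access-list VIP_SSH_HTTPS line 40 extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.5 eq 443

! Server-side VLAN 200: connections the servers open themselves, SSH and
! HTTPS only. "permit ip ... eq ssh" is not accepted because a port operator
! needs tcp or udp; this is the corrected form of ACL_40 from the draft.
! 10.24.96.64/27 is assumed to be the server range, as in the draft.
access-list SERVER_OUT line 8 extended permit tcp 10.24.96.64 255.255.255.224 any eq 22
access-list SERVER_OUT line 16 extended permit tcp 10.24.96.64 255.255.255.224 any eq 443
access-list SERVER_OUT line 24 extended permit icmp 10.24.96.64 255.255.255.224 any

! Management plane: SSH and HTTPS from the admin subnet only. Telnet, http
! and snmp are left out of the class map on purpose.
class-map type management match-any MGMT_CLASS
  2 match protocol ssh source 192.0.2.0 255.255.255.0
  3 match protocol https source 192.0.2.0 255.255.255.0
policy-map type management first-match MGMT_POLICY
  class MGMT_CLASS
    permit

! Bind the ACLs and the management policy to the interfaces. "access-group
! input ALL" from the draft is replaced by the restrictive ACLs.
interface vlan 500
  access-group input VIP_SSH_HTTPS
  service-policy input MGMT_POLICY
interface vlan 200
  access-group input SERVER_OUT
  service-policy input MGMT_POLICY
```

ACE keeps per-connection state, so SERVER_OUT governs connections the servers initiate, not the replies to load-balanced connections that arrived through the VIP. After applying it, check the entries with `show access-list VIP_SSH_HTTPS` and `show access-list SERVER_OUT`, confirm the management policy with `show service-policy MGMT_POLICY`, and test from a client that a connection to 10.24.96.4 on a port other than 22 or 443 is dropped while SSH to the ACE interface from outside the admin subnet is refused.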

Hello Cesar
I greatly appreciate your response and will give this a go, then reply if I need further help.

Thank you

It appears that ssh is not for management but for sending data to us.

I cannot get the rservers up or the VIPs active... Help me...

logging enable
logging timestamp
logging trap 5
logging history 5
logging buffered 6
logging persistent 5
logging monitor 5
logging queue 5000

boot system image:c4710ace-t1k9-mz.A5_1_2.bin

hostname x86ACE03

interface gigabitEthernet 1/1
  switchport access vlan 700
  no shutdown
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 701,704
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown

ntp server 157.127.103.139

access-list ACL_10 line 8 extended permit ip any host 10.22.6.117
access-list ACL_10 line 16 extended permit icmp any host 10.22.6.117
access-list ACL_10 line 24 extended permit ip any host 10.22.6.116
access-list ACL_10 line 32 extended permit icmp any host 10.22.6.116
access-list ACL_10 line 34 extended permit icmp any host 10.22.6.118
access-list ACL_10 line 38 extended permit ip any host 10.22.6.118
access-list ACL_10 line 40 extended permit ip any host 10.22.6.119
access-list ACL_10 line 48 extended permit icmp any host 10.22.6.119
access-list ACL_20 line 8 extended permit ip any any
access-list ACL_20 line 16 extended permit icmp any any
access-list ACL_40 line 16 extended permit ip 10.22.7.2 255.255.255.224 any
access-list ACL_50 line 16 extended permit ip 10.22.7.34 255.255.255.224 any
access-list FILTER line 10 extended permit tcp any any eq https
access-list FILTER line 20 extended permit tcp any any eq www

probe icmp SERVICE_ICMP_PROBE
  interval 10
  passdetect interval 5

rserver host vsuiteFrontEnd-A
  ip address 10.22.6.116 ! 10.22.7.2
  probe SERVICE_ICMP_PROBE
  inservice
rserver host vsuiteFrontEnd-CoreA
  ip address 10.22.6.118 ! 10.22.7.34
  probe SERVICE_ICMP_PROBE
  inservice

serverfarm host rule-vsuiteFrontEnd-A
  rserver vsuiteFrontEnd-A
    conn-limit max 4000000 min 1
    inservice
serverfarm host rule-vsuiteFrontEnd-CoreA
  rserver vsuiteFrontEnd-CoreA
    conn-limit max 4000000 min 1
    inservice

parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
parameter-map type connection rule-vsuiteFrontEnd-A_CONN_PARAM
  set timeout inactivity 6400
parameter-map type connection rule-vsuiteFrontEnd-CoreA_CONN_PARAM
  set timeout inactivity 6400

class-map type management match-any REMOTE_ACCESS_CLASS
  description Enable remote management
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  8 match protocol https any
class-map match-any SERVERSOURCED
  2 match access-list ACL_40
class-map match-any SERVERSOURCED-CoreA
  2 match access-list ACL_50
class-map match-all rule-vsuiteFrontEnd-A_CLASS
  2 match virtual-address 10.22.6.117 tcp eq https
class-map match-all rule-vsuiteFrontEnd-CoreA_CLASS
  2 match virtual-address 10.22.6.119 tcp eq https

policy-map type management first-match REMOTE_ACCESS_POLICY
  class REMOTE_ACCESS_CLASS
    permit
policy-map type loadbalance first-match rule-vsuiteFrontEnd-A_POLICY
  class class-default
    serverfarm rule-vsuiteFrontEnd-A
policy-map type loadbalance first-match rule-vsuiteFrontEnd-CoreA_POLICY
  class class-default
    serverfarm rule-vsuiteFrontEnd-CoreA
policy-map multi-match POLICY
  class rule-vsuiteFrontEnd-A_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteFrontEnd-A_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteFrontEnd-A_CONN_PARAM
policy-map multi-match POLICY-CoreA
  class rule-vsuiteFrontEnd-CoreA_CLASS
    loadbalance vip inservice
    loadbalance policy rule-vsuiteFrontEnd-CoreA_POLICY
    loadbalance vip icmp-reply active
    connection advanced-options rule-vsuiteFrontEnd-CoreA_CONN_PARAM
policy-map multi-match SERVERSOURCED
  class SERVERSOURCED
    nat dynamic 1 vlan 700
policy-map multi-match SERVERSOURCED-CoreA
  class SERVERSOURCED-CoreA
    nat dynamic 2 vlan 700

service-policy input POLICY
service-policy input POLICY-CoreA

interface vlan 700
  ip address 10.22.6.2 255.255.255.224
  no icmp-guard
  access-group input ACL_10
  nat-pool 1 10.22.6.117 10.22.6.117 netmask 255.255.255.255 pat
  nat-pool 2 10.22.6.119 10.22.6.119 netmask 255.255.255.255 pat
  service-policy input REMOTE_ACCESS_POLICY
  no shutdown
interface vlan 701
  ip address 10.22.7.2 255.255.255.224
  no icmp-guard
  access-group input ACL_20
  service-policy input SERVERSOURCED
  no shutdown
interface vlan 704
  ip address 10.22.7.34 255.255.255.224
  no icmp-guard
  access-group input ACL_20
  service-policy input SERVERSOURCED-CoreA
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.22.6.1

x86ACE03/Admin# sh probe
probe       : SERVICE_ICMP_PROBE
type        : ICMP
state       : ACTIVE
----------------------------------------------
   port      : 0           address   : 0.0.0.0
   addr type : -           interval  : 10     pass intvl  : 5
   pass count: 3           fail count: 3      recv timeout: 10
               ------------------ probe results ------------------
   associations ip-address          port porttype probes failed passed health
   ------------ --------------------+----+--------+------+------+------+------
   rserver     : vsuiteFrontEnd-A
                 10.22.6.116         0    --       78     78     0      FAILED
   rserver     : vsuiteFrontEnd-CoreA
                 10.22.6.118         0    --       459    459    0      FAILED

x86ACE03/Admin# sh service-policy
Policy-map : POLICY
Status     : ACTIVE
-----------------------------------------
Context Global Policy:
  service-policy: POLICY
    class: rule-vsuiteFrontEnd-A_CLASS
      loadbalance:
        L7 loadbalance policy: rule-vsuiteFrontEnd-A_POLICY
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP state: OUTOFSERVICE
        VIP DWS state: DWS_DISABLED
        Persistence Rebalance: DISABLED
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        conns per second : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : -     , drop-count : -
        bandwidth-rate-limit : -     , drop-count : -
      compression:
        bytes_in : 0                 bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0              Deflate: 0
      compression errors:
        User-Agent  : 0              Accept-Encoding    : 0
        Content size: 0              Content type       : 0
        Not HTTP 1.1: 0              HTTP response error: 0
        Others      : 0
        Parameter-map(s):
          rule-vsuiteFrontEnd-A_CONN_PARAM

Policy-map : POLICY-CoreA
Status     : ACTIVE
-----------------------------------------
Context Global Policy:
  service-policy: POLICY-CoreA
    class: rule-vsuiteFrontEnd-CoreA_CLASS
      loadbalance:
        L7 loadbalance policy: rule-vsuiteFrontEnd-CoreA_POLICY
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP state: OUTOFSERVICE
        VIP DWS state: DWS_DISABLED
        Persistence Rebalance: DISABLED
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        conns per second : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : -     , drop-count : -
        bandwidth-rate-limit : -     , drop-count : -
      compression:
        bytes_in : 0                 bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0              Deflate: 0
      compression errors:
        User-Agent  : 0              Accept-Encoding    : 0
        Content size: 0              Content type       : 0
        Not HTTP 1.1: 0              HTTP response error: 0
        Others      : 0
        Parameter-map(s):
          rule-vsuiteFrontEnd-CoreA_CONN_PARAM

Policy-map : SERVERSOURCED
Status     : ACTIVE
-----------------------------------------
Interface: vlan 1 701
  service-policy: SERVERSOURCED
    class: SERVERSOURCED
      nat:
        nat dynamic 1 vlan 700
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0     , drop-count : 0
        bandwidth-rate-limit : 0     , drop-count : 0

Policy-map : SERVERSOURCED-CoreA
Status     : ACTIVE
-----------------------------------------
Interface: vlan 1 704
  service-policy: SERVERSOURCED-CoreA
    class: SERVERSOURCED-CoreA
      nat:
        nat dynamic 2 vlan 700
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0     , drop-count : 0
        bandwidth-rate-limit : 0     , drop-count : 0

x86ACE03/Admin# sh serverfarm
   serverfarm           type     rservers predictor          current conns
   +--------------------+---------+--------+------------------+---------------
   rule-vsuiteFrontEnd-A
                        HOST     1        ROUNDROBIN         0
   rule-vsuiteFrontEnd-CoreA
                        HOST     1        ROUNDROBIN         0

x86ACE03/Admin# sh serverfarm rule-vsuiteFrontEnd-A
serverfarm     : rule-vsuiteFrontEnd-A, type: HOST
total rservers : 1
state          : INACTIVE
DWS state      : DISABLED
---------------------------------
                                               ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: vsuiteFrontEnd-A
       10.22.6.116:0          8      PROBE-FAILED 0          0          0
x86ACE03/Admin#
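The output above shows the expected chain: both rservers are PROBE-FAILED, so each serverfarm is INACTIVE, so each VIP is OUTOFSERVICE. A VIP only comes up once at least one rserver in its serverfarm passes its probe, so the probe is the place to start. The fragment below is an added example, not part of the post; it keeps the rserver name and address from the post and assumes that port 443 is the service to check. It replaces the ICMP probe with a TCP probe on the service port, because a host that answers ping can still have the application down, and then lists the checks to run bottom-up. One thing to confirm first from the configuration itself: none of the ACE's interface subnets (10.22.6.0/27 on VLAN 700, 10.22.7.0/27 on VLAN 701, 10.22.7.32/27 on VLAN 704) contains 10.22.6.116 or 10.22.6.118, so probes to those addresses leave through the default route 10.22.6.1 on the client VLAN rather than onto the server VLANs; `show ip route` and `show arp` will show whether that is the intended path. Lines beginning with `!` are annotations, not configuration.

```text
! Added example (not from the post): check the HTTPS service itself rather
! than ICMP reachability. Assumes the application listens on TCP 443.
probe tcp HTTPS_TCP_PROBE
  port 443
  interval 10
  passdetect interval 5
  faildetect 3
  open 3

rserver host vsuiteFrontEnd-A
  no probe SERVICE_ICMP_PROBE
  probe HTTPS_TCP_PROBE
  inservice

! Verification, bottom-up. Each step has to pass before the next one can.
! 1. Which interface and next hop the probe packets leave on.
show ip route
! 2. Whether the ACE resolves 10.22.6.116 on any VLAN at all.
show arp
! 3. Per-rserver probe status and the reason for the last failure.
show probe HTTPS_TCP_PROBE detail
! 4. The rserver should read OPERATIONAL instead of PROBE-FAILED.
show rserver vsuiteFrontEnd-A detail
! 5. The serverfarm should turn ACTIVE once one rserver is operational.
show serverfarm rule-vsuiteFrontEnd-A
! 6. The VIP state should then change from OUTOFSERVICE to INSERVICE.
show service-policy POLICY
```

If the TCP probe fails where ICMP succeeded, the host is reachable but nothing is listening on 443 from the ACE's side (a host firewall or a service bound to another port); if both fail, the path between the ACE and the server is the problem, and steps 1 and 2 are where to look. The same probe can be attached to vsuiteFrontEnd-CoreA in the same way.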

atul.thapar
Level 1

Thanks Alex and Jorge,

I have to configure ACE for Riverbed. Our ACE is a blade in a 6509, and the 6509 is in VSS. The ACE is configured with a context. Can anyone please help? I know it's a small thing for you guys but big for me, as I am new to ACE.

-Atul