Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide
Software Version A1(8)
May 2008

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-12225-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCVP, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0801R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide
© 2008 Cisco Systems, Inc. All rights reserved.
CONTENTS

About the Documentation  xi
  Audience  xi
  Organization  xi
  Related Documentation  xii
  Conventions  xiv
  Obtaining Documentation, Obtaining Support, and Security Guidelines  xv
  Open-Source Software Included in Cisco 4700 Series Application Control Engine Appliance Device Manager  xv
  Open Source License Acknowledgements  xvi
  OpenSSL/Open SSL Project  xvi
  License Issues  xvi

CHAPTER 1  Overview  1-1
  ACE Appliance Device Manager Overview  1-1
  Finding Information on CLI Tasks  1-2
  Logging Into ACE Appliance Device Manager  1-3
  Changing Your Account Password  1-4
  ACE Appliance Device Manager Interface Overview  1-5
  Understanding ACE Appliance Device Manager Screens and Menus  1-7
  Understanding ACE Appliance Device Manager Buttons  1-8
  Understanding Table Buttons  1-9
  Conventions in Tables  1-10
  Using the Advanced Editing Option  1-11
  ACE Appliance Device Manager Screen Conventions  1-12
  Viewing Monitoring Results  1-13
  Configuration Overview  1-15
  Understanding ACE Features  1-16
  Understanding ACE Appliance Device Manager Terminology  1-17

CHAPTER 2  Configuring Virtual Contexts  2-1
  Using Virtual Contexts  2-1
  Creating Virtual Contexts  2-2
  Configuring Virtual Contexts  2-4
  Configuring Virtual Context System Attributes  2-6
  Configuring Virtual Context Primary Attributes  2-7
  Configuring Virtual Context Syslog Logging  2-8
  Configuring Syslog Log Hosts  2-12
  Configuring Syslog Log Messages  2-13
  Configuring Syslog Log Rate Limits  2-14
  Configuring SNMP for Virtual Contexts  2-15
  Configuring SNMP Version 2c Communities  2-16
  Configuring SNMP Version 3 Users  2-17
  Configuring SNMP Trap Destination Hosts  2-19
  Configuring SNMP Notification  2-20
  Configuring Virtual Context Global Traffic Policies  2-22
  Managing ACE Appliance Licenses  2-23
  Viewing ACE Appliance Licenses  2-23
  Importing ACE Appliance Licenses  2-24
  Installing ACE Appliance Licenses  2-25
  Uninstalling ACE Appliance Licenses  2-26
  Updating ACE Appliance Licenses  2-27
  Displaying License Configuration and Statistics  2-28
  Managing Resource Classes  2-29
  Resource Allocation Constraints  2-29
  Adding Resource Classes  2-32
  Modifying Resource Classes  2-33
  Deleting Resource Classes  2-34
  Viewing Resource Class Use on Virtual Contexts  2-35
  Configuring Security with ACLs  2-36
  Configuring ACLs  2-37
  Setting EtherType ACL Attributes  2-38
  Setting Extended ACL Attributes  2-39
  Resequencing Extended ACLs  2-42
  Viewing All ACLs by Context  2-43
  Deleting ACLs  2-43
  Configuring Virtual Context Expert Options  2-44
  Managing Virtual Contexts  2-44
  Viewing All Virtual Contexts  2-44
  Synchronizing Virtual Context Configurations  2-45
  Viewing Virtual Context Configuration Status  2-45
  High Availability and Virtual Context Configuration Status  2-46
  Synchronizing Individual Virtual Context Configurations  2-46
  Synchronizing All Virtual Context Configurations  2-47
  Editing Virtual Contexts  2-48
  Deleting Virtual Contexts  2-48

CHAPTER 3  Configuring Load Balancing  3-1
  Load Balancing Overview  3-1
  Virtual Servers  3-2
  Load-Balancing Predictors  3-2
  Real Servers  3-3
  Server Farms  3-4
  Configuring Virtual Servers  3-4
  Understanding Virtual Server Configuration and ACE Appliance Device Manager  3-4
  Using ACE Appliance Device Manager to Configure Virtual Servers  3-6
  Virtual Server Configuration Procedure  3-7
  Shared Objects and Virtual Servers  3-9
  Configuring Virtual Server Properties  3-10
  Configuring Virtual Server SSL Termination  3-19
  Configuring Virtual Server Protocol Inspection  3-20
  Configuring Virtual Server Layer 7 Load Balancing  3-26
  Configuring Virtual Server Default Layer 7 Load Balancing  3-36
  Configuring Application Acceleration and Optimization  3-38
  Configuring Virtual Server NAT  3-41
  Managing Virtual Servers  3-42
  Viewing Virtual Servers by Context  3-43
  Activating Virtual Servers  3-43
  Suspending Virtual Servers  3-43
  Viewing Detailed Virtual Server Information  3-44
  Viewing All Virtual Servers  3-44
  Configuring Load Balancing with Real Servers  3-45
  Configuring Server Farm Load Balancing  3-47
  Adding Real Servers to a Server Farm  3-50
  Viewing All Server Farms  3-52
  Configuring the Predictor Method for Server Farms  3-52
  Configuring Server Farm HTTP Return Error-Code Checking  3-55
  Health Monitoring  3-56
  TCL Scripts  3-56
  Configuring Health Monitoring for Real Servers  3-57
  Probe Attribute Tables  3-60
  Configuring DNS Probe Expect Addresses  3-70
  Configuring Headers for HTTP and HTTPS Probes  3-71
  Configuring Health Monitoring Expect Status  3-72
  Managing Real Servers  3-73
  Activating Real Servers  3-73
  Suspending Real Servers  3-74
  Modifying Real Servers  3-74
  Viewing All Real Servers  3-75
  Stickiness Overview  3-77
  IP Address Stickiness  3-77
  Cookie Stickiness  3-78
  HTTP Header Stickiness  3-79
  Sticky Groups  3-79
  Sticky Table  3-79
  Configuring Load Balancing Using Sticky Groups  3-80
  Viewing All Sticky Groups by Context  3-83
  Configuring Sticky Statics  3-84
  Using Parameter Maps  3-85
  Configuring Connection Parameter Maps  3-85
  Configuring HTTP Parameter Maps  3-91
  Configuring Optimization Parameter Maps  3-93
  Supported MIME Types  3-100
  Viewing All Parameter Maps by Context  3-102
  Configuring Secure KAL-AP  3-102

CHAPTER 4  Configuring SSL  4-1
  Using SSL Certificates  4-2
  Importing SSL Certificates  4-3
  Using SSL Keys  4-5
  Importing SSL Key Pairs  4-6
  Generating SSL Key Pairs  4-7
  Exporting SSL Certificates  4-9
  Exporting SSL Key Pairs  4-10
  Configuring SSL Parameter Maps  4-12
  Configuring SSL Chain Group Parameters  4-13
  Configuring SSL CSR Parameters  4-14
  Generating CSRs  4-16
  Configuring SSL Proxy Service  4-16

CHAPTER 5  Configuring Network Access  5-1
  Configuring Virtual Context VLAN Interfaces  5-1
  Viewing All VLAN Interfaces  5-5
  Configuring VLAN Interface Options  5-5
  Configuring VLAN Interface Policy Map Use  5-5
  Configuring VLAN Interface Access Control  5-6
  Configuring VLAN Interface Static ARP Entries  5-8
  Configuring VLAN Interface NAT Pools  5-9
  Configuring VLAN Interface DHCP Relay  5-10
  Configuring Port Channel Interfaces  5-10
  Configuring Gigabit Ethernet Interfaces  5-12
  Configuring Virtual Context BVI Interfaces  5-14
  Viewing All BVI Interfaces by Context  5-15
  Configuring Virtual Context Static Routes  5-15
  Viewing All Static Routes by Context  5-16

CHAPTER 6  Configuring High Availability  6-1
  Redundancy Overview  6-1
  Redundancy Protocol  6-1
  Stateful Failover  6-2
  Fault-Tolerant VLAN  6-3
  Configuration Synchronization  6-4
  Redundancy Configuration Requirements and Restrictions  6-4
  Configuring High Availability Overview  6-4
  High Availability Polling  6-5
  Synchronizing High Availability Configurations with ACE Appliance Device Manager  6-5
  Synchronizing Virtual Context Configurations  6-6
  Configuring High Availability Peers  6-6
  Clearing High Availability Pairs  6-8
  Configuring High Availability Groups  6-10
  Editing High Availability Groups  6-11
  Taking a High Availability Group Out of Service  6-12
  Enabling a High Availability Group  6-13
  Switching Over a High Availability Group  6-13
  Deleting High Availability Groups  6-14
  High Availability Tracking and Failure Detection Overview  6-14
  Tracking VLAN Interfaces for High Availability  6-15
  Tracking Hosts for High Availability  6-16
  Configuring Host Tracking Probes  6-17
  Deleting Host Tracking Probes  6-18
  Configuring Peer Host Tracking Probes  6-18
  Deleting Peer Host Tracking Probes  6-19

CHAPTER 7  Configuring Traffic Policies  7-1
  Class Map and Policy Map Overview  7-1
  Class Maps  7-2
  Policy Maps  7-3
  Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps  7-4
  Application Protocol Inspection Overview  7-5
  Performing Application Protocol Inspection  7-5
  HTTP Deep Packet Inspection Overview  7-7
  DNS Inspection Overview  7-7
  FTP Inspection Overview  7-8
  ICMP Inspection Overview  7-10
  RTSP Inspection Overview  7-11
  Configuring Virtual Context Class Maps  7-12
  Deleting Class Maps  7-13
  Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps  7-14
  Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps  7-17
  Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps  7-18
  Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps  7-20
  Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps  7-26
  Configuring Virtual Context Policy Maps  7-27
  Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic  7-29
  Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic  7-34
  Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic  7-36
  Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection  7-40
  Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection  7-47
  Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization  7-49
  Special Characters for Matching String Expressions  7-52

CHAPTER 8  Configuring Application Acceleration and Optimization  8-1
  Optimization Overview  8-2
  Optimization Traffic Policies and Typical Configuration Flow  8-2
  Configuring Action Lists  8-3
  Configuring Optimization Parameter Maps  8-5
  Configuring Traffic Policies for HTTP Optimization  8-6
  Enabling HTTP Optimization Using Virtual Servers  8-9
  Configuring Global Application Acceleration and Optimization  8-9

CHAPTER 9  Monitoring Your Network  9-1
  Error Monitoring  9-2
  Graphing Data  9-3
  Monitoring Load Balancing  9-4
  Monitoring the CPU  9-5
  Monitoring Interfaces  9-6
  Monitoring Real Servers  9-7
  Setting Up Virtual Contexts Statistics Collection  9-9
  Monitoring Probes  9-10
  Displaying Resource Usage  9-11
  Testing Ping  9-13

CHAPTER 10  Managing the ACE Appliance  10-1
  Overview of the Admin Functions  10-1
  Controlling Access to the Cisco ACE Appliance  10-3
  Types of Users  10-5
  Understanding Roles  10-5
  Understanding Operations Privileges  10-6
  Understanding Domains  10-7
  Managing Users  10-7
  Guidelines for Managing Users  10-8
  Displaying a List of Users  10-8
  Creating User Accounts  10-8
  Modifying User Accounts  10-10
  Deleting User Accounts  10-10
  Displaying Current User Sessions  10-11
  Deleting Active Users  10-11
  Ending Active User Sessions  10-12
  Changing User Passwords  10-13
  Changing the Admin Password  10-13
  Managing User Roles  10-13
  Guidelines for Managing User Roles  10-14
  Role Mapping in ACE Appliance Device Manager  10-18
  Displaying User Roles  10-25
  Creating User Roles  10-25
  Modifying User Roles  10-26
  Deleting User Roles  10-27
  Adding, Editing, or Deleting Rules  10-27
  Managing Domains  10-28
  Guidelines for Managing Domains  10-28
  Displaying Network Domains  10-28
  Creating Domains  10-29
  Modifying Domains  10-30
  Deleting Domains  10-31
  Adding or Deleting Domain Objects from a Domain  10-31
  Monitoring ACE Appliance Statistics  10-32
  Viewing ACE Appliance Server Statistics  10-32
  Configuring ACE Appliance Server Statistics Collection  10-33
  Using Admin Tools  10-34

CHAPTER 11  Using ACE Appliance Device Manager Troubleshooting Tools  11-1
  Generating a Diagnostic Package  11-1
  Guidelines for Using Lifeline  11-2
  Creating a Lifeline Package  11-2
  Downloading a Lifeline Package  11-3
  Deleting a Lifeline Package  11-4
  Manipulating ACE Appliance Files  11-4
  About File Browser  11-5
  Downloading Files  11-5
  Uploading Files  11-6
  Renaming Files  11-6
  Deleting Files  11-7
  Viewing Files  11-8

GLOSSARY

INDEX