
ACEAP

Implementing the Cisco ACE Appliance


Version 1.0 Revision 1.0

Lab Guide
Text Part Number: 97-2616-01

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Table of Contents
Lab Guide
  Overview
    Lab Topology
    Your Client PC Information
    IP Addressing
    Connecting to Lab Devices
  Lab 1: Implementing Virtualization
    Activity Objective
    Visual Objective
    Required Resources
    Task 1A: Configure New Contexts Using Device Manager
    Task 1B: Configure New Contexts Using CLI
    Task 2A: Create Resource Classes
    Task 2B: Create Resource Classes in the CLI
    Lab 1 Answer Key
  Lab 2: Using Network Address Translation
    Activity Objective
    Required Resources
    Task 1: Configure Static NAT for a Host
    Task 2: Configure Static NAT for a Subnet
    Task 3: Apply the Baseline Configuration
    Answer Key: Using Network Address Translation
  Lab 3: Configuring Server Load Balancing
    Activity Objective
    Visual Objective
    Required Resources
    Task 1A: Configure Real Servers
    Task 1B: Configure Real Servers
    Task 2A: Configuring Load-Balancing Class Maps and Policy Maps
    Task 2B: Configuring Load-Balancing Class Maps and Policy Maps
    Task 3: Test the New VIP Load-Balancing Configuration
    Task 4: Apply the Baseline Configuration
    Lab 3 Answer Key
  Lab 4: Implementing Health Monitoring
    Activity Objective
    Visual Objective
    Required Resources
    Task 1A: Configure Health Monitoring for Real Servers
    Task 1B: Configure Health Monitoring for Real Servers
    Task 2A: Configure Health Monitoring for a Server Farm
    Task 2B: Configure Health Monitoring for a Server Farm
    Task 3: Configure Health Monitoring for a Real Server Within a Server Farm
    Task 4: Apply the Baseline Configuration
    Lab 4 Answer Key
  Lab 5: Configuring Layer 7 Load Balancing
    Activity Objective
    Visual Objective
    Required Resources
    Task 1A: Configure a Real Server
    Task 1B: Configure a Real Server
    Task 2A: Configure Layer 7 Load Balancing
    Task 2B: Configure Layer 7 Load Balancing
    Task 3: Test the New VIP Load-Balancing Configuration
    Task 4: Mixing Layer 4 and Layer 7 Traffic
    Task 5: Optimize the Mixed-Traffic VIP
    Task 6: Apply the Baseline Configuration
    Lab 5 Answer Key
  Lab 6: Enabling Sticky Connections
    Activity Objective
    Visual Objective
    Required Resources
    Task 1: Apply Source IP Sticky to Ensure Client Persistence
    Task 2: Apply the Baseline Configuration
    Lab 6 Answer Key
  Lab 7: Enabling Protocol Inspection
    Activity Objective
    Visual Objective
    Required Resources
    Task 1: Configure a Protocol Fixup
    Task 2: Configure Strict FTP
    Task 3: Apply the Baseline Configuration
    Lab 7 Answer Key
  Lab 8: Configuring SSL Termination
    Activity Objective
    Visual Objective
    Required Resources
    Task 1: Configure SSL Termination when You Have Certificates and Keys
    Task 2: Configure SSL Termination when You Must Create Certificates and Keys
    Task 3: Apply the Baseline Configuration
    Lab 8 Answer Key
  Lab 9: Enabling HTTP Optimizations
    Activity Objective
    Required Resources
    Task 1: Enable HTTP Optimizations
    Answer Key for Lab 9
  Lab 10: Integrating Multiple Features
    Activity Objective
    Visual Objective
    Required Resources
    Task 1: Create a Virtual IP Address to Accept Web Traffic
    Task 2: Apply Source IP Sticky to Ensure Client Persistence
    Task 3: Apply Probes to Ensure That Real Servers Are Working Properly
    Task 4: Create a Virtual IP Address to Accept Clear Application Traffic
    Task 5: Create a Virtual IP Address to Accept Secure Application Traffic
    Task 6: Add SSL Acceleration
    Task 7: Apply Probe and Cookie Insert Sticky to Ensure Client Persistence
    Task 8: Create a Domain for the Security Team
    Task 9: Allow Direct Server Access and SERVER-INITIATED Connections
    Task 10: Configure HTTP Normalization
  Lab 11: Troubleshooting Case Study 1: Common SLB Configuration Errors
    Activity Objective
    Visual Objective
    Required Resources
    Task 1: Troubleshoot the First Error Case Configuration
    Task 2: Troubleshoot the Second Error Case Configuration
    Task 3: Troubleshoot the Third Error Case Configuration
    Task 4: Apply the Baseline Configuration
  Lab 12: Troubleshooting Case Study 2: Common Layer 7 SLB Configuration Errors
    Activity Objective
    Visual Objective
    Required Resources
    Task 1: Troubleshoot the First Error Case Configuration


Implementing the Cisco ACE Appliance (ACEAP) v1.0

2008 Cisco Systems, Inc.


Lab Guide
Overview
This guide includes these activities:
  Lab 1: Implementing Virtualization
  Lab 2: Using Network Address Translation
  Lab 3: Configuring Server Load Balancing
  Lab 4: Implementing Health Monitoring
  Lab 5: Configuring Layer 7 Load Balancing
  Lab 6: Enabling Sticky Connections
  Lab 7: Enabling Protocol Inspection
  Lab 8: Configuring SSL Termination
  Lab 9: Enabling HTTP Optimizations
  Lab 10: Integrating Multiple Features
  Lab 11: Troubleshooting Case Study 1: Common SLB Configuration Errors
  Lab 12: Troubleshooting Case Study 2: Common Layer 7 SLB Configuration Errors

Lab Topology
The figure shows the lab topology.

[Figure: Lab Topology]
  ACE Admin context: 172.19.110.29 (VLAN 10, 172.19.110.0 network)
  ACE: 172.19.110.PC
  VLANs: VLAN 10, VLAN 2PC, VLAN 4PC
  Client-side address: 172.16.PC.1
  ACE server-side address: 192.168.1.1
  Servers: 192.168.1.10, 192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.14, 192.168.1.15
  Client WAN address: 209.165.201.PC
  Catalyst 6500: 209.165.201.1
  P = pod number, C = client number

Your Client PC Information


You will be assigned a pod and a client by your instructor. Please write down your username, password, pod number, and client number here for easy reference during the remainder of the class.
  Username: __________
  Password: __________
  Pod Number: __________
  Client Number: __________

IP Addressing
The IP addressing scheme is outlined in these tables, where P = pod number and C = client number.


Pod 1 Addressing
Device        Client LAN IP   Client WAN IP   Cisco ACE Client VLAN  Cisco ACE Default Gateway  Client VLAN  Server VLAN  Cisco ACE Server VLAN
------------  --------------  --------------  ---------------------  -------------------------  -----------  -----------  ---------------------
Pod1-Sup720   172.19.110.1    209.165.201.1   -                      -                          -            -            -
Pod1-Client1  172.19.110.11   209.165.201.11  172.16.11.0/24         172.16.11.1/24             211          411          192.168.1.1/24
Pod1-Client2  172.19.110.12   209.165.201.12  172.16.12.0/24         172.16.12.1/24             212          412          192.168.1.1/24
Pod1-Client3  172.19.110.13   209.165.201.13  172.16.13.0/24         172.16.13.1/24             213          413          192.168.1.1/24
Pod1-Client4  172.19.110.14   209.165.201.14  172.16.14.0/24         172.16.14.1/24             214          414          192.168.1.1/24
Pod1-Client5  172.19.110.15   209.165.201.15  172.16.15.0/24         172.16.15.1/24             215          415          192.168.1.1/24
Pod1-Client6  172.19.110.16   209.165.201.16  172.16.16.0/24         172.16.16.1/24             216          416          192.168.1.1/24
Pod1-Client7  172.19.110.17   209.165.201.17  172.16.17.0/24         172.16.17.1/24             217          417          192.168.1.1/24
Pod1-Client8  172.19.110.18   209.165.201.18  172.16.18.0/24         172.16.18.1/24             218          418          192.168.1.1/24
Pod1-ACE      172.19.110.29   -               -                      -                          -            -            -

Connecting to Lab Devices


Connecting to Your Client PC
After you have been assigned a pod, a username, and a password by your instructor, go to http://10.199.0.246/ and log in using your assigned credentials. All work in this lab will be initiated from the client PC. Click the PC Desktop icon, which will launch an RDP connection. When prompted to log into the PC, use the username administrator and the password cisco.


The web servers are running Red Hat Advanced Server Enterprise 4. You will configure network connectivity to these servers during the lab exercises. To use Telnet to access the server, use the username cisco and the password cisco. To gain root access, use the command su - with the password cisco123.

Connecting to the Cisco ACE


The Cisco ACE modules can be accessed using Telnet or Secure Shell (SSH). A maximum of four Telnet and four SSH sessions can simultaneously log into any given context. If the sessions appear full, please bring this to the attention of the instructor. The Cisco ACE modules have a default configuration for the Admin context, which allows you to remotely access the Admin context to begin the lab. Use the default user admin and password admin to log into the Admin context. You can access the Admin context using Telnet, SSH, or HTTPS.

Note: When changing the admin password, a strong password of at least 8 characters is required. Throughout this lab guide, the user admin with the password admin123 is used.


Lab 1: Implementing Virtualization


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will explore the lab configuration of the Cisco ACE Admin context. You will create new contexts and resource classes to understand the flexibility of virtualization on the Cisco ACE appliance. After completing this exercise, you will be able to meet these objectives:
  Review the existing Cisco ACE configuration
  Define contexts and resource classes
  Combine resource classes and contexts

Visual Objective
The figure illustrates what you will accomplish in this activity.

Implementing Virtualization


Required Resources
These are the resources and equipment that are required to complete this activity:
  Cisco 4710 Application Control Engine Appliance
  Server minimally running Telnet and HTTP


Task 1A: Configure New Contexts Using Device Manager


This lab simulates configuring a new Cisco ACE appliance just after system boot and initial Admin context configuration is created by the setup script. In this task, you will connect to the Admin context, using the Cisco ACE Device Manager and work with the virtualization commands.

Activity Procedure
Complete these steps:
Step 1

Connect to the Cisco ACE appliance Admin context by opening a connection to the PC Client workstation, then open your browser and enter https://172.19.110.29.

Step 2

Click OK to accept the warning message.

Step 3

Click Yes to accept the security alert.


Step 4

Enter the username/password of admin/admin123 when prompted.


Step 5

The Cisco ACE Appliance has a GUI for configuration purposes. The default screen to start on is Config > Virtual Contexts.


Step 6

In Config > Virtual Contexts, click the + button to create a new context with the following parameters:
  Name: Testing-PC
  Resource Class: default
  Allocate-Interface VLANs: 2PC, 4PC
  Description: Testing Context
  Policy Name: MGMT_TEST
  VLAN to use: 2PC
  Management IP: 172.16.PC.25
  Management Netmask: 255.255.255.0
  Protocols to Use: Select All except SNMP
  Default Gateway IP: 172.16.PC.1

Step 7

Click the Deploy Now button.


Step 8

View the newly created context.

Step 9

Identify which users are currently active on the appliance: Admin > Role-Based Access Control > Active Users.


Step 10

Create a user for the context you just created. From Admin > Role-Based Access Control > Users, choose the context you created from the drop-down box. Currently there are no users in your context. Create one by clicking the + (plus sign) button on the green bar. Create a new Admin user with the following username and password: yourname_clientC/qwer1234. (Example: test_client1)

Step 11

Click the Deploy Now button to deploy and verify the user that you have created.


Step 12

Now you have created a context and added a user to the context with Admin privileges.

Activity Verification
You have completed this task when you attain these results: Successfully logged into your new context from a separate browser session with your username yourname_clientC


Task 1B: Configure New Contexts Using CLI


This lab simulates configuring a new Cisco ACE appliance just after initial admin configuration and system boot. In this task, you will connect to the Admin context, using the Cisco ACE command-line interface (CLI) and work with the virtualization commands.

Activity Procedure
Complete these steps:
Note: Use the terminal monitor command after you connect to any device, to make sure that all console messages are seen. This offers a valuable source of information when initially configuring the service appliances.

Step 1

Connect to your client PC.

Step 2

Use Telnet on the command line or PuTTY to access 172.19.110.29 from your client PC to access the Admin context of the Cisco ACE appliance within your pod. Log in with the username cisco and the password cisco.

C:\> telnet 172.19.110.29
switch login: admin
Password: admin
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
switch/Admin#

Step 3

Check system information and the version of the code currently running on the Cisco ACE appliance.
switch/Admin# sho ver
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
  loader:    Version 0.95
  system:    Version A1(7) [build 3.0(0)A1(7) adbuild_01:21:07-2007/11/04_/auto/adbu-rel3/ws/c4710ace-a1_7throttle/REL_3_0_0_A1_7]
  system image file: information unavailable from GRUB
  Device Manager version 1.0 (0) 20071104:0436
  installed license: ACE-AP-02-LIC ACE-AP-VIRT-020 ACE-AP-C1000-LIC ACE-AP-OPT-LIC-K9 ACE-AP-SSL-10K-K9

Hardware
  cpu info:
    Motherboard:
      number of cpu(s): 2
    Daughtercard:
      number of cpu(s): 16
  memory info:
    total: 6226408 kB, free: 4767020 kB
    shared: 0 kB, buffers: 4440 kB, cached 0 kB
  cf info:
    filesystem: /dev/hdb2
    total: 861668 kB, used: 703852 kB, available: 114044 kB

last boot reason: reload command by root
configuration register: 0x1
switch kernel uptime is 0 days 3 hours 38 minute(s) 56 second(s)

Step 4

The Cisco ACE appliance allows users to set a session time. This can be used to limit the current session or to prevent it from ever timing out. For this lab, disable the session time for your current session.
switch/Admin# terminal session-timeout 0

Step 5

The Cisco ACE also allows you to set future session idle timeout settings. For this lab, disable future sessions from timing out.
PodP-ACE/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
PodP-ACE/Admin(config)# login timeout 0

Note: The line vty command is different from that of the Cisco IOS Software, in that it does not use the exec-timeout command to control remote session idle timeouts.

Step 6

Use the show run command from the enable mode to see the current Cisco ACE configuration.
Note: By default, the admin and www users are present. They exist in the Admin context and provide default access. The admin user is, of course, for administration. The www user account is for supporting the Extensible Markup Language (XML) interface. Do not delete this user. If the www user is removed, the XML interface will be disabled for the entire appliance.


Step 7

View the information about the Admin context. Use the show context Admin and show running-config interfaces commands.
switch/Admin# show context Admin
Name: Admin , Id: 0
  Config count: 65
  Description:
  Resource-class: default
switch/Admin# show running-config interface
Generating configuration....
interface gigabitEthernet 1/1
  switchport trunk allowed vlan 110,211-218
  no shutdown
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 411-418
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown

Note: The context name is case sensitive.

Step 8

Create a new context named Testing-PC. By default, new contexts are members of the default resource class (like the Admin context in the previous step). Add two VLANs (2PC and 4PC) to the context, using the allocate-interface vlan command, and add a description of the Testing context.
switch/Admin(config)# context Testing-PC
switch/Admin(config-context)# allocate-interface vlan 2PC
switch/Admin(config-context)# allocate-interface vlan 4PC
switch/Admin(config-context)# description Testing Context

Note: The allocate-interface command does not accept comma-separated VLANs.

Step 9

View the newly created context, using the show context context_name command.

switch/Admin(config)# do show context Testing-PC
Name: Testing-PC , Id: 9
  Config count: 0
  Description: Testing Context
  Resource-class: default
  Vlans: Vlan2PC, Vlan4PC

Step 10

To connect to a new context remotely, a network interface must be configured, and management traffic must be allowed to the context. This is done by creating a class map and a policy map and attaching the policy map to an interface, using the service-policy command.

Note: To configure the basic context configuration, use the changeto context_name command.

switch/Testing-PC(config)# class-map type management match-any REMOTE_ACCESS
switch/Testing-PC(config-cmap-mgmt)# match protocol icmp any
switch/Testing-PC(config-cmap-mgmt)# match protocol telnet any
switch/Testing-PC(config-cmap-mgmt)# match protocol ssh any
switch/Testing-PC(config-cmap-mgmt)# match protocol https any
switch/Testing-PC(config-cmap-mgmt)# match protocol http any
switch/Testing-PC(config-cmap-mgmt)# match protocol xml-https any
switch/Testing-PC(config-cmap-mgmt)# exit

switch/Testing-PC(config)# policy-map type management first-match MGMT_TEST
switch/Testing-PC(config-pmap-mgmt)# class REMOTE_ACCESS
switch/Testing-PC(config-pmap-mgmt-c)# permit
switch/Testing-PC(config)# int vlan 2PC
switch/Testing-PC(config-if)# ip address 172.16.PC.25 255.255.255.0
switch/Testing-PC(config-if)# service-policy input MGMT_TEST
switch/Testing-PC(config-if)# no shut
switch/Testing-PC(config)# ip route 0.0.0.0 0.0.0.0 172.16.PC.1
Step 11

Create a new Admin user for this context with the username and password yourname_clientC/qwer1234.

switch/Admin(config)# username yourname_clientC password qwer1234 role Admin domain default-domain


Step 12

View the configuration that you just created.

switch/Testing-PC(config)# do show run
Generating configuration....
class-map type management match-any REMOTE_ACCESS
  2 match protocol icmp any
  3 match protocol telnet any
  4 match protocol ssh any
  5 match protocol https any
  6 match protocol http any
  7 match protocol xml-https any

policy-map type management first-match MGMT_TEST
  class REMOTE_ACCESS
    permit

interface vlan 2PC
  ip address 172.16.PC.25 255.255.255.0
  service-policy input MGMT_TEST
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username myname_pod1 password 5 $1$ddeNprzb$UMQVQAX/9AEKK88Wbm7uJ1 role Admin domain default-domain


Activity Verification
You have completed this task when you attain these results: Successfully logged into your new context from a separate Telnet session with your username myname_pod1
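Before handing a new context to its users, it is worth checking exactly which management protocols the interface will answer to and from where. The following added example (my code, not from the lab guide or Cisco) parses a constructed show run excerpt in the Task 1B format and resolves the chain interface > service-policy > policy-map > class-map, flagging the cleartext protocols (telnet, http) that REMOTE_ACCESS permits and the fact that the match lines accept any source.

```python
"""Resolve which management protocols an ACE context exposes on which interface.
Added example, not from the lab guide or Cisco; the parsing rules are assumptions
based on the 'show run' format shown in Task 1B."""
import re

# Constructed excerpt in the format of 'show run' inside the Testing-PC context.
SAMPLE_CONFIG = """\
class-map type management match-any REMOTE_ACCESS
  2 match protocol icmp any
  3 match protocol telnet any
  4 match protocol ssh any
  5 match protocol https any
  6 match protocol http any
  7 match protocol xml-https any
policy-map type management first-match MGMT_TEST
  class REMOTE_ACCESS
    permit
interface vlan 2PC
  ip address 172.16.PC.25 255.255.255.0
  service-policy input MGMT_TEST
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.PC.1
"""

# Management protocols that carry credentials unencrypted.
CLEARTEXT = {"telnet", "http"}


def parse_management_config(text):
    """Return (class_maps, policy_maps, interfaces) parsed from config text."""
    cmaps, pmaps, intfs = {}, {}, {}
    kind = name = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # top-level stanza header or plain command
            m = re.match(r"class-map type management match-(?:any|all) (\S+)$", line)
            if m:
                kind, name = "cmap", m.group(1)
                cmaps[name] = {"protocols": set(), "sources": set()}
                continue
            m = re.match(r"policy-map type management first-match (\S+)$", line)
            if m:
                kind, name, cls = "pmap", m.group(1), None
                pmaps[name] = {}  # class-map name -> "permit" | "deny"
                continue
            m = re.match(r"interface (vlan \S+)$", line)
            if m:
                kind, name = "intf", m.group(1)
                intfs[name] = {"ip": None, "policy": None, "shutdown": True}
                continue
            kind = None  # ip route, username, ...: nothing to collect
            continue
        if kind == "cmap":
            m = re.match(r"(?:\d+ )?match protocol (\S+) (.+)$", line)
            if m:
                cmaps[name]["protocols"].add(m.group(1))
                cmaps[name]["sources"].add(m.group(2))
        elif kind == "pmap":
            m = re.match(r"class (\S+)$", line)
            if m:
                cls = m.group(1)
                pmaps[name][cls] = "deny"  # treated as deny until 'permit' follows
            elif line in ("permit", "deny") and cls:
                pmaps[name][cls] = line
        elif kind == "intf":
            m = re.match(r"ip address (\S+) \S+$", line)
            if m:
                intfs[name]["ip"] = m.group(1)
            m = re.match(r"service-policy input (\S+)$", line)
            if m:
                intfs[name]["policy"] = m.group(1)
            if line == "no shutdown":
                intfs[name]["shutdown"] = False
    return cmaps, pmaps, intfs


def management_exposure(text):
    """Per interface: address, up/down, permitted management protocols, the
    cleartext subset, and whether any source address is accepted."""
    cmaps, pmaps, intfs = parse_management_config(text)
    report = {}
    for iname, intf in intfs.items():
        permitted, sources = set(), set()
        # An interface with no service-policy bound permits nothing to the box.
        for cname, action in pmaps.get(intf["policy"], {}).items():
            if action == "permit" and cname in cmaps:
                permitted |= cmaps[cname]["protocols"]
                sources |= cmaps[cname]["sources"]
        report[iname] = {
            "ip": intf["ip"],
            "up": not intf["shutdown"],
            "permitted": sorted(permitted),
            "cleartext": sorted(permitted & CLEARTEXT),
            "open_to_any": "any" in sources,
        }
    return report
```

Running management_exposure(SAMPLE_CONFIG) reports vlan 2PC at 172.16.PC.25 permitting six protocols, two of them cleartext, from any source; removing the service-policy line from the sample shows the interface permitting nothing.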

Task 2A: Create Resource Classes


In this task, you will create a resource class to define the Cisco ACE resources allowed per a given context.

Activity Procedure
Complete these steps:
Step 1

View the default class resource allocation. Choose the Admin context by clicking Config > Virtual Contexts > System > Resource Class > Edit. Double-click the default resource class.


Step 2

Back at the Resource Class screen, create a new resource class named appl-set-PC and limit the class to 3% of the Cisco ACE resources. Ensure that you have restricted the maximum usage to 3% of Cisco ACE resources for this resource class.

Step 3

Apply this new resource class to the context Testing that you previously created. Click Config > Virtual Contexts > Systems > Primary Attributes.


Task 2B: Create Resource Classes in the CLI


In this task, you will create a resource class to define the Cisco ACE resources allowed per a given context.

Activity Procedure
Complete these steps:
Step 1

View the current resource allocation.

switch/Admin(config)# do show resource allocation
-------------------------------------------------------------------
Parameter                 Min        Max        Class
-------------------------------------------------------------------
acl-memory                0.00%      100.00%    default
                          0.00%      800.00%    cart
syslog buffer             0.00%      100.00%    default
                          0.00%      800.00%    cart
conc-connections          0.00%      100.00%    default
                          0.00%      800.00%    cart
mgmt-connections          0.00%      100.00%    default
                          0.00%      800.00%    cart
proxy-connections         0.00%      100.00%    default
                          0.00%      800.00%    cart
bandwidth                 0.00%      100.00%    default
                          0.00%      800.00%    cart
connection rate           0.00%      100.00%    default
                          0.00%      800.00%    cart
inspect-conn rate         0.00%      100.00%    default
                          0.00%      800.00%    cart
syslog rate               0.00%      100.00%    default
                          0.00%      800.00%    cart
regexp                    0.00%      100.00%    default
                          0.00%      800.00%    cart
sticky                    0.00%      100.00%    default
                          8.00%      8.00%      cart
xlates                    0.00%      100.00%    default
                          0.00%      800.00%    cart
ssl-connections rate      0.00%      100.00%    default
                          0.00%      800.00%    cart
mgmt-traffic rate         0.00%      100.00%    default
                          0.00%      800.00%    cart
mac-miss rate             0.00%      100.00%    default
                          0.00%      800.00%    cart
acc-connections           0.00%      100.00%    default
                          0.00%      800.00%    cart
http-comp rate            0.00%      100.00%    default
                          0.00%      800.00%    cart
switch/Admin(config)# do show resource usage
                                                        Allocation
        Resource                Current     Peak        Min         Max       Denied
-------------------------------------------------------------------
Context: Admin
        conc-connections              0        0          0     1940000          0
        mgmt-connections              8        8          0        4850          0
        proxy-connections             0        0          0      254279          0
        xlates                        0        0          0       63569          0
        acc-connections               0        0          0        9700          0
        bandwidth                  2249   146151          0   260382392          0
        connection rate               0        4          0      970000          0
        ssl-connections rate          0        0          0         970          0
        mgmt-traffic rate           574    24882          0   121250000          0
        mac-miss rate                 0        0          0        1940          0
        inspect-conn rate             0        0          0        5820          0
        http-comp rate                0        0          0   127139840          0
        acl-memory                 9552     9616          0    33088143          0
        regexp                      607      607          0     1017119          0
        syslog buffer                 0        0          0     1017119          0
        syslog rate                   0        0          0        2910          0
Context: Lab-OPT-11
        conc-connections              0        0          0     1940000          0
        mgmt-connections              0        0          0        4850          0
        proxy-connections             0        0          0      254279          0
        xlates                        0        0          0       63569          0
        acc-connections               0        0          0        9700          0
        bandwidth                     0        0          0   260382392          0
        connection rate               0        0          0      970000          0
        ssl-connections rate          0        0          0         970          0
        mgmt-traffic rate             0        0          0   121250000          0
        mac-miss rate                 0        0          0        1940          0
        inspect-conn rate             0        0          0        5820          0
        http-comp rate                0        0          0   127139840          0
        acl-memory                 6976     7040          0    33088143          0
        regexp                      457      457          0     1017119          0
        syslog buffer                 0        0          0     1017119          0
        syslog rate                   0        0          0        2910          0
switch/Admin(config)#


Step 2

Create a new resource class named appl-set-PC and limit the class to 3% of the Cisco ACE resources. Ensure that you have restricted the maximum usage to 3% of Cisco ACE resources for this resource class.

switch/Admin(config)# resource-class appl-set-PC
switch/Admin(config-resource)# ?
Submode commands:
  do              EXEC command
  end             Exit from configure mode
  exit            Exit from this submode
  limit-resource  Set resource limits
  no              Negate a command or set its defaults
switch/Admin(config-resource)# limit-resource ?
  acc-connections    Limit Application Acceleration connections
  acl-memory         Limit ACL memory
  all                Limit all resource parameters
  buffer             Set resource-limit for buffers
  conc-connections   Limit concurrent connections (thru-the-box traffic)
  http-comp          Limit compression performance
  mgmt-connections   Limit management connections (to-the-box traffic)
  proxy-connections  Limit proxy connections
  rate               Set resource-limit as a rate (number per second)
  regexp             Limit amout of regular expression memory
  sticky             Limit number of sticky entries
  xlates             Limit number of Xlate entries
switch/Admin(config-resource)# limit-resource all minimum 3 maximum ?
  equal-to-min  Set maximum limit to same as minimum limit
  unlimited     Set maximum limit to unlimited
switch/Admin(config-resource)# limit-resource all minimum 3 maximum equal-to-min


Step 3

View the new resource class allocations.

switch/Admin(config-resource)# do show resource allocation
-------------------------------------------------------------------
Parameter                 Min        Max        Class
-------------------------------------------------------------------
acl-memory                0.00%      100.00%    default
                          0.00%      800.00%    cart
syslog buffer             0.00%      100.00%    default
                          0.00%      800.00%    cart
conc-connections          0.00%      100.00%    default
                          0.00%      800.00%    cart
mgmt-connections          0.00%      100.00%    default
                          0.00%      800.00%    cart
proxy-connections         0.00%      100.00%    default
                          0.00%      800.00%    cart
bandwidth                 0.00%      100.00%    default
                          0.00%      800.00%    cart
connection rate           0.00%      100.00%    default
                          0.00%      800.00%    cart
inspect-conn rate         0.00%      100.00%    default
                          0.00%      800.00%    cart
syslog rate               0.00%      100.00%    default
                          0.00%      800.00%    cart
regexp                    0.00%      100.00%    default

Why are the resource allocations not displayed, although the resource class has been created?
__________________________________________________________________________

Apply the new resource class to the context Testing-PC.

switch/Admin(config)# context Testing-PC
switch/Admin(config-context)# member appl-set-PC cart default
switch/Admin(config-context)# member appl-set-PC


Step 4

View the changes to the resource allocation table.

PodP switch/Admin(config-context)# do sho resource allocation
-------------------------------------------------------------------
Parameter                 Min        Max        Class
-------------------------------------------------------------------
acl-memory                0.00%      100.00%    default
                          0.00%      800.00%    cart
                          3.00%      3.00%      appl-set-PC
syslog buffer             0.00%      100.00%    default
                          0.00%      800.00%    cart
                          3.00%      3.00%      appl-set-PC
conc-connections          0.00%      100.00%    default
                          0.00%      800.00%    cart
                          3.00%      3.00%      appl-set-PC
mgmt-connections          0.00%      100.00%    default
                          0.00%      800.00%    cart
                          3.00%      3.00%      appl-set-PC
proxy-connections         0.00%      100.00%    default
                          0.00%      800.00%    cart
                          3.00%      3.00%      appl-set-PC
bandwidth                 0.00%      100.00%    default
                          0.00%      800.00%    cart
                          3.00%      3.00%      appl-set-PC
connection rate           0.00%      100.00%    default
                          0.00%      800.00%    cart
                          3.00%      3.00%      appl-set-PC
inspect-conn rate         0.00%      100.00%    default
                          0.00%      800.00%    cart
                          3.00%      3.00%      appl-set-PC
syslog rate               0.00%      100.00%    default
                          0.00%      800.00%    cart
                          3.00%      3.00%      appl-set-PC


Activity Verification
You have completed this task when you have attained these results: Developed an understanding of the multiple ways resources can be allocated to a context
Note: To avoid resource conflicts, remove this context from the Admin context when you have completed this task.
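The percentages in the show resource allocation tables above are totals: each class's per-context limit multiplied by the number of contexts that are members of it, which is why cart (eight Lab-OPT members, sticky guaranteed at 1.00% each) shows sticky at 8.00% and every unlimited parameter at 800.00%. The following added example (my code, not from the lab guide or Cisco) reproduces that arithmetic from a constructed Admin-context running-config in the answer-key format, and adds two checks a defender wants before admitting tenants: whether the summed minimum guarantees exceed the 100% the appliance actually has, and which contexts sit in a class that caps nothing.

```python
"""Reproduce the 'show resource allocation' totals from an ACE Admin-context
running-config and flag over-committed or uncapped contexts. Added example,
not from the lab guide or Cisco; the parsing rules are assumptions based on
the Lab 1 answer key."""
import re

# Parameters in the order 'show resource allocation' lists them in this lab.
PARAMETERS = (
    "acl-memory", "syslog buffer", "conc-connections", "mgmt-connections",
    "proxy-connections", "bandwidth", "connection rate", "inspect-conn rate",
    "syslog rate", "regexp", "sticky", "xlates", "ssl-connections rate",
    "mgmt-traffic rate", "mac-miss rate", "acc-connections", "http-comp rate",
)

# Constructed sample mirroring the Lab 1 answer key: eight Lab-OPT contexts in
# class 'cart', Testing-PC in 'appl-set-PC', Admin left in 'default'.
SAMPLE_CONFIG = """\
resource-class appl-set-PC
  limit-resource all minimum 3.00 maximum equal-to-min
resource-class cart
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 1.00 maximum equal-to-min
login timeout 0
context Testing-PC
  description Testing Context
  allocate-interface vlan 2PC
  allocate-interface vlan 4PC
  member appl-set-PC
""" + "".join(
    f"context Lab-OPT-1{i}\n  allocate-interface vlan 21{i}\n"
    f"  allocate-interface vlan 41{i}\n  member cart\n" for i in range(1, 9)
)


def _params_for(spec):
    """Map a limit-resource keyword to the display name: the CLI says
    'rate connection' and 'buffer syslog' where the table prints
    'connection rate' and 'syslog buffer' ('rate bandwidth' is just 'bandwidth')."""
    if spec == "all":
        return PARAMETERS
    words = spec.split()
    if len(words) == 1:
        return (words[0],)
    return ("bandwidth",) if words[1] == "bandwidth" else (f"{words[1]} {words[0]}",)


def _uncapped():
    return {p: (0.0, 100.0) for p in PARAMETERS}  # min 0%, max unlimited


def parse_admin_config(text):
    """Return ({class: {param: (min%, max%)}}, {context: class}). The built-in
    'default' class guarantees nothing and caps nothing; Admin and any context
    without a 'member' line belong to it, as 'show context' in this lab shows."""
    classes, contexts = {"default": _uncapped()}, {"Admin": "default"}
    current = None  # ("class", name) or ("context", name) for indented lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            m = re.match(r"resource-class (\S+)$", line)
            if m:
                current = ("class", m.group(1))
                classes[m.group(1)] = _uncapped()
                continue
            m = re.match(r"context (\S+)$", line)
            if m:
                current = ("context", m.group(1))
                contexts[m.group(1)] = "default"
                continue
            current = None
            continue
        if current is None:
            continue
        kind, name = current
        m = re.match(r"limit-resource (all|rate \S+|buffer \S+|\S+) minimum "
                     r"([\d.]+) maximum (unlimited|equal-to-min)$", line)
        if kind == "class" and m:
            lo = float(m.group(2))
            hi = 100.0 if m.group(3) == "unlimited" else lo
            for p in _params_for(m.group(1)):
                classes[name][p] = (lo, hi)
        m = re.match(r"member (\S+)$", line)
        if kind == "context" and m:
            contexts[name] = m.group(1)
    return classes, contexts


def allocation(classes, contexts):
    """Per class and parameter, the totals the table prints: the per-context
    limit multiplied by the number of member contexts."""
    members = {cls: 0 for cls in classes}
    for cls in contexts.values():
        members[cls] = members.get(cls, 0) + 1
    return {cls: {p: (lo * members[cls], hi * members[cls])
                  for p, (lo, hi) in limits.items()}
            for cls, limits in classes.items()}


def overcommitted(alloc):
    """Parameters whose minimum guarantees, summed over all classes, exceed
    the 100% the appliance actually has to give."""
    totals = {}
    for limits in alloc.values():
        for p, (lo, _hi) in limits.items():
            totals[p] = totals.get(p, 0.0) + lo
    return sorted(p for p, lo in totals.items() if lo > 100.0)


def unbounded_contexts(classes, contexts):
    """Contexts whose class caps no parameter: one runaway context there can
    starve every neighbour, which is exactly what resource classes prevent."""
    return sorted(ctx for ctx, cls in contexts.items()
                  if all(lim == (0.0, 100.0)
                         for lim in classes.get(cls, classes["default"]).values()))
```

With SAMPLE_CONFIG, allocation() yields (8.0, 8.0) for cart's sticky and (0.0, 800.0) for its bandwidth, matching the Step 1 table, and unbounded_contexts() names only Admin.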


Lab 1 Answer Key


switch/Admin# show running-config
interface gigabitEthernet 1/1
  switchport trunk allowed vlan 110,211-218
  no shutdown
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 411-418
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown

resource-class appl-set-PC
  limit-resource all minimum 3.00 maximum equal-to-min
resource-class cart
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 1.00 maximum equal-to-min

login timeout 0
shared-vlan-hostid 2

class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

interface vlan 110
  ip address 172.19.110.29 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  no shutdown

context Lab-OPT-11
  allocate-interface vlan 211
  allocate-interface vlan 411
  member cart
context Lab-OPT-12
  allocate-interface vlan 212
  allocate-interface vlan 412
  member cart
context Lab-OPT-13
  allocate-interface vlan 213
  allocate-interface vlan 413
  member cart
context Lab-OPT-14
  allocate-interface vlan 214
  allocate-interface vlan 414
  member cart
context Lab-OPT-15
  allocate-interface vlan 215
  allocate-interface vlan 415
  member cart
context Lab-OPT-16
  allocate-interface vlan 216
  allocate-interface vlan 416
  member cart
context Lab-OPT-17
  allocate-interface vlan 217
  allocate-interface vlan 417
  member cart
context Lab-OPT-18
  allocate-interface vlan 218
  allocate-interface vlan 418
  member cart
context Testing-PC
  description Testing Context
  allocate-interface vlan 2PC
  allocate-interface vlan 4PC
  member appl-set-PC

username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain
username www password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain


switch/Testing-PC# sh run
Generating configuration....
class-map type management match-any MGMT_TEST
  201 match protocol xml-https any
  202 match protocol telnet any
  203 match protocol ssh any
  204 match protocol icmp any
  205 match protocol https any
  206 match protocol http any

policy-map type management first-match MGMT_TEST
  class MGMT_TEST
    permit

interface vlan 2PC
  ip address 172.16.PC.25 255.255.255.0
  service-policy input MGMT_TEST
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username yourname_podp password 5 $1$Xfyu.sPd$c4xaJEWNH2SKEUN7J3NcY. role Admin domain default-domain


Lab 2: Using Network Address Translation


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will configure your Cisco ACE context to perform a variety of Network Address Translations (NATs). The steps required to configure NAT on the Cisco ACE appliance are very different from the steps for using Cisco firewalls. NAT on Cisco ACE relies entirely on the Cisco Modular Policy CLI Framework. After completing this activity, you will be able to meet these objectives:
  Configure static NAT for a host
  Configure static NAT for a subnet
  Roll back the configuration

Required Resources
These are the resources and equipment required to complete this activity:
  Catalyst 6500 with Supervisor 720
  Cisco 4710 Application Control Engine Appliance
  Server minimally running Telnet and HTTP


Task 1: Configure Static NAT for a Host


In this task, you will configure static destination NAT (DNAT) for a host. The goal is to configure the equivalent of the Cisco firewall command static (inside,outside) 172.16.PC.222 192.168.1.10, which can be read as: translate inside address 192.168.1.10 to 172.16.PC.222 on the outside.

Activity Visualization
The figure illustrates what you will accomplish in this task.

[Figure: Static Destination NAT. Outside global 172.16.PC.222 maps to outside local 192.168.1.10. Client 209.165.201.PC; ACE VLAN 2PC 172.16.PC.20; ACE VLAN 4PC 192.168.1.1; Server 192.168.1.10.]

Activity Procedure
Complete these steps:
Step 1

Connect to your client PC.

Step 2

Connect directly to the Cisco ACE management IP address for your Lab 2 context.

C:\> telnet 172.16.PC.20
Trying 172.16.PC.20...
Connected to 172.16.PC.20 (172.16.PC.20).
Escape character is '^]'.
User Access Verification
Username: cisco
Password: cisco123


Step 3

Verify that you are in the correct context by looking at the prompt.
Switch/Lab-OPT-PC#

Step 4

Use the checkpoint system to roll back the configuration.


Switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt

Note

The Cisco ACE appliance allows up to 10 configuration checkpoints in each context. To view the checkpoints that currently exist, use the show checkpoint all command. To view the configuration stored in a checkpoint, use the show checkpoint detail command with the checkpoint name.

Step 5

Execute show run to see what is preconfigured for this lab.

Step 6

The Cisco ACE appliance lets you set a session timeout, either to limit the current session or to prevent it from ever timing out. For this lab, disable the timeout for your current session.

Switch/Lab-OPT-PC# terminal session-timeout 0

Note

In configuration mode, the login timeout command modifies the idle timeout for future sessions.

Step 7

Create the INBOUND access list to permit traffic from the client to the server's NATed address.

Switch/Lab-OPT-PC(config)# access-list INBOUND extended permit tcp any host 172.16.PC.222

Step 8

Define a class map that matches the source IP that you want to translate.
Switch/Lab-OPT-PC(config)# class-map LNX-SOURCED
Switch/Lab-OPT-PC(config-cmap)# match source-address 192.168.1.10 255.255.255.255
Switch/Lab-OPT-PC(config-cmap)# exit

Step 9

Create a multi-match policy map that specifies NAT as the action. Provide the static IP address that will represent the server, and define which VLAN the server traffic will use after it has been NATed.

Switch/Lab-OPT-PC(config)# policy-map multi-match SVR-NAT
Switch/Lab-OPT-PC(config-pmap)# class LNX-SOURCED
Switch/Lab-OPT-PC(config-pmap-c)# nat ?
  dynamic  Configure dynamic network address translation
  static   Configure static network address translation
Switch/Lab-OPT-PC(config-pmap-c)# nat static 172.16.PC.222 netmask 255.255.255.255 vlan 2PC

Step 10

Create the server VLAN interface 4PC, give it the IP address 192.168.1.1/24, and bring it up with no shutdown. Apply the multi-match policy to this server-side (inside) interface.

Switch/Lab-OPT-PC(config)# interface vlan 4PC
Switch/Lab-OPT-PC(config-if)# ip address 192.168.1.1 255.255.255.0
Switch/Lab-OPT-PC(config-if)# service-policy input SVR-NAT
Switch/Lab-OPT-PC(config-if)# no shutdown


Step 11

Use the show nat-fabric command to obtain detailed NAT run-time information.

Switch/Lab-OPT-PC# sh nat-fabric policies
Nat objects:
NAT object ID:2 mapped_if:11 policy_id:1 type:STATIC static_xlate_id:2
ID:2 Static address translation
  Real addr:192.168.1.10 Real port:0 Real interface:12
  Mapped addr:172.16.PC.222 Mapped port:0 Mapped interface:11
  Netmask:255.255.255.255

Step 12

Check the traffic statistics of the access list.


Switch/Lab-OPT-PC# show access-list INBOUND
access-list:INBOUND, elements: 1, status: NOT-ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host 209.165.201.PC host 172.16.PC.222

Step 13

Why is the access list inactive? Was it applied to an interface?


Switch/Lab-OPT-PC# conf
Enter configuration commands, one per line. End with CNTL/Z.
Switch/Lab-OPT-PC(config)# int vlan 2PC
Switch/Lab-OPT-PC(config-if)# access-group input INBOUND
Switch/Lab-OPT-PC(config-if)# end
Switch/Lab-OPT-PC# show access-list INBOUND
access-list:INBOUND, elements: 1, status: ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host 209.165.201.PC host 172.16.PC.222 (hitcount=0)

Note

The (hitcount=N) field is the part to look for when you show an access list. If it is absent, the access list is probably not applied to any VLAN interface, and its status shows NOT-ACTIVE.
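As an added check that is not part of the original lab, the following Python script (example code, not Cisco's) parses show access-list output like the two listings above and flags ACLs that are defined but not applied to any interface, using both signals the note describes: the status field and the absence of a hitcount counter. The sample output is constructed for the example, with pod number 1 substituted for PC.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample output modelled on the two "show access-list INBOUND"
# listings in this lab (PC = 1). Not captured from a real device.
SAMPLE_BEFORE = """\
access-list:INBOUND, elements: 1, status: NOT-ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host 209.165.201.1 host 172.16.1.222
"""

SAMPLE_AFTER = """\
access-list:INBOUND, elements: 1, status: ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host 209.165.201.1 host 172.16.1.222 (hitcount=0)
access-list:SVR-INIT, elements: 1, status: ACTIVE
remark :
access-list SVR-INIT line 10 extended permit tcp host 192.168.1.10 any (hitcount=3)
"""

HEADER_RE = re.compile(
    r"^access-list:(?P<name>\S+), elements: (?P<n>\d+), status: (?P<status>\S+)")
ENTRY_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<rule>.+?)"
    r"(?: \(hitcount=(?P<hits>\d+)\))?$")


@dataclass
class AclEntry:
    line: int
    rule: str
    hitcount: Optional[int]   # None when the ACL is not applied to an interface


@dataclass
class Acl:
    name: str
    status: str
    entries: List[AclEntry] = field(default_factory=list)


def parse_show_access_list(text: str) -> Dict[str, Acl]:
    """Parse 'show access-list' output into a dict keyed by ACL name."""
    acls: Dict[str, Acl] = {}
    current: Optional[Acl] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = Acl(header["name"], header["status"])
            acls[current.name] = current
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None and entry["name"] == current.name:
            hits = int(entry["hits"]) if entry["hits"] is not None else None
            current.entries.append(AclEntry(int(entry["line"]), entry["rule"], hits))
    return acls


def unapplied_acls(acls: Dict[str, Acl]) -> List[str]:
    """Names of ACLs that are defined but not applied to any VLAN interface.

    Both signals from the lab are checked: the status is not ACTIVE, or an
    entry carries no (hitcount=N) counter at all."""
    return sorted(name for name, acl in acls.items()
                  if acl.status != "ACTIVE"
                  or any(e.hitcount is None for e in acl.entries))


def entries_with_hits(acls: Dict[str, Acl]) -> List[Tuple[str, int, int]]:
    """(acl, line, hitcount) for every entry that has matched at least one packet."""
    return [(acl.name, e.line, e.hitcount)
            for acl in acls.values() for e in acl.entries if e.hitcount]


if __name__ == "__main__":
    print("before apply:", unapplied_acls(parse_show_access_list(SAMPLE_BEFORE)))
    after = parse_show_access_list(SAMPLE_AFTER)
    print("after apply:", unapplied_acls(after), entries_with_hits(after))
```

Feeding the script the output of show access-list from every context (for example over the same Telnet session used in this lab) gives a quick inventory of ACLs that exist only on paper.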

Step 14

If you initiate a long-lived connection (Telnet, for example) from the client PC to 172.16.PC.222, you will see the xlate entry on the Cisco ACE.
Switch/Lab-OPT-PC# sh xlate
NAT from vlan4PC:192.168.1.10 to vlan2PC:172.16.PC.222 count:1


Step 15

To see the NAT at work, Telnet from the context to the Linux server, switch to the root user, and start Tethereal with a filter for HTTP traffic.

Switch/Lab-OPT-PC# telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
linux1 (Linux release 2.6.9-11.ELsmp #1 SMP Fri May 20 18:26:27 EDT 2005) (0)
login: cisco
Password for cisco: cisco123
login: Resource temporarily unavailable while getting initial credentials
Last login: Tue Jun 6 04:25:26 from 192.168.1.1
[cisco@linux1 ~]$ su
Password: cisco123
[root@linux1 ~]# tethereal -R "tcp.port == 80"

Step 16

On the client, start a Wireshark capture on the 209.165.201.PC interface. Then open a web browser to the server's static (translated) IP address: http://172.16.PC.222

Step 17

Observe the Tethereal output on the Linux server. From the server's point of view the destination is its real address 192.168.1.10, not 172.16.PC.222: the Cisco ACE translated the destination before forwarding the client's SYN, and translates the server's source back on the return path.

449.108905 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [SYN] Seq=0 Ack=0 Win=64270 Len=0 MSS=1460
449.109199 192.168.1.10 -> 209.165.201.PC TCP http > 2399 [SYN, ACK] Seq=0 Ack=1 Win=5870 Len=0 MSS=1460
449.110228 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [ACK] Seq=1 Ack=1 Win=64270 Len=0
449.117018 209.165.201.PC -> 192.168.1.10 HTTP GET / HTTP/1.0
449.117077 192.168.1.10 -> 209.165.201.PC TCP http > 2399 [ACK] Seq=1 Ack=101 Win=5870 Len=0
449.137044 192.168.1.10 -> 209.165.201.PC HTTP HTTP/1.1 200 OK
449.171825 192.168.1.10 -> 209.165.201.PC HTTP Continuation or non-HTTP traffic
449.143738 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [ACK] Seq=101 Ack=1485 Win=64270 Len=0
449.149136 192.168.1.10 -> 209.165.201.PC TCP http > 2399 [FIN, ACK] Seq=1485 Ack=101 Win=5870 Len=0
449.150719 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [ACK] Seq=101 Ack=1486 Win=64270 Len=0
449.155886 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [FIN, ACK] Seq=101 Ack=1486 Win=64270 Len=0
449.156071 192.168.1.10 -> 209.165.201.PC TCP http > 2399 [ACK] Seq=1486 Ack=102 Win=5870 Len=0


Step 18

On the client, analyze the Wireshark trace. The client sees only the translated address 172.16.PC.222 as its peer.

[Figure: Static NAT Client Output (Wireshark capture on the client PC).]

Step 19

On the Cisco ACE, view the ACL, service policy, and connection counters.
Switch/Lab-OPT-PC# show access-list INBOUND
access-list:INBOUND, elements: 1, status: ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp any host 172.16.PC.222 (hitcount=1)

Switch/Lab-OPT-PC# show service-policy SVR-NAT
Status : ACTIVE
-----------------------------------------
Interface: vlan 4PC
  service-policy: SVR-NAT
    class: LNX-SOURCED
      nat:
        nat static 172.16.PC.222 vlan 2PC
        curr conns       : 1         , hit count        : 1
        dropped conns    : 0
        client pkt count : 7         , client byte count: 396
        server pkt count : 6         , server byte count: 1728

Switch/Lab-OPT-PC# show stats connection
+------------------------------------------+
+------- Connection statistics ------------+
+------------------------------------------+
 Total Connections Created  : 2
 Total Connections Current  : 2
 Total Connections Destroyed: 0
 Total Connections Timed-out: 0
 Total Connections Failed   : 0

Step 20

Verify that server-sourced NAT works as expected: connections initiated by the server 192.168.1.10 must appear with source address 172.16.PC.222 as they traverse the Cisco ACE. First permit server-initiated traffic on the server-side interface, because without an ACL the ACE does not accept connections arriving on that VLAN.

Switch/Lab-OPT-PC(config)# access-list SVR-INIT extended permit tcp host 192.168.1.10 any
Switch/Lab-OPT-PC(config)# int vlan 4PC
Switch/Lab-OPT-PC(config-if)# access-group input SVR-INIT

Step 21

From the Linux server, initiate a Telnet session to the client while capturing with Tethereal on the server to see the real source address. Then capture the same attempt with Wireshark on the client PC to verify that the server's source address has been translated to 172.16.PC.222.

Note

The Telnet session will fail because the client is not accepting Telnet connections. The SYN and the RST that answers it are enough to show the translation.

[root@linux1 ~]# tethereal -R "ip.addr == 209.165.201.0/24" &
[1] 10580
Capturing on eth0
[root@linux1 ~]# telnet 209.165.201.PC
Trying 209.165.201.PC...
34.711920 192.168.1.10 -> 209.165.201.PC TCP 34564 > telnet [SYN] Seq=0 Ack=0 Win=5870 Len=0 MSS=1460 TSV=822460873 TSER=0 WS=2
34.716002 209.165.201.PC -> 192.168.1.10 TCP telnet > 34564 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
telnet: connect to address 209.165.201.PC: Connection refused
telnet: Unable to connect to remote host: Connection refused

Wireshark on the client PC:
No.  Source          Destination      Proto  Info
28   172.16.PC.222   209.165.201.PC   TCP    34563 > telnet [SYN] Seq=0 Ack=0 Win=5870 Len=0 MSS=1460
31   209.165.201.PC  172.16.PC.222    TCP    telnet > 34563 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

Switch/Lab-OPT-PC# show service-policy SVR-NAT
Status : ACTIVE
-----------------------------------------
Interface: vlan 4PC
  service-policy: SVR-NAT
    class: LNX-SOURCED
      nat:
        nat static 172.16.PC.222 vlan 2PC
        curr conns       : 6         , hit count        : 2
        dropped conns    : 0
        client pkt count : 9         , client byte count: 516
        server pkt count : 7         , server byte count: 1768


Task 2: Configure Static NAT for a Subnet


In this task, you will configure the equivalent of a static destination NAT (DNAT) for the entire server network. This task shows that NAT can be applied based on ACL matches and can cover an entire network address space.

Activity Visualization
The figure illustrates what you will accomplish in this task.

[Figure: Static Destination NAT for a Subnet. Outside global 10.2.PC.0/24 maps to outside local 192.168.1.0/24. Client 209.165.201.PC; ACE VLAN 2PC 172.16.PC.20; ACE VLAN 4PC 192.168.1.1; Servers 192.168.1.10 through 192.168.1.15.]

Activity Procedure
Complete these steps:
Step 1

Create an access list SVR-VLAN-INIT to classify traffic initiated by a device on the server VLAN.
Switch/Lab-OPT-PC(config)# access-list SVR-VLAN-INIT extended permit tcp 192.168.1.0 255.255.255.0 any

Step 2

Define a class map named SERVER-VLAN-SOURCED that matches on the ACL defined to classify server-initiated traffic.
Switch/Lab-OPT-PC(config)# class-map match-all SERVER-VLAN-SOURCED
Switch/Lab-OPT-PC(config-cmap)# match access-list SVR-VLAN-INIT
Switch/Lab-OPT-PC(config-cmap)# exit

Step 3

Edit the multimatch policy map that specifies NAT as the action and remove the previous class match.
Switch/Lab-OPT-PC(config)# policy-map multi-match SVR-NAT
Switch/Lab-OPT-PC(config-pmap)# no class LNX-SOURCED


Step 4

Provide the static IP subnet that will be used for the server traffic, and define which VLAN the server traffic will use after it has been NATed. The first two attempts below are rejected; read the errors before entering the third.

Switch/Lab-OPT-PC(config-pmap)# class SERVER-VLAN-SOURCED
Switch/Lab-OPT-PC(config-pmap-c)# nat static 172.16.PC.0 netmask 255.255.255.0 vlan 2PC
Error: Specified ip address duplicates with an existing ip address configured in the context!

Note

A mapped range that contains an address already configured on an interface in the context is rejected: 172.16.PC.0/24 contains the VLAN 2PC interface address 172.16.PC.20. This prevents the introduction of duplicate IPs. A single mapped host address inside the interface subnet, such as 172.16.PC.222 in Task 1, is accepted because it does not collide with the interface address.

Switch/Lab-OPT-PC(config-pmap-c)# nat static 172.16.PC.128 netmask 255.255.255.128 vlan 2PC
Error: NAT static mapped ip netmask has to match with real ip netmask!

Note

For a subnet translation, the mapped netmask must equal the netmask of the real subnet the class map matches, so that the mapped range has exactly as many addresses as the ACL classifies. Here the class matches 192.168.1.0/24, so a /25 mapped range is rejected.

Switch/Lab-OPT-PC(config-pmap-c)# nat static 10.2.PC.0 netmask 255.255.255.0 vlan 2PC
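The three attempts above, together with the host translation from Task 1, can be modelled to make the two CLI checks and the bidirectional translation explicit. The Python below is an added example, not part of this lab or of the Cisco ACE software; it assumes pod 1 (PC = 1) and the two VLAN interface addresses used in this lab, and it models a class map plus its nat static line as one object. It goes slightly beyond the lab by translating in both directions for the subnet case as well as the host case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed pod 1 (PC = 1) addressing from this lab; constructed for the example.
INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "vlan 201": ipaddress.ip_interface("172.16.1.20/24"),   # client side (outside)
    "vlan 401": ipaddress.ip_interface("192.168.1.1/24"),   # server side (inside)
}


@dataclass(frozen=True)
class StaticNat:
    """One 'class <map> / nat static MAPPED netmask MASK vlan V' rule whose
    class map matches source addresses in `real` (match source-address, or
    an ACL permitting the same subnet)."""
    real: ipaddress.IPv4Network     # real (inside) addresses the class map matches
    mapped: ipaddress.IPv4Network   # translated (outside) range
    vlan: str                       # VLAN on which the mapped range is reachable


def build_static_nat(real_addr: str, real_mask: str, mapped_addr: str,
                     mapped_mask: str, vlan: str,
                     interfaces: Dict[str, ipaddress.IPv4Interface] = INTERFACES) -> StaticNat:
    """Validate a nat static line the way the ACE CLI did in Task 2, Step 4."""
    real = ipaddress.ip_network(f"{real_addr}/{real_mask}", strict=False)
    mapped = ipaddress.ip_network(f"{mapped_addr}/{mapped_mask}", strict=False)
    # Check 1: the mapped range must not contain an address configured on an
    # interface of the context (172.16.PC.0/24 contains the VLAN 2PC address).
    for name, iface in interfaces.items():
        if iface.ip in mapped:
            raise ValueError("Specified ip address duplicates with an existing ip "
                             f"address configured in the context ({name}: {iface.ip})")
    # Check 2: the mapped netmask must equal the real netmask (/25 vs /24 was rejected).
    if mapped.prefixlen != real.prefixlen:
        raise ValueError("NAT static mapped ip netmask has to match with real ip netmask")
    return StaticNat(real, mapped, vlan)


def _shift(addr: ipaddress.IPv4Address, src: ipaddress.IPv4Network,
           dst: ipaddress.IPv4Network) -> str:
    # Keep the host bits and swap the network part: static NAT is a 1:1 mapping.
    return str(dst.network_address + (int(addr) - int(src.network_address)))


def translate_outbound(nat: StaticNat, src_ip: str) -> Optional[str]:
    """Server-initiated flow: real source -> mapped source (Task 1, Step 21)."""
    ip = ipaddress.ip_address(src_ip)
    return _shift(ip, nat.real, nat.mapped) if ip in nat.real else None


def translate_inbound(nat: StaticNat, dst_ip: str) -> Optional[str]:
    """Client-initiated flow: mapped destination -> real destination (Steps 14 and 17)."""
    ip = ipaddress.ip_address(dst_ip)
    return _shift(ip, nat.mapped, nat.real) if ip in nat.mapped else None


def xlate_line(nat: StaticNat, real_ip: str, inside_vlan: str = "vlan 401") -> str:
    """Render the entry that 'show xlate' printed for one real host."""
    return (f"NAT from {inside_vlan.replace(' ', '')}:{real_ip} "
            f"to {nat.vlan.replace(' ', '')}:{translate_outbound(nat, real_ip)} count:1")


if __name__ == "__main__":
    host = build_static_nat("192.168.1.10", "255.255.255.255",
                            "172.16.1.222", "255.255.255.255", "vlan 201")
    print(xlate_line(host, "192.168.1.10"))
    for mapped, mask in [("172.16.1.0", "255.255.255.0"),       # rejected: contains .20
                         ("172.16.1.128", "255.255.255.128"),   # rejected: /25 vs /24
                         ("10.2.1.0", "255.255.255.0")]:        # accepted
        try:
            subnet = build_static_nat("192.168.1.0", "255.255.255.0", mapped, mask, "vlan 201")
            print("accepted:", subnet.mapped, "->", translate_inbound(subnet, "10.2.1.15"))
        except ValueError as err:
            print("Error:", err)
```

The order of the two checks matches what the CLI reported: the 172.16.PC.128/25 attempt passed the duplicate check (it does not contain .20) and then failed on the netmask.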


Step 5

Static NAT is bidirectional, but clients cannot initiate connections to the translated addresses unless an ACL on the client-side (outside) interface permits them. Replace the INBOUND ACL, which currently permits only the single host 172.16.PC.222, so that the client can reach any of the translated addresses, and apply it to VLAN 2PC again.

Switch/Lab-OPT-PC(config)# no access-list INBOUND
Switch/Lab-OPT-PC(config)# access-list INBOUND extended permit tcp host 209.165.201.PC any
Switch/Lab-OPT-PC(config)# interface vlan 2PC
Switch/Lab-OPT-PC(config-if)# access-group input INBOUND
Step 6

Verify that your static subnet NAT is working. Telnet to the servers (10.2.PC.10 through 10.2.PC.15) from your client PC; try several servers. While you are logged into at least one server session, use show conn and show xlate to see the destination NAT. The first connection pair below is your own management Telnet session to the context; the second pair is the client-to-server session, shown before (in) and after (out) translation.

Switch/Lab-OPT-PC# show conn
total current connections : 4
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
12         2  in  TCP   2PC  209.165.201.PC:1039   172.16.PC.20:23       ESTAB
6          2  out TCP   2PC  172.16.PC.20:23       209.165.201.PC:1039   ESTAB
10         2  in  TCP   2PC  209.165.201.PC:1250   10.2.PC.15:23         ESTAB
9          2  out TCP   4PC  192.168.1.15:23       209.165.201.PC:1250   ESTAB

Switch/Lab-OPT-PC# show xlate
NAT from vlan4PC:192.168.1.15 to vlan2PC:10.2.PC.15 count:1
Step 7

Keeping your client-initiated Telnet connection open, examine the Cisco ACE counters.

Switch/Lab-OPT-PC(config-if)# do sho service-policy SVR-NAT
Status : ACTIVE
-----------------------------------------
Interface: vlan 4PC
  service-policy: SVR-NAT
    class: SERVER-VLAN-SOURCED
      nat:
        nat static 10.2.PC.0 vlan 2PC
        curr conns       : 2         , hit count        : 2
        dropped conns    : 0
        client pkt count : 18        , client byte count: 871
        server pkt count : 19        , server byte count: 956

Switch/Lab-OPT-PC(config-if)# do sho access-list INBOUND
access-list:INBOUND, elements: 1, status: ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host 209.165.201.PC any (hitcount=1)


Task 3: Apply the Baseline Configuration


The Cisco ACE ensures that no duplicate IPs exist across contexts per VLAN. Because of the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the server, so that the VLAN interface can be reused in the remaining labs.
Note If you want to compare your completed configuration with the one in the Answer Key provided at the end of this lab, be sure to do so before you complete this task.

Activity Procedure
Use the checkpoint feature to roll back to baseline-mgmt.
Switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Activity Verification
You have completed this task when you have removed the server VLAN from the context.


Answer Key: Using Network Address Translation


When you complete this activity, your switch running-configuration file will be similar to the following, with differences that are specific to your device or workgroup.

Lab 2 Task 1 Answer Key


Generating configuration....
access-list INBOUND line 8 extended permit tcp host 209.165.201.PC host 172.16.PC.222
access-list SVR-INIT line 8 extended permit tcp host 192.168.1.10 any

class-map match-all LNX-SOURCED
  2 match source-address 192.168.1.10 255.255.255.255
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map multi-match SVR-NAT
  class LNX-SOURCED
    nat static 172.16.PC.222 netmask 255.255.255.255 vlan 2PC

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input INBOUND
  service-policy input remote-mgmt
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input SVR-INIT
  service-policy input SVR-NAT
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/ role Admin domain default-domain


Lab 2 Task 2 Answer Key


Changes from the previous task are in boldface.
access-list INBOUND line 8 extended permit tcp host 209.165.201.PC any
access-list SVR-INIT line 8 extended permit tcp host 192.168.1.10 any
access-list SVR-VLAN-INIT line 8 extended permit tcp 192.168.1.0 255.255.255.0 any

class-map match-all LNX-SOURCED
  2 match source-address 192.168.1.10 255.255.255.255
class-map match-all SERVER-VLAN-SOURCED
  2 match access-list SVR-VLAN-INIT
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map multi-match SVR-NAT
  class SERVER-VLAN-SOURCED
    nat static 10.2.PC.0 netmask 255.255.255.0 vlan 2PC

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input INBOUND
  service-policy input remote-mgmt
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input SVR-INIT
  service-policy input SVR-NAT
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/ role Admin domain default-domain


Lab 3: Configuring Server Load Balancing


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will configure your Cisco ACE context to match virtual IP (VIP)-destined traffic and load-balance those flows to the real servers on a private network behind the Cisco ACE context. To accomplish this, class maps classify client traffic destined to a VIP address. This traffic is then load-balanced to a server farm, and one of the real servers is chosen to respond to the client request. To allow client traffic into the Cisco ACE context, an access list is required to permit the client flows. After completing this exercise, you will be able to meet these objectives:
- Define real server containers and server farms
- Configure class maps and policy maps to provide load balancing
- Observe the Cisco ACE load-balancing client traffic
- Roll back the configuration

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Configuring Server Load Balancing. A client-traffic class map matches VIP connections (only traffic destined to a VIP is allowed); a multi-match policy map ties that class to a load-balancing policy map whose class-default points at the server farm; an interface service policy applies the multi-match policy to any interface. The router forwards client traffic to the ACE, which sits in front of Real Server 1 and Real Server 2.]


Required Resources
These are the resources and equipment that are required to complete this activity:
- Cisco 4710 Application Control Engine Appliance
- Server minimally running Telnet and HTTP


Task 1A: Configure Real Servers


In this task, you will add a configuration for the real servers within the pod. The Cisco ACE already has administrative connectivity enabled for the client. You will also create the Modular Policy CLI Layer 3 and 4 load-balancing policy maps and class map at the same time, using the quick configuration tools in the Cisco ACE 4710 Appliance Device Manager. The Modular Policy CLI classifies incoming traffic with class maps, which policy maps then use to apply an action to matching traffic. The simplest such match is load balancing based on a client's attempt to reach a virtual IP address; it is considered a Layer 3 match because it matches only the destination IP and then makes a load-balancing decision.

Activity Procedure
Complete these steps:
Step 1

Connect to your client PC.

Step 2

Make a Telnet connection to the Lab-OPT-PC context at address 172.16.PC.20 and roll back the configuration to baseline-mgmt.

Step 3

Connect to the Cisco ACE appliance at https://172.19.110.29 through your web browser and log in with the username/password admin/admin123.

Step 4

View the Lab-OPT-PC context that will be used for the remainder of this lab. You can double-click your context from Config > Virtual Contexts. When you complete your changes, click the Deploy Now button at the bottom right of the screen.

Context Name: Lab-OPT-PC
Resource Class: Default
VLANs: 2PC, 4PC
Policy Name: MGMT-ACCESS
Management VLAN: 2PC
Management IP Address: 172.16.PC.20
Management IP Netmask: 255.255.255.0
Protocols to Allow: Select all
Default Gateway IP: 172.16.PC.1
SNMP v2c Community: public

Note

You might need to synchronize the web configuration to the CLI configuration, using the Sync button at the bottom of the Config > Virtual Context screen.


Step 5

Create an Admin user for the Lab-OPT-PC context with the username/password of admin/admin123. Click Admin > Role-Based Access Control (under new context).


Step 6

Open another browser and log in to your new context at https://172.16.PC.20 using the username and password that you just created.

Note

If you failed to allow all protocols in Step 4, you will not be able to log in to the web interface of your context.


Step 7

Add a new interface, VLAN 4PC, to allow the Cisco ACE appliance to communicate with the real servers. Use IP address 192.168.1.1/24 for VLAN 4PC. Click Config > Virtual Contexts > Network > VLAN Interfaces, then click the + button to add it.

Step 8

The Cisco Device Manager makes it simple to configure load balancing. Start by creating a VIP named VIP-150 with IP address 172.16.PC.150. For Protocol, choose any, and assign the VIP to VLAN 2PC. This is done from Config > Virtual Contexts > Load Balancing > Virtual Server > Add.


Step 9

Before clicking Deploy Now, choose New under Server Farm. This opens a new menu in which to create a server farm; name it WEBFARM.

Step 10

One more step before deploying this VIP is to create rservers. Create five rservers using the naming convention LINUX-<server_number> and port 80, with these details:

rserver LINUX-1   192.168.1.11
rserver LINUX-2   192.168.1.12
rserver LINUX-3   192.168.1.13
rserver LINUX-4   192.168.1.14
rserver LINUX-5   192.168.1.15

Ensure that the servers are inservice. When finished, click Deploy Now.


Task 1B: Configure Real Servers


In this task, you will add a configuration for the real servers within the pod. The Cisco ACE has administrative connectivity already enabled for the client.

Activity Procedure
Complete these steps:
Step 1

Connect to your client PC.

Step 2

Connect directly to the Cisco ACE management IP address for your Lab 3 context.

C:\> telnet 172.16.PC.20
Trying 172.16.PC.20...
Connected to 172.16.PC.20 (172.16.PC.20).
Escape character is '^]'.
User Access Verification
Username: cisco
Password: cisco123

Step 3

Verify that you are in the correct context by looking at the prompt.
switch/Lab-OPT-PC#

Step 4

Roll back the configuration to baseline-mgmt.


switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt

Step 5

Execute show run to see what is preconfigured for this lab.

Step 6

Allow HTTP and HTTPS management access by adding both protocols to the existing remote-access management class map.

switch/Lab-OPT-PC(config)# class-map type management match-any remote-access
switch/Lab-OPT-PC(config-cmap-mgmt)# match protocol http any
switch/Lab-OPT-PC(config-cmap-mgmt)# match protocol https any

Step 7

The Cisco ACE appliance allows users to set a session time. This can be used to limit the current session or to prevent it from ever timing out. For this lab, disable the session time for your current session.
switch/Lab-OPT-PC# terminal session-timeout 0

Note

In configuration mode, the login timeout command modifies the idle timeout for future sessions.

Step 8

The first step to adding load balancing to the Cisco ACE context is to create real server instances, known as rservers on the Cisco ACE. Use the naming convention LINUX-<server_number>.
switch/Lab-OPT-PC# conf
Enter configuration commands, one per line. End with CNTL/Z.
switch/Lab-OPT-PC(config)# rserver LINUX-1

Note

There are two types of rservers: host and redirect. The default is host, and it does not need to be specified in the command-line interface (CLI) when creating rservers. The redirect type allows the Cisco ACE to redirect web clients to a different URL. For this lab, you will use only rservers of type host.

Step 9

Within the rserver object, assign the IP address of the real server and inservice the object. Use the IP address of 192.168.1.11 for the first real web server.
switch/Lab-OPT-PC(config-rserver-host)# ip address 192.168.1.11
switch/Lab-OPT-PC(config-rserver-host)# inservice
switch/Lab-OPT-PC(config-rserver-host)# exit

Step 10

Create another rserver using the IP address of the second real web server 192.168.1.12 with the name LINUX-2.
switch/Lab-OPT-PC(config)# rserver LINUX-2
switch/Lab-OPT-PC(config-rserver-host)# ip address 192.168.1.12
switch/Lab-OPT-PC(config-rserver-host)# inservice
switch/Lab-OPT-PC(config-rserver-host)# exit

Step 11

View the rservers you have just created, using the show run and show rserver commands.

switch/Lab-OPT-PC(config)# do show run rserver
rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice

switch/Lab-OPT-PC(config)# do show rserver LINUX-1
rserver : LINUX-1, type: HOST
state : INACTIVE
------------------------------------------------------------------
                                                  connections
   real                  weight state        current    total
------------------------+------+------------+----------+----------

Note that an rserver that belongs to no server farm shows state INACTIVE, even though it is inservice.

Step 12

After the rservers have been created, they must be added to a server farm for use in load balancing. The default server farm type is host, and it is the only type used in this lab.
switch/Lab-OPT-PC(config)# serverfarm WEBFARM

Step 13

Add the recently created rservers to the server farm. Be sure to inservice the real servers within the server farm. Failure to do so will cause the Cisco ACE appliance to consider these real servers out of service, and the server farm will not be capable of receiving or responding to client requests.
switch/Lab-OPT-PC(config-sfarm-host)# rserver LINUX-1
switch/Lab-OPT-PC(config-sfarm-host-rs)# inservice
switch/Lab-OPT-PC(config-sfarm-host)# rserver LINUX-2


Step 14

Notice that the output from show rserver has changed after the rservers are added to the server farm.

switch/Lab-OPT-PC(config-sfarm-host-rs)# do show rserver LINUX-1
rserver : LINUX-1, type: HOST
state : OPERATIONAL
------------------------------------------------------------------
                                                  connections
   real                  weight state        current    total
------------------------+------+------------+----------+----------
serverfarm: WEBFARM
   192.168.1.11:0        8      OPERATIONAL  0          0

switch/Lab-OPT-PC(config-sfarm-host-rs)# do show rserver LINUX-2
rserver : LINUX-2, type: HOST
state : OPERATIONAL
------------------------------------------------------------------
                                                  connections
   real                  weight state        current    total
------------------------+------+------------+----------+----------
serverfarm: WEBFARM
   192.168.1.12:0        8      OPERATIONAL  0          0

switch/Lab-OPT-PC(config-sfarm-host-rs)# inservice
switch/Lab-OPT-PC(config-sfarm-host-rs)# do show serverfarm WEBFARM
serverfarm : WEBFARM, type: HOST
total rservers : 2
------------------------------------------------------------------
                                                  connections
   real                  weight state        current    total
------------------------+------+------------+----------+----------
rserver: LINUX-1
   192.168.1.11:0        8      OPERATIONAL  0          0
rserver: LINUX-2
   192.168.1.12:0        8      OPERATIONAL  0          0

What is unusual about these rservers being in the OPERATIONAL state? Can you ping them? Why or why not?


Step 15

Add the other three web servers to the server farm WEBFARM and ensure that all five web servers are in the OPERATIONAL state. The three additional web servers are:

LINUX-3   192.168.1.13
LINUX-4   192.168.1.14
LINUX-5   192.168.1.15

Step 16

Add a new interface to allow the Cisco ACE appliance to communicate with the real servers. Use IP address 192.168.1.1/24 for VLAN 4PC.
switch/Lab-OPT-PC(config)# interface vlan 4PC
switch/Lab-OPT-PC(config-if)# ip address 192.168.1.1 255.255.255.0
switch/Lab-OPT-PC(config-if)# description Servers vlan
switch/Lab-OPT-PC(config-if)# no shut
switch/Lab-OPT-PC(config-if)# exit
switch/Lab-OPT-PC(config)# exit

Step 17

Use the show arp command to observe how the Cisco ACE populates its Address Resolution Protocol (ARP) table.

switch/Lab-OPT-PC# show arp
Context Lab-OPT-PC
================================================================================
IP ADDRESS       MAC-ADDRESS         Interface  Type       Encap  NextArp(s)  Status
================================================================================
172.16.PC.1      00.d0.04.ec.0c.00   vlan2PC    GATEWAY    71     61 sec      up
172.16.PC.20     00.12.43.dc.83.05   vlan2PC    INTERFACE  LOCAL  _           up
192.168.1.1      00.05.9a.3b.9a.c1   vlan4PC    INTERFACE  LOCAL  _           up
192.168.1.11     00.50.56.29.01.01   vlan4PC    RSERVER    78     297 sec     up
192.168.1.12     00.50.56.29.01.01   vlan4PC    RSERVER    77     297 sec     up
192.168.1.13     00.50.56.29.01.01   vlan4PC    RSERVER    81     297 sec     up
192.168.1.14     00.50.56.29.01.01   vlan4PC    RSERVER    80     297 sec     up
192.168.1.15     00.50.56.29.01.01   vlan4PC    RSERVER    79     297 sec     up
================================================================================
Total arp entries 8

Activity Verification
You have completed this task when you attain these results: The rservers created are in the OPERATIONAL state. The rservers are in the OPERATIONAL state within the server farm. ARP entries exist for each of the rservers.


Task 2A: Configuring Load-Balancing Class Maps and Policy Maps


In the first task, you created your VIP (Layer 3 and 4 class map), rservers, server farm, Layer 3 and 4 policy map (multimatch policy map or service policy) and Layer 7 load-balancing policy map. All that remains to do in this step is to add an access control list (ACL) to permit traffic to the interface where client traffic will be received (VLAN 2PC).

Activity Procedure
Complete these steps:
Step 1

Create an access control list to permit client traffic and apply it to VLAN 2PC. Click Config > Virtual Contexts > Security > ACLs, click the + button, and enter:

Name: EVERYONE
Type: Extended

Then click Deploy Now.

Step 2

Now add entries to the ACL, using the plus sign (+):

Protocol: IP
Permit: yes
Any Source: yes
Any Destination: yes

Then click Deploy Now.

Note

When you click Any Source or Any Destination, the configuration options will change.


Step 3

Add the ACL EVERYONE to VLAN 2PC. Click Config > Virtual Contexts > Network > VLAN Interfaces. Choose VLAN 2PC and the Access Group tab, click the + button, and choose EVERYONE for ACL Name. Choose the Input radio button and then click Deploy Now.


Task 2B: Configuring Load-Balancing Class Maps and Policy Maps


The Cisco ACE appliance uses a Modular Policy CLI to classify incoming traffic with class maps, which policy maps then use to apply an action to matching traffic. The simplest such match is load balancing based on a client's attempt to reach a virtual IP (VIP) address. This type of match is considered Layer 3 because it matches only the destination IP and then makes a load-balancing decision.

Activity Procedure
Complete these steps:
Step 1
Start by creating a class map to distinguish traffic destined for a VIP from traffic destined elsewhere. Use the IP address 172.16.PC.150.

switch/Lab-OPT-PC(config)# class-map VIP-150
switch/Lab-OPT-PC(config-cmap)# match virtual-address 172.16.PC.150 any

Step 2
A policy map of type loadbalance is required. The Cisco ACE will attempt to match the defined class maps at Layers 5 through 7 in their order of occurrence, as indicated by the keyword first-match. The class-default class is used to handle nonmatching client requests. The significance of the class map order will be apparent in a later lab. For this task, simply create a load-balancing policy map using class-default.

switch/Lab-OPT-PC(config)# policy-map type loadbalance first-match lb-logic
switch/Lab-OPT-PC(config-pmap-lb)# class class-default
switch/Lab-OPT-PC(config-pmap-lb-c)# serverfarm WEBFARM

Step 3
Use the show run policy-map command to view the configuration additions.

switch/Lab-OPT-PC(config-pmap-lb-c)# do show run policy-map
policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match lb-logic
  class class-default
    serverfarm WEBFARM

Step 4
Now another policy map is used, but this time the type is multi-match. This policy simply ties classified incoming requests (at Layer 3 or Layer 4) to a load-balancing-type policy map. Create a multi-match policy and apply the class map that defines the VIP address.

switch/Lab-OPT-PC(config)# policy-map multi-match CLIENT-VIPS
switch/Lab-OPT-PC(config-pmap)# class VIP-150
switch/Lab-OPT-PC(config-pmap-c)# loadbalance policy lb-logic
switch/Lab-OPT-PC(config-pmap-c)# loadbalance vip inservice


Step 5
View the running configuration to observe the new policy map.

switch/Lab-OPT-PC(config-pmap-c)# do show run policy-map
Generating configuration....

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match lb-logic
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-150
    loadbalance vip inservice
    loadbalance policy lb-logic

Step 6
Apply the multi-match policy map to the client-facing interface.

switch/Lab-OPT-PC(config)# interface vlan 2PC
switch/Lab-OPT-PC(config-if)# service-policy input CLIENT-VIPS

Step 7
Verify that the VIP is applied and inservice (meaning that the Cisco ACE will respond to traffic destined to the VIP address). Use the show service-policy command with and without the detail parameter to view the additional information that the Cisco ACE provides.

switch/Lab-OPT-PC(config-if)# do sho service-policy CLIENT-VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 2PC
  service-policy: CLIENT-VIPS
    class: VIP-150
      loadbalance:
        L7 loadbalance policy: lb-logic
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0

switch/Lab-OPT-PC(config-if)# do sho service-policy CLIENT-VIPS detail
Status : ACTIVE
Description:
-----------------------------------------
Interface: vlan 2PC
  service-policy: CLIENT-VIPS
    class: VIP-150
      loadbalance:
        L7 loadbalance policy: lb-logic
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        L7 Loadbalance policy : lb-logic
          class/match : class-default
            LB action :
               serverfarm: WEBFARM
               hit count        : 0
               dropped conns    : 0
Step 8
Create a new access list from the global configuration.

switch/Lab-OPT-PC(config)# no access-list Everyone
switch/Lab-OPT-PC(config)# access-list EVERYONE extended permit tcp any any

Step 9
Now simply apply the access list to the client-facing interface.

switch/Lab-OPT-PC(config)# interface vlan 2PC
switch/Lab-OPT-PC(config-if)# access-group input EVERYONE
switch/Lab-OPT-PC(config-if)# do sho access-list EVERYONE
access-list:EVERYONE, elements: 1, status: ACTIVE
remark :
access-list EVERYONE line 10 extended permit tcp any any (hitcount=0)

Activity Verification
You have completed this task when you attain these results:
  The service policy is in the ACTIVE state.
  The access list is in the ACTIVE state.


Task 3: Test the New VIP Load-Balancing Configuration


In this task, you will verify that Layer 3 and 4 load balancing is working correctly. This should be the same task for both the GUI and the command-line interface (CLI).

Activity Procedure
Complete these steps:
Step 1
Use a browser on the client PC to verify that the Cisco ACE appliance is load-balancing traffic to the server farm, using the URL http://172.16.PC.150/.

Note: The color of an image indicates which server supplied the image.

Step 2
Notice that the service policy counters increment as connections are handled.

Note: Because the Cisco ACE 4710 Appliance Device Manager interface autogenerates policy map and class map names, some differences might occur between the CLI and GUI configurations.

switch/Lab-OPT-PC(config-if)# do sho service-policy CLIENT-VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 2PC
  service-policy: CLIENT-VIPS
    class: VIP-150
      loadbalance:
        L7 loadbalance policy: lb-logic
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 10
        dropped conns    : 0
        client pkt count : 71        , client byte count: 5520
        server pkt count : 90        , server byte count: 64712
Step 3
Show the access control list (ACL) to see the incoming requests.

switch/Lab-OPT-PC(config-if)# do sho access-list EVERYONE
access-list:EVERYONE, elements: 1, status: ACTIVE
remark :
access-list EVERYONE line 10 extended permit tcp any any (hitcount=10)

Activity Verification
You have completed this task when you attain this result:
  HTTP requests to the VIP are successfully load-balanced.


Task 4: Apply the Baseline Configuration


The Cisco ACE ensures that no duplicate IPs exist across contexts per VLAN. Because of the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the server, so that the VLAN interface can be reused in the remaining labs.

Activity Procedure
Step 1
Use the checkpoint feature to roll back to baseline-mgmt.

switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Activity Verification
You have completed this task when you have removed the server VLAN from the context.


Lab 3 Answer Key


Initial Configuration Sample

switch/Lab-OPT-PC# sho run
Generating configuration....

class-map type management match-any remote-access
  description remote-access
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

interface vlan 2PC
  ip address 172.16.PC.11 255.255.255.0
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0  role Admin domain default-domain

Final Configuration Sample for a Working SLB Configuration

switch/Lab-OPT-PC# sho run
Generating configuration....

access-list EVERYONE line 10 extended permit tcp any any

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice

serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice

class-map match-all VIP-150
  2 match virtual-address 172.16.PC.150 any
class-map type management match-any remote-access
  description remote-access
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit
policy-map type loadbalance first-match lb-logic
  class class-default
    serverfarm WEBFARM
policy-map multi-match CLIENT-VIPS
  class VIP-150
    loadbalance vip inservice
    loadbalance policy lb-logic

interface vlan 2PC
  ip address 172.16.PC.11 255.255.255.0
  access-group input EVERYONE
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0  role Admin domain default-domain


Lab 4: Implementing Health Monitoring


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will configure your Cisco ACE context to monitor real servers. After completing this exercise, you will be able to meet these objectives:
  Define health monitoring for a real server
  Define health monitoring for a real server within a server farm
  Define health monitoring for an entire server farm
  Roll back the configuration

Visual Objective
The figure illustrates what you will accomplish in this activity.

Figure: Implementing Health Monitoring. A router connects to a Catalyst 6500 with the ACE; behind it are a primary rserver and a backup rserver. The figure shows the three probe placements covered in this lab: rserver probe, serverfarm probe, and passive probe.

Required Resources
These are the resources and equipment that are required to complete this activity:
  Cisco 4710 Application Control Engine Appliance
  Server minimally running Telnet and HTTP


Task 1A: Configure Health Monitoring for Real Servers


When configuring the Cisco ACE for health probe monitoring, out-of-band health monitoring allows the Cisco ACE to send active probes periodically to determine the server state. Internet Control Message Protocol (ICMP), TCP, HTTP, and other predefined health probes, including scripted probes, are in this health monitoring category. The Cisco ACE supports 4000 unique probes and 256 scripted probes per system, and allocates 1000 sockets for health monitoring. There are three ways to apply probes on the Cisco ACE; this task will show how to apply probes per rserver.

Activity Procedure
Complete these steps:
Step 1
Connect to your client PC.

Step 2
Telnet to the LAB-OPT-PC context at address 172.16.PC.20 and roll back the configuration to SLB-END.

Step 3
Connect to the Cisco ACE Appliance at address https://172.19.110.20 through your web browser and log in with the username/password cisco/cisco123.

Step 4
Create a probe of type HTTP. Click Config > Virtual Contexts > Load Balancing > Health Monitoring, then the + button to add:
  Name: get-index
  Probe Interval: 15
Then click Deploy Now.

Step 5
Deploy the probe and apply it to the rserver LINUX-1. Click Config > Virtual Contexts > Load Balancing > Real Servers, and double-click the rserver to edit it.

Step 6
Check the status of the probe. Click Monitor > Virtual Contexts > Probes > Detail, and Monitor > Virtual Context > Real Servers. Choose your Lab-OPT-PC context.

Note: If you see a yellow message that says "Polling is not functioning", verify that the SNMP v2c community string is correctly configured: click Config > Virtual Contexts > System > SNMP, click the + button in the bottom section and add public to the SNMP v2c Community field; then proceed with this step.

Step 7
Why is the probe failing? Add an expect status of 200 200 to the probe. Click Config > Virtual Contexts > Load Balancing > Health Monitoring.

Step 8
Recheck the status of the probe. Click Monitor > Virtual Contexts > Probes > Detail.

Step 9
Shut down VLAN interface 4PC. Click Config > Virtual Contexts > Network > VLAN Interfaces.

Step 10
Recheck the status of the probe (wait for the probe to fail). Click Monitor > Virtual Contexts > Probes > Detail.

Step 11
Bring VLAN interface 4PC back up. Click Config > Virtual Contexts > Network > VLAN Interfaces.

Step 12
Recheck the status of the probe (wait for the probe to succeed). Click Monitor > Virtual Contexts > Probes > Detail.

Task 1B: Configure Health Monitoring for Real Servers


When configuring the Cisco ACE for health probe monitoring, out-of-band health monitoring allows the Cisco ACE to send active probes periodically to determine the server state. Internet Control Message Protocol (ICMP), TCP, HTTP, and other predefined health probes, including scripted probes, are in this health monitoring category. The Cisco ACE supports 4000 unique probes and 256 scripted probes per system, and allocates 1000 sockets for health monitoring. There are three ways to apply probes on Cisco ACE; this task will show how to apply probes per rserver.

Activity Procedure
Complete these steps:
Step 1
Connect to your client PC.

Step 2
Connect to the Cisco ACE management IP address for this lab context.

C:\> telnet 172.16.PC.20
Username: cisco
Password: cisco123
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Step 3

Verify that you are in the correct context by looking at the prompt:
Switch/Lab-OPT-PC#

Step 4
Use the checkpoint system to roll the configuration back to SLB-END.

Step 5
Use show run to see what is preconfigured for this lab.

Note: This lab is built on the principles learned in the previous lab.

Step 6
Create an HTTP GET request probe.

switch/Lab-OPT-PC(config)# probe http get-index

Step 7
Show the probe you just created:

switch/Lab-OPT-PC(config)# do show probe detail
probe       : get-index
type        : HTTP, state : INACTIVE
description :
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 120     pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   http method      : GET
   http url         : /
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout : 10
   expect regex     :
   send data        :
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------

Note: The default is an HTTP GET, with a graceful TCP shutdown (TCP FIN sequence).

Step 8
Now that you see the default parameters, change the interval timer so that the Cisco ACE probes more frequently.

switch/Lab-OPT-PC(config-probe-http)# interval 15

Step 9
Assign the probe to an rserver.

switch/Lab-OPT-PC(config)# rserver LINUX-1
switch/Lab-OPT-PC(config-rserver-host)# probe get-index

Note: Probe names are case sensitive.

Step 10
Look at the details of the probe several times over several seconds.

switch/Lab-OPT-PC(config-rserver-host)# do show probe
probe       : GET-INDEX
type        : HTTP, state : ACTIVE
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 15      pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   rserver     : LINUX-1
                       192.168.1.11    0          0          0          INIT

switch/Lab-OPT-PC(config-rserver-host)# do show probe
probe       : GET-INDEX
type        : HTTP, state : ACTIVE
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 120     pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   rserver     : LINUX-1
                       192.168.1.11    1          1          0          FAILED

Why did the probe fail? ____________________________________________________________________________


Step 11
This is a change from the default behavior of the Caching Services Module (CSM). The Cisco ACE does not accept any response code by default. Adding one will enable a successful probe.

switch/Lab-OPT-PC(config-rserver-host)# probe http get-index
switch/Lab-OPT-PC(config-probe-http)# expect status 200 200

Note: With the default settings, the probe will take three (pass count) iterations of 300 seconds (pass interval) before the rserver is put back into rotation. To expedite the process, simply perform a no inservice/inservice on the rserver; this forces the probing to re-enter the initialization state.

switch/Lab-OPT-PC(config-probe-http)# rserver LINUX-1
switch/Lab-OPT-PC(config-rserver-host)# no ins
switch/Lab-OPT-PC(config-rserver-host)# ins
switch/Lab-OPT-PC(config-rserver-host)# do show probe
probe       : GET-INDEX
type        : HTTP, state : ACTIVE
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 120     pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   rserver     : LINUX-1
                       192.168.1.11    5          1          4          SUCCESS

Step 12
Force the probe to fail by shutting down the server-side VLAN.

switch/Lab-OPT-PC(config-rserver-host)# interface vlan 4PC
switch/Lab-OPT-PC(config-if)# shutdown


Step 13
View the probe again, and with details, after a single probe has failed. Notice that a reason is now listed for the last probe failure.

switch/Lab-OPT-PC(config-if)# do sho probe
probe       : GET-INDEX
type        : HTTP, state : ACTIVE
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 15      pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   rserver     : LINUX-1
                       192.168.1.11    36         2          35         SUCCESS

switch/Lab-OPT-PC(config-if)# do sho probe get-index detail
probe       : GET-INDEX
type        : HTTP, state : ACTIVE
description :
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 15      pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   http method      : GET
   http url         : /
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout : 10
   expect regex     :
   send data        :
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   rserver     : LINUX-1
                       192.168.1.11    36         2          35         SUCCESS
   Socket state        : CLOSED
   No. Passed states   : 1         No. Failed states : 0
   No. Probes skipped  : 0         Last status code  : 0
   No. Out of Sockets  : 0         No. Internal error: 0
   Last disconnect err : Server open timeout (no SYN ACK)
   Last probe time     : Sat Apr 8 22:46:58 2006
   Last fail time      : Never
   Last active time    : Sat Apr 8 22:36:28 2006

Step 14
After three consecutive probes have failed, the probe takes the rserver out of service by placing it in the PROBE-FAILED state.

switch/Lab-OPT-PC(config-if)# do sho probe
probe       : GET-INDEX
type        : HTTP, state : ACTIVE
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 15      pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   rserver     : LINUX-1
                       192.168.1.11    39         4          35         FAILED

switch/Lab-OPT-PC(config-if)# do sho rserver LINUX-1
rserver              : LINUX-1, type: HOST
state                : PROBE-FAILED
---------------------------------------------
                                                ----------connections-----------
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: WEBFARM
       192.168.1.11:0        8      PROBE-FAILED 0          0

Step 15
Enable the server VLAN interface and verify that the probe succeeds and that the rserver is placed back in an operational state.

Note: The pass detect interval is 5 minutes, so expect this delay if the default value was not altered.

Activity Verification
You have completed this task when you have configured a probe for an rserver and verified that it is successfully monitoring the rserver.


Task 2A: Configure Health Monitoring for a Server Farm


In this task, you will deploy a probe for all rservers within the server farm.

Activity Procedure
Complete these steps:
Step 1
Create a Telnet probe named L4-TCP. Click Config > Virtual Contexts > Load Balancing > Health Monitoring.
  Type: TCP
  Port: 23
  Interval: 5
  Passdetect Interval: 10

Step 2
Apply the probe to the server farm WEBFARM. Click Config > Virtual Contexts > Load Balancing > Server Farms.

Step 3
Check the status of the probe. Click Monitor > Virtual Contexts > Probes > Detail.

Step 4
See Step 3 of Task 2B for probe verification.

Step 5
Remove the L4-TCP probe from the server farm. Click Config > Virtual Contexts > Load Balancing > Server Farms.

Step 6
Remove the L4-TCP probe. Click Config > Virtual Contexts > Load Balancing > Health Monitoring.

Task 2B: Configure Health Monitoring for a Server Farm


In this task, you will deploy a probe for all rservers within the server farm.

Activity Procedure
Complete these steps:
Step 1
Create a simple Layer 4 probe for TCP. Configure it for port 23 to check the Telnet port for TCP connectivity. Reduce the intervals for failure and pass detection.

switch/Lab-OPT-PC(config)# probe tcp L4-TCP
switch/Lab-OPT-PC(config-probe-tcp)# port 23
switch/Lab-OPT-PC(config-probe-tcp)# interval 5
switch/Lab-OPT-PC(config-probe-tcp)# passdetect interval 10
switch/Lab-OPT-PC(config-probe-tcp)# connection term forced
switch/Lab-OPT-PC(config-probe-tcp)# do sho run probe
Generating configuration....

probe http GET-INDEX
  interval 15
  expect status 200 200

probe tcp L4-TCP
  port 23
  interval 5
  passdetect interval 10

Step 2
Apply the TCP probe to the existing server farm and observe the probes using show commands.

switch/Lab-OPT-PC(config-probe-tcp)# exit
switch/Lab-OPT-PC(config)# serverfarm WEBFARM
switch/Lab-OPT-PC(config-sfarm-host)# probe L4-TCP
switch/Lab-OPT-PC(config-sfarm-host)# do show probe
probe       : GET-INDEX
type        : HTTP, state : ACTIVE
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 15      pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   rserver     : LINUX-1
                       192.168.1.11    123        0          123        SUCCESS

probe       : L4-TCP
type        : TCP, state : ACTIVE
----------------------------------------------
   port      : 23      address     : 0.0.0.0         addr type  :
   interval  : 5       pass intvl  : 10              pass count : 3
   fail count: 3       recv timeout: 10
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : WEBFARM
     real      : LINUX-1[0]
                       192.168.1.11    1          0          1          SUCCESS
     real      : LINUX-2[0]
                       192.168.1.12    1          0          1          SUCCESS
     real      : LINUX-3[0]
                       192.168.1.13    1          0          1          SUCCESS
     real      : LINUX-4[0]
                       192.168.1.14    1          0          1          SUCCESS
     real      : LINUX-5[0]
                       192.168.1.15    1          0          1          SUCCESS

Step 3
Use Telnet to access the real server and view the probes arriving from the Cisco ACE. Make sure to limit the capture to avoid capturing your current session. Press Ctrl-C to terminate Tethereal.

switch/Lab-OPT-PC(config-probe-tcp)# do telnet 192.168.1.11
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
linux1 (Linux release 2.6.9-11.ELsmp #1 SMP Fri May 20 18:26:27 EDT 2005) (0)

login: cisco
Password for cisco: cisco
login: Resource temporarily unavailable while getting initial credentials
Last login: Tue Jun 20 06:08:07 from 192.168.1.99
[cisco@linux1 ~]$ tethereal
-bash: tethereal: command not found
[cisco@linux1 ~]$ su
Password: cisco123
[root@linux1 ~]# tethereal -R "ip.addr == 192.168.1.11"
Capturing on eth0
  0.481551 192.168.1.1 -> 192.168.1.11 TCP 37204 > telnet [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=199555497 TSER=0 WS=0
  0.483704 192.168.1.11 -> 192.168.1.1 TCP telnet > 37204 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=2175843216 TSER=199555497 WS=2
  0.484179 192.168.1.1 -> 192.168.1.11 TCP 37204 > telnet [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=199555497 TSER=2175843216
  0.484700 192.168.1.1 -> 192.168.1.11 TCP 37204 > telnet [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=199555497 TSER=2175843216
  4.335322 192.168.1.1 -> 192.168.1.11 TCP 37213 > telnet [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=199555997 TSER=0 WS=0
  4.336859 192.168.1.11 -> 192.168.1.1 TCP telnet > 37213 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=2175847069 TSER=199555997 WS=2
  4.337184 192.168.1.1 -> 192.168.1.11 TCP 37213 > telnet [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=199555997 TSER=2175847069
  4.337902 192.168.1.1 -> 192.168.1.11 TCP 37213 > telnet [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=199555997 TSER=2175847069

Note: Press Ctrl-C to quit. Observe that the probes originate from the Cisco ACE interface that is connected to the servers through Layer 3.

Activity Verification
You have completed this task when you attain these results:
  Configured a probe for an rserver and verified that it is successfully monitoring the rserver
  Configured a probe for a server farm and displayed the resulting traffic


Task 3: Configure Health Monitoring for a Real Server Within a Server Farm
In this task, you will deploy a probe for a single real server within the server farm.

Activity Procedure
Complete these steps:
Step 1
Create a probe for HTTPS. Reduce the intervals for failure and pass detection.

switch/Lab-OPT-PC(config)# probe https L5-SSL
switch/Lab-OPT-PC(config-probe-https)# interval 5
switch/Lab-OPT-PC(config-probe-https)# passdetect interval 10
switch/Lab-OPT-PC(config-probe-https)# do sho run probe | beg L5
Generating configuration....

probe https L5-SSL
  interval 5
  passdetect interval 10

Step 2
Apply the HTTPS probe to a single rserver within the existing server farm and observe it, using show commands.

switch/Lab-OPT-PC(config-probe-https)# exit
switch/Lab-OPT-PC(config)# serverfarm WEBFARM
switch/Lab-OPT-PC(config-sfarm-host)# rserver LINUX-5
switch/Lab-OPT-PC(config-sfarm-host-rs)# probe L5-SSL
switch/Lab-OPT-PC(config-sfarm-host-rs)# do show probe L5-SSL
probe       : L5-SSL
type        : HTTPS, state : ACTIVE
----------------------------------------------
   port      : 443     address     : 0.0.0.0         addr type  :
   interval  : 10      pass intvl  : 20              pass count : 3
   fail count: 3       recv timeout: 10
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   real        : LINUX-5[0]
   serverfarm  : WEBFARM
                       192.168.1.15    1          1          0          FAILED

Tip: By taking the rserver out of service and placing it back in service, the Cisco ACE resets the probing sequence and thus reduces the time it takes for the changes to take effect.


Step 3
There are several ways to determine why the probe is failing. One approach is to look at the server, verify that Secure Sockets Layer (SSL) is running, and use a sniffer trace to view the probe from the Cisco ACE.

switch/Lab-OPT-PC(config-sfarm-host-rs)# do telnet 192.168.1.15
login: cisco
password for cisco: cisco
[cisco@linux1 ~]$ su -
Password: cisco123
[root@linux1 ~]# netstat -l | egrep "https|Address"
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:https                 *:*                     LISTEN
[root@linux1 ~]# tethereal -R "tcp.port == 443"
Capturing on eth0
 11.974627 192.168.1.1 -> 192.168.1.15 TCP 38508 > https [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=199666757 TSER=0 WS=0
 11.976089 192.168.1.15 -> 192.168.1.1 TCP https > 38508 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=2176688287 TSER=199666757 WS=2
 11.977023 192.168.1.1 -> 192.168.1.15 TCP 38508 > https [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=199666757 TSER=2176688287
 11.979669 192.168.1.1 -> 192.168.1.15 SSLv3 Client Hello
 11.979953 192.168.1.15 -> 192.168.1.1 TCP https > 38508 [ACK] Seq=1 Ack=81 Win=5792 Len=0 TSV=2176688291 TSER=199666757
 12.017120 192.168.1.15 -> 192.168.1.1 SSLv3 Server Hello, Certificate, Server Hello Done
 12.018666 192.168.1.1 -> 192.168.1.15 TCP 38508 > https [ACK] Seq=81 Ack=1144 Win=8001 Len=0 TSV=199666758 TSER=2176688328
 12.033203 192.168.1.1 -> 192.168.1.15 SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
 12.048926 192.168.1.15 -> 192.168.1.1 SSLv3 Change Cipher Spec, Encrypted Handshake Message
 12.050995 192.168.1.1 -> 192.168.1.15 SSLv3 Application Data
 12.064005 192.168.1.15 -> 192.168.1.1 SSLv3 Application Data
 12.067325 192.168.1.1 -> 192.168.1.15 SSLv3 Encrypted Alert
 12.067334 192.168.1.1 -> 192.168.1.15 TCP 38508 > https [RST, ACK] Seq=415 Ack=1512 Win=10287 Len=0 TSV=199666761 TSER=2176688375

Note: Observe that the probes are requesting HTTP data and receiving HTTP data from the server; these messages are seen as Application Data in the SSL analysis. Immediately after receiving the server data, the Cisco ACE closes SSL and tears down the connection with a TCP RST. This indicates that the Cisco ACE found something wrong with the returned data, because with successful probes the Cisco ACE closes TCP with a FIN sequence.


Step 4
You could continue tracing to see more of what is occurring. Try the following command. Warning: the output is verbose (a large screen dump); use caution and press Ctrl-C to quit.

[root@linux1 ~]# tethereal -V -R "tcp.port == 443"
<snippets>

ClientHello
Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 75
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 71
            Version: SSL 3.0 (0x0300)
            Random.gmt_unix_time: Jul 5, 2006 20:05:50.000000000
            Random.bytes
            Session ID Length: 0
            Cipher Suites Length: 32
            Cipher Suites (16 suites)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
                Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
                Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 (0x0061)
                Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x0060)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
                Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
                Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002)
                Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)

ServerHello
Secure Socket Layer
    SSLv3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 74
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 70
            Version: SSL 3.0 (0x0300)
            Random.gmt_unix_time: Jun 25, 2006 11:22:51.000000000
            Random.bytes
            Session ID Length: 32
            Session ID (32 bytes)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Compression Method: null (0)
    SSLv3 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 1050
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 1046
            Certificates Length: 1043
            Certificates (1043 bytes)

2008 Cisco Systems, Inc.

Lab Guide

75

Step 5

Although the sniffer traces show valuable information that covers the default HTTPS probe characteristics, they do not add any more useful data than what you have already determined. You could look for another approach to troubleshooting, because all that is left is to use SSLdump with the server's SSL certificate and RSA key to decrypt the messages. Rather than going to that step, you could view the detail of the probe.

Switch/Lab-OPT-PC# sho probe L5-SSL detail
probe       : L5-SSL
type        : HTTPS, state : ACTIVE
description :
----------------------------------------------
   port      : 443     address     : 0.0.0.0     addr type  :
   interval  : 10      pass intvl  : 20          pass count : 3
   fail count: 3       recv timeout: 10
   http method      : GET
   http url         : /
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout : 10
   expect regex     :
   send data        :
                     --------------------- probe results --------------------
   probe association   probed-address  probes  failed  passed  health
   ------------------- ---------------+----------+----------+----------+-------
   real : LINUX-5[0]
   serverfarm: WEBFARM  192.168.1.15    10      10      0       FAILED

   Socket state        : CLOSED
   No. Passed states   : 0         No. Failed states : 1
   No. Probes skipped  : 0         Last status code  : 0
   No. Out of Sockets  : 0         No. Internal error: 0
   Last disconnect err : Received invalid status code
   Last probe time     : Thu Jul 6 03:03:30 2006
   Last fail time      : Thu Jul 6 03:00:40 2006
   Last active time    : Never

Step 6

This was much more useful than the sniffer approach. It is telling you something that you have seen before with the HTTP probe: the HTTPS probe is simply the HTTP probe run through OpenSSL in the control plane. Thus, for HTTPS it is mandatory to configure the expected status before the probe will succeed.

switch/Lab-OPT-PC(config)# probe https L5-SSL
switch/Lab-OPT-PC(config-probe-https)# expect status 200 499
switch/Lab-OPT-PC(config-probe-https)# do sho probe L5-SSL
probe       : L5-SSL
type        : HTTPS, state : ACTIVE
----------------------------------------------
   port      : 443     address     : 0.0.0.0     addr type  :
   interval  : 10      pass intvl  : 20          pass count : 3
   fail count: 3       recv timeout: 10
                     --------------------- probe results --------------------
   probe association   probed-address  probes  failed  passed  health
   ------------------- ---------------+----------+----------+----------+-------
   real : LINUX-5[0]
   serverfarm: WEBFARM  192.168.1.15    67      14      53      SUCCESS
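The probe behaviour the last two steps expose can be modelled offline. The following is an added example, not ACE code and not part of the lab guide: it reproduces the settings in the show probe output (fail count 3, pass count 3, optional expect status ranges and expect regex), drives a constructed probe through Step 5 (no expect status, every answer is reported as an invalid status code) and Step 6 (expect status 200 499), and returns the probe results row; the response codes fed to it are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of an ACE HTTPS probe as shown by "sho probe L5-SSL detail".
# The state machine below is an illustration, not the appliance's implementation.


@dataclass
class HttpsProbe:
    name: str
    expect_status: List[Tuple[int, int]] = field(default_factory=list)  # (min, max) ranges
    expect_regex: Optional[str] = None
    fail_count: int = 3            # consecutive failures before health becomes FAILED
    pass_count: int = 3            # consecutive passes before health becomes SUCCESS
    probes: int = 0
    failed: int = 0
    passed: int = 0
    streak: int = 0                # > 0: run of passes, < 0: run of failures
    health: str = "INIT"
    last_disconnect_err: str = ""

    def probe(self, status: Optional[int], body: str = "") -> bool:
        """One probe cycle; status None models a TCP/TLS connection that never completed."""
        if status is None:
            return self._record(False, "Connection refused")
        # The lab's lesson: the HTTPS probe is the HTTP probe run through OpenSSL, and with
        # no "expect status" configured every response is reported as an invalid status code.
        if not any(lo <= status <= hi for lo, hi in self.expect_status):
            return self._record(False, "Received invalid status code")
        if self.expect_regex and not re.search(self.expect_regex, body):
            return self._record(False, "Regex match failed")
        return self._record(True)

    def _record(self, ok: bool, err: str = "") -> bool:
        self.probes += 1
        if ok:
            self.passed += 1
            self.streak = max(self.streak, 0) + 1
            if self.streak >= self.pass_count:
                self.health = "SUCCESS"
        else:
            self.failed += 1
            self.last_disconnect_err = err
            self.streak = min(self.streak, 0) - 1
            if -self.streak >= self.fail_count:
                self.health = "FAILED"
        return ok

    def results(self) -> Dict[str, object]:
        """The 'probe results' row of show probe: probes / failed / passed / health."""
        return {"probes": self.probes, "failed": self.failed, "passed": self.passed,
                "health": self.health, "last_disconnect_err": self.last_disconnect_err}


def lab4_step5() -> Dict[str, object]:
    """L5-SSL as first configured: no expect status, server answering HTTP 200 every time."""
    p = HttpsProbe("L5-SSL")
    for _ in range(10):                      # ten probe cycles, all answered with 200
        p.probe(200, "<html>ok</html>")
    return p.results()


def lab4_step6() -> Dict[str, object]:
    """After 'expect status 200 499': same server, plus one 500 and one failed connection."""
    p = HttpsProbe("L5-SSL", expect_status=[(200, 499)])
    for _ in range(3):
        p.probe(200, "<html>ok</html>")      # three passes reach pass count -> SUCCESS
    p.probe(500)                             # outside 200-499: failed, health still SUCCESS
    p.probe(None)                            # second failure, still below fail count 3
    p.probe(404, "not found")                # 404 is inside the configured range: a pass
    return p.results()


if __name__ == "__main__":
    print("step 5:", lab4_step5())
    print("step 6:", lab4_step6())
```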

Activity Verification
You have completed this task when you have configured a probe for an rserver and verified that it is successfully monitoring the rserver.

76

Implementing the Cisco ACE Appliance (ACEAP) v1.0

2008 Cisco Systems, Inc.

Task 4: Apply the Baseline Configuration


The Cisco ACE ensures that no duplicate IPs exist across contexts per VLAN. Due to the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the server, so that it can be reused in the remaining labs.

Activity Procedure
Use the checkpoint feature to roll back to baseline-mgmt.
Switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Activity Verification
You have completed this task when you have removed the server VLAN from the context.


Lab 4 Answer Key


Switch/Lab-OPT-PC# sho run
Generating configuration....

logging enable
logging monitor 0

login timeout 0

access-list everyone line 10 extended permit tcp any any

probe tcp L4-TCP
  port 23
  interval 5
  passdetect interval 10
  connection term forced
probe https L5-SSL
  interval 5
  passdetect interval 10
  expect status 200 499
probe http GET-INDEX
  interval 15
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  probe GET-INDEX
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice

serverfarm host WEBFARM
  probe L4-TCP
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    probe L5-SSL
    inservice

class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match STICKY-SLB
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active

interface vlan 2PC
  description Client vlan
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/  role Admin domain default-domain


Lab 5: Configuring Layer 7 Load Balancing


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will create new class maps and server farms to demonstrate URL load balancing. After completing this exercise, you will be able to meet these objectives:
- Define multiple server farms
- Create a classification for URL strings
- Send matches to a specified server
- Modify a class map to alter URL processing
- Optimize the mixed-traffic VIP by configuring match-any and match-all
- Roll back the configuration

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Configuring Layer 7 Load Balancing. An interface service policy (applied to any interface) references a multi-match policy map; its client-traffic class map matches VIP connections coming from the router, and the load-balancing policy map's default class sends them to a server farm containing Real Server 1 and Real Server 2. Only traffic destined to a VIP is allowed.]

Required Resources
These are the resources and equipment that are required to complete this activity:
- Cisco 4710 Application Control Engine Appliance
- Server minimally running Telnet and HTTP


Task 1A: Configure a Real Server


In this task, you will add a configuration for the real servers within the pod. The Cisco ACE already has administrative connectivity enabled for the client. For Layer 3 and 4 load balancing you can create the server farm at the same time you create the virtual IP (VIP). With the Layer 7 load balancing in this lab, you will need multiple server farms, so you will create them at the beginning, for ease of configuration.

Activity Procedure
Complete these steps:
Step 1

Roll back the configuration to SLB-END from the command-line interface (CLI).

Step 2

Log into the ACE 4710 Device Manager at https://172.16.PC.20.

Step 3

Create a server farm called IE-WEB and put LINUX-1 and LINUX-2 in it. Click Config > Virtual Contexts > Load Balance > Server Farms + add button

Step 4

Create a server farm called NON-IE and put LINUX-3, LINUX-4 and LINUX-5 in it. Click Config > Virtual Contexts > Load Balance > Server Farms.


Task 1B: Configure a Real Server


In this task, you will add a configuration for the real servers within the pod. The Cisco ACE has administrative connectivity already enabled for the client.

Activity Procedure
Complete these steps:
Step 1

Connect to your client PC.

Step 2

Connect to the Cisco ACE management IP address for this lab.
C:\> telnet 172.16.PC.20
Trying 172.16.PC.20...
Connected to 172.16.PC.20 (172.16.PC.20).
Escape character is '^]'.

User Access Verification
Username: cisco
Password: cisco123

Step 3

Verify that you are in the correct context by looking at the prompt.
switch/Lab-OPT-PC#

Step 4

Use the checkpoint system to roll the configuration to the SLB-END checkpoint.
switch/Lab-OPT-PC# checkpoint rollback SLB-END

Step 5

Use show run to see what is preconfigured for this lab.

Step 6

Use the serverfarm command to create a server farm for IE servers only.
PodP-ACE/Lab2-L7-PC(config)# serverfarm IE-WEB

Step 7

Add the recently created rservers to the server farm. Be sure to inservice the real servers within the server farm. Failure to do so will cause the Cisco ACE appliance to consider these real servers out of service, and the server farm will not be capable of receiving or responding to client requests.
switch/Lab-OPT-PC(config-sfarm-host)# rserver LINUX-1
switch/Lab-OPT-PC(config-sfarm-host-rs)# inservice
switch/Lab-OPT-PC(config-sfarm-host)# rserver LINUX-2
switch/Lab-OPT-PC(config-sfarm-host-rs)# inservice

Step 8

Add the other three web servers to the server farm called NON-IE.
LINUX-3  192.168.1.13
LINUX-4  192.168.1.14
LINUX-5  192.168.1.15


Step 9

Display the newly configured rservers.


switch/Lab-OPT-PC(config-sfarm-host)# do show run serverfarm
Generating configuration....

serverfarm host IE-WEB
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
serverfarm host NON-IE
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice
serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice

Step 10

The server VLAN was added during the configuration rollback. Use the show arp command to ensure that the Cisco ACE populates its Address Resolution Protocol (ARP) table with the MAC addresses of the real servers.
switch/Lab-OPT-PC# show arp

Activity Verification
You have completed this task when the servers are marked as OPERATIONAL in the new server farms.


Task 2A: Configure Layer 7 Load Balancing


To send traffic to each server farm you just created (IE-WEB & NON-IE) based on the contents of Layer 7 data, the Cisco ACE must be configured with a class map to properly classify the traffic destined to the server farm.

Activity Procedure
Complete these steps:
Step 1

Create a VIP named VIP-171, give it an IP address of 172.16.PC.171 for all IP traffic, and assign it to the client-facing VLAN interface. Also add one of the server farms already configured (you will remove it in a later step). Click Config > Virtual Contexts > Load Balancing > Virtual Servers + add button

Step 2

Go to Expert mode and create a Layer 7 load-balancing class map named CHECK-HEADERS with Match-all. Click Config > Virtual Contexts > Expert > Class Map + add button > Deploy Now


Step 3

Add three match conditions to the new class map just created:
match http url .*
match http header Host header-value 172.16.PC.*
match http header User-Agent header-value .*MSIE.*

Step 4

Staying in Expert mode, create another Layer 7 load-balancing class map named OTHER-HTTP with Match-all chosen. Add one match condition to the new class map just created:
match http url .*

Step 5


Step 6

Now choose the policy map that was autocreated by the interface when you created the virtual server (for example, VIP-171-l7slb) and edit the class statements. Remove the default action class-default and add the two new class maps with the action for CHECK-HEADERS > IE-WEB and OTHER-HTTP > NON-IE. Click Config > Virtual Contexts > Expert > Policy Map.

Step 7

Verify that the new service policy is inservice:
Config > Virtual Contexts > Load Balancing > Virtual Servers
Config > Operations > Virtual Servers
Also view the statistics in the monitoring section: Click Monitor > Virtual Contexts > Real Servers.
**Remove all class maps except remote access

Step 8

Step 9


Task 2B: Configure Layer 7 Load Balancing


In order to send traffic to each server farm you just created (IE-WEB & NON-IE) based on the contents of Layer 7 data, the Cisco ACE must be configured with a class map to properly classify the traffic destined to the server farm.

Activity Procedure
Complete these steps:
Step 1

Start by creating a class map (Layer 3 and 4) to distinguish traffic destined for a virtual IP from traffic destined elsewhere. Use the IP address 172.16.PC.171.
switch/Lab-OPT-PC(config)# class-map VIP-171 switch/Lab-OPT-PC(config-cmap)# match virtual-address 172.16.PC.171 any

Step 2

Create a class map (Layer 5-7) to classify HTTP requests coming from IE clients and containing a Host header value.
switch/Lab-OPT-PC(config)# class-map type http loadbalance CHECK-HEADERS
switch/Lab-OPT-PC(config-cmap-http-lb)# match http url .*
switch/Lab-OPT-PC(config-cmap-http-lb)# match http header Host header-value 172.16.PC.*
switch/Lab-OPT-PC(config-cmap-http-lb)# match http header User-Agent header-value .*MSIE.*

Step 3

Create a second class map (Layer 5-7) to classify all other HTTP requests.


switch/Lab-OPT-PC(config)# class-map type http loadbalance OTHER-HTTP
switch/Lab-OPT-PC(config-cmap-http-lb)# match http url .*

Step 4

Display the new class map and verify the configuration.


switch/Lab-OPT-PC(config-cmap-http-lb)# do show run class-map
Generating configuration....

class-map type http loadbalance match-all CHECK-HEADERS
  2 match http url .*
  3 match http header Host header-value "172.16.PC.*"
  4 match http header User-Agent header-value ".*MSIE.*"
class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map match-all VIP-171
  2 match virtual-address 172.16.PC.171 any
class-map type http loadbalance match-all OTHER-HTTP
  2 match http url .*
class-map type management match-any remote-access
  description remote-access
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any


Step 5

Create a policy map of type loadbalance to handle requests destined to this VIP. Recall that the Cisco ACE will attempt to match the defined Layer 5-7 class maps in order of occurrence, as indicated by the keyword first-match. The class default is used to handle nonmatching client requests. Apply the CHECK-HEADERS and OTHER-HTTP class maps with the IE-WEB and NON-IE server farms respectively.
switch/Lab-OPT-PC(config)# policy-map type loadbalance first-match L7-LOGIC
switch/Lab-OPT-PC(config-pmap-lb)# class CHECK-HEADERS
switch/Lab-OPT-PC(config-pmap-lb-c)# serverfarm IE-WEB
switch/Lab-OPT-PC(config-pmap-lb)# class OTHER-HTTP
switch/Lab-OPT-PC(config-pmap-lb-c)# serverfarm NON-IE

Step 6

Use the show run policy-map command to view the configuration additions.
switch/Lab-OPT-PC(config-pmap-lb-c)# do show run policy-map
Generating configuration....

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match L7-LOGIC
  class CHECK-HEADERS
    serverfarm IE-WEB
  class OTHER-HTTP
    serverfarm NON-IE
policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC

Step 7

Add to the existing multimatch policy map. Recall that the multimatch policy map is used to tie the VIP to the load-balancing action.
switch/Lab-OPT-PC(config)# policy-map multi-match CLIENT-VIPS
switch/Lab-OPT-PC(config-pmap)# class VIP-171
switch/Lab-OPT-PC(config-pmap-c)# loadbalance policy L7-LOGIC
switch/Lab-OPT-PC(config-pmap-c)# loadbalance vip inservice

Step 8

View the running configuration to observe the new policy map.


switch/Lab-OPT-PC(config-pmap-c)# do show run policy-map
Generating configuration....

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match L7-LOGIC
  class CHECK-HEADERS
    serverfarm IE-WEB
  class OTHER-HTTP
    serverfarm NON-IE
policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC
  class VIP-171
    loadbalance vip inservice
    loadbalance policy L7-LOGIC
Step 9

Verify that the VIP is applied and inservice (meaning that the Cisco ACE will respond to traffic destined to the VIP address).

Note    After a policy map of type multi-match is added to the service policy, any additions to the policy map are immediately applied.

switch/Lab-OPT-PC# show service-policy CLIENT-VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 2PC
  service-policy: CLIENT-VIPS
    class: VIP-170
      loadbalance:
        L7 loadbalance policy: WEB-LOGIC
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 10
        dropped conns    : 0
        client pkt count : 66        , client byte count: 5320
        server pkt count : 91        , server byte count: 64676
    class: VIP-171
      loadbalance:
        L7 loadbalance policy: L7-LOGIC
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : Disabled
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0

Activity Verification
You have completed this task when the service policy shows the newly created VIP in the INSERVICE state.


Task 3: Test the New VIP Load-Balancing Configuration


In this task, you will use show commands to verify the working order of the current Cisco ACE context. You will verify that the VIP works as expected and that the client is being load balanced between real servers.

Activity Procedure
Complete these steps:
Step 1

On the client, use the IE browser to verify that the Cisco ACE appliance is loadbalancing traffic to the IE-WEB server farm.
http://172.16.PC.171/index.html

Step 2

Notice that the service-policy counters increment as connections are handled.


switch/Lab-OPT-PC# sho service-policy CLIENT-VIPS
Interface: vlan 2PC
  service-policy: CLIENT-VIPS
    class: VIP-171
      loadbalance:
        L7 policy: lb-logic, VIP state: INSERVICE
        curr conns       : 0         , hit count        : 10
        dropped conns    : 0
        client pkt count : 50        , client byte count: 5583
        server pkt count : 48        , server byte count: 3465

Step 3

Now use Firefox to connect to the same site. Verify that the Cisco ACE appliance is now sending the client to the NON-IE server farm.
http://172.16.PC.171/index.html

Step 4

Now use either browser to connect to the same VIP, but this time without specifying a URL.
http://172.16.PC.171/

Activity Verification
You have completed this task when you attain these results:
- Successfully load-balance HTTP requests to the VIP and verify that only the proper servers are responding, based on the client issuing the HTTP requests
- Understand the .* regular expression, which matches both anything and nothing


Task 4: Mixing Layer 4 and Layer 7 Traffic


In this task, you will configure the Layer 7 parsing behavior of the Cisco ACE appliance to distinguish between HTTP traffic and other traffic.
Note There is no Cisco ACE 4710 Device Manager task here; if you chose to do this task with the Cisco Device Manager, remember that the Device Manager autogenerates names, so the policy map L7-LOGIC would be called VIP-171-l7slb, for example; this applies to several names throughout this task.

Activity Procedure
Complete these steps:
Step 1

Recall that the L7-LOGIC policy map is only configured with Layer 7 HTTP matches.
switch/Lab-OPT-PC# show run policy-map
policy-map type loadbalance first-match L7-LOGIC
  class CHECK-HEADERS
    serverfarm IE-WEB
  class OTHER-HTTP
    serverfarm NON-IE

Step 2

Use Telnet from the client PC in the lab pod to connect to the VIP.
telnet 172.16.PC.171

Step 3

Why did the connection fail? Notice that the service-policy counters increment as connections are handled.

switch/Lab-OPT-PC# sho service-policy CLIENT-VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 2PC
  service-policy: CLIENT-VIPS
    class: VIP-170
      loadbalance:
        L7 policy: WEB-LOGIC
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 10
        dropped conns    : 0
        client pkt count : 66        , client byte count: 5320
        server pkt count : 91        , server byte count: 64676
    class: VIP-171
      loadbalance:
        L7 policy: L7-LOGIC
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 23
        dropped conns    : 2
        client pkt count : 174       , client byte count: 13845
        server pkt count : 230       , server byte count: 167217


Step 4

You could consider the failure to be caused by the absence of a default class, which makes sense based solely on the configuration. Telnet is not HTTP; thus it cannot match the existing Layer 7 class maps. However, a class default is provided for handling traffic that does not match a Layer 7 class map. Apply this class default.
switch/Lab-OPT-PC(config)# policy-map type loadbalance first-match L7-LOGIC
switch/Lab-OPT-PC(config-pmap-lb)# class class-default
switch/Lab-OPT-PC(config-pmap-lb-c)# serverfarm WEBFARM

Step 5

Again, from the client, use Telnet to connect to the VIP.


telnet 172.16.PC.171

Why did the connection fail?


Step 6

To rectify the problem and allow HTTP and non-HTTP traffic to access the VIP, a new policy map must be created that does not impose HTTP parsing.
switch/Lab-OPT-PC(config)# policy-map type loadbalance first-match NONL7-LB
switch/Lab-OPT-PC(config-pmap-lb)# class class-default
switch/Lab-OPT-PC(config-pmap-lb-c)# serverfarm WEBFARM

Step 7

If the new policy were applied directly to the multi-match policy, the class map VIP-171 would be used twice and the second occurrence would never be matched. Therefore, a new class map must be created. In the majority of cases, customers know the port on which HTTP is allowed. In this lab the default port is used. Rather than creating a new class map for the non-Layer 7 load-balancing policy, create one for the more specific Layer 7 load-balancing logic.
PodP-ACE/Lab2-L7-PC(config)# class-map VIP-171-HTTP
PodP-ACE/Lab2-L7-PC(config-cmap)# match virtual-address 172.16.PC.171 tcp eq www

Step 8

Now all that is needed is to modify the multimatch policy map.


PodP-ACE/Lab2-L7-PC(config)# policy-map multi-match CLIENT-VIPS
PodP-ACE/Lab2-L7-PC(config-pmap)# class VIP-171-HTTP
PodP-ACE/Lab2-L7-PC(config-pmap-c)# loadbalance policy L7-LOGIC
PodP-ACE/Lab2-L7-PC(config-pmap-c)# loadbalance vip inservice
PodP-ACE/Lab2-L7-PC(config-pmap)# class VIP-171
PodP-ACE/Lab2-L7-PC(config-pmap-c)# no loadbalance policy L7-LOGIC
PodP-ACE/Lab2-L7-PC(config-pmap-c)# loadbalance policy NONL7-LB
PodP-ACE/Lab2-L7-PC(config-pmap-c)# loadbalance vip inservice

Step 9

View the running configuration to observe the new policy map.


PodP-ACE/Lab2-L7-PC(config-pmap-c)# do show run policy-map
Generating configuration....

policy-map type loadbalance first-match L7-LOGIC
  class CHECK-HEADERS
    serverfarm IE-WEB
  class OTHER-HTTP
    serverfarm NON-IE
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match NONL7-LB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC
  class VIP-171
    loadbalance vip inservice
    loadbalance policy NONL7-LB
  class VIP-171-HTTP
    loadbalance vip inservice
    loadbalance policy L7-LOGIC
Step 10

Again, from the client, use Telnet to connect to the VIP.


telnet 172.16.PC.171

Step 11

Double-check the load balancing, using both the IE and Firefox web browsers. Why are the HTTP policies being ignored?

Step 12

Display the service-policy counters.

switch/Lab-OPT-PC(config-pmap-c)# do sh service-policy CLIENT-VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 225
  service-policy: CLIENT-VIPS
    class: VIP-170
      loadbalance:
        L7 loadbalance policy: WEB-LOGIC
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
    class: VIP-171
      loadbalance:
        L7 loadbalance policy: NONL7-LB
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 8         , hit count        : 223
        dropped conns    : 2
        client pkt count : 1625      , client byte count: 157294
        server pkt count : 2411      , server byte count: 1481306
    class: VIP-171-HTTP
      loadbalance:
        L7 loadbalance policy: L7-LOGIC
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0


Step 13

Notice that the counters are not incrementing for the VIP-171-HTTP class. This is because the VIP-171 class map matches connections to any port before VIP-171-HTTP is even checked. You introduced this error when you added the VIP-171-HTTP class map to the CLIENT-VIPS policy map after VIP-171. Modify the order of the class maps in the policy map.

switch/Lab-OPT-PC(config)# policy-map multi-match CLIENT-VIPS
switch/Lab-OPT-PC(config-pmap)# no class VIP-171-HTTP
switch/Lab-OPT-PC(config-pmap)# do sh run policy-map
Generating configuration....

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match L7-LOGIC
  class CHECK-HEADERS
    serverfarm IE-WEB
  class OTHER-HTTP
    serverfarm NON-IE
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match NONL7-LB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC
  class VIP-171
    loadbalance vip inservice
    loadbalance policy NONL7-LB

switch/Lab-OPT-PC(config-pmap)# class VIP-171-HTTP insert-before VIP-171
switch/Lab-OPT-PC(config-pmap-c)# loadbalance policy L7-LOGIC
switch/Lab-OPT-PC(config-pmap-c)# loadbalance vip ins
switch/Lab-OPT-PC(config-pmap-c)# do sh run policy-map
Generating configuration....

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match L7-LOGIC
  class CHECK-HEADERS
    serverfarm IE-WEB
  class OTHER-HTTP
    serverfarm NON-IE
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match NONL7-LB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC
  class VIP-171-HTTP
    loadbalance vip inservice
    loadbalance policy L7-LOGIC
  class VIP-171
    loadbalance vip inservice
    loadbalance policy NONL7-LB

Step 14

Verify that Telnet and the HTTP policies all work correctly.

Step 15

Display the service-policy counters.
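The classification logic Task 4 walks through, as an added, constructed model (not ACE code and not part of the lab guide): the multi-match policy takes the first Layer 3/4 class map that matches the connection, and that class's loadbalance policy takes the first matching Layer 7 class map, then class-default; any HTTP class map in a loadbalance policy forces HTTP parsing, which is why Telnet fails in Steps 3 and 5. The class-map names, regexes and server farms are the lab's; the pod number PC is assumed to be 1, regex anchoring is simplified to a full match, and the IE, Firefox and Telnet clients are constructed inputs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PC = "1"                       # constructed pod number standing in for 172.16.PC.171
VIP = f"172.16.{PC}.171"


@dataclass
class HttpRequest:
    url: str
    headers: Dict[str, str]


@dataclass
class Connection:
    dst_ip: str
    dst_port: int
    http: Optional[HttpRequest] = None     # None: no HTTP request on the connection (telnet)


@dataclass
class VipClassMap:                          # class-map match-all VIP-xxx
    name: str
    vip: str
    port: Optional[int] = None              # None models "match virtual-address ... any"

    def matches(self, c: Connection) -> bool:
        return c.dst_ip == self.vip and (self.port is None or self.port == c.dst_port)


@dataclass
class HttpClassMap:                         # class-map type http loadbalance match-all
    name: str
    url: str = ".*"
    headers: Dict[str, str] = field(default_factory=dict)   # header name -> regex

    def matches(self, r: HttpRequest) -> bool:
        if not re.fullmatch(self.url, r.url):
            return False
        return all(re.fullmatch(rx, r.headers.get(h, "")) for h, rx in self.headers.items())


@dataclass
class LbPolicy:                             # policy-map type loadbalance first-match
    name: str
    classes: List[Tuple[HttpClassMap, str]]  # (class map, serverfarm) in configured order
    default_farm: Optional[str] = None       # class class-default

    def select(self, c: Connection) -> str:
        # Task 4 lesson: one HTTP class map in the policy forces HTTP parsing of the
        # connection, so a non-HTTP client is dropped even when a class-default exists.
        if self.classes:
            if c.http is None:
                return "DROPPED (HTTP parsing forced, no HTTP request)"
            for cmap, farm in self.classes:
                if cmap.matches(c.http):
                    return farm
        return self.default_farm or "DROPPED (no class-default)"


def classify(multi_match: List[Tuple[VipClassMap, LbPolicy]], c: Connection) -> Tuple[str, str]:
    """First matching Layer 3/4 class in the multi-match policy decides the loadbalance policy."""
    for vip_cmap, policy in multi_match:
        if vip_cmap.matches(c):
            return vip_cmap.name, policy.select(c)
    return "", "no VIP match"


# Constructed sample clients: an IE request, a Firefox request and a telnet connection.
CLIENTS = {
    "IE": Connection(VIP, 80, HttpRequest("/index.html", {
        "Host": VIP, "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"})),
    "Firefox": Connection(VIP, 80, HttpRequest("/index.html", {
        "Host": VIP, "User-Agent": "Mozilla/5.0 (Windows; rv:1.8) Gecko/20060111 Firefox/1.5"})),
    "telnet": Connection(VIP, 23),
}


def task4_outcomes() -> Dict[str, Dict[str, str]]:
    """Serverfarm chosen per client at the stages of Task 4 (Steps 3, 4, 8 and 13)."""
    check_headers = HttpClassMap("CHECK-HEADERS", ".*",
                                 {"Host": f"172.16.{PC}.*", "User-Agent": ".*MSIE.*"})
    other_http = HttpClassMap("OTHER-HTTP", ".*")
    l7_logic = LbPolicy("L7-LOGIC", [(check_headers, "IE-WEB"), (other_http, "NON-IE")])
    nonl7_lb = LbPolicy("NONL7-LB", [], default_farm="WEBFARM")
    vip171 = VipClassMap("VIP-171", VIP)                 # match virtual-address ... any
    vip171_http = VipClassMap("VIP-171-HTTP", VIP, 80)   # match virtual-address ... tcp eq www

    def run(mm):
        return {name: classify(mm, conn)[1] for name, conn in CLIENTS.items()}

    out = {}
    out["step3_no_default"] = run([(vip171, l7_logic)])
    l7_logic.default_farm = "WEBFARM"                    # Step 4: class class-default added
    out["step4_with_default"] = run([(vip171, l7_logic)])
    out["step8_wrong_order"] = run([(vip171, nonl7_lb), (vip171_http, l7_logic)])
    out["step13_insert_before"] = run([(vip171_http, l7_logic), (vip171, nonl7_lb)])
    return out


if __name__ == "__main__":
    for stage, result in task4_outcomes().items():
        print(stage, result)
```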

Activity Verification
You have completed this task when you attain these results:
- Successfully load-balance HTTP requests to the VIP and verify that only the proper servers are responding, based on the client issuing the HTTP requests
- Understand the impact of HTTP parsing on a policy map
- Can use HTTP to reach a specific server, based on the client, and can gain non-HTTP access to the server


Task 5: Optimize the Mixed-Traffic VIP


In this task, you will optimize the mixed-traffic VIP.

Activity Procedure
Complete these steps:
Step 1

Recall that the L7-LOGIC policy map will only match HTTP traffic.

PodP-ACE/Lab2-L7-PC(config-pmap-lb-c)# do show run policy-map

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match L7-LOGIC
  class CHECK-HEADERS
    serverfarm IE-WEB
  class OTHER-HTTP
    serverfarm NON-IE
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match NONL7-LB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC
  class VIP-171-HTTP
    loadbalance vip inservice
    loadbalance policy L7-LOGIC
  class VIP-171
    loadbalance vip inservice
    loadbalance policy NONL7-LB

Step 2

The rationale for creating the OTHER-HTTP class map was to classify only HTTP traffic and send it to the NON-IE server farm. In Task 3 you saw how a single match of type HTTP forces all traffic to be inspected as if it were HTTP; thus the default class serves the same function as the OTHER-HTTP class map. View the regex memory consumption before removing the class map.

switch/Lab-OPT-PC# sho resource usage resource regexp
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Lab-L7-PC
        regexp               146        219          0    1048576

switch/Lab-OPT-PC(config)# policy-map type loadbalance first-match L7-LOGIC
switch/Lab-OPT-PC(config-pmap-lb)# no class OTHER-HTTP
switch/Lab-OPT-PC(config-pmap-lb)# class class-default
switch/Lab-OPT-PC(config-pmap-lb-c)# no serverfarm IE-WEB
switch/Lab-OPT-PC(config-pmap-lb-c)# serverfarm NON-IE
switch/Lab-OPT-PC(config-pmap-lb-c)# do sho resource usage resource regexp
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Lab-L7-PC
        regexp               146        219          0    1048576            0
switch/Lab-OPT-PC(config-pmap-lb-c)# exit
switch/Lab-OPT-PC(config-pmap-lb)# exit

Step 3

Notice that the current memory consumption has not decreased. Remove the unused class map and view the memory usage.

switch/Lab-OPT-PC(config)# no class-map type http loadbalance OTHER-HTTP
switch/Lab-OPT-PC(config)# do sho resource usage resource regexp
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Lab-L7-PC
        regexp               146        219          0    1048576            0

Step 4

Why did the current memory used for the regular expression not decrement? ______________________________________________________________

Step 5

To see the memory consumption change, add a new match to the existing class map CHECK-HEADERS.

switch/Lab-OPT-PC(config)# class-map type http loadbalance CHECK-HEADERS
switch/Lab-OPT-PC(config-cmap-http-lb)# match http header Transfer-Encoding header-value .*foo.*
switch/Lab-OPT-PC(config-cmap-http-lb)# do sho resource usage resource regexp
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Lab-L7-PC
        regexp               196        219          0    1048576            0

Step 6

Remove the match to see the usage go down.

switch/Lab-OPT-PC(config-cmap-http-lb)# no match http header Transfer-Encoding header-value .*foo.*
switch/Lab-OPT-PC(config-cmap-http-lb)# do sho resource usage resource regexp
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Lab-L7-PC
        regexp               196        219          0    1048576            0

Step 7

Wait a minute or two, then display the usage again.

switch/Lab-OPT-PC(config-cmap-http-lb)# do sho resource usage resource regexp
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Lab-L7-PC
        regexp               146        219          0    1048576            0

Step 8

Why is there a delay in the decrementing of the current memory used for the regular expression after it was removed? _______________________________________________________________


Task 6: Apply the Baseline Configuration


The Cisco ACE ensures that no duplicate IPs exist across contexts per VLAN. Because of the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the server, so that the VLAN interface can be reused in the remaining labs.

Activity Procedure
Step 1

Use the checkpoint feature to roll back to baseline-mgmt.


switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Activity Verification
You have completed this task when you have removed the server VLAN from the context.


Lab 5 Answer Key


Initial Configuration Sample

switch/Lab-OPT-PC# sho run
Generating configuration....

login timeout 0

access-list everyone line 10 extended permit tcp any any

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice

serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice

class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC

interface vlan 2PC
  description Client vlan
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0  role Admin domain default-domain

Configuration Sample After Task 2 when Layer 7 SLB Is Working

switch/Lab-OPT-PC# sho run
Generating configuration....

login timeout 0

access-list everyone line 10 extended permit tcp any any

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice

serverfarm host IE-WEB
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
serverfarm host NON-IE
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice
serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice

class-map type http loadbalance match-all CHECK-HEADERS
  2 match http url .*
  3 match http header Host header-value "172.16.PC.*"
  4 match http header User-Agent header-value ".*MSIE.*"
class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map match-all VIP-171
  2 match virtual-address 172.16.PC.171 any
class-map type http loadbalance match-all OTHER-HTTP
  2 match http url .*
class-map type management match-any remote-access
  description remote-access
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match l7-logic
  class CHECK-HEADERS
    serverfarm IE-WEB
  class OTHER-HTTP
    serverfarm NON-IE
policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC
  class VIP-171
    loadbalance vip inservice
    loadbalance policy l7-logic

interface vlan 2PC
  description Client vlan
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0  role Admin domain default-domain

Configuration Sample after Task 3 when a Mix of Layer 4 and Layer 7 SLB Is Working

switch/Lab-OPT-PC# sho run
Generating configuration....

login timeout 0

access-list everyone line 10 extended permit tcp any any

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice

serverfarm host IE-WEB
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
serverfarm host NON-IE
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice
serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice

class-map type http loadbalance match-all CHECK-HEADERS
  2 match http url .*
  3 match http header Host header-value "172.16.PC.*"
  4 match http header User-Agent header-value ".*MSIE.*"
class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map match-all VIP-171
  2 match virtual-address 172.16.PC.171 any
class-map match-all VIP-171-HTTP
  2 match virtual-address 172.16.PC.171 tcp eq www
class-map type http loadbalance match-all OTHER-HTTP
  2 match http url .*
class-map type management match-any remote-access
  description remote-access
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match l7-logic
  class CHECK-HEADERS
    serverfarm IE-WEB
  class OTHER-HTTP
    serverfarm NON-IE
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match NONL7-LB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC
  class VIP-171-HTTP
    loadbalance vip inservice
    loadbalance policy l7-logic
  class VIP-171
    loadbalance vip inservice
    loadbalance policy NONL7-LB

interface vlan 2PC
  description Client vlan
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0  role Admin domain default-domain

104

Implementing the Cisco ACE Appliance (ACEAP) v1.0

2008 Cisco Systems, Inc.

Configuration Sample after Task 4 when the Mixed Traffic Configuration Has Been Optimized

switch/Lab-OPT-PC# sho run
Generating configuration....

login timeout 0

access-list everyone line 10 extended permit tcp any any

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice

serverfarm host IE-WEB
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
serverfarm host NON-IE
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice
serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice

class-map type http loadbalance match-all CHECK-HEADERS
  2 match http url .*
  3 match http header Host header-value "172.16.PC.*"
  4 match http header User-Agent header-value ".*MSIE.*"
class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map match-all VIP-171
  2 match virtual-address 172.16.PC.171 any
class-map match-all VIP-171-HTTP
  2 match virtual-address 172.16.PC.171 tcp eq www
class-map type management match-any remote-access
  description remote-access
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match l7-logic
  class CHECK-HEADERS
    serverfarm IE-WEB
  class class-default
    serverfarm NON-IE
policy-map type loadbalance first-match NONL7-LB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match WEB-LOGIC
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-LOGIC
  class VIP-171-HTTP
    loadbalance vip inservice
    loadbalance policy l7-logic
  class VIP-171
    loadbalance vip inservice
    loadbalance policy NONL7-LB

interface vlan 2PC
  description Client vlan
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0  role Admin domain default-domain
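The l7-logic policy shown in the Task 3 and Task 4 samples above can be checked away from the lab by modelling the match-all class maps and the first-match policy evaluation. The Python below is an added example, not code from this guide or from Cisco. It assumes pod number PC = 1 and that an ACE url or header regular expression must match the whole value (modelled with re.fullmatch), which is why the guide writes ".*MSIE.*" rather than "MSIE"; the sample requests and User-Agent strings are constructed.

```python
import re

# Added example (not Cisco's code): evaluates the lab's Layer 7 class maps
# and first-match load-balance policies against constructed HTTP requests.
# Assumptions: pod number PC = 1, and an ACE url/header regex must match the
# whole value (modelled with re.fullmatch).

CLASS_MAPS = {
    # class-map type http loadbalance match-all CHECK-HEADERS
    "CHECK-HEADERS": [
        ("url", None, r".*"),
        ("header", "Host", r"172.16.1.*"),
        ("header", "User-Agent", r".*MSIE.*"),
    ],
    # class-map type http loadbalance match-all OTHER-HTTP (Task 3 sample only)
    "OTHER-HTTP": [("url", None, r".*")],
}

# policy-map type loadbalance first-match l7-logic, as in the Task 3 sample ...
L7_LOGIC_TASK3 = [
    ("CHECK-HEADERS", "IE-WEB"),
    ("OTHER-HTTP", "NON-IE"),
    ("class-default", "WEBFARM"),
]
# ... and as in the Task 4 sample, where OTHER-HTTP is replaced by class-default.
L7_LOGIC_OPTIMIZED = [
    ("CHECK-HEADERS", "IE-WEB"),
    ("class-default", "NON-IE"),
]


def class_matches(name, request):
    """match-all: every match line must hold; a missing header never matches."""
    for kind, header, pattern in CLASS_MAPS[name]:
        value = request.get("url") if kind == "url" else request["headers"].get(header)
        if value is None or re.fullmatch(pattern, value) is None:
            return False
    return True


def select_serverfarm(policy, request):
    """first-match: the first class whose class map matches picks the server farm."""
    for class_name, farm in policy:
        if class_name == "class-default" or class_matches(class_name, request):
            return farm
    return None


def evaluate_samples():
    """Route four constructed requests through both versions of l7-logic."""
    ie = {"url": "/index.html", "headers": {
        "Host": "172.16.1.171",
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"}}
    firefox = {"url": "/index.html", "headers": {
        "Host": "172.16.1.171",
        "User-Agent": "Mozilla/5.0 (X11; Linux i686) Gecko/2008 Firefox/3.0"}}
    no_host = {"url": "/", "headers": {"User-Agent": "MSIE"}}
    # The unescaped dots in "172.16.1.*" are regex wildcards, so a Host value
    # that is not the VIP at all still satisfies CHECK-HEADERS.
    odd_host = {"url": "/", "headers": {"Host": "172x16x1x171", "User-Agent": "MSIE"}}

    samples = {"ie": ie, "firefox": firefox, "no_host": no_host, "odd_host": odd_host}
    return {name: (select_serverfarm(L7_LOGIC_TASK3, req),
                   select_serverfarm(L7_LOGIC_OPTIMIZED, req))
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, (task3, optimized) in evaluate_samples().items():
        print(f"{name:9s} task3={task3:8s} optimized={optimized}")
```

Both policies route every sample identically, which is why the OTHER-HTTP class (match http url .* matches every request, so the class-default/WEBFARM entry behind it could never be reached) was replaced by class-default in the optimized sample. The odd_host case shows that the unescaped dots in "172.16.PC.*" are wildcards, and both header values are supplied by the client, so these checks are a routing hint and not an access control.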


Lab 6: Enabling Sticky Connections


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will configure your Cisco ACE context to match VIP-destined traffic and load-balance these flows to the real servers on a private network behind the Cisco ACE context. To accomplish this, class maps are applied to classify client traffic destined to a virtual IP (VIP) address. This traffic is then load-balanced to a server farm, and one of the real servers is chosen to respond to the client request. To allow client traffic into the Cisco ACE context, an access list is required to permit the client flows.

After completing this exercise, you will be able to meet these objectives:
- Define real server containers and server farms
- Apply source IP sticky to ensure client persistence
- Roll back the configuration

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Enabling Sticky Connections. Labels: Servers; 1. Browse 2. Select 3. Buy; ACE]

Required Resources
These are the resources and equipment that are required to complete this activity:
- Cisco 4710 Application Control Engine Appliance
- Server minimally running Telnet and HTTP


Task 1: Apply Source IP Sticky to Ensure Client Persistence


In this task, you will define real server containers and server farms.

Activity Procedure
Complete these steps:
Step 1

Connect to your client PC.


Connect directly to the ACE management IP address for your Lab 5 context.

C:\> telnet 172.16.PC.20
Trying 172.16.PC.20...
Connected to 172.16.PC.20 (172.16.PC.20).
Escape character is '^]'.

User Access Verification

Username: cisco
Password: cisco123

Step 2

Verify that you are in the correct context by looking at the prompt.
switch/Lab-OPT-PC#

Step 3

Use the checkpoint system to roll the configuration back to SLB-END.

Step 4

Execute show run to see what is preconfigured for this lab.

Step 5

Create a sticky group named STICKY-GRP.

switch/Lab-OPT-PC(config)# sticky ip-netmask 255.255.255.255 address source STICKY-GRP

Step 6

Specify a timeout of 1 minute.


switch/Lab-OPT-PC(config-sticky-ip)# timeout 1

Step 7

Specify the server farm to be used for this sticky group.


switch/Lab-OPT-PC(config-sticky-ip)# serverfarm WEBFARM
switch/Lab-OPT-PC(config-sticky-ip)# exit

Step 8

The sticky group is applied within a policy map of type loadbalance.


switch/Lab-OPT-PC(config)# policy-map type loadbalance first-match STICKY-SLB
switch/Lab-OPT-PC(config-pmap-lb)# class class-default
switch/Lab-OPT-PC(config-pmap-lb-c)# sticky-serverfarm STICKY-GRP

Step 9

Create a VIP on interface VLAN 2PC and load-balance with this sticky group.
switch/Lab-OPT-PC(config)# class-map STICKY-VIP
switch/Lab-OPT-PC(config-cmap)# match virtual-address 172.16.PC.171 any
switch/Lab-OPT-PC(config-cmap)# exit
switch/Lab-OPT-PC(config)# policy-map multi-match CLIENT-VIPS
switch/Lab-OPT-PC(config-pmap)# class STICKY-VIP
switch/Lab-OPT-PC(config-pmap-c)# loadbalance vip inservice
switch/Lab-OPT-PC(config-pmap-c)# loadbalance policy STICKY-SLB
switch/Lab-OPT-PC(config-pmap-c)# exit
switch/Lab-OPT-PC(config-pmap)# exit


Step 10

Use the client web browser to access http://172.16.PC.171.

Step 11

View the sticky tables on the Cisco ACE.

switch/Lab-OPT-PC# show sticky database
sticky group : STICKY-GRP
type         : IP
timeout      : 1               timeout-activeconns : FALSE
   sticky-entry          rserver-instance                 time-to-expire flags
   ---------------------+--------------------------------+--------------+-------+
   3517303317            LINUX-1:0                        53             -
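Source IP sticky as configured in Steps 5 through 9 can be modelled to see how the netmask and the timeout shape the sticky table. The Python below is an added example, not the guide's or Cisco's code. The client addresses and timestamps are constructed; it assumes the farm is served round-robin when no sticky entry exists and that an entry's idle timer restarts on every new connection that uses it.

```python
import ipaddress

# Added example (not Cisco's code): a model of
#   sticky ip-netmask <mask> address source <group>
#     timeout <minutes>
#     serverfarm <farm>
# Client addresses and timestamps are constructed. Assumptions: round-robin
# selection when no entry exists; the idle timer restarts on each new
# connection that uses an entry.


class SourceIpSticky:
    def __init__(self, group, netmask, timeout_minutes, farm):
        self.group = group
        self.netmask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout_minutes * 60          # seconds of inactivity
        self.farm = list(farm)                       # rservers in the farm
        self.next_rr = 0                             # round-robin pointer
        self.table = {}                              # sticky key -> (rserver, last_seen)

    def sticky_key(self, client_ip):
        """The key is the source address ANDed with the group's netmask."""
        masked = int(ipaddress.IPv4Address(client_ip)) & self.netmask
        return str(ipaddress.IPv4Address(masked))

    def expire(self, now):
        """Drop entries idle for at least the configured timeout."""
        for key in [k for k, (_, seen) in self.table.items() if now - seen >= self.timeout]:
            del self.table[key]

    def select(self, client_ip, now):
        """Pick the rserver for a new connection from client_ip at time now."""
        self.expire(now)
        key = self.sticky_key(client_ip)
        if key in self.table:
            rserver = self.table[key][0]             # existing entry wins
        else:
            rserver = self.farm[self.next_rr % len(self.farm)]
            self.next_rr += 1
        self.table[key] = (rserver, now)             # create or refresh
        return rserver

    def entries(self, now):
        """Rows resembling 'show sticky database': key, rserver, seconds to expire."""
        self.expire(now)
        return [(k, r, self.timeout - (now - seen)) for k, (r, seen) in self.table.items()]


def demo():
    """Walk through the lab's /32 sticky group and a /24 variant."""
    farm = ["LINUX-1", "LINUX-2", "LINUX-3", "LINUX-4", "LINUX-5"]
    t0 = 0.0
    per_host = SourceIpSticky("STICKY-GRP", "255.255.255.255", 1, farm)
    first = per_host.select("172.16.1.101", t0)            # new key: round-robin
    repeat = per_host.select("172.16.1.101", t0 + 30)      # same key within 1 min
    neighbour = per_host.select("172.16.1.102", t0 + 30)   # different /32 key
    remaining = per_host.entries(t0 + 45)[0][2]            # seconds left for .101
    idle = per_host.select("172.16.1.101", t0 + 30 + 60)   # 60 s idle: entry expired

    # With a /24 netmask every client in 172.16.1.0/24 shares one entry, so a
    # whole site behind one NAT range lands on the same rserver.
    per_subnet = SourceIpSticky("STICKY-NET", "255.255.255.0", 1, farm)
    a = per_subnet.select("172.16.1.101", t0)
    b = per_subnet.select("172.16.1.102", t0 + 1)
    return {
        "first": first, "repeat": repeat, "neighbour": neighbour,
        "remaining": remaining, "after_idle": idle,
        "subnet_pair": (a, b), "subnet_key": per_subnet.sticky_key("172.16.1.102"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12s} {v}")
```

The /32 mask of the lab gives each client its own entry, which is what the single LINUX-1:0 row in the show sticky database output above reflects; a wider mask trades that precision for a smaller table, at the cost of sending every client that shares the masked prefix to one server.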


Task 2: Apply the Baseline Configuration


The Cisco ACE ensures that no duplicate IPs exist across contexts per VLAN. Because of the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the server, so that the VLAN interface can be reused in the remaining labs.

Activity Procedure
Use the checkpoint feature to roll back to baseline-mgmt.
switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Activity Verification
You have completed this task when you have removed the server VLAN from the context.


Lab 6 Answer Key


switch/Lab-OPT-PC# sho run
Generating configuration....

login timeout 0

access-list everyone line 10 extended permit ip any any

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice

serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-GRP
  timeout 1
  serverfarm WEBFARM

class-map match-all STICKY-VIP
  2 match virtual-address 172.16.PC.171 any
class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match WEB-SLB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match STICKY-SLB
  class class-default
    sticky-serverfarm STICKY-GRP

policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-SLB
    loadbalance vip icmp-reply active
  class STICKY-VIP
    loadbalance vip inservice
    loadbalance policy STICKY-SLB

access-group input everyone

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/  role Admin domain default-domain


Lab 7: Enabling Protocol Inspection


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will implement fixups and inspection for the FTP protocol. After completing this exercise, you will be able to meet these objectives:
- Implement fixups for the FTP protocol
- Implement FTP inspection (Strict FTP)
- Roll back the configuration

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Enabling Protocol Inspection. Labels: ACE; Server]

Required Resources
These are the resources and equipment that are required to complete this activity:
- Cisco 4710 Application Control Engine Appliance
- Server minimally running Telnet and HTTP


Task 1: Configure a Protocol Fixup


The Cisco ACE uses FTP inspection to enable FTP fixups. FTP inspection must be enabled for the Cisco ACE to load balance FTP sessions, because FTP negotiates its data connections inside the control channel.

Activity Procedure
Complete these steps:
Step 1

Connect to your client PC.

Step 2

Connect directly to the Cisco ACE management IP address for the context.

C:\> telnet 172.16.PC.20
Trying 172.16.PC.20...
Connected to 172.16.PC.20 (172.16.PC.20).
Escape character is '^]'.

User Access Verification

Username: cisco
Password: cisco123

Step 3

Verify that you are in the correct context by looking at the prompt:
switch/Lab-OPT-PC#

Step 4

Use the checkpoint system to roll the configuration back to SLB-END, so that the following task steps correspond to the Cisco ACE configuration.

Step 5

Execute show run to see what is preconfigured for this lab.

Note   This lab is built on the principles learned in the previous lab.

Step 6

Start by creating a class map to distinguish traffic destined for a virtual IP from traffic destined elsewhere. Use the IP address 172.16.PC.172.

switch/Lab-OPT-PC(config)# class-map VIP-172-FTP
switch/Lab-OPT-PC(config-cmap)# match virtual-address 172.16.PC.172 tcp eq ftp

Step 7

Create a server farm for the FTP servers called FTP-APP and add rservers LINUX-4 and LINUX-5. Then create the LB policy map for FTP.

switch/Lab-OPT-PC(config)# serverfarm FTP-APP
switch/Lab-OPT-PC(config-sfarm-host)# rserver LINUX-4
switch/Lab-OPT-PC(config-sfarm-host-rs)# inservice
switch/Lab-OPT-PC(config-sfarm-host-rs)# rserver LINUX-5
switch/Lab-OPT-PC(config-sfarm-host-rs)# inservice
switch/Lab-OPT-PC(config-sfarm-host-rs)# exit
switch/Lab-OPT-PC(config-sfarm-host)# exit
switch/Lab-OPT-PC(config)# policy-map type loadbalance first-match FTP-LB
switch/Lab-OPT-PC(config-pmap-lb)# class class-default
switch/Lab-OPT-PC(config-pmap-lb-c)# serverfarm FTP-APP

Step 8

Modify the multimatch policy to include the FTP VIP and LB policy.
switch/Lab-OPT-PC(config)# policy-map multi-match CLIENT-VIPS
switch/Lab-OPT-PC(config-pmap)# class VIP-172-FTP
switch/Lab-OPT-PC(config-pmap-c)# loadbalance policy FTP-LB
switch/Lab-OPT-PC(config-pmap-c)# loadbalance vip inservice


Step 9

Use the client PC to connect to the new VIP, using FTP from the command prompt. Look at the directory and download a file.
C:\Documents and Settings\Administrator>ftp 172.16.PC.172
Connected to 172.16.PC.172.
220 (vsFTPd 2.0.1)
User (172.16.PC.172:(none)): cisco
331 Please specify the password.
Password: cisco

Although the FTP connection was successful, why did the directory listing or file transfer, or both, fail?
Step 10

To apply the FTP fixup, the multimatch policy map must be configured to inspect FTP traffic. This enables FTP fixups for a VIP.
switch/Lab-OPT-PC(config-pmap-c)# inspect ftp

Step 11

Try the FTP connection from the client again. Use the show service-policy command to see the counters. Notice that there are now FTP inspection counters.

switch/Lab-OPT-PC# sho service-policy CLIENT-VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 2PC
  service-policy: CLIENT-VIPS
    class: VIP-172-FTP
      loadbalance:
        L7 policy: FTP-LB
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 3
        dropped conns    : 0
        client pkt count : 11        , client byte count: 490
        server pkt count : 8         , server byte count: 618
      inspect ftp:
        strict ftp: DISABLED
        curr conns       : 0         , hit count        : 1
        dropped conns    : 0
        client pkt count : 9         , client byte count: 394
        server pkt count : 8         , server byte count: 718
    class: VIP-170
      loadbalance:
        L7 policy: WEB-SLB
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 2
        dropped conns    : 0
        client pkt count : 5         , client byte count: 270
        server pkt count : 4         , server byte count: 364

Activity Verification
You have completed this task when load-balanced FTP connections succeed.


Task 2: Configure Strict FTP


The Cisco ACE uses a Layer 7 FTP command class map to perform FTP request inspection for FTP sessions, which lets you restrict specific FTP commands at the Cisco ACE. This function provides a security feature to prevent web browsers from sending embedded commands to the Cisco ACE in FTP requests. Each specified FTP command must be acknowledged before the Cisco ACE allows a new command. To create a Layer 7 class map to be used for the inspection of FTP request commands, use the class-map type ftp inspect command.

Activity Procedure
Complete these steps:
Step 1

Create a server farm for a different FTP server to handle only strict FTP connections. Call the server farm STRICT-FTP-APP and add rserver LINUX-2.

Step 2

Create a new class map VIP-173-STRICT to handle strict FTP sessions. Use the virtual IP address 172.16.PC.173 and restrict the match to the FTP port.

Step 3

Create a new LB policy called STRICT. Send all traffic to the server farm STRICT-FTP-APP.

Step 4

Define the strict FTP matching. Do this in a class map, because the Cisco ACE classifies FTP requests as they are received from the client. Create a class map called NO-PUTS and define a match for put.

switch/Lab-OPT-PC(config)# class-map type ftp inspect match-any NO-PUTS
switch/Lab-OPT-PC(config-cmap-ftp-insp)# match request-method put

Step 5

Use the show class-map command to view the configuration additions.

switch/Lab-OPT-PC(config-cmap-ftp-insp)# do show run class-map
class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map match-all VIP-172-FTP
  2 match virtual-address 172.16.PC.172 any
class-map match-all VIP-173-STRICT
  2 match virtual-address 172.16.PC.173 tcp eq ftp
class-map type ftp inspect match-any NO-PUTS
  2 match request-method put
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

Step 6

Now a new policy type is needed. The inspect policy type is used by strict FTP to apply the previously created class map. Any traffic matching the class map NO-PUTS will be denied. Create a policy map called FTP-INSPECT-POLICY.

switch/Lab-OPT-PC(config)# policy-map type inspect ftp first-match FTP-INSPECT-POLICY
switch/Lab-OPT-PC(config-pmap-ftp-ins)# class NO-PUTS
switch/Lab-OPT-PC(config-pmap-ftp-ins-c)# deny


Step 7

Finish the strict FTP configuration by updating the multimatch policy map.
switch/Lab-OPT-PC(config)# policy-map multi-match CLIENT-VIPS
switch/Lab-OPT-PC(config-pmap)# class VIP-173-STRICT
switch/Lab-OPT-PC(config-pmap-c)# loadbalance vip inservice
switch/Lab-OPT-PC(config-pmap-c)# loadbalance policy STRICT
switch/Lab-OPT-PC(config-pmap-c)# inspect ftp strict policy FTP-INSPECT-POLICY

Step 8

Display the policy map.


switch/Lab-OPT-PC(config-pmap-c)# do show run policy-map
Generating configuration....
policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match FTP-LB
  class class-default
    serverfarm FTP-APP
policy-map type loadbalance first-match WEB-SLB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match STRICT
  class class-default
    serverfarm strict-FTP-APP
policy-map type inspect ftp first-match FTP-INSPECT-POLICY
  class NO-PUTS
    deny

policy-map multi-match CLIENT-VIPS
  class VIP-172-FTP
    loadbalance vip inservice
    loadbalance policy FTP-LB
    inspect ftp
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-SLB
  class VIP-173-STRICT
    loadbalance vip inservice
    loadbalance policy STRICT
    inspect ftp strict policy FTP-INSPECT-POLICY


Step 9

Test the FTP configuration. Open a command-line window on the client and connect with FTP to the new VIP you created (172.16.PC.173). The FTP username/password is cisco/cisco. Get a listing of the files on the server.

C:\Documents and Settings\Administrator>ftp 172.16.PC.173
Connected to 172.16.PC.173.
220 (vsFTPd 2.0.1)
User (172.16.PC.173:(none)): cisco
331 Please specify the password.
Password: cisco
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
190 Here comes the directory listing.
-rw-r--r--    1 0        0         2124906 Oct 09  2005 UltraVnc-101-src.zip
-rw-r--r--    1 0        0            1113 Oct 09  2005 anaconda-ks.cfg
drwxr-xr-x    7 0        0            7096 Nov 08 01:25 htmldata
-rw-r--r--    1 0        0         1913993 Nov 08 01:23 htmldata.zip
-rw-r--r--    1 0        0           48180 Oct 09  2005 install.log
-rw-r--r--    1 0        0            3653 Oct 09  2005 install.log.syslog
-rw-r--r--    1 0        0         1607137 Oct 09  2005 vnc4_1_1-1[1].i386.rpm
-rw-r--r--    1 0        0         1607137 Oct 09  2005 vnc.rpm
-rw-r--r--    1 0        0         3317760 Nov 08 02:02 vtlabdata.tar
226 Directory send OK.
ftp: 690 bytes received in 0.09Seconds 6.99Kbytes/sec.

Step 10

Look at the files in your current working directory with !dir.

ftp> !dir
 Volume in drive C has no label.
 Volume Serial Number is 08F8-DB81

 Directory of C:\Documents and Settings\Administrator

04/06/2006  03:29a    <DIR>          .
04/06/2006  03:29a    <DIR>          ..
04/06/2006  03:29a                49 .asadminprefs
04/06/2006  03:29a               757 .asadmintruststore
04/06/2006  03:19a    <DIR>          Desktop
09/23/2004  12:35p    <DIR>          Favorites
09/23/2004  04:22a    <DIR>          My Documents
09/23/2004  04:22a    <DIR>          Start Menu
               2 File(s)            806 bytes
               6 Dir(s)  17,946,099,712 bytes free

Step 11

Test the strict FTP functionality by issuing a PUT of an existing file in your working directory.
ftp> put existing-file
200 PORT command successful. Consider using PASV.
Connection closed by remote host.
ftp>

Step 12

Now, look at some show commands on the Cisco ACE.


switch/Lab-OPT-PC# show service-policy CLIENT-VIPS detail
<snip>
    class: VIP-173-STRICT
      loadbalance:
        L7 policy: strict
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 1
        dropped conns    : 0
        client pkt count : 16        , client byte count: 770
        server pkt count : 14        , server byte count: 890
      inspect ftp:
        strict ftp: ENABLED
        curr conns       : 0         , hit count        : 1
        dropped conns    : 0
        client pkt count : 16        , client byte count: 770
        server pkt count : 14        , server byte count: 890
        L7 policy: FTP-INSPECT-POLICY
        TotalReplyMasked : 0         , TotalDropped: 1
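To see what the inspect ftp fixup of Task 1 and the strict policy of Task 2 actually do to the control channel, the following Python models one FTP control connection passing through the ACE. It is an added example, not the guide's or Cisco's code. The VIP (172.16.1.172, pod number assumed to be 1), the rserver address of LINUX-4 and the 227, LIST and STOR lines are constructed; the ACE keyword put is mapped to the STOR command an FTP client sends for put, and the rule that each command must be acknowledged before the next is modelled by dropping the offending command and closing the session.

```python
import re

# Added example (not Cisco's code): a simplified model of what
#   inspect ftp                       (Task 1, the fixup) and
#   inspect ftp strict policy <name>  (Task 2, strict FTP)
# do to one FTP control connection. Constructed values: pod number PC = 1, so
# the FTP VIP is 172.16.1.172; LINUX-4 (192.168.1.14) is the chosen rserver.

VIP = "172.16.1.172"
RSERVER = "192.168.1.14"

PASV_RE = re.compile(r"^227 (.*)\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
REPLY_RE = re.compile(r"^(\d{3})([ -])")

# 'match request-method put' (the lab's NO-PUTS class map) refers to the
# STOR command that an FTP client sends for 'put'.
METHOD_TO_COMMAND = {"put": "STOR"}


def to_h1h2(ip, port):
    """Encode ip:port in the h1,h2,h3,h4,p1,p2 form used by PORT and 227."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def from_h1h2(groups):
    """Decode six h1..p2 strings back into (ip, port)."""
    o = [int(x) for x in groups]
    return ".".join(map(str, o[:4])), o[4] * 256 + o[5]


class FtpInspector:
    def __init__(self, vip, rserver, fixup=True, strict=False, deny_methods=()):
        self.vip, self.rserver = vip, rserver
        self.fixup, self.strict = fixup, strict
        self.denied = {METHOD_TO_COMMAND[m] for m in deny_methods}
        self.pinholes = []            # (address, port) data connections let through
        self.awaiting_reply = False   # a command is outstanding on the control channel
        self.closed = False

    def client_to_server(self, line):
        """Return ('forward', line) or ('drop', reason) for one client command."""
        if self.closed:
            return ("drop", "connection closed")
        if self.strict and self.awaiting_reply:
            # Strict: no new command until the previous one was acknowledged.
            self.closed = True
            return ("drop", "command sent before previous one was acknowledged")
        command = line.split(" ", 1)[0].upper()
        if self.strict and command in self.denied:
            self.closed = True        # 'deny' in the inspect policy resets the session
            return ("drop", f"{command} denied by inspect policy")
        m = PORT_RE.match(line)
        if m and self.fixup:
            # Active mode: the server will connect back to this client endpoint.
            self.pinholes.append(from_h1h2(m.groups()))
        self.awaiting_reply = True
        return ("forward", line)

    def server_to_client(self, line):
        """Return the reply as the client sees it, rewritten when the fixup applies."""
        r = REPLY_RE.match(line)
        if r and r.group(2) == " ":
            self.awaiting_reply = False   # final reply line acknowledges the command
        m = PASV_RE.match(line)
        if m and self.fixup:
            ip, port = from_h1h2(m.groups()[1:])
            if ip == self.rserver:
                # Passive mode: the server advertised its private address, which
                # the client cannot reach; substitute the VIP and open a pinhole.
                self.pinholes.append((self.vip, port))
                return f"227 {m.group(1)}({to_h1h2(self.vip, port)})"
        return line


def run_scenarios():
    """Exercise the three lab situations on constructed control-channel lines."""
    pasv_reply = f"227 Entering Passive Mode ({to_h1h2(RSERVER, 4001)})"

    plain = FtpInspector(VIP, RSERVER, fixup=False)     # Task 1 Step 9: no 'inspect ftp' yet
    seen_without = from_h1h2(PASV_RE.match(plain.server_to_client(pasv_reply)).groups()[1:])

    fixed = FtpInspector(VIP, RSERVER)                    # Task 1 Step 10: 'inspect ftp'
    seen_with = from_h1h2(PASV_RE.match(fixed.server_to_client(pasv_reply)).groups()[1:])

    strict = FtpInspector(VIP, RSERVER, strict=True, deny_methods=("put",))
    listing = strict.client_to_server("LIST")
    strict.server_to_client("150 Here comes the directory listing.")
    strict.server_to_client("226 Directory send OK.")
    put = strict.client_to_server("STOR existing-file")   # Task 2 Step 11

    pipelined = FtpInspector(VIP, RSERVER, strict=True)
    pipelined.client_to_server("USER cisco")
    early = pipelined.client_to_server("PASS cisco")      # sent before the 331 reply

    return {
        "without_fixup": seen_without,
        "with_fixup": seen_with,
        "pinholes": fixed.pinholes,
        "list": listing[0],
        "put": put[0],
        "put_closed": strict.closed,
        "pipelined": early[0],
    }


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:14s} {v}")
```

Without the fixup the client is handed the rserver's private address in the 227 reply, which matches the failed listing in Task 1 Step 9; with it, the address becomes the VIP and a pinhole is recorded for the data connection. In strict mode the STOR is dropped and the session closed, which is the "Connection closed by remote host" seen in Step 11 and the TotalDropped counter above.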

Activity Verification
You have completed this task when you use the Cisco ACE to prevent FTP PUTs to an FTP server.


Task 3: Apply the Baseline Configuration


The Cisco ACE ensures that no duplicate IPs exist across contexts per VLAN. Because of the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the server, so that the VLAN interface can be reused in the remaining labs.

Activity Procedure
Use the checkpoint feature to roll back to baseline-mgmt.
switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Activity Verification
You have completed this task when you have removed the server VLAN from the context.


Lab 7 Answer Key


Working FTP Configuration Sample

switch/Lab-OPT-PC# show checkpoint detail ftp-end
login timeout 0

access-list everyone line 10 extended permit tcp any any

probe http GET-INDEX
  interval 15
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  probe GET-INDEX
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice

serverfarm host FTP-APP
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice
serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice

class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map match-all VIP-172-FTP
  2 match virtual-address 172.16.PC.172 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match FTP-LB
  class class-default
    serverfarm FTP-APP
policy-map type loadbalance first-match WEB-SLB
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-172-FTP
    loadbalance vip inservice
    loadbalance policy FTP-LB
    inspect ftp
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-SLB

interface vlan 2PC
  description Client vlan
  ip address 172.16.PC.13 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$1WMrkvAT$wKQ1z8XC0XvTY0Fpv55QN0  role Admin domain default-domain


Working Strict FTP Configuration Sample

Pod5-ACE/Lab-Fixups-91# show checkpoint detail ftp-strict
login timeout 0

access-list everyone line 10 extended permit tcp any any

probe http GET-INDEX
  interval 15
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  probe GET-INDEX
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice

serverfarm host FTP-APP
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice
serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice
serverfarm host STRICT-FTP-APP
  rserver LINUX-2
    inservice

class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map match-all VIP-172-FTP
  2 match virtual-address 172.16.PC.172 any
class-map match-all VIP-173-STRICT
  2 match virtual-address 172.16.PC.173 tcp eq ftp
class-map type ftp inspect match-any NO-PUTS
  2 match request-method put
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match FTP-LB
  class class-default
    serverfarm FTP-APP
policy-map type loadbalance first-match WEB-SLB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match STRICT
  class class-default
    serverfarm strict-FTP-APP
policy-map type inspect ftp first-match FTP-INSPECT-POLICY
  class NO-PUTS
    deny

policy-map multi-match CLIENT-VIPS
  class VIP-172-FTP
    loadbalance vip inservice
    loadbalance policy FTP-LB
    inspect ftp
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-SLB
  class VIP-173-STRICT
    loadbalance vip inservice
    loadbalance policy STRICT
    inspect ftp strict policy FTP-INSPECT-POLICY

interface vlan 2PC
  description Client vlan
  ip address 172.16.PC.13 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$1WMrkvAT$wKQ1z8XC0XvTY0Fpv55QN0  role Admin domain default-domain

126

Implementing the Cisco ACE Appliance (ACEAP) v1.0

2008 Cisco Systems, Inc.

Lab 8: Configuring SSL Termination


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will configure Secure Sockets Layer (SSL) termination. After completing this exercise, you will be able to meet these objectives:
- Configure SSL termination when you have certificates and keys
- Configure SSL termination when you must create certificates and keys
- Roll back the configuration

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Configuring SSL Termination. Labels: ACE, Encrypted (client side), Unencrypted (server side), Server.]

Required Resources
These are the resources and equipment that are required to complete this activity:
- Cisco 4710 Application Control Engine Appliance
- Server minimally running Telnet and HTTP


Task 1: Configure SSL Termination when You Have Certificates and Keys
Configuring SSL services on the Cisco ACE appliance is straightforward. All that is needed is the SSL certificate and its Rivest, Shamir, and Adleman (RSA) private key, added to an SSL proxy service and associated with a classification of traffic.

Activity Procedure
Complete these steps:
Step 1  Connect to your client PC.
Step 2  Connect directly to the Cisco ACE management IP address of the Lab-SSL-PC context.

  C:\> telnet 172.16.PC.20
  Trying 172.16.PC.20...
  Connected to 172.16.PC.20 (172.16.PC.20).
  Escape character is '^]'.
  User Access Verification
  Username: cisco
  Password: cisco123

Step 3  Verify that you are in the correct context by looking at the prompt.

  switch/Lab-OPT-PC#

Step 4  Use the checkpoint system to roll the configuration to the SLB-END.
Step 5  Use show run to see what is preconfigured for this lab.

Note  This lab is built on the principles learned in the previous lab.

Step 6  Delete any crypto files on the Cisco ACE before beginning this lab.

  switch/Lab-OPT-PC# crypto delete all
  This operation will delete all crypto files for this context from the disk, but will not interrupt existing SSL services. If new SSL files are not applied SSL services will be disabled upon next vip inservice or device reload.
  Do you wish to proceed? (y/n) [n] y

Step 7

Create the server farm SSL-SF and add rservers LINUX-1 and LINUX-2 to it. Then create a load-balance policy map for the SSL-terminated traffic: call the policy map SSL-SLB, match all traffic sent to it, and send that traffic to the server farm SSL-SF.

  switch/Lab-OPT-PC(config)# policy-map type loadbalance first-match SSL-SLB
  switch/Lab-OPT-PC(config-pmap-lb)# class class-default
  switch/Lab-OPT-PC(config-pmap-lb-c)# serverfarm SSL-SF

Step 8

For the initial exercise, you will import the SSL certificates from the Linux Apache server. Telnet to the server and copy the certificate and key to the Cisco user directory.


Note  This is required because, by default, Apache installs the server certificate and key into a root-owned directory with permissions that allow only the owner to read and write the files. This prevents the FTP server from accessing the files. Overwrite the destination files if prompted.

  switch/Lab-OPT-PC(config-pmap-lb-c)# do telnet 192.168.1.11
  login: cisco
  Password for cisco: cisco
  [cisco@linux1 ~]$ su
  Password: cisco123
  [root@linux1 ~]# cp /etc/httpd/conf/ssl.crt/server.crt .
  [root@linux1 ~]# cp /etc/httpd/conf/ssl.key/server.key .
  [root@linux1 ~]# chmod 644 server.*

Step 9  Exit the Telnet session and begin importing the SSL files.

Note  The crypto import commands are exec-mode commands, not config-mode commands.

  switch/Lab-OPT-PC# crypto import ftp 192.168.1.11 cisco server.crt server.crt
  Password: cisco
  ?Invalid command          (this is a known issue; you can ignore this message)
  Passive mode on.
  Hash mark printing on (1024 bytes/hash mark).
  #
  Successfully imported file from remote server.
  switch/Lab-OPT-PC# crypto import ftp 192.168.1.11 cisco server.key server.key
  Password: cisco
  ?Invalid command          (this is a known issue; you can ignore this message)
  Passive mode on.
  Hash mark printing on (1024 bytes/hash mark).
  #
  Successfully imported file from remote server.
Step 10  Show the files.

  switch/Lab-OPT-PC# show crypto files
  Filename                                 File  File  Expor Key/
                                           Size  Type  table Cert
  -----------------------------------------------------------------
  server.crt                               1464  PEM   Yes   CERT
  server.key                               887   PEM   Yes   KEY

Step 11  Verify that the key and certificate match.

  switch/Lab-OPT-PC# crypto verify server.key server.crt
  Keypair in server.key matches certificate in server.crt.

Step 12  Create the SSL proxy service.

  switch/Lab-OPT-PC(config)# ssl-p service 171-SSL
  switch/Lab-OPT-PC(config-ssl-proxy)# cert server.crt
  switch/Lab-OPT-PC(config-ssl-proxy)# key server.key


Step 13  Create the class map virtual IP (VIP) for the SSL traffic.

  switch/Lab-OPT-PC(config-ssl-proxy)# class VIP-171
  switch/Lab-OPT-PC(config-cmap)# match virtual-address 172.16.PC.171 tcp eq https

Step 14  Create the policy map multi-match for the SSL traffic.

  switch/Lab-OPT-PC(config-cmap)# policy-map multi-match CLIENT-VIPS
  switch/Lab-OPT-PC(config-pmap)# class VIP-171
  switch/Lab-OPT-PC(config-pmap-c)# loadbalance vip inservice
  switch/Lab-OPT-PC(config-pmap-c)# loadbalance policy SSL-SLB
  switch/Lab-OPT-PC(config-pmap-c)# ssl-proxy server 171-SSL

Step 15  Show the service policy.

  switch/Lab-OPT-PC(config-pmap-c)# do show service-policy CLIENT-VIPS detail
  Status : ACTIVE
  Description:
  -----------------------------------------
  Interface: vlan 2PC
    service-policy: CLIENT-VIPS
      class: VIP-170
        loadbalance:
          L7 loadbalance policy: WEB-SLB
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
        L7 Loadbalance policy : WEB-SLB
          class/match : class-default
            LB action :
               serverfarm: WEBFARM
            hit count        : 0
            dropped conns    : 0
      class: VIP-171
        loadbalance:
          L7 loadbalance policy: SSL-SLB
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
        L7 Loadbalance policy : SSL-SLB
          class/match : class-default
            LB action :
               serverfarm: SSL-SF
            hit count        : 0
            dropped conns    : 0

Step 16

Test the SSL configuration by using a client browser to access https://172.16.PC.171/. Take time to verify that the certificate the client receives is the correct SSL certificate. Is the connection completely successful? View the service policy states.

  switch/Lab-OPT-PC(config-pmap-c)# do show service-policy CLIENT-VIPS detail
  Status : ACTIVE
  Description:
  -----------------------------------------
  Interface: vlan 2PC
    service-policy: CLIENT-VIPS
      class: VIP-170
        loadbalance:
          L7 loadbalance policy: WEB-SLB
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
        L7 Loadbalance policy : WEB-SLB
          class/match : class-default
            LB action :
               serverfarm: WEBFARM
            hit count        : 0
            dropped conns    : 0
      class: VIP-171
        loadbalance:
          L7 loadbalance policy: SSL-SLB
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 2
          dropped conns    : 0
          client pkt count : 15        , client byte count: 1461
          server pkt count : 8         , server byte count: 846
        L7 Loadbalance policy : SSL-SLB
          class/match : class-default
            LB action :
               serverfarm: SSL-SF
            hit count        : 2
            dropped conns    : 0

Step 17

Check the server farm. Can you find the problem?

  switch/Lab-OPT-PC(config-pmap-c)# do sho server SSL-SF
   serverfarm     : SSL-SF, type: HOST
   total rservers : 2
                                                   ----------connections-----------
          real                  weight     state          current    total
      ---+---------------------+------+------------+----------+--------------------
      rserver: LINUX-1
          192.168.1.11:0          8      OPERATIONAL     0          1
      rserver: LINUX-2
          192.168.1.12:0          8      OPERATIONAL     0          1

Note  The issue is that the server farm has Layer 3 rservers, that is, real servers defined by IP address only. This means that Cisco ACE will not implicitly translate the destination port of client requests (PAT). On the wire, the ACE load-balances the client to LINUX-1 or LINUX-2, and the server sees a TCP SYN to port 443 followed by a cleartext HTTP GET, which the Apache HTTPD server rejects; the result is a blank page after the client receives the SSL certificate.

Step 18  Make the rservers port-bound in the server farm to force Cisco ACE to implicitly translate the destination ports of incoming connections, directing them to the Apache HTTPD server listening on port 80.

  switch/Lab-OPT-PC(config-sfarm-host-rs)# rserver LINUX-1 80
  switch/Lab-OPT-PC(config-sfarm-host-rs)# rserver LINUX-2 80


Step 19  If this is all that is needed, test the site again. Is any configuration missing?

  switch/Lab-OPT-PC(config-sfarm-host-rs)# do sho run serverfarm
  Generating configuration....
  serverfarm host WEBFARM
    rserver LINUX-1
      inservice
    rserver LINUX-2
      inservice
    rserver LINUX-3
      inservice
    rserver LINUX-4
      inservice
    rserver LINUX-5
      inservice
  serverfarm host SSL-SF
    rserver LINUX-1
      inservice
    rserver LINUX-1 80
    rserver LINUX-2
      inservice
    rserver LINUX-2 80

Step 20  Notice that by adding port-bound rservers, the existing rservers were left as originally configured. Remove them and inservice the port-bound rservers.

  switch/Lab-OPT-PC(config-sfarm-host-rs)# rserver LINUX-1 80
  switch/Lab-OPT-PC(config-sfarm-host-rs)# ins
  switch/Lab-OPT-PC(config-sfarm-host-rs)# rserver LINUX-2 80
  switch/Lab-OPT-PC(config-sfarm-host-rs)# ins
  switch/Lab-OPT-PC(config-sfarm-host-rs)# no rserver LINUX-1
  switch/Lab-OPT-PC(config-sfarm-host)# no rserver LINUX-2
  switch/Lab-OPT-PC(config-sfarm-host)# do sho run serverfarm
  Generating configuration....
  serverfarm host WEBFARM
    rserver LINUX-1
      inservice
    rserver LINUX-2
      inservice
    rserver LINUX-3
      inservice
    rserver LINUX-4
      inservice
    rserver LINUX-5
      inservice
  serverfarm host SSL-SF
    rserver LINUX-1 80
      inservice
    rserver LINUX-2 80
      inservice
Step 21  Test the VIP again. Now the web page should appear. Verify that the server response byte count exceeds the client byte count.

  switch/Lab-OPT-PC(config-sfarm-host)# do show service-policy CLIENT-VIPS detail
  Status : ACTIVE
  Description:
  -----------------------------------------
  Interface: vlan 2PC
    service-policy: CLIENT-VIPS
      class: VIP-170
        loadbalance:
          L7 loadbalance policy: WEB-SLB
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
        L7 Loadbalance policy : WEB-SLB
          class/match : class-default
            LB action :
               serverfarm: WEBFARM
            hit count        : 0
            dropped conns    : 0
      class: VIP-171
        loadbalance:
          L7 loadbalance policy: SSL-SLB
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 13
          dropped conns    : 0
          client pkt count : 115       , client byte count: 11876
          server pkt count : 97        , server byte count: 54325
        L7 Loadbalance policy : SSL-SLB
          class/match : class-default
            LB action :
               serverfarm: SSL-SF
            hit count        : 13
            dropped conns    : 0

Activity Verification
You have completed this task when you can access web pages via SSL connections.


Task 2: Configure SSL Termination when You Must Create Certificates and Keys
Cisco ACE allows the user to create an RSA key pair and a certificate signing request (CSR). These are the core server-side components for obtaining an SSL certificate. The other required component is a certificate authority (CA). The CA can be a third-party company such as VeriSign or Thawte, or an in-house CA built with OpenSSL or the Microsoft CA Server.

Note  You cannot create self-signed certificates on the Cisco ACE appliance.

Activity Procedure
Complete these steps:
Step 1  In this lab task, you will reuse the server farm and load-balancing policy map created in the previous exercise.
Step 2  A crypto parameter map is required to define the parameters used in the generation of a Certificate Signing Request (CSR). The benefit of this is that the CSR can easily be re-created if needed, without reentering all the CSR data. Create a CSR parameter map and name it ACE-CSR-INFO.

  PodP-ACE/LAB-SSL-PC(config)# crypto csr-params ACE-CSR-INFO
  switch/Lab-OPT-PC(config-csr-params)# country US
  switch/Lab-OPT-PC(config-csr-params)# state California
  switch/Lab-OPT-PC(config-csr-params)# locality SJC
  switch/Lab-OPT-PC(config-csr-params)# organization-name Cisco
  switch/Lab-OPT-PC(config-csr-params)# organization-unit ADBU
  switch/Lab-OPT-PC(config-csr-params)# common-name www.example.com
  switch/Lab-OPT-PC(config-csr-params)# serial-number 1234
  switch/Lab-OPT-PC(config-csr-params)# email secadmin@example.com

Step 3  Show the defined crypto parameters.

  switch/Lab-OPT-PC# sho crypto csr-params all
  crypto csr-params ACE-CSR-INFO
    country US
    state California
    locality SJC
    organization-name Cisco
    organization-unit ADBU
    common-name www.example.com
    serial-number 1234
    email secadmin@example.com


Step 4  Before the CSR can be generated, an RSA key pair must be created. Use 1024 bits and name it ACEKEY. Delete an existing file if necessary. Once the key exists, the crypto generate csr command combines the public key with the information in the CSR parameter map to create a CSR in PEM format.

  switch/Lab-OPT-PC# crypto generate key 1024 ACEKEY
  switch/Lab-OPT-PC# sho crypto key ACEKEY
  1024 bit RSA keypair found in ACEKEY
  Modulus:
  c5:d3:28:fc:2b:dd:15:90:e9:8c:1e:f9:4d:87:ef:72:80:cc:d4:39:da:99:14:36:db:b6:
  52:a4:64:22:4a:f2:00:6f:df:e5:86:b6:45:cd:7c:59:cc:48:8e:d0:57:66:4c:cb:b1:b7:
  19:e5:90:26:e6:4e:48:38:f3:56:3f:4c:72:ff:40:8b:a1:99:12:95:0f:31:80:6d:a7:28:
  bc:f5:c0:37:76:97:b6:78:6d:92:f5:c7:90:c2:00:13:54:0b:b5:ad:77:8a:c5:fa:79:4c:
  fe:af:eb:58:17:dd:4e:ff:ad:07:0d:90:1d:e6:97:62:af:be:3e:d0:52:99:97:69:
  switch/Lab-OPT-PC# crypto generate csr ACE-CSR-INFO ACEKEY
  -----BEGIN CERTIFICATE REQUEST-----
  MIIBzzCCATgCAQAwgY4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
  MQwwCgYDVQQHEwNTSkMxDjAMBgNVBAoTBUNpc2NvMQ0wCwYDVQQLEwRBREJVMRgw
  FgYDVQQDEw93d3cuZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFHNlY2FkbWlu
  QGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF0yj8K90V
  kOmMHvlNh+9ygMzUOdqZFDbbtlKkZCJK8gBv3+WGtkXNfFnMSI7QV2ZMy7G3GeWQ
  JuZOSDjzVj9Mcv9Ai6GZEpUPMYBtpyi89cA3dpe2eG2S9ceQwgATVAu1rXeKxfp5
  TP6v61gX3U7/rQcNkB3ml2Kvvj7QUpmXaQIDAQABoAAwDQYJKoZIhvcNAQEEBQAD
  gYEAVcc+a0grYZiSKBn9p77RrSgPWNRIMn257pQcK+SYArEOGZVOenZFWCMqO4Pf
  7/sOiiE3okJEAKeq0HpcEpvGt+xl6SXVKNBjijLXUKuNMzQe3xJmBH90et2O+8fk
  XyHXJkQ5jHKKcr99Kd2JhTXLkB/WccQTPWuXA/8Mx2IQpb4=
  -----END CERTIFICATE REQUEST-----

Step 5

Sign the CSR, using the Linux server to make an SSL certificate, or obtain the certificate free of charge from Thawte or VeriSign. When using the Linux server, paste the Cisco ACE CSR into a file.

Note  The entire CSR, including the -----BEGIN and -----END lines, must be copied from the Cisco ACE and pasted into a file on the Linux server. The UNIX cat command used below copies from the terminal to a file. After pasting the CSR, press Enter to ensure that a final carriage return is present in the file; then end the cat command by pressing Control-D.

  switch/Lab-OPT-PC# telnet 192.168.1.11
  login: cisco
  Password for cisco: cisco
  [cisco@linux1 ~]$ su
  Password: cisco123
  [cisco@linux1 ~]# cat > acecsr
  -----BEGIN CERTIFICATE REQUEST-----
  MIIBzzCCATgCAQAwgY4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
  MQwwCgYDVQQHEwNTSkMxDjAMBgNVBAoTBUNpc2NvMQ0wCwYDVQQLEwRBREJVMRgw
  FgYDVQQDEw93d3cuZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFHNlY2FkbWlu
  QGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF0yj8K90V
  kOmMHvlNh+9ygMzUOdqZFDbbtlKkZCJK8gBv3+WGtkXNfFnMSI7QV2ZMy7G3GeWQ
  JuZOSDjzVj9Mcv9Ai6GZEpUPMYBtpyi89cA3dpe2eG2S9ceQwgATVAu1rXeKxfp5
  TP6v61gX3U7/rQcNkB3ml2Kvvj7QUpmXaQIDAQABoAAwDQYJKoZIhvcNAQEEBQAD
  gYEAVcc+a0grYZiSKBn9p77RrSgPWNRIMn257pQcK+SYArEOGZVOenZFWCMqO4Pf
  7/sOiiE3okJEAKeq0HpcEpvGt+xl6SXVKNBjijLXUKuNMzQe3xJmBH90et2O+8fk
  XyHXJkQ5jHKKcr99Kd2JhTXLkB/WccQTPWuXA/8Mx2IQpb4=
  -----END CERTIFICATE REQUEST-----
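Before handing the CSR to the CA it is worth checking what the ACE actually put into it. The following Python script is an added example (not part of this lab guide or of the ACE software): using only the standard library, it decodes the CSR printed in Step 4 with a minimal DER walker, lists the subject fields taken from the ACE-CSR-INFO parameter map and the RSA key details, and verifies the CSR's own signature with the public key it carries, which is the proof-of-possession check a CA performs before signing. The ACE_CSR_PEM constant is the CSR exactly as printed above; everything else is the example's own code.

```python
"""Decode the PKCS#10 CSR that `crypto generate csr` printed and check its self-signature (stdlib only)."""
import base64
import hashlib

# The CSR exactly as the ACE printed it in Task 2, Step 4 (copied from this lab guide).
ACE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBzzCCATgCAQAwgY4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MQwwCgYDVQQHEwNTSkMxDjAMBgNVBAoTBUNpc2NvMQ0wCwYDVQQLEwRBREJVMRgw
FgYDVQQDEw93d3cuZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFHNlY2FkbWlu
QGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF0yj8K90V
kOmMHvlNh+9ygMzUOdqZFDbbtlKkZCJK8gBv3+WGtkXNfFnMSI7QV2ZMy7G3GeWQ
JuZOSDjzVj9Mcv9Ai6GZEpUPMYBtpyi89cA3dpe2eG2S9ceQwgATVAu1rXeKxfp5
TP6v61gX3U7/rQcNkB3ml2Kvvj7QUpmXaQIDAQABoAAwDQYJKoZIhvcNAQEEBQAD
gYEAVcc+a0grYZiSKBn9p77RrSgPWNRIMn257pQcK+SYArEOGZVOenZFWCMqO4Pf
7/sOiiE3okJEAKeq0HpcEpvGt+xl6SXVKNBjijLXUKuNMzQe3xJmBH90et2O+8fk
XyHXJkQ5jHKKcr99Kd2JhTXLkB/WccQTPWuXA/8Mx2IQpb4=
-----END CERTIFICATE REQUEST-----"""

OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU",
    "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress",
    "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# PKCS#1 v1.5 DigestInfo prefixes (RFC 3447, section 9.2) keyed by signature algorithm.
DIGEST_INFO = {
    "md5WithRSAEncryption": ("md5", bytes.fromhex("3020300c06082a864886f70d020505000410")),
    "sha256WithRSAEncryption": ("sha256", bytes.fromhex("3031300d060960864801650304020105000420")),
}


def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos, full_encoding)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                              # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[pos + hdr:end], end, buf[pos:end]


def children(value):
    """Yield (tag, value, full_encoding) for each element inside a SEQUENCE or SET."""
    pos = 0
    while pos < len(value):
        tag, val, pos, raw = tlv(value, pos)
        yield tag, val, raw


def decode_oid(value):
    """Turn an encoded OBJECT IDENTIFIER into dotted-decimal form."""
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def parse_csr(pem):
    """Return the subject, RSA public key and signature fields of a PEM-encoded CSR."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    _, csr, _, _ = tlv(base64.b64decode(body))
    (_, cri, cri_der), (_, sig_alg, _), (_, sig_bits, _) = children(csr)
    # CertificationRequestInfo ::= SEQUENCE { version, subject, subjectPKInfo, attributes [0] }
    _, (_, subject, _), (_, spki, _), _ = children(cri)
    name = []
    for _, rdn, _ in children(subject):            # SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv, _ in children(rdn):
            (_, oid, _), (_, val, _) = children(atv)
            name.append((OID_NAMES.get(decode_oid(oid), decode_oid(oid)), val.decode("ascii")))
    (_, key_alg, _), (_, key_bits, _) = children(spki)
    _, rsa_key, _, _ = tlv(key_bits, 1)            # skip the BIT STRING unused-bits octet
    (_, n_bytes, _), (_, e_bytes, _) = children(rsa_key)
    n = int.from_bytes(n_bytes, "big")
    return {
        "subject": name, "n": n, "e": int.from_bytes(e_bytes, "big"), "key_bits": n.bit_length(),
        "key_alg": OID_NAMES.get(decode_oid(next(children(key_alg))[1])),
        "sig_alg": OID_NAMES.get(decode_oid(next(children(sig_alg))[1])),
        "signature": bytes(sig_bits[1:]), "cri_der": bytes(cri_der),
    }


def verify_self_signature(csr):
    """Check the CSR signature with the public key it carries: the CA's proof-of-possession test."""
    hash_name, prefix = DIGEST_INFO[csr["sig_alg"]]
    k = (csr["n"].bit_length() + 7) // 8
    em = pow(int.from_bytes(csr["signature"], "big"), csr["e"], csr["n"]).to_bytes(k, "big")
    digest = hashlib.new(hash_name, csr["cri_der"]).digest()
    expected = b"\x00\x01" + b"\xff" * (k - 3 - len(prefix) - len(digest)) + b"\x00" + prefix + digest
    return em == expected                          # exact EMSA-PKCS1-v1_5 comparison, no lenient scan


if __name__ == "__main__":
    info = parse_csr(ACE_CSR_PEM)
    print("Subject :", ", ".join(f"{k}={v}" for k, v in info["subject"]))
    print("Key     :", info["key_alg"], info["key_bits"], "bits, e =", info["e"])
    print("Modulus :", info["n"].to_bytes(info["key_bits"] // 8, "big").hex(":")[:47], "...")
    print("Signed  :", info["sig_alg"], "- self-signature valid:", verify_self_signature(info))
```

The modulus it prints can be compared directly with the sho crypto key ACEKEY output in Step 4, and the signature algorithm (md5WithRSAEncryption) is what the CA will see in the request.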


Step 6  Use openssl to create a Root CA certificate. Press Enter for all the default questions. In the real world, you would want to fill these out appropriately.

  [cisco@linux1 ~]$ openssl req -newkey rsa:1024 -nodes -x509 -keyout rootCAkey.pem -out rootCAcert.pem -config /opt/lampp/etc/openssl.cnf
  Generating a 1024 bit RSA private key
  ...........................................++++++
  .......................++++++
  writing new private key to 'rootCAkey.pem'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [GB]:
  State or Province Name (full name) [Berkshire]:
  Locality Name (eg, city) [Newbury]:
  Organization Name (eg, company) [My Company Ltd]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:
  Email Address []:

Step 7

Notice that the previous openssl command created two new files, which will be used to sign the Cisco ACE CSR.

  [cisco@linux1 ~]$ ls -lrt | tail -3
  -rw-r--r-- 1 cisco root  704 Jun 26 05:22 httpd.cnf
  -rw-r--r-- 1 cisco root  887 Jun 26 05:37 rootCAkey.pem
  -rw-r--r-- 1 cisco root 1001 Jun 26 05:37 rootCAcert.pem

  [cisco@linux1 ~]$ openssl x509 -in /root/acecsr -req -days 365 -CA rootCAcert.pem -CAkey rootCAkey.pem -set_serial 1234 -out ACECERT.pem
  Signature ok
  subject=/C=US/ST=California/L=SJC/O=Cisco/OU=ADBU/CN=www.example.com/emailAddress=secadmin@example.com
  Getting CA Private Key

Step 8

You can use openssl to view and verify the new SSL certificate.

  [cisco@linux1 ~]$ openssl x509 -in ACECERT.pem -text
  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number: 1234 (0x4d2)
          Signature Algorithm: md5WithRSAEncryption
          Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd
          Validity
              Not Before: Jun 26 12:38:30 2006 GMT
              Not After : Jun 26 12:38:30 2007 GMT
          Subject: C=US, ST=California, L=SJC, O=Cisco, OU=ADBU, CN=www.example.com/emailAddress=secadmin@example.com
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (1024 bit)
                  Modulus (1024 bit):
                      00:c5:d3:28:fc:2b:dd:15:90:e9:8c:1e:f9:4d:87:
                      ef:72:80:cc:d4:39:da:99:14:36:db:b6:52:a4:64:
                      22:4a:f2:00:6f:df:e5:86:b6:45:cd:7c:59:cc:48:
                      8e:d0:57:66:4c:cb:b1:b7:19:e5:90:26:e6:4e:48:
                      38:f3:56:3f:4c:72:ff:40:8b:a1:99:12:95:0f:31:
                      80:6d:a7:28:bc:f5:c0:37:76:97:b6:78:6d:92:f5:
                      c7:90:c2:00:13:54:0b:b5:ad:77:8a:c5:fa:79:4c:
                      fe:af:eb:58:17:dd:4e:ff:ad:07:0d:90:1d:e6:97:
                      62:af:be:3e:d0:52:99:97:69
                  Exponent: 65537 (0x10001)
      Signature Algorithm: md5WithRSAEncryption
          5a:74:ac:0a:72:51:d3:fc:bc:c3:de:c5:d1:6f:89:db:9a:13:
          63:d5:d0:25:65:c4:81:79:5a:f5:12:fb:07:62:c9:7d:32:a0:
          4b:77:b5:4a:7f:97:35:fa:b8:e8:e9:3b:6a:c9:d6:af:28:df:
          a9:a8:20:0f:c9:90:d4:7a:01:d6:0f:6b:ff:63:d9:bf:d7:7d:
          17:32:c5:8b:52:88:1a:63:41:bb:d1:49:15:b6:78:0e:7d:34:
          d7:48:23:83:c3:b6:26:b4:80:dc:cf:c9:4a:0e:54:b5:15:50:
          07:9f:e1:ff:cd:5b:5f:87:67:b3:78:ff:fa:44:80:ad:9e:92:
          d2:16
  -----BEGIN CERTIFICATE-----
  MIICSzCCAbQCAgTSMA0GCSqGSIb3DQEBBAUAMEwxCzAJBgNVBAYTAkdCMRIwEAYD
  VQQIEwlCZXJrc2hpcmUxEDAOBgNVBAcTB05ld2J1cnkxFzAVBgNVBAoTDk15IENv
  bXBhbnkgTHRkMB4XDTA2MDYyNjEyMzgzMFoXDTA3MDYyNjEyMzgzMFowgY4xCzAJ
  BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMQwwCgYDVQQHEwNTSkMxDjAM
  BgNVBAoTBUNpc2NvMQ0wCwYDVQQLEwRBREJVMRgwFgYDVQQDEw93d3cuZXhhbXBs
  ZS5jb20xIzAhBgkqhkiG9w0BCQEWFHNlY2FkbWluQGV4YW1wbGUuY29tMIGfMA0G
  CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF0yj8K90VkOmMHvlNh+9ygMzUOdqZFDbb
  tlKkZCJK8gBv3+WGtkXNfFnMSI7QV2ZMy7G3GeWQJuZOSDjzVj9Mcv9Ai6GZEpUP
  MYBtpyi89cA3dpe2eG2S9ceQwgATVAu1rXeKxfp5TP6v61gX3U7/rQcNkB3ml2Kv
  vj7QUpmXaQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFp0rApyUdP8vMPexdFvidua
  E2PV0CVlxIF5WvUS+wdiyX0yoEt3tUp/lzX6uOjpO2rJ1q8o36moIA/JkNR6AdYP
  a/9j2b/XfRcyxYtSiBpjQbvRSRW2eA59NNdII4PDtia0gNzPyUoOVLUVUAef4f/N
  W1+HZ7N4//pEgK2ektIW
  -----END CERTIFICATE-----

Step 9

After the certificate is created, simply import it, using cut and paste or FTP.

  switch/Lab-OPT-PC# crypto import terminal ACECERT
  Please enter PEM formatted data. End with "quit" on a new line.
  -----BEGIN CERTIFICATE-----
  MIICSzCCAbQCAgTSMA0GCSqGSIb3DQEBBAUAMEwxCzAJBgNVBAYTAkdCMRIwEAYD
  VQQIEwlCZXJrc2hpcmUxEDAOBgNVBAcTB05ld2J1cnkxFzAVBgNVBAoTDk15IENv
  bXBhbnkgTHRkMB4XDTA2MDYyNjEyMzgzMFoXDTA3MDYyNjEyMzgzMFowgY4xCzAJ
  BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMQwwCgYDVQQHEwNTSkMxDjAM
  BgNVBAoTBUNpc2NvMQ0wCwYDVQQLEwRBREJVMRgwFgYDVQQDEw93d3cuZXhhbXBs
  ZS5jb20xIzAhBgkqhkiG9w0BCQEWFHNlY2FkbWluQGV4YW1wbGUuY29tMIGfMA0G
  CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF0yj8K90VkOmMHvlNh+9ygMzUOdqZFDbb
  tlKkZCJK8gBv3+WGtkXNfFnMSI7QV2ZMy7G3GeWQJuZOSDjzVj9Mcv9Ai6GZEpUP
  MYBtpyi89cA3dpe2eG2S9ceQwgATVAu1rXeKxfp5TP6v61gX3U7/rQcNkB3ml2Kv
  vj7QUpmXaQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFp0rApyUdP8vMPexdFvidua
  E2PV0CVlxIF5WvUS+wdiyX0yoEt3tUp/lzX6uOjpO2rJ1q8o36moIA/JkNR6AdYP
  a/9j2b/XfRcyxYtSiBpjQbvRSRW2eA59NNdII4PDtia0gNzPyUoOVLUVUAef4f/N
  W1+HZ7N4//pEgK2ektIW
  -----END CERTIFICATE-----
  quit

Step 10

Show the files.

  switch/Lab-OPT-PC# show crypto files
  Filename                                 File  File  Expor Key/
                                           Size  Type  table Cert
  -----------------------------------------------------------------
  server.crt                               1464  PEM   Yes   CERT
  server.key                               887   PEM   Yes   KEY
  ACEKEY                                   891   PEM   Yes   KEY
  ACECERT                                  855   PEM   Yes   CERT

Step 11  Verify that the key and certificate match.

  switch/Lab-OPT-PC# crypto verify ACEKEY ACECERT
  Keypair in ACEKEY matches certificate in ACECERT.


Step 12  For this example, force the Cisco ACE VIP to accept connections only from clients capable of using the RC4-128-MD5 cipher (regarded as a standard strong cipher when this guide was written). Create a parameter map of type ssl, called RC4-ONLY.

Reference  An SSL parameter map defines the SSL session parameters that the Cisco ACE applies to an SSL proxy service. Creating an SSL parameter map allows you to apply the same SSL session parameters to different proxy services.

  switch/Lab-OPT-PC# conf
  Enter configuration commands, one per line.  End with CNTL/Z.
  switch/Lab-OPT-PC(config)# parameter-map type ssl RC4-ONLY
  switch/Lab-OPT-PC(config-parammap-ssl)# cipher <TAB>
    RSA_EXPORT1024_WITH_DES_CBC_SHA   RSA_WITH_AES_128_CBC_SHA
    RSA_EXPORT1024_WITH_RC4_56_MD5    RSA_WITH_AES_256_CBC_SHA
    RSA_EXPORT1024_WITH_RC4_56_SHA    RSA_WITH_DES_CBC_SHA
    RSA_EXPORT_WITH_DES40_CBC_SHA     RSA_WITH_RC4_128_MD5
    RSA_EXPORT_WITH_RC4_40_MD5        RSA_WITH_RC4_128_SHA
    RSA_WITH_3DES_EDE_CBC_SHA
  switch/Lab-OPT-PC(config-parammap-ssl)# cipher RSA_WITH_RC4_128_MD5
Step 13  Create a new SSL proxy service for this particular SSL VIP.

  switch/Lab-OPT-PC(config-parammap-ssl)# ssl-proxy service ACE-SSL-RC4
  switch/Lab-OPT-PC(config-ssl-proxy)# cert ACECERT
  switch/Lab-OPT-PC(config-ssl-proxy)# key ACEKEY
  switch/Lab-OPT-PC(config-ssl-proxy)# ssl advanced-options RC4-ONLY

Step 14  Create the class map VIP for the SSL traffic.

  switch/Lab-OPT-PC(config-ssl-proxy)# class VIP-172-SSL-RC4
  switch/Lab-OPT-PC(config-cmap)# match vir 172.16.PC.172 tcp eq 443

Step 15  Create the policy multi-match for the SSL traffic.

  switch/Lab-OPT-PC(config-cmap)# pol multi CLIENT-VIPS
  switch/Lab-OPT-PC(config-pmap)# class VIP-172-SSL-RC4
  switch/Lab-OPT-PC(config-pmap-c)# load vip ins
  switch/Lab-OPT-PC(config-pmap-c)# load pol SSL-SLB
  switch/Lab-OPT-PC(config-pmap-c)# ssl-proxy server ACE-SSL-RC4

Step 16  Show the service policy.

  switch/Lab-OPT-PC(config-pmap-c)# do show service CLIENT-VIPS detail
  Status : ACTIVE
  Description:
  -----------------------------------------
  Interface: vlan 2PC
    service-policy: CLIENT-VIPS
      class: VIP-170
        loadbalance:
          L7 loadbalance policy: WEB-SLB
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
        L7 Loadbalance policy : WEB-SLB
          class/match : class-default
            LB action :
               serverfarm: WEBFARM
            hit count        : 0
            dropped conns    : 0
      class: VIP-171
        loadbalance:
          L7 loadbalance policy: SSL-SLB
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 13
          dropped conns    : 0
          client pkt count : 115       , client byte count: 11876
          server pkt count : 97        , server byte count: 54325
        L7 Loadbalance policy : SSL-SLB
          class/match : class-default
            LB action :
               serverfarm: SSL-SF
            hit count        : 13
            dropped conns    : 0
      class: VIP-172-SSL-RC4
        loadbalance:
          L7 loadbalance policy: SSL-SLB
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
        L7 Loadbalance policy : SSL-SLB
          class/match : class-default
            LB action :
               serverfarm: SSL-SF
            hit count        : 13
            dropped conns    : 0

Step 17

Test the SSL configuration by using a client browser to reach https://172.16.PC.172/. Take time to verify that the certificate the client receives is the correct SSL certificate. Is the connection completely successful? View the service policy states.

  switch/Lab-OPT-PC(config-pmap-c)# do show service CLIENT-VIPS detail
  Status : ACTIVE
  Description:
  -----------------------------------------
  Interface: vlan 2PC
    service-policy: CLIENT-VIPS
      class: VIP-170
        loadbalance:
          L7 loadbalance policy: WEB-SLB
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
        L7 Loadbalance policy : WEB-SLB
          class/match : class-default
            LB action :
               serverfarm: WEBFARM
            hit count        : 0
            dropped conns    : 0
            compression      : off
            compression: bytes_in : 0          bytes_out : 0
      class: VIP-171
        loadbalance:
          L7 loadbalance policy: SSL-SLB
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 13
          dropped conns    : 0
          client pkt count : 115       , client byte count: 11876
          server pkt count : 97        , server byte count: 54325
        L7 Loadbalance policy : SSL-SLB
          class/match : class-default
            LB action :
               serverfarm: SSL-SF
            hit count        : 24
            dropped conns    : 0
            compression      : off
            compression: bytes_in : 0          bytes_out : 0
      class: VIP-172-SSL-RC4
        loadbalance:
          L7 loadbalance policy: SSL-SLB
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 11
          dropped conns    : 0
          client pkt count : 96        , client byte count: 9797
          server pkt count : 83        , server byte count: 50479
        L7 Loadbalance policy : SSL-SLB
          class/match : class-default
            LB action :
               serverfarm: SSL-SF
            hit count        : 24
            dropped conns    : 0
            compression      : off
            compression: bytes_in : 0          bytes_out : 0

Activity Verification
You have completed this task when you attain these results:
- Created an RSA key and CSR on Cisco ACE
- Used OpenSSL to create a Root CA cert and key
- Used OpenSSL to sign the Cisco ACE CSR to make it an SSL certificate
- Applied the Cisco ACE SSL certificate, and verified that SSL termination works as expected


Task 3: Apply the Baseline Configuration


The Cisco ACE ensures that no duplicate IPs exist across contexts per VLAN. Because of the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the server, so that the VLAN interface can be reused in the remaining labs.

Activity Procedure
Use the checkpoint feature to roll back to baseline-mgmt.
  switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt
  This operation will rollback the system's running configuration to the checkpoint's configuration.
  Do you wish to proceed? (y/n) [n] y
  Rollback in progress, please wait...
  Generating configuration....
  Rollback succeeded

Activity Verification
You have completed this task when you have removed the server VLAN from the context.


Lab 8 Answer Key


SSL Termination Configuration (Task 1)
switch/Lab-OPT-PC(config-sfarm-host)# do sho run
Generating configuration....
login timeout 0
access-list everyone line 10 extended permit tcp any any
rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice
ssl-proxy service 171-SSL
  key server.key
  cert server.crt
serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice
serverfarm host SSL-SF
  rserver LINUX-1 80
    inservice
  rserver LINUX-2 80
    inservice
class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map match-all VIP-171
  2 match virtual-address 172.16.PC.171 tcp eq https
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match remote-mgmt
  class remote-access
    permit
policy-map type loadbalance first-match WEB-SLB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match SSL-SLB
  class class-default
    serverfarm SSL-SF
policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-SLB
  class VIP-171
    loadbalance vip inservice
    loadbalance policy SSL-SLB
    ssl-proxy server 171-SSL
interface vlan 2PC
  description Client vlan
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.PC.1
username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/  role Admin domain default-domain


SSL Termination Configuration Using the Cisco ACE-Created CSR and Limiting Client to the RC4 Cipher (Task 2)
switch/Lab-OPT-PC# sho run
Generating configuration....
login timeout 0
crypto csr-params ACE-CSR-INFO
  country US
  state California
  locality SJC
  organization-name Cisco
  organization-unit ADBU
  common-name www.example.com
  serial-number 1234
  email secadmin@example.com
access-list everyone line 10 extended permit tcp any any
parameter-map type ssl RC4-ONLY
  cipher RSA_WITH_RC4_128_MD5
ssl-proxy service 171-SSL
  key server.key
  cert server.crt
ssl-proxy service ACE-SSL-RC4
  key ACEKEY
  cert ACECERT
  ssl advanced-options RC4-ONLY
rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice
rserver host LINUX-5
  ip address 192.168.1.15
  inservice
serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
  rserver LINUX-5
    inservice
serverfarm host SSL-SF
  rserver LINUX-1 80
    inservice
  rserver LINUX-2 80
    inservice
class-map match-all VIP-170
  2 match virtual-address 172.16.PC.170 any
class-map match-all VIP-171
  2 match virtual-address 172.16.PC.171 tcp eq https
class-map match-all VIP-172-SSL-RC4
  2 match virtual-address 172.16.PC.172 tcp eq https
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match remote-mgmt
  class remote-access
    permit
policy-map type loadbalance first-match WEB-SLB
  class class-default
    serverfarm WEBFARM
policy-map type loadbalance first-match SSL-SLB
  class class-default
    serverfarm SSL-SF
policy-map multi-match CLIENT-VIPS
  class VIP-170
    loadbalance vip inservice
    loadbalance policy WEB-SLB
  class VIP-171
    loadbalance vip inservice
    loadbalance policy SSL-SLB
    ssl-proxy server 171-SSL
  class VIP-172-SSL-RC4
    loadbalance vip inservice
    loadbalance policy SSL-SLB
    ssl-proxy server ACE-SSL-RC4
interface vlan 2PC
  description Client vlan
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.PC.1
username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/  role Admin domain default-domain


Lab 9: Enabling HTTP Optimizations


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will configure your Cisco ACE context to monitor real servers. After completing this exercise, you will be able to meet these objectives:
  Define application acceleration parameters
  Test application acceleration

Required Resources
These are the resources and equipment that are required to complete this activity:
  Catalyst 6500 with Supervisor 720
  Cisco 4710 Application Control Engine Appliance
  Server minimally running Telnet and HTTP


Task 1: Enable HTTP Optimizations


The Neufoo applications team has been receiving complaints about application response time and overall performance. They have begun to examine things from the server side, but you know that the Cisco ACE can assist in client-side delivery with the new web optimization features. In this section, you will configure the Cisco ACE to address a variety of application delivery-related problems. You will experiment with three optimizations:
  Compression
  Delta optimization
  FlashForward

Activity Procedure
Complete these steps:
Step 1

From the client PC, connect to 172.16.PC.20.

Step 2

Verify that you are in the correct context by looking at the prompt:

switch/Lab-OPT-PC

Step 3

Within Lab-OPT-PC, use the checkpoint rollback command to roll back to optstart.

Step 4

Apply compression to the virtual IPs (VIPs) that you have created. Compression is a simple optimization, supported by the HTTP 1.1 standard. It reduces bandwidth usage over the network, and usually improves response times for the user as well. You can easily configure the Cisco ACE to compress responses from the 191 VIP by adding the following to the POM-L7lb policy map.

switch/Lab-OPT-PC(config)# policy-map type loadbalance first-match POM-L7lb
switch/Lab-OPT-PC(config-pmap-lb)# class CM-DELTA
switch/Lab-OPT-PC(config-pmap-lb-c)# compress default-method deflate

This configuration change uses deflate as the default method of compression. You can easily verify that compression is working by examining the response from the VIP. The HTTP headers of an HTML response should carry the correct Content-Encoding value, and the HTTP payload itself will be compressed binary. For a given page, the size over the wire should also be significantly smaller, reduced by as much as 90%.

Step 5

Using the HTTP Analyzer tool for Internet Explorer, verify that the response has been compressed. Open the Internet Explorer browser and click View > Explorer Bar > IE HTTP Analyzer. You should see that the application is now open within the Internet Explorer browser. Now you can simultaneously use Internet Explorer to send a request to the VIP and examine the HTTP headers.

Step 6

A particular page that has certain remote users upset is a simple page that lists important details for the day. For some reason, this page takes a long time to load when accessed by certain users. Examine the page in the Internet Explorer HTTP Analyzer by accessing it at http://172.16.PC.190/neufoo/big.php. You should see that, although the page is very simple, it is very large. Perhaps the developers made a mistake when they created it.

Step 7

Note the size and the response time in the HTTP Analyzer for an HTTP 200 response.

Step 8

Now access the same page from the VIP with compression enabled by browsing to http://172.16.PC.191/neufoo/big.php. You should see a big difference in the size of the response from this VIP for the same content. How does the response time compare? Although this page is very large, when accessed across the LAN, it is downloaded in a few hundred milliseconds. Could this be the delay the users were referring to? The simple answer is no. None of the complaints logged by the Neufoo tech support came from users inside the Neufoo corporate office. In fact, all the complaints came from users in remote locations, and they reported delays on the order of seconds. One thing these users have in common is an Internet connection with limited bandwidth (mostly DSL lines shared with their children at home, who use bandwidth by playing video games) or high latency (that remote team in India with a 400 ms delay). Simulating the conditions of these users would more readily reproduce the poor performance reported.
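The check that Steps 5 through 8 perform by eye in HTTP Analyzer can be scripted. The following is an added example, not code from the lab guide or from Cisco: it parses a raw HTTP/1.1 response, reads the Content-Encoding header, inflates the deflate (or gzip) payload and reports the wire size, the decoded size and the percentage saved, which is what you compare between the 190 and 191 VIPs. The sample response is constructed inline (a hypothetical page body, not captured from the lab) so the script runs offline; point parse_response() at bytes read from a socket or a capture to inspect a real VIP.

```python
import gzip
import zlib
from typing import Dict, Optional, Tuple

# Constructed sample body: a simple page with a lot of repeated markup,
# which is the kind of content deflate shrinks by 90% or more.
HTML_BODY = (
    "<html><body>" + "<p>Important details for the day.</p>" * 200 + "</body></html>"
).encode()


def build_response(body: bytes, encoding: Optional[str]) -> bytes:
    """Build a raw HTTP/1.1 200 response, optionally compressed the way a VIP
    with 'compress default-method deflate' (or gzip) would send it."""
    if encoding == "deflate":
        payload = zlib.compress(body)          # zlib-wrapped deflate, RFC 1950
    elif encoding == "gzip":
        payload = gzip.compress(body)
    elif encoding is None:
        payload = body
    else:
        raise ValueError(f"unsupported encoding {encoding!r}")
    headers = ["HTTP/1.1 200 OK", "Content-Type: text/html",
               f"Content-Length: {len(payload)}"]
    if encoding:
        headers.append(f"Content-Encoding: {encoding}")
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + payload


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw response into status line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_compression(raw: bytes) -> Dict[str, object]:
    """Report what HTTP Analyzer shows: encoding, bytes on the wire, decoded bytes
    and the saving. Raises if Content-Length disagrees with the payload actually
    received, which is the first thing to check when a page renders as garbage."""
    status, headers, body = parse_response(raw)
    encoding = headers.get("content-encoding", "identity")
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError("Content-Length does not match the payload length")
    if encoding == "deflate":
        try:
            decoded = zlib.decompress(body)                    # zlib-wrapped deflate
        except zlib.error:
            decoded = zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate, sent by some servers
    elif encoding == "gzip":
        decoded = gzip.decompress(body)
    elif encoding == "identity":
        decoded = body
    else:
        raise ValueError(f"unsupported Content-Encoding: {encoding}")
    savings = round(100.0 * (1 - len(body) / len(decoded)), 1) if decoded else 0.0
    return {"status": status, "encoding": encoding, "wire_bytes": len(body),
            "decoded_bytes": len(decoded), "savings_pct": savings}


if __name__ == "__main__":
    for enc in (None, "deflate"):
        print(enc or "uncompressed", inspect_compression(build_response(HTML_BODY, enc)))
```

The raw-deflate fallback matters in practice: some servers send deflate payloads without the zlib wrapper, and a checker that handles only one form reports a compressed page as corrupt.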

Step 9

Create parameter-maps that define the behavior of some of our other optimizations. You will specify a cache time (for the FlashForward feature) such that the Cisco ACE will check the freshness of any embedded objects in our web pages at least once a minute and set up persistent rebalance as well.
switch/Lab-OPT-PC(config)# parameter-map type optimization http PM-DEF
switch/Lab-OPT-PC(config)# parameter-map type optimization http PM-DFF
switch/Lab-OPT-PC(config-parammap-optmz)# cache ttl max 60
switch/Lab-OPT-PC(config-parammap-optmz)# cache ttl min 0
switch/Lab-OPT-PC(config)# parameter-map type http PM-REB
switch/Lab-OPT-PC(config-parammap-http)# persistence-rebalance

Step 10

Define the optimizations that will be applied in an action list. In this case, you will use delta optimization and FlashForward. Delta optimization will also assist with bandwidth usage, by allowing the client to only download changes to a given dynamic HTML page since the last visit, rather than the entire page. FlashForward helps in cases where latency is an issue, by preventing unnecessary requests (and their responses) from traveling the wide-area network.
switch/Lab-OPT-PC(config)# action-list type optimization http AL-DEF
switch/Lab-OPT-PC(config-actlist-optm)# delta
switch/Lab-OPT-PC(config-actlist-optm)# flashforward
switch/Lab-OPT-PC(config)# action-list type optimization http AL-DFF
switch/Lab-OPT-PC(config-actlist-optm)# flashforward-object

Step 11

Construct a class map that will look for embedded objects. You already have a class map that matches all HTTP content (CM-DELTA). These URL classes let you choose which HTTP data has optimizations applied to it.

switch/Lab-OPT-PC(config)# class-map type http loadbalance match-any CM-DFF
switch/Lab-OPT-PC(config-cmap-http-lb)# match http url .*gif
switch/Lab-OPT-PC(config-cmap-http-lb)# match http url .*jpg

Step 12

Create a policy map that will apply the optimization actions that you will then bundle to a VIP. The optimization policy map simply associates types of actions with parameters that modify their behavior. Note that because this policy is a first-match, the order in which the classes of traffic are processed is important. For this lab, you want to match against embedded objects in a page first, before you process the rest of the URLs.

switch/Lab-OPT-PC(config)# policy-map type optimization http first-match POM-OPT
switch/Lab-OPT-11(config-pmap-optmz)# class CM-DFF
switch/Lab-OPT-11(config-pmap-optmz-c)# action AL-DFF parameter PM-DFF
switch/Lab-OPT-11(config-pmap-optmz-c)# class CM-DELTA
switch/Lab-OPT-11(config-pmap-optmz-c)# action AL-DEF parameter PM-DEF
Step 13

Apply the optimizations to your existing VIP classes.


switch/Lab-OPT-PC(config)# policy-map multi-match POM-LBVIP
switch/Lab-OPT-PC(config-pmap)# class LB-VIP
switch/Lab-OPT-PC(config-pmap-c)# optimize http policy POM-OPT
switch/Lab-OPT-PC(config-pmap-c)# appl-parameter http advanced-options PM-REB

Step 14

Verify that the optimizations have been configured on the Cisco ACE, using the show service-policy command.
switch/Lab-OPT-PC# show service-policy POM-LBVIP detail
Status : ACTIVE
Description:
-----------------------------------------
Interface: vlan 1 2PC
  service-policy: POM-LBVIP
    class: LB-VIP
      VIP Address:    Protocol:  Port:
      172.16.PC.191   any
      loadbalance:
        L7 loadbalance policy: POM-L7LB
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 176
        dropped conns    : 0
        client pkt count : 1353      , client byte count: 120247
        server pkt count : 2029      , server byte count: 1644932
        L7 Loadbalance policy : POM-L7LB
          class/match : CM-DELTA
            LB action :
               serverfarm: web_servers
            hit count        : 175
            dropped conns    : 0
            compression      : on
          class/match : class-default
            LB action :
               serverfarm: web_servers
            hit count        : 0
            dropped conns    : 0
            compression      : off
        compression:
          bytes_in  : 325934      bytes_out : 154676
      optimization:
        L7 optimization policy: POM-OPT
Step 15

Access http://172.16.PC.191/ to see the optimization features in action (using Internet Explorer HTTP Analyzer). Verify that the optimizations are functioning by using an HTTP or network tracing tool. You should see several changes in the HTML payload delivered through the Cisco ACE. For the FlashForward feature, confirm that the filenames of objects (images, and so on) in the web page have been modified, and that the cache values are set to expire approximately two years in the future. For delta encoding, confirm that the response through the Cisco ACE is a delta page that consists of a series of JavaScript instructions.


Answer Key for Lab 9


login timeout 0

logging enable
logging buffered 6

access-list everyone line 10 extended permit ip any any

parameter-map type optimization http PM-DEF
parameter-map type optimization http PM-DFF
  cache ttl max 60
  cache ttl min 0
parameter-map type http PM-REB
  persistence-rebalance

action-list type optimization http AL-DEF
  delta
  flashforward
action-list type optimization http AL-DFF
  flashforward-object

rserver host server1
  ip address 192.168.1.11
  inservice
rserver host server2
  ip address 192.168.1.12
  inservice

serverfarm host web_servers
  rserver server1
    inservice
  rserver server2
    inservice

class-map type http loadbalance match-all CM-DELTA
  2 match http url .*
class-map type http loadbalance match-any CM-DFF
  2 match http url .*jpg
  3 match http url .*gif
class-map match-all LB-VIP
  2 match virtual-address 172.16.PC.191 any
class-map match-all NO-OPT-VIP
  2 match virtual-address 172.16.PC.190 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  201 match protocol telnet any
  202 match protocol ssh any
  203 match protocol icmp any
  204 match protocol http any
  205 match protocol https any
  206 match protocol snmp any
  207 match protocol xml-https any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match NO-OPT-LB
  class CM-DELTA
    serverfarm web_servers
  class class-default
    serverfarm web_servers
policy-map type loadbalance first-match POM-L7Lb
  class CM-DELTA
    serverfarm web_servers
    compress default-method deflate
  class class-default
    serverfarm web_servers
    compress default-method deflate

policy-map type optimization http first-match POM-OPT
  class CM-DFF
    action AL-DFF parameter PM-DFF
  class CM-DELTA
    action AL-DEF parameter PM-DEF

policy-map multi-match POM-LBVIP
  class LB-VIP
    loadbalance vip inservice
    loadbalance policy POM-L7Lb
    optimize http policy POM-OPT
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options pmap1

interface vlan 211
  ip address 172.16.PC.20 255.255.255.0
  access-group input web
  service-policy input remote-mgmt
  service-policy input client-vips
  no shutdown
interface vlan 411
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input src-nat-servers
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0  role Admin domain default-domain
username secops password 5 $1$ZUdFMk7n$bjMjyAXHaUC8viJR6mkmq/  role Security-Admin domain infosec

snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community public group Network-Monitor
snmp-server trap-source vlan 211


Lab 10: Integrating Multiple Features


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will configure your Cisco ACE context to perform a variety of functions in an integrated environment. After completing this exercise, you will be able to meet these objectives:
  Create a virtual IP address to accept web traffic
  Apply source IP sticky to ensure client persistence
  Apply probes to ensure that real servers are working properly
  Create a virtual IP address to accept clear application traffic
  Create a virtual IP address to accept secure application traffic
  Configure SSL acceleration
  Apply probe and cookie insert sticky to ensure client persistence
  Create a domain for the security team
  Allow direct server access and server-initiated connections
  Configure HTTP normalization

The features you configure will provide the following services:
  Web (HTTP and HTTPS with source IP sticky):
    Layer 3 VIPs
    Source IP sticky
    Health monitoring on port 80 with real SSL probe
  Web with SSL offload (HTTP and HTTPS with cookie sticky):
    Layer 4 VIPs
    SSL termination
    Health monitoring on port 80
    Sticky to tie them together with cookie insert
  Effective use of RBAC and domains:
    ACLs (security role and domain)
    Permit only 80 and 443
    Allow server management access only (require source NAT)
  Add HTTP normalization:
    Deobfuscation
    Misuse
  Source NAT for SERVER-INITIATED connections


Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Integrating Multiple Features. An interface service-policy (applied to any interface) references a multi-match policy map; its client traffic class map matches VIP connections, and the load-balancing policy map's default class sends traffic to the serverfarm on the ACE, which contains Real Server 1 and Real Server 2 (Servers). Only traffic destined to a VIP is allowed.]

Required Resources
These are the resources and equipment that are required to complete this activity:
  Cisco 4710 Application Control Engine Appliance
  Server minimally running Telnet, FTP, and HTTP


Task 1: Create a Virtual IP Address to Accept Web Traffic


In this task, you will create a virtual IP address to accept web traffic.

Activity Procedure
Complete these steps:
Step 1

Connect to your client PC.

Step 2

Connect directly to the Cisco ACE management IP address for your Lab 10 context.

C:\> telnet 172.16.PC.20
Trying 172.16.PC.20...
Connected to 172.16.PC.20 (172.16.PC.20).
Escape character is '^]'.

User Access Verification

Username: cisco
Password: cisco123

Step 3

Verify that you are in the correct context by looking at the prompt.
switch/Lab-OPT-PC#

Step 4

Use the checkpoint system to roll the configuration to the baseline-mgmt.

Step 5

Create a class map for the Layer 3 virtual IP (VIP).

class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any

Step 6

Create Layer 3 rserver entries for the two real servers, so that Cisco ACE knows about them.
rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice

Step 7

Create the Layer 3 interface (4PC), give it the IP address 192.168.1.1/24, and activate the interface.
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  no shutdown


Step 8

Use the show arp command to verify that the Cisco ACE appliance has network connectivity to the real servers.
show arp

Context Lab-OPT-11
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type       Encap  NextArp(s)  Status
================================================================================
127.1.0.128     00.12.43.dc.73.00  vlan1      INTERFACE  LOCAL  _           up
127.1.0.192     00.12.43.dc.73.00  vlan1      STATIC     4      _           up
172.16.PC.1     00.17.df.92.d0.00  vlan2PC    GATEWAY    36     238 sec     up
172.16.PC.20    02.04.06.02.8e.18  vlan2PC    INTERFACE  LOCAL  _           up
192.168.1.1     02.04.06.02.8e.18  vlan4PC    INTERFACE  LOCAL  _           up
192.168.1.10    00.50.56.13.11.10  vlan4PC    LEARNED    74     14176 sec   up
192.168.1.11    00.50.56.13.11.10  vlan4PC    RSERVER    73     71 sec      up
192.168.1.12    00.50.56.13.11.10  vlan4PC    LEARNED    75     14285 sec   up
================================================================================
Total arp entries 8

Step 9

Create a server farm to group the rservers.

serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

Step 10

Create a policy map for load-balancing traffic to the real servers through a server farm.
policy-map type loadbalance first-match STICKY-SLB
  class class-default
    serverfarm WEBFARM

Step 11

Create a policy map of type multimatch to associate VIP and load-balancing (LB).
policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active

Step 12

Create an access control list (ACL) named everyone that allows all traffic from anywhere to anywhere.

access-list everyone extended permit ip any any

Step 13

Apply policy map of type LB and the ACL to the client VLAN interface.
int vlan 2PC
  service-policy input CLIENT-VIPS
  access-group input everyone

Step 14

Add the ACL to the server Layer 3 interface.

int vlan 4PC
  access-group input everyone


Step 15

Verify that the VIP is active and ready to receive traffic, by using the show service-policy command.

show service-policy CLIENT-VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 2PC
  service-policy: CLIENT-VIPS
    class: VIP-WEB
      loadbalance:
        L7 loadbalance policy: STICKY-SLB
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0

Step 16

Verify that the VIP is accessible by trying to connect to the VIP from your client PC. Make sure you test both port 80 traffic and port 443.

http://172.16.PC.170/index.html
https://172.16.PC.170/small.html

Step 17

Use the show service-policy command again and verify that the counters are incrementing.


Configuration Example
login timeout 0

access-list everyone line 10 extended permit ip any any

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice

serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  4 match protocol http any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match STICKY-SLB
  class class-default
    serverfarm WEBFARM

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0  role Admin domain default-domain

Task 2: Apply Source IP Sticky to Ensure Client Persistence


In this task, you will apply source IP sticky to ensure client persistence.

Activity Procedure
Complete these steps:
Step 1

Create a sticky group. Use the name STICKY-GRP-WEB to clearly identify the sticky group being used.
sticky ip-netmask 255.255.255.255 address source STICKY-GRP-WEB
  timeout 10
  serverfarm WEBFARM

Step 2

The sticky group is applied within the policy map of type load balance. Before the sticky group can be applied, the current server farm must be removed.
policy-map type loadbalance first-match STICKY-SLB
  class class-default
    no serverfarm WEBFARM
    sticky-serverfarm STICKY-GRP-WEB

Step 3

Use the following commands to view the sticky tables on the Cisco ACE.
show sticky database type ip-netmask source
show sticky database group

Step 4

Verify that the sticky configuration is working for clients connecting to the VIP from your client PC. Make sure you test both port 80 traffic and port 443.

http://172.16.PC.170/index.html
https://172.16.PC.170/small.html

Also try the Serverstress.html page. It has about 50 images.

Step 5

Issue the show commands for the service-policy and the sticky table again and verify that the output is as expected.
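To make the behavior of the sticky group concrete before reading the show sticky database output, here is an added model of source IP sticky written for this guide (it is not ACE code and does not claim to reproduce ACE internals): the sticky key is the client source address ANDed with the configured ip-netmask, an entry is reused while it has been hit within the timeout (minutes on the ACE), and an unknown or expired client falls through to the server farm's round-robin predictor, after which the choice is recorded. The timestamps, client addresses and the two-rserver farm are constructed inputs.

```python
import ipaddress
import itertools
from typing import Dict, List, Optional, Tuple


class StickyIpNetmask:
    """Model of 'sticky ip-netmask <mask> address source <group>' with
    'timeout <minutes>' and 'serverfarm <name>' (hypothetical model, not ACE code)."""

    def __init__(self, netmask: str, timeout_minutes: int, serverfarm: List[str]) -> None:
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout_minutes * 60                 # ACE configures this in minutes
        self.serverfarm = list(serverfarm)
        self._predictor = itertools.cycle(self.serverfarm)  # round-robin, the farm default
        self.table: Dict[str, Tuple[str, float]] = {}       # sticky key -> (rserver, last hit)

    def key(self, source_ip: str) -> str:
        """The sticky key is the source address ANDed with the configured netmask."""
        masked = int(ipaddress.IPv4Address(source_ip)) & self.mask
        return str(ipaddress.IPv4Address(masked))

    def lookup(self, source_ip: str, now: float) -> Optional[str]:
        """Return the recorded rserver if the entry exists and has not idled out."""
        entry = self.table.get(self.key(source_ip))
        if entry is None or now - entry[1] >= self.timeout:
            return None
        return entry[0]

    def select(self, source_ip: str, now: float) -> str:
        """Pick the rserver for a new connection and refresh the inactivity timer."""
        rserver = self.lookup(source_ip, now)
        if rserver is None:
            rserver = next(self._predictor)
        self.table[self.key(source_ip)] = (rserver, now)
        return rserver

    def expire(self, now: float) -> int:
        """Drop entries idle longer than the timeout; returns how many were removed."""
        stale = [k for k, (_, last) in self.table.items() if now - last >= self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def show_database(self) -> List[Tuple[str, str]]:
        """Rows in the spirit of 'show sticky database': (sticky key, rserver)."""
        return sorted((k, r) for k, (r, _) in self.table.items())


if __name__ == "__main__":
    grp = StickyIpNetmask("255.255.255.255", 10, ["LINUX-1", "LINUX-2"])
    for ip, t in (("172.16.11.50", 0), ("172.16.11.51", 1), ("172.16.11.50", 120)):
        print(ip, "->", grp.select(ip, t))
    print(grp.show_database())
```

Two consequences worth seeing in the model: every client behind one NAT address shares one sticky key and therefore one rserver, so a large remote office lands entirely on a single server; and a wider mask (255.255.255.0) trades a smaller sticky table for the same concentration of load across a whole /24.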


Configuration Example
switch/Lab-OPT-PC# show run
Generating configuration....

login timeout 0

access-list everyone line 10 extended permit ip any any

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice

serverfarm host WEBFARM
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-GRP-WEB
  timeout 10
  serverfarm WEBFARM

class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match STICKY-SLB
  class class-default
    sticky-serverfarm STICKY-GRP-WEB

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0  role Admin domain default-domain


Task 3: Apply Probes to Ensure That Real Servers Are Working Properly
In this task, you will apply probes to ensure that real servers are working properly.

Activity Procedure
Complete these steps:
Step 1

Create a probe to check the index.html page of the real servers.


probe http HTTP-PROBE
  expect status 200 200

Step 2

Apply the probe to the server farm WEBFARM.


serverfarm host WEBFARM
  probe HTTP-PROBE

Step 3

Use the show probe command to view the probes and their default parameters. Note: you will need to wait some time for the probe to leave the initialization state.

switch/Lab-OPT-PC(config-sfarm-host)# do sho probe HTTP-PROBE
probe       : HTTP-PROBE
type        : HTTP, state : ACTIVE
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 120     pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : WEBFARM
     real      : LINUX-1[0]
                 192.168.1.11    0          0          0          INIT
     real      : LINUX-2[0]
                 192.168.1.12    0          0          0          INIT

Step 4

See what the default probe is. Using a new Telnet session from your client PC, connect to the Cisco ACE context.

C:\> telnet 172.16.PC.20
Trying 172.16.PC.20...
Connected to 172.16.PC.20 (172.16.PC.20).
Escape character is '^]'.

User Access Verification

Username: cisco
Password: cisco123

Step 5

From the Cisco ACE context, Telnet to the rserver.


telnet 192.168.1.11
login: cisco
Password for cisco: cisco
Resource temporarily unavailable while getting initial credentials
Last login: Fri Mar 31 18:32:06 from 209.165.202.18
[cisco@linux1 ~]$


Step 6

When you are logged into the Linux server, change to the super-user account.
[cisco@linux1 ~]$ su
Password: cisco123

Step 7

Use Tethereal to verify the probe from the Cisco ACE appliance:

[root@linux1 ~]# tethereal -R http
Capturing on eth0
  9.451638 192.168.1.1 -> 192.168.1.12 HTTP GET / HTTP/1.1
  9.452596 192.168.1.1 -> 192.168.1.11 HTTP GET / HTTP/1.1
  9.483577 192.168.1.11 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
  9.487261 192.168.1.11 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
  9.501460 192.168.1.12 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
  9.516644 192.168.1.12 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
 91.644233 192.168.1.1 -> 192.168.1.12 HTTP GET / HTTP/1.1
 91.645006 192.168.1.1 -> 192.168.1.11 HTTP GET / HTTP/1.1
 91.659091 192.168.1.12 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
 91.659208 192.168.1.12 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
 91.667273 192.168.1.11 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
 91.668084 192.168.1.11 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
170.424459 192.168.1.1 -> 192.168.1.12 HTTP GET / HTTP/1.1
170.424605 192.168.1.1 -> 192.168.1.11 HTTP GET / HTTP/1.1
170.440235 192.168.1.12 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
170.440476 192.168.1.12 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
170.456357 192.168.1.11 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
170.457243 192.168.1.11 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic

Step 8

See what is in the details of the show probe command (details noted in boldface).

switch/Lab-OPT-PC(config-sfarm-host)# do sho probe HTTP-PROBE detail
probe       : HTTP-PROBE
type        : HTTP, state : ACTIVE
description :
----------------------------------------------
   port      : 80      address     : 0.0.0.0         addr type  :
   interval  : 120     pass intvl  : 300             pass count : 3
   fail count: 3       recv timeout: 10
   http method      : GET
   http url         : /
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout : 10
   expect regex     :
   send data        :
   --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : WEBFARM
     real      : LINUX-1[0]
                 192.168.1.11    8          0          8          SUCCESS
     Socket state        : CLOSED
     No. Passed states   : 1         No. Failed states : 0
     No. Probes skipped  : 0         Last status code  : 0
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err :
     Last probe time     : Sat Sep 16 18:01:31 2006
     Last fail time      : Never
     Last active time    : Sat Sep 16 17:47:31 2006

     real      : LINUX-2[0]
                 192.168.1.12                                    SUCCESS
     Socket state        : CLOSED
     No. Passed states   : 1         No. Failed states : 0
     No. Probes skipped  : 0         Last status code  : 0
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err :
     Last probe time     : Sat Sep 16 18:01:31 2006
     Last fail time      : Never
     Last active time    : Sat Sep 16 17:47:31 2006

Step 9

The probe works fine, but now bring the probe timers down, so that you can demonstrate a failure detection quickly for the VPs, in case they ask. You also need to lower the passdetect parameters to let the Cisco ACE bring the real server back into rotation more quickly.
probe http HTTP-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
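The effect of these timers is easiest to see by replaying a sequence of probe results against them. The following is an added example written for this guide, not ACE code: a small model that uses the names shown by show probe (interval, fail count, pass intvl, pass count), marks an rserver FAILED after fail-count consecutive failures, then probes it at the passdetect interval and returns it to SUCCESS after passdetect-count consecutive successes. The model assumes the first probe is sent at t=0, that the first result moves the rserver out of INIT, and that the spacing of the next probe depends on the health state reached by the current one; the probe outcomes are constructed input.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProbeConfig:
    """Probe timers, named after the fields in 'show probe' (hypothetical model)."""
    interval: int = 120             # seconds between probes while the rserver is healthy
    faildetect: int = 3             # 'fail count': consecutive failures before FAILED
    passdetect_interval: int = 300  # 'pass intvl': seconds between probes once FAILED
    passdetect_count: int = 3       # 'pass count': consecutive successes to recover


def simulate(cfg: ProbeConfig, outcomes: List[bool]) -> List[Tuple[float, str]]:
    """Replay probe results (True = pass) and return (time, health) after each probe."""
    health = "INIT"
    run = 0            # length of the current run of identical outcomes
    last = None
    t = 0.0
    timeline: List[Tuple[float, str]] = []
    for ok in outcomes:
        run = run + 1 if ok == last else 1
        last = ok
        if ok:
            # first success leaves INIT; a FAILED server needs passdetect_count in a row
            if health == "INIT" or (health == "FAILED" and run >= cfg.passdetect_count):
                health = "SUCCESS"
        else:
            # faildetect consecutive failures take the server out of rotation
            if health != "FAILED" and run >= cfg.faildetect:
                health = "FAILED"
        timeline.append((t, health))
        # a FAILED server is re-probed at the passdetect interval, a healthy one at interval
        t += cfg.passdetect_interval if health == "FAILED" else cfg.interval
    return timeline


def time_to_detect_failure(cfg: ProbeConfig) -> int:
    """Seconds from the first failed probe until the rserver is marked FAILED."""
    return (cfg.faildetect - 1) * cfg.interval


def time_to_recover(cfg: ProbeConfig) -> int:
    """Seconds from FAILED until the rserver is back in rotation."""
    return cfg.passdetect_count * cfg.passdetect_interval


if __name__ == "__main__":
    results = [True, True, False, False, False, True, True, True]
    for name, cfg in (("defaults", ProbeConfig()),
                      ("lab timers", ProbeConfig(interval=5, passdetect_interval=2,
                                                 passdetect_count=1))):
        print(name, simulate(cfg, results),
              "detect:", time_to_detect_failure(cfg), "s",
              "recover:", time_to_recover(cfg), "s")
```

With the defaults an outage is noticed 240 seconds after the first failed probe and the server returns 900 seconds after being marked FAILED; with interval 5, passdetect interval 2 and passdetect count 1 those become 10 and 2 seconds. The trade-off is that a low passdetect count lets a server that is flapping rejoin the farm on a single successful probe.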

Step 10

Take a look at the traces. Verify that the new timers have taken effect.

 958.033048 192.168.1.11 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
 958.033521 192.168.1.12 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic

DELAY is greater than the new interval of 5 seconds initially. Why?

1037.431043 192.168.1.1 -> 192.168.1.11 HTTP GET / HTTP/1.1
1037.431050 192.168.1.1 -> 192.168.1.12 HTTP GET / HTTP/1.1
1037.448825 192.168.1.11 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
1037.451091 192.168.1.11 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
1037.461033 192.168.1.12 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
1037.463870 192.168.1.12 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
1040.744189 192.168.1.1 -> 192.168.1.12 HTTP GET / HTTP/1.1
1040.744453 192.168.1.1 -> 192.168.1.11 HTTP GET / HTTP/1.1
1040.757704 192.168.1.11 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
1040.758681 192.168.1.11 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
1040.766226 192.168.1.12 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
1040.766541 192.168.1.12 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
1044.037083 192.168.1.1 -> 192.168.1.12 HTTP GET / HTTP/1.1
1044.037089 192.168.1.1 -> 192.168.1.11 HTTP GET / HTTP/1.1
1044.049173 192.168.1.12 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
1044.053683 192.168.1.11 -> 192.168.1.1 HTTP HTTP/1.1 200 OK
1044.056029 192.168.1.11 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic
1044.066692 192.168.1.12 -> 192.168.1.1 HTTP Continuation or non-HTTP traffic

Step 11

Now try the SSL probe. Configure the same tweaked parameters and change the URL requested to just a small static page.

probe https SSL-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /small.html
  expect status 200 200

You must add the probe to the server farm/rserver.

Step 12

Apply the new HTTPS probe to the server farm.

Step 13

Use the previous show probe and show probe detail commands to verify that the SSL probe is working. Also try the show stats probe command.


Step 14

Verify that the SSL probes really are establishing SSL connections on the real servers.
[root@linux1 ~]# tethereal -R ssl
6.109443 192.168.1.1 -> 192.168.1.11 SSLv3 Client Hello
6.118343 192.168.1.11 -> 192.168.1.1 SSLv3 Server Hello, Certificate, ServerHello Done
6.127678 192.168.1.1 -> 192.168.1.11 SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
6.136039 192.168.1.11 -> 192.168.1.1 SSLv3 Change Cipher Spec, Encrypted Handshake Message
6.138365 192.168.1.1 -> 192.168.1.11 SSLv3 Application Data
6.142274 192.168.1.11 -> 192.168.1.1 SSLv3 Application Data
6.143018 192.168.1.11 -> 192.168.1.1 SSLv3 Application Data
6.144019 192.168.1.11 -> 192.168.1.1 SSLv3 Encrypted Alert
6.145025 192.168.1.1 -> 192.168.1.11 SSLv3 Encrypted Alert

Step 15

Verify that the configuration is working for clients connecting to the VIP from your client PC. Make sure you test both port 80 traffic and port 443.

http://172.16.PC.170/index.html
https://172.16.PC.170/small.html

Step 16

Use the show commands for the service-policy and the sticky table again and verify that the output is still as expected.


Configuration Example
switch/Lab-OPT-PC# show run
Generating configuration....

login timeout 0

access-list everyone line 10 extended permit ip any any

probe http HTTP-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /small.html
  expect status 200 200
probe https SSL-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /small.html
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice

serverfarm host WEBFARM
  probe HTTP-PROBE
  probe SSL-PROBE
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-GRP-WEB
  timeout 10
  serverfarm WEBFARM

class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match STICKY-SLB
  class class-default
    sticky-serverfarm STICKY-GRP-WEB

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0  role Admin domain default-domain


Task 4: Create a Virtual IP Address to Accept Clear Application Traffic


In this task, you will create a virtual IP address to accept clear application traffic.

Activity Procedure
Complete these steps:
Step 1

Create a class map for a new Layer 4 VIP.


class-map match-all VIP-APP-WEB
  2 match virtual-address 172.16.PC.171 tcp eq http

Step 2

Create Layer 3 rserver entries for the two real servers, so that the Cisco ACE knows about them.
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice

Step 3

Use the show arp command to verify that the Cisco ACE appliance has network connectivity to the real servers.

Step 4

Create a server farm to group the rservers.
serverfarm host APP-FARM
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice

Step 5

Create a policy map for load-balancing traffic to the real servers through a server farm.
policy-map type loadbalance first-match APP-POLICY
  class class-default
    serverfarm APP-FARM

Step 6

Edit the existing policy map of type multimatch to associate VIP and LB policy maps.
policy-map multi-match CLIENT-VIPS
  class VIP-APP-WEB
    loadbalance vip inservice
    loadbalance policy APP-POLICY
    loadbalance vip icmp-reply active


Step 7

Verify that the VIP is active and ready to receive traffic, by using the show service-policy command.
switch/Lab-OPT-PC(config-pmap-c)# do show service-policy CLIENT-VIPS

Status : ACTIVE
-----------------------------------------
Interface: vlan 2PC
  service-policy: CLIENT-VIPS
    class: VIP-WEB
      loadbalance:
        L7 loadbalance policy: STICKY-SLB
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
    class: VIP-APP-WEB
      loadbalance:
        L7 loadbalance policy: APP-POLICY
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0

Step 8

Verify that the VIP is accessible by trying to connect to the VIP from your client PC. Make sure you only test port 80 traffic at this point.
http://172.16.PC.171/index.html

Step 9

Use the show service-policy command again and verify that the counters are incrementing.


Configuration Example
login timeout 0

access-list everyone line 10 extended permit ip any any

probe http HTTP-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  expect status 200 200
probe https SSL-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /small.html
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice

serverfarm host APP-FARM
  rserver LINUX-3
    inservice
  rserver LINUX-4
    inservice
serverfarm host WEBFARM
  probe HTTP-PROBE
  probe SSL-PROBE
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-GRP-WEB
  timeout 10
  serverfarm WEBFARM

class-map match-all VIP-APP-WEB
  2 match virtual-address 172.16.PC.171 tcp eq www
class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match APP-POLICY
  class class-default
    serverfarm APP-FARM
policy-map type loadbalance first-match STICKY-SLB
  class class-default
    sticky-serverfarm STICKY-GRP-WEB

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active
  class VIP-APP-WEB
    loadbalance vip inservice
    loadbalance policy APP-POLICY
    loadbalance vip icmp-reply active

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0 role Admin domain default-domain


Task 5: Create a Virtual IP Address to Accept Secure Application Traffic


In this task, you will create a virtual IP (VIP) address to accept secure application traffic.

Activity Procedure
Complete these steps:
Step 1

Create a class map for the Layer 4 VIP.


class-map match-all VIP-APP-SSL
  2 match virtual-address 172.16.PC.171 tcp eq https

Step 2

Create a new policy map for load-balancing secure traffic to the real servers through a server farm.
policy-map type loadbalance first-match SSL-APP-POLICY
  class class-default
    serverfarm APP-FARM

Step 3

Edit the existing policy map of type multimatch to associate VIP and LB policy maps.
policy-map multi-match CLIENT-VIPS
  class VIP-APP-SSL
    loadbalance vip inservice
    loadbalance policy SSL-APP-POLICY
    loadbalance vip icmp-reply active

Step 4

Verify that the VIP is active and ready to receive traffic, by using the show service-policy command.

Step 5

Verify that the secure VIP is accessible, by trying to connect to the VIP from your client PC.
https://172.16.PC.171/index.html

Step 6

Issue the show service-policy command again and verify that the counters are incrementing.


Task 6: Add SSL Acceleration


In this task, you will configure SSL acceleration.

Activity Procedure
Complete these steps:
Step 1

Create a private RSA key file within the Cisco ACE context. This key file will be used for generating the certificate and to encrypt/decrypt all SSL traffic.
crypto generate key 2048 app-key

Step 2

Now view the private key file, using the show crypto key commands.

switch/Lab-OPT-PC# show crypto key all
Filename                                 Bit Size   Type
--------                                 --------   ----
app-key                                  2048       RSA

switch/Lab-OPT-PC# show crypto key app-key
2048 bit RSA keypair found in app-key

Step 3

After the key file exists on the Cisco ACE, it can be used to create a certificate signing request.

Step 4

Now you will be asked a series of questions. The answers will be used to fill out the certificate you are creating for the site. Note that any information you put in at this time will be added to the SSL appliance.
switch/Lab-OPT-PC(config)# crypto csr-params APP-CSR
switch/Lab-OPT-PC(config-csr-params)# common-name testapp.neufoo.com
switch/Lab-OPT-PC(config-csr-params)# country US
switch/Lab-OPT-PC(config-csr-params)# email secofficer@neufoo.com
switch/Lab-OPT-PC(config-csr-params)# locality SanJose
switch/Lab-OPT-PC(config-csr-params)# organization-name CentralIT
switch/Lab-OPT-PC(config-csr-params)# organization-unit Demo
switch/Lab-OPT-PC(config-csr-params)# state California
switch/Lab-OPT-PC(config-csr-params)# serial-number 12345

Step 5

Now from exec mode, generate the Certificate Signing Request (CSR).

crypto generate csr APP-CSR app-key

Step 6

Use the Telnet session you have open on the Linux server. Leave the su shell (exit), and from the cisco user's shell, save this CSR as a new file in the /tmp directory.

[cisco@linux1 ~]$ cat > /tmp/appcsr

Step 7

Still using the Linux session, generate a CA certificate. For a real CA certificate, you would want to fill these fields out appropriately.

[cisco@linux1 ~]$ openssl req -newkey rsa:1024 -nodes -x509 -keyout /tmp/rootCAkey.pem -out /tmp/rootCAcert.pem -config /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
....++++++
.............++++++
unable to write 'random state'
writing new private key to '/tmp/rootCAkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:


Step 8

Now use the CA to sign the application's CSR.


[cisco@linux1 ~]$ openssl x509 -in /tmp/appcsr -req -days 365 -CA /tmp/rootCAcert.pem -CAkey /tmp/rootCAkey.pem -set_serial 1234 -out /tmp/appcert
Signature ok
subject=/C=US/ST=California/L=SanJose/O=CentralIT/OU=Demo/CN=testapp.neufoo.com/emailAddress=secofficer@neufoo.com
Getting CA Private Key
unable to write 'random state'

Step 9

You can view the certificate, using openssl.


[cisco@linux1 ~]$ openssl x509 -in /tmp/appcert -text

Step 10

Now import the application's certificate into the Cisco ACE appliance.

switch/Lab-OPT-PC# crypto import terminal app-cert
Please enter PEM formatted data. End with "quit" on a new line.
quit

Step 11

Verify the certificate and the key to ensure that the certificate and key match.
switch/Lab-OPT-PC# crypto verify app-key app-cert
Keypair in app-key matches certificate in appcert.

Note

If the verification fails, you must fix the problem before proceeding.

Step 12

After the SSL key and SSL certificate exist within the context, they can be applied to the SSL proxy service.
ssl-proxy service APP-SSL
  cert app-cert
  key app-key

Step 13

Now apply the SSL proxy service to the pmap multimatch for the secure application traffic.
policy-map multi-match CLIENT-VIPS
  class VIP-APP-SSL
    ssl-proxy server APP-SSL

Step 14

Verify that the VIP is active and ready to receive traffic, by using the show service-policy command.


Step 15

Before testing the SSL acceleration, you need to force the Cisco ACE appliance to translate the client requests so that requests to port 443 are sent to port 80 after the traffic is decrypted. To do this, remove and re-add the existing rservers with the port specified.
serverfarm APP-FARM
  no rserver LINUX-3
  no rserver LINUX-4
  rserver LINUX-3 80
    inservice
  rserver LINUX-4 80
    inservice

Step 16

Verify that the secure VIP is accessible, by trying to connect to the VIP from your client PC.
https://172.16.PC.171/index.html

Step 17

Issue the show service-policy command again and verify that the counters are incrementing.


Configuration Example
login timeout 0

crypto csr-params APP-CSR
  country US
  state California
  locality SanJose
  organization-name CentralIT
  organization-unit Demo
  common-name testapp.neufoo.com
  serial-number 12345
  email secofficer@neufoo.com

access-list everyone line 10 extended permit ip any any

probe http HTTP-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  expect status 200 200
probe https SSL-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /small.html
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice

ssl-proxy service APP-SSL
  key app-key
  cert app-cert

serverfarm host APP-FARM
  rserver LINUX-3 80
    inservice
  rserver LINUX-4 80
    inservice
serverfarm host WEBFARM
  probe HTTP-PROBE
  probe SSL-PROBE
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-GRP-WEB
  timeout 10
  serverfarm WEBFARM

class-map match-all VIP-APP-SSL
  2 match virtual-address 172.16.PC.171 tcp eq https
class-map match-all VIP-APP-WEB
  2 match virtual-address 172.16.PC.171 tcp eq www
class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match APP-POLICY
  class class-default
    serverfarm APP-FARM
policy-map type loadbalance first-match SSL-APP-POLICY
  class class-default
    serverfarm APP-FARM
policy-map type loadbalance first-match STICKY-SLB
  class class-default
    sticky-serverfarm STICKY-GRP-WEB

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active
  class VIP-APP-WEB
    loadbalance vip inservice
    loadbalance policy APP-POLICY
    loadbalance vip icmp-reply active
  class VIP-APP-SSL
    loadbalance vip inservice
    loadbalance policy SSL-APP-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server APP-SSL

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0 role Admin domain default-domain


Task 7: Apply Probe and Cookie Insert Sticky to Ensure Client Persistence
In this task, you will apply probe and cookie insert sticky to ensure client persistence.

Activity Procedure
Complete these steps:
Step 1

To set up probes, reuse the existing HTTP probe. Notice that no HTTPS probe is needed because traffic to the server will be HTTP only.
serverfarm APP-FARM
  probe HTTP-PROBE

Step 2

Use the show probe command to verify that the probes are working as expected.

Step 3

Create a new sticky group. Use the name app-cookie to clearly identify the sticky group being used.
sticky http-cookie ACE-ID app-cookie
  cookie insert
  serverfarm APP-FARM

Step 4

The sticky group is applied within the policy map of type loadbalance for both application policy maps. Again, before the sticky group can be applied, the current server farm must be removed from each policy map.
policy-map type loadbalance first-match APP-POLICY
  class class-default
    no serverfarm APP-FARM
    sticky-serverfarm app-cookie
policy-map type loadbalance first-match SSL-APP-POLICY
  class class-default
    no serverfarm APP-FARM
    sticky-serverfarm app-cookie

Step 5

Use the show sticky database static command to view the cookie insert sticky tables.

switch/Lab-OPT-PC(config-pmap-lb-c)# do sho sticky databas static

sticky group : app-cookie
type         : HTTP-COOKIE
timeout      : 1440        timeout-activeconns : FALSE
  sticky-entry          rserver-instance                 time-to-expire  flags
  ---------------------+--------------------------------+---------------+-------+
  9029821149554191621   LINUX-3:80                       never

sticky group : app-cookie
type         : HTTP-COOKIE
timeout      : 1440        timeout-activeconns : FALSE
  sticky-entry          rserver-instance                 time-to-expire  flags
  ---------------------+--------------------------------+---------------+-------+
  439771910386717333    LINUX-4:80                       never

Step 6

Verify that the sticky configuration is working for clients connecting to the VIP from your client PC. Make sure that you test both port 80 and port 443 traffic.
http://172.16.PC.171/index.html
https://172.16.PC.171/small.html
Also try the Serverstress.html page. It has about 50 images.


Step 7

Use the show commands for the service-policy and the sticky table again and verify that the output is as expected.


Configuration Example
login timeout 0

crypto csr-params APP-CSR
  country US
  state California
  locality SanJose
  organization-name CentralIT
  organization-unit Demo
  common-name testapp.neufoo.com
  serial-number 12345
  email secofficer@neufoo.com

access-list everyone line 10 extended permit ip any any

probe http HTTP-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  expect status 200 200
probe https SSL-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /small.html
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice

ssl-proxy service APP-SSL
  key app-key
  cert app-cert

serverfarm host APP-FARM
  probe HTTP-PROBE
  rserver LINUX-3 80
    inservice
  rserver LINUX-4 80
    inservice
serverfarm host WEBFARM
  probe HTTP-PROBE
  probe SSL-PROBE
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-GRP-WEB
  timeout 10
  serverfarm WEBFARM
sticky http-cookie ACE-ID app-cookie
  cookie insert
  serverfarm APP-FARM

class-map match-all VIP-APP-SSL
  2 match virtual-address 172.16.PC.171 tcp eq https
class-map match-all VIP-APP-WEB
  2 match virtual-address 172.16.PC.171 tcp eq www
class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match APP-POLICY
  class class-default
    sticky-serverfarm app-cookie
policy-map type loadbalance first-match SSL-APP-POLICY
  class class-default
    sticky-serverfarm app-cookie
policy-map type loadbalance first-match STICKY-SLB
  class class-default
    sticky-serverfarm STICKY-GRP-WEB

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active
  class VIP-APP-WEB
    loadbalance vip inservice
    loadbalance policy APP-POLICY
    loadbalance vip icmp-reply active
  class VIP-APP-SSL
    loadbalance vip inservice
    loadbalance policy SSL-APP-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server APP-SSL

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0 role Admin domain default-domain


Task 8: Create a Domain for the Security Team


In this task, you will create a domain for the security team.

Activity Procedure
Complete these steps:
Step 1

Create a domain. This domain will have a user and all the objects the Info Sec team will need so that ACL security policies can be applied.
domain infosec

Step 2

Add the current ACLs and interfaces to the infosec domain.


add-object access-list extended everyone
add-object interface vlan 2PC
add-object interface vlan 4PC

Step 3

Create a new user for the security team. Give the new user the password neufoosec and the role of Security-Admin and make the new user a part of the infosec domain (Security-Admin is case sensitive).
username secops password neufoosec role Security-Admin domain infosec

Step 4

From your client PC, create another Telnet session to the Cisco ACE context and log in as the secops user.
C:\> telnet 172.16.PC.20
Trying 172.16.PC.20...
Connected to 172.16.PC.20 (172.16.PC.20).
Escape character is '^]'.

User Access Verification

Username: secops
Password: neufoosec

Step 5

Using the secops account, create access lists to only allow web traffic for the two VIPs.
access-list web line 10 extended permit tcp any host 172.16.PC.170 eq www
access-list web line 20 extended permit tcp any host 172.16.PC.170 eq https
access-list web line 30 extended permit tcp any host 172.16.PC.171 eq www
access-list web line 40 extended permit tcp any host 172.16.PC.171 eq https

Step 6

Apply the new access list to the client VLAN to better protect the VIPs and servers.

Step 7

Verify that the ACLs block nonweb traffic. You should no longer be able to Telnet to VIP 190. To see the ACL denies, use the cisco account and enable logging to monitor the terminal.

Step 8

Use the show domain command to view the objects in the infosec domain. Notice that the web ACL was created within the infosec domain by default.


Configuration Example
login timeout 0

crypto csr-params APP-CSR
  country US
  state California
  locality SanJose
  organization-name CentralIT
  organization-unit Demo
  common-name testapp.neufoo.com
  serial-number 12345
  email secofficer@neufoo.com

access-list everyone line 10 extended permit ip any any
access-list web line 10 extended permit tcp any host 172.16.PC.170 eq www
access-list web line 20 extended permit tcp any host 172.16.PC.170 eq https
access-list web line 30 extended permit tcp any host 172.16.PC.171 eq www
access-list web line 40 extended permit tcp any host 172.16.PC.171 eq https

probe http HTTP-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  expect status 200 200
probe https SSL-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /small.html
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice

ssl-proxy service APP-SSL
  key app-key
  cert app-cert

serverfarm host APP-FARM
  probe HTTP-PROBE
  rserver LINUX-3 80
    inservice
  rserver LINUX-4 80
    inservice
serverfarm host WEBFARM
  probe HTTP-PROBE
  probe SSL-PROBE
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-GRP-WEB
  timeout 10
  serverfarm WEBFARM
sticky http-cookie ACE-ID app-cookie
  cookie insert
  serverfarm APP-FARM

class-map match-all VIP-APP-SSL
  2 match virtual-address 172.16.PC.171 tcp eq https
class-map match-all VIP-APP-WEB
  2 match virtual-address 172.16.PC.171 tcp eq www
class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match APP-POLICY
  class class-default
    sticky-serverfarm app-cookie
policy-map type loadbalance first-match SSL-APP-POLICY
  class class-default
    sticky-serverfarm app-cookie
policy-map type loadbalance first-match STICKY-SLB
  class class-default
    sticky-serverfarm STICKY-GRP-WEB

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active
  class VIP-APP-WEB
    loadbalance vip inservice
    loadbalance policy APP-POLICY
    loadbalance vip icmp-reply active
  class VIP-APP-SSL
    loadbalance vip inservice
    loadbalance policy SSL-APP-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server APP-SSL

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input web
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  no shutdown

domain infosec
  add-object interface vlan 2PC
  add-object interface vlan 4PC
  add-object access-list extended everyone
  add-object access-list extended web

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0 role Admin domain default-domain
username secops password 5 $1$ZudFMk7n$bjMjyAXHaUC8viJR6mkmq/ role Security-Admin domain infosec


Task 9: Allow Direct Server Access and SERVER-INITIATED Connections


Direct access to the server can be applied using ACLs or simple class map matches. The user has the option of matching per real server IP or a server network. One important aspect of applying Network Address Translation (NAT) as a subnet is that the NAT pool subnet cannot overlap the VIP, even if the VIP would never be affected by the NAT rule. The Cisco ACE ensures that duplicate IPs cannot exist, so it is required that NAT pool networks do not overlap VIP addresses. In this demonstration, use matches based on host IPs rather than networks; but be aware that networks could be used in this type of design. To allow direct access to the real server, consider that you are the Cisco ACE and think of how flows should be manipulated if they are initiated from the servers. The reasons for this are (1) it will align your thought process with the way the Cisco ACE implements static NAT; and (2) you need to realize that the pinholes created for source NAT are applied bidirectionally; thus, if a server should be source NATed to X, connections from the outside to X will be NATed to the real server.

Activity Procedure
Complete these steps:
Step 1

Configure a class map to match connections initiated by the real servers. Note that the provisioning group used a VMware server for real servers 11 through 14. The primary IP of the physical real server is 192.168.1.10.
class-map match-all SERVER-INITIATED
  match source-address 192.168.1.11 255.255.255.255

Step 2

Create a new policy map of type multimatch to classify server-sourced traffic and translate it to the client VLAN using NAT.
policy-map multi-match src-nat-servers
  class SERVER-INITIATED
    nat static 172.16.PC.250 netmask 255.255.255.255 vlan 2PC

Step 3

Now apply the source NAT policy map to the server VLAN.
interface vlan 4PC
  service-policy input src-nat-servers

Step 4

To show that the Cisco ACE is properly NATing client-to-server and server-initiated traffic, open Ethereal on the client and capture on the interface 209.165.201.PC.

Step 5

With the sniffer running, create a Telnet connection to the server's NATed address. Verify that the server is reachable and that the IPs in the trace are as expected.
telnet 172.16.PC.250

Step 6

Now that Telnet works into the real server, use this session to connect back to the client. Verify that your client PC's IP address is 209.165.201.PC, and make a Telnet connection to the client from the real server. Verify that the client is reachable and that the IPs in the trace are as expected. Note that the real server-to-client connection will fail, because the client is not running a Telnet or HTTP server.

2008 Cisco Systems, Inc.

Lab Guide

191

Configuration Example
login timeout 0

crypto csr-params APP-CSR
  country US
  state California
  locality SanJose
  organization-name CentralIT
  organization-unit Demo
  common-name testapp.neufoo.com
  serial-number 12345
  email secofficer@neufoo.com

access-list everyone line 10 extended permit ip any any
access-list web line 10 extended permit tcp any host 172.16.PC.170 eq www
access-list web line 20 extended permit tcp any host 172.16.PC.170 eq https
access-list web line 30 extended permit tcp any host 172.16.PC.171 eq www
access-list web line 40 extended permit tcp any host 172.16.PC.171 eq https

probe http HTTP-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  expect status 200 200

probe https SSL-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /small.html
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice

ssl-proxy service APP-SSL
  key app-key
  cert app-cert

serverfarm host APP-FARM
  probe HTTP-PROBE
  rserver LINUX-3 80
    inservice
  rserver LINUX-4 80
    inservice

serverfarm host WEBFARM
  probe HTTP-PROBE
  probe SSL-PROBE
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-GRP-WEB
  timeout 10
  serverfarm WEBFARM

sticky http-cookie ACE-ID app-cookie
  cookie insert
  serverfarm APP-FARM

class-map match-all VIP-APP-SSL
  2 match virtual-address 172.16.PC.171 tcp eq https
class-map match-all VIP-APP-WEB
  2 match virtual-address 172.16.PC.171 tcp eq www
class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any
class-map match-all SERVER-INITIATED
  2 match source-address 192.168.1.11 255.255.255.255

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match APP-POLICY
  class class-default
    sticky-serverfarm app-cookie
policy-map type loadbalance first-match SSL-APP-POLICY
  class class-default
    sticky-serverfarm app-cookie
policy-map type loadbalance first-match STICKY-SLB
  class class-default
    sticky-serverfarm STICKY-GRP-WEB

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active
  class VIP-APP-WEB
    loadbalance vip inservice
    loadbalance policy APP-POLICY
    loadbalance vip icmp-reply active
  class VIP-APP-SSL
    loadbalance vip inservice
    loadbalance policy SSL-APP-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server APP-SSL

policy-map multi-match src-nat-servers
  class SERVER-INITIATED
    nat static 172.16.PC.250 netmask 255.255.255.255 vlan 2PC

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input web
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown

interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input src-nat-servers
  no shutdown

domain infosec
  add-object interface vlan 2PC
  add-object interface vlan 4PC
  add-object access-list extended everyone
  add-object access-list extended web

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0 role Admin domain default-domain
username secops password 5 $1$ZUdFMk7n$bjMjyAXHaUC8viJR6mkmq/ role Security-Admin domain infosec

Implementing the Cisco ACE Appliance (ACEAP) v1.0

Task 10: Configure HTTP Normalization


The Cisco ACE HTTP normalization feature set can provide HTTP security. In this task, you will configure application protection to address the following:

Restriction of specific HTTP methods
Prevention of buffer overflows
Prevention of obfuscated attacks

Activity Procedure
Complete these steps:
Step 1

The security team has identified that the existing Apache web servers allow HTTP TRACE requests (see https://www.kb.cert.org/vuls/id/867593), which could be used by hackers to surreptitiously gain information about the internal Neufoo network from the web servers. InfoSec wants to restrict HTTP requests to the server farm to three acceptable HTTP methods: GET, HEAD, and POST. To implement this restriction, create a whitelist using an HTTP inspection class map WHITE to classify acceptable HTTP traffic.
class-map type http inspect match-any WHITE
  3 match request-method rfc get
  4 match request-method rfc head
  5 match request-method rfc post

Step 2

Create an HTTP inspection policy map and add the class map WHITE to it with the action permit. Make the default action for the Cisco ACE to return a reset for any traffic that does not match class WHITE by including class class-default with the appropriate action.

policy-map type inspect http all-match HTTP-INSP
  class WHITE
    permit
  class class-default
    reset

Step 3

Add the HTTP inspection policy to the multi-match policy map CLIENT-VIPS so that all HTTP traffic is inspected for acceptable HTTP methods.

policy-map multi-match CLIENT-VIPS
  class VIP-APP-WEB
    inspect http policy HTTP-INSP
  class VIP-APP-SSL
    inspect http policy HTTP-INSP

Step 4

Test the whitelist by sending a TRACE request from the client to the VIP. You can use Telnet to send the request, and you should see that the connection is immediately closed.

C:\Documents and Settings\Administrator>telnet <VIP> 80
TRACE / HTTP/1.1<HIT ENTER>
Connection to host lost.


Step 5

InfoSec wants to add basic protection against application-level attacks by restricting the length of requested URLs to 45 bytes, which should help prevent buffer overflows. InfoSec is also concerned that users should never be able to directly request an administrative page called admin.html. Create a blacklist to reject any traffic matching these conditions.

class-map type http inspect match-any BLACK
  2 match url .*admin.html
  3 match url length range 46 65535

Step 6

Add the blacklist with action reset to the HTTP inspection policy map created earlier.
policy-map type inspect http all-match HTTP-INSP
  class BLACK
    reset

Step 7

Test that the blacklist rejects requests longer than 45 bytes by sending a request such as the following.
https://<VIP>/index.html?long=1234123412341234123412341234

The Cisco ACE should send you a reset. You can test further by adjusting the length of the URL to see how the Cisco ACE will react to the request.
Step 8

Malicious encoding attacks are a technique used to bypass a server's security filters using various types of character encodings (URL, Unicode, and so on). Make sure that the URL admin.html cannot be accessed. Try requesting the URL:
http://<VIP>/admin.html

Note

The Cisco ACE HTTP inspection engine automatically performs URL deobfuscation. Here is an example of an obfuscated URL: http://bock-bock/%7E%63%70%61%67%67%65%6E. Phishing e-mails frequently use this technique because it can easily hide suspicious portions of a URL and make them appear to belong to a legitimate script.

Now try accessing the same URL, but this time try to bypass the blacklist filter by obscuring the URL. For example, convert the "a" in admin.html to its URL-encoded equivalent (%61):

http://<VIP>/%61dmin.html

You can use http://ha.ckers.org/xss as a resource to help you obfuscate URLs. The Cisco ACE first deobfuscates the requested URL before applying any regular expression match to it. Can you access the page now that you have encoded the request?
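As an added illustration (not part of the Cisco lab guide or the ACE software), the following Python models the decision the HTTP-INSP policy built in Steps 1 through 8 makes for a request: percent-decode the URL first, then apply the WHITE method list and the BLACK URL rules. The repeated decoding loop and the choice to measure URL length on the decoded form are this example's assumptions; the guide does not state how the ACE handles either.

```python
# Added example: a small model of the Task 10 HTTP inspection policy HTTP-INSP.
# It shows why decoding before the regex match matters: /%61dmin.html is only
# caught by "match url .*admin.html" once %61 has been turned back into "a".
import re
from urllib.parse import unquote

# Policy values taken from the lab configuration in this task.
WHITE_METHODS = {"GET", "HEAD", "POST"}           # class-map WHITE
BLACK_URL_REGEX = re.compile(r".*admin.html")     # class-map BLACK, match url
BLACK_LEN_MIN, BLACK_LEN_MAX = 46, 65535          # match url length range 46 65535


def deobfuscate(url: str) -> str:
    """Percent-decode until the URL stops changing.

    Assumption of this example: the guide only says the ACE deobfuscates before
    regex matching. Looping resolves double encoding too (%2561 -> %61 -> a).
    """
    previous = None
    while previous != url:
        previous, url = url, unquote(url)
    return url


def inspect_request(method: str, url: str) -> str:
    """Return 'permit' or 'reset' for one request line, mirroring HTTP-INSP.

    The lab expects a GET for admin.html to be reset even though GET is in
    WHITE, so in this all-match policy a BLACK hit overrides the WHITE permit,
    and anything not in WHITE falls to class-default, which resets.
    Assumption: length is checked on the decoded URL.
    """
    decoded = deobfuscate(url)
    if method.upper() not in WHITE_METHODS:       # TRACE, PUT, DELETE, ...
        return "reset"
    # Note the unescaped dot in the lab regex also matches e.g. "adminXhtml".
    if BLACK_URL_REGEX.match(decoded):            # admin.html, %61dmin.html, ...
        return "reset"
    if BLACK_LEN_MIN <= len(decoded) <= BLACK_LEN_MAX:
        return "reset"
    return "permit"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("GET", "/index.html"),
    ("TRACE", "/"),
    ("GET", "/admin.html"),
    ("GET", "/%61dmin.html"),
    ("GET", "/%2561dmin.html"),
    ("GET", "/index.html?long=" + "1234" * 10),   # 57 bytes, over the 45 limit
]


def run_samples():
    """Evaluate every sample and return (method, url, verdict) triples."""
    return [(m, u, inspect_request(m, u)) for m, u in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, url, verdict in run_samples():
        print(f"{verdict:6}  {method} {url}")
```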


Configuration Example
login timeout 0

crypto csr-params APP-CSR
  country US
  state California
  locality SanJose
  organization-name CentralIT
  organization-unit Demo
  common-name testapp.neufoo.com
  serial-number 12345
  email secofficer@neufoo.com

access-list everyone line 10 extended permit ip any any
access-list web line 10 extended permit tcp any host 172.16.PC.170 eq www
access-list web line 20 extended permit tcp any host 172.16.PC.170 eq https
access-list web line 30 extended permit tcp any host 172.16.PC.171 eq www
access-list web line 40 extended permit tcp any host 172.16.PC.171 eq https

probe http HTTP-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  expect status 200 200

probe https SSL-PROBE
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /small.html
  expect status 200 200

rserver host LINUX-1
  ip address 192.168.1.11
  inservice
rserver host LINUX-2
  ip address 192.168.1.12
  inservice
rserver host LINUX-3
  ip address 192.168.1.13
  inservice
rserver host LINUX-4
  ip address 192.168.1.14
  inservice

ssl-proxy service APP-SSL
  key app-key
  cert app-cert

serverfarm host APP-FARM
  probe HTTP-PROBE
  rserver LINUX-3 80
    inservice
  rserver LINUX-4 80
    inservice

serverfarm host WEBFARM
  probe HTTP-PROBE
  probe SSL-PROBE
  rserver LINUX-1
    inservice
  rserver LINUX-2
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-GRP-WEB
  timeout 10
  serverfarm WEBFARM

sticky http-cookie ACE-ID app-cookie
  cookie insert
  serverfarm APP-FARM

class-map type http inspect match-any BLACK
  2 match url .*admin.html
  3 match url length range 46 65535
class-map match-all VIP-APP-SSL
  2 match virtual-address 172.16.PC.171 tcp eq https
class-map match-all VIP-APP-WEB
  2 match virtual-address 172.16.PC.171 tcp eq www
class-map match-all VIP-WEB
  2 match virtual-address 172.16.PC.170 any
class-map type http inspect match-any WHITE
  3 match request-method rfc get
  4 match request-method rfc head
  5 match request-method rfc post
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any
class-map match-all SERVER-INITIATED
  2 match source-address 192.168.1.11 255.255.255.255

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match APP-POLICY
  class class-default
    sticky-serverfarm app-cookie
policy-map type loadbalance first-match SSL-APP-POLICY
  class class-default
    sticky-serverfarm app-cookie
policy-map type loadbalance first-match STICKY-SLB
  class class-default
    sticky-serverfarm STICKY-GRP-WEB

policy-map type inspect http all-match HTTP-INSP
  class WHITE
    permit
  class BLACK
    reset
  class class-default
    reset

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy STICKY-SLB
    loadbalance vip icmp-reply active
  class VIP-APP-WEB
    loadbalance vip inservice
    loadbalance policy APP-POLICY
    loadbalance vip icmp-reply active
    inspect http policy HTTP-INSP
  class VIP-APP-SSL
    loadbalance vip inservice
    loadbalance policy SSL-APP-POLICY
    loadbalance vip icmp-reply active
    inspect http policy HTTP-INSP
    ssl-proxy server APP-SSL

policy-map multi-match src-nat-servers
  class SERVER-INITIATED
    nat static 172.16.PC.250 netmask 255.255.255.255 vlan 2PC

interface vlan 2PC
  ip address 172.16.PC.20 255.255.255.0
  access-group input web
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  no shutdown

interface vlan 4PC
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input src-nat-servers
  no shutdown

domain infosec
  add-object interface vlan 2PC
  add-object interface vlan 4PC
  add-object access-list extended everyone
  add-object access-list extended web

ip route 0.0.0.0 0.0.0.0 172.16.PC.1

username cisco password 5 $1$XmQdckxk$.7qpe2mHEq1WJowynpfuK0 role Admin domain default-domain
username secops password 5 $1$ZUdFMk7n$bjMjyAXHaUC8viJR6mkmq/ role Security-Admin domain infosec


Lab 11: Troubleshooting Case Study 1: Common SLB Configuration Errors


Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will troubleshoot common server load-balancing (SLB) configuration errors. After completing this exercise, you will be able to meet these objectives:

Troubleshoot real server containers and server farms
Troubleshoot class and policy maps to provide load balancing
Verify that the Cisco ACE is load-balancing client traffic

Visual Objective
The figure illustrates what you will accomplish in this activity.

Figure: Troubleshooting Case Study 1: Common SLB Configuration Errors. The diagram shows a client asking "Why can't I get to this website?!?", the Cisco ACE, and the servers, with the client-to-server path marked with an X.

Required Resources
These are the resources and equipment that are required to complete this activity:

Catalyst 6500 with Supervisor 720
Cisco 4710 Application Control Engine Appliance
Server minimally running Telnet and HTTP


Task 1: Troubleshoot the First Error Case Configuration


In this task, you will review an existing configuration to determine why clients cannot successfully connect to the VIP.

Activity Procedure
Complete these steps:
Step 1

Connect to your client PC.

Step 2

Connect directly to the Cisco ACE management IP address for your SLB context.

C:\> telnet 172.16.PC.5
Trying 172.16.PC.5...
Connected to 172.16.PC.5 (172.16.PC.5).
Escape character is '^]'.

User Access Verification
Username: cisco
Password: cisco123

Step 3

Use the checkpoint feature to roll back to error-case-1.


switch/Lab-OPT-PC# checkpoint rollback error-case-1
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Step 4

Use show commands to view the configuration. Problem: Why can't clients successfully connect to the VIP and receive HTTP responses?

Step 5

Make the corrections and test to ensure that clients can successfully reach the VIP http://172.16.PC.171/.

Activity Verification
You have completed this task when you have successfully load-balanced HTTP requests to the VIP.


Task 2: Troubleshoot the Second Error Case Configuration


In this task, you will review an existing configuration to determine why clients cannot successfully connect to the VIP.

Activity Procedure
Complete these steps:
Step 1

Use the checkpoint feature to roll back to error-case-2.


switch/Lab-OPT-PC# checkpoint rollback error-case-2
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Step 2

Use show commands to view the configuration. Problem: Why are clients unable to successfully connect to the VIP and receive HTTP responses?

Step 3

Make the corrections and test to ensure that clients can successfully reach the VIP http://172.16.PC.171/.
Tip

Try using the show service-policy CLIENT-VIPS detail command.

Activity Verification
You have completed this task when you have successfully load-balanced HTTP requests to the VIP.


Task 3: Troubleshoot the Third Error Case Configuration


In this task, you will review an existing configuration to determine why clients cannot successfully connect to the VIP.

Activity Procedure
Complete these steps:
Step 1

Use the checkpoint feature to roll back to error-case-3.


switch/Lab-OPT-PC# checkpoint rollback error-case-3
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Step 2

Use show commands to view the configuration. Problem: Why are clients unable to successfully connect to the VIP and receive HTTP responses?

Step 3

Make the corrections and test to ensure that clients can successfully reach the VIP http://172.16.PC.171/.

Activity Verification
You have completed this task when you have successfully load-balanced HTTP requests to the VIP.

Task 4: Apply the Baseline Configuration


The Cisco ACE ensures that no duplicate IPs exist across contexts per VLAN. Because of the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the server, so that the VLAN interface can be reused in the remaining labs.

Activity Procedure
Use the checkpoint feature to roll back to baseline-mgmt.
switch/Lab-OPT-PC# checkpoint rollback baseline-mgmt
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded

Activity Verification
You have completed this task when you have removed the server VLAN from the context.


Lab 12: Troubleshooting Case Study 2: Common Layer 7 SLB Configuration Errors
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this exercise, you will troubleshoot common Layer 7 server load-balancing (SLB) configuration errors. After completing this exercise, you will be able to meet these objectives:

Troubleshoot real server containers and server farms
Troubleshoot class and policy maps to provide load balancing
Verify that the Cisco ACE is load-balancing client traffic

Visual Objective
The figure illustrates what you will accomplish in this activity.

Figure: Troubleshooting Case Study 2: Common Layer 7 SLB Configuration Errors. The diagram shows a client asking "Why can't I get to this website?!?", the Cisco ACE, and the servers, with the client-to-server path marked with an X.

Required Resources
These are the resources and equipment that are required to complete this activity:

Catalyst 6500 with Supervisor 720
Cisco 4710 Application Control Engine appliance
Server minimally running Telnet and HTTP


Task 1: Troubleshoot the First Error Case Configuration


In this task, you will review an existing configuration to determine why clients cannot successfully connect to the VIP.

Activity Procedure
Complete these steps:
Step 1

Connect to your client PC.

Step 2

Connect directly to the Cisco ACE management IP address for your Layer 7 load-balancing context.

C:\> telnet 172.16.PC.7
Trying 172.16.PC.7...
Connected to 172.16.PC.7 (172.16.PC.7).
Escape character is '^]'.

User Access Verification
Username: cisco
Password: cisco123

Step 3

Verify that you are in the correct context by looking at the prompt:
switch/Lab-OPT-PC#

Step 4

Use the checkpoint feature to roll back to error-case-1.

Step 5

Use show commands to view the configuration. Problem: Why can't clients successfully connect to the VIP and receive HTTP responses?

Step 6

Make the corrections and test to ensure that clients can successfully reach the VIP http://172.16.PC.171/.

Activity Verification
You have completed this task when you have successfully load-balanced HTTP requests to the VIP.
