Acesm20 Lg


  • 8/12/2019 Acesm20 Lg


ACESM

Implementing the Application Control Engine Service Module Version 2.0

Lab Guide

Text Part Number: 67-2531-01


DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.


Table of Contents

Lab Guide 1
Overview 1
Outline 1
Lab Topology 2
Your Client PC Information 2
IP Addressing 2
Connecting to Lab Devices 3

Lab 1: Implementing Virtualization 5
Activity Objective 5
Visual Objective 5
Required Resources 5
Task 1: Review the Current Network Configuration 6
Task 2: Configure New Contexts 10
Task 3: Create Resource Classes 14
Answer Key: Implementing Virtualization 20

Lab 2: Using Network Address Translation 21
Activity Objective 21
Required Resources 21
Task 1: Configure Static NAT for a Host 22
Task 2: Configure Static NAT for a Subnet 28
Task 3: Apply the Baseline Configuration 30
Answer Key: Using Network Address Translation 31

Lab 3: Configuring Server Load Balancing 33
Activity Objective 33
Visual Objective 33
Required Resources 34
Task 1: Configure Real Servers 34
Task 2: Configuring Load-Balancing Class Maps and Policy Maps 38
Task 3: Test the New VIP Load-Balancing Configuration 41
Task 4: Configure Dynamic NAT 42
Answer Key: Configuring Server Load-Balancing 46

Lab 4: Implementing Health Monitoring 51
Activity Objective 51
Visual Objective 51
Required Resources 52
Task 1: Configure Health Monitoring for Real Servers 52
Task 2: Configure Health Monitoring for a Server Farm 59
Task 3: Configure Health Monitoring for a Real Server Within a Server Farm 62
Task 4: Return Code Parsing 67
Task 5: Configuring the Cisco ACE Action on Server Failure 70
Task 6: Configuring Partial Server Farm Failover 72
Task 7: Apply the Baseline Configuration 78

Lab 5: Configuring Layer 7 Load Balancing 83
Activity Objective 83
Visual Objective 83
Required Resources 84
Task 1: Configure a Real Server 84
Task 2: Configure Layer 7 Load Balancing 86
Task 3: Test the New VIP Load-Balancing Configuration 89
Task 4: Mixing Layer 4 and Layer 7 Traffic 90
Task 5: Optimize the Mixed-Traffic VIP 95
Task 6: Generic Layer 4 Content Parsing 97
Task 7: Layer 4 Payload Stickiness 102
Task 8: Apply the Baseline Configuration 106
Answer Key: Configuring Layer 7 Load Balancing 107


Lab 6: Enabling Sticky Connections 121
Activity Objective 121
Visual Objective 121
Required Resources 122
Task 1: Create a Server Farm 122
Task 2: Apply Source IP Sticky to Ensure Client Persistence 123
Task 3: Apply the Baseline Configuration 124
Answer Key: Enabling Sticky Connections 125

Lab 7: Enabling Protocol Inspection 127
Activity Objective 127
Visual Objective 127
Required Resources 127
Task 1: Configure a Protocol Fixup 128
Task 2: Configure FTP 130
Task 4: Apply the Baseline Configuration 134
Answer Key: Enabling Protocol Inspection 135

Lab 8: Configuring SSL Termination 140
Activity Objective 140
Visual Objective 140
Required Resources 140
Task 1: Configure SSL Termination When You Have Certificates and Keys 141
Task 2: Configure SSL Termination When You Must Create Certificates and Keys 147
Task 3: SSL Session ID Reuse 155
Task 4: Configure SSL Queue Delay 160
Task 5: Apply the Baseline Configuration 161
Answer Key: Configuring SSL Termination 162

Lab 9: Integrating Multiple Features 169
Activity Objective 169
Visual Objective 170
Required Resources 170
Task 1: Create a Virtual IP Address to Accept Web Traffic 171
Task 2: Apply Source IP Sticky to Ensure Client Persistence 174
Task 3: Apply Probes to Ensure That Real Servers Are Working Properly 176
Task 4: Create a Virtual IP Address to Accept Clear Application Traffic 180
Task 5: Create a Virtual IP Address to Accept Secure Application Traffic 183
Task 6: Add SSL Acceleration 184
Task 7: Apply Probe and Cookie Insert Sticky to Ensure Client Persistence 190
Task 8: Create a Domain for the Security Team 193
Task 9: Allow Direct Server Access and Server-Initiated Connections 196
Task 10: Configure HTTP Normalization 199
Task 11: Apply the Baseline Configuration 204

Lab 10: Troubleshooting Case Study 1: Common SLB Configuration Errors 205
Activity Objective 205
Visual Objective 205
Required Resources 205
Task 1: Troubleshoot the First Error Case Configuration 206
Task 2: Troubleshoot the Second Error Case Configuration 206
Task 3: Troubleshoot the Third Error Case Configuration 207

Lab 11: Troubleshooting Case Study 2: Common Layer 7 SLB Configuration Errors 209
Activity Objective 209
Visual Objective 209
Required Resources 209
Task 1: Troubleshoot the First Error Case Configuration 210


    ACESM

    Lab Guide

Overview

This guide presents the instructions and other information concerning the lab activities for this course. You can find the solutions in the lab activity Answer Key.

    Outline

    This guide includes these activities:

    Lab 1: Implementing Virtualization

    Lab 2: Using Network Address Translation

    Lab 3: Configuring Server Load Balancing

    Lab 4: Implementing Health Monitoring

    Lab 5: Configuring Layer 7 Load Balancing

    Lab 6: Enabling Sticky Connections

    Lab 7: Enabling Protocol Inspection

    Lab 8: Configuring SSL Termination

    Lab 9: Integrating Multiple Features

Lab 10: Troubleshooting Case Study 1: Common SLB Configuration Errors

Lab 11: Troubleshooting Case Study 2: Common Layer 7 SLB Configuration Errors


    Lab Topology

    The figure shows the lab topology.

[Figure: Lab Topology. Devices shown: Catalyst 6500 with MSFC and Cisco ACE Module, Cisco ACE Admin context, Client PC, and servers. Addresses shown: 192.168.1.10 through 192.168.1.15, 192.168.1.1, 172.19.110.P, 172.19.110.PC, 172.19.110.1, 10.10.10.1, 10.10.10.PC, 172.16.PC.L, 172.16.PC.1, 209.165.201.PC, 209.165.201.1. VLANs shown: VLAN 10, VLAN 2PC, VLAN 3PC, VLAN 4PC.]

P = Pod number
C = Client number
L = Lab exercise number + 10

    Your Client PC Information

    You will be assigned a pod and a client by your instructor. Below please write down your

    username, password, pod number, and client number for easy reference during the remainder of

    the class.

    Username

    Password

    Pod Number

    Client Number

    IP Addressing

    The IP addressing scheme is outlined in these tables, where:

    P = pod number

    C = client number

Note In the current virtualized implementation used in this lab, all pods are internally numbered pod 1. Therefore, P = 1 throughout this lab guide.


Lab 1: Implementing Virtualization

Complete this lab activity to practice what you learned in the related lesson.

    Activity Objective

    In this exercise, you will explore the lab configuration of the Cisco Catalyst 6500 and the Cisco

    ACE Admin context. You will create new contexts and resource classes to understand the

flexibility of virtualization on the Cisco ACE Module. After completing this exercise, you will be able to meet these objectives:

    Review the existing Cisco ACE configuration

    Define Cisco ACE contexts

    Create Cisco ACE resource classes

    Visual Objective

    The figure illustrates what you will accomplish in this activity.

[Figure: Implementing Virtualization]

    Required Resources

    These are the resources and equipment required to complete this activity:

    Cisco Catalyst 6500 Series Supervisor Engine 720

    Cisco ACE Module

    Server minimally running Telnet and HTTP


    Task 1: Review the Current Network Configuration

    In this task, you will connect to the Catalyst 6500 Series Supervisor Engine 720 and establish a

    session to the Admin context on the Cisco ACE Module. You will then review the existing

    ACE configuration. This lab simulates configuring a new Cisco ACE Module just after system

    boot and initial administrative configuration. Before you configure the Cisco ACE Module to

    connect with the client-facing network and servers, you must understand how the Catalyst 6500

    Series Supervisor Engine 720 is configured to allow these VLANs to be connected to the Cisco

ACE Module. By default, no VLANs are sent to the Cisco ACE Module; this is unlike the Content Switching Module (CSM), which receives all VLAN traffic.

Note Use the terminal monitor command after you connect to any device to make sure that all

    console messages are seen. This command offers an invaluable source of information when

    initially configuring the service modules.

    Activity Procedure

    Complete these steps:

    Step 1 Connect to your Client PC.

Step 2 Telnet to 172.19.110.P from your Client PC to access the Catalyst 6500 Series Supervisor Engine 720 in the Catalyst 6500 within your pod. Log in with the username cisco and the password cisco.

    C:\> telnet 172.19.110.P

    Trying 172.19.110.P...

Connected to 172.19.110.P (172.19.110.P).

    Escape character is '^]'.

    User Access Verification

    Password: cisco

    Step 3 Display the chassis modules to determine the slot of the Cisco ACE Module.

    PodP-6k# show module

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     1 Application Control Engine Module      ACE10-6500-K9      SAD103206UR
  2    48 48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL06313L4X
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL10360EMM

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 0019.0627.b91a to 0019.0627.b921   1.1    8.7(0.5-Eng) A2(0)        Ok
  2 000a.8a99.31a8 to 000a.8a99.31d7   6.1    5.4(2)       8.5(0.46)RFW Ok
  5 0017.5a34.bc9c to 0017.5a34.bc9f   5.2    8.4(2)       12.2(18)SXF4 Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  2  Inline Power Module         WS-F6K-PWR                     1.0     Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL10360CHJ 1.8     Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL10360EV5 2.5     Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  5  Pass

    Step 4 Observe that, unlike the Firewall Services Module (FWSM) and the CSM, the Cisco

    ACE Module does not use a multi-Gigabit EtherChannel to connect to the

    backplane, but a single 10-gigabit interface.

Try some of the show commands: (The following will work if the Cisco ACE

    Module is in slot 1.)

    PodP-6k# show asic-version slot 1

    Module in slot 1 has 2 type(s) of ASICs

    ASIC Name Count Version

    HYPERION 1 (5.0)

    SSA 1 (8.0)

    Note The Hyperion is the Cisco ACE interconnect to the Catalyst 6500 Switch Fabric.

    PodP-6k# show interface TenGigabitEthernet 1/1 status

Port    Name               Status       Vlan       Duplex  Speed Type
Te1/1                      connected    trunk      full    10G   MultiService Module

Note The status keyword must be abbreviated as statu or spelled out. Abbreviating the keyword as stat issues the show interface TenGigabitEthernet 1/1 stats command, which gives you blank output.

    PodP-6k# show interface TenGigabitEthernet 1/1 counters

Port         InOctets   InUcastPkts   InMcastPkts   InBcastPkts

    Te1/1 745174 4799 5394317

Port         OutOctets  OutUcastPkts  OutMcastPkts  OutBcastPkts
Te1/1        248640     0             0             3885

    Step 5 The Cisco ACE Module will not accept VLAN traffic unless the Catalyst 6500

    Series Supervisor Engine 720 is specifically configured to allow VLANs to access

    the Cisco ACE Module. This is similar to how the FWSM and Web VPN modules

    work. By not allowing all VLANs to access the Cisco ACE Module, broadcast

    storms on non-ACE VLANs have no effect on the Cisco ACE Module. This is an

    improvement over the CSM, which has backplane connectivity to all VLANs within

    the Catalyst 6500. To allow VLANs to access the Cisco ACE Module, use the svclc

    command to create a VLAN group and apply it to the module.

    PodP-6k# conf t

    Enter configuration commands, one per line. End with CNTL/Z.

PodP-6k(config)# svclc ?
  autostate                 Enable autostate for all svclc modules
  module                    Module number which a vlan-group will be tied to
  multiple-vlan-interfaces  Enable multiple vlan interfaces mode for svclc modules
  vlan-group                Secure group which VLANs will be tied to

    PodP-6k(config)# exit

    PodP-6k# show run | inc svc

    svclc multiple-vlan-interfaces

    svclc module 1 vlan-group 1,2

    svclc vlan-group 1 31,110,2P1-2P8

    svclc vlan-group 2 30,4P1-4P8

Note SVCLC VLAN groups can be applied to the FWSM using the firewall module command.

    Likewise, firewall VLAN groups can be applied to the Cisco ACE Module using the svclc

    command.

The svclc multiple-vlan-interfaces command is required when connecting more than one

    VLAN with a Layer 3 MSFC interface to the Cisco ACE Module.

    The number of VLANs you see displayed might vary for the example in this guide. In this

lab, you will only be concerned with the 2PC and 4PC VLANs.

Step 6 Use the show svclc command to verify that the proper VLAN group has been created and applied.

    PodP-6k# show svclc ?

  autostate                 Show ACE module vlan interfaces autostate feature

    hsrp-tracking show hsrp tracking entries

    module Show secure VLANs tied to a module

  multiple-vlan-interfaces  Show state of multiple svclc vlan interfaces feature
  rhi-routes                show RHI Routes
  vlan-group                Show secure VLANs tied to a secure group

    PodP-6k# show svclc vlan-group

Display vlan-groups created by both ACE module and FWSM commands

    Group Created by vlans

    ----- ---------- -----

    1 ACE 31,110,2P1-2P8

    2 ACE 30,4P1-4P8

    PodP-6k# show svclc module

    Module Vlan-groups

    ------ -----------

    01 1,2

Step 7 Verify your configuration with the show interfaces command. Make sure that both VLAN 2PC and 4PC are allowed on the trunk and are allowed and active in the management domain.

    PodP-6k# show interfaces TenGigabitEthernet 1/1 trunk

Port      Mode         Encapsulation  Status        Native vlan

    Te1/1 on 802.1q trunking 1

    Port Vlans allowed on trunk

    Te1/1 30-31,110,2P1-2P8,4P1-4P8

    Port Vlans allowed and active in management domain

    Te1/1 110,2P1-2P8,4P1-4P8

Port      Vlans in spanning tree forwarding state and not pruned

    Te1/1 110,2P1-2P8,4P1-4P8

    Activity Verification

    You have completed this task when you understand how the Cisco ACE Module is physically

    and logically connected to the Catalyst 6500:


    Task 2: Configure New Contexts

    In this task, you will define ACE contexts.

    Activity Procedure

    Complete these steps:

Step 1 Continuing from the Task 1 Telnet session, connect to the Cisco ACE Module's

    Admin context. (This can be done by using a session from the Catalyst 6500 Series

    Supervisor Engine 720 or by using Telnet or SSH from the Client PC in the pod.)

The following step uses the session command from the Catalyst 6500 Series

    Supervisor Engine 720 to gain access to the Cisco ACE Module.

    PodP-6k# session slot 1 processor 0

    The default escape character is Ctrl-^, then x.

You can also type 'exit' at the remote prompt to end the session

    Trying 127.0.0.10 ... Open

    PodP-ACE login: admin

    Password: admin

    Cisco Application Control Software (ACSW)

    TAC support: http://www.cisco.com/tac

Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.

    The copyrights to certain works contained herein are owned by

other third parties and are used and distributed under license.

    Some parts of this software are covered under the GNU Public

    License. A copy of the license is available at

    http://www.gnu.org/licenses/gpl.html.

    PodP-ACE/Admin#

Note Sessioning into a service module opens an internal connection over the loopback address of the service module. This address is slot dependent: the slot number is multiplied by 10. For example, if the Cisco ACE Module were in slot 5, session slot 5 processor 0 would open a connection to 127.0.0.50. You cannot session into the Cisco ACE Module while it is booting.

    Reference Processor 0: Admin context used for administration after the module has successfully

    booted.

    Processor 1: Debug access to NP0. This should only be used with TAC or Engineering

    guidance. Issuing commands in this session can make the NP unstable. Usage of this

    access should be used with extreme caution in a production environment.

    Processor 2: Debug access to NP1. This should only be used with TAC or Engineering

    guidance. Issuing commands in this session can make the NP unstable. Usage of this

    access should be used with extreme caution in a production environment.

    No other processor interfaces are defined at this time.


    PodP-ACE/Admin(config)# login timeout 0

Note The line vty command is different from Cisco IOS in that it does not control remote session idle timeouts using the exec-timeout command.

Step 5 Issue the show run command from enable mode to see the current Cisco ACE configuration. The Admin context is where you configure Layer 3 access (VLANs, ACLs, static routes, and so on) so that the Admin context can be reached through SSH or Telnet. In the running configuration, you can also view all of the contexts that are configured and the VLANs that are associated with them. You can also configure the Cisco ACE features (load balancing, ssl-proxy, and so on) using the Admin context, but this is not recommended.

    Note By default, the admin and www users are present. They exist in the Admin context and

    provide default access. The admin account is for administration. The www account is for

    supporting the XML interface. Do not delete this user. If the www user is removed, the XML

    interface will be disabled for the entire module.

Step 6 Use the context command to create a new context.

PodP-ACE/Admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.

    PodP-ACE/Admin(config)# context Lab-Virt-PC

Note Remember that P refers to your pod number and C refers to your client number. These

    numbers were assigned to you at the beginning of the first part of the lab.

Note You can connect to a context in two ways: by using the changeto context_name command,

    or by associating a VLAN and an IP address with the context and establishing a Telnet

    session to that address (after you have allowed administrative traffic).

    PodP-ACE/Admin(config-context)# ?

    Submode commands:

    allocate-interface Assign a vlan to a context

    description Description for the context

    do EXEC command

    end Exit from configure mode

    exit Exit from this submode

    member Resource-class membership

    no Negate a command or set its defaults

Step 7 Display the VLANs allocated to the entire Cisco ACE Module from the Catalyst 6500 Series Supervisor Engine 720.

    PodP-ACE/Admin(config-context)# do show vlans

    Vlans configured on SUP for this module

    vlan110 vlan2P1-2P8 vlan4P1-4P8

    Step 8 Allocate your client VLAN to the new context.

    PodP-ACE/Admin(config-context)# allocate-interface vlan 2PC


    Step 9 To better understand the VLAN allocations, attempt to add two more VLANs to this

    context.

    PodP-ACE/Admin(config-context)# allocate-interface vlan 11,12

PodP-ACE/Admin(config-context)# do show run context | beg Virt-PC

    Generating configuration....

    context Lab-Virt-PC

    allocate-interface vlan 11

    allocate-interface vlan 2PC

Note The allocate-interface command does not accept comma separated VLANs.

    Step 10 Attempt to add a range of VLANs.

    PodP-ACE/Admin(config-context)# allocate-interface vlan 20-29

    PodP-ACE/Admin(config-context)# do sho run context | beg Virt-PC

    Generating configuration....

    context Lab-Virt-PC

    allocate-interface vlan 11

    allocate-interface vlan 20-29

    allocate-interface vlan 2PC

Step 11 Remove VLANs 11 and 25. Observe the modified VLAN allocation. Next, remove

    the remaining VLANs 20-24 and 26-29.

    PodP-ACE/Admin(config-context)# no allocate-interface vlan 11

    PodP-ACE/Admin(config-context)# no allocate-interface vlan 25

    PodP-ACE/Admin(config-context)# do sho run context | beg Virt-PC

    Generating configuration....

    context Lab-Virt-PC

allocate-interface vlan 20-24
allocate-interface vlan 26-29

    allocate-interface vlan 2PC

    PodP-ACE/Admin(config-context)# no allocate-interface vlan 20-24

    PodP-ACE/Admin(config-context)# no allocate-interface vlan 26-29

    Step 12 View the newly created context.

    PodP-ACE/Admin(config-context)# do sho context Lab-Virt-PC

    Name: Lab-Virt-PC, Id: 106

    Config count: 0

    Description:

    Resource-class: default

    Vlans: Vlan2PC

    Step 13 Create another context to be used in the next task.

    PodP-ACE/Admin(config-context)# context Lab-Virt2-PC
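As an added example (not part of the lab guide), the following Python models the allocate-interface behaviour seen in Steps 8 to 11 and then checks the context's VLANs against the Supervisor's svclc vlan-groups from Task 1, a mismatch the ACE CLI accepts without complaint. The Supervisor configuration is constructed for P = 1 and C = 1, the context name Lab-Virt-11 follows from that, and rejecting a comma list outright is a modelling choice where the guide only shows the list not taking effect.

```python
"""Model of Cisco ACE context VLAN allocation (added example, not from the lab guide).

allocate-interface takes a single VLAN or a hyphenated range but not a
comma-separated list, and removing one VLAN from the middle of a range splits
it (20-29 minus 25 becomes 20-24 and 26-29).  undelivered() reports allocated
VLANs that the Supervisor does not send to the module via svclc vlan-group.
VLAN numbers assume P=1, C=1, so VLAN 2PC is 211 and the context is Lab-Virt-11.
"""
from __future__ import annotations

import re

RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_spec(spec: str) -> set[int]:
    """Parse one VLAN ('211') or one range ('20-29') into a set of VLAN IDs.

    A comma-separated list raises ValueError; the guide notes that
    allocate-interface does not accept comma-separated VLANs.
    """
    m = RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"allocate-interface does not accept '{spec}'")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 1 <= lo <= hi <= 4094:
        raise ValueError(f"invalid VLAN range '{spec}'")
    return set(range(lo, hi + 1))


def parse_svclc_groups(sup_config: str) -> set[int]:
    """Collect every VLAN named on 'svclc vlan-group <n> <list>' lines.

    The Supervisor side does accept comma-separated lists and ranges.
    """
    vlans: set[int] = set()
    for line in sup_config.splitlines():
        m = re.match(r"^\s*svclc vlan-group \d+ (\S+)", line)
        if m:
            for item in m.group(1).split(","):
                vlans |= parse_vlan_spec(item)
    return vlans


def to_ranges(vlans: set[int]) -> list[str]:
    """Render a VLAN set the way 'show run context' prints it: contiguous runs."""
    out: list[str] = []
    run: list[int] = []
    for v in sorted(vlans) + [None]:          # sentinel flushes the last run
        if run and (v is None or v != run[-1] + 1):
            out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
            run = []
        if v is not None:
            run.append(v)
    return out


class Context:
    """A Cisco ACE context and the VLANs allocated to it."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.vlans: set[int] = set()

    def allocate_interface(self, spec: str) -> None:
        self.vlans |= parse_vlan_spec(spec)

    def no_allocate_interface(self, spec: str) -> None:
        self.vlans -= parse_vlan_spec(spec)

    def show_run(self) -> list[str]:
        return [f"allocate-interface vlan {r}" for r in to_ranges(self.vlans)]

    def undelivered(self, sup_vlans: set[int]) -> list[str]:
        """Allocated VLANs the Supervisor never sends to the module."""
        return to_ranges(self.vlans - sup_vlans)


# Constructed Supervisor configuration for pod 1 (2PC -> 211-218, 4PC -> 411-418),
# following the shape of the 'show run | inc svc' output in Task 1.
SUP_CONFIG = """
svclc multiple-vlan-interfaces
svclc module 1 vlan-group 1,2
svclc vlan-group 1 31,110,211-218
svclc vlan-group 2 30,411-418
"""


def walk_task2() -> Context:
    """Replay Steps 8 to 11 of Task 2 for client 1 and return the context."""
    ctx = Context("Lab-Virt-11")
    ctx.allocate_interface("211")       # Step 8: the client VLAN 2PC
    ctx.allocate_interface("11")        # Step 9: one VLAN at a time
    ctx.allocate_interface("20-29")     # Step 10: a range is accepted
    ctx.no_allocate_interface("11")     # Step 11: remove 11 ...
    ctx.no_allocate_interface("25")     # ... and 25, which splits 20-29
    return ctx
```

Running walk_task2() and then undelivered(parse_svclc_groups(SUP_CONFIG)) shows that VLANs 20-24 and 26-29 are allocated to the context but never trunked to the module by the Supervisor.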


    Activity Verification

    You have completed this task when you understand how to create a new context and how to

    assign VLANs to a context.

    Task 3: Create Resource Classes

    In this task, you will learn how to create Cisco ACE resource classes and then assign those

    resource classes to a context.

    Activity Procedure

    Complete these steps:

    Step 1 View the current resource allocation.

    PodP-ACE/Admin(config-context)# do show resource ?

    allocation Show resource allocation information.

    usage Show resource usage information

    PodP-ACE/Admin(config-context)# do show resource allocation

    ---------------------------------------------------------------------------

    Parameter Min Max Class

    ---------------------------------------------------------------------------

    acl-memory 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    syslog buffer 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    conc-connections 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    mgmt-connections 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    proxy-connections 0.00% 10100.00% default

0.00% 800.00% cart
0.00% 100.00% avs


    bandwidth 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    connection rate 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    inspect-conn rate 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    syslog rate 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    regexp 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    sticky 0.00% 10100.00% default

    8.00% 8.00% cart

    10.00% 10.00% avs

    xlates 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    ssl-connections rate 0.00% 10100.00% default

0.00% 800.00% cart
0.00% 100.00% avs

    mgmt-traffic rate 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs

    mac-miss rate 0.00% 10100.00% default

    0.00% 800.00% cart

    0.00% 100.00% avs


PodP-ACE/Admin(config-context)# do sho resource usage
                                                            Allocation
     Resource                 Current     Peak        Min         Max         Denied
-----------------------------------------------------------------------------
Context: Admin
  conc-connections           0           0           0           8000000     0
  mgmt-connections           2           16          0           5000        0
  proxy-connections          0           0           0           1048574     0
  xlates                     0           0           0           1048574     0
  bandwidth                  0           0           0           500000000   0
  connection rate            0           0           0           1000000     0
  ssl-connections rate       0           0           0           1000        0
  mgmt-traffic rate          0           0           0           125000000   0
  mac-miss rate              0           0           0           2000        0
  inspect-conn rate          0           0           0           3000        0
  acl-memory                 2736        8136        0           78610432    0
  regexp                     335         398         0           1048576     0
  syslog buffer              10000       0           0           4194304     0
  syslog rate                10000       0           0           3000        0
Context: Lab-SLB-PC
  conc-connections           0           12          0           8000000     0
  mgmt-connections           0           0           0           5000        0
  proxy-connections          0           12          0           1048574     0
  xlates                     0           0           0           1048574     0
  bandwidth                  0           0           0           500000000   0
  connection rate            0           0           0           1000000     0
  ssl-connections rate       0           0           0           1000        0
  mgmt-traffic rate          0           0           0           125000000   0
  mac-miss rate              0           0           0           2000        0
  inspect-conn rate          0           0           0           3000        0
  acl-memory                 2712        5328        0           78610432    0
  regexp                     0           0           0           1048576     0
  syslog buffer              10000       0           0           4194304     0
  syslog rate                10000       0           0           3000        0
Context: Lab-HM-PC
  conc-connections           0           0           0           8000000     0
  mgmt-connections           0           0           0           5000        0
  proxy-connections          0           0           0           1048574     0

    Step 2 Create a new resource class named HARD-SET-PC.

    PodP-ACE/Admin(config)# resource-class HARD-SET-PC

Step 3 Allocate all resources to this resource-class using the keyword all and limit it to 1%

    of the Cisco ACE resources.

PodP-ACE/Admin(config-resource)# ?
Submode commands:
  do               EXEC command
  exit             Exit from this submode
  limit-resource   Set resource limits
  no               Negate a command or set its defaults

PodP-ACE/Admin(config-resource)# limit-resource ?
  acl-memory          Limit ACL memory
  all                 Limit all resource parameters
  buffer              Set resource-limit for buffers
  conc-connections    Limit concurrent connections (thru-the-box traffic)
  mgmt-connections    Limit management connections (to-the-box traffic)
  proxy-connections   Limit proxy connections
  rate                Set resource-limit as a rate (number per second)
  regexp              Limit amout of regular expression memory
  sticky              Limit number of sticky entries
  xlates              Limit number of Xlate entries

PodP-ACE/Admin(config-resource)# limit-resource all minimum 1 maximum ?
  equal-to-min   Set maximum limit to same as minimum limit
  unlimited      Set maximum limit to unlimited


    PodP-ACE/Admin(config-resource)# limit-resource all minimum 1 maximum equal-to-min

    Step 4 View the net resource class allocations.

PodP-ACE/Admin(config-context)# do show resource allocation
---------------------------------------------------------------------------
Parameter            Min       Max          Class
---------------------------------------------------------------------------
acl-memory           0.00%     10100.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
syslog buffer        0.00%     10100.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
conc-connections     0.00%     10100.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
mgmt-connections     0.00%     10100.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
proxy-connections    0.00%     10100.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
bandwidth            0.00%     10100.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs

    Why are the resource allocations not displayed, although the resource class has been created?

    Step 5 Apply the new resources class to the context Lab-Virt-PC.

PodP-ACE/Admin(config)# context Lab-Virt-PC
PodP-ACE/Admin(config-context)# member ?
  avs  cart  default  HARD-SET-PC
PodP-ACE/Admin(config-context)# member HARD-SET-PC

View the changes to the resource allocation table.

PodP-ACE/Admin(config-context)# do show resource allocation
---------------------------------------------------------------------------
Parameter            Min       Max          Class
---------------------------------------------------------------------------
acl-memory           0.00%     10000.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
                     1.00%     1.00%        HARD-SET-PC
syslog buffer        0.00%     10000.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
                     1.00%     1.00%        HARD-SET-PC
conc-connections     0.00%     10000.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
                     1.00%     1.00%        HARD-SET-PC
mgmt-connections     0.00%     10000.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
                     1.00%     1.00%        HARD-SET-PC
proxy-connections    0.00%     10000.00%    default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
                     1.00%     1.00%        HARD-SET-PC

    Is your resource class displayed? What percentage of the resources are assigned to your

    resource class?

    Step 6 Create a new resource-class named MIN+GROWTH-PC. Guarantee the resource

    class 2% of the ACE resources and allow any unused ACE resources to be accessed

    by contexts which are a member of this resource class.

PodP-ACE/Admin(config)# resource-class MIN+GROWTH-PC
PodP-ACE/Admin(config-resource)# limit-resource all minimum 2 maximum unlimited
PodP-ACE/Admin(config)# context Lab-Virt2-PC
PodP-ACE/Admin(config-context)# member MIN+GROWTH-PC

Show the resource class information with your changes.

PodP-ACE/Admin(config-context)# do sho resource allocation
---------------------------------------------------------------------------
Parameter            Min       Max          Class
---------------------------------------------------------------------------
acl-memory           0.00%     9900.00%     default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
                     1.00%     1.00%        HARD-SET-PC
                     2.00%     100.00%      MIN+GROWTH-PC
syslog buffer        0.00%     9900.00%     default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
                     1.00%     1.00%        HARD-SET-PC
                     2.00%     100.00%      MIN+GROWTH-PC
conc-connections     0.00%     9900.00%     default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
                     1.00%     1.00%        HARD-SET-PC
                     2.00%     100.00%      MIN+GROWTH-PC
mgmt-connections     0.00%     9900.00%     default
                     0.00%     800.00%      cart
                     0.00%     100.00%      avs
                     1.00%     1.00%        HARD-SET-PC
                     2.00%     100.00%      MIN+GROWTH-PC

    Step 7 Notice the resource usage difference between a context that is allocated only X% resources (Lab-Virt-PC) compared to a context guaranteed Y% and allowed to burst beyond this minimum allocation (Lab-Virt2-PC).

    PodP-ACE/Admin(config-context)# do sho resource usage context Lab-Virt-PC
                                                       Allocation
    Resource                Current    Peak    Min          Max          Denied
    -----------------------------------------------------------------------------


    Context: Lab-Virt-PC
    conc-connections        0          0       80000        0            0
    mgmt-connections        0          0       50           0            0
    proxy-connections       0          0       10486        0            0
    xlates                  0          0       10486        0            0
    bandwidth               0          0       5000000      0            0
    connection rate         0          0       10000        0            0
    ssl-connections rate    0          0       10           0            0
    mgmt-traffic rate       0          0       1250000      0            0
    mac-miss rate           0          0       20           0            0
    inspect-conn rate       0          0       30           0            0
    acl-memory              0          0       786104       0            0
    regexp                  0          0       10486        0            0
    syslog buffer           200        0       41943        0            0
    syslog rate             200        0       30           0            0

    PodP-ACE/Admin(config-context)# do sho resource usage context Lab-Virt2-PC
                                                       Allocation
    Resource                Current    Peak    Min          Max          Denied
    -----------------------------------------------------------------------------
    Context: Lab-Virt2-PC
    conc-connections        0          0       160000       7760000      0
    mgmt-connections        0          0       100          4850         0
    proxy-connections       0          0       20972        1017116      0
    xlates                  0          0       20972        1017116      0
    bandwidth               0          0       10000000     485000000    0
    connection rate         0          0       20000        970000       0
    ssl-connections rate    0          0       20           970          0
    mgmt-traffic rate       0          0       2500000      121250000    0
    mac-miss rate           0          0       40           1940         0
    inspect-conn rate       0          0       60           2910         0
    acl-memory              0          0       1572209      78610432     0
    regexp                  0          0       20972        1048576      0
    syslog buffer           10200      0       83886        4194304      0
    syslog rate             10200      0       60           3000         0

    Step 8 Try to allocate more minimum resources than the Cisco ACE Module can support. Create a temporary context for this test.

    PodP-ACE/Admin(config-context)# exit
    PodP-ACE/Admin(config)# resource-class MAX-PC
    PodP-ACE/Admin(config-resource)# limit-resource all min 99 maximum equal-to-min

    PodP-ACE/Admin(config)# context MAX-PC
    PodP-ACE/Admin(config-context)# member MAX-PC
    Error: resources in use

    Step 9 Try to increase an existing limit to allow more minimum resources than the Cisco ACE Module can support.

    PodP-ACE/Admin(config)# resource HARD-SET-PC
    PodP-ACE/Admin(config-resource)# limit-resource all min 99 maximum equal-to-min
    Error: checking resource parameter limit failed

    PodP-ACE/Admin(config-resource)# limit-resource sticky min 99 maximum equal-to-min
    Error: checking resource parameter limit failed

    Step 10 What conclusions can be drawn regarding the Cisco ACE oversubscription rules when allocating resources?
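The errors in Steps 8 and 9 and the Min/Max columns in Step 7 all follow from one piece of bookkeeping. The model below is an added example, not Cisco's code or the lab guide's: the rule it applies (guaranteed minimums of classes that have member contexts may not exceed 100%, and a class with "maximum unlimited" may grow into the unreserved remainder) is inferred from those outputs, and the pool sizes are constructed so that 1%, 2% and 97% reproduce the numbers shown for Lab-Virt-PC and Lab-Virt2-PC.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed pool sizes (assumption): 1% of each gives the Min column the
# guide shows for Lab-Virt-PC, 97% gives the Max column for Lab-Virt2-PC.
POOL = {
    "conc-connections": 8_000_000,
    "mgmt-connections": 5_000,
    "bandwidth": 500_000_000,
    "connection rate": 1_000_000,
    "mgmt-traffic rate": 125_000_000,
}


@dataclass
class ResourceClass:
    name: str
    minimum: float    # guaranteed percent: "limit-resource all minimum N"
    unlimited: bool   # True = "maximum unlimited", False = "maximum equal-to-min"


class AceResourceModel:
    """Toy model of the Admin context's resource-class bookkeeping."""

    def __init__(self) -> None:
        self.classes: Dict[str, ResourceClass] = {}
        self.members: Dict[str, str] = {}   # context name -> resource-class name

    def reserved_percent(self, exclude: Optional[str] = None) -> float:
        # Assumption: only classes with at least one member context reserve
        # anything, and each such class reserves its minimum once.
        in_use = {cls for cls in self.members.values() if cls != exclude}
        return sum(self.classes[cls].minimum for cls in in_use)

    def limit_resource(self, name: str, minimum: float, unlimited: bool) -> None:
        """resource-class NAME / limit-resource all minimum MIN maximum ..."""
        if name in self.members.values():
            # Step 9: changing a class that is already in use is checked
            # against what every other in-use class has reserved.
            if self.reserved_percent(exclude=name) + minimum > 100:
                raise ValueError("checking resource parameter limit failed")
        self.classes[name] = ResourceClass(name, minimum, unlimited)

    def member(self, context: str, class_name: str) -> None:
        """context CONTEXT / member CLASS"""
        cls = self.classes[class_name]
        if self.reserved_percent(exclude=class_name) + cls.minimum > 100:
            raise ValueError("resources in use")     # Step 8
        self.members[context] = class_name

    def usage_allocation(self, context: str) -> Dict[str, Tuple[int, int]]:
        """Min and Max columns of 'show resource usage context CONTEXT'.
        Max is the unreserved remainder a bursting class may grow into and is
        0 for an equal-to-min class (assumption read from the Step 7 output)."""
        cls = self.classes[self.members[context]]
        burst = 100 - self.reserved_percent() if cls.unlimited else 0
        return {
            res: (round(total * cls.minimum / 100), round(total * burst / 100))
            for res, total in POOL.items()
        }


def run_lab_scenario() -> dict:
    """Replays Steps 6 to 9 and collects what each command produced."""
    ace = AceResourceModel()
    ace.limit_resource("HARD-SET-PC", 1, unlimited=False)
    ace.member("Lab-Virt-PC", "HARD-SET-PC")
    ace.limit_resource("MIN+GROWTH-PC", 2, unlimited=True)
    ace.member("Lab-Virt2-PC", "MIN+GROWTH-PC")
    out = {
        "virt": ace.usage_allocation("Lab-Virt-PC"),
        "virt2": ace.usage_allocation("Lab-Virt2-PC"),
    }
    ace.limit_resource("MAX-PC", 99, unlimited=False)   # accepted: no member yet
    try:
        ace.member("MAX-PC", "MAX-PC")
    except ValueError as err:
        out["step8"] = str(err)
    try:
        ace.limit_resource("HARD-SET-PC", 99, unlimited=False)
    except ValueError as err:
        out["step9"] = str(err)
    out["reserved"] = ace.reserved_percent()
    return out


if __name__ == "__main__":
    for key, value in run_lab_scenario().items():
        print(key, value)
```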

    Activity Verification

    You have completed this task when you have developed an understanding of the multiple ways that resources can be allocated to a context.


    Answer Key: Implementing Virtualization

    When you complete this exercise, the Cisco ACE Module running configuration file will be similar to the following, with differences that are specific to your device or workgroup.

    PodP-ACE/Admin(config-resource)# do sho run
    Generating configuration....

    resource-class HARD-SET-PC
      limit-resource all minimum 1.00 maximum equal-to-min
    resource-class MIN+GROWTH-PC
      limit-resource all minimum 2.00 maximum unlimited
    resource-class MAX-PC
      limit-resource all minimum 99.00 maximum equal-to-min

    context Lab-Virt-PC
      allocate-interface vlan 2PC
      member HARD-SET-PC
    context Lab-Virt2-PC
      member MIN+GROWTH-PC
    context MAX-PC


    Lab 2: Using Network Address Translation

    Complete this lab activity to practice what you learned in the related lesson.

    Activity Objective

    In this activity, you will configure your ACE context to perform a variety of network address translations.

    The steps required to configure NAT on Cisco ACE are significantly different from those on Cisco firewalls. NAT on Cisco ACE relies entirely on the Modular Policy CLI framework.

    After completing this activity, you will be able to meet these objectives:

    Configure static NAT for a host

    Configure static NAT for a subnet

    Roll back the configuration

    Required Resources

    These are the resources and equipment required to complete this activity:

    Cisco Catalyst 6500 with Supervisor Engine 720

    Cisco ACE Module

    Server minimally running Telnet and HTTP


    Task 1: Configure Static NAT for a Host

    In this task, you will configure static destination NAT (DNAT) for a host. The goal is to configure the equivalent of a static (inside,outside) 172.16.PC.222 192.168.1.10 NAT, which can be read as translate inside address 192.168.1.10 to 172.16.PC.222 on the outside.

    Activity Visualization

    The figure illustrates what you will accomplish in this task.

    [Figure: Static Destination NAT. Client 209.165.201.PC; Cisco ACE VLAN 2PC 172.16.PC.12; Cisco ACE VLAN 4PC 192.168.1.1; Server 192.168.1.10. Outside Local 192.168.1.10, Outside Global 172.16.PC.222.]

    Activity Procedure

    Complete these steps:

    Step 1 Connect to your Client PC.

    Step 2 Connect directly to the Cisco ACE management IP address for your Lab 7 context.

    C:\> telnet 172.16.PC.12

    Trying 172.16.PC.12...

    Connected to 172.16.PC.12 (172.16.PC.12).

    Escape character is '^]'.

    User Access Verification

    Username: cisco

    Password: cisco123

    Step 3 Verify that you are in the correct context by looking at the prompt.

    PodP-ACE/Lab-NAT-PC#

    Step 4 Use the checkpoint system to roll back the configuration:

    PodP-ACE/Lab-NAT-PC# checkpoint rollback static-nat-begin


    Note The Cisco ACE Module allows up to 10 configuration rollback checkpoints in each context. To view the currently created checkpoints, use the show checkpoint all command. To view the configuration contained in a checkpoint, use the show checkpoint detail command.

    Step 5 Execute show run to see what is preconfigured for this lab.

    Step 6 The Cisco ACE Module allows users to set a session timeout that can be used to limit the current session or to prevent it from ever timing out. For this lab, disable the session timeout for your current session.

    PodP-ACE/Lab-NAT-PC# terminal session-timeout 0

    Note In configuration mode, login timeout can be used to modify the idle timeout of future sessions.

    Step 7 Create the INBOUND access list to permit traffic from the client to the server's NAT-translated address.

    PodP-ACE/Lab-NAT-PC(config)# access-list INBOUND extended permit tcp host 209.165.201.PC host 172.16.PC.222

    Step 8 Define a class map that matches the source IP you want to translate.

    PodP-ACE/Lab-NAT-PC(config)# class-map LNX-SOURCED
    PodP-ACE/Lab-NAT-PC(config-cmap)# match source-address 192.168.1.10 255.255.255.255
    PodP-ACE/Lab-NAT-PC(config-cmap)# exit

    Step 9 Create a multimatch policy map that specifies NAT as the action. Provide the static IP that will be used for the server, and define which VLAN the server traffic will use after it has been NAT-translated.

    PodP-ACE/Lab-NAT-PC(config)# policy-map multi-match SVR-NAT
    PodP-ACE/Lab-NAT-PC(config-pmap)# class LNX-SOURCED
    PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat ?
      dynamic  Configure dynamic network address translation
      static   Configure static network address translation
    PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat static 172.16.PC.222 netmask 255.255.255.255 vlan 2PC

    Step 10 Apply the multimatch policy and ACL to the server-side (inside) interface.

    PodP-ACE/Lab-NAT-PC(config)# interface vlan 4PC

    PodP-ACE/Lab-NAT-PC(config-if)# service-policy input SVR-NAT

    Step 11 Use the show nat-fabric command to obtain detailed NAT runtime information:

    PodP-ACE/Lab-NAT-PC# sh nat-fabric policies
    Nat objects:
    NAT object ID:2 mapped_if:11 policy_id:1 type:STATIC static_xlate_id:2
    ID:2 Static address translation
    Real addr:192.168.1.10 Real port:0 Real interface:12
    Mapped addr:172.16.PC.222 Mapped port:0 Mapped interface:11


    Netmask:255.255.255.255

    Step 12 Check the traffic statistics of the access list.

    PodP-ACE/Lab-NAT-PC# show access-list INBOUND

    access-list:INBOUND, elements: 1, status: NOT-ACTIVE

    remark :

    access-list INBOUND line 10 extended permit tcp host 209.165.201.PC host 172.16.PC.222

    Step 13 Why is the access list inactive? Was it applied to an interface?

    PodP-ACE/Lab-NAT-PC# conf

    Enter configuration commands, one per line. End with CNTL/Z.

    PodP-ACE/Lab-NAT-PC(config)# int vlan 2PC

    PodP-ACE/Lab-NAT-PC(config-if)# access-group input INBOUND

    PodP-ACE/Lab-NAT-PC(config-if)# exit

    PodP-ACE/Lab-NAT-PC(config)# exit

    PodP-ACE/Lab-NAT-PC# show access-list INBOUND

    access-list:INBOUND, elements: 1, status: ACTIVE

    remark :

    access-list INBOUND line 10 extended permit tcp host 209.165.201.PC host 172.16.PC.222 (hitcount=0)

    Note The hitcount=0 output is always the part to look for when showing an access list. If it is not there, the access list is most likely not applied to a VLAN interface.

    Step 14 If you initiate a long-lived connection (Telnet, for example) from the Client PC to 172.16.PC.222, you will see the xlate entry on the Cisco ACE Module.

    PodP-ACE/Lab-NAT-PC# sh xlate

    NAT from vlan4PC:192.168.1.10 to vlan2PC:172.16.PC.222 count:1

    Step 15 To see the NAT work, establish a Telnet connection from the context to the Linux server. Switch to the user root and start tethereal.

    PodP-ACE/Lab-NAT-PC# telnet 192.168.1.10

    Trying 192.168.1.10...

    Connected to 192.168.1.10.

    Escape character is '^]'.

    linux1 (Linux release 2.6.9-11.ELsmp #1 SMP Fri May 20 18:26:27 EDT 2005) (0)

    login: cisco
    Password for cisco: cisco
    login: Resource temporarily unavailable while getting initial credentials
    Last login: Tue Jun 6 04:25:26 from 192.168.1.1
    [cisco@linux1 ~]$ su -
    Password: cisco123
    [root@linux1 ~]# tethereal -R "tcp.port == 80"


    Step 16 On the client, start an Ethereal sniffer trace on the 209.165.201.PC interface. Then, issue a wget request from the command line to the server's static IP.

    C:\tools\wget-1.10.2b>wget http://172.16.PC.222
    --12:08:30-- http://172.16.PC.222/

    => `index.html.7'

    Connecting to 172.16.PC.222:80... connected.

    HTTP request sent, awaiting response... 200 OK

    Length: 1,219 (1.2K) [text/html]

    100%[====================================>] 1,219 --.--K/s

    12:08:30 (8.67 MB/s) - `index.html.5' saved [1219/1219]

    Step 17 Observe the tethereal output from the Linux server. Notice that the server IP is now 192.168.1.10 rather than 172.16.PC.222.

    449.108905 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [SYN] Seq=0 Ack=0 Win=64270 Len=0 MSS=1460
    449.109199 192.168.1.10 -> 209.165.201.PC TCP http > 2399 [SYN, ACK] Seq=0 Ack=1 Win=5870 Len=0 MSS=1460
    449.110228 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [ACK] Seq=1 Ack=1 Win=64270 Len=0
    449.117018 209.165.201.PC -> 192.168.1.10 HTTP GET / HTTP/1.0
    449.117077 192.168.1.10 -> 209.165.201.PC TCP http > 2399 [ACK] Seq=1 Ack=101 Win=5870 Len=0
    449.137044 192.168.1.10 -> 209.165.201.PC HTTP HTTP/1.1 200 OK
    449.171825 192.168.1.10 -> 209.165.201.PC HTTP Continuation or non-HTTP traffic
    449.143738 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [ACK] Seq=101 Ack=1485 Win=64270 Len=0
    449.149136 192.168.1.10 -> 209.165.201.PC TCP http > 2399 [FIN, ACK] Seq=1485 Ack=101 Win=5870 Len=0
    449.150719 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [ACK] Seq=101 Ack=1486 Win=64270 Len=0
    449.155886 209.165.201.PC -> 192.168.1.10 TCP 2399 > http [FIN, ACK] Seq=101 Ack=1486 Win=64270 Len=0
    449.156071 192.168.1.10 -> 209.165.201.PC TCP http > 2399 [ACK] Seq=1486 Ack=102 Win=5870 Len=0

    Step 18 On the client, analyze the Ethereal trace.


    [Figure: Static NAT Client Output (Ethereal trace captured on the client).]

    Step 19 On the Cisco ACE Module, view the ACL, service policy, and connection counters.

    PodP-ACE/Lab-NAT-PC# show access-list INBOUND

    access-list:INBOUND, elements: 1, status: ACTIVE

    remark :

    access-list INBOUND line 10 extended permit tcp host 209.165.201.PC host 172.16.PC.222 (hitcount=1)

    PodP-ACE/Lab-NAT-PC# show service-policy SVR-NAT

    Status : ACTIVE

    -----------------------------------------

    Interface: vlan 4PC

    service-policy: SVR-NAT

    class: LNX-SOURCE

    nat:

    nat static 172.16.PC.222 vlan 3PC

    curr conns : 1 , hit count : 1

    dropped conns : 0

    client pkt count : 7 , client byte count: 396

    server pkt count : 6 , server byte count: 1728

    PodP-ACE/Lab-NAT-PC# show stats connection

    +------------------------------------------+

    +------- Connection statistics ------------+

    +------------------------------------------+

    Total Connections Created : 2


    Total Connections Current : 2

    Total Connections Destroyed: 0

    Total Connections Timed-out: 0

    Total Connections Failed : 0

    Step 20 Verify that server source NAT works as expected, which means that connections sourced from the server 192.168.1.10 will be translated to 172.16.PC.222 as they traverse the Cisco ACE Module.

    PodP-ACE/Lab-NAT-PC(config)# access-list SVR-INIT extended permit tcp host 192.168.1.10 any
    PodP-ACE/Lab-NAT-PC(config)# int vlan 4PC
    PodP-ACE/Lab-NAT-PC(config-if)# access-group input SVR-INIT

    Step 21 Initiate a Telnet session from the Linux server to the client, then capture a sniffer trace using Ethereal on the Client PC to verify the server's source IP address. Next, capture a trace on the client to verify that the server source address is translated to 172.16.PC.222.

    Note The Telnet session will fail because the client is not accepting Telnet connections.

    [root@linux1 ~]# tethereal -R "ip.addr == 209.165.201.0/24" &

    [1] 10580

    Capturing on eth0

    [root@linux1 ~]# telnet 209.165.201.PC

    Trying 209.165.201.PC...

    34.711920 192.168.1.10 -> 209.165.201.PC TCP 34564 > telnet [SYN] Seq=0 Ack=0 Win=5870 Len=0 MSS=1460 TSV=822460873 TSER=0 WS=2
    34.716002 209.165.201.PC -> 192.168.1.10 TCP telnet > 34564 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
    telnet: connect to address 209.165.201.PC: Connection refused
    telnet: Unable to connect to remote host: Connection

    Ethereal trace captured on the Client PC:

    No.  Source           Destination      Proto  Info
    28   172.16.PC.222    209.165.201.PC   TCP    34563 > telnet [SYN] Seq=0 Ack=0 Win=5870 Len=0 MSS=1460
    31   209.165.201.PC   172.16.PC.222    TCP    telnet > 34563 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

    PodP-ACE/Lab-NAT-PC# show service-policy SVR-NAT

    Status : ACTIVE

    -----------------------------------------

    Interface: vlan 4PC

    service-policy: SVR-NAT

    class: LNX-SOURCED

    nat:

    nat static 172.16.PC.222 vlan 2PC

    curr conns : 6 , hit count : 2

    dropped conns : 0

    client pkt count : 9 , client byte count: 516

    server pkt count : 7 , server byte count: 1768
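The note after Step 13 gives the check to apply to every show access-list output in this task: status ACTIVE and a hitcount on each line, otherwise the ACL is not bound to a VLAN interface and the NAT policy is being tested without it. The parser below is an added example, not code from the lab guide; the sample outputs are constructed for pod PC=11 from the Step 12 and Step 13 displays.

```python
import re
from typing import Dict, List, Optional

# Constructed samples modelled on 'show access-list INBOUND' before and after
# the access-group is applied in Step 13 (pod PC=11).
BEFORE_APPLY = """access-list:INBOUND, elements: 1, status: NOT-ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host 209.165.201.11 host 172.16.11.222
"""
AFTER_APPLY = """access-list:INBOUND, elements: 1, status: ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host 209.165.201.11 host 172.16.11.222 (hitcount=0)
"""

HEADER_RE = re.compile(
    r"^access-list:(?P<name>\S+), elements: (?P<elements>\d+), status: (?P<status>\S+)$")
ENTRY_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<rule>.+?)"
    r"(?: \(hitcount=(?P<hits>\d+)\))?$")


def parse_show_access_list(text: str) -> Dict:
    """Turns one 'show access-list NAME' block into a dict of header fields
    plus one entry per ACL line, with hitcount None when the ACE printed none."""
    result: Dict = {"name": None, "status": None, "elements": 0, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            result["name"] = header["name"]
            result["status"] = header["status"]
            result["elements"] = int(header["elements"])
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            hits: Optional[int] = int(entry["hits"]) if entry["hits"] is not None else None
            result["entries"].append(
                {"line": int(entry["line"]), "rule": entry["rule"], "hitcount": hits})
    return result


def audit_access_list(parsed: Dict) -> List[str]:
    """Findings a reviewer would raise from the parsed output: an inactive ACL,
    a line with no hitcount (not applied to a VLAN interface), or an element
    count that does not match the lines shown."""
    findings: List[str] = []
    name = parsed["name"]
    if parsed["status"] != "ACTIVE":
        findings.append(f"{name}: status {parsed['status']}, not applied to any interface")
    for entry in parsed["entries"]:
        if entry["hitcount"] is None:
            findings.append(
                f"{name} line {entry['line']}: no hitcount, ACL is not applied to a VLAN interface")
    if parsed["elements"] != len(parsed["entries"]):
        findings.append(
            f"{name}: header reports {parsed['elements']} elements, {len(parsed['entries'])} lines parsed")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_APPLY), ("after", AFTER_APPLY)):
        print(label, audit_access_list(parse_show_access_list(sample)) or "ok")
```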


    Task 2: Configure Static NAT for a Subnet

    In this task, you will configure the equivalent of a static destination NAT (DNAT) for the entire server network. This task shows that NAT can be applied based on ACL matches and can encompass an entire network address space.

    Activity Visualization

    The figure illustrates what you will accomplish in this task.

    [Figure: Static Destination NAT for a Subnet. Client 209.165.201.PC; Cisco ACE VLAN 2PC 172.16.PC.12; Cisco ACE VLAN 4PC 192.168.1.1; Servers 192.168.1.10 through 192.168.1.15. Outside Local 192.168.1.0/24, Outside Global 10.1.PC.0/24.]

    Activity Procedure

    Complete these steps:

    Step 1 Create an access list named SVR-VLAN-INIT to classify traffic initiated by a device on the server VLAN.

    PodP-ACE/Lab-NAT-PC(config)# access-list SVR-VLAN-INIT extended permit tcp 192.168.1.0 255.255.255.0 any

    Step 2 Define a class map named SERVER-VLAN-SOURCED that matches on the ACL defined to classify server-initiated traffic.

    PodP-ACE/Lab-NAT-PC(config)# class-map match-all SERVER-VLAN-SOURCED
    PodP-ACE/Lab-NAT-PC(config-cmap)# match access-list SVR-VLAN-INIT
    PodP-ACE/Lab-NAT-PC(config-cmap)# exit

    Step 3 Edit the multimatch policy map that specifies NAT as the action and remove the previous class match.

    PodP-ACE/Lab-NAT-PC(config)# policy-map multi-match SVR-NAT
    PodP-ACE/Lab-NAT-PC(config-pmap)# no class LNX-SOURCED

    Step 4 Provide the static IP subnet that will be used for the server traffic, and define which VLAN the server traffic will use after it has been translated.

    PodP-ACE/Lab-NAT-PC(config-pmap)# class SERVER-VLAN-SOURCED


    PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat static 172.16.PC.0 netmask 255.255.255.0 vlan 2PC
    Error: Specified ip address duplicates with an existing ip address configured in the context!

    Note IP addresses that overlap existing interface VLAN spaces are not allowed. This prevents the possibility of introducing duplicate IPs.

    PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat static 172.16.PC.128 netmask 255.255.255.128 vlan 2PC
    Error: NAT static mapped ip netmask has to match with real ip netmask!

    Note When matching a subnet, the static NAT range must have the same number of available IP addresses as the ACL classifies.

    PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat static 10.1.PC.0 netmask 255.255.255.0 vlan 2PC

    Step 5 Ensure that NAT is applied in both directions by modifying the existing ACL and applying it to the server-side (inside) interface. Without an ACL, clients cannot initiate connections to the servers.

    PodP-ACE/Lab-NAT-PC(config)# no access-list INBOUND
    PodP-ACE/Lab-NAT-PC(config)# access-list INBOUND extended permit tcp host 209.165.201.PC any
    PodP-ACE/Lab-NAT-PC(config)# interface vlan 2PC
    PodP-ACE/Lab-NAT-PC(config-if)# access-group input INBOUND

    Step 6 Define a static route on the client to allow the client to reach the translated subnet 10.1.PC.0/24.

    C:\tools\wget-1.10.2b> route add 10.1.PC.0 mask 255.255.255.0 209.165.201.PC

    Step 7 Verify that your static subnet NAT is working. Telnet to the servers (10.1.PC.10 - 10.1.PC.15) from your Client PC; try several servers. While you are logged into at least one server session, execute a show conn and a show xlate to see the destination NAT.

    Pod1-ACE/Lab-NAT-11# show conn
    total current connections : 4
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    12         2  in  TCP   211  209.165.201.PC:1039   172.16.PC.12:23       ESTAB
    6          2  out TCP   211  172.16.PC.12:23       209.165.201.PC:1039   ESTAB
    10         2  in  TCP   211  209.165.201.PC:1250   10.1.11.PC:23         ESTAB
    9          2  out TCP   411  192.168.1.PC:23       209.165.201.PC:1250   ESTAB

    Pod1-ACE/Lab-NAT-11# show xlate
    NAT from vlan411:192.168.1.15 to vlan211:10.1.11.15 count:1

    Step 8 Keeping your client-initiated Telnet connection open, examine the Cisco ACE counters.

    PodP-ACE/Lab-NAT-PC(config-if)# do sho service-policy SVR-NAT
    Status : ACTIVE


    -----------------------------------------

    Interface: vlan 4PC

    service-policy: SVR-NAT

    class: SERVER-VLAN-SOURCED

    nat:

    nat static 10.1.PC.0 vlan 2PC

    curr conns : 2 , hit count : 2

    dropped conns : 0

    client pkt count : 18 , client byte count:871

    server pkt count : 19 , server byte count:956

    PodP-ACE/Lab-NAT-PC(config-if)# do sho access-list INBOUND

    access-list:INBOUND, elements: 1, status: ACTIVE

    remark :

    access-list INBOUND line 10 extended permit tcp host 209.165.201.PC any (hitcount=1)
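The two errors in Step 4 and the one-to-one mapping that show xlate reports in Step 7 can be checked before typing the nat static command. The checker below is an added example, not Cisco's or the lab guide's code: the two rules are inferred only from the two error messages shown above (their evaluation order on the ACE is an assumption), and the interface addresses are constructed for pod PC=11 from the Lab 2 answer key.

```python
import ipaddress
from typing import Dict, Optional

# Constructed: the context's VLAN interface addresses for pod PC=11, as in the
# Lab 2 answer key (vlan 2PC, 3PC and 4PC).
INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "vlan 211": ipaddress.ip_interface("172.16.11.12/24"),
    "vlan 311": ipaddress.ip_interface("10.10.10.1/24"),
    "vlan 411": ipaddress.ip_interface("192.168.1.1/24"),
}

DUPLICATE_MSG = ("Error: Specified ip address duplicates with an existing ip "
                 "address configured in the context!")
NETMASK_MSG = "Error: NAT static mapped ip netmask has to match with real ip netmask!"


def check_static_nat(real: str, real_mask: str, mapped: str, mapped_mask: str,
                     interfaces: Optional[Dict[str, ipaddress.IPv4Interface]] = None) -> str:
    """Applies the two checks seen in Task 2, Step 4 to a proposed
    'nat static MAPPED netmask MASK' for a class matching REAL/REAL_MASK.
    Returns "ok" or the error text the guide shows."""
    interfaces = INTERFACES if interfaces is None else interfaces
    real_net = ipaddress.ip_network(f"{real}/{real_mask}", strict=False)
    mapped_net = ipaddress.ip_network(f"{mapped}/{mapped_mask}", strict=False)
    # Rule 1 (first note): the mapped range may not swallow an address that is
    # already configured on one of the context's VLAN interfaces.
    for iface in interfaces.values():
        if iface.ip in mapped_net:
            return DUPLICATE_MSG
    # Rule 2 (second note): the mapped mask must equal the real mask, so every
    # classified real host gets exactly one mapped address.
    if mapped_net.prefixlen != real_net.prefixlen:
        return NETMASK_MSG
    return "ok"


def static_translate(real: str, real_mask: str, mapped: str, host: str) -> str:
    """One-to-one subnet translation as 'show xlate' reports it: a host keeps
    its offset inside the network (192.168.1.15 -> 10.1.11.15)."""
    real_net = ipaddress.ip_network(f"{real}/{real_mask}", strict=False)
    mapped_net = ipaddress.ip_network(f"{mapped}/{real_mask}", strict=False)
    offset = int(ipaddress.ip_address(host)) - int(real_net.network_address)
    if not 0 <= offset < real_net.num_addresses:
        raise ValueError(f"{host} is not inside {real_net}")
    return str(mapped_net.network_address + offset)


if __name__ == "__main__":
    # The three attempts from Step 4, in order.
    for mapped, mask in (("172.16.11.0", "255.255.255.0"),
                         ("172.16.11.128", "255.255.255.128"),
                         ("10.1.11.0", "255.255.255.0")):
        print(mapped, mask, "->",
              check_static_nat("192.168.1.0", "255.255.255.0", mapped, mask))
    print(static_translate("192.168.1.0", "255.255.255.0", "10.1.11.0", "192.168.1.15"))
```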

    Task 3: Apply the Baseline Configuration

    The Cisco ACE Module ensures that no duplicate IPs exist across contexts per VLAN. Due to the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the server, so that the VLAN interface can be reused in the remaining labs.

    Note If you want to compare your completed configuration with the one in the Answer Key provided at the end of this lab, be sure to do so before you complete this task.

    Activity Procedure

    Use the checkpoint feature to roll back to baseline-mgmt.

    PodP-ACE/Lab-NAT-PC# checkpoint rollback baseline-mgmt
    This operation will rollback the system's running configuration to the checkpoint's configuration.
    Do you wish to proceed? (y/n) [n] y
    Rollback in progress, please wait...
    Generating configuration....
    Rollback succeeded

    Activity Verification

    You have completed this task when you have removed the server VLAN from the context.


    Lab 2 Task 2 Answer Key

    Changes from the previous task are bolded.

    access-list INBOUND line 8 extended permit tcp host 209.165.201.PC any
    access-list SVR-INIT line 8 extended permit tcp host 192.168.1.10 any
    access-list SVR-VLAN-INIT line 8 extended permit tcp 192.168.1.0 255.255.255.0 any

    class-map match-all LNX-SOURCED
      2 match source-address 192.168.1.10 255.255.255.255
    class-map match-all SERVER-VLAN-SOURCED
      2 match access-list SVR-VLAN-INIT
    class-map type management match-any remote-access
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any

    policy-map type management first-match remote-mgmt
      class remote-access
        permit

    policy-map multi-match SVR-NAT
      class SERVER-VLAN-SOURCED
        nat static 10.1.PC.0 netmask 255.255.255.0 vlan 2PC

    interface vlan 2PC
      ip address 172.16.PC.12 255.255.255.0
      access-group input INBOUND
      service-policy input remote-mgmt
      no shutdown
    interface vlan 3PC
      ip address 10.10.10.1 255.255.255.0
    interface vlan 4PC
      ip address 192.168.1.1 255.255.255.0
      access-group input SVR-INIT
      service-policy input SVR-NAT
      no shutdown

    ip route 0.0.0.0 0.0.0.0 172.16.PC.1

    username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/ role Admin domain default-domain


    Lab 3: Configuring Server Load Balancing

    Complete this lab activity to practice what you learned in the related lesson.

    Activity Objective

    In this exercise, you will configure your ACE context to match traffic destined for the VIP and load-balance these flows to the real servers (rservers) on a private network behind your ACE context. To accomplish this, you will apply class maps to classify client traffic destined to a VIP address. The Cisco ACE Module will load-balance that traffic to a server farm and one of the rservers will be selected to respond to the client request. To allow client traffic into the ACE context, you must configure an access list.

    After you complete this lab, you will be able to meet the following objectives:

    Define real server containers and server farms containers

    Configure class and policy maps to provide load balancing

    Observe the Cisco ACE Module load-balancing client traffic

    Configure Dynamic Source NAT to VIP

    Roll back the configuration

    Visual Objective

    The figure illustrates what you will accomplish in this activity.

    [Figure: Configuring Server Load Balancing. Elements: Client, MSFC, Cisco ACE, Catalyst 6500, Servers (Real Server 1 and Real Server 2 in a Server Farm); Traffic Class Map: match VIP connections; Load-Balancing Policy Map with a Default Class; Multimatch Policy Map; Interface Service Policy: apply to any interface; only allow traffic destined to a VIP.]


    Required Resources

    These are the resources and equipment that are required to complete this activity:

    Cisco Catalyst 6500 with Supervisor Engine 720 and ACE Module

    Client PC with a Telnet client and web browsers

    Server minimally running Telnet and HTTP

    Task 1: Configure Real Servers

    In this task, you will connect to a context (specified by the IP address in step 2) and create a configuration for the real servers within the pod. The Cisco ACE Module has administrative connectivity enabled for the client.

    Activity Procedure

    Complete these steps:

    Step 1 Connect to your Client PC.

    Step 2 Connect directly to the Cisco ACE management IP address for your Lab 3 context.

    C:\> telnet 172.16.PC.5

    Trying 172.16.PC.5...

    Connected to 172.16.PC.5 (172.16.PC.5).

    Escape character is '^]'.

    User Access Verification

    Username: cisco

    Password: cisco123

    Step 3 Verify that you are in the correct context by looking at the prompt.

    PodP-ACE/Lab-SLB-PC#

    Step 4 Use the checkpoint system to roll back the configuration:

    PodP-ACE/Lab-SLB-PC# checkpoint rollback baseline-mgmt

    Step 5 Execute show run to see what is preconfigured for this lab.

    Step 6 The first step in setting up a load-balancing configuration in an ACE context is to create real server instances, known as rservers. Use this naming convention: DC5-LNX

    PodP-ACE/Lab-SLB-PC# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    PodP-ACE/Lab-SLB-PC(config)# rserver DC5-LNX1

    Note There are two types of rservers: host and redirect. The default is host; you do not have to specify the host type in the CLI when you create rservers. The redirect type allows the Cisco ACE Module to redirect web clients to a different site. In this lab, you will use the host type only.


    Step 7 In the rserver object, assign the IP address of the real server and inservice the object. Use the IP address of 192.168.1.11 for the first real web server.

    PodP-ACE/Lab-SLB-PC(config-rserver-host)# ip address 192.168.1.11
    PodP-ACE/Lab-SLB-PC(config-rserver-host)# inservice
    PodP-ACE/Lab-SLB-PC(config-rserver-host)# exit

    Step 8 Create another rserver using the IP address of the second real web server 192.168.1.12 with the name DC5-LNX2.

    PodP-ACE/Lab-SLB-PC(config)# rserver DC5-LNX2
    PodP-ACE/Lab-SLB-PC(config-rserver-host)# ip address 192.168.1.12
    PodP-ACE/Lab-SLB-PC(config-rserver-host)# inservice
    PodP-ACE/Lab-SLB-PC(config-rserver-host)# exit

    Step 9 Show the rservers you have just created by using the show run and show rserver commands.

    PodP-ACE/Lab-SLB-PC(config)# do show run rserver
    rserver host DC5-LNX1
      ip address 192.168.1.11
      inservice
    rserver host DC5-LNX2
      ip address 192.168.1.12
      inservice

    PodP-ACE/Lab-SLB-PC(config)# do show rserver DC5-LNX1
    rserver : DC5-LNX1, type: HOST
    state : INACTIVE
    ---------------------------------
                                                          ----------connections-----------
    real                  weight state        current    total
    ---+---------------------+------+------------+----------+--------------------

    Step 10 After the rservers have been created, they must be added to a server farm for use in load balancing. Currently, the only server farm type is host.

    PodP-ACE/Lab-SLB-PC(config)# serverfarm SERVERS1

    Step 11 Add the recently created rservers to the server farm.

    PodP-ACE/Lab-SLB-PC(config-sfarm-host)# rserver DC5-LNX1
    PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# inservice
    PodP-ACE/Lab-SLB-PC(config-sfarm-host)# rserver DC5-LNX2

    Step 12 Notice that the output from the show rserver command has changed after the rservers were added to the server farm.

    PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# do show rserver DC5-LNX1
    rserver : DC5-LNX1, type: HOST


    state : OPERATIONAL
    ---------------------------------
                                                          ----------connections-----------
    real                  weight state        current    total
    ---+---------------------+------+------------+----------+--------------------
    serverfarm: SERVERS1
    192.168.1.11:0        8      OPERATIONAL  0          0

    PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# do show rserver DC5-LNX2
    rserver : DC5-LNX2, type: HOST
    state : OPERATIONAL
    ---------------------------------
                                                          ----------connections-----------
    real                  weight state        current    total
    ---+---------------------+------+------------+----------+--------------------
    serverfarm: SERVERS1
    192.168.1.12:0        8      OUTOFSERVICE 0          0

    Note Be sure to inservice the rservers within the server farm. Failure to do so will cause the Cisco ACE Module to consider these rservers out of service, and the server farm will not be capable of receiving or responding to client requests.

    PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# inservice
    PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# do show serverfarm SERVERS1
    serverfarm : SERVERS1, type: HOST
    total rservers : 2
    ---------------------------------
                                                          ----------connections-----------
    real                  weight state        current    total
    ---+---------------------+------+------------+----------+--------------------
    rserver: DC5-LNX1
    192.168.1.11:0        8      OPERATIONAL  0          0
    rserver: DC5-LNX2
    192.168.1.12:0        8      OPERATIONAL  0          0

    What is odd about these rservers being in the OPERATIONAL state?

    Can you ping them? Why or why not?

    Execute a do show arp. Are the rservers up?


    Step 13 Add the other three web servers to the server farm before going on to the next step, and ensure that all five web servers are in the OPERATIONAL state. The three additional web servers are as follows; put them into the server farm SERVERS1:

    DC5-LNX3  192.168.1.13
    DC5-LNX4  192.168.1.14
    DC5-LNX5  192.168.1.15

    Step 14 Add a new interface to allow the Cisco ACE Module to communicate with the real

    servers. Use IP address 192.168.1.1/24 for VLAN 4PC.

    PodP-ACE/Lab-SLB-PC(config)# interface vlan 4PC

    PodP-ACE/Lab-SLB-PC(config-if)# ip address 192.168.1.1255.255.255.0

    PodP-ACE/Lab-SLB-PC(config-if)# description Servers vlan

    PodP-ACE/Lab-SLB-PC(config-if)# no shut

    PodP-ACE/Lab-SLB-PC(config-if)# exit

    PodP-ACE/Lab-SLB-PC(config)# exit

    Note VLAN 4PC is already configured in the Catalyst 6500 and the Admin context to be available

    to this context.

    Catalyst 6500 Config:

    svclc multiple-vlan-interfaces

    svclc module 1 vlan-group 1,2

    svclc vlan-group 1 2P1-2P8

    svclc vlan-group 2 4P1-4P8

    Ace-Module/Admin:

    context Lab-SLB-PC

    allocate-interface vlan 2PC

    allocate-interface vlan 4PC

    Step 15 Use the show arp command to observe how the Cisco ACE Module populates its

    ARP table.

    PodP-ACE/Lab-SLB-PC# show arp

    Context Lab-SLB-21

    ================================================================================

    IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status

    ================================================================================

    172.16.PC.1 00.d0.04.ec.0c.00 vlan2PC GATEWAY 71 61 sec up

    172.16.PC.31 00.12.43.dc.83.05 vlan2PC INTERFACE LOCAL _ up

    192.168.1.1 00.05.9a.3b.9a.c1 vlan4PC INTERFACE LOCAL _ up

    192.168.1.11 00.50.56.29.01.01 vlan4PC RSERVER 78 297 sec up

    192.168.1.12 00.50.56.29.01.01 vlan4PC RSERVER 77 297 sec up

    192.168.1.13 00.50.56.29.01.01 vlan4PC RSERVER 81 297 sec up

    192.168.1.14 00.50.56.29.01.01 vlan4PC RSERVER 80 297 sec up

    192.168.1.15 00.50.56.29.01.01 vlan4PC RSERVER 79 297 sec up

    ================================================================================

    Total arp entries 8


    Activity Verification

    You have completed this task when you have:

    Verified that the rservers are in the OPERATIONAL state.

    Verified that the rservers are in the OPERATIONAL state within the server farm.

    Confirmed that ARP entries exist for each of the rservers.
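The three verification points above can be cross-checked in one pass. The script below is an added example, not part of the lab guide: it parses constructed samples of the "show serverfarm" and "show arp" outputs (pod values filled in as vlan201/vlan401, one rserver left OUTOFSERVICE and one ARP entry deliberately missing) and reports what a practitioner would want flagged, including the point the lab asks about, that OPERATIONAL alone says nothing about reachability.

```python
import re
from collections import defaultdict

# Constructed "show serverfarm SERVERS1" output in the lab's layout (pod values
# filled in). DC5-LNX4 was never placed inservice inside the server farm.
SHOW_SERVERFARM = """\
serverfarm     : SERVERS1, type: HOST
total rservers : 4
   rserver: DC5-LNX1
       192.168.1.11:0        8      OPERATIONAL  0          0
   rserver: DC5-LNX2
       192.168.1.12:0        8      OPERATIONAL  0          0
   rserver: DC5-LNX3
       192.168.1.13:0        8      OPERATIONAL  0          0
   rserver: DC5-LNX4
       192.168.1.14:0        8      OUTOFSERVICE 0          0
"""
# Constructed "show arp" output for the same context; 192.168.1.13 is
# deliberately absent, as it would be if that host were down.
SHOW_ARP = """\
IP ADDRESS      MAC-ADDRESS        Interface  Type       Encap  NextArp(s)  Status
192.168.1.1     00.05.9a.3b.9a.c1  vlan401    INTERFACE  LOCAL  _           up
192.168.1.11    00.50.56.29.01.01  vlan401    RSERVER    78     297 sec     up
192.168.1.12    00.50.56.29.01.01  vlan401    RSERVER    77     297 sec     up
192.168.1.14    00.50.56.29.01.01  vlan401    RSERVER    80     297 sec     up
"""
RSERVER_NAME = re.compile(r"^\s*rserver:\s+(\S+)")
RSERVER_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+):\d+\s+\d+\s+(\S+)")
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

def parse_serverfarm(text):
    """Return {rserver_name: (ip, state)}; name and row sit on consecutive lines."""
    result, name = {}, None
    for line in text.splitlines():
        m = RSERVER_NAME.match(line)
        if m:
            name = m.group(1)
            continue
        m = RSERVER_ROW.match(line)
        if m and name:
            result[name] = (m.group(1), m.group(2))
            name = None
    return result

def parse_arp(text):
    """Return {ip: (mac, type, status)}; header and rule lines are skipped."""
    arp = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and IPV4.fullmatch(f[0]):
            arp[f[0]] = (f[1], f[3], f[-1])
    return arp

def audit_rservers(serverfarm_text, arp_text):
    """Cross-check SLB state against the ARP table. With no probe configured an
    rserver reads OPERATIONAL even when ACE cannot reach it, so an ARP entry on
    the server VLAN is the minimum evidence of reachability. Sorted findings."""
    findings = []
    arp = parse_arp(arp_text)
    for name, (ip, state) in parse_serverfarm(serverfarm_text).items():
        if state != "OPERATIONAL":
            findings.append((name, f"state {state}: missing inservice in the serverfarm?"))
        if ip not in arp:
            findings.append((name, f"no ARP entry for {ip}: server VLAN or host down"))
    # Informational: rservers resolving to one MAC sit behind a single host or
    # next hop, which makes that device a shared failure domain for the farm.
    by_mac = defaultdict(list)
    for ip, (mac, typ, _) in arp.items():
        if typ == "RSERVER":
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("*", f"{len(ips)} rservers share MAC {mac}"))
    return sorted(findings)
```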

    Task 2: Configuring Load-Balancing Class Maps and Policy Maps

    The Cisco ACE Module uses a Modular Policy CLI to classify incoming traffic with class maps, which are then used in policy maps to force an action based on the class map match. The simplest of these types of matches is load balancing based on a client's attempt to reach a virtual IP address. This type of match is considered Layer 3 because it matches only the destination IP and then makes a load-balancing decision.

    Activity Procedure

    Complete these steps:

    Step 1 Start by creating a class map to distinguish traffic destined for a virtual IP (VIP)

    from traffic destined elsewhere. Use the IP address 172.16.PC.50.

    PodP-ACE/Lab-SLB-PC(config)# class-map VIP-50

    PodP-ACE/Lab-SLB-PC(config-cmap)# match virtual-address 172.16.PC.50 any

    Step 2 A policy map of type loadbalance is required. The Cisco ACE Module will attempt to match a defined class map at Layer 5 to 7 in the order of occurrence, as indicated by the keyword first-match. The class-default map will handle non-matching client requests. The significance of the class map order will be apparent in a later lab. For this task, simply create a load-balancing policy map named LB-LOGIC and use the class-default map.

    PodP-ACE/Lab-SLB-PC(config)# policy-map type loadbalance first-match LB-LOGIC

    PodP-ACE/Lab-SLB-PC(config-pmap-lb)# class class-default

    PodP-ACE/Lab-SLB-PC(config-pmap-lb-c)# serverfarm SERVERS1

    Step 3 Use the show run policy-map command to view the configuration additions.

    PodP-ACE/Lab-SLB-PC(config-pmap-lb-c)# do show run policy-map

    policy-map type management first-match remote-mgmt

    class remote-access

    permit

    policy-map type loadbalance first-match LB-LOGIC
      class class-default

    serverfarm SERVERS1

    Step 4 Add another policy map called CLIENT-VIPS, but this time set the type to be multi-match. This policy simply ties classified incoming requests (at Layer 3 or Layer 4)

    to a load-balancing policy map. Create a multimatch policy and apply the class map

    to define the VIP address.

    PodP-ACE/Lab-SLB-PC(config)# policy-map multi-match CLIENT-VIPS


    PodP-ACE/Lab-SLB-PC(config-pmap)# class VIP-50

    PodP-ACE/Lab-SLB-PC(config-pmap-c)# loadbalance policy LB-LOGIC

    PodP-ACE/Lab-SLB-PC(config-pmap-c)# loadbalance vip inservice

    Step 5 View the running configuration to observe the new policy map.

    PodP-ACE/Lab-SLB-PC(config-pmap-c)# do show run policy-map

    Generating configuration....

    policy-map type management first-match remote-mgmt
      class remote-access

    permit

    policy-map type loadbalance first-match LB-LOGIC

    class class-default

    serverfarm SERVERS1

    policy-map multi-match CLIENT-VIPS

    class VIP-50

    loadbalance vip inservice

    loadbalance policy LB-LOGIC

    Step 6 Apply the multimatch policy map to the client-facing interface.

    PodP-ACE/Lab-SLB-PC(config)# interface vlan 2PC

    PodP-ACE/Lab-SLB-PC(config-if)# service-policy input CLIENT-VIPS

    Step 7 Verify that the VIP is applied and in service (meaning the Cisco ACE Module will

    respond to traffic destined to the VIP address). Use the show service-policy

    command with and without the detail parameter to view the additional information

    the Cisco ACE Module provides.

    PodP-ACE/Lab-SLB-PC(config-if)# do sho service-policy CLIENT-VIPS

    Status : ACTIVE
    -----------------------------------------

    Interface: vlan 2PC

    service-policy: client-vips

    class: VIP-50

    loadbalance:

    L7 loadbalance policy: lb-logic

    VIP Route Metric : 77

    VIP Route Advertise : DISABLED

    VIP ICMP Reply : DISABLED

    VIP State: INSERVICE

    curr conns : 0 , hit count : 0
    dropped conns : 0

    client pkt count : 0 , client byte count: 0

    server pkt count : 0 , server byte count: 0

    PodP-ACE/Lab-SLB-PC(config-if)# do sho service-policy CLIENT-VIPS detail

    Status : ACTIVE


    Description: -

    -----------------------------------------

    Interface: vlan 2PC

    service-policy: CLIENT-VIPS

    class: VIP-50

    loadbalance:

    L7 loadbalance policy: LB-LOGIC

    VIP Route Metric : 77

    VIP Route Advertise : DISABLED

    VIP ICMP Reply : DISABLED

    VIP State: INSERVICE

    curr conns : 0 , hit count : 0

    dropped conns : 0

    client pkt count : 0 , client byte count: 0

    server pkt count : 0 , server byte count: 0

    L7 Loadbalance policy : lb-logic

    class/match : class-default

    LB action :

    serverfarm: SERVERS1

    hit count : 0

    dropped conns : 0

    Step 8 Create a new access list from the global configuration.

    PodP-ACE/Lab-SLB-PC(config)# access-list anyone extended permit tcp any any

    Step 9 Apply the access list to the client-facing interface.

    PodP-ACE/Lab-SLB-PC(config)# interface vlan 2PC

    PodP-ACE/Lab-SLB-PC(config-if)# access-group input anyone

    PodP-ACE/Lab-SLB-PC(config-if)# do sho access-list anyone

    access-list:anyone, elements: 1, status: ACTIVE

    remark :

    access-list anyone line 10 extended permit tcp any any (hitcount=0)

    Activity Verification

    You have completed this task when you have:

    Verified that the service policy is in the ACTIVE state.

    Verified that the access list is in the ACTIVE state.


    Task 3: Test the New VIP Load-Balancing Configuration

    In this task, you will create a baseline configuration for all other labs.

    Activity Procedure

    Complete these steps:

    Step 1 Use a browser on the Client PC to verify that the Cisco ACE Module is load-balancing traffic to the server farm using the URL http://172.16.PC.50.

    Note The color of an image indicates which server supplied the image.

    Step 2 Notice that the service policy counters increment as connections are handled.

    PodP-ACE/Lab-SLB-PC(config-if)# do sho service-policy CLIENT-VIPS

    Status : ACTIVE

    -----------------------------------------

    Interface: vlan 2PC

    service-policy: CLIENT-VIPS
    class: VIP-50

    loadbalance:

    L7 policy: LB-LOGIC

    VIP Route Metric : 77

    VIP Route Advertise : DISABLED

    VIP ICMP Reply : DISABLED

    VIP State: INSERVICE

    curr conns : 0 , hit count : 10

    dropped conns : 0

    client pkt count : 71 , client byte count: 5520

    server pkt count : 90 , server byte count: 64712

    Step 3 Show the ACL to see the number of incoming requests.

    PodP-ACE/Lab-SLB-PC(config-if)# do sho access-list anyone

    access-list:anyone, elements: 1, status: ACTIVE

    remark :

    access-list anyone line 10 extended permit tcp any any (hitcount=10)

    Activity Verification

    You have completed this task when you have:

    Verified that the Cisco ACE Module load-balanced an HTTP request to the VIP.
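The counters shown in Task 2 (Step 7) and Task 3 (Steps 2 and 3) lend themselves to a before/after consistency check. The following is an added example and not part of the lab guide; it works on constructed snapshots of "show service-policy" and "show access-list" in the lab's layout (pod 1 values) and assumes, as the lab's matching values of 10 suggest, that the ACL hitcount and the VIP hit count both count TCP connections.

```python
import re

# Constructed 'show service-policy CLIENT-VIPS' snapshot in the lab's layout,
# taken before the browser test (Task 2, Step 7); pod values filled in.
SP_BEFORE = """\
Status : ACTIVE
-----------------------------------------
Interface: vlan 201
  service-policy: CLIENT-VIPS
    class: VIP-50
      loadbalance:
        L7 loadbalance policy: LB-LOGIC
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
"""
# The same snapshot after ten requests, as in Task 3, Step 2.
SP_AFTER = re.sub(r"hit count(\s*):\s*0", r"hit count\1: 10", SP_BEFORE)
# Constructed 'show access-list anyone' lines; here the ACL permitted one more
# TCP connection than the VIP class map ever saw.
ACL_BEFORE = "access-list anyone line 10 extended permit tcp any any (hitcount=0)"
ACL_AFTER = "access-list anyone line 10 extended permit tcp any any (hitcount=11)"

FIELD = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*([A-Za-z0-9.\-]+)")

def parse_service_policy(text):
    """Flatten the dump into {field: value}; one line may hold two
    'name : value' pairs separated by a comma."""
    fields = {}
    for line in text.splitlines():
        for part in line.split(","):
            m = FIELD.search(part)
            if m:
                fields[m.group(1).strip().lower()] = m.group(2)
    return fields

def acl_hitcount(text):
    """Sum the (hitcount=N) counters of every entry in a 'show access-list' dump."""
    return sum(int(n) for n in re.findall(r"\(hitcount=(\d+)\)", text))

def verify_vip(sp_before, sp_after, acl_before, acl_after):
    """Compare snapshots taken around a client test; returns a list of findings."""
    b, a = parse_service_policy(sp_before), parse_service_policy(sp_after)
    findings = []
    if a.get("status") != "ACTIVE":
        findings.append("service policy is not ACTIVE")
    if a.get("vip state") != "INSERVICE":
        findings.append("VIP is not INSERVICE")
    vip_hits = int(a["hit count"]) - int(b["hit count"])
    acl_hits = acl_hitcount(acl_after) - acl_hitcount(acl_before)
    if int(a["dropped conns"]) > int(b["dropped conns"]):
        findings.append("VIP dropped connections during the test")
    if vip_hits == 0:
        findings.append("VIP hit count did not move: requests are not matching VIP-50")
    if acl_hits > vip_hits:
        # TCP permitted on the client VLAN that never matched the VIP class map,
        # e.g. sent to an address other than the VIP
        findings.append(f"{acl_hits - vip_hits} ACL-permitted TCP connection(s) did not match VIP-50")
    return findings
```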


    Task 4: Configure Dynamic NAT

    The goal of this exercise is to use dynamic source NAT (SNAT) for traffic from the client

    destined to the VIP. You will use dynamic NAT to translate the client's IP (209.165.201.PC) to

    10.0.0.1-10.0.0.6. Keep in mind that the Cisco ACE Module also does an implicit destination

    NAT (DNAT) operation when load-balancing traffic from the VIP to the rserver.

    Activity Visualization

    The figure illustrates what you will accomplish in this task.

    [Figure: Dynamic Source NAT for a Subnet. Client 209.165.201.PC -> Cisco ACE (VLAN 2PC 172.16.PC.5; VIP 172.16.PC.150) -> Servers 192.168.1.10 to 192.168.1.15. Source address 209.165.201.PC (Outside Global) translated (NAT) to 10.0.0.1-6 (Inside Global). Destination address 172.16.PC.150 translated (NAT) and load-balanced to 192.168.1.11-15.]

    Activity Procedure

    Complete these steps:

    Step 1 Continue from the last task or use the checkpoint system to roll the configuration to

    the slb-end configuration.

    Step 2 Verify that you are in the correct context by looking at the prompt.

    PodP-ACE/Lab-SLB-PC#

    Step 3 Execute the show run command to see what is preconfigured for this lab.

    Step 4 Create the ALLOW-CLI access list to permit the client to send traffic to the server.

    PodP-ACE/Lab-SLB-PC(config)# access-list ALLOW-CLI extended permit ip 209.165.201.0 255.255.255.0 any

    Step 5 Dynamic NAT also uses a class map to define what traffic is to be translated, so create a class map to match any client traffic:

    PodP-ACE/Lab-SLB-PC(config)# class-map match-all CLIENT-SOURCED

    PodP-ACE/Lab-SLB-PC(config-cmap)# match source-address 209.165.201.0 255.255.255.0


    Step 6 You need a policy map that says dynamic NAT is to be performed on traffic

    matched by the class map CLIENT-SOURCED. You will also create a NAT pool

    identified as 123 that uses the source addresses 192.168.1.200 through

    192.168.1.205.

    PodP-ACE/Lab-SLB-PC(config)# policy-map multi-match NATRULES

    PodP-ACE/Lab-SLB-PC(config-pmap)# class CLIENT-SOURCED

    PodP-ACE/Lab-SLB-PC(config-pmap-c)# nat dynamic 123 vlan 4PC

    Step 7 Define the NAT pool itself on the server-side interface.

    PodP-ACE/Lab-SLB-PC(config)# interface vlan 4PC

    PodP-ACE/Lab-SLB-PC(config-if)# nat-pool 123 10.0.0.1 10.0.0.6 netmask 255.255.255.0

    Step 8 Apply the NAT service policy and the ACL to the client-side interface, where the source IPs that need to be translated reside. (Remove the previous ACL named anyone first.)

    PodP-ACE/Lab-SLB-PC(config)# interface vlan 2PC

    PodP-ACE/Lab-SLB-PC(config-if)# no access-group input anyone

    PodP-ACE/Lab-SLB-PC(config-if)# access-group input ALLOW-CLI

    PodP-ACE/Lab-SLB-PC(config-if)# service-policy input NATRULES

    Step 9 To verify that the NAT rules were applied correctly, verify that the NAT fabric is configured.

    PodP-ACE/Lab-SLB-PC# sho nat-fabric policies

    Nat objects:
    NAT object ID:15 mapped_if:240 policy_id:22 type:DYNAMIC nat_pool_id:5
    Pool ID:5 PAT:0 pool_id:123 mapped_if:240 Ref_count:1 ixp_binding:in IXP1
    lower:10.0.0.1 upper:10.0.0.6 Bitmap:0x1f
    List of NAT object IDs: 15

    Step 10 To verify the NAT configuration, establish a Telnet connection from the context to

    the Linux server. Switch to the user root and start tethereal.

    PodP-ACE/Lab-SLB-PC# telnet 192.168.1.10

    Trying 192.168.1.10...

    Connected to 192.168.1.10.

    Escape character is '^]'.

    linux1 (Linux release 2.6.9-11.ELsmp #1 SMP Fri May 20 18:26:27 EDT 2005) (0)

    login: cisco

    Password for cisco: cisco

    login: Resource temporarily unavailable while getting initial credentials

    Last login: Tue Jun 6 04:25:26 from 192.168.1.1

    [cisco@linux1 ~]$ su -

    Password: cisco123

    [root@linux1 ~]# tethereal -R "tcp.port == 80"


    On the client, issue a wget request from the command line.

    C:\tools\wget-1.10.2b>wget http://172.16.PC.50

    --12:08:30-- http://172.16.PC.50/

    => `index.html.5'

    Connecting to 172.16.PC.50:80... connected.

    HTTP request sent, awaiting response... 200 OK

    Length: 1,219 (1.2K) [text/html]

    100%[====================================>] 1,219 --.--K/s

    12:08:30 (8.67 MB/s) - `index.html.5' saved [1219/1219]

    Observe that the client IP is now one of 10.0.0.1 to 10.0.0.6 in the tethereal output from the Linux server.

    Capturing on eth0
    3060.106616 10.0.0.1 -> 192.168.1.11 TCP 3991 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
    3060.106689 192.168.1.11 -> 10.0.0.1 TCP http > 3991 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
    3060.107030 10.0.0.1 -> 192.168.1.11 TCP 3991 > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
    3060.107762 10.0.0.1 -> 192.168.1.11 HTTP GET / HTTP/1.0
    3060.107781 192.168.1.11 -> 10.0.0.1 TCP http > 3991 [ACK] Seq=1 Ack=101 Win=5840 Len=0
    3060.115186 192.168.1.11 -> 10.0.0.1 HTTP HTTP/1.1 200 OK
    3060.115285 192.168.1.11 -> 10.0.0.1 HTTP Continuation or non-HTTP traffic
    3060.115490 192.168.1.11 -> 10.0.0.1 TCP http > 3991 [FIN, ACK] Seq=1321 Ack=101 Win=5840 Len=0
    3060.115851 10.0.0.1 -> 192.168.1.11 TCP 3991 > http [ACK] Seq=101 Ack=1322 Win=62920 Len=0
    3060.122303 10.0.0.1 -> 192.168.1.11 TCP 3991 > http [FIN, ACK] Seq=101 Ack=1322 Win=62920 Len=0
    3060.122336 192.168.1.11 -> 10.0.0.1 TCP http > 3991 [ACK] Seq=1322 Ack=102 Win=5840 Len=0

    Step 11 Use the show service-policy command to view NAT statistics.

    PodP-ACE/Lab-SLB-PC# sho service-policy NATRULES

    Status : ACTIVE

    -----------------------------------------

    Interface: vlan 2PC

    service-policy: NATRULES

    class: CLIENT-SOURCED

    nat:

    nat dynamic 123 vlan 4PC

    curr conns : 4 , hit count : 4

    dropped conns : 0

    client pkt count : 28 , client byte count: 1584

    server pkt count : 24 , server byte count: 6912


    Step 12 If you initiate a long-lived flow for the client to the server, you can observe the

    dynamic NAT in the show conn output.

    PodP-ACE/Lab-SLB-PC# sho conn

    total current connections : 2

    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    18         2  in  TCP   2PC  209.165.201.PC:4063   172.16.PC.50:23       ESTAB
    10         2  out TCP   4PC  192.168.1.15:23       10.0.0.1:4063         ESTAB

    Activity Verification

    You have completed this task when connections to the rserver are sourced from the 10.0.0.0

    network instead of the original source network.
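The verification above (server-side packets sourced from the pool, not from the client network) can be automated over a capture like the one in Step 10. This is an added example, not part of the lab guide: the pool and subnet values are the lab's, the packet lines are constructed in tethereal's one-line summary format with one deliberately untranslated packet, and traffic sourced by the ACE's own server-side interface (192.168.1.1, as seen in the Step 10 login banner) is treated as legitimate because the client NAT rule does not apply to it.

```python
import re
from ipaddress import ip_address, ip_network

# Dynamic SNAT parameters from this task: class map CLIENT-SOURCED matches the
# client subnet and nat-pool 123 on the server VLAN hands out 10.0.0.1-10.0.0.6.
CLIENT_NET = ip_network("209.165.201.0/24")
SERVER_NET = ip_network("192.168.1.0/24")
POOL_LOW, POOL_HIGH = ip_address("10.0.0.1"), ip_address("10.0.0.6")

# Constructed capture in tethereal's one-line summary format, modelled on the
# lab's server-side trace. The last line is a deliberately untranslated packet.
CAPTURE = """\
3060.106616 10.0.0.1 -> 192.168.1.11 TCP 3991 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
3060.106689 192.168.1.11 -> 10.0.0.1 TCP http > 3991 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3060.107762 10.0.0.1 -> 192.168.1.11 HTTP GET / HTTP/1.0
3060.115186 192.168.1.11 -> 10.0.0.1 HTTP HTTP/1.1 200 OK
3071.220014 10.0.0.2 -> 192.168.1.13 TCP 4012 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
3088.004110 209.165.201.1 -> 192.168.1.15 TCP 4063 > telnet [SYN] Seq=0 Ack=0 Win=64240 Len=0
"""

# "<time> <src> -> <dst> <proto> ..."; only the two addresses are needed here
PKT = re.compile(r"^\s*\S+\s+(\S+)\s+->\s+(\S+)\s+\S+")

def in_pool(addr):
    """True when addr (string or address object) lies inside nat-pool 123."""
    addr = ip_address(str(addr))
    return POOL_LOW <= addr <= POOL_HIGH

def audit_snat(capture):
    """Check every server-bound packet against the SNAT policy. Returns a list
    of (src, dst, reason) for packets a working dynamic NAT should never have
    delivered to the server VLAN; an empty list means the translation held."""
    problems = []
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, dst = ip_address(m.group(1)), ip_address(m.group(2))
        if dst not in SERVER_NET:
            continue          # server -> client direction: reply traffic
        if src in CLIENT_NET:
            problems.append((str(src), str(dst), "client address leaked untranslated"))
        # the ACE interface (192.168.1.1) and other hosts on the server VLAN
        # are not subject to the client NAT rule, so they are not flagged
        elif not in_pool(src) and src not in SERVER_NET:
            problems.append((str(src), str(dst), "source outside nat-pool 123"))
    return problems

def pool_addresses_used(capture):
    """Distinct pool addresses seen as packet sources, to gauge pool consumption."""
    used = set()
    for line in capture.splitlines():
        m = PKT.match(line)
        if m and in_pool(m.group(1)):
            used.add(m.group(1))
    return sorted(used)
```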

    Task 5: Apply the Baseline Configuration

    The Cisco ACE Module ensures that no duplicate IPs exist across contexts per VLAN. Due to

    the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the

    server, so that the VLAN interface can be reused in the remaining labs.

    Note If you want to compare your completed configuration with the one in the Answer Key provided at the end of this lab, be sure to do so before you complete this task.

    Activity Procedure

    Use the checkpoint feature to roll back to baseline-mgmt.

    PodP-ACE/Lab-SLB-PC# checkpoint rollback baseline-mgmt

    This operation will rollback the system's running configuration

    to the checkpoint's configuration.

    Do you wish to proceed? (y/n) [n] y

    Rollback in progress, please wait...

    Generating configuration....

    Rollback succeeded

    Activity Verification

    You have completed this task when you have removed the server VLAN from the context.


    Answer Key: Configuring Server Load-Balancing

    When you complete this activity, your ACE context running configuration file will be similar to

    the following, with differences that are specific to your device or workgroup.

    Initial Configuration Sample (Pre-Task 1)

    PodP-ACE/Lab-SLB-PC# sho run

    Generating configuration....

    class-map type management match-any remote-access

    description remote-access

    2 match protocol telnet any

    3 match protocol ssh any

    4 match protocol icmp any

    policy-map type management first-match remote-mgmt

    class remote-access

    permit

    interface vlan 2PC
      ip address 172.16.PC.11 255.255.255.0

    service-policy input remote-mgmt

    no shutdown

    ip route 0.0.0.0 0.0.0.0 172.16.PC.1

    username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0 role Admin domain default-domain


    Lab 3 Task 3 Configuration Sample for a Working SLB Configuration

    PodP-ACE/Lab-SLB-PC# sho run

    Generating configuration....

    access-list anyone line 10 extended permit tcp any any

    rserver host DC5-LNX1

    ip address 192.168.1.11
      inservice

    rserver host DC5-LNX2

    ip address 192.168.1.12

    inservice

    rserver host DC5-LNX3

    ip address 192.168.1.13

    inservice

    rserver host DC5-LNX4

    ip address 192.168.1.14

    inservice

    rserver host DC5-LNX5
      ip address 192.168.1.15

    inservice

    serverfarm host SERVERS1

    rserver DC5-LNX1

    inservice

    rserver DC5-LNX2

    inservice

    rserver DC5-LNX3

    inservice

    rserver DC5-LNX4

    inservice

    rserver DC5-LNX5

    inservice

    class-map match-all VIP-50

    2 match virtual-address 172.16.PC.50 any

    class-map type management match-any remote-access

    description remote-access

    2 match protocol telnet any

    3 match protocol ssh any
      4 match protocol icmp any

    policy-map type management first-match remote-mgmt

    class remote-access

    permit

    policy-map type loadbalance first-match LB-LOGIC

    class class-default

    serverfarm SERVERS1


    policy-map multi-match CLIENT-VIPS

    class VIP-50

    loadbalance vip inservice

    loadbalance policy LB-LOGIC

    interface vlan 2PC

    ip address 172.16.PC.11 255.255.255.0

    access-group input anyone

    service-policy input remote-mgmt

    service-policy input CLIENT-VIPS

    no shutdown

    interface vlan 4PC

    description Servers vlan

    ip address 192.168.1.1 255.255.255.0

    no shutdown

    ip route 0.0.0.0 0.0.0.0 172.16.PC.1

    username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0 role Admin domain default-domain


    Lab 3 Task 4 Configuration Example

    Pod1-ACE/Lab-SLB-PC# sh run

    Generating configuration....

    login timeout 0

    access-list ALLOW-CLI line 23 extended permit ip 209.165.201.0 255.255.255.0 any

    access-list anyone line 10 extended permit tcp any any

    rserver host dc5-lnx1

    ip address 192.168.1.11

    inservice

    rserver host dc5-lnx2

    ip address 192.168.1.12

    inservice

    rserver host dc5-lnx3

    ip address 192.168.1.13

    inservice
    rserver host dc5-lnx4

    ip address 192.168.1.14

    inservice

    rserver host dc5-lnx5

    ip address 192.168.1.15

    inservice

    serverfarm host SERVERS1

    rserver dc5-lnx1

    inservice

    rserver dc5-lnx2

    inservice

    rserver dc5-lnx3

    inservice

    rserver dc5-lnx4

    inservice

    rserver dc5-lnx5

    inservice

    class-map match-all CLIENT-SOURCED

    2 match source-address 209.165.201.0 255.255.255.0

    class-map match-all VIP-50

    2 match virtual-address 172.16.PC.50 any

    class-map type management match-any remote-access

    description remote-access-traffic-match

    2 match protocol telnet any

    3 match protocol ssh any

    4 match protocol icmp any


    policy-map type management first-match remote-mgmt

    class remote-access

    permit

    policy-map type loadbalance http first-match slb5-logic

    class class-default

    serverfarm SERVERS1

    policy-map multi-match NATRULES

    class CLIENT-SOURCED

    nat dynamic 123 vlan 4PC

    policy-map multi-match client-vips

    class VIP-50

    loadbalance vip inservice

    loadbalance policy slb5-logic

    interface vlan 2PC

    description Client vlan

    ip address 172.16.PC.5 255.255.255.0

    access-group input ALLOW-CLI

    service-policy input remote-mgmt

    service-policy input client-vips

    service-policy input NATRULES

    no shutdown

    interface vlan 411

    description Servers vlan

    ip address 192.168.1.1 255.255.255.0

    nat-pool 123 10.0.0.1 10.0.0.6 netmask 255.255.255.0

    no shutdown

    ip route 0.0.0.0 0.0.0.0 172.16.PC.1

    username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/ role Admin domain default-domain


    Lab 4: Implementing Health Monitoring

    Complete this lab activity to practice what you learned in the related lesson.

    Activity Objective

    In this exercise, you will configure your ACE context to monitor real servers. After completing

    this exercise, you will be able to meet these objectives:

    Define health monitoring for a real server

    Define health monitoring for a real server with a server farm

    Define health monitoring for an entire server farm

    Define passive health monitoring checks for a server farm

    Configure the Cisco ACE action on a server failure