Acesm20 Lg
Transcript of Acesm20 Lg
-
8/12/2019 Acesm20 Lg
1/214
ACESM
Implementing theApplication Control
Engine Service ModuleVersion 2.0
Lab Guide
Text Part Number: 67-2531-01
-
8/12/2019 Acesm20 Lg
2/214
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
-
8/12/2019 Acesm20 Lg
3/214
Table of ContentsLab Guide 1
Overview 1Outline 1Lab Topology 2Your Client PC Information 2IP Addressing 2Connecting to Lab Devices 3
Lab 1: Implementing Virtualization 5Activity Objective 5Visual Objective 5Required Resources 5Task 1: Review the Current Network Configuration 6Task 2: Configure New Contexts 10Task 3: Create Resource Classes 14
Answer Key: Implementing Virtualization 20Lab 2: Using Network Address Translation 21
Activity Objective 21Required Resources 21Task 1: Configure Static NAT for a Host 22Task 2: Configure Static NAT for a Subnet 28Task 3: Apply the Baseline Configuration 30
Answer Key: Using Network Address Translation 31Lab 3: Configuring Server Load Balancing 33
Activity Objective 33Visual Objective 33Required Resources 34Task 1: Configure Real Servers 34Task 2: Configuring Load-Balancing Class Maps and Policy Maps 38Task 3: Test the New VIP Load-Balancing Configuration 41Task 4: Configure Dynamic NAT 42
Answer Key: Configuring Server Load-Balancing 46Lab 4: Implementing Health Monitoring 51
Activity Objective 51Visual Objective 51Required Resources 52Task 1: Configure Health Monitoring for Real Servers 52Task 2: Configure Health Monitoring for a Server Farm 59Task 3: Configure Health Monitoring for a Real Server Within a Server Farm 62Task 4: Return Code Parsing 67Task 5: Configuring the Cisco ACE Action on Server Failure 70Task 6: Configuring Partial Server Farm Failover 72Task 7: Apply the Baseline Configuration 78
Lab 5: Configuring Layer 7 Load Balancing 83Activity Objective 83Visual Objective 83Required Resources 84Task 1: Configure a Real Server 84
Task 2: Configure Layer 7 Load Balancing 86Task 3: Test the New VIP Load-Balancing Configuration 89Task 4: Mixing Layer 4 and Layer 7 Traffic 90Task 5: Optimize the Mixed-Traffic VIP 95Task 6: Generic Layer 4 Content Parsing 97Task 7: Layer 4 Payload Stickiness 102Task 8: Apply the Baseline Configuration 106
Answer Key: Configuring Layer 7 Load Balancing 107
-
8/12/2019 Acesm20 Lg
4/214
ii Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Lab 6: Enabling Sticky Connections 121Activity Objective 121Visual Objective 121Required Resources 122Task 1: Create a Server Farm 122Task 2: Apply Source IP Sticky to Ensure Client Persistence 123Task 3: Apply the Baseline Configuration 124
Answer Key: Enabling Sticky Connections 125Lab 7: Enabling Protocol Inspection 127
Activity Objective 127Visual Objective 127Required Resources 127Task 1: Configure a Protocol Fixup 128Task 2: Configure FTP 130Task 4: Apply the Baseline Configuration 134
Answer Key: Enabling Protocol Inspection 135Lab 8: Configuring SSL Termination 140
Activity Objective 140Visual Objective 140Required Resources 140Task 1: Configure SSL Termination When You Have Certificates and Keys 141Task 2: Configure SSL Termination When You Must Create Certificates and Keys 147Task 3: SSL Session ID Reuse 155Task 4: Configure SSL Queue Delay 160Task 5: Apply the Baseline Configuration 161
Answer Key: Configuring SSL Termination 162Lab 9: Integrating Multiple Features 169
Activity Objective 169Visual Objective 170Required Resources 170Task 1: Create a Virtual IP Address to Accept Web Traffic 171Task 2: Apply Source IP Sticky to Ensure Client Persistence 174Task 3: Apply Probes to Ensure That Real Servers Are Working Properly 176Task 4: Create a Virtual IP Address to Accept Clear Application Traffic 180Task 5: Create a Virtual IP Address to Accept Secure Application Traffic 183Task 6: Add SSL Acceleration 184Task 7: Apply Probe and Cookie Insert Sticky to Ensure Client Persistence 190Task 8: Create a Domain for the Security Team 193Task 9: Allow Direct Server Access and Server-Initiated Connections 196Task 10: Configure HTTP Normalization 199Task 11: Apply the Baseline Configuration 204
Lab 10: Troubleshooting Case Study 1: Common SLB Configuration Errors 205Activity Objective 205Visual Objective 205Required Resources 205Task 1: Troubleshoot the First Error Case Configuration 206Task 2: Troubleshoot the Second Error Case Configuration 206Task 3: Troubleshoot the Third Error Case Configuration 207
Lab 11: Troubleshooting Case Study 2: Common Layer 7 SLB Configuration Errors 209Activity Objective 209Visual Objective 209Required Resources 209Task 1: Troubleshoot the First Error Case Configuration 210
-
8/12/2019 Acesm20 Lg
5/214
ACESM
Lab Guide
OverviewThis guide presents the instructions and other information concerning the lab activities for this
course. You can find the solutions in the lab activity Answer Key.
Outline
This guide includes these activities:
Lab 1: Implementing Virtualization
Lab 2: Using Network Address Translation
Lab 3: Configuring Server Load Balancing
Lab 4: Implementing Health Monitoring
Lab 5: Configuring Layer 7 Load Balancing
Lab 6: Enabling Sticky Connections
Lab 7: Enabling Protocol Inspection
Lab 8: Configuring SSL Termination
Lab 9: Integrating Multiple Features
Lab 10: Troubleshooting Case Study 1Common SLB Configuration Errors
Lab 11: Troubleshooting Case Study 2Common Layer 7 SLB Configuration Errors
-
8/12/2019 Acesm20 Lg
6/214
2 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Lab Topology
The figure shows the lab topology.
2007 Cisco Systems, Inc. All rights reserved. ACESM v2.02
Lab Topology
192.168.1.10
192.168.1.11
192.168.1.12
192.168.1.13
192.168.1.14
192.168.1.15
Cisco ACE Admin
172.19.110.P9
10.10
.10.1
192.168.1.1
172.16.PC.L
172.16.PC.1
209.165.201.PC
10.10
.10.PC
172.19.110.1
209.165.201.1
Catalyst 6500
CiscoACE
MSFC
172.1
9.1
10.P
C
VLAN 10
VLAN 2PCVL
AN3PC
VLAN4
PC
P = Pod numberC = Client numberL = Lab exercise number + 10
Your Client PC Information
You will be assigned a pod and a client by your instructor. Below please write down your
username, password, pod number, and client number for easy reference during the remainder of
the class.
Username
Password
Pod Number
Client Number
IP Addressing
The IP addressing scheme is outlined in these tables, where:
P = pod number
C = client number
Note In the current virtualized implementation used in this lab, all pods are internally numbered
pod 1. Therefore,P = 1 throughout this lab guide.
-
8/12/2019 Acesm20 Lg
7/214
-
8/12/2019 Acesm20 Lg
8/214
-
8/12/2019 Acesm20 Lg
9/214
2007 Cisco Systems, Inc. Lab Guide 5
Lab 1: Implementing VirtualizationComplete this lab activity to practice what you learned in the related lesson.
Activity Objective
In this exercise, you will explore the lab configuration of the Cisco Catalyst 6500 and the Cisco
ACE Admin context. You will create new contexts and resource classes to understand the
flexibility of virtualization on the Cisco ACE Module. After completing this exercise, you willbe able to meet these objectives:
Review the existing Cisco ACE configuration
Define Cisco ACE contexts
Create Cisco ACE resource classes
Visual Objective
The figure illustrates what you will accomplish in this activity.
2007 Cisco Systems, Inc. All rights reserved. Course acronym vx.x#-5
Implementing Virtualization
Required Resources
These are the resources and equipment required to complete this activity:
Cisco Catalyst 6500 Series Supervisor Engine 720
Cisco ACE Module
Server minimally running Telnet and HTTP
-
8/12/2019 Acesm20 Lg
10/214
6 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Task 1: Review the Current Network Configuration
In this task, you will connect to the Catalyst 6500 Series Supervisor Engine 720 and establish a
session to the Admin context on the Cisco ACE Module. You will then review the existing
ACE configuration. This lab simulates configuring a new Cisco ACE Module just after system
boot and initial administrative configuration. Before you configure the Cisco ACE Module to
connect with the client-facing network and servers, you must understand how the Catalyst 6500
Series Supervisor Engine 720 is configured to allow these VLANs to be connected to the Cisco
ACE Module. By default, no VLANs are sent to the Cisco ACE Module; this is unlike theContent Switching Module (CSM), which receives all VLAN traffic.
Note Use the terminal monitorcommand after you connect to any device to make sure that all
console messages are seen. This command offers an invaluable source of information when
initially configuring the service modules.
Activity Procedure
Complete these steps:
Step 1 Connect to your Client PC.
Step 2 Telnet to 172.19.110.Pfrom your Client PC to access the Catalyst 6500 SeriesSupervisor Engine 720 in the Catalyst 6500 within your pod. Log in with the
username ciscoand the password cisco.
C:\> telnet 172.19.110.P
Trying 172.19.110.P...
Connected to 172.19.110.P(172.19.110.P).
Escape character is '^]'.
User Access Verification
Password: cisco
Step 3 Display the chassis modules to determine the slot of the Cisco ACE Module.
PodP-6k# show module
Mod Ports Card Type ModelSerial No.
--- ----- -------------------------------------- ------------------ -----------
1 1 Application Control Engine Module ACE10-6500-K9SAD103206UR
2 48 48 port 10/100 mb RJ45 WS-X6348-RJ-45 SAL06313L4X
5 2 Supervisor Engine 720 (Active) WS-SUP720-
3BXL SAL10360EMM
Mod MAC addresses Hw Fw SwStatus
--- ---------------------------------- ------ ------------ ------------ -------
1 0019.0627.b91a to 0019.0627.b921 1.1 8.7(0.5-Eng)A2(0) Ok
2 000a.8a99.31a8 to 000a.8a99.31d7 6.1 5.4(2)8.5(0.46)RFW Ok
-
8/12/2019 Acesm20 Lg
11/214
2007 Cisco Systems, Inc. Lab Guide 7
5 0017.5a34.bc9c to 0017.5a34.bc9f 5.2 8.4(2)12.2(18)SXF4 Ok
Mod Sub-Module Model SerialHw Status
---- --------------------------- ------------------ ----------- ------- -------
2 Inline Power Module WS-F6K-PWR1.0 Ok
5 Policy Feature Card 3 WS-F6K-PFC3BXLSAL10360CHJ 1.8 Ok
5 MSFC3 Daughterboard WS-SUP720SAL10360EV5 2.5 Ok
Mod Online Diag Status
---- -------------------
1 Pass
2 Pass
5 Pass
Step 4 Observe that, unlike the Firewall Services Module (FWSM) and the CSM, the Cisco
ACE Module does not use a multi-Gigabit EtherChannel to connect to the
backplane, but a single 10-gigabit interface.
Try some of the showcommands: (The following will work if the Cisco ACE
Module is in slot 1.)
PodP-6k# show asic-version slot 1
Module in slot 1 has 2 type(s) of ASICs
ASIC Name Count Version
HYPERION 1 (5.0)
SSA 1 (8.0)
Note The Hyperion is the Cisco ACE interconnect to the Catalyst 6500 Switch Fabric.
PodP-6k# show interface TenGigabitEthernet 1/1 status
Port Name Status Vlan DuplexSpeed Type
Te1/1 connected trunk full10G MultiService Module
Note The statuskeyword must abbreviated as statuor spelled out. Abbreviating the keyword as
statissues the show interface TenGigabitEthernet 1/1 statscommand, which will give
you blank output.
PodP-6k# show interface TenGigabitEthernet 1/1 counters
Port InOctets InUcastPkts InMcastPktsInBcastPkts
Te1/1 745174 4799 5394317
-
8/12/2019 Acesm20 Lg
12/214
8 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Port OutOctets OutUcastPkts OutMcastPktsOutBcastPkts
Te1/1 248640 0 03885
Step 5 The Cisco ACE Module will not accept VLAN traffic unless the Catalyst 6500
Series Supervisor Engine 720 is specifically configured to allow VLANs to access
the Cisco ACE Module. This is similar to how the FWSM and Web VPN modules
work. By not allowing all VLANs to access the Cisco ACE Module, broadcast
storms on non-ACE VLANs have no effect on the Cisco ACE Module. This is an
improvement over the CSM, which has backplane connectivity to all VLANs within
the Catalyst 6500. To allow VLANs to access the Cisco ACE Module, use the svclc
command to create a VLAN group and apply it to the module.
PodP-6k# conf t
Enter configuration commands, one per line. End with CNTL/Z.
PodP-6k(config)# svclc ?
autostate Enable autostate for all svclcmodules
module Module number which a vlan-groupwill be tied to
multiple-vlan-interfaces Enable multiple vlan interfaces
mode for svclc
modules
vlan-group Secure group which VLANs will betied to
PodP-6k(config)# exit
PodP-6k# show run | inc svc
svclc multiple-vlan-interfaces
svclc module 1 vlan-group 1,2
svclc vlan-group 1 31,110,2P1-2P8
svclc vlan-group 2 30,4P1-4P8
Note SVCLC VLAN groups can be applied to the FWSM using the firewall modulecommand.
Likewise, firewall VLAN groups can be applied to the Cisco ACE Module using the svclc
command.
The svclc multiple-vlan-interfacescommand is required when connecting more than one
VLAN with a Layer 3 MSFC interface to the Cisco ACE Module.
The number of VLANs you see displayed might vary for the example in this guide. In this
lab, you will only be concerned with 2PCand 4PCVLANs.
Step 6 Use the show svclccommand to verify that the proper VLAN group has beencreated and applied.
PodP-6k# show svclc ?
autostate Show ACE module vlan interfacesautostate feature
hsrp-tracking show hsrp tracking entries
module Show secure VLANs tied to a module
multiple-vlan-interfaces Show state of multiple svclc vlaninterfaces
-
8/12/2019 Acesm20 Lg
13/214
2007 Cisco Systems, Inc. Lab Guide 9
feature
rhi-routes show RHI Routes
vlan-group Show secure VLANs tied to a securegroup
PodP-6k# show svclc vlan-group
Display vlan-groups created by both ACE module and FWSMcommands
Group Created by vlans
----- ---------- -----
1 ACE 31,110,2P1-2P8
2 ACE 30,4P1-4P8
PodP-6k# show svclc module
Module Vlan-groups
------ -----------
01 1,2
Step 7 Verify your configuration with the show interfacescommand. Make sure that both
VLAN 2PCand 4PCare allowed on the trunk and are allowed and active inmanagement domain.
PodP-6k# show interfaces TenGigabitEthernet 1/1 trunk
Port Mode Encapsulation Status Nativevlan
Te1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Te1/1 30-31,110,2P1-2P8,4P1-4P8
Port Vlans allowed and active in management domain
Te1/1 110,2P1-2P8,4P1-4P8
Port Vlans in spanning tree forwarding state and notpruned
Te1/1 110,2P1-2P8,4P1-4P8
Activity Verification
You have completed this task when you understand how the Cisco ACE Module is physically
and logically connected to the Catalyst 6500:
-
8/12/2019 Acesm20 Lg
14/214
10 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Task 2: Configure New Contexts
In this task, you will define ACE contexts.
Activity Procedure
Complete these steps:
Step 1 Continuing from the Task 1 Telnet session, connect to the Cisco ACE Modules
Admin context. (This can be done by using a session from the Catalyst 6500 Series
Supervisor Engine 720 or by using Telnet or SSH from the Client PC in the pod.)
The following step uses the sessioncommand from the Catalyst 6500 Series
Supervisor Engine 720 to gain access to the Cisco ACE Module.
PodP-6k# session slot 1 processor 0
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end thesession
Trying 127.0.0.10 ... Open
PodP-ACE login: admin
Password: admin
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rightsreserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed underlicense.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
PodP-ACE/Admin#
Note Sessioning into a service module opens an internal connection over the loopback address of
the service module. This number is slot dependant, and the slot number is multiplied by 10.
For example, if the Cisco ACE Module were in slot 5, the session to slot 5 processor 0 would
open a connection to 127.0.0.50. Sessioning into Cisco ACE cannot be connected to while
the Cisco ACE Module is booting.
Reference Processor 0: Admin context used for administration after the module has successfully
booted.
Processor 1: Debug access to NP0. This should only be used with TAC or Engineering
guidance. Issuing commands in this session can make the NP unstable. Usage of this
access should be used with extreme caution in a production environment.
Processor 2: Debug access to NP1. This should only be used with TAC or Engineering
guidance. Issuing commands in this session can make the NP unstable. Usage of this
access should be used with extreme caution in a production environment.
No other processor interfaces are defined at this time.
-
8/12/2019 Acesm20 Lg
15/214
-
8/12/2019 Acesm20 Lg
16/214
12 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
PodP-ACE/Admin(config)# login timeout 0
Note The line vtycommand is different from Cisco IOS in that it does notcontrol remote session
idle timeouts using the exec-timeoutcommand.
Step 5 Issue the show runcommand from enable mode to see the current Cisco ACE
configuration. The Admin context is where you configure Layer 3 access (VLANs,
ACL static routes etc) to access the Admin context through SSH or Telnet. In the
running configuration, you can also view all of the contexts that are configurationand the VLANs that are associated with them. You can also configure the Cisco
ACE features (load balancing, ssl-proxy, etc.) using the Admin context, but this is
not recommended.
Note By default, the admin and www users are present. They exist in the Admin context and
provide default access. The admin account is for administration. The www account is for
supporting the XML interface. Do not delete this user. If the www user is removed, the XML
interface will be disabled for the entire module.
Step 6 Use the contextcommand to create a new context.
PodP-ACE/Admin# conf tEnter configuration commands, one per line. End with CNTL/Z.
PodP-ACE/Admin(config)# context Lab-Virt-PC
Note Remember that Prefers to your pod number and Crefers to your client number. These
numbers were assigned to you at the beginning of the first part of the lab.
Note You can connect to a context in two ways: by using the changeto context_namecommand,
or by associating a VLAN and an IP address with the context and establishing a Telnet
session to that address (after you have allowed administrative traffic).
PodP-ACE/Admin(config-context)# ?
Submode commands:
allocate-interface Assign a vlan to a context
description Description for the context
do EXEC command
end Exit from configure mode
exit Exit from this submode
member Resource-class membership
no Negate a command or set its defaults
Step 7 Display the VLANs allocated to the entire Cisco ACE Module from the Catalyst6500 Series Supervisor Engine 720.
PodP-ACE/Admin(config-context)# do show vlans
Vlans configured on SUP for this module
vlan110 vlan2P1-2P8 vlan4P1-4P8
Step 8 Allocate your client VLAN to the new context.
PodP-ACE/Admin(config-context)# allocate-interface vlan 2PC
-
8/12/2019 Acesm20 Lg
17/214
2007 Cisco Systems, Inc. Lab Guide 13
Step 9 To better understand the VLAN allocations, attempt to add two more VLANs to this
context.
PodP-ACE/Admin(config-context)# allocate-interface vlan 11,12
PodP-ACE/Admin(config-context)# do show run context | begVirt-PC
Generating configuration....
context Lab-Virt-PC
allocate-interface vlan 11
allocate-interface vlan 2PC
Note The allocate-interfacecommand does not accept comma separated VLANs.
Step 10 Attempt to add a range of VLANs.
PodP-ACE/Admin(config-context)# allocate-interface vlan 20-29
PodP-ACE/Admin(config-context)# do sho run context | beg Virt-PC
Generating configuration....
context Lab-Virt-PC
allocate-interface vlan 11
allocate-interface vlan 20-29
allocate-interface vlan 2PC
Step 11 Remove VLANs 11 and 25. Observer the modified VLAN allocation. Next, remove
the remaining VLANs 20-24 and 26-29.
PodP-ACE/Admin(config-context)# no allocate-interface vlan 11
PodP-ACE/Admin(config-context)# no allocate-interface vlan 25
PodP-ACE/Admin(config-context)# do sho run context | beg Virt-PC
Generating configuration....
context Lab-Virt-PC
allocate-interface vlan 20-24allocate-interface vlan 26-29
allocate-interface vlan 2PC
PodP-ACE/Admin(config-context)# no allocate-interface vlan 20-24
PodP-ACE/Admin(config-context)# no allocate-interface vlan 26-29
Step 12 View the newly created context.
PodP-ACE/Admin(config-context)# do sho context Lab-Virt-PC
Name: Lab-Virt-PC, Id: 106
Config count: 0
Description:
Resource-class: default
Vlans: Vlan2PC
Step 13 Create another context to be used in the next task.
PodP-ACE/Admin(config-context)# context Lab-Virt2-PC
-
8/12/2019 Acesm20 Lg
18/214
14 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Activity Verification
You have completed this task when you understand how to create a new context and how to
assign VLANs to a context.
Task 3: Create Resource Classes
In this task, you will learn how to create Cisco ACE resource classes and then assign those
resource classes to a context.
Activity Procedure
Complete these steps:
Step 1 View the current resource allocation.
PodP-ACE/Admin(config-context)# do show resource ?
allocation Show resource allocation information.
usage Show resource usage information
PodP-ACE/Admin(config-context)# do show resource allocation
---------------------------------------------------------------------------
Parameter Min Max Class
---------------------------------------------------------------------------
acl-memory 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
syslog buffer 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
conc-connections 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
mgmt-connections 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
proxy-connections 0.00% 10100.00% default
0.00% 800.00% cart0.00% 100.00% avs
-
8/12/2019 Acesm20 Lg
19/214
2007 Cisco Systems, Inc. Lab Guide 15
bandwidth 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
connection rate 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
inspect-conn rate 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
syslog rate 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
regexp 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
sticky 0.00% 10100.00% default
8.00% 8.00% cart
10.00% 10.00% avs
xlates 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
ssl-connections rate 0.00% 10100.00% default
0.00% 800.00% cart0.00% 100.00% avs
mgmt-traffic rate 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
mac-miss rate 0.00% 10100.00% default
0.00% 800.00% cart
0.00% 100.00% avs
-
8/12/2019 Acesm20 Lg
20/214
16 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
PodP-ACE/Admin(config-context)# do sho resource usageAllocation
Resource Current Peak Min Max Denied-----------------------------------------------------------------------------Context: Adminconc-connections 0 0 0 8000000 0mgmt-connections 2 16 0 5000 0proxy-connections 0 0 0 1048574 0xlates 0 0 0 1048574 0bandwidth 0 0 0 500000000 0connection rate 0 0 0 1000000 0
ssl-connections rate 0 0 0 1000 0mgmt-traffic rate 0 0 0 125000000 0mac-miss rate 0 0 0 2000 0inspect-conn rate 0 0 0 3000 0acl-memory 2736 8136 0 78610432 0regexp 335 398 0 1048576 0syslog buffer 10000 0 0 4194304 0syslog rate 10000 0 0 3000 0
Context: Lab-SLB-PCconc-connections 0 12 0 8000000 0mgmt-connections 0 0 0 5000 0proxy-connections 0 12 0 1048574 0xlates 0 0 0 1048574 0bandwidth 0 0 0 500000000 0connection rate 0 0 0 1000000 0
ssl-connections rate 0 0 0 1000 0mgmt-traffic rate 0 0 0 125000000 0mac-miss rate 0 0 0 2000 0inspect-conn rate 0 0 0 3000 0acl-memory 2712 5328 0 78610432 0regexp 0 0 0 1048576 0syslog buffer 10000 0 0 4194304 0syslog rate 10000 0 0 3000 0
Context: Lab-HM-PCconc-connections 0 0 0 8000000 0mgmt-connections 0 0 0 5000 0proxy-connections 0 0 0 1048574 0
Step 2 Create a new resource class named HARD-SET-PC.
PodP-ACE/Admin(config)# resource-class HARD-SET-PC
Step 3 Allocate all resources to this resource-classusing the keyword alland limit it to 1%
of the Cisco ACE resources.
PodP-ACE/Admin(config-resource)# ?Submode commands:do EXerror-case- commandexit Exit from this submodelimit-resource Set resource limitsno Negate a command or set its defaults
PodP-ACE/Admin(config-resource)# limit-resource ?acl-memory Limit ACL memoryall Limit all resource parametersbuffer Set resource-limit for buffers
conc-connections Limit concurrent connections (thru-the-box traffic)mgmt-connections Limit management connections (to-the-box traffic)proxy-connections Limit proxy connectionsrate Set resource-limit as a rate (number per second)regexp Limit amout of regular expression memorysticky Limit number of sticky entriesxlates Limit number of Xlate entries
PodP-ACE/Admin(config-resource)# limit-resource all minimum 1 maximum ?equal-to-min Set maximum limit to same as minimum limitunlimited Set maximum limit to unlimited
-
8/12/2019 Acesm20 Lg
21/214
2007 Cisco Systems, Inc. Lab Guide 17
PodP-ACE/Admin(config-resource)# limit-resource all minimum 1 maximum equal-to-min
Step 4 View the net resource class allocations.
PodP-ACE/Admin(config-context)# do show resource allocation---------------------------------------------------------------------------Parameter Min Max Class---------------------------------------------------------------------------
acl-memory 0.00% 10100.00% default0.00% 800.00% cart
0.00% 100.00% avs
syslog buffer 0.00% 10100.00% default0.00% 800.00% cart0.00% 100.00% avs
conc-connections 0.00% 10100.00% default0.00% 800.00% cart0.00% 100.00% avs
mgmt-connections 0.00% 10100.00% default0.00% 800.00% cart0.00% 100.00% avs
proxy-connections 0.00% 10100.00% default0.00% 800.00% cart
0.00% 100.00% avs
conc-connections 0.00% 10100.00% default0.00% 800.00% cart0.00% 100.00% avs
mgmt-connections 0.00% 10100.00% default0.00% 800.00% cart0.00% 100.00% avs
proxy-connections 0.00% 10100.00% default0.00% 800.00% cart0.00% 100.00% avs
bandwidth 0.00% 10100.00% default
0.00% 800.00% cart0.00% 100.00% avs
Why are the resource allocations not displayed, although the resource class has been created?
Step 5 Apply the new resources class to the context Lab-Virt-PC.
PodP-ACE/Admin(config)# context Lab-Virt-PCPodP-ACE/Admin (config-context)#member avs cart default HARD-SET-PCPodP-ACE/Admin (config-context)#member HARD-SET-PC
View the changes to the resource allocation table.PodP-ACE/Admin(config-context)# do show resource allocation---------------------------------------------------------------------------
Parameter Min Max Class---------------------------------------------------------------------------
acl-memory 0.00% 10000.00% default0.00% 800.00% cart0.00% 100.00% avs1.00% 1.00% HARD-SET-PC
syslog buffer 0.00% 10000.00% default0.00% 800.00% cart0.00% 100.00% avs1.00% 1.00% HARD-SET-PC
-
8/12/2019 Acesm20 Lg
22/214
18 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
conc-connections 0.00% 10000.00% default0.00% 800.00% cart0.00% 100.00% avs1.00% 1.00% HARD-SET-PC
mgmt-connections 0.00% 10000.00% default0.00% 800.00% cart0.00% 100.00% avs1.00% 1.00% HARD-SET-PC
proxy-connections 0.00% 10000.00% default
0.00% 800.00% cart0.00% 100.00% avs1.00% 1.00% HARD-SET-PC
Is your resource class displayed? What percentage of the resources are assigned to your
resource class?
Step 6 Create a new resource-class named MIN+GROWTH-PC. Guarantee the resource
class 2% of the ACE resources and allow any unused ACE resources to be accessed
by contexts which are a member of this resource class.
PodP-ACE/Admin(config)# resource-class MIN+GROWTH-PCPodP-ACE/Admin(config-resource)# limit-resource all minimum 2 maximumunlimited
PodP-ACE/Admin(config)# context Lab-Virt2-PCPodP-ACE/Admin(config-context)# member MIN+GROWTH-PC
Show the resource class information with your changes.PodP-ACE/Admin(config-context)# do sho resource allocation---------------------------------------------------------------------------Parameter Min Max Class---------------------------------------------------------------------------
acl-memory 0.00% 9900.00% default0.00% 800.00% cart0.00% 100.00% avs1.00% 1.00% HARD-SET-PC2.00% 100.00% MIN+GROWTH-PC
syslog buffer 0.00% 9900.00% default0.00% 800.00% cart0.00% 100.00% avs1.00% 1.00% HARD-SET-PC2.00% 100.00% MIN+GROWTH-PC
conc-connections 0.00% 9900.00% default0.00% 800.00% cart0.00% 100.00% avs1.00% 1.00% HARD-SET-PC2.00% 100.00% MIN+GROWTH-PC
mgmt-connections 0.00% 9900.00% default0.00% 800.00% cart0.00% 100.00% avs
1.00% 1.00% HARD-SET-PC2.00% 100.00% MIN+GROWTH-PC
Step 7 Notice the resource usage difference between a context that is allocated only X%
resources (Lab-Virt-PC) compared to a context guaranteed Y% and allowed to burst
beyond this minimum allocation (Lab-Virt2-PC).
PodP-ACE/Admin(config-context)# do sho resource usage context Lab-Virt-PCAllocation
Resource Current Peak Min Max Denied-----------------------------------------------------------------------------
-
8/12/2019 Acesm20 Lg
23/214
2007 Cisco Systems, Inc. Lab Guide 19
Context: Lab-Virt-PCconc-connections 0 0 80000 0 0mgmt-connections 0 0 50 0 0proxy-connections 0 0 10486 0 0xlates 0 0 10486 0 0bandwidth 0 0 5000000 0 0connection rate 0 0 10000 0 0ssl-connections rate 0 0 10 0 0mgmt-traffic rate 0 0 1250000 0 0mac-miss rate 0 0 20 0 0inspect-conn rate 0 0 30 0 0
acl-memory 0 0 786104 0 0regexp 0 0 10486 0 0syslog buffer 200 0 41943 0 0syslog rate 200 0 30 0 0
PodP-ACE/Admin(config-context)# do sho resource usage context Lab-Virt2-PCAllocation
Resource Current Peak Min Max Denied-----------------------------------------------------------------------------Context: Lab-Virt2-PCconc-connections 0 0 160000 7760000 0mgmt-connections 0 0 100 4850 0proxy-connections 0 0 20972 1017116 0xlates 0 0 20972 1017116 0bandwidth 0 0 10000000 485000000 0
connection rate 0 0 20000 970000 0ssl-connections rate 0 0 20 970 0mgmt-traffic rate 0 0 2500000 121250000 0mac-miss rate 0 0 40 1940 0inspect-conn rate 0 0 60 2910 0acl-memory 0 0 1572209 78610432 0regexp 0 0 20972 1048576 0syslog buffer 10200 0 83886 4194304 0syslog rate 10200 0 60 3000 0
Step 8 Try to allocate more minimum resources than the Cisco ACE Module can support.
Create a temporary context for this test.
PodP-ACE/Admin(config-context)# exitPodP-ACE/Admin(config)# resource-class MAX-PCPodP-ACE/Admin(config-resource)# limit-resource all min 99 maximum equal-to-min
PodP-ACE/Admin(config)# context MAX-PCPodP-ACE/Admin(config-context)#member MAX-PCError: resources in use
Step 9 Try to increase an existing limit to allow more minimum resources than the Cisco
ACE Module can support.
PodP-ACE/Admin(config)# resource HARD-SET-PCPodP-ACE/Admin(config-resource)# limit-resource all min 99 maximum equal-to-minError: checking resource parameter limit failed
PodP-ACE/Admin(config-resource)# limit-resource sticky min 99 maximum equal-
to-minError: checking resource parameter limit failed
Step 10 What conclusions can be drawn regarding the Cisco ACE oversubscription rules
when allocating resources?
Activity Verification
You have completed this task when you have developed an understanding of the multiple ways
that resources can be allocated to a context.
-
8/12/2019 Acesm20 Lg
24/214
20 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Answer Key: Implementing Virtualization
When you complete this exercise, the Cisco ACE Module running configuration file will be
similar to the following, with differences that are specific to your device or workgroup.
PodP-ACE/Admin(config-resource)# do sho run
Generating configuration....
resource-class HARD-SET-PC
limit-resource all minimum 1.00 maximum equal-to-min
resource-class MIN+GROWTH-PC
limit-resource all minimum 2.00 maximum unlimited
resource-class MAX-PC
limit-resource all minimum 99.00 maximum equal-to-min
context Lab-Virt-PC
allocate-interface vlan 2PC
member HARD-SET-PC
context Lab-Virt2-PC
member MIN+GROWTH-PCcontext MAX-PC
-
8/12/2019 Acesm20 Lg
25/214
2007 Cisco Systems, Inc. Lab Guide 21
Lab 2: Using Network Address TranslationComplete this lab activity to practice what you learned in the related lesson.
Activity Objective
In this activity, you will configure your ACE context to perform a variety of network address
translations.
The steps required to configure NAT on Cisco ACE are significantly very different from Cisco
firewalls. NAT on Cisco ACE entirely relies on the Modular Policy CLI framework.
After completing this activity, you will be able to meet these objectives:
Configure static NAT for a host
Configure static NAT for a subnet
Roll back the configuration
Required Resources
These are the resources and equipment required to complete this activity:
Cisco Catalyst 6500 with Supervisor Engine 720
Cisco ACE Module
Server minimally running Telnet and HTTP
-
8/12/2019 Acesm20 Lg
26/214
22 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Task 1: Configure Static NAT for a Host
In this task, you will configure static destination NAT (DNAT) for a host. The goal is to
configure the equivalent of a static (inside, outside) 172.16.PC.222 192.168.1.10 NAT, which
can be read as translate inside address 192.168.1.10 to 172.16.PC.222 on the outside.
Activity Visualization
The figure illustrates what you will accomplish in this task
2007 Cisco Systems, Inc. All rights reserved. ACESM v2.06
Static Destination NAT
Client209.165.201.PC
Cisco ACEVLAN 2PC
172.16.PC.12
Cisco ACEVLAN 4PC192.168.1.1
Server192.168.1.10
192.168.1.10172.16.PC.222Outside LocalOutside Global
Activity Procedure
Complete these steps:
Step 1 Connect to your Client PC.
Step 2 Connect directly to the Cisco ACE management IP address for your Lab 7 context.
C:\> telnet 172.16.PC.12
Trying 172.16.PC.12...
Connected to 172.16.PC.12 (172.16.PC.12).
Escape character is '^]'.
User Access Verification
Username: cisco
Password: cisco123
Step 3 Verify that you are in the correct context by looking at the prompt.
PodP-ACE/Lab-NAT-PC#
Step 4 Use the checkpoint system to roll back the configuration:
PodP-ACE/Lab-NAT-PC# checkpoint rollback static-nat-begin
-
8/12/2019 Acesm20 Lg
27/214
2007 Cisco Systems, Inc. Lab Guide 23
Note The Cisco ACE Module allows up to 10 configuration rollback checkpoints in each context.
To view the currently created checkpoints, use the show checkpoint allcommand. To view
the configuration contained in a checkpoint use the show checkpoint detail command.
Step 5 Execute show runto see what is preconfigured for this lab.
Step 6 The Cisco ACE Module allows users to set a session time that can be used to limit
the current session or to prevent it from ever timing out. For this lab, disable the
session time for your current session.
PodP-ACE/Lab-NAT-PC# terminal session-timeout 0
Note In configuration mode, login timeoutcan be use to modify the idle timeout of future
sessions.
Step 7 Create the INBOUNDaccess list to permit traffic from the client to the servers
NAT-translated address.
PodP-ACE/Lab-NAT-PC(config)# access-list INBOUND extendedpermit tcp host 209.165.201.PChost 172.16.PC.222
Step 8 Define a class map that matches the source IP you want to translate.
PodP-ACE/Lab-NAT-PC(config)# class-map LNX-SOURCED
PodP-ACE/Lab-NAT-PC(config-cmap)#match source-address192.168.1.10 255.255.255.255
PodP-ACE/Lab-NAT-PC(config-cmap)# exit
Step 9 Create a multimatch policy map that specifies NAT as the action. Provide the static
IP that will be used for the server, and define which VLAN the server traffic will use
after it has been NAT-translated.
PodP-ACE/Lab-NAT-PC(config)# policy-map multi-match SVR-NAT
PodP-ACE/Lab-NAT-PC(config-pmap)# class LNX-SOURCED
PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat ?
dynamic Configure dynamic network address translation
static Configure static network address translation
PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat static 172.16.PC.222netmask 255.255.255.255 vlan2PC
Step 10 Apply the multimatch policy and ACL to the server-side (inside) interface.
PodP-ACE/Lab-NAT-PC(config)# interface vlan 4PC
PodP-ACE/Lab-NAT-PC(config-if)# service-policy input SVR-NAT
Step 11 Use the show nat-fabriccommand to obtain detailed NAT runtime information:
PodP-ACE/Lab-NAT-PC# sh nat-fabric policies
Nat objects:
NAT object ID:2 mapped_if:11 policy_id:1 type:STATICstatic_xlate_id:2
ID:2 Static address translation
Real addr:192.168.1.10 Real port:0 Realinterface:12
Mapped addr:172.16.PC.222 Mapped port:0 Mappedinterface:11
-
8/12/2019 Acesm20 Lg
28/214
24 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Netmask:255.255.255.255
Step 12 Check the traffic statistics of the access list.
PodP-ACE/Lab-NAT-PC# show access-list INBOUND
access-list:INBOUND, elements: 1, status: NOT-ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host209.165.201.PChost 172.16.PC.222
Step 13 Why is the access list inactive? Was it applied to an interface?
PodP-ACE/Lab-NAT-PC# conf
Enter configuration commands, one per line. End with CNTL/Z.
PodP-ACE/Lab-NAT-PC(config-if)# int vlan 2PC
PodP-ACE/Lab-NAT-PC(config-if)# access-group input INBOUND
PodP-ACE/Lab-NAT-PC(config-if)# exit
PodP-ACE/Lab-NAT-PC(config)# exit
PodP-ACE/Lab-NAT-PC# show access-list INBOUND
access-list:INBOUND, elements: 1, status: ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host
209.165.201.PChost 172.16.PC.222 (hitcount=0)
Note The hitcount=0output is always the part to look for when showing an access list. If it is not
there, the access list is most likely not applied to a VLAN interface.
Step 14 If you initiate a long-lived connection (Telnet for example) from the Client PC to
172.16.PC.222, you will see the xlate entry on the Cisco ACE Module.
PodP-ACE/Lab-NAT-PC# sh xlate
NAT from vlan4PC:192.168.1.10 to vlan2PC:172.16.PC.222 count:1
Step 15 To see the NAT work, establish a Telnet connection from the context to the Linux
server. Switch to the user rootand start tethereal.
PodP-ACE/Lab-NAT-PC# telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
linux1 (Linux release 2.6.9-11.ELsmp #1 SMP Fri May 2018:26:27 EDT 2005) (0
)
login: cisco
Password for cisco: cisco
login: Resource temporarily unavailable while getting initialcredentials
Last login: Tue Jun 6 04:25:26 from 192.168.1.1
[cisco@linux1 ~]$ su -
Password: cisco123
[root@linux1 ~]# tethereal R "tcp.port == 80"
-
8/12/2019 Acesm20 Lg
29/214
2007 Cisco Systems, Inc. Lab Guide 25
Step 16 On the client, start a Ethereal sniffer trace on the 209.165.201.PCinterface. Then,
issue a wgetrequest from the command line to the servers static IP.
C:\tools\wget-1.10.2b>wget http://172.16.PC.222
--12:08:30-- http:// 172.16.PC.222/
=> `index.html.7'
Connecting to 172.16.PC.222:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,219 (1.2K) [text/html]
100%[====================================>] 1,219 --.--K/s
12:08:30 (8.67 MB/s) - `index.html.5' saved [1219/1219]
Step 17 Observe the tethereal output from the Linux server. Notice that the server IP is now
192.168.1.10 rather than 172.16.PC.222.
449.108905 209.165.201.PC-> 192.168.1.10TCP 2399 > http[SYN] Seq=0 Ack=0 Win=64270 Len=0 MSS=1460
449.109199 192.168.1.10 -> 209.165.201.PC TCP http > 2399[SYN, ACK] Seq=0 Ack=1 Win=5870 Len=0 MSS=1460
449.110228 209.165.201.PC-> 192.168.1.10 TCP 2399 > http[ACK] Seq=1 Ack=1 Win=64270 Len=0
449.117018 209.165.201.PC-> 192.168.1.10 HTTP GET / HTTP/1.0
449.117077 192.168.1.10 -> 209.165.201.PC TCP http > 2399[ACK] Seq=1 Ack=101 Win=5870 Len=0
449.137044 192.168.1.10 -> 209.165.201.PC HTTP HTTP/1.1 200OK
449.171825 192.168.1.10 -> 209.165.201.PC HTTP Continuationor non-HTTP traffic
449.143738 209.165.201.PC-> 192.168.1.10 TCP 2399 > http[ACK] Seq=101 Ack=1485 Win=64270 Len=0
449.149136 192.168.1.10 -> 209.165.201.PC TCP http > 2399[FIN, ACK] Seq=1485 Ack=101 Win=5870 Len=0
449.150719 209.165.201.PC-> 192.168.1.10 TCP 2399 > http[ACK] Seq=101 Ack=1486 Win=64270 Len=0
449.155886 209.165.201.PC-> 192.168.1.10 TCP 2399 > http[FIN, ACK] Seq=101 Ack=1486 Win=64270 Len=0
449.156071 192.168.1.10 -> 209.165.201.PC TCP http > 2399[ACK] Seq=1486 Ack=102 Win=5870 Len=0
Step 18 On the client, analyze the Ethereal trace.
-
8/12/2019 Acesm20 Lg
30/214
26 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
2007 Cisco Systems, Inc. All rights reserved. ACESM v2.07
Static NAT Client Output
Step 19 On the Cisco ACE Module, view the ACL, service policy, and connection counters.
PodP-ACE/Lab-NAT-PC# show access-list INBOUND
access-list:INBOUND, elements: 1, status: ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host209.165.201.PChost 172.16.PC.222
(hitcount=1)
PodP-ACE/Lab-NAT-PC# show service-policy SVR-NAT
Status : ACTIVE
-----------------------------------------
Interface: vlan 4PC
service-policy: SVR-NAT
class: LNX-SOURCE
nat:
nat static 172.16.PC.222 vlan 3PC
curr conns : 1 , hit count : 1
dropped conns : 0
client pkt count : 7 , client byte count: 396
server pkt count : 6 , server byte count: 1728
PodP-ACE/Lab-NAT-PC# show stats connection
+------------------------------------------+
+------- Connection statistics ------------+
+------------------------------------------+
Total Connections Created : 2
-
8/12/2019 Acesm20 Lg
31/214
2007 Cisco Systems, Inc. Lab Guide 27
Total Connections Current : 2
Total Connections Destroyed: 0
Total Connections Timed-out: 0
Total Connections Failed : 0
Step 20 Verify that server source NAT works as expected, which means that connections
sourced from the server 192.168.1.10 will be translated to 172.16.PC.222 as they
traverse the Cisco ACE Module.
PodP-ACE/Lab-NAT-PC(config)# access-list SVR-INIT extended
permit tcp host 192.168.1.10 anyPodP-ACE/Lab-NAT-PC(config)# int vlan 4PC
PodP-ACE/Lab-NAT-PC(config-if)# access-group input SVR-INIT
Step 21 Initiate a Telnet session from the Linux server to the client, then capture a sniffer
trace using Ethereal on the Client PC to verify the servers source IP address. Next,
capture a trace on the client to verify that the server source address is translated to
172.16.PC.222.
Note The Telnet session will fail because the client is not accepting Telnet connections.
[root@linux1 ~]# tethereal R "ip.addr == 209.165.201.0/24" &
[1] 10580
Capturing on eth0
[root@linux1 ~]# telnet 209.165.201.PC
Trying 209.165.201.PC...
34.711920 192.168.1.10 -> 209.165.201.PC TCP 34564 > telnet[SYN] Seq=0 Ack=0 Win=5870 Len=0 MSS=1460 TSV=822460873 TSER=0WS=2
34.716002 209.165.201.PC-> 192.168.1.10 TCP telnet > 34564[RST, ACK] Seq=0 Ack=0 Win=0 Len=0
telnet: connect to address 209.165.201.PC: Connection refused
telnet: Unable to connect to remote host: Connection
No. Source Destination Proto Info
28 172.16.PC.222 209.165.201.PC TCP 34563 > telnet [SYN]Seq=0 Ack=0 Win=5870 Len=0 MSS=146031 209.165.201.PC172.16.PC.222 TCP telnet > 34563 [RST, ACK] Seq=0 Ack=0Win=0 Len=06
PodP-ACE/Lab-NAT-PC# show service-policy SVR-NAT
Status : ACTIVE
-----------------------------------------
Interface: vlan 4PC
service-policy: SVR-NAT
class: LNX-SOURCED
nat:
nat static 172.16.PC.222 vlan 2PC
curr conns : 6 , hit count : 2
dropped conns : 0
client pkt count : 9 , client byte count: 516
server pkt count : 7 , server byte count: 1768
-
8/12/2019 Acesm20 Lg
32/214
28 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Task 2: Configure Static NAT for a Subnet
In this task you will configure the equivalent of a static destination NAT (DNAT) for the entire
server network. This task shows that NAT can be applied based on ACL matches and can
encompass an entire network address space.
Activity Visualization
The figure illustrates what you will accomplish in this task
2007 Cisco Systems, Inc. All rights reserved. ACESM v2.08
Static Destination NAT for a Subnet
Client209.165.201.PC
Cisco ACE
VLAN 2PC172.16.PC.12
Cisco ACE
VLAN 4PC192.168.1.1
Server192.168.1.10192.168.1.11192.168.1.12192.168.1.13192.168.1.14192.168.1.15
192.168.1.0/2410.1.PC.0/0Outside LocalOutside Global
Activity Procedure
Complete these steps:
Step 1 Create anaccess list named SVR-VLAN-INITto classify traffic initiated by a device
on the server VLAN.
PodP-ACE/Lab-NAT-PC(config)# access-list SVR-VLAN-INITextended permit tcp 192.168.1.0 255.255.255.0 any
Step 2 Define a class map named SERVER-VLAN-SOURCEDthat matches on the ACL
defined to classify server initiated traffic.
PodP-ACE/Lab-NAT-PC(config)# class-map match-all SERVER-VLAN-SOURCED
PodP-ACE/Lab-NAT-PC(config-cmap)#match access-listSVR-VLAN-INIT
PodP-ACE/Lab-NAT-PC(config)# exit
Step 3 Edit the multimatch policy map that specifies NAT as the action and remove the
previous class match.
PodP-ACE/Lab-NAT-PC(config)# policy-map multi-match SVR-NAT
PodP-ACE/Lab-NAT-PC(config-pmap)# no class LNX-SOURCED
Step 4 Provide the static IP subnet that will be used for the server traffic, and define which
VLAN the server traffic will use after it has been translated.
PodP-ACE/Lab-NAT-PC(config-pmap)# class SERVER-VLAN-SOURCED
-
8/12/2019 Acesm20 Lg
33/214
2007 Cisco Systems, Inc. Lab Guide 29
PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat static 172.16.PC.0netmask 255.255.255.0 vlan 2PC
Error: Specified ip address duplicates with an existing ipaddress configured in the context!
Note IP addresses which overlap existing interface VLAN spaces are not allowed. This prevents
the possibility of introducing duplicate IPs.
PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat static 172.16.PC.128netmask 255.255.255.128 vlan 2PC
Error: NAT static mapped ip netmask has to match with real ipnetmask!
Note When matching a subnet, the static NAT range must have the same number of available IP
addresses as the ACL classifies.
PodP-ACE/Lab-NAT-PC(config-pmap-c)# nat static 10.1.PC.0netmask 255.255.255.0 vlan 2PC
Step 5 Ensure that NAT is applied in both directions by modifying the existing ACL and
applying it to the server side (inside) interface. Without an ACL, clients cannot
initiate connections to the servers.
PodP-ACE/Lab-NAT-PC(config)# no access-list INBOUND
PodP-ACE/Lab-NAT-PC(config)# access-list INBOUND extendedpermit tcp host 209.165.201.PCany
PodP-ACE/Lab-NAT-PC(config)# interface vlan 2PC
PodP-ACE/Lab-NAT-PC(config-if)# access-group input INBOUND
Step 6 Define a static route on the client to allow the client to reach the translated subnet
10.1.PC.0/24.
C:\tools\wget-1.10.2b> route add 10.1.PC.0 mask 255.255.255.0209.165.201.PC
Step 7 Verify that your static subnet NAT is working. Telnet to the servers
(10.1.PC.10 - 10.1.PC.15) from your Client PC; try several servers. While you are
logged into at least one server session, execute a show connand a show xlateto see
the destination NAT.
Pod1-ACE/Lab-NAT-11# show conn
total current connections : 4
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
12 2 in TCP 211 209.165.201.PC:1039 172.16.PC.12:23 ESTAB
6 2 out TCP 211 172.16.PC.12:23 209.165.201.PC:1039 ESTAB
10 2 in TCP 211 209.165.201.PC:1250 10.1.11.PC:23 ESTAB9 2 out TCP 411 192.168.1.PC:23 209.165.201.PC:1250 ESTAB
Pod1-ACE/Lab-NAT-11# show xlate
NAT from vlan411:192.168.1.15 to vlan211:10.1.11.15 count:1
Step 8 Keeping your client-initiated Telnet connection open, examine the Cisco ACE
counters.
PodP-ACE/Lab-NAT-PC(config-if)#do sho service-policy SVR-NAT
Status : ACTIVE
-
8/12/2019 Acesm20 Lg
34/214
30 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
-----------------------------------------
Interface: vlan 4PC
service-policy: SVR-NAT
class: SERVER-VLAN-SOURCED
nat:
nat static 10.1.PC.0 vlan 2PC
curr conns : 2 , hit count : 2
dropped conns : 0
client pkt count : 18 , client byte count:871
server pkt count : 19 , server byte count:956
PodP-ACE/Lab-NAT-PC(config-if)# do sho access-list INBOUND
access-list:INBOUND, elements: 1, status: ACTIVE
remark :
access-list INBOUND line 10 extended permit tcp host209.165.201.PCany (hitcount=1)
Task 3: Apply the Baseline ConfigurationThe Cisco ACE Module ensures that no duplicate IPs exist across contexts per VLAN. Due to
the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the
server, so that the VLAN interface can be reused in the remaining labs.
Note If you want to compare your completed configuration with the one in the Answer Key
provided at the end of this lab, be sure to do so before you complete this task.
Activity Procedure
Use the checkpoint feature to roll back to baseline-mgmt.
PodP-ACE/Lab-NAT-PC# checkpoint rollback baseline-mgmtThis operation will rollback the system's running configuration
to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded
Activity Verification
You have completed this task when you have removed the server VLAN from the context.
-
8/12/2019 Acesm20 Lg
35/214
-
8/12/2019 Acesm20 Lg
36/214
32 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Lab 2 Task 2 Answer Key
Changes from the previous task are bolded.
access-list INBOUND line 8 extended permit tcp host 209.165.201.PCany
access-list SVR-INIT line 8 extended permit tcp host 192.168.1.10 any
access-list SVR-VLAN-INIT line 8 extended permit tcp 192.168.1.0255.255.255.0 any
class-map match-all LNX-SOURCED
2 match source-address 192.168.1.10 255.255.255.255
class-map match-all SERVER-VLAN-SOURCED
2 match access-list SVR-VLAN-INIT
class-map type management match-any remote-access
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match remote-mgmt
class remote-access
permit
policy-map multi-match SVR-NAT
class SERVER-VLAN-SOURCED
nat static 10.1.PC.0 netmask 255.255.255.0 vlan 2PC
interface vlan 2PC
ip address 172.16.PC.12 255.255.255.0
access-group input INBOUNDservice-policy input remote-mgmt
no shutdown
interface vlan 3PC
ip address 10.10.10.1 255.255.255.0
interface vlan 4PC
ip address 192.168.1.1 255.255.255.0
access-group input SVR-INIT
service-policy input SVR-NAT
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.PC.1username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/ roleAdmin domain default-domain
-
8/12/2019 Acesm20 Lg
37/214
2007 Cisco Systems, Inc. Lab Guide 33
Lab 3: Configuring Server Load BalancingComplete this lab activity to practice what you learned in the related lesson.
Activity Objective
In this exercise, you will configure your ACE context to match traffic destined for the VIP and
load-balance these flows to the real servers (rservers) on a private network behind your ACE
context. To accomplish this, you will apply class maps to classify client traffic destined to aVIP address. The Cisco ACE Module will load-balance that traffic to a server farm and one of
the rservers will be selected to respond to the client request. To allow client traffic into the
ACE context, you must configure an access list.
After you complete this lab, you will be able to meet the following objectives:
Define real server containers and server farms containers
Configure class and policy maps to provide load balancing
Observe the Cisco ACE Module load-balancing client traffic
Configure Dynamic Source NAT to VIP
Roll back the configuration
Visual Objective
The figure illustrates what you will accomplish in this activity.
2007 Cisco Systems, Inc. All rights reserved. ACESM v2.09
Interface Service PolicyApply to Any Interface
Multimatch Policy Map
Configuring Server Load Balancing
MSFC
Cisco ACE
Catalyst6500
Client
Servers
Traffic Class MapMatch VIP Connections
Load-Balancing Policy Map
Default Class
RealServer 1
RealServer 2
Server Farm
Only Allow Traffic Destined to a VIP
-
8/12/2019 Acesm20 Lg
38/214
34 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Required Resources
These are the resources and equipment that are required to complete this activity:
Cisco Catalyst 6500 with Supervisor Engine 720 and ACE Module
Client PC with a Telnet client and web browsers
Server minimally running Telnet and HTTP
Task 1: Configure Real ServersIn this task, you will connect to a context (specified by the IP address in step 2) and create a
configuration for the real servers within the pod. The Cisco ACE Module has administrative
connectivity enabled for the client.
Activity Procedure
Complete these steps:
Step 1 Connect to your Client PC.
Step 2 Connect directly to the Cisco ACE management IP address for your Lab 3 context.
C:\> telnet 172.16.PC.5
Trying 172.16.PC.5...
Connected to 172.16.PC.5 (172.16.PC.5).
Escape character is '^]'.
User Access Verification
Username: cisco
Password: cisco123
Step 3 Verify that you are in the correct context by looking at the prompt.
PodP-ACE/Lab-SLB-PC#
Step 4 Use the checkpoint system to roll back the configuration:PodP-ACE/Lab-SLB-PC# checkpoint rollback baseline-mgmt
Step 5 Execute show runto see what is preconfigured for this lab.
Step 6 The first step in setting up a load-balancing configuration in an ACE context is to
create real server instances, known as rservers. Use this naming convention:
DC5-LNX
PodP-ACE/Lab-SLB-PC# conf t
Enter configuration commands, one per line. End with CNTL/Z.
PodP-ACE/Lab-SLB-PC(config)# rserver DC5-LNX1
Note There are two types of rservers: host and redirect. The default is host; you do not have to
specify the host type in the CLI when you create rservers. The redirect type allows the Cisco
ACE Module to redirect web clients to a different site. In this lab, you will use the host type
only.
-
8/12/2019 Acesm20 Lg
39/214
2007 Cisco Systems, Inc. Lab Guide 35
Step 7 In the rserver object, assign the IP address of the real server and inservice the object.
Use the IP address of 192.168.1.11 for the first real web server.
PodP-ACE/Lab-SLB-PC(config-rserver-host)# ip address192.168.1.11
PodP-ACE/Lab-SLB-PCpodPclientC(config-rserver-host)# inservice
PodP-ACE/Lab-SLB-PC(config-rserver-host)# exit
Step 8 Create another rserver using the IP address of the second real web server
192.168.1.12 with the name DC5-LNX2.
PodP-ACE/Lab-SLB-PC(config)# rserver DC5-LNX2
PodP-ACE/Lab-SLB-PC(config-rserver-host)# ip address192.168.1.12
PodP-ACE/Lab-SLB-PC(config-rserver-host)# inservice
PodP-ACE/Lab-SLB-PC(config-rserver-host)# exit
Step 9 Show the rservers you have just created by using the show runand show rserver
commands.
PodP-ACE/Lab-SLB-PC(config)# do show run rserver
rserver host DC5-LNX1
ip address 192.168.1.11inservice
rserver host DC5-LNX2
ip address 192.168.1.12
inservice
PodP-ACE/Lab-SLB-PC(config)# do show rserver DC5-LNX1
rserver : DC5-LNX1, type: HOST
state : INACTIVE
---------------------------------
----------connections-----------
real weight state currenttotal
---+---------------------+------+------------+----------+--------------------
Step 10 After the rservers have been created, they must be added to a server farm for use in
load balancing. Currently, the only server farm type is host.
PodP-ACE/Lab-SLB-PC(config)# serverfarm SERVERS1
Step 11 Add the recently created rservers to the server farm.
PodP-ACE/Lab-SLB-PC(config-sfarm-host)# rserver DC5-LNX1
PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# inservicePodP-ACE/Lab-SLB-PC(config-sfarm-host)#rserver DC5-LNX2
Step 12 Notice that the output from the show rservercommand has changed after the
rservers were added to the server farm.
PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# do show rserverDC5-LNX1
rserver : DC5-LNX1, type: HOST
-
8/12/2019 Acesm20 Lg
40/214
36 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
state : OPERATIONAL
---------------------------------
----------connections-----------
real weight state currenttotal
---+---------------------+------+------------+----------+--------------------
serverfarm: SERVERS1
192.168.1.11:0 8 OPERATIONAL 0 0
PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# do show rserverDC5-LNX2
rserver : DC5-LNX2, type: HOST
state : OPERATIONAL
---------------------------------
----------connections-----------
real weight state currenttotal
---+---------------------+------+------------+----------+--------------------
serverfarm: SERVERS1
192.168.1.12:0 8 OUTOFSERVICE0 0
Note Be sure to inservicethe rservers within the server farm. Failure to do so will cause Cisco
ACE Module to consider these rservers out of service, and the server farm will not be
capable of receiving or responding to client requests.
PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# inservice
PodP-ACE/Lab-SLB-PC(config-sfarm-host-rs)# do show serverfarmSERVERS1
serverfarm : SERVERS1, type: HOST
total rservers : 2
---------------------------------
----------connections-----------
real weight state currenttotal
---+---------------------+------+------------+----------+--------------------
rserver: DC5-LNX1192.168.1.11:0 8 OPERATIONAL 0 0
rserver: DC5-LNX2
192.168.1.12:0 8 OPERATIONAL 0 0
What is odd about these rservers being in the OPERATIONAL state?
Can you ping them? Why or why not?
Execute a do show arp. Are the rservers up?
-
8/12/2019 Acesm20 Lg
41/214
2007 Cisco Systems, Inc. Lab Guide 37
Step 13 Add the other three web servers to the server farm before going onto the next step
and ensure that all five web servers are in the OPERATIONAL state.
The three additional web servers are as follows; put them into the server farm SERVERS1:
DC5-LNX3 192.168.1.13
DC5-LNX4 192.168.1.14
DC5-LNX5 192.168.1.15
Step 14 Add a new interface to allow the Cisco ACE Module to communicate with the real
servers. Use IP address 192.168.1.1/24 for VLAN 4PC.
PodP-ACE/Lab-SLB-PC(config)# interface vlan 4PC
PodP-ACE/Lab-SLB-PC(config-if)# ip address 192.168.1.1255.255.255.0
PodP-ACE/Lab-SLB-PC(config-if)# description Servers vlan
PodP-ACE/Lab-SLB-PC(config-if)# no shut
PodP-ACE/Lab-SLB-PC(config-if)# exit
PodP-ACE/Lab-SLB-PC(config)# exit
Note VLAN 4PCis already configured in the Catalyst 6500 and the Admin context to be available
to this context.
Catalyst 6500 Config:
svclc multiple-vlan-interfaces
svclc module 1 vlan-group 1,2
svclc vlan-group 1 2P1-2P8
svclc vlan-group 2 4P1-4P8
Ace-Module/Admin:
context Lab-SLB-PC
allocate-interface vlan 2PC
allocate-interface vlan 4PC
Step 15 Use the show arpcommand to observe how the Cisco ACE Module populates its
ARP table.
PodP-ACE/Lab-SLB-PC# show arp
Context Lab-SLB-21
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
172.16.PC.1 00.d0.04.ec.0c.00 vlan2PC GATEWAY 71 61 sec up
172.16.PC.31 00.12.43.dc.83.05 vlan2PC INTERFACE LOCAL _ up
192.168.1.1 00.05.9a.3b.9a.c1 vlan4PC INTERFACE LOCAL _ up
192.168.1.11 00.50.56.29.01.01 vlan4PC RSERVER 78 297 sec up
192.168.1.12 00.50.56.29.01.01 vlan4PC RSERVER 77 297 sec up
192.168.1.13 00.50.56.29.01.01 vlan4PC RSERVER 81 297 sec up
192.168.1.14 00.50.56.29.01.01 vlan4PC RSERVER 80 297 sec up
192.168.1.15 00.50.56.29.01.01 vlan4PC RSERVER 79 297 sec up
================================================================================
Total arp entries 8
-
8/12/2019 Acesm20 Lg
42/214
38 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Activity Verification
You have completed this task when you have:
Verified that the rservers are in the OPERATIONAL state.
Verified that the rservers are in the OPERATIONAL state within the server farm.
Confirmed that ARP entries exist for each of the rservers.
Task 2: Configuring Load-Balancing Class Maps and PolicyMaps
The Cisco ACE Module uses a Modular Policy CLI to classify incoming traffic with class
maps, which are then used in policy maps to force an action based on the class map match. The
simplest of these type of matches is load balancing based on a clients attempt to reach a virtual
IP address. This type of a match is considered Layer 3 because it matches only the destination
IP and then makes a load-balancing decision.
Activity Procedure
Complete these steps:
Step 1 Start by creating a class map to distinguish traffic destined for a virtual IP (VIP)
from traffic destined elsewhere. Use the IP address 172.16.PC.50.
PodP-ACE/Lab-SLB-PC(config)# class-map VIP-50
PodP-ACE/Lab-SLB-PC(config-cmap)#match virtual-address172.16.PC.50 any
Step 2 A policy map of type loadbalance is required. The Cisco ACE Module will attempt
to match a defined class map at Layer 507 in the order of occurrence as indicated by
the keyword first-match. The class-default map will handle non-matching client
requests. The significance of the class map order will be apparent in a later lab. For
this task, simply create a load-balancing policy map named LB-LOGIC and use the
class-default map.
PodP-ACE/Lab-SLB-PC(config)# policy-map type loadbalancefirst-match LB-LOGIC
PodP-ACE/Lab-SLB-PC(config-pmap-lb)# class class-default
PodP-ACE/Lab-SLB-PC(config-pmap-lb-c)# serverfarm SERVERS1
Step 3 Use the show run policy-mapcommand to view the configuration additions.
PodP-ACE/Lab-SLB-PC(config-pmap-lb-c)# do show run policy-map
policy-map type management first-match remote-mgmt
class remote-access
permit
policy-map type loadbalance first-match LB-LOGICclass class-default
serverfarm SERVERS1
Step 4 Add another policy map called CLIENT-VIPS, but this time set the type to be multi-
match. This policy simply ties classified incoming requests (at Layer 3 or Layer 4)
to a load-balancing policy map. Create a multimatch policy and apply the class map
to define the VIP address.
PodP-ACE/Lab-SLB-PC(config)# policy-map multi-match CLIENT-VIPS
-
8/12/2019 Acesm20 Lg
43/214
2007 Cisco Systems, Inc. Lab Guide 39
PodP-ACE/Lab-SLB-PC(config-pmap)# class VIP-50PodP-ACE/Lab-SLB-PC(config-pmap-c)# loadbalance policy LB-LOGIC
PodP-ACE/Lab-SLB-PC(config-pmap-c)# loadbalance vip inservice
Step 5 View the running configuration to observe the new policy map.
PodP-ACE/Lab-SLB-PC(config-pmap-c)# do show run policy-map
Generating configuration....
policy-map type management first-match remote-mgmtclass remote-access
permit
policy-map type loadbalance first-match LB-LOGIC
class class-default
serverfarm SERVERS1
policy-map multi-match CLIENT-VIPS
class VIP-50
loadbalance vip inservice
loadbalance policy LB-LOGIC
Step 6 Apply the multimatch policy map to the client-facing interface.
PodP-ACE/Lab-SLB-PC(config)# interface vlan 2PC
PodP-ACE/Lab-SLB-PC(config-if)# service-policy input CLIENT-VIPS
Step 7 Verify that the VIP is applied and in service (meaning the Cisco ACE Module will
respond to traffic destined to the VIP address). Use the show service-policy
command with and without the detailparameter to view the additional information
the Cisco ACE Module provides.
PodP-ACE/Lab-SLB-PC(config-if)# do sho service-policy CLIENT-VIPS
Status : ACTIVE-----------------------------------------
Interface: vlan 2PC
service-policy: client-vips
class: VIP-50
loadbalance:
L7 loadbalance policy: lb-logic
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 0dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
PodP-ACE/Lab-SLB-PC(config-if)# do sho service-policy CLIENT-VIPS detail
Status : ACTIVE
-
8/12/2019 Acesm20 Lg
44/214
40 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Description: -
-----------------------------------------
Interface: vlan 2PC
service-policy: CLIENT-VIPS
class: VIP-50
loadbalance:
L7 loadbalance policy: LB-LOGIC
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
L7 Loadbalance policy : lb-logic
class/match : class-default
LB action :
serverfarm: SERVERS1
hit count : 0
dropped conns : 0
Step 8 Create a new access list from the global configuration.
PodP-ACE/Lab-SLB-PC(config)# access-list anyone extendedpermit tcp any any
Step 9 Apply the access list to the client-facing interface.
PodP-ACE/Lab-SLB-PC(config)# interface vlan 2PC
PodP-ACE/Lab-SLB-PC(config-if)# access-group input anyone
PodP-ACE/Lab-SLB-PC(config-if)# do sho access-list anyone
access-list:anyone, elements: 1, status: ACTIVE
remark :
access-list anyone line 10 extended permit tcp any any(hitcount=0)
Activity Verification
You have completed this task when you have:
Verified that the service policy is in the ACTIVE state.
Verified that the access list is in the ACTIVE state.
-
8/12/2019 Acesm20 Lg
45/214
2007 Cisco Systems, Inc. Lab Guide 41
Task 3: Test the New VIP Load-Balancing Configuration
In this task, you will create a baseline configuration for all other labs.
Activity Procedure
Complete these steps:
Step 1 Use a browser on the Client PC to verify that the Cisco ACE Module is load-
balancing traffic to the server farm using the URL http://172.16.PC.50.
Note The color of an image indicates which server supplied the image.
Step 2 Notice that the service policy counters increment as connections are handled.
PodP-ACE/Lab-SLB-PC(config-if)# do sho service-policy CLIENT-VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 2PC
service-policy: CLIENT-VIPSclass: VIP-50
loadbalance:
L7 policy: LB-LOGIC
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 10
dropped conns : 0
client pkt count : 71 , client byte count: 5520
server pkt count : 90 , server byte count:64712
Step 3 Show the ACL to see the number of incoming requests.
PodP-ACE/Lab-SLB-PC(config-if)# do sho access-list anyone
access-list:anyone, elements: 1, status: ACTIVE
remark :
access-list anyone line 10 extended permit tcp any any(hitcount=10)
Activity Verification
You have completed this task when you have:
Verified that the Cisco ACE Module load-balanced an HTTP request to the VIP.
-
8/12/2019 Acesm20 Lg
46/214
42 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Task 4: Configure Dynamic NAT
The goal of this exercise is to use dynamic source NAT (SNAT) for traffic from the client
destined to the VIP. You will use dynamic NAT to translate the clients IP (209.165.201.PC) to
10.0.0.1-10.0.0.6. Keep in mind that the Cisco ACE Module also does an implicit destination
NAT (DNAT) operation when load-balancing traffic from the VIP to the rserver.
Activity Visualization
The figure illustrates what you will accomplish in this task.
2007 Cisco Systems, Inc. All rights reserved. ACESM v2.010
Dynamic Source NAT for a Subnet
Client209.165.201.PC
Cisco ACEVLAN 2PC
172.16.PC.5
Cisco ACEVIP172.16.PC.150
Server192.168.1.10192.168.1.11192.168.1.12192.168.1.13192.168.1.14192.168.1.15
10.0.0.1-6209.165.201.PCInside GlobalOutside Global
192.168.1.11-1510.0.0.1-6
Translated (NAT) andLoad- Balanced to:
Translated (NAT) to:
172.16.PC.150209.165.201.PC
Destination AddressSource Address
Activity ProcedureComplete these steps:
Step 1 Continue from the last task or use the checkpoint system to roll the configuration to
the slb-end configuration.
Step 2 Verify that you are in the correct context by looking at the prompt.
PodP-ACE/Lab-SLB-PC#
Step 3 Execute the show runcommand to see what is preconfigured for this lab.
Step 4 Create the ALLOW-CLIaccess list to permit the client to send traffic to the server.
PodP-ACE/Lab-SLB-PC(config)# access-list ALLOW-CLI extended
permit ip 209.165.201.0 255.255.255.0 anyStep 5 Dynamic NAT also uses a class map to define what traffic is to be translated, so
create a class map to match any client traffic:
PodP-ACE/Lab-SLB-PC(config)#class-map match-all CLIENT-SOURCED
PodP-ACE/Lab-SLB-PC(config-cmap)#match source-address209.165.201.0 255.255.255.0
-
8/12/2019 Acesm20 Lg
47/214
2007 Cisco Systems, Inc. Lab Guide 43
Step 6 You need a policy map that says dynamic NAT is to be performed on traffic
matched by the class map CLIENT-SOURCED. You will also create a NAT pool
identified as 123 that uses the source addresses 192.168.1.200 through
192.168.1.205.
PodP-ACE/Lab-SLB-PC(config)#policy-map multi-match NATRULES
PodP-ACE/Lab-SLB-PC(config-pmap)#class CLIENT-SOURCED
PodP-ACE/Lab-SLB-PC(config-pmap-c)#nat dynamic 123 vlan 4PC
Step 7 Define the NAT pool itself on the server-side interface.
PodP-ACE/Lab-SLB-PC(config)#interface vlan 4PC
PodP-ACE/Lab-SLB-PC(config-if)# nat-pool 123 10.0.0.1 10.0.0.6netmask 255.255.255.0
Step 8 Apply the NAT service policy and the ACL to the client-side interface, where the
source IP that need to be translated reside. (Remove the previous ACL named
anyone first.)
PodP-ACE/Lab-SLB-PC(config)# interface vlan 2PC
PodP-ACE/Lab-SLB-PC(config-if)#no access-group input anyone
PodP-ACE/Lab-SLB-PC(config-if)#access-group input ALLOW-CLI
PodP-ACE/Lab-SLB-PC(config-if)#service-policy input NATRULES
Step 9 To verify that the NAT rules were applied correctly, verify that the NAT fabric isconfigured.
PodP-ACE/Lab-SLB-PC# sho nat-fabric policies
Nat objects:
NAT object ID:15 mapped_if:240 policy_id:22type:DYNAMIC nat_pool_id:5
Pool ID:5 PAT:0 pool_id:123 mapped_if:240Ref_count:1 ixp_bindin
g:in IXP1
lower:10.0.0.1 upper:10.0.0.6 Bitmap:0x1fList of NAT object IDs: 15
Step 10 To verify the NAT configuration, establish a Telnet connection from the context to
the Linux server. Switch to the user root and start tethereal.
PodP-ACE/Lab-SLB-PC# telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
linux1 (Linux release 2.6.9-11.ELsmp #1 SMP Fri May 2018:26:27 EDT 2005) (0)
login: cisco
Password for cisco: cisco
login: Resource temporarily unavailable while getting initialcredentials
Last login: Tue Jun 6 04:25:26 from 192.168.1.1
[cisco@linux1 ~]$ su -
Password: cisco123
[root@linux1 ~]#tethereal R "tcp.port == 80"
-
8/12/2019 Acesm20 Lg
48/214
44 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
On the client issue a wget request from the command line.
C:\tools\wget-1.10.2b>wget http://172.16.PC.50
--12:08:30-- http://172.16.PC.50/
=> `index.html.5'
Connecting to 172.16.PC.50:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,219 (1.2K) [text/html]
100%[====================================>] 1,219 --.--K/s
12:08:30 (8.67 MB/s) - `index.html.5' saved [1219/1219]
Observe the client IP is now 10.0.0.1 10.0.0.6 in the tethereal output from the Linux server.
Capturing on eth0
3060.106616 10.0.0.1 -> 192.168.1.11 TCP 3991 > http [SYN]Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
3060.106689 192.168.1.11 -> 10.0.0.1 TCP http > 3991 [SYN,ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3060.107030 10.0.0.1 -> 192.168.1.11 TCP 3991 > http [ACK]Seq=1 Ack=1 Win=64240 Len=0
3060.107762 10.0.0.1 -> 192.168.1.11 HTTP GET / HTTP/1.0
3060.107781 192.168.1.11 -> 10.0.0.1 TCP http > 3991 [ACK]Seq=1 Ack=101 Win=5840 Len=0
3060.115186 192.168.1.11 -> 10.0.0.1 HTTP HTTP/1.1 200 OK
3060.115285 192.168.1.11 -> 10.0.0.1 HTTP Continuation ornon-HTTP traffic
3060.115490 192.168.1.11 -> 10.0.0.1 TCP http > 3991 [FIN,ACK] Seq=1321 Ack=101 Win=5840 Len=0
3060.115851 10.0.0.1 -> 192.168.1.11 TCP 3991 > http [ACK]Seq=101 Ack=1322 Win=62920 Len=0
3060.122303 10.0.0.1 -> 192.168.1.11 TCP 3991 > http [FIN,ACK] Seq=101 Ack=1322 Win=62920 Len=0
3060.122336 192.168.1.11 -> 10.0.0.1 TCP http > 3991 [ACK]Seq=1322 Ack=102 Win=5840 Len=0
Step 11 Use the show service policycommand to view NAT statistics.
PodP-ACE/Lab-SLB-PC#sho service-policy NATRULES
Status : ACTIVE
-----------------------------------------
Interface: vlan 2PC
service-policy: NATRULES
class: CLIENT-SOURCED
nat:
nat dynamic 123 vlan 4PC
curr conns : 4 , hit count : 4
dropped conns : 0
client pkt count : 28 , client byte count: 1584
server pkt count : 24 , server byte count: 6912
-
8/12/2019 Acesm20 Lg
49/214
2007 Cisco Systems, Inc. Lab Guide 45
Step 12 If you initiate a long-lived flow for the client to the server, you can observe the
dynamic NAT in the show connoutput.
PodP-ACE/Lab-SLB-PC# sho conn
total current connections : 2
conn-id np dir proto vlan source destination state----------+--+---+-----+----+---------------------+---------------------+------+18 2 in TCP 2PC 209.165.201.PC:4063 172.16.PC.50:23 ESTAB
10 2 out TCP 4PC 192.168.1.15:23 10.0.0.1:4063 ESTAB
Activity Verification
You have completed this task when connections to the rserver are sourced from the 10.0.0.0
network instead of the original source network.
Task 5: Apply the Baseline Configuration
The Cisco ACE Module ensures that no duplicate IPs exist across contexts per VLAN. Due to
the overlapping IPs used in this lab, it is necessary to remove the VLAN interface for the
server, so that the VLAN interface can be reused in the remaining labs.
Note If you want to compare your completed configuration with the one in the Answer Keyprovided at the end of this lab, be sure to do so before you complete this task.
Activity Procedure
Use the checkpoint feature to roll back to baseline-mgmt.
PodP-ACE/Lab-SLB-PC# checkpoint rollback baseline-mgmt
This operation will rollback the system's running configuration
to the checkpoint's configuration.
Do you wish to proceed? (y/n) [n] y
Rollback in progress, please wait...
Generating configuration....Rollback succeeded
Activity Verification
You have completed this task when you have removed the server VLAN from the context.
-
8/12/2019 Acesm20 Lg
50/214
46 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
Answer Key: Configuring Server Load-Balancing
When you complete this activity, your ACE context running configuration file will be similar to
the following, with differences that are specific to your device or workgroup.
Initial Configuration Sample (Pre-Task 1)
PodP-ACE/Lab-SLB-PC# sho run
Generating configuration....
class-map type management match-any remote-access
description remote-access
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match remote-mgmt
class remote-access
permit
interface vlan 2PCip address 172.16.PC.11 255.255.255.0
service-policy input remote-mgmt
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.PC.1
username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0 roleAdmin domain
default-domain
-
8/12/2019 Acesm20 Lg
51/214
2007 Cisco Systems, Inc. Lab Guide 47
Lab 3 Task 3 Configuration Sample for a Working SLB ConfigurationPodP-ACE/Lab-SLB-PC# sho run
Generating configuration....
access-list anyone line 10 extended permit tcp any any
rserver host DC5-LNX1
ip address 192.168.1.11inservice
rserver host DC5-LNX2
ip address 192.168.1.12
inservice
rserver host DC5-LNX3
ip address 192.168.1.13
inservice
rserver host DC5-LNX4
ip address 192.168.1.14
inservice
rserver host DC5-LNX5ip address 192.168.1.15
inservice
serverfarm host SERVERS1
rserver DC5-LNX1
inservice
rserver DC5-LNX2
inservice
rserver DC5-LNX3
inservice
rserver DC5-LNX4
inservice
rserver DC5-LNX5
inservice
class-map match-all VIP-50
2 match virtual-address 172.16.PC.50 any
class-map type management match-any remote-access
description remote-access
2 match protocol telnet any
3 match protocol ssh any4 match protocol icmp any
policy-map type management first-match remote-mgmt
class remote-access
permit
policy-map type loadbalance first-match LB-LOGIC
class class-default
serverfarm SERVERS1
-
8/12/2019 Acesm20 Lg
52/214
48 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
policy-map multi-match CLIENT-VIPS
class VIP-50
loadbalance vip inservice
loadbalance policy LB-LOGIC
interface vlan 2PC
ip address 172.16.PC.11 255.255.255.0
access-group input anyone
service-policy input remote-mgmt
service-policy input CLIENT-VIPS
no shutdown
interface vlan 4PC
description Servers vlan
ip address 192.168.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.PC.1
username cisco password 5 $1$36iNgaXz$XzVbOllHUrxkP5FBEULiv0 roleAdmin domain
default-domain
-
8/12/2019 Acesm20 Lg
53/214
2007 Cisco Systems, Inc. Lab Guide 49
Lab 3 Task 4 Configuration Example
Pod1-ACE/Lab-SLB-PC# sh run
Generating configuration....
login timeout 0
access-list ALLOW-CLI line 23 extended permit ip 209.165.201.0255.255.255.0 any
access-list anyone line 10 extended permit tcp any any
rserver host dc5-lnx1
ip address 192.168.1.11
inservice
rserver host dc5-lnx2
ip address 192.168.1.12
inservice
rserver host dc5-lnx3
ip address 192.168.1.13
inservicerserver host dc5-lnx4
ip address 192.168.1.14
inservice
rserver host dc5-lnx5
ip address 192.168.1.15
inservice
serverfarm host SERVERS1
rserver dc5-lnx1
inservice
rserver dc5-lnx2
inservice
rserver dc5-lnx3
inservice
rserver dc5-lnx4
inservice
rserver dc5-lnx5
inservice
class-map match-all CLIENT-SOURCED
2 match source-address 209.165.201.0 255.255.255.0
class-map match-all VIP-50
2 match virtual-address 172.16.PC.50 any
class-map type management match-any remote-access
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
-
8/12/2019 Acesm20 Lg
54/214
50 Implementing the Application Control Engine Service Module (ACESM) v2.0 2007 Cisco Systems, Inc.
policy-map type management first-match remote-mgmt
class remote-access
permit
policy-map type loadbalance http first-match slb5-logic
class class-default
serverfarm SERVERS1
policy-map multi-match NATRULES
class CLIENT-SOURCED
nat dynamic 123 vlan 4PC
policy-map multi-match client-vips
class VIP-50
loadbalance vip inservice
loadbalance policy slb5-logic
interface vlan 2PC
description Client vlan
ip address 172.16.PC.5 255.255.255.0
access-group input ALLOW-CLI
service-policy input remote-mgmt
service-policy input client-vips
service-policy input NATRULES
no shutdown
interface vlan 411
description Servers vlan
ip address 192.168.1.1 255.255.255.0
nat-pool 123 10.0.0.1 10.0.0.6 netmask 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.PC.1
username cisco password 5 $1$DLODpUTE$pzudNN.PTCWK.E45AsyCz/ roleAdmin domain default-domain
-
8/12/2019 Acesm20 Lg
55/214
2007 Cisco Systems, Inc. Lab Guide 51
Lab 4: Implementing Health MonitoringComplete this lab activity to practice what you learned in the related lesson.
Activity Objective
In this exercise, you will configure your ACE context to monitor real servers. After completing
this exercise, you will be able to meet these objectives:
Define health monitoring for a real server
Define health monitoring for a real server with a server farm
Define health monitoring for an entire server farm
Define passive health monitoring checks for a server farm
Configure the Cisco ACE action on a server failure