Release Note for the Cisco 4700 Series Application Control Engine Appliance


June 9, 2008

Note: The most current Cisco documentation for released products is also available on Cisco.com.

Contents

This release note applies to the following software versions for the Cisco 4700 Series Application Control Engine (ACE) appliance:
A1(8.0a)
A1(8.0)
A1(7b)
A1(7a)
A1(7)

For information on the ACE appliance features and configuration details, see the ACE documentation located on Cisco.com at:

This release note contains the following sections:
New Software Features in A1(8.0)
Software Feature Changes in A1(8.0)
Available ACE Licenses
Ordering an Upgrade License and Generating a Key
Upgrading Your ACE Software from A1(7x) to A1(8.0x) in a Redundant Configuration
Downgrading Your ACE Software from Version A1(8.0x) to A1(7x) in a Redundant Configuration
Supported Browsers for ACE Appliance Device Manager
ACE Operating Considerations
ACE Documentation Set
Software Version A1(8.0a) Resolved Caveats

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA USA. 2008 Cisco Systems, Inc. All rights reserved.

Software Version A1(8.0) Resolved Caveats, Open Caveats, and Command Changes
Software Version A1(7b) Resolved and Open Caveats
Software Version A1(7a) Resolved and Open Caveats
Software Version A1(7) Open Caveats
Obtaining Documentation and Submitting a Service Request

New Software Features in A1(8.0)

This section describes the new features in ACE software version A1(8.0). It contains the following topics:
New Performance Throughput and HTTP Compression Licenses
Configuring KAL-AP
Autogenerating a MAC Address for a VLAN Interface
Enabling Source MAC Validation
Changes to the Packet Capture Utility
Bandwidth Reservation for Management Traffic
Setting the Maximum Receive or Transmit Buffer Share
Configuring the Rate Limit for Gratuitous ARP Packets
Configuring a Bank of MAC Addresses for Shared VLANs
Source NAT Using a VIP
Configuring the ACE to Reply to a Ping to a VIP only if the Primary Server Farm is in Service
New Redundancy State for Software Upgrade or Downgrade
Modifications to the Cisco CSS-to-ACE Conversion Tool
Modifications to the Setup Script

For details on these software features as implemented in the Device Manager GUI, see the Online Help system provided with the GUI.

Note: For a list of the commands and options that have been modified in software version A1(8.0), see the Software Version A1(8.0) Command Changes section.

New Performance Throughput and HTTP Compression Licenses

With the release of A1(8.0), the following new performance throughput and HTTP compression licenses are available:
ACE-AP-04-LIC: 4-Gbps performance throughput license
ACE-AP-04-UP2: Upgrade from 2-Gbps to 4-Gbps performance throughput license
ACE-AP-C-2000-LIC: 2-Gbps HTTP compression license
ACE-AP-C-2000-LIC=: 2-Gbps HTTP compression license spare
ACE-AP-C-UP3=: Upgrade from 1-Gbps to 2-Gbps HTTP compression license

See the Available ACE Licenses section for details.

Configuring KAL-AP

A keepalive-appliance protocol (KAL-AP) on the ACE allows communication between the ACE and the Global Site Selector (GSS) by sending KAL-AP requests to report the server states and loads for global-server load-balancing (GSLB) decisions. The ACE uses KAL-AP through a UDP connection to calculate weights and provide server availability information to the KAL-AP device. The ACE acts as a server and listens for KAL-AP requests. When KAL-AP is initialized on the ACE, the ACE listens on the standard port 5002 for any KAL-AP requests. You cannot configure any other port.

The ACE supports VIP-based and TAG-based KAL-AP probes. For a VIP-based KAL-AP, when the ACE receives a kal-ap-by-vip request, it verifies whether the VIP addresses are active in all Layer 3 class maps that are configured with the addresses. The ACE ignores all other protocol-specific information for the VIP addresses. For each Layer 3 class map, the ACE locates the associated Layer 7 policies and the real servers in the associated server farms. The ACE determines the total number of servers associated with these VIPs and the number of those servers in the Operational state. The ACE calculates a load number from 0 to 255 and reports the server load of the VIP to the KAL-AP device.

The load values are indicators of VIP and server availability:
A load value of 0 indicates that the VIP address is not available. This value is also sent in the case of any VIP lookup failure.
A load value of 1 is reserved to indicate that the VIP is offline and not available for use.
Valid load values are from 2 to 255. A load value of 2 indicates that the VIP is least loaded (most of the servers are available and all servers are up); a load value of 255 indicates that the VIP is fully loaded (none of the servers are available at the moment).

For example, if the total number of servers is 10 and only 5 are operational, the load value is 127, which means that half of the servers are available.

Note: If the same real server is associated with more than one server farm, the ACE includes it twice in the load calculation.

You can configure a TAG-based KAL-AP domain associated with a VIP address that corresponds to a TAG in the ACE. When the ACE receives a kal-ap-by-tag request, the process is similar to VIP-based KAL-AP probes. The load calculation considers the Layer 3 class map, server farm, and real server objects; all other objects under the domain are ignored during the load calculation. The calculation for the domain is similar to that for a VIP address, the only difference being that the real server objects and server farm objects in the domain are considered in the calculation. The ACE gathers the server availability information for any Layer 3 VIP addresses within the domain and considers all of the server farms associated with the domain. If the real servers are in a domain, the ACE adds them to the current total and then performs a division to determine their availability as TAG objects. The ACE reports this final number in the KAL-AP response.

This section contains the following topics:
Enabling KAL-AP on the ACE
Configuring a KAL-AP VIP Address
Configuring KAL-AP TAGs as Domains
Configuring Secure KAL-AP
Displaying Global-Server Load-Balancing Load Information
Displaying Global-Server Load-Balancing Statistics
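The load calculation described above, as an added illustration that is not Cisco ACE code: the 0/1/2..255 semantics, the double counting of a real server that belongs to two server farms, and the "10 servers, 5 operational gives 127" result come from the release note; the rounding rule (floor of 255 times unavailable/total, clamped to 2..255), the treatment of an inactive VIP as load 1, and the sample inventory are assumptions made to reproduce that worked example.

```python
"""KAL-AP load value simulation (added example; assumptions noted inline)."""
from dataclasses import dataclass

LOAD_VIP_UNAVAILABLE = 0   # VIP not configured, or any VIP lookup failure
LOAD_VIP_OFFLINE = 1       # reserved: VIP offline, not available for use
LOAD_MIN = 2               # least loaded
LOAD_MAX = 255             # fully loaded: no server available


@dataclass
class RealServer:
    name: str
    operational: bool        # True when the rserver is in the Operational state


@dataclass
class ServerFarm:
    name: str
    rservers: list           # RealServer objects; one object may sit in several farms


@dataclass
class L3ClassMap:
    name: str                # e.g. VIP-20 (class map name from the release note)
    vip: str                 # VIP address (constructed value in the sample below)
    active: bool             # whether the VIP is active in this class map
    farms: list              # server farms reached through the associated L7 policies


def count_servers(class_maps):
    """Total and operational server counts across the given class maps.
    No de-duplication on purpose: a real server associated with more than
    one server farm is included once per farm, as the release note states."""
    total = operational = 0
    for cmap in class_maps:
        for farm in cmap.farms:
            for rs in farm.rservers:
                total += 1
                if rs.operational:
                    operational += 1
    return total, operational


def load_value(class_maps):
    """Map the server counts of the given class maps to a KAL-AP load."""
    if not class_maps:
        return LOAD_VIP_UNAVAILABLE
    if not all(c.active for c in class_maps):
        return LOAD_VIP_OFFLINE          # assumed mapping of "VIP not active"
    total, operational = count_servers(class_maps)
    if total == 0 or operational == 0:
        return LOAD_MAX
    raw = (LOAD_MAX * (total - operational)) // total   # assumed rounding rule
    return max(LOAD_MIN, min(LOAD_MAX, raw))


def kalap_by_vip(vip, class_maps):
    """kal-ap-by-vip: every L3 class map configured with the VIP counts;
    protocol and port details of the match statement are ignored."""
    return load_value([c for c in class_maps if c.vip == vip])


def kalap_by_tag(tag, domains, class_maps):
    """kal-ap-by-tag: the class maps added to the domain with
    'add-object class-map' drive the same calculation as for a VIP."""
    members = domains.get(tag)
    if members is None:
        return LOAD_VIP_UNAVAILABLE
    return load_value([c for c in class_maps if c.name in members])


def build_sample():
    """Constructed inventory (documentation-range addresses, not from the
    release note). VIP-20 has 10 servers of which 5 are operational."""
    farm_a = ServerFarm("SF-A", [RealServer(f"a{i}", i < 3) for i in range(5)])  # 3 of 5 up
    farm_b = ServerFarm("SF-B", [RealServer(f"b{i}", i < 2) for i in range(5)])  # 2 of 5 up
    farm_c = ServerFarm("SF-C", [farm_a.rservers[0]])   # same rserver as in SF-A: counted twice
    class_maps = [
        L3ClassMap("VIP-20", "192.0.2.20", True, [farm_a, farm_b]),
        L3ClassMap("VIP-71", "192.0.2.71", True, [farm_a, farm_c]),
    ]
    domains = {"KAL-AP-TAG1": {"VIP-20", "VIP-71"}}
    return class_maps, domains


SAMPLE_CLASS_MAPS, SAMPLE_DOMAINS = build_sample()

if __name__ == "__main__":
    print("VIP-20 load:", kalap_by_vip("192.0.2.20", SAMPLE_CLASS_MAPS))          # 127
    print("KAL-AP-TAG1 load:", kalap_by_tag("KAL-AP-TAG1", SAMPLE_DOMAINS, SAMPLE_CLASS_MAPS))
```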

Enabling KAL-AP on the ACE

To enable KAL-AP on the ACE, you must configure a management class map and policy map, and apply the policy map to the appropriate interface. The KAL-AP server listens on the standard port 5002 for all KAL-AP requests.

You can configure the class map for KAL-AP over a UDP management access connection by using the match protocol kalap-udp command in class map management configuration mode. The syntax of this command is as follows:

match protocol kalap-udp any [source-address ip_address subnet_mask]

The keywords and arguments are as follows:
any: Specifies any client source address for the management traffic classification.
source-address: Specifies a client source host IP address and subnet mask as the network traffic matching criteria. As part of the classification, the ACE implicitly obtains the destination IP address from the interface on which you apply the policy map.
ip_address: Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, ).
mask: Subnet mask of the client entry in dotted-decimal notation (for example, ).

For example, to specify a KAL-AP class map that matches any source IP address, enter:

host1/admin(config)# class-map type management KALAP-CM
host1/admin(config-cmap-mgmt)# match protocol kalap-udp any
host1/admin(config-cmap-mgmt)# exit
host1/admin(config)#

To remove the class map, enter:

host1/admin(config-cmap-mgmt)# no match protocol kalap-udp source-address any

After you create the KAL-AP class map, create a KAL-AP management policy map and apply the class map to it. To create the policy map and access policy map management configuration mode, use the policy-map type management command in configuration mode. For example, to create the KALAP-MGMT management policy map and apply the KALAP-CM class map to it, enter:

host1/admin(config)# policy-map type management KALAP-MGMT
host1/admin(config-pmap-mgmt)# class KALAP-CM
host1/admin(config-cmap-mgmt)# permit
host1/admin(config-cmap-mgmt)# exit
host1/admin(config)#

To apply the policy map to an interface, use the interface vlan command in configuration mode. For example, to apply the KALAP-MGMT policy map to VLAN interface 10, enter:

host1/admin(config)# interface vlan 10
host1/admin(config-if)# ip address
host1/admin(config-if)# service-policy input KALAP-MGMT
host1/admin(config-if)# no shutdown
host1/admin(config-if)# exit
host1/admin(config)#

Note: When you modify or remove a KAL-AP policy, you must clear the existing KAL-AP connections manually.

Configuring a KAL-AP VIP Address

You can configure VIP-based KAL-AP by configuring a Layer 3/4 class map that contains a VIP address match statement. You can define a 3-tuple flow of VIP address, protocol, and port as matching criteria by using the match virtual-address command in class map configuration mode. You can configure multiple match criteria statements to define the VIPs for SLB. The syntax of this command is as follows:

[line_number] match virtual-address vip_address {[mask] any {tcp udp {any eq port_number range port1 port2}} protocol_number}

For information on the keywords and arguments, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Guide.

Note: For KAL-AP, the ACE verifies whether the VIP addresses are active in all Layer 3 class maps that are configured with the addresses. It ignores all other protocol-specific information for the VIP addresses.

For example, to create a class map VIP-20 that matches traffic destined to VIP address with a wildcard value for the IP protocol value (TCP or UDP), enter:

host1/admin(config)# class-map VIP-20
host1/admin(config-cmap)# match virtual-address any

To remove the VIP match statement from the class map, enter:

host1/admin(config-cmap)# no match virtual-address any

Configuring KAL-AP TAGs as Domains

You can configure KAL-AP TAGs as domains by using the domain command in configuration mode. The syntax of this command is as follows:

domain name

The name argument is the name of the KAL-AP TAG.

Note: For the domain load calculation, the ACE considers the Layer 3 class map, server farm, and real server objects. All other objects under the domain are ignored during the calculation.

For example, to configure KAL-AP-TAG1 as a domain, enter:

host1/admin(config)# domain KAL-AP-TAG1

After you create the domain, use the add-object class-map command in domain configuration mode to add each class map that you want to associate with the TAG domain. For example, to add the VIP-20 and VIP-71 class maps to the TAG domain, enter:

host1/admin(config-domain)# add-object class-map VIP-20
host1/admin(config-domain)# add-object class-map VIP-71

To remove the domain, enter:

host1/admin(config)# no domain KAL-AP-TAG1

For more information about configuring class maps, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. For more information about configuring domains, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.

Configuring Secure KAL-AP

The ACE supports secure KAL-AP for MD5 encryption of data between it and the GSS. For encryption, you must configure a shared secret as a key for authentication between the GSS and the ACE context.

To configure secure KAL-AP on the ACE, access KAL-AP UDP configuration mode through the kalap udp command in configuration mode. The syntax of this command is as follows:

kalap udp

For example, enter:

host1/admin(config)# kalap udp
host1/admin(config-kalap-udp)#

To remove the KAL-AP configuration and all VIP entries, enter the following command:

host1/admin(config)# no kalap udp

In this mode, you enable secure KAL-AP by configuring the VIP address of the GSS and the shared secret through the ip address command. The syntax of this command is as follows:

ip address ip_address encryption md5 secret

The keywords and arguments are as follows:
ip_address: The VIP address for the GSS. Enter the IP address in dotted-decimal notation (for example, ).
encryption: Specifies the encryption method.
md5: Specifies the MD5 encryption method.
secret: Shared secret between the KAL-AP device and the ACE. Enter the shared secret as a case-sensitive string with no spaces and a maximum of 31 alphanumeric characters.

For example, to enable secure KAL-AP and configure the VIP address for the GSS and the shared secret, enter:

host1/admin(config-kalap-udp)# ip address encryption md5 andromeda

To disable secure KAL-AP, use the no form of the ip address command. For example, enter:

host1/admin(config-kalap-udp)# no ip address

Displaying Global-Server Load-Balancing Load Information

You can display the latest load information for a VIP address or domain name provided to the KAL-AP request by using the show kalap udp load command in Exec mode. The syntax of the command is as follows:

show kalap udp load {vip ip_address | domain name}

The keywords and arguments are as follows:
vip ip_address: Displays the latest load information for the specified VIP address. Enter the IP address in dotted-decimal notation (for example, ).
domain name: Displays the latest load information for the specified domain name.

The output fields of the show kalap udp load command display the VIP address or domain name, its load value, and the time stamp.

For example, to display the latest load information to the KAL-AP request for VIP address , enter:

host1/admin# show kalap udp load vip

To display the latest load information to the KAL-AP request for domain KAL-AP-TAG1, enter:

host1/admin# show kalap udp load domain KAL-AP-TAG1

Displaying Global-Server Load-Balancing Statistics

You can display the global-server load-balancing statistics per context by using the show stats kalap command in Exec mode. The syntax of the command is as follows:

show stats kalap

For example, enter:

host1/admin# show stats kalap

Table 1-1 lists the output fields displayed by this command.

Table 1-1 Field Descriptions for the show stats kalap Command

Field | Description
Total bytes received | Total number of bytes received.
Total bytes sent | Total number of bytes sent.
Total requests received | Total number of requests received.
Total responses sent | Total number of responses sent.
Total requests successfully received | Total number of requests successfully received.
Total responses successfully sent | Total number of responses successfully sent.
Total secure requests received | Total number of secure requests received.
Total secure responses sent | Total number of secure responses sent.
Total requests with errors | Total number of requests with errors.
Total requests with parse errors | Total number of requests with parse errors.
Total response transfer errors | Total number of response transfer errors.

Autogenerating a MAC Address for a VLAN Interface

By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains unless the VLAN is a shared VLAN. The ACE allocates the same MAC address to each context interface that uses a shared VLAN.

When you are using a Firewall Services Module (FWSM) to bridge traffic between two contexts on the ACE, you must assign two Layer 3 VLANs to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses. To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:

mac address autogenerate

For example, enter:

host1/admin(config-if)# mac address autogenerate

To disable MAC address autogeneration on the VLAN, use the no mac address autogenerate command. For example, enter:

host1/admin(config-if)# no mac address autogenerate

Note: When you use the mac address autogenerate command, the ACE assigns a MAC address from the bank of MAC addresses for shared VLANs. If you use the no mac address autogenerate command, the interface retains this address. To revert to a MAC address for an unshared VLAN, you must delete the interface and then add the interface again.

Enabling Source MAC Validation

Source MAC validation allows you to instruct the ACE to check the source MAC address in the Ethernet header against the sender's MAC address in the ARP payload for every ARP packet received by the ACE on the specified interface. The ACE does not learn or update the ARP or MAC tables for packets in which the two MAC addresses differ. By default, source MAC validation is disabled.

Note: If ARP inspection fails, the ACE does not perform source MAC validation. For details about ARP inspection, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

To configure source MAC validation, use the arp inspection command in interface configuration mode. The syntax of this command is as follows:

arp inspection validate src-mac [flood | no-flood]

The options are as follows:
flood: Enables ARP forwarding for the interface and forwards ARP packets with nonmatching source MAC addresses to all interfaces in the bridge group. This is the default option when you enable source MAC validation.
no-flood: Disables ARP forwarding for the interface and drops ARP packets with nonmatching source MAC addresses.

Note: Regardless of whether you enter the flood or the no-flood option, if the source MAC address in the ARP packet does not match the MAC address in the Ethernet header, the source MAC validation fails and the ACE increments the Smac-validation Failed counter of the show arp statistics command.
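The check described above, as an added illustration (not ACE code): an Ethernet/ARP frame is parsed, the Ethernet source MAC is compared with the sender hardware address in the ARP payload, a mismatch increments a counter modelled on the Smac-validation Failed counter, the ARP table is never learned from such a packet, and the packet is flooded (the default) or dropped (no-flood). The sample frames, MAC addresses and IP addresses are constructed.

```python
"""Source MAC validation model (added example; frames are constructed)."""
import struct

ETH_P_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_LEN = 28          # Ethernet/IPv4 ARP body


class ArpFrameError(ValueError):
    """Frame is not a parseable Ethernet/IPv4 ARP packet."""


def parse_arp(frame: bytes):
    """Return (ethernet_src_mac, arp_sender_mac, arp_sender_ip) as bytes."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ArpFrameError("frame too short for Ethernet + ARP")
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETH_P_ARP:
        raise ArpFrameError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ArpFrameError("unsupported ARP hardware/protocol type")
    sha = frame[22:28]        # sender hardware address
    spa = frame[28:32]        # sender protocol address
    return eth_src, sha, spa


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


class SmacValidatingInterface:
    """One bridged interface with 'arp inspection validate src-mac [flood | no-flood]'."""

    def __init__(self, flood: bool = True):
        self.flood = flood                  # flood is the default when validation is enabled
        self.smac_validation_failed = 0     # modelled on the Smac-validation Failed counter
        self.arp_table = {}                 # sender IP (bytes) -> MAC learned from valid ARPs only

    def process(self, frame: bytes) -> str:
        """Return the action taken: 'learn', 'flood' or 'drop'."""
        eth_src, sha, spa = parse_arp(frame)
        if eth_src != sha:
            self.smac_validation_failed += 1
            # The ARP/MAC tables are not learned or updated from this packet.
            return "flood" if self.flood else "drop"
        self.arp_table[spa] = sha
        return "learn"


def build_arp_request(eth_src: bytes, sha: bytes, spa: bytes, tpa: bytes) -> bytes:
    """Constructed broadcast ARP request; eth_src and sha may differ on purpose."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\x00" * 6 + tpa
    return eth + arp


# Constructed sample frames (locally administered MACs, documentation-range IPs).
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
IP_A = bytes([192, 0, 2, 10])
IP_GW = bytes([192, 0, 2, 1])
CONSISTENT_FRAME = build_arp_request(MAC_A, MAC_A, IP_A, IP_GW)
MISMATCH_FRAME = build_arp_request(MAC_B, MAC_A, IP_A, IP_GW)   # header says B, payload says A


def run_demo(flood: bool):
    """Feed both frames through one interface; return (actions, failed_count, learned_macs)."""
    iface = SmacValidatingInterface(flood=flood)
    actions = [iface.process(CONSISTENT_FRAME), iface.process(MISMATCH_FRAME)]
    learned = {mac_str(mac) for mac in iface.arp_table.values()}
    return actions, iface.smac_validation_failed, learned


if __name__ == "__main__":
    print(run_demo(flood=False))   # (['learn', 'drop'], 1, {'02:00:00:00:00:0a'})
    print(run_demo(flood=True))    # (['learn', 'flood'], 1, {'02:00:00:00:00:0a'})
```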

For example, to enable source MAC validation and instruct the ACE to drop ARP packets with nonmatching source MAC addresses, enter:

host1/admin(config-if)# arp inspection validate src-mac no-flood

To disable source MAC validation, enter:

host1/admin(config-if)# no arp inspection validate src-mac no-flood

Changes to the Packet Capture Utility

When you start the packet capture function using the start keyword and the ACE displays the messages on the session console as it receives the packets, the CLI prompt now returns and you can type other commands while the ACE is capturing packets. To stop the capture process, enter stop. The packet capture function automatically stops when the buffer is full unless you enable the circular buffer function.

Note: Under high traffic conditions, you may observe up to 64 packets printing on the console after you enter the stop keyword. These additional messages can occur because the packets were in transit or buffered before you entered the stop keyword.

If you delete an interface that is in use by the packet capture function, the ACE stops the capture automatically. If you check the status of the packet capture using the show capture buffer_name status command, you will notice that the capture stopped because of an interface deletion. At this point, you can perform any operation on the capture (for example, saving the old capture) except starting it. To restart the capture, you must delete the old capture and configure a new one. The ACE handles the deletion of an ACL or an ACL entry in a similar manner.

If you add an interface while you are already capturing all interfaces, the capture continues using all the original interfaces. If you add an ACL entry during an existing ACL capture, the capture continues normally using the original ACL criteria.

Note: If you enable packet capture for jumbo packets, the ACE captures only the first 1,860 bytes of data.

For details about running the packet capture utility, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Bandwidth Reservation for Management Traffic

The bandwidth keyword of the limit-resource command limits total ACE throughput in bytes per second for one or more contexts. The maximum bandwidth rate per context is determined by your bandwidth license. By default, the entry-level ACE has a 1-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth, for a total maximum bandwidth of 2 Gbps. With the 2-Gbps license, the ACE has a 2-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth, for a total maximum bandwidth of 3 Gbps. You can upgrade the ACE with either an optional 2-Gbps or 4-Gbps bandwidth license (see the Available ACE Licenses section).

The syntax of this command is as follows:

limit-resource rate {bandwidth | mgmt-traffic} {minimum number} {maximum {equal-to-min | unlimited}}

When you configure a minimum bandwidth value for a resource class in the ACE, the ACE subtracts that configured value from the total bandwidth maximum value of all contexts in the ACE, regardless of the resource class with which they are associated. The total bandwidth rate of a context consists of the following two components:
throughput: Limits through-the-ACE traffic. This is a derived value (you cannot configure it directly); it is equal to the bandwidth rate minus the mgmt-traffic rate for the 1-Gbps and 2-Gbps licenses.
mgmt-traffic: Limits management (to-the-ACE) traffic in bytes per second. This parameter is independent of the limit-resource all minimum command.

To guarantee a minimum amount of management traffic bandwidth, you must explicitly allocate a minimum percentage of resources to management traffic using the limit-resource rate mgmt-traffic minimum command. When you allocate a minimum percentage of bandwidth to management traffic, the ACE subtracts that value from the maximum available management traffic bandwidth for all contexts in the ACE. By default, management traffic is guaranteed a minimum bandwidth rate of 0 and a maximum bandwidth rate of 1 Gbps, regardless of the bandwidth license that you install in the ACE.

In addition, with the A1(8.0) release, the maximum number of management connections that you can set through the limit-resource rate mgmt-connections maximum command has been increased to 100,000 connections (from 5000 connections).

For details about how the ACE manages bandwidth for throughput and management traffic rates, see the examples of the show resource-usage command output that follow. For each bandwidth license, examples are shown for the default values, a 25 percent minimum allocation to all resources, and both a 25 percent minimum allocation to all resources and a 10 percent minimum allocation to management traffic. The output has been modified to show only the relevant fields.

Note: All values are in bytes per second; to convert to bits per second, multiply each value by 8.

switch/admin# show resource usage

Example 1-1 Default Show Resource Usage Command Output for 1-Gbps License (columns Allocation, Resource, Min, Max; rows bandwidth, throughput, mgmt-traffic rate; values not preserved in this transcription)

Example 1-2 Show Resource Usage Command Output for 1-Gbps License with 25 Percent Minimum Allocation for All Resources (values not preserved in this transcription)

Example 1-3 Show Resource Usage Command Output for 1-Gbps License with 25 Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for Management Traffic (values not preserved in this transcription)

Example 1-4 Default Show Resource Usage Command Output for 2-Gbps License (values not preserved in this transcription)

Example 1-5 Show Resource Usage Command Output for 2-Gbps License with 25 Percent Minimum Allocation for All Resources (values not preserved in this transcription)

Example 1-6 Show Resource Usage Command Output for 2-Gbps License with 25 Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for Management Traffic (values not preserved in this transcription)

Example 1-7 Default Show Resource Usage Command Output for 4-Gbps License (values not preserved in this transcription)

Example 1-8 Show Resource Usage Command Output for 4-Gbps License with 25 Percent Minimum Allocation for All Resources (values not preserved in this transcription)

Example 1-9 Show Resource Usage Command Output for 4-Gbps License with 25 Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for Management Traffic (values not preserved in this transcription)

The minimum keyword specifies the lowest acceptable value for a resource. Enter an integer from 0.00 to percent (two-decimal places of granularity). The number argument specifies a percentage value for all contexts that are members of the resource class. When used with the rate keyword, the number argument specifies a value per second.

When you configure a minimum value for a resource in a particular resource class in the ACE, the ACE assigns the minimum resources only to the contexts that are members of the resource class. For all contexts, the ACE subtracts that configured minimum value from the maximum value of that resource, regardless of the resource class with which the contexts are associated. If the resource class has more than one context associated with it, the minimum value that the ACE subtracts from the maximum value is multiplied by the number of contexts in the resource class.

For example, with a 4-Gbps bandwidth license, if there are two contexts associated with the resource class and you configure a 25 percent minimum allocation for the bandwidth rate for the class, each context in the resource class would have the values that are shown in Example 1-10 for the show resource usage command output for the bandwidth rate and throughput rate.

Example 1-10 Show Resource Usage Command Output for 4-Gbps License with 25 Percent Minimum Allocation for Bandwidth (values not preserved in this transcription)

All other contexts in the ACE would have the same maximum values as shown in Example 1-10, but would have zero minimum values. Compare the values in Example 1-10 with the values in Example 1-5, which represents one context in a resource class.

Setting the Maximum Receive or Transmit Buffer Share

To improve throughput and overall performance, the ACE checks the number of buffered bytes on a TCP connection against the configured buffer setting before accepting new receive or transmit data. By default, the maximum size of the receive or transmit buffer for each TCP connection is bytes. For large bandwidth and delay network connections, you may want to increase the default buffer size to improve your network performance.

To set the maximum receive or transmit buffer size for each TCP connection, use the set tcp buffer-share command in parameter map connection configuration mode. The syntax of this command is as follows:

set tcp buffer-share number

The number argument is the maximum size of the receive or transmit buffer in bytes for each TCP connection. Enter an integer from 8192 to bytes. The default is bytes.

Caution: If you are using the ACE to terminate SSL traffic, do not decrease the buffer share value below the default value of 32 KB. With a buffer share value of less than 32 KB, SSL connections are significantly slower.

For example, enter:

host1/c1(config-parammap-conn)# set tcp buffer-share

To reset the buffer limit to the default value of bytes, enter:

host1/c1(config-parammap-conn)# no set tcp buffer-share

Configuring the Rate Limit for Gratuitous ARP Packets

By default, the rate limit for gratuitous ARPs sent by the ACE is 512 packets per second. To configure this rate limit, use the arp ratelimit command in configuration mode. This command is available only in the Admin context. The rate limit applies to the module as a whole, not per context. The syntax of this command is as follows:

arp ratelimit number

The number argument defines the rate limit in packets per second. Enter an integer from 100 to . The default is 512.

Note: The rate limit applies to all gratuitous ARPs sent for local addresses on new configurations, module reboot, and MAC address changes.

For example, to specify a rate limit of 1000 packets per second, enter:

host1/admin(config)# arp ratelimit 1000

To restore the default value of 512 packets per second, use the no arp ratelimit command. For example, enter:

host1/admin(config)# no arp ratelimit

Configuring a Bank of MAC Addresses for Shared VLANs

When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context. The MAC addresses reserved for shared VLANs are 0x001243dc6b00 to 0x001243dcaaff, inclusive. All ACE appliances derive these addresses from a global pool of 16,000 MAC addresses. This pool is divided into 16 banks, each containing 1024 addresses. Each subnet can have a maximum of 16 ACEs. Each ACE supports 1024 shared VLANs and uses only one bank of MAC addresses out of the pool. A shared MAC address is associated with a shared VLAN interface.

By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE appliances in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, which results in the use of the same MAC addresses. To avoid this conflict, you must configure the bank that the ACEs will use.

To configure the MAC address bank to be used by the peer ACE with a shared VLAN, use the peer shared-vlan-hostid command in configuration mode in the Admin context. Use this command with the shared-vlan-hostid command to prevent MAC address conflicts between two peer ACEs sharing the same VLAN. Be sure to select a bank of MAC addresses for the peer that is different from the bank that is used by the local ACE. The syntax of this command is as follows:

peer shared-vlan-hostid number

The number argument indicates the bank of MAC addresses that the peer ACE uses. Enter an integer from 1 to 16. Be sure to configure unique bank numbers for multiple ACEs.

For example, to configure bank 2 of MAC addresses for the peer ACE, enter:

host1/admin(config)# peer shared-vlan-hostid 2

Source NAT Using a VIP

The ACE now allows you to configure a virtual IP (VIP) address in the network address translation (NAT) pool for dynamic NAT and PAT. This action is useful when you want to source-NAT real-server-originated connections (bound to the client) using the VIP address. Use this feature when there is a limited number of real-world IP addresses on the client-side network. To perform PAT for different real servers that are source-NATed to the same IP address (the VIP), you must configure the pat keyword in the nat-pool command.

For details about configuring dynamic NAT and PAT for source NAT, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

Configuring the ACE to Reply to a Ping to a VIP only if the Primary Server Farm is in Service

The primary-inservice option has been added to the loadbalance vip icmp-reply active command in policy map class configuration mode. When you specify this option, the ACE replies to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is enabled and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out. The syntax of this command is as follows:

loadbalance vip icmp-reply [active [primary-inservice]]

For example, to instruct the ACE to respond to a ping to a VIP only if the primary server farm is in service, enter:

host1/admin(config-pmap-c)# loadbalance vip icmp-reply active primary-inservice

To remove this command from the configuration, enter:

host1/admin(config-pmap-c)# no loadbalance vip icmp-reply active primary-inservice

New Redundancy State for Software Upgrade or Downgrade

A new redundancy state called STANDBY_WARM has been introduced for upgrading or downgrading the ACE software. When you upgrade or downgrade the ACE from one software version to another, there is a point in the process when the two ACEs have different software versions and, therefore, a CLI incompatibility. Prior to software version A1(8.0), such a condition would cause configuration and state synchronization to fail, and the standby ACE would enter the STANDBY_COLD state.

When the software versions are different while upgrading or downgrading, the STANDBY_WARM state allows the configuration and state synchronization process to continue on a best-effort basis: the active ACE continues to synchronize configuration and state information to the standby even though the standby may not recognize or understand the CLI commands or state information. This new standby state allows the standby ACE to come up with best-effort support. In the STANDBY_WARM state, as in the STANDBY_HOT state, configuration mode is disabled and configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can still occur while the standby is in the STANDBY_WARM state.

Note: Although support for the STANDBY_WARM state has been introduced in software version A1(8.0), it is intended for use only during an upgrade or downgrade procedure involving software versions A1(8.0) and higher. The STANDBY_WARM state will not be available in an upgrade or downgrade procedure involving A1(8.0) and the A1(7a) or A1(7b) software versions.

When upgrading or downgrading the ACE software (see the Upgrading Your ACE Software from A1(7x) to A1(8.0x) in a Redundant Configuration and Downgrading Your ACE Software from Version A1(8.0x) to A1(7x) in a Redundant Configuration sections), we recommend that you first upgrade or downgrade the standby ACE. After the standby ACE boots up, it may take a few minutes to reach the STANDBY_HOT state again. Once the standby ACE moves to the STANDBY_HOT state, you may then perform a graceful failover of all contexts from the active ACE to the standby ACE and then upgrade the other ACE.

Table 2 System Messages on the Operating Status of the Concurrent Connection Limit

Error Message:
%ACE-LB_GENERAL : Disabled Web Application Acceleration: Maximum configured concurrent connections limit (<count>) reached, sending connections to real servers
Explanation: This message is informational. It is logged when the number of application acceleration concurrent connections exceeds the configured or default concurrent connections limit (as specified through the optimize mode concurrent-connections limit command) and new connections are sent to the real servers without optimization.
Recommended Action: None required.

Error Message:
%ACE-LB_GENERAL : Enabled Web Application Acceleration: New connections will be sent for Optimization.(concurrent connections count <count>)
Explanation: This message is informational. It is logged when the number of application acceleration connections has gone below the configured or default concurrent connections limit (as specified through the optimize mode concurrent-connections limit command) and optimization has been resumed for all new connections.
Recommended Action: None required.

Modifications to the Cisco CSS-to-ACE Conversion Tool

The Cisco CSS-to-ACE conversion tool in the A1(8.0) release has been modified as follows:

- The CSS-to-ACE conversion tool globally applies the converted service policies to all available VLAN interfaces associated with a context on the ACE. If you want a specific service policy applied to a VLAN interface, you must manually attach the traffic policy to the VLAN interface.
- The conversion tool now creates the permit ip any any global access list to match the CSS allow-all functionality and automatically applies this access list to all VLAN interfaces.
- The Include Domain Commands checkbox has been added to the CSS-to-ACE conversion tool to allow you to choose whether domains are to be created and populated with objects. Automatically adding domains as part of the CSS conversion may make the resulting configuration unnecessarily long. The Include Domain Commands checkbox lets you choose whether to enable or disable the inclusion of CSS domains. When you check this checkbox, if the CSS configuration contains a content under an owner, all domains are created as part of the conversion.
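The two Table 2 messages are the only signal the ACE gives that new connections are bypassing application acceleration, so it is worth watching for them in collected syslog. The following script is an added example and is not part of this release note or of the ACE software: it parses constructed syslog lines that carry the two Table 2 message texts, counts bypass episodes, reports whether the ACE was still sending connections unoptimized at the end of the log, and flags any logged limit that differs from the limit you believe is configured with the optimize mode concurrent-connections limit command (a sign that the running configuration is not what you expect). The timestamp and hostname prefix of the sample lines and the function names are assumptions of this example.

```python
"""Track application-acceleration bypass from ACE Table 2 system messages.

Added example, not Cisco code. The message bodies follow Table 2 of the
release note; the syslog prefix on the sample lines is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# "Disabled" carries the limit that was reached; "Enabled" carries the
# current concurrent-connection count at the moment optimization resumed.
DISABLED_RE = re.compile(
    r"Disabled Web Application Acceleration: .*?"
    r"concurrent connections limit \((\d+)\) reached"
)
ENABLED_RE = re.compile(
    r"Enabled Web Application Acceleration: .*?"
    r"concurrent connections count (\d+)\)"
)


@dataclass
class AccelEvent:
    line_no: int      # 1-based position in the log input
    optimizing: bool  # False while new connections bypass optimization
    count: int        # limit reached (Disabled) or current count (Enabled)


def parse_accel_events(lines: Iterable[str]) -> List[AccelEvent]:
    """Extract the Table 2 messages from a stream of syslog lines."""
    events: List[AccelEvent] = []
    for n, line in enumerate(lines, start=1):
        m = DISABLED_RE.search(line)
        if m:
            events.append(AccelEvent(n, False, int(m.group(1))))
            continue
        m = ENABLED_RE.search(line)
        if m:
            events.append(AccelEvent(n, True, int(m.group(1))))
    return events


def analyze(lines: Iterable[str], configured_limit: int) -> Dict[str, object]:
    """Summarize bypass episodes and compare the limit the ACE logged with
    the limit the operator expects to be configured."""
    events = parse_accel_events(lines)
    bypass_episodes = 0
    still_bypassing = False
    limit_mismatch_lines: List[int] = []
    for ev in events:
        if not ev.optimizing:
            bypass_episodes += 1
            still_bypassing = True
            if ev.count != configured_limit:
                limit_mismatch_lines.append(ev.line_no)
        else:
            still_bypassing = False
    return {
        "events": len(events),
        "bypass_episodes": bypass_episodes,
        "still_bypassing": still_bypassing,
        "limit_mismatch_lines": limit_mismatch_lines,
    }


# Constructed sample log (prefix is an assumption; bodies follow Table 2).
SAMPLE_LOG = [
    "Jun 9 10:01:02 ace-1 %ACE-LB_GENERAL : Disabled Web Application Acceleration: "
    "Maximum configured concurrent connections limit (50) reached, sending connections to real servers",
    "Jun 9 10:01:05 ace-1 unrelated informational message (constructed)",
    "Jun 9 10:05:44 ace-1 %ACE-LB_GENERAL : Enabled Web Application Acceleration: "
    "New connections will be sent for Optimization.(concurrent connections count 38)",
    "Jun 9 10:20:11 ace-1 %ACE-LB_GENERAL : Disabled Web Application Acceleration: "
    "Maximum configured concurrent connections limit (50) reached, sending connections to real servers",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, configured_limit=50))
```

A second Disabled message without an intervening Enabled message counts as a new episode, which is how the ACE logs it; if you forward the events to a monitoring system, the still_bypassing flag is the one worth alerting on, since it means clients are being served without optimization right now.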

Modifications to the Setup Script

With the A1(8.0a) release, the setup script now prompts you to change the Admin and www user passwords as a step when you boot the ACE for the first time and the ACE does not detect a startup-configuration file. The intent of the setup script is to guide you through the process of configuring a management VLAN on the ACE through one of its Gigabit Ethernet ports.

Note the following if you do not change the default Admin or www user passwords:

- If you do not change the default Admin password, after you upgrade the ACE software you will only be able to log in to the ACE through the console port.
- If you do not change the default www user password, the www user will be disabled and you will not be able to use Extensible Markup Language (XML) to remotely configure an ACE until you change the default www user password.

The following screen output illustrates the changes to the setup script with the A1(8.0a) release:

Starting sysmgr processes.. Please wait...done!!!

switch login: admin
Password:
Please change the password for admin user. Admin user is allowed to login only from console until the password is changed.
User 'www' is disabled.please change the password to enable the user.

Cisco Application Control Software (ACSW)
TAC support:
Copyright (c) by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at

Basic System Configuration Dialog ----

This setup utility will guide you through the basic configuration of the system. Setup configures only enough connectivity to the ACE appliance Device Manager GUI of the system.

*Note: setup is mainly used for configuring the system initially, when no configuration is present. So setup always assumes system defaults and not the current system configuration values.

Press Enter at anytime to skip a dialog. Use ctrl-c at anytime to skip the remaining dialogs.

Would you like to enter the basic configuration dialog (yes/no): yes
Please change the password for admin user. Admin user is allowed to login only from console until the password is changed.
WARNING!! PASSWORD CHANGE WILL BE EFFECTIVE IMMEDIATELY
Enter the password for "admin":
Confirm the password for "admin":
User 'www' is disabled.please change the password to enable the user.
WARNING!! PASSWORD CHANGE WILL BE EFFECTIVE IMMEDIATELY
Enter the password for "www":
Confirm the password for "www":
Which port is used to carry Management vlan (1-4)? [1]:
...

Software Feature Changes in A1(8.0)

Cisco has refined the ACE application acceleration functionality in software version A1(8.0) by removing features that are rarely used. The following list summarizes the application acceleration CLI commands and associated functions that are no longer supported in the ACE appliance, starting with software release A1(8.0):

- Action list optimization configuration mode commands: cache forward-with-wait, fast-redirect, flashconnect, flashconnect-object, image, meta refresh-to-302, urlmap scope, xslt merge
- Optimize configuration mode commands: prefix flashconnect
- Parameter map optimization configuration mode commands: flashconnect limit, image, urlmap non-html, xslt merge-debug, xslt pretransformer, xslt stylesheet

For information on the use of the application acceleration and configuration features of the ACE, see the updated Device Manager GUI online help system and the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide located at:

_/configuration/app_acceleration_and_optimization/guide/weboptgd.html

Note With the removal of this subset of the application acceleration functionality, an incompatibility has been introduced between release 1.2 of the Cisco Application Networking Manager (ANM) software and release A1(8.0) of the ACE appliance. Specifically, if you attempt to configure ANM 1.2 to use a removed application acceleration command, the deployment fails and ANM displays an error message related to the removed application acceleration function. To bypass this configuration issue in the ANM software, we recommend that you use the ACE appliance Device Manager to make the application acceleration and optimization configuration changes for the ACE. This incompatibility will be addressed in the next release of the ANM software.

Available ACE Licenses

By default, the ACE supports the following features and capabilities:

- Performance: 1 gigabit per second (Gbps) appliance throughput
- Virtualization: 1 admin context and 5 user contexts
- Secure Sockets Layer (SSL): 1000 transactions per second (TPS)
- Hypertext Transfer Protocol (HTTP) compression: 100 megabits per second (Mbps)
- Application Acceleration: 50 connections

You can increase the performance and operating capabilities of your ACE product by purchasing one of the licensing options. You can order your ACE product by either of these methods:

- Ordering a license bundle. Each license bundle includes the ACE appliance and a series of software licenses.
- Ordering separate license options.

You must have the Admin role in the Admin context to perform the tasks of installing, removing, and updating the license. You can access the license and show license commands only in the Admin context.

Table 3 summarizes the contents of the available license bundles. Table 4 provides a list of the default and upgrade ACE appliance licensing options.

Note Table 3 and Table 4 contain the software license models that are supported for the A1(x.x) software. Any license that you may receive that is not listed in these tables cannot be used on the A1(x.x) software.

Table 3 ACE Licensing Bundles

License Model: ACE F-K9
Description: This license bundle includes the following items:
- ACE 4710 appliance
- 2-Gbps throughput license
- 7500 SSL transactions per second (TPS) license
- 1-Gbps compression license
- 5 virtual contexts license (default)
- Application acceleration license (50 connections)

License Model: ACE F-K9
Description: This license bundle includes the following items:
- ACE 4710 appliance
- 1-Gbps throughput license
- 5000 SSL TPS license
- 500-Mbps compression license
- 5 virtual contexts license (default)
- Application acceleration license (50 connections)

Table 4 ACE Licensing Options

Feature | License Model | Description
ACE Appliance Software License | ACE-AP-SW-1.8 | A1(8.0) software.
Performance Throughput | ACE-AP-01-LIC (default) | 1-Gbps throughput.
Performance Throughput | ACE-AP-02-LIC | 2-Gbps throughput.
Performance Throughput | ACE-AP-04-LIC | 4-Gbps throughput.
Performance Throughput | ACE-AP-04-UP2 | Upgrade from 2-Gbps to 4-Gbps throughput.
Virtualization | Default | 1 admin/5 user contexts.
Virtualization | ACE-AP-VIRT | 1 admin/20 user contexts.
SSL | Default | 1000 TPS.
SSL | ACE-AP-SSL-05K-K | 5000 TPS.
SSL | ACE-AP-SSL-07K-K | 7500 TPS.
SSL | ACE-AP-SSL-UP1-K9 | Upgrade from 5000 TPS to 7500 TPS.
HTTP Compression | Default | 100 Mbps.
HTTP Compression | ACE-AP-C-500-LIC | 500 Mbps.
HTTP Compression | ACE-AP-C-1000-LIC | 1 Gbps.
HTTP Compression | ACE-AP-C-2000-LIC | 2 Gbps.
HTTP Compression | ACE-AP-C-2000-LIC= | 2-Gbps license spare.
HTTP Compression | ACE-AP-C-UP1= | Upgrade from 500 Mbps to 1 Gbps.
HTTP Compression | ACE-AP-C-UP3= | Upgrade from 1 Gbps to 2 Gbps.
Application Acceleration Feature Pack License | ACE-AP-OPT-LIC-K9 | Application acceleration and optimization. By default, the ACE performs up to 50 concurrent connections. With the application acceleration and optimization software feature pack installed, the ACE can provide greater than 50 concurrent connections. This license increases the operating capabilities of the following features: Delta optimization, Adaptive dynamic caching, Flashforward, Dynamic Etag.

ACE demo licenses are available through your Cisco account representative. A demo license is valid for only 60 days. At the end of this period, you must update the demo license with a permanent license to continue to use the ACE software. To view the expiration of a demo license, from the CLI, use the show license usage command in Exec mode.

If you need to replace the ACE appliance, you can copy and install the licenses onto the replacement appliance.

Ordering an Upgrade License and Generating a Key

This section describes the process that you use to order an upgrade license and to generate a license key for your ACE.

To order an upgrade license, follow these steps:

Step 1 Order one of the licenses from the list in the Software Feature Changes in A1(8.0) section using any of the available Cisco ordering tools on cisco.com.

Step 2 When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct you to the following Cisco.com website:
- If you are a registered user of cisco.com, go to the following location:
- If you are not a registered user of cisco.com, go to the following location:

Step 3 Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as your proof of purchase.

Step 4 Provide all the requested information to generate a license key. Once the system generates the license key, you will receive a license key with an attached license file and installation instructions.

Step 5 Save the license key in a safe place in case you need it in the future (for example, to transfer the license to another ACE).

For information on installing and managing ACE licenses:
- From the ACE appliance CLI, see Chapter 3, Managing ACE Software Licenses, in the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
- From ACE appliance Device Manager, see Chapter 2, Configuring Virtual Contexts, in the Cisco 4700 Series Application Control Engine Appliance Device Manager GUI Configuration Guide.

Note If you need to downgrade from version A1(8.0) back to A1(7x) (see the Downgrading Your ACE Software from Version A1(8.0x) to A1(7x) in a Redundant Configuration section), and your ACE includes a new 4-Gbps performance throughput license or a new 2-Gbps HTTP compression license, ensure that you first uninstall the following prior to downgrading:
- Uninstall the 4-Gbps performance throughput license and reinstall the 2-Gbps license.
- Uninstall the 2-Gbps HTTP compression license and reinstall the 1-Gbps license.
See Chapter 3, Managing ACE Software Licenses, in the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Upgrading Your ACE Software from A1(7x) to A1(8.0x) in a Redundant Configuration

Before You Begin

This procedure assumes that your ACEs are configured as redundant peers to ensure that there is no disruption to existing connections during the upgrade process. In the following procedure, the active ACE is referred to as ACE-1 and the standby ACE is referred to as ACE-2. For complete instructions on how to upgrade your ACE software, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

Before you upgrade your ACE software, be sure that your ACE configurations meet the upgrade prerequisites in the following sections:
- Changing the Admin Password
- Changing the www User Password
- Checking Your Configuration for FT Priority and Preempt

Changing the Admin Password

Before you upgrade to software version A1(8.0a) or higher, you must change the default Admin password if you have not already done so. Otherwise, after you upgrade the ACE software, you will only be able to log in to the ACE through the console port.

Caution If you do not change the Admin password prior to upgrading to A1(8.0a) or higher, configuration synchronization may fail and the context may not be in the STANDBY_HOT state.

See Chapter 1, Setting Up the ACE, in the Cisco 4700 Series Application Control Engine Appliance Administration Guide for details on changing the default Admin password.

Note If your ACE is managed by the Cisco Application Networking Manager (ANM) software, you must change the Admin password on the ANM in the Primary Attributes page instead of the ACE CLI. From the ANM, click the Change Password button on the Primary Attributes page (Config > Devices > System > Primary Attributes).

Changing the www User Password

Before you upgrade to software version A1(8.0a) or higher, you must change the default www user password if you have not already done so. Otherwise, after you upgrade the ACE software, the www user will be disabled and you will not be able to use Extensible Markup Language (XML) to remotely configure an ACE until you change the default www user password.

See Chapter 2, Configuring Virtualization, in the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for details on changing a user account password. In this case, the user is www.
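The STANDBY_WARM note in the New Redundancy State section and the license note under Ordering an Upgrade License and Generating a Key describe version and license conditions that are easy to overlook when planning a redundant upgrade or downgrade. The following script is an added example and is not Cisco's code: it parses ACE version strings such as A1(8.0a), reports which standby state this release note says to expect while the two peers run different versions (STANDBY_WARM only when both peers run A1(8.0) or higher, STANDBY_COLD across the A1(7x) boundary), and lists the license swaps required before a downgrade to A1(7x). Treating the upgrade licenses ACE-AP-04-UP2 and ACE-AP-C-UP3= the same as the full 4-Gbps and 2-Gbps licenses is an assumption of this example, as are the function names.

```python
"""Pre-flight planner for a redundant ACE upgrade or downgrade.

Added example, not Cisco code. It encodes the STANDBY_WARM rule and the
pre-downgrade license note from this release note.
"""
import re
from typing import Dict, List, NamedTuple, Set


class AceVersion(NamedTuple):
    """A1(8.0a) -> train 1, release 8, maintenance 0, letter "a".
    Plain tuple ordering yields A1(7b) < A1(8.0) < A1(8.0a)."""
    train: int
    release: int
    maintenance: int
    letter: str


_VERSION_RE = re.compile(r"^A(\d+)\((\d+)(?:\.(\d+))?([a-z]?)\)$")


def parse_version(text: str) -> AceVersion:
    """Parse the version notation used throughout this release note."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized ACE version string: {text!r}")
    train, release, maint, letter = m.groups()
    return AceVersion(int(train), int(release), int(maint or 0), letter)


# STANDBY_WARM exists only when both peers run A1(8.0) or higher.
WARM_SUPPORTED_FROM = parse_version("A1(8.0)")


def expected_standby_state(active: AceVersion, standby: AceVersion) -> str:
    """Standby redundancy state to expect while the peers run the given
    versions, following the STANDBY_WARM note in the release note."""
    if active == standby:
        return "STANDBY_HOT"
    if active >= WARM_SUPPORTED_FROM and standby >= WARM_SUPPORTED_FROM:
        return "STANDBY_WARM"  # best-effort config/state sync continues
    return "STANDBY_COLD"      # sync fails across the A1(7x)/A1(8.0) boundary


# Licenses new in A1(8.0) that the release note says to uninstall (and
# replace with the lower tier) before downgrading to A1(7x). Including the
# upgrade-license models here is an assumption of this example.
DOWNGRADE_LICENSE_SWAPS = {
    "ACE-AP-04-LIC": "ACE-AP-02-LIC",
    "ACE-AP-04-UP2": "ACE-AP-02-LIC",
    "ACE-AP-C-2000-LIC": "ACE-AP-C-1000-LIC",
    "ACE-AP-C-UP3=": "ACE-AP-C-1000-LIC",
}


def pre_downgrade_actions(target: AceVersion, installed: Set[str]) -> List[str]:
    """License swaps required before moving to a target below A1(8.0)."""
    if target >= WARM_SUPPORTED_FROM:
        return []
    return [
        f"uninstall {lic} and reinstall {repl}"
        for lic, repl in DOWNGRADE_LICENSE_SWAPS.items()
        if lic in installed
    ]


def plan(current: str, target: str, installed: Set[str]) -> Dict[str, object]:
    """Summarize what to expect and what to do first for one transition."""
    cur, tgt = parse_version(current), parse_version(target)
    direction = "downgrade" if tgt < cur else "upgrade" if tgt > cur else "none"
    return {
        "direction": direction,
        "standby_state_during_transition": expected_standby_state(cur, tgt),
        "pre_downgrade_actions": pre_downgrade_actions(tgt, installed),
    }


if __name__ == "__main__":
    print(plan("A1(7b)", "A1(8.0a)", set()))
    print(plan("A1(8.0a)", "A1(7b)", {"ACE-AP-04-LIC", "ACE-AP-C-2000-LIC"}))
```

Run the planner once per peer pair before touching the standby: a STANDBY_COLD result tells you that configuration synchronization will stop for the duration of the version mismatch, so the configuration on both peers should be saved and compared beforehand, and a non-empty pre_downgrade_actions list tells you which licenses to swap before the downgrade begins.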


More information

Implementing NAT-PT for IPv6

Implementing NAT-PT for IPv6 Implementing NAT-PT for IPv6 Last Updated: August 1, 2012 Network Address Translation--Protocol Translation (NAT-PT) is an IPv6 to IPv4 translation mechanism, as defined in RFC 2765 and RFC 2766, allowing

More information

Group Configuration Mode Commands

Group Configuration Mode Commands Group configuration mode allows you to configure a group. A group is a collection of local servers that initiate flows from within the local web farm. For example, after processing a group of real audio

More information

Managing Switch Stacks

Managing Switch Stacks Finding Feature Information, page 1 Prerequisites for Switch Stacks, page 1 Restrictions for Switch Stacks, page 2 Information About Switch Stacks, page 2 How to Configure a Switch Stack, page 14 Troubleshooting

More information

Using the Cisco NX-OS Setup Utility

Using the Cisco NX-OS Setup Utility This chapter contains the following sections: Configuring the Switch, page 1 Configuring the Switch Image Files on the Switch The Cisco Nexus devices have the following images: BIOS and loader images combined

More information

Configuring NAT for High Availability

Configuring NAT for High Availability Configuring NAT for High Availability Last Updated: December 18, 2011 This module contains procedures for configuring Network Address Translation (NAT) to support the increasing need for highly resilient

More information

IP Application Services Commands default (tracking) default {delay object object-number threshold percentage}

IP Application Services Commands default (tracking) default {delay object object-number threshold percentage} default (tracking) default (tracking) To set the default values for a tracked list, use the default command in tracking configuration mode. To disable the defaults, use the no form of this command. default

More information

Configuring the CSS as a Client of a TACACS+ Server

Configuring the CSS as a Client of a TACACS+ Server CHAPTER 4 Configuring the CSS as a Client of a TACACS+ Server The Terminal Access Controller Access Control System (TACACS+) protocol provides access control for routers, network access servers (NAS),

More information

Group Configuration Mode Commands

Group Configuration Mode Commands Chapter 2 General Commands Group Configuration Mode Commands Group configuration mode allows you to configure a group. A group is a collection of local servers that initiate flows from within the local

More information

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track Using NetFlow Filtering or Sampling to Select the Network Traffic to Track First Published: June 19, 2006 Last Updated: December 17, 2010 This module contains information about and instructions for selecting

More information

Object Groups for ACLs

Object Groups for ACLs The feature lets you classify users, devices, or protocols into groups and apply these groups to access control lists (ACLs) to create access control policies for these groups. This feature lets you use

More information

Access Control List Enhancements on the Cisco Series Router

Access Control List Enhancements on the Cisco Series Router Access Control List Enhancements on the Cisco 12000 Series Router Part Number, May 30, 2008 The Cisco 12000 series router filters IP packets using access control lists (ACLs) as a fundamental security

More information

Chapter 4 Software-Based IP Access Control Lists (ACLs)

Chapter 4 Software-Based IP Access Control Lists (ACLs) Chapter 4 Software-Based IP Access Control Lists (ACLs) This chapter describes software-based ACLs, which are ACLs that processed traffic in software or CPU. (This type of ACL was also referred to as flow-based

More information

Configuring Control Plane Policing

Configuring Control Plane Policing 21 CHAPTER This chapter describes how to configure control plane policing (CoPP) on the NX-OS device. This chapter includes the following sections: Information About CoPP, page 21-1 Guidelines and Limitations,

More information

Flexible Packet Matching XML Configuration

Flexible Packet Matching XML Configuration First Published: March 3, 2006 Last Updated: March 31, 2011 The Flexible Packet Matching XML Configuration feature allows the use of extensible Markup Language (XML) to define traffic classes and actions

More information

Configuring VRRP. Finding Feature Information. Contents

Configuring VRRP. Finding Feature Information. Contents Configuring VRRP First Published: May 2, 2005 Last Updated: July 30, 2010 The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual

More information

Configuring Bridged Mode

Configuring Bridged Mode CHAPTER 13 This chapter describes how to configure the Cisco Application Control Engine (ACE) module to bridge traffic on a single IP subnet. This chapter includes the following topics: Information About

More information

Flexible Packet Matching XML Configuration

Flexible Packet Matching XML Configuration Flexible Packet Matching XML Configuration Last Updated: January 19, 2012 The Flexible Packet Matching XML Configuration feature allows the use of extensible Markup Language (XML) to define traffic classes

More information

Deployment Guide AX Series with Oracle E-Business Suite 12

Deployment Guide AX Series with Oracle E-Business Suite 12 Deployment Guide AX Series with Oracle E-Business Suite 12 DG_OEBS_032013.1 TABLE OF CONTENTS 1 Introduction... 4 2 Deployment Prerequisites... 4 3 Oracle E-Business Topology... 5 4 Accessing the AX Series

More information

Firewall Stateful Inspection of ICMP

Firewall Stateful Inspection of ICMP The feature categorizes Internet Control Management Protocol Version 4 (ICMPv4) messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMPv4 messages that are generated

More information

Using the Cisco NX-OS Setup Utility

Using the Cisco NX-OS Setup Utility This chapter contains the following sections: Configuring the Switch, page 1 Configuring the Switch Image Files on the Switch The Cisco Nexus devices have the following images: BIOS and loader images combined

More information

Configuring the Cisco IOS XE DHCP Server

Configuring the Cisco IOS XE DHCP Server Configuring the Cisco IOS XE DHCP Server Last Updated: December 20, 2011 Cisco routers running Cisco IOS XE software include Dynamic Host Configuration Protocol (DHCP) server and relay agent software.

More information

upgrade-mp through xlate-bypass Commands

upgrade-mp through xlate-bypass Commands CHAPTER 33 upgrade-mp To upgrade the maintenance partition software, use the upgrade-mp command. upgrade-mp {http[s]://[user:password@]server[:port]/pathname tftp[://server/pathname]} tftp http[s] server

More information

Release Notes for the Cisco Global Site Selector, Release 4.1(1)

Release Notes for the Cisco Global Site Selector, Release 4.1(1) Release s for the Cisco Global Site Selector, Release 4.1(1) November, 2011 The most current Cisco documentation for released products is available on Cisco.com. For the complete set of Cisco Global Site

More information

HTTP 1.1 Web Server and Client

HTTP 1.1 Web Server and Client HTTP 1.1 Web Server and Client Last Updated: October 12, 2011 The HTTP 1.1 Web Server and Client feature provides a consistent interface for users and applications by implementing support for HTTP 1.1

More information

Configuring End-to-End SSL

Configuring End-to-End SSL CHAPTER5 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. This

More information

Configuring IPv4. Finding Feature Information. This chapter contains the following sections:

Configuring IPv4. Finding Feature Information. This chapter contains the following sections: This chapter contains the following sections: Finding Feature Information, page 1 Information About IPv4, page 2 Virtualization Support for IPv4, page 6 Licensing Requirements for IPv4, page 6 Prerequisites

More information

Zone-Based Policy Firewall High Availability

Zone-Based Policy Firewall High Availability The feature enables you to configure pairs of devices to act as backup for each other. High availability can be configured to determine the active device based on a number of failover conditions. When

More information

Static NAT Mapping with HSRP

Static NAT Mapping with HSRP This module contains procedures for configuring Network Address Translation (NAT) to support the increasing need for highly resilient IP networks. This network resiliency is required where application

More information

Troubleshooting the Security Appliance

Troubleshooting the Security Appliance CHAPTER 43 This chapter describes how to troubleshoot the security appliance, and includes the following sections: Testing Your Configuration, page 43-1 Reloading the Security Appliance, page 43-6 Performing

More information

Configuring High Availability (HA)

Configuring High Availability (HA) 4 CHAPTER This chapter covers the following topics: Adding High Availability Cisco NAC Appliance To Your Network, page 4-1 Installing a Clean Access Manager High Availability Pair, page 4-3 Installing

More information

NAT Box-to-Box High-Availability Support

NAT Box-to-Box High-Availability Support The feature enables network-wide protection by making an IP network more resilient to potential link and router failures at the Network Address Translation (NAT) border. NAT box-to-box high-availability

More information

Configuring Cache Services Using the Web Cache Communication Protocol

Configuring Cache Services Using the Web Cache Communication Protocol Configuring Cache Services Using the Web Cache Communication Protocol Finding Feature Information, page 1 Prerequisites for WCCP, page 1 Restrictions for WCCP, page 2 Information About WCCP, page 3 How

More information

Configuring an Optimization HTTP Action List

Configuring an Optimization HTTP Action List CHAPTER 2 Configuring an Optimization HTTP Action List This chapter describes how to configure an optimization HTTP action list for the Cisco 4700 Series Application Control Engine (ACE) appliance. An

More information

eigrp log-neighbor-warnings through functions Commands

eigrp log-neighbor-warnings through functions Commands CHAPTER 12 eigrp log-neighbor-warnings through functions Commands 12-1 eigrp log-neighbor-changes Chapter 12 eigrp log-neighbor-changes To enable the logging of EIGRP neighbor adjacency changes, use the

More information

Configuring Application Visibility and Control for Cisco Flexible Netflow

Configuring Application Visibility and Control for Cisco Flexible Netflow Configuring Application Visibility and Control for Cisco Flexible Netflow First published: July 22, 2011 This guide contains information about the Cisco Application Visibility and Control feature. It also

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT The Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT feature supports the forwarding of packets from a standby

More information

Configuring Application Protocol Inspection

Configuring Application Protocol Inspection CHAPTER 3 Configuring Application Protocol Inspection This chapter describes how to configure application protocol inspection for the Cisco 4700 Series Application Control Engine (ACE) appliance. Application

More information

Configuring the DHCP Relay

Configuring the DHCP Relay CHAPTER 6 This chapter describes how Dynamic Host Configuration Protocol (DHCP) servers provide configuration parameters to DHCP clients. DHCP supplies network settings, including the host IP address,

More information

Configuring the CSS for Device Management

Configuring the CSS for Device Management CHAPTER 2 Configuring the CSS for Device Management Before you can use the WebNS Device Management user interface software, you need to perform the tasks described in the following sections: WebNS Device

More information

Using Setup Mode to Configure a Cisco Networking Device

Using Setup Mode to Configure a Cisco Networking Device Using Setup Mode to Configure a Cisco Networking Device First Published: August 9, 2005 Last Updated: December 3, 2010 Setup mode provides an interactive menu to help you to create an initial configuration

More information

Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports

Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports First Published: August 18, 2006 Last Updated: July 31, 2009 This module describes how to use an IP access list to filter

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Command Manual Network Protocol. Table of Contents

Command Manual Network Protocol. Table of Contents Table of Contents Table of Contents Chapter 1 IP Address Configuration Commands... 1-1 1.1 IP Address Configuration Commands... 1-1 1.1.1 display ip host... 1-1 1.1.2 display ip interface... 1-1 1.1.3

More information

Upgrading from TrafficShield 3.2.X to Application Security Module 9.2.3

Upgrading from TrafficShield 3.2.X to Application Security Module 9.2.3 Upgrading from TrafficShield 3.2.X to Application Security Module 9.2.3 Introduction Preparing the 3.2.X system for the upgrade Installing the BIG-IP version 9.2.3 software Licensing the software using

More information