Cisco Catalyst 9130 Series
Access Point Deployment Guide
Deployment Guide
Cisco Public
© 2020 Cisco and/or its affiliates. All rights reserved.
Contents
Cisco Catalyst 9130 Series overview: 3
Designed for next-generation mobility 3
Key features of the Cisco Catalyst 9130 Series 3
Key features of the Cisco Catalyst 9130 Series 4
Mounting options 6
Channel rail adapter 8
Power over Ethernet (PoE) 13
Integrated Cisco RF ASIC 14
Cisco Catalyst 9130I internal antenna system 15
Antenna improvements 16
Cisco Catalyst 9130E (external antenna model) 19
Legacy antenna support 20
About Self-Identifying Antennas 25
About Flexible Radio Assignment 40
FRA and dual 5 GHz operation 40
Dual DFS - RF ASIC 43
FastLocate - RF ASIC 43
Use cases 44
Use cases 45
WLAN best practices 48
General installation notes 49
Antenna cable recommendations 50
Appendix 52
This guide is intended for experienced, trained technical staff who are familiar with the existing Cisco® wireless enterprise networking product line and its features.
Cisco Catalyst 9130 Series overview:
Designed for next-generation mobility
The Cisco Catalyst® 9130 Series Access Points deliver high-performance Wi-Fi 6 capabilities together with innovative advances in RF performance, security, and analytics, enabling end-to-end digitization. With network performance that goes beyond traditional Wi-Fi, they accelerate the rollout of business services.
● Resilient: Even in demanding environments, up to 4x the capacity of 802.11ac access points improves efficiency and provides cellular-like determinism
● Secure: These access points support built-in security and Software-Defined Access (SD-Access), and provide standards-based, enhanced security for open Wi-Fi
● Intelligent: With multi-RF support, which is essential for Internet of Things (IoT) devices and an expanded ecosystem of partners, the Catalyst 9100 portfolio gives unprecedented visibility into mobile devices on a Cisco network and enhances Cisco DNA Assurance
Catalyst 9100 access points have built-in security features such as secure boot, runtime defenses, image signing, integrity verification, and hardware trustworthiness. With Wi-Fi 6, the 9100 portfolio provides reliable wireless that meets the needs of branch and campus network deployments.
Key features of the Cisco Catalyst 9130 Series
● Next-generation Wi-Fi 6 (802.11ax) access point with 4x4 MIMO (Multiple-Input Multiple-Output) and four spatial streams:
◦ 8x8:8 at 5 GHz, single or dual 4x4:4, with downlink/uplink Orthogonal Frequency Division Multiple Access (OFDMA)
◦ 4x4:4 at 2.4 GHz with multi-user MIMO (MU-MIMO) and downlink/uplink OFDMA
● Cisco DNA ready
● Cisco RF application-specific integrated circuit (ASIC) with next-generation Cisco CleanAir® and upgradable RF capabilities
● Integrated Bluetooth Low Energy (BLE) radio (Bluetooth 5.0)
● Multigigabit Ethernet (1 Gbps, 2.5 and 5 Gbps)
● USB
● Support for up to 500 Wi-Fi devices
● IoT ready (Zigbee, Thread)
● Internal and external antenna options
● 9130I operating temperature: 0 to 50°C (32 to 122°F)
● 9130E operating temperature: -20 to 50°C (-4 to 122°F)
Key features of the Cisco Catalyst 9130 Series
● OFDMA and MU-MIMO: Predictable performance for advanced applications and IoT
● Superior security through RF signature capture, rogue detection, and device classification
● Container support: Multilingual access point with Docker support for hosting IoT applications
● Multigigabit support: Offloads network traffic seamlessly without bottlenecks, delivering high throughput at minimal cost
● Built-in Bluetooth 5.0: Multi-RF technology that enables IoT use cases
● Internal and external antenna support: Deployment options that flexibly accommodate different campus types
● Multiple input power options, from 802.3af (with limitations) to 802.3bt
Cisco Catalyst 9100 access points also support SD-Access, Cisco's advanced enterprise architecture.
Choosing the right access point (models 9130I and 9130E)
Figure 1. Cisco Catalyst 9130I (with internal antennas) and 9130E (external antennas required) access points
Use cases for the 9130I model
● Aesthetics (carpeted areas)
● No additional antenna cost
● Fewer items to install
● May be suitable for high ceilings
Use cases for the 9130E model
● Industrial applications that require operation at high temperatures
● External or directional antennas required (indoor/outdoor use)
● Need for extended range or focused energy
● Dual 5 GHz (covering different cell areas), directional or omnidirectional
● Use of legacy single-band antennas or separate 2.4 GHz and 5 GHz cells
New mechanical design of the Cisco Catalyst 9130 Series
The Cisco Catalyst 9100 access points were redesigned from the ground up, resulting in a smooth, aerodynamic appearance. They incorporate RF excellence and next-generation technology to provide an uncompromising, best-in-class wireless experience. While packing in multiple high-performance features, the redesigned hardware and efficiency-focused design keep the form factor compact, making Wi-Fi deployments easy, starting with their appearance.
Figure 2. Dimensions: 9130I model
Figure 3. Dimensions: 9130E model
Note: The 9130 Series is about 13% lighter and 25% smaller than the Cisco Aironet® 2800 Series, yet it can be deployed easily using the same AIR-BRACKET-1 and AIR-BRACKET-2 mounting hardware.
Mounting options
A variety of mounting options are available to suit customer requirements. Brackets are available from Cisco and from third-party companies. At ordering time, the customer may choose one of the two brackets (not both). Each bracket is a $0 option at configuration. If the customer does not select a bracket, the common ceiling-mount bracket AIR-AP-BRACKET-1 is selected by default. The other choice is the universal bracket, part number AIR-AP-BRACKET-2.
Figure 4. The two mounting brackets
When mounting the AP directly to a grid ceiling, the AIR-AP-BRACKET-1 bracket allows a flush, low-profile installation and is the least obtrusive. However, when mounting the AP to an electrical junction box or other fixture, inside a NEMA (National Electrical Manufacturers Association) enclosure, or on a wall, AIR-AP-BRACKET-2 is the better choice. The extra space in this bracket can be used for cabling, and its additional holes line up with many common electrical junction boxes. When mounting the bracket to a grid ceiling, note that some ceiling tiles are recessed; therefore, two different shapes of ceiling clip are available, for recessed and flush rails. See the figures below.
Figure 5. Clips for mounting to a ceiling grid
Figure 6. Securing the AP
If the AP must be secured to the bracket, this can be done as shown in the figure above.
Channel rail adapter
When mounting the AP to a ceiling channel rail like the one shown in the following figure, use the optional channel adapter AIR-CHNL-ADAPTER. It comes as a pack of two and attaches to the ceiling grid clip. See Figures 8 and 9.
Figure 7. Example of a channel rail
Figure 8. Sliding the AIR-CHNL-ADAPTER (left) onto the rail
Figure 9. AIR-CHNL-ADAPTER attached to the rail clip (left) and installation complete (right)
Wall mounting the AP
If wall mounting is required, understand that the wall can be a physical obstruction to the wireless signal and may therefore compromise 360-degree coverage. If the wall is an exterior wall, or if the goal is to send the signal in a 180-degree pattern instead of 360 degrees, it may be better to use the external antenna model and choose a directional antenna, often called a "patch" antenna.
Because the internal antenna model is designed to be ceiling mounted and provide 360-degree coverage, avoid wall mounting an AP with internal antennas unless an optional right-angle mount (third party) is used.
Figure 10. AccelTex wall-mount solution for 9115AX, 9117AX, 9120AX, and 9130 Series access points
Many types of mounting solutions are available; products from the following third-party companies are recommended:
Oberon: www.beroninc.com/
AccelTex: www.acceltex.com/
Ventev: www.ventev.com/
When an AP is wall mounted rather than facing down from the ceiling, its signal can pass through to the floors above and below. This can create unintended coverage; for example, a user with a mobility client such as a Wi-Fi phone walking on an adjacent floor may experience additional, unwanted roaming.
Figure 11. Considerations when wall mounting the 9130 Series
Changing the color of the AP
If you want to change the color of the AP, note that painting the AP voids the warranty; consider using colored vinyl tape or a colored plastic cover from Oberon instead.
Figure 12. Oberon third-party options for changing the AP color, adding a custom logo, or hiding the LED
Figure 13. AccelTex vinyl "skins"
Another third-party option is a vinyl "skin," as shown in the figure above.
Above the ceiling tile
The Cisco Catalyst 9130I and 9130E are rated for installation in plenum spaces (UL-2043). Many customers choose to install APs so that nothing is visible on the ceiling (for aesthetic reasons); in that case, the AP can be placed above a suspended ceiling. This approach may also be appropriate in locations with frequent theft, such as classrooms, or where policy dictates that nothing be visible on the ceiling.
If this is a strict requirement, optional T-bar hanger accessories from third-party companies such as Erico and Cooper can be used. T-bar grid hangers such as the Erico Caddy 512a or Cooper B-Line BA50a can be used.
For more information, see:
Erico
Eaton
Figure 14. Example of suspending an AP above a ceiling tile
Note: Install the AP above the ceiling tile only when below-ceiling mounting is not an option. The tiles must be non-conductive. Such installations degrade advanced RF features such as voice and location, so verify coverage and performance. Mount the AP as close as possible to the center of the tile and avoid areas with obstructions.
Figure 15. Installing an AP above a ceiling tile: choose an unobstructed location and avoid ceiling clutter
High-vibration areas
If the access point is installed on a "side-arm" type mount or in a location subject to high vibration, it is recommended to use a padlock or metal pin so that the AP cannot vibrate loose and fall out of the bracket.
Figure 16. A metal pin or padlock is preferable to a plastic tie because it does not degrade over time
Power over Ethernet (PoE)
The 9130 Series offers flexible power options, even with the limited power of 802.3af.
Table 1. 9130 Series power consumption

Catalyst 9130AXI
| PoE standard | 2.4 GHz radio | 5 GHz radio | Link speed | USB | LLDP power consumption |
| 802.3at (PoE+) | 4x4 | 8x8 | 5G | N | 25.5W |
| 802.3at (PoE+) | 4x4 | 4x4 | 5G | Yes [4.5 W] | 25.5W |
| 802.3bt (UPoE) | 4x4 | 8x8 | 5G | Yes [4.5 W] | 30.5W |

Catalyst 9130AXE
| PoE standard | 2.4 GHz radio | 5 GHz radio | Link speed | USB | LLDP power consumption |
| 802.3at (PoE+) | 4x4 | 4x4 | 5G | Yes [4.5 W] | 25.5W |
| 802.3bt (UPoE) | 4x4 | 8x8 | 5G | Yes [4.5 W] | 30.5W |

Catalyst 9130AXI / 9130AXE
| PoE standard | 2.4 GHz radio | 5 GHz radio | Link speed | USB | LLDP power consumption |
| 802.3af PoE | 1x1 | 1x1 | 1G | N | 13.4W |

Note: The recommended Ethernet cable is CAT-6, with a maximum run of 100 m (328 feet). The power required at the power sourcing equipment (PSE) varies with cable length and other environmental factors.
Figure 17. Cisco Multigigabit products
Cisco offers Multigigabit products that can easily power these access points.
Integrated Cisco RF ASIC
The RF ASIC integrated into the Cisco Catalyst 9130 Series improves the RF spectrum and performance of the access point's client-serving radios.
Next-generation Wi-Fi 6 access points such as the Cisco Catalyst 9130 Series carry a new radio based on a custom-designed Cisco device called an ASIC (application-specific integrated circuit). Because all detailed RF analysis runs on the RF ASIC, this analysis radio improves the performance of the access point's client-serving radios.
The function of the Cisco RF ASIC (actually two ASIC chips) is to analyze the frequency or frequency range of interest and convert the received RF signal into quadrature signals known as I/Q data. The I/Q data is then passed to the second ASIC, a dedicated baseband processor. This baseband processor is used for detailed RF analysis (determining subtle changes in the phase, amplitude, and modulation characteristics of the signal under examination).
The Spectrum Analysis Engine (SAgE), custom designed to identify non-Wi-Fi interference sources, evaluates the I/Q data at maximum resolution using the simplest and most effective method.
The RF ASIC not only includes CleanAir and SAgE; it is far more advanced, proprietary hardware that will support advanced features through future software upgrades.
The initial functions of the RF ASIC include all the capabilities of CleanAir and SAgE, plus the ability to detect DFS events in order to enhance the dynamic frequency selection (DFS) analysis of the serving radios. This greatly improves spectrum analysis and provides a constant "second opinion" on the radio spectrum; this is called dual DFS. The RF ASIC also plays an important role in Cisco RRM (Radio Resource Management) by providing off-channel analysis.
Figure 18. Cisco Catalyst 9130I with the Cisco RF ASIC chip
Cisco Catalyst 9130I internal antenna system
Figure 19. 9130I internal antenna system
The 9130I contains one of the most advanced antenna systems available on an access point.
The default configuration of the main serving radios is as follows:
● The dedicated 5 GHz radio is connected to 4 dBi dual-band client-serving antennas.
● In 5 GHz 8x8 mode, all four dual-band antennas and all four micro antennas are used, but the 2.4 GHz radio, which uses the dual-band antennas, is also active in 4x4 mode.
● Unlike earlier models, the XOR (exclusive OR) radio is no longer tied to the 2.4 GHz radio (which is active regardless of the XOR state).
● In dual 5 GHz mode, the 8x8 5 GHz radio changes from 8x8 to 4x4, and the secondary 5 GHz radio can operate independently on the micro antennas, enabling a true dual micro/macro cell approach.
In addition to the serving radio antennas, there are two more antennas:
● A BLE (IoT) antenna with 2.5 dBi gain
● An RF ASIC antenna with 4.5 dBi gain at 2.4 GHz and 5 dBi gain at 5 GHz
The RF ASIC antenna connects to the dedicated software-defined radio for spectrum analysis and other advanced RF features. The RF ASIC antenna has the same design as the serving radio antennas and provides a view of the network similar to that of the serving radios.
Antenna improvements
The new antenna design of the Cisco Catalyst 9130 Series is an improvement on the earlier Aironet 4800i. Micro cell antenna coverage has been improved, and a new concept called the "meso" cell has been introduced. A meso cell is a hybrid of a macro cell and a micro cell. This hardware innovation enables improved micro cell coverage in new software releases.
Figure 20. Comparison of antenna coverage between the Cisco Catalyst 9130I and the Aironet 4800 Series
Figure 21. Cisco Catalyst 9130I antenna pattern (dual-band 5 GHz)
Figure 22. Cisco Catalyst 9130I antenna pattern (single-band 5 GHz)
Figure 23. Cisco Catalyst 9130I antenna pattern (dual-band 2.4 GHz)
Figure 24. Cisco Catalyst 9130I antenna pattern, RF ASIC (AUX dual-band)
Figure 25. Cisco Catalyst 9130I antenna pattern, BLE and IoT
Cisco Catalyst 9130E (external antenna model)
Figure 26. 9130E antenna connector
Note: The 9130E requires an external antenna system. The yellow cover (left) must be removed and a suitable antenna system attached to the 8-port DART "smart" connector, which is exposed when the yellow cover is removed. Do not operate the unit without a suitable antenna.
Figure 27. 9130E antenna connector detail
The 9130E uses the smart antenna connector (shown above). It has no internal antennas and no RP-TNC connectors. If older antennas with RP-TNC or "N" type connectors are required, the corresponding adapter cables can be used.
About the smart antenna connector (DART-8)
On the 9130E, the older single-RF RP-TNC connectors were impractical for modes such as dual 5G, 4x4 + 4x4 + (4x4 at 2.4 GHz). Cisco developed DART-8 to simplify installation and to create a single-insertion cable that fits the new line of Self-Identifying Antennas (SIA), which carry circuitry that automates provisioning and detection. Because of this connector, the special professional-install models (part numbers ending in "-P") are no longer needed. Customers who already own antennas can connect them to the 9130E through the DART-8 (smart adapter cable).
Legacy antenna support
The Cisco Catalyst 9130E is designed for use with SIAs terminated with the smart antenna connector (DART-8). When a DART adapter cable is used, the AP enters legacy antenna mode. Depending on the adapter used, antennas of up to 6 dBi (with RP-TNC) or up to 13 dBi (with "N" type connectors) can be used.
Figure 28. Cisco AIR-CAB-002-D8-R= connector for legacy antennas (up to 6 dBi, RP-TNC connectors)
Figure 29. Cisco AIR-CAB-003-D8-N= for legacy antennas (up to 13 dBi, "N" type connectors)
When AIR-CAB-002-D8-N= is used, earlier antennas designed for professional installation (model numbers ending in "-P") can be used with the 9130E, so there is no "-P" model of the 9130E.
Note: The 4-port DART adapter used with the Cisco Catalyst 9120AXE (Cisco part number AIR-CAB-002-DART-R=) is not compatible with the new Cisco Catalyst 9130E access point.
About tri-radio support on the Cisco Catalyst 9130 Series
Figure 30. Default mode of the 9130 Series
The Cisco Catalyst 9130 Series can run 5 GHz in 8x8 mode or in dual 5 GHz 4x4 mode.
The default mode of the 9130 Series is 5 GHz 8x8 and 2.4 GHz 4x4. The default mode improves performance primarily in MU-MIMO client environments and maximizes throughput per radio. In this mode, data rates increase while range shrinks, and the larger number of receivers listening to clients improves maximal ratio combining (MRC).
Figure 31. Dual 5 GHz 4x4 mode
Changing the 5 GHz radio operation from 8x8 to two independent 5 GHz 4x4 radios can be beneficial in some cases. The advantage of dual 5 GHz 4x4 radios is that macro/micro cell operation becomes possible, which is very useful in high-density environments. It can also improve performance for a larger number of clients when few Wi-Fi 6 capable clients are present, when two distinct 5 GHz Wi-Fi coverage cells are needed, or when an operating mode such as monitoring must be changed.
Table 2. Example operating modes and criteria for the Cisco Catalyst 9130 Series
| 5 GHz radio role: Radio 1 | Radio 2 | Driver |
| 8x8 client serving | None | Preferred operation at 160 MHz or 80+80 MHz; growing number of MU-MIMO stations; low channel reuse requirement; growing number of required spatial streams (SS) |
| 4x4 client serving | 4x4 client serving | High client density and capacity requirements; directional antenna units (coverage slices); operation at 80 MHz or below |
| 4x4 client serving | Monitor | Declining number of MU-MIMO stations; low density with improved channel reuse; monitoring applications require 4x4 RX |
Configuring tri-radio on the Cisco Catalyst 9130 Series
At initialization (the default), the 9130 Series is in 2.4 GHz 4x4 and 1x 5 GHz 8x8 mode. Note that at the radio interface configuration level, Dual Radio Mode reads [Auto (disabled)]. "Auto" indicates that the radio is assigned by Flexible Radio Assignment (FRA); "disabled" indicates that it is assigned as 8x8 or has not yet been evaluated by FRA. If FRA assigns dual 5 GHz mode, "disabled" becomes "enabled". In either case, "Auto" indicates that the radio is in FRA mode and has not been manually overridden. All eight antennas are assigned to this single interface.
The interface list also shows both slot 1 and slot 2 of the same AP. However, slot 2 is grayed out because it is already active as part of the 8x8 mode of slot 1 and cannot be addressed as slot 2. To enable dual-band mode, select [Enabled] under [Dual Radio Mode]. This manually splits the 8x8 into two independently functioning 4x4 radios.
The slot 1 radio switches to using only four antennas. The slot 2 radio becomes active and is also configured with four antenna chains. Each 4x4 radio becomes an independent interface that can be assigned a different channel and serve a different group of users.
Note: Once the admin status of the secondary radio has been enabled, you must disable the admin status of the secondary radio first before disabling dual radio mode; otherwise, the following warning is displayed.
In other words, after dual 5 GHz has been assigned manually, to manually return to 8x8 single-radio mode, the second 5 GHz interface must first be disabled so that it is released back to the primary radio in slot 1.
With slot 1 and slot 2 enabled, slot 2 has its own independent configuration and is assigned four of the eight available antennas.
FRA configuration for tri-radio is the same as for other Cisco FRA-capable APs. An FRA role must be selected. [Auto] places the radio under FRA control; [Client Serving] makes it an active interface serving clients and beacons; [Monitor] only scans all channels in the 5 GHz band.
Role selection is available on both interfaces or on only one, depending on the Dual Radio Mode setting. When Dual Radio Mode is enabled, both interfaces are assignable by FRA and each has an independent role selection. In [Auto] mode, FRA can choose either [Client Serving] or [Monitor], based on the number of active 5 GHz interfaces available and whether non-interfering channels can be assigned to the first and second 5 GHz interfaces.
Under FRA control, a 5 GHz interface may not be assigned to client serving. This happens when no non-interfering channel is available for assignment by RRM's Dynamic Channel Assignment (DCA), usually because of channel exhaustion based on over-the-air measurements (many 5 GHz interfaces packed closely together). To free up more channels, review the channel bandwidth being assigned. Setting the channel bandwidth to 80 MHz consumes four channels per interface, so in dual 5 GHz mode one AP requires eight channels. Reconfiguring the channels to 40 MHz frees four channels per dual 5 GHz AP, allowing more interfaces to be active without interference.
About Self-Identifying Antennas
Figure 32. Self-Identifying Antenna
With the release of the 9130E, three new antennas with the smart antenna connector have been introduced. These antennas feature a new industrial design created to complement the access point.
Note: These three antennas fully support 5 GHz in 8x8 mode and 2.4 GHz in 4x4 mode, and include BLE/IoT and RF ASIC capability. However, because of their small size, they do not support dual 5 GHz. Higher-gain antennas with additional capabilities and modes, such as dual 5 GHz, are also planned.
C-ANT9101= Ceiling-mount omnidirectional (similar to AIR-ANT2524V4C-R=)
C-ANT9102= Wall/pole-mount omnidirectional (similar to AIR-ANT2544V4M-R=)
C-ANT9103= Wall/pole-mount patch (similar to AIR-ANT2566D4M-R=)
The above antennas come with a single insertion cable, and each antenna carries SIA circuitry that automates provisioning and detection. Each antenna also has an indicator light (LED), similar to the light on the access point, that can show an "active" status on the antenna.
Figure 33. C-ANT9101= ceiling-mount omnidirectional antenna
The Cisco C-ANT9101 ceiling-mount omnidirectional antenna can be mounted in the center of a tile and is less obtrusive than an access point mounted on the ceiling rail (next to the antenna on the right in the figure above). This allows the AP to be placed above the ceiling tile.
Figure 34. C-ANT9101 antenna pattern (2.4 GHz dual-band)
Figure 35. C-ANT9101 antenna pattern (5 GHz dual-band)
Figure 36. C-ANT9101 antenna pattern (5 GHz single-band)
Figure 37. C-ANT9101 antenna pattern (2.4 GHz RF ASIC/AUX)
Figure 38. C-ANT9101 antenna pattern (5 GHz RF ASIC/AUX)
Figure 39. C-ANT9101 antenna pattern (2.4-GHz BLE/IoT)
Figure 40. C-ANT9102= wall/pole-mount omnidirectional antenna
The Cisco C-ANT9102 wall/pole-mount omnidirectional antenna can be installed where pole or wall mounting is required, such as manufacturing floors and retail stores. It is a Self-Identifying Antenna with an active LED similar to the access point's LED. The radome material is Lexan EXL 9330, and the antenna is terminated with the smart 8-port DART antenna connector.
Figure 41. C-ANT9102 antenna pattern (2.4 GHz dual-band)
Figure 42. C-ANT9102 antenna pattern (5 GHz dual-band)
Figure 43. C-ANT9102 antenna pattern (5 GHz single-band)
Figure 44. C-ANT9102 antenna pattern (2.4 GHz RF ASIC/AUX)
Figure 45. C-ANT9102 antenna pattern (5 GHz RF ASIC/AUX)
Figure 46. C-ANT9102 antenna pattern (2.4-GHz BLE/IoT)
Figure 47. C-ANT9103= 6 dBi wall/pole-mount directional antenna
The Cisco C-ANT9103 wall/pole-mount directional antenna can be installed where pole and wall mounting is required, such as manufacturing floors and retail stores. It is a Self-Identifying Antenna with an active LED similar to the access point's LED.
Figure 48. C-ANT9103= (with the optional AP bracket AIR-AP-BRACKET-9=)
With the optional bracket, the AP can be mounted behind the antenna.
This smart antenna with LED has a right-angle DART connector that gives the AP a clean, "low-profile" appearance.
Figure 49. C-ANT9103 antenna pattern (2.4 GHz dual-band)
Figure 50. C-ANT9103 antenna pattern (5 GHz dual-band)
Figure 51. C-ANT9103 antenna pattern (5 GHz single-band)
Figure 52. C-ANT9103 antenna pattern (2.4 GHz RF ASIC/AUX)
Figure 53. C-ANT9103 antenna pattern (5 GHz RF ASIC/AUX)
Figure 54. C-ANT9103 antenna pattern (2.4-GHz BLE/IoT)
External antennas supported on the Cisco Catalyst 9130E
Table 3. External antennas
| Part number | Description | Gain |
| C-ANT9101= | Ceiling-mount omnidirectional Self-Identifying Antenna, 8 ports, with DART connector. | 4 dBi (2.4 GHz), 4 dBi (5 GHz) |
| C-ANT9102= | Pole- or wall-mount omnidirectional Self-Identifying Antenna, Bluetooth, 8 ports, with DART connector. | 4 dBi (2.4 GHz), 4 dBi (5 GHz) |
| C-ANT9103= | Pole- or wall-mount 75° directional Self-Identifying Antenna, Bluetooth, 8 ports, with DART connector. | 6 dBi (2.4 GHz), 6 dBi (5 GHz) |
| AIR-ANT2513P4M-N= | Patch antenna, 4 ports, with N connectors. Note: connect to the AP using AIR-CAB003-D8-N=. | 13 dBi (2.4 GHz), 13 dBi (5 GHz) |
| AIR-ANT2524V4C-R | Ceiling-mount omnidirectional antenna, 4 ports, with RP-TNC connectors. Note: connect to the AP using AIR-CAB002-D8-R=. | 2 dBi (2.4 GHz), 4 dBi (5 GHz) |
| AIR-ANT2524V4C-RS= | Ceiling-mount omnidirectional Self-Identifying Antenna, 4 ports, with RP-TNC connectors. | 2 dBi (2.4 GHz), 4 dBi (5 GHz) |
| AIR-ANT2544V4M-R | Wall-mount omnidirectional antenna, 4 ports, with RP-TNC connectors. Note: connect to the AP using AIR-CAB002-D8-R=. | 4 dBi (2.4 GHz), 4 dBi (5 GHz) |
| AIR-ANT2544V4M-RS= | Wall-mount omnidirectional Self-Identifying Antenna, 4 ports, with RP-TNC connectors. | 4 dBi (2.4 GHz), 4 dBi (5 GHz) |
| AIR-ANT2566D4M-R | 60-degree patch antenna, 4 ports, with RP-TNC connectors.¹ Note: connect to the AP using AIR-CAB002-D8-R=. | 6 dBi (2.4 GHz), 6 dBi (5 GHz) |
| AIR-ANT2566D4M-RS= | 60-degree patch Self-Identifying Antenna, 4 ports, with RP-TNC connectors. | 6 dBi (2.4 GHz), 6 dBi (5 GHz) |
| AIR-ANT2566P4W-R= | Directional antenna, 4 ports, with RP-TNC connectors. Note: connect to the AP using AIR-CAB002-D8-R=. | 6 dBi (2.4 GHz), 6 dBi (5 GHz) |
| AIR-ANT2566P4W-RS= | Directional Self-Identifying Antenna, 4 ports, with RP-TNC connectors. | 6 dBi (2.4 GHz), 6 dBi (5 GHz) |
¹ In the United States, UNII-1 channels may be used indoors only.
Dual 5 GHz operation and external antennas
As noted above, the AIR-ANT9101, AIR-ANT9102, and AIR-ANT9103 do not support dual 5 GHz mode. Their physical design is small and lacks the RF isolation required for dual 5 GHz operation.
Other antennas that support dual 5 GHz operation are under development, but for now, to use dual 5 GHz, use the 9130I (internal antenna model) or, with the 9130E, the smart DART-8 adapter. This adapter allows many of the current antennas in the table above to be used in dual 5 GHz mode.
Figure 55. Left: AIR-CAB-002-D8-R= (RP-TNC connectors); right: AIR-CAB-003-D8-N= ("N" type connectors)
In the figure below, the DART adapter splits the cable into two groups of four antennas.
Figure 56. DART adapter and RF connections
| DART label | RF connection |
| A | 2.4/5 GHz (dual-band) |
| B | 2.4/5 GHz (dual-band) |
| C | 2.4/5 GHz (dual-band) |
| D | 2.4/5 GHz (dual-band) |
| E | 5 GHz |
| F | 5 GHz |
| G | 5 GHz |
| H | 5 GHz |
The Cisco DART cable assembly provides two groups of four antennas, and each connector is labeled.
In dual 5 GHz mode, ports A through D carry 2.4 and 5 GHz (4x4 mode), and ports E through H carry the secondary 5 GHz radio.
This makes it possible to use directional antennas to send 2.4 or 5 GHz in one direction and the secondary 5 GHz in a completely different direction.
Figure 57. Using directional antennas with the DART adapter
Because these external antennas are so flexible, any combination of micro and macro cells is possible, and different cell areas (indoor/outdoor) can be covered as needed (one set of radios for patient rooms and the other for corridors, for example). With the DART cable adapter, the full value of this RF flexibility can be realized.
However, it is important to isolate the 4x4 antennas from each other so that no performance degradation occurs. Use directional antennas, or, if omnidirectional antennas are used, provide adequate spacing (2 meters or more). The following illustrates the general idea of isolation.
Figure 58. Creating RF isolation
Mount the antennas as far apart from each other as possible, and follow the isolation guidelines in the section on FRA and dual 5 GHz operation that follows.
About Flexible Radio Assignment
The Cisco Catalyst 9130 Series Access Points have the Flexible Radio Assignment (FRA) feature. The AP is a tri-band radio because it has a dedicated, flexible 8x8 5 GHz radio that can be split into two separate 4x4 radios as needed (the access point supports two distinct 5 GHz 4x4 radios, so each can be configured independently to serve clients).
Unlike earlier Cisco products, which disabled the 2.4 GHz radio when moving to dual 5 GHz mode, the 9130 Series access points have a dedicated 2.4 GHz radio that remains active (regardless of the 5 GHz state) and shares the four primary dual-band antennas (ports A through D) with the 5 GHz radio, so 2.4 GHz 4x4 operation functions concurrently.
When operating in dual 5 GHz mode, primary antenna ports A through D operate in dual-band mode, supporting both 2.4 GHz and 5 GHz simultaneously.
FRA and dual 5 GHz operation
Managing dual 5 GHz cells is one of the most important functions of FRA. A dual 5 GHz AP has two operating modes:
● Macro/micro: A large cell with a smaller cell inside it. Doubles capacity within the footprint of a single cell.
● Macro/macro: Two independent 5 GHz cells. Doubles the coverage of a single conventional dual-band AP (macro/macro mode is supported only on the 9120AXE and 9130E, when external antennas that support it are used).
Macro/micro mode applies to the Cisco Catalyst 9130I model because its internal antennas are designed to support cell-in-cell deployments. Considerable design effort went into isolating the two cells at the device so that this feature would be effective; the result is isolation through antenna polarity and frequency separation.
FRA and DCA impose a number of configuration requirements when operating as dual 5 GHz macro/micro:
● Minimum 100 MHz channel separation (frequency diversity)
● Micro cell power limited to the minimum
● The same service set identifier (SSID) on each cell
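The two frequency rules that FRA and DCA enforce here (a minimum of 100 MHz between the macro and micro channels) and the channel-exhaustion arithmetic from the tri-radio configuration section (80 MHz consumes four 20 MHz channels per interface, so a dual 5 GHz AP needs eight, while 40 MHz needs four) can be checked by a small planner. The following is an added example written for this guide; it is not Cisco code and is not how the controller implements FRA or DCA. It assumes the standard 802.11 mapping of 5 GHz channel number to center frequency (5000 + 5 × channel, so channel 36 is 5180 MHz), assumes 40 and 80 MHz bonded channels are the aligned groups starting at channel 36, models 20/40/80 MHz only (not 160 or 80+80), and counts 20 MHz channels without modelling spatial reuse, DFS availability or regulatory domain. The channel pair 36/108 is the one used in the utilization figure later in this section.

```python
"""Dual 5 GHz channel planner (added example, not Cisco code).

Assumptions (not stated in the guide):
- 5 GHz center frequency in MHz = 5000 + 5 * channel (channel 36 = 5180 MHz).
- 40/80 MHz bonded channels are aligned groups of 20 MHz channels
  starting at channel 36 (36-48, 52-64, 100-112, ...).
- 160 MHz and 80+80 MHz are not modelled.
- The exhaustion bound counts 20 MHz channels only and ignores spatial
  reuse, DFS availability and regulatory domain.
"""

# Every 20 MHz channel in the 5 GHz band (UNII-1, UNII-2, UNII-2e, UNII-3).
CHANNELS_20MHZ = [36, 40, 44, 48, 52, 56, 60, 64,
                  100, 104, 108, 112, 116, 120, 124, 128,
                  132, 136, 140, 144, 149, 153, 157, 161, 165]

MACRO_MICRO_MIN_SEPARATION_MHZ = 100  # FRA/DCA requirement from the guide


def centre_mhz(channel):
    """Center frequency of a 20 MHz channel (assumed 5000 + 5 * n)."""
    return 5000 + 5 * channel


def occupied_channels(primary, width_mhz):
    """Return the 20 MHz channels a bonded channel of width_mhz occupies.

    The bonded block is the aligned group containing `primary`, e.g.
    occupied_channels(36, 80) -> [36, 40, 44, 48].
    """
    if width_mhz not in (20, 40, 80):
        raise ValueError("only 20/40/80 MHz bonded channels are modelled")
    if primary not in CHANNELS_20MHZ:
        raise ValueError("unknown 5 GHz channel %r" % primary)
    n = width_mhz // 20
    i = CHANNELS_20MHZ.index(primary)
    start = (i // n) * n
    block = CHANNELS_20MHZ[start:start + n]
    # Reject a block that straddles the 144/149 gap or runs off the end of
    # the band (e.g. a 40 MHz block starting at channel 165).
    if len(block) != n or centre_mhz(block[-1]) - centre_mhz(block[0]) != 20 * (n - 1):
        raise ValueError("channel %r is not part of a valid %d MHz block" % (primary, width_mhz))
    return block


def bonded_centre_mhz(primary, width_mhz):
    """Center frequency of the whole bonded channel."""
    block = occupied_channels(primary, width_mhz)
    return (centre_mhz(block[0]) + centre_mhz(block[-1])) / 2


def channels_consumed_per_ap(width_mhz, radios_5ghz):
    """20 MHz channels one AP consumes: width/20 per interface, times interfaces.

    Matches the guide: 80 MHz dual 5 GHz -> 8 channels, 40 MHz dual -> 4.
    """
    return (width_mhz // 20) * radios_5ghz


def max_aps_without_reuse(width_mhz, radios_5ghz, available=None):
    """How many APs can be given fully disjoint channels.

    This is the channel-exhaustion bound DCA runs into; a real controller
    also reuses channels between APs that cannot hear each other.
    """
    available = len(CHANNELS_20MHZ) if available is None else available
    return available // channels_consumed_per_ap(width_mhz, radios_5ghz)


def check_macro_micro_plan(macro_primary, micro_primary, width_mhz):
    """Validate a macro/micro plan against the two frequency rules: the radios
    share no 20 MHz channel, and their bonded centers are >= 100 MHz apart.

    Returns a list of problems; an empty list means the plan is acceptable.
    (The power cap and matching SSID requirements are not modelled.)
    """
    problems = []
    macro = occupied_channels(macro_primary, width_mhz)
    micro = occupied_channels(micro_primary, width_mhz)
    overlap = sorted(set(macro) & set(micro))
    if overlap:
        problems.append("radios share 20 MHz channel(s) %s" % overlap)
    separation = abs(bonded_centre_mhz(macro_primary, width_mhz)
                     - bonded_centre_mhz(micro_primary, width_mhz))
    if separation < MACRO_MICRO_MIN_SEPARATION_MHZ:
        problems.append("center separation %.0f MHz is below the %d MHz minimum"
                        % (separation, MACRO_MICRO_MIN_SEPARATION_MHZ))
    return problems


if __name__ == "__main__":
    # Channels 36 and 108 are the pair shown in the guide's utilization figure.
    print("36/108 @ 80 MHz:", check_macro_micro_plan(36, 108, 80) or "OK")
    print("36/52 @ 80 MHz:", check_macro_micro_plan(36, 52, 80))
    for width in (80, 40):
        print("%d MHz dual 5 GHz: %d channels per AP, %d APs without reuse"
              % (width, channels_consumed_per_ap(width, 2),
                 max_aps_without_reuse(width, 2)))
```

Running it shows why the guide recommends dropping from 80 MHz to 40 MHz when DCA runs out of non-interfering channels: the number of dual 5 GHz APs that can be given disjoint channels doubles, and it shows that two adjacent 80 MHz blocks (36 and 52) fail the 100 MHz separation rule even though they share no channel.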
Deploying a macro/micro cell architecture is attractive because it solves the problems of using a wide-area cell, which yields a very diverse client experience. Clients closer to the AP can use higher data rates and operate at a higher signal-to-noise ratio (SNR) than clients at the edge of the cell. Macro/micro mode separates these clients into their respective cells, preserving airtime by improving overall efficiency and allowing the cells to be used optimally.
Figure 59. Macro and micro cells
Key point: A dual 5 GHz capable Cisco Catalyst 9130I creating micro and macro cells behaves like two independent 5 GHz access points, with all the features and benefits of Wi-Fi 6.
When the 9130I operates in dual 5 GHz mode, clients get equivalent airtime, lower channel utilization, higher client connection data rates, and fewer retries.
Figure 60. Single 5 GHz channel vs. dual 5 GHz channels
Left: single-channel model - 60% utilization on channel 36
Right: dual-channel model - utilization drops to 20% on channel 36 and 24% on channel 108
On the left side of the figure above, the channel utilization of the single-channel cell (channel 36) is 60% because all clients are connected to one channel. Worse, connection speeds are not uniform, because nearby clients connect at much higher rates than distant clients.
In the dual-channel model (right), using two channels produces a clear improvement. Contention is greatly reduced and there are fewer retries, so the user experience is much better.
Note: This feature was first introduced on the Aironet 2800/3800 Series and won the Cisco Innovation Pioneer Award (engineering design category) in 2017. Combined with the Wi-Fi 6 features that help with latency and small packets, this mode has the very significant benefit of reducing channel utilization.
Key point: Using dual 5 GHz improves the Wi-Fi experience through higher throughput and fewer retries, thanks to faster data rates and lower channel utilization.
CleanAir spectrum analysis with the Cisco RF ASIC
Cisco CleanAir technology is a custom hardware/software solution.
To overcome the analytical limits of standard Wi-Fi chipsets, Cisco built an integrated solution using software and a patented chip designed specifically to analyze and classify all RF activity (more than 25 patents have been granted for this technology to date).
Essentially, it takes the technology underlying the Cisco Spectrum Expert analysis tool and integrates it directly into the infrastructure. This includes tight integration of a dedicated software-defined radio (SDR) with the custom RF ASIC. This is a major advance and clearly demonstrates that wireless in the enterprise has shifted from "nice to have" to "business critical".
The custom solution begins with the Cisco SAgE hardware core, integrated directly into the Cisco RF ASIC custom device. The SAgE core performs operations that demand very high processing power, such as high-resolution fast Fourier transforms (FFT) and pulse detection (a pulse is a burst of RF energy in frequency and time). The SAgE core has a very fine spectral resolution of 78.125 kHz (4x that of the closest competing solution and 64x that of most chipsets).
The RF ASIC provides the AP with an advanced, comprehensive interference analysis, detection, and mitigation system. Essentially, the SAgE core performs the base-level spectrum analysis processing that demands more processing power than real-time software processing or the serving radios can provide.
Benefit: Comprehensive RF analysis and spectrum analysis that no competitor offers. Interference is positively identified on a dedicated SDR (separate from the client-serving radios) so that the access point's client-serving performance is not affected.
Figure 61. CleanAir positively identifies interference using a dedicated radio and custom device
Dual DFS - RF ASIC
The RF ASIC and CleanAir chipset enhance DFS signal determination, strengthening DFS and reducing false DFS alerts so that the AP stays on DFS channels more reliably. The dedicated radio also participates in Cisco RRM for interference mitigation and optimal channel selection.
Figure 62. A DFS event (detected by the Wi-Fi chipset) is compared against the RF ASIC to confirm that it is a real DFS event
The RF ASIC is far more sophisticated than the DFS detection used in Wi-Fi chipsets and acts as a "second set of eyes" on the spectrum. As a dedicated SDR, the RF ASIC will be further extended with new features as future software upgrades are released.
FastLocate - RF ASIC
Cisco Connected Mobile Experiences (CMX) FastLocate technology can be used to quickly update the location of associated Wi-Fi clients. When a received signal strength indicator (RSSI) from data packets and probe frames is available, that RSSI is used in the location calculation. This technology can be used with both centrally switched WLANs and Cisco FlexConnect® (locally switched WLANs).
Benefit: The Cisco Catalyst 9130 Series improves location through its onboard RF ASIC monitoring radio, which lets access points on various client-serving channels use the RF ASIC to listen (regardless of channel) for probes and data packets from the target Wi-Fi clients.
Figure 63. The RF ASIC radio can track Wi-Fi clients regardless of the serving channel
Use cases
Manufacturing, warehouses, and factories
Warehouse installations are often challenging because of very high ceilings and clutter. When performing a coverage survey (site survey), be sure to verify coverage at "full stock" levels, because the items stored in the warehouse change RF coverage and can cause loss of uniform coverage. Also place APs as close to users as possible, and lower the antennas where possible. If an AP is 30 feet in the air, the signal must travel 30 feet "under the best conditions" before it reaches anyone. To cover aisles, use directional (patch) antennas on the walls aimed down the aisles, or use low-gain omnidirectional antennas (such as dipoles) or internal-antenna models on the ceiling (high-gain omnidirectional antennas tend to produce more coverage holes).
Another approach is to lower the AP's mounting position using pipe and electrical box mounting techniques. See the following example.
Figure 64. AP placement in a warehouse environment
(Either the "e" Series with external dipoles or the "i" Series with internal antennas can be used.)
To mount the AP on the end of a pipe or on an electrical conduit box, use the universal bracket, Cisco AIR-AP-BRACKET-2, because it is sized to fit the holes of most electrical boxes. Conduit and adapters are available at most electrical supply and home improvement stores.
Figure 65. Mounting the AP on an electrical conduit box (ceiling T-bar or conduit)
Use cases
Healthcare/clean rooms
If the Cisco Catalyst 9130 Series must be chemically sanitized for use in clean rooms, hospitals, or locations requiring infection control, a ready-to-use sterilant such as Steris Spor-Klenz is recommended. Unlike some access points, the 9130 Series has no vents and can be wiped down. The plastics have been tested with this sterilant.
Steris Spor-Klenz:
https://www.sterislifesciences.com/products/surface-disinfectants/sporicide-cleaners-and-sterilant/sporklenz-ready-to-use-cold-sterilant
Where metal ceilings or tiles are impractical in a medical environment, metal enclosures from Oberon or AccelTex can be used.
Figure 66. An Oberon metal enclosure protects and secures the AP in a clean room area
Stadiums and harsh environments
Customers who want to install APs in harsh environments where the AP may be exposed to outside air, such as athletic areas, stadiums, open garden spaces, or warehouse freezers, can use NEMA-type enclosures.
Note: Some access points may not be certified for outdoor deployment in NEMA enclosures; this varies by country. For example, some regulatory bodies permit an outdoor NEMA enclosure when the AP is used indoors, such as in a freezer or garden area, but prohibit outdoor use. This appears to differ by country because of weather radar compliance, often concerning UNII-1. Check with your Cisco account team or the local telecommunications regulatory authority.
Figure 67. Example of an AccelTex 12x10x6 NEMA enclosure
NEMA-type enclosures and other accessories are supplied by third parties such as:
Oberon: www.oberonwireless.com
AccelTex: www.acceltex.com
Ventev TerraWave: www.terra-wave.com
When using a NEMA-type enclosure, route the cables out through the bottom of the enclosure so that rain or moisture cannot follow the cables into the enclosure. Also note that the enclosure color can affect its thermal rating; for example, in direct sun a black enclosure gets much hotter than a white one. A pressure vent can also be used to prevent moisture buildup.
Education/schools
For the deployment guide, see the following URL:
https://www.cisco.com/c/dam/en/us/td/docs/solutions/Verticals/Education/SRA_Schools/schoolSRA_wlan_sba.pdf
Installation in intermediate distribution frame (IDF) closets (telecommunications or other electrical equipment)
When installing an AP near other electrical or telecommunications equipment, keep all wiring and metal away from the antennas, and avoid mounting antennas near electrical wiring. Do not run electrical or Ethernet wiring close to the antennas (within 6 to 15 inches). Because the best location for an AP is as close to the users as possible, avoid installing APs inside electrical closets. If remote antennas are cabled from the closet, plenum-rated cable may be required (check local fire and safety codes).
The following URLs help in understanding interference:
https://www.cisco.com/en/US/prod/collateral/wireless/ps9391/ps9393/ps9394/prod_white_paper0900aecd807395a9_ns736_Networking_Solutions_White_Paper.html
https://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wrlan_wp.pdf
https://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10981/white_paper_c11-609300.html
Installation in and around elevators
For elevators, APs are sometimes placed near the elevator on each floor, typically close to the elevator doors, to provide coverage. Elevators often have metal doors, and the shafts are lined with concrete or other materials that degrade Wi-Fi coverage, so it is important to verify coverage inside the elevator. Such coverage can be challenging, but it is often achievable, especially when the elevator serves only a few floors.
In high-rise elevators, roaming becomes a greater challenge because clients cycle rapidly through many APs. Companies that run advertising inside elevators sometimes place patch antennas (or actual APs) on the floors within the elevator shaft or on the bottom of the elevator car, or run leaky coaxial cable along the side of the shaft.
Installing Wi-Fi equipment inside elevator cars or shafts is often prohibited for safety reasons, or by the building owner or the local fire department, so local regulations must be followed. Because it is hazardous, only elevator technicians or contractors experienced in such work should enter those areas. Where external antennas are required, the 9130E model is again the one to use.
WLAN best practices
Placement of access point antennas
Although the Cisco Catalyst 9130I access point has an advanced antenna system, it is important to place the AP correctly.
Figure 68. Ceiling placement with omnidirectional radiation for optimal coverage
General design guidelines: recommended access point spacing
When a Wi-Fi device such as an AP is present and another AP is used nearby on a different channel, a spacing of about 2 m (6 feet) between the APs is recommended. Avoid clustering multiple APs or the antennas of different APs, as this can degrade performance. This recommended spacing assumes that both devices operate in unlicensed bands and transmit no more than 23 dBm, or 200 mW, of RF energy. If more power is used, increase the spacing accordingly.
For example, if other transmitting devices operate near the AP's frequency, such as legacy frequency-hopping APs or other devices (operating around the 2.4 and 5 GHz bands), and especially if they operate in the same frequency range, consider moving or separating the devices by a reasonable distance. Once the devices are spaced, test both devices simultaneously under high utilization (load) to check for interference, then characterize whether, and by how much, each system degrades individually.
Warning
To comply with FCC, EU, and EFTA RF exposure limits, antennas must be placed at least 20 cm (7.9 inches) from the body. For details, refer to the installation guide based on the Declaration of Conformity.
Mixing access points of different models and types
The Cisco Catalyst 9130 Series is a very advanced access point supporting Wi-Fi 6 features, with unique capabilities such as dual 5 GHz and advanced RF detection using Cisco's custom RF ASIC device.
For this reason, mixing access point models (sometimes called a "salt and pepper" approach) is not recommended, because the 9130 Series can make spectrum decisions, such as dual DFS detection, in which other access points do not participate.
Therefore, when different types of APs are present, group access points of the same type together (for example, Aironet 3800 Series on one floor and Cisco Catalyst 9130 Series on another) rather than mixing them.
General installation notes
Important guidelines for access point installation:
● Place APs as close to users as possible for optimal performance. Consider the environment; for example, hospitals have metal doors, and coverage can change when the doors are closed. Older buildings may have metal grid structures inside plaster or asbestos. Do not place APs or antennas near metal objects, because they can alter the coverage area and affect clients.
● With 2.4 GHz, the 1/6/11 channel scheme is used, in the same way as the 5 GHz channel scheme. Do not put all APs on the same channel; reuse channels where possible.
● Features such as Cisco RRM and FRA can automate this process.
● Determine which clients are used most, and use those clients to verify coverage. For example, PDAs and Wi-Fi phones may not have the same range as a laptop or tablet.
Tip
Verify coverage with the lowest-performing client that you will deploy.
● A site survey is strongly recommended; however, with proper use of Cisco RRM, small sites may need less design time, and a limited site survey (coverage check) may suffice. For very demanding environments such as train connectivity, oil/gas extraction sites, and large hospitals, Cisco Advanced Services can be engaged to help with a short-timeframe installation or to perform the installation itself. Contact your Cisco account team for details.
Figure 69. Example of a channel coverage model with non-overlapping channels spaced apart
Antenna cable recommendations
Where practical or possible, keep antenna cable runs as short as possible. Cisco offers low-loss (LL) and ultra-low-loss (ULL) cables with the same characteristics as Times Microwave LMR-400 and LMR-600. Cisco cable part numbers are AIR-CAB followed by the length; for example, a 20-foot LL cable with RP-TNC connectors is Cisco AIR-CAB-020LL-R. These heavy black cables are not plenum rated, so they are used mainly outdoors or in manufacturing areas.
Figure 70. Cisco cable with RP-TNC connectors
When drilling holes for cables, allow for the connector size (typically a 5/8-inch drill bit for the RP-TNC above). Other connectors such as "N" type and DART are larger.
Wi-Fi 6 installation and site survey considerations
When deciding what to install today, evaluate the following WLAN needs:
● Before upgrading to Wi-Fi 6, review existing WLAN issues and identify new location, BLE, or IoT requirements.
● A one-for-one replacement assumes that the APs are installed in optimal locations that meet current coverage and density goals.
● Are there coverage issues that have not yet been addressed?
● Are there poor or suboptimal mounts?
● Ideally, at least 802.3at (30W PoE) should be available.
● Wi-Fi 6 may help mitigate design shortcomings, but nothing beats a proper installation from the start.
Many tools are available for modeling and performing site surveys. Cisco recently worked with Ekahau to import Cisco AP and antenna models into their application, including BLE modeling capability.
Figure 71. Ekahau offers site survey and WLAN planner software
When performing an active survey for placement, it is always recommended to have the equipment planned for deployment on hand. The actual model being planned is not always available. Cisco strives to closely match the RF coverage of new AP models to earlier AP models in order to reduce the cost of AP planning and replacement, and the Cisco Catalyst 9130 Series is no exception. The following figure shows a comparison of the Cisco Catalyst 9120AX Series and the Aironet 3802i on the same channel and power. Surveys with a substitute AP are suitable for generating a bill of materials (BOM) or updating an existing installation. Critical coverage should always be measured with the same model to ensure reliable results.
Figure 72. Comparison of over-the-air measured coverage patterns of the Cisco Catalyst 9120AX Series and Aironet 3802i
Note: The cell sizes in the figure above also apply to the Cisco Catalyst 9130 Series, as the cell sizes are similar.
If the building is not wired for Ethernet and the Cisco Catalyst 9130 Series access point must be powered from a battery, a battery pack from AccelTex can be used.
Figure 73. AccelTex site survey battery pack P/N ATS-SSBP-1
©2020 Cisco Systems, Inc. All rights reserved.
Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Other trademarks mentioned in this document or website are the property of their respective owners.
The use of the word "partner" does not imply a partnership relationship between Cisco and any other company. (1502R)
The contents of this document are current as of October 2020.
The specifications in this document are subject to change without notice.
Cisco Systems G.K.
Midtown Tower, 9-7-1 Akasaka, Minato-ku, Tokyo 107-6227
http://www.cisco.com/jp
C07-743490-00JA 20.10
Contact information
Appendix
Reference URLs:
● Cisco CleanAir white paper:
https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/cleanair-technology/white_paper_c11-599260.html
● Flexible Radio Assignment and dual 5 GHz operation:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_RRM_White_Paper/b_RRM_White_Paper_chapter_01000.html
● Flexible radio Cisco Aironet 2800/3800 Series deployment guide:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_cisco_aironet_series_2800_3800_access_point_deployment_guide.pdf
● Cisco Multigigabit overview and supported switches:
https://www.cisco.com/c/en/us/solutions/enterprise-networks/catalyst-multigigabitswitching/index.html
● Cisco DNA overview:
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/cisco-digitalnetwork-architecture/solution-overview-c22-736580.pdf
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Cisco Systems, Inc.
Corporate Headquarters
Tel:
800 553-NETS (6387)
408 526-4000
Fax: 408 526-4100
Cisco IOS Dial Technologies
Configuration Guide
Release 12.2
Customer Order Number: DOC-7812090=
Text Part Number: 78-12090-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE
PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR
APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of
UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED
“AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of
Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST,
BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press,
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast
Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo,
Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView
Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0304R)
Cisco IOS Dial Technologies Configuration Guide
Copyright © 2002–2006 Cisco Systems, Inc.
All rights reserved.
iii
Cisco IOS Dial Technologies Configuration Guide
CONTENTS
About Cisco IOS Software Documentation xxxvii
Documentation Objectives xxxvii
Audience xxxvii
Documentation Organization xxxvii
Documentation Modules xxxvii
Master Indexes xl
Supporting Documents and Resources xl
New and Changed Information xli
Document Conventions xli
Obtaining Documentation xlii
World Wide Web xlii
Documentation CD-ROM xliii
Ordering Documentation xliii
Documentation Feedback xliii
Obtaining Technical Assistance xliii
Cisco.com xliv
Technical Assistance Center xliv
Contacting TAC by Using the Cisco TAC Website xliv
Contacting TAC by Telephone xliv
Using Cisco IOS Software xlvii
Understanding Command Modes xlvii
Getting Help xlviii
Example: How to Find Command Options xlix
Using the no and default Forms of Commands li
Saving Configuration Changes lii
Filtering Output from the show and more Commands lii
Identifying Supported Platforms liii
Using Feature Navigator liii
Using Software Release Notes liii
Contents
iv
Cisco IOS Dial Technologies Configuration Guide
DIAL INTERFACES, CONTROLLERS, AND LINES
Overview of Dial Interfaces, Controllers, and Lines DC-3
Cisco IOS Dial Components DC-3
Logical Constructs DC-5
Asynchronous Interfaces DC-5
Group Asynchronous Interfaces DC-6
Virtual Template Interfaces DC-6
Templates for Virtual Access Interfaces DC-7
Templates for Protocol Translation DC-7
Logical Interfaces DC-7
Dialer Interfaces DC-8
Virtual Access Interfaces DC-9
Virtual Asynchronous Interfaces DC-10
Circuit-Switched Digital Calls DC-10
T1 and E1 Controllers DC-11
Non-ISDN Channelized T1 and Channelized E1 Lines DC-11
ISDN Service DC-12
ISDN BRI DC-13
ISDN PRI DC-13
Line Types DC-15
Relationship Between Lines and Interfaces DC-16
Asynchronous Interfaces and Physical Terminal Lines DC-16
Synchronous Interfaces and Virtual Terminal Lines DC-17
Encapsulation Types DC-18
Configuring Asynchronous Lines and Interfaces DC-19
How to Configure Asynchronous Interfaces and Lines DC-19
Configuring a Typical Asynchronous Interface DC-20
Monitoring and Maintaining Asynchronous Connections DC-20
Creating a Group Asynchronous Interface DC-21
Verifying the Group Interface Configuration DC-22
Configuring Asynchronous Rotary Line Queueing DC-25
Verifying Asynchronous Rotary Line Queueing DC-26
Troubleshooting Asynchronous Rotary Lines DC-26
Monitoring and Maintaining Asynchronous Rotary Line Queues DC-27
Configuring Autoselect DC-27
Verifying Autoselect PPP DC-28
Verifying Autoselect ARA DC-28
Contents
v
Cisco IOS Dial Technologies Configuration Guide
How to Configure Other Asynchronous Line and Interface Features DC-29
Configuring the Auxiliary (AUX) Port DC-29
Establishing and Controlling the EXEC Process DC-30
Enabling Routing on Asynchronous Interfaces DC-31
Configuring Dedicated or Interactive PPP and SLIP Sessions DC-31
Conserving Network Addresses DC-32
Using Advanced Addressing Methods for Remote Devices DC-33
Assigning a Default Asynchronous Address DC-33
Allowing an Asynchronous Address to Be Assigned Dynamically DC-33
Optimizing Available Bandwidth DC-34
Configuring Header Compression DC-34
Forcing Header Compression at the EXEC Level DC-35
Configuration Examples for Asynchronous Interfaces and Lines DC-35
Interface and Line Configuration Examples DC-36
Asynchronous Interface Backup DDR Configuration Example DC-36
Passive Header Compression and Default Address Example DC-36
High-Density Dial-In Solution Using Autoselect and EXEC Control Example DC-36
Asynchronous Line Backup DDR Configuration Example DC-37
Line AUX Configuration Example DC-37
Rotary Group Examples DC-37
Dedicated Asynchronous Interface Configuration Example DC-38
Access Restriction on the Asynchronous Interface Example DC-38
Group and Member Asynchronous Interface Examples DC-38
Asynchronous Group Interface Examples DC-39
Modem Asynchronous Group Example DC-39
High-Density Dial-In Solution Using an Asynchronous Group DC-40
Asynchronous Interface Address Pool Examples DC-40
DHCP Pooling Example DC-40
Local Pooling Example DC-40
Configuring Specific IP Addresses for an Interface DC-41
IP and SLIP Using an Asynchronous Interface Example DC-41
IP and PPP Asynchronous Interface Configuration Example DC-41
Asynchronous Routing and Dynamic Addressing Configuration Example DC-42
TCP Header Compression Configuration Example DC-42
Network Address Conservation Using the ip unnumbered Command Example DC-42
Asynchronous Interface As the Only Network Interface Example DC-43
Routing on a Dedicated Dial-In Router Example DC-43
IGRP Configuration Example DC-44
Contents
vi
Cisco IOS Dial Technologies Configuration Guide
Configuring Asynchronous Serial Traffic
over UDP DC-45
UDPTN Overview DC-45
How to Configure Asynchronous Serial Traffic over UDP DC-46
Preparing to Configure Asynchronous Serial Traffic over UDP DC-46
Configuring a Line for UDPTN DC-46
Enabling UDPTN DC-47
Verifying UDPTN Traffic DC-47
Configuration Examples for UDPTN DC-48
Multicast UDPTN Example DC-48
Broadcast UDPTN Example DC-49
Point-to-Point UDPTN Example DC-49
MODEM CONFIGURATION AND MANAGEMENT
Overview of Modem Interfaces DC-53
Cisco Modems and Cisco IOS Modem Features DC-53
Cisco IOS Modem Components DC-54
Logical Constructs in Modem Configurations DC-56
Asynchronous Interfaces DC-56
Group Asynchronous Interfaces DC-57
Modem Lines and Asynchronous Interfaces DC-58
Modem Calls DC-59
Asynchronous Line Configuration DC-59
Absolute Versus Relative Line Numbers DC-59
Line and Modem Numbering Issues DC-60
Decimal TCP Port Numbers for Line Connections DC-61
Signal and Flow Control Overview DC-62
Configuring and Managing Integrated Modems DC-63
Modems and Modem Feature Support DC-63
V.90 Modem Standard DC-64
V.110 Bit Rate Adaption Standard DC-64
V.120 Bit Rate Adaptation Standard DC-66
Managing Modems DC-66
Managing SPE Firmware DC-67
Configuring Modems in Cisco Access Servers DC-69
Configuring Modem Lines DC-69
Verifying the Dial-In Connection DC-70
Troubleshooting the Dial-In Connection DC-71
Contents
vii
Cisco IOS Dial Technologies Configuration Guide
Configuring the Modem Using a Modemcap DC-71
Configuring the Modem Circuit Interface DC-73
Comparison of NextPort SPE and MICA Modem Commands DC-73
Configuring Cisco Integrated Modems Using Modem Attention Commands DC-76
Using Modem Dial Modifiers on Cisco MICA Modems DC-76
Changing Configurations Manually in Integrated Microcom Modems DC-77
Configuring Leased-Line Support for Analog Modems DC-78
Configuring Modem Pooling DC-82
Creating a Modem Pool DC-83
Verifying Modem Pool Configuration DC-84
Configuring Physical Partitioning DC-85
Creating a Physical Partition DC-86
Physical Partitioning with Dial-In and Dial-Out Scenario DC-88
Configuring Virtual Partitioning DC-90
Configuring Call Tracker DC-91
Verifying Call Tracker DC-92
Enabling Call Tracker DC-92
Configuring Polling of Link Statistics on MICA Modems DC-93
Configuring MICA In-Band Framing Mode Control Messages DC-94
Enabling Modem Polling DC-95
Setting Modem Poll Intervals DC-95
Setting Modem Poll Retry DC-95
Collecting Modem Statistics DC-95
Logging EIA/TIA Events DC-95
Configuring a Microcom Modem to Poll for Statistics DC-96
Troubleshooting Using a Back-to-Back Modem Test Procedure DC-96
Clearing a Direct Connect Session on a Microcom Modem DC-99
Displaying Local Disconnect Reasons DC-99
Removing Inoperable Modems DC-102
Busying Out a Modem Card DC-104
Monitoring Resources on Cisco High-End Access Servers DC-104
Enabling DS0 Busyout Traps DC-105
Enabling ISDN PRI Requested Channel Not Available Traps DC-106
Enabling Modem Health Traps DC-106
Enabling DS1 Loopback Traps DC-106
Verifying Enabled Traps DC-106
Troubleshooting the Traps DC-107
NAS Health Monitoring Example DC-107
Configuration Examples for Modem Management DC-110
NextPort Modem Log Example DC-110
Contents
viii
Cisco IOS Dial Technologies Configuration Guide
Modem Performance Summary Example DC-111
Modem AT-Mode Example DC-111
Connection Speed Performance Verification Example DC-111
Configuring and Managing Cisco Access Servers and Dial Shelves DC-115
Cisco AS5800 Dial Shelf Architecture and DSIP Overview DC-115
Split Dial Shelves Feature DC-116
How to Configure Dial Shelves DC-116
Configuring the Shelf ID DC-117
Configuring Redundant DSC Cards DC-118
Synchronizing to the System Clocks DC-119
Verifying External Clock Configuration DC-120
Configuring Dial Shelf Split Mode DC-120
Changing Slot Sets DC-122
Leaving Split Mode DC-123
Troubleshooting Split Dial Shelves DC-123
Managing a Split Dial Shelf DC-123
Executing Commands Remotely DC-124
Verifying DSC Configuration DC-125
Monitoring and Maintaining the DSCs DC-125
Troubleshooting DSIP DC-125
Port Management Services on Cisco Access Servers DC-126
Upgrading and Configuring SPE Firmware DC-128
Downloading SPE Firmware from the Cisco.com FTP Server to a Local TFTP Server DC-129
Copying the SPE Firmware File from the Local TFTP Server to the SPEs DC-131
Specifying a Country Name DC-132
Configuring Dial Split Shelves (AS5800 Only) DC-132
Configuring SPEs to Use an Upgraded Firmware File DC-133
Disabling SPEs DC-134
Rebooting SPEs DC-135
Configuring Lines DC-136
Configuring Ports DC-137
Verifying SPE Line and Port Configuration DC-138
Configuring SPE Performance Statistics DC-138
Clearing Log Events DC-139
Troubleshooting SPEs DC-139
Monitoring SPE Performance Statistics DC-141
SPE Events and Firmware Statistics DC-141
Port Statistics DC-141
Digital SPE Statistics DC-142
Contents
ix
Cisco IOS Dial Technologies Configuration Guide
SPE Modem Statistics DC-143
Configuring and Managing External Modems DC-145
External Modems on Low-End Access Servers DC-145
Automatically Configuring an External Modem DC-146
Manually Configuring an External Modem DC-148
Supporting Dial-In Modems DC-149
Testing the Modem Connection DC-151
Managing Telnet Sessions DC-152
Modem Troubleshooting Tips DC-154
Checking Other Modem Settings DC-155
Modem Signal and Line States DC-157
Signal and Line State Diagrams DC-157
Configuring Automatic Dialing DC-159
Automatically Answering a Modem DC-159
Supporting Dial-In and Dial-Out Connections DC-160
Configuring a Line Timeout Interval DC-161
Closing Modem Connections DC-162
Configuring a Line to Disconnect Automatically DC-163
Supporting Reverse Modem Connections and Preventing Incoming Calls DC-163
Creating and Using Modem Chat Scripts DC-165
Chat Script Overview DC-165
How To Configure Chat Scripts DC-166
Understanding Chat Script Naming Conventions DC-166
Creating a Chat Script DC-166
Chat String Escape Key Sequences DC-167
Adding a Return Key Sequence DC-167
Chat String Special-Case Script Modifiers DC-168
Configuring the Line to Activate Chat Scripts DC-168
Manually Testing a Chat Script on an Asynchronous Line DC-169
Using Chat Scripts DC-169
Generic Chat Script Example DC-169
Traffic-Handling Chat Script Example DC-169
Modem-Specific Chat Script Examples DC-170
Dialer Mapping Example DC-170
System Login Scripts and Modem Script Examples DC-171
Contents
x
Cisco IOS Dial Technologies Configuration Guide
ISDN CONFIGURATION
Configuring ISDN BRI DC-175
ISDN Overview DC-175
Requesting BRI Line and Switch Configuration from a Telco Service Provider DC-176
Interface Configuration DC-178
Dynamic Multiple Encapsulations DC-178
Interface Configuration Options DC-178
ISDN Cause Codes DC-179
How to Configure ISDN BRI DC-180
Configuring the ISDN BRI Switch DC-180
Configuring the Switch Type DC-180
Checking and Setting the Buffers DC-181
Multiple ISDN Switch Types Feature DC-182
Specifying Interface Characteristics for an ISDN BRI DC-182
Specifying the Interface and Its IP Address DC-183
Specifying ISDN SPIDs DC-183
Configuring Encapsulation on ISDN BRI DC-183
Configuring Network Addressing DC-185
Configuring TEI Negotiation Timing DC-186
Configuring CLI Screening DC-186
Configuring Called Party Number Verification DC-186
Configuring ISDN Calling Number Identification DC-187
Configuring the Line Speed for Calls Not ISDN End to End DC-187
Configuring a Fast Rollover Delay DC-188
Overriding ISDN Application Default Cause Codes DC-188
Configuring Inclusion of the Sending Complete Information Element DC-189
Configuring DNIS-plus-ISDN-Subaddress Binding DC-189
Screening Incoming V.110 Modem Calls DC-189
Disabling V.110 Padding DC-190
Configuring ISDN Semipermanent Connections DC-190
Configuring ISDN BRI for Leased-Line Service DC-190
Configuring Leased-Line Service at Normal Speeds DC-191
Configuring Leased-Line Service at 128 Kbps DC-191
Monitoring and Maintaining ISDN Interfaces DC-192
Troubleshooting ISDN Interfaces DC-192
Configuration Examples for ISDN BRI DC-193
Global ISDN and BRI Interface Switch Type Example DC-193
BRI Connected to a PBX Example DC-193
Contents
xi
Cisco IOS Dial Technologies Configuration Guide
Multilink PPP on a BRI Interface Example DC-193
Dialer Rotary Groups Example DC-194
Compression Examples DC-194
Multilink PPP and Compression Example DC-195
Voice over ISDN Examples DC-195
DNIS-plus-ISDN-Subaddress Binding Example DC-196
Screening Incoming V.110 Modem Calls Example DC-196
ISDN BRI Leased-Line Configuration Example DC-196
Configuring Virtual Asynchronous Traffic
over ISDN DC-197
Recommendation V.120 Overview DC-198
How to Configure V.120 Access DC-198
Configuring Answering of All Incoming Calls as V.120 DC-198
Configuring Automatic Detection of Encapsulation Type DC-199
Enabling V.120 Support for Asynchronous Access over ISDN DC-199
Configuration Example for V.120 DC-200
ISDN LAPB-TA Overview DC-200
How to Configure ISDN LAPB-TA DC-201
Verifying ISDN LAPB-TA DC-202
Configuration Example for ISDN LAPB-TA DC-203
Configuring Modem Use over ISDN BRI DC-205
Modem over ISDN BRI Overview DC-206
How to Configure Modem over ISDN BRI DC-207
Verifying ISDN BRI Interface Configuration DC-210
Configuration Examples for Modem over ISDN BRI DC-212
BRI Interface Configuration Example DC-212
Complete Configuration Examples DC-215
Configuring X.25 on ISDN DC-227
X.25 on ISDN Overview DC-227
X.25-over-D-Channel Logical Interface DC-227
Outbound Circuit-Switched X.25 Support over a Dialer Interface DC-228
How to Configure X.25 on ISDN DC-228
Configuring X.25 on the ISDN D Channel DC-229
Configuration Examples for X.25 on ISDN DC-229
X.25 on ISDN D-Channel Configuration Example DC-229
Outbound Circuit-Switched X.25 Example DC-230
Contents
xii
Cisco IOS Dial Technologies Configuration Guide
Configuring X.25 on ISDN Using AO/DI DC-235
AO/DI Overview DC-235
PPP over X.25 Encapsulation DC-237
Multilink PPP Bundle DC-238
MLP Encapsulation Enhancements DC-238
BACP/BAP DC-239
How to Configure an AO/DI Interface DC-239
Configuring PPP and BAP on the Client DC-239
Configuring X.25 Parameters on the Client DC-240
Configuring PPP and BAP on the Server DC-240
Configuring X.25 Parameters on the Server DC-241
How to Configure an AO/DI Client/Server DC-241
Configuring the AO/DI Client DC-242
Enabling AO/DI on the Interface DC-242
Enabling the AO/DI Interface to Initiate Client Calls DC-242
Enabling the MLP Bundle to Add Multiple Links DC-242
Modifying BACP Default Settings DC-243
Configuring the AO/DI Server DC-243
Enabling the Interface to Receive AO/DI Client Calls DC-243
Enabling the MLP Bundle to Add Multiple Links DC-244
Modifying BACP Default Settings DC-244
Configuration Examples for AO/DI DC-245
AO/DI Client Configuration Example DC-245
AO/DI Server Configuration Example DC-246
Configuring ISDN on Cisco 800 Series Routers DC-247
CAPI and RCAPI Overview DC-248
Framing Protocols DC-248
Data Link and Network Layer Protocols DC-248
CAPI Features DC-248
Supported B-Channel Protocols DC-249
Supported Switch Types DC-250
CAPI and RVS-COM DC-250
Supported Applications DC-251
Helpful Website DC-251
How to Configure RCAPI DC-251
Configuring RCAPI on the Cisco 800 Series Router DC-251
Monitoring and Maintaining RCAPI DC-252
Troubleshooting RCAPI DC-252
Contents
xiii
Cisco IOS Dial Technologies Configuration Guide
Configuration Examples for RCAPI DC-252
SIGNALING CONFIGURATION
Configuring ISDN PRI DC-257
Signaling Overview DC-258
In-Band and Out-of-Band Signaling DC-258
Channelized E1 and T1 on Cisco Devices DC-258
How to Configure ISDN PRI DC-259
Requesting PRI Line and Switch Configuration from a Telco Service Provider DC-259
Configuring Channelized E1 ISDN PRI DC-260
Configuring Channelized T1 ISDN PRI DC-261
Configuring the Serial Interface DC-262
Specifying an IP Address for the Interface DC-263
Configuring Encapsulation on ISDN PRI DC-263
Configuring Network Addressing DC-265
Configuring ISDN Calling Number Identification DC-266
Overriding the Default TEI Value DC-266
Configuring a Static TEI DC-266
Configuring Incoming ISDN Modem Calls DC-266
Filtering Incoming ISDN Calls DC-267
Configuring the ISDN Guard Timer DC-268
Configuring Inclusion of the Sending Complete Information Element DC-268
Configuring ISDN PRI B-Channel Busyout DC-269
Configuring NSF Call-by-Call Support DC-269
Configuring Multiple ISDN Switch Types DC-270
Configuring B Channel Outgoing Call Order DC-272
Performing Configuration Self-Tests DC-272
Monitoring and Maintaining ISDN PRI Interfaces DC-273
How to Configure Robbed-Bit Signaling for Analog Calls over T1 Lines DC-273
How to Configure CAS DC-275
CAS on Channelized E1 DC-275
Configuring CAS for Analog Calls over E1 Lines DC-276
Configuring CAS on a Cisco Router Connected to a PBX or PSTN DC-276
CAS on T1 Voice Channels DC-277
Configuring ANI/DNIS Delimiters for CAS Calls on CT1 DC-277
How to Configure Switched 56K Digital Dial-In over Channelized T1 and Robbed-Bit Signaling DC-278
Switched 56K Scenarios DC-279
Switched 56K and Analog Modem Calls into T1 CAS DC-279
Contents
xiv
Cisco IOS Dial Technologies Configuration Guide
Basic Call Processing Components DC-280
ISDN BRI Calls into T1 CAS DC-281
How to Configure Switched 56K Services DC-281
How to Configure E1 R2 Signaling DC-282
E1 R2 Signaling Overview DC-282
Configuring E1 R2 Signaling DC-285
Configuring E1 R2 Signaling for Voice DC-285
Monitoring E1 R2 Signaling DC-286
Verifying E1 R2 Signaling DC-287
Troubleshooting E1 R2 Signaling DC-288
Enabling R1 Modified Signaling in Taiwan DC-289
R1 Modified Signaling Topology DC-289
R1 Modified Signaling Configuration Task List DC-290
Configuring R1 Modified Signaling on a T1 Interface DC-291
Configuring R1 Modified Signaling on an E1 Interface DC-292
Troubleshooting Channelized E1 and T1 Channel Groups DC-293
Interface Local Loopback DC-293
Interface Remote Loopback DC-294
Configuration Examples for Channelized E1 and Channelized T1 DC-294
ISDN PRI Examples DC-294
Global ISDN, BRI, and PRI Switch Example DC-295
Global ISDN and Multiple BRI and PRI Switch Using TEI Negotiation Example DC-295
NSF Call-by-Call Support Example DC-295
PRI on a Cisco AS5000 Series Access Server Example DC-296
ISDN B-Channel Busyout Example DC-298
Multiple ISDN Switch Types Example DC-298
Outgoing B-Channel Ascending Call Order Example DC-298
Static TEI Configuration Example DC-299
Call Reject Configuration Examples DC-299
ISDN Cause Code Override and Guard Timer Example DC-299
PRI Groups and Channel Groups on the Same Channelized T1 Controller Example DC-299
Robbed-Bit Signaling Examples DC-300
Allocating All Channels for Robbed-Bit Signaling Example DC-300
Mixing and Matching Channels—Robbed-Bit Signaling and Channel Grouping DC-300
Switched 56K Configuration Examples DC-300
Switched 56K T1 Controller Procedure DC-301
Mixture of Switched 56K and Modem Calls over CT1 CAS Example DC-301
Switched 56K and Analog Modem Calls over Separate T1 CAS Lines Example DC-302
Comprehensive Switched 56K Startup Configuration Example DC-302
Contents
xv
Cisco IOS Dial Technologies Configuration Guide
ISDN CAS Examples DC-307
Allocating All Channels for CAS Example DC-307
Mixing and Matching Channels—CAS and Channel Grouping Example DC-308
E1 R2 Signaling Procedure DC-308
R1 Modified Signaling Using an E1 Interface Example DC-311
R1 Modified Signaling for Taiwan Configuration Example DC-312
Configuring ISDN Special Signaling DC-313
How to Configure ISDN Special Signaling DC-313
Configuring ISDN AOC DC-314
Configuring Short-Hold Mode DC-314
Monitoring ISDN AOC Call Information DC-315
Configuring NFAS on PRI Groups DC-315
ISDN NFAS Prerequisites DC-316
ISDN NFAS Configuration Task List DC-316
Configuring NFAS on PRI Groups DC-316
Configuring NTT PRI NFAS DC-317
Disabling a Channel or Interface DC-318
When the T1 Controller Is Shut Down DC-319
Monitoring NFAS Groups DC-319
Monitoring ISDN Service DC-319
Enabling an ISDN PRI to Take PIAFS Calls on MICA Modems DC-319
Verifying PIAFS DC-320
Configuring Automatic Detection of Encapsulation Type DC-320
Configuring Encapsulation for Combinet Compatibility DC-321
Troubleshooting ISDN Special Signaling DC-322
Configuration Examples for ISDN Special Signaling DC-322
ISDN AOC Configuration Examples DC-322
Using Legacy DDR for ISDN PRI AOC Configuration DC-322
Using Dialer Profiles for ISDN BRI AOC Configuration DC-323
ISDN NFAS Configuration Examples DC-324
NFAS Primary and Backup D Channels DC-324
PRI Interface Service State DC-325
NTT PRI NFAS Primary D Channel Example DC-325
Configuring Network Side ISDN PRI Signaling, Trunking, and Switching DC-327
Network Side ISDN PRI Signaling Overview DC-327
Call Switching Using Dial Peers DC-328
Trunk Group Resource Manager DC-328
Class of Restrictions DC-329
Contents
xvi
Cisco IOS Dial Technologies Configuration Guide
ISDN Disconnect Timers DC-329
How to Configure Network Side ISDN PRI DC-329
Configuring ISDN Network Side DC-330
Configuring ISDN Network Side for the National ISDN Switch Type DC-331
Configuring ISDN Network Side for ETSI Net5 PRI DC-331
Configuring Global or Interface Trunk Groups DC-332
Configuring Classes of Restrictions DC-333
Configuring ISDN T306 and T310 Timers DC-334
Verifying Network Side ISDN PRI Signaling, Trunking, and Switching DC-334
Monitoring Network Side ISDN PRI DC-337
Monitoring TGRM DC-338
Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching DC-338
Call Switching and Dial Peers Configuration on T1/T3 Example DC-338
Trunk Group Configuration Example DC-339
COR for Dial Peer Configuration Example DC-339
COR Based on Outgoing Dial Peers Example DC-340
Dial Peers and Trunk Groups for Special Numbers Examples DC-341
ISDN Network Side for ETSI Net5 PRI Configuration on E1 Example DC-342
T306/T310 Timer Configuration Example DC-342
DIAL-ON-DEMAND ROUTING CONFIGURATION
Preparing to Configure DDR DC-345
DDR Decision Flowchart DC-345
DDR Topology Decisions DC-347
DDR-Independent Implementation Decisions DC-347
DDR-Dependent Implementation Decisions DC-348
Dialer Profiles DC-348
Legacy DDR DC-349
Simple or Complex DDR Configuration DC-349
Global and Interface Preparations for DDR DC-349
Preparations Depending on the Selected Interface Type DC-350
Preparations for Routing or Bridging over DDR DC-350
Preparing for Transparent Bridging over DDR DC-350
Defining the Protocols to Bridge DC-350
Specifying the Bridging Protocol DC-351
Controlling Bridging Access DC-351
Preparing for Routing over DDR DC-351
Configuring the Protocol for Routing and Access Control DC-352
Contents
xvii
Cisco IOS Dial Technologies Configuration Guide
Associating the Protocol Access List with a Dialer Group DC-356
Configuration Examples for Legacy DDR DC-356
Point-to-Point DDR Without Authentication Examples DC-356
Point-to-Point DDR with Authentication Examples DC-358
Configuring Legacy DDR Spokes DC-361
DDR Spokes Configuration Task Flow DC-361
How to Configure DDR DC-362
Specifying the Interface DC-363
Enabling DDR on the Interface DC-364
Configuring the Interface to Place Calls DC-365
Specifying the Dial String for Synchronous Serial Interfaces DC-365
Specifying Chat Scripts and Dial Strings for Asynchronous Serial Interfaces DC-365
Configuring the Interface to Receive Calls DC-365
Configuring the Interface to Place and Receive Calls DC-366
Defining the Traffic to Be Authenticated DC-366
Configuring Access Control for Outgoing Calls DC-367
Configuring Access Control for Bridging DC-367
Controlling Bridging Access by Ethernet Type Codes DC-368
Permitting All Bridge Packets to Trigger Calls DC-368
Assigning the Interface to a Bridge Group DC-368
Configuring Access Control for Routing DC-368
Customizing the Interface Settings DC-369
Configuring Timers on the DDR Interface DC-369
Setting Dialer Interface Priority DC-370
Configuring a Dialer Hold Queue DC-371
Configuring Bandwidth on Demand DC-371
Disabling and Reenabling DDR Fast Switching DC-372
Configuring Dialer Redial Options DC-372
Sending Traffic over Frame Relay, X.25, or LAPB Networks DC-372
Configuring the Interface for Sending Traffic over a Frame Relay Network DC-373
Configuring the Interface for Sending Traffic over an X.25 Network DC-374
Configuring the Interface for Sending Traffic over a LAPB Network DC-375
Monitoring DDR Connections DC-375
Configuration Examples for Legacy DDR Spoke DC-376
Legacy Dial-on-Demand Routing Example DC-376
Transparent Bridging over DDR Examples DC-377
DDR Configuration in an IP Environment Example DC-378
Two-Way DDR for Novell IPX Example DC-378
Remote Configuration Example DC-378
Contents
xviii
Cisco IOS Dial Technologies Configuration Guide
Local Configuration Example DC-379
AppleTalk Configuration Example DC-380
DECnet Configuration Example DC-380
ISO CLNS Configuration Example DC-381
XNS Configuration Example DC-381
Single Site Dialing Example DC-381
DTR Dialing Example DC-382
Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example DC-383
Spoke Topology Configuration DC-383
Hub Router Configuration DC-384
Two-Way Reciprocal Client/Server DDR Without Authentication Example DC-385
Remote Configuration DC-385
Local Configuration DC-385
Frame Relay Support Example DC-386
Frame Relay Access with In-Band Dialing (V.25bis) and Static Mapping Example DC-386
Frame Relay Access with ISDN Dialing and DDR Dynamic Maps Example DC-387
X.25 Support Example DC-387
LAPB Support Example DC-388
Configuring Legacy DDR Hubs DC-389
DDR Issues DC-389
DDR Hubs Configuration Task Flow DC-390
How to Configure DDR DC-391
Specifying the Interface DC-391
Enabling DDR on the Interface DC-392
Configuring the Interface to Place Calls Only DC-392
Defining the Dialing Destination DC-393
Specifying a Physical Interface to Use and Assigning It to a Dialer Rotary Group DC-393
Configuring the Interface to Receive Calls Only DC-394
Configuring the Interface for TACACS+ DC-395
Configuring the Interface for PPP Authentication DC-395
Specifying Physical Interfaces and Assigning Them to the Dialer Rotary Group DC-396
Configuring the Interface to Place and Receive Calls DC-396
Defining One or More Dialing Destinations DC-397
Defining the Traffic to Be Authenticated DC-398
Configuring Access Control for Outgoing Calls DC-398
Configuring Access Control for Bridging DC-398
Configuring Access Control for Routing DC-399
Customizing the Interface Settings DC-399
Configuring Timers on the DDR Interface DC-399
Setting Dialer Interface Priority DC-401
Configuring a Dialer Hold Queue DC-401
Configuring Bandwidth on Demand DC-401
Disabling and Reenabling DDR Fast Switching DC-402
Configuring Dialer Redial Options DC-402
Sending Traffic over Frame Relay, X.25, or LAPB Networks DC-403
Configuring the Interface for Sending Traffic over a Frame Relay Network DC-403
Configuring the Interface for Sending Traffic over an X.25 Network DC-405
Configuring the Interface for Sending Traffic over a LAPB Network DC-405
Monitoring DDR Connections DC-406
Configuration Examples for Legacy DDR Hub DC-406
Transparent Bridging over DDR Examples DC-407
DDR Configuration in an IP Environment Example DC-408
AppleTalk Configuration Example DC-408
Banyan VINES Configuration Example DC-409
DECnet Configuration Example DC-409
ISO CLNS Configuration Example DC-410
XNS Configuration Example DC-410
Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example DC-410
Spoke Topology Configuration DC-411
Hub Router Configuration DC-411
Single Site or Multiple Sites Dialing Configuration Example DC-413
Multiple Destinations Configuration Example DC-413
Dialer Interfaces and Dialer Rotary Groups Example DC-414
DDR Configuration Using Dialer Interface and PPP Encapsulation Example DC-414
Two-Way DDR with Authentication Example DC-415
Remote Configuration DC-416
Local Configuration DC-416
Frame Relay Support Examples DC-417
Frame Relay Access with In-Band Dialing and Static Mapping DC-417
Frame Relay Access with ISDN Dialing and DDR Dynamic Maps DC-417
Frame Relay Access with ISDN Dialing and Subinterfaces DC-418
X.25 Support Configuration Example DC-419
LAPB Support Configuration Example DC-419
Configuring Peer-to-Peer DDR with Dialer Profiles DC-421
Dialer Profiles Overview DC-421
New Dialer Profile Model DC-422
Dialer Interface DC-423
Dialer Map Class DC-423
Dialer Pool DC-423
How to Configure Dialer Profiles DC-425
Configuring a Dialer Profile DC-425
Configuring a Dialer Interface DC-425
Fancy Queueing and Traffic Shaping on Dialer Profile Interfaces DC-426
Configuring a Map Class DC-426
Configuring the Physical Interfaces DC-427
Configuring Dialer Profiles for Routed Protocols DC-427
Configuring Dialer Profiles for AppleTalk DC-428
Configuring Dialer Profiles for Banyan VINES DC-428
Configuring Dialer Profiles for DECnet DC-428
Configuring Dialer Profiles for IP DC-429
Configuring Dialer Profiles for Novell IPX DC-429
Configuring XNS over DDR DC-430
Configuring Dialer Profiles for Transparent Bridging DC-430
Defining the Protocols to Bridge DC-431
Specifying the Bridging Protocol DC-431
Controlling Access for Bridging DC-431
Configuring an Interface for Bridging DC-432
Monitoring and Maintaining Dialer Profile Connections DC-433
Configuration Examples Dialer Profiles DC-433
Dialer Profile with Inbound Traffic Filter Example DC-434
Dialer Profile for Central Site with Multiple Remote Sites Example DC-434
Dialer Profile for ISDN BRI Backing Up Two Leased Lines Example DC-435
Dynamic Multiple Encapsulations over ISDN Example DC-436
Verifying the Dynamic Multiple Encapsulations Feature DC-438
Configuring Snapshot Routing DC-441
Snapshot Routing Overview DC-441
How to Configure Snapshot Routing DC-442
Configuring the Client Router DC-443
Configuring the Server Router DC-444
Monitoring and Maintaining DDR Connections and Snapshot Routing DC-444
Configuration Examples for Snapshot Routing DC-444
DIAL-BACKUP CONFIGURATION
Configuring Dial Backup for Serial Lines DC-449
Backup Serial Interface Overview DC-449
How to Configure Dial Backup DC-450
Specifying the Backup Interface DC-451
Defining the Traffic Load Threshold DC-451
Defining Backup Line Delays DC-452
Configuration Examples for Dial Backup for Serial Interfaces DC-452
Dial Backup Using an Asynchronous Interface Example DC-452
Dial Backup Using DDR and ISDN Example DC-453
Dial Backup Service When the Primary Line Reaches Threshold Example DC-453
Dial Backup Service When the Primary Line Exceeds Threshold Example DC-453
Dial Backup Service When the Primary Line Goes Down Example DC-454
Configuring Dial Backup with Dialer Profiles DC-455
Dial Backup with Dialer Profiles Overview DC-455
How to Configure Dial Backup with Dialer Profiles DC-455
Configuring a Dialer Interface DC-456
Configuring a Physical Interface to Function As Backup DC-456
Configuring Interfaces to Use a Backup Interface DC-456
Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines DC-457
Configuring Dial Backup Using Dialer Watch DC-459
Dialer Watch Overview DC-459
How to Configure Dialer Backup with Dialer Watch DC-460
Determining the Primary and Secondary Interfaces DC-461
Determining the Interface Addresses and Networks to Watch DC-461
Configuring the Interface to Perform DDR Backup DC-461
Creating a Dialer List DC-461
Setting the Disable Timer on the Backup Interface DC-461
Configuration Examples for Dialer Watch DC-462
Dialer Watch Configuration Example Prior to Cisco IOS Release 12.3(11)T DC-463
Dialer Watch Configuration Example After Cisco IOS Release 12.3(11)T DC-467
DIAL-RELATED ADDRESSING SERVICES
Configuring Cisco Easy IP DC-473
Cisco Easy IP Overview DC-473
How to Configure Cisco Easy IP DC-476
Defining the NAT Pool DC-477
Configuring the LAN Interface DC-477
Defining NAT for the LAN Interface DC-477
Configuring the WAN Interface DC-477
Enabling PPP/IPCP Negotiation DC-478
Defining NAT for the Dialer Interface DC-478
Configuring the Dialer Interface DC-478
Timeout Considerations DC-479
Configuration Examples for Cisco Easy IP DC-479
VIRTUAL TEMPLATES, PROFILES, AND NETWORKS
Configuring Virtual Template Interfaces DC-483
Virtual Template Interface Service Overview DC-484
Features that Apply Virtual Template Interfaces DC-485
Selective Virtual Access Interface Creation DC-485
How to Configure a Virtual Template Interface DC-486
Monitoring and Maintaining a Virtual Access Interface DC-486
Configuration Examples for Virtual Template Interface DC-486
Basic PPP Virtual Template Interface DC-487
Virtual Template Interface DC-487
Selective Virtual Access Interface DC-487
RADIUS Per-User and Virtual Profiles DC-488
TACACS+ Per-User and Virtual Profiles DC-488
Configuring Virtual Profiles DC-489
Virtual Profiles Overview DC-489
DDR Configuration of Physical Interfaces DC-490
Multilink PPP Effect on Virtual Access Interface Configuration DC-491
Interoperability with Other Features That Use Virtual Templates DC-491
How Virtual Profiles Work—Four Configuration Cases DC-492
Case 1: Virtual Profiles Configured by Virtual Template DC-493
Case 2: Virtual Profiles Configured by AAA DC-493
Case 3: Virtual Profiles Configured by Virtual Template and AAA Configuration DC-494
Case 4: Virtual Profiles Configured by AAA, and a Virtual Template Defined by Another Application DC-495
How to Configure Virtual Profiles DC-496
Configuring Virtual Profiles by Virtual Template DC-496
Creating and Configuring a Virtual Template Interface DC-496
Specifying a Virtual Template Interface for Virtual Profiles DC-497
Configuring Virtual Profiles by AAA Configuration DC-497
Configuring Virtual Profiles by Both Virtual Template and AAA Configuration DC-497
Creating and Configuring a Virtual Template Interface DC-498
Specifying Virtual Profiles by Both Virtual Templates and AAA DC-498
Troubleshooting Virtual Profile Configurations DC-499
Configuration Examples for Virtual Profiles DC-499
Virtual Profiles Configured by Virtual Templates DC-499
Virtual Profiles Configured by AAA Configuration DC-501
Virtual Profiles Configured by Virtual Templates and AAA Configuration DC-502
Virtual Profiles Configured by AAA Plus a VPDN Virtual Template on a VPDN Home Gateway DC-504
Configuring Virtual Private Networks DC-507
VPN Technology Overview DC-507
VPDN MIB DC-508
VPN Hardware Terminology DC-508
VPN Architectures DC-509
Client-Initiated VPNs DC-509
NAS-Initiated VPNs DC-509
PPTP Dial-In with MPPE Encryption DC-509
PPTP Tunnel Negotiation DC-510
Flow Control Alarm DC-510
MPPE Overview DC-510
MPPE Encryption Types DC-511
L2F Dial-In DC-511
Protocol Negotiation Sequence DC-512
L2F Tunnel Authentication Process DC-514
L2TP Dial-In DC-515
Incoming Call Sequence DC-517
VPN Tunnel Authentication Search Order DC-518
VPN Tunnel Lookup Based on Domain Name DC-519
VPN Tunnel Lookup Based on DNIS Information DC-519
VPN Tunnel Lookup Based on Both Domain Name and DNIS Information DC-519
NAS AAA Tunnel Definition Lookup DC-519
L2TP Dial-Out DC-520
VPN Configuration Modes Overview DC-521
Prerequisites for VPNs DC-523
Configuring the LAN Interface DC-524
Configuring AAA DC-524
Specifying the IP Address Pool and BOOTP Servers on the Tunnel Server DC-526
Commissioning the T1 Controllers on the NAS DC-526
Configuring the Serial Channels for Modem Calls on the NAS DC-527
Configuring the Modems and Asynchronous Lines on the NAS DC-528
Configuring the Group-Asynchronous Interface on the NAS DC-528
Configuring the Dialer on a NAS DC-529
Configuring the Dialer on a Tunnel Server DC-529
How to Configure a VPN DC-530
Enabling a VPN DC-530
Configuring VPN Tunnel Authentication Configuration DC-530
Disabling VPN Tunnel Authentication for L2TP Tunnels DC-531
Configuring VPN Tunnel Authentication Using the Host Name or Local Name DC-532
Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password DC-532
Configuring Client-Initiated Dial-In VPN DC-533
Configuring a Tunnel Server to Accept PPTP Tunnels DC-533
Configuring MPPE on the ISA Card DC-534
Tuning PPTP DC-534
Configuring NAS-Initiated Dial-In VPN DC-534
Configuring a NAS to Request Dial-In DC-534
Configuring a Tunnel Server to Accept Dial-In DC-535
Creating the Virtual Template on the Network Server DC-535
Configuring Dial-Out VPN DC-536
Configuring a Tunnel Server to Request Dial-Out DC-536
Configuring a NAS to Accept Dial-Out DC-537
Configuring Advanced VPN Features DC-537
Configuring Advanced Remote AAA Features DC-537
Configuring Per-User VPN DC-538
Configuring Preservation of IP ToS Field DC-539
Shutting Down a VPN Tunnel DC-540
Limiting the Number of Allowed Simultaneous VPN Sessions DC-540
Enabling Soft Shutdown of VPN Tunnels DC-541
Configuring Event Logging DC-542
Setting the History Table Size DC-542
Verifying VPN Sessions DC-542
Verifying a Client-Initiated VPN DC-542
Verifying a NAS-Initiated VPN DC-544
Monitoring and Maintaining VPNs DC-547
Troubleshooting VPNs DC-548
Successful Debug Examples DC-549
L2TP Dial-In Debug Output on NAS Example DC-549
L2TP Dial-In Debug Output on a Tunnel Server Example DC-550
L2TP Dial-Out Debug Output on a NAS Example DC-550
L2TP Dial-Out Debug Output on a Tunnel Server Example DC-551
VPN Troubleshooting Methodology DC-553
Comparing Your Debug Output to the Successful Debug Output DC-555
Troubleshooting VPN Negotiation DC-555
Troubleshooting PPP Negotiation DC-559
Troubleshooting AAA Negotiation DC-560
Configuration Examples for VPN DC-563
Client-Initiated Dial-In Configuration Example DC-563
VPN Tunnel Authentication Examples DC-565
Tunnel Secret Configured Using the Local Name Command DC-565
Tunnel Secret Configured Using the L2TP Tunnel Password Command DC-565
Tunnel Secret Configuration Using Different Tunnel Authentication Methods DC-566
NAS Comprehensive Dial-In Configuration Example DC-566
Tunnel Server Comprehensive Dial-In Configuration Example DC-567
NAS Configured for Both Dial-In and Dial-Out Example DC-568
Tunnel Server Configured for Both Dial-In and Dial-Out Example DC-569
RADIUS Profile Examples DC-569
RADIUS Domain Profile DC-569
RADIUS User Profile DC-570
TACACS+ Profile Examples DC-570
TACACS+ Domain Profile DC-570
TACACS+ User Profile DC-571
TACACS+ Tunnel Profiles DC-571
PPP CONFIGURATION
Configuring Asynchronous SLIP and PPP DC-575
Asynchronous SLIP and PPP Overview DC-575
Responding to BOOTP Requests DC-576
Asynchronous Network Connections and Routing DC-576
Asynchronous Interfaces and Broadcasts DC-577
How to Configure Asynchronous SLIP and PPP DC-577
Configuring Network-Layer Protocols over PPP and SLIP DC-578
Configuring IP and PPP DC-578
Configuring IPX and PPP DC-578
Configuring AppleTalk and PPP DC-580
Configuring IP and SLIP DC-581
Configuring Asynchronous Host Mobility DC-581
Making Additional Remote Node Connections DC-582
Creating PPP Connections DC-582
Making SLIP Connections DC-583
Configuring Remote Access to NetBEUI Services DC-583
Configuring Performance Parameters DC-584
Compressing TCP Packet Headers DC-584
Setting the TCP Connection Attempt Time DC-585
Compressing IPX Packet Headers over PPP DC-585
Enabling Fast Switching DC-586
Controlling Route Cache Invalidation DC-587
Customizing SLIP and PPP Banner Messages DC-587
Configuration Examples for Asynchronous SLIP and PPP DC-588
Basic PPP Configurations Examples DC-588
Remote Node NetBEUI Examples DC-589
Remote Network Access Using PPP Basic Configuration Example DC-590
Remote Network Access Using PPP and Routing IP Example DC-591
Remote Network Access Using a Leased Line with Dial-Backup and PPP Example DC-592
Multilink PPP Using Multiple Asynchronous Interfaces Example DC-593
Configuring Media-Independent PPP and Multilink PPP DC-595
PPP Encapsulation Overview DC-595
Configuring PPP and MLP DC-596
Enabling PPP Encapsulation DC-597
Enabling CHAP or PAP Authentication DC-597
Enabling Link Quality Monitoring DC-599
Configuring Compression of PPP Data DC-600
Software Compression DC-600
Hardware-Dependent Compression DC-600
Configuring Microsoft Point-to-Point Compression DC-601
MPPC Restrictions DC-602
Configuring MPPC DC-602
Configuring IP Address Pooling DC-603
Peer Address Allocation DC-603
Precedence Rules DC-604
Interfaces Affected DC-604
Choosing the IP Address Assignment Method DC-604
Defining the Global Default Address Pooling Mechanism DC-605
Controlling DHCP Network Discovery DC-606
Configuring IP Address Assignment DC-606
Configuring PPP Reliable Link DC-607
Troubleshooting PPP DC-608
Disabling or Reenabling Peer Neighbor Routes DC-608
Configuring PPP Half-Bridging DC-608
Configuring Multilink PPP DC-610
Configuring MLP on Synchronous Interfaces DC-610
Configuring MLP on Asynchronous Interfaces DC-611
Configuring MLP on a Single ISDN BRI Interface DC-611
Configuring MLP on Multiple ISDN BRI Interfaces DC-612
Configuring MLP Using Multilink Group Interfaces DC-614
Changing the Default Endpoint Discriminator DC-615
Configuring MLP Interleaving and Queueing DC-615
Configuring MLP Interleaving DC-616
Configuring MLP Inverse Multiplexer and Distributed MLP DC-617
Enabling Distributed CEF Switching DC-619
Creating a Multilink Bundle DC-619
Assigning an Interface to a Multilink Bundle DC-619
Disabling PPP Multilink Fragmentation DC-620
Verifying the MLP Inverse Multiplexer Configuration DC-620
Monitoring and Maintaining PPP and MLP Interfaces DC-620
Configuration Examples for PPP and MLP DC-620
CHAP with an Encrypted Password Examples DC-621
User Maximum Links Configuration Example DC-621
MPPC Interface Configuration Examples DC-622
IP Address Pooling Example DC-623
DHCP Network Control Example DC-625
PPP Reliable Link Examples DC-625
MLP Examples DC-626
MLP on Synchronous Serial Interfaces Example DC-626
MLP on One ISDN BRI Interface Example DC-628
MLP on Multiple ISDN BRI Interfaces Example DC-629
MLP Using Multilink Group Interfaces over ATM Example DC-629
Changing the Default Endpoint Discriminator Example DC-630
MLP Interleaving and Queueing for Real-Time Traffic Example DC-630
T3 Controller Configuration for an MLP Multilink Inverse Multiplexer Example DC-631
Multilink Interface Configuration for Distributed MLP Example DC-631
Configuring Multichassis Multilink PPP DC-633
Multichassis Multilink PPP Overview DC-633
Stack Groups DC-634
Call Handling and Bidding DC-634
How to Configure MMP DC-636
Configuring the Stack Group and Identifying Members DC-636
Configuring a Virtual Template and Creating a Virtual Template Interface DC-636
Monitoring and Maintaining MMP Virtual Interfaces DC-637
Configuration Examples for MMP DC-638
MMP Using PRI But No Dialers DC-638
MMP with Dialers DC-639
MMP with Explicitly Defined Dialer DC-639
MMP with ISDN PRI but No Explicitly Defined Dialer DC-640
MMP with Offload Server DC-640
CALLBACK AND BANDWIDTH ALLOCATION CONFIGURATION
Configuring Asynchronous Callback DC-643
Asynchronous Callback Overview DC-643
How to Configure Asynchronous Callback DC-644
Configuring Callback PPP Clients DC-644
Accepting Callback Requests from RFC-Compliant PPP Clients DC-644
Accepting Callback Requests from Non-RFC-Compliant PPP Clients Placing Themselves in Answer Mode DC-645
Enabling PPP Callback on Outgoing Lines DC-645
Enabling Callback Clients That Dial In and Connect to the EXEC Prompt DC-646
Configuring Callback ARA Clients DC-647
Configuration Examples for Asynchronous Callback DC-647
Callback to a PPP Client Example DC-648
Callback Clients That Connect to the EXEC Prompt Example DC-649
Callback to an ARA Client Example DC-649
Configuring PPP Callback DC-651
PPP Callback for DDR Overview DC-651
How to Configure PPP Callback for DDR DC-652
Configuring a Router as a Callback Client DC-652
Configuring a Router as a Callback Server DC-653
MS Callback Overview DC-653
How to Configure MS Callback DC-654
Configuration Examples for PPP Callback DC-654
Configuring ISDN Caller ID Callback DC-657
ISDN Caller ID Callback Overview DC-658
Callback After the Best Match Is Determined DC-658
Legacy DDR DC-658
Dialer Profiles DC-659
Timing and Coordinating Callback on Both Sides DC-659
How to Configure ISDN Caller ID Callback DC-659
Configuring ISDN Caller ID Callback for Legacy DDR DC-659
Configuring ISDN Caller ID Callback for Dialer Profiles DC-660
Monitoring and Troubleshooting ISDN Caller ID Callback DC-661
Configuration Examples for ISDN Caller ID Callback DC-661
Best Match System Examples DC-661
Best Match Based on the Number of “Don’t Care” Characters Example DC-662
Best Match with No Callback Configured Example DC-662
No Match Configured Example DC-662
Simple Callback Configuration Examples DC-662
ISDN Caller ID Callback with Dialer Profiles Examples DC-663
ISDN Caller ID Callback with Legacy DDR Example DC-664
Individual Interface Example DC-664
Dialer Rotary Group Example DC-665
Configuring BACP DC-667
BACP Overview DC-668
BACP Configuration Options DC-668
How to Configure BACP DC-669
Enabling BACP DC-670
Modifying BACP Passive Mode Default Settings DC-671
Configuring Active Mode BACP DC-671
Monitoring and Maintaining Interfaces Configured for BACP DC-672
Troubleshooting BACP DC-673
Configuration Examples for BACP DC-673
Basic BACP Configurations DC-673
Dialer Rotary Group with Different Dial-In Numbers DC-674
Passive Mode Dialer Rotary Group Members with One Dial-In Number DC-675
PRI Interface with No Defined PPP BACP Number DC-676
BRI Interface with No Defined BACP Number DC-676
DIAL ACCESS SPECIALIZED FEATURES
Configuring Large-Scale Dial-Out DC-679
Large-Scale Dial-Out Overview DC-679
Next Hop Definition DC-681
Static Routes DC-681
Stack Groups DC-681
How to Configure Large-Scale Dial-Out DC-682
Complying with Large-Scale Dial-Out Prerequisites DC-682
Establishing the Route to the Remote Network DC-683
Enabling AAA and Static Route Download DC-683
Enabling Access to the AAA Server DC-684
Enabling Reverse DNS DC-684
Enabling SGBP Dial-Out Connection Bidding DC-684
Defining a User Profile DC-685
Monitoring and Maintaining the Large-Scale Dial-Out Network DC-690
Configuration Examples for Large-Scale Dial-Out DC-690
Stack Group and Static Route Download Configuration Example DC-690
User Profile on an Ascend RADIUS Server for NAS1 Example DC-695
Asynchronous Dialing Configuration Examples DC-696
Asynchronous Dialing Example DC-696
Asynchronous and Synchronous Dialing Example DC-696
Configuring per-User Configuration DC-699
Per-User Configuration Overview DC-699
General Operational Processes DC-700
Operational Processes with IP Address Pooling DC-701
Deleting Downloaded Pools DC-702
Supported Attributes for AV Pairs DC-703
How to Configure a AAA Server for Per-User Configuration DC-705
Configuring a Freeware TACACS Server for Per-User Configuration DC-706
Configuring a CiscoSecure TACACS Server for Per-User Configuration DC-706
Configuring a RADIUS Server for Per-User Configuration DC-707
Monitoring and Debugging Per-User Configuration Settings DC-708
Configuration Examples for Per-User Configuration DC-708
TACACS+ Freeware Examples DC-708
IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI DC-709
IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface DC-711
RADIUS Examples DC-712
IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI DC-712
IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface DC-718
Configuring Resource Pool Management DC-721
RPM Overview DC-721
Components of Incoming and Outgoing Call Management DC-722
Customer Profile Types DC-723
DNIS Groups DC-725
CLID Groups DC-725
Call Types DC-725
Resource Groups DC-726
Resource Services DC-726
VPDN Groups DC-727
VPDN Profiles DC-727
Call Treatments DC-727
Details on RPM Call Processes DC-728
Accounting Data DC-730
Data over Voice Bearer Services DC-730
Call Discriminator Profiles DC-731
Incoming Call Preauthentication DC-732
RPM Standalone Network Access Server DC-733
Call Processing DC-734
Base Session and Overflow Session Limits DC-734
VPDN Session and Overflow Session Limits DC-735
VPDN MLP Bundle and Links-per-Bundle Limits DC-736
VPDN Tunnel Limits DC-736
RPM Using the Cisco RPMS DC-739
Resource Manager Protocol DC-739
Direct Remote Services DC-740
RPM Process with RPMS and SS7 DC-740
Additional Information About Cisco RPM DC-741
How to Configure RPM DC-741
Enabling RPM DC-742
Configuring DNIS Groups DC-743
Creating CLID Groups DC-744
Configuring Discriminator Profiles DC-744
Configuring Resource Groups DC-746
Configuring Service Profiles DC-746
Configuring Customer Profiles DC-747
Configuring Default Customer Profiles DC-747
Configuring Customer Profiles Using Backup Customer Profiles DC-747
Configuring Customer Profiles for Using DoVBS DC-748
Configuring a Customer Profile Template DC-748
Typical Template Configuration DC-749
Verifying Template Configuration DC-749
Placing the Template in the Customer Profile DC-750
Configuring AAA Server Groups DC-751
Configuring VPDN Profiles DC-751
Configuring VPDN Groups DC-752
Counting VPDN Sessions by Using VPDN Profiles DC-753
Limiting the Number of MLP Bundles in VPDN Groups DC-755
Configuring Switched 56 over CT1 and RBS DC-756
Verifying RPM Components DC-757
Verifying Current Calls DC-757
Verifying Call Counters for a Customer Profile DC-757
Clearing Call Counters DC-758
Verifying Call Counters for a Discriminator Profile DC-758
Verifying Call Counters for a Resource Group DC-758
Verifying Call Counters for a DNIS Group DC-759
Verifying Call Counters for a VPDN Profile DC-759
Verifying Load Sharing and Backup DC-759
Troubleshooting RPM DC-760
Resource-Pool Component DC-761
Successful Resource Pool Connection DC-762
Dialer Component DC-762
Resource Group Manager DC-762
Signaling Stack DC-762
AAA Component DC-763
VPDN Component DC-763
Troubleshooting DNIS Group Problems DC-763
Troubleshooting Call Discriminator Problems DC-764
Troubleshooting Customer Profile Counts DC-764
Troubleshooting Resource Group Counts DC-764
Troubleshooting VPDN DC-764
Troubleshooting RPM/VPDN Connection DC-765
Troubleshooting Customer/VPDN Profile DC-765
Troubleshooting VPDN Profile Limits DC-766
Troubleshooting VPDN Group Limits DC-766
Troubleshooting VPDN Endpoint Problems DC-767
Troubleshooting RPMS DC-767
Configuration Examples for RPM DC-768
Standard Configuration for RPM Example DC-769
Customer Profile Configuration for DoVBS Example DC-770
DNIS Discriminator Profile Example DC-770
CLID Discriminator Profile Example DC-771
Direct Remote Services Configuration Example DC-774
VPDN Configuration Example DC-775
VPDN Load Sharing and Backing Up Between Multiple HGW/LNSs Example DC-776
Configuring Wholesale Dial Performance Optimization DC-779
Wholesale Dial Performance Optimization Feature Overview DC-779
How to Configure Automatic Command Execution DC-780
How to Configure TCP Clear Performance Optimization DC-780
Verifying Configuration of TCP Clear Performance Optimization DC-781
DIAL ACCESS SCENARIOS
Dial Networking Business Applications DC-785
Dial Networking for Service Providers and Enterprises DC-785
Common Dial Applications DC-788
IP Address Strategies DC-789
Choosing an Addressing Scheme DC-789
Classic IP Addressing DC-789
Cisco Easy IP DC-790
Enterprise Dial Scenarios and Configurations DC-793
Remote User Demographics DC-793
Demand and Scalability DC-794
Remote Offices and Telecommuters Dialing In to a Central Site DC-794
Network Topologies DC-794
Dial-In Scenarios DC-795
Cisco 1604 Remote Office Router Dialing In to a Cisco 3620 Access Router DC-796
Remote Office Router Dialing In to a Cisco 3620 Router DC-799
Cisco 700 Series Router Using Port Address Translation to Dial In to a Cisco AS5300 Access Server DC-802
Cisco 3640 Central Site Router Configuration to Support ISDN and Modem Calls DC-806
Cisco AS5300 Central Site Configuration Using Remote Security DC-808
Bidirectional Dial Between Central Sites and Remote Offices DC-811
Dial-In and Dial-Out Network Topology DC-811
Dialer Profiles and Virtual Profiles DC-812
Running Access Server Configurations DC-814
Cisco AS5300 Access Server Configuration with Dialer Profiles DC-815
Cisco 1604 ISDN Router Configuration with Dialer Profiles DC-820
Cisco 1604 Router Asynchronous Configuration with Dialer Profiles DC-821
Cisco AS5300 Access Server Configuration Without Dialer Profiles DC-822
Cisco 1604 ISDN Router Configuration Without Dialer Profiles DC-824
Cisco 1604 Router Asynchronous Configuration Without Dialer Profiles DC-825
Large-Scale Dial-In Configuration Using Virtual Profiles DC-826
Telecommuters Dialing In to a Mixed Protocol Environment DC-826
Description DC-827
Enterprise Network Topology DC-829
Mixed Protocol Dial-In Scenarios DC-830
Cisco 7200 #1 Backbone Router DC-831
Cisco 7200 #2 Backbone Router DC-832
Cisco AS5300 Universal Access Server DC-833
Telco and ISP Dial Scenarios and Configurations DC-837
Small- to Medium-Scale POPs DC-837
Individual Remote PCs Using Analog Modems DC-838
Network Topology DC-838
Running Configuration for ISDN PRI DC-838
Running Configuration for Robbed-Bit Signaling DC-840
Individual PCs Using ISDN Terminal Adapters DC-842
Network Topology DC-842
Terminal Adapter Configuration Example DC-843
Mixture of ISDN and Analog Modem Calls DC-845
Combination of Modem and ISDN Dial-In Configuration Example DC-845
Large-Scale POPs DC-847
Scaling Considerations DC-847
How Stacking Works DC-848
A Typical Multilink PPP Session DC-848
Using Multichassis Multilink PPP DC-849
Setting Up an Offload Server DC-850
Using the Stack Group Bidding Protocol DC-851
Using L2F DC-852
Stack Group of Access Servers Using MMP with an Offload Processor Examples DC-852
Cisco Access Server #1 DC-852
Cisco Access Server #2 DC-854
Cisco Access Server #3 DC-856
Cisco 7206 as Offload Server DC-859
RADIUS Remote Security Examples DC-860
User Setup for PPP DC-861
User Setup for PPP and Static IP Address DC-861
Enabling Router Dial-In DC-861
User Setup for SLIP DC-861
User Setup for SLIP and Static IP Address DC-862
Using Telnet to Connect to a UNIX Host DC-862
Automatic rlogin to UNIX Host DC-862
PPP Calls over X.25 Networks DC-862
Overview DC-863
Remote PC Browsing Network Topology DC-863
Protocol Translation Configuration Example DC-864
APPENDIXES
Modem Initialization Strings DC-869
Sample Modem Scripts DC-872
INDEX
About Cisco IOS Software Documentation
This chapter discusses the objectives, audience, organization, and conventions of Cisco IOS software
documentation. It also provides sources for obtaining documentation from Cisco Systems.
Documentation Objectives
Cisco IOS software documentation describes the tasks and commands necessary to configure and
maintain Cisco networking devices.
Audience
The Cisco IOS software documentation set is intended primarily for users who configure and maintain
Cisco networking devices (such as routers and switches) but who may not be familiar with the tasks,
the relationship between tasks, or the Cisco IOS software commands necessary to perform particular
tasks. The Cisco IOS software documentation set is also intended for those users experienced with
Cisco IOS software who need to know about new features, new configuration options, and new software
characteristics in the current Cisco IOS software release.
Documentation Organization
The Cisco IOS software documentation set consists of documentation modules and master indexes. In
addition to the main documentation set, there are supporting documents and resources.
Documentation Modules
The Cisco IOS documentation modules consist of configuration guides and corresponding command
reference publications. Chapters in a configuration guide describe protocols, configuration tasks, and
Cisco IOS software functionality and contain comprehensive configuration examples. Chapters in a
command reference publication provide complete Cisco IOS command syntax information. Use each
configuration guide in conjunction with its corresponding command reference publication.
Figure 1 shows the Cisco IOS software documentation modules.
Note The abbreviations (for example, FC and FR) next to the book icons are page designators,
which are defined in a key in the index of each document to help you with navigation. The
bullets under each module list the major technology areas discussed in the corresponding
books.
Figure 1 Cisco IOS Software Documentation Modules

Module FC/FR: Cisco IOS Configuration Fundamentals Configuration Guide; Cisco IOS Configuration Fundamentals Command Reference
• Cisco IOS User Interfaces
• File Management
• System Management

Module IPC/IP1R/IP2R/IP3R: Cisco IOS IP Configuration Guide; Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services; Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols; Cisco IOS IP Command Reference, Volume 3 of 3: Multicast
• IP Addressing and Services
• IP Routing Protocols
• IP Multicast

Module P2C/P2R: Cisco IOS AppleTalk and Novell IPX Configuration Guide; Cisco IOS AppleTalk and Novell IPX Command Reference
• AppleTalk
• Novell IPX

Module P3C/P3R: Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide; Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Command Reference
• Apollo Domain
• Banyan VINES
• DECnet
• ISO CLNS
• XNS

Module WC/WR: Cisco IOS Wide-Area Networking Configuration Guide; Cisco IOS Wide-Area Networking Command Reference
• ATM
• Broadband Access
• Frame Relay
• SMDS
• X.25 and LAPB

Module SC/SR: Cisco IOS Security Configuration Guide; Cisco IOS Security Command Reference
• AAA Security Services
• Security Server Protocols
• Traffic Filtering and Firewalls
• IP Security and Encryption
• Passwords and Privileges
• Neighbor Router Authentication
• IP Security Options
• Supported AV Pairs

Module IC/IR: Cisco IOS Interface Configuration Guide; Cisco IOS Interface Command Reference
• LAN Interfaces
• Serial Interfaces
• Logical Interfaces

Module MWC/MWR: Cisco IOS Mobile Wireless Configuration Guide; Cisco IOS Mobile Wireless Command Reference
• General Packet Radio Service

Module VC/VR: Cisco IOS Voice, Video, and Fax Configuration Guide; Cisco IOS Voice, Video, and Fax Command Reference
• Voice over IP
• Call Control Signalling
• Voice over Frame Relay
• Voice over ATM
• Telephony Applications
• Trunk Management
• Fax, Video, and Modem Support

Module QC/QR: Cisco IOS Quality of Service Solutions Configuration Guide; Cisco IOS Quality of Service Solutions Command Reference
• Packet Classification
• Congestion Management
• Congestion Avoidance
• Policing and Shaping
• Signalling
• Link Efficiency Mechanisms

Module DC/DR: Cisco IOS Dial Technologies Configuration Guide; Cisco IOS Dial Technologies Command Reference
• Preparing for Dial Access
• Modem and Dial Shelf Configuration and Management
• ISDN Configuration
• Signalling Configuration
• Dial-on-Demand Routing Configuration
• Dial-Backup Configuration
• Dial-Related Addressing Services
• Virtual Templates, Profiles, and Networks
• PPP Configuration
• Callback and Bandwidth Allocation Configuration
• Dial Access Specialized Features
• Dial Access Scenarios

Module BC/B1R: Cisco IOS Bridging and IBM Networking Configuration Guide; Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2
• Transparent Bridging
• SRB
• Token Ring Inter-Switch Link
• Token Ring Route Switch Module
• RSRB
• DLSw+
• Serial Tunnel and Block Serial Tunnel
• LLC2 and SDLC
• IBM Network Media Translation
• SNA Frame Relay Access
• NCIA Client/Server
• Airline Product Set

Module BC/B2R: Cisco IOS Bridging and IBM Networking Configuration Guide; Cisco IOS Bridging and IBM Networking Command Reference, Volume 2 of 2
• DSPU and SNA Service Point
• SNA Switching Services
• Cisco Transaction Connection
• Cisco Mainframe Channel Connection
• CLAW and TCP/IP Offload
• CSNA, CMPC, and CMPC+
• TN3270 Server

Module XC/XR: Cisco IOS Switching Services Configuration Guide; Cisco IOS Switching Services Command Reference
• Cisco IOS Switching Paths
• NetFlow Switching
• Multiprotocol Label Switching
• Multilayer Switching
• Multicast Distributed Switching
• Virtual LANs
• LAN Emulation

Module TC/TR: Cisco IOS Terminal Services Configuration Guide; Cisco IOS Terminal Services Command Reference
• ARA
• LAT
• NASI
• Telnet
• TN3270
• XRemote
• X.28 PAD
• Protocol Translation
Master Indexes
Two master indexes provide indexing information for the Cisco IOS software documentation set:
an index for the configuration guides and an index for the command references. Individual books also
contain a book-specific index.
The master indexes provide a quick way for you to find a command when you know the command name
but not which module contains the command. When you use the online master indexes, you can click
the page number for an index entry and go to that page in the online document.
Supporting Documents and Resources
The following documents and resources support the Cisco IOS software documentation set:
• Cisco IOS Command Summary (two volumes)—This publication explains the function and syntax
of the Cisco IOS software commands. For more information about defaults and usage guidelines,
refer to the Cisco IOS command reference publications.
• Cisco IOS System Error Messages—This publication lists and describes Cisco IOS system error
messages. Not all system error messages indicate problems with your system. Some are purely
informational, and others may help diagnose problems with communications lines, internal
hardware, or the system software.
• Cisco IOS Debug Command Reference—This publication contains an alphabetical listing of the
debug commands and their descriptions. Documentation for each command includes a brief
description of its use, command syntax, usage guidelines, and sample output.
• Dictionary of Internetworking Terms and Acronyms—This Cisco publication compiles and defines
the terms and acronyms used in the internetworking industry.
• New feature documentation—The Cisco IOS software documentation set documents the mainline
release of Cisco IOS software (for example, Cisco IOS Release 12.2). New software features are
introduced in early deployment releases (for example, the Cisco IOS “T” release train for 12.2,
12.2(x)T). Documentation for these new features can be found in standalone documents called
“feature modules.” Feature module documentation describes new Cisco IOS software and hardware
networking functionality and is available on Cisco.com and the Documentation CD-ROM.
• Release notes—This documentation describes system requirements, provides information about
new and changed features, and includes other useful information about specific software releases.
See the section “Using Software Release Notes” in the chapter “Using Cisco IOS Software” for
more information.
• Caveats documentation—This documentation provides information about Cisco IOS software
defects in specific software releases.
• RFCs—RFCs are standards documents maintained by the Internet Engineering Task Force (IETF).
Cisco IOS software documentation references supported RFCs when applicable. The full text of
referenced RFCs may be obtained on the World Wide Web at http://www.rfc-editor.org/.
• MIBs—MIBs are used for network monitoring. For lists of supported MIBs by platform and
release, and to download MIB files, see the Cisco MIB website on Cisco.com at
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
New and Changed Information
For Cisco IOS Release 12.2, two previous Release 12.1 guides, Cisco IOS Dial Services Configuration
Guide: Terminal Services and Cisco IOS Dial Services Configuration Guide: Network Services, have
been renamed and reorganized into a single book: Cisco IOS Dial Technologies Configuration Guide.
See Figure 1 for a list of the contents.
For Cisco IOS Release 12.2, the Release 12.1 Cisco IOS Dial Services Command Reference has been
renamed Cisco IOS Dial Technologies Command Reference.
The Cisco IOS Terminal Services Configuration Guide and Cisco IOS Terminal Services Command
Reference were extracted from the 12.1 release of the Cisco IOS Dial Services Configuration Guide:
Terminal Services and Cisco IOS Dial Services Command Reference, and placed in separate books not
included in this set.
Document Conventions
Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco
products (for example, routers, access servers, and switches). Routers, access servers, and other
networking devices that support Cisco IOS software are shown interchangeably within examples. These
products are used only for illustrative purposes; that is, an example that shows one product does not
necessarily indicate that other products are not supported.
The Cisco IOS documentation set uses the following conventions:

Convention  Description
^ or Ctrl  The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive.
string  A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks.

Command syntax descriptions use the following conventions:

Convention  Description
boldface  Boldface text indicates commands and keywords that you enter literally as shown.
italics  Italic text indicates arguments for which you supply values.
[x]  Square brackets enclose an optional element (keyword or argument).
|  A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y]  Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice.
{x | y}  Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.

Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. For example:

Convention  Description
[x {y | z}]  Braces and a vertical line within square brackets indicate a required choice within an optional element.

Examples use the following conventions:

Convention  Description
screen  Examples of information displayed on the screen are set in Courier font.
boldface screen  Examples of text that you must enter are set in Courier bold font.
< >  Angle brackets enclose text that is not printed to the screen, such as passwords.
!  An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ]  Square brackets enclose default responses to system prompts.

The following conventions are used to attract the attention of the reader:

Caution  Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Note  Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Timesaver  Means the described action saves time. You can save time by performing the action described in the paragraph.

Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web
The most current Cisco documentation is available on the World Wide Web at the following website:
http://www.cisco.com
Translated documentation is available at the following website:
http://www.cisco.com/public/countries_languages.html
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships
with your product. The Documentation CD-ROM is updated monthly and may be more current than
printed documentation. The CD-ROM package is available as a single unit or through an
annual subscription.
Ordering Documentation
Cisco documentation can be ordered in the following ways:
• Registered Cisco Direct Customers can order Cisco product documentation from the Networking
Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online
Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by
calling 800 553-NETS(6387).
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical
comments electronically. Click Feedback in the toolbar and select Documentation. After you complete
the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or
write to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can
obtain documentation, troubleshooting tips, and sample configurations from online tools. For
Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open
access to Cisco information and resources at anytime, from anywhere in the world. This highly
integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline
business processes and improve productivity. Through Cisco.com, you can find information about Cisco
and our networking solutions, services, and programs. In addition, you can resolve technical issues with
online technical support, download and test software packages, and order Cisco learning materials and
merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information
and services. Registered users can order products, check on the status of an order, access technical
support, and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to the following website:
http://www.cisco.com
Technical Assistance Center
The Cisco TAC website is available to all customers who need technical assistance with a Cisco product
or technology that is under warranty or covered by a maintenance contract.
Contacting TAC by Using the Cisco TAC Website
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC
website:
http://www.cisco.com/tac
P3 and P4 level problems are defined as follows:
• P3—Your network performance is degraded. Network functionality is noticeably impaired, but
most business operations continue.
• P4—You need information or assistance on Cisco product capabilities, product installation, or basic
product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website:
http://www.cisco.com/register/
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered
users can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.com/tac/caseopen
Contacting TAC by Telephone
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and
immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following
website:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
P1 and P2 level problems are defined as follows:
• P1—Your production network is down, causing a critical impact to business operations if service
is not restored quickly. No workaround is available.
• P2—Your production network is severely degraded, affecting significant aspects of your business
operations. No workaround is available.
Using Cisco IOS Software
This chapter provides helpful tips for understanding and configuring Cisco IOS software using the
command-line interface (CLI). It contains the following sections:
• Understanding Command Modes
• Getting Help
• Using the no and default Forms of Commands
• Saving Configuration Changes
• Filtering Output from the show and more Commands
• Identifying Supported Platforms
For an overview of Cisco IOS software configuration, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide.
For information on the conventions used in the Cisco IOS software documentation set, see the chapter
“About Cisco IOS Software Documentation” located at the beginning of this book.
Understanding Command Modes
You use the CLI to access Cisco IOS software. Because the CLI is divided into many different modes,
the commands available to you at any given time depend on the mode you are currently in. Entering a
question mark (?) at the CLI prompt allows you to obtain a list of commands available for each
command mode.
When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited
subset of commands. To have access to all commands, you must enter privileged EXEC mode, normally
by using a password. From privileged EXEC mode you can issue any EXEC command—user or
privileged mode—or you can enter global configuration mode. Most EXEC commands are one-time
commands. For example, show commands show important status information, and clear commands
clear counters or interfaces. The EXEC commands are not saved when the software reboots.
Configuration modes allow you to make changes to the running configuration. If you later save the
running configuration to the startup configuration, these changed commands are stored when the
software is rebooted. To enter specific configuration modes, you must start at global configuration
mode. From global configuration mode, you can enter interface configuration mode and a variety of
other modes, such as protocol-specific modes.
ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a
valid software image is not found when the software boots or if the configuration file is corrupted at
startup, the software might enter ROM monitor mode.
Table 1 describes how to access and exit various common command modes of the Cisco IOS software.
It also shows examples of the prompts displayed for each mode.

Table 1 Accessing and Exiting Command Modes

Command Mode: User EXEC
Access Method: Log in.
Prompt: Router>
Exit Method: Use the logout command.

Command Mode: Privileged EXEC
Access Method: From user EXEC mode, use the enable EXEC command.
Prompt: Router#
Exit Method: To return to user EXEC mode, use the disable command.

Command Mode: Global configuration
Access Method: From privileged EXEC mode, use the configure terminal privileged EXEC command.
Prompt: Router(config)#
Exit Method: To return to privileged EXEC mode from global configuration mode, use the exit or end command, or press Ctrl-Z.

Command Mode: Interface configuration
Access Method: From global configuration mode, specify an interface using an interface command.
Prompt: Router(config-if)#
Exit Method: To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command, or press Ctrl-Z.

Command Mode: ROM monitor
Access Method: From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting.
Prompt: >
Exit Method: To exit ROM monitor mode, use the continue command.

For more information on command modes, refer to the “Using the Command-Line Interface” chapter in
the Cisco IOS Configuration Fundamentals Configuration Guide.
Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:

Command  Purpose
help  Provides a brief description of the help system in any command mode.
abbreviated-command-entry?  Provides a list of commands that begin with a particular character string. (No space between command and question mark.)
abbreviated-command-entry  Completes a partial command name.
?  Lists all commands available for a particular command mode.
command ?  Lists the keywords or arguments that you must enter next on the command line. (Space between command and question mark.)
Example: How to Find Command Options
This section provides an example of how to display syntax for a command. The syntax can consist of
optional or required keywords and arguments. To display keywords and arguments for a command, enter
a question mark (?) at the configuration prompt or after entering part of a command followed by a space.
The Cisco IOS software displays a list and brief description of available keywords and arguments. For
example, if you were in global configuration mode and wanted to see all the keywords or arguments for
the arap command, you would type arap ?.
The symbol in command help output stands for “carriage return.” On older keyboards, the carriage
return key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The
symbol at the end of command help output indicates that you have the option to press Enter to
complete the command and that the arguments and keywords in the list preceding the symbol are
optional. The symbol by itself indicates that no more arguments or keywords are available and that
you must press Enter to complete the command.
Table 2 shows examples of how you can use the question mark (?) to assist you in entering commands.
The table steps you through configuring an IP address on a serial interface on a Cisco 7206 router that
is running Cisco IOS Release 12.0(3).
Table 2 How to Find Command Options

Command:
Router> enable
Password:
Router#
Comment: Enter the enable command and password to access privileged EXEC commands. You are in privileged EXEC mode when the prompt changes to Router#.

Command:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Comment: Enter the configure terminal privileged EXEC command to enter global configuration mode. You are in global configuration mode when the prompt changes to Router(config)#.

Command:
Router(config)# interface serial ?
<0-6> Serial interface number
Router(config)# interface serial 4 ?
/
Router(config)# interface serial 4/ ?
<0-3> Serial interface number
Router(config)# interface serial 4/0
Router(config-if)#
Comment: Enter interface configuration mode by specifying the serial interface that you want to configure using the interface serial global configuration command. Enter ? to display what you must enter next on the command line. In this example, you must enter the serial interface slot number and port number, separated by a forward slash. You are in interface configuration mode when the prompt changes to Router(config-if)#.

Command:
Router(config-if)# ?
Interface configuration commands:
.
.
.
ip Interface Internet Protocol config commands
keepalive Enable keepalive
lan-name LAN Name command
llc2 LLC2 Interface Subcommands
load-interval Specify interval for load calculation for an interface
locaddr-priority Assign a priority group
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
mls mls router sub/interface commands
mpoa MPOA interface configuration commands
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enable name-caching
no Negate a command or set its defaults
nrzi-encoding Enable use of NRZI encoding
ntp Configure NTP
.
.
.
Router(config-if)#
Comment: Enter ? to display a list of all the interface configuration commands available for the serial interface. This example shows only some of the available interface configuration commands.

Command:
Router(config-if)# ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
accounting Enable IP accounting on this interface
address Set the IP address of an interface
authentication authentication subcommands
bandwidth-percent Set EIGRP bandwidth limit
broadcast-address Set the broadcast address of an interface
cgmp Enable/disable CGMP
directed-broadcast Enable forwarding of directed broadcasts
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip
Comment: Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows only some of the available interface IP configuration commands.
Command:
Router(config-if)# ip address ?
A.B.C.D IP address
negotiated IP Address negotiated over PPP
Router(config-if)# ip address
Comment: Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP address or the negotiated keyword. A carriage return () is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command:
Router(config-if)# ip address 172.16.0.1 ?
A.B.C.D IP subnet mask
Router(config-if)# ip address 172.16.0.1
Comment: Enter the keyword or argument you want to use. This example uses the 172.16.0.1 IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP subnet mask. A is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command:
Router(config-if)# ip address 172.16.0.1 255.255.255.0 ?
secondary Make this IP address a secondary address
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Comment: Enter the IP subnet mask. This example uses the 255.255.255.0 IP subnet mask. Enter ? to display what you must enter next on the command line. In this example, you can enter the secondary keyword, or you can press Enter. A is displayed; you can press Enter to complete the command, or you can enter another keyword.

Command:
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Router(config-if)#
Comment: In this example, Enter is pressed to complete the command.

Using the no and default Forms of Commands
Almost every configuration command has a no form. In general, use the no form to disable a function.
Use the command without the no keyword to reenable a disabled function or to enable a function that
is disabled by default. For example, IP routing is enabled by default. To disable IP routing, use the no
ip routing command; to reenable IP routing, use the ip routing command. The Cisco IOS software
command reference publications provide the complete syntax for the configuration commands and
describe what the no form of a command does.
Configuration commands also can have a default form, which returns the command settings to the
default values. Most commands are disabled by default, so in such cases using the default form has the
same result as using the no form of the command. However, some commands are enabled by default and
have variables set to certain default values. In these cases, the default form of the command enables the
command and sets the variables to their default values. The Cisco IOS software command reference
publications describe the effect of the default form of a command if the command functions differently
than the no form.
Saving Configuration Changes
Use the copy system:running-config nvram:startup-config command to save your configuration
changes to the startup configuration so that the changes will not be lost if the software reloads or a
power outage occurs. For example:
Router# copy system:running-config nvram:startup-config
Building configuration...
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this task saves the configuration to NVRAM. On the Class A Flash file system
platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment
variable. The CONFIG_FILE variable defaults to NVRAM.
Filtering Output from the show and more Commands
In Cisco IOS Release 12.0(1)T and later releases, you can search and filter the output of show and more
commands. This functionality is useful if you need to sort through large amounts of output or if you
want to exclude output that you need not see.
To use this functionality, enter a show or more command followed by the “pipe” character (|); one of
the keywords begin, include, or exclude; and a regular expression on which you want to search or filter
(the expression is case-sensitive):
command | {begin | include | exclude} regular-expression
The output matches certain lines of information in the configuration file. The following example
illustrates how to use output modifiers with the show interface command when you want the output to
include only lines in which the expression “protocol” appears:
Router# show interface | include protocol
FastEthernet0/0 is up, line protocol is up
Serial4/0 is up, line protocol is up
Serial4/1 is up, line protocol is up
Serial4/2 is administratively down, line protocol is down
Serial4/3 is administratively down, line protocol is down
For more information on the search and filter functionality, refer to the “Using the Command-Line
Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2.
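To make the begin, include, and exclude semantics concrete, here is an added Python model of the output pipe described above; it is not Cisco code and not from this guide, and the sample show interface output, together with the names filter_output, parse_pipe, run_filtered and down_interfaces, are constructed for this illustration. The last function shows the defender's use of include protocol: pulling out which links are actually down when auditing a device.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample modelled on the "show interface" excerpt in this section;
# these lines were not captured from a real device.
SAMPLE_SHOW_INTERFACE = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Internet address is 172.16.0.1/24
Serial4/0 is up, line protocol is up
  Hardware is M4T
Serial4/1 is up, line protocol is up
  Hardware is M4T
Serial4/2 is administratively down, line protocol is down
  Hardware is M4T
Serial4/3 is administratively down, line protocol is down
  Hardware is M4T
""".splitlines()

MODIFIERS = ("begin", "include", "exclude")


def filter_output(lines: Iterable[str], modifier: str, pattern: str) -> List[str]:
    """Apply an IOS-style output modifier to show/more output.

    begin   - print from the first line matching the regex to the end
    include - keep only lines that match the regex
    exclude - keep only lines that do not match the regex
    The regex is case-sensitive, as the IOS pipe is.
    """
    regex = re.compile(pattern)
    if modifier == "begin":
        out: List[str] = []
        started = False
        for line in lines:
            if not started and regex.search(line):
                started = True
            if started:
                out.append(line)
        return out
    if modifier == "include":
        return [line for line in lines if regex.search(line)]
    if modifier == "exclude":
        return [line for line in lines if not regex.search(line)]
    raise ValueError(f"unknown modifier: {modifier}")


def parse_pipe(command: str) -> Tuple[str, str, str]:
    """Split 'show interface | include protocol' into (base command, modifier, regex)."""
    base, sep, rest = command.partition("|")
    if not sep:
        raise ValueError("no output modifier in command")
    modifier, _, pattern = rest.strip().partition(" ")
    if modifier not in MODIFIERS or not pattern:
        raise ValueError("expected: command | {begin | include | exclude} regular-expression")
    return base.strip(), modifier, pattern


def run_filtered(command: str, lines: Iterable[str] = SAMPLE_SHOW_INTERFACE) -> List[str]:
    """Run a piped command against captured output and return the filtered lines."""
    _, modifier, pattern = parse_pipe(command)
    return filter_output(lines, modifier, pattern)


def down_interfaces(lines: Iterable[str] = SAMPLE_SHOW_INTERFACE) -> List[str]:
    """Names of interfaces whose line protocol is down, taken from the summary
    lines that 'include protocol' keeps. Handy when auditing which links are live."""
    names = []
    for line in filter_output(lines, "include", "protocol"):
        m = re.match(r"(\S+) is .*line protocol is down", line)
        if m:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    for line in run_filtered("show interface | include protocol"):
        print(line)
    print("down:", down_interfaces())
```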
Identifying Supported Platforms
Cisco IOS software is packaged in feature sets consisting of software images that support specific
platforms. The feature sets available for a specific platform depend on which Cisco IOS software
images are included in a release. To identify the set of software images available in a specific release
or to find out if a feature is available in a given Cisco IOS software image, see the following sections:
• Using Feature Navigator
• Using Software Release Notes
Using Feature Navigator
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software
images support a particular set of features and which features are supported in a particular Cisco IOS
image.
Feature Navigator is available 24 hours a day, 7 days a week. To access Feature Navigator, you must
have an account on Cisco.com. If you have forgotten or lost your account information, e-mail the
Contact Database Administration group at cdbadmin@cisco.com. If you do not have an account on
Cisco.com, go to http://www.cisco.com/register and follow the directions to establish an account.
To use Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or
later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable
JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For
JavaScript support and enabling instructions for other browsers, check with the browser vendor.
Feature Navigator is updated when major Cisco IOS software releases and technology releases occur.
You can access Feature Navigator at the following URL:
http://www.cisco.com/go/fn
Using Software Release Notes
Cisco IOS software releases include release notes that provide the following information:
• Platform support information
• Memory recommendations
• Microcode support information
• Feature set tables
• Feature descriptions
• Open and resolved severity 1 and 2 caveats for all platforms
Release notes are intended to be release-specific for the most current release, and the information
provided in these documents may not be cumulative in providing information about features that first
appeared in previous releases.
Dial Interfaces, Controllers, and Lines
Overview of Dial Interfaces, Controllers, and Lines
This chapter describes the different types of software constructs, interfaces, controllers, channels, and
lines that are used for dial-up remote access. It includes the following main sections:
• Cisco IOS Dial Components
• Logical Constructs
• Logical Interfaces
• Circuit-Switched Digital Calls
• T1 and E1 Controllers
• Non-ISDN Channelized T1 and Channelized E1 Lines
• ISDN Service
• Line Types
• Encapsulation Types
For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
Cisco IOS Dial Components
Different components inside Cisco IOS software work together to enable remote clients to dial in and
send packets. Figure 2 shows one Cisco AS5300 access server that is receiving calls from a remote
office, branch office (ROBO); small office, home office (SOHO); and modem client.
Depending on your network scenario, you may encounter all of the components in Figure 2. For
example, you might decide to create a virtual IP subnet by using a loopback interface. This step saves
address space. Virtual subnets can exist inside devices that you advertise to your backbone. In turn, IP
packets get relayed to remote PCs, which route back to the central site.
Figure 2 Cisco IOS Dial Universe
Figure 2 image. Labels: Cisco IOS software inside a Cisco AS5300; headquarters intranet/Internet; routing and switching engine; loopback interface; Fast Ethernet interface; interface virtual-template cloned into a virtual access interface; interface group-async cloned into asynchronous interfaces, over lines and modems to the POTS line; interface dialer controlling the D channels, cloned into interface serial channels S0:0, S0:1... (B channels); TDM bus, controllers, E1/T1 PRI ports and PRI lines; AAA; PSTN/ISDN with BRI lines to a Cisco 766 (SOHO) and a Cisco 1604 (ROBO) and a POTS line to a remote PC with a modem (legend: ISDN B channel; modem/POTS).
Logical Constructs
A logical construct stores core protocol characteristics to assign to physical interfaces. No data packets
are forwarded to a logical construct. Cisco uses three types of logical constructs in its access servers and
routers. These constructs are described in the following sections:
• Asynchronous Interfaces
• Group Asynchronous Interfaces
• Virtual Template Interfaces
Asynchronous Interfaces
An asynchronous interface assigns network protocol characteristics to remote asynchronous clients that
are dialing in through physical terminal lines and modems. (See Figure 3.)
Use the interface async command to create and configure an asynchronous interface.
Figure 3 Logical Construct for an Asynchronous Interface
To enable clients to dial in, you must configure two asynchronous components: asynchronous lines and
asynchronous interfaces. Asynchronous interfaces correspond to physical terminal lines. For example,
asynchronous interface 1 corresponds to tty line 1.
Commands entered in asynchronous interface mode configure protocol-specific parameters for
asynchronous interfaces, whereas commands entered in line configuration configure the physical aspects
for the same port.
Figure 3 image. Labels: remote PC negotiating parameters with the asynchronous interface; PSTN/ISDN; modem 1 on line 1; asynchronous interface, which contains core protocol characteristics for incoming asynchronous clients.
Specifically, you configure asynchronous interfaces to support PPP connections. An asynchronous
interface on an access server or router can be configured to support the following functions:
• Network protocol support such as IP, Internet Protocol Exchange (IPX), or AppleTalk
• Encapsulation support (such as PPP)
• IP client addressing options (default or dynamic)
• IPX network addressing options
• PPP authentication
• ISDN BRI and PRI configuration
For additional information about configuring asynchronous interfaces, see the chapter “Configuring
Asynchronous Lines and Interfaces.”
Group Asynchronous Interfaces
A group asynchronous interface is a parent interface that stores core protocol characteristics and projects
them to a specified range of asynchronous interfaces. Asynchronous interfaces clone protocol
information from group asynchronous interfaces. No data packets arrive in a group asynchronous
interface. By setting up a group asynchronous interface, you also eliminate the need to repeatedly
configure identical configuration information across several asynchronous interfaces.
See the “Overview of Modem Interfaces” chapter for more information about group asynchronous
interfaces.
Virtual Template Interfaces
A virtual template interface stores protocol configuration information for virtual access interfaces and
protocol translation sessions. (See Figure 4.)
Figure 4 Logical Construct for a Virtual Template Interface
Figure 4 image. Labels: virtual template interface, which stores and projects core protocol configuration information; temporary virtual access interface, triggered by a multilink session event, a VPDN session event, or a protocol translation event.
Templates for Virtual Access Interfaces
Virtual templates project configuration information to temporary virtual access interfaces triggered by
multilink or virtual private dial-up network (VPDN) session events. When a virtual access interface is
triggered, the configuration attributes in the virtual template are cloned and the negotiated parameters
are applied to the connection.
The following example shows a virtual template interface on a Cisco 7206 router, which is used as a
home gateway in a VPDN scenario:
Router# configure terminal
Router(config)# interface virtual-template 1
Router(config-if)# ip unnumbered ethernet 2/1
Router(config-if)# peer default ip address pool cisco-pool
Router(config-if)# ppp authentication chap pap
Router(config-if)# exit
Router(config)# vpdn enable
Router(config)# vpdn incoming isp cisco.com virtual-template 1
Templates for Protocol Translation
Virtual templates are used to simplify the process of configuring protocol translation to tunnel PPP or
Serial Line Internet Protocol (SLIP) across X.25, TCP, and LAT networks. You can create a virtual
interface template using the interface virtual-template command, and you can use it for one-step and
two-step protocol translation. When a user dials in through a vty line and a tunnel connection is
established, the router clones the attributes of the virtual interface template onto a virtual access
interface. This virtual access interface is a temporary interface that supports the protocol configuration
specified in the virtual interface template. This virtual access interface is created dynamically and lasts
only as long as the tunnel session is active.
The virtual template in the following example explicitly specifies PPP encapsulation. The translation is
from X.25 to PPP, which enables tunneling of PPP across an X.25 network.
Router# configure terminal
Router(config)# interface virtual-template 1
Router(config-if)# ip unnumbered ethernet 0
Router(config-if)# peer default ip address 172.18.2.131
Router(config-if)# encapsulation ppp
Router(config-if)# exit
Router(config)# translate x25 5555678 virtual-template 1
For more information, refer to the chapter “Configuring Protocol Translation and Virtual Asynchronous
Devices” in the Cisco IOS Terminal Services Configuration Guide.
Logical Interfaces
A logical interface receives and sends data packets and controls physical interfaces. Cisco IOS software
provides three logical interfaces used for dial access. These interfaces are described in the following
sections:
• Dialer Interfaces
• Virtual Access Interfaces
• Virtual Asynchronous Interfaces
Dialer Interfaces
A dialer interface is a parent interface that stores and projects protocol configuration information that is
common to all data (D) channels that are members of a dialer rotary group. Data packets pass through
dialer interfaces, which in turn initiate dialing for inbound calls. In most cases, D channels get their core
protocol intelligence from dialer interfaces.
Figure 5 shows packets coming into a dialer interface, which contains the configuration parameters
common to four D channels (shown as S0:0, S0:1, S0:2, and S0:3). All the D channels are members of
the same rotary group. Without the dialer interface configuration, each D channel must be manually
configured with identical properties. Dialer interfaces condense and streamline the configuration
process.
Figure 5 Dialer Interface and Its Neighboring Components
A dialer interface is user configurable and linked to individual B channels, where it delivers data packets
to their physical destinations. Dialer interfaces seize physical interfaces to cause packet delivery. If a
dialer interface engages in a multilink session, a dialer interface is in control of a virtual access interface,
which in turn controls S0:3 or chassis 2 S0:3, for example. A dialer interface is created with the interface
dialer global configuration command.
The following example shows a fully configured dialer interface:
Router# configure terminal
Router(config)# interface dialer 0
Router(config-if)# ip unnumbered loopback 0
Router(config-if)# no ip mroute-cache
Router(config-if)# encapsulation ppp
Router(config-if)# peer default ip address pool dialin_pool
Router(config-if)# dialer in-band
Router(config-if)# dialer-group 1
Router(config-if)# no fair-queue
Router(config-if)# no cdp enable
Router(config-if)# ppp authentication chap pap callin
Router(config-if)# ppp multilink
All the D channels are members of rotary group 1.
Figure 5 image. Labels: incoming data packets arriving at the dialer interface (parent); member channels S0:0, S0:1, S0:2 and S0:3; PRI 1, PRI 2, PRI 3 and PRI 4 B channels.
Virtual Access Interfaces
A virtual access interface is a temporary interface that is spawned to terminate incoming PPP streams
that have no physical connections. PPP streams, Layer 2 Forwarding Protocol (L2F), and Layer 2 Tunnel
Protocol (L2TP) frames that come in on multiple B channels are reassembled on virtual access
interfaces. These access interfaces are constructs used to terminate packets.
Virtual access interfaces obtain their set of instructions from virtual interface templates. The attributes
configured in virtual templates are projected or cloned to virtual access interfaces. Virtual access
interfaces are not directly user configurable. These interfaces are created dynamically and last only as
long as the tunnels or multilink sessions are active. After the sessions end, the virtual access interfaces
disappear.
Figure 6 shows how a virtual access interface functions to accommodate a multilink session event. Two
physical interfaces on two different access servers are participating in one multilink call from a remote
PC. However, each Cisco AS5300 access server has only one B channel available to receive a call. All
other channels are busy. Therefore all four packets are equally dispersed across two separate B channels
and two access servers. Each Cisco AS5300 access server receives only half the total packets. A virtual
access interface is dynamically spawned upstream on a Cisco 7206 backhaul router to receive the
multilink protocol, track the multilink frames, and reassemble the packets. The Cisco 7206 router is
configured to be the bundle master, which performs all packet assembly and reassembly for both
Cisco AS5300 access servers.
Figure 6 Virtual Access Interfaces Used for Multichassis Multilink Session Events
Figure 6 image. Labels: PC sending data over a PPP packet stream; Cisco 1600 remote office router; BRI; PSTN/ISDN (ISDN network); two Cisco AS5300 access servers, each with one available B channel receiving packets (packets 1 through 4 split between them); Fast Ethernet and HSSI/ATM links to the Cisco 7206 backhaul router, which spawns all virtual access interfaces and is the dedicated bundle master.
Virtual Asynchronous Interfaces
A virtual asynchronous interface is created on demand to support calls that enter the router through a
nonphysical interface. For example, asynchronous character stream calls terminate or land on
nonphysical interfaces. These types of calls include inbound Telnet, LAT, PPP over character-oriented
protocols (such as V.120 or X.25), and LAPB-TA and PAD calls. A virtual asynchronous interface is also
used to terminate L2F/L2TP tunnels, which are often traveling companions with Multilink protocol
sessions. Virtual asynchronous interfaces are not user configurable; rather, they are dynamically created
and torn down on demand. A virtual asynchronous line is used to access a virtual asynchronous interface.
Figure 7 shows a variety of calls that are terminating on a virtual asynchronous interface. After the calls
end, the interface is torn down.
Figure 7 Asynchronous Character Stream Calls Terminating on a Virtual Asynchronous Interface
Circuit-Switched Digital Calls
Circuit-switched digital calls are usually ISDN 56-kbps or 64-kbps data calls that use PPP. These calls
are initiated by an ISDN router, access server, or terminal adapter that is connected to a client
workstation. Individual synchronous serial digital signal level 0 (DS0) bearer (B) channels are used to
transport circuit-switched digital calls across WANs. These calls do not transmit across “old world”
lines.
Figure 8 shows a Cisco 1600 series remote office router dialing in to a Cisco 3640 router positioned at
a headquarters gateway.
Figure 7 image. Labels: virtual asynchronous interface; Telnet call; X.25 PAD call; PPP stream coming in over a V.120 line; L2F/L2TP tunnel needing to be terminated; LAT call.
Figure 8 Remote Office LAN Dialing In to Headquarters
T1 and E1 Controllers
Cisco controllers negotiate the following parameters between an access server and a central office: line
coding, framing, clocking, DS0/time-slot provisioning, and signaling.
Time slots are provisioned to meet the needs of particular network scenarios. T1 controllers have
24 time slots, and E1 controllers have 30 time slots. To support traffic flow for one ISDN PRI line in a
T1 configuration, use the pri-group command. To support traffic flow for analog calls over a
channelized E1 line with recEive and transMit (E&M—also ear and mouth) signaling, use the cas-group
1 timeslots 1-30 type e&m-fgb command. Most telephone companies do not support provisioning one
trunk for different combinations of time-slot services, though this provisioning is supported on Cisco
controllers. On a T1 controller, for example, time slots 1 to 10 could run PRI, time slots 11 to 20 could
run channel-associated signaling (CAS), and time slots 21 to 24 could support leased-line grouping.
The following example configures one of four T1 controllers on a Cisco AS5300 access server:
Router# configure terminal
Router(config)# controller t1 ?
<0-3> Controller unit number
Router(config)# controller t1 0
Router(config-controller)# framing esf
Router(config-controller)# linecode b8zs
Router(config-controller)# clock source line primary
Router(config-controller)# pri-group timeslots 1-24
Router(config-controller)#
This example supports modem calls and circuit-switched digital calls over ISDN PRI.
Non-ISDN Channelized T1 and Channelized E1 Lines
A channelized T1 or channelized E1 line is an analog line that was originally intended to support analog
voice calls, but has evolved to support analog data calls. ISDN is not sent across channelized T1 or E1
lines. Channelized T1 and channelized E1 lines are often referred to as CT1 and CE1. These channelized
lines are found in “old world,” non-ISDN telephone networks.
Figure 8 image. Labels: PC sending e-mail to headquarters; PC, hub and NT server behind a Cisco 1600 remote office router (BRI); PSTN/ISDN; Cisco 3640 headquarters gateway router (PRI) with Fast Ethernet; PPP.
The difference between traditional channelized lines (analog) and nonchannelized lines (ISDN) is that
channelized lines have no built-in D channel. That is, all 24 channels on a T1 line carry only data. The
signaling is in-band or associated to the data channels. Traditional channelized lines do not support
digitized data calls (for example, BRI with 2B + D). Channelized lines support a variety of in-band signal
types, such as ground start, loop start, wink start, immediate start, E&M, and R2.
Signaling for channelized lines is configured with the cas-group controller configuration command. The
following example configures E&M group B signaling on a T1 controller:
Router# configure terminal
Router(config)# controller t1 0
Router(config-controller)# cas-group 1 timeslots 1-24 type ?
e&m-fgb E & M Type II FGB
e&m-fgd E & M Type II FGD
e&m-immediate-start E & M Immediate Start
fxs-ground-start FXS Ground Start
fxs-loop-start FXS Loop Start
r1-modified R1 Modified
sas-ground-start SAS Ground Start
sas-loop-start SAS Loop Start
Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb
Router(config-controller)# framing esf
Router(config-controller)# clock source line primary
ISDN Service
Cisco routing devices support ISDN BRI and ISDN PRI. Both media types use B channels and
D channels. Figure 9 shows how many B channels and D channels are assigned to each media type.
Figure 9 Logical Relationship of B Channels and D Channels
Figure 9 image. Labels: BRI, 2B + D (two B channels and one D channel); T1-PRI, 23B + D, used in North America and Japan; E1-PRI, 30B + D, used in Europe.
ISDN BRI
ISDN BRI operates over most of the copper twisted-pair telephone wiring in place. ISDN BRI delivers
a total bandwidth of 144 kbps via three separate channels. Two of the B channels operate at 64 kbps
and are used to carry voice, video, or data traffic. The third channel, the D channel, is a 16-kbps signaling
channel used to tell the Public Switched Telephone Network (PSTN) how to handle each of the B
channels. ISDN BRI is often referred to as “2 B + D.”
Enter the interface bri command to bring up and configure a single BRI interface, which is the overseer
of the 2 B + D channels. The D channel is not user configurable.
The following example configures an ISDN BRI interface on a Cisco 1600 series router. The isdn spid
command defines the service profile identifier (SPID) number for both B channels. The SPID number is
assigned by the ISDN service provider. Not all ISDN lines have SPIDs.
Router# configure terminal
Router(config)# interface bri 0
Router(config-if)# isdn spid1 55598760101
Router(config-if)# isdn spid2 55598770101
Router(config-if)# isdn switch-type basic-ni
Router(config-if)# ip unnumbered ethernet 0
Router(config-if)# dialer map ip 172.168.37.40 name hq 5552053
Router(config-if)# dialer load-threshold 70
Router(config-if)# dialer-group 1
Router(config-if)# encapsulation ppp
Router(config-if)# ppp authentication chap pap callin
Router(config-if)# ppp multilink
Router(config-if)# no shutdown
ISDN PRI
ISDN PRI is designed to carry large numbers of incoming ISDN calls at points of presence (POPs) and
other large central site locations. All the reliability and performance of ISDN BRI applies to ISDN PRI,
but ISDN PRI has 23 B channels running at 64 kbps each and a shared 64 kbps D channel that carries
signaling traffic. ISDN PRI is often referred to as “23 B + D” (North America and Japan) or “30 B + D”
(rest of the world).
The D channel notifies the central office switch to send the incoming call to particular timeslots on the
Cisco access server or router. Each one of the B channels carries data or voice. The D channel carries
signaling for the B channels. The D channel identifies if the call is a circuit-switched digital call or an
analog modem call. Analog modem calls are decoded and then sent to the onboard modems.
Circuit-switched digital calls are directly relayed to the ISDN processor in the router. Enter the interface
serial command to bring up and configure the D channel, which is user configurable.
Figure 10 shows the logical contents of an ISDN PRI interface used in a T1 network configuration. The
logical contents include 23 B channels, 1 D channel, 24 time slots, and 24 virtual serial interfaces (total
number of B + D channels).
Figure 10 Logical Relationship of ISDN PRI Components for T1
The following example is for a Cisco AS5300 access server. It configures one T1 controller for ISDN
PRI, then configures the neighboring D channel (interface serial 0:23). Controller T1 0 and interface
serial 0:23 are both assigned to the first PRI port. The second PRI port is assigned to controller T1 1 and
interface serial 1:23, and so on. The second PRI port configuration is not shown in this example. This
Cisco AS5300 access server is used as part of a stack group dial-in solution for an Internet service
provider.
Router# configure terminal
Router(config)# controller t1 0
Router(config-controller)# framing esf
Router(config-controller)# linecode b8zs
Router(config-controller)# clock source line primary
Router(config-controller)# pri-group timeslots 1-24
Router(config-controller)# exit
Router(config)# interface serial 0:23
Router(config-if)# ip unnumbered Loopback 0
Router(config-if)# ip accounting output-packets
Router(config-if)# no ip mroute-cache
Router(config-if)# encapsulation ppp
Router(config-if)# isdn incoming-voice modem
Router(config-if)# dialer-group 1
Router(config-if)# no fair-queue
Router(config-if)# compress stac
Router(config-if)# no cdp enable
Router(config-if)# ppp authentication chap
Router(config-if)# ppp multilink
Router(config-if)# netbios nbf
Figure 10 image. Logical contents of a PRI interface (Channel Type, Time Slot Number, Virtual Serial Interface Number):
B (data channel)         1    S0:0
B (data channel)         2    S0:1
B (data channel)         3    S0:2
B (data channel)         4    S0:3
...
B (data channel)        21    S0:20
B (data channel)        22    S0:21
B (data channel)        23    S0:22
D (signaling channel)   24    S0:23
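The time-slot provisioning rules described above (24 slots on a T1, 30 on an E1, one trunk carrying pri-group and cas-group services that must not overlap) and the Figure 10 mapping of time slots to B/D channels and serial interfaces, as an added Python example that is not part of this guide. The parser understands only the pri-group and cas-group timeslots command forms shown on this page, and treating the highest slot of a partial PRI group as the D channel is this example's own assumption.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Time slots per controller type, as the chapter states (T1: 24, E1: 30).
TIMESLOTS = {"t1": 24, "e1": 30}

# Only the two controller commands that appear on this page are understood:
#   pri-group timeslots <spec>
#   cas-group <n> timeslots <spec> type <signaling>
_GROUP_RE = re.compile(
    r"^(?P<kind>pri-group|cas-group\s+\d+)\s+timeslots\s+(?P<slots>[\d,-]+)"
    r"(?:\s+type\s+(?P<sig>\S+))?$"
)


def parse_timeslots(spec: str) -> List[int]:
    """Expand an IOS time-slot spec such as '1-24' or '1-10,21-24' into ints."""
    slots: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad time-slot range {part!r}")
            slots.extend(range(lo, hi + 1))
        elif part:
            slots.append(int(part))
    return slots


def check_provisioning(controller: str, commands: Iterable[str]) -> Dict[int, str]:
    """Map every provisioned time slot on a controller to the group that owns it.

    Raises ValueError for a command this example does not understand, for a slot
    beyond the controller's capacity, and for two groups claiming the same slot
    (the overlap that a mis-provisioned trunk produces).
    """
    limit = TIMESLOTS[controller.lower()]
    owner: Dict[int, str] = {}
    for line in commands:
        m = _GROUP_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported controller command: {line!r}")
        service = m.group("kind")
        if m.group("sig"):
            service += "/" + m.group("sig")
        for slot in parse_timeslots(m.group("slots")):
            if not 1 <= slot <= limit:
                raise ValueError(f"time slot {slot} is outside 1-{limit} on a {controller}")
            if slot in owner:
                raise ValueError(f"time slot {slot} claimed by both {owner[slot]} and {service}")
            owner[slot] = service
    return owner


def pri_channel_map(unit: int, timeslots: Iterable[int]) -> List[Tuple[int, str, str]]:
    """Return (time slot, channel type, serial interface) rows for a T1 pri-group.

    Per Figure 10, time slot n is interface serial <unit>:<n-1>, and slot 24 of a
    full 1-24 group is the D (signaling) channel. For a partial group this example
    assumes the highest slot in the group plays the D role.
    """
    slots = sorted(set(timeslots))
    if not slots:
        raise ValueError("empty PRI group")
    d_slot = slots[-1]
    return [(n, "D" if n == d_slot else "B", f"serial {unit}:{n - 1}") for n in slots]


if __name__ == "__main__":
    # The AS5300 example on this page: controller t1 0 with pri-group timeslots 1-24.
    owned = check_provisioning("t1", ["pri-group timeslots 1-24"])
    for slot, chan, iface in pri_channel_map(0, owned):
        print(f"time slot {slot:2d}  {chan} channel  interface {iface}")
    # The mixed trunk the text describes: PRI on slots 1-10 and CAS on 11-20 of one
    # T1 (the leased-line grouping for 21-24 uses a command not shown on the page).
    mixed = check_provisioning("t1", ["pri-group timeslots 1-10",
                                      "cas-group 1 timeslots 11-20 type e&m-fgb"])
    print(sorted(set(mixed.values())))
```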
Line Types
This section describes the different line types used for dial access. It also describes the relationship
between lines and interfaces.
Note Cisco devices have four types of lines: console, auxiliary, asynchronous, and virtual terminal.
Different routers have different numbers of these line types. Refer to the hardware and software
configuration guides that shipped with your device for exact configurations.
Table 3 shows the types of lines that can be configured.
Use the show line command to see the status of each of the lines available on a router. (See Figure 11.)
Table 3 Available Line Types

Line Type: CON or CTY
Interface: Console
Description: Typically used to log in to the router for configuration purposes.
Numbering Rules: Line 0.

Line Type: AUX
Interface: Auxiliary
Description: EIA/TIA-232 data terminal equipment (DTE) port used as a backup (tty) asynchronous port. Cannot be used as a second console port.
Numbering Rules: Last tty line number plus 1.

Line Type: tty
Interface: Asynchronous
Description: Same as asynchronous interface. Used typically for remote-node dial-in sessions that use such protocols as SLIP, PPP, AppleTalk Remote Access (ARA), and XRemote.
Numbering Rules: The numbering varies widely between platforms. This number is equivalent to the maximum number of modems or asynchronous interfaces supported by your access server or router. (1)

Line Type: vty
Interface: Virtual asynchronous
Description: Used for incoming Telnet, LAT, X.25 PAD, and protocol translation connections into synchronous ports (such as Ethernet and serial interfaces) on the router.
Numbering Rules: Last tty line number plus 2 through the maximum number of vty lines specified. (2)

1. Enter the interface line tty ? command to view the maximum number of tty lines supported.
2. Increase the number of vty lines on a router using the line vty global configuration command. Delete vty lines with the no line vty line-number command. The line vty command accepts any line number larger than 5 up to the maximum number of lines supported by your router with its current configuration. Enter the interface line vty ? command to view the maximum number of vty lines supported.
Figure 11 Sample Show Line Output Showing CTY, tty, AUX, and vty Line Statistics
Relationship Between Lines and Interfaces
The following sections describe the relationship between lines and interfaces:
• Asynchronous Interfaces and Physical Terminal Lines
• Synchronous Interfaces and Virtual Terminal Lines
Asynchronous Interfaces and Physical Terminal Lines
Asynchronous interfaces correspond to physical terminal lines. Commands entered in asynchronous
interface mode let you configure protocol-specific parameters for asynchronous interfaces; commands
entered in line configuration mode let you configure the physical aspects of the line port.
sankara> show line
Tty Typ Tx/Rx A Modem Roty ACCO ACCI Uses Noise Overruns
* 0 CTY - - - - - 0 0 0/0
* 1 TTY 115200/115200 - inout - 4 - 31 26 0/0
* 2 TTY 115200/115200 - inout - 21630 - 37 23 0/0
A 3 TTY 115200/115200 - inout - 25 - 10 24 1/0
* 4 TTY 115200/115200 - inout - 4 - 20 63 1/0
* 5 TTY 115200/115200 - inout - 32445 - 18 325 22/0
A 6 TTY 115200/115200 - inout - 25 - 7 0 0/0
I 7 TTY 115200/115200 - inout - 6 - 6 36 1/0
I 8 TTY 115200/115200 - inout - - - 3 25 3/0
* 9 TTY 115200/115200 - inout - 4 - 2 0 0/0
A 10 TTY 115200/115200 - inout - 56 - 2 470 216/0
I 11 TTY 115200/115200 - inout - 4 - 31 26 0/0
I 12 TTY 115200/115200 - inout - 4 - 31 26 0/0
I 13 TTY 115200/115200 - inout - 4 - 31 26 0/0
I 14 TTY 115200/115200 - inout - 4 - 31 26 0/0
I 15 TTY 115200/115200 - inout - 4 - 31 26 0/0
I 16 TTY 115200/115200 - inout - 4 - 31 26 0/0
17 AUX 9600/9600 - - - - - 2 1 2/104800
* 18 VTY 9600/9600 - - - - - 103 0 0/0
19 VTY 9600/9600 - - - - - 6 0 0/0
20 VTY 9600/9600 - - - - - 1 0 0/0
21 VTY 9600/9600 - - - - - 0 0 0/0
22 VTY 9600/9600 - - - - - 0 0 0/0
23 VTY 9600/9600 - - - - - 0 0 0/0
24 VTY 9600/9600 - - - - - 0 0 0/0
25 VTY 9600/9600 - - - - - 0 0 0/0
26 VTY 9600/9600 - - - - - 0 0 0/0
27 VTY 9600/9600 - - - - - 0 0 0/0
28 VTY 9600/9600 - - - - - 0 0 0/0
29 VTY 9600/9600 - - - - - 0 0 0/0
30 VTY 9600/9600 - - - - - 0 0 0/0
31 VTY 9600/9600 - - - - - 0 0 0/0
32 VTY 9600/9600 - - - - - 0 0 0/0
33 VTY 9600/9600 - - - - - 0 0 0/0
Figure 11 callouts: absolute line number (Tty), line speed (Tx/Rx), autoselect state (A), modem setting, rotary group number (Roty), access class in/out (ACCO/ACCI), number of TCP connections made (Uses); the row for line 20 is VTY2, the 3rd VTY.
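The Figure 11 show line output parsed into per-line records, as an added Python example that is not part of this guide. The sample below is an excerpt of the page's output embedded as a constructed string; the check for vty lines whose ACCI column is "-" (no inbound access class limiting who may connect to the line) is this example's own hardening check, not something the guide states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the Figure 11 'show line' output on this page.
SAMPLE = """\
sankara> show line
Tty Typ Tx/Rx A Modem Roty ACCO ACCI Uses Noise Overruns
* 0 CTY - - - - - 0 0 0/0
* 1 TTY 115200/115200 - inout - 4 - 31 26 0/0
A 3 TTY 115200/115200 - inout - 25 - 10 24 1/0
* 5 TTY 115200/115200 - inout - 32445 - 18 325 22/0
17 AUX 9600/9600 - - - - - 2 1 2/104800
* 18 VTY 9600/9600 - - - - - 103 0 0/0
19 VTY 9600/9600 - - - - - 6 0 0/0
20 VTY 9600/9600 - - - - - 0 0 0/0
"""


@dataclass
class TtyLine:
    number: int            # absolute line number (Tty column)
    kind: str              # CTY, TTY, AUX or VTY (Typ column)
    status: str            # leading flag as printed ('*', 'A', 'I') or '' when absent
    speed: Optional[str]   # Tx/Rx; the console prints no speed, so None for CTY
    autoselect: str        # A column
    modem: str             # Modem column, e.g. 'inout'
    rotary: str            # Roty: rotary group number or '-'
    acc_out: str           # ACCO: outbound access class or '-'
    acc_in: str            # ACCI: inbound access class or '-'
    uses: int              # number of connections made on the line
    noise: int             # noise counter
    overruns: str          # overrun counters as printed, e.g. '0/0'


def parse_show_line(text: str) -> List[TtyLine]:
    """Parse 'show line' rows into TtyLine records, skipping the prompt and header."""
    rows: List[TtyLine] = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        status = ""
        if not tok[0].isdigit():
            # Some rows carry a one-character status flag before the line number.
            if len(tok[0]) != 1 or len(tok) < 2 or not tok[1].isdigit():
                continue  # prompt or column header, not a line row
            status, tok = tok[0], tok[1:]
        number, kind, rest = int(tok[0]), tok[1], tok[2:]
        # The console (CTY) row has an empty Tx/Rx cell, so it has one token fewer.
        speed = rest.pop(0) if len(rest) == 9 else None
        if len(rest) != 8:
            raise ValueError(f"unexpected column count in row: {raw!r}")
        a, modem, roty, acco, acci, uses, noise, overruns = rest
        rows.append(TtyLine(number, kind, status, speed, a, modem, roty,
                            acco, acci, int(uses), int(noise), overruns))
    return rows


def vty_without_inbound_access_class(rows: List[TtyLine]) -> List[int]:
    """Line numbers of vty lines whose ACCI column is '-' (no inbound restriction)."""
    return [r.number for r in rows if r.kind == "VTY" and r.acc_in == "-"]


def lines_by_type(rows: List[TtyLine]) -> Dict[str, int]:
    """Count parsed lines per Typ value (CTY, TTY, AUX, VTY)."""
    counts: Dict[str, int] = {}
    for r in rows:
        counts[r.kind] = counts.get(r.kind, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_show_line(SAMPLE)
    print(lines_by_type(parsed))
    print("vty lines with no inbound access class:",
          vty_without_inbound_access_class(parsed))
```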
For example, to enable IP resources to dial in to a network through a Cisco 2500 series access server,
configure the lines and asynchronous interfaces as follows.
• Configure the physical aspect of a line that leads to a port. You might enter the following commands
to configure lines 1 through 16 (asynchronous physical terminal lines on a Cisco 2511 access
server):
line 1 16
login local
modem inout
speed 115200
flowcontrol hardware
! Configures the line to autosense PPP; physical line attribute.
autoselect ppp
• On asynchronous interface 1, you configure your protocol-specific commands. You might enter the
following commands:
interface async 1
encapsulation ppp
async mode interactive
async dynamic address
async dynamic routing
async default ip address 192.168.16.132
ppp authentication chap
The remote node services SLIP, PPP, and XRemote are configured in asynchronous interface mode. ARA
is configured in line configuration mode on virtual terminal lines or physical terminal lines.
Synchronous Interfaces and Virtual Terminal Lines
Virtual terminal lines provide access to the router through a synchronous interface. Virtual terminal lines
do not correspond to synchronous interfaces in the same way that physical terminal lines correspond to
asynchronous interfaces because vty lines are created dynamically on the router, whereas physical
terminal lines are static physical ports. When a user connects to the router on a vty line, that user is
connecting into a virtual port on an interface. You can have multiple virtual ports for each synchronous
interface.
For example, several Telnet connections can be made to an interface (such as an Ethernet or serial
interface).
The number of virtual terminal lines available on a router is defined using the line vty number-of-lines
global configuration command.
Encapsulation Types
Synchronous serial interfaces default to High-Level Data Link Control (HDLC) encapsulation, and
asynchronous serial interfaces default to SLIP encapsulation. Cisco IOS software provides a long list of
encapsulation methods that can be set on the interface to change the default encapsulation method. See
the Cisco IOS Interface Command Reference for a complete list and description of these encapsulation
methods.
The following list summarizes the encapsulation commands available for serial interfaces used in dial
configurations:
• encapsulation frame-relay—Frame Relay
• encapsulation hdlc—HDLC protocol
• encapsulation lapb—X.25 LAPB DTE operation
• encapsulation ppp—PPP
• encapsulation slip—SLIP
To use SLIP or PPP encapsulation, the router or access server must be configured with an IP routing
protocol or with the ip host-routing command.
Configuring Asynchronous Lines and Interfaces
This chapter describes how to configure asynchronous line features in the following main sections:
• How to Configure Asynchronous Interfaces and Lines
• How to Configure Other Asynchronous Line and Interface Features
• Configuration Examples for Asynchronous Interfaces and Lines
Perform these tasks, as required, for your particular network.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
How to Configure Asynchronous Interfaces and Lines
To configure an asynchronous interface, perform the tasks described in the following sections as
required:
• Configuring a Typical Asynchronous Interface (As required)
• Creating a Group Asynchronous Interface (As required)
• Configuring Asynchronous Rotary Line Queueing (As required)
• Configuring Autoselect (As required)
Configuring a Typical Asynchronous Interface
To configure an asynchronous interface, use the following commands beginning in global configuration
mode:
Command  Purpose
Step 1  Router(config)# interface async number  Brings up a single asynchronous interface and enters interface configuration mode.
Step 2  Router(config-if)# description description  Provides a description for the interface.
Step 3  Router(config-if)# ip address address mask  Specifies an IP address.
Step 4  Router(config-if)# encapsulation ppp  Enables PPP to run on the asynchronous interfaces in the group.
Step 5  Router(config-if)# async default routing  Enables the router to pass routing updates to other routers over the AUX port configured as an asynchronous interface.
Step 6  Router(config-if)# async mode dedicated  Places a line into dedicated asynchronous mode using Serial Line Internet Protocol (SLIP) or PPP encapsulation.
Step 7  Router(config-if)# dialer in-band  Specifies that dial-on-demand routing (DDR) is to be supported.
Step 8  Router(config-if)# dialer map protocol next-hop-address  Configures a serial interface to call one or multiple sites or to receive calls from multiple sites.
Step 9  Router(config-if)# dialer-group  Controls access by configuring an interface to belong to a specific dialing group.
Step 10  Router(config-if)# ppp authentication chap pap list-name  Enables Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) authentication on the interface. Replace the list-name variable with a specified authentication list name.1
Step 11  Router(config-if)# exit  Returns to global configuration mode.
1. To create a string used to name the following list of authentication methods tried when a user logs in, refer to the aaa authentication ppp command. Authentication methods include RADIUS, TACACS+, and Kerberos.
The “Interface and Line Configuration Examples” and “Asynchronous Interface As the Only Network
Interface Example” sections later in this chapter contain examples of how to configure an asynchronous
interface.
Monitoring and Maintaining Asynchronous Connections
This section describes the following monitoring and maintenance tasks that you can perform on
asynchronous interfaces:
• Monitoring and maintaining asynchronous activity
• Debugging asynchronous interfaces
• Debugging PPP
To monitor and maintain asynchronous activity, use the following commands in privileged EXEC mode
as needed:
Command  Purpose
Router# clear line line-number  Returns a line to its idle state.
Router# show async bootp  Displays parameters that have been set for extended BOOTP requests.
Router# show async status  Displays statistics for asynchronous interface activity.
Router# show line [line-number]  Displays the status of asynchronous line connections.
To debug asynchronous interfaces, use the following debug command in privileged EXEC mode:
Command  Purpose
Router# debug async {framing | state | packets}  Displays errors and changes in interface state, and logs input and output.
To debug PPP links, use the following debug commands in privileged EXEC mode as needed:
Command  Purpose
Router# debug ppp negotiation  Enables debugging of the PPP protocol negotiation process.
Router# debug ppp error  Displays PPP protocol errors.
Router# debug ppp packet  Displays PPP packets sent and received.
Router# debug ppp chap  Displays errors encountered during remote or local system authentication.
Creating a Group Asynchronous Interface
Create a group asynchronous interface to project a set of core protocol characteristics to a range of
asynchronous interfaces. Configuring the asynchronous interfaces as a group saves you time. Analog
modem calls cannot enter the access server without this configuration.
To configure a group asynchronous interface, use the following commands beginning in global
configuration mode:
Command  Purpose
Step 1  Router(config)# interface async number  Brings up a single asynchronous interface and enters interface configuration mode.
Step 2  Router(config-if)# ip unnumbered loopback number  Configures the asynchronous interfaces as unnumbered and assigns the IP address of the loopback interface to them to conserve IP addresses.1
Step 3  Router(config-if)# encapsulation ppp  Enables PPP to run on the asynchronous interfaces in the group.
Step 4  Router(config-if)# async mode interactive  Configures interactive mode on the asynchronous interface.
Step 5  Router(config-if)# ppp authentication chap pap list-name  Enables CHAP and PAP authentication on the interface. Replace the list-name variable with a specified authentication list name.2
Step 6  Router(config-if)# peer default ip address pool poolname  Assigns dial-in clients IP addresses from an address pool.3
Step 7  Router(config-if)# no cdp enable  Disables the Cisco Discovery Protocol (CDP) on the interface.
Step 8  Router(config-if)# group-range low-end-of-range high-end-of-range  Specifies the range of asynchronous interfaces to include in the group, which is usually equal to the number of modems you have in the access server.
Step 9  Router(config-if)# exit  Returns to global configuration mode.
1. You can also specify the Ethernet interface to conserve address space. In this case, enter the ip unnumbered ethernet 0 command.
2. To create a string used to name the following list of authentication methods tried when a user logs in, refer to the aaa authentication ppp command. Authentication methods include RADIUS, TACACS+, and Kerberos.
3. To create an IP address pool, refer to the ip local pool global configuration command.
The “Group and Member Asynchronous Interface Examples” section later in this chapter contains an
example of how to configure a group interface.
Verifying the Group Interface Configuration
To verify the group interface configuration and check if one of the asynchronous interfaces is up, use the
show interface async command:
Router# show interface async 1
Async1 is up, line protocol is up
modem(slot/port)=1/0, csm_state(0x00000204)=CSM_IC4_CONNECTED, bchan_num=18
modem_status(0x0002): VDEV_STATUS_ACTIVE_CALL.
Hardware is Async Serial
Interface is unnumbered. Using address of FastEthernet0 (10.1.1.10)
MTU 1500 bytes, BW 115 Kbit, DLY 100000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive not set
DTR is pulsed for 5 seconds on reset
LCP Open
Open: IPCP
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/5, 0 drops; input queue 1/5, 0 drops
5 minute input rate 37000 bits/sec, 87 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
31063 packets input, 1459806 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
33 packets output, 1998 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
If you are having trouble, enter one of the following debug commands and then send a call into the
access server. Interpret the output and make configuration changes accordingly.
• undebug all
• debug ppp negotiation
• debug ppp authentication
• debug modem
• debug ip peer
Router# undebug all
All possible debugging has been turned off
Router# debug ppp negotiation
PPP protocol negotiation debugging is on
Router# debug ppp authentication
PPP authentication debugging is on
Router# debug modem
Modem control/process activation debugging is on
Router# debug ip peer
IP peer address activity debugging is on
Router# show debug
General OS:
Modem control/process activation debugging is on
Generic IP:
IP peer address activity debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
Router#
*Mar 1 21:34:56.958: tty4: DSR came up
*Mar 1 21:34:56.962: tty4: Modem: IDLE->READY
*Mar 1 21:34:56.970: tty4: EXEC creation
*Mar 1 21:34:56.978: tty4: set timer type 10, 30 seconds
*Mar 1 21:34:59.722: tty4: Autoselect(2) sample 7E
*Mar 1 21:34:59.726: tty4: Autoselect(2) sample 7EFF
*Mar 1 21:34:59.730: tty4: Autoselect(2) sample 7EFF7D
*Mar 1 21:34:59.730: tty4: Autoselect(2) sample 7EFF7D23
*Mar 1 21:34:59.734: tty4 Autoselect cmd: ppp negotiate
*Mar 1 21:34:59.746: tty4: EXEC creation
*Mar 1 21:34:59.746: tty4: create timer type 1, 600 seconds
*Mar 1 21:34:59.786: ip_get_pool: As4: using pool default
*Mar 1 21:34:59.790: ip_get_pool: As4: returning address = 172.20.1.101
*Mar 1 21:34:59.794: tty4: destroy timer type 1 (OK)
*Mar 1 21:34:59.794: tty4: destroy timer type 0
*Mar 1 21:35:01.798: %LINK-3-UPDOWN: Interface Async4, changed state to up
*Mar 1 21:35:01.834: As4 PPP: Treating connection as a dedicated line
*Mar 1 21:35:01.838: As4 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 21:35:01.842: As4 LCP: O CONFREQ [Closed] id 1 len 25
*Mar 1 21:35:01.846: As4 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Mar 1 21:35:01.850: As4 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 21:35:01.854: As4 LCP: MagicNumber 0x64E923A8 (0x050664E923A8)
*Mar 1 21:35:01.854: As4 LCP: PFC (0x0702)
*Mar 1 21:35:01.858: As4 LCP: ACFC (0x0802)
*Mar 1 21:35:02.718: As4 LCP: I CONFREQ [REQsent] id 3 len 23
*Mar 1 21:35:02.722: As4 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Mar 1 21:35:02.726: As4 LCP: MagicNumber 0x00472467 (0x050600472467)
*Mar 1 21:35:02.726: As4 LCP: PFC (0x0702)
*Mar 1 21:35:02.730: As4 LCP: ACFC (0x0802)
*Mar 1 21:35:02.730: As4 LCP: Callback 6 (0x0D0306)
*Mar 1 21:35:02.738: As4 LCP: O CONFREJ [REQsent] id 3 len 7
*Mar 1 21:35:02.738: As4 LCP: Callback 6 (0x0D0306)
*Mar 1 21:35:02.850: As4 LCP: I CONFREQ [REQsent] id 4 len 20
*Mar 1 21:35:02.854: As4 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Mar 1 21:35:02.854: As4 LCP: MagicNumber 0x00472467 (0x050600472467)
*Mar 1 21:35:02.858: As4 LCP: PFC (0x0702)
*Mar 1 21:35:02.858: As4 LCP: ACFC (0x0802)
*Mar 1 21:35:02.862: As4 LCP: O CONFACK [REQsent] id 4 len 20
*Mar 1 21:35:02.866: As4 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Mar 1 21:35:02.870: As4 LCP: MagicNumber 0x00472467 (0x050600472467)
*Mar 1 21:35:02.870: As4 LCP: PFC (0x0702)
*Mar 1 21:35:02.874: As4 LCP: ACFC (0x0802)
*Mar 1 21:35:03.842: As4 LCP: TIMEout: State ACKsent
*Mar 1 21:35:03.842: As4 LCP: O CONFREQ [ACKsent] id 2 len 25
*Mar 1 21:35:03.846: As4 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Mar 1 21:35:03.850: As4 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 21:35:03.854: As4 LCP: MagicNumber 0x64E923A8 (0x050664E923A8)
*Mar 1 21:35:03.854: As4 LCP: PFC (0x0702)
*Mar 1 21:35:03.858: As4 LCP: ACFC (0x0802)
*Mar 1 21:35:03.962: As4 LCP: I CONFACK [ACKsent] id 2 len 25
*Mar 1 21:35:03.966: As4 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Mar 1 21:35:03.966: As4 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 21:35:03.970: As4 LCP: MagicNumber 0x64E923A8 (0x050664E923A8)
*Mar 1 21:35:03.974: As4 LCP: PFC (0x0702)
*Mar 1 21:35:03.974: As4 LCP: ACFC (0x0802)
*Mar 1 21:35:03.978: As4 LCP: State is Open
*Mar 1 21:35:03.978: As4 PPP: Phase is AUTHENTICATING, by this end
*Mar 1 21:35:03.982: As4 CHAP: O CHALLENGE id 1 len 26 from "nas-1"
*Mar 1 21:35:04.162: As4 CHAP: I RESPONSE id 1 len 26 from "krist"
*Mar 1 21:35:04.170: As4 AUTH: Started process 0 pid 47
*Mar 1 21:35:04.182: As4 CHAP: O SUCCESS id 1 len 4
*Mar 1 21:35:04.186: As4 PPP: Phase is UP
*Mar 1 21:35:04.190: As4 IPCP: O CONFREQ [Not negotiated] id 1 len 10
*Mar 1 21:35:04.194: As4 IPCP: Address 172.20.1.2 (0x0306AC140102)
*Mar 1 21:35:04.202: As4 CDPCP: O CONFREQ [Closed] id 1 len 4
*Mar 1 21:35:04.282: As4 IPCP: I CONFREQ [REQsent] id 1 len 40
*Mar 1 21:35:04.282: As4 IPCP: CompressType VJ 15 slots CompressSlotID (0x02
06002D0F01)
*Mar 1 21:35:04.286: As4 IPCP: Address 0.0.0.0 (0x030600000000)
*Mar 1 21:35:04.290: As4 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Mar 1 21:35:04.294: As4 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
*Mar 1 21:35:04.298: As4 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Mar 1 21:35:04.302: As4 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
*Mar 1 21:35:04.306: As4 IPCP: O CONFREJ [REQsent] id 1 len 10
*Mar 1 21:35:04.310: As4 IPCP: CompressType VJ 15 slots CompressSlotID (0x02
06002D0F01)
*Mar 1 21:35:04.314: As4 CCP: I CONFREQ [Not negotiated] id 1 len 15
*Mar 1 21:35:04.318: As4 CCP: MS-PPC supported bits 0x00000001 (0x1206000000
01)
*Mar 1 21:35:04.318: As4 CCP: Stacker history 1 check mode EXTENDED (0x11050
00104)
*Mar 1 21:35:04.322: As4 LCP: O PROTREJ [Open] id 3 len 21 protocol CCP
*Mar 1 21:35:04.326: As4 LCP: (0x80FD0101000F12060000000111050001)
*Mar 1 21:35:04.330: As4 LCP: (0x04)
*Mar 1 21:35:04.334: As4 IPCP: I CONFACK [REQsent] id 1 len 10
*Mar 1 21:35:04.338: As4 IPCP: Address 172.20.1.2 (0x0306AC140102)
*Mar 1 21:35:04.342: As4 LCP: I PROTREJ [Open] id 5 len 10 protocol CDPCP (0x82
0701010004)
*Mar 1 21:35:04.342: As4 CDPCP: State is Closed
*Mar 1 21:35:05.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async4, ch
anged state to up
*Mar 1 21:35:05.190: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
*Mar 1 21:35:05.190: As4 PPP: Trying to negotiate NCP for Link cdp
*Mar 1 21:35:05.194: As4 CDPCP: State is Closed
*Mar 1 21:35:05.198: As4 CDPCP: TIMEout: State Closed
*Mar 1 21:35:05.202: As4 CDPCP: State is Listen
*Mar 1 21:35:06.202: As4 IPCP: TIMEout: State ACKrcvd
*Mar 1 21:35:06.206: As4 IPCP: O CONFREQ [ACKrcvd] id 2 len 10
*Mar 1 21:35:06.206: As4 IPCP: Address 172.20.1.2 (0x0306AC140102)
*Mar 1 21:35:06.314: As4 IPCP: I CONFACK [REQsent] id 2 len 10
*Mar 1 21:35:06.318: As4 IPCP: Address 172.20.1.2 (0x0306AC140102)
*Mar 1 21:35:07.274: As4 IPCP: I CONFREQ [ACKrcvd] id 2 len 34
*Mar 1 21:35:07.278: As4 IPCP: Address 0.0.0.0 (0x030600000000)
*Mar 1 21:35:07.282: As4 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Mar 1 21:35:07.286: As4 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
*Mar 1 21:35:07.286: As4 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Mar 1 21:35:07.290: As4 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
*Mar 1 21:35:07.294: As4 IPCP: O CONFNAK [ACKrcvd] id 2 len 34
*Mar 1 21:35:07.298: As4 IPCP: Address 172.20.1.101 (0x0306AC140165)
*Mar 1 21:35:07.302: As4 IPCP: PrimaryDNS 172.20.5.100 (0x8106AC140564)
*Mar 1 21:35:07.306: As4 IPCP: PrimaryWINS 172.20.5.101 (0x8206AC140565)
*Mar 1 21:35:07.310: As4 IPCP: SecondaryDNS 172.20.6.100 (0x8306AC140664)
*Mar 1 21:35:07.314: As4 IPCP: SecondaryWINS 172.20.6.101 (0x8406AC140665)
*Mar 1 21:35:07.426: As4 IPCP: I CONFREQ [ACKrcvd] id 3 len 34
*Mar 1 21:35:07.430: As4 IPCP: Address 172.20.1.101 (0x0306AC140165)
*Mar 1 21:35:07.434: As4 IPCP: PrimaryDNS 172.20.5.100 (0x8106AC140564)
*Mar 1 21:35:07.438: As4 IPCP: PrimaryWINS 172.20.5.101 (0x8206AC140565)
*Mar 1 21:35:07.442: As4 IPCP: SecondaryDNS 172.20.6.100 (0x8306AC140664)
*Mar 1 21:35:07.446: As4 IPCP: SecondaryWINS 172.20.6.101 (0x8406AC140665)
*Mar 1 21:35:07.446: ip_get_pool: As4: validate address = 172.20.1.101
*Mar 1 21:35:07.450: ip_get_pool: As4: using pool default
*Mar 1 21:35:07.450: ip_get_pool: As4: returning address = 172.20.1.101
*Mar 1 21:35:07.454: set_ip_peer_addr: As4: address = 172.20.1.101 (3) is redun
dant
*Mar 1 21:35:07.458: As4 IPCP: O CONFACK [ACKrcvd] id 3 len 34
*Mar 1 21:35:07.462: As4 IPCP: Address 172.20.1.101 (0x0306AC140165)
*Mar 1 21:35:07.466: As4 IPCP: PrimaryDNS 172.20.5.100 (0x8106AC140564)
*Mar 1 21:35:07.470: As4 IPCP: PrimaryWINS 172.20.5.101 (0x8206AC140565)
*Mar 1 21:35:07.474: As4 IPCP: SecondaryDNS 172.20.6.100 (0x8306AC140664)
*Mar 1 21:35:07.474: As4 IPCP: SecondaryWINS 172.20.6.101 (0x8406AC140665)
*Mar 1 21:35:07.478: As4 IPCP: State is Open
*Mar 1 21:35:07.490: As4 IPCP: Install route to 172.20.1.101
*Mar 1 21:35:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
*Mar 1 21:36:12.614: tty0: timer type 1 expired
*Mar 1 21:36:12.614: tty0: Exec timer (continued)
*Mar 1 21:36:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
*Mar 1 21:37:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
*Mar 1 21:38:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
*Mar 1 21:39:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
*Mar 1 21:40:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
*Mar 1 21:41:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
*Mar 1 21:42:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
*Mar 1 21:43:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp
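As an added example, not part of this Cisco guide: a small Python audit that reads debug ppp negotiation and debug ppp authentication output in the format of the trace above and, for each asynchronous interface, records the authentication protocol the peer acknowledged, the CHAP result, the identity claimed and the address IPCP installed, flagging any link that reached the UP phase without an authentication phase. The As4 lines in the sample are trimmed from the trace on this page; the As5 lines are constructed to show an interface on which PPP authentication was never demanded.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Per-interface lines in "debug ppp negotiation" / "debug ppp authentication"
# output look like:  *Mar 1 21:35:03.978: As4 PPP: Phase is AUTHENTICATING, by this end
LINE_RE = re.compile(
    r"^\*?[A-Za-z]{3}\s+\d+\s+[\d:.]+:\s+(?P<intf>As\d+)\s+(?P<proto>[A-Z]+):\s+(?P<msg>.*)$"
)
PACKET_RE = re.compile(r"^(?P<dir>[IO])\s+(?P<kind>CONF(?:REQ|ACK|NAK|REJ))\b")
PHASE_RE = re.compile(r"^Phase is (?P<phase>[A-Z]+)")
AUTHPROTO_RE = re.compile(r"^AuthProto\s+(?P<name>\w+)")
CHAP_NAME_RE = re.compile(r'^I RESPONSE .* from "(?P<name>[^"]*)"')
ROUTE_RE = re.compile(r"^Install route to (?P<addr>[\d.]+)")


@dataclass
class PppSession:
    """What the debug trace reveals about one asynchronous PPP link."""
    interface: str
    phases: List[str] = field(default_factory=list)
    auth_acked: Optional[str] = None     # protocol the peer accepted in its LCP CONFACK
    auth_result: Optional[str] = None    # "SUCCESS" or "FAILURE" from our CHAP reply
    peer_name: Optional[str] = None      # identity claimed in the CHAP RESPONSE
    peer_address: Optional[str] = None   # address IPCP installed a route for
    last_lcp_packet: Optional[Tuple[str, str]] = None

    def findings(self) -> List[str]:
        """Security-relevant observations about this link."""
        out = []
        if "UP" in self.phases and "AUTHENTICATING" not in self.phases:
            out.append("link reached UP without an authentication phase "
                       "(is ppp authentication configured on the interface?)")
        if "AUTHENTICATING" in self.phases and self.auth_result != "SUCCESS":
            out.append("authentication phase seen but no CHAP SUCCESS")
        return out


def audit_ppp_debug(lines) -> Dict[str, PppSession]:
    """Fold debug output into one PppSession per asynchronous interface."""
    sessions: Dict[str, PppSession] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tty/modem lines, syslog messages and ip_get_pool lines
        s = sessions.setdefault(m["intf"], PppSession(m["intf"]))
        proto, msg = m["proto"], m["msg"]
        if proto == "PPP":
            p = PHASE_RE.match(msg)
            if p:
                s.phases.append(p["phase"])
        elif proto == "LCP":
            pk = PACKET_RE.match(msg)
            if pk:
                s.last_lcp_packet = (pk["dir"], pk["kind"])
            else:
                a = AUTHPROTO_RE.match(msg)
                # AuthProto echoed inside the peer's CONFACK means the peer
                # accepted our demand to authenticate with that protocol.
                if a and s.last_lcp_packet == ("I", "CONFACK"):
                    s.auth_acked = a["name"]
        elif proto == "CHAP":
            n = CHAP_NAME_RE.match(msg)
            if n:
                s.peer_name = n["name"]
            elif msg.startswith("O SUCCESS"):
                s.auth_result = "SUCCESS"
            elif msg.startswith("O FAILURE"):
                s.auth_result = "FAILURE"
        elif proto == "IPCP":
            r = ROUTE_RE.match(msg)
            if r:
                s.peer_address = r["addr"]
    return sessions


# Constructed sample: As4 is trimmed from the trace in this chapter, As5 is an
# invented interface that brings PPP up without ever negotiating authentication.
SAMPLE_DEBUG = """\
*Mar 1 21:35:01.838: As4 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 21:35:01.842: As4 LCP: O CONFREQ [Closed] id 1 len 25
*Mar 1 21:35:01.850: As4 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 21:35:03.962: As4 LCP: I CONFACK [ACKsent] id 2 len 25
*Mar 1 21:35:03.966: As4 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 21:35:03.978: As4 LCP: State is Open
*Mar 1 21:35:03.978: As4 PPP: Phase is AUTHENTICATING, by this end
*Mar 1 21:35:03.982: As4 CHAP: O CHALLENGE id 1 len 26 from "nas-1"
*Mar 1 21:35:04.162: As4 CHAP: I RESPONSE id 1 len 26 from "krist"
*Mar 1 21:35:04.182: As4 CHAP: O SUCCESS id 1 len 4
*Mar 1 21:35:04.186: As4 PPP: Phase is UP
*Mar 1 21:35:07.490: As4 IPCP: Install route to 172.20.1.101
*Mar 1 21:36:10.100: As5 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 21:36:10.104: As5 LCP: O CONFREQ [Closed] id 1 len 20
*Mar 1 21:36:11.200: As5 LCP: I CONFACK [ACKsent] id 1 len 20
*Mar 1 21:36:11.210: As5 LCP: State is Open
*Mar 1 21:36:11.214: As5 PPP: Phase is UP
*Mar 1 21:36:12.300: As5 IPCP: Install route to 172.20.1.102
"""

if __name__ == "__main__":
    for name, sess in sorted(audit_ppp_debug(SAMPLE_DEBUG.splitlines()).items()):
        print(f"{name}: peer={sess.peer_name} addr={sess.peer_address} "
              f"auth={sess.auth_acked}/{sess.auth_result}")
        for f in sess.findings():
            print(f"  WARNING: {f}")
```

Feed it a captured terminal log instead of SAMPLE_DEBUG to audit a real access server; the warning on As5 is the case to look for after enabling autoselect, since login authentication is bypassed on such lines.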
Configuring Asynchronous Rotary Line Queueing
The Cisco IOS Asynchronous Rotary Line Queueing feature allows Telnet connection requests to busy
asynchronous rotary groups to be queued so that users automatically obtain the next available line, rather
than needing to try repeatedly to open a Telnet connection. The Cisco IOS software sends a periodic
message to the user to update progress in the connection queue.
This feature allows users to make effective use of the asynchronous rotary groups on a Cisco router to
access legacy mainframes or other serial devices with a limited number of asynchronous ports that might
be used by a large number of users. Users that are unable to make a Telnet connection on the first attempt
are assured of eventual success in an orderly process. They are no longer required to guess when a line
might be available and to retry manually again and again.
Connections are authenticated using the method specified for the line configurations for the
asynchronous rotary group. If a connection is queued, authentication is done prior to queueing and no
authentication is done when the connection is later established.
Make sure you comply with the following requirements when configuring asynchronous rotary line
queueing:
• Configure more virtual terminal lines than will ever be used by waiting asynchronous rotary
connection attempts. Even when the queue is at its maximum, there must be at least one virtual
terminal line available so that system operators or network administrators can use Telnet to access
the router to show, debug, or configure system performance.
• When adding lines to a rotary group, all lines must be either queued or not queued. A mixture of
queued and unenqueued lines in the same rotary group is not supported and can result in unexpected
behavior.
• All lines within a queued rotary group need to use the same authentication method. Using different
authentication methods within the same rotary group can result in unexpected behavior.
To configure asynchronous rotary line queueing, use the following commands beginning in global
configuration mode:
Command  Purpose
Step 1  Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]  Starts line configuration mode on the line type and numbers specified.
Step 2  Router(config-line)# rotary group [queued | round-robin]  Enables asynchronous rotary line queueing on the designated line or group of lines. The optional round-robin keyword selects a round-robin port selection algorithm instead of the default (queued) linear port selection algorithm.
See the “Rotary Group Examples” section for configuration examples.
Verifying Asynchronous Rotary Line Queueing
To verify operation of asynchronous rotary line queueing, perform the following tasks:
• Use the show line command in EXEC mode to check the status of the vty lines.
• Use the show line async-queue command in EXEC mode to check the status of queued connection
requests.
Troubleshooting Asynchronous Rotary Lines
If asynchronous rotary line queueing is not operating correctly, use the following debug commands in
privileged EXEC mode to determine where the problem may lie:
• debug async async-queue
• debug ip tcp transactions
• debug modem
Refer to the Cisco IOS Debug Command Reference for information about these commands.
Monitoring and Maintaining Asynchronous Rotary Line Queues
To display queued lines and to remove lines from the queue, use the following commands in EXEC mode
as needed:
Command  Purpose
Router# show line async-queue rotary-group  Displays which lines are queued.
Router# clear line async-queue rotary-group  Clears all rotary queues or the specified rotary queue. If the rotary-group argument is not specified, all rotary queues are removed.
Configuring Autoselect
Autoselect is used by the access server to sense the protocol being received on an incoming line and to
launch the appropriate protocol. Autoselect can be used for AppleTalk Remote Access (ARA), PPP, or
SLIP.
When using Autoselect, “login” authentication is bypassed, so if security is required, it must be
performed at the protocol level, that is, the AppleTalk Remote Access Protocol (ARAP) or PPP
authentication. SLIP does not offer protocol layer authentication.
To configure the Cisco IOS software to allow an ARA, PPP, or SLIP session to start automatically, use
the following command in line configuration mode:
Command  Purpose
Router(config-line)# autoselect {arap | ppp | slip | during login}  Configures a line to automatically start an ARA, PPP, or SLIP session.
The autoselect command enables the Cisco IOS software to start a process automatically when a start
character is received.
The autoselect command bypasses the login prompt and enables the specified session to begin
automatically. However, when the autoselect command is entered with the during login keyword, the
username or password prompt appears without the need to press the Return key; thus “login” users will
get a prompt right away without needing to press the Return key. While the username or password
prompt is displayed, you can choose either to answer these prompts or to send packets from an
autoselected protocol.
Normally a router avoids line and modem noise by clearing the initial data received within the first one
or two seconds. However, when the autoselect PPP feature is configured, the router flushes characters
initially received and then waits for more traffic. This flush causes timeout problems with applications
that send only one carriage return. To ensure that the input data sent by a modem or other asynchronous
device is not lost after line activation, enter the flush-at-activation line configuration command.
Note When the autoselect command is used, the activation character should be set to the default Return,
and exec-character-bits should be set to 7. If you change these defaults, the application cannot
recognize the activation request.
See the “High-Density Dial-In Solution Using Autoselect and EXEC Control Example” section for an
example that makes use of the autoselect feature.
Verifying Autoselect PPP
The following trace appears when the debug modem and debug ppp negotiation commands are
enabled. As PPP calls pass through the access server, you should see this output.
When autoselect is used, “login” authentication is bypassed. If security is required, it must be performed
at the protocol level (that is, ARAP or PPP authentication). SLIP does not offer protocol layer
authentication.
22:21:02: TTY1: DSR came up
22:21:02: tty1: Modem: IDLE->READY
22:21:02: TTY1: Autoselect started
22:21:05: TTY1: Autoselect sample 7E
22:21:05: TTY1: Autoselect sample 7EFF
22:21:05: TTY1: Autoselect sample 7EFF7D
22:21:05: TTY1 Autoselect cmd: ppp default
22:21:05: TTY1: EXEC creation
%LINK-3-UPDOWN: Interface Async1, changed state to up
22:21:07: ppp: sending CONFREQ, type = 2 (CI_ASYNCMAP), value = A0000
22:21:07: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 23BE13AA
22:21:08: PPP Async1: state = REQSENT fsm_rconfack(0xC021): rcvd id 0x11
22:21:08: ppp: config ACK received, type = 2 (CI_ASYNCMAP), value = A0000
22:21:08: ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 23BE13AA
22:21:08: ppp: config ACK received, type = 7 (CI_PCOMPRESSION)
22:21:08: ppp: config ACK received, type = 8 (CI_ACCOMPRESSION)
22:21:08: PPP Async1: received config for type = 0x2 (ASYNCMAP) value = 0x0 acked
22:21:08: PPP Async1: received config for type = 0x5 (MAGICNUMBER) value = 0x2A acked
22:21:08: PPP Async1: received config for type = 0x7 (PCOMPRESSION) acked
22:21:08: PPP Async1: received config for type = 0x8 (ACCOMPRESSION) acked
22:21:08: ipcp: sending CONFREQ, type = 3 (CI_ADDRESS), Address = 172.16.1.1
22:21:08: ppp Async1: ipcp_reqci: rcvd COMPRESSTYPE (rejected) (REJ)
22:21:08: ppp Async1: Negotiate IP address: her address 0.0.0.0 (NAK with address
172.16.1.100) (NAK)
22:21:08: ppp: ipcp_reqci: returning CONFREJ.
22:21:08: PPP Async1: state = REQSENT fsm_rconfack(0x8021): rcvd id 0x9
22:21:08: ipcp: config ACK received, type = 3 (CI_ADDRESS), Address = 172.16.1.1
22:21:08: ppp Async1: Negotiate IP address: her address 0.0.0.0 (NAK with address
172.16.1.100) (NAK)
22:21:08: ppp: ipcp_reqci: returning CONFNAK.
22:21:09: ppp Async1: Negotiate IP address: her address 172.16.1.100 (ACK)
22:21:09: ppp: ipcp_reqci: returning CONFACK.
%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
Verifying Autoselect ARA
The following trace appears when the debug modem and debug arap internal commands are enabled.
As ARA version 2.0 calls pass through the access server, this output is displayed.
20:45:11: TTY3: DSR came up
20:45:11: tty3: Modem: IDLE->READY
20:45:11: TTY3: EXEC creation
20:45:11: TTY3: Autoselect(2) sample 1
20:45:11: TTY3: Autoselect(2) sample 11B
20:45:12: TTY3: Autoselect(2) sample 11B02
20:45:18: ARAP: ---------- SRVRVERSION ----------
20:45:19: ARAP: ---------- ACKing 0 ----------
20:45:19: ARAP: ---------- AUTH_CHALLENGE ----------
20:45:21: ARAP: ---------- ACKing 1 ----------
20:45:21: ARAP: ---------- AUTH_RESPONSE ----------
20:45:21: ARAP: ---------- STARTINFOFROMSERVER ----------
20:45:22: ARAP: ---------- ACKing 2 ----------
22:45:22: ARAP: ---------- ZONELISTINFO ----------
22:45:22: ARAP: ---------- ZONELISTINFO ----------
22:45:22: ARAP: ---------- ZONELISTINFO ----------
The following trace is for ARA version 1.0 calls:
22:31:45: TTY1: DSR came up
22:31:45: tty1: Modem: IDLE->READY
22:31:45: TTY1: Autoselect started
22:31:46: TTY1: Autoselect sample 16
22:31:46: TTY1: Autoselect sample 1610
22:31:46: TTY1: Autoselect sample 161002
22:31:47: ARAP: ---------- SRVRVERSION ----------
22:31:47: ARAP: ---------- ACKing 0 ----------
22:31:47: ARAP: ---------- AUTH_CHALLENGE ----------
22:31:47: ARAP: ---------- ACKing 1 ----------
22:31:47: ARAP: ---------- AUTH_RESPONSE ----------
22:31:47: ARAP: ---------- STARTINFOFROMSERVER ----------
22:31:48: ARAP: ---------- ACKing 2 ----------
22:31:48: ARAP: ---------- ZONELISTINFO ----------
22:31:48: ARAP: ---------- ZONELISTINFO ----------
22:31:49: ARAP: ---------- ZONELISTINFO ----------
How to Configure Other Asynchronous Line and Interface Features
This section describes the following asynchronous line and interface configurations:
• Configuring the Auxiliary (AUX) Port
• Establishing and Controlling the EXEC Process
• Enabling Routing on Asynchronous Interfaces
• Configuring Dedicated or Interactive PPP and SLIP Sessions
• Conserving Network Addresses
• Using Advanced Addressing Methods for Remote Devices
• Optimizing Available Bandwidth
Configuring the Auxiliary (AUX) Port
The AUX (auxiliary) port is typically configured as an asynchronous serial interface on routers without
built-in asynchronous interfaces. To configure the AUX port as an asynchronous interface, configure it
first as an auxiliary line with the line aux 1 global configuration command.
The AUX port sends a data terminal ready (DTR) signal only when a Telnet connection is established.
The auxiliary port does not use request to send/clear to send (RTS/CTS) handshaking for flow control.
To understand the differences between standard asynchronous interfaces and AUX ports configured as
an asynchronous interface, refer to Table 4. To enable the auxiliary port, use the following command in
global configuration mode:
Command Purpose
Router(config)# line aux line-number Enables the auxiliary serial DTE port.
You cannot use the auxiliary (AUX) port as a second console port. To use the AUX port as a console port,
you must order a special cable from your technical support personnel.
On an access server, you can configure any of the available asynchronous interfaces (1 through 8, 16, or
48). The auxiliary port (labeled AUX on the back of the product) can also be configured as an
asynchronous serial interface, although performance on the AUX port is much slower than on standard
asynchronous interfaces and the port does not support some features.
Table 4 illustrates why asynchronous interfaces permit substantially better performance than AUX ports
configured as asynchronous interfaces.
On routers without built-in asynchronous interfaces, only the AUX port can be configured as an
asynchronous serial interface. To configure the AUX port as an asynchronous interface, you must also
configure it as an auxiliary line with the line aux 1 command. Access servers do not have this restriction.
Use the line command with the appropriate line configuration commands for modem control, such as
speed.
Only IP packets can be sent across lines configured for SLIP. PPP supports transmission of IP, Internet
Packet Exchange (IPX), and AppleTalk packets on an asynchronous serial interface.
See the “Line AUX Configuration Example” section for an example that shows how to configure the
AUX port.
Establishing and Controlling the EXEC Process
By default, the Cisco IOS software starts an EXEC process on all lines. However, you can control EXEC
processes, as follows:
• Turn the EXEC process on or off. (A serial printer, for example, should not have an EXEC session
started.)
• Set the idle terminal timeout interval.
The EXEC command interpreter waits for a specified amount of time to receive user input. If no input
is detected, the EXEC facility resumes the current connection. If no connections exist, it returns the
terminal to the idle state and disconnects the incoming connection.
Table 4 Differences Between the Asynchronous Port and the Auxiliary (AUX) Port

Feature                    Asynchronous Interface    Auxiliary Port
Maximum speed              115200 bps                38400 bps
DMA buffering support (1)  Yes                       No
PPP framing on chip (2)    Yes                       No
IP fast switching (3)      Yes                       No

1. Direct Memory Access (DMA) buffering moves data packets directly to and from system memory without
interrupting the main CPU. This process removes overhead from the CPU and increases overall system
performance.
2. PPP framing on a hardware chip removes overhead from the CPU on the router, which enables the router to
sustain 115200 bps throughput on all asynchronous ports simultaneously.
3. After the destination of the first IP packet is added to the fast switching cache, it is fast switched to and from
other interfaces with minimal involvement from the main processor.
Configuring Asynchronous Lines and Interfaces
How to Configure Other Asynchronous Line and Interface Features
DC-31
To control the EXEC process, use the following commands in line configuration mode:

Step 1  Router(config-line)# exec
        Purpose: Turns on EXEC processes.
Step 2  Router(config-line)# exec-timeout minutes [seconds]
        Purpose: Sets the idle terminal timeout interval.

See the “High-Density Dial-In Solution Using Autoselect and EXEC Control Example” section for an
example of configuring control over the EXEC process.
Enabling Routing on Asynchronous Interfaces
To route IP packets on an asynchronous interface, use one of the following commands in interface
configuration mode:

Command: Router(config-if)# async dynamic routing
Purpose: Configures an asynchronous interface for dynamic routing. Use this command to manually bring up
PPP from an EXEC session.
Command: Router(config-if)# async default routing
Purpose: Automatically configures an asynchronous interface for routing. Use this command to enable two
routers to communicate over an asynchronous dial backup link.

The async dynamic routing command routes IP packets on an asynchronous interface, which permits
you to enable the Interior Gateway Routing Protocol (IGRP), Routing Information Protocol (RIP), and
Open Shortest Path First (OSPF) routing protocols for use when the user makes a connection using the
ppp or slip EXEC commands. The user must, however, specify the /routing keyword at the SLIP or PPP
command line.
For asynchronous interfaces in interactive mode, the async default routing command causes the ppp
and slip EXEC commands to be interpreted as though the /routing keyword had been included in the
command. For asynchronous interfaces in dedicated mode, the async dynamic routing command
enables routing protocols to be used on the line. Without the async default routing command, there is
no way to enable the use of routing protocols automatically on a dedicated asynchronous interface.
See the following sections for examples of enabling routing on asynchronous interfaces:
• Asynchronous Interface As the Only Network Interface Example
• IGRP Configuration Example
Configuring Dedicated or Interactive PPP and SLIP Sessions
You can configure one or more asynchronous interfaces on your access server (and one on a router) to
be in dedicated network interface mode. In dedicated mode, an interface is automatically configured for
SLIP or PPP connections. There is no user prompt or EXEC level, and no end-user commands are
required to initiate remote-node connections. If you want a line to be used only for SLIP or PPP
connections, configure the line for dedicated mode.
In interactive mode, a line can be used to make any type of connection, depending on the EXEC
command entered by the user. For example, depending on its configuration, the line could be used for
Telnet or XRemote connections, or SLIP or PPP encapsulation. The user is prompted for an EXEC
command before a connection is initiated.
You can configure an asynchronous interface to be in dedicated network mode. When the interface is
configured for dedicated mode, the end user cannot change the encapsulation method, address, or other
parameters.
To configure an interface for dedicated network mode or to return it to interactive mode, use one of the
following commands in interface configuration mode:

Command: Router(config-if)# async mode dedicated
Purpose: Places the line into dedicated asynchronous network mode.
Command: Router(config-if)# async mode interactive
Purpose: Returns the line to interactive mode.

By default, no asynchronous mode is configured. In this state, the line is not available for inbound
networking because the SLIP and PPP connections are disabled.
See the “Dedicated Asynchronous Interface Configuration Example” section for an example of how to
configure a dedicated asynchronous interface.
Conserving Network Addresses
When asynchronous routing is enabled, you might need to conserve network addresses by configuring
the asynchronous interfaces as unnumbered. An unnumbered interface does not have an address.
Network resources are therefore conserved because fewer network numbers are used and routing tables
are smaller.
To configure an unnumbered interface, use the following command in interface configuration mode:

Command: Router(config-if)# ip unnumbered type number
Purpose: Conserves IP addresses by configuring the asynchronous interface as unnumbered, and assigns it the
IP address of the interface type and number that you want to leverage.

Whenever the unnumbered interface generates a packet (for example, a routing update), it uses the
address of the specified interface as the source address of the IP packet. It also uses the address of the
specified interface to determine which routing processes are sending updates over the unnumbered
interface.
You can use the IP unnumbered feature even if the system on the other end of the asynchronous link does
not support it. The IP unnumbered feature is transparent to the other end of the link because each system
bases its routing activities on information in the routing updates it receives and on its own interface
address.
See the “Network Address Conservation Using the ip unnumbered Command Example” section for an
example of how to conserve network addresses.
Using Advanced Addressing Methods for Remote Devices
You can control whether addressing is dynamic (the user specifies the address at the EXEC level when
making the connection) or whether default addressing is used (the address is forced by the system). If
you specify dynamic addressing, the router must be in interactive mode and the user will enter the
address at the EXEC level.
It is common to configure an asynchronous interface to have a default address and to allow dynamic
addressing. With this configuration, the choice between the default address or dynamic addressing is
made by the users when they enter the slip or ppp EXEC command. If the user enters an address, it is
used, and if the user enters the default keyword, the default address is used.
This section describes the following optional tasks:
• Assigning a Default Asynchronous Address
• Allowing an Asynchronous Address to Be Assigned Dynamically
Assigning a Default Asynchronous Address
To assign a permanent default asynchronous address, use the following command in interface
configuration mode:

Command: Router(config-if)# peer default ip address ip-address
Purpose: Assigns a default IP address to an asynchronous interface.

Use the no form of this command to disable the default address. If the server has been configured to
authenticate asynchronous connections, you are prompted for a password after you enter the slip default
or ppp default EXEC command before the line is placed into asynchronous mode.
The assigned default address is implemented when the user enters the slip default or ppp default EXEC
command. The transaction is validated by the TACACS server, when enabled, and the line is put into
network mode using the address that is in the configuration file.
Configuring a default address is useful when the user is not required to know the IP address to gain
access to a system (for example, users of a server that is available to many students on a campus). Instead
of each user being required to know an IP address, they only need to enter the slip default or ppp default
EXEC command and let the server select the address to use.
See the section “Making Additional Remote Node Connections” in the chapter “Configuring
Asynchronous SLIP and PPP” in this publication for more information about the slip and ppp EXEC
commands.
See the following sections for examples:
• Modem Asynchronous Group Example
• Configuring Specific IP Addresses for an Interface
• IP and PPP Asynchronous Interface Configuration Example
Allowing an Asynchronous Address to Be Assigned Dynamically
When a line is configured for dynamic assignment of asynchronous addresses, the user enters the slip or
ppp EXEC command and is prompted for an address or logical host name. The address is validated by
TACACS, when enabled, and the line is assigned the given address and put into asynchronous mode.
Assigning asynchronous addresses dynamically is useful when you want to assign set addresses to users.
For example, an application on a personal computer that automatically dials in using Serial Line Internet
Protocol (SLIP) and polls for electronic mail messages can be set up to dial in periodically and enter the
required IP address and password.
To assign asynchronous addresses dynamically, use the following command in interface configuration
mode:

Command: Router(config-if)# async dynamic address
Purpose: Allows the IP address to be assigned when the protocol is initiated.

The dynamic addressing features of the internetwork allow packets to get to their destination and back
regardless of the access server, router, or network they are sent from. For example, if a host such as a
laptop computer moves from place to place, it can keep the same address no matter where it is dialing in
from.
Logical host names are first converted to uppercase and then sent to the TACACS server for
authentication.
See the following sections for examples of configurations that allow asynchronous addresses to be
assigned dynamically:
• Access Restriction on the Asynchronous Interface Example
• Asynchronous Routing and Dynamic Addressing Configuration Example
• Network Address Conservation Using the ip unnumbered Command Example
Optimizing Available Bandwidth
Asynchronous lines have relatively low bandwidth and can easily be overloaded, resulting in slow traffic
across these lines.
To optimize available bandwidth, perform either of the following optional tasks:
• Configuring Header Compression
• Forcing Header Compression at the EXEC Level
Configuring Header Compression
One way to optimize available bandwidth is by using TCP header compression. Van Jacobson TCP
header compression (defined by RFC 1144) can increase bandwidth availability two- to five-fold when
compared to lines not using header compression. Theoretically, it can improve bandwidth availability by
a ratio of seven to one.
To configure header compression, use the following command in interface configuration mode:

Command: Router(config-if)# ip tcp header-compression [on | off | passive]
Purpose: Configures Van Jacobson TCP header compression on the asynchronous link.
Forcing Header Compression at the EXEC Level
On SLIP interfaces, you can force header compression at the EXEC prompt on a line on which header
compression has been set to passive. This option allows more efficient use of the available bandwidth
and does not require entering privileged configuration mode.
To implement header compression, use the following command in interface configuration mode:

Command: Router(config-if)# ip tcp header-compression passive
Purpose: Allows the status of header compression to be assigned at the user level.

For PPP interfaces, the passive option functions the same as the on option.
See the following sections for examples of header compression:
• TCP Header Compression Configuration Example
• Network Address Conservation Using the ip unnumbered Command Example
• IGRP Configuration Example
Configuration Examples for Asynchronous Interfaces and Lines
This section provides the following asynchronous interface configuration examples:
• Interface and Line Configuration Examples
• Line AUX Configuration Example
• Rotary Group Examples
• Dedicated Asynchronous Interface Configuration Example
• Access Restriction on the Asynchronous Interface Example
• Group and Member Asynchronous Interface Examples
• Asynchronous Interface Address Pool Examples
• IP and SLIP Using an Asynchronous Interface Example
• IP and PPP Asynchronous Interface Configuration Example
• Asynchronous Routing and Dynamic Addressing Configuration Example
• TCP Header Compression Configuration Example
• Network Address Conservation Using the ip unnumbered Command Example
• Asynchronous Interface As the Only Network Interface Example
• Routing on a Dedicated Dial-In Router Example
• IGRP Configuration Example
Interface and Line Configuration Examples
This section contains the following examples:
• Asynchronous Interface Backup DDR Configuration Example
• Passive Header Compression and Default Address Example
• High-Density Dial-In Solution Using Autoselect and EXEC Control Example
• Asynchronous Line Backup DDR Configuration Example
Asynchronous Interface Backup DDR Configuration Example
The following is an example of one asynchronous interface configuration on a Cisco AS2511-RJ access
server that is used in an asynchronous backup DDR scenario:
interface async 1
description ASYNC LINE 5293731 TO HIGHWAY
encapsulation ppp
async default routing
async mode dedicated
dialer in-band
dialer map ip 192.168.10.2 name Router2 broadcast
dialer-group 1
ppp authentication chap
Passive Header Compression and Default Address Example
The following configuration shows interface and line configuration. The interface is configured with
access lists, passive header compression, and a default address. The line is configured for TACACS
authentication.
interface async 1
ip access-group 1 in
ip access-group 1 out
ip tcp header-compression passive
async default ip address 172.31.176.201
line 1
login tacacs
location 457-5xxx
exec-timeout 20 0
password XXXXXXXX
session-timeout 20
stopbits 1
High-Density Dial-In Solution Using Autoselect and EXEC Control Example
The following example configures a Cisco AS5800 access server, which is used as a high-density dial-in
solution:
line 1/2/00 1/9/71
session-timeout 30
exec-timeout 30 0
absolute-timeout 240
autoselect during-login
autoselect ppp
modem InOut
transport preferred none
transport input all
Asynchronous Line Backup DDR Configuration Example
The following example configures one asynchronous line on a Cisco AS2511-RJ access server that is
used in an asynchronous backup DDR scenario:
line 1
modem InOut
speed 115200
transport input all
flowcontrol hardware
Line AUX Configuration Example
In the following example, the asynchronous interface corresponds to the AUX port. Use the show line
command to determine which asynchronous interface corresponds to the AUX port. The IP addresses on
the AUX ports of both routers are in the same subnet.
interface Async1
ip address 192.168.10.1 255.255.255.0
encapsulation ppp
async dynamic routing
async mode dedicated
!
no ip classless
! Default route points to the Async1 (AUX port) interface.
ip route 0.0.0.0 0.0.0.0 Async1
!
!
logging buffered
!
line con 0
exec-timeout 0 0
line aux 0
modem InOut
transport input all
rxspeed 38400
txspeed 38400
Rotary Group Examples
The following example establishes a rotary group consisting of virtual terminal lines 2 through 4 and
defines a password on those lines. By using Telnet to connect to TCP port 3001, the user gets the next
free line in the rotary group. The user need not remember the range of line numbers associated with the
password.
line vty 2 4
rotary 1
password letmein
login
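The line settings shown in these examples (exec-timeout, transport input, line passwords versus login tacacs) are the ones an auditor checks first on a dial-in access server. The following script is an added example, not part of the Cisco guide: it parses the line stanzas of a running-config style text and reports the settings discussed in the "Establishing and Controlling the EXEC Process" section. The sample configuration is constructed for this example from the values used in the chapter's examples; the finding texts and the IOS default of a 10-minute exec-timeout are stated as the author's understanding, not taken from this page.

```python
"""Audit Cisco IOS 'line' stanzas for weak remote-access settings.

Added example (not from the Cisco guide). Findings reported:
  - exec-timeout missing, or 'exec-timeout 0 0' (idle sessions never end)
  - 'transport input all' (every inbound protocol accepted on the line)
  - a static line 'password' guarded only by plain 'login' (no TACACS/AAA)
  - a line that accepts inbound connections but has no login at all
"""
import re
from typing import Dict, List

# Constructed sample, built from the settings shown in the chapter's examples.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 0 0
line aux 0
 modem InOut
 transport input all
 rxspeed 38400
 txspeed 38400
line 1
 login tacacs
 exec-timeout 20 0
 password XXXXXXXX
 session-timeout 20
line vty 2 4
 rotary 1
 password letmein
 login
 exec-timeout 10 0
 transport input ssh
"""

LINE_RE = re.compile(r"^line\s+(.+)$")


def parse_line_stanzas(config: str) -> Dict[str, List[str]]:
    """Return {line-name: [commands]}; commands belong to a stanza until the
    next unindented (top-level) line."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw[0].isspace()
        text = raw.strip()
        m = LINE_RE.match(text)
        if m and not indented:
            current = m.group(1)
            stanzas[current] = []
        elif indented and current is not None:
            stanzas[current].append(text)
        else:
            current = None  # some other top-level block; not a line stanza
    return stanzas


def audit_line(name: str, cmds: List[str]) -> List[str]:
    """Return the findings for one stanza (an empty list means clean)."""
    findings = []
    timeouts = [c for c in cmds if c.startswith("exec-timeout")]
    if not timeouts:
        findings.append("exec-timeout not set explicitly (IOS default of 10 minutes applies)")
    else:
        parts = timeouts[-1].split()          # last occurrence wins in IOS
        minutes = int(parts[1]) if len(parts) > 1 else 0
        seconds = int(parts[2]) if len(parts) > 2 else 0
        if minutes == 0 and seconds == 0:
            findings.append("exec-timeout 0 0 disables the idle timeout")
    if "transport input all" in cmds:
        findings.append("transport input all permits every inbound protocol")
    has_login = any(c == "login" for c in cmds)
    has_aaa_login = any(c.startswith("login ") for c in cmds)   # login tacacs, login authentication ...
    has_password = any(c.startswith("password ") for c in cmds)
    accepts_inbound = any(c.startswith("transport input") for c in cmds) or name.startswith("vty")
    if has_login and has_password and not has_aaa_login:
        findings.append("static line password with local 'login'; prefer login tacacs or AAA")
    if accepts_inbound and not (has_login or has_aaa_login):
        findings.append("accepts inbound connections but has no login")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every line stanza in the configuration text."""
    return {name: audit_line(name, cmds) for name, cmds in parse_line_stanzas(config).items()}


if __name__ == "__main__":
    for line_name, issues in audit_config(SAMPLE_CONFIG).items():
        print(f"line {line_name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run against the sample, line 1 (login tacacs, 20-minute timeout) is clean, while con 0, aux 0 and vty 2 4 each produce findings; feed a real `show running-config` capture to the same functions to audit a device.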
The following example enables asynchronous rotary line queueing:
line 1 2
rotary 1 queued
The following example enables asynchronous rotary line queueing using the round-robin algorithm:
line 1 2
rotary 1 queued round-robin
Dedicated Asynchronous Interface Configuration Example
The following example shows how to assign an IP address to an asynchronous interface and place the
line in dedicated network mode. Setting the stop bit to 1 is a performance enhancement.
line 20
location Department PC Lab
stopbits 1
speed 19200
!
interface async 20
async default ip address 172.18.7.51
async mode dedicated
Access Restriction on the Asynchronous Interface Example
The following example shows how to allow most terminal users access to anything on the local network,
but restrict access to certain servers designated as asynchronous servers:
! access list for normal connections
access-list 1 permit 192.168.0.0 0.0.255.255
!
access-list 2 permit 192.168.42.55
access-list 2 permit 192.168.111.1
access-list 2 permit 192.168.55.99
!
line 1
speed 19200
flow hardware
modem inout
interface async 1
async mode interactive
async dynamic address
ip access-group 1 out
ip access-group 2 in
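Standard access lists such as access-list 1 and 2 above match only the source address of a packet, using a wildcard mask in which a 1 bit means "ignore this bit", and an entry with no mask is an exact host match. The following Python script is an added example, not part of the Cisco guide: it parses the two access lists from the example above and evaluates candidate addresses against them, including the implicit deny that ends every IOS access list. The test addresses are constructed for this example.

```python
"""Evaluate IOS standard access lists (wildcard-mask matching, implicit deny).

Added example, not from the Cisco guide. Entries are tried in configured
order; the first match decides; no match means the implicit 'deny'.
"""
import ipaddress
from typing import Dict, List, Tuple

# Copied from the chapter's "Access Restriction" example.
ACL_CONFIG = """\
! access list for normal connections
access-list 1 permit 192.168.0.0 0.0.255.255
!
access-list 2 permit 192.168.42.55
access-list 2 permit 192.168.111.1
access-list 2 permit 192.168.55.99
"""

Entry = Tuple[str, int, int]   # (action, address as int, wildcard as int)


def parse_standard_acls(text: str) -> Dict[str, List[Entry]]:
    """Return {acl-number: [entries in configured order]}."""
    acls: Dict[str, List[Entry]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue          # comments ('!') and anything else are skipped
        parts = line.split()
        number, action, addr = parts[1], parts[2], parts[3]
        if addr == "any":
            net, wild = 0, 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(addr))
            # No wildcard given means an exact host match (wildcard 0.0.0.0).
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, net, wild))
    return acls


def acl_decision(entries: List[Entry], address: str) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    a = int(ipaddress.IPv4Address(address))
    for action, net, wild in entries:
        care = 0xFFFFFFFF ^ wild            # bits that must match exactly
        if (a & care) == (net & care):
            return action
    return "deny"


def evaluate(text: str, checks: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (acl, address, verdict) for each (acl, address) check."""
    acls = parse_standard_acls(text)
    return [(num, addr, acl_decision(acls[num], addr)) for num, addr in checks]


if __name__ == "__main__":
    # Constructed test addresses.
    checks = [("1", "192.168.5.7"), ("1", "192.169.0.1"), ("1", "10.1.1.1"),
              ("2", "192.168.42.55"), ("2", "192.168.42.56")]
    for num, addr, verdict in evaluate(ACL_CONFIG, checks):
        print(f"access-list {num}: {addr:16} -> {verdict}")
```

Note that a standard list checks only the source address, so `ip access-group 2 in` on async 1 filters packets entering from the dial-in user by the source address they carry; anything not listed is dropped by the implicit deny, which is why the list of permitted servers must be complete.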
Group and Member Asynchronous Interface Examples
The following examples are included in this section:
• Asynchronous Group Interface Examples
• Modem Asynchronous Group Example
• High-Density Dial-In Solution Using an Asynchronous Group
Asynchronous Group Interface Examples
The following example shows how to create an asynchronous group interface 0 with group interface
members 2 through 7, beginning in global configuration mode:
interface group-async 0
group-range 2 7
The following example shows how you need to configure asynchronous interfaces 1, 2, and 3 separately
if you do not have a group interface configured:
interface Async1
ip unnumbered Ethernet0
encapsulation ppp
async default ip address 172.30.1.1
async mode interactive
async dynamic routing
!
interface Async2
ip unnumbered Ethernet0
encapsulation ppp
async default ip address 172.30.1.2
async mode interactive
async dynamic routing
!
interface Async3
ip unnumbered Ethernet0
!
encapsulation ppp
async default ip address 172.30.1.3
async mode interactive
async dynamic routing
The following example configures the same interfaces, but from a single group asynchronous interface:
interface Group-Async 0
ip unnumbered Ethernet0
encapsulation ppp
async mode interactive
async dynamic routing
group-range 1 3
member 1 async default ip address 172.30.1.1
member 2 async default ip address 172.30.1.2
member 3 async default ip address 172.30.1.3
Modem Asynchronous Group Example
To configure a group asynchronous interface, specify the group async number (an arbitrary number) and
the group range (beginning and ending asynchronous interface number).
The following example shows the process of creating and configuring a group asynchronous interface
for asynchronous interfaces 1 through 96 on a Cisco AS5300 access server, which is loaded with
ninety-six 56K MICA technologies modems:
interface group-async 1
ip unnumbered ethernet 0
encapsulation ppp
async mode interactive
ppp authentication chap pap
peer default ip address pool default
group-range 1 96
High-Density Dial-In Solution Using an Asynchronous Group
The following example configures a Cisco AS5800 access server that is used as a high-density dial-in
solution:
interface group-async 0
ip unnumbered FastEthernet0/2/0
encapsulation ppp
async mode interactive
peer default ip address pool default
no cdp enable
ppp authentication chap
hold-queue 10 in
group-range 1/2/00 1/9/71
Asynchronous Interface Address Pool Examples
The following sections provide examples of the use of Dynamic Host Configuration Protocol (DHCP)
and local pooling mechanisms:
• DHCP Pooling Example
• Local Pooling Example
• Configuring Specific IP Addresses for an Interface
DHCP Pooling Example
The following global configuration example enables DHCP proxy-client status on all asynchronous
interfaces on the access server:
ip address-pool dhcp-proxy-client
The following global configuration example shows how to specify which DHCP servers are used on your
network. You can specify up to four servers using IP addresses or names. If you do not specify servers,
the default is to use the IP limited broadcast address of 255.255.255.255 for transactions with any and
all discovered DHCP servers.
ip dhcp-server jones smith wesson
The following interface configuration example illustrates how to disable DHCP proxy-client
functionality on asynchronous interface 1:
interface async 1
no peer default ip address
Local Pooling Example
The following example shows how to select the IP pooling mechanism and how to create a pool of local
IP addresses that are used when a client dials in on an asynchronous line. The default address pool
comprises IP addresses 172.30.0.1 through 172.30.0.28.
! This command tells the access server to use a local pool.
ip address-pool local
! This command defines the ip address pool.
! The address pool is named group1 and comprised of addresses.
! 172.30.0.1 through 172.30.0.28 inclusive
ip local-pool group1 172.30.0.1 172.30.0.28
Configuring Specific IP Addresses for an Interface
The following example shows how to configure the access server so that it will use the default address
pool on all interfaces except interface 7, on which it will use an address pool called lass:
ip address-pool local
ip local-pool lass 172.30.0.1
interface async 7
peer default ip address lass
IP and SLIP Using an Asynchronous Interface Example
The following example configures IP and SLIP on asynchronous interface 6. The IP address for the
interface is assigned to Ethernet 0, interactive mode has been enabled, and the IP address of the client
PC running SLIP has been specified.
IP and the appropriate IP routing protocols have already been enabled on the access server or router.
interface async 6
ip unnumbered ethernet 0
encapsulation slip
async mode interactive
async default ip address 172.18.1.128
IP and PPP Asynchronous Interface Configuration Example
The following example configures IP and PPP on asynchronous interface 6. The IP address for the
interface is assigned to Ethernet 0, interactive mode has been enabled, and the IP address of the client
PC running PPP has been specified. IP and the appropriate IP routing protocols have already been
enabled on the access server or router.
interface async 6
ip unnumbered ethernet 0
encapsulation ppp
async mode interactive
peer default ip address 172.18.1.128
Asynchronous Routing and Dynamic Addressing Configuration Example
The following example shows a simple configuration that allows routing and dynamic addressing.
With this configuration, if the user specifies /routing in the EXEC slip or ppp command, routing
protocols will be sent and received.
interface async 6
async dynamic routing
async dynamic address
TCP Header Compression Configuration Example
The following example configures asynchronous interface 7 with a default IP address, allowing header
compression if it is specified in the slip or ppp connection command entered by the user or if the
connecting system sends compressed packets.
interface async 7
ip address 172.31.79.1
async default ip address 172.31.79.2
ip tcp header-compression passive
Network Address Conservation Using the ip unnumbered Command Example
The following example shows how to configure your router for routing using unnumbered interfaces.
The source (local) address is shared between the Ethernet 0 and asynchronous 6 interfaces (172.18.1.1).
The default remote address is 172.18.1.2.
interface ethernet 0
ip address 172.18.1.1 255.255.255.0
!
interface async 6
ip unnumbered ethernet 0
async dynamic routing
! Default address is on the local subnet.
async dynamic address
async default ip address 172.18.1.2
ip tcp header-compression passive
The following example shows how the IP unnumbered configuration works. Although the user is
assigned an address, the system response shows the interface as unnumbered, and the address entered by
the user will be used only in response to BOOTP requests.
Router> slip /compressed 10.11.11.254
Password:
Entering async mode.
Interface IP address is unnumbered, MTU is 1500 bytes.
Header compression is On.
Asynchronous Interface As the Only Network Interface Example
The following example shows how one of the asynchronous lines can be used as the only network
interface. The router is used primarily as a terminal server, but is at a remote location and dials in to the
central site for its only network connection.
ip default-gateway 10.11.12.2
interface ethernet 0
shutdown
interface async 1
async dynamic routing
ip tcp header-compression on
async default ip address 10.11.16.12
async mode dedicated
ip address 10.11.12.32 255.255.255.0
Routing on a Dedicated Dial-In Router Example
The following example shows how a router is set up as a dedicated dial-in router. Interfaces are
configured as IP unnumbered to conserve network resources, primarily IP addresses.
ip routing
interface ethernet 0
ip address 10.129.128.2 255.255.255.0
!
interface async 1
ip unnumbered ethernet 0
async dynamic routing
! The addresses assigned with SLIP or PPP EXEC commands are not used except
! to reply to BOOTP requests.
! Normally, the routers dialing in will have their own address and not use BOOTP at all.
async default ip address 10.11.11.254
!
interface async 2
ip unnumbered ethernet 0
async default ip address 10.11.12.16
ip tcp header-compression passive
async dynamic routing
async mode dedicated
!
! Run RIP on the asynchronous lines because few implementations of SLIP
! understand IGRP. Run IGRP on the Ethernet (and in the local network).
!
router igrp 110
network 10.11.12.0
! Send routes from the asynchronous lines on the production network.
redistribute rip
! Do not send IGRP updates on the asynchronous interfaces.
passive-interface async 1
passive-interface async 2
!
router rip
network 10.11.12.0
redistribute igrp
passive-interface ethernet 0
! Consider filtering everything except a default route from the routing
! updates sent on the (slow) asynchronous lines.
distribute-list 1 out
IGRP Configuration Example
In the following example, only the Interior Gateway Routing Protocol (IGRP) TCP/IP routing protocol
is running; it is assumed that the systems that are dialing in to use routing will either support IGRP or
have some other method (for example, a static default route) of determining that the router is the best
place to send most of its packets.
router igrp 111
network 10.11.12.0
interface ethernet 0
ip address 10.11.12.92 255.255.255.0
!
interface async 1
async default ip address 10.11.12.96
async dynamic routing
ip tcp header-compression passive
ip unnumbered ethernet 0
line 1
modem ri-is-cd
Configuring Asynchronous Serial Traffic over UDP
This chapter describes how to communicate with a modem using the Asynchronous Serial Traffic over
UDP feature in the following main sections:
• UDPTN Overview
• How to Configure Asynchronous Serial Traffic over UDP
See the “Configuration Examples for UDPTN” section for configuration examples.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the UDP commands mentioned in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference, Release 12.2. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
UDPTN Overview
The Asynchronous Serial Traffic over UDP feature provides the ability to encapsulate asynchronous data
into User Datagram Protocol (UDP) packets and then unreliably send this data without needing to
establish a connection with a receiving device. This process is referred to as UDP Telnet (UDPTN),
although it does not—and cannot—use the Telnet protocol. UDPTN is similar to Telnet in that both are
used to send data, but UDPTN is unique in that it does not require that a connection be established with
a receiving device. You load the data that you want to send through an asynchronous port, and then send
it, optionally, as a multicast or a broadcast. The receiving device(s) can then receive the data whenever
it wants. If the receiver ends reception, the transmission is unaffected.
The Asynchronous Serial Traffic over UDP feature provides a low-bandwidth, low-maintenance method
to unreliably deliver data. This delivery is similar to a radio broadcast: It does not require that you
establish a connection to a destination; rather, it sends the data to whatever device wants to receive it.
The receivers are free to begin or end their reception without interrupting the transmission.
It is a low-bandwidth solution for delivering streaming information for which lost packets are not
critical. Such applications include stock quotes, news wires, console monitoring, and multiuser chat
features.
This feature is particularly useful for broadcast, multicast, and unstable point-to-point connections. This
feature may not work as expected when there are multiple users on the same port number in a
nonmulticast environment. The same port must be used for both receiving and sending.
How to Configure Asynchronous Serial Traffic over UDP
To configure the Asynchronous Serial Traffic over UDP feature, perform the tasks described in the
following sections:
• Preparing to Configure Asynchronous Serial Traffic over UDP (Required)
• Configuring a Line for UDPTN (Required)
• Enabling UDPTN (Required)
• Verifying UDPTN Traffic (Optional but Recommended)
See the “Configuration Examples for UDPTN” section at the end of this chapter for multicast, broadcast,
and point-to-point UDPTN configuration examples.
Preparing to Configure Asynchronous Serial Traffic over UDP
When configuring the Asynchronous Serial Traffic over UDP feature for multicast transmission, you
must configure IP multicast routing for the entire network that will receive or propagate the multicasts.
When configuring the feature for broadcast transmission, you must configure broadcast flooding on the
routers between network segments. Refer to the “Configuring IP Multicast Routing” chapter of this
guide for information on how to configure IP multicast routing. See the section “Configuring Broadcast
Packet Handling” in the Cisco IOS IP Configuration Guide for information on how to configure
broadcast flooding.
Configuring a Line for UDPTN
To configure the line that will be used to send or receive UDP packets, use the following commands
beginning in global configuration mode:
        Command                                        Purpose
Step 1  Router(config)# line line-number               Enters line configuration mode for the line number specified.
Step 2  Router(config-line)# transport output udptn    Enables the line to transport UDP packets.
Step 3  Router(config-line)# dispatch-timeout 1000     Sends packets every 1000 milliseconds.
Step 4  Router(config-line)# dispatch-character 13     Sends packets after every new line.
Step 5  Router(config-line)# no session-timeout        Disables timeout connection closing.
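The dispatch behavior set in Steps 3 and 4 (dispatch-timeout 1000, dispatch-character 13), modeled in Python as an added example that is not Cisco code: bytes arriving on the line are buffered and go out as one UDP datagram when a carriage return arrives or the timeout expires. The receiver side shows the consequence of a connectionless, handshake-free transport: the only things a UDPTN receiver can check are the destination port and, if an access list is applied, the source address; the port 57 and all addresses below are constructed sample values, and the timer-start rule is an assumption of the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass
class UdptnDispatcher:
    """Line-side buffering per the guide's Steps 3 and 4. Bytes typed on the
    asynchronous port are held until the dispatch character arrives or the
    dispatch timeout elapses; each flush is one UDP datagram payload."""
    dispatch_char: int = 13           # carriage return, as in the guide
    dispatch_timeout_ms: int = 1000   # as in the guide
    _buf: bytearray = field(default_factory=bytearray)
    _first_ms: Optional[int] = None   # arrival time of the oldest buffered byte

    def _flush(self) -> bytes:
        payload = bytes(self._buf)
        self._buf = bytearray()
        self._first_ms = None
        return payload

    def tick(self, now_ms: int) -> Optional[bytes]:
        """Timer check. Assumption of this model: the timer starts with the
        first byte buffered after the previous flush."""
        if self._buf and now_ms - self._first_ms >= self.dispatch_timeout_ms:
            return self._flush()
        return None

    def feed(self, byte: int, now_ms: int) -> List[bytes]:
        """Buffer one byte from the line; return the payloads that are now due."""
        out: List[bytes] = []
        stale = self.tick(now_ms)        # an expired buffer goes out first
        if stale is not None:
            out.append(stale)
        if self._first_ms is None:
            self._first_ms = now_ms
        self._buf.append(byte)
        if byte == self.dispatch_char:   # the dispatch character itself is sent
            out.append(self._flush())
        return out

    def close(self) -> Optional[bytes]:
        """Flush whatever is left, as the timer eventually would."""
        return self._flush() if self._buf else None


def segment_stream(events: Iterable[Tuple[int, int]], **settings) -> List[bytes]:
    """Run a (time_ms, byte) sequence through a dispatcher and collect datagrams."""
    d = UdptnDispatcher(**settings)
    packets: List[bytes] = []
    for t, b in events:
        packets.extend(d.feed(b, t))
    tail = d.close()
    if tail is not None:
        packets.append(tail)
    return packets


def accept_datagrams(datagrams: Iterable[Tuple[str, int, bytes]],
                     listen_port: int, allowed_sources: Iterable[str]) -> List[bytes]:
    """Receiver side. UDPTN has no handshake and no authentication, so every
    datagram reaching the port is delivered to the line. The port (the guide
    requires the same port at both ends) and a source filter are the only
    control points; the filter stands in for a router access list here."""
    nets = [ip_network(n) for n in allowed_sources]
    accepted: List[bytes] = []
    for src, dport, payload in datagrams:
        if dport != listen_port or not any(ip_address(src) in n for n in nets):
            continue
        accepted.append(payload)
    return accepted


# Constructed sample: bytes typed on the sending router's line, with timestamps.
SAMPLE_EVENTS = [(0, ord("a")), (10, ord("b")), (20, 13),   # CR dispatches b"ab\r"
                 (30, ord("c")), (40, ord("d")),            # no CR: timer flushes b"cd"
                 (2000, ord("e"))]                          # arrives after the timeout

# Constructed sample of datagrams seen by a receiver listening on port 57.
SAMPLE_DATAGRAMS = [("10.1.1.1", 57, b"ab\r"), ("10.1.1.1", 57, b"cd"),
                    ("198.51.100.9", 57, b"cd"),   # source outside the allowed range
                    ("10.1.1.1", 58, b"e")]        # wrong port

if __name__ == "__main__":
    print(segment_stream(SAMPLE_EVENTS))
    print(accept_datagrams(SAMPLE_DATAGRAMS, 57, ["10.1.1.0/24"]))
```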
Enabling UDPTN
There are two methods of enabling UDPTN. You can manually enable UDPTN when you want to begin
transmission or reception, or you can configure the router to automatically enable UDPTN when a
connection is made to the line.
To manually enable UDPTN and begin UDPTN transmission or reception, use the following command
in EXEC mode:
Command                                                   Purpose
Router# udptn ip-address [port] [/transmit] [/receive]    Enables UDPTN to the specified IP address (optionally,
                                                          using the specified port). Use the /transmit or /receive
                                                          keyword if the router will only be sending or receiving
                                                          UDPTN.
To automatically enable UDPTN when a connection is made to the line, use the following commands
beginning in global configuration mode:
        Command                                                Purpose
Step 1  Router(config)# line line-number                       Enters line configuration mode for the line number
                                                               specified.
Step 2  Router(config-line)# autocommand udptn ip-address      Enables UDPTN automatically when a connection is
        [port] [/transmit] [/receive]                          made to the line (optionally, using the specified port).
                                                               Use the /transmit or /receive keyword if the router will
                                                               only be sending or receiving UDPTN.
Verifying UDPTN Traffic
To verify that UDPTN is enabled correctly, perform the following steps:
Step 1 Enable UDPTN debugging by using the debug udptn EXEC command.
Step 2 Enable UDPTN by using the udptn ip-address EXEC command, and then observe the debug output.
The following debug output shows a UDPTN session being successfully established and then
disconnected.
Router# debug udptn
Router# udptn 172.16.1.1
Trying 172.16.1.1 ... Open
*Mar 1 00:10:15.191:udptn0:adding multicast group.
*Mar 1 00:10:15.195:udptn0:open to 172.16.1.1:57 Loopback0jjaassdd
*Mar 1 00:10:18.083:udptn0:output packet w 1 bytes
*Mar 1 00:10:18.087:udptn0:Input packet w 1 bytes
Router# disconnect
Closing connection to 172.16.1.1 [confirm] y
Router#
Step 3 While the udptn command is enabled, enter the show ip socket command to verify that the socket being
used for UDPTN opened correctly.
Router# show ip socket
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 172.21.14.90 67 0 0 89 0
17 0.0.0.0 520 172.21.14.90 520 0 0 1 0
17 1.1.1.2 57 1.1.1.1 57 0 0 48 0
17 224.1.1.1 57 1.2.2.2 57 0 0 48 0 Loopback0
Configuration Examples for UDPTN
This section provides the following UDPTN configuration examples:
• Multicast UDPTN Example
• Broadcast UDPTN Example
• Point-to-Point UDPTN Example
Multicast UDPTN Example
These configurations are for multicast UDPTN. The router that is multicasting does not require a
multicast configuration—it simply sends to the multicast IP address.
Router That Is Multicasting
ip multicast-routing
interface ethernet 0
ip address 10.1.1.1 255.255.255.0
ip pim dense-mode
!
line 5
no session-timeout
transport output udptn
dispatch-timeout 10000
dispatch-character 13
modem in
autocommand udptn 172.1.1.1 /transmit
Receiving Routers
ip multicast-routing
interface ethernet 0
ip address 10.99.98.97 255.255.255.192
ip pim dense-mode
!
line 0 16
transport output udptn telnet lat rlogin
autocommand udptn 172.1.1.1 /receive
Broadcast UDPTN Example
These configurations are for broadcast UDPTN. This is the simplest method to send to multiple
receivers. The broadcasting router sends to the broadcast IP address, and any router that wants to receive
the transmission simply connects to the broadcast IP address by using the udptn command.
Router That Is Broadcasting
interface ethernet 0
ip address 10.1.1.1 255.255.255.0
!
line 5
no session-timeout
transport output udptn
dispatch-timeout 10000
dispatch-character 13
modem in
autocommand udptn 255.255.255.255 /transmit
Receiving Routers
interface ethernet 0
ip address 10.99.98.97 255.255.255.192
!
line 0 16
transport output udptn telnet lat rlogin
autocommand udptn 255.255.255.255 /receive
Point-to-Point UDPTN Example
These configurations are for two routers in mobile, unstable environments that wish to establish a
bidirectional asynchronous tunnel. Because there is no way to ensure that both routers will be up and
running when one of the routers wants to establish a tunnel, they cannot use connection-dependent
protocols like Telnet or local area transport (LAT). They instead use the following UDPTN
configurations. Each router is configured to send to and receive from the IP address of the other. Because
both routers will be sending and receiving, they do not use the /transmit or /receive keywords with the
udptn command.
Router A
interface ethernet 0
ip address 10.54.46.1 255.255.255.192
!
line 5
no session-timeout
transport output udptn
dispatch-timeout 10000
dispatch-character 13
modem in
autocommand udptn 10.54.46.2
Router B
interface ethernet 0
ip address 10.54.46.2 255.255.255.192
!
line 10
no session-timeout
transport output udptn
dispatch-timeout 10000
dispatch-character 13
modem in
autocommand udptn 10.54.46.1
Modem Configuration and Management
Overview of Modem Interfaces
This chapter describes modem interfaces in the following sections:
• Cisco Modems and Cisco IOS Modem Features
• Cisco IOS Modem Components
• Logical Constructs in Modem Configurations
See the chapter “Overview of Dial Interfaces, Controllers, and Lines” for more information about Cisco
asynchronous serial interfaces.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the modem support commands in this chapter, refer to the Cisco IOS
Modem Command Reference. To locate documentation of other commands that appear in this chapter,
use the command reference master index or search online.
Cisco Modems and Cisco IOS Modem Features
Deciding which asynchronous features to use, to some degree, depends on your hardware configuration.
All Cisco access servers must have their asynchronous interfaces and lines configured for network
protocol support. Commands entered in asynchronous interface mode configure protocol-specific
parameters for asynchronous interfaces, whereas commands entered in line configuration mode
configure the physical and logical aspects for the same port.
Modems inside high-end access servers need a localized modem country code. This code is projected
from the Cisco IOS software to the onboard modems using the modem country {mica |
microcom_hdms} country command. The following are high-end access servers: Cisco AS5800,
Cisco AccessPath, Cisco AS5300, and the Cisco AS5200.
Modems externally attached to low-end access servers need to receive initialization strings from the
modem autoconfigure discovery command. For troubleshooting tips, see the section “External
Modems on Low-End Access Servers” in the chapter “Configuring and Managing External Modems.”
The following are low-end access servers: Cisco AS2511-RJ, Cisco AS2509-RJ, Cisco 2509,
Cisco 2511, and the Cisco 2512.
Figure 12 shows a Cisco AS2511-RJ access server. Figure 13 shows a Cisco AS5300 access server.
Notice that modems are either inside or outside the chassis, depending on the product model.
Figure 12 Cisco AS2511-RJ Access Server
Figure 13 Cisco AS5300 Access Server
Cisco IOS Modem Components
Different components inside Cisco IOS software work together to enable remote clients to dial in and
send packets. Figure 14 shows one Cisco AS5300 access server that is receiving calls from a remote
office, branch office (ROBO); small office, home office (SOHO); and modem client.
Depending on your network scenario, you may encounter all of the components in Figure 14. For
example, you might decide to create a virtual IP subnet by using a loopback interface. This step saves
address space. Virtual subnets can exist inside devices that you advertise to your backbone. In turn, IP
packets get relayed to remote PCs, which route back to the central site.
[Figure 12 illustration: Cisco AS2511-RJ with ASYNC ports 1 through 16; modems are outside the chassis. Figure 13 illustration: Cisco AS5300; modems are inside the chassis.]
Figure 14 Cisco IOS Modem Concepts
[Figure 14 illustration, Cisco IOS software inside a Cisco AS5300: a remote PC with a modem, a Cisco 766 (SOHO) and a Cisco 1604 (ROBO) connect over POTS and BRI lines through the PSTN/ISDN to E1/T1 PRI ports. Inside the access server: controllers, TDM bus, modems, lines, and asynchronous interfaces cloned from the interface group-async; interface serial channels S0:0, S0:1… (B channels) with an interface dialer controlling the D channels; virtual access interfaces cloned from the interface virtual template; a loopback interface; AAA; the routing and switching engine; and a Fast Ethernet interface to the headquarters intranet/Internet. Legend: ISDN B channel; Modem/POTS.]
Logical Constructs in Modem Configurations
A logical construct stores core protocol characteristics to assign to physical interfaces. No data packets
are forwarded to a logical construct. Cisco uses three types of logical constructs in its access servers and
routers. These constructs are described in the following sections:
• Asynchronous Interfaces
• Group Asynchronous Interfaces
• Modem Lines and Asynchronous Interfaces
Asynchronous Interfaces
An asynchronous interface assigns network protocol characteristics to remote asynchronous clients that
are dialing in through physical terminal lines and modems. (See Figure 15.)
Use the interface async command to create and configure an asynchronous interface.
Figure 15 Logical Construct for an Asynchronous Interface
To enable clients to dial in, you must configure two asynchronous components: asynchronous lines and
asynchronous interfaces. Asynchronous interfaces correspond to physical terminal lines. For example,
asynchronous interface 1 corresponds to tty line 1.
Commands entered in asynchronous interface mode configure protocol-specific parameters for
asynchronous interfaces, whereas commands entered in line configuration mode configure the physical
aspects for the same port.
[Figure 15 illustration: a remote PC dials over the PSTN/ISDN to Modem 1, which attaches to Line 1 and to the asynchronous interface; the asynchronous interface contains core protocol characteristics for incoming asynchronous clients, and the remote PC negotiates parameters with it.]
Specifically, you configure asynchronous interfaces to support PPP connections. An asynchronous
interface on an access server or router can be configured to support the following functions:
• Network protocol support such as IP, Internet Protocol Exchange (IPX), or AppleTalk
• Encapsulation support such as PPP
• IP client addressing options (default or dynamic)
• IPX network addressing options
• PPP authentication
• ISDN BRI and PRI configuration
For additional information about configuring asynchronous interfaces, see the “Overview of Dial
Interfaces, Controllers, and Lines” chapter.
Group Asynchronous Interfaces
A group asynchronous interface is a parent interface that stores core protocol characteristics and projects
them to a specified range of asynchronous interfaces. Asynchronous interfaces clone protocol
information from group asynchronous interfaces. No data packets arrive in a group asynchronous
interface.
By setting up a group asynchronous interface, you also eliminate the need to repeatedly configure
identical configuration information across several asynchronous interfaces. For example, on a
Cisco AS5300 one group asynchronous interface is used instead of 96 individual asynchronous
interfaces. (See Figure 16.)
The following example shows a group asynchronous configuration for a Cisco AS5300 access server
loaded with one 4-port ISDN PRI card and 96 MICA modems:
Router(config)# interface group-async 1
Router(config-if)# ip unnumbered loopback 0
Router(config-if)# encapsulation ppp
Router(config-if)# async mode interactive
Router(config-if)# peer default ip address pool dialin_pool
Router(config-if)# no cdp enable
Router(config-if)# ppp authentication chap pap dialin
Router(config-if)# group-range 1 96
To configure multiple asynchronous interfaces at the same time (with the same parameters), you can
assign each asynchronous interface to a group and then configure the group. Configurations throughout
this guide configure group asynchronous interfaces, rather than each interface separately.
If you want to configure different attributes on different asynchronous interfaces, either do not assign
them to the group, or assign different interfaces to different groups. After assigning asynchronous interfaces to a
group, you cannot configure these interfaces separately. For example, on a Cisco AS5300 access server
in a T1 configuration, you could assign asynchronous interfaces 1 to 48 as part of one group (such as
group-async1) and asynchronous interfaces 49 to 96 as part of another group (group-async2). You can
also use the member command to perform a similar grouping function.
Modem Lines and Asynchronous Interfaces
Modems attach to asynchronous lines, which in turn attach to asynchronous interfaces. Depending on
the type of access server you have, these components appear outside or inside the physical chassis.
Figure 16 shows the logical relationships among modems, asynchronous lines, asynchronous interfaces,
and group asynchronous interfaces. All these components work together to deliver packets as follows:
• Asynchronous calls come into the modems from the “plain old telephone service” (POTS) or Public
Switched Telephone Network (PSTN).
• Modems pass packets up through asynchronous lines.
• Asynchronous interfaces clone their configuration information from group asynchronous interfaces.
Note The number of interfaces and modems varies among access server product models.
Figure 16 Modems, Lines, and Asynchronous Interfaces
Use the interface group-async command to create and configure a group asynchronous interface. The
following example shows a group asynchronous configuration for a Cisco AS5300 access server loaded
with one 4-port ISDN PRI card and 96 MICA modems:
Router(config)# interface group-async 1
Router(config-if)# ip unnumbered loopback 0
Router(config-if)# encapsulation ppp
Router(config-if)# async mode interactive
Router(config-if)# peer default ip address pool dialin_pool
Router(config-if)# no cdp enable
Router(config-if)# ppp authentication chap pap dialin
Router(config-if)# group-range 1 96
[Figure 16 illustration: the group asynchronous interface projects core protocol characteristics out to Interface async 1, Interface async 2, … Interface async 96, each attached to Line 1, Line 2, … Line 96 and to Modem 1, Modem 2, … Modem 96. Asynchronous lines and interfaces are inside the access server; modems are inside or outside the access server, depending on the product model.]
Modem Calls
Modem calls travel through traditional telephone and ISDN lines. Regardless of the media used, these
calls are initiated by a modem and terminate on another modem at the remote end.
Figure 17 shows a remote laptop using a V.90 internal modem to dial in to a Cisco AS5300 access server,
which is loaded with 96 internal V.90 MICA technologies modems.
Figure 17 Remote Node Dialing In to a Cisco AS5300 Access Server
Asynchronous Line Configuration
Asynchronous line configuration commands configure ports for the following options:
• Physical layer options such as modem configuration
• Security for login in EXEC mode
• AppleTalk Remote Access (ARA) protocol configuration (PPP is configured in interface
configuration mode)
• Autoselect to detect incoming protocols (ARA and PPP)
To enter line configuration mode, first connect to the console port of the access server and enter
privileged EXEC mode. Then enter global configuration mode and finally enter line configuration mode
for the asynchronous lines that you want to configure. The following example shows how you enter line
configuration mode for lines 1 through 16:
Router> enable
Router# configure terminal
Router(config)# line 1 16
Router(config-line)#
Absolute Versus Relative Line Numbers
When you enter line configuration mode, you can specify an absolute line number or a relative line
number. For example, absolute line number 20 is vty 2 (line 18 is vty 0). Referring to lines in a relative
format is often easier than attempting to recall the absolute number of a line on a large system. Internally,
the router uses absolute line numbers.
On all routers except the Cisco AS5350, AS5400, AS5800, AS5850 access servers, you can view all of
the absolute and relative line numbers using the show users all EXEC command.
[Figure 17 illustration: a PC laptop with an internal V.90 modem dials in over POTS and the PSTN/ISDN (PRI) to a Cisco AS5300 equipped with 96 V.90 MICA modems; PPP runs over the async connection, and the Fast Ethernet interface connects to the large business LAN.]
In the following sample display, absolute line numbers are listed at the far left. Relative line numbers are
in the third column, after the line type. The second virtual terminal line, vty 1, is absolute line number
3. Compare the line numbers in this sample display to the output from the show line command.
Line User Host(s) Idle Location
0 con 0
1 aux 0
2 vty 0 incoming 0 SERVER.COMPANY.COM
3 vty 1
4 vty 2
5 vty 3
6 vty 4
On the Cisco AS5350, AS5400, AS5800, AS5850 access servers, you can view the absolute and relative
line numbers with the following commands:
• show users all | exclude tty | interface to show the non-internal modem lines
• show controller async | include tty to show the internal modem lines
The following example shows the information displayed with the show users all | exclude tty|Interface
command:
Router# show users all | exclude tty | Interface
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
1 aux 0 00:00:00
2 vty 0 00:00:00
3 vty 1 00:00:00
4 vty 2 00:00:00
5 vty 3 00:00:00
6 vty 4 00:00:00
The following example shows the information displayed with the show controller async | include tty
command:
Router# show controller async | include tty
Controller information for Async2/00 (tty324)
Controller information for Async2/01 (tty325)
Controller information for Async2/02 (tty326)
.
.
.
Compare the line numbers in this sample display to the output from the show line command.
Line and Modem Numbering Issues
The tty line numbering scheme used by your access server or router is specific to your product and its
hardware configuration. Refer to the product-specific documentation that came with your product for
line numbering scheme information.
For example, the Cisco AS5200 access server has tty lines that map directly to integrated modems, as
shown in Table 5. Depending on the shelf, slot, and port physical architecture of the access server, the
modem and tty line number schemes will change.
As shown in Table 5, physical terminal lines 1 through 24 directly connect to modems 1/0 through 1/23,
which are installed in the first chassis slot in this example. Physical terminal lines 25 through 48 directly
connect to modems 2/0 through 2/23, which are installed in the second slot.
Decimal TCP Port Numbers for Line Connections
Connections to an individual line are most useful when a dial-out modem, parallel printer, or serial
printer is attached to that line. To connect to an individual line, the remote host or terminal must specify
a particular TCP port on the router.
If reverse XRemote is required, the port is 9000 (decimal) plus the decimal value of the line number.
If a raw TCP stream is required, the port is 4000 (decimal) plus the decimal line number. The raw TCP
stream is usually the required mode for sending data to a printer.
If Telnet protocols are required, the port is 2000 (decimal) plus the decimal value of the line number.
The Telnet protocol might require that Return characters be translated into Return and line-feed
character pairs. You can turn off this translation by specifying the Telnet binary mode option. To specify
this option, connect to port 6000 (decimal) plus the decimal line number.
Table 5 tty Lines Associated with Cisco AS5200 Modems
tty Line Slot/Modem Number tty Line Slot/Modem Number
1 1/0 25 2/0
2 1/1 26 2/1
3 1/2 27 2/2
4 1/3 28 2/3
5 1/4 29 2/4
6 1/5 30 2/5
7 1/6 31 2/6
8 1/7 32 2/7
9 1/8 33 2/8
10 1/9 34 2/9
11 1/10 35 2/10
12 1/11 36 2/11
13 1/12 37 2/12
14 1/13 38 2/13
15 1/14 39 2/14
16 1/15 40 2/15
17 1/16 41 2/16
18 1/17 42 2/17
19 1/18 43 2/18
20 1/19 44 2/19
21 1/20 45 2/20
22 1/21 46 2/21
23 1/22 47 2/22
24 1/23 48 2/23
For example, a laser printer is attached to line 10 of a Cisco 2511 router. Such a printer usually uses
XON/XOFF software flow control. Because the Cisco IOS software cannot receive an incoming
connection if the line already has a process, you must ensure that an EXEC session is not accidentally
started. You must, therefore, configure it as follows:
line 10
flowcontrol software
no exec
A host that wants to send data to the printer would connect to the router on TCP port 4008, send the data,
and then close the connection. (Remember that line number 10 octal equals 8 decimal.)
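The port arithmetic from “Decimal TCP Port Numbers for Line Connections” and the printer example above, as an added Python example that is not from the guide. Besides the forward mapping (line and service to port), it gives the inverse, which is what a defender needs when a scan or flow record shows a router listening on, say, 4008: it names both the service and the line so that exposed dial-out modems or printers can be reviewed. The flow records are constructed samples, and the assumption that line numbers stay below 1000 (so the four port blocks never overlap) is this example's, not the guide's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Decimal TCP port blocks the guide assigns to connections to an individual line.
PORT_BASES: Dict[str, int] = {
    "telnet": 2000,         # Telnet protocol to the line
    "raw": 4000,            # raw TCP stream (the usual mode for printers)
    "telnet-binary": 6000,  # Telnet binary mode (no Return -> Return/line-feed translation)
    "xremote": 9000,        # reverse XRemote
}
# Assumption of this example: line numbers are below 1000, so the blocks do not overlap.
BLOCK_SIZE = 1000


def line_tcp_port(line: int, service: str) -> int:
    """Port a remote host connects to for the given decimal line number and service."""
    if not 0 <= line < BLOCK_SIZE:
        raise ValueError(f"line number out of range: {line}")
    return PORT_BASES[service] + line


def classify_port(port: int) -> Optional[Tuple[str, int]]:
    """Inverse mapping: (service, decimal line number), or None when the port
    falls outside every per-line block."""
    for service, base in PORT_BASES.items():
        if base <= port < base + BLOCK_SIZE:
            return service, port - base
    return None


# Constructed flow records toward a router's address; not real captures.
SAMPLE_FLOWS = """\
src=10.1.1.5 dst=10.54.46.1:4008 proto=tcp
src=10.1.1.9 dst=10.54.46.1:2001 proto=tcp
src=192.0.2.7 dst=10.54.46.1:6010 proto=tcp
src=10.1.1.5 dst=10.54.46.1:443 proto=tcp
src=10.1.1.5 dst=10.54.46.1:9005 proto=tcp
"""

_FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=\S+:(?P<port>\d+) proto=tcp")


def per_line_connections(records: str) -> List[Tuple[str, str, int]]:
    """Return (source, service, line) for each flow aimed at a per-line port,
    skipping ordinary services such as 443; sorted by line, then service."""
    hits: List[Tuple[str, str, int]] = []
    for rec in records.splitlines():
        m = _FLOW_RE.search(rec)
        if not m:
            continue
        found = classify_port(int(m["port"]))
        if found is not None:
            service, line = found
            hits.append((m["src"], service, line))
    return sorted(hits, key=lambda h: (h[2], h[1]))


if __name__ == "__main__":
    # The guide's printer: line number 10 octal equals 8 decimal, raw stream -> port 4008.
    print(line_tcp_port(int("10", 8), "raw"))
    for src, service, line in per_line_connections(SAMPLE_FLOWS):
        print(f"{src} -> line {line} via {service}")
```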
Signal and Flow Control Overview
The EIA/TIA-232 output signals are Transmit Data (TXDATA), Data Terminal Ready (DTR), and Ready
To Send (RTS—Cisco 2500 routers only). The input signals are Receive Data (RXDATA), Clear to Send
(CTS), and RING. The sixth signal is ground. Depending on the type of modem control your modem
uses, these names may or may not correspond to the standard EIA/TIA-232 signals.
Dialup modems that operate over normal telephone lines at speeds of 28800 bps use hardware flow
control to stop the data from reaching the host by toggling an EIA/TIA-232 signal when their limit is
reached.
In addition to hardware flow control, modems require special software configuring. For example, they
must be configured to create an EXEC session when a user dials in and to hang up when the user exits
the EXEC. These modems also must be configured to close any existing network connections if the
telephone line hangs up in the middle of a session.
The Cisco IOS software supports hardware flow control on its CTS input signal, which is also used by
the normal modem handshake.
Configuring and Managing Integrated Modems
The Cisco IOS software provides commands that manage modems that reside inside access servers or
routers in the form of modem cards. This chapter describes the modem management tasks. It includes
the following main sections:
• Modems and Modem Feature Support
• Managing Modems
• Configuration Examples for Modem Management
For additional instructions for configuring Cisco access servers, see the chapter “Configuring and
Managing Cisco Access Servers and Dial Shelves” in this publication.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
Modem initialization strings are listed in the “Modem Initialization Strings” appendix. For a complete
description of the commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
Modems and Modem Feature Support
The Cisco IOS software supports three types of integrated modems for Cisco access servers and access
routers:
• Modem ISDN channel aggregation (MICA) digital modem
• NextPort digital modem
• NM-AM network module analog modem
Table 6 lists device support for each of the Cisco access server hardware platforms.
Note If the platform is using MICA technologies modems, the V.120 rate adaptation is done by CPU on
vty lines like protocol translation sessions.
The following sections summarize the standards supported by modems in the Cisco access servers. See
Table 7 through Table 10 for a summary and comparison of the Cisco IOS commands used for the MICA
and NextPort modems.
V.90 Modem Standard
Study Group 16 of the International Telecommunication Union Telecommunication Standardization
Sector (ITU-T) developed the V.90 modem standard for multimedia systems. The V.90 standard
describes a digital modem and analog modem pair for use on the public switched telephone network
(PSTN). V.90 modems are designed for connections that are digital at one end and have only one
digital-to-analog conversion. The V.90 standard is expected to be widely used for applications such as
Internet and online service access. Download speeds of up to 56,000 bits per second (bps) are possible,
depending on telephone line conditions, with upload speeds of up to 33,600 bps.
Table 6 Cisco IOS Modems and Modem Feature Support
Device Support     Cisco AS5300         Cisco AS5350           Cisco AS5400            Cisco AS5800                    Cisco 2600/3600 Series Routers
Integrated modems  6- and 12-port MICA  60-port NextPort CSM   108-port NextPort CSM   72- and 144-port MICA;          6-port, 12-port, 18-port, 24-port,
                                        v6DFC                  v6DFC                   324-port NextPort CSM v6DFC     or 30-port MICA NM-DM;
                                                                                                                       8- and 16-port analog NM-AM
V.90               Yes                  Yes                    Yes                     Yes                             Yes with NM-DM
V.110              Yes                  Yes                    Yes                     Yes                             Yes with NM-DM
V.120              No, CPU only         Yes                    Yes                     Yes with 324-port NextPort (1)  No, CPU only
                                                                                       CSM v6DFC
1. For more detailed information regarding the V.120 functionalities that are supported both by NextPort and Cisco IOS
software, see the section “V.120 Bit Rate Adaptation Standard.”
V.110 Bit Rate Adaption Standard
V.110 is a bit rate adaptation standard defined by the ITU that provides a standard method of
encapsulating data over global system for mobile telecommunication (GSM) and ISDN networks. V.110
allows for reliable transport of asynchronous or synchronous data. V.110 adapts a low-speed connection
to an ISDN B channel allowing the remote station or terminal adapter to use the fast call setup times
offered by ISDN. This feature allows V.110 calls to be originated and terminated over ISDN. It also
enables GSM wireless connectivity.
V.110, as an alternative to V.120, gives DTE with V-series type interfaces access to the ISDN
network by bit stuffing. Many V.110 devices are used in Europe and Japan. In Japan, MICA supports the
Personal-Handyphone-System Internet Access Forum Standard (PIAFS) protocol, which is similar to
V.110.
The V.110 implementation for calls on MICA modems is managed by special boardware and modem
code, along with the appropriate Cisco IOS image, in a manner similar to other modulation standards.
This MICA V.110 implementation provides V.110 user rates ranging from 600 bps to 38,400 bps.
V.110 is supported on the following Cisco devices and network modules:
• Cisco AS5300-series access servers
• Cisco 3620, 3640, and 3660 access routers
• NM-6DM, NM-12DM, NM-18DM, NM-24DM, and NM-30DM network modules
The digital signal processors (DSPs) on the board can function as either modems or V.110 terminal
adapters (or V.120 terminal adapters for NextPort DSPs). Based on the ISDN Q.931 bearer capability
information element, the Cisco IOS software configures the DSP to treat the incoming call as a modem
call, a V.110 call, or a V.120 call.
Figure 18 shows a dial-in scenario for how V.110 technology can be used with a stack of
Cisco AS5300-series access servers.
Figure 18 V.110 Dial-In Scenario Using a Stack of Cisco AS5300-Series Access Servers
[Figure 18 illustration: a laptop with a wireless modem and a cellular phone reach a cellular tower and GSM cellular satellite; a telecommuter or home office connects through a V.110 terminal adapter; both paths cross the PSTN/ISDN network over PRI to a stack of Cisco AS5300 access servers loaded with V.110 terminal adapter cards, a dial process server, and the Internet or enterprise network.]
V.120 Bit Rate Adaptation Standard
ITU-T Recommendation V.120 was revised by ITU-T Study Group 14. V.120 describes a standard that can
be used for adapting terminals with non-ISDN standard network interfaces to an ISDN. It is intended to
be used between two terminal adapter (TA) functional groups, between two ISDN terminal (TE1)
functional groups, between a TA and a TE1, or between either a TA or TE1 and an interworking facility
inside a public or private ISDN.
V.120 allows for reliable transport of synchronous, asynchronous, or bit transparent data over ISDN
bearer channels. Cisco provides three V.120 support features for terminal adapters that do not send the
low-layer compatibility fields or bearer capability V.120 information:
• Answer all incoming calls as V.120—Static configuration used when all remote users have
asynchronous terminals and need to connect with a vty on the router.
• Automatically detect V.120 encapsulation—Encapsulation dynamically detected and set.
• Enable V.120 support for asynchronous access over ISDN.
For terminal adapters that send the low-layer compatibility or bearer capability V.120 information,
mixed V.120 and ISDN calls are supported. No special configuration is required.
V.120 is a digital rate adaptation standard and cannot be terminated on NM-AM network module analog modems.
MICA DSP firmware does not have the code to terminate V.120 calls.
NextPort supports only a subset of the V.120 functionality that is supported by Cisco IOS software.
Therefore, certain V.120 calls still need to be terminated on the CPU, even if the chassis has
available NextPort modems.
Managing Modems
To manage modems, perform the tasks in the following sections; the tasks you need to perform depend
upon the type and needs of your system:
• Managing SPE Firmware
• Configuring Modems in Cisco Access Servers
• Configuring Cisco Integrated Modems Using Modem Attention Commands
• Configuring Modem Pooling
• Configuring Physical Partitioning
• Configuring Virtual Partitioning
• Configuring Call Tracker
• Configuring Polling of Link Statistics on MICA Modems
• Configuring MICA In-Band Framing Mode Control Messages
• Enabling Modem Polling
• Setting Modem Poll Intervals
• Setting Modem Poll Retry
• Collecting Modem Statistics
• Troubleshooting Using a Back-to-Back Modem Test Procedure
• Clearing a Direct Connect Session on a Microcom Modem
• Displaying Local Disconnect Reasons
• Removing Inoperable Modems
• Busying Out a Modem Card
• Monitoring Resources on Cisco High-End Access Servers
Managing SPE Firmware
You can upgrade your modem firmware to the latest NextPort Service Processing Element (SPE)
firmware image available from Cisco. The SPE firmware image is usually retrieved from Cisco.com. You
must first copy the SPE image from a TFTP server to flash memory using the copy tftp flash command.
You then configure the firmware upgrade using the firmware location and firmware upgrade SPE
configuration commands. The firmware location command specifies the location of the firmware file
and downloads the firmware to an SPE or a range of SPEs, according to the schedule you selected for
the firmware upgrade method using the firmware upgrade command.
The modem firmware upgrade commands must be saved into the system configuration using the write
memory command; otherwise, at the next reboot downloading of the specified firmware will not occur.
To upgrade SPE firmware, use the following commands:

Step 1  Router# configure terminal
        Purpose: Enters global configuration mode.

Step 2  AS5400:
        Router(config)# spe slot/spe
        or
        Router(config)# spe slot/spe slot/spe
        AS5800:
        Router(config)# spe shelf/slot/spe
        or
        Router(config)# spe shelf/slot/spe shelf/slot/spe
        Purpose: Enters SPE configuration mode. You can choose to configure a range of SPEs by specifying the first and last SPE in the range.

Step 3  Router(config-spe)# firmware upgrade {busyout | download-maintenance | reboot}
        Purpose: Specifies the upgrade method. Three methods of upgrade are available. The busyout keyword waits until all calls are terminated on an SPE before upgrading the SPE to the designated firmware. The download-maintenance keyword upgrades the firmware during the download maintenance time. The reboot keyword requests the access server to upgrade firmware at the next reboot.

Step 4  Router(config-spe)# firmware location [IFS:[/]]filename
        Purpose: Specifies the SPE firmware file in flash memory to use for the selected SPEs. Allows you to upgrade firmware for SPEs after the new SPE firmware image is copied to your flash memory.
        The Cisco IOS file specification (IFS) can be any valid IFS on any local file system. Use the dir all-filesystems EXEC command to display legal IFSs. Examples of legal IFS specifications include:
        • bootflash:—Loads the firmware from a separate flash memory device.
        • flash:—Loads the firmware from the flash NVRAM located within the router.
        • system:/—Loads the firmware from a built-in file within the Cisco IOS image. The optional forward slash (/) and system path must be entered with this specification.
        • filename—The name of the desired firmware file (for example, mica-modem-pw.2.7.3.0.bin). If the system keyword is specified, enter the path to the filename you want to download.

Step 5  Router(config-spe)# exit
        Purpose: Exits SPE configuration mode.

Step 6  Router(config)# exit
        Purpose: Exits global configuration mode.

Step 7  Router# copy running-config startup-config
        Purpose: Saves your changes.

Note As soon as a firmware file is specified, the downloading begins. Do not specify all modems and then
go into an upgrade process on a busy router. The modems that are not busy will all be marked busy
and the server will wait until all the modems on each of the given cards are free before upgrading the
multiple-port cards. The only way to clear this situation is to start disconnecting users with a clear
command. Normally, groups of modems are specified in scripts with the spe slot/spe_begin and
slot/spe_end statements, and upgrades are done in a rolling fashion.
Use the show modem version and show spe version commands to verify that the modems are running
the portware version you specified.
The following example shows how to enter the SPE configuration mode, set the range of SPEs, specify
the firmware file location in flash memory, download the file to the SPEs, and display a status report
using the show spe EXEC command:
Router# configure terminal
Router(config)# spe 7/0 7/17
Router(config-spe)# firmware upgrade busyout
Router(config-spe)# firmware location flash:np_6_75
Started downloading firmware flash:np_6_75.spe
Router(config-spe)# exit
Router(config)# exit
Router# show spe 7
.
.
.
SPE SPE SPE SPE Port Call
SPE# Port # State Busyout Shut Crash State Type
7/00 0000-0005 ACTIVE 1 0 0 BBBBBB ______
7/01 0006-0011 DOWNLOAD 1 0 0 bbbbbb ______
7/02 0012-0017 DOWNLOAD 1 0 0 bbbbbb ______
7/03 0018-0023 DOWNLOAD 1 0 0 bbbbbb ______
.
.
.
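As an added check that is not part of this guide, the following Python script parses show spe output in the layout shown above and reports which SPEs of a rolling firmware upgrade busyout run are still downloading, and how many ports are held busied out while the server waits for calls to drain. The sample output is constructed to match the example above; the column meanings are taken from the header line, nothing more is assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the "show spe 7" output shown in this
# guide (values are illustrative, not captured from a real device).
SAMPLE_SHOW_SPE = """\
                    SPE      SPE     SPE   SPE    Port     Call
SPE#  Port #        State    Busyout Shut  Crash  State    Type
7/00  0000-0005     ACTIVE   1       0     0      BBBBBB   ______
7/01  0006-0011     DOWNLOAD 1       0     0      bbbbbb   ______
7/02  0012-0017     DOWNLOAD 1       0     0      bbbbbb   ______
7/03  0018-0023     DOWNLOAD 1       0     0      bbbbbb   ______
.
.
.
"""

# One data row: SPE#, port range, SPE state, busyout/shut flags, crash count,
# per-port state string and call type string.
ROW_RE = re.compile(
    r"^(?P<spe>\d+/\d+)\s+(?P<ports>\d+-\d+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<busyout>[01])\s+(?P<shut>[01])\s+(?P<crash>\d+)\s+"
    r"(?P<portstate>\S+)\s+(?P<calltype>\S+)\s*$"
)


@dataclass
class SpeRow:
    spe: str
    first_port: int
    last_port: int
    state: str
    busyout: bool
    shut: bool
    crash: int

    @property
    def port_count(self):
        return self.last_port - self.first_port + 1


def parse_show_spe(text):
    """Return one SpeRow per data line; header and '.' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        lo, hi = m.group("ports").split("-")
        rows.append(SpeRow(m.group("spe"), int(lo), int(hi), m.group("state"),
                           m.group("busyout") == "1", m.group("shut") == "1",
                           int(m.group("crash"))))
    return rows


def upgrade_status(rows):
    """Summarise a rolling 'firmware upgrade busyout' run.

    complete is True only when no SPE is still in DOWNLOAD (or any other
    non-ACTIVE state); ports_out_of_service counts the ports on SPEs that
    are currently busied out, i.e. unavailable to callers.
    """
    summary = {"active": [], "downloading": [], "other": [],
               "busied_out": [], "ports_out_of_service": 0}
    for r in rows:
        if r.state == "ACTIVE":
            summary["active"].append(r.spe)
        elif r.state == "DOWNLOAD":
            summary["downloading"].append(r.spe)
        else:
            summary["other"].append(r.spe)
        if r.busyout:
            summary["busied_out"].append(r.spe)
            summary["ports_out_of_service"] += r.port_count
    summary["complete"] = not summary["downloading"] and not summary["other"]
    return summary


if __name__ == "__main__":
    status = upgrade_status(parse_show_spe(SAMPLE_SHOW_SPE))
    print("still downloading:", status["downloading"])
    print("ports out of service:", status["ports_out_of_service"])
    print("upgrade complete:", status["complete"])
```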
For information about upgrading Cisco 3600 Series and Cisco 3700 modems, see the Cisco 3600 Series
and Cisco 3700 Series Modem Portware Upgrade Configuration Note at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis3600/sw_conf/portware/5257d56k.htm
Configuring Modems in Cisco Access Servers
To configure modem support for access servers such as the Cisco AS5300 and AS5800, perform the
following tasks. The list describes which tasks are required and which are optional but recommended.
• Configuring Modem Lines (Required)
• Verifying the Dial-In Connection (Optional but Recommended)
• Troubleshooting the Dial-In Connection (Optional but Recommended)
• Configuring the Modem Using a Modemcap (Required)
• Configuring the Modem Circuit Interface (Required for Digital Modems)
Note See the chapter “Configuring and Managing Cisco Access Servers and Dial Shelves” for additional
information about configuring Cisco AS5x00 series access servers.
Configuring Modem Lines
You must configure the modem lines and set the country code to enable asynchronous connections into
your access server. To configure the modems and line, use the following commands beginning in global
configuration mode:
Step 1  MICA modems:
        Router(config)# modem country mica country
        NextPort SPE modems:
        Router(config)# spe country country
        Microcom modems:
        Router(config)# modem country microcom_hdms country
        Purpose: Depending on the type of modems loaded in your access server, specifies the modem vendor and country code (see note 1 below). This step is only for the MICA, NextPort SPE, and Microcom modems in the Cisco AS5000 series access servers. Table 7 through Table 10 provide a summary and comparison of the Cisco IOS commands used for the MICA and NextPort modems.

Step 2  Router(config)# line beginning-line-number ending-line-number
        Purpose: Enters the number of modem lines to configure. Usually this range is equal to the number of modems in the access server. Use the show line EXEC command to see which lines are available.

Step 3  Router(config-line)# transport {input | output} {all | none}
        Purpose: Specifies which connection protocols can be used when connecting to the line. For outgoing calls, choose the output option. For incoming calls, choose the input option. If you do not intend to dial out, choose the none option.

Step 4  Router(config-line)# autoselect {arap | ppp | slip}
        Purpose: Configures the line to automatically start an AppleTalk Remote Access (ARA), PPP, or Serial Line Internet Protocol (SLIP) session. You can configure more than one protocol by entering multiple autoselect commands with the appropriate keyword.

Step 5  Router(config-line)# autoselect during-login
        Purpose: Configures the lines to display the username and password prompt as soon as the line is connected, rather than waiting until the user presses the Enter or Return key at the terminal.

Step 6  Router(config-line)# login authentication dialin
        or
        Router(config-line)# login login-name
        Router(config-line)# password password
        Purpose: Enables authentication across all asynchronous modem logins. Use the login authentication dialin command when authentication, authorization, and accounting (AAA) authentication has been enabled. Use the login and password commands to configure non-AAA user authentication.

Step 7  Router(config-line)# modem dialin
        Purpose: Configures the modem for only incoming calls.

Step 8  Router(config-line)# exit
        Purpose: Returns to global configuration mode.

1. For a comprehensive list of modem country codes, see the modem country mica command and the modem country microcom_hdms
command in the Cisco IOS Dial Technologies Command Reference.

Verifying the Dial-In Connection
Before configuring any additional protocols for the line such as SLIP, PPP, or ARA, test whether the
dial-in connection for the access server and modem are configured correctly for dial-in access.
Note The same configuration issues exist between the client DTE and client modem. Make sure that you
have the correct EIA/TIA-232 cabling and modem initialization string for your client modem.
The following is an example of a successful connection from a PC using a known good modem to dial
in to a Cisco access server:
at
OK
atdt9,5550101
CONNECT 14400/ARQ/V32/LAPM/V42BIS
User Access Verification
Username: user1
Password:
Router>
Troubleshooting the Dial-In Connection
Depending upon the problems you experience, take the appropriate action:
• If you are having problems making or receiving calls, make sure that you turned on the protocols for
connecting to the lines and configured for incoming and outgoing calls.
• If the calls are not coming up at all, turn on modem debugging. Use the modem debugging
commands as follows:
– The debug modem command enables debugging on the modem line.
– The debug modem csm (or debug csm modem) command enables debugging for lines
configured for digital modems.
– The debug isdn q931 command enables debugging for lines configured for the ISDN and
Signaling System 7 (SS7) Q.931 protocols.
– The debug cas command enables debugging for lines configured for channel-associated
signaling (CAS).
Following is a sample of how to enable and then disable Cisco IOS modem debugging commands
on a network access server:
Router# debug modem
Router# debug modem csm
Router# debug isdn q931
Router# no debug modem
Router# no debug modem csm
Router# no debug isdn q931
• Enter the debug modem ? command for a list of additional modem debugging commands:
Router# debug modem ?
b2b Modem Special B2B
csm CSM activity
maintenance Modem maintenance activity
mica MICA Async driver debugging
oob Modem out of band activity
tdm B2B Modem/PRI TDM
trace Call Trace Upload
• Turn off the messages by entering the no debug modem command.
For more detailed information, refer to the TAC Tech Notes document, Troubleshooting Modems, at the
following URL: http://www.cisco.com/warp/public/471/index_14280.html
Configuring the Modem Using a Modemcap
Modems are controlled by a series of parameter settings (up to a limit of 128 characters) that are sent to
the modem to configure it to interact with a Cisco device in a specified way. The parameter settings are
stored in a database called a modem capability (modemcap). The Cisco IOS software contains defined
modemcaps that have been found to properly initialize internal modems. Following are the names of
some modemcaps available in the Cisco IOS software:
• cisco_v110—Cisco (NEC) internal V.110 TA (AS5200)
• mica—Cisco MICA HMM/DMM internal digital modem
• nextport—Cisco NextPort CSMV/6 internal digital modem
• microcom_hdms—Microcom HDMS chassis
• microcom_mimic—Cisco (Microcom) internal analog modem (NM-AM–2600/3600)
• microcom_server—Cisco (Microcom) V.34/56K internal digital modem (AS5200)
Enter these modemcap names with the modem autoconfigure type command.
For more information on creating and using modemcaps refer to the TAC Tech Notes documentation,
Recommended Modemcaps for Internal Digital and Analog Modems on Cisco Access Servers, at the
following URL: http://www.cisco.com/warp/public/471/recc_modemcaps.html
If your modem is not on this list and you know what modem initialization string you need to use with
it, you can create your own modemcap; see the following procedure, “Using the Modem Autoconfigure
Type Modemcap Feature.” To have the Cisco IOS software determine what type of modem you have, use the
modem autoconfigure discovery command to configure it, as described in the procedure “Using the
Modem Autoconfigure Discovery Feature.”
Note When configuring an internal modem, avoid using the Modem Autoconfigure Discovery feature
because the feature can misdetect the internal modem type and cause the modem to start working in
an unpredictable and unreproducible manner.
Using the Modem Autoconfigure Type Modemcap Feature
If you know what modem initialization string you need to use with your modem, you can create your
own modemcap by performing the following steps.
Step 1 Use the modemcap edit command to define your own modemcap entry.
The following example defines modemcap MODEMCAPNAME:
Router(config)# modemcap edit MODEMCAPNAME miscellaneous &FS0=1&D3
Step 2 Apply the modemcap to the modem lines as shown in the following example:
Router# terminal monitor
Router# debug confmodem
Modem Configuration Database debugging is on
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line 33 34
Router(config-line)#modem autoconfigure type MODEMCAPNAME
Jan 16 18:12:59.643: TTY34: detection speed (115200) response ---OK---
Jan 16 18:12:59.643: TTY34: Modem command: --AT&FS0=1&D3--
Jan 16 18:12:59.659: TTY33: detection speed (115200) response ---OK---
Jan 16 18:12:59.659: TTY33: Modem command: --AT&FS0=1&D3--
Jan 16 18:13:00.227: TTY34: Modem configuration succeeded
Jan 16 18:13:00.227: TTY34: Detected modem speed 115200
Jan 16 18:13:00.227: TTY34: Done with modem configuration
Jan 16 18:13:00.259: TTY33: Modem configuration succeeded
Jan 16 18:13:00.259: TTY33: Detected modem speed 115200
Jan 16 18:13:00.259: TTY33: Done with modem configuration
Note The report that is generated by the debug confmodem command can be misleading for the MICA
and NextPort internal modems because these modems do not have Universal Asynchronous
Receiver/Transmitter (UART) and exchange data with the CPU at speeds of hundreds of kbps.
Using the Modem Autoconfigure Discovery Feature
If you prefer that the modem software use its autoconfigure mechanism to configure the modem, use the
modem autoconfigure discovery command.
The following example shows how to configure modem autoconfigure discovery mode:
Router# terminal monitor
Router# debug confmodem
Modem Configuration Database debugging is on
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# line 33 34
Router(config-line)# modem autoconfigure discovery
Jan 16 18:16:17.724: TTY33: detection speed (115200) response ---OK---
Jan 16 18:16:17.724: TTY33: Modem type is default
Jan 16 18:16:17.724: TTY33: Modem command: --AT&F&C1&D2S0=1H0--
Jan 16 18:16:17.728: TTY34: detection speed (115200) response ---OK---
Jan 16 18:16:17.728: TTY34: Modem type is default
Jan 16 18:16:17.728: TTY34: Modem command: --AT&F&C1&D2S0=1H0--
Jan 16 18:16:18.324: TTY33: Modem configuration succeeded
Jan 16 18:16:18.324: TTY33: Detected modem speed 115200
Jan 16 18:16:18.324: TTY33: Done with modem configuration
Jan 16 18:16:18.324: TTY34: Modem configuration succeeded
Jan 16 18:16:18.324: TTY34: Detected modem speed 115200
Jan 16 18:16:18.324: TTY34: Done with modem configuration
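The following Python script is an added example, not part of this guide, that reads debug confmodem output in the format of the two listings above and audits each TTY: it confirms that the configuration reported success, that the AT string sent is the one the applied modemcap should produce, and flags lines where autoconfigure discovery fell back to the default modem type, which the Note on internal modems warns against. The log lines are constructed in the guide's format; TTY35 and TTY36, and reading "Modem type is default" as a discovery fallback, are assumptions of the example.

```python
import re

# Constructed sample: TTY33/34 were configured with a user modemcap (as in the
# "modem autoconfigure type" listing), TTY35 went through discovery and fell
# back to the default type, and TTY36 never reported success.
SAMPLE_LOG = """\
Jan 16 18:12:59.643: TTY34: detection speed (115200) response ---OK---
Jan 16 18:12:59.643: TTY34: Modem command: --AT&FS0=1&D3--
Jan 16 18:12:59.659: TTY33: detection speed (115200) response ---OK---
Jan 16 18:12:59.659: TTY33: Modem command: --AT&FS0=1&D3--
Jan 16 18:13:00.227: TTY34: Modem configuration succeeded
Jan 16 18:13:00.227: TTY34: Detected modem speed 115200
Jan 16 18:13:00.227: TTY34: Done with modem configuration
Jan 16 18:13:00.259: TTY33: Modem configuration succeeded
Jan 16 18:13:00.259: TTY33: Detected modem speed 115200
Jan 16 18:13:00.259: TTY33: Done with modem configuration
Jan 16 18:16:17.724: TTY35: detection speed (115200) response ---OK---
Jan 16 18:16:17.724: TTY35: Modem type is default
Jan 16 18:16:17.724: TTY35: Modem command: --AT&F&C1&D2S0=1H0--
Jan 16 18:16:18.324: TTY35: Modem configuration succeeded
Jan 16 18:16:18.324: TTY35: Done with modem configuration
Jan 16 18:16:20.101: TTY36: detection speed (115200) response ---OK---
Jan 16 18:16:20.101: TTY36: Modem command: --AT&FS0=1&D3--
"""

# "<timestamp>: TTY<n>: <message>" as emitted by debug confmodem
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): TTY(?P<tty>\d+): (?P<msg>.*)$")
SPEED_RE = re.compile(r"detection speed \((\d+)\) response ---(\w+)---$")
TYPE_RE = re.compile(r"Modem type is (.+)$")
CMD_RE = re.compile(r"Modem command: --(.+)--$")


def parse_confmodem(log):
    """Group the debug output per TTY and record what each line reported."""
    ttys = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a confmodem line (prompts, other debug output)
        t = ttys.setdefault(m.group("tty"), {
            "speed": None, "response": None, "type": None,
            "command": None, "succeeded": False, "done": False})
        msg = m.group("msg")
        sp = SPEED_RE.match(msg)
        if sp:
            t["speed"], t["response"] = int(sp.group(1)), sp.group(2)
            continue
        ty = TYPE_RE.match(msg)
        if ty:
            t["type"] = ty.group(1)
            continue
        cm = CMD_RE.match(msg)
        if cm:
            t["command"] = cm.group(1)
        elif msg == "Modem configuration succeeded":
            t["succeeded"] = True
        elif msg == "Done with modem configuration":
            t["done"] = True
    return ttys


def audit_confmodem(ttys, expected_command):
    """Return (tty, finding) pairs for lines that need a second look."""
    findings = []
    for tty in sorted(ttys, key=int):
        t = ttys[tty]
        if not t["succeeded"]:
            findings.append((tty, "configuration did not report success"))
        if t["command"] != expected_command:
            findings.append((tty, "init string %r differs from expected %r"
                             % (t["command"], expected_command)))
        if t["type"] == "default":
            findings.append((tty, "discovery fell back to the default modem type"))
    return findings


if __name__ == "__main__":
    # AT&FS0=1&D3 is what the MODEMCAPNAME modemcap in the guide produces.
    for tty, why in audit_confmodem(parse_confmodem(SAMPLE_LOG), "AT&FS0=1&D3"):
        print("TTY%s: %s" % (tty, why))
```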
Configuring the Modem Circuit Interface
The next task to complete before using the integrated modem is to configure the modem circuit interface.
The basic steps are outlined next:
• If the integrated modem is an analog modem, no further configuration is required; modem
characteristics are set on the line.
• If the integrated modem is a digital modem, you can configure either the ISDN or CAS, as
appropriate.
– For ISDN BRI and PRI, you need to select the switch type and whether ISDN accepts incoming
voice or data calls. If you configure a PRI, you will need to configure the T1 or E1 controller.
See the chapter “Configuring ISDN BRI” in the “ISDN Configuration” part of this guide, and
the chapter “Configuring ISDN PRI” in the “Signaling Configuration” part of this guide.
– Configuring CAS is described in the chapter “Configuring ISDN PRI” in the Signaling
Configuration part of this guide.
If you want to configure SS7, refer to Appendix G, “Configuring the Cisco SS7/C7 Dial Access Solution
System,” in the Cisco IOS Voice, Video, and Fax Configuration Guide.
Comparison of NextPort SPE and MICA Modem Commands
Table 7 through Table 10 compare the MICA and SPE commands.
Table 7 EXEC Commands: NextPort to MICA Command Comparison

NextPort SPE Commands | Purpose | MICA Modem Commands
clear port | Clears specified ports. | clear modem
clear port log | Clears all log entries for specified ports. | clear modem log
clear spe | Reboots all specified SPEs. All calls will be torn down. | none
clear spe counters | Clears all statistics. | clear modem counters
clear spe log | Clears all log entries for specified SPEs. | clear modem log
show port config | Displays configuration parameters for the current active session. | show modem config
show port modem calltracker | Displays port-level information for an active modem. | show modem calltracker
show port modem log | Displays the events generated by the modem sessions. | show modem log
show port modem test | Displays port modem test results. | show modem test
show port operational-status | Displays statistics for the current active session. | show modem operational-status
show spe | Displays the SPE status. | —
show spe log | Displays the SPE system log. | —
show spe modem active | Displays the statistics of all active calls on specified SPEs. | show modem
show spe modem csr | Displays the call success rate (CSR) for the specified SPE. | show modem
show spe modem disconnect-reason | Displays all modem disconnect reasons for the specified SPEs. | show modem call-stats
show spe modem high speed | Displays the total number of connections negotiated within each modulation or coder-decoder (codec) for a specific range of SPEs. | show modem speed
show spe modem high standard | Displays the total number of connections negotiated within each high modulation or codec for a specific range of SPEs or for all the SPEs. | —
show spe modem low speed | Displays the connect speeds negotiated within each low-speed modulation or codec for a specific range of SPEs or for all the SPEs. | show modem speed
show spe modem low standard | Displays the total number of connections negotiated within each low modulation or codec for a specific range of SPEs or for all the SPEs. | —
show spe modem summary | Displays the modem service history statistics for specific SPEs. | show modem
show spe version | Displays all MICA and NextPort firmware versions stored in flash memory and the firmware assigned to each SPE. | show modem mapping

Table 8 SPE Configuration Commands: NextPort to MICA Command Comparison

NextPort SPE Commands | Purpose | MICA Modem Commands
busyout | Busies out active calls. | modem busyout
firmware location filename | Specifies the firmware file to be upgraded. | Already implemented on the Cisco AS5300 and Cisco AS5800 platforms.
firmware upgrade | Specifies the upgrade method. | Already implemented on the Cisco AS5300 platform.
port modem autotest (1) | Enables modem autotest. | modem autotest
shutdown | Tears down all active calls on the specified SPEs. | modem shutdown
spe | Configures the SPE. | Already implemented on the Cisco AS5300 and Cisco AS5800 platforms.
spe call-record | Generates a modem call record at the end of each call. | modem call-record
spe country | Sets the system country code. | modem country
spe log-size | Sets the maximum log entries for each port. | modem buffer-size
spe poll | Sets the statistic polling interval. | modem poll

1. Cisco does not recommend the use of the modem autotest or port modem autotest command. These commands may produce unexpected results
including modems being marked out of service and unscheduled reloads. These commands have been removed in Cisco IOS Release 12.3.

Table 9 Port Configuration Commands: NextPort to MICA Command Comparison

NextPort SPE Commands | Purpose | MICA Modem Commands
busyout | Busies out a port. | modem busyout
default | Compares the value of the command to its default value. | default modem
port | Configures the port range. | modem range
shutdown | Shuts down a port. | modem shutdown

Table 10 Global Configuration Commands: NextPort to MICA Command Comparison

NextPort SPE CLI Commands | Purpose | MICA Modem CLI Commands
ds0 busyout-threshold | Defines a threshold to maintain a balance between the number of digital signal level 0s (DS0s) and modems. | modem busyout-threshold
Configuring Cisco Integrated Modems Using Modem Attention Commands
This section provides information about using modem attention (AT) command sets to modify modem
configuration. It contains the following sections:
• Using Modem Dial Modifiers on Cisco MICA Modems (As required)
• Changing Configurations Manually in Integrated Microcom Modems (As required)
• Configuring Leased-Line Support for Analog Modems (As required)
Using Modem Dial Modifiers on Cisco MICA Modems
Dial modifiers permit multistage dialing for outbound modem calling through public and private
switched telephone networks (PSTNs).
Note For additional information about dial modifiers for the MICA modems, search Cisco.com for the
publication AT Command Set and Register Summary for MICA Six-Port Modules.
The Cisco NAS Modem Health feature is enabled by arguments to the ATD AT command. The AT prefix
informs the network access server modem that commands are being sent to it, and the D (dial string or
dial) suffix dials a telephone number, establishing a connection. With the NAS Modem Health feature, you
can enter the dial modifiers listed in Table 11 after the D in your dial string: X, W, and the comma (,)
character. These modifiers were previously accepted without error but ignored by Cisco MICA
modems on Cisco AS5300 and Cisco AS5800 universal access servers.
In the following example dial string, the portion of the string before the X is dialed for the given line
type used in your configuration. All digits after the X generate the appropriate DTMF tones.
atdT5550101x,,567
Table 11 Dial Modifiers for Cisco MICA Modems

Dial Modifier | Definition
X | Switches to in-band dual tone multifrequency (DTMF) mode for any subsequent digits remaining in the ATD string. The X dial modifier has been added to serve as a delimiter for the host when the dial string is processed. It allows Cisco MICA portware to be used in many environments that do not support DTMF dialing (for example, PRI).
W | Waits for dial tone and then switches to in-band DTMF mode for any subsequent digits remaining in the ATD string. The W dial modifier also acts as a delimiter between the primary and secondary sections of the dial string, so that no additional X modifier is needed. Once either an X or a W has been parsed in the dial string, any additional X modifiers are ignored. Additional W modifiers cause Cisco MICA modems to wait for a dial tone.
, | Delay: Number of seconds in S8. Default is 2 seconds. The comma (,) dial modifier is treated as a silent DTMF tone for the duration of seconds specified in S8. The comma is acted on only after the call switching module (CSM) has made the transition to DTMF mode, which requires that it either follow an X or a W in the dial string, or that the T1/E1 be configured for DTMF signaling.
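As an added example (not Cisco's code), the following Python function applies the X, W and comma semantics of Table 11 to an ATD string, separating the primary dial portion from the in-band DTMF actions the CSM performs afterwards; the trunk_dtmf flag models a T1/E1 configured for DTMF signaling. Treating any other character as an unsupported modifier is an assumption of the example.

```python
import re

S8_DEFAULT = 2  # seconds; the default of the S8 register given in Table 11

ATD_RE = re.compile(r"^AT\s*D([TP]?)(.*)$", re.IGNORECASE)


def parse_mica_dial_string(cmd, s8=S8_DEFAULT, trunk_dtmf=False):
    """Split an ATD string into what is dialed by the line's own signaling
    and what is sent as in-band DTMF once the CSM has switched modes.

    Returns a dict:
      primary  - digits before the first X or W, dialed for the line type
      actions  - ordered (kind, value) tuples after the delimiter:
                 ("wait_dialtone", None), ("pause", seconds), ("dtmf", digit)
      ignored  - (character, reason) for modifiers that had no effect
    """
    m = ATD_RE.match(cmd.strip())
    if not m:
        raise ValueError("not an ATD command: %r" % cmd)
    body = m.group(2)
    primary, actions, ignored = [], [], []
    dtmf_mode = trunk_dtmf   # a DTMF-signaled trunk already honours commas
    delimited = False        # becomes True once an X or W has been parsed
    for ch in body.upper():
        if ch == "X":
            if delimited:
                ignored.append(("X", "already in DTMF mode"))
            else:
                delimited = dtmf_mode = True
        elif ch == "W":
            # W is a delimiter too, and every W waits for dial tone again
            delimited = dtmf_mode = True
            actions.append(("wait_dialtone", None))
        elif ch == ",":
            if dtmf_mode:
                actions.append(("pause", s8))
            else:
                ignored.append((",", "CSM not yet in DTMF mode"))
        elif ch.isdigit() or ch in "*#":
            if delimited:
                actions.append(("dtmf", ch))
            else:
                primary.append(ch)
        elif ch in " -()":
            continue  # formatting only
        else:
            # assumption of this example: anything else is not a MICA modifier
            ignored.append((ch, "unsupported dial modifier"))
    return {"primary": "".join(primary), "actions": actions, "ignored": ignored}


if __name__ == "__main__":
    # The guide's own example string: 5550101 is dialed for the line type,
    # then two S8 pauses and the DTMF digits 5, 6, 7.
    print(parse_mica_dial_string("atdT5550101x,,567"))
```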
Changing Configurations Manually in Integrated Microcom Modems
You can change the running configuration of an integrated modem by sending individual modem AT
commands. Manageable Microcom modems have an out-of-band feature, which is used to poll modem
statistics and send AT commands. The Cisco IOS software uses a direct connect session to transfer
information through this out-of-band feature. To send AT commands to a Microcom modem, you must
permit a direct connect session for a specified modem, open a direct connect session, send AT commands
to a modem, and clear the directly connected session from the modem when you are finished.
Open a direct connect session by entering the modem at-mode slot/port command in privileged EXEC
mode. From here, you can send AT commands directly from your terminal session window to the internal
Microcom modems. Most incoming or outgoing calls on the modems are not interrupted when you open
a direct connect session and send AT commands. However, some AT commands interrupt a call—for
example, the ATH command, which hangs up a call. Open and close one direct connect session at a time.
Note that multiple open sessions slow down modem performance.
Refer to the AT command set that came with your router for a complete list of AT commands that you
can send to the modems.
For Microcom modems, you can clear or terminate an active directly connected session in two ways:
• Press Ctrl-C after sending all AT commands as instructed by the system when you enter AT
command mode.
• Enter a second Telnet session and execute the clear modem at-mode slot/port EXEC command.
This method is used for closing a directly connected session that may have been mistakenly left open
by the first Telnet session.
The following example illustrates use of the modem commands.
AT Mode Example for Integrated Modems
To establish a direct connect session to an internal or integrated modem (existing inside the router), such
as the connection required for Microcom modems in the Cisco AS5200 access server, open a directly
connected session with the modem at-mode command and then send an AT command to the specified
modem. For example, the following example sends the AT command at%v to modem 1/1:
AS5200# modem at-mode 1/1
You are now entering AT command mode on modem (slot 1 / port 1).
Please type CTRL-C to exit AT command mode.
at%v
MNP Class 10 V.34/V.FC Modem Rev 1.0/85
OK
at\s
IDLE 000:00:00
LAST DIAL
NET ADDR: FFFFFFFFFFFF
MODEM HW: SA 2W United States
4 RTS 5 CTS 6 DSR - CD 20 DTR - RI
MODULATION IDLE
MODEM BPS 28800 AT%G0
MODEM FLOW OFF AT\G0
MODEM MODE AUT AT\N3
V.23 OPR. OFF AT%F0
AUTO ANS. ON ATS0=1
SERIAL BPS 115200 AT%U0
BPS ADJUST OFF AT\J0
SPT BPS ADJ. 0 AT\W0
ANSWER MESSGS ON ATQ0
SERIAL FLOW BHW AT\Q3
PASS XON/XOFF OFF AT\X0
PARITY 8N AT
The modem responds with “OK” when the AT command you send is received.
Configuring Leased-Line Support for Analog Modems
Analog modems on the NM-8AM and NM-16AM network modules in the Cisco 2600 and 3600 series
routers provide two-wire leased-line support for enterprise customers who require point-to-point
connections between locations and for enterprise customers with medium to high data transfer
requirements without access to other technologies or with access to only low-grade phone lines.
This feature works only with leased lines that provide loop current. Each modem used must have an
RJ-11 connection to the PSTN.
Several features enhance the analog modem software:
• 2-wire leased-line support.
• Modem speeds up to 33.6 kbps with support for all current analog modem protocols, compression,
and error correction techniques.
• Power-on autoconnect and loopback testing.
• Support for the maximum number of leased-line users without data transmission loss at distances up
to 2 to 5 km.
• In-band and out-of-band monitoring.
• Support on all Cisco 2600 and Cisco 3600 series platforms and upgradability using Cisco IOS
software.
• Compatibility with other major leased-line modem vendors.
To configure this support, configure one modem AT command (AT&L) and two AT registers with the
modemcap entry command for the appropriate leased lines.
For leased-line configuration using the AT&L{0 | 1 | 2} command:
• 0—Disables the leased line (enables switched line; default).
• 1—Enables the leased line. The modem initiates a leased line when dial and answer commands
(ATD and ATA) are issued.
• 2—Enables the leased line. The modem goes off hook automatically after T57 number of seconds in:
– Originate mode if ATS0 is 0.
– Answer mode if ATS0 is not equal to 0.
The following AT registers can also be set:
• AT:T57—Number of seconds before going off hook in leased-line mode when the command
AT&L2 is used (defaults to 6).
• AT:T79—Number of autoretrains before the modem is disconnected (defaults to 3).
For more information about using the AT command set with the modems on the NM-8AM and
NM-16AM network modules in the Cisco 2600 and 3600 series routers, search Cisco.com for the
publication AT Command Set and Register Summary for Analog Modem Network Modules.
To configure a modem for leased-line operation, use the following commands in global configuration
mode:
The show modemcap command lists all the predefined modem types and any user-defined modemcaps
that are currently configured on the router:
• If the leased line has been configured, the modemcap information will be available.
• If the leased line has not been configured, only the predefined modem types will be displayed.
The setting that matters for leased-line support is the &L2 command in the modemcap string, together with the way that modemcap is applied to the line. Consider the following command strings:
modemcap entry micro_LL_orig:AA=S0=0&L2
modemcap entry micro_LL_ans:AA=S0=1&L2
AA stands for autoanswer:
• The answering modem AA register is set to 1 (AA=S0=1) so that autoanswer is on.
• The originating modem AA register is set to 0 (AA=S0=0) so that autoanswer is off.
If the AA feature is used, both the originating and the answering modem must be put into leased-line mode with the &L2 AT command.
In the examples, the micro_LL_orig and micro_LL_ans strings are arbitrary text descriptions.
Note For the modemcap entry command, one of the predefined modem types may be used or a completely
user-defined modemcap may be created. For leased line, no new modem type was added. Users may
create their own modemcaps for leased-line functionality.
To configure the modem for leased-line operation, use the modemcap entry command. For each
connection, each modem must be configured as an originator or answerer.
The following example shows modemcaps for a leased-line originator and answerer and their application
to specific ports:
modemcap entry micro_LL_orig:AA=S0=0&L2
modemcap entry micro_LL_ans:AA=S0=1&L2
line 73
no exec
modem InOut
modem autoconfigure type micro_LL_ans
transport input all
line 74
no exec
modem InOut
modem autoconfigure type micro_LL_orig
transport input all
The commands for leased-line operation, in global configuration mode, are:
Command                                                          Purpose
Step 1  Router(config)# modemcap entry modem-type-name:AA=S0=0&L2   Sets the modemcap for leased-line operation for the originating modem.
Step 2  Router(config)# modemcap entry modem-type-name:AA=S0=1&L2   Sets the modemcap for leased-line operation for the answering modem.
Note When Multilink PPP (MLP) is configured on a dialer interface, the dialer configuration has a default
value of 2 minutes for dialer idle timeout. For leased-line connections, set the dialer idle timeout to
infinity by adding dialer idle-timeout 0 to the configuration.
Verifying the Analog Leased-Line Configuration
The following information is important for verifying or troubleshooting your configuration. The show
modem log command displays the progress of leased-line connections. Here is an example log for a
leased-line answerer. Note the “LL Answering” state and “LL Answer” in the “Direction” field of the
connection report:
00:44:03.884 DTR set high
00:44:02.888 Modem enabled
00:43:57.732 Modem disabled
00:43:52.476 Modem State:LL Answering
00:43:52.476 CSM:event-MODEM_STARTING_CONNECT New State-CSM_CONNECT_INITIATED_STATE
00:43:51.112 Modem State:Waiting for Carrier
00:43:43.308 Modem State:Connected
00:43:42.304 Connection:TX/RX Speed = 33600/33600, Modulation = V34
             Direction = LL Answer, Protocol = MNP, Compression = V42bis
00:43:42.304 CSM:event-MODEM_CONNECTED New State-CONNECTED_STATE
00:43:42.300 RS232:noCTS* DSR* DCD* noRI noRxBREAK TxBREAK*
00:43:41.892 PPP mode active
00:43:41.892 Modem enabled
00:43:39.888 PPP escape maps set:TX map=00000000 RX map=FFFFFFFF
00:43:39.724 PPP escape maps set:TX map=00000000 RX map=000A0000
00:43:34.444 RS232:CTS* DSR DCD noRI noRxBREAK TxBREAK
00:43:11.716 Modem Analog Report:TX = -20, RX = -34, Signal to noise = 61
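The following Python script is added here as an illustration and is not part of Cisco's documentation or software. It parses a show modem log listing like the one above and checks the points the text calls out: that the modem entered an LL state, that the Direction field of the Connection report reads LL Answer, and how long the leased-line negotiation took. The sample log is constructed from the listing above. Treating the hh:mm:ss field as the age of each event (so the listing reads oldest-first) is an assumption about the output format, and the state and Direction strings of the originating side are not shown in this guide, so a caller checking that modem must supply them.

```python
"""Parse Cisco IOS 'show modem log' output and check that a modem came up in leased-line mode.

Added example for this guide; it is not Cisco code.  Assumption: the hh:mm:ss field on each
entry is the age of the event (time elapsed since it happened), so the log reads oldest-first,
as the guide's own answering-modem example does.  SAMPLE_LL_ANSWER_LOG is constructed from
that example."""
import re
from dataclasses import dataclass

SAMPLE_LL_ANSWER_LOG = """\
00:44:03.884 DTR set high
00:44:02.888 Modem enabled
00:43:57.732 Modem disabled
00:43:52.476 Modem State:LL Answering
00:43:52.476 CSM:event-MODEM_STARTING_CONNECT New State-CSM_CONNECT_INITIATED_STATE
00:43:51.112 Modem State:Waiting for Carrier
00:43:43.308 Modem State:Connected
00:43:42.304 Connection:TX/RX Speed = 33600/33600, Modulation = V34
             Direction = LL Answer, Protocol = MNP, Compression = V42bis
00:43:42.304 CSM:event-MODEM_CONNECTED New State-CONNECTED_STATE
00:43:42.300 RS232:noCTS* DSR* DCD* noRI noRxBREAK TxBREAK*
00:43:41.892 PPP mode active
00:43:41.892 Modem enabled
00:43:39.888 PPP escape maps set:TX map=00000000 RX map=FFFFFFFF
00:43:39.724 PPP escape maps set:TX map=00000000 RX map=000A0000
00:43:34.444 RS232:CTS* DSR DCD noRI noRxBREAK TxBREAK
00:43:11.716 Modem Analog Report:TX = -20, RX = -34, Signal to noise = 61
"""

ENTRY_RE = re.compile(r"^(\d+):(\d{2}):(\d{2}(?:\.\d+)?)\s+(\S.*)$")


@dataclass
class Entry:
    age: float      # seconds since the event occurred (see module docstring)
    message: str


def parse_modem_log(text):
    """Return Entry objects in log order; a line without a timestamp continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            age = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
            entries.append(Entry(age, m[4]))
        elif entries:
            entries[-1].message += " " + line   # wrapped continuation line
    return entries


def connection_report(entries):
    """Fields of the 'Connection:' report (speeds, modulation, direction, protocol, compression), or None."""
    for e in entries:
        if e.message.startswith("Connection:"):
            parts = re.split(r",?\s*(TX/RX Speed|Modulation|Direction|Protocol|Compression)\s*=\s*", e.message)
            fields = {k.lower(): v.strip() for k, v in zip(parts[1::2], parts[2::2])}
            tx, rx = fields.pop("tx/rx speed").split("/")
            fields.update(tx_speed=int(tx), rx_speed=int(rx))
            return fields
    return None


def analog_report(entries):
    """TX/RX levels and signal-to-noise figure from the 'Modem Analog Report' entry, or None."""
    for e in entries:
        m = re.search(r"Modem Analog Report:TX = (-?\d+), RX = (-?\d+), Signal to noise = (\d+)", e.message)
        if m:
            return {"tx_level": int(m[1]), "rx_level": int(m[2]), "snr": int(m[3])}
    return None


def seconds_to_connect(entries):
    """Seconds from entering a leased-line (LL) state to 'Connected', or None if either is missing."""
    start = next((e.age for e in entries if e.message.startswith("Modem State:LL ")), None)
    done = next((e.age for e in entries if e.message == "Modem State:Connected"), None)
    if start is None or done is None:
        return None
    return round(start - done, 3)   # ages count down as time moves forward


def verify_leased_line(entries, expected_direction="LL Answer"):
    """Return a list of problems; an empty list means the modem negotiated in leased-line mode.
    The guide shows the answering side's strings ('LL Answering', 'LL Answer'); pass the
    originating side's Direction string when checking that modem."""
    issues = []
    states = [e.message[len("Modem State:"):] for e in entries if e.message.startswith("Modem State:")]
    if not any(s.startswith("LL ") for s in states):
        issues.append("modem never entered a leased-line (LL) state: check &L2 in the modemcap "
                      "and the 'modem autoconfigure type' applied to the line")
    if "Connected" not in states:
        issues.append("modem never reached the Connected state")
    report = connection_report(entries)
    if report is None:
        issues.append("no Connection report found")
    elif report["direction"] != expected_direction:
        issues.append(f"Direction is '{report['direction']}', expected '{expected_direction}'")
    return issues


if __name__ == "__main__":
    log = parse_modem_log(SAMPLE_LL_ANSWER_LOG)
    print(connection_report(log), analog_report(log))
    print("seconds to connect:", seconds_to_connect(log), "| issues:", verify_leased_line(log))
```

Feed it the output of show modem log for the line in question; a non-empty issues list points at the modemcap or the line configuration, and a Direction of plain Answer rather than LL Answer means the modem is still in switched-line mode.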
Cisco 2600 and 3600 Series Analog Modem Leased-Line Support Examples
In the following examples, one Cisco 3620 router and one Cisco 3640 router are connected back-to-back
using leased lines. The Cisco 3620 router has the originating configuration, and the Cisco 3640 router
has the answering configuration.
In the dialer interface configuration, the dialer idle-timeout 0 command is added to set the dialer idle
timeout to be infinity. Otherwise the leased line will go down and up every 2 minutes because the default
dialer interface idle timeout is 2 minutes.
Note Except for passwords and logins, the Cisco IOS command-line interface (CLI) is case-insensitive.
For this document, an uppercase “L” has been used in the command examples to avoid confusion with
the numeral “1”.
Leased-Line Originating Configuration
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
modemcap entry micro_LL_orig:AA=S0=0&L2
modemcap entry micro_LL_ans:AA=S0=1&L2
!
interface Async33
no ip address
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer in-band
dialer pool-member 1
async default routing
async dynamic routing
async mode dedicated
no peer default ip address
no fair-queue
no cdp enable
ppp direction callout
ppp multilink
!
interface Dialer1
ip address 10.1.24.1 255.255.255.0
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer remote-name sara40
dialer pool 1
dialer idle-timeout 0
dialer max-call 4096
no cdp enable
ppp direction callout
ppp multilink
!
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
transport input none
line 33
no exec
modem InOut
modem autoconfigure type micro_LL_orig
transport input all
line aux 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
!
end
Leased-Line Answering Configuration
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
modemcap entry micro_LL_orig:AA=S0=0&L2
modemcap entry micro_LL_ans:AA=S0=1&L2
!
interface Async73
no ip address
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer in-band
dialer pool-member 1
async default routing
async dynamic routing
async mode dedicated
no peer default ip address
no fair-queue
no cdp enable
ppp direction callout
ppp multilink
!
interface Dialer1
ip address 10.1.24.2 255.255.255.0
encapsulation ppp
no ip route-cache
no ip mroute-cache
load-interval 30
dialer remote-name sara20
dialer pool 1
dialer idle-timeout 0
dialer load-threshold 1 either
dialer max-call 4096
no cdp enable
ppp direction callout
ppp multilink
!
dialer-list 1 protocol ip permit
line con 0
exec-timeout 0 0
transport input none
line 73
no exec
modem InOut
modem autoconfigure type micro_LL_ans
transport input all
line aux 0
transport input all
flowcontrol hardware
line vty 0 4
exec-timeout 0 0
!
end
Configuring Modem Pooling
Modem pooling allows you to control which modem a call connects to, on the basis of dialed number
identification service (DNIS). When modem pooling is not used, incoming and outgoing calls are
arbitrarily assigned to modems. For example, consider a Cisco AS5300 access server loaded with a
4-port ISDN PRI card. After an analog modem call comes into the first PRI trunk, the call is greeted by
a general pool of B channels and a general pool of modems. Any B channel can be connected to any
modem in the access server. A random assignment takes place. Modem resources cannot be controlled.
Modem pooling assigns physical modems to a single DNIS. It enables you to create pools of physical
modems in one access server, assign a unique DNIS to each modem pool, and set maximum simultaneous
connect limits.
This feature is used for physically partitioning or virtually partitioning modems inside one network
access server.
Modem pooling offers these benefits:
• A certain number of modem ports can be guaranteed per DNIS.
• Maximum simultaneous connection limits can be set for each DNIS.
The following restrictions apply:
• Modem pooling is not a solution for large-scale dial access. It cannot be used to create virtual
modem pools across multiple access servers that are connected. Modem pooling is physically
restricted to one access server.
• MICA and Microcom technology modems support modem pooling. However, only MICA modems
support modem pooling for CT1 and CE1 configurations using CAS. To use modem pooling with
CT1 or CE1 connections, you must reserve at least two modems in the default modem pool. These
reserved modems decode DNIS before handing off calls to the modems assigned to modem pools.
If you see many call failures appearing on the access server, try assigning more modems to the
default pool. Use the show modem and show modem summary EXEC commands to display the
modem call failure and success ratio.
• No MIBs support modem pooling.
• The same DNIS cannot exist in more than one modem pool.
Modem pooling is supported on Cisco AS5300 access servers. To configure it, perform the tasks in the following sections:
• Creating a Modem Pool (Required)
• Verifying Modem Pool Configuration (As required)
Creating a Modem Pool
You must first decide to physically partition or virtually partition your modems. For more information,
see the previous section, “Configuring Modem Pooling.” After you have made this decision, create a
modem pool for a dial-in service or specific customer by using the following commands beginning in
global configuration mode.
Command                                                              Purpose
Step 1  Router(config)# modem-pool name                               Creates a modem pool, assigns it a name, and starts modem pool configuration mode.
Step 2  Router(config-modem-pool)# pool-range number-number           Assigns a range of modems to the pool. A hyphen (-) is required between the two numbers. The modems you can choose from are those in the access server that are not currently associated with another modem pool.
Step 3  Router(config-modem-pool)# called-number number [max-conn number]   Assigns the DNIS to be used for this modem pool.(1) The max-conn option specifies the maximum number of simultaneous connections allowed for this DNIS. If you do not specify a max-conn value, the default (the total number of modems in the pool) is used.
Step 4  Router(config-modem-pool)# Ctrl-Z                             Returns to EXEC mode.
Note If you have active modem calls on the access server before using modem pooling, modem pooling
gracefully applies itself to the access server. Modem pooling first waits for active calls to hang up
before assigning modems to modem pools and directing calls according to DNIS.
Verifying Modem Pool Configuration
To verify the modem configuration, enter the show modem-pool command to display the configuration.
This command displays the structure and activity status for all the modem pools in the access server. See
Table 12 for a description of each display field.
Router# show modem-pool
modem-pool: System-def-Mpool
modems in pool: 0 active conn: 0
0 no free modems in pool
modem-pool: v90service
modems in pool: 48 active conn: 46
8 no free modems in pool
called_party_number: 1234
max conn allowed: 48, active conn: 46
8 max-conn exceeded, 8 no free modems in pool
modem-pool: v34service
modems in pool: 48 active conn: 35
0 no free modems in pool
called_party_number: 5678
max conn allowed: 48, active conn: 35
0 max-conn exceeded, 0 no free modems in pool
Step 5  Router# show configuration                   Displays the running configuration so that you can verify the modem pool settings. Make changes accordingly.
Step 6  Router# copy running-config startup-config   Saves the running configuration to the startup configuration.
1. The DNIS string can contain the character x to indicate a "don't care" digit at that position, for example, 555010x.
Table 12 show modem-pool Field Descriptions
Field                   Description
modem-pool              Name of the modem pool. In the previous example, three modem pools are configured: System-def-Mpool, v90service, and v34service. To set the modem pool name, refer to the modem-pool command. All the modems not assigned to a modem pool are automatically assigned to the system default pool (displayed as System-def-Mpool).
modems in pool          Number of modems assigned to the modem pool. To assign modems to a pool, refer to the description of the pool-range command.
active conn             Number of simultaneous active connections for the specified modem pool or called party DNIS number.
no free modems in pool  Number of times incoming calls were rejected because there were no more free modems in the pool to accept the call.
called_party_number     Specified called party DNIS number. This is the number that the remote clients use to dial in to the access server. You can have more than one DNIS number per modem pool. To set the DNIS number, refer to the description of the called-number command.
max conn allowed        Maximum number of modems that a called party DNIS number can use; this is an overflow protection measure. To set this feature, refer to the description of the called-number command.
max-conn exceeded       Number of times an incoming call using this called party DNIS number was rejected because the max-conn number parameter specified by the called-number command was exceeded.

For modem pool configuration examples, see the section "Physical Partitioning with Dial-In and Dial-Out Scenario" later in this chapter.
Check the following if you are having trouble operating your modem:
• Make sure you have not configured the same DNIS for multiple pools.
• Make sure you have not placed the same modem in multiple pools.
Note Modem pools that use MICA or Microcom modems support incoming analog calls over ISDN PRI. However, only MICA modems support modem pooling for T1 and E1 configurations with CAS.
Configuring Physical Partitioning
You can either physically partition or virtually partition your modems to enable different dial-in and dial-out services. This section provides information about the following optional tasks:
• Creating a Physical Partition, page 86
• Physical Partitioning with Dial-In and Dial-Out Scenario, page 88
Physical partitioning uses one access server to function as multiple access servers loaded with different types of modem services (for example, V.34 modems, fax-capable modems, and point-of-sale (POS) modems). Each modem service is part of one physical modem pool and is assigned a unique DNIS number. (See Figure 19.)
Figure 19 Modem Pooling Using Physical Partitioning
Physical partitioning can also be used to set up an access server for bidirectional dial access. (See
Figure 20.)
Figure 20 shows one Cisco AS5300 access server loaded with 96 MICA modems and configured with 2
modem pools. One modem pool has 84 modems and collects DNIS. This pool is shared by 400
salespeople who remotely download e-mail from headquarters. The other modem pool contains 12
fax-capable modems and does not collect DNIS. This pool is shared by 40 employees using PCs on a
LAN. Each time an outbound call is initiated by a PC, a modem on the Cisco AS5300 access server is
seized and used to fax out or dial out. Not configuring DNIS support in the fax-out modem pool protects
the pool from being used by the calls coming in from the field. Regardless of how many salespeople are
dialing in or which telephone number they use, the fax-out and dial-out modem pool will always be
reserved for the PCs connected to the LAN.
Figure 20 Modem Pooling Used for Bidirectional Dialing
Creating a Physical Partition
The following task creates one V.34 modem pool and one 56K modem pool on a Cisco AS5200. Each
modem pool is configured with its own DNIS. Depending on which DNIS the remote clients dial, they
connect to a 56K MICA modem or a V.34 Microcom modem.
[Figure 19: one Cisco AS5300 loaded with 96 modems, partitioned into four pools of 24 modems each: 56K modems (assigned DNIS 555-1111), V.34 modems (555-2222), fax-capable modems (555-3333), and POS modems (555-4444).]
[Figure 20: a Cisco AS5300 with four PRI or CT1 lines to the PSTN and a headquarters LAN with an e-mail server. Dial-in calls from field salespeople using 56K modems land on a pool of 84 V.90 modems for which DNIS is collected. Dial-out and fax-out calls from 40 PCs running the Cisco DialOut Utility software use 12 modems in the default modem pool, for which DNIS is not collected.]
The following hardware configuration is used on the Cisco AS5200 access server:
• One 2-port T1 PRI card
• One 48-port card containing four 6-port MICA 56K modem modules and two 12-port Microcom
V.34 modem modules
To configure basic physical partitioning, perform the following steps:
Step 1 Enter global configuration mode:
Router# configure terminal
Router(config)#
Step 2 Create the modem pool for the 56K MICA modem services using the modem-pool name command. The
modem pool is called 56kservices, which spans four 6-port MICA 56K modem modules.
Router(config)# modem-pool 56kservices
Router(config-modem-pool)#
Note The router is in modem pool configuration mode after the prompt changes from
Router(config)# to Router(config-modem-pool)#.
Step 3 Assign a range of modems to the modem pool using the pool-range number-number command. Because
all the 56K MICA technologies modems are seated in slot 1, they are assigned TTY line numbers 1 to
24. Use the show line EXEC command to determine the TTY line numbering scheme for your access
server.
Router(config-modem-pool)# pool-range 1-24
Step 4 Assign a DNIS to the modem pool using the called-number number [max-conn number] command.
This example uses the DNIS 5550101 to connect to the 56K modems. The maximum simultaneous
connection limit is set to 24. The 25th user who dials 5550101 gets a busy signal.
Router(config-modem-pool)# called-number 5550101 max-conn 24
Step 5 Return to EXEC mode by entering Ctrl-Z. Next, display the modem pool configuration using the show
modem-pool command. In the following example, 56K modems are in the modem pool called
56kservices. The remaining 24 V.34 Microcom modems are still in the default system pool.
Router(config-modem-pool)# ^Z
Router# show modem-pool
modem-pool: System-def-Mpool
modems in pool: 24 active conn: 0
0 no free modems in pool
modem-pool: 56kservices
modems in pool: 24 active conn: 0
0 no free modems in pool
called_party_number: 5550101
max conn allowed: 24, active conn: 0
0 max-conn exceeded, 0 no free modems in pool
Step 6 Create the modem pool for the Microcom physical partition. After the configuration is complete, the
show modem-pool command shows that there are no remaining modems in the system default modem
pool.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# modem-pool v34services
Router(config-modem-pool)# pool-range 25-48
Router(config-modem-pool)# called-number 5550202 max-conn 24
Router(config-modem-pool)# ^Z
Router# show modem-pool
modem-pool: System-def-Mpool
modems in pool: 0 active conn: 0
0 no free modems in pool
modem-pool: 56kservices
modems in pool: 24 active conn: 0
0 no free modems in pool
called_party_number: 5550101
max conn allowed: 24, active conn: 0
0 max-conn exceeded, 0 no free modems in pool
modem-pool: v34services
modems in pool: 24 active conn: 0
0 no free modems in pool
called_party_number: 5550202
max conn allowed: 24, active conn: 0
0 max-conn exceeded, 0 no free modems in pool
Router# copy running-config startup-config
Physical Partitioning with Dial-In and Dial-Out Scenario
The following is a bidirectional dial scenario using a Cisco AS5300 access server. Two modem pools are
configured. One modem pool contains 84 56K MICA modems, which is shared by 400 remote
salespeople who dial in to headquarters. The other modem pool contains 12 fax-capable modems, which
are shared by 40 employees who dial out of the headquarters LAN using the Cisco DialOut Utility
software. See Figure 20 for the network topology.
The following hardware configuration is used on the Cisco AS5300:
• One 4-port T1 PRI card
• Two 48-port cards containing fourteen 6-port MICA 56K modem modules and two 6-port MICA
fax-capable modem modules
To configure physical partitioning with dial-in and dial-out capability, perform the following steps:
Step 1 Create the 56K modem pool for the 400 remote salespeople. This modem pool contains 84 modems,
which are reserved for the dial-in calls. To get access, the salespeople dial the DNIS 5550303. The total
number of simultaneous calls is limited to 84. The 85th call and those above it are rejected. The modem
dialin line configuration command is used to prevent modems 1 to 84 from dialing out.
Router# configure terminal
Router(config)# modem-pool 56ksalesfolks
Router(config-modem-pool)# pool-range 1-84
Router(config-modem-pool)# called-number 5550303 max-conn 84
Router(config-modem-pool)# exit
Router(config)# line 1 84
Router(config-line)# modem dialin
Router(config-line)# transport input all
Router(config-line)# rotary 1
Router(config-line)# autoselect ppp
Router(config-line)# exit
Router(config)#
Step 2 Create the dial-out/fax-out modem pool for the 40 local employees connected to the headquarters LAN.
This modem pool contains 12 fax-capable MICA modems. No DNIS is assigned to the pool. Because
lines 85 to 96 are used for the dial-out and fax-out modem services, the asynchronous lines are
configured for reverse Telnet. This configuration is needed for the Telnet extensions to work with the
dial-out application, which is installed on the LAN PCs.
Router(config)# modem-pool dialoutfolks
Router(config-modem-pool)# pool-range 85-96
Router(config-modem-pool)# exit
Router(config)# line 85 96
Router(config-line)# refuse-message z [!NMM!] No Modems Available z
Router(config-line)# exec-timeout 0 0
Router(config-line)# autoselect during-login
Router(config-line)# autoselect ppp
Router(config-line)# modem inout
Router(config-line)# rotary 1
Router(config-line)# transport preferred telnet
Router(config-line)# transport input all
Router(config-line)# exit
Router(config)#
Step 3 Configure the group asynchronous interface, which assigns core protocol characteristics to all the
asynchronous interfaces in the system. Regardless of the direction that the modems are dialing, all
modems in the access server leverage this group asynchronous configuration.
Router(config)# interface group-async 1
Router(config-if)# ip unnumbered ethernet 0
Router(config-if)# encapsulation ppp
Router(config-if)# async mode interactive
Router(config-if)# ppp authentication chap pap paplocal
Router(config-if)# peer default ip address pool bidir_dial_pool
Router(config-if)# no cdp enable
Router(config-if)# no ip mroute-cache
Router(config-if)# no ip route-cache
Router(config-if)# async dynamic routing
Router(config-if)# async dynamic address
Router(config-if)# group range 1-96
Building configuration...
Router(config-if)# exit
Step 4 Create an IP address pool for all the dial-in clients and dial-out clients. Both types of clients borrow
addresses from this shared pool.
Router(config)# ip local pool bidir_dial_pool 10.4.1.1 10.4.1.96
Router(config)# ^z
Router# copy running-config startup-config
Step 5 (Optional) If you are using CiscoSecure AAA and a remote TACACS+ server, include the following security statements on the access server. Two of the sample values must not be copied as they stand: enable password stores the password in a reversible form, so use enable secret with a site-specific password on software that supports it, and the tacacs-server key value is likewise a placeholder to be replaced by a strong shared secret:
Router(config)# aaa new-model
Router(config)# aaa authentication login default tacacs+
Router(config)# aaa authentication login noaaa local
Router(config)# aaa authentication login logintac tacacs+
Router(config)# aaa authentication ppp ppptac tacacs+
Router(config)# aaa authentication ppp paplocal local
Router(config)# aaa authorization exec tacacs+
Router(config)# aaa authorization network tacacs+
Router(config)# aaa authorization reverse-access tacacs+
Router(config)# aaa accounting exec start-stop tacacs+
Router(config)# aaa accounting network start-stop tacacs+
Router(config)# aaa accounting update newinfo
Router(config)# enable password cisco
You should also include the host name, timeout interval, and authentication key:
Router(config)# tacacs-server host 10.4.1.10
Router(config)# tacacs-server timeout 20
Router(config)# tacacs-server key nas1
Configuring Virtual Partitioning
Virtual partitioning creates one large modem pool on one access server, but assigns different DNIS
numbers to different customers. Each incoming DNIS consumes resources from the same modem pool,
but a maximum connect option is set for each DNIS.
Figure 21 shows two Internet service provider (ISP) customers who are leasing modems from another
service provider. Each ISP is assigned its own DNIS number and range of modems. Each ISP is
guaranteed a certain number of physical modem ports for simultaneous connections. After an ISP uses
up all the modems assigned to its DNIS, a busy signal is issued.
Figure 21 Modem Pooling Using Virtual Partitioning
Virtual partitioning essentially resells modem banks to customers, such as a small-sized ISP. However,
remember that modem pooling is a single-chassis solution, not a multichassis solution. Modem pooling
is not a solution for reselling ports on a large-scale basis.
The following procedure creates one modem pool on a Cisco AS5300 access server for two ISP
customers. The shared modem pool is called isp56kpool. However, both ISP customers are assigned
different DNIS numbers and are limited to a maximum number of simultaneous connections.
See Figure 21 for the network topology.
The following hardware configuration is used on the Cisco AS5300 access server:
• One 4-port T1 PRI card
• Two 48-port cards containing sixteen 6-port MICA 56K modem modules
[Figure 21: a Cisco AS5300 loaded with 96 MICA modems, with four PRI or CE1 lines to the PSTN and Fast Ethernet to the backbone leading to the Internet, leases modems to ISP-A and ISP-B; the clients of each ISP dial in to the leased POP. Modem pool ISP-A: 48 modems, assigned DNIS 5551111, maximum connections 48. Modem pool ISP-B: 48 modems, assigned DNIS 5552222, maximum connections 48.]
To configure virtual partitioning, perform the following steps:
Step 1 Enter global configuration mode:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Step 2 Create the shared modem pool for the 56K MICA modem services. This modem pool is called
isp56kpool, which spans sixteen 6-port MICA 56K modem modules.
Router(config)# modem-pool isp56kpool
Router(config-modem-pool)#
Step 3 Assign all the modems to the modem pool using the pool-range number-number command. Use the
show line EXEC command to determine your TTY line numbering scheme.
Router(config-modem-pool)# pool-range 1-96
Step 4 Assign a unique DNIS to each ISP customer using the called-number number [max-conn number]
command. In this example, the max-conn number option limits each ISP to 48 simultaneous
connections. The 49th user to dial either DNIS will get a busy signal.
Router(config-modem-pool)# called-number 5550101 max-conn 48
Router(config-modem-pool)# called-number 5550202 max-conn 48
Step 5 Return to EXEC mode by entering a Ctrl-Z sequence. Next, display the modem pool configuration using
the show modem-pool command. In the following example, all the 56K modems are in the isp56kpool
modem pool. The output also shows two DNIS numbers configured: 5550101 and 5550202.
Router(config-modem-pool)# ^Z
Router# show modem-pool
modem-pool: System-def-Mpool
modems in pool: 0 active conn: 0
0 no free modems in pool
modem-pool: isp56kpool
modems in pool: 96 active conn: 0
0 no free modems in pool
called_party_number: 5550101
max conn allowed: 48, active conn: 0
0 max-conn exceeded, 0 no free modems in pool
called_party_number: 5550202
max conn allowed: 48, active conn: 0
0 max-conn exceeded, 0 no free modems in pool
Router# copy running-config startup-config
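As an added example, and not Cisco code, the Python below applies the checks from the troubleshooting list earlier in the modem pooling section (no DNIS in two pools, no modem in two pools, with the x don't-care digit of the called-number command honoured) to running-config text, and models the max-conn and free-modem accounting that produces the busy signal for the 49th caller in this procedure and for the 25th caller in the physical partitioning procedure. The two configurations embedded in it are constructed for the example. How the access server handles a call whose DNIS matches no pool is not stated in this guide, so the model simply rejects such a call.

```python
"""Lint Cisco IOS modem-pool configuration and model DNIS-based call placement.

Added example for this guide; it is not Cisco code.  It parses the modem-pool, pool-range and
called-number commands from running-config text, applies the checks the guide lists (no DNIS
in two pools, no modem in two pools, 'x' as a don't-care DNIS digit) and models the per-DNIS
max-conn and per-pool free-modem counters that show modem-pool reports.  Rejecting a call
whose DNIS matches no pool is a simplification of this model, not something the guide states."""
import re
from dataclasses import dataclass, field

# Constructed sample: the guide's virtual-partitioning configuration (96 MICA modems).
VIRTUAL_PARTITION_CFG = """\
modem-pool isp56kpool
 pool-range 1-96
 called-number 5550101 max-conn 48
 called-number 5550202 max-conn 48
"""

# Constructed sample with deliberate mistakes: the second pool reuses modems 20-24,
# sets max-conn above its own size, and its wildcard DNIS 555010x also matches 5550101.
BROKEN_CFG = """\
modem-pool 56kservices
 pool-range 1-24
 called-number 5550101 max-conn 24
modem-pool v34services
 pool-range 20-48
 called-number 555010x max-conn 30
"""


@dataclass
class Pool:
    name: str
    lines: set = field(default_factory=set)   # TTY line numbers from pool-range
    dnis: dict = field(default_factory=dict)  # DNIS pattern -> max-conn (None: pool size)


def parse_modem_pools(config):
    """Build Pool objects from running-config text; sub-commands follow their modem-pool line."""
    pools, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("modem-pool "):
            name = line.split(None, 1)[1]
            cur = pools.setdefault(name, Pool(name))
        elif cur and (m := re.fullmatch(r"pool-range (\d+)-(\d+)", line)):
            cur.lines.update(range(int(m[1]), int(m[2]) + 1))
        elif cur and (m := re.fullmatch(r"called-number ([0-9x]+)(?: max-conn (\d+))?", line)):
            cur.dnis[m[1]] = int(m[2]) if m[2] else None
        elif not raw.startswith(" "):
            cur = None  # any other top-level command ends the modem-pool block
    return pools


def dnis_overlap(a, b):
    """True if two DNIS patterns can match the same dialed number ('x' is a don't-care digit)."""
    return len(a) == len(b) and all(p == q or "x" in (p, q) for p, q in zip(a, b))


def validate_pools(pools, total_modems):
    """Return the problems the guide tells you to look for, plus a max-conn sanity check."""
    issues, owner = [], {}
    for p in pools.values():
        out = sorted(n for n in p.lines if not 1 <= n <= total_modems)
        if out:
            issues.append(f"{p.name}: pool-range includes lines outside 1-{total_modems} ({out[0]}-{out[-1]})")
        dup = sorted(n for n in p.lines if n in owner)
        if dup:
            issues.append(f"{p.name}: modems {dup[0]}-{dup[-1]} are already in pool {owner[dup[0]]}")
        owner.update({n: p.name for n in p.lines if n not in owner})
        for pat, mc in p.dnis.items():
            if mc is not None and mc > len(p.lines):
                issues.append(f"{p.name}: max-conn {mc} for DNIS {pat} exceeds the pool size {len(p.lines)}")
    assigned = [(p.name, pat) for p in pools.values() for pat in p.dnis]
    for i, (n1, d1) in enumerate(assigned):
        for n2, d2 in assigned[i + 1:]:
            if n1 != n2 and dnis_overlap(d1, d2):
                issues.append(f"DNIS {d1} ({n1}) overlaps DNIS {d2} ({n2}): a DNIS may belong to only one pool")
    return issues


class ModemPoolSimulator:
    """Tracks active calls per pool and per DNIS the way show modem-pool counts them."""

    def __init__(self, pools):
        self.pools = pools
        self.active = {n: 0 for n in pools}
        self.active_dnis = {(p.name, d): 0 for p in pools.values() for d in p.dnis}
        self.max_conn_exceeded = dict.fromkeys(self.active_dnis, 0)
        self.no_free_modems = dict.fromkeys(pools, 0)

    def connect(self, dialed):
        """Place an incoming call; return (pool name, []) or (None, rejection reasons)."""
        for p in self.pools.values():
            for pat, mc in p.dnis.items():
                if not dnis_overlap(pat, dialed):
                    continue
                reasons = []
                if self.active_dnis[(p.name, pat)] >= (len(p.lines) if mc is None else mc):
                    reasons.append("max-conn exceeded")
                    self.max_conn_exceeded[(p.name, pat)] += 1
                if self.active[p.name] >= len(p.lines):
                    reasons.append("no free modems in pool")
                    self.no_free_modems[p.name] += 1
                if reasons:
                    return None, reasons
                self.active_dnis[(p.name, pat)] += 1
                self.active[p.name] += 1
                return p.name, []
        return None, ["no pool configured for this DNIS"]  # model simplification, see docstring
```

Run validate_pools over the relevant part of show running-config before cutting over; the simulator reproduces the two rejection counters of show modem-pool, so that when max-conn equals the pool size, as in the v90service output earlier in this section, a rejected call increments both counters, whereas in the shared isp56kpool a 49th call to one DNIS fails only on max-conn while 48 modems remain free.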
Configuring Call Tracker
The Call Tracker feature captures detailed statistics on the status and progress of active calls and retains
historical data for disconnected call sessions. Call Tracker collects session information such as call states
and resources, traffic statistics, total bytes transmitted and received, user IP address, and disconnect
reason. This data is maintained within the Call Tracker database tables, which are accessible through the
Simple Network Management Protocol (SNMP), the CLI, or syslog.
Note The calltracker command, providing Call Tracker services, is supported for dial calls but not voice.
Calltracker is supported for dial calls on 5x platforms (5300, 5350, 5400, 5800, and 5850).
Call Tracker is notified of applicable call events by related subsystems such as ISDN, PPP, CSM,
Modem, EXEC, or TCP-Clear. SNMP traps are generated at the start of each call, when an entry is
created in the active table, and at the end of each call, when an entry is created in the history table. Call
Record syslogs are available through configuration that will generate detailed information records for
all call terminations. This information can be sent to syslog servers for permanent storage and future
analysis.
Additionally, the status and diagnostic data that is routinely collected from MICA modems is expanded
to include new link statistics for active calls, such as the attempted transmit and receive rates, the
maximum and minimum transmit and receive rates, and locally and remotely issued retrains and
speedshift counters. For more detailed information on Call Tracker logs, refer to the TAC Tech Notes
document, Understanding Call Tracker Outputs, at the following URL:
http://www.cisco.com/warp/public/471/calltracker_view.html
To configure Call Tracker, use the following commands in global configuration mode:
Command                                                                  Purpose
Step 1  Router(config)# calltracker enable                                Enables Call Tracker.
Step 2  Router(config)# calltracker call-record {terse | verbose} [quiet]   Enables Call Tracker syslog support for generating detailed Call Records.
Step 3  Router(config)# calltracker history max-size number               Sets the maximum number of call entries to store in the Call Tracker history table.
Step 4  Router(config)# calltracker history retain-mins minutes           Sets the number of minutes for which calls are stored in the Call Tracker history table.
Step 5  Router(config)# snmp-server packetsize byte-count                 Sets the maximum packet size allowed for SNMP server requests and replies.
Step 6  Router(config)# snmp-server queue-length length                   Sets the queue length for SNMP traps.
Step 7  Router(config)# snmp-server enable traps calltracker              Enables Call Tracker to send traps whenever a call starts or ends.
Step 8  Router(config)# snmp-server host host community-string calltracker   Specifies the name or IP address of the host to which Call Tracker traps are sent.
Verifying Call Tracker
To verify the operation of Call Tracker, use the following command in EXEC mode:
Command                                    Purpose
Router# show call calltracker summary      Verifies the Call Tracker configuration and current status.
Enabling Call Tracker
The following example shows how to enable the Call Tracker feature. The SNMP community strings in it (public and private, both with RW access) are placeholders: a read-write community lets anyone who knows it read and change the configuration, so in a deployment use unique, hard-to-guess strings, restrict each community with an access list, or use SNMPv3 where the software supports it.
calltracker enable
calltracker call-record terse
calltracker history max-size 50
calltracker history retain-mins 5000
!
snmp-server engineID local 0012345
snmp-server community public RW
snmp-server community private RW
snmp-server community wxyz123 view v1default RO
snmp-server trap-source FastEthernet0
snmp-server packetsize 17940
snmp-server queue-length 200
snmp-server location SanJose
snmp-server contact Bob
snmp-server enable traps snmp
snmp-server enable traps calltracker
snmp-server enable traps isdn call-information
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps ipmulticast-heartbeat
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps voice poor-qov
snmp-server host 10.255.255.255 wxyz123
snmp-server host 10.0.0.0 xxxyyy calltracker
!
radius-server host 172.16.0.0 auth-port 1645 acct-port 1646 non-standard
radius-server key xyz
!
Configuring Polling of Link Statistics on MICA Modems
The status and diagnostic data that is routinely collected from MICA modems is expanded to include
new link statistics for active calls, such as the attempted transmit and receive rates, the maximum and
minimum transmit and receive rates, and locally and remotely issued retrains and speedshift counters.
This connection data is polled from the modem at user-defined intervals and passed to Call Tracker.
To poll modem link statistics, use the following command in global configuration mode:
Command Purpose
Router(config)# modem link-info poll time seconds
Sets the polling interval at which link statistics for active calls are retrieved from the modem.
Note The modem link-info poll time command consumes a substantial amount of memory, approximately
500 bytes for each MICA modem call. Use this command only if you require the specific data that it
collects; for instance, if you have enabled Call Tracker on your access server.
Configuring MICA In-Band Framing Mode Control Messages
Dial-in Internet connections typically start in character mode to allow the user to log in and select a
preferred service. When Cisco IOS software determines that the user wants a framed interface protocol
during the call, such as PPP or SLIP, commands are sent to the MICA modem so that it will provide
hardware assistance with the framing. This hardware assistance reduces the Cisco IOS processing load.
To avoid loss or misinterpretation of framed data during the transition, issue these commands at precise
times with respect to the data being sent and received.
MICA modem framing commands can be sent in the data stream itself, which greatly simplifies Cisco
IOS tasks in achieving precision timing. For PPP connections, the common way for modems to connect
to the Internet, total connect time might typically be improved by 2 to 3 seconds. This functionality
reduces timeouts during PPP startup and reduces startup time. If an ASCII banner is sent just before PPP
startup, this feature eliminates problems with banner corruption such as truncation and extraneous
characters, thus improving the performance of terminal equipment.
In earlier software, the modem interface timing rules were not well understood and were difficult or
impossible to implement using the separate command interface of the modem. The practical result is that
the MICA in-band framing mode reduces the number of timeouts during PPP startup, and thus reduces
startup time. MICA in-band framing is supported on MICA modems in Cisco AS5300 and Cisco AS5800
access servers.
To configure the MICA in-band framing mode control messages, use the following commands beginning
in global configuration mode:
Command Purpose
Step 1 Router(config)# line line-number [ending-line-number]
Specifies the modem lines to configure and enters line configuration mode. If a range is entered, it
must be equal to the number of modems in the router.
Step 2 Router(config-line)# no flush-at-activation
Improves PPP and SLIP startup. Normally a router avoids line and modem noise by clearing the initial
data received within the first one or two seconds. However, when the autoselect PPP feature is
configured, the router flushes the characters initially received and then waits for more traffic. This
flush causes timeout problems with applications that send only one carriage return.
The Cisco IOS software offers additional interface commands that can be set to control modem interface
timing. Refer to the Cisco IOS command references for more information about the interface commands
described in the following paragraphs.
When a link goes down and comes back up before the timer set by the carrier-delay command expires,
the down state is effectively filtered, and the rest of the software on the router is not aware that a
link-down event occurred. Therefore, a large carrier-delay timer results in fewer link-up and link-down
events being detected. On the other hand, setting the carrier delay time to 0 means that every link-up and
link-down event is detected.
When the link protocol goes down (because of loss of synchronization, for example), the interface
hardware is reset and the data terminal ready (DTR) signal is held inactive for at least the specified
interval. The pulse-time command enables pulsing of the DTR signal at that interval on serial interfaces,
and is useful for handling encrypting or other similar devices that toggle the DTR signal to resynchronize.
Use the modem dtr-delay command to reduce the time that a DTR signal is held down after an
asynchronous line clears and before the DTR signal is raised again to accept new calls. Incoming calls
may be rejected in heavily loaded systems, even when modems are unused because the default DTR
hold-down interval may be too long. The modem dtr-delay command is designed for lines used for an
unframed asynchronous session such as Telnet. Lines used for a framed asynchronous session such as
PPP should use the pulse-time interface command.
Enabling Modem Polling
The following example enables modem status polling through the out-of-band feature, which is
associated to line 1:
Router# configure terminal
Router(config)# line 1
Router(config-line)# modem status-poll
Setting Modem Poll Intervals
The following example sets the time interval between polls to 10 seconds using the modem poll time
global configuration command:
Router# configure terminal
Router(config)# modem poll time 10
Setting Modem Poll Retry
The following example configures the server to attempt to retrieve statistics from a local modem up to
five times before discontinuing the polling effort:
Router# configure terminal
Router(config)# modem poll retry 5
Collecting Modem Statistics
Depending upon your modem type, the Cisco IOS software provides several show EXEC commands that
allow you to display or poll various modem statistics. See Table 7 and Table 8 to find the show EXEC
command appropriate for your modem type and the task you want to perform.
Logging EIA/TIA Events
To facilitate meaningful analysis of the modem log, turn the storage of specific types of EIA/TIA events
on or off. To activate or inactivate the storage of a specific type of EIA/TIA modem event for a specific
line or set of lines, use either of the following commands in line configuration mode, as needed:
Command Purpose
Router(config-line)# modem log {cts | dcd | dsr | dtr | ri | rs232 | rts | tst}
Configures the types of EIA/TIA events that are stored in the modem log. The default setting stores no
EIA/TIA events.
or
Router(config-line)# no modem log {cts | dcd | dsr | dtr | ri | rs232 | rts | tst}
Turns off the logging of a specific type of EIA/TIA event.
Configuring a Microcom Modem to Poll for Statistics
Manageable Microcom modems have an out-of-band feature, which is used for polling modem statistics.
To configure the system to poll for modem statistics, use the following commands beginning in global
configuration mode:
Command Purpose
Step 1 Router(config)# modem poll time seconds
Specifies the number of seconds between statistical modem polling for Microcom modems. The default
is 12 seconds. The configuration range is from 2 to 120 seconds.
Step 2 Router(config)# modem poll retry number
Sets the maximum number of polling attempts to Microcom modems. The default is three polling
attempts. The configuration range is from 0 to 10 attempts. If the number of attempts to retrieve modem
status or statistics exceeds the number you define, the out-of-band feature is removed from operation. In
this case, you must reset the modem hardware using the clear modem command.
Step 3 Router(config-line)# modem status-poll
Polls for status and statistics for a Microcom modem through the modem's out-of-band feature (entered
in line configuration mode, as in the "Enabling Modem Polling" example above).
Step 4 Router(config)# modem buffer-size number
Defines the number of modem events that each modem is able to store. The default is 100 events for each
modem. Use the show modem log command to display modem events.
Troubleshooting Using a Back-to-Back Modem Test Procedure
You can manually isolate an internal back-to-back connection and data transfer between two modems
for focused troubleshooting purposes. For example, if mobile users cannot dial in to modem 2/5 (which
is the sixth modem port on the modem board in the second chassis slot), attempt a back-to-back test with
modem 2/5 and a modem known to be functioning, such as modem 2/6. You might need to run this test on
several different combinations of modems to determine which one is not functioning properly. A pair
of operable modems connect and complete sending data in both directions. An operable modem and an
inoperable modem do not connect with each other.
To perform the modem test procedure, enter the test modem back-to-back first-slot/port
second-slot/port command, as follows:
Step 1 Perform a back-to-back modem test between two normally functioning modems. This example shows a
successful connection between modem 1/1 and modem 1/0, which verifies normal operating conditions
between these two modems:
Router# test modem back-to-back 1/1 1/0
Repetitions (of 10-byte packets) [1]: 10
Router#
%MODEM-5-B2BCONNECT: Modems (1/1) and (1/0) connected in back-to-back test: CONN
ECT9600/REL-MNP
%MODEM-5-B2BMODEMS: Modems (1/0) and (1/1) completed back-to-back test: success/
packets = 20/20
After you enter the test modem back-to-back command, you must define the number of packets sent
between modems at the Repetitions prompt. The ideal range of packets to send and receive is from 1 to
100. The default is 1 packet that is 10 bytes large. The response message (for example, “success/packets
= 20/20”) tells you how many packets were sent in both directions compared to the total number of
packets attempted to be sent in both directions. Because the software reports the packet total in both
directions, the reported numbers are two times the number you originally specify.
When a known good modem is tested against a known bad modem, the back-to-back modem test fails.
In the following example, modem 1/3 is suspected or proven to be inoperable or bad:
Router# test modem back-to-back 1/1 1/3
Repetitions (of 10-byte packets) [1]: 10
Router#
%MODEM-5-BADMODEMS: Modems (1/3) and (1/1) failed back-to-back test: NOCARRIER
Step 2 Mark modem 1/3 as an inoperable (bad) modem. To do so, first determine which line number corresponds
to the modem: use the show modem 1/3 EXEC command to verify that TTY line 4 (shown as TTY4) is used
for modem 1/3:
Router# show modem 1/3
Mdm Typ Status Tx/Rx G Duration TX RX RTS CTS DSR DCD DTR
1/3 V34 Idle 28800/28800 0 00:00:00 x x x x x
Modem 1/3, Microcom MNP10 V34 Modem (Managed), TTY4
Firmware (Boot) Rev: 1.0(23) (1.0(5))
Modem config: Incoming and Outgoing
Protocol: reliable/MNP, Compression: V42bis
Management port config: Status polling and AT session
Management port status: Status polling and AT session
TX signals: -15 dBm, RX signals: -17 dBm
Last clearing of "show modem" counters never
0 incoming completes, 0 incoming failures
0 outgoing completes, 0 outgoing failures
0 failed dial attempts, 0 ring no answers, 1 busied outs
0 no dial tones, 0 dial timeouts, 0 watchdog timeouts
0 no carriers, 0 link failures, 0 resets, 0 recover oob
0 protocol timeouts, 0 protocol errors, 0 lost events
Transmit Speed Counters:
Connection Speeds 75 300 600 1200 2400 4800
# of connections 0 0 0 0 0 0
Connection Speeds 7200 9600 12000 14400 16800 19200
# of connections 0 0 0 0 0 0
Connection Speeds 21600 24000 26400 28800 31200 32000
# of connections 0 0 0 1 0 0
Connection Speeds 33600 34000 36000 38000 40000 42000
# of connections 0 0 0 0 0 0
Connection Speeds 44000 46000 48000 50000 52000 54000
# of connections 0 0 0 0 0 0
Connection Speeds 56000
# of connections 0
Step 3 Enter line configuration mode and manually remove modem 1/3 from dial services by entering the
modem bad command on line 4:
Router# configure terminal
Router(config)# line 4
Router(config-line)# modem bad
Router(config-line)# exit
Router(config)# exit
Step 4 Enter the show modem EXEC command or the show modem slot/port command to display the bad
modem status.
Bad modems are marked with the letter B in the Mdm column of the show modem command display
output.
Router# show modem
%SYS-5-CONFIG_I: Configured from console by consolem
Inc calls Out calls Busied Failed No Succ
Mdm Usage Succ Fail Succ Fail Out Dial Answer Pct.
1/0 0% 0 0 0 0 1 0 0 0%
1/1 0% 0 0 0 0 3 0 0 0%
1/2 0% 0 0 0 0 1 0 0 0%
B 1/3 0% 0 0 0 0 1 0 0 0%
1/4 0% 0 0 0 0 1 0 0 0%
1/5 0% 0 0 0 0 1 0 0 0%
1/6 0% 0 0 0 0 1 0 0 0%
1/7 0% 0 0 0 0 1 0 0 0%
1/8 0% 0 0 0 0 1 0 0 0%
1/9 0% 0 0 0 0 1 0 0 0%
1/10 0% 0 0 0 0 1 0 0 0%
1/11 0% 0 0 0 0 1 0 0 0%
1/12 0% 0 0 0 0 1 0 0 0%
1/13 0% 0 0 0 0 1 0 0 0%
1/14 0% 0 0 0 0 1 0 0 0%
1/15 0% 0 0 0 0 1 0 0 0%
1/16 0% 0 0 0 0 1 0 0 0%
1/17 0% 0 0 0 0 1 0 0 0%
1/18 0% 0 0 0 0 0 0 0 0%
1/19 0% 0 0 0 0 0 0 0 0%
1/20 0% 0 0 0 0 0 0 0 0%
1/21 0% 0 0 0 0 0 0 0 0%
1/22 0% 0 0 0 0 0 0 0 0%
1/23 0% 0 0 0 0 0 0 0 0%
Malfunctioning modems are also marked as Bad in the Status column of the show modem slot/port
command display output, as the following example shows:
Router# show modem 1/3
Mdm Typ Status Tx/Rx G Duration TX RX RTS CTS DSR DCD DTR
1/3 V34 Bad 28800/28800 0 00:00:00 x x x x x
Modem 1/3, Microcom MNP10 V34 Modem (Managed), TTY4
Firmware (Boot) Rev: 1.0(23) (1.0(5))
Modem config: Incoming and Outgoing
Protocol: reliable/MNP, Compression: V42bis
Management port config: Status polling and AT session
Management port status: Status polling and AT session
TX signals: -15 dBm, RX signals: -17 dBm
Last clearing of "show modem" counters never
0 incoming completes, 0 incoming failures
0 outgoing completes, 0 outgoing failures
0 failed dial attempts, 0 ring no answers, 1 busied outs
0 no dial tones, 0 dial timeouts, 0 watchdog timeouts
0 no carriers, 0 link failures, 0 resets, 0 recover oob
0 protocol timeouts, 0 protocol errors, 0 lost events
Transmit Speed Counters:
Connection Speeds 75 300 600 1200 2400 4800
# of connections 0 0 0 0 0 0
Connection Speeds 7200 9600 12000 14400 16800 19200
# of connections 0 0 0 0 0 0
Connection Speeds 21600 24000 26400 28800 31200 32000
# of connections 0 0 0 1 0 0
Connection Speeds 33600 34000 36000 38000 40000 42000
# of connections 0 0 0 0 0 0
Connection Speeds 44000 46000 48000 50000 52000 54000
# of connections 0 0 0 0 0 0
Connection Speeds 56000
# of connections 0
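The back-to-back procedure above (Step 1 through Step 4) is tedious to run by hand across a board with many ports. The following Python script is an added example, not code from the Cisco guide: it parses the %MODEM-5-B2BMODEMS and %MODEM-5-BADMODEMS syslog lines that the test emits, treats the partner of a known-good modem in every failed pair as bad, reads the TTY line from the header of the show modem slot/port output, and emits the line / modem bad commands for Step 3. The sample log and show modem lines are constructed from the outputs shown above (the syslog line that wraps in the guide is joined back onto one line); the TTY number for modem 1/0 is an assumption.

```python
"""Triage Cisco IOS back-to-back modem tests.

Added example, not from the Cisco guide. Parses the %MODEM-5-* syslog lines
emitted by `test modem back-to-back`, identifies bad modems relative to one
modem known to be good, and maps them to TTY lines for `modem bad`.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed from the guide's output samples; the wrapped syslog line is joined.
SAMPLE_LOG = """\
%MODEM-5-B2BCONNECT: Modems (1/1) and (1/0) connected in back-to-back test: CONNECT9600/REL-MNP
%MODEM-5-B2BMODEMS: Modems (1/0) and (1/1) completed back-to-back test: success/packets = 20/20
%MODEM-5-BADMODEMS: Modems (1/3) and (1/1) failed back-to-back test: NOCARRIER
%MODEM-5-BADMODEMS: Modems (1/4) and (1/5) failed back-to-back test: NOCARRIER
"""
# Header lines of `show modem slot/port`; the TTY for modem 1/0 is an assumption.
SAMPLE_SHOW_MODEM = """\
Modem 1/3, Microcom MNP10 V34 Modem (Managed), TTY4
Modem 1/0, Microcom MNP10 V34 Modem (Managed), TTY1
"""

RE_RESULT = re.compile(
    r"%MODEM-5-(?:B2BMODEMS|BADMODEMS): Modems \((?P<a>\d+/\d+)\) and "
    r"\((?P<b>\d+/\d+)\) (?P<verdict>completed|failed) back-to-back test: (?P<detail>.+)"
)
RE_PACKETS = re.compile(r"success/packets = (?P<sent>\d+)/(?P<attempted>\d+)")
RE_TTY = re.compile(r"^Modem (?P<modem>\d+/\d+),.*\bTTY(?P<tty>\d+)\s*$", re.M)

Result = Tuple[str, str, bool, str]  # (modem_a, modem_b, passed, detail)


def parse_results(log: str, repetitions: int) -> List[Result]:
    """Extract one result per completed or failed test.

    A test passes only if IOS reports 'completed' AND the packet count equals
    2 * repetitions: the software reports both directions, so a short count
    means data was lost even though the modems connected.
    """
    results: List[Result] = []
    for line in log.splitlines():
        m = RE_RESULT.search(line)
        if not m:
            continue  # B2BCONNECT and unrelated syslog lines carry no verdict
        passed = m["verdict"] == "completed"
        if passed:
            p = RE_PACKETS.search(m["detail"])
            passed = bool(p) and int(p["sent"]) == int(p["attempted"]) == 2 * repetitions
        results.append((m["a"], m["b"], passed, m["detail"].strip()))
    return results


def find_bad_modems(results: List[Result], known_good: str) -> Set[str]:
    """Blame the partner of the known-good modem in every failed pair.

    Pairs that do not include the reference modem are ignored: a failure
    between two unverified modems does not say which of them is broken.
    """
    bad: Set[str] = set()
    for a, b, passed, _ in results:
        if passed or known_good not in (a, b):
            continue
        bad.add(b if a == known_good else a)
    return bad


def modem_to_tty(show_modem_output: str) -> Dict[str, int]:
    """Map 'slot/port' to its TTY line number from show modem headers."""
    return {m["modem"]: int(m["tty"]) for m in RE_TTY.finditer(show_modem_output)}


def mark_bad_commands(bad: Set[str], tty_map: Dict[str, int]) -> List[str]:
    """Line-configuration commands that take each bad modem out of service."""
    cmds = ["configure terminal"]
    for modem in sorted(bad, key=lambda s: tuple(int(x) for x in s.split("/"))):
        cmds += [f"line {tty_map[modem]}", "modem bad", "exit"]
    return cmds + ["exit"]


if __name__ == "__main__":
    found = find_bad_modems(parse_results(SAMPLE_LOG, repetitions=10), known_good="1/1")
    print("\n".join(mark_bad_commands(found, modem_to_tty(SAMPLE_SHOW_MODEM))))
```

Note that a pair of two unverified modems that fails (1/4 and 1/5 in the sample) is deliberately not blamed; rerun each of them against the reference modem, as the text recommends, before marking either bad.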
Clearing a Direct Connect Session on a Microcom Modem
The examples in this section are for Microcom modems.
The following example shows how to execute the modem at-mode command from a Telnet session:
Router# modem at-mode 1/1
The following example shows how to execute the clear modem at-mode command from a second Telnet
session while the first Telnet session is connected to the modem:
Router# clear modem at-mode 1/1
clear "modem at-mode" for modem 1/1 [confirm]
Router#
The following output is displayed in the first Telnet session after the modem is cleared by the second
Telnet session:
Direct connect session cleared by vty0 (172.19.1.164)
Displaying Local Disconnect Reasons
To find out why a modem ended its connection or why a modem is not operating at peak performance,
use the show modem call-stats [slot] EXEC command.
Disconnect reasons are described using four hexadecimal digits. The three lower-order digits can be used
to identify the disconnect reason. The high-order digit generally indicates the type of disconnect reason
or the time at which the disconnect occurred. For detailed information on the meaning of hexadecimal
values for MICA modem disconnects, refer to the TAC Tech Notes document, MICA Modem States and
Disconnect Reasons, at the following URL: http://www.cisco.com/warp/public/76/mica-states-drs.html
For detailed information on the meaning of hexadecimal values for NextPort modem disconnects, refer
to the TAC Tech Notes document, Interpreting NextPort Disconnect Reason Codes, at the following
URL: http://www.cisco.com/warp/public/471/np_disc_code.html .
Local disconnect reasons are listed across the top of the screen display (for example, wdogTimr,
compress, retrain, inacTout, linkFail, moduFail, mnpProto, and lapmProt). In the body of the screen
display, the # column shows how many times each modem disconnected for that reason. For a particular
disconnect reason, the % column gives the share of all occurrences of that reason across the entire modem
pool that were logged on this modem. For example, of all the times the rmtLink error occurred on all the
modems in the system, 10 percent occurred on modem 0/22.
Malfunctioning modems are detected by an unusually high number of disconnect counters for a
particular disconnect reason. For example, if modem 1/0 had a high number of compression errors
compared to the remaining modems in system, modem 1/0 would likely be the inoperable modem.
To reset the counters displayed by the show modem call-stats command, enter the clear modem
counters command.
Note For a complete description of each error field displayed by the commands on this page, refer to the
Cisco IOS Dial Technologies Command Reference. Remote disconnect reasons are not described by
the show modem command output.
The following example displays output for the show modem call-stats command. Because of the screen
size limitation of most terminal screen displays, not all possible disconnect reasons are displayed at one
time. Only the top eight most frequently experienced disconnect reasons are displayed at one time.
Router# show modem call-stats
dial-in/dial-out call statistics
lostCarr dtrDrop rmtLink wdogTimr compress retrain inacTout linkFail
Mdm # % # % # % # % # % # % # % # %
* 0/0 6 2 2 3 1 0 0 0 0 0 0 0 0 0 0 0
* 0/1 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0
0/2 5 2 2 3 4 3 0 0 0 0 0 0 0 0 0 0
* 0/3 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0
* 0/4 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 0/5 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0
* 0/6 4 1 2 3 2 1 0 0 0 0 0 0 0 0 0 0
* 0/7 4 1 2 3 4 3 0 0 0 0 0 0 0 0 0 0
* 0/8 6 2 1 1 3 2 0 0 0 0 0 0 0 0 0 0
* 0/9 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 0/10 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 0/11 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
0/12 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0
* 0/13 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 0/14 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 0/15 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 0/16 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 0/17 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 0/18 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 0/19 5 2 1 1 3 2 0 0 0 0 0 0 0 0 0 0
* 0/20 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 0/21 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 0/22 5 2 1 1 11 10 0 0 0 0 0 0 0 0 0 0
* 0/23 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/0 4 1 2 3 2 1 0 0 0 0 0 0 0 0 0 0
* 2/1 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/2 5 2 2 3 0 0 0 0 0 0 0 0 0 0 0 0
* 2/3 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/4 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/5 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/6 4 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 2/7 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 2/8 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 2/9 4 1 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/10 5 2 1 1 0 0 0 0 0 0 0 0 0 0 0 0
* 2/11 5 2 1 1 5 4 0 0 0 0 0 0 0 0 0 0
* 2/12 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/13 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 2/14 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/15 4 1 1 1 3 2 0 0 0 0 0 0 0 0 0 0
* 2/16 4 1 1 1 3 2 0 0 0 0 0 0 0 0 0 0
* 2/17 5 2 2 3 9 8 0 0 0 0 0 0 0 0 0 0
* 2/18 4 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 2/19 3 1 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/20 7 3 1 1 8 7 0 0 0 0 0 0 0 0 0 0
* 2/21 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 2/22 4 1 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/23 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0
Total 233 59 110 0 0 0 0 0
dial-out call statistics
noCarr noDitone busy abort dialStrg autoLgon dialTout rmtHgup
Mdm # % # % # % # % # % # % # % # %
* 0/0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0/2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/3 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/4 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/7 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/9 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/11 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0/12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/13 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/14 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/15 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/16 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/17 4 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/18 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/19 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/21 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/22 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/23 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/1 3 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/5 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/7 4 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/8 7 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/9 4 1 1 1 2 1 0 0 0 0 0 0 0 0 0 0
* 2/10 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/11 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/12 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/13 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/14 4 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/15 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/16 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/17 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/18 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/19 3 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/21 4 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/22 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/23 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Total 84 0 0 0 0 0 0 0
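As an added example that is not part of the Cisco guide, the following Python code reads show modem call-stats output of the form shown above, merges the dial-in and dial-out sections, and flags the outlier modems the text describes: those whose count for one disconnect reason is far above the rest of the pool. It also splits a four-hexadecimal-digit disconnect code into its high-order digit and three-digit reason, as described under Displaying Local Disconnect Reasons; the meaning of each value is in the referenced TAC notes, not in this code. The sample output is a constructed subset of the rows above, and the threshold (three times the pool median, with a minimum count of 5) is an assumption to tune per site.

```python
"""Spot malfunctioning modems in `show modem call-stats` output.

Added example, not from the Cisco guide. Parses both statistics sections,
merges the per-modem disconnect counters and flags modems whose count for a
reason is far above the rest of the pool.
"""
import re
import statistics
from typing import Dict, List, Tuple

# Constructed subset of the output shown in the guide (rows 0/0-0/4, 0/22,
# 2/17 and 2/20 of each section; Total rows recomputed for the subset).
SAMPLE_CALL_STATS = """\
dial-in/dial-out call statistics
lostCarr dtrDrop rmtLink wdogTimr compress retrain inacTout linkFail
Mdm # % # % # % # % # % # % # % # %
* 0/0 6 2 2 3 1 0 0 0 0 0 0 0 0 0 0 0
* 0/1 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0
0/2 5 2 2 3 4 3 0 0 0 0 0 0 0 0 0 0
* 0/3 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0
* 0/4 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0
* 0/22 5 2 1 1 11 10 0 0 0 0 0 0 0 0 0 0
* 2/17 5 2 2 3 9 8 0 0 0 0 0 0 0 0 0 0
* 2/20 7 3 1 1 8 7 0 0 0 0 0 0 0 0 0 0
Total 43 13 38 0 0 0 0 0
dial-out call statistics
noCarr noDitone busy abort dialStrg autoLgon dialTout rmtHgup
Mdm # % # % # % # % # % # % # % # %
* 0/0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0/2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/3 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/4 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 0/22 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/17 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0
* 2/20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Total 13 0 0 0 0 0 0 0
"""

Stats = Dict[str, Dict[str, int]]  # modem -> reason -> count
RE_REASON = re.compile(r"[A-Za-z]+")


def parse_call_stats(text: str) -> Stats:
    """Return {modem: {reason: count}} merged across all sections of the output.

    A line made only of words is a new header of disconnect reasons; rows pair
    a '#' count with a '%' share per reason, and only the count is kept. A
    leading '*' marks a modem that is currently on a call and is dropped.
    """
    stats: Stats = {}
    reasons: List[str] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("Mdm", "Total") or tokens[-1] == "statistics":
            continue
        if all(RE_REASON.fullmatch(t) for t in tokens):
            reasons = tokens
            continue
        if tokens[0] == "*":
            tokens = tokens[1:]
        modem, cells = tokens[0], [int(n) for n in tokens[1:]]
        counts = cells[0::2]  # '#' columns; the '%' columns are derived, skip them
        if len(counts) != len(reasons):
            raise ValueError(f"row for modem {modem} does not match header {reasons}")
        stats.setdefault(modem, {}).update(zip(reasons, counts))
    return stats


def flag_outliers(stats: Stats, factor: float = 3.0, min_count: int = 5
                  ) -> Dict[str, List[Tuple[str, int, float]]]:
    """Flag (reason, count, pool median) where count >= min_count and >= factor * median.

    The median, not the mean, is the baseline so that one broken modem does not
    raise the bar for itself; min_count keeps reasons with a near-zero median
    from flagging every modem that hiccups once.
    """
    flagged: Dict[str, List[Tuple[str, int, float]]] = {}
    reasons = sorted({r for per_modem in stats.values() for r in per_modem})
    for reason in reasons:
        median = statistics.median(per_modem.get(reason, 0) for per_modem in stats.values())
        for modem, per_modem in stats.items():
            count = per_modem.get(reason, 0)
            if count >= min_count and count >= factor * median:
                flagged.setdefault(modem, []).append((reason, count, float(median)))
    return flagged


def split_disconnect_code(code: str) -> Tuple[int, int]:
    """Split a four-hex-digit disconnect code into (high-order digit, low three digits).

    The guide says the high digit gives the type or time of the disconnect and
    the low three digits the reason; look the values up in the TAC notes.
    """
    value = int(code, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"{code!r} is not a four-hex-digit code")
    return value >> 12, value & 0xFFF


if __name__ == "__main__":
    for modem, hits in sorted(flag_outliers(parse_call_stats(SAMPLE_CALL_STATS)).items()):
        print(modem, hits)
```

On the sample, modem 0/22 is flagged for rmtLink (11 against a pool median of 3), matching the text's reading of the full output; lowering the factor to 2.5 also pulls in modem 2/20, which shows why the threshold should be set from a baseline of known-good boards rather than guessed.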
Removing Inoperable Modems
To manually remove inoperable modems from dialup services, use the following commands in line
configuration mode:
Command Purpose
Step 1 Router(config-line)# modem bad
Removes the modem from service, idles it, and marks it as suspected or proven to be inoperable.
Step 2 Router(config-line)# modem hold-reset
Resets and isolates the modem hardware for extensive troubleshooting.
Step 3 Router(config-line)# modem shutdown
Abruptly shuts down a modem from dial service.
Step 4 Router(config-line)# modem recovery-time minutes
Sets the maximum amount of time for which the call-switching module waits for a local modem to
respond to a request before it is considered locked in a suspended state. The default is 5 minutes.
If you use the modem bad command to remove an idle modem from dial services and mark it as
inoperable, the letter B identifies the modem as bad: it appears in the far left (Mdm) column of the
show modem output, and the Status column of the show modem slot/port output reads Bad. Use the
no modem bad command to clear the mark and restore the modem to dialup connection services. A
modem that is busy with a call cannot be marked bad directly; remove it from service with the modem
shutdown command first, as the following note describes.
Note Only idle modems can be marked "bad" by the modem bad command. If you want to mark a modem
bad that is actively supporting a call, first enter the modem shutdown command, then enter the
modem bad command.
Use the modem hold-reset command if a router is experiencing extreme modem behavior (for example,
if the modem is uncontrollably dialing in to the network). This command prevents the modem from
establishing software relationships such as those created by the test modem back-to-back command.
The modem is unusable while the modem hold-reset command is configured. The modem hold-reset
command also resets a modem that is frozen in a suspended state. Disable the suspended modem with
the modem hold-reset command, and then restart hardware initialization with the no modem hold-reset
command.
The following example disables a suspended modem and resets its hardware initialization:
Router# configure terminal
Router(config)# line 4
Router(config-line)# modem hold-reset
Router(config-line)# no modem hold-reset
The following example gracefully disables the modem associated with line 1 from dialing and answering
calls. The modem is disabled only after all active calls on the modem are dropped.
Router# configure terminal
Router(config)# line 1
Router(config-line)# modem busyout
The following example abruptly shuts down the modem associated with line 2. All active calls on the
modem are dropped immediately.
Router# configure terminal
Router(config)# line 2
Router(config-line)# modem shutdown
In the following example, the modem using TTY line 3 is actively supporting a call (as indicated by the
asterisk). However, we want to mark the modem bad because it has poor connection performance. First,
abruptly shut down the modem and drop the call with the modem shutdown command, and then enter
the modem bad command to take the modem out of service.
Router# show modem
Inc calls Out calls Busied Failed No Succ
Mdm Usage Succ Fail Succ Fail Out Dial Answer Pct.
1/0 37% 98 4 0 0 0 0 0 96%
1/1 38% 98 2 0 0 0 0 0 98%
* 1/2 2% 3 99 0 0 0 0 0 1%
.
.
.
Router# configure terminal
Router(config)# line 3
Router(config-line)# modem shutdown
Router(config-line)# modem bad
Router(config-line)# end
Router# show modem
Inc calls Out calls Busied Failed No Succ
Mdm Usage Succ Fail Succ Fail Out Dial Answer Pct.
1/0 37% 98 4 0 0 0 0 0 96%
1/1 38% 98 2 0 0 0 0 0 98%
B 1/2 2% 3 99 0 0 0 0 0 1%
For more information about modem recovery procedures, refer to TAC Tech Notes Configuring MICA
Modem Recovery at http://www.cisco.com/warp/public/76/modem-recovery.html and Configuring
NextPort SPE Recovery at http://www.cisco.com/warp/public/76/spe-recovery.html.
Busying Out a Modem Card
To busy out a modem card in a Cisco access server, use the following commands beginning in global
configuration mode:
Command Purpose
Step 1 Router(config)# line shelf/slot/port
Specifies the line number by its shelf, slot, and port numbers; you must type in the slashes. This
command also begins line configuration mode.
Step 2 Router(config-line)# modem busyout
Busies out the modem specified with the line command. The command disables the modem associated
with line shelf/slot/port from dialing and answering calls. You need not specify a shelf/slot/port number
again in this command.
Step 3 Router(config-line)# modem shutdown
Shuts down the modem specified with the line command, whether or not it has already been busied out.
You need not specify a shelf/slot/port number again because you have already done so with the line
command.
Step 4 Router(config-line)# exit
Exits line configuration mode and returns to global configuration mode.
Step 5 Router(config)# modem busyout-threshold number
Specifies a threshold number to balance the number of DS0s with the number of modem lines. For more
information, refer to the Cisco IOS Dial Technologies Command Reference.
Step 6 Router(config)# exit
Exits global configuration mode and returns to privileged EXEC mode.
Step 7 Router# show busyout
From privileged EXEC mode, verifies that the line is busied out. If there are active calls, the software
waits until the call terminates before the line is busied out.
The modem busyout command disables the modem associated with a specified line from dialing and
answering calls. The modem busyout command can busy out and eventually terminate all 72 ports on
the Cisco AS5800 modem card.
Monitoring Resources on Cisco High-End Access Servers
The following tasks enable you to monitor the network access server (NAS) health conditions at the DS0
level, PRI bearer channel level, and modem level. Performing these tasks will benefit network operation
with improved visibility into the line status for the NAS for comprehensive health monitoring and
notification capability, and improved troubleshooting and diagnostics for large-scale dial networks.
Perform the following tasks to monitor resource availability on the Cisco high-end access servers:
• Enabling DS0 Busyout Traps—DS0 busyout traps are generated when there is a request to busy out
a DS0, when there is a request to take a DS0 out of busyout mode, or when busyout completes and
the DS0 is out-of-service. DS0 busyout traps are generated at the DS0 level for both CAS and ISDN
configured lines. This feature is enabled and disabled through use of the CLI and MIBs. DS0
busyout traps are disabled by default and are supported on Cisco AS5300, Cisco AS5400, and
Cisco AS5800 universal access servers.
• Enabling ISDN PRI Requested Channel Not Available Traps—ISDN PRI channel not available traps
are generated when a requested DS0 channel is not available, or when there is no modem available
to take the incoming call. This feature is available only for ISDN PRI interfaces. This feature is
enabled and disabled through use of CLI for ISDN traps and the CISCO-ISDN-MIB. ISDN PRI
channel not available traps are disabled by default and are supported on the Cisco AS5300,
Cisco AS5400, and Cisco AS5800.
• Enabling Modem Health Traps—Modem health traps are generated when a modem port is bad,
disabled, reflashed, or shut down, or when there is a request to busy out the modem. This feature is
enabled and disabled through use of CLI and the CISCO-MODEM-MGMT-MIB. Modem health
traps are disabled by default and are supported on the Cisco AS5300, Cisco AS5400, and
Cisco AS5800.
• Enabling DS1 Loopback Traps—DS1 loopback traps are generated when a DS1 line goes into
loopback mode. This feature is enabled and disabled by CLI and the CISCO-POP-MGMT-MIB. DS1
loopback traps are disabled by default and are supported on the Cisco AS5300 and Cisco AS5400
only.
The CISCO-POP-MGMT-MIB supplies the DS0 busyout traps and the DS1 loopback traps. The
CISCO-MODEM-MGMT-MIB supplies additional modem health traps when the modem port becomes
non-functional. The CISCO-ISDN-MIB supplies additional traps for ISDN PRI channel not available.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules,
go to the Cisco MIB website on Cisco.com at
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
See the sections “Verifying Enabled Traps” and “Troubleshooting the Traps” to verify and troubleshoot
configuration. The section “NAS Health Monitoring Example” provides output of a configuration with
the NAS health monitoring features enabled.
Enabling DS0 Busyout Traps
Before you enable DS0 busyout traps, the SNMP manager must already have been installed on your
workstation, and the SNMP agent must be configured on the NAS by entering the snmp-server
community and snmp-server host commands. Refer to the Cisco IOS Configuration Fundamentals
Configuration Guide for more information on these commands.
To generate DS0 busyout traps, use the following command in global configuration mode:
Command: Router(config)# snmp-server enable traps ds0-busyout
Purpose: Generates a trap when there is a request to busy out a DS0 or to indicate when busyout finishes.
Enabling ISDN PRI Requested Channel Not Available Traps
To generate ISDN PRI requested channel not available traps, use the following command in global
configuration mode:
Command: Router(config)# snmp-server enable traps isdn chan-not-avail
Purpose: Generates a trap when the NAS rejects an incoming call on an ISDN PRI interface because the
channel is not available.
Enabling Modem Health Traps
To generate modem health traps, use the following command in global configuration mode:
Command: Router(config)# snmp-server enable traps modem-health
Purpose: Generates a trap when a modem port is bad, disabled, or prepared for firmware download; when
download fails; when placed in loopback mode for maintenance; or when there is a request to busy out
the modem.
Enabling DS1 Loopback Traps
To generate DS1 loopback traps, use the following command in global configuration mode:
Command: Router(config)# snmp-server enable traps ds1-loopback
Purpose: Generates a trap when the DS1 line goes into loopback mode.
Verifying Enabled Traps
To verify that the traps are enabled, use the show run command in privileged EXEC mode. The following
output indicates that all the traps are enabled:
Router# show run
snmp-server enable traps ds0-busyout
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps modem-health
snmp-server enable traps ds1-loopback
Additionally, you can use the show controllers command with the timeslots keyword to display details
about the channel state. This feature shows whether the DS0 channels of a particular controller are in
idle, in-service, maintenance, or busyout state. This enhancement applies to both CAS and ISDN PRI
interfaces and is supported on the Cisco AS5300 and Cisco AS5400 only.
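When many access servers must be checked, the show run verification above is easier to script than to
read. The following Python script is an added example and is not part of the Cisco IOS documentation
or software: it reads saved show run text and reports which of the four NAS health trap keywords are
missing, which hosts receive traps, and whether a community string is one of the well-known defaults
(public, private). The sample configuration is the snmp-server block from the example later in this
section; the "compliant" rule (all four traps, at least one trap host, no default community string) is this
script's own assumption, and the host parser assumes the simple snmp-server host address community
form shown on this page.

```python
"""Audit a NAS configuration for the four NAS health-monitoring traps.

Added example, not part of the Cisco IOS guide or software. Parses saved
'show run' text and reports missing trap keywords, trap receivers, and
well-known default community strings.
"""
import re

# The four trap keywords enabled in this section of the guide.
REQUIRED_TRAPS = ("ds0-busyout", "isdn chan-not-avail", "modem-health", "ds1-loopback")

# Well-known default community strings an auditor expects to see replaced.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: the snmp-server lines from the example configuration on this page.
SAMPLE_CONFIG = """\
snmp-server engineID local 00000009020000D058890CF0
snmp-server community public RO
snmp-server packetsize 2048
snmp-server enable traps ds0-busyout
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps modem-health
snmp-server enable traps ds1-loopback
snmp-server host 10.5.4.1 public
"""

TRAP_RE = re.compile(r"^snmp-server enable traps\s+(.+?)\s*$")
COMMUNITY_RE = re.compile(r"^snmp-server community\s+(\S+)(?:\s+(RO|RW))?")
# Assumption: the simple 'snmp-server host <address> <community>' form shown on this page.
HOST_RE = re.compile(r"^snmp-server host\s+(\S+)\s+(\S+)\s*$")


def audit_snmp_config(config_text):
    """Return which required traps are enabled/missing, trap hosts and weak communities."""
    enabled, communities, hosts = set(), [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TRAP_RE.match(line)
        if m:
            enabled.add(m.group(1))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append((m.group(1), m.group(2) or "RO"))  # RO is the IOS default
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2)))
    missing = [t for t in REQUIRED_TRAPS if t not in enabled]
    used = {c for c, _ in communities} | {c for _, c in hosts}
    weak = sorted(c for c in used if c.lower() in DEFAULT_COMMUNITIES)
    return {
        "enabled_traps": sorted(enabled),
        "missing_traps": missing,
        "trap_hosts": sorted(h for h, _ in hosts),
        "weak_communities": weak,
        # Assumed policy: every trap enabled, a receiver configured, no default community.
        "compliant": not missing and bool(hosts) and not weak,
    }


if __name__ == "__main__":
    for key, value in audit_snmp_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script finds all four traps and the trap host but reports the community string
public as weak, so the configuration is not marked compliant.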
Troubleshooting the Traps
To troubleshoot the traps, turn on the debug switch for SNMP packets by entering the following
command in privileged EXEC mode:
Router# debug snmp packets
Check the resulting output to see that the SNMP trap information packet is being sent. The output will
vary based on the kind of packet sent or received:
SNMP: Packet received via UDP from 10.5.4.1 on Ethernet0
SNMP: Get-next request, reqid 23584, errstat 0, erridx 0
sysUpTime = NULL TYPE/VALUE
system.1 = NULL TYPE/VALUE
system.6 = NULL TYPE/VALUE
SNMP: Response, reqid 23584, errstat 0, erridx 0
sysUpTime.0 = 2217027
system.1.0 = Cisco Internetwork Operating System Software
system.6.0 =
SNMP: Packet sent via UDP to 10.5.4.1
You can also use trap monitoring and logging tools like snmptrapd, with debugging flags turned on, to
monitor output.
NAS Health Monitoring Example
The following is sample configuration output showing all NAS health monitoring traps turned on:
Building configuration...
Current configuration:
! Last configuration change at 12:27:30 pacific Thu May 25 2000
version xx.x
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
aaa new-model
aaa authentication ppp default group radius
enable password
!
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
firmware location system:/ucode/mica_port_firmware
!
resource-pool disable
!
clock timezone PDT -8
clock calendar-valid
no modem fast-answer
modem country mica usa
modem link-info poll time 60
modem buffer-size 300
ip subnet-zero
!
isdn switch-type primary-5ess
isdn voice-call-failure 0
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
linecode b8zs
ds0-group 0 timeslots 1-24 type e&m-fgb
cas-custom 0
!
controller T1 2
shutdown
clock source line secondary 2
!
controller T1 3
shutdown
clock source line secondary 3
!
controller T1 4
shutdown
clock source line secondary 4
!
controller T1 5
shutdown
clock source line secondary 5
!
controller T1 6
shutdown
clock source line secondary 6
!
controller T1 7
shutdown
clock source line secondary 7
!
interface Loopback0
ip address 10.5.4.1
!
interface Ethernet0
no ip address
shutdown
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface Serial0:23
no ip address
ip mroute-cache
isdn switch-type primary-5ess
isdn incoming-voice modem
no cdp enable
!
interface FastEthernet0
ip address 10.5.4.1
duplex full
speed auto
no cdp enable
!
interface Group-Async1
ip unnumbered FastEthernet0
encapsulation ppp
ip tcp header-compression passive
no ip mroute-cache
async mode interactive
peer default ip address pool swattest
no fair-queue
ppp authentication chap
ppp multilink
group-range 1 192
!
interface Dialer1
ip unnumbered FastEthernet0
encapsulation ppp
ip tcp header-compression passive
dialer-group 1
peer default ip address pool swattest
pulse-time 0
no cdp enable
!
ip local pool swattest 10.5.4.1
ip default-gateway 10.5.4.1
ip classless
!
dialer-list 1 protocol ip permit
snmp-server engineID local 00000009020000D058890CF0
snmp-server community public RO
snmp-server packetsize 2048
snmp-server enable traps ds0-busyout
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps modem-health
snmp-server enable traps ds1-loopback
snmp-server host 10.5.4.1 public
!
radius-server host 10.5.4.1 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key
!
line con 0
transport input none
line 1 192
autoselect ppp
modem InOut
transport preferred none
transport input all
transport output none
line aux 0
line vty 0 4
end
Configuration Examples for Modem Management
This section provides the following examples:
• NextPort Modem Log Example
• Modem Performance Summary Example
• Modem AT-Mode Example
• Connection Speed Performance Verification Example
For additional information and examples about the commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference.
NextPort Modem Log Example
The following is partial sample output for the Cisco AS5400 with the NextPort Distributed forwarding
Card (DFC). This example shows the port history event log for slot 5, port 47:
Router# show port modem log 5/47
Port 5/47 Events Log
Service type: DATA_FAX_MODEM
Service mode: DATA_FAX_MODEM
Session State: IDLE
00:02:23: incoming called number: 35160
Service type: DATA_FAX_MODEM
Service mode: DATA_FAX_MODEM
Session State: IDLE
Service type: DATA_FAX_MODEM
Service mode: DATA_FAX_MODEM
Session State: ACTIVE
00:02:23: Modem State event:
State: Connect
00:02:16: Modem State event:
State: Link
00:02:13: Modem State event:
State: Train Up
00:02:05: Modem State event:
State: EC Negotiating
00:02:05: Modem State event:
State: Steady
00:02:05: Modem Static event:
Connect Protocol : LAP-M
Compression : V.42bis
Connected Standard : V.34+
TX,RX Symbol Rate : 3429, 3429
TX,RX Carrier Frequency : 1959, 1959
TX,RX Trellis Coding : 16/16
Frequency Offset : 0 Hz
Round Trip Delay : 0 msecs
TX,RX Bit Rate : 33600, 33600
Robbed Bit Signalling (RBS) pattern : 0
Digital Pad : None
Digital Pad Compensation : None
4 bytes of link info not formatted : 0x00 0x00 0x00 0x00 0x00
00:02:06:Modem Dynamic event:
Sq Value : 5
Signal Noise Ratio : 40 dB
Receive Level : -12 dBm
Phase Jitter Frequency : 0 Hz
Phase Jitter Level : 2 degrees
Far End Echo Level : -90 dBm
Phase Roll : 0 degrees
Total Retrains : 0
EC Retransmission Count : 0
Characters transmitted, received : 0, 0
Characters received BAD : 0
PPP/SLIP packets transmitted, received : 0, 0
PPP/SLIP packets received (BAD/ABORTED) : 0
EC packets transmitted, received OK : 0, 0
EC packets (Received BAD/ABORTED) : 0
Modem Performance Summary Example
You can display a high-level summary of the performance of a modem with the show modem summary
command:
Router# show modem summary
             Incoming calls       Outgoing calls       Busied  Failed  No   Succ
Usage  Succ  Fail  Avail   Succ  Fail  Avail   Out     Dial    Ans  Pct.
14%    2489  123   15      0     0     15      0       3       3    95%
Modem AT-Mode Example
The following example shows that modem 1/1 has one open AT directly connected session:
Router# show modem at-mode
Active AT-MODE management sessions:
Modem User's Terminal
1/1 0 cty 0
Connection Speed Performance Verification Example
Making sure that your modems are connecting at the correct connection speeds is an important aspect of
managing modems. The show modem connect-speeds and show modem commands provide
performance information that allows you to investigate possible inoperable or corrupt modems or T1/E1
lines. For example, suppose you have an access server that is fully populated with V.34 modems. If you
notice that modem 1/0 is getting V.34 connections only 50 percent of the time, whereas all the other
modems are getting V.34 connections 80 percent of the time, then modem 1/0 is probably
malfunctioning. If you are reading low connection speeds across all the modems, you may have a faulty
channelized T1 or ISDN PRI line connection.
To display connection speed information for all modems that are running in your system, use the show
modem connect-speeds max-speed EXEC command. Because most terminal screens are not wide
enough to display the entire range of connection speeds at one time (for example, 75 to 56,000 bps), the
max-speed argument is used. This argument specifies the contents of a shifting baud-rate window, which
provides you with a snapshot of the modem connection speeds for your system. Replace the max-speed
argument with the maximum connect speed that you want to display. You can specify from 12,000 to
56,000 bps. If you are interested in viewing a snapshot of lower baud rates, specify a lower connection
speed. If you are interested in displaying a snapshot of higher rates, specify a higher connection speed.
The following example displays connection speed information for modems running up to 33,600 bps:
Router# show modem connect-speeds 33600
transmit connect speeds
Mdm 14400 16800 19200 21600 24000 26400 28800 31200 33600 TotCnt
* 0/0 0 0 0 0 0 0 4 4 1 9
* 0/1 2 0 0 0 0 0 3 3 1 9
0/2 2 0 0 0 0 1 2 4 1 10
* 0/3 0 0 0 1 0 0 3 4 1 9
* 0/4 1 0 0 0 0 2 2 1 1 7
* 0/5 0 0 0 0 0 0 4 4 1 9
* 0/6 0 0 0 0 0 1 3 3 1 8
* 0/7 0 0 0 2 0 0 4 3 1 10
* 0/8 2 0 0 0 0 0 3 4 1 10
* 0/9 0 0 0 0 0 0 4 3 0 7
* 0/10 1 0 0 0 0 1 3 2 1 8
* 0/11 0 0 0 0 0 0 4 3 1 8
0/12 1 0 0 0 0 0 4 2 1 8
* 0/13 0 0 0 0 0 0 4 2 1 7
* 0/14 1 0 0 0 0 1 2 2 1 7
* 0/15 0 0 0 0 0 0 4 2 1 7
* 0/16 0 0 0 1 0 0 3 2 1 7
* 0/17 1 0 0 0 0 0 4 2 1 8
* 0/18 1 0 0 0 0 0 3 3 1 8
* 0/19 0 0 0 0 0 0 5 3 1 9
* 0/20 0 0 0 0 0 0 4 2 1 7
* 0/21 1 0 0 0 0 0 4 2 0 7
* 0/22 0 0 0 0 0 0 7 9 1 17
* 0/23 0 0 0 0 0 2 2 3 1 8
* 2/0 0 0 0 1 0 0 3 3 1 8
* 2/1 0 0 0 0 0 0 5 2 1 8
* 2/2 0 0 0 1 0 0 4 1 1 7
* 2/3 1 0 0 0 0 0 4 2 1 8
* 2/4 0 0 0 0 0 0 5 2 1 8
* 2/5 0 0 0 0 0 0 4 3 1 8
* 2/6 0 0 0 0 0 0 3 2 1 6
* 2/7 1 0 0 0 0 1 3 2 0 7
* 2/8 1 0 0 0 0 0 3 2 1 7
* 2/9 0 0 0 0 0 1 3 2 1 7
* 2/10 2 0 0 0 0 2 1 0 1 6
* 2/11 0 0 0 1 0 1 3 5 1 11
* 2/12 0 0 0 0 0 0 5 2 1 8
* 2/13 1 0 0 0 0 0 5 0 1 7
* 2/14 1 0 0 0 0 0 3 3 1 8
* 2/15 1 0 0 0 0 1 2 3 1 8
* 2/16 0 0 0 0 0 0 4 3 1 8
* 2/17 0 0 0 0 0 0 5 11 0 16
* 2/18 0 0 0 1 0 1 1 2 1 6
* 2/19 0 0 0 0 0 0 2 3 1 6
* 2/20 1 0 0 0 0 2 3 9 1 16
* 2/21 1 0 0 0 0 0 4 1 1 7
* 2/22 0 0 0 1 0 0 2 3 1 7
* 2/23 0 0 0 0 0 1 3 3 1 8
Tot 23 0 0 9 0 18 165 141 44 400
Tot % 5 0 0 2 0 4 41 35 11
receive connect speeds
Mdm 14400 16800 19200 21600 24000 26400 28800 31200 33600 TotCnt
* 0/0 0 0 0 0 0 4 1 3 1 9
* 0/1 2 0 0 0 0 3 1 2 1 9
0/2 2 0 0 0 0 3 1 3 1 10
* 0/3 0 0 0 1 0 3 4 0 1 9
* 0/4 1 0 0 0 0 4 0 1 1 7
* 0/5 0 0 0 0 0 4 3 1 1 9
* 0/6 0 0 0 0 0 4 0 3 1 8
* 0/7 0 0 0 2 0 4 1 2 1 10
* 0/8 2 0 0 0 0 3 0 5 0 10
* 0/9 0 0 0 0 0 4 2 0 1 7
* 0/10 1 0 0 0 0 4 0 2 1 8
* 0/11 0 0 0 0 0 4 0 3 1 8
0/12 1 0 0 0 0 2 2 2 1 8
* 0/13 0 0 0 0 0 4 1 1 1 7
* 0/14 1 0 0 0 0 2 3 0 1 7
* 0/15 0 0 0 0 0 4 1 1 1 7
* 0/16 0 0 0 1 0 3 2 0 1 7
* 0/17 1 0 0 0 0 4 1 1 1 8
* 0/18 1 0 0 0 0 3 2 1 1 8
* 0/19 0 0 0 0 0 5 1 2 1 9
* 0/20 0 0 0 0 0 4 0 3 0 7
* 0/21 1 0 0 0 0 4 0 1 1 7
* 0/22 0 0 0 0 0 6 6 4 1 17
* 0/23 0 0 0 0 0 4 2 1 1 8
* 2/0 0 0 0 1 0 3 1 2 1 8
* 2/1 0 0 0 0 0 3 3 1 1 8
* 2/2 0 0 0 1 0 4 0 1 1 7
* 2/3 1 0 0 0 0 3 2 1 1 8
* 2/4 0 0 0 0 0 4 2 1 1 8
* 2/5 0 0 0 0 0 4 1 2 1 8
* 2/6 0 0 0 0 0 3 0 3 0 6
* 2/7 1 0 0 0 1 2 2 0 1 7
* 2/8 1 0 0 0 0 3 0 2 1 7
* 2/9 0 0 0 0 0 4 1 1 1 7
* 2/10 2 0 0 0 0 3 0 0 1 6
* 2/11 0 0 0 1 0 3 1 5 1 11
* 2/12 0 0 0 0 0 4 3 0 1 8
* 2/13 1 0 0 0 0 2 3 0 1 7
* 2/14 1 0 0 0 0 3 2 1 1 8
* 2/15 1 0 0 0 0 3 0 3 1 8
* 2/16 0 0 0 0 0 4 0 4 0 8
* 2/17 0 0 0 0 0 5 2 8 1 16
* 2/18 0 0 1 0 0 2 1 1 1 6
* 2/19 0 0 0 0 0 2 2 1 1 6
* 2/20 1 0 0 0 0 4 2 8 1 16
* 2/21 1 0 0 0 0 4 0 1 1 7
* 2/22 0 0 1 0 0 2 0 3 1 7
* 2/23 0 0 0 0 0 4 2 1 1 8
Tot 23 0 2 7 1 167 64 92 44 400
Tot % 5 0 0 1 0 41 16 23 11
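The comparison described above (one modem getting V.34 connections far less often than its neighbours
points at the modem; low speeds across every modem point at the T1/E1 or PRI line) can be applied
mechanically to saved show modem connect-speeds output. The following Python script is an added
example and is not part of the Cisco IOS documentation or software. Its sample input is a subset of the
transmit-speed rows from the table above; the 28,800 bps floor for counting a connection as full-speed
V.34, the 30-point gap (modelled on the 50 percent versus 80 percent case in the text), the five-call
minimum and the 50 percent pool floor are this script's assumptions, not values from the guide.

```python
"""Flag under-performing modems from saved 'show modem connect-speeds' output.

Added example, not part of the Cisco IOS guide or software. A modem whose
share of full-speed connections trails the pool by a wide margin is
reported as a suspect modem; a low share across the whole pool is reported
as a suspect line.
"""
import re

# Assumption: connections at or above this rate count as full-speed V.34.
V34_FLOOR = 28800

# Constructed sample: a subset of the transmit-speed rows shown on this page.
SAMPLE_CONNECT_SPEEDS = """\
transmit connect speeds
Mdm 14400 16800 19200 21600 24000 26400 28800 31200 33600 TotCnt
* 0/0 0 0 0 0 0 0 4 4 1 9
* 0/1 2 0 0 0 0 0 3 3 1 9
  0/2 2 0 0 0 0 1 2 4 1 10
* 0/4 1 0 0 0 0 2 2 1 1 7
* 2/10 2 0 0 0 0 2 1 0 1 6
"""

# One modem row: optional '*', slot/port, per-speed counts, TotCnt.
ROW_RE = re.compile(r"^\*?\s*(\d+/\d+)\s+((?:\d+\s+)+)(\d+)$")


def parse_connect_speeds(text):
    """Return (speeds, {modem: counts}) from one connect-speeds table."""
    speeds, rows = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Mdm"):
            # Header row 'Mdm <speed> ... TotCnt' gives the column speeds.
            speeds = [int(tok) for tok in line.split()[1:-1]]
            continue
        m = ROW_RE.match(line)
        if m and speeds is not None:
            counts = [int(tok) for tok in m.group(2).split()]
            # Sanity-check each row against its own TotCnt column.
            if len(counts) != len(speeds) or sum(counts) != int(m.group(3)):
                raise ValueError(f"malformed row: {line!r}")
            rows[m.group(1)] = counts
    if speeds is None:
        raise ValueError("speed header row ('Mdm ...') not found")
    return speeds, rows


def high_speed_fraction(speeds, counts, floor=V34_FLOOR):
    """Share of a modem's connections made at or above the floor rate."""
    total = sum(counts)
    if total == 0:
        return None
    return sum(c for s, c in zip(speeds, counts) if s >= floor) / total


def analyze(text, gap=0.30, min_calls=5, line_floor=0.50):
    """Compare each modem with the pool and report likely problems.

    gap        - a modem trailing the pool's full-speed share by more than this is reported
    min_calls  - modems with fewer calls are skipped as statistically noisy
    line_floor - if the whole pool is below this share, suspect the T1/E1 or PRI line
    """
    speeds, rows = parse_connect_speeds(text)
    pool_total = sum(sum(c) for c in rows.values())
    pool_high = sum(
        c for counts in rows.values() for s, c in zip(speeds, counts) if s >= V34_FLOOR
    )
    pool_frac = pool_high / pool_total if pool_total else 0.0

    def slot_port(modem):
        return tuple(int(x) for x in modem.split("/"))

    suspects = []
    for modem in sorted(rows, key=slot_port):
        counts = rows[modem]
        if sum(counts) < min_calls:
            continue
        frac = high_speed_fraction(speeds, counts)
        if frac is not None and frac < pool_frac - gap:
            suspects.append(modem)
    return {
        "pool_high_fraction": pool_frac,
        "suspect_modems": suspects,
        "suspect_line": pool_frac < line_floor,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_CONNECT_SPEEDS))
```

On the sample rows the pool makes about 71 percent of its connections at 28,800 bps or above; modem
2/10 (2 of 6) falls more than 30 points below that and is reported, while the pool itself stays above the line
floor. Tightening the gap to 10 points adds modem 0/4 (4 of 7) to the list, which is the trade-off between
catching a marginal modem early and chasing noise from a few calls.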
Configuring and Managing Cisco Access Servers and Dial Shelves
This chapter describes configuration and monitoring tasks for the Cisco AS5800 and AS5400 access
servers, including dial shelves and dial shelf controllers on the Cisco AS5800 access servers in the
following main sections:
• Cisco AS5800 Dial Shelf Architecture and DSIP Overview
• How to Configure Dial Shelves
• Port Management Services on Cisco Access Servers
• Upgrading and Configuring SPE Firmware
For further information and configuration examples for the Cisco AS5400, refer to the Cisco AS5400
Universal Access Server Software Configuration Guide.
For further information and configuration examples for the Cisco AS5800, refer to the Cisco AS5800
Universal Access Server Operations, Administration, Maintenance, and Provisioning Guide.
For more information on the Cisco access servers, go to the Cisco Connection Documentation site on
Cisco.com, or use the Cisco Documentation CD-ROM.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
Cisco AS5800 Dial Shelf Architecture and DSIP Overview
The Cisco AS5800 is a rack-mounted system consisting of a router shelf and a dial shelf. The dial shelf
contains feature and controller cards (trunk cards), modem cards, and dial shelf controller (DSC) cards.
Note For more information about split dial shelf configuration, refer to the hardware installation guides
that accompanied your Cisco AS5800 Universal Access Server and the Cisco AS5800 Universal
Access Server Software Installation and Configuration Guide.
The Dial Shelf Interconnect Protocol (DSIP) is used for communication between router shelf and dial
shelf on an AS5800. Figure 22 diagrams the components of the architecture. The router shelf is the host
for DSIP commands, which can be run remotely on the feature boards of the dial shelf using the
command, execute-on. DSIP communicates over the packet backplane via the dial shelf interconnect
(DSI) cable.
Figure 22 DSIP Architecture in the Cisco AS5800
Split Dial Shelves Feature
The split dial shelves feature provides for doubling the throughput of the Cisco AS5800 access server
by splitting the dial shelf slots between two router shelves, each router connected to one Dial Shelf
Controller (DSC), two of which must be installed in the system. Each router shelf is configured to control
a certain set from the range of the dial shelf slots. Each router shelf will operate as though any other slots
in the dial shelf contained no cards, even if there is a card in them, because they are controlled by the
other router shelf. Thus the configuration on each router shelf would affect only the “owned” slots.
Each router shelf should own modem cards and trunk cards. Calls received on a trunk card belonging to
one router shelf cannot be serviced by a modem card belonging to the other router shelf. Each router
shelf operates like a single Cisco AS5800 access server system, as if some slots are unavailable.
Refer to the section “Configuring Dial Shelf Split Mode” for more information about configuring split
dial shelves.
How to Configure Dial Shelves
To configure and maintain dial shelves, perform the tasks in the following sections:
• Configuring the Shelf ID
• Configuring Redundant DSC Cards
• Synchronizing to the System Clocks
• Configuring Dial Shelf Split Mode
• Executing Commands Remotely
• Verifying DSC Configuration
• Monitoring and Maintaining the DSCs
• Troubleshooting DSIP
Configuring the Shelf ID
The Cisco AS5800 consists of a router shelf and a dial shelf. To distinguish the slot/port number on the
Cisco AS5800, you must specify the shelf number. The default shelf number is 0 for the router shelf and
1 for the dial shelf.
Caution You must reload the Cisco AS5800 for the new shelf number to take effect. Because the shelf number
is part of the interface names when you reload, all NVRAM interface configuration information is
lost.
Normally you do not need to change the shelf IDs; however, if you do, we recommend that you change
the shelf number when you initially access the setup facility. For information on the setup facility, refer
to the Cisco AS5800 Universal Access Server Software Installation and Configuration Guide.
If you are booting the router shelf from the network (netbooting), you can change the shelf numbers
using the shelf-id command.
To configure the dial shelf, you save and verify the configuration in EXEC mode, and enter shelf-id
commands in global configuration mode, as indicated in the following steps:
Step 1  Router# copy startup-config tftp
        Saves your current configuration. Changing the shelf number removes all interface configuration
        information when you reload the Cisco AS5800.
Step 2  Router# configure terminal
        Begins global configuration mode.
Step 3  Router(config)# shelf-id number router-shelf
        Specifies the router shelf ID.
Step 4  Router(config)# shelf-id number dial-shelf
        Specifies the dial shelf ID.
Step 5  Router(config)# exit
        Exits global configuration mode.
Step 6  Router# copy running-config startup-config
        Saves your configuration. This step is optional.
Step 7  Router# show version
        Verifies that the correct shelf number will be changed after the next reload.
Step 8  Router# reload components all
        Instructs the DSC (or DSCs in a redundant configuration) to be reloaded at the same time as a
        reload on the router shelf. Type “yes” at the “save config” prompt. Configure one interface so that
        the router shelf has connectivity to the server holding the configuration.
Step 9  Router# copy tftp startup-config
        Because changing the shelf number removes all interface configuration information when you
        reload the Cisco AS5800, edit the configuration file saved in Step 1 and download it.
If you are booting the router shelf from Flash memory, use the following commands beginning in EXEC
mode:
Step 1  Router# copy running-config tftp
        or
        Router# copy startup-config tftp
        Saves your current (latest) configuration to a server.
Step 2  Router# configure terminal
        Begins global configuration mode.
Step 3  Router(config)# shelf-id number router-shelf
        Configures the router shelf ID.
Step 4  Router(config)# shelf-id number dial-shelf
        Configures the dial shelf ID.
Step 5  Router(config)# exit
        Exits global configuration mode.
Step 6  Router# copy running-config startup-config
        Saves your configuration. This step is optional. If this step is skipped, type “No” at the “save
        configuration” prompt.
Step 7  Router# show version
        Allows verification that the correct shelf number will be changed after the next reload. Edit the
        configuration file saved in Step 1.
Step 8  Router# copy tftp startup-config
        Copies the edited configuration to NVRAM on the Cisco AS5800.
Step 9  Router# reload components all
        Instructs the DSC (or DSCs in a redundant configuration) to be reloaded at the same time as a
        reload on the router shelf.
Configuring Redundant DSC Cards
The Redundant Dial Shelf Controller feature consists of two DSC cards on a Cisco AS5800 dial shelf.
The DSC cards provide clock and power control to the dial shelf cards. Each DSC card provides the
following:
• Master clock for the dial shelf
• Fast Ethernet link to the router shelf
• Environmental monitoring of the feature boards
• Bootstrap images on start-up for the feature boards
The Redundant Dial Shelf Controller feature is automatically enabled when two DSC cards are installed.
DSC redundancy is supported with Cisco AS5800 software at the Dial Shelf Interconnect Protocol
(DSIP) level.
This feature enables a Cisco AS5800 dial shelf to use dual DSCs for full redundancy. A redundant
configuration allows for one DSC to act as backup to the active card, should the active card fail. This
increases system availability by preventing loss of service. The redundant DSC functionality is robust
under high loads and through DSC or software crashes and reloads. The redundant DSC functionality is
driven by the following events:
• User actions
• Control messages
• Timeouts
• Detection of component failures
• Error and warning messages
DSC redundancy provides maximum system availability by preventing loss of service if one of the DSCs
fails. There is no load sharing between the Broadband Inter-Carrier Interfaces (BICI). One BIC is used
as a backup, carrying only control traffic, such as keepalives, until there is a switchover.
Before starting this configuration task:
• Your Cisco AS5800 router shelf and dial shelf must be fully installed, with two DSC cards installed
on the dial shelf.
• Your Cisco AS5800 access server must be running Cisco IOS Release 12.1(2)T.
• The external DSC clocking port must be configured identically on both router shelves and must be
physically connected to both DSCs. This assures that if a DSC card needs replacing or if the backup
DSC card becomes primary, clocking remains stable.
Synchronizing to the System Clocks
The time-division multiplexing (TDM) bus in the backplane on the dial shelf must be synchronized to
the T1/E1 clocks on the trunk cards. The Dial Shelf Controller (DSC) card on the dial shelf provides
hardware logic to accept multiple clock sources as input and use one of them as the primary source to
generate a stable, PLL-synchronized output clock. The input clock can be any of the following sources:
• Trunk port in slots 0 through 5—up to 12 can be selected (2 per slot)
• An external T1 or E1 clock source fed directly through a connector on the DSC card
• A free-running clock from an oscillator in the clocking hardware on the DSC card
For dual (redundant) DSC cards, the external DSC clocking port should be configured so that the clock
signal fed into both DSCs is identical.
To configure the external clocks, use the following commands from the router shelf login beginning in
global configuration mode. One external clock is configured as the primary clock source, and the other
is configured as the backup clock source.
Step 1  Router(config)# dial-tdm-clock priority value
        Configures the trunk card clock priority. Priority range is a value between 1 and 50.
Step 2  Router(config)# dial-tdm-clock priority X {trunk-slot Y port Z} external {t1 | e1} [120-ohm]
        Selects the T1/E1 trunk slot and port that is providing the clocking source. T1/E1 selection is
        based on the incoming signal. Select the impedance. The default impedance is 75-ohm.
Step 3  Router(config)# dial-tdm-clock priority value external t1
        or
        Router(config)# dial-tdm-clock priority value external e1
        Configures the T1/E1 external clock on the dial shelf controller front panel. T1/E1 selection is
        based on the signal coming in. Priority range is a value between 1 and 50.
Step 4  Router(config)# Ctrl-Z
        Router#
        Verifies your command registers when you press the return key. Enter Ctrl-Z to return to
        privileged EXEC mode.
Step 5  Router# copy running-config startup-config
        Saves your changes.
Verifying External Clock Configuration
To verify that the primary clock is running, enter the show dial-shelf clocks privileged EXEC command:
Router# show dial-shelf 12 clocks
Slot 12:
System primary is 1/2/0 of priority 202
TDM Bus Master Clock Generator State = NORMAL
Backup clocks:
Source Slot Port Priority Status State
-------------------------------------------------------
Trunk 2 1 208 Good Default
Slot Type 11 10 9 8 7 6 5 4 3 2 1 0
2 T1 G G G G G G G G G G G G
For more information on configuring external clocks, refer to the Cisco document Managing Dial
Shelves.
Configuring Dial Shelf Split Mode
This section describes the procedure required to transition a router from normal mode to split mode and
to change the set of slots a router owns while it is in split mode. Since the process of switching the
ownership of a slot from one router to the other is potentially disruptive (when a feature board is
restarted, all calls through that card are lost), a router shelf cannot take over a slot until ownership is
relinquished by the router that currently claims ownership, either by reconfiguring the router or
disconnecting that router or its associated DSC.
The dial shelf is split by dividing the ownership of the feature boards between the two router shelves.
You must configure the division of the dial shelf slots between the two router shelves so that each router
controls an appropriate mix of trunk and modem cards. Each router shelf controls its set of feature boards
as if those were the only boards present. There is no interaction between feature boards owned by one
router and feature boards owned by the other router.
Split mode is entered when the dial-shelf split slots command is parsed on the router shelf. This can
occur when the router is starting up and parsing the stored configuration, or when the command is
entered when the router is already up. Upon parsing the dial-shelf split slots command, the router frees
any resources associated with cards in the slots that it no longer owns, as specified by exclusion of slot
numbers from the slot-numbers argument. The router should be in the same state as if the card had been
removed from the slot; all calls through that card will be terminated. The configured router then informs
its connected DSC that it is in split mode, and which slots it claims to own.
In split mode, a router shelf by default takes half of the 2048 available TDM timeslots. The TDM split
mode is configured using the dial-shelf split backplane-ds0 command. (The dial-shelf split slot
command must be defined for the dial-shelf split backplane-ds0 command to be active.) If the
dial-shelf split slots command is entered when the total number of calls using timeslots exceeds the
number that would normally be available to the router in split mode, the command is rejected. This
should occur only when a change to split mode is attempted, in which the dial shelf has more than 896
calls in progress (more than half of the 1,792 available timeslots). Otherwise, a transition from normal
mode to split mode can be made without disturbing the cards in the slots that remain owned, and calls
going through those cards will stay up.
To configure a router for split dial shelf operation, perform the following steps:
Step 1 Ensure that both DSCs and both router shelves are running the same Cisco IOS image.
Note Having the same version of Cisco IOS running on both DSCs and both router shelves is not
mandatory; however, it is a good idea. There is no automatic checking that the versions are
the same.
Step 2 Schedule a time when the Cisco AS5800 can be taken out of service without unnecessarily terminating
calls in progress. The entire procedure for transitioning from normal mode to split mode should require
approximately one hour if all the hardware is already installed.
Step 3 Busy out all feature boards and wait for your customers to log off.
Step 4 Reconfigure the existing router shelf to operate in split mode.
Step 5 Enter the dial-shelf split slots command, specifying the slot numbers that are to be owned by the existing
router shelf.
Step 6 Configure the new router shelf to operate in split mode on other feature boards.
Step 7 Enter the dial-shelf split slots command, specifying the slot numbers that are to be owned by the new
router shelf. Do not specify any of the slot numbers that you specified in Step 6. The range of valid slot
numbers is 0 through 11.
To perform this step, enter the following command in global configuration mode:
Command and purpose:
Router(config)# dial-shelf split slots slot-numbers
  Enter a list of slot numbers, for example:
    dial-shelf split slots 0 1 2 6 7 8
  In this example, the other router shelf could be configured to own the other slots: 3 4 5 9 10 11.
  Normal mode: This command changes the router shelf to split mode with ownership of the slots listed.
  In case of conflicting slot assignments, the command is rejected and a warning message is issued. Issue a
  show dial-shelf split slots command on the other router shelf to display its list of owned dial shelf slots.
  Online insertion and removal (OIR) events on all slots are detected by both DSCs and added to the list of
  feature boards physically present in the dial shelf; however, OIR event processing is done only for
  assigned slots.
  Split mode: This command adds the dial shelf slots listed to the router shelf’s list of owned dial shelf
  slots.
Step 8 Install the second DSC, if it has not already been installed.
Step 9 Connect the DSIP cable from the second DSC to the new router shelf.
Step 10 Ensure that split mode is operating properly.
Enter the show dial-shelf command for each router. This command has been extended so that the
response indicates that the router shelf is running in split mode and which slots the router shelf owns.
The status of any cards in any owned slots is shown, just as they are in the present show dial-shelf
command. When in split mode, the output will be extended as in the following example:
System is in split dial shelf mode.
Slots owned: 0 2 3 4 5 6 (connected to DSC in slot 13)
Slot Board CPU DRAM I/O Memory State Elapsed
Type Util Total (free) Total (free) Time
0 CE1 0%/0% 21341728( 87%) 8388608( 45%) Up 00:11:37
2 CE1 0%/0% 21341728( 87%) 8388608( 45%) Up 00:11:37
4 Modem(HMM) 20%/20% 6661664( 47%) 6291456( 33%) Up 00:11:37
5 Modem(DMM) 0%/0% 6661664( 31%) 6291456( 32%) Up 00:11:37
6 Modem(DMM) 0%/0% 6661664( 31%) 6291456( 32%) Up 00:11:37
13 DSC 0%/0% 20451808( 91%) 8388608( 66%) Up 00:16:31
Dial shelf set for auto boot
Step 11 Enable all feature boards to accept calls once again.
Changing Slot Sets
You can change the sets of slots owned by the two router shelves while they are in split mode by first
removing slots from the set owned by one router, and then adding them to the slot set of the other router.
The changed slot set information is sent to the respective DSCs, and the DSCs determine which slots
have been removed and which added from the new slot set information. It should be clear that moving a
slot in this manner will disconnect all calls that were going through the card in that slot.
To perform this task, enter the following commands as needed:
Command and purpose:
Router(config)# dial-shelf split slots remove slot-numbers
  Removes the dial shelf slots listed from the router shelf’s list of owned dial shelf slots. The effect of
  multiple commands is cumulative.
Router(config)# dial-shelf split slots slot-numbers
  Adds the dial shelf slots listed to the router shelf’s list of owned dial shelf slots.
When a Slot Is Removed
The router shelf that is losing the slot frees any resources and clears any state associated with the card
in the slot it is relinquishing. The DSC reconfigures its hub to ignore traffic from that slot, and if there
is a card in the slot, it will be reset. This ensures that the card frees up any TDM resource it might be
using and allows it to restart under control of the router shelf that is subsequently configured to own the
slot.
When a Slot Is Added
If there are no configuration conflicts, and there is a card present in the added slot, a dial-shelf OIR
insertion event is sent to the router shelf, which processes the event the same as it always does. The card
in the added slot is reset by the DSC to ensure a clean state, and the card downloads its image from the
router shelf that now owns it.
If the other router shelf and the other DSC claim ownership of the same slot, the command adding the
slot should be rejected. However, should a configuration conflict exist, error messages are sent to both
routers and the card is not reset until one of the other router shelves and its DSC stop claiming ownership
of the slot. Normally, this will not happen until you issue a dial-shelf split slots remove command
surrendering the ownership claim on the slot by one of the routers.
Leaving Split Mode
Split mode is exited when the dial shelf configuration is changed by a no dial-shelf split slots command.
When the split dial shelf line is removed, the router shelf will start using all of the TDM timeslots.
Feature boards that were not owned in split mode and that are not owned by the other router will be reset.
Cards in slots that are owned by the other router will be reset, but only after the other DSC has been
removed or is no longer claiming the slots. The split dial shelf configuration should not be removed while
the second router shelf is still connected to the dial shelf.
When a router configured in split mode fails, all calls associated with the failed router are lost. Users
cannot connect back in until the failed router recovers and is available to accept new incoming calls;
however, the other split mode router shelf will continue to operate normally.
Troubleshooting Split Dial Shelves
The system will behave as configured as soon as the configuration is changed. The exception is when
there is a misconfiguration, such as when one router is configured in split mode and the other router is
configured in normal mode, or when both routers are configured in split mode and both claim ownership
of the same slots.
Problems can arise if one of the two routers connected to a dial shelf is not configured in split mode, or
if both are configured in split mode and both claim ownership of the same slots. If the state of the second
router is known when the dial-shelf split slots command is entered and the command would result in a
conflict, the command is rejected.
If a conflict in slot ownership does arise, both routers will receive warning messages until the conflict is
resolved. Any card in a slot which is claimed by both routers remains under the control of the router that
claimed it first, until you can resolve the conflict by correcting the configuration of one or both routers.
It should be noted that there can also be slots that are not owned by either router (orphan slots). Cards
in orphan slots cannot boot up until one of the two routers claims ownership of the slot because neither
DSC will download bootstrap images to cards in unowned orphan slots.
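The slot-ownership rules above (every slot within 0 through 11, no slot claimed by both router shelves, orphan slots owned by neither) can be checked from the show dial-shelf output of both router shelves. The following Python is an added example, not part of the guide or of Cisco IOS; the two outputs are constructed in the split-mode format shown in Step 10, with router shelf 2 deliberately claiming slot 6 as well, and slot_set_delta shows what the DSC derives when a slot set is changed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FEATURE_SLOTS = frozenset(range(0, 12))   # valid dial shelf feature board slots: 0 through 11

# Constructed sample output in the split-mode "show dial-shelf" format shown in the guide.
# Not captured from a real AS5800; router shelf 2 deliberately claims slot 6 as well.
SHOW_DIAL_SHELF_RS1 = """\
System is in split dial shelf mode.
Slots owned: 0 2 3 4 5 6 (connected to DSC in slot 13)
Slot Board CPU DRAM I/O Memory State Elapsed
Type Util Total (free) Total (free) Time
0 CE1 0%/0% 21341728( 87%) 8388608( 45%) Up 00:11:37
2 CE1 0%/0% 21341728( 87%) 8388608( 45%) Up 00:11:37
4 Modem(HMM) 20%/20% 6661664( 47%) 6291456( 33%) Up 00:11:37
5 Modem(DMM) 0%/0% 6661664( 31%) 6291456( 32%) Up 00:11:37
6 Modem(DMM) 0%/0% 6661664( 31%) 6291456( 32%) Up 00:11:37
13 DSC 0%/0% 20451808( 91%) 8388608( 66%) Up 00:16:31
Dial shelf set for auto boot
"""

SHOW_DIAL_SHELF_RS2 = """\
System is in split dial shelf mode.
Slots owned: 6 7 8 9 (connected to DSC in slot 12)
Slot Board CPU DRAM I/O Memory State Elapsed
Type Util Total (free) Total (free) Time
7 Modem(DMM) 0%/0% 6661664( 31%) 6291456( 32%) Up 00:03:12
8 Modem(DMM) 0%/0% 6661664( 31%) 6291456( 32%) Up 00:03:12
12 DSC 0%/0% 20451808( 91%) 8388608( 66%) Up 00:05:40
Dial shelf set for auto boot
"""

_OWNED_RE = re.compile(r"Slots owned:\s*([\d ]*?)\s*\(connected to DSC in slot (\d+)\)")
_ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+\d+%/\d+%")   # slot, board type, CPU util


@dataclass
class ShelfView:
    split_mode: bool
    owned: Set[int] = field(default_factory=set)
    dsc_slot: Optional[int] = None
    boards: Dict[int, str] = field(default_factory=dict)   # slot -> board type


def parse_show_dial_shelf(text: str) -> ShelfView:
    """Extract split-mode state, owned slots, DSC slot and board rows from show dial-shelf output."""
    view = ShelfView(split_mode="split dial shelf mode" in text)
    for line in text.splitlines():
        m = _OWNED_RE.search(line)
        if m:
            view.owned = {int(s) for s in m.group(1).split()}
            view.dsc_slot = int(m.group(2))
            continue
        m = _ROW_RE.match(line.strip())
        if m:
            view.boards[int(m.group(1))] = m.group(2)
    return view


def audit_split(rs1: ShelfView, rs2: ShelfView) -> Dict[str, object]:
    """Apply the guide's rules: both routers in split mode, slots within 0-11,
    no slot claimed by both routers, and orphan slots (owned by neither) reported."""
    claimed = rs1.owned | rs2.owned
    findings: Dict[str, object] = {
        "not_split": [name for name, v in (("rs1", rs1), ("rs2", rs2)) if not v.split_mode],
        "invalid": sorted(claimed - FEATURE_SLOTS),
        "conflicts": sorted(rs1.owned & rs2.owned),
        "orphans": sorted(FEATURE_SLOTS - claimed),
    }
    # Orphans are legal (their cards simply cannot boot); the other three findings are errors.
    findings["ok"] = not (findings["not_split"] or findings["invalid"] or findings["conflicts"])
    return findings


def slot_set_delta(current: Set[int], requested: Set[int]) -> Tuple[List[int], List[int]]:
    """Return (removed, added): what the DSC derives when a router shelf's slot set changes.
    Every slot in 'removed' drops all calls on the card in that slot."""
    return sorted(current - requested), sorted(requested - current)


if __name__ == "__main__":
    rs1 = parse_show_dial_shelf(SHOW_DIAL_SHELF_RS1)
    rs2 = parse_show_dial_shelf(SHOW_DIAL_SHELF_RS2)
    for key, value in audit_split(rs1, rs2).items():
        print(f"{key}: {value}")
    # Moving slot 6 to router shelf 2: remove it from RS1's set first, then add it on RS2.
    print("RS1 change:", slot_set_delta(rs1.owned, rs1.owned - {6}))
```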
Managing a Split Dial Shelf
If you are installing split dial shelf systems, a system controller is available that provides a single system
view of multiple point of presences (POPs). The system controller for the Cisco AS5800 Universal
Access Server includes the Cisco 3640 router running Cisco IOS software. The system controller can be
installed at a remote facility so that you can access multiple systems through a console port or Web
interface.
There are no new MIBs or MIB variables required for the split dial shelf configuration. A split dial shelf
appears to Simple Network Management Protocol (SNMP) management applications as two separate
Cisco AS5800 systems. One console to manage the whole system is not supported—you must have a
console session per router shelf (two console sessions) to configure each split of the Cisco AS5800. The
system controller must manage a split dial shelf configuration as two separate Cisco AS5800 systems.
The normal mode configuration of the Cisco AS5800 requires the dial shelf and router shelf IDs to be
different. In a split system, four unique shelf IDs are desirable, one for each router shelf and one for each
of the slot sets; however, a split system will function satisfactorily if the router shelf IDs are the same.
If a system controller is used to manage a split dial shelf configuration, the two routers must have distinct
shelf IDs, just as they must when each router has its own dial shelf.
You can download software configurations to any Cisco AS5800 using SNMP or a Telnet connection.
The system controller also provides performance monitoring and accounting data collection and logging.
In addition to the system controller, a network management system with a graphical user interface (GUI)
runs on a UNIX SPARC station and includes a database management system, polling engine, trap
management, and map integration.
To manage a split dial shelf, enter the following commands in EXEC mode as needed:
Command and purpose:
Router# show dial-shelf split
  Displays the slots assigned to each of the router shelves and the corresponding feature boards in
  ‘orphan’ slots (slots not currently assigned to either router).
Router# show dial-shelf
  Displays information about the dial shelf, including clocking information.
Router# show context
  Displays information about the dial shelf, including clocking information, but works only for owned
  slots. Use show context all to display all the information available about any slot. This is intended to
  cover the case where ownership of a feature board is moved from one router shelf to the other after a
  crash.
Executing Commands Remotely
Although not recommended, it is possible to connect directly to the system console interface in the DSC
to execute dial shelf configuration commands. All commands necessary for dial shelf configuration, and
all show and debug command tasks, can be executed remotely from the router console. A special command,
execute-on, is provided for this purpose. This command enables a special set of EXEC mode commands
to be executed on the router or the dial shelf. This command is a convenience that avoids connecting the
console to the DSC. For a list of commands you can execute using execute-on, refer to the command
description in the Cisco IOS Dial Technologies Command Reference.
To enter a command that you wish to execute on a specific card installed in the dial shelf while logged
onto the router shelf console, use the following commands in privileged EXEC mode as needed:
Command and purpose:
Router# execute-on slot slot command
  Executes a command from the router shelf on a specific slot in the dial shelf.
Router# execute-on all command
  Executes a command from the router shelf on all cards in the dial shelf.
Verifying DSC Configuration
To verify that you have started the redundant DSC feature, enter the show redundancy privileged EXEC
command:
Router# show redundancy
DSC in slot 12:
Hub is in 'active' state.
Clock is in 'active' state.
DSC in slot 13:
Hub is in 'backup' state.
Clock is in 'backup' state.
Router#
Monitoring and Maintaining the DSCs
To monitor and maintain the DSC cards, use the following commands in privileged EXEC mode, as
needed:
Command and purpose:
Router# hw-module shelf/slot {start|stop}
  Stops the target DSC remotely from the router console, or restarts the DSC if it has been stopped.
Router# show redundancy [history]
  Displays the current or history status for the redundant DSC.
Router# debug redundancy {all|ui|clk|hub}
  Use this debug command if you need to collect events for troubleshooting, selecting the appropriate
  keyword.
Router# show debugging
  Lists the debug commands that are turned on, including those for the redundant DSC.
Troubleshooting DSIP
There are a number of show commands available to aid in troubleshooting dial shelves. Use the
following EXEC mode commands to monitor DSI and DSIP activity as needed:
Command and purpose:
Router# clear dsip tracing
  Clears tracing statistics for the DSIP.
Router# show dsip
  Displays all information about the DSIP.
Router# show dsip clients
  Displays information about DSIP clients.
Router# show dsip nodes
  Displays information about the processors running the DSIP.
Router# show dsip ports
  Displays information about local and remote ports.
Router# show dsip queue
  Displays the number of messages in the retransmit queue waiting for acknowledgment.
Router# show dsip tracing
  Displays DSIP tracing buffer information.
Router# show dsip transport
  Displays information about the DSIP transport statistics for the control/data and IPC packets and
  registered addresses.
Router# show dsip version
  Displays DSIP version information.
The privileged EXEC mode show dsi command can also be used to troubleshoot, as it displays the status
of the DSI adapter, which is used to physically connect the router shelf and the dial shelf to enable DSIP
communications.
The following is an example troubleshooting scenario:
Problem: The router shelf boots, but there is no communication between the router and dial shelves.
Step 1 Run the show dsip transport command.
Step 2 Check the “DSIP registered addresses” column. If there are zero entries there, there is a problem
with the Dial Shelf Interconnect (DSI). Check whether the DSI is installed in the router shelf.
Step 3 If there is only one entry and it is the local address, first sanity check the physical layer. Make
sure that there is a physical connection between the RS and DS. If everything is fine from a cabling point
of view, go to Step 4.
Step 4 Check the DSI health by issuing the show dsi command. This gives a consolidated output of the DSI
controller and interface. Check for any errors such as runts, giants, throttles, and other usual FE interface
errors.
Diagnosis: If an entry for a particular dial shelf slot is not found among the registered addresses, but
most of the other card entries are present, the problem is most likely with that dial shelf slot. The DSI
hardware on that feature board is probably bad.
Port Management Services on Cisco Access Servers
Port Management Services on the Cisco AS5400 Access Server
Port service management on the Cisco AS5400 access server implements service using the NextPort dial
feature card (DFC). The NextPort DFC is a hardware card that processes digital service port technology
for the Cisco AS5400 access server. A port is defined as an endpoint on a DFC card through which
multiservice tones and data flow. The ports on the NextPort DFC support both modem and digital
services. Ports can be addressed in aggregate at the slot level of the NextPort module, at the Service
Processing Element (SPE) level within the NextPort module, and at the individual port level.
Cisco IOS Release 12.1(3)T or higher is required for the NextPort DFC.
Instead of the traditional line-modem one-to-one correspondence, lines are mapped to an SPE that
resides on the Cisco AS5400 NextPort DFC. Each SPE provides modem services for six ports. Busyout
and shutdown can be configured at the SPE or port level. The NextPort DFC introduces the slot and SPE
software hierarchy. On the Cisco AS5400, the hierarchy designation is slot/SPE.
The NextPort DFC slot is defined as a value between 1 and 7. Slot 0 is reserved for the motherboard.
Each NextPort DFC provides 18 SPEs. The SPE value ranges from 0 to 17. Since each SPE has six ports,
the NextPort DFC has a total of 108 ports. The port value ranges from 0 to 107.
The NextPort DFC performs the following functions:
• Converts pulse code modulation (PCM) bitstreams to digital packet data.
• Forwards converted and packetized data to the main processor, which examines the data and
forwards it to the backhaul egress interface.
• Supports all modem standards (such as V.34 and V.42bis) and features, including dial-in and
dial-out.
Port Management Services on the Cisco AS5800 Access Server
Port service management on the Cisco AS5800 access server implements service on the Universal Port
Card (UPC). A universal port carries a single channel at the speed of digital signal level 0 (DS0), or the
equivalent of 64 kbps on a T1 facility.
Network traffic can be a modem, voice, or fax connection. The 324 port UPC uses NextPort hardware
and firmware to provide universal ports for the Cisco AS5800 access server. These ports are grouped into
54 service processing elements (SPEs). Each SPE supports six universal ports. To find the total number
of ports supported by a UPC, multiply the 54 SPEs by the six ports supported on each SPE. The total
number of universal ports supported by a single UPC is 324. Configuration, management, and
troubleshooting of universal ports can be done at the UPC, SPE, and port level. Each UPC also has an
SDRAM card with a minimum of 128 MB of memory.
The Cisco AS5800 access server can be equipped with a maximum of seven UPCs with upgradable
firmware. The UPC supports data traffic, and depending on the software and platform is universal port
capable. Each UPC plugs directly into the dial shelf backplane and does not need any external
connections. Each UPC has three LEDs, which indicate card status.
The Cisco AS5800 access server is capable of terminating up to 2,048 incoming modem connections
(slightly more than an OC3) when equipped with seven UPCs and three CT3 trunk cards. A split shelf
configuration with a second router shelf and second dial shelf controller are required to achieve full
capacity. A single router with a standard configuration supports up to 1,344 port connections.
Cisco IOS Release 12.1(3)T or higher is required for the UPC. Unless your system shipped with UPCs
installed, you must upgrade the Cisco IOS image on the dial shelf and router shelf or shelves.
Instead of the traditional line-modem one-to-one correspondence, lines are mapped to an SPE that
resides on the Cisco AS5800 access server UPC. Each SPE provides modem services for six ports.
Busyout and shutdown can be configured at the SPE or port level. The UPC introduces the shelf, slot,
and SPE software hierarchy. On the Cisco AS5800 access server, the hierarchy designation is
shelf/slot/SPE.
A UPC can be installed in slots numbered 2 to 11 on the dial shelf backplane. If installed in slots 0 or 1,
the UPC automatically powers down. Slots 0 and 1 only accept trunk cards; they do not accept mixes of
cards. We recommend that you install mixes of T3 and T1 cards, or E1 trunk cards in slots 2 to 5. You
can use double-density modem cards, UPCs, and VoIP cards simultaneously. Trunk cards can operate in
slots 0 to 5 and are required for call termination.
The UPC performs the following functions:
• Converts pulse code modulation (PCM) bitstreams to digital packet data.
• Forwards converted and packetized data to the dial shelf main processor, which examines the data
and forwards it to the router shelf. From the router shelf, the data is routed to the external network.
• Supports all modem standards (such as V.34 and V.42bis) and features, including dial-in and
dial-out.
• Supports online insertion and removal (OIR), a feature that allows you to remove and replace UPCs
while the system is operating. A UPC can be removed without disrupting the operation of other cards
and their associated calls. If a UPC is removed while the system is operating, connections or current
calls on that card are dropped. Calls being handled by other cards are not affected.
Note All six ports on an SPE run the same firmware.
Upgrading and Configuring SPE Firmware
SPE firmware is automatically downloaded in both the Cisco AS5400 and AS5800 access servers.
AS5400 Access Server
SPE firmware is automatically downloaded to a NextPort DFC from the Cisco AS5400 when you boot
the system for the first time, or when you insert a NextPort DFC while the system is operating. When
you insert DFCs while the system is operating, the Cisco IOS image recognizes the cards and downloads
the required firmware to the cards.
The SPE firmware image is bundled with the access server Cisco IOS image. The SPE firmware image
uses an autodetect mechanism, which enables the NextPort DFC to service multiple call types. An SPE
detects the call type and automatically configures itself for that operation. For further information on
upgrading SPE firmware from the Cisco IOS image, refer to the section “Configuring SPEs to Use an
Upgraded Firmware File.”
The firmware is upgradeable independent of Cisco IOS upgrades, and different firmware versions can
be configured to run on SPEs in the same NextPort DFC. You can download firmware from the Cisco
Systems Cisco.com File Transfer Protocol (FTP) server.
AS5800 Access Server
SPE firmware is automatically downloaded to an AS5800 UPC from the router shelf Cisco IOS image
when you boot the system for the first time or when you insert a UPC while the system is operating. The
Cisco IOS image recognizes the card and the dial shelf downloads the required portware to the cards.
Cisco IOS Release 12.1(3)T or higher is required for the UPC.
The SPE firmware image (also known as portware) is bundled with the Cisco IOS UPC image. The SPE
firmware image uses an autodetect mechanism, which enables the UPC to service multiple call types.
An SPE detects the call type and automatically configures itself for that operation. For further
information on upgrading SPE firmware from the Cisco IOS image, refer to the section “Configuring
SPEs to Use an Upgraded Firmware File.”
The firmware is upgradable independent of Cisco IOS upgrades, and different firmware versions can be
configured to run on SPEs in the same UPC. You can download firmware from the Cisco.com File
Transfer Protocol (FTP) server.
Firmware Upgrade Task List
Upgrading SPE firmware from the Cisco.com FTP server is done in two steps:
• Downloading SPE Firmware from the Cisco.com FTP Server to a Local TFTP Server
• Copying the SPE Firmware File from the Local TFTP Server to the SPEs
Firmware Configuration Task List
To complete firmware configuration once you have downloaded the SPE firmware, perform the tasks in
the following sections:
• Specifying a Country Name
• Configuring Dial Split Shelves (AS5800 Only)
• Configuring SPEs to Use an Upgraded Firmware File
• Disabling SPEs
• Rebooting SPEs
• Configuring Lines
• Configuring Ports
• Verifying SPE Line and Port Configuration
• Configuring SPE Performance Statistics
• Clearing Log Events
• Troubleshooting SPEs
• Monitoring SPE Performance Statistics
Note The following procedure can be used for either a Cisco AS5400 or AS5800 access server.
Downloading SPE Firmware from the Cisco.com FTP Server to a Local TFTP
Server
Note You must be a registered Cisco user to log in to the Cisco Software Center.
You can download software from the Cisco Systems Cisco.com FTP server using an Internet browser or
using an FTP application. Both procedures are described.
Using an Internet Browser
Step 1 Launch an Internet browser.
Step 2 Bring up the Cisco Software Center home page at the following URL (this is subject to change without
notice):
http://www.cisco.com/kobayashi/sw-center/
Step 3 Click Access Software (under Cisco Software Products) to open the Access Software window.
Step 4 Click Cisco AS5400 Series or Cisco AS5800 Series software.
Step 5 Click the SPE firmware you want and download it to your workstation or PC. For example, to download
SPE firmware for the universal access server, click Download Universal Images.
Step 6 Click the SPE firmware file you want to download, and then follow the remaining download instructions.
If you are downloading the SPE firmware file to a PC, make sure that you download the file to the
c:/tftpboot directory; otherwise, the download process does not work.
Step 7 When the SPE firmware is downloaded to your workstation, transfer the file to a Trivial File Transfer
Protocol (TFTP) server in your LAN using a terminal emulation software application.
Step 8 When the SPE firmware is downloaded to your workstation, transfer the file to a TFTP server somewhere
in your LAN using a terminal emulation software application.
Using an FTP Application
Note The directory path leading to the SPE firmware files on cco.cisco.com is subject to change without
notice. If you cannot access the files using an FTP application, try the Cisco Systems URL
http://www.cisco.com/cgi-bin/ibld/all.pl?i=support&c=3.
Step 1 Log in to the Cisco.com FTP server called cco.cisco.com:
terminal> ftp cco.cisco.com
Connected to cio-sys.cisco.com.
Step 2 Enter your registered username and password (for example, harry and letmein):
Name (cco.cisco.com:harry): harry
331 Password required for harry.
Password: letmein
230-#############################################################
230-# Welcome to the Cisco Systems CCO FTP server.
230-# This server has a number of restrictions. If you are not familiar
230-# with these, please first get and read the /README or /README.TXT file.
230-# http://www.cisco.com/acs/info/cioesd.html for more info.
230-#############################################################
Step 3 Specify the directory path that holds the SPE firmware you want to download. For example, the directory
path for the Cisco AS5400 SPE firmware is /cisco/access/5400:
ftp> cd /cisco/access/5400
250-Please read the file README
250- it was last modified on Tue May 27 10:07:38 1997 - 48 days ago
250-Please read the file README.txt
250- it was last modified on Tue May 27 10:07:38 1997 - 48 days ago
250 CWD command successful.
Step 4 Enter the ls command to view the contents of the directory:
ftp> ls
227 Entering Passive Mode (192,31,7,130,218,128)
150 Opening ASCII mode data connection for /bin/ls.
total 2688
drwxr-s--T 2 ftpadmin ftpcio 512 Jun 30 18:11 .
drwxr-sr-t 19 ftpadmin ftpcio 512 Jun 23 10:26 ..
lrwxrwxrwx 1 root 3 10 Aug 6 1996 README ->README.txt
-rw-rw-r-- 1 root ftpcio 2304 May 27 10:07 README.txt
-r--r--r-- 1 ftpadmin ftpint 377112 Jul 10 18:08 np-spe-upw-10.0.1.2.bin
-r--r--r-- 1 ftpadmin ftpint 635 Jul 10 18:08 SPE-firmware.10.1.30.readme
Step 5 Specify a binary image transfer:
ftp> binary
200 Type set to I.
Step 6 Copy the SPE firmware files from the access server to your local environment with the get command.
Step 7 Quit your terminal session:
ftp> quit
Goodbye.
Step 8 Enter the ls -al command to verify that you successfully transferred the files to your local directory:
server% ls -al
total 596
-r--r--r-- 1 280208 Jul 10 18:08 np-spe-upw-10.0.1.2.bin
server% pwd
/auto/tftpboot
Step 9 Transfer these files to a local TFTP or remote copy protocol (RCP) server that your access server or
router can access.
Copying the SPE Firmware File from the Local TFTP Server to the SPEs
The procedure for copying the SPE firmware file from your local TFTP server to the Cisco AS5400
NextPort DFCs or Cisco AS5800 UPCs is a two-step process. First, transfer the SPE firmware to the
access server’s Flash memory. Then, configure the SPEs to use the upgraded firmware. The upgrade
occurs automatically, either as you leave configuration mode, or as specified in the configuration.
These two steps are performed only once. After you copy the SPE firmware file into Flash memory for
the first time, you should not have to perform these steps again.
Note Because the SPE firmware is configurable for individual SPEs or ranges of SPEs, the Cisco IOS
software automatically copies the SPE firmware to each SPE each time the access server restarts.
To transfer SPE Firmware to Flash memory, perform the following task to download the Universal SPE
firmware to Flash memory:
Step 1 Check the image in the access server Flash memory:
Router# show flash
System flash directory:
File Length Name/status
1 4530624 c5400-js-mx
[498776 bytes used, 16278440 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)
Step 2 Enter the copy tftp flash command to download the code file from the TFTP server into the access server
Flash memory. You are prompted for the download destination and the remote host name.
Router# copy tftp flash
Step 3 Enter the show flash command to verify that the file has been copied into the access server Flash
memory:
Router# show flash
Specifying a Country Name
To set the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs to be operational for call setup, you
must specify the country name. To specify the country name, use the following command in global
configuration mode:
Command and purpose:
Router(config)# spe country country-name
  Specifies the country to set the UPC or DFC parameters (including country code and encoding). If you
  do not specify a country, the interface uses the default. If the access server is configured with T1
  interfaces, the default is usa. If the access server is configured with E1 interfaces, the default is
  e1-default. Use the no form of this command to set the country code to the default of the domestic
  country.
  Note All sessions in all UPCs or DFCs in all slots must be in the idle state for this command to execute.
Configuring Dial Split Shelves (AS5800 Only)
The Cisco AS5800 access server requires a split dial shelf configuration using two router shelves to
achieve the maximum capacity of 2048 port connections using the seven UPCs and three T3 + 1 T1
trunks. A new configuration command is available to define the split point:
dial-shelf split backplane-ds0 option
The options for this command come in pairs, and vary according to the desired configuration. You will
need to log in to each router shelf and separately configure the routers for the intended load. In most
circumstances it is recommended that the predefined options are selected. These options are designed to
be matched pairs as seen below.
Option  Router Shelf 1                               Router Shelf 2                               Total
Pair    Option              Max. Calls    Unused T1  Option              Max. Calls    Unused T1
1       2ct3cas             1344                     1ct3cas             672                      2016
2       part2ct1ct3cas      1152          4          part1ct1ct3cas      888           3          2040
3       2ct3isdn            1288                     part1ct1ct3isdn_b   644           7          1932
4       part2ct1ct3isdn     1150          2          part1ct1ct3isdn     897           1          2047
5 (1)   3ce1                960                      3ce1                960                      1920
6       Default (no         1/2 of                   Default (no         1/2 of
        option entered)     current input            option entered)     current input
7       no dial-shelf       1024                     no dial-shelf       1024                     2048
        backplane-ds0                                backplane-ds0
(1) This option is used to revert to the default for an environment using 6 E1 lines.
The dial-shelf split slot 0 3 4 5 command must be defined for the dial-shelf split backplane-ds0 option
command to be active. You may also select the user defined option to define your own split.
Even if your system is already using a split dial shelf configuration, configuring one router shelf to
handle two T3 trunks and the other router to handle the third trunk requires you to take the entire access
server out of service. Busyout all connections before attempting to reconfigure. The configuration must
be changed to set up one pool of TDM resources that can be used by either DMM cards or UPCs, and a
second pool of two streams that contains TDM resources that can only be used by UPCs.
You may have more trunk capacity than 2048 calls. It is your decision how to provision the trunks so the
backplane capacity is not exceeded. If more calls come in than backplane DS0 capacity for that half of
the split, the call will be rejected and an error message printed for each call. This cannot be detected
while a new configuration is being built because the router cannot tell which T1 trunks are provisioned
and which are not. The user may want some trunks in hot standby.
The DMM, HMM, and VoIP cards can only use 1792 DS0 of the available 2048 backplane DS0. The
UPC and trunk cards can use the full 2048 backplane DS0. The show tdm splitbackplane command will
show the resources in two groups, the first 1792 accessible to all cards, and the remaining 256 accessible
only to UPC and trunk cards.
For more information about split dial shelf configuration, refer to the Cisco AS5800 Universal Access
Server Split Dial Shelf Installation and Configuration Guide and the hardware installation guides that
accompanied your Cisco AS5800 Universal Access Server.
Configuring SPEs to Use an Upgraded Firmware File
To configure the SPEs to use the upgraded firmware file, use the following commands beginning in
privileged EXEC mode to display the firmware version number:

Step 1
  Command: Router# show spe version
  Purpose: Displays SPE firmware versions to obtain the On-Flash firmware filename.
Step 2
  Command: Router# configure terminal
  Purpose: Enters global configuration mode.
Step 3
  Command (AS5400): Router(config)# spe slot/spe
                or: Router(config)# spe slot/spe slot/spe
  Command (AS5800): Router(config)# spe shelf/slot/spe
                or: Router(config)# spe shelf/slot/spe shelf/slot/spe
  Purpose: Enters the SPE configuration mode. You can choose to configure a range of SPEs by
  specifying the first and last SPE in the range.
Step 4
  Command: Router(config-spe)# firmware upgrade {busyout | download-maintenance | reboot}
  Purpose: Specifies the upgrade method. Three methods of upgrade are available. The busyout
  keyword waits until all calls are terminated on an SPE before upgrading the SPE to the designated
  firmware. The download-maintenance keyword upgrades the firmware during the download
  maintenance time. The reboot keyword requests the access server to upgrade firmware at the next
  reboot.
Step 5
  Command: Router(config-spe)# firmware location filename
  Purpose: Specifies the SPE firmware file in Flash memory to use for the selected SPEs. Allows you
  to upgrade firmware for SPEs after the new SPE firmware image is copied to your Flash memory.
  Enter the no firmware location command to revert back to the default Cisco IOS bundled SPE
  firmware.
Step 6
  Command: Router(config-spe)# exit
  Purpose: Exits SPE configuration mode.
Step 7
  Command: Router# exit
  Purpose: Exits global configuration mode.
Step 8
  Command: Router# copy running-config startup-config
  Purpose: Saves your changes.

Note The copy ios-bundled command is not necessary with UPCs or NextPort DFCs. By default, the
version of SPE firmware bundled with the Cisco IOS software release transfers to all SPEs not
specifically configured for a different SPE firmware file.

Disabling SPEs
To disable specific SPEs in the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs, use the following
commands starting in global configuration mode:

Step 1
  Command (Cisco AS5400 series routers): Router(config)# spe slot/spe
                                     or: Router(config)# spe slot/spe slot/spe
  Command (Cisco AS5800 series routers): Router(config)# spe shelf/slot/spe
                                     or: Router(config)# spe shelf/slot/spe shelf/slot/spe
  Purpose: Enters SPE configuration mode. You can also configure SPEs specifying the first and last
  SPE in a range.
Step 2
  Command: Router(config-spe)# busyout
  Purpose: Gracefully disables an SPE by waiting for all the active services on the specified SPE to
  terminate. You can perform auto-diagnostic tests and firmware upgrades when you put the SPEs in
  the Busyout state. Active ports on the specified SPE will change the state of the specified range of
  SPEs to the BusyoutPending state. The state changes from BusyoutPending to Busiedout when all
  calls end. Use the show spe command to see the state of the range of SPEs.
  Use the no form of this command to re-enable the SPEs.
Step 3
  Command: Router(config-spe)# shutdown
  Purpose: Clears active calls on all ports on the SPE. Calls can no longer be placed on the SPE
  because the SPE state is changed to Busiedout.
  Use the no form of this command to re-enable the ports on the SPE.

Rebooting SPEs
To reboot specified SPEs, use the following command in privileged EXEC mode:

  Command (Cisco AS5400 series routers): Router# clear spe slot/spe
  Command (Cisco AS5800 series routers): Router# clear spe shelf/slot/spe
  Purpose: Allows manual recovery of a port that is frozen in a suspended state. Reboots SPEs that are
  in suspended or Bad state. Downloads configured firmware to the specified SPE or range of SPEs
  and power-on self test (POST) is executed.
  Note Depending on the problem, sometimes downloading the SPE firmware may not help recover a
  bad port or an SPE.
  This command can be executed regardless of the state of SPEs. All active ports running on the SPE
  are prematurely terminated, and messages are logged into the appropriate log.
Configuring Lines
To configure the lines to dial in to your network, use the following commands beginning in global
configuration mode:

Step 1
  Command (Cisco AS5400 series routers): Router(config)# line slot/port slot/port
  Command (Cisco AS5800 series routers): Router(config)# line shelf/slot/port shelf/slot/port
  Purpose: Enters the line configuration mode. You can specify a range of slot and port numbers to
  configure.
  On the Cisco AS5400 access server, the NextPort DFC slot is defined as a value between 1 and 7.
  Slot 0 is reserved for the motherboard. Each NextPort DFC provides 18 SPEs. The SPE value ranges
  from 0 to 17. Since each SPE has six ports, the NextPort DFC has a total of 108 ports. The port value
  ranges from 0 to 107. To configure 108 ports on slot 3, you would enter line 3/00 3/107. If you wish
  to configure 324 ports on slots 3-5, you would enter line 3/00 5/107.
  On the Cisco AS5800 access server, the UPC slot is defined as a value between 2 and 11. Each UPC
  provides 54 SPEs. The SPE value ranges from 0 to 53. Because each SPE has six ports, the UPC has
  a total of 324 ports. The port value ranges from 0 to 323. To configure 324 ports on slot 3, you would
  enter line 1/3/00 1/3/323. If you want to configure 972 ports on slots 3-5, you would enter
  line 1/3/00 1/5/323.
Step 2
  Command: Router(config-line)# transport input all
  Purpose: Allows all protocols when connecting to the line.
Step 3
  Command: Router(config-line)# autoselect ppp
  Purpose: Enables remote IP users running a PPP application to dial in, bypass the EXEC facility, and
  connect directly to the network.
Step 4
  Command: Router(config-line)# modem inout
  Purpose: Enables incoming and outgoing calls.
Step 5
  Command: Router(config-line)# modem autoconfigure type name
  Purpose: Configures the attached modem using the entry for name.
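The slot, SPE and port numbering rules from Step 1 are easy to get wrong when a line range is typed by hand, so here they are encoded as a small Python helper. This is an added example, not code from the Cisco guide or from Cisco IOS: the limits (AS5400 slots 1-7 with 18 SPEs per DFC, AS5800 slots 2-11 with 54 SPEs per UPC, six ports per SPE) come from the text above, while the function names and the shelf default are this example's own.

```python
"""Line/port numbering helpers for Cisco AS5400 NextPort DFC and AS5800 UPC lines.

Added example (not Cisco's code): the platform limits below are taken from the
configuration guide text; function names are this example's own.
"""

# Per-platform numbering from the guide: valid card slots and SPEs per card.
PLATFORMS = {
    "AS5400": {"slots": range(1, 8), "spes": 18},   # slot 0 is the motherboard
    "AS5800": {"slots": range(2, 12), "spes": 54},
}
PORTS_PER_SPE = 6


def ports_per_card(platform):
    """Total async ports on one DFC/UPC (18*6 = 108 on AS5400, 54*6 = 324 on AS5800)."""
    return PLATFORMS[platform]["spes"] * PORTS_PER_SPE


def spe_for_port(platform, slot, port):
    """Return the SPE index that owns (slot, port); raises ValueError for out-of-range input."""
    spec = PLATFORMS[platform]
    if slot not in spec["slots"]:
        raise ValueError(f"{platform}: slot {slot} is not a valid card slot")
    last_port = ports_per_card(platform) - 1
    if not 0 <= port <= last_port:
        raise ValueError(f"{platform}: port {port} is outside 0-{last_port}")
    return port // PORTS_PER_SPE


def line_range_command(platform, first_slot, last_slot, shelf=1):
    """Build the 'line' command covering every port on first_slot..last_slot.

    Mirrors the guide's examples: 'line 3/00 5/107' on the AS5400 and
    'line 1/3/00 1/5/323' on the AS5800 (shelf prefix only on the AS5800;
    shelf 1 is this example's assumed default).
    """
    spec = PLATFORMS[platform]
    if (first_slot > last_slot or first_slot not in spec["slots"]
            or last_slot not in spec["slots"]):
        raise ValueError(f"{platform}: slot range {first_slot}-{last_slot} is invalid")
    last_port = ports_per_card(platform) - 1
    prefix = f"{shelf}/" if platform == "AS5800" else ""
    return f"line {prefix}{first_slot}/00 {prefix}{last_slot}/{last_port}"


def total_ports(platform, first_slot, last_slot):
    """Number of ports covered by line_range_command (validation happens there)."""
    line_range_command(platform, first_slot, last_slot)
    return (last_slot - first_slot + 1) * ports_per_card(platform)


if __name__ == "__main__":
    print(line_range_command("AS5400", 3, 5), total_ports("AS5400", 3, 5))
    print(line_range_command("AS5800", 3, 5), total_ports("AS5800", 3, 5))
    # The guide's troubleshooting example: port 2/5 is the sixth port on the DFC in slot 2,
    # which makes it the last port of SPE 0.
    print("AS5400 port 2/5 belongs to SPE", spe_for_port("AS5400", 2, 5))
```

The validation is the point: a range that names slot 0 on an AS5400, or a port number past the card's last port, is rejected before it becomes a configuration command.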
Configuring Ports
This section describes how to configure Cisco AS5800 UPC or Cisco AS5400 NextPort DFC ports. You
need to be in port configuration mode to configure these ports. The port configuration mode allows you
to shut down or put individual ports or ranges of ports in busyout mode. To configure Cisco AS5800 UPC
or Cisco AS5400 NextPort DFC ports, perform the following tasks beginning in global configuration
mode:

Step 1
  Command (Cisco AS5400 series routers): Router(config)# port slot/spe
                                     or: Router(config)# port slot/spe slot/spe
  Command (Cisco AS5800 series routers): Router(config)# port shelf/slot/spe
                                     or: Router(config)# port shelf/slot/spe shelf/slot/spe
  Purpose: Enters port configuration mode. You can choose to configure a single port or range of
  ports.
Step 2
  Command: Router(config-port)# busyout
  Purpose: (Optional) Gracefully disables a port by waiting for the active services on the specified
  port to terminate. Use the no form of this command to re-enable the ports.
  Maintenance activities, such as testing, can still be performed while the port is in busyout mode.
  Note When a port is in busyout mode, the state of the SPE is changed to the consolidated states of
  all the underlying ports on that SPE.
Step 3
  Command: Router(config-port)# shutdown
  Purpose: (Optional) Clears active calls on the port. No more calls can be placed on the port in the
  shutdown mode. Use the no form of this command to re-enable the ports.
  Note When a port is in shutdown mode, the state of the SPE is changed to the consolidated states of
  all the underlying ports on that SPE.
Step 4
  Command: Router(config-port)# exit
  Purpose: Exits port configuration mode.
Verifying SPE Line and Port Configuration
To verify your SPE line and port configuration, use the following show commands:
Step 1 Enter the show spe command to display a summary for all the lines and ports:
Router# show spe
Step 2 Enter the show line command to display a summary for a single line.
AS5400
Router# show line 1/1
AS5800
Router# show line 1/2/10
Note If you are having trouble, make sure that you have turned on the protocols for connecting to the
lines (transport input all) and that your access server is configured for incoming and outgoing calls
(modem inout).
Configuring SPE Performance Statistics
Depending on the configuration, the call record is displayed on the console, in the syslog, or in both.
The log contains raw data in binary form, which must be viewed using the show commands listed in the
section "Monitoring SPE Performance Statistics." You can configure some aspects of history events by
using one of the following commands in global configuration mode:

  Command: Router(config)# spe call-record modem max-userid
  Purpose: Requests the access server to generate a modem call record after a call is terminated. To
  disable this function, use the no form of this command.

  Command: Router(config)# spe log-size number
  Purpose: Sets the maximum size of the history event queue log entry for each port. The default is
  50 events per port.
Clearing Log Events
To clear some or all of the log events relating to the SPEs as needed, use the following privileged EXEC
mode commands:

  Command: Router# clear spe log
  Purpose: Clears all event entries in the slot history event log.

  Command: Router# clear spe counters
  Purpose: Clears statistical counters for all types of services for the specified SPE, a specified range
  of SPEs, or all SPEs. If you do not specify the range of SPEs or an SPE, the statistics for all SPEs are
  cleared.

  Command: Router# clear port log
  Purpose: Clears all event entries in the port level history event log. You cannot remove individual
  service events from the port log.

Troubleshooting SPEs
This section provides troubleshooting information for your SPEs regardless of service type mode.
Note SPE ports that pass the diagnostic test are marked as Pass, Fail, and Unkn. Ports that fail the
diagnostic test are marked as Bad. These ports cannot be used for call connections.
Depending on how many ports are installed, the diagnostic tests may take from 5 to 10
minutes to complete.
• Enter the port modem startup-test command to perform diagnostic testing for all modems during
the system's initial startup or rebooting process. To disable the test, enter the no port modem
startup-test command.
• Enter the port modem autotest command to perform diagnostic testing for all ports during the
system's initial startup or rebooting process. To disable the test, enter the no port modem autotest
command.
You may additionally configure the following options:
– Enter the port modem autotest minimum ports command to define the minimum number of
free ports available for autotest to begin.
– Enter the port modem autotest time hh:mm interval command to enable autotesting time and
interval.
– Enter the port modem autotest error threshold command to define the maximum number of
errors detected for autotest to begin.
• Enter the show port modem test command to display results of the SPE port startup test and SPE
port auto-test.
When an SPE port is tested as Bad, you may perform additional testing by conducting a series of internal
back-to-back connections and data transfers between two SPE ports. All port test connections occur
inside the access server. For example, if mobile users cannot dial into port 2/5 (which is the sixth port
on the NextPort DFC in the second chassis slot), attempt a back-to-back test with port 2/5 and a
known-functioning port such as port 2/6.
• Enter the test port modem back-to-back slot/port slot/port command to perform internal
back-to-back port tests between two ports sending test packets of the specified size.
Note You might need to enable this command on several different combinations of ports to
determine which one is not functioning properly. A pair of operable ports successfully
connects and completes transmitting data in both directions. An operable port and an
inoperable port do not successfully connect with each other.
A sample back-to-back test might look like the following:
Router# test port modem back-to-back 2/10 3/20
Repetitions (of 10-byte packets) [1]:
*Mar 02 12:13:51.743:%PM_MODEM_MAINT-5-B2BCONNECT:Modems (2/10) and (3/20) connected
in back-to-back test:CONNECT33600/V34/LAP
*Mar 02 12:13:52.783:%PM_MODEM_MAINT-5-B2BMODEMS:Modems (3/20) and (2/10) completed
back-to-back test:success/packets = 2/2
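When a back-to-back test is run against several port combinations, the result lines arrive in the log interleaved and with the port pair in either order, so it helps to let a script decide which port is the odd one out. The following is an added example, not code from the Cisco guide: the two message formats are those of the sample output above, the first pair of log lines in the sample is the guide's own, and the remaining lines are constructed for the example (the exact text a real failure prints is not shown in the guide, so the parser treats any status other than success with all packets received as a failure, and a connect line with no completion line as an unfinished test). The packet-count interpretation (sent/received) and all function names are this example's assumptions.

```python
"""Parse back-to-back modem test messages and flag suspect SPE ports.

Added example, not Cisco's code. Message formats follow the guide's sample
output; the failure and unfinished-test lines in SAMPLE_LOG are constructed.
"""
import re

_CONNECT = re.compile(
    r"%PM_MODEM_MAINT-5-B2BCONNECT:Modems \((?P<a>[\d/]+)\) and \((?P<b>[\d/]+)\) "
    r"connected in back-to-back test:(?P<connect>\S+)"
)
_RESULT = re.compile(
    r"%PM_MODEM_MAINT-5-B2BMODEMS:Modems \((?P<a>[\d/]+)\) and \((?P<b>[\d/]+)\) "
    r"completed back-to-back test:(?P<status>\w+)/packets = (?P<sent>\d+)/(?P<recv>\d+)"
)

# Constructed sample: lines 1-2 are the guide's output (joined onto single lines);
# lines 3-5 are made up for this example.
SAMPLE_LOG = """\
*Mar 02 12:13:51.743:%PM_MODEM_MAINT-5-B2BCONNECT:Modems (2/10) and (3/20) connected in back-to-back test:CONNECT33600/V34/LAP
*Mar 02 12:13:52.783:%PM_MODEM_MAINT-5-B2BMODEMS:Modems (3/20) and (2/10) completed back-to-back test:success/packets = 2/2
*Mar 02 12:15:01.100:%PM_MODEM_MAINT-5-B2BCONNECT:Modems (2/5) and (2/6) connected in back-to-back test:CONNECT33600/V34/LAP
*Mar 02 12:15:02.200:%PM_MODEM_MAINT-5-B2BMODEMS:Modems (2/6) and (2/5) completed back-to-back test:failure/packets = 2/0
*Mar 02 12:16:00.000:%PM_MODEM_MAINT-5-B2BCONNECT:Modems (2/7) and (2/6) connected in back-to-back test:CONNECT33600/V34/LAP
"""


def _pair(a, b):
    """Order-independent key, since the completion line lists the ports swapped."""
    return tuple(sorted((a, b)))


def _new_record():
    return {"connect": None, "status": None, "packets": None, "passed": False}


def parse_b2b_log(text):
    """Return {(port, port): record} with connect string, status and packet counts.

    'passed' is True only for status 'success' with every packet received
    (assumed meaning of the 'packets = sent/received' field).
    """
    results = {}
    for line in text.splitlines():
        m = _CONNECT.search(line)
        if m:
            results.setdefault(_pair(m["a"], m["b"]), _new_record())["connect"] = m["connect"]
            continue
        m = _RESULT.search(line)
        if m:
            rec = results.setdefault(_pair(m["a"], m["b"]), _new_record())
            sent, recv = int(m["sent"]), int(m["recv"])
            rec.update(status=m["status"], packets=(sent, recv),
                       passed=(m["status"] == "success" and sent == recv > 0))
    return results


def suspect_ports(results, known_good):
    """Ports that were paired with a known-good port and did not pass.

    Implements the guide's rule: an operable pair connects and completes in
    both directions; an operable port and an inoperable port do not.
    """
    bad = set()
    for (a, b), rec in results.items():
        if rec["passed"]:
            continue
        if a in known_good and b not in known_good:
            bad.add(b)
        elif b in known_good and a not in known_good:
            bad.add(a)
    return sorted(bad)


if __name__ == "__main__":
    res = parse_b2b_log(SAMPLE_LOG)
    for pair, rec in sorted(res.items()):
        print(pair, rec)
    print("suspect:", suspect_ports(res, known_good={"3/20", "2/6"}))
```

With ports 3/20 and 2/6 declared known-good, the sample yields 2/5 (failed transfer) and 2/7 (connected but never completed) as the ports to reboot with clear spe or mark for recovery.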
Tips You may reboot the port that has problems using the clear spe EXEC command.
• Enter the spe recovery {port-action {disable | recover | none} | port-threshold num-failures}
command to perform automatic recovery (removal from service and reloading of SPE firmware) of
ports on an SPE at any available time.
An SPE port failing to connect for a certain number of consecutive times indicates that a problem
exists in a specific part or the whole of SPE firmware. Such SPEs have to be recovered by
downloading firmware. Any port failing to connect num-failures times is moved to a state based on
the port-action value, where you can choose to disable (mark the port as Bad) or recover the port
when the SPE is in the idle state and has no active calls. The default for num-failures is 30
consecutive call failures.
Tips You may also schedule recovery using the spe download maintenance command.
• Enter the spe download maintenance time hh:mm | stop-time hh:mm | max-spes number | window
time-period | expired-window {drop-call | reschedule} command to perform a scheduled recovery
of SPEs.
The download maintenance activity starts at the set start time and steps through all the SPEs that
need recovery and the SPEs that need a firmware upgrade and starts maintenance on the maximum
number of set SPEs for maintenance. The system waits for the window delay time for all the ports
on the SPE to become inactive before moving the SPE to the Idle state. Immediately after the SPE
moves to Idle state, the system starts to download firmware. If the ports are still in use by the end of
the window delay time, the expired-window setting decides what happens: with the drop-call option,
connections on the SPE ports are shut down and the firmware is downloaded; with the reschedule
option, the firmware download is rescheduled to the next download maintenance time.
This process continues until the number of SPEs under maintenance is below max-spes, or until
stop-time (if set), or until all SPEs marked for recovery or upgrade have had their firmware
reloaded.
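The SPE state transitions described under "Disabling SPEs" (busyout moving an SPE from BusyoutPending to Busiedout once its calls end, shutdown clearing calls outright) and the recovery rules just described (the spe recovery failure threshold with its port-action, and the download maintenance window with expired-window drop-call or reschedule) fit together into one small model. The following Python is an added example, not code from the Cisco guide or from Cisco IOS: it exercises those rules offline with six-port SPEs. Timing is simplified to integer minutes, the max-spes handling (SPEs beyond the limit wait for the next window) and the reset of the failure counter after an action are this example's assumptions, and all names are its own.

```python
"""Model of the SPE states and recovery rules described in the guide.

Added example, not Cisco's code: busyout/shutdown transitions, the 'spe
recovery' threshold, and the download-maintenance window decision, written as
plain Python so the rules can be exercised offline. Timing is a simplified
model (minutes as ints); the max-spes and counter-reset behaviour are assumed.
"""


class Port:
    def __init__(self):
        self.active_call = False
        self.consecutive_failures = 0
        self.bad = False                 # marked Bad by port-action disable


class Spe:
    def __init__(self, spe_id, ports=6):  # six ports per SPE, as in the guide
        self.id = spe_id
        self.ports = [Port() for _ in range(ports)]
        self.state = "Idle"              # Idle | BusyoutPending | Busiedout
        self.needs_recovery = False

    def active_calls(self):
        return sum(1 for p in self.ports if p.active_call)

    def busyout(self):
        """'busyout': wait for calls to end; Busiedout at once if nothing is active."""
        self.state = "BusyoutPending" if self.active_calls() else "Busiedout"
        return self.state

    def end_call(self, port_index):
        self.ports[port_index].active_call = False
        if self.state == "BusyoutPending" and self.active_calls() == 0:
            self.state = "Busiedout"
        return self.state

    def shutdown(self):
        """'shutdown': clears every active call and moves straight to Busiedout."""
        for p in self.ports:
            p.active_call = False
        self.state = "Busiedout"
        return self.state


def record_call(spe, port_index, succeeded, port_action="recover", port_threshold=30):
    """Apply the 'spe recovery' rule to one call outcome on one port.

    Returns None, 'disabled' (port marked Bad) or 'recovery-scheduled'.
    port_threshold defaults to the guide's 30 consecutive failures.
    """
    port = spe.ports[port_index]
    if succeeded:
        port.consecutive_failures = 0    # only consecutive failures count
        return None
    port.consecutive_failures += 1
    if port.consecutive_failures < port_threshold:
        return None
    port.consecutive_failures = 0        # assumption: counter restarts after an action
    if port_action == "disable":
        port.bad = True
        return "disabled"
    if port_action == "recover":
        spe.needs_recovery = True
        return "recovery-scheduled"
    return None                          # port-action none: record only


def run_download_maintenance(spes, idle_at, max_spes, window, expired_window):
    """Decide what one scheduled maintenance run does with each SPE.

    idle_at maps spe_id -> minutes after start at which its last call ends
    (None = ports stay busy). Returns spe_id -> outcome string.
    """
    outcome = {}
    started = 0
    for spe in spes:
        if not spe.needs_recovery:
            outcome[spe.id] = "skipped"
            continue
        if started >= max_spes:
            outcome[spe.id] = "rescheduled"            # beyond max-spes: next window (assumed)
            continue
        started += 1
        quiet = idle_at.get(spe.id)
        if quiet is not None and quiet <= window:
            outcome[spe.id] = "reloaded"               # went Idle inside the window
        elif expired_window == "drop-call":
            outcome[spe.id] = "reloaded-calls-dropped"  # calls shut down, firmware loaded
        else:
            outcome[spe.id] = "rescheduled"            # expired-window reschedule
        if outcome[spe.id] != "rescheduled":
            spe.needs_recovery = False
    return outcome
```

The useful observation from running it is operational rather than technical: with expired-window reschedule, an SPE whose ports never go quiet is never reloaded, so a port that keeps failing stays in service until someone intervenes with clear spe.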
Monitoring SPE Performance Statistics
This section documents various SPE performance statistics for the Cisco AS5400 NextPort DFCs or
Cisco AS5800 UPCs:
• SPE Events and Firmware Statistics
• Port Statistics
• Digital SPE Statistics
• SPE Modem Statistics
SPE Events and Firmware Statistics
To view SPE events and firmware statistics for the Cisco AS5400 NextPort DFCs or Cisco AS5800
UPCs, use one or more of the following commands in privileged EXEC mode:

  Command (Cisco AS5400 series routers): Router# show spe slot/spe
  Command (Cisco AS5800 series routers): Router# show spe shelf/slot/spe
  Purpose: Displays the SPE status for the specified range of SPEs.

  Command: Router# show spe log [reverse | slot]
  Purpose: Displays the SPE system log.

  Command: Router# show spe version
  Purpose: Lists all SPEs and the SPE firmware files used.
  Note This list helps you decide if you need to update your SPE firmware files.

Port Statistics
To view port statistics for the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs, use the following
commands in privileged EXEC mode as needed:

  Command (Cisco AS5400 series routers): Router# show port config {slot | slot/port}
  Command (Cisco AS5800 series routers): Router# show port config {slot | shelf/slot/port}
  Purpose: Displays the configuration information for specified ports or the specified port range. The
  port should have an active session associated at the time the command is executed.

  Command (Cisco AS5400 series routers): Router# show port digital log [reverse slot/port] [slot | slot/port]
  Purpose: Displays the digital data event log.

  Command (Cisco AS5400 series routers): Router# show port modem log [reverse slot/port] [slot | slot/port]
  Command (Cisco AS5800 series routers): Router# show port modem log [reverse shelf/slot/port] [shelf/slot | shelf/slot/port]
  Purpose: Displays the port history event log.

  Command (Cisco AS5400 series routers): Router# show port modem test [slot | slot/port]
  Command (Cisco AS5800 series routers): Router# show port modem test [shelf/slot | shelf/slot/port]
  Purpose: Displays the test log for the specified SPE port range or all the SPE ports.

  Command (Cisco AS5400 series routers): Router# show port operational-status [slot | slot/port]
  Command (Cisco AS5800 series routers): Router# show port operational-status [shelf/slot | shelf/slot/port]
  Purpose: Displays the operational status of the specified ports or the specified port range. The port
  should have an active session associated at the time the command is executed.

Digital SPE Statistics
To view digital SPE statistics for the Cisco AS5400 NextPort DFCs, use one or more of the following
commands in privileged EXEC mode:

  Command: Router# show spe digital [slot | slot/spe]
  Purpose: Displays history statistics of all digital SPEs.

  Command: Router# show spe digital active [slot | slot/spe]
  Purpose: Displays active digital statistics of a specified SPE, the specified range of SPEs, or all the
  SPEs.

  Command: Router# show spe digital csr [summary | slot | slot/spe]
  Purpose: Displays the digital call success rate statistics for a specific SPE, a range of SPEs, or all
  the SPEs.

  Command: Router# show spe digital disconnect-reason [summary | slot | slot/spe]
  Purpose: Displays the digital disconnect reasons for the specified SPE or range of SPEs. The
  disconnect reasons are displayed with Class boundaries.

  Command: Router# show spe digital summary [slot | slot/spe]
  Purpose: Displays digital history statistics of all SPEs, a specified SPE, or the specified range of
  SPEs for all service types.
SPE Modem Statistics
To view SPE modem statistics for the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs, use one or
more of the following commands in privileged EXEC mode:

  Command (Cisco AS5400 series routers): Router# show spe modem active {slot | slot/spe}
  Command (Cisco AS5800 series routers): Router# show spe modem active {shelf/slot | shelf/slot/spe}
  Purpose: Displays the active statistics of a specified SPE, a specified range of SPEs, or all the SPEs
  serving modem traffic.

  Command (Cisco AS5400 series routers): Router# show spe modem csr {summary | slot | slot/spe}
  Command (Cisco AS5800 series routers): Router# show spe modem csr {summary | shelf/slot | shelf/slot/spe}
  Purpose: Displays the call success rate statistics for a specific SPE, range of SPEs, or all the SPEs.

  Command (Cisco AS5400 series routers): Router# show spe modem disconnect-reason {summary | slot | slot/spe}
  Command (Cisco AS5800 series routers): Router# show spe modem disconnect-reason {summary | shelf/slot | shelf/slot/spe}
  Purpose: Displays the disconnect reasons for the specified SPE or range of SPEs. The disconnect
  reasons are displayed with Class boundaries.

  Command (Cisco AS5400 series routers): Router# show spe modem high speed {summary | slot | slot/spe}
  Command (Cisco AS5800 series routers): Router# show spe modem high speed {summary | shelf/slot | shelf/slot/spe}
  Purpose: Shows the connect-speeds negotiated within each high speed modulation or codecs for a
  specific range of SPEs or all the SPEs.

  Command (Cisco AS5400 series routers): Router# show spe modem low speed {summary | slot | slot/spe}
  Command (Cisco AS5800 series routers): Router# show spe modem low speed {summary | shelf/slot | shelf/slot/spe}
  Purpose: Shows the connect-speeds negotiated within each low speed modulation or codecs for a
  specific range of SPEs or all the SPEs.

  Command (Cisco AS5400 series routers): Router# show spe modem high standard {summary | slot | slot/spe}
  Command (Cisco AS5800 series routers): Router# show spe modem high standard {summary | shelf/slot | shelf/slot/spe}
  Purpose: Displays the total number of connections within each low modulation or codec for a
  specific range of SPEs.

  Command (Cisco AS5400 series routers): Router# show spe modem low standard {summary | slot | slot/spe}
  Command (Cisco AS5800 series routers): Router# show spe modem low standard {summary | shelf/slot | shelf/slot/spe}
  Purpose: Displays the total number of connections within each high modulation or codec for a
  specific range of SPEs.

  Command (Cisco AS5400 series routers): Router# show spe modem summary {slot | slot/spe}
  Command (Cisco AS5800 series routers): Router# show spe modem summary {shelf/slot | shelf/slot/spe}
  Purpose: Displays the history statistics of all SPEs, specified SPE or the specified range of SPEs.
Configuring and Managing External Modems
This chapter describes how to configure externally connected modems. These tasks are presented in the
following main sections:
• External Modems on Low-End Access Servers
• Automatically Configuring an External Modem
• Manually Configuring an External Modem
• Supporting Dial-In Modems
• Testing the Modem Connection
• Managing Telnet Sessions
• Modem Troubleshooting Tips
• Checking Other Modem Settings
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the modem support commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
External Modems on Low-End Access Servers
Some of the Cisco lower-end access servers, such as the Cisco AS2511-RJ shown in Figure 23, have
cable connections to external modems. The asynchronous interfaces and lines are inside the access
server.
Figure 23 Cisco AS2511-RJ Access Server
When you configure modems to function with your access server, you must provide initialization strings
and other settings on the modem to tell it how to function with the access server.
This section assumes that you have already physically attached the modem to the access server. If not,
refer to the user guide or installation and configuration guide for your access server for information
about attaching modems.
Automatically Configuring an External Modem
The Cisco IOS software can issue initialization strings automatically, in a file called a modemcap, for
most types of modems externally attached to the access server. A modemcap is a series of parameter
settings that are sent to your modem to configure it to interact with the Cisco device in a specified way.
The Cisco IOS software defines modemcaps that have been found to properly initialize most modems so
that they function properly with Cisco routers and access servers. For Cisco IOS Release 12.2, these
modemcaps have the following names:
• default—Generic Hayes interface external modem
• codex_3260—Motorola Codex 3260 external
• usr_courier—U.S. Robotics Courier external
• usr_sportster—U.S. Robotics Sportster external
• hayes_optima—Hayes Optima external (1)
• global_village—Global Village Teleport external
• viva—Viva (Rockwell ACF with MNP) external
• telebit_t3000—Telebit T3000 external
• nec_v34—NEC V.34 external
• nec_v110—NEC V.110 TA external
• nec_piafs—NEC PIAFS TA external
1. The hayes_optima modemcap is not recommended for use; instead, use the default modemcap.

[Figure 23, Cisco AS2511-RJ Access Server: the chassis provides ASYNC ports 1 through 16; the
modems are outside the chassis.]
Enter these modemcap names with the modemcap entry command.
If your modem is not on this list and if you know what modem initialization string you need to use with
it, you can create your own modemcap; see the following procedure “Using the Modem Autoconfigure
Type Modemcap Feature.” To have the Cisco IOS software determine what type of modem you have, use
the modem autoconfigure discovery command to configure it, as described in the procedure “Using the
Modem Autoconfigure Discovery Feature.”
Using the Modem Autoconfigure Type Modemcap Feature
Step 1 Use the modemcap edit command to define your own modemcap entry.
The following example defines modemcap MODEMCAPNAME:
Router(config)# modemcap edit MODEMCAPNAME miscellaneous &FS0=1&D3
Step 2 Apply the modemcap to the modem lines as shown in the following example:
Router# terminal monitor
Router# debug confmodem
Modem Configuration Database debugging is on
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# line 33 34
Router(config-line)# modem autoconfigure type MODEMCAPNAME
Router(config-line)#
Jan 16 18:12:59.643: TTY34: detection speed (115200) response ---OK---
Jan 16 18:12:59.643: TTY34: Modem command: --AT&FS0=1&D3--
Jan 16 18:12:59.659: TTY33: detection speed (115200) response ---OK---
Jan 16 18:12:59.659: TTY33: Modem command: --AT&FS0=1&D3--
Jan 16 18:13:00.227: TTY34: Modem configuration succeeded
Jan 16 18:13:00.227: TTY34: Detected modem speed 115200
Jan 16 18:13:00.227: TTY34: Done with modem configuration
Jan 16 18:13:00.259: TTY33: Modem configuration succeeded
Jan 16 18:13:00.259: TTY33: Detected modem speed 115200
Jan 16 18:13:00.259: TTY33: Done with modem configuration
Using the Modem Autoconfigure Discovery Feature
If you prefer the modem software to use its autoconfigure mechanism to configure the modem, use the
modem autoconfigure discovery command.
The following example shows how to configure modem autoconfigure discovery mode:
Router# terminal monitor
Router# debug confmodem
Modem Configuration Database debugging is on
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# line 33 34
Router(config-line)# modem autoconfigure discovery
Jan 16 18:16:17.724: TTY33: detection speed (115200) response ---OK---
Jan 16 18:16:17.724: TTY33: Modem type is default
Jan 16 18:16:17.724: TTY33: Modem command: --AT&F&C1&D2S0=1H0--
Jan 16 18:16:17.728: TTY34: detection speed (115200) response ---OK---
Jan 16 18:16:17.728: TTY34: Modem type is default
Jan 16 18:16:17.728: TTY34: Modem command: --AT&F&C1&D2S0=1H0--
Jan 16 18:16:18.324: TTY33: Modem configuration succeeded
Jan 16 18:16:18.324: TTY33: Detected modem speed 115200
Jan 16 18:16:18.324: TTY33: Done with modem configuration
Jan 16 18:16:18.324: TTY34: Modem configuration succeeded
Jan 16 18:16:18.324: TTY34: Detected modem speed 115200
Jan 16 18:16:18.324: TTY34: Done with modem configuration
Manually Configuring an External Modem
If you cannot configure your modem automatically, you must configure it manually. This section
describes how to determine and issue the correct initialization string for your modem and how to
configure your modem with it.
Modem command sets vary widely. Although most modems use the Hayes command set (prefixing
commands with at), Hayes-compatible modems do not use identical at command sets.
Refer to the documentation that came with your modem to learn how to examine the current and stored
configuration of the modem that you are using. Generally, you enter at commands such as &v, i4, or *o
to view, inspect, or observe the settings.
Timesaver You must first create a direct Telnet or connection session to the modem before you can send an
initialization string. You can use AT&F as a basic modem initialization string in most cases. To
establish a direct Telnet session to an external modem, determine the IP address of your LAN
(Ethernet) interface, and then enter a Telnet command to port 2000 + n on the access server, where n
is the line number to which the modem is connected. See the sections “Testing the Modem
Connection” and “Managing Telnet Sessions” for more information about making Telnet
connections.
A sample modem initialization string for a US Robotics Courier modem is as follows:
&b1&h1&r2&c1&d3&m4&k1s0=1
Modem initialization strings enable the following functions:
• Locks the speed of the modem to the speed of the serial port on the access server
• Sets hardware flow control (RTS/CTS or request to send/clear to send)
• Ensures correct data carrier detect (DCD) operation
• Ensures proper data terminal ready (DTR) interpretation
• Answers calls on the first ring
Note Make sure to turn off automatic baud rate detection because the modem speeds must be set to a fixed
value.
The port speed must not change when a session is negotiated with a remote modem. If the speed of the
port on the access server is changed, you must establish a direct Telnet session to the modem and send
an at command so that the modem can learn the new speed.
Modems differ in the method that they use to lock the EIA/TIA-232 (serial) port speed. In the modem
documentation, vendors use terms such as port-rate adjust, speed conversion, or buffered mode. Enabling
error correction often puts the modem in the buffered mode. Refer to your modem documentation to
learn how your modem locks speed (check the &b, \j, &q, \n, or S-register settings).
RTS and CTS signals must be used between the modem and the access server to control the flow of data.
Configuring software flow control, or no flow control at all, can result in hung sessions and loss of
data. Modems differ in the method that they use to enable hardware flow control. Refer to your modem
documentation to learn how to enable hardware flow control (check the &e, &k, &h, &r, or S-register
settings).
The modem must use the DCD wire to indicate to the access server when a session has been negotiated
and is established with a remote modem. Most modems use the setting &c1. Refer to your modem
documentation for the DCD settings used with your modem.
The modem must interpret a toggle of the DTR signal as a command to drop any active call and return
to the stored settings. Most modems use the settings &d2 or &d3. Refer to your modem documentation
for the DTR settings used with your modem.
If a modem is used to service incoming calls, it must be configured to answer a call after a specific
number of rings. Most modems use the setting s0=1 to answer the call after one ring. Refer to your
modem documentation for the settings used with your modem.
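The following script is an added example and not part of this guide: it tokenizes a modem initialization string and checks it against the five functions listed above. The string it checks is the US Robotics Courier example from this section. The sets of speed-lock and flow-control commands it recognizes are the vendor-dependent settings named in this section, so treat them as an assumption to confirm against your own modem documentation; the function names are this example's own.

```python
import re

# Added example, not part of the Cisco guide. Tokenizes an AT initialization
# string and checks that it covers the five functions the guide requires.
# Assumption: the speed-lock and hardware-flow-control command sets below are
# the vendor-dependent settings the guide names; confirm them for your modem.

INIT_STRING = "&b1&h1&r2&c1&d3&m4&k1s0=1"   # US Robotics Courier example from the guide

SPEED_LOCK_CMDS = ("&b", "\\j", "&q", "\\n")   # ways modems lock the serial port speed
HW_FLOW_CMDS = ("&e", "&k", "&h", "&r")        # ways modems enable RTS/CTS flow control

# One setting: optional prefix (&, \ or %), a letter, digits, and for S-registers "=value".
_SETTING = re.compile(r"([&\\%]?[A-Za-z])(\d*)(?:=(\d+))?")

def parse_init_string(init):
    """Return a list of (command, value) pairs, e.g. [('&c', '1'), ('s0', '1')]."""
    s = init.strip()
    if s[:2].lower() == "at":                  # a leading "AT" is not a setting
        s = s[2:]
    settings, pos = [], 0
    while pos < len(s):
        m = _SETTING.match(s, pos)
        if not m:
            raise ValueError(f"cannot parse modem setting at offset {pos}: {s[pos:]!r}")
        cmd, digits, reg_value = m.group(1).lower(), m.group(2), m.group(3)
        if cmd == "s" and reg_value is not None:
            settings.append((f"s{digits}", reg_value))   # S-register, e.g. s0=1
        else:
            settings.append((cmd, digits))
        pos = m.end()
    return settings

def check_init_string(init):
    """Map each required function to True if the string provides it."""
    settings = dict(parse_init_string(init))      # a later duplicate wins, as on the modem
    return {
        "speed_locked": any(c in settings for c in SPEED_LOCK_CMDS),
        "hardware_flow_control": any(c in settings for c in HW_FLOW_CMDS),
        "dcd_follows_carrier": settings.get("&c") == "1",
        "dtr_drop_hangs_up": settings.get("&d") in ("2", "3"),
        "answer_on_first_ring": settings.get("s0") == "1",
    }

def missing_functions(init):
    """Names of the required functions the string does not provide."""
    return [name for name, ok in check_init_string(init).items() if not ok]

if __name__ == "__main__":
    for name, ok in check_init_string(INIT_STRING).items():
        print(f"{name:24s} {'ok' if ok else 'MISSING'}")
```

Run it against the string you intend to send with a reverse Telnet session; an empty list from missing_functions means every function in the list above is covered, which is the point to verify before the line is put into service.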
Supporting Dial-In Modems
The Cisco IOS software supports dial-in modems that use DTR to control the off-hook status of the
telephone line. This feature is supported primarily on old-style modems, especially those in Europe. To
configure the line to support this feature, use the following command in line configuration mode:
Command                              Purpose
Router(config-line)# modem callin    Configures a line for a dial-in modem.
Figure 24 illustrates the modem callin command. When a modem dialing line is idle, it has its DTR
signal at a low state and waits for a transition to occur on the data set ready (DSR) input. This transition
causes the line to raise the DTR signal and start watching the CTS signal from the modem. After the
modem raises CTS, the Cisco IOS software creates an EXEC session on the line. If the timeout interval
(set with the modem answer-timeout command) passes before the modem raises the CTS signal, the
line lowers the DTR signal and returns to the idle state.
Figure 24 EXEC Creation on a Line Configured for Modem Dial-In
Note The modem callin and modem cts-required line configuration commands are useful for SLIP
operation. These commands ensure that when the line is hung up or the CTS signal drops, the line
reverts from Serial Line Internet Protocol (SLIP) mode to normal interactive mode. These commands
do not work if you put the line in network mode permanently.
Although you can use the modem callin line configuration command with newer modems, the modem
dialin line configuration command described in this section is more appropriate. The modem dialin
command frees up CTS input for hardware flow control. Modern modems do not require the assertion
of DTR to answer a phone line (that is, to take the line off-hook).
[Figure 24 diagram: Idle state (DTR low, watching DSR) -> ring transition, raise DTR -> Ringing (DTR high, watching CTS) -> CTS raised, create EXEC -> Ready and active (DTR high, watching CTS). An answer timeout lowers DTR and returns the line to Idle; CTS lowered or exit closes the connection, lowers DTR, and hangs up.]
Testing the Modem Connection
To test the connection, send the modem the AT command to request its attention. The modem should
respond with “OK.” For example:
at
OK
If the modem does not reply to the at command, perform the following steps:
Step 1 Enter the show users EXEC command and scan the display output. The output should not indicate that
the line is in use. Also verify that the line is configured for modem inout.
Step 2 Enter the show line EXEC command. The output should contain the following two lines:
Modem state: Idle
Modem hardware state: CTS noDSR DTR RTS
If the output displays “no CTS” for the modem hardware state, the modem is not connected, is not
powered up, is waiting for data, or might not be configured for hardware flow control.
Step 3 Verify the line speed and modem transmission rate. Make sure that the line speed on the access server
matches the transmission rate, as shown in Table 13.
To verify the line speed, use the show run EXEC command. The line configuration fragment appears at
the tail end of the output.
The following example shows that lines 1 through 16 are transmitting at 115200 bits per second (bps).
Sixteen 28800-bps modems are connected to a Cisco AS2511-RJ access server via modem cables.
Router# show run
Building configuration...
Current configuration:
. . .
!
line 1 16
login local
modem InOut
speed 115200
transport input all
flowcontrol hardware
script callback callback
autoselect ppp
autoselect during-login
Table 13 Matching Line Speed with Transmission Rate
Modem Transmission Rate (bps)   Line Speed on the Access Server (bps)
9600                            38400
14400                           57600
28800                           115200
Step 4 The speeds of the modem and the access server are likely to be different. If so, switch off the modem,
and then switch it back on. This action should change the speed of the modem to match the speed of the
access server.
Step 5 Check your cabling and the modem configuration (echo or result codes might be off). Enter the
appropriate at modem command to view the modem configuration, or use the at&f command to return
to factory defaults. Refer to your modem documentation to learn the appropriate at command to view
your modem configuration.
Note See the section “Configuring Cisco Integrated Modems Using Modem Attention Commands” in the
“Configuring and Managing Integrated Modems” chapter for information about modem attention
commands for the Cisco internal modems.
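As an added example, not the guide's own code, the following script applies the checks of Steps 1 through 3 to captured show line and show run output. The two samples embedded in it are constructed for this example and only imitate the fields the guide shows; the modem-rate to line-speed mapping is Table 13, and the function names are this example's own.

```python
import re

# Added example, not part of the Cisco guide. Applies the checks of Steps 1-3
# to captured "show line" and "show run" output. The two samples below are
# constructed for this example and imitate the fields shown in the guide.

LINE_SPEED_FOR_MODEM_RATE = {9600: 38400, 14400: 57600, 28800: 115200}   # Table 13

SHOW_LINE_SAMPLE = """\
Modem state: Idle
Modem hardware state: noCTS noDSR DTR RTS
"""

SHOW_RUN_SAMPLE = """\
!
line 1 16
 login local
 modem InOut
 speed 57600
 transport input all
 flowcontrol hardware
!
line vty 0 4
 login
!
"""

def parse_hardware_state(show_line):
    """Map each signal on the 'Modem hardware state:' line to True, or False for a 'no' prefix."""
    m = re.search(r"Modem hardware state:\s*(.+)", show_line)
    if not m:
        raise ValueError("no 'Modem hardware state' line in the output")
    signals = {}
    for token in m.group(1).split():
        asserted = not token.lower().startswith("no")
        signals[(token if asserted else token[2:]).upper()] = asserted
    return signals

def parse_line_config(show_run, line_number):
    """Return {keyword: argument} for the 'line a b' block that contains line_number."""
    settings, in_block = {}, False
    for raw in show_run.splitlines():
        s = raw.strip()
        if s.startswith("line "):
            m = re.match(r"line (\d+)(?: (\d+))?$", s)
            in_block = bool(m) and int(m.group(1)) <= line_number <= int(m.group(2) or m.group(1))
        elif s == "!" or not s:
            in_block = False
        elif in_block:
            keyword, _, argument = s.partition(" ")
            settings[keyword.lower()] = argument.lower()
    return settings

def diagnose(show_line, show_run, line_number, modem_rate_bps):
    """Return the problems Steps 1-3 of the guide would flag for one line."""
    findings = []
    if not parse_hardware_state(show_line).get("CTS", False):
        findings.append("no CTS: modem not connected, not powered up, waiting for data, "
                        "or not configured for hardware flow control")
    cfg = parse_line_config(show_run, line_number)
    if cfg.get("modem") != "inout":
        findings.append("line is not configured for modem inout")
    if cfg.get("flowcontrol") != "hardware":
        findings.append("flowcontrol hardware is not configured on the line")
    expected = LINE_SPEED_FOR_MODEM_RATE.get(modem_rate_bps)
    if expected is None:
        findings.append(f"Table 13 has no line speed for a {modem_rate_bps} bps modem")
    elif cfg.get("speed") != str(expected):
        findings.append(f"line speed {cfg.get('speed', 'unset')} does not match the "
                        f"{expected} bps required for a {modem_rate_bps} bps modem")
    return findings

if __name__ == "__main__":
    for problem in diagnose(SHOW_LINE_SAMPLE, SHOW_RUN_SAMPLE, 3, 28800):
        print("-", problem)
```

Feed it the real command output for each line that fails the at test; with the constructed samples it reports the missing CTS and the 57600 bps line speed that a 28800-bps modem cannot match.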
Managing Telnet Sessions
You communicate with an external modem by establishing a direct Telnet session from the asynchronous
line on the access server, which is connected to the modem. This process is also referred to as reverse
Telnet. Performing a reverse Telnet means that you are initiating a Telnet session out the asynchronous
line, instead of accepting a connection into the line (called a forward connection).
Note Before attempting to allow inbound connections, make sure that you close all open connections to
the modems attached to the access server. If you have a modem port in use, the modem will not accept
a call properly.
To establish a direct Telnet session to an external modem, determine the IP address of your LAN
(Ethernet) interface, and then enter a Telnet command to port 2000 + n on the access server, where n is
the line number to which the modem is connected. For example, to connect to the modem attached to
line 1, enter the following command from an EXEC session on the access server:
Router# telnet 172.16.1.10 2001
Trying 172.16.1.10, 2001 ... Open
This example enables you to communicate with the modem on line 1 using the AT (attention) command
set defined by the modem vendor. Port 2000 + n accepts a connection from any host that can reach that
address, so restrict it with an access list on the line, and remember that everything typed over the
session, including any password entered at a remote system, crosses the network unencrypted.
Timesaver Use the ip host configuration command to simplify direct Telnet sessions with modems. The ip host
command maps a device name to an IP address and port. For example, the ip host modem1 2001 172.16.1.10
command enables you to enter modem1 to initiate a connection with the modem, instead of
repeatedly entering telnet 172.16.1.10 2001 each time you want to communicate with the modem.
You can also configure asynchronous rotary line queueing, which places Telnet login requests in a
queue when lines are busy. See the section “Configuring Asynchronous Rotary Line Queueing” in
the “Configuring Asynchronous Lines and Interfaces” chapter for more information.
Suspending Telnet Sessions
When you are connected to an external modem, the direct Telnet session must be terminated before the
line can accept incoming calls. If you do not terminate the session, it appears in the output of the
show users command, and the show line command reports a modem state of ready while the line is still
in use. Once the line is no longer in use, the show line output reports a state of idle. Terminating the
Telnet session requires first suspending it, then disconnecting it.
To suspend a Telnet session, perform the following steps:
Step 1 Enter Ctrl-Shift-6 x to suspend the Telnet session:
- suspend keystroke -
Router#
Note Ensure that you can reliably issue the escape sequence to suspend a Telnet session. Some
terminal emulation packages have difficulty sending the Ctrl-Shift-6 x sequence. Refer to
your terminal emulation documentation for more information about escape sequences.
Step 2 Enter the where EXEC command to check the connection numbers of open sessions:
Router# where
Conn Host Address Byte Idle Conn Name
* 1 172.16.1.10 172.16.1.10 0 0 172.16.1.10
2 172.16.1.11 172.16.1.11 0 12 modem2
Step 3 When you have suspended a session with one modem, you can connect to another modem and suspend it:
Router# telnet modem2
Trying modem2 (172.16.1.11, 2002) ... Open
- suspend keystroke -
Router#
Step 4 To disconnect (completely close) a Telnet session, enter the disconnect EXEC command:
Router# disconnect line 1
Closing connection to 172.16.1.10 [confirm] y
Router# disconnect line 2
Closing connection to 172.16.1.11 [confirm] y
Router#
Modem Troubleshooting Tips
Table 14 contains troubleshooting tips on modem access and control.
Table 14 Modem Troubleshooting Tips

Problem: Connection refused.
Likely cause: Someone already has a connection to that port, or an EXEC is running on that port, or the
modem failed to lower the carrier detect (CD) signal after a call disconnected, leaving an EXEC active
after the disconnect. To force the line back into an idle state, clear the line from the console and try
again. If it still fails, ensure that you have set the modem inout command for that line. If you don't have
modem control, either turn off the EXEC on the line (by using the exec-timeout line configuration
command) before making a reverse connection or configure the modem using an external terminal. As a
last resort, disconnect the modem, clear the line, make the Telnet connection, and then attach the modem.
This prevents a misconfigured modem from denying you line access.

Problem: Connection appears to hang.
Likely cause: Try entering “^U” (clear line), “^Q” (XON), and press Return a few times to try to establish
terminal control.

Problem: EXEC does not come up; autoselect is on.
Likely cause: Press Return to enter EXEC.

Problem: Modem does not hang up after entering quit.
Likely cause: The modem is not receiving DTR information, or you have not set up modem control on the
router.

Problem: Interrupts another user session when you dial in.
Likely cause: The modem is not dropping CD on disconnect, or you have not set up modem control on the
router.

Problem: Connection hangs after entering “+++” on the dialing modem, followed by an ATO.
Likely cause: The answering modem saw and interpreted the “+++” when it was echoed to you. This is a
bug in the answering modem, common to many modems. There may be a switch to work around this
problem; check the modem’s documentation.

Problem: Losing data.
Likely cause: You may have hardware flow control on for only one of the router’s line (DTE) and the
modem (DCE). Hardware flow control should be on for both or off for both, but not for only one.

Problem: Using MDCE.
Likely cause: Turn the MDCE into an MMOD by moving pin 6 to pin 8, because most modems use CD and
not DSR to indicate the presence of carrier. You can also program some modems to provide carrier
information via DSR.
Checking Other Modem Settings
This section defines other settings that might be needed or desirable, depending on your modem.
Error correction can be negotiated between two modems to ensure a reliable data link. Error correction
standards include Link Access Procedure for Modems (LAPM) and MNP4. V.42 error correction allows
either LAPM or MNP4 error correction to be negotiated. Modems differ in the way they enable error
correction. Refer to your modem documentation for the error correction methods used with your modem.
Data compression can be negotiated between two modems to allow for greater data throughput. Data compression standards include V.42bis and MNP5. Modems differ in the way they enable data compression.
Refer to your modem documentation for the data compression settings used with your modem.
Modem Signal and Line States
This chapter describes modem states in the following section:
• Signal and Line State Diagrams
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the modem support commands in this chapter, refer to the Cisco IOS
Modem Command Reference. To locate documentation of other commands that appear in this chapter,
use the command reference master index or search online.
Signal and Line State Diagrams
The following signal and line state diagrams accompany some of the tasks in the following sections to
illustrate how the modem control works:
• Configuring Automatic Dialing
• Automatically Answering a Modem
• Supporting Dial-In and Dial-Out Connections
• Configuring a Line Timeout Interval
• Closing Modem Connections
• Configuring a Line to Disconnect Automatically
• Supporting Reverse Modem Connections and Preventing Incoming Calls
The diagrams show two processes:
• The “create daemon” process creates a tty daemon that handles the incoming network connection.
• The “create EXEC” process creates the process that interprets user commands. (See Figure 25
through Figure 29.)
In the diagrams, the current signal state and the signal the line is watching are listed inside each box.
The state of the line (as displayed by the show line EXEC command) is listed next to the box. Events
that change that state appear in italics along the event path, and actions that the software performs are
described within ovals.
Figure 25 illustrates line states when no modem control is set. The DTR output is always high, and CTS
and RING are completely ignored. The Cisco IOS software starts an EXEC session when the user types
the activation character. Incoming TCP connections occur instantly if the line is not in use and can be
closed only by the remote host.
Figure 25 EXEC and Daemon Creation on a Line with No Modem Control
[Figure 25 diagram: with no modem control DTR is always high. From Ready, an incoming network connection creates a daemon (Ready and active) until the network connection is closed; a user-typed activation character creates an EXEC (Ready and active) until exit.]
Configuring Automatic Dialing
With the dialup capability, you can set a modem to dial the phone number of a remote router
automatically. This feature offers cost savings because phone line connections are made only when they
are needed—you pay for using the phone line only when there is data to be received or sent.
To configure a line for automatic dialing, use the following command in line configuration mode:
Command                                  Purpose
Router(config-line)# modem dtr-active    Configures a line to initiate automatic dialing.
Using the modem dtr-active command causes a line to raise the DTR signal only when there is an outgoing
connection (such as reverse Telnet, NetWare Asynchronous Support Interface (NASI), or DDR), rather
than leaving DTR raised all the time. When raised, DTR potentially tells the modem that the router is ready
to accept a call.
Automatically Answering a Modem
You can configure a line to answer a modem automatically. You also can configure the modem to answer
the telephone on its own (as long as DTR is high), drop connections when DTR is low, and use its Carrier
Detect (CD) signal to accurately reflect the presence of carrier. (Configuring the modem is a
modem-dependent process.) First, wire the modem CD signal (generally pin 8) to the router RING input
(pin 22), then use the following command in line configuration mode:
Command                              Purpose
Router(config-line)# modem dialin    Configures a line to automatically answer a modem.
You can turn on modem hardware flow control independently to respond to the status of the router CTS
input. Wire CTS to whatever signal the modem uses for hardware flow control. If the modem expects to
control hardware flow in both directions, you might also need to wire the modem flow control input to some
other signal that the router always holds high, such as the DTR signal.
Figure 26 illustrates the modem dialin process with a high-speed dialup modem. When the Cisco IOS
software detects a signal on the RING input of an idle line, it starts an EXEC or autobaud process on that
line. If the RING signal disappears on an active line, the Cisco IOS software closes any open network
connections and terminates the EXEC facility. If the user exits the EXEC or the software terminates
because of no user input, the line makes the modem hang up by lowering the DTR signal for 5 seconds.
After 5 seconds, the modem is ready to accept another call.
Figure 26 EXEC Creation on a Line Configured for a High-Speed Modem
[Figure 26 diagram: Idle state (DTR low) -> ring transition, raise DTR -> Ringing (DTR high, watching CTS) -> CTS raised, create EXEC -> Ready and active (DTR high, watching CTS). An answer timeout lowers DTR and returns the line to Idle; CTS lowered or exit closes the connection, lowers DTR, and hangs up.]
Supporting Dial-In and Dial-Out Connections
To configure a line for both incoming and outgoing calls, use the following command in line
configuration mode:
Command                             Purpose
Router(config-line)# modem inout    Configures a line for both incoming and outgoing calls.
Figure 27 illustrates the modem inout command. If the line is activated by raising the data set ready
(DSR) signal, it functions exactly as a line configured with the modem dialin line configuration
command described in the section “Automatically Answering a Modem” earlier in this chapter. If the
line is activated by an incoming TCP connection, the line functions similarly to lines not used with
modems.
Figure 27 EXEC and Daemon Creation for Incoming and Outgoing Calls
[Figure 27 diagram: Idle state (DTR high, watching CTS). CTS raised -> Ready; an incoming network connection creates a daemon and a user-typed activation character creates an EXEC (Ready and active). CTS lowered, the network connection closing, or exit closes the connection and holds DTR low for 5 seconds (hang up) before the line returns to Idle.]
Note If your system incorporates dial-out modems, consider using access lists to prevent unauthorized use.
Configuring a Line Timeout Interval
To change the interval that the Cisco IOS software waits for the CTS signal after raising the DTR signal
in response to the DSR (the default is 15 seconds), use the following command in line configuration
mode. The timeout applies to the modem callin command only.
Command                                              Purpose
Router(config-line)# modem answer-timeout seconds    Configures modem line timing.
Note The DSR signal is called RING on older ASM-style chassis.
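The following is an added example and not part of the guide: a simulation of the line states described for the modem callin command (the “Supporting Dial-In Modems” section and Figure 24), with the modem answer-timeout interval enforced. The signal names, the three states, and the 15-second default are taken from the text; the event names (dsr_up, cts_up, cts_down, exit), the time base, and the class name CallinLine are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Added example, not from the Cisco guide: a simulation of the line states the
# guide describes for a line configured with "modem callin" (Figure 24), with
# the "modem answer-timeout" interval enforced. Signal names, states and the
# 15-second default are the guide's; the event names, the time base and the
# class name are this example's own assumptions.

IDLE = "idle (DTR low, watching DSR)"
WAIT_CTS = "ringing (DTR high, watching CTS)"
ACTIVE = "ready and active (DTR high, watching CTS)"

@dataclass
class CallinLine:
    answer_timeout: float = 15.0        # seconds; default of modem answer-timeout
    state: str = IDLE
    dtr: bool = False
    exec_sessions: int = 0              # EXECs created so far
    dtr_raised_at: float = 0.0
    log: list = field(default_factory=list)

    def tick(self, now):
        """Let time pass; a line still waiting for CTS gives up after answer_timeout."""
        if self.state == WAIT_CTS and now - self.dtr_raised_at >= self.answer_timeout:
            self.dtr, self.state = False, IDLE
            self.log.append(f"t={now:g}s answer timeout: lower DTR, return to idle")
        return self.state

    def event(self, now, signal):
        """Apply one modem event: 'dsr_up', 'cts_up', 'cts_down' or 'exit'."""
        self.tick(now)
        if self.state == IDLE and signal == "dsr_up":            # ring transition
            self.dtr, self.state, self.dtr_raised_at = True, WAIT_CTS, now
            self.log.append(f"t={now:g}s DSR transition: raise DTR, watch CTS")
        elif self.state == WAIT_CTS and signal == "cts_up":
            self.state = ACTIVE
            self.exec_sessions += 1
            self.log.append(f"t={now:g}s CTS raised: create EXEC")
        elif self.state == ACTIVE and signal in ("cts_down", "exit"):
            self.dtr, self.state = False, IDLE
            self.log.append(f"t={now:g}s {signal}: close connection, lower DTR, hang up")
        else:
            self.log.append(f"t={now:g}s {signal} ignored: line is not watching that signal")
        return self.state

def answered_call():
    """Modem raises CTS 2 s after the ring: an EXEC is created and later exited."""
    line = CallinLine()
    for now, signal in ((0.0, "dsr_up"), (2.0, "cts_up"), (90.0, "exit")):
        line.event(now, signal)
    return line

def late_cts():
    """Modem raises CTS only after the 15 s timeout: the line is idle again and ignores it."""
    line = CallinLine()
    for now, signal in ((0.0, "dsr_up"), (20.0, "cts_up")):
        line.event(now, signal)
    return line

if __name__ == "__main__":
    for scenario in (answered_call, late_cts):
        print(scenario.__doc__)
        print("\n".join(scenario().log), end="\n\n")
```

The second scenario is the case the timeout exists for: a modem that takes longer than answer-timeout to raise CTS never gets an EXEC, because the line has already lowered DTR and gone back to watching DSR.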
Closing Modem Connections
Note The modem cts-required command was replaced by the modem printer command in Cisco IOS
Release 12.2.
To configure a line to close connections from a user’s terminal when the terminal is turned off and to
prevent inbound connections to devices that are out of service, use the following command in line
configuration mode:
Command                                    Purpose
Router(config-line)# modem cts-required    Configures a line to close connections.
Figure 28 illustrates the modem cts-required command operating in the context of a continuous CTS
signal. This form of modem control requires that the CTS signal be high for the entire session. If CTS
is not high, the user input is ignored and incoming connections are refused (or sent to the next line in a
rotary group).
Figure 28 EXEC and Daemon Creation on a Line Configured for Continuous CTS
[Figure 28 diagram: Idle state (DTR high, watching CTS). CTS raised -> Ready; an incoming network connection creates a daemon and a user-typed activation character creates an EXEC (Ready and active). CTS lowered, the network connection closing, or exit closes the connection and holds DTR low for 5 seconds (hang up) before the line returns to Idle.]
Configuring a Line to Disconnect Automatically
To configure automatic line disconnect, use the following command in line configuration mode:
Command                           Purpose
Router(config-line)# autohangup   Configures automatic line disconnect.
The autohangup command causes the EXEC facility to issue the exit command when the last
connection closes. This feature is useful for UNIX-to-UNIX copy program (UUCP) applications because
UUCP scripts cannot issue a command to hang up the telephone. This feature is not used often.
Supporting Reverse Modem Connections and Preventing Incoming Calls
In addition to initiating connections, the Cisco IOS software can receive incoming connections. This
capability allows you to attach serial and parallel printers, modems, and other shared peripherals to the
router or access server and drive them remotely from other modem-connected systems. The Cisco IOS
software supports reverse TCP, XRemote, and local-area transport (LAT) connections.
The specific TCP port or socket to which you attach the device determines the type of service that the
Cisco IOS software provides on a line. When you attach the serial lines of a computer system or a data
terminal switch to the serial lines of the access server, the access server can act as a network front-end
device for a host that does not support the TCP/IP protocols. This arrangement is sometimes called
front-ending or reverse connection mode.
The Cisco IOS software supports ports connected to computers that are connected to modems. To
configure the Cisco IOS software to function somewhat like a modem, use the following command in
line configuration mode. This command also prevents incoming calls.
Command                               Purpose
Router(config-line)# modem callout    Configures a line for reverse connections and prevents incoming calls.
Figure 29 illustrates the modem callout process. When the Cisco IOS software receives an incoming
connection, it raises the DTR signal and waits to see if the CTS signal is raised to indicate that the host
has noticed the router DTR signal. If the host does not respond within the interval set by the modem
answer-timeout line configuration command, the software lowers the DTR signal and drops the
connection.
Figure 29 Daemon Creation on a Line Configured for Modem Dial-Out
[Figure 29 diagram: Idle state (DTR low) -> incoming network connection, raise DTR -> Ringing (DTR high, watching CTS) -> CTS raised, create daemon -> Ready and active (DTR high, watching CTS). An answer timeout lowers DTR and returns the line to Idle; the network connection closing or CTS lowered closes the connection and lowers DTR.]
Creating and Using Modem Chat Scripts
This chapter describes how to create and use modem chat scripts. These tasks are presented in the
following main sections:
• Chat Script Overview
• How To Configure Chat Scripts
• Using Chat Scripts
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the modem support commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference publication. To locate documentation of other commands that appear
in this chapter, use the command reference master index or search online.
Chat Script Overview
Chat scripts are strings of text used to send commands for modem dialing, logging in to remote systems,
and initializing asynchronous devices connected to an asynchronous line.
Note On a router, chat scripts can be configured only on the auxiliary port.
A chat script must be configured to dial out on asynchronous lines. You also can configure chat scripts
so that they can be executed automatically for other specific events on a line, or so that they are executed
manually.
Each chat script is defined for a different event. These events can include the following:
• Line activation
• Incoming connection initiation
• Asynchronous dial-on-demand routing (DDR)
• Line resets
• Startup
Note Outbound chat scripts are not supported on lines where modem control is set for inbound activity
only using the modem dialin command.
How To Configure Chat Scripts
The following tasks must be performed before a chat script can be used:
• Define the chat script in global configuration mode using the chat-script command.
• Configure the line so that a chat script is activated when a specific event occurs (using the script
line configuration command), or start a chat script manually (using the start-chat privileged EXEC
command).
To configure a chat script, perform the tasks in the following sections:
• Understanding Chat Script Naming Conventions (Required)
• Creating a Chat Script (Required)
• Configuring the Line to Activate Chat Scripts (Required)
• Manually Testing a Chat Script on an Asynchronous Line (Optional)
See the section “Using Chat Scripts” later in this chapter for examples of how to use chat scripts.
Understanding Chat Script Naming Conventions
When you create a script name, include the modem vendor, type, and modulation, separated by hyphens,
as follows:
vendor-type-modulation
For example, if you have a Telebit t3000 modem that uses V.32bis modulation, your script name would
be:
telebit-t3000-v32bis
Note Adhering to the recommended naming convention allows you to specify a range of chat scripts by
using partial names in UNIX-style regular expressions. The regular expressions are used to match
patterns and select chat scripts to use. This method is particularly useful for dialer rotary groups on
an interface that dials multiple destinations. Regular expressions are described in the “Regular
Expressions” appendix in the Cisco IOS Terminal Services Configuration Guide.
Creating a Chat Script
We recommend that one chat script (a “modem” chat script) be written for placing a call and that another
chat script (a “system” or “login” chat script) be written to log in to remote systems, where required.
To define a chat script, use the following command in global configuration mode:
Command                                                   Purpose
Router(config)# chat-script script-name expect send...    Creates a script that will place a call on a modem, log in to a
                                                          remote system, or initialize an asynchronous device on a line.
The Cisco IOS software waits for the string from the modem (defined by the expect portion of the script)
and uses it to determine what to send back to the modem (defined by the send portion of the script).
Chat String Escape Key Sequences
Chat script send strings can include the special escape sequences listed in Table 15.
Table 15 Chat Script Send String Escape Sequences
Escape Sequence   Description
\NNN              Sends the ASCII character with octal value NNN.
\\                Sends a backslash (\) character.
\"                Sends a double-quote (") character (does not work within double quotes).
\c                Suppresses a new line at the end of the send string.
\d                Delays for 2 seconds.
\K                Inserts a BREAK.
\n                Sends a newline or linefeed character.
\N                Sends a null character.
\p                Pauses for 0.25 second.
\q                Reserved, not yet used.
\r                Sends a return.
\s                Sends a space character.
\t                Sends a tab character.
\T                Replaced by the phone number.
""                Expects a null string.
BREAK             Causes a BREAK. This sequence is sometimes simulated with line speed
                  changes and null characters. May not work on all systems.
EOT               Sends an end-of-transmission character.
Adding a Return Key Sequence
After the connection is established and you press the Return key, you must often press Return a second
time before the prompt appears. To create a chat script that enters this additional Return key for you,
include the following string with the Return key escape sequence (see Table 15) as part of your chat
script:
ssword:-\r-ssword
This part of the script specifies that, after the connection is established, you want ssword to be displayed.
If it is not displayed, you must press Return again after the timeout passes. (For more information about
expressing characters in chat scripts, see the “Regular Expressions” appendix in the Cisco IOS Terminal
Services Configuration Guide.)
Chat String Special-Case Script Modifiers
Special-case script modifiers are also supported; refer to Table 16 for examples.
Table 16 Special-Case Script Modifiers
Special Case   Function
ABORT string   Designates a string whose presence in the input indicates that the chat script has
               failed. (You can have as many active abort entries as you like.)
TIMEOUT time   Sets the time to wait for input, in seconds. The default is 5 seconds, and a timeout
               of 60 seconds is recommended for V.90 modems.
For example, if a modem reports BUSY when the number dialed is busy, you can indicate that you want
the attempt stopped at this point by including ABORT BUSY in your chat script.
Note If you use the expect-send pair ABORT SINK instead of ABORT ERROR, the system terminates
abnormally when it encounters SINK instead of ERROR.
Configuring the Line to Activate Chat Scripts
Chat scripts can be activated by any of five events, each corresponding to a different version of the script
line configuration command. To start a chat script manually at any point, see the following section,
“Manually Testing a Chat Script on an Asynchronous Line.”
To define a chat script to start automatically when a specific event occurs, use one of the following
commands in line configuration mode:
Command                                         Purpose
Router(config-line)# script activation regexp   Starts a chat script on a line when the line is activated (every time
                                                a command EXEC is started on the line). (1)
Router(config-line)# script connection regexp   Starts a chat script on a line when a network connection is made
                                                to the line.
Router(config-line)# script dialer regexp       Specifies a modem script for DDR on a line.
Router(config-line)# script reset regexp        Starts a chat script on a line whenever the line is reset. (2)
Router(config-line)# script startup regexp      Starts a chat script on a line whenever the system is started up. (2)
(1) The regexp argument is a regular expression that is matched to a script name that has already been defined using the chat-script command.
(2) Do not use the script reset or script startup commands to configure a modem; instead use the modem autoconfigure command.
Creating and Using Modem Chat Scripts
Using Chat Scripts
DC-169
Cisco IOS Dial Technologies Configuration Guide
Note Outbound chat scripts are not supported on lines where modem control is set for inbound activity
only (using the modem dialin command).
Manually Testing a Chat Script on an Asynchronous Line
To test a chat script on any line that is currently not active, use the following commands in privileged
EXEC mode:

        Command                                                    Purpose
Step 1  Router# debug chat line number                             Starts detailed debugging on the specified line.
Step 2  Router# start-chat regexp [line-number [dialer-string]]    Starts a chat script on any asynchronous line.

If you do not specify the line number, the script runs on the current line. If the line specified is already
in use, you cannot start the chat script. A message appears indicating that the line is already in use.
Using Chat Scripts
The following sections provide examples of how to use chat scripts:
• Generic Chat Script Example
• Traffic-Handling Chat Script Example
• Modem-Specific Chat Script Examples
• Dialer Mapping Example
• System Login Scripts and Modem Script Examples
Generic Chat Script Example
The following example chat script includes a pair of empty quotation marks (""), which means “expect
anything,” and \r, which means “send a return”:
"" \r "name:" "myname" "ord:" "mypassword" ">" "slip default"
Traffic-Handling Chat Script Example
The following example shows a configuration in which, when there is traffic, a random line will be used.
The dialer code will try to find a script that matches either the modem script .*-v32 or the system script
cisco. If there is no match for either the modem script or the system script, you will see a “no matching
chat script found” message.
interface dialer 1
! v.32 rotaries are in rotary 1.
dialer rotary-group 1
! Use v.32 generic script.
dialer map ip 10.0.0.1 modem-script .*-v32 system-script cisco 1234
Modem-Specific Chat Script Examples
The following example shows line chat scripts being specified for lines connected to Telebit and US
Robotics modems:
! Some lines have Telebit modems.
line 1 6
script dialer telebit.*
! Some lines have US Robotics modems.
line 7 12
script dialer usr.*
Dialer Mapping Example
The following example shows a modem chat script called dial and a system login chat script called login:
chat-script dial ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 60 CONNECT \c
chat-script login ABORT invalid TIMEOUT 60 name: myname word: mypassword ">" "slip default"
interface async 10
dialer in-band
dialer map ip 10.55.0.1 modem-script dial system-script login 96837890
Figure 30 illustrates the configuration.
Figure 30 Chat Script Configuration and Function
• The configuration is on Router A.
• The modem chat script dial is used to dial out to the modem at Router B.
• The system login chat script login is used to log in to Router B.
• The phone number is the number of the modem attached to Router B.
• The IP address in the dialer map command is the address of Router B.
In the sample script shown, the dialer in-band command enables DDR on asynchronous interface 10,
and the dialer map command dials 96837890 after finding the specified dialing and the system login
scripts. When a packet is received for 10.55.0.1, the first thing to happen is that the modem script is
implemented. Table 17 lists the functions that are implemented with each expect-send pair in the modem
script called dial.
[Figure 30 shows Router A, carrying the configuration above, dialing 96837890 to reach Router B at 10.55.0.1.]
After the modem script is successfully executed, the system login script is executed. Table 18 lists the
functions that are executed with each expect-send pair in the system script called login.
Table 17 Example Modem Script Execution

Expect and Send Pair   Implementation
ABORT ERROR            Ends the script execution if the text “ERROR” is found. (You can have as many
                       active abort entries as you like.)
"" "AT Z"              Without expecting anything, sends an “AT Z” command to the modem. (Note the use
                       of quotation marks to allow a space in the send string.)
OK "ATDT \T"           Waits to see “OK.” Sends “ATDT 96837890.”
TIMEOUT 60             Waits up to 60 seconds for the next expect string.
CONNECT \c             Expects “connect,” but does not send anything. (Note that \c is effectively
                       nothing; "" would have indicated nothing followed by a carriage return.)

Table 18 Example System Script Execution

Expect and Send Pair   Implementation
ABORT invalid          Ends the script execution if the message “invalid username or password” is
                       displayed.
TIMEOUT 60             Waits up to 60 seconds.
name: username         Waits for “name:” and sends username. (Using just “name:” will help avoid any
                       capitalization issues.)
word: password         Waits for “word:” and sends the password.
">" "slip default"     Waits for the > prompt and places the line into Serial Line Internet Protocol
                       (SLIP) mode with its default address.

System Login Scripts and Modem Script Examples
The following example shows the use of chat scripts implemented with the system-script and
modem-script options of the dialer map command.
If there is traffic for IP address 10.2.3.4, the router will dial the 91800 number using the usrobotics-v32
script, matching the regular expression in the modem chat script. Then the router will run the unix-slip
chat script as the system script to log in.
If there is traffic for 10.3.2.1, the router will dial 8899 using usrobotics-v32, matching both the modem
script and modem chat script regular expressions. The router will then log in using the cisco-compressed
script.
! Script for dialing a usr v.32 modem:
chat-script usrobotics-v32 ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 60 CONNECT \c
!
! Script for logging into a UNIX system and starting up SLIP:
chat-script unix-slip ABORT invalid TIMEOUT 60 name: billw word: wewpass ">" "slip default"
!
! Script for logging into a Cisco access server and starting up TCP header compression:
chat-script cisco-compressed...
!
line 15
script dialer usrobotics-*
!
interface async 15
! 10.2.3.4: dial 91800 with the v.32 modem script, then log in with unix-slip.
dialer map ip 10.2.3.4 modem-script *-v32 system-script unix-slip 91800
! 10.3.2.1: dial 8899 with the v.32 modem script, then log in with cisco-compressed.
dialer map ip 10.3.2.1 modem-script *-v32 system-script cisco-compressed 8899
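To make the expect-send mechanics of Tables 17 and 18 concrete, here is an added Python simulator. It is not Cisco code and not part of this guide: it tokenizes a chat script the way the examples above are written, applies the ABORT and TIMEOUT modifiers, expands \T, \c and \r, and runs the dial and login scripts from the dialer mapping example against a constructed stand-in for the modem and for the remote host. The ABORT BUSY entry (suggested by the BUSY discussion above), the modem replies, and the host prompts are assumptions made for the illustration.

```python
r"""Simulator of the expect-send semantics of Cisco IOS chat scripts.

Added illustration, not Cisco code: it models what the router does with the
"dial" and "login" scripts above (ABORT strings, TIMEOUT, "" = expect nothing,
\T = dial string, \c = send nothing, \r = carriage return) against a
constructed stand-in for the modem or the remote host.
"""
from dataclasses import dataclass, field


def tokenize(script: str) -> list[str]:
    """Split a chat script into tokens. Double quotes group words ("AT Z" is one
    token) and an empty pair of quotes is the empty string; backslashes are kept
    for expand_send()."""
    tokens: list[str] = []
    cur: list[str] = []
    in_quotes = quoted = False
    for ch in script:
        if ch == '"':
            in_quotes = not in_quotes
            quoted = True                  # an empty "" still yields a token
        elif ch.isspace() and not in_quotes:
            if cur or quoted:
                tokens.append("".join(cur))
            cur, quoted = [], False
        else:
            cur.append(ch)
    if cur or quoted:
        tokens.append("".join(cur))
    return tokens


def expand_send(token: str, dial_string: str) -> tuple[str, bool]:
    """Return (text to transmit, whether a carriage return follows it)."""
    text = token.replace("\\T", dial_string)   # \T: substitute the dial string
    send_cr = True
    if text.endswith("\\c"):                   # \c: send nothing, no return
        text, send_cr = text[:-2], False
    text = text.replace("\\r", "\r")           # \r: a literal return
    return text, send_cr


@dataclass
class ChatResult:
    ok: bool
    reason: str
    transmitted: list[str] = field(default_factory=list)


def run_chat(script: str, peer, dial_string: str = "", initial: str = "") -> ChatResult:
    """Execute a chat script. peer(wire_text) -> str returns what the modem or
    host sends back after each transmission; initial is any banner already
    received before the first expect (a Username: prompt, for instance)."""
    tokens = tokenize(script)
    aborts: list[str] = []
    timeout = 5                 # IOS default wait for input, in seconds
    buf = initial               # received but not yet matched
    sent: list[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "ABORT":      # special-case modifier: register a failure string
            aborts.append(tokens[i + 1])
            i += 2
            continue
        if tok == "TIMEOUT":    # special-case modifier: change the wait
            timeout = int(tokens[i + 1])
            i += 2
            continue
        expect = tok
        send = tokens[i + 1] if i + 1 < len(tokens) else None
        i += 2
        if expect:              # the empty string means expect nothing
            hit = buf.find(expect)
            if hit < 0:         # on a router the TIMEOUT clock would expire here
                return ChatResult(False, f"timeout ({timeout}s) waiting for {expect!r}", sent)
            buf = buf[hit + len(expect):]
        if send is not None:
            text, cr = expand_send(send, dial_string)
            wire = text + ("\r" if cr else "")
            if wire:
                sent.append(wire)
                buf += peer(wire)
            for word in aborts:     # any abort string in the input ends the script
                if word in buf:
                    return ChatResult(False, f"abort string {word!r} received", sent)
    return ChatResult(True, "script completed", sent)


class FakePeer:
    """Constructed stand-in for a Hayes modem or a remote host: maps each line it
    receives (without the return) to the reply it sends."""
    def __init__(self, replies: dict[str, str]):
        self.replies = replies

    def __call__(self, wire: str) -> str:
        return self.replies.get(wire.rstrip("\r"), "ERROR\r\n")


# The dial and login scripts from the dialer mapping example; ABORT BUSY is an
# assumed addition so that a busy number fails immediately.
DIAL_SCRIPT = r'ABORT ERROR ABORT BUSY "" "AT Z" OK "ATDT \T" TIMEOUT 60 CONNECT \c'
LOGIN_SCRIPT = r'ABORT invalid TIMEOUT 60 name: myname word: mypassword ">" "slip default"'


def dial(outcome: str) -> ChatResult:
    """Run DIAL_SCRIPT against a constructed modem that answers ATDT with outcome."""
    modem = FakePeer({"AT Z": "OK\r\n", "ATDT 96837890": outcome + "\r\n"})
    return run_chat(DIAL_SCRIPT, modem, dial_string="96837890")


def login(password_reply: str) -> ChatResult:
    """Run LOGIN_SCRIPT against a constructed host that answers the password with password_reply."""
    host = FakePeer({"myname": "Password:", "mypassword": password_reply,
                     "slip default": "Entering SLIP mode.\r\n"})
    return run_chat(LOGIN_SCRIPT, host, initial="Username:")


if __name__ == "__main__":
    for outcome in ("CONNECT 14400", "BUSY", "NO CARRIER"):
        print(outcome, "->", dial(outcome))
    print("login ->", login("\r\nrouter>"))
    print("bad password ->", login("% invalid username or password\r\n"))
```

Running it shows the three outcomes the tables describe: CONNECT completes the script after exactly two transmissions (AT Z and ATDT 96837890, each followed by a return), BUSY is caught by the ABORT entry as soon as it arrives, and a reply with no matching ABORT entry (NO CARRIER here) is only detected when the CONNECT expect runs into the 60-second TIMEOUT. The simulator reduces the timeout to "the string never arrived"; a router waits the configured seconds before reaching the same conclusion.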
ISDN Configuration
Configuring ISDN BRI
This chapter describes tasks that are required to use an ISDN BRI line. It provides an overview of the
ISDN technologies currently available and describes features that you can configure in an ISDN BRI
circuit-switched internetworking environment. This information is included in the following main
sections:
• ISDN Overview
• How to Configure ISDN BRI
• Monitoring and Maintaining ISDN Interfaces
• Troubleshooting ISDN Interfaces
• Configuration Examples for ISDN BRI
This chapter describes configuration of the ISDN BRI. See the chapter “Configuring ISDN PRI” for
information about configuring the ISDN PRI.
This chapter does not address routing issues, dialer configuration, and dial backup. For information
about those topics, see the chapters in the “Dial-on-Demand Routing Configuration” part of this
publication.
For hardware technical descriptions and for information about installing the router interfaces, refer to
the appropriate hardware installation and maintenance publication for your particular product.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the BRI commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
ISDN Overview
Basic ISDN service is described in the section “ISDN Service” in the chapter “Overview of Dial
Interfaces, Controllers, and Lines.” To summarize, Cisco IOS software supports both the ISDN BRI and
the ISDN PRI.
ISDN BRI provides two bearer (B) channels, each capable of transferring voice or data at 64 kbps, and
one 16 kbps data (D) signaling channel, which is used by the telephone network to carry instructions
about how to handle each of the B channels. ISDN BRI (also referred to as 2 B + D) provides a maximum
transmission speed of 128 kbps, but many users use only half the available bandwidth.
Figure 9 in the chapter “Overview of Dial Interfaces, Controllers, and Lines” illustrates the channel
assignment for each ISDN type.
Requesting BRI Line and Switch Configuration from a Telco Service Provider
Before configuring ISDN BRI on your Cisco router, you must order a correctly configured ISDN line
from your telecommunications service provider. This process varies from provider to provider on a
national and international basis. However, some general guidelines follow:
• Ask for two channels to be called by one number.
• Ask for delivery of calling line identification. Providers sometimes call this CLI or automatic
number identification (ANI).
• If the router will be the only device attached to the BRI, ask for point-to-point service and a
data-only line.
• If the router will be attached to an ISDN bus (to which other ISDN devices might be attached), ask
for point-to-multipoint service (subaddressing is required) and a voice-and-data line.
When you order ISDN service for switches used in North America, request the BRI switch configuration
attributes specified in Table 19.
Table 19 North American ISDN BRI Switch Type Configuration Information

Switch Type             Configuration
DMS-100 BRI Custom      2 B channels for voice and data.
                        2 directory numbers assigned by service provider.
                        2 service profile identifiers (SPIDs) required; assigned by service provider.
                        Functional signaling.
                        Dynamic terminal endpoint identifier (TEI) assignment.
                        Maximum number of keys = 64.
                        Release key = no, or key number = no.
                        Ringing indicator = no.
                        EKTS = no.
                        PVC = 2.
                        Request delivery of calling line ID on Centrex lines.
                        Set speed for ISDN calls to 56 kbps outside local exchange.
                        Directory number 1 can hunt to directory number 2.
5ESS Custom BRI         For Data Only
                        2 B channels for data.
                        Point to point.
                        Terminal type = E.
                        1 directory number (DN) assigned by service provider.
                        MTERM = 1.
                        Request delivery of calling line ID on Centrex lines.
                        Set speed for ISDN calls to 56 kbps outside local exchange.
                        For Voice and Data
                        (Use these values only if you have an ISDN telephone connected.)
                        2 B channels for voice or data.
                        Multipoint.
                        Terminal type = D.
                        2 directory numbers assigned by service provider.
                        2 SPIDs required; assigned by service provider.
                        MTERM = 2.
                        Number of call appearances = 1.
                        Display = No.
                        Ringing/idle call appearances = idle.
                        Autohold = no.
                        Onetouch = no.
                        Request delivery of calling line ID on Centrex lines.
                        Set speed for ISDN calls to 56 kbps outside local exchange.
                        Directory number 1 can hunt to directory number 2.
5ESS National ISDN      Terminal type = A.
(NI) BRI                2 B channels for voice and data.
                        2 directory numbers assigned by service provider.
                        2 SPIDs required; assigned by service provider.
                        Set speed for ISDN calls to 56 kbps outside local exchange.
                        Directory number 1 can hunt to directory number 2.
EZ-ISDN 1               For Voice and Data
                        • ISDN Ordering Code for Cisco 766/776 Series = Capability S
                        • ISDN Ordering Code for Cisco 1604 Series = Capability R
                        2 B channels featuring alternate voice and circuit-switched data. Non-EKTS
                        voice features include the following:
                        • Flexible Calling
                        • Call Forwarding Variable
                        • Additional Call Offering
                        • Calling Number Identification (includes Redirecting Number Delivery)
Interface Configuration
The Cisco IOS software also provides custom features for configuring the ISDN BRI interface that
provide capabilities such as call screening, called party number verification, ISDN default cause code
override, and, for European and Australian customers, Dialed Number Identification Service
(DNIS)-plus-ISDN-subaddress binding to allow multiple binds between a dialer profile and an ISDN B
channel.
Dynamic Multiple Encapsulations
Before Cisco IOS Release 12.1, encapsulation techniques such as Frame Relay, High-Level Data Link
Control (HDLC), Link Access Procedure, Balanced-Terminal Adapter (LAPB-TA), and X.25 could
support only one ISDN B-channel connection over the entire link. HDLC and PPP could support
multiple B channels, but the entire ISDN link needed to use the same encapsulation. The Dynamic
Multiple Encapsulations feature introduced in Cisco IOS Release 12.1 allows various encapsulation
types and per-user configurations on the same ISDN B channel at different times according to the type
of incoming call.
With the Dynamic Multiple Encapsulations feature, once calling line identification (CLID) binding is
completed, the topmost interface is always used for all configuration and data structures. The ISDN B
channel becomes a forwarding device, and the configuration on the D channel is ignored, thereby
allowing the different encapsulation types and per-user configurations. Dynamic multiple encapsulations
provide support for packet assembler/disassembler (PAD) traffic and X.25 encapsulated and switched
packets. For X.25 encapsulations, the configurations reside on the dialer profile.
Dynamic multiple encapsulation is especially important in Europe, where ISDN is relatively expensive
and maximum use of all 30 B channels on the same ISDN link is desirable. Further, the feature removes
the need to statically dedicate channels to a particular encapsulation and configuration type, and
improves channel usage.
Figure 31 shows a typical configuration for an X.25 network in Europe. The Dynamic Multiple
Encapsulations feature allows use of all 30 B channels, and supports calls that originate in diverse areas
of the network and converge on the same ISDN PRI.
Figure 31 European X.25 Network
[Figure 31 shows X.25 hosts behind terminal adapters (TA), each attached to the ISDN by a BRI with 2 B channels; their calls converge on an E1 PRI that carries 30 X.25 B channels to an X.25 host.]
Interface Configuration Options
You can also optionally configure snapshot routing for ISDN interfaces. Snapshot routing is a method
of learning remote routes dynamically and keeping the routes available for a specified period of time,
even though routing updates are not exchanged during that period. See the chapter “Configuring
Snapshot Routing” later in this guide for detailed information about snapshot routing.
To place calls on an ISDN interface, you must configure it with dial-on-demand routing (DDR). For
configuration information about ISDN using DDR, see the “Dial-on-Demand Routing Configuration”
part of this publication. For command information, refer to the Cisco IOS Dial Technologies Command
Reference.
To configure bandwidth on demand, see the chapters “Configuring Legacy DDR Spokes” or
“Configuring Legacy DDR Hubs” later in this publication.
ISDN Cause Codes
A cause code is an information element (IE) that indicates why an ISDN call failed or was otherwise
disconnected. When the originating gateway receives a Release Complete message, it generates a tone
corresponding to the cause code in the message.
Table 20 lists the default cause codes that the VoIP (Voice over IP) gateway sends to the switch when a
call fails at the gateway, and the corresponding tones that it generates.
For a complete list of ISDN cause codes that are generated by the switch, refer to “Appendix B: ISDN
Switch Types, Codes and Values” in the Cisco IOS Debug Command Reference.
Although the VoIP gateway generates the cause codes listed in Table 20 by default, there are commands
introduced in previous Cisco IOS releases that can override these defaults, allowing the gateway to send
different cause codes to the switch. The following commands override the default cause codes:
• isdn disconnect-cause—Sends the specified cause code to the switch when a call is disconnected.
• isdn network-failure-cause—Sends the specified cause code to the switch when a call fails because
of internal network failures.
• isdn voice-call-failure—Sends the specified cause code to the switch when an inbound voice call
fails with no specific cause code.
Table 20 Cause Codes Generated by the Cisco VoIP Gateway

Cause Code  Description                           Explanation                                                     Tone
1           Unallocated (unassigned) number       The ISDN number is not assigned to any destination              Reorder
                                                  equipment.
3           No route to destination               The call was routed through an intermediate network that        Reorder
                                                  does not serve the destination address.
16          Normal call clearing                  Normal call clearing has occurred.                              Dial
17          User busy                             The called system acknowledged the connection request           Busy
                                                  but was unable to accept the call because all B channels
                                                  were in use.
19          No answer from user (user alerted)    The destination responded to the connection request but         Reorder
                                                  failed to complete the connection within the prescribed
                                                  time. The problem is at the remote end of the connection.
28          Invalid number format                 The connection could not be established because the             Reorder
                                                  destination address was presented in an unrecognizable
                                                  format or because the destination address was incomplete.
34          No circuit/channel available          The connection could not be established because no              Reorder
                                                  appropriate channel was available to take the call.
When you implement these commands, the configured cause codes are sent to the switch; otherwise, the
default cause codes of the voice application are sent. For a complete description of these commands,
refer to the Cisco IOS Dial Technologies Command Reference.
How to Configure ISDN BRI
To configure ISDN lines and interfaces, perform the tasks in the following sections:
• Configuring the ISDN BRI Switch (Required)
• Specifying Interface Characteristics for an ISDN BRI (As required)
• Configuring ISDN Semipermanent Connections (As required)
• Configuring ISDN BRI for Leased-Line Service (As required)
See the sections “Monitoring and Maintaining ISDN Interfaces” and “Troubleshooting ISDN Interfaces”
later in this chapter for tips on maintaining your network. See the section “Configuration Examples for
ISDN BRI” at the end of this chapter for configuration examples.
To configure ISDN BRI for voice, video, and fax applications, refer to the Cisco IOS Voice, Video, and
Fax Applications Configuration Guide.
Configuring the ISDN BRI Switch
To configure the ISDN switch type, perform the following tasks:
• Configuring the Switch Type (Required)
• Checking and Setting the Buffers (As required)
Also see the “Multiple ISDN Switch Types Feature” section for information about configuring
multiple switch types.
Configuring the Switch Type
To configure the switch type, use the following command in global configuration mode:

Command                                       Purpose
Router(config)# isdn switch-type switch-type  Selects the service provider switch type; see Table 19 for switch
                                              types.

The section “Global ISDN and BRI Interface Switch Type Example” later in this chapter provides an
example of configuring the ISDN BRI switch.
Table 21 lists the ISDN BRI service provider switch types.

Table 21 ISDN Service Provider BRI Switch Types

Switch Type Keywords  Description/Use                                                 Central Office (CO) Switch Type?
Voice/PBX Systems
basic-qsig            PINX (PBX) switch with QSIG signaling per Q.931
Australia, Europe, and UK
basic-1tr6            German 1TR6 ISDN switch                                         Yes
basic-net3            NET3 ISDN BRI for Norway NET3, Australia NET3, and New          Yes
                      Zealand NET3 switches; covers ETSI-compliant Euro-ISDN E-DSS1
                      signaling system
vn3                   French VN3 ISDN BRI switch                                      Yes
Japan
ntt                   Japanese NTT ISDN BRI switch
North America
basic-5ess            Lucent (AT&T) basic rate 5ESS switch                            Yes
basic-dms100          Nortel basic rate DMS-100 switch                                Yes
basic-ni              National ISDN switch                                            Yes
All Users
none                  No switch defined

Note The command parser will still accept the following switch type keywords: basic-nwnet3, vn2, and
basic-net3; however, when viewing the NVRAM configuration, the basic-net3 or vn3 switch type
keywords are displayed respectively.
Checking and Setting the Buffers
When configuring a BRI, after the system comes up, make sure enough buffers are in the free list of the
buffer pool that matches the maximum transmission unit (MTU) of your BRI interface. If not, you must
reconfigure buffers in order for the BRI interfaces to function properly.
To check the MTU size and the buffers, use the following commands in EXEC mode as needed:

Command                             Purpose
Router# show interfaces bri number  Displays the MTU size.
Router# show buffers                Displays the free buffers.

To configure the buffers and the MTU size, use the following commands in global configuration mode
as needed:

Command                                       Purpose
Router(config)# buffers big permanent number  Configures the buffers.
Router(config)# buffers big max-free number
Router(config)# buffers big min-free number
Router(config)# buffers big initial number

Multiple ISDN Switch Types Feature
The Cisco IOS software provides an enhanced Multiple ISDN Switch Types feature that allows you to
apply an ISDN switch type to a specific ISDN interface and configure more than one ISDN switch type
per router. This feature allows both ISDN BRI and ISDN PRI to run simultaneously on platforms that
support both interface types. See the section “Configuring Multiple ISDN Switch Types” in the chapter
“Configuring ISDN PRI” for information about configuring this feature.
Specifying Interface Characteristics for an ISDN BRI
Perform the tasks in the following sections to set interface characteristics for an ISDN BRI, whether it
is the only BRI in a router or is one of many. Each of the BRIs can be configured separately.
• Specifying the Interface and Its IP Address (Required)
• Configuring CLI Screening (As Required)
• Configuring Encapsulation on ISDN BRI (Required)
• Configuring Network Addressing (Required)
• Configuring TEI Negotiation Timing (Optional)
• Configuring CLI Screening (Optional)
• Configuring Called Party Number Verification (Optional)
• Configuring ISDN Calling Number Identification (Optional)
• Configuring the Line Speed for Calls Not ISDN End to End (Optional)
• Configuring a Fast Rollover Delay (Optional)
• Overriding ISDN Application Default Cause Codes (Optional)
• Configuring Inclusion of the Sending Complete Information Element (Optional)
• Configuring DNIS-plus-ISDN-Subaddress Binding (Optional)
• Screening Incoming V.110 Modem Calls (Optional)
• Disabling V.110 Padding (Optional)
Specifying the Interface and Its IP Address
To specify an ISDN BRI and enter interface configuration mode, use the following commands beginning
in global configuration mode:

        Command                                         Purpose
Step 1  Router(config)# interface bri number            Specifies the interface and begins interface
                                                        configuration mode.
        Cisco 7200 series router only:
        Router(config)# interface bri slot/port
Step 2  Router(config-if)# ip address address mask      Specifies an IP address for the interface.

Specifying ISDN SPIDs
Some service providers use SPIDs to define the services subscribed to by the ISDN device that is
accessing the ISDN service provider. The service provider assigns the ISDN device one or more SPIDs
when you first subscribe to the service. If you are using a service provider that requires SPIDs, your
ISDN device cannot place or receive calls until it sends a valid, assigned SPID to the service provider
when accessing the switch to initialize the connection.
Currently, only the DMS-100 and NI switch types require SPIDs. The AT&T 5ESS switch type may
support a SPID, but we recommend that you set up that ISDN service without SPIDs. In addition, SPIDs
have significance at the local access ISDN interface only. Remote routers never receive the SPID.
A SPID is usually a seven-digit telephone number with some optional numbers. However, service
providers may use different numbering schemes. For the DMS-100 switch type, two SPIDs are assigned,
one for each B channel.
To define the SPIDs and the local directory number (LDN) on the router, use the following commands
in interface configuration mode as needed:

Command                                           Purpose
Router(config-if)# isdn spid1 spid-number [ldn]   Specifies a SPID and local directory number for the B1 channel.
Router(config-if)# isdn spid2 spid-number [ldn]   Specifies a SPID and local directory number for the B2 channel.

The LDN is optional but might be necessary if the router is to answer calls made to the second directory
number.
Configuring Encapsulation on ISDN BRI
Each ISDN B channel is treated as a synchronous serial line, and the default serial encapsulation is
HDLC. The Dynamic Multiple Encapsulations feature allows incoming calls over ISDN to be assigned
an encapsulation type such as Frame Relay, PPP, and X.25 based on CLID or DNIS. PPP encapsulation
is configured for most ISDN communication.
To configure encapsulation, use the following command in interface configuration mode:

Command                                                      Purpose
Router(config-if)# encapsulation [ppp | lapb | frame-relay]  Configures encapsulation type.

Verifying the Dynamic Multiple Encapsulations Feature
To verify dialer interfaces configured for binding and see statistics on each physical interface bound to
the dialer interface, use the show interfaces EXEC command.
The following example shows that the output under the B channel keeps all hardware counts that are not
displayed under any logical or virtual access interface. The line in the report that states “Interface is
bound to Dialer0 (Encapsulation LAPB)” indicates that this B interface is bound to the dialer 0 interface
and the encapsulation running over this connection is LAPB, not PPP, which is the encapsulation
configured on the D interface and inherited by the B channel.
Router# show interfaces bri0:1
BRI0:1 is up, line protocol is up
Hardware is BRI
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive not set
Interface is bound to Dialer0 (Encapsulation LAPB)
LCP Open, multilink Open
Last input 00:00:31, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 1 packets/sec
110 packets input, 13994 bytes, 0 no buffer
Received 91 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
135 packets output, 14175 bytes, 0 underruns
0 output errors, 0 collisions, 12 interface resets
0 output buffer failures, 0 output buffers swapped out
8 carrier transitions
Any protocol configuration and states should be displayed from the dialer 0 interface.
Encapsulation Configuration Notes
The router might need to communicate with devices that require a different encapsulation protocol or the
router might send traffic over a Frame Relay or X.25 network. The Dynamic Multiple Encapsulations
feature provides bidirectional support of all serial encapsulations except Frame Relay.
For more information, see the sections “Sending Traffic over Frame Relay, X.25, or LAPB Networks”
in the chapters “Configuring Legacy DDR Spokes” and “Configuring Legacy DDR Hubs” later in this
publication.
To configure the router for automatic detection of encapsulation type on incoming calls, or to configure
encapsulation for Cisco 700 and 800 series (formerly Combinet) router compatibility, see the section
“Configuring Automatic Detection of Encapsulation Type” in the chapter “Configuring ISDN Special
Signaling” later in this publication.
Configuring Network Addressing
The steps in this section support the primary goals of network addressing:
• Define which packets are interesting and will thus cause the router to make an outgoing call.
• Define the remote host where the calls are going.
• Specify whether broadcast messages will be sent.
• Specify the dialing string to use in the call.
Intermediate steps that use shared argument values tie the host identification and dial string to the
interesting packets to be sent to that host.
To configure network addressing, use the following commands beginning in interface configuration
mode:

        Command                                                       Purpose
Step 1  Router(config-if)# dialer map protocol next-hop-address        (Most locations) Configures a serial interface or ISDN
        name hostname speed [56 | 64] dial-string[:isdn-subaddress]   interface to call one or multiple sites or to receive calls
                                                                      from multiple sites.
        or
        Router(config-if)# dialer map protocol next-hop-address        (Germany) Uses the command keyword that enables
        name hostname spc [speed 56 | 64] [broadcast]                 ISDN semipermanent connections.
        dial-string[:isdn-subaddress]
Step 2  Router(config-if)# dialer-group group-number                  Assigns the interface to a dialer group to control access
                                                                      to the interface.
Step 3  Router(config-if)# exit                                       Exits to global configuration mode.
Step 4  Router(config)# dialer-list dialer-group protocol             Defines a dial-on-demand routing (DDR) dialer list for
        protocol-name {permit | deny | list access-list-number |      dialing by protocol or by a combination of a protocol
        access-group}                                                 and an access list.
Step 5  Router(config)# access-list access-list-number {deny |        Defines an access list permitting or denying access to
        permit} protocol source address source-mask destination      specified protocols, sources, or destinations. Permitted
        destination-mask                                              packets cause the router to place a call to the destination
                                                                      protocol address.

German networks allow semipermanent connections between customer routers with BRIs and the 1TR6
basic rate switches in the exchange. Semipermanent connections are less expensive than leased lines.
Note The access list reference in Step 5 of this task is an example of the access-list commands allowed by
different protocols. Some protocols might require a different command form or might require
multiple commands. Refer to the relevant protocol chapter in the network protocol configuration
guide (the Cisco IOS Novell IPX Configuration Guide, for example) for more information about
setting up access lists for a protocol.
For more information about defining outgoing call numbers, see the chapters “Configuring Legacy DDR
Hubs” and “Configuring Legacy DDR Spokes” later in this publication.
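As an added illustration of how the steps above fit together (not IOS code and not from this guide), the following Python model evaluates a constructed configuration the way DDR does: the interface's dialer-group selects a dialer-list, the dialer-list's list keyword hands the decision to an access list evaluated first-match with IOS wildcard masks and the implicit deny, and only an interesting packet is then matched against a dialer map by next-hop address. The hostname hq, the dial string 5551234, the ICMP deny entry, and all addresses are assumptions made for the example.

```python
"""Model of how DDR decides whether a packet is "interesting" and which dialer
map it triggers, following the dialer map / dialer-group / dialer-list /
access-list steps above. Added illustration, not IOS code; every hostname,
number and address below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _u32(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    don't-care (so 0.0.0.255 means a /24 and 255.255.255.255 means any)."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


@dataclass(frozen=True)
class AclEntry:
    # access-list <n> {deny|permit} <protocol> <source> <source-mask> <destination> <destination-mask>
    action: str
    protocol: str          # "ip" matches every IP protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def acl_permits(entries: list[AclEntry], protocol: str, src: str, dst: str) -> bool:
    """First matching entry decides; no match is the IOS implicit deny."""
    for e in entries:
        if (e.protocol in ("ip", protocol)
                and wildcard_match(src, e.src, e.src_wild)
                and wildcard_match(dst, e.dst, e.dst_wild)):
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class DialerList:
    # dialer-list <dialer-group> protocol <protocol-name> {permit | deny | list <acl>}
    group: int
    protocol: str
    mode: str              # "permit", "deny" or "list"
    acl: Optional[int] = None


@dataclass(frozen=True)
class DialerMap:
    # dialer map <protocol> <next-hop-address> name <hostname> <dial-string>
    protocol: str
    next_hop: str
    hostname: str
    dial_string: str


@dataclass(frozen=True)
class DdrConfig:
    dialer_group: int                     # the interface's dialer-group
    dialer_lists: list[DialerList]
    access_lists: dict[int, list[AclEntry]]
    dialer_maps: list[DialerMap]


def is_interesting(cfg: DdrConfig, protocol: str, src: str, dst: str) -> bool:
    """A packet is interesting if a dialer-list for the interface's group and
    protocol permits it, directly or through its access list."""
    for dl in cfg.dialer_lists:
        if dl.group != cfg.dialer_group or dl.protocol != protocol:
            continue
        if dl.mode == "permit":
            return True
        if dl.mode == "deny":
            return False
        return acl_permits(cfg.access_lists[dl.acl], protocol, src, dst)
    return False                          # no dialer-list for this protocol: never dial


def decide(cfg: DdrConfig, protocol: str, src: str, dst: str,
           next_hop: str) -> tuple[Optional[str], str]:
    """Return (dial string or None, reason) for a packet routed via next_hop."""
    if not is_interesting(cfg, protocol, src, dst):
        return None, "not interesting: dialer-list/access-list does not permit it"
    for m in cfg.dialer_maps:
        if m.protocol == protocol and m.next_hop == next_hop:
            return m.dial_string, f"interesting; dialer map to {m.hostname}"
    return None, f"interesting, but no dialer map for next hop {next_hop}"


ANY = ("0.0.0.0", "255.255.255.255")

# Constructed configuration: the branch LAN 192.168.1.0/24 may bring up the line
# toward 10.0.0.0/8 at hq, but pings must not (denying ICMP keeps monitoring
# traffic from running up call charges).
CONFIG = DdrConfig(
    dialer_group=1,
    dialer_lists=[DialerList(1, "ip", "list", 101)],
    access_lists={101: [
        AclEntry("deny", "icmp", *ANY, *ANY),
        AclEntry("permit", "ip", "192.168.1.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    ]},
    dialer_maps=[DialerMap("ip", "10.1.1.2", "hq", "5551234")],
)

if __name__ == "__main__":
    for pkt in [("ip", "192.168.1.10", "10.2.0.5", "10.1.1.2"),
                ("icmp", "192.168.1.10", "10.2.0.5", "10.1.1.2"),
                ("ip", "172.16.0.1", "10.2.0.5", "10.1.1.2"),
                ("ip", "192.168.1.10", "10.2.0.5", "10.1.1.3")]:
        print(pkt, "->", decide(CONFIG, *pkt))
```

The four sample packets cover the cases the steps imply: LAN traffic to hq places the call, an ICMP packet is stopped by the explicit deny, a source outside the LAN falls to the implicit deny, and an interesting packet whose next hop has no dialer map still cannot dial.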
Configuring TEI Negotiation Timing
You can configure ISDN TEI negotiation on individual ISDN interfaces. TEI negotiation is useful for switches that may deactivate Layer 1 or Layer 2 when there are no active calls. Typically, this setting is used for ISDN service offerings in Europe and for connections to DMS-100 switches that are designed to initiate TEI negotiation.
By default, TEI negotiation occurs when the router is powered up. The TEI negotiation value configured on an interface overrides the default or global TEI value. For example, if you configure isdn tei first-call globally and isdn tei powerup on BRI interface 0, then powerup is the TEI negotiation value applied to BRI interface 0. It is not necessary to configure TEI negotiation unless you wish to override the default value (isdn tei powerup).
To apply TEI negotiation to a specific BRI interface, use the following command in interface configuration mode:
Command: Router(config-if)# isdn tei [first-call | powerup]
Purpose: Determines when ISDN TEI negotiation occurs.
Configuring CLI Screening
CLI screening adds a level of security by allowing you to screen incoming calls: you can verify that the calling line ID (CLI) is from an expected origin. CLI screening requires a local switch that is capable of delivering the CLI to the router.
To configure CLI screening, use the following command in interface configuration mode:
Command: Router(config-if)# isdn caller number
Purpose: Configures caller ID screening.
Note If caller ID screening is configured and the local switch does not deliver caller IDs, the router rejects all calls.
Note In earlier releases of the Cisco IOS software, ISDN accepted all synchronous calls and performed some minimal CLI screening before accepting or rejecting a call. Beginning with Cisco IOS Release 12.1 software, DDR provides a separate process that screens for the profile of the caller. The new screening process also checks that enough resources are available to accept the call and that the call conforms to predetermined rules. When the call is found acceptable, the screening process searches for a matching profile for the caller. The call is accepted only when there is a matching profile.
Configuring Called Party Number Verification
When multiple devices are attached to an ISDN BRI, you can ensure that only a single device answers an incoming call by verifying the number or subaddress (or both) in the incoming call against the number or subaddress configured on the device.
You can specify that the router verify a called-party number or subaddress number in the incoming Setup message for ISDN BRI calls, if the number is delivered by the switch. You do so by configuring the number that is allowed. To configure verification, use the following command in interface configuration mode:
Command: Router(config-if)# isdn answer1 [called-party-number][:subaddress]
Purpose: Specifies that the router verify a called-party number or subaddress number in the incoming Setup message.
Verifying the called-party number ensures that only the desired router responds to an incoming call. If you want to allow an additional number for the router, you can configure it, too.
To configure a second number to be allowed, use the following command in interface configuration mode:
Command: Router(config-if)# isdn answer2 [called-party-number][:subaddress]
Purpose: Specifies that the router verify a second called-party number or subaddress number in the incoming Setup message.
Configuring ISDN Calling Number Identification
A router with an ISDN BRI interface might need to supply the ISDN network with a billing number for outgoing calls. Some networks offer better pricing on calls in which the number is presented. When configured, this information is included in the outgoing call Setup message.
To configure the interface to identify the billing number, use the following command in interface configuration mode:
Command: Router(config-if)# isdn calling-number calling-number
Purpose: Specifies the calling party number.
This command can be used with all switch types except German 1TR6 ISDN BRI switches.
Configuring the Line Speed for Calls Not ISDN End to End
When calls are made at 56 kbps but delivered by the ISDN network at 64 kbps, the incoming data can be corrupted. However, on ISDN calls, if the receiving side is informed that the call is not an ISDN call from end to end, it can set the line speed for the incoming call.
To set the speed for incoming calls recognized as not ISDN end to end, use the following command in interface configuration mode:
Command: Router(config-if)# isdn not-end-to-end {56 | 64}
Purpose: Sets the speed to be used for incoming calls recognized as not ISDN end to end.
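To make the two screens from the "Configuring CLI Screening" and "Configuring Called Party Number Verification" sections concrete, here is a small model of the decision the router makes on an incoming call. It is an added illustration, not Cisco IOS code: the class and function names are invented, configured caller numbers are compared for exact equality, and called-party verification is assumed to be skipped when the switch delivers neither a called number nor a subaddress (the text only says the check applies "if the number is delivered by the switch"). The configuration and SETUP messages inside demo() are constructed.

```python
"""Model of ISDN incoming-call screening (illustration, not IOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IncomingSetup:
    """The fields of an incoming Q.931 SETUP that the screens look at.
    None means the switch did not deliver that element (constructed sample)."""
    calling_number: Optional[str]
    called_number: Optional[str]
    called_subaddress: Optional[str]


# (called-party-number, subaddress), either of which may be absent
AnswerSpec = Tuple[Optional[str], Optional[str]]


def parse_answer(spec: str) -> AnswerSpec:
    """Parse the argument of isdn answer1 / isdn answer2:
    'number', 'number:subaddress' or ':subaddress'."""
    number, _, sub = spec.partition(":")
    return (number or None, sub or None)


@dataclass
class BriScreening:
    """Screening configured on one BRI interface."""
    caller_numbers: List[str] = field(default_factory=list)   # one per isdn caller line
    answers: List[AnswerSpec] = field(default_factory=list)   # isdn answer1 / answer2


def _answer_matches(spec: AnswerSpec, setup: IncomingSetup) -> bool:
    """Every element given in the spec must equal the delivered one."""
    number, sub = spec
    if number is not None and setup.called_number != number:
        return False
    if sub is not None and setup.called_subaddress != sub:
        return False
    return True


def screen_call(cfg: BriScreening, setup: IncomingSetup) -> Tuple[bool, str]:
    """Return (accept, reason) for an incoming call on this interface."""
    # Caller ID screening.  As the note above says, when screening is
    # configured but the switch delivers no caller ID, every call is rejected.
    if cfg.caller_numbers:
        if setup.calling_number is None:
            return False, "caller ID screening configured but no CLI delivered"
        if setup.calling_number not in cfg.caller_numbers:
            return False, f"calling number {setup.calling_number} not permitted"
    # Called-party verification (assumption: skipped when the switch delivered
    # neither a called number nor a subaddress).
    delivered = setup.called_number is not None or setup.called_subaddress is not None
    if cfg.answers and delivered:
        if not any(_answer_matches(a, setup) for a in cfg.answers):
            return False, "called party does not match isdn answer1/answer2"
    return True, "accepted"


def demo() -> Dict[str, bool]:
    """Constructed configuration, equivalent to:
         interface bri 0
          isdn caller 5551234
          isdn answer1 61885:12
          isdn answer2 :99
    Returns the accept/reject verdict for several constructed SETUP messages."""
    cfg = BriScreening(caller_numbers=["5551234"],
                       answers=[parse_answer("61885:12"), parse_answer(":99")])
    calls = {
        "expected peer, first number": IncomingSetup("5551234", "61885", "12"),
        "expected peer, second subaddress": IncomingSetup("5551234", "61886", "99"),
        "no caller ID delivered": IncomingSetup(None, "61885", "12"),
        "unknown caller": IncomingSetup("5559999", "61885", "12"),
        "wrong subaddress": IncomingSetup("5551234", "61885", "13"),
    }
    return {name: screen_call(cfg, s)[0] for name, s in calls.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:34s} {'accept' if accepted else 'reject'}")
```

The order of the checks matters operationally: a switch that stops delivering CLI turns a caller-ID screen into a denial of service for every inbound call, which is exactly the failure the first note in the CLI screening section warns about, and the model rejects before it ever looks at the called party.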
Configuring a Fast Rollover Delay
Sometimes a router attempts to dial a call on an ISDN B channel before a previous call is completely torn down. The fast rollover fails because the second call is made to a different number before the B channel is released from the unsuccessful call. This failure might occur in the following ISDN configurations:
• The two B channels of the BRI are not configured as a hunt group, but have separate numbers defined.
• The B channel is not released by the ISDN switch until after the Release Complete signal is processed.
You need to configure this delay if a BRI on a remote peer has two phone numbers configured (one for each B channel you are dialing into on this BRI), you have a dialer map for each phone number, and the first call succeeds but a second call fails with no channel available.
To configure a fast rollover delay, use the following command in interface configuration mode:
Command: Router(config-if)# isdn fast-rollover-delay seconds
Purpose: Defines a fast rollover delay.
A delay of 5 seconds should cover most cases. Configure sufficient delay to make sure the ISDN RELEASE_COMPLETE message has been sent or received before making the fast rollover call. Use the debug isdn q931 command to display this information. This pattern of failed second calls is a rare occurrence.
Overriding ISDN Application Default Cause Codes
The ISDN Cause Code Override function is useful for overriding the default cause code of ISDN applications. When this feature is implemented, the configured cause code is sent to the switch; otherwise, the default cause codes of the application are sent.
To configure ISDN cause code overrides, use the following command in interface configuration mode:
Command: Router(config-if)# isdn disconnect-cause {cause-code-number | busy | not-available}
Purpose: Specifies the ISDN cause code to send to the switch.
ISDN Cause Code Override Configuration Example
The following example sends a BUSY cause code to the switch when an application fails to complete the call:
interface serial 0:23
 isdn disconnect-cause busy
Verifying ISDN Cause Code Override
To verify that the ISDN Cause Code Override feature is operating correctly, enter the debug q931 command. The debug q931 command displays a report of any configuration irregularities.
Configuring Inclusion of the Sending Complete Information Element
In some geographic locations, such as Hong Kong and Taiwan, ISDN switches require that the Sending Complete information element be included in the outgoing Setup message to indicate that the entire number is included. This information element is generally not required in other locations.
To configure the interface to include the Sending Complete information element in the outgoing call Setup message, use the following command in interface configuration mode:
Command: Router(config-if)# isdn sending-complete
Purpose: Includes the Sending Complete information element in the outgoing call Setup message.
Configuring DNIS-plus-ISDN-Subaddress Binding
To configure DNIS-plus-ISDN-subaddress binding, use the following command in global configuration mode:
Command: Router(config)# dialer called DNIS:subaddress
Purpose: Binds a DNIS to an ISDN subaddress.
Note This command allows multiple binds between a dialer profile and an ISDN B channel. The configuration requires an ISDN subaddress, which is used in Europe and Australia.
See the section “DNIS-plus-ISDN-Subaddress Binding Example” later in this chapter for a configuration example.
Screening Incoming V.110 Modem Calls
You can screen incoming V.110 modem calls and reject calls that do not have the communications settings configured as the network expects them to be.
To selectively accept incoming V.110 modem calls based on data bit, parity, and stop bit modem communications, use the following command in interface configuration mode:
Command: Router(config-if)# isdn v110 only [databits {5 | 7 | 8}] [parity {even | mark | none | odd | space}] [stopbits {1 | 1.5 | 2}]
Purpose: Selectively accepts incoming V.110 calls based on data bit, parity, and stop bit modem communication settings.
Disabling V.110 Padding
In networks with devices such as terminal adapters (TAs) and global system for mobile communication (GSM) handsets that do not fully conform to the V.110 modem standard, you will need to disable V.110 padding. To disable the padded V.110 modem speed report required by the V.110 modem standard, use the following command in interface configuration mode:
Command: Router(config-if)# no isdn v110 padding
Purpose: Disables the padded modem speed report required by the V.110 modem standard.
Configuring ISDN Semipermanent Connections
German networks allow semipermanent connections between customer routers with BRI interfaces and the 1TR6 basic rate switches in the exchange. Australian networks allow semipermanent connections between ISDN PRI interfaces and the TS-014 primary rate switches in the exchange. Semipermanent connections are offered at better pricing than leased lines.
Configuring BRI interfaces for semipermanent connection requires only that you use a keyword that indicates semipermanent connections when you are setting up network addressing as described in the previous section of this chapter.
To configure a BRI for semipermanent connections, follow this procedure:
Step 1 Set up the ISDN lines and ports as described in the sections “Configuring the ISDN BRI Switch” and “Specifying Interface Characteristics for an ISDN BRI”; for ISDN PRI, see the section “How to Configure ISDN PRI” in the chapter “Configuring ISDN PRI” later in this manual.
Step 2 Configure DDR on a selected interface, as described in the “Dial-on-Demand Routing Configuration” part of this publication.
To begin DDR network addressing, use the following command in interface configuration mode:
Command: Router(config-if)# dialer map protocol next-hop-address name hostname spc [speed 56 | 64] [broadcast] dial-string[:isdn-subaddress]
Purpose: Defines the remote recipient’s protocol address, host name, and dialing string; indicates semipermanent connections; optionally, provides the ISDN subaddress; and sets the dialer speed to 56 or 64 kbps, as needed.
Configuring ISDN BRI for Leased-Line Service
To configure ISDN BRI for leased-line service, perform the tasks in one of the following sections as needed and available:
• Configuring Leased-Line Service at Normal Speeds (Available in Japan and Germany)
• Configuring Leased-Line Service at 128 Kbps (Available only in Japan)
Note Once an ISDN BRI interface is configured for access over leased lines, it is no longer a dialer interface, and signaling over the D channel no longer applies. Although the interface is called interface bri n, it is configured as a synchronous serial interface having the default High-Level Data Link Control (HDLC) encapsulation. However, the Cisco IOS commands that set the physical characteristics of a serial interface (such as the pulse time) do not apply to this interface.
Configuring Leased-Line Service at Normal Speeds
This service is offered in Japan and Germany, and no call setup or teardown is involved. Data is placed on the ISDN interface similar to the way data is placed on a leased line connected to a serial port.
To configure the BRI to use the ISDN connection as a leased-line service, use the following commands in global configuration mode:
Step 1
  Command: Router(config)# isdn switch-type switch-type
  Purpose: Configures the BRI switch type, as specified by the local service provider.
Step 2
  Command: Router(config)# isdn leased-line bri number 128
  Purpose: Specifies the BRI interface number.
To disable leased-line service if you no longer want to support it on a specified ISDN BRI, use the following command in global configuration mode:
Command: Router(config)# no isdn leased-line bri number
Purpose: Removes leased-line configuration from a specified ISDN BRI interface.
Configuring Leased-Line Service at 128 Kbps
The Cisco IOS software supports leased-line service at 128 kbps via ISDN BRI. This service combines two B channels into a single pipe. This feature requires one or more ISDN BRI hardware interfaces that support channel aggregation and service provider support for ISDN channel aggregation at 128 kbps. When this software first became available, service providers offered support for ISDN channel aggregation at 128 kbps only in Japan.
Note This feature is not supported on the Cisco 2500 series router because its BRI hardware does not support channel aggregation.
To enable leased-line service at 128 kbps on a specified ISDN BRI, use the following commands in global configuration mode:
Step 1
  Command: Router(config)# isdn switch-type switch-type
  Purpose: Selects the service provider switch type.
Step 2
  Command: Router(config)# isdn leased-line bri number 128
  Purpose: Configures a specified BRI for access over leased lines.
To complete the configuration of the interface, see the chapter “Configure a Synchronous Serial Ports” in this publication.
To remove the leased-line service configuration from a specified ISDN BRI, use the following command in global configuration mode:
Command: Router(config)# no isdn leased-line bri number
Purpose: Removes leased-line configuration from a specified ISDN BRI interface.
Monitoring and Maintaining ISDN Interfaces
To monitor and maintain ISDN interfaces, use the following commands in EXEC mode as needed:
Command: Router> show interfaces bri number
  (Cisco 7200 series routers only) Router> show interfaces bri slot/port
Purpose: Displays information about the physical attributes of the ISDN BRI B and D channels.
Command: Router> show controllers bri number
  (Cisco 7200 series routers only) Router> show controllers bri slot/port
Purpose: Displays protocol information about the ISDN B and D channels.
Command: Router> show isdn {active | history | memory | status | timers}
Purpose: Displays information about calls, history, memory, status, and Layer 2 and Layer 3 timers.
Command: Router> show dialer interface bri number
Purpose: Obtains general diagnostic information about the specified interface.
Troubleshooting ISDN Interfaces
To test the ISDN configuration of the router, use the following commands in EXEC mode as needed:
Command: Router# show controllers bri number
Purpose: Checks Layer 1 (physical layer) of the BRI.
Command: Router# debug q921
Purpose: Checks Layer 2 (data link layer).
Commands: Router# debug isdn events
  Router# debug q931
  Router# debug dialer
  Router# show dialer
Purpose: Checks Layer 3 (network layer).
Refer to the Cisco IOS Debug Command Reference for more information about the debug commands.
Configuration Examples for ISDN BRI
This section provides the following ISDN BRI configuration examples:
• Global ISDN and BRI Interface Switch Type Example
• BRI Connected to a PBX Example
• Multilink PPP on a BRI Interface Example
• Dialer Rotary Groups Example
• Compression Examples
• Multilink PPP and Compression Example
• Voice over ISDN Examples
• DNIS-plus-ISDN-Subaddress Binding Example
• Screening Incoming V.110 Modem Calls Example
• ISDN BRI Leased-Line Configuration Example
Global ISDN and BRI Interface Switch Type Example
The following example shows a global National ISDN switch type (keyword basic-ni) and an
interface-level NET3 ISDN switch type (keyword basic-net3). The basic-net3 keyword is applied to
BRI interface 0 and overrides the global switch setting.
isdn switch-type basic-ni
!
interface BRI0
isdn switch-type basic-net3
BRI Connected to a PBX Example
The following example provides a simple partial configuration of a BRI interface that is connected to a
PBX. This interface is connected to a switch that uses SPID numbers.
interface BRI0
description connected to pbx line 61885
ip address 10.1.1.3 255.255.255.0
encapsulation ppp
isdn spid1 123
dialer map ip 10.1.1.1 name mutter 61886
dialer map ip 10.1.1.2 name rudder 61884
dialer map ip 10.1.1.4 name flutter 61888
dialer-group 1
no fair-queue
ppp authentication chap
Multilink PPP on a BRI Interface Example
The following example enables Multilink PPP on BRI 0:
interface BRI0
description Enables PPP Multilink on BRI 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.2 name coaster 14195291357
dialer map ip 10.1.1.3 name roaster speed 56 14098759854
ppp authentication chap
ppp multilink
dialer-group 1
Dialer Rotary Groups Example
The following example configures BRI interfaces to connect into a rotary group (using the dialer-group
command) and then configures a dialer interface for that dialer group. This configuration permits IP
packets to trigger calls.
interface BRI 0
description connected into a rotary group
encapsulation ppp
dialer rotary-group 1
interface BRI 1
no ip address
encapsulation ppp
dialer rotary-group 1
interface BRI 2
encapsulation ppp
dialer rotary-group 1
interface BRI 3
no ip address
encapsulation ppp
dialer rotary-group 1
interface BRI 4
encapsulation ppp
dialer rotary-group 1
interface Dialer 0
description Dialer group controlling the BRIs
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.2 name angus 14802616900
dialer-group 1
ppp authentication chap
dialer-list 1 protocol ip permit
Compression Examples
The following example enables predictor compression on BRI 0:
interface BRI0
description Enables predictor compression on BRI 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.2 name bon 14195291357
compress predictor
ppp authentication chap
dialer-group 1
The following example enables stacker compression on BRI 0:
interface BRI0
description Enables stac compression on BRI 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.2 name malcom 14195291357
compress stac
ppp authentication chap
dialer-group 1
Multilink PPP and Compression Example
The following example enables Multilink PPP and stacker compression on BRI 0:
interface BRI0
description Enables PPP Multilink and stac compression on BRI 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.2 name rudd 14195291357
ppp authentication chap
compress stac
ppp multilink
dialer-group 1
Voice over ISDN Examples
The following example allows incoming voice calls to be answered on BRI 0:
interface bri0
description Allows incoming voice calls to be answered on BRI 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
isdn incoming-voice data
dialer map ip 10.1.1.2 name starstruck 14038182344
ppp authentication chap
dialer-group 1
The following example allows outgoing voice calls on BRI 1:
interface bri1
description Places an outgoing call as a voice call on BRI 1
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.2 name angus class calltype 19091238877
ppp authentication chap
dialer-group 1
map-class dialer calltype
dialer voice-call
For more configuration examples of voice calls over ISDN, refer to the Cisco IOS Voice, Video, and Fax
Configuration Guide.
DNIS-plus-ISDN-Subaddress Binding Example
The following example configures a dialer profile for a receiver with DNIS 12345 and ISDN
subaddress 6789:
dialer called 12345:6789
For additional configuration examples, see the sections “Dynamic Multiple Encapsulations” and
“Verifying the Dynamic Multiple Encapsulations Feature” in the chapter “Configuring Peer-to-Peer
DDR with Dialer Profiles” in this publication.
Screening Incoming V.110 Modem Calls Example
The following example filters out all V.110 modem calls except those with communication settings of
8 data bits, no parity bit, and 1 stop bit:
interface serial 0:23
isdn v110 only databits 8 parity none stopbits 1
ISDN BRI Leased-Line Configuration Example
The following example configures the BRI 0 interface for leased-line access at 128 kbps. Because of the
leased-line–not dialed–environment, configuration of ISDN called and calling numbers are not needed
and not used. The BRI 0 interface is henceforth treated as a synchronous serial interface, with the default
HDLC encapsulation.
isdn leased-line bri 0 128
The following example configures the BRI 0 interface for PPP encapsulation:
interface bri 0
ip address 10.1.1.2 255.255.255.0
encapsulation ppp
bandwidth 128
Configuring Virtual Asynchronous Traffic over ISDN
Cisco IOS software offers two solutions to send virtual asynchronous traffic over ISDN:
• Using International Telecommunication Union Telecommunication Standardization Sector (ITU-T)
Recommendation V.120, which allows for reliable transport of synchronous, asynchronous, or bit
transparent data over ISDN bearer channels.
• Using ITU-T Recommendation X.75, which allows a system with an ISDN terminal adapter
supporting asynchronous traffic over Link Access Procedure, Balanced (LAPB) to call into a router
and establish an asynchronous PPP session. This method of asynchronous traffic transmission is also
called ISDN Link Access Procedure, Balanced-Terminal Adapter (LAPB-TA).
A virtual asynchronous interface (also known as vty-async) is created on demand to support calls that
enter the router through a nonphysical interface. For example, asynchronous character stream calls
terminate or land on nonphysical interfaces. These types of calls include inbound Telnet, local-area
transport (LAT), PPP over character-oriented protocols (such as V.120 or X.25), and LAPB-TA and
packet assembler/disassembler (PAD) calls.
Virtual asynchronous interfaces are not user configurable; rather, they are dynamically created and torn
down on demand. A virtual asynchronous line is used to access a virtual asynchronous interface. Refer
to the section “Virtual Asynchronous Interfaces” in the chapter “Overview of Dial Interfaces,
Controllers, and Lines” in this publication for more overview information about virtual asynchronous
interfaces. Refer to the section “Enabling Asynchronous Functions on Virtual Terminal Lines” in the
chapter “Configuring Protocol Translation and Virtual Asynchronous Devices” in the Cisco IOS
Terminal Services Configuration Guide, for additional virtual asynchronous interface configuration
information.
This chapter describes how to configure virtual asynchronous traffic over ISDN lines. It includes the
following main sections:
• Recommendation V.120 Overview
• How to Configure V.120 Access
• Configuration Example for V.120
• ISDN LAPB-TA Overview
• How to Configure ISDN LAPB-TA
• Configuration Example for ISDN LAPB-TA
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
Recommendation V.120 Overview
The V-series recommendations are ITU-T standards dealing with data communications over telephone
networks. V.120 allows for reliable transport of synchronous, asynchronous, or bit transparent data over
ISDN bearer channels. Cisco provides three V.120 support features for terminal adapters that do not send
the low-layer compatibility fields or bearer capability V.120 information:
• Answer all incoming calls as V.120—Static configuration used when all remote users have
asynchronous terminals and need to connect with a vty on the router.
• Automatically detect V.120 encapsulation—Encapsulation dynamically detected and set.
• Enable V.120 Support for Asynchronous Access over ISDN.
For terminal adapters that send the low-layer compatibility or bearer capability V.120 information,
mixed V.120 and ISDN calls are supported. No special configuration is required.
How to Configure V.120 Access
To configure V.120 access, perform the tasks in the following sections:
• Configuring Answering of All Incoming Calls as V.120 (Required)
• Configuring Automatic Detection of Encapsulation Type (Required)
• Enabling V.120 Support for Asynchronous Access over ISDN (Required)
See the section “Configuration Example for V.120” at the end of this chapter for an example of how to
configure V.120 access.
Configuring Answering of All Incoming Calls as V.120
This V.120 support feature allows users to connect using an asynchronous terminal over ISDN terminal
adapters with V.120 support to a vty on the router, much like a direct asynchronous connection.
Beginning with Cisco IOS Release 11.1, this feature supports incoming calls only.
When all the remote users have asynchronous terminals and call in to a router through an ISDN terminal
adapter that uses V.120 encapsulation but does not send the low-layer compatibility or bearer capability
V.120 information, you can configure the interface to answer all calls as V.120. Such calls are connected
with an available vty on the router.
To configure an ISDN BRI or PRI interface to answer all incoming calls as V.120, use the following commands beginning in global configuration mode:
Step 1
  Command: (Cisco 4000 series routers only) Router(config)# interface bri number
  or
  (Cisco 7200 series routers only) Router(config)# interface bri slot/port
  Purpose: Configures the ISDN BRI interface and begins interface configuration mode.
Step 2
  Command: Router(config)# interface serial e1 controller-number:15
  or
  Router(config)# interface serial t1 controller-number:23
  Purpose: Configures the ISDN PRI D channel and begins interface configuration mode.
Step 3
  Command: Router(config-if)# isdn all-incoming-calls-v120
  Purpose: Configures the interface to answer all calls as V.120.
Configuring Automatic Detection of Encapsulation Type
If an ISDN call does not identify the call type in the lower-layer compatibility fields and is using an encapsulation that is different from the one configured on the interface, the interface can change its encapsulation type dynamically.
This feature enables interoperation with ISDN terminal adapters that use V.120 encapsulation but do not signal V.120 in the call setup message. An ISDN interface that by default answers a call as synchronous serial with PPP encapsulation can change its encapsulation and answer such calls.
Automatic detection is attempted for the first 10 seconds after the link is established or the first 5 packets exchanged over the link, whichever comes first.
To enable automatic detection of V.120 encapsulation, use the following command in interface configuration mode:
Command: Router(config-if)# autodetect encapsulation v120
Purpose: Enables automatic detection of encapsulation type on the specified interface.
You can specify one or more encapsulations to detect. Cisco IOS software currently supports automatic detection of PPP and V.120 encapsulations.
Enabling V.120 Support for Asynchronous Access over ISDN
You can optionally configure a router to support asynchronous access over ISDN by globally enabling PPP on vty lines. Asynchronous access is then supported over ISDN from the ISDN terminal to the vty session on the router.
To enable asynchronous protocol features on vty lines, use the following command in global configuration mode:
Command: Router(config)# vty-async
Purpose: Configures all vty lines to support asynchronous protocol features.
This task enables PPP on vty lines on a global basis on the router. If you prefer instead to configure PPP on a per-vty basis, use the translate command, which is described in the Cisco IOS Dial Technologies Command Reference.
Configuration Example for V.120
The following example configures BRI 0 to call and receive calls from two sites, to use PPP encapsulation on outgoing calls, and to use Challenge Handshake Authentication Protocol (CHAP) authentication on incoming calls. This example also enables BRI 0 to configure itself dynamically to answer calls that use V.120 but that do not signal V.120 in the call setup message.
interface bri 0
 encapsulation ppp
 autodetect encapsulation v120
 no keepalive
 dialer map ip 172.18.36.10 name EB1 234
 dialer map ip 172.18.36.9 name EB2 456
 dialer-group 1
 ppp authentication chap
ISDN LAPB-TA Overview
To carry asynchronous traffic over ISDN, your system must be able to convert that traffic and forward it over synchronous connections. This process can be implemented by the V.120 protocol, which carries asynchronous traffic over ISDN. However, several countries in Europe (Germany, Switzerland, and some Eastern European countries) use LAPB as the protocol to forward their asynchronous traffic over synchronous connections. Your system, therefore, must be able to recognize and accept calls from these asynchronous/synchronous conversion devices. LAPB-TA performs that function. (LAPB is sometimes referred to as “X.75,” because LAPB is the link layer specified in the ITU-T X.75 recommendation for carrying asynchronous traffic over ISDN.)
LAPB-TA allows devices that use LAPB instead of the V.120 protocol to communicate with routers on the Cisco 3600 and 5300 series.
LAPB supports both local CHAP authentication and external RADIUS authorization on the authentication, authorization, and accounting (AAA) server.
Before configuring ISDN LAPB-TA in your network, observe these restrictions:
• LAPB-TA does not currently support the ability to set a maximum frame size per user.
• Outbound LAPB-TA calls are not supported.
• PPP over LAPB-TA (and V.120) connections impose a greater overhead on the router than
synchronous PPP over ISDN. The number of simultaneous sessions can be limited by dedicating a
pool of virtual terminals to these protocols and limiting the number of virtual terminals in the pool.
• Multilink PPP compression is not supported.
How to Configure ISDN LAPB-TA
ISDN LAPB-TA is supported on the Cisco 3600 and Cisco 5300 series routers that meet the following
additional requirements:
• A virtual terminal must be configured for incoming LAPB-TA. If no appropriately configured
virtual terminals are available, the incoming call will be cleared.
• ISDN, LAPB, and PPP must be running to configure LAPB-TA.
• The Cisco IOS software must include the vty-async global configuration command, which must be
configured before you can run asynchronous PPP traffic over a LAPB-TA connection.
If an interface is already configured for V.120, only the following two additional configuration
commands are required on the interface because V.120 and LAPB-TA sessions are configured in a
similar way:
• Use the autodetect encapsulation command to enable autodetection of LAPB-TA connections.
• Use the transport input command to list LAPB-TA as an acceptable transport on a specific router.
Perform the following required task to configure LAPB-TA: configure ISDN LAPB-TA (required), as
described in the task table that follows.
Procedures for verifying the configuration are found in the section “Verifying ISDN LAPB-TA” later in
this chapter. The section “Configuration Example for ISDN LAPB-TA” at the end of this chapter
provides configuration examples.
To configure ISDN LAPB-TA, use the following commands beginning in global configuration command
mode:
Command Purpose
Step 1 Router(config)# vty-async Creates a virtual asynchronous interface.
Step 2 Router(config)# vty-async virtual-template 1 Applies the virtual template to the virtual asynchronous interface.
Step 3 Router(config)# interface virtual-template 1 Creates a virtual interface template and enters interface configuration mode.
Step 4 Router(config-if)# ip unnumbered Ethernet0 Assigns an IP address to the virtual interface template.
Step 5 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the virtual interface template.
Step 6 Router(config-if)# no peer default ip address Disables assignment of an IP address from a pool to the device connecting to the virtual access interface.
Step 7 Router(config-if)# ppp authentication chap Enables the CHAP protocol for PPP authentication.
Step 8 Router(config-if)# exit Exits to global configuration mode.
Step 9 Router(config)# username user1 password home Specifies the CHAP password to be used to authenticate calls from caller “user1.”
Step 10 Router(config)# interface Serial0:23 Enters interface configuration mode for a D-channel serial interface.1
Step 11 Router(config-if)# encapsulation ppp Configures PPP encapsulation as the default.
Step 12 Router(config-if)# dialer-group 1 Specifies the dialer group belonging to the interface.
Step 13 Router(config-if)# ppp authentication chap Enables the CHAP protocol for PPP authentication.
Step 14 Router(config-if)# autodetect encapsulation lapb-ta Enables autodetect encapsulation for LAPB-TA protocols.
Step 15 Router(config)# line vty 0 32 Configures a range of 32 vty lines starting with vty0.
Step 16 Router(config-line)# transport input telnet lapb-ta Defines which protocol to use to connect to a specific line of the access server.
1. The D channel is the signaling channel.
Verifying ISDN LAPB-TA
Enter the show running-config command to verify that LAPB-TA is configured. The following
output shows LAPB-TA enabled for serial interface 0:23:
Router# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname Router
...(output omitted)
interface Serial0:23
description ENG PBX BRI num.:81063
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
dialer pool-member 1
autodetect encapsulation ppp lapb-ta
isdn switch-type primary-5ess
no peer default ip address
no fair-queue
no cdp enable
ppp authentication chap
...(output omitted)
!
end
Configuration Example for ISDN LAPB-TA
The following example configures a virtual template LAPB-TA connection capable of running PPP. It
assumes that you have already configured usernames and passwords for PPP authentication.
vty-async
vty-async virtual-template 1
interface virtual-template 1
ip unnumbered Ethernet0
encapsulation ppp
no peer default ip address
ppp authentication chap
exit
interface Serial0:23
autodetect encapsulation lapb-ta
The following example treats the LAPB-TA and V.120 calls identically by immediately starting a PPP
session without asking for username and password and relying on PPP authentication to identify the
caller:
vty-async
vty-async virtual-template 1
interface Loopback0
ip address 10.2.2.1 255.255.255.0
exit
interface BRI3/0
encapsulation ppp
autodetect encapsulation ppp lapb-ta v120
exit
interface Virtual-Template1
ip unnumbered Loopback0
ppp authentication chap
exit
ip local pool default 10.2.2.64 10.2.2.127
line vty 0 2
password
login
transport input telnet
exit
line vty 3 4
no login
transport input lapb-ta v120
autocommand ppp neg
exit
end
Configuring Modem Use over ISDN BRI
This chapter describes how to configure the Modem over ISDN BRI feature. It includes the following
main sections:
• Modem over ISDN BRI Overview
• How to Configure Modem over ISDN BRI
• Verifying ISDN BRI Interface Configuration
• Configuration Examples for Modem over ISDN BRI
Before beginning the tasks in this chapter, check your system for the following hardware and software:
• At least one of the following digital modem network modules. The number in the model name
indicates the number of digital modems that can be connected to the module.
– NM-6DM
– NM-12DM
– NM-18DM
– NM-24DM
– NM-30DM
These digital modem network modules do not have their own network connections, but instead
handle analog calls passing through other router interfaces. BRI modules can provide their ISDN
connectivity. Other modules, such as Ethernet, can provide connectivity to the LAN. The digital
modem module acts as a pool of available modems that can be used for both incoming and outgoing
calls. Digital modem network modules do not support BRI voice interface cards or wide-area
network (WAN) interface cards.
• At least one of the following Cisco BRI network modules:
– NM-4B-S/T: 4-port ISDN BRI network module, minimum version 800-01236-03
– NM-4B-U: 4-port ISDN BRI with integrated network termination 1 (NT-1) network module,
minimum version 800-01238-06
– NM-8B-S/T: 8-port ISDN BRI network module, minimum version 800-01237-03
– NM-8B-U: 8-port ISDN BRI with integrated NT-1 network module, minimum version
800-01239-06
The version level is available from the show diag command, which displays the version number as
the part number.
If your BRI network module is a version lower than those cited or you need more details, refer to
the Cisco.com Field Notice titled Using Digital Modems with the Cisco 3600 Basic Rate Interface
(BRI) Network Module Upgrade in the Access Products index. If your existing Cisco BRI network
module is one of those listed and does not support the Modem over ISDN BRI feature, Cisco will
upgrade the module at no charge.
• To support the Modem over ISDN BRI feature, V.90 modem portware—for instructions on
downloading this software or obtaining it otherwise, refer to the Cisco 3600 Series Modem Portware
Upgrade Configuration Note on Cisco.com.
Before you can configure a Cisco 3640 router to provide Modem over ISDN BRI connectivity, you must
also perform the following tasks:
• Obtain BRI service from your telecommunications provider. The BRI line must be provisioned at
the switch to support voice calls.
• Install a 4-port or 8-port BRI network module into your Cisco router. Depending on the type of
network module and your BRI service, you might also need to install an external NT-1 for S/T
interfaces.
• Install a supported digital modem network module into the Cisco 3640 router.
• After the system comes up, make sure enough buffers are in the free list of the buffer pool that
matches the maximum transmission unit (MTU) of your BRI interface. If not, you must reconfigure
buffers so the BRI interfaces function properly. To check the MTU of your interfaces, use the show
interfaces bri command. The show buffers command displays the free buffer space. Use the
buffers global configuration command to make adjustments to initial buffer pool settings and to the
limits at which temporary buffers are created and destroyed.
For more information about the physical characteristics of the BRI network modules and their digital
modem support, or instructions on how to install the network or modem modules, either refer to the
Cisco 3600 series Network Module Hardware Installation Guide that came with your BRI network
module or view the up-to-date information on CCO.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the Modem over ISDN BRI commands in this chapter, refer to the
Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
Modem over ISDN BRI Overview
The Modem over ISDN BRI feature for the Cisco 3640 modular access router lowers the cost of remote
access by offering high-speed modem and ISDN connectivity for mobile customers, offices, and other
remote-access users. Branch offices and enterprises can support analog modem users who call over the
Public Switched Telephone Network (PSTN) into BRI interfaces in Cisco 3640 routers.
The digital modem in the router accepts the modem calls at connection speeds as fast as 56 kbps,
adhering to the V.90 standard. As shown in Figure 32, the Cisco 3640 router in this way provides rapid
access to E-mail and other network services.
Figure 32 Modem over ISDN BRI Feature
The following are benefits of using the Modem over ISDN BRI feature:
• Supports cost-effective and readily available BRI service.
• Provides remote modem users with rapid Internet and LAN/WAN access.
• Allows flexible remote access application support.
How to Configure Modem over ISDN BRI
The Modem over ISDN BRI feature is part of interface configuration for BRI. You configure the BRI
interface after you have configured the ISDN global characteristics, which are switch type and TEI
negotiation timing. These characteristics can also be defined for each BRI interface, as shown in the
following task table.
To set up the BRI interface characteristics, set the global parameters and then configure each interface
separately by using the following commands beginning in global configuration mode:
[Figure 32 shows a Cisco 3640 router with a 4- or 8-port BRI module and internal digital modems: home office, small business and mobile users reach it over POTS lines through the PSTN and BRI; the router connects to an Ethernet LAN and an optional WAN to headquarters.]
Command Purpose
Step 1 Router(config)# isdn switch-type switch-type Configures the global ISDN switch type to match the service provider switch type. For a list of keywords, see Table 22.
Step 2 Router(config)# isdn tei [first-call | powerup] Configures when the ISDN TEI negotiation occurs. If this command is not used, negotiation occurs when the router is powered up. The first-call option is primarily used in European ISDN switch types, such as NET3 networks. The powerup option should be used in most other locations.
Step 3 Router(config)# interface bri slot/port Begins interface configuration mode to configure parameters for the specified interface. slot is the location of the BRI module. Valid values are from 0 to 3. port is an interface number. Valid values are from 0 to 7 if the module is an 8-port BRI network module, or from 0 to 4 if the module is a 4-port BRI network module.
Step 4 Router(config-if)# ip address ip-address mask Specifies an IP address and subnet for the interface. You can also specify that there is no IP address. For information about IP addressing, see the Release 12.2 Cisco IOS IP Configuration Guide publication.
Step 5 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the BRI interface. PPP encapsulation is configured for most ISDN communication. If the router needs to communicate with devices that require a different encapsulation protocol, needs to detect encapsulation on incoming calls automatically, or needs to send traffic over a Frame Relay or X.25 network, see the chapter “Configuring X.25 on ISDN” later in this part, and the chapters in the Dial-on-Demand Routing Configuration part of this publication for information.
Step 6 Router(config-if)# dialer map protocol next-hop-address name hostname speed 56|64 dial-string[:isdn-subaddress]
or
Router(config-if)# dialer map protocol next-hop-address name hostname spc [speed 56 | 64] [broadcast] dial-string[:isdn-subaddress]
(Most locations) Defines the remote protocol address of the recipient, host name, and dialing string; optionally, provide the ISDN subaddress; set the dialer speed to 56 or 64 kbps, as needed.
(Germany) Use the spc keyword to enable ISDN semipermanent connections.
Step 7 Router(config-if)# dialer-group group-number Assigns the interface to a dialer group to control access to the interface.
Step 8 Router(config-if)# dialer-list dialer-group list access-list-number Associates the dialer group number with an access list number.
Step 9 Router(config-if)# access-list access-list-number {deny | permit} protocol source address source-mask destination destination-mask Defines an access list permitting or denying access to specified protocols, sources, or destinations. Permitted packets cause the router to place a call to the destination protocol address.
Step 10 Router(config-if)# no ip directed-broadcast (Optional) Disables the translation of directed broadcasts to physical broadcasts.
Step 11 Router(config-if)# isdn switch-type switch-type (Optional) Configures the interface ISDN switch type to match the service provider switch type. The interface ISDN switch type overrides the global ISDN switch type on the interface. For a list of keywords, refer to Table 22.
Step 12 Router(config-if)# isdn tei [first-call | powerup] (Optional) Determines when ISDN TEI negotiation occurs for an individual interface. This overrides the global configuration command.
Step 13 Router(config-if)# isdn spid1 spid-number [ldn] Specifies a service profile identifier (SPID) and local directory number for the B1 channel. Currently, only the DMS-100 and NI-1 switch types require SPIDs. Although the Lucent 5ESS switch type might support a SPID, we recommend that you set up that ISDN service without SPIDs.
Step 14 Router(config-if)# isdn spid2 spid-number [ldn] Specifies a SPID and local directory number for the B2 channel.
Step 15 Router(config-if)# isdn caller number (Optional) Configures caller ID screening.
Step 16 Router(config-if)# isdn answer1 [called-party-number][:subaddress] (Optional) Configures called-party number verification for a called-party number or subaddress number in the incoming setup message.
Step 17 Router(config-if)# isdn calling-number calling-number (Optional) Specifies the calling-party number.
Step 18 Router(config-if)# isdn not-end-to-end [56 | 64] (Optional) Configures the speed for incoming calls recognized as not ISDN end-to-end.
Step 19 Router(config-if)# isdn incoming-voice modem Routes incoming voice calls to the modem and treats them as analog data. This step is required for the Modem over ISDN BRI feature.
Step 20 Router(config-if)# isdn disconnect-cause {cause-code-number | busy | not available} Overrides specific cause codes such as modem availability and resource pooling that are sent to the switch by ISDN applications. When the isdn disconnect-cause command is implemented, the configured cause codes are sent to the switch; otherwise, the default cause codes of the application are sent. The cause-code-number argument sends a cause code number (submitted as integer 1 through 127) to the switch. The busy keyword sends the USER BUSY code to the switch. The not available keyword sends the CHANNEL NOT AVAILABLE code to the switch.
Step 21 Router(config-if)# isdn fast-rollover-delay seconds (Optional) Configures a delay between fast rollover dials.
Step 22 Router(config-if)# isdn sending-complete (Optional) Configures the BRI interface to include the Sending Complete information element in the outgoing call Setup message. Used in some geographic locations, such as Hong Kong and Taiwan, where the sending complete information element is required in the outgoing call setup message.
See the section “Configuration Examples for Modem over ISDN BRI” at the end of this chapter for
configuration examples.
Verifying ISDN BRI Interface Configuration
Use the show running-config command in EXEC mode to verify the current configuration that is
running on the terminal.
Note The show startup-config command shows the configuration stored in NVRAM or in a location specified by
the CONFIG_FILE environment variable.
The following example shows some of the command output that is relevant to BRI configuration tasks.
The bold text in the example is the result of configuration steps such as those shown in the section
“How to Configure Modem over ISDN BRI” earlier in this chapter.
Building configuration...
Current configuration:
!
version 12.0
no service udp-small-servers
service tcp-small-servers
!
hostname Router
!
enable secret 5 $1$c8xi$tObplXsIS.jDeo43yZgq50
enable password xxx
!
username xxxx password x 11x5xx07
no ip domain-lookup
ip host Labhost 172.17.12.1
ip host Labhost2 172.17.12.2
ip name-server 172.19.169.21
!
interface Ethernet0
ip address 172.17.12.100 255.255.255.192
no ip mroute-cache
no ip route-cache
no mop enabled
.
.
.
interface BRI1/7
description (408) 555-3777
ip address 10.1.1.26 255.255.255.1
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
no keepalive
shutdown
dialer idle-timeout 180
dialer map ip 10.1.1.9 name MDial1 14085550715
dialer map ip 10.1.1.14 name MDial2 14085553775
dialer-group 1
isdn switch-type basic-5ess
isdn incoming-voice modem
isdn disconnect-cause busy
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink
.
.
.
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
ip tcp header-compression passive
async mode interactive
peer default ip address pool default
no fair-queue
group-range 65 70
hold-queue 10 in
!
router igrp 109
network 172.21.0.0
!
ip local pool local 172.21.50.85 172.21.50.89
ip local pool default 10.1.1.1 10.1.1.253
ip classless
ip route 0.0.0.0 0.0.0.0 172.21.48.1
!
!
map-class dialer VOICE
dialer voice-call
!
map-class dialer DATA
dialer-list 1 protocol ip list 101
tacacs-server host 172.19.2.74
tacacs-server host 192.168.15.197
snmp-server community isdn RW
snmp-server enable traps isdn call-information
snmp-server host 172.25.3.154 traps isdn
Table 22 ISDN Switch Types
Country ISDN Switch Type Description
Australia basic-ts013 Australian TS013 switches
Europe basic-1tr6 German 1TR6 ISDN switches
Europe basic-net3 NET3 ISDN switches (United Kingdom and others)
Europe vn2 French VN2 ISDN switches
Europe vn3 French VN3 and VN4 ISDN switches
Japan ntt Japanese NTT ISDN switches
North America basic-5ess Lucent Technologies basic rate switches
North America basic-dms100 NT DMS-100 basic rate switches
North America basic-ni National ISDN-1 switches
Use the show interfaces bri number command to verify information about the physical attributes of the
ISDN BRI B and D channels. The number argument is the slot location of the BRI module. Valid values
are from 0 to 3.
BRI0:1 is down, line protocol is down
Hardware is BRI
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Internet address is 10.1.1.3/27
Encapsulation PPP, loopback not set, keepalive not set
LCP Closed
Closed: IPCP
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 7 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
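As an added example that is not part of this guide or of Cisco IOS, the following Python script parses a running-config like the ones shown in this chapter and checks it against the LAPB-TA task table (“How to Configure ISDN LAPB-TA”) and the Modem over ISDN BRI task table above, including the vty lines that rely on PPP CHAP instead of a login prompt. The parser, the two audit functions and the sample configuration are constructed for this example; the sample is modelled on the chapter's own configurations.

```python
"""Audit an IOS running-config against this chapter's LAPB-TA and Modem over
ISDN BRI task tables. Added example, not Cisco code."""
import re


def parse_ios_config(text):
    """Return (global commands, {stanza header: sub-commands}). IOS prints headers
    like 'interface BRI0/0' at column 0, sub-commands indented one space, '!' between."""
    global_lines, stanzas, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(line)      # sub-command of the open stanza
        elif re.match(r"^(interface|line)\s", line):
            current = line                     # a new stanza header
            stanzas.setdefault(current, [])
        elif line and line != "!" and not raw.startswith(" "):
            current = None                     # any other global command
            global_lines.append(line)
        else:
            current = None                     # '!', blank, or orphan indented line
    return global_lines, stanzas


def _has(body, prefix, word=""):
    return any(c.startswith(prefix) and word in c for c in body)


def audit_lapb_ta(config):
    """Check the 'How to Configure ISDN LAPB-TA' requirements; [] means all met."""
    global_lines, stanzas = config
    findings = []
    if "vty-async" not in global_lines:
        findings.append("'vty-async' missing: async PPP over LAPB-TA requires it")
    tmpl = next((g.split()[-1] for g in global_lines
                 if g.startswith("vty-async virtual-template")), None)
    key = f"interfacevirtual-template{tmpl}"  # typed and stored forms both match
    body = next((b for h, b in stanzas.items()
                 if re.sub(r"\s", "", h.lower()) == key), None)
    if body is None:
        findings.append("no virtual template is applied to the vty-async interface")
    elif not _has(body, "ppp authentication"):
        findings.append(f"Virtual-Template{tmpl} lacks 'ppp authentication chap'")
    if not any(_has(b, "autodetect encapsulation", "lapb-ta")
               for h, b in stanzas.items() if h.startswith("interface")):
        findings.append("no interface has 'autodetect encapsulation ... lapb-ta'")
    vtys = [(h, b) for h, b in stanzas.items() if h.startswith("line vty")]
    if not any(_has(b, "transport input", "lapb-ta") for _, b in vtys):
        findings.append("no vty accepts lapb-ta: incoming LAPB-TA calls will be cleared")
    for h, b in vtys:
        # 'no login' is acceptable only when an autocommand starts PPP, so CHAP identifies the caller
        if "no login" in b and not _has(b, "autocommand ppp"):
            findings.append(f"'{h}' has 'no login' but no autocommand starting PPP")
    return findings


def audit_modem_bri(config):
    """Check each BRI interface against the Modem over ISDN BRI task table."""
    global_lines, stanzas = config
    findings = []
    g_switch = next((g.split()[-1] for g in global_lines
                     if g.startswith("isdn switch-type")), None)
    for h, b in stanzas.items():
        if not h.startswith("interface BRI"):
            continue
        name = h.split()[1]
        if "isdn incoming-voice modem" not in b:
            findings.append(f"{name}: 'isdn incoming-voice modem' missing (required)")
        sw = next((c.split()[-1] for c in b if c.startswith("isdn switch-type")), g_switch)
        spids = {c.split()[1] for c in b if c.startswith("isdn spid")}
        if sw is None:
            findings.append(f"{name}: no ISDN switch type globally or on the interface")
        elif sw in ("basic-dms100", "basic-ni") and spids != {"spid1", "spid2"}:
            findings.append(f"{name}: switch type {sw} requires isdn spid1 and spid2")
        elif sw == "basic-5ess" and spids:
            findings.append(f"{name}: SPIDs set on basic-5ess; the guide recommends none")
    return findings


# Constructed sample modelled on the chapter's examples, indented as IOS stores it.
SAMPLE_CONFIG = """\
vty-async
vty-async virtual-template 1
!
interface Virtual-Template1
 ppp authentication chap
!
interface Serial0:23
 autodetect encapsulation lapb-ta
!
interface BRI0/0
 isdn switch-type basic-ni
 isdn spid1 0444000101 9194440001
 isdn spid2 0444001101 9194440011
 isdn incoming-voice modem
!
interface BRI0/1
 isdn switch-type basic-ni
 isdn spid1 0444000201 9194440002
!
line vty 3 4
 no login
 transport input lapb-ta v120
 autocommand ppp negotiate
"""
```

Running `audit_lapb_ta` and `audit_modem_bri` on `parse_ios_config(SAMPLE_CONFIG)` reports nothing for LAPB-TA and two findings for BRI0/1 (no `isdn incoming-voice modem`, and a missing SPID on a basic-ni switch type).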
Configuration Examples for Modem over ISDN BRI
This section provides the following examples:
• BRI Interface Configuration Example
• Complete Configuration Examples
These examples show configuration of just the Modem over ISDN BRI feature using the interface
configuration commands for each interface and a complete configuration showing global configuration,
BRI interfaces, and modem configuration.
BRI Interface Configuration Example
The following example shows how to configure each BRI interface on a Cisco 3640 router for the
Modem over ISDN BRI feature:
interface BRI0/0
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000101 9194440001
isdn spid2 0444001101 9194440011
isdn incoming-voice modem
!
interface BRI0/1
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000201 9194440002
isdn spid2 0444001201 9194440012
isdn incoming-voice modem
!
interface BRI0/2
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000301 9194440003
isdn spid2 0444001301 9194440013
isdn incoming-voice modem
!
interface BRI0/3
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000401 9194440004
isdn spid2 0444001401 9194440014
isdn incoming-voice modem
!
interface BRI0/4
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000501 9194440005
isdn spid2 0444001501 9194440015
isdn incoming-voice modem
!
interface BRI0/5
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000601 9194440006
isdn spid2 0444001601 9194440016
isdn incoming-voice modem
!
interface BRI0/6
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000701 9194440007
isdn spid2 0444001701 9194440017
isdn incoming-voice modem
!
interface BRI0/7
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000801 9194440008
isdn spid2 0444001801 9194440018
isdn incoming-voice modem
!
interface BRI2/0
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000101 9195550001
isdn spid2 0555001101 9195550011
isdn incoming-voice modem
!
interface BRI2/1
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000201 9195550002
isdn spid2 0555001201 9195550012
isdn incoming-voice modem
!
interface BRI2/2
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000301 9195550003
isdn spid2 0555001301 9195550013
isdn incoming-voice modem
!
interface BRI2/3
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000401 9195550004
isdn spid2 0555001401 9195550014
isdn incoming-voice modem
!
interface BRI2/4
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000501 9195550005
isdn spid2 0555001501 9195550015
isdn incoming-voice modem
!
interface BRI2/5
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000601 9195550006
isdn spid2 0555001601 9195550016
isdn incoming-voice modem
!
interface BRI2/6
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000701 9195550007
isdn spid2 0555001701 9195550017
isdn incoming-voice modem
!
interface BRI2/7
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000801 9195550008
isdn spid2 0555001801 9195550018
isdn incoming-voice modem
!
Complete Configuration Examples
The following example shows a complete configuration for a dial-in router, including a global command,
BRI interface configuration, and modem configuration including group-async and dialer commands.
version 12.0
service timestamps debug datetime localtime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname MBRI_IN
!
no logging buffered
enable password xxx
The following lines are used for PPP CHAP authentication. Each username and password is associated
with one dialer interface.
username async1 password devtest
username async2 password devtest
username async3 password devtest
username async4 password devtest
username async5 password devtest
username async6 password devtest
username async7 password devtest
username async8 password devtest
username async9 password devtest
username async10 password devtest
username async11 password devtest
username async12 password devtest
username async13 password devtest
username async14 password devtest
username async15 password devtest
username async16 password devtest
username async17 password devtest
username async18 password devtest
username async19 password devtest
username async20 password devtest
username async21 password devtest
username async22 password devtest
username async23 password devtest
username async24 password devtest
username async25 password devtest
username async26 password devtest
username async27 password devtest
username async28 password devtest
username async29 password devtest
username async30 password devtest
username FLOYD password devtest
username MBRI_OUT password devtest
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-5ess
interface BRI0/0
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000101 9194440001
isdn spid2 0444001101 9194440011
isdn incoming-voice modem
!
interface BRI0/1
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000201 9194440002
isdn spid2 0444001201 9194440012
isdn incoming-voice modem
!
interface BRI0/2
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000301 9194440003
isdn spid2 0444001301 9194440013
isdn incoming-voice modem
!
interface BRI0/3
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000401 9194440004
isdn spid2 0444001401 9194440014
isdn incoming-voice modem
!
interface BRI0/4
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000501 9194440005
isdn spid2 0444001501 9194440015
isdn incoming-voice modem
no shut
!
interface BRI0/5
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000601 9194440006
isdn spid2 0444001601 9194440016
isdn incoming-voice modem
!
interface BRI0/6
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000701 9194440007
isdn spid2 0444001701 9194440017
isdn incoming-voice modem
!
interface BRI0/7
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0444000801 9194440008
isdn spid2 0444001801 9194440018
isdn incoming-voice modem
!
interface BRI2/0
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000101 9195550001
isdn spid2 0555001101 9195550011
isdn incoming-voice modem
!
interface BRI2/1
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000201 9195550002
isdn spid2 0555001201 9195550012
isdn incoming-voice modem
!
interface BRI2/2
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000301 9195550003
isdn spid2 0555001301 9195550013
isdn incoming-voice modem
!
interface BRI2/3
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000401 9195550004
isdn spid2 0555001401 9195550014
isdn incoming-voice modem
!
interface BRI2/4
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000501 9195550005
isdn spid2 0555001501 9195550015
isdn incoming-voice modem
!
interface BRI2/5
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000601 9195550006
isdn spid2 0555001601 9195550016
isdn incoming-voice modem
!
interface BRI2/6
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000701 9195550007
isdn spid2 0555001701 9195550017
isdn incoming-voice modem
!
interface BRI2/7
no ip address
no ip directed-broadcast
encapsulation ppp
isdn switch-type basic-ni
isdn spid1 0555000801 9195550008
isdn spid2 0555001801 9195550018
isdn incoming-voice modem
!
interface Ethernet1/0
ip address 172.18.16.123 255.255.255.192
no ip directed-broadcast
!
The following example defines a group-async interface for grouping all the digital modems and
configuring them together. Group-async configuration is much easier than configuring all 30 digital
modems individually.
interface Group-Async1
ip unnumbered Ethernet3/1
no ip directed-broadcast
encapsulation ppp
load-interval 30
dialer in-band
dialer pool-member 1
async default routing
async mode dedicated
no peer default ip address
no cdp enable
ppp authentication chap
group-range 96 125
hold-queue 10 in
The following example defines dialer interfaces, associates IP addresses, and sets all the authentication
parameters required during the call establishment.
interface Dialer1
ip address 10.1.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async1
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async1
ppp chap password devtest
!
interface Dialer2
ip address 10.2.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async2
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async2
ppp chap password devtest
!
interface Dialer3
ip address 10.3.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async3
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async3
ppp chap password devtest
!
interface Dialer4
ip address 10.4.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async4
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async4
ppp chap password devtest
!
interface Dialer5
ip address 10.5.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async5
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async5
ppp chap password devtest
!
interface Dialer6
ip address 10.6.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async6
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async6
ppp chap password devtest
!
interface Dialer7
ip address 10.7.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async7
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async7
ppp chap password devtest
!
interface Dialer8
ip address 10.8.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async8
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async8
ppp chap password devtest
!
interface Dialer9
ip address 10.9.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async9
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async9
ppp chap password devtest
!
interface Dialer10
ip address 10.10.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async10
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async10
ppp chap password devtest
!
interface Dialer11
ip address 10.11.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async11
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async11
ppp chap password devtest
!
interface Dialer12
ip address 10.12.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async12
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async12
ppp chap password devtest
!
interface Dialer13
ip address 10.13.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async13
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async13
ppp chap password devtest
!
interface Dialer14
ip address 10.14.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async14
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async14
ppp chap password devtest
!
interface Dialer15
ip address 10.15.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async15
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async15
ppp chap password devtest
!
interface Dialer16
ip address 10.16.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async16
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async16
ppp chap password devtest
!
interface Dialer17
ip address 10.17.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async17
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async17
ppp chap password devtest
!
interface Dialer18
ip address 10.18.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async18
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async18
ppp chap password devtest
!
interface Dialer19
ip address 10.19.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async19
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async19
ppp chap password devtest
!
interface Dialer20
ip address 10.20.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async20
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async20
ppp chap password devtest
!
interface Dialer21
ip address 10.21.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async21
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async21
ppp chap password devtest
!
interface Dialer22
ip address 10.22.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async22
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async22
ppp chap password devtest
!
interface Dialer23
ip address 10.23.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async23
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async23
ppp chap password devtest
!
interface Dialer24
ip address 10.24.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async24
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async24
ppp chap password devtest
!
interface Dialer25
ip address 10.25.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async25
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async25
ppp chap password devtest
!
interface Dialer26
ip address 10.26.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async26
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async26
ppp chap password devtest
!
interface Dialer27
ip address 10.27.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async27
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async27
ppp chap password devtest
!
interface Dialer28
ip address 10.28.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async28
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async28
ppp chap password devtest
!
interface Dialer29
ip address 10.29.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async29
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async29
ppp chap password devtest
!
interface Dialer30
ip address 10.30.0.1 255.255.0.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name async30
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname async30
ppp chap password devtest
!
no ip classless
The following lines define routes that send incoming packets out via specific interfaces:
ip route 0.0.0.0 0.0.0.0 172.18.16.193
ip route 10.91.0.1 255.255.255.255 1.1.0.2
ip route 10.91.0.2 255.255.255.255 1.2.0.2
ip route 10.91.0.3 255.255.255.255 1.3.0.2
ip route 10.91.0.4 255.255.255.255 1.4.0.2
ip route 10.91.0.5 255.255.255.255 1.5.0.2
ip route 10.91.0.6 255.255.255.255 1.6.0.2
ip route 10.91.0.7 255.255.255.255 1.7.0.2
ip route 10.91.0.8 255.255.255.255 1.8.0.2
ip route 10.91.0.9 255.255.255.255 1.9.0.2
ip route 10.91.0.10 255.255.255.255 1.10.0.2
ip route 10.91.0.11 255.255.255.255 1.11.0.2
ip route 10.91.0.12 255.255.255.255 1.12.0.2
ip route 10.91.0.13 255.255.255.255 1.13.0.2
ip route 10.91.0.14 255.255.255.255 1.14.0.2
ip route 10.91.0.15 255.255.255.255 1.15.0.2
ip route 10.91.0.16 255.255.255.255 1.16.0.2
ip route 10.91.0.17 255.255.255.255 1.17.0.2
ip route 10.91.0.18 255.255.255.255 1.18.0.2
ip route 10.91.0.19 255.255.255.255 1.19.0.2
ip route 10.91.0.20 255.255.255.255 1.20.0.2
ip route 10.91.0.21 255.255.255.255 1.21.0.2
ip route 10.91.0.22 255.255.255.255 1.22.0.2
ip route 10.91.0.23 255.255.255.255 1.23.0.2
ip route 10.91.0.24 255.255.255.255 1.24.0.2
ip route 10.91.0.25 255.255.255.255 1.25.0.2
ip route 10.91.0.26 255.255.255.255 1.26.0.2
ip route 10.91.0.27 255.255.255.255 1.27.0.2
ip route 10.91.0.28 255.255.255.255 1.28.0.2
ip route 10.91.0.29 255.255.255.255 1.29.0.2
ip route 10.91.0.30 255.255.255.255 1.30.0.2
ip route 172.18.0.0 255.255.0.0 Ethernet3/1
!
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
transport input none
The following example configures the lines associated with the digital modems:
line 96 125
exec-timeout 0 0
modem InOut
transport input all
stopbits 1
flowcontrol hardware
line aux 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
password lab
login
line vty 5 60
exec-timeout 0 0
password lab
login
!
end
Configuring X.25 on ISDN
This chapter describes how to configure X.25 on ISDN. It includes the following main sections:
• X.25 on ISDN Overview
• How to Configure X.25 on ISDN
• Configuration Examples for X.25 on ISDN
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
X.25 on ISDN Overview
BRI is an ISDN interface, and it consists of two B channels (B1 and B2) and one D channel. The
B channels are used to transfer data, voice, and video. The D channel controls the B channels.
ISDN uses the D channel to carry signal information. ISDN can also use the D channel in a BRI to carry
X.25 packets. The D channel has a capacity of 16 kbps, and the X.25 over D channel can utilize up to
9.6 kbps.
X.25-over-D-Channel Logical Interface
When X.25 on ISDN is configured, a separate X.25-over-D-channel logical interface is created. You can
set its parameters without disrupting the original ISDN interface configuration. The original BRI
interface will continue to represent the D, B1, and B2 channels.
Because some end-user equipment uses static terminal endpoint identifiers (TEIs) to access this feature,
static TEIs are supported. The dialer understands the X.25-over-D-channel calls and initiates them on a
new interface.
X.25 traffic over the D channel can be used as a primary interface where low-volume, sporadic
interactive traffic is the normal mode of operation. Supported traffic includes the Internet Protocol
Exchange (IPX), AppleTalk, transparent bridging, Xerox Network Systems (XNS), DECnet, and IP.
This feature is not available on the ISDN PRI.
Note X.25 on ISDN is also supported using the ISDN Always On/Dynamic (AO/DI) feature. AO/DI uses
the Multilink PPP (MLP) protocol signaling with standard Q.922 and X.25 encapsulations, and can
additionally use the Bandwidth Allocation Control Protocol (BACP) to optimize bandwidth on
demand. For information about how to configure AO/DI, see the chapter “Configuring X.25 on ISDN
Using AO/DI” in this publication.
Outbound Circuit-Switched X.25 Support over a Dialer Interface
Current Cisco IOS software enables circuit-switched X.25 clients—PAD, X.25 switching, and Qualified
Logical Link Control (QLLC)—to initiate calls and dynamically bring the X.25 context (which runs the
X.25 protocol) up or down as needed. This capability allows packet-switched traffic over ISDN.
In earlier releases of the Cisco IOS software, X.25 circuit-switched clients were required to do an X.25
route lookup to forward a call. If the lookup resulted in a route to a dialer interface, the client would
check the X.25 protocol state on the dialer interface. If the interface was not already bound to run the
X.25 protocol, the software would reroute the call instead of bringing up a link and running the X.25
protocol. With this new feature, the X.25 context is dynamically created on demand and then removed
when the X.25 session is cleared on the dialer interface.
For dialer profile interfaces, the X.25 context is created on the dialer interface, because X.25 protocol
functions run on the dialer interface itself. Member links act like forwarding devices, because their
topmost interface runs the actual encapsulated protocol. But for legacy dialer interfaces, the X.25 context
is created on the member links once they come up and bind to a dialer.
There are no specific configuration tasks required to enable outbound circuit-switched X.25 support. See
the “Outbound Circuit-Switched X.25 Example” example in the section “Configuration Examples for
X.25 on ISDN” at the end of this chapter for an example of how to make use of this feature in your
network.
How to Configure X.25 on ISDN
You can configure X.25 on ISDN in three ways:
• If the ISDN traffic will cross an X.25 network, you configure the ISDN interface as described in the
“Setting Up Basic ISDN Services” and “Configuring signaling on T1 and E1” chapters earlier in this
publication. Make certain to configure that ISDN interface for X.25 addressing and encapsulation
as described in the “Configuring X.25” chapter of the Cisco IOS Wide-Area Networking
Configuration Guide.
• Configure dynamic X.25 as illustrated in the section “Outbound Circuit-Switched X.25 Example”
later in this chapter.
• If the D channel of an ISDN BRI interface is to carry X.25 traffic, perform the task described in the
next section, “Configuring X.25 on the ISDN D Channel.”
Configuring X.25 on the ISDN D Channel
To configure an ISDN BRI interface (and create a special ISDN interface) to carry X.25 traffic on the
D channel, use the following commands beginning in global configuration mode:
        Command                                              Purpose
Step 1  Router(config)# interface bri number                 Specifies an ISDN BRI interface and begins interface configuration mode.
Step 2  Router(config-if)# isdn x25 static-tei tei-number    Specifies a static TEI, if required by the switch.
Step 3  Router(config-if)# isdn x25 dchannel                 Creates a configurable interface for X.25 traffic over the ISDN D channel.
The last step is to configure the X.25-over-ISDN interface for X.25 traffic. See the chapter “Configuring
LAPB and X.25” in the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2, for the
commands and tasks.
The new X.25-over-ISDN interface is called interface bri number:0 in configuration displays. It must
be configured as an individual X.25 interface. For information about configuring an interface for X.25
traffic, refer to the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2.
Note The encapsulation x25 command is neither required nor used on this new interface, but other X.25
commands can be used to configure this interface.
If you want to remove the X.25-over-ISDN interface later, use the no isdn x25 dchannel command.
See the section “X.25 on ISDN D-Channel Configuration Example” at the end of this chapter for a
configuration example.
Configuration Examples for X.25 on ISDN
This section illustrates X.25 on ISDN with the following examples:
• X.25 on ISDN D-Channel Configuration Example
• Outbound Circuit-Switched X.25 Example
X.25 on ISDN D-Channel Configuration Example
The following example creates a BRI 0:0 interface for X.25 traffic over the D channel and then
configures the new interface to carry X.25 traffic:
interface bri0
isdn x25 dchannel
isdn x25 static-tei 8
!
interface bri0:0
ip address 10.1.1.2 255.255.255.0
x25 address 31107000000100
x25 htc 1
x25 suppress-calling-address
x25 facility windowsize 2 2
x25 facility packetsize 256 256
x25 facility throughput 9600 9600
x25 map ip 10.1.1.3 31107000000200
Outbound Circuit-Switched X.25 Example
The following example shows how to configure dynamic X.25 on an ISDN interface. Figure 33
illustrates the configuration.
Figure 33 Dynamic X.25 over ISDN
Configuration for Yen
version 12.0(5)T
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname yen
!
enable secret 5 $1$K32j$4AZW2oMDivpUeuMa/Fdcd.
enable password secret
!
username peso password 0 cisco
username dinar password 0 cisco
ip subnet-zero
no ip domain-lookup
ip domain-name cicso.com
ip name-server 172.18.1.148
!
isdn switch-type basic-5ess
x25 routing
!
interface Loopback0
no ip address
no ip directed-broadcast
no ip mroute-cache
!
interface Ethernet0
ip address 172.21.75.2 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
media-type 10BaseT
!
[Figure 33 image not reproduced; labels: Peso (as X.25 switch), X.25, Yen, Dinar, PRI, BRI, ISDN, X.25 Host, BRI]
interface BRI1
no ip address
no ip directed-broadcast
no ip mroute-cache
dialer pool-member 1
isdn switch-type basic-5ess
no fair-queue
!
interface Dialer0
ip address 10.1.1.1 255.0.0.0
no ip directed-broadcast
encapsulation x25
no ip mroute-cache
dialer remote-name dinar
dialer idle-timeout 180
dialer string 81060
dialer caller 81060
dialer max-call 1
dialer pool 1
dialer-group 1
x25 address 11111
x25 map ip 10.1.1.2 22222
!
ip default-gateway 172.21.75.1
no ip classless
ip route 0.0.0.0 0.0.0.0 172.21.75.1
no ip http server
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
x25 route 22222 interface Dialer0
x25 route 33333 interface Dialer0
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
transport input all
line vty 0 4
password cisco
login
line vty 5 100
password cisco
login
!
end
Configuration for Peso Acting as X.25 Switch
version 12.0(5)T
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname peso
!
enable secret 5 $1$.Q00$h3vIhbOwO1fPvA2LYx2gE.
enable password cisco
!
ip subnet-zero
!
isdn switch-type primary-5ess
x25 routing
!
controller T1 0
cablelength short
cablelength short 133
!
controller T1 1
framing esf
clock source line primary
pri-group timeslots 1-24
!
controller T1 2
cablelength short
cablelength short 133
!
controller T1 3
cablelength short
cablelength short 133
!
interface Ethernet0
ip address 172.21.75.3 255.255.255.0
no ip directed-broadcast
!
interface Serial1:23
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type primary-5ess
isdn incoming-voice modem
no fair-queue
no cdp enable
ppp authentication chap
!
interface Dialer0
no ip address
no ip directed-broadcast
encapsulation x25 dce
no ip mroute-cache
dialer remote-name yen
dialer idle-timeout 180
dialer string 61401
dialer caller 61401
dialer max-call 1
dialer pool 1
x25 address 33333
!
interface Dialer1
no ip address
no ip directed-broadcast
encapsulation x25 dce
no ip mroute-cache
dialer remote-name dinar
dialer idle-timeout 180
dialer string 61403
dialer caller 61403
dialer max-call 1
dialer pool 1
x25 address 44444
!
ip default-gateway 172.21.75.1
no ip classless
ip route 0.0.0.0 0.0.0.0 172.21.75.1
no ip http server
!
x25 route 11111 interface Dialer0
x25 route 22222 interface Dialer1
x25 route source 11111 interface Dialer1
x25 route input-interface Dialer0 interface Dialer1
!
line con 0
transport input none
line 1 48
line aux 0
line vty 0 4
password cisco
login
line vty 5 100
password cisco
login
!
end
Configuration for Dinar
version 12.0(5)T
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dinar
!
logging buffered 16384 debugging
enable secret 5 $1$8EjF$4.S0AoMOVa5OIAYEMrrFI/
enable password cisco
!
username yen password 0 cisco
username 7701
username drachma password 0 cisco
username AODI password 0 cisco
ip subnet-zero
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-username atirumal
!
isdn switch-type basic-5ess
x25 routing
!
controller T1 0/0
!
interface BRI3/1
no ip address
no ip directed-broadcast
no ip mroute-cache
dialer pool-member 1
isdn switch-type basic-5ess
no fair-queue
!
interface Dialer0
ip address 10.1.1.2 255.0.0.0
no ip directed-broadcast
encapsulation x25
no ip mroute-cache
dialer remote-name yen
dialer idle-timeout 180
dialer string 81060
dialer caller 81060
dialer max-call 1
dialer pool 1
dialer-group 1
x25 address 22222
x25 map ip 10.1.1.1 11111
!
interface Dialer1
ip address 10.1.1.10 255.0.0.0
no ip directed-broadcast
no ip mroute-cache
dialer in-band
dialer-group 1
no fair-queue
!
ip default-gateway 172.21.75.1
no ip classless
ip route 0.0.0.0 0.0.0.0 172.21.75.1
no ip http server
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
x25 route 11111 interface Dialer0
x25 route 44444 interface Dialer0
!
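The modem-over-BRI configuration and the three X.25-over-ISDN configurations above are lab examples: they disable password encryption, keep an enable password beside the enable secret, store user and CHAP passwords as type 0, protect the vty lines with a shared password plus login, accept every transport on the aux line, and enable the small servers and rcmd services. Before reusing such a configuration, a practitioner would want those settings flagged automatically; the following reviewer is an added example, not Cisco code, and both sample configurations inside it are constructed from the kinds of lines the chapter uses, with placeholder hash and type-7 strings.

```python
"""Static review of Cisco IOS dial configs like the ones above (added example, not
Cisco code). SAMPLE_CONFIG is constructed from the kinds of lines the chapter's
examples use; HARDENED_CONFIG is the same router with production-style settings.
All hash and type-7 strings are placeholders."""
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
no service password-encryption
service tcp-small-servers
enable secret 5 $1$XXXX$placeholder-not-a-real-hash
enable password secret
username peso password 0 cisco
ip rcmd rsh-enable
interface Dialer1
 ip address 10.1.0.1 255.255.0.0
 encapsulation ppp
 ppp authentication chap callin
 ppp chap hostname async1
 ppp chap password devtest
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 password lab
 login
end
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$XXXX$placeholder-not-a-real-hash
username peso secret 5 $1$YYYY$placeholder-not-a-real-hash
interface Dialer1
 encapsulation ppp
 ppp authentication chap callin
 ppp chap hostname async1
 ppp chap password 7 placeholder-type7-string
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
end
"""

@dataclass(frozen=True)
class Finding:
    stanza: str   # "global" or the stanza header, e.g. "line vty 0 4"
    line: str
    reason: str

# (regex matched at line start, reason); type 5 (MD5) and type 7 passwords are not flagged
GLOBAL_CHECKS = [
    (r"no service password-encryption$", "type-7 obfuscation off: line and CHAP passwords are stored in clear text"),
    (r"enable password ", "enable password is weaker than, and redundant with, enable secret"),
    (r"username \S+ password (0 |(?![57] ))", "user password stored as type 0 (clear text)"),
    (r"service (tcp|udp)-small-servers$", "legacy echo/chargen/discard diagnostic servers enabled"),
    (r"ip rcmd (rsh|rcp)-enable$", "rsh/rcp enabled: host-based trust, no encryption"),
]
INTERFACE_CHECKS = [(r"ppp chap password (0 |(?![57] ))", "CHAP secret stored in clear text")]
LINE_CHECKS = [
    (r"transport input all$", "every inbound protocol accepted, including telnet and rlogin"),
    (r"exec-timeout 0 0$", "idle EXEC sessions never time out"),
]

def parse_stanzas(config):
    """Split a running-config into (header, members); IOS indents members with one space."""
    stanzas = [("global", [])]
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" "):                       # member of the current stanza
            stanzas[-1][1].append(text)
        elif re.match(r"(interface|line|controller) ", text):
            stanzas.append((text, []))
        else:                                         # unindented: back to global mode
            if stanzas[-1][0] != "global":
                stanzas.append(("global", []))
            stanzas[-1][1].append(text)
    return stanzas

def audit(config):
    """Return one Finding per weak setting, tagged with the stanza it sits in."""
    findings = []
    for header, members in parse_stanzas(config):
        if header == "global":
            checks = GLOBAL_CHECKS
        elif header.startswith("interface "):
            checks = INTERFACE_CHECKS
        elif header.startswith("line "):
            checks = LINE_CHECKS
            if "login" in members and any(m.startswith("password ") for m in members):
                findings.append(Finding(header, "login", "shared line password with login; prefer login local or AAA"))
        else:
            checks = []
        findings += [Finding(header, m, why) for m in members for pat, why in checks if re.match(pat, m)]
    return findings
```

Running audit(SAMPLE_CONFIG) yields nine findings across the global, interface and line stanzas; the hardened variant yields none.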
Configuring X.25 on ISDN Using AO/DI
This chapter describes how to configure X.25 on ISDN using the Always On/Dynamic ISDN (AO/DI)
feature. It includes the following main sections:
• AO/DI Overview
• How to Configure an AO/DI Interface
• How to Configure an AO/DI Client/Server
• Configuration Examples for AO/DI
AO/DI supports PPP encapsulation on switched X.25 virtual circuits (VCs) only.
The X.25 encapsulation (per RFC 1356), PPP, Bandwidth Allocation Control Protocol (BACP), and
Bandwidth Allocation Protocol (BAP) modules must be present in both the AO/DI client and server.
AO/DI relies on features from X.25, PPP, and BACP modules and must be configured on both the AO/DI
client and server. BAP, if negotiated, is a subset of BACP, which is responsible for bandwidth allocation
for the Multilink PPP (MLP) peers. It is recommended that you configure MLP with the BAP option because of
the differences between the ISDN (E.164) and X.25 (X.121) numbering formats.
To implement AO/DI, you must configure the AO/DI client and server for PPP, incorporating BAP and
X.25 module commands. This task involves configuring the BRI or PRI interfaces with the appropriate
X.25 commands and the dialer interfaces with the necessary PPP or BAP commands.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference, Release 12.2. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
AO/DI Overview
AO/DI functionality is based on the technology modules described in the following sections:
• PPP over X.25 Encapsulation
• Multilink PPP Bundle
• BACP/BAP
AO/DI is an on-demand service that is designed to optimize the use of an existing ISDN signaling
channel (D channel) to transport X.25 traffic. The X.25 D-channel call is placed from the subscriber to
the packet data service provider. The use of PPP allows protocols to be encapsulated within the X.25
logical circuit carried by the D channel. The bearer channels (B channels) use the multilink protocol
without the standard Q.922 and X.25 encapsulations, and invoke additional bandwidth as needed.
Optionally, BACP and BAP can be used to negotiate bandwidth allocation as required.
AO/DI takes full advantage of existing packet handlers at the central office by using an existing
D channel to transport the X.25 traffic. The link associated with the X.25 D channel packet connection
is used as the primary link of the multilink bundle. The D channel is a connectionless, packet-oriented
link between the customer premises equipment (CPE) and the central office. Because the D channel is
always available, it is possible to in turn offer “always available” services. On-demand functionality is
achieved by using the B channels to temporarily boost data throughput and by disconnecting them after
use. Figure 34 shows the AO/DI environment and how ISDN and X.25 resources are implemented.
Note On the client side, the X.25 switched virtual circuit (SVC) can only be terminated on an ISDN D
channel; however, on the server side, the SVC can be terminated on an ISDN BRI using a D channel,
a PRI using specific time slots, or a high-speed serial link.
Figure 34 AO/DI Environment
AO/DI provides the following benefits:
• ISDN telecommuting cost savings. Low-speed, D-channel services are typically more cost-efficient
than the time-based tariffs applied to the B channels, which usually carry user data.
• Reductions in the amount of data traffic carried on service provider voice networks. The D-channel X.25
packets are handled at the central office by the X.25 packet handler, so they are routed around the
voice switch, which reduces the impact on the telephony network.
• Network access server cost reductions. AO/DI can reduce service provider network access server
costs by increasing port efficiencies. Initial use of the “always on” D-channel connection lowers the
contention ratio on standard circuit switched dial ports. (See Figure 35.)
[Figure 34 image not reproduced; labels: ISDN CPE, PH, ISP or corporate, PPP over X.25 over the D channel, X.25 link to NAS or corporate router, X.25, B channel, D channel]
Figure 35 Increasing Port Efficiency with AO/DI
PPP over X.25 Encapsulation
PPP over X.25 is accomplished through the following process:
1. The X.25 map statement on the client side creates a virtual access interface. A virtual access
interface is dynamically created and configured by cloning the configuration from a dialer interface
(dialer interface 1, for example).
2. The dialer interface goes into “spoofing” mode and stays in this mode until interesting traffic is seen.
3. When interesting traffic is seen, the dialer interface activates the virtual access interface, which
creates the X.25 SVC. Once the SVC is established, PPP negotiation begins in order to bring up the
line protocol. The client will initiate a call to the remote end server, per the x25 map ppp command.
4. When the AO/DI server receives a call intended for its X.25 map statement, the call is accepted and
an event is queued to the X.25 encapsulation manager. The encapsulation manager is an X.25
process that authenticates incoming X.25 calls and AO/DI events, and creates a virtual access
interface that clones the configuration from the dialer or BRI interface. Figure 36 shows the virtual
interface creation process.
Figure 36 Creating a Virtual Access Interface
[Figure 36 image not reproduced; labels: Traffic pointing a route to Dialer or BRI used for cloning, Virtual access interface]
Multilink PPP Bundle
The multilink protocol offers load balancing, packet fragmentation, and the bandwidth allocation
functionality that is key to AO/DI structure. The MLP bundle process is achieved through the following
process:
1. The ppp multilink bap command initiates MLP and, subsequently, BAP. The virtual access
interface that is created above the X.25 VC (over the D channel) becomes the first member link of
the MLP bundle.
2. The ppp multilink idle-link command works in conjunction with the dialer load-threshold
command to add B channels as needed to boost traffic throughput. When a B channel is
added, the first member link enters “receive only” mode, allowing the link additions. When the
higher throughput is no longer needed, the additional B channels are disconnected; once the primary
link is the only link in the bundle, the bundle leaves “receive only” mode. The X.25 SVC stays
active. Figure 37 shows the MLP bundle sequence.
Figure 37 MLP Bundle Creation Sequence
MLP Encapsulation Enhancements
In previous releases of the Cisco IOS software, when MLP was used in a dialer profile, a virtual access
interface was always created as the bundle. It was bound to both the B channel and the dialer profile
interfaces after creation and cloning. The dialer profile interface could act as the bundle without help
from a virtual access interface. But with recent software enhancements, it is no longer the virtual access
interface that is added into the connected group of the dialer profile, but the dialer profile itself. The
dialer profile becomes a connected member of its own connected group.
[Figure 37 image not reproduced; labels: Traffic pointing a route to Dialer or BRI used for cloning, MLP bundle, Primary link, Member link, Member link]
BACP/BAP
Bandwidth resources are provided by BACP, described in RFC 2125. Once the MLP peers have
successfully negotiated BACP, BAP negotiates bandwidth resources in order to support traffic
throughput. BAP is a subset of BACP, and it defines the methods and governing rules for adding and
removing links from the bundle for MLP. BACP/BAP negotiations are achieved through the following
process:
1. Once the MLP session is initiated and BACP is negotiated over the MLP bundle, the AO/DI client
issues a BAP call request for additional bandwidth.
2. The AO/DI server responds with the BAP call response, which contains the phone number of the
B channel to add. B channels are added, as needed, to support the demand for increased traffic
throughput.
3. B channels are disconnected as the traffic load decreases.
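The three sections above (PPP over X.25 Encapsulation, Multilink PPP Bundle, BACP/BAP) describe one sequence: the dialer spoofs until interesting traffic appears, the X.25 SVC over the D channel becomes the MLP primary link, and BAP Call-Request/Call-Response exchanges add B channels against the dialer load threshold and drop them as load falls, with the primary link in "receive only" mode whenever a B channel is present. The model below walks that sequence end to end; it is an added example, not Cisco code, BAP is reduced to ack/nak responses, and the phone numbers, threshold and load samples are constructed.

```python
"""Walk-through of the AO/DI link sequence: PPP over an X.25 SVC on the D channel as
the MLP primary link, then B channels added and dropped by BAP Call-Request /
Call-Response against the dialer load threshold. Added example, not Cisco code;
BAP is reduced to ack/nak and all numbers and load values are constructed."""
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    kind: str              # "d-channel" (X.25 SVC primary link) or "b-channel"
    number: str = ""       # dialed number, B channels only
    receive_only: bool = False

class AodiServer:
    """Server side of BAP: a Call-Response carries the number of a B channel to add."""
    def __init__(self, numbers):
        self.free = list(numbers)        # constructed E.164 numbers of free B channels

    def call_request(self):
        return ("ack", self.free.pop(0)) if self.free else ("nak", None)

    def call_dropped(self, number):
        self.free.append(number)

class AodiClient:
    """Client side: the dialer interface spoofs until interesting traffic, then the X.25
    SVC is created, PPP comes up on it and it becomes the first MLP member link."""
    def __init__(self, server, load_threshold):
        self.server = server
        self.threshold = load_threshold  # dialer load-threshold, IOS scale 1..255
        self.bundle = []                 # bundle[0] is the primary (D-channel) link
        self.spoofing = True
        self.log = []

    def interesting_traffic(self):
        if self.spoofing:                # leave spoofing mode, create the SVC, run PPP
            self.spoofing = False
            self.bundle.append(Link("Virtual-Access1 (PPP over X.25 SVC)", "d-channel"))
            self.log.append("svc-up")

    def report_load(self, load):
        """Feed one load sample (1..255); add or drop a B channel as the threshold dictates."""
        if self.spoofing:
            raise RuntimeError("no bundle yet: interesting traffic has not been seen")
        if load >= self.threshold:
            code, number = self.server.call_request()         # BAP Call-Request
            if code == "ack":
                self.bundle.append(Link(f"BRI B channel to {number}", "b-channel", number))
                self.bundle[0].receive_only = True            # primary link goes receive-only
                self.log.append(f"add {number}")
            else:
                self.log.append("nak")                        # no B channel offered
        elif len(self.bundle) > 1:
            dropped = self.bundle.pop()                       # most recently added B channel
            self.server.call_dropped(dropped.number)
            self.log.append(f"drop {dropped.number}")
            if len(self.bundle) == 1:                         # primary alone again
                self.bundle[0].receive_only = False
        # The X.25 SVC is never cleared here: the primary link stays up ("always on").

def run_scenario():
    """Two server B channels, threshold 128 (about 50 %), traffic rises then falls."""
    server = AodiServer(["5550101", "5550102"])              # constructed numbers
    client = AodiClient(server, load_threshold=128)
    client.interesting_traffic()
    for load in (200, 220, 240, 60, 40):
        client.report_load(load)
    return client
```

The third high-load sample gets a nak because both server B channels are already in use; after the two low samples only the SVC link remains and it has left receive-only mode.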
How to Configure an AO/DI Interface
To configure X.25 on ISDN using AO/DI, perform the following tasks:
• Configuring PPP and BAP on the Client (As required)
• Configuring X.25 Parameters on the Client (As required)
• Configuring PPP and BAP on the Server (As required)
• Configuring X.25 Parameters on the Server (As required)
For examples of how to configure X.25 on ISDN using AO/DI in your network, see the section
“Configuration Examples for AO/DI” at the end of this chapter.
Configuring PPP and BAP on the Client
To configure PPP and BAP under the dialer interface on the AO/DI client, use the following commands
in interface configuration mode as needed:

Command                                                  Purpose
Router(config-if)# ppp multilink bap                     Enables PPP BACP bandwidth allocation negotiation.
Router(config-if)# encapsulation ppp                     Enables PPP on the interface.
Router(config-if)# dialer in-band                        Enables dial-on-demand routing (DDR) on the interface.
Router(config-if)# dialer load-threshold load            Sets the dialer load threshold.
Router(config-if)# dialer-group group-number             Controls access to this interface by adding it to a
                                                         dialer access group.
Router(config-if)# ppp bap callback accept               (Optional) Enables the interface to initiate additional
                                                         links upon peer request.
Router(config-if)# ppp bap call request                  Enables the interface to initiate additional links.
Router(config-if)# dialer map protocol next-hop-address  Enables a serial interface or an ISDN interface to
  [name hostname] [spc] [speed 56 | speed 64]            initiate and receive calls to or from remote sites.
  [broadcast] [modem-script modem-regexp]
  [system-script system-regexp]
or                                                       Specifies the destination string (telephone number)
Router(config-if)# dialer string dial-string             for calling:
  [:isdn-subaddress]                                     • A single site (using legacy DDR)
Router(config-if)# dialer string dial-string             • Multiple sites (using dialer profiles)
  [class class-name]

Configuring X.25 Parameters on the Client
The AO/DI client interface must be configured to run PPP over X.25. To configure the interface for the
X.25 parameters, use the following commands in interface configuration mode as needed:

Command                                    Purpose
Router(config-if)# x25 address address     Configures the X.25 address.
Router(config-if)# x25 htc circuit-number  Sets the highest two-way circuit number. For X.25 the
                                           default is 1024.
Router(config-if)# x25 win packets         Sets the default VC receive window size. The default is
                                           2 packets.(1)
Router(config-if)# x25 wout packets        Sets the default VC transmit window size. The default is
                                           2 packets.(1)
(1) The default input and output window sizes are typically defined by your network administrator. Cisco IOS
configured window sizes must be set to match the window size of the network.

For details and usage guidelines for X.25 configuration parameters, refer to the Cisco IOS Wide-Area
Networking Configuration Guide and Cisco IOS Wide-Area Networking Command Reference.

Configuring PPP and BAP on the Server
To configure PPP and BAP under the dialer interface on the AO/DI server, use the following commands
in interface configuration mode as needed:

Command                                        Purpose
Router(config-if)# ppp multilink bap           Enables PPP BACP bandwidth allocation negotiation.
Router(config-if)# encapsulation ppp           Enables PPP on the interface.
Router(config-if)# dialer in-band              Enables DDR on the interface.
Router(config-if)# dialer load-threshold load  Sets the dialer load threshold.
Router(config-if)# dialer-group group-number   Controls access to this interface by adding it to a
                                               dialer access group.
Router(config-if)# ppp bap call accept         Enables the interface to accept additional links upon
                                               peer request.
Router(config-if)# ppp bap callback request    (Optional) Enables the interface to initiate additional
                                               links.

BAP configuration commands are optional. For information on how to configure BACP/BAP, see the
chapter “Configuring BACP” later in this publication.

Configuring X.25 Parameters on the Server
The AO/DI server BRI, PRI, or serial interface must be configured for the X.25 parameters necessary to
run PPP over X.25. To configure the interface for X.25 parameters, use the following commands in
interface configuration mode as needed:

Command                                    Purpose
Router(config-if)# x25 address address     Configures the X.25 address.
Router(config-if)# x25 htc circuit-number  Sets the highest two-way circuit number. For X.25 the
                                           default is 1024.
Router(config-if)# x25 win packets         Sets the default VC receive window size. The default is
                                           2 packets.(1)
Router(config-if)# x25 wout packets        Sets the default VC transmit window size. The default is
                                           2 packets.(1)
(1) The default input and output window sizes are typically defined by your network administrator. Cisco IOS
configured window sizes must be set to match the window size of the network.

For details and usage guidelines for X.25 configuration parameters, see the Cisco IOS Wide-Area
Networking Configuration Guide and Cisco IOS Wide-Area Networking Command Reference.

How to Configure an AO/DI Client/Server
Once the AO/DI client and server are configured with the necessary PPP, BAP, and X.25 commands,
configure the routers to perform AO/DI. Perform the tasks in the following sections:
• Configuring the AO/DI Client (Required)
• Configuring the AO/DI Server (Required)
Configuring the AO/DI Client
To configure AO/DI, you must complete the tasks in the following section. The last task, to define local
number peer characteristics, is optional.
• Enabling AO/DI on the Interface (Required)
• Enabling the AO/DI Interface to Initiate Client Calls (Required)
• Enabling the MLP Bundle to Add Multiple Links (Required)
• Modifying BACP Default Settings (Optional)
See the section “AO/DI Client Configuration Example” at the end of this chapter for an example of how
to configure the AO/DI client.
Enabling AO/DI on the Interface
To enable an interface to run the AO/DI client, use the following command in interface configuration
mode:

Command                      Purpose
Router(config-if)# x25 aodi  Enables the AO/DI client on an interface.

Enabling the AO/DI Interface to Initiate Client Calls
You must enable the interface to establish a PPP session over the X.25 protocol. The cloning interface
holds the PPP configuration, which is cloned by the virtual access interface that is created and
attached to the X.25 VC. The cloning interface must also hold the MLP configuration that is needed to
run AO/DI.
To add the X.25 map statement that enables the PPP session over X.25, identify the cloning interface,
and configure the interface to initiate AO/DI calls, use the following command in interface configuration
mode:

Command                                                Purpose
Router(config-if)# x25 map ppp x121-address            Enables the interface to initiate a PPP session over the
  interface cloning-interface                          X.25 protocol and maps the remote end.

Enabling the MLP Bundle to Add Multiple Links
Once MLP is enabled and the primary traffic load is reached (based on the dialer load-threshold value),
the MLP bundle adds member links (B channels). The addition of another B channel places the first
link member into “receive-only” mode, and subsequent links are added as needed.
To configure the dialer interface or BRI interface used for cloning purposes and to place the first link
member into receive-only mode, use the following command in interface configuration mode:

Command                                     Purpose
Router(config-if)# ppp multilink idle-link  Configures the interface to enter “receive only” mode so that
                                            MLP links are added as needed.
Modifying BACP Default Settings
During BACP negotiation between peers, the called party indicates the number to call for BACP. This
number may be in either a national or subscriber format. A national format indicates that the phone
number returned from the server to the client should contain ten digits. A subscriber number format
contains seven digits.
To assign a prefix to the phone number that is to be returned, use the following optional command in
interface configuration mode:

Command                                                 Purpose
Router(config-if)# ppp bap number prefix prefix-number  (Optional) Specifies a primary telephone number prefix
                                                        for a peer to call for PPP BACP negotiation.

Note The ppp bap number prefix command is not typically required on the server side, because the server
usually does not initiate calls to the client. This command would only be used on the server in a
scenario where both sides are configured to act as both client and server.

Configuring the AO/DI Server
The AO/DI server receives calls from the remote interface running the AO/DI client and, like the client,
must be configured to run a PPP session over X.25, allow interface cloning, and be capable of adding
links to the MLP bundle. The interface configured for the AO/DI server relies on the no-outgoing option
of the x25 map command to ensure that calls are not originated by the interface. Use the commands in
the following sections to configure the AO/DI server:
• Enabling the Interface to Receive AO/DI Client Calls (Required)
• Enabling the MLP Bundle to Add Multiple Links (Required)
• Modifying BACP Default Settings (Optional)
See the section “AO/DI Server Configuration Example” at the end of this chapter for an example of how
to configure the AO/DI server.

Enabling the Interface to Receive AO/DI Client Calls
Configure the x25 map command with the X.121 address of the calling client. This task enables the
AO/DI server interface to run a PPP over X.25 session with the configured client. The no-outgoing
option must be set to ensure that calls do not originate from this interface.
To configure an interface for the AO/DI server, use the following command in interface configuration mode:

Command                                                Purpose
Router(config-if)# x25 map ppp x121-address            Enables the interface to run a PPP session over the X.25
  interface cloning-interface no-outgoing              protocol with the mapped remote end; no-outgoing prevents
                                                       the interface from originating calls.
Enabling the MLP Bundle to Add Multiple Links
Once MLP is enabled and the primary traffic load is reached (based on the dialer load-threshold value),
the MLP bundle adds member links (B channels). The addition of another B channel places the first
link member into “receive-only” mode, and subsequent links are added as needed.
To configure the dialer interface or BRI interface used for cloning purposes and to place the first link
member into receive-only mode, use the following command in interface configuration mode:

Command                                     Purpose
Router(config-if)# ppp multilink idle-link  Configures the interface to enter “receive only” mode so that
                                            MLP links are added as needed.

Modifying BACP Default Settings
During BACP negotiation between peers, the called party indicates the number to call for BACP. This
number may be in either a national or subscriber format. A national format indicates that the phone
number returned from the server to the client should contain 10 digits. A subscriber number format
contains 7 digits.
To set the format of the phone number that is to be returned, use the following optional command in
interface configuration mode:

Command                                                           Purpose
Router(config-if)# ppp bap number {format national | subscriber}  (Optional) Specifies that the primary telephone
                                                                  number for a peer to call is in either a national
                                                                  or subscriber number format.

Note The ppp bap number prefix command is not typically required on the server side, because the
server usually does not initiate calls to the client. This command would only be used on the server in
a scenario where both sides are configured to act as both client and server.
Configuration Examples for AO/DI
This section provides the following configuration examples:
• AO/DI Client Configuration Example
• AO/DI Server Configuration Example
AO/DI Client Configuration Example
The following example shows BRI interface 0 configured with the PPP, multilink, and X.25 commands
necessary for the AO/DI client:
hostname Router_client
!
ip address-pool local
isdn switch-type basic-5ess
x25 routing
!
interface Ethernet0
 ip address 172.21.71.99 255.255.255.0
!
interface BRI0
 isdn switch-type basic-5ess
 ip address 10.1.1.9 255.0.0.0
 encap ppp
 dialer in-band
 dialer load-threshold 1 either
 dialer-group 1
 no fair-queue
 ppp authentication chap
 ppp multilink bap
 ppp bap callback accept
 ppp bap call request
 ppp bap number prefix 91
 ppp multilink idle-link
 isdn x25 static-tei 23
 isdn x25 dchannel
 dialer rotary-group 1
!
interface BRI0:0
 no ip address
 x25 address 12135551234
 x25 aodi
 x25 htc 4
 x25 win 3
 x25 wout 3
 x25 map ppp 12135556789 interface bri0
!
dialer-list 1 protocol ip permit
AO/DI Server Configuration Example
The following example shows the configuration for the AO/DI server, which is configured to only
receive calls from the AO/DI client. The configuration uses the x25 map ppp command with the
no-outgoing option, and the ppp bap number format command, which implements the national
format.
hostname Router_server
!
ip address-pool local
isdn switch-type basic-5ess
x25 routing
!
interface Ethernet0
 ip address 172.21.71.100 255.255.255.0
!
interface BRI0
 isdn switch-type basic-5ess
 ip address 10.1.1.10 255.0.0.0
 encap ppp
 dialer in-band
 no fair-queue
 dialer load-threshold 1 either
 dialer-group 1
 ppp authentication pap
 ppp multilink bap
 ppp multilink idle-link
 ppp bap number default 2135550904
 ppp bap number format national
 ppp bap call accept
 ppp bap timeout pending 20
 isdn x25 static-tei 23
 isdn x25 dchannel
 dialer rotary-group 1
!
interface BRI0:0
 no ip address
 x25 address 12135556789
 x25 htc 4
 x25 win 3
 x25 wout 3
 x25 map ppp 12135551234 interface bri0 no-outgoing
!
dialer-list 1 protocol ip permit
Configuring ISDN on Cisco 800 Series Routers
This chapter describes the Common Application Programming Interface (CAPI) and Remote Common
Application Programming Interface (RCAPI) feature for the Cisco 800 series routers. This information
is included in the following main sections:
• CAPI and RCAPI Overview
• How to Configure RCAPI
• Configuration Examples for RCAPI
The CAPI is an application programming interface standard used to access ISDN equipment connected
to ISDN BRIs and ISDN PRIs. RCAPI is the CAPI feature configured remotely from a PC client.
Before you can enable the RCAPI feature on the Cisco 800 series router, the following requirements
must be met:
• Cisco 800 series software with RCAPI support is installed on the router.
• CAPI commands are properly configured on the router.
• Both the CAPI local device console and RCAPI client devices on the LAN are correctly installed
and configured with RVS-COM client driver software.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
CAPI and RCAPI Overview
Figure 38 shows how CAPI connects applications, drivers, and controllers.
Figure 38 CAPI Connections
Framing Protocols
The framing protocols supported by CAPI include High-Level Data Link Control (HDLC), HDLC
inverted, bit transparent (speech), and V.110 synchronous/asynchronous.
Data Link and Network Layer Protocols
CAPI integrates the following data link and network layer protocols:
• Link Access Procedure on the D-channel (LAPD) in accordance with Q.921 for X.25 D-channel
implementation
• PPP
• ISO 8208 (X.25 DTE-DTE)
• X.25 DCE, T.90NL, and T.30 (fax group 3)
CAPI Features
CAPI supports the following features:
• Basic call features, such as call setup and tear-down
• Multiple B channels for data and voice connections
• Multiple logical data link connections within a physical connection
• Selection of different services and protocols during connection setup and on answering
incoming calls
[Figure 38 shows facsimile, telephone, file transfer, and other applications sitting above the Common ISDN API (CAPI), which in turn drives Controllers 1 through 4.]
• Transparent interface for protocols above Layer 3
• One or more BRIs as well as PRI on one or more Integrated Services Digital Network
(ISDN) adapters
• Multiple applications
• Operating-systems-independent messages
• Operating-system-dependent exchange mechanism for optimum operating system integration
• Asynchronous event-driven mechanism, resulting in high throughput
• Well-defined mechanism for manufacturer-specific extensions
• Multiple supplementary services
Figure 39 shows the components of the RCAPI implementation.
Figure 39 Components of RCAPI
CAPI provides a standardized interface through which application programs can use ISDN drivers and
controllers. One application can use one or more controllers. Several applications can share one or more
controllers.
CAPI supplies a selection mechanism that supports applications that use protocols at different levels and
standardized network access. An abstraction from different protocol variables is performed to provide
this support. All connection-related data, such as connection state and display messages, is available to
the applications at any time.
Supported B-Channel Protocols
The router provides two 64-kbps B channels to RCAPI clients. Each B channel can be configured
separately to work in either HDLC mode or bit transparent mode. For CAPI support, layers B2 through
B7 protocols are transparent to the applications using these B channels.
[Figure 39 shows the RCAPI client PC, where WinFax (non-CAPI) reaches a soft modem through a virtual COM port and a G4 fax application (CAPI) uses the CAPI library; both feed the ISDN DCP client driver, which exchanges DCP messages over TCP/IP with the ISDN DCP server driver and ISDN stack in Cisco IOS software on the 800 series router.]
The ISDN Core Engine of RVS-COM supports the following B-channel protocols:
• CAPI layer B1
– 64-kbps with HDLC framing
– 64-kbps bit transparent operation with byte framing from the network
– T.30 modem for fax group 3
– Modem with full negotiation
• CAPI layer B2
– V.120
– Transparent
– T.30 modem for fax group 3
– Modem with full negotiation
• CAPI layer B3
– Transparent
– T.90NL with compatibility to T.70NL according to T.90 Appendix II
– ISO 8208 (X.25 DTE-DTE) modulo 8 and window size 2, no multiple logical connections
– T.30 for fax group 3
– Modem with full negotiation
• T.30 for fax group 3 (SFF file format [default], sending and receiving up to 14400 bit/s with ECM
option, modulations V.17, V.21, V.27ter, V.29)
• Analog modem (sending and receiving up to 14,400 bit/s, modulations V.21, V.22, V.22bis, V.23,
V.32, V.32bis)
Supported Switch Types
CAPI and RCAPI support is available only for the ISDN switch type Net3.
CAPI and RVS-COM
The router supports the ISDN Device Control Protocol (ISDN-DCP) from RVS-COM. ISDN-DCP
allows a workstation on the LAN or router to use legacy dial computer telephony integration (CTI)
applications. These applications include placing and receiving telephone calls and transmitting and
receiving faxes.
Using ISDN-DCP, the router acts as a DCP server. By default, the router listens for DCP messages on
TCP port number 2578 (the Internet-assigned number for RVS-COM DCP) on its LAN port.
When the router receives a DCP message from a DCP client (connected to the LAN port of the router),
the router processes the message and acts on it; it can send confirmations to the DCP clients and ISDN
packets through the BRI port of the router.
When the router receives packets destined for one of the DCP clients on its BRI port, the router formats
the packet as a DCP message and sends it to the corresponding client. The router supports all the DCP
messages specified in the ISDN-DCP specifications defined by RVS-COM.
Supported Applications
ISDN-DCP supports CAPI and non-CAPI applications. Applications are supported that use one or two
B channels for data transfer, different HDLC-based protocols, Euro File transfer, or G4 fax; also
supported are applications that send bit-transparent data such as A/Mu law audio, G3 fax, analog
modem, or analog telephones.
Helpful Website
The following Web link provides answers to frequently asked questions about installing and using
RCAPI: http://www.cisco.com/warp/partner/synchronicd/cc/pd/rt/800/prodlit/rcapi_qa.htm
How to Configure RCAPI
To configure RCAPI, perform the tasks in the following sections:
• Configuring RCAPI on the Cisco 800 Series Router (Required)
• Monitoring and Maintaining RCAPI (Optional)
• Troubleshooting RCAPI (Optional)
Configuring RCAPI on the Cisco 800 Series Router
To configure RCAPI on the Cisco 800 series router, use the following commands beginning in global
configuration mode:

        Command                                         Purpose
Step 1  Router(config)# isdn switch-type basic-net3     Sets the switch type. In this example, the switch type is set
                                                        to NET3 ISDN, which covers the Euro-ISDN E-DSS1
                                                        signaling system and is ETSI-compliant.
Step 2  Router(config)# rcapi number number             Enters the RCAPI directory number assigned by the ISDN
                                                        provider for the device.
                                                        An example command:
                                                        rcapi number 12345
Step 3  Router(config)# rcapi server port number        The rcapi server command is mandatory for RCAPI to be
                                                        enabled on the router. The parameter port is optional and
                                                        is entered only when you need to specify a port number
                                                        for RCAPI functions. Otherwise, the default port 2578 is
                                                        used.
                                                        An example command with default port 2578:
                                                        rcapi server port
                                                        An example command with port 2000:
                                                        rcapi server port 2000
                                                        Configure the same number on both the router and the
                                                        client PC.
Step 4  Router(config)# interface bri0                  Configures the ISDN BRI interface and begins interface
                                                        configuration mode.
Step 5  Router(config-if)# isdn switch-type basic-net3  Sets the switch type for the bri0 interface. In this example,
                                                        the switch type is set to NET3 ISDN, which covers the
                                                        Euro-ISDN E-DSS1 signaling system and is
                                                        ETSI-compliant.
Step 6  Router(config-if)# isdn incoming-voice modem    Sets the modem as the default handler for incoming voice
                                                        calls.

Note If required, at each remote device console change to global configuration mode, using the command
configure terminal, and repeat Step 2 through Step 7 to configure that device.

Monitoring and Maintaining RCAPI
To monitor and maintain RCAPI, use the following command in privileged EXEC mode:

Command                    Purpose
Router# show rcapi status  Displays RCAPI status.

Troubleshooting RCAPI
To test the RCAPI operation, use the following command in privileged EXEC mode:

Command                     Purpose
Router# debug rcapi events  Starts a background debug program.

Configuration Examples for RCAPI
The following configuration output example shows two Cisco 800 series routers configured for RCAPI:
Router 1
Router1# show running-config
Building configuration...
Current configuration:
!
version xx.x
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname local
!
ip subnet-zero
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
!
interface BRI0
 no ip address
 no ip directed-broadcast
 isdn switch-type basic-net3
 isdn incoming-voice modem
!
no ip http server
ip classless
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
!
rcapi server port 2578
!
rcapi number 5551000
rcapi number 5553000
!
end
Router1#
Router 2
Router2# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname local
!
ip subnet-zero
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
interface BRI0
 no ip address
 no ip directed-broadcast
 isdn switch-type basic-net3
 isdn incoming-voice modem
!
no ip http server
ip classless
!
line con 0
 transport input none
 stopbits 1
line vty 0
!
rcapi server port 2578
!
rcapi number 5552000
rcapi number 5554000
!
end
Router2#
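The AO/DI client and server examples in the previous chapter and the two RCAPI examples above show the settings a reviewer looks for in a dial configuration: whether the AO/DI server's x25 map statement carries no-outgoing (the chapter relies on it to keep the server from originating calls), whether PPP authentication is PAP (password sent in clear text) or CHAP, whether service password-encryption is disabled, and whether the RCAPI ISDN-DCP listener (TCP 2578 by default, on the LAN port) sits next to vty lines that no access-class restricts. The following is an added example, not Cisco's code or output from this guide: a small linter over running-config text. It assumes IOS's one-space indentation for block sub-commands, and the two embedded sample configurations are constructed input adapted from the chapter's examples.

```python
"""Added example, not Cisco's code: lint IOS dial configurations for settings this
chapter's AO/DI and RCAPI examples turn on or leave off. Checks, each tied to the
text: an AO/DI server's `x25 map ppp` statements must carry `no-outgoing` so the
interface never originates calls; `ppp authentication pap` sends the password in
clear text (the client example uses chap); `no service password-encryption` leaves
passwords readable in `show running-config`; `rcapi server port` opens an ISDN-DCP
listener on the LAN (TCP 2578 by default), so vty lines without an access-class are
reported as well. Sample configs are constructed, adapted from the chapter's examples.
"""
import re
from dataclasses import dataclass

BLOCK_HEADERS = ("interface ", "line ", "controller ")
RCAPI_DEFAULT_PORT = 2578                       # default stated in the RCAPI overview
RCAPI_RE = re.compile(r"rcapi server port(?: (\d+))?")


@dataclass(frozen=True)
class Finding:
    block: str    # "global" or the header line of the interface/line block
    rule: str
    detail: str


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Split running-config text into {block header: [sub-commands]}; '!' is skipped."""
    blocks: dict[str, list[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" "):               # indented: sub-command of the open block
            blocks[current].append(text)
        elif text.startswith(BLOCK_HEADERS):  # opens a new block
            current = text
            blocks.setdefault(current, [])
        else:                                 # any other top-level line is global
            current = "global"
            blocks["global"].append(text)
    return blocks


def audit(config: str, role: str = "client") -> list[Finding]:
    """Audit one device; role is 'server' for an AO/DI server, otherwise 'client'."""
    blocks = parse_blocks(config)
    found: list[Finding] = []
    for line in blocks["global"]:
        if line == "no service password-encryption":
            found.append(Finding("global", "cleartext-passwords",
                                 "service password-encryption is disabled"))
        m = RCAPI_RE.fullmatch(line)
        if m:
            port = int(m.group(1)) if m.group(1) else RCAPI_DEFAULT_PORT
            found.append(Finding("global", "rcapi-listener",
                                 f"ISDN-DCP server listens on TCP {port} on the LAN port"))
    for header, lines in blocks.items():
        if header.startswith("interface "):
            if "ppp authentication pap" in lines:
                found.append(Finding(header, "weak-ppp-auth",
                                     "PAP sends the password in clear text; use chap"))
            if role == "server":
                for line in lines:
                    if line.startswith("x25 map ppp") and "no-outgoing" not in line.split():
                        found.append(Finding(header, "server-can-originate",
                                             f"no-outgoing missing: {line}"))
        elif header.startswith("line vty") and not any(
                l.startswith("access-class") for l in lines):
            found.append(Finding(header, "vty-unrestricted",
                                 "no access-class limits which hosts may reach this vty"))
    return found


AODI_SERVER = """\
hostname Router_server
x25 routing
!
interface BRI0
 encapsulation ppp
 ppp authentication pap
 ppp multilink bap
 ppp bap call accept
!
interface BRI0:0
 x25 address 12135556789
 x25 map ppp 12135551234 interface bri0 no-outgoing
"""

RCAPI_ROUTER = """\
no service password-encryption
hostname local
isdn switch-type basic-net3
!
interface BRI0
 isdn incoming-voice modem
!
line con 0
 transport input none
line vty 0 4
!
rcapi server port 2578
"""

if __name__ == "__main__":
    for name, cfg, role in (("AO/DI server", AODI_SERVER, "server"),
                            ("RCAPI router", RCAPI_ROUTER, "client")):
        for f in audit(cfg, role):
            print(f"{name} [{f.rule}] {f.block}: {f.detail}")
```

Run against the server example the linter reports only the PAP finding; drop the no-outgoing keyword from the x25 map statement and it reports that the server can now originate calls. Against the RCAPI example it reports the disabled password encryption, the TCP 2578 listener, and the unrestricted vty line.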
Signaling Configuration
Configuring ISDN PRI
This chapter describes how to configure channelized E1 and channelized T1 for ISDN PRI and for two
types of signaling to support analog calls over digital lines. This information is included in the following
sections:
• Signaling Overview
• How to Configure ISDN PRI
• Monitoring and Maintaining ISDN PRI Interfaces
• How to Configure Robbed-Bit Signaling for Analog Calls over T1 Lines
• How to Configure CAS
• How to Configure Switched 56K Digital Dial-In over Channelized T1 and Robbed-Bit Signaling
• How to Configure Switched 56K Services
• How to Configure E1 R2 Signaling
• Enabling R1 Modified Signaling in Taiwan
• Configuration Examples for Channelized E1 and Channelized T1
In addition, this chapter describes how to run interface loopback diagnostics on channelized E1 and
channelized T1 lines. For more information, see the “How to Configure Switched 56K Digital Dial-In
over Channelized T1 and Robbed-Bit Signaling” section later in this chapter, and the Cisco IOS Interface
Configuration Guide, Release 12.2.
For hardware technical descriptions and for information about installing the controllers and interfaces,
refer to the hardware installation and maintenance publication for your particular product.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the channelized E1/T1 commands in this chapter, refer to the Cisco IOS
Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
Signaling Overview
Channelized T1 and channelized E1 can be configured for ISDN PRI, synchronous serial, and
asynchronous serial communications.
Channelized T1 and channelized E1 are supported by corresponding controllers. Each T1 or E1
controller has one physical network termination, but it can have many virtual interfaces, depending on
the configuration.
In-Band and Out-of-Band Signaling
The terms in-band and out-of-band indicate whether various signals—which are used to set up, control,
and terminate calls—travel in the same channel (or band) with voice calls or data made by the user, or
whether those signals travel in a separate channel (or band).
ISDN, which uses the D channel for signaling and the B channels for user data, fits into the out-of-band
signaling category.
Robbed-bit signaling, which uses bits from specified frames in the user data channel for signaling, fits
into the in-band signaling category.
Channel-associated signaling (CAS), which uses E1 time slot 16 (the D channel) for signaling, fits into
the out-of-band signaling category.
Channelized E1 and T1 on Cisco Devices
You can allocate the available channels for channelized E1 or T1 in the following ways:
• All channels can be configured to support ISDN PRI. Channelized T1 ISDN PRI offers
23 B channels and 1 D channel. Channelized E1 ISDN PRI offers 30 B channels and 1 D channel.
Channel 24 is the D channel for T1, and channel 16 is the D channel for E1.
• If you are not running ISDN PRI, all channels can be configured to support robbed-bit signaling,
which enables a Cisco modem to receive and send analog calls.
• All channels can be configured in a single channel group. For configuration information about this
leased line or nondial use, see the “Configuring Serial Interfaces” chapter in the Cisco IOS Interface
Configuration Guide.
• Mix and match channels supporting ISDN PRI and channel grouping.
• Mix and match channels supporting ISDN PRI, robbed-bit signaling, and channel grouping across
the same T1 line. For example, on the same channelized T1 line you can configure the pri-group
timeslots 1-10 command, channel-group 11 timeslots 11-16 command, and cas-group 17
timeslots 17-23 type e&m-fgb command. This is a rare configuration because it requires you to
align the correct range of time slots on both ends of the connection.
See the sections “PRI Groups and Channel Groups on the Same Channelized T1 Controller Example,”
“Robbed-Bit Signaling Examples,” and the “ISDN CAS Examples” at the end of this chapter.
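The time-slot arithmetic in this section (the D channel on T1 time slot 24 and E1 time slot 16, serial interface numbers equal to the time slot minus one, and non-overlapping pri-group, channel-group and cas-group ranges) is easy to get wrong, and the section notes that both ends of the line must agree on it. The following added example, not code from this guide, checks a controller's group statements against those rules and lists the serial interfaces that carry B channels. It assumes two things the section does not state: that E1 time slot 0 is reserved for framing and never allocatable, and that once a pri-group exists on a controller its D-channel slot cannot be handed to a channel-group or cas-group.

```python
"""Added example, not Cisco's code: validate a channelized T1/E1 time-slot plan
against the allocation rules this section states.

Facts used (from the section): T1 PRI is 23 B + D with the D channel on time slot
24; E1 PRI is 30 B + D with the D channel on time slot 16; B channel numbers on
E1 run from 1 to 31; serial interface numbers are the time slot minus one, so the
E1 D channel is interface serial <controller>:15. Assumptions made here: E1 time
slot 0 carries framing and is never allocatable, and once a pri-group exists on
a controller its D-channel slot cannot be given to a channel-group or cas-group.
"""
import re
from dataclasses import dataclass, field

D_SLOT = {"t1": 24, "e1": 16}
USABLE = {"t1": range(1, 25), "e1": range(1, 32)}  # E1 slot 0 is framing (assumption)
GROUP_RE = re.compile(r"^(pri-group|channel-group \d+|cas-group \d+)(?: timeslots (\S+))?")


def parse_timeslots(spec: str) -> set[int]:
    """Expand an IOS timeslots argument such as '1-10,12,17-23' into a set."""
    slots: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        slots.update(range(int(lo), int(hi or lo) + 1))
    return slots


def serial_interface(controller: str, slot: int) -> str:
    """Time slot n of a controller appears as interface serial <controller>:<n-1>."""
    return f"serial {controller}:{slot - 1}"


@dataclass
class Plan:
    kind: str                                   # "t1" or "e1"
    controller: str                             # e.g. "0" or "1/0"
    groups: list[tuple[str, set[int]]] = field(default_factory=list)


def parse_controller(kind: str, controller: str, lines: list[str]) -> Plan:
    """Collect pri-group / channel-group / cas-group statements from a controller block."""
    plan = Plan(kind, controller)
    for line in lines:
        m = GROUP_RE.match(line.strip())
        if not m:
            continue
        spec = m.group(2)
        # A bare pri-group takes every usable slot (30 B + D on E1, 23 B + D on T1).
        slots = parse_timeslots(spec) if spec else set(USABLE[kind])
        plan.groups.append((m.group(1), slots))
    return plan


def validate(plan: Plan) -> list[str]:
    """Return human-readable conflicts; an empty list means the plan is consistent."""
    errors: list[str] = []
    usable = set(USABLE[plan.kind])
    d_slot = D_SLOT[plan.kind]
    has_pri = any(name == "pri-group" for name, _ in plan.groups)
    owner: dict[int, str] = {}
    for name, slots in plan.groups:
        for s in sorted(slots):
            if s not in usable:
                errors.append(f"{name}: time slot {s} does not exist on {plan.kind.upper()}")
            elif s in owner:
                errors.append(f"{name}: time slot {s} already used by {owner[s]}")
            elif has_pri and s == d_slot and name != "pri-group":
                errors.append(f"{name}: time slot {s} is the PRI D channel "
                              f"({serial_interface(plan.controller, s)})")
            else:
                owner[s] = name
    return errors


def b_channels(plan: Plan) -> list[str]:
    """Serial interfaces carrying PRI B channels; the D-channel slot is excluded."""
    for name, slots in plan.groups:
        if name == "pri-group":
            return [serial_interface(plan.controller, s)
                    for s in sorted(slots) if s != D_SLOT[plan.kind]]
    return []


# Constructed controller block, taken from the mix-and-match example in this section.
T1_MIXED = [
    "pri-group timeslots 1-10",
    "channel-group 11 timeslots 11-16",
    "cas-group 17 timeslots 17-23 type e&m-fgb",
]

if __name__ == "__main__":
    plan = parse_controller("t1", "0", T1_MIXED)
    print("conflicts:", validate(plan) or "none")
    print("B channels:", ", ".join(b_channels(plan)))
    bad = parse_controller("t1", "0", ["pri-group timeslots 1-10",
                                       "channel-group 11 timeslots 11-24"])
    print("conflicts:", validate(bad))
```

The mix-and-match plan from the text validates cleanly and yields B channels serial 0:0 through 0:9; extending the channel-group to time slot 24 is rejected because that slot is the T1 D channel (serial 0:23), and a bare pri-group on an E1 controller yields 30 B channels with serial 0:15 left out as the D channel.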
How to Configure ISDN PRI
This section describes tasks that are required to get ISDN PRI up and running. This section does not
address routing issues, dialer configuration, and dial backup. For information about those topics, see the
chapters in the “Dial-on-Demand Routing” part of this manual.
To configure ISDN PRI, perform the tasks in the following sections:
• Requesting PRI Line and Switch Configuration from a Telco Service Provider (Required)
• Configuring Channelized E1 ISDN PRI (As required)
• Configuring Channelized T1 ISDN PRI (As required)
• Configuring the Serial Interface (Required)
• Configuring NSF Call-by-Call Support (Primary-4ESS Only)
• Configuring Multiple ISDN Switch Types (Optional)
• Configuring B Channel Outgoing Call Order (Optional)
• Performing Configuration Self-Tests (Optional)
See the section “Monitoring and Maintaining ISDN PRI Interfaces” later in this chapter for tips on
maintaining the ISDN PRI interface. See the end of this chapter for the “ISDN PRI Examples” section.
Note After the ISDN PRI interface and lines are operational, configure the D-channel interface for
dial-on-demand routing (DDR). The DDR configuration specifies the packets that can trigger
outgoing calls, specifies whether to place or receive calls, and provides the protocol, address, and
phone number to use.
Requesting PRI Line and Switch Configuration from a Telco Service Provider
Before configuring ISDN PRI on your Cisco router, you need to order a correctly provisioned ISDN PRI
line from your telecommunications service provider.
This process varies dramatically from provider to provider on a national and international basis.
However, some general guidelines follow:
• Verify whether outgoing B channel calls are made in ascending or descending order. The Cisco IOS
default is descending order; if the service provider's switch is configured to place outgoing calls in
ascending order, the router can be configured to match the switch configuration of the service
provider.
• Ask for delivery of calling line identification. Providers sometimes call this CLI or automatic
number identification (ANI).
• If the router will be attached to an ISDN bus (to which other ISDN devices might be attached), ask
for point-to-multipoint service (subaddressing is required) and a voice-and-data line.
Table 23 provides a sample of the T1 configuration attributes you might request for a PRI switch used
in North America.

Table 23  North American PRI Switch Configuration Attributes

Attribute                  Value
Line format                Extended Superframe Format (ESF)
Line coding                Binary 8-zero substitution (B8ZS)
Call type                  23 incoming channels and 23 outgoing channels
Speed                      64 kbps
Call-by-call capability    Enabled
Channels                   23 B + D
Trunk selection sequence   Either ascending order (from 1 to 23) or descending order (from 23 to 1)
B + D glare                Yield
Directory numbers          Only 1 directory number assigned by service provider
SPIDs required?            None

Configuring Channelized E1 ISDN PRI
To configure ISDN PRI on a channelized E1 controller, use the following commands beginning in global
configuration mode:

Step 1  Command: Router(config)# isdn switch-type switch-type
        Purpose: Selects a service provider switch type that accommodates PRI. (See Table 24 for a list
        of supported switch type keywords.)
Step 2  Command: Router(config)# controller e1 slot/port
        Purpose: Defines the controller location in the Cisco 7200 or Cisco 7500 series router by slot
        and port number.
        or
        Command: Router(config)# controller e1 number
        Purpose: Defines the controller location in the Cisco 4000 series or the Cisco AS5200 universal
        access server by unit number.(1)
Step 3  Command: Router(config-controller)# framing crc4
        Purpose: Defines the framing characteristics as cyclic redundancy check 4 (CRC4).
Step 4  Command: Router(config-controller)# linecode hdb3
        Purpose: Defines the line code as high-density bipolar 3 (HDB3).
Step 5  Command: Router(config-controller)# pri-group [timeslots range]
        Purpose: Configures ISDN PRI.
1. Controller numbers range from 0 to 2 on the Cisco 4000 series and from 1 to 2 on the Cisco AS5000 series access server.

If you do not specify the time slots, the specified controller is configured for 30 B channels and
1 D channel. The B channel numbers range from 1 to 31; channel 16 is the D channel for E1. The
corresponding serial interface numbers range from 0 to 30. In commands, the D channel is interface
serial controller-number:15. For example, interface serial 0:15.
Configuring ISDN PRI
How to Configure ISDN PRI
DC-261
Cisco IOS Dial Technologies Configuration Guide
Table 24 lists the keywords for the supported service provider switch types to be used in Step 1 above.

Table 24  ISDN Service Provider PRI Switch Types

Switch Type Keyword   Description/Use
Voice/PBX Systems
  primary-qsig        Supports QSIG signaling per Q.931. Network side functionality is assigned
                      with the isdn protocol-emulate command.
Australia and Europe
  primary-net5        NET5 ISDN PRI switch types for Asia, Australia, and New Zealand;
                      ETSI-compliant switches for the Euro-ISDN E-DSS1 signaling system.
Japan
  primary-ntt         Japanese NTT ISDN PRI switches.
North America
  primary-4ess        Lucent (AT&T) 4ESS switch type for the United States.
  primary-5ess        Lucent (AT&T) 5ESS switch type for the United States.
  primary-dms100      Nortel DMS-100 switch type for the United States.
  primary-ni          National ISDN switch type.
All Users
  none                No switch defined.

Note For information and examples for configuring ISDN PRI for voice, video, and fax applications, refer
to the Cisco IOS Voice, Video, and Fax Applications Configuration Guide.

Configuring Channelized T1 ISDN PRI
To configure ISDN PRI on a channelized T1 controller, use the following commands beginning in global
configuration mode:

Step 1  Command: Router(config)# isdn switch-type switch-type
        Purpose: Selects a service provider switch type that accommodates PRI. (Refer to Table 24 for a
        list of supported PRI switch type keywords.)
Step 2  Command: Router(config)# controller t1 slot/port
        Purpose: Specifies a T1 controller on a Cisco 7500.
        or
        Command: Router(config)# controller t1 number
        Purpose: Specifies a T1 controller on a Cisco 4000.(1)
Step 3  Command: Router(config-controller)# framing esf
        Purpose: Defines the framing characteristics as Extended Superframe Format (ESF).
Step 4  Command: Router(config-controller)# linecode b8zs
        Purpose: Defines the line code as binary 8 zero substitution (B8ZS).
Step 5  Command: Router(config-controller)# pri-group [timeslots range](2)
        Purpose: Configures ISDN PRI. If you do not specify the time slots, the controller is
        configured for 23 B channels and 1 D channel.
1. Controller numbers range from 0 to 2 on the Cisco 4000 series and from 1 to 2 on the Cisco AS5000 series.
2. On channelized T1, time slots range from 1 to 24. You can specify a range of time slots (for example, pri-group timeslots 12-24) if other
time slots are used for non-PRI channel groups.

If you do not specify the time slots, the specified controller is configured for 24 B channels and
1 D channel. The B channel numbers range from 1 to 24; channel 24 is the D channel for T1. The
corresponding serial interface numbers range from 0 to 23. In commands, the D channel is interface
serial controller-number:23. For example, interface serial 0:23.

Configuring the Serial Interface
When you configure ISDN PRI on the channelized E1 or channelized T1 controller, in effect you create
a serial interface that corresponds to the PRI group time slots. This interface is a logical entity associated
with the specific controller. After you create the serial interface by configuring the controller, you must
configure the D channel serial interface. The configuration applies to all the PRI B channels (time slots).
To configure the D channel serial interface, perform the tasks in the following sections:
• Specifying an IP Address for the Interface (Required)
• Configuring Encapsulation on ISDN PRI (Required)
• Configuring Network Addressing (Required)
• Configuring ISDN Calling Number Identification (As Required)
• Overriding the Default TEI Value (As Required)
• Configuring a Static TEI (As Required)
• Configuring Incoming ISDN Modem Calls (As Required)
• Filtering Incoming ISDN Calls (As Required)
• Configuring the ISDN Guard Timer (Optional)
• Configuring Inclusion of the Sending Complete Information Element (Optional)
• Configuring ISDN PRI B-Channel Busyout (Optional)
Specifying an IP Address for the Interface
To configure the D channel serial interface created for ISDN PRI, use the following commands
beginning in global configuration mode:

Step 1  Command: Router(config)# interface serial slot/port:23
        or Router(config)# interface serial number:23
        Purpose: Specifies the D channel on the serial interface for channelized T1 and begins interface
        configuration mode.
        or
        Command: Router(config)# interface serial slot/port:15
        or Router(config)# interface serial number:15
        Purpose: Specifies the D channel on the serial interface for channelized E1 and begins interface
        configuration mode.
Step 2  Command: Router(config-if)# ip address ip-address
        Purpose: Specifies an IP address for the interface.

When you configure the D channel, its configuration is applied to all the individual B channels.

Configuring Encapsulation on ISDN PRI
PPP encapsulation is configured for most ISDN communication. However, the router might require a
different encapsulation for traffic sent over a Frame Relay or X.25 network, or the router might need to
communicate with devices that require a different encapsulation protocol.
Configure encapsulation as described in one of the following sections:
• Configuring PPP Encapsulation
• Configuring Encapsulation for Frame Relay or X.25 Networks
• Configuring Encapsulation for Combinet Compatibility
In addition, the router can be configured for automatic detection of encapsulation type on incoming calls.
To configure this feature, complete the tasks in the “Configuring Automatic Detection of Encapsulation
Type of Incoming Calls” section.
Note See the sections “Dynamic Multiple Encapsulations” and “Configuring Encapsulation on ISDN BRI”
in the chapter “Configuring ISDN BRI” for information about the Cisco Dynamic Multiple
Encapsulations feature.

Configuring PPP Encapsulation
Each ISDN B channel is treated as a serial line and supports HDLC and PPP encapsulation. The default
serial encapsulation is HDLC. To configure PPP encapsulation, use the following command in interface
configuration mode:

Command: Router(config-if)# encapsulation ppp
Purpose: Configures PPP encapsulation.
Configuring Encapsulation for Frame Relay or X.25 Networks
If traffic from this ISDN interface crosses a Frame Relay or X.25 network, the appropriate addressing
and encapsulation tasks must be completed as required for Frame Relay or X.25 networks.
See the sections “Sending Traffic over Frame Relay, X.25, or LAPB Networks” in the chapter
“Configuring Legacy DDR Spokes” for more information about addressing, encapsulation, and other
tasks necessary to configure Frame Relay or X.25 networks.
Configuring Encapsulation for Combinet Compatibility
Historically, Combinet devices supported only the Combinet Proprietary Protocol (CPP) for negotiating
connections over ISDN B channels. To enable Cisco routers to communicate with those Combinet
bridges, the Cisco IOS software supports the CPP encapsulation type.
To enable routers to communicate over ISDN interfaces with Combinet bridges that support only CPP,
use the following commands in interface configuration mode:

Step 1  Command: Router(config-if)# encapsulation cpp
        Purpose: Specifies CPP encapsulation.
Step 2  Command: Router(config-if)# cpp callback accept
        Purpose: Enables CPP callback acceptance.
Step 3  Command: Router(config-if)# cpp authentication
        Purpose: Enables CPP authentication.

Most Combinet devices support PPP. Cisco routers can communicate over ISDN with these devices by
using PPP encapsulation, which supports both routing and fast switching.
Cisco 700 and 800 series routers and bridges (formerly Combinet devices) support only IP, IPX, and
bridging. For AppleTalk, Cisco routers automatically perform half-bridging with Combinet devices. For
more information about half-bridging, see the section “Configuring PPP Half-Bridging” in the
“Configuring Media-Independent PPP and Multilink PPP” chapter in this publication.
Cisco routers can also half-bridge IP and IPX with Combinet devices that support only CPP. To configure
this feature, you only need to set up the addressing with the ISDN interface as part of the remote subnet;
no additional commands are required.

Configuring Automatic Detection of Encapsulation Type of Incoming Calls
You can enable a serial or ISDN interface to accept calls and dynamically change the encapsulation in
effect on the interface when the remote device does not signal the call type. For example, if an ISDN call
does not identify the call type in the Lower Layer Compatibility fields and is using an encapsulation that
is different from the one configured on the interface, the interface can change its encapsulation type at
that time.
This feature enables interoperation with ISDN terminal adapters that use V.120 encapsulation but do not
signal V.120 in the call setup message. An ISDN interface that by default answers a call as synchronous
serial with PPP encapsulation can change its encapsulation and answer such calls.
Automatic detection is attempted for the first 10 seconds after the link is established or the first 5 packets
exchanged over the link, whichever is first.
To enable automatic detection of encapsulation type, use the following command in interface
configuration mode:

Command: Router(config-if)# autodetect encapsulation encapsulation-type
Purpose: Enables automatic detection of encapsulation type on the specified interface.

You can specify one or more encapsulations to detect. Cisco IOS software currently supports automatic
detection of PPP and V.120 encapsulations.

Configuring Network Addressing
When you configure networking, you specify how to reach the remote recipient. To configure network
addressing, use the following commands in interface configuration mode:

Step 1  Command: Router(config-if)# dialer map protocol next-hop-address name hostname speed 56|64
        dial-string[:isdn-subaddress]
        Purpose: Defines the protocol address of the remote recipient, host name, and dialing string;
        optionally, provides the ISDN subaddress; sets the dialer speed to 56 or 64 kbps, as needed.
        or
        Command: Router(config-if)# dialer map protocol next-hop-address name hostname spc [speed 56 |
        64] [broadcast] dial-string[:isdn-subaddress]
        Purpose: (Australia) Uses the spc keyword that enables ISDN semipermanent connections.
Step 2  Command: Router(config-if)# dialer-group group-number
        Purpose: Assigns the interface to a dialer group to control access to the interface.
Step 3  Command: Router(config-if)# dialer-list dialer-group list access-list-number
        Purpose: Associates the dialer group number with an access list number.
Step 4  Command: Router(config-if)# access-list access-list-number {deny | permit} protocol
        source address source-mask destination destination-mask
        Purpose: Defines an access list permitting or denying access to specified protocols, sources, or
        destinations.

Australian networks allow semipermanent connections between customer routers with PRIs and the
TS-014 ISDN PRI switches in the exchange. Semipermanent connections are offered at better pricing
than leased lines.
Packets that are permitted by the access list specified by the dialer-list command are considered
interesting and cause the router to place a call to the identified destination protocol address.
Note The access list reference in Step 4 of this task list is an example of the access list commands allowed
by different protocols. Some protocols might require a different command form or might require
multiple commands. See the relevant chapter in the appropriate network protocol configuration guide
(for example, the Cisco IOS AppleTalk and Novell IPX Configuration Guide) for more information
about setting up access lists for a protocol.
For more information about defining outgoing call numbers, see the sections “Configuring Access
Control for Outgoing Calls” in the chapters “Configuring Legacy DDR Spokes” or “Configuring Legacy
DDR Hubs” later in this publication.
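The following configuration is an added example, not one of this guide's own examples, that puts the
channelized T1 controller steps, the D channel serial interface, its encapsulation, and the network
addressing steps together on one router. The controller number, IP addresses, host name, dial string,
billing number, and list numbers are constructed values. It uses the partial time-slot form from the T1
procedure so that time slots 1 through 11 stay free for a non-PRI channel group, and it enters the
dialer-list and access-list commands in global configuration mode using the protocol-specific form of
dialer-list.

```cisco
! Added example: every address, number and name below is constructed.
isdn switch-type primary-5ess
!
controller t1 0
 framing esf
 linecode b8zs
 ! Time slots 12-24 form the PRI; time slot 24 is the D channel.
 pri-group timeslots 12-24
 ! Remaining time slots become an ordinary channel group (serial 0:0).
 channel-group 0 timeslots 1-11
!
! The D channel of T1 controller 0 is serial interface 0:23
! (on a channelized E1 it would be serial 0:15). Everything set here
! applies to all the B channels of the PRI group.
interface serial 0:23
 ip address 192.0.2.1 255.255.255.0
 encapsulation ppp
 ! Let V.120 terminal adapters that do not signal V.120 in the
 ! Setup message still be answered; detection runs for the first
 ! 10 seconds or 5 packets of a call.
 autodetect encapsulation v120
 ! Billing number presented in the outgoing Setup message.
 isdn calling-number 5550100
 ! Match the trunk selection sequence the provider provisioned
 ! (the router default is descending).
 isdn bchan-number-order ascending
 ! Remote peer: protocol address, host name, B channel speed, dial string.
 dialer map ip 192.0.2.2 name remote-site speed 64 5550199
 dialer-group 1
!
! Interesting traffic: only IP from the constructed LAN prefix
! triggers a call; everything else is silently not dialed.
access-list 101 permit ip 198.51.100.0 0.0.0.255 any
dialer-list 1 protocol ip list 101
```

After the configuration is in place, show isdn status reports Layer 1 ACTIVE and Layer 2 MULTIPLE_FRAME_ESTABLISHED for serial 0:23 when the PRI is up; show dialer on the same interface shows whether packets matching access list 101 have triggered a call.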
Configuring ISDN Calling Number Identification
A router might need to supply the ISDN network with a billing number for outgoing calls. Some
networks offer better pricing on calls in which the number is presented. When configured, the calling
number information is included in the outgoing Setup message.
To configure the interface to identify the billing number, use the following command in interface
configuration mode:

Command: Router(config-if)# isdn calling-number calling-number
Purpose: Specifies the calling party number.

This command can be used with all ISDN PRI switch types.

Overriding the Default TEI Value
You can configure ISDN terminal endpoint identifier (TEI) negotiation on individual ISDN interfaces.
TEI negotiation is useful for switches that may deactivate Layers 1 or 2 when there are no active calls.
Typically, this setting is used for ISDN service offerings in Europe and connections to DMS 100
switches that are designed to initiate TEI negotiation.
By default, TEI negotiation occurs when the router is powered up. The TEI negotiation value configured
on an interface overrides the default or global TEI value. On PRI interfaces connecting to DMS 100
switches, the router will change the default TEI setting to isdn tei first-call. To apply TEI negotiation
to a specific PRI interface, use the following command in interface configuration mode:

Command: Router(config-if)# isdn tei [first-call | powerup]
Purpose: Determines when ISDN TEI negotiation occurs.

Configuring a Static TEI
Depending on the telephone company you subscribe to, you may have a dynamically or statically
assigned terminal endpoint identifier (TEI) for your ISDN service. By default, TEIs are dynamic in
Cisco routers. To configure the TEI as a static configuration, use the following command in interface
configuration mode:

Command: Router(config-if)# isdn static-tei tei-number
Purpose: Configures a static ISDN Layer 2 TEI over the D channel.

Configuring Incoming ISDN Modem Calls
All incoming ISDN analog modem calls that come in on an ISDN PRI receive signaling information
from the ISDN D channel. The D channel is used for circuit-switched data calls and analog modem calls.
To enable all incoming ISDN voice calls to access the call switch module and integrated modems, use
the following command in interface configuration mode:

Command: Router(config-if)# isdn incoming-voice {modem [56 | 64]}
Purpose: Routes incoming ISDN modem calls to the call switch module.

The settings for the isdn incoming-voice interface command determine how a call is handled based on
bearer capability information, as follows:
• isdn incoming-voice voice—Calls bypass the modem and are handled as a voice call.
• isdn incoming-voice data—Calls bypass the modem and are handled as digital data.
• isdn incoming-voice modem—Calls are passed to the modem and the call negotiates the
appropriate connection with the far-end modem.
Refer to the Cisco IOS Voice, Video, and Fax Configuration Guide and Cisco IOS Voice, Video, and Fax
Command Reference, Release 12.2, for more information about using the isdn incoming-voice interface
configuration command to configure incoming ISDN voice and data calls.

Filtering Incoming ISDN Calls
You may find it necessary to configure your network to reject an incoming call with some specific ISDN
bearer capability such as nonspeech or nonaudio data. To filter out unwanted call types, use the following
command in interface configuration mode:

Command: Router(config-if)# isdn reject {{cause cause-code} | {data [56 | 64]} | piafs | v110 | v120 | vod |
voice {[3.1khz | 7khz | speech]}}
Purpose: Rejects an incoming ISDN BRI or PRI call based on type.

Note When the ISDN interface is configured for incoming voice with the isdn incoming-voice voice
command (see the previous section “Configuring Incoming ISDN Modem Calls”), and bearer
capability indicates the call as unrestricted digital data (i = 0x8890), the call is handled as voice over
data (use vod keyword).

Verifying the Call Reject Configuration
To verify that calls are being rejected, perform the following steps:
Step 1 Enable the following debug commands at the privileged EXEC prompt:
• debug isdn event
• debug isdn event detail
• debug isdn q931
• debug isdn q931 l3trace
Step 2 Configure the appropriate isdn reject command. The following example configures the network to reject
all incoming data calls on ISDN interfaces 4 through 23:
Router(config)# interface serial 4:23
Router(config-if)# isdn reject data
Router(config-if)# ^Z
Step 3 Build the configuration and then monitor the debug command output for the following string, which
indicates that the call was rejected:
ISDN : Rejecting call id isdn calltype screening failed
Step 4 Enter the show isdn status EXEC command to display a detailed report of the ISDN configuration,
including status of Layers 1 through 3, the call type, and the call identifier.
Step 5 Turn off the debugging messages by entering the no form of the debug command (no debug isdn
event detail, for example) or by entering the undebug form of the command (undebug isdn q931, for
example).
Configuring the ISDN Guard Timer
Beginning in Cisco IOS Release 12.2, the ISDN guard timer feature implements a new managed timer
for ISDN calls. Because response times for authentication requests can vary, for instance when using
DNIS authentication, the guard timer allows you to control the handling of calls.
To configure the ISDN guard timer, use the following command in interface configuration mode:

Command: Router(config-if)# isdn guard-timer msecs
Purpose: Enables the guard timer and sets the number of milliseconds for which the access server waits
for RADIUS to respond before rejecting or accepting (optional) a call.

For more information about configuring RADIUS, and to see sample ISDN PRI guard timer
configurations, refer to the Cisco IOS Security Configuration Guide.

Configuring Inclusion of the Sending Complete Information Element
In some geographic locations, such as Hong Kong and Taiwan, ISDN switches require that the Sending
Complete information element be included in the outgoing Setup message to indicate that the entire
number is included. This information element is generally not required in other locations.
To configure the interface to include the Sending Complete information element in the outgoing call
Setup message, use the following command in interface configuration mode:

Command: Router(config-if)# isdn sending-complete
Purpose: Includes the Sending Complete information element in the outgoing call Setup message.
Configuring ISDN PRI B-Channel Busyout
To allow the busyout of individual ISDN PRI B channels, use the following commands beginning in
global configuration mode:

Step 1  Command: Router(config)# interface serial controller:timeslot
        Purpose: Enters interface configuration mode for a D-channel serial interface.
Step 2  Command: Router(config-if)# isdn snmp busyout b-channel
        Purpose: Allows the busyout of individual PRI B channels via SNMP.

Configuring NSF Call-by-Call Support
Network-Specific Facilities (NSF) are used to request a particular service from the network or to provide
an indication of the service being provided. Call-by-call support means that a B channel can be used for
any service; its use is not restricted to a certain preconfigured service, such as incoming 800 calls or
outgoing 800 calls. This specific NSF call-by-call service supports outgoing calls configured as voice
calls.
This NSF call-by-call support feature is vendor-specific; only routers connected to AT&T Primary-4ESS
switches need to configure this feature. This feature is supported on channelized T1.
To enable the router for NSF call-by-call support and, optionally, to place outgoing voice calls, complete
the following steps:
Step 1 Configure the controller for ISDN PRI.
Step 2 Configure the D channel interface to place outgoing calls using the dialer map command with a
dialing-plan keyword. You can enter a dialer map command for each dialing plan to be supported.
Step 3 Define the dialer map class for that dialing plan.
To define the dialer map class for the dialing plan, use the following commands beginning in global
configuration mode:

Step 1  Command: Router(config)# map-class dialer classname
        Purpose: Specifies the dialer map class, using the dialing-plan keyword as the class name, and
        begins map class configuration mode.
Step 2  Command: Router(config-map-class)# dialer voice-call
        Purpose: (Optional) Enables voice calls.
Step 3  Command: Router(config-map-class)# dialer outgoing classname
        Purpose: Configures the specific dialer map class to make outgoing calls.

Note To set the called party type to international, the dialed number must be prefaced by 011.
Table 25 lists the NSF dialing plans and supported services offered on AT&T Primary-4ESS switches.

Table 25  NSF Supported Services on AT&T Primary-4ESS Switches

NSF Dialing Plan                       Data   Voice   International
Software Defined Network (SDN)(1)      Yes    Yes     Global SDN
MEGACOMM                               No     Yes     Yes
ACCUNET                                Yes    Yes     Yes
1. The dialing plan terminology in this table is defined and used by AT&T.

Configuring Multiple ISDN Switch Types
You can apply an ISDN switch type on a per-interface basis, thus extending the existing global isdn
switch-type command to the interface level. This allows PRI and BRI to run simultaneously on
platforms that support both interface types.
A global ISDN switch type is required and must be configured on the router before you can configure a
switch type on an interface.
To configure multiple ISDN switch types for a PRI interface using a channelized E1 or channelized T1
controller, use the following command in global configuration mode:

Command: Router(config)# isdn switch-type switch-type
Purpose: Applies a global ISDN switch type.

You must ensure that the ISDN switch type is valid for the ISDN interfaces on the router. Table 24 lists
valid ISDN switch types for BRI and PRI interfaces.
Note When you configure an ISDN switch type on the channelized E1 or T1 controller, this switch type is
applied to all time slots on that controller. For example, if you configure channelized T1 controller
1:23, which corresponds to serial interface 1, with the ISDN switch type keyword primary-net5,
then all time slots on serial interface 1 (and T1 controller 1) will use the Primary-Net5 switch type.
The following restrictions apply to the Multiple ISDN Switch Types feature:
• You must configure a global ISDN switch type using the existing isdn switch-type global
configuration command before you can configure the ISDN switch type on an interface. Because
global commands are processed before interface level commands, the command parser will not
accept the isdn switch-type command on an interface unless a switch type is first added globally.
Using the isdn switch-type global command allows for backward compatibility.
• If an ISDN switch type is configured globally, but not at the interface level, then the global switch
type value is applied to all ISDN interfaces.
• If an ISDN switch type is configured globally and on an interface, the interface level switch type
supersedes the global switch type at initial configuration. For example, if the global BRI switch-type
keyword basic-net3 is defined and the interface-level BRI switch-type keyword is basic-ni, the
National ISDN switch type is the value applied to that BRI interface.
• The ISDN global switch type value is only propagated to the interface level on initial configuration
or router reload. If you reconfigure the global ISDN switch type, the new value is not applied to
subsequent interfaces. Therefore, if you require a new switch type for a specific interface, you must
configure that interface with the desired ISDN switch type.
• If an ISDN global switch type is not compatible with the interface type you are using or you change
the global switch type and it is not propagated to the interface level, as a safety mechanism, the
router will apply a default value to the interface level, as indicated in Table 26.
If, for example, you reconfigure the router to use global switch type keyword basic-net3, the router will
apply the primary-net5 ISDN switch type to PRI interfaces and the basic-net3 ISDN switch type to any
BRI interfaces. You can override the default switch assignment by configuring a different ISDN switch
type on the associated interface.
Table 26  ISDN PRI and ISDN BRI Global Switch Type Keywords

Global Switch Type   PRI Interface    BRI Interface
primary-4ess         primary-4ess     basic-ni
primary-5ess         primary-5ess     basic-ni
primary-dms100       primary-dms100   basic-ni
primary-net5         primary-net5     basic-net3
primary-ni           primary-ni       basic-ni
primary-ntt          primary-ntt      basic-ntt
primary-qsig         primary-qsig     basic-qsig
primary-ts014        primary-ts014    basic-ts013
basic-1tr6           primary-net5     basic-1tr6
basic-5ess           primary-ni       basic-5ess
basic-dms100         primary-ni       basic-dms100
basic-net3           primary-net5     basic-net3
basic-ni             primary-ni       basic-ni
basic-ntt            primary-ntt      basic-ntt
basic-qsig           primary-qsig     basic-qsig
basic-ts013          primary-ts014    basic-ts013
basic-vn3            primary-net5     basic-vn3
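As an added example (not one of this guide's own), the following shows the global and interface-level
switch types coexisting on one router that carries two PRIs and a BRI. The controller and interface
numbers are constructed, and the switch types are chosen only to show the precedence rules: the global
keyword must exist before any interface-level keyword is accepted, an interface that sets no keyword
inherits the global (or Table 26 default) value, and an interface-level keyword supersedes the global one
for that interface only.

```cisco
! Added example: controller and interface numbers are constructed.
! The global switch type must come first; the parser rejects
! isdn switch-type on an interface until a global value exists.
! With primary-5ess global, Table 26 gives PRI interfaces primary-5ess
! and BRI interfaces basic-ni unless an interface overrides it.
isdn switch-type primary-5ess
!
controller t1 0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
controller t1 1
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
! PRI on controller 0: no interface-level keyword, so it inherits
! the global primary-5ess value.
interface serial 0:23
 encapsulation ppp
!
! PRI on controller 1 terminates on a DMS-100: override the global
! value. The keyword applies to every time slot on controller 1.
interface serial 1:23
 isdn switch-type primary-dms100
 encapsulation ppp
!
! BRI on the same router, attached to a 5ESS: override the basic-ni
! default that the global primary-5ess keyword would otherwise apply.
interface bri 0
 isdn switch-type basic-5ess
 encapsulation ppp
```

Because the global value is propagated to interfaces only at initial configuration or reload, changing
the global isdn switch-type later does not move serial 0:23 to the new value; verify the switch type each
interface is actually using with show isdn status, which lists it per interface.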
Configuring B Channel Outgoing Call Order
You can configure the router to select the first available B channel in ascending order (channel B1) or
descending order (channel B23 for a T1 and channel B30 for an E1). To configure the optional task of
selecting B channel order for outgoing calls for PRI interface types, use the following command in
interface configuration mode:

Command: Router(config-if)# isdn bchan-number-order {ascending | descending}
Purpose: Enables B channel selection for outgoing calls on a PRI interface (optional).

Before configuring the ISDN PRI on your router, check with your service vendor to determine if the
ISDN trunk call selection is configured for ascending or descending order. If there is a mismatch
between the router and switch with regard to channel availability, the switch will send back an error
message stating the channel is not available. By default, the router will select outgoing calls in
descending order.

Performing Configuration Self-Tests
To test the ISDN configuration, use the following EXEC commands as needed. Refer to the Cisco IOS
Debug Command Reference for information about the debug commands.

Command: Router> show controllers t1 slot/port
Purpose: Checks Layer 1 (physical layer) of the PRI over T1.
Command: Router> show controllers e1 slot/port
Purpose: Checks Layer 1 (physical layer) of the PRI over E1.
Command: Router> show isdn status
Purpose: Checks the status of PRI channels.
Command: Router# debug isdn q921
Purpose: Checks Layer 2 (data link layer).
Command: Router# debug isdn event
         or Router# debug isdn q931
         or Router# debug dialer
         or Router> show dialer
Purpose: Checks Layer 3 (network layer).
Monitoring and Maintaining ISDN PRI Interfaces
To monitor and maintain ISDN interfaces, use the following EXEC commands as needed:

Command: Cisco 7500 series routers: Router> show interfaces serial slot/port bchannel channel-number
         or Cisco 4000 series routers: Router> show interfaces serial number bchannel channel-number
Purpose: Displays information about the physical attributes of the ISDN PRI over T1 B and D channels.
Command: Cisco 7500 series routers: Router> show interfaces serial slot/port bchannel channel-number
         or Cisco 4000 series routers: Router> show interfaces serial number bchannel channel-number
Purpose: Displays information about the physical attributes of the ISDN PRI over E1 B and D channels.
Command: Cisco 7500 series routers: Router> show controllers t1 [slot/port]
         or Cisco 4000 series routers: Router> show controllers t1 number
Purpose: Displays information about the T1 links supported on the ISDN PRI B and D channels.
Command: Cisco 7500 series routers: Router> show controllers e1 [slot/port]
         or Cisco 4000 series routers: Router> show controllers e1 number
Purpose: Displays information about the E1 links supported on the ISDN PRI B and D channels.
Command: Router> show isdn {active | history | memory | services | status [dsl | serial number] | timers}
Purpose: Displays information about current calls, history, memory, services, status of PRI channels,
         or Layer 2 or Layer 3 timers. (The service keyword is available for PRI only.)
Command: Router> show dialer [interface type number]
Purpose: Obtains general diagnostic information about the specified interface.

How to Configure Robbed-Bit Signaling for Analog Calls over T1 Lines
Some Cisco access servers support robbed-bit signaling for receiving and sending analog calls on T1
lines. Robbed-bit signaling emulates older analog trunk and line in-band signaling methods that are sent
in many networks.
In countries that support T1 framing (such as the United States and Canada), many networks send
supervisory and signaling information to each other by removing the 8th bit of each time slot of the 6th
and 12th frame for superframe (SF) framing. For networks supporting extended superframe (ESF)
framing, the 6th, 12th, 18th, and 24th frames are affected. This additional signaling information is added
to support channel banks in the network that convert various battery and ground operations on analog
lines into signaling bits.
Robbed-bit signaling configured on a Cisco access server enables integrated modems to answer and send
analog calls. Robbed bits are forwarded over digital lines. To support analog signaling over T1 lines,
robbed-bit signaling must be enabled.
Note The signal type configured on the access server must match the signal type offered by your telco
provider. Ask your telco provider which signal type to configure on each T1 controller.
The Cisco access server has two controllers: controller T1 1 and controller T1 0, which must be
configured individually.
To configure robbed-bit signaling support for calls made and received, use the following commands
beginning in global configuration mode:

Step 1  Router(config)# controller t1 0
        Purpose: Enables the T1 0 controller and begins controller configuration mode.
Step 2  Router(config-controller)# cablelength long dbgain-value dbloss-value
        Purpose: If the channelized T1 line connects to a smart jack instead of a CSU, sets pulse
        equalization (use parameter values specified by your telco service provider).
Step 3  Router(config-controller)# framing esf
        Purpose: Sets the framing to match that of your telco service provider, which in most cases is esf.
Step 4  Router(config-controller)# linecode b8zs
        Purpose: Sets the line-code type to match that of your telco service provider, which in most
        cases is b8zs.
Step 5  Router(config-controller)# clock source line primary
        Purpose: Configures one T1 line to serve as the primary or most stable clock source line.
Step 6  Router(config-controller)# cas-group channel-number timeslots range type signal
        Purpose: Configures channels to accept voice calls. This step creates interfaces that you can
        configure.
Step 7  Router(config-controller)# fdl {att | ansi}
        Purpose: Sets the facilities data-link exchange standard for the CSU, as specified by your telco
        service provider.

If you want to configure robbed-bit signaling on the other T1 controller, repeat Steps 1 through 7, making
sure in Step 5 to select T1 controller line 1 as the secondary clock source.
If you want to configure ISDN on the other controller, see the section “How to Configure ISDN PRI” in
this chapter. If you want to configure channel groupings on the other controller, see the chapter
“Configuring Synchronous Serial Ports” in this publication; specify the channel groupings when you
specify the interface.
See the section “Robbed-Bit Signaling Examples” at the end of this chapter for configuration examples.
How to Configure CAS
The following sections describe how to configure channel-associated signaling in Cisco networking
devices for both channelized E1 and T1 lines:
• CAS on Channelized E1
• CAS on T1 Voice Channels
CAS on Channelized E1
Cisco access servers and access routers support CAS for channelized E1 lines, which are commonly
deployed in networks in Latin America, Asia, and Europe. CAS is configured to support channel banks
in the network that convert various battery and ground operations on analog lines into signaling bits,
which are forwarded over digital lines.
CAS is call signaling that is configured on an E1 controller and enables the access server to send or
receive analog calls. The signaling uses the 16th channel (time slot 16) rather than bits taken from the
user channels; thus, CAS on E1 fits in the out-of-band signaling category.
Once CAS is configured on a single E1 controller, remote users can simultaneously dial in to the Cisco
device through networks running the R2 protocol (see specifications for your particular network device
for the number of dialins supported).
The R2 protocol is an international signaling standard for analog connections. Because R2 signaling is
not supported in the Cisco access servers, an E1-to-E1 converter is required.
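The time-slot-16 layout described above, as an added example (not Cisco's code): a small Python parser that builds a G.704 CAS multiframe, reads back the ABCD bits of each of the 30 channels, and confirms that no user time slot is altered. The channel-to-slot mapping follows G.704; the placeholder idle ABCD pattern, the frame-alignment byte and the payload byte are constructed for the example.

```python
"""E1 channel-associated signaling: the ABCD bits ride in time slot 16.

Added example, not Cisco's code. An E1 frame is 32 time slots of 8 bits:
TS0 carries frame alignment, TS1-15 and TS17-31 carry the 30 user channels,
and TS16 carries signaling. Over a 16-frame multiframe (ITU-T G.704), frame 0's
TS16 holds the multiframe alignment pattern (0000 in the high nibble) and
frame n (1..15) holds the ABCD bits of channel n in its high nibble and of
channel n+15 in its low nibble. No user bit is touched, which is why this is
out-of-band, unlike T1 robbed-bit signaling.
"""

SLOTS_PER_FRAME = 32
FRAMES_PER_MULTIFRAME = 16
CAS_SLOT = 16
USER_SLOTS = [ts for ts in range(1, SLOTS_PER_FRAME) if ts != CAS_SLOT]

# Placeholder ABCD pattern for channels the caller does not set. It is a
# constructed value for this example, not the idle pattern of any R2 variant.
IDLE_ABCD = (1, 0, 0, 1)


def channel_to_slot(channel):
    """Map user channel 1..30 to its time slot: 1-15 -> TS1-15, 16-30 -> TS17-31."""
    if not 1 <= channel <= 30:
        raise ValueError(f"E1 CAS carries channels 1..30, got {channel}")
    return channel if channel <= 15 else channel + 1


def pack_abcd(abcd):
    """(a, b, c, d) -> 4-bit nibble with A as the most significant bit."""
    a, b, c, d = abcd
    return (a << 3) | (b << 2) | (c << 1) | d


def unpack_abcd(nibble):
    """4-bit nibble -> (a, b, c, d)."""
    return ((nibble >> 3) & 1, (nibble >> 2) & 1, (nibble >> 1) & 1, nibble & 1)


def build_multiframe(abcd_by_channel, payload=0xD4):
    """Construct 16 frames of 32 bytes carrying the given {channel: (a, b, c, d)}.

    Every user slot carries the same constructed payload byte, so a later check
    can show that the signaling never touches user data.
    """
    frames = []
    for n in range(FRAMES_PER_MULTIFRAME):
        # TS0 gets a frame-alignment placeholder byte; it is not checked here.
        frame = [0x1B] + [payload & 0xFF] * (SLOTS_PER_FRAME - 1)
        if n == 0:
            frame[CAS_SLOT] = 0x00  # MFAS: 0000 then x y x x, all cleared here
        else:
            high = pack_abcd(abcd_by_channel.get(n, IDLE_ABCD))
            low = pack_abcd(abcd_by_channel.get(n + 15, IDLE_ABCD))
            frame[CAS_SLOT] = (high << 4) | low
        frames.append(frame)
    return frames


def extract_cas(frames):
    """Return {channel: (a, b, c, d)} for channels 1..30 from one multiframe."""
    if len(frames) != FRAMES_PER_MULTIFRAME:
        raise ValueError(f"expected {FRAMES_PER_MULTIFRAME} frames, got {len(frames)}")
    if (frames[0][CAS_SLOT] & 0xF0) != 0x00:
        raise ValueError("multiframe alignment signal not found in frame 0, TS16")
    abcd = {}
    for n in range(1, FRAMES_PER_MULTIFRAME):
        ts16 = frames[n][CAS_SLOT]
        abcd[n] = unpack_abcd(ts16 >> 4)
        abcd[n + 15] = unpack_abcd(ts16 & 0x0F)
    return abcd


def user_slots_intact(frames, payload=0xD4):
    """True when every user time slot in every frame still carries the payload byte."""
    return all(frame[ts] == payload for frame in frames for ts in USER_SLOTS)
```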
Figure 40 illustrates that, because the Cisco access servers have more than one physical E1 port on the
dual E1 PRI board, up to 60 simultaneous connections can be made through one dual E1 PRI board.
Figure 40 Remote PC Accessing Network Resources Through the Cisco AS5000 Series Access Server
Note For information on how to configure an Anadigicom E1-to-E1 converter, see the documentation
that came with the converter.
Note The dual E1 PRI card must be installed in the Cisco access server before you can configure CAS. To
identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information.
[Figure 40 diagram: a remote PC making an analog call reaches the central office network using the R2 protocol; the E1 (R2) trunk enters an E1-to-E1 converter, which presents E1 (E&M) to the modems of the Cisco AS5200, and the access server connects onward to the IP network.]
Configuring CAS for Analog Calls over E1 Lines
To configure the E1 controllers in the Cisco access servers, use the following commands beginning in
global configuration mode:

Step 1  Router(config)# controller e1 number
        Purpose: Defines the controller location in the Cisco access server by unit number (choices for
        the number argument are 1 or 2) and begins controller configuration mode.
Step 2  Router(config-controller)# cas-group channel-number timeslots range type signal
        Purpose: Configures CAS and the R2 signaling protocol on a specified number of time slots.
Step 3  Router(config-controller)# framing crc4
        Purpose: Defines the framing characteristics as CRC4.
Step 4  Router(config-controller)# linecode hdb3
        Purpose: Defines the line code as HDB3.
Step 5  Router(config-controller)# clock source line primary (1)
        Purpose: Specifies one E1 line to serve as the primary or most stable clock source line.
(1) Specify the other E1 line as the secondary clock source using the clock source line secondary command.

If you do not specify the time slots, CAS is configured on all 30 B channels and one D channel on the
specified controller.
See the section “ISDN CAS Examples” for configuration examples.

Configuring CAS on a Cisco Router Connected to a PBX or PSTN
To define E1 channels for the CAS method by which the router connects to a PBX or PSTN, use the
following commands beginning in global configuration mode:

Step 1  Router(config)# controller e1 slot/port
        Purpose: Specifies the E1 controller that you want to configure with R2 signaling and begins
        controller configuration.
Step 2  Router(config-controller)# ds0-group ds0-group-no timeslots timeslot-list type {e&m-immediate |
        e&m-delay | e&m-wink | fxs-ground-start | fxs-loop-start | fxo-ground-start | fxo-loop-start}
        Purpose: Configures channel-associated signaling and the signaling protocol on a specified number
        of time slots.
Step 3  Router(config-controller)# framing crc4
        Purpose: Defines the framing characteristics as cyclic redundancy check 4 (CRC4).
Step 4  Router(config-controller)# linecode hdb3
        Purpose: Defines the line code as high-density bipolar 3 (HDB3).
Step 5  Router(config-controller)# clock source line primary (1)
        Purpose: Specifies one E1 line to serve as the primary or most stable clock source line.
(1) Specify the other E1 line as the secondary clock source using the clock source line secondary command.

If you do not specify the time slots, channel-associated signaling is configured on all 30 B channels and
one D channel on the specified controller.
CAS on T1 Voice Channels
Various types of CAS signaling are available in the T1 world. The most common forms of CAS signaling
are loop-start, ground-start, and recEive and transMit (E&M). The biggest disadvantage of CAS
signaling is its use of user bandwidth to perform signaling functions. CAS signaling is often referred to
as robbed-bit-signaling because user bandwidth is being “robbed” by the network for other purposes. In
addition to receiving and placing calls, CAS signaling also processes the receipt of DNIS and ANI
information, which is used to support authentication and other functions.
This configuration allows the Cisco access servers to provide the automatic number identification/dialed
number identification service (ANI/DNIS) delimiter on incoming T1/CAS trunk lines. The digit
collection logic in the call switching module (CSM) for incoming T1 CAS calls in dual tone multifrequency
(DTMF) is modified to process the delimiters, the ANI digits, and the DNIS digits.
As part of the configuration, a CAS signaling class with the template to process ANI/DNIS delimiters
has to be defined. This creates a signaling class structure which can be referred to by its name.
This feature is only functional in a T1 CAS configured for E&M-feature group b (wink start). E&M
signaling is typically used for trunks. It is normally the only way that a central office (CO) switch can
provide two-way dialing with direct inward dialing. In all the E&M protocols, off-hook is indicated by
A=B=1, and on-hook is indicated by A=B=0. If dial pulse dialing is used, the A and B bits are pulsed to
indicate the addressing digits.
For this feature, here is an example of configuring for E&M-feature group b:
ds0-group 1 timeslots 1-24 type e&m-fgb dtmf dnis
In the original Wink Start protocol, the terminating side responds to an off-hook from the originating
side with a short wink (transition from on-hook to off-hook and back again). This wink tells the
originating side that the terminating side is ready to receive addressing digits. After receiving addressing
digits, the terminating side then goes off-hook for the duration of the call. The originating endpoint
maintains off-hook for the duration of the call.
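To make concrete both the robbed-bit positions described earlier in this chapter (8th bit of frames 6 and 12 for SF, and of frames 6, 12, 18 and 24 for ESF) and the E&M A/B conventions and wink described just above, here is an added Python example, not Cisco's code. It builds an SF or ESF superframe from a constructed payload byte, robs the signaling bits, reads them back per channel, decodes the E&M hook state, detects a wink in a sequence of sampled states, and shows why a robbed DS0 carries only 56 kbps of data. The payload byte and hook states are constructed.

```python
"""T1 robbed-bit signaling: where the bits are robbed and how E&M reads them.

Added example, not Cisco's code. A T1 frame is 24 time slots of 8 bits. With
superframe (SF) framing, the 8th (least significant) bit of every slot in
frames 6 and 12 is replaced by the A and B signaling bits; with extended
superframe (ESF) framing, frames 6, 12, 18 and 24 carry A, B, C and D. In all
E&M variants, A=B=1 is off-hook and A=B=0 is on-hook. Frames and hook states
below are constructed for the example.
"""

SLOTS_PER_FRAME = 24
FRAMES_PER_SECOND = 8000
FRAMES_PER_SUPERFRAME = {"sf": 12, "esf": 24}
# 1-based frame number within the superframe -> name of the signaling bit
# carried in the robbed (8th) bit position of every time slot of that frame.
ROBBED_FRAMES = {
    "sf": {6: "A", 12: "B"},
    "esf": {6: "A", 12: "B", 18: "C", 24: "D"},
}


def build_superframe(framing, off_hook_channels, payload=0xD4):
    """Construct one superframe: a list of frames, each a list of 24 bytes.

    Every slot starts with the same constructed payload byte (LSB 0, so the
    robbed bit is visible); in the signaling frames the LSB of each slot is
    overwritten with that channel's bit. E&M keeps all bits equal (A=B=C=D).
    """
    frames = []
    for frame_no in range(1, FRAMES_PER_SUPERFRAME[framing] + 1):
        frame = []
        for ch in range(1, SLOTS_PER_FRAME + 1):
            byte = payload & 0xFF
            if frame_no in ROBBED_FRAMES[framing]:
                byte = (byte & 0xFE) | (1 if ch in off_hook_channels else 0)
            frame.append(byte)
        frames.append(frame)
    return frames


def extract_signaling(framing, frames):
    """Return {channel: {"A": bit, "B": bit, ...}} read from the robbed positions."""
    expected = FRAMES_PER_SUPERFRAME[framing]
    if len(frames) != expected:
        raise ValueError(f"{framing} superframe needs {expected} frames, got {len(frames)}")
    signaling = {ch: {} for ch in range(1, SLOTS_PER_FRAME + 1)}
    for frame_no, bit_name in ROBBED_FRAMES[framing].items():
        frame = frames[frame_no - 1]
        for ch in range(1, SLOTS_PER_FRAME + 1):
            signaling[ch][bit_name] = frame[ch - 1] & 0x01
    return signaling


def em_hook_state(bits):
    """E&M line state from the A and B bits; any other combination is not a valid E&M state."""
    if bits["A"] == 1 and bits["B"] == 1:
        return "off-hook"
    if bits["A"] == 0 and bits["B"] == 0:
        return "on-hook"
    return "invalid"


def ds0_data_rate_bps(robbed_bit_signaling):
    """A clear DS0 is 8 bits x 8000 frames/s = 64 kbps. On an RBS trunk the LSB
    is overwritten in the signaling frames and cannot be trusted, so data uses
    only 7 bits per slot: 56 kbps, the switched 56K rate used later in this chapter."""
    return (7 if robbed_bit_signaling else 8) * FRAMES_PER_SECOND


def detect_wink(terminating_states):
    """True when the terminating side shows a Wink Start wink.

    The input is a list of E&M states sampled over time (one per superframe).
    A single off-hook sample bracketed by on-hook samples is treated as the
    wink here; a real detector also times the pulse.
    """
    for i in range(len(terminating_states) - 2):
        if terminating_states[i:i + 3] == ["on-hook", "off-hook", "on-hook"]:
            return True
    return False
```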
Configuring ANI/DNIS Delimiters for CAS Calls on CT1
To configure the signaling class and ANI/DNIS delimiters, use the following commands beginning in
global configuration mode:

Step 1  Router(config)# signaling-class cas name
        Purpose: Names the signaling class and begins interface configuration mode.
Step 2  Router(config-if)# profile incoming template
        Purpose: Defines the template to process the ANI/DNIS delimiter.
Step 3  Router(config-if)# exit
        Purpose: Returns to global configuration mode.
Step 4  Router(config)# controller t1 slot/port/number
        Purpose: Enables this feature for a T1 controller and begins controller configuration mode.
Step 5  Router(config-controller)# cas-custom channel
        Purpose: Specifies a single channel group number.
Step 6  Router(config-ctrl-cas)# class name
        Purpose: Enables the ANI/DNIS delimiter feature by specifying the template.

To disable the delimiter, use the command no class under the cas-custom configuration.
To remove the signaling class, use the configuration command no signaling-class cas. When removing
a signaling class, make sure the signaling class is no longer used by any controllers; otherwise, the
following warning will be displayed:
% Can’t delete, signaling class test is being used
How to Configure Switched 56K Digital Dial-In over Channelized
T1 and Robbed-Bit Signaling
Internet service providers (ISPs) can provide switched 56-kbps access to their customers using a
Cisco AS5000 series access server. Switched 56K digital dial-in enables many services for ISPs. When
using traditional ISDN PRI, the access server uses the bearer capability to determine the type of service.
However, when providing switched 56K over a CT1 RBS connection, the digital signal level 0 channels
(DS0s) in the access server can be configured to provide either modem or 56-kbps data service. The dial-in user
can access a 56-kbps data connection using either an ISDN BRI connection or a 2- or 4-wire switched
56-kbps connection. The telco to which the access server connects must configure its switches to route
56-kbps data calls and voice (modem) calls to the appropriate DS0.
Likewise, an enterprise can provide switched 56-kbps digital dial-in services to its full-time
telecommuters or small remote offices using ISDN PRI or a CT1 RBS connection.
Switched 56K digital dial-in offers the following benefits:
• Enables ISDN BRI clients to connect to a Cisco access server over switched 56K and T1 CAS.
• Provides switched 56K dial-in services over T1 CAS to remote clients that do not have access to
ISDN BRI, for example, a remote PC making digital calls over a 2- or 4-wire switched 56-kbps
connection and a CSU.
The following prerequisites apply to the Switched 56K Digital Dial-In feature:
• The remote device could be an ISDN BRI end point such as a terminal adapter or BRI router. In this
scenario, the CSU/DSU is irrelevant. For 2- or 4-wire switched 56K remote clients, the remote
endpoint must be compatible with the service of the carrier. Different carriers may implement
different versions of switched 56K end points.
• A CSU/DSU must be present at the remote client side of the connection. Otherwise, switched 56K
connections are not possible. The Cisco access servers have built-in CSU/DSUs.
• The telco must configure its side of the T1 connection to deliver 56-kbps data calls to the correct
range of DS0s. If you do not want to dedicate all the DS0s or time slots on a single T1 to switched
56K services, be sure to negotiate with the telco about which DS0s will support switched 56K and
which DS0s will not.
• Cisco IOS Release 11.3(2)T or later must be running on the access server.
The following restrictions apply to Switched 56K digital dial-in:
• A Cisco access server only supports incoming switched 56K calls. Dialing out with switched 56K
is not supported at this time.
• Switched 56K over E1 is not supported. Only switched 56K over T1 is supported.
• Analog modem calls are not supported over DS0s that are provisioned for switched 56K. For a
configuration example, see the section “Switched 56K and Analog Modem Calls over Separate T1
CAS Lines Example” later in this chapter.
• Certain types of T1 lines, such as loop start and ground start, might not support this service. Contact
your telco vendor to determine if this feature is available.
Switched 56K Scenarios
The following scenarios are provided to show multiple applications for supporting switched 56K over
T1 CAS:
• Switched 56K and Analog Modem Calls into T1 CAS
• Basic Call Processing Components
• ISDN BRI Calls into T1 CAS
Switched 56K and Analog Modem Calls into T1 CAS
Figure 41 shows a sample network scenario using switched 56K. Two remote PCs are dialing in to the
same Cisco access server to get access to the Internet. The desktop PC is making switched 56K digital
calls through an external CSU/DSU. The laptop PC is making analog modem calls through a 28.8-kbps
modem. The Cisco access server dynamically assigns IP addresses to each node and forwards data
packets off to the switched 56K channels and onboard modems respectively.
Figure 41 PCs Making Switched 56K and Analog Modem Calls into a Cisco AS5000 Series Access
Server
For the startup running configuration on the Cisco access server shown in Figure 41, see the section
“Comprehensive Switched 56K Startup Configuration Example” later in this chapter.
[Figure 41 diagram: a PC running Windows 95 makes switched 56K digital calls into the Internet through an external CSU/DSU and a switched 56K line, and a laptop PC makes 28.8 modem calls over an asynchronous modem line; both reach a Cisco AS5300 through the PSTN over 4 T1 lines, and the AS5300 connects by 100BASE-T to a RADIUS security server and to the ISP backbone providing 100BASE-T connections into the Internet.]
Basic Call Processing Components
Figure 42 shows the basic components that process switched 56K calls and analog modem calls on board
a Cisco access server. Switched 56K and modem calls are both signaled using robbed-bit signaling. Digital
switched 56K calls utilize logical serial interfaces just like in ISDN PRI. Modem calls utilize
asynchronous interfaces, lines, and modems.
Note The BRI terminal must originate its calls with a bearer capability of 56 kbps.
Figure 42 Processing Components for Switched 56K Calls Versus Analog Modem Calls
Note The Cisco IOS software does enable you to configure one T1 controller to support both switched 56K
digital calls and analog modem calls. In this scenario, Figure 42 would show all calls coming into the
access server through one T1 line and controller. However, you must negotiate with the telco which
DS0s will support switched 56K services and which DS0s will not. On the access server, analog
modem calls are not supported over DS0s that are provisioned for switched 56K. For an example
software configuration, see the section “Mixture of Switched 56K and Modem Calls over CT1 CAS
Example” at the end of this chapter.
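As an added example (not Cisco's code), this Python helper checks the DS0 plan that the note above asks you to negotiate with the telco: it parses IOS-style time-slot lists as used in the cas-group timeslots argument, rejects overlapping or out-of-range assignments between the data (switched 56K) and voice (modem) groups, and reports when a call type lands on a DS0 provisioned for the other service. The group names, the plan and the call records are constructed.

```python
"""DS0 plan check for switched 56K (data) and modem (voice) calls on one CT1.

Added example, not Cisco's code. The guide requires the telco to deliver
56-kbps data calls and voice (modem) calls to the DS0s agreed on, and modem
calls are not supported on DS0s provisioned for switched 56K. These helpers
parse IOS-style time-slot lists, validate a plan of cas-groups, and decide
whether an arriving call type is acceptable on the DS0 it lands on. Group
names, the plan and the call records are constructed for the example.
"""
from dataclasses import dataclass

T1_DS0S = range(1, 25)  # a T1 has 24 DS0s, numbered 1..24 in the timeslots argument
SERVICES = ("data", "voice")  # the two service kinds shown in Figure 42


def parse_timeslots(spec):
    """Parse an IOS time-slot list such as "1-12" or "1,3,5-8" into a set of DS0s."""
    slots = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            raise ValueError(f"empty element in time-slot list {spec!r}")
        lo, _, hi = part.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if lo_n not in T1_DS0S or hi_n not in T1_DS0S or lo_n > hi_n:
            raise ValueError(f"time slot element out of range for T1: {part!r}")
        slots.update(range(lo_n, hi_n + 1))
    return slots


def format_timeslots(slots):
    """Inverse of parse_timeslots: {1, 3, 5, 6, 7, 8} -> "1,3,5-8"."""
    if not slots:
        raise ValueError("empty time-slot set")
    ordered = sorted(slots)
    runs, start, prev = [], ordered[0], ordered[0]
    for ts in ordered[1:]:
        if ts != prev + 1:
            runs.append((start, prev))
            start = ts
        prev = ts
    runs.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


@dataclass(frozen=True)
class CasGroup:
    name: str        # label used in messages (constructed)
    service: str     # "data" (switched 56K) or "voice" (analog modem)
    timeslots: frozenset


def validate_plan(groups):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, owner = [], {}
    for g in groups:
        if g.service not in SERVICES:
            problems.append(f"{g.name}: unknown service {g.service!r}")
        for ts in sorted(g.timeslots):
            if ts not in T1_DS0S:
                problems.append(f"{g.name}: DS0 {ts} is not a T1 time slot")
            elif ts in owner:
                problems.append(f"DS0 {ts} assigned to both {owner[ts]} and {g.name}")
            else:
                owner[ts] = g.name
    return problems


def classify_call(groups, ds0, call_type):
    """Decide whether a call of type "56k-data" or "modem" is valid on a DS0.

    Returns ("accept", group name) or ("reject", reason). A modem call on a
    data DS0 is the unsupported case the guide warns about; the reverse
    mismatch means the telco routed a 56K call to a DS0 not provisioned for it.
    """
    if call_type not in ("56k-data", "modem"):
        return ("reject", f"unknown call type {call_type!r}")
    for g in groups:
        if ds0 in g.timeslots:
            if call_type == "modem" and g.service == "data":
                return ("reject", f"analog modem call on DS0 {ds0}, provisioned for switched 56K")
            if call_type == "56k-data" and g.service == "voice":
                return ("reject", f"switched 56K call on DS0 {ds0}, provisioned for modem service")
            return ("accept", g.name)
    return ("reject", f"DS0 {ds0} is not in any cas-group")
```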
[Figure 42 diagram: the access server at the service provider POP is configured to support both switched 56K calls and modem calls. On T1 1 (cas-group service data), switched 56K over T1 CAS calls from a PC making switched 56K digital calls through a CSU/DSU and from a PC making digital BRI calls with an internal terminal adapter terminate on serial interfaces S1:0-S1:23. On T1 0 (cas-group service voice), analog modem over T1 CAS calls from a laptop terminate on group-async lines and modems. The server connects by Ethernet to the WAN.]
ISDN BRI Calls into T1 CAS
Figure 43 shows how switched 56K functionality can be used to forward ISDN BRI network traffic to a
Cisco access server that is configured for switched 56K robbed-bit signaling over CT1.
Note The BRI terminal must originate its calls with a bearer capability of 56 kbps.
Figure 43 Remote PC Making BRI Digital Calls via Switched 56K to a Cisco AS5000 Series Access Server
[Figure 43 diagram: a PC running Windows 95 and loaded with a BRI interface terminal adapter card (BRI) and a PC telecommuter making analog modem calls reach, through the PSTN, a telco switch that converts ISDN BRI and analog modem calls to robbed-bit signaling; the calls arrive as switched 56K over CT1 at a Cisco AS5300, which connects by 100BASE-T to the enterprise LAN with its Windows NT server and UNIX mail server.]
For a configuration example on the Cisco access server, see the section “Comprehensive Switched 56K
Startup Configuration Example” at the end of this chapter.
How to Configure Switched 56K Services
This section describes how to configure switched 56K services on a Cisco access server. After the
cas-group command is enabled for switched 56K services, a logical serial interface is automatically
created for each 56K channel, which must also be configured.
To configure an access server to support switched 56K digital calls, use the following commands
beginning in global configuration mode:

Step 1  Router(config)# controller t1 number
        Purpose: Specifies a T1 controller and begins controller configuration mode.
Step 2  Router(config-controller)# framing {sf | esf}
        Purpose: Sets the framing.
Step 3  Router(config-controller)# linecode {ami | b8zs}
        Purpose: Defines the line code.
Step 4  Router(config-controller)# clock source {line {primary | secondary} | internal}
        Purpose: Specifies the clocking.
Step 5  Router(config-controller)# cas-group channel timeslots range type signal
        Purpose: Configures robbed-bit signaling for a range of time slots. A logical serial interface is
        automatically created for each switched 56K channel.
Step 6  Router(config-controller)# exit
        Purpose: Exits controller configuration mode.
Step 7  Router(config)# interface serial number:number
        Purpose: Specifies the logical serial interface, which was dynamically created when the cas-group
        command was issued, and configures the core protocol characteristics for the serial interface.

For configuration examples, see the section “Switched 56K Configuration Examples” later in this
chapter.
How to Configure E1 R2 Signaling
R2 signaling is an international signaling standard that is common to channelized E1 networks. However,
there is no single signaling standard for R2. The International Telecommunication Union
Telecommunication Standardization Sector (ITU-T) Q.400-Q.490 recommendation defines R2, but a
number of countries and geographic regions implement R2 in entirely different ways. Cisco addresses
this challenge by supporting many localized implementations of R2 signaling in its Cisco IOS software.
The following sections offer pertinent information about the E1 R2 signaling feature:
• E1 R2 Signaling Overview
• Configuring E1 R2 Signaling
• Configuring E1 R2 Signaling for Voice
• Monitoring E1 R2 Signaling
• Verifying E1 R2 Signaling
• Troubleshooting E1 R2 Signaling
E1 R2 Signaling Overview
R2 signaling is channelized E1 signaling used in Europe, Asia, and South America. It is equivalent to
channelized T1 signaling in North America. There are two types of R2 signaling: line signaling and
interregister signaling. R2 line signaling includes R2 digital, R2 analog, and R2 pulse. R2 interregister
signaling includes R2 compelled, R2 noncompelled, and R2 semicompelled. These signaling types are
configured using the cas-group command for Cisco access servers, and the ds0-group command for
Cisco routers.
Many countries and regions have their own E1 R2 variant specifications, which supplement the ITU-T
Q.400-Q.490 recommendation for R2 signaling. Unique E1 R2 signaling parameters for specific
countries and regions are set by entering the cas-custom channel command followed by the country
name command.
The Cisco E1 R2 signaling default is ITU, which supports the following countries: Denmark, Finland,
Germany, Russia (ITU variant), Hong Kong (ITU variant), and South Africa (ITU variant). The
expression “ITU variant” means that there are multiple R2 signaling types in the specified country, but
Cisco supports the ITU variant.
Cisco also supports specific local variants of E1 R2 signaling in the following regions, countries, and
corporations:
• Argentina
• Australia
• Bolivia (1)
• Brazil
• Bulgaria (1)
• China
• Colombia
• Costa Rica
• East Europe (2)
• Ecuador ITU
• Ecuador LME
• Greece
• Guatemala
• Hong Kong (uses the China variant)
• Indonesia
• Israel
• Korea
• Laos (1)
• Malaysia
• Malta (1)
• New Zealand
• Paraguay
• Peru
• Philippines
• Saudi Arabia
• Singapore
• South Africa (Panaftel variant)
• Telmex corporation (Mexico)
• Telnor corporation (Mexico)
• Thailand
• Uruguay
• Venezuela
• Vietnam
(1) Cisco 3620 and 3640 series routers only.
(2) Includes Croatia, Russia, and Slovak Republic.
Note Only MICA technologies modems support R2 functionality. Microcom modems do not support R2.
The following are benefits of E1 R2 signaling:
• R2 custom localization—R2 signaling is supported for a wide range of countries and geographical
regions. Cisco is continually supporting new countries.
• Broader deployment of dial access services—The flexibility of a high-density access server can be
deployed in E1 networks.
Cisco’s implementation of R2 signaling has DNIS support turned on by default. If you enable the ani
option, the collection of DNIS information is still performed. Specifying the ani option does not disable
DNIS collection. DNIS is the number being called. ANI is the number of the caller. For example, if you
are configuring router A to call router B, then the DNIS number is assigned to router B, the ANI number
is assigned to router A. ANI is similar to Caller ID.
Figure 44 shows a sample network topology for using E1 R2 signaling with a Cisco AS5800. All four
controllers on the access server are configured with R2 digital signaling. Additionally, localized R2
country settings are enabled on the access server.
Figure 44 Service Provider Using E1 R2 Signaling and a Cisco AS5800
Figure 45 shows a sample network topology for using E1 R2 signaling for voice transfers with a
Cisco 2600, 3600, or 7200 series router. All the controllers on the router are configured with R2 digital
signaling. Additionally, localized R2 country settings are enabled on the router.
Figure 45 E1 R2 Connections for the Cisco 2600/3600/7200 Series Routers
Configuration examples are supplied in the “Configuration Examples for Channelized E1 and
Channelized T1” section at the end of this chapter.
[Figure 44 diagram: a PC running Windows 95 with a 56k modem makes analog modem calls through the PSTN and the telco switch over 4 CE1 lines into a Cisco AS5800 loaded with 56k MICA modems, which connects by Fast Ethernet to the service provider LAN.]
[Figure 45 diagram: a PBX connects over an E1 R2 line to the router, which connects to the data network (an IP, ATM, or Frame Relay network).]
Configuring E1 R2 Signaling
To configure support for E1 R2 signaling on the Cisco access servers, use the following commands
beginning in global configuration mode:

Step 1  Router(config)# controller e1 slot/port
        Purpose: Specifies the E1 controller that you want to configure with R2 signaling and begins
        controller configuration mode.
Step 2  Router(config-controller)# cas-group channel timeslots range type signal
        Replace the signal argument with any of the following choices under R2 analog, R2 digital, or
        R2 pulse:
          r2-analog [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]]
          or
          r2-digital [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]]
          or
          r2-pulse [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]]
        Purpose: Configures R2 channel-associated signaling on the E1 controller. For a complete
        description of the available R2 options, see the cas-group command. The R2 part of this command
        is defined by the signal argument in the cas-group command.

For an E1 R2 configuration example, see the section “E1 R2 Signaling Procedure.”

Configuring E1 R2 Signaling for Voice
To configure E1 R2 signaling on systems that will be configured for voice, use the following commands
beginning in global configuration mode:

Step 1  Router(config)# controller E1 slot/port
        Purpose: Specifies the E1 controller that you want to configure with R2 signaling and begins
        controller configuration mode.
Step 2  Router(config-controller)# ds0-group channel timeslots range type signal
        Replace the signal argument with any of the following choices under R2 analog, R2 digital, or
        R2 pulse:
          r2-analog [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]]
          or
          r2-digital [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]]
          or
          r2-pulse [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]]
        Purpose: Configures R2 channel-associated signaling on the E1 controller. For a complete
        description of the available R2 options, see the ds0-group (controller e1) command reference page.
Step 3  Router(config-controller)# cas-custom channel
        Purpose: Enters cas-custom mode. In this mode, you can localize E1 R2 signaling parameters, such
        as specific R2 country settings for Hong Kong. For the customization to take effect, the channel
        number used in the cas-custom command must match the channel number specified by the ds0-group
        command.
Step 4  Router(config-ctrl-cas)# country name use-defaults
        Purpose: Specifies the local country, region, or corporation specification to use with R2
        signaling. Replace the name variable with one of the supported country names. Cisco strongly
        recommends that you include the use-defaults option, which engages the default settings for a
        specific country. The default setting for all countries is ITU. See the cas-custom command
        reference page for the list of supported countries, regions, and corporation specifications.
Step 5  (Optional) One or more of the following cas-custom commands:
          Router(config-ctrl-cas)# ani-digits
          Router(config-ctrl-cas)# answer-signal
          Router(config-ctrl-cas)# caller-digits
          Router(config-ctrl-cas)# category
          Router(config-ctrl-cas)# default
          Router(config-ctrl-cas)# dnis-digits
          Router(config-ctrl-cas)# invert-abcd
          Router(config-ctrl-cas)# ka
          Router(config-ctrl-cas)# kd
          Router(config-ctrl-cas)# metering
          Router(config-ctrl-cas)# nc-congestion
          Router(config-ctrl-cas)# unused-abcd
          Router(config-ctrl-cas)# request-category
        Purpose: Further customizes the R2 signaling parameters. Some switch types require you to
        fine-tune your R2 settings. Do not tamper with these commands unless you fully understand your
        switch’s requirements. For nearly all network scenarios, the country name use-defaults command
        fully configures your country’s local settings. You should not need to perform Step 5. See the
        cas-custom command reference page for more information about each signaling command.

Monitoring E1 R2 Signaling
To monitor E1 R2 signaling, use the following commands in EXEC mode as needed:

Command: Router> show controllers e1
   or    Router> show controllers e1 number
Purpose: Displays the status for all controllers or a specific controller. Be sure the status indicates
the controller is up and there are no alarms or errors (lines 2, 4, 9, and 10, as shown immediately below
in the “Monitoring E1 R2 Using the show controllers e1 Command” section).

Command: Router> show modem csm [slot/port | group number]
Purpose: Displays status for a specific modem, as shown below in the “Monitoring E1 R2 Signaling Using
the show modem csm Command” section.
Monitoring E1 R2 Using the show controllers e1 Command
Router# show controllers e1 0
E1 0 is up.
Applique type is Channelized E1 - balanced
No alarms detected.
Version info of Slot 0: HW: 2, Firmware: 4, PLD Rev: 2
Manufacture Cookie is not programmed.
Framing is CRC4, Line Code is HDB3, Clock Source is Line Primary.
Data in current interval (785 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 13 15 minute intervals):
0 Line Code Violations, 0 Path Code Violations,
0 Slip Secs, 12 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 12 Unavail Secs
Monitoring E1 R2 Signaling Using the show modem csm Command
Router# show modem csm 1/0
MODEM_INFO: slot 1, port 0, unit 0, tone r2-compelled, modem_mask=0x0000,
modem_port_offset=0
tty_hwidb=0x60E63E4C, modem_tty=0x60C16F04, oobp_info=0x00000000, modem_pool=0x60BC60CC
modem_status(0x0002): VDEV_STATUS_ACTIVE_CALL.
csm_state(0x0205)=CSM_IC5_CONNECTED, csm_event_proc=0x600CFF70, current call thru CAS line
invalid_event_count=0, wdt_timeout_count=0
wdt_timestamp_started is not activated
wait_for_dialing:False, wait_for_bchan:False
pri_chnl=TDM_PRI_STREAM(s0, u3, c7), modem_chnl=TDM_MODEM_STREAM(s1, c0)
dchan_idb_start_index=0, dchan_idb_index=0, call_id=0x0239, bchan_num=6
csm_event=CSM_EVENT_DSX0_CONNECTED, cause=0x0000
ring_no_answer=0, ic_failure=0, ic_complete=3
dial_failure=0, oc_failure=0, oc_complete=0
oc_busy=0, oc_no_dial_tone=0, oc_dial_timeout=0
remote_link_disc=2, stat_busyout=2, stat_modem_reset=0
oobp_failure=0
call_duration_started=00:04:56, call_duration_ended=00:00:00, total_call_duration=00:01:43
The calling party phone number =
The called party phone number = 9993003
total_free_rbs_timeslot = 0, total_busy_rbs_timeslot = 0, total_dynamic_busy_rbs_timeslot
= 0, total_static_busy_rbs_timeslot = 0, min_free_modem_threshold = 0
Verifying E1 R2 Signaling
To verify the E1 R2 signaling configuration, enter the show controller e1 command to view the status
for all controllers, or enter the show controller e1 slot/port command to view the status for a particular
controller. Make sure that the status indicates that the controller is up (line 2 in the following example)
and that no alarms (line 6 in the following example) or errors (lines 9, 10, and 11 in the following
example) have been reported.
Router# show controller E1 1/0
E1 1/0 is up.
Applique type is Channelized E1
Cablelength is short 133
Description: E1 WIC card Alpha
No alarms detected.
Framing is CRC4, Line Code is HDB3, Clock Source is Line Primary.
Data in current interval (1 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
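The three checks described above (controller up, no alarms, zero error counters in the current interval) are easy to automate when the output is collected from many controllers. The following Python is an added example, not part of the guide; the sample listings are constructed to mirror the show controller E1 1/0 output above, and the alarm wording in the degraded sample is an assumption rather than text from the page.

```python
import re
from typing import Dict, List

# Constructed sample output, modelled on the "show controller E1 1/0" listing
# above; it was not captured from a real device.
HEALTHY_OUTPUT = """\
E1 1/0 is up.
Applique type is Channelized E1
Cablelength is short 133
Description: E1 WIC card Alpha
No alarms detected.
Framing is CRC4, Line Code is HDB3, Clock Source is Line Primary.
Data in current interval (1 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
"""

# Constructed failing sample: a down controller, one alarm line (assumed
# wording) and non-zero error counters in the current interval.
DEGRADED_OUTPUT = """\
E1 0 is down.
Applique type is Channelized E1 - balanced
Receiver has loss of signal.
Framing is CRC4, Line Code is HDB3, Clock Source is Line Primary.
Data in current interval (785 seconds elapsed):
3 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 12 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 12 Unavail Secs
Total Data (last 13 15 minute intervals):
0 Line Code Violations, 0 Path Code Violations,
0 Slip Secs, 12 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 12 Unavail Secs
"""

# "E1 1/0 is up." / "E1 0 is down." (line 2 of the listing in the text)
STATUS_RE = re.compile(r"^(?P<ctrl>[ET]1 [\d/]+) is (?P<state>up|down)\.", re.M)
# "<count> <counter name>" pairs separated by commas on the counter lines
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z ]+?)(?:,|$)")


def parse_show_controller(text: str) -> Dict:
    """Parse one controller's 'show controller e1' listing into a dict."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no '<controller> is up/down.' status line found")
    parsed = {
        "controller": m.group("ctrl"),
        "up": m.group("state") == "up",
        "alarms": [],
        "current_interval": {},
    }
    in_current = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Data in current interval"):
            in_current = True
            continue
        if line.startswith("Total Data"):
            in_current = False  # 24-hour history; not part of the quick check
            continue
        if in_current:
            for value, name in COUNTER_RE.findall(line):
                parsed["current_interval"][name.strip()] = int(value)
        elif ("alarm" in line.lower() or "loss of" in line.lower()) \
                and not line.startswith("No alarms"):
            parsed["alarms"].append(line)
    return parsed


def check_health(parsed: Dict) -> List[str]:
    """Apply the checks from the text: controller up, no alarms, and every
    current-interval error counter zero. Returns findings; empty means healthy."""
    findings: List[str] = []
    if not parsed["up"]:
        findings.append(f"{parsed['controller']} is down")
    findings.extend(f"alarm reported: {a}" for a in parsed["alarms"])
    for name, value in parsed["current_interval"].items():
        if value:
            findings.append(f"{name} = {value} in current interval")
    return findings


if __name__ == "__main__":
    for sample in (HEALTHY_OUTPUT, DEGRADED_OUTPUT):
        result = parse_show_controller(sample)
        print(result["controller"], check_health(result) or "OK")
```

Only the current interval is evaluated, matching the lines the text points at; the Total Data block is retained history and is skipped so that an old outage does not keep a now-healthy controller flagged.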
Troubleshooting E1 R2 Signaling
If a connection does not come up, check for the following:
• Loose wires, splices, connectors, shorts, bridge taps, and grounds
• Backward send and receive
• Mismatched framing types (for example, CRC-4 versus no CRC-4)
• Send and receive pair separation (crosstalk)
• Faulty line cards or repeaters
• Noisy lines (for example, power and crosstalk)
If you see errors on the line or the line is going up and down, check the following:
• Mismatched line codes (HDB3 versus AMI)
• Receive level
• Frame slips due to poor clocking plan
If problems persist, enable the modem management Call Switching Module (CSM) debug mode using the
debug modem csm command, as shown in the “Debugging E1 R2 Signaling Using the debug modem
Command” section that follows.
Debugging E1 R2 Signaling Using the debug modem Command
Router# debug modem csm 1/0
*May 15 04:05:46.675: VDEV_ALLOCATE: slot 2 and port 39 is allocated.
*May 15 04:05:46.675: CSM_RX_CAS_EVENT_FROM_NEAT:(04BF): EVENT_CALL_DIAL_IN at slot 2 and
port 39
*May 15 04:05:46.675: CSM_PROC_IDLE: CSM_EVENT_DSX0_CALL at slot 2, port 39
*May 15 04:05:46.675: Mica Modem(2/39): Configure(0x0)
*May 15 04:05:46.675: Mica Modem(2/39): Configure(0x3)
*May 15 04:05:46.675: Mica Modem(2/39): Configure(0x6)
*May 15 04:05:46.675: Mica Modem(2/39): Call Setup
*May 15 04:05:46.891: Mica Modem(2/39): State Transition to Call Setup
*May 15 04:05:46.891: Mica Modem(2/39): Went offhook
*May 15 04:05:46.891: CSM_PROC_IC1_RING: CSM_EVENT_MODEM_OFFHOOK at slot 2, port 39
When the E1 controller comes up, you will see the following messages:
%CONTROLLER-3-UPDOWN: Controller E1 0, changed state to up
It also shows these messages for individual timeslots:
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 1 is up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 2 is up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 3 is up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 4 is up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 5 is up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 6 is up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 7 is up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 8 is up
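When these messages are collected by a syslog server rather than read from the console, replaying them in order gives the current state of every controller and time slot, which is what an operator wants to compare against the provisioned layout. The following Python is an added example, not part of the guide; the sample log is constructed from the messages quoted above, and the "down" variants (%DSX0-5-RBSLINEDOWN, "changed state to down") are assumed forms of the same messages rather than text from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log. The "up" lines mirror the messages quoted above;
# the "down" lines are assumed counterparts and are not taken from the page.
SAMPLE_LOG = """\
%CONTROLLER-3-UPDOWN: Controller E1 0, changed state to up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 1 is up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 2 is up
%DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 3 is up
%DSX0-5-RBSLINEDOWN: RBS of controller 1 timeslot 2 is down
%CONTROLLER-3-UPDOWN: Controller E1 1, changed state to down
"""

CTRL_RE = re.compile(
    r"%CONTROLLER-\d-UPDOWN: Controller (?P<name>[ET]1 [\d/]+), "
    r"changed state to (?P<state>up|down)")
RBS_RE = re.compile(
    r"%DSX0-\d-RBSLINE(?:UP|DOWN): RBS of controller (?P<ctrl>\d+) "
    r"timeslot (?P<ts>\d+) is (?P<state>up|down)")


def track_state(log: str) -> Tuple[Dict[str, bool], Dict[Tuple[int, int], bool]]:
    """Replay the log in order; the last message seen for each object wins."""
    controllers: Dict[str, bool] = {}
    timeslots: Dict[Tuple[int, int], bool] = {}
    for line in log.splitlines():
        m = CTRL_RE.search(line)
        if m:
            controllers[m.group("name")] = m.group("state") == "up"
            continue
        m = RBS_RE.search(line)
        if m:
            key = (int(m.group("ctrl")), int(m.group("ts")))
            timeslots[key] = m.group("state") == "up"
    return controllers, timeslots


def missing_timeslots(timeslots: Dict[Tuple[int, int], bool],
                      controller: int, expected: range) -> List[int]:
    """Time slots of one controller that never came up or went down again."""
    return [ts for ts in expected if not timeslots.get((controller, ts), False)]


if __name__ == "__main__":
    ctrls, slots = track_state(SAMPLE_LOG)
    print("controllers:", ctrls)
    print("controller 1, expected 1-4, not up:", missing_timeslots(slots, 1, range(1, 5)))
```

Passing the provisioned time-slot range as `expected` turns the replay into a check: a slot that never produced an RBSLINEUP message is reported the same way as one that later went down.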
Enabling R1 Modified Signaling in Taiwan
Enabling R1 modified signaling allows a Cisco universal access server to communicate with central
office trunks that also use R1 modified signaling. R1 modified signaling is an international signaling
standard that is common to channelized T1/E1 networks. Cisco IOS Release 12.1 supports R1 modified
signaling customized for Taiwan only. You can configure a channelized T1/E1 interface to support
different types of R1 modified signaling, which is used in older analog telephone networks.
This feature allows enterprises and service providers to fully interoperate with the installed Taiwanese
telecommunications standards, providing interoperability in addition to the vast array of Cisco IOS
troubleshooting and diagnostic capability. This feature will provide customers with a seamless,
single-box solution for their Taiwan signaling requirements.
Note This type of signaling is not the same as ITU R1 signaling; it is R1 signaling modified for Taiwan
specifically. In the future, R1 modified signaling will be supported by the Cisco AS5800 access
server, and will also be available in Turkey.
The following restrictions apply to the use of R1 modified signaling:
• Because different line signaling types use different A/B/C/D bit definitions to represent the line state,
you must understand the provisioning of the T1/E1 trunk before configuring the CAS group. If the
wrong provisioning type is configured, the access server might interpret the A/B/C/D bits incorrectly
and behave erratically.
• Cisco access servers (Cisco AS5300 and Cisco AS5800) with Microcom modems cannot support
this feature.
• You must know the configuration of the T1/E1 trunk before configuring the cas-group. If there is a
trunk provisioning mismatch, performance problems may occur.
R1 Modified Signaling Topology
Figure 46 illustrates a service provider using R1 signaling with E1 and a Cisco AS5200 access server.
The network topology would be the same for T1 or a Cisco AS5300 access server.
Figure 46 Service Provider Using E1 R1 Signaling with a Cisco AS5200 Access Server
Figure 47 illustrates a service provider using R1 modified signaling with E1 and a Cisco AS5800 access
server.
Figure 47 Service Provider Using E1 R1 Modified Signaling with a Cisco AS5800 Access Server
R1 Modified Signaling Configuration Task List
This section describes how to enable R1 modified signaling on your Cisco access server on both a T1
and E1 interface.
Before beginning the tasks in this section, check for the following hardware and software in your system:
• Cisco AS5200, Cisco AS5300, or Cisco AS5800 access server (without a Microcom modem)
• Cisco IOS Release 12.1 or later software
• MICA feature module
• Portware Version 2.3.1.0 or later
[Figure 46 (image not reproduced): PC running Windows 95 making analog modem calls into the Cisco AS5200 -> 56k modem -> PSTN / Telco switch -> 2 CE1 lines -> Cisco AS5200 loaded with 56k MICA modems -> 10BaseT -> service provider LAN / data network]
[Figure 47 (image not reproduced): PC making analog modem calls into the Cisco AS5800 -> 56K modem -> PSTN / Telco switch -> 12 CE1 lines -> Cisco AS5800 with a 72-modem MICA card per CE1 line -> 10BASE-T -> service provider LAN / data network]
For information on upgrading your Cisco IOS images, modem portware, or modem code, go to the
following locations and then select your access server type (Cisco AS5200, Cisco AS5300, or
Cisco AS5800) and port information:
• On Cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/
Or, follow this path:
Cisco Product Documentation/Access Servers and Access Routers/Access Servers
• On the Documentation CD-ROM:
Cisco Product Documentation/Access Servers and Access Routers/Access Servers
To configure R1 modified signaling, perform the tasks in the following sections, as required:
• Configuring R1 Modified Signaling on a T1 Interface
• Configuring R1 Modified Signaling on an E1 Interface
Note The sample prompts and output are similar for the Cisco AS5200, Cisco AS5300 and Cisco AS5800
access servers.
Configuring R1 Modified Signaling on a T1 Interface
To configure R1 modified signaling on a T1 interface, use the following commands beginning in global
configuration mode:
Command Purpose
Step 1 Cisco AS5800 access server:
Router(config)# controller t1 shelf/slot/port
Router(config-controller)#
or
Cisco AS5200 and AS5300 access servers:
Router(config)# controller t1 [0 | 1 | 2 | 3]
Router(config-controller)#
Specifies the T1 controller that you want to configure and begins controller configuration mode. Refer
to the Cisco AS5800 Universal Access Server Software Installation and Configuration Guide for port
details. The T1 controller ports are labeled 0 to 3 on the quad T1/PRI cards in the Cisco AS5200 and
AS5300 access servers.
Step 2 Router(config-controller)# framing {sf | esf}
Entering framing sf configures superframe (SF) framing on the T1. Entering framing esf configures
extended superframe (ESF) framing.
Step 3 Router(config-controller)# linecode {ami | b8zs}
Entering linecode ami configures AMI [1] line-code encoding. Entering linecode b8zs configures B8ZS
line-code encoding.
Step 4 Router(config-controller)# clock source {internal | line [primary | secondary]}
Entering clock source internal selects the internal clock. Entering clock source line primary selects the
primary recovered clock. Entering clock source line secondary selects the secondary recovered clock.
Step 5 Router(config-controller)# cas-group 1 timeslots 1-24 type {r1-modified {ani-dnis | dnis} | r1-itu {dnis}}
Configures the time slots that belong to each T1 circuit for r1-modified or r1-itu signaling. [2]
• The cas-group number ranges from 0 to 23 for CT1.
• The timeslot number ranges from 1 to 24 for CT1.
• For the type, each CAS group can be configured as one of the robbed-bit signaling provisions.
• ani-dnis indicates that R1 will collect ANI and DNIS information; dnis indicates that R1 will collect
only DNIS information.
Step 6 Router(config-controller-cas)# ^Z
Router#
%SYS-5-CONFIG_I: Configured from console by console
Returns to enable mode by simultaneously pressing the Ctrl key and the z key. (The message returned
is expected and does not indicate an error.)
1. AMI = alternate mark inversion.
2. For a more detailed description of the syntax and arguments of this command, refer to the Cisco IOS Dial Technologies Command Reference.
Configuring R1 Modified Signaling on an E1 Interface
To configure R1 modified signaling on an E1 interface, use the following commands beginning in global
configuration mode:
Command Purpose
Step 1 Cisco AS5800 access server:
Router(config)# controller e1 shelf/slot/port
or
Cisco AS5200 and AS5300 access servers:
Router(config)# controller e1 [0 | 1 | 2 | 3]
Specifies the E1 controller that you want to configure and begins controller configuration mode. Refer
to the Cisco AS5800 Universal Access Server Software Installation and Configuration Guide for port
details. The controller ports are labeled 0 to 3 on the quad E1/PRI cards in the Cisco AS5200 and
AS5300 access servers.
Step 2 Router(config-controller)# framing {crc4 | no-crc4}
Entering framing crc4 configures E1 framing with CRC4 [1]. Entering framing no-crc4 configures E1
framing without CRC4.
Step 3 Router(config-controller)# linecode {ami | hdb3}
Entering linecode ami configures AMI [2] line-code encoding. Entering linecode hdb3 configures
HDB3 [3] line-code encoding.
Step 4 Router(config-controller)# clock source {internal | line [primary | secondary]}
Entering clock source internal selects the internal clock. Entering clock source line primary selects the
primary recovered clock. Entering clock source line secondary selects the secondary recovered clock.
Step 5 Router(config-controller)# cas-group 1 timeslots 1-15, 17-31 type r1-modified {ani-dnis | dnis}
Configures the time slots that belong to each E1 circuit for R1 modified signaling. [4] Time slot 16
carries the CAS signaling on an E1 and is therefore left out of the range.
• The cas-group number ranges from 0 to 30 for CE1.
• The timeslot number ranges from 1 to 31 for CE1.
• For the type, each CAS group can be configured as one of the robbed-bit signaling provisions.
• ani-dnis indicates that R1 will collect ANI and DNIS information; dnis indicates that R1 will collect
only DNIS information.
Step 6 Router(config-controller-cas)# cas-custom 1
(Optional) Enters the channel number to customize.
Step 7 Router(config-controller-cas)# ^Z
Router#
%SYS-5-CONFIG_I: Configured from console by console
Returns to enable mode by simultaneously pressing the Ctrl key and the Z key. This message is normal
and does not indicate an error.
1. CRC = cyclic redundancy check.
2. AMI = alternate mark inversion.
3. HDB3 = high-density bipolar 3.
4. For a more detailed description of the syntax and arguments of this command, refer to the Cisco IOS Dial Technologies Command Reference.
Troubleshooting Channelized E1 and T1 Channel Groups
Each channelized T1 or channelized E1 channel group is treated as a separate serial interface. To
troubleshoot channel groups, first verify the configuration and check everything that is normally checked
for serial interfaces. You can verify that the time slots and speed are correct for the channel group by
checking for CRC errors and aborts on the incoming line.
Note None of the Cisco channelized interfaces react to loop codes received on the line. To loop a
channelized interface, the loopback configuration command must be entered manually.
Two loopbacks are available for channel groups and are described in the following sections:
• Interface Local Loopback
• Interface Remote Loopback
Interface Local Loopback
Interface local loopback is a bidirectional loopback, which loops back both toward the router and toward
the line. The entire set of time slots for the channel group is looped back. The service provider can use
a BERT test set to test the link from the central office to your local router, or the remote router can test
using pings to its local interface (which go from the remote site, are looped back at your local site, and
return to the interface on the remote site).
To place the serial interface (channel group) into local loopback, use the following command in interface
configuration mode:
Command Purpose
Router(config-if)# loopback local Places the serial interface (channel group) in local loopback.
Interface Remote Loopback
Remote loopback is the ability to put the remote DDS CSU/DSU in loopback. It works only with
channel groups that have a single DS0 (1 time slot), and with equipment that supports a latched CSU
loopback as specified in AT&T specification TR-TSY-000476, “OTGR Network Maintenance Access
and Testing.” To place the serial interface (channel group) in remote loopback, use the following
command in interface configuration mode:
Command Purpose
Router(config-if)# loopback remote interface Places the serial interface (channel group) in remote loopback.
Using the loopback remote interface command sends a latched CSU loopback command to the remote
CSU/DSU. The router must detect the response code, at which time the remote loopback is verified.
Configuration Examples for Channelized E1 and Channelized T1
• ISDN PRI Examples
• PRI Groups and Channel Groups on the Same Channelized T1 Controller Example
• Robbed-Bit Signaling Examples
• Switched 56K Configuration Examples
• ISDN CAS Examples
• E1 R2 Signaling Procedure
• R1 Modified Signaling Using an E1 Interface Example
• R1 Modified Signaling for Taiwan Configuration Example
ISDN PRI Examples
This section contains the following ISDN PRI examples:
• Global ISDN, BRI, and PRI Switch Example
• Global ISDN and Multiple BRI and PRI Switch Using TEI Negotiation Example
• NSF Call-by-Call Support Example
• PRI on a Cisco AS5000 Series Access Server Example
• ISDN B-Channel Busyout Example
• Multiple ISDN Switch Types Example
• Outgoing B-Channel Ascending Call Order Example
• Static TEI Configuration Example
• Call Reject Configuration Examples
• ISDN Cause Code Override and Guard Timer Example
Global ISDN, BRI, and PRI Switch Example
The following example shows BRI interface 0 configured for a NET3 ISDN switch type (basic-net3
keyword) that will override the National ISDN switch type configured globally. The PRI interface
(channelized T1 controller) is configured for ISDN switch type Primary-Net5 and is applied only to the
PRI.
isdn switch-type basic-ni
!
interface BRI0
isdn switch-type basic-net3
interface serial0:23
! Apply the primary-net5 switch to this interface only.
isdn switch-type primary-net5
Global ISDN and Multiple BRI and PRI Switch Using TEI Negotiation Example
In the following example, the global ISDN switch type setting is NET3 ISDN (basic-net3 keyword) and
the PRI interface (channelized T1 controller) is configured to use isdn switch-type primary-net5. BRI
interface 0 is configured for isdn switch-type basic-ni and isdn tei first-call. TEI first-call negotiation
configured on BRI interface 0 overrides the default value (isdn tei powerup).
isdn switch-type basic-net
!
interface serial0:23
isdn switch-type primary-net5
ip address 172.21.24.85 255.255.255.0
!
interface BRI0
isdn switch-type basic-ni
isdn tei first-call
NSF Call-by-Call Support Example
The following example configures NSF, which is needed for an AT&T 4ESS switch when it is configured
for call-by-call support. In call-by-call support, the PRI 4ESS switch expects some AT&T-specific
information when placing outgoing ISDN PRI voice calls. The options are accunet, sdn, and megacom.
This example shows both the controller and interface commands required to make the ISDN interface
operational and the DDR commands, such as the dialer map, dialer-group, and map-class dialer
commands, that are needed to configure the ISDN interface to make outgoing calls.
! The following lines configure the channelized T1 controller; all time slots are
! configured for ISDN PRI.
!
controller t1 1/1
framing esf
linecode b8zs
pri-group timeslots 1-23
isdn switchtype primary-4ess
!
! The following lines configure the D channel for DDR. This configuration applies
! to all B channels on the ISDN PRI interface.
interface serial 1/1:23
description Will mark outgoing calls from AT&T type calls.
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.2 name tommyjohn class sdnplan 14193460913
dialer map ip 10.1.1.3 name angus class megaplan 14182616900
dialer map ip 10.1.1.4 name angus class accuplan 14193453730
dialer-group 1
ppp authentication chap
map-class dialer sdnplan
dialer outgoing sdn
map-class dialer megaplan
dialer voice-call
dialer outgoing mega
map-class dialer accuplan
dialer outgoing accu
PRI on a Cisco AS5000 Series Access Server Example
The following example configures ISDN PRI on the appropriate interfaces for IP dial-in on channelized
T1:
! T1 PRI controller configuration
controller T1 0
framing esf
linecode b8zs
clock source line primary
pri-group timeslots 1-24
!
controller T1 1
framing esf
linecode b8zs
clock source line secondary
pri-group timeslots 1-24
!
interface Serial0:23
isdn incoming-voice modem
dialer rotary-group 1
!
interface Serial1:23
isdn incoming-voice modem
dialer rotary-group 1
!
interface Loopback0
ip address 172.16.254.254 255.255.255.0
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
!
interface Group-Async1
ip unnumbered Loopback0
ip tcp header-compression passive
encapsulation ppp
async mode interactive
peer default ip address pool default
dialer-group 1
ppp authentication chap pap default
group-range 1 48
!
interface Dialer1
ip unnumbered Loopback0
encapsulation ppp
peer default ip address pool default
ip local pool default 172.16.254.1 172.16.254.48
dialer in-band
dialer-group 1
dialer idle-timeout 3600
ppp multilink
ppp authentication chap pap default
The following example configures ISDN PRI on the appropriate interfaces for IP dial-in on
channelized E1:
! E1 PRI controller configuration
controller E1 0
framing crc4
linecode hdb3
clock source line primary
pri-group timeslots 1-31
!
controller E1 1
framing crc4
linecode hdb3
clock source line secondary
pri-group timeslots 1-31
interface serial0:15
isdn incoming-voice modem
dialer rotary-group 1
!
interface serial1:15
isdn incoming-voice modem
dialer rotary-group 1
!
interface loopback0
ip address 172.16.254.254 255.255.255.0
!
interface ethernet0
ip address 172.16.1.1 255.255.255.0
!
! The following block of commands configures DDR for all the ISDN PRI interfaces
! configured above. The dialer-group and dialer rotary-group commands tie the
! interface configuration blocks to the DDR configuration.
!
interface dialer1
ip unnumbered loopback0
encapsulation ppp
peer default ip address pool default
ip local pool default 172.16.254.1 172.16.254.60
dialer in-band
dialer-group 1
dialer idle-timeout 3600
ppp multilink
ppp authentication chap pap default
ISDN B-Channel Busyout Example
interface Serial0:23
ip address 172.16.0.0 192.168.0.0
no ip directed-broadcast
encapsulation ppp
no keepalive
dialer idle-timeout 400
dialer load-threshold 1 either
dialer-group 1
isdn switch-type primary-5ess
isdn incoming-voice modem
isdn snmp busyout b-channel
no fair-queue
no cdp enable
Multiple ISDN Switch Types Example
The following example configures ISDN switch type keyword primary-4ess on channelized T1
controller 0 and a switch type keyword primary-net5 for channelized T1 controller 1.
controller t1 0
framing esf
linecode b8zs
isdn switchtype primary-4ess
!
controller t1 1
framing esf
linecode b8zs
isdn switchtype primary-net5
The following example shows BRI interface 0 configured for switch type keyword basic-net3 (NET3
ISDN) that will override the global switch type keyword basic-ni (National ISDN). The PRI interface
(channelized T1 controller), is configured for ISDN switch type keyword primary-net5 and is applied
only to the PRI interface.
isdn switch-type basic-ni
!
interface BRI0
isdn switch-type basic-net3
interface serial0:23
! Apply the primary-net5 switch to this interface only.
isdn switch-type primary-net5
Outgoing B-Channel Ascending Call Order Example
The following example configures the router to use global ISDN switch-type keyword primary-ni and
configures the ISDN outgoing call channel selection to be made in ascending order:
isdn switch-type primary-ni
!
interface serial0:23
isdn bchan-number-order ascending
Static TEI Configuration Example
The following example shows a static TEI configuration:
interface bri 0
isdn static-tei 1
Call Reject Configuration Examples
The following example configures the network to accept incoming ISDN voice calls and reject data calls:
interface Serial4:23
description Connected to V-Sys R2D2
no ip address
isdn switch-type primary-5ess
isdn incoming-voice modem
isdn reject data
no cdp enable
end
The following example sets cause code 21 to reject all incoming data calls:
interface serial 2/0:23
isdn reject data
isdn reject cause 21
ISDN Cause Code Override and Guard Timer Example
The following example shows how to configure cause code override and the ISDN guard timer:
interface Serial0:23
no ip address
no ip directed-broadcast
encapsulation ppp
dialer rotary-group 0
isdn switch-type primary-5ess
isdn incoming-voice modem
isdn disconnect-cause 17
isdn guard-timer 3000 on-expiry accept
isdn calling-number 8005551234
no fair-queue
no cdp enable
PRI Groups and Channel Groups on the Same Channelized T1 Controller
Example
The following example shows a channelized T1 controller configured for PRI groups and for channel
groups. The pri-group command and the channel-group command cannot have overlapping time slots;
note the correct time slot configuration in this example.
controller t1 0
channel-group 0 timeslot 1-6
channel-group 1 timeslot 7
channel-group 2 timeslot 8
channel-group 3 timeslot 9-11
pri-group timeslot 12-24
The same type of configuration also applies to channelized E1.
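The non-overlap rule is easy to violate by hand when several groups are edited on one controller, and the device only tells you at commit time. The following Python is an added example, not part of the guide: it reads controller configuration text, expands the time-slot ranges and reports any slot claimed by two groups or lying outside the controller's range (1-24 for T1, 1-31 for E1). It also flags a cas-group on an E1 that includes time slot 16, the slot the E1 table earlier in this chapter leaves out of its 1-15, 17-31 range because it carries the CAS signaling. The sample configurations are constructed; GOOD_T1 repeats the layout shown above, the others break the rules on purpose.

```python
import re
from typing import List, Set, Tuple

# Constructed sample configurations (assumed input, not captured from a device).
GOOD_T1 = """\
controller t1 0
 channel-group 0 timeslot 1-6
 channel-group 1 timeslot 7
 channel-group 2 timeslot 8
 channel-group 3 timeslot 9-11
 pri-group timeslot 12-24
"""
BAD_T1 = """\
controller t1 1
 channel-group 0 timeslots 1-8
 pri-group timeslots 6-24
 cas-group 1 timeslots 20-24 type e&m-fgb
"""
GOOD_E1 = "controller e1 0\n cas-group 1 timeslots 1-15, 17-31 type r1-modified dnis\n"
BAD_E1 = "controller e1 1\n cas-group 1 timeslots 1-31 type r1-modified dnis\n"

CONTROLLER_RE = re.compile(r"^\s*controller\s+(?P<kind>[te]1)\s+(?P<name>\S+)", re.I)
# pri-group has no group number; channel-group and cas-group do. 'timeslot'
# and 'timeslots' are both accepted, as in the examples above.
GROUP_RE = re.compile(
    r"^\s*(?P<kind>pri-group|channel-group|cas-group)(?: (?P<num>\d+))?"
    r" timeslots? (?P<ranges>[\d,\-\s]+?)(?: type .*)?\s*$")


def parse_timeslots(spec: str) -> Set[int]:
    """Expand '1-15, 17-31' style range lists into a set of time-slot numbers."""
    slots: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            slots.update(range(int(lo), int(hi) + 1))
        else:
            slots.add(int(part))
    return slots


def parse_controller(text: str) -> Tuple[str, List[Tuple[str, Set[int]]]]:
    """Return the controller type ('t1' or 'e1') and its (group label, slots) list."""
    kind = ""
    groups: List[Tuple[str, Set[int]]] = []
    for line in text.splitlines():
        c = CONTROLLER_RE.match(line)
        if c:
            kind = c.group("kind").lower()
            continue
        g = GROUP_RE.match(line)
        if g:
            label = g.group("kind") if g.group("num") is None \
                else f"{g.group('kind')} {g.group('num')}"
            groups.append((label, parse_timeslots(g.group("ranges"))))
    return kind, groups


def check_timeslots(text: str) -> List[str]:
    """Report out-of-range slots, E1 cas-groups that include slot 16, and overlaps."""
    kind, groups = parse_controller(text)
    limit = 24 if kind == "t1" else 31
    findings: List[str] = []
    for label, slots in groups:
        out_of_range = sorted(s for s in slots if s < 1 or s > limit)
        if out_of_range:
            findings.append(f"{label}: time slots {out_of_range} are outside 1-{limit} for {kind.upper()}")
        if kind == "e1" and label.startswith("cas-group") and 16 in slots:
            findings.append(f"{label}: time slot 16 carries the CAS signaling on E1 and cannot be in a cas-group")
    for i, (label_a, slots_a) in enumerate(groups):
        for label_b, slots_b in groups[i + 1:]:
            overlap = sorted(slots_a & slots_b)
            if overlap:
                findings.append(f"{label_a} and {label_b} overlap on time slots {overlap}")
    return findings


if __name__ == "__main__":
    for cfg in (GOOD_T1, BAD_T1, GOOD_E1, BAD_E1):
        print(cfg.splitlines()[0], "->", check_timeslots(cfg) or "OK")
```

Run it over the controller blocks of a running-config before pushing a change; a pri-group whose D-channel slot (24 on T1, 16 on E1) is also claimed by a channel-group shows up as an overlap finding.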
Robbed-Bit Signaling Examples
This section provides sample configurations for the T1 controllers on the Cisco access server. You can
configure the 24 channels of a channelized T1 to support ISDN PRI, robbed-bit signaling, channel
grouping, or a combination of all three. The following samples are provided:
• Allocating All Channels for Robbed-Bit Signaling Example
• Mixing and Matching Channels—Robbed-Bit Signaling and Channel Grouping
Allocating All Channels for Robbed-Bit Signaling Example
The following example configures all 24 channels to support robbed-bit signaling feature group B on a
Cisco access server:
controller T1 0
cas-group 1 timeslots 1-24 type e&m-fgb
Mixing and Matching Channels—Robbed-Bit Signaling and Channel Grouping
The following example shows you how to configure all 24 channels to support a combination of ISDN
PRI, robbed-bit signaling, and channel grouping. The range of time slots that you allocate must match
the time slot allocations that your central office chooses to use. This is a rare configuration due to the
complexity of aligning the correct range of time slots on both ends of the connection.
The following configuration creates serial interfaces 0 to 9, which correspond to ISDN PRI time slots 1
to 10 (shown as serial 1:0 through serial 1:9). The serial line 1:23 is the D channel, which carries the
analog signal bits that dial the phone number of the modem and determine if a modem is busy or
available. The D channel is automatically created and assigned to time slot 24.
controller T1 0
! ISDN PRI is configured on time slots 1 through 10.
pri-group timeslots 1-10
! Channelized T1 data is transmitted over time slots 11 through 16.
channel-group 11 timeslots 11-16
! The channel-associated signal ear and mouth feature group B is configured on
! virtual signal group 17 for time slots 17 to 23, which are used for incoming
! and outgoing analog calls.
cas-group 17 timeslots 17-23 type e&m-fgb
There is no specific interface, such as the serial interface shown in the earlier examples, that corresponds
to the time-slot range.
Switched 56K Configuration Examples
The following switched 56K configuration examples are provided:
• Switched 56K T1 Controller Procedure
• Mixture of Switched 56K and Modem Calls over CT1 CAS Example
• Switched 56K and Analog Modem Calls over Separate T1 CAS Lines Example
• Comprehensive Switched 56K Startup Configuration Example
Switched 56K T1 Controller Procedure
The following procedure shows how to configure one T1 controller on a Cisco access server to support
switched 56K digital calls. The Cisco access server has four controllers, which are numbered 0 to 3. If
you want all four T1 controllers to support switched 56K calls, then repeat this procedure on each
controller.
Step 1 Enter global configuration mode using the configure terminal command:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Step 2 Specify a T1 controller with the controller t1 number command. Replace the number variable with a
controller number from 0 to 3.
Router(config)# controller t1 1
Step 3 Configure robbed-bit signaling on a range of time slots, then specify switched 56K digital services using
the cas-group command. In this example, all calls coming into controller T1 1 are expected to be
switched 56K data calls, not analog modem calls.
Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb service data
Note Be sure your signaling type matches the signaling type specified by the central office or telco
on the other end. For a list of supported signaling types and how to collect DNIS, refer to the
cas-group command description for the E1 controller card in the Cisco IOS Dial
Technologies Command Reference, Release 12.2.
Step 4 Set the framing for your network environment. You can choose ESF (enter framing esf) or SF (enter
framing sf).
Router(config-controller)# framing esf
Step 5 Set the line-code type for your network environment. You can choose AMI encoding (enter linecode
ami) or B8ZS encoding (enter linecode b8zs).
Router(config-controller)# linecode b8zs
Mixture of Switched 56K and Modem Calls over CT1 CAS Example
The following example configures one T1 controller to accept incoming switched 56K digital calls and
analog modem calls over the same T1 CAS line. Time slots 1 through 10 are provisioned by the telco to
support switched 56K digital calls. Time slots 11 through 24 are provisioned to support analog modem
calls. Due to the DS0s provisioning, it is impossible for analog modems calls to be sent over the DS0s
that map to time slots 1 through 10.
controller T1 0
cas-group 1 timeslots 1-10 type e&m-fgb service data
cas-group 1 timeslots 11-24 type e&m-fgb service voice
framing esf
clock source line primary
linecode b8zs
exit
Switched 56K and Analog Modem Calls over Separate T1 CAS Lines Example
The following example configures one Cisco access server to accept 50 percent switched 56K digital
calls and 50 percent analog modem calls. The controllers T1 0 and T1 1 are configured to support the
switched 56K digital calls using the cas-group 1 timeslots 1-24 type e&m-fgb service data
command. Controllers T1 2 and T1 3 are configured to support analog modem calls.
controller T1 0
cas-group 1 timeslots 1-24 type e&m-fgb service data
framing esf
clock source line primary
linecode b8zs
exit
controller T1 1
cas-group 1 timeslots 1-24 type e&m-fgb service data
framing esf
clock source line secondary
linecode b8zs
exit
controller T1 2
cas-group 1 timeslots 1-24 type e&m-fgb service voice
framing esf
clock source internal
linecode b8zs
exit
controller T1 3
cas-group 1 timeslots 1-24 type e&m-fgb service voice
framing esf
clock source internal
linecode b8zs
exit
copy running-config startup-config
Comprehensive Switched 56K Startup Configuration Example
The startup configuration in this section runs on the Cisco access server, as shown in Figure 41. This
configuration is for an IP dial-in scenario with a mix of switched 56K calls and modem calls. Switched
56K digital calls come into controllers T1 0 and T1 1. Analog modem calls come into controllers T1 2
and T1 3.
In this example, the switched 56K clients are single endpoints in a remote node configuration. If each
switched 56K client were instead a router with a LAN behind it without port address translation (PAT)
turned on, then a static address, subnet mask, and route must be configured for each remote endpoint.
This configuration would best be done through RADIUS.
After a T1 time slot is configured with robbed-bit signaling using the cas-group command with the
service data option, a logical serial interface is instantly created for each switched 56K channel. For
example, signaling configured on all 24 time slots of controller T1 1 dynamically creates serial interfaces
S0:0 through S0:23. You must then configure protocol support on each serial interface. No interface
group command exists for serial interfaces, unlike asynchronous interfaces via the interface
group-async command. Each serial interface must be individually configured. In most cases, the serial
configurations will be identical. To streamline or shorten this configuration task, you might consider
using a dialer interface, as shown in the following example.
Note In the following example, only analog modem calls encounter the group asynchronous and line
interfaces. Switched 56K calls encounter the logical serial interfaces and dialer interface.
Configuring ISDN PRI
Configuration Examples for Channelized E1 and Channelized T1
DC-303
Cisco IOS Dial Technologies Configuration Guide
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname 5300
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin radius
aaa authentication ppp default local
aaa authentication ppp dialin if-needed radius
aaa authorization exec local radius
aaa authorization network radius
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
!
enable secret cisco
!
username admin password cisco
async-bootp dns-server 10.1.3.1 10.1.3.2
!
!
! Switched 56K calls come into controllers T1 0 and T1 1. Take note of the keywords
! ”service data” in the cas-group command.
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
cas-group 0 timeslots 1-24 type e&m-fgb service data
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
cas-group 1 timeslots 1-24 type e&m-fgb service data
!
! Analog modem calls come into controllers T1 2 and T1 3.
!
controller T1 2
framing esf
clock source internal
linecode b8zs
cas-group 2 timeslots 1-24 type e&m-fgb
!
controller T1 3
framing esf
clock source internal
linecode b8zs
cas-group 3 timeslots 1-24 type e&m-fgb
!
interface loopback0
ip address 10.1.2.62 255.255.255.192
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
ip address 10.1.1.11 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.192
!
! Interface serial0:0 maps to the first switched 56K channel. The dialer rotary-group
! command places this channel in rotary group 1, which is served by interface Dialer1.
!
interface Serial0:0
dialer rotary-group 1
!
interface Serial0:1
dialer rotary-group 1
!
interface Serial0:2
dialer rotary-group 1
!
interface Serial0:3
dialer rotary-group 1
!
interface Serial0:4
dialer rotary-group 1
!
interface Serial0:5
dialer rotary-group 1
!
interface Serial0:6
dialer rotary-group 1
!
interface Serial0:7
dialer rotary-group 1
!
interface Serial0:8
dialer rotary-group 1
!
interface Serial0:9
dialer rotary-group 1
!
interface Serial0:10
dialer rotary-group 1
!
interface Serial0:11
dialer rotary-group 1
!
interface Serial0:12
dialer rotary-group 1
!
interface Serial0:13
dialer rotary-group 1
!
interface Serial0:14
dialer rotary-group 1
!
interface Serial0:15
dialer rotary-group 1
!
interface Serial0:16
dialer rotary-group 1
!
interface Serial0:17
dialer rotary-group 1
!
interface Serial0:18
dialer rotary-group 1
!
interface Serial0:19
dialer rotary-group 1
!
interface Serial0:20
dialer rotary-group 1
!
interface Serial0:21
dialer rotary-group 1
!
interface Serial0:22
dialer rotary-group 1
!
! Interface serial 0:23 is the last switched 56K channel for controller T1 0.
!
interface Serial0:23
dialer rotary-group 1
!
! The switched 56K channels for controller T1 1 begin with interface serial 1:0 and end
! with interface serial 1:23.
!
interface Serial1:0
dialer rotary-group 1
!
interface Serial1:1
dialer rotary-group 1
!
interface Serial1:2
dialer rotary-group 1
!
interface Serial1:3
dialer rotary-group 1
!
interface Serial1:4
dialer rotary-group 1
!
interface Serial1:5
dialer rotary-group 1
!
interface Serial1:6
dialer rotary-group 1
!
interface Serial1:7
dialer rotary-group 1
!
interface Serial1:8
dialer rotary-group 1
!
interface Serial1:9
dialer rotary-group 1
!
interface Serial1:10
dialer rotary-group 1
!
interface Serial1:11
dialer rotary-group 1
!
interface Serial1:12
dialer rotary-group 1
!
interface Serial1:13
dialer rotary-group 1
!
interface Serial1:14
dialer rotary-group 1
!
interface Serial1:15
dialer rotary-group 1
!
interface Serial1:16
dialer rotary-group 1
!
interface Serial1:17
dialer rotary-group 1
!
interface Serial1:18
dialer rotary-group 1
!
interface Serial1:19
dialer rotary-group 1
!
interface Serial1:20
dialer rotary-group 1
!
interface Serial1:21
dialer rotary-group 1
!
interface Serial1:22
dialer rotary-group 1
!
interface Serial1:23
dialer rotary-group 1
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 96
!
interface Dialer1
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
no fair-queue
no cdp enable
ppp authentication chap pap dialin
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer1
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.96
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
radius-server host 10.1.1.23 auth-port 1645 acct-port 1646
radius-server host 10.1.1.24 auth-port 1645 acct-port 1646
radius-server key cisco
!
line con 0
login authentication console
line 1 96
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
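Because every switched 56K serial interface has to be configured one by one, a channel whose rotary group points at a dialer interface that was never defined is easy to miss in a configuration of this size. The following Python check is an added example and not Cisco code: it parses a constructed sample in the style of the startup configuration above and reports channels with no rotary group, rotary groups with no matching Dialer interface, and passive-interface statements that name an undefined dialer. It assumes, as the text above describes for T1 0 and T1 1, that a controller N with k data time slots yields SerialN:0 through SerialN:(k-1).

```python
import re
from typing import Dict, List, Set

# Constructed sample (not from the page): two data controllers, one analog controller,
# one channel in a rotary group with no Dialer interface, one channel with no rotary
# group at all, and a passive-interface statement that names an undefined dialer.
SAMPLE_CONFIG = """\
controller T1 0
 framing esf
 cas-group 0 timeslots 1-3 type e&m-fgb service data
!
controller T1 1
 cas-group 1 timeslots 1-2 type e&m-fgb service data
!
controller T1 2
 cas-group 2 timeslots 1-24 type e&m-fgb
!
interface Serial0:0
 dialer rotary-group 1
!
interface Serial0:1
 dialer rotary-group 1
!
interface Serial0:2
 dialer rotary-group 2
!
interface Serial1:0
 dialer rotary-group 1
!
interface Dialer1
 encapsulation ppp
!
router eigrp 10
 passive-interface Dialer0
"""


def parse_timeslots(spec: str) -> int:
    """Count the time slots in a spec such as '1-24' or '1-15,17-31'."""
    count = 0
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        count += (int(hi) - int(lo) + 1) if hi else 1
    return count


def parse_config(text: str) -> dict:
    """Collect the serial interfaces that 'service data' creates, the rotary-group
    membership of each interface, the Dialer interfaces defined, and passive references."""
    expected: Set[str] = set()
    rotary: Dict[str, int] = {}
    dialers: Set[int] = set()
    passive: List[int] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"controller T1 (\S+)$", line)
        if m:
            section = ("controller", m.group(1))
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            section = ("interface", m.group(1))
            dm = re.match(r"Dialer(\d+)$", m.group(1))
            if dm:
                dialers.add(int(dm.group(1)))
            continue
        m = re.match(r"cas-group \d+ timeslots (\S+) type \S+ service data$", line)
        if m and section and section[0] == "controller":
            ctrl = section[1]  # assumption: controller N -> SerialN:<channel>
            expected.update(f"Serial{ctrl}:{ch}" for ch in range(parse_timeslots(m.group(1))))
            continue
        m = re.match(r"dialer rotary-group (\d+)$", line)
        if m and section and section[0] == "interface":
            rotary[section[1]] = int(m.group(1))
            continue
        m = re.match(r"passive-interface Dialer(\d+)$", line)
        if m:
            passive.append(int(m.group(1)))
    return {"expected": expected, "rotary": rotary, "dialers": dialers, "passive": passive}


def _serial_key(name: str):
    ctrl, ch = name[len("Serial"):].rsplit(":", 1)
    return (ctrl, int(ch))


def find_problems(text: str) -> List[str]:
    """Return one message per switched 56K channel or passive reference that is wrong."""
    cfg = parse_config(text)
    problems: List[str] = []
    for serial in sorted(cfg["expected"], key=_serial_key):
        group = cfg["rotary"].get(serial)
        if group is None:
            problems.append(f"{serial}: no dialer rotary-group, channel will carry no protocol")
        elif group not in cfg["dialers"]:
            problems.append(f"{serial}: rotary-group {group} but interface Dialer{group} is not defined")
    for group in cfg["passive"]:
        if group not in cfg["dialers"]:
            problems.append(f"passive-interface Dialer{group} refers to an undefined interface")
    return problems


if __name__ == "__main__":
    for problem in find_problems(SAMPLE_CONFIG):
        print(problem)
```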
ISDN CAS Examples
This section provides channelized E1 sample configurations for the Cisco access server. You can
configure the 30 available channels with CAS, channel grouping, or a combination of the two. The
following examples are provided:
• Allocating All Channels for CAS Example
• Mixing and Matching Channels—CAS and Channel Grouping Example
Allocating All Channels for CAS Example
The following interactive example configures channels (also known as time slots) 1 to 30 with ear and
mouth channel signaling and feature group B support on a Cisco access server; it also shows that the
router displays informative messages about each time slot. Signaling messages are sent in the 16th time
slot; therefore, that time slot is not brought up.
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# controller e1 0
Router(config-controller)# cas-group 1 timeslots 1-31 type e&m-fgb
Router(config-controller)#
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 1 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 2 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 3 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 4 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 5 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 6 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 7 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 8 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 9 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 10 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 11 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 12 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 13 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 14 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 15 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 17 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 18 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 19 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 20 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 21 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 22 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 23 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 24 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 25 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 26 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 27 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 28 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 29 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 30 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 31 is up
Mixing and Matching Channels—CAS and Channel Grouping Example
The following interactive example shows you how to configure an E1 controller to support a combination
of CAS and channel grouping. The range of time slots that you allocate must match the time slot
allocations that your central office chooses to use. This configuration is rare because of the complexity
of aligning the correct range of time slots on both ends of the connection.
Time slots 1 through 15 are assigned to channel group 1. In turn, these time slots are assigned to serial
interface 0 and virtual channel group 1 (shown as serial 0:1).
Router(config)# controller e1 0
Router(config-controller)# channel-group 1 timeslots 1-15
Router(config-controller)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:1, changed state to down
%LINK-3-UPDOWN: Interface Serial0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:1, changed state to up
Time slots 17 to 31 are configured with CAS:
Router(config-controller)# cas-group 2 timeslots 17-31 type e&m-fgb
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:1, changed state to down
Router(config-controller)#
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 17 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 18 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 19 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 20 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 21 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 22 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 23 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 24 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 25 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 26 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 27 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 28 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 29 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 30 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 31 is up
Router(config-controller)#
E1 R2 Signaling Procedure
The following procedure configures R2 signaling and customizes R2 parameters on controller E1 2 of a
Cisco AS5300 access server. In most cases, the same R2 signaling type is configured on each E1
controller.
Step 1 Enter global configuration mode using the configure terminal command:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Step 2 Specify the E1 controller that you want to configure with R2 signaling using the controller e1 number
global configuration command. A controller informs the access server how to distribute or provision
individual time slots for a connected channelized E1 line. You must configure one E1 controller for each
E1 line.
Router(config)# controller e1 2
Step 3 Configure CAS with the cas-group channel timeslots range type signal command. The signaling type
forwarded by the connecting telco switch must match the signaling configured on the Cisco AS5300
access server. The Cisco IOS configuration options are r2-analog, r2-digital, or r2-pulse.
Router(config-controller)# cas-group 1 timeslots 1-31 type ?
e&m-fgb E & M Type II FGB
e&m-fgd E & M Type II FGD
e&m-immediate-start E & M Immediate Start
fxs-ground-start FXS Ground Start
fxs-loop-start FXS Loop Start
p7 P7 Switch
r2-analog R2 ITU Q411
r2-digital R2 ITU Q421
r2-pulse R2 ITU Supplement 7
sas-ground-start SAS Ground Start
sas-loop-start SAS Loop Start
The following example specifies R2 ITU Q421 digital line signaling (r2-digital). This example also
specifies R2 compelled register signaling and provisions the ANI ADDR option.
Router(config-controller)# cas-group 1 timeslots 1-31 type r2-digital r2-compelled ani
Router(config-controller)#
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 1 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 2 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 3 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 4 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 5 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 6 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 7 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 8 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 9 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 10 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 11 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 12 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 13 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 14 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 15 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 17 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 18 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 19 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 20 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 21 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 22 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 23 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 24 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 25 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 26 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 27 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 28 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 29 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 30 is up
%DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 31 is up
Note The actual R2 CAS is configured on the 16th time slot, which is why the time slot does not
come up in the example output. For a description of the supported R2 signaling options, refer
to the cas-group command for the E1 controller in the Cisco IOS Dial Technologies
Command Reference.
Step 4 Customize some of the E1 R2 signaling parameters with the cas-custom channel controller
configuration command. This example specifies the default R2 settings for Argentina. For custom
options, refer to the cas-custom command in the Cisco IOS Dial Technologies Command Reference.
Router(config-controller)# cas-custom 1
Router(config-ctrl-cas)# ?
CAS custom commands:
ani-digits Expected number of ANI digits
answer-signal Answer signal to be used
caller-digits Digits to be collected before requesting CallerID
category Category signal
country Country Name
default Set a command to its defaults
dnis-digits Expected number of DNIS digits
exit Exit from cas custom mode
invert-abcd invert the ABCD bits before tx and after rx
ka KA Signal
kd KD Signal
metering R2 network is sending metering signal
nc-congestion Non Compelled Congestion signal
no Negate a command or set its defaults
request-category DNIS digits to be collected before requesting category
unused-abcd Unused ABCD bit values
Router(config-ctrl-cas)# country ?
argentina Argentina
australia Australia
brazil Brazil
china China
colombia Colombia
.
.
.
Router(config-ctrl-cas)# country argentina ?
use-defaults Use Country defaults
Router(config-ctrl-cas)# country argentina use-defaults
Note We highly recommend that you specify the default settings of your country. To display a list
of supported countries, enter the country ? command. The default setting for all countries is
ITU.
R1 Modified Signaling Using an E1 Interface Example
The following example shows a configuration sample for R1 modified signaling on a Cisco access server,
using an E1 interface:
version xx.x
service timestamps debug datetime msec
no service password-encryption
!
hostname router
!
enable secret 5 $1$YAaG$L0jTcQ.nMH.gpFYXaOU5c.
!
no modem fast-answer
ip host dirt 10.255.254.254
ip multicast rpf-check-interval 0
isdn switch-type primary-dms100
!
!
controller E1 0
clock source line primary
cas-group 1 timeslots 1-15,17-31 type r1-modified ani-dnis
!
controller E1 1
clock source line secondary
cas-group 1 timeslots 1-15,17-31 type r1-modified ani-dnis
!
controller E1 2
clock source internal
!
controller E1 3
clock source internal
!
interface Ethernet0
ip address 10.19.36.7 255.255.0.0
no ip mroute-cache
!
interface FastEthernet0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
dialer in-band
dialer idle-timeout 480
dialer-group 1
async dynamic address
async mode interactive
peer default ip address pool DYNAMIC
no fair-queue
no cdp enable
group-range 1 108
!
router igrp 200
network 10.0.0.0
network 192.168.254.0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
logging source-interface Ethernet0
!
line con 0
exec-timeout 0 0
line 1 108
exec-timeout 0 0
modem InOut
transport input all
line aux 0
line vty 0 4
!
end
R1 Modified Signaling for Taiwan Configuration Example
The following example shows how to configure R1 modified signaling for Taiwan:
service timestamps debug datetime msec
no service password-encryption
!
hostname router
!
enable secret 5 $1$YAaG$L0jTcQ.nMH.gpFYXaOU5c.
!
no modem fast-answer
ip host dirt 192.168.254.254
ip multicast rpf-check-interval 0
isdn switch-type primary-dms100
!
!
controller T1 1/1/0
framing esf
linecode b8zs
cablelength short 133
pri-group timeslots 1-24
fdl att
!
controller T1 1/1/1
framing esf
linecode b8zs
cablelength short 133
cas-group 1 timeslots 1-24 type r1-modified
fdl att
!
controller T1 1/1/2
framing esf
linecode b8zs
cablelength short 133
pri-group timeslots 1-24
fdl att
!
controller T1 1/1/3
framing esf
linecode b8zs
cablelength short 133
pri-group timeslots 1-24
fdl att
!
Configuring ISDN Special Signaling
This chapter describes features that either depend on special signaling services offered by an ISDN
network service provider or overcome an inability to deliver certain signals. It describes these features
in the following main sections:
• How to Configure ISDN Special Signaling
• Troubleshooting ISDN Special Signaling
• Configuration Examples for ISDN Special Signaling
For an overview of ISDN PRI, see the section “ISDN Service” in the “Overview of Dial Interfaces,
Controllers, and Lines” chapter, and the section “ISDN Overview” in the “Configuring ISDN BRI”
chapter.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the ISDN signaling commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
How to Configure ISDN Special Signaling
To configure special signaling features of ISDN, perform the tasks in the following sections; all tasks
are optional:
• Configuring ISDN AOC (Optional)
• Configuring NFAS on PRI Groups (Optional)
• Enabling an ISDN PRI to Take PIAFS Calls on MICA Modems (Optional)
• Configuring Automatic Detection of Encapsulation Type (Optional)
• Configuring Encapsulation for Combinet Compatibility (Optional)
See the section “Configuration Examples for ISDN Special Signaling” at the end of this chapter for
examples of these signaling features. See the “Troubleshooting ISDN Special Signaling” section later in
this chapter for help in troubleshooting ISDN signaling features.
Configuring ISDN AOC
ISDN Advice of Charge (AOC) allows users to obtain charging information for all calls during the call
(AOC-D) or at the end of the call (AOC-E) or both.
Users must have subscribed through their local ISDN network to receive the AOC information from the
switch. No router configuration changes are required to retrieve this call charging information.
The ISDN AOC feature also supports, for the AOC-D service, an optional configurable short-hold mode
that provides a dynamic idle timeout by measuring the call charging period, based on the frequency of
the AOC-D or the AOC-E message from the network. The short-hold mode allows users to track call
costs and to control and possibly reduce tariff charges. The short-hold mode idle time will do the
following:
• Disconnect a call just before the beginning of a new charging period if the call has been idle for at
least the configured minimum idle time.
• Maintain the call to the end of the current charging period past the configured idle timeout if the
time left in the charging period is longer.
Incoming calls are disconnected using the static dialer idle timeout value.
The AOC-D and AOC-E messages are part of the Facility Information Element (IE) message. Its contents
can be verified with the debug q931 command. Call accounting information from AOC-D and AOC-E
messages is stored in Simple Network Management Protocol (SNMP) MIB objects.
ISDN AOC is provided for ISDN PRI NET5 and ISDN BRI NET3 switch types only. AOC information
at call setup is not supported.
Configuring Short-Hold Mode
No configuration is required to enable ISDN AOC. However, you can configure the optional short-hold
minimum idle timeout period for outgoing calls; the default minimum idle timeout is
120 seconds. If the short-hold option is not configured, the router default is to use the static dialer idle
timeout. If the short-hold idle timeout has been configured but no charging information is available from
the network, the static dialer idle timeout applies.
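The short-hold rules above (clear an idle outgoing call just before a new charging period starts, keep it to the end of a period already paid for, fall back to the static dialer idle timeout for incoming calls and when no charging information arrives) are easier to reason about as a small model. The following Python is an added example, not Cisco code; it assumes times in seconds since call setup and takes the charging-period length from the interval between AOC-D messages, with `period_start` being the time of the last AOC-D message.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class Call:
    outgoing: bool
    last_activity: float                # time the call last carried traffic
    static_idle_timeout: float          # dialer idle-timeout (line or map-class), seconds
    short_hold: Optional[float] = None  # dialer isdn short-hold, None if not configured
    aoc_period: Optional[float] = None  # seconds between AOC-D messages, None if none received
    period_start: float = 0.0           # start of the current charging period (last AOC-D)


def uses_short_hold(call: Call) -> bool:
    """Short-hold applies only to outgoing calls that have short-hold configured and
    for which the network actually delivers charging information."""
    return call.outgoing and call.short_hold is not None and call.aoc_period is not None


def planned_disconnect(call: Call) -> float:
    """Time at which the call is cleared if it carries no further traffic.

    Static case: last activity plus the static idle timeout.
    Short-hold case: the first charging-period boundary at which the call has been idle
    for at least the short-hold time. The call is cleared just before that boundary, so
    the period already paid for is used in full and a new one is never started.
    """
    if not uses_short_hold(call):
        return call.last_activity + call.static_idle_timeout
    earliest = call.last_activity + call.short_hold
    # number of whole charging periods since period_start that end before `earliest`
    periods = max(0, math.ceil((earliest - call.period_start) / call.aoc_period))
    return call.period_start + periods * call.aoc_period


def should_disconnect(call: Call, now: float) -> bool:
    """True once the planned disconnect time has been reached."""
    return now >= planned_disconnect(call)


def periods_paid(call: Call, until: float) -> int:
    """Charging periods that will have been billed when the call clears at `until`
    (0 when the network sends no charging information, so nothing can be counted)."""
    if call.aoc_period is None:
        return 0
    return max(1, math.ceil((until - call.period_start) / call.aoc_period))


if __name__ == "__main__":
    # Constructed scenario: 180 s charging periods, call idle since t=100.
    static = Call(outgoing=True, last_activity=100, static_idle_timeout=120, aoc_period=180)
    short = Call(outgoing=True, last_activity=100, static_idle_timeout=120,
                 short_hold=60, aoc_period=180)
    for label, c in (("static", static), ("short-hold", short)):
        t = planned_disconnect(c)
        print(f"{label}: clears at {t:.0f}s, {periods_paid(c, t)} period(s) billed")
```

With the static timeout the call clears at 220 s, 40 s into a second charging period; with short-hold it clears at the 180 s boundary and only one period is billed.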
To configure an ISDN interface and provide the AOC short-hold mode option on an ISDN interface,
perform the following steps:
Step 1 Configure the ISDN BRI or PRI interface, as described in the chapter “Configuring ISDN BRI” or the
section “How to Configure ISDN PRI” in the chapter “Configuring ISDN PRI” later in this publication,
using the relevant keyword in the isdn switch-type command:
• BRI interface—basic-net3
• PRI interface—primary-net5
Step 2 Configure dialer profiles or legacy dial-on-demand routing (DDR) for outgoing calls, as described in the
chapters in the “Dial-on-Demand Routing” part of this publication, making sure to do the following:
• Configure the static line-idle timeout to be used for incoming calls.
• For each destination, use the dialer map command with the class keyword (legacy DDR) or a dialer
string class command (dialer profiles) to identify the dialer map class to be used for outgoing calls
to the destination.
Step 3 Configure each specified dialer map class, providing a dialer idle timeout, or ISDN short-hold timeout,
or both for outgoing calls, as described in this chapter.
To configure a dialer map class with timers, use the following commands beginning in global
configuration mode:
Step 1
Command: Router(config)# map-class dialer classname
Purpose: Specifies the dialer map class and begins map class configuration mode.
Step 2
Command: Router(config-map-class)# dialer idle-timeout seconds
Purpose: (Optional) Specifies a static idle timeout for the map class to override the static line-idle
timeout configured on the BRI interface.
Step 3
Command: Router(config-map-class)# dialer isdn short-hold seconds
Purpose: Specifies a dialer ISDN short-hold timeout for the map class.
Monitoring ISDN AOC Call Information
To monitor ISDN AOC call information, use the following command in EXEC mode:
Command: Router> show isdn {active [dsl | serial-number] | history [dsl | serial-number] | memory |
nfas group group-number | service [dsl | serial-number] | status [dsl | serial-number] |
timers [dsl | serial-number]}
Purpose: Displays information about active calls, call history, memory, nfas group, service or status
of PRI channels, or Layer 2 or Layer 3 timers. The history keyword displays AOC charging time
units used during the call and indicates whether the AOC information is provided during calls or
at the end of calls. (The service keyword is available for PRI only.)
Configuring NFAS on PRI Groups
ISDN Non-Facility Associated Signaling (NFAS) allows a single D channel to control multiple PRI
interfaces. A backup D channel can also be configured for use when the primary NFAS D channel fails.
Use of a single D channel to control multiple PRI interfaces can free one B channel on each interface to
carry other traffic.
Any hard failure causes a switchover to the backup D channel and currently connected calls remain
connected.
Once the channelized T1 controllers are configured for ISDN PRI, only the NFAS primary D channel
must be configured; its configuration is distributed to all the members of the associated NFAS group.
ISDN NFAS Prerequisites
NFAS is only supported with a channelized T1 controller. Table 27 shows the Cisco IOS keywords for
the ISDN switch types and lists whether NFAS is supported.
Table 27 ISDN Switch Types and NFAS Support
Switch Type                 Keyword        NFAS Support
Lucent 4ESS Custom NFAS     primary-4ess   Yes
Lucent 5ESS Custom NFAS     primary-5ess   No (use National)
Nortel DMS Custom NFAS      primary-dms    Yes
NTT Custom NFAS             primary-ntt    Yes
National                    primary-ni     Yes
Other switch types          —              No (use National)
Note On the Nortel (Northern Telecom) DMS-100 switch, when a single D channel is shared, multiple PRI
interfaces may be configured in a single trunk group. The additional use of alternate route indexing,
which is a feature of the DMS-100 switch, provides a rotary from one trunk group to another. This
feature enables the capability of building large trunk groups in a public switched network.
The ISDN switch must be provisioned for NFAS. The primary and backup D channels should be
configured on separate T1 controllers. The primary, backup, and B-channel members on the respective
controllers should be the same as that configured on the router and ISDN switch. The interface ID
assigned to the controllers must match that of the ISDN switch.
ISDN NFAS Configuration Task List
To configure NFAS on channelized T1 controllers configured for ISDN, perform the tasks in the
following section: Configuring NFAS on PRI Groups (required).
You can also disable a channel or interface, if necessary, and monitor NFAS groups and ISDN service.
To do so, perform the tasks in the following sections:
• Configuring NTT PRI NFAS (Optional)
• Disabling a Channel or Interface (Optional)
• Monitoring NFAS Groups (Optional)
• Monitoring ISDN Service (Optional)
See the section “NFAS Primary and Backup D Channels” later in this chapter for ISDN, NFAS, and DDR
configuration examples.
Configuring NFAS on PRI Groups
This section documents tasks used to configure NFAS with D channel backup. When configuring NFAS,
you use an extended version of the ISDN pri-group command to specify the following values for the
associated channelized T1 controllers configured for ISDN:
• The range of PRI time slots to be under the control of the D channel (time slot 24).
• The function to be performed by time slot 24 (primary D channel, backup, or none); the latter
specifies its use as a B channel.
• The group identifier number for the interface under control of the D channel.
To configure ISDN NFAS, use the following commands in controller configuration mode:
Step 1
Command: Router(config-controller)# pri-group timeslots 1-24 nfas_d primary nfas_interface number
nfas_group number
Purpose: On one channelized T1 controller, configures the NFAS primary D channel.
Step 2
Command: Router(config-controller)# pri-group timeslots 1-24 nfas_d backup nfas_interface number
nfas_group number
Purpose: On a different channelized T1 controller, configures the NFAS backup D channel to be used if
the primary D channel fails.
Step 3
Command: Router(config-controller)# pri-group timeslots 1-24 nfas_d none nfas_interface number
nfas_group number
Purpose: (Optional) On other channelized T1 controllers, configures a 24-B-channel interface, if desired.
For an example of configuring three T1 controllers for the NFAS primary D channel, the backup
D channel, and 24 B channels, along with the DDR configuration for the PRI interface, see the section
“NFAS Primary and Backup D Channels” at the end of this chapter.
When a backup NFAS D channel is configured and the primary NFAS D channel fails, rollover to the
backup D channel is automatic and all connected calls stay connected.
If the primary NFAS D channel recovers, the backup NFAS D channel remains active and does not switch
over again unless the backup NFAS D channel fails.
Configuring NTT PRI NFAS
Addition of the NTT switch type to the NFAS feature allows its use in geographic areas where NTT
switches are available. This feature provides use of a single D channel to control multiple PRI interfaces,
and can free one B channel on each interface to carry other traffic.
To configure NTT PRI NFAS, use the procedure described in the “Configuring NFAS on PRI Groups”
section. Specify a primary-ntt switch type.
Note You cannot configure a backup D channel for the NTT PRI NFAS feature; it does not support
D channel backup.
Verifying NTT PRI NFAS
Step 1 Enter the show isdn status command to learn whether the ISDN PRI switch type was configured
correctly:
Router# show isdn status serial 0:23
Global ISDN Switchtype = primary-ntt
ISDN Serial0:23 interface
Step 2 Enter the show isdn nfas group command to display information about members of an NFAS group:
Router# show isdn nfas group 1
ISDN NFAS GROUP 1 ENTRIES:
The primary D is Serial1/0:23.
The NFAS member is Serial2/0:23.
There are 3 total nfas members.
There are 93 total available B channels.
The primary D-channel is DSL 0 in state INITIALIZED.
The current active layer 2 DSL is 0.
Step 3 Enter the show isdn service command to display information about ISDN channels and the service
states:
Router# show isdn service
PRI Channel Statistics:
ISDN Se1/0:23, Channel (1-24)
Configured Isdn Interface (dsl) 0
State (0=Idle 1=Propose 2=Busy 3=Reserved 4=Restart 5=Maint)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3
Channel (1-24) Service (0=Inservice 1=Maint 2=Outofservice)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ISDN Se1/1:23, Channel (1-24)
Configured Isdn Interface (dsl) 1
State (0=Idle 1=Propose 2=Busy 3=Reserved 4=Restart 5=Maint)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Channel (1-24) Service (0=Inservice 1=Maint 2=Outofservice)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ISDN Se2/0:23, Channel (1-24)
Configured Isdn Interface (dsl) 2
State (0=Idle 1=Propose 2=Busy 3=Reserved 4=Restart 5=Maint)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Channel (1-24) Service (0=Inservice 1=Maint 2=Outofservice)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
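To check show isdn service output mechanically rather than by eye, here is an added example (not Cisco code) in Python that parses the State and Service rows in the format shown above, reports every channel that is not in service, and counts the idle, in-service B channels per PRI. The output it parses is constructed in the page's format, with one channel in Maint and one Out of service.

```python
import re
from dataclasses import dataclass

# Legends taken from the 'show isdn service' header lines on the page.
STATE_NAMES = {0: "Idle", 1: "Propose", 2: "Busy", 3: "Reserved",
               4: "Restart", 5: "Maint"}
SERVICE_NAMES = {0: "Inservice", 1: "Maint", 2: "Outofservice"}

_IFACE_RE = re.compile(r"^ISDN (\S+), Channel \((\d+)-(\d+)\)")
_DSL_RE = re.compile(r"^Configured Isdn Interface \(dsl\) (\d+)")
_ROW_RE = re.compile(r"^\d+(?:\s+\d+)*$")      # a row of per-channel values


@dataclass
class PriChannels:
    interface: str   # e.g. "Se1/0:23"
    dsl: int         # from "Configured Isdn Interface (dsl) n"
    state: list      # call state per channel; index 0 is channel 1
    service: list    # service state per channel; index 0 is channel 1


def parse_show_isdn_service(text: str) -> list:
    """Returns one PriChannels per 'ISDN <interface>, Channel (a-b)' block.
    The numeric row after a 'State (...)' header fills .state; the row after
    a 'Channel (...) Service (...)' header fills .service."""
    blocks, current, expect = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _IFACE_RE.match(line)
        if m:
            current = PriChannels(m.group(1), -1, [], [])
            blocks.append(current)
            expect = None
            continue
        if current is None:
            continue
        m = _DSL_RE.match(line)
        if m:
            current.dsl = int(m.group(1))
        elif line.startswith("State ("):
            expect = "state"
        elif line.startswith("Channel (") and "Service (" in line:
            expect = "service"
        elif expect and _ROW_RE.match(line):
            setattr(current, expect, [int(v) for v in line.split()])
            expect = None
    return blocks


def channels_not_in_service(blocks: list) -> list:
    """Flags (interface, channel number, service name) for every channel whose
    service state is anything other than 0 (Inservice): the result of an
    'isdn service ... state 1|2' command, a maintenance action or a fault."""
    findings = []
    for b in blocks:
        for ch, svc in enumerate(b.service, start=1):
            if svc != 0:
                findings.append((b.interface, ch, SERVICE_NAMES.get(svc, str(svc))))
    return findings


def available_b_channels(block: PriChannels) -> int:
    """Channels that are both Idle and Inservice. The D channel (Reserved,
    state 3, channel 24 in the page's output) is excluded automatically."""
    return sum(1 for st, svc in zip(block.state, block.service)
               if st == 0 and svc == 0)


# Constructed sample in the page's format (not captured from a router):
# Se1/0:23 has one Busy B channel plus its Reserved D channel; Se1/1:23 has
# channel 5 in Maint and channel 24 Outofservice.
SAMPLE = """\
PRI Channel Statistics:
ISDN Se1/0:23, Channel (1-24)
Configured Isdn Interface (dsl) 0
State (0=Idle 1=Propose 2=Busy 3=Reserved 4=Restart 5=Maint)
0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3
Channel (1-24) Service (0=Inservice 1=Maint 2=Outofservice)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ISDN Se1/1:23, Channel (1-24)
Configured Isdn Interface (dsl) 1
State (0=Idle 1=Propose 2=Busy 3=Reserved 4=Restart 5=Maint)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Channel (1-24) Service (0=Inservice 1=Maint 2=Outofservice)
0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2
"""

if __name__ == "__main__":
    parsed = parse_show_isdn_service(SAMPLE)
    for b in parsed:
        print(f"{b.interface} (dsl {b.dsl}): {available_b_channels(b)} B channels available")
        for ch, st in enumerate(b.state, start=1):
            if st != 0:
                print(f"  channel {ch} state {STATE_NAMES.get(st, st)}")
    for iface, ch, why in channels_not_in_service(parsed):
        print(f"{iface} channel {ch}: {why}")
```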
Disabling a Channel or Interface
You can disable a specified channel or an entire PRI interface, thus taking it out of service or placing it
into one of the other states that is passed in to the switch. To disable a specific channel or PRI interface,
use one of the following commands in interface configuration mode as appropriate for your network:
Command Purpose
Router(config-if)# isdn service dsl number b_channel number state state-value
       Takes an individual B channel out of service or sets it to a different state.
Router(config-if)# isdn service dsl number b_channel 0 state state-value
       Sets the entire PRI to the specified state.
The supported state-values are as follows:
• 0—In service
• 1—Maintenance
• 2—Out of service
When the T1 Controller Is Shut Down
In the event that a controller belonging to an NFAS group is shut down, all active B-channel calls on the
controller that is shut down will be cleared (regardless of whether the controller is set to be primary,
backup, or none), and one of the following events will occur:
• If the controller that is shut down is configured as the primary and no backup is configured, all active
calls on the group are cleared.
• If the controller that is shut down is configured as the primary, and the active (In service) D channel
is the primary and a backup is configured, then the active D channel changes to the backup
controller.
• If the controller that is shut down is configured as the primary, and the active D channel is the
backup, then the active D channel remains as backup controller.
• If the controller that is shut down is configured as the backup, and the active D channel is the backup,
then the active D channel changes to the primary controller.
Note The active D channel changeover between primary and backup controllers happens only when one of
the links fails and not when the link comes up. The T309 timer is triggered when the changeover takes
place.
Monitoring NFAS Groups
To monitor NFAS groups, use the following command in EXEC mode:
Command Purpose
Router> show isdn nfas group number
       Displays information about members of an NFAS group.
Monitoring ISDN Service
To display information about ISDN channel service states, use the following command in EXEC mode:
Command Purpose
Router> show isdn service
       Displays information about ISDN channels and the service states.
Enabling an ISDN PRI to Take PIAFS Calls on MICA Modems
The Personal-Handyphone-System Internet Access Forum Standard (PIAFS) specifications describe a
transmission system that uses the PHS 64000 bps/32000 bps unrestricted digital bearer on the
Cisco AS5300 universal access server platform.
The PIAFS TA (terminal adapter) module is like a modem or a V.110 module in the following ways:
• Ports will be a pool of resources.
• Calls will use the same call setup Q.931 message.
• Module supports a subset of common AT commands.
• Call setup and teardown are similar.
However, the rate negotiation information will be part of the bearer cap and not the lower-layer
compatibility. PIAFS calls will have the user rate as 32000 and 64000; this will be used to distinguish a
PIAFS call from a V.110 call. Also, PIAFS will use only up to octets 5a in a call setup message. The data
format will default to 8N1 for PIAFS calls.
To configure ISDN PRI to take PIAFS calls on MICA modems, use the following commands beginning
in global configuration mode:
Command Purpose
Step 1 Router(config)# interface serial controller:channel
       Enters interface configuration mode for a D-channel serial interface.
Step 2 Router(config-if)# isdn piafs-enabled
       Enables the PRI to take PIAFS calls on MICA modems.
Step 3 Router(config-if)# exit
       Exits interface configuration mode.
Verifying PIAFS
Step 1 Enter the show modem operational-status slot/port command to view PIAFS call information.
Router# show modem op 1/32
Mdm Typ Status Tx/Rx G Duration RTS CTS DCD DTR
1/32 ISDN Conn 64000/64000 0 1d01h x x x x
Modem 1/32, Mica Hex Modem (Managed), Async33, tty33
Firmware Rev: 8.2.0.c
Modem config: Incoming and Outgoing
Protocol: PIAFS, Compression: V.42bis both
Management config: Status polling
RX signals: 0 dBm
Last clearing of "show modem" counters never
2 incoming completes, 0 incoming failures
0 outgoing completes, 0 outgoing failures
0 failed dial attempts, 0 ring no answers, 0 busied outs
0 no dial tones, 0 dial timeouts, 0 watchdog timeouts
0 no carriers, 0 link failures, 0 resets, 0 recover oob
0 recover modem, 0 current fail count
0 protocol timeouts, 0 protocol errors, 0 lost events
0 ready poll timeouts
Configuring Automatic Detection of Encapsulation Type
You can enable a serial or ISDN interface to accept calls and dynamically change the encapsulation in
effect on the interface when the remote device does not signal the call type. For example, if an ISDN call
does not identify the call type in the lower-layer compatibility fields and is using an encapsulation that
is different from the one configured on the interface, the interface can change its encapsulation type
dynamically.
This feature enables interoperation with ISDN terminal adapters that use V.120 encapsulation but do not
signal V.120 in the call setup message. An ISDN interface that by default answers a call as synchronous
serial with PPP encapsulation can change its encapsulation and answer such calls.
Automatic detection is attempted for the first 10 seconds after the link is established or the first 5 packets
exchanged over the link, whichever is first.
To enable automatic detection of encapsulation type, use the following command in interface
configuration mode:
Command Purpose
Router(config-if)# autodetect encapsulation encapsulation-type
       Enables automatic detection of encapsulation type on the specified interface.
You can specify one or more encapsulations to detect. Cisco IOS software currently supports automatic
detection of PPP and V.120 encapsulations.
Configuring Encapsulation for Combinet Compatibility
Historically, Combinet devices supported only the Combinet Proprietary Protocol (CPP) for negotiating
connections over ISDN B channels. To enable Cisco routers to communicate with those Combinet
bridges, Cisco IOS software supports the CPP encapsulation type.
To enable routers to communicate over ISDN interfaces with Combinet bridges that support only CPP,
use the following commands in interface configuration mode:
Command Purpose
Step 1 Router(config-if)# encapsulation cpp
       Specifies CPP encapsulation.
Step 2 Router(config-if)# cpp callback accept
       Enables CPP callback acceptance.
Step 3 Router(config-if)# cpp authentication
       Enables CPP authentication.
Most Combinet devices support PPP. Cisco routers can communicate over ISDN with these devices by
using PPP encapsulation, which supports both routing and fast switching.
Cisco 700 and 800 series routers and bridges (formerly Combinet devices) support only IP, Internet
Protocol Exchange (IPX), and bridging. For AppleTalk, Cisco routers automatically perform
half-bridging with Combinet devices. For more information about half-bridging, see the section
“Configuring PPP Half-Bridging” in the chapter “Configuring Media-Independent PPP and Multilink
PPP” later in this publication.
Cisco routers can also half-bridge IP and IPX with Combinet devices that support only CPP. To configure
this feature, you only need to set up the addressing with the ISDN interface as part of the remote subnet;
no additional commands are required.
Troubleshooting ISDN Special Signaling
To troubleshoot ISDN, use the following commands in EXEC mode as needed:
Command Purpose
Router# debug dialer
       Displays the values of timers.
Router# debug isdn q921 [interface bri number]
       Displays link layer information for all interfaces or, optionally, for a single BRI interface.
Router# debug isdn q921 interface serial slot/controller-number:23
       Displays link layer information for a single PRI interface.
Router# debug isdn q931 [interface bri number]
       Displays the content of call control messages and information elements, in particular the Facility IE
       message, for all interfaces or, optionally, for a single BRI interface.
Router# debug isdn q931 interface serial slot/controller-number:23
       Displays the content of call control messages and information elements, in particular the Facility IE
       message, for a single PRI interface.
Configuration Examples for ISDN Special Signaling
This section provides the following configuration examples:
• ISDN AOC Configuration Examples
• ISDN NFAS Configuration Examples
ISDN AOC Configuration Examples
This section provides the following ISDN AOC configuration examples:
• Using Legacy DDR for ISDN PRI AOC Configuration
• Using Dialer Profiles for ISDN BRI AOC Configuration
Using Legacy DDR for ISDN PRI AOC Configuration
This example shows ISDN PRI configured on an E1 controller. Legacy DDR is configured on the ISDN
D channel (serial interface 0:15) and propagates to all ISDN B channels. A static dialer idle-timeout is
configured for all incoming calls on the B channels, but the map classes are configured independently
of it. Map classes Kappa and Beta use AOC charging unit duration to calculate the timeout for the call.
A short-hold idle timer is set so that if the line is idle for 10 or more seconds, the call is disconnected
when the current charging period ends. Map class Iota uses a static idle timeout.
version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname A
!
username c2503isdn password 7 1511021F0725
username B password 7 110A1016141D29
username C password 7 1511021F072508
isdn switch-type primary-net5
!
controller E1 0
pri-group timeslots 1-31
!
interface Serial 0:15
ip address 10.0.0.35 255.0.0.0
encapsulation ppp
dialer idle-timeout 150
dialer map ip 10.0.0.33 name c2503isdn class Iota 06966600050
dialer map ip 10.0.0.40 name B class Beta 778578
dialer map ip 10.0.0.45 name C class Kappa 778579
dialer-group 1
ppp authentication chap
!
map-class dialer Kappa
dialer idle-timeout 300
dialer isdn short-hold 120
!
map-class dialer Iota
dialer idle-timeout 300
!
map-class dialer Beta
dialer idle-timeout 300
dialer isdn short-hold 90
!
dialer-list 1 protocol ip permit
Using Dialer Profiles for ISDN BRI AOC Configuration
This example shows ISDN BRI configured as a member of two dialer pools for dialer profiles.
version 11.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname delorean
!
username spanky password 7 0705344245
username delorean password 7 1511021F0725
isdn switch-type basic-net3
!
interface BRI0
description Connected to NTT 81012345678901
no ip address
dialer pool-member 1 max-link 1
dialer pool-member 2 max-link
encapsulation ppp
no fair-queue
!
interface Dialer1
ip address 10.1.1.8 255.255.255.0
encapsulation ppp
dialer remote-name spanky
dialer string 81012345678902 class Omega
dialer pool 1
dialer-group 1
ppp authentication chap
!
interface Dialer2
ip address 10.1.1.8 255.255.255.0
encapsulation ppp
dialer remote-name dmsisdn
dialer string 81012345678902 class Omega
dialer string 14153909503 class Gamma
dialer pool 2
dialer-group 1
ppp authentication chap
!
map-class dialer Omega
dialer idle-timeout 60
dialer isdn short-hold 150
!
map-class dialer Gamma
dialer isdn short-hold 60
!
dialer-list 1 protocol ip permit
ISDN NFAS Configuration Examples
This section provides the following configuration examples:
• NFAS Primary and Backup D Channels
• PRI Interface Service State
• NTT PRI NFAS Primary D Channel Example
NFAS Primary and Backup D Channels
The following example configures ISDN PRI and NFAS on three T1 controllers of a Cisco 7500 series
router. The NFAS primary D channel is configured on the 1/0 controller, and the NFAS backup D channel
is configured on the 1/1 controller. No NFAS D channel is configured on the 2/0 controller; it is
configured for 24 B channels. Once the NFAS primary D channel is configured, it is the only interface
you see and need to configure; DDR configuration for the primary D channel—which is distributed to
all B channels—is also included in this example.
isdn switch-type primary-4ess
!
! NFAS primary D channel on the channelized T1 controller in 1/0.
controller t1 1/0
framing esf
linecode b8zs
pri-group timeslots 1-24 nfas_d primary nfas_interface 0 nfas_group 1
!
! NFAS backup D channel on the channelized T1 controller in 1/1.
controller t1 1/1
framing esf
linecode b8zs
pri-group timeslots 1-24 nfas_d backup nfas_interface 1 nfas_group 1
!
! NFAS 24 B channels on the channelized T1 controller in 2/0.
controller t1 2/0
framing esf
linecode b8zs
pri-group timeslots 1-24 nfas_d none nfas_interface 2 nfas_group 1
!
! NFAS primary D channel interface configuration for PPP and DDR. This
! configuration is distributed to all the B channels in NFAS group 1 on the
! three channelized T1 controllers.
!
interface Serial 1/0:23
ip address 10.1.1.2 255.255.255.0
no ip mroute-cache
encapsulation ppp
dialer map ip 10.1.1.1 name flyboy 567898
dialer map ip 10.1.1.3 name flyboy 101112345678
dialer map ip 10.1.1.4 name flyboy 01112345678
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap
PRI Interface Service State
The following example puts the entire PRI interface back in service after it previously had been taken
out of service:
isdn service dsl 0 b-channel 0 state 0
NTT PRI NFAS Primary D Channel Example
The following example configures ISDN PRI and NFAS on three T1 controllers of a Cisco 7500 series
router. The NFAS primary D channel is configured on the 1/0 controller. No NFAS D channel is
configured on the 1/1 and 2/0 controllers; they are configured for 24 B channels. Once the NFAS primary
D channel is configured, it is the only interface you see and need to configure. DDR configuration for
the primary D channel—which is distributed to all B channels—is also included in this example.
isdn switch-type primary-ntt
!
! NFAS primary D channel on the channelized T1 controller in 1/0.
controller t1 1/0
framing esf
linecode b8zs
pri-group timeslots 1-24 nfas_d primary nfas_interface 0 nfas_group 1
!
! NFAS 24 B channels on the channelized T1 controller in 1/1 (NTT PRI NFAS supports no backup D channel).
controller t1 1/1
framing esf
linecode b8zs
pri-group timeslots 1-24 nfas_d none nfas_interface 1 nfas_group 1
!
! NFAS 24 B channels on the channelized T1 controller in 2/0.
controller t1 2/0
framing esf
linecode b8zs
pri-group timeslots 1-24 nfas_d none nfas_interface 2 nfas_group 1
!
! NFAS primary D channel interface configuration for PPP and DDR. This
! configuration is distributed to all the B channels in NFAS group 1 on the
! three channelized T1 controllers.
!
interface Serial 1/0:23
ip address 10.1.1.2 255.255.255.0
no ip mroute-cache
encapsulation ppp
dialer map ip 10.1.1.1 name flyboy 567898
dialer map ip 10.1.1.3 name flyboy 101112345678
dialer map ip 10.1.1.4 name flyboy 01112345678
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap
Configuring Network Side ISDN PRI Signaling,
Trunking, and Switching
This chapter describes the Network Side ISDN PRI Signaling, Trunking, and Switching feature. The
following main sections are provided:
• Network Side ISDN PRI Signaling Overview
• How to Configure Network Side ISDN PRI
• Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching
For hardware technical descriptions and for information about installing the controllers and interfaces,
refer to the hardware installation and maintenance publication for your particular product.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the ISDN PRI commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
Network Side ISDN PRI Signaling Overview
The Network Side ISDN PRI Signaling, Trunking, and Switching feature enables Cisco IOS software to
replicate the public switched network interface to a PBX that is compatible with the National ISDN (NI)
switch types and European Telecommunications Standards Institute (ETSI) Net5 switch types.
Routers and PBXs are both traditionally customer premises equipment (CPE) devices with respect to the
public switched network interfaces. However, for Voice over IP (VoIP) applications, it is desirable to
interface access servers to PBXs with the access server representing the public switched network.
Enterprise organizations use the current VoIP features with Cisco products as a method to reduce costs
for long distance phone calls within and outside their organizations. However, there are times that a call
cannot go over VoIP and the call needs to be placed using the Public Switched Telephone Network
(PSTN). The customer then must have two devices connected to a PBX to allow some calls to be placed
using VoIP and some calls to be placed over the PSTN. In contrast, this feature allows Cisco access
servers to connect directly to user-side CPE devices such as PBXs and allows voice calls and data calls
to be placed without requiring two different devices to be connected to the PBXs.
The Network Side ISDN PRI Signaling, Trunking, and Switching feature provides the following
benefits:
• Allows you to bypass PSTN tariffed services such as trunking and administration, thus extending
the cost savings of VoIP.
• Allows your PBXs to be connected directly to a Cisco access server, so PBX station calls can be
routed automatically to the IP network without the need for special IP telephones.
• Provides flexibility in network design.
• Enables you to block calls selectively based on the called number or the calling number.
Call Switching Using Dial Peers
Call switching using dial peers enables Cisco VoIP gateways to switch both voice and data calls between
different interfaces based on the dial peer matching. An incoming call is matched against configured dial
peers, and based on the configured called number, the outgoing interface is selected. Any call that arrives
from an ISDN PRI network side on a supported platform is either terminated on the access server,
switched to an IP network, or switched to the PSTN, depending on the configuration.
Note An incoming call will be switched or processed as a voice call only if it matches a dial peer.
A dial peer is an addressable call endpoint identified, for example, by a phone number or a port number.
In VoIP, there are two kinds of dial peers: plain old telephone service (POTS) and VoIP. Dial peers are
defined from the perspective of the access server and are used for both inbound and outbound call legs.
An inbound call leg originates outside the access server. An outbound call leg originates from the access
server.
For inbound call legs, a dial peer might be associated with the calling number or the port designation.
Outbound call legs always have a dial peer associated with them. The destination pattern (a defined
initial part of a phone number) is used to identify the outbound dial peer. The call is associated with the
outbound dial peer at setup time.
POTS dial peers associate a telephone number with a particular voice port so that incoming calls for that
telephone number can be received and outgoing calls can be placed.
Additional information about dial peers can be found in the chapter “Configuring Dial Plans, Dial Peers,
and Digit Manipulation” in the Cisco IOS Voice, Video, and Fax Configuration Guide, Release 12.2.
Trunk Group Resource Manager
The Trunk Group Resource Manager (TGRM) supports the logical grouping, configuration, and joint
management of one or more PRI interfaces. The TGRM is used to store configuration information and
to accept or select an interface from a trunk group when requested. A trunk group is provisioned as the
target of a dial peer, and the TGRM transparently selects the specific PRI interface and channels to use
for incoming or outgoing calls. Trunks are selected based on usage: The trunk that is least used is
selected.
Using trunk groups simplifies the task of configuring dial peers and PRI interfaces, and also enables the
dynamic selection of PRI interfaces as needed in the access server.
A trunk group can include any number of PRI interfaces, but all the interfaces in a trunk group must use
the same type of signaling.
Class of Restrictions
The class of restrictions (COR) functionality provides the ability to deny certain call attempts based on
the incoming and outgoing class of restrictions provisioned on the dial peers. This functionality provides
flexibility in network design, allows users to block calls (for example, to 900 numbers), and applies
different restrictions to call attempts from different originators.
COR is used to specify which incoming dial peer can use which outgoing dial peer to make a call. Each
dial peer can be provisioned with an incoming and an outgoing COR list. The incoming COR list
indicates the capability of the dial peer to initiate certain classes of calls. The outgoing COR list
indicates the capability required for an incoming dial peer to deliver a call via this outgoing dial peer. If
the capabilities of the incoming dial peer are not the same or a superset of the capabilities required by
the outgoing dial peer, the call cannot be completed using this outgoing dial peer.
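As an added illustration of the call switching, Trunk Group Resource Manager and class of restrictions rules described in the sections above (example code, not Cisco's implementation): a Python model that matches an outbound POTS dial peer by destination pattern, applies the COR superset check, and then picks the least-used trunk in the peer's trunk group subject to a max-calls limit. The dial peers, patterns, trunk names and the "premium" class name are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class DialPeer:
    tag: int
    destination_pattern: str               # leading digits of the called number
    trunk_group: Optional[int] = None      # target trunk group for outbound legs
    cor_incoming: frozenset = frozenset()  # classes this peer may initiate
    cor_outgoing: frozenset = frozenset()  # classes required to use this peer


@dataclass
class Trunk:
    name: str                        # PRI D-channel interface, e.g. "Serial1/0/0:23"
    active_calls: int = 0
    max_calls: Optional[int] = None  # None: no max-calls restriction configured


@dataclass
class TrunkGroup:
    number: int
    trunks: list = field(default_factory=list)

    def select(self) -> Optional[Trunk]:
        """TGRM rule from the page: the least-used trunk is selected.
        Trunks that have reached their max-calls limit are skipped."""
        usable = [t for t in self.trunks
                  if t.max_calls is None or t.active_calls < t.max_calls]
        return min(usable, key=lambda t: t.active_calls) if usable else None


def match_outbound_peer(called: str, peers: list) -> Optional[DialPeer]:
    """Longest matching destination pattern wins. No match means the call is
    not switched (page: a call is switched only if it matches a dial peer)."""
    hits = [p for p in peers if called.startswith(p.destination_pattern)]
    return max(hits, key=lambda p: len(p.destination_pattern)) if hits else None


def cor_permits(incoming: DialPeer, outgoing: DialPeer) -> bool:
    """COR check as stated on the page: the incoming peer's capabilities must be
    the same as, or a superset of, those the outgoing peer requires. An
    outgoing peer with no COR list requires nothing."""
    return outgoing.cor_outgoing <= incoming.cor_incoming


def route_call(called: str, incoming: DialPeer, peers: list,
               groups: dict) -> Tuple[str, object]:
    """Returns (status, detail): ('switched', trunk name), ('no-peer', None),
    ('cor-denied', outgoing tag) or ('no-trunk', outgoing tag)."""
    outgoing = match_outbound_peer(called, peers)
    if outgoing is None:
        return ("no-peer", None)
    if not cor_permits(incoming, outgoing):
        return ("cor-denied", outgoing.tag)
    group = groups.get(outgoing.trunk_group)
    trunk = group.select() if group else None
    if trunk is None:
        return ("no-trunk", outgoing.tag)
    trunk.active_calls += 1        # a channel on the chosen trunk is now in use
    return ("switched", trunk.name)


# Constructed sample provisioning (not from the page). "premium" is the class
# needed to reach 900 numbers, the page's own example of calls to block.
PEERS = [
    DialPeer(1, "1900", trunk_group=1, cor_outgoing=frozenset({"premium"})),
    DialPeer(2, "1", trunk_group=1),     # other long-distance calls
    DialPeer(3, "415", trunk_group=2),   # local calls
]
GROUPS = {
    1: TrunkGroup(1, [Trunk("Serial1/0/0:23", active_calls=5, max_calls=6),
                      Trunk("Serial1/0/1:23", active_calls=2)]),
    2: TrunkGroup(2, [Trunk("Serial1/1/0:23", active_calls=0, max_calls=1)]),
}
# Two incoming peers: a station allowed to place premium calls and one that is not.
STATION_PREMIUM = DialPeer(10, "", cor_incoming=frozenset({"premium"}))
STATION_BASIC = DialPeer(11, "")

if __name__ == "__main__":
    print(route_call("19005551234", STATION_BASIC, PEERS, GROUPS))    # cor-denied
    print(route_call("19005551234", STATION_PREMIUM, PEERS, GROUPS))  # switched
    print(route_call("4155551212", STATION_BASIC, PEERS, GROUPS))     # switched
    print(route_call("4155551212", STATION_BASIC, PEERS, GROUPS))     # no-trunk
```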
ISDN Disconnect Timers
A new disconnect timer, T306, has been added as part of the Internetworking Signaling Enhancements
for H.323 and SIP VoIP feature. This timer allows in-band announcements and tones to be played before
a call is disconnected. It is designed for routers that are configured as an ISDN network-side switch. The
T306 timer starts when the gateway receives a Disconnect message with a progress indicator of 8. The
voice path is cut-through in the backward direction, and the announcement or error tone is played until
the timer expires. When the timer expires, the voice application disconnects the call. You can configure
this timer by using the isdn t306 command. The T306 timer is supported only on routers that are
configured for network-side ISDN. The following switches support network-side ISDN:
• National ISDN
• NET3 BRI
• NET5
• QSIG
The T310 timer sets a limit for a call in the Call Proceeding state. The timer starts when the router
receives a Call Proceeding message and stops when the call moves to another phase, typically Alerting,
Connect, or Progress. If the timer expires while the call is in the Call Proceeding state, the router releases
the call. You can configure this timer by using the isdn t310 command.
How to Configure Network Side ISDN PRI
See the following sections for configuration tasks for the Network Side ISDN PRI Signaling, Trunking,
and Switching feature. Each task is identified as required or optional.
• Configuring ISDN Network Side (Required)
• Configuring Global or Interface Trunk Groups (Optional)
• Configuring Classes of Restrictions (Optional)
• Configuring ISDN T306 and T310 Timers (Optional)
• Verifying Network Side ISDN PRI Signaling, Trunking, and Switching (Optional)
The sections “Monitoring Network Side ISDN PRI” and “Monitoring TGRM” list commands that you
can use to monitor network side ISDN PRI signaling.
Configuring ISDN Network Side
Before you begin to configure the Network Side ISDN PRI Signaling, Trunking, and Switching feature,
ensure that the selected access server is in the following condition:
• The T1 or E1 controllers are operational and configured for ISDN PRI.
• The D-channel interfaces are operational and configured for ISDN PRI.
• Each D-channel interface is configured with the isdn incoming-voice modem command.
For example, the selected PRI interfaces might have a configuration similar to the following:
interface Serial1/0/0:23
no ip address
no ip directed-broadcast
isdn switch-type primary-ni
isdn protocol-emulate network
isdn incoming-voice modem
no cdp enable
Also keep the following restrictions in mind as you configure network side ISDN PRI signaling,
trunking, and switching:
• You can configure Cisco access server and access routers for either Network Side ISDN PRI for NI
or Net5 switches.
• The trunking and COR parts of the Network Side ISDN PRI Signaling, Trunking, and Switching
feature are available only on the Cisco AS5800 access server. In addition, call hairpinning without
the need of a Voice Feature Card (and its digital signal processor) is available only on the
Cisco AS5800 and Cisco AS5400. The remainder of the feature is platform-independent.
• The Cisco AS5800 and Cisco AS5400 switch both voice and data calls. The Cisco AS5300 switches
only data calls.
• On the Cisco AS5800, direct-inward-dial (DID) switched calls can work without a Voice Feature
Card, if the appropriate modem is present. Refer to the AS5800 hardware and software installation
manuals for more information.
• On the Cisco AS5400, direct-inward-dial (DID) switched calls can work with only Trunk Feature
Cards present. No Voice Feature Card or Modem Feature card are required.
• An interface that is a member of a Non-Facility Associated Signaling (NFAS) group cannot belong
to a trunk group.
• The Cisco AS5400 supports Network Side ISDN PRI Signaling and Call Switching Using Dial
Peers. It does not support Trunk Group Resource Manager and Class of Restrictions.
• The Network Side ISDN PRI part of this feature runs on any ISDN-capable platform with PRI
interfaces. The trunking and class of restrictions parts of this feature require the Cisco AS5800.
Note To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature. For more information,
see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter.
Configuring ISDN Network Side for the National ISDN Switch Type
To configure Network Side ISDN PRI, use the following commands beginning in global configuration
mode:
Command Purpose
Step 1 Router(config)# isdn switch-type type
       Sets the global ISDN switch type. Two types are supported:
       • primary-ni for NI on a T1 line
       • primary-net5 for ETSI Net5 on an E1 line
       or
       Router(config-if)# interface serial0/0/n
       Specifies the D-channel interface. For n, the D-channel number, use:
       0:23 on a T1 PRI
       0:15 on an E1 PRI
       and
       Router(config-if)# switch-type primary-ni
       Sets the switch type on the interface.
Step 2 Router(config-if)# isdn protocol-emulate network
       Enables network-side support on the PRI interface.
If you choose to configure Network Side ISDN PRI on individual interfaces in Step 1, repeat the
configuration on the additional PRI interfaces.
Configuring ISDN Network Side for ETSI Net5 PRI
To configure a Cisco access router for ISDN Network Side for ETSI Net5 PRI, you can configure the
primary-net5 switch type globally or you can configure the primary-net5 switch type on selected PRI
interfaces. To configure ISDN Network Side for Net5, use the following commands beginning in global
configuration mode:
Command Purpose
Step 1 Router(config)# isdn switch-type primary-net5
       Sets the primary-net5 global ISDN switch type.
       or
       Router(config-if)# interface serial0/0/0:15
       Specifies a D-channel interface to configure for ISDN Network Side for ETSI Net5 PRI.
       Router(config-if)# switch-type primary-net5
       Sets the primary-net5 switch type on the interface.
Step 2 Router(config-if)# isdn protocol-emulate network
       Enables network side support on the interface.
Repeat the configuration steps on all the additional PRI D-channel interfaces you want to configure for
ISDN Network Side for ETSI Net5 PRI.
Configuring Global or Interface Trunk Groups
You can create trunk groups globally (using the one-command version of Step 1) or on each interface
(using the two-command version of Step 1). To configure trunk groups, use the following commands
beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# trunk group group-number
       Defines the trunk group globally.
       or
       Router(config-if)# interface serial0/0/n
       Specifies the PRI D-channel. For n, the D-channel number, use:
       • 0:23 on a T1 PRI
       • 0:15 on an E1 PRI
       and
       Router(config-if)# trunk-group group-number
       Adds the interface to a trunk group. If the trunk group has not been defined globally, it will be
       created now.
Step 2 Router(config-if)# max-calls {voice | data | any} number [direction in | out]
       Applies a maximum number of calls restriction to the trunk group.
       This command can be repeated to apply a maximum number to different types of calls and,
       optionally, to specify whether the maximum applies to incoming or outgoing calls.
       Note Repeat Step 1 and Step 2 to create additional trunk groups and specify their restrictions, as
       needed for your traffic.
Step 3 Router(config)# dial-peer voice tag pots
       Enters dial-peer configuration mode and defines a remote dial peer.
Step 4 Router(config-dial-peer)# trunkgroup group-number
       Specifies the trunk group to be used for outgoing calls to the destination phone number.
Configuring Classes of Restrictions
To configure COR for dial peers, use the following commands beginning in global configuration mode:
Command and Purpose
Step 1
  Command: Router(config)# dial-peer cor custom
  Purpose: Specifies that named classes of restrictions apply to dial peers and changes the command
  mode to COR configuration.
Step 2
  Command: Router(config-cor)# name class-name
  Purpose: Provides a name for a custom class of restrictions.
  Note: Repeat this step for additional class names, as needed. These class names are used in various
  combinations to define the lists in Step 3 and Step 4.
Step 3
  Command: Router(config)# dial-peer cor list list-name
  Purpose: Provides a name for a list of restrictions.
Step 4
  Command: Router(config-cor)# member class-name
  Purpose: Adds a COR class to this list of restrictions. The member is a class named in Step 2.
  Note: Repeat Step 3 and Step 4 to define another list and its membership, as needed.
Step 5
  Command: Router(config)# dial-peer voice tag pots
  Purpose: Enters dial-peer configuration mode and defines a remote dial peer.
Step 6
  Command: Router(config-dial-peer)# corlist incoming cor-list-name
  Purpose: Specifies the COR list to be used when this is the incoming dial peer.
Step 7
  Command: Router(config-dial-peer)# corlist outgoing cor-list-name
  Purpose: Specifies the COR list to be used when this is the outgoing dial peer.
  Note: Repeat Step 5 through Step 7 for additional dial peers, as needed.
Configuring ISDN T306 and T310 Timers
To configure the T306 and T310 timers, use the following commands beginning in global configuration
mode:
Command and Purpose
Step 1
  Command: Router(config)# interface serial controller:timeslot
  Purpose: Enters interface configuration mode for a D-channel serial interface.
Step 2
  Command: Router(config-if)# isdn t306 milliseconds
  Purpose: Sets the number of milliseconds that the gateway waits before clearing a call after it
  receives a Disconnect message with a progress indicator of 8.
Step 3
  Command: Router(config-if)# isdn t310 milliseconds
  Purpose: Sets the number of milliseconds that the gateway waits before clearing a call after it
  receives a Call Proceeding message.
To verify that the T306 timer is configured and operating correctly, perform the following steps:
Step 1 Display the running configuration file with the show running-config privileged EXEC command. Verify
that the configuration is accurate for the T306 timer. See the “T306/T310 Timer Configuration Example”
section for a sample configuration.
Step 2 Enable the debug isdn q931 privileged EXEC command to trace the ISDN messages.
Step 3 Place a call to the gateway. Disconnect the call and allow the far end to play its error message until the
T306 timer expires. When the timer expires, the gateway should disconnect the call.
Verifying Network Side ISDN PRI Signaling, Trunking, and Switching
To learn whether the Network Side ISDN PRI Signaling, Trunking, and Switching feature is configured
successfully, perform the following steps:
Step 1 Enter the show isdn status command to learn whether an appropriate switch type is specified either
globally or on the D-channel interface:
Router# show isdn status serial 0:15
Global ISDN Switchtype = primary-net5
ISDN Serial0:15 interface
******* Network side configuration *******
dsl 0, interface ISDN Switchtype = primary-net5
Step 2 Enter the show dial-peer voice command to learn whether the trunk group COR list and permission
fields are set as desired on a dial peer:
Router# show dial-peer voice
VoiceEncapPeer210
information type = voice,
tag = 210, destination-pattern = `221',
answer-address = `', preference=0,
numbering Type = `unknown'
group = 210, Admin state is up, Operation state is up,
incoming called-number = `221', connections/maximum = 4/unlimited,
DTMF Relay = disabled,
Modem = system passthrough ,
huntstop = disabled,
application associated:
permission :both
incoming COR list:listA
outgoing COR list:minimum requirement
type = pots, prefix = `221',
forward-digits default
session-target = `', voice-port = `1/0/8:D',
direct-inward-dial = enabled,
digit_strip = enabled,
Note The above output is for a dial peer configured with incoming COR list “listA” and without
an outgoing COR list configured. When no outgoing COR list is configured, the show
dial-peer voice command displays “minimum requirement” in the outgoing COR list output.
When no incoming COR list is configured, the show dial-peer voice command displays
“maximum capability” in the incoming COR list output.
Step 3 Enter the show dial-peer cor command to display the COR names and lists you defined. For example,
if you configured COR as shown in the following sample display, the show dial-peer cor command
output reflects that configuration.
Sample Configuration
dial-peer cor custom
name 900block
name 800_call
name Catchall
!
dial-peer cor list list1
member 900block
member 800_call
!
dial-peer cor list list2
member 900block
!
dial-peer cor list list3
member 900block
member 800_call
member Catchall
Verification
Router# show dial-peer cor
Class of Restriction
name:900block
name:800_call
name:Catchall
COR list
member:900block
member:800_call
COR list
member:900block
COR list
member:900block
member:800_call
member:Catchall
Step 4 Enter the show tgrm command to verify the trunk group configuration. For example, if you configured
trunk groups as shown in the following sample display, the show tgrm command output reflects that
configuration.
Sample Configuration
interface Serial1/0/8:15
no ip address
ip mroute-cache
no keepalive
isdn switch-type primary-net5
isdn protocol-emulate network
isdn incoming-voice modem
trunk-group 2
no cdp enable
Verification
Router# show tgrm
Trunk Any in Vce in Data in
Group # Any out Vce out Data out
2 65535 65535 65535
65535 65535 65535
0 Retries
Interface Se1/0/1:15 Data = 0, Voice = 0, Free = 30
Interface Se1/0/8:15 Data = 2, Voice = 0, Free = 28
Total calls for trunk group:Data = 2, Voice = 0, Free = 58
Selected Voice Interface :Se1/0/1:15
Selected Data Interface :Se1/0/1:15
Step 5 Enter the show isdn status command to display the status of both Network Side ISDN PRI and call
switching:
Router# show isdn status
Global ISDN Switchtype = primary-net5
ISDN Serial1/0/0:15 interface
******* Network side configuration *******
dsl 0, interface ISDN Switchtype = primary-net5
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
2 Active Layer 3 Call(s)
Activated dsl 0 CCBs = 2
CCB:callid=3C71, sapi=0, ces=0, B-chan=31, calltype=data
CCB:callid=3C72, sapi=0, ces=0, B-chan=30, calltype=data
The Free Channel Mask: 0x9FFF7FFF
ISDN Serial1/0/1:15 interface
/1/0/8
filtering...
ISDN Serial1/0/8:15 interface
******* Network side configuration *******
dsl 8, interface ISDN Switchtype = primary-net5
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
2 Active Layer 3 Call(s)
Activated dsl 8 CCBs = 2
CCB:callid=BB40, sapi=0, ces=0, B-chan=1, calltype=DATA
CCB:callid=BB41, sapi=0, ces=0, B-chan=2, calltype=DATA
The Free Channel Mask: 0xFFFF7FFC
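The output above prints a Free Channel Mask for each D-channel interface but does not decode it. The following added example (not Cisco code) parses such output and cross-checks the CCB lines against the mask; it assumes, inferred from the two sample masks above, that bit n-1 is set when channel n is free and that timeslot 16 (the E1 D channel) is never reported free.

```python
"""Decoder for the 'Free Channel Mask' line in 'show isdn status' output for
an E1 PRI (added example, not Cisco code). Assumption, inferred from the two
sample masks above: bit n-1 of the mask is set when channel n is free;
timeslot 16 is the D channel and is never reported free, so the 30 B channels
are 1-15 and 17-31. The parser also checks that every CCB's B-chan is marked
busy in the mask, which a stale CCB or a mis-parsed line would violate."""
import re

E1_D_CHANNEL = 16
E1_B_CHANNELS = [n for n in range(1, 32) if n != E1_D_CHANNEL]


def free_channels(mask: int) -> list:
    return [n for n in E1_B_CHANNELS if (mask >> (n - 1)) & 1]


def busy_channels(mask: int) -> list:
    return [n for n in E1_B_CHANNELS if not (mask >> (n - 1)) & 1]


def parse_show_isdn_status(text: str) -> dict:
    """Return, per D-channel interface, the CCB B-channels, the mask (None if
    the interface block carried none) and the decoded free/busy lists."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"ISDN (Serial\S+) interface", line)
        if m:
            current = result.setdefault(m.group(1), {"ccb_channels": [], "mask": None})
            continue
        if current is None:
            continue
        m = re.search(r"B-chan=(\d+)", line)
        if m:
            current["ccb_channels"].append(int(m.group(1)))
        m = re.search(r"Free Channel Mask: (0x[0-9A-Fa-f]+)", line)
        if m:
            current["mask"] = int(m.group(1), 16)
    for info in result.values():
        if info["mask"] is not None:
            info["free"] = free_channels(info["mask"])
            info["busy"] = busy_channels(info["mask"])
            info["consistent"] = sorted(info["ccb_channels"]) == info["busy"]
    return result


# Constructed copy of the show isdn status output shown above.
SAMPLE_OUTPUT = """\
Global ISDN Switchtype = primary-net5
ISDN Serial1/0/0:15 interface
    ******* Network side configuration *******
    dsl 0, interface ISDN Switchtype = primary-net5
    Layer 3 Status:
        2 Active Layer 3 Call(s)
        CCB:callid=3C71, sapi=0, ces=0, B-chan=31, calltype=data
        CCB:callid=3C72, sapi=0, ces=0, B-chan=30, calltype=data
        The Free Channel Mask: 0x9FFF7FFF
ISDN Serial1/0/1:15 interface
/1/0/8
filtering...
ISDN Serial1/0/8:15 interface
    ******* Network side configuration *******
    dsl 8, interface ISDN Switchtype = primary-net5
    Layer 3 Status:
        2 Active Layer 3 Call(s)
        CCB:callid=BB40, sapi=0, ces=0, B-chan=1, calltype=DATA
        CCB:callid=BB41, sapi=0, ces=0, B-chan=2, calltype=DATA
        The Free Channel Mask: 0xFFFF7FFC
"""

if __name__ == "__main__":
    for iface, info in parse_show_isdn_status(SAMPLE_OUTPUT).items():
        print(iface, info)
```

The decoded free count for Serial1/0/8:15 (28) agrees with the Free = 28 that show tgrm reported for the same interface above.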
Monitoring Network Side ISDN PRI
To monitor Network Side ISDN PRI, use the following commands in EXEC mode as needed:
Command and Purpose
  Command: Router# show controllers e1 slot/port
  Purpose: Checks Layer 1 (physical layer) of the PRI over E1.
  Command: Router# show controllers e1 number call-counters
  Purpose: Displays the number of calls and call durations on an E1 controller.
  Command: Router# show interfaces serial slot/port bchannel channel-number
  Purpose: Displays information about the physical attributes of the ISDN PRI over channelized E1 B
  and D channels.
  Command: Router# show isdn {active | history | memory | services | status [dsl | interface-type number] | timers}
  Purpose: Displays information about memory, Layer 2 and Layer 3 timers, and the status of PRI
  channels.
Monitoring TGRM
To monitor and maintain the Trunk Group Resource Manager, use the following command in EXEC
mode:
Command and Purpose
  Command: Router# show tgrm
  Purpose: Displays TGRM information for debugging purposes.
Configuration Examples for Network Side ISDN PRI Signaling,
Trunking, and Switching
This section provides the following configuration examples:
• Call Switching and Dial Peers Configuration on T1/T3 Example
• Trunk Group Configuration Example
• COR for Dial Peer Configuration Example
• COR Based on Outgoing Dial Peers Example
• Dial Peers and Trunk Groups for Special Numbers Examples
• ISDN Network Side for ETSI Net5 PRI Configuration on E1 Example
• T306/T310 Timer Configuration Example
Call Switching and Dial Peers Configuration on T1/T3 Example
The following example enables Network Side ISDN PRI, call switching, and dial peers:
isdn switch-type primary-ni
!
controller T1 1/0/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
interface Serial1/0/0:23
no ip address
no ip directed-broadcast
isdn switch-type primary-ni
isdn protocol-emulate network
isdn incoming-voice modem
no cdp enable
!
dial-peer voice 11 pots
incoming called-number 222
destination-pattern 222
direct-inward-dial
port 1/0/0:D
prefix 555
Trunk Group Configuration Example
The following trunk group allows only voice calls:
trunk group 1
max-calls data 0
!
The following trunk group allows a maximum of 20 outgoing voice calls:
trunk group 2
max-calls voice 20 direction out
!
The following trunk group allows a maximum of 50 incoming calls:
trunk group 3
max-calls any 50 direction in
!
The following trunk group allows a maximum of 100 calls, 30 of which can be voice (incoming or
outgoing), and 60 of which can be incoming data (the remaining 10 will be unused):
trunk group 4
max-calls any 100
max-calls voice 30
max-calls data 60 direction in
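To make the interaction of these restrictions concrete, here is an added example (not Cisco code and not part of this guide) that parses the four trunk groups above and simulates call admission against their max-calls limits. It assumes a simplified model of TGRM, not its implementation: a call is admitted only when every restriction that covers its type and direction still has headroom, and a limit without a direction counts incoming and outgoing calls together.

```python
"""Simplified model of trunk-group 'max-calls' admission (added example, not
Cisco code). Each restriction covers one call type ('voice', 'data' or 'any')
and optionally one direction; a new call is admitted only if every restriction
that covers its type and direction still has headroom. A limit with no
direction counts incoming and outgoing calls together."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class MaxCalls:
    call_type: str                   # "voice", "data" or "any"
    limit: int
    direction: Optional[str] = None  # "in", "out" or None (both directions)

    def covers(self, call_type: str, direction: str) -> bool:
        return (self.call_type in ("any", call_type)
                and self.direction in (None, direction))


@dataclass
class TrunkGroup:
    number: int
    restrictions: list = field(default_factory=list)
    active: list = field(default_factory=list)  # (call_type, direction) per live call

    def in_use(self, rule: MaxCalls) -> int:
        return sum(1 for ct, d in self.active if rule.covers(ct, d))

    def admit(self, call_type: str, direction: str) -> bool:
        """Admit and record the call, or reject it without changing state."""
        for rule in self.restrictions:
            if rule.covers(call_type, direction) and self.in_use(rule) >= rule.limit:
                return False
        self.active.append((call_type, direction))
        return True

    def release(self, call_type: str, direction: str) -> None:
        self.active.remove((call_type, direction))


def parse_trunk_groups(config: str) -> dict:
    """Read 'trunk group N' blocks and their 'max-calls' lines from IOS-style
    configuration text; all other lines are ignored."""
    groups, current = {}, None
    for raw in config.splitlines():
        w = raw.split()
        if w[:2] == ["trunk", "group"]:
            current = groups.setdefault(int(w[2]), TrunkGroup(int(w[2])))
        elif w[:1] == ["max-calls"] and current is not None:
            direction = w[4] if len(w) >= 5 and w[3] == "direction" else None
            current.restrictions.append(MaxCalls(w[1], int(w[2]), direction))
    return groups


# Constructed sample: the four trunk groups shown above.
SAMPLE_CONFIG = """\
trunk group 1
 max-calls data 0
!
trunk group 2
 max-calls voice 20 direction out
!
trunk group 3
 max-calls any 50 direction in
!
trunk group 4
 max-calls any 100
 max-calls voice 30
 max-calls data 60 direction in
"""


def offer_calls(group: TrunkGroup, call_type: str, direction: str, count: int) -> int:
    """Offer `count` calls of one kind and return how many were admitted."""
    return sum(group.admit(call_type, direction) for _ in range(count))


def demo() -> dict:
    groups = parse_trunk_groups(SAMPLE_CONFIG)
    return {
        "tg1_data_in": offer_calls(groups[1], "data", "in", 5),       # 0: data is blocked
        "tg1_voice_in": offer_calls(groups[1], "voice", "in", 5),     # 5: voice unrestricted
        "tg2_voice_out": offer_calls(groups[2], "voice", "out", 25),  # 20
        "tg2_voice_in": offer_calls(groups[2], "voice", "in", 25),    # 25: limit is outgoing only
        "tg3_voice_in": offer_calls(groups[3], "voice", "in", 60),    # 50
        "tg4_voice_out": offer_calls(groups[4], "voice", "out", 40),  # 30
        "tg4_data_in": offer_calls(groups[4], "data", "in", 70),      # 60
    }


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name}: {admitted} admitted")
```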
COR for Dial Peer Configuration Example
The following example defines trunk group 101, establishes Network Side ISDN PRI on two PRI
interfaces, and assigns both interfaces to trunk group 101. In addition, it establishes three COR lists, and
specifies which incoming dial peers can make calls to 800 and which can make calls to 900 area codes.
This example adopts a useful mnemonic pattern: the dial-peer voice tags for incoming calls correspond
to the answer address (the phone number being called) and the dial-peer voice tags for outgoing calls
correspond to the destination pattern.
trunk group 101
!
interface Serial1/0/0:23
no ip address
no ip directed-broadcast
isdn switch-type primary-ni
isdn protocol-emulate network
isdn incoming-voice modem
no cdp enable
trunk-group 101
!
interface Serial1/0/1:23
no ip address
no ip directed-broadcast
isdn switch-type primary-ni
isdn protocol-emulate network
isdn incoming-voice modem
no cdp enable
trunk-group 101
!
dial-peer cor custom
name 900_call
name 800_call
!
dial-peer cor list list1
member 900_call
!
dial-peer cor list list2
member 800_call
!
dial-peer cor list list3
member 900_call
member 800_call
!
dial-peer voice 525 pots
answer-address 408525....
corlist incoming list3
direct-inward-dial
!
dial-peer voice 526 pots
answer-address 408526....
corlist incoming list2
direct-inward-dial
!
dial-peer voice 900 pots
destination-pattern 1900.......
direct-inward-dial
trunkgroup 101
prefix 333
corlist outgoing list1
!
dial-peer voice 12345 pots
destination-pattern .T
direct-inward-dial
trunkgroup 202
!
COR Based on Outgoing Dial Peers Example
A typical application of COR is to define a COR name for the number that an outgoing dial peer serves,
then define a list that contains only that COR name, and assign that list as corlist outgoing for this
outgoing dial peer. For example, dial peer with destination pattern 5x can have a corlist outgoing that
contains COR 5x.
The next step, in the typical application, is to determine how many call permission groups are needed,
and define a COR list for each group. For example, group A is allowed to call 5x and 6x, and group B is
allowed to call 5x, 6x, and 1900x. Then, for each incoming dial peer, we can assign a group for it, which
defines what number an incoming dial peer can call. Assigning a group means assigning a corlist
incoming to this incoming dial peer.
config terminal
dial-peer cor custom
name 5x
name 6x
name 1900x
!
dial-peer cor list listA
member 5x
member 6x
!
dial-peer cor list listB
member 5x
member 6x
member 1900x
!
dial-peer cor list list5x
member 5x
!
dial-peer cor list list6x
member 6x
!
dial-peer cor list list1900x
member 1900x
! outgoing dialpeer 100, 200, 300
dial-peer voice 100 pots
destination-pattern 5T
corlist outgoing list5x
dial-peer voice 200 pots
destination-pattern 6T
corlist outgoing list6x
dial-peer voice 300 pots
destination-pattern 1900T
corlist outgoing list1900x
!
! incoming dialpeer 400, 500
dial-peer voice 400 pots
answer-address 525....
corlist incoming listA
dial-peer voice 500 pots
answer-address 526....
corlist incoming listB
In this example, calls from 525xxxx are not able to use dial peer 300, which means they will not be able
to make 1900 calls (long distance calls to the 900 area code). But calls from 526xxxx can make
1900 calls.
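The permission check this example relies on, as an added example that is not Cisco code: a parser for the COR configuration above plus a check that a call from an incoming dial peer may use an outgoing dial peer only when the incoming COR list is a superset of the outgoing one, with the "maximum capability" and "minimum requirement" defaults described under show dial-peer voice. Longest-pattern dial-peer selection and the handling of "." and "T" in patterns are simplifications assumed here.

```python
"""Model of Class of Restrictions (COR) checking between POTS dial peers (added
example, not Cisco code). A call is permitted when the incoming dial peer's COR
list is a superset of the outgoing peer's; no incoming list means 'maximum
capability' and no outgoing list 'minimum requirement', so both permit."""
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DialPeer:
    tag: int
    destination_pattern: Optional[str] = None
    answer_address: Optional[str] = None
    corlist_in: Optional[str] = None
    corlist_out: Optional[str] = None

@dataclass
class CorConfig:
    classes: set = field(default_factory=set)   # names under 'dial-peer cor custom'
    lists: dict = field(default_factory=dict)   # COR list name -> set of class names
    peers: dict = field(default_factory=dict)   # dial-peer tag -> DialPeer

def parse_config(text: str) -> CorConfig:
    """Read COR classes, lists and POTS dial peers from IOS-style config text;
    a 'member' naming an undefined class is rejected rather than ignored."""
    cfg, cur_list, cur_peer = CorConfig(), None, None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"): continue
        if w[:3] == ["dial-peer", "cor", "custom"]:
            cur_list = cur_peer = None
        elif w[:3] == ["dial-peer", "cor", "list"]:
            cur_list, cur_peer = w[3], None
            cfg.lists.setdefault(cur_list, set())
        elif w[:2] == ["dial-peer", "voice"]:
            cur_list, cur_peer = None, DialPeer(int(w[2]))
            cfg.peers[cur_peer.tag] = cur_peer
        elif w[0] == "name":
            cfg.classes.add(w[1])
        elif w[0] == "member" and cur_list is not None:
            if w[1] not in cfg.classes:
                raise ValueError(f"COR list {cur_list}: undefined class {w[1]}")
            cfg.lists[cur_list].add(w[1])
        elif cur_peer is not None and w[0] in ("destination-pattern", "answer-address"):
            setattr(cur_peer, w[0].replace("-", "_"), w[1])
        elif cur_peer is not None and w[0] == "corlist":
            setattr(cur_peer, "corlist_in" if w[1] == "incoming" else "corlist_out", w[2])
    return cfg

def select_peer(cfg: CorConfig, attr: str, number: str) -> Optional[DialPeer]:
    """Longest explicit matching pattern wins (simplified IOS dial-peer matching);
    '.' matches one digit, a trailing 'T' any further digits (interdigit timeout)."""
    def matches(pattern: str) -> bool:
        body = "".join(r"\d" if c == "." else r"\d*" if c == "T" else re.escape(c)
                       for c in pattern)
        return re.fullmatch(body, number) is not None
    hits = [p for p in cfg.peers.values() if getattr(p, attr) and matches(getattr(p, attr))]
    return max(hits, key=lambda p: len(getattr(p, attr).rstrip("T")), default=None)

def cor_permits(cfg: CorConfig, incoming: DialPeer, outgoing: DialPeer) -> bool:
    if incoming.corlist_in is None or outgoing.corlist_out is None:
        return True  # maximum capability / minimum requirement
    return cfg.lists[outgoing.corlist_out] <= cfg.lists[incoming.corlist_in]

def route_call(cfg: CorConfig, calling: str, dialed: str) -> tuple:
    """Return (incoming peer tag, outgoing peer tag, permitted)."""
    inc = select_peer(cfg, "answer_address", calling)
    out = select_peer(cfg, "destination_pattern", dialed)
    if inc is None or out is None:
        return (None, None, False)
    return (inc.tag, out.tag, cor_permits(cfg, inc, out))

# Constructed sample, from the 'COR Based on Outgoing Dial Peers' example above.
SAMPLE_CONFIG = """\
dial-peer cor custom
 name 5x
 name 1900x
dial-peer cor list listA
 member 5x
dial-peer cor list listB
 member 5x
 member 1900x
dial-peer cor list list5x
 member 5x
dial-peer cor list list1900x
 member 1900x
dial-peer voice 100 pots
 destination-pattern 5T
 corlist outgoing list5x
dial-peer voice 300 pots
 destination-pattern 1900T
 corlist outgoing list1900x
dial-peer voice 400 pots
 answer-address 525....
 corlist incoming listA
dial-peer voice 500 pots
 answer-address 526....
 corlist incoming listB
"""
```

Running route_call over the sample reproduces the text: a caller in 525xxxx reaches dial peer 300 only to be refused, while 526xxxx is permitted.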
Dial Peers and Trunk Groups for Special Numbers Examples
The following partial examples show setups for handling special numbers such as the 911 emergency
number, the 0 local operator number, the 00 long-distance operator number, and so forth. “T” in these
examples stands for the “interdigital timeout.” Calls to emergency numbers should not wait for this
timeout, so 911 is used as the destination pattern, not 911T.
This partial example sets up a trunk group to handle calls going to the operator (0):
dial-peer voice 100 pots
destination-pattern 0T
trunkgroup 203
!
The following partial example sets up a trunk group to handle calls to the long distance operator (00):
dial-peer voice 200 pots
destination-pattern 00T
trunkgroup 205
!
The following partial example sets up a trunk group to handle calls to the international direct dial (011):
dial-peer voice 300 pots
destination-pattern 011T
trunkgroup 207
!
The following partial example sets up a trunk group to handle street line calls (calls that get a dial tone
for an outside line):
dial-peer voice 400 pots
destination-pattern 9T
trunkgroup 209
!
The following partial example sets up a trunk group to handle calls for directory assistance:
dial-peer voice 500 pots
destination-pattern 411
trunkgroup 211
!
The following partial example sets up a trunk group to handle calls to the 911 emergency number.
Emergency calls will not require a wait for the interdigital timeout to expire. They will be completed
immediately.
dial-peer voice 600 pots
destination-pattern 911
trunkgroup 333
ISDN Network Side for ETSI Net5 PRI Configuration on E1 Example
The following example enables the ISDN Network Side for ETSI Net5 PRI feature on an access server
on which ISDN PRI is already configured and operational. In this example, the Net5 PRI switch type is
set on the D-channel interface, and the global interface type is not shown.
controller e1 0
pri-group timeslots 1-31
exit
!
interface serial0:15
no ip address
no ip directed-broadcast
ip mroute-cache
isdn switch-type primary-net5
isdn protocol-emulate network
T306/T310 Timer Configuration Example
The following example configures the T306 and T310 disconnect timers:
interface Serial0:23
no ip address
no ip directed-broadcast
encapsulation ppp
dialer rotary-group 0
isdn switch-type primary-5ess
isdn incoming-voice modem
isdn t306 60000
isdn t310 40000
Dial-on-Demand Routing Configuration
DC-345
Cisco IOS Dial Technologies Configuration Guide
Preparing to Configure DDR
This chapter presents the decisions and preparations leading to a dial-on-demand routing (DDR)
configuration and shows where some advanced features fit into the DDR configuration steps. It
distinguishes between the topology decisions and the implementation of the decisions. In the
implementation phase, it distinguishes the DDR-independent decisions from the DDR-dependent
decisions.
This chapter provides the following information:
• DDR Decision Flowchart—A flowchart of topology and implementation decisions that you will
need to make before you configure DDR.
• DDR Topology Decisions, DDR-Independent Implementation Decisions, and DDR-Dependent
Implementation Decisions—References to sources of detailed information for the configuration
steps associated with each decision.
• Global and Interface Preparations for DDR—Brief description indicating which preparations are
global and which are interface-specific.
• Preparations for Routing or Bridging over DDR—A description of the steps required for bridging
or routing over DDR.
The section “Configuration Examples for Legacy DDR” at the end of this chapter provides examples of
configuring DDR in your network, and includes line configuration and chat script samples.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the global dialer commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
DDR Decision Flowchart
This section provides a flowchart of the decisions to be made before and while you configure DDR.
Figure 48 presents the entire decision flowchart. The decision phases are shown in separate boxes.
Numbers in parentheses refer to notes, which follow the figure.
Figure 48 Decisions and Implementation Flow to DDR
[Flowchart; the image is not reproduced. Topology decisions: who places and who receives calls? which
routers? which media? Topology implementation (1): async, sync, ISDN. DDR-independent
implementation: which encapsulation (2): HDLC, PPP, LAPB, X.25, FR; route or bridge (3): bridging
configuration; which routed protocol (4): IP, IPX, AT. DDR-dependent implementation: legacy DDR or
dialer profiles (5); simple or complex (6): hub, spoke, bandwidth on demand, MLP, BACP, MMP, dial
backup.]
Flowchart Notes
The DDR chapters do not provide complete configuration information for most of the items in the
following list. However, detailed information is available in other chapters and publications. The
numbers in this list correspond to the circled numbers in the flowchart.
1. Configuration of the dial port and interface. The port, line, and interface are expected to be
configured and operational before you configure DDR. See the relevant chapters in the “Preparing
for Dial Access” part of this manual.
2. Encapsulation, including encapsulation for other WANs. See the “Configuring Media-Independent
PPP and Multilink PPP” chapter of this publication for PPP encapsulation and refer to the Cisco IOS
Wide-Area Networking Configuration Guide for sections on Frame Relay and X.25.
3. Bridging configurations. Refer to the Cisco IOS Bridging and IBM Networking Configuration
Guide.
4. Routed protocols to be supported. See the protocol-specific chapters and publications.
5. Dialer profiles and legacy DDR are described in different chapters of the “Dial-on-Demand
Routing” part of this publication.
6. Complex DDR configurations. Refer to the chapter “Configuring Media-Independent PPP and
Multilink PPP” in this publication.
The DDR chapters provide complete configuration information about the simple hub-and-spoke DDR
configurations, about the dialer profiles implementation of DDR, and about preparations required for
configuring asynchronous interfaces for DDR.
DDR Topology Decisions
Topology decisions determine which routers will use DDR, which media and interfaces each one will
use for DDR, and how each interface will function when using DDR. For example, if you choose a
hub-and-spoke topology, one router will communicate with multiple routers. You must decide whether
that router will use one interface or multiple interfaces for DDR, and whether it will receive calls only
(forcing the spokes to initiate and bear the cost of calls). If it will use multiple interfaces, you must
decide whether they will be of different types or the same type.
DDR-Independent Implementation Decisions
DDR-independent implementation decisions include the following:
• Using a specific interface or combination of interfaces for DDR.
For complete configuration steps for the various media and interfaces, see the chapters in the
“Dial-In Port Setup” part of this publication.
• Using nondefault encapsulations.
The default encapsulation is High-Level Data Link Control (HDLC). However, PPP is widely used
for situations in which authentication is desired, especially situations in which an interface will
receive calls from multiple sites. Detailed PPP encapsulation requirements are described in the
“Configuring Media-Independent PPP and Multilink PPP” and “Configuring Asynchronous PPP
and SLIP” chapters of this publication.
If you decide to send DDR traffic over Frame Relay, X.25, or Link Access Procedure, Balanced
(LAPB) networks, the interface must be configured with the appropriate encapsulation. For
configuration details, refer to the related chapters in the Cisco IOS Wide-Area Networking
Configuration Guide.
• Routing or bridging the DDR traffic.
Legacy DDR supports bridging to only one destination, but the dialer profiles support bridging to
multiple destinations.
If you decide to bridge traffic over a dial-on-demand connection, configure the interface for
transparent bridging. For detailed information, refer to the “Configuring Transparent Bridging”
chapter of the Cisco IOS Bridging and IBM Networking Configuration Guide.
• Supporting one or more specific routed protocols, if you decide to route traffic.
Depending on the protocol, you need to control access by defining access lists and to decide how
to support network addressing on an interface to be configured for DDR. You might also need to
spoof keepalive or other packets. For configuration details, refer to the related network protocol
chapters in the appropriate network protocols configuration guide, such as the Cisco IOS AppleTalk
and Novell IPX Configuration Guide.
DDR-Dependent Implementation Decisions
You must decide whether to implement legacy DDR or the newer dialer profiles; both are documented
in the “Dial-on-Demand Routing” part of this publication. You must also decide whether a simple DDR
configuration meets your business needs or whether to add other features.
Dialer Profiles
The dialer profiles implementation of DDR is based on a separation between logical and physical
interface configuration. Dialer profiles also allow the logical and physical configurations to be bound
together dynamically on a per-call basis.
Dialer profiles are advantageous in the following situations:
• When you want to share an interface (ISDN, asynchronous, or synchronous serial) to place or
receive calls.
• When you want to change any configuration on a per-user basis.
• When you want to maximize ISDN channel usage using the Dynamic Multiple Encapsulations
feature to configure various encapsulation types and per-user configurations on the same ISDN B
channel at different times according to the type of call.
• When you want to bridge to many destinations, and to avoid the split horizon problem.
Most routed protocols are supported; however, International Organization for Standardization
Connectionless Network Service (ISO CLNS) is not supported.
If you decide to configure dialer profiles, you must disable validation of source addresses for the routed
protocols you support.
For detailed dialer profiles information, see the “Configuring Peer-to-Peer DDR with Dialer Profiles”
chapter in this publication. For more information about Dynamic Multiple Encapsulations, see the “How
to Configure Dialer Profiles” section in that chapter.
Legacy DDR
Legacy DDR is powerful and comprehensive, but its limitations affect scaling and extensibility. Legacy
DDR is based on a static binding between the per-destination call specification and the physical interface
configuration.
However, legacy DDR also has many strengths. It supports Frame Relay, ISO CLNS, LAPB, snapshot
routing, and all routed protocols that are supported on Cisco routers. By default, legacy DDR supports
fast switching.
For information about simple legacy DDR spoke configurations, see the “Configuring Legacy DDR
Spokes” chapter. For information about simple legacy DDR hub configurations, see the “Configuring
Legacy DDR Hubs” chapter. Both chapters are in this publication.
Simple or Complex DDR Configuration
You must also decide whether to implement a simple DDR configuration—whether it is a simple
point-to-point (spoke-to-spoke) layout or a simple hub-and-spoke layout—or to add on features that
make the implementation more complex. Add-on features include dial backup, bandwidth on demand,
application of the Bandwidth Allocation Control Protocol (BACP), Multilink PPP, and many others.
Global and Interface Preparations for DDR
Some preparations are global and some depend on the type of interface you will configure for DDR.
After you have made the required global decision whether to bridge or to route a specified protocol over
a dial-on-demand link, you can make the following preparations:
• If you choose to bridge the protocol, decide whether to allow bridge packet access by Ethernet type
codes or to permit all bridge packets across the link. Allowing access by Ethernet type codes
requires you to define a bridging access list in global configuration mode.
Allowing all bridge packets to trigger calls across a dial-on-demand link to a single destination is a
DDR-dependent task addressed in the “Configure Dialer Access Lists to Trigger Outgoing Calls”
section of both the “Configuring Legacy DDR Spokes” and “Configuring Legacy DDR Hubs”
chapters in this publication.
Bridging to multiple destinations requires dialer profiles.
• If you choose to route the protocol:
– Define one or more access lists for the selected routed protocol to determine which packets
should be permitted or denied access to the dial-on-demand link.
Allowing those packets to trigger calls across a dial-on-demand link is a DDR-dependent task
addressed in the “Configure Dialer Access Lists to Trigger Outgoing Calls” section of both the
“Configuring Legacy DDR Spokes” and “Configuring Legacy DDR Hubs” chapters in this
publication.
– Define an appropriate dialer list for the protocol.
– Disable validation of source addresses, if you decide to configure dialer profiles.
Preparations Depending on the Selected Interface Type
The steps shown in this chapter assume that you have also completed the required preparatory steps for
the type of interface you will configure for DDR:
• The interface is installed, the cable is connected as needed, and operational.
• Chat scripts are ready, as needed, for any asynchronous interfaces and modem scripts have been
assigned to the relevant asynchronous lines.
• Asynchronous lines and modems are configured and operational, as needed.
• Any ISDN line that will be used for DDR is properly provisioned and running.
• You have decided which interfaces and how many interfaces are to be configured for DDR, and what
functions each interface will perform.
Preparations for Routing or Bridging over DDR
The following tasks are DDR-independent and can be completed before you configure DDR. Minimal
tasks required for each item are presented in this chapter. For detailed information about bridging,
routing, and wide-area networking configurations, refer to the appropriate chapters in other manuals of
the Cisco IOS documentation set.
Complete the following minimal tasks for the global decisions you have made:
• Preparing for Transparent Bridging over DDR (As required)
• Preparing for Routing over DDR (As required)
Preparing for Transparent Bridging over DDR
To prepare for transparent bridging over DDR, complete the tasks in the following sections:
• Defining the Protocols to Bridge (As required)
• Specifying the Bridging Protocol (As required)
• Controlling Bridging Access (As required)
Defining the Protocols to Bridge
IP packets are routed by default unless they are explicitly bridged; all others are bridged by default unless
they are explicitly routed. To bridge IP packets, use the following command in global configuration
mode:
Command and Purpose
  Command: Router(config)# no ip routing
  Purpose: Disables IP routing.
If you choose not to bridge another protocol supported on your network, use the relevant command to
enable routing of that protocol. For more information about tasks and commands, refer to the relevant
protocol chapter in the appropriate network protocols configuration guide, such as the Cisco IOS
AppleTalk and Novell IPX Configuration Guide or Cisco IOS IP Configuration Guide.
Specifying the Bridging Protocol
You must specify the type of spanning-tree bridging protocol to use and also identify a bridge group. To
specify the spanning-tree protocol and a bridge group number, use the following command in global
configuration mode:
Command and Purpose
  Command: Router(config)# bridge bridge-group protocol {ieee | dec}
  Purpose: Defines the type of spanning tree protocol and identifies a bridge group.
The bridge-group number is used when you configure the interface and assign it to a bridge group.
Packets are bridged only among members of the same bridge group.
Controlling Bridging Access
You can control access by defining any transparent bridge packet as interesting, or you can use the finer
granularity of controlling access by Ethernet type codes.
To control access by Ethernet type codes, use the following commands in global configuration mode:
Command and Purpose
Step 1
  Command: Router(config)# access-list access-list-number {permit | deny} type-code [mask]
  Purpose: Identifies interesting packets by Ethernet type codes (access list numbers must be in the
  range 200–299).
Step 2
  Command: Router(config)# dialer-list dialer-group protocol bridge list access-list-number
  Purpose: Defines a dialer list for the specified access list.
Packets with a specified Ethernet type code can trigger outgoing calls. Spanning tree bridge protocol data
units (BPDUs) are always treated as uninteresting and cannot trigger calls.
For a table of some common Ethernet type codes, refer to the “Ethernet Type Codes” appendix in the
Cisco IOS Bridging and IBM Networking Command Reference.
To identify all transparent bridge packets as interesting, use the following command in global
configuration mode:
Command and Purpose
  Command: Router(config)# dialer-list dialer-group protocol bridge permit
  Purpose: Defines a dialer list that treats all transparent bridge packets as interesting.
Preparing for Routing over DDR
DDR supports the following routed protocols: AppleTalk, Banyan VINES, DECnet, IP, Internet Protocol
Exchange (IPX), ISO CLNS, and Xerox Network Systems (XNS).
To prepare for routing a protocol over DDR, perform the tasks in the relevant section:
• Configuring the Protocol for Routing and Access Control (As required)
• Associating the Protocol Access List with a Dialer Group (As required)
Configuring the Protocol for Routing and Access Control
This section specifies the minimal steps required to configure a protocol for routing over DDR. For more
options and more detailed descriptions, refer to the relevant protocol chapter.
Configuring IP Routing
IP routing is enabled by default on Cisco routers; thus no preparation is required simply to enable it. You
might, however, need to decide your addressing strategy and complete other global preparations for
routing IP in your networks. To use dynamic routing where multiple remote sites communicate with each
other through a central site, you might need to disable the IP split horizon feature. Refer to the
“Configuring IP Addressing” chapter in the Cisco IOS IP Configuration Guide for more information.
At a minimum, you must complete the following tasks:
• Disable validation of source addresses.
• Configure one or more IP access lists before you refer to the access lists in DDR dialer-list
commands to specify which packets can trigger outgoing calls.
To disable validation of source addresses, use the following commands beginning in global configuration
mode:
Command                                               Purpose
Router(config)# router rip                            Specifies the routing protocol; RIP, for example.
Router(config-router)# no validate-update-source      Disables validation of source addresses.
Router(config-router)# network number                 Specifies the IP address.
For more information about IP routing protocols, refer to the Cisco IOS IP Configuration Guide.
To configure IP access lists, use one of the following commands in global configuration mode:
Command                                                                                     Purpose
Router(config)# access-list access-list-number {deny | permit} source [source-mask]         Specifies an IP standard access list.
or
Router(config)# access-list access-list-number {deny | permit} protocol source source-mask
  destination destination-mask [operator operand]                                           Specifies an IP extended access list.
You can also use simplified IP access lists that use the any keyword instead of the numeric forms of
source and destination addresses and masks. Other forms of IP access lists are also available. For more
information, refer to the “IP Services Commands” chapter in the Cisco IOS IP Configuration Guide.
For an example of configuring DDR for IP, see the chapters “Configuring a Legacy DDR Spoke” or
“Configuring a Legacy DDR Hub” in this publication.
You can configure IP routing on DDR asynchronous, synchronous serial, and ISDN interfaces, as well
as dialer rotary groups.
Configuring Novell IPX Routing
To configure routing of IPX over DDR, you must complete both global and interface-specific tasks:
• Enable IPX routing globally.
• Enable IPX watchdog spoofing, or enable Sequenced Packet Exchange (SPX) keepalive spoofing on
the interface.
To enable IPX routing, use the following command in global configuration mode:
Command                              Purpose
Router(config)# ipx routing [node]   Enables IPX routing.
To enable IPX watchdog spoofing on the interface, use the following command in interface configuration
mode:
Command                                  Purpose
Router(config-if)# ipx watchdog-spoof    Enables IPX watchdog spoofing.
To enable SPX keepalive spoofing, use the following commands in interface configuration mode:
Command                                                  Purpose
Router(config-if)# ipx spx-spoof                         Enables SPX keepalive spoofing.
Router(config-if)# ipx spx-idle-time delay-in-seconds    Sets the idle time after which SPX spoofing begins.
You can configure IPX routing on DDR asynchronous, synchronous serial, and ISDN interfaces, as well
as dialer rotary groups.
For detailed DDR for IPX configuration examples, refer to the section “IPX over DDR Example” in the
“Configuring Novell IPX” chapter of the Cisco IOS AppleTalk and Novell IPX Configuration Guide.
Configuring AppleTalk Routing
You must enable AppleTalk routing and then specify AppleTalk access lists. After you specify AppleTalk
access lists, define dialer lists. Use the dialer-list protocol command to define permit or deny conditions
for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list
keyword.
You can configure AppleTalk routing on DDR asynchronous, synchronous serial, and ISDN interfaces,
as well as dialer rotary groups.
See the chapters “Configuring a Legacy DDR Spoke” or “Configuring a Legacy DDR Hub” for more
information and examples.
Configuring Banyan VINES Routing
To configure DDR for Banyan VINES, use one of the following commands in global configuration
mode:
Command                                                                                        Purpose
Router(config)# vines access-list access-list-number {permit | deny} source source-mask        Specifies a VINES standard access list.
or
Router(config)# vines access-list access-list-number {permit | deny} source source-mask
  [destination] [destination-mask]                                                             Specifies a VINES extended access list.
After you specify VINES standard or extended access lists, define DDR dialer lists. Use the dialer-list
protocol command to define permit or deny conditions for the entire protocol; for a finer granularity,
use the dialer-list protocol command with the list keyword. See the chapters “Configuring a Legacy
DDR Spoke” or “Configuring a Legacy DDR Hub” for more information and examples.
You can configure Banyan VINES on DDR asynchronous, synchronous serial, and ISDN interfaces, as
well as dialer rotary groups.
Note The Banyan VINES neighbor command is not supported for LAPB and X.25 encapsulations.
Configuring DECnet Routing
To configure DDR for DECnet, use one of the following commands in global configuration mode:
Command                                                                                  Purpose
Router(config)# access-list access-list-number {permit | deny} source source-mask        Specifies a DECnet standard access list.
or
Router(config)# access-list access-list-number {permit | deny} source source-mask
  [destination] [destination-mask]                                                       Specifies a DECnet extended access list.
After you specify DECnet standard or extended access lists, define DDR dialer lists. Use the dialer-list
protocol command to define permit or deny conditions for the entire protocol; for a finer granularity,
use the dialer-list protocol command with the list keyword. See the chapters “Configuring a Legacy
DDR Spoke” or “Configuring a Legacy DDR Hub” in this publication for more information and
examples.
You classify DECnet control packets, including hello packets and routing updates, using one or more of
the following commands: dialer-list protocol decnet_router-L1 permit, dialer-list protocol
decnet_router-L2 permit, and dialer-list protocol decnet_node permit.
You can configure DECnet on DDR asynchronous, synchronous serial, and ISDN interfaces, as well as
dialer rotary groups.
Configuring ISO CLNS Routing
To configure ISO CLNS for DDR, use the following commands beginning in global configuration mode:
        Command                                                         Purpose
Step 1  Router(config)# clns filter-set name [permit | deny] template   Specifies one or more CLNS filters, repeating this command as needed to build the filter list associated with the filter name.
Step 2  Router(config)# interface type number                           Specifies the interface to apply the filter to and begins interface configuration mode.
Step 3  Router(config-if)# clns access-group name out                   Filters CLNS traffic going out of the interface, on the basis of the filter specified and named in Step 1.
After you complete these CLNS-specific steps, define a dialer list for CLNS. Use the dialer-list protocol
command to define permit or deny conditions for the entire protocol; for a finer granularity, use the
dialer-list protocol command with the list keyword. Use the access-group argument with this command,
because ISO CLNS uses access groups but does not use access lists. See the chapters “Configuring a
Legacy DDR Spoke” or “Configuring a Legacy DDR Hub” in this publication for more information and
examples.
You classify CLNS control packets, including hello packets and routing updates, using the dialer-list
protocol clns_is permit and/or dialer-list protocol clns_es permit command.
You can configure ISO CLNS on DDR asynchronous, synchronous serial, and ISDN interfaces, as well
as dialer rotary groups.
Configuring XNS Routing
You must enable XNS routing and then define an access list. To define an XNS access list, use one of
the following commands in global configuration mode:
Command                                                                     Purpose
Router(config)# access-list access-list-number {deny | permit}
  source-network[.source-address [source-address-mask]]
  [destination-network[.destination-address [destination-address-mask]]]    Specifies a standard XNS access list.
or
Router(config)# access-list access-list-number {deny | permit}
  protocol [source-network[.source-host [source-network-mask.]source-host-mask] source-socket
  [destination-network [.destination-host [destination-network-mask.destination-host-mask]
  destination-socket[/pep]]]                                                Specifies an extended XNS access list.
After you specify an XNS access list, define a DDR dialer list. Use the dialer-list protocol command to
define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list
protocol command with the list keyword. See the chapters “Configuring a Legacy DDR Spoke” or
“Configuring a Legacy DDR Hub” for more information and examples.
You can configure XNS on DDR asynchronous, synchronous serial, and ISDN interfaces, as well as
dialer rotary groups.
Associating the Protocol Access List with a Dialer Group
DDR supports the following routed protocols: AppleTalk, Banyan VINES, DECnet, IP, Novell IPX, ISO
CLNS, and XNS.
You can permit or deny access by protocol, or you can specify an access list for more refined control. To
associate a protocol or access list with a dialer group, use the following command in global configuration
mode:
Command                                                                          Purpose
Router(config)# dialer-list dialer-group protocol protocol-name
  {permit | deny | list access-list-number | access-group}                       Associates a protocol access list number or access group name with the dialer group.
Note For a given protocol and a given dialer group, only one access list can be specified in the dialer-list
command.
For the dialer-list protocol list command form, acceptable access list numbers are as follows:
• Banyan VINES, DECnet, IP, and XNS standard and extended access list numbers
• Novell IPX standard, extended, and SAP access list numbers
• AppleTalk access list numbers
• Bridge type codes
Configuration Examples for Legacy DDR
The following sections provide DDR configuration examples:
• Point-to-Point DDR Without Authentication Examples
• Point-to-Point DDR with Authentication Examples
Point-to-Point DDR Without Authentication Examples
The following example sets up two-way reciprocal DDR without authentication; the client and server
have dial-in access to each other. This configuration is demonstrated in the following two subsections.
Remote Configuration
The following sample configuration is performed on the remote side of the connection:
interface ethernet 0
ip address 172.30.44.1 255.255.255.0
!
interface async 7
ip address 172.30.45.2 255.255.255.0
async mode dedicated
peer default ip address 172.30.45.1
encapsulation ppp
dialer in-band
dialer string 1234
dialer-group 1
!
ip route 172.30.43.0 255.255.255.0 async 7
ip default-network 172.30.0.0
chat-script generic ABORT BUSY ABORT NO "" AT OK ATDT\T TIMEOUT 30 CONNECT
dialer-list 1 protocol ip permit
!
line 7
no exec
modem InOut
speed 38400
flowcontrol hardware
script dialer generic
Local Configuration
The following sample configuration is performed on the local side of the connection:
interface ethernet 0
ip address 172.30.43.1 255.255.255.0
!
interface async 7
async mode dedicated
peer default ip address 172.30.45.2
encapsulation ppp
dialer in-band
dialer string 1235
dialer rotary-group 1
!
interface async 8
async mode dedicated
peer default ip address 172.30.45.2
dialer rotary-group 1
!
! dialer 1 leads rotary group 1 (async 7 and async 8); 172.30.45.1 is the local
! end of the link and is the peer address the remote side hands out
interface dialer 1
ip address 172.30.45.1 255.255.255.0
encapsulation ppp
dialer in-band
dialer map ip 172.30.45.2 name remote 4321
dialer load-threshold 80
!
ip route 172.30.44.0 255.255.255.0 172.30.45.2
chat-script generic ABORT BUSY ABORT NO "" AT OK ATDT\T TIMEOUT 30 CONNECT
dialer-list 1 protocol ip permit
!
router igrp 109
network 172.30.0.0
redistribute static
passive-interface async 7
!
line 7
modem InOut
speed 38400
flowcontrol hardware
script dialer generic
Point-to-Point DDR with Authentication Examples
The following sample sets up two-way DDR with authentication; the client and server have dial-in access
to each other. This configuration is demonstrated in the following two subsections.
Remote Configuration
The following example is performed on the remote side of the connection. It provides authentication by
identifying a password that must be provided on each end of the connection.
username local password secret1
username remote password secret2
interface ethernet 0
ip address 172.30.44.1 255.255.255.0
!
interface async 7
ip address 172.30.45.2 255.255.255.0
async mode dedicated
peer default ip address 172.30.45.1
encapsulation ppp
dialer in-band
dialer string 1234
dialer-group 1
!
ip route 172.30.43.0 255.255.255.0 async 7
ip default-network 172.30.0.0
chat-script generic ABORT BUSY ABORT NO "" AT OK ATDT\T TIMEOUT 30 CONNECT
dialer-list 1 protocol ip permit
!
line 7
no exec
modem InOut
speed 38400
flowcontrol hardware
script dialer generic
Local Configuration
The following example configuration is performed on the local side of the connection. As with the
remote side configuration, it provides authentication by identifying a password for each end of the
connection.
username remote password secret1
username local password secret2
!
interface ethernet 0
ip address 172.30.43.1 255.255.255.0
!
interface async 7
async mode dedicated
peer default ip address 172.30.45.2
dialer rotary-group 1
!
interface async 8
async mode dedicated
peer default ip address 172.30.45.2
dialer rotary-group 1
!
! dialer 1 leads rotary group 1 (async 7 and async 8); 172.30.45.1 is the local
! end of the link and matches the peer address the remote side assigns
interface dialer 1
ip address 172.30.45.1 255.255.255.0
encapsulation ppp
ppp authentication chap
dialer in-band
dialer map ip 172.30.45.2 name remote 4321
dialer load-threshold 80
!
ip route 172.30.44.0 255.255.255.0 172.30.45.2
chat-script generic ABORT BUSY ABORT NO "" AT OK ATDT\T TIMEOUT 30 CONNECT
!
router igrp 109
network 172.30.0.0
redistribute static
passive-interface async 7
!
line 7
modem InOut
speed 38400
flowcontrol hardware
script dialer generic
Configuring Legacy DDR Spokes
This chapter describes how to configure legacy dial-on-demand routing (DDR) on interfaces that
function as a spoke in a hub-and-spoke network topology. It includes the following main sections:
• DDR Spokes Configuration Task Flow
• How to Configure DDR
• Monitoring DDR Connections
• Configuration Examples for Legacy DDR Spoke
This chapter considers a spoke interface to be any interface that calls or receives calls from exactly one
other router, and considers a hub interface to be an interface that calls or receives calls from more than
one router: all the spokes in the network.
This chapter also describes the DDR-independent tasks required to bridge protocols or to route protocols
over DDR. Most of these tasks are global in scope and can be completed before you begin to configure
DDR.
For configuration tasks for the central hub interface in a hub-and-spoke network topology, see the
chapter “Configuring a Legacy DDR Hub” in this publication.
For information about the Dialer Profiles implementation of DDR, see the chapter “Configuring
Peer-to-Peer DDR with Dialer Profiles” in this publication.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the legacy DDR spoke commands mentioned in this chapter, refer to the
Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
DDR Spokes Configuration Task Flow
Before you configure DDR, make sure you have completed the preparations for bridging or routing as
described in the chapter “Preparing to Configure DDR” in this publication. That chapter provides
information about the minimal requirements. For detailed information about bridging, routing, and
wide-area networking configurations, refer to the appropriate chapters in other volumes of this
documentation set.
When you configure DDR on a spoke interface in a hub-and-spoke topology, you perform the following
general steps:
Step 1 Specify the interface that will place calls to or receive calls from a single site. (See the chapter
“Configuring Legacy DDR Hubs” in this publication for information about configuring an interface to
place calls to or receive calls from multiple sites.)
Step 2 Enable DDR on the interface. This step is not required for some interfaces; for example, ISDN interfaces
and passive interfaces that receive only from DTR-dialing interfaces.
Step 3 Configure the interface to receive calls only, if applicable. Receiving calls from multiple sites requires
each inbound call to be authenticated.
Step 4 Configure the interface to place calls only, if applicable.
Step 5 Configure the interface to place and receive calls, if applicable.
Step 6 If the interface will place calls, specify access control for:
• Transparent bridging—Assign the interface to a bridge group, and define dialer lists associated with
the bridging access lists. The interface switches between members of the same bridge group, and
dialer lists specify which packets can trigger calls.
or
• Routed protocols—Define dialer lists associated with the protocol access lists to specify which
packets can trigger calls.
Step 7 Customize the interface settings (timers, interface priority, hold queues, bandwidth on demand, and
disabling fast switching) as needed.
When you have configured the interface and it is operational, you can monitor its performance and its
connections as described in the “Monitoring DDR Connections” section later in this chapter.
You can also enhance DDR by configuring Multilink PPP and configuring PPP callback. The PPP
configuration tasks are described in the chapter “Configuring Media-Independent PPP and Multilink
PPP” in this publication.
See the section “Configuration Examples for Legacy DDR Spoke” later in this chapter for examples of
how to configure DDR on your network.
How to Configure DDR
To configure DDR on an interface, perform the tasks in the following sections. The first five bulleted
items are required. The remaining tasks are not required, but might be necessary in your networking
environment.
• Specifying the Interface (Required)
• Enabling DDR on the Interface (Required)
• Configuring the Interface to Place Calls (Required)
or
Configuring the Interface to Receive Calls (Required)
or
Configuring the Interface to Place and Receive Calls (Required)
• Defining the Traffic to Be Authenticated (As required)
• Configuring Access Control for Outgoing Calls (As required)
• Configuring Access Control for Bridging (As required)
• Configuring Access Control for Routing (As required)
• Customizing the Interface Settings (As required)
• Sending Traffic over Frame Relay, X.25, or LAPB Networks (As required)
You can also monitor DDR connections. See the “Monitoring DDR Connections” section later in this
chapter for commands and other information.
For examples of legacy DDR on a point-to-point connection, see the “Configuration Examples for
Legacy DDR Spoke” section later in this chapter.
Specifying the Interface
This section assumes that you have completed any preparatory steps required for the relevant interface.
For example, if you intend to use an asynchronous interface, it assumes that you have completed the
modem support and line configuration steps and the chat script creation steps. If you intend to use an
ISDN interface, it assumes that you have the ISDN line properly provisioned and running.
You can configure any asynchronous, synchronous serial, ISDN, or dialer interface for legacy DDR.
Note When you specify an interface, make sure to use the interface numbering scheme supported on the
network interface module or other port hardware on the router. On the Cisco 7200 series, for example,
you specify an interface by indicating its type, slot number, and port number.
To specify an interface to configure for DDR, use one of the following commands in global configuration
mode:
Command                                          Purpose
Router(config)# interface async number
Router(config)# interface serial number
Router(config)# interface bri number             Specifies an interface to configure for DDR.
or
Router(config)# interface serial slot/port:23    Specifies an ISDN PRI D channel (T1).
Router(config)# interface serial slot/port:15    Specifies an ISDN PRI D channel (E1).
or
Router(config)# interface dialer number          Specifies a logical interface to function as a dialer rotary group leader.
Dialer interfaces are logical or virtual entities, but they use physical interfaces to place or receive calls.
Enabling DDR on the Interface
This task is required for asynchronous or synchronous serial interfaces but not for ISDN interfaces (BRI
interfaces and ISDN PRI D channels), because the software automatically configures ISDN interfaces to
be dialer type ISDN. It is also not required for purely passive interfaces that will receive calls only from
interfaces that use DTR dialing.
Enabling DDR on an interface usually requires you to specify the type of dialer to be used.
To enable DDR and specify the dialer type, use one of the following commands in interface configuration
mode:
Command                                                       Purpose
Router(config-if)# dialer dtr                                 Enables DDR and configures the specified serial interface to use DTR dialing—for interfaces with non-V.25bis modems using EIA Data Terminal Ready (DTR) signaling.
or
Router(config-if)# dialer in-band [no-parity | odd-parity]    Enables DDR and configures the specified serial interface to use in-band dialing—for asynchronous interfaces or interfaces using V.25bis modems.
Note An interface configured with the dialer in-band command can both place and receive calls. A serial
interface configured for DTR dialing can place calls only; it cannot accept them.
You can optionally specify parity if the modem on this interface uses the V.25bis command set. The 1984
version of the V.25bis specification states that characters must have odd parity. However, the default for
the dialer in-band command is no parity.
For an example of configuring an interface to support DTR dialing, see the section “DTR Dialing
Example” later in this chapter.
To receive calls from an interface that is using DTR dialing, an interface can be configured for in-band
dialing or not configured for anything but encapsulation, depending on the desired behavior. If you
expect the receiving interface to terminate a call when no traffic is received for some time, you must
configure in-band dialing (along with access lists and a dummy dialer string). If the receiving interface
is purely passive, no additional configuration is necessary.
Note You can configure an interface or dialer rotary group to both place and receive calls. If the interface
is calling and being called by a single site, simply enable DDR and specify a dial string.
Configuring the Interface to Place Calls
To configure an interface to place calls to one site only, perform the tasks in one of the following
sections:
• Specifying the Dial String for Synchronous Serial Interfaces (As required)
• Specifying Chat Scripts and Dial Strings for Asynchronous Serial Interfaces (As required)
Specifying the Dial String for Synchronous Serial Interfaces
If you want to call only one remote system per synchronous serial interface, use the dialer string
command. Dialers pass the string you have defined to the external DCE device. ISDN devices call the
number specified in the string.
To specify the telephone number to call on a serial interface (asynchronous or synchronous), use the
following command in interface configuration mode:
Command                                                          Purpose
Router(config-if)# dialer string dial-string[:isdn-subaddress]   Specifies the number to dial.
Dialers pass the string (telephone number) to the external DCE device, which dials the number; ISDN
devices themselves call the specified number.
Specifying Chat Scripts and Dial Strings for Asynchronous Serial Interfaces
The modem chat script becomes the default chat script for an interface, which means it becomes the
default chat script for the dialer string and dialer map commands presented in this section.
To place a call to a single site on an asynchronous line for which either a modem dialing script has not
been assigned or a system script login must be specified, use the following command in interface
configuration mode:
Command                                                                          Purpose
Router(config-if)# dialer map protocol next-hop-address [modem-script modem-regexp]
  [system-script system-regexp] dial-string [:isdn-subaddress]                   Specifies chat scripts and a dial string.
Refer to the sections “How To Configure Chat Scripts” and “Dialer Mapping Example” in the chapter
“Creating and Using Modem Chat Scripts” for more information about configuring chat scripts.
Configuring the Interface to Receive Calls
If you enable DDR on an interface by using the dialer in-band command, the interface can receive calls.
No additional configuration steps are required simply to receive calls. Parity is not required for receiving
calls only. An interface configured with the dialer in-band command can terminate calls when the line
is idle for some configurable time.
You cannot set up an ISDN interface only to receive calls from a single site, but you can set it up to
receive and place calls to a single site.
To receive calls from an interface that is using DTR dialing, an interface can be configured for in-band
dialing or not configured for anything but encapsulation, depending on the desired behavior. If you
expect the receiving interface to terminate a call when no traffic is received for some time, you must
configure in-band dialing (along with access lists and a dummy dialer string). If the receiving interface
is purely passive, no additional configuration is necessary.
Authentication is not required when traffic comes from only one site. However, you can configure
authentication for security. See the “Defining the Traffic to Be Authenticated” section. If you want to
receive calls only, do not provide a dial string in the dialer map command shown in that section.
Configuring the Interface to Place and Receive Calls
If you enable DDR on an interface by using the dialer in-band command, the interface can receive calls.
To enable it to place calls to one site, you must define the dialing destination.
To define the dialing destination, use the following command in interface configuration mode:
Command                                                          Purpose
Router(config-if)# dialer string dial-string[:isdn-subaddress]   Specifies the number to dial one site.
Note Use the dialer map command instead of the dialer string command if you want to authenticate calls
received. See the section “Defining the Traffic to Be Authenticated” later in this chapter for more
information.
When a dialer string is configured but PPP Challenge Handshake Authentication Protocol (CHAP) is not
configured on the interface, the Cisco IOS software recognizes each incoming call as coming from the
configured dialer string. That is, if your outgoing calls go to only one number and you do not
authenticate incoming calls, it is assumed that all incoming calls come from that number. (If you received
calls from multiple sites, you would need to authenticate the calls.)
Authentication is not required when traffic comes from only one site. However, you can configure
authentication for an extra measure of security. See the following section, “Defining the Traffic to Be
Authenticated,” for more information. If you want to receive and place calls, use the dialer map
command.
Defining the Traffic to Be Authenticated
Authentication can be done through CHAP or Password Authentication Protocol (PAP). In addition, the
interface must be configured to map the protocol address of the host to the name to use for authenticating
the remote host.
To enable CHAP or PAP on an interface and authenticate sites that are calling in, use the following
commands in interface configuration mode:
        Command                                                      Purpose
Step 1  Router(config-if)# encapsulation ppp                         Configures an interface for PPP encapsulation.
Step 2  Router(config-if)# ppp authentication chap [if-needed]       Enables CHAP.
        or
        Router(config-if)# ppp authentication pap [if-needed]        Enables PAP.
Step 3  Router(config-if)# dialer map protocol next-hop-address name hostname
          [modem-script modem-regexp] [system-script system-regexp]
          [dial-string[:isdn-subaddress]]                            Maps the protocol address to a host name.
If the dial string is not provided in the chat script, the interface will be able to receive calls from the host
but will not be able to place calls to the host.
Configuring Access Control for Outgoing Calls
Protocol access lists and dialer access lists are central to the operation of DDR. In general, access lists
are used as the screening criteria for determining when to initiate DDR calls. All packets are tested
against the dialer access list. Packets that match a permit entry are deemed interesting. Packets that do
not match a permit entry or that do match a deny entry are deemed uninteresting. When a packet is found
to be interesting, either the dialer idle timer is reset (if the line is active) or a connection is attempted (if
the line is available but not active). If a tested packet is deemed uninteresting, it will be forwarded if it
is intended for a destination known to be on a specific interface and the link is active. However, such a
packet will not initiate a DDR call and will not reset the idle timer.
Configuring Access Control for Bridging
You can control access by defining any transparent bridge packet as interesting, or you can use the finer
granularity of controlling access by Ethernet type codes. To control access for DDR bridging, perform
one of the following tasks in global configuration mode:
• Controlling Bridging Access by Ethernet Type Codes (As required)
• Permitting All Bridge Packets to Trigger Calls (As required)
• Assigning the Interface to a Bridge Group (As required)
Note Spanning-tree bridge protocol data units (BPDUs) are always treated as uninteresting.
Configuring Legacy DDR Spokes
How to Configure DDR
DC-368
Cisco IOS Dial Technologies Configuration Guide
Controlling Bridging Access by Ethernet Type Codes
To control access by Ethernet type codes, use the following command in global configuration mode:
Command / Purpose
Router(config)# access-list access-list-number {permit | deny} type-code [mask]
    Identifies interesting packets by Ethernet type codes (access list numbers must be in the range 200 to 299).
To enable packets with a specified Ethernet type code to trigger outgoing calls, use the following
command in interface configuration mode:
Command / Purpose
Router(config-if)# dialer-list dialer-group protocol bridge list access-list-number
    Defines a dialer list for the specified access list.
For a table of some common Ethernet type codes, see the “Ethernet Type Codes” appendix in the
Cisco IOS Bridging and IBM Networking Command Reference.
Permitting All Bridge Packets to Trigger Calls
To identify all transparent bridge packets as interesting, use the following command in interface
configuration mode when you are configuring DDR:
Command / Purpose
Router(config-if)# dialer-list dialer-group protocol bridge permit
    Defines a dialer list that treats all transparent bridge packets as interesting.
Assigning the Interface to a Bridge Group
Packets are bridged only among interfaces that belong to the same bridge group. To assign an interface
to a bridge group, use the following command in interface configuration mode:
Command / Purpose
Router(config-if)# bridge-group bridge-group
    Assigns the specified interface to a bridge group.
Configuring Access Control for Routing
Before you perform the tasks outlined in this section, configure access lists for the protocols you intend
to route over DDR as described briefly in the chapter “Preparing to Configure DDR” in this publication,
and as described in greater detail in the appropriate network protocol configuration guide (for example,
the Cisco IOS AppleTalk and Novell IPX Configuration Guide).
An interface can be associated only with a single dialer access group; multiple dialer access group
assignments are not allowed. To specify the dialer access group to which you want to assign an access
list, use the following command in interface configuration mode:
Command / Purpose
Router(config-if)# dialer-group group-number
    Specifies the number of the dialer access group to which the specific interface belongs.
Customizing the Interface Settings
To customize DDR in your network, perform the tasks in the following sections as needed:
• Configuring Timers on the DDR Interface (As required)
• Setting Dialer Interface Priority (As required)
• Configuring a Dialer Hold Queue (As required)
• Configuring Bandwidth on Demand (As required)
• Disabling and Reenabling DDR Fast Switching (As required)
• Configuring Dialer Redial Options (As required)
Configuring Timers on the DDR Interface
To set the timers, perform the tasks in the following sections as needed:
• Setting Line-Idle Time (As required)
• Setting Idle Time for Busy Interfaces (As required)
• Setting Line-Down Time (As required)
• Setting Carrier-Wait Time (As required)
Setting Line-Idle Time
To specify the amount of time for which a line will stay idle before it is disconnected, use the following
command in interface configuration mode:
Command / Purpose
Router(config-if)# dialer idle-timeout seconds [inbound | either]
    Specifies the duration of idle time in seconds after which a line will be disconnected.
    By default, outbound traffic will reset the dialer idle timer. Adding the either keyword causes both
    inbound and outbound traffic to reset the timer; adding the inbound keyword causes only inbound
    traffic to reset the timer.
Note The dialer idle-timeout interface configuration command specifies the duration of time before an
idle connection is disconnected. Previously, both inbound and outbound traffic would reset the dialer
idle timer; now you can specify that only inbound traffic will reset the dialer idle timer.
Setting Idle Time for Busy Interfaces
The dialer fast idle timer is activated if there is contention for a line. Contention occurs when a line is
in use, a packet for a different next hop address is received, and the busy line is required to send the
competing packet.
If the line has been idle for the configured amount of time, the current call is disconnected immediately
and the new call is placed. If the line has not yet been idle as long as the fast idle timeout period, the
packet is dropped because there is no way to get through to the destination. (After the packet is dropped,
the fast idle timer remains active and the current call is disconnected as soon as it has been idle for as
long as the fast idle timeout.) If, in the meantime, another packet is sent to the currently connected
destination, and it is classified as interesting, the fast-idle timer is restarted.
To specify the amount of time for which a line for which there is contention will stay idle before the line
is disconnected and the competing call is placed, use the following command in interface configuration
mode:
Command / Purpose
Router(config-if)# dialer fast-idle seconds
    Sets idle time for high traffic lines.
This command applies to both inbound and outbound calls.
Setting Line-Down Time
To set the length of time for which the interface stays down before it is available to dial again after a line
is disconnected or fails, use the following command in interface configuration mode:
Command / Purpose
Router(config-if)# dialer enable-timeout seconds
    Sets the interface downtime.
This command applies to both inbound and outbound calls.
Setting Carrier-Wait Time
To set the length of time for which an interface waits for the telephone service (carrier), use the following
command in interface configuration mode:
Command / Purpose
Router(config-if)# dialer wait-for-carrier-time seconds
    Sets the length of time for which the interface waits for the carrier to come up when a call is placed.
For asynchronous interfaces, this command sets the total time to wait for a call to connect. This time is
set to allow for running the chat script.
Setting Dialer Interface Priority
Interface priority indicates which interface in a dialer rotary group will get used first for outgoing calls.
You might give one interface a higher priority if it is attached to a faster, more reliable modem. In this
way, the higher-priority interface will be used as often as possible.
To assign priority to an interface in a dialer rotary group, use the following command in interface
configuration mode:
Command / Purpose
Router(config-if)# dialer priority number
    Sets the interface priority in the dialer rotary group.
The range of values for number is 0 through 255. Zero is the default value and lowest priority; 255 is the
highest priority. This command applies to outgoing calls only.
Configuring a Dialer Hold Queue
Sometimes packets destined for a remote router are discarded because no connection exists. Establishing
a connection using an analog modem can take time, during which packets are discarded. However,
configuring a dialer hold queue will allow interesting outgoing packets to be queued and sent as soon as
the modem connection is established.
A dialer hold queue can be configured on any type of dialer, including in-band synchronous,
asynchronous, DTR, and ISDN dialers. Also, hunt group leaders can be configured with a dialer hold
queue. If a hunt group leader (of a rotary dialing group) is configured with a hold queue, all members of
the group will be configured with a dialer hold queue and no hold queue of an individual member can be
altered.
To establish a dialer hold queue, use the following command in interface configuration mode:
Command / Purpose
Router(config-if)# dialer hold-queue packets
    Creates a dialer hold queue and specifies the number of packets to be held in it.
As many as 100 packets can be held in an outgoing dialer hold queue.
Configuring Bandwidth on Demand
You can configure a dialer rotary group to use additional bandwidth by placing additional calls to a single
destination if the load for the interface exceeds a specified weighted value. Parallel communication links
are established based on traffic load. The number of parallel links that can be established to one location
is not limited.
To set the dialer load threshold for bandwidth on demand, use the following command in interface
configuration mode:
Command / Purpose
Router(config-if)# dialer load-threshold load
    Configures the dialer rotary group to place additional calls to a single destination, as indicated by
    interface load.
Once multiple links are established, they are still governed by the load threshold. If the total load on all
the links falls below the threshold, an idle link will be torn down.
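The timer, priority, hold-queue and load-threshold settings from the preceding sections combined on one dialer rotary group, as an added example that is not part of this guide. The interface Dialer1 and dialer rotary-group commands are the standard IOS way of building the rotary group the sections refer to but are not described on this page; the addresses, phone number, host name hub-router, access list 101 and all timer values are constructed for illustration.

```cisco
! Added example, not from the guide. Interfaces, addresses, names and
! values are constructed; interface Dialer1 / dialer rotary-group are
! standard IOS rotary group commands not covered in this chapter.
interface Dialer1
 ip address 10.2.2.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 dialer in-band
 dialer map ip 10.2.2.2 name hub-router 5551212
 dialer-group 1
 ! Only traffic arriving from the peer keeps the call up, so locally
 ! generated chatter cannot hold an expensive line open indefinitely.
 dialer idle-timeout 300 inbound
 ! When another destination needs this line, give up the current call
 ! after 20 idle seconds instead of waiting the full 300.
 dialer fast-idle 20
 ! After a call drops or fails, stay down 15 seconds before dialing again.
 dialer enable-timeout 15
 ! Allow 45 seconds for the modem and chat script to bring up carrier.
 dialer wait-for-carrier-time 45
 ! Hold up to 20 interesting packets while the call is being set up
 ! (applies to every member of the rotary group, see the hold queue section).
 dialer hold-queue 20
 ! Bring up a second member when load exceeds 128/255 (about 50 percent);
 ! an idle extra link is torn down when total load falls below it again.
 dialer load-threshold 128
!
interface Serial0
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 ! Preferred member: the faster, more reliable modem.
 dialer priority 255
 pulse-time 1
!
interface Serial1
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 ! Fallback member, used when Serial0 is busy or down.
 dialer priority 10
 pulse-time 1
!
! Interesting traffic: any IP packet may bring up a link.
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
```

The inbound keyword on dialer idle-timeout is the setting to check first when a line that should be quiet keeps staying up: with the default behaviour any locally generated interesting packet, including routing updates that the dialer list does not exclude, resets the timer.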
Disabling and Reenabling DDR Fast Switching
Fast switching is enabled by default on all DDR interfaces. When fast switching is enabled or disabled
on an ISDN D channel, it is enabled or disabled on all B channels. When fast switching is enabled or
disabled on a dialer interface, it is enabled or disabled on all rotary group members but cannot be enabled
or disabled on the serial interfaces individually.
Fast switching can be disabled and re-enabled on a protocol-by-protocol basis. To disable fast switching
and re-enable it, use one of the following protocol-specific commands in interface configuration mode:
Command / Purpose
Router(config-if)# no ip route-cache
    Disables IP fast switching over a DDR interface.
Router(config-if)# ip route-cache
    Reenables IP fast switching over a DDR interface.
Router(config-if)# no ip route-cache distributed
    Disables distributed IP fast switching over a DDR interface. This feature works in Cisco 7500 routers
    with a Versatile Interface Processor (VIP) card.
Router(config-if)# ip route-cache distributed
    Enables distributed IP fast switching over a DDR interface. This feature works in Cisco 7500 routers
    with a VIP card.
Router(config-if)# no ipx route-cache
    Disables IPX fast switching over a DDR interface.
Router(config-if)# ipx route-cache
    Reenables IPX fast switching over a DDR interface.
Configuring Dialer Redial Options
By default, the Cisco IOS software generates a single dial attempt for each interesting packet. Dialer
redial allows the dialer to be configured to make a maximum number of redial attempts if the first
dial-out attempt fails, wait a specific interval between redial attempts, and disable the interface for a
specified duration if all redial attempts fail. New dialout attempts will not be initiated if a redial is
pending to the same destination.
To configure redial options, use the following commands beginning in global configuration mode:
Command / Purpose
Step 1  Router(config)# interface dialer
    Enters interface configuration mode.
Step 2  Router(config-if)# dialer redial interval time attempts number re-enable disable-time
    Configures redial options on the router.
Sending Traffic over Frame Relay, X.25, or LAPB Networks
An interface configured for DDR can send traffic over networks that require Link Access Procedure,
Balanced (LAPB), X.25, or Frame Relay encapsulation.
Before Cisco IOS software Release 12.0(6)T, encapsulation techniques such as Frame Relay, HDLC,
LAPB-TA, and X.25 could support only one ISDN B-channel connection over the entire link. HDLC and
PPP could support multiple B channels, but the entire ISDN link needed to use the same encapsulation.
The Dynamic Multiple Encapsulations feature allows incoming calls over ISDN to be assigned
encapsulation type based on calling line identification (CLID) or DNIS. With the Dynamic Multiple
Encapsulations feature, once CLID binding is completed, the topmost interface is always used for all
configuration and data structures. The ISDN B channel becomes a forwarding device, and the
configuration on the D channel is ignored, thereby allowing the different encapsulation types and
per-user configurations.
To configure an interface for those networks, perform the tasks in the following sections:
• Configuring the Interface for Sending Traffic over a Frame Relay Network (As required)
• Configuring the Interface for Sending Traffic over an X.25 Network (As required)
• Configuring the Interface for Sending Traffic over a LAPB Network (As required)
Configuring the Interface for Sending Traffic over a Frame Relay Network
Access to Frame Relay networks is now available through dialup connections as well as leased lines.
Dialup connectivity allows Frame Relay networks to be extended to sites that do not generate enough
traffic to justify leased lines, and also allows a Frame Relay network to back up another network or
point-to-point line.
DDR over Frame Relay is supported for synchronous serial and ISDN interfaces and for rotary groups,
and is available for in-band, DTR, and ISDN dialers.
Frame Relay supports multiple permanent virtual circuit (PVC) connections over the same serial
interface or ISDN B channel, but only one physical interface can be used (dialed, connected, and active)
in a rotary group or with ISDN.
The Dynamic Multiple Encapsulations feature supports the following Frame Relay features:
• Frame Relay RTP Header Compression (RFC 1889)
• Frame Relay TCP/IP Header Compression
• Legacy DDR over Frame Relay
• Frame Relay Interface/Subinterface Backup
Dynamic multiple encapsulations support at least four Frame Relay PVCs on either dialer interfaces or
dialer subinterfaces.
Note Frame Relay encapsulations in the Dynamic Multiple Encapsulations feature do not support IETF or
Cisco Encapsulation for IBM Systems Network Architecture (SNA). Frame Relay for SNA support
is not applicable.
Configuration Restrictions
The following restrictions apply to DDR used over Frame Relay:
• Frame Relay is not available for asynchronous dialers.
• The Frame Relay Dynamic Multiple Encapsulations feature does not provide bidirectional support.
• With the Dynamic Multiple Encapsulations feature, there is no process switching for Frame Relay
packets; these packets are always fast switched.
• Like HDLC, LAPB, and X.25, Frame Relay does not provide authentication. However, ISDN dialers
can offer some authentication through the caller ID feature.
• Only one ISDN B channel can be dialed at any one time. When configuring a rotary group, you can
use only one serial interface.
Frame Relay subinterfaces work the same on dialup connections as they do on leased lines.
Configuration Overview
No new commands are required to support DDR over Frame Relay. In general, you configure Frame
Relay and then configure DDR. Complete the following tasks to configure an interface for DDR
over Frame Relay:
• Specify the interface.
• Specify the protocol identifiers for the interface.
For example, enter the IP address and mask, the IPX network number, and the AppleTalk cable range
and zone.
• Configure Frame Relay.
As a minimum, you must enable Frame Relay encapsulation and decide whether you need to do
static or dynamic address mapping. If you decide to do dynamic mapping, you need not enter a
command because Inverse Address Resolution Protocol is enabled by default. If you decide to do
static mapping, you must enter Frame Relay mapping commands.
You can then configure various options as needed for your Frame Relay network topology.
• Configure DDR.
At a minimum, you must decide and configure the interface for outgoing calls only, incoming calls
only, or both outgoing and incoming calls.
You can also configure DDR for your routed protocols (as specified in the section “Preparations for
Routing or Bridging over DDR” in the chapter “Preparing to Configure DDR” in this publication)
and for snapshot routing (as specified in the chapter “Configuring Snapshot Routing” later in this
publication). You can also customize DDR interfaces on your router or access server (as described
in the section “Customizing the Interface Settings” in this chapter).
For examples of configuring various interfaces for DDR over Frame Relay, see the section “Frame Relay
Support Example” later in this chapter.
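The four tasks of the overview above applied to an ISDN BRI, as an added example that is not the guide's own Frame Relay Support Example (which appears later in the chapter). The address, DLCI 16 and phone number are constructed; isdn caller is a standard IOS interface command that this chapter does not describe and is included because, as the Configuration Restrictions state, Frame Relay itself carries no authentication and caller ID is the only check the ISDN side can apply.

```cisco
! Added example, not from the guide. Address, DLCI and numbers are
! constructed; isdn caller is standard IOS but not covered in this chapter.
interface BRI0
 ! Task 2: protocol identifier for the interface.
 ip address 10.3.3.1 255.255.255.0
 ! Task 3: Frame Relay with a static map to the peer, so the mapping does
 ! not depend on Inverse ARP completing after every call.
 encapsulation frame-relay
 frame-relay map ip 10.3.3.2 16 broadcast
 ! Task 4: DDR for both outgoing and incoming calls. Next hop 10.3.3.2 is
 ! reached by dialing 5551212; the map also lets the peer's calls be accepted.
 dialer map ip 10.3.3.2 broadcast 5551212
 dialer-group 1
 ! Frame Relay provides no authentication, so screen on the calling number:
 ! calls from any other number are refused before Frame Relay comes up.
 isdn caller 5551212
!
! Interesting traffic: any IP packet may bring up the link.
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
```

Caller ID screening only works when the telephone switch delivers the calling number to the router; if it does not, every incoming call is refused, so verify with show dialer or the ISDN debugs that the calling number is actually presented before relying on isdn caller as the access check.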
Configuring the Interface for Sending Traffic over an X.25 Network
X.25 interfaces can now be configured to support DDR. Synchronous serial and ISDN interfaces on
Cisco routers and access servers can be configured for X.25 addresses, X.25 encapsulation, and mapping
of protocol addresses to the X.25 address of a remote host. In-band, DTR, and ISDN dialers can be
configured to support X.25 encapsulation, but rotary groups cannot.
Remember that for ISDN interfaces, once CLID binding is completed, the topmost interface is always
used for all configuration and data structures. The ISDN B channel becomes a forwarding device, and
the configuration on the D channel is ignored, thereby allowing the different encapsulation types and
per-user configurations. For X.25 encapsulations, the configurations reside on the dialer profile. The
Dynamic Multiple Encapsulations feature provides support for packet assembler/disassembler (PAD)
traffic and X.25 encapsulated and switched packets.
To configure an interface to support X.25 and DDR, use the following X.25-specific commands in
interface configuration mode:
Command / Purpose
Step 1  Router(config-if)# encapsulation x25 [dte | dce] [ietf]
    Configures the interface to use X.25 encapsulation.
Step 2  Router(config-if)# x25 address x.121-address
    Assigns an X.25 address to the interface.
Step 3  Router(config-if)# x25 map protocol address [protocol2 address2 [...[protocol9 address9]]]
        x.121-address [option]
    Sets up the LAN protocols-to-remote host address mapping.
The order of DDR and X.25 configuration tasks is not critical; you can configure DDR before or after
X.25, and you can even mix the DDR and X.25 commands.
For an example of configuring an interface for X.25 encapsulation and then completing the DDR
configuration, see the section “X.25 Support Example” later in this chapter.
Configuring the Interface for Sending Traffic over a LAPB Network
DDR over serial lines now supports LAPB encapsulation, in addition to the previously supported PPP,
HDLC, and X.25 encapsulations.
LAPB encapsulation is supported on synchronous serial, ISDN, and dialer rotary group interfaces, but
not on asynchronous dialers.
Because the default encapsulation is HDLC, you must explicitly configure LAPB encapsulation. To
configure an interface to support LAPB encapsulation and DDR, use the following command in interface
configuration mode:
Command / Purpose
Router(config-if)# encapsulation lapb [dte | dce] [multi | protocol]
    Specifies LAPB encapsulation.
For more information about the serial connections on which LAPB encapsulation is appropriate, refer to
the encapsulation lapb command in the chapter “X.25 and LAPB Commands” in the Cisco IOS
Wide-Area Networking Command Reference.
For an example of configuring an interface for DDR over LAPB, see the section “LAPB Support
Example” later in this chapter.
Monitoring DDR Connections
To monitor DDR connections, use any of the following commands in privileged EXEC mode:
Command / Purpose
Router# show dialer [interface type number]
    Displays general diagnostics about the DDR interface.
Router# show dialer map
    Displays current dialer maps, next-hop protocol addresses, user names, and the interfaces on which
    they are configured.
Router# show interfaces bri 0
    Displays information about the ISDN interface.
Router# show ipx interface [type number]
    Displays status about the IPX interface.
Router# show ipx traffic
    Displays information about the IPX packets sent by the router or access server, including watchdog
    counters.
Router# show appletalk traffic
    Displays information about the AppleTalk packets sent by the router or access server.
Router# show vines traffic
    Displays information about the Banyan VINES packets sent by the router or access server.
Router# show decnet traffic
    Displays information about the DECnet packets sent by the router or access server.
Router# show xns traffic
    Displays information about the XNS packets sent by the router or access server.
Router# clear dialer
    Clears the values of the general diagnostic statistics.
Configuration Examples for Legacy DDR Spoke
The following section provides various DDR configuration examples:
• Legacy Dial-on-Demand Routing Example
• Transparent Bridging over DDR Examples
• DDR Configuration in an IP Environment Example
• Two-Way DDR for Novell IPX Example
• AppleTalk Configuration Example
• DECnet Configuration Example
• ISO CLNS Configuration Example
• XNS Configuration Example
• Single Site Dialing Example
• DTR Dialing Example
• Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example
• Two-Way Reciprocal Client/Server DDR Without Authentication Example
• Frame Relay Support Example
• X.25 Support Example
• LAPB Support Example
Legacy Dial-on-Demand Routing Example
The following example shows a Cisco 2600 series router that has enabled the dialer idle-timeout
command with the inbound keyword. This command allows only inbound traffic that conforms to the
dialer list to establish a connection and reset the dialer idle timer.
interface BRI0/0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
encapsulation ppp
dialer idle-timeout 120 inbound
dialer map ip 10.1.1.2 name 2611-7 0201
dialer-group 1
isdn switch-type basic-5ess
no cdp enable
ppp authentication chap
!
ip classless
ip route 10.2.1.1 255.255.255.255 10.1.1.2
!
access-list 101 permit icmp any any
access-list 101 deny ip any any
dialer-list 1 protocol ip list 101
tftp-server flash c2600-i-mz.jtong-CSCdm88145-120
Transparent Bridging over DDR Examples
The following two examples differ only in the packets that cause calls to be placed. The first example
specifies by protocol (any bridge packet is permitted to cause a call to be made); the second example
allows a finer granularity by specifying the Ethernet type codes of bridge packets.
The first example configures the serial 1 interface for DDR bridging. Any bridge packet is permitted to
cause a call to be placed.
no ip routing
!
interface Serial1
no ip address
encapsulation ppp
dialer in-band
dialer enable-timeout 3
dialer map bridge name urk broadcast 8985
dialer hold-queue 10
dialer-group 1
ppp authentication chap
bridge-group 1
pulse-time 1
!
dialer-list 1 protocol bridge permit
bridge 1 protocol ieee
bridge 1 hello 10
The second example also configures the serial 1 interface for DDR bridging. However, this example
includes an access-list command that specifies the Ethernet type codes that can cause calls to be placed
and a dialer list protocol list command that refers to the specified access list.
no ip routing
!
interface Serial1
no ip address
encapsulation ppp
dialer in-band
dialer enable-timeout 3
dialer map bridge name urk broadcast 8985
dialer hold-queue 10
dialer-group 1
ppp authentication chap
bridge-group 1
pulse-time 1
!
access-list 200 permit 0x0800 0xFFF8
!
dialer-list 1 protocol bridge list 200
bridge 1 protocol ieee
bridge 1 hello 10
DDR Configuration in an IP Environment Example
The following example illustrates how to use DDR on a synchronous interface in an IP environment.
You could use the same configuration on an asynchronous serial interface by changing interface serial 1
to specify an asynchronous interface (for example, interface async 0).
interface serial 1
ip address 172.18.126.1 255.255.255.0
dialer in-band
! The next command sets the dialer idle time-out to 10 minutes.
dialer idle-timeout 600
! The next command inserts the phone number.
dialer string 5551234
! The next command gives the modem enough time to recognize that
! DTR has dropped so the modem disconnects the call.
pulse-time 1
! The next command adds this interface to the dialer access group defined with
! the dialer-list command.
dialer-group 1
!
! The first access list statement, below, specifies that IGRP updates are not
! interesting packets. The second access-list statement specifies that all
! other IP traffic, such as ping, Telnet, or any other IP packet, is interesting.
! The dialer-list command then creates dialer access group 1 and states
! that access list 101 is to be used to classify packets as interesting or
! uninteresting. The ip route commands specify that there is a route to network
! 172.18.29.0 and to network 172.18.1.0 via 172.18.126.2. This means that several
! destination networks are available through a router that is dialed from this
! interface.
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
dialer-list 1 list 101
ip route 172.18.29.0 172.18.126.2
ip route 172.18.1.0 172.18.126.2
ip local pool dialin 10.102.126.2 10.102.126.254
With many modems, the pulse-time command must be used so that DTR is dropped for enough time to
allow the modem to disconnect.
The redistribute static command can be used to advertise static route information for DDR applications.
Refer to the redistribute static ip command, described in the chapter “IP Routing Commands” of the
Cisco IOS IP Command Reference. Without this command, static routes to the hosts or network that the
router can access with DDR will not be advertised to other routers with which the router is
communicating. This behavior can block communication because some routes will not be known.
Two-Way DDR for Novell IPX Example
You can set DDR for Novell IPX so that both the client and server have dial-in access to each other. This
configuration is demonstrated in the following two subsections.
Remote Configuration Example
The following example is performed on the remote side of the connection:
username local password secret
ipx routing
!
interface ethernet 0
ipx network 40
!
interface async
ip unnumbered e0
encapsulation ppp
async mode dedicated
async dynamic routing
ipx network 45
ipx watchdog-spoof
dialer in-band
dialer map ipx 45.0000.0cff.d016 broadcast name local 1212
dialer-group 1
ppp authentication chap
!
access-list 901 deny 0 FFFFFFFF 452
access-list 901 deny 0 FFFFFFFF 453
access-list 901 deny 0 FFFFFFFF 457
access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 452
access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 453
access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 457
access-list 901 permit 0
ipx route 41 45.0000.0cff.d016
ipx route 50 45.0000.0cff.d016
ipx sap 4 SERVER 50.0000.0000.0001 451 2
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
!
dialer-list 1 list 901
!
line 7
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
Local Configuration Example
The following example is performed on the local side of the connection:
username remote password secret
ipx routing
!
interface ethernet 0
ipx network 41
!
interface async
ip unnumbered e0
encapsulation ppp
async mode dedicated
async dynamic routing
ipx network 45
ipx watchdog-spoof
dialer in-band
dialer map ipx 45.0000.0cff.d016 broadcast name remote 8888
dialer-group 1
ppp authentication chap
!
access-list 901 deny 0 FFFFFFFF 452
access-list 901 deny 0 FFFFFFFF 453
access-list 901 deny 0 FFFFFFFF 457
access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 452
access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 453
access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 457
access-list 901 permit 0
ipx route 40 45.0000.0cff.d016
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
!
dialer-list 1 list 901
!
line 7
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
AppleTalk Configuration Example
The following example configures DDR for AppleTalk access using an ISDN BRI. Two access lists are
defined: one for IP and Interior Gateway Routing Protocol (IGRP) and one for AppleTalk. AppleTalk
packets from network 2141 only (except broadcast packets) can initiate calls.
interface BRI0
ip address 172.17.20.107 255.255.255.0
encapsulation ppp
appletalk cable-range 2141-2141 2141.65
appletalk zone SCruz-Eng
no appletalk send-rtmps
dialer map ip 172.17.20.106 broadcast 1879
dialer map appletalk 2141.66 broadcast 1879
dialer-group 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 601 permit cable-range 2141-2141 broadcast-deny
access-list 601 deny other-access
!
dialer-list 1 list 101
dialer-list 1 list 601
DECnet Configuration Example
The following example configures DDR for DECnet:
decnet routing 10.19
username RouterB password 7 030752180531
interface serial 0
no ip address
decnet cost 10
encapsulation ppp
dialer in-band
dialer map decnet 10.151 name RouterB broadcast 4155551212
dialer-group 1
ppp authentication chap
pulse-time 1
access-list 301 permit 10.0 0.1023 0.0 63.1023
dialer-list 1 protocol decnet list 301
ISO CLNS Configuration Example
The following example configures a router for International Organization for Standardization
Connectionless Network Service (ISO CLNS) DDR with in-band dialing:
username RouterB password 7 111C140B0E
clns net 47.0004.0001.0000.0c00.2222.00
clns routing
clns filter-set ddrline permit 47.0004.0001....
!
interface serial 0
no ip address
encapsulation ppp
dialer in-band
dialer map clns 47.0004.0001.0000.0c00.1111.00 name RouterB broadcast 1212
dialer-group 1
ppp authentication chap
clns enable
pulse-time 1
!
clns route default serial 0
dialer-list 1 protocol clns list ddrline
XNS Configuration Example
The following example configures DDR for XNS. The access lists deny broadcast traffic to any host on
any network, but allow all other traffic.
xns routing 0000.0c01.d8dd
username RouterB password 7 111B210A0F
interface serial 0
no ip address
encapsulation ppp
xns network 10
dialer in-band
dialer map xns 10.0000.0c01.d877 name RouterB broadcast 4155551212
dialer-group 1
ppp authentication chap
pulse-time 1
!
access-list 400 deny -1 -1.ffff.ffff.ffff 0000.0000.0000
access-list 400 permit -1 10
!
dialer-list 1 protocol xns list 400
Single Site Dialing Example
The following example is based on the configuration shown in Figure 49; the router receives a packet
with a next hop address of 10.1.1.1.
Figure 49 Sample Dialer String or Dialer Map Configuration
If the single site called by the DDR spoke interface on your router has the phone number 5555555, it will
send the packet to that site, assuming that the next hop address 10.1.1.1 indicates the same remote device
as phone number 5555555. The dialer string command is used to specify the string (telephone number)
to be called.
interface serial 1
dialer in-band
dialer string 5555555
DTR Dialing Example
The following example shows Router A and Router B connected to a Public Switched Telephone
Network (PSTN). Router A is configured for DTR dialing. Remote Router B is configured for in-band
dialing so it can disconnect an idle call. (See Figure 50.)
Figure 50 DTR Dialing Through a PSTN
Router A
interface serial 0
ip address 172.18.170.19 255.255.255.0
dialer dtr
dialer-group 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
dialer-list 1 list 101
(Figure 50 shows Router A and Router B, each with an Ethernet 0 and a Serial 0 interface, connected to each other through the PSTN.)
Router B
interface serial 0
ip address 172.18.170.20 255.255.255.0
dialer in-band
dialer string 9876543
pulse-time 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
dialer-list 1 list 101
Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example
The following example sets up DDR to provide service to multiple remote sites. In a hub-and-spoke
configuration, you can use a generic configuration script to set up each remote connection. Figure 51
illustrates a typical hub-and-spoke configuration.
Figure 51 Hub-and-Spoke DDR Configuration
Commands in the following sections are used to create this configuration.
Spoke Topology Configuration
The following commands are executed on the spoke side of the connection. (A different “spoke”
password must be specified for each remote client.) The configuration provides authentication by
identifying a password that must be provided on each end of the connection.
interface ethernet 0
ip address 172.30.44.1 255.255.255.0
!
interface async 7
async mode dedicated
async default ip address 172.30.45.1
ip address 172.30.45.2 255.255.255.0
encapsulation ppp
ppp authentication chap
dialer in-band
dialer map ip 172.30.45.1 name hub system-script hub 1234
dialer map ip 172.30.45.255 name hub system-script hub 1234
dialer-group 1
!
ip route 172.30.43.0 255.255.255.0 172.30.45.1
ip default-network 172.30.0.0
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
chat-script hub "" "" name: spoke1 word: PPP
dialer-list 1 protocol ip permit
!
username hub password
!
router igrp 109
network 172.30.0.0
passive-interface async 7
!
line 7
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
Hub Router Configuration
The following commands are executed on the local side of the connection—the hub router. The
commands configure the server for communication with three clients and provide authentication by
identifying a unique password for each “spoke” in the hub-and-spoke configuration.
interface ethernet 0
ip address 172.30.43.1 255.255.255.0
!
interface async 7
async mode interactive
async dynamic address
dialer rotary-group 1
!
interface async 8
async mode interactive
async dynamic address
dialer rotary-group 1
!
interface dialer 1
ip address 172.30.45.2 255.255.255.0
no ip split-horizon
encapsulation ppp
ppp authentication chap
dialer in-band
dialer map ip 172.30.45.2 name spoke1 3333
dialer map ip 172.30.45.2 name spoke2 4444
dialer map ip 172.30.45.2 name spoke3 5555
dialer map ip 172.30.45.255 name spoke1 3333
dialer map ip 172.30.45.255 name spoke2 4444
dialer map ip 172.30.45.255 name spoke3 5555
dialer-group 1
!
ip route 172.30.44.0 255.255.255.0 172.30.45.2
ip route 172.30.44.0 255.255.255.0 172.30.45.3
ip route 172.30.44.0 255.255.255.0 172.30.45.4
dialer-list 1 list 101
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
!
username spoke1 password
username spoke2 password
username spoke3 password
username spoke1 autocommand ppp 172.30.45.2
username spoke2 autocommand ppp 172.30.45.3
username spoke3 autocommand ppp 172.30.45.4
!
router igrp 109
network 172.30.0.0
redistribute static
!
line 7
login tacacs
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
Two-Way Reciprocal Client/Server DDR Without Authentication Example
You can set up two-way reciprocal DDR without authentication in which both the client and server have
dial-in access to each other. This configuration is demonstrated in the following two sections.
Remote Configuration
The following commands are executed on the remote side of the connection. The remote router calls a single number (dialer string 1234) and, as the section title says, does not authenticate the peer: no ppp authentication or username command is configured.
interface ethernet 0
ip address 172.30.44.1 255.255.255.0
!
interface async 7
ip address 172.30.45.2 255.255.255.0
async mode dedicated
async default ip address 172.30.45.1
encapsulation ppp
dialer in-band
dialer string 1234
dialer-group 1
!
ip route 172.30.43.0 255.255.255.0 async 7
ip default-network 172.30.0.0
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
dialer-list 1 protocol ip permit
!
line 7
no exec
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
Local Configuration
The following commands are executed on the local side of the connection. Interfaces async 7 and async 8 are placed in dialer rotary group 1, and the dialer interface maps the remote router's address to its dial string. Note that the dialer interface is configured with ppp authentication chap; for that to succeed, a username entry holding the remote router's CHAP secret (or an AAA method) is also required, which this example does not show.
interface ethernet 0
ip address 172.30.43.1 255.255.255.0
!
interface async 7
async mode dedicated
async default ip address 172.30.45.2
encapsulation ppp
dialer in-band
dialer string 1235
dialer rotary-group 1
!
interface async 8
async mode dedicated
async default ip address 172.30.45.2
dialer rotary-group 1
!
ip route 172.30.44.0 255.255.255.0 async 7
!
! dialer interface 1 is the rotary group leader for async 7 and async 8
interface dialer 1
ip address 172.30.45.2 255.255.255.0
encapsulation ppp
ppp authentication chap
dialer in-band
dialer map ip 172.30.45.2 name remote 4321
dialer load-threshold 80
!
ip route 172.30.44.0 255.255.255.0 128.150.45.2
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
dialer-list 1 protocol ip permit
!
router igrp 109
network 172.30.0.0
redistribute static
passive-interface async 7
!
line 7
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
Frame Relay Support Example
The examples in this section present various combinations of interfaces, Frame Relay features, and DDR
features.
Frame Relay Access with In-Band Dialing (V.25bis) and Static Mapping Example
The following example shows how to configure a router for IP over Frame Relay using in-band dialing.
A Frame Relay static map is used to associate the next hop protocol address to the data-link connection
identifier (DLCI). The dialer string allows dialing to only one destination.
interface Serial0
ip address 10.1.1.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 10.1.1.2 100 broadcast
dialer in-band
dialer string 4155551212
dialer-group 1
!
access-list 101 deny igrp any host 255.255.255.255
access-list 101 permit ip any any
!
dialer-list 1 protocol ip list 101
Frame Relay Access with ISDN Dialing and DDR Dynamic Maps Example
The following example shows a BRI interface configured for Frame Relay and for IP, IPX, and
AppleTalk routing. No static maps are defined because this setup relies on Frame Relay Local
Management Interface (LMI) signaling and Inverse ARP to determine the network address-to-DLCI
mappings dynamically. (Because Frame Relay Inverse ARP is enabled by default, no command is
required.)
interface BRI0
ip address 10.1.1.1 255.255.255.0
ipx network 100
appletalk cable-range 100-100 100.1
appletalk zone ISDN
no appletalk send-rtmps
encapsulation frame-relay IETF
dialer map ip 10.1.1.2 broadcast 4155551212
dialer map apple 100.2 broadcast 4155551212
dialer map ipx 100.0000.0c05.33ed broadcast 4085551234
dialer-group 1
!
access-list 101 deny igrp any host 255.255.255.255
access-list 101 permit ip any any
access-list 901 deny -1 FFFFFFFF 452
access-list 901 deny -1 FFFFFFFF 453
access-list 901 deny -1 FFFFFFFF 457
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 452
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 453
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 457
access-list 901 permit -1
access-list 601 permit cable-range 100-100 broadcast-deny
access-list 601 deny other-access
!
dialer-list 1 protocol ip list 101
dialer-list 1 protocol novell list 901
dialer-list 1 protocol apple list 601
X.25 Support Example
The following example configures a router to support X.25 and DTR dialing:
interface serial 0
ip address 172.18.170.19 255.255.255.0
encapsulation x25
x25 address 12345
x25 map ip 172.18.171.20 67890 broadcast
dialer dtr
dialer-group 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
dialer-list 1 list 101
LAPB Support Example
The following example configures a router for LAPB encapsulation and in-band dialing:
interface serial 0
ip address 172.18.170.19 255.255.255.0
encapsulation lapb
dialer in-band
dialer string 4155551212
dialer-group 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
dialer-list 1 protocol ip list 101
Configuring Legacy DDR Hubs
This chapter describes how to configure legacy dial-on-demand routing (DDR) on interfaces functioning
as the hub in a hub-and-spoke network topology. It includes the following main sections:
• DDR Issues
• DDR Hubs Configuration Task Flow
• How to Configure DDR
• Monitoring DDR Connections
• Configuration Examples for Legacy DDR Hub
This chapter considers a hub interface to be any interface that calls or receives calls from more than one
other router and considers a spoke interface to be an interface that calls or receives calls from exactly
one router.
For configuration tasks for the spoke interfaces in a hub-and-spoke network topology, see the chapter
“Configuring Legacy DDR Spokes” in this publication.
For information about the dialer profiles implementation of DDR, see the chapter “Configuring
Peer-to-Peer DDR with Dialer Profiles” in this publication.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the DDR commands in this chapter, see the Cisco IOS Dial Technologies
Command Reference, Release 12.2. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
DDR Issues
A DDR configuration applies to a specified router interface but serves the communication needs of the
whole network. The router configured for DDR must preserve communications and ensure that routes are
known to the routers at both ends of the dial link. Thus, these issues are important:
• Types and number of router interfaces to be configured for DDR.
• Function of each specific interface—to place calls, receive calls, or both—and the number of sites
connecting to the interface.
• Identity and characteristics of the router at the other end of each connection—phone number, host
name, next hop network protocol addresses, type of signaling used or required, ability to place or
receive calls, other requirements.
• Types of packets that will be allowed to trigger outgoing calls—if the interface places calls.
• End of the connection that will control the communication: initiating calls and terminating calls
when the line is idle.
• Method for authenticating other routers—if the interface receives calls from multiple sites.
• Passing routing information across the dial link.
DDR Hubs Configuration Task Flow
Before you configure DDR, make sure you have completed the preparations for bridging or routing as
described in the chapter “Preparing to Configure DDR” in this publication. That chapter provides
information about the minimal requirements. For detailed information about bridging, routing, and
wide-area networking configurations, see the appropriate chapters in other volumes of this
documentation set.
When you configure DDR on a hub interface in a hub-and-spoke topology, you perform the following
general steps:
Step 1 Specify the interface that will place calls to or receive calls from multiple sites. (See the chapter
“Configuring Legacy DDR Spokes” in this publication for information about configuring an interface to
place calls to or receive calls from one site only.)
Step 2 Enable DDR on the interface. This step is not required for some interfaces; for example, ISDN interfaces
and passive interfaces that receive only from data terminal ready (DTR)-dialing interfaces.
Step 3 Configure the interface to receive calls only, if applicable. Receiving calls from multiple sites requires
each inbound call to be authenticated.
Step 4 Configure the interface to place calls only, if applicable.
Step 5 Configure the interface to place and receive calls, if applicable.
Step 6 If the interface will place calls, specify access control for the following:
• Transparent bridging—Assign the interface to a bridge group, and define dialer lists associated with
the bridging access lists. The interface switches between members of the same bridge group, and
dialer lists specify which packets can trigger calls.
or
• Routed protocols—Define dialer lists associated with the protocol access lists to specify which
packets can trigger calls.
Step 7 Customize the interface settings (timers, interface priority, hold queues, bandwidth on demand, and
disabling fast switching) as needed.
When you have configured the interface and it is operational, you can monitor its performance and its
connections as described in the “Monitoring DDR Connections” section later in this chapter.
You can also enhance DDR by configuring Multilink PPP and configuring PPP callback. The PPP
configuration tasks are described in the chapter “Configuring Media-Independent PPP and Multilink
PPP” in this publication.
See the section “Configuration Examples for Legacy DDR Hub” at the end of this chapter for examples
of how to configure DDR on your network.
How to Configure DDR
To configure DDR on an interface, perform the tasks in the following sections. The first five bulleted
items are required. The remaining tasks are not absolutely required, but might be necessary in your
networking environment.
• Specifying the Interface (Required)
• Enabling DDR on the Interface (Required)
• Configuring the Interface to Place Calls Only (Required)
or
Configuring the Interface to Receive Calls Only (Required)
or
Configuring the Interface to Place and Receive Calls (Required)
• Configuring Access Control for Outgoing Calls (As required)
• Customizing the Interface Settings (As required)
• Sending Traffic over Frame Relay, X.25, or LAPB Networks (As required)
See the section “Monitoring DDR Connections” later in this chapter for commands and other
information about monitoring DDR connections. See the section “Configuration Examples for Legacy
DDR Hub” at the end of this chapter for ideas about how to implement DDR in your network.
Specifying the Interface
You can configure any asynchronous, synchronous serial, ISDN, or dialer interface for legacy DDR.
Note When you specify an interface, make sure to use the interface numbering scheme supported on the
network interface module or other port hardware on the router. On the Cisco 7200 series router, for
example, you specify an interface by indicating its type, slot number, and port number.
To specify an interface to configure for DDR, use one of the following commands in global configuration
mode:

Command / Purpose
Router(config)# interface async number
Router(config)# interface serial number
Router(config)# interface bri number
    Specifies an interface to configure for DDR.
or
Router(config)# interface serial slot/port:23
    Specifies an ISDN PRI D channel (T1).
Router(config)# interface serial slot/port:15
    Specifies an ISDN PRI D channel (E1).
or
Router(config)# interface dialer number
    Specifies a logical interface to function as a dialer rotary group leader.

Dialer interfaces are logical or virtual entities, but they use physical interfaces to place or receive calls.
Enabling DDR on the Interface
This task is required for asynchronous serial, synchronous serial, and logical dialer interfaces.
This task is not required for ISDN interfaces (BRI interfaces and ISDN PRI D channels) and for purely
passive interfaces that will receive calls only from interfaces that use DTR dialing.
Enabling DDR on an interface usually requires you to specify the type of dialer to be used. This task is
not required for ISDN interfaces because the software automatically configures ISDN interfaces to be
dialer type ISDN.
To enable DDR on the interface, use the following command in interface configuration mode:

Command / Purpose
Router(config-if)# dialer in-band [no-parity | odd-parity]
    Enables DDR on an asynchronous interface or a synchronous serial interface using V.25bis modems.

You can optionally specify parity if the modem on this interface uses the V.25bis command set. The 1984
version of the V.25bis specification states that characters must have odd parity. However, the default for
the dialer in-band command is no parity.
Configuring the Interface to Place Calls Only
To configure an interface to place calls to multiple destinations, perform the following tasks. The first
task is required for all interface types. The second task is required only if you specified a dialer interface.
• Defining the Dialing Destination (Required)
• Specifying a Physical Interface to Use and Assigning It to a Dialer Rotary Group (As required)
Defining the Dialing Destination
For calling multiple sites, an interface or dialer rotary group must be configured to map each next hop
protocol address to the dial string (some form of a telephone number) used to reach it.
To define each dialing destination, use one of the following commands in interface configuration mode:

Command / Purpose
Router(config-if)# dialer map protocol next-hop-address dial-string[:isdn-subaddress]
    Defines a dialing destination for a synchronous serial interface or a dialer interface.
Router(config-if)# dialer map protocol next-hop-address [spc] [speed 56 | 64] [broadcast] [dial-string[:isdn-subaddress]]
    Defines a dialing destination for an ISDN interface (including an ISDN PRI D channel).
Router(config-if)# dialer map protocol next-hop-address [modem-script modem-regexp] [system-script system-regexp] dial-string[:isdn-subaddress]
    Defines a dialing destination for an asynchronous interface. If a modem dialing chat script has not
    been assigned to the line or a system login chat script must be specified, defines both a dialing
    destination and the chat scripts to use.

Repeat this task as many times as needed to ensure that all dialing destinations are reachable via some
next hop address and dialed number.
If you intend to send traffic over other types of networks, see one of the following sections later in this
chapter: “Configuring the Interface for Sending Traffic over a Frame Relay Network,” “Configuring the
Interface for Sending Traffic over an X.25 Network,” or “Configuring the Interface for Sending Traffic
over a LAPB Network.”
Specifying a Physical Interface to Use and Assigning It to a Dialer Rotary Group
This section applies only if you specified a dialer interface to configure for DDR.
To assign a physical interface to a dialer rotary group, use the following commands beginning in global
configuration mode:

Command / Purpose
Step 1 Router(config)# interface serial number
       or
       Router(config)# interface async number
    Specifies a physical interface to use and begins interface configuration mode.
Step 2 Router(config-if)# dialer rotary-group number
    Assigns the specified physical interface to a dialer rotary group.

Repeat these two steps for each physical interface to be used by the dialer interface.
An ISDN BRI is a rotary group of B channels. An ISDN interface can be part of a rotary group
comprising other interfaces (synchronous, asynchronous, ISDN BRI, or ISDN PRI). However, Cisco
supports at most one level of recursion; that is, a rotary of rotaries is acceptable, but a rotary of rotaries
of rotaries is not supported.
Interfaces in a dialer rotary group do not have individual addresses; when the interface is being used for
dialing, it inherits the parameters configured for the dialer interface. However, if the individual interface
is configured with an address and it is subsequently used to establish a connection from the user EXEC
level, the individual interface address again applies.
Note When you look at your configuration file, commands will not appear in the order in which you
entered them. You will also see interface configuration commands that you did not enter, because
each interface assigned to a dialer rotary group inherits the parameters of the dialer interface in the
dialer rotary group.
Figure 52 illustrates how dialer interfaces work. In this configuration, serial interfaces 1, 2, and 3 are
assigned to dialer rotary group 1 and thereby take on the parameters configured for dialer interface 1.
When it is used for dialing, the IP address of serial interface 2 is the same as the address of the dialer
interface, 172.18.1.1.
Figure 52 Sample Dialer Interface Configuration
Configuring the Interface to Receive Calls Only
Once DDR is enabled on an asynchronous serial, synchronous serial, or ISDN interface, the interface
can receive calls from multiple sites using one line or multiple lines. However, interfaces that receive
calls from multiple sites require authentication of the remote sites. In addition, dialer interfaces require
at least one physical interface to be specified and added to the dialer rotary group. The tasks in the
following sections describe how to configure authentication:
• Configuring the Interface for TACACS+
or
• Configuring the Interface for PPP Authentication
• Specifying Physical Interfaces and Assigning Them to the Dialer Rotary Group
(Figure 52 shows serial interfaces 1, 2, and 3 in dialer rotary group 1 under dialer interface 1, address 172.18.1.1, and serial interfaces 4, 5, and 6 in dialer rotary group 2 under dialer interface 2, address 172.25.1.1.)
Configuring the Interface for TACACS+
To configure TACACS as an alternative to host authentication, use one of the following commands:

Command / Purpose
Router(config-if)# ppp use-tacacs [single-line]
    Configures TACACS on the interface (interface configuration mode).
or
Router(config)# aaa authentication ppp
    Configures TACACS+ through AAA (global configuration mode; requires aaa new-model).

Use the ppp use-tacacs command with TACACS and extended TACACS. Use the aaa authentication
ppp command with authentication, authorization, and accounting (AAA)/TACACS+.
Configuring the Interface for PPP Authentication
This section specifies the minimum required configuration for PPP Challenge Handshake Authentication
Protocol (CHAP) or Password Authentication Protocol (PAP) authentication. PAP sends the password in
the clear over the link, so CHAP is preferred wherever the remote device supports it. For more detailed
information, see the chapter “Configuring Media-Independent PPP and Multilink PPP” in this
publication.
To use CHAP or PAP authentication, perform the following steps beginning in interface configuration
mode:
Note After you have enabled one of these protocols, the local router or access server requires
authentication of the remote devices that are calling. If the remote device does not support the
enabled authentication protocol, no traffic will be passed to that device.
1. For CHAP, configure host name authentication and the secret or password for each remote system
with which authentication is required.
2. Map the protocol address to the name of the host calling in.
To enable PPP encapsulation, use the following commands beginning in interface configuration mode:

Command / Purpose
Step 1 Router(config-if)# encapsulation ppp
    Enables PPP on an interface.
Step 2 Router(config-if)# ppp authentication chap [if-needed]
    Enables CHAP on an interface.
       or
       Router(config-if)# ppp authentication pap
    Enables PAP on an interface.
Step 3 Router(config-if)# dialer map protocol next-hop-address name hostname
    For any host calling in to the local router or access server, maps its host name (case-sensitive) to
    the next hop address used to reach it. Repeat this step for each host calling in to this interface.
Step 4 Router(config-if)# exit
    Returns to global configuration mode.
Step 5 Router(config)# username name [user-maxlinks link-number] password secret
    Specifies the password to be used in CHAP caller identification. Optionally, you can specify the
    maximum number of connections a user can establish.
    To use the user-maxlinks keyword, you must also use the aaa authorization network default local
    command, and PPP encapsulation and name authentication on all the interfaces the user will be
    accessing.
    Repeat this step to add a username entry for each remote system from which the local router or
    access server requires authentication.
    CHAP needs the secret itself, not a one-way hash of it, so the entry is stored in the configuration
    either in the clear or in the reversible type 7 encoding (password 7); protect the configuration file
    accordingly.

Specifying Physical Interfaces and Assigning Them to the Dialer Rotary Group
To assign a physical interface to a dialer rotary group, use the following commands beginning in global
configuration mode:

Command / Purpose
Step 1 Router(config)# interface serial number
       or
       Router(config)# interface async number
    Specifies a physical interface to use and begins interface configuration mode.
Step 2 Router(config-if)# dialer rotary-group number
    Assigns the specified physical interface to a dialer rotary group.

Repeat these two steps for each physical interface to be used by the dialer interface.
Configuring the Interface to Place and Receive Calls
You can configure a physical interface or dialer interface to both place and receive calls. For placing
calls, the interface must be configured to map each next hop address to the telephone number to dial. For
receiving calls from multiple sites, the interface must be configured to authenticate callers.
Figure 53 shows a configuration in which the central site is calling and receiving calls from multiple
sites. In this configuration, multiple sites are calling in to a central site, and the central site might be
calling one or more of the remote sites.
Figure 53 Hub-and-Spoke Configuration Using DDR
(Figure 53 shows a central site placing calls to and receiving calls from Remote Routers A, B, C, D, and E.)
To configure a single line, multiple lines, or a dialer interface to place calls to and receive calls from
multiple sites, perform the tasks in the following sections:
• Defining One or More Dialing Destinations
• Defining the Traffic to Be Authenticated
If you intend to send traffic over other types of networks, see one of the following sections later in this
chapter: “Configuring the Interface for Sending Traffic over a Frame Relay Network,” “Configuring the
Interface for Sending Traffic over an X.25 Network,” or “Configuring the Interface for Sending Traffic
over a LAPB Network.”
Defining One or More Dialing Destinations
For calling multiple sites, an interface or dialer rotary group must be configured to map each next hop
protocol address to the dial string (some form of a telephone number) used to reach it.
To define each dialing destination, use one of the following commands in interface configuration mode:

Command / Purpose
Router(config-if)# dialer string dial-string[:isdn-subaddress]
    Defines only one dialing destination (used to configure one phone number on multiple lines only).
Router(config-if)# dialer map protocol next-hop-address dial-string[:isdn-subaddress]
    Defines one of several dialing destinations for a synchronous serial interface or a dialer interface.
Router(config-if)# dialer map protocol next-hop-address [spc] [speed 56 | 64] [broadcast] [dial-string[:isdn-subaddress]]
    Defines one of several dialing destinations for an ISDN interface (including an ISDN PRI D channel).
Router(config-if)# dialer map protocol next-hop-address [modem-script modem-regexp] [system-script system-regexp] dial-string[:isdn-subaddress]
    Defines one of several dialing destinations for an asynchronous interface. If a modem dialing chat
    script has not been assigned to the line or a system login chat script must be specified, define both a
    dialing destination and the chat scripts to use.

Repeat this task as many times as needed to ensure that all dialing destinations are reachable via some
next hop address and dialed number.
Configuring Legacy DDR Hubs
How to Configure DDR
DC-398
Cisco IOS Dial Technologies Configuration Guide
Defining the Traffic to Be Authenticated
Calls from the multiple sites must be authenticated. Authentication can be done through CHAP or PAP.
In addition, the interface must be configured to map the protocol address of a host to the name to use for
authenticating the remote host.
To enable CHAP or PAP on an interface and authenticate sites that are calling in, use the following
commands in interface configuration mode:

Step 1
Command: Router(config-if)# encapsulation ppp
Purpose: Configures an interface for PPP encapsulation.

Step 2
Command: Router(config-if)# ppp authentication chap [if-needed]
  or
Command: Router(config-if)# ppp authentication pap [if-needed]
Purpose: Enables CHAP, or enables PAP.

Step 3
Command: Router(config-if)# dialer map protocol next-hop-address name hostname [modem-script modem-regexp] [system-script system-regexp] [dial-string[:isdn-subaddress]]
Purpose: Maps the protocol address to a host name.

If the dial string is not used, the interface will be able to receive calls from the host, but will not be able
to place calls to the host.
Repeat this task for each site from which the router will receive calls.
Configuring Access Control for Outgoing Calls
Protocol access lists and dialer access lists are central to the operation of DDR. In general, access lists
are used as the screening criteria for determining when to initiate DDR calls. All packets are tested
against the dialer access list. Packets that match a permit entry are deemed interesting or packets of
interest. Packets that do not match a permit entry or that do match a deny entry are deemed uninteresting.
When a packet is found to be interesting, either the dialer idle timer is reset (if the line is active) or a
connection is attempted (assuming the line is available but not active). If a tested packet is deemed
uninteresting, it will be forwarded if it is intended for a destination known to be on a specific interface
and the link is active. However, such a packet will not initiate a DDR call and will not reset the idle timer.
Configuring Access Control for Bridging
When you completed preparations for bridging over DDR, you entered global access lists to specify the
protocol packets to be permitted or denied, and global dialer lists to specify which access list to use and
which dialer group will place the outgoing calls.
Now you must tie those global lists to an interface configured for DDR. You do this by assigning selected
interfaces to a bridge group. Because packets are bridged only among interfaces that belong to the same
bridge group, you need to assign this interface and others to the same bridge group.
To assign an interface to a bridge group, use the following command in interface configuration mode:

Command: Router(config-if)# bridge-group bridge-group
Purpose: Assigns the specified interface to a bridge group.

For examples of bridging over DDR, see the “Transparent Bridging over DDR Examples” section later
in this chapter.
Configuring Access Control for Routing
Before you perform the tasks outlined in this section, you should have completed the preparations for
routing a protocol over DDR as described briefly in the chapter “Preparing to Configure DDR” in this
publication and as described in greater detail in the appropriate network protocols configuration guide
(for example, the Cisco IOS AppleTalk and Novell IPX Configuration Guide).
An interface can be associated only with a single dialer access group; multiple dialer access group
assignments are not allowed. To specify the dialer access group to which you want to assign an access
list, use the following command in interface configuration mode:

Command: Router(config-if)# dialer-group group-number
Purpose: Specifies the number of the dialer access group to which the specific interface belongs.

Customizing the Interface Settings
To customize DDR in your network, perform the tasks in the following sections as needed:
• Configuring Timers on the DDR Interface (As required)
• Setting Dialer Interface Priority (As required)
• Configuring a Dialer Hold Queue (As required)
• Configuring Bandwidth on Demand (As required)
• Disabling and Reenabling DDR Fast Switching (As required)
• Configuring Dialer Redial Options (As required)
Configuring Timers on the DDR Interface
To configure DDR interface timers, perform the tasks in the following sections as needed:
• Setting Line-Idle Time (As required)
• Setting Idle Time for Busy Interfaces (As required)
• Setting Line-Down Time (As required)
• Setting Carrier-Wait Time (As required)
Setting Line-Idle Time
To specify the amount of time for which a line will stay idle before it is disconnected, use the following
command in interface configuration mode:

Command: Router(config-if)# dialer idle-timeout seconds
Purpose: Sets line-idle time.

Setting Idle Time for Busy Interfaces
The dialer fast idle timer is activated if there is contention for a line. Contention occurs when a line is
in use, a packet for a different next hop address is received, and the busy line is required to send the
competing packet.
If the line has been idle for the configured amount of time, the current call is disconnected immediately
and the new call is placed. If the line has not yet been idle as long as the fast idle timeout period, the
packet is dropped because the destination is unreachable. (After the packet is dropped, the fast idle timer
remains active and the current call is disconnected as soon as it has been idle for as long as the fast idle
timeout.) If, in the meantime, another packet is sent to the currently connected destination, and it is
classified as interesting, the fast-idle timer is restarted.
To specify the amount of time for which a line for which there is contention will stay idle before the line
is disconnected and the competing call is placed, use the following command in interface configuration
mode:

Command: Router(config-if)# dialer fast-idle seconds
Purpose: Sets idle time for high-traffic lines.

This command applies to both inbound and outbound calls.
Setting Line-Down Time
To set the length of time for which the interface stays down before it is available to dial again after a line
is disconnected or fails, use the following command in interface configuration mode:

Command: Router(config-if)# dialer enable-timeout seconds
Purpose: Sets the interface downtime.

This command applies to both inbound and outbound calls.
Setting Carrier-Wait Time
To set the length of time for which an interface waits for the telephone service (carrier), use the following
command in interface configuration mode:

Command: Router(config-if)# dialer wait-for-carrier-time seconds
Purpose: Sets the length of time for which the interface waits for the carrier to come up when a call is placed.
For asynchronous interfaces, this command sets the total time to wait for a call to connect. This time is
set to allow for running the chat script.
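How the screening described under Configuring Access Control for Outgoing Calls interacts with the dialer idle-timeout and dialer fast-idle timers is easier to see in a small model. The following Python is an added illustration, not Cisco IOS code and not part of this guide: it parses the two extended access-list entries from the guide's IP environment example (deny IGRP to the broadcast address, permit all other IP), classifies packets as interesting or uninteresting, and drives a simplified single-line dialer whose contention handling follows the fast-idle rules above. The next-hop address 172.18.126.3, the timer values and the packet sequence are constructed; the model leaves out hold queues, redial and the enable-timeout.

```python
import ipaddress

def ip_int(addr):
    """Dotted-quad address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def parse_extended_acl(lines):
    """Parse entries of the shape used in the guide's examples:
         access-list <n> {permit|deny} <proto> <src> <src-wildcard> <dst> <dst-wildcard>
    Returns tuples (action, proto, src, src_wild, dst, dst_wild) with addresses as ints."""
    rules = []
    for line in lines:
        f = line.split()
        if len(f) != 8 or f[0] != "access-list":
            raise ValueError("unsupported entry: " + line)
        rules.append((f[2], f[3], ip_int(f[4]), ip_int(f[5]), ip_int(f[6]), ip_int(f[7])))
    return rules

def wildcard_match(addr, rule_addr, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    return ((addr ^ rule_addr) & ~wildcard & 0xFFFFFFFF) == 0

def classify(rules, proto, src, dst):
    """First matching entry wins; no match is the implicit deny, so uninteresting."""
    s, d = ip_int(src), ip_int(dst)
    for action, rproto, rs, rsw, rd, rdw in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if wildcard_match(s, rs, rsw) and wildcard_match(d, rd, rdw):
            return "interesting" if action == "permit" else "uninteresting"
    return "uninteresting"

class DdrInterface:
    """Simplified single-line dialer: one call at a time, two timers (constructed model)."""

    def __init__(self, rules, idle_timeout, fast_idle):
        self.rules = rules
        self.idle_timeout = idle_timeout    # dialer idle-timeout seconds
        self.fast_idle = fast_idle          # dialer fast-idle seconds
        self.connected_to = None            # next hop the line is currently dialed to
        self.last_interesting = None        # time the idle timer was last reset
        self.contended = False              # a competing packet armed the fast-idle timer

    def _dial(self, now, next_hop):
        self.connected_to = next_hop
        self.last_interesting = now
        self.contended = False

    def packet(self, now, proto, src, dst, next_hop):
        """Decide what the dialer does with one outbound packet at time `now`."""
        interesting = classify(self.rules, proto, src, dst) == "interesting"
        if self.connected_to is None:
            if interesting:
                self._dial(now, next_hop)
                return "dial"
            return "drop"                    # no call up and nothing justifies placing one
        if next_hop == self.connected_to:
            if interesting:
                self.last_interesting = now  # idle (or fast-idle) timer restarted
                return "forward+reset"
            return "forward"                 # sent over the active link, timer untouched
        # A different next hop needs the busy line: contention.
        if not interesting:
            return "drop"
        if now - self.last_interesting >= self.fast_idle:
            self._dial(now, next_hop)        # current call torn down, competing call placed
            return "disconnect+dial"
        self.contended = True                # current call now lives on the fast-idle timer
        return "drop"

    def tick(self, now):
        """Periodic check that tears the call down once it has been idle long enough."""
        if self.connected_to is None:
            return "idle"
        limit = self.fast_idle if self.contended else self.idle_timeout
        if now - self.last_interesting >= limit:
            self.connected_to = None
            self.contended = False
            return "disconnect"
        return "up"

# Entries taken from the guide's IP environment example.
ACL_101 = [
    "access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]

def run_scenario():
    """Constructed traffic: hop_a is the example's next hop, hop_b is invented."""
    ddr = DdrInterface(parse_extended_acl(ACL_101), idle_timeout=600, fast_idle=20)
    hop_a, hop_b = "172.18.126.2", "172.18.126.3"
    events = [
        (0, "icmp", "172.18.126.1", "172.18.29.7", hop_a),       # ping: interesting, line dials
        (5, "igrp", "172.18.126.1", "255.255.255.255", hop_a),   # routing update: forwarded only
        (10, "tcp", "172.18.126.1", "172.18.1.9", hop_b),        # competing hop, idle 10 s < 20 s
        (25, "tcp", "172.18.126.1", "172.18.1.9", hop_b),        # idle 25 s >= fast-idle, switch
    ]
    return [ddr.packet(*e) for e in events], ddr
```

Running run_scenario() yields the actions dial, forward, drop, disconnect+dial: the IGRP update rides the active link without keeping it up, the first competing packet is lost because the line has not been idle for the fast-idle period, and the second one causes the switch. Note that with the guide's two entries only IGRP to the broadcast address is uninteresting; IGRP to a unicast address would fall through to the permit entry.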
Setting Dialer Interface Priority
You can assign dialer priority to an interface. Priority indicates which interface in a dialer rotary group
will get used first. To assign priority to a dialer interface, use the following command in interface
configuration mode:

Command: Router(config-if)# dialer priority number
Purpose: Specifies which dialer interfaces will be used first.

For example, you might give one interface in a dialer rotary group higher priority than another if it is
attached to a faster, more reliable modem. In this way, the higher-priority interface will be used as often
as possible.
The range of values for number is 0 through 255. Zero is the default value and lowest priority; 255 is the
highest priority. This command applies to outgoing calls only.
Configuring a Dialer Hold Queue
Sometimes packets destined for a remote router are discarded because no connection exists. Establishing
a connection using an analog modem can take time, during which packets are discarded. However,
configuring a dialer hold queue will allow interesting outgoing packets to be queued and sent as soon as
the modem connection is established.
A dialer hold queue can be configured on any type of dialer, including in-band synchronous,
asynchronous, DTR, and ISDN dialers. Also, hunt group leaders can be configured with a dialer hold
queue. If a hunt group leader (of a rotary dialing group) is configured with a hold queue, all members of
the group will be configured with a dialer hold queue and no hold queue for an individual member can
be altered.
To establish a dialer hold queue, use the following command in interface configuration mode:

Command: Router(config-if)# dialer hold-queue packets
Purpose: Creates a dialer hold queue and specifies the number of packets to be held in it.

As many as 100 packets can be held in an outgoing dialer hold queue.
Configuring Bandwidth on Demand
You can configure a dialer rotary group to use additional bandwidth by placing additional calls to a single
destination if the load for the interface exceeds a specified weighted value. Parallel communication links
are established based on traffic load. The number of parallel links that can be established to one location
is not limited.
To set the dialer load threshold for bandwidth on demand, use the following command in interface
configuration mode:

Command: Router(config-if)# dialer load-threshold load
Purpose: Configures the dialer rotary group to place additional calls to a destination, as indicated by interface load.

Once multiple links are established, they are still governed by the load threshold. If the total load falls
below the threshold, an idle link will be torn down.
Disabling and Reenabling DDR Fast Switching
Fast switching is enabled by default on all DDR interfaces. When fast switching is enabled or disabled
on an ISDN D channel, it is enabled or disabled on all B channels. When fast switching is enabled or
disabled on a dialer interface, it is enabled or disabled on all rotary group members but cannot be enabled
or disabled on the serial interfaces individually.
Fast switching can be disabled and re-enabled on a protocol-by-protocol basis. To disable fast switching
and re-enable it, use one of the following protocol-specific commands in interface configuration mode:

Command: Router(config-if)# no ip route-cache
Purpose: Disables IP fast switching over a DDR interface.

Command: Router(config-if)# ip route-cache
Purpose: Reenables IP fast switching over a DDR interface.

Command: Router(config-if)# no ip route-cache distributed
Purpose: Disables distributed IP fast switching over a DDR interface. This feature works in Cisco 7500 routers with a Versatile Interface Processor (VIP) card.

Command: Router(config-if)# ip route-cache distributed
Purpose: Enables distributed IP fast switching over a DDR interface. This feature works in Cisco 7500 routers with a VIP card.

Command: Router(config-if)# no ipx route-cache
Purpose: Disables IPX fast switching over a DDR interface.

Command: Router(config-if)# ipx route-cache
Purpose: Reenables IPX fast switching over a DDR interface.

Configuring Dialer Redial Options
By default, the Cisco IOS software generates a single dial attempt for each interesting packet. Dialer
redial allows the dialer to be configured to make a maximum number of redial attempts if the first
dial-out attempt fails, wait a specific interval between redial attempts, and disable the interface for a
specified duration if all redial attempts fail. New dial-out attempts will not be initiated if a redial is
pending to the same destination.
To configure redial options, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# interface dialer
Purpose: Enters interface configuration mode.

Step 2
Command: Router(config-if)# dialer redial interval time attempts number re-enable disable-time
Purpose: Configures redial options on the router.

Sending Traffic over Frame Relay, X.25, or LAPB Networks
An interface configured for DDR can send traffic over networks that require Link Access Procedure,
Balanced (LAPB), X.25, or Frame Relay encapsulation.
Before Cisco IOS software Release 12.0(6)T, encapsulation techniques such as Frame Relay, High-Level
Data Link Control (HDLC), LAPB-TA, and X.25 could support only one ISDN B-channel connection
over the entire link. HDLC and PPP could support multiple B channels, but the entire ISDN link needed
to use the same encapsulation. Dynamic multiple encapsulations allow incoming calls over ISDN to be
assigned encapsulation type based on calling line identification (CLID) or Dialed Number Identification
Service (DNIS). With dynamic multiple encapsulations, once CLID binding is completed, the topmost
interface is always used for all configuration and data structures. The ISDN B channel becomes a
forwarding device, and the configuration on the D channel is ignored, thereby allowing the different
encapsulation types and per-user configurations.
To configure an interface for those networks, perform the tasks in the following sections:
• Configuring the Interface for Sending Traffic over a Frame Relay Network (As Required)
• Configuring the Interface for Sending Traffic over an X.25 Network (As Required)
• Configuring the Interface for Sending Traffic over a LAPB Network (As Required)
Configuring the Interface for Sending Traffic over a Frame Relay Network
Access to Frame Relay networks is now available through dialup connections and leased lines. Dialup
connectivity allows Frame Relay networks to be extended to sites that do not generate enough traffic to
justify leased lines, and also allows a Frame Relay network to back up another network or point-to-point
line.
DDR over Frame Relay is supported for synchronous serial and ISDN interfaces and for rotary groups,
and is available for in-band, DTR, and ISDN dialers.
Frame Relay supports multiple permanent virtual circuit (PVC) connections over the same serial
interface or ISDN B channel, but only one physical interface can be used (dialed, connected, and active)
in a rotary group or with ISDN.
Dynamic multiple encapsulations support the following Frame Relay features:
• Frame Relay RTP Header Compression (RFC 1889)
• Frame Relay TCP/IP Header Compression
• Legacy DDR over Frame Relay
• Frame Relay Interface/Subinterface Backup
Dynamic multiple encapsulations support at least four Frame Relay PVCs on either dialer interfaces or
dialer subinterfaces.
Note Frame Relay encapsulations in the dynamic multiple encapsulations feature do not support IETF or
Cisco Encapsulation for IBM Systems Network Architecture (SNA). Frame Relay for SNA support
is not applicable.
Configuration Restrictions
The following restrictions apply to DDR used over Frame Relay:
• Frame Relay is not available for asynchronous dialers.
• Frame Relay dynamic multiple encapsulations do not provide bidirectional support.
• With dynamic multiple encapsulations, there is no process switching for Frame Relay packets;
these packets are always fast switched.
• Like HDLC, the LAPB, X.25, and Frame Relay encapsulations do not provide authentication. However, ISDN dialers
can offer some authentication through the caller ID feature.
• Only one ISDN B channel can be dialed at any one time. When configuring a rotary group, you can
use only one serial interface.
Note Frame Relay subinterfaces work the same on dialup connections as they do on leased lines.
Configuration Overview
No new commands are required to support DDR over Frame Relay; you configure Frame Relay and then
configure DDR. To configure an interface for DDR over Frame Relay, perform the following tasks:
• Specify the interface.
• Specify the protocol identifiers for the interface.
For example, enter the IP address and mask, the IPX network number, and the AppleTalk cable range
and zone.
• Configure Frame Relay, as described in the chapter “Configuring Frame Relay” in the Cisco IOS
Wide-Area Networking Configuration Guide.
As a minimum, you must enable Frame Relay encapsulation and decide whether you need to do
static or dynamic address mapping. If you decide to do dynamic mapping, you need not enter a
command because Inverse ARP is enabled by default. If you decide to do static mapping, you must
enter Frame Relay mapping commands.
You can then configure various options as needed for your Frame Relay network topology.
• Configure DDR.
At a minimum, you must decide and configure the interface for outgoing calls only, incoming calls
only, or both outgoing and incoming calls.
You can also configure DDR for your routed protocols (as specified in the chapter “Preparing
to Configure DDR”) and for snapshot routing (as specified in the chapter “Configuring Snapshot
Routing” later in this publication). You can also customize DDR on your router or access server (as
described in the “Customizing the Interface Settings” section later in this chapter).
For examples of configuring various interfaces for DDR over Frame Relay, see the section “Frame Relay
Support Examples” later in this chapter.
Configuring the Interface for Sending Traffic over an X.25 Network
X.25 interfaces can now be configured to support DDR. Synchronous serial and ISDN interfaces on
Cisco routers and access servers can be configured for X.25 addresses, X.25 encapsulation, and mapping
of protocol addresses to the X.25 address of a remote host. In-band, DTR, and ISDN dialers can be
configured to support X.25 encapsulation, but rotary groups cannot.
Remember that for ISDN interfaces, once CLID binding is completed, the topmost interface is always
used for all configuration and data structures. The ISDN B channel becomes a forwarding device, and
the configuration on the D channel is ignored, thereby allowing the different encapsulation types and
per-user configurations. For X.25 encapsulations, the configurations reside on the dialer profile. The
Dynamic Multiple Encapsulations feature provides support for packet assembler/disassembler (PAD)
traffic and X.25 encapsulated and switched packets.
To configure an interface to support X.25 and DDR, use the following X.25-specific commands in
interface configuration mode:

Step 1
Command: Router(config-if)# encapsulation x25 [dte | dce] [ietf]
Purpose: Configures the interface to use X.25 encapsulation.

Step 2
Command: Router(config-if)# x25 address x.121-address
Purpose: Assigns an X.25 address to the interface.

Step 3
Command: Router(config-if)# x25 map protocol address [protocol2 address2 [...[protocol9 address9]]] x.121-address [option]
Purpose: Sets up the LAN protocols-to-remote host address mapping.

The order of DDR and X.25 configuration tasks is not critical; you can configure DDR before or after
X.25, and you can even mix the DDR and X.25 commands.
For an example of configuring an interface for X.25 encapsulation and then completing the DDR
configuration, see the section “X.25 Support Configuration Example” later in this chapter.
Configuring the Interface for Sending Traffic over a LAPB Network
DDR over serial lines now supports LAPB encapsulation, in addition to the previously supported PPP,
HDLC, and X.25 encapsulations.
LAPB encapsulation is supported on synchronous serial, ISDN, and dialer rotary group interfaces, but
not on asynchronous dialers.
Because the default encapsulation is HDLC, you must explicitly configure LAPB encapsulation. To
configure an interface to support LAPB encapsulation and DDR, use the following command in interface
configuration mode:

Command: Router(config-if)# encapsulation lapb [dte | dce] [multi | protocol]
Purpose: Specifies LAPB encapsulation.

For more information about the serial connections on which LAPB encapsulation is appropriate, see the
encapsulation lapb command in the chapter “X.25 and LAPB Commands” in the Cisco IOS Wide-Area
Networking Command Reference, Release 12.2.
For an example of configuring an interface for DDR over LAPB, see the section “X.25 Support
Configuration Example” later in this chapter.
Monitoring DDR Connections
To monitor DDR connections and snapshot routing, use the following commands in privileged EXEC
mode:

Command: Router# show dialer [interface type number]
Purpose: Displays general diagnostics about the DDR interface.

Command: Router# show dialer map
Purpose: Displays current dialer maps, next-hop protocol addresses, user names, and the interfaces on which they are configured.

Command: Router# show interfaces bri 0
Purpose: Displays information about the ISDN interface.

Command: Router# show ipx interface [type number]
Purpose: Displays status about the IPX interface.

Command: Router# show ipx traffic
Purpose: Displays information about the IPX packets sent by the router or access server, including watchdog counters.

Command: Router# show appletalk traffic
Purpose: Displays information about the AppleTalk packets sent by the router or access server.

Command: Router# show vines traffic
Purpose: Displays information about the Banyan VINES packets sent by the router or access server.

Command: Router# show decnet traffic
Purpose: Displays information about the DECnet packets sent by the router or access server.

Command: Router# show xns traffic
Purpose: Displays information about the XNS packets sent by the router or access server.

Command: Router# clear dialer
Purpose: Clears the values of the general diagnostic statistics.

Configuration Examples for Legacy DDR Hub
The following sections provide various DDR configuration examples:
• Transparent Bridging over DDR Examples
• DDR Configuration in an IP Environment Example
• AppleTalk Configuration Example
• Banyan VINES Configuration Example
• DECnet Configuration Example
• ISO CLNS Configuration Example
• XNS Configuration Example
• Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example
• Single Site or Multiple Sites Dialing Configuration Example
• Multiple Destinations Configuration Example
• Dialer Interfaces and Dialer Rotary Groups Example
• DDR Configuration Using Dialer Interface and PPP Encapsulation Example
• Two-Way DDR with Authentication Example
• Frame Relay Support Examples
• X.25 Support Configuration Example
• LAPB Support Configuration Example
Transparent Bridging over DDR Examples
The following two examples differ only in the packets that cause calls to be placed. The first example
specifies by protocol (any bridge packet is permitted to cause a call to be made); the second example
allows a finer granularity by specifying the Ethernet type codes of bridge packets.
The first example configures serial interface 1 for DDR bridging. Any bridge packet is permitted to cause
a call to be placed.
no ip routing
!
interface Serial1
no ip address
encapsulation ppp
dialer in-band
dialer enable-timeout 3
dialer map bridge name urk broadcast 8985
dialer hold-queue 10
dialer-group 1
ppp authentication chap
bridge-group 1
pulse-time 1
!
dialer-list 1 protocol bridge permit
bridge 1 protocol ieee
bridge 1 hello 10
The second example also configures serial interface 1 for DDR bridging. However, this example
includes an access-list command that specifies the Ethernet type codes that can cause calls to be placed,
and a dialer-list protocol list command that refers to the specified access list.
no ip routing
!
interface Serial1
no ip address
encapsulation ppp
dialer in-band
dialer enable-timeout 3
dialer map bridge name urk broadcast 8985
dialer hold-queue 10
dialer-group 1
ppp authentication chap
bridge-group 1
pulse-time 1
!
access-list 200 permit 0x0800 0xFFF8
!
dialer-list 1 protocol bridge list 200
bridge 1 protocol ieee
bridge 1 hello 10
DDR Configuration in an IP Environment Example
The following example shows how to configure DDR to call one site from a synchronous serial interface
in an IP environment. You could use the same configuration on an asynchronous serial interface by
changing the interface serial 1 command to specify an asynchronous interface (for example, interface
async 0).
interface serial 1
ip address 172.18.126.1 255.255.255.0
dialer in-band
dialer idle-timeout 600
dialer string 5551234
pulse-time 1
! The next command adds this interface to the dialer access group defined with
! the dialer-list command.
dialer-group 1
!
! The first access list statement, below, specifies that IGRP updates are not
! interesting packets. The second access-list statement specifies that all
! other IP traffic such as Ping, Telnet, or any other IP packet is interesting.
! The dialer-list command then creates dialer access group 1 and states that
! access list 101 is to be used to classify packets as interesting or
! uninteresting. The ip route commands specify that there is a route to network
! 172.18.29.0 and to network 172.18.1.0 via 172.18.126.2. This means that
! several destination networks are available through a router that is dialed
! from interface serial 1.
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
dialer-list 1 list 101
ip route 172.18.29.0 172.18.126.2
ip route 172.18.1.0 172.18.126.2
ip local pool dialin 10.102.126.2 10.102.126.254
With many modems, the pulse-time command must be used so that DTR is dropped for enough time to
allow the modem to disconnect.
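The chain the guide describes under Defining One or More Dialing Destinations (a static route supplies the next hop, a dialer map turns the next hop into a name and dial string, and dialer string is the single-destination fallback) can be checked with a small resolver. The following Python is an added example written for this page, not Cisco IOS code: it parses a constructed configuration modelled on the example above. The 172.18.126.1 interface, the 172.18.126.2 next hop and dialer string 5551234 come from the guide; the RouterC and RouterD dialer maps, the 172.18.126.3 and 172.18.126.4 next hops and the extra routes are invented, and all routes are written with explicit masks, which is the only form this parser accepts. A dialer map without a dial string resolves to a receive-only entry, the case the guide notes under Defining the Traffic to Be Authenticated.

```python
import ipaddress

def parse_ddr_config(lines):
    """Collect the three command forms that decide how a DDR interface dials:
         ip route <network> <mask> <next-hop>     static route to the remote network
         dialer map ip <next-hop> [name <host>] [broadcast] [<dial-string>]
         dialer string <dial-string>              single-destination fallback
    Every other line is ignored.  Routes must carry an explicit mask (assumption
    of this example; the guide's example omits it)."""
    routes, maps, dialer_string = [], {}, None
    for raw in lines:
        f = raw.split()
        if f[:2] == ["ip", "route"] and len(f) == 5:
            routes.append((ipaddress.IPv4Network(f"{f[2]}/{f[3]}"), f[4]))
        elif f[:3] == ["dialer", "map", "ip"]:
            name = f[f.index("name") + 1] if "name" in f else None
            # The dial string, when present, is the last token; a map that ends in the
            # name or in "broadcast" has none and can only accept calls.
            dial = None if f[-1] in (name, "broadcast") else f[-1]
            maps[f[3]] = (name, dial)
        elif f[:2] == ["dialer", "string"]:
            dialer_string = f[2]
    return routes, maps, dialer_string

def resolve(destination, routes, maps, dialer_string):
    """Destination address -> longest-prefix static route -> next hop -> (name, dial string).
    Returns None when DDR has no next hop or dial string for the destination."""
    dst = ipaddress.IPv4Address(destination)
    matching = [(net, hop) for net, hop in routes if dst in net]
    if not matching:
        return None
    _, next_hop = max(matching, key=lambda r: r[0].prefixlen)
    if next_hop in maps:
        name, dial = maps[next_hop]
    elif dialer_string is not None:
        name, dial = None, dialer_string
    else:
        return None
    return {"next_hop": next_hop, "name": name, "dial_string": dial}

# Constructed configuration modelled on the guide's IP environment example.
SAMPLE_CONFIG = [
    "interface serial 1",
    " ip address 172.18.126.1 255.255.255.0",
    " dialer in-band",
    " dialer string 5551234",
    " dialer map ip 172.18.126.3 name RouterC broadcast 5555678",  # invented
    " dialer map ip 172.18.126.4 name RouterD broadcast",          # invented, receive-only
    " dialer-group 1",
    "!",
    "ip route 172.18.29.0 255.255.255.0 172.18.126.2",
    "ip route 172.18.1.0 255.255.255.0 172.18.126.2",
    "ip route 172.18.1.128 255.255.255.128 172.18.126.3",          # invented, more specific
    "ip route 172.18.7.0 255.255.255.0 172.18.126.4",              # invented
]

def lookup(destination):
    """Resolve one destination against SAMPLE_CONFIG."""
    return resolve(destination, *parse_ddr_config(SAMPLE_CONFIG))
```

lookup("172.18.29.9") falls back to the dialer string because 172.18.126.2 has no dialer map, lookup("172.18.1.200") follows the more specific /25 route to RouterC, and lookup("172.18.7.1") returns RouterD with no dial string, showing that the router could accept a call from that site but has nothing to dial.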
AppleTalk Configuration Example
The following example configures DDR for AppleTalk access using an ISDN BRI. Two access lists are
defined: one for IP and Interior Gateway Routing Protocol (IGRP) and one for AppleTalk. AppleTalk
packets from network 2141 only (except broadcast packets) can initiate calls.
interface BRI0
ip address 172.16.20.107 255.255.255.0
encapsulation ppp
appletalk cable-range 2141-2141 2141.65
appletalk zone SCruz-Eng
no appletalk send-rtmps
dialer map ip 172.16.20.106 broadcast 1879
dialer map appletalk 2141.66 broadcast 1879
dialer-group 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 601 permit cable-range 2141-2141 broadcast-deny
access-list 601 deny other-access
!
dialer-list 1 list 101
dialer-list 1 list 601
Banyan VINES Configuration Example
The following example configures a router for VINES and IP DDR with in-band dialing. The VINES
access list does not allow RTP routing updates to place a call, but any other data packet is interesting.
vines routing BBBBBBBB:0001
!
hostname RouterA
!
username RouterB password 7 030752180500
username RouterC password 7 00071A150754
!
interface serial 0
ip address 172.18.170.19 255.255.255.0
encapsulation ppp
vines metrics 10
vines neighbor AAAAAAAA:0001 0
dialer in-band
dialer map ip 172.18.170.151 name RouterB broadcast 4155551234
dialer map vines AAAAAAAA:0001 name RouterC broadcast 4155551212
dialer-group 1
ppp authentication chap
pulse-time 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
vines access-list 107 deny RTP 00000000:0000 FFFFFFFF:FFFF 00000000:0000 FFFFFFFF:FFFF
vines access-list 107 permit IP 00000000:0000 FFFFFFFF:FFFF 00000000:0000 FFFFFFFF:FFFF
!
dialer-list 1 protocol ip list 101
dialer-list 1 protocol vines list 107
DECnet Configuration Example
The following example configures a router for DECnet DDR with in-band dialing:
decnet routing 10.19
username RouterB password 7 030752180531
!
interface serial 0
no ip address
decnet cost 10
encapsulation ppp
dialer in-band
dialer map decnet 10.151 name RouterB broadcast 4155551212
dialer-group 1
ppp authentication chap
pulse-time 1
!
access-list 301 permit 10.0 0.1023 0.0 63.1023
dialer-list 1 protocol decnet list 301
ISO CLNS Configuration Example
The following example configures a router for International Organization for Standardization
Connectionless Network Service (ISO CLNS) DDR with in-band dialing:
username RouterB password 7 111C140B0E
clns net 47.0004.0001.0000.0c00.2222.00
clns routing
clns filter-set ddrline permit 47.0004.0001....
!
interface serial 0
no ip address
encapsulation ppp
dialer in-band
dialer map clns 47.0004.0001.0000.0c00.1111.00 name RouterB broadcast 1212
dialer-group 1
ppp authentication chap
clns enable
pulse-time 1
!
clns route default serial 0
dialer-list 1 protocol clns list ddrline
XNS Configuration Example
The following example configures a router for XNS DDR with in-band dialing. The access lists deny
broadcast traffic to any host on any network, but allow all other traffic.
xns routing 0000.0c01.d8dd
username RouterB password 7 111B210A0F
interface serial 0
no ip address
encapsulation ppp
xns network 10
dialer in-band
dialer map xns 10.0000.0c01.d877 name RouterB broadcast 4155551212
dialer-group 1
ppp authentication chap
pulse-time 1
access-list 400 deny -1 -1.ffff.ffff.ffff 0000.0000.0000
access-list 400 permit -1 10
dialer-list 1 protocol xns list 400
Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example
You can set up DDR to provide service to multiple remote sites. In a hub-and-spoke configuration, you
can use a generic configuration script to set up each remote connection. Figure 54 illustrates a typical
hub-and-spoke configuration.
Figure 54 Hub-and-Spoke DDR Configuration
The examples in the following sections show how to create this configuration.
Spoke Topology Configuration
The following commands are executed on the spoke side of the connection. (A different “spoke”
password must be specified for each remote client.) The configuration provides authentication by
identifying a password that must be provided on each end of the connection.
interface ethernet 0
ip address 172.30.44.1 255.255.255.0
!
interface async 7
async mode dedicated
async default ip address 172.19.45.1
ip address 172.30.45.2 255.255.255.0
encapsulation ppp
ppp authentication chap
dialer in-band
dialer map ip 172.30.45.1 name hub system-script hub 1234
dialer map ip 172.30.45.255 name hub system-script hub 1234
dialer-group 1
!
ip route 172.30.43.0 255.255.255.0 172.30.45.1
ip default-network 172.30.0.0
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
chat-script hub "" "" name: spoke1 word" PPP
dialer-list 1 protocol ip permit
!
username hub password
!
router igrp 109
network 172.30.0.0
passive-interface async 7
!
line 7
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
Hub Router Configuration
The following commands are executed on the local side of the connection—the hub router. The
commands configure the server for communication with three clients and provide authentication by
identifying a unique password for each “spoke” in the hub-and-spoke configuration.
interface ethernet 0
ip address 172.30.43.1 255.255.255.0
!
interface async 7
async mode interactive
async dynamic address
dialer rotary-group 1
!
interface async 8
async mode interactive
async dynamic address
dialer rotary-group 1
!
interface dialer 1
ip address 172.30.45.2 255.255.255.0
no ip split-horizon
encapsulation ppp
ppp authentication chap
dialer in-band
dialer map ip 172.30.45.2 name spoke1 3333
dialer map ip 172.30.45.2 name spoke2 4444
dialer map ip 172.30.45.2 name spoke3 5555
dialer map ip 172.30.45.255 name spoke1 3333
dialer map ip 172.30.45.255 name spoke2 4444
dialer map ip 172.30.45.255 name spoke3 5555
dialer-group 1
!
ip route 172.30.44.0 255.255.255.0 172.30.45.2
ip route 172.30.44.0 255.255.255.0 172.30.45.3
ip route 172.30.44.0 255.255.255.0 172.30.45.4
dialer-list 1 protocol ip list 101
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
!
username spoke1 password
username spoke2 password
username spoke3 password
username spoke1 autocommand ppp 172.30.45.2
username spoke2 autocommand ppp 172.30.45.3
username spoke3 autocommand ppp 172.30.45.4
!
router igrp 109
network 172.30.0.0
redistribute static
!
line 7
login tacacs
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
The redistribute static command can be used to advertise static route information for DDR applications.
Without this command, static routes to the hosts or network that the router can access with DDR will not
be advertised to other routers with which the router is communicating. This behavior can block
communication because some routes will not be known. See the redistribute static ip command,
described in the chapter “IP Routing Protocol-Independent Commands” in the Cisco IOS IP Command
Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
Single Site or Multiple Sites Dialing Configuration Example
The following example is based on the configuration shown in Figure 55; the router receives a packet
with a next hop address of 10.1.1.1.
Figure 55 Sample Dialer String or Dialer Map Configuration
If the interface on your router is configured to call a single site with phone number 5555555, it will send
the packet to that site, assuming that the next hop address 10.1.1.1 indicates the same remote device as
phone number 5555555. The dialer string command is used to specify the string (telephone number) to
be called.
interface serial 1
dialer in-band
dialer string 5555555
If the interface is configured to dial multiple sites, the interface or dialer rotary group must be configured
so that the correct phone number, 5555555, is mapped to the address 10.1.1.1. If this mapping is not
configured, the interface or dialer rotary group does not know what phone number to call to deliver the
packet to its correct destination, which is the address 10.1.1.1. In this way, a packet with a destination
of 10.2.2.2 will not be sent to 5555555. The dialer map command is used to map next hop addresses to
phone numbers.
interface serial 1
dialer in-band
dialer map ip 10.1.1.1 5555555
dialer map ip 10.2.2.2 6666666
Multiple Destinations Configuration Example
The following example shows how to specify multiple destination numbers to dial for outgoing calls:
interface serial 1
ip address 172.18.126.1 255.255.255.0
dialer in-band
dialer wait-for-carrier-time 100
pulse-time 1
dialer-group 1
dialer map ip 172.18.126.10 5558899
dialer map ip 172.18.126.15 5555555
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
dialer-list 1 protocol ip list 101
As in the “DDR Configuration in an IP Environment Example” section, a pulse time is assigned and a
dialer access group specified.
The first dialer map command specifies that the number 555-8899 is to be dialed for IP packets with a
next-hop-address value of 172.18.126.10. The second dialer map command then specifies that the
number 5555555 will be called when an IP packet with a next-hop-address value of 172.18.126.15 is
detected.
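The decision path these examples describe, written out as an added model (not code from the Cisco guide): the access list named by dialer-list decides whether a packet is "interesting", and only then does the dialer map (or the single dialer string) supply the number for its next hop. The ACL entries, next-hop addresses and phone numbers are the ones shown above; the Packet fields are constructed for the demonstration.

```python
"""Added example, not code from the Cisco guide: a small model of the legacy DDR
decision path shown in the configurations above. A packet is first matched
against the access list named by dialer-list (the "interesting" traffic); only an
interesting packet may bring up the link, and the dialer map (or a single dialer
string) then supplies the number to call for the packet's next-hop address."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional

ANY = ("0.0.0.0", "255.255.255.255")            # "any" in wildcard-mask form
BCAST_HOST = ("255.255.255.255", "0.0.0.0")      # "host 255.255.255.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask compare: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches every protocol; otherwise e.g. "igrp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


@dataclass
class Packet:
    protocol: str               # "ip", "igrp", "tcp", ...
    src: str
    dst: str
    next_hop: str               # next-hop address chosen by the routing table


# access-list 101 deny igrp any host 255.255.255.255
# access-list 101 permit ip any any
ACL_101: List[AclEntry] = [
    AclEntry("deny", "igrp", *ANY, *BCAST_HOST),
    AclEntry("permit", "ip", *ANY, *ANY),
]


def is_interesting(pkt: Packet, acl: List[AclEntry]) -> bool:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.protocol not in ("ip", pkt.protocol):
            continue
        if (wildcard_match(pkt.src, entry.src, entry.src_wc)
                and wildcard_match(pkt.dst, entry.dst, entry.dst_wc)):
            return entry.action == "permit"
    return False


@dataclass
class DialerInterface:
    """Either one dialer string (single site) or a dialer map keyed by next hop."""
    dialer_string: Optional[str] = None
    dialer_map: Dict[str, str] = field(default_factory=dict)


# Interfaces from the single-site, multiple-site and multiple-destination examples.
SINGLE_SITE = DialerInterface(dialer_string="5555555")
MULTI_SITE = DialerInterface(dialer_map={"10.1.1.1": "5555555", "10.2.2.2": "6666666"})
MULTI_DEST = DialerInterface(dialer_map={"172.18.126.10": "5558899",
                                         "172.18.126.15": "5555555"})


def number_to_dial(pkt: Packet, intf: DialerInterface,
                   acl: List[AclEntry]) -> Optional[str]:
    """Number DDR dials for this packet, or None when no call is placed
    (the packet is not interesting, or no dialer map covers its next hop)."""
    if not is_interesting(pkt, acl):
        return None                      # e.g. IGRP broadcasts never bring the link up
    if intf.dialer_string is not None:
        return intf.dialer_string        # every next hop is assumed to be that one site
    return intf.dialer_map.get(pkt.next_hop)
```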
Dialer Interfaces and Dialer Rotary Groups Example
The following configuration places serial interfaces 1 and 2 into dialer rotary group 1, defined by the
interface dialer 1 command:
! PPP encapsulation is enabled for interface dialer 1.
interface dialer 1
encapsulation ppp
dialer in-band
ip address 172.18.2.1 255.255.255.0
ip address 172.18.2.1 255.255.255.0 secondary
! The first dialer map command allows remote site YYY and the central site to
! call each other. The second dialer map command, with no dialer string, allows
! remote site ZZZ to call the central site but the central site cannot call
! remote site ZZZ (no phone number).
!
dialer map ip 172.18.2.5 name YYY 1415553434
dialer map ip 172.18.2.55 name ZZZ
!
! The DTR pulse signals for three seconds on the interfaces in dialer group 1.
! This holds the DTR low so the modem can recognize that DTR has been dropped.
pulse-time 3
! Serial interfaces 1 and 2 are placed in dialer rotary group 1. All the
! interface configuration commands (the encapsulation and dialer map commands
! shown earlier in this example) that applied to interface dialer 1 also apply
! to these interfaces.
interface serial 1
dialer rotary-group 1
interface serial 2
dialer rotary-group 1
DDR Configuration Using Dialer Interface and PPP Encapsulation Example
The following example shows a configuration for XXX, the local router shown in Figure 56. In this
example, remote Routers YYY and ZZZ can call Router XXX. Router XXX has dialing information only
for Router YYY and cannot call Router ZZZ.
Figure 56 DDR Configuration
Router XXX Configuration
username YYY password theirsystem
username ZZZ password thatsystem
! Create a dialer interface with PPP encapsulation and CHAP authentication.
interface dialer 1
ip address 172.18.2.1 255.255.255.0
ip address 172.24.4.1 255.255.255.0 secondary
encapsulation ppp
ppp authentication chap
dialer in-band
dialer-group 1
! The first dialer map command indicates that calls between the remote site
! YYY and the central site will be placed at either end. The second dialer
! map command, with no dialer string, indicates that remote site ZZZ will call
! the central site but the central site will not call out.
dialer map ip 172.18.2.5 name YYY 1415553434
dialer map ip 172.24.4.5 name ZZZ
! The DTR pulse holds the DTR low for three seconds, so the modem can recognize
! that DTR has been dropped.
pulse-time 3
!
! Place asynchronous serial interfaces 1 and 2 in dialer group 1. The interface commands
! applied to dialer group 1 (for example, PPP encapsulation and CHAP) apply to these
! interfaces.
!
interface async 1
dialer rotary-group 1
interface async 2
dialer rotary-group 1
Two-Way DDR with Authentication Example
You can set up two-way DDR with authentication in which both the client and server have dial-in access
to each other. This configuration is demonstrated in the following two subsections.
[Figure: router with dialer interface 1 (172.18.1.1) and dialer interface 2 (172.25.1.1), dialer rotary groups 1 and 2, and serial interfaces 1 through 6]
Remote Configuration
The following commands are executed on the remote side of the connection. This configuration provides
authentication by identifying a password that must be provided on each end of the connection.
username local password secret1
username remote password secret2
!
interface ethernet 0
ip address 172.30.44.1 255.255.255.0
!
interface async 7
ip address 172.30.45.2 255.255.255.0
async mode dedicated
async default ip address 172.30.45.1
encapsulation ppp
dialer in-band
dialer string 1234
dialer-group 1
!
ip route 172.30.43.0 255.255.255.0 async 7
ip default-network 172.30.0.0
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
dialer-list 1 protocol ip permit
!
line 7
no exec
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
Local Configuration
The following commands are executed on the local side of the connection. As with the remote side
configuration, this configuration provides authentication by identifying a password for each end of the
connection.
username remote password secret1
username local password secret2
!
interface ethernet 0
ip address 172.30.43.1 255.255.255.0
!
interface async 7
async mode dedicated
async default ip address 172.30.45.2
dialer rotary-group 1
!
interface async 8
async mode dedicated
async default ip address 172.30.45.2
dialer rotary-group 1
!
interface dialer 1
ip address 172.30.45.2 255.255.255.0
encapsulation ppp
ppp authentication chap
dialer in-band
dialer map ip 172.30.45.2 name remote 4321
dialer load-threshold 80
!
ip route 172.30.44.0 255.255.255.0 172.30.45.2
chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT
!
router igrp 109
network 172.30.0.0
redistribute static
passive-interface async 7
!
line 7
modem InOut
speed 38400
flowcontrol hardware
modem chat-script generic
Frame Relay Support Examples
The examples in this section present various combinations of interfaces, Frame Relay features, and DDR
features.
Frame Relay Access with In-Band Dialing and Static Mapping
The following example configures a router for IP over Frame Relay using in-band dialing. A Frame
Relay static map is used to associate the next hop protocol address to the DLCI. The dialer string allows
dialing to only one destination.
interface Serial0
ip address 10.1.1.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 10.1.1.2 100 broadcast
dialer in-band
dialer string 4155551212
dialer-group 1
!
access-list 101 deny igrp any host 255.255.255.255
access-list 101 permit ip any any
!
dialer-list 1 protocol ip list 101
Frame Relay Access with ISDN Dialing and DDR Dynamic Maps
The following example shows a BRI interface configured for Frame Relay and for IP, Internet Protocol
Exchange (IPX), and AppleTalk routing. No static maps are defined because this setup relies on Frame
Relay Local Management Interface (LMI) signaling and Inverse ARP to determine the network
address-to-DLCI mappings dynamically. (Because Frame Relay Inverse ARP is enabled by default, no
command is required.)
interface BRI0
ip address 10.1.1.1 255.255.255.0
ipx network 100
appletalk cable-range 100-100 100.1
appletalk zone ISDN
no appletalk send-rtmps
encapsulation frame-relay IETF
dialer map ip 10.1.1.2 broadcast 4155551212
dialer map apple 100.2 broadcast 4155551212
dialer map ipx 100.0000.0c05.33ed broadcast 4085551234
dialer-group 1
!
access-list 101 deny igrp any host 255.255.255.255
access-list 101 permit ip any any
access-list 901 deny -1 FFFFFFFF 452
access-list 901 deny -1 FFFFFFFF 453
access-list 901 deny -1 FFFFFFFF 457
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 452
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 453
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 457
access-list 901 permit -1
access-list 601 permit cable-range 100-100 broadcast-deny
access-list 601 deny other-access
!
dialer-list 1 protocol ip list 101
dialer-list 1 protocol novell list 901
dialer-list 1 protocol apple list 601
Frame Relay Access with ISDN Dialing and Subinterfaces
The following example shows a BRI interface configured for Frame Relay and for IP, IPX, and
AppleTalk routing. Two logical subnets are used; a point-to-point subinterface and a multipoint
subinterface are configured. Frame Relay Annex A (LMI type Q933a) and Inverse ARP are used for
dynamic routing.
interface BRI0
no ip address
encapsulation frame-relay
dialer string 4155551212
dialer-group 1
frame-relay lmi-type q933a
!
interface BRI0.1 multipoint
ip address 10.1.100.1 255.255.255.0
ipx network 100
appletalk cable-range 100-100 100.1
appletalk zone ISDN
no appletalk send-rtmps
frame-relay interface-dlci 100
frame-relay interface-dlci 110
frame-relay interface-dlci 120
!
interface BRI0.2 point-to-point
ip address 10.1.200.1 255.255.255.0
ipx network 200
appletalk cable-range 200-200 200.1
appletalk zone ISDN
no appletalk send-rtmps
frame-relay interface-dlci 200 broadcast IETF
!
access-list 101 deny igrp any host 255.255.255.255
access-list 101 permit ip any any
access-list 901 deny -1 FFFFFFFF 452
access-list 901 deny -1 FFFFFFFF 453
access-list 901 deny -1 FFFFFFFF 457
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 452
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 453
access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 457
access-list 901 permit -1
access-list 601 permit cable-range 100-100 broadcast-deny
access-list 601 permit cable-range 200-200 broadcast-deny
access-list 601 deny other-access
dialer-list 1 protocol ip list 101
dialer-list 1 protocol novell list 901
dialer-list 1 protocol apple list 601
X.25 Support Configuration Example
The following example configures a router to support X.25 and DTR dialing:
interface serial 0
ip address 172.18.170.19 255.255.255.0
encapsulation x25
x25 address 12345
x25 map ip 172.18.171.20 67890 broadcast
dialer dtr
dialer-group 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
dialer-list 1 protocol ip list 101
LAPB Support Configuration Example
The following example configures a router for LAPB encapsulation and in-band dialing:
interface serial 0
ip address 172.18.170.19 255.255.255.0
encapsulation lapb
dialer in-band
dialer string 4155551212
dialer-group 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
dialer-list 1 protocol ip list 101
Configuring Peer-to-Peer DDR with Dialer Profiles
This chapter describes how to configure the Cisco IOS software for the Dialer Profiles feature
implementation of dial-on-demand routing (DDR). It includes the following main sections:
• Dialer Profiles Overview
• How to Configure Dialer Profiles
• Monitoring and Maintaining Dialer Profile Connections
• Configuration Examples Dialer Profiles
For information about preparations for configuring dialer profiles, see the chapter “Preparing to
Configure DDR” in this publication.
The Dialer Profiles feature is contrasted with legacy DDR. For information about legacy DDR, see the
other chapters in the “Dial-on-Demand Routing” part of this publication.
For information about dial backup using dialer profiles, see the chapter “Configuring Dial Backup with
Dialer Profiles” in this publication.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
Dialer Profiles Overview
Dialer profiles allow the configuration of physical interfaces to be separated from the logical
configuration required for a call, and they also allow the logical and physical configurations to be bound
together dynamically on a per-call basis.
A dialer profile consists of the following elements:
• A dialer interface (a logical entity) configuration including one or more dial strings (each of which
is used to reach one destination subnetwork)
• A dialer map class that defines all the characteristics for any call to the specified dial string
• An ordered dialer pool of physical interfaces to be used by the dialer interface
Note Dialer profiles support most routed protocols; however, International Organization for
Standardization Connectionless Network Service (ISO CLNS) is not supported.
New Dialer Profile Model
In earlier releases of the Cisco IOS software, dialer profiles in the same dialer pool needed
encapsulation-specific configuration information entered under both the dialer profile interface and the
ISDN interface. If any conflict arose between the logical and the physical interfaces, the dialer profile
failed to work.
In the new dialer profile model introduced by the Dynamic Multiple Encapsulations feature in Cisco IOS
Release 12.1, the configuration on the ISDN interface is ignored and only the configuration on the profile
interface is used, unless PPP name binding is used. Before a successful bind by CLID occurs, no
encapsulation type and configuration are assumed or taken from the physical interfaces.
When PPP is used and a caller identification (CLID) bind fails, a dialer profile still can be matched by
PPP name authentication. In the new dialer profile model, multiple attempts are made to find a matching
profile.
The dialer profile software binds an incoming call on a physical dialer interface according to the
following events, and in the order listed:
1. There is only one dialer profile configured to use the pool of which the physical interface is a
member; this condition is the default bind. The physical interface must be a member of only this
one pool. A default bind is possible only to a dialer profile when there are no dialer caller or dialer
called commands configured on that profile.
2. The CLID matches what is configured in a dialer caller command on a dialer profile using a pool
of which the physical interface is a member.
3. The DNIS that is presented matches what is configured in a dialer called command on a dialer
profile using a pool of which the physical interface is a member.
4. If a bind has not yet occurred but the physical interface is configured for PPP encapsulation and
CHAP or PAP authentication, and the CHAP or PAP name presented matches a dialer remote-name
command configuration on a dialer profile using a pool of which the physical interface is a member,
then the dialer profile software binds to that dialer profile.
If none of the above events are successful, the call is not answered. The call is also disconnected during
any of the first three events when, after the bind occurs and the physical interface is configured for PPP
encapsulation and CHAP or PAP authentication, the CHAP or PAP name presented does not match what
is configured in a dialer remote-name command on the dialer profile that was bound to the call.
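The bind order just listed, as an added model that is not code from the Cisco guide: the four events are tried in sequence, and a bind from the first three is still torn down when the CHAP/PAP name presented does not match the bound profile's dialer remote-name. Profile names, pool numbers, calling/called numbers and PPP names are constructed for the demonstration.

```python
"""Added example, not code from the Cisco guide: a model of the order in which
the dialer profile software binds an incoming call (default bind, CLID, DNIS,
then PPP name) and of the disconnect that follows when the PPP name presented
does not match the bound profile's dialer remote-name."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class DialerProfile:
    name: str
    pool: int                                        # dialer pool <number>
    callers: Set[str] = field(default_factory=set)   # dialer caller <CLID>
    called: Set[str] = field(default_factory=set)    # dialer called <DNIS>
    remote_name: Optional[str] = None                # dialer remote-name <name>


@dataclass
class PhysicalInterface:
    name: str
    pools: Set[int]                  # dialer pool-member <number> ...
    ppp_auth: bool = False           # encapsulation ppp + ppp authentication chap|pap


@dataclass
class Call:
    clid: Optional[str] = None       # calling number presented by the network
    dnis: Optional[str] = None       # called number presented by the network
    ppp_name: Optional[str] = None   # CHAP/PAP name, if PPP runs on the link


@dataclass
class BindResult:
    profile: Optional[str]           # bound profile, or None
    reason: str                      # which event produced the bind
    answered: bool                   # False: call not answered or disconnected


def bind_incoming(call: Call, phys: PhysicalInterface,
                  profiles: List[DialerProfile]) -> BindResult:
    # Only profiles that use a pool this interface is a member of are candidates.
    candidates = [p for p in profiles if p.pool in phys.pools]
    chosen: Optional[DialerProfile] = None
    reason = ""

    # 1. Default bind: interface in exactly one pool, exactly one profile uses
    #    that pool, and the profile has no dialer caller / dialer called commands.
    if (len(phys.pools) == 1 and len(candidates) == 1
            and not candidates[0].callers and not candidates[0].called):
        chosen, reason = candidates[0], "default"

    # 2. CLID matches a dialer caller entry.
    if chosen is None and call.clid:
        chosen = next((p for p in candidates if call.clid in p.callers), None)
        reason = "clid"

    # 3. DNIS matches a dialer called entry.
    if chosen is None and call.dnis:
        chosen = next((p for p in candidates if call.dnis in p.called), None)
        reason = "dnis"

    # 4. PPP name matches a dialer remote-name; the interface must run PPP
    #    with CHAP or PAP for this event to apply.
    if chosen is None and phys.ppp_auth and call.ppp_name:
        chosen = next((p for p in candidates
                       if p.remote_name == call.ppp_name), None)
        reason = "ppp-name"

    if chosen is None:
        return BindResult(None, "no-match", False)      # call is not answered

    # After a bind from events 1-3, a PPP name that does not match the bound
    # profile's dialer remote-name disconnects the call.
    if (reason != "ppp-name" and phys.ppp_auth and chosen.remote_name
            and call.ppp_name != chosen.remote_name):
        return BindResult(chosen.name, reason + "/name-mismatch", False)
    return BindResult(chosen.name, reason, True)


# Constructed topology: two profiles share pool 1; one profile alone uses pool 2.
PROFILES = [
    DialerProfile("Dialer1", pool=1, callers={"4155551212"}, remote_name="YYY"),
    DialerProfile("Dialer2", pool=1, called={"5551000"}, remote_name="ZZZ"),
    DialerProfile("Dialer3", pool=2),
]
BRI0 = PhysicalInterface("BRI0", pools={1}, ppp_auth=True)
BRI1 = PhysicalInterface("BRI1", pools={2})
```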
PPP encapsulation on an ISDN link is different from other encapsulation types because it runs on the B
channel rather than the dialer profile interface. There are two possible configuration sources in a profile
bind: the D and the dialer profile interfaces. Hence, a configuration conflict between the sources is
possible. If a successful bind is accomplished by name authentication, the configuration used to bring
PPP up is the one on the D interface. This is the name used to locate a dialer profile for the bind. The
configuration on an ISDN interface goes under the D rather than a B channel, although B channels inherit
the configuration from their D interface.
However, the configuration on this found dialer profile could be different from the one on the
D interface. For example, the ppp multilink command is configured on the D interface, but not on the
dialer profile interface. The actual per-user configuration is the one on the dialer profile interface. In this
case, per-user configuration is not achieved unless link control protocol (LCP) and authentication are
renegotiated. Because PPP client software often does not accept renegotiation, this workaround is not
acceptable. Therefore, the D interface configuration takes precedence over the dialer profile interface
configuration. This is the only case where the configuration of the dialer profile is overruled.
Dialer Interface
A dialer interface configuration includes all settings needed to reach a specific destination subnetwork
(and any networks reached through it). Multiple dial strings can be specified for the same dialer
interface, each dial string being associated with a different dialer map class.
Dialer Map Class
The dialer map class defines all the characteristics for any call to the specified dial string. For example,
the map class for one destination might specify a 56-kbps ISDN speed; the map class for a different
destination might specify a 64-kbps ISDN speed.
Dialer Pool
Each dialer interface uses a dialer pool, a pool of physical interfaces ordered on the basis of the priority
assigned to each physical interface. A physical interface can belong to multiple dialer pools, contention
being resolved by priority. ISDN BRI and PRI interfaces can set a limit on the minimum and maximum
number of B channels reserved by any dialer pools. A channel reserved by a dialer pool remains idle until
traffic is directed to the pool.
When dialer profiles are used to configure DDR, a physical interface has no configuration settings except
encapsulation and the dialer pools to which the interface belongs.
Note The preceding paragraph has one exception: commands that apply before authentication is complete
must be configured on the physical (or BRI or PRI) interface and not on the dialer profile. Dialer
profiles do not copy PPP authentication commands (or LCP commands) to the physical interface.
Figure 57 shows a typical application of dialer profiles. Router A has dialer interface 1 for DDR with
subnetwork 10.1.1.0, and dialer interface 2 for DDR with subnetwork 10.2.2.0. The IP address for dialer
interface 1 is its address as a node in network 10.1.1.0; at the same time, that IP address serves as the IP
address of the physical interfaces used by the dialer interface 1. Similarly, the IP address for dialer
interface 2 is its address as a node in network 10.2.2.0.
Figure 57 Typical Dialer Profiles Application
A dialer interface uses only one dialer pool. A physical interface, however, can be a member of one or
many dialer pools, and a dialer pool can have several physical interfaces as members.
Figure 58 illustrates the relations among the concepts of dialer interface, dialer pool, and physical
interfaces. Dialer interface 0 uses dialer pool 2. Physical interface BRI 1 belongs to dialer pool 2 and
has a specific priority in the pool. Physical interface BRI 2 also belongs to dialer pool 2. Because
contention is resolved on the basis of priority levels of the physical interfaces in the pool, BRI 1 and
BRI 2 must be assigned different priorities in the pool. Perhaps BRI 1 is assigned priority 50 and BRI 2
is assigned priority 100 in dialer pool 2 (a priority of 100 is higher than a priority of 50). BRI 2 has a
higher priority in the pool, and its calls will be placed first.
Figure 58 Relations Among Dialer Interfaces, Dialer Pools, and Physical Interfaces
[Figure 57: Router A has dialer interface 1 for subnetwork 10.1.1.0 (Router B, through which networks 3, 4 and 5 are reached) and dialer interface 2 for subnetwork 10.2.2.0 (Router C, through which networks 6, 7 and 8 are reached)]
[Figure 58: dialer interfaces 0, 1 and 2 use dialer pools 1, 2 and 3, whose members are the physical interfaces BRI 0 through BRI 3]
How to Configure Dialer Profiles
To configure dialer profiles, perform the task in the following section:
• Configuring a Dialer Profile (Required)
The following tasks can be configured whether you use legacy DDR or dialer profiles. Perform these
tasks as needed for your network:
• Configuring Dialer Profiles for Routed Protocols (As required)
• Configuring Dialer Profiles for Transparent Bridging (As required)
See the “Verifying the Dynamic Multiple Encapsulations Feature” section later in this chapter for tips
on verifying that the feature is running in your network. See the “Configuration Examples Dialer
Profiles” section at the end of this chapter for comprehensive configuration examples.
Configuring a Dialer Profile
To configure a dialer profile, perform the tasks in the following sections as required:
• Configuring a Dialer Interface (Required)
• Fancy Queueing and Traffic Shaping on Dialer Profile Interfaces (Optional)
• Configuring a Map Class (Optional)
• Configuring the Physical Interfaces (Required)
Configuring a Dialer Interface
Any number of dialer interfaces can be created for a router. Each dialer interface is the complete
configuration for a destination subnetwork and any networks reached through it. The router on the
destination subnetwork sends traffic on to the appropriate shadowed networks.
To configure a dialer interface, use the following commands beginning in global configuration mode:
Command / Purpose
Step 1  Router(config)# interface dialer number
        Creates a dialer interface and begins interface configuration mode.
Step 2  Router(config-if)# ip address address mask
        Specifies the IP address and mask of the dialer interface as a node in the destination network to be called.
Step 3  Router(config-if)# encapsulation type
        Specifies the encapsulation type.
Step 4  Router(config-if)# dialer string dial-string class class-name
        Specifies the remote destination to call and the map class that defines characteristics for calls to this destination.
Step 5  Router(config-if)# dialer pool number
        Specifies the dialing pool to use for calls to this destination.
Step 6  Router(config-if)# dialer-group group-number
        Assigns the dialer interface to a dialer group.
Step 7  Router(config-if)# dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number}
        Specifies an access list by list number or by protocol and list number to define the “interesting” packets that can trigger a call.
Fancy Queueing and Traffic Shaping on Dialer Profile Interfaces
In earlier releases of the Cisco IOS software, fancy queueing and traffic shaping were configured under
the physical interfaces, so the same queueing or traffic shaping scheme had to be applied to all users
sharing the same ISDN link.
Beginning in Cisco IOS Release 12.1, you need only configure the queueing and traffic shaping schemes
you want on the dialer profile interface; that configuration takes precedence over any configured on the
ISDN B-channel interface. All the per-user encapsulation configuration has been moved to the dialer
profile interfaces, separating it from the hardware interfaces so that it can be bound dynamically and so
that per-user queueing and traffic shaping configuration is possible.
Note Per-user fancy queueing and traffic shaping work with both process switching and fast switching in
the new dialer profile model. However, Frame Relay Traffic Shaping (FRTS) is not supported on the
new dialer profile model.
See the chapter “Policing and Shaping Overview” in the Cisco IOS Quality of Service Solutions
Configuration Guide for more information about FRTS.
Configuring a Map Class
Map-class configuration is optional but allows you to specify different characteristics for different types
of calls on a per-call-destination basis. For example, you can specify higher priority and a lower
wait-for-carrier time for an ISDN-calls map class than for a modem-calls map class. You can also specify
a different speed for some ISDN calls than for other ISDN calls.
A specific map class is tied to a specific call destination by the use of the map-class name in the
dialer-string command with the class keyword.
To specify a map class and define its characteristics, use the following commands beginning in global
configuration mode:
Command / Purpose
Step 1  Router(config)# map-class dialer classname
        Specifies a map class and begins map-class configuration mode.
Step 2  Router(config-map-class)# dialer fast-idle seconds
        Specifies the fast idle timer value.
Step 3  Router(config-map-class)# dialer idle-timeout seconds [inbound | either]
        Specifies the duration of idle time in seconds after which a line will be disconnected.
        By default, outbound traffic will reset the dialer idle timer. Adding the either keyword causes both
        inbound and outbound traffic to reset the timer; adding the inbound keyword causes only inbound
        traffic to reset the timer.
Step 4  Router(config-map-class)# dialer wait-for-carrier-time seconds
        Specifies the length of time to wait for a carrier when dialing out to the dial string associated with
        the map class.
Step 5  Router(config-map-class)# dialer isdn [speed speed] [spc]
        For ISDN only, specifies the bit rate used on the B channel associated with a specified map class or
        specifies that an ISDN semipermanent connection is to be used for calls associated with this map.
Note The dialer idle-timeout interface configuration command specifies the duration of time before an
idle connection is disconnected. Previously, both inbound and outbound traffic would reset the dialer
idle timer; now you can specify that only inbound traffic will reset the dialer idle timer.
Configuring the Physical Interfaces
To configure a physical interface, use the following commands beginning in global configuration mode:
Command / Purpose
Step 1  Router(config)# interface type number
        Specifies the physical interface and begins interface configuration mode.
Step 2  Router(config-if)# encapsulation ppp
        Enables PPP encapsulation.
Step 3  Router(config-if)# ppp authentication chap
        Specifies PPP Challenge Handshake Authentication Protocol (CHAP) authentication, if you also want
        to receive calls on this interface.
Step 4  Router(config-if)# dialer pool-member number [priority priority]
        or
        Router(config-if)# dialer pool-member number [priority priority] [min-link minimum] [max-link maximum]
        Places the interface in a dialing pool and, optionally, assigns the interface a priority.
        For ISDN interfaces, you may also specify the minimum number of channels reserved and maximum
        number of channels used on this interface.
        The minimum value applies to outgoing calls only, and specifies the number of channels or interfaces
        reserved for dial out in that dialer pool; the channels remain idle when no calls are active. The
        maximum value applies to both incoming and outgoing calls and sets the total number of connections
        for a particular dialer pool member.
Step 5  Router(config-if)# dialer pool-member number [priority priority]
        or
        Router(config-if)# dialer pool-member number [priority priority] [min-link minimum] [max-link maximum]
        (Optional) Repeat Step 4 if you want to put the interface in additional dialing pools.
Repeat this procedure for additional physical interfaces that you want to use with dialer profiles.
Configuring Dialer Profiles for Routed Protocols
Both legacy DDR and dialer profiles support the following routed protocols: AppleTalk, Banyan VINES,
DECnet, IP, Novell Internet Protocol Exchange (IPX), and Xerox Network System (XNS). To configure
dialer profiles for a routed protocol, perform the tasks in the relevant section:
• Configuring Dialer Profiles for AppleTalk (As required)
• Configuring Dialer Profiles for Banyan VINES (As required)
• Configuring Dialer Profiles for DECnet (As required)
Configuring Peer-to-Peer DDR with Dialer Profiles
How to Configure Dialer Profiles
DC-428
Cisco IOS Dial Technologies Configuration Guide
• Configuring Dialer Profiles for IP (As required)
• Configuring Dialer Profiles for Novell IPX (As required)
• Configuring XNS over DDR (As required)
Configuring Dialer Profiles for AppleTalk
To configure dialer profiles for AppleTalk, you specify AppleTalk access lists and then configure the
dialer interface for dialer profiles, defining the dialer list to be used. Use the dialer-list protocol
command to define permit or deny conditions for the entire protocol; for a finer granularity, use the
dialer-list protocol command with the list keyword. See the section “Configuring a Dialer Interface”
earlier in this chapter for more information about defining dialer lists.
Configuring Dialer Profiles for Banyan VINES
To configure DDR for Banyan VINES, use one of the following commands in global configuration mode:
Command Purpose
Router(config)# vines access-list access-list-number {permit | deny} source source-mask
        Specifies a VINES standard access list.
or
Router(config)# vines access-list access-list-number {permit | deny} source source-mask [destination] [destination-mask]
        Specifies a VINES extended access list.
After you specify VINES standard or extended access lists, configure the dialer interface for dialer profiles, defining the dialer list to be used. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. See the section “Configuring a Dialer Interface” earlier in this chapter for more information about defining dialer lists.
Note The Banyan VINES neighbor command is not supported for Link Access Procedure, Balanced (LAPB) and X.25 encapsulations.
Configuring Dialer Profiles for DECnet
To configure dial-on-demand routing (DDR) for DECnet, use one of the following commands in global configuration mode:
Command Purpose
Router(config)# access-list access-list-number {permit | deny} source source-mask
        Specifies a DECnet standard access list.
or
Router(config)# access-list access-list-number {permit | deny} source source-mask [destination] [destination-mask]
        Specifies a DECnet extended access list.
After you specify DECnet standard or extended access lists, configure the dialer interface for dialer
profiles, defining the dialer list to be used. Use the dialer-list protocol command to define permit or
deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with
the list keyword. See the section “Configuring a Dialer Interface” earlier in this chapter for more
information about defining dialer lists.
You classify DECnet control packets, including hello packets and routing updates, using one or more of
the following commands: dialer-list protocol decnet_router-L1 permit, dialer-list protocol
decnet_router-L2 permit, and dialer-list protocol decnet_node permit.
Configuring Dialer Profiles for IP
To configure DDR for IP, use one of the following commands in global configuration mode:
Command Purpose
Router(config)# access-list access-list-number {deny | permit} source [source-mask]
        Specifies an IP standard access list.
or
Router(config)# access-list access-list-number {deny | permit} protocol source source-mask destination destination-mask [operator operand]
        Specifies an IP extended access list.
You can now also use simplified IP access lists that use the any keyword instead of the numeric forms of source and destination addresses and masks. Other forms of IP access lists are also available. For more information, see the chapter “IP Services Commands” in the Cisco IOS IP Command Reference.
To use dynamic routing where multiple remote sites communicate with each other through a central site, you might need to disable the IP split horizon feature. Split horizon applies to Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP), and Enhanced IGRP. Depending on which routing protocol is configured, see the chapter “Configuring RIP,” “Configuring IGRP,” or “Configuring Enhanced IGRP” in this publication. Refer to the chapter “Configuring IP Routing Protocols” in the Cisco IOS IP Configuration Guide for more information.
Configuring Dialer Profiles for Novell IPX
On DDR links for Novell IPX, the link may come up often even when all client sessions are idle because the server sends watchdog or keepalive packets to all the clients approximately every 5 minutes. You can configure a local router or access server to idle out the DDR link and respond to the watchdog packets on behalf of the clients.
To modify the dialer profiles dialer interface configuration for Novell IPX, use the following commands in interface configuration mode:
Command Purpose
Step 1  Router(config-if)# no ipx route-cache
        Disables fast switching for IPX.
Step 2  Router(config-if)# ipx watchdog-spoof
        Enables IPX watchdog spoofing.
        or
        Router(config-if)# ipx spx-spoof
        Enables Sequenced Packet Exchange (SPX) keepalive spoofing.
Step 3  Router(config-if)# ipx spx-idle-time delay-in-seconds
        Sets the idle time after which SPX keepalive spoofing begins.
Configuring XNS over DDR
To configure XNS for DDR, use one of the following commands in global configuration mode:
Command Purpose
Router(config)# access-list access-list-number {deny | permit} source-network[.source-address [source-address-mask]] [destination-network[.destination-address [destination-address-mask]]]
        Specifies a standard XNS access list.
or
Router(config)# access-list access-list-number {deny | permit} protocol [source-network[.source-host [source-network-mask.]source-host-mask] source-socket [destination-network [.destination-host [destination-network-mask.destination-host-mask] destination-socket[/pep]]]
        Specifies an extended XNS access list.
After you specify an XNS access list, configure the dialer interface for dialer profiles, defining the dialer list to be used. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. See the section “Configuring a Dialer Interface” earlier in this chapter for more information about defining dialer lists.
Configuring Dialer Profiles for Transparent Bridging
The Cisco IOS software supports transparent bridging over both legacy DDR and dialer profiles, and it provides you some flexibility in controlling access and configuring the interface.
To configure dialer profiles for bridging, perform the tasks in the following sections:
• Defining the Protocols to Bridge (Required)
• Specifying the Bridging Protocol (Required)
• Controlling Access for Bridging (Required)
• Configuring an Interface for Bridging (Required)
Defining the Protocols to Bridge
IP packets are routed by default unless they are explicitly bridged; all others are bridged by default unless they are explicitly routed. To bridge IP packets, use the following command in global configuration mode:
Command Purpose
Router(config)# no ip routing
        Disables IP routing.
If you choose not to bridge another protocol, use the relevant command to enable routing of that protocol. For more information about tasks and commands, refer to the relevant chapter in the appropriate network protocol configuration guide, such as the Cisco IOS AppleTalk and Novell IPX Configuration Guide.
Specifying the Bridging Protocol
You must specify the type of spanning-tree bridging protocol to use and also identify a bridge group. To specify the spanning-tree protocol and a bridge group number, use the following command in global configuration mode:
Command Purpose
Router(config)# bridge bridge-group protocol {ieee | dec}
        Defines the type of spanning-tree protocol and identifies a bridge group.
The bridge-group number is used when you configure the interface and assign it to a bridge group. Packets are bridged only among members of the same bridge group.
Controlling Access for Bridging
You can control access by defining any transparent bridge packet as interesting, or you can use the finer granularity of controlling access by Ethernet type codes. To control access for DDR bridging, perform one of the following tasks:
• Permitting All Bridge Packets
• Controlling Bridging Access by Ethernet Type Codes
Note Spanning-tree bridge protocol data units (BPDUs) are always treated as uninteresting.
Permitting All Bridge Packets
To identify all transparent bridge packets as interesting, use the following command in global configuration mode:
Command Purpose
Router(config)# dialer-list dialer-group protocol bridge permit
        Defines a dialer list that treats all transparent bridge packets as interesting.
Controlling Bridging Access by Ethernet Type Codes
To control access by Ethernet type codes, use the following commands in global configuration mode:
Command Purpose
Step 1  Router(config)# access-list access-list-number {permit | deny} type-code [mask]
        Identifies interesting packets by Ethernet type codes (access list numbers must be in the range 200 to 299).
Step 2  Router(config)# dialer-list dialer-group protocol bridge list access-list-number
        Defines a dialer list for the specified access list.
For a table of some common Ethernet type codes, see the “Ethernet Type Codes” appendix in the Cisco IOS Bridging and IBM Networking Command Reference.
Configuring an Interface for Bridging
You can use serial interfaces or ISDN interfaces for DDR bridging. To configure an interface for DDR bridging, complete all the tasks in the following sections:
• Specifying the Interface (Required)
• Configuring the Destination (Required)
• Assigning the Interface to a Bridge Group (Required)
Specifying the Interface
To specify the interface and enter interface configuration mode, use the following command in global configuration mode:
Command Purpose
Router(config)# interface type number
        Specifies the serial or ISDN interface and enters interface configuration mode.
Configuring the Destination
You can configure the destination by specifying either of the following:
• A dial string—for unauthenticated calls to a single site
• A dialer bridge map—when you want to use authentication
To configure the destination for bridging over a specified interface, use the following command in interface configuration mode:
Command Purpose
Router(config-if)# dialer string dial-string
        Configures the dial string to call.
Note You can define only one dialer bridge map for the interface. If you enter a different bridge map, the previous one is replaced immediately.
Assigning the Interface to a Bridge Group
Packets are bridged only among interfaces that belong to the same bridge group. To assign an interface to a bridge group, use the following command in interface configuration mode:
Command Purpose
Router(config-if)# bridge-group bridge-group
        Assigns the specified interface to a bridge group.
Monitoring and Maintaining Dialer Profile Connections
To monitor DDR dialer profile connections, use any of the following commands in privileged EXEC mode:
Command Purpose
Router# show dialer interface
        Displays information for the interfaces configured for DDR dialer profiles.
Router# show interfaces type number
        Displays statistics for configured interfaces. The output varies, depending on the network for which an interface has been configured.
Router# show ipx interface [type number]
        Displays status about the IPX interface.
Router# show ipx traffic
        Displays information about the IPX packets sent by the router or access server, including watchdog counters.
Router# show appletalk traffic
        Displays information about the AppleTalk packets sent by the router or access server.
Router# show vines traffic
        Displays information about the Banyan VINES packets sent by the router or access server.
Router# show decnet traffic
        Displays information about the DECnet packets sent by the router or access server.
Router# show xns traffic
        Displays information about the XNS packets sent by the router or access server.
Router# clear dialer
        Clears the values of the general diagnostic statistics.
Configuration Examples Dialer Profiles
The following sections provide three comprehensive configuration examples:
• Dialer Profile with Inbound Traffic Filter Example
• Dialer Profile for Central Site with Multiple Remote Sites Example
• Dialer Profile for ISDN BRI Backing Up Two Leased Lines Example
• Dynamic Multiple Encapsulations over ISDN Example
Dialer Profile with Inbound Traffic Filter Example
The following example shows a Cisco 5200 series router that has enabled the dialer idle-timeout
command with the inbound keyword. This command allows only inbound traffic that conforms to the
dialer list to establish a connection and reset the dialer idle timer.
interface Serial0:23
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1 max-link 2
isdn switch-type primary-5ess
no cdp enable
ppp authentication chap
!
interface Dialer0
ip address 10.1.1.2 255.255.255.0
no ip directed-broadcast
encapsulation ppp
dialer remote-name 2610-2
dialer idle-timeout 30 inbound
dialer string 2481301
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap
ppp multilink
!
access-list 101 permit icmp any any
access-list 101 deny ip any any
dialer-list 1 protocol ip list 101
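The interaction between the dialer list, the access list and the inbound keyword is easier to see when replayed against traffic. The following Python model is an added example, not Cisco code or part of this guide: it parses a constructed excerpt of the configuration above, classifies packets as interesting through dialer-list 1 and access-list 101, and tracks when the idle timer is reset and when the link is dropped, both with and without the inbound keyword. Only the any and host address forms of an access list entry are modelled, and the packets and their timestamps are constructed for the illustration.

```python
"""Interesting-traffic classification and dialer idle-timer replay (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the Dialer0 profile and its dialer list shown above.
CONFIG = """
interface Dialer0
 dialer idle-timeout 30 inbound
 dialer-group 1
!
access-list 101 permit icmp any any
access-list 101 deny ip any any
dialer-list 1 protocol ip list 101
"""


@dataclass(frozen=True)
class Ace:
    action: str  # permit | deny
    proto: str   # ip, icmp, tcp, ...
    src: str     # "any" or "host A.B.C.D" (only these two forms are modelled)
    dst: str


@dataclass
class DialerConfig:
    idle_timeout: Optional[int] = None
    inbound_only: bool = False
    dialer_group: Optional[int] = None
    acls: Dict[int, List[Ace]] = field(default_factory=dict)
    # dialer-list number -> (protocol, permit/deny or None, access-list number or None)
    dialer_lists: Dict[int, Tuple[str, Optional[str], Optional[int]]] = field(default_factory=dict)


def parse(config: str) -> DialerConfig:
    cfg = DialerConfig()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"dialer idle-timeout (\d+)( inbound)?", line):
            cfg.idle_timeout = int(m.group(1))
            cfg.inbound_only = m.group(2) is not None
        elif m := re.fullmatch(r"dialer-group (\d+)", line):
            cfg.dialer_group = int(m.group(1))
        elif m := re.fullmatch(r"access-list (\d+) (permit|deny) (\S+) (any|host \S+) (any|host \S+)", line):
            cfg.acls.setdefault(int(m.group(1)), []).append(Ace(m.group(2), m.group(3), m.group(4), m.group(5)))
        elif m := re.fullmatch(r"dialer-list (\d+) protocol (\S+) (?:(permit|deny)|list (\d+))", line):
            cfg.dialer_lists[int(m.group(1))] = (m.group(2), m.group(3), int(m.group(4)) if m.group(4) else None)
    return cfg


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == f"host {addr}"


def acl_permits(aces: List[Ace], proto: str, src: str, dst: str) -> bool:
    for ace in aces:  # the first matching entry decides
        if ace.proto in ("ip", proto) and _addr_match(ace.src, src) and _addr_match(ace.dst, dst):
            return ace.action == "permit"
    return False      # implicit deny at the end of every access list


def is_interesting(cfg: DialerConfig, proto: str, src: str, dst: str) -> bool:
    """Interesting traffic is whatever the interface's dialer list permits (IP only in this model)."""
    entry = cfg.dialer_lists.get(cfg.dialer_group)
    if entry is None or entry[0] != "ip":
        return False
    _proto, action, acl = entry
    if acl is None:
        return action == "permit"
    return acl_permits(cfg.acls.get(acl, []), proto, src, dst)


@dataclass(frozen=True)
class Packet:
    t: int          # seconds since the link came up
    direction: str  # "in" or "out"
    proto: str
    src: str
    dst: str


def simulate(cfg: DialerConfig, packets: List[Packet]) -> Tuple[List[int], int]:
    """Replay packets over an up link; return the idle-timer reset times and the drop time."""
    resets: List[int] = []
    last_reset = 0
    for p in sorted(packets, key=lambda p: p.t):
        if p.t - last_reset >= cfg.idle_timeout:
            break  # the timer already expired before this packet; it would have to redial
        if is_interesting(cfg, p.proto, p.src, p.dst) and (p.direction == "in" or not cfg.inbound_only):
            resets.append(p.t)
            last_reset = p.t
    return resets, last_reset + cfg.idle_timeout


# Constructed traffic: interesting ICMP in both directions plus an uninteresting TCP packet.
PACKETS = [
    Packet(10, "in", "icmp", "10.1.1.1", "10.1.1.2"),
    Packet(25, "out", "icmp", "10.1.1.2", "10.1.1.1"),
    Packet(35, "in", "tcp", "10.1.1.1", "10.1.1.2"),
    Packet(60, "in", "icmp", "10.1.1.1", "10.1.1.2"),
]

if __name__ == "__main__":
    print("with inbound keyword:   ", simulate(parse(CONFIG), PACKETS))
    print("without inbound keyword:", simulate(parse(CONFIG.replace("30 inbound", "30"), ), PACKETS))
```

With the inbound keyword only the packet at t=10 resets the timer and the link drops at t=40; without it the outbound ICMP packet at t=25 also counts and the link stays up until t=55. The TCP packet never resets the timer in either case because access-list 101 denies it.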
Dialer Profile for Central Site with Multiple Remote Sites Example
The following example shows a central site that can place or receive calls from three remote sites over
four ISDN BRI lines. Each remote site is on a different IP subnet and has different bandwidth
requirements; therefore, three dialer interfaces and three dialer pools are defined.
! This is a dialer profile for reaching remote subnetwork 10.1.1.1.
interface Dialer1
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer remote-name Smalluser
dialer string 4540
dialer pool 3
dialer-group 1
! This is a dialer profile for reaching remote subnetwork 10.2.2.2.
interface Dialer2
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name Mediumuser
dialer string 5264540 class Eng
dialer load-threshold 50 either
dialer pool 1
dialer-group 2
! This is a dialer profile for reaching remote subnetwork 10.3.3.3.
interface Dialer3
ip address 10.3.3.3 255.255.255.0
encapsulation ppp
dialer remote-name Poweruser
dialer string 4156884540 class Eng
dialer hold-queue 10
dialer load-threshold 80
dialer pool 2
dialer-group 2
! This map class ensures that these calls use an ISDN speed of 56 kbps.
map-class dialer Eng
isdn speed 56
interface BRI0
encapsulation PPP
! BRI 0 has a higher priority than BRI 1 in dialer pool 1.
dialer pool-member 1 priority 100
ppp authentication chap
interface BRI1
encapsulation ppp
dialer pool-member 1 priority 50
dialer pool-member 2 priority 50
! BRI 1 has a reserved channel in dialer pool 3; the channel remains inactive
! until BRI 1 uses it to place calls.
dialer pool-member 3 min-link 1
ppp authentication chap
interface BRI2
encapsulation ppp
! BRI 2 has a higher priority than BRI 1 in dialer pool 2.
dialer pool-member 2 priority 100
ppp authentication chap
interface BRI3
encapsulation ppp
! BRI 3 has the highest priority in dialer pool 2.
dialer pool-member 2 priority 150
ppp authentication chap
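The priority, min-link and max-link rules given for the dialer pool-member command earlier in this chapter decide which BRI places a call for each pool. The following Python model is an added example, not Cisco code or part of this guide: it encodes those rules (highest priority wins; min-link channels stay idle for other pools and incoming calls; max-link caps a member's total of incoming plus outgoing connections) and exercises them with the pool memberships of the central-site example just above. The default priority of 0, the two channels per BRI and the first-match tie handling are assumptions of the model.

```python
"""Dial-out interface selection for dialer pools (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PoolMember:
    """One 'dialer pool-member' line on a physical interface."""
    interface: str
    pool: int
    priority: int = 0               # higher wins for dial-out (assumption: default priority 0)
    min_link: int = 0               # channels reserved for dial-out in this pool (outgoing only)
    max_link: Optional[int] = None  # total in+out connections this membership may hold
    channels: int = 2               # B channels on the interface; 2 for a BRI (constructed default)


# Active-call bookkeeping (constructed for the model):
#   outgoing[(interface, pool)] -> outgoing calls placed through that membership
#   incoming[interface]         -> incoming calls terminated on the interface
Outgoing = Dict[Tuple[str, int], int]
Incoming = Dict[str, int]


def _used_channels(iface: str, outgoing: Outgoing, incoming: Incoming) -> int:
    out = sum(n for (i, _pool), n in outgoing.items() if i == iface)
    return out + incoming.get(iface, 0)


def _idle_reservations(members: List[PoolMember], iface: str,
                       pool: Optional[int], outgoing: Outgoing) -> int:
    """Channels other pools hold idle on this interface under their min-link.
    With pool=None every pool's reservation counts (used for incoming calls)."""
    held = 0
    for m in members:
        if m.interface == iface and m.pool != pool:
            held += max(0, m.min_link - outgoing.get((iface, m.pool), 0))
    return held


def _exceeds_max_link(m: PoolMember, outgoing: Outgoing, incoming: Incoming) -> bool:
    if m.max_link is None:
        return False
    # max-link counts both incoming and outgoing connections of the member
    return outgoing.get((m.interface, m.pool), 0) + incoming.get(m.interface, 0) >= m.max_link


def can_dial_out(m: PoolMember, members: List[PoolMember],
                 outgoing: Outgoing, incoming: Incoming) -> bool:
    free = (m.channels - _used_channels(m.interface, outgoing, incoming)
            - _idle_reservations(members, m.interface, m.pool, outgoing))
    return free > 0 and not _exceeds_max_link(m, outgoing, incoming)


def select_for_dial_out(pool: int, members: List[PoolMember],
                        outgoing: Outgoing, incoming: Incoming) -> Optional[str]:
    """Pick the highest-priority member of the pool that still has a usable channel."""
    candidates = [m for m in members
                  if m.pool == pool and can_dial_out(m, members, outgoing, incoming)]
    if not candidates:
        return None
    return max(candidates, key=lambda m: m.priority).interface


def can_accept_incoming(iface: str, members: List[PoolMember],
                        outgoing: Outgoing, incoming: Incoming) -> bool:
    """An incoming call may not take a channel a pool reserved with min-link,
    and must stay within every max-link configured on the interface."""
    mine = [m for m in members if m.interface == iface]
    if not mine:
        return False
    free = (mine[0].channels - _used_channels(iface, outgoing, incoming)
            - _idle_reservations(members, iface, None, outgoing))
    return free > 0 and not any(_exceeds_max_link(m, outgoing, incoming) for m in mine)


# Pool memberships of the central-site example (BRI0 to BRI3) above.
CENTRAL_SITE = [
    PoolMember("BRI0", pool=1, priority=100),
    PoolMember("BRI1", pool=1, priority=50),
    PoolMember("BRI1", pool=2, priority=50),
    PoolMember("BRI1", pool=3, min_link=1),
    PoolMember("BRI2", pool=2, priority=100),
    PoolMember("BRI3", pool=2, priority=150),
]

if __name__ == "__main__":
    for pool in (1, 2, 3):
        print(f"pool {pool}: dial out on {select_for_dial_out(pool, CENTRAL_SITE, {}, {})}")
```

With nothing active, pool 1 dials on BRI0, pool 2 on BRI3 and pool 3 on BRI1. Once BRI0 is full and BRI1 has one pool-1 call up, pool 1 gets no interface at all, because BRI1's remaining channel is held idle for pool 3 by min-link 1; that same reservation is why BRI1 refuses a second incoming call while one is already up.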
Dialer Profile for ISDN BRI Backing Up Two Leased Lines Example
The following example shows the configuration of a site that backs up two leased lines using one BRI.
Two dialer interfaces are defined. Each serial (leased line) interface is configured to use one of the dialer
interfaces as a backup. Both of the dialer interfaces use BRI 0, and BRI 0 is a member of the two dialer
pools. Thus, BRI 0 can back up two different serial interfaces and can make calls to two different sites.
interface dialer0
ip unnumbered loopback0
encapsulation ppp
dialer remote-name Remote0
dialer pool 1
dialer string 5551212
dialer-group 1
interface dialer1
ip unnumbered loopback0
encapsulation ppp
dialer remote-name Remote1
dialer pool 2
dialer string 5551234
dialer-group 1
interface bri 0
encapsulation PPP
dialer pool-member 1
dialer pool-member 2
ppp authentication chap
interface serial 0
ip unnumbered loopback0
backup interface dialer0
backup delay 5 10
interface serial 1
ip unnumbered loopback0
backup interface dialer1
backup delay 5 10
Dynamic Multiple Encapsulations over ISDN Example
The following example shows a network access server named NAS1 with dialer profiles and LAPB,
X.25, and PPP encapsulations configured. Although the BRI0 D interface uses X.25 encapsulation, the
actual encapsulations running over the ISDN B channels are determined by the encapsulations
configured on the profile interfaces bound to them.
When an ISDN B channel connects to remote user RU2 using CLID 60043, Dialer1 is bound to this
ISDN B channel by CLID binding. The protocol used is PPP; the X.25 configuration on the
D interface has no effect. Because the ppp authentication chap command is configured, even though
the binding is done by CLID, PPP authentication is still performed over the name RU2 before the
protocol is allowed to proceed.
The Dialer2 interface uses DNIS-plus-ISDN-subaddress binding and is bound to a B channel with an
incoming call with DNIS 60045 and ISDN subaddress 12345. Also note that the High-Level Data Link
Control (HDLC) encapsulation has no username associated. It is no longer necessary to configure the
dialer remote-name command, as in the previous dialer profile model.
When there is an ISDN B-channel connection to remote user RU1 using CLID 60036, LAPB
encapsulation will run on this connection once CLID binding to Dialer0 takes place. This connection
will operate as a standalone link independent of other activities over other ISDN B channels.
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service udp-small-servers
service tcp-small-servers
!
virtual-profile virtual-template 1
virtual-profile aaa
!
hostname NAS1
!
aaa new-model
aaa authentication ppp default radius
aaa authorization network radius
enable secret 5 $1$0Ced$YYJJl2p8f94lc/.JSgw8n1
enable password 7 153D19270D2E
!
username RU1 password 7 11260B2E1E16
username RU2 password 7 09635C221001
no ip domain-lookup
ip domain-name cisco.com
ip name-server 192.168.30.32
ip name-server 172.16.2.132
isdn switch-type basic-5ess
!
interface Virtual-Template 1
encapsulation ppp
ppp authentication chap
!
interface Ethernet0
ip address 172.21.17.11 255.255.255.0
no ip mroute-cache
no cdp enable
!
interface Serial0
ip address 10.2.2.1 255.0.0.0
shutdown
clock rate 56000
ppp authentication chap
!
interface Serial1
ip address 10.0.0.1 255.0.0.0
shutdown
!
interface BRI0
description PBX 60035
no ip address
encapsulation x25
no ip mroute-cache
no keepalive
dialer pool-member 1
dialer pool-member 2
!
interface Dialer0
ip address 10.1.1.1 255.0.0.0
encapsulation lapb dce multi
no ip route-cache
no ip mroute-cache
no keepalive
dialer remote-name RU1
dialer idle-timeout 300
dialer string 60036
dialer caller 60036
dialer pool 1
dialer-group 1
no fair-queue
!
interface Dialer1
ip address 10.1.1.1 255.0.0.0
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer remote-name RU2
dialer string 60043
dialer caller 60043
dialer pool 2
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap
!
interface Dialer2
ip address 10.1.1.1 255.0.0.0
encapsulation hdlc
dialer called 60045:12345
dialer pool 1
dialer-group 1
fair-queue
!
radius-server host 172.19.61.87
radius-server key foobar
snmp-server community public RO
!
line con 0
exec-timeout 0 0
line aux 0
transport input all
line vty 0 4
password 7 10611B320C13
login
!
end
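The binding rules described for NAS1 (CLID binding for Dialer0 and Dialer1, DNIS-plus-subaddress binding for Dialer2, and the encapsulation and authentication taken from the bound profile rather than from the BRI0 D channel) can be modelled directly. The following Python code is an added example, not Cisco code or part of this guide: it parses a constructed excerpt of the NAS1 configuration above and resolves an incoming call to a profile. First match in configuration order, the requirement that the profile's pool contain the physical interface, and returning no binding when nothing matches are assumptions of the model; the guide does not state the precedence between binding types.

```python
"""Dialer profile binding by CLID or DNIS:subaddress (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt of the NAS1 configuration shown above.
NAS1_EXCERPT = """
interface BRI0
 description PBX 60035
 encapsulation x25
 dialer pool-member 1
 dialer pool-member 2
!
interface Dialer0
 encapsulation lapb dce multi
 dialer remote-name RU1
 dialer caller 60036
 dialer pool 1
!
interface Dialer1
 encapsulation ppp
 dialer remote-name RU2
 dialer caller 60043
 dialer pool 2
 ppp authentication chap
!
interface Dialer2
 encapsulation hdlc
 dialer called 60045:12345
 dialer pool 1
"""


@dataclass
class Profile:
    name: str
    encapsulation: str = "hdlc"   # assumed default when no encapsulation line is present
    pool: Optional[int] = None
    caller: Optional[str] = None  # dialer caller <CLID>
    called: Optional[str] = None  # dialer called <DNIS>[:subaddress]
    remote_name: Optional[str] = None
    ppp_chap: bool = False


@dataclass
class Physical:
    name: str
    encapsulation: str = "hdlc"
    pools: List[int] = field(default_factory=list)


def parse(config: str) -> Tuple[List[Profile], List[Physical]]:
    profiles: List[Profile] = []
    physicals: List[Physical] = []
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (Dialer\d+)", line):
            cur = Profile(m.group(1))
            profiles.append(cur)
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = Physical(m.group(1))
            physicals.append(cur)
        elif cur is None or line in ("", "!"):
            continue
        elif m := re.fullmatch(r"encapsulation (\S+)(?: .*)?", line):
            cur.encapsulation = m.group(1)
        elif isinstance(cur, Profile):
            if m := re.fullmatch(r"dialer pool (\d+)", line):
                cur.pool = int(m.group(1))
            elif m := re.fullmatch(r"dialer caller (\S+)", line):
                cur.caller = m.group(1)
            elif m := re.fullmatch(r"dialer called (\S+)", line):
                cur.called = m.group(1)
            elif m := re.fullmatch(r"dialer remote-name (\S+)", line):
                cur.remote_name = m.group(1)
            elif line == "ppp authentication chap":
                cur.ppp_chap = True
        elif m := re.fullmatch(r"dialer pool-member (\d+).*", line):
            cur.pools.append(int(m.group(1)))
    return profiles, physicals


@dataclass(frozen=True)
class Call:
    physical: str
    clid: Optional[str] = None
    dnis: Optional[str] = None
    subaddress: Optional[str] = None


@dataclass(frozen=True)
class Binding:
    profile: str
    encapsulation: str          # taken from the profile, never from the D channel
    chap_required: bool         # a PPP profile with 'ppp authentication chap' still authenticates
    remote_name: Optional[str]


def bind(call: Call, profiles: List[Profile], physicals: List[Physical]) -> Optional[Binding]:
    phys = next((p for p in physicals if p.name == call.physical), None)
    if phys is None:
        return None
    dnis_key = f"{call.dnis}:{call.subaddress}" if call.subaddress else call.dnis
    for prof in profiles:  # assumption: first match in configuration order wins
        if prof.pool not in phys.pools:
            continue       # the profile must draw on a pool this interface belongs to
        if (prof.caller and prof.caller == call.clid) or (prof.called and prof.called == dnis_key):
            return Binding(prof.name, prof.encapsulation,
                           prof.encapsulation == "ppp" and prof.ppp_chap, prof.remote_name)
    return None


if __name__ == "__main__":
    profiles, physicals = parse(NAS1_EXCERPT)
    for call in (Call("BRI0", clid="60036"), Call("BRI0", clid="60043"),
                 Call("BRI0", dnis="60045", subaddress="12345")):
        print(call, "->", bind(call, profiles, physicals))
```

A call from CLID 60036 binds to Dialer0 and runs LAPB; one from CLID 60043 binds to Dialer1, runs PPP and must still pass CHAP as RU2; a call to DNIS 60045 with subaddress 12345 binds to Dialer2 and runs HDLC with no username. A call to DNIS 60045 without the subaddress matches nothing, as does an unknown CLID, and BRI0's own X.25 encapsulation never appears in a binding.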
Verifying the Dynamic Multiple Encapsulations Feature
To see statistics on each physical interface bound to the dialer interface, and to verify dialer interfaces
configured for binding, use the show interfaces EXEC command. Look for the reports “Bound to:” and
“Interface is bound to...” while remembering that this feature applies only to ISDN.
Router# show interfaces dialer0
Dialer0 is up, line protocol is up
Hardware is Unknown
Internet address is 10.1.1.2/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set
DTR is pulsed for 1 seconds on reset
Interface is bound to BRI0:1
Last input 00:00:38, output never, output hang never
Last clearing of “show interface” counters 00:05:36
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38 packets input, 4659 bytes
34 packets output, 9952 bytes
Bound to:
BRI0:1 is up, line protocol is up
Hardware is BRI
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive not set
Interface is bound to Dialer0 (Encapsulation PPP)
LCP Open, multilink Open
Last input 00:00:39, output 00:00:11, output hang never
Last clearing of “show interface” counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
78 packets input, 9317 bytes, 0 no buffer
Received 65 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
93 packets output, 9864 bytes, 0 underruns
0 output errors, 0 collisions, 7 interface resets
0 output buffer failures, 0 output buffers swapped out
4 carrier transitions
At the end of the Dialer0 display, the show interfaces command is executed on each physical interface
bound to it.
In the next example, the physical interface is the B1 channel of the BRI0 link. This example also
illustrates that the output under the B channel keeps all hardware counts that are not displayed under any
logical or virtual access interface. The line in the report that states “Interface is bound to Dialer0
(Encapsulation LAPB)” indicates that this B interface is bound to the dialer 0 interface and that the
encapsulation running over this connection is LAPB, not PPP, which is the encapsulation configured on
the D interface and inherited by the B channel.
Router# show interfaces bri0:1
BRI0:1 is up, line protocol is up
Hardware is BRI
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive not set
Interface is bound to Dialer0 (Encapsulation LAPB)
LCP Open, multilink Open
Last input 00:00:31, output 00:00:03, output hang never
Last clearing of “show interface” counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 1 packets/sec
110 packets input, 13994 bytes, 0 no buffer
Received 91 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
135 packets output, 14175 bytes, 0 underruns
0 output errors, 0 collisions, 12 interface resets
0 output buffer failures, 0 output buffers swapped out
8 carrier transitions
Any protocol configuration and states should be displayed from the dialer 0 interface.
Configuring Snapshot Routing
This chapter describes how to configure snapshot routing. It includes the following main sections:
• Snapshot Routing Overview
• How to Configure Snapshot Routing
• Monitoring and Maintaining DDR Connections and Snapshot Routing
• Configuration Examples for Snapshot Routing
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the snapshot routing commands mentioned in this chapter, refer to the
Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
Snapshot Routing Overview
Snapshot routing enables a single router interface to call other routers during periods when the line
protocol for the interface is up (these are called “active periods”). The router dials in to all configured
locations during such active periods to get routes from all the remote locations.
The router can be configured to exchange routing updates each time the line protocol goes from “down”
to “up” or from “dialer spoofing” to “fully up.” The router can also be configured to dial the server router
in the absence of regular traffic if the active period time expires.
Snapshot routing is useful in two common situations:
• Configuring static routes for dial-on-demand routing (DDR) interfaces
• Reducing the overhead of periodic updates sent by routing protocols to remote branch offices over
a dedicated serial line
When configuring snapshot routing, you choose one router on the interface to be the client router and
one or more other routers to be server routers. The client router determines the frequency at which
routing information is exchanged between routers.
Routing information is exchanged during an active period. During the active period, a client router dials
all the remote server routers for which it has a snapshot dialer map defined in order to get routes from
all the remote locations. The server router provides information about routes to each client router that
calls.
At the end of the active period, the router takes a snapshot of the entries in the routing table. These entries
remain frozen during a quiet period. At the end of the quiet period, another active period starts during
which routing information is again exchanged; see Figure 59.
Figure 59 Active and Quiet Periods in Snapshot Routing
When the router makes the transition from the quiet period to the active period, the line might not be
available for a variety of reasons. For example, the line might be down or busy, or the permanent virtual
circuit (PVC) might be down. If this happens, the router has to wait through another entire quiet period
before it can update its routing table entries. This wait might be a problem if the quiet period is very
long—for example, 12 hours. To avoid the need to wait through the quiet period, you can configure a
retry period. If the line is not available when the quiet period ends, the router waits for the amount of
time specified by the retry period and then makes the transition to an active period. See Figure 60.
Figure 60 Retry Period in Snapshot Routing
The retry period is also useful in a dialup environment in which there are more remote sites than router
interface lines that dial in to a PRI and want routing information from that interface. For example, a PRI
has 23 DS0s available, but you might have 46 remote sites. In this situation, you would have more dialer
map commands than available lines. The router will try the dialer map commands in order and will use
the retry time for the lines that it cannot immediately access.
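The sequence of active, quiet and retry periods described above can be laid out as a small state machine. The following Python code is an added example, not Cisco code or part of this guide: it takes the client's active time, quiet time and optional retry period together with a function saying whether the line is available at a given minute, and returns the periods the router goes through, so that the effect of a retry period on the next routing exchange after an outage can be compared with waiting through another whole quiet period. Times in minutes, the first active period starting at t=0, retry_time=0 meaning no retry period, and the constructed outage window are assumptions of the model.

```python
"""Snapshot routing period timeline with and without a retry period (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

Period = Tuple[str, int, int]  # (kind, start, end) in minutes


@dataclass(frozen=True)
class SnapshotTimers:
    active_time: int      # 'snapshot client active-time ...'
    quiet_time: int       # 'snapshot client ... quiet-time'
    retry_time: int = 0   # 0 means no retry period is configured (model assumption)


def schedule(timers: SnapshotTimers, line_up: Callable[[int], bool], horizon: int) -> List[Period]:
    """Return, in order, every period that starts before 'horizon'."""
    periods: List[Period] = []
    t = 0
    while t < horizon:
        periods.append(("active", t, t + timers.active_time))
        t += timers.active_time
        periods.append(("quiet", t, t + timers.quiet_time))
        t += timers.quiet_time
        # The next active period can only start once the line is available.
        while t < horizon and not line_up(t):
            if timers.retry_time:
                periods.append(("retry", t, t + timers.retry_time))
                t += timers.retry_time
            else:
                # Without a retry period the router waits through another entire quiet period.
                periods.append(("quiet", t, t + timers.quiet_time))
                t += timers.quiet_time
    return [p for p in periods if p[1] < horizon]


def exchange_times(periods: List[Period]) -> List[int]:
    """Start times of the active periods, i.e. when routing updates are exchanged."""
    return [start for kind, start, _end in periods if kind == "active"]


def line_with_outage(t: int) -> bool:
    """Constructed availability: the line is down from minute 65 up to (not including) minute 85."""
    return not (65 <= t < 85)


if __name__ == "__main__":
    with_retry = SnapshotTimers(active_time=5, quiet_time=60, retry_time=10)
    without = SnapshotTimers(active_time=5, quiet_time=60)
    print("retry period:   ", exchange_times(schedule(with_retry, line_with_outage, 200)))
    print("no retry period:", exchange_times(schedule(without, line_with_outage, 200)))
```

With a 10-minute retry period the router finds the line down at minute 65, retries at 75 and 85, and exchanges routes at minute 85; without one it waits through a second 60-minute quiet period and does not exchange routes until minute 125.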
The following routed protocols support snapshot routing. Note that these are all distance-vector
protocols.
• AppleTalk—Routing Table Maintenance Protocol (RTMP)
• Banyan VINES—Routing Table Protocol (RTP)
• IP—Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP)
• Internet Protocol Exchange (IPX)—RIP, Service Advertisement Protocol (SAP)
How to Configure Snapshot Routing
To configure snapshot routing, perform the tasks in the following sections:
• Configuring the Client Router (Required)
• Configuring the Server Router (Required)
Active
period
Active
period Quiet period
S3105
Time (minutes)
Active
period
Active
period Quiet period
Time (minutes)
S3106
Active
period
Retry
period
Configuring Snapshot Routing
How to Configure Snapshot Routing
DC-443
Cisco IOS Dial Technologies Configuration Guide
You can also monitor and maintain interfaces configured for snapshot routing. For tips on maintaining
your network with snapshot routing, see the section “Monitoring and Maintaining DDR Connections and
Snapshot Routing” later in this chapter.
For an example of configuring snapshot routing, see the section “Configuration Examples for Snapshot
Routing” at the end of this chapter.
Configuring the Client Router
To configure snapshot routing on the client router that is connected to a dedicated serial line, use the
following commands beginning in global configuration mode:

        Command                                                        Purpose
Step 1  Router(config)# interface serial number                        Specifies a serial interface.
Step 2  Router(config-if)# snapshot client active-time quiet-time
        [suppress-statechange-updates] [dialer]                        Configures the client router.

To configure snapshot routing on the client router that is connected to an interface configured for DDR,
use the following commands beginning in global configuration mode:

        Command                                                        Purpose
Step 1  Router(config)# interface serial number                        Specifies a serial interface.
Step 2  Router(config-if)# dialer rotary-group number                  Configures a dialer rotary group.
Step 3  Router(config-if)# interface dialer number                     Specifies a dialer interface.
Step 4  Router(config-if)# snapshot client active-time quiet-time
        [suppress-statechange-updates] [dialer]                        Configures the client router.
Step 5  Router(config-if)# dialer map snapshot sequence-number dial-string
                                                                       Defines a dialer map.

Repeat these steps for each map you want to define. Maps must be provided for all the remote server
routers that this client router is to call during each active period.

Because ISDN BRI and PRI automatically have rotary groups, you need not define a rotary group when
configuring snapshot routing.

To configure snapshot routing on the client router over an interface configured for BRI or PRI, use the
following commands beginning in global configuration mode:

        Command                                                        Purpose
Step 1  Router(config)# interface bri number                           Specifies a BRI interface.
Step 2  Router(config-if)# snapshot client active-time quiet-time
        [suppress-statechange-updates] [dialer]                        Configures the client router.
Step 3  Router(config-if)# dialer map snapshot sequence-number dial-string
                                                                       Defines a dialer map.
Configuring the Server Router
To configure snapshot routing on the server router that is connected to a dedicated serial line, use the
following commands beginning in global configuration mode:

        Command                                                  Purpose
Step 1  Router(config)# interface serial number                  Specifies a serial interface.
Step 2  Router(config-if)# snapshot server active-time [dialer]  Configures the server router.

To configure snapshot routing on the associated server router that is connected to an interface configured
for DDR, use the following commands beginning in global configuration mode:

        Command                                                  Purpose
Step 1  Router(config)# interface serial number                  Specifies a serial interface.
Step 2  Router(config-if)# interface dialer number               Specifies a dialer interface.
Step 3  Router(config-if)# snapshot server active-time [dialer]  Configures the server router.

The active period for the client router and its associated server routers should be the same.

Monitoring and Maintaining DDR Connections and Snapshot Routing
To monitor DDR connections and snapshot routing, use any of the following commands in privileged
EXEC mode:

Command                                                Purpose
Router# show dialer [interface type number]            Displays general diagnostics about the DDR interface.
Router# show interfaces bri 0                          Displays information about the ISDN interface.
Router# clear snapshot quiet-time interface            Terminates the snapshot routing quiet period on the client
                                                       router within 2 minutes.
Router# show snapshot [type number]                    Displays information about snapshot routing parameters.
Router# clear dialer                                   Clears the values of the general diagnostic statistics.

Configuration Examples for Snapshot Routing
The following example configures snapshot routing on an interface configured for DDR on the client
router. In this configuration, a single client router can call multiple server routers. The client router dials
all of the different locations during each active period to get routes from all those remote locations.
The absence of the suppress-statechange-updates keyword means that routing updates will be
exchanged each time the line protocol goes from “down” to “up” or from “dialer spoofing” to “fully up.”
The dialer keyword on the snapshot client command allows the client router to dial the server router in
the absence of regular traffic if the active period time expires.
interface serial 0
dialer rotary-group 3
!
interface dialer 3
dialer in-band
snapshot client 5 360 dialer
dialer map snapshot 2 4155556734
dialer map snapshot 3 7075558990
The following example configures the server router:
interface serial 2
snapshot server 5 dialer
Dial-Backup Configuration
Configuring Dial Backup for Serial Lines
This chapter describes how to configure the primary interface to use the dial backup interface. It includes
the following main sections:
• Backup Serial Interface Overview
• How to Configure Dial Backup
• Configuration Examples for Dial Backup for Serial Interfaces
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the dial backup commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
Backup Serial Interface Overview
For a backup serial interface, an external DCE device, such as a modem attached to a circuit-switched
service, must be connected to the backup serial interface. The external device must be capable of
responding to a data terminal ready (DTR) Active signal by automatically dialing the preconfigured
telephone number of the remote site.
A backup interface is an interface that stays idle until certain circumstances occur; then it is activated.
A backup interface for a serial interface can be an ISDN interface or a different serial interface. A backup
interface can be configured to be activated when any of the following three circumstances occurs:
• The primary line goes down.
• The load on the primary line reaches a certain threshold.
• The load on the primary line exceeds a specified threshold.
To configure a dial backup to a serial interface, you must configure the interface to use the dial backup
interface, specify the conditions in which the backup interface will be activated, and then configure the
dial-backup interface for dial-on-demand routing (DDR). The DDR configuration specifies the
conditions and destinations for dial calls. The serial interface (often called the primary interface) might
be configured for DDR or for Frame Relay or X.25 over a leased line, but the backup tasks are the same
in all three cases.
Note Dial backup is also available using the Dialer Watch feature. Dialer Watch is based on routing
characteristics instead of relying exclusively on interesting traffic conditions. For information about
Dialer Watch, see the chapter “Configuring Dial Backup Using Dialer Watch” in this publication.
To configure a backup interface for a serial interface based on one of the conditions listed, complete the
following general steps:
• Specify the interface and configure it as needed (for DDR, Frame Relay, or X.25). You can also
specify and configure a Frame Relay subinterface.
Refer to the chapters “Configuring Frame Relay” or “Configuring X.25” in the Cisco IOS Wide-Area
Networking Configuration Guide. In this publication, see the chapter “Configuring Synchronous
Serial Ports” and related chapters in the “Dial-on-Demand Routing” part for details.
• Configure the primary interface or subinterface by specifying the dial backup interface and the
conditions for activating the backup interface, as described in this chapter.
• Configure the backup interface for DDR, as described in the “Dial-on-Demand Routing” part of this
publication.
See the chapters “Configuring Legacy DDR Spokes” (for point-to-point legacy DDR connections) or
“Configuring Legacy DDR Hubs” (for point-to-multipoint legacy DDR connections) in this publication.
If you have configured dialer profiles instead of legacy DDR, see the chapter “Configuring Dial Backup
with Dialer Profiles” in this publication for backup information.
How to Configure Dial Backup
You must decide whether to activate the backup interface when the primary line goes down, when the
traffic load on the primary line exceeds the defined threshold, or both. The tasks you perform depend on
your decision. Perform the tasks in the following sections to configure dial backup:
• Specifying the Backup Interface (Optional)
• Defining the Traffic Load Threshold (Optional)
• Defining Backup Line Delays (Optional)
Then configure the backup interface for DDR, so that calls are placed as needed. See the chapters in the
“Dial-on-Demand Routing” part of this publication for more information.
For simple configuration examples, see the section “Configuration Examples for Dial Backup for Serial
Interfaces” at the end of this chapter.
Specifying the Backup Interface
To specify a backup interface for a primary serial interface or subinterface, use one of the following
commands in interface configuration mode:

Command                                                          Purpose
Router(config-if)# backup interface type number                  Selects a backup interface.
or, on Cisco 7500 series routers:
Router(config-if)# backup interface type slot/port
or, on Cisco 7200 series routers:
Router(config-if)# backup interface type slot/port-adapter/port

Note When you enter the backup interface command, the configured physical or logical interface will be
forced to standby mode. When you use a BRI for a dial backup (with Legacy DDR), neither of the B
channels can be used because the physical BRI interface is in standby mode. However, with dialer profiles,
only the logical dialer interface is placed in standby mode and the physical interface (BRI) still can be
used for other connections by making it a member of another pool.

When configured for legacy DDR, the backup interface can back up only one interface. For examples of
selecting a backup line, see the sections “Dial Backup Using an Asynchronous Interface Example” and
“Dial Backup Using DDR and ISDN Example” later in this chapter.

Defining the Traffic Load Threshold
You can configure dial backup to activate the secondary line based on the traffic load on the primary line.
The software monitors the traffic load and computes a 5-minute moving average. If this average exceeds
the value you set for the line, the secondary line is activated and, depending upon how the line is
configured, some or all of the traffic will flow onto the secondary dialup line.

To define how much traffic should be handled at one time on an interface, use the following command
in interface configuration mode:

Command                                                          Purpose
Router(config-if)# backup load {enable-threshold | never}        Defines the traffic load threshold as a percentage of the
{disable-load | never}                                           available bandwidth of the primary line.
Defining Backup Line Delays
You can configure a value that defines how much time should elapse before a secondary line status
changes after a primary line status has changed. You can define two delays:
• A delay that applies after the primary line goes down but before the secondary line is activated
• A delay that applies after the primary line comes up but before the secondary line is deactivated
To define these delays, use the following command in interface configuration mode:

Command                                                          Purpose
Router(config-if)# backup delay {enable-delay | never}           Defines backup line delays.
{disable-delay | never}

For examples of how to define backup line delays, see the sections “Dial Backup Using an Asynchronous
Interface Example” and “Dial Backup Using DDR and ISDN Example” at the end of this chapter.

Configuration Examples for Dial Backup for Serial Interfaces
The following sections present examples of specifying the backup interface:
• Dial Backup Using an Asynchronous Interface Example
• Dial Backup Using DDR and ISDN Example
The following sections present examples of backup interfaces configured to be activated in three
different circumstances:
• The load on the primary line reaches a certain threshold.
• The load on the primary line exceeds a specified threshold.
• The primary line goes down.

Dial Backup Using an Asynchronous Interface Example
The following is an example for dial backup using asynchronous interface 1, which is configured for
DDR:
interface serial 0
ip address 172.30.3.4 255.255.255.0
backup interface async 1
backup delay 10 10
!
interface async 1
ip address 172.30.3.5 255.255.255.0
dialer in-band
dialer string 5551212
dialer-group 1
async dynamic routing
!
dialer-list 1 protocol ip permit
chat-script sillyman "" "atdt 5551212" TIMEOUT 60 "CONNECT"
!
line 1
modem chat-script sillyman
modem inout
speed 9600
Dial Backup Using DDR and ISDN Example
The following example shows how to use an ISDN interface to back up a serial interface.
Note When you use a BRI interface for dial backup, neither of the B channels can be used while the
interface is in standby mode.
Interface BRI 0 is configured to make outgoing calls to one number. This is a legacy DDR spoke
example.
interface serial 1
backup delay 0 0
backup interface bri 0
ip address 10.2.3.4 255.255.255.0
!
interface bri 0
ip address 10.2.3.5 255.255.255.0
dialer string 5551212
dialer-group 1
!
dialer-list 1 protocol ip permit
Note Dialing will occur only after a packet is received to be output on BRI 0. We recommend using the
dialer-list command with the protocol and permit keywords specified to control access for dial
backup. Using this form of access control specifies that all packets are interesting.
Dial Backup Service When the Primary Line Reaches Threshold Example
The following example configures the secondary line (serial 1) to be activated only when the load of the
primary line reaches a certain threshold:
interface serial 0
backup interface serial 1
backup load 75 5
In this case, the secondary line will not be activated when the primary goes down. The secondary line
will be activated when the load on the primary line is greater than 75 percent of the bandwidth of the
primary line. The secondary line will then be brought down when the aggregate load between the primary
and secondary lines fits within 5 percent of the primary bandwidth.
The same example on a Cisco 7500 series router would be as follows:
interface serial 1/1
backup interface serial 2/2
backup load 75 5
Dial Backup Service When the Primary Line Exceeds Threshold Example
The following example configures the secondary line (serial 1) to activate when the traffic threshold on
the primary line exceeds 25 percent:
interface serial 0
backup interface serial 1
backup load 25 5
backup delay 10 60
When the aggregate load of the primary and the secondary lines returns to within 5 percent of the primary
bandwidth, the secondary line is deactivated. The secondary line waits 10 seconds after the primary goes
down before activating and remains active for 60 seconds after the primary returns and becomes active
again.
The same example on a Cisco 7500 series router would be as follows:
interface serial 1/0
backup interface serial 2/0
backup load 25 5
backup delay 10 60
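The load-triggered examples above and the delay-triggered example that follows share one decision rule: a 5-minute moving average of primary load is compared with enable-threshold, the aggregate primary-plus-secondary load is compared with disable-load, and the enable/disable timers apply only to line-state changes. The Python model below is an added illustration, not IOS code and not part of the Cisco guide; it implements that rule so the hysteresis can be traced on constructed load samples. It assumes one sample per second and an instantaneous aggregate-load check for deactivation; the guide does not specify those details.

```python
"""Model of the Cisco IOS `backup load` / `backup delay` decision logic.

Added illustration only: this is not IOS code. Assumptions (not stated in the
guide): one load sample per second, and the deactivation check uses the
instantaneous aggregate load rather than an average.
"""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple


# `None` stands for the IOS keyword `never` in both commands.
@dataclass(frozen=True)
class BackupPolicy:
    enable_threshold: Optional[int] = None  # backup load <enable-threshold> ...  (percent)
    disable_load: Optional[int] = None      # backup load ... <disable-load>      (percent)
    enable_delay: Optional[int] = None      # backup delay <enable-delay> ...     (seconds)
    disable_delay: Optional[int] = None     # backup delay ... <disable-delay>    (seconds)


class DialBackup:
    """State of one primary interface that has a `backup interface` configured."""

    def __init__(self, policy: BackupPolicy, window: int = 300) -> None:
        self.policy = policy
        self.samples: deque = deque(maxlen=window)  # 5-minute window at 1 sample/s
        self.load_triggered = False   # backup held up by the load threshold
        self.line_triggered = False   # backup held up by the primary being down
        self.down_for = 0             # consecutive seconds the primary has been down
        self.up_for = 0               # consecutive seconds the primary has been up

    def average_load(self) -> float:
        return sum(self.samples) / len(self.samples) if self.samples else 0.0

    def step(self, primary_up: bool, primary_load: int, secondary_load: int = 0) -> bool:
        """Feed one second of state; return True if the backup line is active."""
        p = self.policy
        self.samples.append(primary_load if primary_up else 0)
        if primary_up:
            self.down_for, self.up_for = 0, self.up_for + 1
        else:
            self.down_for, self.up_for = self.down_for + 1, 0

        # Load trigger: arm when the moving average exceeds enable-threshold and
        # release only when primary + secondary load fits within disable-load of
        # the primary bandwidth. The gap between the two is the hysteresis that
        # keeps a single busy sample from flapping the backup line.
        if (p.enable_threshold is not None and not self.load_triggered
                and self.average_load() > p.enable_threshold):
            self.load_triggered = True
        elif (self.load_triggered and p.disable_load is not None
                and primary_load + secondary_load <= p.disable_load):
            self.load_triggered = False

        # Line trigger: enable-delay seconds of primary down brings the backup up;
        # disable-delay seconds of primary up takes it down again. `never` on
        # either side means that transition never happens.
        if (p.enable_delay is not None and not primary_up
                and self.down_for >= p.enable_delay):
            self.line_triggered = True
        if (self.line_triggered and primary_up and p.disable_delay is not None
                and self.up_for >= p.disable_delay):
            self.line_triggered = False

        return self.load_triggered or self.line_triggered


def simulate(policy: BackupPolicy, timeline: List[Tuple[bool, int, int]],
             window: int = 300) -> List[bool]:
    """Run a constructed timeline of (primary_up, primary_load%, secondary_load%)
    samples through the model and return the backup state after each sample."""
    backup = DialBackup(policy, window)
    return [backup.step(up, pri, sec) for up, pri, sec in timeline]


if __name__ == "__main__":
    # `backup load 25 5` + `backup delay 10 60`, as in the "exceeds threshold" example.
    exceeds = BackupPolicy(enable_threshold=25, disable_load=5, enable_delay=10, disable_delay=60)
    # Constructed samples; a 4-second window keeps the average easy to follow by hand.
    load_burst = [(True, 10, 0)] * 4 + [(True, 40, 0)] * 4 + [(True, 3, 1)] * 2
    print(simulate(exceeds, load_burst, window=4))
    outage = [(False, 0, 0)] * 10 + [(True, 0, 0)] * 60
    print(simulate(exceeds, outage)[9], simulate(exceeds, outage)[-1])
```

Note that with `backup load 75 5` and no `backup delay` (the "reaches threshold" example) the model never activates on a line-down event, which is exactly the behaviour the text describes for that configuration.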
Dial Backup Service When the Primary Line Goes Down Example
The following example configures the secondary line (serial 1) as a backup line that becomes active only
when the primary line (serial 0) goes down. The backup line will not be activated because of load on the
primary line.
interface serial 0
backup interface serial 1
backup delay 30 60
The backup line is configured to activate 30 seconds after the primary line goes down and to remain on
for 60 seconds after the primary line is reactivated.
The same example on a Cisco 7500 series router would be as follows:
interface serial 1/1
backup interface serial 2/0
backup delay 30 60
Configuring Dial Backup with Dialer Profiles
This chapter describes how to configure dialer interfaces, which can be configured as the logical
intermediary between one or more physical interfaces and another physical interface that is to function
as backup. It includes the following main sections:
• Dial Backup with Dialer Profiles Overview
• How to Configure Dial Backup with Dialer Profiles
• Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the dial backup commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
Dial Backup with Dialer Profiles Overview
A backup interface is an interface that stays idle until certain circumstances occur; then it is activated.
Dialer interfaces can be configured to use a specific dialing pool; in turn, physical interfaces can be
configured to belong to the same dialing pool.
See the section “Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines”
at the end of this chapter for a comprehensive example of a dial backup interface using dialer profiles.
In the example, one BRI functions as backup to two serial lines and can make calls to two different
destinations.
How to Configure Dial Backup with Dialer Profiles
To configure a dialer interface and a specific physical interface to function as backup to other physical
interfaces, perform the tasks in the following sections:
• Configuring a Dialer Interface (Required)
• Configuring a Physical Interface to Function As Backup (Required)
• Configuring Interfaces to Use a Backup Interface (Required)
Configuring a Dialer Interface
To configure the dialer interface that will be used as an intermediary between a physical interface that
will function as backup interface and the interfaces that will use the backup, use the following commands
beginning in global configuration mode:

        Command                                            Purpose
Step 1  Router(config)# interface dialer number            Creates a dialer interface and begins interface configuration
                                                           mode.
Step 2  Router(config-if)# ip unnumbered loopback0         Specifies IP unnumbered loopback.
Step 3  Router(config-if)# encapsulation ppp               Specifies PPP encapsulation.
Step 4  Router(config-if)# dialer remote-name username     Specifies the Challenge Handshake Authentication Protocol
                                                           (CHAP) authentication name of the remote router.
Step 5  Router(config-if)# dialer string dial-string       Specifies the remote destination to call.
Step 6  Router(config-if)# dialer pool number              Specifies the dialing pool to use for calls to this destination.
Step 7  Router(config-if)# dialer-group group-number       Assigns the dialer interface to a dialer group.

Configuring a Physical Interface to Function As Backup
To configure the physical interface that is to function as backup, use the following commands beginning
in global configuration mode:

        Command                                            Purpose
Step 1  Router(config)# interface type number              Specifies the interface and begins interface configuration
                                                           mode.
Step 2  Router(config-if)# encapsulation ppp               Specifies PPP encapsulation.
Step 3  Router(config-if)# dialer pool-member number       Makes the interface a member of the dialing pool that the
                                                           dialer interface will use; make sure the number arguments
                                                           have the same value.
Step 4  Router(config-if)# ppp authentication chap         Requires CHAP authentication on the PPP link.

Configuring Interfaces to Use a Backup Interface
To configure one or more interfaces to use a backup interface, use the following commands beginning
in global configuration mode:

        Command                                            Purpose
Step 1  Router(config)# interface type number              Specifies the interface to be backed up and begins interface
                                                           configuration mode.
Step 2  Router(config-if)# ip unnumbered loopback0         Specifies IP unnumbered loopback.
Step 3  Router(config-if)# backup interface dialer number  Specifies the dialer interface that backs up this interface.
Step 4  Router(config-if)# backup delay enable-delay       Specifies the delay between the physical interface going down
        disable-delay                                      and the backup being enabled, and between the physical
                                                           interface coming back up and the backup being disabled.

Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines
The following example shows the configuration of a site that backs up two leased lines using one BRI.
Two dialer interfaces are defined. Each serial (leased line) interface is configured to use one of the dialer
interfaces as a backup. Both of the dialer interfaces use dialer pool 1, which has physical interface BRI
0 as a member. Thus, physical interface BRI 0 can back up two different serial interfaces and can make
calls to two different sites.
interface dialer 0
ip unnumbered loopback0
encapsulation ppp
dialer remote-name Remote0
dialer pool 1
dialer string 5551212
dialer-group 1
!
interface dialer 1
ip unnumbered loopback0
encapsulation ppp
dialer remote-name Remote1
dialer pool 1
dialer string 5551234
dialer-group 1
!
interface bri 0
encapsulation ppp
dialer pool-member 1
ppp authentication chap
!
interface serial 0
ip unnumbered loopback0
backup interface dialer 0
backup delay 5 10
!
interface serial 1
ip unnumbered loopback0
backup interface dialer 1
backup delay 5 10
Configuring Dial Backup Using Dialer Watch
This chapter describes how to configure dial backup using the Dialer Watch feature. It includes the
following main sections:
• Dialer Watch Overview
• How to Configure Dialer Backup with Dialer Watch
• Configuration Examples for Dialer Watch
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the dial backup commands used to configure Dialer Watch, refer to the
Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
Dialer Watch Overview
Dialer Watch is a backup feature that integrates dial backup with routing capabilities. Prior dial backup
implementations used the following conditions to trigger backup:
• Interesting packets were defined at central and remote routers using dial-on-demand routing (DDR).
• Connection loss occurred on a primary interface using a backup interface with floating static routes.
• Traffic thresholds were exceeded using a dialer load threshold.
Prior backup implementations may not have supplied optimum performance on some networks, such as
those using Frame Relay multipoint subinterfaces or Frame Relay connections that do not support
end-to-end permanent virtual circuit (PVC) status updates.
Dialer Watch provides reliable connectivity without relying solely on defining interesting traffic to
trigger outgoing calls at the central router. Dialer Watch uses the convergence times and characteristics
of dynamic routing protocols. Integrating backup and routing features enables Dialer Watch to monitor
every deleted route. By configuring a set of watched routes that define the primary interface, you are able
to monitor and track the status of the primary interface as watched routes are added and deleted.
Monitoring the watched routes is done in the following sequence:
1. Whenever a watched route is deleted, Dialer Watch checks whether there is at least one valid route
for any of the defined watched IP addresses.
2. If no valid route exists, the primary line is considered down and unusable.
3. If a valid route exists for at least one of the defined IP addresses and if the route is pointing to an
interface other than the backup interface configured for Dialer Watch, the primary link is
considered up.
4. If the primary link goes down, Dialer Watch is immediately notified by the routing protocol and the
secondary link is brought up.
5. Once the secondary link is up, at the expiration of each idle timeout, the primary link is rechecked.
6. If the primary link remains down, the idle timer is indefinitely reset.
7. If the primary link is up, the secondary backup link is disconnected. Additionally, you can set a
disable timer to create a delay for the secondary link to disconnect, after the primary link is
reestablished.
Dialer Watch provides the following advantages:
• Routing—Backup initialization is linked to the dynamic routing protocol, rather than a specific
interface or static route entry. Therefore, both primary and backup interfaces can be any interface
type, and can be used across multiple interfaces and multiple routers. Dialer Watch also relies on
convergence, which is sometimes preferred over traditional DDR links.
• Routing protocol independent—Static routes or dynamic routing protocols, such as Interior
Gateway Routing Protocol (IGRP), Enhanced IGRP (EIGRP) or Open Shortest Path First (OSPF)
can be used.
• Nonpacket semantics—Dialer Watch does not exclusively rely on interesting packets to trigger
dialing. The link is automatically brought up when the primary line goes down without postponing
dialing.
• Dial backup reliability—DDR redial functionality is extended to dial indefinitely in the event that
secondary backup lines are not initiated. Typically, DDR redial attempts are affected by
enable-timeouts and wait-for-carrier time values. Intermittent media difficulties or flapping
interfaces can cause problems for traditional DDR links. However, Dialer Watch automatically
reestablishes the secondary backup line on ISDN, synchronous, and asynchronous serial links.
The following prerequisites apply to Dialer Watch:
• The router is dial backup capable, meaning the router has a data communications equipment (DCE),
terminal adapter, or network termination 1 device attached that supports V.25bis.
• The router is configured for DDR. This configuration includes traditional commands such as dialer
map and dialer in-band commands, and so on.
• Dialer Watch is only supported for IP at this time.
For information on how to configure traditional DDR for dial backup, see the other chapters in the “Dial
Backup” part of this publication.
How to Configure Dialer Backup with Dialer Watch
To configure Dialer Watch, perform the following tasks. All tasks are required except the last one to set
a disable timer.
• Determining the Primary and Secondary Interfaces (Required)
• Determining the Interface Addresses and Networks to Watch (Required)
• Configuring the Interface to Perform DDR Backup (Required)
• Creating a Dialer List (Required)
• Setting the Disable Timer on the Backup Interface (Optional)
Determining the Primary and Secondary Interfaces
Decide which interfaces on which routers will act as primary and secondary interfaces. Unlike traditional
backup methods, you can define multiple interfaces on multiple routers instead of a singly defined
interface on one router.
Determining the Interface Addresses and Networks to Watch
Determine which addresses and networks are to be monitored or watched. Typically, this will be the
address of an interface on a remote router or a network advertised by a central or remote router.
Configuring the Interface to Perform DDR Backup
To initiate Dialer Watch, you must configure the interface to perform DDR and backup. Use traditional
DDR configuration commands, such as dialer maps, for DDR capabilities. To enable Dialer Watch on
the backup interface, use the following command in interface configuration mode:

Command                                                        Purpose
Router(config-if)# dialer watch-group group-number             Enables Dialer Watch on the backup interface.

Creating a Dialer List
To define the IP addresses that you want watched, use the following command in global configuration
mode:

Command                                                                    Purpose
Router(config)# dialer watch-list group-number ip ip-address address-mask  Defines all IP addresses to be watched.

The dialer watch-list command is the means to detect if the primary interface is up or down. The
primary interface is determined to be up when there is an available route with a valid metric to any of
the addresses defined in this list, and it points to an interface other than the interface on which the dialer
watch-group command is defined. The primary interface is determined to be down when there is no
available route to any of the addresses defined in the dialer watch-list command.

Setting the Disable Timer on the Backup Interface
This task is optional. Under some conditions, you may want to implement a delay before the backup
interface is dropped once the primary interface recovers. This delay can ensure stability, especially for
flapping interfaces or interfaces experiencing frequent route changes.
Note The dialer watch-disable command used in Dialer Watch configurations was Replaced in
Cisco IOS Release 12.3(11)T by the dialer watch-list delay command. When using the dialer
watch-list delay command in software later than Cisco IOS Release 12.3(11)T, you can specify both
a connect and disconnect timer for the disable timer. The disconnect time specifies that the
disconnect timer is started when the secondary link is up and after the idle timeout period has expired,
and only when software has determined that the primary route has come up
In Cisco IOS Software Releases Prior to 12.3(11)T
To apply a disable time, use the following command in interface configuration mode:
In Cisco IOS Software Releases After 12.3(11)T
To apply a disable time, use the following command in global configuration mode:
Configuration Examples for Dialer Watch
The dialer watch-disable command used in Dialer Watch configurations was replaced in
Cisco IOS Release 12.3(11)T by the dialer watch-list delay command. The following sections provide
examples of how to configure Dialer Watch in software before and after the dialer watch-disable
command was replaced.
• Dialer Watch Configuration Example Prior to Cisco IOS Release 12.3(11)T, page 463
• Dialer Watch Configuration Example After Cisco IOS Release 12.3(11)T, page 467
Command Purpose
Router(config-if)# dialer watch-disable seconds Applies a disable time to the interface.
Command Purpose
Router(config-if)# dialer watch-list
group-number delay {connect connect-time |
disconnect disconnect-time}
Configures a disable time.
• group-number—Group number assigned to the list. Valid group
numbers are from 1 to 255.
• delay—Specifies that the router will delay dialing the secondary
link when the primary link becomes unavailable.
• connect connect-time—Time, in seconds, after which the router
rechecks for availability of the primary link. If the primary link
is still unavailable, the secondary link is then dialed. Valid times
range from 1 to 2147483 seconds.
• disconnect disconnect-time—Time, in seconds, that specifies
when to disconnect. Disconnect occurs when the secondary link
is up and after the idle timeout period has expired, and only when
software has determined that the primary route has come up.
Valid times range from 1 to 2147483 seconds.
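The interplay of the idle timeout, the connect delay and the disconnect (disable) timer is easier to follow on a timeline. The following simulation is an added example, not code from the guide or from Cisco; the route timeline it consumes is constructed, and the event names ("dial", "no-dial", "keep-backup", "primary-up", "drop") are this example's own.

```python
"""Second-by-second simulation of the Dialer Watch timers described above
(added example, not Cisco code).

Modelled behaviour:
* the watched route disappears -> the backup is dialed; with
  `delay connect N` the primary is rechecked after N seconds and the backup
  is dialed only if the route is still missing;
* while the backup is up, the primary route is examined only when the
  `dialer idle-timeout` expires;
* when that check finds the primary route back, the `delay disconnect N`
  timer (the pre-12.3(11)T `dialer watch-disable N`) runs before the backup
  link is dropped.
Route changes are a constructed timeline; nothing is dialed for real.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, str]       # (time in seconds, what happened)


@dataclass
class DialerWatch:
    idle_timeout: int          # dialer idle-timeout <s> on the backup interface
    connect_delay: int = 0     # dialer watch-list <n> delay connect <s>; 0 = dial at once
    disconnect_delay: int = 0  # dialer watch-list <n> delay disconnect <s>
    backup_up: bool = False
    events: List[Event] = field(default_factory=list)

    def run(self, route_changes: Dict[int, bool], until: int) -> List[Event]:
        """route_changes maps a time to whether the watched route is present
        from that second on (it is present at t=0). Returns the event log."""
        present = True
        connect_check: Optional[int] = None   # recheck time before dialing
        idle_check: Optional[int] = None      # next idle-timeout expiry
        disconnect_at: Optional[int] = None   # when the disable timer fires
        for t in range(until + 1):
            present = route_changes.get(t, present)
            if not self.backup_up:
                if not present and connect_check is None:
                    connect_check = t + self.connect_delay
                if connect_check is not None and t >= connect_check:
                    connect_check = None
                    if present:                       # primary came back in time
                        self.events.append((t, "no-dial"))
                    else:
                        self.backup_up = True
                        idle_check = t + self.idle_timeout
                        self.events.append((t, "dial"))
                continue
            # Backup is up: the primary is examined only when idle-timeout expires.
            if idle_check is not None and t >= idle_check:
                idle_check = t + self.idle_timeout
                if present and disconnect_at is None:
                    disconnect_at = t + self.disconnect_delay
                    self.events.append((t, "primary-up"))
                elif not present:
                    self.events.append((t, "keep-backup"))
            if disconnect_at is not None and t >= disconnect_at:
                self.backup_up, disconnect_at, idle_check = False, None, None
                self.events.append((t, "drop"))
        return self.events


if __name__ == "__main__":
    # The listings' values: idle-timeout 30, delay disconnect 15; the watched
    # route vanishes at t=10 and is back at t=50.
    for ev in DialerWatch(idle_timeout=30, disconnect_delay=15).run({10: False, 50: True}, 100):
        print(*ev)
```

With the listings' values the backup is dialed at t=10, found still needed at the first idle-timeout expiry (t=40), found unnecessary at the second (t=70) and dropped 15 seconds later at t=85.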
Dialer Watch Configuration Example Prior to Cisco IOS Release 12.3(11)T
In the following example, an ISDN BRI line is used to back up a serial leased line connection by
configuring the Dialer Watch feature on a router named maui-soho-01. The Dialer Watch feature enables
the router to monitor the existence of a specified route. If that route is not present, the backup interface
is activated. Unlike other backup methods, the Dialer Watch feature does not require interesting traffic
to activate the backup interface. The configuration shown in Figure 61 uses legacy dial-on-demand
routing (DDR) and the Open Shortest Path First (OSPF) routing protocol. Dialer profiles can be used in
place of DDR. Once the backup connection is activated, you must ensure that the routing table is updated
to use the new backup route. Additional information about the Dialer Watch feature is available at the
following website:
http://www.cisco.com/warp/public/129/bri-backup-map-watch.html
For additional information on configuring legacy DDR, dialer profiles, PPP, and traditional dial backup
features, see the relevant chapters in this publication.
Figure 61 Dialer Watch for Frame Relay Interfaces
Note The following example uses commands supported in Cisco IOS software prior to Release 12.3(11)T.
See the updated example for configuring Dialer Watch after Cisco IOS Release 12.3(11)T that
follows this example.
Configuration for maui-soho-01
maui-soho-01# show running-config
Building configuration...
Current configuration : 1546 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname maui-soho-01
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default local
! [Figure 61: maui-soho-01 (e0; s0 192.168.10.2, primary link; bri0 172.20.10.2, ISDN backup link) connects across a serial network to maui-nas-05 (s2/0 192.168.10.1; bri1/0 172.20.10.1; e0/0 on 172.22.53.0/24)]
!This is basic AAA configuration for PPP calls.
enable secret 5
!
username maui-nas-05 password 0 cisco
!Username for remote router (maui-nas-05) and shared secret.
!Shared secret(used for CHAP authentication) must be the same on both sides.
ip subnet-zero
no ip finger
!
isdn switch-type basic-ni
!
interface Loopback0
ip address 172.17.1.1 255.255.255.0
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0
!Primary link.
ip address 192.168.10.2 255.255.255.252
encapsulation ppp
ppp authentication chap
!
interface BRI0
ip address 172.20.10.2 255.255.255.0
!IP address for the BRI interface (backup link).
encapsulation ppp
dialer idle-timeout 30
!Idle timeout(in seconds)for this backup link.
!Dialer watch checks the status of the primary link every time the
!idle-timeout expires.
dialer watch-disable 15
!Delays disconnecting the backup interface for 15 seconds after the
!primary interface is found to be up.
dialer map ip 172.20.10.1 name maui-nas-05 broadcast 5550111
!Dialer map for the BRI interface of the remote router.
dialer map ip 172.22.53.0 name maui-nas-05 broadcast 5550111
!Map statement for the route/network being watched by the
!dialer watch-list command.
!This address must exactly match the network configured with the
!dialer watch-list command.
!When the watched route disappears, this dials the specified phone number.
dialer watch-group 8
!Enable Dialer Watch on this backup interface.
!Watch the route specified with dialer watch-list 8.
dialer-group 1
!Apply interesting traffic defined in dialer-list 1.
isdn switch-type basic-ni
isdn spid1 51255522220101 5550112
isdn spid2 51255522230101 5550112
ppp authentication chap
!Use chap authentication.
!
router ospf 5
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 172.17.1.0 0.0.0.255 area 0
network 172.20.10.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.3 area 0
!
ip classless
no ip http server
!
dialer watch-list 8 ip 172.22.53.0 255.255.255.0
!This defines the route(s) to be watched.
!This exact route(including subnet mask) must exist in the routing table.
!Use the dialer watch-group 8 command to apply this list to the backup interface.
access-list 101 remark Define Interesting Traffic
access-list 101 deny ospf any any
!Mark OSPF as uninteresting.
!This will prevent OSPF hellos from keeping the link up.
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!Interesting traffic is defined by access-list 101.
!This is applied to BRI0 using dialer-group 1.
!
line con 0
login authentication NO_AUTHEN
transport input none
line vty 0 4
!
end
Configuration for maui-nas-05
maui-nas-05# show running-config
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname maui-nas-05
!
aaa new-model
aaa authentication login default local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default local
! -- This is basic AAA configuration for PPP calls.
enable secret 5
!
username maui-soho-01 password 0 cisco
!Username for remote router (maui-soho-01) and shared secret.
!Shared secret(used for CHAP authentication) must be the same on both sides.
!
ip subnet-zero
!
isdn switch-type basic-ni
!
interface Loopback0
ip address 172.22.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 172.22.53.105 255.255.255.0
!
interface Ethernet0/1
no ip address
shutdown
!
interface BRI1/0
!Backup link.
ip address 172.20.10.1 255.255.255.0
encapsulation ppp
dialer map ip 172.20.10.2 name maui-soho-01 broadcast
!Dialer map with IP address and authenticated username for remote destination.
!The name should match the authentication username provided by the remote side.
!The dialer map statement is used even though this router is not dialing out.
dialer-group 1
!Apply interesting traffic defined in dialer-list 1.
isdn switch-type basic-ni
isdn spid1 51255501110101 5550111
isdn spid2 51255501120101 5550112
ppp authentication chap
!
.
.
.
!
interface Serial2/0
ip address 192.168.10.1 255.255.255.252
encapsulation ppp
clockrate 64000
ppp authentication chap
!
.
.
.
!
router ospf 5
network 172.20.10.0 0.0.0.255 area 0
network 172.22.1.0 0.0.0.255 area 0
network 172.22.53.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.3 area 0
default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
no ip http server
!
dialer-list 1 protocol ip permit
!This defines all IP traffic as interesting.
!
line con 0
login authentication NO_AUTHEN
transport input none
line 97 102
line aux 0
line vty 0 4
!
end
Dialer Watch Configuration Example After Cisco IOS Release 12.3(11)T
The following example shows how to configure Dialer Watch using the dialer watch-list delay
command that replaced the dialer watch-disable command.
Configuration for maui-soho-01
maui-soho-01# show running-config
Building configuration...
Current configuration : 1546 bytes
!
version 12.4
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname maui-soho-01
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default local
!This is basic AAA configuration for PPP calls.
enable secret 5
!
username maui-nas-05 password 0 cisco
!Username for remote router (maui-nas-05) and shared secret.
!Shared secret(used for CHAP authentication) must be the same on both sides.
ip subnet-zero
no ip finger
!
isdn switch-type basic-ni
!
interface Loopback0
ip address 172.17.1.1 255.255.255.0
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0
!Primary link.
ip address 192.168.10.2 255.255.255.252
encapsulation ppp
ppp authentication chap
!
interface BRI0
ip address 172.20.10.2 255.255.255.0
!IP address for the BRI interface (backup link).
encapsulation ppp
dialer idle-timeout 30
!Idle timeout(in seconds)for this backup link.
!Dialer watch checks the status of the primary link every time the
!idle-timeout expires.
dialer map ip 172.20.10.1 name maui-nas-05 broadcast 5550111
!Dialer map for the BRI interface of the remote router.
dialer map ip 172.22.53.0 name maui-nas-05 broadcast 5550111
!Map statement for the route/network being watched by the
!dialer watch-list command.
!This address must exactly match the network configured with the
!dialer watch-list command.
!When the watched route disappears, this dials the specified phone number.
dialer watch-group 8
!Enable Dialer Watch on this backup interface.
!Watch the route specified with dialer watch-list 8.
dialer-group 1
!Apply interesting traffic defined in dialer-list 1.
isdn switch-type basic-ni
isdn spid1 51255522220101 5552222
isdn spid2 51255522230101 5552223
ppp authentication chap
!Use chap authentication.
!
router ospf 5
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 172.17.1.0 0.0.0.255 area 0
network 172.20.10.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.3 area 0
!
ip classless
no ip http server
!
dialer watch-list 8 ip 172.22.53.0 255.255.255.0
!This defines the route(s) to be watched.
!This exact route(including subnet mask) must exist in the routing table.
!Use the dialer watch-group 8 command to apply this list to the backup interface.
dialer watch-list 8 delay disconnect 15
!Delays disconnecting the backup interface for 15 seconds after the
!primary interface is found to be up.
!This is a global configuration command; it does not belong under interface BRI0.
access-list 101 remark Define Interesting Traffic
access-list 101 deny ospf any any
!Mark OSPF as uninteresting.
!This will prevent OSPF hellos from keeping the link up.
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!Interesting traffic is defined by access-list 101.
!This is applied to BRI0 using dialer-group 1.
!
line con 0
login authentication NO_AUTHEN
transport input none
line vty 0 4
!
end
Configuration for maui-nas-05
maui-nas-05# show running-config
Building configuration...
Current configuration:
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname maui-nas-05
!
aaa new-model
aaa authentication login default local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default local
! -- This is basic AAA configuration for PPP calls.
enable secret 5
!
username maui-soho-01 password 0 cisco
!Username for remote router (maui-soho-01) and shared secret.
!Shared secret(used for CHAP authentication) must be the same on both sides.
!
ip subnet-zero
!
isdn switch-type basic-ni
!
interface Loopback0
ip address 172.22.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 172.22.53.105 255.255.255.0
!
interface Ethernet0/1
no ip address
shutdown
!
interface BRI1/0
!Backup link.
ip address 172.20.10.1 255.255.255.0
encapsulation ppp
dialer map ip 172.20.10.2 name maui-soho-01 broadcast
!Dialer map with IP address and authenticated username for remote destination.
!The name should match the authentication username provided by the remote side.
!The dialer map statement is used even though this router is not dialing out.
dialer-group 1
!Apply interesting traffic defined in dialer-list 1.
isdn switch-type basic-ni
isdn spid1 51255501110101 5550111
isdn spid2 51255501120101 5550112
ppp authentication chap
!
! <<-- irrelevant output removed
!
interface Serial2/0
ip address 192.168.10.1 255.255.255.252
encapsulation ppp
clockrate 64000
ppp authentication chap
!
! <<-- irrelevant output removed
!
router ospf 5
network 172.20.10.0 0.0.0.255 area 0
network 172.22.1.0 0.0.0.255 area 0
network 172.22.53.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.3 area 0
default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
no ip http server
!
dialer-list 1 protocol ip permit
!This defines all IP traffic as interesting.
!
line con 0
login authentication NO_AUTHEN
transport input none
line 97 102
line aux 0
line vty 0 4
!
end
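The comments in the listings above spell out what has to line up for Dialer Watch to work: the watch-group number on the backup interface must have a matching watch-list, the watched network needs a dialer map on that interface, the routing protocol must be excluded from interesting traffic, and (after 12.3(11)T) dialer watch-list is a global command. The checker below is an added example, not Cisco code; it assumes the listings' layout (interface sub-commands terminated by a bare "!" line, "!text" lines as comments) and runs over a constructed excerpt modelled on the maui-soho-01 configuration.

```python
"""Consistency checker for Dialer Watch configurations (added example, not
from the Cisco guide). Findings reported:
  * dialer watch-list placed under an interface (global command since 12.3(11)T)
  * dialer watch-group N without a global dialer watch-list N ip ...
  * a watched network with no dialer map ip <network> on the backup interface
  * OSPF running while the backup interface's dialer-list ACL has no 'deny ospf'
"""
import re
from typing import Dict, List, Tuple


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global lines, {interface name: sub-command lines}). Commands are
    lower-cased because IOS is case-insensitive ('Access-list' == 'access-list');
    sub-commands belong to the preceding 'interface' line until a bare '!'."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("!") and line != "!"):
            continue                                   # blank or '!comment'
        if line == "!":
            current = None                             # end of an interface block
            continue
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        (interfaces[current] if current else global_lines).append(line.lower())
    return global_lines, interfaces


def check_dialer_watch(text: str) -> List[str]:
    """Return findings; an empty list means the Dialer Watch setup is consistent."""
    global_lines, interfaces = parse_config(text)
    findings: List[str] = []
    watched: Dict[str, List[str]] = {}                 # group -> watched networks
    for g in global_lines:
        m = re.match(r"dialer watch-list (\d+) ip (\S+) \S+$", g)
        if m:
            watched.setdefault(m.group(1), []).append(m.group(2))
    acl_of = dict(re.findall(r"^dialer-list (\d+) protocol ip list (\d+)$",
                             "\n".join(global_lines), re.M))
    ospf_running = any(g.startswith("router ospf") for g in global_lines)
    for name, lines in interfaces.items():
        for l in lines:
            if l.startswith("dialer watch-list"):
                findings.append(f"{name}: '{l}' is a global configuration command")
        groups = [m.group(1) for m in map(re.compile(r"dialer watch-group (\d+)$").match, lines) if m]
        if not groups:
            continue                                   # not a Dialer Watch backup interface
        for group in groups:
            if group not in watched:
                findings.append(f"{name}: no dialer watch-list {group} ip ... for watch-group {group}")
            for net in watched.get(group, []):
                if not any(l.startswith(f"dialer map ip {net} ") for l in lines):
                    findings.append(f"{name}: watched network {net} has no dialer map ip {net}")
        dg = next((l.split()[1] for l in lines if l.startswith("dialer-group ")), None)
        acl = acl_of.get(dg)
        if ospf_running and acl and not any(g.startswith(f"access-list {acl} deny ospf") for g in global_lines):
            findings.append(f"{name}: access-list {acl} does not deny OSPF; hellos would keep the link up")
    return findings


# Constructed excerpt: the delay command sits under interface BRI0 by mistake.
SAMPLE_MISPLACED = """\
interface Serial0
ip address 192.168.10.2 255.255.255.252
encapsulation ppp
!
interface BRI0
ip address 172.20.10.2 255.255.255.0
encapsulation ppp
dialer idle-timeout 30
dialer map ip 172.20.10.1 name maui-nas-05 broadcast 5550111
dialer map ip 172.22.53.0 name maui-nas-05 broadcast 5550111
dialer watch-group 8
dialer-group 1
dialer watch-list 8 delay disconnect 15
!
router ospf 5
network 172.20.10.0 0.0.0.255 area 0
!
dialer watch-list 8 ip 172.22.53.0 255.255.255.0
access-list 101 deny ospf any any
Access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
end
"""

# Same excerpt with the delay command moved to global configuration.
SAMPLE_FIXED = SAMPLE_MISPLACED.replace(
    "dialer watch-list 8 delay disconnect 15\n!\nrouter", "!\nrouter").replace(
    "255.255.255.0\naccess-list", "255.255.255.0\ndialer watch-list 8 delay disconnect 15\naccess-list")

if __name__ == "__main__":
    for label, cfg in (("misplaced", SAMPLE_MISPLACED), ("fixed", SAMPLE_FIXED)):
        print(label, check_dialer_watch(cfg) or ["OK"])
```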
Dial-Related Addressing Services
Configuring Cisco Easy IP
This chapter describes how to configure the Cisco Easy IP feature. It includes the following main
sections:
• Cisco Easy IP Overview
• How to Configure Cisco Easy IP
• Configuration Examples for Cisco Easy IP
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the Cisco Easy IP commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
Cisco Easy IP Overview
Cisco Easy IP enables transparent and dynamic IP address allocation for hosts in remote environments
using the following functionality:
• Cisco Dynamic Host Configuration Protocol (DHCP) server
• Port Address Translation (PAT), a subset of Network Address Translation (NAT)
• Dynamic PPP/IP Control Protocol (PPP/IPCP) WAN interface IP address negotiation
With Cisco IOS Easy IP, a Cisco router automatically assigns local IP addresses to remote hosts (such
as small office, home office or SOHO routers) using DHCP with the Cisco IOS DHCP server,
automatically negotiates its own registered IP address from a central server via PPP/IPCP, and uses PAT
functionality to enable all SOHO hosts to access the Internet using a single registered IP address.
Because Cisco IOS Easy IP uses existing port-level multiplexed NAT functionality within Cisco IOS
software, IP addresses on the remote LAN are invisible to the Internet, making the remote LAN more
secure.
Cisco Easy IP provides the following benefits:
• Minimizes Internet access costs for remote offices
• Minimizes configuration requirements on remote access routers
• Enables transparent and dynamic IP address allocation for hosts in remote environments
• Improves network security capabilities at each remote site
• Conserves registered IP addresses
• Maximizes IP address manageability
Figure 62 shows a typical scenario for using the Cisco Easy IP feature.
Figure 62 Telecommuter and Branch Office LANs Using Cisco Easy IP
Steps 1 through 4 show how Cisco Easy IP works:
Step 1 When a SOHO host generates “interesting” traffic (as defined by Access Control Lists) for dialup (first
time only), the Easy IP router requests a single registered IP address from the access server at the central
site via PPP/IPCP. (See Figure 63.)
Figure 63 Cisco Easy IP Router Requests a Dynamic Global IP Address
Step 2 The central site router replies with a dynamic global address from a local DHCP IP address pool. (See
Figure 64.)
[Figure 62: telecommuter LANs and branch office LANs, each using an Easy IP router, connect through the Internet to the central site. Figure 63: Host A (10.0.0.1) and Host B on the SOHO LAN sit behind the Easy IP router, which performs IPCP IP-address negotiation over the WAN link with the DHCP server at the central site]
Figure 64 Dynamic Global IP Address Delivered to the Cisco Easy IP Router
Step 3 The Cisco Easy IP router uses port-level NAT functionality to automatically create a translation that
associates the registered IP address of the WAN interface with the private IP address of the client. (See
Figure 65.)
Figure 65 Port-Level NAT Functionality Used for IP Address Translation
Step 4 The remote hosts contain multiple static IP addresses while the Cisco Easy IP router obtains a single
registered IP address using PPP/IPCP. The Cisco Easy IP router then creates port-level multiplexed NAT
translations between these addresses so that each remote host address (inside private address) is
translated to a single external address assigned to the Cisco Easy IP router. This many-to-one address
translation is also called port-level multiplexing or PAT. Note that the NAT port-level multiplexing
function can be used to conserve global addresses by allowing the remote routers to use one global
address for many local addresses. (See Figure 66.)
[Figures 64 and 65: over the WAN link the central site DHCP server answers the Easy IP router with “Your global IP address is 172.18.9.4”; Host A (10.0.0.1) and Host B remain on the SOHO LAN behind the router]
Figure 66 Multiple Private Internal IP Addresses Bound to a Single Global IP Address
How to Configure Cisco Easy IP
Before using Cisco Easy IP, perform the following tasks:
• Configure the ISDN switch type and service provider identifier (SPID), if using ISDN.
• Configure the static route from LAN to WAN interface.
• Configure the Cisco IOS DHCP server.
For information about configuring ISDN switch types, see the chapter “Setting Up ISDN Basic Rate
Service” earlier in this publication. For information about configuring static routes, refer to the chapter
“Configuring IP Services” in the Cisco IOS IP Configuration Guide.
The Cisco IOS DHCP server supports both DHCP and BOOTP clients and supports finite and infinite
address lease periods. DHCP address binding information is stored on a remote host via remote copy
protocol (RCP), FTP, or TFTP. Refer to the Cisco IOS IP Configuration Guide for DHCP configuration
instructions.
In its most simple configuration, a Cisco Easy IP router or access server will have a single LAN interface
and a single WAN interface. Based on this model, to use Cisco Easy IP you must perform the tasks in
the following sections:
• Defining the NAT Pool (Required)
• Configuring the LAN Interface (Required)
• Defining NAT for the LAN Interface (Required)
• Configuring the WAN Interface (Required)
• Enabling PPP/IPCP Negotiation (Required)
• Defining NAT for the Dialer Interface (Required)
• Configuring the Dialer Interface (Required)
For configuration examples, see the section “Configuration Examples for Cisco Easy IP” at the end of
this chapter.
[Figure 66: Host A 10.0.0.1 and Host B 10.0.0.2 on the SOHO LAN; the Easy IP router holds global address 172.18.9.4 and its NAT table maps inside 10.0.0.1 to outside 172.18.9.4:4880 and inside 10.0.0.2 to outside 172.18.9.4:4881 toward the central site DHCP server]
Defining the NAT Pool
The first step in enabling Cisco Easy IP is to create a pool of internal IP addresses to be translated. To define the NAT pool, use the following commands in global configuration mode:

Step 1
Command: Router(config)# access-list access-list-number permit source [source-wildcard]
Purpose: Defines a standard access list permitting those addresses that are to be translated.

Step 2
Command: Router(config)# ip nat inside source list access-list-number interface dialer-name overload
Purpose: Establishes dynamic source translation, identifying the access list defined in the prior step.

For information about creating access lists, refer to the chapter “Configuring IP Services” in the Cisco IOS IP Configuration Guide.

Configuring the LAN Interface
To configure the LAN interface, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# interface type number
Purpose: Selects a specific LAN interface and begins interface configuration mode.

Step 2
Command: Router(config-if)# ip address address mask
Purpose: Defines the IP address and subnet mask for this interface.

For information about assigning IP addresses and subnet masks to network interfaces, refer to the chapter “Configuring IP Services” in the Cisco IOS IP Configuration Guide.

Defining NAT for the LAN Interface
To ensure that the LAN interface is connected to the inside network (and therefore subject to NAT), use the following command in interface configuration mode:

Command: Router(config-if)# ip nat inside
Purpose: Defines the interface as internal for NAT.

Configuring the WAN Interface
To configure the WAN interface, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# interface type number
Purpose: Selects the WAN interface and begins interface configuration mode.

Step 2
Command: Router(config-if)# no ip address
Purpose: Removes any associated IP address from this interface.

Step 3
Command: Router(config-if)# encapsulation ppp
Purpose: Selects PPP as the encapsulation method for this interface.

Step 4
Command: Router(config-if)# dialer pool-member number
Purpose: Binds the WAN interface to the dialer interface.

Enabling PPP/IPCP Negotiation
To enable PPP/IPCP negotiation on the dialer interface, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# interface dialer-name
Purpose: Selects the dialer interface and begins interface configuration mode.

Step 2
Command: Router(config-if)# ip address negotiated
Purpose: Enables PPP/IPCP negotiation for this interface.

Defining NAT for the Dialer Interface
To define that the dialer interface is connected to the outside network, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# interface dialer-name
Purpose: Selects the dialer interface and begins interface configuration mode.

Step 2
Command: Router(config-if)# ip nat outside
Purpose: Defines the interface as external for network address translation.

Configuring the Dialer Interface
To configure the dialer interface information, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# interface dialer-name
Purpose: Selects the dialer interface and begins interface configuration mode.

Step 2
Command: Router(config-if)# dialer wait-for-carrier-time seconds
Purpose: Specifies for a dialer interface the length of time the interface waits for a carrier before timing out.

Step 3
Command: Router(config-if)# dialer hold-queue packets
Purpose: Creates a dialer hold queue and specifies the number of packets to be held in it.

Step 4
Command: Router(config-if)# dialer remote-name username
Purpose: Specifies the remote router Challenge Handshake Authentication Protocol (CHAP) authentication name.

Step 5
Command: Router(config-if)# dialer idle-timeout seconds
Purpose: Specifies the amount of idle time that can pass before calls to the central access server are disconnected. See the next section, “Timeout Considerations,” for more details on this setting.

Step 6
Command: Router(config-if)# dialer string dialer-string
Purpose: Specifies the telephone number required to reach the central access server.

Step 7
Command: Router(config-if)# dialer pool number
Purpose: Specifies the dialing pool to use.

Step 8
Command: Router(config-if)# dialer-group group-number
Purpose: Assigns the dialer interface to a dialer group.

Timeout Considerations
Dynamic NAT translations time out automatically after a predefined default period. Although the periods are configurable, with the port-level NAT functionality in Cisco Easy IP, User Datagram Protocol (UDP) translations time out after 5 minutes and Domain Name System (DNS) translations after 1 minute by default. TCP translations time out after 24 hours by default, unless a TCP Reset (RST) or TCP Finish (FIN) is seen in the TCP stream, in which case the translation times out after 1 minute.
If the Cisco IOS Easy IP router exceeds the dialer idle-timeout period, it is expected that all active TCP sessions were previously closed via an RST or FIN. NAT times out all TCP translations before the Cisco Easy IP router exceeds the dialer idle-timeout period. The router then renegotiates another registered IP address the next time the WAN link is brought up, thereby creating new dynamic NAT translations that bind the IP addresses of the LAN hosts to the newly negotiated IP address.

Configuration Examples for Cisco Easy IP
The following example shows how to configure BRI interface 0 (shown as interface bri0) to obtain its IP address via PPP/IPCP address negotiation:
! The following command defines the NAT pool.
ip nat inside source list 101 interface dialer1 overload
!
! The following commands define the ISDN switch type.
isdn switch-type vn3
isdn tei-negotiation first-call
!
! The following commands define the LAN address and subnet mask.
interface ethernet0
ip address 10.0.0.4 255.0.0.0
! The following command defines ethernet0 as internal for NAT.
ip nat inside
!
! The following commands bind the physical interface to the dialer1 interface.
interface bri0
no ip address
encapsulation ppp
dialer pool-member 1
!
interface dialer1
!
! The following command enables PPP/IPCP negotiation for this interface.
ip address negotiated
encapsulation ppp
!
! The following command defines interface dialer1 as external for NAT.
ip nat outside
dialer remote-name dallas
dialer idle-timeout 180
!
! The following command defines the dialer string for the central access server.
dialer string 4159991234
dialer pool 1
dialer-group 1
!
! The following commands define the static route to the WAN interface.
ip route 0.0.0.0 0.0.0.0 dialer1
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip list 101
The following example shows how to configure an asynchronous interface (interface async1) to obtain
its IP address via PPP/IPCP address negotiation:
! This command defines the NAT pool.
ip nat inside source list 101 interface dialer1 overload
!
! The following commands define the LAN IP address and subnet mask.
interface ethernet0
ip address 10.0.0.4 255.0.0.0
!
! The following command defines ethernet0 as internal for NAT.
ip nat inside
!
! The following commands bind the physical interface to the dialer1 interface.
interface async1
no ip address
encapsulation ppp
async mode dedicated
dialer pool-member 1
!
interface dialer1
!
! The following command enables PPP/IPCP negotiation for this interface.
ip address negotiated
encapsulation ppp
!
! The following command defines interface dialer1 as external for NAT.
ip nat outside
dialer wait-for-carrier-time 30
dialer hold-queue 10
dialer remote-name dallas
dialer idle-timeout 180
!
! The following command defines the dialer string for the central access server.
dialer string 4159991234
dialer pool 1
dialer-group 1
!
! The following commands define the static route to the WAN interface.
ip route 0.0.0.0 0.0.0.0 dialer1
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip list 101
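Figure 66 and the “Timeout Considerations” section together describe the port-level multiplexed NAT table an Easy IP router keeps: one negotiated global address, one outside port per inside host flow, and per-protocol timeouts. The model below is an added example, not Cisco code; the inside flows, ports and times are constructed (the addresses and the 4880/4881 ports follow the figure), and the timers are treated as inactivity timers refreshed by traffic, which is standard NAT behaviour assumed here rather than stated in the guide.

```python
"""Model of an Easy IP router's PAT table (added example, not Cisco code).

Default timeouts from "Timeout Considerations": UDP 5 minutes, DNS 1 minute,
TCP 24 hours, or 1 minute once a RST or FIN has been seen in the stream.
A binding's timer is refreshed by traffic (assumed inactivity semantics).
When the WAN link is re-dialed and IPCP hands out a new global address, the
table is rebuilt against that address. All inputs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

TIMEOUT = {"udp": 5 * 60, "dns": 60, "tcp": 24 * 3600, "tcp-closing": 60}
Flow = Tuple[str, int, str]           # (inside address, inside port, "tcp" | "udp")


@dataclass
class Binding:
    outside_port: int
    kind: str                         # key into TIMEOUT
    expires_at: int


class EasyIPPat:
    def __init__(self, global_addr: str, first_port: int = 4880):
        self.global_addr = global_addr          # address negotiated via PPP/IPCP
        self.next_port = first_port
        self.table: Dict[Flow, Binding] = {}

    def _expire(self, now: int) -> None:
        for flow in [f for f, b in self.table.items() if b.expires_at <= now]:
            del self.table[flow]

    def translate(self, src: str, sport: int, proto: str, dport: int, now: int) -> Tuple[str, int]:
        """Outbound packet: return (outside address, outside port), creating a
        binding on first use. UDP to destination port 53 is treated as DNS."""
        self._expire(now)
        flow = (src, sport, proto)
        b = self.table.get(flow)
        if b is None:
            kind = "dns" if proto == "udp" and dport == 53 else proto
            b = self.table[flow] = Binding(self.next_port, kind, 0)
            self.next_port += 1
        b.expires_at = now + TIMEOUT[b.kind]    # traffic refreshes the timer
        return self.global_addr, b.outside_port

    def tcp_close_seen(self, src: str, sport: int, now: int) -> None:
        """A RST or FIN in the stream cuts the TCP timeout to 1 minute."""
        b = self.table.get((src, sport, "tcp"))
        if b is not None:
            b.kind = "tcp-closing"
            b.expires_at = now + TIMEOUT[b.kind]

    def wan_renegotiated(self, new_global_addr: str) -> None:
        """The link came up again and IPCP assigned another global address."""
        self.global_addr = new_global_addr
        self.table.clear()

    def active(self, now: int) -> Dict[Flow, str]:
        """Current NAT table as inside flow -> 'outside address:port'."""
        self._expire(now)
        return {f: f"{self.global_addr}:{b.outside_port}" for f, b in self.table.items()}


if __name__ == "__main__":
    pat = EasyIPPat("172.18.9.4")
    pat.translate("10.0.0.1", 1025, "tcp", 80, now=0)   # Host A
    pat.translate("10.0.0.2", 1025, "tcp", 80, now=0)   # Host B
    for flow, outside in pat.active(0).items():
        print(flow, "->", outside)                       # the Figure 66 table
```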
Virtual Templates, Profiles, and Networks
Configuring Virtual Template Interfaces
This chapter describes how to configure virtual template interfaces. It includes the following main
sections:
• Virtual Template Interface Service Overview
• How to Configure a Virtual Template Interface
• Monitoring and Maintaining a Virtual Access Interface
• Configuration Examples for Virtual Template Interface
The following template and virtual interface limitations apply:
• Although a system can generally support many virtual template interfaces, one template for each
virtual access application is a more realistic limit.
• When in use, each virtual access interface cloned from a template requires the same amount of
memory as a serial interface. Limits to the number of virtual access interfaces that can be configured
are determined by the platform.
• Virtual access interfaces are not directly configurable by users, except by configuring a virtual
template interface or including the configuration information of the user (through virtual profiles or
per-user configuration) on an authentication, authorization, and accounting (AAA) server. However,
information about an in-use virtual access interface can be displayed, and the virtual access interface
can be cleared.
• Virtual interface templates provide no direct value to users; they must be applied to or associated
with a virtual access feature using a command with the virtual-template keyword.
For example, the interface virtual-template command creates the virtual template interface and the
multilink virtual-template command applies the virtual template to a multilink stack group. The
virtual-profile virtual-template command specifies that a virtual template interface will be used
as a source of configuration information for virtual profiles.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the virtual template interface commands mentioned in this chapter, refer
to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other
commands that appear in this chapter, use the command reference master index or search online.
Virtual Template Interface Service Overview
The Virtual Template Interface Service feature provides a generic service that can be used to apply
predefined interface configurations (virtual template interfaces) in creating and freeing virtual access
interfaces dynamically, as needed.
Virtual template interfaces can be configured independently of any physical interface and applied
dynamically, as needed, to create virtual access interfaces. When a user dials in, a predefined
configuration template is used to configure a virtual access interface; when the user is done, the virtual
access interface goes down and the resources are freed for other dial-in uses.
A virtual template interface is a logical entity—a configuration for a serial interface but not tied to a
physical interface—that can be applied dynamically as needed. Virtual access interfaces are virtual
interfaces that are created, configured dynamically (for example, by cloning a virtual template interface),
used, and then freed when no longer needed.
Virtual template interfaces are one possible source of configuration information for a virtual access
interface.
Each virtual access interface can clone from only one template. But some applications can take
configuration information from multiple sources; for example, virtual profiles can take configuration
information from a virtual template interface, or from interface-specific configuration information
stored from a user on a AAA server, or from network protocol configuration from a user stored on a AAA
server, or all three. The result of using template and AAA configuration sources is a virtual access
interface uniquely configured for a specific dial-in user.
Figure 67 illustrates that a router can create a virtual access interface by first using the information from
a virtual template interface (if any is defined for the application) and then using the information in a
per-user configuration (if AAA is configured on the router and virtual profiles or per-user configuration
or both are defined for the specific user).
Figure 67 Possible Configuration Sources for Virtual Access Interfaces
The virtual template interface service is intended primarily for customers with large numbers of dial-in
users and provides the following benefits:
• For easier maintenance, allows customized configurations to be predefined and then applied
dynamically when the specific need arises.
• For scalability, allows interface configuration to be separated from physical interfaces. Virtual
interfaces can share characteristics, no matter what specific type of interface the user called on.
• For consistency and configuration ease, allows the same predefined template to be used for all users
dialing in for a specific application.
• For efficient router operation, frees the virtual access interface memory for another dial-in use when
the call from the user ends.
[Figure 67: user ssmith dials in. The virtual access interface for ssmith is cloned from a virtual interface template, if any, and then from per-user configuration (AAA), if any is configured.]
Features that Apply Virtual Template Interfaces
The following features apply virtual template interfaces to create virtual access interfaces dynamically:
• Virtual profiles
• Virtual Private Dialup Networks (VPDN)
• Multilink PPP (MLP)
• Multichassis Multilink PPP (MMP)
• Virtual templates for protocol translation
• PPP over ATM
Virtual templates are supported on all platforms that support these features.
To create and configure a virtual template interface, complete the tasks in this chapter. To apply a virtual
template interface, refer to the specific feature that applies the virtual template interface.
All prerequisites depend on the feature that is applying a virtual template interface to create a virtual
access interface. Virtual template interfaces themselves have no other prerequisites.
The order in which you create virtual template interfaces and virtual profiles and configure the features
that use the templates and profiles is not important. They must exist, however, before someone calling
in can use them.
Selective Virtual Access Interface Creation
Optionally, you can configure a router to automatically determine whether to create a virtual access
interface for each inbound connection. In particular, a call that is received on a physical asynchronous
interface that uses a AAA per-user configuration can now be processed without a virtual access interface
being created by a router that is also configured for virtual profiles.
The following three criteria determine whether a virtual access interface is created:
• Is there a virtual profile AAA configuration?
• Is there a AAA per-user configuration?
• Does the link interface support direct per-user AAA?
A virtual access interface will be created in the following scenarios:
• If there is a virtual profile AAA configuration.
• If there is not a virtual profile AAA configuration, but there is a AAA per-user configuration and
the link interface does not support direct per-user AAA (such as ISDN).
A virtual access interface will not be created in the following scenarios:
• If there is neither a virtual profile AAA configuration nor a AAA per-user configuration.
• If there is not a virtual profile AAA configuration, but there is a AAA per-user configuration and
the link interface does support direct per-user AAA (such as asynchronous).
How to Configure a Virtual Template Interface
To create and configure a virtual template interface, use the following commands beginning in global
configuration mode:

        Command                                        Purpose
Step 1  Router(config)# interface virtual-template     Creates a virtual template interface and enters interface
        number                                         configuration mode.
Step 2  Router(config-if)# ip unnumbered ethernet 0    Enables IP without assigning a specific IP address on the LAN.
Step 3  Router(config-if)# encapsulation ppp           Enables PPP encapsulation on the virtual template interface.
Step 4  Router(config-if)# virtual-profile if-needed   (Optional) Creates virtual access interfaces only if the inbound
                                                       connection requires one.

Note Configuring the ip address command within a virtual template is not recommended. Configuring a
specific IP address in a virtual template can result in the establishment of erroneous routes and the
loss of IP packets.
Optionally, other PPP configuration commands can be added to the virtual template configuration. For
example, you can add the ppp authentication chap command.
All configuration commands that apply to serial interfaces can also be applied to virtual template
interfaces, except shutdown and dialer commands.
For virtual template interface examples, see the “Configuration Examples for Virtual Template
Interface” section later in this chapter.
Monitoring and Maintaining a Virtual Access Interface
When a virtual template interface or a configuration from a user on a AAA server or both are applied
dynamically, a virtual access interface is created. Although a virtual access interface cannot be created
and configured directly, it can be displayed and cleared.
To display or clear a specific virtual access interface, use the following commands in EXEC mode:

Command                                        Purpose
Router> show interfaces virtual-access number  Displays the configuration of the virtual access interface.
Router> clear interface virtual-access number  Tears down the virtual access interface and frees the memory
                                               for other dial-in uses.

Configuration Examples for Virtual Template Interface
The following sections provide virtual template interface configuration examples:
• Basic PPP Virtual Template Interface
• Virtual Template Interface
• Selective Virtual Access Interface
• RADIUS Per-User and Virtual Profiles
• TACACS+ Per-User and Virtual Profiles
Basic PPP Virtual Template Interface
The following example enables virtual profiles (configured only by virtual template) on straightforward
PPP (no MLP), and configures a virtual template interface that can be cloned on a virtual access interface
for dial-in users:
virtual-profile virtual-template 1
interface virtual-template 1
ip unnumbered ethernet 0
encapsulation ppp
ppp authentication chap
Virtual Template Interface
The following two examples configure a virtual template interface and then display the configuration of
a virtual access interface when the template interface has been applied.
This example uses a named Internet Protocol Exchange (IPX) access list:
Router(config)# interface virtual-template 1
ip unnumbered Ethernet0
ipx ppp-client Loopback2
no cdp enable
ppp authentication chap
This example displays the configuration of the active virtual access interface that was configured by
virtual-template 1, defined in the preceding example:
Router# show interfaces virtual-access 1 configuration
Virtual-Access1 is a L2F link interface
interface Virtual-Access1 configuration...
ip unnumbered Ethernet0
ipx ppp-client Loopback2
no cdp enable
ppp authentication chap
Selective Virtual Access Interface
The following example shows how to create a virtual access interface for incoming calls that require a
virtual access interface:
aaa new-model
aaa authentication ppp default local radius tacacs
aaa authorization network default local radius tacacs
virtual-profile if-needed
virtual-profile virtual-template 1
virtual-profile aaa
!
interface Virtual-Template1
ip unnumbered Ethernet 0
no ip directed-broadcast
no keepalive
ppp authentication chap
ppp multilink
RADIUS Per-User and Virtual Profiles
The following examples show RADIUS user profiles that could be used for selective virtual access
interface creation.
This example shows AAA per-user configuration for a RADIUS user profile:
RADIUS user profile:
foo Password = "test"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "ip:inacl#1=deny 10.10.10.10 0.0.0.0",
cisco-avpair = "ip:inacl#1=permit any"
This example shows a virtual profile AAA configuration for a RADIUS user profile:
RADIUS user profile:
foo Password = "test"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "lcp:interface-config=keepalive 30\nppp max-bad-auth 4"
TACACS+ Per-User and Virtual Profiles
The following examples show TACACS+ user profiles that could be used for selective virtual access
interface creation.
This example shows AAA per-user configuration for a TACACS+ user profile:
user = foo {
name = "foo"
global = cleartext test
service = PPP protocol = ip {
inacl#1="deny 10.10.10.10 0.0.0.0"
inacl#1="permit any"
}
}
This example shows a virtual profile AAA configuration for a TACACS+ user profile:
TACACS+ user profile:
user = foo {
name = "foo"
global = cleartext test
service = PPP protocol = lcp {
interface-config="keepalive 30\nppp max-bad-auth 4"
}
service = ppp protocol = ip {
}
}
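The selective creation rules from the “Selective Virtual Access Interface Creation” section, applied to RADIUS profiles of the two shapes shown above, as an added example that is not Cisco's or IOS code. It assumes that an lcp:interface-config AV pair is what constitutes a virtual profile AAA configuration, that protocol-prefixed attributes such as ip:inacl#N are AAA per-user configuration, and that asynchronous and ISDN are the two link types the text names.

```python
"""Selective virtual access interface creation (virtual-profile if-needed).

Added example, not Cisco's code. It applies the three criteria from the
"Selective Virtual Access Interface Creation" section to a user's RADIUS
profile. Assumptions: an lcp:interface-config AV pair counts as a virtual
profile AAA configuration, and protocol-prefixed AV pairs such as
ip:inacl#N count as AAA per-user configuration (the two profile shapes
shown in the RADIUS examples); asynchronous links support direct per-user
AAA and ISDN links do not, as the text states.
"""
from dataclasses import dataclass
from typing import List

# Whether a link type supports direct per-user AAA (from the chapter text).
DIRECT_PER_USER_AAA = {"async": True, "isdn": False}

VP_PREFIX = "lcp:interface-config="
PER_USER_PREFIXES = ("ip:", "ipx:")  # assumption: network-protocol per-user attributes


@dataclass(frozen=True)
class ProfileClassification:
    has_virtual_profile_aaa: bool  # criterion 1
    has_per_user_aaa: bool         # criterion 2


def parse_radius_profile(text: str) -> List[str]:
    """Return the cisco-avpair values from a RADIUS user profile written in
    the 'attribute = value,' text form used in this chapter."""
    values = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line.startswith("cisco-avpair"):
            continue
        # Split at the first '=' only; the value itself contains '='.
        _, _, value = line.partition("=")
        values.append(value.strip().strip('"'))
    return values


def classify(avpairs: List[str]) -> ProfileClassification:
    """Decide which of the two AAA configuration kinds the profile carries."""
    has_vp = any(v.startswith(VP_PREFIX) for v in avpairs)
    has_per_user = any(v.startswith(PER_USER_PREFIXES) for v in avpairs)
    return ProfileClassification(has_vp, has_per_user)


def creates_virtual_access_interface(profile: ProfileClassification, link: str) -> bool:
    """Apply the chapter's rules for a router configured with virtual-profile
    if-needed: a virtual profile AAA configuration always needs a virtual
    access interface; a per-user configuration alone needs one only when the
    link interface cannot apply per-user AAA directly (criterion 3)."""
    if profile.has_virtual_profile_aaa:
        return True
    if profile.has_per_user_aaa:
        return not DIRECT_PER_USER_AAA[link]
    return False


# Constructed sample profiles, copied from the shapes shown in this chapter.
PER_USER_RADIUS = r'''foo Password = "test"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:inacl#1=deny 10.10.10.10 0.0.0.0",
    cisco-avpair = "ip:inacl#1=permit any"
'''

VP_AAA_RADIUS = r'''foo Password = "test"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=keepalive 30\nppp max-bad-auth 4"
'''


def decide(profile_text: str, link: str) -> bool:
    """Convenience wrapper: profile text plus link type to creation decision."""
    return creates_virtual_access_interface(classify(parse_radius_profile(profile_text)), link)


if __name__ == "__main__":
    for name, text in (("per-user", PER_USER_RADIUS), ("vp-aaa", VP_AAA_RADIUS)):
        for link in DIRECT_PER_USER_AAA:
            print(f"{name:8s} on {link:5s}: virtual access interface = {decide(text, link)}")
```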
Configuring Virtual Profiles
This chapter describes how to configure virtual profiles for use with virtual access interfaces. It includes
the following main sections:
• Virtual Profiles Overview
• How Virtual Profiles Work—Four Configuration Cases
• How to Configure Virtual Profiles
• Troubleshooting Virtual Profile Configurations
• Configuration Examples for Virtual Profiles
Virtual profiles run on all Cisco IOS platforms that support Multilink PPP (MLP).
We recommend that unnumbered addresses be used in virtual template interfaces to ensure that duplicate
network addresses are not created on virtual access interfaces.
Virtual profiles interoperate with Cisco dial-on-demand routing (DDR), MLP, and dialers such as ISDN.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the virtual profile commands mentioned in this chapter, refer to the Cisco
IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands
that appear in this chapter, use the command reference master index or search online.
Virtual Profiles Overview
A virtual profile is a unique application that can create and configure a virtual access interface
dynamically when a dial-in call is received and that can tear down the interface dynamically when the
call ends. Virtual profiles support these encapsulation methods:
• PPP
• MLP
• High-Level Data Link Control (HDLC)
• Link Access Procedure, Balanced (LAPB)
• X.25
• Frame Relay
Any commands for these encapsulations that can be configured under a serial interface can be configured
under a virtual profile stored in a user file on an authentication, authorization, and accounting (AAA)
server and a virtual profile virtual template configured locally. The AAA server daemon downloads them
as text to the network access server and is able to handle multiple download attempts.
The configuration information for a virtual profiles virtual access interface can come from a virtual
template interface or from user-specific configuration stored on a AAA server, or both.
If a B interface is bound by the calling line identification (CLID) to a created virtual access interface
cloned from a virtual profile or a virtual template interface, only the configuration from the virtual
profile or the virtual template takes effect. The configuration on the D interface is ignored unless
successful binding occurs by PPP name. Both the link and network protocols run on the virtual access
interface instead of the B channel, unless the encapsulation is PPP.
Moreover, in previous releases of Cisco IOS software, downloading a profile from an AAA server and
creating and cloning a virtual access interface was always done after the PPP call answer and link control
protocol (LCP) up processes. The AAA download is part of authorization. But in the current release,
these operations must be performed before the call is answered and the link protocol goes up. This
restriction is a new AAA nonauthenticated authorization step. The virtual profile code handles multiple
download attempts and identifies whether a virtual access interface was cloned from a downloaded
virtual profile.
When a successful download is done through nonauthenticated authorization and the configuration on
the virtual profile has encapsulation PPP and PPP authentication, authentication is negotiated as a
separate step after LCP comes up.
The per-user configuration feature also uses configuration information gained from a AAA server.
However, per-user configuration uses network configurations (such as access lists and route filters)
downloaded during Network Control Protocol (NCP) negotiations.
Two rules govern virtual access interface configuration by virtual profiles, virtual template interfaces,
and AAA configurations:
• Each virtual access application can have at most one template to clone from but can have multiple
AAA configurations to clone from (virtual profiles AAA information and AAA per-user
configuration, which in turn might include configuration for multiple protocols).
• When virtual profiles are configured by virtual template, that template has higher priority than any
other virtual template.
See the section “How Virtual Profiles Work—Four Configuration Cases” for a description of the possible
configuration sequences for configuration by virtual template or AAA or both. See the section “Multilink
PPP Effect on Virtual Access Interface Configuration” for a description of the possible configuration
sequences that depend on the presence or absence of MLP or another virtual access feature that clones
a virtual template interface.
DDR Configuration of Physical Interfaces
Virtual profiles fully interoperate with physical interfaces in the following DDR configuration states
when no other virtual access interface application is configured:
• Dialer profiles are configured for the interface—The dialer profile is used instead of the virtual
profiles configuration.
• DDR is not configured on the interface—Virtual profiles override the current configuration.
• Legacy DDR is configured on the interface—Virtual profiles override the current configuration.
Note If a dialer interface is used (including any ISDN dialer), its configuration is used on the physical
interface instead of the virtual profiles configuration.
Multilink PPP Effect on Virtual Access Interface Configuration
As shown in Table 28, exactly how a virtual access interface will be configured depends on the following
three factors:
• Whether virtual profiles are configured by a virtual template, by AAA, by both, or by neither. In the
table, these states are shown as “VP VT only,” “VP AAA only,” “VP VT and VP AAA,” and “No
VP at all,” respectively.
• The presence or absence of a dialer interface.
• The presence or absence of MLP. The column label “MLP” is a stand-in for any virtual access
feature that supports MLP and clones from a virtual template interface.
In Table 28, “(Multilink VT)” means that a virtual template interface is cloned if one is defined for MLP
or a virtual access feature that uses MLP.
The order of items in any cell of the table is important. Where VP VT is shown above VP AAA, it means
that first the virtual profile virtual template is cloned on the interface, and then the AAA interface
configuration for the user is applied to it. The user-specific AAA interface configuration adds to the
configuration and overrides any conflicting physical interface or virtual template configuration
commands.
Interoperability with Other Features That Use Virtual Templates
Virtual profiles also interoperate with virtual access applications that clone a virtual template interface.
Each virtual access application can have at most one template to clone from but can clone from multiple
AAA configurations.
Table 28 Virtual Profiles Configuration Cloning Sequence

Virtual Profiles    MLP,               MLP,               No MLP,                No MLP,
Configuration       No Dialer          Dialer             No Dialer              Dialer
------------------  -----------------  -----------------  ---------------------  ---------------------
VP VT only          VP VT              VP VT              VP VT                  VP VT
VP AAA only         (Multilink VT)     (Multilink VT)     VP AAA                 VP AAA
                    VP AAA             VP AAA
VP VT and VP AAA    VP VT              VP VT              VP VT                  VP VT
                    VP AAA             VP AAA             VP AAA                 VP AAA
No VP at all        (Multilink VT) 1   Dialer 2           No virtual access      No virtual access
                                                          interface is created.  interface is created.

1. The multilink bundle virtual access interface is created and uses the default settings for MLP or the relevant virtual access
feature that uses MLP.
2. The multilink bundle virtual access interface is created and cloned from the dialer interface configuration.
The interaction between virtual profiles and other virtual template applications is as follows:
• If virtual profiles are enabled and a virtual template is defined for it, the virtual profile virtual
template is used.
• If virtual profiles are configured by AAA alone (no virtual template is defined for virtual profiles),
the virtual template for another virtual access application (virtual private dialup networks or
VPDNs, for example) can be cloned onto the virtual access interface.
• A virtual template, if any, is cloned to a virtual access interface before the virtual profiles AAA
configuration or AAA per-user configuration. AAA per-user configuration, if used, is applied last.
How Virtual Profiles Work—Four Configuration Cases
This section describes virtual profiles and the various ways that they can work with virtual template
interfaces, user-specific AAA interface configuration, and MLP or another feature that requires MLP.
Virtual profiles separate configuration information into two logical parts:
• Generic—Common configuration for dial-in users plus other router-dependent configuration. This
common and router-dependent information can define a virtual template interface stored locally on
the router. The generic virtual template interface is independent of and can override the
configuration of the physical interface on which a user dialed in.
• User-specific interface information—Interface configuration stored in a user file on an AAA server;
for example, the authentication requirements and specific interface settings for a specific user. The
settings are sent to the router in the response to the request from the router to authenticate the user,
and the settings can override the generic configuration. This process is explained more in the section
“Virtual Profiles Configured by AAA” later in this chapter.
These logical parts can be used separately or together. Four separate cases are possible:
• Case 1: Virtual Profiles Configured by Virtual Template—Applies the virtual template.
• Case 2: Virtual Profiles Configured by AAA—Applies the user-specific interface configuration
received from the AAA server.
• Case 3: Virtual Profiles Configured by Virtual Template and AAA Configuration—Applies the
virtual template and the user-specific interface configuration received from the AAA server.
• Case 4: Virtual Profiles Configured by AAA, and a Virtual Template Defined by Another
Application—Applies the other application’s virtual template interface and then applies the
user-specific interface configuration received from the AAA server.
Note All cases assume that AAA is configured globally on the router, that the user has configuration
information in the user file on the AAA server, that PPP authentication and authorization proceed as
usual, and that the AAA server sends user-specific configuration information in the authorization
approval response packet to the router.
The cases also assume that AAA works as designed and that the AAA server sends configuration
information for the dial-in user to the router, even when virtual profiles by virtual template are
configured.
See the sections “Virtual Profiles Configured by Virtual Templates,” “Virtual Profiles Configured by
AAA Configuration,” “Virtual Profiles Configured by Virtual Templates and AAA Configuration,” and
“Virtual Profiles Configured by AAA Plus a VPDN Virtual Template on a VPDN Home Gateway” later
in this chapter for examples of how to configure these cases.
Case 1: Virtual Profiles Configured by Virtual Template
In the case of virtual profiles configured by virtual template, the software functions as follows:
• If the physical interface is configured for dialer profiles (a DDR feature), the router looks for a dialer
profile for the specific user.
• If a dialer profile is found, it is used instead of virtual profiles.
• If a dialer profile is not found for the user, or legacy DDR is configured, or DDR is not configured
at all, virtual profiles create a virtual access interface for the user.
The router applies the configuration commands that are in the virtual template interface to create and
configure the virtual profile. The template includes generic interface information and router-specific
information, but no user-specific information. No matter whether a user dialed in on a synchronous
serial, an asynchronous serial, or an ISDN interface, the dynamically created virtual profile for the user
is configured as specified in the virtual template.
Then the router interprets the lines in the AAA authorization approval response from the server as
Cisco IOS commands to apply to the virtual profile for the user.
Data flows through the virtual profile, and the higher layers treat it as the interface for the user.
For example, if a virtual template included only the three commands ip unnumbered ethernet 0,
encapsulation ppp, and ppp authentication chap, the virtual profile for any dial-in user would include
those three commands.
In Figure 68, the dotted box represents the virtual profile configured with the commands that are in the
virtual template, no matter which interface the call arrives on.
Figure 68 Virtual Profiles by Virtual Template
See the section “Configuring Virtual Profiles by Virtual Template” later in this chapter for configuration
tasks for this case.
Case 2: Virtual Profiles Configured by AAA
In this case, no dialer profile (a DDR feature) is defined for the specific user and no virtual template for
virtual profiles is defined, but virtual profiles by AAA are enabled on the router.
During the PPP authorization phase for the user, the AAA server responds as usual to the router. The
authorization approval contains configuration information for the user. The router interprets each of the
lines in the AAA response from the server as Cisco IOS commands to apply to the virtual profile for the
user.
[Figure 68: whether the call arrives on a synchronous serial, an asynchronous, or an ISDN (B1/B2) interface, the virtual profile is configured with ip unnumbered ethernet 0, encapsulation ppp, and ppp authentication chap, and the upper layers sit on it.]
Note If MLP is negotiated, the MLP virtual template is cloned first (this is the second row), and then
interface-specific commands included in the AAA response from the server for the user are applied.
The MLP virtual template overrides any conflicting interface configuration, and the AAA interface
configuration overrides any conflicting configuration from both the physical interface and the MLP
virtual template.
The router applies all the user-specific interface commands received from the AAA server.
Suppose, for example, that the router interpreted the response by the AAA server as including only the
following two commands for this user:
ip address 10.10.10.10 255.255.255.255
keepalive 30
In Figure 69, the dotted box represents the virtual profile configured only with the commands received
from the AAA server, no matter which interface the incoming call arrived on. On the AAA RADIUS
server, the attribute-value (AV) pair might have read as follows, where “\n” means to start a new
command line:
cisco-avpair = "lcp:interface-config=ip address 10.10.10.10 255.255.255.0\nkeepalive 30",
Figure 69 Virtual Profiles by AAA Configuration
See the section “Configuring Virtual Profiles by AAA Configuration” later in this chapter for
configuration tasks for this case.
Case 3: Virtual Profiles Configured by Virtual Template and AAA Configuration
In this case, no DDR dialer profile is defined for the specific user, a virtual template for virtual profiles
is defined, virtual profiles by AAA is enabled on the router, the router is configured for AAA, and a
user-specific interface configuration for the user is stored on the AAA server.
The router performs the following tasks in order:
1. Dynamically creates a virtual access interface cloned from the virtual template defined for virtual
profiles.
2. Applies the user-specific interface configuration received from the AAA server.
If any command in the user’s configuration conflicts with a command on the original interface or a
command applied by cloning the virtual template, the user-specific command overrides the other
command.
[Figure 69: for user ssmith on a synchronous serial, an asynchronous, or an ISDN (B1/B2) interface, the virtual profile is configured with ip address 10.1.1.1 255.255.255.255 and keepalive 30, and the upper layers sit on it.]
Suppose that the router had the virtual template as defined in Case 1 and the AAA user configuration as
defined in Case 2. In Figure 70 the dotted box represents the virtual profile configured with
configuration information from both sources, no matter which interface the incoming call arrived on.
The ip address command has overridden the ip unnumbered command.
Figure 70 Virtual Profiles by Both Virtual Template and AAA Configuration
See the section “Configuring Virtual Profiles by Both Virtual Template and AAA Configuration” later
in this chapter for configuration tasks for this case.
Case 4: Virtual Profiles Configured by AAA, and a Virtual Template Defined by
Another Application
In this case, no DDR dialer profile is defined for the specific user, virtual profiles by AAA are configured
on the router but no virtual template is defined for virtual profiles, and a user-specific interface
configuration is stored on the AAA server. In addition, a virtual template is configured for some other
virtual access application (a VPDN, for example).
The router performs the following tasks in order:
1. Dynamically creates a virtual access interface and clones the virtual template from the other virtual
access application onto it.
2. Applies the user-specific interface configuration received from the AAA server.
If any command in the virtual template conflicts with a command on the original interface, the template
overrides it.
If any command in the AAA interface configuration for the user conflicts with a command in the virtual
template, the user's AAA interface configuration overrides the virtual template.
If per-user configuration is also configured on the AAA server, that network protocol configuration is
applied to the virtual access interface last.
The result is a virtual interface unique to that user.
[Figure 70: for user ssmith on a synchronous serial, an asynchronous, or an ISDN (B1/B2) interface, the virtual profile is configured with encapsulation ppp, ppp authentication chap, ip address 10.1.1.1 255.255.255.255, and keepalive 30, and the upper layers sit on it.]
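The cloning order from Table 28 and from Cases 1 to 4, as an added Python model that is not part of this guide or of IOS. It splits the lcp:interface-config AV pair the way the chapter describes and applies template, then AAA interface configuration, then per-user configuration; the conflict_key rules for which interface commands override each other are an assumption made for illustration.

```python
"""Assembling a virtual access interface configuration in cloning order.

Added example, not Cisco's code. It models Table 28 and Cases 1 to 4:
which template (if any) is cloned first, then the user's AAA interface
configuration from the lcp:interface-config AV pair, then AAA per-user
network configuration last, with a later command overriding an earlier
conflicting one (ip address overrides ip unnumbered, as in Figure 70).
Assumption: the conflict_key rules below are a simplified model of which
IOS interface commands conflict; the chapter gives no such list.
"""
import re
from typing import Dict, List, Optional


def cloning_sequence(vp_vt: bool, vp_aaa: bool, mlp: bool, dialer: bool) -> Optional[List[str]]:
    """Table 28: the sources cloned onto the virtual access interface, in
    order, or None when no virtual access interface is created at all."""
    if vp_vt and vp_aaa:
        return ["VP VT", "VP AAA"]
    if vp_vt:
        return ["VP VT"]  # the virtual profile template wins in every column
    if vp_aaa:
        # "(Multilink VT)": the MLP template is cloned only if one is defined.
        return ["Multilink VT", "VP AAA"] if mlp else ["VP AAA"]
    if mlp:
        # No virtual profiles: the bundle interface clones the dialer
        # configuration if there is a dialer, else uses MLP default settings.
        return ["Dialer"] if dialer else ["Multilink VT"]
    return None


_ADDRESSING = {"address", "unnumbered"}


def conflict_key(command: str) -> str:
    """Commands with the same key configure the same thing and override each
    other when applied from a later source (assumed rules)."""
    words = command.split()
    if words[:1] == ["no"]:
        words = words[1:]
    if not words:
        raise ValueError("empty command")
    if words[0] == "ip" and len(words) > 1 and words[1] in _ADDRESSING:
        return "ip addressing"  # ip address and ip unnumbered are alternatives
    if words[0] in {"ip", "ipx", "ppp"} and len(words) > 1:
        return f"{words[0]} {words[1]}"
    return words[0]


def parse_interface_config(avpair: str) -> List[str]:
    """Split an lcp:interface-config AV pair value into commands. The chapter
    uses the two characters backslash-n as the separator; a real newline is
    accepted as well."""
    prefix = "lcp:interface-config="
    if not avpair.startswith(prefix):
        raise ValueError("not an lcp:interface-config AV pair")
    parts = re.split(r"\\n|\n", avpair[len(prefix):])
    return [p.strip() for p in parts if p.strip()]


def build_virtual_access_config(template: List[str], aaa_interface_config: List[str],
                                per_user: List[str]) -> List[str]:
    """Clone the template, then apply the AAA interface configuration, then
    append per-user network configuration (access lists, route filters)."""
    merged: Dict[str, str] = {}
    for source in (template, aaa_interface_config):
        for cmd in source:
            merged[conflict_key(cmd)] = cmd  # later source overrides earlier
    # Per-user network configuration is applied last; it adds to, rather
    # than replaces, the interface commands, so it is kept verbatim.
    return list(merged.values()) + list(per_user)


# Constructed inputs taken from the chapter's Case 1 template and Case 2 AV pair.
VIRTUAL_TEMPLATE_1 = ["ip unnumbered ethernet 0", "encapsulation ppp", "ppp authentication chap"]
AAA_AVPAIR = r"lcp:interface-config=ip address 10.10.10.10 255.255.255.0\nkeepalive 30"
PER_USER = ["ip:inacl#1=deny 10.10.10.10 0.0.0.0", "ip:inacl#1=permit any"]


if __name__ == "__main__":
    print("Case 2 (AAA only):", build_virtual_access_config([], parse_interface_config(AAA_AVPAIR), []))
    print("Case 3 (VT + AAA):", build_virtual_access_config(VIRTUAL_TEMPLATE_1,
                                                           parse_interface_config(AAA_AVPAIR), PER_USER))
```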
How to Configure Virtual Profiles
To configure virtual profiles for dial-in users, perform the tasks in one of the first three sections and then
troubleshoot the configuration by performing the tasks in the last section:
• Configuring Virtual Profiles by Virtual Template (As required)
• Configuring Virtual Profiles by AAA Configuration (As required)
• Configuring Virtual Profiles by Both Virtual Template and AAA Configuration (As required)
• Troubleshooting Virtual Profile Configurations (As required)
Note Do not define a DDR dialer profile for a user if you intend to define virtual profiles for the user.
See the section “Configuration Examples for Virtual Profiles” at the end of this chapter for examples of
how to use virtual profiles in your network configuration.
Configuring Virtual Profiles by Virtual Template
To configure virtual profiles by virtual template, complete these two tasks:
• Creating and Configuring a Virtual Template Interface
• Specifying a Virtual Template Interface for Virtual Profiles
Note The order in which these tasks are performed is not crucial. However, both tasks must be completed
before virtual profiles are used.
Creating and Configuring a Virtual Template Interface
Because a virtual template interface is a serial interface, all the configuration commands that apply to
serial interfaces can also be applied to virtual template interfaces, except shutdown and dialer
commands.
To create and configure a virtual template interface, use the following commands beginning in global
configuration mode:

        Command                                              Purpose
Step 1  Router(config)# interface virtual-template number   Creates a virtual template interface and enters
                                                             interface configuration mode.
Step 2  Router(config-if)# ip unnumbered ethernet 0          Enables IP without assigning a specific IP address on
                                                             the LAN.
Step 3  Router(config-if)# encapsulation ppp                 Enables PPP encapsulation on the virtual template
                                                             interface.

Other optional PPP configuration commands can be added to the virtual template configuration. For
example, you can add the ppp authentication chap command.
Specifying a Virtual Template Interface for Virtual Profiles
To specify a virtual template interface as the source of information for virtual profiles, use the following
command in global configuration mode:

Command                                                   Purpose
Router(config)# virtual-profile virtual-template number   Specifies the virtual template interface as the source
                                                          of information for virtual profiles.

Virtual template numbers range from 1 to 25.
Configuring Virtual Profiles by AAA Configuration
To configure virtual profiles by AAA only, complete these three tasks in any order. All tasks must be
completed before virtual profiles are used.
• On the AAA server, create user-specific interface configurations for each of the specific users to use
this method. See your AAA server documentation for more detailed configuration information about
your AAA server.
• Configure AAA on the router, as described in the Cisco IOS Security Configuration Guide, Release
12.2.
• Specify AAA as the source of information for virtual profiles.
To specify AAA as the source of information for virtual profiles, use the following command in global
configuration mode:

Command                               Purpose
Router(config)# virtual-profile aaa   Specifies AAA as the source of user-specific interface
                                      configuration.

If you also want to use per-user configuration for network protocol access lists or route filters for
individual users, see the chapter “Configuring Per-User Configuration” in this publication. In this case,
no virtual template interface is defined for virtual profiles.
Configuring Virtual Profiles by Both Virtual Template and AAA Configuration
Use of user-specific AAA interface configuration information with virtual profiles requires the router to
be configured for AAA and requires the AAA server to have user-specific interface configuration
AV-pairs. The relevant AV-pairs (on a RADIUS server) begin as follows:
cisco-avpair = "lcp:interface-config=...",
The information that follows the equal sign (=) could be any Cisco IOS interface configuration
command. For example, the line might be the following:
cisco-avpair = "lcp:interface-config=ip address 192.168.200.200 255.255.255.0",
Use of a virtual template interface with virtual profiles requires a virtual template to be defined
specifically for virtual profiles.
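What the router does with these AV-pairs once virtual-profile aaa is configured is worth making concrete: every lcp:interface-config value the AAA server returns is split into interface-mode commands and applied to the virtual-access interface cloned for that user, so a compromised or misconfigured RADIUS profile becomes running configuration on the router. The following Python script is an added example (not Cisco code and not part of this guide): it parses users-file entries in the style this chapter uses, expands the "\n"-separated interface commands, and vets them against a site allowlist before they would be pushed. The allowlist, the user names and the mallory entry are constructed for the example; the rejection of shutdown and dialer commands follows the statement earlier in this chapter that they cannot be applied to a virtual template interface.

```python
from dataclasses import dataclass, field

# Constructed sample in the RADIUS "users" file style used in this chapter.
# Inside lcp:interface-config the two characters "\n" start a new IOS command
# line (the raw string keeps them literal, as a RADIUS server would see them).
SAMPLE_USERS = r'''
john Password = "welcome"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=keepalive 75\nip address 172.16.100.100 255.255.255.0"
rick Password = "emoclew"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0",
        cisco-avpair = "ip:inacl#3=permit ip any any precedence immediate"
mallory Password = "x"
        cisco-avpair = "lcp:interface-config=ip address 10.9.9.9 255.255.255.0\nshutdown\ndialer in-band"
'''

# Hypothetical site policy: interface-mode commands the AAA server may push.
ALLOWED_PREFIXES = ("ip address ", "ip unnumbered ", "keepalive ", "ip access-group ", "ppp ")
# shutdown and dialer commands cannot be applied to a virtual template interface.
DENIED_PREFIXES = ("shutdown", "dialer ")

LCP_PREFIX = "lcp:interface-config="


@dataclass
class UserProfile:
    name: str
    interface_cmds: list = field(default_factory=list)  # expanded lcp:interface-config
    other_avpairs: list = field(default_factory=list)   # ip:inacl#, ip:rte-fltr-out#, ...


def parse_users_file(text):
    """Parse users-file entries into UserProfile objects, expanding \\n into commands."""
    users = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # "name Password = ..." starts an entry
            users.append(UserProfile(raw.split()[0]))
            continue
        key, _, value = raw.strip().partition("=")
        key = key.strip()
        value = value.strip().rstrip(",").strip().strip('"')
        if key != "cisco-avpair":
            continue                              # Framed-Protocol etc. are not interface config
        if value.startswith(LCP_PREFIX):
            body = value[len(LCP_PREFIX):]
            users[-1].interface_cmds.extend(c.strip() for c in body.split("\\n") if c.strip())
        else:
            users[-1].other_avpairs.append(value)
    return users


def vet_interface_config(cmds):
    """Split the pushed commands into (accepted, rejected) under the site policy."""
    accepted, rejected = [], []
    for cmd in cmds:
        if cmd.startswith(DENIED_PREFIXES) or not cmd.startswith(ALLOWED_PREFIXES):
            rejected.append(cmd)
        else:
            accepted.append(cmd)
    return accepted, rejected


def render_virtual_access(template_cmds, profile):
    """Order the chapter describes: virtual template first, then the user's AAA
    interface configuration on top; only vetted commands are applied."""
    accepted, _ = vet_interface_config(profile.interface_cmds)
    return list(template_cmds) + accepted


if __name__ == "__main__":
    template = ["ip unnumbered ethernet 0", "encapsulation ppp", "ppp authentication chap"]
    for user in parse_users_file(SAMPLE_USERS):
        _, rejected = vet_interface_config(user.interface_cmds)
        print(user.name, render_virtual_access(template, user), "rejected:", rejected)
```

The same check belongs on the RADIUS side as a change-control gate for user profiles: the router itself applies whatever it is handed, so the allowlist is the only place where "any Cisco IOS interface configuration command" is narrowed to what a dial-in user should be able to set.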
To configure virtual profiles by both virtual template interface and AAA configuration, complete the
following tasks in any order. All tasks must be completed before virtual profiles are used.
• On the AAA server, create user-specific interface configurations for each of the specific users to use
this method. See your AAA server documentation for more detailed configuration information about
your AAA server.
• Configure AAA on the router, as described in the Cisco IOS Security Configuration Guide
publication.
• Creating and Configuring a Virtual Template Interface, described later in this chapter.
• Specifying Virtual Profiles by Both Virtual Templates and AAA, described later in this chapter.
Creating and Configuring a Virtual Template Interface
To create and configure a virtual template interface, use the following commands beginning in global
configuration mode:

        Command                                              Purpose
Step 1  Router(config)# interface virtual-template number   Creates a virtual template interface and enters
                                                             interface configuration mode.
Step 2  Router(config-if)# ip unnumbered ethernet 0          Enables IP without assigning a specific IP address on
                                                             the LAN.
Step 3  Router(config-if)# encapsulation ppp                 Enables PPP encapsulation on the virtual template
                                                             interface.

Because the software treats a virtual template interface as a serial interface, all the configuration
commands that apply to serial interfaces can also be applied to virtual template interfaces, except
shutdown and dialer commands. Other optional PPP configuration commands can also be added to the
virtual template configuration. For example, you can add the ppp authentication chap command.
Specifying Virtual Profiles by Both Virtual Templates and AAA
To specify both the virtual template interface and the AAA per-user configuration as sources of
information for virtual profiles, use the following commands in global configuration mode:

        Command                                                   Purpose
Step 1  Router(config)# virtual-profile virtual-template number   Defines the virtual template interface as the
                                                                   source of information for virtual profiles.
Step 2  Router(config)# virtual-profile aaa                        Specifies AAA as the source of user-specific
                                                                   configuration for virtual profiles.

If you also want to use per-user configuration for network protocol access lists or route filters for
individual users, see the chapter “Configuring Per-User Configuration” in this publication.
Troubleshooting Virtual Profile Configurations
To troubleshoot the virtual profiles configurations, use any of the following debug commands in EXEC
mode:

Command                      Purpose
Router# debug dialer         Displays information about dial calls and negotiations and virtual profile
                             events.
Router# debug aaa per-user   Displays information about the per-user configuration downloaded from
                             the AAA server.
Router# debug vtemplate      Displays cloning information for a virtual access interface from the time it
                             is cloned from a virtual template to the time it comes down.

Configuration Examples for Virtual Profiles
The following sections provide examples for the four cases described in this chapter:
• Virtual Profiles Configured by Virtual Templates
• Virtual Profiles Configured by AAA Configuration
• Virtual Profiles Configured by Virtual Templates and AAA Configuration
• Virtual Profiles Configured by AAA Plus a VPDN Virtual Template on a VPDN Home Gateway
In these examples, BRI 0 is configured for legacy DDR, and interface BRI 1 is configured for dialer
profiles. Note that interface dialer 0 is configured for legacy DDR. Interface dialer 1 is a dialer profile.
The intention of the examples is to show how to configure virtual profiles. In addition, the examples
show the interoperability of DDR and dialer profiles in the respective cases with various forms of virtual
profiles.
The same user names (John and Rick) occur in all these examples. Note the different configuration
allowed to them in each of the four examples.
John is a normal user and can dial in to BRI 0 only. Rick is a privileged user who can dial in to BRI 0
and BRI 1. If Rick dials into BRI 1, the dialer profile will be used. If Rick dials into BRI 0, virtual
profiles will be used. Because John does not have a dialer profile, only virtual profiles can be applied to
John.
To see an example of a configuration using virtual profiles and the Dynamic Multiple Encapsulations
feature, see the “Multiple Encapsulations over ISDN” example in the chapter “Configuring Peer-to-Peer
DDR with Dialer Profiles.”
Virtual Profiles Configured by Virtual Templates
The following example shows a router configured for virtual profiles by virtual template. (Virtual
profiles do not have any interface-specific AAA configuration.) Comments in the example draw
attention to specific features or ignored lines.
In this example, the same virtual template interface applies to both users; they have the same interface
configurations.
Router Configuration
! Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
! The following command is required.
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
! The enable secret takes precedence; the cleartext enable password below is
! redundant and only stores a second, weaker credential in the configuration.
enable password lab
!
! Specify configuration of virtual profiles by virtual template.
! This is the key command for this example.
virtual-profile virtual-template 1
!
! Define the virtual template.
interface Virtual-Template 1
ip unnumbered ethernet 0
encapsulation ppp
ppp authentication chap
!
isdn switch-type basic-dms100
interface BRI 0
description Connected to 103
encapsulation ppp
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
interface BRI 1
description Connected to 104
encapsulation ppp
! Disable fast switching.
no ip route-cache
dialer pool-member 1
ppp authentication chap
!
! Configure dialer interface 0 for DDR for John and Rick.
interface dialer 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
! Enable legacy DDR.
dialer in-band
! Disable fast switching.
no ip route-cache
dialer map ip 10.1.1.2 name john 1111
dialer map ip 10.1.1.3 name rick 2222
dialer-group 1
ppp authentication chap
!
! Configure dialer interface 1 for DDR to dial out to Rick.
interface dialer 1
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name rick
dialer string 3333
dialer pool 1
dialer-group 1
! Disable fast switching.
no ip route-cache
ppp authentication chap
dialer-list 1 protocol ip permit
Virtual Profiles Configured by AAA Configuration
The following example shows the router configuration for virtual profiles by AAA and the AAA server
configuration for user-specific interface configurations. John and Rick have different IP addresses.
In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS
command line.
AAA Configuration for John and Rick
john Password = "welcome"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=keepalive 75\nip address 172.16.100.100 255.255.255.0"
rick Password = "emoclew"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0"
Router Configuration
! Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
! This is a key command for this example.
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
! Specify configuration of virtual profiles by aaa.
! This is a key command for this example.
virtual-profile aaa
!
! Interface BRI 0 is configured for legacy DDR.
interface BRI 0
description Connected to 103
encapsulation ppp
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
! Interface BRI 1 is configured for dialer profiles.
interface BRI 1
description Connected to 104
encapsulation ppp
! Disable fast switching.
no ip route-cache
dialer pool-member 1
ppp authentication chap
!
! Configure dialer interface 0 for DDR for John and Rick.
interface dialer 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
! Enable legacy DDR.
dialer in-band
! Disable fast switching.
no ip route-cache
dialer map ip 10.1.1.2 name john 1111
dialer map ip 10.1.1.3 name rick 2222
dialer-group 1
ppp authentication chap
!
! Configure dialer interface 1 for DDR to dial out to Rick.
interface dialer 1
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name rick
dialer string 3333
dialer pool 1
dialer-group 1
! Disable fast switching.
no ip route-cache
ppp authentication chap
dialer-list 1 protocol ip permit
Virtual Profiles Configured by Virtual Templates and AAA Configuration
The following example shows how virtual profiles can be configured by both virtual templates and AAA
configuration. John and Rick can dial in from anywhere and have their same keepalive settings and their
own IP addresses.
The remaining AV pair settings are not used by virtual profiles. They are the network protocol access
lists and route filters used by AAA-based per-user configuration.
In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS
command line.
AAA Configuration for John and Rick
john Password = "welcome"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=keepalive 75\nip address 10.16.100.100 255.255.255.0",
        cisco-avpair = "ip:rte-fltr-out#0=router igrp 60",
        cisco-avpair = "ip:rte-fltr-out#3=deny 172.16.0.0 0.255.255.255",
        cisco-avpair = "ip:rte-fltr-out#4=deny 172.17.0.0 0.255.255.255",
        cisco-avpair = "ip:rte-fltr-out#5=permit any"
rick Password = "emoclew"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0",
        cisco-avpair = "ip:inacl#3=permit ip any any precedence immediate",
        cisco-avpair = "ip:inacl#4=deny igrp 10.0.1.2 255.255.0.0 any",
        cisco-avpair = "ip:outacl#2=permit ip any any precedence immediate",
        cisco-avpair = "ip:outacl#3=deny igrp 10.0.9.10 255.255.0.0 any"
Router Configuration
! Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
! This is a key command for this example.
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
! Specify use of virtual profiles and a virtual template.
! The following two commands are key for this example.
virtual-profile virtual-template 1
virtual-profile aaa
!
! Define the virtual template.
interface Virtual-Template 1
ip unnumbered ethernet 0
encapsulation ppp
ppp authentication chap
!
! Interface BRI 0 is configured for legacy DDR.
interface BRI 0
description Connected to 103
encapsulation ppp
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
! Interface BRI 1 is configured for dialer profiles.
interface BRI 1
description Connected to 104
encapsulation ppp
! Disable fast switching.
no ip route-cache
dialer pool-member 1
ppp authentication chap
!
! Configure dialer interface 0 for DDR to dial out to John and Rick.
interface dialer 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer in-band
! Disable fast switching.
no ip route-cache
dialer map ip 10.1.1.2 name john 1111
dialer map ip 10.1.1.3 name rick 2222
dialer-group 1
ppp authentication chap
!
! Configure dialer interface 1 for DDR to dial out to Rick.
interface dialer 1
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name rick
dialer string 3333
dialer pool 1
dialer-group 1
! Disable fast switching.
no ip route-cache
ppp authentication chap
!
dialer-list 1 protocol ip permit
Virtual Profiles Configured by AAA Plus a VPDN Virtual Template on a VPDN
Home Gateway
Like the virtual profiles configured by AAA example earlier in this section, the following example shows
the router configuration for virtual profiles by AAA. The user file on the AAA server also includes
interface configuration for John and Rick, the two users. Specifically, John and Rick each have their own
IP addresses when they are in privileged mode.
In this case, however, the router is also configured as the VPDN home gateway. It clones the VPDN
virtual template interface first and then clones the virtual profiles AAA interface configuration. If
per-user configuration were configured on this router and the user file on the AAA server had network
protocol information for the two users, that information would be applied to the virtual access interface
last.
In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS
command line.
AAA Configuration for John and Rick
john Password = "welcome"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=keepalive 75\nip address 10.100.100.100 255.255.255.0"
rick Password = "emoclew"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0"
Router Configuration
!Configure the router as the VPDN home gateway.
!
!Enable VPDN and specify the VPDN virtual template to use on incoming calls from the
!network access server.
vpdn enable
vpdn incoming dallas_wan go_blue virtual-template 6
!
!Configure the virtual template interface for VPDN.
interface virtual-template 6
ip unnumbered ethernet 0
encapsulation ppp
ppp authentication chap
!
!Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
!Specify configuration of virtual profiles by aaa.
virtual-profile aaa
!
!Configure the physical synchronous serial 0 interface.
interface Serial 0
description Connected to 101
encapsulation ppp
!Disable fast switching.
no ip route-cache
ppp authentication chap
!
!Configure serial interface 1 for DDR. S1 uses dialer rotary group 0, which is
!defined on BRI interface 0.
interface serial 1
description Connected to 102
encapsulation ppp
dialer in-band
! Disable fast switching.
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
interface BRI 0
description Connected to 103
encapsulation ppp
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
interface BRI 1
description Connected to 104
encapsulation ppp
!Disable fast switching.
no ip route-cache
dialer pool-member 1
ppp authentication chap
!
!Configure dialer interface 0 for DDR to call and receive calls from John and Rick.
interface dialer 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
!Enable legacy DDR.
dialer in-band
!Disable fast switching.
no ip route-cache
dialer map ip 10.1.1.2 name john 1111
dialer map ip 10.1.1.3 name rick 2222
dialer-group 1
ppp authentication chap
!
!Configure dialer interface 1 for DDR to dial out to Rick.
interface dialer 1
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name rick
dialer string 3333
dialer pool 1
dialer-group 1
!Disable fast switching.
no ip route-cache
ppp authentication chap
dialer-list 1 protocol ip permit
Configuring Virtual Private Networks
This chapter describes how to configure, verify, maintain, and troubleshoot a Virtual Private Network
(VPN). It includes the following main sections:
• VPN Technology Overview
• Prerequisites for VPNs
• How to Configure a VPN
• Verifying VPN Sessions
• Monitoring and Maintaining VPNs
• Troubleshooting VPNs
• Configuration Examples for VPN
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature, or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands mentioned in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference, Release 12.2. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
VPN Technology Overview
A VPN carries private data over a public network and extends remote access to users over a shared
infrastructure. VPNs maintain the same security and management policies as a private network. They are
the most cost-effective method of establishing a point-to-point connection between remote users and a
central network.
A benefit of VPNs or, more appropriately, access VPNs, is the way they delegate responsibilities for the
network. The customer outsources the responsibility for the information technology (IT) infrastructure
to an Internet service provider (ISP) that maintains the modems that the remote users dial in to (called
modem pools), the access servers, and the internetworking expertise. The customer is then only
responsible for authenticating its users and maintaining its network.
Instead of connecting directly to the network by using the expensive Public Switched Telephone
Network (PSTN), access VPN users need only use the PSTN to connect to the ISP local point of presence
(POP). The ISP then uses the Internet to forward users from the POP to the customer network.
Forwarding a user call over the Internet provides dramatic cost savings for the customer. Access VPNs
use Layer 2 tunneling technologies to create a virtual point-to-point connection between users and the
customer network. These tunneling technologies provide the same direct connectivity as the expensive
PSTN by using the Internet. This means that users anywhere in the world have the same connectivity as
they would at the customer headquarters.
VPNs allow separate and autonomous protocol domains to share common access infrastructure including
modems, access servers, and ISDN routers. VPNs use the following tunneling protocols to tunnel
link-level frames:
• Layer 2 Forwarding (L2F)
• Layer 2 Tunneling Protocol (L2TP)
• Point-to-Point Tunneling Protocol (PPTP)
Using one of these protocols, an ISP or other access service can create a virtual tunnel to link customer
remote sites or remote users with corporate home networks. In particular, a network access server (NAS)
at the ISP POP exchanges PPP messages with the remote users and communicates by L2F, L2TP, or
PPTP requests and responses with the customer tunnel server to set up tunnels.
L2F, L2TP, and PPTP pass protocol-level packets through the virtual tunnel between endpoints of a
point-to-point connection.
Frames from the remote users are accepted by the ISP POP, stripped of any link framing or
transparency bytes, encapsulated in L2F, L2TP, or PPTP, and forwarded over the appropriate tunnel. The
customer tunnel server accepts these frames, strips the Layer 2 encapsulation, and processes the
incoming frames for the appropriate interface.
Cisco routers fast switch VPN traffic. In stack group environments in which some VPN traffic is
offloaded to a powerful router, fast switching provides improved scalability.
VPDN MIB
The VPDN MIB offers a mechanism to track failures of user calls in a VPN system, allowing Simple
Network Management Protocol (SNMP) retrieval of user call failure information, on a per-user basis.
Refer to the Cisco VPDN Management MIB for a list of supported objects for the VPDN MIB.
VPN Hardware Terminology
As new tunneling protocols have been developed for VPNs, new terminology has been created to
describe the hardware involved in VPNs. Fundamentally, two routers are needed for a VPN:
• Network access server (NAS)—It receives incoming calls for dial-in VPNs and places outgoing calls
for dial-out VPNs. Typically it is maintained by an ISP that wishes to provide VPN services to its
customers.
• Tunnel server—It terminates dial-in VPNs and initiates dial-out VPNs. Typically it is maintained by
the ISP customer and is the contact point for the customer network.
For the sake of clarity, we will use these generic terms, and not the technology-specific terms. Table 29
lists the generic terms and the technology-specific terms that are often used for these devices.
In dial-in scenarios, users dial in to the NAS, and the NAS forwards the call to the tunnel server using a
VPN tunnel.
In dial-out scenarios, the tunnel server initiates a VPN tunnel to the NAS, and the NAS dials out to the
clients.
VPN Architectures
VPNs are designed on the basis of one of two architectural options:
• Client-Initiated VPNs
• NAS-Initiated VPNs
Client-Initiated VPNs
Users establish a tunnel across the ISP shared network to the customer network without an intermediate
NAS participating in the tunnel negotiation and establishment. The customer manages the client
software that initiates the tunnel. The main advantage of client-initiated VPNs is that they secure the
connection between the client and the ISP. However, client-initiated VPNs are not as scalable and are
more complex than NAS-initiated VPNs.
Client-initiated VPNs are also referred to as voluntary tunneling.
NAS-Initiated VPNs
Users dial in to the ISP NAS, which establishes a tunnel to the private network. NAS-initiated VPNs are
more robust than client-initiated VPNs and do not require the client to maintain the tunnel-creating
software. NAS-initiated VPNs do not encrypt the connection between the client and the ISP; the only
unprotected segment is therefore the PSTN link to the ISP POP, which most customers accept because the
PSTN is much harder to intercept than the Internet.
NAS-initiated VPNs are also referred to as compulsory tunneling.
Note In Cisco’s VPN implementation, PPTP tunnels are client-initiated while L2F and L2TP tunnels are
NAS-initiated.
PPTP Dial-In with MPPE Encryption
PPTP is a network protocol that enables the secure transfer of data from a remote client to a private
enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand,
multiprotocol, virtual private networking over public networks, such as the Internet.
Table 29 VPN Hardware Terminology

Generic Term                  L2F Term       L2TP Term                         PPTP Term
Tunnel Server                 Home Gateway   L2TP Network Server (LNS)         PPTP Network Server (PNS)
Network Access Server (NAS)   NAS            L2TP Access Concentrator (LAC)    PPTP Access Concentrator (PAC)
Cisco supports client-initiated VPNs using PPTP. Therefore only the client and the tunnel server need to
be configured. The client first establishes basic connectivity by dialing in to an ISP. Once the client has
established a PPP session, it initiates a PPTP tunnel to the tunnel server. The tunnel server is configured
to terminate PPTP tunnels and clone virtual-access interfaces from virtual templates.
Microsoft Point-to-Point Encryption (MPPE) is a related technology that can be used to encrypt
PPTP VPNs. It encrypts the entire session from the client to the tunnel server.
This section describes the following aspects of PPTP and MPPE:
• PPTP Tunnel Negotiation
• Flow Control Alarm
• MPPE Overview
• MPPE Encryption Types
PPTP Tunnel Negotiation
The following describes the protocol negotiation events that establish a PPTP tunnel:
1. The client dials in to the ISP and establishes a PPP session.
2. The client establishes a TCP connection with the tunnel server.
3. The tunnel server accepts the TCP connection.
4. The client sends a PPTP SCCRQ message to the tunnel server.
5. The tunnel server establishes a new PPTP tunnel and replies with an SCCRP message.
6. The client initiates the session by sending an OCRQ message to the tunnel server.
7. The tunnel server creates a virtual-access interface.
8. The tunnel server replies with an OCRP message.
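The eight steps above can be exercised in code. The following Python script is an added example, not Cisco's implementation: it encodes the four control messages with the fixed-length layouts of RFC 2637 (magic cookie 0x1A2B3C4D, control message types 1, 2, 7 and 8) and drives a minimal tunnel-server state machine that refuses an Outgoing-Call-Request until the control connection exists and refuses a second Start-Control-Connection-Request on the same connection. The host names, call identifiers and phone number are constructed; no TCP socket is opened, the two sides simply exchange the byte strings.

```python
import struct

MAGIC_COOKIE = 0x1A2B3C4D
CONTROL_MESSAGE = 1                 # PPTP Message Type 1 = control message
SCCRQ, SCCRP, OCRQ, OCRP = 1, 2, 7, 8
PROTOCOL_VERSION = 0x0100           # PPTP version 1.0
# Result codes used below (RFC 2637): SCCRP 1 ok, 3 channel already exists,
# 5 unsupported version; OCRP 1 connected.
HDR = struct.Struct("!HHIHH")       # length, message type, cookie, control type, reserved0


def _msg(ctrl_type, fmt, *fields):
    body = struct.pack(fmt, *fields)
    return HDR.pack(HDR.size + len(body), CONTROL_MESSAGE, MAGIC_COOKIE, ctrl_type, 0) + body


def sccrq(host=b"client", vendor=b"example"):
    # version, reserved1, framing caps (async|sync), bearer caps (analog|digital),
    # max channels, firmware revision, host name, vendor string
    return _msg(SCCRQ, "!HHIIHH64s64s", PROTOCOL_VERSION, 0, 3, 3, 1, 0, host, vendor)


def sccrp(result, host, vendor=b"example"):
    return _msg(SCCRP, "!HBBIIHH64s64s", PROTOCOL_VERSION, result, 0, 3, 3, 1, 0, host, vendor)


def ocrq(call_id, serial, phone=b"", subaddr=b""):
    # call id, serial, min/max bps, bearer type, framing type, receive window,
    # processing delay, phone number length, reserved1, phone number, subaddress
    return _msg(OCRQ, "!HHIIIIHHHH64s64s", call_id, serial, 300, 100_000_000,
                3, 3, 64, 0, len(phone), 0, phone, subaddr)


def ocrp(call_id, peer_call_id, result):
    # call id, peer's call id, result, error, cause, connect speed, window,
    # processing delay, physical channel id
    return _msg(OCRP, "!HHBBHIHHI", call_id, peer_call_id, result, 0, 0, 0, 64, 0, 0)


def parse_header(pkt):
    """Check the fixed header and return (control type, body); raise on junk."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    length, msg_type, cookie, ctrl_type, _ = HDR.unpack_from(pkt)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie: tunnel server closes the TCP connection")
    if msg_type != CONTROL_MESSAGE or length != len(pkt):
        raise ValueError("malformed control message")
    return ctrl_type, pkt[HDR.size:]


def sccrp_result(pkt):
    ctrl_type, body = parse_header(pkt)
    assert ctrl_type == SCCRP
    return struct.unpack_from("!HB", body)[1]


def ocrp_fields(pkt):
    """Return (call id, peer's call id, result code) from an OCRP."""
    ctrl_type, body = parse_header(pkt)
    assert ctrl_type == OCRP
    return struct.unpack_from("!HHB", body)


class TunnelServer:
    """Control-connection state of a PPTP tunnel server (PNS) for one TCP connection."""

    def __init__(self, host=b"pns"):
        self.host = host
        self.established = False
        self.calls = {}              # our call id -> peer call id; one virtual-access interface each
        self._next_call_id = 1

    def handle(self, pkt):
        ctrl_type, body = parse_header(pkt)
        if ctrl_type == SCCRQ:                                   # steps 4-5
            version = struct.unpack_from("!H", body)[0]
            if version != PROTOCOL_VERSION:
                result = 5
            elif self.established:
                result = 3
            else:
                result, self.established = 1, True
            return sccrp(result, self.host)
        if ctrl_type == OCRQ:                                    # steps 6-8
            if not self.established:
                raise ValueError("OCRQ before the control connection is established")
            peer_call_id = struct.unpack_from("!H", body)[0]
            call_id, self._next_call_id = self._next_call_id, self._next_call_id + 1
            self.calls[call_id] = peer_call_id   # here the router clones the virtual-access interface
            return ocrp(call_id, peer_call_id, 1)
        raise ValueError(f"unsupported control message type {ctrl_type}")


if __name__ == "__main__":
    server = TunnelServer()
    print("SCCRP result", sccrp_result(server.handle(sccrq())))
    print("OCRP", ocrp_fields(server.handle(ocrq(call_id=7, serial=1, phone=b"5551212"))))
```

The header check is the part worth keeping in mind when exposing a tunnel server on TCP port 1723: anything that is not a well-formed control message with the right cookie is dropped before it can touch call state, and a call cannot allocate a virtual-access interface until the control connection has been negotiated.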
Flow Control Alarm
The flow control alarm is a new function that indicates if PPTP detects congestion or lost packets. When
a flow control alarm goes off, PPTP reduces volatility and additional control traffic by establishing an
accompanying stateful MPPE session.
For more information, see the pptp flow-control static-rtt command and the output from the show vpdn
session command in the “Verifying a Client-Initiated VPN” section.
MPPE Overview
MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These PPP
connections can be over a dialup line or over a VPN tunnel. MPPE works as a subfeature of Microsoft
Point-to-Point Compression (MPPC).
MPPC is a scheme used to compress PPP packets between Cisco and Microsoft client devices. The
MPPC algorithm is designed to optimize bandwidth utilization in order to support multiple simultaneous
connections.
MPPE is negotiated using bits in the MPPC option within the Compression Control Protocol (CCP)
MPPC configuration option (CCP configuration option number 18).
MPPE uses the RC4 algorithm with either 40- or 128-bit keys. All keys are derived from the cleartext
authentication password of the user, so their effective strength is bounded by the entropy of that
password, and a 40-bit key offers no meaningful protection against exhaustive search. RC4 is a stream
cipher; therefore, the encrypted and decrypted frames are the same size as the original frame. The Cisco
implementation of MPPE is fully interoperable with that of Microsoft and uses all available options,
including historyless mode. Historyless mode can increase throughput in lossy environments such as
VPNs, because neither side needs to send CCP Reset-Requests to synchronize encryption contexts when
packets are lost.
MPPE Encryption Types
Two modes of MPPE encryption are offered:
• Stateful MPPE Encryption
• Stateless MPPE Encryption
Stateful MPPE Encryption
Stateful encryption provides the best performance but may be adversely affected by networks that
experience substantial packet loss. If you choose stateful encryption, you should also configure flow
control to minimize the detrimental effects of this lossiness.
Because of the way that the RC4 tables are reinitialized during stateful synchronization, it is possible
that two packets may be encrypted using the same key and therefore the same RC4 keystream, which lets
an observer who knows one plaintext recover the other by XORing the two ciphertexts. For this reason,
stateful encryption may not be appropriate for lossy network environments (such as Layer 2 tunnels on the
Internet).
Stateless MPPE Encryption
Stateless encryption provides a lower level of performance, but will be more reliable in a lossy network
environment.
Caution If you choose stateless encryption, you should not configure flow control.
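The key-reuse risk in stateful mode can be made concrete. The Python script below is an added example and not Cisco's or Microsoft's MPPE code: it implements RC4, a key-change step modelled on RFC 3078 (SHA-1 over start key, padding and previous session key, then RC4 of the interim key with itself; treat the exact derivation as an assumption and check it against the RFC before reuse), and a sender in either mode. In stateful mode a lost packet makes the receiver send a CCP Reset-Request, after which the sender re-initialises its RC4 tables with the current session key; the next packet is then encrypted under the same keystream as the first packet of that key's lifetime, and an observer who knows one plaintext recovers the other by XOR. In stateless mode every packet gets a fresh key and the recovery fails. The start key, the packets and the "lost" packet are constructed.

```python
import hashlib

SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40
KEY_LEN = 16                      # 128-bit MPPE; 40-bit keys would be 8 bytes with a fixed prefix


def rc4_init(key):
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return [s, 0, 0]              # state = [S-box, i, j]


def rc4_keystream(state, n):
    """Advance the RC4 state in place and return n keystream bytes."""
    s, i, j = state
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    state[1], state[2] = i, j
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def change_key(start_key, session_key):
    """Next session key, modelled on the RFC 3078 128-bit procedure (assumption):
    interim = SHA1(start || pad1 || session || pad2)[:16]; new = RC4_interim(interim)."""
    interim = hashlib.sha1(start_key + SHA_PAD1 + session_key + SHA_PAD2).digest()[:KEY_LEN]
    return xor(interim, rc4_keystream(rc4_init(interim), KEY_LEN))


class MppeSender:
    def __init__(self, start_key, stateless):
        self.start_key = start_key
        self.stateless = stateless
        self.session_key = change_key(start_key, start_key)   # initial key (assumed derivation)
        self.rc4 = rc4_init(self.session_key)
        self.flush_pending = False

    def reset_request(self):
        """Receiver lost a packet and sent CCP Reset-Request (stateful mode)."""
        self.flush_pending = True

    def encrypt(self, plaintext):
        if self.stateless:
            # Stateless: new session key and fresh RC4 tables for every packet.
            self.session_key = change_key(self.start_key, self.session_key)
            self.rc4 = rc4_init(self.session_key)
        elif self.flush_pending:
            # Stateful resync: RC4 tables re-initialised with the *current* key,
            # so the keystream restarts from the beginning. (Stateful mode also
            # rekeys every 256 packets; not reached in this short exchange.)
            self.rc4 = rc4_init(self.session_key)
            self.flush_pending = False
        return xor(plaintext, rc4_keystream(self.rc4, len(plaintext)))


def recover_after_resync(stateless):
    """Encrypt three equal-length packets, lose the second, trigger a Reset-Request,
    and try to recover the third packet from the first one's known plaintext."""
    p1 = b"GET /secret HTTP/1.0\r\n"          # constructed; assumed known to the observer
    p3 = b"user=rick&pass=emoclew"            # constructed; what the observer wants
    sender = MppeSender(b"\x01" * KEY_LEN, stateless)   # constructed start key
    c1 = sender.encrypt(p1)
    sender.encrypt(b"x" * len(p1))            # packet 2: lost on the Internet path
    sender.reset_request()
    c3 = sender.encrypt(p3)
    return xor(xor(c1, c3), p1)               # equals p3 only if c1 and c3 share keystream


if __name__ == "__main__":
    print("stateful :", recover_after_resync(stateless=False))
    print("stateless:", recover_after_resync(stateless=True))
```

The flow-control alarm described above reduces how often the stateful resync is triggered, but it does not remove the property that the recovery exploits; on a path where packet loss is expected, stateless mode (with no flow control, per the caution) is the safer choice.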
L2F Dial-In
VPNs use L2F or L2TP tunnels to tunnel the link layer of high-level protocols (for example, PPP frames
or asynchronous High-Level Data Link Control (HDLC)). ISPs configure their NASs to receive calls
from users and to forward the calls to the customer tunnel server. Usually, the ISP maintains only
information about the tunnel server—the tunnel endpoint. The customer maintains the tunnel server
users’ IP addresses, routing, and other user database functions. Administration between the ISP and the
tunnel server is reduced to IP connectivity.
Figure 71 shows the PPP link that runs between a client (the user hardware and software) and the tunnel
server. The NAS and tunnel server establish an L2F tunnel that the NAS uses to forward the PPP link to
the tunnel server. The VPN then extends from the client to the tunnel server. The L2F tunnel creates a
virtual point-to-point connection between the client and the tunnel server.
Figure 71 End-to-End Access VPN Protocol Flow: L2F, PPP, and IP
The following sections give a functional description of the sequence of events that establish a VPN using
L2F as the tunneling protocol:
• Protocol Negotiation Sequence
• L2F Tunnel Authentication Process
The “Protocol Negotiation Sequence” section provides an overview of the negotiation events that take
place as the VPN is established. The “L2F Tunnel Authentication Process” section provides a detailed
description of how the NAS and tunnel server establish the L2F tunnel.
Protocol Negotiation Sequence
A user who wants to connect to the customer tunnel server first establishes a PPP connection to the ISP
NAS. The NAS then establishes an L2F tunnel with the tunnel server. Finally, the tunnel server
authenticates the client username and password and establishes the PPP connection with the client.
Figure 72 shows the sequence of protocol negotiation events between the ISP NAS and the customer
tunnel server.
(Figure 71 artwork: Client, PSTN cloud, NAS, Internet cloud, Home gateway, Enterprise company intranet; legend: L2F, PPP, IP, Access VPN.)
Figure 72 Protocol Negotiation Events Between Access VPN Devices
The following explains the sequence of events shown in Figure 72:
1. The user client and the NAS conduct a standard PPP Link Control Protocol (LCP) negotiation.
2. The NAS begins PPP authentication by sending a Challenge Handshake Authentication Protocol
(CHAP) challenge to the client.
3. The client replies with a CHAP response.
4. When the NAS receives the CHAP response, either the phone number that the user dialed in from
(when using Dialed Number Information Service-based authentication) or the user domain name
(when using authentication based on domain name) matches a configuration on either the NAS or
its AAA server.
This configuration instructs the NAS to create a VPN to forward the PPP session to the tunnel server
by using an L2F tunnel.
Because this is the first L2F session with the tunnel server, the NAS and the tunnel server exchange
L2F_CONF packets, which prepare them to create the tunnel. Then they exchange L2F_OPEN
packets, which open the L2F tunnel.
5. Once the L2F tunnel is open, the NAS and tunnel server exchange L2F session packets. The NAS
sends an L2F_OPEN (Mid) packet to the tunnel server that includes the client information from the
LCP negotiation, the CHAP challenge, and the CHAP response.
The tunnel server forces this information on to a virtual access interface that it has created for the
client and responds to the NAS with an L2F_OPEN (Mid) packet.
6. The tunnel server authenticates the CHAP challenge and response (using either local or remote
AAA) and sends a CHAP Auth-OK packet to the client. This completes the three-way CHAP
authentication.
(Figure 72 artwork, Client, NAS, Home gateway: LCP Conf-Req and LCP Conf-Ack exchanged in both directions between the client and the NAS; PPP authentication; L2F or L2TP tunnel negotiation; L2F or L2TP session negotiation; PPP authentication completed; PPP packets. The event numbers 1 through 7 match the numbered steps in the text.)
7. When the client receives the CHAP Auth-OK packet, it can send PPP encapsulated packets to the
tunnel server.
The client and the tunnel server can now exchange I/O PPP encapsulated packets. The NAS acts as
a transparent PPP frame forwarder.
Subsequent PPP incoming sessions (designated for the same tunnel server) do not repeat the L2F
tunnel negotiation because the L2F tunnel is already open.
L2F Tunnel Authentication Process
When the NAS receives a call from a client that is to be tunneled to a tunnel server, it first sends a
challenge to the tunnel server. The tunnel server then sends a combined challenge and response to the
NAS. Finally, the NAS responds to the tunnel server challenge, and the two devices open the L2F tunnel.
Before the NAS and tunnel server can authenticate the tunnel, they must have a common "tunnel secret."
A tunnel secret is a shared secret that is configured on both the NAS and the tunnel server. For
more information on tunnel secrets, see the "Configuring VPN Tunnel Authentication Using the L2TP
Tunnel Password" section later in this chapter. Each device combines the tunnel secret with a random
challenge value received from its peer and hashes the combination with MD5; by exchanging and
verifying these hashed values, the NAS and tunnel server authenticate each other and establish the
L2F tunnel.
Figure 73 shows the tunnel authentication process.
Figure 73 L2F Tunnel Authentication Process
(Figure 73 artwork, messages between the NAS and the home gateway:
  NAS -> home gateway: L2F_CONF name = ISP_NAS, challenge = A
  home gateway -> NAS: L2F_CONF name = ENT_HGW, challenge = B, key = A' = MD5{A + ISP_NAS secret}
  NAS -> home gateway: L2F_OPEN key = B' = MD5{B + ENT_HGW secret}
  home gateway -> NAS: L2F_OPEN key = A'
  All subsequent messages from the NAS have key = B'; all subsequent messages from the home gateway have key = A'.)
The following explains the sequence of events shown in Figure 73:
1. Before the NAS and tunnel server open an L2F tunnel, both devices must have a common tunnel
secret in their configurations.
2. The NAS sends an L2F_CONF packet that contains the NAS name and a random challenge value, A.
3. After the tunnel server receives the L2F_CONF packet, it sends an L2F_CONF packet back to the
NAS with the tunnel server name and a random challenge value, B. This message also includes a
key containing A' (the MD5 of the NAS secret and the value A).
4. When the NAS receives the L2F_CONF packet, it compares the key A' with the MD5 of the NAS
secret and the value A. If the key and value match, the NAS sends an L2F_OPEN packet to the tunnel
server with a key containing B' (the Message Digest 5 (MD5) of the tunnel server secret and the
value B).
5. When the tunnel server receives the L2F_OPEN packet, it compares the key B' with the MD5 of the
tunnel server secret and the value B. If the key and value match, the tunnel server sends an
L2F_OPEN packet to the NAS with the key A'.
6. All subsequent messages from the NAS include key = B'; all subsequent messages from the tunnel
server include key = A'.
Once the tunnel server authenticates the client, the access VPN is established. The L2F tunnel creates a
virtual point-to-point connection between the client and the tunnel server. The NAS acts as a transparent
packet forwarder.
When subsequent clients dial in to the NAS, the NAS and tunnel server need not repeat the L2F tunnel
negotiation because the L2F tunnel is already open.
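The tunnel authentication exchange of Figure 73, simulated end to end with both peers computing and checking the keys. This is an added example written for this page, not code from the Cisco guide or from Cisco IOS; the byte layout key = MD5(challenge || secret) follows the figure's MD5{A + secret} notation and is an assumption about encoding, and the peer names ISP_NAS and ENT_HGW are taken from the figure.

```python
"""Added example (not from the Cisco guide): the L2F tunnel authentication
exchange of Figure 73, with the NAS (ISP_NAS) and home gateway (ENT_HGW)
each holding their own configured tunnel secret. The key layout
MD5(challenge || secret) is an assumption that follows the figure's
MD5{A + secret} notation."""
import hashlib
import hmac
import os
from typing import Optional


def l2f_key(challenge: bytes, secret: bytes) -> bytes:
    """Key field of L2F_CONF/L2F_OPEN: MD5 over the peer's challenge followed by the secret."""
    return hashlib.md5(challenge + secret).digest()


def run_handshake(nas_secret: bytes, hgw_secret: bytes,
                  challenge_a: Optional[bytes] = None,
                  challenge_b: Optional[bytes] = None):
    """Drive steps 2 to 5 of the process. Returns (authenticated, transcript);
    the transcript holds only the messages actually sent, so a failed
    verification leaves it short."""
    a = challenge_a or os.urandom(16)   # NAS random challenge A
    b = challenge_b or os.urandom(16)   # home gateway random challenge B
    transcript = []

    # Step 2: NAS -> home gateway, L2F_CONF with its name and challenge A.
    transcript.append({"type": "L2F_CONF", "name": "ISP_NAS", "challenge": a})

    # Step 3: home gateway answers with challenge B and key A' = MD5{A + secret}.
    a_prime_hgw = l2f_key(a, hgw_secret)
    transcript.append({"type": "L2F_CONF", "name": "ENT_HGW",
                       "challenge": b, "key": a_prime_hgw})

    # Step 4: NAS recomputes A' from its own secret and compares in constant
    # time; on a match it sends L2F_OPEN carrying B' = MD5{B + secret}.
    a_prime_nas = l2f_key(a, nas_secret)
    if not hmac.compare_digest(a_prime_nas, transcript[-1]["key"]):
        return False, transcript      # home gateway does not hold the tunnel secret
    transcript.append({"type": "L2F_OPEN", "key": l2f_key(b, nas_secret)})

    # Step 5: home gateway checks B' the same way, then opens with key A'.
    b_prime_hgw = l2f_key(b, hgw_secret)
    if not hmac.compare_digest(b_prime_hgw, transcript[-1]["key"]):
        return False, transcript      # NAS does not hold the tunnel secret
    transcript.append({"type": "L2F_OPEN", "key": a_prime_hgw})

    # NAS confirms the closing L2F_OPEN carries the A' it expects.
    if not hmac.compare_digest(a_prime_nas, transcript[-1]["key"]):
        return False, transcript
    return True, transcript


def session_keys(transcript):
    """Step 6: keys carried by all later messages. The NAS tags its messages
    with B' (the key it sent in L2F_OPEN); the home gateway tags its messages
    with A' (the key it sent back)."""
    return {"nas": transcript[2]["key"], "hgw": transcript[3]["key"]}


if __name__ == "__main__":
    ok, msgs = run_handshake(b"partner", b"partner")
    print("tunnel authenticated:", ok, "messages exchanged:", len(msgs))
    print("mismatched secret authenticated:", run_handshake(b"partner", b"wrong")[0])
```

The example makes the defender's points concrete: each side proves knowledge of the secret without sending it, but the only thing protecting the tunnel is the strength of that shared secret and the freshness of the challenges, and the comparison uses hmac.compare_digest so that a key check does not leak timing information.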
L2TP Dial-In
L2TP is an emerging Internet Engineering Task Force (IETF) standard that combines the best features
of two existing tunneling protocols: Cisco L2F (L2F) and Microsoft Point-to-Point Tunneling Protocol
(PPTP).
L2TP offers the full range of L2F features plus additional functionality. An
L2TP-capable tunnel server will work with an existing L2F network access server and will concurrently
support upgraded components running L2TP. Tunnel servers do not require reconfiguration each time an
individual NAS is upgraded from L2F to L2TP. Table 30 offers a comparison of L2F and L2TP feature
components.
Table 30 L2F and L2TP Feature Comparison

Function                                      L2F    L2TP
Flow Control                                  No     Yes
AVP hiding                                    No     Yes
Tunnel server load sharing                    Yes    Yes
Tunnel server stacking/multihop support       Yes    Yes
Tunnel server primary and secondary backup    Yes    Yes
DNS name support                              Yes    Yes
Domain name flexibility                       Yes    Yes
Idle and absolute timeout                     Yes    Yes
Multilink PPP support                         Yes    Yes
Multichassis Multilink PPP support            Yes    Yes
Security                                      L2F: all security benefits of PPP, including multiple
                                              per-user authentication options (CHAP, MS-CHAP, PAP);
                                              tunnel authentication mandatory.
                                              L2TP: all security benefits of PPP, including multiple
                                              per-user authentication options (CHAP, MS-CHAP, PAP);
                                              tunnel authentication optional.

Traditional dialup networking services support only registered IP addresses, which limits the types of
applications that are implemented over VPNs. L2TP supports multiple protocols and unregistered and
privately administered IP addresses over the Internet. This allows the existing access infrastructure, such
as the Internet, modems, access servers, and ISDN terminal adapters (TAs), to be used. It also allows
customers to outsource dial-out support, thus reducing overhead for hardware maintenance costs and 800
number fees, and allows them to concentrate corporate gateway resources. Figure 74 shows the L2TP
architecture in a typical dialup environment.
Figure 74 L2TP Architecture
(Figure 74 artwork: Dial client (PPP peer) on the PSTN or ISDN; LAC at the ISP or public network with its AAA server (RADIUS/TACACS+); L2TP tunnel from the LAC to the LNS on the corporate network, which has its own AAA server (RADIUS/TACACS+).)
The following sections supply additional detail about the interworkings and Cisco implementation of
L2TP. Using L2TP tunneling, an Internet service provider (ISP) or other access service can create a
virtual tunnel to link customer remote sites or remote users with corporate home networks. The NAS
located at the POP of the ISP exchanges PPP messages with remote users and communicates by way of
L2TP requests and responses with the customer tunnel server to set up tunnels. L2TP passes
protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection.
Frames from remote users are accepted by the POP of the ISP, stripped of any linked framing or
transparency bytes, encapsulated in L2TP and forwarded over the appropriate tunnel. The customer
tunnel server accepts these L2TP frames, strips the L2TP encapsulation, and processes the incoming
frames for the appropriate interface. Figure 75 shows the L2TP tunnel detail and how user "lsmith"
connects to the tunnel server to access the designated corporate intranet.
Figure 75 L2TP Tunnel Structure
Incoming Call Sequence
The following describes the events required to establish a VPN connection between a remote user, a NAS
at the ISP POP, and the tunnel server at the home LAN using an L2TP tunnel:
1. The remote user initiates a PPP connection to the ISP, using the analog telephone system or ISDN.
2. The ISP network NAS accepts the connection at the POP, and the PPP link is established.
3. After the end user and NAS negotiate LCP, the NAS partially authenticates the end user with CHAP
or PAP. The username, domain name, or Dialed Number Information Service (DNIS) is used to
determine whether the user is a VPN client. If the user is not a VPN client, authentication continues,
and the client will access the Internet or other contacted service. If the username is a VPN client,
the mapping will name a specific endpoint (the tunnel server).
4. The tunnel endpoints, the NAS, and the tunnel server authenticate each other before any sessions are
attempted within a tunnel. Alternatively, the tunnel server can accept tunnel creation without any
tunnel authentication of the NAS.
5. Once the tunnel exists, an L2TP session is created for the end user.
6. The NAS will propagate the LCP negotiated options and the partially authenticated CHAP/PAP
information to the tunnel server. The tunnel server will funnel the negotiated options and
authentication information directly to the virtual access interface. If the options configured on the
virtual template interface do not match the negotiated options with the NAS, the connection will fail,
and a disconnect will be sent to the NAS.
The result is that the exchange process appears to be between the dialup client and the remote tunnel
server exclusively, as if no intermediary device (the NAS) is involved. Figure 76 offers a pictorial
account of the L2TP incoming call sequence with its own sequence numbers. Note that the sequence
numbers in Figure 76 are not related to the step numbers in the preceding list.
(Figure 75 artwork: Client lsmith, PSTN cloud, LAC at the ISP, Internet cloud, LNS, Corporate network; legend: L2TP, PPP, IP.)
Figure 76 L2TP Incoming Call Flow
(Figure 76 artwork, participants LAC, LAC RADIUS server, LNS, LNS RADIUS server, with PSTN/ISDN on the dial side and a WAN between the LAC and the LNS. Numbered events: (1) Call setup; (2) PPP LCP setup; (3) User CHAP challenge; (4) User CHAP response; (5) Request tunnel info (user = domain, password = cisco); (6) Tunnel info in AV pairs: local name (LAC), tunnel password, tunnel type, LNS IP address; (7) Tunnel setup; (8) Tunnel authentication CHAP challenge; (9) LNS CHAP response; (10) Pass; (11) CHAP challenge; (12) LAC CHAP response; (13) Pass; (14) User CHAP response + response identifier + PPP negotiated parameters; (15) Access request; (16) Access response; (17) Pass; (18) Optional second CHAP challenge; (19) CHAP response; (20) Access request; (21) Access response; (22) Pass.)
VPN Tunnel Authentication Search Order
When a call to a NAS is to be tunneled to a tunnel server, the NAS must identify the tunnel server to
which the call is to be forwarded. You can configure the router to authenticate users and also to select
the outgoing tunnel on the basis of the following criteria:
• The user domain name
• The DNIS information in the incoming calls
• Both the domain name and the DNIS information
VPN Tunnel Lookup Based on Domain Name
When a NAS is configured to forward VPN calls on the basis of the user domain name, the user must
use a username of the form username@domain. The NAS then compares the user domain name to the
domain names it is configured to search for. When the NAS finds a match, it forwards the user call to
the proper tunnel server.
VPN Tunnel Lookup Based on DNIS Information
When a NAS is configured to forward VPN calls on the basis of the user DNIS information, the NAS
identifies the user DNIS information, which is provided on ISDN lines, and then forwards the call to the
proper tunnel server.
The ability to select a tunnel on the basis of DNIS information provides additional flexibility to network
service providers that offer VPN services and to the corporations that use the services. Instead of having
to use only the domain name for tunnel selection, tunnel selection can be based on the dialed number.
With this feature, a corporation—which might have only one domain name—can provide multiple
specific phone numbers for users to dial in to the NAS at the service provider POP. The service provider
can select the tunnel to the appropriate services or portion of the corporate network on the basis of the
dialed number.
VPN Tunnel Lookup Based on Both Domain Name and DNIS Information
When a service provider has multiple AAA servers configured, VPN tunnel authorization searches based
on domain name can be time consuming and might cause the client session to time out.
To provide more flexibility, service providers can now configure the NAS to perform tunnel
authorization searches by domain name only, by DNIS only, or by both in a specified order.
NAS AAA Tunnel Definition Lookup
Authentication, authorization, and accounting (AAA) tunnel definition lookup allows the NAS to look
up tunnel definitions using keywords. Two new Cisco AV pairs are added to support NAS tunnel
definition lookup: tunnel type and l2tp-tunnel-password. These AV pairs are configured on the RADIUS
server. Descriptions of the values are as follows:
• tunnel type—Indicates that the tunnel type is either L2F or L2TP. This is an optional AV pair and if
not defined, reverts to L2F, the default value. If you want to configure an L2TP tunnel, you must use
the L2TP AV pair value. This command is case sensitive.
• l2tp-tunnel-password—This value is the secret (password) used for L2TP tunnel authentication and
L2TP AV pair hiding. This is an optional AV pair value; however, if it is not defined, the secret will
default to the password associated with the local name on the NAS local username-password
database. This AV pair is analogous to the l2tp local secret command.
For example:
request dialin l2tp ip 172.21.9.13 domain hoser.com
l2tp local name dustie
l2tp local secret partner
is equivalent to the following RADIUS server configuration:
acme.com Password = "cisco"
cisco-avpair = "vpdn: tunnel-id=dustie",
cisco-avpair = "vpdn: tunnel-type=l2tp",
cisco-avpair = "vpdn: l2tp-tunnel-password=partner",
cisco-avpair = "vpdn: ip-addresses=172.21.9.13"
Note The password for the domain must be "cisco." This is hard-coded in Cisco IOS software.
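The tunnel selection described in the "VPN Tunnel Authentication Search Order" and "VPN Tunnel Lookup" sections, combined with the AV pair defaults just described, as an added example written for this page rather than Cisco IOS code. The profiles, the dialed number 5551212, the local password and the lookup tables are constructed sample data; the tunnel-id, tunnel-type, l2tp-tunnel-password and ip-addresses keys and the hoser.com/dustie/partner/172.21.9.13 values come from the page's own example. The accepted lowercase tunnel-type spellings are an assumption based on that example.

```python
"""Added example, not Cisco IOS code: NAS-side selection of the tunnel
endpoint by domain name and/or DNIS in a configured search order, then
resolution of the RADIUS-style vpdn AV pairs with the defaults the guide
describes. All profiles, usernames, dialed numbers and local passwords are
constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# The guide says tunnel-type is case sensitive; the lowercase spellings are an
# assumption taken from its "vpdn: tunnel-type=l2tp" example.
VALID_TUNNEL_TYPES = ("l2f", "l2tp")

# Constructed AAA profiles keyed by domain name and by DNIS respectively.
DOMAIN_PROFILES = {
    "hoser.com": ["vpdn: tunnel-id=dustie",
                  "vpdn: tunnel-type=l2tp",
                  "vpdn: l2tp-tunnel-password=partner",
                  "vpdn: ip-addresses=172.21.9.13"],
}
DNIS_PROFILES = {
    # No tunnel-type and no password: both fall back to the defaults.
    "5551212": ["vpdn: tunnel-id=dustie",
                "vpdn: ip-addresses=172.21.9.14"],
}
# Constructed NAS local username/password database.
LOCAL_USERS = {"dustie": "local-secret"}


@dataclass
class TunnelDef:
    tunnel_id: str                   # NAS local name presented to the tunnel server
    ip_address: str                  # tunnel server address
    tunnel_type: str                 # "l2f" (default) or "l2tp"
    tunnel_password: Optional[str]   # L2TP tunnel secret, possibly defaulted
    password_defaulted: bool = False


def tunnel_type_is_valid(value: str) -> bool:
    return value in VALID_TUNNEL_TYPES


def parse_avpairs(avpairs: Sequence[str]) -> TunnelDef:
    """Parse "vpdn: key=value" strings into a TunnelDef, applying the L2F default."""
    values = {}
    for pair in avpairs:
        prefix, sep, rest = pair.partition(":")
        if sep == "" or prefix.strip() != "vpdn":
            raise ValueError(f"not a vpdn AV pair: {pair!r}")
        key, _, val = rest.partition("=")
        values[key.strip()] = val.strip()
    tunnel_type = values.get("tunnel-type", "l2f")     # optional; reverts to L2F
    if not tunnel_type_is_valid(tunnel_type):
        raise ValueError(f"unknown tunnel-type {tunnel_type!r} (case sensitive)")
    return TunnelDef(tunnel_id=values["tunnel-id"],
                     ip_address=values["ip-addresses"],
                     tunnel_type=tunnel_type,
                     tunnel_password=values.get("l2tp-tunnel-password"))


def resolve_tunnel_password(tdef: TunnelDef, local_users) -> TunnelDef:
    """Without l2tp-tunnel-password the secret defaults to the password of the
    local name in the NAS username database; the flag records that fallback."""
    if tdef.tunnel_password is None:
        tdef.tunnel_password = local_users.get(tdef.tunnel_id)
        tdef.password_defaulted = True
    return tdef


def find_tunnel(username: str, dnis: Optional[str], search_order: Sequence[str],
                domain_profiles=DOMAIN_PROFILES, dnis_profiles=DNIS_PROFILES,
                local_users=LOCAL_USERS) -> Optional[Tuple[str, str, TunnelDef]]:
    """Try each method in search_order ("domain", "dnis"). Returns
    (method, matched key, TunnelDef) for a VPN client, or None when the call
    is not tunneled and the NAS authenticates the user itself."""
    for method in search_order:
        if method == "domain":
            if "@" not in username:          # only user@domain can match
                continue
            key, table = username.rsplit("@", 1)[1], domain_profiles
        elif method == "dnis":
            if not dnis:                     # DNIS is present only on ISDN lines
                continue
            key, table = dnis, dnis_profiles
        else:
            raise ValueError(f"unknown search method {method!r}")
        if key in table:
            tdef = resolve_tunnel_password(parse_avpairs(table[key]), local_users)
            return method, key, tdef
    return None
```

Running find_tunnel with ("domain", "dnis") versus ("dnis", "domain") on the same call shows how the configured order decides which tunnel server the call reaches. The password_defaulted flag is worth surfacing in an audit: a profile that omits l2tp-tunnel-password silently reuses the local user's password as the tunnel secret.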
L2TP Dial-Out
The L2TP dial-out feature enables tunnel servers to tunnel dial-out VPN calls using L2TP as the
tunneling protocol. This feature enables a centralized network to efficiently and inexpensively establish
a virtual point-to-point connection with any number of remote offices.
Note Cisco routers can carry both dial-in and dial-out calls in the same L2TP tunnels.
L2TP dial-out involves two devices: a tunnel server and a NAS. When the tunnel server wants to perform
L2TP dial-out, it negotiates an L2TP tunnel with the NAS. The NAS then places a PPP call to the
client(s) that the tunnel server wants to dial out to.
Figure 77 shows a typical L2TP dial-out scenario.
Figure 77 L2TP Dial-Out Process
(Figure 77 artwork, LNS, LAC, PC: tunnel setup SCCRQ, SCCRP, SCCCN; OCRQ; OCRP; LAC calls PPP client; OCCN; PPP packets. A VPDN session is created on the LNS and on the LAC. The event numbers 1 through 7 match the numbered steps in the text.)
The following explains the sequence of events described in Figure 77:
1. The tunnel server receives Layer 3 packets, which are to be dialed out, and forwards them to its
dialer interface (either a dialer profile or dial-on-demand routing [DDR]).
The dialer issues a dial call request to the VPN group, and the tunnel server creates a virtual access
interface. If the dialer is a dialer profile, this interface becomes a member of the dial pool. If the
dialer is DDR, the interface becomes a member of the rotary group.
The VPN group creates a VPN session for this connection and sets it in the pending state.
2. The tunnel server and NAS establish an L2TP tunnel (unless a tunnel is already open).
3. The tunnel server sends an Outgoing Call ReQuest (OCRQ) packet to the NAS, which checks if it
has a dial resource available.
If the resource is available, the NAS responds to the tunnel server with an Outgoing Call RePly
(OCRP) packet. If the resource is not available, the NAS responds with a Call Disconnect
Notification (CDN) packet, and the session is terminated.
4. If the NAS has an available resource, it creates a VPN session and sets it in the pending state.
5. The NAS then initiates a call to the PPP client. When the NAS call connects to the PPP client, the
NAS binds the call interface to the appropriate VPN session.
6. The NAS sends an Outgoing Call CoNnected (OCCN) packet to the tunnel server. The tunnel server
binds the call to the appropriate VPN session and then brings the virtual access interface up.
7. The dialer on the tunnel server and the PPP client can now exchange PPP packets. The NAS acts as
a transparent packet forwarder.
If the dialer interface is a DDR and a virtual profile is configured, the PPP endpoint is the tunnel server
virtual-access interface, not the dialer. All Layer 3 routes point to this interface instead of the dialer.
Note Large-scale dial-out, Bandwidth Allocation Protocol (BAP), and Dialer Watch are not supported. All
configuration must be local on the router.
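The dial-out sequence of Figure 77 as a small state machine, added here as an example and not code from the Cisco guide or from Cisco IOS. OCRQ, OCRP, CDN and OCCN are the messages the text names; SCCRQ, SCCRP and SCCCN are the standard L2TP control-connection setup messages that open the tunnel once. The dial resource count, call ids and session states are constructed.

```python
"""Added example, not Cisco code: a state machine for the L2TP dial-out
exchange of Figure 77. OCRQ, OCRP, CDN and OCCN are the messages named in
the guide; SCCRQ/SCCRP/SCCCN are the standard L2TP control-connection setup
messages. Dial resource counts and call ids are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class VpdnSession:
    call_id: int
    state: str = "pending"   # pending -> up, or pending -> terminated


class Nas:
    """LAC side. Owns a fixed number of dial resources (modems or B channels)."""
    def __init__(self, dial_resources: int):
        self.free_resources = dial_resources
        self.sessions = {}

    def on_ocrq(self, call_id: int) -> Tuple[str, int]:
        # Steps 3 and 4: OCRP only if a dial resource is free, otherwise CDN.
        if self.free_resources == 0:
            return ("CDN", call_id)
        self.free_resources -= 1
        self.sessions[call_id] = VpdnSession(call_id)   # pending until the call connects
        return ("OCRP", call_id)

    def place_call(self, call_id: int) -> Tuple[str, int]:
        # Steps 5 and 6: the PPP call connects, the call interface is bound to
        # the session and OCCN is reported to the tunnel server.
        self.sessions[call_id].state = "up"
        return ("OCCN", call_id)


class TunnelServer:
    """LNS side. The dialer triggers a VPN session; the tunnel is reused once open."""
    def __init__(self):
        self.tunnel_open = False
        self.sessions = {}
        self._next_call_id = 1

    def dial_out(self, nas: Nas) -> List[tuple]:
        transcript: List[tuple] = []
        if not self.tunnel_open:                          # step 2, first call only
            transcript += [("SCCRQ",), ("SCCRP",), ("SCCCN",)]
            self.tunnel_open = True
        call_id = self._next_call_id
        self._next_call_id += 1
        session = VpdnSession(call_id)                    # step 1: pending session
        self.sessions[call_id] = session
        transcript.append(("OCRQ", call_id))              # step 3
        reply = nas.on_ocrq(call_id)
        transcript.append(reply)
        if reply[0] == "CDN":                             # no dial resource: session ends
            session.state = "terminated"
            return transcript
        transcript.append(nas.place_call(call_id))        # steps 5 and 6
        session.state = "up"                              # virtual access interface comes up
        return transcript
```

Two consecutive dial_out calls against a NAS with a single dial resource show both outcomes: the first carries the one-time tunnel setup and ends in OCCN, the second reuses the open tunnel and is refused with CDN.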
VPN Configuration Modes Overview
Cisco VPN is configured using the VPN group configuration mode. VPN groups can now support the
following:
• One or both of the following tunnel server VPN subgroup configuration modes
– Accept-dialin
– Request-dialout
• One or both of the following NAS VPN subgroup configuration modes
– Request-dialin
– Accept-dialout
• One of the four VPN subgroup configuration modes
A VPN group can act as either a tunnel server or a NAS, but not both. But individual routers can have
both tunnel server VPN groups and NAS VPN groups.
Table 31 lists four VPDN group configuration commands that correspond to the configuration modes
listed above. These command modes are accessed from VPN group mode; therefore, they are generically
referred to as VPN subgroups.
The keywords and arguments for the previous accept-dialin and request-dialin VPDN group
configuration commands are now independent commands. The previous syntax is still supported, but
when you display the configuration, the commands will appear in the new format.
For example, to configure a NAS to request dial-in, you could use the old command, as follows:
request-dialin l2tp ip 10.1.2.3 domain jgb.com
However, when you view the configuration, the keywords and arguments are displayed in the new format
with individual commands:
request dialin
protocol l2tp
domain jgb.com
initiate-to ip 10.1.2.3
Similarly, the accept-dialout and request-dialout commands have subgroup commands that are used to
specify information such as the tunneling protocol and dialer resource.
Table 32 lists the new VPN subgroup commands and which command modes they apply to:
The other VPN group commands are dependent on which VPN subgroups exist on the VPN group.
Table 33 lists the VPN group commands and which subgroups you need to enable in order for them to
be configurable.
Table 31 New VPN Group Command Modes

Command           Command Mode Prompt            Type of Service
accept-dialin     router(config-vpdn-acc-in)#    tunnel server
request-dialout   router(config-vpdn-req-ou)#    tunnel server
request-dialin    router(config-vpdn-req-in)#    NAS
accept-dialout    router(config-vpdn-acc-ou)#    NAS

Table 32 VPN Subgroup Commands

Command            VPN Subgroups
default            all subgroups
dialer             accept-dialout
dnis               request-dialin
domain             request-dialin
pool-member        request-dialout
protocol           all subgroups
rotary-group       request-dialout
virtual-template   accept-dialin
Table 33 VPN Group Commands

Command                 VPN Subgroups
accept-dialin           tunnel server VPN group (1)
accept-dialout          NAS VPN group (2)
authen before-forward   request-dialin
default                 any subgroup
force-local-chap        accept-dialin
initiate-to             request-dialin or request-dialout
lcp renegotiation       accept-dialin
local name              any subgroup
multilink               request-dialin
request-dialin          NAS VPN group (2)
request-dialout         tunnel server VPN group (1)
source-ip               any subgroup
terminate-from          accept-dialin or accept-dialout

1. Tunnel server VPN groups can be configured for accept-dialin and/or request-dialout.
2. NAS VPN groups can be configured for accept-dialout and/or request-dialin.

Prerequisites for VPNs
Before configuring a VPN, you must complete the prerequisites described in Table 34. These
prerequisites are discussed in the sections that follow.
Table 34 VPN Prerequisites

Prerequisite                                                            Client-Initiated Dial-In   NAS-Initiated Dial-In   Dial-Out
Configuring the LAN Interface                                           Required                   Required                Required
Configuring AAA                                                         Optional                   Required                Required
Specifying the IP Address Pool and BOOTP Servers on the Tunnel Server   Required                   Required                N/A
Commissioning the T1 Controllers on the NAS                             N/A                        Required                N/A
Configuring the Serial Channels for Modem Calls on the NAS              N/A                        Required                N/A
Configuring the Modems and Asynchronous Lines on the NAS                N/A                        Required                N/A
Configuring the Group-Asynchronous Interface on the NAS                 N/A                        Required                N/A
Configuring the Dialer on a NAS                                         N/A                        N/A                     Required
Configuring the Dialer on a Tunnel Server                               N/A                        N/A                     Required

Configuring the LAN Interface
To assign an IP address to the interface that will carry the VPN traffic and to bring up that interface,
use the following commands on both the NAS and the tunnel server beginning in global configuration
mode:

Command Purpose
Step 1  Router(config)# interface interface-type number
        Enters interface configuration mode.
Step 2  Router(config-if)# ip address ip-address subnet-mask
        Configures the IP address and subnet mask on the interface.
Step 3  Router(config-if)# no shutdown
        Changes the state of the interface from administratively down to up.

Configuring AAA
To enable AAA, use the following commands on both the NAS and the tunnel server in global
configuration mode. If you use RADIUS or TACACS+ for AAA, you also need to point the router to the
AAA server using either the radius-server host or the tacacs-server host command.
Refer to the Cisco IOS Security Configuration Guide, Release 12.2, for a complete list of commands and
configurable options for security and AAA implementation.
For information on configuring remote AAA servers, refer to the CiscoSecure ACS documentation at:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/index.htm.
Command Purpose
Step 1  Router(config)# aaa new-model
        Enables the AAA access control system.
Step 2  Router(config)# aaa authentication login default {local | radius | tacacs}
        Enables AAA authentication at login and uses the local username database for authentication.(1)
Step 3  Router(config)# aaa authentication ppp default {local | radius | tacacs}
        Configures the AAA authentication method that is used for PPP and VPN connections.(1)
Step 4  Router(config)# aaa authorization network default {local | radius | tacacs}
        Configures the AAA authorization method that is used for network-related service requests.(1)
Step 5  Router(config)# aaa accounting network default start-stop {radius | tacacs}
        (Optional) Enables AAA accounting that sends a stop accounting notice at the end of the
        requested user process.(1)
Step 6  Router(config)# vpdn aaa override-server {aaa-server-ip-address | aaa-server-name}
        (Optional) Specifies the AAA servers to be used for VPDN tunnel authorization. If this command
        is not configured, the default AAA server configured for network authorization is used for
        VPDN authorization.
Step 7  Router(config)# vpdn aaa attribute [{nas-ip-address vpdn-nas} | {nas-port vpdn-nas}]
        (Optional) Enables the reporting of AAA attributes from the HGW to the configured RADIUS or
        TACACS+ AAA server. This command is applicable only on the tunnel server and is disabled
        by default.
Step 8  Router(config)# vpdn aaa untagged
        (Optional) Enables the application of untagged attribute values to all attribute sets for VPDN
        tunnels, unless a value for that attribute is already specified in the attribute set. This
        command is enabled by default; therefore, configuration of this command is required only if
        the command has been previously disabled.
Step 9  Router(config)# radius-server host ip-address [auth-port number] [acct-port number]
        Router(config)# radius-server key cisco
        Specifies the RADIUS server IP address and optionally the ports to be used for authentication
        and accounting requests. Sets the authentication key and encryption key for all RADIUS
        communication.
        Note The RADIUS key must be "cisco." This is hard-coded in Cisco IOS software.
        or
        Router(config)# tacacs-server host ip-address [port integer] [key string]
        Specifies the TACACS+ server IP address and optionally the port to be used, and an
        authentication and encryption key.

1. If you specify more than one method, AAA will query the servers or databases in the order that they are entered.
Specifying the IP Address Pool and BOOTP Servers on the Tunnel Server
To specify the IP addresses and the BOOTP servers that will be assigned to VPN clients, use the
following commands on the tunnel server in global configuration mode.
The IP address pool is the addresses that the tunnel server assigns to clients. You must configure an IP
address pool. You can also provide BOOTP servers. Domain Name System (DNS) servers translate host
names to IP addresses. WINS servers, which are specified using the async-bootp nbns-server
command, provide dynamic NetBIOS names that Windows devices use to communicate without IP
addresses.

Command Purpose
Step 1  HGW(config)# ip local pool default first-ip-address last-ip-address
        Configures the default local pool of IP addresses that will be used by clients.
Step 2  HGW(config)# async-bootp dns-server ip-address1 [additional-ip-address]
        (Optional) Returns the configured addresses of DNS servers in response to BOOTP requests.
Step 3  HGW(config)# async-bootp nbns-server ip-address1 [additional-ip-address]
        (Optional) Returns the configured addresses of Windows NT servers in response to BOOTP
        requests.

Commissioning the T1 Controllers on the NAS
To define the ISDN switch type and commission the T1 controllers to allow modem calls to come into
the NAS, use the following commands beginning in global configuration mode:

Command Purpose
Step 1  NAS(config)# isdn switch-type switch-type
        Enters the telco switch type. An ISDN switch type that is specified in global configuration
        mode is automatically propagated into the individual serial interfaces (for example, serial
        interface 0:23, 1:23, 2:23, and 3:23).
Step 2  NAS(config)# controller t1 0
        Accesses controller configuration mode for the first T1 controller, which is number 0. The
        controller ports are numbered 0 through 3 on the quad T1/PRI card.
Step 3  NAS(config-controller)# framing framing-type
        Enters the T1 framing type.
Step 4  NAS(config-controller)# linecode linecode
        Enters the T1 line-code type.
Step 5  NAS(config-controller)# clock source line primary
        Configures the access server to get its primary clocking from the T1 line assigned to
        controller 0. Line clocking comes from the remote switch.
Step 6  NAS(config-controller)# pri-group timeslots range
        Assigns the T1 time slots as ISDN PRI channels. After you enter this command, a D-channel
        serial interface is instantly created (for example, S0:23), along with individual B-channel
        serial interfaces (S0:0, S0:1, and so on). The D-channel interface functions like a dialer for
        the B channels using the controller. If this was an E1 interface, the PRI group range would be
        1 to 31. The D-channel serial interfaces would be S0:15, S1:15, S2:15, and S3:15.

Configuring the Serial Channels for Modem Calls on the NAS
To configure the D channels (the signaling channels) to allow incoming voice calls to be routed to the
integrated MICA technologies modems and to control the behavior of the individual B channels, use the
following commands on the NAS beginning in global configuration mode:

Command Purpose
Step 1  NAS(config)# interface serial 0:23
        Accesses configuration mode for the D-channel serial interface that corresponds to controller
        T1 0. The behavior of serial 0:0 through serial 0:22 is controlled by the configuration
        instructions provided for serial 0:23. This concept is also true for the other remaining
        D-channel configurations.
Step 2  NAS(config-if)# isdn incoming-voice modem
        Enables analog modem voice calls that come in through the B channels to be connected to the
        integrated modems.
Step 3  NAS(config-if)# exit
        Returns to global configuration mode.
Step 4  NAS(config)# interface serial 1:23
        NAS(config-if)# isdn incoming-voice modem
        NAS(config-if)# exit
        NAS(config)# interface serial 2:23
        NAS(config-if)# isdn incoming-voice modem
        NAS(config-if)# exit
        NAS(config)# interface serial 3:23
        NAS(config-if)# isdn incoming-voice modem
        NAS(config-if)# exit
        Configures the three remaining D channels with the same ISDN incoming-voice modem setting.
Configuring the Modems and Asynchronous Lines on the NAS
To define a range of modem lines and to enable PPP clients to dial in, bypass the EXEC facility, and
automatically start PPP, use the following commands on the NAS beginning in global configuration
mode.
Configure the modems and lines after the ISDN channels are operational. Each modem corresponds with
a dedicated asynchronous line inside the NAS. The modem speed of 115200 bps and hardware flow
control are default values for integrated modems.

Command Purpose
Step 1  NAS(config)# line line-number [ending-line-number]
        Enters the modem line or range of modem lines (by entering an ending-line-number) that you
        want to configure.
Step 2  NAS(config-line)# autoselect ppp
        Enables PPP clients to dial in, bypass the EXEC facility, and automatically start PPP on the
        lines.
Step 3  NAS(config-line)# autoselect during-login
        Displays the username:password prompt as the modems connect.
        Note These two autoselect commands enable EXEC (shell) and PPP services on the same lines.
Step 4  NAS(config-line)# modem inout
        Supports incoming and outgoing modem calls.

Configuring the Group-Asynchronous Interface on the NAS
To create a group-asynchronous interface and project protocol characteristics to the asynchronous
interfaces, use the following commands on the NAS beginning in global configuration mode.
The group-async interface is a template that controls the configuration of the specified asynchronous
interfaces inside the NAS. Asynchronous interfaces are lines running in PPP mode. An asynchronous
interface uses the same number as its corresponding line. Configuring all the asynchronous interfaces as
an asynchronous group saves you time by reducing the number of configuration steps.

Command Purpose
Step 1  NAS(config)# interface group-async number
        Creates the group-asynchronous interface.
Step 2  NAS(config-if)# ip unnumbered interface-type number
        Uses the IP address defined on the specified interface.
Step 3  NAS(config-if)# encapsulation ppp
        Enables PPP.
Step 4  NAS(config-if)# async mode interactive
        Configures interactive mode on the asynchronous interfaces. Interactive mode means that
        clients can dial in to the NAS and get a router prompt or PPP session. Dedicated mode means
        that only PPP sessions can be established on the NAS. Clients cannot dial in and get an EXEC
        (shell) session.
Configuring Virtual Private Networks
VPN Technology Overview
DC-529
Cisco IOS Dial Technologies Configuration Guide
Configuring the Dialer on a NAS
To configure the dialer on a NAS for L2TP dial-out, use the following commands beginning in global
configuration mode:
Configuring the Dialer on a Tunnel Server
To configure the dialer on an a tunnel server for L2TP dial-out, use the following commands beginning
in global configuration mode:
Step 5 NAS(config-if)# ppp authentication {chap |
pap | chap pap | pap chap}
Configures the authentication to be used on the interface during
LCP negotiation.
When both authentication methods are specified, the NAS first
authenticates with the first method entered. If the first method is
rejected by the client, the second authentication method is used.
Step 6 NAS(config-if)# group-range range Specifies the range of asynchronous interfaces to include in the
group, which is usually equal to the number of modems in the
access server.
Command Purpose
Command Purpose
Step 1 NAS(config)# interface dialer number Defines a dialer rotary group.
Step 2 NAS(config-if)# ip unnumbered interface-type
number
Configures the dialer to use the interface IP address.
Step 3 NAS(config-if)# encapsulation ppp Enables PPP encapsulation.
Step 4 NAS(config-if)# dialer in-band Enables DDR on the dialer.
Step 5 NAS(config-if)# dialer aaa Enables the dialer to use the AAA server to locate
profiles for dialing information.
Step 6 NAS(config-if)# dialer-group group-number Assigns the dialer to the specified dialer group.
Step 7 NAS(config-if)# ppp authentication chap Specifies that CHAP authentication will be used.
Configuring the Dialer on a Tunnel Server
To configure the dialer on a tunnel server for L2TP dial-out, use the following commands beginning
in global configuration mode:

Step 1   LNS(config)# interface dialer number
         Defines a dialer rotary group.
Step 2   LNS(config-if)# ip address ip-address subnet-mask
         Specifies an IP address for the group.
Step 3   LNS(config-if)# encapsulation ppp
         Enables PPP encapsulation.
Step 4   LNS(config-if)# dialer remote-name peer-name
         Specifies the name used to authenticate the remote router that is being dialed.
Step 5   LNS(config-if)# dialer string dialer-number
         Specifies the number that is dialed.
Step 6   LNS(config-if)# dialer vpdn
         Enables dial-out.
Step 7   LNS(config-if)# dialer pool pool-number
         Specifies the dialer pool.
Step 8   LNS(config-if)# dialer-group group-number
         Assigns the dialer to the specified dialer group.
Step 9   LNS(config-if)# ppp authentication chap
         Specifies that CHAP authentication will be used.

How to Configure a VPN
Configuration for both dial-in and dial-out VPNs is described in the following sections:
• Enabling a VPN
• Configuring VPN Tunnel Authentication Using the Host Name or Local Name
• Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password
• Configuring Client-Initiated Dial-In VPN
• Configuring NAS-Initiated Dial-In VPN
• Configuring Dial-Out VPN
• Configuring Advanced VPN Features
See the section “Configuration Examples for VPN” later in this chapter for examples of how you can
implement VPN in your network.

Enabling a VPN
To enable a VPN tunnel, use the following command in global configuration mode:

         Router(config)# vpdn enable
         Enables VPN. (The Cisco IOS command syntax uses the more specific term VPDN, virtual private
         dialup network, instead of VPN.)

To disable a VPN tunnel, use the clear vpdn tunnel command in EXEC mode. The no vpdn enable
command does not automatically tear down an established VPN tunnel.

Configuring VPN Tunnel Authentication
VPN tunnel authentication enables routers to authenticate the other tunnel endpoint before establishing
a VPN tunnel. It is required for L2F tunnels and optional for L2TP tunnels.
VPN tunnel authentication can be performed in the following ways:
• Using local AAA on both the NAS and the tunnel server
• Using RADIUS on the NAS and local AAA on the tunnel server
• Using TACACS+ on the NAS and local AAA on the tunnel server
This section discusses local tunnel authentication. For information on RADIUS and TACACS+, refer to
the “NAS AAA Tunnel Definition Lookup” section earlier in this chapter and the Cisco IOS Security
Configuration Guide, Release 12.2.
VPN tunnel authentication requires that a single shared secret, called the tunnel secret, be configured
on both the NAS and the tunnel server. There are two methods for configuring the tunnel secret:
• Configuring VPN Tunnel Authentication Using the Host Name or Local Name
  The tunnel secret is configured as a password by using the username command.
• Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password
  The tunnel secret is configured by using the l2tp tunnel password command.

Disabling VPN Tunnel Authentication for L2TP Tunnels
To disable VPN tunnel authentication for L2TP tunnels, use the following commands beginning in global
configuration mode:

         ISP_NAS(config)# vpdn-group group
         ISP_NAS(config-vpdn)# no l2tp tunnel authentication
         Disables VPN tunnel authentication for the specified VPN group. The VPN group will not challenge
         any router that attempts to open an L2TP tunnel, so any peer that can reach the router can bring
         up a tunnel to this group; disable authentication only where the peers are restricted by other
         means.

Note Before you can configure any l2tp VPN group command, you must specify L2TP as the protocol for
a VPN subgroup within the VPN group. For more information, see the “Configuring NAS-Initiated
Dial-In VPN” and “Configuring Dial-Out VPN” sections later in this chapter.
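The two settings above that weaken a dial-in deployment are easy to spot in a running configuration: a VPN group carrying no l2tp tunnel authentication, and an interface whose ppp authentication list admits PAP. The following script is an added example, not code from this guide or from Cisco IOS; it audits a constructed configuration (the host names, domains and addresses in it are invented for the example) and reports both conditions.

```python
"""Audit IOS vpdn-group and PPP interface configuration for weak settings.

Added example, not code from the Cisco guide or Cisco IOS. It scans a
configuration for two things the surrounding text describes: a vpdn-group
that carries `no l2tp tunnel authentication` (the group will not challenge a
peer opening an L2TP tunnel) and an interface whose `ppp authentication`
list permits PAP. SAMPLE_CONFIG is constructed for the example; its host
names, domains and addresses are not from the guide.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname ISP_NAS
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain example.net
 initiate-to ip 192.0.2.10
 local name isp-nas
 l2tp tunnel password 0 tunnel-secret
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain partner.example
 initiate-to ip 192.0.2.20
 no l2tp tunnel authentication
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp authentication chap
!
interface Group-Async1
 ip unnumbered Loopback0
 encapsulation ppp
 async mode interactive
 ppp authentication chap pap
 group-range 1 48
"""


def config_blocks(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into top-level blocks keyed by their header line.
    Indented lines belong to the preceding unindented line; '!' separators
    and blank lines are ignored."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per weak setting, in configuration order."""
    findings: List[str] = []
    for header, body in config_blocks(config).items():
        if header.startswith("vpdn-group"):
            if "no l2tp tunnel authentication" in body:
                findings.append(f"{header}: L2TP tunnel authentication disabled")
        elif header.startswith("interface"):
            for line in body:
                m = re.match(r"ppp authentication\s+(.*)", line)
                # Any list that contains pap lets a client negotiate down to it.
                if m and "pap" in m.group(1).split():
                    findings.append(f"{header}: PAP allowed ({line})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config; an empty result means every VPN group still challenges its peers and no PPP interface will accept a cleartext password.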
Configuring VPN Tunnel Authentication Using the Host Name or Local Name
To configure VPN tunnel authentication using the hostname or local name commands, use the following
commands beginning in global configuration mode:

Step 1   ISP_NAS(config)# hostname host-name
         Configures the router host name. By default, the router uses the host name as the tunnel name in
         VPN tunnel authentication.
         or
         ISP_NAS(config)# vpdn-group group
         ISP_NAS(config-vpdn)# local name tunnel-name
         (Optional) Configures the local name for the VPN group. When negotiating VPN tunnel
         authentication for this VPN group, the router uses the local name as the tunnel name.
Step 2   ISP_NAS(config)# username tunnel-name password tunnel-secret
         Configures the other router’s tunnel name and the tunnel secret as a user name and password
         combination.
         Note: The tunnel secret must be the same on both routers. Each router must have the other
         router’s tunnel name (specified by either the hostname or local name command) configured as a
         username with the tunnel secret as the password.

Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password
To configure VPN tunnel authentication using the l2tp tunnel password command, use the following
commands beginning in global configuration mode:

Step 1   ISP_NAS(config)# vpdn-group group
         ISP_NAS(config-vpdn)# l2tp tunnel password tunnel-secret
         Enters VPDN group configuration mode and configures the tunnel secret that will be used for VPN
         tunnel authentication for this VPN group.
Step 2   ISP_NAS(config-vpdn)# local name tunnel-name
         ISP_NAS(config-vpdn)# exit
         ISP_NAS(config)# username tunnel-name password tunnel-secret
         (Optional) Configures the tunnel name of this router, then configures the other router’s tunnel
         name and the tunnel secret as a user name and password. If the other router uses the l2tp tunnel
         password command to configure the tunnel secret, these commands are not necessary.
         Note: The tunnel secret must be the same on both routers.

For sample VPN tunnel authentication configurations, see the “VPN Tunnel Authentication Examples”
section later in this chapter.
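What the tunnel secret is actually used for is a CHAP-style exchange during control connection setup (RFC 2661, sections 4.4.3 and 5.1.1): each endpoint answers the peer's Challenge AVP with MD5 over the message type octet, the shared secret and the challenge, where the message type is 2 for SCCRP and 3 for SCCCN. The following is an added example written for this page, not code from the guide or from Cisco IOS; the tunnel names and secrets in it are constructed, and the per-peer secret table stands in for the username entries described above.

```python
"""L2TP tunnel authentication as a CHAP-style challenge/response exchange.

Added example, not code from the Cisco guide or from Cisco IOS. It models
what the tunnel secret configured with `username <tunnel-name> password
<tunnel-secret>` or `l2tp tunnel password` is used for: during control
connection setup (RFC 2661, sections 4.4.3 and 5.1.1) each endpoint answers
the peer's Challenge AVP with MD5(message type octet || shared secret ||
challenge); the message type is 2 for SCCRP and 3 for SCCCN. Tunnel names
and secrets below are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Dict

# L2TP control message type codes, used as the one-octet CHAP "ID".
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(type || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelEndpoint:
    """A NAS (LAC) or tunnel server (LNS): its own tunnel name and the
    secrets it holds for peers, keyed by the peer's tunnel name just as the
    IOS username table is keyed."""

    def __init__(self, name: str, peer_secrets: Dict[str, str]):
        self.name = name
        self.secrets = {peer: s.encode() for peer, s in peer_secrets.items()}

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def respond(self, peer: str, msg_type: int, challenge: bytes) -> bytes:
        # A peer we hold no secret for still gets an answer, just a wrong one.
        return challenge_response(msg_type, self.secrets.get(peer, b""), challenge)

    def verify(self, peer: str, msg_type: int, challenge: bytes, response: bytes) -> bool:
        if peer not in self.secrets:
            return False  # no username entry for that tunnel name
        expected = challenge_response(msg_type, self.secrets[peer], challenge)
        return hmac.compare_digest(expected, response)


def establish_tunnel(lac: TunnelEndpoint, lns: TunnelEndpoint) -> bool:
    """Mutual authentication over SCCRQ -> SCCRP -> SCCCN. True only when
    each side proves knowledge of the secret the other holds for its name."""
    # SCCRQ: the LAC announces its tunnel name and challenges the LNS.
    lac_challenge = lac.new_challenge()
    # SCCRP: the LNS answers (ID = 2) and issues its own challenge.
    lns_response = lns.respond(lac.name, SCCRP, lac_challenge)
    lns_challenge = lns.new_challenge()
    if not lac.verify(lns.name, SCCRP, lac_challenge, lns_response):
        return False  # LAC sends StopCCN: LNS failed to prove the secret
    # SCCCN: the LAC answers the LNS's challenge (ID = 3).
    lac_response = lac.respond(lns.name, SCCCN, lns_challenge)
    return lns.verify(lac.name, SCCCN, lns_challenge, lac_response)


if __name__ == "__main__":
    nas = TunnelEndpoint("ISP_NAS", {"ENT_HGW": "tunnel-secret"})
    hgw = TunnelEndpoint("ENT_HGW", {"ISP_NAS": "tunnel-secret"})
    print("matching secrets:", establish_tunnel(nas, hgw))
    bad = TunnelEndpoint("ENT_HGW", {"ISP_NAS": "other-secret"})
    print("mismatched secrets:", establish_tunnel(nas, bad))
```

Two points the exchange makes visible: a mismatch in either the secret or the tunnel name on either side fails the tunnel, which is why the Note insists both routers hold the same secret under the other router's name; and the exchange only proves knowledge of the secret at setup. It does not encrypt the tunneled PPP frames, so an L2TP tunnel that crosses an untrusted network is normally carried inside IPsec.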
Configuring Client-Initiated Dial-In VPN
For client-initiated dial-in VPNs, complete the following tasks:
• Configuring a Tunnel Server to Accept PPTP Tunnels (Required)
• Configuring MPPE on the ISA Card (Optional)
• Tuning PPTP (Optional)
When configuring PPTP and MPPE, you should consider the following restrictions:
• Only Cisco Express Forwarding (CEF) and process switching are supported. Regular fast switching
is not supported.
• PPTP does not support multilink.
• VPDN multihop is not supported.
• Because all PPTP signaling is over TCP, TCP configurations will affect PPTP performance in
large-scale environments.
• MPPE is not supported with TACACS.
• MPPE is supported with RADIUS in Cisco IOS Releases 12.0(7)XE1 and later releases.
• Windows clients must use MS-CHAP authentication in order for MPPE to work.
• If you are performing mutual authentication with MS-CHAP and MPPE, both sides of the tunnel
must use the same password.
• To use MPPE with AAA, you must use a RADIUS server that supports the Microsoft Vendor specific
attribute for MPPE-KEYS. CiscoSecure NT supports MPPE beginning with release 2.6.
CiscoSecure UNIX does not support MPPE.
Configuring a Tunnel Server to Accept PPTP Tunnels
To configure a tunnel server to accept tunneled PPP connections from a client, use the following
commands beginning in global configuration mode:

Step 1   PNS(config)# vpdn-group 1
         Creates VPDN group 1.
Step 2   PNS(config-vpdn)# accept-dialin
         Enables the tunnel server to accept dial-in requests.
Step 3   PNS(config-vpdn-acc-in)# protocol pptp
         Specifies that the tunneling protocol will be PPTP.
Step 4   PNS(config-vpdn-acc-in)# virtual-template template-number
         Specifies the number of the virtual template that will be used to clone the virtual access
         interface.
Step 5   PNS(config-vpdn-acc-in)# exit
         Returns to VPDN group configuration mode.
Step 6   PNS(config-vpdn)# local name localname
         (Optional) Specifies that the tunnel server will identify itself with this local name. If no local
         name is specified, the tunnel server identifies itself with its host name.
Configuring MPPE on the ISA Card
To offload MPPE encryption from the tunnel server processor to the ISA card, use the following
commands beginning in global configuration mode:

Step 1   PNS(config)# controller isa slot/port
         Enters controller configuration mode on the ISA card.
Step 2   PNS(config-controller)# encryption mppe
         Enables MPPE encryption.

Tuning PPTP
To tune PPTP, use one or more of the following commands in VPDN configuration mode:

         PNS(config-vpdn)# pptp flow-control receive-window packets
         Specifies how many packets the client can send before it must wait for an acknowledgment from
         the tunnel server.
         PNS(config-vpdn)# pptp flow-control static-rtt milliseconds
         Specifies the timeout interval of the tunnel server between sending a packet to the client and
         receiving a response.
         PNS(config-vpdn)# pptp tunnel echo seconds
         Specifies the period of idle time on the tunnel that will trigger an echo message from the tunnel
         server to the client.

Configuring NAS-Initiated Dial-In VPN
The following tasks must be completed for NAS-initiated dial-in VPNs:
• Configuring a NAS to Request Dial-In (Required)
• Configuring a Tunnel Server to Accept Dial-In (Required)
• Creating the Virtual Template on the Network Server (Required)

Configuring a NAS to Request Dial-In
The NAS is a device that is typically (although not always) located at a service provider POP; initial
configuration and ongoing management are done by the service provider.
To configure a NAS to accept PPP calls and tunnel them to a tunnel server, use the following commands
beginning in global configuration mode:

Step 1   NAS(config)# vpdn-group 1
         Creates VPN group 1.
Step 2   NAS(config-vpdn)# request-dialin
         Enables the NAS to request L2F or L2TP dial-in tunnels.
Step 3   NAS(config-vpdn-req-in)# protocol [l2f | l2tp | any]
         Specifies which tunneling protocol is to be used.
Step 4   NAS(config-vpdn-req-in)# domain domain-name
         Specifies the domain name of the users that are to be tunneled.
         or
         NAS(config-vpdn-req-in)# dnis dnis-number
         Specifies the DNIS number of the users that are to be tunneled.
         You can configure multiple domain names and/or DNIS numbers for an individual request-dialin
         subgroup.
Step 5   NAS(config-vpdn-req-in)# exit
         NAS(config-vpdn)# initiate-to ip ip-address
         Specifies the IP address that the NAS will establish the tunnel with. This is the IP address of
         the tunnel server.
Step 6   NAS(config-vpdn)# vpdn search-order {domain | dnis | domain dnis | dnis domain}
         (Optional) Specifies the method used to determine whether a dial-in call should be tunneled. If
         both keywords are entered, the NAS searches the criteria in the order they are entered.

Configuring a Tunnel Server to Accept Dial-In
To configure a tunnel server to accept tunneled PPP connections from a NAS, use the following
commands beginning in global configuration mode.
The tunnel server is the termination point for a VPN tunnel. The tunnel server initiates outgoing calls to
and receives incoming calls from the NAS.

Step 1   LNS(config)# vpdn-group 1
         Creates VPN group 1.
Step 2   LNS(config-vpdn)# accept-dialin
         Enables the tunnel server to accept dial-in requests.
Step 3   LNS(config-vpdn-acc-in)# protocol [l2f | l2tp | any]
         Specifies which tunneling protocol is to be used.
Step 4   LNS(config-vpdn-acc-in)# virtual-template number
         Specifies the number of the virtual template that will be used to clone the virtual access
         interface.
Step 5   LNS(config-vpdn-acc-in)# exit
         LNS(config-vpdn)# terminate-from hostname hostname
         Accepts tunnels from the NAS that identifies itself with this host name (its hostname or its
         configured local name).

See the section “Tunnel Server Comprehensive Dial-in Configuration Example” later in this chapter for
a configuration example.

Creating the Virtual Template on the Network Server
At this point, you can configure the virtual template interface with the configuration parameters you want
applied to virtual access interfaces. A virtual template interface is a logical entity configured for a serial
interface. The virtual template interface is not tied to any physical interface and is applied dynamically,
as needed. Virtual access interfaces are cloned from a virtual template interface, used on demand, and
then freed when no longer needed.
To create and configure a virtual template interface, use the following commands beginning in global
configuration mode:

Step 1   HGW(config)# interface virtual-template number
         Creates the virtual template that is used to clone virtual access interfaces.
Step 2   HGW(config-if)# ip unnumbered interface-type number
         Specifies that the virtual access interfaces use the IP address of the specified interface.
Step 3   HGW(config-if)# ppp authentication {chap | pap | chap pap | pap chap}
         Enables PPP authentication (CHAP, PAP, or both) using the local username database.
Step 4   HGW(config-if)# peer default ip address pool pool
         Returns an IP address from the default pool to the client.
Step 5   HGW(config-if)# encapsulation ppp
         Enables PPP encapsulation.

Optionally, you can configure other commands for the virtual template interface. For more information
about configuring virtual template interfaces, refer to the “Configuring Virtual Template Interfaces”
chapter in this publication.

Configuring Dial-Out VPN
The following tasks must be completed for dial-out VPNs:
• Configuring a Tunnel Server to Request Dial-Out (Required)
• Configuring a NAS to Accept Dial-Out (Required)

Configuring a Tunnel Server to Request Dial-Out
To configure a tunnel server to request dial-out tunneled PPP connections to a NAS, use the following
commands beginning in global configuration mode:

Step 1   LNS(config)# vpdn-group 1
         Creates VPN group 1.
Step 2   LNS(config-vpdn)# request-dialout
         Enables the tunnel server to send L2TP dial-out requests.
Step 3   LNS(config-vpdn-req-ou)# protocol l2tp
         Specifies L2TP as the tunneling protocol.
         Note: L2TP is the only protocol that supports dial-out.
Step 4   LNS(config-vpdn-req-ou)# pool-member pool-number
         Specifies the dialer profile pool that will be used to dial out.
         or
         LNS(config-vpdn-req-ou)# rotary-group group-number
         Specifies the dialer rotary group that will be used to dial out.
         You can configure only one dialer profile pool or dialer rotary group. Attempting to configure a
         second dialer resource removes the first from the configuration.
Step 5   LNS(config-vpdn-req-ou)# exit
         LNS(config-vpdn)# initiate-to ip ip-address
         Specifies the IP address that will be dialed out to. This is the IP address of the NAS.
Step 6   LNS(config-vpdn)# local name hostname
         Specifies that the L2TP tunnel will identify itself with this host name.

Configuring a NAS to Accept Dial-Out
To configure a NAS to accept tunneled dial-out connections from a tunnel server, use the following
commands beginning in global configuration mode:

Step 1   NAS(config)# vpdn-group 1
         Creates VPN group 1.
Step 2   NAS(config-vpdn)# accept-dialout
         Enables the NAS to accept L2TP dial-out requests.
Step 3   NAS(config-vpdn-acc-ou)# protocol l2tp
         Specifies L2TP as the tunneling protocol.
         Note: L2TP is the only protocol that supports dial-out.
Step 4   NAS(config-vpdn-acc-ou)# dialer dialer-interface
         Specifies the dialer that is used to dial out to the client.
Step 5   NAS(config-vpdn-acc-ou)# exit
         NAS(config-vpdn)# terminate-from hostname hostname
         Accepts L2TP tunnels from the tunnel server that identifies itself with this host name (its
         hostname or its configured local name).

Configuring Advanced VPN Features
The following optional tasks provide advanced VPN features:
• Configuring Advanced Remote AAA Features
• Configuring Per-User VPN
• Configuring Preservation of IP ToS Field
• Shutting Down a VPN Tunnel
• Limiting the Number of Allowed Simultaneous VPN Sessions
• Enabling Soft Shutdown of VPN Tunnels
• Configuring Event Logging
• Setting the History Table Size

Configuring Advanced Remote AAA Features
This section describes the following two advanced remote AAA features for VPNs:
• Tunnel Server Load Balancing on the NAS AAA Server
• DNS Name Support
Tunnel Server Load Balancing on the NAS AAA Server
NAS AAA servers can forward users of the same domain name or DNIS to more than one tunnel server.
The NAS AAA server can be configured to balance the load of calls equally among the tunnel servers,
or it can designate different priority levels to the tunnel servers.
To configure load balancing on a NAS RADIUS server, configure multiple IP addresses in the
vpdn:ip-addresses attribute value (AV) pair. The IP addresses can be separated by either spaces or by
commas. The following example shows a profile that will equally balance the load between three tunnel
servers.
user = terrapin.com{
profile_id = 29
profile_cycle = 7
radius=Cisco {
check_items= {
2=cisco
}
reply_attributes= {
9,1="vpdn:l2tp-tunnel-password=cisco123"
9,1="vpdn:tunnel-type=l2tp"
9,1="vpdn:ip-addresses=172.16.171.11 172.16.171.12 172.16.171.13"
9,1="vpdn:tunnel-id=tunnel"
}
}
}
To specify different priorities for the tunnel servers, separate the priority groups with a slash. Calls
are balanced equally among the addresses within a group; a group after a slash is used only when every
tunnel server in the groups before it is unavailable. The following AV pair instructs the RADIUS server
to balance calls equally between 172.16.171.11 and 172.16.171.12 and, if both of those tunnel servers
are unavailable, to tunnel calls to 172.16.171.13:
9,1="vpdn:ip-addresses=172.16.171.11 172.16.171.12/172.16.171.13"
DNS Name Support
NAS AAA servers can resolve DNS names and translate them into IP addresses. The server will first
look up the name in its name cache. If the name is not in the name cache, the server will resolve the name
by using a DNS server. The following AV pair instructs the RADIUS server to resolve the DNS name
"terrapin" and tunnel calls to the appropriate IP addresses:
9,1="vpdn:ip-addresses=terrapin"
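The value syntax described above (spaces or commas within a tier, a slash between tiers, a DNS name allowed in place of an address) is small enough to implement and check directly. The following parser and selector are an added example, not code from this guide or from CiscoSecure ACS: the AV pair strings and availability sets are constructed, a DNS name is kept as an opaque token because the guide says the AAA server resolves it, and the round-robin choice within a tier is this example's own assumption about what equal balancing means.

```python
"""Interpret the RADIUS vpdn:ip-addresses AV pair used for tunnel server
load balancing and priority.

Added example, not code from the Cisco guide or from CiscoSecure ACS. It
implements the value syntax the guide describes: addresses separated by
spaces or commas form one tier whose members share calls equally, and a
slash starts the next, lower-priority tier, used only when every server in
the tiers above it is unavailable. A DNS name is kept as an opaque token.
The AV pair strings and availability sets are constructed for the example;
round-robin within a tier is this example's assumption about "equal".
"""
import re
from typing import Iterable, List

Tier = List[str]


def parse_ip_addresses(value: str) -> List[Tier]:
    """'a b/c' -> [['a', 'b'], ['c']]. Empty tiers are dropped."""
    tiers: List[Tier] = []
    for chunk in value.split("/"):
        hosts = [h for h in re.split(r"[\s,]+", chunk.strip()) if h]
        if hosts:
            tiers.append(hosts)
    return tiers


def parse_av_pair(av_pair: str) -> List[Tier]:
    """Accept the attribute as written in a CiscoSecure profile, for example
    9,1="vpdn:ip-addresses=172.16.171.11 172.16.171.12/172.16.171.13"."""
    m = re.search(r'vpdn:ip-addresses=([^"]*)', av_pair)
    if m is None:
        raise ValueError("not a vpdn:ip-addresses AV pair")
    return parse_ip_addresses(m.group(1))


def candidates(tiers: List[Tier], available: Iterable[str]) -> Tier:
    """Members of the highest-priority tier that still has an available
    server, in profile order; empty when nothing is reachable."""
    up = set(available)
    for tier in tiers:
        live = [h for h in tier if h in up]
        if live:
            return live
    return []


def pick(tiers: List[Tier], available: Iterable[str], call_index: int) -> str:
    """Round-robin across the candidates (assumed equal balancing)."""
    live = candidates(tiers, available)
    if not live:
        raise RuntimeError("no tunnel server available")
    return live[call_index % len(live)]


if __name__ == "__main__":
    tiers = parse_av_pair('9,1="vpdn:ip-addresses=172.16.171.11 172.16.171.12/172.16.171.13"')
    print(tiers)
    all_up = {"172.16.171.11", "172.16.171.12", "172.16.171.13"}
    print([pick(tiers, all_up, i) for i in range(4)])
    print(pick(tiers, {"172.16.171.13"}, 0))
```

The point worth keeping in mind when writing these profiles is that a server in a lower tier never receives a call while any server in a higher tier is up, so a single slash-separated backup only carries load during an outage.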
For detailed information about remote AAA configuration, refer to the CiscoSecure ACS documentation
at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/index.htm.
Configuring Per-User VPN
In a VPN that uses remote AAA, when a user dials in, the access server that receives the call forwards
information about the user to its remote AAA server. With basic VPN, the access server sends only the
user domain name (when tunneling based on domain name) or the telephone number the user dialed
(when tunneling based on DNIS).
Per-user VPN configuration sends the entire structured username to the AAA server the first time the
router contacts the AAA server. This enables Cisco IOS software to customize tunnel attributes for
individual users who share a common domain name or DNIS.
Without per-user VPN configuration, Cisco IOS software sends only the domain name or DNIS to
determine VPN tunnel attribute information. Then, if no VPN tunnel attributes are returned, Cisco IOS
software sends the entire username string.
Note Per-user VPN configuration supports only RADIUS as the AAA protocol.
To configure per-user VPN, use the following commands beginning in global configuration mode:

Step 1   Router(config)# vpdn-group group-number
         Enters VPN group configuration mode.
Step 2   Router(config-vpdn)# authen before-forward
         Specifies that the entire structured username be sent to the AAA server the first time the router
         contacts the AAA server.

Configuring Preservation of IP ToS Field
When L2TP data packets are created, they have a type of service (ToS) field of zero, which indicates
normal service. This ignores the ToS field of the encapsulated IP packets that are being tunneled.
To preserve quality of service (QoS) for tunneled packets by copying the ToS field of the IP packets
onto the L2TP data packets when they are created at the tunnel server virtual access interface, use the
following commands beginning in global configuration mode:
Note The tunneled link must carry IP for the ToS field to be preserved. The encapsulated payload of
Multilink PPP (MLP) connections is not IP, so this task has no effect when MLP is tunneled.
Note Proxy PPP dial-in is not supported.

Step 1   LNS(config)# vpdn-group 1
         Creates VPN group 1.
Step 2   LNS(config-vpdn)# accept-dialin
         Enables the tunnel server to accept dial-in requests.
         or
         LNS(config-vpdn)# request-dialout
         Enables the tunnel server to send L2TP dial-out requests.
Step 3   LNS(config-vpdn-acc-in)# protocol l2tp
         or
         LNS(config-vpdn-req-ou)# protocol l2tp
         Specifies L2TP as the tunneling protocol.
         Note: L2TP is the only protocol that supports dial-out and IP ToS preservation.
Step 4   LNS(config-vpdn-acc-in)# exit
         or
         LNS(config-vpdn-req-ou)# exit
         Returns to VPDN group configuration mode.
Step 5   LNS(config-vpdn)# ip tos reflect
         Preserves the ToS field of the encapsulated IP packets.
Shutting Down a VPN Tunnel
To shut down a VPN tunnel, use the following command in privileged EXEC mode:

         Router# clear vpdn tunnel {l2f nas-name hgw-name | l2tp [remote-name] [local-name]}
         Shuts down a specific tunnel and all the sessions within the tunnel.

Limiting the Number of Allowed Simultaneous VPN Sessions
To set a limit for the maximum number of allowed simultaneous VPN sessions, use the following
command in global configuration mode:

         Router(config)# vpdn session-limit sessions
         Limits the number of simultaneous VPN sessions on the router to the number specified with the
         sessions argument.

To verify that the vpdn session-limit command is working properly, perform the following steps:
Note If you use a Telnet session to connect to the NAS, enable the terminal monitor command, which
ensures that your EXEC session receives the logging and debug output from the NAS.
Step 1 Enter the vpdn session-limit 1 global configuration command on either the NAS or tunnel server.
Step 2 Establish a VPN session by dialing in to the NAS using an allowed username and password.
Step 3 Attempt to establish another VPN session by dialing in to the NAS using another allowed username and
password.
Step 4 A Syslog message similar to the following should appear on the console of the router:
00:11:17:%VPDN-6-MAX_SESS_EXCD:L2F HGW great_went has exceeded configured local
session-limit and rejected user wilson@soam.com
Step 5 Enter the show vpdn history failure command on the router. If you see output similar to the following,
the session limit was successful:
User:wilson@soam.com
NAS:cliford_ball, IP address = 172.25.52.8, CLID = 2
Gateway:great_went, IP address = 172.25.52.7, CLID = 13
Log time:00:04:21, Error repeat count:1
Failure type:Exceeded configured VPDN maximum session limit.
Failure reason:
Enabling Soft Shutdown of VPN Tunnels
To prevent new sessions from being established on a VPN tunnel without disturbing the service of
existing sessions, use the following command in global configuration mode:

         Router(config)# vpdn softshut
         Prevents new sessions from being established on a VPN tunnel without disturbing existing
         sessions. When the vpdn softshut command is enabled, Multichassis Multilink PPP (MMP) L2F
         tunnels can still be created and established.

When the vpdn softshut command is enabled on a NAS, a potential session is authorized before it is
refused. This authorization ensures that accurate accounting records can be kept.
When the vpdn softshut command is enabled on a tunnel server, the reason for the session refusal is
returned to the NAS. This information is recorded in the VPN history failure table.
To verify that the vpdn softshut command is working properly, perform the following steps:
Step 1 Establish a VPN session by dialing in to the NAS using an allowed username and password.
Step 2 Enter the vpdn softshut global configuration command on either the NAS or the tunnel server.
Step 3 Verify that the original session is still active by entering the show vpdn command:
ENT_HGW# show vpdn
% No active L2TP tunnels
L2F Tunnel and Session
NAS CLID HGW CLID NAS Name HGW Name State
36 1 cliford_ball great_went open
172.25.52.8 172.25.52.7
CLID MID Username Intf State
36 1 mockingbird@gamehendge.com Vi1 open
Step 4 Attempt to establish another VPN session by dialing in to the NAS using another allowed username and
password.
Step 5 A Syslog message similar to the following should appear on the console of the soft shutdown router:
00:11:17:%VPDN-6-SOFTSHUT:L2F HGW great_went has turned on softshut and rejected user
wilson@soam.com
Step 6 Enter the show vpdn history failure command on the soft shutdown router. If you see output similar to
the following, the soft shutdown was successful:
User:wilson@soam.com
NAS:cliford_ball, IP address = 172.25.52.8, CLID = 2
Gateway:great_went, IP address = 172.25.52.7, CLID = 13
Log time:00:04:21, Error repeat count:1
Failure type:VPDN softshut has been activated.
Failure reason:
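The session-limit and softshut verification steps above both end in the same two artifacts: a %VPDN-6 syslog message naming the gateway and the rejected user, and an entry in the failure history table. The following parser is an added example, not code from this guide or from Cisco IOS; its sample input is the syslog lines and history entries shown in those steps (joined onto single lines), while the regular expression, the record layout and the summary are this example's own choices.

```python
"""Parse the evidence a rejected VPDN session leaves behind: the
%VPDN-6-MAX_SESS_EXCD and %VPDN-6-SOFTSHUT syslog messages and the entries
of `show vpdn history failure`.

Added example, not code from the Cisco guide or from Cisco IOS. The sample
syslog lines and history entries are the ones shown in the guide's
verification steps for vpdn session-limit and vpdn softshut (joined onto
single lines), plus one unrelated syslog line; the regular expression, the
record layout and the summary function are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SAMPLE_SYSLOG = [
    "00:11:17:%VPDN-6-MAX_SESS_EXCD:L2F HGW great_went has exceeded configured "
    "local session-limit and rejected user wilson@soam.com",
    "00:11:17:%VPDN-6-SOFTSHUT:L2F HGW great_went has turned on softshut and "
    "rejected user wilson@soam.com",
    "00:12:03:%SYS-5-CONFIG_I: Configured from console by console",  # not VPDN
]

SAMPLE_HISTORY = """\
User:wilson@soam.com
NAS:cliford_ball, IP address = 172.25.52.8, CLID = 2
Gateway:great_went, IP address = 172.25.52.7, CLID = 13
Log time:00:04:21, Error repeat count:1
Failure type:Exceeded configured VPDN maximum session limit.
Failure reason:
User:wilson@soam.com
NAS:cliford_ball, IP address = 172.25.52.8, CLID = 2
Gateway:great_went, IP address = 172.25.52.7, CLID = 13
Log time:00:04:21, Error repeat count:1
Failure type:VPDN softshut has been activated.
Failure reason:
"""

SYSLOG_RE = re.compile(
    r"%VPDN-6-(?P<mnemonic>MAX_SESS_EXCD|SOFTSHUT):"
    r"(?P<proto>L2F|L2TP) (?P<role>\S+) (?P<gateway>\S+) has .*?rejected user (?P<user>\S+)"
)


@dataclass
class Rejection:
    mnemonic: str
    protocol: str
    gateway: str
    user: str


def parse_syslog(lines: Iterable[str]) -> List[Rejection]:
    """Keep only VPDN rejection messages; other syslog lines are skipped."""
    found: List[Rejection] = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            found.append(Rejection(m["mnemonic"], m["proto"], m["gateway"], m["user"]))
    return found


@dataclass
class FailureEntry:
    user: str
    nas: str
    nas_ip: str
    gateway: str
    gateway_ip: str
    failure_type: str


def _name_and_ip(field: str) -> Tuple[str, str]:
    """'cliford_ball, IP address = 172.25.52.8, CLID = 2' -> (name, ip)."""
    parts = [p.strip() for p in field.split(",")]
    ip = next((p.split("=", 1)[1].strip() for p in parts[1:] if p.startswith("IP address")), "")
    return parts[0], ip


def parse_history_failure(text: str) -> List[FailureEntry]:
    """Each entry starts at a 'User:' line; fields missing from an entry stay empty."""
    entries: List[FailureEntry] = []
    cur: Dict[str, str] = {}

    def flush() -> None:
        if cur:
            entries.append(FailureEntry(
                cur.get("user", ""), cur.get("nas", ""), cur.get("nas_ip", ""),
                cur.get("gateway", ""), cur.get("gateway_ip", ""), cur.get("failure_type", "")))

    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        if key == "User":
            flush()
            cur = {"user": value.strip()}
        elif key == "NAS":
            cur["nas"], cur["nas_ip"] = _name_and_ip(value)
        elif key == "Gateway":
            cur["gateway"], cur["gateway_ip"] = _name_and_ip(value)
        elif key == "Failure type":
            cur["failure_type"] = value.strip()
    flush()
    return entries


def count_by_failure_type(entries: Iterable[FailureEntry]) -> Dict[str, int]:
    """How many history entries each failure type accounts for."""
    return dict(Counter(e.failure_type for e in entries))


if __name__ == "__main__":
    for r in parse_syslog(SAMPLE_SYSLOG):
        print(r)
    print(count_by_failure_type(parse_history_failure(SAMPLE_HISTORY)))
```

Feeding the parsed records into whatever collects the router's syslog makes the difference between the two cases visible: a burst of MAX_SESS_EXCD rejections for many users points at an exhausted limit, while SOFTSHUT rejections are the expected result of a deliberate drain.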
Configuring Event Logging
The Syslog mechanism provides generic and failure event logging. Generic logging is a mixture of
error, warning, notification, and information logging for VPN. Logging can be done locally or at a
remote tunnel destination. Both generic and failure event logging are enabled by default; therefore, if you
wish to disable VPN failure events you must specifically configure the router or access server to do so.
To control whether the router logs VPN generic or history events, use the following commands in global
configuration mode (use the no form of a command to disable that logging):

         Router(config)# vpdn logging [local | remote]
         Enables generic event logging, locally or at a remote endpoint.
         Router(config)# vpdn history failure
         Enables the logging of failure events to the failure history table.
         Note: By default, VPN failure history logging is enabled.

Setting the History Table Size
You can set the failure history table to a specific number of entries based on the amount of data you
wish to track. To set the failure history table size, use the following command in global configuration
mode:

         Router(config)# vpdn history failure table-size entries
         (Optional) Sets the failure history table depth.

Verifying VPN Sessions
The following sections detail the procedures used for verifying VPN sessions:
• Verifying a Client-Initiated VPN
• Verifying a NAS-Initiated VPN

Verifying a Client-Initiated VPN
To verify that a PPTP network functions properly, complete the following verification steps:
Step 1 From the client, dial in to the ISP and establish a PPP session.
Step 2 From the client, dial in to the tunnel server.
Step 3 From the client, ping the tunnel server. From the client desktop:
a. Click Start.
b. Select Run.
c. Enter ping tunnel-server-ip-address.
d. Click OK.
e. Look at the terminal screen and verify that the tunnel server is sending ping reply packets to the
client.
Step 4 From the tunnel server, enter the show vpdn command and verify that the client has established a PPTP
session.
PNS# show vpdn
% No active L2TP tunnels
% No active L2F tunnels
PPTP Tunnel and Session Information (Total tunnels=1 sessions=1)
LocID RemID Remote Name State Remote Address Port Sessions
13 13 10.1.2.41 estabd 10.1.2.41 1136 1
LocID RemID TunID Intf Username State Last Chg
13 0 13 Vi3 estabd 000030
Step 5 For more detailed information, enter the show vpdn session all or show vpdn session window
commands. The last line of output from the show vpdn session all command indicates the current status
of the flow control alarm.
PNS# show vpdn session all
% No active L2TP tunnels
% No active L2F tunnels
PPTP Session Information (Total tunnels=1 sessions=1)
Call id 13 is up on tunnel id 13
Remote tunnel name is 10.1.2.41
Internet Address is 10.1.2.41
Session username is unknown, state is estabd
Time since change 000106, interface Vi3
Remote call id is 0
10 packets sent, 10 received, 332 bytes sent, 448 received
Ss 11, Sr 10, Remote Nr 10, peer RWS 16
0 out of order packets
Flow alarm is clear.
The last line of output from the show vpdn session window command indicates the current status of the
flow control alarm (under the heading “Congestion”) and the number of flow control alarms that have
gone off during the session (under the heading “Alarms”).
PNS# show vpdn session window
% No active L2TP tunnels
% No active L2F tunnels
PPTP Session Information (Total tunnels=1 sessions=1)
LocID RemID TunID ZLB-tx ZLB-rx Congestion Alarms Peer-RWS
13 0 13 0 1 clear 0 16
Step 6 For information on the virtual-access interface, enter the show ppp mppe virtual-access number
command:
PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
packets encrypted = 0 packets decrypted = 1
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 0
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0
To update the key change information, reissue the show ppp mppe virtual-access3 command.
PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
packets encrypted = 0 packets decrypted = 1
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 1
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0
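As an added example (not part of the guide), the following Python turns the verification steps above into automated checks: it parses the show vpdn session window table, the flow alarm line of show vpdn session all, and two snapshots of the show ppp mppe counters, and reports anything a healthy PPTP/MPPE session should not show. The sample output is copied from this page; the function names are this example's own.

```python
"""Health checks over the 'show' output collected in the PPTP verification
steps (added example; the sample output is the guide's own, embedded here
as constructed strings)."""
import re
from typing import Dict, List

SESSION_WINDOW = """PNS# show vpdn session window
% No active L2TP tunnels
% No active L2F tunnels
PPTP Session Information (Total tunnels=1 sessions=1)
LocID RemID TunID ZLB-tx ZLB-rx Congestion Alarms Peer-RWS
13 0 13 0 1 clear 0 16
"""
SESSION_ALL = """PPTP Session Information (Total tunnels=1 sessions=1)
Call id 13 is up on tunnel id 13
Session username is unknown, state is estabd
10 packets sent, 10 received, 332 bytes sent, 448 received
Ss 11, Sr 10, Remote Nr 10, peer RWS 16
0 out of order packets
Flow alarm is clear.
"""
MPPE_BEFORE = """Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
packets encrypted = 0 packets decrypted = 1
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 0
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0
"""
# Second snapshot, as in the guide: only the rx key change counter has moved.
MPPE_AFTER = MPPE_BEFORE.replace("rx key changes = 0", "rx key changes = 1")

# Counters that should never rise between two snapshots of a healthy session.
ERROR_COUNTERS = ("rx pkt dropped", "rx out of order pkt", "rx missed packets",
                  "receive CCP resets", "sent CCP resets")


def parse_session_window(text: str) -> List[Dict[str, str]]:
    """Return one dict per session row of 'show vpdn session window',
    keyed by the column headers (LocID ... Peer-RWS)."""
    rows: List[Dict[str, str]] = []
    headers: List[str] = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["LocID"]:
            headers = parts
        elif headers and len(parts) == len(headers) and parts[0].isdigit():
            rows.append(dict(zip(headers, parts)))
    return rows


def parse_mppe_counters(text: str) -> Dict[str, int]:
    """Parse the 'name = value' pairs of 'show ppp mppe virtual-access N'
    (two per line) into a dict. The lookbehind keeps 'flow_id=13' in the
    hardware line from being read as a counter named 'id'."""
    pairs = re.findall(r"(?<![A-Za-z_])([A-Za-z][A-Za-z ]*?)\s*=\s*(\d+)", text)
    return {name.strip(): int(value) for name, value in pairs}


def check_session(window: str, session_all: str,
                  mppe_before: str, mppe_after: str) -> Dict[str, object]:
    """Apply the checks from the verification steps. 'findings' is empty for
    a healthy session; 'key_changes' is the (tx, rx) key change delta."""
    findings: List[str] = []
    rows = parse_session_window(window)
    if not rows:
        findings.append("no PPTP session row in 'show vpdn session window'")
    for row in rows:
        # Congestion mirrors the flow control alarm; Alarms counts how often
        # it has gone off during the session.
        if row["Congestion"] != "clear":
            findings.append(f"session {row['LocID']}: flow control alarm is {row['Congestion']}")
        if int(row["Alarms"]) > 0:
            findings.append(f"session {row['LocID']}: {row['Alarms']} flow control alarm(s) fired")
    if "state is estabd" not in session_all:
        findings.append("session state is not estabd")
    if "Flow alarm is clear" not in session_all:
        findings.append("'show vpdn session all' does not report a clear flow alarm")
    before, after = parse_mppe_counters(mppe_before), parse_mppe_counters(mppe_after)
    for name in ERROR_COUNTERS:
        if after.get(name, 0) > before.get(name, 0):
            findings.append(f"MPPE '{name}' rose from {before.get(name, 0)} to {after.get(name, 0)}")
    key_changes = (after.get("tx key changes", 0) - before.get("tx key changes", 0),
                   after.get("rx key changes", 0) - before.get("rx key changes", 0))
    return {"key_changes": key_changes, "findings": findings}


if __name__ == "__main__":
    print(check_session(SESSION_WINDOW, SESSION_ALL, MPPE_BEFORE, MPPE_AFTER))
```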
Verifying a NAS-Initiated VPN
This section describes how to verify that an L2F dial-in scenario functions as shown in Figure 78. To
verify connectivity, complete the following verification steps:
• Step 1: Dialing In to the NAS
• Step 2: Pinging the Tunnel Server
• Step 3: Displaying Active Call Statistics on the Tunnel Server
• Step 4: Pinging the Client
• Step 5: Verifying That the Virtual-Access Interface Is Up and That LCP Is Open
• Step 6: Viewing Active L2F Tunnel Statistics
Figure 78 L2F Dial-In Topology Using Remote AAA
Step 1 From the client, dial in to the NAS by using the PRI telephone number assigned to the NAS T1 trunks.
Sometimes this telephone number is called the hunt group number.
As the call comes in to the NAS, a LINK-3-UPDOWN message automatically appears on the NAS
terminal screen. In the following example, the call comes in to the NAS on asynchronous interface 14.
The asynchronous interface is up.
*Jan 1 21:22:18.410: %LINK-3-UPDOWN: Interface Async14, changed state to up
Note No debug commands are turned on to display this log message. Start troubleshooting the NAS if you
do not see this message 30 seconds after the client first sends the call.
Step 2 From the client, ping the tunnel server. From the client Windows 95 desktop, perform the following
steps:
a. Click Start.
b. Select Run.
c. Enter the ping ip-address command, where the IP address is the tunnel server address.
d. Click OK.
e. Look at the terminal screen and verify that the tunnel server is sending ping reply packets to
the client.
[Figure 78, L2F Dial-In Topology Using Remote AAA (image not reproduced). Elements shown: clients using
modems; POTS lines; PSTN and ISDN with 4 T1 PRI lines; Cisco AS5300 NAS on the ISP network; CiscoSecure
ACS on a UNIX server and on an NT server; Ethernet segments; L2F tunnel across a Frame Relay data network
via a Cisco 7500 edge router; Cisco 7206 home gateway on the enterprise customer network; addresses
172.22.66.23, 172.22.66.18, and 172.22.66.13.]
Step 3 From the tunnel server, enter the show caller command and the show caller user name command to
verify that the client received an IP address. The following example shows that Jeremy is using interface
virtual-access 1 and IP address 172.30.2.1. The network administrator jane-admin is using console 0.
ENT_HGW# show caller
Line User Service Active
con 0 jane-admin TTY 00:00:25
Vi1 jeremy@hgw.com PPP L2F 00:01:28
ENT_HGW# show caller user jeremy@hgw.com
User: jeremy@hgw.com, line Vi1, service PPP L2F, active 00:01:35
PPP: LCP Open, CHAP (<- AAA), IPCP
IP: Local 172.22.66.25, remote 172.30.2.1
VPDN: NAS ISP_NAS, MID 1, MID open
HGW ENT_HGW, NAS CLID 36, HGW CLID 1, tunnel open
Counts: 105 packets input, 8979 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun
18 packets output, 295 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
Step 4 From the tunnel server, ping Jeremy’s PC at IP address 172.30.2.1:
ENT_HGW# ping 172.30.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/132/152 ms
Step 5 From the tunnel server, enter the show interface virtual-access 1 command to verify that the interface
is up, that LCP is open, and that no errors are reported:
ENT_HGW# show interface virtual-access 1
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of FastEthernet0/0 (172.22.66.25)
MTU 1500 bytes, BW 115 Kbit, DLY 100000 usec,
reliablility 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
LCP Open
Open: IPCP
Last input 00:00:02, output never, output hang never
Last clearing of "show interface" counters 3d00h
Queueing strategy: fifo
Output queue 1/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
114 packets input, 9563 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
27 packets output, 864 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Step 6 From the tunnel server, display active tunnel statistics by entering the show vpdn command and the
show vpdn tunnel all command:
ENT_HGW# show vpdn
% No active L2TP tunnels
L2F Tunnel and Session
NAS CLID HGW CLID NAS Name HGW Name State
36 1 ISP_NAS ENT_HGW open
172.22.66.23 172.22.66.25
CLID MID Username Intf State
36 1 jeremy@hgw.com Vi1 open
ENT_HGW# show vpdn tunnel all
% No active L2TP tunnels
L2F Tunnel
NAS name: ISP_NAS
NAS CLID: 36
NAS IP address 172.22.66.23
Gateway name: ENT_HGW
Gateway CLID: 1
Gateway IP address 172.22.66.25
State: open
Packets out: 52
Bytes out: 1799
Packets in: 100
Bytes in: 7143
Monitoring and Maintaining VPNs
To display useful information for monitoring and maintaining VPN sessions, use the following
commands in privileged EXEC mode:
Router# clear vpdn tunnel [pptp | l2f | l2tp] network-access-server gateway-name
    Shuts down a specific tunnel and all the sessions within the tunnel.
Router# show interface virtual access number
    Displays information about the virtual access interface, LCP, protocol states, and interface
    statistics. The status of the virtual access interface should be:
    Virtual-Access3 is up, line protocol is up
Router# show vpdn
    Displays a summary of all active VPN tunnels.
Router# show vpdn domain
    Displays all VPN domains and DNIS groups configured on the NAS.
Router# show vpdn group [name | name domain | name endpoint]
    Displays a summary of the relationships among VPDN groups and customer/VPDN profiles. When you
    include the name of the VPDN group, the output displays information on domain/DNIS, tunnel
    endpoint, session limits, group priority, active sessions, group status, and reserved sessions.
Router# show vpdn history failure
    Displays information about VPN user failures.
Router# show vpdn multilink
    Displays VPN multilink information.
Router# show vpdn session [all | packets | sequence | state | timers | window] [interface | tunnel | username]
    Displays VPN session information including interface, tunnel, username, packets, status, and
    window statistics.
Router# show vpdn tunnel [all | packets | state | summary | transport] [id | local-name | remote-name]
    Displays VPN tunnel information including tunnel protocol, ID, local and remote tunnel names,
    packets sent and received, tunnel, and transport status.
Troubleshooting VPNs
Troubleshooting components in VPN is not always straightforward because there are multiple
technologies and OSI layers involved. To display detailed messages about VPN and VPN-related events,
use the following commands in EXEC mode:
Router# debug aaa authentication
    Displays information on AAA authentication.
Router# debug aaa authorization
    Displays information on AAA authorization.
Router# debug ppp chap
    Displays CHAP packet exchanges.
Router# debug ppp mppe
    Displays debug messages for MPPE events.
Router# debug ppp negotiation
    Displays information about packets sent during PPP startup and detailed PPP negotiation options.
Router# debug vpdn error
    Displays errors that prevent a tunnel from being established or errors that cause an established
    tunnel to be closed.
Router# debug vpdn event
    Displays messages about events that are part of normal tunnel establishment or shutdown.
Router# debug vpdn l2tp-sequencing
    Displays messages about L2TP tunnel sequencing.
Router# debug vpdn l2x-data
    Displays messages about L2F and L2TP data information.
Router# debug vpdn l2x-errors
    Displays L2F and L2TP protocol errors that prevent L2F and L2TP establishment or prevent normal
    operation.
Router# debug vpdn l2x-events
    Displays messages about events that are part of normal tunnel establishment or shutdown for L2F
    and L2TP.
Router# debug vpdn l2x-packets
or
Router# debug vpdn packet
    Displays each protocol packet exchanged. This option may result in a large number of debug
    messages and should generally be used only on a debug chassis with a single active session.
Successful Debug Examples
The following sections provide examples of debug output from successful VPN sessions:
• L2TP Dial-In Debug Output on NAS Example
• L2TP Dial-In Debug Output on a Tunnel Server Example
• L2TP Dial-Out Debug Output on a NAS Example
• L2TP Dial-Out Debug Output on a Tunnel Server Example
Figure 79 shows the topology used for the L2TP dial-in debug examples.
Figure 79 Topology Diagram for L2TP Dial-In Debug Example
L2TP Dial-In Debug Output on NAS Example
The following is debug output from a successful L2TP dial-in session on a NAS for the topology shown
in Figure 79:
DJ# debug vpdn event
VPDN events debugging is on
DJ# debug vpdn l2x-events
L2X protocol events debugging is on
DJ# show debugging
VPN:
L2X protocol events debugging is on
VPDN events debugging is on
DJ#
20:47:33: %LINK-3-UPDOWN: Interface Async7, changed state to up
20:47:35: As7 VPDN: Looking for tunnel -- hoser.com --
20:47:35: As7 VPDN: Get tunnel info for hoser.com with NAS DJ, IP 172.21.9.13
20:47:35: As7 VPDN: Forward to address 172.21.9.13
20:47:35: As7 VPDN: Forwarding...
20:47:35: As7 VPDN: Bind interface direction=1
20:47:35: Tnl/Cl 8/1 L2TP: Session FS enabled
20:47:35: Tnl/Cl 8/1 L2TP: Session state change from idle to wait-for-tunnel
[Figure 79, Topology Diagram for L2TP Dial-In Debug Example (image not reproduced): dial client, ISP or
PSTN, LAC = DJ, L2TP tunnel, LNS = partner, corporate network. The figure shows the following two
configurations.]
LAC (DJ) configuration:
aaa new-model
aaa authentication ppp default local
username DJ password 7464756565656B
vpdn enable
vpdn group 1
 request dialin l2tp ip 172.21.9.13 domain cisco.com
LNS (partner) configuration:
aaa new-model
aaa authentication ppp default local
username DJ password 7464756565656B
interface virtual-template 1
 ip unnumbered ethernet0
 no ip mroute-cache
 ppp authentication chap
vpdn enable
vpdn group 1
 accept dialin l2tp virtual-template 1 remote DJ
20:47:35: As7 8/1 L2TP: Create session
20:47:35: Tnl 8 L2TP: SM State idle
20:47:35: Tnl 8 L2TP: Tunnel state change from idle to wait-ctl-reply
20:47:35: Tnl 8 L2TP: SM State wait-ctl-reply
20:47:35: As7 VPDN: kath@hoser.com is forwarded
20:47:35: Tnl 8 L2TP: Got a challenge from remote peer, DJ
20:47:35: Tnl 8 L2TP: Got a response from remote peer, DJ
20:47:35: Tnl 8 L2TP: Tunnel Authentication success
20:47:35: Tnl 8 L2TP: Tunnel state change from wait-ctl-reply to established
20:47:35: Tnl 8 L2TP: SM State established
20:47:35: As7 8/1 L2TP: Session state change from wait-for-tunnel to wait-reply
20:47:35: As7 8/1 L2TP: Session state change from wait-reply to established
20:47:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async7, changed state to up
L2TP Dial-In Debug Output on a Tunnel Server Example
The following is debug output from a successful L2TP dial-in session on a tunnel server for the topology
shown in Figure 79:
tunnel# debug vpdn l2x-events
L2X protocol events debugging is on
20:19:17: L2TP: I SCCRQ from DJ tnl 8
20:19:17: L2X: Never heard of DJ
20:19:17: Tnl 7 L2TP: New tunnel created for remote DJ, address 172.21.9.4
20:19:17: Tnl 7 L2TP: Got a challenge in SCCRQ, DJ
20:19:17: Tnl 7 L2TP: Tunnel state change from idle to wait-ctl-reply
20:19:17: Tnl 7 L2TP: Got a Challenge Response in SCCCN from DJ
20:19:17: Tnl 7 L2TP: Tunnel Authentication success
20:19:17: Tnl 7 L2TP: Tunnel state change from wait-ctl-reply to established
20:19:17: Tnl 7 L2TP: SM State established
20:19:17: Tnl/Cl 7/1 L2TP: Session FS enabled
20:19:17: Tnl/Cl 7/1 L2TP: Session state change from idle to wait-for-tunnel
20:19:17: Tnl/Cl 7/1 L2TP: New session created
20:19:17: Tnl/Cl 7/1 L2TP: O ICRP to DJ 8/1
20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-for-tunnel to wait-connect
20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-connect to established
20:19:17: Vi1 VPDN: Virtual interface created for kath@hoser.com
20:19:17: Vi1 VPDN: Set to Async interface
20:19:17: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
20:19:18: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
20:19:18: Vi1 VPDN: Bind interface direction=2
20:19:18: Vi1 VPDN: PPP LCP accepting rcv CONFACK
20:19:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state
to up
L2TP Dial-Out Debug Output on a NAS Example
The following is sample output from the debug dialer events and show debugging EXEC commands
for a successful dial-out session on a NAS:
NAS# debug dialer events
Dial on demand events debugging is on
NAS# show debugging
Dial on demand:
Dial on demand events debugging is on
VPN:
L2X protocol events debugging is on
VPDN events debugging is on
NAS#
*Mar 1 00:05:26.155:%SYS-5-CONFIG_I:Configured from console by console
*Mar 1 00:05:26.899:%SYS-5-CONFIG_I:Configured from console by console
*Mar 1 00:05:36.195:L2TP:I SCCRQ from lns_l2x0 tnl 1
*Mar 1 00:05:36.199:Tnl 1 L2TP:New tunnel created for remote lns_l2x0, address
10.40.1.150
*Mar 1 00:05:36.203:Tnl 1 L2TP:Got a challenge in SCCRQ, lns_l2x0
*Mar 1 00:05:36.207:Tnl 1 L2TP:O SCCRP to lns_l2x0 tnlid 1
*Mar 1 00:05:36.215:Tnl 1 L2TP:Tunnel state change from idle to wait-ctl-reply
*Mar 1 00:05:36.231:Tnl 1 L2TP:I SCCCN from lns_l2x0 tnl 1
*Mar 1 00:05:36.235:Tnl 1 L2TP:Got a Challenge Response in SCCCN from lns_l2x0
*Mar 1 00:05:36.239:Tnl 1 L2TP:Tunnel Authentication success
*Mar 1 00:05:36.239:Tnl 1 L2TP:Tunnel state change from wait-ctl-reply to established
*Mar 1 00:05:36.243:Tnl 1 L2TP:SM State established
*Mar 1 00:05:36.251:Tnl 1 L2TP:I OCRQ from lns_l2x0 tnl 1
*Mar 1 00:05:36.255:Tnl/Cl 1/1 L2TP:Session sequencing disabled
*Mar 1 00:05:36.259:Tnl/Cl 1/1 L2TP:Session FS enabled
*Mar 1 00:05:36.259:Tnl/Cl 1/1 L2TP:New session created
*Mar 1 00:05:36.263:12C:Same state, 0
*Mar 1 00:05:36.267:DSES 12C:Session create
*Mar 1 00:05:36.271:L2TP:Send OCRP
*Mar 1 00:05:36.275:Tnl/Cl 1/1 L2TP:Session state change from idle to wait-cs-answer
*Mar 1 00:05:36.279:DSES 0x12C:Building dialer map
*Mar 1 00:05:36.283:Dialout 0x12C:Next hop name is 71014
*Mar 1 00:05:36.287:Serial0:23 DDR:rotor dialout [priority]
*Mar 1 00:05:36.291:Serial0:23 DDR:Dialing cause dialer session 0x12C
*Mar 1 00:05:36.291:Serial0:23 DDR:Attempting to dial 71014
*Mar 1 00:05:36.479:%LINK-3-UPDOWN:Interface Serial0:22, changed state to up
*Mar 1 00:05:36.519:isdn_call_connect:Calling lineaction of Serial0:22
*Mar 1 00:05:36.519:Dialer0:Session free, 12C
*Mar 1 00:05:36.523::0 packets unqueued and discarded
*Mar 1 00:05:36.527:Se0:22 VPDN:Bind interface direction=1
*Mar 1 00:05:36.531:Se0:22 1/1 L2TP:Session state change from wait-cs-answer to
established
*Mar 1 00:05:36.531:L2TP:Send OCCN
*Mar 1 00:05:36.539:Se0:22 VPDN:bound to vpdn session
*Mar 1 00:05:36.555:Se0:22 1/1 L2TP:O FS failed
*Mar 1 00:05:36.555:Se0:22 1/1 L2TP:O FS failed
*Mar 1 00:05:42.515:%ISDN-6-CONNECT:Interface Serial0:22 is now connected to 71014
L2TP Dial-Out Debug Output on a Tunnel Server Example
The following is sample debug output from the debug vpdn event, debug vpdn error, debug ppp chap,
debug ppp negotiation, and debug dialer events commands for a successful dial-out session on a tunnel
server:
LNS# debug dialer events
Dial on demand events debugging is on
LNS# debug ppp negotiation
PPP protocol negotiation debugging is on
LNS# debug ppp chap
PPP authentication debugging is on
LNS# show debugging
Dial on demand:
Dial on demand events debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
VPN:
VPDN events debugging is on
VPDN errors debugging is on
LNS#
*Apr 22 19:48:32.419:%SYS-5-CONFIG_I:Configured from console by console
*Apr 22 19:48:32.743:%SYS-5-CONFIG_I:Configured from console by console
*Apr 22 19:48:33.243:Di0 DDR:dialer_fsm_idle()
*Apr 22 19:48:33.271:Vi1 PPP:Phase is DOWN, Setup
*Apr 22 19:48:33.279:Vi1 PPP:Phase is DOWN, Setup
*Apr 22 19:48:33.279:Virtual-Access1 DDR:Dialing cause ip (s=10.60.1.160, d=10.10.1.110)
*Apr 22 19:48:33.279:Virtual-Access1 DDR:Attempting to dial 71014
*Apr 22 19:48:33.279:Tnl/Cl 1/1 L2TP:Session sequencing disabled
*Apr 22 19:48:33.279:Tnl/Cl 1/1 L2TP:Session FS enabled
*Apr 22 19:48:33.283:Tnl/Cl 1/1 L2TP:Session state change from idle to wait-for-tunnel
*Apr 22 19:48:33.283:Tnl/Cl 1/1 L2TP:Create dialout session
*Apr 22 19:48:33.283:Tnl 1 L2TP:SM State idle
*Apr 22 19:48:33.283:Tnl 1 L2TP:O SCCRQ
*Apr 22 19:48:33.283:Tnl 1 L2TP:Tunnel state change from idle to wait-ctl-reply
*Apr 22 19:48:33.283:Tnl 1 L2TP:SM State wait-ctl-reply
*Apr 22 19:48:33.283:Vi1 VPDN:Bind interface direction=2
*Apr 22 19:48:33.307:Tnl 1 L2TP:I SCCRP from lac_l2x0
*Apr 22 19:48:33.307:Tnl 1 L2TP:Got a challenge from remote peer, lac_l2x0
*Apr 22 19:48:33.307:Tnl 1 L2TP:Got a response from remote peer, lac_l2x0
*Apr 22 19:48:33.311:Tnl 1 L2TP:Tunnel Authentication success
*Apr 22 19:48:33.311:Tnl 1 L2TP:Tunnel state change from wait-ctl-reply to established
*Apr 22 19:48:33.311:Tnl 1 L2TP:O SCCCN to lac_l2x0 tnlid 1
*Apr 22 19:48:33.311:Tnl 1 L2TP:SM State established
*Apr 22 19:48:33.311:L2TP:O OCRQ
*Apr 22 19:48:33.311:Vi1 1/1 L2TP:Session state change from wait-for-tunnel to wait-reply
*Apr 22 19:48:33.367:Vi1 1/1 L2TP:I OCRP from lac_l2x0 tnl 1, cl 0
*Apr 22 19:48:33.367:Vi1 1/1 L2TP:Session state change from wait-reply to wait-connect
*Apr 22 19:48:33.631:Vi1 1/1 L2TP:I OCCN from lac_l2x0 tnl 1, cl 1
*Apr 22 19:48:33.631:Vi1 1/1 L2TP:Session state change from wait-connect to established
*Apr 22 19:48:33.631:Vi1 VPDN:Connection is up, start LCP negotiation now
*Apr 22 19:48:33.631:%LINK-3-UPDOWN:Interface Virtual-Access1, changed state to up
*Apr 22 19:48:33.631:Vi1 DDR:dialer_statechange(), state=4Dialer statechange to up
Virtual-Access1
*Apr 22 19:48:33.631:Vi1 DDR:dialer_out_call_connected()
*Apr 22 19:48:33.631:Vi1 DDR:dialer_bind_profile() to Di0
*Apr 22 19:48:33.631:%DIALER-6-BIND:Interface Virtual-Access1 bound to profile
Dialer0Dialer call has been placed Virtual-Access1
*Apr 22 19:48:33.635:Vi1 PPP:Treating connection as a callout
*Apr 22 19:48:33.635:Vi1 PPP:Phase is ESTABLISHING, Active Open
*Apr 22 19:48:33.635:Vi1 LCP:O CONFREQ [Closed] id 1 len 15
*Apr 22 19:48:33.635:Vi1 LCP: AuthProto CHAP (0x0305C22305)
*Apr 22 19:48:33.635:Vi1 LCP: MagicNumber 0x50E7EC2A (0x050650E7EC2A)
*Apr 22 19:48:33.663:Vi1 LCP:I CONFREQ [REQsent] id 1 len 15
*Apr 22 19:48:33.663:Vi1 LCP: AuthProto CHAP (0x0305C22305)
*Apr 22 19:48:33.663:Vi1 LCP: MagicNumber 0x10820474 (0x050610820474)
*Apr 22 19:48:33.663:Vi1 LCP:O CONFACK [REQsent] id 1 len 15
*Apr 22 19:48:33.663:Vi1 LCP: AuthProto CHAP (0x0305C22305)
*Apr 22 19:48:33.663:Vi1 LCP: MagicNumber 0x10820474 (0x050610820474)
*Apr 22 19:48:33.663:Vi1 LCP:I CONFACK [ACKsent] id 1 len 15
*Apr 22 19:48:33.663:Vi1 LCP: AuthProto CHAP (0x0305C22305)
*Apr 22 19:48:33.663:Vi1 LCP: MagicNumber 0x50E7EC2A (0x050650E7EC2A)
*Apr 22 19:48:33.663:Vi1 LCP:State is Open
*Apr 22 19:48:33.663:Vi1 PPP:Phase is AUTHENTICATING, by both
*Apr 22 19:48:33.663:Vi1 CHAP:Using alternate hostname lns0
*Apr 22 19:48:33.663:Vi1 CHAP:O CHALLENGE id 1 len 25 from "lns0"
*Apr 22 19:48:33.679:Vi1 CHAP:I CHALLENGE id 1 len 35 from "user0@foo.com0"
*Apr 22 19:48:33.679:Vi1 AUTH:Started process 0 pid 92
*Apr 22 19:48:33.679:Vi1 CHAP:Using alternate hostname lns0
*Apr 22 19:48:33.683:Vi1 CHAP:O RESPONSE id 1 len 25 from "lns0"
*Apr 22 19:48:33.695:Vi1 CHAP:I SUCCESS id 1 len 4
*Apr 22 19:48:33.699:Vi1 CHAP:I RESPONSE id 1 len 35 from "user0@foo.com0"
*Apr 22 19:48:33.699:Vi1 CHAP:O SUCCESS id 1 len 4
*Apr 22 19:48:33.699:Vi1 DDR:dialer_remote_name() for user0@foo.com0
*Apr 22 19:48:33.699:Vi1 PPP:Phase is UP
*Apr 22 19:48:33.703:Vi1 IPCP:O CONFREQ [Closed] id 1 len 10
*Apr 22 19:48:33.703:Vi1 IPCP: Address 10.20.1.150 (0x030614140196)
*Apr 22 19:48:33.703:Vi1 CCP:O CONFREQ [Closed] id 1 len 10
*Apr 22 19:48:33.703:Vi1 CCP: LZSDCP history 1 check mode SEQ process UNCOMPRESSSED
(0x170600010201)
*Apr 22 19:48:33.711:Vi1 IPCP:I CONFREQ [REQsent] id 1 len 10
*Apr 22 19:48:33.715:Vi1 IPCP: Address 10.20.1.120 (0x030614140178)
*Apr 22 19:48:33.715:Vi1 IPCP:O CONFACK [REQsent] id 1 len 10
*Apr 22 19:48:33.715:Vi1 IPCP: Address 10.20.1.120 (0x030614140178)
*Apr 22 19:48:33.715:Vi1 CCP:I CONFREQ [REQsent] id 1 len 10
*Apr 22 19:48:33.715:Vi1 CCP: LZSDCP history 1 check mode SEQ process UNCOMPRESSSED
(0x170600010201)
*Apr 22 19:48:33.715:Vi1 CCP:O CONFACK [REQsent] id 1 len 10
*Apr 22 19:48:33.715:Vi1 CCP: LZSDCP history 1 check mode SEQ process UNCOMPRESSSED
(0x170600010201)
*Apr 22 19:48:33.719:Vi1 IPCP:I CONFACK [ACKsent] id 1 len 10
*Apr 22 19:48:33.719:Vi1 IPCP: Address 10.20.1.150 (0x030614140196)
*Apr 22 19:48:33.719:Vi1 IPCP:State is Open
*Apr 22 19:48:33.719:Vi1 DDR:Dialer protocol up
*Apr 22 19:48:33.719:Dialer0:dialer_ckt_swt_client_connect:incoming circuit switched call
*Apr 22 19:48:33.719:Di0 IPCP:Install route to 10.20.1.120
*Apr 22 19:48:33.719:Vi1 CCP:I CONFACK [ACKsent] id 1 len 10
*Apr 22 19:48:33.719:Vi1 CCP: LZSDCP history 1 check mode SEQ process UNCOMPRESSSED
(0x170600010201)
*Apr 22 19:48:33.719:Vi1 CCP:State is Open
*Apr 22 19:48:34.699:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access1,
changed state to up
VPN Troubleshooting Methodology
This section describes a methodology for troubleshooting the VPN shown in Figure 80. First, view the
debug output from a successful call. If your debug output does not match the successful output, follow
the remaining steps to begin troubleshooting the network. The bolded lines of debug output indicate
important information.
The following sections detail the steps involved in VPN troubleshooting:
• Comparing Your Debug Output to the Successful Debug Output
• Troubleshooting VPN Negotiation
• Troubleshooting PPP Negotiation
• Troubleshooting AAA Negotiation
Figure 80 Troubleshooting Flow Diagram for Access VPN with Remote AAA
If you are accessing the NAS and tunnel server through a Telnet connection, you need to enable the
terminal monitor command. This command ensures that your EXEC session is receiving the logging
and debug output from the devices.
When you finish troubleshooting, use the undebug all command to turn off all debug commands.
Isolating debug output helps you efficiently build a network.
[Figure 80, Troubleshooting Flow Diagram for Access VPN with Remote AAA (image not reproduced). The
flow starts at "View successful VPDN-event debug output" and passes through four decisions: "Does your
output match successful output?", "Is L2F negotiation successful?", "Is PPP negotiation successful?",
and "Is AAA negotiation successful?". From each decision, "Yes, and client can ping home gateway" leads
to "Access VPN functions properly"; "Yes, but client cannot ping home gateway" (or non-matching output)
leads to the next step, "Troubleshoot L2F negotiation", "Troubleshoot PPP negotiation", or "Troubleshoot
AAA negotiation"; and "No" leads to "Contact support personnel".]
Comparing Your Debug Output to the Successful Debug Output
Enable the debug vpdn-event command on both the NAS and the tunnel server and dial in to the NAS.
The following debug output shows successful VPN negotiation on the NAS and tunnel server:
NAS#
Jan 7 00:19:35.900: %LINK-3-UPDOWN: Interface Async9, changed state to up
Jan 7 00:19:39.532: sVPDN: Got DNIS string As9
Jan 7 00:19:39.532: As9 VPDN: Looking for tunnel -- hgw.com --
Jan 7 00:19:39.540: As9 VPDN: Get tunnel info for hgw.com with NAS ISP_NAS,
IP172.22.66.25
Jan 7 00:19:39.540: As9 VPDN: Forward to address 172.22.66.25
Jan 7 00:19:39.540: As9 VPDN: Forwarding...
Jan 7 00:19:39.540: As9 VPDN: Bind interface direction=1
Jan 7 00:19:39.540: As9 VPDN: jeremy@hgw.com is forwarded
Jan 7 00:19:40.540: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async9, changed state
to up
ENT_HGW#
Jan 7 00:19:39.967: VPDN: Chap authentication succeeded for ISP_NAS
Jan 7 00:19:39.967: Vi1 VPDN: Virtual interface created for jeremy@hgw.com
Jan 7 00:19:39.967: Vi1 VPDN: Set to Async interface
Jan 7 00:19:39.971: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
6w5d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 7 00:19:40.051: Vi1 VPDN: Bind interface direction=2
Jan 7 00:19:40.051: Vi1 VPDN: PPP LCP accepted rcv CONFACK
Jan 7 00:19:40.051: Vi1 VPDN: PPP LCP accepted sent CONFACK
6w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
If you see the debug output shown but cannot ping the tunnel server, go to the next section,
“Troubleshooting PPP Negotiation.”
If you do not see the above debug output, go to the section “Troubleshooting VPN Negotiation” later in
this chapter.
Troubleshooting VPN Negotiation
The following sections describe several common misconfigurations that prevent successful VPN (either
L2F or L2TP) negotiation:
• Misconfigured NAS Tunnel Secret
• Misconfigured Tunnel Server Tunnel Secret
• Misconfigured Tunnel Name
• Control Packet Problem on the NAS
Misconfigured NAS Tunnel Secret
The NAS and the tunnel server must both have the same usernames with the same password to
authenticate the L2F tunnel. These usernames are called the tunnel secret. In this scenario, these
usernames are ISP_NAS and ENT_HGW. The password is cisco for both usernames on both systems.
If one of the tunnel secrets on the NAS is incorrect, you will see the following debug output when you
dial in to the NAS and the debug vpdn l2x-errors command is enabled on the NAS and tunnel server:
NAS#
Jan 1 00:26:49.899: %LINK-3-UPDOWN: Interface Async3, changed state to up
Jan 1 00:26:54.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async3, cha
nged state to up
Jan 1 00:27:00.559: L2F: Resending L2F_OPEN, time #1
Jan 1 00:27:05.559: L2F: Resending L2F_ECHO, time #1
Jan 1 00:27:05.559: L2F: Resending L2F_OPEN, time #2
Jan 1 00:27:10.559: L2F: Resending L2F_ECHO, time #2
Jan 1 00:27:10.559: L2F: Resending L2F_OPEN, time #3
Jan 1 00:27:15.559: L2F: Resending L2F_ECHO, time #3
Jan 1 00:27:15.559: L2F: Resending L2F_OPEN, time #4
Jan 1 00:27:20.559: L2F: Resending L2F_ECHO, time #4
Jan 1 00:27:20.559: L2F: Resending L2F_OPEN, time #5
Jan 1 00:27:25.559: L2F: Resending L2F_ECHO, time #5
Jan 1 00:27:25.559: L2F: Resend packet (type 2) around too long, time to kill off the
tunnel
NAS#
ENT_HGW#
Jan 1 00:26:53.645: L2F: Packet has bogus2 key C8353FAB B6369121
5w6d: %VPDN-6-AUTHENFAIL: L2F HGW , authentication failure for tunnel ISP_NAS; Invalid
key
5w6d: %VPDN-5-UNREACH: L2F NAS 172.22.66.23 is unreachable
Jan 1 00:27:00.557: L2F: Gateway received tunnel OPEN while in state closed
ENT_HGW#
The phrase “time to kill off the tunnel” in the NAS debug output indicates that the tunnel was not opened.
The phrase “Packet has bogus2 key” in the tunnel server debug output indicates that the NAS has an
incorrect tunnel secret.
To avoid this problem, make sure that you configure both the NAS and tunnel server for the same two
tunnel secret usernames with the same password.
Misconfigured Tunnel Server Tunnel Secret
If one of the tunnel secret usernames on the tunnel server is incorrect, the following debug output appears
when you dial in to the NAS and the debug vpdn l2x-errors command is enabled on the NAS and tunnel
server:
NAS#
Jan 1 00:45:27.123: %LINK-3-UPDOWN: Interface Async7, changed state to up
Jan 1 00:45:30.939: L2F: Packet has bogus1 key B6C656EE 5FAC6B3
Jan 1 00:45:30.939: %VPDN-6-AUTHENFAIL: L2F NAS ISP_NAS, authentication failure
for tunnel ENT_HGW; Invalid key
Jan 1 00:45:31.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async7, cha
nged state to up
Jan 1 00:45:35.559: L2F: Resending L2F_OPEN, time #1
Jan 1 00:45:35.559: L2F: Packet has bogus1 key B6C656EE 5FAC6B3
ENT_HGW#
Jan 1 00:45:30.939: L2F: Tunnel authentication succeeded for ISP_NAS
Jan 1 00:45:35.559: L2F: Gateway received tunnel OPEN while in state open
Jan 1 00:45:40.559: L2F: Gateway received tunnel OPEN while in state open
Jan 1 00:45:45.559: L2F: Gateway received tunnel OPEN while in state open
Jan 1 00:45:50.559: L2F: Gateway received tunnel OPEN while in state open
Notice how this output is similar to the debug output you see when the NAS has a misconfigured tunnel
secret username. This time you see the phrase “Packet has bogus1 key” on the NAS instead of the tunnel
server. This phrase tells you that the tunnel server has an incorrect tunnel secret username.
To avoid this problem, make sure that you configure both the NAS and tunnel server for the same two
tunnel secret usernames with the same password.
Misconfigured Tunnel Name
If the NAS and tunnel server do not have matching tunnel names, they cannot establish an L2F tunnel.
On the tunnel server, these tunnel names are configured under the vpdn-group 1 command by using the
local name command. On the NAS, these names are configured on the RADIUS server.
The tunnel server must be configured to accept tunnels from the name that the NAS sends it. This is done
using the accept-dialin l2f virtual-template 1 remote ISP_NAS command, where ISP_NAS is the
name. The name it returns to the NAS is configured using the local name ENT_HGW command, where
ENT_HGW is the name. These commands appear in the following running configuration:
vpdn-group 1
accept-dialin l2f virtual-template 1 remote ISP_NAS
local name ENT_HGW
On the RADIUS server, the tunnel names are configured by adding profiles to the NAS_Group group
with the names ISP_NAS and ENT_HGW.
In the following debug output, the NAS attempted to open a tunnel using the name isp. Because the
tunnel server did not know this name, it did not open the tunnel. To see the following debug output,
enable the debug vpdn l2x-events and debug vpdn l2x-errors commands on the tunnel server:
ENT_HGW#
Jan 1 01:28:54.207: L2F: L2F_CONF received
Jan 1 01:28:54.207: L2X: Never heard of isp
Jan 1 01:28:54.207: L2F: Couldn't find tunnel named isp
To avoid the problem described, make sure that the tunnel names match on the tunnel server and on the
RADIUS server.
Control Packet Problem on the NAS
The following example assumes that you suspect an error in parsing control packets. You can use the
debug vpdn packet command with the control keyword to verify control packet information.
ISP_NAS# debug vpdn packet control
20:50:27: %LINK-3-UPDOWN: Interface Async7, changed state to up
20:50:29: Tnl 9 L2TP: O SCCRQ
20:50:29: Tnl 9 L2TP: O SCCRQ, flg TLF, ver 2, len 131, tnl 0, cl 0, ns 0, nr 0
20:50:29: contiguous buffer, size 131
C8 02 00 83 00 00 00 00 00 00 00 00 80 08 00 00
00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00
00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 ...
20:50:29: Tnl 9 L2TP: Parse AVP 0, len 8, flag 0x0x8000 (M)
20:50:29: Tnl 9 L2TP: Parse SCCRP
20:50:29: Tnl 9 L2TP: Parse AVP 2, len 8, flag 0x0x8000 (M)
20:50:29: Tnl 9 L2TP: Protocol Ver 256
20:50:29: Tnl 9 L2TP: Parse AVP 3, len 10, flag 0x0x8000 (M)
20:50:29: Tnl 9 L2TP: Framing Cap 0x0x3
20:50:29: Tnl 9 L2TP: Parse AVP 4, len 10, flag 0x0x8000 (M)
20:50:29: Tnl 9 L2TP: Bearer Cap 0x0x3
20:50:29: Tnl 9 L2TP: Parse AVP 6, len 8, flag 0x0x0
20:50:29: Tnl 9 L2TP: Firmware Ver 0x0x1120
20:50:29: Tnl 9 L2TP: Parse AVP 7, len 12, flag 0x0x8000 (M)
20:50:29: Tnl 9 L2TP: Hostname DJ
20:50:29: Tnl 9 L2TP: Parse AVP 8, len 25, flag 0x0x0
20:50:29: Tnl 9 L2TP: Vendor Name Cisco Systems, Inc.
20:50:29: Tnl 9 L2TP: Parse AVP 9, len 8, flag 0x0x8000 (M)
20:50:29: Tnl 9 L2TP: Assigned Tunnel ID 8
20:50:29: Tnl 9 L2TP: Parse AVP 10, len 8, flag 0x0x8000 (M)
20:50:29: Tnl 9 L2TP: Rx Window Size 4
20:50:29: Tnl 9 L2TP: Parse AVP 11, len 22, flag 0x0x8000 (M)
20:50:29: Tnl 9 L2TP: Chlng D807308D106259C5933C6162ED3A1689
20:50:29: Tnl 9 L2TP: Parse AVP 13, len 22, flag 0x0x8000 (M)
20:50:29: Tnl 9 L2TP: Chlng Resp 9F6A3C70512BD3E2D44DF183C3FFF2D1
20:50:29: Tnl 9 L2TP: No missing AVPs in SCCRP
20:50:29: Tnl 9 L2TP: Clean Queue packet 0
20:50:29: Tnl 9 L2TP: I SCCRP, flg TLF, ver 2, len 153, tnl 9, cl 0, ns 0, nr 1
contiguous pak, size 153
C8 02 00 99 00 09 00 00 00 00 00 01 80 08 00 00
00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00
00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 ...
20:50:29: Tnl 9 L2TP: I SCCRP from DJ
20:50:29: Tnl 9 L2TP: O SCCCN to DJ tnlid 8
20:50:29: Tnl 9 L2TP: O SCCCN, flg TLF, ver 2, len 42, tnl 8, cl 0, ns 1, nr 1
20:50:29: contiguous buffer, size 42
C8 02 00 2A 00 08 00 00 00 01 00 01 80 08 00 00
00 00 00 03 80 16 00 00 00 0D 4B 2F A2 50 30 13
E3 46 58 D5 35 8B 56 7A E9 85
20:50:29: As7 9/1 L2TP: O ICRQ to DJ 8/0
20:50:29: As7 9/1 L2TP: O ICRQ, flg TLF, ver 2, len 48, tnl 8, cl 0, ns 2, nr 1
20:50:29: contiguous buffer, size 48
C8 02 00 30 00 08 00 00 00 02 00 01 80 08 00 00
00 00 00 0A 80 08 00 00 00 0E 00 01 80 0A 00 00
00 0F 00 00 00 04 80 0A 00 00 00 12 00 00 00 ...
20:50:29: Tnl 9 L2TP: Clean Queue packet 1
20:50:29: Tnl 9 L2TP: Clean Queue packet 2
20:50:29: Tnl 9 L2TP: I ZLB ctrl ack, flg TLF, ver 2, len 12, tnl 9, cl 0, ns 1, nr 2
contiguous pak, size 12
C8 02 00 0C 00 09 00 00 00 01 00 02
20:50:30: As7 9/1 L2TP: Parse AVP 0, len 8, flag 0x0x8000 (M)
20:50:30: As7 9/1 L2TP: Parse ICRP
20:50:30: As7 9/1 L2TP: Parse AVP 14, len 8, flag 0x0x8000 (M)
20:50:30: As7 9/1 L2TP: Assigned Call ID 1
20:50:30: As7 9/1 L2TP: No missing AVPs in ICRP
20:50:30: Tnl 9 L2TP: Clean Queue packet 2
20:50:30: As7 9/1 L2TP: I ICRP, flg TLF, ver 2, len 28, tnl 9, cl 1, ns 1, nr 3
contiguous pak, size 28
C8 02 00 1C 00 09 00 01 00 01 00 03 80 08 00 00
00 00 00 0B 80 08 00 00 00 0E 00 01
20:50:30: As7 9/1 L2TP: O ICCN to DJ 8/1
20:50:30: As7 9/1 L2TP: O ICCN, flg TLF, ver 2, len 203, tnl 8, cl 1, ns 3, nr 2
20:50:30: contiguous buffer, size 203
C8 02 00 CB 00 08 00 01 00 03 00 02 80 08 00 00
00 00 00 0C 80 0A 00 00 00 18 00 00 DA C0 80 0A
00 00 00 13 00 00 00 02 00 28 00 00 00 1B 02 ...
20:50:30: Tnl 9 L2TP: Clean Queue packet 3
20:50:30: As7 9/1 L2TP: I ZLB ctrl ack, flg TLF, ver 2, len 12, tnl 9, cl 1, ns 2, nr 4
contiguous pak, size 12
C8 02 00 0C 00 09 00 01 00 02 00 04
20:50:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async7, changed state to up
If you fixed the problem in your configuration, return to the section “Verifying VPN Sessions” earlier in
this chapter.
If your call still cannot successfully complete L2F negotiation, contact your support personnel.
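The hex dumps in the output above are raw L2TP control messages (RFC 2661), and decoding them by hand is how you confirm that the "Parse AVP" lines agree with the bytes on the wire. The following Python parser is an added example, not part of this guide or of Cisco IOS: it decodes the SCCRQ and ZLB dumps copied from the output above, and because the debug prints only the first few dozen bytes of a longer message it stops at the first AVP that does not fit instead of reading past the buffer. The message-type and AVP name tables are taken from RFC 2661; the dump constants are copied from this section.

```python
import struct

# Hex dumps copied from the "debug vpdn packet control" output in this section.
# The router prints only the first bytes of a long message, so the SCCRQ dump is truncated.
SCCRQ_DUMP = ("C8 02 00 83 00 00 00 00 00 00 00 00 80 08 00 00 "
              "00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 "
              "00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00")
ZLB_ACK_DUMP = "C8 02 00 0C 00 09 00 00 00 01 00 02"

# Names from RFC 2661 (control message types and the attribute numbers seen above).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 10: "ICRQ",
                 11: "ICRP", 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
AVP_NAMES = {0: "Message Type", 2: "Protocol Version", 3: "Framing Capabilities",
             4: "Bearer Capabilities", 6: "Firmware Revision", 7: "Host Name",
             8: "Vendor Name", 9: "Assigned Tunnel ID", 10: "Receive Window Size",
             11: "Challenge", 13: "Challenge Response", 14: "Assigned Session ID",
             15: "Call Serial Number", 18: "Bearer Type"}
INTEGER_AVPS = {0, 2, 3, 4, 6, 9, 10, 14, 15, 18}
STRING_AVPS = {7, 8}


def hexdump_to_bytes(dump: str) -> bytes:
    return bytes(int(tok, 16) for tok in dump.split())


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte L2TP control header (RFC 2661, section 3.1)."""
    if len(data) < 12:
        raise ValueError("control message shorter than its header")
    flags_ver, length, tunnel_id, session_id, ns, nr = struct.unpack("!HHHHHH", data[:12])
    return {"is_control": bool(flags_ver & 0x8000),    # T bit
            "has_length": bool(flags_ver & 0x4000),    # L bit
            "has_sequence": bool(flags_ver & 0x0800),  # S bit
            "version": flags_ver & 0x000F,
            "length": length, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr}


def decode_value(attr: int, value: bytes):
    if attr in INTEGER_AVPS:
        return int.from_bytes(value, "big")
    if attr in STRING_AVPS:
        return value.decode("ascii", "replace")
    return value.hex().upper()  # challenge material and unknown AVPs stay as hex


def parse_control_message(dump: str) -> dict:
    """Parse header and AVPs. Stops at the first AVP that does not fit in the bytes
    we actually have, so a truncated debug dump gives a partial result, not a bogus one."""
    data = hexdump_to_bytes(dump)
    header = parse_header(data)
    avps, offset = [], 12
    while offset + 6 <= len(data):
        flags_len, vendor, attr = struct.unpack("!HHH", data[offset:offset + 6])
        avp_len = flags_len & 0x03FF
        if avp_len < 6 or offset + avp_len > len(data):
            break  # truncated (or malformed) AVP: never read past the buffer
        hidden = bool(flags_len & 0x4000)
        value = data[offset + 6:offset + avp_len]
        avps.append({"attr": attr, "name": AVP_NAMES.get(attr, f"AVP {attr}"), "vendor": vendor,
                     "mandatory": bool(flags_len & 0x8000), "hidden": hidden,
                     "value": value.hex().upper() if hidden else decode_value(attr, value)})
        offset += avp_len
    msg_type = next((a["value"] for a in avps if a["attr"] == 0), None)
    return {"header": header, "avps": avps,
            "message_type": MESSAGE_TYPES.get(msg_type, msg_type),
            "truncated": offset < len(data) or len(data) < header["length"]}


if __name__ == "__main__":
    for dump in (SCCRQ_DUMP, ZLB_ACK_DUMP):
        msg = parse_control_message(dump)
        h = msg["header"]
        print(f"{msg['message_type'] or 'ZLB ack'}: ver {h['version']} len {h['length']} "
              f"tnl {h['tunnel_id']} ns {h['ns']} nr {h['nr']} truncated={msg['truncated']}")
        for avp in msg["avps"]:
            print(f"  {'M' if avp['mandatory'] else ' '} {avp['name']}: {avp['value']}")
```

Run stand-alone, the SCCRQ decodes to exactly what the router reported (ver 2, len 131, tnl 0, ns 0, nr 0, Protocol Version 256, Framing Capabilities 3) with the fourth AVP flagged as truncated, and the ZLB acknowledgement decodes as a bare header for tunnel 9 with ns 1, nr 2 and no AVPs.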
Troubleshooting PPP Negotiation
This section first shows debug output of successful PPP negotiation. The subsequent sections explain
several common problems that prevent successful PPP negotiation:
• Successful PPP Negotiation Debug Output
• Non-Cisco Device Connectivity Problem
• Mismatched Username Example
Enable the debug ppp negotiation command on the tunnel server and dial in to the NAS.
Successful PPP Negotiation Debug Output
The following debug output shows successful PPP negotiation on the tunnel server:
1d02h: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Feb 4 14:14:40.505: Vi1 PPP: Treating connection as a dedicated line
*Feb 4 14:14:40.505: Vi1 PPP: Phase is ESTABLISHING, Active Open
*Feb 4 14:14:40.505: Vi1 PPP: Treating connection as a dedicated line
*Feb 4 14:14:40.505: Vi1 PPP: Phase is AUTHENTICATING, by this end
*Feb 4 14:14:40.509: Vi1 PPP: Phase is UP
If your call successfully completed PPP negotiation, but you still cannot ping the tunnel server, go to the
section “Troubleshooting AAA Negotiation” later in this chapter.
Non-Cisco Device Connectivity Problem
The debug ppp authentication and debug ppp negotiation commands are enabled to decipher a CHAP
negotiation problem. This is due to a connectivity problem between a Cisco and non-Cisco device. Also
note that the service-timestamps command is enabled on the router. The service-timestamps command
is helpful to decipher timing and keepalive issues, and we recommend that you always enable this
command.
Router# debug ppp authentication
PPP authentication debugging is on
Router# debug ppp negotiation
PPP protocol negotiation debugging is on
3:22:53: ppp: sending CONFREQ, type = 3 (CI_AUTHTYPE), value = C223/5
3:22:53: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = C6091F.
3:22:55: ppp: sending CONFREQ, type = 3 (CI_AUTHTYPE), value = C223/5
3:22:55: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = C6091F
3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x0 (??)
3:22:55: PPP BRI0: B-Channel 1: rcvd unknown option 0x0 rejected
3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x1 (MRU) value = 0x5F4 rejected
3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x3 (AUTHTYPE) value = 0xC223 value = 0x5 acked
3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x11 (MULTILINK_MRRU) rejected
3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x13 (UNKNOWN)
3:22:55: PPP BRI0: B-Channel 1: rcvd unknown option 0x13 rejected
3:22:55: ppp: config REJ received, type = 3 (CI_AUTHTYPE), value = C223/5
3:22:55: ppp: sending CONFREQ, type = 3 (CI_AUTHTYPE), value = C223/5
3:22:55: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = C6091F
3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x3 (AUTHTYPE) value= 0xC2.
Success rate is 0 percent (0/5)
moog#23 value = 0x5 acked
3:22:55: ppp: config REJ received, type = 3 (CI_AUTHTYPE), value = C223/5
3:22:55: ppp: BRI0: B-Channel 1 closing connection because remote won't authenticate
3:22:55: ppp: sending CONFREQ, type = 3 (CI_AUTHTYPE), value = C223/5
3:22:55: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = C6091F
3:22:55: %ISDN-6-DISCONNECT: Interface BRI0: B-Channel 1 disconnected from 01235820040, call lasted 2 seconds
3:22:56: %LINK-3-UPDOWN: Interface BRI0: B-Channel 1, changed state to down
Indication:
Mismatched Username Example
The following debug ppp chap sample output excerpt shows a CHAP authentication failure caused by
a configuration mismatch between devices. Verifying and correcting any username and password
mismatch should remedy this problem.
Router# debug ppp chap
ppp: received config for type = 5 (MAGICNUMBER) value = 1E24718 acked
PPP BRI0: B-Channel 1: state = ACKSENT fsm_rconfack(C021): rcvd id E6
ppp: config ACK received, type = 3 (CI_AUTHTYPE), value = C223
ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 28CEF76C
BRI0: B-Channel 1: PPP AUTH CHAP input code = 1 id = 83 len = 16
BRI0: B-Channel 1: PPP AUTH CHAP input code = 2 id = 96 len = 28
BRI0: B-Channel 1: PPP AUTH CHAP input code = 4 id = 83 len = 21
BRI0: B-Channel 1: Failed CHAP authentication with remote.
Remote message is: MD compare failed
If your call cannot successfully complete PPP negotiation, contact your support personnel.
Troubleshooting AAA Negotiation
This section first shows debug output of successful AAA negotiation. The subsequent sections explain
several common misconfigurations that prevent successful AAA negotiation:
• Successful AAA Negotiation
• Incorrect User Password
• Error Contacting RADIUS Server
• Misconfigured AAA Authentication
Successful AAA Negotiation
Enable the debug aaa authentication and debug aaa authorization commands on the tunnel server and
dial in to the NAS.
The following debug output shows successful AAA negotiation on the tunnel server. This output has
been edited to exclude repetitive lines.
ENT_HGW#
Jan 7 19:29:44.132: AAA/AUTHEN: create_user (0x612D550C) user='ENT_HGW' ruser='' port='' rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 7 19:29:44.132: AAA/AUTHEN/START (384300079): port='' list='default' action=SENDAUTH service=PPP
Jan 7 19:29:44.132: AAA/AUTHEN/START (384300079): found list default
Jan 7 19:29:44.132: AAA/AUTHEN/START (384300079): Method=LOCAL
Jan 7 19:29:44.132: AAA/AUTHEN (384300079): status = PASS
Jan 7 19:29:44.132: AAA/AUTHEN: create_user (0x612D550C) user='ISP_NAS' ruser='' port='' rem_addr='' authen_type=CHAP service=PPP priv=1
Jan 7 19:29:44.132: AAA/AUTHEN/START (2545876944): port='' list='default' action=SENDAUTH service=PPP
Jan 7 19:29:44.132: AAA/AUTHEN/START (2545876944): found list default
Jan 7 19:29:44.132: AAA/AUTHEN/START (2545876944): Method=LOCAL
Jan 7 19:29:44.132: AAA/AUTHEN (2545876944): status = PASS
Jan 7 19:29:44.228: AAA/AUTHEN: create_user (0x612F1F78) user='jeremy@hgw.com' ruser='' port='Virtual-Access1' rem_addr='408/5550945' authen_type=CHAP service=PPP priv=1
Jan 7 19:29:44.228: AAA/AUTHEN/START (101773535): port='Virtual-Access1' list='' action=LOGIN service=PPP
Jan 7 19:29:44.228: AAA/AUTHEN/START (101773535): using "default" list
Jan 7 19:29:44.228: AAA/AUTHEN/START (101773535): Method=LOCAL
Jan 7 19:29:44.228: AAA/AUTHEN (101773535): status = ERROR
Jan 7 19:29:44.228: AAA/AUTHEN/START (101773535): Method=RADIUS
Jan 7 19:29:44.692: AAA/AUTHEN (101773535): status = PASS
Jan 7 19:29:44.692: Vi1 AAA/AUTHOR/LCP: Authorize LCP
Jan 7 19:29:44.692: AAA/AUTHOR/LCP Vi1 (3630870259): Port='Virtual-Access1' list='' service=NET
Jan 7 19:29:44.692: AAA/AUTHOR/LCP: Vi1 (3630870259) user='jeremy@hgw.com'
Jan 7 19:29:44.692: AAA/AUTHOR/LCP: Vi1 (3630870259) send AV service=ppp
Jan 7 19:29:44.692: AAA/AUTHOR/LCP: Vi1 (3630870259) send AV protocol=lcp
Jan 7 19:29:44.692: AAA/AUTHOR/LCP (3630870259) found list "default"
Jan 7 19:29:44.692: AAA/AUTHOR/LCP: Vi1 (3630870259) Method=RADIUS
Jan 7 19:29:44.692: AAA/AUTHOR (3630870259): Post authorization status = PASS_REPL
Jan 7 19:29:44.696: Vi1 AAA/AUTHOR/FSM: We can start IPCP
6w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Jan 7 19:29:47.792: Vi1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.30.2.1
If the above debug output appears, but you still cannot ping the tunnel server, contact your support
personnel and troubleshoot your network backbone.
If you did not see the debug output above, you need to troubleshoot AAA negotiation.
Incorrect User Password
If the user password is incorrect (or it is incorrectly configured), the tunnel will be established, but the
tunnel server will not authenticate the user. If the user password is incorrect, the following debug output
appears on the NAS and tunnel server when you dial in to the NAS and the debug vpdn l2x-errors and
debug vpdn l2x-events commands are enabled:
ISP_NAS#
Jan 1 01:00:01.555: %LINK-3-UPDOWN: Interface Async12, changed state to up
Jan 1 01:00:05.299: L2F: Tunnel state closed
Jan 1 01:00:05.299: L2F: MID state closed
Jan 1 01:00:05.299: L2F: Open UDP socket to 172.22.66.25
Jan 1 01:00:05.299: L2F: Tunnel state opening
Jan 1 01:00:05.299: As12 L2F: MID jeremy@hgw.com state waiting_for_tunnel
Jan 1 01:00:05.303: L2F: L2F_CONF received
Jan 1 01:00:05.303: L2F: Removing resend packet (L2F_CONF)
Jan 1 01:00:05.303: ENT_HGW L2F: Tunnel state open
Jan 1 01:00:05.307: L2F: L2F_OPEN received
Jan 1 01:00:05.307: L2F: Removing resend packet (L2F_OPEN)
Jan 1 01:00:05.307: L2F: Building nas2gw_mid0
Jan 1 01:00:05.307: L2F: L2F_CLIENT_INFO: CLID/DNIS 4089548021/5550945
Jan 1 01:00:05.307: L2F: L2F_CLIENT_INFO: NAS-Port Async12
Jan 1 01:00:05.307: L2F: L2F_CLIENT_INFO: Client-Bandwidth-Kbps 115
Jan 1 01:00:05.307: L2F: L2F_CLIENT_INFO: NAS-Rate L2F/26400/28800
Jan 1 01:00:05.307: As12 L2F: MID jeremy@hgw.com state opening
Jan 1 01:00:05.307: L2F: Tunnel authentication succeeded for ENT_HGW
Jan 1 01:00:05.391: L2F: L2F_OPEN received
Jan 1 01:00:05.391: L2F: Got a MID management packet
Jan 1 01:00:05.391: L2F: Removing resend packet (L2F_OPEN)
Jan 1 01:00:05.391: As12 L2F: MID jeremy@hgw.com state open
Jan 1 01:00:05.391: As12 L2F: MID synced NAS/HG Clid=47/12 Mid=1
Jan 1 01:00:05.523: L2F: L2F_CLOSE received
Jan 1 01:00:05.523: %VPDN-6-AUTHENERR: L2F HGW ENT_HGW cannot locate a AAA server for As12 user jeremy@hgw.com; Authentication failure
ENT_HGW#
Jan 1 01:00:05.302: L2F: L2F_CONF received
Jan 1 01:00:05.302: L2F: Creating new tunnel for ISP_NAS
Jan 1 01:00:05.302: L2F: Tunnel state closed
Jan 1 01:00:05.302: L2F: Got a tunnel named ISP_NAS, responding
Jan 1 01:00:05.302: L2F: Open UDP socket to 172.22.66.23
Jan 1 01:00:05.302: ISP_NAS L2F: Tunnel state opening
Jan 1 01:00:05.306: L2F: L2F_OPEN received
Jan 1 01:00:05.306: L2F: Removing resend packet (L2F_CONF)
Jan 1 01:00:05.306: ISP_NAS L2F: Tunnel state open
Jan 1 01:00:05.306: L2F: Tunnel authentication succeeded for ISP_NAS
Jan 1 01:00:05.310: L2F: L2F_OPEN received
Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: CLID/DNIS 4089548021/5550945
Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: NAS-Port Async12
Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: Client-Bandwidth-Kbps 115
Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: NAS-Rate L2F/26400/28800
Jan 1 01:00:05.310: L2F: Got a MID management packet
Jan 1 01:00:05.310: L2F: MID state closed
Jan 1 01:00:05.310: L2F: Start create mid intf process for jeremy@hgw.com
5w6d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Jan 1 01:00:05.390: Vi1 L2X: Discarding packet because of no mid/session
Jan 1 01:00:05.390: Vi1 L2F: Transfer NAS-Rate L2F/26400/28800 to LCP
Jan 1 01:00:05.390: Vi1 L2F: Finish create mid intf for jeremy@hgw.com
Jan 1 01:00:05.390: Vi1 L2F: MID jeremy@hgw.com state open
5w6d: %VPDN-6-AUTHENERR: L2F HGW ENT_HGW cannot locate a AAA server for Vi1 user jeremy@hgw.com; Authentication failure
Error Contacting RADIUS Server
If the aaa authorization command on the tunnel server is configured with the default radius none
keywords, the tunnel server may allow unauthorized access to your network.
This command instructs the tunnel server to use RADIUS for authorization first (the radius keyword). If an error
occurs when the tunnel server contacts the RADIUS server, the tunnel server falls through to the none method,
which performs no authorization at all for the user (the none keyword), so the user is admitted.
To see the following debug output, enable the debug aaa authorization command on the tunnel server
and dial in to the NAS:
ENT_HGW#
*Feb 5 17:27:36.166: Vi1 AAA/AUTHOR/LCP: Authorize LCP
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP Vi1 (3192359105): Port='Virtual-Access1' list='' service=NET
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) user='jeremy@hgw.com'
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) send AV service=ppp
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) send AV protocol=lcp
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP (3192359105) found list "default"
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) Method=RADIUS
*Feb 5 17:27:36.166: AAA/AUTHOR (3192359105): Post authorization status = ERROR
*Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) Method=NONE
*Feb 5 17:27:36.166: AAA/AUTHOR (3192359105): Post authorization status = PASS_ADD
*Feb 5 17:27:36.166: Vi1 CHAP: O SUCCESS id 1 len 4
Caution Using the none keyword can allow unauthorized access to your network. Because of the risk of such
errors occurring, we strongly recommend that you do not use the none keyword in your aaa
commands.
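Both AAA debug trails in this chapter (Method=LOCAL status = ERROR followed by Method=RADIUS in the successful negotiation, and Method=RADIUS status = ERROR followed by Method=NONE in the output just above) follow one rule: IOS moves on to the next method in a list only when the current method returns ERROR, not when it returns FAIL, and none always passes. The following Python model is an added example, not Cisco code: the local and RADIUS backends are constructed stand-ins, the user name is the one from the output above, and the last function scans an aaa configuration for method lists that end in none.

```python
import re
from typing import Callable, Dict, List, Tuple

# Results an IOS AAA method can return.  ERROR (server unreachable, or the method has
# no answer for this user) makes the router try the next method; FAIL (an explicit
# reject) ends the evaluation.  This is the behaviour the AAA/AUTHEN and AAA/AUTHOR
# debug lines above show.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Backend = Callable[[str], str]


def run_method_list(methods: List[str], backends: Dict[str, Backend],
                    user: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Evaluate a method list in order; returns the final status and the method trail."""
    trail: List[Tuple[str, str]] = []
    for method in methods:
        if method == "none":
            trail.append((method, PASS))  # 'none' consults nothing and always passes
            return PASS, trail
        status = backends[method](user)
        trail.append((method, status))
        if status != ERROR:
            return status, trail
    return ERROR, trail  # every method errored: the request is refused


def local_backend(known_users: Dict[str, str]) -> Backend:
    # Constructed stand-in for the local username database: an unknown user is ERROR
    # (the next method is tried), a known user passes.
    return lambda user: PASS if user in known_users else ERROR


def radius_backend(reachable: bool, known_users: Dict[str, str]) -> Backend:
    # Constructed stand-in for a RADIUS server: unreachable is ERROR, a reject is FAIL.
    def query(user: str) -> str:
        if not reachable:
            return ERROR
        return PASS if user in known_users else FAIL
    return query


def evaluate_aaa_line(aaa_line: str, radius_reachable: bool,
                      user: str = "jeremy@hgw.com") -> Tuple[str, List[Tuple[str, str]]]:
    """Run the methods named in an 'aaa authentication|authorization <svc> default ...' line.
    The databases are constructed: the tunnel peer lives locally, the dial-in user in RADIUS."""
    methods = aaa_line.split()[4:]  # tokens after 'aaa <authentication|authorization> <svc> default'
    backends = {"local": local_backend({"ENT_HGW": "tunnelme"}),
                "radius": radius_backend(radius_reachable, {"jeremy@hgw.com": "x"})}
    return run_method_list(methods, backends, user)


# Constructed configuration fragment containing the 'radius none' list discussed above.
SAMPLE_AAA_CONFIG = """\
aaa new-model
aaa authentication ppp default local radius
aaa authorization network default radius none
aaa accounting network default start-stop radius
"""
AAA_FAIL_OPEN = re.compile(r"^aaa (authentication|authorization) \S+ \S+ .*\bnone\b")


def find_open_fallbacks(config: str) -> List[str]:
    """Return the aaa lines whose method list contains the fail-open 'none' method."""
    return [line.strip() for line in config.splitlines() if AAA_FAIL_OPEN.match(line.strip())]


if __name__ == "__main__":
    for line, reachable in (("aaa authorization network default radius none", False),
                            ("aaa authorization network default radius", False),
                            ("aaa authentication ppp default local radius", True)):
        status, trail = evaluate_aaa_line(line, reachable)
        print(f"{line!r} radius_reachable={reachable}: {status} via {trail}")
    print("fail-open lists:", find_open_fallbacks(SAMPLE_AAA_CONFIG))
```

With the RADIUS server unreachable, the radius none list ends in PASS after the trail (radius, ERROR), (none, PASS), which is the open door the Caution describes; the same outage with a radius-only list ends in ERROR and the user is refused. A RADIUS reject (FAIL) never reaches none, which is why the keyword looks harmless in normal operation and only bites during an outage.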
Misconfigured AAA Authentication
If you reverse the order of the local and radius keywords in the aaa authentication ppp command on
the tunnel server, the L2F tunnel cannot be established. The command should be configured as aaa
authentication ppp default local radius.
If you configure the command as aaa authentication ppp default radius local, the tunnel server first
tries to authenticate the L2F tunnel using RADIUS. The RADIUS server sends the following message
to the tunnel server. To see this message, enable the debug radius command.
ENT_HGW#
Jan 1 01:34:47.827: RADIUS: SENDPASS not supported (action=4)
The RADIUS protocol does not support inbound challenges. This means that RADIUS is designed to
authenticate user information, but it is not designed to be authenticated by others. When the tunnel server
requests the tunnel secret from the RADIUS server, it responds with the “SENDPASS not supported”
message.
To avoid this problem, use the aaa authentication ppp default local radius command on the tunnel
server.
If your call still cannot successfully complete AAA negotiation, contact your support personnel.
Configuration Examples for VPN
This section provides the following configuration examples:
• Client-Initiated Dial-In Configuration Example
• VPN Tunnel Authentication Examples
• NAS Comprehensive Dial-In Configuration Example
• Tunnel Server Comprehensive Dial-in Configuration Example
• NAS Configured for Both Dial-In and Dial-Out Example
• Tunnel Server Configured for Both Dial-In and Dial-Out Example
• RADIUS Profile Examples
• TACACS+ Profile Examples
Client-Initiated Dial-In Configuration Example
The following example shows the running configuration of a tunnel server configured for PPTP using an
ISA card to perform 40-bit MPPE encryption. It does not have an AAA configuration.
Current configuration
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PNS
!
no logging console guaranteed
enable password lab
!
username tester41 password 0 lab41
!
ip subnet-zero
no ip domain-lookup
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
local name cisco_pns
!
memory check-interval 1
!
controller ISA 5/0
encryption mppe
!
process-max-time 200
!
interface FastEthernet0/0
ip address 10.1.1.12 255.255.255.0
no ip directed-broadcast
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.2.12 255.255.255.0
no ip directed-broadcast
duplex auto
speed auto
!
interface Serial1/0
no ip address
no ip directed-broadcast
shutdown
framing c-bit
cablelength 10
dsu bandwidth 44210
!
interface Serial1/1
no ip address
no ip directed-broadcast
shutdown
framing c-bit
cablelength 10
dsu bandwidth 44210
!
interface FastEthernet4/0
no ip address
no ip directed-broadcast
shutdown
duplex half
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
no ip directed-broadcast
ip mroute-cache
no keepalive
ppp encrypt mppe 40
ppp authentication ms-chap
!
ip classless
ip route 172.29.1.129 255.255.255.255 1.1.1.1
ip route 172.29.63.9 255.255.255.255 1.1.1.1
no ip http server
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
login
!
end
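The configuration above is a working PPTP example, but several of its settings are weaker than what the same IOS feature set offers (40-bit MPPE, MS-CHAP version 1, a cleartext enable password and a reversible user password). The following audit script is an added example, not part of this guide or of IOS: it checks the security-relevant lines of the example (re-indented as IOS displays them) against a short rule list and carries a second, constructed copy of the fragment in which the editor has substituted the stronger standard IOS commands. The rule list and the hardened fragment are the editor's, not the guide's.

```python
import re
from typing import Dict, List

# Security-relevant lines of the PPTP tunnel server example above, with IOS indentation.
PNS_CONFIG = """\
no service password-encryption
hostname PNS
enable password lab
username tester41 password 0 lab41
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 local name cisco_pns
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ppp encrypt mppe 40
 ppp authentication ms-chap
"""

# Constructed hardened copy of the same fragment: standard IOS commands substituted by
# the editor, not settings this guide's example uses.
PNS_CONFIG_HARDENED = """\
service password-encryption
hostname PNS
enable secret lab
username tester41 secret lab41
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 local name cisco_pns
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2
"""

# (regex matched against the stripped line, what is weak about it, stronger command)
CHECKS = [
    (r"^no service password-encryption$", "type-0 passwords are stored in the clear",
     "service password-encryption"),
    (r"^enable password\b", "enable password is reversible (type 0 or 7)", "enable secret <value>"),
    (r"^username \S+ password (?:[07] )?\S+$", "reversible user password",
     "username <name> secret <value>"),
    (r"^ppp encrypt mppe 40\b", "40-bit MPPE session keys", "ppp encrypt mppe 128"),
    (r"^ppp authentication ms-chap$", "MS-CHAP version 1", "ppp authentication ms-chap-v2"),
]


def audit(config: str) -> List[Dict[str, object]]:
    """Return one finding per configuration line that matches a weak-setting rule."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for pattern, issue, prefer in CHECKS:
            if re.match(pattern, line):
                findings.append({"line": lineno, "text": line, "issue": issue, "prefer": prefer})
    return findings


if __name__ == "__main__":
    for name, cfg in (("example", PNS_CONFIG), ("hardened", PNS_CONFIG_HARDENED)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  line {f['line']}: {f['text']!r}: {f['issue']}; prefer '{f['prefer']}'")
```

The audit reports five findings on the example (lines 1, 3, 4, 13 and 14 of the fragment) and none on the hardened copy; the rules are deliberately anchored on the stripped line so they work on both indented running configurations and flattened copies like the ones printed in this chapter.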
VPN Tunnel Authentication Examples
The following examples show several possibilities for performing local tunnel authentication. These
examples only show the information relevant to tunnel authentication.
Tunnel Secret Configured Using the Local Name Command
The following examples are for a NAS and tunnel server that configure the tunnel names by using local
name VPN group commands. The NAS tunnel name is ISP_NAS, the tunnel server tunnel name is
ENT_HGW, and the tunnel secret is tunnelme.
NAS Configuration
The NAS tunnel name is specified by the local name command. The tunnel server tunnel name and
tunnel secret are specified by the username command.
username ENT_HGW password 7 tunnelme
.
.
.
vpdn-group 1
local name ISP_NAS
Tunnel Server Configuration
The tunnel server tunnel name is specified by the local name command. The NAS tunnel name and
tunnel secret are specified by the username command.
username ISP_NAS password 7 tunnelme
.
.
.
vpdn-group 1
local name ENT_HGW
Tunnel Secret Configured Using the L2TP Tunnel Password Command
The following example is for a NAS and tunnel server that both configure the tunnel secret using the l2tp
tunnel password command. Because both routers use this command, they do not need to use either
username or local name commands for tunnel authentication. The tunnel secret is tunnelme.
NAS Configuration
vpdn-group 1
request-dialin
protocol l2tp
l2tp tunnel password tunnelme
Tunnel Server Configuration
vpdn-group 1
accept-dialin
protocol l2tp
l2tp tunnel password tunnelme
Tunnel Secret Configuration Using Different Tunnel Authentication Methods
The following example is for a NAS that uses the username command to specify the tunnel secret and a
tunnel server that uses the l2tp tunnel password command to specify the tunnel secret.
NAS Configuration
username adrian password garf1eld
.
.
.
vpdn-group 1
local name stella
Tunnel Server Configuration
vpdn-group 1
accept-dialin
protocol l2tp
local name adrian
l2tp tunnel password garf1eld
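The three examples above, together with the "Misconfigured Tunnel Secret" and "Misconfigured Tunnel Name" troubleshooting sections earlier in this chapter, describe one matching rule: each router's tunnel name is its local name (or its hostname when no local name is set), its secret is the l2tp tunnel password or, failing that, the password of the username entry named after the peer's tunnel name, and a terminate-from hostname on the tunnel server must equal the NAS tunnel name. The following Python checker is an added example, not part of this guide or of IOS: it applies those rules to two configuration fragments and reports every mismatch without printing the secrets themselves. The fragments are the three examples above; the hostname lines added to the l2tp tunnel password fragments and the two broken variants are constructed.

```python
from typing import List, Optional, Tuple

# Commands that end a vpdn-group block even when the configuration has lost its
# indentation (as printed in this chapter).  Anything else after 'vpdn-group' is a subcommand.
TOP_LEVEL = {"hostname", "username", "interface", "vpdn", "vpdn-group", "aaa", "ip",
             "line", "end", "radius-server", "controller", "isdn"}


def parse_tunnel_auth(config: str) -> dict:
    """Collect what decides tunnel authentication: the router's tunnel name, its secrets,
    and which peer name it accepts."""
    info = {"hostname": None, "local_name": None, "l2tp_password": None,
            "terminate_from": None, "usernames": {}}
    in_group = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] == "vpdn-group":
            in_group = True
            continue
        if tokens[0] in TOP_LEVEL:
            in_group = False
        if tokens[0] == "hostname":
            info["hostname"] = tokens[1]
        elif tokens[0] == "username" and "password" in tokens:
            # 'username NAME password [0|7] SECRET': the secret is the last token.  The
            # examples above show it in the clear even with the 7 marker; a real type-7
            # string would have to be decoded before comparison.
            info["usernames"][tokens[1]] = tokens[-1]
        elif in_group and line.startswith("local name "):
            info["local_name"] = tokens[2]
        elif in_group and line.startswith("l2tp tunnel password "):
            info["l2tp_password"] = tokens[-1]
        elif in_group and line.startswith("terminate-from hostname "):
            info["terminate_from"] = tokens[2]
    return info


def tunnel_name(info: dict) -> Optional[str]:
    return info["local_name"] or info["hostname"]  # local name overrides the hostname


def tunnel_secret(info: dict, peer_name: str) -> Tuple[Optional[str], Optional[str]]:
    """The secret this router would use for the given peer, and where it came from."""
    if info["l2tp_password"]:
        return info["l2tp_password"], "l2tp tunnel password"
    if peer_name in info["usernames"]:
        return info["usernames"][peer_name], f"username {peer_name}"
    return None, None


def check_pair(nas_config: str, server_config: str) -> List[str]:
    """Explain why a NAS and tunnel server would fail tunnel authentication; [] means consistent."""
    nas, gw = parse_tunnel_auth(nas_config), parse_tunnel_auth(server_config)
    nas_name, gw_name = tunnel_name(nas), tunnel_name(gw)
    if not nas_name or not gw_name:
        return ["a router has neither a hostname nor a local name"]
    problems: List[str] = []
    if gw["terminate_from"] and gw["terminate_from"] != nas_name:
        problems.append(f"tunnel server only accepts '{gw['terminate_from']}' "
                        f"but the NAS identifies as '{nas_name}'")
    nas_secret, nas_src = tunnel_secret(nas, gw_name)
    gw_secret, gw_src = tunnel_secret(gw, nas_name)
    if nas_secret is None:
        problems.append(f"NAS has no secret for tunnel server name '{gw_name}'")
    if gw_secret is None:
        problems.append(f"tunnel server has no secret for NAS name '{nas_name}'")
    if nas_secret and gw_secret and nas_secret != gw_secret:
        problems.append(f"secret mismatch: NAS {nas_src} vs tunnel server {gw_src}")
    return problems


# The three examples above (hostname lines added to the l2tp tunnel password pair).
EX_LOCALNAME_NAS = "username ENT_HGW password 7 tunnelme\nvpdn-group 1\n local name ISP_NAS\n"
EX_LOCALNAME_GW = "username ISP_NAS password 7 tunnelme\nvpdn-group 1\n local name ENT_HGW\n"
EX_L2TPPW_NAS = "hostname ISP_NAS\nvpdn-group 1\n request-dialin\n  protocol l2tp\n l2tp tunnel password tunnelme\n"
EX_L2TPPW_GW = "hostname ENT_HGW\nvpdn-group 1\n accept-dialin\n  protocol l2tp\n l2tp tunnel password tunnelme\n"
EX_MIXED_NAS = "username adrian password garf1eld\nvpdn-group 1\n local name stella\n"
EX_MIXED_GW = "vpdn-group 1\n accept-dialin\n  protocol l2tp\n local name adrian\n l2tp tunnel password garf1eld\n"
# Constructed broken variants: a mistyped secret, and the NAS calling itself 'isp' while the
# tunnel server insists on ISP_NAS (the "Never heard of isp" case from the troubleshooting section).
BAD_SECRET_GW = "username ISP_NAS password 7 tunnelmee\nvpdn-group 1\n local name ENT_HGW\n"
BAD_NAME_NAS = "username ENT_HGW password 7 tunnelme\nvpdn-group 1\n local name isp\n"
STRICT_GW = ("username ISP_NAS password 7 tunnelme\nvpdn-group 1\n accept-dialin\n  protocol l2tp\n"
             "  virtual-template 1\n terminate-from hostname ISP_NAS\n local name ENT_HGW\n")

if __name__ == "__main__":
    for label, nas, gw in (("local name", EX_LOCALNAME_NAS, EX_LOCALNAME_GW),
                           ("l2tp tunnel password", EX_L2TPPW_NAS, EX_L2TPPW_GW),
                           ("mixed", EX_MIXED_NAS, EX_MIXED_GW),
                           ("bad secret", EX_LOCALNAME_NAS, BAD_SECRET_GW),
                           ("bad name", BAD_NAME_NAS, STRICT_GW)):
        print(f"{label}: {check_pair(nas, gw) or 'consistent'}")
```

All three pairs from the guide come back consistent. The mistyped secret is reported as a mismatch between the NAS username ENT_HGW entry and the tunnel server username ISP_NAS entry, and the renamed NAS produces two findings: the terminate-from name no longer matches, and the tunnel server holds no username entry for isp, which is exactly what the "Couldn't find tunnel named isp" debug line reflects.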
NAS Comprehensive Dial-In Configuration Example
The following example shows a NAS configured to tunnel PPP calls to a tunnel server using L2TP and
local authentication and authorization:
! Enable AAA authentication and authorization with RADIUS as the default method
aaa new-model
aaa authentication ppp default radius
aaa authorization network default radius
!
username ISP_NAS password 7 tunnelme
username ENT_HGW password 7 tunnelme
!
vpdn enable
!
! Configure VPN to first search on the client domain name and then on the DNIS
vpdn search-order domain dnis
! Allow a maximum of 10 simultaneous VPN sessions
vpdn session-limit 10
!
! Configure VPN to initiate VPN dial-in sessions
vpdn-group 1
request-dialin
! Specify L2TP as the tunneling protocol
protocol l2TP
! Tunnel clients with the domain name “hgw.com”
domain hgw.com
! Establish a tunnel with IP address 172.22.66.25
initiate-to ip 172.22.66.25
! Identify the tunnel using the name “ISP_NAS”
local name ISP_NAS
!
! Defines the ISDN switch type as primary-5ess
isdn switch-type primary-5ess
!
! Commissions the T1 controller to allow modem calls in to the NAS
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Ethernet0
ip address 172.22.66.23 255.255.255.192
!
! Configure the Serial channel to allow modem calls in to the NAS
interface Serial0:23
no ip address
isdn switch-type primary-5ess
isdn incoming-voice modem
no cdp enable
!
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode interactive
no peer default ip address
ppp authentication chap pap
group-range 1 96
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.66.1
!
! Specifies the RADIUS server IP address, authorization port, and accounting port
radius-server host 172.22.66.16 auth-port 1645 acct-port 1646
! Specifies the authentication key to be used with the RADIUS server
radius-server key cisco
!
line con 0
transport input none
! Configures the modems
line 1 96
autoselect during-login
autoselect ppp
modem InOut
line aux 0
line vty 0 4
!
end
Tunnel Server Comprehensive Dial-in Configuration Example
The following example shows a tunnel server configured to accept L2TP tunnels from a NAS using local
authentication and authorization:
aaa new-model
! Configure AAA to first use the local database and then contact the RADIUS server for
! PPP authentication
aaa authentication ppp default local radius
! Configure AAA network authorization and accounting by using the RADIUS server
aaa authorization network default radius
aaa accounting network default start-stop radius
!
username ISP_NAS password 7 tunnelme
username ENT_HGW password 7 tunnelme
!
vpdn enable
! Prevent any new VPN sessions from being established without disturbing existing
! sessions
vpdn softshut
!
! Configure VPN to accept dial-in sessions
vpdn-group 1
accept-dialin
! Specify L2TP as the tunneling protocol
protocol l2tp
! Specify that virtual-access interfaces be cloned from virtual template 1
virtual-template 1
! Accept dial-in requests from a router using the tunnel name “ISP_NAS”
terminate-from hostname ISP_NAS
! Identify the tunnel using the tunnel name “ENT_HGW”
local name ENT_HGW
!
interface Ethernet0/0
ip address 172.22.66.25 255.255.255.192
no ip directed-broadcast
!
interface Virtual-Template1
! Use the IP address of interface Ethernet 0
ip unnumbered Ethernet0
! Returns an IP address from the default pool to the VPN client
peer default ip address pool default
! Use CHAP to authenticate PPP
ppp authentication chap
!
ip local pool default 172.30.2.1 172.30.2.96
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.66.1
!
! Specifies the RADIUS server IP address, authorization port, and accounting port
radius-server host 172.22.66.13 auth-port 1645 acct-port 1646
! Specifies the authentication key to be used with the RADIUS server
radius-server key cisco
NAS Configured for Both Dial-In and Dial-Out Example
You can configure a NAS to simultaneously initiate L2TP or L2F dial-in tunnels to a tunnel server and
also accept L2TP dial-out tunnels from a tunnel server.
In the following example, the VPN group of a NAS is configured to dial in using L2F and to dial out
using L2TP as the tunneling protocol and dialer interface 2. The example only shows the VPN group and
dialer configuration:
vpdn-group 1
request-dialin
protocol l2f
domain jgb.com
accept-dialout
protocol l2tp
dialer 2
local name cerise
terminate-from hostname reuben
initiate-to ip 172.1.2.3
!
interface Dialer2
ip unnumbered Ethernet0
encapsulation ppp
dialer in-band
dialer aaa
dialer-group 1
ppp authentication chap
Tunnel Server Configured for Both Dial-In and Dial-Out Example
You can configure a tunnel server to simultaneously receive L2TP or L2F dial-in tunnels from a NAS
and also initiate L2TP dial-out tunnels to a NAS.
In the following example, a tunnel server VPN group is configured to dial in using virtual template 1 to
clone the virtual access interface and to dial out using dialer pool 1. The example only shows the VPN
group and dialer configuration:
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
request-dialout
protocol l2tp
pool-member 1
local name reuben
terminate-from hostname cerise
initiate-to ip 10.3.2.1
!
interface Dialer2
ip address 172.19.2.3 255.255.128.0
encapsulation ppp
dialer remote-name reuben
dialer string 5551234
dialer vpdn
dialer pool 1
dialer-group 1
ppp authentication chap
RADIUS Profile Examples
The following sections show VPN RADIUS profiles configured using CiscoSecure version 2.3.1:
• RADIUS Domain Profile
• RADIUS User Profile
RADIUS Domain Profile
The following example shows a profile that is configured on the NAS RADIUS server to tunnel calls from
users who dial in with the domain name terrapin.com. The NAS will balance calls between the tunnel
servers at 172.16.171.11 and 172.16.171.12. If both of those tunnel servers are unavailable, the NAS will
tunnel calls to 172.16.171.13.
user = terrapin.com{
profile_id = 29
set server current-failed-logins = 0
profile_cycle = 7
radius=Cisco {
check_items= {
2=cisco
}
reply_attributes= {
9,1="vpdn:l2tp-tunnel-password=cisco123"
9,1="vpdn:tunnel-type=l2tp"
9,1="vpdn:ip-addresses=172.16.171.11 172.16.171.12/172.16.171.13"
9,1="vpdn:tunnel-id=tunnel"
}
}
}
Note check_items={2=cisco} is a hard-coded password. This password must be "cisco."
RADIUS User Profile
The following example shows a profile that is configured on the tunnel server RADIUS server to
authorize and authenticate user sailor@terrapin.com:
user = sailor@terrapin.com{
profile_id = 28
profile_cycle = 2
radius=Cisco {
check_items= {
2=cisco
}
reply_attributes= {
6=2
7=1
}
}
}
Note check_items={2=cisco} is a hard-coded password. This password must be "cisco."
TACACS+ Profile Examples
The following sections show VPN TACACS+ profiles configured using CiscoSecure version 2.2.2:
• TACACS+ Domain Profile
• TACACS+ User Profile
• TACACS+ Tunnel Profiles
TACACS+ Domain Profile
The following example shows a profile that is configured on the NAS TACACS+ server to tunnel users
who dial in with the domain name guava.com:
user = guava.com{
    profile_id = 83
    profile_cycle = 1
    service=ppp {
        protocol=vpdn {
            set tunnel-id=isp
            set ip-addresses="10.31.1.50"
            set nas-password="little"
            set gw-password="birdies"
        }
        protocol=lcp {
        }
    }
}
TACACS+ User Profile
The following example shows a profile that is configured on the tunnel server TACACS+ to authorize
and authenticate user geaner@guava.com:
user = geaner@guava.com{
    profile_id = 85
    profile_cycle = 1
    password = chap "daisies"
    service=ppp {
        protocol=ip {
            default attribute=permit
        }
        protocol=lcp {
        }
    }
}
TACACS+ Tunnel Profiles
The following example shows a profile that is configured on the tunnel server TACACS+ server to
authenticate the tunnel. See the “Configuring VPN Tunnel Authentication Using the Host Name or Local
Name” and “Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password” sections earlier
in this chapter for more information on tunnel authentication.
Note Only the tunnel server AAA server can perform tunnel authentication. Tunnel authentication must be
performed locally by the NAS.
user = tunnel-server {
    profile_id = 82
    profile_cycle = 1
    password = chap "3stone"
    service=ppp {
        protocol=ip {
            default attribute=permit
        }
        protocol=lcp {
        }
    }
}
PPP Configuration
Configuring Asynchronous SLIP and PPP
This chapter describes how to configure asynchronous Serial Line Internet Protocol (SLIP) and PPP. It
includes the following main sections:
• Asynchronous SLIP and PPP Overview
• How to Configure Asynchronous SLIP and PPP
• Configuration Examples for Asynchronous SLIP and PPP
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
Asynchronous SLIP and PPP Overview
PPP and SLIP define methods of sending IP packets over standard asynchronous serial lines with
minimum line speeds of 1200 baud.
Using SLIP or PPP encapsulation over asynchronous lines is an inexpensive way to connect personal
computers (PCs) to a network. PPP and SLIP over asynchronous dialup modems allow a home computer
to be connected to a network without the cost of a leased line. Dialup PPP and SLIP links can also be
used for remote sites that need only occasional remote node or backup connectivity. Both public-domain
and vendor-supported PPP and SLIP implementations are available for a variety of computer
applications.
The Cisco IOS software concentrates a large number of SLIP or PPP PC or workstation client hosts onto
a network interface that allows the PCs to communicate with any host on the network. The Cisco IOS
software can support any combination of SLIP or PPP lines and lines dedicated to normal asynchronous
devices such as terminals and modems. Refer to RFC 1055 for more information about SLIP, and RFCs
1331 and 1332 for more information about PPP.
SLIP is an older protocol. PPP is a newer, more robust protocol than SLIP, and it contains functions that
can detect or prevent misconfiguration. PPP also provides greater built-in security mechanisms.
Note Most asynchronous serial links have very low bandwidth. Take care to configure your system so the
links will not be overloaded. Consider using default routes and filtering routing updates to prevent
them from being sent on these asynchronous lines.
Figure 81 illustrates a typical asynchronous SLIP or PPP remote-node configuration.
Figure 81 Sample SLIP or PPP Remote-Node Configuration
Responding to BOOTP Requests
The BOOTP protocol allows a client machine to discover its own IP address, the address of the router,
and the name of a file to be loaded into memory and executed. There are typically two phases to using
BOOTP: first, the client’s address is determined and the boot file is selected; then the file is transferred,
typically using TFTP.
PPP and SLIP clients can send BOOTP requests to the Cisco IOS software, and the Cisco IOS software
responds with information about the network. For example, the client can send a BOOTP request to learn
its IP address and where the boot file is located, and the Cisco IOS software responds with the
information.
BOOTP supports the extended BOOTP requests specified in RFC 1084 and works for both PPP and SLIP
encapsulation.
BOOTP compares to Reverse Address Resolution Protocol (RARP) as follows: RARP is an older
protocol that allows a client to determine its IP address if it knows its hardware address. (Refer to the
Cisco IOS IP Configuration Guide for more information about RARP.) However, RARP is a hardware
link protocol, so it can be implemented only on hosts that have special kernel or driver modifications that
allow access to these raw packets. BOOTP does not require kernel modifications.
Asynchronous Network Connections and Routing
Line configuration commands configure a connection to a terminal or a modem. Interface configuration
(async) commands, described in this chapter, configure a line as an asynchronous network interface over
which networking functions are performed.
The Cisco IOS software also supports IP routing connections for communication that requires
connecting one network to another.
[Figure 81 image: an access server connects a remote PC and a remote Macintosh to a network containing a UNIX host, an AppleShare file server, a PC server, and a UNIX server]
The Cisco IOS software supports protocol translation for PPP and SLIP between other network devices
running Telnet, local-area transport (LAT), or X.25. For example, you can send IP packets across a public
X.25 packet assembler/disassembler (PAD) network using SLIP or PPP encapsulation when SLIP or PPP
protocol translation is enabled. For more information, see the chapter “Configuring Protocol Translation
and Virtual Asynchronous Devices” in this publication.
If asynchronous dynamic routing is enabled, you can enable routing at the user level by using the routing
keyword with the slip or ppp EXEC command.
Asynchronous interfaces offer both dedicated and dynamic address assignment, configurable hold
queues and IP packet sizes, extended BOOTP requests, and permit and deny conditions for controlling
access to lines. Figure 82 shows a sample asynchronous routing configuration.
Figure 82 Sample Asynchronous Routing Configuration
Asynchronous Interfaces and Broadcasts
The Cisco IOS software recognizes a variety of IP broadcast addresses. When a router receives an IP
packet from an asynchronous client, it rebroadcasts the packet onto the network without changing the IP
header.
The Cisco IOS software receives the SLIP or PPP client broadcasts and responds to BOOTP requests
with the current IP address assigned to the asynchronous interface from which the request was received.
This facility allows the asynchronous client software to automatically learn its own IP address.
How to Configure Asynchronous SLIP and PPP
To configure SLIP and PPP, perform the tasks in the following sections; all tasks are optional:
• Configuring Network-Layer Protocols over PPP and SLIP (Optional)
• Configuring Asynchronous Host Mobility (Optional)
• Making Additional Remote Node Connections (Optional)
[Figure 82 image: a UNIX host reached across an asynchronous serial line with TCP/IP routing]
• Configuring Remote Access to NetBEUI Services (Optional)
• Configuring Performance Parameters (Optional)
Configuring Network-Layer Protocols over PPP and SLIP
You can configure network-layer protocols, such as AppleTalk, IP, and Internet Protocol Exchange
(IPX), over PPP and SLIP. SLIP supports only IP, but PPP supports each of these protocols. See the
sections that follow to configure these protocols over PPP and SLIP.
Configuring IP and PPP
To enable IP-PPP (IPCP) on a synchronous or asynchronous interface, use the following commands in
interface configuration mode:
Step 1 - Command: Router(config-if)# ip address ip-address mask [secondary]
         or
         Router(config-if)# ip unnumbered type number
         Purpose: Configures IP routing on the interface, or
         configures IP unnumbered routing on a serial interface.
Step 2 - Command: Router(config-if)# encapsulation ppp
         Purpose: Enables PPP encapsulation on the serial interface.
Step 3 - Command: Router(config-if)# async mode interactive
         Purpose: Enables interactive mode on an asynchronous interface.
Configuring IPX and PPP
You can configure IPX over PPP (IPXCP) on synchronous serial and asynchronous serial interfaces
using one of two methods.
The first method associates an asynchronous interface with a loopback interface configured to run IPX.
It permits you to configure IPX-PPP on asynchronous interfaces only.
The second method permits you to configure IPX-PPP on asynchronous and synchronous serial
interfaces. However, it requires that you specify a dedicated IPX network number for each interface,
which can require a substantial number of network numbers for a large number of interfaces.
You can also configure IPX to run on virtual terminal lines configured for PPP. See the section “Enabling
IPX and PPP over X.25 to an IPX Network on Virtual Terminal Lines” later in this chapter.
Note If you are configuring IPX-PPP on asynchronous interfaces, you should filter routing updates on the
interface. Most asynchronous serial links have very low bandwidth, and routing updates take up a
great deal of bandwidth. The task tables in the sections that follow use the ipx update interval command
to filter SAP updates. For more information about filtering routing updates, see the section about creating
filters for updating the routing table in the chapter “Configuring Novell IPX” in the Cisco IOS AppleTalk
and Novell IPX Configuration Guide.
IPX and PPP and Associating Asynchronous Interfaces with Loopback Interfaces
To permit IPX client connections to an asynchronous interface, the interface must be associated with a
loopback interface configured to run IPX. To permit such connections, use the following commands
beginning in global configuration mode:
Step 1 - Command: Router(config)# ipx routing [node]
         Purpose: Enables IPX routing.
Step 2 - Command: Router(config)# interface loopback number
         Purpose: Creates a loopback interface, which is a virtual interface existing only inside the
         router, and begins interface configuration mode.
Step 3 - Command: Router(config-if)# ipx network network (1)
         Purpose: Enables IPX routing on the loopback interface.
Step 4 - Command: Router(config-if)# exit
         Purpose: Exits to global configuration mode.
Step 5 - Command: Router(config)# interface async number
         Purpose: Enters interface configuration mode for the asynchronous interface.
Step 6 - Command: Router(config-if)# ip unnumbered type number
         Purpose: Configures IP unnumbered routing on the interface.
Step 7 - Command: Router(config-if)# encapsulation ppp
         Purpose: Enables PPP encapsulation on the interface.
Step 8 - Command: Router(config-if)# async mode interactive
         Purpose: Enables interactive mode on an asynchronous interface.
Step 9 - Command: Router(config-if)# ipx ppp-client loopback number
         Purpose: Assigns the asynchronous interface to the loopback interface configured for IPX.
Step 10 - Command: Router(config-if)# ipx update interval
         Purpose: Turns off Service Advertising Protocol (SAP) updates to optimize bandwidth on
         asynchronous interfaces.
(1) Every interface must have a unique IPX network number.
IPX and PPP Using Dedicated IPX Network Numbers for Each Interface
To enable IPX and PPP, use the following commands beginning in global configuration mode. The first
five steps are required. The last step is optional.
Step 1 - Command: Router(config)# ipx routing [node]
         Purpose: Enables IPX routing.
Step 2 - Command: Router(config)# interface loopback number
         Purpose: Creates a loopback interface, which is a virtual interface existing only inside the
         router, and begins interface configuration mode.
Step 3 - Command: Router(config-if)# encapsulation ppp
         Purpose: Enables PPP encapsulation on the interface.
Step 4 - Command: Router(config-if)# async mode interactive
         Purpose: Enables interactive mode on an asynchronous interface.
Step 5 - Command: Router(config-if)# ipx network network (1)
         Purpose: Enables IPX routing on the interface.
Step 6 - Command: Router(config-if)# ipx update interval
         Purpose: (Optional) Turns off SAP updates to optimize bandwidth on asynchronous interfaces.
(1) Every interface must have a unique IPX network number.
Enabling IPX and PPP over X.25 to an IPX Network on Virtual Terminal Lines
You can enable IPX-PPP on virtual terminal lines, which permits clients to log in to a virtual terminal
on a router, invoke a PPP session at the EXEC prompt to a host, and run IPX to the host.
For example, in Figure 83, the client terminal on the X.25 network logs in to the access server via a
virtual terminal line, which is configured for IPX-PPP. When the user connects to the access server and
the EXEC prompt appears, enter the PPP command to connect to the IPX host. The virtual terminal is
configured to run IPX, so when the PPP session is established from the access server, the terminal can
access the IPX host using an IPX application.
Figure 83 IPX-PPP on a Virtual Asynchronous Interface
To enable IPX to run over your PPP sessions on virtual terminal lines, use the following commands
beginning in global configuration mode:
Step 1 - Command: Router(config)# ipx routing [node]
         Purpose: Enables IPX routing.
Step 2 - Command: Router(config)# interface loopback number
         Purpose: Creates a loopback interface and begins interface configuration mode.
Step 3 - Command: Router(config-if)# ipx network network (1)
         Purpose: Enables a virtual IPX network on the loopback interface.
Step 4 - Command: Router(config-if)# vty-async ipx ppp-client loopback number
         Purpose: Enables IPX-PPP on virtual terminal lines by assigning it to the loopback interface
         configured for IPX.
(1) Every loopback interface must have a unique IPX network number.
Configuring AppleTalk and PPP
You can configure an asynchronous interface so that users can access AppleTalk zones by dialing in to
the router via PPP through this interface. Users accessing the network can run AppleTalk and IP natively
on a remote Macintosh, access any available AppleTalk zones from Chooser, use networked peripherals,
and share files with other Macintosh users. This feature is referred to as AppleTalk Control Protocol
(ATCP).
You create a virtual network that exists only for accessing an AppleTalk internet through the server. To
create a new AppleTalk zone, enter the appletalk virtual-net command and use a new zone name; this
network number is then the only one associated with this zone. To add network numbers to an existing
AppleTalk zone, use this existing zone name in the command; this network number is then added to the
existing zone. Routing is not supported on these interfaces.
To enable ATCP for PPP, use the following commands in interface configuration (asynchronous) mode:
Step 1 - Command: Router(config-if)# encapsulation ppp
         Purpose: Defines encapsulation as PPP on this interface.
Step 2 - Command: Router(config-if)# appletalk virtual-net network-number zone-name
         Purpose: Creates an internal network on the server.
Step 3 - Command: Router(config-if)# appletalk client-mode
         Purpose: Enables client-mode on this interface.
Configuring IP and SLIP
To enable IP-SLIP on a synchronous or asynchronous interface, use the following commands in interface
configuration mode:
Step 1 - Command: Router(config-if)# ip address ip-address mask
         or
         Router(config-if)# ip unnumbered type number
         Purpose: Configures IP routing on the interface, or
         configures IP unnumbered routing on a serial interface.
Step 2 - Command: Router(config-if)# encapsulation slip
         Purpose: Enables SLIP encapsulation on the serial interface.
Step 3 - Command: Router(config-if)# async mode interactive
         Purpose: Enables interactive mode on an asynchronous interface.
Configuring Asynchronous Host Mobility
The access server supports a packet tunneling strategy that extends the internetwork—in effect creating
a virtual private link for the mobile user. When a user activates asynchronous host mobility, the access
server on which the remote user dials in becomes a remote point of presence (POP) for the home network
of the user. Once logged in, users experience a server environment identical to the one that they
experience when they connect directly to the “home” access server.
Once the network-layer connection is made, data packets are tunneled at the physical or data link layer
instead of at the protocol layer. In this way, raw data bytes from dial-in users are transported directly to
the “home” access server, which processes the protocols.
Figure 84 illustrates the implementation of asynchronous host mobility on an extended internetwork. A
mobile user connects to an access server on the internetwork and, by activating asynchronous host
mobility, is connected to a “home” access server configured with the appropriate username. The user
sees an authentication dialog or prompt from the “home” system and can proceed as if he or she were
connected directly to that device.
Figure 84 Asynchronous Host Mobility
[Figure 84 image: a telecommuting user dials in across the Internet; data packets are encapsulated and "tunneled" to the home access server on the company network, where the protocols are translated]
Asynchronous host mobility is enabled with the tunnel EXEC command and the ip tcp async-mobility
server global configuration command. The ip tcp async-mobility server command establishes
asynchronous listening on TCP tunnel port 57. The tunnel command sets up a network-layer connection
to the specified destination. Both commands must be used. The access server accepts the connection,
attaches it to a virtual terminal line, and runs a command parser capable of running the normal dial-in
services. After the connection is established, data is transferred between the modem and network
connection with a minimum of interpretations. When communications are complete, the network
connection can be closed and terminated from either end.
To enable asynchronous host mobility, use the following commands beginning in global configuration
mode:
Step 1 - Command: Router(config)# ip tcp async-mobility server
         Purpose: Enables asynchronous listening on TCP tunnel port 57.
Step 2 - Command: Router(config)# exit
         Purpose: Returns to user EXEC mode.
Step 3 - Command: Router# tunnel host
         Purpose: Sets up a network-layer connection to a router by specifying its Internet name or
         address. Replace the host argument with the name or address of the device that you want to
         connect to.
To connect from a router other than a Cisco router, you must use Telnet. After a connection is
established, you receive an authentication dialog or prompt from your home router, and can proceed as
if you are connected directly to that router. When communications are complete, the network connection
can be closed and terminated from either end of the connection.
Making Additional Remote Node Connections
This section describes how to connect devices across telephone lines by using PPP and SLIP. It includes
the following sections:
• Creating PPP Connections
• Making SLIP Connections
Creating PPP Connections
When you connect from a remote node computer through an asynchronous port on an access server to
the EXEC facility to connect from the access server to a device on the network, use the following
command in EXEC mode:
Command: Router> ppp {/default | {remote-ip-address | remote-name} [@tacacs-server]} [/routing]
Purpose: Creates a PPP connection.
If you specify an address for the TACACS server using /default or tacacs-server, the address must be
the first parameter in the command after you type ppp. If you do not specify an address or enter /default,
you are prompted for an IP address or host name. You can enter /default at this point.
For example, if you are working at home on the device named ntpc in Figure 85 and want to connect to
Server 1 using PPP, you could dial in to the access server. When you connect to the EXEC prompt on
the access server, enter the ppp command to connect with the device.
Figure 85 Using the ppp Command
To terminate a session, disconnect from the device on the network using the command specific to that
device. Then, exit from EXEC mode by using the exit command.
Making SLIP Connections
To make a serial connection to a remote host by using SLIP, use the following command in EXEC mode:
Command: Router> slip [/default] {remote-ip-address | remote-name} [@tacacs-server] [/routing] [/compressed]
Purpose: Creates a SLIP connection.
Your system administrator can configure SLIP to expect a specific address or to provide one for you. It
is also possible to set up SLIP in a mode that compresses packets for more efficient use of bandwidth on
the line.
If you specify an address for the TACACS server using /default or tacacs-server, the address must be
the first parameter in the command after you type slip. If you do not specify an address or enter /default,
you are prompted for an IP address or host name. You can enter /default at this point.
If you do not use the tacacs-server argument to specify a TACACS server for SLIP address
authentication, the TACACS server specified at login (if any) is used for the SLIP address query.
To optimize bandwidth on a line, SLIP enables compression of the SLIP packets using Van Jacobson
TCP header compression as defined in RFC 1144.
To terminate a session, disconnect from the device on the network using the command specific to that
device. Then, exit from EXEC mode by using the exit command.
Configuring Remote Access to NetBEUI Services
NetBIOS Extended User Interface (NetBEUI) is a simple networking protocol developed by IBM for use
by PCs in a LAN environment. It is an extension of the original Network Basic Input/Output System
(NetBIOS) from IBM. NetBEUI uses a broadcast-based name to 802.x address translation mechanism.
Because NetBEUI has no network layer, it is a nonroutable protocol.
The NetBIOS Frames Control Protocol (NBFCP) enables packets from a NetBEUI application to be
transferred via a PPP connection. NetBEUI/PPP is supported in the access server and Cisco enterprise
images only.
Using the Cisco IOS implementation, remote NetBEUI users can have access to LAN-based NetBEUI
services. The PPP link becomes the ramp for the remote node to access NetBIOS services on the LAN.
(See Figure 86.) A Logical Link Control, type 2 (LLC2) connection is set up between the remote access
client and router, and a second LLC2 connection is set up between the router and the remote access
(NetBEUI) server.
Figure 86 NetBEUI Connection
By supporting NetBEUI remote clients over PPP, Cisco routers function as native NetBEUI dial-in
routers for remote NetBEUI clients. Thus, you can offer remote access to a NetBEUI network through
asynchronous or ISDN connections.
To enable a remote access client using a NetBEUI application to connect with the remote router
providing NetBEUI services, configure interfaces on the remote access client side and the remote router
side by using the following command in interface configuration mode:
Command: Router(config-if)# netbios nbf
Purpose: Enables NBFCP on each side of a NetBEUI connection.
To view NetBEUI connection information, use the following command in EXEC mode:
Command: Router> show nbf sessions
Purpose: Views NetBEUI connection information.
Configuring Performance Parameters
To tune IP performance, complete the tasks in the following sections:
• Compressing TCP Packet Headers (As required)
• Setting the TCP Connection Attempt Time (As required)
• Compressing IPX Packet Headers over PPP (As required)
• Enabling Fast Switching (As required)
• Controlling Route Cache Invalidation (As required)
• Customizing SLIP and PPP Banner Messages (As required)
Compressing TCP Packet Headers
You can compress the headers of your TCP/IP packets to reduce their size and thereby increase
performance. Header compression is particularly useful on networks with a large percentage of small
packets, such as those supporting many Telnet connections. This feature compresses only the TCP
header, so it has no effect on UDP packets or other protocol headers. The TCP header compression
technique, described fully in RFC 1144, is supported on serial lines using High-Level Data Link Control
(HDLC) or PPP encapsulation. You must enable compression on both ends of a serial connection.
You can optionally specify outgoing packets to be compressed only when TCP incoming packets on the
same interface are compressed. If you do not specify this option, the Cisco IOS software will compress
all traffic. The default is no compression.
You can also specify the total number of header compression connections that can exist on an interface.
You should configure one connection for each TCP connection through the specified interface.
To enable compression, use the following commands in interface configuration mode:
Step 1 - Command: Router(config-if)# ip tcp header-compression [passive]
         Purpose: Enables TCP header compression.
Step 2 - Command: Router(config-if)# ip tcp compression-connections number
         Purpose: Specifies the total number of header compression connections that can exist on an
         interface.
Note When compression is enabled, fast switching is disabled. Fast processors can handle several fast
interfaces, such as T1 lines, that are running header compression. However, you should think
carefully about traffic characteristics in your network before compressing TCP headers. You might
want to use the monitoring commands to help compare network utilization before and after enabling
header compression.
Setting the TCP Connection Attempt Time
You can set the amount of time that the Cisco IOS software will wait to attempt to establish a TCP
connection. In previous versions of the Cisco IOS software, the system would wait a fixed 30 seconds
when attempting to make the connection. This amount of time is not enough in networks that have dialup
asynchronous connections, such as a network consisting of dial-on-demand links that are implemented
over modems, because it will affect your ability to use Telnet over the link (from the router) if the link
must be brought up.
Because the connection attempt time is a host parameter, it does not pertain to traffic going through the
router, just to traffic originated at it.
To set the TCP connection attempt time, use the following command in global configuration mode:
Command: Router(config)# ip tcp synwait-time seconds
Purpose: Sets the amount of time for which the Cisco IOS software will wait to attempt to establish a
TCP connection.
Compressing IPX Packet Headers over PPP
The Cisco IOS software permits compression of IPX packet headers over various WAN media. There are
two protocols for IPX compression on point-to-point links:
• CIPX, also known as Telebit style compression
• Shiva compression, which is proprietary
Cisco routers support IPX Header Compression (CIPX) on all point-to-point Novell interfaces over
various WAN media.
CIPX is described in RFC 1553, Compressing IPX Headers Over WAN Media. The CIPX algorithm is
based on the same concepts as the Van Jacobson TCP/IP header compression algorithm. CIPX operates
over PPP WAN links using either the IPXCP or IPXWAN communications protocols.
CIPX compresses all IPX headers and IPX/NCP headers for Novell packets with the following Network
Control Program (NCP) packet types:
• 0x2222—NCP request from workstation
• 0x3333—NCP replies from file server
In this version of software, CIPX is configurable only for PPP links.
CIPX header compression can reduce header information from 30 bytes down to as little as 1 byte. This
reduction can save bandwidth and reduce costs associated with IPX routing over WAN links that are
configured to use IPXCP or IPXWAN.
Consider the following issues before implementing CIPX:
• CIPX is supported on all point-to-point IPX interfaces using PPP or IPXWAN processing (or both).
• CIPX needs to be negotiated for both directions of the link, because it uses the reverse direction of
the link for communicating decompression problems back to the originating peer. In other words,
all peer routers must have CIPX enabled.
To configure CIPX, use the following command in global configuration mode:
Command: Router(config)# ipx compression cipx number-of-slots
Purpose: Compresses IPX packet headers in a PPP session.
Note We recommend that you keep a slot value of 16. Because slots are maintained in the router buffer, a
larger number can impact buffer space for other operations.
Enabling Fast Switching
Fast switching involves the use of a high-speed switching cache for IP routing. With fast switching,
destination IP addresses are stored in the high-speed cache so that some time-consuming table lookups
can be avoided. The Cisco IOS software generally offers better packet transfer performance when fast
switching is enabled.
To enable or disable fast switching, use the following commands in interface configuration mode:
Step 1 - Command: Router(config-if)# ip route-cache
         Purpose: Enables fast switching (use of a high-speed route cache for IP routing).
Step 2 - Command: Router(config-if)# no ip route-cache
         Purpose: Disables fast switching and enables load balancing on a per-packet basis.
Controlling Route Cache Invalidation
The high-speed route cache used by IP fast switching is invalidated when the IP routing table changes.
By default, the invalidation of the cache is delayed slightly to avoid excessive CPU load while the routing
table is changing.
To control route cache invalidation, use the following commands in global configuration mode as needed
for your network:
Step 1 - Command: Router(config)# no ip cache-invalidate-delay
         Purpose: Allows immediate invalidation of the cache.
Step 2 - Command: Router(config)# ip cache-invalidate-delay [minimum maximum quiet-threshold]
         Purpose: Delays invalidation of the cache.
Note This task normally should not be necessary. It should be performed only under the guidance of
technical staff. Incorrect configuration can seriously degrade the performance of your router.
Customizing SLIP and PPP Banner Messages
This feature enables you to customize the banner that is displayed when making a SLIP or PPP
connection to avoid connectivity problems the default banner message causes in some non-Cisco SLIP
and PPP dialup software. This feature is particularly useful when legacy client applications require a
specialized connection string.
To configure the SLIP-PPP banner message, use the following command in global configuration mode:
Command: Router(config)# banner slip-ppp d message d
Purpose: Configures the SLIP-PPP banner to display a customized message.
You can also use tokens in the banner message to display current IOS configuration variables. Tokens
are keywords of the form $(token). When you include tokens in a banner command, Cisco IOS will
replace $(token) with the corresponding configuration variable.
Table 35 lists the tokens that you can use in the banner slip-ppp command.
Table 35 SLIP Banner Tokens
Token - Information Displayed in Banner
Global:
  $(hostname) - Hostname of the router
  $(domain) - Domain name of the router
SLIP/PPP banner-specific:
  $(peer-ip) - IP address of the peer machine
  $(gate-ip) - IP address of the gateway machine
  $(encap) - Encapsulation type (SLIP, PPP, and so on)
Configuring Asynchronous SLIP and PPP
Configuration Examples for Asynchronous SLIP and PPP
DC-588
Cisco IOS Dial Technologies Configuration Guide
Configuration Examples for Asynchronous SLIP and PPP
This section provides the following examples:
• Basic PPP Configurations Examples
• Remote Node NetBEUI Examples
• Remote Network Access Using PPP Basic Configuration Example
• Remote Network Access Using PPP and Routing IP Example
• Remote Network Access Using a Leased Line with Dial-Backup and PPP Example
• Multilink PPP Using Multiple Asynchronous Interfaces Example
Basic PPP Configurations Examples
The following example illustrates how to make a connection when the system administrator defines a
default IP address by including the peer default ip address command in interface configuration mode.
Note The peer default ip address command replaces the async default ip address command.
Once a correct password is entered, you are placed in SLIP mode, and the IP address appears:
Router> slip
Password:
Entering SLIP mode.
Your IP address is 192.168.7.28, MTU is 1524 bytes
The following example shows the prompts displayed and the response required when dynamic
addressing is used to assign the SLIP address:
Router> slip
IP address or hostname? 192.168.6.15
Password:
Entering SLIP mode
Your IP address is 192.168.6.15, MTU is 1524 bytes
In the previous example, the address 192.168.6.15 had been assigned as the default. Password
verification is still required before SLIP mode can be enabled, as follows:
Router> slip default
Password:
Entering SLIP mode
Your IP address is 192.168.6.15, MTU is 1524 bytes
The following example illustrates the implementation of header compression on the interface with the
IP address 172.16.2.1:
Router> slip 172.16.2.1 /compressed
Password:
$(encap-alt) Encapsulation type displayed as SL/IP instead of SLIP
$(mtu) MTU size
Table 35 SLIP Banner Tokens (continued)
Configuring Asynchronous SLIP and PPP
Configuration Examples for Asynchronous SLIP and PPP
DC-589
Cisco IOS Dial Technologies Configuration Guide
Entering SLIP mode.
Interface IP address is 172.16.2.1, MTU is 1500 bytes.
Header compression will match your system.
In the preceding example, the interface is configured for ip tcp header-compression passive, which
permitted the user to enter the /compressed keyword at the EXEC mode prompt. The message “Header
compression will match your system” indicates that the user has specified compression. If the line was
configured for ip tcp header-compression on, this line would read “Header compression is On.”
The following example specifies a TACACS server named parlance for address authentication:
Router> slip 10.0.0.1@parlance
Password:
Entering SLIP mode.
Interface IP address is 10.0.0.1, MTU is 1500 bytes
Header compression will match your system.
The following example sets the SLIP-PPP banner using several tokens and the percent sign (%) as the
delimiting character:
Router(config)# banner slip-ppp %
Enter TEXT message. End with the character '%'.
Starting $(encap) connection from $(gate-ip) to $(peer-ip) using a maximum packet size of
$(mtu) bytes... %
When you enter the slip command, you will see the following banner. Notice that the $(token) syntax is
replaced by the corresponding configuration variables.
Starting SLIP connection from 192.168.69.96 to 172.16.80.8 using a maximum packet size of
1500 bytes...
Remote Node NetBEUI Examples
In the following example, asynchronous interface 7 and Ethernet interface 0 are configured to enable
NetBEUI connectivity between the corporate telecommuter client and the remote access (NetBEUI)
server. The PC client is running the Chat legacy application in Windows NT to connect with the remote
server. (See Figure 87.)
Figure 87 Connecting a Remote NetBEUI Client to a Server Through a Router
(Figure 87 labels: Telecommuter / corporate traveler, Remote access client, Modem, Modem, LLC2, NetBEUI connection, Interface async 7, Router, Interface Ethernet 0, NetBEUI server)
The configuration for the router is as follows:
interface async 7
netbios nbf
encapsulation ppp
You would also need to configure security, such as TACACS+, RADIUS, or another form of login
authentication on the router.
Remote Network Access Using PPP Basic Configuration Example
Figure 88 illustrates a simple network configuration that includes remote PCs with modems connected
via modem to a router. The cloud is a Public Switched Telephone Network (PSTN). The modems are
connected via asynchronous lines, and the access server is connected to a local network.
In this example, the following is configured:
• An asynchronous line on the access server configured to use PPP encapsulation.
• An interface on the access server for the modem connection; this interface also needs to be
configured to accept incoming modem calls.
• A default IP address for each incoming line.
Figure 88 Remote Network Access Using PPP
This default address indicates the address of the remote PC to the server, unless the user explicitly
specifies another when starting the PPP session.
The server is configured for interactive mode with autoselect enabled, which allows the user to
automatically begin a PPP session upon detection of a PPP packet from the remote PC; or, the remote
PC can explicitly begin a PPP session by entering the ppp EXEC command at the prompt.
The configuration is as follows:
ip routing
!
interface ethernet 0
ip address 192.168.32.12 255.255.255.0
!
interface async 1
encapsulation ppp
async mode interactive
async default ip address 192.168.32.51
async dynamic address
ip unnumbered ethernet 0
line 1
autoselect ppp
modem callin
speed 19200
Remote Network Access Using PPP and Routing IP Example
Figure 89 illustrates a network configuration that provides routing functionality, allowing routing
updates to be passed across the asynchronous lines.
This network is composed of remote and local PCs connected via modem and network connections to an
access server. This access server is connected to a second access server via an asynchronous line running
TCP/IP. The second access server is connected to a local network via modem.
For this scenario, you will need to configure the following:
• An asynchronous line on both access servers configured to use PPP encapsulation
• An interface on both access servers for the modem connection and for this interface to be configured
to accept incoming modem calls
• A default IP address for each incoming line
• IP routing on all configured interfaces
Figure 89 Routing on an Asynchronous Line Using PPP
The configuration is as follows:
interface async 1
encapsulation ppp
async mode interactive
async default ip address 192.168.32.10
async dynamic address
ip unnumbered ethernet 0
async dynamic routing
If you want to pass IP routing updates across the asynchronous link, enter the following commands:
line 1
autoselect ppp
modem callin
speed 19200
Next, enter the following commands to configure the asynchronous lines between the access servers
beginning in global configuration mode:
interface async 2
async default ip address 192.168.32.55
ip tcp header-compression passive
Finally, configure routing as described in the Cisco IOS IP Configuration Guide using one of the
following methods. The server can route packets three different ways.
• Use ARP, which is the default behavior.
• Use a default-gateway by entering the command ip default-gateway x.x.x.x, where x.x.x.x is the IP
address of a locally attached router.
• Run an IP routing protocol such as Routing Information Protocol (RIP), Interior Gateway Routing
Protocol (IGRP), Enhanced IGRP (EIGRP), or Open Shortest Path First (OSPF).
Remote Network Access Using a Leased Line with Dial-Backup and PPP
Example
Figure 90 illustrates a scenario where two networks are connected via access servers on a leased line.
Redundancy is provided by a dial-backup line over the PSTN so that if the primary leased line goes
down, the dial-backup line will be automatically brought up to restore the connection. This configuration
would be useful for using an auxiliary port as the backup port for a synchronous port.
For this scenario, you would need to configure the following:
• Two asynchronous interfaces on each access server
• Two modem interfaces
• A default IP address for each interface
• Dial-backup on one modem interface per access server
• An interface connecting to the related network of an access server
Figure 90 Asynchronous Leased Line with Backup
The configuration for this scenario follows:
hostname routerA
!
username routerB password cisco
chat-script backup "" "AT" TIMEOUT 30 OK atdt\T TIMEOUT 30 CONNECT \c
!
interface Serial0
backup interface Async1
ip address 192.168.222.12 255.255.255.0
!
interface Async1
ip address 172.16.199.1 255.255.255.0
encapsulation ppp
async default ip address 172.16.199.2
async dynamic address
async dynamic routing
async mode dedicated
dialer in-band
dialer map ip 172.16.199.2 name routerB modem-script backup broadcast 3241129
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
line aux 0
modem InOut
rxspeed 38400
txspeed 38400
Multilink PPP Using Multiple Asynchronous Interfaces Example
The following example shows how to configure MLP using multiple asynchronous interfaces:
chat-script backup "" "AT" TIMEOUT 30 OK atdt\T TIMEOUT 30 CONNECT \c
!
ip address-pool local
ip local pool foo 10.0.1.5 10.0.1.15
!
! Apply the following interface block to async 1, async 2, and async 3.
interface async 1
no ip address
dialer in-band
encapsulation ppp
ppp multilink
dialer rotary-group 1
!
interface dialer 1
encapsulation ppp
ip unnumbered ethernet 0
peer default ip address pool foo
ppp authentication chap
ppp multilink
dialer in-band
dialer map ip 10.200.100.9 name WAN-R3 modem-script backup broadcast 2322036
dialer load-threshold 5 either
dialer-group 1
!
dialer-list 1 protocol ip permit
!
line 1 3
modem InOut
speed 115000
Configuring Media-Independent PPP and
Multilink PPP
This chapter describes how to configure the PPP and Multilink PPP (MLP) features that can be
configured on any interface. It includes the following main sections:
• PPP Encapsulation Overview
• Configuring PPP and MLP
• Configuring MLP Interleaving and Queueing
• Configuring MLP Inverse Multiplexer and Distributed MLP
• Monitoring and Maintaining PPP and MLP Interfaces
• Configuration Examples for PPP and MLP
This chapter also describes address pooling for point-to-point links, which is available on all
asynchronous serial, synchronous serial, and ISDN interfaces. See the chapter “Configuring
Asynchronous SLIP and PPP” in this publication for information about PPP features and requirements
that apply only to asynchronous lines and interfaces.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the PPP commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
PPP Encapsulation Overview
PPP, described in RFC 1661, encapsulates network layer protocol information over point-to-point links.
You can configure PPP on the following types of physical interfaces:
• Asynchronous serial
• High-Speed Serial Interface (HSSI)
• ISDN
• Synchronous serial
By enabling PPP encapsulation on physical interfaces, PPP can also be in effect on calls placed by the
dialer interfaces that use the physical interfaces.
The current implementation of PPP supports option 3, authentication using Challenge Handshake
Authentication Protocol (CHAP) or Password Authentication Protocol (PAP), option 4, Link Quality
Monitoring (LQM), and option 5, Magic Number configuration options. The software always sends
option 5 and negotiates for options 3 and 4 if so configured. All other options are rejected.
Magic Number support is available on all serial interfaces. PPP always attempts to negotiate for Magic
Numbers, which are used to detect looped-back lines. Depending on how the down-when-looped
command is configured, the router might shut down a link if it detects a loop.
The software provides the CHAP and PAP on serial interfaces running PPP encapsulation. For detailed
information about authentication, refer to the Cisco IOS Security Configuration Guide.
Beginning with Cisco IOS Release 11.2 F, Cisco supported fast switching of incoming and outgoing
DECnet and CLNS packets over PPP.
Configuring PPP and MLP
To configure PPP on a serial interface (including ISDN), perform the following task in interface
configuration mode. This task is required for PPP encapsulation.
• Enabling PPP Encapsulation
You can also complete the tasks in the following sections; these tasks are optional but offer a variety of
uses and enhancements for PPP on your systems and networks:
• Enabling CHAP or PAP Authentication
• Enabling Link Quality Monitoring
• Configuring Compression of PPP Data
• Configuring Microsoft Point-to-Point Compression
• Configuring IP Address Pooling
• Configuring PPP Reliable Link
• Disabling or Reenabling Peer Neighbor Routes
• Configuring PPP Half-Bridging
• Configuring Multilink PPP
• Configuring MLP Interleaving
• Enabling Distributed CEF Switching
• Creating a Multilink Bundle
• Assigning an Interface to a Multilink Bundle
• Disabling PPP Multilink Fragmentation
• Verifying the MLP Inverse Multiplexer Configuration
See the section “Monitoring and Maintaining PPP and MLP Interfaces” later in this chapter for tips on
maintaining PPP. See the “Configuration Examples for PPP and MLP” at the end of this chapter for ideas
on how to implement PPP and MLP in your network.
Enabling PPP Encapsulation
To enable PPP on serial lines to encapsulate IP and other network protocol datagrams, use the following
command in interface configuration mode:
Command Purpose
Router(config-if)# encapsulation ppp Enables PPP encapsulation.
PPP echo requests are used as keepalives to minimize disruptions to the end users of your network. The
no keepalive command can be used to disable echo requests.
Enabling CHAP or PAP Authentication
PPP with CHAP or PAP authentication is often used to inform the central site about which remote routers
are connected to it.
With this authentication information, if the router or access server receives another packet for a
destination to which it is already connected, it does not place an additional call. However, if the router
or access server is using rotaries, it sends the packet out the correct port.
CHAP and PAP were originally specified in RFC 1334, and CHAP is updated in RFC 1994. These
protocols are supported on synchronous and asynchronous serial interfaces. When using CHAP or PAP
authentication, each router or access server identifies itself by a name. This identification process
prevents a router from placing another call to a router to which it is already connected, and also prevents
unauthorized access.
Access control using CHAP or PAP is available on all serial interfaces that use PPP encapsulation. The
authentication feature reduces the risk of security violations on your router or access server. You can
configure either CHAP or PAP for the interface.
Note To use CHAP or PAP, you must be running PPP encapsulation.
When CHAP is enabled on an interface and a remote device attempts to connect to it, the local router or
access server sends a CHAP packet to the remote device. The CHAP packet requests or “challenges” the
remote device to respond. The challenge packet consists of an ID, a random number, and the host name
of the local router.
The required response has two parts:
• An encrypted version of the ID, a secret password, and the random number
• Either the host name of the remote device or the name of the user on the remote device
When the local router or access server receives the response, it verifies the secret password by
performing the same encryption operation as indicated in the response and looking up the required host
name or username. The secret passwords must be identical on the remote device and the local router.
Because this response is sent, the password is never sent in clear text, preventing other devices from
stealing it and gaining illegal access to the system. Without the proper response, the remote device
cannot connect to the local router.
CHAP transactions occur only when a link is established. The local router or access server does not
request a password during the rest of the call. (The local device can, however, respond to such requests
from other devices during a call.)
When PAP is enabled, the remote router attempting to connect to the local router or access server is
required to send an authentication request. If the username and password specified in the authentication
request are accepted, the Cisco IOS software sends an authentication acknowledgment.
After you have enabled CHAP or PAP, the local router or access server requires authentication from
remote devices. If the remote device does not support the enabled protocol, no traffic will be passed to
that device.
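As an added illustration of the challenge/response exchange described above (example code written for this page, not Cisco IOS code), the following Python models one CHAP transaction as RFC 1994 specifies it: the "encrypted version" of the ID, secret and random number is an MD5 digest computed over those three values, so the secret itself never crosses the link, and the authenticator recomputes the digest from its own username entry to verify the peer. The host names routerA and routerB reuse the page's example names; the shared secret is a constructed placeholder.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed placeholder secret; in IOS this is the `username <name> password <secret>`
# entry, which must be identical on both peers. Not a value from the guide.
SHARED_SECRET = b"constructed-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge value).

    Only this 16-byte digest is sent; the secret stays on the host.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass(frozen=True)
class Challenge:
    identifier: int
    value: bytes      # random number chosen by the authenticator
    name: bytes       # host name of the local (challenging) router


@dataclass(frozen=True)
class Response:
    identifier: int
    value: bytes      # digest from chap_response()
    name: bytes       # host name or username of the remote device


def build_challenge(identifier: int, local_name: bytes, length: int = 16) -> Challenge:
    """Authenticator side: every challenge carries a fresh random value."""
    return Challenge(identifier, os.urandom(length), local_name)


def answer_challenge(ch: Challenge, secret: bytes, remote_name: bytes) -> Response:
    """Peer side: echo the identifier, prove knowledge of the secret, give a name."""
    return Response(ch.identifier, chap_response(ch.identifier, secret, ch.value), remote_name)


def verify_response(ch: Challenge, resp: Response, secrets: dict) -> bool:
    """Authenticator side: look up the secret by the peer's name and recompute.

    `secrets` models the router's username entries (name -> secret).
    """
    if resp.identifier != ch.identifier:
        return False            # answer to a stale or different challenge
    secret = secrets.get(resp.name)
    if secret is None:
        return False            # no username entry for this peer
    expected = chap_response(ch.identifier, secret, ch.value)
    return hmac.compare_digest(expected, resp.value)


def run_exchange(remote_secret: bytes, remote_name: bytes = b"routerB") -> bool:
    """One complete CHAP transaction: routerA challenges, routerB answers, routerA verifies."""
    local_db = {b"routerB": SHARED_SECRET}           # username routerB password <secret>
    ch = build_challenge(identifier=1, local_name=b"routerA")
    resp = answer_challenge(ch, remote_secret, remote_name)
    return verify_response(ch, resp, local_db)


if __name__ == "__main__":
    print("matching secret:", run_exchange(SHARED_SECRET))
    print("wrong secret:   ", run_exchange(b"wrong-secret"))
```

Because the digest binds the identifier and the random value, a response captured from one call cannot be replayed against a later challenge, which is why the guide can say the password is never exposed even though the exchange crosses the dial-up link in the clear.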
To use CHAP or PAP, you must perform the following tasks:
• Enable PPP encapsulation.
• Enable CHAP or PAP on the interface.
• For CHAP, configure host name authentication and the secret or password for each remote system
with which authentication is required.
To enable PPP encapsulation, use the following command in interface configuration mode:
Command Purpose
Router(config-if)# encapsulation ppp Enables PPP encapsulation on an interface.
To enable CHAP or PAP authentication on an interface configured for PPP encapsulation, use the
following command in interface configuration mode:
Command Purpose
Router(config-if)# ppp authentication {chap | chap pap |
pap chap | pap} [if-needed] [list-name | default] [callin]
Defines the authentication methods supported and the
order in which they are used.
The ppp authentication chap optional keyword if-needed can be used only with Terminal Access
Controller Access Control System (TACACS) or extended TACACS.
With authentication, authorization, and accounting (AAA) configured on the router and list names
defined for AAA, the list-name optional keyword can be used with AAA/TACACS+.
Caution If you use a list-name that has not been configured with the aaa authentication ppp command, you
disable PPP on the line.
Add a username entry for each remote system from which the local router or access server requires
authentication.
To specify the password to be used in CHAP or PAP caller identification, use the following command in
global configuration mode:
Command Purpose
Router(config)# username name [user-maxlinks link-number]
password secret
Configures identification. Optionally, you can specify
the maximum number of connections a user can
establish.
To use the user-maxlinks keyword, you must also use
the aaa authorization network default local command
and PPP encapsulation and name authentication on all
the interfaces the user will be accessing.
Make sure this password does not include spaces or underscores.
To configure TACACS on a specific interface as an alternative to global host authentication, use one of
the following commands in interface configuration mode:
Command Purpose
Router(config-if)# ppp use-tacacs [single-line]
or
Router(config-if)# aaa authentication ppp
Configures TACACS.
Use the ppp use-tacacs command with TACACS and Extended TACACS. Use the aaa authentication
ppp command with AAA/TACACS+.
For an example of CHAP, see the section “CHAP with an Encrypted Password Examples” at the end of
this chapter. CHAP is specified in RFC 1994, PPP Challenge Handshake Authentication Protocol
(CHAP).
Enabling Link Quality Monitoring
Link Quality Monitoring (LQM) is available on all serial interfaces running PPP. LQM will monitor the
link quality, and if the quality drops below a configured percentage, the router will shut down the link.
The percentages are calculated for both the incoming and outgoing directions. The outgoing quality is
calculated by comparing the total number of packets and bytes sent with the total number of packets and
bytes received by the destination node. The incoming quality is calculated by comparing the total number
of packets and bytes received with the total number of packets and bytes sent by the destination peer.
Note LQM is not compatible with Multilink PPP.
When LQM is enabled, Link Quality Reports (LQRs) are sent, in place of keepalives, every keepalive
period. All incoming keepalives are responded to properly. If LQM is not configured, keepalives are sent
every keepalive period and all incoming LQRs are responded to with an LQR.
LQR is specified in RFC 1989, PPP Link Quality Monitoring.
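The quality arithmetic described in the LQM section above, as an added example (written for this page, not Cisco's implementation): it takes two successive snapshots of the counters an LQR exchange makes visible, forms the per-period deltas with 32-bit wraparound, derives the outgoing and incoming percentages, and applies a ppp quality threshold. All counter values are constructed; taking the lower of the packet ratio and the octet ratio per direction, and treating an idle period as 100 percent, are this example's simplifications of the guide's wording.

```python
from dataclasses import dataclass, astuple

COUNTER_MASK = 0xFFFFFFFF   # LQR counters are 32-bit (RFC 1989); deltas must wrap


@dataclass(frozen=True)
class LqrCounters:
    """Cumulative counters after one LQR exchange, as seen by the local router.

    Field names abbreviate the RFC 1989 ones; values are constructed for the example.
    """
    out_packets: int        # packets this router has sent
    out_octets: int
    peer_in_packets: int    # packets the peer reports having received from us
    peer_in_octets: int
    in_packets: int         # packets this router has received
    in_octets: int
    peer_out_packets: int   # packets the peer reports having sent to us
    peer_out_octets: int


def _delta(prev: LqrCounters, cur: LqrCounters) -> LqrCounters:
    """Per-period counts from two cumulative snapshots, wrapping at 2^32."""
    return LqrCounters(*((b - a) & COUNTER_MASK for a, b in zip(astuple(prev), astuple(cur))))


def _ratio(delivered: int, sent: int) -> float:
    # An idle period gives no evidence of loss; count it as 100 percent (assumption).
    if sent == 0:
        return 100.0
    return min(100.0, 100.0 * delivered / sent)


def link_quality(prev: LqrCounters, cur: LqrCounters) -> tuple[float, float]:
    """(outgoing %, incoming %) for the last LQR period.

    Outgoing compares what we sent with what the peer says it received;
    incoming compares what the peer says it sent with what we received.
    """
    d = _delta(prev, cur)
    outgoing = min(_ratio(d.peer_in_packets, d.out_packets),
                   _ratio(d.peer_in_octets, d.out_octets))
    incoming = min(_ratio(d.in_packets, d.peer_out_packets),
                   _ratio(d.in_octets, d.peer_out_octets))
    return outgoing, incoming


def link_stays_up(prev: LqrCounters, cur: LqrCounters, threshold: int) -> bool:
    """Models `ppp quality <percentage>`: either direction below it takes the link down."""
    out_q, in_q = link_quality(prev, cur)
    return out_q >= threshold and in_q >= threshold


if __name__ == "__main__":
    start = LqrCounters(0, 0, 0, 0, 0, 0, 0, 0)
    # Constructed period: 1% loss toward the peer, 20% loss from the peer.
    now = LqrCounters(1000, 100000, 990, 99000, 800, 80000, 1000, 100000)
    print(link_quality(start, now), link_stays_up(start, now, 90))
```

With the constructed counters the outgoing direction is at 99 percent and the incoming at 80 percent, so `ppp quality 90` would tear the link down while `ppp quality 75` would keep it up; the 32-bit masking matters on long-lived links, where a raw subtraction after a counter wrap would otherwise report a spurious negative delta.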
To enable LQM on the interface, use the following command in interface configuration mode:
Command Purpose
Router(config-if)# ppp quality percentage Enables LQM on the interface.
The percentage argument specifies the link quality threshold. That percentage must be maintained, or
the link is deemed to be of poor quality and is taken down.
Configuring Compression of PPP Data
You can configure point-to-point software compression on serial interfaces that use PPP encapsulation.
Compression reduces the size of a PPP frame via lossless data compression. PPP encapsulations support
both predictor and Stacker compression algorithms.
If most of your traffic is already compressed files, do not use compression.
Most routers support software compression only, but in the Cisco 7000 series routers, hardware
compression and distributed compression are also available, depending on the interface processor and
compression service adapter hardware installed in the router.
To configure compression, complete the tasks in one of the following sections:
• Software Compression
• Hardware-Dependent Compression
Software Compression
Software compression is available in all router platforms. Software compression is performed by the
main processor in the router.
Compression is performed in software and might significantly affect system performance. We
recommend that you disable compression if the router CPU load exceeds 65 percent. To display the CPU
load, use the show process cpu EXEC command.
To configure compression over PPP, use the following commands in interface configuration mode:
Command Purpose
Step 1 Router(config-if)# encapsulation ppp Enables encapsulation of a single protocol on the serial
line.
Step 2 Router(config-if)# compress [predictor | stac |
mppc [ignore-pfc]]
Enables compression.
Hardware-Dependent Compression
When you configure Stacker compression on Cisco 7000 series routers with a 7000 Series Route Switch
Processor (RSP7000), on Cisco 7200 series routers, and on Cisco 7500 series routers, there are three
methods of compression: hardware compression, distributed compression, and software compression.
Hardware and distributed compression are available on routers that have the SA-Comp/1 and
SA-Comp/4 data compression service adapters (CSAs). CSAs are available on Cisco 7200 series routers,
on Cisco 7500 series routers with second-generation Versatile Interface Processors (VIP2s), and on
Cisco 7000 series routers with the RSP7000 and 7000 Series Chassis Interface (RSP7000CI). (CSAs
require VIP2 model VIP2-40.)
To configure hardware or distributed compression over PPP, use the following commands in interface
configuration mode:
Command Purpose
Step 1 Router(config-if)# encapsulation ppp Enables encapsulation of a single protocol on
the serial line.
Step 2 Cisco 7000 series with RSP7000 and Cisco 7500 series routers
Router(config-if)# compress stac [distributed | software]
Cisco 7200 series routers
Router(config-if)# compress stac [csa slot | software]
Enables compression.
Specifying the compress stac command with no options causes the router to use the fastest available
compression method:
• If the router contains a CSA, compression is performed in the CSA hardware (hardware
compression).
• If the CSA is not available, compression is performed in the software installed on the VIP2
(distributed compression).
• If the VIP2 is not available, compression is performed in the main processor of the router (software
compression).
Using hardware compression in the CSA frees the main processor of the router for other tasks. You can
also configure the router to use the VIP2 to perform compression by using the distributed option, or to
use the main processor of the router by using the software option. If the VIP2 is not available,
compression is performed in the main processor of the router.
When compression is performed in software installed in the main processor of the router, it might
substantially affect system performance. We recommend that you disable compression in the main
processor of the router if the router CPU load exceeds 40 percent. To display the CPU load, use the
show process cpu EXEC command.
Configuring Microsoft Point-to-Point Compression
Microsoft Point-to-Point Compression (MPPC) is a scheme used to compress PPP packets between
Cisco and Microsoft client devices. The MPPC algorithm is designed to optimize bandwidth utilization
in order to support multiple simultaneous connections. The MPPC algorithm uses a Lempel-Ziv
(LZ)-based algorithm with a continuous history buffer called a dictionary.
The Compression Control Protocol (CCP) configuration option for MPPC is 18.
Exactly one MPPC datagram is encapsulated in the PPP information field. The PPP protocol field
indicates the hexadecimal type of 00FD for all compressed datagrams. The maximum length of the
MPPC datagram sent over PPP is the same as the MTU of the PPP interface; however, this length cannot
be greater than 8192 bytes because the history buffer is limited to 8192 bytes. If compressing the data
results in data expansion, the original data is sent as an uncompressed MPPC packet.
The history buffers between compressor and decompressor are synchronized by maintaining a 12-bit
coherency count. If the decompressor detects that the coherency count is out of sequence, the following
error recovery process is performed:
1. Reset Request (RR) packet is sent from the decompressor.
2. The compressor then flushes the history buffer and sets the flushed bit in the next packet it sends.
3. Upon receiving the flushed bit set packet, the decompressor flushes the history buffer.
Synchronization is achieved without CCP using the Reset Acknowledge (RA) packet, which can
consume additional time.
Compression negotiation between a router and a Windows 95 client occurs through the following
process:
1. Windows 95 sends a request for both STAC (option 17) and MPPC (option 18) compression.
2. The router sends a negative acknowledgment (NAK) requesting only MPPC.
3. Windows 95 resends the request for MPPC.
4. The router sends an acknowledgment (ACK) confirming MPPC compression negotiation.
MPPC Restrictions
The following restrictions apply to the MPPC feature:
• MPPC is supported only with PPP encapsulation.
• Compression can be processor intensive because it requires a reserved block of memory to maintain
the history buffer. Do not enable modem or hardware compression because it may cause
performance degradation, compression failure, or data expansion.
• Both ends of the point-to-point link must be using the same compression method (STAC, Predictor,
or MPPC, for example).
Configuring MPPC
PPP encapsulation must be enabled before you can configure MPPC. For information on how to
configure PPP encapsulation, see the section “Enabling PPP Encapsulation” earlier in this chapter.
There is only one command required to configure MPPC. The existing compress command supports the
mppc keyword, which prepares the interface to initiate CCP and negotiates MPPC with the Microsoft
client. To set MPPC once PPP encapsulation is configured on the router, use the following command in
interface configuration mode:
Command Purpose
Router(config-if)# compress [mppc [ignore-pfc]] Enables MPPC on the interface.
The ignore-pfc keyword instructs the router to ignore the protocol field compression flag negotiated by
LCP. For example, the uncompressed standard protocol field value for IP is 0x0021 and 0x21 when
compression is enabled. When the ignore-pfc option is enabled, the router will continue to use the
uncompressed value (0x0021). Using the ignore-pfc option is helpful for some asynchronous driver
devices that use an uncompressed protocol field (0x0021), even though the protocol field compression
is negotiated between peers. With such a device, the output of the debug ppp negotiation command
shows protocol rejects like the following. These errors can be remedied by setting the ignore-pfc option.
Sample debug ppp negotiation Command Output Showing Protocol Reject
PPP Async2: protocol reject received for protocol = 0x2145
PPP Async2: protocol reject received for protocol = 0x2145
PPP Async2: protocol reject received for protocol = 0x2145
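The following Python example is added here for illustration; it is not part of the guide and not Cisco IOS code. It encodes the PPP protocol field as RFC 1661 describes and shows how a compressed IP protocol field (the single byte 0x21) followed by the first byte of an IPv4 header (0x45) is read as the unknown protocol 0x2145 by a receiver that does not honour negotiated PFC, which is consistent with the reject shown above, and how always sending the uncompressed 0x0021 (the effect of ignore-pfc) avoids it. The IPv4 header bytes and the function names are constructed for the example.

```python
"""PPP protocol field compression (PFC) and the 0x2145 protocol reject.

Added example for illustration; it is not Cisco IOS code and not part of the
guide. It encodes the PPP protocol field the way RFC 1661 describes and shows
what a receiver that ignores negotiated PFC makes of an IP packet whose
protocol field was compressed to the single byte 0x21. The IPv4 header bytes
below are constructed sample data.
"""
from typing import Tuple

PPP_IP = 0x0021            # PPP protocol number for IPv4

# Constructed IPv4 header: first byte 0x45 is version 4, header length 5 words.
SAMPLE_IPV4 = bytes.fromhex("4500001c00010000401100000a0000010a000002")


def encode_protocol(protocol: int, pfc: bool) -> bytes:
    """Encode a PPP protocol number as a 1- or 2-byte field.

    RFC 1661 requires the low byte to be odd and the high byte to be even.
    When PFC has been negotiated, a protocol whose high byte is 0x00 may be
    sent as the single low byte; the receiver can tell the two apart because
    a one-byte field is always odd while the high byte of a two-byte field is
    always even.
    """
    if not 0 <= protocol <= 0xFFFF or (protocol & 1) == 0 or ((protocol >> 8) & 1) == 1:
        raise ValueError("invalid PPP protocol number %#06x" % protocol)
    if pfc and protocol < 0x100:
        return bytes([protocol])
    return protocol.to_bytes(2, "big")


def parse_protocol(frame: bytes, honour_pfc: bool) -> Tuple[int, bytes]:
    """Split a PPP information field into (protocol, payload).

    A PFC-aware receiver treats an odd first byte as a one-byte protocol
    field. A driver that ignores PFC always consumes two bytes.
    """
    if len(frame) < 2:
        raise ValueError("frame too short for a PPP protocol field")
    if honour_pfc and frame[0] & 1:
        return frame[0], frame[1:]
    return int.from_bytes(frame[:2], "big"), frame[2:]


def send_ip_packet(sender_ignore_pfc: bool, receiver_honours_pfc: bool) -> int:
    """Return the protocol number the receiver decodes for one IP packet
    after LCP negotiated PFC on the link.

    sender_ignore_pfc models 'compress mppc ignore-pfc': the router keeps
    sending the uncompressed 0x0021 even though PFC was negotiated.
    """
    frame = encode_protocol(PPP_IP, pfc=not sender_ignore_pfc) + SAMPLE_IPV4
    protocol, _payload = parse_protocol(frame, receiver_honours_pfc)
    return protocol


def protocol_reject_line(protocol: int, interface: str = "Async2") -> str:
    """Render the line a peer logs when it rejects an unknown protocol number,
    in the same shape as the debug ppp negotiation output shown above."""
    return f"PPP {interface}: protocol reject received for protocol = {protocol:#06x}"


if __name__ == "__main__":
    # Compressed 0x21 followed by the IPv4 byte 0x45 is read as protocol 0x2145
    # by a receiver that ignores PFC; the reject disappears with ignore-pfc.
    print(protocol_reject_line(send_ip_packet(False, False)))
    print("with ignore-pfc: %#06x" % send_ip_packet(True, False))
```

Run as a script, the first line printed matches the sample debug output above; the second shows the receiver decoding 0x0021 once the sender stops compressing the field.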
Configuring IP Address Pooling
A point-to-point interface must be able to provide a remote node with its IP address through the IP
Control Protocol (IPCP) address negotiation process. The IP address can be obtained from a variety of
sources. The address can be configured through the command line, entered with an EXEC-level
command, provided by TACACS+ or the Dynamic Host Configuration Protocol (DHCP), or from a
locally administered pool.
IP address pooling uses a pool of IP addresses from which an incoming interface can provide an IP
address to a remote node through the IPCP address negotiation process. IP address pooling also enhances
configuration flexibility by allowing multiple types of pooling to be active simultaneously.
See the chapter “Configuring Asynchronous SLIP and PPP” in this publication for additional
information about address pooling on asynchronous interfaces and about the Serial Line Internet
Protocol (SLIP).
Peer Address Allocation
A peer IP address can be allocated to an interface through several methods:
• Dialer map lookup—This method is used only if the peer requests an IP address, no other peer IP
address has been assigned, and the interface is a member of a dialer group.
• PPP or SLIP EXEC command—An asynchronous dialup user can enter a peer IP address or host
name when PPP or SLIP is invoked from the command line. The address is used for the current
session and then discarded.
• IPCP negotiation—If the peer presents a peer IP address during IPCP address negotiation and no
other peer address is assigned, the presented address is acknowledged and used in the current
session.
• Default IP address—The peer default ip address command and the member peer default ip
address command can be used to define default peer IP addresses.
• TACACS+ assigned IP address—During the authorization phase of IPCP address negotiation,
TACACS+ can return an IP address that the user being authenticated on a dialup interface can use.
This address overrides any default IP address and prevents pooling from taking place.
• DHCP retrieved IP address—If configured, the router acts as a proxy client for the dialup user and
retrieves an IP address from a DHCP server. That address is returned to the DHCP server when the
timer expires or when the interface goes down.
• Local address pool—The local address pool contains a set of contiguous IP addresses (a maximum
of 1024 addresses) stored in two queues. The free queue contains addresses available to be assigned
and the used queue contains addresses that are in use. Addresses are stored to the free queue in
first-in, first-out (FIFO) order to minimize the chance the address will be reused, and to allow a peer
to reconnect using the same address that it used in the last connection. If the address is available, it
is assigned; if not, another address from the free queue is assigned.
• Chat script (asynchronous serial interfaces only)—The IP address in the dialer map command entry
that started the script is assigned to the interface and overrides any previously assigned peer IP
address.
• Virtual terminal/protocol translation—The translate command can define the peer IP address for a
virtual terminal (pseudo asynchronous interface).
• The pool configured for the interface is used, unless TACACS+ returns a pool name as part of AAA.
If no pool is associated with a given interface, the global pool named default is used.
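The local address pool and pool-selection behavior described in the list above, as an added Python model that is not part of the guide and not Cisco IOS code: a free queue and a used queue, FIFO reuse so that a returning peer can get its previous address back, the 1024-address limit, and the rule that the pool named by AAA/TACACS+ wins over the interface's pool, which in turn wins over the global pool named default. The class and function names and the address ranges are this example's own.

```python
"""Local IP address pooling for dial-in peers.

Added example, not Cisco IOS code: a model of the local address pool
described in the guide (free queue and used queue, FIFO reuse so a returning
peer can get its previous address, at most 1024 addresses) plus the
pool-selection rule (the pool named by AAA/TACACS+, else the interface's pool,
else the global pool named "default"). Names are this example's own.
"""
from collections import deque
from ipaddress import IPv4Address
from typing import Dict, Optional

MAX_POOL_SIZE = 1024          # limit stated in the guide


class LocalPool:
    """A named pool of contiguous IPv4 addresses with free and used queues."""

    def __init__(self, name: str, first: str, last: Optional[str] = None) -> None:
        lo = IPv4Address(first)
        hi = IPv4Address(last) if last else lo
        count = int(hi) - int(lo) + 1
        if not 1 <= count <= MAX_POOL_SIZE:
            raise ValueError(f"pool {name}: {count} addresses not in 1..{MAX_POOL_SIZE}")
        self.name = name
        self.free = deque(IPv4Address(int(lo) + i) for i in range(count))
        self.used: Dict[IPv4Address, str] = {}   # address -> peer identity

    def allocate(self, peer: str, wanted: Optional[str] = None) -> Optional[IPv4Address]:
        """Assign an address to `peer`.

        If the peer asks for the address it held last time and it is still in
        the free queue, it gets that address back; otherwise the address that
        has been free the longest (head of the FIFO) is assigned. Returns None
        when the pool is exhausted.
        """
        if wanted is not None:
            want = IPv4Address(wanted)
            if want in self.free:
                self.free.remove(want)
                self.used[want] = peer
                return want
        if not self.free:
            return None
        addr = self.free.popleft()
        self.used[addr] = peer
        return addr

    def release(self, addr: str) -> None:
        """Return an address to the tail of the free queue (FIFO reuse)."""
        a = IPv4Address(addr)
        if a not in self.used:
            raise KeyError(f"{a} is not allocated from pool {self.name}")
        del self.used[a]
        self.free.append(a)


def select_pool(pools: Dict[str, LocalPool], interface_pool: Optional[str],
                aaa_pool: Optional[str]) -> LocalPool:
    """Pick the pool for an incoming call: the AAA-named pool wins, then the
    pool configured on the interface, then the global pool named "default"."""
    name = aaa_pool or interface_pool or "default"
    if name not in pools:
        raise KeyError(f"no local pool named {name!r} is configured")
    return pools[name]


def demo() -> dict:
    """Walk through a reconnect: the returning peer gets its old address back."""
    pools = {
        "default": LocalPool("default", "10.1.1.1", "10.1.1.4"),   # constructed ranges
        "sales": LocalPool("sales", "10.2.2.1", "10.2.2.2"),
    }
    pool = select_pool(pools, interface_pool=None, aaa_pool=None)   # falls back to "default"
    first = pool.allocate("alice")                                    # 10.1.1.1
    pool.allocate("bob")                                              # 10.1.1.2
    pool.release(str(first))                                          # 10.1.1.1 goes to the tail
    carol = pool.allocate("carol")                                    # 10.1.1.3, not the just-freed address
    alice_again = pool.allocate("alice", wanted=str(first))           # 10.1.1.1 still free: reused
    return {"first": str(first), "carol": str(carol), "alice_again": str(alice_again),
            "free_left": len(pool.free),
            "aaa_pool": select_pool(pools, "default", "sales").name}


if __name__ == "__main__":
    print(demo())
```

Because a released address goes to the tail of the free queue, a freshly disconnected address is the last one handed to a different caller, which is what lets the same peer reconnect with the same address while the pool still has other free entries.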
Precedence Rules
The following precedence rules of peer IP address support determine which address is used. Precedence
is listed from most likely to least likely:
1. AAA/TACACS+ provided address or addresses from the pool named by AAA/TACACS+
2. An address from a local IP address pool or DHCP (typically not allocated unless no other address
exists)
3. Dialer map lookup address (not done unless no other address exists)
4. Address from an EXEC-level PPP or SLIP command, or from a chat script
5. Configured address from the peer default ip address command or address from the protocol
translate command
6. Peer provided address from IPCP negotiation (not accepted unless no other address exists)
Interfaces Affected
Address pooling is available on all asynchronous serial, synchronous serial, ISDN BRI, and ISDN PRI
interfaces that are running PPP.
Choosing the IP Address Assignment Method
The IP address pooling feature now allows configuration of a global default address pooling mechanism,
per-interface configuration of the address pooling mechanism, and per-interface configuration of a
specific address or pool name.
You can define the type of IP address pooling mechanism used on router interfaces in one or both of the
ways described in the following sections:
• Defining the Global Default Address Pooling Mechanism
• Configuring IP Address Assignment
Defining the Global Default Address Pooling Mechanism
The global default mechanism applies to all point-to-point interfaces that support PPP encapsulation and
that have not otherwise been configured for IP address pooling. You can define the global default
mechanism to be either DHCP or local address pooling.
To configure the global default mechanism for IP address pooling, perform the tasks in one of following
sections:
• Defining DHCP as the Global Default Mechanism
• Defining Local Address Pooling as the Global Default Mechanism
After you have defined a global default mechanism, you can disable it on a specific interface by
configuring the interface for some other pooling mechanism. You can define a local pool other than the
default pool for the interface or you can configure the interface with a specific IP address to be used for
dial-in peers.
You can also control the DHCP network discovery mechanism; see the following section for more
information:
• Controlling DHCP Network Discovery
Defining DHCP as the Global Default Mechanism
DHCP specifies the following components:
• A DHCP server—A host-based DHCP server configured to accept and process requests for
temporary IP addresses.
• A DHCP proxy-client—A Cisco access server configured to arbitrate DHCP calls between the
DHCP server and the DHCP client. The DHCP client-proxy feature manages a pool of IP addresses
available to dial-in clients without a known IP address.
To enable DHCP as the global default mechanism, use the following commands in global configuration
mode:
Command Purpose
Step 1 Router(config)# ip address-pool dhcp-proxy-client Specifies DHCP client-proxy as the global default mechanism.
Step 2 Router(config)# ip dhcp-server [ip-address | name] (Optional) Specifies the IP address of a DHCP server for the proxy client to use.
In Step 2, you can provide as few as one or as many as ten DHCP servers for the proxy-client (the Cisco
router or access server) to use. DHCP servers provide temporary IP addresses.
Defining Local Address Pooling as the Global Default Mechanism
To specify that the global default mechanism to use is local pooling, use the following commands in
global configuration mode:
Command Purpose
Step 1 Router(config)# ip address-pool local Specifies local pooling as the global default mechanism.
Step 2 Router(config)# ip local pool {named-address-pool | default} {first-IP-address [last-IP-address]} [group group-name] [cache-size size] Creates one or more local IP address pools.
If no other pool is defined, a local pool called “default” is used. Optionally, you can associate an address
pool with a named pool group.
Controlling DHCP Network Discovery
To allow peer routers to dynamically discover Domain Name System (DNS) and NetBIOS name server
information configured on a DHCP server using PPP IP Control Protocol (IPCP) extensions, use the
following command in global configuration mode:
Command Purpose
Router(config)# ip dhcp-client network-discovery informs number-of-messages discovers number-of-messages period seconds Provides control of the DHCP network discovery mechanism by allowing the number of DHCP Inform and Discover messages to be sent, and a time-out period for retransmission, to be configured.
The ip dhcp-client network-discovery global configuration command provides a way to control the
DHCP network discovery mechanism. The number of DHCP Inform or Discover messages can be set
to 1 or 2, which determines how many times the system sends the DHCP Inform or Discover messages
before stopping network discovery. You can set a time-out period from 3 to 15 seconds, or leave the
default time-out period at 15 seconds. The default for the informs and discovers keywords is 0, which
disables the transmission of these messages.
Configuring IP Address Assignment
After you have defined a global default mechanism for assigning IP addresses to dial-in peers, you can
configure the few interfaces for which it is important to have a nondefault configuration. You can do any
of the following:
• Define a nondefault address pool for use by a specific interface.
• Define DHCP on an interface even if you have defined local pooling as the global default
mechanism.
• Specify one IP address to be assigned to all dial-in peers on an interface.
• Make temporary IP addresses available on a per-interface basis to asynchronous clients using SLIP
or PPP.
To define a nondefault address pool for use on an interface, use the following commands beginning in
global configuration mode:
Command Purpose
Step 1 Router(config)# ip local pool {named-address-pool | default} {first-IP-address [last-IP-address]} [group group-name] [cache-size size] Creates one or more local IP address pools.
Step 2 Router(config)# interface type number Specifies the interface and begins interface configuration mode.
Step 3 Router(config-if)# peer default ip address pool pool-name-list Specifies the pool or pools for the interface to use.
To define DHCP as the IP address mechanism for an interface, use the following commands beginning
in global configuration mode:
Command Purpose
Step 1 Router(config)# interface type number Specifies the interface and begins interface configuration mode.
Step 2 Router(config-if)# peer default ip address pool dhcp Specifies DHCP as the IP address mechanism on this interface.
To define a specific IP address to be assigned to all dial-in peers on an interface, use the following
commands beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# interface type number Specifies the interface and begins interface configuration mode.
Step 2 Router(config-if)# peer default ip address ip-address Specifies the IP address to assign.
Configuring PPP Reliable Link
PPP reliable link is Cisco’s implementation of RFC 1663, PPP Reliable Transmission, which defines a
method of negotiating and using Numbered Mode Link Access Procedure, Balanced (LAPB) to provide
a reliable serial link. Numbered Mode LAPB provides retransmission of error packets across the serial
link.
Although LAPB protocol overhead consumes some bandwidth, you can offset that consumption by the
use of PPP compression over the reliable link. PPP compression is separately configurable and is not
required for use of a reliable link.
Note PPP reliable link is available only on synchronous serial interfaces, including ISDN BRI and ISDN
PRI interfaces. PPP reliable link cannot be used over V.120, and does not work with Multilink PPP.
To configure PPP reliable link on a specified interface, use the following command in interface
configuration mode:
Command Purpose
Router(config-if)# ppp reliable-link Enables PPP reliable link.
Having reliable links enabled does not guarantee that all connections through the specified interface will
in fact use reliable link. It only guarantees that the router will attempt to negotiate reliable link on this
interface.
Troubleshooting PPP
You can troubleshoot PPP reliable link by using the debug lapb command and the debug ppp
negotiation, debug ppp errors, and debug ppp packets commands. You can determine whether LAPB
has been established on a connection by using the show interface command.
Disabling or Reenabling Peer Neighbor Routes
The Cisco IOS software automatically creates neighbor routes by default; that is, it automatically sets
up a route to the peer address on a point-to-point interface when the PPP IPCP negotiation is completed.
To disable this default behavior or to reenable it once it has been disabled, use the following commands
in interface configuration mode:
Command Purpose
Step 1 Router(config-if)# no peer neighbor-route Disables creation of neighbor routes.
Step 2 Router(config-if)# peer neighbor-route Reenables creation of neighbor routes.
Note If entered on a dialer or asynchronous group interface, this command affects all member interfaces.
Configuring PPP Half-Bridging
For situations in which a routed network needs connectivity to a remote bridged Ethernet network, a
serial or ISDN interface can be configured to function as a PPP half-bridge. The line to the remote bridge
functions as a virtual Ethernet interface, and the serial or ISDN interface on the router functions as a
node on the same Ethernet subnetwork as the remote network.
The bridge sends bridge packets to the PPP half-bridge, which converts them to routed packets and
forwards them to other router processes. Likewise, the PPP half-bridge converts routed packets to
Ethernet bridge packets and sends them to the bridge on the same Ethernet subnetwork.
Note An interface cannot function as both a half-bridge and a bridge.
Figure 91 shows a router with a serial interface configured as a PPP half-bridge. The interface functions
as a node on the Ethernet subnetwork with the bridge. Note that the serial interface has an IP address on
the same Ethernet subnetwork as the bridge.
Figure 91 Router Serial Interface Configured as a Half-Bridge
[Figure 91: router interface ATM 4/0.100 with address 172.31.5.9 on Ethernet subnet 172.31.5.0]
Note The Cisco IOS software supports no more than one PPP half-bridge per Ethernet subnetwork.
To configure a serial interface to function as a half-bridge, use the following commands beginning in
global configuration mode as appropriate for your network:
Command Purpose
Step 1 Router(config)# interface serial number Specifies the interface and begins interface configuration mode.
Step 2 Router(config-if)# ppp bridge appletalk
Router(config-if)# ppp bridge ip
Router(config-if)# ppp bridge ipx [novell-ether | arpa | sap | snap]
Enables PPP half-bridging for one or more routed protocols: AppleTalk, IP, or Internet Protocol Exchange (IPX).
Step 3 Router(config-if)# ip address n.n.n.n
Router(config-if)# appletalk address network.node
Router(config-if)# appletalk cable-range cable-range network.node
Router(config-if)# ipx network network
Provides a protocol address on the same subnetwork as the remote network.
Note You must enter the ppp bridge command either when the interface is shut down or before you
provide a protocol address for the interface.
For more information about AppleTalk addressing, refer to the “Configuring AppleTalk” chapter of the
Cisco IOS AppleTalk and Novell IPX Configuration Guide. For more information about IPX addresses
and encapsulations, refer to the “Configuring Novell IPX” chapter of the Cisco IOS AppleTalk and
Novell IPX Configuration Guide.
Configuring Multilink PPP
The Multilink PPP feature provides load balancing functionality over multiple WAN links, while
providing multivendor interoperability, packet fragmentation and proper sequencing, and load
calculation on both inbound and outbound traffic. The Cisco implementation of MLP supports the
fragmentation and packet sequencing specifications in RFC 1990. Additionally, you can change the
default endpoint discriminator value that is supplied as part of user authentication. Refer to RFC 1990
for more information about the endpoint discriminator.
MLP allows packets to be fragmented and the fragments to be sent at the same time over multiple
point-to-point links to the same remote address. The multiple links come up in response to a defined
dialer load threshold. The load can be calculated on inbound traffic, outbound traffic, or on either, as
needed for the traffic between the specific sites. MLP provides bandwidth on demand and reduces
transmission latency across WAN links.
MLP is designed to work over synchronous and asynchronous serial and BRI and PRI types of single or
multiple interfaces that have been configured to support both dial-on-demand rotary groups and PPP
encapsulation.
Perform the tasks in the following sections, as required for your network, to configure MLP:
• Configuring MLP on Synchronous Interfaces
• Configuring MLP on Asynchronous Interfaces
• Configuring MLP on a Single ISDN BRI Interface
• Configuring MLP on Multiple ISDN BRI Interfaces
• Configuring MLP Using Multilink Group Interfaces
• Changing the Default Endpoint Discriminator
Configuring MLP on Synchronous Interfaces
To configure Multilink PPP on synchronous interfaces, you configure the synchronous interfaces to
support PPP encapsulation and Multilink PPP.
To configure a synchronous interface, use the following commands beginning in global configuration
mode:
Command Purpose
Step 1 Router(config)# interface serial number Specifies a synchronous serial interface and begins interface configuration mode.
Step 2 Router(config-if)# no ip address Specifies no IP address for the interface.
Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation.
Step 4 Router(config-if)# no fair-queue Disables weighted fair queueing (WFQ) on the interface.
Step 5 Router(config-if)# ppp multilink Enables Multilink PPP.
Step 6 Router(config-if)# pulse-time seconds Enables pulsing DTR signal intervals on the interface.
Repeat these steps for additional synchronous interfaces, as needed.
Configuring MLP on Asynchronous Interfaces
To configure MLP on asynchronous interfaces, configure the asynchronous interfaces to support
dial-on-demand routing (DDR) and PPP encapsulation, and then configure a dialer interface to support
PPP encapsulation, bandwidth on demand, and Multilink PPP.
To configure an asynchronous interface to support DDR and PPP encapsulation, use the following
commands beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# interface async number Specifies an asynchronous interface and begins interface configuration mode.
Step 2 Router(config-if)# no ip address Specifies no IP address for the interface.
Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation.
Step 4 Router(config-if)# dialer in-band Enables DDR on the interface.
Step 5 Router(config-if)# dialer rotary-group number Includes the interface in a specific dialer rotary group.
Repeat these steps for additional asynchronous interfaces, as needed.
At some point, adding more asynchronous interfaces does not improve performance. With the default
maximum transmission unit (MTU) size, MLP should support three asynchronous interfaces using V.34
modems. However, packets might be dropped occasionally if the MTU size is small or large bursts of
short frames occur.
To configure a dialer interface to support PPP encapsulation and Multilink PPP, use the following
commands beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# interface dialer number Defines a dialer rotary group.
Step 2 Router(config-if)# no ip address Specifies no IP address for the interface.
Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation.
Step 4 Router(config-if)# dialer in-band Enables DDR on the interface.
Step 5 Router(config-if)# dialer load-threshold load [inbound | outbound | either] Configures bandwidth on demand by specifying the maximum load before the dialer places another call to a destination.
Step 6 Router(config-if)# ppp multilink Enables Multilink PPP.
Configuring MLP on a Single ISDN BRI Interface
To enable MLP on a single ISDN BRI interface, you are not required to define a dialer rotary group
separately because ISDN interfaces are dialer rotary groups by default.
To enable PPP on an ISDN BRI interface, use the following commands beginning in global configuration
mode:
Command Purpose
Step 1 Router(config)# interface bri number Specifies an interface and begins interface configuration mode.
Step 2 Router(config-if)# ip address ip-address mask [secondary] Provides an appropriate protocol address for the interface.
Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation.
Step 4 Router(config-if)# dialer idle-timeout seconds [inbound | either] Specifies the duration of idle time in seconds after which a line will be disconnected. By default, outbound traffic will reset the dialer idle timer. Adding the either keyword causes both inbound and outbound traffic to reset the timer; adding the inbound keyword causes only inbound traffic to reset the timer.
Step 5 Router(config-if)# dialer load-threshold load Specifies the dialer load threshold for bringing up additional WAN links.
Step 6 Router(config-if)# dialer map protocol next-hop-address [name hostname] [spc] [speed 56 | 64] [broadcast] [dial-string[:isdn-subaddress]] Configures the ISDN interface to call the remote site.
Step 7 Router(config-if)# dialer-group group-number Controls access to this interface by adding it to a dialer access group.
Step 8 Router(config-if)# ppp authentication pap (Optional) Enables PPP authentication.
Step 9 Router(config-if)# ppp multilink Enables MLP on the dialer rotary group.
If you do not use PPP authentication procedures (Step 8), your telephone service must pass caller ID
information.
The load threshold number is required. For an example of configuring MLP on a single ISDN BRI
interface, see the section “MLP on One ISDN BRI Interface Example” at the end of this chapter.
When MLP is configured and you want a multilink bundle to be connected indefinitely, use the dialer
idle-timeout command to set a very high idle timer. (The dialer load-threshold 1 command no longer
keeps a multilink bundle of n links connected indefinitely, and the dialer load-threshold 2 command no
longer keeps a multilink bundle of two links connected indefinitely.)
Configuring MLP on Multiple ISDN BRI Interfaces
To enable MLP on multiple ISDN BRI interfaces, set up a dialer rotary interface and configure it for
Multilink PPP, and then configure the BRI interfaces separately and add them to the same rotary group.
To set up the dialer rotary interface for the BRI interfaces, use the following commands beginning in
global configuration mode:
Command Purpose
Step 1 Router(config)# interface dialer number Specifies the dialer rotary interface and begins interface configuration mode.
Step 2 Router(config-if)# ip address address mask Specifies the protocol address for the dialer rotary interface.
Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation.
Step 4 Router(config-if)# dialer in-band Specifies in-band dialing.
Step 5 Router(config-if)# dialer idle-timeout seconds [inbound | either] Specifies the duration of idle time in seconds after which a line will be disconnected. By default, both inbound and outbound traffic will reset the dialer idle timer. Including the inbound keyword will cause only inbound traffic to reset the timer.
Step 6 Router(config-if)# dialer map protocol next-hop-address [name hostname] [spc] [speed 56 | 64] [broadcast] [dial-string[:isdn-subaddress]] Maps the next hop protocol address and name to the dial string needed to reach it.
Step 7 Router(config-if)# dialer load-threshold load Specifies the dialer load threshold, using the same threshold as the individual BRI interfaces.
Step 8 Router(config-if)# dialer-group number Controls access to this interface by adding it to a dialer access group.
Step 9 Router(config-if)# ppp authentication chap (Optional) Enables PPP CHAP authentication.
Step 10 Router(config-if)# ppp multilink Enables Multilink PPP.
If you do not use PPP authentication procedures (Step 10), your telephone service must pass caller ID
information.
To configure each of the BRI interfaces to belong to the same rotary group, use the following commands
beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# interface bri number Specifies one of the BRI interfaces.
Step 2 Router(config-if)# no ip address Specifies that it does not have an individual protocol address.
Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation.
Step 4 Router(config-if)# dialer idle-timeout seconds [inbound | either] Specifies the duration of idle time in seconds after which a line will be disconnected. By default, outbound traffic will reset the dialer idle timer. Adding the either keyword causes both inbound and outbound traffic to reset the timer; adding the inbound keyword causes only inbound traffic to reset the timer.
Step 5 Router(config-if)# dialer rotary-group number Adds the interface to the rotary group.
Step 6 Router(config-if)# dialer load-threshold load Specifies the dialer load threshold for bringing up additional WAN links.
Repeat Steps 1 through 6 for each BRI that you want to belong to the same dialer rotary group.
When MLP is configured and you want a multilink bundle to be connected indefinitely, use the dialer
idle-timeout command to set a very high idle timer. (The dialer load-threshold 1 command no longer
keeps a multilink bundle of n links connected indefinitely and the dialer load-threshold 2 command no
longer keeps a multilink bundle of two links connected indefinitely.)
Note Previously, when MLP was used in a dialer profile, a virtual access interface was always created as
the bundle. It was bound to both the B channel and the dialer profile interfaces after creation and
cloning. The dialer profile interface could act as the bundle without help from a virtual access
interface. But with the Dynamic Multiple Encapsulations feature available in Cisco IOS Release
12.1, it is no longer the virtual access interface that is added into the connected group of the dialer
profile, but the dialer profile itself. The dialer profile becomes a connected member of its own
connected group. See the “Dynamic Multiple Encapsulations over ISDN Example” in the chapter
“Configuring Peer-to-Peer DDR with Dialer Profiles” in this publication, for more information about
dynamic multiple encapsulations and its relation to Multilink PPP.
For an example of configuring MLP on multiple ISDN BRI interfaces, see the section “MLP on Multiple
ISDN BRI Interfaces Example” at the end of this chapter.
Configuring MLP Using Multilink Group Interfaces
MLP can be configured by assigning a multilink group to a virtual template configuration. Virtual
templates allow a virtual access interface to dynamically clone interface parameters from the specified
virtual template. If a multilink group is assigned to a virtual template, and then the virtual template is
assigned to a physical interface, all links that pass through the physical interface will belong to the same
multilink bundle.
A multilink group interface configuration will override a global multilink virtual template configured
with the multilink virtual template command.
Multilink group interfaces can be used with ATM, PPP over Frame Relay, and serial interfaces.
To configure MLP using a multilink group interface, perform the following tasks:
• Configure the multilink group.
• Assign the multilink group to a virtual template.
• Configure the physical interface to use the virtual template.
To configure the multilink group, use the following commands beginning in global configuration mode:
Command Purpose
Router(config)# interface multilink group-number Creates a multilink bundle and enters multilink interface configuration mode to configure the bundle.
Router(config-if)# ip address address mask Sets a primary IP address for the interface.
Router(config-if)# encapsulation ppp Enables PPP encapsulation.
Router(config-if)# ppp multilink Enables MLP on the interface.
To assign the multilink group to a virtual template, use the following commands beginning in global
configuration mode:
Command Purpose
Router(config)# interface virtual-template number Creates a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces.
Router(config-if)# ppp multilink group group-number Restricts a physical link to joining only a designated multilink-group interface.
To configure the physical interface and assign the virtual template to it, perform the following task
beginning in global configuration mode. This example is for an ATM interface. However, multilink
group interfaces can also be used with PPP over Frame Relay interfaces and serial interfaces.

Command                                                 Purpose
Router(config)# interface atm                           Configures an ATM interface and enters interface
  interface-number.subinterface-number point-to-point   configuration mode.
Router(config-if)# pvc vpi/vci                          Creates or assigns a name to an ATM permanent virtual circuit
                                                        (PVC), specifies the encapsulation type on an ATM PVC, and
                                                        enters ATM virtual circuit configuration mode.
Router(config-if-atm-vc)# protocol ppp                  Configures VC multiplexed encapsulation on a PVC.
  virtual-template name

To see an example of how to configure MLP over an ATM PVC using a multilink group, see the section
“MLP Using Multilink Group Interfaces over ATM Example” at the end of this chapter.

Changing the Default Endpoint Discriminator
By default, when the system negotiates use of MLP with the peer, the value that is supplied for the
endpoint discriminator is the same as the username used for authentication. That username is configured
for the interface by the Cisco IOS ppp chap hostname or ppp pap sent-username command, or defaults
to the globally configured host name (or stack group name, if this interface is a Stack Group Bidding
Protocol, or SGBP, group member).
To override or change the default endpoint discriminator, use the following command in interface
configuration mode:

Command                                                 Purpose
Router(config-if)# ppp multilink endpoint {hostname     Overrides or changes the default endpoint discriminator the
  | ip IP-address | mac LAN-interface | none | phone    system uses when negotiating the use of MLP with the peer.
  telephone-number | string char-string}

To see an example of how to change the default endpoint discriminator, see the section “Changing the
Default Endpoint Discriminator Example” at the end of this chapter.

Configuring MLP Interleaving and Queueing
Interleaving on MLP allows large packets to be multilink encapsulated and fragmented into a small
enough size to satisfy the delay requirements of real-time traffic; small real-time packets are not
multilink encapsulated and are sent between fragments of the large packets. The interleaving feature also
provides a special transmit queue for the smaller, delay-sensitive packets, enabling them to be sent
earlier than other flows.
Weighted fair queueing on MLP works on the packet level, not at the level of multilink fragments. Thus,
if a small real-time packet gets queued behind a larger best-effort packet and no special queue has been
reserved for real-time packets, the small packet will be scheduled for transmission only after all the
fragments of the larger packet are scheduled for transmission.
Weighted fair queueing is now supported on all interfaces that support Multilink PPP, including MLP
virtual access interfaces and virtual interface templates. Weighted fair queueing is enabled by default.
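The endpoint discriminator that the ppp multilink endpoint command sets is carried to the peer as an LCP configuration option, so a defender reading captured LCP negotiations or writing a parser for them needs its wire format. The following is an added example, not code from the Cisco IOS guide: it encodes and decodes the RFC 1990 Endpoint Discriminator option (option type 19, then length, class and address). The mapping of the IOS keywords (hostname, ip, mac, none, phone, string) onto RFC 1990 address classes is an assumption made here from the RFC's class definitions, and the sample values are constructed; the decoder rejects truncated or oversized options instead of reading past the declared length.

```python
"""Encode and decode the LCP Endpoint Discriminator option (RFC 1990, type 19).

Added example, not Cisco code. Byte layout per RFC 1990: Type, Length (of the
whole option), Class, Address. The IOS-keyword-to-class mapping in the comments
is an assumption drawn from the RFC's class definitions.
"""
import ipaddress
import struct

ENDPOINT_DISCRIMINATOR = 19  # LCP option type

# RFC 1990 address classes; values are the maximum address length in octets.
CLASS_NULL = 0    # IOS `none`: no address at all
CLASS_LOCAL = 1   # IOS `hostname` / `string`: locally assigned, up to 20 octets
CLASS_IP = 2      # IOS `ip`: one IPv4 address, exactly 4 octets
CLASS_MAC = 3     # IOS `mac`: globally assigned IEEE 802.1 MAC, exactly 6 octets
CLASS_MAGIC = 4   # PPP magic-number block, 4 to 20 octets
CLASS_PHONE = 5   # IOS `phone`: public switched network directory number, up to 15 digits
_MAX_ADDR_LEN = {CLASS_NULL: 0, CLASS_LOCAL: 20, CLASS_IP: 4, CLASS_MAC: 6,
                 CLASS_MAGIC: 20, CLASS_PHONE: 15}


def _address_bytes(cls, address):
    """Serialize an address value for the given class, validating its form."""
    if cls == CLASS_NULL:
        return b""
    if cls == CLASS_IP:
        return ipaddress.IPv4Address(address).packed
    if cls == CLASS_MAC:
        raw = bytes.fromhex(address.replace(":", "").replace("-", "").replace(".", ""))
        if len(raw) != 6:
            raise ValueError("MAC address must be 6 octets")
        return raw
    if cls == CLASS_PHONE:
        if not (address.isascii() and address.isdigit()):
            raise ValueError("directory number must be E.164 digits only")
        return address.encode("ascii")
    if cls in (CLASS_LOCAL, CLASS_MAGIC):
        raw = address if isinstance(address, bytes) else address.encode("ascii")
        if cls == CLASS_MAGIC and (len(raw) < 4 or len(raw) % 4):
            raise ValueError("magic-number block must be 4 to 20 octets, a multiple of 4")
        return raw
    raise ValueError(f"unknown endpoint discriminator class {cls}")


def encode_endpoint(cls, address=None):
    """Build the option bytes for one class/address pair."""
    addr = _address_bytes(cls, address)
    if len(addr) > _MAX_ADDR_LEN[cls]:
        raise ValueError("address too long for this class")
    return struct.pack("!BBB", ENDPOINT_DISCRIMINATOR, 3 + len(addr), cls) + addr


def decode_endpoint(option):
    """Parse one option into (class, value); malformed input raises ValueError."""
    if len(option) < 3:
        raise ValueError("option shorter than its fixed header")
    opt_type, length, cls = struct.unpack("!BBB", option[:3])
    if opt_type != ENDPOINT_DISCRIMINATOR:
        raise ValueError(f"not an Endpoint Discriminator option (type {opt_type})")
    if length < 3 or length != len(option):
        raise ValueError("declared length does not match the option")
    if cls not in _MAX_ADDR_LEN or length - 3 > _MAX_ADDR_LEN[cls]:
        raise ValueError("address length not valid for this class")
    addr = option[3:length]
    if cls == CLASS_NULL:
        return cls, None
    if cls == CLASS_IP:
        return cls, str(ipaddress.IPv4Address(addr))   # requires exactly 4 octets
    if cls == CLASS_MAC:
        if len(addr) != 6:
            raise ValueError("MAC address must be 6 octets")
        return cls, ":".join(f"{b:02x}" for b in addr)
    if cls == CLASS_PHONE:
        digits = addr.decode("ascii")                  # non-ASCII raises ValueError
        if not digits.isdigit():
            raise ValueError("directory number must be digits only")
        return cls, digits
    return cls, addr                                   # LOCAL / MAGIC: opaque octets


if __name__ == "__main__":
    # Constructed value mirroring the chapter's `ppp multilink endpoint phone` example.
    opt = encode_endpoint(CLASS_PHONE, "16035551212")
    print(opt.hex(), decode_endpoint(opt))
```

The option for the phone-number form is 14 bytes long (3 header bytes plus 11 ASCII digits); the hostname form carries the CHAP host name as an opaque locally assigned string.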
Configuring Media-Independent PPP and Multilink PPP
Configuring MLP Interleaving and Queueing
DC-616
Cisco IOS Dial Technologies Configuration Guide
Fair queueing on MLP overcomes a prior restriction. Previously, fair queueing was not allowed on virtual
access interfaces and virtual interface templates. Interleaving provides the delay bounds for
delay-sensitive voice packets on a slow link that is used for other best-effort traffic.
Interleaving applies only to interfaces on which a multilink bundle interface can be configured: virtual
templates, dialer interfaces, and ISDN BRI or PRI interfaces.
Multilink and fair queueing are not supported when a multilink bundle is off-loaded to a different system
using Multichassis Multilink PPP (MMP). Thus, interleaving is not supported in MMP networking
designs.
MLP support for interleaving can be configured on virtual templates, dialer interfaces, and ISDN BRI
or PRI interfaces. To configure interleaving, complete the following tasks:
• Configure the dialer interface, BRI interface, PRI interface, or virtual template, as defined in the
relevant chapters of this manual.
• Configure MLP and interleaving on the interface or template.
Note Fair queueing, which is enabled by default, must remain enabled on the interface.
Configuring MLP Interleaving
To configure MLP and interleaving on a configured and operational interface or virtual interface
template, use the following commands beginning in interface configuration mode:

        Command                                                 Purpose
Step 1  Router(config-if)# ppp multilink                        Enables Multilink PPP.
Step 2  Router(config-if)# ppp multilink interleave             Enables interleaving of packets among the fragments of
                                                                larger packets on an MLP bundle.
Step 3  Router(config-if)# ppp multilink fragment delay         Specifies a maximum size, in units of time, for packet
          milliseconds                                          fragments on an MLP bundle.
Step 4  Router(config-if)# ip rtp reserve                       Reserves a special queue for real-time packet flows to
          lowest-udp-port range-of-ports [maximum-bandwidth]    specified destination UDP ports, allowing real-time traffic to
                                                                have higher priority than other flows.
Step 5  Router(config-if)# exit                                 Exits interface configuration mode.
Step 6  Router(config)# multilink virtual-template 1            For virtual templates only, applies the virtual template to the
                                                                multilink bundle. (This step is not used for ISDN or dialer
                                                                interfaces.)

Interleaving statistics can be displayed by using the show interfaces command, specifying the particular
interface on which interleaving is enabled. Interleaving data is displayed only if there are interleaves.
For example, the following line shows interleaves:
Output queue: 315/64/164974/31191 (size/threshold/drops/interleaves)
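The delay bound that fragmentation and interleaving give real-time traffic is easier to see with numbers. The following is an added example, not code from the Cisco IOS guide: it sizes fragments the way ppp multilink fragment delay does (the bytes that serialize in the configured time at the link rate) and then schedules a large best-effort packet and a small voice packet over one link, first with a single FIFO queue and then with fragmentation plus a priority queue for real-time packets. The link rate (64 kbps), packet sizes and arrival times are constructed, and multilink header overhead is ignored, so the figures are slightly optimistic compared with a real link.

```python
"""Worked example of MLP fragmentation and interleaving delay.

Added example, not Cisco code. Models the scheduling the section describes:
without interleaving a small real-time packet waits for the whole large packet
ahead of it; with fragmentation and interleaving it waits for at most one
fragment. Link rate, sizes and arrival times are constructed values.
"""


def fragment_size_bytes(link_kbps, fragment_delay_ms):
    """Largest fragment that serializes within fragment_delay_ms at link_kbps
    (this is how `ppp multilink fragment delay` sizes fragments)."""
    return link_kbps * fragment_delay_ms // 8


def simulate(packets, link_kbps, fragment_delay_ms=None, interleave=False):
    """Serialize packets over one link; returns {name: (start_ms, done_ms)}.

    packets: dicts with name, size (bytes), arrival_ms, realtime (bool).
    With interleave=True, best-effort packets are cut to fragment_size_bytes()
    and real-time packets are served from a priority queue whenever the link
    becomes free. A unit that has started transmitting is never pre-empted.
    """
    ms_per_byte = 8 / link_kbps
    frag = fragment_size_bytes(link_kbps, fragment_delay_ms) if interleave else None
    # Unit = (arrival_ms, packet_index, fragment_index, name, size, realtime);
    # the first three fields are unique and give FIFO order.
    pending = []
    for idx, pkt in enumerate(sorted(packets, key=lambda p: p["arrival_ms"])):
        if frag and not pkt["realtime"] and pkt["size"] > frag:
            full, rest = divmod(pkt["size"], frag)
            sizes = [frag] * full + ([rest] if rest else [])
        else:
            sizes = [pkt["size"]]  # real-time packets are never fragmented
        for fidx, size in enumerate(sizes):
            pending.append((pkt["arrival_ms"], idx, fidx, pkt["name"], size, pkt["realtime"]))

    clock = 0.0
    times = {}
    while pending:
        ready = [u for u in pending if u[0] <= clock]
        if not ready:                        # link idle: jump to the next arrival
            clock = min(u[0] for u in pending)
            continue
        if interleave:
            realtime = [u for u in ready if u[5]]
            unit = min(realtime) if realtime else min(ready)
        else:
            unit = min(ready)                # one FIFO queue for everything
        pending.remove(unit)
        start = clock
        clock += unit[4] * ms_per_byte
        first_start = times.get(unit[3], (start,))[0]
        times[unit[3]] = (first_start, clock)
    return times


# Constructed traffic: a 1500-byte FTP packet, then a 60-byte voice packet 5 ms later.
SAMPLE_PACKETS = [
    {"name": "ftp", "size": 1500, "arrival_ms": 0, "realtime": False},
    {"name": "voice", "size": 60, "arrival_ms": 5, "realtime": True},
]


def queueing_delay(times, packets, name):
    """Time the named packet waited before its first byte was sent."""
    arrival = next(p["arrival_ms"] for p in packets if p["name"] == name)
    return times[name][0] - arrival


def demo(link_kbps=64, fragment_delay_ms=20):
    """Compare the voice packet's wait with and without interleaving."""
    fifo = simulate(SAMPLE_PACKETS, link_kbps)
    mlp = simulate(SAMPLE_PACKETS, link_kbps, fragment_delay_ms, interleave=True)
    return {
        "fragment_bytes": fragment_size_bytes(link_kbps, fragment_delay_ms),
        "voice_wait_fifo_ms": queueing_delay(fifo, SAMPLE_PACKETS, "voice"),
        "voice_wait_interleaved_ms": queueing_delay(mlp, SAMPLE_PACKETS, "voice"),
        "ftp_done_fifo_ms": fifo["ftp"][1],
        "ftp_done_interleaved_ms": mlp["ftp"][1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a 64-kbps link a 20-ms fragment delay yields 160-byte fragments. The voice packet that arrives while the FTP packet is being sent waits 182.5 ms in the FIFO case but only 15 ms (the remainder of the fragment in progress) with interleaving, which is within the configured 20-ms bound; the FTP packet finishes at the same time either way because total link time is unchanged.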
Configuring MLP Inverse Multiplexer and Distributed MLP
The distributed MLP feature combines T1/E1 lines in a VIP on a Cisco 7500 series router into a bundle
that has the combined bandwidth of the multiple T1/E1 lines. This is done using a VIP MLP link. You
choose the number of bundles and the number of T1/E1 lines in each bundle, which allows you to
increase the bandwidth of your network links beyond that of a single T1/E1 line without having to
purchase a T3 line.
Nondistributed MLP can support only a limited number of links; CPU usage quickly reaches 90% with only
a few T1/E1 lines running MLP. With distributed MLP, you can increase the router’s total capacity.
The MLP Inverse Multiplexer feature was designed for Internet service providers (ISPs) that want to
have the bandwidth of multiple T1 lines with performance comparable to that of an inverse multiplexer
without the need of buying standalone inverse-multiplexing equipment. A Cisco router supporting VIPs
can bundle multiple T1 lines in a CT3 or CE3 interface. Bundling is more economical than purchasing
an inverse multiplexer, and eliminates the need to configure another piece of equipment.
This feature supports the CT3 CE3 data rates without taxing the RSP and CPU by moving the data path
to the VIP. This feature also allows remote sites to purchase multiple T1 lines instead of a T3 line, which
is especially useful when the remote site does not need the bandwidth of an entire T3 line.
This feature allows multilink fragmentation to be disabled; when fragmentation is disabled, multilink
packets are switched using Cisco Express Forwarding (CEF) on all platforms. CEF is now supported
whether fragmentation is enabled or disabled.
Figure 92 shows a typical network using a VIP MLP link. The Cisco 7500 series router is connected to
the network with a CT3 line that has been configured with VIP MLP to carry two bundles of four T1
lines each. One of these bundles goes out to a Cisco 2500 series router and the other goes out to a
Cisco 3800 series router.
Figure 92 Diagram of a Typical VIP MLP Topology
[Figure 92 image not reproduced. Labels in the figure: Cisco 7500, Cisco 7200, Cisco 2500, Cisco 3800,
PSTN, CT3, T1s; “Channelized T3 with two bundles of four T1”; “Channelized T3 with two bundles of
two T1s each”.]
Before beginning the MLP Inverse Multiplexer configuration tasks, make note of the following
prerequisites and restrictions.
Prerequisites
• Distributed CEF switching must be enabled for distributed MLP.
• One of the following port adapters is required:
– CT3IP
– PA-MC-T3
– PA-MC-2T3+
– PA-MC-E3
– PA-MC-8T1
– PA-MC-4T1
– PA-MC-8E1
• All 16 E1s can be bundled from a PA-MC-E3 in a VIP4-80.
Restrictions
• The Multilink Inverse Multiplexer feature is supported only on the Cisco 7500 series routers.
• For bundles using IP, all lines in the bundle must have the same IP access list.
• Only one port adapter can be installed in a VIP.
• T1 and E1 lines cannot be mixed in a bundle.
• T1 lines in a bundle must have the same bandwidth.
• All lines in a bundle must have identical configurations.
• T1 lines can be combined in one bundle or up to 16 bundles per VIP.
• E1 lines can be combined in one bundle or up to 12 bundles per VIP.
• A maximum of eight T1 lines can be bundled on the VIP2-50 with two MB of SRAM.
• A maximum of 16 T1 lines can be bundled on the VIP2-50 with four or eight MB of SRAM.
• A maximum of 12 E1 lines can be bundled on the VIP2-50 with four or eight MB of SRAM.
• A maximum of 40 T1 lines can be bundled on the VIP4-80.
• Hardware compression is not supported.
• Encryption is not supported.
• Fancy/custom queueing is supported.
• MLP fragmentation is supported.
• Software compression is not recommended because CPU usage would negate performance gains.
• The maximum differential delay supported is 50 milliseconds.
• VIP CEF is limited to IP only; all other protocols are sent to the RSP.
Enabling fragmentation reduces the delay latency among bundle links, but adds some load to the CPU.
Disabling fragmentation may result in better throughput.
If your data traffic is consistently of a similar size, we recommend disabling fragmentation. In this case,
the benefits of fragmentation may be outweighed by the added load on the CPU.
To configure a multilink bundle, perform the tasks in the following sections:
• Enabling Distributed CEF Switching (Required for Distributed MLP)
• Creating a Multilink Bundle (Required)
• Assigning an Interface to a Multilink Bundle (Required)
• Disabling PPP Multilink Fragmentation (Optional)
• Verifying the MLP Inverse Multiplexer Configuration (Optional)
Enabling Distributed CEF Switching
To enable distributed MLP, first enable distributed CEF (dCEF) switching using the following command
in global configuration mode:

Command                                                 Purpose
Router(config)# ip cef distributed                      Enables dCEF switching.

Creating a Multilink Bundle
To create a multilink bundle, use the following commands beginning in global configuration mode:

        Command                                                 Purpose
Step 1  Router(config)# interface multilink group-number        Assigns a multilink group number and begins interface
                                                                configuration mode.
Step 2  Router(config-if)# ip address address mask              Assigns an IP address to the multilink interface.
Step 3  Router(config-if)# encapsulation ppp                    Enables PPP encapsulation.
Step 4  Router(config-if)# ppp multilink                        Enables Multilink PPP.

Assigning an Interface to a Multilink Bundle
To assign an interface to a multilink bundle, use the following commands in interface configuration
mode:

        Command                                                 Purpose
Step 1  Router(config-if)# no ip address                        Removes any specified IP address.
Step 2  Router(config-if)# keepalive                            Sets the frequency of keepalive packets.
Step 3  Router(config-if)# encapsulation ppp                    Enables PPP encapsulation.
Step 4  Router(config-if)# ppp multilink group group-number     Restricts a physical link to joining only the designated
                                                                multilink-group interface.
Step 5  Router(config-if)# ppp multilink                        Enables Multilink PPP.
Step 6  Router(config-if)# ppp authentication chap              (Optional) Enables CHAP authentication.
Step 7  Router(config-if)# pulse-time seconds                   (Optional) Configures DTR signal pulsing.
Disabling PPP Multilink Fragmentation
By default, PPP multilink fragmentation is enabled. To disable PPP multilink fragmentation, use the
following command in interface configuration mode:

Command                                                 Purpose
Router(config-if)# ppp multilink fragment disable       (Optional) Disables PPP multilink fragmentation.

Verifying the MLP Inverse Multiplexer Configuration
To display information about the newly created multilink bundle, use the show ppp multilink command
in EXEC mode:
Router# show ppp multilink
Multilink1, bundle name is group1
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned, sequence 0x0/0x0 rcvd/sent
0 discarded, 0 lost received, 1/255 load
Member links:4 active, 0 inactive (max not set, min not set)
Serial1/0/0:1
Serial1/0/0/:2
Serial1/0/0/:3
Serial1/0/0/:4

Monitoring and Maintaining PPP and MLP Interfaces
To monitor and maintain virtual interfaces, use the following command in EXEC mode:

Command                                                 Purpose
Router> show ppp multilink                              Displays MLP and MMP bundle information.

Configuration Examples for PPP and MLP
The following sections provide various PPP configuration examples:
• CHAP with an Encrypted Password Examples
• User Maximum Links Configuration Example
• MPPC Interface Configuration Examples
• IP Address Pooling Example
• DHCP Network Control Example
• PPP Reliable Link Examples
• MLP Examples
• MLP Interleaving and Queueing for Real-Time Traffic Example
• T3 Controller Configuration for an MLP Multilink Inverse Multiplexer Example
• Multilink Interface Configuration for Distributed MLP Example
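The verification and monitoring steps above rely on reading show ppp multilink and the Output queue line of show interfaces by eye. The following is an added example, not code from the Cisco IOS guide: it parses both outputs into structured fields (bundle name, distributed flag, loss and reorder counters, active member links, and the interleaves counter, which show interfaces prints only when interleaving has occurred) and applies simple health checks suitable for a monitoring job. The sample output is constructed to follow the layout shown in the verification section; the function names and the expected_active parameter are this example's own.

```python
"""Parse MLP verification output and apply health checks.

Added example, not Cisco code. Handles `show ppp multilink` (bundle state and
member links) and the `Output queue:` line of `show interfaces`, whose fourth
field (interleaves) is present only when interleaving has taken place.
"""
import re

# Constructed sample in the layout the verification section shows.
SAMPLE_SHOW_PPP_MULTILINK = """\
Multilink1, bundle name is group1
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned, sequence 0x0/0x0 rcvd/sent
  0 discarded, 0 lost received, 1/255 load
  Member links:4 active, 0 inactive (max not set, min not set)
    Serial1/0/0:1
    Serial1/0/0:2
    Serial1/0/0:3
    Serial1/0/0:4
"""

_BUNDLE_RE = re.compile(r"^(?P<iface>\S+), bundle name is (?P<name>\S+)")
_FRAG_RE = re.compile(r"(?P<lost>\d+) lost fragments, (?P<reordered>\d+) reordered, "
                      r"(?P<unassigned>\d+) unassigned")
_DISC_RE = re.compile(r"(?P<discarded>\d+) discarded, (?P<lost_rx>\d+) lost received, "
                      r"(?P<load>\d+)/(?P<load_max>\d+) load")
_MEMBERS_RE = re.compile(r"Member links:\s*(?P<active>\d+) active, (?P<inactive>\d+) inactive")
_LINK_RE = re.compile(r"^\s*(?P<link>[A-Za-z][A-Za-z-]*[\d/:.]+)\s*$")
_OUTQ_RE = re.compile(r"Output queue:\s*(?P<size>\d+)/(?P<threshold>\d+)/(?P<drops>\d+)"
                      r"(?:/(?P<interleaves>\d+))?\s*\(size/threshold/drops(?:/interleaves)?\)")


def parse_show_ppp_multilink(text):
    """Return one dict per bundle: counters as ints, members as link names."""
    bundles = []
    cur = None
    for line in text.splitlines():
        m = _BUNDLE_RE.match(line)
        if m:
            cur = {"interface": m["iface"], "name": m["name"],
                   "distributed": False, "members": []}
            bundles.append(cur)
            continue
        if cur is None:
            continue                      # text before the first bundle header
        if "Bundle is Distributed" in line:
            cur["distributed"] = True
            continue
        for rx in (_FRAG_RE, _DISC_RE, _MEMBERS_RE):
            m = rx.search(line)
            if m:
                cur.update({k: int(v) for k, v in m.groupdict().items()})
                break
        else:                             # no counter matched: maybe a member link
            m = _LINK_RE.match(line)
            if m:
                cur["members"].append(m["link"])
    return bundles


def parse_output_queue(line):
    """Parse the `Output queue:` line; interleaves is None when the field is absent."""
    m = _OUTQ_RE.search(line)
    if not m:
        return None
    fields = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    fields.setdefault("interleaves", None)
    return fields


def bundle_health(bundle, expected_active=None):
    """Return a list of warning strings; an empty list means the bundle looks healthy."""
    warnings = []
    if bundle.get("active", 0) == 0:
        warnings.append("no active member links")
    elif expected_active is not None and bundle["active"] != expected_active:
        warnings.append(f"{bundle['active']} active links, expected {expected_active}")
    for key in ("lost", "reordered", "discarded", "lost_rx"):
        if bundle.get(key, 0):
            warnings.append(f"{key} counter is {bundle[key]}")
    if not bundle["distributed"]:
        warnings.append("bundle is not distributed")
    return warnings


if __name__ == "__main__":
    for b in parse_show_ppp_multilink(SAMPLE_SHOW_PPP_MULTILINK):
        print(b["name"], b["members"], bundle_health(b, expected_active=4))
    print(parse_output_queue("Output queue: 315/64/164974/31191 (size/threshold/drops/interleaves)"))
```

Because the interleaves field is optional, the parser returns None rather than 0 for it when it is absent; a monitoring rule should treat None as "no interleaving observed" and not as a parse failure.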
CHAP with an Encrypted Password Examples
The following examples show how to enable CHAP on serial interface 0 of three devices:
Configuration of Router yyy
hostname yyy
interface serial 0
encapsulation ppp
ppp authentication chap
username xxx password secretxy
username zzz password secretzy
Configuration of Router xxx
hostname xxx
interface serial 0
encapsulation ppp
ppp authentication chap
username yyy password secretxy
username zzz password secretxz
Configuration of Router zzz
hostname zzz
interface serial 0
encapsulation ppp
ppp authentication chap
username xxx password secretxz
username yyy password secretzy
When you look at the configuration file, the passwords will be encrypted and the display will look
similar to the following:
hostname xxx
interface serial 0
encapsulation ppp
ppp authentication chap
username yyy password 7 121F0A18
username zzz password 7 1329A055
User Maximum Links Configuration Example
The following example shows how to configure the username sTephen and establish a maximum of five
connections. sTephen can connect through serial interface 1/0, which has a dialer map configured for it,
or through PRI interface 0/0:23, which has dialer profile interface 0 dedicated to it.
The aaa authorization network default local command must be configured. PPP encapsulation and
authentication must be enabled on all the interfaces that sTephen can connect to.
aaa new-model
aaa authorization network default local
enable secret saintstephen
enable password witharose
!
username sTephen user-maxlinks 5 password gardenhegoes
!
interface Serial0/0:23
no ip address
encapsulation ppp
dialer pool-member 1
ppp authentication chap
ppp multilink
!
interface Serial1/0
ip address 10.2.2.4 255.255.255.0
encapsulation ppp
dialer in-band
dialer map ip 10.2.2.13 name sTephen 12345
dialer-group 1
ppp authentication chap
!
interface Dialer0
ip address 10.1.1.4 255.255.255.0
encapsulation ppp
dialer remote-name sTephen
dialer string 23456
dialer pool 1
dialer-group 1
ppp authentication chap
ppp multilink
!
dialer-list 1 protocol ip permit
MPPC Interface Configuration Examples
The following example configures asynchronous interface 1 to implement MPPC and ignore the protocol
field compression flag negotiated by LCP:
interface async1
ip unnumbered ethernet0
encapsulation ppp
async default routing
async dynamic routing
async mode interactive
peer default ip address 172.21.71.74
compress mppc ignore-pfc
The following example creates a virtual access interface (virtual-template interface 1) and serial
interface 0, which is configured for X.25 encapsulation. MPPC values are configured on the
virtual-template interface and will ignore the negotiated protocol field compression flag.
interface ethernet0
ip address 172.20.30.102 255.255.255.0
!
interface virtual-template1
ip unnumbered ethernet0
peer default ip address pool vtemp1
compress mppc ignore-pfc
!
interface serial0
no ip address
no ip mroute-cache
encapsulation x25
x25 win 7
x25 winout 7
x25 ips 512
x25 ops 512
clock rate 50000
!
ip local pool vtemp1 172.20.30.103 172.20.30.104
ip route 0.0.0.0 0.0.0.0 172.20.30.1
!
translate x25 31320000000000 virtual-template 1
IP Address Pooling Example
The following example configures a modem to dial in to a Cisco access server and obtain an IP address
from the DHCP server. This configuration allows the user to log in and browse an NT network. Notice
that the dialer 1 and group-async 1 interfaces are configured with the ip unnumbered loopback
command, so that the broadcast can find the dialup clients and the client can see the NT network.
!
hostname secret
!
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa authentication ppp chap local
enable secret 5 encrypted-secret
enable password EPassWd1
!
username User1 password 0 PassWd2
username User2 password 0 PassWd3
username User3 password 0 PassWd4
no ip domain-lookup
ip dhcp-server 10.47.0.131
async-bootp gateway 10.47.0.1
async-bootp nbns-server 10.47.0.131
isdn switch-type primary-4ess
!
!
controller t1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller t1 1
framing esf
clock source line secondary
linecode b8zs
!
interface loopback 0
ip address 10.47.252.254 255.255.252.0
!
interface ethernet 0
ip address 10.47.0.5 255.255.252.0
ip helper-address 10.47.0.131
ip helper-address 10.47.0.255
no ip route-cache
no ip mroute-cache
!
interface serial 0
no ip address
no ip mroute-cache
shutdown
!
interface serial 1
no ip address
shutdown
!
interface serial 0:23
no ip address
encapsulation ppp
no ip mroute-cache
dialer rotary-group 1
dialer-group 1
isdn incoming-voice modem
no fair-queue
no cdp enable
!
interface group-async 1
ip unnumbered loopback 0
ip helper-address 10.47.0.131
ip tcp header-compression passive
encapsulation ppp
no ip route-cache
no ip mroute-cache
async mode interactive
peer default ip address dhcp
no fair-queue
no cdp enable
ppp authentication chap
group-range 1 24
!
interface dialer 1
ip unnumbered loopback 0
encapsulation ppp
dialer in-band
dialer-group 1
no peer default ip address
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink
!
router ospf 172
redistribute connected subnets
redistribute static
network 10.47.0.0 0.0.3.255 area 0
network 10.47.156.0 0.0.3.255 area 0
network 10.47.168.0 0.0.3.255 area 0
network 10.47.252.0 0.0.3.255 area 0
!
ip local pool RemotePool 10.47.252.1 10.47.252.24
ip classless
ip route 10.0.140.0 255.255.255.0 10.59.254.254
ip route 10.2.140.0 255.255.255.0 10.59.254.254
ip route 10.40.0.0 255.255.0.0 10.59.254.254
ip route 10.59.254.0 255.255.255.0 10.59.254.254
ip route 172.23.0.0 255.255.0.0 10.59.254.254
ip route 192.168.0.0 255.255.0.0 10.59.254.254
ip ospf name-lookup
no logging buffered
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny ospf any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
snmp-server community public RO
!
line con 0
line 1 24
autoselect during-login
autoselect ppp
modem InOut
transport input all
line aux 0
line vty 0 4
password PassWd5
!
scheduler interval 100
end
DHCP Network Control Example
The following partial example adds the ip dhcp-client network-discovery command to the previous “IP
Address Pooling Example” to allow peer routers to more dynamically discover DNS and NetBIOS name
servers. If the ip dhcp-client network-discovery command is disabled, the system falls back to the
static configurations made using the async-bootp dns-server and async-bootp nb-server global
configuration commands.
!
hostname secret
!
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa authentication ppp chap local
enable secret 5 encrypted-secret
enable password EPassWd1
!
username User1 password 0 PassWd2
username User2 password 0 PassWd3
username User3 password 0 PassWd4
no ip domain-lookup
ip dhcp-server 10.47.0.131
ip dhcp-client network-discovery informs 2 discovers 2 period 12
async-bootp gateway 10.47.0.1
async-bootp nbns-server 10.47.0.131
isdn switch-type primary-4ess
.
.
.
PPP Reliable Link Examples
The following example enables PPP reliable link and STAC compression on BRI 0:
interface BRI0
description Enables stac compression on BRI 0
ip address 172.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 172.1.1.2 name baseball 14195386368
compress stac
ppp authentication chap
dialer-group 1
ppp reliable-link
The following example shows output of the show interfaces command when PPP reliable link is
enabled. The LAPB output lines indicate that PPP reliable link is provided over LAPB.
Router# show interfaces serial 0
Serial0 is up, line protocol is up
Hardware is HD64570
Description: connects to enkidu s 0
Internet address is 172.21.10.10/8
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set
LCP Open
Open: IPCP, CDP
LAPB DTE, state CONNECT, modulo 8, k 7, N1 12048, N2 20
T1 3000, T2 0, interface outage (partial T3) 0, T4 0, PPP over LAPB
VS 1, VR 1, tx NR 1, Remote VR 1, Retransmissions 0
Queues: U/S frames 0, I frames 0, unack. 0, reTx 0
IFRAMEs 1017/1017 RNRs 0/0 REJs 0/0 SABM/Es 1/1 FRMRs 0/0 DISCs 0/0
Last input 00:00:18, output 00:00:08, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/64/0 (size/threshold/drops)
Conversations 0/1 (active/max active)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 3000 bits/sec, 4 packets/sec
5 minute output rate 3000 bits/sec, 7 packets/sec
1365 packets input, 107665 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2064 packets output, 109207 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 output buffer failures, 0 output buffers swapped out
4 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
MLP Examples
This section contains the following MLP examples:
• MLP on Synchronous Serial Interfaces Example
• MLP on One ISDN BRI Interface Example
• MLP on Multiple ISDN BRI Interfaces Example
• MLP Using Multilink Group Interfaces over ATM Example
• Changing the Default Endpoint Discriminator Example
MLP on Synchronous Serial Interfaces Example
MLP provides characteristics most similar to hardware inverse multiplexers, with good manageability
and Layer 3 services support. Figure 93 shows a typical inverse multiplexing application using two Cisco
routers and Multilink PPP over four T1 lines.
Figure 93 Inverse Multiplexing Application Using Multilink PPP
The following example shows the configuration commands used to create the inverse multiplexing
application:
Router A Configuration
hostname RouterA
!
!
username RouterB password your_password
ip subnet-zero
multilink virtual-template 1
!
interface Virtual-Template1
ip unnumbered Ethernet0
ppp authentication chap
ppp multilink
!
interface Serial0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
pulse-time 3
!
interface Serial1
no ip address
encapsulation ppp
no fair-queue
ppp multilink
pulse-time 3
!
interface Serial2
no ip address
encapsulation ppp
no fair-queue
ppp multilink
pulse-time 3
!
interface Serial3
no ip address
encapsulation ppp
no fair-queue
ppp multilink
pulse-time 3
!
interface Ethernet0
ip address 10.17.1.254 255.255.255.0
!
router rip
network 10.0.0.0
!
end
Router B Configuration
hostname RouterB
!
!
username RouterA password your_password
ip subnet-zero
multilink virtual-template 1
!
interface Virtual-Template1
ip unnumbered Ethernet0
ppp authentication chap
ppp multilink
!
interface Serial0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
pulse-time 3
!
interface Serial1
no ip address
encapsulation ppp
no fair-queue
ppp multilink
pulse-time 3
!
interface Serial2
no ip address
encapsulation ppp
no fair-queue
ppp multilink
pulse-time 3
!
interface Serial3
no ip address
encapsulation ppp
no fair-queue
ppp multilink
pulse-time 3
!
interface Ethernet0
ip address 10.17.2.254 255.255.255.0
!
router rip
network 10.0.0.0
!
end
MLP on One ISDN BRI Interface Example
The following example enables MLP on BRI interface 0. Because an ISDN interface is a rotary group
by default, when one BRI is configured, no dialer rotary group configuration is required.
interface bri 0
description connected to ntt 81012345678902
ip address 172.31.1.7 255.255.255.0
encapsulation ppp
dialer idle-timeout 30
dialer load-threshold 40 either
dialer map ip 172.31.1.8 name atlanta 81012345678901
dialer-group 1
ppp authentication pap
ppp multilink
MLP on Multiple ISDN BRI Interfaces Example
The following example configures multiple ISDN BRI interfaces to belong to the same dialer rotary
group for Multilink PPP. The dialer rotary-group command is used to assign each of the ISDN BRI
interfaces to that dialer rotary group.
interface BRI0
no ip address
encapsulation ppp
dialer idle-timeout 500
dialer rotary-group 0
dialer load-threshold 30 either
!
interface BRI1
no ip address
encapsulation ppp
dialer idle-timeout 500
dialer rotary-group 0
dialer load-threshold 30 either
!
interface BRI2
no ip address
encapsulation ppp
dialer idle-timeout 500
dialer rotary-group 0
dialer load-threshold 30 either
!
interface Dialer0
ip address 10.0.0.2 255.0.0.0
encapsulation ppp
dialer in-band
dialer idle-timeout 500
dialer map ip 10.0.0.1 name atlanta broadcast 81012345678901
dialer load-threshold 30 either
dialer-group 1
ppp authentication chap
ppp multilink
MLP Using Multilink Group Interfaces over ATM Example
The following example configures MLP over an ATM PVC using a multilink group:
interface multilink 1
ip address 10.200.83.106 255.255.255.252
ip tcp header-compression iphc-format delay 20000
service policy output xyz
encapsulation ppp
ppp multilink
ppp multilink fragment delay 10
ppp multilink interleave
ppp timeout multilink link remove 10
ip rtp header-compression iphc-format
interface virtual-template 3
bandwidth 128
ppp multilink group 1
interface atm 4/0.1 point-to-point
pvc 0/32
abr 100 80
protocol ppp virtual-template 3
Changing the Default Endpoint Discriminator Example
The following partial example changes the MLP endpoint discriminator from the default CHAP host
name C-host1 to the E.164-compliant telephone number 1 603 555-1212:
.
.
.
interface dialer 0
ip address 10.1.1.4 255.255.255.0
encapsulation ppp
dialer remote-name R-host1
dialer string 23456
dialer pool 1
dialer-group 1
ppp chap hostname C-host1
ppp multilink endpoint phone 16035551212
.
.
.
MLP Interleaving and Queueing for Real-Time Traffic Example
The following example defines a virtual interface template that enables MLP interleaving and a
maximum real-time traffic delay of 20 milliseconds, and then applies that virtual template to the MLP
bundle:
interface virtual-template 1
ip unnumbered ethernet 0
ppp multilink
ppp multilink interleave
ppp multilink fragment delay 20
ip rtp interleave 32768 20 1000
multilink virtual-template 1
The following example enables MLP interleaving on a dialer interface that controls a rotary group of
BRI interfaces. This configuration permits IP packets to trigger calls.
interface BRI 0
description connected into a rotary group
encapsulation ppp
dialer rotary-group 1
!
interface BRI 1
no ip address
encapsulation ppp
dialer rotary-group 1
!
interface BRI 2
encapsulation ppp
dialer rotary-group 1
!
interface BRI 3
no ip address
encapsulation ppp
dialer rotary-group 1
!
interface BRI 4
encapsulation ppp
dialer rotary-group 1
!
interface Dialer 0
description Dialer group controlling the BRIs
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.2 name angus 14802616900
dialer-group 1
ppp authentication chap
! Enables Multilink PPP interleaving on the dialer interface and reserves
! a special queue.
ppp multilink
ppp multilink interleave
ip rtp reserve 32768 20 1000
! Keeps fragments of large packets small enough to ensure delay of 20 ms or less.
ppp multilink fragment delay 20
dialer-list 1 protocol ip permit
T3 Controller Configuration for an MLP Multilink Inverse Multiplexer Example
In the following example, the T3 controller is configured and four channelized interfaces are created:
controller T3 1/0/0
framing m23
cablelength 10
t1 1 timeslots 1-24
t1 2 timeslots 1-24
t1 3 timeslots 1-24
t1 4 timeslots 1-24
Multilink Interface Configuration for Distributed MLP Example
In the following example, four multilink interfaces are created with distributed CEF switching and MLP
enabled. Each of the newly created interfaces is added to a multilink bundle.
interface multilink1
ip address 10.0.0.0 10.255.255.255
ppp chap hostname group 1
ppp multilink
ppp multilink group 1
interface serial 1/0/0:1
no ip address
encapsulation ppp
ip route-cache distributed
no keepalive
ppp chap hostname group 1
ppp multilink
ppp multilink group 1
interface serial 1/0/0:2
no ip address
encapsulation ppp
ip route-cache distributed
no keepalive
ppp chap hostname group 1
ppp multilink
ppp multilink group 1
interface serial 1/0/0:3
no ip address
encapsulation ppp
ip route-cache distributed
no keepalive
ppp chap hostname group 1
ppp multilink
ppp multilink group 1
interface serial 1/0/0:4
no ip address
encapsulation ppp
ip route-cache distributed
no keepalive
ppp chap hostname group 1
ppp multilink
ppp multilink group 1
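Two of the configuration examples in this chapter invite an automated check: the CHAP examples show username lines whose passwords are stored as type 0 (clear text) or type 7 (a reversible encoding, not a one-way hash; username ... secret stores a hash), and the distributed MLP restrictions require every member link of a bundle to have an identical configuration, which the multilink interface example above illustrates with four serial links in ppp multilink group 1. The following is an added example, not code from the Cisco IOS guide: it splits a running configuration into interface stanzas, reports weakly stored credentials, and reports any member link of a ppp multilink group that is missing a line its peers have. The configuration is constructed (one member link deliberately lacks the ppp chap hostname line), the hash on the secret line is a placeholder, and the function names are this example's own.

```python
"""Audit an IOS configuration for credential storage and MLP bundle consistency.

Added example, not Cisco code. The configuration text is constructed; the hash
on the `secret` line is a placeholder, not a real digest.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
hostname xxx
enable password witharose
username yyy password 7 121F0A18
username zzz password 0 secretxz
username sTephen user-maxlinks 5 password gardenhegoes
username ops secret 5 $1$PLACEHOLDER$notarealhash
!
interface multilink1
 ip address 10.0.0.1 255.0.0.0
 ppp chap hostname group1
 ppp multilink
 ppp multilink group 1
!
interface serial 1/0/0:1
 no ip address
 encapsulation ppp
 ip route-cache distributed
 no keepalive
 ppp multilink
 ppp multilink group 1
!
interface serial 1/0/0:2
 no ip address
 encapsulation ppp
 ip route-cache distributed
 no keepalive
 ppp chap hostname group1
 ppp multilink
 ppp multilink group 1
"""

_USERNAME_RE = re.compile(r"^username (?P<user>\S+)(?: .*?)? (?P<kind>password|secret)"
                          r"(?: (?P<type>\d+))? (?P<value>\S+)$")
_GROUP_RE = re.compile(r"^ppp multilink group (?P<group>\S+)$")


def parse_config(text):
    """Split config text into top-level lines and {interface: [lines]} stanzas.
    Indented lines belong to the latest `interface`; `!` or an unindented
    line ends the stanza."""
    top, stanzas, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw[0].isspace() and current is not None:
            stanzas[current].append(stripped)
        else:
            current = None
            top.append(stripped)
    return top, stanzas


def audit_credentials(top_lines):
    """Return (account, finding) pairs for credentials not stored as a one-way hash."""
    findings = []
    for line in top_lines:
        if line.startswith("enable password "):
            findings.append(("enable", "enable password is clear text or type 7; prefer enable secret"))
            continue
        m = _USERNAME_RE.match(line)
        if not m or m["kind"] == "secret":
            continue                             # not a username line, or hashed: fine
        ptype = m["type"] or "0"                 # `password TEXT` with no type means type 0
        if ptype == "0":
            findings.append((m["user"], "password stored in clear text (type 0)"))
        elif ptype == "7":
            findings.append((m["user"], "password stored as type 7, which is reversible"))
        else:
            findings.append((m["user"], f"unexpected password type {ptype}"))
    return findings


def audit_bundles(stanzas):
    """Return {group: {member: [missing lines]}} for member links whose stanza
    lacks lines that other members of the same bundle have."""
    members = defaultdict(dict)
    for name, lines in stanzas.items():
        if name.lower().startswith("multilink"):
            continue                             # the bundle interface itself is not a member link
        for line in lines:
            m = _GROUP_RE.match(line)
            if m:
                members[m["group"]][name] = set(lines)
    report = {}
    for group, links in members.items():
        union = set().union(*links.values())
        diffs = {link: sorted(union - lines) for link, lines in links.items() if union - lines}
        if diffs:
            report[group] = diffs
    return report


if __name__ == "__main__":
    top, stanzas = parse_config(SAMPLE_CONFIG)
    for account, finding in audit_credentials(top):
        print(f"{account}: {finding}")
    print(audit_bundles(stanzas))
```

On the constructed configuration the credential audit flags the enable password and the yyy, zzz and sTephen accounts and leaves the hashed ops account alone, while the bundle audit reports that serial 1/0/0:1 lacks the ppp chap hostname line present on serial 1/0/0:2.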
Configuring Multichassis Multilink PPP
This chapter describes how to configure Multichassis Multilink PPP (MLP). It includes the following
main sections:
• Multichassis Multilink PPP Overview
• How to Configure MMP
• Monitoring and Maintaining MMP Virtual Interfaces
• Configuration Examples for MMP
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the MMP commands mentioned in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference, Release 12. To locate documentation of other commands that appear
in this chapter, use the command reference master index or search online.
Multichassis Multilink PPP Overview
Prior to Release 11.2, Cisco IOS supported Multilink PPP (MLP). Beginning with Release 11.2,
Cisco IOS software also supports Multichassis Multilink PPP (MMP).
MLP provides the capability of splitting and recombining packets to a single end system across a logical
pipe (also called a bundle) formed by multiple links. MMP provides bandwidth on demand and reduces
transmission latency across WAN links.
MMP, however, provides the additional capability for links to terminate at multiple routers with different
remote addresses. MMP can also handle both analog and digital traffic.
MMP is intended for situations with large pools of dial-in users, in which a single chassis cannot provide
enough dial ports. This feature allows companies to provide a single dialup number to their users and to
apply the same solution to analog and digital calls. This feature allows Internet service providers (ISPs),
for example, to allocate a single ISDN rotary number to several ISDN PRIs across several routers. This
capability allows for easy expansion and scalability and for assured fault tolerance and redundancy.
MMP allows network access servers to be stacked together and to appear as a single network access
server chassis so that if one network access server fails, another network access server in the stack can
accept calls.
With large-scale dial-out, these features are available for both outgoing and incoming calls.
Stack Groups
Routers or access servers are configured to belong to groups of peers called stack groups. All members
of the stack group are peers; stack groups do not need a permanent lead router. Any stack group member
can answer calls coming from a single access number, which is usually an ISDN PRI hunt group. Calls
can come in from remote user devices, such as routers, modems, ISDN terminal adapters, and PC cards.
Once a connection is established with one member of a stack group, that member owns the call. If a
second call comes in from the same client and a different router answers the call, the router establishes
a tunnel and forwards all packets that belong to the call to the router that owns the call. Establishing a
tunnel and forwarding calls through it to the router that owns the call is sometimes called projecting the
PPP link to the call master.
If a more powerful router is available, it can be configured as a member of the stack group and the other
stack group members can establish tunnels and forward all calls to it. In such a case, the other stack group
members are just answering calls and forwarding traffic to the more powerful offload router.
Note High-latency WAN lines between stack group members can make stack group operation inefficient.
Call Handling and Bidding
MMP call handling, bidding, and Layer 2 forwarding operations in the stack group proceed as follows:
1. When the first call comes in to the stack group, router A answers.
2. In the bidding, router A wins because it already has the call. Router A becomes the call-master for
that session with the remote device. (Router A might also be called the host to the master bundle
interface.)
3. When the remote device that initiated the call needs more bandwidth, it makes a second MLP call
to the group.
4. When the second call comes in, router D answers it and informs the stack group. Router A wins the
bidding because it already is handling the session with that remote device.
5. Router D establishes a tunnel to router A and forwards the raw PPP data to router A.
6. Router A reassembles and resequences the packets.
7. If more calls come in to router D and they too belong to router A, the tunnel between routers A and
D enlarges to handle the added traffic. Router D does not establish an additional tunnel to router A.
8. If more calls come in and are answered by any other router, that router also establishes a tunnel to
router A and forwards the raw PPP data.
9. The reassembled data is passed on the corporate network as if it had all come through one physical
link.
Figure 94 shows the call handling and bidding process in a typical MLP scenario.
Figure 94 Typical MLP Scenario
In contrast to Figure 94, Figure 95 features an offload router. Access servers that belong to a stack group
answer calls, establish tunnels, and forward calls to a Cisco 4700 router that wins the bidding and is the
call master for all the calls. The Cisco 4700 reassembles and resequences all the packets that come in
through the stack group.
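The bidding sequence listed above, together with the offload-router variant, as a small Python model added here; it is not Cisco code and does not speak SGBP. Member names and the remote user are constructed sample values, and the rule that a member configured with sgbp seed-bid offload wins the bidding for any call that has no existing bundle is taken from the description of Figure 95.

```python
# Added example (not Cisco code): a model of MMP stack-group call handling and
# bidding as the chapter describes it. Member names and the remote user are
# constructed sample values.
from dataclasses import dataclass, field


@dataclass
class StackMember:
    name: str
    seed_bid: str = "default"                     # "default" or "offload" (sgbp seed-bid)
    bundles: dict = field(default_factory=dict)   # remote user -> links in that bundle
    tunnels: dict = field(default_factory=dict)   # call master name -> projected links


class StackGroup:
    def __init__(self, members):
        self.members = {m.name: m for m in members}

    def bid(self, answering, remote_user):
        """Decide which member becomes (or stays) call master for remote_user."""
        # A member that already hosts the bundle for this remote device wins,
        # because it is already handling the session (steps 2 and 4).
        for member in self.members.values():
            if remote_user in member.bundles:
                return member
        # No bundle yet: a member configured with sgbp seed-bid offload wins
        # every new call (Figure 95); otherwise the answering member keeps it.
        for member in self.members.values():
            if member.seed_bid == "offload":
                return member
        return self.members[answering]

    def answer_call(self, answering, remote_user):
        """Process one incoming call and report what the stack group did with it."""
        answerer = self.members[answering]
        master = self.bid(answering, remote_user)
        master.bundles[remote_user] = master.bundles.get(remote_user, 0) + 1
        if master is answerer:
            return {"master": master.name, "tunnel": None, "new_tunnel": False}
        # Forward the raw PPP data over a tunnel to the call master. An existing
        # tunnel to that master is enlarged rather than duplicated (step 7).
        new_tunnel = master.name not in answerer.tunnels
        answerer.tunnels[master.name] = answerer.tunnels.get(master.name, 0) + 1
        return {"master": master.name, "tunnel": (answerer.name, master.name),
                "new_tunnel": new_tunnel}


def scenario_typical():
    """Figure 94 walkthrough: A answers first; D (twice) and B answer later links."""
    group = StackGroup([StackMember(n) for n in "ABCDE"])
    events = [group.answer_call("A", "remote1"),
              group.answer_call("D", "remote1"),
              group.answer_call("D", "remote1"),
              group.answer_call("B", "remote1")]
    return events, group


def scenario_offload():
    """Figure 95 walkthrough: the member with seed-bid offload is call master for all."""
    group = StackGroup([StackMember(n) for n in "ABCDE"]
                       + [StackMember("Cisco4700", seed_bid="offload")])
    events = [group.answer_call("A", "remote1"),
              group.answer_call("C", "remote2")]
    return events, group


if __name__ == "__main__":
    for event in scenario_typical()[0] + scenario_offload()[0]:
        print(event)
```

Running the two scenarios shows the two properties the list states: every link from one remote device converges on the member that answered its first call, and a second member that answers several of those links keeps one tunnel to the master and only grows it, so the tunnel count between any pair of members never exceeds one.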
Figure 95 MLP with an Offload Router as a Stack Group Member
Note You can build stack groups using different access-server, switching, and router platforms. However,
universal access servers such as the Cisco AS5200 should not be combined with ISDN-only access
servers such as the Cisco 4000 series platform. Because calls from the central office are allocated in
an arbitrary way, this combination could result in an analog call being delivered to a digital-only
access server, which would not be able to handle the call.
MMP support on a group of routers requires that each router be configured to support the following:
• Multilink PPP
• Stack Group Bidding Protocol (SGBP)
• Virtual template used for cloning interface configuration to support MMP
[Figure 94 (S4788): remote users with analog and ISDN PRI digital access reach, through an internal service provider, routers A, B, C, D, and E in a stack group on a corporate network.]
[Figure 95 (S4789): the same topology, with a Cisco 4700 added as the stack group member that acts as the offload router.]
MMP is supported on the Cisco 2500, 4500, and 7500 series platforms and on synchronous serial,
asynchronous serial, ISDN BRI, ISDN PRI, and dialer interfaces.
MMP does not require reconfiguration of telephone company switches.
Dialer profiles are not supported for SGBP (Stack Group Bidding Protocol).
How to Configure MMP
To configure MMP, perform the tasks in the following sections, in the order listed:
• Configuring the Stack Group and Identifying Members (Required)
• Configuring a Virtual Template and Creating a Virtual Template Interface (Required)
See the section “Monitoring and Maintaining MMP Virtual Interfaces” later in this chapter for tips on
maintaining MMP. See the examples in the section “Configuration Examples for MMP” later in this
chapter for ideas on how to configure MMP in your network.
Configuring the Stack Group and Identifying Members
To configure the stack group on the router, use the following commands in global configuration mode:
Command / Purpose
Step 1  Router(config)# username name password password
        Creates authentication credentials for the stack group.
Step 2  Router(config)# sgbp group name
        Creates the stack group and assigns this router to it.
Step 3  Router(config)# sgbp member peer-name [peer-ip-address]
        Specifies a peer member of the stack group.
Repeat these steps for each additional stack group peer.
Note Only one stack group can be configured per access server or router.
Configuring a Virtual Template and Creating a Virtual Template Interface
You need to configure a virtual template for MMP when asynchronous or synchronous serial interfaces
are used, but dialers are not defined. When dialers are configured on the physical interfaces, do not
specify a virtual template interface.
To configure a virtual template for any nondialer interfaces, use the following commands beginning in
global configuration mode:
Command / Purpose
Step 1  Router(config)# multilink virtual-template number
        Defines a virtual template for the stack group.
        This step is not required if ISDN interfaces or other dialers are configured and used by the physical interfaces.
Step 2  Router(config)# ip local pool default ip-address
        Specifies an IP address pool by using any pooling mechanism, for example, IP local pooling or Dynamic Host
        Configuration Protocol (DHCP) pooling.
Step 3  Router(config)# interface virtual-template number
        Creates a virtual template interface and enters interface configuration mode.
        This step is not required if ISDN interfaces or other dialers are configured and used by the physical interfaces.
Step 4  Router(config-if)# ip unnumbered ethernet 0
        Specifies unnumbered IP.
Step 5  Router(config-if)# no ip route-cache
        Disables fast switching, which enables per-packet load sharing and enhances performance on slower serial links.
Step 6  Router(config-if)# encapsulation ppp
        Enables PPP encapsulation on the virtual template interface.
Step 7  Router(config-if)# ppp multilink
        Enables Multilink PPP on the virtual template interface.
Step 8  Router(config-if)# ppp authentication chap
        Enables PPP authentication on the virtual template interface.
If dialers are or will be configured on the physical interfaces, the ip unnumbered command, mentioned
in Step 4, will be used in configuring the dialer interface. For examples that show MMP configured with
and without dialers, see the “Configuration Examples for MMP” at the end of this chapter.
Note Never define a specific IP address on the virtual template because projected virtual access interfaces
are always cloned from the virtual template interface. If a subsequent PPP link also gets projected to
a stack member with a virtual access interface already cloned and active, identical IP addresses will be
on the two virtual interfaces. IP will erroneously route between them.
For more information about address pooling, see the “Configuring Media-Independent PPP and
Multilink PPP” chapter.
Monitoring and Maintaining MMP Virtual Interfaces
To monitor and maintain virtual interfaces, use any of the following commands in EXEC mode:
Command / Purpose
Router> show ppp multilink
        Displays MLP and MMP bundle information.
Router> show sgbp
        Displays the status of the stack group members.
Router> show sgbp queries
        Displays the current seed bid value.
Configuration Examples for MMP
The following sections provide MMP configuration examples without and with dialers:
• MMP Using PRI But No Dialers
• MMP with Dialers
• MMP with Offload Server
MMP Using PRI But No Dialers
The following example shows the configuration of MMP when no dialers are involved. Comments in the
configuration discuss the commands. Variations are shown for a Cisco AS5200 access server or
Cisco 4000 series router and for an E1 or T1 controller.
sgbp group stackq
sgbp member systemb 10.1.1.2
sgbp member systemc 10.1.1.3
username stackq password therock
! First make sure the multilink virtual template number is defined globally on
! each router that is a member of the stack group.
multilink virtual-template 1
! If you have not configured any dialer interfaces for the physical interfaces in
! question (PRI, BRI, async, sync serial), you can define a virtual template.
interface virtual-template 1
ip unnumbered e0
no ip route-cache
ppp authentication chap
ppp multilink
! Never define a specific IP address on the virtual template because projected
! virtual access interfaces are always cloned from the virtual template interface.
! If a subsequent PPP link also gets projected to a stack member with a virtual
! access interface already cloned and active, identical IP addresses will be on
! the two virtual interfaces. IP will erroneously route between them.
! On an AS5200 or 4XXX platform.
! On a T1 controller.
!
controller T1 0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
interface serial 0:23
no ip address
encapsulation ppp
no ip route-cache
ppp authentication chap
ppp multilink
!
! On an E1 controller.
!
controller E1 0
framing crc4
linecode hdb3
pri-group timeslots 1-31
interface serial 0:15
no ip address
encapsulation ppp
no ip route-cache
ppp authentication chap
ppp multilink
MMP with Dialers
When dialers are configured on the physical interfaces and when the interface itself is a dialer, do not
specify a virtual template interface. For dialers, you only need to define the stack group name, common
password, and its members across all the stack members. No virtual template interface is defined at all.
Only the PPP commands in dialer interface configuration are applied to the bundle interface. Subsequent
projected PPP links are also cloned with the PPP commands from the dialer interface.
Dialer profiles are not supported for SGBP (Stack Group Bidding Protocol).
This section includes the following examples:
• MMP with Explicitly Defined Dialer
• MMP with ISDN PRI but No Explicitly Defined Dialer
MMP with Explicitly Defined Dialer
The following example includes a dialer that is explicitly specified by the interface dialer command and
configured by the commands that immediately follow:
sgbp group stackq
sgbp member systemb 10.1.1.2
sgbp member systemc 10.1.1.3
username stackq password therock
interface dialer 1
ip unnumbered e0
dialer map .....
encapsulation ppp
ppp authentication chap
dialer-group 1
ppp multilink
!
! On a T1 controller
controller T1 0
framing esf
linecode b8zs
pri-group timeslots 1-24
interface Serial0:23
no ip address
encapsulation ppp
dialer in-band
dialer rotary 1
dialer-group 1
!
! Or on an E1 Controller
controller E1 0
framing crc4
linecode hdb3
pri-group timeslots 1-31
interface serial 0:15
no ip address
encapsulation ppp
no ip route-cache
ppp authentication chap
ppp multilink
MMP with ISDN PRI but No Explicitly Defined Dialer
ISDN PRIs and BRIs by default are dialer interfaces. That is, a PRI configured without an explicit
interface dialer command is still a dialer interface. The following example configures ISDN PRI. The
D-channel configuration on serial interface 0:23 is applied to all the B channels. MMP is enabled, but
no virtual interface template needs to be defined.
sgbp group stackq
sgbp member systemb 10.1.1.2
sgbp member systemc 10.1.1.3
username stackq password therock
isdn switch-type primary-4ess
controller t1 0
framing esf
linecode b8zs
pri-group timeslots 1-23
isdn switch-type basic-net3
interface Serial0:23
ip unnumbered e0
dialer map .....
encap ppp
ppp authentication chap
dialer-group 1
dialer rot 1
!
ppp multilink
MMP with Offload Server
The following example shows a virtual template interface for a system that is being configured as an
offload server (via the sgbp seed-bid offload command). All other stack group members must be defined
with the sgbp seed-bid default command (or if you do not enter any sgbp seed-bid command, it defaults
to this command).
multilink virtual-template 1
sgbp group stackq
sgbp member systemb 10.1.1.2
sgbp member systemc 10.1.1.3
sgbp seed-bid offload
username stackq password therock
interface virtual-template 1
ip unnumbered e0
no ip route-cache
ppp authentication chap
ppp multilink
Callback and Bandwidth Allocation Configuration
Configuring Asynchronous Callback
This chapter describes how to configure Cisco IOS software to call back an asynchronous device that
dials in, requests a callback from the router, and then disconnects. It includes the following main
sections:
• Asynchronous Callback Overview
• How to Configure Asynchronous Callback
• Configuration Examples for Asynchronous Callback
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands mentioned in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference. To locate documentation of other commands that appear in this
chapter, use the command reference master index or search online.
Asynchronous Callback Overview
Asynchronous callback is supported for the PPP and AppleTalk Remote Access (ARA) protocols.
Callback is also supported on other interface types for PPP, including ISDN and any device that calls in
and connects to the router at the EXEC level.
All callback sessions are returned on TTY lines. ARA is supported on virtual terminal lines, but also is
supported on TTY lines if the vty-arap command is used. PPP, however, is supported on interfaces.
Therefore, to enable PPP callback, you must enter the autoselect ppp command on the callback lines.
All current security mechanisms supported in Cisco IOS software are supported by the callback facility,
including the following:
• TACACS+
• Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol
(PAP) for PPP
• Per-user authentication for EXEC callback and ARA callback
The call originator must have the appropriate permissions set on the router before it can initiate a
callback session.
Callback is useful for two purposes:
• Cost savings on toll calls
For example, suppose it costs more to call from clients in Zone A to devices in Zone D than to call
from Zone D to Zone A—costs are lower when devices in Zone D call back clients in Zone A.
• Consolidation and centralization of phone billing
For example, if a corporation has 64 dial-in clients, enabling its routers to call back these clients
consolidates billing. Instead of 64 phone bills, the corporation receives one bill.
How to Configure Asynchronous Callback
To configure asynchronous callback, perform the tasks in the following sections:
• Configuring Callback PPP Clients (Required)
• Enabling PPP Callback on Outgoing Lines (Required)
• Enabling Callback Clients That Dial In and Connect to the EXEC Prompt (Required)
• Configuring Callback ARA Clients (Required)
See the section “Configuration Examples for Asynchronous Callback” at the end of this chapter for ideas
on how to implement asynchronous callback.
Configuring Callback PPP Clients
You can call back PPP clients that dial in to asynchronous interfaces. You can enable callback to the
following two types of PPP clients:
• Clients that implement PPP callback per RFC 1570 (as a Link Control Protocol, or LCP, negotiated
extension).
• Clients that do not negotiate callback but can put themselves in answer-mode, whereby a callback
from the router is accepted.
This section describes how to enable callback to each of these types of PPP clients.
Accepting Callback Requests from RFC-Compliant PPP Clients
To accept a callback request from an RFC 1570 PPP-compliant client, use the following command in
interface (asynchronous) configuration mode:
Command / Purpose
Router(config-if)# ppp callback accept
        Enables callback requests from RFC 1570 PPP-compliant clients on an asynchronous interface.
To configure Cisco IOS software to call back the originating PPP client, see the section “Enabling PPP
Callback on Outgoing Lines” later in this chapter.
Accepting Callback Requests from Non-RFC-Compliant PPP Clients Placing Themselves in Answer Mode
A PPP client can put itself in answer-mode and can still be called back by the router, even though it
cannot specifically request callback. To enable callback on the router to this type of client, use the
following command in interface (asynchronous) configuration mode:
Command / Purpose
Router(config-if)# ppp callback initiate
        Initiates callback requests from non-RFC 1570 PPP-compliant clients on an asynchronous interface.
To configure Cisco IOS software to call back the originating PPP client, see the next section, “Enabling
PPP Callback on Outgoing Lines.”
Enabling PPP Callback on Outgoing Lines
After enabling PPP clients to connect to an asynchronous interface and wait for a callback, you must
place one or more TTY lines in PPP mode. Although calls from PPP clients enter through an
asynchronous interface, the return calls exit on a line placed in PPP mode.
To enable PPP client callback on outgoing TTY lines, use the following commands beginning in global
configuration mode:
Command / Purpose
Step 1  Router(config)# chat-script script-name expect-send
        Defines a chat script to be applied when a PPP client requests callback.
Step 2  Router(config)# username name [callback-dialstring telephone-number]
        Specifies a per-username callback dial string.
Step 3  Router(config)# username name [callback-rotary rotary-group-number]
        Specifies a per-username rotary group for callback.
Step 4  Router(config)# username name [callback-line [tty] line-number [ending-line-number]]
        Specifies a per-username line or set of lines for callback.
Step 5  Router(config)# line [tty] line-number [ending-line-number]
        Enters line configuration mode.
Step 6  Router(config-line)# autoselect ppp
        Configures automatic PPP startup on a line or set of lines.
Step 7  Router(config-line)# login {authentication | local}
        Enables authentication on the line.
Step 8  Router(config-line)# script callback regexp
        Applies a chat script to a line or set of lines.
Step 9  Router(config-line)# callback forced-wait number-of-seconds
        Delays the callback for client modems that require a rest period before receiving a callback.
A client can issue a callback dial string; that dial string is used only if the dial string on the router is
specified as NULL or is not defined. The recommended PPP chat script follows:
chat-script name ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 30 CONNECT \c
See the section “Callback to a PPP Client Example” at the end of this chapter for a configuration
example.
Note Normally a router avoids line and modem noise by clearing the initial data received within the first
one or two seconds. However, when the autoselect PPP feature is configured, the router flushes
characters initially received and then waits for more traffic. This flush causes timeout problems with
applications that send only one carriage return. To ensure that the input data sent by a modem or other
asynchronous device is not lost after line activation, enter the no flush-at-activation line
configuration command.
Enabling Callback Clients That Dial In and Connect to the EXEC Prompt
You can call back clients that dial in to a TTY line and connect to the EXEC prompt. To enable callback,
use the following commands beginning in global configuration mode:
Command / Purpose
Step 1  Router(config)# service exec-callback
        Enables EXEC callback.
Step 2  Router(config)# chat-script script-name expect-send
        Defines a chat script to be applied when clients dial in to the EXEC prompt.
Step 3  Router(config)# username name [callback-dialstring telephone-number]
        Specifies a per-username callback dial string.
Step 4  Router(config)# username name [callback-rotary rotary-group-number]
        Specifies a per-username rotary group for callback.
Step 5  Router(config)# username name [callback-line [aux | tty] line-number [ending-line-number]]
        Specifies a per-username line or set of lines for callback.
Step 6  Router(config)# username name [nocallback-verify]
        Does not require authentication on EXEC callback.
Step 7  Router(config)# line [tty] line-number [ending-line-number]
        Enters line configuration mode.
Step 8  Router(config-line)# script callback regexp
        Applies a chat script to the line or a set of lines.
Step 9  Router(config-line)# callback forced-wait number-of-seconds
        Delays the callback for client modems that require a rest period before receiving a callback.
The recommended EXEC chat script follows:
chat-script name ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 30 CONNECT \c
See the section “Callback Clients That Connect to the EXEC Prompt Example” at the end of this chapter
for a configuration example.
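The dial-string rule stated for PPP callback on outgoing lines (a callback-dialstring configured on the router always wins; the client's requested number is used only when the router's string is NULL or not defined), together with the nocallback-verify option of EXEC callback, as an added Python model that is not Cisco code. The user database is a constructed sample patterned on the configuration examples at the end of this chapter; representing an undefined dial string as None and a NULL one as the empty string is an assumption of this model, as is the way the chat script's \T placeholder is expanded.

```python
# Added example (not Cisco code): which number a router dials back, on which
# lines, and whether it reauthenticates, following the rules in this chapter.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CallbackUser:
    name: str
    dialstring: Optional[str] = None        # None: not defined; "": NULL (assumption)
    rotary: Optional[int] = None            # callback-rotary
    lines: Optional[Tuple[int, int]] = None  # callback-line first/last
    nocallback_verify: bool = False         # EXEC callback only


# Constructed sample user database, patterned on the chapter's examples.
USERS = {
    "Ted": CallbackUser("Ted", dialstring="1234567", rotary=77),
    "milarepa": CallbackUser("milarepa", dialstring=""),
    "excalibur": CallbackUser("excalibur", dialstring="123456", lines=(7, 7)),
}

# The recommended chat script from the chapter; \T is replaced by the dial string.
CHAT_SCRIPT = 'ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \\T" TIMEOUT 30 CONNECT \\c'


def select_dial_string(user, client_requested):
    """Return the number the router will dial, or None if no callback can be placed.

    A router-side dial string always wins; the client's number is consulted only
    when the router's entry is NULL or undefined.
    """
    if user.dialstring:
        return user.dialstring
    return client_requested or None


def expand_chat_script(script, number):
    """Substitute the selected number for \\T (assumed expansion, for illustration)."""
    return script.replace("\\T", number)


def plan_callback(username, client_requested=None):
    """Describe the callback the router would place for a user, or None."""
    user = USERS.get(username)
    if user is None:
        return None                       # unknown user: nothing is dialed
    number = select_dial_string(user, client_requested)
    if number is None:
        return None                       # no number from either side
    return {
        "number": number,
        "client_number_used": not user.dialstring,
        "rotary": user.rotary,
        "lines": user.lines,
        "reauthenticate": not user.nocallback_verify,
        "modem_script": expand_chat_script(CHAT_SCRIPT, number),
    }


if __name__ == "__main__":
    print(plan_callback("Ted", client_requested="5550000"))
    print(plan_callback("milarepa", client_requested="5551234"))
    print(plan_callback("milarepa"))
```

The client_number_used flag makes the difference between the two username styles visible: for Ted the router dials 1234567 whatever number the client supplied, while for milarepa (NULL string) the return call goes wherever the client asked. The reauthenticate flag reflects the chapter's default that EXEC callback re-authenticates on reconnection unless nocallback-verify is set for that user.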
Configuring Callback ARA Clients
To configure callback of ARA clients, use the following commands beginning in global configuration
mode. These steps assume that you have already enabled AppleTalk routing and ARA.
Command / Purpose
Step 1  Router(config)# arap callback
        Enables callback to an ARA client.
Step 2  Router(config)# chat-script script-name expect-send
        Defines a chat script to be applied when an ARA client connects to a TTY line and requests callback.
Step 3  Router(config)# line [tty] line-number [ending-line-number]
        Enters line configuration mode.
Step 4  Router(config-line)# arap enable
        Enables ARA on the line.
Step 5  Router(config-line)# autoselect arap
        Configures automatic protocol startup on the line.
Step 6  Router(config-line)# login {authentication | local}
        Enables authentication on the line.
Step 7  Router(config-line)# script arap-callback regexp
        Applies an ARA-specific chat script to a line or set of lines.
Step 8  Router(config-line)# callback forced-wait number-of-seconds
        Delays the callback for client modems that require a rest period before receiving a callback.
Step 9  Router(config-line)# exit
        Returns to global configuration mode.
Step 10 Router(config)# username name [callback-dialstring telephone-number]
        Specifies a per-username callback dial string.
Step 11 Router(config)# username name [callback-rotary rotary-group-number]
        Specifies a per-username rotary group for callback.
Step 12 Router(config)# username name [callback-line [tty] line-number [ending-line-number]]
        Specifies a per-username line or set of lines for callback.
The recommended ARA chat script follows and includes vendor-specific extensions on the Telebit 3000
modem to disable error control. Refer to the manual for your modem for the specific commands to
disable error correction for ARA.
chat-script name ABORT ERROR ABORT BUSY "" "ATZ" OK "ATS180=0" OK "ATS181=1" OK "ATDT \T" TIMEOUT 60 CONNECT \c
See the section “Callback to an ARA Client Example” at the end of this chapter for an example of calling
back an ARA client.
Configuration Examples for Asynchronous Callback
The following sections provide asynchronous callback configuration examples:
• Callback to a PPP Client Example
• Callback Clients That Connect to the EXEC Prompt Example
• Callback to an ARA Client Example
Callback to a PPP Client Example
The following example shows the process of configuring callback to a PPP client on rotary 77. PAP
authentication is enabled for PPP on the asynchronous interfaces. The login local command enables
local username authentication on lines 7, 8, and 9. The remote PPP client host name is Ted, and the
callback number is fixed at 1234567.
username Ted callback-dialstring "1234567" callback-rotary 77 password Rhoda
interface async 7
ip unnumbered ethernet 0
encapsulation ppp
no keepalive
async default ip address 10.1.1.1
async mode interactive
ppp callback accept
ppp authentication pap
interface async 8
ip unnumbered ethernet 0
encapsulation ppp
no keepalive
async default ip address 10.1.1.2
async mode interactive
ppp callback accept
ppp authentication pap
interface async 9
ip unnumbered ethernet 0
encapsulation ppp
no keepalive
async default ip address 10.1.1.3
async mode interactive
ppp callback accept
ppp authentication pap
line 7
login local
modem InOut
rotary 77
autoselect ppp
line 8
login local
modem InOut
rotary 77
autoselect ppp
line 9
login local
modem InOut
rotary 77
autoselect ppp
Callback Clients That Connect to the EXEC Prompt Example
The following example shows the process to configure an outgoing callback on the same line as the
incoming request. The login local command enables local username authentication on lines 4 and 7.
Reauthentication is required upon reconnection.
service exec-callback
username milarepa callback-dialstring "" password letmein
line 4
login local
line 7
login local
Callback to an ARA Client Example
The following example shows the process of configuring callback to an ARA client on line 7. The login
local command enables local username authentication on lines 4 and 7. Line 7 will always be used for
ARA callback, whether the incoming call enters line 4, 7, or 8.
appletalk routing
arap callback
arap network 422 router test
username excalibur callback-dialstring "123456" callback-line 7 password guenivere
line 4
login local
modem InOut
autoselect arap
arap enable
line 7
login local
modem InOut
autoselect arap
arap enable
line 8
login local
modem InOut
autoselect arap
arap enable
Configuring PPP Callback
This chapter describes how to configure PPP callback for dial-on-demand routing (DDR). It includes the
following main sections:
• PPP Callback for DDR Overview
• How to Configure PPP Callback for DDR
• MS Callback Overview
• How to Configure MS Callback
• Configuration Examples for PPP Callback
This feature implements the following callback specifications of RFC 1570:
• For the client—Option 0, location is determined by user authentication.
• For the server—Option 0, location is determined by user authentication; Option 1, dialing string;
and Option 3, E.164 number.
Return calls are made through the same dialer rotary group but not necessarily the same line as the initial
call.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the PPP callback commands mentioned in this chapter, refer to the Cisco
IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in
this chapter, use the command reference master index or search online.
PPP Callback for DDR Overview
PPP callback provides a client/server relationship between the endpoints of a point-to-point connection.
PPP callback allows a router to request that a dialup peer router call back. The callback feature can be
used to control access and toll costs between the routers.
When PPP callback is configured on the participating routers, the calling router (the callback client)
passes authentication information to the remote router (the callback server), which uses the host name
and dial string authentication information to determine whether to place a return call. If the
authentication is successful, the callback server disconnects and then places a return call. The remote
username of the return call is used to associate it with the initial call so that packets can be sent.
Both routers on a point-to-point link must be configured for PPP callback; one must function as a
callback client and one must be configured as a callback server. The callback client must be configured
to initiate PPP callback requests, and the callback server must be configured to accept PPP callback
requests and place return calls.
See the section “MS Callback Overview” later in this chapter if you are using PPP callback between a
Cisco router or access server and client devices configured for Windows 95 and Windows NT.
Note If the return call fails (because the line is not answered or the line is busy), no retry occurs. If the
callback server has no interface available when attempting the return call, it does not retry.
How to Configure PPP Callback for DDR
To configure PPP callback for DDR, perform the following tasks:
• Configuring a Router as a Callback Client (Required)
• Configuring a Router as a Callback Server (Required)
For an example of configuring PPP callback, see the section “Configuration Examples for PPP Callback”
at the end of this chapter.
Configuring a Router as a Callback Client
To configure a router interface as a callback client, use the following commands beginning in global
configuration mode:
Step 1  Router(config)# interface type number
        Specifies the interface and enters interface configuration mode.
Step 2  Router(config-if)# dialer in-band [no-parity | odd-parity]
        Enables DDR. Specifies parity, if needed, on synchronous or asynchronous serial interfaces.
Step 3  Router(config-if)# encapsulation ppp
        Enables PPP encapsulation.
Step 4  Router(config-if)# ppp authentication {chap | pap}
        Enables CHAP or PAP authentication.
Step 5  Router(config-if)# dialer map protocol next-hop-address name hostname dial-string
        Maps the next hop address to the host name and phone number.
Step 6  Router(config-if)# ppp callback request
        Enables the interface to request PPP callback for this callback map class.
Step 7  Router(config-if)# dialer hold-queue packets timeout seconds
        (Optional) Configures a dialer hold queue to store packets for this callback map class.
Configuring a Router as a Callback Server
To configure a router as a callback server, use the following commands beginning in global configuration
mode:
Step 1  Router(config)# interface type number
        Specifies the interface and enters interface configuration mode.
Step 2  Router(config-if)# dialer in-band [no-parity | odd-parity]
        Enables DDR. Specifies parity, if needed, on synchronous or asynchronous serial interfaces.
Step 3  Router(config-if)# encapsulation ppp
        Enables PPP encapsulation.
Step 4  Router(config-if)# ppp authentication {chap | pap}
        Enables CHAP or PAP authentication.
Step 5  Router(config-if)# dialer map protocol next-hop-address name hostname class classname dial-string
        Maps the next hop address to the host name and phone number, using the name of the map class
        established for PPP callback on this interface.
Step 6  Router(config-if)# dialer hold-queue number timeout seconds
        (Optional) Configures a dialer hold queue to store packets to be transferred when the callback
        connection is established.
Step 7  Router(config-if)# dialer enable-timeout seconds
        (Optional) Configures a timeout period between calls.
Step 8  Router(config-if)# ppp callback accept
        Configures the interface to accept PPP callback.
Step 9  Router(config-if)# isdn fast-rollover-delay seconds
        (ISDN only) Configures the time to wait before another call is placed on a B channel to allow the
        prior call to be torn down completely.
Step 10 Router(config-if)# dialer callback-secure
        (Optional) Enables callback security, if desired.
Step 11 Router(config-if)# exit
        Returns to global configuration mode.
Step 12 Router(config)# map-class dialer classname
        Configures a dialer map class for PPP callback and enters map-class configuration mode.
Step 13 Router(config-map-class)# dialer callback-server [username]
        Configures a dialer map class as a callback server.
Note On the PPP callback server, the dialer enable-timeout command functions as the timer for returning
calls to the callback client.
MS Callback Overview
MS Callback provides client/server callback services for Microsoft Windows 95 and Microsoft
Windows NT clients. MS Callback supports the Microsoft Callback Control Protocol (MSCB). MSCB
is a Microsoft proprietary protocol that is used by Windows 95 and Windows NT clients. MS Callback
supports negotiated PPP Link Control Protocol (LCP) extensions initiated and agreed upon by the
Microsoft client. The MS Callback feature is added to existing PPP Callback functionality. Therefore, if
you configure your Cisco access server to perform PPP Callback using Cisco IOS Release 11.3(2)T or
later, MS Callback is automatically available.
MS Callback supports authentication, authorization, and accounting (AAA) security models using a
local database or AAA server.
MSCB uses LCP callback options with suboption type 6. The Cisco MS Callback feature supports clients
with a user-specified callback number and a server-specified (preconfigured) callback number.
MS Callback does not affect non-Microsoft machines that implement standard PPP LCP extensions as
described in RFC 1570. In this scenario, MS Callback is transparent.
The following are restrictions of the MS Callback feature:
• The Cisco access server and client must be configured for PPP and PPP callback.
• The router or access server must be configured to use CHAP or PAP authentication.
• MS Callback is only supported on the Public Switched Telephone Network (PSTN) and ISDN links.
• MS Callback is only supported for IP.
How to Configure MS Callback
If you configure the Cisco access server for PPP callback, MS Callback is enabled by default. You need
not configure additional parameters on the Cisco access server. If an interface is configured to accept
PPP callbacks, and a client attempts to cancel the callback, Cisco IOS software will refuse the request
and disconnect the client. If a client is allowed to cancel callbacks, the ppp callback permit command
must be configured on the interface.
To debug PPP connections using MS Callback, see the debug ppp cbcp command in the Cisco IOS
Debug Command Reference publication.
For more information on configuring MS Callback, see the following URL:
http://www.cisco.com/en/US/customer/tech/tk801/tk36/technologies_configuration_example09186a0080094338.shtml
Configuration Examples for PPP Callback
The following example configures a PPP callback server and client to call each other. The PPP callback
server is configured on an ISDN BRI interface in a router in Atlanta. The callback server requires an
enable timeout and a map class to be defined. The PPP callback client is configured on an ISDN BRI
interface in a router in Dallas. The callback client does not require an enable timeout and a map class to
be defined. The dialer map command is not required on the Cisco access server when MS Callback is
enabled.
PPP Callback Server
interface bri 0
ip address 10.1.1.7 255.255.255.0
encapsulation ppp
dialer callback-secure
dialer enable-timeout 2
dialer map ip 10.1.1.8 name class1 class dial1 81012345678901
dialer-group 1
ppp callback accept
ppp authentication chap
!
map-class dialer dial1
dialer callback-server user1
PPP Callback Client
interface bri 0
ip address 10.1.1.8 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.7 name class2 81012345678902
dialer-group 1
ppp callback request
ppp authentication chap
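The server-side decision path this chapter describes (authenticate, look up the caller's host name in the dialer map and its map class, disconnect, return the call after dialer enable-timeout, never retry, refuse an MS Callback cancel unless ppp callback permit is configured), as an added example that is not Cisco IOS code. The host name "dallas", the secret, and the treatment of dialer callback-secure (an unconfigured caller is disconnected rather than kept up) are assumptions; the dial string is the one from the Atlanta example above.

```python
"""Model of the PPP callback server decision path described in this chapter.
Added example (not Cisco IOS code): simulates the documented behaviour so the
control flow can be checked offline. Host names, secrets and the pending-call
bookkeeping are constructed; the callback-secure handling is an assumption."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DialerMap:
    """One 'dialer map ip next-hop name hostname [class classname] dial-string'."""
    next_hop: str
    hostname: str
    dial_string: str
    map_class: Optional[str] = None


@dataclass
class CallbackServer:
    """Interface with 'ppp callback accept'; callback_classes holds the map-class
    names configured with 'dialer callback-server'."""
    dialer_maps: List[DialerMap]
    callback_classes: Set[str]
    secrets: Dict[str, str]            # local username/password database (constructed)
    enable_timeout: int = 2            # 'dialer enable-timeout 2', as in the Atlanta example
    callback_secure: bool = True       # 'dialer callback-secure' (assumed meaning, see below)
    callback_permit: bool = False      # 'ppp callback permit' (MS Callback cancel allowed)
    pending: Dict[str, str] = field(default_factory=dict)   # hostname -> dial string


def authenticate(server: CallbackServer, hostname: str, secret: str) -> bool:
    """Stand-in for CHAP/PAP: constant-time compare against the local database."""
    expected = server.secrets.get(hostname)
    return expected is not None and hmac.compare_digest(expected, secret)


def handle_initial_call(server: CallbackServer, hostname: str, secret: str,
                        request_callback: bool, cancel_callback: bool = False) -> dict:
    """Decide what the callback server does with an incoming call."""
    if not authenticate(server, hostname, secret):
        return {"action": "disconnect", "reason": "authentication failed"}
    if not request_callback:
        return {"action": "accept", "reason": "no callback requested"}
    # MS Callback: a client that tries to cancel the callback is refused and
    # disconnected unless 'ppp callback permit' is configured on the interface.
    if cancel_callback:
        if server.callback_permit:
            return {"action": "accept", "reason": "client cancelled callback"}
        return {"action": "disconnect", "reason": "callback cancel not permitted"}
    entry = next((m for m in server.dialer_maps if m.hostname == hostname), None)
    configured = entry is not None and entry.map_class in server.callback_classes
    if not configured:
        # Assumption: with callback-secure the unconfigured caller is dropped;
        # without it the initial call simply stays up as an ordinary session.
        if server.callback_secure:
            return {"action": "disconnect", "reason": "host not configured for callback"}
        return {"action": "accept", "reason": "host not configured for callback"}
    # Disconnect now; the return call is placed after dialer enable-timeout
    # seconds to the dial string from the server's own dialer map.
    server.pending[hostname] = entry.dial_string
    return {"action": "callback", "dial_string": entry.dial_string,
            "delay_seconds": server.enable_timeout}


def place_return_call(server: CallbackServer, hostname: str, line_answered: bool,
                      remote_username: str) -> dict:
    """One attempt only: a busy or unanswered line is not retried. The return
    call is tied to the initial call through the remote username."""
    dial_string = server.pending.pop(hostname, None)
    if dial_string is None:
        return {"action": "none", "reason": "no pending callback"}
    if not line_answered:
        return {"action": "failed", "reason": "busy or no answer; no retry"}
    if remote_username != hostname:
        return {"action": "failed", "reason": "remote username does not match initial call"}
    return {"action": "connected", "dial_string": dial_string}


def example_server() -> CallbackServer:
    """Server side of the Atlanta/Dallas example; 'dallas' and the secret are constructed."""
    return CallbackServer(
        dialer_maps=[DialerMap("10.1.1.8", "dallas", "81012345678901", "dial1")],
        callback_classes={"dial1"},
        secrets={"dallas": "constructed-secret"},
    )


if __name__ == "__main__":
    srv = example_server()
    print(handle_initial_call(srv, "dallas", "constructed-secret", True))
    print(place_return_call(srv, "dallas", True, "dallas"))
```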
Configuring ISDN Caller ID Callback
This chapter describes how to configure the ISDN Caller ID Callback feature. It includes the following
main sections:
• ISDN Caller ID Callback Overview
• How to Configure ISDN Caller ID Callback
• Monitoring and Troubleshooting ISDN Caller ID Callback
• Configuration Examples for ISDN Caller ID Callback
The ISDN Caller ID Callback feature conflicts with dialer callback security inherent in the dialer profiles
feature for dial-on-demand routing (DDR). If dialer callback security is configured, it takes precedence;
ISDN caller ID callback is ignored.
Caller ID screening requires a local switch that is capable of delivering the caller ID to the router or
access server. If you enable caller ID screening but do not have such a switch, no calls will be allowed in.
ISDN caller ID callback requires DDR to be configured and bidirectional dialing to be working between
the calling and callback routers. Detailed DDR prerequisites depend on whether you have configured
legacy DDR or dialer profiles.
For a legacy DDR configuration, ISDN caller ID callback has the following prerequisite:
• A dialer map command is configured for the dial string that is used in the incoming call setup
message. The dial string is used in the callback.
For a dialer profiles configuration, ISDN caller ID callback has the following prerequisites:
• A dialer caller command is configured to screen for the dial-in number.
• A dialer string command is configured with the number to use in the callback.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the ISDN caller ID callback commands mentioned in this chapter, refer to
the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other
commands that appear in this chapter, use the command reference master index or search online.
ISDN Caller ID Callback Overview
ISDN caller ID callback allows the initial incoming call from the client to the server to be rejected on
the basis of the caller ID message contained in the ISDN setup message, and it allows a callback to be
initiated to the calling destination.
Before Cisco IOS Release 11.2 F, ISDN callback functionality required PPP or Combinet Packet
Protocol (CPP) client authentication and client/server callback negotiation to proceed. If authentication
and callback negotiation were successful, the callback server had to disconnect the call and then place a
return call. Both the initial call and the return call were subject to tolls, and when service providers
charge by the minute, even brief calls could be expensive.
This feature is independent of the encapsulation in effect and can be used with various encapsulations,
such as PPP, High-Level Data Link Control (HDLC), Frame Relay, and X.25.
The ISDN Caller ID Callback feature allows users to control costs because charges do not apply to the
initial, rejected call.
ISDN caller ID callback allows great flexibility for you to define which calls to accept, which to deny,
and which calls to reject initially but for which the router should initiate callback. The feature works by
using existing ISDN caller ID screening, which matches the number in the incoming call against
numbers configured on the router, determining the best match for the number in the incoming call, and
then, if configured, initiating callback to the number configured on the router.
When a call is received, the entire list of configured numbers is checked and the configuration of the best
match number determines the action:
• If the incoming number is best matched by a number that is configured for callback, the incoming
call is rejected and callback is initiated.
• If the incoming number is best matched by another entry in the list of configured numbers, the call
is accepted.
• If the incoming number does not match any entry in the configured list, the call is rejected and no
callback is started.
“Don’t care” characters are allowed in the caller ID screening configuration on the router and are used
to determine the best match.
For more information and examples, see the “Best Match System Examples” section later in this
document.
Callback After the Best Match Is Determined
The details of router activities after the router finds a best match with callback depend on the DDR
feature that is configured. The ISDN Caller ID Callback feature works with the following DDR features:
• Legacy DDR
• Dialer Profiles
Legacy DDR
If legacy DDR is configured for the host or user that is identified in the incoming call message, the router
performs the following actions:
1. Checks the table of configured numbers for caller ID callback.
2. Searches the dialer map entries for a number that “best matches” the incoming call string.
3. Waits for a configured length of time to expire.
4. Initiates callback to the number provided in the dialer map command.
Dialer Profiles
If the dialer profiles are configured for the host or user identified in the incoming call message, the router
performs the following actions:
1. Searches through all the dialer pool members to match the incoming call number to a dialer caller
number.
2. Initiates a callback to the dialer profile.
3. Waits for a configured length of time to expire.
4. Calls the number identified in the dialer string command associated with the dialer profile.
Timing and Coordinating Callback on Both Sides
When an incoming call arrives and the router finds a best match configured for callback, the router uses
the value configured by the dialer enable-timeout command to determine the length of time to wait
before making the callback.
The minimum value of the timer is 1 second; the default value of the timer is 15 seconds. The interval
set for this feature on the router must be much less than that set for DDR fast call rerouting for ISDN
(that interval is set by the dialer wait-for-carrier-time command) on the calling (remote) side. We
recommend setting the dialer wait-for-carrier timer on the calling side to twice the length of the dialer
enable-timeout timer on the callback side.
Note The remote site cannot be configured for multiple dial-in numbers because a busy callback number
or a rejected call causes the second number to be tried. That number might be located at a different
site, defeating the purpose of the callback.
How to Configure ISDN Caller ID Callback
To configure ISDN caller ID callback, perform the tasks in the following sections. The required
configuration tasks depend on whether you have configured legacy DDR or dialer profiles.
• Configuring ISDN Caller ID Callback for Legacy DDR (As required)
• Configuring ISDN Caller ID Callback for Dialer Profiles (As required)
For configuration examples, see the section “Configuration Examples for ISDN Caller ID Callback” at
the end of this chapter.
Configuring ISDN Caller ID Callback for Legacy DDR
This section provides configuration tasks for the local (server, callback) side and the remote (client,
calling) side.
On the callback (local) side, to configure ISDN caller ID callback when legacy DDR is configured, use
the following commands in interface configuration mode:
Step 1  Router(config-if)# isdn caller remote-number callback
        Configures caller ID screening and callback when a dialer rotary is not configured.
        or
        Router(config-if)# dialer caller number callback
        Configures caller ID screening and callback when a dialer rotary (dialer interface) is configured.
Step 2  Router(config-if)# dialer enable-timeout seconds
        Configures the time to wait before initiating callback.
On the calling (remote) side, to set the timer for fast call rerouting, use the following command in
interface configuration mode:
        Router(config-if)# dialer wait-for-carrier-time seconds
        Changes the ISDN fast call rerouting timer to double the length of the enable timeout timer.
Configuring ISDN Caller ID Callback for Dialer Profiles
This section provides configuration tasks for the local side and the remote side.
On the callback (local) side, to configure ISDN caller ID callback when the dialer profiles are
configured, use the following commands in interface configuration mode:
Step 1  Router(config-if)# dialer caller number callback
        Configures caller ID screening and callback.
Step 2  Router(config-if)# dialer enable-timeout seconds
        Configures the time to wait before initiating callback.
On the calling (remote) side, to set the timer for fast call rerouting, use the following command in
interface configuration mode:
        Router(config-if)# dialer wait-for-carrier-time seconds
        Changes the ISDN fast call rerouting timer to double the length of the enable timeout timer.
Monitoring and Troubleshooting ISDN Caller ID Callback
To monitor and troubleshoot ISDN caller ID callback, use the following commands in EXEC mode as
needed:
        Router# show dialer
        Displays information about the status and configuration of the ISDN interface on the router.
        Router# debug isdn event
        Displays ISDN events occurring on the user side (on the router) of the ISDN interface. The ISDN
        events that can be displayed are Q.931 events (call setup and tear down of ISDN network connections).
        Router# debug isdn q931
        Displays Layer 3 signaling messages, protocol transitions and processes, the line protocol state, and
        the channel IDs for each ISDN interface.
Configuration Examples for ISDN Caller ID Callback
The following sections provide ISDN caller ID callback configuration examples:
• Best Match System Examples
• Simple Callback Configuration Examples
• ISDN Caller ID Callback with Dialer Profiles Examples
• ISDN Caller ID Callback with Legacy DDR Example
Best Match System Examples
The best match is determined by matching the incoming number against the numbers in the configured
callback commands, starting with the right-most character in the numbers and using the letter X for any
“don’t care” characters in the configured commands. If multiple configured numbers match an incoming
number, the best match is the one with the fewest “don’t care” characters.
The reason for using a system based on right-most matching is that a given number can be represented
in many different ways. For example, all the following items might be used to represent the same
number, depending on the circumstances (international call, long-distance domestic call, call through a
PBX, and so forth):
011 1 408 555 7654
1 408 555 7654
408 555 7654
555 7654
5 7654
Best Match Based on the Number of “Don’t Care” Characters Example
The following example assumes that you have an incoming call from one of the numbers from the
previous example entered (4085557654), and that you configured the following numbers for callback on
the router (disregarding for the moment the commands that can be used to configure callback):
555xxxx callback
5552xxx callback
555865x
5554654 callback
xxxxx
The first number listed is the best match for the incoming number (in the configured number, the three
numbers and four Xs all match the incoming number); the line indicates that callback is to be initiated.
The last line has five Xs; it is not the best match for the calling number.
Note The last number in the list shown allows calls from any other number to be accepted without callback.
When you use such a line, you must make sure that the number of Xs in the line exceeds the number
of Xs in any other line. In the last line, five Xs are used; the other lines use at most four Xs.
The order of configured numbers is not important; the router searches the entire list and then
determines the best match.
Best Match with No Callback Configured Example
The following example assumes that a call comes from the same number (4085557654) and that only the
following numbers are configured:
5552xxx callback
555865x
5554654 callback
xxxxx
In this case, the best match is in the final line listed, so the incoming call is accepted but callback is not
initiated.
No Match Configured Example
The following example assumes that a call comes from the same number (4085557654) and that only the
following numbers are configured:
5552xxx callback
555865x
5554654 callback
In this case, there is no match at all, and the call is just rejected.
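The best-match rule and the three outcomes walked through in the examples above, implemented as an added example that is not Cisco IOS code; it also performs the legacy DDR dialer map lookup that follows a callback match and checks the catch-all rule from the Note. Treating a configured pattern that is longer than the incoming number as no match, and keeping the first entry on a tie, are assumptions; the sample numbers are taken from this chapter's examples.

```python
"""Best-match caller ID screening for ISDN caller ID callback, as described in
this chapter. Added example (not Cisco IOS code): the right-most matching rule
with 'x' as a don't-care digit, the three-way decision, the catch-all check from
the Note above, and the legacy DDR dialer map lookup after a callback match."""
import re
from typing import List, Optional, Tuple

Entry = Tuple[str, bool]          # (configured number, callback flag)

CALLER_RE = re.compile(r"^\s*(?:isdn|dialer) caller\s+(\S+)(\s+callback)?\s*$")


def parse_caller_entries(config: str) -> List[Entry]:
    """Collect entries from 'isdn caller N [callback]' / 'dialer caller N [callback]'
    lines; any other configuration line is ignored."""
    entries = []
    for line in config.splitlines():
        m = CALLER_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2) is not None))
    return entries


def wildcards(number: str) -> int:
    """Number of don't-care characters in a configured number."""
    return sum(1 for c in number if c.lower() == "x")


def matches_from_right(pattern: str, incoming: str) -> bool:
    """Compare starting with the right-most character; 'x' matches any digit.
    A pattern longer than the incoming number is treated as no match (assumption)."""
    if len(pattern) > len(incoming):
        return False
    return all(p.lower() == "x" or p == d
               for p, d in zip(reversed(pattern), reversed(incoming)))


def best_match(incoming: str, entries: List[Entry]) -> Optional[Entry]:
    """Matching entry with the fewest don't-care characters; configuration order
    does not matter. Ties keep the first configured entry (assumption)."""
    best = None
    for number, callback in entries:
        if matches_from_right(number, incoming):
            if best is None or wildcards(number) < wildcards(best[0]):
                best = (number, callback)
    return best


def screen_call(incoming: str, entries: List[Entry]) -> str:
    """'callback': reject the call and call back; 'accept'; 'reject': no match at all."""
    match = best_match(incoming, entries)
    if match is None:
        return "reject"
    return "callback" if match[1] else "accept"


def catch_all_ok(entries: List[Entry]) -> bool:
    """Check the Note's rule: an all-X catch-all line must use more Xs than any
    other line, or it can outrank a more specific entry. True when no catch-all."""
    catch_alls = [wildcards(n) for n, _ in entries if wildcards(n) == len(n)]
    others = [wildcards(n) for n, _ in entries if wildcards(n) != len(n)]
    if not catch_alls:
        return True
    return min(catch_alls) > max(others, default=-1)


def legacy_ddr_callback(incoming: str, entries: List[Entry],
                        dialer_maps: List[Tuple[str, str, str]],
                        enable_timeout: int = 15) -> Optional[Tuple[str, str, int]]:
    """Legacy DDR steps after a callback match: find the dialer map (next_hop,
    hostname, dial_string) whose dial string best matches the incoming number,
    then call it after 'dialer enable-timeout' seconds (default 15). Dial strings
    carry no Xs, so the first right-most match is the best one."""
    if screen_call(incoming, entries) != "callback":
        return None
    for _next_hop, hostname, dial_string in dialer_maps:
        if matches_from_right(dial_string, incoming):
            return (hostname, dial_string, enable_timeout)
    return None


# Constructed sample: the 'Simple Callback Configuration Examples' lines from this chapter.
SIMPLE_CONFIG = """\
isdn caller 408555xxxx callback
isdn caller 408556xxxx callback
isdn caller xxxxx
"""

if __name__ == "__main__":
    entries = parse_caller_entries(SIMPLE_CONFIG)
    for number in ("4085551234", "4085571234", "1234"):
        print(number, screen_call(number, entries))
```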
Simple Callback Configuration Examples
The following example assumes that callback calls will be made only to numbers in the 555 and 556
exchanges but that any other number can call in:
isdn caller 408555xxxx callback
isdn caller 408556xxxx callback
isdn caller xxxxx
The following example configures the router to accept a call with a delivered caller ID
equal to 4155551234:
isdn caller 4155551234
The following example configures the router to accept a call with a delivered caller ID equal to 41555512
with any digits in the last two positions:
isdn caller 41555512xx
The following example configures the router to make a callback to a delivered caller ID equal
to 41555512 with any digits in the last two positions. (The router rejects the call initially, and then makes
the callback.) The router accepts calls from any other numbers.
isdn caller 41555512xx callback
isdn caller xxx
ISDN Caller ID Callback with Dialer Profiles Examples
The following example shows the configuration of a central site that can place or receive calls from three
remote sites over four ISDN BRI lines. Each remote site is on a different IP subnet and has different
bandwidth requirements. Therefore, three dialer interfaces and three dialer pools are defined.
! This is a dialer profile for reaching remote subnetwork 10.1.1.1.
interface dialer 1
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer remote-name Smalluser
dialer string 4540
dialer pool 3
dialer-group 1
dialer caller 14802616900 callback
dialer caller 1480262xxxx callback
!
! This is a dialer profile for reaching remote subnetwork 10.2.2.2.
interface dialer 2
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name Mediumuser
dialer string 5264540 class Eng
dialer load-threshold 50 either
dialer pool 1
dialer-group 2
dialer caller 14805364540 callback
dialer caller 1480267xxxx callback
dialer enable-timeout 2
!
! This is a dialer profile for reaching remote subnetwork 10.3.3.3.
interface dialer 3
ip address 10.3.3.3 255.255.255.0
encapsulation ppp
dialer remote-name Poweruser
dialer string 4156884540 class Eng
dialer hold-queue 10
dialer load-threshold 80
dialer pool 2
dialer-group 2
!
! This map class ensures that these calls use an ISDN speed of 56 kbps.
map-class dialer Eng
isdn speed 56
!
interface bri 0
encapsulation PPP
! BRI 0 has a higher priority than BRI 1 in dialer pool 1.
dialer pool-member 1 priority 100
ppp authentication chap
!
interface bri 1
encapsulation ppp
dialer pool-member 1 priority 50
dialer pool-member 2 priority 50
! BRI 1 has a reserved channel in dialer pool 3; the channel remains inactive
! until BRI 1 uses it to place calls.
dialer pool-member 3 min-link 1
ppp authentication chap
!
interface bri 2
encapsulation ppp
! BRI 2 has a higher priority than BRI 1 in dialer pool 2.
dialer pool-member 2 priority 100
ppp authentication chap
!
interface bri 3
encapsulation ppp
! BRI 3 has the highest priority in dialer pool 2.
dialer pool-member 2 priority 150
ppp authentication chap
ISDN Caller ID Callback with Legacy DDR Example
This section provides two examples of caller ID callback with legacy DDR:
• Individual Interface Example
• Dialer Rotary Group Example
Individual Interface Example
The following example configures a BRI interface for legacy DDR and ISDN caller ID callback:
interface bri 0
description Connected to NTT 81012345678901
ip address 10.1.1.7 255.255.255.0
no ip mroute-cache
encapsulation ppp
isdn caller 81012345678902 callback
dialer enable-timeout 2
dialer map ip 10.1.1.8 name spanky 81012345678902
dialer-group 1
ppp authentication chap
Dialer Rotary Group Example
The following example configures BRI interfaces to connect into a rotary group (dialer group) and then
configures a dialer interface for that dialer group. This configuration permits IP packets to trigger calls.
The dialer interface is configured to initiate callback to any number in the 1-480-261 exchange and to
accept calls from two other specific numbers.
interface bri 0
description connected into a rotary group
encapsulation ppp
dialer rotary-group 1
!
interface bri 1
no ip address
encapsulation ppp
dialer rotary-group 1
!
interface bri 2
encapsulation ppp
dialer rotary-group 1
!
interface bri 3
no ip address
encapsulation ppp
dialer rotary-group 1
!
interface bri 4
encapsulation ppp
dialer rotary-group 1
!
interface dialer 1
description Dialer group controlling the BRIs
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer map ip 10.1.1.2 name angus 14802616900
dialer map ip 10.1.1.3 name shamus 14802616901
dialer map ip 10.1.1.4 name larry 14807362060
dialer map ip 10.1.1.5 name wally 19165561424
dialer map ip 10.1.1.6 name shemp 12129767448
dialer-group 1
ppp authentication chap
!
dialer caller 1480261xxxx callback
dialer caller 19165561424
dialer caller 12129767448
!
dialer-list 1 protocol ip permit
Configuring BACP
This chapter describes how to configure the Bandwidth Allocation Control Protocol (BACP), described
in RFC 2125. It includes the following main sections:
• BACP Overview
• How to Configure BACP
• Monitoring and Maintaining Interfaces Configured for BACP
• Troubleshooting BACP
• Configuration Examples for BACP
BACP requires a system only to have the knowledge of its own phone numbers and link types. A system
must be able to provide the phone numbers and link type to its peer to satisfy the call control mechanism.
(Certain situations might not be able to satisfy this requirement; numbers might not be present because
of security considerations.)
BACP is designed to operate in both the virtual interface environment and the dialer interface
environment. It can operate over any physical interface that is Multilink PPP-capable and has a dial
capability; at initial release, BACP supports ISDN and asynchronous serial interfaces.
The addition of any link to an existing multilink bundle is controlled by a Bandwidth Allocation Protocol
(BAP) call or callback request message, and the removal of a link can be controlled by a link drop
message.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the PPP BACP commands in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference, Release 12.2. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
BACP Overview
The BACP provides Multilink PPP (MLP) peers with the ability to govern link utilization. Once peers
have successfully negotiated BACP, they can use the BAP, which is a subset of BACP, to negotiate
bandwidth allocation. BAP provides a set of rules governing dynamic bandwidth allocation through call
control; a defined method for adding and removing links from a multilink bundle for Multilink PPP is
used.
BACP provides the following benefits:
• Allows multilink implementations to interoperate by providing call control through the use of link
types, speeds, and telephone numbers.
• Controls thrashing caused by links being brought up and removed in a short period of time.
• Ensures that both ends of the link are informed when links are added or removed from a multilink
bundle.
For simplicity, the remaining text of this chapter makes no distinction between BACP and BAP; only
BACP is mentioned.
BACP Configuration Options
PPP BACP can be configured to operate in the following ways:
• Passive mode (default)—The system accepts incoming calls; the calls might request callback,
addition of a link, or removal of a link from a multilink bundle. The system also monitors the
multilink load by default.
Passive mode is for virtual template interfaces or for dialer interfaces.
• Active mode—The system initiates outbound calls, sets the parameters for outbound calls, and
determines whether links should be added to or removed from a multilink bundle. The system also
monitors the multilink load by default.
Active mode is for dialer interfaces, but not for virtual template interfaces. (If you attempt to
configure active mode on a virtual template interface, no calls will be made.)
A virtual or dialer interface must be configured either to make call requests or to make callback requests,
but it cannot be configured to do both.
Support of BACP on virtual interfaces in a Multichassis Multilink PPP (MMP) environment is
restricted to incoming calls on the multilink group. Support of BACP for outgoing calls is provided by
dialer interface configuration only.
BACP supports only ISDN and asynchronous serial interfaces.
Dialer support is provided only for legacy dial-on-demand routing (DDR) dialer configurations; BACP
cannot be used in conjunction with the DDR dialer profiles feature.
BACP is configured on virtual template interfaces and physical interfaces that are multilink capable. For
both the virtual template interfaces and the dialer interfaces, BACP requires MMP and bidirectional
dialing to be working between the routers that will negotiate control and allocation of bandwidth for the
multilink bundle.
How to Configure BACP
Before you configure BACP on an interface, determine the following important information. The router
might be unable to connect to a peer if this information is incorrect.
• Type of link (ISDN or analog) to be used. Link types must match on the local and remote ends of
the link.
• Line speed needed to reach the remote peer. The speed configured for the local physical interface
must be at least that of the link. The bandwidth command or the dialer map command with the
speed keyword can be used.
• Local telephone number to be used for incoming PPP BACP calls, if it is different from a rotary
group base number or if incoming PPP BACP calls should be directed to a specific number.
During negotiations with a peer, PPP BACP might respond with a telephone number delta,
indicating that the peer should modify certain digits of the dialed phone number and dial again to
reach the PPP BACP interface or to set up another link.
BACP can be configured on a virtual template interface or on a dialer interface (including dialer rotary
groups and ISDN interfaces).
To configure BACP on a selected interface or interface template, perform the following tasks in the order
listed:
• Enabling BACP (Required)
Passive mode is in effect and the values of several parameters are set by default when PPP BACP is
enabled. If you can accept all the passive mode parameters, do not continue with the tasks.
• Modifying BACP Passive Mode Default Settings (As required)
or
• Configuring Active Mode BACP (As required)
Note You can configure one interface in passive mode and another in active mode so that one interface
accepts incoming call requests and makes callback requests (passive mode), and the other interface
makes call requests and accepts callback requests (active mode).
A dialer or virtual template interface should be configured to reflect the required dial capability of
the interface. A dial-in pool (in passive mode) might have no requirement to dial out but might want
remote users to add multiple links, with the remote user incurring the cost of the call. Similarly, a
dial-out configuration (active mode) suggests that the router is a client, rather than a server, on that
link. The active-mode user incurs the cost of additional links.
You might need to configure a base telephone number, if it is applicable to your dial-in environment.
This number is one that remote users can dial to establish a connection. Otherwise, individual PPP BACP
links might need numbers. Information is provided in the task lists for configuring passive mode or
active mode PPP BACP. See the ppp bap number command options in the task lists.
You can also troubleshoot BACP configuration and operations and monitor interfaces configured for PPP
BACP. For details, see the “Troubleshooting BACP” and “Monitoring and Maintaining Interfaces
Configured for BACP” sections later in this chapter.
See the section “Configuration Examples for BACP” at the end of this chapter for examples of PPP
BACP configuration.
Enabling BACP
To enable PPP bandwidth allocation control and dynamic allocation of bandwidth, use one of the
following commands in interface configuration mode:
Command    Purpose
Router(config-if)# ppp multilink bap    Enables PPP BACP bandwidth allocation negotiation.
or
Router(config-if)# ppp multilink bap required    Enables PPP BACP bandwidth allocation negotiation and enforces mandatory negotiation of BACP for the multilink bundle.
When PPP BACP is enabled, it is in passive mode by default and the following settings are in effect:
• Allows a peer to initiate link addition.
• Allows a peer to initiate link removal.
• Requests that a peer initiate link addition.
• Waits 20 seconds before timing out on pending actions.
• Waits 3 seconds before timing out on not receiving a response from a peer.
• Makes only one attempt to call a number.
• Makes up to three retries for sending a request.
• Searches for and logs up to five free dialers.
• Makes three attempts to send a call status indication.
• Adds only ISDN links to a multilink bundle.
• Monitors load.
The default settings will be in effect in the environment for which the ppp multilink bap command is
entered:
• Virtual template interface, if that is where the command is entered.
When the command is entered in a virtual template interface, configuration applies to any virtual
access interface that is created dynamically under Multilink PPP, the application that defines the
template.
• Dialer interface, if that is where the command is entered.
See the section “Basic BACP Configurations” at the end of this chapter for an example of how to
configure BACP.
Modifying BACP Passive Mode Default Settings
To modify the default parameter values or to configure additional parameters in passive mode, use the
following commands, as needed, in interface configuration mode for the interface or virtual template
interface that is configured for PPP BACP:
Command    Purpose
Router(config-if)# ppp bap timeout pending seconds    Modifies the timeout on pending actions.
Router(config-if)# ppp bap timeout response seconds    Modifies the timeout on not receiving a response from a peer.
Router(config-if)# ppp bap max dial-attempts number    Modifies the number of attempts to call a number.
Router(config-if)# ppp bap max ind-retries number    Modifies the number of times to send a call status indication.
Router(config-if)# ppp bap max req-retries number    Modifies the number of retries of a particular request.
Router(config-if)# ppp bap max dialers number    Modifies the maximum number of free dialers logged.
Router(config-if)# ppp bap link types analog    Specifies that only analog links can be added to a multilink bundle.
or
Router(config-if)# ppp bap link types isdn analog    Allows both ISDN and analog links to be added.
Router(config-if)# ppp bap number default phone-number    For all DDR-capable interfaces in the group, specifies a primary telephone number for the peer to call for PPP BACP negotiation, if different from any base number defined on the dialer interface or virtual template interface.
Router(config-if)# ppp bap number secondary phone-number    For BRI interfaces on which a different number is provided for each B channel, specifies the secondary telephone number.
Router(config-if)# ppp bap drop timer seconds    Specifies a time to wait between outgoing link drop requests.
Router(config-if)# no ppp bap monitor load    Disables the default monitoring of load and the validation of peer requests against load thresholds.
See the section “Passive Mode Dialer Rotary Group Members with One Dial-In Number” later in this
chapter for an example of how to configure passive mode parameters.
Configuring Active Mode BACP
To configure active mode BACP, use the following commands in interface configuration mode for the
dialer interface on which BACP was enabled. For your convenience, the commands that make BACP
function in active mode are presented before the commands that change default parameters or add
parameters.
Command    Purpose
Router(config-if)# ppp bap call request    Enables the interface to initiate the addition of links to the multilink bundle.
Router(config-if)# ppp bap callback accept    Enables the interface to initiate the addition of links upon peer request.
Router(config-if)# ppp bap drop after-retries    Enables the interface to drop a link without negotiation after receiving no response to retries to send a drop request.
Router(config-if)# ppp bap call timer seconds    Sets the time to wait between outgoing call requests.
Router(config-if)# ppp bap timeout pending seconds    Modifies the timeout on pending actions.
Router(config-if)# ppp bap timeout response seconds    Modifies the timeout on not receiving a response from a peer.
Router(config-if)# ppp bap max dial-attempts number    Modifies the number of attempts to call a number.
Router(config-if)# ppp bap max ind-retries number    Modifies the number of times to send a call status indication.
Router(config-if)# ppp bap max req-retries number    Modifies the number of retries of a particular request.
Router(config-if)# ppp bap max dialers number    Modifies the maximum number of free dialers logged.
Router(config-if)# ppp bap link types analog    Specifies that only analog links can be added to a multilink bundle.
or
Router(config-if)# ppp bap link types isdn analog    Allows both ISDN and analog links to be added.
Router(config-if)# ppp bap number default phone-number    For all DDR-capable interfaces in the group, specifies a primary telephone number for the peer to call for PPP BACP negotiation, if different from any base number defined on the dialer interface or virtual template interface.
Router(config-if)# ppp bap number secondary phone-number    For BRI interfaces on which a different number is provided for each B channel, specifies the secondary telephone number.
When BACP is enabled, multiple dialer maps to one destination are not needed when they differ only by
number. That is, once the initial call has been made to create the bundle, further dialing attempts are
realized through the BACP phone number negotiation.
Outgoing calls are supported through the use of dialer maps. However, when an initial incoming call
creates a dynamic dialer map, the router can dial out if the peer supplies a phone number. This capability
is achieved by the dynamic creation of static dialer maps for BACP. These temporary dialer maps can be
displayed by using the show dialer map command. These temporary dialer maps last only as long as the
BACP group lasts and are removed when the BACP group or the associated map is removed.
Monitoring and Maintaining Interfaces Configured for BACP
To monitor interfaces configured for PPP BACP, use any of the following commands in EXEC mode:
Command    Purpose
Router> show ppp bap group [name]    Displays information about all PPP BACP multilink bundle groups or a specific, named multilink bundle group.
Router> show ppp bap queues    Displays information about the BACP queues.
Router> show ppp multilink    Displays information about the dialer interface, the multilink bundle, and the group members.
Router> show dialer    Displays BACP numbers dialed and the reasons for the calls.
Router> show dialer map    Displays configured dynamic and static dialer maps and dynamically created BACP temporary static dialer maps.
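The passive and active mode settings described in the tables above, modelled as an added Python example (not Cisco code, and not an implementation of the BACP wire protocol): which link-add and link-drop requests a peer will honour, and which side pays for the call. The field names and helper functions are this example's own.

```python
# Added example, not Cisco's code: a simplified policy model of the BACP requests a
# peer will honour, built from the passive-mode defaults and the ppp bap commands
# listed in this chapter. It does not speak PPP/BACP on the wire.
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class BapInterface:
    name: str
    call_accept: bool = True        # default: allows a peer to initiate link addition
    drop_accept: bool = True        # default: allows a peer to initiate link removal
    callback_request: bool = True   # default: requests that a peer initiate link addition
    call_request: bool = False      # active mode: ppp bap call request
    callback_accept: bool = False   # active mode: ppp bap callback accept
    link_types: FrozenSet[str] = frozenset({"isdn"})   # default: only ISDN links are added


def passive_defaults(name: str) -> BapInterface:
    """Settings in effect right after ppp multilink bap is entered."""
    return BapInterface(name)


def active_mode(name: str) -> BapInterface:
    """Active mode as in the guide's first BRI example: initiates calls, accepts callback
    requests, and refuses peer-initiated calls (no ppp bap call accept) and link drops
    (no ppp bap drop accept)."""
    return BapInterface(name, call_accept=False, drop_accept=False,
                        callback_request=False, call_request=True, callback_accept=True)


def can_add_link(initiator: BapInterface, responder: BapInterface,
                 link_type: str, via_callback: bool = False) -> bool:
    """True if a link addition started by `initiator` toward `responder` is allowed.
    A direct call needs call_request on the caller and call_accept on the callee.
    A callback request asks the responder to place the call instead, so it needs
    callback_request on the initiator and callback_accept on the responder.
    Link types must match on both ends of the link."""
    if link_type not in initiator.link_types or link_type not in responder.link_types:
        return False
    if via_callback:
        return initiator.callback_request and responder.callback_accept
    return initiator.call_request and responder.call_accept


def can_drop_link(initiator: BapInterface, responder: BapInterface) -> bool:
    """A peer may negotiate a link drop only if the other side accepts drops."""
    return responder.drop_accept


def who_pays(initiator: BapInterface, responder: BapInterface, via_callback: bool) -> str:
    """The side that actually places the call incurs its cost."""
    return responder.name if via_callback else initiator.name


if __name__ == "__main__":
    client = active_mode("bri0-client")
    server = passive_defaults("dialer1-server")
    print(can_add_link(client, server, "isdn"), can_add_link(server, client, "isdn"))
    print(can_add_link(server, client, "isdn", via_callback=True), who_pays(server, client, True))
```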
Troubleshooting BACP
To troubleshoot the BACP configuration and operation, use the following debug commands:
Command    Purpose
Router> debug ppp bap [error | event | negotiation]    Displays BACP errors, protocol actions, and negotiation events and transitions.
Router> debug ppp multilink events    Displays information about events affecting multilink bundles established for BACP.
Configuration Examples for BACP
The following sections provide BACP configuration examples:
• Basic BACP Configurations
• Dialer Rotary Group with Different Dial-In Numbers
• Passive Mode Dialer Rotary Group Members with One Dial-In Number
• PRI Interface with No Defined PPP BACP Number
• BRI Interface with No Defined BACP Number
Basic BACP Configurations
The following example configures an ISDN BRI interface for BACP to make outgoing calls and prevent
the peer from negotiating link drops:
interface bri 0
ip unnumbered ethernet 0
dialer load-threshold 10 either
dialer map ip 172.21.13.101 name bap-peer 12345668899
encapsulation ppp
ppp multilink bap
ppp bap call request
ppp bap callback accept
no ppp bap call accept
no ppp bap drop accept
ppp bap timeout pending 30
ppp bap number default 5664567
ppp bap number secondary 5664568
The following example configures a dialer rotary group to accept incoming calls:
interface async 1
no ip address
encapsulation ppp
dialer rotary-group 1
ppp bap number default 5663456
!
! Set the bandwidth to suit the modem/line speed on the remote side.
interface bri 0
no ip address
bandwidth 38400
encapsulation ppp
dialer rotary-group 1
ppp bap number default 5663457
!
interface bri 1
no ip address
encapsulation ppp
dialer rotary-group 1
ppp bap number default 5663458
!
interface dialer1
ip unnumbered ethernet 0
encapsulation ppp
ppp multilink bap
ppp bap call accept
ppp bap link types isdn analog
dialer load-threshold 30
ppp bap timeout pending 60
The following example configures a virtual template interface to use BACP in passive mode:
multilink virtual-template 1
!
interface virtual-template 1
ip unnumbered ethernet 0
encapsulation ppp
ppp multilink bap
ppp authentication chap callin
The bundle is created from any MMP-capable interface.
The following example creates a bundle on a BRI interface:
interface bri 0
no ip address
encapsulation ppp
ppp multilink
ppp bap number default 4000
ppp bap number secondary 4001
Dialer Rotary Group with Different Dial-In Numbers
The following example configures a dialer rotary group that has four members, each with a different
number, and that accepts incoming dial attempts. The dialer interface does not have a base phone
number; the interface used to establish the first link in the multilink bundle will provide the appropriate
number from its configuration.
interface bri 0
no ip address
encapsulation ppp
dialer rotary-group 1
no fair-queue
no cdp enable
ppp bap number default 6666666
!
interface bri 1
no ip address
encapsulation ppp
dialer rotary-group 1
no fair-queue
no cdp enable
ppp bap number default 6666667
!
interface bri 2
no ip address
encapsulation ppp
dialer rotary-group 1
no fair-queue
no cdp enable
ppp bap number default 6666668
!
interface bri 3
no ip address
encapsulation ppp
dialer rotary-group 1
no fair-queue
no cdp enable
ppp bap number default 6666669
!
interface dialer 1
ip unnumbered Ethernet0
encapsulation ppp
dialer in-band
dialer idle-timeout 300
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink bap
ppp bap call accept
ppp bap callback request
ppp bap timeout pending 20
ppp bap timeout response 2
ppp bap max dial-attempts 2
ppp bap monitor load
Passive Mode Dialer Rotary Group Members with One Dial-In Number
In the following example, a dialer rotary group with two members, each with the same number, accepts
incoming dial attempts. The dialer interface has a base phone number because each of its member
interfaces is in a hunt group and the same number can be used to access each individual interface.
interface bri 0
no ip address
encapsulation ppp
dialer rotary-group 1
no fair-queue
no cdp enable
!
interface bri 1
no ip address
encapsulation ppp
dialer rotary-group 1
no fair-queue
no cdp enable
!
interface dialer 1
ip unnumbered Ethernet0
encapsulation ppp
dialer in-band
dialer idle-timeout 300
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink bap
ppp bap call accept
ppp bap callback request
ppp bap timeout pending 20
ppp bap timeout response 2
ppp bap max dial-attempts 2
ppp bap monitor load
ppp bap number default 6666666
PRI Interface with No Defined PPP BACP Number
In the following example, a PRI interface has no BACP number defined and accepts incoming dial
attempts (passive mode). The PRI interface has no base phone number defined, so each attempt to add a
link would result in a delta of zero being provided to the calling peer. To establish the bundle, the peer
should then dial the same number as it originally used.
interface serial 0:23
ip unnumbered Ethernet0
encapsulation ppp
dialer in-band
dialer idle-timeout 300
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink bap
ppp bap call accept
ppp bap callback request
ppp bap timeout pending 20
ppp bap timeout response 2
ppp bap max dial-attempts 2
ppp bap monitor load
BRI Interface with No Defined BACP Number
In the following example, the BRI interface has no base phone number defined. The number that it uses
to establish the bundle is that from the dialer map, and all phone delta operations are applied to that
number.
interface bri 0
ip unnumbered Ethernet0
encapsulation ppp
dialer in-band
dialer idle-timeout 300
dialer map ip 10.1.1.1 name bap_peer speed 56 19998884444
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink bap
ppp bap call request
ppp bap timeout pending 20
ppp bap timeout response 2
ppp bap max dial-attempts 2
ppp bap monitor load
Dial Access Specialized Features
DC-679
Cisco IOS Dial Technologies Configuration Guide
Configuring Large-Scale Dial-Out
This chapter describes how to configure large-scale dial-out. It includes the following main sections:
• Large-Scale Dial-Out Overview
• How to Configure Large-Scale Dial-Out
• Monitoring and Maintaining the Large-Scale Dial-Out Network
• Configuration Examples for Large-Scale Dial-Out
Consider these restrictions when configuring large-scale dial-out:
• Large-scale dial-out supports only IP over PPP encapsulation.
• Large-scale dial-out does not support tunneling protocols such as Layer 2 Forwarding Protocol
(L2F) and Layer 2 Tunneling Protocol (L2TP).
• Virtual profiles depend on PPP authentication; however, this authentication can create a problem for
Ascend devices, which do not allow devices to authenticate them when answering a call
(bidirectional authentication is not supported).
• The IP address of the remote device must be known before dialing out. Large-scale dial-out does not
support dynamic IP address assignment.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands mentioned in this chapter, refer to Cisco IOS Dial
Technologies Command Reference, Release 12.2. To locate documentation of other commands that
appear in this chapter, use Cisco IOS Command Reference Master Index or search online.
Large-Scale Dial-Out Overview
In previous dial-on-demand routing (DDR) networking strategies, only incoming calls could take
advantage of features such as dialer and virtual profiles, Multichassis Multilink PPP (MMP) support, and
the ability to use an authentication, authorization, and accounting (AAA) server to store attributes. MMP
allows network access servers to be stacked together and appear as a single network access server chassis
so that if one network access server fails, another network access server in the stack can accept calls.
MMP also provides stacked network access servers access to a local Internet point of presence (POP)
using a single telephone number. This capability allows for easy expansion and scalability and for
assured fault tolerance and redundancy. Now, with large-scale dial-out, these features are available for
both outgoing and incoming calls.
Large-scale dial-out eliminates the need to configure dialer maps on every network access server for
every destination. Instead, you create remote site profiles that contain outgoing call attributes (telephone
number, service type, and so on) on the AAA server. The profile is downloaded by the network access
server when packet traffic requires a call to be placed to a remote site.
Additionally, large-scale dial-out addresses congestion management by seeking an uncongested,
alternative network access server within the same POP when the designated primary network access
server experiences port congestion.
Large-scale dial-out also enables scalable dial-out service to many remote sites across one or more Cisco
network access servers or Cisco routers. This capability is especially beneficial to both Internet service
providers (ISPs) and large-scale enterprise customers because it can simplify network configuration and
management. Large-scale dial-out streamlines activities such as service maintenance and scheduled
activities like application upgrades from a centralized location. Large enterprise networks such as those
used by retail stores, supermarket chains, and franchise restaurants can use large-scale dial-out to easily
update daily prices and inventory information from a central server to all branch locations in one process,
using the same network access servers that they currently use for dial-in functions.
Additional benefits of using large-scale dial-out include the following:
• Allows dialing the same router from any router in a stack group. Using a primary network access
server, you can configure static routes for a given remote host or network. If the primary network
access server is congested or has no links available, it will search for an alternate server within the
stack, and force that server to dial out.
• Eliminates the need to configure dialer maps in individual network access servers. The user profiles,
along with dial parameters, can be centrally stored on an AAA server such as a Cisco Secure Access
Control Server (ACS).
• Supports extended TACACS (also TACACS+), RADIUS using Cisco attribute-value (AV) pairs, and
the Ascend proprietary RADIUS extension for dial-out operation.
• Provides a way to associate an IP address with a user name and user profile using the static route
and host name association features. If there are no names on the IP static route, the Domain Name
System (DNS) support function can be used to determine the user name that is associated with the
IP address. If a name is not found, the destination IP address is used for the name.
• Allows dynamic static routes to be configured on the centralized AAA server, that is, static routes
stored centrally on an AAA server that can be dynamically downloaded by the router as needed.
• Provides support for MMP and the Stack Group Bidding Protocol (SGBP). SGBP unites each Cisco
access server in a virtual stack, which enables the access servers to become virtually tied together.
If all ports on a given network access server are already being used, the other network access servers
on the stack can be used for outbound calls. Single calls and multilink calls are now supported across
the multichassis stack group.
• Supports dial-out over an asynchronous line, when a chat script is configured.
• Allows ports to be reserved for dial-in and dial-out.
Large-scale dial-out enables scalable dial-out service; that is, configuration information is stored in a
central server, and many network access servers can access this information using either the RADIUS or
extended TACACS protocols. One or more network access servers can advertise summary routes to the
remote destinations and then dynamically download the dial-out profile configurations as needed.
Large-scale dial-out also allows dialing the same remote network or host from any router in a stack
group. You configure static routes for a particular remote host or network on a router in a stack group
that you designate as the primary network access server for that remote network or host. When a primary
network access server experiences port congestion, it searches for an alternate network access server
within the stack group to dial out and, when found, forces the alternate to dial the remote network.
Figure 96 illustrates the large-scale dial-out solution.
Figure 96 Large-Scale Dial-Out Components
Large-scale dial-out relies on per-user static routes in AAA and redistributed static and redistributed
connected routes to put better routes pointing to the same remote on the alternate network access server.
You can use any routing protocol that supports redistributing static and connected routes and that
supports Flash memory updates when a routing topology changes. The Open Shortest Path First (OSPF)
and Enhanced Interior Gateway Routing Protocol (EIGRP) routing protocols are recommended.
Next Hop Definition
A next hop address or remote name that you define is used in an AAA server lookup to retrieve the user
profile from the remote network or host. The name is passed to the AAA server by the router software.
Static Routes
Static routes can be dynamically downloaded from an AAA server by the network access servers or can
be manually configured on the network access servers.
Dynamic static routes are installed on the network access server by an AAA server. The routes are
downloaded at system startup and updated periodically, so that route changes are reflected within a
configurable interval of time. Large-scale dial-out allows multiple AAA transactions with 50 static
routes per AAA server transaction. There is no set limit on the number of AAA server transactions
that can be configured; however, configuring too many transactions may affect the performance of
your network. The performance effect depends on the configurations and platforms used in your
network.
Stack Groups
The network access server stack group redistributes the routes of the remote networks. If the number is
large, the routes are summarized. Packets destined for remote networks are routed to the primary
network access server for the remote network.
[Figure 96 components: AAA server, DNS server, analog modem, remote LAN router, ISDN, SGBP stack]
If the static route that points to the next hop of the network access server has a name, that name with the
-out suffix attached becomes the profile name. If no profile name is configured in the route statement
that defines the remote location, the router can use reverse DNS lookup to map the IP route to a profile
name. The next hop address on the static route is used in reverse DNS to obtain the name of the remote
network. This name is then used in the AAA server lookup to retrieve the remote user profile. If no name
is returned by DNS, the network access server uses the destination IP address with the -out suffix
appended as the name.
If the primary network access server is congested, an alternate network access server may dial out. The
primary network access server initiates stack group bidding for the outgoing call. The least congested
network access server wins the bid and downloads the user profile. After a call is connected on an
alternate network access server, a better per-user route from the AAA profile is installed on the alternate
network access server. Subsequent packets destined for the remote network are routed to the alternate
network access server while the call is connected. Packets stored in the dialer hold queue on the primary
network access server are switched to the alternate network access server when the new route is
distributed to the primary network access server.
How to Configure Large-Scale Dial-Out
To configure large-scale dial-out, perform the tasks in the following sections:
• Complying with Large-Scale Dial-Out Prerequisites (Required)
• Establishing the Route to the Remote Network (As required)
• Enabling AAA and Static Route Download (Required)
• Enabling Access to the AAA Server (Required)
• Enabling Reverse DNS (Required)
• Enabling SGBP Dial-Out Connection Bidding (Required)
• Defining a User Profile (Required)
See the section “Monitoring and Maintaining the Large-Scale Dial-Out Network” later in this chapter
for tips on maintaining large-scale dial-out. See the examples in the section “Configuration Examples
for Large-Scale Dial-Out” at the end of this chapter for ideas on how you can implement large-scale
dial-out in your network.
Complying with Large-Scale Dial-Out Prerequisites
The following prerequisites apply to large-scale dial-out:
• Virtual profiles depend on PPP authentication; therefore the network access server, the remote
device, or both must authenticate the connection to use virtual profiles.
• You must configure SGBP to allow a primary network access server that is congested or otherwise
unable to dial out to select an alternate network access server to dial out. Configure SGBP using the
sgbp group and sgbp member global configuration commands before enabling the stack group to
bid for dial-out connection. Configuring SGBP is described in the chapter “Configuring
Multichassis Multilink PPP” in this publication. The Cisco IOS Dial Technologies Command
Reference describes the commands to configure a stack group.
Additionally, all members of the stack group must be in the same routing autonomous system, and
the redistribute static and redistribute connected commands must already be configured. The
stack group supports all routing protocols, but routing protocols such as EIGRP and OSPF, which
support redistributing static and connected routes and Flash memory updates when topology
changes, are recommended.
• You must configure AAA network security services using the aaa new-model, aaa authentication,
aaa authorization, and aaa accounting global configuration commands. For more information
about AAA, see the chapter “AAA Overview” in the Cisco IOS Security Configuration Guide. The
Cisco IOS Security Command Reference describes the commands to configure AAA.
You will also need to configure your network access server to communicate with the applicable
security server, either an extended TACACS or RADIUS daemon.
If you are using RADIUS and Ascend attributes, use the non-standard keyword with the
radius-server host command to enable your Cisco router, acting as a network access server, to
recognize that the RADIUS security server is using a vendor-proprietary version of RADIUS. Use
the radius-server key command to specify the shared secret text string used between your Cisco
router and the RADIUS server. For more information, see the chapter “Configuring RADIUS” in the
Cisco IOS Security Configuration Guide.
If you are using extended TACACS, use the tacacs-server host command to specify the IP address
of one or more extended TACACS daemons. Use the tacacs-server key command to specify the
shared secret text string used between your Cisco router and the extended TACACS daemon. For
more information, see the chapter about configuring extended TACACS in the Cisco IOS Security
Configuration Guide.
Establishing the Route to the Remote Network
The task in this section is optional; you only need to perform it when routes will not be downloaded
statically from the AAA server.
To establish a route to the remote network or host (next hop) that holds the user profile, use the ip route
command in global configuration mode:
Command    Purpose
Router(config)# ip route network-number [network-mask] {address | interface} [distance] [name name]    Establishes a static route to a remote network to obtain a user profile.
The name you define is used in an AAA server lookup to retrieve the AAA profile of the remote network.
Enabling AAA and Static Route Download
AAA network security must be enabled before you perform the tasks in this section. For more
information about enabling AAA, see the chapter “AAA Overview” in the Cisco IOS Security
Configuration Guide.
Enabling the static route download feature allows static routes to be configured at a centrally located
AAA server. Static routes are downloaded when the system is started, and you define a period of time
between route updates when you enable the feature.
Note Static route download is not mandatory for the large-scale dial-out feature; however, it makes
configuration of static routes more manageable by allowing the configuration to be centralized on a
server.
To enable the static route download feature, use the following commands in global configuration mode:

Step 1
Command: Router(config)# aaa new-model
Purpose: Enables the AAA server.

Step 2
Command: Router(config)# aaa route download [time]
Purpose: Downloads static routes from the AAA server periodically using the host name of the router.

Step 3
Command: Router(config)# aaa authorization configuration default [radius | tacacs+]
Purpose: Downloads configuration information from the AAA server.

Use the show ip route command to see the routes installed by these commands.

Enabling Access to the AAA Server
To configure the dialer interface to access the AAA server and retrieve the user profile, use the following
command in interface configuration mode for a dialer rotary group leader:

Command: Router(config-if)# dialer aaa
Purpose: Allows the dialer to use the AAA server to locate profiles for dialing information.

Enabling Reverse DNS
To instruct the dialer to use reverse DNS on dial out, use the following command in interface
configuration mode:

Command: Router(config-if)# dialer dns
Purpose: Uses reverse DNS to obtain the name of the user profile of the remote network.

The user profile name passed to the AAA server by the system is reverse-dns-name-out; the -out suffix
is automatically appended to the DNS name and is required to create unique dial-out and dial-in profiles.

Enabling SGBP Dial-Out Connection Bidding
You must configure SGBP before performing the tasks in this section. The chapter “Configuring
Multichassis Multilink PPP” in this publication describes the tasks you perform to configure a stack
group.
To configure stack group bidding, use the following command in global configuration mode:

Command: Router(config)# sgbp dial-bids
Purpose: Allows the stack group to bid for the dial-out call.

Once the stack group has been configured and enabled for dial-out connection bidding, configure the
dialer interface to search for an alternate network access server in the event of port congestion. Use the
following commands in interface configuration mode:

Step 1
Command: Router(config-if)# dialer congestion-threshold links
Purpose: Forces the dialer to search for another uncongested system in the stack group.

Step 2
Command: Router(config-if)# dialer reserved-links {dialin-link | dialout-link}
Purpose: Reserves links for dial-in and dial-out.

See the section “Stack Group and Static Route Download Configuration Example” at the end of this
chapter for an example of how to configure stack groups and static routes.

Defining a User Profile
Attributes are used to define specific AAA elements in a user profile. Large-scale dial-out supports a
subset of Ascend AV pairs and RADIUS attributes, as well as a map class attribute that provides
outbound dialing services, as described in Table 36.
The only required attribute is the Cisco AV pair outbound:dial-number; all others are optional. If the
AAA server does not support Cisco AV pairs, attribute #227, Ascend-Dial-Number, can be substituted.
If there are equivalent Cisco AV pairs and Ascend-specific attributes, Cisco recommends using the Cisco
AV pairs.
For additional information about defining user profiles, see the chapter “RADIUS Attribute-Pairs” in the
CiscoSecure ACS for Windows NT User Guide 2.0 publication and the chapter “TACACS+
Attribute-Value Pairs” in the Cisco IOS Security Configuration Guide.
For an example of a user profile that uses the supported attributes, see the section “User Profile on an
Ascend RADIUS Server for NAS1 Example” at the end of this chapter.
Note For the attributes listed in Table 4, the value of a string is 0 to 253 octets; the value of an integer is
a 32-bit value ordered high byte first.
Table 36 Large-Scale Dial-Out Outbound Service Attributes

Ascend AV Pairs

#214 Ascend-Send-Secret
  Description: Specifies the password that the network access server uses when the remote site challenges
  the network access server to authenticate using either Challenge Handshake Authentication Protocol (CHAP)
  or Password Authentication Protocol (PAP).
  Cisco AV Pair: None
  TACACS+ Support:
    service = outbound {
      send-secret = VALUE
    }
  Value: Password string
  Note: The password is encrypted. This attribute requires a special RADIUS daemon that supports CHAP or
  PAP authentication.

#227 Ascend-Dial-Number
  Description: Defines the number to dial.
  Cisco AV Pair: cisco-avpair="outbound:dial-number=VALUE"
  TACACS+ Support:
    service = outbound {
      dial-number = VALUE
    }
  Value: Dial string
  Note: This attribute defines the plain dial number. It can be used in different profiles, whereas the
  callback-dialstring attribute is only for callbacks.
#231 Ascend-Send-Auth
  Description: Specifies the authentication protocol that the network access server requests when
  initiating a connection using PPP. The answering side of the connection determines which authentication
  protocol, if any, that the connection uses. The network access server will refuse to negotiate PAP if
  CHAP is selected, but will negotiate CHAP if PAP is selected.
  Cisco AV Pair: cisco-avpair="outbound:send-auth=VALUE"
  TACACS+ Support:
    service = outbound {
      send-auth = none/pap/chap
    }
  Value:
    0: Send-Auth-None
    1: Send-Auth-PAP
    2: Send-Auth-CHAP

#247 Ascend-Data-SVC
  Description: Specifies the type of data service that the link uses for outgoing calls.
  Cisco AV Pair: cisco-avpair="outbound:data-service=VALUE"
  TACACS+ Support:
    service = outbound {
      data-service = VALUE
    }
  Value:
    0: Switched-Voice-Bearer

#248 Ascend-Force-56
  Description: Determines whether the network access server uses only the 56K portion of a channel, even
  when all 64K appear to be available.
  Cisco AV Pair: cisco-avpair="outbound:force-56=VALUE"
  TACACS+ Support:
    service = outbound {
      force-56 = VALUE
    }
  Value:
    0: Force-56-No
    1: Force-56-Yes
RADIUS (IETF) Attributes

#10 Framed-Routing
  Description: Indicates a routing method when a router is used to access a network.
  Cisco AV Pair: None
  TACACS+ Support:
    service = outbound {
      routing = VALUE
    }
  Value:
    0: None
    1: Broadcast
    2: Listen
    3: Broadcast-Listen
  Note: This attribute is currently supported only for PPP service.

#19 Callback-Number
  Description: Defines a dialing string to be used for call back. (Service is both outbound and PPP.)
  Cisco AV Pair: cisco-avpair="outbound:callback-dialstring=VALUE"
  TACACS+ Support: Equivalent to the existing callback-dialstring attribute.
  Value: Dial string
  Note: This is an alternate way of setting a callback number using a standard RADIUS attribute.
#61 NAS-Port-Type
  Description: Indicates the type of physical port that the network access server is using to authenticate
  the user.
  Cisco AV Pair: None
  TACACS+ Support: None
  Value:
    0: Asynchronous
    1: Synchronous
    2: ISDN-Synchronous
  Note: This attribute is currently supported only for PPP service.

Map Class Attribute

(unnumbered) map-class
  Description: Allows the user profile to reference information configured in a map class of the same name
  on the network access server that dials out.
  Cisco AV Pair: cisco-avpair="outbound:map-class=VALUE"
  TACACS+ Support:
    service = outbound {
      map-class = VALUE
    }
  Value: Name string, which must match the name of a map class on the dial-out network access server.
Monitoring and Maintaining the Large-Scale Dial-Out Network
To monitor and maintain a large-scale dial-out network, use any of the following commands in EXEC
mode:

Command: Router> clear dialer sessions
Purpose: Removes all dialer sessions and disconnects links.

Command: Router> clear ip route download {* | network-number network-mask | reload}
Purpose: Removes all or specified IP routes on the router. With the reload option, forces reload of
dynamic static routes before the update timer expires.

Command: Router> show dialer sessions
Purpose: Displays all dialer sessions.

Command: Router> show ip route [static [download]]
Purpose: Displays all static IP routes or those installed using the AAA route download function.

Configuration Examples for Large-Scale Dial-Out
The following sections provide examples of how you can configure large-scale dial-out in your network:
• Stack Group and Static Route Download Configuration Example
• User Profile on an Ascend RADIUS Server for NAS1 Example
• Asynchronous Dialing Configuration Examples
Stack Group and Static Route Download Configuration Example
The following example configures NAS1 as the primary network access server and NAS2 as the
secondary network access server, in a stack group for dial-out. The remote router is configured to answer
calls. Figure 97 illustrates the configuration.
Figure 97 Stack Group and Static Route Download Configuration
[Figure 97 shows: AAA server, DNS server, NAS1 and NAS2 forming the SGBP stack, ISDN, and the router named Remote.]
At the console for NAS1, ping 20.1.1.1. This action creates a multilink bundle with two links. NAS1
dials out the first link, and NAS2 dials out the second link. The router named Remote is using the CHAP
host name echo-8.cisco.com.
A user profile for NAS1 on an Ascend RADIUS server is listed in the section “User Profile on an Ascend
RADIUS Server for NAS1 Example” later in this chapter.
Primary Network Access Server Configuration for NAS1
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NAS1
!
aaa new-model
aaa authentication ppp default radius local
aaa authorization network default radius none
aaa authorization configuration default radius
aaa route download 720
enable password 7 1236173C1B0F
!
username NAS2 password 7 05080F1C2243
username NAS1 password 7 030752180500
username dialbid password 7 121A0C041104
username echo-8.cisco.com password 7 02050D480809
ip subnet-zero
ip domain-name cisco.com
ip name-server 172.31.2.132
ip name-server 172.22.30.32
!
virtual-profile virtual-template 2
!
sgbp group dialbid
sgbp seed-bid offload
sgbp member NAS2 172.21.17.17
sgbp dial-bids
isdn switch-type basic-5ess
!
!
interface Ethernet 0
ip address 172.21.17.18 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
media-type 10BaseT
no cdp enable
!
interface Virtual-Template 1
ip address 10.1.1.1 255.255.255.252
no ip directed-broadcast
!
interface Virtual-Template 2
ip unnumbered Virtual-Template 1
no ip directed-broadcast
ppp multilink
multilink load-threshold 1 outbound
!
interface BRI 0
description PBX 60043
no ip address
no ip directed-broadcast
encapsulation ppp
dialer rotary-group 1
isdn switch-type basic-5ess
no fair-queue
!
interface Dialer 1
ip unnumbered Ethernet 0
no ip directed-broadcast
encapsulation ppp
no ip mroute-cache
dialer in-band
dialer dns
dialer aaa
dialer hold-queue 5
dialer congestion-threshold 5
dialer reserved-links 1 0
dialer-group 1
no fair-queue
ppp authentication chap callin
ppp multilink
!
router eigrp 200
redistribute connected
redistribute static
network 172.21.0.0
!
ip default-gateway 172.21.17.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.21.17.1
!
dialer-list 1 protocol ip permit
radius-server host 172.31.61.87 auth-port 1645 acct-port 1646
radius-server key foobar
!
end
Secondary Network Access Server Configuration for NAS2
version 12.0
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname NAS2
!
boot system flash
aaa new-model
aaa authentication ppp default radius local
aaa authorization network default radius none
aaa authorization configuration default radius
enable password 7 022916700202
!
username NAS1 password 7 104D000A0618
username dialbid password 7 070C285F4D06
username echo-8.cisco.com password 7 0822455D0A16
ip subnet-zero
ip domain-name cisco.com
ip name-server 172.22.30.32
ip name-server 172.31.2.132
!
virtual-profile virtual-template 2
!
sgbp group dialbid
sgbp member NAS1 172.21.17.18
sgbp dial-bids
isdn switch-type basic-5ess
!
interface Ethernet 0
ip address 172.21.17.17 255.255.255.0
no ip directed-broadcast
media-type 10BaseT
!
interface Virtual-Template 1
ip address 10.1.1.1 255.255.255.252
no ip directed-broadcast
!
interface Virtual-Template 2
ip unnumbered Virtual-Template 1
no ip directed-broadcast
ppp multilink
multilink load-threshold 1 outbound
!
interface BRI 0
no ip address
no ip directed-broadcast
encapsulation ppp
dialer rotary-group 0
isdn switch-type basic-5ess
no fair-queue
!
interface Dialer 0
ip unnumbered Ethernet 0
no ip directed-broadcast
encapsulation ppp
dialer in-band
dialer dns
dialer aaa
dialer hold-queue 5
dialer congestion-threshold 5
dialer reserved-links 1 0
dialer-group 1
no fair-queue
ppp authentication chap callin
ppp multilink
!
router eigrp 200
redistribute connected
redistribute static
network 172.21.0.0
!
ip default-gateway 172.21.17.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.21.17.1
!
dialer-list 1 protocol ip permit
!
radius-server host 172.31.61.87 auth-port 1645 acct-port 1646
radius-server key foobar
!
end
Remote Router Configuration
version 12.0
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname Remote
!
boot system flash
enable password 7 002B012D0D5F
!
username dialbid password 7 14141B180F0B
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-5ess
!
interface Loopback 0
ip address 172.31.229.41 255.255.255.255
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Loopback 1
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Loopback 2
ip address 10.1.2.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Loopback 3
ip address 10.3.1.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Ethernet 0
ip address 172.21.12.15 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface BRI 0
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer rotary-group 3
dialer-group 1
isdn switch-type basic-5ess
no fair-queue
!
interface Dialer 3
ip unnumbered Loopback 0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer in-band
dialer idle-timeout 10000
dialer-group 1
no fair-queue
ppp authentication chap callin
ppp chap hostname echo-8.cisco.com
ppp chap password 7 045802150C2E
ppp multilink
!
ip default-gateway 172.21.12.1
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
dialer-list 1 protocol ip permit
User Profile on an Ascend RADIUS Server for NAS1 Example
The following example shows a dial-out profile and a static route download profile in AAA. The dial-out
profile username must have “-out” appended to it. The static route download profile username always
has “-N” appended. The router downloads NAS1-1, NAS1-2, through NAS1-N. When NAS1-N fails, the
router does not try NAS1-N+1. The static route download profile cannot have more than 50 static routes
defined.
echo-8.cisco.com-out Password = "cisco", User-Service-Type = Outbound-User
cisco-avpair = "outbound:addr=172.31.229.41",
cisco-avpair = "outbound:dial-number=60039",
NAS1-1 Password = "cisco" User-Service-Type = Outbound-User,
cisco-avpair = "ip:route=10.1.3.0 255.255.255.0 172.31.229.41 200",
cisco-avpair = "ip:route=10.1.2.0 255.255.255.0 172.31.229.41 200",
cisco-avpair = "ip:route=10.1.1.0 255.255.255.0 172.31.229.41 200",
cisco-avpair = "ip:route=172.31.229.41 255.255.255.255 Dialer1 200 name
echo-8.cisco.com"
Note All text between quotation marks must be typed on one line.
Static routes can also be defined using the Framed-Route Internet Engineering Task Force (IETF)
standard. The following example shows how the previous example for NAS1 would look using the
Framed-Route IETF standard:
NAS1-1 Password = "cisco" User-Service-Type = Outbound-User,
Framed-Route = "10.1.3.0/24 172.31.229.41 200",
Framed-Route = "10.1.2.0/24 172.31.229.41 200",
Framed-Route = "10.1.1.0/24 172.31.229.41 200",
Framed-Route = "172.31.229.41/32 Dialer1 200 name echo-8.cisco.com"
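The profile rules this section and Table 36 state, as an added Python check that is not part of the Cisco guide: it parses users-file text in the format shown above, flags a dial-out profile without outbound:dial-number (or Ascend-Dial-Number), values outside the Table 36 codes, strings over 253 octets, more than 50 routes in a static route download profile, a gap in the NAS1-1 … NAS1-N sequence (the router stops at the first missing profile), and a well-known profile that lacks User-Service-Type = Outbound-User; it also rewrites ip:route entries in the Framed-Route form. The sample text, including the branch-7-out and NAS2 entries, is constructed for the demonstration.

```python
"""Added example (not from the Cisco guide): validate large-scale dial-out user
profiles against the rules this chapter states and rewrite ip:route as Framed-Route."""
import ipaddress
import re
from collections import defaultdict

# Integer codes per attribute, taken from Table 36.
ENUM_VALUES = {
    "outbound:send-auth": {"0", "1", "2"},    # none / PAP / CHAP
    "outbound:force-56": {"0", "1"},          # no / yes
    "outbound:data-service": {"0"},           # Switched-Voice-Bearer
}
MAX_STRING_OCTETS = 253   # a string attribute value is 0 to 253 octets
MAX_STATIC_ROUTES = 50    # per static route download profile

# Constructed sample: the NAS1 profiles from the text plus three flawed entries.
SAMPLE_PROFILES = '''\
echo-8.cisco.com-out Password = "cisco", User-Service-Type = Outbound-User
cisco-avpair = "outbound:dial-number=60039",
cisco-avpair = "outbound:send-auth=2",
NAS1-1 Password = "cisco" User-Service-Type = Outbound-User,
cisco-avpair = "ip:route=10.1.3.0 255.255.255.0 172.31.229.41 200",
cisco-avpair = "ip:route=172.31.229.41 255.255.255.255 Dialer1 200 name echo-8.cisco.com"
branch-7-out Password = "cisco", User-Service-Type = Outbound-User
cisco-avpair = "outbound:send-auth=5",
NAS2-1 Password = "cisco"
cisco-avpair = "ip:route=10.9.0.0 255.255.0.0 172.31.229.42 200",
NAS2-3 Password = "cisco" User-Service-Type = Outbound-User,
cisco-avpair = "ip:route=10.8.0.0 255.255.0.0 172.31.229.42 200",
'''

ATTR_RE = re.compile(r'([\w:#-]+)\s*=\s*("([^"]*)"|[^,\s]+)')
CONTINUATION = ("cisco-avpair", "Framed-Route", "User-Service-Type", "Framed-Protocol")


def parse_profiles(text):
    """Return {username: [(attribute, value), ...]}. A line that does not start
    with an attribute name opens a new profile; its first token is the username."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(CONTINUATION):
            current, _, line = line.partition(" ")
            profiles[current] = []
        for m in ATTR_RE.finditer(line):
            value = m.group(3) if m.group(3) is not None else m.group(2)
            profiles[current].append((m.group(1), value))
    return profiles

def expand_avpairs(attrs):
    """Split cisco-avpair "proto:key=value" strings into (proto:key, value) pairs."""
    out = []
    for name, value in attrs:
        key, _, val = value.partition("=") if name == "cisco-avpair" else (name, "", value)
        out.append((key, val))
    return out

def validate(profiles):
    """Return a list of findings; an empty list means every profile passes."""
    findings, route_profiles = [], defaultdict(set)
    for user, attrs in profiles.items():
        pairs = expand_avpairs(attrs)
        keys = {k for k, _ in pairs}
        is_dialout = user.endswith("-out")        # reverse-dns-name-out profile
        seq = re.fullmatch(r"(.+)-(\d+)", user)   # NAS-name-N route download profile
        for key, val in pairs:
            if len(val.encode()) > MAX_STRING_OCTETS:
                findings.append(f"{user}: {key} is longer than {MAX_STRING_OCTETS} octets")
            if key in ENUM_VALUES and val not in ENUM_VALUES[key]:
                findings.append(f"{user}: {key}={val} is not one of {sorted(ENUM_VALUES[key])}")
        if is_dialout and not keys & {"outbound:dial-number", "Ascend-Dial-Number"}:
            findings.append(f"{user}: missing the required outbound:dial-number (or Ascend-Dial-Number)")
        if (is_dialout or seq) and ("User-Service-Type", "Outbound-User") not in pairs:
            findings.append(f"{user}: no User-Service-Type = Outbound-User, so an ordinary "
                            "login could use this well-known username and password")
        if seq:
            route_profiles[seq.group(1)].add(int(seq.group(2)))
            routes = sum(k in ("ip:route", "Framed-Route") for k, _ in pairs)
            if routes > MAX_STATIC_ROUTES:
                findings.append(f"{user}: {routes} static routes, the limit is {MAX_STATIC_ROUTES}")
    for nas, nums in route_profiles.items():   # download stops at the first missing NAS-N
        n = 1
        while n in nums:
            n += 1
        findings.extend(f"{nas}-{k}: never downloaded because {nas}-{n} does not exist"
                        for k in sorted(nums) if k > n)
    return findings

def to_framed_route(route_value):
    """Rewrite "dest mask gateway [distance] [name x]" as Framed-Route "dest/len gateway ..."."""
    dest, mask, rest = route_value.split(None, 2)
    prefixlen = ipaddress.IPv4Network(f"{dest}/{mask}").prefixlen
    return f"{dest}/{prefixlen} {rest}"

def framed_routes(profiles, user):
    """All ip:route entries of one static route download profile in Framed-Route form."""
    return [to_framed_route(v) for k, v in expand_avpairs(profiles[user]) if k == "ip:route"]
```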
Asynchronous Dialing Configuration Examples
Large-scale dial-out supports dialing out using an asynchronous line. This type of dialing requires that
a chat script be configured and that the script dialer command be configured in the line commands for
any asynchronous interface that may be dialing out. The following examples are provided in this section:
• Asynchronous Dialing Example
• Asynchronous and Synchronous Dialing Example
Asynchronous Dialing Example
The following example shows an asynchronous dialing configuration:
chat-script dial "" "ATZ" OK "ATDT\T" TIMEOUT 60 CONNECT
!
interface Async 1
no ip address
no ip directed-broadcast
encapsulation ppp
dialer in-band
dialer rotary-group 0
async dynamic address
async dynamic routing
async mode dedicated
no cdp enable
!
interface Dialer 0
ip address 172.21.30.32 255.255.255.0
no ip directed-broadcast
encapsulation ppp
no ip mroute-cache
bandwidth 64
dialer in-band
dialer idle-timeout 60
dialer enable-timeout 10
dialer hold-queue 50
dialer-group 1
no cdp enable
!
line 1
script dialer dial
modem InOut
transport input all
Asynchronous and Synchronous Dialing Example
The following example creates a dialer rotary group for the asynchronous interfaces and a dialer rotary
group for the PRI interfaces. Any dial-in or dial-out reservations are applied only to the PRI dialer
interface. In the following configuration example:
• Destinations that require modem calls have static routes that point to Dialer 0.
• Destinations that require digital connections have static routes that point to Dialer 1.
• The dialer reserved-links command applies to all connections made over the PRI interfaces in
dialer rotary group 1, even if they come from an asynchronous interface.
chat-script dial "" "ATZ" OK "ATDT\T" TIMEOUT 60 CONNECT
!
interface Serial 0:23
no ip address
no ip directed-broadcast
no keepalive
dialer rotary-group 1
isdn switch-type primary-5ess
isdn incoming-voice modem
no cdp enable
!
interface Async 1
no ip address
no ip directed-broadcast
encapsulation ppp
dialer in-band
dialer rotary-group 0
async dynamic address
async dynamic routing
async mode dedicated
no cdp enable
!
interface Dialer 0
ip address 172.21.30.32 255.255.255.0
no ip directed-broadcast
encapsulation ppp
no ip mroute-cache
bandwidth 64
dialer in-band
dialer dns
dialer aaa
dialer idle-timeout 60
dialer enable-timeout 10
dialer hold-queue 50
dialer-group 1
no cdp enable
!
interface Dialer 1
ip unnumbered Ethernet 0
no ip directed-broadcast
dialer in-band
dialer dns
dialer aaa
dialer reserved-links 22 0
no cdp enable
!
line 1
script dialer dial
modem InOut
transport input all
Configuring per-User Configuration
This chapter describes per-user configuration, a large-scale dial solution. It includes the following main
sections:
• Per-User Configuration Overview
• How to Configure a AAA Server for Per-User Configuration
• Monitoring and Debugging Per-User Configuration Settings
• Configuration Examples for Per-User Configuration
This set of features is supported on all platforms that support Multilink PPP (MLP).
A virtual access interface created dynamically for any user dial-in session is deleted when the session
ends. The resources used during the session are returned for other dial-in uses.
When a specific user dials in to a router, the use of a per-user configuration from an authentication,
authorization, and accounting (AAA) server requires that AAA is configured on the router and that a
configuration for that user exists on the AAA server.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands mentioned in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference, Release 12.2 and the Cisco IOS Security Command Reference,
Release 12.2. To locate documentation of other commands that appear in this chapter, use the command
reference master index or search online.
Per-User Configuration Overview
Per-user configuration provides a flexible, scalable, easily maintained solution for customers with a
large number of dial-in users. This solution can tie together the following dial-in features:
• Virtual template interfaces, generic interface configuration and router-specific configuration
information stored in the form of a virtual template interface that can be applied (cloned) to a virtual
access interface each time any user dials in. This configuration is described in the chapter
“Configuring Virtual Template Interfaces” in this publication.
• AAA per-user security and interface configuration information stored on a separate AAA server and
sent by the AAA server to the access server or router in response to authorization requests during
the PPP authentication phase. The per-user configuration information can add to or override the
generic configuration on a virtual interface.
• Virtual profiles, which can use either or both of the two sources of information listed in the previous
bullets for virtual interface configuration. When a user dials in, virtual profiles can apply the generic
interface configuration and then apply the per-user configuration to create a unique virtual access
interface for that user. This configuration is described in the chapter “Configuring Virtual Profiles”
in this publication.
The per-user configuration feature provides these benefits:
• Maintenance ease for service providers with a large number of access servers and a very large
number of dial-in users. Service providers need not update all their routers and access servers when
user-specific information changes; instead, they can update one AAA server.
• Scalability. By separating generic virtual interface configuration on the router from the
configuration for each individual, Internet service providers and other enterprises with large
numbers of dial-in users can provide a uniquely configured interface for each individual user. In
addition, by separating the generic virtual interface configuration from the physical interfaces on the
router, the number and types of physical interfaces on the router or access server are not intrinsic
barriers to growth.
General Operational Processes
In general, the per-user configuration process on the Cisco router or network access server proceeds as
follows:
1. The user dials in.
2. The authentication and authorization phases occur.
a. If AAA is configured, the router sends an authorization request to the AAA server.
b. If the AAA server has information (attribute-value or AV pairs, or other configuration
parameters) that defines a configuration for the specific user, the server includes it in the
information in the approval response packet.
Figure 98 illustrates the request and response part of the process that happens when a user dials
in, given that AAA is configured and that the AAA server has per-user configuration
information for the dial-in user.
c. The router looks for AV pairs in the AAA approval response.
d. The router caches the configuration parameters.
Note TACACS servers treat authentication and authorization as two phases; RADIUS servers combine
authentication and authorization into a single step. For more detailed information, refer to your server
documentation.
Figure 98 Per-User Configuration Authentication and Authorization
3. A virtual access interface is created for this user.
a. The router finds the virtual template that is set up for virtual profiles, if any, and applies the
commands to the virtual access interface.
b. The router looks for the AV pairs to apply to this virtual access interface to configure it for the
dial-in user.
c. The AV pairs are sent to the Cisco IOS command-line parser, which interprets them as
configuration commands and applies them to configure this virtual access interface.
The result of this process is a virtual access interface configured uniquely for the dial-in user.
When the user ends the call, the virtual access interface is deleted and its resources are returned for other
dial-in uses.
Note The use of virtual profiles can modify the process that occurs between the user dial-in and the use of
AAA configuration information. For more information, see the chapter “Configuring Virtual
Profiles” in this publication.
Operational Processes with IP Address Pooling
During IP Control Protocol (IPCP) address negotiation, if an IP pool name is specified for a user, the
network access server checks whether the named pool is defined locally. If it is, no special action is
required and the pool is consulted for an IP address.
If the required pool is not present (either in the local configuration or as a result of a previous download
operation), an authorization call to obtain it is made using the special username:
pools-nas-name
where nas-name is the configured name of the network access server. In response, the AAA server
downloads the configuration of the required pool.
This pool username can be changed using Cisco IOS configuration, for example:
aaa configuration config-name nas1-pools-definition.cisco.us
This command has the effect of changing the username that is used to download the pool definitions from
the default name “pools-nas-name” to “nas1-pools-definition.cisco.com.”
[Figure 98 shows: 1. ISDN user dials in; 2. Authorization request from the network access server or router to the AAA server; 3. Approval response packet contains AV pairs; 4. Cisco network access server or router caches the AV pairs.]
On a TACACS+ server, the entries for an IP address pool and a user of the pool might be as follows:
user = nas1-pools {
service = ppp protocol = ip {
pool-def#1 = "aaa 10.0.0.1 10.0.0.3"
pool-def#2 = "bbb 10.1.0.1 10.1.0.10"
pool-def#3 = "ccc 10.2.0.1 10.2.0.20"
pool-timeout=60
}
}
user = georgia {
login = cleartext lab
service = ppp protocol = ip {
addr-pool=bbb
}
}
On a RADIUS server, the entries for the same IP address pool and user would be as follows:
nas1-pools Password = "cisco" User-Service-Type=Outbound-User
cisco-avpair = "ip:pool-def#1=aaa 10.0.0.1 10.0.0.3",
cisco-avpair = "ip:pool-def#2=bbb 10.1.0.1 10.1.0.10",
cisco-avpair = "ip:pool-def#3=ccc 10.2.0.1 10.2.0.20",
cisco-avpair = "ip:pool-timeout=60"
georgia Password = "lab"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "ip:addr-pool=bbb"
Note This entry specifies a User-Service-Type of Outbound-User. This attribute is supplied by the network
access server to prevent ordinary logins from using the well-known username and password
combination of nas1-pools/cisco.
Pools downloaded to a Cisco network access server are not retained in nonvolatile memory and
automatically disappear whenever the access server or router restarts. Downloaded pools can also be
made to time out automatically by adding a suitable AV pair. For more information, see the section
“Supported Attributes for AV Pairs” and the pool-timeout attribute in Table 37. Downloaded pools are
marked as dynamic in the output of the show ip local pool command.
Deleting Downloaded Pools
To delete downloaded pools, you can do either of the following:
• Manually delete the definition from the network access server. For example, if “bbb” is the name of
a downloaded pool, you can enter the Cisco IOS no ip local pool bbb command.
Deleting a pool definition does not interrupt service for current users. If a pool is deleted and then
redefined to include a pool address that is currently allocated, the new pool understands and tracks
the address as expected.
• Set an AV pair pool-timeout value; this is a more desirable solution.
The pool-timeout AV pair starts a timer when the pool is downloaded. Once the timer expires, the
pools are deleted. The next reference to the pools again causes an authorization call to be made, and
the pool definition is downloaded again. This method allows definitions to be made and changed on
the AAA server and propagated to network access servers.
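The pool download behaviour described in this section and in “Deleting Downloaded Pools”, as an added Python model that is not Cisco code: the network access server consults a local pool first, otherwise makes an authorization call with the special pools-<nas-name> username (or the name set with aaa configuration config-name), installs the pool-def# entries as dynamic pools, drops them after pool-timeout minutes or on restart and re-downloads on the next reference, and the AAA side refuses the pools entry to an ordinary login because of its Outbound-User service type. The AAA_DB contents, the minute clock and the service names "login", "ppp" and "outbound" are constructed for the demonstration.

```python
"""Added example (not from the Cisco guide): a model of per-user IP pool download,
the pools-<nas-name> username, pool-timeout expiry, and loss of pools on restart."""
import ipaddress

# Constructed AAA database keyed by username; mirrors the RADIUS entries above.
AAA_DB = {
    "pools-nas1": {
        "User-Service-Type": "Outbound-User",
        "cisco-avpair": ["ip:pool-def#1=aaa 10.0.0.1 10.0.0.3",
                         "ip:pool-def#2=bbb 10.1.0.1 10.1.0.10",
                         "ip:pool-timeout=60"],
    },
    "georgia": {"User-Service-Type": "Framed-User",
                "cisco-avpair": ["ip:addr-pool=bbb"]},
}


def aaa_authorize(username, service):
    """Return the AV pairs for username, or None. An ordinary login cannot use the
    pools-nas1 entry because its User-Service-Type is Outbound-User."""
    entry = AAA_DB.get(username)
    if entry is None or (service == "login" and entry["User-Service-Type"] == "Outbound-User"):
        return None
    return entry["cisco-avpair"]


class NasPools:
    """Local pool table of one network access server; the clock counts minutes."""

    def __init__(self, nas_name, config_name=None):
        # "aaa configuration config-name <name>" replaces the default pools-<nas-name>.
        self.pool_username = config_name or f"pools-{nas_name}"
        self.pools = {}      # name -> {"first", "last", "next_free", "dynamic", "expires"}
        self.clock = 0
        self.downloads = 0   # authorization calls made for pool definitions

    def define_pool(self, name, first, last, dynamic=False, timeout=None):
        """Install a pool; a downloaded pool is dynamic and may carry an expiry."""
        self.pools[name] = {
            "first": ipaddress.IPv4Address(first), "last": ipaddress.IPv4Address(last),
            "next_free": ipaddress.IPv4Address(first), "dynamic": dynamic,
            "expires": None if timeout is None else self.clock + timeout,
        }

    def _expire(self):
        """Delete dynamic pools whose pool-timeout has elapsed."""
        for name in [n for n, p in self.pools.items()
                     if p["dynamic"] and p["expires"] is not None and self.clock >= p["expires"]]:
            del self.pools[name]

    def _download(self):
        """Authorization call with the special username; parse pool-def# and pool-timeout."""
        avpairs = aaa_authorize(self.pool_username, "outbound")
        if not avpairs:
            return
        self.downloads += 1
        defs, timeout = [], None
        for av in avpairs:
            key, _, value = av.partition("=")
            if key.startswith("ip:pool-def#"):
                defs.append(value.split())
            elif key == "ip:pool-timeout":
                timeout = int(value)
        for name, first, last in defs:
            self.define_pool(name, first, last, dynamic=True, timeout=timeout)

    def ipcp_address(self, pool_name):
        """IPCP negotiation: hand out the next free address of pool_name, downloading
        the definition when the pool is not present locally (or has timed out)."""
        self._expire()
        if pool_name not in self.pools:
            self._download()
        pool = self.pools.get(pool_name)
        if pool is None or pool["next_free"] > pool["last"]:
            return None
        addr = pool["next_free"]
        pool["next_free"] = addr + 1
        return str(addr)

    def restart(self):
        """Downloaded pools are not kept in nonvolatile memory."""
        self.pools = {n: p for n, p in self.pools.items() if not p["dynamic"]}

    def show_ip_local_pool(self):
        """Pool names with the dynamic/static marking of the show ip local pool output."""
        return {n: ("dynamic" if p["dynamic"] else "static") for n, p in self.pools.items()}


def ppp_session(nas, username):
    """Dial-in user: authorize, read ip:addr-pool, and obtain an address from that pool."""
    for av in aaa_authorize(username, "ppp") or []:
        key, _, value = av.partition("=")
        if key == "ip:addr-pool":
            return nas.ipcp_address(value)
    return None
```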
Supported Attributes for AV Pairs
Table 37 provides a partial list of the Cisco-specific supported attributes for AV pairs that can be used
for per-user virtual interface configuration. For complete lists of Cisco-specific, vendor-specific, and
TACACS+ supported attributes, see the Cisco IOS Security Configuration Guide and Cisco IOS Security
Command Reference.
Table 37 Partial List of Cisco-Specific Supported AV Pair Attributes

Attribute: inacl#
Meaning: An input access list definition. For IP, standard or extended access list syntax can be used,
although you cannot mix them within a single list. For Internet Protocol Exchange (IPX), only extended
syntax is recognized. The value of this attribute is the text that comprises the body of a named access
list definition.

Attribute: outacl# (1)
Meaning: An output access list definition. For IP, standard or extended access list syntax can be used.
For IPX, only extended syntax is recognized. The value of this attribute is the text that comprises the
body of a named access list definition.

Attribute: rte-fltr-in#
Meaning: An input route filter. For IP, standard or extended access list syntax can be used, although
you cannot mix them within a single list. For IPX, only extended syntax is recognized. The first line of
this filter must specify a routing process. Subsequent lines comprise the body of a named access list.

Attribute: rte-fltr-out#
Meaning: An output route filter. For IP, standard or extended access list syntax can be used, although
you cannot mix them within a single list. For IPX, only extended syntax is recognized. The first line of
this filter must specify a routing process. Subsequent lines comprise the body of a named access list.

Attribute: route# (2)
Meaning: Static routes, for IP and IPX. The value is text of the form destination-address mask [gateway].

Attribute: sap#
Meaning: IPX static Service Advertising Protocol (SAP). The value is text from the body of an ipx sap
configuration command.

Attribute: sap-fltr-in#
Meaning: IPX input SAP filter. Only extended access list syntax is recognized. The value is text from the
body of an extended IPX access-list configuration command. (The Novell socket number for SAP filtering
is 452.)

Attribute: sap-fltr-out#
Meaning: IPX output SAP filter. Only extended access-list command syntax is recognized. The value is text
from the body of an extended IPX access-list configuration command.

Attribute: pool-def#
Meaning: An IP pool definition. The value is text from the body of an ip local pool configuration command.

Attribute: pool-timeout
Meaning: An IP pool definition. The body is an integer representing a timeout, in minutes.

1. The “outacl” attribute still exists and retains its old meaning.
2. The “route” attribute, without a trailing #, is still recognized for backward compatibility with the
TACACS+ protocol specification, but if multiple static routes are required in TACACS+, full “route#”
names will need to be employed.
Table 38 provides examples for each attribute on an AAA TACACS+ server.
Table 39 provides examples for each attribute on an AAA RADIUS server.
Table 38 TACACS+ Server AV Pair Examples for Each Attribute

Attribute | TACACS+ Server Examples

inacl#
    IP:
    inacl#3="permit ip any any precedence immediate"
    inacl#4="deny igrp 10.0.1.2 255.255.0.0 any"
    IPX:
    inacl#1="deny 3C01.0000.0000.0001"
    inacl#2="deny 4C01.0000.0000.0002"
outacl#
    outacl#2="permit ip any any precedence immediate"
    outacl#3="deny igrp 10.0.9.10 255.255.0.0 any"
rte-fltr-in#
    IP:
    rte-fltr-in#1="router igrp 60"
    rte-fltr-in#3="permit 10.0.3.4 255.255.0.0"
    rte-fltr-in#4="deny any"
    IPX:
    rte-fltr-in#1="deny 3C01.0000.0000.0001"
    rte-fltr-in#2="deny 4C01.0000.0000.0002"
rte-fltr-out#
    rte-fltr-out#1="router igrp 60"
    rte-fltr-out#3="permit 10.0.5.6 255.255.0.0"
    rte-fltr-out#4="permit any"
route#
    IP:
    route#1="10.0.0.0 255.0.0.0 1.2.3.4"
    route#2="10.1.0.0 255.0.0.0"
    IPX:
    route#1="4C000000 ff000000 10.12.3.4"
    route#2="5C000000 ff000000 10.12.3.5"
sap#
    sap#1="4 CE1-LAB 1234.0000.0000.0001 451 4"
    sap#2="5 CE3-LAB 2345.0000.0000.0001 452 5"
sap-fltr-in#
    sap-fltr-in#1="deny 6C01.0000.0000.0001"
    sap-fltr-in#2="permit -1"
sap-fltr-out#
    sap-fltr-out#1="deny 6C01.0000.0000.0001"
    sap-fltr-out#2="permit -1"
pool-def#
    pool-def#1 = "aaa 10.0.0.1 1.0.0.3"
    pool-def#2 = "bbb 10.1.0.1 2.0.0.10"
    pool-def#3 = "ccc 10.2.0.1 3.0.0.20"
pool-timeout
    pool-timeout=60
Table 39 RADIUS Server AV Pair Examples for Each Attribute

Attribute | RADIUS Server Examples

lcp:interface-config [1]
    cisco-avpair = "lcp:interface-config=ip address 10.0.0.0 255.255.255.0",
inacl#
    cisco-avpair = "ip:inacl#3=permit ip any any precedence immediate",
    cisco-avpair = "ip:inacl#4=deny igrp 10.0.1.2 255.255.0.0 any",
outacl#
    cisco-avpair = "ip:outacl#2=permit ip any any precedence immediate",
    cisco-avpair = "ip:outacl#3=deny igrp 10.0.9.10 255.255.0.0 any",
rte-fltr-in#
    IP:
    cisco-avpair = "ip:rte-fltr-in#1=router igrp 60",
    cisco-avpair = "ip:rte-fltr-in#3=permit 10.0.3.4 255.255.0.0",
    cisco-avpair = "ip:rte-fltr-in#4=deny any",
    IPX:
    cisco-avpair = "ipx:rte-fltr-in=deny 3C01.0000.0000.0001",
rte-fltr-out#
    cisco-avpair = "ip:rte-fltr-out#1=router igrp 60",
    cisco-avpair = "ip:rte-fltr-out#3=permit 10.0.5.6 255.255.0.0",
    cisco-avpair = "ip:rte-fltr-out#4=permit any",
route#
    IP:
    cisco-avpair = "ip:route=3.10.0.0 255.0.0.0 1.2.3.4",
    cisco-avpair = "ip:route=4.10.0.0 255.0.0.0",
    IPX:
    cisco-avpair = "ipx:route=4C000000 ff000000 10.12.3.4",
    cisco-avpair = "ipx:route=5C000000 ff000000 10.12.3.5"
sap#
    cisco-avpair = "ipx:sap=4 CE1-LAB 1234.0000.0000.0001 451 4",
    cisco-avpair = "ipx:sap=5 CE3-LAB 2345.0000.0000.0001 452 5",
sap-fltr-in#
    cisco-avpair = "ipx:sap-fltr-in=deny 6C01.0000.0000.0001",
    cisco-avpair = "ipx:sap-fltr-in=permit -1"
sap-fltr-out#
    cisco-avpair = "ipx:sap-fltr-out=deny 6C01.0000.0000.0001",
    cisco-avpair = "ipx:sap-fltr-out=permit -1"
pool-def#
    cisco-avpair = "ip:pool-def#1=aaa 10.0.0.1 1.0.0.3",
    cisco-avpair = "ip:pool-def#2=bbb 10.1.0.1 2.0.0.10",
    cisco-avpair = "ip:pool-def#3=ccc 10.2.0.1 3.0.0.20",
pool-timeout
    cisco-avpair = "ip:pool-timeout=60"

1. This attribute is specific to RADIUS servers. It can be used to add Cisco IOS interface configuration commands to specific
user configuration information.

How to Configure a AAA Server for Per-User Configuration
The configuration requirements and the structure of per-user configuration information are set by the
specifications of each type of AAA server. Refer to your server documentation for more detailed
information. The following sections about TACACS and RADIUS servers are specific to per-user
configuration:
• Configuring a Freeware TACACS Server for Per-User Configuration (As required)
• Configuring a CiscoSecure TACACS Server for Per-User Configuration (As required)
• Configuring a RADIUS Server for Per-User Configuration (As required)
See the section “Monitoring and Debugging Per-User Configuration Settings” later in this chapter for
tips on troubleshooting per-user configuration settings. See the section “Configuration Examples for
Per-User Configuration” at the end of this chapter for examples of configuring RADIUS and TACACS
servers.
Configuring per-User Configuration
How to Configure a AAA Server for Per-User Configuration
DC-706
Cisco IOS Dial Technologies Configuration Guide
Configuring a Freeware TACACS Server for Per-User Configuration
On a TACACS server, the entry in the user file takes a standard form. In the freeware version of
TACACS+, the following lines appear in order:
• “User =” followed by the username, a space, and an open brace
• Authentication parameters
• Authorization parameters
• One or more AV pairs
• End brace on a line by itself
The general form of a freeware TACACS user entry is shown in the following example:
user = username {
    authentication parameters go here
    authorization parameters go here
}
The freeware TACACS user entry form is also shown by the following examples for specific users:
user= Router1
    Password= cleartext welcome
    Service= PPP protocol= ip {
        ip:route=10.0.0.0 255.0.0.0
        ip:route=10.1.0.0 255.0.0.0
        ip:route=10.2.0.0 255.0.0.0
        ip:inacl#5=deny 10.5.0.1
    }
user= Router2
    Password= cleartext lab
    Service= PPP protocol= ip {
        ip:addr-pool=bbb
    }
For more requirements and detailed information, refer to your AAA server documentation.
Configuring a CiscoSecure TACACS Server for Per-User Configuration
The format of an entry in the user file in the AAA database is generally name = value. Some values allow
additional subparameters to be specified and, in these cases, the subparameters are enclosed in braces
({}). The following simple example depicts an AAA database showing the default user, one group, two
users that belong to the group, and one user that does not:
# Sample AAA Database 1
unknown_user = {
    password = system      # Use the system's password file (/etc/passwd)
}
group = staff {
    # Password for staff who do not have their own.
    password = des "sefjkAlM7zybE"
    service = shell {
        # Allow any commands with any attributes.
        default cmd = permit
        default attribute = permit
    }
}
user = joe {               # joe uses the group password.
    member = "staff"
}
user = pete {              # pete has his own password.
    member = "staff"
    password = des "alkd9Ujiqp2y"
}
user = anita {
    # Use the "default" user password mechanism defined above.
    service = shell {
        cmd = telnet {     # Allow Telnet to any destination
        }
    }
}
For more information about the requirements and details of configuring the CiscoSecure server, see the
CiscoSecure UNIX Server User Guide.
Configuring a RADIUS Server for Per-User Configuration
On a RADIUS server, the format of an entry in the users file includes the following lines in order:
• Username and password
• User service type
• Framed protocol
• One or more AV pairs
Note All these AV pairs are vendor specific. To use them, RADIUS servers must support the use of
vendor-specific AV pairs. Patches for some servers are available from the Cisco Consulting
Engineering (CE) customer-support organization.
The structure of an AV pair for Cisco platforms starts with cisco-avpair followed by a space, an equal
sign, and another space. The rest of the line is within double quotation marks and, for all lines but the
last, ends with a comma. Inside the double quotation marks is a phrase indicating the supported attribute,
another equal sign, and a Cisco IOS command. The following examples show two different partial user
configurations on a RADIUS server.
Router1
    Password = "welcome"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:route=10.0.0.0 255.0.0.0",
    cisco-avpair = "ip:route=10.1.0.0 255.0.0.0",
    cisco-avpair = "ip:route=10.2.0.0 255.0.0.0",
    cisco-avpair = "ip:inacl#5=deny 10.5.0.1"
Router2
    Password = "lab"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:addr-pool=bbb"
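The attribute table and the TACACS+ and RADIUS user-file formats above are easy to get subtly wrong by hand (a repeated index, an IPX-only attribute under an ip: prefix, a permit-everything entry ahead of the denies it was meant to precede). The following Python lint is an added example, not code from the Cisco guide or from any TACACS+ or RADIUS server: it parses AV-pair lines in the TACACS+ freeware and RADIUS cisco-avpair forms documented here, and the duplicate-index, shadowing and IP/IPX scope checks are the example's own policy rather than IOS behaviour stated by the guide.

```python
"""Lint the per-user AV pairs of one AAA user entry before loading them on a
TACACS+ or RADIUS server.  Added example, not code from the Cisco IOS guide.

Accepted line shapes (all documented by the guide):
    route#1="10.0.0.0 255.0.0.0 1.2.3.4"          TACACS+ freeware
    ip:inacl#5=deny 10.5.0.1                      TACACS+ freeware
    cisco-avpair = "ip:inacl#5=deny 10.5.0.1",    RADIUS
Attribute names and IP/IPX scope come from the guide's attribute table; the
duplicate-index, shadowing and scope checks are this example's own policy.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Attribute -> protocol prefixes the guide documents it for.
ATTRIBUTES = {
    "inacl": {"ip", "ipx"}, "outacl": {"ip", "ipx"},
    "rte-fltr-in": {"ip", "ipx"}, "rte-fltr-out": {"ip", "ipx"},
    "route": {"ip", "ipx"}, "addr-pool": {"ip"},
    "sap": {"ipx"}, "sap-fltr-in": {"ipx"}, "sap-fltr-out": {"ipx"},
    "pool-def": {"ip"}, "pool-timeout": {"ip"},
}
# An access-list entry that matches everything.  IOS ACLs are first-match,
# so later entries in the same list can never be reached.
CATCH_ALL = re.compile(r"^permit\s+(-1|any|ip\s+any\s+any)\s*$")
AV_RE = re.compile(
    r'^\s*(?:cisco-avpair\s*=\s*")?'   # RADIUS wrapper, absent in TACACS+
    r"(?:(ip|ipx|lcp):)?"              # protocol prefix, optional in TACACS+
    r"([a-z-]+)(?:#(\d+))?"            # attribute name and optional index
    r'\s*=\s*"?([^"]*?)"?\s*,?\s*$')   # value; quotes and trailing comma optional


@dataclass(frozen=True)
class AVPair:
    protocol: str | None
    name: str
    index: int | None
    value: str


def parse_av(line: str) -> AVPair:
    """Parse one AV-pair line in either server syntax; raise if it is neither."""
    m = AV_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised AV pair: {line.strip()!r}")
    proto, name, idx, value = m.groups()
    return AVPair(proto, name, int(idx) if idx else None, value.strip())


def lint(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, message) findings for one user's AV pairs."""
    findings = []
    first_seen = {}    # (protocol, name, index) -> first line defining it
    catch_all_at = {}  # (protocol, list name) -> index of its catch-all permit
    for no, raw in enumerate(lines, 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            av = parse_av(raw)
        except ValueError as exc:
            findings.append((no, str(exc)))
            continue
        if av.protocol == "lcp":
            continue  # lcp:interface-config carries free-form IOS commands
        if av.name not in ATTRIBUTES:
            findings.append((no, f"unknown per-user attribute {av.name!r}"))
            continue
        if av.protocol and av.protocol not in ATTRIBUTES[av.name]:
            findings.append((no, f"{av.name} is not an {av.protocol.upper()} attribute"))
        key = (av.protocol, av.name, av.index)
        if av.index is not None and key in first_seen:
            findings.append((no, f"{av.name}#{av.index} repeats line {first_seen[key]}; "
                                 "the order of the two entries is ambiguous"))
        first_seen.setdefault(key, no)
        if av.index is not None and av.name.endswith(("acl", "fltr-in", "fltr-out")):
            acl = (av.protocol, av.name)
            if acl in catch_all_at and av.index > catch_all_at[acl]:
                findings.append((no, f"{av.name}#{av.index} is shadowed by the "
                                     f"catch-all permit at #{catch_all_at[acl]}"))
            elif CATCH_ALL.match(av.value):
                catch_all_at.setdefault(acl, av.index)
        if av.name == "pool-timeout" and not av.value.isdigit():
            findings.append((no, "pool-timeout must be an integer number of minutes"))
    return findings


# Constructed samples built from the guide's own entries: the RADIUS one keeps
# the repeated sap-fltr-in#23 index from the IPX example and adds a mis-scoped
# "ip:sap-fltr-in" line; the TACACS+ one moves a catch-all permit ahead of a
# more specific entry.
SAMPLE_RADIUS = [
    'cisco-avpair = "ipx:sap=101 CYBER-01 40.0000.0000.0001 400 10",',
    'cisco-avpair = "ipx:sap-fltr-out#20=deny 40 101",',
    'cisco-avpair = "ipx:sap-fltr-out#21=deny 40 202",',
    'cisco-avpair = "ipx:sap-fltr-out#22=permit -1",',
    'cisco-avpair = "ipx:sap-fltr-in#23=permit 30 444",',
    'cisco-avpair = "ipx:sap-fltr-in#23=deny -1"',
    'cisco-avpair = "ip:sap-fltr-in#24=deny -1"',
]
SAMPLE_TACACS = [
    'rte-fltr-out#1="router igrp 60"',
    'rte-fltr-out#3="permit any"',
    'rte-fltr-out#4="permit 10.0.5.6 255.255.0.0"',
    "pool-timeout=60",
]
```

Running lint(SAMPLE_RADIUS) reports the repeated #23 and the ip:-scoped SAP filter; lint(SAMPLE_TACACS) reports that rte-fltr-out#4 can never match.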
Monitoring and Debugging Per-User Configuration Settings
Per-user configuration information exists on AAA servers only and is configured there, as described in
the “How to Configure a AAA Server for Per-User Configuration” section.
For more information about configuring an application that can tie AAA per-user configuration
information to generic interface and router configuration, see the chapter “Configuring Virtual Profiles”
in this publication. Virtual profiles are required for combining per-user configuration information and
generic interface and router configuration information to create virtual access interfaces for individual
ISDN B channels.
However, you can monitor and debug the per-user configuration settings on the router or access server
that are set from an AAA server. Table 40 indicates some of the commands to use for each attribute.
Table 40 Monitoring and Debugging Per-User Configuration Commands

Attribute | show Commands | debug Commands

inacl#, outacl#
    show: show ip access-list; show ip interface interface; show ipx access-list; show ipx interface
    debug: debug aaa authorization; debug aaa per-user
rte-fltr-in#, rte-fltr-out#
    show: show ip access-list; show ip protocols
    debug: debug aaa authorization; debug aaa per-user
route#
    show: show ip route; show ipx route
    debug: debug aaa authorization; debug aaa per-user
sap#
    show: show ipx servers
    debug: debug aaa authorization; debug aaa per-user
sap-fltr-in#, sap-fltr-out#
    show: show ipx access-list; show ipx interface
    debug: debug aaa authorization; debug aaa per-user
pool-def#, pool-timeout
    show: show ip local pool [name]
    debug: —

Configuration Examples for Per-User Configuration
The following sections provide two comprehensive examples:
• TACACS+ Freeware Examples
• RADIUS Examples
These examples show router or access server configuration and AV pair configuration on an AAA server.
TACACS+ Freeware Examples
This section provides the TACACS+ freeware versions of the following examples:
• IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI
• IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface
IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI
The following example provides configurations for the TACACS+ freeware daemon, the network access
server, and the peer router named Router1. On the TACACS+ AAA server, peer router Router1 has a
configuration that includes static routes and IP access lists.
TACACS+ Freeware Daemon Configuration File
key = tac123
user = Router1 {
    global = cleartext welcome
    service = ppp protocol = ip {
        route#1="10.0.0.0 255.0.0.0"
        route#2="10.1.0.0 255.0.0.0"
        route#3="10.2.0.0 255.0.0.0"
        inacl#1="deny 10.5.0.1"
    }
}
Current Network Access Server Configuration
version 11.3
service timestamps debug datetime localtime
service udp-small-servers
service tcp-small-servers
!
hostname Router2
!
aaa new-model
aaa authentication ppp default tacacs+
aaa authorization network tacacs+
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
username Router1 password 7 15050E0007252621
ip host Router2 172.21.114.132
ip domain-name cisco.com
ip name-server 172.19.2.132
ip name-server 192.168.30.32
isdn switch-type basic-5ess
interface Ethernet 0
ip address 172.21.114.132 255.255.255.224
no ip mroute-cache
media-type 10BaseT
!
interface Virtual-Template1
ip unnumbered Ethernet0
no cdp enable
!
!
interface BRI0
ip unnumbered Ethernet0
no ip mroute-cache
encapsulation ppp
no ip route-cache
dialer idle-timeout 300
dialer map ip 10.5.0.1 name Router1 broadcast 61482
dialer-group 1
no fair-queue
ppp authentication chap
!
!
ip default-gateway 172.21.114.129
no ip classless
ip route 0.0.0.0 0.0.0.0 172.21.114.129
!
virtual-profile virtual-template 1
dialer-list 1 protocol ip permit
tacacs-server host 172.21.114.130
tacacs-server key tac123
Current Peer Configuration for Router1
version 11.3
no service pad
!
hostname Router1
!
enable secret 5 $1$m1WK$RsjborN1Z.XZuFqsrtSnp/
enable password lab
!
username Router2 password 7 051C03032243430C
ip host Router1 172.21.114.134
ip domain-name cisco.com
ip name-server 172.19.2.132
ip name-server 192.168.30.32
isdn switch-type basic-5ess
!
interface Ethernet0
ip address 172.21.114.134 255.255.255.224
no ip route-cache
shutdown
!
interface BRI0
ip address 10.5.0.1 255.0.0.0
encapsulation ppp
dialer map ip 172.21.114.132 name Router2 broadcast 61483
dialer-group 1
no fair-queue
!
ip default-gateway 172.21.114.129
no ip classless
ip route 172.21.0.0 255.255.0.0 BRI0
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
line vty 0 4
password lab
login
end
IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface
The following example provides configurations for the TACACS+ daemon and the peer router named
Router1. On the TACACS+ AAA server, user ny has a configuration that includes inbound and outbound
SAP filters.
TACACS+ Freeware Daemon Configuration File for User
key = tac123
user = Router1 {
    global = cleartext welcome
    service = ppp protocol = ipx {
        sap="101 CYBER-01 40.0000.0000.0001 400 10"
        sap="202 CYBER-02 40.0000.0000.0001 401 10"
        sap="303 CYBER-03 40.0000.0000.0001 402 10"
        sap-fltr-out#1="deny 40 101"
        sap-fltr-out#2="deny 40 202"
        sap-fltr-out#3="permit -1"
        sap-fltr-in#1="permit 30 444"
        sap-fltr-in#2="deny -1"
    }
}
Current Remote Peer (Router1) Configuration
version 11.3
!
hostname Router1
!
enable password lab
!
username Router2 password 7 140017070F0B272E
ip host Router1 172.21.114.131
ip name-server 172.19.2.132
ip name-server 192.168.30.32
ipx routing 0000.0c47.090d
ipx internal-network 30
!
interface Ethernet0
ip address 172.21.114.131 255.255.255.224
!
interface Serial1
no ip address
encapsulation ppp
ipx ipxwan 0 unnumbered peer-Router1
clockrate 4000000
!
ipx sap 444 ZEON-4 30.0000.0000.0001 444 10
ipx sap 555 ZEON-5 30.0000.0000.0001 555 10
ipx sap 666 ZEON-6 30.0000.0000.0001 666 10
!
Current Network Access Server (Router2) Configuration
version 11.3
service timestamps debug uptime
!
hostname Router2
!
aaa new-model
aaa authentication ppp default tacacs+
aaa authorization network tacacs+
enable password lab
!
username Router1 password 7 044C0E0A0C2E414B
ip host LA 172.21.114.133
ip name-server 192.168.30.32
ip name-server 172.19.2.132
ipx routing 0000.0c47.12d3
ipx internal-network 40
!
interface Ethernet0
ip address 172.21.114.133 255.255.255.224
!
interface Virtual-Template1
no ip address
ipx ipxwan 0 unnumbered nas-Router2
no cdp enable
!
interface Serial1
ip unnumbered Ethernet0
encapsulation ppp
ipx ipxwan 0 unnumbered nas-Router2
ppp authentication chap
!
ipx sap 333 DEEP9 40.0000.0000.0001 999 10
!
virtual-profile virtual-template 1
tacacs-server host 172.21.114.130
tacacs-server key tac123
RADIUS Examples
This section provides the RADIUS versions of the following examples:
• IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI
• IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface
IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI
The following example shows a remote peer (Router1) configured to dial in to a BRI on a Cisco network
access server (Router2), which requests user configuration information from an AAA server (radiusd):
RADIUS User File (Router1)
Password = "welcome"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "ip:route=10.1.0.0 255.0.0.0",
cisco-avpair = "ip:route=10.2.0.0 255.0.0.0",
cisco-avpair = "ip:route=10.3.0.0 255.0.0.0",
cisco-avpair = "ip:inacl#5=deny 10.0.0.1"
Current Network Access Server Configuration
version 11.3
service timestamps debug datetime localtime
service udp-small-servers
service tcp-small-servers
!
hostname Router2
!
aaa new-model
aaa authentication ppp default radius
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
username Router1 password 7 15050E0007252621
ip host Router2 172.21.114.132
ip domain-name cisco.com
ip name-server 172.19.2.132
ip name-server 192.168.30.32
isdn switch-type basic-5ess
interface Ethernet0
ip address 172.21.114.132 255.255.255.224
no ip mroute-cache
media-type 10BaseT
!
interface Virtual-Template1
ip unnumbered Ethernet0
no cdp enable
!
interface BRI0
ip unnumbered Ethernet0
no ip mroute-cache
encapsulation ppp
no ip route-cache
dialer idle-timeout 300
dialer map ip 10.5.0.1 name Router1 broadcast 61482
dialer-group 1
no fair-queue
ppp authentication chap
!
ip default-gateway 172.21.114.129
no ip classless
ip route 0.0.0.0 0.0.0.0 172.21.114.129
!
virtual-profile vtemplate 1
dialer-list 1 protocol ip permit
radius-server host 172.21.114.130
radius-server key rad123
Current Peer Configuration for Router1
version 11.3
no service pad
!
hostname Router1
!
enable secret 5 $1$m1WK$RsjborN1Z.XZuFqsrtSnp/
enable password lab
!
username Router2 password 7 051C03032243430C
ip host Router1 172.21.114.134
ip domain-name cisco.com
ip name-server 172.19.2.132
ip name-server 192.168.30.32
isdn switch-type basic-5ess
!
interface Ethernet0
ip address 172.21.114.134 255.255.255.224
no ip route-cache
shutdown
!
interface BRI0
ip address 10.5.0.1 255.0.0.0
encapsulation ppp
dialer map ip 172.21.114.132 name Router2 broadcast 61483
dialer-group 1
no fair-queue
!
ip default-gateway 172.21.114.129
no ip classless
ip route 172.21.0.0 255.255.0.0 BRI0
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
line vty 0 4
password lab
login
!
end
Output of ping Command from Router1
Router1# ping 172.21.114.132
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.21.114.132, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
(fails due to access list deny)
RADIUS Debug Output
radrecv: Request from host ac157284 code=1, id=46, length=67
    Client-Id = 172.21.114.132
    Client-Port-Id = 1112670208
    User-Name = "Router1"
    CHAP-Password = "\037\317\213\326*\236)#+\266\243\255x\331\370v\334"
    User-Service-Type = Framed-User
    Framed-Protocol = PPP
Sending Ack of id 46 to ac157284 (172.21.114.132)
    User-Service-Type = Framed-User
    Framed-Protocol = PPP
    [Vendor 9] cisco-avpair = "ip:route=10.0.0.0 255.0.0.0"
    [Vendor 9] cisco-avpair = "ip:route=10.1.0.0 255.0.0.0"
    [Vendor 9] cisco-avpair = "ip:route=10.2.0.0 255.0.0.0"
    [Vendor 9] cisco-avpair = "ip:inacl#5=deny 10.0.0.1"
Network Access Server (Router2) show and debug Command Output
Router2# show debug
General OS:
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
Multilink activity debugging is on
ISDN:
ISDN events debugging is on
Dial on demand:
Dial on demand events debugging is on
VTEMPLATE:
Virtual Template debugging is on
*Apr 4 08:30:09: ISDN BR0: received HOST_INCOMING_CALL
    Bearer Capability i = 0x080010
*Apr 4 08:30:09: -------------------
    Channel ID i = 0x0101
*Apr 4 08:30:09: IE out of order or end of 'private' IEs --
    Bearer Capability i = 0x8890
*Apr 4 08:30:09: Channel ID i = 0x89
*Apr 4 08:30:09: Called Party Number i = 0xC1, '61483'
*Apr 4 08:30:09: ISDN BR0: Event: Received a call from on B1 at 64 Kb/s
*Apr 4 08:30:09: ISDN BR0: Event: Accepting the call
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Apr 4 08:30:09: ISDN BR0: received HOST_CONNECT
Channel ID i = 0x0101
*Apr 4 08:30:09: -------------------
Channel ID i = 0x89
*Apr 4 08:30:09: ISDN BR0: Event: Connected to on B1 at 64 Kb/s
*Apr 4 08:30:09: PPP BRI0:1: Send CHAP challenge id=30 to remote
*Apr 4 08:30:10: PPP BRI0:1: CHAP response received from Router1
*Apr 4 08:30:10: PPP BRI0:1: CHAP response id=30 received from Router1
*Apr 4 08:30:10: AAA/AUTHOR/LCP: authorize LCP
*Apr 4 08:30:10: AAA/AUTHOR/LCP: BRI0:1: (0): user='Router1'
*Apr 4 08:30:10: AAA/AUTHOR/LCP: BRI0:1: (0): send AV service=ppp
*Apr 4 08:30:10: AAA/AUTHOR/LCP: BRI0:1: (0): send AV protocol=lcp
*Apr 4 08:30:10: AAA/AUTHOR/LCP: BRI0:1: (2084553184): Method=RADIUS
*Apr 4 08:30:10: AAA/AUTHOR (2084553184): Post authorization status = PASS_ADD
*Apr 4 08:30:10: PPP BRI0:1: Send CHAP success id=30 to remote
*Apr 4 08:30:10: PPP BRI0:1: remote passed CHAP authentication.
*Apr 4 08:30:10: VTEMPLATE Reuse vaccess1, New Recycle queue size:0
*Apr 4 08:30:10: VTEMPLATE set default vaccess1 with no ip address
*Apr 4 08:30:10: Virtual-Access1 VTEMPLATE hardware address 0000.0c46.154a
*Apr 4 08:30:10: VTEMPLATE vaccess1 has a new cloneblk vtemplate, now it has vtemplate
*Apr 4 08:30:10: VTEMPLATE undo default settings vaccess1
*Apr 4 08:30:10: VTEMPLATE ************* CLONE VACCESS1 ******************
*Apr 4 08:30:10: VTEMPLATE Clone from vtemplate1 to vaccess1
interface Virtual-Access1
no ip address
encap ppp
ip unnumbered ethernet 0
end
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Apr 4 08:30:10: AAA/AUTHOR/LCP: authorize LCP
*Apr 4 08:30:10: AAA/AUTHOR/LCP: Virtual-Access1: (0): user='Router1'
*Apr 4 08:30:10: AAA/AUTHOR/LCP: Virtual-Access1: (0): send AV service=ppp
*Apr 4 08:30:10: AAA/AUTHOR/LCP: Virtual-Access1: (0): send AV protocol=lcp
*Apr 4 08:30:10: AAA/AUTHOR/LCP: Virtual-Access1: (1338953760): Method=RADIUS
*Apr 4 08:30:10: AAA/AUTHOR (1338953760): Post authorization status = PASS_ADD
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): can we start IPCP?
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): user='Router1'
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV service=ppp
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV protocol=ip
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (1716082074): Method=RADIUS
*Apr 4 08:30:10: AAA/AUTHOR (1716082074): Post authorization status = PASS_ADD
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: we can start IPCP (0x8021)
*Apr 4 08:30:10: MLP Bad link Virtual-Access1
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): can we start UNKNOWN?
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): user='Router1'
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV service=ppp
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV protocol=unknown
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (2526612868): Method=RADIUS
*Apr 4 08:30:10: AAA/AUTHOR (2526612868): Post authorization status = PASS_ADD
*Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: we can start UNKNOWN (0x8207)
*Apr 4 08:30:10: MLP Bad link Virtual-Access1
*Apr 4 08:30:10: BRI0:1: Vaccess started from dialer_remote_name
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): can we start IPCP?
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): user='Router1'
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): send AV service=ppp
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): send AV protocol=ip
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (3920403585): Method=RADIUS
*Apr 4 08:30:10: AAA/AUTHOR (3920403585): Post authorization status = PASS_ADD
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: we can start IPCP (0x8021)
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): can we start UNKNOWN?
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): user='Router1'
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): send AV service=ppp
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): send AV protocol=unknown
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (3439943223): Method=RADIUS
*Apr 4 08:30:10: AAA/AUTHOR (3439943223): Post authorization status = PASS_ADD
*Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: we can start UNKNOWN (0x8207)
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: start: her address 10.0.0.1, we want 0.0.0.0
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): user='Router1'
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): send AV servi*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): send AV service=ppp
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): send AV protocol=ip
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): send AV addr*10.0.0.1
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (3215797579): Method=RADIUS
*Apr 4 08:30:13: AAA/AUTHOR (3215797579): Post authorization status = PASS_ADD
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV service=ppp
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV protocol=ip
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV addr*10.0.0.1
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV route=10.1.0.0 255.0.0.0
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV route=10.2.0.0 255.0.0.0
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV route=10.3.0.0 255.0.0.0
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV inacl#5=deny 10.0.0.1
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: authorization succeeded
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: done: her address 10.0.0.1, we want 10.0.0.1
*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: authorization succeeded
*Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: parse_cmd 'ip route 10.0.0.0 255.0.0.0 10.0.0.1' ok (0)
*Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: enqueue peruser IP txt=no ip route 10.0.0.0 255.0.0.0 10.0.0.1
*Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: parse_cmd 'ip route 11.0.0.0 255.0.0.0 10.0.0.1' ok (0)
*Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: enqueue peruser IP txt=no ip route 11.0.0.0 255.0.0.0 10.0.0.1
*Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: parse_cmd 'ip route 12.0.0.0 255.0.0.0 10.0.0.1' ok (0)
*Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: enqueue peruser IP txt=no ip route 12.0.0.0 255.0.0.0 10.0.0.1
*Apr 4 08:30:13: AAA/AUTHOR: parse 'ip access-list standard Virtual-Access1#1' ok (0)
*Apr 4 08:30:13: AAA/AUTHOR: parse 'deny 10.0.0.1' ok (0)
*Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: enqueue peruser IP txt=no ip access-list standard Virtual-Access1#1
*Apr 4 08:30:13: VTEMPLATE vaccess1 has a new cloneblk AAA, now it has vtemplate/AAA
*Apr 4 08:30:13: VTEMPLATE ************* CLONE VACCESS1 *****************
*Apr 4 08:30:13: VTEMPLATE Clone from AAA to vaccess1
interface Virtual-Access1
ip access-group Virtual-Access1#1 in
*Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: vaccess parse 'interface Virtual-Access1
ip access-group Virtual-Access1#1 in
' ok (0)
*Apr 4 08:30:13: AAA/AUTHOR/FSM: Check for unauthorized mandatory AV's
*Apr 4 08:30:13: AAA/AUTHOR/FSM: Processing AV service=ppp
*Apr 4 08:30:13: AAA/AUTHOR/FSM: Processing AV protocol=unknown
*Apr 4 08:30:13: AAA/AUTHOR/FSM: succeeded
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to Router1
Router2# show ip access-list
Standard IP access list Virtual-Access1#1 (per-user)
deny 10.0.0.1
Router2# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
Gateway of last resort is 172.21.114.129 to network 0.0.0.0
U 10.0.0.0/8 [1/0] via 10.3.0.1
U 10.1.0.0/8 [1/0] via 10.3.0.1
U 10.2.0.0/8 [1/0] via 10.3.0.1
10.3.0.0/8 is subnetted, 1 subnets
C 10.3.0.1 is directly connected, Virtual-Access1
172.21.0.0/16 is subnetted, 1 subnets
C 172.21.114.128 is directly connected, Ethernet0
S* 0.0.0.0/0 [1/0] via 172.21.114.129
Router2# show interfaces virtual-access 1
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Ethernet0 (172.21.114.132)
MTU 1500 bytes, BW 64 Kbit, DLY 100000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
LCP Open, multilink Closed
Open: IPCP, CDP
Last input 5d04h, output never, output hang never
Last clearing of "show interface" counters 00:06:42
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
76 packets input, 3658 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
141 packets output, 2909 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Router2# show ip interface virtual-access 1
Virtual-Access1 is up, line protocol is up
Interface is unnumbered. Using address of Ethernet0 (172.21.114.132)
Broadcast address is 255.255.255.255
Peer address is 10.0.0.1
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Outgoing access list is not set
Inbound access list is Virtual-Access1#1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
Router2# debug ip packet
IP packet debugging is on
Router2#
*Apr 4 08:30:42: IP: s=172.21.114.129 (Ethernet0), d=255.255.255.255, len 186, rcvd 2
*Apr 4 08:30:42: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, a*Apr 4 08:30:42: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, access denied
*Apr 4 08:30:42: IP: s=172.21.114.132 (local), d=10.0.0.1 (Virtual-Access1), len 4, sending
*Apr 4 08:30:42: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, access denied
*Apr 4 08:30:44: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, access denied
*Apr 4 08:30:44: IP: s=172.21.114.132 (local), d=10.0.0.1 (Virtual-Access1), len 16, sending
*Apr 4 08:30:44: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, access denied
IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface
The following examples show a remote peer (Router1) configured to dial in to a synchronous interface
on a Cisco network access server (Router2), which requests user configuration information from an AAA
server (radiusd):
RADIUS User File (Router 1)
Password = "welcome"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "ipx:sap=101 CYBER-01 40.0000.0000.0001 400 10",
cisco-avpair = "ipx:sap=202 CYBER-02 40.0000.0000.0001 401 10",
cisco-avpair = "ipx:sap=303 CYBER-03 40.0000.0000.0001 402 10",
cisco-avpair = "ipx:sap-fltr-out#20=deny 40 101",
cisco-avpair = "ipx:sap-fltr-out#21=deny 40 202",
cisco-avpair = "ipx:sap-fltr-out#22=permit -1",
cisco-avpair = "ipx:sap-fltr-in#23=permit 30 444",
cisco-avpair = "ipx:sap-fltr-in#23=deny -1"
Current Remote Peer (Router 1) Configuration
hostname Router1
!
enable password lab
!
username Router2 password 7 140017070F0B272E
ip host Router1 172.21.114.131
ip name-server 172.19.2.132
ip name-server 192.168.30.32
ipx routing 0000.0c47.090d
ipx internal-network 30
!
interface Ethernet0
ip address 172.21.114.131 255.255.255.224
!
interface Serial1
no ip address
encapsulation ppp
ipx ipxwan 0 unnumbered peer-Router1
clockrate 4000000
!
ipx sap 444 ZEON-4 30.0000.0000.0001 444 10
ipx sap 555 ZEON-5 30.0000.0000.0001 555 10
ipx sap 666 ZEON-6 30.0000.0000.0001 666 10
!
...
version 12.1
service timestamps debug uptime
!
hostname Router2
!
aaa new-model
aaa authentication ppp default radius
aaa authorization network radius
enable password lab
!
username Router1 password 7 044C0E0A0C2E414B
ip host Router2 172.21.114.133
ip name-server 172.22.30.32
ip name-server 192.168.2.132
ipx routing 0000.0c47.12d3
ipx internal-network 40
!
interface Ethernet0
ip address 172.21.114.133 255.255.255.224
!
interface Virtual-Template1
no ip address
ipx ipxwan 0 unnumbered nas-Router2
no cdp enable
!
interface Serial1
ip unnumbered Ethernet0
encapsulation ppp
ipx ipxwan 0 unnumbered nas-Router2
ppp authentication chap
!
ipx sap 333 DEEP9 40.0000.0000.0001 999 10
!
virtual-profile vtemplate 1
radius-server host 172.21.114.130
radius-server key rad123
RADIUS debug Output
radrecv: Request from host ac157285 code=1, id=23, length=67
Client-Id = 172.21.114.133
Client-Port-Id = 1399128065
User-Name = "Router1"
CHAP-Password = "%"(\012I$\262\352\031\276\024\302\277\225\347z\274"
User-Service-Type = Framed-User
Framed-Protocol = PPP
Sending Ack of id 23 to ac157285 (172.21.114.133)
User-Service-Type = Framed-User
Framed-Protocol = PPP
[Vendor 9] cisco-avpair = "ipx:sap=101 CYBER-01 40.0000.0000.0001 400 10"
[Vendor 9] cisco-avpair = "ipx:sap=202 CYBER-02 40.0000.0000.0001 401 10"
[Vendor 9] cisco-avpair = "ipx:sap=303 CYBER-03 40.0000.0000.0001 402 10"
[Vendor 9] cisco-avpair = "ipx:sap-fltr-out#20=deny 40 101"
[Vendor 9] cisco-avpair = "ipx:sap-fltr-out#21=deny 40 202"
[Vendor 9] cisco-avpair = "ipx:sap-fltr-out#22=permit -1"
[Vendor 9] cisco-avpair = "ipx:sap-fltr-in#23=permit 30 444"
[Vendor 9] cisco-avpair = "ipx:sap-fltr-in#23=deny -1"
Network Access Server show Command Output
Router2# show ipx servers
Codes: S - Static, P - Periodic, E - EIGRP, N - NLSP, H - Holddown, + = detail
5 Total IPX Servers
Table ordering is based on routing and server info
Type Name Net Address Port Route Hops Itf
s 101 CYBER-01 40.0000.0000.0001:0400 conn 10 Int
s 202 CYBER-02 40.0000.0000.0001:0401 conn 10 Int
s 303 CYBER-03 40.0000.0000.0001:0402 conn 10 Int
S 333 DEEP9 40.0000.0000.0001:0999 conn 10 Int
P 444 ZEON-4 30.0000.0000.0001:0444 7/01 11 Vi1
Router1# show ipx servers
Codes: S - Static, P - Periodic, E - EIGRP, N - NLSP, H - Holddown, + = detail
5 Total IPX Servers
Table ordering is based on routing and server info
Type Name Net Address Port Route Hops Itf
P 303 CYBER-03 40.0000.0000.0001:0402 7/01 11 Se1
P 333 DEEP9 40.0000.0000.0001:0999 7/01 11 Se1
S 444 ZEON-4 30.0000.0000.0001:0444 conn 10 Int
S 555 ZEON-5 30.0000.0000.0001:0555 conn 10 Int
S 666 ZEON-6 30.0000.0000.0001:0666 conn 10 Int
Router2# show ipx access-list
IPX sap access list Virtual-Access1#2
permit 30 444
deny FFFFFFFF
IPX sap access list Virtual-Access1#3
deny 40 101
deny 40 202
permit FFFFFFFF
Configuring Resource Pool Management
This chapter describes the Cisco Resource Pool Management (RPM) feature. It includes the following
main sections:
• RPM Overview
• How to Configure RPM
• Verifying RPM Components
• Troubleshooting RPM
• Configuration Examples for RPM
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature, or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.
For a complete description of the commands mentioned in this chapter, refer to the Cisco IOS Dial
Technologies Command Reference, Release 12.2. To locate documentation of other commands that
appear in this chapter, use the command reference master index or search online.
RPM Overview
Cisco RPM enables telephone companies and Internet service providers (ISPs) to share dial resources
for wholesale and retail dial network services. With RPM, telcos and ISPs can count, control, and
manage dial resources and provide accounting for shared resources when implementing different
service-level agreements.
You can run RPM on a single, standalone Cisco network access server (NAS) or, optionally, across
multiple NAS stacks by using one or more external Cisco Resource Pool Manager Servers (RPMS).
Cisco RPM gives data network service providers the capability to do the following:
• Have the flexibility to include local retail dial services in the same NAS with the wholesale dial
customers.
• Manage customer use of shared resources such as modems or High-Level Data Link Control
(HDLC) controllers for data calls.
• Offer advanced wholesale dialup services using a Virtual Private Dialup Network (VPDN) to
enterprise accounts and ISPs.
• Deploy Data over Voice Bearer Service (DoVBS).
• Manage call sessions by differentiating dial customers through customer profiles. The customer
profile determines where resources are allocated and is based on the incoming Dialed Number
Information Service (DNIS) number or Calling Line Identification (CLID).
• Efficiently use resource groups such as modems to offer differing oversubscription rates and dial
service-level agreements.
Note Ear and Mouth Feature Group B (E&M-FGB) is the only signaling type supported for
channel-associated signaling (CAS) on T1 and T3 facilities; R2 is supported for E1 facilities. FG D
is not supported. Cisco IOS software collects DNIS digits for the signaling types FGB, PRI, and SS7
and only E&M-FGB and R2 CAS customer profiles are supported. For all other CAS signaling types,
use the default DNIS group customer profiles.
Components of Incoming and Outgoing Call Management
Cisco RPM manages both incoming calls and outgoing sessions. Cisco RPM differentiates dial
customers through configured customer profiles based on the DNIS and call type determined at the time
of an incoming call.
The components of incoming call management in the Cisco RPM are described in the following sections:
• Customer Profile Types
• DNIS Groups
• Call Types
• Resource Groups
• Resource Services
You can use Cisco RPM to answer all calls and differentiate customers by using VPDN profiles and
groups. The components of outgoing session management in the Cisco RPM are described in the
following sections:
• VPDN Groups
• VPDN Profiles
Note These components of Cisco RPM are enabled after the NAS and other equipment have been initially
set up, configured, and verified for proper operation of the dial, PPP, VPDN, and authentication,
authorization, and accounting (AAA) segments. Refer to the Cisco IOS documentation for these
other segments for installation, configuration, and troubleshooting information before attempting to
use RPM.
Configured DNIS groups and resource data can be associated to customer profiles. These customer
profiles are selected by the incoming call DNIS number and call type and then used to identify resource
allocations based on the associated resource groups and defined resource services.
After the call is answered, customer profiles can also be associated with VPDN groups so the configured
VPDN sessions and other data necessary to set up or reject a VPDN session are applied to the answered
calls. VPDN group data includes associated domain name or DNIS, IP addresses of endpoints, maximum
sessions per endpoint, maximum Multilink PPP (MLP) bundles per VPDN group, maximum links per
MLP bundle, and other tunnel information.
Customer Profile Types
There are three types of customer profiles in Cisco RPM, which are described in the following sections:
• Customer Profiles
• Default Customer Profiles
• Backup Customer Profiles
Additionally, you can create a customer profile template and associate it with a customer profile; it is
then integrated into the customer profile.
Customer Profiles
A customer profile defines how and when to answer a call. Customer profiles include the following
components (see Figure 99):
• Customer profile name and description—Name and description of the customer.
• Session limits—Maximum number of standard sessions.
• Overflow limits—Maximum number of overflow sessions.
• DNIS groups.
• CLID.
• Resource groups.
• Resource services.
• VPDN groups and VPDN profiles.
• Call treatment—Determines how calls that exceed the session and overflow limits are treated.
Figure 99 Components of a Customer Profile
The incoming side of the customer profile determines if the call will be answered using parameters such
as DNIS and call type from the assigned DNIS group and session limits. The call is then assigned the
appropriate resource within the resource group defined in the customer profile. Each configured
customer profile includes a maximum allowed session value and an overflow value. As sessions are
started and ended, session counters are incremented and decremented so customer status is kept current.
This information is used to monitor the customer resource limit and determine the appropriate call
treatment based on the configured session limits.
[Figure 99 diagram: incoming call management (customer profile name, session limits, overflow limits, DNIS groups, resource groups, resource services) leads to accepting the call; outgoing session management sends the session to a VPDN profile or group, or to direct remote services; if no matches occur, the session is sent to local authentication.]
The outgoing side of the customer profile directs the answered call to the appropriate destination:
• To a local AAA server of retail dial applications and Internet/intranet access.
• To a tunnel that is established between the NAS or L2TP Access Concentrator (LAC) to a wholesale
VPDN home gateway of a dial customer, or L2TP Network Server (LNS) using Layer 2 Forwarding
Protocol (L2F) or Layer 2 Tunneling Protocol (L2TP) technology.
Default Customer Profiles
Default customer profiles are identical to standard customer profiles, except that they do not have any
associated DNIS groups. Default customer profiles are created using the reserved keyword default for
the DNIS group.
Default customer profiles are used to provide session counting and resource assignment to incoming
calls that do not match any of the configured DNIS groups. Although specific resources and DNIS
groups can be assigned to customer profiles, default customer profiles allow resource pooling for the
calls that do not match the configured DNIS groups or where the DNIS is not provided. Retail dial
services and domain-based VPDN use default customer profiles.
When multiple default customer profiles are used, the call type (speech, digital, V.110, or V.120) of the
default DNIS group is used to identify which default customer profile to use for an incoming call. At
most, four default profiles (one for each call type) can be configured.
Note If default customer profiles are not defined, then calls that do not match a DNIS group in a customer
profile are rejected with a “no answer” or “busy” call treatment sent to the switch.
Backup Customer Profiles
Backup customer profiles are customer profiles configured locally on the Cisco NAS and are used to
answer calls based on a configured allocation scheme when the link between the Cisco NAS and Cisco
RPMS is disabled. See the section “Configuring Customer Profiles Using Backup Customer Profiles”
for more information about configuring backup customer profiles.
Customer Profile Template
With RPM, users can also implement wholesale dial services without using VPDN tunnels to complete
dial-in calls to destinations of the end customer. This capability is accomplished with components of the
AAA groups and the PPP configurations.
The AAA group provides IP addresses of AAA servers for authentication and accounting. The PPP
configurations allow users to configure the Cisco IOS PPP feature set on each customer profile. In this
current implementation, PPP configuration is based on the following:
• Applicable IP address pool(s) or default local list of IP addresses
• Primary and secondary Domain Name System (DNS) or Windows Internet naming service (WINS)
• Number of links allowed for each call using MLP
Note The AAA and PPP integration applies to a single NAS environment.
To add PPP configurations to a customer profile, you must create a customer profile template. Once you
create the template and associate it with a customer profile using the source template command, it is
integrated into the customer profile.
The RPM customer profile template for the PPP command set, when used with the Cisco IOS feature,
Server Groups Selected by DNIS, presents a strong single NAS solution for providers of wholesale dial
services, as follows:
• Call acceptance is determined by the RPM before call answering, using the configured size limits
and resource availability.
• The answered call then uses the PPP configuration defined in the template to initiate authentication,
obtain an IP address, and select a DNS or WINS that is located at the customer site.
• The same DNIS that was used to choose the customer profile selects the servers for
authentication/authorization and accounting that are located at the wholesale customer’s site.
The section “Configuring a Customer Profile Template” later in this chapter describes how to create a
customer profile template so that you can configure the Cisco IOS PPP features on a customer profile,
but this section does not list the existing PPP command set. For information about the PPP command set,
refer to the Cisco IOS Dial Technologies Command Reference.
DNIS Groups
A DNIS group is a configured list of DNIS called party numbers that correspond to the numbers dialed
to access particular customers, service offerings, or both. For example, if a customer from phone number
000-1234 calls a number 000-5678, the DNIS provides information on the number dialed—000-5678.
Cisco RPM checks the DNIS number of inbound calls against the configured DNIS groups, as follows:
• If Cisco RPM finds a match, it uses the configured information in the customer profile to which the
DNIS group is assigned.
• If Cisco RPM does not find a match, it uses the configured information in the customer profile to
which the default DNIS group is assigned.
• The DNIS/call type sequence can be associated only with one customer profile.
CLID Groups
A CLID group is a configured list of CLID calling party numbers. The CLID group specifies a list of
numbers to reject if the group is associated with a call discriminator. For example, if a customer from
phone number 000-1234 calls a number 000-5678, the CLID provides information on the calling party
number—000-1234.
A CLID can be associated with only one CLID group.
Call Types
Call types from calls originating from ISDN, SS7, and CAS (CT1, CT3, and CE1) are used to assign
calls to the appropriate resource. Call types for ISDN and SS7 are based on Q.931 bearer capability. Call
types for CAS are assigned based on static channel configuration.
Supported call types are as follows:
• Speech
• Digital
• V.110
• V.120
Note Voice over IP, fax over IP, and dial-out calls are not supported in RPM.
Resource Groups
Cisco RPM enables you to maximize the use of available shared resources within a Cisco NAS for
various resource allocation schemes to support service-level agreements. Cisco RPM allows you to
combine your Cisco NAS resource groups with call types (speech, digital, V.110, and V.120) and
optional resource modem services. Resource groups and services are configured for customer profiles
and assigned to incoming calls through DNIS groups and call types.
Resource groups have the following characteristics:
• Are configured on the Cisco NAS and applied to a customer profile.
• Represent groupings of similar hardware or firmware that are static and do not change on a per-call
basis.
• Can define resources that are port-based or not port-based:
– Port-based resources are identified by physical location, such as a range of port/slot numbers
(for example, modems or terminal adapters).
– Non-port-based resources are identified by a single size parameter (for example, HDLC framers
or V.120 terminal adapters—V.120 terminal adapters are currently implemented as part of Cisco
IOS software).
Resource assignments contain combinations of Cisco NAS resource groups, optional resource modem
services, and call types. The NAS resources in resource groups that have not been assigned to a customer
profile will not be used.
Note To support ISDN DoVBS, use a DNIS group and a configured customer profile to direct the speech
call to the appropriate digital resource. The resource group assigned to this customer profile will be
“digital resources” and also have a call type of “speech,” so the call will terminate on an HDLC
controller rather than a modem.
Resource Services
A resource service contains a finite series of resource command strings that can be used to help
dynamically configure an incoming connection. Services supported by a resource group are determined
by the combination of hardware and firmware installed. Currently, resource service options can be
configured and applied to resource groups. Resource services can be defined to affect minimum and
maximum speed, modulation, error correction, and compression, as shown in Table 41.
Table 41 Resource Services
Service        Options                                    Comments
min-speed      <300–56000>, any                           Must be a V.90 increment.
max-speed      <300–56000>, any                           Must be a V.90 increment.
modulation     k56flex, v22bis, v32bis, v34, v90, any     None.
VPDN Groups
The VPDN group contains the data required to build a VPDN tunnel from the RPM NAS LAC to the
LNS. In the context of RPM, VPDN is authorized by first associating a customer profile with a VPDN
group, and second by associating the VPDN group to the DNIS group used for that customer profile.
VPDN group data includes the endpoint IP addresses.
Cisco RPM enables you to specify multiple IP endpoints for a VPDN group, as follows:
• If two or more IP endpoints are specified, Cisco RPM uses a load-balancing method to ensure that
traffic is distributed across the IP endpoints.
• For DNIS-based VPDN dial service, VPDN groups are assigned to customer profiles based on the
incoming DNIS number and the configured DNIS groups.
• For domain-based VPDN dial service, VPDN groups are assigned to the customer profile or the
default customer profile with the matching call-type assignment.
• For either DNIS-based or domain-based VPDN dial services, there is a customer profile or default
customer profile for the initial resource allocation and customer session limits.
The VPDN group provides call management by allowing limits to be applied to both the number of MLP
bundles per tunnel and the number of links per MLP bundle. Limits can also restrict the number of
sessions per IP endpoint. If you require more granular control of VPDN counters, use VPDN profiles.
VPDN Profiles
VPDN profiles allow session and overflow limits to be imposed for a particular customer profile. These
limits are unrelated to the limits imposed by the customer profile. A customer profile is associated with
a VPDN profile. A VPDN profile is associated with a VPDN group. VPDN profiles are required only
when these additional counters are required for VPDN usage per customer profile.
Call Treatments
Call treatment determines how calls are handled when certain events require the call to be rejected. For
example, if the session and overflow limits for one of your customers have been exceeded, any additional
calls will receive a busy signal (see Table 42).
Table 41 Resource Services (continued)
Service             Options          Comments
error-correction    lapm, mnp4       This is a hidden command.
compression         mnp5, v42bis     This is a hidden command.
Details on RPM Call Processes
On the incoming call management of the customer profile, the following sequence occurs to determine
if a call is answered:
1. The incoming DNIS is mapped to a DNIS group; if there is no incoming DNIS number, or the DNIS
number provided does not match any configured DNIS group, the DNIS group default is used.
2. The mapped DNIS group is checked against configured call discriminator profiles to confirm if this
DNIS group/call-type combination is disallowed. If there is a match, the call is immediately
rejected.
3. Once a DNIS group or a default DNIS group is identified, the customer profile associated with that
DNIS group and the call type (from the bearer capability for ISDN call, statically configured for
CAS calls) is selected. If there is no corresponding customer profile, the call is rejected.
4. The customer profile includes a session limit value and an overflow limit value. If these thresholds
are not met, the call is then assigned the appropriate resource defined in the customer profile. If the
thresholds are met, the call is rejected.
Table 42 Call-Treatment Table
Event: Customer profile not found
    Call-treatment option: No answer (default)
    Results: The caller receives rings until the switch eventually times out. Implies that the NAS was appropriate, but resources were unavailable. The caller should try later.
    Call-treatment option: Busy
    Results: The switch drops the call from the NAS and sends a busy signal back to the caller. The call is rejected based on not matching a DNIS group/call type and customer profile. Can be used to immediately reject the call and free up the circuit.
Event: Customer profile limits exceeded
    Call-treatment option: Busy
    Results: The switch drops the call from the NAS and sends a busy signal back to the caller.
Event: NAS resource not available
    Call-treatment option: Channel not available (default)
    Results: The switch sends the call to the next channel in the trunk group. The call can be answered, but the NAS does not have any available resources in the resource groups. Allows the switch to try additional channels until it gets to a different NAS in the same trunk group that has the available resources.
    Call-treatment option: Busy
    Results: The switch drops the call from the NAS and sends a busy signal back to the caller. Can be used when the trunk group does not span additional NASes.
Event: Call discrimination match
    Call-treatment option: No answer
    Results: The caller receives rings until the switch eventually times out.
5. If resources are available from the resource group defined in the customer profile, the call is
answered. Otherwise, the call is rejected.
6. As sessions start and end, the session counters increase and decrease, so the customer profile call
counters are kept current.
See Figure 100 for a graphical illustration of the RPM call processes.
Figure 100 Incoming Call Management: RPM Functional Description
After the call is answered and if VPDN is enabled, Cisco RPM checks the customer profile for an
assigned VPDN group or profile. The outgoing session management of the customer profile directs the
answered call to the appropriate destination (see Figure 101), as follows:
• To a local AAA server of retail dial applications and Internet/intranet access.
• To a tunnel that is established between the NAS or LAC and a wholesale VPDN home gateway from
a dial customer or LNS using L2F or L2TP tunneling technology.
Figure 101 Outgoing Call Management: RPM Functional Description for VPDN Profiles and Groups
If a VPDN profile is found, the limits are checked, as follows:
• If the limits have not been exceeded, the VPDN group data associated with that VPDN profile is
used to build a VPDN tunnel.
• If the VPDN limits have been exceeded, the call is disconnected.
[Figures 100 and 101 diagrams: the incoming call passes through DNIS group/call type, the call discriminator, the customer profile (base and overflow limits), the resource group (physical, or a virtual range, with a limit) and an optional resource service before the call is accepted; with VPDN enabled, the customer profile maps to an optional VPDN profile (base and overflow limits) and a VPDN group (bundle and link limits) before the VPDN call is accepted.]
If a VPDN group is found within the customer profile, the VPDN group data is used to build a VPDN
tunnel, as follows:
• If the VPDN group limits (number of multilink bundles, number of links per bundle) have not been
exceeded, a VPDN tunnel is built.
• If the limits have been reached, the call is disconnected.
If no VPDN profile is assigned to the customer profile and VPDN is enabled, non-RPM VPDN service
is attempted. If the attempt fails, the call is processed as a retail dial service call if local AAA service is
available.
Accounting Data
You can generate accounting data for network dial service usage in NAS AAA attribute format.
You can configure the Cisco NAS to generate AAA accounting records and send them to an external AAA
server. The accounting start and stop records in AAA attribute format are sent to the external AAA
server using either the RADIUS or the TACACS+ protocol for accounting data storage. Table 43
lists the new fields in the AAA accounting packets.
Data over Voice Bearer Services
DoVBS is a dial service that uses a customer profile and an associated resource group of digital resources
to direct data calls with a speech call type to HDLC controllers.
To support ISDN DoVBS, use a DNIS group and a configured customer profile to direct the speech call
to the appropriate digital resource.
The resource group assigned to this customer profile will be “digital resources” and will also have a call
type of speech, so the call will terminate on an HDLC controller rather than a modem.
Table 43 AAA Accounting Records
Accounting Start Record: Call-Type, CAS-Group-Name, Customer-Profile-Name, Customer-Profile-Active-Sessions, DNIS-Group-Name, Overflow, MLP-Session_ID, Modem-Speed-Receive, Modem-Speed-Transmit, VPDN-Domain-Name, VPDN-Tunnel-ID, VPDN-HomeGateway, VPDN-Group-Active-Sessions
Accounting Stop Record: Disconnect-Cause, Modem-Speed-Receive, Modem-Speed-Transmit, MLP-Session-ID
Call Discriminator Profiles
The Cisco RPM CLID/DNIS Call Discriminator feature lets you specify a list of calling party numbers
to be rejected for inbound calls. This Cisco IOS Release 12.2 CLID/DNIS call screening feature expands
previous call screening features in Cisco RPM. CLID/DNIS call screening provides an additional way
to screen calls on the basis of CLID/DNIS for both local and remote RPM.
Cisco RPM CLID/DNIS Call Discriminator profiles enable you to process calls differently on the basis
of the call type and CLID combination. Resource pool management offers a call discrimination feature
that rejects calls on the basis of a CLID group and a call type filter. When a call arrives at the NAS, the
CLID and the call type are matched against a table of disallowed calls. If the CLID and call type match
entries in this table, the call is rejected before it is assigned Cisco NAS resources or before any other
Cisco RPM processing occurs. This is called precall screening.
Precall screening decides whether the call is allowed to be processed. You can use the following types
of discriminators to execute precall screening:
• ISDN discriminator—Accepts a call if the calling number matches a number in a group of
configured numbers (ISDN group). This is also called white box screening. If you configure an
ISDN group, only the calling numbers specified in the group are accepted.
• DNIS discriminator—Accepts a call if the called party number matches a number in a group of
configured numbers (DNIS group). If you set up a DNIS group, only the called party numbers in the
group are accepted. DNIS gives you information about the called party.
• Cisco RPM CLID/DNIS discriminator—Rejects a call if the calling number matches a number in a
group of configured numbers (CLID/DNIS group). This is also called black box screening.
If you configure a discriminator with a CLID group, the calling party numbers specified in the group
are rejected. CLID gives you information about the caller.
Similarly, if you configure a discriminator with a DNIS group, the called party numbers specified
in the group are rejected.
The Cisco RPM CLID/DNIS Call Discriminator Feature is independent of ISDN or DNIS screening
done by other subsystems. ISDN or DNIS screening and Cisco RPM CLID/DNIS screening can both be
present in the same system. Both features are executed if configured. Similarly, if DNIS Preauthorization
using AAA is configured, it is present in addition to Cisco RPM CLID/DNIS screening. Refer to the
Cisco IOS Security Configuration Guide for more information about call preauthorization.
In Cisco RPM CLID/DNIS screening, the discriminator can be a CLID discriminator, a DNIS
discriminator, or a discriminator that screens on both the CLID and DNIS. The resulting discrimination
logic is:
• If a discriminator contains just DNIS groups, it is a DNIS discriminator that ignores CLID. The
DNIS discriminator blocks the call if the called number is in one of its DNIS groups and the call
type is one that the discriminator references.
• If a discriminator contains just CLID groups, it is a CLID discriminator that ignores DNIS. The
CLID discriminator blocks the call if the calling number is in one of its CLID groups and the call
type is one that the discriminator references.
• If a discriminator contains both CLID and DNIS groups, it is a logical AND discriminator. It blocks
the call only if the calling number is in one of its CLID groups, the called number is in one of its
DNIS groups, and the call type is one that the discriminator references.
Figure 102 shows how call discrimination can be used to restrict a specific DNIS group to only modem
calls by creating call discrimination settings for the DNIS group and the other supported call types
(digital, V.110, and V.120).
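The six-step incoming-call sequence from "Details on RPM Call Processes", the default call treatments of Table 42, and the DNIS/CLID discriminator rules above, modelled as an added Python example (not Cisco code); the class names, the treatment strings, and the sample DNIS groups and discriminators (taken from Figure 102 plus one constructed CLID group) are assumptions.

```python
# Added example, not Cisco code: a model of the RPM incoming-call sequence and
# call discriminator logic from this chapter; names and numbers are assumptions.
from dataclasses import dataclass, field
from typing import Optional

DEFAULT = "default"  # reserved DNIS group keyword used by the chapter


@dataclass
class CustomerProfile:
    name: str
    dnis_group: str                 # DEFAULT for a default customer profile
    call_types: frozenset[str]      # speech, digital, v110, v120
    session_limit: int
    overflow_limit: int
    resource_group: str
    active_sessions: int = 0
    no_resource_treatment: str = "channel-not-available"  # Table 42 default


@dataclass
class Discriminator:
    name: str
    call_types: frozenset[str]
    dnis_groups: frozenset[str] = frozenset()
    clid_groups: frozenset[str] = frozenset()

    def blocks(self, dnis_group: str, clid_group: Optional[str], call_type: str) -> bool:
        if call_type not in self.call_types:
            return False
        # DNIS-only, CLID-only or logical AND; "default" reaches all DNIS values (Figure 102).
        dnis_hit = DEFAULT in self.dnis_groups or dnis_group in self.dnis_groups
        clid_hit = clid_group in self.clid_groups
        if self.dnis_groups and self.clid_groups:
            return dnis_hit and clid_hit
        return dnis_hit if self.dnis_groups else clid_hit


def _lookup(table: dict[str, set[str]], number: Optional[str]) -> Optional[str]:
    return next((g for g, nums in table.items() if number in nums), None)


@dataclass
class Rpm:
    dnis_groups: dict[str, set[str]] = field(default_factory=dict)
    clid_groups: dict[str, set[str]] = field(default_factory=dict)
    discriminators: list[Discriminator] = field(default_factory=list)
    profiles: list[CustomerProfile] = field(default_factory=list)
    resources: dict[str, int] = field(default_factory=dict)  # group -> free units

    def incoming_call(self, dnis: Optional[str], clid: Optional[str],
                      call_type: str) -> tuple[str, str]:
        """Steps 1 to 6 of 'Details on RPM Call Processes'; returns (decision, detail)."""
        # 1. Map the DNIS to a DNIS group; a missing or unknown DNIS uses "default".
        dnis_group = _lookup(self.dnis_groups, dnis) or DEFAULT
        clid_group = _lookup(self.clid_groups, clid)
        # 2. Precall screening against the configured call discriminators.
        for disc in self.discriminators:
            if disc.blocks(dnis_group, clid_group, call_type):
                return ("reject", f"no-answer ({disc.name})")
        # 3. Select the customer profile for this DNIS group and call type.
        profile = next((p for p in self.profiles
                        if p.dnis_group == dnis_group and call_type in p.call_types), None)
        if profile is None:
            return ("reject", "no-answer")  # Table 42 default for profile not found
        # 4. Session limit plus overflow limit.
        if profile.active_sessions >= profile.session_limit + profile.overflow_limit:
            return ("reject", "busy")
        # 5. A free resource in the profile's resource group.
        if self.resources.get(profile.resource_group, 0) <= 0:
            return ("reject", profile.no_resource_treatment)
        self.resources[profile.resource_group] -= 1
        profile.active_sessions += 1  # 6. session counters are kept current
        return ("accept", profile.name)

    def end_session(self, profile_name: str) -> None:
        profile = next(p for p in self.profiles if p.name == profile_name)
        profile.active_sessions -= 1
        self.resources[profile.resource_group] += 1


def build_example() -> Rpm:
    """Constructed configuration modelled on Figure 102, plus one CLID group."""
    speech = frozenset({"speech"})
    data = frozenset({"digital", "v110", "v120"})
    return Rpm(
        dnis_groups={"dnis123": {"5267000", "5267001"}, "dnisabc": {"5271299"},
                     "dnisspeech": {"5274999"}},
        clid_groups={"blocked-callers": {"5550100"}},
        discriminators=[
            Discriminator("CD123", speech, dnis_groups=frozenset({"dnis123"})),
            Discriminator("CDabc", frozenset({"digital"}), dnis_groups=frozenset({"dnisabc"})),
            Discriminator("CDspeech", data, dnis_groups=frozenset({"dnisspeech"})),
            Discriminator("CDv120", frozenset({"v120"}), dnis_groups=frozenset({DEFAULT})),
            # Logical AND: block only blocked-callers dialing into dnisabc.
            Discriminator("CDand", speech | data, dnis_groups=frozenset({"dnisabc"}),
                          clid_groups=frozenset({"blocked-callers"})),
        ],
        profiles=[
            CustomerProfile("cust123", "dnis123", data, 1, 1, "hdlc"),
            CustomerProfile("custspeech", "dnisspeech", speech, 2, 0, "modems"),
            CustomerProfile("retail", DEFAULT, speech, 5, 0, "modems"),
        ],
        resources={"hdlc": 1, "modems": 2},
    )
```

Calling `build_example().incoming_call("5267000", None, "speech")` returns the discriminator rejection that Figure 102 describes for speech calls to dnis123, while a digital call to the same number is accepted until the single HDLC resource is in use.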
Figure 102 Call Discrimination
Incoming Call Preauthentication
With ISDN PRI or channel-associated signaling (CAS), information about an incoming call is available
to the NAS before the call is connected. The available call information includes:
• The DNIS, also referred to as the called number
• The CLID, also referred to as the calling number
• The call type, also referred to as the bearer capability
The Preauthentication with ISDN PRI and Channel-Associated Signalling feature introduced in
Cisco IOS Release 12.2 allows a Cisco NAS to decide—on the basis of the DNIS number, the CLID
number, or the call type—whether to connect an incoming call.
When an incoming call arrives from the public network switch, but before it is connected, this feature
enables the NAS to send the DNIS number, CLID number, and call type to a RADIUS server for
authorization. If the server authorizes the call, the NAS accepts the call. If the server does not authorize
the call, the NAS sends a disconnect message to the public network switch to reject the call.
The Preauthentication with ISDN PRI and Channel-Associated Signalling feature offers the following
benefits:
• With ISDN PRI, it enables user authentication and authorization before a call is answered. With
CAS, the call must be answered; however, the call can be dropped if preauthentication fails.
• It enables service providers to better manage ports using their existing RADIUS solutions.
• Coupled with a preauthentication RADIUS server application, it enables service providers to
efficiently manage the use of shared resources to offer differing service-level agreements.
For more information about the Preauthentication with ISDN PRI and Channel-Associated Signalling
feature, refer to the Cisco IOS Security Configuration Guide.
Figure 102 Call Discrimination (text recovered from the figure)
Call discriminator definitions:
CD Name    DNIS Group   Call Types            Effect
CD123      dnis123      speech                Reject calls to DNIS group dnis123 with speech call type
CDabc      dnisabc      digital               Reject calls to DNIS group dnisabc with digital call type
CDspeech   dnisspeech   digital, v110, v120   Reject calls to DNIS group dnisspeech that are not speech
CDv120     default      v120                  Reject all calls that are V.120
DNIS groups: dnis123 = 5267000, 5267001; dnisabc = 5271299; dnisspeech = 5274999. The reserved
keyword default identifies a DNIS group reaching all values.
Internal disallowed calls table:
DNIS      Call Type             Effect
5267000   speech                Reject calls to 5267000 with speech call type
5267001   speech                Reject calls to 5267001 with speech call type
5271299   digital               Reject digital calls to 5271299
5274999   digital, v110, v120   Accept only speech calls to 5274999
default   v120                  Reject all V.120 calls
RPM Standalone Network Access Server
A single NAS using Cisco RPM can provide the following:
• Wholesale VPDN dial service to corporate customers
• Direct remote services
• Retail dial service to end users
Figure 103 and Figure 104 show multiple connections to a Cisco AS5300 NAS. Incoming calls to the
NAS can use ISDN PRI signaling, CAS, or the SS7 signaling protocol. Figure 103 shows incoming calls
that are authenticated locally for retail dial services or forwarded through VPDN tunnels for wholesale
dial services.
Note This implementation does not use the Cisco RPM CLID/DNIS Call Discriminator Feature. If you are not
using Cisco RPMS and you have more than one Cisco NAS, you must manually configure each NAS
by using Cisco IOS commands. Resource usage information is not shared between NASes.
Figure 103 Retail Dial Service Using RPM
Figure 104 shows a method of implementing wholesale dial services without using VPDN tunnels by
creating individual customer profiles that consist of AAA groups and PPP configurations. The AAA
groups provide IP addresses of AAA servers for authentication and accounting. The PPP configurations
enable you to set different PPP parameter values on each customer profile. A customer profile typically
includes the following PPP parameters:
• Applicable IP address pools or a default local list of IP addresses
• Primary and secondary DNS or WINS
• Authentication method such as the Password Authentication Protocol (PAP), Challenge Handshake
Authentication Protocol (CHAP), or Microsoft CHAP Version 1 (MS-CHAP)
• Number of links allowed for each call using Multilink PPP
Note The AAA and PPP integration applies to a single NAS environment; the external RPMS solution is
not supported.
Figure 103 diagram: remote users (modem, terminal adapter, router) dial in over the PSTN using PRI,
CAS or SS7 to a Cisco AS5300 NAS, which connects to the Internet/intranet; an AAA server is optional.
Figure 104 Resource Pool Management with Direct Remote Services
Call Processing
For call processing, incoming calls are matched to a DNIS group and the customer profile associated
with that DNIS group. If a match is found, the customer profile session and overflow limits are applied
and if available, the required resources are allocated. If a DNIS group is not found, the customer profile
associated with the default DNIS group is used. The call is rejected if a customer profile using the default
DNIS group cannot be found.
After the call is answered and if VPDN is enabled, the Cisco RPM checks the customer profile for an
assigned VPDN group or profile. If a VPDN group is found, Cisco RPM authorizes VPDN by matching
the group domain name or DNIS with the incoming call. If a match is found, VPDN profile session and
overflow limits are applied, and, if the limits are not exceeded, tunnel negotiation begins. If the VPDN
limits are exceeded, the call is disconnected.
If no VPDN profile is assigned to the customer profile and VPDN is enabled, non-RPM VPDN service
will be attempted. If it fails, the call is processed as a retail dial service call if local AAA service is
available.
Base Session and Overflow Session Limits
Cisco RPM enables you to set base and overflow session limits in each customer profile. The base
session limit determines the maximum number of nonoverflow sessions supported for a customer profile.
When the session limit is reached, if overflow sessions are not enabled, any new calls are rejected. If
overflow sessions are enabled, new sessions up to the session overflow limit are processed and marked
as overflow for call handling and accounting.
Figure 104 diagram: remote users (modem, terminal adapter, router) dial in over the PSTN to a
Cisco AS5300 NAS with optional local AAA; the NAS holds customer profiles selected by DNIS for
Customer A and Customer B, each with its own AAA and DNS servers reached across the WAN
infrastructure.
The session overflow limit determines the allowable number of sessions above the session limit. If the
session overflow limit is greater than zero, overflow sessions are enabled and the maximum number of
allowed sessions is the session limit plus the session overflow limit. As long as the session overflow
limit is reached, any new calls are rejected. Table 44 summarizes the effects of session and session
overflow limits.
Enabling overflow sessions is useful for allocating extra sessions for preferred customers at premium
rates. Overflow sessions can also be useful for encouraging customers to adequately forecast bandwidth
usage or for special events when normal session usage is exceeded. For example, if a customer is having
a corporate-wide program and many people are expected to request remote access, you could enable
many overflow sessions and charge a premium rate for the excess bandwidth requirements.
Note An overflow call is a call received while the session limit is exceeded and is in an overflow state.
When a call is identified as an overflow call, the call maintains the overflow status throughout its
duration, even if the number of current sessions returns below the session limit.
VPDN Session and Overflow Session Limits
Cisco RPM enables you to configure base and overflow session limits per VPDN profile for managing
VPDN sessions.
Note The VPDN session and session overflow limits are independent of the limits set in the customer
profiles.
The base VPDN session limit determines the maximum number of nonoverflow sessions supported for
a VPDN profile. When the VPDN session limit is reached, if overflow sessions are not enabled, any new
VPDN calls using the VPDN profile sessions are rejected. If overflow sessions are enabled, new sessions
up to the session overflow limit are processed and marked as overflow for VPDN accounting.
The VPDN session overflow limit determines the number of sessions above the session limit allowed in
the VPDN group. If the session overflow limit is greater than zero, overflow sessions are enabled and
the maximum number of allowed sessions is the session limit plus the session overflow limit. As long as
the session overflow limit is reached, any new calls are rejected.
Enabling VPDN overflow sessions is useful for allocating extra sessions for preferred customers at
premium rates. Overflow sessions are also useful for encouraging customers to adequately forecast
bandwidth usage or for special events when normal session usage is exceeded. For example, if a
customer is having a corporate-wide program and many people are expected to request remote access,
you could enable many overflow sessions and charge a premium rate for the extra bandwidth
requirements.
Table 44 Effects of Session Limit and Session Overflow Limit Settings Combinations
Base Session Limit   Session Overflow Limit   Call Handling
0                    0                        Reject all calls.
10                   0                        Accept up to 10 sessions.
10                   10                       Accept up to 20 sessions and mark sessions 11 to 20 as overflow sessions.
0                    10                       Accept up to 10 sessions and mark sessions 1 to 10 as overflow.
All                  0                        Accept all calls.
0                    All                      Accept all calls and mark all calls as overflow.
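The base and overflow limits described for customer profiles and for VPDN profiles follow the same arithmetic, and the "Call Processing" section earlier gives the order in which a standalone NAS applies them (DNIS group, customer profile or default profile, session limits, resources). The following Python model is an added example, not Cisco code or part of this guide: it reproduces every row of Table 44, keeps the overflow status of a call for its whole duration as the Note above requires, and walks a call through the Call Processing decisions. The profile names, DNIS numbers and resource counts are constructed, and DNIS groups are matched on exact numbers (wildcards are omitted here as a simplification).

```python
"""Model of Cisco RPM call processing with base and overflow session limits.
Constructed example, not Cisco code; profile, DNIS group and resource values are made up."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Union

Limit = Union[int, str]   # a count, or the keyword "all" for no limit


def has_room(active: int, limit: Limit) -> bool:
    """True while one more session fits under `limit` ("all" never fills up)."""
    return limit == "all" or active < limit


@dataclass
class Session:
    dnis: str
    overflow: bool   # decided at admission and kept for the life of the call


@dataclass
class CustomerProfile:
    name: str
    base_limit: Limit
    overflow_limit: Limit
    base_active: int = 0
    overflow_active: int = 0

    def admit(self, dnis: str) -> Optional[Session]:
        """Base session first, overflow session second, otherwise reject (None)."""
        if has_room(self.base_active, self.base_limit):
            self.base_active += 1
            return Session(dnis, overflow=False)
        if has_room(self.overflow_active, self.overflow_limit):
            self.overflow_active += 1
            return Session(dnis, overflow=True)
        return None

    def release(self, session: Session) -> None:
        """An overflow call stays an overflow call even after base sessions free up."""
        if session.overflow:
            self.overflow_active -= 1
        else:
            self.base_active -= 1


def simulate(base_limit: Limit, overflow_limit: Limit, attempts: int):
    """Offer `attempts` calls to a fresh profile; return (accepted, marked_overflow, rejected)."""
    profile = CustomerProfile("cust", base_limit, overflow_limit)
    accepted = marked = rejected = 0
    for _ in range(attempts):
        session = profile.admit("5550100")   # constructed DNIS
        if session is None:
            rejected += 1
        else:
            accepted += 1
            marked += int(session.overflow)
    return accepted, marked, rejected


@dataclass
class Nas:
    dnis_groups: Dict[str, Set[str]]        # DNIS group name -> exact DNIS numbers (no wildcards here)
    profiles: Dict[str, CustomerProfile]    # DNIS group name, or "default" -> customer profile
    free_resources: int                     # modems or HDLC controllers still free (constructed)

    def process_call(self, dnis: str) -> str:
        """Call Processing order: find the profile (or default), apply limits, then check resources."""
        group = next((g for g, numbers in self.dnis_groups.items() if dnis in numbers), "default")
        profile = self.profiles.get(group) or self.profiles.get("default")
        if profile is None:
            return "reject: no customer profile"
        session = profile.admit(dnis)
        if session is None:
            return "reject: session limit"
        if self.free_resources == 0:
            profile.release(session)        # a call that never got a resource is not counted
            return "reject: no resource"
        self.free_resources -= 1
        return "answer (overflow)" if session.overflow else "answer"
```

Running simulate(10, 10, 25) yields 20 accepted calls, 10 of them marked overflow, and 5 rejections, which is the third row of Table 44; the sticky overflow flag is what makes accounting for overflow calls consistent even when base sessions have since been released.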
VPDN MLP Bundle and Links-per-Bundle Limits
To ensure that resources are not consumed by a few users with MLP connections, Cisco RPM also
enables you to specify the maximum number of MLP bundles that can open in a VPDN group. In
addition, you can specify the maximum number of links for each MLP bundle.
For example, if standard ISDN users access the VPDN profile, limit this setting to two links per bundle.
If video conferencing is used, increase this setting to accommodate the necessary bandwidth (usually six
links). These limits have no overflow option and are configured under the VPDN group component.
VPDN Tunnel Limits
For increased VPDN tunnel management, Cisco RPM enables you to set an IP endpoint session limit for
each IP endpoint. IP endpoints are configured for VPDN groups.
Figure 105 and Figure 106 show logical flowcharts of RPM call processing for a standalone NAS with
and without the RPM Direct Remote Services feature.
Figure 105 RPM Call-Processing Flowchart for a Standalone Network Access Server
Figure 105 diagram (decision sequence): the incoming DNIS and call type are checked against the call
discriminators; a match rejects the call (call treatment: no answer). Otherwise the NAS looks for the
customer profile mapped to the DNIS, falling back to the default customer profile; if neither exists the
call is rejected (no CP; call treatment: no answer by default, or busy). If the customer profile has
reached its maximum connections and overflow is not configured or its maximum is exceeded, the call
is rejected (session limit; call treatment: busy). If no resources are available, the call is rejected (no
resource; call treatment: CNA by default, or busy). Otherwise the call is answered and VPDN is checked.
Figure 106 Flowchart for a Standalone Network Access Server with RPM Direct Remote Services
Figure 106 diagram (decision sequence): the incoming DNIS and call type are checked against the call
discriminators; a match rejects the call (call treatment: no answer). If no customer profile is mapped to
the DNIS, the call is rejected (no CP; call treatment: no answer by default, or busy). If the customer
profile has reached its maximum connections and overflow is not configured or its maximum is
exceeded, the call is rejected (session limit; call treatment: busy). If no resources are available, the call
is rejected (no resource; call treatment: CNA by default, or busy). Otherwise the call is answered and
the PPP template is checked.
RPM Using the Cisco RPMS
Figure 107 shows a typical resource pooling network scenario using RPMS.
Figure 107 RPM Scenario Using RPMS
Resource Manager Protocol
Resource Manager Protocol (RMP) is a robust, recoverable protocol used for communication between
the Cisco RPMS and the NAS. Each NAS client uses RMP to communicate resource management
requests to the Cisco RPMS server. RPMS also periodically polls the NAS clients to query their current
call information or address error conditions when they occur. RMP also allows for protocol attributes
that make it extensible and enable support for customer billing requirements.
Figure 108 shows the relationship between the Cisco RPM CLID/DNIS Call Discriminator Feature and RMP.
Figure 108 Cisco RPM CLID/DNIS Call Discriminator Feature and RMP
Note RMP must be enabled on all NASes that communicate with the Cisco RPM CLID/DNIS Call
Discriminator Feature.
Figure 107 diagram: customer modems, terminal adapters and routers reach the NAS over the
PSTN/ISDN (PRI, CT1, CE1) at the CO; the NAS talks to the Cisco RPMS over RMP and carries
Customer A and Customer B traffic through L2F/L2TP VPDN tunnels across the Internet/intranet to
each customer's home gateway router and AAA server; an AAA proxy server is optional.
Figure 108 diagram: the NAS and the Cisco RPMS (with RMP installed) exchange the RMP protocol
over the RMP interface.
Direct Remote Services
Direct remote services is an enhancement to Cisco RPM implemented in Cisco IOS Release 12.0(7)T
that enables service providers to implement wholesale dial services without using VPDN tunnels. A
customer profile that has been preconfigured with a PPP template to define the unique PPP services for
the wholesale dial customer is selected by the incoming DNIS and call type. At the same time, the DNIS
is used to select AAA server groups for authentication/authorization and for accounting for the customer.
PPP Common Configuration Architecture (CCA) is the new component of the RPM customer profile that
enables direct remote services. The full PPP command set available in Cisco IOS software is
configurable per customer profile for wholesale dial applications. A customer profile typically includes
the following PPP parameters:
• Local or named IP address pools
• Primary and secondary DNS or WINS addresses
• Authentication method (PAP, CHAP, MS-CHAP)
• Multilink PPP links per bundle limits
The AAA session information is selected by the incoming DNIS. AAA server lists provide the IP
addresses of AAA servers for authentication, authorization, and accounting in the wholesale local
network of the customer. The server lists for both authentication and authorization and for accounting
contain the server addresses, AAA server type, timeout, retransmission, and keys per server.
When direct remote services is implemented on a Cisco NAS, the following sequence occurs:
1. The NAS sends an authorization request packet to the AAA server by using the authentication
method (PAP, CHAP, MS-CHAP) that has been configured through PPP.
2. The AAA server accepts the authorization request and returns one of the following items to the NAS:
– A specific IP address
– An IP address pool name
– Nothing
3. Depending on the response from the AAA server, the NAS assigns one of the following items to the
user through the DNS/WINS:
– The IP address returned by the AAA server
– An IP address randomly assigned from the named IP address pool
– An IP address from a pool specified in the customer profile template
Note If the AAA server sends back to the NAS a named IP address pool and that name does not exist on
the NAS, the request for service is denied. If the AAA server does not send anything back to the NAS
and there is an IP address pool name configured in the customer profile template, an address from
that pool is used for the session.
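The three possible AAA replies and the two failure cases in the Note above form a precedence order that is worth stating as code. The following Python function is an added example, not Cisco code or part of this guide: it models which address source the NAS uses for a direct remote services session. The pool names, addresses and AAA replies are constructed (the pool name tahoe and template name acme appear in this chapter's template example), and the last branch, where AAA returns nothing and the template names no pool, is not described by the guide; this model treats it as a denial, which is an assumption.

```python
"""Model of the direct remote services address-assignment sequence.
Constructed example, not Cisco code; pools, addresses and AAA replies are made up."""
import random
from typing import Dict, List, Optional, Tuple


def assign_address(aaa_reply: Optional[dict], nas_pools: Dict[str, List[str]],
                   template_pool: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (outcome, address) for one session.

    aaa_reply is the AAA server's answer to the authorization request:
      {"address": "10.1.1.5"}   a specific IP address
      {"pool": "tahoe"}         an IP address pool name
      None                      nothing
    nas_pools maps the local pool names configured on the NAS to their free addresses;
    template_pool is the pool named in the customer profile template, if any.
    """
    if aaa_reply and "address" in aaa_reply:
        # 1. AAA returned a specific address: the NAS hands it out as is.
        return "aaa-address", aaa_reply["address"]
    if aaa_reply and "pool" in aaa_reply:
        # 2. AAA returned a pool name: it must exist on the NAS, or service is denied.
        pool = nas_pools.get(aaa_reply["pool"])
        if pool is None:
            return "denied: pool not on NAS", None
        return "aaa-pool", random.choice(pool)
    if template_pool is not None and nas_pools.get(template_pool):
        # 3. AAA returned nothing: fall back to the pool named in the customer profile template.
        return "template-pool", random.choice(nas_pools[template_pool])
    # Not covered by the guide; this model denies the session rather than guessing (assumption).
    return "denied: no address source", None


# Constructed pools as they might be configured on a NAS.
NAS_POOLS = {"tahoe": ["10.1.1.10", "10.1.1.11"], "acme": ["10.2.2.20"]}
```

A request with a bogus pool name is denied even though the template names a valid pool, because the AAA reply takes precedence and is evaluated first; only an empty reply reaches the template fallback.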
RPM Process with RPMS and SS7
For information on SS7 implementation for RPM, refer to the document Cisco Resource Pool Manager
Server 1.0 SS7 Implementation.
Additional Information About Cisco RPM
For more information about Cisco RPM, see the following documents:
• AAA Server Group
• Cisco Access VPN Solutions Using Tunneling Technology
• Cisco AS5200 Universal Access Server Software Configuration Guide
• Cisco AS5300 Software Configuration Guide
• Cisco AS5800 Access Server Software ICG
• Cisco Resource Pool Manager Server Configuration Guide
• Cisco Resource Pool Manager Server Installation Guide
• Cisco Resource Pool Manager Server Solutions Guide
• Dial Solutions Quick Configuration Guide
• RADIUS Multiple UDP Ports Support
• Redundant Link Manager
• Release Notes for Cisco Resource Pool Manager Server Release 1.0
• Resource Pool Management
• Resource Pool Management with Direct Remote Services
• Resource Pool Manager Customer Profile Template
• Selecting AAA Server Groups Based on DNIS
• SS7 Continuity Testing for Network Access Servers
• SS7 Dial Solution System Integration
How to Configure RPM
Read and comply with the following restrictions and prerequisites before beginning RPM configuration:
• RPM is supported on Cisco AS5300, Cisco AS5400, and Cisco AS5800 Universal Access Servers.
• Modem pooling and RPM are not compatible.
• The Cisco RPM CLID/DNIS Call Discriminator Feature must have Cisco RPM configured.
• CLID screening is not available to channel-associated signaling (CAS) interrupt level calls.
• Cisco RPM requires the NPE 300 processor when implemented on the Cisco AS5800.
• For Cisco AS5200 and Cisco AS5300 access servers, Cisco IOS Release 12.0(4)XI1 or later releases
must be running on the NAS.
• For Cisco AS5800, Cisco IOS Release 12.0(5)T or later releases must be running on the NAS.
• A minimum of 64 MB must be available on the DMM cards.
• The RPM application requires an NPE 300.
• For call discriminator profiles, the Cisco AS5300, Cisco AS5400, or Cisco AS5800 Universal
Access Servers require a minimum of 16 MB Flash memory and 128 MB DRAM memory, and need
to be configured for VoIP as an H.323-compliant gateway.
The following tasks must be performed before configuring RPM:
• Accomplish initial configuration as described in the appropriate Universal Access Server Software
Configuration Guide. Perform the following tasks as required.
– Set your local AAA
– Define your TACACS+ server for RPM
– Define AAA accounting
– Ensure PPP connectivity
– Ensure VPDN connectivity
Refer to the document Configuring the NAS for Basic Dial Access for more information.
To configure your NAS for RPM, perform the following tasks:
• Enabling RPM (Required)
• Configuring DNIS Groups (As required)
• Creating CLID Groups (As required)
• Configuring Discriminator Profiles (As required)
• Configuring Resource Groups (As required)
• Configuring Service Profiles (As required)
• Configuring Customer Profiles (As required)
• Configuring a Customer Profile Template (As required)
• Placing the Template in the Customer Profile (As required)
• Configuring AAA Server Groups (As required)
• Configuring VPDN Profiles (As required)
• Configuring VPDN Groups (As required)
• Counting VPDN Sessions by Using VPDN Profiles (As required)
• Limiting the Number of MLP Bundles in VPDN Groups (As required)
• Configuring Switched 56 over CT1 and RBS (As required)
See the section “Troubleshooting RPM” later in this chapter for troubleshooting tips. See the section
“Configuration Examples for RPM” at the end of this chapter for examples of how to configure RPM in
your network.
Enabling RPM
To enable RPM, use the following commands beginning in global configuration mode:
Step 1  Router(config)# resource-pool enable
        Turns on RPM.
Step 2  Router(config)# resource-pool call treatment resource channel-not-available
        Creates a resource group for resource management.
Step 3  Router(config)# resource-pool call treatment profile no-answer
        Sets up the signal sent back to the telco switch in response to incoming calls.
Step 4  Router(config)# resource-pool aaa protocol local
        Specifies which protocol to use for resource management.
Note If you have an RPMS, you need not define VPDN groups/profiles, customer profiles, or DNIS groups
on the NAS; you need only define resource groups. Configure the remaining items by using the
RPMS system.
Configuring DNIS Groups
This configuration task is optional. For default DNIS service, no DNIS group configuration is required.
The following characteristics and restrictions apply to DNIS group configuration:
• Each DNIS group/call-type combination can apply to only one customer profile.
• You can use up to four default DNIS groups (one for each call type).
• You must statically configure CAS call types.
• You can use x, X or . as wildcards within each DNIS number.
To configure DNIS groups, use the following commands beginning in global configuration mode:
Step 1  Router(config)# dialer dnis group dnis-group-name
        Creates a DNIS group. The name you specify in this step must match the name entered when
        configuring the customer profile.
Step 2  Router(config-called-group)# call-type cas {digital | speech}
        Statically sets the call-type override for incoming CAS calls.
Step 3  Router(config-called-group)# number number
        Enters DNIS numbers to be used in the customer profile. (Wildcards can be used.)
Creating CLID Groups
You can add multiple CLID groups to a discriminator profile. You can organize CLID numbers for a
customer or service type into a CLID group. Add all CLID numbers into one CLID group, or subdivide
the CLID numbers using criteria such as call type, geographical location, or division. To create CLID
groups, use the following commands beginning in global configuration mode:
Step 1  Router(config)# dialer clid group clid-group-name
        Creates a CLID group, assigns it a name of up to 23 characters, and enters CLID configuration
        mode. The CLID group must be the same as the group specified in the customer profile
        configuration. Refer to the Resource Pool Management with Direct Remote Services document
        for information on configuring customer profiles.
Step 2  Router(config-clid-group)# number clid-group-number
        Enters CLID configuration mode, and adds a CLID number to the dialer CLID group that is used
        in the customer profile. The CLID number can have up to 65 characters. You can use x, X or . as
        wildcards within each CLID number. The CLID screening feature rejects this number if it
        matches the CLID of an incoming call.
Configuring Discriminator Profiles
Discriminator profiles enable you to process calls differently on the basis of the call type and
CLID/DNIS combination. The “Call Discriminator Profiles” section earlier in this chapter describes the
different types of discriminator profiles that you can create.
To configure discriminator profiles for RPM implementation, use the following commands beginning in
global configuration mode:
Step 1  Router(config)# resource-pool profile discriminator name
        Creates a call discriminator profile and assigns it a name of up to 23 characters.
Step 2  Router(config-call-d)# call-type {all | digital | speech | v110 | v120}
        Specifies the type of calls you want to block. The NAS will not answer the call-type you specify.
Step 3  Router(config-call-d)# clid group {clid-group-name | default}
        Optional. Associates a CLID group with the discriminator. If you do not specify a
        clid-group-name, the default discriminator in the RM is used. Any CLID number coming in on a
        call is in its respective default group unless it is specifically assigned a clid-group-name.
        After a CLID group is associated with a call type in a discriminator, it cannot be used in any
        other discriminator.
Step 4  Router(config-call-d)# dnis group {dnis-group-name | default}
        Optional. Associates a DNIS group with the discriminator. If you do not specify a
        dnis-group-name, the default discriminator in the RM is used. Any DNIS number coming in on a
        call is in its respective default group unless it is specifically assigned a dnis-group-name.
        After a DNIS group is associated with a call type in a discriminator, it cannot be used in any
        other discriminator.
To verify discriminator profile settings, use the following commands:
Step 1 Use the show resource-pool discriminator name command to verify the call discriminator profiles that
you configured.
If you enter the show resource-pool discriminator command without including a call discriminator
name, a list of all current call discriminator profiles appears.
If you enter a call discriminator profile name with the show resource-pool discriminator command, the
number of calls rejected by the selected call discriminator appears.
Router# show resource-pool discriminator
List of Call Discriminator Profiles:
deny_CLID
Router# show resource-pool discriminator deny_CLID
1 calls rejected
Step 2 Use the show dialer command to display general diagnostic information for interfaces configured for
the dialer.
Router# show dialer [interface] type number
Configuring Resource Groups
For external Cisco RPMS environments, configure resource groups on the NAS before defining them on
external RPMS servers.
For standalone NAS environments, first configure resource groups before using them in customer
profiles.
Resource groups can apply to multiple customer profiles.
Note You can separate physical resources into groups. However, do not put heterogeneous resources in the
same group. Do not put MICA technologies modems in the same group as Microcom modems. Do
not put modems and HDLC controllers in the same resource group. Do not configure the port and
limit command parameters in the same resource group.
To configure resource groups, use the following commands beginning in global configuration mode:
Step 1  Router(config)# resource-pool group resource name
        Creates a resource group and assigns it a name of up to 23 characters.
Step 2  Router(config-resource-group)# range {port {slot/port slot/port}} | {limit number}
        Associates a range of modems or other physical resources with this resource group:
        • For port-based resources, use the physical locations of the resources.
        • For non-port-based resources, use a single integer limit. Specify the maximum number of
          simultaneous connections supported by the resource group. Up to 192 connections may be
          supported, depending on the hardware configuration of the access server.
Configuring Service Profiles
Service profiles are used to configure modem service parameters for Nextport and MICA technologies
modems, and support speech, digital, V.110, and V.120 call types. Error-correction and compression are
hidden parameters that may be included in a service profile.
To configure service profiles, use the following commands beginning in global configuration mode:
Step 1  Router(config)# resource-pool profile service name
        Creates a service profile and assigns it a name of up to 23 characters.
Step 2  Router(config-service-profil)# modem min-speed {speed | any} max-speed {speed | any [modulation value]}
        Specifies the desired modem parameter values. The range for min-speed and max-speed is
        300 to 56000 bits per second.
Configuring Customer Profiles
Customer profiles are used so that service providers can assign different service characteristics to
different customers. Note the following characteristics of customer profiles:
• Multiple resources of the same call type are used sequentially.
• The limits imposed are per customer (DNIS), not per resource.
• A digital resource with a call type of speech allows for Data over Speech Bearer Service (DoSBS).
To configure customer profiles, use the following commands beginning in global configuration mode:
Step 1  Router(config)# resource-pool profile customer name
        Creates a customer profile.
Step 2  Router(config-customer-pro)# dnis group {dnis-group-name | default}
        Includes a group of DNIS numbers in the customer profile.
Step 3  Router(config-customer-pro)# limit base-size {number | all}
        Specifies the base size usage limit.
Step 4  Router(config-customer-pro)# limit overflow-size {number | all}
        Specifies the overflow size usage limit.
Step 5  Router(config-customer-pro)# resource WORD {digital | speech | v110 | v120} [service WORD]
        Assigns resources and supported call types to the customer profile.
Configuring Default Customer Profiles
Default customer profiles are identical to standard customer profiles, except they do not have any
associated DNIS groups. To define a default customer profile, use the reserved keyword default for the
DNIS group:
Step 1  Router(config)# resource-pool profile customer name
        Assigns a name to the default customer profile.
Step 2  Router(config-customer-pro)# dnis group default
        Assigns the default DNIS group to the customer profile. This sets up the customer profile such
        that it will use the default DNIS configuration, which is automatically set on the NAS.
The rest of the customer profile is configured as shown in the previous section “Configuring Customer
Profiles.”
Configuring Customer Profiles Using Backup Customer Profiles
Backup customer profiles are customer profiles configured locally on the Cisco NAS and are used to
answer calls on the basis of a configured allocation scheme when the link between the Cisco NAS and
Cisco RPMS is disabled.
To enable the backup feature, you need to have already configured the following on the router:
• The resource-pool aaa protocol group name local command.
• All customer profiles and DNIS groups on the NAS.
The backup customer profile can contain all of the elements defined in a standard customer profile,
including base size or overflow parameters. However, when the connection between the Cisco NAS and
Cisco RPMS is unavailable, session counting and session limits are not applied to incoming calls. Also,
after the connection is reestablished, there is no synchronization of call counters between the Cisco NAS
and Cisco RPMS.
Configuring Customer Profiles for Using DoVBS
To support ISDN DoVBS, use a DNIS group and a configured customer profile to direct the speech call
to the appropriate digital resource. The DNIS group assigned to the customer profile should have a call
type of speech. The resource group assigned to this customer profile will be digital resources and also
have a call type of speech, so the call will terminate on an HDLC controller rather than a modem.
To configure customer profiles for using DoVBS, use the following commands beginning in global
configuration mode:
Step 1  Router(config)# resource-pool profile customer name
        Assigns a name to a customer profile.
Step 2  Router(config-customer-pro)# dnis group name
        Assigns a DNIS group to the customer profile. DNIS numbers are assigned as shown in the
        previous section.
Step 3  Router(config-customer-pro)# limit base-size {number | all}
        Specifies the VPDN base size usage limit.
Step 4  Router(config-customer-pro)# limit overflow-size {number | all}
        Specifies the VPDN overflow size usage limit.
Step 5  Router(config-customer-pro)# resource name {digital | speech | v110 | v120} [service name]
        Specifies resource names to use within the customer profile.
See the section “Customer Profile Configuration for DoVBS Example” at the end of this chapter for a
configuration example.
Configuring a Customer Profile Template
Customer profile templates provide a way to keep each unique situation for a customer separate for both
security and accountability. This is an optional configuration task.
To configure a template and place it in a customer profile, ensure that all basic configuration tasks and
the RPM configuration tasks have been completed and verified before attempting to configure the
customer profile templates.
To add PPP configurations to a customer profile, create a customer profile template. Once you create the
template and associate it with a customer profile by using the source template command, it is integrated
into the customer profile.
Configuring Resource Pool Management
How to Configure RPM
DC-749
Cisco IOS Dial Technologies Configuration Guide
To configure a template in RPM, use the following commands beginning in global configuration mode:

Step 1  Router(config)# template name
        Creates a customer profile template and assigns a unique name that relates to the customer that will be receiving it.
        Note Steps 2, 3, and 4 are optional. Enter multilink, peer, and ppp commands appropriate to the application requirements of the customer.
Step 2  Router(config-template)# peer default ip address pool pool-name
        (Optional) Specifies that the customer profile to which this template is attached will use a local IP address pool with the specified name.
Step 3  Router(config-template)# ppp authentication chap
        (Optional) Sets the PPP link authentication method.
Step 4  Router(config-template)# ppp multilink
        (Optional) Enables Multilink PPP for this customer profile.
Step 5  Router(config-template)# exit
        Exits from template configuration mode; returns to global configuration mode.
Step 6  Router(config)# resource-pool profile customer name
        Enters customer profile configuration mode for the customer to which you wish to assign this template.
Step 7  Router(config-customer-profi)# source template name
        Attaches the customer profile template you have just configured to the customer profile.

Typical Template Configuration
The following example shows a typical template configuration:
template Word
 multilink {max-fragments frag-num | max-links num | min-links num}
 peer match aaa-pools
 peer default ip address {pool pool-name1 [pool-name2] | dhcp}
 ppp ipcp {dns | wins} A.B.C.D [W.X.Y.Z]
resource-pool profile customer WORD
 source template Word
 aaa group-configuration aaa-group-name
template acme_direct
 peer default ip address pool tahoe
 ppp authentication chap isdn-users
 ppp multilink
Verifying Template Configuration
To verify your template configuration, perform the following steps:
Step 1 Enter the show running-config EXEC command (where the template name is “PPP1”):
Router# show running-config | begin template
.
.
.
template PPP1
 peer default ip address pool pool1 pool2
 ppp ipcp dns 10.1.1.1 10.1.1.2
 ppp ipcp wins 10.1.1.3 10.1.1.4
 ppp multilink max-links 2
.
.
.
Step 2 Ensure that your template appears in the configuration file.
Placing the Template in the Customer Profile
To place your template in the customer profile, use the following commands beginning in global
configuration command mode:

Step 1  Router(config)# resource-pool profile customer name
        Assigns a name to a customer profile.
Step 2  Router(config-customer-pr)# source template name
        Associates the template with the customer profile.

To verify the placement of your template in the customer profile, perform the following steps:
Step 1 Enter the show resource-pool customer EXEC command:
Router# show resource-pool customer
List of Customer Profiles:
CP1
CP2
Step 2 Look at the list of customer profiles and make sure that your profile appears in the list.
Step 3 To verify a particular customer profile configuration, enter the show resource-pool customer name
EXEC command (where the customer profile name is “CP1”):
Router# show resource-pool customer CP1
97 active connections
120 calls accepted
210 max number of simultaneous connections
50 calls rejected due to profile limits
0 calls rejected due to resource unavailable
90 minutes spent with max connections
5 overflow connections
2 overflow states entered
0 overflow connections rejected
0 minutes spent in overflow
13134 minutes since last clear command
Configuring AAA Server Groups
AAA server groups are lists of AAA server hosts of a particular type. The Cisco RPM currently supports
RADIUS and TACACS+ server hosts. A AAA server group lists the IP addresses of the selected server
hosts.
You can use a AAA server group to define a distinct list of AAA server hosts and apply this list to the
Cisco RPM application. Note that the AAA server group feature works only when the server hosts in a
group are of the same type.
To configure AAA server groups, use the following commands beginning in global configuration mode:

Step 1  Router(config)# aaa new-model
        Enables AAA on the NAS.
Step 2  Router(config)# radius-server key key
        or
        Router(config)# tacacs-server key key
        Sets the authentication and encryption key used for all RADIUS or TACACS+ communications between the NAS and the RADIUS or TACACS+ daemon.
Step 3  Router(config)# radius-server host {hostname | ip-address} [auth-port port] [acct-port port] [key key]
        or
        Router(config)# tacacs-server host ip-address key
        Specifies the host name or IP address of the server host before configuring the AAA server group. You can also specify the UDP destination ports for authentication and for accounting.
Step 4  Router(config)# aaa group server {radius | tacacs+} group-name
        Selects the AAA server type you want to place into a server group and assigns a server group name.
Step 5  Router(config-sg-radius)# server ip-address
        Specifies the IP address of the selected server type. This must be the same IP address that was assigned to the server host in Step 3.
Step 6  Router(config-sg-radius)# exit
        Returns to global configuration mode.
Step 7  Router(config)# resource-pool profile customer name
        Enters customer profile configuration mode for the customer to which you wish to assign this AAA server group.
Step 8  Router(config-customer-profil)# aaa group-configuration group-name
        Associates this AAA server group (named in Step 4) with the customer profile named in Step 7.

Configuring VPDN Profiles
A VPDN profile is required only if you want to impose limits on the VPDN tunnel that are separate from
the customer limits.
To configure VPDN profiles, use the following commands beginning in global configuration mode:

Step 1  Router(config)# resource-pool profile vpdn profile-name
        Creates a VPDN profile and assigns it a profile name.
Step 2  Router(config-vpdn-profile)# limit base-size {number | all}
        Specifies the maximum number of simultaneous base VPDN sessions to be allowed for this VPDN group under the terms of the service-level agreement (SLA). The range is 0 to 1000 sessions. If all sessions are to be designated as base VPDN sessions, specify all.
Step 3  Router(config-vpdn-profile)# limit overflow-size {number | all}
        Specifies the maximum number of simultaneous overflow VPDN sessions to be allowed for this VPDN group under the terms of the SLA. The range is 0 to 1000 sessions. If all sessions are to be designated as overflow VPDN sessions, specify all.
Step 4  Router(config-vpdn-profile)# exit
        Returns to global configuration mode.
Step 5  Router(config)# resource-pool profile customer name
        Enters customer profile configuration mode for the customer to which you wish to assign this VPDN group.
Step 6  Router(config-customer-profi)# vpdn profile profile-name
        or
        Router(config-customer-profi)# vpdn group group-name
        Attaches the VPDN profile you have just configured to the customer profile to which it belongs, or, if the limits imposed by the VPDN profile are not required, attaches a VPDN group instead (see the section “Configuring VPDN Groups” later in this chapter).

Configuring VPDN Groups
A VPDN group consists of VPDN sessions that are combined and placed into a customer profile or a
VPDN profile. Note the following characteristics of VPDN groups:
• The dnis-group-name argument is required to authorize the VPDN group with RPM.
• A VPDN group placed in a customer profile allows VPDN connections for the customer using that
profile.
• A VPDN group placed in a VPDN profile allows the session limits configured for that profile to
apply to all of the VPDN sessions within that VPDN group.
• VPDN data includes an associated domain name or DNIS, an endpoint IP address, the maximum
number of MLP bundles, and the maximum number of links per MLP bundle; this data can
optionally be located on a AAA server.
See the sections “VPDN Configuration Example” and “VPDN Load Sharing and Backing Up Between
Multiple HGW/LNSs Example” at the end of this chapter for examples of using VPDN with RPM.
To configure VPDN groups, use the following commands beginning in global configuration mode:

Step 1  Router(config)# vpdn enable
        Enables VPDN sessions on the NAS.
Step 2  Router(config)# vpdn-group group-name
        Creates a VPDN group and assigns it a unique name. Each VPDN group can have multiple endpoints (HGW/LNSs).
Step 3  Router(config-vpdn)# request dialin {l2f | l2tp} {ip ip-address} {domain domain-name | dnis dnis-number}
        Specifies the tunneling protocol to be used to reach the remote peer defined by a specific IP address if a dial-in request is received for the specified domain name or DNIS number. The IP address that qualifies the session is automatically generated and need not be entered again.
Step 4  Router(config-vpdn)# multilink {bundle-number | link-number}
        Specifies the maximum number of bundles and links for all multilink users in the VPDN group. The range for both bundles and links is 0 to 32767. In general, each user requires one bundle.
Step 5  Router(config-vpdn)# loadsharing ip ip-address [limit number]
        Configures the endpoints for loadsharing. This router will share the load of IP traffic with the first router specified in Step 2. The limit keyword limits the number of simultaneous sessions that are sent to the remote endpoint (HGW/LNS). This limit can be 0 to 32767 sessions.
Step 6  Router(config-vpdn)# backup ip ip-address [limit number] [priority number]
        Sets up a backup HGW/LNS router. The number of sessions per backup can be limited. The priority number can be 2 to 32767. The highest priority is 2, which is the first HGW/LNS router to receive backup traffic. The lowest priority, which is the default, is 32767.
Step 7  Router(config-vpdn)# exit
        Returns to global configuration mode.
Step 8  Router(config)# resource-pool profile vpdn profile-name
        or
        Router(config)# resource-pool profile customer name
        Enters either VPDN profile configuration mode or customer profile configuration mode, depending on whether you want to allow VPDN connections for a customer profile, or allow combined session counting on all of the VPDN sessions within a VPDN profile.
Step 9  Router(config-vpdn-profile)# vpdn group group-name
        or
        Router(config-customer-profi)# vpdn group group-name
        Attaches the VPDN group to either the VPDN profile or the customer profile specified in Step 8.

Counting VPDN Sessions by Using VPDN Profiles
Session counting is provided for each VPDN profile. One session is brought up each time a remote client
dials into a HGW/LNS router by using the NAS/LAC. Sessions are counted by using VPDN profiles. If
you do not want to count the number of VPDN sessions, do not set up any VPDN profiles. VPDN profiles
count sessions in one or more VPDN groups.
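The template, AAA server group, VPDN profile and VPDN group procedures above each end in a customer profile that references objects created earlier, and several of the keywords carry documented ranges (VPDN limits 0 to 1000, multilink bundles and links 0 to 32767, loadsharing limits 0 to 32767, backup priority 2 to 32767). The following Python generator, an added example and not Cisco code, emits those CLI lines in dependency order and refuses out-of-range values before anything is produced, so a typo does not become an unlimited SLA. All names, addresses and the EXAMPLE_SPEC structure are constructed placeholders; the VPDN group uses the request dialin / protocol / initiate-to form shown in the running-config later in this chapter.

```python
"""Generate RPM customer, template, AAA group and VPDN configuration with range checks.

Constructed example; names (ACME, acme_direct, rad-grp, ...) and 192.0.2.x addresses are
placeholders, not values from the guide.
"""

# Ranges documented for these keywords in this chapter.
VPDN_LIMIT_RANGE = (0, 1000)        # limit base-size / limit overflow-size (sessions)
MULTILINK_RANGE = (0, 32767)        # multilink bundle / multilink link
LOADSHARE_LIMIT_RANGE = (0, 32767)  # loadsharing ip ... limit
BACKUP_PRIORITY_RANGE = (2, 32767)  # backup ip ... priority (2 is the highest priority)


def _check(value, rng, what):
    """Reject a value outside the range the chapter documents for that keyword."""
    lo, hi = rng
    if not lo <= int(value) <= hi:
        raise ValueError(f"{what} must be {lo}-{hi}, got {value}")
    return int(value)


def _limit(value, what):
    """VPDN profile limits take a number in range or the keyword all."""
    return "all" if value == "all" else str(_check(value, VPDN_LIMIT_RANGE, what))


def template_config(name, pool, chap_list=None, multilink=True):
    lines = [f"template {name}", f" peer default ip address pool {pool}"]
    if chap_list:
        lines.append(f" ppp authentication chap {chap_list}")
    if multilink:
        lines.append(" ppp multilink")
    return lines


def aaa_group_config(kind, name, servers):
    if kind not in ("radius", "tacacs+"):
        raise ValueError("AAA server group type must be radius or tacacs+")
    return [f"aaa group server {kind} {name}"] + [f" server {ip}" for ip in servers]


def vpdn_profile_config(name, base_size, overflow_size, groups):
    lines = [f"resource-pool profile vpdn {name}",
             f" limit base-size {_limit(base_size, 'base-size')}",
             f" limit overflow-size {_limit(overflow_size, 'overflow-size')}"]
    return lines + [f" vpdn group {g}" for g in groups]


def vpdn_group_config(name, protocol, dnis_group, endpoint, bundles, links,
                      loadshare=(), backup=()):
    if protocol not in ("l2f", "l2tp"):
        raise ValueError("tunnel protocol must be l2f or l2tp")
    lines = [f"vpdn-group {name}", " request dialin", f"  protocol {protocol}",
             f"  dnis {dnis_group}", f" initiate-to ip {endpoint}",
             f" multilink bundle {_check(bundles, MULTILINK_RANGE, 'multilink bundle')}",
             f" multilink link {_check(links, MULTILINK_RANGE, 'multilink link')}"]
    for ip, limit in loadshare:
        lines.append(f" loadsharing ip {ip} limit "
                     f"{_check(limit, LOADSHARE_LIMIT_RANGE, 'loadsharing limit')}")
    for ip, prio in backup:
        lines.append(f" backup ip {ip} priority "
                     f"{_check(prio, BACKUP_PRIORITY_RANGE, 'backup priority')}")
    return lines


def customer_profile_config(name, dnis_group, template, aaa_group, vpdn_profile, resources=()):
    lines = [f"resource-pool profile customer {name}", f" dnis group {dnis_group}"]
    lines += [f" resource {res} {call_type}" for res, call_type in resources]
    lines += [f" source template {template}", f" aaa group-configuration {aaa_group}",
              f" vpdn profile {vpdn_profile}"]
    return lines


def build_rpm_config(spec):
    """Assemble the pieces so every object exists before the profile that references it."""
    lines = ["aaa new-model", "vpdn enable"]
    lines += aaa_group_config(**spec["aaa_group"])
    lines += template_config(**spec["template"])
    lines += vpdn_group_config(**spec["vpdn_group"])
    lines += vpdn_profile_config(**spec["vpdn_profile"])
    lines += customer_profile_config(**spec["customer"])
    return "\n".join(lines)


# Constructed example specification (placeholder names and addresses).
EXAMPLE_SPEC = {
    "aaa_group": {"kind": "radius", "name": "rad-grp", "servers": ["192.0.2.10"]},
    "template": {"name": "acme_direct", "pool": "tahoe", "chap_list": "isdn-users"},
    "vpdn_group": {"name": "acme-vpdng", "protocol": "l2tp", "dnis_group": "acme-calledg",
                   "endpoint": "192.0.2.20", "bundles": 50, "links": 2,
                   "loadshare": [("192.0.2.21", 100)], "backup": [("192.0.2.22", 5)]},
    "vpdn_profile": {"name": "acme-profile", "base_size": 50, "overflow_size": 10,
                     "groups": ["acme-vpdng"]},
    "customer": {"name": "ACME", "dnis_group": "acme-calledg", "template": "acme_direct",
                 "aaa_group": "rad-grp", "vpdn_profile": "acme-profile",
                 "resources": [("isdn-ports", "digital")]},
}

if __name__ == "__main__":
    print(build_rpm_config(EXAMPLE_SPEC))
```

Running the module prints the configuration for EXAMPLE_SPEC; paste it into a lab box only after checking the generated lines against the command tables above, since the generator knows the ranges but not which image or platform you are on.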
To configure VPDN profile session counting, use the following commands beginning in global
configuration mode:

Step 1  Router(config)# resource-pool profile vpdn name
        Creates a VPDN profile.
Step 2  Router(config-vpdn-profile)# vpdn-group name
        Router(config-vpdn-profile)# exit
        Associates a VPDN group with the VPDN profile. VPDN sessions made within this VPDN group will be counted by the VPDN profile.
Step 3  Router(config)# resource-pool profile customer name
        Router(config-customer-profi)# vpdn profile name
        Links the VPDN group to a customer profile.
Step 4  Router(config-customer-profi)# ^Z
        Router#
        Returns to EXEC mode to perform verification steps.

To verify session counting and view VPDN group information configured under resource pooling, use
the show resource-pool vpdn group command. In this example, two different VPDN groups are
configured under two different customer profiles:
Router# show resource-pool vpdn group
List of VPDN Groups under Customer Profiles
Customer Profile customer1:customer1-vpdng
Customer Profile customer2:customer2-vpdng
List of VPDN Groups under VPDN Profiles
VPDN Profile customer1-profile:customer1-vpdng
To display the contents of a specific VPDN group, use the show resource-pool vpdn group name
command. This example contains one domain name, two DNIS called groups, and two endpoints:
Router# show resource-pool vpdn group customer2-vpdng
VPDN Group customer2-vpdng found under Customer Profiles: customer2
Tunnel (L2TP)
------
dnis:cg1
dnis:cg2
dnis:jan
Endpoint Session Limit Priority Active Sessions Status Reserved Sessions
-------- ------------- -------- --------------- ------ -----------------
172.21.9.67 * 1 0 OK -
10.1.1.1 * 2 0 OK -
--------------- ------------- --------------- -----------------
Total * 0 0
To display the contents of a specific VPDN profile, use the show resource-pool vpdn profile name
command, as follows:
Router# show resource-pool vpdn profile ?
WORD VPDN profile name
Router# show resource-pool vpdn profile customer1-profile
0 active connections
0 max number of simultaneous connections
0 calls rejected due to profile limits
0 calls rejected due to resource unavailable
0 overflow connections
0 overflow states entered
0 overflow connections rejected
1435 minutes since last clear command
Note Use the debug vpdn event command to troubleshoot VPDN profile limits, session limits, and MLP
connections. First, enable this command; then, send a call into the access server. Interpret the debug
output and make configuration changes as needed.
To debug the L2F or L2TP protocols, use the debug vpdn l2x command:
Router# debug vpdn l2x ?
error VPDN Protocol errors
event VPDN event
l2tp-sequencing L2TP sequencing
l2x-data L2F/L2TP data packets
l2x-errors L2F/L2TP protocol errors
l2x-events L2F/L2TP protocol events
l2x-packets L2F/L2TP control packets
packet VPDN packet
Limiting the Number of MLP Bundles in VPDN Groups
Cisco IOS software enables you to limit the number of MLP bundles and links supported for each VPDN
group. A bundle name consists of a username endpoint discriminator (for example, an IP address or
phone number) sent during LCP negotiation.
To limit the number of MLP bundles in VPDN groups, use the following commands beginning in global
configuration mode:

Step 1  Router(config)# vpdn-group name
        Creates a VPDN group.
Step 2  Router(config-vpdn)# multilink {bundle number | link number}
        Limits the number of MLP bundles per VPDN group and links per bundle. These settings limit the number of users that can multilink. Both the NAS/LAC and the HGW/LNS router must be configured to support multilink before a client can use multilink to connect to a HGW/LNS.

The following example shows the show vpdn multilink command output for verifying MLP bundle
limits:
Router# show vpdn multilink
Multilink Bundle Name VPDN Group Active links Reserved links Bundle/Link Limit
--------------------- ---------- ------------ -------------- -----------------
twv@anycompany.com vgdnis 0 0 */*
Note Use the debug vpdn event and debug resource-pooling commands to troubleshoot VPDN profile
limits, session limits, and MLP connections. First, enable these commands; then, send a call into the
access server. Interpret the debug output and make configuration changes as needed.
Configuring Switched 56 over CT1 and RBS
To configure switched 56 over CT1 and RBS, use the following commands beginning in global
configuration mode. Perform this task on the Cisco AS5200 and Cisco AS5300 access servers only.

Step 1  Router(config)# controller t1 number
        Specifies a controller and begins controller configuration mode.
Step 2  Router(config-controller)# cas-group 0 timeslots 1-24 type e&m-fgb {dtmf | mf} {dnis}
        Creates a CAS group and assigns time slots.
Step 3  Router(config-controller)# framing {sf | esf}
        Specifies framing.
Step 4  Router(config-controller)# linecode {ami | b8zs}
        Enters the line code.
Step 5  Router(config-controller)# exit
        Returns to global configuration mode.
Step 6  Router(config)# dialer dnis group name
        Creates a dialer called group.
Step 7  Router(config-called-group)# call-type cas digital
        Assigns a call type as digital (switched 56).
Step 8  Router(config-called-group)# exit
        Returns to global configuration mode.
Step 9  Router(config)# interface serial number:number
        Router(config-if)#
        Specifies the logical serial interface, which was dynamically created when the cas-group command was issued. This command also enters interface configuration mode, where you configure the core protocol characteristics for the serial interface.

To verify switched 56 over CT1, use the show dialer dnis command as follows:
Router# show dialer dnis group
List of DNIS Groups:
default
mdm_grp1
Router# show dialer dnis group mdm_grp1
Called Number:2001
0 total connections
0 peak connections
0 calltype mismatches
Called Number:2002
0 total connections
0 peak connections
0 calltype mismatches
Called Number:2003
0 total connections
0 peak connections
0 calltype mismatches
Called Number:2004
0 total connections
0 peak connections
0 calltype mismatches
.
.
.
Router# show dialer dnis number
List of Numbers:
default
2001
2002
2003
2004
.
.
.
Verifying RPM Components
The following sections provide call-counter and call-detail output for the different RPM components:
• Verifying Current Calls
• Verifying Call Counters for a Customer Profile
• Clearing Call Counters
• Verifying Call Counters for a Discriminator Profile
• Verifying Call Counters for a Resource Group
• Verifying Call Counters for a DNIS Group
• Verifying Call Counters for a VPDN Profile
• Verifying Load Sharing and Backup
Verifying Current Calls
The following output from the show resource-pool call command shows the details for all current calls,
including the customer profile and resource group, and the matched DNIS group:
Router# show resource-pool call
Shelf 0, slot 0, port 0, channel 15, state RM_RPM_RES_ALLOCATED
Customer profile ACME, resource group isdn-ports
DNIS number 301001
Shelf 0, slot 0, port 0, channel 14, state RM_RPM_RES_ALLOCATED
Customer profile ACME, resource group isdn-ports
DNIS number 301001
Shelf 0, slot 0, port 0, channel 11, state RM_RPM_RES_ALLOCATED
Customer profile ACME, resource group MICA-modems
DNIS number 301001
Verifying Call Counters for a Customer Profile
The following output from the show resource-pool customer command shows the call counters for a
given customer profile. These counters include historical data and can be cleared.
Router# show resource-pool customer ACME
3 active connections
41 calls accepted
3 max number of simultaneous connections
11 calls rejected due to profile limits
2 calls rejected due to resource unavailable
0 minutes spent with max connections
5 overflow connections
1 overflow states entered
11 overflow connections rejected
10 minutes spent in overflow
214 minutes since last clear command
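Counters such as these are cumulative since the last clear resource-pool, so a single snapshot is only meaningful as ratios and rates. The following Python, an added example rather than anything from the guide, parses the show resource-pool customer output above and flags a profile whose calls are being refused for profile limits, for lack of free resources, or even after it entered overflow: a rising profile-limit rejection count is either an undersized SLA or a burst of calls into that customer's DNIS numbers, and both deserve a look. The sample text is the ACME output from this section; the 10 percent threshold and the function names are assumptions made for the example.

```python
import re

# Constructed sample: the show resource-pool customer ACME output from this section.
SAMPLE_COUNTERS = """\
Router# show resource-pool customer ACME
3 active connections
41 calls accepted
3 max number of simultaneous connections
11 calls rejected due to profile limits
2 calls rejected due to resource unavailable
0 minutes spent with max connections
5 overflow connections
1 overflow states entered
11 overflow connections rejected
10 minutes spent in overflow
214 minutes since last clear command
"""

# Each counter line is "<value> <description>"; the prompt line does not match.
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_counters(text):
    """Map each counter description to its integer value."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def assess_profile(counters, max_reject_ratio=0.10):
    """Derive attempt totals, rejection ratio and hourly rate, and list what needs attention.

    max_reject_ratio is an assumed threshold for this example; tune it to the customer's SLA.
    """
    accepted = counters.get("calls accepted", 0)
    limit_rej = counters.get("calls rejected due to profile limits", 0)
    res_rej = counters.get("calls rejected due to resource unavailable", 0)
    overflow_rej = counters.get("overflow connections rejected", 0)
    minutes = counters.get("minutes since last clear command", 0)
    total = accepted + limit_rej + res_rej      # every attempt RPM decided on
    rejected = limit_rej + res_rej
    findings = []
    if total and limit_rej / total > max_reject_ratio:
        findings.append(f"{limit_rej} of {total} attempts hit the customer profile limit")
    if total and res_rej / total > max_reject_ratio:
        findings.append(f"{res_rej} of {total} attempts found no free resource")
    if overflow_rej:
        findings.append(f"{overflow_rej} calls were refused even in overflow state")
    return {
        "total_attempts": total,
        "reject_ratio": round(rejected / total, 3) if total else 0.0,
        "rejections_per_hour": round(rejected / minutes * 60, 2) if minutes else 0.0,
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess_profile(parse_counters(SAMPLE_COUNTERS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The same parser works unchanged on show resource-pool vpdn profile output, which uses the same "value description" line shape; only the overflow and minute lines differ, and missing keys simply default to zero.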
Clearing Call Counters
The clear resource-pool command clears the call counters.
Verifying Call Counters for a Discriminator Profile
The following output from the show resource-pool discriminator command shows the call counters for
a given discriminator profile. These counters include historical data and can be cleared.
Router# show resource-pool discriminator
List of Call Discriminator Profiles:
deny_DNIS
Router# show resource-pool discriminator deny_DNIS
1 calls rejected
Verifying Call Counters for a Resource Group
The following output from the show resource-pool resource command shows the call counters for a
given resource group. These counters include historical data and can be cleared.
Router# show resource-pool resource
List of Resources:
isdn-ports
MICA-modems
Router# show resource-pool resource isdn-ports
46 resources in the resource group
2 resources currently active
8 calls accepted in the resource group
2 calls rejected due to resource unavailable
0 calls rejected due to resource allocation errors
Verifying Call Counters for a DNIS Group
The following output from the show dialer dnis command shows the call counters for a given DNIS
group. These counters include historical data and can be cleared.
Router# show dialer dnis group ACME_dnis_numbers
DNIS Number:301001
11 total connections
5 peak connections
0 calltype mismatches
Verifying Call Counters for a VPDN Profile
The following output from the show resource-pool vpdn command shows the call counters for a given
VPDN profile or the tunnel information for a given VPDN group. These counters include historical data
and can be cleared.
Router# show resource-pool vpdn profile ACME_VPDN
2 active connections
2 max number of simultaneous connections
0 calls rejected due to profile limits
0 calls rejected due to resource unavailable
0 overflow connections
0 overflow states entered
0 overflow connections rejected
215 minutes since last clear command
Router# show resource-pool vpdn group outgoing-2
VPDN Group outgoing-2 found under VPDN Profiles: ACME_VPDN
Tunnel (L2F)
------
dnis:301001
dnis:ACME_dnis_numbers
Endpoint Session Limit Priority Active Sessions Status Reserved Sessions
-------- ------------- -------- --------------- ------ -----------------
172.16.1.9 * 1 2 OK -
-------- ------------- --------------- -----------------
Total * 2 0
Verifying Load Sharing and Backup
The following example from the show running-config EXEC command shows two different VPDN
customer groups:
Router# show running-config
Building configuration...
.
.
.
vpdn-group customer1-vpdng
request dialin
protocol l2f
domain cisco.com
domain cisco2.com
dnis customer1-calledg
initiate-to ip 172.21.9.67
loadsharing ip 172.21.9.68 limit 100
backup ip 172.21.9.69 priority 5
vpdn-group customer2-vpdng
request dialin
protocol l2tp
dnis customer2-calledg
domain acme.com
initiate-to ip 172.22.9.5
Troubleshooting RPM
Test and verify that ISDN, CAS, SS7, PPP, AAA, and VPDN are working properly before implementing
RPM. Once RPM is implemented, the only debug commands needed for troubleshooting RPM are as
follows:
• debug resource-pool
• debug aaa authorization
The debug resource-pool command is useful as a first step to ensure proper operation. It is usually
sufficient for most cases. Use the debug aaa authorization command for troubleshooting VPDN and
modem service problems.
Problems that might typically occur are as follows:
• No DNIS group found or no customer profile uses a default DNIS
• Call discriminator blocks the DNIS
• Customer profile limits exceeded
• Resource group limits exceeded
Note Always enable the debug and log time stamps when troubleshooting RPM.
This section provides the following topics for troubleshooting RPM:
• Resource-Pool Component
• Resource Group Manager
• Signaling Stack
• AAA Component
• VPDN Component
• Troubleshooting DNIS Group Problems
• Troubleshooting Call Discriminator Problems
• Troubleshooting Customer Profile Counts
• Troubleshooting Resource Group Counts
• Troubleshooting VPDN
• Troubleshooting RPMS
Resource-Pool Component
The resource-pool component contains two modules—a dispatcher and a local resource-pool manager.
The dispatcher interfaces with the signaling stack, resource-group manager, and AAA, and is responsible
for maintaining resource-pool call state and status information. The state transitions can be displayed by
enabling the resource-pool debug traces. Table 45 summarizes the resource pooling states.
The resource-pool state can be used to isolate problems. For example, if a call fails authorization in the
RM_RES_AUTHOR state, investigate further with AAA authorization debugs to determine whether the
problem lies in the resource-pool manager, AAA, or dispatcher.
The resource-pool component also contains local customer profiles and discriminators, and is
responsible for matching, configuring, and maintaining the associated counters and statistics. The
resource-pool component is responsible for the following:
• Configuration of customer profiles or discriminators
• Matching a customer profile or discriminator for local profile configuration
• Counters/statistics for customer profiles or discriminators
• Active call information displayed by the show resource-pool call command
The RPMS debug commands are summarized in Table 46.
Table 45 Resource Pooling States
State               Description
RM_IDLE             No call activity.
RM_RES_AUTHOR       Call waiting for authorization; message sent to AAA.
RM_RES_ALLOCATING   Call authorized; resource group manager allocating.
RM_RES_ALLOCATED    Resource allocated; connection acknowledgment sent to signaling stack. Call should get connected and become active.
RM_AUTH_REQ_IDLE    Signaling module disconnected call while in RM_RES_AUTHOR. Waiting for authorization response from AAA.
RM_RES_REQ_IDLE     Signaling module disconnected call while in RM_RES_ALLOCATING. Waiting for resource allocation response from resource group manager.

Table 46 Debug Commands for RPM
Command                   Purpose
debug resource-pool       This debug output should be sufficient for most RPM troubleshooting situations.
debug aaa authorization   This debug output provides more specific information and shows the actual DNIS numbers passed and call types used.
Successful Resource Pool Connection
The following sample output from the debug resource-pool command displays a successful RPM
connection. The entries in bold are of particular importance.
*Mar 1 02:14:57.439: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:21
*Mar 1 02:14:57.439: RM: event incoming call
*Mar 1 02:14:57.443: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:21
*Mar 1 02:14:57.447: RM:RPM event incoming call
*Mar 1 02:14:57.459: RPM profile ACME found
*Mar 1 02:14:57.487: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_SUCCESS
DS0:0:0:0:21
*Mar 1 02:14:57.487: Allocated resource from res_group isdn-ports
*Mar 1 02:14:57.491: RM:RPM profile "ACME", allocated resource "isdn-ports" successfully
*Mar 1 02:14:57.495: RM state:RM_RPM_RES_ALLOCATING event:RM_RPM_RES_ALLOC_SUCCESS
DS0:0:0:0:21
*Mar 1 02:14:57.603: %LINK-3-UPDOWN: Interface Serial0:21, changed state to up
*Mar 1 02:15:00.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:21, changed
state to up
Dialer Component
The dialer component contains DNIS groups and is responsible for their configuration and for the
maintenance of their counters and statistics. The dialer component is responsible for the following:
• DNIS number statistics or counters
• Configuring DNIS groups
Resource Group Manager
Resource groups are created, maintained, allocated, freed, and tallied by the resource group manager.
The resource group manager is also responsible for service profiles, which are applied to resources at
call setup time. The resource group manager is responsible for:
• Allocating resources when the profile has been authorized and a valid resource group is received
• Statistics or configuration of resource groups
• Configuring or applying service profiles to resource groups
• Collecting DNIS number information for channel-associated signaling calls
Signaling Stack
The signaling stacks currently supported in resource pooling are CAS and ISDN. The signaling stack
delivers the incoming call to the resource-pool dispatcher and provides call-type and DNIS number
information to the resource-pool dispatcher. Depending on configuration, call connect attempts may fail
if the signaling stacks do not send the DNIS number and the call type to the resource-pool dispatcher.
Call attempts will also fail if signaling stacks disconnect prematurely, not giving enough time for
authorization or resource allocation processes to complete.
Therefore, investigate the signaling stack when call attempts or call treatment behavior does not meet
expectations. For ISDN, the debug isdn q931 command can be used to isolate errors between resource
pooling, signaling stack, and switch. For CAS, the debug modem csm, service internal, and
modem-mgmt csm debug-rbs commands are used on Cisco AS5200 and Cisco AS5300 access servers,
while the debug csm and debug trunk cas port number timeslots number commands are used on the
Cisco AS5800 access server.
AAA Component
In context with resource pooling, the AAA component is responsible for the following:
• Authorization of profiles between the resource-pool dispatcher and local or external resource-pool
manager
• Accounting messages between the resource-pool dispatcher and external resource-pool manager for
resource allocation
• VPDN authorization between VPDN and the local or external resource-pool manager
• VPDN accounting messages between VPDN and the external resource-pool manager
• Overflow accounting records between the AAA server and resource-pool dispatcher
• Resource connect speed accounting records between the AAA server and resource group
VPDN Component
The VPDN component is responsible for the following:
• Creating VPDN groups and profiles
• Searching or matching groups based on domain or DNIS
• Maintaining counts and statistics for the groups and profiles
• Setting up the tunnel between the NAS/LAC and HGW/LNS
The VPDN component interfaces with AAA to get VPDN tunnel authorization on the local or remote
resource-pool manager. VPDN and AAA debugging traces should be used for troubleshooting.
Troubleshooting DNIS Group Problems
The following output from the debug resource-pool command displays a customer profile that is not
found for a particular DNIS group:
*Mar 1 00:38:21.011: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:3
*Mar 1 00:38:21.011: RM: event incoming call
*Mar 1 00:38:21.015: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:3
*Mar 1 00:38:21.019: RM:RPM event incoming call
*Mar 1 00:38:21.103: RPM no profile found for call-type digital in default DNIS number
*Mar 1 00:38:21.155: RM:RPM profile rejected do not allocate resource
*Mar 1 00:38:21.155: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_FAIL DS0:0:0:0:3
*Mar 1 00:38:21.163: RM state:RM_RPM_DISCONNECTING event:RM_RPM_DISC_ACK DS0:0:0:0:3
Troubleshooting Call Discriminator Problems
The following output from the debug resource-pool command displays an incoming call that is matched
against a call discriminator profile:
*Mar 1 00:35:25.995: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:4
*Mar 1 00:35:25.999: RM: event incoming call
*Mar 1 00:35:25.999: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:4
*Mar 1 00:35:26.003: RM:RPM event incoming call
*Mar 1 00:35:26.135: RM:RPM profile rejected do not allocate resource
*Mar 1 00:35:26.139: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_FAIL DS0:0:0:0:4
*Mar 1 00:35:26.143: RM state:RM_RPM_DISCONNECTING event:RM_RPM_DISC_ACK DS0:0:0:0:4
Troubleshooting Customer Profile Counts
The following output from the debug resource-pool command displays what happens once the customer
profile limits have been reached:
*Mar 1 00:43:33.275: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:9
*Mar 1 00:43:33.279: RM: event incoming call
*Mar 1 00:43:33.279: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:9
*Mar 1 00:43:33.283: RM:RPM event incoming call
*Mar 1 00:43:33.295: RPM count exceeded in profile ACME
*Mar 1 00:43:33.315: RM:RPM profile rejected do not allocate resource
*Mar 1 00:43:33.315: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_FAIL DS0:0:0:0:9
*Mar 1 00:43:33.323: RM state:RM_RPM_DISCONNECTING event:RM_RPM_DISC_ACK DS0:0:0:0:9
Troubleshooting Resource Group Counts
The following output from the debug resource-pool command displays the resources within a resource
group all in use:
*Mar 1 00:52:34.411: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:19
*Mar 1 00:52:34.411: RM: event incoming call
*Mar 1 00:52:34.415: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:19
*Mar 1 00:52:34.419: RM:RPM event incoming call
*Mar 1 00:52:34.431: RPM profile ACME found
*Mar 1 00:52:34.455: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_SUCCESS
DS0:0:0:0:19
*Mar 1 00:52:34.459: All resources in res_group isdn-ports are in use
*Mar 1 00:52:34.463: RM state:RM_RPM_RES_ALLOCATING event:RM_RPM_RES_ALLOC_FAIL
DS0:0:0:0:19
*Mar 1 00:52:34.467: RM:RPM failed to allocate resources for "ACME"
Troubleshooting VPDN
Troubleshooting problems that might typically occur are as follows:
• Customer profile is not associated with a VPDN profile or VPDN group (the call will be locally
terminated in this case. Regular VPDN can still succeed even if RPM/VPDN fails).
• VPDN profile limits have been reached (call answered but disconnected).
• VPDN group limits have been reached (call answered but disconnected).
• VPDN endpoint is not reachable (call answered but disconnected).
Troubleshooting RPM/VPDN Connection
The following sample output from the debug resource-pool command displays a successful
RPM/VPDN connection. The entries in bold are of particular importance.
*Mar 1 00:15:53.639: Se0:10 RM/VPDN/rm-session-request: Allocated vpdn info for domain
NULL MLP Bundle SOHO
*Mar 1 00:15:53.655: RM/VPDN/ACME_VPDN: VP LIMIT/ACTIVE/RESERVED/OVERFLOW are now 6/0/0/0
*Mar 1 00:15:53.659: RM/VPDN/ACME_VPDN: Session reserved for outgoing-2
*Mar 1 00:15:53.695: Se0:10 RM/VPDN: Session has been authorized using
dnis:ACME_dnis_numbers
*Mar 1 00:15:53.695: Se0:10 RM/VPDN/session-reply: NAS name HQ-NAS
*Mar 1 00:15:53.699: Se0:10 RM/VPDN/session-reply: Endpoint addresses 172.16.1.9
*Mar 1 00:15:53.703: Se0:10 RM/VPDN/session-reply: VPDN tunnel protocol l2f
*Mar 1 00:15:53.703: Se0:10 RM/VPDN/session-reply: VPDN Group outgoing-2
*Mar 1 00:15:53.707: Se0:10 RM/VPDN/session-reply: VPDN domain dnis:ACME_dnis_numbers
*Mar 1 00:15:53.767: RM/VPDN: MLP Bundle SOHO Session Connect with 1 Endpoints:
*Mar 1 00:15:53.771: IP 172.16.1.9 OK
*Mar 1 00:15:53.771: RM/VPDN/rm-session-connect/ACME_VPDN: VP
LIMIT/ACTIVE/RESERVED/OVERFLOW are now 6/1/0/0
*Mar 1 00:15:54.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:10, changed
state to up
*Mar 1 00:15:57.399: %ISDN-6-CONNECT: Interface Serial0:10 is now connected to SOHO
Troubleshooting Customer/VPDN Profile
The following sample output from the debug resource-pool command displays when there is no VPDN
group associated with an incoming DNIS group. However, the output from the debug resource-pool
command, as shown here, does not effectively reflect the problem:
*Mar 1 03:40:16.483: Se0:15 RM/VPDN/rm-session-request: Allocated vpdn info for domain
NULL MLP Bundle SOHO
*Mar 1 03:40:16.515: Se0:15 RM/VPDN/rm-session-request: Authorization failed
*Mar 1 03:40:16.527: %VPDN-6-AUTHORERR: L2F NAS HQ-NAS cannot locate a AAA server for
Se0:15 user SOHO
*Mar 1 03:40:16.579: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Mar 1 03:40:17.539: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:15, changed
state to up
*Mar 1 03:40:17.615: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1,
changed state to up
*Mar 1 03:40:19.483: %ISDN-6-CONNECT: Interface Serial0:15 is now connected to SOHO
Whenever the debug resource-pool command offers no further assistance besides the indication that
authorization has failed, enter the debug aaa authorization command to further troubleshoot the
problem. In this case, the debug aaa authorization command output appears as follows:
*Mar 1 04:03:49.846: Se0:19 RM/VPDN/rm-session-request: Allocated vpdn info for domain
NULL MLP Bundle SOHO
*Mar 1 04:03:49.854: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): Port='DS0:0:0:0:19'
list='default' service=RM
*Mar 1 04:03:49.858: AAA/AUTHOR/RM vpdn-session: Se0:19 (3912941997) user='301001'
*Mar 1 04:03:49.862: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV
service=resource-management
*Mar 1 04:03:49.866: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV
protocol=vpdn-session
*Mar 1 04:03:49.866: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV
rm-protocol-version=1.0
*Mar 1 04:03:49.870: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV
rm-nas-state=3278356
*Mar 1 04:03:49.874: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV
rm-call-handle=27
*Mar 1 04:03:49.878: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV
multilink-id=SOHO
*Mar 1 04:03:49.878: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): found list "default"
*Mar 1 04:03:49.882: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): Method=LOCAL
*Mar 1 04:03:49.886: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV
service=resource-management
*Mar 1 04:03:49.890: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV
protocol=vpdn-session
*Mar 1 04:03:49.890: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV
rm-protocol-version=1.0
*Mar 1 04:03:49.894: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV
rm-nas-state=3278356
*Mar 1 04:03:49.898: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV
rm-call-handle=27
*Mar 1 04:03:49.902: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV
multilink-id=SOHO
*Mar 1 04:03:49.906: Se0:19 AAA/AUTHOR/VPDN/RM/LOCAL: Customer ACME has no VPDN group
for session dnis:ACME_dnis_numbers
*Mar 1 04:03:49.922: Se0:19 AAA/AUTHOR (3912941997): Post authorization status = FAIL
Troubleshooting VPDN Profile Limits
The following output from the debug resource-pool command displays that VPDN profile limits have
been reached:
*Mar 1 04:57:53.762: Se0:13 RM/VPDN/rm-session-request: Allocated vpdn info for domain
NULL MLP Bundle SOHO
*Mar 1 04:57:53.774: RM/VPDN/ACME_VPDN: VP LIMIT/ACTIVE/RESERVED/OVERFLOW are now 0/0/0/0
*Mar 1 04:57:53.778: RM/VPDN/ACME_VPDN: Session outgoing-2 rejected due to Session Limit
*Mar 1 04:57:53.798: Se0:13 RM/VPDN/rm-session-request: Authorization failed
*Mar 1 04:57:53.802: %VPDN-6-AUTHORFAIL: L2F NAS HQ-NAS, AAA authorization failure for
Se0:13 user SOHO; At Session Max
*Mar 1 04:57:53.866: %ISDN-6-DISCONNECT: Interface Serial0:13 disconnected from SOHO,
call lasted 2 seconds
*Mar 1 04:57:54.014: %LINK-3-UPDOWN: Interface Serial0:13, changed state to down
*Mar 1 04:57:54.050: RM state:RM_RPM_RES_ALLOCATED event:DIALER_DISCON DS0:0:0:0:13
*Mar 1 04:57:54.054: RM:RPM event call drop
*Mar 1 04:57:54.054: Deallocated resource from res_group isdn-ports
Troubleshooting VPDN Group Limits
The following debug resource-pool command display shows that VPDN group limits have been
reached. From this display, the problem is not obvious. To troubleshoot further, use the debug aaa
authorization command described in the “Troubleshooting RPMS” section later in this chapter:
*Mar 1 05:02:22.314: Se0:17 RM/VPDN/rm-session-request: Allocated vpdn info for domain
NULL MLP Bundle SOHO
*Mar 1 05:02:22.334: RM/VPDN/ACME_VPDN: VP LIMIT/ACTIVE/RESERVED/OVERFLOW are now 5/0/0/0
*Mar 1 05:02:22.334: RM/VPDN/ACME_VPDN: Session reserved for outgoing-2
*Mar 1 05:02:22.358: Se0:17 RM/VPDN/rm-session-request: Authorization failed
*Mar 1 05:02:22.362: %VPDN-6-AUTHORFAIL: L2F NAS HQ-NAS, AAA authorization failure for
Se0:17 user SOHO; At Multilink Bundle Limit
*Mar 1 05:02:22.374: %ISDN-6-DISCONNECT: Interface Serial0:17 disconnected from SOHO,
call lasted 2 seconds
*Mar 1 05:02:22.534: %LINK-3-UPDOWN: Interface Serial0:17, changed state to down
*Mar 1 05:02:22.570: RM state:RM_RPM_RES_ALLOCATED event:DIALER_DISCON DS0:0:0:0:17
*Mar 1 05:02:22.574: RM:RPM event call drop
*Mar 1 05:02:22.574: Deallocated resource from res_group isdn-ports
Troubleshooting VPDN Endpoint Problems
The following output from the debug resource-pool command displays that the IP endpoint for the
VPDN group is not reachable:
*Mar 1 05:12:22.330: Se0:21 RM/VPDN/rm-session-request: Allocated vpdn info for domain
NULL MLP Bundle SOHO
*Mar 1 05:12:22.346: RM/VPDN/ACME_VPDN: VP LIMIT/ACTIVE/RESERVED/OVERFLOW are now 5/0/0/0
*Mar 1 05:12:22.350: RM/VPDN/ACME_VPDN: Session reserved for outgoing-2
*Mar 1 05:12:22.382: Se0:21 RM/VPDN: Session has been authorized using
dnis:ACME_dnis_numbers
*Mar 1 05:12:22.386: Se0:21 RM/VPDN/session-reply: NAS name HQ-NAS
*Mar 1 05:12:22.386: Se0:21 RM/VPDN/session-reply: Endpoint addresses 172.16.1.99
*Mar 1 05:12:22.390: Se0:21 RM/VPDN/session-reply: VPDN tunnel protocol l2f
*Mar 1 05:12:22.390: Se0:21 RM/VPDN/session-reply: VPDN Group outgoing-2
*Mar 1 05:12:22.394: Se0:21 RM/VPDN/session-reply: VPDN domain dnis:ACME_dnis_numbers
*Mar 1 05:12:25.762: %ISDN-6-CONNECT: Interface Serial0:21 is now connected to SOHO
*Mar 1 05:12:27.562: %VPDN-5-UNREACH: L2F HGW 172.16.1.99 is unreachable
*Mar 1 05:12:27.578: RM/VPDN: MLP Bundle SOHO Session Connect with 1 Endpoints:
*Mar 1 05:12:27.582: IP 172.16.1.99 Destination unreachable
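The failure signatures from the troubleshooting sections above, from “Troubleshooting DNIS Group Problems” through “Troubleshooting VPDN Endpoint Problems”, collapsed into one script that keys each debug resource-pool line to its channel and reports the diagnosis the text gives for that pattern. This is an added example, not part of the Cisco guide; the trace it runs on is constructed from the outputs shown above.

```python
"""Diagnose 'debug resource-pool' traces by the RPM/VPDN failure they show.

Added example, not from the Cisco guide. The message patterns are the ones
shown in the troubleshooting sections; SAMPLE_TRACE is constructed from those
outputs. Assumption: a line naming no channel (e.g. 'RPM count exceeded in
profile ACME') belongs to the most recently seen channel, as in the traces.
"""
import re
from collections import defaultdict

# The channel appears as DS0:0:0:0:N in RM lines and as Se0:N / Serial0:N in VPDN lines.
CHANNEL = re.compile(r"(?:DS0:0:0:0:|Se0:|Serial0:)(\d+)")

# Decisive messages, checked first, each mapped to the section that explains it.
REASONS = [(re.compile(p), why) for p, why in [
    (r"RPM no profile found for call-type \w+ in \S+ DNIS", "no customer profile for DNIS group"),
    (r"RPM count exceeded in profile \S+", "customer profile limit reached"),
    (r"All resources in res_group \S+ are in use", "resource group exhausted"),
    (r"Session \S+ rejected due to Session Limit", "VPDN profile limit reached"),
    (r"At Multilink Bundle Limit", "VPDN group limit reached"),
    (r"L2F HGW \S+ is unreachable", "VPDN endpoint unreachable"),
    (r"cannot locate a AAA server",
     "VPDN authorization failed: check customer/VPDN profile with debug aaa authorization"),
]]


def verdict(lines):
    """Reduce the lines belonging to one call to a single diagnosis."""
    text = "\n".join(lines)
    for pattern, why in REASONS:
        if pattern.search(text):
            return why
    # 'profile rejected' with no explanation before it is the call discriminator case.
    if "RM:RPM profile rejected" in text:
        return "rejected by call discriminator profile"
    if "Authorization failed" in text:
        return "authorization failed (run debug aaa authorization)"
    if re.search(r"IP \S+ OK", text):
        return "connected"
    return "unknown"


def classify_trace(trace):
    """Group trace lines by channel and return {channel: diagnosis}."""
    per_call = defaultdict(list)
    current = None
    for line in trace.splitlines():
        match = CHANNEL.search(line)
        if match:
            current = int(match.group(1))
        if current is not None:
            per_call[current].append(line)
    return {channel: verdict(lines) for channel, lines in per_call.items()}


# Constructed trace: one or two representative lines per case, taken from the outputs above.
SAMPLE_TRACE = """\
*Mar 1 00:38:21.011: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:3
*Mar 1 00:38:21.103: RPM no profile found for call-type digital in default DNIS number
*Mar 1 00:38:21.155: RM:RPM profile rejected do not allocate resource
*Mar 1 00:35:25.995: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:4
*Mar 1 00:35:26.135: RM:RPM profile rejected do not allocate resource
*Mar 1 00:43:33.275: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:9
*Mar 1 00:43:33.295: RPM count exceeded in profile ACME
*Mar 1 00:52:34.411: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:19
*Mar 1 00:52:34.431: RPM profile ACME found
*Mar 1 00:52:34.459: All resources in res_group isdn-ports are in use
*Mar 1 00:15:53.639: Se0:10 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO
*Mar 1 00:15:53.767: RM/VPDN: MLP Bundle SOHO Session Connect with 1 Endpoints:
*Mar 1 00:15:53.771: IP 172.16.1.9 OK
*Mar 1 03:40:16.483: Se0:15 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO
*Mar 1 03:40:16.515: Se0:15 RM/VPDN/rm-session-request: Authorization failed
*Mar 1 03:40:16.527: %VPDN-6-AUTHORERR: L2F NAS HQ-NAS cannot locate a AAA server for Se0:15 user SOHO
*Mar 1 04:57:53.762: Se0:13 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO
*Mar 1 04:57:53.778: RM/VPDN/ACME_VPDN: Session outgoing-2 rejected due to Session Limit
*Mar 1 05:02:22.314: Se0:17 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO
*Mar 1 05:02:22.362: %VPDN-6-AUTHORFAIL: L2F NAS HQ-NAS, AAA authorization failure for Se0:17 user SOHO; At Multilink Bundle Limit
*Mar 1 05:12:22.330: Se0:21 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO
*Mar 1 05:12:27.562: %VPDN-5-UNREACH: L2F HGW 172.16.1.99 is unreachable
"""

if __name__ == "__main__":
    for channel, why in sorted(classify_trace(SAMPLE_TRACE).items()):
        print(f"channel {channel}: {why}")
```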
Troubleshooting RPMS
In general, the debug aaa authorization command is not used for RPM troubleshooting unless the
debug resource-pool command display is too vague. The debug aaa authorization command is more
useful for troubleshooting with RPMS. Following is sample output:
Router# debug aaa authorization
AAA Authorization debugging is on
Router# show debug
General OS:
AAA Authorization debugging is on
Resource Pool:
resource-pool general debugging is on
The following output from the debug resource-pool and debug aaa authorization commands shows a
successful RPM connection:
*Mar 1 06:10:35.450: AAA/MEMORY: create_user (0x723D24) user='301001'
ruser=''port='DS0:0:0:0:12' rem_addr='102' authen_type=NONE service=NONE priv=0
*Mar 1 06:10:35.462: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907):
Port='DS0:0:0:0:12' list='default' service=RM
*Mar 1 06:10:35.466: AAA/AUTHOR/RM call-accept: DS0:0:0:0:12 (2784758907) user= '301001'
*Mar 1 06:10:35.470: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV
service=resource-management
*Mar 1 06:10:35.470: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV
protocol=call-accept
*Mar 1 06:10:35.474: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV
rm-protocol-version=1.0
*Mar 1 06:10:35.478: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV
rm-nas-state=7513368
*Mar 1 06:10:35.482: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV
rm-call-type=speech
*Mar 1 06:10:35.486: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV
rm-request-type=dial-in
*Mar 1 06:10:35.486: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV
rm-link-type=isdn
*Mar 1 06:10:35.490: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): found list
"default"
*Mar 1 06:10:35.494: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): Method=LOCAL
*Mar 1 06:10:35.498: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907):Received DNIS=301001
*Mar 1 06:10:35.498: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907):Received CLID=102
*Mar 1 06:10:35.502: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907):Received
Port=DS0:0:0:0:12
*Mar 1 06:10:35.506: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV
service=resource-management
*Mar 1 06:10:35.510: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV
protocol=call-accept
*Mar 1 06:10:35.510: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV
rm-protocol-version=1.0
*Mar 1 06:10:35.514: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV
rm-nas-state=7513368
*Mar 1 06:10:35.518: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV
rm-call-type=speech
*Mar 1 06:10:35.522: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV
rm-request-type=dial-in
*Mar 1 06:10:35.526: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV
rm-link-type=isdn
*Mar 1 06:10:35.542: AAA/AUTHOR (2784758907): Post authorization status = PASS_REPL
*Mar 1 06:10:35.546: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
service=resource-management
*Mar 1 06:10:35.550: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
protocol=call-accept
*Mar 1 06:10:35.554: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
rm-protocol-version=1.0
*Mar 1 06:10:35.558: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
rm-response-code=overflow
*Mar 1 06:10:35.558: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
rm-call-handle=47
*Mar 1 06:10:35.562: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
rm-call-count=2
*Mar 1 06:10:35.566: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
rm-cp-name=ACME
*Mar 1 06:10:35.570: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
rm-rg-name#0=MICA-modems
*Mar 1 06:10:35.574: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
rm-rg-service-name#0=gold
*Mar 1 06:10:35.578: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
rm-call-treatment=busy
*Mar 1 06:10:35.582: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV
rm-call-type=speech
Configuration Examples for RPM
The following sections provide RPM configuration examples:
• Standard Configuration for RPM Example
• Customer Profile Configuration for DoVBS Example
• DNIS Discriminator Profile Example
• CLID Discriminator Profile Example
• Direct Remote Services Configuration Example
• VPDN Configuration Example
• VPDN Load Sharing and Backing Up Between Multiple HGW/LNSs Example
Standard Configuration for RPM Example
The following example demonstrates a basic RPM configuration:
resource-pool enable
resource-pool call treatment resource busy
resource-pool call treatment profile no-answer
!
resource-pool group resource isdn-ports
range limit 46
resource-pool group resource MICA-modems
range port 1/0 2/23
!
resource-pool profile customer ACME
limit base-size 30
limit overflow-size 10
resource isdn-ports digital
resource MICA-modems speech service gold
dnis group ACME_dnis_numbers
!
resource-pool profile customer DEFAULT
limit base-size 10
resource MICA-modems speech service silver
dnis group default
resource-pool profile discriminator deny_DNIS
call-type digital
dnis group bye-bye
!
resource-pool profile service gold
modem min-speed 33200 max-speed 56000 modulation v90
resource-pool profile service silver
modem min-speed 19200 max-speed 33200 modulation v34
!
resource-pool aaa protocol local
!
dialer dnis group ACME_dnis_numbers
number 301001
dialer dnis group bye-bye
number 301005
Tips
• Replace the command string resource isdn-ports digital in the previous example with resource
isdn-ports speech to set up DoVBS. See the section, “Customer Profile Configuration for
DoVBS Example,” for more information.
• Digital calls to 301001 are associated with the customer ACME by using the resource group
“isdn-ports.”
• Speech calls to 301001 are associated with the customer ACME by using the resource group
“mica-modems” and allow for V.90 connections (anything less than V.90 is also allowed).
• Digital calls to 301005 are denied.
• All other speech calls to any other DNIS number are associated with the customer profile
“DEFAULT” by using the resource group “mica-modems” and allow for V.34 connections (anything
more than V.34 is not allowed; anything less than V.34 is also allowed).
• All other digital calls to any other DNIS number are not associated with a customer profile and are
therefore not allowed.
• The customer profile named “DEFAULT” serves as the default customer profile for speech calls
only. If the solution uses an external RPMS server, this same configuration can be used for backup
resource pooling if communication is lost between the NAS and the RPMS.
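The Tips above can be checked by walking calls through a small model of the standard configuration. This is an added example, not Cisco code or a description of IOS internals; it assumes that the “default” DNIS group matches numbers listed in no configured group and that calls admitted beyond base-size are counted as overflow.

```python
"""Walk calls through the 'Standard Configuration for RPM Example' above.

Added example, not Cisco code: it models the decision order the Tips describe
(discriminator, customer profile by DNIS group and call type, profile limits,
resource group capacity) so each Tip can be checked by running a call. Only the
treatments the configuration names (profile no-answer, resource busy) are
modelled; counting calls beyond base-size as 'overflow' is an assumption.
"""
from dataclasses import dataclass


@dataclass
class ResourceGroup:
    name: str
    capacity: int        # 'range limit 46', or the port count of 'range port 1/0 2/23'
    in_use: int = 0


@dataclass
class CustomerProfile:
    name: str
    dnis_group: str
    base_size: int
    overflow_size: int
    resources: dict      # call type -> (resource group, service profile or None)
    active: int = 0


class ResourcePool:
    def __init__(self, dnis_groups, discriminators, groups, profiles, treatment):
        self.dnis_groups = dnis_groups        # name -> set of DNIS numbers
        self.discriminators = discriminators  # (name, call type, dnis group)
        self.groups = {g.name: g for g in groups}
        self.profiles = profiles
        self.treatment = treatment            # 'resource-pool call treatment ...'

    def in_dnis_group(self, group, dnis):
        # Assumption: 'dnis group default' matches any number not in a configured group.
        if group == "default":
            return not any(dnis in nums for nums in self.dnis_groups.values())
        return dnis in self.dnis_groups.get(group, set())

    def route_call(self, dnis, call_type):
        """Return (outcome, detail) for an incoming call and update the counters."""
        for name, ctype, group in self.discriminators:
            if ctype == call_type and self.in_dnis_group(group, dnis):
                return "denied", f"discriminator {name}"
        profile = next((p for p in self.profiles
                        if self.in_dnis_group(p.dnis_group, dnis) and call_type in p.resources),
                       None)
        if profile is None:
            return "rejected", (f"no profile for call-type {call_type}; "
                                f"treatment {self.treatment['profile']}")
        if profile.active >= profile.base_size + profile.overflow_size:
            return "rejected", f"count exceeded in profile {profile.name}"
        group_name, service = profile.resources[call_type]
        group = self.groups[group_name]
        if group.in_use >= group.capacity:
            return "rejected", (f"all resources in res_group {group_name} in use; "
                                f"treatment {self.treatment['resource']}")
        group.in_use += 1
        profile.active += 1
        tier = "overflow" if profile.active > profile.base_size else "base"
        detail = f"{profile.name}/{group_name} {tier}"
        return "allocated", detail + (f" service {service}" if service else "")

    def release_call(self, profile_name, group_name):
        """Counterpart of 'Deallocated resource from res_group ...' when a call drops."""
        self.groups[group_name].in_use -= 1
        next(p for p in self.profiles if p.name == profile_name).active -= 1


def standard_config():
    """Fresh pool transcribed from the configuration example."""
    return ResourcePool(
        dnis_groups={"ACME_dnis_numbers": {"301001"}, "bye-bye": {"301005"}},
        discriminators=[("deny_DNIS", "digital", "bye-bye")],
        groups=[ResourceGroup("isdn-ports", 46), ResourceGroup("MICA-modems", 48)],
        profiles=[
            CustomerProfile("ACME", "ACME_dnis_numbers", 30, 10,
                            {"digital": ("isdn-ports", None), "speech": ("MICA-modems", "gold")}),
            CustomerProfile("DEFAULT", "default", 10, 0,
                            {"speech": ("MICA-modems", "silver")}),
        ],
        treatment={"resource": "busy", "profile": "no-answer"},
    )


if __name__ == "__main__":
    pool = standard_config()
    for call in [("301001", "digital"), ("301001", "speech"), ("301005", "digital"),
                 ("5551234", "speech"), ("5551234", "digital")]:
        print(call, "->", pool.route_call(*call))
```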
Customer Profile Configuration for DoVBS Example
To allow ISDN calls with a speech bearer capability to be directed to digital resources, make the
following change (the resource isdn-ports speech line) to the configuration shown in the previous
section, “Standard Configuration for RPM Example”:
resource-pool profile customer ACME
limit base-size 30
limit overflow-size 10
resource isdn-ports speech
dnis group ACME_dnis_numbers
This change causes ISDN speech calls (in addition to ISDN digital calls) to be directed to the resource
“isdn-ports”; thus, ISDN speech calls provide DoVBS.
DNIS Discriminator Profile Example
The following is a sample configuration for a DNIS discriminator. It shows how to enable resource pool
management, configure a customer profile, create DNIS groups, and add numbers to the DNIS groups.
aaa new-model
!
! Enable resource pool management
resource-pool enable
!
resource-pool group resource digital
range limit 20
!
! Configure customer profile
resource-pool profile customer cp1
limit base-size all
limit overflow-size 0
resource digital digital
dnis group ok
!
!
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback1
ip address 192.168.0.0 255.255.255.0
!
interface Serial0:23
ip unnumbered Loopback1
encapsulation ppp
ip mroute-cache
dialer-group 1
isdn switch-type primary-5ess
no peer default ip address
ppp authentication chap
!
! Configure DNIS groups
dialer dnis group blot
number 5552003
number 3456789
number 2345678
number 1234567
!
dialer dnis group ok
number 89898989
number 5551003
!
dialer-list 1 protocol ip permit
CLID Discriminator Profile Example
The following is a sample configuration of a CLID discriminator. It shows how to enable resource pool
management, configure resource groups, configure customer profiles, configure CLID groups and DNIS
groups, and add them to discriminator profiles.
version xx.x
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco-machine
!
aaa new-model
aaa authentication login djm local
!
username eagle password ***
username infiniti password ***
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
firmware location system:/ucode/mica_port_firmware
!
! Enable resource pool management
resource-pool enable
!
! Configure resource groups
resource-pool group resource digital
range limit 20
!
! Configure customer profiles
resource-pool profile customer cp1
limit base-size all
limit overflow-size 0
resource digital digital
dnis group ok
!
! Configure discriminator profiles
resource-pool profile discriminator baadaabing
call-type digital
clid group stompIt
!
resource-pool profile discriminator baadaaboom
call-type digital
clid group splat
!
ip subnet-zero
!
isdn switch-type primary-5ess
chat-script dial ABORT BUSY "" AT OK "ATDT \T" TIMEOUT 30 CONNECT \c
!
!
mta receive maximum-recipients 0
partition flash 2 8 8
!
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
shutdown
clock source line secondary 1
!
controller T1 2
shutdown
clock source line secondary 2
!
controller T1 3
shutdown
clock source line secondary 3
!
controller T1 4
shutdown
clock source line secondary 4
!
controller T1 5
shutdown
clock source line secondary 5
!
controller T1 6
shutdown
clock source line secondary 6
!
controller T1 7
shutdown
clock source line secondary 7
!
interface Loopback0
ip address 192.168.12.1 255.255.255.0
!
interface Loopback1
ip address 192.168.15.1 255.255.255.0
!
interface Loopback2
ip address 192.168.17.1 255.255.255.0
!
interface Ethernet0
ip address 10.0.39.15 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Serial0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2
no ip address
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial0:23
ip unnumbered Loopback1
encapsulation ppp
ip mroute-cache
dialer-group 1
isdn switch-type primary-5ess
no peer default ip address
ppp authentication chap pap
!
interface FastEthernet0
ip address 10.0.38.15 255.255.255.0
no ip route-cache
no ip mroute-cache
duplex half
speed 100
!
!
ip local pool default 192.168.13.181 192.168.13.226
ip classless
ip route 172.25.0.0 255.0.0.0 Ethernet0
ip route 172.19.0.0 255.0.0.0 Ethernet0
no ip http server
!
!
! Configure DNIS groups
dialer dnis group blot
number 4085551003
number 5552003
number 2223333
number 3456789
number 2345678
number 1234567
!
dialer dnis group ok
number 89898989
number 4084442002
number 4085552002
number 5551003
!
dialer clid group splat
number 12321224
!
! Configure CLID groups
dialer clid group zot
number 2121212121
number 4085552002
!
dialer clid group snip
number 1212121212
!
dialer clid group stompIt
number 4089871234
!
dialer clid group squash
number 5656456
dialer-list 1 protocol ip permit
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
transport input none
line 1 96
no exec
exec-timeout 0 0
autoselect ppp
line aux 0
line vty 0 4
exec-timeout 0 0
transport input none
!
scheduler interval 1000
end
Direct Remote Services Configuration Example
The following example shows a direct remote services configuration:
resource-pool profile customer ACME
limit base-size 30
limit overflow-size 10
resource isdn-ports digital
resource MICA-modems speech service gold
dnis group ACME_dnis_numbers
aaa group-configuration tahoe
source template acme_direct
!
resource-pool profile customer DEFAULT
limit base-size 10
resource MICA-modems speech service silver
dnis group default
resource-pool profile discriminator deny_DNIS
call-type digital
dnis group bye-bye
!
resource-pool profile service gold
modem min-speed 33200 max-speed 56000 modulation v90
resource-pool profile service silver
modem min-speed 19200 max-speed 33200 modulation v34
!
resource-pool aaa protocol local
!
template acme_direct
peer default ip address pool tahoe
ppp authentication chap isdn-users
ppp multilink
!
dialer dnis group ACME_dnis_numbers
number 301001
dialer dnis group bye-bye
number 301005
VPDN Configuration Example
Adding the following commands to those listed in the section “Standard Configuration for RPM
Example” earlier in this chapter allows you to use VPDN by setting up a VPDN profile and a VPDN
group:
Note If the limits imposed by the VPDN profile are not required, do not configure the VPDN profile.
Replace the vpdn profile ACME_VPDN command under the customer profile ACME with the vpdn
group outgoing-2 command.
resource-pool profile vpdn ACME_VPDN
limit base-size 6
limit overflow-size 0
vpdn group outgoing-2
!
resource-pool profile customer ACME
limit base-size 30
limit overflow-size 10
resource isdn-ports digital
resource MICA-modems speech service gold
dnis group ACME_dnis_numbers
!
vpdn profile ACME_VPDN
!
vpdn enable
!
vpdn-group outgoing-2
request dialin
protocol l2f
dnis ACME_dnis_numbers
local name HQ-NAS
initiate-to ip 172.16.1.9
multilink bundle 1
multilink link 2
!
dialer dnis group ACME_dnis_numbers
number 301001
VPDN Load Sharing and Backing Up Between Multiple HGW/LNSs Example
Cisco IOS software enables you to balance and back up VPDN sessions across multiple tunnel endpoints
(HGW/LNS). When a user or session comes into the NAS/LAC, a VPDN load-balancing algorithm is
triggered and applied to the call. The call is then passed to an available HGW/LNS. You can modify this
function by limiting the number of sessions supported on an HGW/LNS router and limiting the number
of MLP bundles and links.
Figure 109 shows an example of one NAS/LAC that directs calls to two HGW/LNS routers by using the
L2TP tunneling protocol. Each router has a different number of supported sessions and works at a
different speed. The NAS/LAC is counting the number of active simultaneous sessions sent to each
HGW/LNS.
Figure 109 Home Gateway Load Sharing and Backup
In a standalone NAS environment (no RPMS server used), the NAS has complete knowledge of the status
of tunnel endpoints. Balancing across endpoints is done by a “least-filled tunnel” or a “next-available
round robin” approach. In an RPMS-controlled environment, RPMS has the complete knowledge of
tunnel endpoints. However, the NAS still has the control over those tunnel endpoints selected by RPMS.
A standalone NAS uses the following default search criteria for load-balancing traffic across multiple
endpoints (HGW/LNS):
• Select any idle endpoint—an HGW/LNS with no active sessions.
• Select an active endpoint that currently has a tunnel established with the NAS.
• If all specified load-sharing routers are busy, select the backup HGW. If all endpoints are busy,
report that the NAS cannot find an IP address to establish the call.
Note These default search criteria are independent of the Cisco RPMS application scenario. A
standalone NAS uses a different load-sharing algorithm than the Cisco RPMS. These search criteria
will change as future enhancements become available.
[Figure 109 (image not reproduced): an AS5000 series NAS reached over the PSTN (POTS line, BRI line, PRI; Modem, Cisco 776, PC), with two L2TP tunnels across the IP network to a Cisco 7246 home gateway (200 sessions) and a Cisco 3640 home gateway (50 sessions).]
The following is an example of VPDN load sharing between multiple HGW/LNSs:
vpdn enable
!
vpdn-group outgoing-2
request dialin
protocol l2tp
dnis ACME_dnis_numbers
local name HQ-NAS
initiate-to ip 172.16.1.9
loadsharing ip 172.16.1.9 limit 200
loadsharing ip 172.16.2.17 limit 50
backup ip 172.16.3.22
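The default search order described above (idle endpoint, then an active endpoint with an established tunnel, then the backup HGW) applied to the vpdn-group outgoing-2 example, as an added example that is not Cisco's implementation. It assumes an endpoint is busy once it reaches its configured session limit, that the backup HGW has no limit because none is configured, and that step 2 uses the next-available round-robin variant.

```python
"""Default endpoint search order of a standalone NAS for VPDN load sharing.

Added example, not Cisco's implementation. Endpoints and limits are those of
the vpdn-group outgoing-2 example: loadsharing 172.16.1.9 limit 200,
172.16.2.17 limit 50, backup 172.16.3.22. Assumptions: an endpoint is 'busy'
when it has reached its session limit, the backup HGW has no limit (none is
configured), and step 2 uses the next-available round-robin variant.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    ip: str
    limit: Optional[int]     # None when no 'limit' keyword is configured
    active: int = 0          # sessions this NAS/LAC has sent to the HGW/LNS
    tunnel_up: bool = False  # a tunnel to it is currently established

    def busy(self):
        return self.limit is not None and self.active >= self.limit


class VpdnGroup:
    def __init__(self, loadsharing, backup):
        self.loadsharing = loadsharing
        self.backup = backup
        self._next = 0       # round-robin cursor for step 2

    def select_endpoint(self):
        """Apply the default search criteria; None means no IP address could be found."""
        # 1. Any idle endpoint (no active sessions).
        for ep in self.loadsharing:
            if ep.active == 0:
                return ep
        # 2. An active endpoint with an established tunnel, next available in round-robin order.
        count = len(self.loadsharing)
        for i in range(count):
            ep = self.loadsharing[(self._next + i) % count]
            if ep.tunnel_up and not ep.busy():
                self._next = (self._next + i + 1) % count
                return ep
        # 3. All load-sharing routers busy: fall back to the backup HGW.
        return None if self.backup.busy() else self.backup

    def place_session(self):
        """Send a new session to the selected endpoint and return its IP, or None."""
        ep = self.select_endpoint()
        if ep is None:
            return None
        ep.active += 1
        ep.tunnel_up = True
        return ep.ip

    def release_session(self, ip):
        """A session ended; an endpoint with no sessions left is idle again (assumed: tunnel down)."""
        for ep in self.loadsharing + [self.backup]:
            if ep.ip == ip:
                ep.active -= 1
                ep.tunnel_up = ep.active > 0


def outgoing_2():
    """Fresh group matching the configuration example above."""
    return VpdnGroup([Endpoint("172.16.1.9", 200), Endpoint("172.16.2.17", 50)],
                     Endpoint("172.16.3.22", None))


if __name__ == "__main__":
    group = outgoing_2()
    print([group.place_session() for _ in range(4)])  # alternates between the two HGWs
```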
Configuring Wholesale Dial Performance Optimization
This chapter describes the Wholesale Dial Performance Optimization feature in the following sections:
• Wholesale Dial Performance Optimization Feature Overview
• How to Configure Automatic Command Execution
• How to Configure TCP Clear Performance Optimization
• Verifying Configuration of TCP Clear Performance Optimization
Note This task provides inbound and outbound performance optimization for wholesale dial customers
who provide ports to America Online (AOL). It is configured only on Cisco AS5800 access servers.
Wholesale Dial Performance Optimization Feature Overview
Both the inbound and outbound aspects of this feature are enabled using the autocommand-options
telnet-faststream command.
• Outbound—Provides stream processing, allowing the output data processing to occur at the interrupt
level. Being event driven, this removes polling and process switching overhead. In addition, the flow
control algorithm is enhanced to handle the higher volume of traffic and to eliminate some
out-of-resource conditions that could result in abnormal termination of the session.
• Inbound—Provides stream processing with the same improvements as for outbound traffic. Also, it
removes scanning for special escape characters in the data stream; this is very process-intensive and
is not required for this application. (In other situations, the escape characters allow for a return to
the privileged EXEC mode prompt (#) on the router.) In addition, Nagle’s algorithm is used to form
the inbound data stream into larger packets, thus minimizing packet-processing overhead.
This configuration is designed to provide more efficiency in the data transfers for AOL port suppliers
who are using a Cisco network access server to communicate with a wholesale dial carrier.
The Cisco AS5800 access server is required to support all dial-in lines supported by two complete T3
connections (that is, 1344 connections) running TCP Clear connections to an internal host. The desired
average data throughput for these connections is 6 kbps outbound and 3 kbps inbound.
When using the autocommand-options telnet-faststream command, no special character processing,
including break recognition, is performed on incoming data from the dial shelf. This requires the TCP
Clear connection to run as the sole connection on the TTY line. This sole connection is terminated by
TTY line termination or TCP connection termination, with no EXEC session capability for the user. This
has been implemented by specifying a new autocommand-options telnet-faststream command that, in
conjunction with the autocommand telnet command with the /stream option, enables Telnet faststream
processing. This capability is also available for TACACS/RADIUS attribute-value pair processing,
because this processing uses the autocommand facility.
How to Configure Automatic Command Execution
The following are three options for configuring the autocommand telnet /stream line configuration
command:
• Automatic command execution can be configured on the lines.
• Automatic command execution can be configured using user ID and password.
• Automatic command execution can also be configured at a TACACS/RADIUS server, if the
username authentication is to be performed there, rather than on the router.
To configure automatic command execution on the lines of a Cisco AS5800 universal network access
server, use the following commands beginning in global configuration mode:
Command                                                                   Purpose
Step 1  Router(config)# line 1/3/00 1/11/143                              Selects the lines to be configured and begins line configuration mode.
Step 2  Router(config-line)# autocommand telnet aol-host 5190 /stream     Configures autocommand on the lines.
To configure automatic command execution using a user ID and password on a Cisco AS5800 universal
network access server, use the following commands beginning in global configuration mode:
Command                                                                   Purpose
Step 1  Router(config)# username aol password aol                         Defines the user ID and password.
Step 2  Router(config)# username aol autocommand telnet aol-host 5190 /stream   Configures autocommand on the user ID.
You can also configure automatic command execution at a TACACS/RADIUS server if the username
authentication is to be performed there rather than on the router. The AV-pair processing allows
autocommand to be configured.
How to Configure TCP Clear Performance Optimization
To enable TCP Clear performance optimization, automatic command execution must be configured to
enable Telnet faststream capability. To implement TCP Clear performance optimization on a Cisco
AS5800 universal network access server, use the following commands beginning in global configuration
mode:
Configuring Wholesale Dial Performance Optimization
Verifying Configuration of TCP Clear Performance Optimization
DC-781
Cisco IOS Dial Technologies Configuration Guide
Verifying Configuration of TCP Clear Performance Optimization
To check for correct configuration, use the show line command. In the following example, Telnet
faststream is enabled under “Capabilities”.
Router# show line 1/4/00
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 1/4/00 Digital modem - inout - - - 1 0 0/0 -
Line 1/4/00, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Status: PSI Enabled, Ready, Connected, Active, No Exit Banner
Modem Detected
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
Modem Callout, Modem RI is CD, Line usable as async interface
Hangup on Last Close, Modem Autoconfigure, Telnet Faststream
Modem state: Ready
Modem hardware state: CTS DSR DTR RTS
modem=1/4/00, vdev_state(0x00000000)=CSM_OC_STATE, bchan_num=(T1 1/2/0:7:20)
vdev_status(0x00000001): VDEV_STATUS_ACTIVE_CALL.
Group codes: 0, Modem Configured
Special Chars: Escape Hold Stop Start Disconnect Activation
^^x none - - none
Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
never never none not set
Idle Session Disconnect Warning
never
Login-sequence User Response
00:00:30
Autoselect Initial Wait
not set
Modem type is 9600.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed transports are telnet. Preferred is lat.
Automatically execute command "telnet 10.100.254.254 2145 /stream"
No output characters are padded
Command Purpose
Step 1 Router(config)# line 1/3/00 1/11/143 Selects the lines to be configured and begins line
configuration mode.
Step 2 Router(config-line)# autocommand
telnet-faststream
Enables the TCP Clear performance optimization on the
selected lines.
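Checking one line by eye is fine; checking a whole dial shelf is not. The script below is an added example written for this page, not Cisco code: it parses show line output, collects the Capabilities list and the automatically executed command, and reports a TTY that has the autocommand telnet ... /stream without the Telnet Faststream capability (the combination the TCP Clear optimization needs). The first sample is built from the show line 1/4/00 listing above; the second is a constructed listing for a hypothetical line 1/4/01 that received the autocommand but not autocommand-options telnet-faststream.

```python
"""Audit `show line` output for the TCP Clear performance optimization.

Added example, not Cisco IOS code. A TTY is correctly set up when it has
both an autocommand `telnet <host> <port> /stream` and the Telnet
Faststream capability; the functions below extract both from the text
and report what is missing."""
import re

# Sample 1: constructed from the guide's `show line 1/4/00` listing
# (abridged to the parts the parser reads).
SHOW_LINE_OK = """\
Router# show line 1/4/00
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
*  1/4/00 Digital modem - inout     -    -    -     1      0     0/0      -
Line 1/4/00, Location: "", Type: ""
Status: PSI Enabled, Ready, Connected, Active, No Exit Banner
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
  Modem Callout, Modem RI is CD, Line usable as async interface
  Hangup on Last Close, Modem Autoconfigure, Telnet Faststream
Modem state: Ready
Allowed transports are telnet. Preferred is lat.
Automatically execute command "telnet 10.100.254.254 2145 /stream"
No output characters are padded
"""

# Sample 2: constructed (hypothetical) line that got `autocommand telnet
# ... /stream` but never `autocommand-options telnet-faststream`.
SHOW_LINE_NO_FASTSTREAM = """\
Router# show line 1/4/01
Line 1/4/01, Location: "", Type: ""
Status: PSI Enabled, Ready
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
  Modem Callout, Modem RI is CD, Line usable as async interface
Modem state: Ready
Automatically execute command "telnet 10.100.254.254 2145 /stream"
"""

_KEY_LINE = re.compile(r"^\S[^:]*:")          # e.g. "Modem state: Ready" ends a block
_AUTOCMD = re.compile(r'Automatically execute command "([^"]*)"')


def parse_show_line(text):
    """Return {'tty', 'capabilities', 'autocommand'} from one show line listing."""
    info = {"tty": None, "capabilities": [], "autocommand": None}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r"Line (\S+),", line)
        if m:
            info["tty"] = m.group(1)
        if line.startswith("Capabilities:"):
            # The capability list wraps onto following lines until the
            # next "Key: value" line; join the pieces and split on commas.
            parts = [line[len("Capabilities:"):]]
            i += 1
            while i < len(lines) and not _KEY_LINE.match(lines[i]):
                parts.append(lines[i])
                i += 1
            info["capabilities"] = [c.strip() for c in ",".join(parts).split(",") if c.strip()]
            continue
        m = _AUTOCMD.search(line)
        if m:
            info["autocommand"] = m.group(1)
        i += 1
    return info


def check_tcp_clear(info):
    """Return (ok, problems) for one parsed line."""
    problems = []
    words = (info["autocommand"] or "").split()
    if not (words[:1] == ["telnet"] and "/stream" in words):
        problems.append("no 'autocommand telnet <host> <port> /stream'")
    if "Telnet Faststream" not in info["capabilities"]:
        problems.append("Telnet Faststream missing: add 'autocommand-options telnet-faststream'")
    return (not problems, problems)


def audit(listings):
    """Map each TTY name to its problem list; an empty list means the line is OK."""
    report = {}
    for text in listings:
        info = parse_show_line(text)
        report[info["tty"]] = check_tcp_clear(info)[1]
    return report


if __name__ == "__main__":
    for tty, problems in audit([SHOW_LINE_OK, SHOW_LINE_NO_FASTSTREAM]).items():
        print(tty, "OK" if not problems else "; ".join(problems))
```

Feed audit() the output of show line for every modem line in the range you configured (1/3/00 through 1/11/143 in the examples above); a line that reports the autocommand but not the capability will accept the call but still run the full special-character processing, which is exactly the overhead the optimization is meant to remove.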
Dial Access Scenarios
Dial Networking Business Applications
This chapter provides an introduction to common dial networking scenarios used by service providers
and enterprises and includes the following sections:
• Dial Networking for Service Providers and Enterprises
• Common Dial Applications
• IP Address Strategies
Providing dial access means setting up one or more access servers or routers to allow on-demand
connectivity for individual remote nodes or remote offices. The dial network solutions described in this
chapter are based on business case scenarios. Depending on your business application, dial access has
different implementations.
Dial Networking for Service Providers and Enterprises
Service providers tend to supply public and private dial-in services for businesses or individual home
users. Enterprises tend to provide private dial-in access for employees dialing in from remote LANs
(such as a remote office) or individual remote nodes (such as a telecommuter). Additionally, there are
hybrid forms of dial access—virtual private dialup networks (VPDNs)—that are jointly owned,
operated, and set up by both service providers and enterprises.
Figure 110 displays a common dial topology used by an Internet service provider (ISP). The central
dial-in site is owned and controlled by the ISP, which accepts only dial-in calls. Enterprises and individual
remote clients have no administrative control over the point of presence (POP) of the ISP.
Note Many additional dial network strategies exist for different business applications. This overview is
intended to provide only a sample of the most common dial business needs as experienced by the
Cisco dial escalation team.
Figure 110 Sample Dial Network for an ISP
[Figure 110 (diagram): an Internet service provider for remote nodes and remote LANs, providing Internet
access; an ISDN or analog network provided by the telephone company; a large business LAN dialing in
to the Internet; a standalone remote node dialing in to the Internet.]
Enterprises can provide bidirectional access services with remote LANs and one-way dial-in access for
standalone remote nodes. Bidirectional access means that remote LANs can dial in to the enterprise, and
the enterprise can dial out to the remote LANs. A remote LAN can be a large remote office or a small
home office. A standalone remote node can be an individual PC that is dynamically assigned an IP
address from the modem pool of the enterprise. In most cases, an enterprise has complete administrative
control over its local and remote devices. (See Figure 111.)
Figure 111 Sample Dial Network for an Enterprise
[Figure 111 (diagram): corporate headquarters, with enterprise resources such as file servers and e-mail
hosts, dialing out to remote offices and allowing dial-in from remote nodes and home offices over an
ISDN or analog network provided by the telephone company; a home office dialing in to headquarters
with a Cisco 766, Cisco 1600 series, or terminal adapter; a remote node telecommuter dialing in to
headquarters; a remote office using a Cisco 4500 series dialing in to headquarters; headquarters dialing
out to a remote office.]
Service providers and enterprises both benefit from a hybrid dial solution called VPDN. Service
providers offer virtually private access to enterprises by providing the dial-in access devices for the
enterprise to use (for example, access servers and modem pools). In this solution, service providers
construct the networking fabric for city-to-city dial connectivity for the enterprise. Enterprises provide
only a home gateway router (with no attached modems) and a WAN connection to their service provider.
VPDN dial solutions enable the enterprise to continue to maintain complete administrative control over
its remote locations and network resource privileges. (See Figure 112.)
Figure 112 Sample VPDN for Service Providers and Enterprises
[Figure 112 (diagram): a service provider leasing access servers and large modem pools out to enterprise
customers, reached over an ISDN or analog network provided by the telephone company (links labelled
PRI, BRI, analog, T3 and HSSI); a telecommuter making a modem call in to cisco.com, and a terminal
adapter; an IP network (T1 and ATM links) to three enterprise home gateways, each shown with a
firewall: a Cisco 4500 home gateway for 0com.com, a Cisco 7200 home gateway for cisco.com, and a
Cisco 2501 home gateway for descend.com.]
Common Dial Applications
The hardware and software configuration designs for dial networks are derived from business operations
needs. This section describes several of the most common business dial scenarios that Cisco Systems is
supporting for basic IP and security services.
Refer to the scenario that best describes your business or networking needs:
• The following dial scenarios are commonly used by service providers. For detailed description and
configuration information, see the chapter “Telco and ISP Dial Scenarios and Configurations” later
in this manual.
– Scenario 1, Small- to Medium-Scale POPs
(one or two access servers at the central dial-in site)
– Scenario 2, Large-Scale POPs
(more than two access servers at the central dial-in site, Multichassis Multilink PPP or MMP)
– Scenario 3, PPP Calls over X.25 Networks
• The following dial scenarios are commonly used by enterprises. For detailed description and
configuration information, see the chapter “Enterprise Dial Scenarios and Configurations.”
– Scenario 1, Remote Offices and Telecommuters Dialing In to a Central Site
– Scenario 2, Bidirectional Dial Between Central Sites and Remote Offices
– Scenario 3, Telecommuters Dialing In to a Mixed Protocol Environment
IP Address Strategies
Exponential growth in the remote access router market has created new addressing challenges for ISPs
and enterprise users. Companies that use dial technologies seek addressing solutions that will:
• Minimize Internet access costs for remote offices
• Minimize configuration requirements on remote access routers
• Enable transparent and dynamic IP address allocation for hosts in remote environments
• Improve network security capabilities at each remote small office, home office site
• Conserve registered IP addresses
• Maximize IP address manageability
Remote networks have variable numbers of end systems that need access to the Internet; therefore, some
ISPs are interested in allocating just one IP address to each remote LAN.
In enterprise networks where telecommuter populations are increasing in number, network
administrators need solutions that ease configuration and management of remote routers and provide
conservation and dynamic allocation of IP addresses within their networks. These solutions are
especially important when network administrators implement large dial-up user pools where ISDN plays
a major role.
Choosing an Addressing Scheme
Use an IP addressing scheme that is appropriate for your business scenario as described in the following
sections:
• Classic IP Addressing
• Cisco Easy IP
Additionally, here are some addressing issues to keep in mind while you evaluate different IP address
strategies:
• How many IP addresses do you need?
• Do you want remote clients to dial in to your network and connect to server-based services, which
require statically assigned IP addresses?
• Is your primary goal to provide Internet services to a network (for example, surfing the web,
downloading e-mail, using TCP/IP applications)?
• Can you conduct business with only a few registered IP addresses?
• Do you need a single contiguous address space, or can you function with two non-contiguous
address spaces?
Classic IP Addressing
This section describes two classic IP addressing strategies that you can use to set up dial-in access.
Classic IP addresses are statically or dynamically assigned from your network to each site router or
dial-in client. The IP address strategy you use depends on whether you are allowing remote LANs or
individual remote clients to dial in.
A remote LAN usually consists of a single router at the gateway followed by multiple nodes such as 50
PCs. The IP address on the gateway router is fixed or statically assigned (for example, 10.3.3.3). This
device always uses the address 10.3.3.3 to dial in to the enterprise or service provider network. There is
also a segment or subnet associated with the gateway router (for example, 10.2.1.0 255.255.255.0),
which is defined by the dial-in security server.
For individual remote clients dialing in, a specific range or pool of IP addresses is defined by the gateway
access server and dynamically assigned to each node. When a remote node dials in, it receives an address
from the specified address pool. This pool of addresses usually resides locally on the network access
server, whereas the remote LANs have predefined or statically assigned addresses. The accompanying
subnet is usually statically assigned too. (See Figure 113.)
Figure 113 Classic IP Address Allocation
[Figure 113 (diagram): laptops 10.1.1.1 and 10.1.1.2 dialing over the ISDN or analog network into a
Cisco AS5200 (PRI) at headquarters, which assigns their addresses from a local address pool
10.1.1.1 through 10.1.1.5; a Cisco 760 (user "760") with two PCs dialing in over BRI with the static
address 10.3.3.3 and the subnet 10.2.1.0 255.255.255.0 behind it; a TACACS+ server at headquarters.]
Here are some advantages and disadvantages of manually assigning IP addresses:
• Advantages
– Web servers or X servers can be stationed at remote locations.
– Since addresses are members of your network, they are perfectly transparent.
• Disadvantages
– IP address assignments can be difficult to administer or manage. You may also need to use
complicated subnetting configurations.
– Statically assigned IP addresses use up precious address space.
– Strong routing configuration skills are usually required.
Cisco Easy IP
Two of the key problems facing the Internet are depletion of IP address space and scaling in routing. The
Cisco Easy IP feature combines Network Address Translation (NAT) and PPP/Internet Protocol Control
Protocol (IPCP). This feature enables a Cisco router to automatically negotiate its own registered WAN
interface IP address from a central server and allows all remote hosts to access the global Internet using
this single registered IP address. Because Cisco Easy IP uses existing port-level multiplexed NAT
functionality within the Cisco IOS software, IP addresses on the remote LAN are invisible to the
Internet.
Cisco Easy IP Component Technologies
Cisco Easy IP solution is a scalable, standards-based, “plug-and-play” solution that comprises a
combination of the following technologies:
• NAT—Described in RFC 1631. NAT operates on a router that usually connects two or more
networks together. Using Cisco Easy IP, at least one of these networks (designated as “inside” or
“LAN”) is addressed with private (RFC 1918) addresses that must be converted into a registered
address before packets are forwarded onto the other registered network (designated as “outside” or
“WAN”). Cisco IOS software provides the ability to define one-to-one translations (NAT) as well as
many-to-one translations (Port Address Translation [PAT]). Within the context of Cisco Easy IP,
PAT is used to translate all internal private addresses to a single outside registered IP address.
• PPP/IPCP—Defined in RFC 1332. This protocol enables users to dynamically configure IP
addresses over PPP. A Cisco Easy IP router uses PPP/IPCP to dynamically negotiate its own WAN
interface address from a central access server or DHCP server.
Figure 114 shows an example of how Cisco Easy IP works. A range of registered or unregistered IP
addresses are used inside a company’s network. When a dial-up connection is initiated by an internal
node, the router uses the Cisco Easy IP feature to rewrite the IP header belonging to each packet and
translate the private address into the dynamically assigned and registered IP address, which could be
borrowed from a service provider.
Figure 114 Translating and Borrowing IP Addresses
[Figure 114 (diagram): two PCs, 10.0.0.2 and 10.0.0.3, on the inside of the Easy IP router, whose inside
interface is 10.0.0.1; an ISDN BRI to the ISDN network and the service provider network, where a DHCP
server supplies the outside registered address 172.29.2.1 borrowed from the service provider. NAT table:
    Inside IP Address    Outside Address
    10.0.0.2             172.29.2.1:4011
    10.0.0.3             172.29.2.1:4012 ]
For a more detailed description of how Cisco Easy IP works, see the chapter “Configuring Cisco Easy
IP.”
Key Benefits of Using Cisco Easy IP
The Cisco Easy IP feature provides the following benefits:
• Reduces Internet access costs by using dynamically allocated IP addresses. Using dynamic IP
address negotiation (PPP/IPCP) at each remote site substantially reduces Internet access costs.
Static IP addresses cost more to purchase compared to dynamically allocated or rented IP addresses.
Cisco Easy IP enables you to rent IP addresses. In addition, dynamically assigned IP addresses save
you the time and money associated with subnet mask configuration tasks on hosts, and eliminate the
need to reconfigure host IP addresses when moving from network to network.
• Simplifies IP address management. Cisco Easy IP enables ISPs to allocate a single registered IP
address to each remote LAN. Because only a single registered IP address is required to provide
global Internet access to all users on an entire remote LAN, customers and ISPs can use their
registered IP addresses more efficiently.
• Conserves registered IP addresses. Suppose you want to connect to the Internet, but not all your
hosts have globally unique IP addresses. NAT enables private IP internetworks that use
nonregistered or overlapping IP addresses to connect to the Internet. NAT is configured on the router
at the border of a stub domain (referred to as the inside network) and a public network such as the
Internet (referred to as the outside network). The private addresses you set up on the inside of your
network translate to a single registered IP address on the outside of your network.
• Provides remote LAN IP address privacy. Because Cisco Easy IP uses existing port-level
multiplexed NAT functionality within Cisco IOS software, IP addresses on the remote LAN are
invisible to the Internet. As seen by the external network, the source IP address of all traffic from
the remote LAN is the single registered IP address of the WAN interface of the Cisco Easy IP
router. Only flows that inside hosts initiate have entries in the translation table, so hosts on the
remote LAN cannot be addressed directly from the Internet; the other side of this is that a server
on the remote LAN is not reachable from outside, which is the advantage classic addressing keeps.
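The component-technology and privacy points above come down to one table: outbound packets are rewritten to the single negotiated address with a per-flow port, and inbound packets are translated back only if that table already has an entry for them. The Python model below is an added example, not Cisco IOS code; the inside addresses 10.0.0.2 and 10.0.0.3 and the outside address 172.29.2.1 with ports 4011 and 4012 follow Figure 114, the remote host 198.51.100.10 and the client ports are constructed for the example, and the table is keyed on the outside port alone, which is enough for the illustration.

```python
"""Port Address Translation as Cisco Easy IP applies it: all inside hosts
share the one registered address the router obtained over PPP/IPCP.
Added example, not Cisco IOS code; addresses and ports follow Figure 114."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    def __init__(self, outside_addr, first_port=4011):
        self.outside = outside_addr      # registered WAN address negotiated over IPCP
        self.next_port = first_port
        self.table = {}                  # (inside ip, inside port) -> outside port
        self.reverse = {}                # outside port -> (inside ip, inside port)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source to <outside>:<unique port>.
        Two inside hosts using the same source port still get distinct
        outside ports, which is what makes many-to-one translation work."""
        key = (pkt.src, pkt.sport)
        if key not in self.table:        # new flow: allocate the next outside port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.outside, sport=self.table[key])

    def inbound(self, pkt):
        """Outside -> inside: only a packet addressed to the outside address
        on a port already in the table is translated back. Anything else
        (a scan of 172.29.2.1, or a packet aimed at 10.0.0.2 directly) has no
        entry and is dropped, returned here as None. This is the whole basis
        of the remote LAN privacy claim, and also why a server on the remote
        LAN is unreachable behind Easy IP."""
        if pkt.dst != self.outside or pkt.dport not in self.reverse:
            return None
        ip, port = self.reverse[pkt.dport]
        return replace(pkt, dst=ip, dport=port)


def nat_table(router):
    """Return the NAT table as (inside, outside) rows, laid out as in Figure 114."""
    return [(f"{ip}:{port}", f"{router.outside}:{oport}")
            for (ip, port), oport in router.table.items()]


if __name__ == "__main__":
    r = PatRouter("172.29.2.1")
    r.outbound(Packet("10.0.0.2", 1025, "198.51.100.10", 80))
    r.outbound(Packet("10.0.0.3", 1025, "198.51.100.10", 80))
    for inside, outside in nat_table(r):
        print(f"{inside:<18} {outside}")
    print(r.inbound(Packet("198.51.100.10", 80, "172.29.2.1", 4099)))   # None: no entry
```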
Enterprise Dial Scenarios and Configurations
This chapter provides sample configurations for specific dial scenarios used by enterprise networks (not
telephone companies or Internet service providers). Each configuration is designed to support IP
network traffic with basic security for the specified scenario.
The following scenarios are described:
• Scenario 1—Remote Offices and Telecommuters Dialing In to a Central Site
• Scenario 2—Bidirectional Dial Between Central Sites and Remote Offices
• Scenario 3—Telecommuters Dialing In to a Mixed Protocol Environment
Note If you use Token card-based security in your dial network, we recommend that you enable Password
Authentication Protocol (PAP) authentication and disable the Multilink protocol to maximize dial-in
performance.
Remote User Demographics
Employees stationed in remote offices or disparate locations often dial in to central sites or headquarter
offices to download or upload files and check e-mail. These employees often dial in to the corporate
network from a remote office LAN using ISDN or from another location such as a hotel room using a
modem.
The following remote enterprise users typically dial in to enterprise networks:
• Full-time telecommuters—Employees using stationary workstations to dial in from a small office,
home office (SOHO), making ISDN connections with terminal adapters or PC cards through the
public telephone network, and operating at higher speeds over the network, which rules out the need
for a modem.
• Travelers—Employees such as salespeople who are not in a steady location for more than 30 percent
of the time usually dial in to the network with a laptop and modem through the public telephone
network, and primarily access the network to check E-mail or transfer a few files.
• Workday extenders—Employees that primarily work in the company office, occasionally dial in to
the enterprise with a mobile or stationary workstation plus modem, and primarily access the network
to check E-mail or transfer a few files.
Demand and Scalability
You need to evaluate scalability and design issues before you build a dial enterprise network. As the
number of company employees increases, the number of remote users who need to dial in increases. A
good dial solution scales upward as the demand for dial-in ports grows. For example, it is not uncommon
for a fast-growing enterprise to grow from a demand of 100 modems to 250 modems in less than one
year.
You should always maintain a surplus of dial-in ports to accommodate company growth and occasional
increases in access demand. In the early stages of a fast-growing company that has 100 modems installed
for 6000 registered remote users, only 50 to 60 modems might be active at the same time. As demand
grows over one year, 250 modems might be installed to support 10,000 registered token card holders.
During special company occasions, such as worldwide conventions, demand for remote access can also
increase significantly. During such activities, dial-in lines are used heavily throughout the day and
evening by remote sales people using laptops to access E-mail and share files. This behavior is indicative
of sales people working away from their home territories or sales offices. Network administrators need
to prepare for these remote access bursts, which cause significant increases for remote access demand.
Remote Offices and Telecommuters Dialing In to a Central Site
Remote office LANs typically dial in to other networks using ISDN. Remote offices that use
Frame Relay require a more costly dedicated link.
Connections initiated by remote offices and telecommuters are brought up on an as-needed basis, which
results in substantial cost savings for the company. In dial-on-demand scenarios, users are not connected
for long periods of time. The number of remote nodes requiring access is relatively low, and the
completion time for the dial-in task is short.
Central sites typically do not dial out to the remote LANs. Instead, central sites respond to calls. Remote
sites initiate calls. For example, a field sales office might use ISDN to dial in to and browse a central
site’s intranet. Additionally a warehouse comprising five employees can use ISDN to log in to a remote
network server to download or upload product order information. For an example of bidirectional
dialing, see the section “Bidirectional Dial Between Central Sites and Remote Offices” later in this
chapter.
Note Dial-on-demand routing (DDR) uses static routes or snapshot routing. For IP-only configurations,
static routes are commonly used for remote dial-in. For Internetwork Packet Exchange (IPX)
networking, snapshot routing is often used to minimize configuration complexity.
Network Topologies
Figure 115 shows an example of a remote office that places digital calls in to a central site network. The
remote office router can be any Cisco router with a BRI physical interface, such as a Cisco 766 or
Cisco 1604 router. The central office gateway router can be any Cisco router that supports PRI
connections, such as a Cisco 3600 series, Cisco 4000 series, or Cisco 7000 series router.
Figure 115 Remote Office Dialing In to a Central Site
[Figure 115 (diagram): a remote office LAN with a PC running Windows 95 behind a Cisco 766 or 1604
dialing in to the central site over BRI through the ISDN telephone network, terminating on a PRI on a
Cisco 3600, 4000, or 7000 series router at the central site IP network.]
Figure 116 shows an example of a remote office and telecommuter dialing in to a central site. The remote
office places digital calls. The telecommuter places analog calls. The remote office router can be any
Cisco router with a BRI interface, such as a Cisco 766, Cisco 1604, or Cisco 2503 router. The central
office gateway router is a Cisco AS5300 series access server or a Cisco 3640 router, which supports both
PRI and analog connections.
Figure 116 Remote Office and Telecommuter Dialing In to a Central Site
[Figure 116 (diagram): a remote office LAN with a PC running Windows 95 behind a Cisco 766, 1604,
or 2503 dialing in to the central office over BRI through the ISDN network; a telecommuter dialing in
to the central site through the analog network with Windows 95 and a 28.8 internal modem; both arrive
on a PRI on a Cisco 3640 or Cisco AS5300 at the central site IP network.]
Dial-In Scenarios
The configuration examples in the following sections provide different combinations of dial-in
scenarios, which can be derived from Figure 115 and Figure 116:
• Cisco 1604 Remote Office Router Dialing In to a Cisco 3620 Access Router
• Remote Office Router Dialing In to a Cisco 3620 Router
• Cisco 700 Series Router Using Port Address Translation to Dial In to a Cisco AS5300 Access Server
• Cisco 3640 Central Site Router Configuration to Support ISDN and Modem Calls
• Cisco AS5300 Central Site Configuration Using Remote Security
Note Be sure to include your own IP addresses, host names, and security passwords where appropriate if
you use these examples in your own network.
Cisco 1604 Remote Office Router Dialing In to a Cisco 3620 Access Router
This section provides a common configuration for a Cisco 1604 remote office router dialing in to a
Cisco 3620 access router positioned at a central enterprise site. Only ISDN digital calls are supported in
this scenario. No analog modem calls are supported. All calls are initiated by the remote router on an
as-needed basis. The Cisco 3620 router is not set up to dial out to the Cisco 1604 router. (Refer to
Figure 115.)
The Cisco 1604 and Cisco 3620 routers use IP unnumbered interfaces, Multilink PPP (MLP), and the
dialer load-threshold feature, which brings up the second B channel when the load on the first B channel
exceeds a configured value. No routing protocol runs across the ISDN link; static routes are used instead.
A default static route is configured on the Cisco 1604 router, which points back to the central site. The
central site has a static route that points back to the remote LAN; the Cisco 3620 redistributes that route
into EIGRP on its Ethernet interface only (Dialer0 is passive). Static route configurations assume that you
have only one LAN segment at each remote office.
Cisco 1604 Router Configuration
The following configuration runs on the Cisco 1604 router, shown in Figure 115. This SOHO router
places digital calls in to the Cisco 3620 central site access router. See the next example for the running
configuration of the Cisco 3620 router.
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname remotelan1
!
enable secret cisco
!
! NAS is the hostname of the central site Cisco 3620; this password must match the
! "username remotelan1 password" entry on that router for CHAP to succeed.
username NAS password dialpass
username admin password cisco
isdn switch-type basic-5ess
!
interface Ethernet0
 ip address 10.2.1.1 255.255.255.0
!
interface BRI0
 ip unnumbered Ethernet0
 encapsulation ppp
! 10.1.1.10 is the Ethernet address of the Cisco 3620; 5551234 is the number its PRI answers
 dialer map ip 10.1.1.10 name NAS 5551234
! bring up the second B channel when the first reaches a load of 100 (out of 255) in either direction
 dialer load-threshold 100 either
 dialer-group 1
 no fair-queue
! callin: authenticate the peer on incoming calls only; the 3620 is not challenged when this router dials out
 ppp authentication chap pap callin
 ppp multilink
!
ip classless
! default route to the central site, reached through the host route for 10.1.1.10 on BRI0
ip route 0.0.0.0 0.0.0.0 10.1.1.10
ip route 10.1.1.10 255.255.255.255 BRI0
! any IP packet is interesting traffic and brings up the link
dialer-list 1 protocol ip permit
!
line con 0
line vty 0 4
 login local
!
end
Cisco 3620 Router Configuration
The following sample configuration runs on the Cisco 3620 router shown in Figure 115. This modular
access router has one 2-port PRI network module installed in slot 1 and one 1-port Ethernet network
module installed in slot 0. The router receives only digital ISDN calls from the Cisco 1604 router. The
configuration for the Cisco 1604 router was provided in the previous example.
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
! Local AAA: the "dialin" PPP list authenticates only if the user has not already
! logged in (if-needed); the "console" login list uses the enable secret.
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username admin password cisco
! remotelan1 is the hostname of the Cisco 1604; the password matches its "username NAS password" entry
username remotelan1 password dialpass
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 1/0
 framing esf
 clock source line
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1/1
 framing esf
 clock source line
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.1.2.254 255.255.255.0
!
interface Ethernet 0/0
 ip address 10.1.1.10 255.255.255.0
! advertise the dial-in pool subnet as one summary toward the campus
 ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial 1/0:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Serial 1/1:23
 no ip address
 encapsulation ppp
 isdn incoming-voice modem
 dialer rotary-group 0
 dialer-group 1
 no fair-queue
 no cdp enable
!
interface Dialer0
 ip unnumbered Loopback0
 no ip mroute-cache
 encapsulation ppp
! remote nodes receive an address from dialin_pool (10.1.2.0/24, the Loopback0 subnet)
 peer default ip address pool dialin_pool
 dialer in-band
 dialer-group 1
 no fair-queue
 no cdp enable
! "dialin" here is the AAA method list name defined above, not the callin keyword
 ppp authentication chap pap dialin
 ppp multilink
!
router eigrp 10
 network 10.0.0.0
 passive-interface Dialer0
 default-metric 64 100 250 100 1500
 redistribute static
 no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
! host route to the remote LAN router over the dialer, then the remote LAN itself through that router
ip route 10.2.1.1 255.255.255.255 Dialer0
ip route 10.2.1.0 255.255.255.0 10.2.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
 login authentication console
line aux 0
 login authentication console
line vty 0 4
 login authentication vty
 transport input telnet rlogin
!
end
Remote Office Router Dialing In to a Cisco 3620 Router
This section provides a common configuration for a Cisco 700 or 800 series remote office router placing
digital calls in to a Cisco 3620 router positioned at a central enterprise site. All calls are initiated by the
remote router on an as-needed basis. The Cisco 3620 router is not set up to dial out to the remote office
router. (See Figure 115.)
Cisco 700 Series Router Configuration
The following configuration task is for a Cisco 700 series ISDN router placing digital calls in to a central
site router that supports ISDN PRI, such as the Cisco 3620 router. In this scenario, ISDN unnumbered
interfaces with static routes are pointing back to the Cisco 3620.
To configure the router, use the following commands in EXEC mode. However, this configuration
assumes that you are starting from the router’s default configuration. To return the router to its default
configuration, issue the set default command.
        Command                                           Purpose
Step 1  >
        > set systemname remotelan1                       At the system prompt level, specifies the host name of the
        remotelan1>                                       router, which is also sent as the name when responding to
                                                          Challenge Handshake Authentication Protocol (CHAP)
                                                          authentication with the Cisco 3620. For CHAP authentication,
                                                          the system name must match the username configured on the
                                                          Cisco 3620.
Step 2  remotelan1> set ppp secret client                 Sets the transmit and receive password for the client. This is
        remotelan1> Enter new password: dialpass          the password used in response to CHAP authentication
        remotelan1> Enter new password: dialpass          requests, and it must match the password of that username
                                                          on the Cisco 3620 router.
Step 3  remotelan1> set encapsulation ppp                 Sets PPP encapsulation for incoming and outgoing
                                                          authentication instead of CPP.
Step 4  remotelan1> set ppp multilink on                  Enables Multilink PPP (MLP).
Step 5  remotelan1> set user nas                          Creates the profile named nas, which is reserved for the
        remotelan1> New user nas being created            Cisco 3620 router.
Step 6  remotelan1:nas> set ip 0.0.0.0                    Specifies the IP address of this profile (the WAN side). The
                                                          value 0.0.0.0 means that the router uses the address assigned
                                                          to it by the central Cisco 3620 router. The LAN address is set
                                                          in Step 14.
Step 7  remotelan1:nas> set ip framing none               Configures the profile not to use Ethernet framing.
Step 8  remotelan1:nas> set ip route destination          Sets the default route to point to the Ethernet IP address of
        0.0.0.0 gateway 10.1.1.10                         the Cisco 3620 router.
Step 9  remotelan1:nas> set timeout 300                   Sets the idle time after which the B channel is dropped. In
                                                          this case, the line is dropped after 300 seconds of idle time.
Step 10 remotelan1:nas> set 1/2 number 5551234            Sets the number to call when dialing out on the first and
                                                          second B channels.
Step 11 remotelan1:nas> cd lan                            Enters LAN profile mode.
Step 12 remotelan1:LAN> set bridging off                  Turns bridging off.
Step 13 remotelan1:LAN> set ip routing on                 Turns on IP routing.
Step 14 remotelan1:LAN> set ip address 10.2.1.1           Sets the LAN IP address for the interface.
After you configure the Cisco 760 or Cisco 770 series router, the final configuration should resemble the
following:
set systemname remotelan1
set ppp secret client
set encapsulation ppp
set ppp multilink on
cd lan
set bridging off
set ip routing on
set ip 10.2.1.1
set subnet 255.255.255.0
set user nas
set bridging off
set ip 0.0.0.0
set ip netmask 0.0.0.0
set ip framing none
set ip route destination 0.0.0.0 gateway 10.1.1.10
set timeout 300
set 1 number 5551234
set 2 number 5551234
The previous software configuration does not provide for any access security. To provide access security,
use the following optional commands in EXEC mode:
Command / Purpose
  Command: Router> set ppp authentication incoming chap
  Purpose: Provides CHAP authentication to incoming calls.
  Command: Router> set callerid
  Purpose: Requires the calling party's number to be matched against the configured receive numbers
  (such as set by the set callidreceive # command). This command also denies all incoming calls if no
  callidreceive number is configured.
  Command: Router> set remoteaccess protected
  Purpose: Specifies a remote system password, which enables you to make changes on the router from a
  remote location.
  Command: Router> set localaccess protected
  Purpose: Specifies a local system password, which enables you to make changes on the router from a
  local console connection.
  Command: Router> set password system
  Purpose: Sets the system password for the previous access configurations.
Cisco 3620 Router Configuration
The following example provides a sample configuration for the Cisco 3620 router. This modular access
router has one 2-port PRI network module installed in slot 1 and one 1-port Ethernet network module
installed in slot 0. The router receives only digital ISDN calls over T1 lines from the Cisco 700 series
remote office router, which was described in the previous example.
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
hostname NAS
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username admin password cisco
username remotelan1 password dialpass
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 1/0
framing esf
clock source line
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1/1
framing esf
clock source line
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet 0/0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial 1/0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial 1/1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
default-metric 64 100 250 100 1500
redistribute static
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip route 10.2.1.1 255.255.255.255 Dialer0
ip route 10.2.1.0 255.255.255.0 10.2.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
Cisco 700 Series Router Using Port Address Translation to Dial In to a Cisco AS5300 Access Server
This section shows a Cisco 700 series router using the port address translation (PAT) feature to dial in
to a Cisco AS5300 central site access server. IP addresses are assigned from the central site, and PAT
lets the multiple devices at the remote site share the single assigned address. In this example, the
Cisco 700 series router has a private range of IP addresses used on the Ethernet side; the router
translates between the local private addresses and the dynamically registered address on the WAN
interface. (See Figure 115.)
Cisco 700 Series Configuration
The sample configuration in this section allows PCs on a LAN to boot up and acquire their IP address
dynamically from a Cisco 700 series router, which in turn translates the private addresses into a single
IP address assigned from a Cisco AS5300 central site router. The Cisco 700 series router also passes
information via DHCP regarding the Domain Name System (DNS) server (in this example, 10.2.10.1)
and the Windows Internet naming service (WINS) server (in this example, 10.2.11.1) along with the
domain name.
A possible sequence of events: a remote PC running Windows 95 boots up on the Ethernet segment and
gets its IP address and network information from the Cisco 700 series router. The PC then opens
Netscape and attempts to view a web page at the central site, which causes the router to dial in to the
central site. The router dynamically obtains its address from the central site pool of addresses and uses
it to translate between the private address on the local Ethernet segment and the registered IP address
borrowed from the central site router.
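The translation the router performs in this scenario can be modelled in a few lines. The following Python is an added example written for this page, not Cisco 700 series code, and it simplifies the router's behaviour: it assumes a per-connection mapping keyed on the full private flow, a translated port range starting at 1024, and constructed addresses (WAN address 10.1.2.1 taken from the central pool, private hosts on the 10.0.0.0 network the DHCP server hands out). What it shows is the property the scenario relies on: a private host is reachable only through a mapping that host itself created, so an inbound packet with no matching entry is dropped.

```python
from typing import Dict, Optional, Tuple

# A flow as seen from the private LAN: (private IP, private port, remote IP, remote port)
ConnKey = Tuple[str, int, str, int]


class PortAddressTranslator:
    """Simplified model of PAT on the remote router (example code, not the router's
    implementation). Every private host shares the one WAN address assigned from the
    central-site pool; flows are told apart only by the translated source port."""

    def __init__(self, wan_address: str, first_port: int = 1024, last_port: int = 65535):
        self.wan_address = wan_address            # constructed: address borrowed from dialin_pool
        self._next_port = first_port              # assumption: ports handed out sequentially
        self._last_port = last_port
        self._outbound: Dict[ConnKey, int] = {}   # private flow -> translated WAN port
        # (WAN port, remote IP, remote port) -> (private IP, private port)
        self._inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, src_ip: str, src_port: int,
                           dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Rewrite the source of a packet leaving the LAN; reuse the mapping for a known flow."""
        key = (src_ip, src_port, dst_ip, dst_port)
        port = self._outbound.get(key)
        if port is None:
            if self._next_port > self._last_port:
                raise RuntimeError("translation table full")
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.wan_address, port

    def translate_inbound(self, wan_port: int, src_ip: str,
                          src_port: int) -> Optional[Tuple[str, int]]:
        """Return the private endpoint for a packet arriving on the WAN side, or None
        (drop) when no private host opened a flow to that remote endpoint."""
        return self._inbound.get((wan_port, src_ip, src_port))

    def active_mappings(self) -> int:
        return len(self._outbound)


if __name__ == "__main__":
    pat = PortAddressTranslator("10.1.2.1")
    # Two PCs on the private LAN both fetch a web page at the central site.
    print(pat.translate_outbound("10.0.0.2", 1025, "10.2.10.1", 80))
    print(pat.translate_outbound("10.0.0.3", 1025, "10.2.10.1", 80))
    # A reply to the first flow is forwarded; an unsolicited packet is not.
    print(pat.translate_inbound(1024, "10.2.10.1", 80))
    print(pat.translate_inbound(40000, "10.2.10.1", 80))
```

Because the reverse table is keyed on the remote endpoint as well as the translated port, a packet from a different remote host or port that happens to hit an allocated WAN port is still dropped; a real router may keep a looser mapping, which is the usual reason a PAT box should not be treated as a substitute for an access list.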
To configure a remote router, use the following commands beginning in EXEC mode:
Command / Purpose
Step 1
  Command: > set systemname remotelan1
           Router>
  Purpose: At the system prompt level, specifies the host name of the router, which is also used when
  responding to CHAP authentication with the Cisco 3620 router. For CHAP authentication, the system's
  name must match the username configured on the Cisco 3620.
Step 2
  Command: Router> set ppp secret client
           Router> Enter new password: dialpass
           Router> Enter new password: dialpass
  Purpose: Sets the transmit and receive password for the client. This is the password used in response
  to CHAP authentication requests, and it must match the username password configured on the
  Cisco 3620 router.
Step 3
  Command: Router> set encapsulation ppp
  Purpose: Sets PPP encapsulation for incoming and outgoing authentication instead of CPP.
Step 4
  Command: Router> set ppp multilink on
  Purpose: Enables MLP.
Step 5
  Command: Router> set dhcp server
  Purpose: Enables the router to act as a DHCP server and assign addresses from the private network.
  By default, all DHCP client addresses are assigned from the 10.0.0.0 network.
Step 6
  Command: Router> set dhcp dns primary 10.2.10.1
  Purpose: Passes the DNS server IP address to the DHCP client.
Step 7
  Command: Router> set dhcp wins 10.2.11.1
  Purpose: Passes the IP address of the WINS server to the DHCP client.
Step 8
  Command: Router> set dhcp domain nas.com
  Purpose: Sets the DHCP domain name for the Cisco 3620 central site router.
Step 9
  Command: Router> set user nas
           Router> New user nas being created
  Purpose: Creates the profile named nas, which is set up for the Cisco 3620 router.
Step 10
  Command: Router:nas> set ip pat on
  Purpose: Enables Port Address Translation (PAT) on the router.
Step 11
  Command: Router:nas> set ip framing none
  Purpose: Configures the profile to not use Ethernet framing.
Step 12
  Command: Router:nas> set ip route destination 0.0.0.0 gateway 10.1.1.10
  Purpose: Sets the default route to point to the Ethernet IP address of the Cisco 3620 router.
Step 13
  Command: Router:nas> set 1 number 5551234
  Purpose: Sets the number to call when dialing out of the first B channel.
Step 14
  Command: Router:nas> set 2 number 5551234
  Purpose: Sets the number to call when dialing out of the second B channel.
Step 15
  Command: Router:nas> cd lan
  Purpose: Enters LAN profile mode.
Step 16
  Command: Router:LAN> set bridging off
  Purpose: Turns bridging off.
Step 17
  Command: Router:LAN> set ip routing on
  Purpose: Turns IP routing on.
After you configure the router, the configuration should resemble the following:
set systemname remotelan1
set encapsulation ppp
set ppp secret client
set ppp multilink on
set dhcp server
set dhcp dns primary 10.2.10.1
set dhcp wins 10.2.11.1
set dhcp domain nas.com
set user nas
set bridging off
set ip routing on
set ip framing none
set ip pat on
set ip route destination 0.0.0.0 gateway 10.1.1.10
set 1 number 5551234
set 2 number 5551234
Cisco AS5300 Router Configuration
The following example configures a Cisco AS5300 router for receiving calls from the router in the
previous example.
Note This configuration can also run on a Cisco 4000, Cisco 3600, or Cisco 7000 series router. However,
the interface numbering scheme for these routers will be in the form of slot/port. Additionally, the
clocking will be set differently. Refer to your product configuration guides and configuration notes
for more details.
!
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username admin password cisco
username remotelan1 password dialpass
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
default-metric 64 100 250 100 1500
redistribute static
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip route 10.2.1.1 255.255.255.255 Dialer0
ip route 10.2.1.0 255.255.255.0 10.2.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
In this configuration, the local pool is using a range of unused addresses on the same subnet on which
the Ethernet interface is configured. The addresses will be used for the remote devices dialing in to the
Cisco AS5300 access server.
Cisco 3640 Central Site Router Configuration to Support ISDN and Modem Calls
The following configuration allows remote LANs and standalone remote users with modems to dial in
to a central site. Figure 116 shows the network topology.
The Cisco 3640 router has the following hardware configuration for this scenario:
• One 2-port ISDN-PRI network module installed in slot 1.
• One digital modem network module installed in slot 2 and slot 3.
• One 1-port Ethernet network module installed in slot 0.
Note Each MICA technologies digital modem card has its own group async configuration. Additionally, a
single range of asynchronous lines is used for each modem card. For additional interface numbering
information, refer to the document Digital Modem Network Module Configuration Note.
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username admin password cisco
username remotelan1 password dialpass1
username remotelan2 password dialpass2
username PCuser1 password dialpass3
username PCuser2 password dialpass4
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 1/0
framing esf
clock source line
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1/1
framing esf
clock source line
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial 1/0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial 1/1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 65 88
!
interface Group-Async2
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 97 120
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line 65 88
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line 97 120
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
Cisco AS5300 Central Site Configuration Using Remote Security
The previous examples in this section configured static CHAP authentication on the central router using
the username command. A more common configuration to support modem and ISDN calls on a single
chassis is to use the AAA security model and an external security server at the central site. We
recommend that you have a solid understanding of basic security principles and the AAA model before
you set up this configuration. For more information about security, see the Cisco IOS Security
Configuration Guide.
Central Site Cisco AS5300 Configuration Using TACACS+ Authentication
The following example assumes that you are running TACACS+ on the remote security server:
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login console enable
aaa authentication login vty tacacs+
aaa authentication login dialin tacacs+
aaa authentication ppp default tacacs+
aaa authentication ppp dialin if-needed tacacs+
enable secret cisco
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
redistribute static
default-metric 64 100 250 100 1500
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
end
TACACS+ Security Server Entry
The following example can be configured on a remote TACACS+ security server, which complements
the Cisco AS5300 access server configuration listed in the previous example:
user = remotelan1 {
chap = cleartext "dialpass1"
service = ppp protocol = ip {
addr = 10.2.1.1
route = "10.2.1.0 255.255.255.0"
}
}
user = PCuser1 {
login = cleartext "dialpass2"
chap = cleartext "dialpass2"
service = ppp protocol = ip {
addr-pool = dialin_pool
}
service = exec {
autocmd = "ppp negotiate"
}
}
user = PCuser2 {
login = cleartext "dialpass3"
chap = cleartext "dialpass3"
service = ppp protocol = ip {
addr-pool = dialin_pool
}
service = exec {
autocmd = "ppp negotiate"
}
}
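Both the local-username examples and the TACACS+ entries above keep credentials in a form that can be read straight out of the configuration (username ... password lines, a password 7 string, cleartext entries in the server file), and the vty lines accept Telnet and rlogin. The following Python is an added example, not Cisco code and not part of this guide: a small linter that walks an IOS configuration and reports those settings so they are caught when a configuration is reviewed before deployment or after an incident. The rule set and the sample configuration are this example's own (the sample is modelled on the NAS configurations above); the secret types it accepts without comment (5, 8, 9) are the IOS hashed types.

```python
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Finding:
    line_no: int   # 0 for a whole-configuration finding
    rule: str
    text: str
    advice: str


# (rule id, pattern, advice). Patterns are applied to stripped lines that do not
# begin with "no ", so a negated command is never reported as enabled.
RULES = [
    ("reversible-user-password",
     re.compile(r"^username\s+\S+\s+password\s+(?!5\s|7\s|8\s|9\s)"),
     "use 'username <name> secret <pw>' so the stored form is a one-way hash"),
    ("enable-password",
     re.compile(r"^enable\s+password\s"),
     "replace with 'enable secret'"),
    ("type7-password",
     re.compile(r"\spassword\s+7\s+\S+"),
     "type 7 encoding is reversible; rotate the credential and store it as a secret"),
    ("small-servers-enabled",
     re.compile(r"^service\s+(udp|tcp)-small-servers$"),
     "disable with 'no service udp-small-servers' and 'no service tcp-small-servers'"),
    ("cleartext-mgmt-transport",
     re.compile(r"^transport\s+input\b.*\b(telnet|rlogin)\b"),
     "management sessions cross the network in the clear; restrict to 'transport input ssh'"),
    ("pap-allowed",
     re.compile(r"^ppp\s+authentication\b.*\bpap\b"),
     "PAP sends the password in the clear over the link; prefer CHAP only"),
]


def audit_ios_config(config_text: str) -> List[Finding]:
    """Return one Finding per matching line, plus a whole-config finding when
    'service password-encryption' is absent."""
    findings: List[Finding] = []
    lines = config_text.splitlines()
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        for rule_id, pattern, advice in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule_id, line, advice))
    if not any(raw.strip() == "service password-encryption" for raw in lines):
        findings.append(Finding(0, "no-password-encryption", "",
                                "add 'service password-encryption' so passwords are not shown "
                                "in the clear in 'show running-config' output"))
    return findings


def rules_triggered(config_text: str) -> Set[str]:
    return {f.rule for f in audit_ios_config(config_text)}


# Constructed sample, modelled on the NAS configurations in this section.
SAMPLE_CONFIG = """\
version xx.x
service udp-small-servers
no service tcp-small-servers
hostname NAS
!
aaa new-model
enable secret cisco
!
username admin password cisco
username remotelan1 secret dialpass
!
interface Dialer10
 encapsulation ppp
 ppp authentication pap chap callin
 ppp pap sent-username DialupAdmin password 7 07063D11542
!
line vty 0 4
 login authentication vty
 transport input telnet rlogin
!
end
"""

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {finding.line_no:>3}  {finding.rule:<26} {finding.text}")
        print(f"           {finding.advice}")
```

The same approach extends naturally to the TACACS+ user file: a rule matching cleartext "..." there flags entries whose password is stored unhashed on the security server, which is the second place these examples leave credentials readable.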
Bidirectional Dial Between Central Sites and Remote Offices
Sometimes a gateway access server at headquarters is required to dial out to a remote site while
simultaneously receiving incoming calls. This type of network is designed around a specific business
support model.
Dial-In and Dial-Out Network Topology
Figure 117 shows a typical dial-in and dial-out network scenario, which amounts to only 25 percent of
all dial topologies. The Cisco AS5300 access server at headquarters initiates a connection with a Cisco
1604 router at remote office 1. After a connection is established, the file server at the remote site (shown
as Inventory child host) runs a batch processing application with the mainframe at headquarters (shown
as Inventory totals parent host). While files are being transferred between remote office 1 and
headquarters, remote office 2 is successfully dialing in to headquarters.
Figure 117 Headquarters Configured for Dial-In and Dial-out Networking
[Figure: a headquarters network with a Cisco AS5200 configured for dial-in and dial-out calling, connected over PRI (ISDN and analog) and hosting the "Inventory totals parent host". Remote office #1 (Cisco 1604 over BRI, "Inventory child host") responds to dial-out calls from headquarters; remote office #2 (Cisco 1604 over BRI) initiates calls into headquarters. Also shown: a PC responding to dial-out calls from headquarters, a PC dialing in to headquarters, a PC running Windows 95, and a digital phone.]
There are some restrictions for dial-out calling. Dial-out analog and digital calls are commonly made to
remote ISDN routers, such as the Cisco 1604 router. On the whole, dial-out calls are not made from a
central site router to a remote PC but rather from a remote PC in to the central site. However, central site
post offices often call remote office routers on demand to deliver e-mail. Callback is enabled in dial-in
scenarios only. The majority of a dial-out software configuration is set up on the router at headquarters,
not the remote office router. Dialing out to a stack group of multiple chassis is not supported by
Cisco IOS software. Note that Multichassis Multilink PPP (MMP) and virtual private dialup networks
(VPDNs) are dial-in only solutions.
Dialer Profiles and Virtual Profiles
Profiles are set up to discriminate access on a user-specific basis. For example, if the chief network
administrator is dialing in to the enterprise, a unique user profile can be created with an idle timeout of
one year, and universal access privileges to all networks in the company. For less fortunate users, access
can be restricted to an idle timeout of 10 seconds and network connections set up for only a few
addresses.
Depending on the size and scope of your dial solution, you can set up two different types of profiles:
dialer profiles or virtual profiles. Dialer profiles are individual user profiles set up on routers or access
servers in a small-scale dial solution. This type of profile is configured locally on the router and is
limited by the number of interfaces that exist on the router. When an incoming call comes into the dial
pool, the dialer interface binds the caller to a dialer profile via the caller ID or the caller name.
Figure 118 shows an example of how dialer profiles can be used when:
• You need to bridge over multiple ISDN channels.
• You want to use ISDN to back up a WAN link, but still have the ISDN interface available during
those times that the WAN link is up.
• A security server, such as a AAA TACACS or RADIUS server, is not available for use.
Note For more information about dialer profiles, see the chapters “Configuring Peer-to-Peer DDR with
Dialer Profiles” and “Configuring Dial Backup with Dialer Profiles.”
Figure 118 Dial-In Scenario for Dialer Profiles
[Figure: two remote office networks, each behind a Cisco 1600 series router configured without dialer profiles, dial over BRI through the ISDN telephone network; a Cisco AS5200 on the headquarters network, connected over PRI, is configured with one dialer profile for each Cisco 1600 remote office router.]
Virtual profiles are user-specific profiles for large-scale dial solutions; however, these profiles are not
manually configured on each router or access server. A virtual profile is a unique PPP application that
can create and configure a virtual access interface dynamically when a dial-in call is received, and tear
down the interface dynamically when the call ends.
The configuration information for a virtual access interface in a virtual profile can come from the virtual
template interface, or from user-specific configuration information stored on an AAA server, or both.
The virtual profile user-specific configuration stored on the AAA server is identified by the
authentication name for the call-in user. (That is, if the AAA server authenticates the user as samson, the
user-specific configuration is listed under samson in the AAA user file.) The virtual profile user-specific
configuration should include only the configuration that is not shared by multiple users. Shared
configuration should be placed in the virtual template interface, where it can be cloned on many virtual
access interfaces as needed.
AAA configurations are much easier to manage for large numbers of dial-in users. Virtual profiles can
span across a group of access servers, but a AAA server is required. Virtual profiles are set up
independently of which access server, interface, or port number users connect to. For users that share
duplicate configuration information, it is best to enclose the configuration in a virtual template. This
requirement eliminates the duplication of commands in each of the user records on the AAA server.
The user-specific AAA configuration used by virtual profiles is interface configuration information
downloaded during link control protocol (LCP) negotiations. Another feature, called per-user
configuration, also uses configuration information obtained from a AAA server. However, per-user
configuration uses network configuration (such as access lists and route filters) downloaded during NCP
negotiations.
Figure 119 shows an example of how virtual profiles are used:
• A large-scale dial-in solution is available, which includes many access servers or routers (for
example, three or more devices stacked together in an MMP scenario).
• Discrimination between large numbers of users is needed.
• Setup and maintenance of a user profile for each dial-in user on each access server or router is much
too time consuming.
• A security server, such as a AAA TACACS or RADIUS server, is available for use.
Note For a virtual profile configuration example, see the section “Large-Scale Dial-In Configuration Using
Virtual Profiles” later in this chapter. For more information about virtual profiles, see the chapters
“Configuring Virtual Profiles” and “Configuring Per-User Configuration” in this publication.
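The difference between the two profile types is easiest to see in code. The following Python is an added example, not IOS code: a DialerPool that binds an incoming call to one of a fixed set of locally configured dialer profiles by caller ID or by authenticated name (the small-scale case from the dialer-profile discussion above), and a VirtualProfileServer that clones a shared template for every call and overlays the per-user entry the AAA server holds for that name (using samson from the text), creating a virtual-access interface when the call arrives and tearing it down when it ends. The profile data, template keys and AAA entries are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DialerProfile:
    remote_name: str           # authenticated PPP name the profile is bound to
    caller_id: Optional[str]   # calling number, or None when bound by name only
    idle_timeout: int          # seconds
    interface: str             # the dialer interface that carries the call


class DialerPool:
    """Small-scale case: one locally configured profile per remote user, limited by
    the dialer interfaces on the box. A call is bound by caller ID first (available
    before authentication), then by authenticated name; a call matching neither
    gets no profile and is refused."""

    def __init__(self, profiles: List[DialerProfile]):
        self._by_name = {p.remote_name: p for p in profiles}
        self._by_caller_id = {p.caller_id: p for p in profiles if p.caller_id}

    def bind(self, authenticated_name: Optional[str] = None,
             caller_id: Optional[str] = None) -> Optional[DialerProfile]:
        if caller_id is not None and caller_id in self._by_caller_id:
            return self._by_caller_id[caller_id]
        if authenticated_name is not None:
            return self._by_name.get(authenticated_name)
        return None


class VirtualProfileServer:
    """Large-scale case: no per-user interfaces on the access server. Each call gets a
    virtual-access interface cloned from the shared template, with the user-specific
    AAA entry (if any) applied on top, and the interface goes away when the call ends."""

    def __init__(self, template: Dict[str, str], aaa_users: Dict[str, Dict[str, str]]):
        self._template = template
        self._aaa_users = aaa_users
        self._active: Dict[str, Tuple[str, Dict[str, str]]] = {}
        self._next_index = 1

    def call_in(self, authenticated_name: str) -> Tuple[str, Dict[str, str]]:
        config = dict(self._template)                            # shared part, cloned
        config.update(self._aaa_users.get(authenticated_name, {}))  # user-specific part wins
        ifname = f"Virtual-Access{self._next_index}"
        self._next_index += 1
        self._active[authenticated_name] = (ifname, config)
        return ifname, config

    def hang_up(self, authenticated_name: str) -> bool:
        """Tear down the caller's virtual-access interface; False if there was none."""
        return self._active.pop(authenticated_name, None) is not None

    def active_interfaces(self) -> List[str]:
        return [ifname for ifname, _ in self._active.values()]


# Constructed sample data (not taken from the configurations in this chapter).
PROFILES = [
    DialerProfile("remotelan1", "5551234", 300, "Dialer10"),
    DialerProfile("remotelan2", None, 10, "Dialer11"),
]
VIRTUAL_TEMPLATE = {
    "ip": "unnumbered Loopback0",
    "encapsulation": "ppp",
    "ppp authentication": "chap",
}
AAA_USER_CONFIG = {
    "samson": {"ip address": "10.2.1.1 255.255.255.0", "ip access-group": "101 in"},
}

if __name__ == "__main__":
    pool = DialerPool(PROFILES)
    print(pool.bind(caller_id="5551234"))
    print(pool.bind(authenticated_name="remotelan2"))
    print(pool.bind(authenticated_name="stranger", caller_id="5559999"))
    vp = VirtualProfileServer(VIRTUAL_TEMPLATE, AAA_USER_CONFIG)
    print(vp.call_in("samson"))
    print(vp.call_in("guest"))       # template only: no AAA entry for this user
    print(vp.hang_up("samson"), vp.active_interfaces())
```

Note what each model cannot do: the DialerPool has nothing for a caller that is not in its local table, and it must be replicated by hand on every access server, while the VirtualProfileServer can run on any number of servers because the only per-user state lives on the AAA server.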
Figure 119 Dial-In Scenario for Virtual Profiles
[Figure: 100 remote offices reporting to headquarters with 100 Cisco 1600 series routers dial through the ISDN telephone network to hunt group telephone number 555-1234; several Cisco AS5200s on the headquarters network, each connected over PRI, get user-profile information from an AAA TACACS+ security server configured with user-profile information.]
Running Access Server Configurations
In most cases, dialer profiles are configured on access servers or routers that receive calls and must
discriminate between users, such as many different remote routers dialing in. (See Figure 120.)
Figure 120 Remote Cisco 1600s Dialing In to a Cisco AS5300 at the Central Site
[Figure: three Cisco 1600 series remote office LANs dial through the ISDN telephone network into a Cisco AS5200 on the headquarters network, which receives the calls over PRI.]
Access servers or routers that only place calls (not receive calls) do not need any awareness of configured
dialer profiles. Remote routers do not need to discriminate on the basis of which device they are calling
in to. For example, if multiple Cisco 1600 series routers are dialing in to one Cisco AS5300 access
server, the Cisco 1600 series routers should not be configured with dialer profiles. The Cisco AS5300
access server should be configured with dialer profiles. Do not configure dialer profiles on devices that
only make calls.
The configuration examples in the following sections are provided for different types of dial scenarios,
which can be derived from Figure 117 through Figure 120:
• Examples with dialer profiles:
– Cisco AS5300 Access Server Configuration with Dialer Profiles
– Cisco 1604 ISDN Router Configuration with Dialer Profiles
– Cisco 1604 Router Asynchronous Configuration with Dialer Profiles
• Examples without dialer profiles:
– Cisco AS5300 Access Server Configuration Without Dialer Profiles
– Cisco 1604 ISDN Router Configuration Without Dialer Profiles
– Cisco 1604 Router Asynchronous Configuration Without Dialer Profiles
• Large-Scale Dial-In Configuration Using Virtual Profiles
Note Be sure to include your own IP addresses, host names, and security passwords where appropriate if
configuring these examples in your network.
Cisco AS5300 Access Server Configuration with Dialer Profiles
The following bidirectional dial configuration runs on the Cisco AS5300 access server at headquarters
in Figure 117. This configuration enables calls to be sent to the SOHO router and received from remote
hosts and clients. The calling is bidirectional.
version xx.x
service udp-small-servers
service tcp-small-servers
!
hostname 5300
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username async1 password cisco
username async2 password cisco
username async3 password cisco
username async4 password cisco
username async5 password cisco
username async6 password cisco
username async7 password cisco
username async8 password cisco
username isdn1 password cisco
username isdn2 password cisco
username isdn3 password cisco
username isdn4 password cisco
username isdn5 password cisco
username isdn6 password cisco
username isdn7 password cisco
username isdn8 password cisco
username DialupAdmin password cisco
!
isdn switch-type primary-dms100
chat-script cisco-default ABORT ERROR "" "AT" OK "ATDT\T" TIMEOUT 60 CONNECT
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface loopback 1
ip address 172.18.38.40 255.255.255.128
!
interface loopback 2
ip address 172.18.38.130 255.255.255.128
!
interface Ethernet0
ip address 172.18.39.40 255.255.255.0
no ip mroute-cache
ip ospf priority 0
!
interface Serial0:23
no ip address
no ip mroute-cache
encapsulation ppp
isdn incoming-voice modem
dialer pool-member 2
!
interface Serial1:23
no ip address
no ip mroute-cache
encapsulation ppp
isdn incoming-voice modem
dialer pool-member 2
!
interface Group-Async1
no ip address
no ip mroute-cache
encapsulation ppp
async mode interactive
dialer in-band
dialer pool-member 1
ppp authentication chap pap
group-range 1 48
!
interface Dialer10
ip unnumbered loopback 1
encapsulation ppp
peer default ip address dialin_pool
dialer remote-name async1
dialer string 14085268983
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp pap sent-username DialupAdmin password 7 07063D11542
!
interface Dialer11
ip unnumbered loopback 1
encapsulation ppp
no peer default ip address pool
dialer remote-name async2
dialer string 14085262012
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp pap sent-username DialupAdmin password 7 07063D11542
!
interface Dialer12
ip unnumbered loopback 1
encapsulation ppp
no peer default ip address pool
dialer remote-name async3
dialer string 14085260706
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp pap sent-username DialupAdmin password 7 07063D11542
!
interface Dialer13
ip unnumbered loopback 1
encapsulation ppp
no peer default ip address pool
dialer remote-name async4
dialer string 14085262731
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp pap sent-username DialupAdmin password 7 07063D11542
!
interface Dialer14
ip unnumbered loopback 1
encapsulation ppp
no peer default ip address pool
dialer remote-name async5
dialer string 14085264431
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp pap sent-username DialupAdmin password 7 07063D11542
!
interface Dialer15
ip unnumbered loopback 1
encapsulation ppp
no peer default ip address pool
dialer remote-name async6
dialer string 14085261933
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp pap sent-username DialupAdmin password 7 07063D11542
!
interface Dialer16
ip unnumbered loopback 1
encapsulation ppp
no peer default ip address pool
dialer remote-name async7
dialer string 14085267631
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp pap sent-username DialupAdmin password 7 07063D11542
!
interface Dialer17
ip unnumbered loopback 1
encapsulation ppp
no peer default ip address pool
dialer remote-name async8
dialer string 14085265153
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp pap sent-username DialupAdmin password 7 07063D11542
!
interface Dialer18
ip unnumbered loopback 2
encapsulation ppp
no peer default ip address pool
dialer remote-name isdn1
dialer string 14085267887
dialer hold-queue 10
dialer pool 2
dialer-group 1
ppp authentication chap pap
!
interface Dialer19
ip unnumbered loopback 2
encapsulation ppp
no peer default ip address pool
dialer remote-name isdn2
dialer string 14085261591
dialer hold-queue 10
dialer pool 2
dialer-group 1
ppp authentication chap pap
!
interface Dialer20
ip unnumbered loopback 2
encapsulation ppp
no peer default ip address pool
dialer remote-name isdn3
dialer string 14085262118
dialer hold-queue 10
dialer pool 2
dialer-group 1
ppp authentication chap pap
!
interface Dialer21
ip unnumbered loopback 2
encapsulation ppp
no peer default ip address pool
dialer remote-name isdn4
dialer string 14085263757
dialer hold-queue 10
dialer pool 2
dialer-group 1
ppp authentication chap pap
!
interface Dialer22
ip unnumbered loopback 2
encapsulation ppp
no peer default ip address pool
dialer remote-name isdn5
dialer string 14085263769
dialer hold-queue 10
dialer pool 2
dialer-group 1
ppp authentication chap pap
!
interface Dialer23
ip unnumbered loopback 2
encapsulation ppp
no peer default ip address pool
dialer remote-name isdn6
dialer string 14085267884
dialer hold-queue 10
dialer pool 2
dialer-group 1
ppp authentication chap pap
!
interface Dialer24
ip unnumbered loopback 2
encapsulation ppp
no peer default ip address pool
dialer remote-name isdn7
dialer string 14085267360
dialer hold-queue 10
dialer pool 2
dialer-group 1
ppp authentication chap pap
!
interface Dialer25
ip unnumbered loopback 2
encapsulation ppp
no peer default ip address pool
dialer remote-name isdn8
dialer string 14085260361
dialer hold-queue 10
dialer pool 2
dialer-group 1
ppp authentication chap pap
!
router ospf 1
redistribute static subnets
passive-interface Dialer10
passive-interface Dialer11
passive-interface Dialer12
passive-interface Dialer13
passive-interface Dialer14
passive-interface Dialer15
passive-interface Dialer16
passive-interface Dialer17
passive-interface Dialer18
passive-interface Dialer19
passive-interface Dialer20
passive-interface Dialer21
passive-interface Dialer22
passive-interface Dialer23
passive-interface Dialer24
passive-interface Dialer25
network 172.18.0.0 0.0.255.255 area 0
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip domain-name cisco.com
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
line 1 48
no exec
exec-timeout 0 0
autoselect during-login
autoselect ppp
script dialer cisco-default
login local
modem InOut
modem autoconfigure type microcom_hdms
transport input telnet
line aux 0
line vty 0 1
exec-timeout 60 0
password cisco
login
line vty 2 5
exec-timeout 5 0
password cisco
login
!
end
Cisco 1604 ISDN Router Configuration with Dialer Profiles
The following configuration runs on the remote office Cisco 1604 router, which receives calls from the
Cisco AS5300 central site access server. (See Figure 117.)
version xx.x
service udp-small-servers
service tcp-small-servers
!
hostname isdn1
!
enable password cisco
!
username 5300 password cisco
username isdn1 password cisco
isdn switch-type basic-5ess
!
interface Ethernet0
ip address 172.18.40.1 255.255.255.0
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
ppp authentication chap pap
!
interface Dialer1
ip address 172.18.38.131 255.255.255.128
encapsulation ppp
no peer default ip address pool
dialer remote-name 5300
dialer string 14085269328
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication chap pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.38.130
dialer-list 1 protocol ip permit
!
line con 0
line vty 0 4
password cisco
login
!
end
Cisco 1604 Router Asynchronous Configuration with Dialer Profiles
The following asynchronous configuration runs on the remote office Cisco 1604 router, which receives
calls from the Cisco AS5300 central site access server. (See Figure 117.)
version xx.x
service udp-small-servers
service tcp-small-servers
!
hostname async1
!
enable password cisco
!
username 5300 password cisco
username async1 password cisco
chat-script dial_out "" "ATDT\T" TIMEOUT 60 CONNECT \c
!
interface Ethernet0
ip address 172.18.41.1 255.255.255.0
!
interface serial 0
physical-layer async
no ip address
encapsulation ppp
dialer pool-member 1
ppp authentication chap pap
!
interface Dialer10
ip address 172.18.38.41 255.255.255.128
encapsulation ppp
no peer default ip address pool
dialer remote-name 5300
dialer string 14085269328
dialer hold-queue 10
dialer pool 1
dialer-group 1
ppp authentication chap pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.38.40
dialer-list 1 protocol ip permit
!
line con 0
line 1
password cisco
login
script modem dial_out
!
end
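The three dialer-profile configurations above rely on cross-references that are easy to break when a configuration is copied between routers: a physical interface joins a pool with dialer pool-member, a profile draws on that pool with dialer pool, an incoming call is bound to the profile through the name the peer authenticates with (dialer remote-name must have a matching username entry), and dialer-group must point at an existing dialer-list or nothing is ever interesting traffic. The following Python script is an added example, not part of this guide or of Cisco IOS; it checks those bindings. The sample configuration embedded in it is constructed for illustration, with two planted mistakes (Dialer12 draws on a pool that has no member, Dialer13 names a peer with no username entry and a dialer-group with no dialer-list).

```python
"""Cross-check dialer-profile bindings in an IOS configuration (added example)."""
import re
from collections import defaultdict

# Constructed sample (an assumption, not a configuration from the guide): a
# trimmed AS5300-style config with two planted mistakes, Dialer12 drawing on
# pool 3 (no members) and Dialer13 naming a peer and a dialer-group that do
# not exist.
SAMPLE_CONFIG = """\
username async1 password cisco
username async2 password cisco
username isdn1 password cisco
!
interface Serial0:23
 encapsulation ppp
 dialer pool-member 2
!
interface Group-Async1
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
!
interface Dialer10
 ip unnumbered loopback 1
 dialer remote-name async1
 dialer pool 1
 dialer-group 1
!
interface Dialer11
 dialer remote-name async2
 dialer pool 1
 dialer-group 1
!
interface Dialer12
 dialer remote-name isdn1
 dialer pool 3
 dialer-group 1
!
interface Dialer13
 dialer remote-name isdn9
 dialer pool 2
 dialer-group 2
!
dialer-list 1 protocol ip permit
"""

BLOCK_HEADERS = ("interface ", "line ", "router ", "controller ")


def parse_blocks(config):
    """Group commands by block header; key '' holds global commands.
    Block membership is decided by the header keywords and the '!' separators,
    so indented and flattened (unindented) configurations parse the same."""
    blocks = defaultdict(list)
    current = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current = ""
        elif line.startswith(BLOCK_HEADERS):
            current = line
            blocks[current]  # register the block even if it has no commands
        else:
            blocks[current].append(line)
    return blocks


def _first(cmds, pattern):
    """First capture group of the first command matching pattern, else None."""
    for cmd in cmds:
        m = re.match(pattern, cmd)
        if m:
            return m.group(1)
    return None


def check_dialer_profiles(config):
    """Return human-readable findings; an empty list means the bindings agree."""
    blocks = parse_blocks(config)
    usernames = {m.group(1) for c in blocks[""] if (m := re.match(r"username (\S+)", c))}
    dialer_lists = {m.group(1) for c in blocks[""] if (m := re.match(r"dialer-list (\d+)", c))}
    pool_members = defaultdict(list)  # pool number -> physical interfaces
    profiles = {}
    for header, cmds in blocks.items():
        if not header.startswith("interface "):
            continue
        ifname = header.split(None, 1)[1]
        member = _first(cmds, r"dialer pool-member (\d+)$")
        if member:
            pool_members[member].append(ifname)
        if ifname.startswith("Dialer"):
            profiles[ifname] = cmds
    findings = []
    for ifname, cmds in sorted(profiles.items()):
        pool = _first(cmds, r"dialer pool (\d+)$")
        peer = _first(cmds, r"dialer remote-name (\S+)$")
        group = _first(cmds, r"dialer-group (\d+)$")
        if pool is None:
            findings.append(f"{ifname}: no 'dialer pool' configured")
        elif pool not in pool_members:
            findings.append(f"{ifname}: dialer pool {pool} has no 'dialer pool-member {pool}' interface")
        if peer is not None and peer not in usernames:
            findings.append(f"{ifname}: dialer remote-name {peer} has no matching username entry")
        if group is not None and group not in dialer_lists:
            findings.append(f"{ifname}: dialer-group {group} has no matching dialer-list {group}")
    return findings


if __name__ == "__main__":
    for finding in check_dialer_profiles(SAMPLE_CONFIG) or ["no dialer-profile inconsistencies"]:
        print(finding)
```

The remote-name check matters for more than reachability: with dialer profiles the authenticated CHAP or PAP name is what selects the profile, so a peer name that no local username can authenticate leaves the call unbound and, on a bidirectional setup, silently falls back to whatever default the physical interface applies.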
Cisco AS5300 Access Server Configuration Without Dialer Profiles
The following bidirectional dial configuration runs on the Cisco AS5300 access server at headquarters
in Figure 117. This configuration enables calls to be sent to the SOHO router and received from remote
hosts and clients. The calling is bidirectional.
version xx.x
service udp-small-servers
service tcp-small-servers
!
hostname 5300
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
enable secret cisco
!
username async1 password cisco
username async2 password cisco
username async3 password cisco
username async4 password cisco
username async5 password cisco
username async6 password cisco
username async7 password cisco
username async8 password cisco
username isdn1 password cisco
username isdn2 password cisco
username isdn3 password cisco
username isdn4 password cisco
username isdn5 password cisco
username isdn6 password cisco
username isdn7 password cisco
username isdn8 password cisco
username DialupAdmin password cisco
!
isdn switch-type primary-dms100
chat-script cisco-default ABORT ERROR "" "AT" OK "ATDT\T" TIMEOUT 60 CONNECT
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
description ISDN Controller 0
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
description ISDN Controller 1
!
interface Ethernet0
ip address 172.18.39.40 255.255.255.0
no ip mroute-cache
ip ospf priority 0
!
interface Serial0:23
no ip address
no ip mroute-cache
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 2
!
interface Serial1:23
no ip address
no ip mroute-cache
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 2
!
interface Group-Async1
no ip address
no ip mroute-cache
encapsulation ppp
async dynamic address
async mode interactive
dialer in-band
dialer rotary-group 1
ppp authentication pap callin
ppp pap sent-username HQ5300 password 7 09434678520A
group-range 1 24
!
interface Dialer1
ip address 172.18.38.40 255.255.255.128
encapsulation ppp
no peer default ip address pool
dialer in-band
dialer map ip 172.18.38.41 name async1 14445558983
dialer map ip 172.18.38.42 name async2 14445552012
dialer map ip 172.18.38.43 name async3 14445550706
dialer map ip 172.18.38.44 name async4 14445552731
dialer map ip 172.18.38.45 name async5 14445554431
dialer map ip 172.18.38.46 name async6 14445551933
dialer map ip 172.18.38.47 name async7 14445557631
dialer map ip 172.18.38.48 name async8 14445555153
dialer hold-queue 10
dialer-group 1
ppp authentication pap chap callin
ppp pap sent-username DialupAdmin password 7 07063D11542
!
interface Dialer2
ip address 172.18.38.130 255.255.255.128
encapsulation ppp
no peer default ip address pool
dialer in-band
dialer map ip 172.18.38.131 name isdn1 14445557887
dialer map ip 172.18.38.132 name isdn2 14445551591
dialer map ip 172.18.38.133 name isdn3 14445552118
dialer map ip 172.18.38.134 name isdn4 14445553757
dialer map ip 172.18.38.135 name isdn5 14445553769
dialer map ip 172.18.38.136 name isdn6 14445557884
dialer map ip 172.18.38.137 name isdn7 14445557360
dialer map ip 172.18.38.138 name isdn8 14445550361
dialer hold-queue 10
dialer-group 1
ppp authentication chap pap
ppp multilink
!
router ospf 1
redistribute static subnets
passive-interface Dialer1
passive-interface Dialer2
network 172.18.0.0 0.0.255.255 area 0
!
ip domain-name cisco.com
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
line 1 24
no exec
exec-timeout 0 0
autoselect during-login
autoselect ppp
script dialer cisco-default
login local
modem InOut
modem autoconfigure type microcom_hdms
transport input telnet
line aux 0
line vty 0 1
exec-timeout 60 0
password cisco
login
line vty 2 5
exec-timeout 5 0
password cisco
login
!
end
Cisco 1604 ISDN Router Configuration Without Dialer Profiles
The following configuration runs on the remote office Cisco 1604 router, which dials in to the
Cisco AS5300 access server at headquarters in Figure 117. This configuration does not receive calls
from the Cisco AS5300 access server.
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname isdn1
!
enable password cisco
!
username 5300 password cisco
username isdn1 password cisco
isdn switch-type basic-5ess
!
interface Ethernet0
ip address 172.18.40.1 255.255.255.0
!
interface BRI0
ip address 172.18.38.131 255.255.255.128
encapsulation ppp
dialer map ip 172.18.38.130 name 5300 14085269328
dialer-group 1
ppp authentication chap pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.38.130
dialer-list 1 protocol ip permit
!
line con 0
line vty 0 4
password cisco
login
!
end
Cisco 1604 Router Asynchronous Configuration Without Dialer Profiles
The following asynchronous configuration runs on the remote office Cisco 1604 router, which dials in
to the Cisco AS5300 access server at headquarters in Figure 117. This configuration does not receive
calls from the Cisco AS5300 access server.
version xx.x
service udp-small-servers
service tcp-small-servers
!
hostname async1
!
enable password cisco
!
username 5300 password cisco
username async1 password cisco
chat-script dial_out "" "ATDT\T" TIMEOUT 60 CONNECT \c
!
interface Ethernet0
ip address 172.18.41.1 255.255.255.0
!
interface serial 0
physical-layer async
ip address 172.18.38.41 255.255.255.128
encapsulation ppp
dialer in-band
dialer map ip 172.18.38.40 name 5300 modem-script dial_out 14085559328
dialer-group 1
ppp authentication chap pap
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.38.40
dialer-list 1 protocol ip permit
!
line con 0
line 1
password cisco
login
!
end
Large-Scale Dial-In Configuration Using Virtual Profiles
The following example is used on each central site stack member shown in Figure 119. This
configuration is for a large-scale dial-in scenario.
aaa new-model
aaa authentication login default none
aaa authentication ppp default radius
aaa authentication ppp admin local
aaa authorization network radius
isdn switch-type primary-5ess
!
interface Serial0:23
no ip address
no ip mroute-cache
no cdp enable
ppp authentication chap
!
radius-server host 172.18.203.45
! the shared secret must match the one configured on the RADIUS server; use your own value
radius-server key <shared-secret>
virtual-profile aaa
The following example configures an entry running on a RADIUS security server, which is queried by
each central site stack member when a call comes in. This entry includes the virtual profile configuration
information for remote users dialing in to the central site stack solution.
In this example, virtual profiles are configured by both virtual templates and AAA configuration. John
and Rick can dial in from anywhere and keep the same keepalive settings and their own IP addresses.
The remaining attribute-value pair settings are not used by virtual profiles. They are the
network-protocol access lists and route filters used by AAA-based per-user configuration.
In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS
command line.
john Password = "welcome"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=keepalive 75\nip address 100.100.100.100 255.255.255.0",
    cisco-avpair = "ip:rte-fltr-out#0=router igrp 60",
    cisco-avpair = "ip:rte-fltr-out#3=deny 171.0.0.0 0.255.255.255",
    cisco-avpair = "ip:rte-fltr-out#4=deny 172.0.0.0 0.255.255.255",
    cisco-avpair = "ip:rte-fltr-out#5=permit any"
rick Password = "emoclew"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=keepalive 100\nip address 200.200.200.200 255.255.255.0",
    cisco-avpair = "ip:inacl#3=permit ip any any precedence immediate",
    cisco-avpair = "ip:inacl#4=deny igrp 0.0.1.2 255.255.0.0 any",
    cisco-avpair = "ip:outacl#2=permit ip any any precedence immediate",
    cisco-avpair = "ip:outacl#3=deny igrp 0.0.9.10 255.255.0.0 any"
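The users-file entries above pack IOS configuration into RADIUS attributes: the value of lcp:interface-config is a list of interface commands separated by the two characters backslash and n, and the ip:inacl#N, ip:outacl#N and ip:rte-fltr-out#N attributes carry numbered lines that the access server reassembles in order of N, whatever order the server returned them in. The following Python script is an added example, not from this guide or from any RADIUS server implementation; it parses entries in that syntax and expands them into the per-user pieces the NAS applies. The embedded sample is constructed from the two entries on this page, with one value wrapped across two lines the way the printed page wraps it, to show the rejoining logic; the function names are this example's own.

```python
"""Parse RADIUS users-file entries and expand cisco-avpair values (added example)."""
import re

# Constructed sample in users-file syntax: the john and rick entries from the
# guide, with one quoted value deliberately wrapped across two lines.
SAMPLE_USERS = r'''
john Password = "welcome"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=keepalive 75\nip address 100.100.100.100
    255.255.255.0",
    cisco-avpair = "ip:rte-fltr-out#0=router igrp 60",
    cisco-avpair = "ip:rte-fltr-out#3=deny 171.0.0.0 0.255.255.255",
    cisco-avpair = "ip:rte-fltr-out#4=deny 172.0.0.0 0.255.255.255",
    cisco-avpair = "ip:rte-fltr-out#5=permit any"
rick Password = "emoclew"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=keepalive 100\nip address 200.200.200.200 255.255.255.0",
    cisco-avpair = "ip:inacl#3=permit ip any any precedence immediate",
    cisco-avpair = "ip:inacl#4=deny igrp 0.0.1.2 255.255.0.0 any",
    cisco-avpair = "ip:outacl#2=permit ip any any precedence immediate",
    cisco-avpair = "ip:outacl#3=deny igrp 0.0.9.10 255.255.0.0 any"
'''

ENTRY_RE = re.compile(r'^(\S+)\s+Password\s*=\s*"([^"]*)"\s*$')
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*,?\s*$')
AVPAIR_RE = re.compile(r'^(?P<proto>\w+):(?P<attr>[\w-]+)(?:#(?P<idx>\d+))?=(?P<value>.*)$')
ACL_ATTRS = ("inacl", "outacl", "rte-fltr-in", "rte-fltr-out")


def logical_lines(text):
    """Yield lines, rejoining a quoted value that was wrapped across lines."""
    buf = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        buf = f"{buf} {raw.strip()}" if buf else raw.rstrip()
        if buf.count('"') % 2 == 0:      # quotes balanced: the line is complete
            yield buf
            buf = ""
    if buf:
        raise ValueError(f"unterminated quoted value: {buf!r}")


def parse_users_file(text):
    """Return {user: {'password', 'attributes', 'avpairs'}} for every entry."""
    users, current = {}, None
    for line in logical_lines(text):
        m = ENTRY_RE.match(line)
        if m:
            current = {"password": m.group(2), "attributes": {}, "avpairs": []}
            users[m.group(1)] = current
            continue
        if current is None:
            raise ValueError(f"attribute before any user entry: {line!r}")
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        name, value = m.group(1), m.group(2)
        if name == "cisco-avpair":
            current["avpairs"].append(value)
        else:
            current["attributes"][name] = value
    return users


def per_user_config(entry):
    """Expand an entry's cisco-avpairs into the pieces the NAS applies:
    virtual-interface commands plus numbered ACL and route-filter lines."""
    out = {"interface": []}
    numbered = {key: [] for key in ACL_ATTRS}
    for av in entry["avpairs"]:
        m = AVPAIR_RE.match(av)
        if not m:
            raise ValueError(f"malformed cisco-avpair: {av!r}")
        proto, attr, idx, value = m.group("proto", "attr", "idx", "value")
        if (proto, attr) == ("lcp", "interface-config"):
            # the separator is the literal two characters backslash and n
            out["interface"].extend(cmd.strip() for cmd in value.split("\\n"))
        elif proto == "ip" and attr in numbered and idx is not None:
            numbered[attr].append((int(idx), value))
        else:
            raise ValueError(f"unsupported cisco-avpair: {av!r}")
    for key, items in numbered.items():
        out[key] = [v for _, v in sorted(items)]   # reassemble in line order
    return out


if __name__ == "__main__":
    for name, entry in parse_users_file(SAMPLE_USERS).items():
        cfg = per_user_config(entry)
        print(f"{name}: interface commands {cfg['interface']}")
        for key in ACL_ATTRS:
            if cfg[key]:
                print(f"  {key}: {cfg[key]}")
```

Two points worth keeping in mind when operating this design. The users file stores each Password in cleartext, so its file permissions and the RADIUS server host are as sensitive as the NAS itself. And the NAS applies every lcp:interface-config command it receives without further checks, which means whoever can edit this file, or spoof a RADIUS reply to a NAS whose shared secret has leaked, can push arbitrary interface configuration onto the access server for the duration of a session.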
Telecommuters Dialing In to a Mixed Protocol Environment
The scenario in this section describes how to provide remote access to employees who dial in to a mixed
protocol enterprise network. The sample configurations provided in this section assume that enterprise
telecommuters are dialing in with modems or terminal adapters from outside the LAN at headquarters.
The following sections are provided:
• Description
• Enterprise Network Topology
• Mixed Protocol Dial-In Scenarios
Description
Sometimes an enterprise conducts its daily business operations across internal mixed protocol
environments. (See Figure 121 and Table 47.) For example, an enterprise might deploy an IP base across
the entire intranet while still allowing file sharing with other protocols such as AppleTalk and AppleTalk
Remote Access (ARA).
Figure 121 Large Enterprise with a Multiprotocol Network
(Figure not reproduced. It shows the mixed protocol network layout for bigcompany.com: an IP network with a Windows NT server, PCs, a UNIX host, and an external/internal web server, serving engineering or marketing clients running Windows or Solaris; and an AppleTalk network with an AppleTalk server and Macs, serving documentation or creative services clients running Mac OS system software.)
Table 47 Typical Mixed Protocol Environment
Applications Running on the Network Server | Remote or Local Client Applications | Protocol Used to Support the Network | Internal Supporting Department
Windows NT | Windows 95 or Windows 3.1 running on PCs | IP | Marketing, human resources, engineering, and customer support
UNIX | SunOS or Solaris running on a UNIX-based workstation or NCD | IP | Engineering and customer support
AppleTalk | Mac OS System Software 7.5 running on Macintosh computers | AppleTalk | Documentation and creative services
NetWare | Novell NetWare client software | IPX | Marketing, human resources, engineering, and customer support
Enterprise Network Topology
Figure 122 shows a sample enterprise network, which supports 10,000 registered token card holders.
Some registered users might use their access privileges each day, while others might use their access
privileges very infrequently, such as only on business trips. The dial-in access provisioned for outsiders,
such as partners or vendors, is supported separately in a firewalled setup.
Five Cisco AS5300 access servers are positioned to provide 250 dial-in ports for incoming modem calls.
A Catalyst 1900 is used as a standalone switch to provide Ethernet switching between the Cisco AS5300
access servers and the 100BASE-T interfaces on the backbone routers. Two Cisco 7200 series routers are
used to reduce the processing workload on the access servers and provide access to the company's
backbone. If the Cisco 7200 series routers were not used in the network solution, the Cisco AS5300
access servers could not keep up with routing table updates, especially if 20 to 30 additional routers existed on the
company's backbone. Two additional backbone switches are used to provide access to the company
network.
Note Depending on your networking needs, the Cisco 7200 series routers could be substituted by one or
more Cisco 3640 series routers. Additionally, the Cisco AS5300 access servers could be replaced by
Cisco 3640 routers loaded with MICA digital modem cards.
Enterprise Dial Scenarios and Configurations
Telecommuters Dialing In to a Mixed Protocol Environment
DC-830
Cisco IOS Dial Technologies Configuration Guide
Figure 122 Sample Enterprise Network Topology
(Figure not reproduced. It shows telecommuter PCs fitted with terminal adapters, and sales people dialing in with internal modems, reaching the hunt group dial-in number 1-800-555-1212 over the ISDN and analog network. The calls terminate on the access server stack group at headquarters, which connects through a Catalyst 1900 to Cisco 7200 #1 and Cisco 7200 #2, and from there through two backbone switches to the mixed protocol network leading to clients, hosts, and other routers.)
If you are setting up dial-in access for remote terminal adapters, the settings configured on the terminal
adapters must match the settings on the access server or router. Depending on your business application,
terminal adapters can operate in many different modes. (See Table 48.)
Table 48 Options for Terminal Adapter Settings
Terminal Adapter Mode | Comments
Synchronous PPP | We recommend this mode for most terminal adapter scenarios. By default, Cisco access servers and routers have synchronous PPP enabled, so no additional configuration is required on the router or access server.
V.120 | Use this mode for asynchronous-to-synchronous communication, which can be used to tunnel character mode sessions over synchronous ISDN. We recommend this mode with midrange routers, such as the Cisco 4500 series router.
V.110 | Use this mode for setting up cellular modem access.
Mixed Protocol Dial-In Scenarios
The examples in the following sections are intended to run on each network device featured in
Figure 122, which allows remote users to dial in to a mixed protocol environment:
• Cisco 7200 #1 Backbone Router
• Cisco 7200 #2 Backbone Router
• Cisco AS5300 Universal Access Server
Note Be sure to include your own IP addresses, host names, and security passwords where appropriate.
Cisco 7200 #1 Backbone Router
The following configuration runs on the router labeled Cisco 7200 #1 in Figure 122. Fast Ethernet
interface 0/0 connects to the corporate backbone switch. Fast Ethernet interface 1/0 connects to the
Catalyst 1900 switch, which in turn connects to the Cisco AS5300 access servers.
version xx.x
no service udp-small-servers
no service tcp-small-servers
!
hostname bbone-dial1
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
!
username admin password cisco
!
boot system flash slot0:
enable secret
appletalk routing
ipx routing
!
interface FastEthernet0/0
ip address 10.0.1.52 255.255.255.192
appletalk cable-range 1000-1000
appletalk zone Networking Infrastructure
ipx network 1000
!
interface FastEthernet1/0
ip address 10.1.1.2 255.255.255.224
no ip redirects
appletalk cable-range 7650-7650 7650.1
appletalk zone Dial-Up Net
ipx network 7650
standby ip 10.1.1.1
standby priority 101
standby preempt
!
router eigrp 109
redistribute static
network 10.0.0.0
no auto-summary
!
ip classless
ip http server
no logging console
!
ip route 10.1.2.0 255.255.255.192 10.1.1.10
!
line con 0
login authentication console
!
line vty 0 4
login authentication default
end
Cisco 7200 #2 Backbone Router
The following configuration runs on the router labeled Cisco 7200 #2 in Figure 122. Fast Ethernet
interface 0/0 connects to the corporate backbone switch. Fast Ethernet interface 1/0 connects to the
Catalyst 1900 switch, which in turn connects to the Cisco AS5300 access servers.
version xx.x
no service udp-small-servers
no service tcp-small-servers
!
hostname bbone-dial2
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
!
username admin password cisco
!
boot system flash slot0:
enable secret
appletalk routing
ipx routing
!
interface FastEthernet0/0
ip address 10.0.1.116 255.255.255.192
appletalk cable-range 1001-1001
appletalk zone Networking Infrastructure
ipx network 1001
!
interface FastEthernet1/0
ip address 10.1.1.3 255.255.255.224
no ip redirects
appletalk cable-range 7650-7650 7650.2
appletalk zone Dial-Up Net
ipx network 7650
standby ip 10.1.1.1
!
router eigrp 109
redistribute static
network 10.0.0.0
no auto-summary
!
ip classless
ip http server
no logging console
!
ip route 10.1.2.0 255.255.255.192 10.1.1.10
!
line con 0
login authentication console
!
line vty 0 4
login authentication default
!
end
Cisco AS5300 Universal Access Server
The following configuration runs on each Cisco AS5300 access server in the stack group shown in
Figure 122:
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
appletalk routing
ipx routing
appletalk virtual net 7651 Dial-Up Net
arap network 7652 Dial-Up Net
!
hostname NAS
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin local
aaa authentication ppp default local
aaa authentication ppp dialin if-needed local
aaa authentication arap default auth-guest local
enable secret cisco
!
username admin password cisco
username pcuser1 password mypass
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface loopback 0
ip address 10.1.2.0 255.255.255.192
ipx network 7651
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
appletalk cable-range 7650-7650
appletalk zone Dial-Up Net
ipx network 7650
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
appletalk client-mode
ipx ppp-client
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
interface Dialer0
ip unnumbered Ethernet0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
ipx ppp-client
appletalk client-mode
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
ip local pool dialin_pool 10.1.2.1 10.1.2.62
ip default-gateway 10.1.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
dialer-list 1 protocol ip permit
!
async-bootp dns-server 10.1.0.40 10.1.0.170
async-bootp nbns-server 10.0.235.228 10.0.235.229
!
xremote buffersize 72000
xremote tftp host 10.0.2.74
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
autoselect arap
arap enable
arap authentication default
arap timelimit 240
arap warningtime 15
login authentication dialin
modem DialIn
terminal-type dialup
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
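The access server configuration above enables service password-encryption, and it is worth being precise about what that buys: IOS rewrites password operands (username, enable password, line, ppp pap sent-username) into type 7 strings, which are a fixed-key XOR that anyone holding a copy of the configuration can reverse in a few lines, and it does not touch enable secret, which is a real hash and is the form to use. The following Python script is an added example, not from this guide or from Cisco; it implements the type 7 encoding and decoding and runs a small audit over a constructed sample configuration in the style of the examples on this page. The sample, its passwords and the finding texts are assumptions made for illustration.

```python
"""Audit an IOS configuration for weak password handling (added example)."""
import re

# Public XOR key used by IOS type 7; the same in every image.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def encode_type7(plaintext, seed=7):
    """Build a type 7 string: two-digit seed, then one hex byte per character."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 00 through 15")
    body = "".join(f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
                   for i, ch in enumerate(plaintext))
    return f"{seed:02d}{body}"


def decode_type7(encoded):
    """Reverse encode_type7; return None if the string is not well-formed type 7."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        return None
    if not re.fullmatch(r"[0-9A-Fa-f]+", encoded[2:]):
        return None
    seed = int(encoded[:2])
    return "".join(
        chr(int(encoded[pos:pos + 2], 16) ^ ord(XLAT[(seed + (pos - 2) // 2) % len(XLAT)]))
        for pos in range(2, len(encoded), 2))


def _describe(kind, secret):
    """Say what a 'password [0|7] <value>' operand actually protects."""
    if kind == "7":
        plain = decode_type7(secret)
        return f"type 7, decodes to {plain!r}" if plain is not None else "type 7 but malformed"
    return f"cleartext {secret!r}"


BLOCK_RE = re.compile(r"^(interface|line|router|controller)\s")
ENABLE_RE = re.compile(r"^enable password(?: ([07]))? (\S+)$")
USER_RE = re.compile(r"^username (\S+) password(?: ([07]))? (\S+)$")
PAP_RE = re.compile(r"^ppp pap sent-username (\S+) password(?: ([07]))? (\S+)$")
LINE_PW_RE = re.compile(r"^password(?: ([07]))? (\S+)$")
SMALL_SERVERS = ("service tcp-small-servers", "service udp-small-servers")


def audit(config):
    """Return findings in configuration order, each naming the line or block."""
    findings, section = [], None          # section = current interface/line block
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            section = None
            continue
        if BLOCK_RE.match(line):
            section = line
            continue
        where = f" [{section}]" if section else ""
        in_line_block = bool(section and section.startswith("line "))
        if line in SMALL_SERVERS:
            findings.append(f"{line}: legacy small servers enabled; use 'no {line}'")
        elif m := ENABLE_RE.match(line):
            findings.append(f"enable password ({_describe(m.group(1), m.group(2))}); "
                            "use 'enable secret' instead")
        elif m := USER_RE.match(line):
            findings.append(f"username {m.group(1)}: {_describe(m.group(2), m.group(3))}; "
                            f"use 'username {m.group(1)} secret ...'")
        elif m := PAP_RE.match(line):
            findings.append(f"ppp pap sent-username {m.group(1)}{where}: "
                            f"{_describe(m.group(2), m.group(3))}; PAP also sends it "
                            "in cleartext over the link")
        elif line.startswith("ppp authentication ") and "pap" in line.split():
            findings.append(f"{line}{where}: offers PAP; prefer CHAP only")
        elif in_line_block and (m := LINE_PW_RE.match(line)):
            findings.append(f"{section}: static line password "
                            f"({_describe(m.group(1), m.group(2))}); prefer 'login local' "
                            "or 'login authentication <list>'")
        elif in_line_block and line == "transport input telnet":
            findings.append(f"{section}: Telnet-only management; use SSH where the image supports it")
    return findings


ENC = encode_type7("cisco")   # what 'service password-encryption' would store

# Constructed sample (an assumption, not a configuration from the guide).
SAMPLE_CONFIG = f"""\
service password-encryption
service tcp-small-servers
hostname NAS
enable password 7 {ENC}
username admin password 7 {ENC}
username DialupAdmin password 7 {ENC}
!
interface Dialer0
 encapsulation ppp
 ppp authentication chap pap
 ppp pap sent-username DialupAdmin password 7 {ENC}
!
line vty 0 4
 password 7 {ENC}
 login
 transport input telnet
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The decoder also explains why the sample type 7 strings printed in this guide (such as 07063D11542) are not recoverable: they have an odd number of characters after the seed, so they are placeholders rather than real IOS output. On the checks themselves, the page's own examples vary: the first AS5300 configuration enables the small servers and uses enable secret, the ISP configuration at the end disables them, and several remote routers use enable password, so an audit like this is a quick way to find which variant a given router actually runs.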
Telco and ISP Dial Scenarios and Configurations
This chapter provides sample hardware and software configurations for specific dial scenarios used by
telcos, Internet service providers (ISPs), regional Bell operating companies (RBOCs), inter-exchange
carriers (IXCs), and other service providers. Each configuration in this chapter is designed to enable IP
network traffic with basic security authentication.
The following scenarios are described:
• Scenario 1—Small- to Medium-Scale POPs
• Scenario 2—Large-Scale POPs
• Scenario 3—PPP Calls over X.25 Networks
Note In all of these scenarios, you can replace the Cisco AS5200 access server with a Cisco AS5300 or
Cisco AS5800 access server. This hardware exchange provides higher call density and increases the
number of PRI interfaces and modem ports on each chassis.
Small- to Medium-Scale POPs
Many small-to-medium-sized ISPs configure one or two access servers to provide dial-in access for their
customers. Many of these dial-in customers use individual remote PCs that are not connected to LANs.
Using the Windows 95 dialup software, remote clients initiate analog or digital connections using
modems or home office ISDN BRI terminal adapters.
This section provides three types of single user dial-in scenarios for service providers:
• Individual Remote PCs Using Analog Modems
• Individual PCs Using ISDN Terminal Adapters
• Mixture of ISDN and Analog Modem Calls
Note Be sure to include your own IP addresses, host names, and security passwords where appropriate.
The following sample configurations assume that the dial-in clients are individual PCs running PPP,
connecting to an IP network, and requiring only basic security authentication.
Individual Remote PCs Using Analog Modems
ISPs can configure a single Cisco access server to receive analog calls from remote PCs connected to
modems, as shown in Figure 123. The point of presence (POP) at the ISP central site could also be a
Cisco 2511 access server connected to external modems.
Network Topology
Figure 123 shows a small-scale dial-in scenario using modems.
Figure 123 Remote PC Using an Analog Modem to Dial In to a Cisco Access Server
(Figure not reproduced. It shows a PC running Windows 95 with an analog modem placing analog calls over the standard telephone network (POTS) to a Cisco AS5200 with a T1 PRI, which an ISP uses to provide Internet access.)
Running Configuration for ISDN PRI
The following sample configuration runs on the Cisco access server, as shown in Figure 123, which
enables remote analog users to dial in:
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login console enable
aaa authentication login vty tacacs+
aaa authentication login dialin tacacs+
aaa authentication ppp default tacacs+
aaa authentication ppp dialin if-needed tacacs+
enable secret cisco
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
!
interface Serial1:23
no ip address
isdn incoming-voice modem
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
!
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
Some service providers use a remote TACACS+ or RADIUS security server in this dial-in scenario. The
following example shows a TACACS+ entry that appears in the configuration file of a remote security
server:
user = PCuser1 {
    login = cleartext "dialpass1"
    chap = cleartext "dialpass1"
    service = ppp protocol = ip {
        addr-pool = dialin_pool
    }
    service = exec {
        autocmd = "ppp negotiate"
    }
}
user = PCuser2 {
    login = cleartext "dialpass2"
    chap = cleartext "dialpass2"
    service = ppp protocol = ip {
        addr-pool = dialin_pool
    }
    service = exec {
        autocmd = "ppp negotiate"
    }
}
user = PCuser3 {
    login = cleartext "dialpass3"
    chap = cleartext "dialpass3"
    service = ppp protocol = ip {
        addr-pool = dialin_pool
    }
    service = exec {
        autocmd = "ppp negotiate"
    }
}
Running Configuration for Robbed-Bit Signaling
The following example shows a single Cisco access server configured to support remote client PCs
dialing in with analog modems over traditional T1 lines. Digital ISDN calls do not transmit across these
older types of channelized lines. The configuration assumes that the client can dial in and connect to the
router in either terminal emulation mode (text only) or PPP packet mode.
Note The following configuration works only for analog modem calls. It includes no serial D-channel
configuration (Serial 0:23 and Serial 1:23).
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login console enable
aaa authentication login vty tacacs+
aaa authentication login dialin tacacs+
aaa authentication ppp default tacacs+
aaa authentication ppp dialin if-needed tacacs+
enable secret cisco
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
cas-group 0 timeslots 1-24 type e&m-fgb
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
cas-group 0 timeslots 1-24 type e&m-fgb
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
Individual PCs Using ISDN Terminal Adapters
ISPs can configure a single Cisco access server to receive digital multilink calls from remote PCs
connected to terminal adapters, as shown in Figure 124. The POP at the central site of the ISP can be
any Cisco router that supports ISDN PRI, such as the Cisco 4700-M router loaded with a channelized
T1 PRI network module.
Network Topology
Figure 124 shows a small-scale dial-in scenario using terminal adapters.
Figure 124 Remote PC Using a Terminal Adapter to Dial In to a Cisco Access Server
To configure one Cisco access server to accept both incoming ISDN and analog calls from individual
terminal adapters and modems, see the section “Mixture of ISDN and Analog Modem Calls” later in this
chapter.
[Figure 124 labels: home office remote PC running Windows 95 with a terminal adapter; BRI into the ISDN network (digital calls); T1 PRI into a Cisco AS5200 used to provide Internet access by an ISP; Internet]
Terminal Adapter Configuration Example
The following example configures a Cisco access server to enable PCs fitted with internal or external
terminal adapters to dial in to an IP network. The terminal adapter configuration is set up for
asynchronous-to-synchronous PPP conversion. In some cases, PPP authentication must be set up for the
Password Authentication Protocol (PAP). Some terminal adapters support only PAP authentication.
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login console enable
aaa authentication login vty tacacs+
aaa authentication login dialin tacacs+
aaa authentication ppp default tacacs+
aaa authentication ppp dialin if-needed tacacs+
enable secret cisco
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
Mixture of ISDN and Analog Modem Calls
ISPs can configure a single Cisco access server to receive calls from a mixture of remote PCs connected
to terminal adapters and modems, as shown in Figure 125.
Figure 125 Remote PCs Making Digital Calls and Analog Calls to a Cisco Access Server
Combination of Modem and ISDN Dial-In Configuration Example
The following example shows a combination of the modem and ISDN dial-in configurations. Using the
bearer capability information element in the call setup packet, the incoming calls are labeled as data or
voice. After the calls enter the access server, they are routed either to the serial configuration or to the
modems and group asynchronous configuration.
Note This configuration assumes that only individual remote PCs are dialing in; no remote routers are
dialing in. For a remote router dial-in configuration, see the chapter “Enterprise Dial Scenarios and
Configurations” in this publication.
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login console enable
aaa authentication login vty tacacs+
aaa authentication login dialin tacacs+
aaa authentication ppp default tacacs+
aaa authentication ppp dialin if-needed tacacs+
enable secret cisco
!
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
end
Large-Scale POPs
This section describes how to set up a stack of access servers for a large-scale dial solution and includes
the following sections:
• Scaling Considerations
• How Stacking Works
• Stack Group of Access Servers Using MMP with an Offload Processor Examples
Scaling Considerations
Because of the significant increase in demand for Internet access, large POPs are required by many
Telcos and ISPs. Internet access configurations can be set up to enable users who dial in with individual
computers to make mixed ISDN multilink or modem connections using a stack of Cisco access servers
that run Multichassis Multilink PPP (MMP).
You must consider scalability and call density issues when designing a large-scale dial-in POP. Because
access servers have physical limitations, such as how many dial-in users can be supported on one device,
you should consider the conditions and recommendations described in Table 49.
Note Depending on the size of your POP requirement, you can replace the Cisco AS5200 access server
with a Cisco AS5300, Cisco AS5800, or Cisco AccessPath. This hardware exchange provides higher
call density performance and increases the number of ISDN PRI ports, channelized ports, and modem
ports on each chassis.
How Stacking Works
Before you install and configure a stack of access servers, you should understand the basic concepts
described in the following sections and how they work together in a large-scale dial-in solution:
• A Typical Multilink PPP Session
• Using Multichassis Multilink PPP
• Setting Up an Offload Server
• Using the Stack Group Bidding Protocol
• Using L2F
A Typical Multilink PPP Session
A basic multilink session is an ISDN connection between two routing devices, such as a Cisco 766 router
and a Cisco AS5200 access server. Figure 126 shows a remote PC connecting to a Cisco 766 ISDN
router, which in turn opens two B-channel connections at 128 kbps across an ISDN network. The
Multilink PPP (MLP) session is brought up. The Cisco 766 router sends four packets across the network
to the Cisco AS5200, which in turn reassembles the packets back into the correct order and sends them
out the LAN port to the Internet.
Table 49 Recommended Configurations for Different Remote Access Needs

Dial-in demand you need to support: PCs dialing in, 75 to 90 percent modem calls, 10 to 25 percent
ISDN calls (terminal adapters or routers), and support for fewer than 96 (T1) to 116 (E1)
simultaneous dial-in connections.
Recommended configuration: Two Cisco access servers configured for IP, basic security, MMP, L2F,
and no offload server.

Dial-in demand you need to support: PCs dialing in, less than 50 percent modem calls, more than
50 percent ISDN calls (terminal adapters or routers), dial-in only, and 250 or more simultaneous
links into the offload server.
Recommended configuration: Three or more Cisco access servers configured for IP, remote security,
MMP, and L2F. Each Cisco access server is configured to offload its segmentation and reassembly of
the multilink sessions onto an offload server, such as a Cisco 7202 or Cisco 4700 router.
Figure 126 A Typical Multilink PPP Session
Using Multichassis Multilink PPP
The dial solution becomes more complex when the scenario is scaled to include multiple multilink calls
connecting across multiple chassis. Figure 127 shows a terminal adapter making a call in to the
Cisco AS5200, labeled #1. However, only one of the access server’s 48 B channels is available to accept
the call. The other channels are busy with calls. As a result, one of the terminal adapter’s two B channels
is redirected to device #2. At this point, a multilink multichassis session is shared between two
Cisco AS5200s that belong to the same stack group. Packet fragments A and C go to device #1. Packet
fragments B and D go to device #2.
Because device #1 is the first access server to receive a packet and establish a link, this access server
creates a virtual interface and becomes the bundle master. The bundle master takes ownership of the
MLP session with the remote device. The Multichassis Multilink PPP (MMP) protocol forwards the
second link from device #2 to the bundle master, which in turn bundles the two B channels together and
provides 128 kbps to the end user. Layer 2 Forwarding (L2F) is the mechanism that device #2 uses to
forward all packet fragments received from the terminal adapter to device #1. In this way, all packets and
calls virtually appear to terminate at device #1.
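To make the fragment flow just described concrete, here is an added Python model (not from this guide and not Cisco's code) of a bundle master merging the fragments it received on its own B channel with those another stack member forwarded over L2F, then rebuilding the packets in sequence order. The fragment labels A to D, the device names and the round-robin split across two links are constructed to match the Figure 127 description; the real MLP sequence-number header and the L2F tunnel itself are abstracted into a list and a method call.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    seq: int        # multilink sequence number, increasing across both B channels
    begin: bool     # first fragment of a packet (the MLP "B" bit)
    end: bool       # last fragment of a packet (the MLP "E" bit)
    payload: bytes


@dataclass
class StackMember:
    name: str
    received: list = field(default_factory=list)   # fragments that arrived on this chassis' own B channels

    def receive(self, frag):
        self.received.append(frag)


class BundleMaster(StackMember):
    """The member that took the first link owns the virtual interface and the MLP session."""

    def __init__(self, name):
        super().__init__(name)
        self.forwarded = []   # fragments tunnelled in over L2F by other stack members

    def accept_l2f(self, member_name, frag):
        self.forwarded.append((member_name, frag))

    def reassemble(self):
        """Merge local and L2F-forwarded fragments, check for gaps, rebuild packets in order."""
        frags = sorted(self.received + [f for _, f in self.forwarded], key=lambda f: f.seq)
        packets, current, expect = [], [], None
        for f in frags:
            if expect is not None and f.seq != expect:
                raise ValueError(f"lost fragment: expected seq {expect}, got {f.seq}")
            if f.begin:
                current = []
            current.append(f.payload)
            if f.end:
                packets.append(b"".join(current))
                current = []
            expect = f.seq + 1
        if current:
            raise ValueError("incomplete packet at end of sequence")
        return packets


def split_across_links(fragments, n_links):
    """Round-robin fragments over n B channels, as the terminal adapter in Figure 127 does."""
    return [fragments[i::n_links] for i in range(n_links)]


def run_scenario():
    """Constructed scenario: fragments A and C land on device #1, B and D on device #2."""
    frags = [
        Fragment(0, True, False, b"A"),
        Fragment(1, False, True, b"B"),
        Fragment(2, True, False, b"C"),
        Fragment(3, False, True, b"D"),
    ]
    link1, link2 = split_across_links(frags, 2)
    master = BundleMaster("AS5200-1")     # device #1: first link, so it becomes bundle master
    member2 = StackMember("AS5200-2")     # device #2: the second B channel was redirected here
    for f in link1:
        master.receive(f)
    for f in link2:
        member2.receive(f)
    for f in member2.received:            # L2F: device #2 forwards its fragments over the LAN
        master.accept_l2f(member2.name, f)
    return master.reassemble()


def fragments_complete(fragments):
    """True when the fragments reassemble without a gap, False when one was lost."""
    m = BundleMaster("check")
    for f in fragments:
        m.receive(f)
    try:
        m.reassemble()
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(run_scenario())   # [b'AB', b'CD']
```

The gap check is the operationally important part: a fragment lost on either chassis stalls reassembly of the whole bundle, which is why every fragment has to reach the bundle master rather than being processed where it happened to arrive.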
[Figure 126 labels: PC running Windows 95 behind a Cisco 766; ISDN network; hunt group 555-1001; dial-in session #1; Cisco AS5200 in the service provider network; Internet access; packets numbered 1 to 4 shown split across the two B channels and reassembled in order]
Figure 127 A Stack Group of Access Servers Using MMP Without an Offload Processor
Setting Up an Offload Server
Because MMP is a processor-intensive application, you might need to offload the processing or
segmentation and reassembly from the Cisco access servers to a router with a more powerful CPU, such
as the Cisco 4700-M or Cisco 7206. We recommend that you include an offload server for dial-in
solutions that support more than 50 percent ISDN calls or more than 10 multilink sessions per Cisco
access server. (See Figure 128.)
[Figure 127 labels: stack of two Cisco AS5200 access servers (#1 and #2) used in one service provider network; hunt group 555-1001; remote security server; analog network with a PC and modem (dial-in session #2); ISDN network with a PC and terminal adapter (dial-in session #1); packet fragments A and C to #1, B and D to #2; Internet access]
Figure 128 A Stack Group of Access Servers Using MMP with an Offload Processor
Using the Stack Group Bidding Protocol
The Stack Group Bidding Protocol (SGBP) is a critical component used in multichassis multilink
sessions. SGBP unites each Cisco access server in a virtual stack, which enables the access servers to
become virtually tied together. Each independent stack member communicates with the other members
and determines which device's CPU should be in charge of running the multilink session and packet
reassembly, which is the duty of the bundle master. The goal of SGBP is to find a common place to
forward the links and ensure that this destination has enough CPU power to perform the segmentation
and packet reassembly. (See Figure 128.)
When SGBP is configured on each Cisco access server, each access server sends out a query to each
stack group member stating, for example, “I have a call coming in from walt@options.com. What is your
bid for this user?” Each access server then consults the following default bidding criteria and answers
the query accordingly:
• Do I have an existing call or link for the user walt@options.com? If I do, then bid very high to get
this second link in to me.
• If I do not have an existing call for walt@options.com, then bid a value that is proportional to how
much CPU power I have available.
• How busy am I supporting other users?
[Figure 128 labels: stack of three Cisco AS5200 access servers (#1, #2 and #3) used in one service provider network; hunt group 555-1001; remote security server; analog network with a PC and modem (dial-in session #2); ISDN network with a PC and terminal adapter and a PC running Windows 95 behind a Cisco 766 (dial-in session #1); packet fragments A to D; Cisco 7206 used for offload processing, with a rigged bid for each call, connected over HSSI to Internet access; using L2F, all packets are encapsulated and forwarded to the Cisco 7206 for reassembly of the multilink and single link process]
Note An offload server will always serve as the bundle master by bidding a higher value than the other
devices.
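The bidding criteria listed above, as an added Python simulation (not SGBP's actual implementation and not code from this guide). The bid constants OFFLOAD_BID and EXISTING_LINK_BID, the CPU percentages and the tie-break rule are constructed to reproduce the ordering the text describes: a member configured with sgbp seed-bid offload always wins, a member that already holds a link for the user bids very high, and otherwise the bid is proportional to free CPU less the load of users already being served. The real bid arithmetic is not documented on this page.

```python
from dataclasses import dataclass, field

# Constructed bid constants: large enough to reproduce the ordering the text describes
OFFLOAD_BID = 9999        # a member configured with 'sgbp seed-bid offload' always wins
EXISTING_LINK_BID = 5000  # a member that already holds a link for this user bids very high


@dataclass
class Member:
    name: str
    cpu_free_pct: int                            # idle CPU, 0-100
    offload: bool = False                        # 'sgbp seed-bid offload' configured
    links: dict = field(default_factory=dict)    # user -> number of links already terminated here

    def bid(self, user):
        """Answer the query 'I have a call coming in from <user>; what is your bid?'"""
        if self.offload:
            return OFFLOAD_BID
        if user in self.links:
            return EXISTING_LINK_BID + self.links[user]   # keep the whole bundle on one chassis
        busy = sum(self.links.values())                   # how busy am I supporting other users?
        return max(0, self.cpu_free_pct - busy)           # otherwise proportional to free CPU


class StackGroup:
    def __init__(self, members):
        self.members = {m.name: m for m in members}

    def elect_bundle_master(self, user, receiving_member):
        """Run one round of bidding for a link that physically arrived at receiving_member.

        Returns the winner's name and the full bid table. On an exact tie the member
        that received the call keeps it, since that avoids an L2F hop (constructed rule).
        """
        bids = {name: m.bid(user) for name, m in self.members.items()}
        winner = max(bids, key=lambda n: (bids[n], n == receiving_member))
        self.members[winner].links[user] = self.members[winner].links.get(user, 0) + 1
        return winner, bids


def two_member_stack():
    """Figure 127 style stack without an offload server: which member masters each of two links."""
    stack = StackGroup([Member("AS5200-1", cpu_free_pct=60), Member("AS5200-2", cpu_free_pct=90)])
    first, _ = stack.elect_bundle_master("walt@options.com", "AS5200-1")
    second, _ = stack.elect_bundle_master("walt@options.com", "AS5200-2")
    return first, second


def stack_with_offload():
    """Figure 128 style stack: the router with 'sgbp seed-bid offload' wins every round."""
    stack = StackGroup([Member("AS5200-1", 60), Member("AS5200-2", 90), Member("7200", 40, offload=True)])
    return [stack.elect_bundle_master("walt@options.com", rx)[0] for rx in ("AS5200-1", "AS5200-2")]


if __name__ == "__main__":
    print(two_member_stack())    # ('AS5200-2', 'AS5200-2')
    print(stack_with_offload())  # ['7200', '7200']
```

In the two-member case the first link lands on the idler member even though it arrived at the other chassis, and the second link follows it because the existing-link bid dominates; with the offload router present, neither access server ever becomes bundle master, which is exactly the behaviour the Note above describes.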
Using L2F
L2F is a critical component used in multichassis multilink sessions. If an access server is not in charge
of a multilink session, the access server encapsulates the fragmented PPP frames and forwards them to
the bundle master using L2F. The master device receives the calls, not through the dial port (such as a
dual T1/PRI card), but through the LAN or Ethernet port. L2F simply tunnels packet fragments to the
device that owns the multilink session for the call. If you include an offload server in your dial-in
scenario, it creates all the virtual interfaces, owns all the multilink sessions, and reassembles all the
fragmented packets received by L2F via the other stack group members. (Refer to Figure 128.)
Stack Group of Access Servers Using MMP with an Offload Processor Examples
The following sections provide examples for the devices shown in Figure 128:
• Cisco Access Server #1
• Cisco Access Server #2
• Cisco Access Server #3
• Cisco 7206 as Offload Server
• RADIUS Remote Security Examples
Note Be sure to include your own IP addresses, host names, and security passwords where appropriate.
Cisco Access Server #1
The following configuration runs on the Cisco access server labeled #1 in Figure 128:
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname AS5200-1
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin radius
aaa authentication ppp default local
aaa authentication ppp dialin if-needed radius
aaa authorization exec local radius
aaa authorization network radius
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
enable secret cisco
!
username admin password cisco
username MYSTACK password STACK-SECRET
sgbp group MYSTACK
sgbp member AS5200-2 10.1.1.12
sgbp member AS5200-3 10.1.1.13
sgbp member 7200 10.1.1.14
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.62 255.255.255.192
!
interface Ethernet0
ip address 10.1.1.11 255.255.255.0
ip summary-address eigrp 10 10.1.2.0 255.255.255.192
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
radius-server host 10.1.1.23 auth-port 1645 acct-port 1646
radius-server host 10.1.1.24 auth-port 1645 acct-port 1646
radius-server key cisco
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
Cisco Access Server #2
The following configuration runs on the Cisco access server labeled #2 shown in Figure 128:
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname AS5200-2
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin radius
aaa authentication ppp default local
aaa authentication ppp dialin if-needed radius
aaa authorization exec local radius
aaa authorization network radius
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
enable secret cisco
!
username admin password cisco
username MYSTACK password STACK-SECRET
sgbp group MYSTACK
sgbp member AS5200-1 10.1.1.11
sgbp member AS5200-3 10.1.1.13
sgbp member 7200 10.1.1.14
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.126 255.255.255.192
!
interface Ethernet0
ip address 10.1.1.12 255.255.255.0
ip summary-address eigrp 10 10.1.2.64 255.255.255.192
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.65 10.1.2.114
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
radius-server host 10.1.1.23 auth-port 1645 acct-port 1646
radius-server host 10.1.1.24 auth-port 1645 acct-port 1646
radius-server key cisco
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
Cisco Access Server #3
The following configuration runs on the Cisco access server labeled #3 in Figure 128:
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname AS5200-3
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin radius
aaa authentication ppp default local
aaa authentication ppp dialin if-needed radius
aaa authorization exec local radius
aaa authorization network radius
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
enable secret cisco
!
username admin password cisco
username MYSTACK password STACK-SECRET
sgbp group MYSTACK
sgbp member AS5200-1 10.1.1.11
sgbp member AS5200-2 10.1.1.12
sgbp member 7200 10.1.1.14
async-bootp dns-server 10.1.3.1 10.1.3.2
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
!
interface Loopback0
ip address 10.1.2.190 255.255.255.192
!
interface Ethernet0
ip address 10.1.1.13 255.255.255.0
ip summary-address eigrp 10 10.1.2.128 255.255.255.192
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Serial0:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Serial1:23
no ip address
encapsulation ppp
isdn incoming-voice modem
dialer rotary-group 0
dialer-group 1
no fair-queue
no cdp enable
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async mode interactive
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap dialin
group-range 1 48
!
interface Dialer0
ip unnumbered Loopback0
no ip mroute-cache
encapsulation ppp
peer default ip address pool dialin_pool
dialer in-band
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.129 10.1.2.178
ip default-gateway 10.1.1.1
ip classless
!
dialer-list 1 protocol ip permit
radius-server host 10.1.1.23 auth-port 1645 acct-port 1646
radius-server host 10.1.1.24 auth-port 1645 acct-port 1646
radius-server key cisco
!
line con 0
login authentication console
line 1 48
autoselect ppp
autoselect during-login
login authentication dialin
modem DialIn
line aux 0
login authentication console
line vty 0 4
login authentication vty
transport input telnet rlogin
!
end
Cisco 7206 as Offload Server
The following configuration runs on the Cisco 7206 router shown in Figure 128:
Note Any Cisco router that has a powerful CPU can be used as an offload server, such as a Cisco 4500-M,
4700-M, or 3640. However, the router must be configured to handle the necessary processing
overhead demanded by each stack member.
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname 7200
!
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login vty local
aaa authentication login dialin radius
aaa authentication ppp default local
aaa authentication ppp dialin if-needed radius
aaa authorization exec local radius
aaa authorization network radius
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
enable secret cisco
!
username MYSTACK password STACK-SECRET
username admin password cisco
multilink virtual-template 1
sgbp group MYSTACK
sgbp member AS5200-1 10.1.1.11
sgbp member AS5200-2 10.1.1.12
sgbp member AS5200-3 10.1.1.13
sgbp seed-bid offload
async-bootp dns-server 10.1.3.1 10.1.3.2
!
interface Loopback0
ip address 10.1.2.254 255.255.255.192
!
interface Ethernet2/0
ip address 10.1.1.14 255.255.255.0
ip summary address eigrp 10 10.1.2.192 255.255.255.192
!
interface Ethernet2/1
no ip address
shutdown
!
interface Ethernet2/2
no ip address
shutdown
!
interface Ethernet2/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback0
no ip mroute-cache
peer default ip address pool dialin_pool
ppp authentication chap pap dialin
ppp multilink
!
router eigrp 10
network 10.0.0.0
passive-interface Virtual-Template1
no auto-summary
!
ip local pool dialin_pool 10.1.2.193 10.1.2.242
ip default-gateway 10.1.1.1
ip classless
!
radius-server host 10.1.1.23 auth-port 1645 acct-port 1646
radius-server host 10.1.1.24 auth-port 1645 acct-port 1646
radius-server key cisco
!
line con 0
login authentication console
line aux 0
login authentication console
line vty 0 4
login authentication vty
!
end
RADIUS Remote Security Examples
The RADIUS examples in the following sections use the Internet Engineering Task Force (IETF) syntax
for the attributes:
• User Setup for PPP
• User Setup for PPP and Static IP Address
• Enabling Router Dial-In
• User Setup for SLIP
• User Setup for SLIP and Static IP Address
• Using Telnet to connect to a UNIX Host
• Automatic rlogin to UNIX Host
Depending on how the dictionary is set up, the syntax for these configurations might differ between
versions of RADIUS daemons.
Note You must have the async dynamic address command enabled on the network access server if you
use Framed-IP-Address to statically assign IP addresses.
User Setup for PPP
The following example shows a user setup for PPP. The user’s IP address comes from the configured
default IP address that is set up on the interface (which could be a specific default IP address, a pointer
to a local pool of addresses, or a pointer to a Dynamic Host Configuration Protocol (DHCP) server). The
special address that signals the default address is 255.255.255.254.
pppme Password = "cisco"
CHAP-Password = "cisco"
Service-Type = Framed,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254
User Setup for PPP and Static IP Address
The following example shows a user setup for PPP and a static IP address that stays with the user across
all connections. Make sure that your router is set up to support this configuration, especially for large or
multiple POPs.
staticallypppme Password = "cisco"
CHAP-Password = "cisco"
Service-Type = Framed,
Framed-Protocol = PPP,
Framed-IP-Address = 10.1.1.1
Enabling Router Dial-In
The following example supports a router dialing in, which requires that a static IP address and a route to the router's remote Ethernet segment be added to the network access server's routing table. The router's WAN port is assigned the address 10.1.1.2, and the remote Ethernet network is 10.2.1.0 with a class C (/24) mask, so the Framed-Route next hop is the dial-in router's own Framed-IP-Address. Be sure your routing table can support this requirement; you might need to redistribute the static route into a dynamic routing protocol.
routeme Password = "cisco"
CHAP-Password = "cisco"
Service-Type = Framed,
Framed-Protocol = PPP,
Framed-IP-Address = 10.1.1.2
Framed-Route = "10.2.1.0/24 10.1.1.2"
User Setup for SLIP
The following example shows a user setup for SLIP. Remote users are assigned to the default address on
the interface.
slipme Password = "cisco"
Service-Type = Framed,
Framed-Protocol = SLIP,
Framed-IP-Address = 255.255.255.254
User Setup for SLIP and Static IP Address
The following example shows a user setup for SLIP and a static IP address that stays with the user across
all connections. Make sure that your routing is set up to support this configuration, especially for large
or multiple POPs.
staticallyslipme Password = "cisco"
Service-Type = Framed,
Framed-Protocol = SLIP,
Framed-IP-Address = 10.1.1.13
Using Telnet to connect to a UNIX Host
The following example automatically uses Telnet to connect the user to a UNIX host. This configuration
is useful for registering new users, providing basic UNIX shell services, or providing a guest account.
telnetme Password = "cisco"
Service-Type = Login,
Login-Service = Telnet,
Login-IP-Host = 10.2.1.1
Automatic rlogin to UNIX Host
The following example automatically uses rlogin to connect the user to a UNIX host:
rloginme Password = "cisco"
Service-Type = Login,
Login-Service = Rlogin,
Login-IP-Host =10.3.1.2
If you want to prevent a second password prompt from being brought up, you must have the following
two commands enabled on the router or access server:
• rlogin trusted-remoteuser-source local
• rlogin trusted-localuser-source radius
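The user entries above are the reply items a RADIUS server returns to the network access server inside an Access-Accept. The following Python is an added example, not code from this guide: it parses an entry written in the IETF users-file syntax shown above, encodes the reply items as RFC 2865 attributes, computes and verifies the Response Authenticator with the shared secret (the value configured with radius-server key on the NAS), and then interprets Framed-IP-Address and Framed-Route the way the text describes (255.255.255.254 selects the interface default address, a specific address is static, and a Framed-Route gateway of 0.0.0.0 means the user's own address). The ROUTEME entry and the 16-byte request authenticator are constructed for the example, and the helper names are the example's own; no RADIUS server or NAS is contacted.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865 type codes and enumerated values for the attributes the examples above use.
ACCESS_ACCEPT = 2
ATTR_TYPE = {"Service-Type": 6, "Framed-Protocol": 7, "Framed-IP-Address": 8,
             "Login-IP-Host": 14, "Login-Service": 15, "Framed-Route": 22}
TYPE_ATTR = {v: k for k, v in ATTR_TYPE.items()}
ENUM = {"Service-Type": {"Login": 1, "Framed": 2},
        "Framed-Protocol": {"PPP": 1, "SLIP": 2},
        "Login-Service": {"Telnet": 0, "Rlogin": 1}}
ENUM_NAME = {a: {v: k for k, v in m.items()} for a, m in ENUM.items()}
ADDRESS_ATTRS = ("Framed-IP-Address", "Login-IP-Host")

def parse_user_entry(text):
    """Split one IETF-syntax users-file entry into (user name, check items, reply items)."""
    lines = [l.strip().rstrip(",") for l in text.strip().splitlines() if l.strip()]
    name, _, first = lines[0].partition(" ")
    check, reply = {}, {}
    for item in [first] + lines[1:]:
        key, _, value = item.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        (check if key in ("Password", "CHAP-Password") else reply)[key] = value
    return name, check, reply

def encode_attr(name, value):
    """Type-Length-Value encoding of one attribute."""
    if name in ENUM:
        data = struct.pack("!I", ENUM[name][value])
    elif name in ADDRESS_ATTRS:
        data = ipaddress.IPv4Address(value).packed
    else:                                            # text attribute such as Framed-Route
        data = value.encode()
    return struct.pack("!BB", ATTR_TYPE[name], 2 + len(data)) + data

def build_access_accept(ident, request_auth, secret, reply):
    """Access-Accept whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = b"".join(encode_attr(k, v) for k, v in reply.items())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """The NAS-side check: the reply must match the outstanding request and the shared secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expect = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(auth, expect)

def decode_attrs(packet):
    """Walk the TLVs after the 20-byte header back into reply items."""
    reply, pos = {}, 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        data, name = packet[pos + 2:pos + length], TYPE_ATTR[t]
        if name in ENUM:
            reply[name] = ENUM_NAME[name][struct.unpack("!I", data)[0]]
        elif name in ADDRESS_ATTRS:
            reply[name] = str(ipaddress.IPv4Address(data))
        else:
            reply[name] = data.decode()
        pos += length
    return reply

def interpret(reply):
    """How the NAS uses the reply: where the peer address comes from and which route to install."""
    result = {"address": None, "route": None}
    addr = reply.get("Framed-IP-Address")
    if addr == "255.255.255.254":
        result["address"] = "interface default (local pool or DHCP)"
    elif addr == "255.255.255.255":
        result["address"] = "negotiated by the peer"
    elif addr:
        result["address"] = f"static {addr} (requires async dynamic address on the NAS)"
    route = reply.get("Framed-Route")
    if route:
        prefix, gateway = route.split()[:2]
        if gateway == "0.0.0.0":                     # RFC 2865: next hop is the user's own address
            gateway = addr
        result["route"] = (str(ipaddress.ip_network(prefix)), gateway)
    return result

# Constructed entry in the syntax of the examples above; the WAN address matches the Framed-Route next hop.
ROUTEME = '''
routeme Password = "cisco"
CHAP-Password = "cisco"
Service-Type = Framed,
Framed-Protocol = PPP,
Framed-IP-Address = 10.1.1.2
Framed-Route = "10.2.1.0/24 10.1.1.2"
'''

if __name__ == "__main__":
    name, check, reply = parse_user_entry(ROUTEME)
    request_auth = bytes(range(16))                  # constructed; a real NAS picks this at random
    packet = build_access_accept(7, request_auth, b"cisco", reply)   # b"cisco" plays radius-server key
    print(name, verify_response(packet, request_auth, b"cisco"), interpret(decode_attrs(packet)))
```

The Response Authenticator is the only thing binding an Access-Accept to the request it answers and to the key in radius-server key; a NAS that skips that check accepts any reply with the right identifier, which is why the shared secret should not be the placeholder value shown in these configurations.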
PPP Calls over X.25 Networks
Remote PCs stationed in X.25 packet assembler-disassembler (PAD) networks can access the Internet
by dialing in to Cisco routers, which support PPP. By positioning a Cisco router at the corner of an X.25
network, ISPs and telcos can provide Internet and PPP access to PAD users. All remote PAD users that
dial in to X.25 networks dial in to one Cisco router that allows PPP connections. Although connection
performance is not optimal, these X.25-to-PPP calls use installed bases of X.25 equipment and cost less
to operate than connecting over the standard telephone network.
Note This dial-in scenario can also be used as an enterprise solution. In this case, an enterprise consults
with a third-party service provider that allows enterprises to leverage existing X.25 enterprise
equipment to provide connections back into enterprise environments.
Overview
Many cities throughout the world have large installed bases of PCs that interface with older modems,
PADs, and X.25 networks. These remote PCs or terminals dial in to PADs and make X.25 PAD calls or
terminal connections to mainframe computers or other devices, which run the X.25 protocol.
Unfortunately, the user interface is only a regular text-based screen in character mode (as opposed to
packet mode). Therefore, many ISPs and telcos that have large investments in X.25 networks are
upgrading their outdated equipment and creating separate networks for PPP connections. Because this
upgrade process takes substantial time and money to complete, using a Cisco router to allow PPP
connections over an X.25 network is a good interim solution for a dead-end dial case.
Remote PC Browsing Network Topology
Figure 129 shows a remote PC browsing the Internet through an X.25 PAD call and a Cisco 4500 router.
This X.25 network is owned by an ISP or telco that is heavily invested in X.25 equipment, that is
currently upgrading its outdated equipment, and that is creating separate networks for PPP connections.
In this topology, the Cisco 4500 router performs protocol translation between the protocols X.25 and
PPP. The router is configured to accept an incoming X.25 PAD call, run and unpack PPP packets over
the call, and enable the remote PC to function as if it were on the IP network.
Figure 129 Remote PC Browsing the Internet Through an X.25 PAD Call and a Cisco 4500 Router
[Figure: PCs running Windows 95 dial through modems into the Berlin, Warsaw and Milan PADs of a European X.25 service provider network; the X.25 network terminates on a Cisco 4500 installed at the service provider central site, which connects to an IP network in the eastern United States.]
For more information about configuring protocol translation, see the chapter “Configuring Protocol Translation and Virtual Asynchronous Devices” in the Cisco IOS Terminal Services Configuration Guide.
Protocol Translation Configuration Example
In the following example, PAD callers that dial 4085551234 receive a router prompt. PAD callers that
dial 4085555123401 start PPP and pick up an address from the IP pool called dialin_pool. These
addresses are “borrowed” from the Ethernet interface on the Cisco 4500 router. Additionally, a loopback
interface network can be created and the X.25 addresses can be set. However, a routing protocol must be
run to advertise the loopback interface network if this method is used.
Note Be sure to include your own IP addresses, host names, and security passwords where appropriate in the following examples; the value cisco used for the enable secret and the TACACS+ and RADIUS server keys is a placeholder.
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!
aaa new-model
aaa authentication login console enable
aaa authentication login vty tacacs+
aaa authentication login dialin tacacs+
aaa authentication ppp default tacacs+
aaa authentication ppp dialin if-needed tacacs+
enable secret cisco
!
async-bootp dns-server 10.1.3.1 10.1.3.2
!
vty-async
vty-async ppp authentication chap pap
!
interface Loopback0
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip summary address eigrp 10 10.1.2.0 255.255.255.0
!
interface Serial0
no ip address
encapsulation x25
x25 address 4085551234
x25 accept-reverse
x25 default pad
!
router eigrp 10
network 10.0.0.0
passive-interface Dialer0
no auto-summary
!
ip local pool dialin_pool 10.1.2.1 10.1.2.50
ip default-gateway 10.1.1.1
!
ip classless
!
translate x25 4085555123401 ppp ip-pool scope-name dialin_pool
!
dialer-list 1 protocol ip permit
!
line con 0
login authentication console
line aux 0
login authentication console
line vty 0 150
login authentication vty
transport input telnet rlogin
!
end
Appendixes
DC-869
Cisco IOS Dial Technologies Configuration Guide
Modem Initialization Strings
This appendix provides tables that contain modem initialization strings and sample modem initialization scripts. Table 50 lists the settings required for all modems and the error correction (EC) and compression settings for specific modem types; use this information to create your modem scripts. Table 51 lists settings for AUX ports. See Table 52 for a legend of the symbols used in these two tables. Sample scripts follow the tables.
For information about configuring lines to support modems, see the chapters in the part “Modem and
Dial Shelf Configuration and Management” in this publication.
Table 50 Required Settings and EC/Compression Settings
The first six columns are the settings required for all modems (FD = factory defaults, AA = auto-answer, CD = carrier detect, DTR = DTR handling, RTS/CTS Flow = hardware flow control, LOCK DTE Speed = lock the DTE speed); the last four are the EC/compression settings.

Modem                        | FD  | AA   | CD  | DTR | RTS/CTS Flow | LOCK DTE Speed | Best Error    | Best Comp | No Error      | No Comp
Codex 3260                   | &F  | S0=1 | &C1 | &D3 | *FL3         | *SC1           | *SM3          | *DC1      | *SM1          | *DC0
USR Courier, USR Sportster   | &F  | S0=1 | &C1 | &D3 | &H1&R2       | &B1            | &M4           | &K1       | &M0           | &K0
Global Village Teleport Gold | &F  | S0=1 | &C1 | &D3 | \Q3          | \J0            | \N7           | %C1       | \N0           | %C0
Telebit T1600/T3000/WB       | &F1 | S0=1 | &C1 | &D3 | S58=2 S68=2  | S51=6          | S180=2 S181=1 | S190=1    | S180=0 S181=1 | S190=0
Telebit T2500 (ECM)          | &F  | S0=1 | &C1 | &D3 | S58=2 S68=2  | S51=6          | S95=2 S98=1   | S96=1     | S95=0 S98=0   | S96=0
Telebit Trailblazer          | &F  | S0=1 | &C1 |     |              |                |               |           |               |
AT&T Paradyne Dataport       | &F  | S0=1 | &C1 | &D3 | \Q3          | --->           | \N7           | %C1       | \N0           | %C0
Hayes Accura/Optima          | &F  | S0=1 | &C1 | &D3 | &K3          | &Q6            | &Q5           | &Q9       | &Q6           | <---
Microcom QX4232 series       | &F  | S0=1 | &C1 | &D3 | \Q3          | \J0            | \N6           | %C1       | \N0           | %C0
Motorola UDS FastTalk II     | &F  | S0=1 | &C1 | &D3 | \Q3          | \J0            | \N6           | %C1       | \N0           | %C0
Multitech MT1432, MT932      | &F  | S0=1 | &C1 | &D3 | &E4          | $BA0           | &E1           | &E15      | &E0           | &E14
Digicom Scout Plus           | &F  | S0=1 | &C1 | &D3 | *F3          | *S1            | *E9           | <---      | *E0           | <---
Digicom SoftModem            | &F  | S0=1 | &C1 | &D3 | &K3          | --->           | \N5           | %C1       | \N0           | %C0
Viva 14.4/9642c              | &F  | S0=1 | &C1 | &D3 | &K3          | --->           | \N3           | %M3       | \N0           | %M0
ZyXel U-1496E                | &F  | S0=1 | &C1 | &D3 | &H3          | &B1            | &K4           | <---      | &K0           | <---
Supra V.32bis/28.8           | &F  | S0=1 | &C1 | &D3 | &K3          | --->           | \N3           | %C1       | \N0           | %C0
ZOOM 14.4                    | &F  | S0=1 | &C1 | &D3 | &K3          | --->           | \N3           | %C2       | \N0           | %C0
Intel External               | &F  | S0=1 | &C1 | &D3 | \Q3          | \J0            | \N3           | %C1"H3    | \N0           | %C0
Practical Peripherals        | &F  | S0=1 | &C1 | &D3 | &K3          | --->           | &Q5           | &Q9       | &Q6           | <---

Table 51 AUX and Platform Specific Settings
The first three columns are the settings for use with the AUX port (No Echo, No Result codes, CAB-MDCE cable); Write Memory saves the settings to the modem.

Modem                        | No Echo | No Res | CAB-MDCE | Write Memory | Comments
Codex 3260                   | E0      | Q1     | &S1      | &W           |
USR Courier, USR Sportster   | E0      | Q1     | *NA*     | &W           |
Global Village Teleport Gold | E0      | Q1     | *NA*     | &W           |
Telebit T1600/T3000/WB       | E0      | Q1     | &S4      | &W           | All Telebit modems need to have the speed set explicitly; these examples use 38400 bps. Using what Telebit calls “UNATTENDED ANSWER MODE” is the best place to start for a dial-in-only modem.
Telebit T2500 (ECM)          | E0      | Q1     | &S1      | &W           | Use “ENHANCED COMMAND MODE” on the T2500.
Telebit Trailblazer          | E0      | Q1     | *NA*     | &W           |
AT&T Paradyne Dataport       | E0      | Q1     | *NA*     | &W           |
Hayes Accura/Optima          | E0      | Q1     | *NA*     | &W           |
Microcom QX4232 series       | E0      | Q1     | *NA*     | &W           | Almost all Microcom modems have similar configuration parameters.
Motorola UDS FastTalk II     | E0      | Q1     | *NA*     | &W           |
Multitech MT1432, MT932      | E0      | Q1     | &S1      | &W           |
Digicom Scout Plus           | E0      | Q2     | &B2      | &W           |
Digicom SoftModem            | E0      | Q1     | &S1      | &W           |
Viva 14.4/9642c              | E0      | Q1     | &S1      | &W           |
ZyXel U-1496E                | E0      | Q1     | &S1      | &W           | Additional information on ftp.zyxel.com
Supra V.32bis/28.8           | E0      | Q1     | &S1      | &W           |
ZOOM 14.4                    | E0      | Q1     | &S1      | &W           |
Intel External               | E0      | Q1     | *NA*     | &W           |
Practical Peripherals        | E0      | Q1     | *NA*     | &W           | Based on PC288LCD; may vary.

Table 52 contains a legend of the symbols used in Table 50 and Table 51.

Table 52 Legend to Symbols Used in Modem Chart

Symbol   | Meaning
*NA*     | This option is not available on the noted modem.
--->     | The command noted on the right will handle that function.
<---     | The command noted on the left will handle that function.
AUX port | These parameters are only required for pre-9.21 AUX ports or any other port without modem control set.

Sample Modem Scripts
The following are several modem command strings that are appropriate for use with your access server or router. For use with the access server, Speed=xxxxxx is a suggested value only; set the DTE speed of the modem to its maximum capability. You can send a string to a modem by making a reverse Telnet connection from EXEC mode to the port on the access server where the modem is connected, then sending an at command followed by a carriage return.
In the following example, the modem is attached to asynchronous interface 2 on the access server. The IP address indicated as server-ip-address is the IP address of the Ethernet 0 interface; the administrator connects from the EXEC to asynchronous interface 2, which has its IP address assigned from Ethernet 0. The reverse Telnet port number is 2000 plus the line number, so line 2 is port 2002.
2511> telnet server-ip-address port-number
2511> telnet 192.156.154.42 2002
AST Premium Exec Internal Data/Fax (MNP 5)
Init=AT&F&C1&D3\G0\J0\N3\Q2S7=60S0=1&W
Speed=9600
ATi 9600etc/e (V.42bis)
Init=AT&FW2&B1&C1&D3&K3&Q6&U1S7=60S0=1&W
Speed=38400
AT&T Paradyne KeepInTouch Card Modem (V.42bis)
Init=AT&FX6&C1&D3\N7\Q2%C1S7=60S0=1&w
Speed=57600
AT&T ComSphere 3800 Series (V.42bis)
Init=AT&FX6&C1&D2\N5\Q2%C1"H3S7=60S0=1&W
Speed=57600
AT&T DataPort Fax Modem (V.42bis)
Init=AT&FX6&C1&D2\N7\Q2%C1S7=60S0=1&W
Speed=38400
Boca Modem 14.4K/V.32bis (V.42bis)
Init=AT&FW2&C1&D3&K3&Q5%C1\N3S7=60S36=7S46=138S95=47S0=1&W
Speed=57600
CALPAK MXE-9600
Init=AT&F&C1&D3S7=60S0=1&W
Speed=9600
Cardinal 2450MNP (MNP 5)
Init=AT&F&C1&D3\J0\N3\Q2\V1%C1S7=60S0=1&w
Speed=9600
Cardinal 9650V32 (MNP)
Init=AT&F&B1&C1&D3&H1&I1&M6S7=60S0=1&W
Cardinal 9600V42 (V.42bis)
Init=AT&FW2&C1&D3&K3&Q5\N3%C1%M3S7=60S46=138S48=7S95=3S0=1&W
Speed=38400
Cardinal 14400 (V.42bis)
Init=AT&F&C1&D3&K3&Q5\N3%C1%M3S7=60S46=138S48=7S95=47S0=1&W
Speed=57600
COMPAQ SpeedPAQ 144 (V.42bis)
Init=AT&F&C1&D3&K3&Q5\J0\N3%C1S7=60S36=7S46=2S48=7S95=47S0=1&W
Speed=57600
Data Race RediMODEM V.32/V.32bis
Init=AT&F&C1&D3&K3&Q6\J0\N7\Q3\V2%C1S7=60S0=1&W
Speed=38400
Dell NX20 Modem/Fax (MNP)
Init=AT&F&C1&D3%C1\J0\N3\Q3\V1W2S7=60S0=1&W
Speed=9600
Digicom Systems (DSI) 9624LE/9624PC (MNP 5)
Init=AT&F&C1&D3*E1*F3*S1S7=60S0=1&W
Digicom Systems (DSI) 9624LE+ (V.42bis)
Init=AT&F&C1&D3*E9*F3*N6*S1S7=60S0=1&W
Speed=38400
Everex Evercom 24+ and 24E+ (MNP 5)
Init=AT&F&C1&D3\J0\N3\Q2\V1%C1S7=60S0=1&W
Everex EverFax 24/96 and 24/96E (MNP 5)
Init=AT&F&C1&D3\J0\N3\Q2\V1%C1S7=60S0=1&W
Speed=9600
Everex Evercom 96+ and 96E+ (V.42bis)
Init=AT&FW2&C1&D3\J0\N3\Q2\V2%C1S7=60S0=1&W
Speed=38400
Freedom Series V.32bis Data/FAX Modem
Init=AT&F&C1&D3&K3&Q6\J0\N7\Q3\V2%C1S7=60S0=1&W
Speed=38400
Gateway 2000 TelePath
Init=AT&FW2&C1&D3&K3&Q5\N3%C1S7=60S36=7S46=138S48=7S95=47S0=1&W
Speed=38400
Gateway 2000 Nomad 9600 BPS Internal Modem
Init=AT&F&C1&D3%C1\J0\N3\Q2S7=60S0=1&W
Speed=38400
GVC SM-96V (V.42bis)
Init=AT&F&C1&D3%C1\J0\N6\Q2\V1S7=60S0=1&W
Speed=38400
GVC SM-144V (V.42bis)
Init=AT&F&C1&D3%C1\J0\N6\Q2\V1S7=60S0=1&W
Speed=57600
Hayes Smartmodem Optima 9600 (V.42bis)
Init=AT&FW2&C1&D3&K3&Q5S7=60S46=138S48=7S95=47S0=1&W
Speed=38400
Hayes Smartmodem Optima 14400 (V.42bis)
Init=AT&FW2&C1&D3&K3&Q5S7=60S46=138S48=7S95=47S0=1&W
Speed=57600
Hayes Optima 28800 (V.34)
Init=AT&FS0=1&C1&D3&K3&Q6&Q5&Q9&W
Speed=115200
Hayes V-series Smartmodem 9600/9600B (V.42)
Init=AT&F&C1&D3&K3&Q5S7=60S0=1&W
Speed=9600
Hayes V-series ULTRA Smartmodem 9600 (V.42bis)
Init=AT&F&C1&D3&K3&Q5S7=60S46=2S48=7S95=63S0=1&W
Speed=38400
Hayes V-series ULTRA Smartmodem 14400 (V.42bis)
Init=AT&FW2&C1&D3&K3&Q5S7=60S38=10S46=2S48=7S95=63S0=1&W
Speed=38400
Hayes ACCURA 24 EC (V.42bis)
Init=AT&FW2&C1&D3&K3&Q5S7=60S36=7S46=138S48=7S95=47S0=1&W
Hayes ACCURA 96 EC (V.42bis)
Init=AT&FW2&C1&D3&K3&Q5S7=60S36=7S46=138S48=7S95=47S0=1&W
Speed=38400
Hayes ACCURA 144 EC (V.42bis)
Init=AT&FW2&C1&D3&K3&Q5S7=60S36=7S46=138S48=7S95=47S0=1&W
Speed=57600
Hayes ISDN System Adapter
Init=AT&FW1&C1&D3&K3&Q0S7=60S0=1&W
Speed=57600
IBM 7855 Modem Model 10 (MNP)
Init=AT&F&C1&D3\N3\Q2\V1%C1S7=60S0=1&W
IBM Data/Fax Modem PCMCIA (V.42bis)
Init=AT&F&C1&D3&K3&Q5%C3\N3S7=60S38=7S46=138S48=7S95=47S0=1&W
Speed=57600
Identity ID9632E
Init=AT&F&C1&D3S7=60S0=1&W
Speed=9600
Infotel V.42X (V.42bis)
Init=AT&F&C1&D3S7=30S36=7S0=1&W
Speed=9600
Infotel V.32 turbo (V.42bis)
Init=AT&FW1&C1&D3&K3&Q5S7=60S0=1&w
Speed=38400
Infotel 144I (V.42bis)
Init=AT&F&C1&D3&K3&Q5\N3%C1S7=60S36=7S46=138S48=7S95=47S0=1&W
Speed=38400
Intel 9600 EX (V.42bis)
Init=AT&F&C1&D3\J0\N3\Q2\V2%C1"H3S7=60S0=1&W
Speed=38400
Intel 14400 EX (V.42bis)
Init=AT&F&C1&D3\J0\N3\Q2\V2%C1"H3S7=60S0=1&W
Speed=38400
Macronix MaxFax 9624LT-S
Init=AT&F&C1&D3&K3&Q9\J0\N3\Q3%C1S7=60S36=7S46=138S48=7S95=47S0=1&W
Speed=9600
Megahertz T3144 internal (V.42bis)
Init=AT&F&C1&D3%C1\J0\N3\Q2\V2S7=60S0=1&W
Speed=57600
Megahertz T324FM internal (V.42bis)
Init=AT&F&C1&D3%C1\J0\N3\Q2\V1S7=60S46=138S48=7S0=1&W
Speed=9600
Megahertz P2144 FAX/Modem (V.42bis)
Init=AT&F&C1&D3%C1\J0\N7\Q2\V2S7=60S0=1&W
Speed=38400
Megahertz T396FM internal (V.42bis)
Init=AT&FW2&C1&D3%C1\J0\N7\Q2\V2S7=60S0=1&W
Speed=38400
Megahertz CC3144 PCMCIA card modem (V.42bis)
Init=AT&F&C1&D3&K3&Q5%C3\N3S7=60S38=7S46=138S48=7S95=47S0=1&W
Speed=57600
Microcom AX/9624c (MNP 5)
Init=AT&F&C1&D3\G0\J0\N3\Q2%C1S7=60S0=1&W
Speed=9600
Microcom AX/9600 Plus (MNP 5)
Init=AT&F&C1&D3\J0\N3\Q2S7=60S0=1&W
Microcom QX/V.32c (MNP 5)
Init=AT&F&C1&D3\J0%C3\N3\Q2S7=60S0=1&W
Speed=38400
Microcom QX/4232hs (V.42bis)
Init=AT&F&C1&D3\J0%C3\N3\Q2-K0\V2S7=60S0=1&W
Speed=38400
Microcom QX/4232bis (V.42bis)
Init=AT&F&C1&D3\J0%C3\N3\Q2-K0\V2W2S7=60S0=1&W
Speed=38400
Microcom Deskporte 28800 (V.34)
Init=AT&F&c1&q1E0S0=1&W
Speed=115200
Microcom MicroPorte 542 (V.42bis)
Init=AT&F&C1&D3&Q5S7=60S46=138S48=7S95=47S0=1&W
Speed=9600
Microcom MicroPorte 1042 (V.42bis)
Init=AT&F&C1&D3%C3\J0-M0\N6\Q2\V2S7=60S0=1&W
Speed=9600
Microcom MicroPorte 4232bis (V.42bis)
Init=AT&F&C1&D3%C3%G0\J0-M0\N6\Q2\V2S7=60S0=1&W
Speed=38400
Microcom DeskPorte FAST
Init=ATX4S7=60-M1\V4\N2L1S0=1&W
Speed=57600
Motorola/Codex 3220 (MNP)
Init=AT&F&C1&D3*DC1*FL3*MF0*SM3*XC2S7=60S0=1&W
Motorola/Codex 3220 Plus (V.42bis)
Init=AT&F&C1&D3*DC1*EC0*MF0*SM3*XC2S7=60S0=1&W
Speed=38400
Motorola/Codex 326X Series (V.42bis)
Init=AT&F&C1&D3*FL3*MF0*SM3*TT2*XC2S7=60S0=1&W
Speed=38400
MultiTech MultiModem V32EC (V.42bis)
Init=AT&FX4&C1&D3$BA0&E1&E4&E15#L0S7=60S0=1&W
Speed=38400
MultiTech MultiModem V32 (no MNP or V.42)
Init=AT&F&C1&D3S7=60S0=1&W
Speed=9600
MultiTech MultiModem 696E (MNP)
Init=AT&F&C1&D3$BA0&E1&E4&E15S7=60S0=1&W
MultiTech MultiModem II MT932 (V.42bis)
Init=AT&FX4&C1&D3$BA0&E1&E4&E15#L0S7=60S0=1&W
Speed=38400
MultiTech MultiModem II MT1432 (V.42bis)
Init=AT&FX4&C1&D3#A0$BA0&E1&E4&E15#L0S7=60S0=1&W
Speed=57600
NEC UltraLite 14.4 Data/Fax Modem (V.42bis)
Init=AT&F&C1&D3&K3&Q4\J0\N7\Q2W2%C1S7=60S0=1&W
Speed=38400
Practical Peripherals PC28800SA (V.42bis)
Init=AT&F&C1&D3&K3&Q5S7=60S36=7S46=2S48=7S95=47S0=1&W
Speed=115200
Practical Peripherals PM9600SA (V.42bis)
Init=AT&F&C1&D3&K3&Q5S46=138S48=7S7=60S0=1&W
Speed=38400
Practical Peripherals PM14400FX (V.42bis)
Init=AT&F&C1&D3&K3&Q5S7=60S36=7S46=2S48=7S95=47S0=1&W
Speed=57600
Practical Peripherals PM14400SA (V.42bis)
Init=AT&F&C1&D3&K3&Q5S7=60S36=7S46=2S48=7S95=47S0=1&W
Speed=57600
Prometheus ProModem 9600 Plus (V.42)
Init=AT&F&C1&D3*E7*F3S7=60S0=1&W
Prometheus ProModem Ultima (V.42bis)
Init=AT&F&C1&D3*E9*F3*N6*S1S7=60S0=1&W
Speed=38400
Racal Datacomm ALM 3223 (V.42bis)
Init=AT&F&C1&D3\M0\N3\P2\Q1\V1S7=60S0=1&W
Speed=38400
Supra FAXModem V.32bis (V.42bis)
Init=AT&FN1W2&C1&D1&K3&Q5\N3%C1S7=60S36=7S48=7S95=45S0=1&W
Speed=57600
Telebit T1600 (V.42bis)
Init=AT&FX2&C1&D3&R3S7=60S51=6S58=0S59=15S68=2S180=2S190=1S0=1&W
Speed=38400
Telebit T2500 (V.42bis)
Init=AT~&FX2S7=60S51=5S52=2S66=1S68=2S97=1S98=3S106=1S131=1S0=1&W
Telebit T3000 (V.42bis)
Init=AT&FX2&C1&D3S51=6S59=7S68=2S7=60S0=1&W
Speed=38400
Telebit QBlazer (V.42bis)
Init=AT&FX2&C1&D3S59=7S68=2S7=60S0=1&W
Speed=38400
Texas Instruments V.32bis Internal Modem
Init=AT&F&C1&D3%C1\J0\N7\Q2\V2S7=60S0=1&W
Speed=38400
Toshiba T24/DF Internal
Init=AT&F&C1&D3\J0\N3\Q2%C1S7=60S36=7S46=138S48=7S0=1&W
Speed=9600
Universal Data Systems FasTalk V.32/42b (V.42bis)
Init=AT&F&C1&D3\J0\M0\N7\V1\Q2%C1S7=60S0=1&W
Speed=38400
Universal Data Systems V.32 (no MNP or V.42)
Init=AT&F&C1&D2S7=60S0=1&W
Speed=9600
Universal Data Systems V.3224 (MNP 4)
Init=AT&F&C1&D2\J0\N3\Q2S7=60S0=1&W
Universal Data Systems V.3225 (MNP 5)
Init=AT&F&C1&D2\J0\N3\Q2%C1S7=60S0=1&W
Universal Data Systems V.3227 (V.42bis)
Init=AT&F&C1&D2\J0\M0\N7\Q2%C1S7=60S0=1&W
Speed=38400
Universal Data Systems V.3229 (V.42bis)
Init=AT&F&C1&D3\J0\M0\N7\Q2%C1S7=60S0=1&W
Speed=38400
US Robotics Sportster 9600 (V.42bis)
Init=AT&FX4&A3&B1&D3&H1&I0&K1&M4S7=60S0=1&W
Speed=38400
US Robotics Sportster 14400 (V.42bis)
Init=AT&FX4&A3&B1&D3&H1&I0&K1&M4S7=60S0=1&W
Speed=57600
US Robotics Sportster 14400 (V.42bis), alternative script
Init=AT&FX4&B1&C1&D2&H1&K1&M4E0X7Q0V1S0=1&W
Speed=57600
US Robotics Sportster 28800 (V.34)
Init=AT&FS0=1&C1&D2&H1&R2&N14&B1&W
Speed=115200
US Robotics Courier 28800 (V.34)
Init=AT&FS0=1&C1&D2&H1&R2&N14&B1&W
Speed=115200
US Robotics Courier V.32bis (V.42bis)
Init=AT&FX4&A3&C1&D2&M4&H1&K1&B1S0=1&W
Speed=38400
US Robotics Courier HST Dual Standard (V.42bis)
Init=AT&FB0X4&A3&C1&D2&M4&H1&K1&B1&R2&S1S0=1&W
Speed=115200
US Robotics Courier HST (V.42bis)
Init=AT&FB0X4&A3&C1&D2&M1&H1&K1&B1S0=1&W
Speed=115200
US Robotics WorldPort 2496 FAX/Data (V.42bis)
Init=AT&FX4&C1&D3%C1"H3\J0-J1\N3\Q2\V2S7=60S0=1&W
Speed=57600
US Robotics WorldPort 9696 FAX/Data (MNP 5)
Init=AT&FX4&C1&D3%C1\J0\N3\Q2\V2S7=60S0=1&W
US Robotics WorldPort 9600 (MNP 5)
Init=AT&FX4&C1&D3%C1\J0\N3\Q2\V2S7=60S0=1&W
US Robotics WorldPort 14400 (V.42bis)
Init=AT&FX4&A3&B1&C1&D3&H1&K1&M4S7=60S0=1&W
Speed=57600
Ven-Tel PCM 9600 Plus (MNP)
Init=AT&FB0&C1&D3\N3\Q3%B0%C1%F1S7=60S0=1&W
ViVa 9642e (V.42bis)
Init=AT&F&C1&D3&K3&Q5\N3%C3S7=60S36=7S46=138S48=7S95=47S0=1&W
Speed=38400
ViVa 14.4/FAX (V.42bis)
Init=AT&F&C1&D3&K3&Q5\N3%C3S7=60S36=7S46=138S48=7S95=47S0=1&W
Speed=38400
ZOOM V.32 turbo (V.42bis)
Init=AT&FW1&C1&D3&K3&Q5%C1\N3S7=60S36=7S46=138S48=7S95=47S0=1&W
Speed=38400
ZOOM V.32bis (V.42bis)
Init=AT&FW1&C1&D3&K3&Q9%C1\N3S7=60S36=7S95=47S0=1&W
Speed=38400
Zyxel U-1496 (V.42bis)
Init=AT&FX6&B1&C1&D2&N0&K4&H3S7=60S0=1&W
Speed=57600
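Table 50 lists &F, S0=1, &C1 and &D3 as required for every modem, and the scripts above do not all set them. The following Python, added here and not part of this guide, tokenizes Hayes-style Init= strings in the grammar the scripts use (&, \, %, #, ", * and $ prefixed commands, S-register assignments, and the stand-alone ~ in the Telebit T2500 string) and reports which of the required settings each script lacks. It accepts &D2 as well as &D3 for the DTR column, since several scripts above use &D2. The three scripts in SAMPLE_SCRIPTS are copied from the list above; the function and constant names are the example's own.

```python
import re

# Hayes-style command grammar as used by the Init= strings in this appendix:
# S-register assignments (S7=60), ~ on its own, two-letter * and $ commands (*FL3, $BA0),
# and single-letter commands with an optional &, \, %, #, ", *, $ or - prefix (&D3, \N3, "H3, -M1).
TOKEN = re.compile(r'S\d+=\d+|~|[*$][A-Z]{2}\d*|[&\\%#"*$-]*[A-Z]\d*')

def tokenize(init):
    """Split an AT command string into its individual commands; raise on anything unparsable."""
    s = init.strip().upper()          # AT commands are case-insensitive (&w is &W)
    if s.startswith("AT"):
        s = s[2:]
    pos, tokens = 0, []
    while pos < len(s):
        m = TOKEN.match(s, pos)
        if not m:
            raise ValueError(f"cannot parse {init!r} at offset {pos}: {s[pos:]!r}")
        tokens.append(m.group())
        pos = m.end()
    return tokens

# The "Settings Required for All Modems" columns of Table 50.
REQUIRED = {
    "FD":  lambda t: t in ("&F", "&F1"),   # start from factory defaults
    "AA":  lambda t: t == "S0=1",          # auto-answer on the first ring
    "CD":  lambda t: t == "&C1",           # DCD follows the carrier, so the line sees a hangup
    "DTR": lambda t: t in ("&D2", "&D3"),  # DTR drop hangs up (&D3 also resets); Table 50 asks for &D3
}

def missing_required(init):
    """Names of the Table 50 required settings that the string does not set."""
    tokens = tokenize(init)
    return [name for name, ok in REQUIRED.items() if not any(ok(t) for t in tokens)]

def parse_scripts(text):
    """Read the Name / Init= / Speed= layout used by the sample scripts above."""
    scripts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Init=") and current is not None:
            current["init"] = line[len("Init="):]
        elif line.startswith("Speed=") and current is not None:
            current["speed"] = int(line[len("Speed="):])
        else:
            current = {"name": line, "init": None, "speed": None}
            scripts.append(current)
    return scripts

def audit(text):
    """Map each script name to the required settings it is missing."""
    return {s["name"]: missing_required(s["init"]) for s in parse_scripts(text) if s["init"]}

# Three entries copied from the list above (raw string, so the modem backslashes stay as written).
SAMPLE_SCRIPTS = r"""
US Robotics Sportster 9600 (V.42bis)
Init=AT&FX4&A3&B1&D3&H1&I0&K1&M4S7=60S0=1&W
Speed=38400
Microcom DeskPorte FAST
Init=ATX4S7=60-M1\V4\N2L1S0=1&W
Speed=57600
Hayes Optima 28800 (V.34)
Init=AT&FS0=1&C1&D3&K3&Q6&Q5&Q9&W
Speed=115200
"""

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_SCRIPTS).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Running the audit over the whole list above flags, among others, the Sportster 9600 script (no &C1) and the DeskPorte FAST script (no &F, &C1 or DTR setting); without &C1 and &D2/&D3 the access server line cannot tell that the remote caller hung up and cannot force the modem to hang up when it clears the line, so the next caller can land in a session that was never torn down.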
Index
IN-883
Cisco IOS Dial Technologies Configuration Guide
INDEX
Symbols
xlix
? command xlviii
A
AAA (authentication, authorization, and accounting)
large-scale dial-out network security services DC-683
preauthentication overview DC-732
virtual profiles
AAA configuration (example) DC-501, DC-504
virtual template configuration (example) DC-502
VPN
configuring DC-524
local tunnel authentication DC-530
local tunnel authentication (examples) DC-565
VPN per-user configuration DC-538
AAA/TACACS+
PPP authentication, enabling DC-395, DC-599
undefined list name, (caution) DC-598
aaa accounting command DC-683
aaa authentication command DC-683
aaa authentication ppp command DC-395, DC-598, DC-599
aaa authorization command DC-683
aaa authorization configuration default command DC-684
aaa new-model command DC-683, DC-684
aaa route download command DC-684
accept-dialin command DC-535
accept-dialout command DC-537
access control
asynchronous interfaces (example) DC-38
legacy DDR, configuring DC-367, DC-398 to DC-399
outgoing calls, configuring DC-265, DC-367
access-list command DC-265, DC-351, DC-355
access lists
DDR
DECnet DC-354, DC-368
IP DC-352
packets, interesting DC-398
transparent bridging DC-351
VINES DC-354
XNS DC-355
dialer groups DC-356
dialer profiles
DECnet DC-428
Ethernet type codes DC-432
IP DC-429
VINES DC-428
XNS DC-430
legacy DDR, interface assignment DC-367, DC-398
access restrictions, asynchronous interfaces DC-38
addresses
asynchronous interfaces DC-33
default, configuring DC-33
dynamic, configuring DC-33
unnumbered interfaces DC-32
unnumbered interfaces, (example) DC-42
addressing
Cisco Easy IP configuration (examples) DC-479
dynamic, configuring DC-42
address pooling
DHCP DC-605
global default mechanism, local pooling DC-606
ANI/DNIS (automatic number identification/dialed
number identification service)
delimiter, configuring DC-277
ANI/DNIS Delimiter for CAS Calls on CT1
feature DC-277
AO/DI (Always On/Dynamic ISDN)
BACP and BAP negotiation DC-239
BACP default settings DC-243
called number prefix DC-243
called party number formats DC-243
clients
calls, starting DC-242
configuration (example) DC-245
configuring DC-242
interface configuration DC-242
PPP and BAP configuration DC-239
X.25 configuration DC-240
interfaces, configuring DC-242
link member receive only mode DC-242
MLP bundle
multiple links, configuring DC-242
process description DC-238
national and subscriber number formats DC-243
overview DC-235, DC-236
PPP over X.25 DC-237
servers
BACP default settings DC-244
client calls, configuring DC-243
configuring DC-243
configuring, (example) DC-246
incoming calls DC-243
MLP bundle, configuring DC-244
no outgoing option DC-243
PPP and BAP, configuring DC-240
traffic load DC-244
X.25
configuring DC-241
defaults DC-241
virtual access interface DC-237
X.25 SVC DC-236
AOC (Advice of Charge)
ISDN subscription service DC-314
See also ISDN, Advice of Charge
AOL (America Online), wholesale dial performance
optimization DC-779
AppleTalk
DDR, configuring DC-353
dialer profiles, configuring DC-428
PPP, configuring DC-580, DC-602
appletalk address command DC-609
appletalk cable-range command DC-609
appletalk client-mode command DC-580
appletalk virtual-net command DC-580
ARA (AppleTalk Remote Access)
automatic sessions, starting DC-27
arap callback command DC-647
arap enable command DC-647
Ascend attributes, AV pairs (table) DC-686
async default routing command DC-31
async dynamic address command DC-34, DC-860
async dynamic routing command DC-31
asynchronous group interfaces
CHAP authentication DC-20, DC-22
IP unnumbered DC-21
PAP authentication DC-20, DC-22
PPP encapsulation DC-20, DC-21
verifying DC-22
asynchronous host mobility, configuring DC-581
asynchronous host roaming (example) DC-581
asynchronous interfaces
addressing methods
configuring DC-31
description DC-33
bandwidths
configuring optimal DC-34
broadcasts on DC-577
dedicated network mode (example) DC-38
default addresses, configuring DC-33
dynamic addresses, configuring DC-33
dynamic addressing (example) DC-42
group and member (examples) DC-39
IPX loopback interfaces DC-579
large-scale dial-out (example) DC-696
low bandwidth DC-576
modem configuration (examples) DC-77
monitoring DC-38
network interface (example) DC-43
routing configuration (example) DC-577
TCP/IP header compression
(example) DC-42
configuring DC-34
troubleshooting DC-21
Asynchronous Rotary Line Queueing feature DC-25
async mode dedicated command DC-32
async mode interactive command DC-32, DC-581
AT&T latched CSU loopback, specification DC-294
ATCP (AppleTalk Control Protocol)
PPP, enabling DC-580
authen before-forward command DC-539
autocommand command DC-47
autocommand telnet /stream command DC-780
autocommand telnet-faststream command DC-781
autodetect encapsulation command DC-199, DC-201, DC-265
autohangup command DC-163
autoselect arap command DC-647
autoselect command DC-27, DC-70
autoselect during-login command DC-70
Autoselect incoming protocol sensor DC-27
autoselect ppp command DC-643, DC-645
auxiliary ports
asynchronous serial interfaces, configuring DC-29
AV (attribute-value) pairs
AAA server attributes DC-703
Ascend attributes DC-685
Ascend attributes (table) DC-686
map class DC-685
per-user configuration attributes DC-703
RADIUS attributes DC-685
RADIUS attributes (table) DC-704
TACACS attributes (table) DC-704
B
backup delay command DC-452
backup interface command DC-451
backup interfaces
dialer profiles DC-455, DC-459
overview DC-449
See also dial backup, serial interfaces; serial interfaces
backup load command DC-451
BACP (Bandwidth Allocation Control Protocol)
active mode DC-668
BRI interface (example) DC-673
configuring DC-671
dialer interfaces only DC-668
BRI interface (example) DC-676
configuration (examples) DC-673 to DC-676
configuration options DC-668
default parameter values, configuring DC-671
default passive mode DC-670, DC-683
default settings DC-671
dialer rotary
different dial-in numbers (example) DC-674
one dial-in number (example) DC-675
dialer support, legacy DDR DC-668, DC-681
interfaces
monitoring DC-672
physical restrictions DC-668
serial DC-668
virtual DC-668
line speeds DC-669
link types DC-669
multilink bundle creation (example) DC-674
operating environments DC-667
outgoing calls, dialer maps used for DC-672
passive mode
default DC-668
dialer rotary group (example) DC-673
virtual template interface (example) DC-674
PPP bandwidth allocation control, configuring DC-670
prerequisites DC-667
PRI (example) DC-676
temporary dialer maps DC-672
troubleshooting DC-673
bandwidth command DC-669
bandwidth on demand, load threshold DC-371, DC-401
bandwidths, configuring optimal DC-34
banners
SLIP-PPP DC-587
SLIP-PPP (example) DC-589
tokens DC-587
banner slip-ppp command DC-587
binding, DNIS-plus-ISDN-subaddress DC-189
black box screening
See RPM, call discriminator profiles; Cisco RPM CLID/DNIS Discriminator feature
BOOTP (Bootstrap Protocol) requests DC-576
bridge group command DC-397, DC-399, DC-433
bridge protocol command DC-351, DC-431
broadcasts
asynchronous interfaces DC-577
asynchronous serial traffic over UDP DC-45
buffers command DC-182, DC-206
bundles
MLP Inverse Multiplexer DC-619
MMP DC-633
busyout, ISDN B channel (example) DC-298
C
callback
ARA
chat scripts DC-647
clients DC-647
asynchronous
configuring DC-643
overview DC-643
authentication DC-643
chat scripts DC-646
modem rest period, configuring DC-646
PPP
clients DC-644 to DC-645
dial string DC-645
callback forced-wait command DC-645, DC-646, DC-647
calls
analog modem DC-59
analog robbed-bit signaling DC-258
channel-associated signaling DC-258
circuit-switched digital DC-10
incoming V.120 asynchronous DC-198
incoming voice
configuring modem for DC-266
ISDN not end-to-end DC-187
ISDN voice DC-176, DC-180, DC-195
outgoing access control DC-265, DC-367
preauthenticate incoming DC-732
prevent incoming DC-163
toll DC-644
blocking
See ISDN PRI, class of restrictions
Call Tracker plus ISDN and AAA Enhancements for the Cisco AS5300 and Cisco AS5800 feature DC-93, DC-269
call-type cas command DC-743
call-type cas digital command DC-756
CAPI (Common Application Programming Interface)
B-channel protocols supported DC-249
features DC-248
overview DC-247 to DC-251
protocols supported DC-248
carriage return () xlix
carrier wait time, dialer profiles DC-426
CAS (channel-associated signaling)
(examples) DC-307
analog calls DC-258
channelized E1 DC-275
common forms of DC-277
cas-group command DC-282, DC-756
cas-group timeslots command DC-276
cause codes
See ISDN, cause codes
cautions
undefined AAA/TACACS+ list DC-598
usage in text xlii
virtual template interface erroneous routing DC-638
changed information in this release xli
channelized E1
channel-associated signaling, analog calls DC-275
channel groups
(example) DC-299
interface loopbacks, troubleshooting DC-293, DC-294
serial interfaces DC-293
channel uses DC-258
description DC-11
ISDN PRI
configuring DC-260
D-channel number DC-260
PRI groups (example) DC-299
R2 signaling DC-275
channelized T1
ANI/DNIS delimiters on incoming T1 trunk lines DC-277
channel groups
(example) DC-299
interface loopbacks, troubleshooting DC-293, DC-294
serial interfaces DC-293
channel uses DC-258
description DC-11
ISDN PRI
configuring DC-261
D-channel number DC-262
PRI groups (example) DC-299
switched 56K DC-278
See also switched 56K
voice channels, configuring DC-277
channels
ISDN 2 B + D
BRI DC-12
logical relationship DC-13
PRI DC-13
CHAP (Challenge Handshake Authentication Protocol)
challenge packet DC-597
encrypted password (examples) DC-621
PAP authentication order DC-598
chat-script command DC-167, DC-645
chat scripts
(examples) DC-169, DC-171
ARA (example) DC-647
asynchronous lines DC-365
escape sequences (table) DC-167
expect-send pairs (table) DC-168
large-scale dial-out DC-696
naming conventions DC-166
PPP callback, configuring DC-646
Cisco 700 and 800 series routers
Combinet Proprietary Protocol DC-264, DC-321
protocols supported DC-321
Cisco 7500 MLP Inverse Multiplexer DC-618
Cisco AS5200 access servers
analog calls over E1, configuring DC-276
CAS on channelized E1, configuring DC-275
channelized E1/T1, channel uses DC-258
R1 modified signaling, configuring DC-290
Cisco AS5300 access servers
analog calls over E1, configuring DC-276
busyout B channel DC-269
CAS on channelized E1, configuring DC-275
CAS on T1 voice channels, configuring DC-277
R1 modified signaling, configuring DC-290
Cisco AS5800 access servers
busyout B channel DC-269
CAS on channelized E1, configuring DC-275
CAS on T1 voice channels, configuring DC-277
R1 modified signaling configuration (examples) DC-312
TCP Clear performance optimization DC-780
Cisco Easy IP
address strategy DC-790
async interface configuration (examples) DC-480
business applications DC-790
configuring DC-476
dialer interfaces, configuring DC-478
dial strategy DC-790
dynamic NAT translation timeout period DC-479
ISDN BRI configuration (examples) DC-479
LAN interfaces, configuring DC-477
NAT
dialer interfaces, configuring DC-478
LAN interfaces, configuring DC-477
pool, configuring DC-477, DC-486
overview DC-473, DC-790
PPP/IPCP negotiation DC-478
prerequisites DC-476
WAN interfaces, configuring DC-477
Cisco IOS configuration changes, saving lii
Cisco MICA Modem Dial Modifiers feature DC-76
Cisco RPM CLID/DNIS Call Discriminator feature DC-731
clear dialer command DC-376, DC-406, DC-444
clear dialer sessions command DC-690
clear dsip tracing command DC-125
clear interface virtual-access command DC-486
clear ip route download command DC-690
clear line command DC-21
clear modem at-mode command DC-77
clear port log command DC-139
clear resource-pool command DC-758
clear snapshot quiet-time command DC-444
clear spe counters command DC-139
clear spe log command DC-139
clear vpdn tunnel command DC-540
client-initiated VPNs DC-509
clns filter-set command DC-355
clock source command DC-276, DC-282
cloning
virtual access interfaces DC-484
virtual profiles DC-491
Combinet
See Cisco 700 and 800 series routers
command modes
dedicated network interfaces, configuring DC-31
interactive sessions, configuring DC-31
understanding xlvii to xlviii
commands
context-sensitive help for abbreviating xlviii
default form, using li
no form, using li
command syntax
conventions xli
displaying (example) xlix
compress command DC-602
compressions
Microsoft PPP DC-601
MLP DC-195
predictor (example) DC-194
Stacker (example) DC-194
compress predictor command DC-600
compress stac command DC-601
compulsory tunneling
See NAS-initiated VPNs
configurations, saving lii
connections
dial-in DC-70, DC-71
LLC2 NetBEUI clients over PPP DC-583
PPP DC-582
printers
configuration (example) DC-62
configuring DC-163
reverse modem DC-163
semipermanent ISDN
BRI DC-185
Germany, Australia DC-190
semipermanent ISDN PRI DC-265
SLIP DC-583
TCP
connection attempt time, configuring DC-585
controller e1 command DC-260, DC-276
controllers
E1, description DC-11
T1, description DC-11
controller t1 command DC-261, DC-281
CSU loopbacks
AT&T specification DC-294
latched DC-294
customer profiles
See profiles, RPM
D
data compression, modem negotiation DC-77, DC-155
DDR (dial-on-demand routing)
access lists
dialer groups DC-356
routed protocols, configuring DC-352
AppleTalk, configuring DC-353
bridged protocols DC-349, DC-363
chat scripts
configuring DC-165
enabling DC-171
configuration (examples) DC-356 to DC-359
decision flowchart DC-345
DECnet
configuring DC-354
control packets DC-354, DC-369
dependent implementation decisions DC-348
dialer profiles
virtual profile interoperation, configuring DC-490
fast switching DC-402, DC-433
independent implementation decisions DC-347
interesting packets DC-367
interfaces DC-349, DC-350, DC-364, DC-392
IP, configuring DC-352, DC-366
IPX, configuring DC-353
ISDN PRI configuration (example) DC-296
ISO CLNS, configuring DC-355
large-scale dial-out DC-679
routed protocols DC-349, DC-351, DC-363, DC-366
snapshot routing DC-441
See also snapshot routing
transparent bridging DC-350
permit all packets DC-351
type code access DC-351
uninteresting packets DC-367
VINES, configuring DC-354
XNS, configuring DC-355
See also dialer profiles; legacy DDR
debug aaa authorization command DC-708, DC-760, DC-767
debug aaa per-user command DC-499, DC-708, DC-738
debug async async-queue command DC-26
debug async command DC-21
debug csm command DC-763
debug dialer command DC-192, DC-272, DC-322, DC-499, DC-550
debug ip tcp transactions command DC-26
debug isdn events command DC-192, DC-272, DC-661
debug isdn q921 command DC-322
debug isdn q931 command DC-71, DC-322, DC-661, DC-762
debug modem command DC-26, DC-71
debug modem csm command DC-71, DC-762
debug ppp bap command DC-673
debug ppp chap command DC-21
debug ppp command DC-551
debug ppp error command DC-21
debug ppp multilink events command DC-673
debug ppp negotiation command DC-21
debug ppp packet command DC-21
debug q921 command DC-192, DC-272
debug q931 command DC-192, DC-272
debug rcapi events command DC-252
debug redundancy command DC-125
debug resource pool command DC-760
debug trunk cas port timeslots command DC-763
debug udptn command DC-47
debug vpdn commands DC-548
debug vpdn event command DC-549, DC-755
debug vpdn l2x command DC-755
debug vpdn l2x-events command DC-549, DC-550
debug vtemplate command DC-499
DECnet
DDR
access lists DC-354
configuring DC-354
control packets DC-354, DC-369
dialer profiles
access lists DC-429
configuring DC-429
control packets DC-429
dedicated mode
asynchronous interfaces, configuring DC-31
configuration (example) DC-38
DHCP (Dynamic Host Configuration Protocol)
configuration (examples) DC-40
IP address pooling, configuring DC-605
local IP address pool (example) DC-40
dial access scenarios
bidirectional dial DC-811
central site configurations DC-794
dial-in configurations DC-795
enterprise dial DC-793 to DC-832
enterprises DC-785
mixed protocol enterprise network DC-826
remote office and telecommuters DC-794
service providers DC-785
telco and ISP DC-837 to DC-865
dial backup
dialer profiles DC-455 to DC-457
backup interfaces DC-456
dialer interfaces, configuring DC-456
ISDN BRI (example) DC-457
physical interfaces DC-456
ISDN channels DC-453
load threshold exceeded (examples) DC-453
load threshold reached (examples) DC-453
primary line down (examples) DC-454
serial interfaces DC-449 to DC-454
See also Dialer Watch
dialer aaa command DC-684
dialer callback-secure command DC-653
dialer callback-server command DC-653
dialer caller command DC-657, DC-660
dialer command DC-486, DC-537
dialer dnis group command DC-743, DC-756
dialer dns command DC-684
dialer dtr command DC-364
dialer enable-timeout command DC-370, DC-400, DC-653, DC-659, DC-660
dialer fast-idle command DC-370, DC-400, DC-426
dialer-group command DC-185, DC-208, DC-239, DC-241, DC-265, DC-369, DC-399, DC-425, DC-431, DC-456, DC-479, DC-612, DC-613
dialer hold-queue command DC-371, DC-401, DC-478, DC-652, DC-653
dialer idle-timeout command DC-315, DC-369, DC-400, DC-479, DC-612
dialer in-band command DC-239, DC-240, DC-364, DC-611, DC-613, DC-652, DC-653
dialer interfaces
See dialer profiles, dialer interfaces DC-8
dialer isdn command DC-426
dialer isdn short-hold command DC-315
dialer-list command DC-208, DC-356
dialer-list protocol (Dial) command DC-185
dialer-list protocol bridge command DC-351, DC-368, DC-431, DC-432
dialer-list protocol command DC-356, DC-425
dialer-list protocol list command DC-356
dialer load threshold
MLP DC-613
idle timers DC-612
Multilink PPP
async interface DC-611
BRI, configuring single DC-612
BRIs in rotary group DC-613
idle timers DC-613
dialer load threshold command DC-239, DC-241, DC-371, DC-402, DC-611, DC-612, DC-613
dialer map class DC-423, DC-442
dialer map command DC-208, DC-240, DC-365, DC-652, DC-653, DC-657, DC-659, DC-669
dialer map modem-script system-script command DC-367, DC-393, DC-397, DC-398
dialer map name command DC-395
dialer map name spc command DC-185, DC-190, DC-265
dialer map name speed command DC-185, DC-265
dialer maps, large-scale dial-out and DC-680
dialer map snapshot command DC-443
dialer pool command DC-425, DC-456, DC-479
dialer pool dialer profiles
backup interfaces DC-455, DC-459
physical interfaces DC-424
priorities DC-424
dialer pool-member command DC-427, DC-478
dialer priority command DC-371, DC-401
dialer profiles
AppleTalk, configuring DC-428
central site, multiple remote networks (example) DC-434
configuring DC-425
DECnet
configuring DC-428, DC-429
control packets DC-429
dial backup DC-455 to DC-457
dialer interfaces
configuring DC-425, DC-456
description DC-423
remote destination and map class DC-425
See also interfaces
dialer map class DC-423, DC-442
dialer pool
description DC-423
dialer interfaces DC-424
physical interfaces DC-424
reserved channel DC-423
dialing pool reserved channels DC-427
inbound traffic filter (example) DC-434
IP
addresses, remote network node DC-423, DC-442
configuring DC-429
IPX, configuring DC-429
ISDN BRI, two leased lines (example) DC-435, DC-457
ISDN caller ID callback
callback actions DC-659
configuring DC-660
map class
configuring DC-426
fast idle timer DC-426
ISDN requirements DC-426
wait for carrier time DC-426
physical interfaces, configuring DC-423, DC-427, DC-444
remote sites with ISDN access only (example) DC-663
source address validation, disabling DC-348
transparent bridging
access control DC-431
bridging protocols, configuring DC-431
interesting packets DC-432
interfaces, configuring DC-432
type code access DC-432
VINES, configuring DC-428
XNS, configuring DC-430
Dialer Profiles feature DC-421
dialer redial
legacy DDR hubs, configuring DC-402
legacy DDR spokes, configuring DC-372
dialer remote-name command DC-456, DC-478
dialer reserved-links command DC-685, DC-696
dialer rotary, MLP DC-612
dialer rotary-group command DC-393, DC-396, DC-443, DC-611, DC-613
dialer rotary groups
(example) DC-414
bandwidth on demand load threshold DC-401, DC-433
interface priority DC-370
interfaces
assignment DC-396
priority DC-401
leader DC-392
dialer-string class command DC-425, DC-456
dialer string command DC-240, DC-365, DC-394, DC-397, DC-479, DC-657, DC-659
dialer wait-for-carrier-time command DC-370, DC-400, DC-426, DC-478, DC-659, DC-660, DC-671
Dialer Watch
addresses, configuring DC-461
benefits DC-460
configuration (examples) DC-462
configuring DC-460
dial backup DC-450, DC-455
interfaces
disable timer DC-461
primary DC-461, DC-475
secondary DC-461, DC-475
interface status DC-461
overview DC-459, DC-473
dialer watch-disable command DC-462
dialer watch-group command DC-461
dialer watch-list command DC-461
dialing
DTR DC-364
configuration (example) DC-382
outgoing calls, configuring DC-364
remote interface DC-364, DC-366
remote passive interface DC-364, DC-366
X.25 encapsulation (example) DC-387
X.25 support (example) DC-419
legacy DDR
outgoing calls, configuring DC-365
dialing services
inbound performance optimization DC-779
outbound performance optimization DC-779
dial-peer cor custom command DC-333
dial-peer cor list command DC-333
dial peers, description DC-328
See also ISDN, dial peers
dial shelves
remote configuration DC-124
shelf IDs, configuring DC-117
dial-tdm-clock priority command DC-119
digital modem network modules DC-205
disconnect timers DC-329
configuration (example) DC-342
DNIS (Dialed Number Identification Service)
encapsulation types based on DC-183
ISDN subaddress binding DC-189
(example) DC-196
dnis group command DC-747
DNIS groups
RPM
configuring DC-743
troubleshooting DC-763
verifying DC-759
documentation
conventions xli
feedback, providing xliii
modules xxxvii to xxxix
online, accessing xlii
ordering xliii
Documentation CD-ROM xliii
documents and resources, supporting xl
domain command DC-535
DoVBS (Data over Voice Bearer Services)
configuring DC-748
overview DC-730
DSC (dial shelf controller)
configuring DC-118
managing DC-125
redundancy DC-118
synchronizing clocks DC-119
DSIP (Dial Shelf Interconnect Protocol)
architecture (figure) DC-116
overview DC-116
troubleshooting DC-125
DTR (data terminal ready), modem control and DC-159
dynamic addressing, configuring DC-42
Dynamic Multiple Encapsulations feature DC-178
E
E1 R2
CAS, configuring DC-284
configure DC-285
country settings DC-285
customizing parameters DC-285
sample topology DC-284
verifying signal DC-287
ear and mouth signaling, description DC-11
encapsulation cpp command DC-321
encapsulation lapb command DC-375, DC-405
encapsulation ppp command DC-456, DC-498
AO/DI configuration DC-239
authentication, use in DC-367, DC-395, DC-398, DC-598
enabling DC-597
interfaces
dialer configuration DC-456
dialer profile DC-425
physical DC-427
virtual template DC-486, DC-496, DC-637
WAN DC-478
modem over ISDN BRI configuration DC-208
encapsulations
automatic detection DC-320
default serial DC-18
dynamic multiple DC-178, DC-422
ISDN LAPB-TA autodetect DC-201
L2F DC-508
V.120 dynamic detection DC-199
virtual profiles DC-507
encapsulation x25 command DC-374, DC-405
endpoint discriminator, changing MLP default DC-615
enterprise networks
dial access scalability DC-794
dial access scenarios DC-793 to DC-832, DC-837
escape characters, modem chat strings DC-167
exec command DC-31
EXEC process
disabling DC-30
enabling DC-30
exec-timeout command DC-31
execute-on command DC-124
exit command DC-282
F
fast switching
IP
disabling DC-586
enabling DC-586
L2F traffic DC-508
legacy DDR
IP DC-372, DC-402
IPX DC-372, DC-402
Feature Navigator
See platforms, supported
filtering output, show and more commands lii
firmware
filename location command DC-134
upgrade command DC-67, DC-133
Frame Relay
DDR
configuration overview DC-404
restrictions DC-404
dialup connections DC-373, DC-403
legacy DDR
configuration overview DC-374
interfaces supported DC-373
restrictions DC-373
framing command DC-281, DC-756
framing crc4 command DC-260, DC-276
framing esf command DC-261
G
Germany, ISDN semipermanent connection support DC-185
global configuration mode, summary of xlviii
group-range command DC-39, DC-57, DC-58
H
hairpinning
See ISDN, dial peers
hardware platforms
See platforms, supported
help command xlviii
Hong Kong, ISDN Sending Complete information element DC-189, DC-268
hw-module command DC-125
I
idle timers, MLP
dialer load thresholds DC-612
dialer timeout DC-612, DC-613
IGRP (Interior Gateway Routing Protocol), dial-in router DC-44
in-band framing mode control messages, configuring DC-94
indexes, master xl
initiate-to command DC-535, DC-537
interface bri command DC-183, DC-199, DC-229, DC-443
interface command DC-652
interface configuration mode, summary of xlviii
interface dialer command DC-425, DC-443, DC-444, DC-456, DC-612, DC-640
interface multilink command DC-619
interfaces
asynchronous
configuration options DC-6, DC-57
configuring DC-5, DC-56
logical constructs DC-6, DC-57
MLP DC-611
compared to lines DC-5, DC-56
DDR priority DC-405
dial backup dialer profiles DC-455, DC-459
dialer DC-8, DC-423
configuring DC-425, DC-426
description of DC-8
downtime, enabling DC-400
logical entity DC-363, DC-392
serial address DC-394
dialer rotary group assignment DC-396
ISDN BRI, MLP DC-611 to DC-612
lines, relationship to DC-16
peer address allocation methods DC-603
physical DC-424
dialer pool, configuring DC-423
point-to-point, IP address pooling DC-603
serial encapsulation types DC-18
serial interfaces DC-18
synchronous
MLP DC-610
unnumbered DC-32
virtual asynchronous DC-197
virtual templates, configuring DC-637
virtual templates, description of DC-6
interface serial command DC-199, DC-263, DC-282, DC-443, DC-444, DC-756
interface virtual-template command DC-483, DC-486, DC-496, DC-498, DC-637
inverse multiplexing
MLP (example) DC-627
IP
address pooling
assignment method DC-604
concept DC-603
DHCP DC-605
global default mechanism DC-605 to DC-606
interfaces supported DC-604
local address pooling DC-606
peer address allocation methods DC-603
per-interface options DC-606
precedence rules DC-604, DC-640
broadcasts, asynchronous serial traffic over UDP DC-45
Cisco Easy IP
configuration (examples) DC-479
configuring DC-476
dial addressing schemes
Cisco Easy IP DC-789
classic IP DC-789
remote client DC-789
remote LAN DC-789
fast switching
DDR DC-372
disabling DC-586
enabling DC-586
legacy DDR DC-402
IP-SLIP (example) DC-41
performance parameters, configuring DC-584
PPP, configuring over DC-578
PPP-IP (example) DC-41
route cache invalidation DC-587
ip address command DC-208, DC-477, DC-609, DC-612, DC-619
ip address negotiated command DC-478
ip address-pool command DC-605, DC-606
ip cache-invalidate-delay command DC-587
IPCP
See IP–PPP
ip dhcp-server command DC-605
ip-directed broadcast command DC-208
IP header compression
See TCP/IP, header compression
ip host command DC-152
ip local pool command DC-606, DC-607
ip local pool default command DC-637
IP multicast routing, asynchronous serial traffic over UDP DC-45
ip nat inside command DC-477
ip nat outside command DC-478
IP–PPP, enabling DC-578
ip route-cache command DC-372, DC-402, DC-586
ip route-cache distributed command DC-372, DC-402
ip route command DC-683
ip routing command DC-431
ip tcp compression-connections command DC-585
ip tcp header-compression command DC-34, DC-585
ip tcp synwait-time command DC-585
ip tos reflect command DC-539
ip unnumbered command DC-32
ip unnumbered ethernet command DC-486, DC-496, DC-498, DC-637
ip unnumbered loopback command DC-456
IPX (Internet Packet Exchange Protocol)
over PPP
configuring DC-578
IPX (Internetwork Packet Exchange)
configuring over PPP DC-579
DDR, configuring DC-353
dialer profiles, configuring DC-429
fast switching, legacy DDR DC-402
header compression over PPP DC-585
over PPP
configuring DC-578
dedicated network numbers DC-579
loopback interfaces DC-579
ipx compression enable command DC-586
IPXCP
See IPX, over PPP
ipx network command DC-609
ipx ppp-client loopback command DC-579
ipx route-cache command DC-430
ipx sap command DC-703, DC-726
ipx spx-idle-time command DC-353, DC-430
ipx spx-spoof command DC-353, DC-368, DC-430
ipx watchdog-spoof command DC-353, DC-430
ISDN
128 kbps leased-line service
(example) DC-196
configuring DC-191
interface characteristics DC-191
Advice of Charge DC-314 to DC-315
BRI and dialer profiles (example) DC-323
call history DC-315
destination DC-314
dialer map class DC-315
dialer profiles DC-314
ISDN interface, configuring DC-314
legacy DDR DC-314
outgoing calls DC-314
overview DC-314
PRI and legacy DDR (example) DC-322
short-hold mode, configuring DC-314
switch types DC-314
B channel
ascending call order (example) DC-298
call order default DC-272
outgoing call order DC-272
caller ID callback conflict DC-657
call history DC-315
cause codes DC-179, DC-188
(table) DC-179
override DC-188
channels, disabling DC-318
channel service states DC-319
dial peers
inbound call leg DC-328
outbound call leg DC-328
disconnect timers
See disconnect timers
DNIS-plus-ISDN-subaddress binding (example) DC-436
encapsulations
automatic detection DC-320
dynamic multiple DC-436
interfaces
monitoring DC-315
TEI DC-266
LAPB-TA asynchronous traffic DC-200
leased-line service in Germany and Japan DC-191
multiple switch types DC-182
configuration (example) DC-193
PRI interfaces, configuring DC-270
restrictions DC-270
Network Side PRI Signaling, Trunking, and Switching
call switching, dial peers (example) DC-338
COR
configuring DC-333
dial peers (example) DC-339
outgoing dial peers (example) DC-340
monitoring DC-338
special numbers (example) DC-341
switch types
configuring DC-331
supported DC-327
trunk group (example) DC-339
verification procedure DC-334
NFAS DC-315 to DC-319
alternate route index DC-316
backup D-channel DC-317, DC-324, DC-325
channel interface
configuring DC-317
disabling DC-318
channelized T1 controllers (example) DC-324, DC-325
DDR configuration (example) DC-325
groups, monitoring DC-319
PRI group, configuring DC-316
primary and backup D channels DC-316
primary D-channel DC-317, DC-324, DC-325
service state (example) DC-325
switch types DC-316
semipermanent connections
Australia, Germany DC-190
support DC-265, DC-322
special signaling
(examples) DC-322
troubleshooting DC-322
subaddress DC-366, DC-393
subaddress binding DC-189
isdn all-incoming-calls-v120 command DC-199
isdn answer1 command DC-187, DC-209
isdn answer2 command DC-187
isdn bchan-number-order command DC-272
ISDN BRI
asynchronous access DC-199
called party number, verifying DC-186
caller ID screening DC-186
calling-line identification, configuring DC-186
calling number identification DC-187
compression (examples) DC-194
configuration buffers
configuring DC-181
verifying DC-181
configuration self-tests DC-192
configuring DC-175 to DC-195
dialer rotary group (example) DC-194
encapsulations, configuring DC-183
fast rollover delay, configuring DC-188
global and interface switch type (example) DC-193
interfaces
configuring DC-182
monitoring DC-192
leased-line service DC-190
128 kbps DC-191
normal speeds DC-191
platform support DC-191
line configuration requirements DC-176
line speed, configuring DC-187
MLP and compression (example) DC-195
modem use over
BRI interface configuration (example) DC-212
complete configuration (example) DC-215
configuring DC-207
overview DC-206
verifying DC-210
MTU size DC-181
network address, configuring DC-185
network module DC-205
North American switch configuration DC-176
point-to-multipoint service DC-176
point-to-point service DC-176
semipermanent connections DC-185
Sending Complete information element
Taiwan, Hong Kong DC-189
switch types
(table) DC-181
configuring DC-180
North American configuration DC-176
TEI negotiation timing, configuring DC-186
troubleshooting DC-192
V.120 support, PPP on virtual terminal lines DC-199
voice calls
incoming (example) DC-195
outgoing (example) DC-195
switch type configuration DC-176, DC-180
X.25 traffic, configuring DC-229, DC-236
isdn caller command DC-186, DC-209, DC-660
ISDN caller ID callback
(examples) DC-661
best match system, don’t care digits DC-661
callback, local side DC-659
calling, remote side DC-660
DDR fast call rerouting for ISDN, calling side DC-659
dialer enable-timeout timer DC-659
dialer profiles
callback actions DC-659
configuring DC-660, DC-671
processes DC-659
dialer rotary, configuring DC-660
dialer rotary group (example) DC-665
dialer wait-for-carrier timer DC-659
don’t care digits DC-662, DC-672
legacy DDR
callback actions DC-658
configuring DC-659
overview DC-658
prerequisites
dialer profiles DC-657
legacy DDR DC-657
remote side configuration note DC-659
timers, configuring DC-659
isdn calling-number command DC-187, DC-209, DC-266
isdn disconnect-cause command DC-188
isdn fast-rollover-delay command DC-209, DC-653
isdn guard-timer command DC-268
isdn incoming-voice modem command DC-209, DC-252, DC-267
ISDN LAPB-TA
configuration (example) DC-203
encapsulation autodetection DC-201
overview DC-200
isdn leased-line bri 128 command DC-191
isdn leased-line bri command DC-191
isdn modem-busy-cause command DC-209
ISDN Non-Facility Associated Signaling
See NFAS
isdn not-end-to-end command DC-187, DC-188, DC-209
ISDN PRI
(examples) DC-294
B channel
ascending call order (example) DC-298
busyout DC-298
outgoing call order DC-272
calling number identification DC-266
channel groups (example) DC-299
channelized E1 controllers
configuring DC-260
DDR configuration (example) DC-297
slot and port numbering DC-260
channelized T1 controllers
configuring DC-261
DDR configuration (example) DC-296
slot and port numbering DC-261
class of restrictions DC-329
configuring DC-333
configuration self-tests DC-272
D-channel serial interface number DC-260, DC-262
DDR configuration requirements DC-259
encapsulations
Frame Relay DC-264
X.25 DC-264
guard timer, configuring DC-268
legacy DDR interface (example) DC-325
line configuration requirements DC-259
multiple switch types
(example) DC-298
configuring DC-270
restrictions DC-270
North American switch configuration DC-259
NSF call-by-call (example) DC-295
point-to-multipoint service DC-259
semipermanent connections, Australia DC-265, DC-322
Sending Complete information element
Hong Kong, Taiwan DC-268
serial interfaces, configuring DC-262
Trunk Group Resource Manager DC-328
configuring DC-332
isdn protocol-emulate network command DC-331
isdn reject command DC-267
isdn sending-complete command DC-189, DC-209, DC-268
isdn service command DC-318
isdn snmp busyout b-channel command DC-269
isdn spid1 command DC-183, DC-209
isdn spid2 command DC-183, DC-209
isdn static-tei command DC-266
isdn switch-type command DC-180, DC-191, DC-260, DC-261, DC-270, DC-331
ISDN switch types
See ISDN BRI; ISDN PRI; multiple switch types; switch types
isdn t306 command DC-329
isdn t310 command DC-329
isdn tei command DC-186, DC-266
isdn v110 only command DC-189
isdn v110 padding command DC-190
isdn x25 dchannel command DC-229
isdn x25 static-tei command DC-229
ISO CLNS (ISO Connectionless Network Service), DDR
access groups DC-355
configuring DC-355
K
keepalive command DC-619
keepalives
PPP, enabling LQM DC-599
L
L2F (Layer 2 Forwarding)
encapsulation processes DC-508
fast switching stack group environment DC-508
l2tp tunnel authentication command DC-531
l2tp tunnel password command DC-532
LAPB (Link Access Procedure, Balanced)
DDR, configuring DC-405
large-scale dial-out
AAA network security, configuring DC-683
AAA server access, configuring DC-684
Ascend AV pairs (table) DC-686
asynchronous dialing (example) DC-696
configuration task prerequisites DC-682
map class attributes DC-689
monitoring DC-690
network security services DC-683
overview DC-679
RADIUS attributes DC-688
remote network route, configuring DC-683
reverse DNS, configuring DC-684
scalable dial-out service DC-680
SGBP dial-out connection bidding, configuring DC-684
stack group and static route download configuration (example) DC-690
user profiles
(example) DC-695
configuring DC-685
leased lines
ISDN BRI (example) DC-435
NM-8AM and NM-16AM analog modem support DC-78
configuring DC-79
Leased Line Support for Cisco 2600/3600 Series Analog Modems feature DC-78
legacy DDR (dial-on-demand routing)
dial backup
asynchronous interfaces (example) DC-452
ISDN (example) DC-453
hubs
(examples) DC-406 to DC-419
(figure) DC-397
access lists DC-398
AppleTalk (example) DC-408
asynchronous interfaces (example) DC-410
authentication DC-395
Banyan VINES (example) DC-409
bridging access control DC-398
configuration task flow DC-390
configuring DC-389 to DC-419
connections, monitoring DC-406
DECnet (example) DC-409
dialer group interface assignment DC-399
dialer hold queue DC-401
dialer interfaces (figure) DC-394
dialer rotary group DC-393, DC-396, DC-401, DC-426
dialing configuration (example) DC-413
Frame Relay DC-403 to DC-404
Frame Relay (examples) DC-417
interface diagnostics DC-406
ISDN interfaces, enabling DC-425
ISO CLNS (example) DC-381, DC-410
LAPB (example) DC-419
LAPB, configuring DC-405
load threshold DC-401
multiple destinations DC-397, DC-428
multiple destinations (example) DC-413
PPP (example) DC-415
protocol access control DC-398
routing access control DC-399
timers, enabling DC-399
transparent bridging (example) DC-407
X.25 DC-405
X.25 encapsulation (example) DC-419
XNS (example) DC-410
ISDN caller ID callback DC-658
actions DC-658
BRI interface (example) DC-664
configuring DC-659
ISDN NFAS primary D-channel DC-325
non-V.25bis modems DC-364
PPP DDR
with authentication (example) DC-358
without authentication (example) DC-356
spokes
2-way client/server (examples) DC-378, DC-385
access lists DC-367
AppleTalk configuration (example) DC-380
bandwidth on demand DC-371
bridging access control DC-367
carrier wait time DC-370
configuring DC-361
connections, monitoring DC-375
DDR inbound traffic (example) DC-376
DECnet configuration (example) DC-380
dialer group assignment DC-369
dialer hold queue DC-371
DTR
calls DC-364, DC-366
dialing (example) DC-382
Frame Relay DC-373, DC-374
Frame Relay (example) DC-386, DC-387
interface
diagnostics DC-375
idle timer DC-370
priority in dialer rotary group DC-370
IP, configuring DC-378
ISDN interfaces, enabling DC-364
line down time DC-370
multiple calls to single destination DC-371
passive interface DC-364, DC-366
protocol access control DC-367
single site calls DC-365
spoke configuration (examples) DC-376 to DC-388
transparent bridging DC-368
transparent bridging (example) DC-377
X.25
DTR dialing (example) DC-387
encapsulation DC-374
XNS configuration (example) DC-381
V.120 incoming calls (example) DC-200
virtual profiles interoperability DC-490
limit base-size command DC-748
limit command DC-747
limit overflow-size command DC-748
line aux command DC-29
linecode b8zs command DC-262
linecode command DC-281, DC-756
linecode hdb3 command DC-260, DC-276
lines
asynchronous
rotary line queueing
configuring DC-26
automatic disconnect, configuring DC-163
compared to interfaces DC-5, DC-56
DDR asynchronous
downtime, enabling DC-370
individual connections, configuring DC-61
interfaces, relationship to DC-16
leased serial (example) DC-435
looped-back DC-596
modem chat scripts, activating for DC-168
modems, disabling DC-104
NM-8AM and NM-16AM analog modem leased line support DC-78
timeout interval, configuring DC-161
tty DC-16
types, description of DC-16
load threshold, dialer rotary DC-401, DC-433
local name command DC-532, DC-537
logical constructs
group asynchronous interfaces DC-6, DC-57
virtual template interfaces DC-6, DC-484
logical interfaces
dialer DC-8
virtual access DC-9
virtual asynchronous DC-10, DC-197
login authentication dialin command DC-70
login local command DC-649
loopback remote (interface) command DC-294
loopbacks
channelized E1
interface local DC-293
channelized T1, interface local DC-293
CSU/DSU, remote DC-294
LQM (Link Quality Monitoring)
keepalives, enabling LQRs DC-599
M
Managing Port Services on the Cisco AS5800 Universal Access Server feature DC-127
map class
dialer profiles, configuring DC-426
map class attributes, large-scale dial-out (table) DC-689
map-class dialer command DC-315, DC-426, DC-653
max-calls command DC-332
MIB, descriptions online xl
MICA In-Band Framing Mode Control Messages feature DC-94
MLP (Multilink Point-to-Point Protocol)
(example) DC-626
bandwidth allocation DC-667
See also BACP
bundles DC-619
caller ID authentication DC-612
configuration (example) DC-193
dialer rotary, configuring DC-612
Distributed MLP
configuration (example) DC-631
configuring DC-618
overview DC-617
T3 configuration (example) DC-631
topology DC-617
interfaces
asynchronous DC-611
BRI (examples) DC-628, DC-629
BRI multiple interfaces DC-612
BRI single interface DC-611
dialer rotary DC-612
synchronous DC-610
(example) DC-626
interleaving, weighted fair queuing DC-615
Inverse Multiplexer
configuration (example) DC-631
configuring DC-618
overview DC-617
T3 configuration (example) DC-631
topology DC-617
multiple BRI DC-612
overview DC-610
real-time traffic
(example) DC-630
interleaving DC-615, DC-616
interleaving (example) DC-630
rotary group
BRI members, configuring DC-613
Stacker compression DC-195
virtual profiles
cloning sequence (table) DC-491
interoperability DC-491
weighted fair queuing DC-615
MMP (Multichassis Multilink PPP)
bundle DC-633
call handling and bidding DC-634
configuration requirements DC-635
dialer explicitly defined (example) DC-639
dialer not explicitly defined (example) DC-640
dialer not used (example) DC-638
digital and analog traffic DC-633
interfaces supported DC-636, DC-644
offload server (example) DC-640
overview DC-633
platforms supported DC-636, DC-644
PRI (example) DC-638
stack group members
call ownership DC-634
calls, answering DC-634
configuring DC-636
stack groups DC-634
typical configuration (example) DC-635
virtual interfaces, monitoring DC-637
virtual template interfaces
(caution) DC-638
configuring DC-637
virtual profiles
configuring DC-496
specifying DC-498
modem answer-timeout command DC-161, DC-163
modem at-mode command DC-77
modem attention (AT) commands DC-76, DC-77
2-wire leased-line support DC-78
modem autoconfigure command DC-146
modem bad command DC-102
modem buffer-size command DC-96
modem busyout command DC-104
modem busyout threshold command DC-104
modem callin command DC-149
modem callout command DC-163
modem connections
See modems, connections
modem country mica command DC-69
modem country microcom_hdms command DC-69
modem cts-required command DC-162
modem dialin command DC-70, DC-159, DC-160, DC-166
modem dtr-active command DC-159
modem hold-reset command DC-102
modem inout command DC-160
modem link-info poll time command DC-93
modem management
AT commands DC-77
busy out modem card DC-104
Call Tracker, configuring DC-91
connection speed, verifying DC-111
diagnostics DC-96
incoming V.110 modem calls DC-189, DC-190
inoperable modems DC-102
MIB traps DC-104
(example) DC-107
modem activity, monitoring DC-84
modem control function event buffer DC-102
NAS health, monitoring DC-104
reject incoming call DC-267
statistics
connected AT sessions DC-96
event polling DC-96
modem-mgmt csm debug-rbs command DC-763
modem poll retry command DC-96
modem poll time command DC-96
modem pooling
benefits DC-83
description DC-82
monitoring DC-84
physical partitioning
description DC-85
dial-in (example) DC-86
dial-in and dial-out (example) DC-88
network topology DC-86
restrictions DC-83
virtual partitioning
description DC-90
dial-in (example) DC-90
network topology DC-90
modem recovery-time command DC-102
modems
AUX (table) DC-871
busyout cards in Cisco AS5800 DC-104
chat scripts DC-171, DC-869
close connection DC-162
communication, starting DC-152
configuring using modem commands DC-76
connections
stopping DC-162
testing DC-151
troubleshooting DC-154
data compression DC-77, DC-155
DCD operation DC-149
dial-in DC-149, DC-160
dial-out DC-160
digital network module DC-205
direct Telnet sessions DC-152
displaying statistics DC-95
DTR interpretation DC-149
EC/compression DC-869
(table) DC-869
error correction DC-155
external, configuring DC-145, DC-146
features list DC-63
flowcontrol, configuring DC-149
high-speed
(figure) DC-160
configuring DC-159
incoming calls DC-149
rejecting by type DC-267
rejecting by type (example) DC-299
initialization strings DC-872
inoperable DC-102
integrated, configuring DC-63, DC-76
ISDN, use over DC-205
See also ISDN BRI
line configuration
continuous CTS (figure) DC-162
incoming and outgoing calls (figure) DC-161
modem call-in (figure) DC-150
modem call-out (figure) DC-164
line timing, configuring DC-161
log event, clearing DC-139
MICA
command summary DC-73
in-band framing mode control messages DC-94
link statistics, configuring DC-93
modem attention commands DC-76
PIAFS, enabling DC-319
Microcom, clearing DC-99
modem commands, integrated modems DC-77
NextPort SPE, command summary DC-73
non-V.25bis DTR DC-364, DC-392
overview DC-58
physical partitioning DC-85
platform-specific (table) DC-871
protocols, enabling DC-136
remote IP users, enabling DC-136
reverse connections DC-163
scripts (examples) DC-872
show line command DC-138
troubleshooting DC-71, DC-154
V.110
bit rate padding DC-190
screening incoming calls DC-189
V.120 asynchronous access DC-199
V.90 portware DC-206
V.90 standard DC-64
virtual partitioning DC-90
modem shutdown command DC-102, DC-104
modem status-poll command DC-96
modes
See command modes
Monitoring Resource Availability on Cisco AS5300, AS5400, and AS5800 Universal Access Servers feature DC-104
MPPC (Microsoft Point-to-Point Compression)
compression scheme DC-601
protocol field compression flag DC-603
MPPE encryption DC-510
MS Callback DC-653
configuring DC-654
LCP callback option DC-654
Microsoft Callback Control protocol (MSCB) DC-653
multicasts, asynchronous serial traffic over UDP DC-45
multilink command DC-755
multilink virtual-template command DC-483, DC-489, DC-637
multiple switch types
BRI interface, configuring DC-182
PRI interface
configuration (example) DC-298
configuring DC-270
restrictions DC-270
N
NAS (network access server)
call type matching DC-731
Cisco RPMS DC-733
definition DC-508
RPM
standalone DC-733
See also VPN, NAS
NAS-initiated VPNs DC-509
NAT (Network Address Translation)
(example) DC-479
automatic timeout DC-479
dialer interface, defining DC-478
Easy IP DC-475
LAN interface, defining DC-477
NAT pool, defining DC-477
NetBEUI (NetBIOS Extended User Interface)
connection information DC-584
remote clients over PPP DC-584
new information in this release xli
NFAS (Non-Facility Associated Signaling)
alternate route index DC-316
configuration (example) DC-324
configuring DC-316
groups, monitoring DC-319
NTT PRI
configuring DC-317
verifying DC-317
prerequisites DC-316
PRI groups, configuring DC-315, DC-316
switch types DC-316
no flush-at-activation command DC-94
notes, usage in text xlii
NSF (Network-Specific Facilities)
call-by-call support
configuring DC-269
restriction DC-269
number command DC-743
O
Outbound Circuit-Switched X.25 Support feature DC-228
P
packets, interesting DC-398
PAD (packet assembler/disassembler)
PPP over X.25
(example) DC-863
overview DC-862
PAP (Password Authentication Protocol)
authentication request DC-598
CHAP authentication order DC-598
peer default ip address command DC-33, DC-607
peer default ip address pool command DC-607
peer default ip address pool dhcp command DC-607
peer neighbor-route command DC-608
per-user configuration
AAA
RADIUS server, configuring DC-707, DC-735
server storage location DC-699, DC-721
TACACS server user profile (example) DC-488
authentication and authorization phases DC-701
AV pairs (table) DC-703
debugging commands (table) DC-708
dial-in features DC-699
IP
TACACS (example) DC-709
virtual profiles (example) DC-709, DC-712
IP address pooling
(example) DC-702, DC-723
operational process DC-701
IPXWAN, virtual profiles serial interface
(example) DC-711, DC-718, DC-742
large-scale dial-out DC-701
monitoring DC-708
overview DC-699, DC-700, DC-721
RADIUS
IP (example) DC-712
IPX (example) DC-718
TACACS server
CiscoSecure, configuring DC-706
freeware DC-706
freeware (example) DC-711, DC-742
virtual access interfaces
creation DC-701
duration and resources DC-701
selective creation DC-485
selective creation (example) DC-487
VPN DC-538
PIAFS (Personal-Handyphone-System Internet Access Forum Standard)
configuring DC-320
description DC-319
PIAFS Wireless Data Protocol for MICA Modems feature DC-319
platforms, supported
Feature Navigator, identify using liii
release notes, identify using liii
pool-member command DC-536
POP (point of presence)
large-scale dial
configuration (examples) DC-852
scaling DC-847
stacking overview DC-848
remote DC-581
small-to-medium-scale dial
configuration (examples) DC-837
port modem autotest command DC-139
ports
UPC, configuring DC-137
PPP
AppleTalk over, configuring DC-580, DC-602
asynchronous access, ISDN lines DC-199
automatic sessions, starting DC-27
callback DC-653
(example) DC-654
authentication DC-651
client, configuring DC-652
client-server application DC-651
DDR DC-651 to DC-655
outgoing lines DC-645
retries DC-652, DC-658
server, configuring DC-653
support required DC-651
CHAP and PAP, authentication order DC-598
compressions
hardware-dependent DC-600
lossless data DC-600
Microsoft DC-601
platform support DC-601
software DC-600
connections DC-582
encapsulations
enabling DC-598
interfaces, configuring DC-367, DC-398
legacy DDR DC-395
half-bridging
(figure) DC-609
configuring DC-608
IP
address negotiation DC-603
address pooling DC-603
configuring over DC-578
IPX
asynchronous interfaces DC-579
configuring DC-578
header compression DC-585
Magic Number support DC-634
MMP DC-633 to DC-637
MPPC
compression scheme DC-601
protocol field compression flag DC-603
MS Callback
LCP callback option DC-654
Microsoft Callback Control Protocol (MSCB) DC-653
network-layer protocols, configuring DC-578
peer neighbor routes
dialer interface effect DC-608
disabling DC-608
group-async interface effect DC-608
PPP-IP
asynchronous interfaces, configuring DC-41
reliable link DC-607
SLIP banner DC-587
(example) DC-589
tokens DC-587
SLIP BOOTP requests DC-576
telecommuting configuration (example) DC-576, DC-596
virtual terminal lines DC-575, DC-595
ppp authentication chap command DC-367, DC-395, DC-398, DC-427, DC-486, DC-613, DC-637, DC-652
ppp authentication command DC-598
ppp authentication pap command DC-395, DC-612, DC-652
ppp bap call accept command DC-241
ppp bap callback accept command DC-239, DC-671
ppp bap callback request command DC-241
ppp bap call request command DC-240, DC-671
ppp bap call timer command DC-672
ppp bap drop after-retries command DC-672
ppp bap link types analog command DC-671, DC-672
ppp bap link types isdn analog command DC-672
ppp bap max dial-attempts command DC-671, DC-672
ppp bap max dialers command DC-671, DC-672
ppp bap max ind-retries command DC-671, DC-672
ppp bap max req-retries command DC-671, DC-672
ppp bap monitor load command DC-671
ppp bap number command DC-244
ppp bap number default command DC-671, DC-672
ppp bap number prefix command DC-243
ppp bap number secondary command DC-671, DC-672
ppp bap timeout response command DC-671, DC-672
ppp bridge appletalk command DC-609
ppp bridge ip command DC-609
ppp bridge ipx command DC-609
ppp callback accept command DC-653
ppp callback initiate command DC-645
ppp callback request command DC-652
ppp command DC-582
ppp multilink bap command DC-238, DC-239, DC-240, DC-670
ppp multilink bap required command DC-670, DC-683
ppp multilink command DC-610, DC-611, DC-612, DC-619, DC-637
ppp multilink endpoint command DC-615
ppp multilink fragment delay command DC-616
ppp multilink fragment disable command DC-620
ppp multilink group command DC-619
ppp multilink idle-link command DC-238, DC-242, DC-244
ppp quality command DC-600
ppp reliable-link command DC-608
ppp use-tacacs command DC-395, DC-599
pptp flow-control receive-window command DC-534
pptp flow-control static-rtt command DC-534
pptp tunnel echo command DC-534
Preauthentication with ISDN PRI and Channel-Associated Signaling feature DC-732
Preauthentication with ISDN PRI feature DC-268
pri-group command DC-260, DC-262
pri-group timeslots nfas d command DC-317
printer connections
See connections, printers
privileged EXEC mode, summary of xlviii
profiles
dialer DC-660
large-scale dial-out user DC-685
RPM
backup customer DC-724, DC-747
call discriminator DC-728, DC-731
customer DC-723
default customer DC-724
template DC-724
virtual DC-491, DC-501
prompts, system xlviii
protocols, Combinet Proprietary Protocol DC-264, DC-321
Q
QoS (quality of service), preserving over VPNs DC-539
question mark (?) command xlviii
queueing
fancy, ISDN traffic shaping DC-426
queues, dialer hold DC-371, DC-401
R
R1 modified signaling, configuring DC-290
R2 signaling DC-285
system requirements DC-275
RADIUS
attributes
large-scale dial-out, (table) DC-688
server AV pair DC-704
servers DC-700
radius-server host command DC-702
radius-server key command DC-683, DC-702
RCAPI (Remote Common Application Programming Interface)
B-channel protocols supported DC-249
configuration (examples) DC-252
maintaining DC-252
overview DC-247
rcapi number command DC-251
rcapi server port command DC-251
redial
legacy DDR hubs, configuring DC-402
legacy DDR spokes, configuring DC-372
redistribute static command DC-378, DC-412
Redundant Dial Shelf Controller feature DC-118
release notes
See platforms, supported
reload components command DC-117
Remote Common Application Programming Interface for Cisco 800 Series Routers feature DC-247
remote loopback, remote DDS CSU/DSU DC-294
remote office routers, configuring DC-796, DC-799
remote offices
enterprise dial DC-788
service provider dial DC-788
remote PCs
large-scale dial DC-788
PPP over X.25 DC-788
small-scale dial DC-788
VPDN dial DC-788
request dialin command DC-534
request-dialout command DC-536
resource command DC-747
resource-pool aaa protocol command DC-742
resource-pool aaa protocol group local command DC-747
resource-pool call treatment profile command DC-742
resource-pool call treatment resource command DC-742
resource-pool enable command DC-742
resource-pool profile customer command DC-747, DC-750, DC-754
resource-pool profile vpdn command DC-754
Return key
modem chat script, adding code for DC-167
reverse Telnet
See Telnet, direct sessions
RFC
full text, obtaining xl
RFC 1055, SLIP DC-575
RFC 1144, TCP/IP header compression DC-34, DC-583
RFC 1331, PPP DC-575
RFC 1332, IPCP DC-575
RFC 1334, CHAP and PAP protocols DC-597, DC-636
RFC 1570, PPP callback DC-651
RFC 1661, PPP encapsulation DC-595
RFC 1663, PPP Reliable Transmission DC-607
RFC 1989, PPP link quality monitoring DC-599
RFC 1994, CHAP protocol DC-597, DC-636
rlogin trusted-localuser-source radius command DC-862
rlogin trusted-remoteuser-source local command DC-862
RMP (Resource Manager Protocol), communication protocol for RPMS DC-739
robbed-bit signaling
(examples) DC-300
analog calls DC-258
configuring DC-274
ROM monitor mode, summary of xlviii
rotary command DC-26
rotary-group command DC-536
rotary groups
configuring DC-25
dialer DC-363
route cache invalidation, configuring DC-587
routers
dedicated dial-in (example) DC-43
IGRP dial-in (example) DC-44
routing
asynchronous DC-31
default DC-31
DDR, supported protocols DC-351, DC-366
unnumbered interfaces (example) DC-42
RPM (Resource Pool Management)
AAA accounting records DC-730
AAA components DC-763
AAA server groups DC-751
backup customer profiles DC-747
call discrimination, configuring DC-744
call discriminator profiles DC-728, DC-731
call processes DC-728
call treatments (table) DC-728
call types DC-725
CLID DC-725
CLID/DNIS screening DC-731
configuration (examples) DC-768 to DC-777
configuring DC-756
customer profiles DC-747
default DC-747
templates DC-724 to DC-750
types DC-723
dialer components DC-762
direct remote services (example) DC-774
DNIS groups DC-725
configuring DC-743
troubleshooting DC-763
verifying DC-759
incoming call management DC-722, DC-729
outgoing call management DC-722, DC-729
overview DC-721
profiles
backup customer DC-724
default customer DC-724
resource group manager DC-762
resource groups DC-726, DC-746, DC-758
configuring DC-746
resource pooling states DC-761
resource services DC-726
service profiles, configuring DC-746
session limits DC-735
signaling stack DC-762
standalone NAS DC-733
supported call types DC-725
troubleshooting DC-760
verifying DC-757
VPDN groups
configuring DC-752
description DC-727
responsibility DC-763
verifying DC-759
VPDN profiles DC-727, DC-752, DC-763
RPMS (Resource Pool Manager Servers)
resource groups and DC-744
RMP, relationship to DC-739
troubleshooting DC-767
S
script arap-callback command DC-647
script callback command DC-645, DC-646
script dialer command DC-696
Semipermanent Circuit Support on ISDN PRI feature DC-265, DC-322
serial interfaces
dial backup DC-449 to DC-454
(examples) DC-452
asynchronous interfaces (example) DC-452
configuring DC-450
ISDN interfaces (example) DC-453
line delay DC-452
traffic load threshold DC-451
See also interfaces
server connections
PPP DC-582, DC-583
SLIP DC-583
servers
RADIUS DC-700
AV pairs DC-704
TACACS DC-700
AV pairs DC-704
service exec-callback command DC-646
service internal command DC-762
service providers
large-scale dial DC-847
PPP over X.25 dial DC-862
small-to-medium-scale dial DC-837
set 1 number command DC-803
set 2 number command DC-803
set bridging command DC-803
set bridging off command DC-799
set callerid command DC-800
set default command DC-799
set dhcp dns primary command DC-803
set dhcp domain command DC-803
set dhcp server command DC-803
set dhcp wins command DC-803
set encapsulation ppp command DC-799, DC-803
set ip address command DC-799
set ip command DC-799
set ip framing command DC-803
set ip pat command DC-803
set ip route destination command DC-799, DC-803
set ip routing command DC-799, DC-803
set localaccess protected command DC-800
set password system command DC-800
set ppp authentication incoming chap command DC-800
set ppp multilink command DC-799, DC-803
set ppp secret client command DC-799, DC-803
set remoteaccess protected command DC-800
set systemname command DC-799, DC-803
set timeout command DC-799
set user nas command DC-799, DC-803
sgbp dial-bids command DC-685
sgbp group command DC-636, DC-682
sgbp member command DC-636
sgbp seed-bid command DC-640
sgbp seed-bid default command DC-640
sgbp seed-bid offload command DC-640
shelf-id command DC-117
show appletalk traffic command DC-376, DC-406, DC-433
show async bootp command DC-21
show async status command DC-21
show buffers command DC-181, DC-206
show busyout command DC-104
show caller command DC-546
show controllers bri command DC-192, DC-273, DC-338
show controllers e1 command DC-272, DC-337
show controllers t1 command DC-272
show debugging command DC-549
show decnet traffic command DC-376, DC-406, DC-433
show diag command DC-205
show dialer command DC-192, DC-272, DC-273, DC-375, DC-406, DC-444, DC-661, DC-672, DC-745
show dialer dnis command DC-756, DC-759
show dialer map command DC-672
show dialer sessions command DC-690
show dial-shelf clocks command DC-120
show dsi command DC-126
show dsip clients command DC-125
show dsip command DC-125
show dsip nodes command DC-125
show dsip ports command DC-125
show dsip queue command DC-125
show dsip tracing command DC-125
show dsip transport command DC-126
show dsip version command DC-126
show interface async command DC-22
show interfaces bri command DC-181, DC-192, DC-206, DC-375, DC-406, DC-433
show interfaces serial bchannel command DC-273
show interfaces serial command DC-337
show interfaces virtual-access command DC-486
show interface virtual-access command DC-546
show ip access-list command DC-708
show ip interface command DC-708
show ip local pool command DC-708
show ip protocols command DC-708
show ip route command DC-684, DC-690, DC-708
show ip socket command DC-48
show ipx access-list command DC-708, DC-736
show ipx interface command DC-375, DC-406, DC-433, DC-708
show ipx route command DC-708
show ipx servers command DC-708
show isdn command DC-192, DC-272, DC-273, DC-315, DC-337
show isdn nfas group command DC-319
show isdn service command DC-319
show line async-queue command DC-26
show line command DC-21, DC-26, DC-138
show modem call-stats command DC-99
show modem command DC-111
show modem connect-speeds command DC-111
show port config command DC-141
show port digital log command DC-141
show port modem log command DC-142
show port modem test command DC-142
show port operational-status command DC-142
show ppp bap group command DC-672
show ppp bap queues command DC-672
show ppp multilink command DC-637, DC-672
show process cpu command DC-600, DC-601
show rcapi status command DC-252
show redundancy command DC-125
show resource-pool call command DC-757
show resource-pool customer command DC-750, DC-757
show resource-pool discriminator command DC-758
show resource-pool resource command DC-758
show resource-pool vpdn group command DC-754
show resource-pool vpdn profile command DC-754
show run command DC-106
show running-config command DC-210, DC-759
show sgbp command DC-637
show sgbp queries command DC-637
show snapshot command DC-444
show spe command DC-141
show spe digital active command DC-142
show spe digital command DC-142
show spe digital csr command DC-142
show spe digital disconnect-reason command DC-142
show spe digital summary command DC-142
show spe log command DC-141
show spe modem active command DC-125, DC-126, DC-143
show spe modem command DC-144
show spe modem csr command DC-143
show spe modem disconnect-reason command DC-143
show spe modem speed command DC-144
show spe version command DC-141
show version command DC-118
show vines traffic command DC-376, DC-406, DC-433
show vpdn command DC-547
show vpdn multilink command DC-755
show vpdn tunnel command DC-547
show xns traffic command DC-376, DC-406, DC-433
shutdown command DC-486
signaling
channel-associated analog calls DC-258
E1 R2
configuration (example) DC-308
configuring DC-285
countries supported DC-283
country settings DC-285
overview DC-282
parameters DC-285
sample topology DC-283
troubleshooting DC-288
in-band DC-258
out-of-band DC-258
R1 modified DC-289
R2 DC-285
clock source DC-291, DC-292
encoding options DC-291, DC-292
framing options DC-291, DC-292
robbed-bit DC-258
SLIP (Serial Line Internet Protocol)
(examples) DC-588
automatic sessions, starting DC-27
defined DC-583
IP, configuring over DC-578
IP-SLIP (example) DC-41
PPP banner DC-587
(example) DC-589
tokens DC-587
PPP BOOTP requests DC-576
server connections DC-583
telecommuting configuration (example) DC-576
snapshot client command DC-443, DC-445
snapshot routing DC-441 to DC-445
client router, configuring DC-443
interface diagnostics DC-444
monitoring DC-444
overview DC-441
periods
active DC-442
quiet DC-442
quiet periods, stopping DC-444
routed protocols supported DC-442
routing information exchange DC-441
server configuration (example) DC-445
server router, configuring DC-444
snapshot server command DC-444
snmp-server enable traps ds0-busyout command DC-105
snmp-server enable traps isdn chan-not-avail command DC-106
snmp-server enable traps modem-health command DC-106
source template command DC-724, DC-750
SPE (Service Processing Element)
country code DC-132
digital statistics DC-142
download maintenance DC-140
firmware DC-67, DC-128, DC-133
country name, specifying DC-132
firmware statistics DC-141
lines and ports
configuring DC-136
verifying DC-138
log events DC-139
modem statistics DC-143
performance statistics
configuring DC-138
viewing DC-141
port statistics DC-141
reboot DC-135
recovery DC-140
shutdown DC-135
troubleshooting DC-139
verifying DC-138
spe call-record modem command DC-138
spe country command DC-69
speeds
modem, verifying DC-111
spe log-event-size command DC-138
stack groups
large-scale dial-out DC-681
MMP DC-634
PRI hunt groups DC-634
switched 56K
analog calls DC-279
benefits DC-278
BRI bearer capability DC-280
call processing components DC-280
configuring DC-281
ISDN BRI traffic DC-281
overview DC-279
prerequisites DC-278
switched 56K over CT1 RBS
56K and modem calls (example) DC-301
call processing components DC-280
configuration (example) DC-301
description DC-280
ISDN BRI solution DC-281
prerequisites DC-278
restrictions DC-278
sample topology DC-279
startup configuration (example) DC-302
T1 CAS line provisioning DC-302
switch types
ISDN BRI (table) DC-181
ISDN NFAS DC-316
ISDN PRI (table) DC-261
North American ISDN DC-176, DC-259
voice systems DC-180
T
T1 voice channels, configuring DC-277
T3 controllers, MLP configuration (example) DC-631
Tab key, command completion xlviii
TACACS
AV pairs DC-704
servers DC-700
tacacs-server host command DC-683
tacacs-server key command DC-683
Taiwan, ISDN Sending Complete information element DC-189, DC-268
TCP
connection attempt time, configuring DC-585
TCP/IP header compression
(example) DC-42
configuring DC-34, DC-584
EXEC-level DC-35
Van Jacobsen DC-34
TCP Clear Performance Optimization feature DC-779
tcpdump DC-107
TCP header compression
See TCP/IP, header compression
TEI (terminal endpoint identifier), ISDN interfaces
configuring DC-186
(example) DC-295
configuring static DC-266
(example) DC-299
defaults DC-186, DC-266
telecommuting configuration (example) DC-576
Telnet
automatic rotary line queueing DC-25
connection, queued request DC-25
direct sessions
(example) DC-153
starting DC-152
stopping DC-153
verifying DC-153
TCP Clear performance optimization DC-779, DC-780
terminal
EXEC process DC-30
V.120 asynchronous DC-198
terminate-from command DC-535
test modem back-to-back command DC-96
test port modem back-to-back command DC-139
timers, dialer
carrier wait time, enabling DC-400
disconnect DC-329
configuration (example) DC-342
enable-timeout DC-659, DC-660
fast idle, enabling DC-370
idle reset, enabling DC-367
line down-time, enabling DC-370
line idle, enabling DC-400
wait for carrier DC-659
enabling DC-370
ToS (type of service), preserving over VPNs DC-539
transparent bridging
dialer profiles
interfaces, configuring DC-432
legacy DDR, access (example) DC-377, DC-407
transport command DC-70
transport input command DC-201
transport output command DC-46
traps
modem MIB DC-104
(example) DC-107
trunkgroup (dial-peer) command DC-332
trunk group (global) command DC-332
trunk-group (interface) command DC-332
tty lines
configuring DC-16
numbering scheme (table) DC-61
relationship to interfaces DC-15
tunnel command DC-582
tunneling
packet, asynchronous host roaming DC-581
VPN
authorization search order DC-518
local tunnel authentication DC-530
local tunnel authentication (examples) DC-565
U
UDPTN (User Datagram Protocol Telnet)
configuring DC-46
overview DC-45
udptn command DC-47
user EXEC mode, summary of xlviii
username callback-dialstring command DC-645, DC-646, DC-647
username callback-line command DC-645, DC-646, DC-647
username callback-rotary command DC-645, DC-647
username command DC-396, DC-599, DC-645, DC-808
username nocallback-verify command DC-646
usernames, maximum links (example) DC-621
V
V.110 modem calls, selective filtering of incoming DC-189
V.120 Modem Standard DC-66
V.120 standard
dynamic detection DC-199
dynamic detection (example) DC-200
ISDN asynchronous communications DC-198
on virtual asynchronous interface DC-198
V.90 modem standard DC-64
VINES
DDR, configuring DC-354
dialer profiles DC-428
vines access-list command DC-354, DC-428
virtual access interfaces
configuration information sources DC-484
configuration rules DC-490
creation criteria DC-485
description DC-9
dynamic DC-489, DC-699
monitoring DC-486
selective creation DC-485
(example) DC-487
two configuration sources (example) DC-484
virtual asynchronous interfaces
description DC-10
ISDN traffic over DC-197
V.120 support DC-198
virtual-profile aaa command DC-497, DC-498
virtual-profile if-needed command DC-486
virtual profiles
AAA
configuration (example) DC-494, DC-501, DC-504
configuring DC-493, DC-495, DC-497
per-user configuration
TACACS+ user profile
(example) DC-488
configured by virtual template on PPP
(example) DC-487
interoperations, legacy DDR DC-490
MLP
cloning sequence (table) DC-491
configuration requirements DC-491
interoperations DC-491
per-user configuration DC-700, DC-701
physical interface interoperation, configuring DC-490
user-specific interface configuration DC-492
virtual access interfaces
cloning sequence (table) DC-491
selective creation DC-485
selective creation (example) DC-487
virtual template and AAA
configuration (example) DC-494, DC-495, DC-502, DC-515
configuring DC-497
virtual template interfaces
configuration (example) DC-499
configuring DC-492, DC-493
information, defining DC-492
physical interface overrides DC-492
See also virtual template interfaces
virtual templates
configuring DC-496
interoperability DC-491
virtual-profile virtual-template command DC-483, DC-498
virtual-template command DC-535
virtual template interfaces
configuration (examples) DC-486 to DC-488
configuration commands contained in DC-493
configuration service (example) DC-487, DC-493
configuring DC-486, DC-496, DC-498, DC-637
features DC-485
IP unnumbered DC-486, DC-496, DC-498
limitations DC-483
monitoring DC-486
overview DC-484, DC-489
per-user configuration DC-699
stack groups, configuring DC-637
virtual profiles on PPP (example) DC-487
Index
IN-915
Cisco IOS Dial Technologies Configuration Guide
VPN, configuring DC-535
Virtual Template Interface Service feature DC-484
voluntary tunneling
See client-initiated VPNs
VPDN (virtual private dialup network)
See VPDN groups; VPDN profiles; VPN
vpdn enable command DC-530
vpdn-group command DC-534, DC-754, DC-755
VPDN groups, description DC-727
vpdn history failure table-size command DC-542
vpdn logging command DC-542
vpdn logging history failure command DC-542
vpdn profile command DC-754
VPDN profiles, description DC-727
vpdn search-order command DC-535
vpdn session-limit command DC-540
vpdn softshut command DC-541
VPN (Virtual Private Network)
AAA
component interface DC-763
configuring DC-524
negotiation, troubleshooting DC-560
client-initiated architecture DC-509
configuration (examples) DC-563 to DC-569, DC-775
configuration modes DC-521
control packet problem, troubleshooting DC-557
debug commands DC-548
debug output, verifying DC-549
dial-in
configuring DC-534
configuring, (example) DC-566 to DC-568
L2F DC-511
protocol negotiation DC-512
tunnel authentication DC-514
verifying DC-542
L2TP
AAA tunnel definition lookup DC-519
call sequence DC-517
debug output DC-549
PPTP DC-509
flow control alarm DC-510
protocol negotiation DC-510
topology DC-545
virtual template, configuring DC-535
dial-out
configuration (example) DC-568
dialers, configuring DC-529
L2TP DC-520 to DC-521
L2TP debug output DC-550
hardware terminology DC-508
technology-specific terms DC-509
IP ToS preservation DC-539
load sharing (example) DC-776
monitoring and maintaining DC-547
NAS
debug output DC-549, DC-550
definition DC-508, DC-577
dial-in, configuring DC-534
(example) DC-566
dial-out, configuration (example) DC-568
dial-out, configuring DC-537
outgoing connections DC-519
tunnel authorization search order DC-518
NAS-initiated architecture DC-509
per-user configuration DC-538
PPP negotiation, troubleshooting DC-559
prerequisites DC-523
QoS preservation DC-539
topology DC-545
troubleshooting DC-548, DC-764 to DC-767
tunnel authentication
configuration (examples) DC-565
configuring DC-530
tunnel lookup
DNIS DC-519
host name DC-519
tunnel secret, troubleshooting DC-555
tunnel server
debug output DC-550, DC-551
definition DC-508
dial-in, configuring DC-535
(example) DC-567
dial-out, configuring DC-536
(example) DC-569
tunnel session limit, configuring DC-540
tunnel shutdown DC-540
tunnel soft shutdown, configuring DC-541
verifying DC-542
virtual template, configuring DC-535
VPDN MIB and Syslog Facility
event logging, configuring DC-542
supported objects DC-508
table history size, configuring DC-542
VPN group commands (table) DC-523
VPN subgroup commands (table) DC-522
vty-arap command DC-643
vty-async command DC-200
vty-async dynamic-routing command DC-580
vty-async ipx ppp-client loopback command DC-580
vty-async virtual-template command DC-201
W
where command DC-153
X
X.25
address mapping DC-405
DTR dialing (example) DC-419
dynamic circuit-switched client DC-228
ISDN D channel DC-228
configuration (example) DC-229
configuring DC-229, DC-236
overview DC-227
legacy DDR
dialers supported DC-374, DC-405
DTR dialing (example) DC-387, DC-419
mapping protocol address to remote host DC-375
networks, PPP calls over DC-862
See also AO/DI, clients, X.25; AO/DI, servers, X.25
x25 address command DC-240, DC-241, DC-375, DC-405
x25 aodi command DC-242
x25 htc command DC-240
x25 map command DC-375, DC-405
x25 map ppp command DC-237, DC-242, DC-243
x25 win command DC-240
x25 wout command DC-240
XNS (Xerox Network Systems)
DDR, configuring DC-355
dialer profiles, configuring DC-430
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
User Guide for the Cisco Application Networking Manager 5.2
February 2012
Text Part Number: OL-26572-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
User Guide for the Cisco Application Networking Manager 5.2
© 2011 Cisco Systems, Inc. All rights reserved.
iii
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
CONTENTS
Preface ix
Audience ix
Organization ix
Conventions xi
Open-Source Software Included in the Cisco Application Networking Manager xi
Obtaining Documentation and Submitting a Service Request xii
CHAPTER 1 Overview 1-1
ANM Overview 1-1
IPv6 Considerations 1-3
Logging In To the Cisco Application Networking Manager 1-5
Changing Your Account Password 1-6
ANM Licenses 1-7
ANM Interface Components 1-8
ANM Windows and Menus 1-9
ANM Buttons 1-11
Table Conventions 1-14
Filtering Entries 1-14
Customizing Tables 1-15
Using the Advanced Editing Option 1-16
ANM Screen Conventions 1-17
CHAPTER 2 Using Homepage 2-1
Information About Homepage 2-1
Customizing the Default ANM Page 2-4
CHAPTER 3 Using ANM Guided Setup 3-1
Information About Guided Setup 3-1
Guidelines and Limitations 3-4
Using Import Devices 3-4
Using ACE Hardware Setup 3-5
Using Virtual Context Setup 3-10
Using Application Setup 3-12
ACE Network Topology Overview 3-12
Using Application Setup 3-14
CHAPTER 4 Using Application Template Definitions 4-1
Information About Application Template Definitions and Instances 4-1
Managing Application Template Instances 4-3
Creating an Application Template Instance 4-4
Deploying a Staged Application Template Instance 4-7
Editing an Application Template Instance 4-9
Duplicating an Application Template Instance 4-10
Viewing and Editing Application Template Instance Details 4-12
Deleting an Application Template Instance 4-13
Managing Application Template Definitions 4-15
Editing an Application Template Definition 4-15
Editing an Application Template Definition Using the ANM Template Editor 4-18
Editing an Application Template Definition Using an External Editor 4-19
Creating an Application Template Definition 4-20
Creating an Application Template Definition Using the ANM Template Editor 4-21
Creating an Application Template Definition Using an External XML Editor 4-23
Exporting an Application Template Definition 4-26
Importing an Application Template Definition 4-26
Testing an Application Template Definition 4-28
Deleting an Application Template Definition 4-29
Using the ANM Template Editor 4-29
CHAPTER 5 Importing and Managing Devices 5-1
Information About Device Management 5-2
Information About Importing Devices 5-4
Preparing Devices for Import 5-4
Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers 5-5
Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance 5-6
Enabling SNMP Polling from ANM 5-7
ANM Requirements for ACE High Availability 5-8
Modifying the ANM Timeout Setting to Compensate for Network Latency 5-9
Importing Network Devices into ANM 5-10
Importing Cisco IOS Host Chassis and Chassis Modules 5-11
Importing Cisco IOS Devices with Installed Modules 5-12
Importing ACE Modules after the Host Chassis has been Imported 5-16
Importing CSM Devices after the Host Chassis has been Imported 5-19
Importing VSS 1440 Devices after the Host Chassis has been Imported 5-20
Importing ACE Appliances 5-21
Importing CSS Devices 5-22
Importing GSS Devices 5-23
Importing VMware vCenter Servers 5-24
Enabling a Setup Syslog for Autosync for Use With an ACE 5-27
Discovering Large Numbers of Devices Using IP Discovery 5-27
Preparing Devices for IP Discovery 5-28
Configuring Device Access Credentials 5-29
Modifying Credential Pools 5-30
Running IP Discovery to Identify Devices 5-31
Monitoring IP Discovery Status 5-33
Configuring Devices 5-34
Configuring Device System Attributes 5-34
Configuring CSM Primary Attributes 5-34
Configuring CSS Primary Attributes 5-35
Configuring GSS Primary Attributes 5-36
Configuring Catalyst 6500 VSS 1440 Primary Attributes 5-38
Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes 5-38
Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers Static Routes 5-39
Configuring VMware vCenter Server Primary Attributes 5-41
Configuring Catalyst 6500 Series Chassis or Cisco 7600 Series Router Interfaces 5-41
Displaying Chassis Interfaces and Configuring High-Level Interface Attributes 5-42
Configuring Access Ports 5-43
Configuring Trunk Ports 5-44
Configuring Switch Virtual Interfaces 5-45
Configuring Routed Ports 5-46
Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs 5-48
Adding Device VLANs 5-48
Displaying All Device VLANs 5-49
Configuring Device Layer 2 VLANs 5-50
Configuring Device Layer 3 VLANs 5-51
Modifying Device VLANs 5-51
Creating VLAN Groups 5-52
Configuring ACE Module and Appliance Role-Based Access Controls 5-53
Configuring Device RBAC Users 5-53
Guidelines for Managing Users 5-53
Displaying a List of Device Users 5-54
Configuring Device User Accounts 5-54
Modifying Device User Accounts 5-55
Deleting Device User Accounts 5-56
Configuring Device RBAC Roles 5-56
Guidelines for Managing User Roles 5-57
Role Mapping in Device RBAC 5-57
Configuring Device User Roles 5-58
Modifying Device User Roles 5-60
Deleting Device User Roles 5-60
Adding, Editing, or Deleting Rules 5-61
Configuring Device RBAC Domains 5-61
Guidelines for Managing Domains 5-62
Displaying Domains for a Device 5-62
Configuring Device Domains 5-63
Modifying Device Domains 5-65
Deleting Device Domains 5-65
Managing Devices 5-66
Synchronizing Device Configurations 5-66
Synchronizing Chassis Configurations 5-67
Synchronizing Module Configurations 5-67
Mapping Real Servers to VMware Virtual Machines 5-68
Instructing ANM to Recognize an ACE Module Software Upgrade 5-71
Configuring User-Defined Groups 5-72
Adding a User-Defined Group 5-72
Modifying a User-Defined Group 5-73
Duplicating a User-Defined Group 5-74
Deleting a User-Defined Group 5-75
Changing Device Credentials 5-75
Changing ACE Module Passwords 5-77
Restarting Device Polling 5-78
Displaying All Devices 5-78
Displaying Modules by Chassis 5-79
Removing Modules from the ANM Database 5-80
Replacing an ACE Module Managed by ANM 5-82
Using the Preferred Method to Replace an ACE Module 5-82
Using the Alternate Method to Replace an ACE Module 5-84
CHAPTER 6 Configuring Virtual Contexts 6-1
Information About Virtual Contexts 6-2
Creating Virtual Contexts 6-2
Configuring Virtual Contexts 6-8
Configuring Virtual Context System Attributes 6-13
Configuring Virtual Context Primary Attributes 6-14
Configuring Virtual Context Syslog Settings 6-19
Configuring Syslog Log Hosts 6-23
Configuring Syslog Log Messages 6-24
Configuring Syslog Log Rate Limits 6-26
Configuring SNMP for Virtual Contexts 6-27
Configuring Basic SNMP Attributes 6-27
Configuring SNMPv2c Communities 6-28
Configuring SNMPv3 Users 6-29
Configuring SNMP Trap Destination Hosts 6-32
Configuring SNMP Notification 6-33
Applying a Policy Map Globally to All VLAN Interfaces 6-35
Managing ACE Licenses 6-36
Viewing ACE Licenses 6-36
Installing ACE Licenses 6-37
Uninstalling ACE Licenses 6-39
Updating ACE Licenses 6-40
Displaying the File Contents of a License 6-42
Using Resource Classes 6-43
Global and Local Resource Classes 6-44
Resource Allocation Constraints 6-44
Using Global Resource Classes 6-46
Configuring Global Resource Classes 6-46
Deploying Global Resource Classes 6-48
Auditing Resource Classes 6-49
Modifying Global Resource Classes 6-50
Deleting Global Resource Classes 6-51
Using Local Resource Classes 6-51
Configuring Local Resource Classes 6-52
Deleting Local Resource Classes 6-53
Displaying Local Resource Class Use on Virtual Contexts 6-54
Using the Configuration Checkpoint and Rollback Service 6-54
Creating a Configuration Checkpoint 6-55
Deleting a Configuration Checkpoint 6-56
Rolling Back a Running Configuration 6-56
Displaying Checkpoint Information 6-57
Comparing a Checkpoint to the Running Configuration 6-58
Performing Device Backup and Restore Functions 6-59
Backing Up Device Configuration and Dependencies 6-62
Restoring Device Configuration and Dependencies 6-66
Performing Global Device Backup and Copy Functions 6-68
Backing Up Multiple Device Configuration and SSL Files 6-69
Associating a Global Backup Schedule with a Device 6-71
Managing Global Backup Schedules 6-73
Creating a Backup Schedule 6-73
Updating an Existing Backup Schedule 6-76
Deleting a Backup Schedule 6-76
Copying Existing Tarred Backup Files to a Remote Server 6-77
Configuring Security with ACLs 6-78
Creating ACLs 6-79
Setting Extended ACL Attributes 6-82
Resequencing Extended ACLs 6-87
Setting EtherType ACL Attributes 6-87
Displaying ACL Information and Statistics 6-89
Configuring Object Groups 6-89
Creating or Editing an Object Group 6-90
Configuring IP Addresses for Object Groups 6-91
Configuring Subnet Objects for Object Groups 6-92
Configuring Protocols for Object Groups 6-93
Configuring TCP/UDP Service Parameters for Object Groups 6-94
Configuring ICMP Service Parameters for an Object Group 6-97
Managing ACLs 6-99
Viewing All ACLs by Context 6-99
Editing or Deleting ACLs 6-100
Configuring Virtual Context Expert Options 6-101
Comparing Context and Building Block Configurations 6-101
Managing Virtual Contexts 6-103
Displaying All Virtual Contexts 6-103
Synchronizing Virtual Context Configurations 6-105
Managing Syslog Settings for Autosynchronization 6-105
Editing Virtual Contexts 6-106
Deleting Virtual Contexts 6-107
Upgrading Virtual Contexts 6-107
Restarting Virtual Context Polling 6-108
CHAPTER 7 Configuring Virtual Servers 7-1
Information About Load Balancing 7-1
Configuring Virtual Servers 7-2
Virtual Server Configuration and ANM 7-2
Information About Using ANM to Configure Virtual Servers 7-4
Virtual Server Usage Guidelines 7-5
Virtual Server Testing and Troubleshooting 7-6
Virtual Server Configuration Procedure 7-7
Shared Objects and Virtual Servers 7-9
Virtual Server Protocols by Device Type 7-11
Configuring Virtual Server Properties 7-11
Configuring Virtual Server SSL Termination 7-17
Configuring Virtual Server Protocol Inspection 7-18
Configuring Virtual Server Layer 7 Load Balancing 7-30
Configuring Virtual Server Default Layer 7 Load Balancing 7-50
Configuring Application Acceleration and Optimization 7-53
Configuring Virtual Server NAT 7-63
Displaying Virtual Servers by Context 7-65
Displaying Virtual Server Statistics and Status Information 7-65
Managing Virtual Servers 7-66
Managing Virtual Server Groups 7-67
Creating a Virtual Server Group 7-68
Editing or Copying a Virtual Server Group 7-69
Displaying a Virtual Server Group 7-70
Deleting a Virtual Server Group 7-70
Activating Virtual Servers 7-71
Suspending Virtual Servers 7-72
Managing GSS VIP Answers 7-73
Activating and Suspending DNS Rules Governing GSS Load Balancing 7-75
Managing GSS VIP Answer and DNS Rule Groups 7-76
Creating a VIP Answer or DNS Rule Group 7-77
Editing or Copying a VIP Answer or DNS Rule Group 7-78
Displaying a VIP Answer or DNS Rule Group 7-79
Deleting a VIP Answer or DNS Rule Group 7-80
Displaying Detailed Virtual Server Information 7-81
Displaying Virtual Servers 7-81
Using the Virtual Server Connection Statistics Graph 7-84
Using the Virtual Server Topology Map 7-85
Understanding CLI Commands Sent from Virtual Server Table 7-86
Deploying Virtual Servers 7-86
Deploying a Virtual Server 7-87
Displaying All Staged Virtual Servers 7-87
Modifying Deployed Virtual Servers 7-88
Modifying Staged Virtual Servers 7-88
CHAPTER 8 Configuring Real Servers and Server Farms 8-1
Information About Server Load Balancing 8-1
Load-Balancing Predictors 8-2
Real Servers 8-3
Dynamic Workload Scaling Overview 8-4
Server Farms 8-5
Configuring Real Servers 8-5
Configuring Load Balancing on Real Servers 8-6
Displaying Real Server Statistics and Status Information 8-9
Managing Real Servers 8-9
Managing Real Server Groups 8-10
Creating a Real Server Group 8-11
Editing or Copying a Real Server Group 8-12
Displaying a Real Server Group 8-13
Deleting a Real Server Group 8-13
Activating Real Servers 8-14
Suspending Real Servers 8-15
Modifying Real Server Weight Value 8-17
Displaying Real Servers 8-18
Using the Real Server Connection Statistics Graph 8-22
Using the Real Server Topology Map 8-23
CLI Commands Sent from the Real Server Table 8-23
Server Weight Ranges 8-25
Configuring Dynamic Workload Scaling 8-26
Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection 8-27
Configuring and Verifying a VM Controller Connection 8-29
Configuring Server Farms 8-30
Configuring Load Balancing Using Server Farms 8-31
Adding Real Servers to a Server Farm 8-37
Configuring the Predictor Method for Server Farms 8-39
Configuring Server Farm HTTP Return Error-Code Checking 8-46
Displaying All Server Farms 8-48
Displaying Server Farm Statistics and Status Information 8-48
Configuring Health Monitoring 8-49
TCL Scripts 8-50
Configuring Health Monitoring for Real Servers 8-51
Configuring Probe Attributes 8-56
DNS Probe Attributes 8-57
Echo-TCP Probe Attributes 8-58
Echo-UDP Probe Attributes 8-58
Finger Probe Attributes 8-58
FTP Probe Attributes 8-59
HTTP Probe Attributes 8-60
HTTPS Probe Attributes 8-61
IMAP Probe Attributes 8-63
POP Probe Attributes 8-64
RADIUS Probe Attributes 8-65
RTSP Probe Attributes 8-65
Scripted Probe Attributes 8-66
SIP-TCP Probe Attributes 8-67
SIP-UDP Probe Attributes 8-68
SMTP Probe Attributes 8-69
SNMP Probe Attributes 8-69
TCP Probe Attributes 8-70
Telnet Probe Attributes 8-70
UDP Probe Attributes 8-71
VM Probe Attributes 8-72
Configuring DNS Probe Expect Addresses 8-73
Configuring Headers for HTTP and HTTPS Probes 8-74
Configuring Health Monitoring Expect Status 8-74
Configuring an OID for SNMP Probes 8-76
Displaying Health Monitoring Statistics and Status Information 8-77
Configuring Secure KAL-AP 8-77
CHAPTER 9 Configuring Stickiness 9-1
Information About Stickiness 9-1
Sticky Types 9-2
HTTP Content Stickiness 9-3
HTTP Cookie Stickiness 9-3
HTTP Header Stickiness 9-4
IP Netmask and IPv6 Prefix Stickiness 9-4
Layer 4 Payload Stickiness 9-4
RADIUS Stickiness 9-5
RTSP Header Stickiness 9-5
SIP Header Stickiness 9-5
Sticky Groups 9-6
Sticky Table 9-6
Configuring Sticky Groups 9-7
Sticky Group Attribute Tables 9-11
HTTP Content Sticky Group Attributes 9-11
HTTP Cookie Sticky Group Attributes 9-12
HTTP Header Sticky Group Attributes 9-13
IP Netmask Sticky Group Attributes 9-13
V6 Prefix Sticky Group Attributes 9-13
Layer 4 Payload Sticky Group Attributes 9-14
RADIUS Sticky Group Attributes 9-14
RTSP Header Sticky Group Attributes 9-15
Displaying All Sticky Groups by Context 9-15
Configuring Sticky Statics 9-15
CHAPTER 10 Configuring Parameter Maps 10-1
Information About Parameter Maps 10-1
Configuring Connection Parameter Maps 10-3
Configuring Generic Parameter Maps 10-8
Configuring HTTP Parameter Maps 10-9
Configuring Optimization Parameter Maps 10-12
Configuring RTSP Parameter Maps 10-20
Configuring SIP Parameter Maps 10-21
Configuring Skinny Parameter Maps 10-23
Configuring DNS Parameter Maps 10-25
Supported MIME Types 10-26
CHAPTER 11 Configuring SSL 11-1
SSL Overview 11-2
SSL Configuration Prerequisites 11-2
Summary of SSL Configuration Tasks 11-3
SSL Setup Sequence 11-4
Using SSL Certificates 11-5
Importing SSL Certificates 11-7
Using SSL Keys 11-10
Importing SSL Key Pairs 11-11
Generating SSL Key Pairs 11-14
Exporting SSL Certificates 11-15
Exporting SSL Key Pairs 11-16
Configuring SSL Parameter Maps 11-18
Configuring SSL Chain Group Parameters 11-23
Configuring SSL CSR Parameters 11-24
Generating CSRs 11-26
Configuring SSL Proxy Service 11-27
Configuring SSL OCSP Service 11-29
Enabling Client Authentication 11-31
Configuring SSL Authentication Groups 11-31
Configuring CRLs for Client Authentication 11-33
CHAPTER 12 Configuring Network Access 12-1
Information About VLANs 12-2
ACE Module VLANs 12-2
ACE Appliance VLANs 12-2
Configuring VLANs Using Cisco IOS Software (ACE Module) 12-3
Creating VLAN Groups Using Cisco IOS Software 12-3
Assigning VLAN Groups to the ACE Module Through Cisco IOS Software 12-4
Adding Switched Virtual Interfaces to the MSFC 12-5
Configuring Virtual Context VLAN Interfaces 12-6
Displaying All VLAN Interfaces 12-18
Displaying VLAN Interface Statistics and Status Information 12-18
Configuring Virtual Context BVI Interfaces 12-19
Configuring BVI Interfaces for a Virtual Context 12-19
Displaying All BVI Interfaces by Context 12-25
Displaying BVI Interface Statistics and Status Information 12-26
Configuring VLAN Interface NAT Pools 12-26
Configuring Virtual Context Static Routes 12-28
Configuring Global IP DHCP 12-29
Configuring Static VLANs for Over 8000 Static NAT Configurations 12-31
Configuring Gigabit Ethernet Interfaces on the ACE Appliance 12-32
Configuring Gigabit Ethernet Interfaces 12-32
Displaying Gigabit Ethernet Interface Statistics and Status Information 12-35
Configuring Port-Channel Interfaces for the ACE Appliance 12-35
Why Use Port Channels? 12-35
Configuring a Port-Channel Interface 12-36
Configuring a Catalyst 6500 Series Switch for an ACE Appliance Port-Channel Interface Connection 12-38
Creating the Port Channel Interface on the Catalyst 6500 12-38
Adding Interfaces to the Port Channel 12-39
Displaying Port Channel Interface Statistics and Status Information 12-40
CHAPTER 13 Configuring High Availability 13-1
Understanding ANM High Availability 13-2
Understanding ANM High Availability Processes 13-3
Configuring ANM High Availability Overview 13-3
CLI Commands for ANM High Availability Processes 13-4
Recovering From an HA Database Replication Failure 13-6
Understanding ACE Redundancy 13-6
ACE High Availability Polling 13-7
ACE Redundancy Protocol 13-8
ACE Stateful Failover 13-9
ACE Fault-Tolerant VLAN 13-10
ACE Configuration Synchronization 13-11
ACE Redundancy Configuration Requirements and Restrictions 13-12
ACE High Availability Troubleshooting Guidelines 13-12
Configuring ACE High Availability 13-14
Configuring ACE High Availability Peers 13-15
Clearing ACE High Availability Pairs 13-17
Configuring ACE High Availability Groups 13-17
Editing High Availability Groups 13-19
Taking a High Availability Group Out of Service 13-20
Enabling a High Availability Group 13-21
Displaying High Availability Group Statistics and Status 13-21
Switching Over an ACE High Availability Group 13-22
Deleting ACE High Availability Groups 13-23
ACE High Availability Tracking and Failure Detection Overview 13-23
Tracking ACE VLAN Interfaces for High Availability 13-24
Tracking Hosts for High Availability 13-25
Configuring Host Tracking Probes 13-26
Deleting Host Tracking Probes 13-27
Configuring ACE Peer Host Tracking Probes 13-28
Deleting Peer Host Tracking Probes 13-29
Configuring ACE HSRP Groups 13-29
Synchronizing ACE High Availability Configurations 13-30
Synchronizing Virtual Context Configurations in High Availability Mode 13-31
Synchronizing SSL Certificate and Key Pairs on Both ACE Peers 13-32
CHAPTER 14 Configuring Traffic Policies 14-1
Traffic Policy Overview 14-1
Class Map and Policy Map Overview 14-2
Class Maps 14-3
Policy Maps 14-4
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps 14-5
Protocol Inspection Overview 14-6
Configuring Virtual Context Class Maps 14-6
Deleting Class Maps 14-8
Setting Match Conditions for Class Maps 14-8
Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps 14-9
Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps 14-12
Setting Match Conditions for Layer 7 Server Load Balancing Class Maps 14-14
Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps 14-17
Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps 14-22
Setting Match Conditions for Generic Server Load Balancing Class Maps 14-23
Setting Match Conditions for RADIUS Server Load Balancing Class Maps 14-25
Setting Match Conditions for RTSP Server Load Balancing Class Maps 14-26
Setting Match Conditions for SIP Server Load Balancing Class Maps 14-27
Setting Match Conditions for Layer 7 SIP Deep Packet Inspection Class Maps 14-30
Configuring Virtual Context Policy Maps 14-32
Configuring Rules and Actions for Policy Maps 14-34
Setting Policy Map Rules and Actions for Generic Server Load Balancing 14-35
Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic 14-39
Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic 14-41
Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection 14-48
Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection 14-51
Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization 14-57
Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic 14-61
Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection 14-68
Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection 14-71
Setting Policy Map Rules and Actions for RADIUS Server Load Balancing 14-73
Setting Policy Map Rules and Actions for RDP Server Load Balancing 14-75
Setting Policy Map Rules and Actions for RTSP Server Load Balancing 14-76
Setting Policy Map Rules and Actions for SIP Server Load Balancing 14-79
Special Characters for Matching String Expressions 14-84
Configuring Actions Lists 14-85
Configuring an HTTP Header Modify Action List 14-85
Configuring HTTP Header Insertion, Deletion, and Rewrite 14-85
Configuring SSL URL Rewrite 14-88
Configuring SSL Header Insertion 14-89
CHAPTER 15 Configuring Application Acceleration and Optimization 15-1
Optimization Overview 15-2
Optimization Traffic Policies and Typical Configuration Flow 15-2
Configuring an HTTP Optimization Action List 15-3
Configuring Optimization Parameter Maps 15-6
Configuring Traffic Policies for HTTP Optimization 15-6
Enabling HTTP Optimization Using Virtual Servers 15-9
Configuring Global Application Acceleration and Optimization 15-9
CHAPTER 16 Using Configuration Building Blocks 16-1
Information About Building Block Versions and Tagging 16-4
Enabling the Building Block Feature 16-5
Creating Building Blocks 16-5
Extracting Building Blocks from Virtual Contexts 16-6
Configuring Building Blocks 16-7
Configuring Building Block Primary Attributes 16-8
Tagging Building Blocks 16-9
Applying Building Blocks 16-9
Applying a Building Block to a Single Virtual Context 16-10
Applying a Building Block to Multiple Virtual Contexts 16-10
Displaying Building Block Use 16-11
CHAPTER 17 Monitoring Your Network 17-1
Setting Up Devices for Monitoring 17-2
Device Monitoring Features 17-3
Using Dashboards to Monitor Devices and Virtual Contexts 17-4
ACE Dashboard 17-5
Device Information Table 17-6
License Status Table 17-6
High Availability Table 17-7
ACE Device Configuration Summary Table 17-7
Context With Denied Resource Usage Detected Table 17-8
Device Resource Usage Graph 17-9
Top 10 Current Resources Table 17-10
Control Plane CPU/Memory Graphs 17-11
ACE Virtual Context Dashboard 17-12
ACE Virtual Context Device Configuration Summary Table 17-13
Context With Denied Resource Usage Detected Table 17-14
Context Resource Usage Graph 17-15
Load Balancing Servers Performance Graphs 17-15
ANM Group Dashboard 17-16
Managed Devices Table 17-17
Context With Denied Resource Usage Detected Table 17-18
ANM Group Device Configuration Summary Table 17-18
Top 10 Current Resources Table 17-20
Latest 5 Alarms Notifications Table 17-21
Latest 5 Critical Events Table 17-21
Contexts Performance Overview Graph 17-22
Monitoring Device Groups 17-23
Monitoring Devices 17-24
Monitoring the System 17-25
Monitoring Resource Usage 17-26
Monitoring Virtual Context Resource Usage 17-26
Monitoring System Traffic Resource Usage 17-27
Monitoring System Non-Connection Based Resource Usage 17-29
Monitoring Traffic 17-30
Displaying Device-Specific Traffic Data 17-31
Monitoring Load Balancing 17-33
Monitoring Load Balancing on Virtual Servers 17-33
Monitoring Load Balancing on Real Servers 17-37
Monitoring Load Balancing on Probes 17-40
Monitoring Load Balancing Statistics 17-41
Monitoring Application Acceleration 17-43
Displaying the Polling Status of All Managed Objects 17-44
Setting Polling Parameters 17-46
Enabling Polling on Specific Devices 17-46
Disabling Polling on Specific Devices 17-47
Enabling Polling on All Devices 17-47
Disabling Polling on All Devices 17-48
Configuring Historical Trend and Real Time Graphs for Devices 17-48
Exporting Historical Data 17-52
Monitoring Events 17-55
Configuring Alarm Notifications on ANM 17-57
Displaying Alarm Notifications 17-65
Displaying Alarms in ANM 17-65
Displaying Email Notifications 17-66
Displaying Traps 17-67
Configuring SMTP for Email Notifications 17-68
Displaying Network Topology Maps 17-68
Testing Connectivity 17-71
CHAPTER 18 Administering the Cisco Application Networking Manager 18-1
Overview of the Admin Function 18-2
Controlling Access to Cisco ANM 18-3
Types of Users 18-5
Understanding Roles 18-6
Understanding Operations Privileges 18-6
Understanding Domains 18-7
Understanding Organizations 18-7
How ANM Handles Role-Based Access Control 18-8
Configuring User Authentication and Authorization 18-9
Adding a New Organization 18-10
Changing Authentication Server Passwords 18-14
Changing the Admin Password 18-14
Modifying Organizations 18-14
Duplicating an Organization 18-15
Displaying Authentication Server Organizations 18-16
Deleting Organizations 18-16
Managing User Accounts 18-17
Guidelines for Managing User Accounts 18-17
Displaying a List of Users 18-18
Creating User Accounts 18-19
Duplicating a User Account 18-20
Modifying User Accounts 18-21
Resetting Another User’s Password 18-22
Deleting User Accounts 18-23
Displaying or Terminating Current User Sessions 18-24
Managing User Roles 18-25
Guidelines for Managing User Roles 18-25
Understanding Predefined Roles 18-26
Displaying User Role Relationships 18-27
Displaying User Roles and Associated Tasks and ANM Menu Privileges 18-28
Creating User Roles 18-29
Duplicating a User Role 18-31
Modifying User Roles 18-31
Deleting User Roles 18-32
Managing Domains 18-32
Guidelines for Managing Domains 18-33
Displaying Network Domains 18-33
Creating a Domain 18-34
Duplicating a Domain 18-35
Modifying a Domain 18-36
Deleting a Domain 18-37
Using an AAA Server for Remote User Authentication and Authorization 18-38
Information About Using AD/LDAPS for Remote User Authentication 18-38
Configuring Remote User Authentication Using a TACACS+ Server 18-39
Configuring Remote User Authorization Using a TACACS+ Server 18-45
Configuring Remote User Authorization Using Cisco Secure ACS Version 5.1 18-46
Configuring Remote User Authorization Using Cisco Secure ACS Version 4.2 18-48
Disabling the ANM Login Window Change Password Feature 18-50
Managing ANM 18-51
Checking the Status of the ANM Server 18-52
Using ANM License Manager to Manage ANM Server or Demo Licenses 18-54
Displaying and Adding ANM Licenses to License Management 18-54
Removing an ANM License File 18-55
Displaying ANM Server Statistics 18-56
Configuring ANM Statistics Collection 18-57
Configuring Audit Log Settings 18-58
Performing Device Audit Trail Logging 18-59
Displaying Change Audit Logs 18-61
Configuring Auto Sync Settings 18-61
Configuring Advanced Settings 18-62
Configuring the Overwrite ACE Logging device-id for the Syslog Option 18-62
Configuring the Enable Write Mem on the Config > Operations Option 18-63
Enabling the ACE Real Server Details Popup Window Option 18-64
Enabling the ACE Server Farm Details Popup Window Option for Virtual Servers 18-65
Enable Mobile Notifications from ANM 18-66
Managing the Syslog Buffer Display in the All Devices Dashboard 18-66
Managing the Display of Virtual Servers in the Operations and Monitoring Windows 18-66
Administering the ANM Mobile Feature 18-67
Configuring ANM with a Proxy Server for ANM Mobile Push Notifications 18-67
Enabling Mobile Device Notifications for Remotely Authorized Users 18-69
Globally Enabling or Disabling Mobile Device Notifications 18-69
Displaying Mobile Device Notifications and Testing the Notification Channel 18-70
Lifeline Management 18-72
CHAPTER 19 Using ANM Mobile 19-1
Information About ANM Mobile 19-2
ANM Mobile Prerequisites and Supported Devices 19-4
Guidelines and Restrictions 19-5
Using ANM Mobile 19-5
Logging In and Out of ANM Mobile 19-6
Using the Favorites Feature 19-6
Monitoring Managed Object Status 19-7
Modifying an Object’s Operating State or Weight 19-10
Displaying Real Time Charts 19-12
Using the ANM Mobile Setting Feature 19-12
Setting Up and Viewing Mobile Device Alarm Notifications 19-13
Enabling Alarm Notifications on ANM Mobile 19-15
Viewing Alarm Notifications from ANM Mobile 19-15
Managing iPod Alarm Notification Sound and Alerts 19-16
CHAPTER 20 Troubleshooting Cisco Application Networking Manager Problems 20-1
Changing ANM Software Configuration Attributes 20-1
Changing ANM Configuration Properties 20-2
Example ANM Standalone Configuration 20-4
Example ANM HA Configuration 20-5
Example ANM Advanced Options Configuration Session 20-6
Discovering and Adding a Device Does Not Work 20-7
Cisco License Manager Server Not Receiving Syslog Messages 20-7
Using Lifeline 20-7
Guidelines for Using Lifeline 20-8
Creating a Lifeline Package 20-8
Downloading a Lifeline Package 20-9
Adding a Lifeline Package 20-10
Deleting a Lifeline Package 20-11
Backing Up and Restoring Your ANM Configuration 20-11
APPENDIX A ANM Ports Reference A-1
APPENDIX B Using the ANM Plug-In With Virtual Data Centers B-1
Information About Using ANM With VMware vCenter Server B-2
Information About the Cisco ACE SLB Tab in vSphere Client B-3
Prerequisites for Using ANM With VMware vSphere Client B-4
Guidelines and Restrictions B-5
Registering or Unregistering the ANM Plug-in B-5
Logging In To ANM from VMware vSphere Client B-7
Using the Cisco ACE SLB Tab B-8
Managing ACE Real Servers From vSphere Client B-12
Adding a Real Server B-13
Deleting a Real Server Using vSphere Client B-14
Activating Real Servers Using vSphere Client B-15
Suspending Real Servers Using vSphere Client B-16
Modifying Real Server Weight Value Using vSphere Client B-18
Monitoring Real Server Details Using vSphere Client B-19
Refreshing the Displayed Real Server Information B-20
Using the VMware vSphere Plug-in Manager B-22
GLOSSARY
INDEX
Preface
Date: 3/28/12
This guide describes the Cisco Application Networking Manager and explains how to use it to manage
your network.
This preface provides information about using this guide and includes the following topics:
• Audience, page ix
• Organization, page ix
• Conventions, page xi
• Open-Source Software Included in the Cisco Application Networking Manager, page xi
• Obtaining Documentation and Submitting a Service Request, page xii
Audience
This guide is intended for experienced system and network administrators. Depending on the
configuration required, readers should have specific knowledge in the following areas:
• Networking and data communications
• Network security
• Router configuration
Organization
This documentation contains the following sections:
• Chapter 1, “Overview” summarizes key features and provides a look into some general topics such
as the interface.
• Chapter 2, “Using Homepage” describes ANM Homepage, a launching point for quick access to
selected areas within ANM.
• Chapter 3, “Using ANM Guided Setup” describes how to use the guided setup pages to simplify
configuration of ANM.
• Chapter 4, “Using Application Template Definitions” describes how to use the application templates
to simplify configuration of ACE devices (or virtual contexts).
• Chapter 5, “Importing and Managing Devices” describes how to add and manage your supported
network devices.
• Chapter 6, “Configuring Virtual Contexts” describes how to configure virtual contexts on the ACE
so that you can effectively and efficiently manage and allocate resources, users, and services.
• Chapter 7, “Configuring Virtual Servers” contains procedures for configuring virtual servers for
load balancing on the ACE.
• Chapter 8, “Configuring Real Servers and Server Farms” provides an overview of server load
balancing and procedures for configuring real servers and server farms for load balancing on the
ACE.
• Chapter 9, “Configuring Stickiness” provides information about sticky behavior and procedures for
configuring stickiness with the ANM.
• Chapter 10, “Configuring Parameter Maps” describes how to configure parameter maps so that the
ACE can perform actions on incoming traffic based on certain criteria, such as protocol or
connection attributes.
• Chapter 11, “Configuring SSL” describes how to configure your ACE (both the ACE module and
the ACE appliance) as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.
• Chapter 12, “Configuring Network Access” describes how to configure network access using ANM.
• Chapter 13, “Configuring High Availability” describes how to configure redundancy to ensure that
your network remains operational even if one of the ACE devices becomes unresponsive.
• Chapter 14, “Configuring Traffic Policies” describes how to configure class maps and policy maps
to provide a global level of filtering traffic received by or passing through the ACE.
• Chapter 15, “Configuring Application Acceleration and Optimization” describes how to configure
application acceleration and optimization options on the ACE.
• Chapter 16, “Using Configuration Building Blocks” provides an overview of configuration building
blocks and describes how to configure them, tag them for version control, and apply them to virtual
contexts.
• Chapter 17, “Monitoring Your Network” describes the ANM monitoring functions, including the
various ANM dashboards, and explains how to configure thresholds and configure alarm
notifications.
• Chapter 18, “Administering the Cisco Application Networking Manager” describes how to
administer, maintain, and manage the ANM management system.
• Chapter 19, “Using ANM Mobile” describes how to use the Cisco ANM Mobile app to access your
ANM server to remotely manage your network from your mobile device.
• Chapter 20, “Troubleshooting Cisco Application Networking Manager Problems” describes some
procedures and tips on common troubleshooting scenarios.
• Appendix A, “ANM Ports Reference” identifies the TCP and UDP ports used by the ANM as well
as well-known TCP and UDP port numbers and key words.
• Appendix B, “Using the ANM Plug-In With Virtual Data Centers” describes how to integrate ANM
with VMware vCenter Server and VMware vSphere Client.
Conventions
This document uses the following conventions:
Item                                         Convention
Commands and keywords                        boldface font
Variables for which you supply values        italic font
Displayed session and system information     screen font
Information you enter                        boldface screen font
Variables you enter                          italic screen font
Menu items and button names                  boldface font
Choosing a menu item in paragraphs           Option > Network Preferences
Choosing a menu item in tables               Option > Network Preferences
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Open-Source Software Included in the Cisco Application Networking Manager
• The Cisco Application Networking Manager includes the following open-source software, which is
covered by the Apache 2.0 license (http://www.apache.org/): Ant, Avalon Logkit, Commons,
Ehcache, Jetty, Log4J, Oro, Commons_Logging, Xmlrpc.
• The Cisco Application Networking Manager includes the following open-source software, which is
covered by The Legion of the Bouncy Castle (http://www.bouncycastle.org/licence.html) license:
BouncyCastle.
• The Cisco Application Networking Manager includes the following open-source software, which is
covered by the GNU Lesser General Public License Version 2.1
(http://www.gnu.org/licenses/lgpl.html): c3p0-0.9.0.2.jar, Enterprise DT, Jasperreports 1.2,
Jcommon 1.2, Jfreechart 1.0.1.
• The Cisco Application Networking Manager includes the following open-source software, which is
covered by the Mozilla Public License Version 1.1 (http://www.mozilla.org/MPL/MPL-1.1.html):
Itext 1.4.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
CHAPTER 1 Overview
Date: 3/28/12
This chapter provides an overview of Cisco Application Networking Manager (ANM), which is a
networking management application.
This chapter includes the following sections:
• ANM Overview, page 1-1
• IPv6 Considerations, page 1-3
• Logging In To the Cisco Application Networking Manager, page 1-5
• Changing Your Account Password, page 1-6
• ANM Licenses, page 1-7
• ANM Interface Components, page 1-8
ANM Overview
ANM is a client-server application that enables you to perform the following functions:
• Configure, monitor, and troubleshoot the functions of supported data center devices.
• Create policies that allow operations, application owners, and server administration staff to activate
and suspend network-based services without knowledge of, or the ability to change, network
configuration or topology.
• Manage the following product types:
– Cisco Application Control Engine (ACE) module or appliance
– Cisco Global Site Selector (GSS)
– Cisco Content Services Switch (CSS)
– Cisco Catalyst 6500 Virtual Switching System (VSS) 1440
– Cisco Catalyst 6500 series switch
– Cisco 7600 series router
– Cisco Content Switching Module (CSM)
– Cisco Content Switching Module with SSL (CSM-S)
– VMware vCenter Server
You can install the ANM server software on a standalone server or on a VMware virtual machine as
shown in Figure 1-1. The capabilities and functions of the ANM software are the same regardless of
which application you use. This guide uses the following terms to reference the two ANM applications:
ANM server
Dedicated server with ANM server software and Red Hat Enterprise Linux (RHEL) operating
system installed on it. For information about installing this type of ANM application, see the
Installation Guide for the Cisco Application Networking Manager 5.2.
ANM Virtual Appliance
VMware virtual appliance with ANM server software and Cisco Application Delivery Engine
Operating System (ADE OS) installed on it. Cisco distributes ANM Virtual Appliance (ANM VA)
in Open Virtual Appliance (.OVA) format. For information about installing this type of ANM
application, see the Installation Guide for the Cisco Application Networking Manager 5.2 Virtual
Appliance.
Figure 1-1 Sample ANM Network Deployment
The sample network application in Figure 1-1 illustrates the following ANM and ACE features:
• VMware integration—Feature that enables ANM and the ACE to be integrated with VMware,
allowing you to create and manage server farms for application delivery that consist of real servers
that are a combination of physical servers and VMware virtual machines (VMs).
[Figure 1-1 elements: VMware ESX(i) hosts running VMs, VMware vCenter, VMware vSphere Client, Cisco ACE, virtual machines and physical servers, Cisco Nexus 7000 switches joined by an OTV/DCI link (Dynamic Workload Scaling) between a local data center and a remote data center, clients, ANM Mobile, and Cisco ANM on a standalone server or virtual appliance.]
• Dynamic Workload Scaling—ACE feature that permits on-demand access to remote resources, such
as VMs, that you own or lease from an Internet service provider (or cloud service provider). This
feature uses Cisco’s Nexus 7000 series switches with Cisco’s Overlay Transport Virtualization
(OTV), which is a Data Center Interconnect (DCI) technology used to create a Layer 2 link over an
existing IP network between geographically distributed data centers.
For more information, see the “Dynamic Workload Scaling Overview” section on page 8-4.
Note Dynamic Workload Scaling requires ACE module or appliance software Version A4(2.0) or
later and the Cisco Nexus 7000 Series switch.
• ANM plug-in for vCenter Server—Enabling the plug-in on an ANM server or ANM Virtual
Appliance permits access to ANM’s ACE server load-balancing functions from a VMware vSphere
Client.
For more information, see Appendix B, “Using the ANM Plug-In With Virtual Data Centers.”
• ANM Mobile—Feature that enables supported mobile devices to access your ANM server or
ANM Virtual Appliance, allowing you to manage network objects in much the same way you do
from an ANM client. On a mobile device, you can run ANM Mobile as a native application or
inside the mobile device’s browser.
For more information, see Chapter 19, “Using ANM Mobile.”
IPv6 Considerations
Beginning with ACE software Version 5.1, the ACE supports IPv6 configurations, which you can
configure using ANM beginning with ANM software Version 5.1.
The ACE supports IPv6 configurations with the following considerations:
• All management traffic between ANM and the ACE must be sent over IPv4. IPv6 is not supported
for ANM management traffic.
• By default, IPv6 is disabled on an interface. You must enable IPv6 on the interface to enable its
configured IPv6 addresses. The interface cannot be in bridged mode. The interface may or may not
have IPv4 addresses configured on it.
• When you enable IPv6 or configure a global IPv6 address on an interface, the ACE automatically
does the following:
– Configures a link-local address (if it is not already configured)
– Performs duplicate address detection (DAD) on both addresses
You must enable IPv6 on the interface to enable its global IPv6 address.
• IPv6 can be individually enabled or disabled on each interface. IPv6 cannot be enabled or disabled
globally.
• A link-local address is an IPv6 unicast address that has a scope of the local link only and is required
on every interface. Every link-local address has a predefined prefix of FE80::/10. You can configure
a link-local address manually. If you do not configure a link-local address before enabling an IPV6
address on the interface, the ACE automatically generates a link-local address with a prefix of
FE80::/64. Only one IPv6 link-local address can be configured on an interface.
In a redundant configuration, you can configure an IPv6 peer link-local address for the standby ACE.
You can configure only one peer link-local address on an interface.
• A unique-local address is an optional IPv6 unicast address that is used for local communication
within an organization; it is similar to a private IPv4 address (for example, 10.10.2.1).
Unique-local addresses have a global scope, but they are not routable on the Internet, and they are
assigned by a central authority. All unique-local addresses have a predefined prefix of FC00::/7. You
can configure only one IPv6 unique-local address on an interface.
In a redundant configuration, you can configure an IPv6 peer unique-local address on the active ACE
that is synchronized to the standby ACE. You can configure only one peer unique-local IPv6 address
on an interface.
• A global address is an IPv6 unicast address that is used for general IPv6 communication. Each
global address is unique across the entire Internet. Therefore, its scope is global. The low order 64
bits can be assigned in several ways, including autoconfiguration using the EUI-64 format. You can
configure only one globally unique IPv6 address on an interface.
In a redundant configuration, you can configure an IPv6 peer global address that is synchronized to
the standby ACE.
When you configure redundancy with active and standby ACEs, you can configure a VLAN
interface that has an alias global IPv6 address that is shared between the active and standby ACEs.
The alias IPv6 address serves as a shared gateway for the two ACEs in a redundant configuration.
You can configure only one alias global IPv6 address on an interface.
• A multicast address is used for communications from one source to many destinations. IPv6
multicast addresses function in a manner that is similar to IPv4 multicast addresses. All multicast
addresses have a predefined prefix of FF00::/8.
• The ACE supports abbreviated IPv6 addresses. When using double colons (::) for leading zeros in a
contiguous block, they can only be used once in an address. Leading zeros can be omitted. Trailing
zeros cannot be omitted. The DM will abbreviate an IPv6 address after you finish typing it. If you
enter the entire address with a block of contiguous zeros, the DM collapses it into the double colons.
For example: FF01:0000:0000:0000:0000:0000:0000:101 becomes FF01::101.
• The ACE uses the Neighbor Discovery (ND) protocol to manage and learn the mapping of IPv6 to
Media Access Control (MAC) addresses of nodes attached to the local link. The ACE uses this
information to forward and transmit IPv6 packets. The neighbor discovery protocol enables IPv6
nodes and routers to:
– Determine the link-layer address of a neighbor on the same link
– Find neighboring routers
– Keep track of neighbors
The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses
to determine the link-layer address of a neighbor on the same network (local link), verify the
reachability of a neighbor, and keep track of neighbor routers. The IPv6 neighbor discovery process
uses the following mechanisms for its operation:
– Neighbor Solicitation
– Neighbor Advertisement
– Router Solicitation
– Router Advertisement
– Duplicate Address Detection
• The ACE supports IPv6-to-IPv6 L4/L7 SLB, including support for IPv6 VIP, predictor, probe,
serverfarm, sticky, access-list, object-group, interface, source NAT, OCSP, and CRL.
• The probe must have the same IP address type (IPv6 or IPv4) as the real server. For example, you
cannot configure an IPv6 probe to an IPv4 real server.
• A server farm can support a mix of IPv6 and IPv4 real servers, and can be associated with both IPv6
and IPv4 probes.
• Only the following protocols support IPv6:
– Layer 7 HTTP/HTTPS/DNS
– Layer 4 TCP/UDP
• The ACE supports the following:
– IPv6-to-IPv4 SLB and IPv4-to-IPv6 SLB for L7 HTTP/HTTPS/TCP/UDP
– Source NAT support of IPv6
– IPv6 access-list and object group
– DHCPv6 relay
• ICMPv6 traffic is not automatically allowed. You must configure the corresponding management
traffic policy to allow ping requests to the ACE. However, the Neighbor Discovery (ND) messages
needed for address resolution (the IPv6 counterpart of ARP) and duplicate address detection are
automatically permitted.
• Copying files over IPv6 to or from devices is not supported.
• The ACE supports IPv6 HA with the following restrictions:
– All FT transport (ft vlan) remains on IPv4.
– Tracking of IPv6 hosts and peers will be supported.
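The address classes, the abbreviation rule, the per-interface address limits, and the probe/real-server address-type requirement described above, as an added Python example that is not part of the Cisco guide. The function names are constructed for this illustration, and the sample addresses (the 2001:DB8::/32 documentation prefix and 10.0.0.0/8 private range) are constructed values, not addresses from the guide.

```python
import ipaddress

# Address prefixes exactly as the guide states them.
LINK_LOCAL = ipaddress.IPv6Network("FE80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("FC00::/7")
MULTICAST = ipaddress.IPv6Network("FF00::/8")


def classify_ipv6(text):
    """Return 'link-local', 'unique-local', 'multicast' or 'global' for one IPv6 address."""
    addr = ipaddress.IPv6Address(text)
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in MULTICAST:
        return "multicast"
    return "global"


def abbreviate_ipv6(text):
    """Abbreviate an IPv6 address the way the guide describes.

    The longest run of all-zero groups becomes '::' (only one '::' is allowed),
    leading zeros inside a group are dropped, and trailing zeros are kept, so
    FF01:1000::101 stays FF01:1000::101 while FF01:0001::0101 becomes FF01:1::101.
    Raises ValueError for malformed input.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address: %r" % text)
    return ipaddress.IPv6Address(text).compressed.upper()


def is_valid_ipv6(text):
    """True when abbreviate_ipv6 accepts the address, False otherwise."""
    try:
        abbreviate_ipv6(text)
        return True
    except ValueError:
        return False


def probe_matches_real_server(probe_ip, real_server_ip):
    """A probe must use the same IP version (4 or 6) as the real server it checks."""
    return ipaddress.ip_address(probe_ip).version == ipaddress.ip_address(real_server_ip).version


def server_farm_families(real_server_ips):
    """A server farm may mix IPv4 and IPv6 real servers; return the IP versions present."""
    return sorted({ipaddress.ip_address(ip).version for ip in real_server_ips})


def check_interface_addresses(addresses):
    """Apply the per-interface limits from the guide: at most one link-local,
    one unique-local and one global unicast address. Returns a list of problems;
    an empty list means the address set is acceptable."""
    counts = {}
    for a in addresses:
        kind = classify_ipv6(a)
        if kind == "multicast":
            continue  # the guide sets no per-interface limit for multicast groups
        counts[kind] = counts.get(kind, 0) + 1
    return [
        "only one %s address is allowed per interface (found %d)" % (kind, n)
        for kind, n in counts.items()
        if n > 1
    ]


if __name__ == "__main__":
    # Constructed sample values; 2001:DB8::/32 is the documentation prefix.
    print(abbreviate_ipv6("FF01:0000:0000:0000:0000:0000:0000:101"))
    for a in ("FE80::1", "FD00::1", "FF02::1", "2001:DB8::1"):
        print(a, classify_ipv6(a))
    print(check_interface_addresses(["FE80::1", "FE80::2", "2001:DB8::1"]))
```

The classification relies on the standard library's ipaddress module, which applies the same prefix matching the guide lists (FE80::/10, FC00::/7, FF00::/8); the explicit check for a second "::" gives a clearer error than the library's generic message when an operator pastes a malformed address into a configuration.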
Logging In To the Cisco Application Networking Manager
You access ANM features and functions through a web-based interface. The following sections describe
logging in, the interface, and terms used in ANM.
The ANM login window allows you to do the following tasks:
• Log into the ANM server.
• Change the password for your account (see the “Changing Your Account Password” section on
page 1-6).
• Obtain online help by clicking Help.
Procedure
Step 1 Choose one of the following:
• To log in after a new install, which uses the default web ports of 443 and 80, enter https://host.
Note You do not have to explicitly enter the default ports 443 and 80.
Caution If you log in using HTTP, you must change the properties file. See the “Changing ANM Software
Configuration Attributes” section on page 20-1 for details. If you enable HTTP, you make your
connection to ANM less secure.
• To log in after an upgrade, enter https://host:10443 or https://host:10080.
Note You must explicitly enter the nondefault ports 10443 and 10080.
Note All browsers require that cookies, Javascript/scripting, and popup windows are enabled. If you
reinstall a subsequent ANM release, you must delete the cookies and clear the browser cache.
For example, enter https://192.168.10.10:10443. The login window appears.
Step 2 In the User Name field, enter admin, which is the predefined user account that comes with a new
installation.
Note If you are logging in using ACS authentication (TACACS or RADIUS), you must add
'@ to the username on the login page, or you will not be able to log in.
Once you are logged in using this account, you can create additional user accounts. For information on
changing account passwords, see the “Modifying User Accounts” section on page 18-21.
Step 3 In the Password field, enter the password that you configured the admin account with when installing
ANM.
Step 4 Press Enter or click Login.
When you log in, the default page that appears is the ANM Homepage (see the “ANM Windows and
Menus” section on page 1-9). You can change your default page by making a different selection from the
Homepage. See the “Customizing the Default ANM Page” section on page 2-4 for details.
For a description of the user interface, see Figure 1-2 on page 1-8. The interface will not contain data
until you add devices by one of the methods described in the “Importing Network Devices into ANM”
section on page 5-10.
Related Topics
• Changing Your Account Password, page 1-6
• ANM Interface Components, page 1-8
Changing Your Account Password
You can change your account password when you log into ANM.
Guidelines and Restrictions
By default, the feature that allows you to change your password when logging into ANM is enabled;
however, this feature can be disabled. When disabled, the ANM login window no longer displays the
Change Password hyperlink. For more information, see the “Disabling the ANM Login Window Change
Password Feature” section on page 18-50.
Procedure
Step 1 Using a web browser, navigate to the ANM login window by typing the IP address or hostname where
ANM is installed. For example, enter https://192.168.10.10. The login window appears.
Step 2 In the User Name field, enter your account username.
Step 3 Click Change Password. The Change password configuration window appears.
Step 4 In the User Name field, enter the username of the account that you want to modify.
Step 5 In the Old Password field, enter the current password for this account.
Step 6 In the New Password field, enter the new password for this account.
Password attributes such as minimum and maximum length or accepted characters are defined at the
organizational level. For more information on configuring passwords, see the “Configuring User
Authentication and Authorization” section on page 18-9.
Step 7 In the Confirm New Password field, reenter the new password for this account.
Step 8 Do one of the following:
• Click OK to save your entries and to return to the login window.
• Click Cancel to exit this procedure without saving your entries and to return to the login window.
Related Topics
• Logging In To the Cisco Application Networking Manager, page 1-5
• ANM Interface Components, page 1-8
• Disabling the ANM Login Window Change Password Feature, page 18-50
ANM Licenses
Beginning with ANM software Version 5.2, ANM includes a 90-day evaluation period that begins when
you install the software image. During this time, you can use all the functions of ANM without installing
a license, including managing any number of supported devices and any number of ACE virtual contexts.
However, to continue using ANM beyond the evaluation period, you must install the ANM server
license, which is available at no charge.
The ANM demo license is also available, which allows ANM to perform all the functions associated with
the ANM server license; however, the demo license has an expiration date associated with it. You can
order a demo license if you do not know the PAK number required to order the ANM server license.
For more information about the 90-day evaluation period, available ANM licenses, and installing a
license, see the “Using ANM License Manager to Manage ANM Server or Demo Licenses” section on
page 18-54.
Related Topics
• Using ANM License Manager to Manage ANM Server or Demo Licenses, page 18-54
ANM Interface Components
This section includes the following topics:
• ANM Windows and Menus, page 1-9
• ANM Buttons, page 1-11
• Table Conventions, page 1-14
• ANM Screen Conventions, page 1-17
When you log in to ANM, the default window that appears is the Homepage, from which you can access
the operational and monitoring features of ANM. For details about using Homepage, see the
“Information About Homepage” section on page 2-1.
Figure 1-2 shows the Devices window (Config > Devices), which is an example ANM work window
where you view the network device tree and perform network management tasks. Table 1-1 describes the
numbered fields.
Note The ANM software version that displays across the top of the window varies depending on your version
of ANM.
Figure 1-2 ANM Interface Components
Related Topics
• ANM Windows and Menus, page 1-9
• ANM Interface Components, page 1-8
• Using Homepage, page 2-1
ANM Windows and Menus
Figure 1-3 contains many common window elements found in ANM and described in Table 1-2. Not all
windows contain all buttons.
Note The ANM software version that displays across the top of the window varies depending on your version
of ANM.
Table 1-1 ANM Interface Components Descriptions
Field Description
1 Navigation pane, which contains the following components:
• High-level navigation path within the ANM interface, which includes Config, Monitor, and Admin. You can
click an item in the navigation path to view that window.
• Logout hyperlink.
• About hyperlink that provides ANM version information.
• Feedback hyperlink that opens a new browser window containing the ANM user feedback form hosted on
www.ciscofeedback.vovici.com.
• Help hyperlink that provides context-sensitive help and a PDF version of the ANM user guide.
2 Second-level Navigation pane, which contains another level of navigation. Clicking an option in this pane displays
the associated window in the content area.
3 Content area, which contains the display and input area of the window. It can include tables, configuration items,
buttons, or combinations of these items.
4 Status bar, which indicates the date and time of the ANM server machine. ANM frequently updates the status bar.
Figure 1-3 Example ANM Window
Table 1-2 Example ANM Window Descriptions
Number Description
1 Device tree that appears when you click Config or Monitor. The device tree includes All Devices and Groups
folders:
• The All Devices folder expands to show the names of imported Cisco devices and their associated modules or
virtual contexts. When you click the plus sign (+) in front of a chassis icon, you can see a list of the modules
in the chassis. When you expand an ACE appliance or ACE module, you can see the list of existing virtual
contexts for that device. For more information about adding devices, see the “Importing Network Devices into
ANM” section on page 5-10.
• The Groups folder contains the list of user-defined groups. For more information about user-defined groups,
see the “Configuring User-Defined Groups” section on page 5-72.
The Organization tree displays when you click Admin > Role-Based Access Control. The organization tree includes
all organizations in ANM. Choosing an organization name displays its details.
To expand folders in the device tree, click the plus sign (+) to the right of an option. To collapse the structure, click
the minus sign (-).
At the top of the tree are the following buttons:
• Refresh—Refreshes the device tree after you have imported devices or made changes to the User Groups.
• Plus sign (+) —Allows you to add an item to the selected option in the device tree.
• Garbage can—Deletes the selected entry.
Note Menus are based on device types. Although menu labels are the same for different device types, the actual
menu definition is different. For example, you cannot preserve the menu state while traversing back and forth
from a module to a virtual context in the device tree.
2 Option menus, which appear in Config windows. Click the icon on the bar to show or hide the options.
3 Object selector. Use this field to choose a device, context, building block, or other object that you want to view
information on or configure.
4 Command buttons. Use these buttons to perform the action identified by the button label.
5 Input fields. Use these fields to make selections and provide information. When there are more than three choices
for any field, the field displays as a drop-down list. Otherwise, selections display with radio buttons.
6 Feature panel that contains functions that correspond to what is selected in the device or organization tree. Click on
a command to expand the list of options that correspond to that command.
Related Topics
• ANM Buttons, page 1-11
• ANM Screen Conventions, page 1-17
ANM Buttons
Table 1-3 describes the buttons that appear in some of the Config, Monitor, and Admin windows.
Table 1-3 Button Descriptions
Button Name Description
ACL table (expand) Allows you to expand all ACL table entries.
ACL table (collapse) Allows you to collapse all ACL table entries.
ACL table (resequence) Allows you to open the resequence popup window that allows you to
reorder the ACL table entries.
Add Allows you to add an entry to the displayed table.
Add another Saves the current entries and refreshes the window so that you can add
another entry.
Advanced editing mode Allows you to view or enter advanced arguments for the chosen display.
Auto refresh (pause) Allows you to interrupt the table data autorefresh process.
Auto refresh (resume) Indicates that the table data autorefresh process is on pause and allows you
to resume.
Customize Allows you to customize the table to suit your needs. (See the
“Customizing Tables” section on page 1-15.)
Delete Deletes the chosen entry in the table.
Duplicate Duplicates the chosen entry in the table.
Edit Opens the configuration window of a chosen entry in the table.
Groups Allows you to create groups of the following objects:
• Real servers (see the “Managing Real Server Groups” section on
page 8-10)
• Virtual servers (see the “Managing Virtual Server Groups” section on
page 7-67)
• GSS VIP answers or DNS rules (see the “Creating a VIP Answer or
DNS Rule Group” section on page 7-77)
Filter Filters the displayed list of items according to the criteria that you specify.
(See the “Filtering Entries” section on page 1-14.) Also displays a filter
text box where strings can be entered.
Go Appears when filtering is enabled; updates the table with the filtering
criteria.
Key Indicates that the associated field is a foreign key field. This field takes its
values from another table.
Plus Displays a table with information related to the field where Plus appears.
For example, if Plus appears next to the field label VLAN Group, clicking
Plus displays a list of all VLAN groups in a separate window.
Refresh Refreshes the content area.
Save Displays the current information in a new window in either raw data or
Microsoft Excel format so you can save it to a file or print it.
Full window view Allows you to adopt a larger (full) window view for a table or dashboard
window.
Reduced window view (normal) Allows you to adopt a smaller window view for a table or dashboard
window.
Sort Sorts a column alphabetically up or down.
Stop Stops the current process. If a process is only partially complete, it will
finish its current operation and exit. For example, when stop is used during
the import of two modules, it will complete only the first of two module
imports.
Switch between configure and browse modes Displays the subtables for those items that have additional sets of
parameters that can be configured, such as Config > Devices > Network > VLAN Interfaces.
Note This button is not available on single-row tables such as Config > Devices > System > Syslog or
Config > Devices > System > SNMP. To switch between these modes, navigate to another window where
the button appears (for example, Config > Devices > Load Balancing > Server Farms), click the button to
enter the desired mode, then return to the window on which the button was missing. You will remain in
the mode you chose.
View Excel Displays the raw data in Microsoft Excel format in a separate browser
window.
View raw data Displays the raw data in table format.
Show as image Displays the historical data object graph in a separate browser window.
View as chart Toggles the display of a historical data object as a graph in the monitoring
window.
View as grid Toggles the display of a historical data object as a numerical grid in the
monitoring window. From this display, you can export the data in
Microsoft Excel format.
Related Topics
• ANM Windows and Menus, page 1-9
• ANM Screen Conventions, page 1-17
Table Conventions
This section describes the ANM GUI table conventions, including how to filter the information displayed
and how to customize a table’s appearance.
This section includes the following topics:
• Filtering Entries, page 1-14
• Customizing Tables, page 1-15
• Using the Advanced Editing Option, page 1-16
Filtering Entries
You can filter the information that a table displays. Click Filter to view table entries using the criteria
that you chose. When filtering is enabled, a filter row appears above the first table entry that allows you
to filter entries in the following ways:
• In fields with drop-down lists, choose one of the ANM-identified categories (see Figure 1-4). The
table refreshes automatically with the entries that match the chosen criterion.
• In fields without drop-down lists, enter the string that you want to match, and then click Go above
the first table entry. The table refreshes with the entries that match your input.
• Enter the string in the filter box. For example, by entering the string gold and clicking Go, only the
gold Resource Class virtual contexts appear (see Figure 1-4).
Figure 1-4 Example Table with Filtering Enabled
Related Topics
• ANM Interface Components, page 1-8
• Customizing Tables, page 1-15
• Using the Advanced Editing Option, page 1-16
Customizing Tables
You can customize a table for your use. Click Customize in a table to configure the table to suit your
needs.
When you place the cursor over Customize, the following items appear:
• Default—When chosen with a check mark, this item indicates that the ANM default table format is
being used by the current table.
• Configure—When chosen, this item opens a dialog box that allows you to create a new customized
table format or to modify the table format currently in use.
Procedure
Step 1 When viewing a table, choose Customize > Configure.
The List Configuration dialog box appears.
Step 2 In the List Configuration dialog box, enter the information in Table 1-4.
Note Depending on the table that you chose, the available fields in the configuration table differ.
Table 1-4 includes sample fields that might appear.
Note You can be as inclusive or as restrictive as you like when setting table configuration options.
Table 1-4 Table Configuration Attributes
Field Description
List Customization Name Unique name for a new table configuration.
Fields Fields that you can include in the table, choose the fields from the Available Items list, and click
Add. To remove fields from the table, choose the fields from the Selected Items list, and then
click Remove.
Up/Down Location of a column in the table that you can change. Choose its name in the column on the
right, then click Up or Down to place it in the desired location.
Group By Field that you want to group entries by.
When you choose a field for grouping, one or more entries appears in the table with + at the
beginning of the entry, the name of the field, the grouping criteria, and the number of items in
the group. Click + to view all entries in the group.
Descending Descending check box to sort the groups in reverse order. Clear the Descending check box to
sort the groups in ascending order.
Sort By Field that you want to sort entries by.
When you choose a field for sorting, all entries in the table are sorted according to the values in
the selected field.
Name Filter Name that represents the name of each field in the table.
Enter the string or value that you want to filter the results by.
You can enter complete or partial strings or values to be matched. Do not include wildcard
characters.
Version Filter Version that represents the name of each field in the table.
Enter the string or value that you want to filter the results by.
You can enter complete or partial strings or values to be matched. Do not include wildcard
characters.
Step 3 Do one of the following:
• Click Save to save your entries under a new name and to close the List Configuration dialog box. If
a table using this format is displayed, the table is updated automatically.
• Click Cancel to exit the procedure without saving your entries and to close the List Configuration
dialog box.
• Click Apply to apply your current entries to the table that you are viewing, to save your entries, and
to close the List Configuration dialog box.
• Click Delete to delete the currently selected customized table format. It no longer appears as an
option when you click Customize.
Related Topics
• ANM Interface Components, page 1-8
• Filtering Entries, page 1-14
• Using the Advanced Editing Option, page 1-16
Using the Advanced Editing Option
By default, tables include columns that contain configured attributes or a subset of columns related to a
key field.
To view all configurable attributes in table format, click Advanced Editing Mode (the highlighted
button in Figure 1-5). When advanced editing mode is enabled, all columns appear for your review (see
Figure 1-5).
Figure 1-5 Advanced Editing Enabled Window
Related Topics
• ANM Interface Components, page 1-8
• Filtering Entries, page 1-14
• Customizing Tables, page 1-15
ANM Screen Conventions
Table 1-5 describes other conventions used in ANM screens.
Table 1-5 ANM Window Conventions
Convention Example Description
Dimmed field If no items are selected, buttons are dimmed. If an item is selected, only
operational buttons appear.
Red asterisk A red asterisk indicates a required field.
Yellow field with red font Incorrect, invalid, or incomplete entries appear as red font against a yellow
background with the reason for that error. In the example, an IP address
cannot begin with four digits, which results in this display.
Drop-down lists When there are more than three choices for any field, the field displays as
a drop-down list. Otherwise, selections display with radio buttons.
Related Topics
• Table Conventions, page 1-14
• ANM Interface Components, page 1-8
CHAPTER 2
Using Homepage
This section describes how to use Homepage, which is a launching point for quick access to selected
areas within Cisco Application Networking Manager (ANM).
This chapter includes the following sections:
• Information About Homepage, page 2-1
• Customizing the Default ANM Page, page 2-4
Information About Homepage
Homepage allows you to have quick access to the following operations and guided setup tasks in ANM:
• Operational tasks that you can access:
– The Real Servers table to view information for each configured real server, activate or suspend
real servers listed in the table, or modify server weight and connection limits.
– The Virtual Servers table to view information for each configured virtual server and to activate
or suspend virtual servers listed in the table.
– The Cisco Global Site Selector (GSS) Answer table to manage GSS VIP answers (resources that
respond to content queries) by specifying virtual IP (VIP) addresses associated with a server
load balancer (SLB) such as the Cisco Content Services Switch (CSS), Cisco Content Switching
Module (CSM), Cisco IOS-compliant SLB, LocalDirector, or a web server.
– The DNS Rules table to specify actions in the DNS rules table for the GSS to take when it
receives a request from a known source (a member of a source address list) for a known hosted
domain (a member of a domain list).
• Monitoring—Connect to the central Device Dashboard where you can quickly view device and
virtual context monitoring results and track potential issues; view detailed context-level resource
usage information; and monitor load balancing statistics for virtual servers.
• Guided setup tasks that you can launch:
– The Import Devices guided setup task to establish communication between ANM and hardware
devices.
– The Cisco Application Control Engine (ACE) Hardware Setup task to configure ACE devices
that are new to the network by establishing network connectivity in either standalone or
high-availability (HA) deployments.
– The Virtual Context Setup task to create and connect an ACE virtual context.
– The Application Setup task to configure end-to-end load-balancing for your application.
• Configuration—Tasks that allow you to configure system attributes for a virtual context, control a
user’s access to ANM, and display configuration and deployment changes logged in the ANM
database.
• Documentation—Quick links to ANM, ACE module, and ACE appliance user documentation on
www.cisco.com.
• System Summary—Tasks that allow you to display critical alarm notifications when the value for a
specific statistic rises above the specified setting or display all critical events received from an ACE
device for syslog and SNMP traps from all virtual contexts.
By default, the ANM Homepage (see Figure 2-1) is the first page that appears in ANM after you log in.
To access the Homepage from other locations within ANM, click the Home menu option at the top of
the window. From the Homepage, you can customize which page you want to display for subsequent
logins into ANM. See the “Customizing the Default ANM Page” section on page 2-4 for details.
Note All menu options on the Homepage are under Role-Based Access Control (RBAC). Menu options will
be grayed if proper permission has not been granted to the logged in user by the administrator. See the
“How ANM Handles Role-Based Access Control” section on page 18-8 for more information about
RBAC in ANM.
Note The ANM software version that displays across the top of the window varies depending on your version
of ANM.
Figure 2-1 Homepage Window
Table 2-1 identifies the Homepage links, associated pages in ANM, and related topics that can be found
in this document.
Table 2-1 Homepage Links
Homepage Link ANM Page Related Topics
Operational Tasks
Manage Real Servers Config > Operations > Real Servers Managing Real Servers, page 8-9
Manage Virtual Servers Config > Operations > Virtual Servers Managing Virtual Servers, page 7-66
Manage GSS VIP Answers Config > Operations > GSS VIP Answers Managing GSS VIP Answers, page 7-73
Manage GSS DNS Rules Config > Operations > DNS Rules Activating and Suspending DNS Rules
Governing GSS Load Balancing, page 7-75
Monitoring
Dashboard Monitor > Devices > Dashboard Using Dashboards to Monitor Devices and Virtual Contexts, page 17-4
Resource Usage Summary Monitor > Devices > Resource Usage > Connections Monitoring System Traffic Resource Usage, page 17-27
Application Performance Summary Monitor > Devices > Load Balancing > Virtual Servers Monitoring Load Balancing, page 17-33
Guided Setup
Import a Device Config > Guided Setup > Import Devices Using Import Devices, page 3-4
Configure ACE Hardware Config > Guided Setup > ACE Hardware Setup Using ACE Hardware Setup, page 3-5
Create a Virtual Context Config > Guided Setup > Virtual Context Setup Using Virtual Context Setup, page 3-10
Provision an Application Config > Guided Setup > Application Setup Using Application Setup, page 3-12
Configuration
Configure Devices Config > Devices > System > Primary Attributes Configuring Virtual Context Primary Attributes, page 6-14
ANM Role-Based Access Control Admin > Role-Based Access Control > Users Managing User Accounts, page 18-17
Device Audit Config > Device Audit Performing Device Audit Trail Logging, page 18-59
Application Configs Config > Global > Application Configs Managing Application Template Instances, page 4-3
Application Config Templates Config > Global > Application Config Templates Managing Application Template Definitions, page 4-15
System Summary
Critical Alarms Monitor > Alarm Notifications > Alarms Displaying Alarms in ANM, page 17-65
High Priority Syslogs Monitor > Events > Events Monitoring Events, page 17-55
Documentation
Cisco ANM Documentation (link to documentation set on www.cisco.com) N/A N/A
Cisco ACE Appliance Documentation (link to documentation set on www.cisco.com) N/A N/A
Cisco ACE Module Documentation (link to documentation set on www.cisco.com) N/A N/A
Cisco ACE Troubleshooting Guide (link to DocWiki) N/A N/A
What is New in this ANM Release (link to release notes on www.cisco.com)
Note For information about the navigational tabs and hyperlinks located at the top of the Homepage window,
see the “ANM Interface Components” section on page 1-8.
Customizing the Default ANM Page
You can choose the default page that you access after logging in to ANM. By default, the ANM
Homepage is the first page that appears after you log in. From the ANM Homepage, you can specify a
different page that appears as the default page after you log in.
Procedure
Step 1 If the Homepage is not active in ANM, click the Home tab. The Homepage appears.
Step 2 From the Default Login Page drop-down list, choose one of the following pages that you want to appear
after you log in to ANM:
• Home > Welcome
• Config > Guided Setup
• Config > Devices
• Config > Operations > Real Servers
• Config > Operations > Virtual Servers
• Config > Operations > GSS VIP Answers
• Config > Operations > GSS DNS Rules
• Config > Deploy
• Config > Device Audit
• Monitor > Devices > Dashboard
• Monitor > Devices > Resource Usage
• Monitor > Devices > Traffic Summary
• Monitor > Devices > Load Balancing > Real Servers
• Monitor > Devices > Load Balancing > Probes
• Monitor > Devices > Load Balancing > Statistics
• Monitor > Devices > Load Balancing > Application Acceleration (ACE appliance only)
• Monitor > Events
• Monitor > Alarm Notifications > Alarms
Step 3 Click Save to save your new selection as the default page the next time that you log in to ANM.
CHAPTER 3
Using ANM Guided Setup
Date: 3/28/12
This chapter describes how to use Cisco Application Networking Manager (ANM) Guided Setup.
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
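A pre-import check for the naming rule above, added here as an example and not taken from the ANM user guide or from any Cisco tool: it scans an ACE running-config text for the named objects it can recognize and reports every name that ANM would not accept, so the problem is found before an import fails. The sample configuration and the list of ACE keywords the scanner recognizes are constructed for this example; only the character rule itself comes from the guide.

```python
"""Pre-flight check for ACE object names before importing an ACE into ANM.

Added example, not part of the ANM user guide or of any Cisco tool. It applies
the naming rule stated in the guide (1 to 64 alphanumeric characters plus
underscore, hyphen, dot and asterisk; no spaces) to the names found in a
running-config text. The config sample and the keyword list are constructed.
"""
import re

# Names ANM accepts: 1-64 characters drawn from this set (rule from the guide).
ANM_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-*]{1,64}$")

# ACE configuration keywords that introduce a named object at the top level of
# the config (sub-commands are indented and are deliberately not matched).
# The keyword list is an assumption for this example; extend it for the
# object types you deploy.
NAMED_OBJECT_RE = re.compile(
    r"^(rserver(?:\s+(?:host|redirect))?"
    r"|serverfarm(?:\s+(?:host|redirect))?"
    r"|probe\s+\S+"
    r"|class-map(?:\s+type\s+\S+)?(?:\s+match-(?:all|any))?"
    r"|policy-map(?:\s+type\s+\S+(?:\s+\S+)?)?"
    r"|parameter-map\s+type\s+\S+"
    r"|sticky\s+\S+"
    r"|action-list\s+type\s+\S+)"
    r"\s+(\S+)\s*$"
)

# Constructed sample: three of the six object names use characters the ACE CLI
# accepts but ANM does not (@, #, $).
SAMPLE_CONFIG = """\
rserver host web-01
  ip address 10.1.1.11
  inservice
rserver host web@02
  ip address 10.1.1.12
  inservice
serverfarm host sf_web.prod
  rserver web-01
  rserver web@02
probe http HTTP-probe-80
  port 80
class-map match-any VIP#443
  2 match virtual-address 10.1.1.100 tcp eq 443
policy-map type loadbalance first-match lb$policy
  class class-default
    serverfarm sf_web.prod
"""


def find_named_objects(config_text):
    """Return (line_number, keyword, name) for each top-level named object."""
    found = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = NAMED_OBJECT_RE.match(line)
        if m:
            found.append((lineno, m.group(1), m.group(2)))
    return found


def check_anm_names(config_text):
    """Return (line_number, name, reason) for every name ANM cannot manage."""
    problems = []
    for lineno, _keyword, name in find_named_objects(config_text):
        if ANM_NAME_RE.match(name):
            continue
        if len(name) > 64:
            reason = "longer than 64 characters"
        else:
            bad = sorted({c for c in name if not re.match(r"[A-Za-z0-9_.\-*]", c)})
            reason = "unsupported character(s): " + "".join(bad)
        problems.append((lineno, name, reason))
    return problems


if __name__ == "__main__":
    for lineno, name, reason in check_anm_names(SAMPLE_CONFIG):
        print("line %d: %r %s" % (lineno, name, reason))
```

Run it against a saved `show running-config` before the import; rename the objects it reports at the ACE CLI first, then import. The scanner only matches unindented definition lines, so references inside a serverfarm or policy are not counted twice.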
This chapter includes the following sections:
• Information About Guided Setup, page 3-1
• Guidelines and Limitations, page 3-4
• Using Import Devices, page 3-4
• Using ACE Hardware Setup, page 3-5
• Using Virtual Context Setup, page 3-10
• Using Application Setup, page 3-12
Information About Guided Setup
ANM Guided Setup provides a series of setup sequences that offer GUI window guidance and
networking diagrams to simplify the configuration of ANM and the network devices that it manages.
Guided Setup allows you to quickly perform the following tasks:
• Establish communication between ANM and Application Control Engine (ACE) hardware devices.
• Configure ACE devices that are new to the network by establishing network connectivity in either
standalone or high-availability (HA) deployments.
• Create and connect to an ACE virtual context.
• Set up a load-balancing application from an ACE to a group of back-end servers.
To access Guided Setup, click the Config tab located at the top of the window, then click Guided Setup.
Note The available menu and button options on the Guided Setup tasks are under Role-Based Access Control
(RBAC). Menu and button options will be grayed if proper permission has not been granted to the logged
in user by the administrator. See the “How ANM Handles Role-Based Access Control” section on
page 18-8 for more information about RBAC in ANM.
Table 3-1 identifies the individual guided setup tasks and related topics.
Table 3-1 Guided Setup Tasks and Related Topics
Guided Setup Tasks Purpose Related Topics
Import devices Launch the Import Devices setup task to establish communication between ANM and hardware
devices. Imported devices can include: ACE modules, ACE appliances, Catalyst 6500 series chassis, Catalyst 6500
Virtual Switching System (VSS) 1440, Cisco 7600 series routers, Content Services Switches (CSS) devices,
Content Switching Module (CSM) devices, or Global Site Selector (GSS) devices.
• Using Import Devices, page 3-4
• Information About Importing Devices, page 5-4
• Preparing Devices for Import, page 5-4
• Importing Network Devices into ANM, page 5-10
• Discovering Large Numbers of Devices Using IP Discovery, page 5-27
ACE hardware setup Launch the ACE Hardware Setup task to help you configure ACE devices that are new to the
network by establishing network connectivity in either standalone or high-availability (HA) deployments.
• Using ACE Hardware Setup, page 3-5
• Configuring Devices, page 5-34
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
• Managing Devices, page 5-66
• Configuring ACE High Availability Peers, page 13-15
Virtual context setup Launch the Virtual Context Setup task to create and connect an ACE virtual context.
• Using Virtual Context Setup, page 3-10
• Using Resource Classes, page 6-43
• Creating Virtual Contexts, page 6-2
• Configuring Virtual Contexts, page 6-8
• Configuring VLANs Using Cisco IOS Software (ACE Module), page 12-3
Application setup Launch the Application Setup task to configure load balancing for your application. This task
guides you through a complete end-to-end configuration of the ACE for many common server load-balancing
situations.
• Using Application Setup, page 3-12
• Creating an Application Template Instance, page 4-4
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces, page 12-19
• Configuring Virtual Context Static Routes, page 12-28
• Configuring Security with ACLs, page 6-78
• SSL Setup Sequence, page 11-4
Guidelines and Limitations
As you perform a Guided Setup task, use the following operating conventions:
• To move between steps, click the name of the step in the menu to the left.
• The steps for each task are listed in an order that is designed to prevent problems during later steps;
however, you can skip steps if you know they are not applicable to your application.
• Depending on your user privileges, ANM may prevent you from making changes on certain steps.
• You must save and deploy any changes you want to keep before leaving each page.
• Each task can be run as many times as you like.
Using Import Devices
You can use the Import Device task to import ACE modules, ACE appliances, Catalyst 6500 series
chassis, Catalyst 6500 Virtual Switching System (VSS) 1440, Cisco 7600 series routers, CSS devices,
CSM devices, or GSS devices into ANM. You must import the hardware devices before ANM can
manage them.
Before You Begin
• Because ANM communicates with network devices through Secure Shell (SSH) and other protocols,
you must set up your devices to allow ANM to collect data from them. See the “Preparing Devices
for Import” section on page 5-4.
• Before ANM can import a device, you must ensure that the device has a management interface that
ANM can access. Also, you need the IP address and credentials for the device's management
interface in order to import it.
• If the ACE module is new and retains its factory settings, you can configure basic management
during the import process by using the Bare Blade option.
Procedure
Step 1 Choose Config > Guided Setup > Import Devices.
The Import Devices window appears, which includes the All Devices table.
Step 2 At the top of the All Devices table, click Add (+) to import a new device.
The New Device window appears.
Step 3 Enter the information for the specific device and complete the import devices procedure as described in
“Importing Network Devices into ANM” section on page 5-10.
Note To manage modules inside a Catalyst 6500 series switch, you must first import the Catalyst into
the All Devices table.
To import modules from a Catalyst that is already imported, choose the Catalyst switch from the
All Devices table and click Modules below the All Devices table.
Note The time required to import depends on the size of the existing configuration on each device.
The process can range from a few minutes to 30 minutes or more for a very large configuration.
Step 4 After you finish importing the ACE devices (module or appliance) into ANM, continue to the ACE
Hardware Setup task to guide you through the basic device setup and network configuration. See the
“Using ACE Hardware Setup” section on page 3-5.
Related Topics
• Information About Importing Devices, page 5-4
• Preparing Devices for Import, page 5-4
• Importing Network Devices into ANM, page 5-10
• Discovering Large Numbers of Devices Using IP Discovery, page 5-27
• Using ACE Hardware Setup, page 3-5
Using ACE Hardware Setup
You can use the ACE Hardware Setup task to configure ACE devices that are new to the network by
establishing network connectivity in either standalone or high-availability (HA) deployments.
Before You Begin
Before you can set up the ACE hardware using ANM, you must use the Import Devices task to import
the ACE into ANM if you have not already. See the “Using Import Devices” section on page 3-4.
Assumptions
• You can extend the functionality of the ACE by installing licenses. If you plan to extend the ACE
functionality, ensure that you have received the proper software license key for the ACE, that ACE
licenses are available on a remote server for importing to the ACE, or that you have received the software
license key and have copied the license file to the disk0: file system on the ACE using the copy
[path/]filename1 disk0: CLI command.
Note See either the Cisco Application Control Engine Module Administration Guide or Cisco 4700
Series Application Control Engine Appliance Administration Guide for details on the copy
[path/]filename1 disk0: CLI command.
• You must be in the Admin virtual context on an ACE device (ACE module or ACE appliance) to
configure ACE devices that are new to the network.
• When importing an ACE HA pair into ANM, you should follow one of the following configuration
requirements so that ANM can uniquely identify the ACE HA pair:
– Use a unique combination of FT interface VLAN and FT IP address/peer IP address for every
ACE HA pair imported into ANM. For HA, it is critical that the combination of FT interface
VLAN and IP address/peer IP address is always unique across every pair of ACE peer devices.
– Define a peer IP address in the management interface using the management IP address of the
peer ACE (module or appliance). The management IP address and management peer IP address
used for this definition should be the management IP address used to import both ACE devices
into ANM.
Note For more information about the use of HA pairs imported into ANM, see the “ANM
Requirements for ACE High Availability” section on page 5-8.
• When you are configuring the ACE, changes to the physical interfaces (including Gigabit Ethernet
ports or port channels) can result in a loss of connectivity between ANM and the ACE. Use caution
when following the ACE Hardware Setup task if you are modifying the interface that management
traffic is traversing.
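The two HA requirements in the assumptions above (a unique FT VLAN plus FT IP address/peer IP address combination for every pair, and a management peer IP address that equals the management IP address the peer was imported with) can be checked against an inventory before the import is attempted. The following is an added example written for this guide, not ANM or ACE code; the inventory record layout and all addresses in it are constructed for the example.

```python
"""Pre-import check for ACE HA pairs.

Added example; not ANM or ACE code.  It encodes the two HA assumptions
listed above: every HA pair imported into ANM must use a unique combination
of FT interface VLAN and FT IP address/peer IP address, and the peer IP
address on the management interface must be the management IP address that
the peer ACE is imported with.  The inventory record format below is a
constructed assumption for this example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AceHaMember:
    name: str
    mgmt_ip: str       # management IP used to import this ACE into ANM
    mgmt_peer_ip: str  # peer IP address configured on the management interface
    ft_vlan: int       # FT (fault-tolerant) interface VLAN
    ft_ip: str         # FT interface IP address
    ft_peer_ip: str    # FT interface peer IP address


def ft_identity(member: AceHaMember) -> tuple[int, frozenset[str]]:
    """Order-independent HA pair identity: the FT VLAN plus the unordered pair
    of FT addresses, so both members of one pair produce the same key."""
    return (member.ft_vlan, frozenset({member.ft_ip, member.ft_peer_ip}))


def check_ha_inventory(members: list[AceHaMember]) -> list[str]:
    """Return human-readable problems; an empty list means both requirements hold."""
    problems: list[str] = []
    by_mgmt_ip = {m.mgmt_ip: m for m in members}

    for m in members:
        # Reject malformed addresses before relying on them as lookup keys.
        for field in ("mgmt_ip", "mgmt_peer_ip", "ft_ip", "ft_peer_ip"):
            try:
                ipaddress.ip_address(getattr(m, field))
            except ValueError:
                problems.append(f"{m.name}: {field} {getattr(m, field)!r} is not a valid IP address")
        # Requirement 2: the management peer IP must be the import address of
        # another member, and that member must point back at this one.
        peer = by_mgmt_ip.get(m.mgmt_peer_ip)
        if peer is None:
            problems.append(f"{m.name}: management peer IP {m.mgmt_peer_ip} is not the management IP of any imported ACE")
        elif peer.mgmt_peer_ip != m.mgmt_ip:
            problems.append(f"{m.name}: peer {peer.name} points at {peer.mgmt_peer_ip}, not at {m.mgmt_ip}")

    # Requirement 1: no two distinct HA pairs may share an FT identity.
    owners: dict[tuple[int, frozenset[str]], set[frozenset[str]]] = defaultdict(set)
    for m in members:
        owners[ft_identity(m)].add(frozenset({m.mgmt_ip, m.mgmt_peer_ip}))
    for (vlan, ft_ips), pairs in sorted(owners.items(), key=lambda kv: kv[0][0]):
        if len(pairs) > 1:
            pair_text = "; ".join(sorted("/".join(sorted(p)) for p in pairs))
            problems.append(f"FT VLAN {vlan} with FT addresses {sorted(ft_ips)} is shared by {len(pairs)} HA pairs: {pair_text}")
    return problems


# Constructed sample inventory (all names and addresses are made up for this example).
SAMPLE_INVENTORY = [
    AceHaMember("ace-a1", "10.0.0.11", "10.0.0.12", 100, "192.168.100.1", "192.168.100.2"),
    AceHaMember("ace-a2", "10.0.0.12", "10.0.0.11", 100, "192.168.100.2", "192.168.100.1"),
    # Second pair reuses FT VLAN 100 and the same FT addresses: ANM cannot tell the pairs apart.
    AceHaMember("ace-b1", "10.0.0.13", "10.0.0.14", 100, "192.168.100.1", "192.168.100.2"),
    AceHaMember("ace-b2", "10.0.0.14", "10.0.0.13", 100, "192.168.100.2", "192.168.100.1"),
    # Management peer IP does not match the import address of any ACE in the inventory.
    AceHaMember("ace-c1", "10.0.0.15", "10.0.0.99", 200, "192.168.200.1", "192.168.200.2"),
]

if __name__ == "__main__":
    for line in check_ha_inventory(SAMPLE_INVENTORY) or ["inventory OK"]:
        print(line)
```

Run against the constructed inventory, the check reports the shared FT identity of pairs a and b and the dangling management peer address of ace-c1; the first pair on its own passes. The FT identity is deliberately order-independent so that both members of a pair, whose FT IP and peer IP are swapped relative to each other, map to the same key.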
Procedure
Step 1 Choose Config > Guided Setup > ACE Hardware Setup.
The ACE Hardware Setup window appears, which includes the ACE Device and Configuration Type
drop-down lists.
Step 2 From the ACE Device drop-down list, choose an ACE device (module or appliance).
Step 3 From the Configuration Type drop-down list, choose whether to set up the ACE as a standalone device
or as a member of a high-availability (HA) ACE pair:
• Standalone—The ACE is not to be used in an HA configuration.
• HA Secondary—The ACE is to be the secondary peer in an HA configuration.
• HA Primary—The ACE is to be the primary peer in an HA configuration.
Note Ensure that you complete the ACE hardware setup task for the secondary device before you set
up the primary device.
Step 4 Click Start Setup.
The License window appears (Config > Guided Setup > ACE Hardware Setup > Licenses). Cisco offers
licenses for ACE modules and appliances that allow you to increase the number of default contexts,
bandwidth, and SSL TPS (transactions per second). For more information, see either the Cisco
Application Control Engine Module Administration Guide or the Cisco 4700 Series Application Control
Engine Appliance Administration Guide on cisco.com.
If you need to install licenses at this point, go to Step 5.
If you do not need to install licenses at this point, go to Step 6.
Step 5 Install one or more ACE licenses (see the “Managing ACE Licenses” section on page 6-36).
Note For an ACE primary and secondary HA pair, because each ACE license is only valid on a single
hardware device, licenses are not synchronized between HA peer devices. You must install an
appropriate version of each license independently on both the primary and secondary ACE
devices.
Step 6 Click SNMP v2c Read-Only Community String under ACE Hardware Setup (Config > Guided Setup
> ACE Hardware Setup > SNMP v2c Read-Only Community String).
The SNMP v2c Read-Only Community String window appears.
Perform the following actions to configure an SNMP community string (a requirement for an ACE to be
monitored by ANM):
a. Click Add (+) at the top of the SNMP v2c Read-Only Community String table to create an SNMP
community string. The New SNMP v2c Community window appears.
Note For ANM to monitor an ACE, you must configure an SNMPv2c community string in the
Admin virtual context.
b. In the Read-Only Community field, enter the SNMP read-only community string name. Valid entries
are unquoted text strings with no spaces and a maximum of 32 characters.
Additional SNMP configuration selections are available under Config > Devices > context > System >
SNMP. See the “Configuring SNMP for Virtual Contexts” section on page 6-27.
Step 7 If you are configuring an ACE appliance, to group physical ports together on the ACE appliance to form
a logical Layer 2 interface called the port-channel (sometimes known as EtherChannels), click Port
Channel Interfaces under ACE Hardware Setup.
The Port Channel Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > Port
Channel Interfaces).
Note You must configure port channels on both the ACE appliance and the switch that the ACE is
connected to.
Perform the following actions to configure a port channel interface:
a. If you want to poll the devices and display the current values, click Poll Now, and then OK when
prompted if you want to poll the devices for data now.
b. At the top of the Port Channel Interfaces table, click Add (+) to add a port channel interface, or
choose an existing port channel interface and click Edit to modify it. The New Port Channel
Interface window appears.
Note If you click Edit, not all of the fields can be modified.
c. Enter the port channel interface attributes as described in the “Configuring Port-Channel Interfaces
for the ACE Appliance” section on page 12-35.
d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
e. To display statistics and status information for a port-channel interface, choose the interface from
the Port Channel Interfaces table and click Details. The show interface port-channel CLI
command output appears. See the “Displaying Port Channel Interface Statistics and Status
Information” section on page 12-40 for details.
Step 8 If you are configuring an ACE appliance, to configure one or more of the Gigabit Ethernet ports on the
appliance, click GigabitEthernet Interfaces under ACE Hardware Setup. The GigabitEthernet
Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > GigabitEthernet
Interfaces).
a. If you want to poll the devices and display the current values, click Poll Now, and then OK when
prompted if you want to poll the devices for data now.
b. Choose an existing Gigabit Ethernet interface and click Edit to modify it.
c. Enter the Gigabit Ethernet physical interface attributes as described in the “Configuring Gigabit
Ethernet Interfaces on the ACE Appliance” section on page 12-32.
d. Click Deploy Now when completed to deploy this configuration on the ACE and save your entries
to the running-configuration and startup-configuration files.
e. Repeat Steps a through c for each Gigabit Ethernet interface that you want to configure.
f. To display statistics and status information for a particular Gigabit Ethernet interface, choose the
interface from the GigabitEthernet Interfaces table, then click Details. The show interface
gigabitEthernet CLI command output appears. See the “Displaying Gigabit Ethernet Interface
Statistics and Status Information” section on page 12-35 for details.
Step 9 If the ACE is a member of an HA ACE pair, click VLAN Interfaces under ACE Hardware Setup.
The VLAN Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > VLAN
Interfaces).
Note To prevent loss of management connectivity during an HA configuration, you must configure the
IP addresses of the management VLAN interface correctly for your HA setup. During this
procedure, choose the management VLAN interface (and click the Edit button) and make sure
its IP address, alias IP address, and peer IP address are all set correctly. You can repeat this
process for any VLAN interfaces that you want. If the management VLAN is properly
configured before establishing HA, you will be able to return later to reconfigure other VLANs.
a. If you want to poll the devices and display the current values, click Poll Now, and then OK when
prompted if you want to poll the devices for data now.
b. Click Add to add a new VLAN interface, or choose an existing VLAN interface and click Edit to
modify it.
Note If you click Edit, not all of the fields can be modified.
c. Enter the VLAN interface attributes as described in the “Configuring Virtual Context VLAN
Interfaces” section on page 12-6. Click More Settings to access the additional VLAN interface
attributes. By default, ANM hides the default VLAN interface attributes and the VLAN interface
attributes which are not commonly used.
d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
e. To display statistics and status information for a VLAN interface, choose the VLAN interface from
the VLAN Interface table, then click Details. The output of the show interface vlan, show ipv6
interface vlan, and show ipv6 neighbor CLI commands appears. The IPv6 commands require ACE
module and ACE appliance software Version A5(1.0) or later. See the “Displaying VLAN Interface
Statistics and Status Information” section on page 12-18 for details.
Step 10 If the ACE is the primary peer in a high availability (HA) configuration, click HA Peering under ACE
Hardware Setup (Config > Guided Setup > ACE Hardware Setup > HA Peering).
a. Click Edit below the HA Management section to configure the primary ACE and the secondary ACE
as described in the “Configuring ACE High Availability Peers” section on page 13-15. There are two
columns, one for the selected ACE and another for a peer ACE.
You can specify the following information:
– Identify the two members of an HA pair.
– Assign IP addresses to the peer ACEs.
– Assign an HA VLAN to HA peers and bind a physical Gigabit Ethernet interface to the FT
VLAN.
– Configure the heartbeat frequency and count on the peer ACEs in a fault-tolerant VLAN.
When completed, click Deploy Now to deploy this configuration on the ACE and save your entries
to the running-configuration and startup-configuration files.
Note For ACE modules, the HA VLAN specified for ACE HA Groups must also be set up on the
Catalyst 6500 series switch using the svclc command. See the “Configuring VLANs Using
Cisco IOS Software (ACE Module)” section on page 12-3 for details.
b. Click Add below the ACE HA group table to add a new high availability group. Enter the
information in the configurable fields as described in the “Configuring ACE High Availability
Peers” section on page 13-15. When completed, click Deploy Now to deploy this configuration on
the ACE and save your entries to the running-configuration and startup-configuration files.
The HA State field displays FT VLAN Compatible once HA setup has been successfully completed.
Note To display statistics and status information for a particular HA group, choose the group from
the ACE HA Groups table and click Details. The show ft group group_id detail CLI
command output appears. See the “Displaying High Availability Group Statistics and
Status” section on page 13-21 for details.
Step 11 Once the HA State field in the ACE HA Groups table shows a successful state, the ACE is ready for
further configuration as follows:
• To set up additional virtual contexts, continue to the Virtual Context Setup task to create and connect
an ACE virtual context. See the “Using Virtual Context Setup” section on page 3-10.
• To set up an application in an existing virtual context, continue to the Application Setup task to set
up load-balancing for an application from an ACE to a group of back-end servers. See the “Using
Application Setup” section on page 3-12.
Related Topics
• Using Import Devices, page 3-4
• Configuring Devices, page 5-34
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
• Managing Devices, page 5-66
Using Virtual Context Setup
You can use the Virtual Context Setup task to create and connect an ACE virtual context. Virtual contexts
use virtualization to partition your ACE appliance or module into multiple virtual devices, or contexts.
Each context contains its own set of policies, interfaces, resources, and administrators.
Before You Begin
You must be in the Admin context on the ACE to create a new user context.
Procedure
Step 1 Choose Config > Guided Setup > Virtual Context Setup.
The Virtual Context Setup window appears.
Step 2 From the ACE Device drop-down list, choose an ACE.
Step 3 Click Start Setup.
The Resource Classes window appears (Config > Guided Setup > Virtual Context Setup > Resource
Classes).
Perform the following tasks to create or modify a resource class:
a. If you want to create a resource class, click Add (+). The New Resource Class configuration window
appears. Enter the resource information as described in the “Configuring Global Resource Classes”
section on page 6-46.
b. If you want to modify an existing resource, choose the resource class that you want to modify, then
click Edit. The Edit Resource Class configuration window appears. Enter the resource information
as described in the “Modifying Global Resource Classes” section on page 6-50.
c. Click OK to save your entries and to return to the Resource Classes table.
Make note of the resource class that you want to use because you will need it in Step 5.
Step 4 Click Virtual Context Management under Virtual Context Setup.
The Virtual Context window appears (Config > Guided Setup > Virtual Context Setup > Virtual Context
Management).
Perform the following actions to create or modify a virtual context:
a. If you want to create a virtual context, click Add (+). The New Virtual Context window appears.
Configure the virtual context as described in the “Configuring Virtual Contexts” section on
page 6-8.
b. If you want to modify an existing virtual context, choose the virtual context that you want to modify
and click Edit. The Edit Resource Class configuration window appears. Enter the resource
information as described in the “Modifying Global Resource Classes” section on page 6-50.
Step 5 To create or modify the attributes of a virtual context, configure the virtual context as described in the
“Configuring Virtual Contexts” section on page 6-8.
When completed, click Deploy Now to deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. Follow these guidelines when creating or
modifying the virtual context:
• To connect the virtual context to the available VLANs, specify one or more VLANs in the Allocated
VLANs field. You can specify multiple VLAN values and ranges (for example, “10, 14, 70-79”).
• For virtual contexts configured for an ACE, do the following:
– For an ACE appliance, you must set up all VLANs used in this step as trunk or access VLANs
on the port channel or Gigabit Ethernet interfaces. If you did not set up these VLANs during the
ACE Hardware Setup task, you can return to the ACE Hardware Setup window to configure the
required VLANs. See the “Using ACE Hardware Setup” section on page 3-5.
– For an ACE module, you must set up all VLANs used in this step as trunk or access VLANs on
the Catalyst 6500 series switch using the svclc command. See the “Configuring VLANs Using
Cisco IOS Software (ACE Module)” section on page 12-3 for details.
• When specifying the resource class for the virtual context, choose the resource class that you created
or specified in Step 3.
Note If you are unsure of the resource class to use for this virtual context, choose default. You
can change the resource class setting at a later time.
• If HA has been correctly configured for this ACE device, the High Availability checkbox will be
checked. If the checkbox is unchecked, check it to instruct ANM to automatically configure
synchronization for this virtual context.
Note The High Availability checkbox is available only if HA Peering has previously been
completed for the ACE hardware.
• If you want to set up a separate management VLAN interface for the virtual context, under
Management Settings, configure the management interface for this virtual context and create an
admin user. Each context also has its own management VLAN that you can access using the ANM
GUI. In this case, you would assign an independent VLAN and IP address for management traffic
to access the virtual context.
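The Allocated VLANs guideline above accepts lists and ranges such as “10, 14, 70-79”, and the following guideline requires every one of those VLANs to be carried as a trunk or access VLAN on a port channel or Gigabit Ethernet interface of the appliance. The following is an added example written for this guide, not ANM or ACE code: it expands an Allocated VLANs entry and reports the VLANs that no interface carries. The interface records are a constructed assumption, not an ANM or ACE data structure.

```python
"""Allocated VLAN check for a virtual context.

Added example; not ANM or ACE code.  parse_vlan_spec() reads an Allocated
VLANs entry in the form the Virtual Context Setup task accepts ("10, 14,
70-79"), and unreachable_vlans() reports the allocated VLANs that none of the
appliance's port-channel or Gigabit Ethernet interfaces carries as a trunk or
access VLAN.  The interface records are a constructed assumption for this
example, not an ANM or ACE data structure.
"""
from __future__ import annotations

import re

VLAN_MIN, VLAN_MAX = 1, 4094
_TOKEN = re.compile(r"^(\d{1,4})(?:-(\d{1,4}))?$")


def parse_vlan_spec(spec: str) -> set[int]:
    """Expand "10, 14, 70-79" into {10, 14, 70, ..., 79}; reject anything
    outside 1-4094 or not of the form N or N-M."""
    vlans: set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        match = _TOKEN.match(token)
        if not match:
            raise ValueError(f"invalid VLAN entry {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"descending VLAN range {token!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN entry {token!r} outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(low, high + 1))
    return vlans


def is_valid_vlan_spec(spec: str) -> bool:
    """True when the entry parses cleanly, False on any validation error."""
    try:
        parse_vlan_spec(spec)
    except ValueError:
        return False
    return True


def interface_vlans(iface: dict) -> set[int]:
    """VLANs an interface carries: its access VLAN for an access port, the
    allowed-VLAN list for a trunk."""
    if iface["mode"] == "access":
        return {int(iface["access_vlan"])}
    if iface["mode"] == "trunk":
        return parse_vlan_spec(iface["allowed_vlans"])
    raise ValueError(f"{iface['name']}: unknown switchport mode {iface['mode']!r}")


def unreachable_vlans(spec: str, interfaces: list[dict]) -> set[int]:
    """Allocated VLANs that no interface carries; these must be added on the
    port-channel or Gigabit Ethernet interfaces before the context can use them."""
    carried: set[int] = set()
    for iface in interfaces:
        carried |= interface_vlans(iface)
    return parse_vlan_spec(spec) - carried


# Constructed sample: one trunked port channel and one access port.
SAMPLE_INTERFACES = [
    {"name": "port-channel 1", "mode": "trunk", "allowed_vlans": "10-14,70-75"},
    {"name": "gigabitEthernet 1/3", "mode": "access", "access_vlan": 14},
]
SAMPLE_SPEC = "10, 14, 70-79"

if __name__ == "__main__":
    missing = unreachable_vlans(SAMPLE_SPEC, SAMPLE_INTERFACES)
    print("allocated VLANs not carried by any interface:", sorted(missing))
```

With the constructed interfaces, VLANs 76 through 79 are allocated to the context but carried by no interface, which is exactly the case in which you would return to the ACE Hardware Setup window to add them to the port channel or Gigabit Ethernet interface.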
Step 6 To edit the load-balancing configuration for a virtual context, continue to the Application Setup task. See
the “Using Application Setup” section on page 3-12.
Related Topics
• Using Import Devices, page 3-4
• Using ACE Hardware Setup, page 3-5
• Information About Virtual Contexts, page 6-2
• Using Resource Classes, page 6-43
• Creating Virtual Contexts, page 6-2
• Configuring Virtual Contexts, page 6-8
• Configuring VLANs Using Cisco IOS Software (ACE Module), page 12-3
• Using Application Setup, page 3-12
Using Application Setup
This section includes the following topics on application setup:
• ACE Network Topology Overview, page 3-12
• Using Application Setup, page 3-14
ACE Network Topology Overview
With respect to ACE configuration, the network topology describes where—which VLAN or
subnet—client traffic comes into the ACE and where this traffic is sent to real servers. Network
configuration for ACE load balancing depends on the surrounding topology. By specifying to ANM the
topology that is appropriate for your networking application, ANM can present more relevant options
and guidance.
The network topology is often determined solely by your existing network; however, the goals for your
ACE deployment can also play a role. For example, when ACE acts as a router between clients and
servers, it provides a level of protection by effectively hiding the servers from the clients. On the other
hand, for a routed topology to work, each of those servers must be configured to route back through the
ACE, which can be a significant change to the network routing.
The ACE is also capable of bridging the client and server VLANs, which does not affect server routing.
However, it does require the network to have VLANs set up appropriately.
If you are not sure what topology to use, or do not want to make topology decisions immediately, use
the “one-armed” topology. The one-armed topology does not typically require any changes to an existing
network and can be set up with minimal knowledge of the network. You can then expand your ACE
network topology to routed mode or bridged mode to better suit your networking requirements.
Figure 3-1 illustrates the one-armed network topology.
Figure 3-1 Example of a One-Armed Network Topology
(Figure not reproduced. Elements shown: ACE Virtual Context; Real Servers; Router/Switch; Client Network; ACE VLAN, e.g. 172.16.5.0/16; Server VLAN, e.g. 192.168.1.0/16. Client to ACE Request: Client IP (src), VIP (dst) 172.16.5.10. Client to ACE Request: Nat Pool IP (src) 172.16.5.101, Server IP (dst) 192.168.1.11.)
Figure 3-2 illustrates the routed mode network topology.
Figure 3-2 Example of a Routed Mode Network Topology
(Figure not reproduced. Elements shown: ACE Virtual Context; Real Servers; Router/Switch; Real Server Default Routes; Client Network; Client VLAN, e.g. 172.16.5.0/16; Server VLAN, e.g. 192.168.1.0/16.)
Figure 3-3 illustrates the bridged mode network topology.
Figure 3-3 Example of a Bridged Mode Network Topology
(Figure not reproduced. Elements shown: ACE Virtual Context; Real Servers; Router/Switch; Real Server Default Routes; Client Network; Client VLAN; Server VLAN; BVI, e.g. 192.168.1.0/16.)
Using Application Setup
You use the Application Setup task to set up load balancing for an application in which you choose an
application type, virtual context to configure, and network topology (see Figure 3-4). ANM Guided
Setup displays a list of configuration attributes to define that is based on your choice of application type
and network topology.
Figure 3-4 Guided Setup: Application Setup
Guidelines and Restrictions
The Application Type drop-down list (see Figure 3-4) includes both non-template and template-based
options. The template-based options are application definition templates that allow you to quickly
configure one or more ACE virtual contexts (or devices) with a complex configuration for well known
or custom in-house applications. A template can be a Cisco-defined system template or it can be
user-defined. The number of system templates that display in the drop-down list increases as more of
these templates become available during ANM upgrades or you import them into ANM from the Cisco
Developers Network. For more information, see the “Information About Application Template
Definitions and Instances” section on page 4-1.
By default, all system templates display in the Application Type drop-down list. You can edit a template
so that it does not display in this list. For more information, see the “Editing an Application Template
Definition” section on page 4-15.
Procedure
Step 1 Choose Config > Guided Setup > Application Setup.
The Application Setup window appears.
Step 2 From the Application Type drop-down list, choose an application as follows:
• Non-template options—Choose one of the following application types if you want to create an
application that is not based on a system or user-defined template:
– Generic-SSL-HTTP—Choose this application type if your ACE is to use HTTPS when
communicating with either the client or with real servers.
– Generic-Non-SSL—Choose this application type if your ACE is to use HTTP when
communicating with either the client or with real servers.
These applications allow you to create an application that is more granular in terms of the number
of attributes that you can configure using Guided Setup compared to an application based on a
system or user template.
• Template-based options—Choose one of the application types that are based on a system template
provided with ANM or a user-defined template. Examples of system templates include the
following:
– Microsoft Exchange
– Microsoft SharePoint
For more information, see “Guidelines and Restrictions.”
Step 3 From the Select Virtual Context drop-down list, choose an existing ACE virtual context.
Step 4 Choose the network topology that reflects the relationship of the selected ACE virtual context to the real
servers in the network.
Topology choices include one-armed, routed, or bridged. See the “ACE Network Topology Overview”
section on page 3-12 for background details on networking topology.
Step 5 Click Start Setup.
Step 6 Configure the attributes that are associated with the selected application type and topology and listed
under Application Setup (see Figure 3-5) and described in Table 3-2, which includes all possible
attributes.
Figure 3-5 Navigating Application Setup Configuration Attributes
Note As you complete and deploy an attribute configuration, go to the next one by clicking on the
attribute listed under Application Setup (see Figure 3-5).
Table 3-2 Guided Setup Configuration Attributes
Attribute Description
VLAN Interfaces
To communicate with the client and real servers, a VLAN interface must be specified for client and server
traffic to be sent and received.
Perform the following actions to configure a VLAN interface:
a. If you want to poll the devices and display the current values, click Poll Now, and then click OK when
prompted to poll the devices for data.
b. Click Add to add a new VLAN interface, or choose an existing VLAN interface and click Edit to modify
it.
c. Enter the VLAN interface attributes. Click More Settings to access the additional VLAN interface
attributes. By default, ANM hides the default VLAN interface attributes and the VLAN interface
attributes that are not commonly used. For configuration details, see the “Configuring Virtual Context
VLAN Interfaces” section on page 12-6.
Note After you define the VLAN, write down the VLAN number. You need this number when
configuring the ACLs and Virtual Server attributes.
d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
e. To display statistics and status information for a VLAN interface, choose the VLAN interface from the
VLAN Interface table, then click Details. The output of the show interface vlan, show ipv6 interface
vlan, and show ipv6 neighbor CLI commands appears. The IPv6 commands require ACE module and
ACE appliance software Version A5(1.0) or later. See the “Displaying VLAN Interface Statistics and
Status Information” section on page 12-18 for details.
BVI Interfaces
Perform the following actions to configure a BVI interface:
a. If you want to poll the devices and display the current values, click Poll Now, and then OK when
prompted if you want to poll the devices for data now.
b. Click Add to add a new BVI interface, or choose an existing BVI interface, then click Edit to modify it.
c. Enter the BVI interface attributes. For configuration details, see the “Configuring Virtual Context BVI
Interfaces” section on page 12-19.
Note After you define the BVI, write down the client-side VLAN number. You need this number when
configuring the ACLs and Virtual Server attributes.
d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
e. To display statistics and status information for a BVI interface, choose the BVI interface from the BVI
Interface table, then click Details. The show interface bvi, show ipv6 interface bvi, and show ipv6
neighbors CLI commands output appears. The IPv6 commands require ACE module and ACE appliance
software Version A5(1.0) or later. See the “Displaying BVI Interface Statistics and Status Information”
section on page 12-26 for details.
NAT Pools To set up a one-armed topology, you need a NAT pool to provide the set of IP addresses that ACE can use as
source addresses when sending requests to the real servers.
Note You must configure the NAT pool on the same VLAN interface that you configured in Step 6.
Perform the following actions to create or modify a NAT pool for a VLAN:
a. Click Add to add a new NAT pool entry, or choose an existing NAT pool entry and click Edit to modify
it. The NAT Pool configuration window appears.
b. Configure the NAT pool attributes. For configuration details, see the “Configuring VLAN Interface NAT
Pools” section on page 12-26.
Note After you define the NAT pool, write down the NAT pool ID. You specify the NAT pool ID when
configuring the Virtual Server attributes.
c. Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
ACLs An ACL applies to one or more VLAN interfaces. Each ACL consists of a list of entries, each of which defines
a source, a destination, and whether to permit or deny traffic between those locations.
Perform the following actions to create or modify an ACL:
a. Click Add to add a new ACL entry, or choose an existing ACL entry and click Edit to modify it. The
Access List configuration window appears.
b. Add or edit the required fields. For configuration details, see the “Configuring Security with ACLs”
section on page 6-78.
c. Click Deploy to save this configuration.
d. To display statistics and status information for an ACL, choose an ACL from the ACLs table, then click
Details. The show access-list access-list detail CLI command output appears. See the “Displaying ACL
Information and Statistics” section on page 6-89 for details.
SSL Proxy
Note To terminate or initiate HTTPS connections with ACE, the virtual context must have at least one SSL
proxy service. An SSL proxy contains the certificate and key information needed to terminate HTTPS
connections from the client or initiate them to the servers.
Perform the following actions to create or modify an SSL proxy service:
a. To create an SSL proxy service, click SSL Proxy Setup.
Note To edit an existing SSL proxy service, choose it from the SSL Proxy table, and click Edit to
modify the SSL proxy service. The SSL Proxy Service configuration window appears. Edit the
required fields as described in the “Configuring SSL Proxy Service” section on page 11-27.
b. Add required fields. For configuration details, see the “Configuring SSL Proxy Service” section on
page 11-27.
c. Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Virtual Server
The virtual server defines the load-balancing configuration for an application. Perform the following actions
to create or modify a virtual server:
a. If you want to poll the devices and display the current values, click Poll Now, and then OK when
prompted if you want to poll the devices for data now.
b. Click Add to add a new virtual server, or choose an existing virtual server, and click Edit to modify it.
The Virtual Server configuration window appears with a number of configuration subsets. The subsets
that you see depend on whether you use the Basic View or the Advanced View and entries you make in
the Properties subset. Change views by using the View object selector at the top of the configuration pane.
c. Add or edit required fields. For configuration details, see the “Virtual Server Configuration Procedure”
section on page 7-7. Table 7-1 identifies and describes virtual server configuration subsets with links to
related topics for configuration information. Virtual servers have many configuration options. At a
minimum, you need to configure the following attributes:
– Set the VIP, port number (TCP or UDP), and application protocol for your application.
Note If the ACE is to terminate the client HTTPS connections, choose HTTPS as the Application
Protocol.
– (One-Armed Topology) For VLAN, choose the VLAN defined in VLAN Interfaces.
– (Routed Topology) For VLAN, choose the client-side VLAN defined in VLAN Interfaces.
– (Bridged Topology) For VLAN, choose the client-side VLAN defined in VLAN Interfaces.
– If the ACE is to terminate client HTTPS connections, then under the SSL Termination header,
specify the SSL proxy defined in SSL Proxy.
– Under the Default L7 Loadbalancing Action, set Primary Action to Loadbalance.
– Create a server farm that contains one or more real servers for this application (see Table 7-13 in the
“Configuring Virtual Server Layer 7 Load Balancing” section for details on setting server farm
attributes).
– If the ACE is to initiate HTTPS connections to the real servers, choose the desired SSL proxy for
initiation to this application from the menu next to SSL Initiation.
– (One-Armed Topology) Under NAT, enter the NAT pool ID from Step 8.
After you set up a base virtual server, you can test it to validate your configuration and isolate any issues
in your networking application. You can then add these more advanced load balancing options to your
networking application:
– Additional real servers to a server farm. See Table 7-13 in the “Configuring Virtual Server Layer 7
Load Balancing” section for details.
– Health monitoring probes and attributes for the specific probe type. See Table 7-14 in the
“Configuring Virtual Server Layer 7 Load Balancing” section for details.
– Stickiness, where client requests for content are to be handled by a sticky group when match
conditions are met. See Table 7-15 in the “Configuring Virtual Server Layer 7 Load Balancing”
section for details.
Virtual Server (continued)
– Application protocol inspection, where the ACE allows the virtual server to verify protocol behavior
and identify unwanted or malicious traffic passing through the ACE. See the “Configuring Virtual
Server Protocol Inspection” section for details.
d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
e. To display statistics and status information for an existing virtual server, choose a virtual server from the
Virtual Servers table, then click Details. The show service-policy global detail CLI command output
appears. See the “Displaying Virtual Server Statistics and Status Information” section on page 7-65 for
details.
Application Config
You can create an application configuration or modify one that is staged (not deployed). Perform the
following actions to create or modify an application configuration:
a. Click Add to add a new application config, or choose an existing application config with a Type of
Staged, and click Edit to modify it. The Application Configuration window appears.
b. Configure or edit the required fields. For configuration details, see the “Creating an Application Template
Instance” section on page 4-4.
c. Do one of the following:
- Click Deploy Now to deploy this application config on the ACE and save your entries to the
running-configuration and startup-configuration files.
- Click Save to save the information but not deploy the application config to the ACE. Use this option if
you want to deploy or complete the configuration at a later time.
Related Topics
• Using Import Devices, page 3-4
• Using ACE Hardware Setup, page 3-5
• Using Virtual Context Setup, page 3-10
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces, page 12-19
• Configuring Virtual Context Static Routes, page 12-28
• Configuring Security with ACLs, page 6-78
• SSL Setup Sequence, page 11-4
3-20
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 3 Using ANM Guided Setup
Using Application Setup
CHAPTER 4
Using Application Template Definitions
Date: 3/28/12
This chapter describes how to use Cisco Application Networking Manager (ANM) application template
definitions for configuring ACE virtual contexts.
Note This chapter uses the terms “virtual context” and “device” interchangeably.
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Instances, page 4-3
• Managing Application Template Definitions, page 4-15
Information About Application Template Definitions and
Instances
The ANM application template definitions allow you to quickly configure one or more ACE virtual
contexts (or devices) with a complex configuration for well-known or custom in-house applications. A
template is defined by an XML template definition file, which contains the configuration that is deployed
to a device with placeholders for variable replacement. The template variables are presented to the user
in the ANM GUI.
The two types of application template definitions are as follows:
• System templates—Defined by Cisco and included in ANM for major applications. You can edit a
system file to customize it if needed.
Examples of system templates are as follows:
– Basic HTTP
– DNS
– DWS with Cisco Nexus 7000 OTV
– FTP
– Java Application Server
– Layer 3 LB
– Layer 4 LB
– Microsoft Exchange 2010
– Microsoft SharePoint 2010
– RDP
– Secure Webserver
• User-defined templates—User defined for custom applications. You can create a user-defined
template that is based on an existing template or you can create a template using the base code
provided in this chapter.
The template file follows a specific schema that is defined by ANM. All user-defined templates must
follow this schema before ANM can deploy them to an ACE. You can create or edit a template using the
internal ANM template editor or you can use the template export and import feature that allows you to
use an external XML editor.
Using application template definitions, you create application template instances, which are based on
the template that you choose. You can display and manage application template instances on a global or
device-specific level.
Guidelines and Restrictions
The variable fields of an application template definition are role-based access controlled (RBAC), which
means that when you use a template to create an application template instance, your user account must
be configured with the required roles that will allow you to enter the variable information. ANM does
not allow you to enter variable information for those fields that you are not permitted to fill in. If you
are not permitted to enter all the variable information, you can save the incomplete template instance
with the information that you are allowed to input, and then have a user with the required roles complete
the template instance so that it can be deployed.
Related Topics
• Managing Application Template Instances, page 4-3
• Managing Application Template Definitions, page 4-15
Managing Application Template Instances
Application template instances are ACE configurations that you create based on a specific application
template definition. ANM maintains a table of the template instances that you create using ANM, which
you can view by doing one of the following:
• To display the template instances of all devices, display the global view by doing one of the
following:
– Choose Home and from the Configuration category, choose Application Template Instances.
– Choose Config > Global > Application Template Instances.
• To display only the template instances associated with a specific device, choose Config > Devices
> context > Load Balancing > Application Template Instances.
The Application Template Instances window appears, displaying the information described in Table 4-1.
From the Application Template Instances window, you can perform such tasks as creating, editing,
deploying, or deleting a template instance.
Note ANM tracks only application template instances that you create and deploy using ANM. It does not
discover template instances that may reside on an ACE. For example, if you use the CLI to configure an
ACE with a configuration that matches an installed application template configuration, you will not see
this configuration listed as a template instance in the ANM GUI (Config > Global > Application
Template Instances).
This section includes the following topics:
• Creating an Application Template Instance, page 4-4
• Deploying a Staged Application Template Instance, page 4-7
• Editing an Application Template Instance, page 4-9
• Duplicating an Application Template Instance, page 4-10
• Viewing and Editing Application Template Instance Details, page 4-12
• Deleting an Application Template Instance, page 4-13
Table 4-1 Application Template Instances Window
Field Description
Name Application template instance name.
Application Type Name of the application template definition used to create the template
instance.
Device Virtual context associated with the template instance.
Type Template instance type as follows:
• Staged—Template instance is saved but has not been deployed.
• Deployed—Template instance is saved and deployed to the device.
Status Current status of the template instance as follows:
• Complete—Template instance attributes have all been defined and the
template instance can be deployed if the Type field displays Staged (see the
“Deploying a Staged Application Template Instance” section on page 4-7).
• Incomplete—Template instance attributes have not all been defined so it
cannot be deployed. This status is possible only when the Type field
displays Staged.
Last Updated Time Last time that ANM retrieved the status information.
Creating an Application Template Instance
You can create an application template instance by configuring a virtual context using an application
template definition.
Prerequisites
You must have a user account with the following RBAC tasks assigned to it:
ace_interface=modify, ace_access-list=modify, ace_ssl=modify, ace_vip=modify
Procedure
Step 1 Display the Application Template Instances window by doing one of the following:
• Choose Home and from the Configuration category, choose Application Template Instances.
• Choose Config > Devices > context > Load Balancing > Application Template Instances.
• Choose Config > Global > Application Template Instances.
For a description of the information that is displayed, see Table 4-1.
Note You can also create a template instance using Application Setup (see the “Using Application
Setup” section on page 3-12).
Step 2 From the Application Template Instances window, click the Add icon (+).
The New Application Template Instance dialog box appears.
Step 3 In the dialog box, do the following:
a. From the Application Type drop-down list, choose one of the system templates provided with ANM
or a user-defined template.
The number of system templates that display in the drop-down list will increase as more templates
become available and you import them into ANM.
b. Click OK. The dialog box closes and the template configuration attributes appear in the Application
Template Instances window.
Step 4 (Optional) From the Application Template Instances window, choose one of the following view settings
from the drop-down list located at the top of the window:
• Basic View—Displays only the variable fields that require user input. Variable fields that are
optional or are configured with default values are hidden.
• Advanced View—Displays all available variable fields.
Note The Basic/Advanced display option appears only when a variable field in the application
template definition file uses the “advanced” attribute (see the “Creating an Application Template
Definition Using the ANM Template Editor” section on page 4-21). The DWS with Nexus 7000
OTV system template is an example of a template that uses the advanced attribute.
Step 5 From the Application Template Instances window, configure the variable attributes.
Table 4-2 describes some variable attributes that are associated with the system templates included with
ANM. Use the information provided here to define the variables.
Table 4-2 System Template Attributes
Field Description
Application Configuration Visual grouping of application-specific options.
Application Config Name Name of the application that is used as a base name for many ACE objects, such as class
maps, policy maps, stickies, or server farms.
VIP Address/Exchange VIP Address Application server VIP address, which is generally the IP address that appears in DNS for
the application. You can enter an IPv4 or IPv6 formatted address here; however, IPv6
requires ACE software Version A5(1.0) or later. Optionally, an IPv4 address can include a prefix of
/32 or less, and an IPv6 address can include a prefix of /128 or less.
Real Server IP/Client Access Servers (CAS)/SharePoint Web Front End Servers Addresses IP addresses of the servers that are being load balanced. You can enter an IPv4 or IPv6
formatted address here; however, IPv6 requires ACE software Version A5(1.0) or later.
Relative Probe URL File location that the ACE health check probes.
FQDN Fully qualified domain name that is used for web host redirection. The %H string redirects
based on the hostname in the header of the client HTTP requests.
Web Front End Port Real server port on which the service is running.
Secure communications between Load Balancers and Servers Check box option that when checked, instructs the ACE to use SSL to encrypt the traffic
between it and the real servers.
Key Type SSL key type. Choose one of the following from the drop-down list:
• PKCS12
• DER
• PEM
SSL Key URL Field that appears only when the Key Type field is set to PKCS12 or DER. The TFTP, FTP,
or SFTP URL including a key server IP address. You must use two forward slashes (//) to do
absolute references; otherwise, the user home directory is used as the base path.
Key Server Username Field that appears only when the Key Type field is set to PKCS12 or DER. The username to
use for SFTP or FTP with the SSL key URL.
Key Server Password Field that appears only when the Key Type field is set to PKCS12 or DER. The password to
use for SFTP or FTP with the SSL key URL.
SSL Key Field that appears only when the Key Type field is set to PEM. The SSL key that the ACE
uses to decrypt and encrypt traffic from the client.
SSL Certificate Field that appears only when the Key Type field is set to PEM. The SSL certificate that the
ACE presents to the client.
Cert/Key Passphrase Optional passphrase with which the key and certificate are encrypted.
Session Persistence Check box option that when checked, enables session persistence. Depending on the type of
template, the persistence type is generally either IP Netmask or HTTP Cookie.
Redirect from 80 to 443 Check box option that when checked, configures an automatic HTTP redirect.
Note When you enable this option, you must specify an FQDN.
Network Configuration Visual grouping of network-specific options.
Load Balancer (Device: Virtual Context) Virtual context to which the template is deployed. When you access the Application
Template Instances window through device configurations (Config > Devices > context >
Load Balancing > Application Template Instances), this field is already populated with the
specified virtual context. When you access the Application Template Instances window
through the Home page or global configuration, choose the virtual context from the
drop-down device tree.
Client VLANs VLANs on which client traffic originates.
Enable Source NAT Check box option that when checked, specifies that traffic from the servers must have source
NAT applied in order to return to the ACE. In general, you do not want to enable this feature
if your ACE is installed in a one-armed network topology (see the “ACE Network Topology
Overview” section on page 3-12).
Note You must define NAT pools on the server interfaces before you select this option.
Step 6 Do one of the following:
• Click Deploy to deploy the template instance to the device. The deployment verification popup
window appears. Go to Step 7.
Note The Deploy option requires a user account with the following RBAC task assigned to it:
ace_virtualcontext=create.
• Click Stage to save the template instance without deploying it to the specified virtual context.
• Click Cancel to exit the configuration window without saving your changes.
Step 7 From the popup window, do one of the following:
• Click OK to deploy the template instance. The Deploy dialog box appears, which displays the list
of configuration attributes to be deployed. Go to Step 8.
• Click Cancel to exit this procedure without deploying the template instance.
Step 8 In the dialog box, do the following:
a. (Optional) Check the Create Named Checkpoint check box to create a checkpoint that ANM does
not delete after a successful deployment.
This check box works as follows:
– Unchecked—ANM creates a checkpoint that you can revert back to if the deployment of the
staged application template is unsuccessful. ANM assigns a random name to the checkpoint and
deletes the checkpoint after a successful deployment.
– Checked—ANM creates a checkpoint that you name and can revert back to at any time because
ANM does not delete it even after a successful deployment.
Note ACE virtual contexts have a limit of 10 checkpoints. If you attempt to exceed this limit,
ANM does not deploy the template instance.
b. Do one of the following:
– Click Deploy Now. The template instance is applied to the device running-configuration and
startup-configuration files. The Results window appears with the deployment status as follows:
- Deployment Successful
- Error in deploying template: error_details
– Click Cancel to cancel the deployment.
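The naming rule in the Note at the start of this chapter and the field rules in Table 4-2 are worth checking before a template instance is staged. The following Python script is an added example, not ANM or ACE code: it encodes those documented constraints (object names of 1 to 64 characters from letters, digits, underscore, hyphen, dot and asterisk with no spaces; IPv4 or IPv6 VIPs with a prefix of at most /32 or /128, IPv6 only on ACE software A5(1.0) or later; the Key Type deciding whether an SSL key URL with FTP/SFTP credentials or a PEM key and certificate is required; the double-slash rule for absolute key URLs; the FQDN that Redirect from 80 to 443 needs). The dictionary keys, function names and sample values are constructed for the example and are not ANM field identifiers.

```python
"""Pre-staging checks for the Table 4-2 template variables and ACE object names.

Added example, not ANM or ACE code. Dictionary keys, function names and sample
values are constructed for the example; the rules they enforce are the ones the
chapter states.
"""
import ipaddress
import re
from typing import Any, Dict, List
from urllib.parse import urlsplit

NAME_RE = re.compile(r"[A-Za-z0-9_.*-]{1,64}")   # 1-64 chars, no spaces (chapter Note)
KEY_TYPES = ("PKCS12", "DER", "PEM")
KEY_URL_SCHEMES = ("tftp", "ftp", "sftp")


def valid_object_name(name: str) -> bool:
    """ACE object name: 1-64 alphanumerics plus underscore, hyphen, dot, asterisk."""
    return NAME_RE.fullmatch(name) is not None


def valid_vip(value: str, ipv6_supported: bool = True) -> bool:
    """VIP with optional prefix; ip_network() already rejects prefixes above /32 or /128.

    ipv6_supported models the ACE software A5(1.0)-or-later requirement for IPv6.
    """
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return net.version == 4 or ipv6_supported


def key_url_is_absolute(url: str) -> bool:
    """Two slashes after the host make the path absolute; one slash is relative to the home directory."""
    return urlsplit(url).path.startswith("//")


def validate_template_vars(v: Dict[str, Any], ipv6_supported: bool = True) -> List[str]:
    """Return problems found; entries starting with 'warning:' do not block deployment."""
    problems: List[str] = []
    if not valid_object_name(v.get("app_config_name", "")):
        problems.append("app_config_name: 1-64 chars of [A-Za-z0-9_-.*] and no spaces")
    if not valid_vip(v.get("vip", ""), ipv6_supported):
        problems.append("vip: not a valid IPv4/IPv6 address or prefix (IPv6 needs A5(1.0) or later)")
    servers = v.get("real_servers") or []
    if not servers:
        problems.append("real_servers: at least one server address is required")
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            problems.append("real_servers: %r is not an IP address" % server)
            continue
        if addr.version == 6 and not ipv6_supported:
            problems.append("real_servers: %s is IPv6 but ACE software is older than A5(1.0)" % server)
    key_type = v.get("key_type")
    if key_type not in KEY_TYPES:
        problems.append("key_type: must be PKCS12, DER or PEM")
    elif key_type == "PEM":
        for name in ("ssl_key", "ssl_certificate"):
            if not v.get(name):
                problems.append("%s: required when key_type is PEM" % name)
    else:                                   # PKCS12 or DER: the key is fetched from a URL
        url = v.get("ssl_key_url", "")
        scheme = urlsplit(url).scheme.lower()
        if scheme not in KEY_URL_SCHEMES:
            problems.append("ssl_key_url: TFTP, FTP or SFTP URL required for PKCS12/DER")
        else:
            if not key_url_is_absolute(url):
                problems.append("warning: ssl_key_url path is relative to the key server user's home directory")
            if scheme != "tftp" and not (v.get("key_server_username") and v.get("key_server_password")):
                problems.append("key_server_username/key_server_password: required for FTP or SFTP")
    if v.get("redirect_80_to_443") and not v.get("fqdn"):
        problems.append("fqdn: required when Redirect from 80 to 443 is enabled")
    return problems


# Constructed samples (RFC 5737/3849 documentation addresses, placeholder credentials).
SAMPLE_OK = {
    "app_config_name": "intranet-web", "vip": "203.0.113.10/32",
    "real_servers": ["192.0.2.11", "192.0.2.12"], "key_type": "PKCS12",
    "ssl_key_url": "sftp://192.0.2.50//srv/keys/intranet.p12",
    "key_server_username": "keyuser", "key_server_password": "placeholder",
    "redirect_80_to_443": True, "fqdn": "intranet.example.com",
}
SAMPLE_BAD = {
    "app_config_name": "intranet web", "vip": "2001:db8::10/64",
    "real_servers": ["192.0.2.11", "not-an-ip"], "key_type": "PEM",
    "ssl_key": "-----BEGIN PRIVATE KEY----- (placeholder)",   # certificate missing
    "redirect_80_to_443": True,                                # fqdn missing
}

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_template_vars(sample, ipv6_supported=False) or "no problems")
```

The single-slash key URL is reported as a warning rather than an error because Table 4-2 says such a path is resolved relative to the key server user's home directory, which is a valid but easily overlooked interpretation; run the script with no arguments to see the constructed good and bad samples checked as if the ACE ran software older than A5(1.0).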
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Instances, page 4-3
• Deploying a Staged Application Template Instance, page 4-7
• Editing an Application Template Instance, page 4-9
• Duplicating an Application Template Instance, page 4-10
• Viewing and Editing Application Template Instance Details, page 4-12
• Deleting an Application Template Instance, page 4-13
Deploying a Staged Application Template Instance
You can deploy an application template instance that has been saved (or staged) but not yet deployed to
the device.
Prerequisites
You must have a user account with the following RBAC task assigned to it: ace_virtualcontext=create.
Procedure
Step 1 Display the Application Template Instances window by doing one of the following:
• Choose Home and from the Configuration category, choose Application Template Instances.
• Choose Config > Devices > context > Load Balancing > Application Template Instances.
• Choose Config > Global > Application Template Instances.
For a description of the information that is displayed, see Table 4-1.
Step 2 From the Application Template Instances window, choose the staged template instance to deploy and
click Deploy.
The deployment verification popup window appears.
Step 3 From the popup window, do one of the following:
• Click OK to deploy the template instance. One of the following popups appears depending on the
template instance status:
– Complete template instance—The Deploy dialog box appears, which displays the list of
configuration attributes to be deployed. Go to Step 4.
– Incomplete template instance—A popup window appears with the following message:
The selected instance is not completely filled. Do you want to proceed to edit
screen?
Do one of the following:
- Click OK to proceed to the edit window where you can complete the template instance as
described in the “Editing an Application Template Instance” section on page 4-9.
- Click Cancel to return to the Application Template Instances window.
• Click Cancel to exit this procedure without deploying the template instance.
Step 4 In the dialog box, do the following:
a. (Optional) Check the Create Named Checkpoint check box to create a checkpoint that ANM does
not delete after a successful deployment.
This check box works as follows:
– Unchecked—ANM creates a checkpoint that you can revert back to if the deployment of the
staged application template is unsuccessful. ANM assigns a random name to the checkpoint and
deletes the checkpoint after a successful deployment.
– Checked—ANM creates a checkpoint that you name and can revert back to at any time because
ANM does not delete it even after a successful deployment.
Note ACE virtual contexts have a limit of 10 checkpoints. If you attempt to exceed this limit,
ANM does not deploy the template instance.
b. Do one of the following:
– Click Deploy Now. The template instance is applied to the device running-configuration and
startup-configuration files. The Results window appears with the deployment status as follows:
- Deployment Successful
- Error in deploying template: error_details
– Click Cancel to cancel the deployment.
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Instances, page 4-3
• Creating an Application Template Instance, page 4-4
• Editing an Application Template Instance, page 4-9
• Duplicating an Application Template Instance, page 4-10
• Viewing and Editing Application Template Instance Details, page 4-12
• Deleting an Application Template Instance, page 4-13
Editing an Application Template Instance
You can edit a staged application template instance.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• To edit an application template instance, it must display as the type Staged. You cannot edit a
template instance that displays as the type Deployed.
• To retain the original template instance and make changes to a copy of it, go to the “Duplicating an
Application Template Instance” section on page 4-10.
Prerequisites
You must have a user account with the following RBAC tasks assigned to it:
ace_interface=modify, ace_access-list=modify, ace_ssl=modify, ace_vip=modify
Procedure
Step 1 View the list of application template instances by doing one of the following:
• To display the template instances of all devices, display the global view by doing one of the
following:
– Choose Home and from the Configuration category, choose Application Template Instances.
– Choose Config > Global > Application Template Instances.
• To display only the template instances associated with a specific device, choose Config > Devices
> context > Load Balancing > Application Template Instances.
The Application Template Instances window appears, displaying the information described in Table 4-2.
Step 2 From the Application Template Instances window, choose a staged template instance to edit and click
the Edit icon.
The Application Configuration window appears, displaying the configured variable attributes.
Step 3 From the Application Configuration window, edit the configuration as needed.
For information about configuring the attributes, see Table 4-2.
Step 4 When your edits are complete, do one of the following:
• Click Deploy to deploy the template instance to the device. The deployment verification popup
window appears. Go to Step 5.
• Click Stage to save the template instance without deploying it to the specified virtual context.
• Click Cancel to exit the configuration window without saving your changes.
Step 5 From the popup window, do one of the following:
• Click OK to deploy the template instance. The Deploy dialog box appears, which displays the list
of configuration attributes to be deployed. Go to Step 6.
• Click Cancel to exit this procedure without deploying the template instance.
Step 6 From the Deploy dialog box, do the following:
a. (Optional) Check the Create Named Checkpoint check box to create a checkpoint that ANM does
not delete after a successful deployment.
This check box works as follows:
– Unchecked—ANM creates a checkpoint that you can revert back to if the deployment of the
staged application template is unsuccessful. ANM assigns a random name to the checkpoint and
deletes the checkpoint after a successful deployment.
– Checked—ANM creates a checkpoint that you name and can revert back to at any time because
ANM does not delete it even after a successful deployment.
Note ACE virtual contexts have a limit of 10 checkpoints. If you attempt to exceed this limit,
ANM does not deploy the template instance.
b. Do one of the following:
– Click Deploy Now. The template instance is applied to the device running-configuration and
startup-configuration files. The Results window appears with the deployment status as follows:
- Deployment Successful
- Error in deploying template: error_details
– Click Cancel to cancel the deployment.
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Instances, page 4-3
• Creating an Application Template Instance, page 4-4
• Deploying a Staged Application Template Instance, page 4-7
• Duplicating an Application Template Instance, page 4-10
• Viewing and Editing Application Template Instance Details, page 4-12
• Deleting an Application Template Instance, page 4-13
Duplicating an Application Template Instance
You can duplicate an existing application template instance, which allows you to create a new template
instance based on the original one.
Procedure
Step 1 View the list of application template instances by doing one of the following:
• To display the template instances of all devices, display the global view by doing one of the
following:
– Choose Home and from the Configuration category, choose Application Template Instances.
– Choose Config > Global > Application Template Instances.
• To display only the application configurations associated with a specific device, choose Config >
Devices > context > Load Balancing > Application Template Instances.
The Application Template Instances window appears, displaying the information described in Table 4-1.
Step 2 From the Application Template Instances window, choose the template instance to duplicate and click
the Duplicate icon.
The Duplicate Application Config dialog box appears.
Step 3 In the dialog box, enter the prefix to use for the duplicate and click OK.
The dialog box closes and the Application Template Instances window appears, displaying the
configuration attributes of the original template instance.
Step 4 (Optional) From the Application Template Instances window, edit the variable attributes if needed.
For information about configuring the attributes, see Table 4-2.
Step 5 Do one of the following:
• Click Deploy to deploy the template instance to the device. The deployment verification popup
window appears. Go to Step 6.
• Click Stage to save the template instance without deploying it to the specified virtual context.
• Click Cancel to exit the configuration window without saving your changes.
Step 6 From the popup window, do one of the following:
• Click OK to deploy the template instance. The Deploy dialog box appears, which displays the list
of configuration attributes to be deployed. Go to Step 7.
• Click Cancel to exit this procedure without deploying the template instance.
Step 7 In the dialog box, do the following:
a. (Optional) Check the Create Named Checkpoint check box to create a checkpoint that ANM does
not delete after a successful deployment.
This check box works as follows:
– Unchecked—ANM creates a checkpoint that you can revert back to if the deployment of the
staged application template is unsuccessful. ANM assigns a random name to the checkpoint and
deletes the checkpoint after a successful deployment.
– Checked—ANM creates a checkpoint that you name and can revert back to at any time because
ANM does not delete it even after a successful deployment.
Note ACE virtual contexts have a limit of 10 checkpoints. If you attempt to exceed this limit,
ANM does not deploy the template instance.
b. Do one of the following:
– Click Deploy Now. The template instance is applied to the device running-configuration and
startup-configuration files. The Results window appears with the deployment status as follows:
- Deployment Successful
- Error in deploying template: error_details
– Click Cancel to cancel the deployment.
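The Deploy procedures in this section all share the same checkpoint rules, and the Guidelines at the start of the chapter add the RBAC gating of variable fields. The following Python model is an added example, not ANM or ACE code; it pulls those documented rules together (fields fillable only with the required task, Complete/Incomplete status from Table 4-1, editing only while Staged, Deploy needing ace_virtualcontext=create, the limit of 10 checkpoints per virtual context, a random-name checkpoint deleted after success while a named one is kept, and a deleted deployed instance restoring the prior configuration as the Deleting section of this chapter states). The placeholder template, the assignment of the chapter's prerequisite tasks to fields, and the class and method names are constructed for the example.

```python
"""Model of the Staged/Deployed template-instance lifecycle described in this chapter.

Added example, not ANM or ACE code. Which RBAC task guards which variable field,
the placeholder template, and the class names are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

CHECKPOINT_LIMIT = 10                   # per virtual context, from the Deploy dialog note
DEPLOY_TASK = "ace_virtualcontext=create"
Config = Dict[str, str]                 # stand-in for a running-configuration

# Constructed template: config-key template -> value template, with {placeholders}.
TEMPLATE = {"{app}/vip": "{vip}", "{app}/ssl-key": "{key}"}
# Constructed assignment of the chapter's prerequisite tasks to variable fields.
FIELD_TASKS = {"app": "ace_vip=modify", "vip": "ace_vip=modify", "key": "ace_ssl=modify"}


@dataclass
class VirtualContext:
    config: Config = field(default_factory=dict)
    checkpoints: Dict[str, Config] = field(default_factory=dict)

    def create_checkpoint(self, name: Optional[str] = None) -> Optional[str]:
        """Snapshot the config, or return None when the 10-checkpoint limit is reached."""
        if len(self.checkpoints) >= CHECKPOINT_LIMIT:
            return None
        name = name or "anm-" + secrets.token_hex(4)   # models ANM's random name
        self.checkpoints[name] = dict(self.config)
        return name

    def revert(self, name: str) -> None:
        self.config = dict(self.checkpoints[name])

    def apply(self, lines: Config) -> None:
        self.config.update(lines)


@dataclass
class TemplateInstance:
    name: str
    template: Dict[str, str] = field(default_factory=lambda: dict(TEMPLATE))
    field_tasks: Dict[str, str] = field(default_factory=lambda: dict(FIELD_TASKS))
    values: Dict[str, str] = field(default_factory=dict)
    instance_type: str = "Staged"         # Staged or Deployed (Table 4-1)
    rollback_point: Optional[str] = None  # checkpoint kept after a failed deployment
    before: Optional[Config] = None       # config prior to deployment, used by delete()

    def status(self) -> str:
        return "Complete" if set(self.field_tasks) <= set(self.values) else "Incomplete"

    def fill(self, user_tasks: Set[str], entries: Dict[str, str]) -> List[str]:
        """Store the entries the user's roles permit; return the fields refused."""
        if self.instance_type != "Staged":
            raise PermissionError("only a Staged template instance can be edited")
        refused = [f for f in entries if self.field_tasks[f] not in user_tasks]
        self.values.update({f: v for f, v in entries.items() if f not in refused})
        return refused

    def render(self) -> Config:
        """Variable replacement of the placeholders in the template definition."""
        return {k.format_map(self.values): v.format_map(self.values)
                for k, v in self.template.items()}

    def deploy(self, ctx: VirtualContext, user_tasks: Set[str],
               named_checkpoint: Optional[str] = None,
               push: Optional[Callable[[Config], None]] = None) -> str:
        """Deploy Now: checkpoint first, push the rendered config, then keep or drop the checkpoint."""
        if DEPLOY_TASK not in user_tasks:
            raise PermissionError("Deploy requires " + DEPLOY_TASK)
        if self.status() != "Complete":
            return "Incomplete: template instance cannot be deployed"
        cp = ctx.create_checkpoint(named_checkpoint)
        if cp is None:
            return "Checkpoint limit of %d reached: template instance not deployed" % CHECKPOINT_LIMIT
        self.before = dict(ctx.config)
        try:
            (push or ctx.apply)(self.render())
        except Exception as err:          # checkpoint is retained so the operator can revert
            self.rollback_point = cp
            return "Error in deploying template: %s" % err
        if named_checkpoint is None:
            del ctx.checkpoints[cp]       # unnamed checkpoint is deleted after success
        self.instance_type = "Deployed"
        return "Deployment Successful"

    def delete(self, ctx: VirtualContext) -> None:
        """Deleting a Deployed instance restores the configuration that preceded it."""
        if self.instance_type == "Deployed" and self.before is not None:
            ctx.config = dict(self.before)
```

A failed push leaves the checkpoint in place and records its name in rollback_point; reverting is left to the operator, which matches the page's description of the unnamed checkpoint being deleted only after a successful deployment.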
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Creating an Application Template Instance, page 4-4
• Deploying a Staged Application Template Instance, page 4-7
• Editing an Application Template Instance, page 4-9
• Viewing and Editing Application Template Instance Details, page 4-12
• Deleting an Application Template Instance, page 4-13
Viewing and Editing Application Template Instance Details
You can view the configuration details of an application template instance, such as the real servers and
server farms associated with the template instance. The view details feature also allows you to open the
configuration window of a specific attribute to make changes if needed.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• You can view the details of a deployed template instance but you cannot view the details of a staged
template instance.
• ANM tracks only application template instances that you create and deploy using ANM. It does not
discover template instances that may reside on an ACE. For example, if you use the CLI to configure
an ACE with a configuration that matches an installed application template configuration, you will
not see this configuration listed as a template instance in the ANM GUI (Config > Global >
Application Template Instances).
Procedure
Step 1 View the list of application template instances by doing one of the following:
• To display the template instances of all devices, display the global view by doing one of the
following:
– Choose Home and from the Configuration category, choose Application Template Instances.
– Choose Config > Global > Application Template Instances.
• To display only the application template instances associated with a specific device, choose Config
> Devices > context > Load Balancing > Application Template Instances.
The Application Template Instances window appears, displaying the information described in Table 4-1.
Step 2 From the Application Template Instances window, view the details of a configuration by choosing a
template instance name and clicking Details.
The Application Template Instance - Detail window appears, displaying details about the configuration
objects. The information that displays varies depending on the template instance and user input.
Configuration objects that can appear include the following:
• Virtual Servers
• Server Farms
• Real Servers
• Redirect Real Servers
• Sticky
• Probe
• SSL Proxy Service
• SSL Keys
• SSL Certificates
• SSL Auth Group Parameters
• SSL Chain Group Parameters
• SSL Parameter Maps
• HTTP Parameter Maps
• TCP Parameter Maps
• HTTP Header Modify Action Lists
4-13
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 4 Using Application Template Definitions
Managing Application Template Instances
Step 3 To view and edit one of the objects, click the Go To Config Page link.
The associated attribute window opens, such as the Virtual Server, Real Server, or Server Farm window,
where all the objects associated with the attribute display. For example, if you click the Go To Config
Page link associated with a real server, the Real Servers window appears, displaying the complete table
of real servers. You must locate the real server in the table to view its details and make changes to it if
needed.
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Instances, page 4-3
• Creating an Application Template Instance, page 4-4
• Deploying a Staged Application Template Instance, page 4-7
• Editing an Application Template Instance, page 4-9
• Duplicating an Application Template Instance, page 4-10
• Deleting an Application Template Instance, page 4-13
Deleting an Application Template Instance
You can delete an application template instance.
Guidelines and Restrictions
When you delete a deployed template instance, the virtual context configuration attributes that were
added or modified as a result of deploying the application configuration are changed back to what they
were before you deployed the template instance. If the virtual context was configured and operating
before you deployed the template instance, it reverts to operating with the previous configuration after
you delete the template instance.
Prerequisites
You must have a user account with the following RBAC task assigned to it: ace_virtualcontext=create.
Procedure
Step 1 View the list of application configurations by doing one of the following:
• To display the template instances of all devices, display the global view by doing one of the
following:
– Choose Home and from the Configuration category, choose Application Template Instances.
– Choose Config > Global > Application Template Instances.
• To display only the application template instances associated with a specific device, choose Config
> Devices > context > Load Balancing > Application Template Instances.
The Application Template Instances window appears, displaying the information described in Table 4-1.
Step 2 From the Application Template Instances window, choose the template instance to delete and click the
Delete icon.
ANM removes the template instance from the table. If the template instance was of the type Saved, no
virtual context operations are affected. If the template instance was of the type Deployed, the associated
virtual context operations are affected as described in “Guidelines and Restrictions” section on
page 4-13.
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Instances, page 4-3
• Creating an Application Template Instance, page 4-4
• Deploying a Staged Application Template Instance, page 4-7
• Editing an Application Template Instance, page 4-9
• Duplicating an Application Template Instance, page 4-10
• Viewing and Editing Application Template Instance Details, page 4-12
Managing Application Template Definitions
ANM maintains a table of the application template definitions, which you can view by choosing Config
> Global > Application Template Definitions. The Application Template Definitions window appears,
displaying the information described in Table 4-3.
From the Application Template Definitions window, you can create, edit, export, import, and test
application template definitions.
This section includes the following topics:
• Editing an Application Template Definition, page 4-15
• Creating an Application Template Definition, page 4-20
• Exporting an Application Template Definition, page 4-26
• Importing an Application Template Definition, page 4-26
• Testing an Application Template Definition, page 4-28
• Deleting an Application Template Definition, page 4-29
• Using the ANM Template Editor, page 4-29
Editing an Application Template Definition
You can edit the XML code of an application template definition file from within ANM using the
template editor that comes with ANM, or you can export the template definition file and edit it outside
of ANM using an XML editor or text editor such as WordPad.
To help you understand how a template can be edited to suit your particular requirements, this section
includes an example that involves editing the probe information in the Basic HTTP system template. In
the code editing example, the probe interval value is changed from a set value of 60 seconds to a variable
with a default of 60 seconds. This change allows you to configure the interval value when you use the
template to create an application template instance (see the “Creating an Application Template Instance”
section on page 4-4).
Table 4-3 Application Template Definitions Window Fields
Application Type—Template name.
Version—Template version.
Template Type—Template type: User-defined or System (Cisco defined).
Description—Template description that indicates the type of network application in which the
template configures the ACE.
Validity—Icons that indicate the validity of a template as follows:
• Check mark—Template conforms to the XML schema and can be deployed to an ACE.
• Error icon (!)—Template does not conform to the XML schema and cannot be deployed to an ACE.
Figure 4-1 highlights the XML code for the probe URI variable and its set interval value. The figure also
shows the GUI window that the code produces, including the variable field for inputting the relative
probe URI.
Figure 4-1 Basic HTTP Template: Probe with Set Interval Value
You can modify a template to fit your particular requirements. Figure 4-2 highlights the probe code that
was added or modified to produce a variable field in the GUI that allows you to set the probe interval if
you do not want to use the default value of 60 seconds.
Figure 4-2 Modified Basic HTTP Template: Probe with Variable Interval Setting
Table 4-4 describes the XML code and ANM GUI changes called out in Figure 4-2.
Table 4-4 Example XML Code and ANM GUI Changes
Item Description
Code Changes
1 Modified code that changes the template version number from 1 to 1.1.
2 New code that defines a probe interval variable (probe_interval) that has a default value of 60.
3 Modified code that changes the set probe interval value (60) to a variable ($probe_interval).
GUI Changes
4 Modified template identification bar that includes the new version number (1.1).
5 New user field that allows the user to specify a probe interval other than the default of 60.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• You can edit the template definition within ANM using the ANM template editor or you can export
the template file, edit the code using a text editor such as WordPad, and then import the modified
template file.
• When editing a system template file, in the XML code you must change the template type or version
number (or both).
• By default, templates that you created using the ANM template editor display as options when using
Application Setup in Guided Setup (see the “Using Application Setup” section on page 3-14). To
configure a template not to display in Application Setup, either change the following code in the
template root element from true to false or remove this piece of code from the root element:
showsInGuidedSetup="false"
This section includes the following topics:
• Editing an Application Template Definition Using the ANM Template Editor, page 4-18
• Editing an Application Template Definition Using an External Editor, page 4-19
Editing an Application Template Definition Using the ANM Template Editor
You can use the template editor that comes with ANM to modify an application template definition from
within ANM.
Procedure
Step 1 Choose Config > Global > Application Template Definitions.
The Application Template Definitions window appears, displaying the information described in
Table 4-3.
Step 2 From the Application Template Definitions window, choose the template to edit and click the Edit icon.
The template editor window appears, displaying the template code.
Step 3 Edit the code as needed.
For information about using the ANM template editor to make your edits, see the “Using the ANM
Template Editor” section on page 4-29.
Step 4 When your edits are complete, do one of the following:
• Click Validate to have ANM validate the application template definition file, which means that
ANM checks to see that it is a well-formed XML document that follows the rules defined by the
ANM Template XML schema. ANM highlights any errors in the code.
• Click Save to save your changes using the same filename. This button is not available when you edit
a system template (you must use the Save As option).
• Click Save As to open the Save As New Template Definition popup window and save your changes
under a new application type or version. The popup window text fields are populated with the
attributes of the original file opened with the exception of the Version field, which ANM increments
by one. If the version is not a number, the “-next” suffix is added to the version. From the popup
window, modify the file attributes if needed and click Save.
Note When using the Save As feature, ANM does not allow you to save a template using the same
application type and version number as the original template file. You must change either
the application type or the version number.
• Click Exit to exit the template editor and return to the Application Template Definitions window.
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Editing an Application Template Instance, page 4-9
• Managing Application Template Definitions, page 4-15
• Editing an Application Template Definition Using an External Editor, page 4-19
• Testing an Application Template Definition, page 4-28
• Deleting an Application Template Definition, page 4-29
• Using the ANM Template Editor, page 4-29
Editing an Application Template Definition Using an External Editor
You can export an application template definition file, modify it using a text editor, and then import it
back into ANM.
Prerequisites
You must have a text editor (minimum) such as WordPad or an XML editor (preferred).
Procedure
Step 1 Choose Config > Global > Application Template Definitions and export the template to edit from the
list of available templates.
For details, see the “Exporting an Application Template Definition” section on page 4-26.
Step 2 Using a text editor such as WordPad, open the template XML file that you exported in Step 1.
Step 3 Modify the template identification by doing one or both of the following in the header code:
• Assign a new value to the applicationType attribute.
• Change the version number attribute.
In the example (see Figure 4-2), the template version number is changed from 1 to 1.1.
version="1.1"
Note When you change the template name or version number and import the template, ANM displays
the template as a new line item in the Application Template Definitions window even if you save
the file under the same name (see Step 5).
Step 4 Modify the operation of the template as needed.
In the example (see Figure 4-2), the following changes are made:
• The template version number is changed from 1 to 1.1.
version="1.1"
• The input variable name probe_interval is added and defined as having a default value of 60
(seconds).
• The slb code for the probe interval is changed from the set value of 60 to the {$probe_interval}
variable.
– To hide a variable array in Basic view, add the advanced attribute to the variable array as
follows:
Note ANM does not display the drop-down list for Basic and Advanced viewing options when
the advanced attribute is not used in the XML code.
Procedure
Step 1 Choose Config > Global > Application Template Definitions.
The Application Template Definitions window appears, displaying the list of existing templates.
Step 2 Click Add (+) to begin creating a new template.
The Create New Template Definition dialog box appears.
Step 3 From the dialog box, do the following:
a. In the Application Type field, enter a brief description of the intended application.
b. In the Version field, enter the template version number. By default, this field is set to 1.0.
c. In the Description field, describe the intended use of the template.
d. Check the Load Balance check box if the configuration is to perform load balancing (it is checked
by default).
If you uncheck the check box, go to Step e.
If you check the check box, do the following:
– From the vserver type drop-down list, choose the virtual server type: http, dns, ftp, rdp,
terminated-https, or other.
– Check the Sticky check box to enable sticky (it is unchecked by default).
If you check the check box, choose one of the following from the sticky type drop-down list:
ip-sticky, http-cookie-sticky, or http-header-sticky.
– Check the SSL check box to include in the template a configuration block with an SSL
termination proxy (it is unchecked by default).
e. Do one of the following:
– Click Go to Editor to open the template editor and the template base code, which is configured
with the information that you provided. Go to Step 4.
– Click Cancel to return to the Application Template Definitions window.
Step 4 Edit the code as needed.
For information about using the ANM template editor to make your edits, see the “Using the ANM
Template Editor” section on page 4-29.
Step 5 (Optional) Tag specific variable fields or variable arrays with the advanced attribute, which enables the
Basic/Advanced display feature when creating a template instance that uses this application template
definition.
When creating an application template instance, the Basic/Advanced display feature allows the user to
set the view to Basic, which displays only the variable fields that require their input. For more
information about configuring this feature, see the “Guidelines and Restrictions” section on page 4-21.
Step 6 When your edits are complete, do one of the following:
• Click Validate to have ANM validate the application template definition file, which means that
ANM checks to see that it is a well-formed XML document that follows the rules defined by the
ANM Template XML schema. ANM highlights any errors in the code.
• Click Save to save your changes.
Related Topics
• Managing Application Template Definitions, page 4-15
• Editing an Application Template Definition, page 4-15
• Creating an Application Template Definition, page 4-20
• Using the ANM Template Editor, page 4-29
• Testing an Application Template Definition, page 4-28
• Deleting an Application Template Definition, page 4-29
• Creating an Application Template Instance, page 4-4
Creating an Application Template Definition Using an External XML Editor
You can create a basic ACE application template definition using an external XML editor rather than the
template editor that comes with ANM. The procedure shows how to create a base XML file on which to
build your template and then use the free form XML tag to encapsulate ACE CLI commands that you
copy from a known working configuration and paste into the template. The example template that you
create during the procedure initializes a virtual context by doing the following:
• Specify a variable message of the day (MOTD) field.
• Enable logging.
• Specify a number of SNMP attributes, some of which are variables.
Guidelines and Restrictions
The ability to create a complex template requires a knowledge of XML programming and the ACE CLI
and is beyond the scope of this guide. For information about creating complex templates for configuring
your ACEs, go to the Cisco Developer Network (CDN) site at the following URL:
http://developer.cisco.com/web/anm/application-templates
Prerequisites
This topic has the following requirements:
• Basic knowledge of XML programming and the ACE CLI.
• Text editor (minimum), such as WordPad, or an XML editor (preferred).
• The application template definition XML schema. You can obtain a copy of this file from the CDN
site at the following URL:
http://developer.cisco.com/web/anm/docs
From this site, use the schemas hyperlink located under the “Application Template Schemas”
heading to download the XML schema.
• Access to an ACE CLI and the output of the show running config command from which you copy
the commands that you need and paste them into the template.
Procedure
Step 1 From the ACE CLI, enter the show running config command.
Step 2 Create a folder in which to work while creating a template and place the application template definition
XML schema file in it.
Step 3 Using a text editor or XML editor, create an XML template file, save it to your work folder, and copy in
the following base code:
Step 4 Do the following (shown in bold text in the example):
a. Assign values to the application type and provide a brief description.
b. Within the input tags, add the required variable tags.
c. Within the free form tags, paste the required ACE CLI commands that you copy from the show
running config command output.
In the following example, the modified code is shown in bold text:
banner motd #{$motd}#
logging host {$syslog}
logging enable
snmp-server host {$traphost} traps {$community}
snmp-server enable traps
d. (Optional) Tag specific variable fields or variable arrays with the advanced attribute, which enables
the Basic/Advanced display feature when creating a template instance that uses this application
template definition.
When creating an application template instance, the Basic/Advanced display feature allows the user
to set the view to Basic, which displays only the variable fields that require their input. For more
information about configuring this feature, see the “Guidelines and Restrictions” section on
page 4-21.
e. To configure a template not to display in Application Setup, change the following code in the
template root element from true to false:
showsInGuidedSetup=”false”
By default, templates that you create using the base code in Step 3 display as options when using
Application Setup in Guided Setup (see the “Using Application Setup” section on page 3-14).
Step 5 Save the template file as an .xml file.
Step 6 (Optional) Do the following:
a. Import the template into ANM (see the “Importing an Application Template Definition” section on
page 4-26).
b. From ANM, test the template (see the “Testing an Application Template Definition” section on
page 4-28).
c. From ANM, create an application template instance using the new template and deploy it (see the
“Creating an Application Template Instance” section on page 4-4).
Related Topics
• Managing Application Template Definitions, page 4-15
• Editing an Application Template Definition, page 4-15
• Creating an Application Template Definition, page 4-20
• Exporting an Application Template Definition, page 4-26
• Importing an Application Template Definition, page 4-26
• Testing an Application Template Definition, page 4-28
• Deleting an Application Template Definition, page 4-29
• Creating an Application Template Instance, page 4-4
Exporting an Application Template Definition
You can export an application template definition for editing or to create a backup that you can import
into another ANM server.
Procedure
Step 1 Choose Config > Global > Application Template Definitions.
The Application Template Definitions window appears, displaying the information described in
Table 4-3.
Step 2 From the Application Template Definitions window, choose the template to export and click Export.
The File Download dialog box opens.
Step 3 From the File Download dialog box, click Save.
The Save As dialog box window appears.
Step 4 From the Save As dialog box, navigate to where you want to save the template definitions file.
Rename the file if you want.
Step 5 Click Save.
The template definitions file is saved to the specified location.
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Definitions, page 4-15
• Editing an Application Template Definition, page 4-15
• Creating an Application Template Definition, page 4-20
• Importing an Application Template Definition, page 4-26
• Testing an Application Template Definition, page 4-28
• Deleting an Application Template Definition, page 4-29
Importing an Application Template Definition
You can import an application template definition. The import process checks the file to ensure that the
XML conforms to the application template schema, using valid tags and attributes.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• ANM allows you to import files that do not conform to the XML schema and does the following:
– Issues an error message when importing the file that indicates the detected issues.
– Places an error icon in the Validity column of the template listing in the Application Template
Definitions window (Config > Global > Application Template Definitions).
This feature allows you to import a template file that is not complete and that you may want to edit
further using the ANM template editor (see the “Editing an Application Template Definition Using
the ANM Template Editor” section on page 4-18).
• The import process does not check the file to ensure that the ACE configuration attributes are
structured correctly. To test the ACE configuration attributes, use the template test feature (see the
“Testing an Application Template Definition” section on page 4-28).
• You can import application template definitions that you created for use with ANM 5.1, which used
an earlier version of the XML schema. When you import the template, ANM modifies the template
root element as required by the current version of the XML schema. This modification does not
affect the ACE configuration.
Procedure
Step 1 Choose Config > Global > Application Template Definitions.
The Application Template Definitions window appears, displaying the information described in
Table 4-3.
Step 2 From the Application Template Definitions window, click Import.
The Select a Template Definition File to Upload dialog box appears.
Step 3 In the dialog box, click Browse to navigate to and choose the template file to upload.
Step 4 Click Upload.
The upload status box appears and displays one of the following messages:
• “Template is imported”—The template definition conforms to the XML schema. Click OK to close
the popup window and complete the upload process.
• “Template is not imported because its XML structure is not valid”—ANM detected that the file does
not contain properly structured XML code and cannot import the file.
• “Template is not imported because upload error was found”—A system or network error has
occurred that prevented the upload. This message is not an indication that a problem exists with the
template.
• “Template is imported, but the following errors were found”—The template contains properly
structured XML code; however, the code does not conform to the XML schema. The message
includes the errors found in the code.
ANM displays the template in the Application Template Definitions window.
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Definitions, page 4-15
• Editing an Application Template Definition, page 4-15
• Creating an Application Template Definition, page 4-20
• Exporting an Application Template Definition, page 4-26
• Testing an Application Template Definition, page 4-28
• Deleting an Application Template Definition, page 4-29
Testing an Application Template Definition
You can test an application template definition. The test performs the following tasks:
• Displays the application configuration window to verify that the variable information the user is
expected to fill in displays correctly.
• Performs a test deployment and displays the configuration attributes that will be deployed for a live
application configuration deployment. If there is a problem with the template definition, an error
message displays that indicates what the problem is with the source code.
Note The test deployment is done locally on ANM only. No commands are sent to an ACE.
Procedure
Step 1 Choose Config > Global > Application Template Definitions.
The Application Template Definitions window appears, displaying the information described in
Table 4-3.
Step 2 From the Application Template Definitions window, choose a template to test and click Test.
The Application Configuration window appears.
Step 3 From the Application Configuration window, enter the required variable information and click Test
Deploy.
The Test popup window appears, displaying the application configuration attributes that the template
generates.
Note If the template contains a boolean statement that allows you to choose one of two values, be sure
to test both values. For example, if the template includes the Secure Backend Servers checkbox
option, test the template with the check box checked (enabled) and unchecked (disabled).
Step 4 Click Cancel to close the Test popup window and return to the Application Template Definitions
window.
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Definitions, page 4-15
• Editing an Application Template Definition, page 4-15
• Creating an Application Template Definition, page 4-20
• Exporting an Application Template Definition, page 4-26
• Importing an Application Template Definition, page 4-26
• Deleting an Application Template Definition, page 4-29
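The external-editor procedures above (changing the version attribute, declaring an input variable with a default, and substituting {$variable} references into free form ACE CLI text) and the local Test Deploy described in this section can be modelled in a few lines of code. The following Python script is an added example, not ANM code and not the ANM template schema, which this guide does not reproduce; the element names (template, input, variable, freeform), the attribute names default and advanced, the sample addresses, and the per-variable value rules are all assumptions made for the example. It parses a constructed template, reports {$name} references that have no declared variable, lists the fields a Basic view would show, checks each value before it is substituted into a CLI line (a value with a line break would become an extra command, and a motd value containing the banner delimiter would end the banner early), and renders the CLI locally without sending anything to an ACE.

```python
# Added example: an ANM-style template renderer for local test deployment.
# Not ANM code; element/attribute names and value rules are assumptions.
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample template modelled on the MOTD/logging/SNMP example in
# the guide. Element names, defaults and addresses are assumptions.
SAMPLE_TEMPLATE = """<?xml version="1.0"?>
<template applicationType="Context Init" version="1.1" showsInGuidedSetup="false">
  <description>Initialize a virtual context: MOTD, logging, SNMP</description>
  <input>
    <variable name="motd" default="Authorized use only"/>
    <variable name="syslog" default="192.0.2.10"/>
    <variable name="traphost" default="192.0.2.20" advanced="true"/>
    <variable name="community" default="public" advanced="true"/>
  </input>
  <freeform>
banner motd #{$motd}#
logging host {$syslog}
logging enable
snmp-server host {$traphost} traps {$community}
snmp-server enable traps
  </freeform>
</template>
"""

# A variable reference as written in the guide's examples: {$name}
VAR_REF = re.compile(r"\{\$([A-Za-z_][A-Za-z0-9_]*)\}")


def is_well_formed(xml_text):
    """First part of a Validate check: is the file well-formed XML at all?"""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parse_template(xml_text):
    """Return (root attributes, declared variables, free-form CLI body)."""
    root = ET.fromstring(xml_text)
    variables = {}
    for var in root.iter("variable"):
        variables[var.get("name")] = {
            "default": var.get("default", ""),
            "advanced": var.get("advanced", "false").lower() == "true",
        }
    body = "\n".join((ff.text or "").strip() for ff in root.iter("freeform"))
    return dict(root.attrib), variables, body


def basic_view_fields(variables):
    """Fields a Basic view shows: every variable not tagged advanced."""
    return [name for name, v in variables.items() if not v["advanced"]]


def undeclared_references(variables, body):
    """{$name} references in the body that have no matching <variable>."""
    return sorted({m for m in VAR_REF.findall(body) if m not in variables})


def check_value(name, value):
    """Return None if the value may be substituted, else the reason it may not.

    The value is placed verbatim inside one CLI line, so it must stay on a
    single line and must not contain the delimiter of the command it sits in.
    The per-variable rules below are this example's assumptions.
    """
    if "\n" in value or "\r" in value:
        return f"{name}: must be a single line (a line break would add a CLI command)"
    if name in ("syslog", "traphost"):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return f"{name}: {value!r} is not an IP address"
    if name == "motd" and "#" in value:
        return "motd: must not contain the '#' delimiter used by banner motd"
    return None


def render(xml_text, user_values):
    """Local test deployment: return the CLI text the template generates.

    Nothing is sent to a device. Defaults fill in any variable the user did
    not supply. Raises ValueError on undeclared references or bad values.
    """
    _attrs, variables, body = parse_template(xml_text)
    missing = undeclared_references(variables, body)
    if missing:
        raise ValueError(f"undeclared variables referenced: {missing}")
    values = {name: v["default"] for name, v in variables.items()}
    values.update(user_values)
    problems = [r for r in (check_value(n, v) for n, v in values.items()) if r]
    if problems:
        raise ValueError("; ".join(problems))
    return VAR_REF.sub(lambda m: values[m.group(1)], body)


if __name__ == "__main__":
    print(render(SAMPLE_TEMPLATE, {"syslog": "198.51.100.5"}))
```

The value checks run before substitution rather than after, so a rejected instance never produces CLI text at all; in practice the rule set would be driven by a per-variable type declared in the template, which this example hard-codes by name.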
Deleting an Application Template Definition
You can delete a user-defined application template definition.
Guidelines and Restrictions
You cannot delete a system template.
Caution When you delete an application template definition and you have staged application template instances
that were created using the template, you cannot edit or deploy the template instances.
Procedure
Step 1 Choose Config > Global > Application Template Definitions.
The Application Template Definitions window appears, displaying the information described in
Table 4-3.
Step 2 From the Application Template Definitions window, choose a user-defined template to delete and click
the Delete icon.
The Delete Verification popup window appears.
Step 3 From the popup window, do one of the following:
• Click OK to delete the template.
• Click Cancel to ignore the template delete request.
Related Topics
• Information About Application Template Definitions and Instances, page 4-1
• Managing Application Template Definitions, page 4-15
• Editing an Application Template Definition, page 4-15
• Creating an Application Template Definition, page 4-20
• Importing an Application Template Definition, page 4-26
• Exporting an Application Template Definition, page 4-26
• Testing an Application Template Definition, page 4-28
Using the ANM Template Editor
ANM includes a template editor that you can use to create or edit application template definitions from
within the ANM GUI. This section describes the editor components and how to use them.
You access the ANM template editor by doing one of the following:
• Create a new template (see the “Creating an Application Template Definition Using the ANM
Template Editor” section on page 4-21).
• Edit an existing template (see the “Editing an Application Template Definition Using the ANM
Template Editor” section on page 4-18).
Figure 4-3 shows a sample view of the ANM template editor. The sample code includes invalid code in
line 6 to show how the editor highlights problem code.
Figure 4-3 ANM Template Editor Components
Table 4-5 describes the editor GUI components called out in Figure 4-3.
Table 4-5 ANM Template Editor Component Descriptions
Item Description
1 Template Identifier
Template type and version number. ANM displays an asterisk (*) next to the template type to indicate that a change
to the template has been made but not saved.
2 Tool Bar
Editing tools that work as follows:
• Undo button—With each click, undoes the changes that you made but did not save, beginning with the most recent
change made.
• Redo button—With each click, redoes the changes reversed by the Undo button, beginning with the most recent
undo operation.
• Fix Indentation button—Corrects any indentation errors in the code.
• Wrap with:
– If button—Wraps the code that you highlight with the “if” opening and closing tags to create an if block.
– For button—Wraps the code that you highlight with the “foreach” opening and closing tags to create a foreach
block.
If you do not highlight the code to wrap, ANM places the If or For block at the location of the cursor.
• Toggle Comments button—Makes the code that you highlighted a comment. You can use this feature to add
description comments to sections of the code. You can also tag incomplete code as a comment until you are ready
to complete it. At that time, you would highlight the commented code and click Toggle Comments again.
• Search text box—String to locate in the code. The template editor highlights all instances of the string. Use the
following associated tools:
– Up button—Moves to the next instance of the search string above the currently highlighted instance.
– Down button—Moves to the next instance of the search string below the currently highlighted instance.
• Replace text box—String that is to replace the search string as follows:
– Replace button—Replaces only the currently highlighted occurrence of the search string.
– Replace All button—Replaces all occurrences of the search string.
3 Work Area
Area where the code is displayed and modified. The work area includes the following editing tools:
• Code folding—Allows you to expand or collapse sections of code as follows:
– Collapse icon (shown in the margin of the work area)—Collapses a code group.
– Expand icon—Expands a code group.
ANM hides these icons and expands the code when an error exists.
• Code auto complete—ANM completes the code tag being entered or displays a list of possible options that match
what has been entered so far. This feature works for a predefined set of elements only and is not available with
every element type.
To use this feature, begin entering the start-tag and then press Ctrl + Space. Enter at least one character after the
open character (<) before pressing Ctrl + Space.
4 Error and Warning Indicators
Icons that appear when the code does not conform to the XML schema, as follows:
• Warning indicator—An error exists; however, the error will not prevent deployment of the template.
• Error indicator—An error exists that will prevent deployment of the template.
For details about the indicated error, see the Error Description Pane located at the bottom of the window or hover over
the icon to open the popup error message display.
5 Error Description Pane
Descriptions of the detected errors in the code, which are also highlighted with Error and Warning Indicators. Because
the error description text does not wrap, it can extend beyond the display. To view the entire description, hover over
the message to open the popup error message display.
Displayed errors remain in this pane until you fix the issue and validate the fix by clicking Validate.
6 Function Buttons
Buttons that work as follows:
• Validate—ANM validates the application template definition file, which means that ANM checks to see that it is
a well-formed XML document that follows the rules defined by the ANM Template XML schema. When ANM
detects errors in the code, it highlights the errors with Error and Warning Indicators and displays the Error
Description Pane. If you correct the code and click Validate again, ANM removes the error indicators and closes
the error description pane if no other errors exist.
• Save—Saves your changes using the same filename.
Note the following when using this button:
– If any errors exist in the code, ANM displays a verification popup window, asking you to verify that you want
to save the information regardless of the detected errors.
– If the code is not properly structured, ANM displays an error message stating that the template cannot be
saved because the XML structure is not valid. For example, if you enter a tag and do not close it, this error
occurs. You must correct the code error before ANM allows you to save the template.
– The Save button is not available when editing a system template, which requires that you use the Save As
button.
• Save As—Saves the file to a different filename. This option opens the Save As New Template Definition popup
window to save your changes under a new application type name or version. From the popup window, modify the
file attributes if needed and click Save.
Note the following when using this button:
– ANM populates the popup window text fields with the attributes of the original file opened with the exception
of the Version field, which ANM increments by one. If the version is not a number, ANM adds the “-next”
suffix to the version.
– ANM does not allow you to save a template using the same application type and version number as the
original template file. You must change either the application type or version number (or both).
• Exit—Exits the editor without saving your changes.
Chapter 5 Importing and Managing Devices
Date: 3/28/12
This chapter describes how to import and manage Cisco Application Networking Manager (ANM)
devices. You can import the following Cisco devices to ANM:
• Application Control Engine (ACE) module or appliance
• Global Site Selector (GSS)
• Content Services Switch (CSS)
• Catalyst 6500 Virtual Switching System (VSS) 1440
• Catalyst 6500 series switch
• Cisco 7600 series router
• Cisco Content Switching Module (CSM)
• Cisco Content Switching Module with SSL (CSM-S)
• VMware vCenter Server
Note The terms add and import are interchangeable in this document.
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Information About Device Management, page 5-2
• Information About Importing Devices, page 5-4
• Preparing Devices for Import, page 5-4
• Modifying the ANM Timeout Setting to Compensate for Network Latency, page 5-9
• Importing Network Devices into ANM, page 5-10
• Discovering Large Numbers of Devices Using IP Discovery, page 5-27
• Configuring Devices, page 5-34
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
• Managing Devices, page 5-66
• Replacing an ACE Module Managed by ANM, page 5-82
Information About Device Management
ANM includes many device management features. You can import devices and then configure them for
use in your network. In addition to configuring ports, VLANs, and routes, you can modify device
configurations, and manage them.
Table 5-1 identifies common management categories and related topics.
Table 5-1 Device Management Options
Device Management Activities Related Topics
Importing devices • Information About Importing Devices, page 5-4
• Preparing Devices for Import, page 5-4
• Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and
Cisco 7600 Series Routers, page 5-5
• Modifying the ANM Timeout Setting to Compensate for Network Latency,
page 5-9
• Importing Network Devices into ANM, page 5-10
• Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11
• Importing ACE Appliances, page 5-21
• Importing CSS Devices, page 5-22
• Importing GSS Devices, page 5-23
• Importing VMware vCenter Servers, page 5-24
• Discovering Large Numbers of Devices Using IP Discovery, page 5-27
Configuring device attributes • Configuring Devices, page 5-34
• Configuring CSM Primary Attributes, page 5-34
• Configuring CSS Primary Attributes, page 5-35
• Configuring GSS Primary Attributes, page 5-36
• Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router
Primary Attributes, page 5-38
• Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching
System 1440 Devices, and Cisco 7600 Series Routers Static Routes,
page 5-39
• Configuring VMware vCenter Server Primary Attributes, page 5-41
• Displaying Chassis Interfaces and Configuring High-Level Interface
Attributes, page 5-42
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs,
page 5-48
• Creating VLAN Groups, page 5-52
Configuring device role-based access
control (RBAC)
• Configuring Device RBAC Users, page 5-53
• Configuring Device RBAC Roles, page 5-56
• Configuring Device RBAC Domains, page 5-61
Managing devices • Synchronizing Device Configurations, page 5-66
• Mapping Real Servers to VMware Virtual Machines, page 5-68
• Instructing ANM to Recognize an ACE Module Software Upgrade, page 5-71
• Configuring User-Defined Groups, page 5-72
• Changing Device Credentials, page 5-75
• Changing ACE Module Passwords, page 5-77
• Restarting Device Polling, page 5-78
• Displaying All Devices, page 5-78
• Displaying Modules by Chassis, page 5-79
• Removing Modules from the ANM Database, page 5-80
Information About Importing Devices
The quickest and easiest way to add devices to ANM is to import them individually using the Add
function available at Config > Devices. If you already know the device IP address, you can use this
procedure to add your devices to ANM.
Before you begin importing, you need to set up your network devices so that ANM can communicate
and monitor them.
In the sections that follow, you will perform the following steps to prepare and import devices:
1. Enable SSH access (see the “Preparing Devices for Import” section on page 5-4).
2. Modify the ANM timeout setting (see the “Modifying the ANM Timeout Setting to Compensate
for Network Latency” section on page 5-9).
Note This step is required only when network latency is causing a timeout issue that prevents
ANM from establishing a communication link with the device to be imported.
3. Import devices (see the “Importing Network Devices into ANM” section on page 5-10).
To add large numbers of devices, you can use IP Discovery before you import your devices. This process
is not as efficient as using the Add function. IP Discovery shows where devices are but does not add the
devices to ANM. We recommend that you use the Config > Devices > Device Management > Add
function. For details on IP Discovery, see the “Discovering Large Numbers of Devices Using IP
Discovery” section on page 5-27.
Note Before importing a device, the ANM server pings the IP address of the device. If you have a firewall
between the ANM server and the device that you want to import, your network administrator needs to
modify the firewall to allow the ping traffic to reach the device or ACE.
Preparing Devices for Import
This section describes how to set up your devices to allow ANM to communicate with them and also
describes the requirements for adding ACE devices that are high availability peers.
ANM uses the following protocols for communication:
• For communication to an ACE module or appliance:
– XML over HTTPS
– SSHv2 (read and write)
– SNMP V2C (read-only)
– Syslog over User Datagram Protocol (UDP) (inbound notifications only)
• For communication to the Catalyst 6500 Virtual Switching System (VSS) 1440:
– SSHv2 and Telnet (read and write)
– SNMP V2C (read-only)
– Syslog over UDP (inbound notifications only)
• For communication to a Catalyst 6500 series switch, Cisco 7600 series router, CSM, or CSM-S:
– SSHv2 and Telnet (read and write)
– SNMP V2C (read-only)
– Syslog over UDP (inbound notifications only)
• For communication to the CSS:
– Telnet (read and write)
– SNMP V2C (read-only)
– Syslog over UDP (inbound notifications only)
• For communication to the GSS:
– SSHv2
– Remote Method Invocation (RMI) over SSL
Note Before you import a GSS device into ANM, you need to set the GSS communication on the
GSS Ethernet interface that will be used to import the GSS into ANM. See the Cisco Global
Site Selector Command Reference on Cisco.com for instructions on using the
gss-communications command.
• For communication to a VMware vCenter Server, HTTPS is used.
Note For more information about communication between ANM and a VMware vCenter Server,
see the “Prerequisites for Using ANM With VMware vSphere Client” section on page B-4
and “Guidelines and Restrictions” section on page B-5.
This section includes the following topics:
• Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers,
page 5-5
• Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance, page 5-6
• Enabling SNMP Polling from ANM, page 5-7
• ANM Requirements for ACE High Availability, page 5-8
Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and
Cisco 7600 Series Routers
You can choose to use Telnet or SSH to import a Catalyst 6500 series switch or Cisco 7600 series router
in ANM. Telnet is enabled by default on the Catalyst 6500 series chassis. If you have disabled Telnet on
the device, you need to enable it to perform the initial setup and import of an ACE module. If you plan
to directly import an ACE module into ANM, Telnet is not mandatory on a Catalyst 6500 series switch.
Note If you choose Telnet, the Use Telnet checkbox will be checked in the Primary Attributes window (see
the “Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes” section
on page 5-38).
If you use SSH to communicate with the device, you must do the following:
• SSHv2 must be enabled on the chassis, as well as the ACE, in order for ANM to add device
information about the chassis.
• Ensure that the chassis has a K9 (Triple Data Encryption Standard [3DES]) software image in order
to enable the SSH server. The ANM requires SSHv2 to be enabled on the chassis.
To enable SSH or Telnet access on Catalyst 6500 series switches or Cisco 7600 series routers, use the
following commands:
Command Purpose
Step 1 ip ssh version 2 Enables SSHv2.
Step 2 ip domain-name abc.com Configures the domain name that RSA key generation requires (abc.com is an
example).
Step 3 crypto key generate rsa general-keys modulus 1024 Generates the RSA key pair for the SSH server.
Step 4 username username password password Creates the local account that ANM uses to log in.
Step 5 line vty 0 4 Enters line configuration mode for the VTY lines.
Step 6 session-timeout 60 Sets the idle session timeout.
Step 7 login local Authenticates VTY logins against the local user database. This is an example only. This
command works for Cisco IOS 12.2.18SXF(10), but not for 12.2.18SXF(8).
Step 8 transport input telnet ssh Allows SSH and Telnet to the chassis.
Step 9 transport output telnet ssh Allows SSH and Telnet from the chassis to the ACE module.
Note Telnet carries credentials in cleartext. If you import the ACE module directly and therefore do not
need Telnet on the chassis (see the start of this section), use transport input ssh instead of
transport input telnet ssh.
Enabling SSH Access and the HTTPS Interface on the ACE Module and
Appliance
You can enable SSH access and the HTTPS interface on the ACE modules and appliances. ANM uses
SSH and XML over HTTPS to communicate with the ACE devices. You need to enable both SSH access
and HTTPS as explained in this section. These settings can be enabled during device import as described
in the “Importing Network Devices into ANM” section on page 5-10 or in the CLI.
Note If the ACE module or appliance is new and still has its factory settings, you do not need to perform the
procedure in this section because SSH is enabled by default.
Note Ensure that the management policy applied on the management interface permits SSH.
To enable SSH access and the HTTPS interface on an ACE module or appliance, enter the following
commands in config mode in the Admin context:
Command Purpose
Step 1 ssh key rsa 1024 force Generates the RSA key for the ACE SSH server, which configures SSH access
on the ACE.
Step 2 access-list acl line 10 extended permit ip any any Creates the ACL that Step 5 applies to the
management interface. The permit ip any any entry is an example only; in production, restrict the
ACL to the address of the ANM server.
Step 3 class-map type management match-any ANM_management
2 match protocol ssh any
3 match protocol telnet any
4 match protocol https any
5 match protocol snmp any
6 match protocol icmp any
7 match protocol xml-https
Configures the management class map that ANM discovery uses. The following comments apply to the
line numbers shown before each match command:
• Line 2 classifies the SSH traffic.
• Line 3 permits Telnet. ANM does not use Telnet to reach an ACE (it uses SSHv2 and HTTPS), so
omit this line unless you need Telnet for other management access.
• Line 4 is needed by ANM for making configuration changes on the ACE.
• Line 5 is needed by ANM for periodic statistics.
• Line 6 is not mandatory but useful for network and route validation.
• Line 7 is needed only for ACE 4710 devices.
Step 4 policy-map type management first-match ANM_management
class ANM_management
permit
Allows the protocols matched in the management class map.
Step 5 interface vlan 30
ip address 192.168.65.131 255.255.255.0
access-group input acl
service-policy input ANM_management
no shutdown
Configures a management interface with the ACL and specifies the management service policy. This
configuration is not recommended for a client or server interface.
Step 6 username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain
Creates the Admin-role account that ANM logs in with. The account name and password (shown here
as a type 5 hash) are defined by the administrator.
Step 7 ip route 0.0.0.0 0.0.0.0 192.168.0.1 Specifies the default route (or appropriate route) for
traffic to reach ANM using the management interface if ANM is not on the same subnet.
For more information about configuring SSH access on the ACE, see either the Cisco Application
Control Engine Module Administration Guide or the Cisco 4700 Series Appliance Administration Guide
on Cisco.com.
Enabling SNMP Polling from ANM
You can enable SNMP polling from ANM, which uses SNMPv2 for polling ACE, CSS, CSM, or CSM-S
devices. To receive traps from these devices, ANM supports use of SNMPv2 traps.
Note To send SNMP traps to ANM, configure the SNMP trap host on the device to be the ANM server address
so that ANM can receive the traps that the device sends.
For alarm condition notifications, ANM uses SNMPv1 EPM-Notification-MIB based SNMP traps.
For the ACE, in order for ANM to successfully perform SNMP polling, you must configure the ACE
Admin context with a management IP with a suitable management policy that permits SNMP traffic. All
other contexts can be polled using this Admin context management IP.
For each device type (ACE, CSS, CSM, or CSM-S), see the corresponding configuration guide to
configure the device to permit SNMP traffic.
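As an added example, not code from the ANM user guide or from any Cisco tool, the following Python script parses an ACE Admin-context configuration excerpt in the form that Steps 2 to 5 above produce and reports, for each interface that carries a management service policy, which of the protocols ANM needs (SSH, HTTPS, SNMP, plus XML over HTTPS on an ACE 4710) are permitted, which are missing, and whether the ACL or a Telnet match widens exposure beyond what ANM requires. The sample configuration is constructed from the steps on this page; the function names, the warning texts and the assumption that an ACE interface is shut down until no shutdown is applied are this example's own.

```python
"""Added example, not from the ANM user guide or from Cisco: check that an ACE
Admin-context configuration exposes the management protocols ANM needs.

Protocol requirements follow the guide: ssh, https and snmp on every ACE,
xml-https only on ACE 4710 appliances, icmp optional. The input is a
constructed running-config excerpt in the form of Steps 2 to 5 on this page.
The Telnet and ACL-width warnings are this example's own checks.
"""
import re
from dataclasses import dataclass, field

REQUIRED_COMMON = {"ssh", "https", "snmp"}   # needed on every ACE module/appliance
REQUIRED_4710 = {"xml-https"}                # needed only on ACE 4710 appliances
OPTIONAL = {"icmp"}                          # reachability checks only

# Constructed sample: the Admin-context configuration from Steps 2 to 5.
SAMPLE_CONFIG = """\
access-list acl line 10 extended permit ip any any
class-map type management match-any ANM_management
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol icmp any
  7 match protocol xml-https
policy-map type management first-match ANM_management
  class ANM_management
    permit
interface vlan 30
  ip address 192.168.65.131 255.255.255.0
  access-group input acl
  service-policy input ANM_management
  no shutdown
"""


@dataclass
class AceConfig:
    acls: dict = field(default_factory=dict)         # acl name -> [entry text]
    class_maps: dict = field(default_factory=dict)   # class-map -> {protocol}
    policy_maps: dict = field(default_factory=dict)  # policy-map -> {class: action}
    interfaces: dict = field(default_factory=dict)   # "vlan 30" -> attributes


def parse_ace_config(text: str) -> AceConfig:
    """Parse the subset of ACE CLI syntax that governs management access."""
    cfg = AceConfig()
    block = None        # (kind, name) of the open configuration block
    last_class = None   # class being configured inside a policy-map
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            block = None  # unindented line: top-level command, closes any block
            if m := re.match(r"access-list (\S+) line \d+ (.+)", line):
                cfg.acls.setdefault(m[1], []).append(m[2])
            elif m := re.match(r"class-map type management match-any (\S+)", line):
                block, cfg.class_maps[m[1]] = ("class", m[1]), set()
            elif m := re.match(r"policy-map type management first-match (\S+)", line):
                block, cfg.policy_maps[m[1]] = ("policy", m[1]), {}
            elif m := re.match(r"interface (\S+ \S+)", line):
                # assumption: an ACE interface stays shut until 'no shutdown'
                block, cfg.interfaces[m[1]] = ("intf", m[1]), {"shutdown": True}
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "class":
            if m := re.match(r"(?:\d+ )?match protocol (\S+)", line):
                cfg.class_maps[name].add(m[1])
        elif kind == "policy":
            if m := re.match(r"class (\S+)", line):
                last_class = m[1]
                cfg.policy_maps[name][last_class] = None
            elif line in ("permit", "deny") and last_class:
                cfg.policy_maps[name][last_class] = line
        elif kind == "intf":
            intf = cfg.interfaces[name]
            if m := re.match(r"ip address (\S+) \S+", line):
                intf["ip"] = m[1]
            elif m := re.match(r"access-group input (\S+)", line):
                intf["acl_in"] = m[1]
            elif m := re.match(r"service-policy input (\S+)", line):
                intf["policy"] = m[1]
            elif line in ("shutdown", "no shutdown"):
                intf["shutdown"] = line == "shutdown"
    return cfg


def check_management_access(text: str, ace_4710: bool = False) -> dict:
    """Per interface: protocols ANM can reach, required ones missing, and warnings."""
    cfg = parse_ace_config(text)
    required = REQUIRED_COMMON | (REQUIRED_4710 if ace_4710 else set())
    report = {}
    for name, intf in cfg.interfaces.items():
        policy = cfg.policy_maps.get(intf.get("policy"), {})
        permitted = set()
        for cls, action in policy.items():
            if action == "permit":
                permitted |= cfg.class_maps.get(cls, set())
        warnings = []
        if "telnet" in permitted:
            warnings.append("telnet permitted, but ANM reaches the ACE over SSHv2 and HTTPS only")
        if any("permit ip any any" in e for e in cfg.acls.get(intf.get("acl_in"), [])):
            warnings.append("ACL permits any source; restrict it to the ANM server address")
        if intf["shutdown"]:
            warnings.append("interface is shut down")
        report[name] = {"ip": intf.get("ip"), "permitted": permitted,
                        "missing": required - permitted,
                        "optional_absent": OPTIONAL - permitted, "warnings": warnings}
    return report


if __name__ == "__main__":
    for intf, result in check_management_access(SAMPLE_CONFIG, ace_4710=True).items():
        print(intf, result)
```

Run it against the output of show running-config from the Admin context; an empty "missing" set for the interface whose IP you import with means the management policy will not be what blocks the import.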
ANM Requirements for ACE High Availability
ANM automatically identifies ACE high availability (HA) peers if both peers are imported into ANM.
For ANM to identify two ACE devices (ACE modules or ACE appliances) as high availability peers,
ANM looks for two ACE devices with the same fault-tolerant (FT) interface VLAN configuration and
whose peer IP addresses are reversed.
For example, ANM would consider Peer 1 with the following configuration:
ft interface vlan 4000
ip address 10.10.10.1 255.255.255.0
peer ip address 10.10.10.4 255.255.255.0
and Peer 2 with the following configuration:
ft interface vlan 4000
ip address 10.10.10.4 255.255.255.0
peer ip address 10.10.10.1 255.255.255.0
as HA peers because they both use FT interface VLAN 4000 and their IP and peer IP addresses are
reversed.
However, it is possible that multiple ACE devices imported into ANM have the same FT interface VLAN
and IP address/peer IP address combinations. In this case, ANM is not able to identify the ACE HA pair
correctly. To resolve this issue, ANM uses the following logic to determine that two ACE devices are an
HA pair:
1. Two ACE devices could be identified as an HA pair if their FT interface VLAN IDs match and their
FT interface IP and peer IP addresses are reversed.
2. If the Admin context management interface peer IP address is already defined, ANM will
conclusively identify its HA peer if the other Admin context management interface reversely
matches the management IP and peer IP addresses.
3. If both ACE Admin context management interface peer IP addresses are not defined, and their FT
interface configuration combination is unique across all ACE devices, ANM will then identify them
as an HA pair.
4. An ACE HA peer is identified as Inconclusive if there is a non unique FT interface configuration
combination across all ACE devices and its Admin context management interface peer IP is not
defined.
When importing an ACE HA pair into ANM, you should follow one of the following configuration
requirements so that ANM can uniquely identify the ACE HA pair:
• Use a unique combination of FT interface VLAN and FT IP address/peer IP address for every ACE
HA pair imported into ANM. For HA, it is critical that the combination of FT interface VLAN and
IP address/peer IP address is always unique across every pair of ACE peer devices.
• Define a peer IP address in the management interface using the management IP address of the peer
ACE (module or appliance). The management IP address and management peer IP address used for
this definition should be the management IP address used to import both ACE devices into ANM.
An example is as follows:
• ACE1 is imported into ANM with management IP 10.10.10.10.
• ACE2 is imported into ANM with management IP 10.10.10.12.
In this case, you would perform the following actions for both ACE1 and ACE2:
• Update the management interface on ACE1 with IP address 10.10.10.10 to have 10.10.10.12 as the
peer IP address.
• Update the management interface on ACE2 with IP address 10.10.10.12 to have 10.10.10.10 as the
peer IP address.
An ACE module or appliance may have many other management interfaces defined, but ANM is
particularly interested only in the management interface whose IP address is used for importing into
ANM.
When ANM is unable to determine a unique ACE HA peer pair, it displays an Inconclusive state in the
ACE HA State column of the All Virtual Contexts table (Config > Devices > Virtual Context
Management) or the Virtual Contexts listing page. The Inconclusive state indicates that ANM was able
to determine that the given ACE was configured in HA; however, ANM was able to find more than one
ACE module or ACE appliance that appeared to be a peer. In this case, ANM was unable to conclusively
find a unique HA peer for the given ACE module or ACE appliance. You must then perform the actions
outlined in this section to fix the ACE that is in this state.
More information will appear in the tooltip for the Inconclusive state to specify whether this state was
reached because the FT interface VLAN and the IP address/peer IP address was not unique, or because
the peer IP address on the management interface was not unique.
Based on the information provided to you in the tooltip for the Inconclusive state, you must update the
ACE configuration as described in the configuration requirements outlined above. After you make these
configuration changes, resynchronize the affected ACE devices in ANM to update the configuration and
HA mapping. For more information about synchronizing virtual contexts, see the “Creating Virtual
Contexts” procedure on page 6-2.
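As an added example that is not ANM's code, the following Python script applies the four peer-identification rules above to a constructed set of ACE records (FT interface VLAN, FT IP and peer IP, the Admin-context management IP used for import, and the optional management peer IP) and returns, per ACE, either the name of its conclusive HA peer or the Inconclusive state, together with the reason the tooltip would give. The Standalone result for an ACE with no reversed FT match, and the treatment of a management peer IP that is defined but matches no candidate, are this example's assumptions; the guide does not spell out those cases. It also shows the fix the guide prescribes: adding management peer IPs turns an Inconclusive pair conclusive.

```python
"""Added example, not ANM's code: ACE HA peer identification per the guide's rules 1-4.

Records are constructed; the names, the 'Standalone' state and the handling of
an unmatched management peer IP are this example's own assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    name: str
    ft_vlan: int
    ft_ip: str
    ft_peer_ip: str
    mgmt_ip: str                       # Admin-context address the ACE was imported with
    mgmt_peer_ip: Optional[str] = None  # peer ip address on that management interface


def ft_reversed(a: Ace, b: Ace) -> bool:
    """Rule 1: same FT VLAN, and FT IP / peer IP swapped between a and b."""
    return a.ft_vlan == b.ft_vlan and a.ft_ip == b.ft_peer_ip and a.ft_peer_ip == b.ft_ip


def mgmt_reversed(a: Ace, b: Ace) -> bool:
    """Rule 2: management IP / management peer IP swapped between a and b."""
    return a.mgmt_peer_ip == b.mgmt_ip and b.mgmt_peer_ip == a.mgmt_ip


def identify_peer(dev: Ace, devices: List[Ace]) -> Tuple[str, str]:
    """Return (peer name or state, reason) for dev, applying rules 1 to 4 in order."""
    candidates = [o for o in devices if o is not dev and ft_reversed(dev, o)]
    if not candidates:
        # assumption: no imported ACE carries the reversed FT configuration
        return "Standalone", "no imported ACE has the reversed FT configuration"
    if dev.mgmt_peer_ip:
        matches = [o for o in candidates if mgmt_reversed(dev, o)]
        if len(matches) == 1:
            return matches[0].name, "management IP / peer IP reversed (rule 2)"
        # assumption: a defined peer IP that matches zero or several candidates
        return "Inconclusive", "management peer IP does not match exactly one candidate"
    key = (dev.ft_vlan, dev.ft_ip, dev.ft_peer_ip)
    same_combo = [o for o in devices if (o.ft_vlan, o.ft_ip, o.ft_peer_ip) == key]
    if len(same_combo) == 1 and len(candidates) == 1:
        return candidates[0].name, "FT VLAN / IP / peer IP combination is unique (rule 3)"
    return "Inconclusive", "FT VLAN / IP / peer IP combination is not unique (rule 4)"


def pair_ace_devices(devices: List[Ace]) -> dict:
    return {d.name: identify_peer(d, devices) for d in devices}


# Constructed sample: two pairs share FT VLAN 4000 and the same FT addresses.
# ace1/ace2 carry management peer IPs; ace3/ace4 do not; ace5/ace6 are unique;
# ace7 has no peer imported.
SAMPLE_ACES = [
    Ace("ace1", 4000, "10.10.10.1", "10.10.10.4", "10.10.10.10", "10.10.10.12"),
    Ace("ace2", 4000, "10.10.10.4", "10.10.10.1", "10.10.10.12", "10.10.10.10"),
    Ace("ace3", 4000, "10.10.10.1", "10.10.10.4", "10.10.20.10"),
    Ace("ace4", 4000, "10.10.10.4", "10.10.10.1", "10.10.20.12"),
    Ace("ace5", 4001, "10.10.11.1", "10.10.11.4", "10.10.30.10"),
    Ace("ace6", 4001, "10.10.11.4", "10.10.11.1", "10.10.30.12"),
    Ace("ace7", 5000, "10.10.50.1", "10.10.50.2", "10.10.40.10"),
]

# The guide's fix: give ace3 and ace4 each other's management IP as peer IP.
_FIX = {"ace3": "10.10.20.12", "ace4": "10.10.20.10"}
FIXED_ACES = [replace(a, mgmt_peer_ip=_FIX.get(a.name, a.mgmt_peer_ip)) for a in SAMPLE_ACES]

if __name__ == "__main__":
    for label, devs in (("before fix", SAMPLE_ACES), ("after fix", FIXED_ACES)):
        print(label)
        for name, (state, reason) in pair_ace_devices(devs).items():
            print(f"  {name}: {state} ({reason})")
```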
Modifying the ANM Timeout Setting to Compensate for Network
Latency
You can adjust the amount of time that ANM waits for a response from a device that you want ANM to
import. You may need to adjust the timeout value when network latency prevents ANM from establishing
a communication link with the device to be imported.
To establish communications between ANM and the device during the device import process, the device
sends requests to ANM for the required device username and password information. After ANM
provides the device username, it waits two seconds for the device to make the next request for the
password. If network latency prevents the password request from arriving within two seconds of
providing the username, the connection times out, preventing ANM from importing the device.
This type of issue can occur when importing devices that are Telnet-managed or require remote user
authentication. To compensate for the resulting network latency, you can modify the default two-second
timeout value by editing the ANM cs-config.properties file.
Procedure
Step 1 Modify the timeout value to 20000 milliseconds (20 seconds) as follows:
• ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and add the
following line to the end of the file:
telnet.transport.login.timeout=20000
• ANM Virtual Appliance—Enter the following command:
anm-property set telnet.transport.login.timeout 20000
Step 2 Restart ANM as follows:
• ANM Server—Enter the following command:
/opt/CSCOanm/bin/anm-tool restart
• ANM Virtual Appliance—Enter the following command:
anm-tool restart
Step 3 Import the device.
See one of the following sections:
• Importing Network Devices into ANM, page 5-10
• Discovering Large Numbers of Devices Using IP Discovery, page 5-27
Step 4 (Optional) If the timeout issue persists, slowly increase the timeout value by repeating this procedure.
Do not increase the timeout value beyond 60000 milliseconds.
Related Topics
• Importing Network Devices into ANM, page 5-10
• Discovering Large Numbers of Devices Using IP Discovery, page 5-27
Importing Network Devices into ANM
ANM allows you to add the following devices individually to its database:
• ACE appliances
• ACE modules
• Catalyst 6500 series chassis
• Catalyst 6500 Virtual Switching System (VSS) 1440
• Cisco 7600 series routers
• Cisco Content Services Switch (CSS) devices
• Cisco Content Switching Module (CSM) devices
• Cisco Global Site Selector (GSS) devices
• VMware vCenter Servers
We recommend that you use the procedures in this section to add your devices to ANM because they are
faster and more efficient than running IP Discovery (see the “Discovering Large Numbers of Devices
Using IP Discovery” section on page 5-27).
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• When adding a module device, such as an ACE module or a CSM, you must first import the host
chassis device, such as a Cisco Catalyst 6500 series switch chassis, and then you add the installed
modules. The chassis device is referred to as a Cisco IOS device during the device import process.
• The time required to import devices depends on the number of appliances, chassis, modules, and
contexts that you are importing. For example, an ACE appliance with 20 virtual contexts takes
longer than an ACE appliance with 5 contexts. While ANM imports devices, you cannot perform
other activities in the same session. You can, however, establish a new session with the ANM server
and perform activities on other appliances, chassis, modules, or virtual contexts.
• Network latency can prevent ANM from establishing a communication link with a device that you
want to import. When ANM is providing the device with the device credentials (username and
password), by default it waits two seconds after providing the device username for the password
prompt to appear. The link times out when it takes longer than two seconds for the next prompt to
appear. For information about possible causes of network latency that can create this issue and how
to adjust the ANM timeout value, see the “Modifying the ANM Timeout Setting to Compensate for
Network Latency” section on page 5-9.
Prerequisites
This topic includes the following prerequisites:
• Before adding a device or ACE module, the ANM server pings the IP address of the device or ACE
module. If you have a firewall between the ANM server and the device you want to import, your
network administrator needs to modify the firewall to allow the ping traffic to reach the device or
ACE module.
• To import your devices successfully, ensure the following:
– The ACE module or CSM has booted successfully and is in the OK/Pass state (enter the show
module supervisor Cisco IOS CLI command to verify this action).
– The ACE appliance or the CSS state is up and running. There is no command to validate whether
these devices are up and running.
This section includes the following topics:
• Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11
• Importing ACE Appliances, page 5-21
• Importing CSS Devices, page 5-22
• Importing GSS Devices, page 5-23
• Importing VMware vCenter Servers, page 5-24
Importing Cisco IOS Host Chassis and Chassis Modules
This section shows how to import a Cisco IOS host chassis into ANM, such as the Catalyst 6500 series
chassis or the Cisco 7600 series router. After you define the Cisco IOS device during the import process,
you import the ACE or CSM modules that currently reside in the chassis and are detected by ANM.
When you add additional modules to the Cisco IOS device, you import the new modules into ANM
without having to redefine the host chassis.
This section includes the following topics:
• Importing Cisco IOS Devices with Installed Modules, page 5-12
• Importing ACE Modules after the Host Chassis has been Imported, page 5-16
• Importing CSM Devices after the Host Chassis has been Imported, page 5-19
• Importing VSS 1440 Devices after the Host Chassis has been Imported, page 5-20
Importing Cisco IOS Devices with Installed Modules
This section shows how to import the following Cisco IOS chassis devices into ANM along with any
installed ACE modules or CSMs that ANM detects in the chassis:
• Catalyst 6500 series chassis
• Catalyst 6500 Virtual Switching System (VSS) 1440
• Cisco 7600 series routers
Procedure
Step 1 Choose Config > Devices > All Devices.
The Device Management window appears.
Step 2 In the device tree or in the All Devices table, click Add.
The New Device window appears.
Step 3 Enter the information for the device using the information in Table 5-2.
Table 5-2 New Device Attributes
Field Description
Name Unique name for the device. Valid entries are unquoted text strings with no spaces and a maximum of
26 alphanumeric characters.
Model Type of device to import. From the Model drop-down list, choose Cisco IOS Device.
Primary IP IP address for the device in dotted-decimal format.
Access Protocol Protocol to use for communication with the device. Choose Secure/SSH2 (default setting) or Telnet as
the protocol that ANM uses to access the Cisco IOS devices.
User Name Account name for device access.
Note If you did not configure an account on the chassis before starting this procedure, you can enter
an alphanumeric string with no spaces to complete this procedure. However, we recommend
that you configure an account on the device to prevent unauthorized access.
Password Password for the account.
Enable Password Provides an extra level of security.
SNMP v2c Enabled Check the SNMP v2c Enabled checkbox to configure SNMP access.
Community Field that appears if you check the SNMP v2c Enabled checkbox. Enter the community string for
the device.
Note If you are adding a Catalyst 6500 series chassis, in the Community field, enter the SNMP
community string already configured on the Catalyst 6500 series chassis. ANM uses this string
to query device status information such as VLAN and interface status. This SNMP community
string is also used for any CSM devices contained in the specified Catalyst 6500 series chassis.
For Catalyst 6500 series chassis, CSS, and CSM devices, the SNMP community string already
configured on the device is used by ANM for polling. For ACE modules and ACE appliances, the
SNMP community string entered into ANM is configured on the ACE module/appliance and is used
for polling the devices. SNMP v2c sends the community string in cleartext and the string is the only
credential for that access, so do not use a well-known default string and restrict SNMP access on
the device to the ANM server address.
Custom Prompt Settings
Custom Username Prompt Optional field for use with the Cisco Catalyst 6500 series switch and Cisco 7600 series router only.
With either device, if you have it configured to use a TACACS+ server for remote authentication, you
can also configure it to display a custom username prompt during the login process rather than the
default username prompt. If you have the device configured to use a custom username prompt, enter
the custom prompt in this field.
Custom Password Prompt Optional field for use with the Cisco Catalyst 6500 series switch and Cisco 7600 series router only.
With either device, if you have it configured to use a TACACS+ server for remote authentication, you
can also configure it to display a custom password prompt during the login process rather than the
default password prompt. If you have the device configured to use a custom password prompt, enter
the custom prompt in this field.
Step 4 Do one of the following:
• Click Next to save your entries and import device information. A progress bar displays while ANM
establishes a session with the chassis and collects information about the installed modules. When
the information has been collected, ANM displays one of the following windows:
– If no CSM devices or ACE modules are associated with the chassis device, the All Devices
table refreshes with the chassis information.
– If CSM devices or ACE modules are associated with the chassis device, the Modules
configuration window appears and displays information about the first detected module. To
view the detected modules, continue to Step 5.
• Click Cancel to exit the procedure without saving your entries and to return to the All Devices table.
Clicking Cancel prevents device information from being imported and prevents ACE module
discovery.
Step 5 In the Modules window, verify the information of the first detected chassis module as described in
Table 5-3 and use the Next and Previous buttons to navigate through the list of detected chassis modules.
Table 5-3 Detected Modules in Imported Chassis Device
Item Description
Card Slot Chassis IP address, detected module type, and chassis slot number. For example,
10.10.10.1:ACE:2.
Card Type Version information about the detected module. For example, ACE v2.3. This field displays major
release information only. For example, 8.2x might be supported by a module, but only 8.2 displays.
Module Has Been
Imported Into ANM
Read only information to indicate that the module has already been imported (checked) or that it
has not been imported (unchecked).
Operation To Perform Drop down list to specify the action to take as follows:
• Do Not Import (default setting)
• Import
• Perform Initial Setup and Import
Step 6 To import a displayed module, in the Operation to Perform field, choose one of the following:
• Import—ANM imports the CSM device or ACE module. For an ACE module, ANM displays
additional configuration fields when you select Import. For both module types, skip to
Step 7 after selecting Import.
• Perform Initial Setup And Import—(ACE module only) Lets you enter the initial setup (host name,
IP address, netmask, gateway, VLAN, and credentials) that ANM needs to communicate with the
ACE module, and then imports the ACE module configuration. Skip to Step 8.
Note We recommend that you choose this option for ACE modules that are configured only with
factory defaults.
Step 7 If you chose Import for a CSM device or ACE module, do one of the following:
• To import a CSM device, no further device information is required. Click Next or Previous to
navigate to the next module to specify to import or click Finish to import the specified modules.
• To import an ACE module, perform the following steps:
a. In the Admin Context IP field, enter the module IP address.
b. In the User Name field, enter the username for accessing this module. Valid entries are unquoted
text strings with a maximum of 24 characters. The default admin credentials are admin/admin.
Note For security reasons, we recommend that you change the username and password on your
ACE device (and modules) after you import them. The security on your ACE module can be
compromised because the administrative username and password are configured to be the
same for every ACE module shipped from Cisco. See the “Changing ACE Module
Passwords” procedure on page 5-77.
c. In the Password field, enter the password for accessing this module. Reenter the password in the
Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The
default admin credentials are admin/admin.
d. Click Next or Previous to navigate to the next module to specify to import or click Finish to
import the specified modules.
Skip to Step 10.
Step 8 If you chose Perform Initial Setup And Import for an ACE module, perform the following steps:
a. In the Host Name field, enter a unique name for this ACE module. Valid entries are alphanumeric
strings with no spaces and a maximum of 32 characters.
b. In the Admin Context IP field, enter the IP address for this ACE module.
c. In the Netmask field, from the drop-down list, choose the subnet mask to apply to this IP address.
d. In the Gateway field, enter the IP address of the gateway router to use.
e. In the VLAN field, choose the VLAN to which this module belongs.
f. Check the Blade Is Configured With Factory Default Admin Credentials check box if the ACE
module is currently configured with the default admin credentials (admin/admin).
g. In the User Name field, enter the username for accessing this module. Valid entries are unquoted
text strings with a maximum of 24 characters. The default admin credentials are admin/admin.
Note For security reasons, we recommend that you change the username and password on your ACE
after you import it. The security on your ACE module can be compromised because the
administrative username and password are configured to be the same for every ACE shipped
from Cisco. See the “Changing ACE Module Passwords” procedure on page 5-77.
h. In the Password field, enter the password for accessing this module. Reenter the password in the
Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default
admin credentials are admin/admin.
Step 9 Do one of the following:
• Click OK to save your entries and to continue with the device configuration. A progress bar reports
status and the Device configuration window appears.
• Click Cancel to exit the procedure without importing ACE modules and to return to the All Devices
table.
Note Clicking Cancel in this window does not cancel the chassis importing process.
Step 10 (Optional) To confirm that the virtual contexts on the ACE module were successfully imported into
ANM, do the following:
a. Choose Config > Devices. The device tree appears.
b. In the device tree, choose the chassis device and ACE module that you just imported. The Virtual
Contexts table appears, listing the contexts for that device.
c. Confirm that the contexts imported successfully:
– If OK appears in the Config Status column, it means that the context imported successfully.
– If Import Failed appears in the Config Status column, it means that the context did not import
successfully.
d. To synchronize the configurations for the context import that failed, choose the context, and then
click Sync. ANM will synchronize the context by uploading it from the ACE device.
For more information on synchronizing virtual contexts, see the “Creating Virtual Contexts”
procedure on page 6-2.
Note If you receive authentication errors or incorrect username/password errors when trying to import ACE
devices, refer to the ACE documentation regarding username and password settings and limitations.
Tip After you add an ACE module, see the “Enabling a Setup Syslog for Autosync for Use With an ACE”
section on page 5-27 to enable auto sync, which allows ANM to synchronize with the ACE CLI when
ANM receives a syslog message from the ACE rather than waiting for the default polling period.
Related Topics
• Importing ACE Modules after the Host Chassis has been Imported, page 5-16
• Importing CSM Devices after the Host Chassis has been Imported, page 5-19
• Importing ACE Appliances, page 5-21
• Importing CSS Devices, page 5-22
• Importing GSS Devices, page 5-23
• Importing VMware vCenter Servers, page 5-24
• Removing Modules from the ANM Database, page 5-80
• Synchronizing Module Configurations, page 5-67
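The checks a practitioner would want to run over an import plan before typing it into the New Device and Modules windows, as an added example that is not part of the ANM user guide or the ANM product: it validates the field limits from Table 5-2 and the ACE module steps above and flags the settings this section warns about (Telnet rather than SSH2, ACE modules still on the factory admin/admin credentials, a missing enable password, a well-known SNMP v2c community string). The plan layout, the finding codes, the community-string list and the sample entries are this example's own assumptions.

```python
"""Pre-import audit of the entries planned for the ANM New Device and Modules windows.

Added example, not part of the ANM user guide or the ANM product. Field limits
come from Table 5-2 and Steps 7-8 above; the plan layout, finding codes and
community-string list are assumptions of this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_DEVICE_NAME = 26      # Table 5-2: alphanumeric, no spaces
MAX_ACE_USERNAME = 24     # Step 7b / 8g
MAX_ACE_PASSWORD = 64     # Step 7c / 8h
MAX_ACE_HOSTNAME = 32     # Step 8a
FACTORY_DEFAULT = ("admin", "admin")          # shipped on every ACE module
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco"}   # assumption: extend from your own wordlist

ALNUM = re.compile(r"^[A-Za-z0-9]+$")


@dataclass
class ChassisEntry:
    name: str
    primary_ip: str
    access_protocol: str                  # "ssh2" (default) or "telnet"
    username: str
    password: str
    enable_password: str = ""
    snmp_community: Optional[str] = None  # None when SNMP v2c is left disabled
    # (username, password, host name) for each ACE module to import from this chassis
    ace_modules: List[Tuple[str, str, str]] = field(default_factory=list)


def audit_chassis(e: ChassisEntry):
    """Return [(severity, code, message)] for one planned chassis and its ACE modules."""
    f = []
    if not (ALNUM.match(e.name) and len(e.name) <= MAX_DEVICE_NAME):
        f.append(("error", "NAME_FORMAT", f"{e.name!r}: 1-{MAX_DEVICE_NAME} alphanumeric characters, no spaces"))
    try:
        ipaddress.IPv4Address(e.primary_ip)          # dotted-decimal only
    except ValueError:
        f.append(("error", "IP_FORMAT", f"{e.primary_ip!r}: not a dotted-decimal IPv4 address"))
    if e.access_protocol.lower() == "telnet":
        f.append(("high", "TELNET", f"{e.name}: Telnet carries the login and enable passwords in cleartext; use SSH2"))
    if not e.enable_password:
        f.append(("medium", "NO_ENABLE", f"{e.name}: no enable password protecting privileged access"))
    if e.snmp_community is not None and e.snmp_community.lower() in WELL_KNOWN_COMMUNITIES:
        f.append(("high", "SNMP_COMMUNITY", f"{e.name}: community {e.snmp_community!r} is a well-known default"))
    for user, pw, host in e.ace_modules:
        if (user, pw) == FACTORY_DEFAULT:
            f.append(("high", "DEFAULT_CREDS", f"{e.name}/{host}: still admin/admin; change it after import (page 5-77)"))
        if len(user) > MAX_ACE_USERNAME:
            f.append(("error", "ACE_USER_LEN", f"{e.name}/{host}: username longer than {MAX_ACE_USERNAME}"))
        if len(pw) > MAX_ACE_PASSWORD:
            f.append(("error", "ACE_PW_LEN", f"{e.name}/{host}: password longer than {MAX_ACE_PASSWORD}"))
        if not (ALNUM.match(host) and len(host) <= MAX_ACE_HOSTNAME):
            f.append(("error", "ACE_HOST_FORMAT", f"{host!r}: 1-{MAX_ACE_HOSTNAME} alphanumeric characters, no spaces"))
    return f


def audit_plan(entries):
    """Map each planned device name to its findings; an empty list means it is ready to import."""
    return {e.name: audit_chassis(e) for e in entries}


# Constructed sample plan: one risky chassis, one clean one, one with malformed fields.
SAMPLE_PLAN = [
    ChassisEntry("core6500", "10.10.10.1", "telnet", "anm", "Ch4ssis!pw", "En4ble!pw",
                 snmp_community="public", ace_modules=[("admin", "admin", "aceslot2")]),
    ChassisEntry("dc7600", "192.0.2.10", "ssh2", "anmsvc", "L0ng-unique-pw", "Priv-unique-pw",
                 snmp_community="r0-anm-only-7f3a", ace_modules=[("anmsvc", "AceUniquePw42", "ace1")]),
    ChassisEntry("core switch 1", "10.10.10", "ssh2", "anm", "pw"),
]

if __name__ == "__main__":
    for name, findings in audit_plan(SAMPLE_PLAN).items():
        print(name, "OK" if not findings else "")
        for sev, code, msg in findings:
            print(f"  [{sev}] {code}: {msg}")
```

Run it against your own plan before the import; anything tagged high should be fixed on the device (or in the plan) first, because ANM stores and reuses whatever credentials and protocol you enter here.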
Importing ACE Modules after the Host Chassis has been Imported
You can add ACE modules into the ANM database at any time after the host chassis has been added.
Before You Begin
• Ensure that the module to be imported has booted successfully and is in the OK/Pass state. To check the
module state, enter the show module command in the Cisco IOS CLI of the chassis supervisor.
• Note that the time needed to import ACE modules depends on the number of modules and contexts that
you are importing. For example, an ACE module with 20 virtual contexts takes longer than an ACE
module with 5 contexts. While ANM imports the module, you cannot perform other activities in the
same session. You can, however, establish a new session with the ANM server and perform activities
on other devices, modules, or virtual contexts.
• If you receive authentication errors or incorrect username/password errors when you try to import
an ACE module, see the ACE documentation regarding username and password settings and
limitations.
• If you physically replace an ACE module in a chassis, you need to synchronize the chassis in ANM.
We recommend you start by adjusting syslog settings to facilitate the ANM auto synchronization
process as described in the “Enabling a Setup Syslog for Autosync for Use With an ACE” section
on page 5-27.
Guidelines and Restrictions
ANM 3.0 and greater releases do not support the importing of an ACE module that contains an A1(6.x)
software release or an ACE appliance that contains an A1(7.x) or A1(8.x) software release. If you
attempt to import an ACE that supports one of these releases, ANM displays a message to instruct you
that it failed to import the unrecognized ACE configuration and that device discovery failed.
However, if you perform an ANM upgrade (for example, from ANM 2.2 to ANM 3.0), and the earlier
ANM release contained an inventory with an ACE module that supported the A1(6.x) software release or
an ACE appliance that supported the A1(7.x) or A1(8.x) software release, ANM 3.0 (and greater) allows
the A1(x) software release to reside in the ANM database and will support operations for the release.
ANM prevents a new import of an ACE module or ACE appliance that contains the unsupported software
version.
We strongly recommend that you upgrade your ACE module or ACE appliance to a supported ACE
software release, and that you instruct ANM to recognize the updated release. See the “Instructing ANM
to Recognize an ACE Module Software Upgrade” section on page 5-71.
See the Supported Device Tables for the Cisco Application Networking Manager for a complete list of
supported ACE module and ACE appliance software releases.
Prerequisites
The host chassis of the ACE module that you are adding has been imported (see the “Importing Cisco
IOS Host Chassis and Chassis Modules” section on page 5-11).
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the host device that contains the ACE module you want to import and
click Modules.
The Modules table appears, which displays a list of the installed modules.
Step 3 In the Modules table, choose the module that you want to import and click Import.
The Modules configuration window appears.
Step 4 In the Modules window, verify the information of the selected module as described in Table 5-4.
Table 5-4 Importing ACE Modules
Item Description
Card Slot Chassis IP address, detected module type, and chassis slot number. For example,
10.10.10.1:ACE:2.
Card Type Version information about the detected module. For example, ACE v2.3. This field displays major
release information only. For example, 8.2x might be supported by a module, but only 8.2 displays.
Module Has Been
Imported Into ANM
Read only information to indicate that the module has already been imported (checked) or that it
has not been imported (unchecked).
Operation To Perform Drop down list to specify the action to take as follows:
• Do Not Import (default setting)
• Import
• Perform Initial Setup and Import
Step 5 To import a displayed module, in the Operation to Perform field, choose one of the following:
• Import—ANM imports the ACE module. ANM displays additional configuration fields when
you select Import. Skip to Step 6 after selecting Import.
• Perform Initial Setup And Import—Lets you enter the initial setup (host name, IP address, netmask,
gateway, VLAN, and credentials) that ANM needs to communicate with the ACE module, and then
imports the ACE module configuration. Skip to Step 7.
Note We recommend that you choose this option for ACE modules that are configured only with
factory defaults.
Step 6 If you chose Import, perform the following steps:
a. In the Admin Context IP field, enter the module IP address.
b. In the User Name field, enter the username for accessing this module. Valid entries are unquoted
text strings with a maximum of 24 characters. The default admin credentials are admin/admin.
Note For security reasons, we recommend that you change the username and password on your ACE
device (and modules) after you import them. The security on your ACE module can be
compromised because the administrative username and password are configured to be the same
for every ACE module shipped from Cisco. See the “Changing ACE Module Passwords”
procedure on page 5-77.
c. In the Password field, enter the password for accessing this module. Reenter the password in the
Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default
admin credentials are admin/admin.
d. Click Next or Previous to navigate to the next module to specify to import or click Finish to import
the specified modules.
Skip to Step 9.
Step 7 If you chose Perform Initial Setup And Import, perform the following steps:
a. In the Host Name field, enter a unique name for this ACE module. Valid entries are alphanumeric
strings with no spaces and a maximum of 32 characters.
b. In the Admin Context IP field, enter the IP address for this ACE module.
c. In the Netmask field, from the drop-down list, choose the subnet mask to apply to this IP address.
d. In the Gateway field, enter the IP address of the gateway router to use.
e. In the VLAN field, choose the VLAN to which this module belongs.
f. Check the Blade Is Configured With Factory Default Admin Credentials check box if the ACE
module is currently configured with the default admin credentials (admin/admin).
g. In the User Name field, enter the username for accessing this module. Valid entries are unquoted
text strings with a maximum of 24 characters. The default admin credentials are admin/admin.
Note For security reasons, we recommend that you change the username and password on your ACE
after you import it. The security on your ACE module can be compromised because the
administrative username and password are configured to be the same for every ACE shipped
from Cisco. See the “Changing ACE Module Passwords” procedure on page 5-77.
h. In the Password field, enter the password for accessing this module. Reenter the password in the
Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default
admin credentials are admin/admin.
Step 8 Do one of the following:
• Click OK to save your entries and to continue with the device configuration. A progress bar reports
status and the Device configuration window appears.
• Click Cancel to exit the procedure without importing ACE modules and to return to the All Devices
table.
Note Clicking Cancel in this window does not cancel the chassis importing process.
Step 9 (Optional) To confirm that the virtual contexts on the ACE module were successfully imported into
ANM, do the following:
a. Choose Config > Devices. The device tree appears.
b. In the device tree, choose the chassis device and ACE module that you just imported. The Virtual
Contexts table appears, listing the contexts for that device.
c. Confirm that the contexts imported successfully:
– If OK appears in the Config Status column, it means that the context imported successfully.
– If Import Failed appears in the Config Status column, it means that the context did not import
successfully.
d. To synchronize the configurations for the context import that failed, choose the context, and then
click Sync. ANM will synchronize the context by uploading it from the ACE device.
For more information on synchronizing virtual contexts, see the “Creating Virtual Contexts”
procedure on page 6-2.
Note If you receive authentication errors or incorrect username/password errors when trying to import ACE
devices, refer to the ACE documentation regarding username and password settings and limitations.
Tip After you add ACE devices, see the “Enabling a Setup Syslog for Autosync for Use With an ACE”
section on page 5-27 to enable auto sync, which allows ANM to synchronize with the ACE CLI when
ANM receives a syslog message from the ACE rather than waiting for the default polling period.
Related Topics
• Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11
• Importing ACE Appliances, page 5-21
• Importing CSS Devices, page 5-22
• Importing GSS Devices, page 5-23
• Importing VMware vCenter Servers, page 5-24
• Removing Modules from the ANM Database, page 5-80
• Synchronizing Module Configurations, page 5-67
Importing CSM Devices after the Host Chassis has been Imported
You can import CSM devices into the ANM database at any time after the host chassis or router has been
imported.
Note ANM assigns the device type CSM to both CSM and CSM-S devices. This assignment has to do with
how ANM collects and assigns the information that it receives from the device and does not affect
functionality. To differentiate between these devices, see the description information in the user
interface.
Prerequisites
The host chassis of the CSM that you are adding has been imported (see the “Importing Cisco IOS Host
Chassis and Chassis Modules” section on page 5-11).
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the host device that contains the CSM that you want to import, and then
click Modules.
The Modules table appears.
Step 3 In the Modules table, choose the CSM that you want to import, and then click Import.
The Modules configuration window appears.
Step 4 Verify that the information is correct in the following read-only fields:
• Card Slot—The slot in the chassis in which the module resides.
• Card Type—The device type; in this instance, CSM.
• Module Has Been Imported Into ANM—The checkbox is checked to indicate that the module has
already been imported or cleared to indicate that it has not been imported.
Step 5 In the Operation to Perform field, choose Import.
Step 6 Do one of the following:
• Click OK to save your entries. A progress bar reports status and the Modules table refreshes with
updated information.
• Click Cancel to exit the procedure without importing the device and to return to the Modules table.
Related Topics
• Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11
• Importing ACE Appliances, page 5-21
• Importing CSS Devices, page 5-22
• Importing GSS Devices, page 5-23
• Importing VMware vCenter Servers, page 5-24
• Removing Modules from the ANM Database, page 5-80
• Synchronizing Module Configurations, page 5-67
Importing VSS 1440 Devices after the Host Chassis has been Imported
Catalyst 6500 Virtual Switching Systems (VSS) 1440 devices allow for the combination of two switches
into a single, logical network entity from the network control plane and management perspectives. To
the neighboring devices, the Cisco Virtual Switching System appears as a single, logical switch or router.
VSS devices will be discovered as normal Cisco IOS devices in ANM if the devices are already
converted to virtual switch mode.
Note ANM does not recognize failure scenarios as discussed in the “Configuring Virtual Switching System”
section of the “Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide” on Cisco.com at
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html#wp1062314.
Related Topics
Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11
Importing ACE Appliances
This section shows how to import an ACE appliance into ANM.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, click Add.
The New Device window appears.
Step 3 In the New Device window, define the ACE appliance to import using the information in Table 5-5.
Table 5-5 ACE Appliance Configuration Options
Field Description
Name Name assigned to the ACE appliance.
Model Drop-down list to specify the device type. From the Model drop-down list, choose ACE 4710
(appliance).
Primary IP ACE appliance IP address.
User Name Username that has the administrator role.
Password Password that corresponds to the username.
Confirm Confirmation of the password.
Description Brief device description.
Step 4 Do one of the following:
• Click OK to save your entries. After ANM adds the specified device, the Primary Attributes window
for the device appears.
• Click Cancel to exit the procedure without importing the device and to return to the Modules table.
Related Topics
• Importing Network Devices into ANM, page 5-10
• Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11
• Importing CSS Devices, page 5-22
• Importing GSS Devices, page 5-23
• Importing VMware vCenter Servers, page 5-24
Importing CSS Devices
This section shows how to import CSS devices into ANM.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, click Add.
The New Device window appears.
Step 3 In the New Device window, define the CSS device to import using the information in Table 5-6.
Table 5-6 CSS Configuration Options
Field Description
Name Name assigned to the device.
Model Drop-down list to specify the device type. From the Model drop-down list, choose CSS.
Primary IP Device IP address.
Access Protocol Protocol that ANM is to use when communicating with the CSS. Choose one of the following:
• Secure/SSH (default setting)
• Telnet
User Name Username that has the administrator role.
Password Password that corresponds to the username.
Confirm Confirmation of the password.
SNMP v2c Enabled Checkbox to enable SNMP v2c.
Description Brief device description.
Step 4 Do one of the following:
• Click OK to save your entries. After ANM adds the specified device, the Primary Attributes window
for the device appears (see the “Configuring CSS Primary Attributes” section on page 5-35).
• Click Cancel to exit the procedure without importing the device and to return to the Modules table.
Related Topics
• Importing Network Devices into ANM, page 5-10
• Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11
• Importing ACE Appliances, page 5-21
• Importing GSS Devices, page 5-23
• Importing VMware vCenter Servers, page 5-24
Importing GSS Devices
This section shows how to import GSS devices into ANM.
Guidelines and Restrictions
Follow these guidelines for importing GSS devices into ANM:
• You only need to import the primary GSSM into ANM—You are not required or permitted to add
either the standby GSSM or GSS device. ANM communicates only with the primary GSSM for
activation and suspension of DNS rules and virtual IP (VIP) answers and for collecting statistics.
• GSS graphical user interface (GUI) and CLI must have matching passwords—The username that
you configure while adding a GSS device to ANM must be the same on both the GSS GUI and GSS
CLI.
• Communication between ANM and the primary GSSM is accomplished using the GSS
Communication Ethernet Interface—This interface is used for internal communication between the
primary GSSM and the other GSS devices in the GSS cluster. Beginning with ANM 4.3, ANM uses
Java Remote Method Invocation (RMI) only to communicate with GSS devices running software
Version 3.3 or later. If the GSS device is running an earlier software version and ANM
cannot communicate with it using RMI, ANM uses Secure Shell (SSH).
Table 5-7 lists the TCP ports that ANM uses to communicate with GSS devices.
Table 5-7 TCP Ports Used by ANM for GSS
Port Description
22 SSH
2001 Java RMI
3009 Secure RMI
Note When ANM uses SSH for GSS communication, the terminal length setting is set to 0 during import,
synchronization, and background polling. The terminal length setting that was in effect before the
import, synchronization, or background polling is not preserved.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, click Add.
The New Device window appears.
Step 3 In the New Device window, define the GSS device to import using the information in Table 5-8.
Step 4 Do one of the following:
• Click OK to save your entries. After ANM adds the specified device, the Primary Attributes window
for the device appears (see the “Configuring GSS Primary Attributes” section on page 5-36).
• Click Cancel to exit the procedure without importing the device and to return to the Modules table.
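A pre-flight check of the ports in Table 5-7, run from the ANM server before the import, as an added example that is not part of the ANM user guide or the ANM product: it completes a TCP handshake to each port and reports which management path (RMI for GSS software 3.3 and later, SSH for earlier software) a firewall in between would allow, so that only those ports need to be opened. The rule that the RMI path needs both 2001 and 3009 open, the host addresses, and the loopback listener used to exercise the check offline are assumptions of this example.

```python
"""Pre-flight reachability check for the TCP ports ANM uses toward a GSS (Table 5-7).

Added example, not part of the ANM user guide or the ANM product. Run it on the
ANM server against the primary GSSM address. The loopback helpers at the bottom
exist only so the check can be exercised without a real GSS.
"""
import socket
import socketserver
import threading

# Port -> purpose, from Table 5-7.
GSS_PORTS = {
    22: "SSH (used when RMI is unavailable, i.e. GSS software before 3.3)",
    2001: "Java RMI",
    3009: "Secure RMI",
}


def check_ports(host, ports=GSS_PORTS, timeout=2.0):
    """Return {port: (reachable, detail)}; reachable is True only if a TCP handshake completed."""
    results = {}
    for port, purpose in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = (True, purpose)
        except OSError as exc:  # refused, filtered (timeout), unroutable, or name-resolution failure
            results[port] = (False, f"{purpose}: {type(exc).__name__}")
    return results


def management_path(results):
    """Classify what ANM could use given the probe results.

    Assumption of this example: the RMI path needs both 2001 and 3009 open; SSH on 22 alone
    is enough only for GSS software older than 3.3.
    """
    rmi_ok = results.get(2001, (False,))[0] and results.get(3009, (False,))[0]
    ssh_ok = results.get(22, (False,))[0]
    if rmi_ok:
        return "rmi"
    if ssh_ok:
        return "ssh-only"
    return "unreachable"


class _AcceptAndClose(socketserver.BaseRequestHandler):
    def handle(self):
        pass  # the probe only needs the handshake to complete


def start_local_listener():
    """Offline helper: listen on an ephemeral loopback port. Returns (port, server)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _AcceptAndClose)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


def closed_local_port():
    """Offline helper: a loopback port that nothing is listening on (bound, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    gssm = "192.0.2.50"  # assumption: address of the primary GSSM
    probe = check_ports(gssm)
    for port, (ok, detail) in sorted(probe.items()):
        print(f"{gssm}:{port:<5} {'open' if ok else 'BLOCKED'}  {detail}")
    print("management path:", management_path(probe))
```

If the result is ssh-only for a GSS running 3.3 or later, the firewall is dropping the RMI ports and the import will fail even though SSH works; if it is unreachable, check routing and the firewall before suspecting the credentials.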
Related Topics
• Importing Network Devices into ANM, page 5-10
• Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11
• Importing ACE Appliances, page 5-21
• Importing CSS Devices, page 5-22
• Importing VMware vCenter Servers, page 5-24
Table 5-8 GSS Configuration Options
Field Description
Name Name assigned to the device.
Model Drop-down list to specify the device type. From the Model drop-down list, choose GSS.
Primary IP Device IP address.
User Name Username that has the administrator role.
Password Password that corresponds to the username.
Confirm Confirmation of the password.
Enable Password Password for remote authorization. When the GSS is configured for remote authorization with the
enable command in the user privilege, then the enable password is not used.
Confirm Confirmation of the enable password.
Description Brief description for this device.
Importing VMware vCenter Servers
This section shows how to import VMware vCenter Servers that are part of a VMware virtual datacenter
containing virtual machines (VM). When you import a VMware vCenter Server, ANM discovers the
following network entities associated with the server: datacenters, VMs, and hosts (VMware ESX
servers).
During the VMware vCenter Server import process, you can enable the ANM plug-in that allows you to
access ANM ACE real server functionality from a VMware vSphere Client. Registering the plug-in
provides the client with a URL to access ANM and retrieve the required XML definition file. ANM uses
HTTPS for communication with VMware vCenter Server.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• ANM does not recognize all the special characters that VMware allows you to use in a VM name.
If you import a VMware vCenter Server containing VM names that use certain special characters,
ANM encounters issues that affect the VM Mappings window (Config > Devices > vCenter >
System > VM Mappings). This window shows how VMs map to real servers.
The issues associated with certain special characters in VM names are as follows:
– When a VM name contains a double quote (“), ANM is not able to display the VM Mappings
window (a blank window displays).
– When a VM name contains a percent sign (%), backslash (\), or forward slash (/), ANM displays
the VM name in the VM Mappings window; however, these special characters display as hex
values (%25 for %, %5c for \, and %2f for /).
To avoid these issues, remove these special characters from the VM name before you use the
following procedure to import the VMware vCenter Server in to ANM.
• ANM supports importing a VMware vCenter Server operating in standard mode only. You cannot
import a vCenter Server operating in linked mode.
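A way to find the VM names this restriction affects before the import, as an added example that is not part of the ANM user guide or the ANM product: it reports how ANM would render each name in the VM Mappings window, proposes the name with the four characters removed, and flags sanitized names that would collide with another VM (two VMs mapped to one name), which the advice to remove the characters does not cover. The sample inventory is constructed.

```python
"""Check vCenter VM names for the characters ANM cannot handle in VM Mappings.

Added example, not part of the ANM user guide or the ANM product. The rendering
rules come from the guidelines above: a double quote leaves the window blank;
%, \\ and / are shown as %25, %5c and %2f.
"""
import re

BREAKS_WINDOW = '"'
SHOWN_AS_HEX = {'%': '%25', '\\': '%5c', '/': '%2f'}
_BAD = re.compile(r'["%\\/]')   # the four characters the guide tells you to remove


def anm_rendering(name):
    """How ANM would display the name: None for a blank window, else with hex substitutions."""
    if BREAKS_WINDOW in name:
        return None
    return ''.join(SHOWN_AS_HEX.get(ch, ch) for ch in name)


def sanitize(name):
    """The guide's remedy: remove the problem characters."""
    return _BAD.sub('', name)


def review_inventory(names):
    """Return (issues, collisions).

    issues:     {original: {'rendered': ..., 'suggested': ...}} for names that need a change
    collisions: {sanitized: [originals]} where sanitizing would merge distinct VMs, so the
                suggested name must be adjusted by hand before the import
    """
    issues = {}
    by_clean = {}
    for name in names:
        clean = sanitize(name)
        by_clean.setdefault(clean, []).append(name)
        if clean != name:
            issues[name] = {'rendered': anm_rendering(name), 'suggested': clean}
    collisions = {k: v for k, v in by_clean.items() if len(v) > 1}
    return issues, collisions


# Constructed sample inventory.
SAMPLE_VMS = ['web01', 'web/02', 'web02', 'db "prod"', 'app%rel', 'fin\\2024']

if __name__ == "__main__":
    issues, collisions = review_inventory(SAMPLE_VMS)
    for name, info in issues.items():
        shown = 'blank VM Mappings window' if info['rendered'] is None else info['rendered']
        print(f"{name!r}: ANM shows {shown!r}; rename to {info['suggested']!r}")
    for clean, originals in collisions.items():
        print(f"collision: {originals} would all become {clean!r}")
```

Rename the VMs in vCenter before the import; names listed under collisions need a distinct replacement rather than a bare removal of the characters.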
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, click Add.
The New Device window appears.
Step 3 In the New Device window, configure the VMware vCenter Server using the information in Table 5-9.
Table 5-9 VMware vCenter Server Configuration Options
Field: Description
Name: Name assigned to the device.
Model: Drop-down list of available device types. From the Model drop-down list, choose vCenter.
Primary IP: VMware vCenter Server IP address.
HTTPS Port: Port that the VMware vCenter Server uses to communicate with ANM using HTTPS.
User Name: VMware vCenter Server username that has the administrator role or an equivalent role that has privilege on “Extension,” “Global->Manage custom attribute,” and “Global->Set custom attribute.”
Password: Password that corresponds to the VMware vCenter Server username.
ANM vCenter Plug-in: Registers the ANM plug-in when adding the VMware vCenter Server. Registering the plug-in provides the VMware vCenter Server and associated VMware vSphere Clients with a URL to access ANM and retrieve the required XML definition file. ANM uses HTTPS for communication with the VMware vCenter Server and vSphere Clients. When the plug-in is registered, you can access ANM ACE real server functionality from a VMware vSphere Client.
Choose one of the following options:
• Import vCenter and register plug-in
• Import vCenter but do not register plug-in (default setting)
To register or unregister the ANM plug-in at a later time, see the “Registering or Unregistering the ANM Plug-in” section on page B-5.
ANM Server: DNS name or IP address of the ANM server that will be used by the VMware vCenter Server and vSphere Client. By default, ANM populates this field with the virtual IP address or hostname or all of the available IP addresses. If you enter a DNS name, make sure that the name can be resolved on the VMware vSphere Client side of the network.
Note For ANM servers operating in an HA configuration, choose the shared alias IP address or VIP address for the HA pair so that the plug-in can still be used after an HA failover occurs.
Step 4 Do one of the following:
• Click OK to save your entries. After ANM adds the VMware vCenter Server, the Primary Attributes window for the VMware vCenter Server appears (see the “Configuring VMware vCenter Server Primary Attributes” section on page 5-41).
• Click Cancel to exit the procedure without importing the device and to return to the Modules table.
Related Topics
• Configuring VMware vCenter Server Primary Attributes, page 5-41
• Using the ANM Plug-In With Virtual Data Centers, page B-1
• Mapping Real Servers to VMware Virtual Machines, page 5-68
• Importing Network Devices into ANM, page 5-10
• Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11
• Importing ACE Appliances, page 5-21
• Importing CSS Devices, page 5-22
• Importing GSS Devices, page 5-23
Enabling a Setup Syslog for Autosync for Use With an ACE
You can set up auto synchronization to occur when ANM receives a syslog message from ACE devices.
This feature allows a faster, more streamlined synchronization process between ANM and any
out-of-band configuration changes. Rather than wait the default polling period, ANM will synchronize
when a syslog message is received if you enable the Autosync feature.
Note ANM does not support Autosync for GSS devices.
Procedure
Step 1 Choose Config > Devices. From the device tree, select either an ACE module or an ACE appliance.
Step 2 Choose Setup Syslog for Autosync.
The Setup Syslog for Autosync window appears.
Step 3 Choose one or more virtual contexts for which you want to receive Autosync syslog messages.
Step 4 Click the Setup Syslog button.
A progress bar window appears.
The following CLI commands are sent to the enabled ACE devices:
logging enable
logging trap 2
logging device-id string /Admin
logging host udp/514
logging message 111008 level 2
Step 5 If the setup is successful, a checkbox with a check mark appears in the Setup Syslog for Autosync? column for each virtual context that you selected. If there are any errors, they are shown in a popup window.
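As an added illustration that is not ANM or Cisco code, the following receiver-side logic shows what an Autosync listener does with the messages those five commands produce: it parses ACE syslog lines, keeps only message 111008 at a severity that "logging trap 2" would actually forward, and returns the devices whose configuration should be re-read. The on-the-wire layout of an ACE message carrying a device-id string, the sample lines, and the once-per-device de-duplication are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

AUTOSYNC_MSG_ID = 111008  # ACE "User 'x' executed the 'y' command." message
TRAP_LEVEL = 2            # "logging trap 2": the ACE forwards severity 0..2 only

# Assumed layout: <PRI>Mon DD hh:mm:ss host [device-id :] %ACE-sev-msgid: text
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<devid>\S+) : )?"
    r"%ACE-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)


@dataclass(frozen=True)
class AceEvent:
    host: str
    device_id: Optional[str]  # the "logging device-id string" value, e.g. /Admin
    severity: int             # severity carried in the %ACE-sev-id tag
    msg_id: int
    text: str


def parse_ace_syslog(line: str) -> Optional[AceEvent]:
    """Parse one ACE syslog line; return None for anything that does not fit."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:           # RFC 3164 PRI = facility * 8 + severity, max 23*8+7
        return None
    sev = int(m.group("sev"))
    if (pri & 7) != sev:    # PRI severity and tag severity must agree
        return None
    return AceEvent(
        host=m.group("host"),
        device_id=m.group("devid"),
        severity=sev,
        msg_id=int(m.group("msgid")),
        text=m.group("text"),
    )


def would_be_forwarded(ev: AceEvent, trap_level: int = TRAP_LEVEL) -> bool:
    """True if 'logging trap <trap_level>' on the ACE lets this message out.

    This is why the setup rewrites 111008 to level 2: at a severity above the
    trap level the message never leaves the device, so no sync is triggered."""
    return ev.severity <= trap_level


def autosync_targets(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, device-id) pairs whose configuration ANM should re-read.

    Each pair is reported once even if many 111008 messages arrive in a burst,
    so one CLI session triggers one synchronization, not one per command."""
    targets: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_ace_syslog(line)
        if ev is None or ev.msg_id != AUTOSYNC_MSG_ID:
            continue
        if not would_be_forwarded(ev):
            continue
        key = (ev.host, ev.device_id or "")
        if key not in targets:
            targets.append(key)
    return targets


# Constructed sample feed (not real device output). local7 facility: PRI = 184 + severity.
SAMPLE_LINES = [
    "<186>Apr 12 10:22:01 ace-1 /Admin : %ACE-2-111008: User 'admin' executed the 'interface vlan 100' command.",
    "<189>Apr 12 10:22:05 ace-1 /Admin : %ACE-5-111008: User 'admin' executed the 'no shutdown' command.",
    "<190>Apr 12 10:22:09 ace-1 /Admin : %ACE-6-302022: Built TCP connection for faddr 10.1.1.5/40210 laddr 10.1.2.9/80",
    "<186>Apr 12 10:23:00 ace-2 /Admin : %ACE-2-111008: User 'ops' executed the 'rserver host web1' command.",
    "<186>Apr 12 10:23:30 ace-1 /Admin : %ACE-2-111008: User 'admin' executed the 'exit' command.",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for host, ctx in autosync_targets(SAMPLE_LINES):
        print(f"sync requested: host={host} device-id={ctx}")
```

The second sample line shows the failure mode the "logging message 111008 level 2" command prevents: a 111008 at its usual higher severity is parsed correctly but would be dropped by the trap level before it ever reached ANM.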
Discovering Large Numbers of Devices Using IP Discovery
The IP Discovery feature allows you to discover and import Cisco chassis and ACEs into the ANM
database as follows:
1. Preparing devices for discovery. This process involves enabling SSH and XML over HTTPS and
adding device credentials. See the “Preparing Devices for IP Discovery” section on page 5-28.
2. Discovering devices residing on your network. The ANM uses SSH, XML over HTTPS, and Telnet
to discover its supported devices. When you run IP Discovery, you locate IP addresses of ACE
chassis and appliances. See the “Running IP Discovery to Identify Devices” section on page 5-31.
After discovery, devices do not appear in the Devices table until device import is completed. To
import a specific chassis into the ANM database, you need to enter IP and credentials information
for the chassis and then import it and any associated modules. While this discovery method requires
you to add more information initially, it provides more control over the discovery process.
3. Importing the device information into the ANM database to add the device into the Devices table.
See the “Importing Network Devices into ANM” section on page 5-10.
4. After importing a module host device, such as a Catalyst 6500 series chassis, you can add ACE
modules and CSMs into the ANM database. See the “Importing ACE Modules after the Host Chassis
has been Imported” section on page 5-16 or the “Importing CSM Devices after the Host Chassis has
been Imported” section on page 5-19.
5. After you start a discovery job, you can monitor its status. See the “Monitoring IP Discovery Status”
section on page 5-33.
ANM offers multiple ways to accomplish some of these steps. For example, you can either run a
discovery job to identify the available chassis, and then choose the ones to import, or you can import a
specific chassis into the ANM database.
To add a chassis without running discovery, see the “Importing Cisco IOS Host Chassis and Chassis
Modules” section on page 5-11.
See the Supported Devices Table for Cisco Application Networking Manager for more information about
the devices that ANM supports.
This section includes the following topics:
• Preparing Devices for IP Discovery, page 5-28
• Running IP Discovery to Identify Devices, page 5-31
• Monitoring IP Discovery Status, page 5-33
Preparing Devices for IP Discovery
This section describes how to prepare your Cisco devices for IP Discovery by enabling SSH and Telnet on each device and by configuring device SSH and Telnet credentials through ANM. These tasks enable ANM to communicate with the devices and collect data from them.
Caution IP Discovery sends unencrypted credentials (Telnet and SNMP) to all devices on the specified subnet that respond on the associated ports. This is a potential security risk because credentials are broadcast out to one or more networks. IP Discovery may also find devices that cannot be imported or may not be able to locate devices that could be imported.
Guidelines and Restrictions
Network latency can prevent ANM from establishing a communication link with a device that you want
to import. When ANM is providing the device with the device credentials (username and password), by
default it waits two seconds after providing the device username for the password prompt to appear. The
link times out when it takes longer than two seconds for the next prompt to appear. For information about
possible causes of network latency that can create this issue and how to adjust the ANM timeout value,
see the “Modifying the ANM Timeout Setting to Compensate for Network Latency” section on page 5-9.
Before You Begin
Ensure that you have enabled SSH and Telnet in your Cisco network devices by performing the tasks
described in the following sections:
• Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers,
page 5-5
• Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance, page 5-6
This section includes the following topics:
• Configuring Device Access Credentials, page 5-29
• Modifying Credential Pools, page 5-30
Configuring Device Access Credentials
You can add device credentials to ANM before running IP Discovery.
Procedure
Step 1 Choose Config > Tools > Credential Pool Management.
The New Credential Pool window appears.
Step 2 In the Name field, enter the name of the new credential pool.
Step 3 Click Save to save this entry and to proceed with credentials configuration.
The configuration window appears.
Step 4 Set the Telnet credentials as follows:
a. Choose Configuration > Telnet Credentials. The Telnet Credentials table appears.
b. In the table, click Add to add a set of credentials to this credential pool, or choose an existing set of
credentials, and click Edit to modify it.
c. Enter the credentials (see Table 5-10).
d. Do one of the following:
– Click OK to save your entries and to return to the Telnet Credentials table.
– Click Cancel to exit this procedure without saving your entries and to return to the Telnet
Credentials table.
– Click Next to deploy your entries and to add another set of Telnet credentials.
Step 5 Set the SNMP credentials as follows:
a. Choose Configuration > SNMP Credentials. The SNMP Credentials table appears.
b. Click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it.
c. Enter the SNMP credentials (see Table 5-11).
Step 6 Do one of the following:
• Click OK to save your entries and to return to the SNMP Credentials table.
• Click Cancel to exit without saving your entries and to return to the SNMP Credentials table.
• Click Next to deploy your entries and to configure another set of SNMP credentials.
After establishing the Telnet and SNMP credentials, you are ready to run IP Discovery. See the “Running IP Discovery to Identify Devices” section on page 5-31.
Table 5-10 Telnet Credentials
Field: Description
IP Address: Specific IP address in dotted-decimal notation, or an asterisk (*) as a wildcard character to identify a number of devices, such as 192.168.11.*.
User Name: Telnet username for the specified devices.
Password: Telnet password for the specified devices.
Confirm: Telnet password that you reenter.
Enable Password: Telnet enable password for the specified devices. ANM uses this password during the Catalyst 6500 series chassis and Catalyst 6500 Virtual Switching System (VSS) 1440 import process.
Confirm: Telnet enable password that you reenter.
Table 5-11 SNMP Credentials
Field: Description
IP Address: Specific IP address in dotted-decimal notation, or an asterisk (*) as a wildcard character to identify a number of devices, such as 192.168.11.*.
Mode: Default version of SNMP selected for this credential pool. Snmpv2 indicates that SNMP version 2 is to be used for this credential pool for the specified devices.
RO Community: SNMP read-only string for the specified devices. This entry is case sensitive.
Timeout: Time, in seconds, that ANM waits for a response from a device before performing the first retry.
Retries: Number of times that ANM attempts to communicate with a device before declaring that the device has timed out.
Related Topics
• Running IP Discovery to Identify Devices, page 5-31
• Configuring Device Access Credentials, page 5-29
• Discovering Large Numbers of Devices Using IP Discovery, page 5-27
Modifying Credential Pools
You can modify existing Telnet or SNMP credentials.
Procedure
Step 1 Choose Config > Tools > Credential Pool Management.
The Credential Pools configuration window appears.
Step 2 Choose the credential pool that you want to modify.
The Edit Credential Pool configuration window appears.
Step 3 Click Edit.
Step 4 To modify the existing Telnet credentials, do the following:
a. Choose Configuration > Telnet Credentials. The Telnet Credentials table appears.
b. In the table, click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it.
c. Enter the Telnet credentials (see Table 5-10).
d. Do one of the following:
– Click OK to save your entries and to return to the Telnet Credentials table.
– Click Cancel to exit this procedure without saving your entries and to return to the Telnet Credentials table.
– Click Next to deploy your entries and to add another set of Telnet credentials.
Step 5 To modify the existing SNMP credentials, do the following:
a. Choose Configuration > SNMP Credentials. The SNMP Credentials table appears.
b. Click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it.
c. Enter the SNMP credentials (see Table 5-11).
d. Do one of the following:
– Click OK to save your entries and to return to the SNMP Credentials table.
– Click Cancel to exit without saving your entries and to return to the SNMP Credentials table.
– Click Next to deploy your entries and to configure another set of SNMP credentials.
Related Topics
• Running IP Discovery to Identify Devices, page 5-31
• Configuring Device Access Credentials, page 5-29
• Discovering Large Numbers of Devices Using IP Discovery, page 5-27
Running IP Discovery to Identify Devices
You can run IP Discovery to locate IP addresses of the Catalyst 6500 series chassis (hosting the ACE
module), ACE appliance, and Catalyst 6500 Virtual Switching System (VSS) devices.
After establishing Telnet and SNMP credentials (see the “Configuring Device Access Credentials”
section on page 5-29), use this procedure to identify chassis and ACEs on your network.
Caution IP Discovery sends unencrypted credentials (Telnet and SNMP) to all devices on the specified subnet that respond on the associated ports. This is a potential security risk because credentials are broadcast out to one or more networks. IP Discovery may also find devices that cannot be imported or be unable to find devices that could be imported.
Before You Begin
For this procedure, you need the following items:
• IP address for the discovery process.
• Applicable subnet mask.
• Valid credentials for this discovery (see the “Configuring Device Access Credentials” section on
page 5-29).
• Verification that the devices have SSH enabled (see the “Preparing Devices for IP Discovery”
section on page 5-28).
Procedure
Step 1 Choose Config > Tools > IP Discovery.
The Discovery Jobs table appears.
Tip If you already know the IP address of your devices, use the Config > Devices > Add function.
See the “Importing Network Devices into ANM” section on page 5-10.
Step 2 To create a discovery job, click Add.
The Discovery Jobs window appears.
Step 3 In the IP Address field, enter the IP address of a specific device in dotted-decimal notation such as
192.168.11.1.
Step 4 In the Netmask field, choose the subnet mask to be used. When you specify a subnet mask, the discovery
process discovers all devices in the range of the IP address and its subnet mask. The default netmask is
255.255.255.0.
Note Choose a higher subnet mask only if you are certain that it is appropriate for your network and
you understand the impact. If you choose the subnet mask for a class A or class B network, the
discovery process becomes extensive and can take a substantial amount of time to complete.
Step 5 In the Credential Pool field, choose the credential pool to be used for this discovery.
Step 6 Click Discover to run discovery now or Cancel to exit this procedure without running discovery.
When you run IP Discovery, the Discovery Jobs table reflects the state of the discovery as it runs. The
amount of time to finish a discovery job depends on the size of your network and network activity.
If necessary, click Stop to stop the discovery process. When the process has stopped, the Discovery Jobs
table appears with the discovery job in the table with the state Aborted.
Tip Click Refresh during IP Discovery to see the number of devices found as the discovery process
progresses.
Step 7 (Optional) View the discovery process status (see the “Monitoring IP Discovery Status” section on
page 5-33).
Step 8 (Optional) Import ACE devices into the ANM when the discovery process is complete (see the
“Importing Network Devices into ANM” section on page 5-10).
Related Topics
• Creating Virtual Contexts, page 6-2
• Importing Network Devices into ANM, page 5-10
• Using Configuration Building Blocks, page 16-1
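Two rules from this procedure and the credential tables it relies on, worked through as an added example that is not ANM code: the asterisk wildcard accepted in a credential pool's IP Address field (Table 5-10 and Table 5-11, such as 192.168.11.*) and the Step 4 note that a class A or class B netmask turns a discovery job into a very large sweep of cleartext credentials. Preferring the most specific matching pattern, the /16 "large sweep" threshold, and the sample pool are this example's assumptions, not documented ANM behaviour.

```python
import ipaddress
from typing import List, Optional, Tuple

# (IP Address field value, credential set name), as a pool would hold them.
CredentialPool = List[Tuple[str, str]]


def wildcard_matches(pattern: str, ip: str) -> bool:
    """True if dotted-quad ip matches a pool pattern such as 192.168.11.*.

    Any octet of the pattern may be '*'; every other octet must equal the
    corresponding octet of ip numerically (so 010 and 10 compare equal)."""
    p_octets, i_octets = pattern.split("."), ip.split(".")
    if len(p_octets) != 4 or len(i_octets) != 4:
        raise ValueError(f"expected dotted-quad values: {pattern!r}, {ip!r}")
    for p, i in zip(p_octets, i_octets):
        if p == "*":
            continue
        if not (p.isdigit() and i.isdigit()) or not (0 <= int(p) <= 255):
            raise ValueError(f"bad octet in {pattern!r} or {ip!r}")
        if int(p) != int(i):
            return False
    return True


def specificity(pattern: str) -> int:
    """Number of fixed (non-wildcard) octets; higher means a narrower match."""
    return sum(1 for o in pattern.split(".") if o != "*")


def select_credentials(pool: CredentialPool, ip: str) -> Optional[str]:
    """Pick the credential set whose pattern is the most specific match for ip.

    Preferring the narrowest pattern is an assumption of this example; the
    page does not state how ANM orders overlapping pool entries."""
    best: Optional[Tuple[str, str]] = None
    for pattern, name in pool:
        if wildcard_matches(pattern, ip) and (
            best is None or specificity(pattern) > specificity(best[0])
        ):
            best = (pattern, name)
    return None if best is None else best[1]


def discovery_scope(ip: str, netmask: str) -> Tuple[str, int, bool]:
    """Return (network, usable host count, large_sweep) for a discovery job.

    large_sweep is True for a class B (/16) or wider range, mirroring the
    Step 4 note; the /16 threshold is this example's choice. The page's
    default netmask 255.255.255.0 yields a 254-host sweep."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return str(net), usable, net.prefixlen <= 16


# Constructed pool: a catch-all, a lab subnet entry, and one core device.
SAMPLE_POOL: CredentialPool = [
    ("*.*.*.*", "fallback-readonly"),
    ("192.168.11.*", "lab-telnet"),
    ("192.168.11.1", "core-switch"),
]

if __name__ == "__main__":
    for target in ("192.168.11.1", "192.168.11.9", "10.0.0.1"):
        print(target, "->", select_credentials(SAMPLE_POOL, target))
    for mask in ("255.255.255.0", "255.255.0.0"):
        net, hosts, big = discovery_scope("192.168.11.1", mask)
        print(f"{net}: {hosts} hosts{'  (large sweep, confirm first)' if big else ''}")
```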
Monitoring IP Discovery Status
You can monitor device discovery status after starting a discovery job.
Procedure
Step 1 Click Config > Tools > IP Discovery.
The Discovery Jobs table appears with the following information for each discovery job:
• IP address
• Subnet mask
• Start Time in the format hh:mm:ss.nnn
• End Time, if available, in the format hh:mm:ss.nnn
• Credential Pool being used
• State of the discovery job, such as Running or Completed
• Number of devices found
Step 2 Locate your discovery job to see its current status.
If necessary, click Stop to stop the discovery process. When the process has stopped, the Discovery Jobs
table appears with the discovery job in the table with the state Aborted.
Step 3 When discovery is complete, choose the discovery job in the table. A list of the discovered devices
appears below the Discovery Jobs table.
You can now populate the ANM with chassis and ACEs. See the “Importing Network Devices into
ANM” section on page 5-10.
Related Topics
• Importing Network Devices into ANM, page 5-10
• Running IP Discovery to Identify Devices, page 5-31
• Information About Importing Devices, page 5-4
Configuring Devices
This section describes how to configure the devices that you add to ANM and includes the following
topics:
• Configuring Device System Attributes, page 5-34
• Configuring Catalyst 6500 Series Chassis or Cisco 7600 Series Router Interfaces, page 5-41
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
Note The ANM does not detect changes made to a chassis device through the CLI. Be sure to synchronize chassis configurations whenever the chassis configuration has been modified via the CLI.
Configuring Device System Attributes
This section shows how to configure the device system attributes. For the CSM, CSS, and GSS devices,
the system attributes consist of the primary attributes only. For the Catalyst 6500 series chassis, Catalyst
6500 Virtual Switching System (VSS) 1440 devices, and Cisco 7600 series routers, the system attributes
also include the static route attributes.
This section includes the following topics:
• Configuring CSM Primary Attributes
• Configuring CSS Primary Attributes
• Configuring GSS Primary Attributes
• Configuring Catalyst 6500 VSS 1440 Primary Attributes
• Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes
• Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices,
and Cisco 7600 Series Routers Static Routes
• Configuring VMware vCenter Server Primary Attributes
Configuring CSM Primary Attributes
You can configure primary attributes for CSM devices.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the CSM that you want to configure, and then choose System > Primary
Attributes.
The Primary Attributes window appears.
Step 3 In the Description field, enter a brief description of the module.
Step 4 Choose another CSM for high availability pairing from the Redundant Device field, which displays any
other CSM devices that have been imported into ANM.
Step 5 Click Deploy Now to deploy this configuration on the CSM and save your entries to the
running-configuration and startup-configuration files.
To exit this procedure without deploying your entries, choose another device in the device tree or in the
object selector above the configuration pane.
Related Topics
• Configuring Devices, page 5-34
• Importing ACE Modules after the Host Chassis has been Imported, page 5-16
Configuring CSS Primary Attributes
You can configure primary attributes for CSS devices.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the CSS that you want to configure, and then choose System > Primary
Attributes.
The Primary Attributes window appears with information about the device.
Step 3 Configure the CSS using the information in Table 5-12.
Note Most of the information is read directly from the device during the import process and cannot be changed using the ANM interface.
Table 5-12 CSS Primary Attributes Configuration Options
Field: Description
Description: Brief description for this device.
Device Type: Read-only field that shows the device type in gray.
Use Telnet: Read-only field that is checked if the device was imported using Telnet.
IP Address: Read-only field with the device IP address.
Redundant Device: Field that displays any other CSS devices that have been imported into the ANM database. Choose another CSS for high availability pairing.
SNMP v2c Enabled: Checkbox to enable SNMP version 2c access. Uncheck the checkbox to disable this feature. If you enable this feature, in the SNMP Trap Community string field, enter the SNMP community string.
SNMP v3 Enabled: Checkbox to enable SNMP Version 3 access. Uncheck the checkbox to disable this feature. If you enable this feature, do the following:
1. In the SNMP V3 User Name field, enter the SNMP username.
2. In the SNMP V3 Mode field, choose the level of security to be used when accessing the chassis:
• NoAuthNoPriv—SNMP uses neither authentication nor encryption in its communications.
• AuthNoPriv—SNMP uses authentication, but the data is not encrypted.
3. If you choose AuthNoPriv, do the following:
a. In the SNMP V3 Auth Proto field, choose MD5 or DES to specify the authentication mechanism.
b. In the SNMP V3 Auth Pass field, enter the user authentication password. Valid entries are unquoted text strings with no spaces and a maximum of 130 characters.
c. In the Confirm field, reenter the user authentication password.
Step 4 Click Deploy Now to deploy this configuration on the CSS and to save your entries to the running-configuration and startup-configuration files.
To exit this procedure without deploying your entries, choose another device in the device tree or in the object selector above the configuration pane.
Related Topics
• Configuring Devices, page 5-34
• Importing Network Devices into ANM, page 5-10
Configuring GSS Primary Attributes
You can configure primary attributes for Cisco Global Site Selector devices.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the GSS that you want to configure, and then choose System > Primary Attributes.
The Primary Attributes window appears with information about the device.
Step 3 Configure the GSS using the information in Table 5-13.
Step 4 (Optional) To update the IP address and/or password for the GSS on the ANM server only, click Update IP Address/Password.
The Update IP Address/Password window appears.
Note The password changes are for the ANM server only. The password and enable password on the device are not changed.
Enter new credentials in the Update IP Address/Password window using the information in Table 5-14.
Step 5 Do one of the following:
• Click OK to save any changes made to the GSS server IP address or password to the ANM server.
• Click Cancel.
You return to the Primary Attributes page.
Step 6 Click Deploy Now to deploy this configuration and save your entries to the gslb-configuration file.
To exit this procedure without deploying your entries, choose another device in the device tree or in the object selector above the configuration pane.
Table 5-13 GSS Primary Attributes Configuration Options
Field: Description
Description: Brief description for this device.
Device Type: Read-only field that shows the device type, in this case GSS, in gray.
IP Address: Device IP address.
Table 5-14 GSS Change IP Address and Password Options
Field: Description
Old Primary IP Address: Read-only field displaying the device IP address.
New Primary IP Address: IP address that you want the GSS to be associated with on the server.
Update: Available password update choices are as follows:
• Both—Update both the password and the enable password.
• Enable Password Only—Update only the enable password.
• Password Only—Update only the password.
New Password: New password.
Confirm New Password: New password that you reenter.
New Enable Password: New enable password.
Confirm New Enable Password: New enable password that you reenter.
Related Topics
• Configuring Devices, page 5-34
• Importing ACE Appliances, page 5-21
Configuring Catalyst 6500 VSS 1440 Primary Attributes
You can configure primary attributes for VSS devices.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device you want to configure, then choose System > Primary Attributes.
The Primary Attributes window appears with information about the chassis.
Most of the information is read directly from the device during the import process and cannot be changed
using the ANM interface. For example, a VSS-enabled checkbox will display as a read-only field. You
can, however, add a description and configure the device for SNMPv2 or SNMPv3 access.
Note For the ACE devices in VSS, the slot number is represented in the format switch number/slot
number.
Step 3 In the Description field, enter a brief description for the device.
Step 4 To enable SNMPv2c access, do the following:
a. Check the SNMPv2c Enabled checkbox.
b. In the SNMP Trap Community string field, enter the SNMP community string.
Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the All Devices table.
Related Topics
• Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42
• Displaying Modules by Chassis, page 5-79
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes
You can configure primary attributes for Catalyst 6500 series chassis and Cisco 7600 series routers.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to configure, and choose System > Primary
Attributes.
The Primary Attributes window appears.
Most of the information is read directly from the device during the import process and cannot be changed
using the ANM interface. However, you can add a description and configure the device for SNMPv2 or
SNMPv3 access.
Step 3 In the Description field, enter a brief description for the device.
Step 4 To enable SNMPv2c access, do the following:
a. Check the SNMPv2c Enabled checkbox.
b. In the SNMP Trap Community string field, enter the SNMP community string.
Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the All Devices table.
Related Topics
• Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42
• Displaying Modules by Chassis, page 5-79
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and
Cisco 7600 Series Routers Static Routes
You can configure static routes for the Catalyst 6500 series chassis, Catalyst 6500 Virtual Switching System (VSS) 1440 devices, and Cisco 7600 series routers. Though interfaces can be shared across contexts, the ACE supports only static routes for virtual contexts.
Note After a device static route has been created, you can modify only its administrative distance.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to configure, and choose Network > Static Routes.
The Static Routes table appears.
Step 3 In the Static Routes table, click Add to configure a new static route for the device, or choose an existing
static route, and click Edit to modify it.
The Static Routes configuration window appears.
Step 4 In the Destination Prefix field, enter the IP address for the route.
The address that you specify for the static route is the address that is in the packet before entering the
ACE and performing network address translation.
Step 5 In the Destination Prefix Mask field, choose the subnet for the static route.
Step 6 In the Next Hop field, enter the IP address of the gateway router for the route.
The gateway address must be on the same network as a VLAN interface for the device.
Step 7 In the Admin Distance field, enter the administrative distance value of the route.
The administrative distance is the first criterion that a router uses to determine which routing protocol
to use if two protocols provide route information for the same destination. The administrative distance
is a measure of the trustworthiness of the source of the routing information.
A lower administrative distance value indicates that the protocol is more reliable. Valid entries are from
0 to 255, with lower numbers indicating greater reliability. For example, a static route has an
administrative distance value of 1 while an unknown protocol has an administrative distance value of
255.
Table 5-15 lists default distance values of the protocols that Cisco supports.
Step 8 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Static Route table.
• Click Cancel to exit the procedure without saving your entries and to return to the Static Route table.
• Click Next to deploy your entries and to add another static route.
Related Topics
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
• Displaying All Device VLANs, page 5-49
• Importing Network Devices into ANM, page 5-10
Table 5-15 Cisco Default Distance Value Table
Route Source Administrative Distance Value
Connected interface 0
Static route 1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route 5
External Border Gateway Protocol (BGP) 20
Internal EIGRP 90
IGRP 100
OSPF (Open Shortest Path First) 110
Intermediate System-to-Intermediate System (IS-IS) 115
Routing Information Protocol (RIP) 120
Exterior Gateway Protocol (EGP) 140
On-Demand Routing (ODR) 160
External EIGRP 170
Internal BGP 200
Unknown 255
Configuring VMware vCenter Server Primary Attributes
You can configure the primary attributes for a selected VMware vCenter Server.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the VMware vCenter Server that you want to configure, and choose System >
Primary Attributes.
The Primary Attributes window appears.
Step 3 In the Primary Attributes window, configure the VMware vCenter Server primary attributes as described
in Table 5-16.
Step 4 Click Deploy Now to deploy this configuration on the VMware vCenter Server and return to the All
Devices table.
Related Topics
• Importing VMware vCenter Servers, page 5-24
Table 5-16 VMware vCenter Server Primary Attributes
Item Description
Description Brief description for the VMware vCenter Server.
Version VMware vCenter Server version number.
IP Address IP address of the VMware vCenter Server.
HTTPS Port Port number used by the VMware vCenter Server.
ANM vCenter Plug-in Registration Status Current status of the ANM plug-in:
• Registered
• Not Registered
For more information about ANM plug-in registration or to change the plug-in
registration status, see the “Registering or Unregistering the ANM Plug-in”
section on page B-5.
ANM IP Address IP address of the ANM server.
Configuring Catalyst 6500 Series Chassis or Cisco 7600 Series Router Interfaces
This section shows how to configure the interface attributes for the Catalyst 6500 series chassis or Cisco
7600 series router.
This section includes the following topics:
• Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42
• Configuring Access Ports, page 5-43
• Configuring Trunk Ports, page 5-44
• Configuring Switch Virtual Interfaces, page 5-45
• Configuring Routed Ports, page 5-46
Displaying Chassis Interfaces and Configuring High-Level Interface Attributes
You can display a complete list of interfaces on a selected Catalyst 6500 series chassis or Cisco 7600
series router. From this display, you can configure the following high-level attributes for a specified
interface: interface description, operating mode, and administrative state.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device, and choose Interfaces > Summary.
The Interfaces table appears, listing all interfaces on the device and related information as follows:
• Interface name
• Description, if available
• Configured state, such as Up or Down
• Current operational state, if known
• Mode of operation, such as Access, Routed, or Trunk
• Interface hardware type
Step 3 Choose the interface to configure, and click Edit.
The configuration window appears.
Step 4 Enter the following:
a. In the Description field, enter a brief description of the interface.
b. In the Administrative State field, choose Up or Down to indicate whether the port should be up or
down.
c. In the Mode field, choose the operational mode of the interface: Trunk, Access, or Routed.
d. Click Apply to save your changes or Cancel to exit the procedure without saving your changes.
The Interfaces table appears.
Related Topics
• Configuring Access Ports, page 5-43
• Configuring Trunk Ports, page 5-44
• Configuring Routed Ports, page 5-46
• Configuring Switch Virtual Interfaces, page 5-45
• Creating VLAN Groups, page 5-52
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
Configuring Access Ports
You can configure access port attributes for a selected device. An access port receives and sends traffic
in native formats with no VLAN tagging. Traffic that arrives on an access port is assumed to belong to
the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or
802.1Q tagged), the packet is dropped, and the source address is not learned.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to configure an access port for, and choose
Interfaces > Access Ports.
The Interfaces table appears.
Step 3 From the Interfaces table, choose the port that you want to configure, and click Edit.
The Access Ports configuration window appears.
Step 4 In the Description field, enter a description for the port.
Valid entries are unquoted text strings with a maximum of 240 characters including spaces.
Step 5 In the Administrative State field, choose Up or Down to indicate whether the port should be up or down.
Step 6 In the Speed field, either specify the speed at which the interface is to operate or that the interface is to
automatically negotiate its speed:
• Auto—The interface is to automatically negotiate speed with the connected device.
• 10 Mbps—The interface is to operate at 10 Mbps.
• 100 Mbps—The interface is to operate at 100 Mbps.
• 1000 Mbps—The interface is to operate at 1000 Mbps.
Step 7 In the Duplex Mode field, specify whether the interface is to automatically negotiate its duplex mode or
use full- or half-duplex mode:
• Auto—The interface is to automatically negotiate duplex mode with the connected device.
• Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send
and receive traffic at the same time.
• Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can
either send or receive traffic.
Step 8 In the VLANs field, enter individual names for each VLAN to which the interface belongs.
The allowable range is 1 to 4094.
Step 9 Do one of the following:
• Click Apply to save your entries and to return to the Interfaces table.
• Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table.
Related Topics
• Configuring Trunk Ports, page 5-44
• Configuring Switch Virtual Interfaces, page 5-45
• Configuring Routed Ports, page 5-46
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
Configuring Trunk Ports
You can configure trunk ports for a selected device. A trunk port carries the traffic of multiple VLANs
and by default is a member of all VLANs in the VLAN database. Two types of trunk ports are as follows:
• In an Inter-Switch Link (ISL) trunk port, all received packets are expected to be encapsulated with
an ISL header, and all transmitted packets are sent with an ISL header. Native (nontagged) frames
received from an ISL trunk port are dropped.
• An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q trunk
port is assigned a default port VLAN ID or native VLAN, and all untagged traffic travels on the
native VLAN. All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong
to the native VLAN. A packet with a VLAN ID that is equal to the outgoing port native VLAN is
sent untagged. All other traffic is sent with a VLAN tag.
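The access-port and trunk-port rules described in this section and in Configuring Access Ports above, as an added Python model that is not part of the guide and not ANM or switch code: it makes the ingress and egress decisions for an access port, an 802.1Q trunk and an ISL trunk. Port names, MAC addresses and frames are constructed; the 802.1Q tag and ISL header layouts used are the standard ones and are an assumption, not taken from this page.

```python
"""Ingress and egress handling for access ports, 802.1Q trunks and ISL trunks.

Added example, not ANM or switch code. It models only the rules the guide states:
access ports drop any tagged frame (ISL or 802.1Q) without learning its source
MAC; an 802.1Q trunk maps untagged frames and frames tagged with the NULL VLAN
ID (0) to the native VLAN and sends native-VLAN traffic untagged, all other
traffic tagged; an ISL trunk drops native (untagged) frames.
Ethernet layout used: dst(6) src(6) [0x8100 TCI(2)] ethertype(2) payload.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import struct

ETH_P_8021Q = 0x8100
ISL_DA_PREFIX = bytes.fromhex("01000c0000")  # 40-bit ISL destination address
ISL_HEADER_LEN = 26                          # bytes before the encapsulated frame

@dataclass
class Port:
    name: str
    mode: str                   # "access", "trunk-dot1q" or "trunk-isl"
    vlan: int = 1               # access VLAN, or native VLAN of an 802.1Q trunk
    mac_table: Dict[bytes, int] = field(default_factory=dict)  # learned src MAC -> VLAN

def parse_dot1q(frame: bytes) -> Tuple[bytes, Optional[int], bytes]:
    """Return (src_mac, vid, inner): vid is None when untagged, inner is the
    frame with any 802.1Q tag removed."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return src, tci & 0x0FFF, frame[:12] + frame[16:]  # low 12 TCI bits = VLAN ID
    return src, None, frame

def is_isl(frame: bytes) -> bool:
    return frame[:5] == ISL_DA_PREFIX and len(frame) >= ISL_HEADER_LEN + 14

def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify a received frame as (vlan, inner_frame), or None when dropped.
    The source MAC is learned only for accepted frames."""
    if port.mode == "access":
        if is_isl(frame):
            return None                                # ISL frame on access port: drop
        src, vid, inner = parse_dot1q(frame)
        if vid is not None:
            return None                                # 802.1Q frame on access port: drop
        vlan = port.vlan
    elif port.mode == "trunk-dot1q":
        src, vid, inner = parse_dot1q(frame)
        vlan = port.vlan if vid in (None, 0) else vid  # untagged or NULL VID: native VLAN
    elif port.mode == "trunk-isl":
        if not is_isl(frame):
            return None                                # native frame on ISL trunk: drop
        (vlan_field,) = struct.unpack("!H", frame[20:22])
        vlan = vlan_field >> 1                         # 15-bit VLAN ID; low bit is BPDU flag
        inner = frame[ISL_HEADER_LEN:]                 # trailing ISL CRC ignored here
        src = inner[6:12]
    else:
        raise ValueError(f"unknown port mode {port.mode!r}")
    port.mac_table[src] = vlan
    return vlan, inner

def egress(port: Port, vlan: int, inner: bytes) -> Optional[bytes]:
    """Frame that 'port' transmits for untagged 'inner' on 'vlan', or None when
    the port does not carry that VLAN (access and 802.1Q trunk ports only)."""
    if port.mode == "access":
        return inner if vlan == port.vlan else None    # one VLAN, always untagged
    if port.mode != "trunk-dot1q":
        raise ValueError("egress modelled for access and 802.1Q trunk ports only")
    if vlan == port.vlan:
        return inner                                   # native VLAN leaves untagged
    tag = struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)  # PCP and DEI left at zero
    return inner[:12] + tag + inner[12:]

# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("02000000aa01")
PAYLOAD = struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19  # IPv4 ethertype + dummy header
UNTAGGED = DST + SRC + PAYLOAD
TAGGED_10 = DST + SRC + struct.pack("!HH", ETH_P_8021Q, 10) + PAYLOAD
TAGGED_NULL = DST + SRC + struct.pack("!HH", ETH_P_8021Q, 0) + PAYLOAD
ISL_30 = (ISL_DA_PREFIX + b"\x00" + SRC + struct.pack("!H", len(UNTAGGED))  # DA, type/user, SA, LEN
          + b"\xaa\xaa\x03" + b"\x00\x00\x0c" + struct.pack("!H", 30 << 1)  # SNAP, HSA, VLAN<<1|BPDU
          + b"\x00\x00" + b"\x00\x00" + UNTAGGED)                            # INDEX, RES, frame

def demo() -> Dict[str, Optional[Tuple[int, bytes]]]:
    access = Port("Gi1/1", "access", vlan=20)
    dot1q = Port("Gi1/2", "trunk-dot1q", vlan=1)
    isl = Port("Gi1/3", "trunk-isl")
    return {
        "access_untagged": ingress(access, UNTAGGED),   # (20, UNTAGGED)
        "access_tagged": ingress(access, TAGGED_10),    # None: dropped, MAC not learned
        "dot1q_tagged": ingress(dot1q, TAGGED_10),      # (10, UNTAGGED)
        "dot1q_null_vid": ingress(dot1q, TAGGED_NULL),  # (1, UNTAGGED): native VLAN
        "isl_native": ingress(isl, UNTAGGED),           # None: native frame dropped
        "isl_tagged": ingress(isl, ISL_30),             # (30, UNTAGGED)
    }
```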
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to configure, and choose Interfaces > Trunk Ports.
The Interfaces table appears.
Step 3 In the Interfaces table, choose the port that you want to configure, and click Edit.
The Trunk Port configuration window appears.
Step 4 Configure the port using the information in Table 5-17.
Table 5-17 Trunk Port Configuration Attributes
Field Description
Description Description for the port. Valid entries are unquoted text strings with a maximum of 240 characters
including spaces.
Administrative State Up or Down to indicate whether the port should be up or down.
Speed Speed at which the interface is to operate or that the interface is to automatically negotiate its speed:
• Auto—The interface is to automatically negotiate speed with the connected device.
• 10 Mbps—The interface is to operate at 10 Mbps.
• 100 Mbps—The interface is to operate at 100 Mbps.
• 1000 Mbps—The interface is to operate at 1000 Mbps.
Duplex Mode Whether the interface is to automatically negotiate its duplex mode or use full-duplex or half-duplex
mode:
• Auto—The interface is to automatically negotiate duplex mode with the connected device.
• Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can
send and receive traffic at the same time.
• Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can
either send or receive traffic.
Trunk Mode How the interface is to interact with neighboring interfaces:
• Dynamic—The interface is to convert a link to a trunk link if the neighboring interface is set
to trunk or desirable mode.
• Dynamic Desirable—The interface is to actively attempt to convert a link to a trunk link. The
interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto
mode.
• Static—The interface is to enter permanent trunking mode and to negotiate converting a link
into a trunk link. The interface becomes a trunk interface even if the neighboring interface does
not change.
Desired Encapsulation Type of encapsulation to be used on the trunk port:
• Dot1Q—The interface is to use 802.1Q encapsulation.
• Negotiate—The interface is to negotiate with the neighboring interface to use ISL
(Inter-Switch Link) (preferred) or 802.1Q encapsulation, depending on the configuration and
capabilities of the neighboring interface.
• ISL—The interface is to use ISL encapsulation.
Native VLAN VLAN to use as the native VLAN for the trunk in 802.1Q trunking mode. VLAN 1 is the default
native VLAN.
VLANs VLANs to which the interface belongs (allowable range is 1-4094). You can also enter ranges of
VLANs, such as 101-120, 130.
Prune VLANs VLANs that can be pruned (allowable range is 1-4094). VTP pruning blocks unneeded flooded
traffic to VLANs on trunk ports that are included in this field. Only VLANs included in this field
can be pruned. You can also specify ranges of VLANs that can be pruned, such as 75, 121-250, 351.
Step 5 Do one of the following:
• Click Apply to save your entries and to return to the Interfaces table.
• Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table.
Related Topics
• Configuring Access Ports, page 5-43
• Configuring Switch Virtual Interfaces, page 5-45
• Configuring Routed Ports, page 5-46
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
Configuring Switch Virtual Interfaces
You can configure a switch virtual interface on a Multilayer Switch Feature Card. A VLAN defined on
the Multilayer Switch Feature Card (MSFC) is called a switch virtual interface (SVI). If you assign the
VLAN used for the SVI to an ACE, then the MSFC routes between the ACE and other Layer 3 VLANs.
By default, only one SVI can exist between an MSFC and an ACE. However, for multiple contexts, you
might need to configure multiple SVIs for unique VLANs on each context.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to configure, and choose Interfaces > Switched
Virtual Interfaces.
The Interfaces table appears.
Step 3 In the Interfaces table, click Add to add a new SVI, or choose the interface you want to configure, and
click Edit.
The Switched Virtual Interfaces configuration window appears.
Step 4 In the VLANs field, specify the VLAN to use in one of the following ways:
• To specify a new VLAN, choose the first radio button, and then enter a new VLAN.
• To choose an existing VLAN, choose the second radio button, and choose one of the existing
VLANs.
Note You cannot modify a VLAN for an existing SVI.
Step 5 In the Description field, enter a description for the SVI. Valid entries are unquoted text strings with a
maximum of 240 characters including spaces.
Step 6 In the Administrative State field, choose Up or Down to indicate whether the SVI should be up or down.
Step 7 In the IP Address field, enter the IP address to be used for the interface on the MSFC in dotted-decimal
format.
Step 8 In the Netmask field, choose the subnet mask to be used for the IP address.
Step 9 Do one of the following:
• Click Apply to save your entries and to return to the Interfaces table.
• Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table.
Related Topics
• Configuring Access Ports, page 5-43
• Configuring Trunk Ports, page 5-44
• Configuring Routed Ports, page 5-46
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
Configuring Routed Ports
You can configure routed ports on a specified device. A routed port is a physical port that acts like a port
on a router; however, it does not have to be connected to a router. A routed port is not associated with a
particular VLAN, as is an access port. A routed port behaves like a regular router interface, except that
it does not support VLAN subinterfaces. Routed ports can be configured with a Layer 3 routing protocol.
A routed port is a Layer 3 interface only and does not support Layer 2 protocols, such as Dynamic
Trunking Protocol (DTP) and Spanning Tree Protocol (STP).
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to configure, and choose Interfaces > Routed Ports.
The Interfaces table appears.
Step 3 In the Interfaces table, choose the interface that you want to configure, and click Edit.
The Routed Ports configuration window appears.
Step 4 In the Description field, enter a description for the interface. Valid entries are unquoted text strings with
a maximum of 240 characters including spaces.
Step 5 In the Administrative State field, choose Up or Down to indicate whether the interface should be up or
down.
Step 6 In the Speed field, either specify the speed at which the interface is to operate or that the interface is to
automatically negotiate its speed:
• Auto—The interface is to automatically negotiate speed with the connected device.
• 10 Mbps—The interface is to operate at 10 Mbps.
• 100 Mbps—The interface is to operate at 100 Mbps.
• 1000 Mbps—The interface is to operate at 1000 Mbps.
Step 7 In the Duplex Mode field, specify whether the interface is to automatically negotiate its duplex mode,
or use full- or half-duplex mode:
• Auto—The interface is to automatically negotiate duplex mode with the connected device.
• Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send
and receive traffic at the same time.
• Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can
either send or receive traffic.
Step 8 In the IP Address field, enter the IP address to be used for the interface in dotted-decimal format.
Step 9 In the Netmask field, choose the subnet mask to be used for the IP address.
Step 10 Do one of the following:
• Click Apply to apply your entries and to return to the Interfaces table.
• Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table.
Related Topics
• Configuring Trunk Ports, page 5-44
• Configuring Switch Virtual Interfaces, page 5-45
• Configuring Access Ports, page 5-43
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs
You can add VLANs and VLAN groups to a Catalyst 6500 series chassis or Cisco 7600 series router. You
use these VLANs when configuring the interfaces for an installed ACE module, which has no external
physical interfaces; instead, the ACE module uses internal VLAN interfaces. For information about
configuring VLANs for use with virtual contexts, see the “Configuring Virtual Context VLAN
Interfaces” section on page 12-6. For more information about VLANs and their use with ACE modules,
see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide.
This section includes the following topics:
• Adding Device VLANs, page 5-48
• Displaying All Device VLANs, page 5-49
• Configuring Device Layer 2 VLANs, page 5-50
• Configuring Device Layer 3 VLANs, page 5-51
• Creating VLAN Groups, page 5-52
Adding Device VLANs
You can add a VLAN to a Catalyst 6500 series chassis or Cisco 7600 series router.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to configure, and choose VLANs > Layer 2 or
VLANs > Layer 3.
The VLANs table appears.
Step 3 From the VLANs table, click Add.
The VLAN configuration window appears.
Step 4 Configure the VLAN using the information in Table 5-18.
Table 5-18 Device VLAN Configuration Attributes
Field Description
VLAN Unique identifier for the VLAN. Valid entries are from 1 to 4094.
Name Name for the VLAN.
Description Description for the VLAN. Valid entries are unquoted text strings with a maximum of 240 characters
including spaces.
Access Ports Access ports. From the Available Items list, click Add. To remove a port that you do not want to use,
choose the port from the Selected Items list, and click Remove.
Trunk Ports Trunk ports. From the Available Items list, click Add. To remove a port that you do not want to use,
choose the port from the Selected Items list, and click Remove.
VTP Domain Name of the VTP domain to which the VLAN belongs.
A VTP domain is made up of one or more interconnected network devices that share the same VTP
domain name. A network device can be configured to be in one and only one VTP domain.
IP Address Field that appears for Layer 3 VLANs only.
Enter the IP address to be used for the VLAN interface. Enter the IP address in dotted-decimal
notation, such as 192.168.1.1.
Mask Field that appears for Layer 3 VLANs only.
Choose the subnet mask to apply to the IP address.
Step 5 Do one of the following:
• Click Apply to apply your entries and to return to the VLAN Management table.
• Click Cancel to exit the procedure without saving your entries and to return to the VLAN
Management table.
Related Topics
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
• Configuring Device Layer 2 VLANs, page 5-50
• Configuring Device Layer 3 VLANs, page 5-51
• Displaying All Device VLANs, page 5-49
• Creating VLAN Groups, page 5-52
Displaying All Device VLANs
You can display all configured VLANs on a Catalyst 6500 series chassis or Cisco 7600 series router.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device with VLANs that you want to display, and choose VLANs >
Summary.
The VLANs table appears, listing all VLANs on the selected chassis and related information:
• VLAN number
• Name given to the VLAN
• VLAN type, such as Layer 2 or Layer 3
• Number of access ports
• Number of trunk ports
• VLAN Trunking Protocol (VTP) domain to which the VLAN belongs
Related Topics
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
• Configuring Device Layer 2 VLANs, page 5-50
• Configuring Device Layer 3 VLANs, page 5-51
• Displaying All Device VLANs, page 5-49
• Creating VLAN Groups, page 5-52
Configuring Device Layer 2 VLANs
You can add or modify a Layer 2 VLAN on a Catalyst 6500 series chassis or Cisco 7600 series router.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to configure a Layer 2 VLAN for, and choose
VLANs > Layer 2.
The VLANs table appears, listing all Layer 2 VLANs associated with the chassis.
Step 3 Click Add to add a new VLAN, or choose an existing VLAN, and then click Edit to modify it.
The VLAN configuration window appears.
Step 4 Configure the VLAN using the information in Table 5-18.
Step 5 Do one of the following:
• Click Apply to apply your entries and to return to the VLAN Management table.
• Click Cancel to exit the procedure without saving your entries and to return to the VLAN
Management table.
Related Topics
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
• Adding Device VLANs, page 5-48
• Configuring Device Layer 3 VLANs, page 5-51
• Displaying All Device VLANs, page 5-49
• Creating VLAN Groups, page 5-52
Configuring Device Layer 3 VLANs
You can add or modify a Layer 3 VLAN on a Catalyst 6500 series chassis or Cisco 7600 series router.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to configure a Layer 3 VLAN for, and choose
VLANs > Layer 3.
The VLANs table appears, listing all Layer 3 VLANs associated with the chassis.
Step 3 In the VLANs table, click Add to add a new VLAN, or choose an existing VLAN, and click Edit to
modify it.
The VLAN configuration window appears.
Step 4 Configure the VLAN using the information in Table 5-18.
Step 5 Do one of the following:
• Click Apply to apply your entries and to return to the VLAN Management table.
• Click Cancel to exit the procedure without saving your entries and to return to the VLAN
Management table.
Related Topics
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
• Information About Virtual Contexts, page 6-2
Modifying Device VLANs
You can modify VLANs for a specific device.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device with the VLAN that you want to modify, and choose VLANs >
Layer 2 or VLANs > Layer 3.
The VLANs table appears.
Step 3 Choose the VLAN you want to modify, and then click Edit.
The VLAN configuration window appears.
Step 4 Modify the VLAN configuration using the information in Table 5-18.
Step 5 Do one of the following:
• Click Apply to save your entries and to return to the VLANs table.
• Click Cancel to exit the procedure without saving your entries and to return to the VLANs table.
Related Topics
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
• Displaying All Device VLANs, page 5-49
• Adding Device VLANs, page 5-48
• Creating VLAN Groups, page 5-52
Creating VLAN Groups
You can create VLAN groups on a Catalyst 6500 series chassis or Cisco 7600 series router and assign
each group to an ACE module. For an ACE module to receive traffic from the Catalyst supervisor module
and VSS devices, you must create VLAN groups on the supervisor module and then assign the groups
to the ACE module. After the VLANs have been assigned from the supervisor module to the ACE module,
you can configure the VLANs on the ACE module.
You cannot assign the same VLAN to multiple groups; however, you can assign multiple groups to an
ACE module. For example, VLANs that you want to assign to multiple ACE modules can reside in a
separate group from VLANs that are unique to each ACE module.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the device that you want to create a VLAN group for, and choose VLANs >
Groups.
The Groups table appears.
Step 3 Click Add to add a new VLAN group, or choose an existing VLAN group, and click Edit to modify it.
The Groups configuration window appears.
Step 4 In the VLAN Group Id field, enter a unique numerical identifier for the VLAN group.
Valid entries are integers from 1 to 65535. The available module slot numbers appear below this field.
Step 5 In the Module Slot Numbers field, select the ACE module or modules that you want to associate with
the VLAN group.
Step 6 Double-click a slot number, or select it and click the arrow to the right of the Available Modules field,
to move the slot number to the Selected field.
Step 7 In the VLANs field, enter the VLANs to be included in the VLAN group. Valid entries are individual
VLAN IDs or ranges of VLANs (allowable range is 1-4094), such as 10, 50-110.
Step 8 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Groups table.
• Click Cancel to exit the procedure without saving your entries and to return to the Groups table.
• Click Next to deploy your entries and to add another VLAN group.
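The VLAN list syntax accepted by the VLANs and Prune VLANs fields of Table 5-17 and by the VLAN group procedure above (entries such as 101-120, 130 or 10, 50-110), as an added Python example that is not ANM code: it expands and validates such entries against the 1-4094 range and checks a set of VLAN groups against the rule that no VLAN may be assigned to more than one group. The exact grammar (comma-separated items, single IDs or low-high ranges, whitespace ignored) and the error handling are assumptions.

```python
"""Expand and validate ANM VLAN list entries such as "75, 121-250, 351" and
check VLAN group assignments. Added example, not ANM code. Assumed grammar:
comma-separated items, each a single VLAN ID or "low-high", with surrounding
whitespace ignored; the 1-4094 VLAN range and 1-65535 group ID range are the
limits the guide states."""
import re
from typing import Dict, List, Set

VLAN_MIN, VLAN_MAX = 1, 4094
GROUP_MIN, GROUP_MAX = 1, 65535
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(text: str) -> Set[int]:
    """Expand '10, 50-110' into {10, 50, 51, ..., 110}. Raises ValueError for
    a malformed or empty item, a reversed range, or an ID outside 1-4094."""
    vlans: Set[int] = set()
    for raw in text.split(","):
        item = raw.strip()
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"malformed VLAN item {item!r} in {text!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            raise ValueError(f"reversed range {item!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN outside {VLAN_MIN}-{VLAN_MAX}: {item!r}")
        vlans.update(range(low, high + 1))
    return vlans


def format_vlan_list(vlans: Set[int]) -> str:
    """Collapse a VLAN set back into the compact form, e.g. '10, 50-110'."""
    ids = sorted(vlans)
    parts: List[str] = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:  # extend the run
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ", ".join(parts)


def validate_vlan_groups(groups: Dict[int, str]) -> Dict[int, Set[int]]:
    """Check VLAN groups (group ID -> VLAN list text) against the guide's rules:
    group IDs are 1-65535 and no VLAN may belong to more than one group.
    Returns the expanded groups."""
    expanded: Dict[int, Set[int]] = {}
    owner: Dict[int, int] = {}  # VLAN -> group that already claims it
    for gid, text in groups.items():
        if not GROUP_MIN <= gid <= GROUP_MAX:
            raise ValueError(f"VLAN group ID {gid} outside {GROUP_MIN}-{GROUP_MAX}")
        vlans = parse_vlan_list(text)
        dup = {v for v in vlans if v in owner}
        if dup:
            raise ValueError(f"VLAN(s) {format_vlan_list(dup)} in group {gid} "
                             f"already belong to group {owner[min(dup)]}")
        for v in vlans:
            owner[v] = gid
        expanded[gid] = vlans
    return expanded


def demo() -> Dict[int, Set[int]]:
    # Constructed configuration: two groups for one ACE module that share no VLAN.
    return validate_vlan_groups({10: "10, 50-70", 20: "75, 121-250, 351"})
```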
Related Topics
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
• Configuring Device Layer 3 VLANs, page 5-51
• Configuring Device Layer 2 VLANs, page 5-50
• Displaying All Device VLANs, page 5-49
Configuring ACE Module and Appliance Role-Based Access
Controls
ANM provides an interface for configuring Role-Based Access Control (RBAC) on the device itself. This
feature applies only to ACE modules and appliances, takes effect only on the device, and is not enforced
by ANM. To set up authorization within ANM, go to Admin > Role-Based Access Control.
This section includes the following topics:
• Configuring Device RBAC Users, page 5-53
• Configuring Device RBAC Roles, page 5-56
• Configuring Device RBAC Domains, page 5-61
Configuring Device RBAC Users
ANM provides an interface for configuring user access to your device through role-based access
controls on the device only. This configuration takes effect only on the device and is not enforced by
ANM.
Use the Role-Based Access Control feature to specify the users who are allowed to log in to a device.
This section includes the following topics:
• Guidelines for Managing Users, page 5-53
• Displaying a List of Device Users, page 5-54
• Configuring Device User Accounts, page 5-54
• Modifying Device User Accounts, page 5-55
• Deleting Device User Accounts, page 5-56
Guidelines for Managing Users
Follow these guidelines for managing users:
• For users that you create in the Admin context, the default scope of access is the entire ACE. For users
that you create in other contexts, the default scope of access is the entire context.
• If you do not assign a role to a new user, the default user role is Network-Monitor.
• Users cannot log in until they are associated with a domain and a user role.
• You cannot delete roles and domains that are associated with an existing user.
Related Topics
• Configuring Device RBAC Users, page 5-53
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Displaying a List of Device Users
You can display a list of the users that can access an ACE context.
Procedure
Step 1 Choose Config > Devices > context > Role-Based Access Control > Users.
The Users table appears with the following fields:
• User Name
• Expiry Date
• Role
• Domains
Step 2 (Optional) You can use the options in this window to create a new user or modify or delete any existing
user to which you have access (see Table 5-19).
Related Topics
• Configuring Device RBAC Users, page 5-53
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Configuring Device User Accounts
You can add or modify a user account in a selected ACE context.
Note This configuration is applicable only on the device or building block and is not enforced by ANM. To
manipulate ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Device RBAC > Users.
• To configure a configuration building block, choose Config > Global > Building Blocks >
building_block > Role-Based Access Control > Users.
A list of users appears.
Step 2 In the Users table, click Add to add a new user, or choose the user that you want to configure and click
Edit.
The Users configuration window appears.
Step 3 Configure the user attributes using the information in Table 5-19.
Step 4 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
The Users table appears.
Related Topics
• Configuring Device RBAC Users, page 5-53
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Modifying Device User Accounts
You can modify an existing user account in a selected ACE context.
Note This configuration is applicable only on the device or building block and will not be enforced by ANM.
To manipulate ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Device RBAC > Users.
• To configure a configuration building block, choose Config > Global > Building Blocks >
building_block > Role-Based Access Control > Users.
A table of users, expiration dates, roles, and domains appears.
Step 2 Choose the user account that you want to modify.
Step 3 Click Edit.
Step 4 Modify any of the attributes in the table (see Table 5-19).
Table 5-19 User Attributes
Field: Description
User Name: Name by which the user is to be identified (up to 24 characters). Only letters, numbers, and an underscore can be used. The field is case sensitive.
Expiry Date: Date that the user account expires (optional).
Password Entered As: Password for this user account. You can choose Clear Text or Encrypted Text.
Password: Password for the user account.
Confirm Password: Password for this account that you reenter.
Encryption: Password in either clear or encrypted text.
Role: Role that you customize or accept as an existing role. To enter the Role for this user, see the “Configuring Device User Roles” section on page 5-58. See Table 5-20 for details about setting up new roles.
Domains: Domains to which this user belongs. Use the Add and Remove buttons.
Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
The Users table appears.
Related Topics
• Configuring Device RBAC Users, page 5-53
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Deleting Device User Accounts
You can delete an existing device RBAC user account in a selected ACE context.
Note This configuration is applicable only on the device or building block and will not be enforced by ANM.
To manipulate ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Device RBAC > Users.
• To configure a configuration building block, choose Config > Global > Building Blocks >
building_block > Role-Based Access Control > Users.
A table of users, roles, and domains appears.
Step 2 In the table, choose the user account to delete, and click Delete.
A confirmation window appears.
Step 3 In the confirmation window, do one of the following:
• Click OK to remove the user account from the ANM database and return to the Users table.
• Click Cancel to return to the Users table without deleting the user account.
Related Topics
• Configuring Device RBAC Users, page 5-53
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Configuring Device RBAC Roles
This section shows how to configure RBAC roles and includes the following topics:
• Guidelines for Managing User Roles, page 5-57
• Role Mapping in Device RBAC, page 5-57
• Configuring Device User Roles, page 5-58
• Modifying Device User Roles, page 5-60
• Deleting Device User Roles, page 5-60
Guidelines for Managing User Roles
Follow these guidelines to manage user roles:
• Administrators can view and modify all roles.
• Other users can view only the roles assigned to them.
• You cannot change the default roles.
• Role permissions differ depending on whether the role was created in the Admin context or in a user context. If you want to allow users to switch between contexts, ensure that they have a predefined role. If you want to restrict a user to only their home context, assign them a customized user role.
• Certain role features are available only to default roles, for example, an Admin role in the Admin
context would have changeto and system permissions to perform tasks such as license management,
resource class management, HA setup, and so on. User-created roles cannot use these features.
Related Topics
• Role Mapping in Device RBAC, page 5-57
• Controlling Access to Cisco ANM, page 18-3
• Configuring Device RBAC Users, page 5-53
• Configuring Device RBAC Roles, page 5-56
• Configuring Device RBAC Domains, page 5-61
• How ANM Handles Role-Based Access Control, page 18-8
Role Mapping in Device RBAC
When you are logged into a specific device RBAC, you see the tasks that you have been given permission
to access. Features and menus that are not applicable for your role will not display.
Since the predefined roles encompass all the role types you may need, we encourage you to use them. If you choose to define your own roles, be aware that rule features are not a one-to-one mapping from a CLI feature to an ANM menu task.
Defining the proper rules for your user-defined role will require you to create a mapping between the
features in Device RBAC and the ANM menu tasks. For example, in order to manage virtual servers, you
must choose the following six menu features (Real Servers, Server Farms, VIP, Probes, Loadbalance,
NAT, and Interface) in your role.
Note Certain features in ANM do not have a corresponding feature mapping on the CLI. For example, class maps and SNMP do not have a corresponding feature mapping. To modify these features, you need to choose a predefined role that contains at least one feature with the Modify permission on it.
Related Topics
• How ANM Handles Role-Based Access Control, page 18-8
• Understanding Roles, page 18-6
Configuring Device User Roles
You can edit the predefined roles, or you can create or edit user-defined roles. When you create a new
role, you specify a name and description of the new role, and then choose the operations privileges for
each task. You can also assign this role to one or more users.
Note This configuration is applicable only on the device or building block and will not be enforced by the
ANM. To manipulate the ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Device RBAC > Roles.
• To configure a configuration building block, choose Config > Global > Building Blocks >
building_block > Role-Based Access Control > Roles.
A table of the defined roles and their settings appears.
Step 2 In the table, choose the type of configuration that you want to perform as follows:
• To add a new role, click Add, enter the attributes described in Table 5-20, and then click Deploy
Now to deploy this configuration on the ACE and save your entries to the running-configuration and
startup-configuration files.
• To edit an existing role, choose the role, and click Edit.
The Roles configuration window appears.
Step 3 Click Edit.
The Rule table appears.
Step 4 In the Rule table, click Add to create rules for this role, or choose the rule that you want to configure,
and click Edit.
See Table 5-21 for rule attribute descriptions.
Table 5-20 Role Attributes
Attribute Description
Name Name of the role.
Description Brief description of the role.
Step 5 Click Deploy Now to update the rule for this role or click Next to deploy this rule and move to another
rule.
Step 6 Click Deploy Now to update this role and save this configuration to the running-configuration and
startup-configuration files.
Related Topics
• Configuring Device RBAC Roles, page 5-56
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Table 5-21 Rule Attributes
Attribute: Description
Rule Number: Number assigned to this rule.
Permission: Permit or deny the specified operation.
Operation: Create, debug, modify (see footnote 1), and monitor the specified feature.
Feature: AAA, Access List, Change To Context, Config Copy, Connection, DHCP, Exec-Commands, Fault Tolerant, Inspect, Interface, Load Balance, NAT, PKI, Probe, Real Inservice, Routing, Real Server, Server Farm, SSL (see footnote 2), Sticky, Syslog, and VIP.
The Changeto feature allows you to move from the Admin context to another virtual context and maintain the same role with the same privileges in the new context that you had in the Admin context. This feature applies only to the Admin context and to the following ACE software versions:
• ACE module software Version A2(1.3) and later releases.
• ACE appliance software Version A3(2.2) and later releases.
The Exec-commands feature enables all default custom role commands in the ACE. The default custom role commands are capture, debug, gunzip, mkdir, move, rmkdir, tac-pac, untar, write, and undebug. This feature applies to both Admin and user contexts and to the following ACE software versions:
• ACE module software Version A2(1.3) and later releases.
• ACE appliance software Version A3(2.2) and later releases.
1. Certain features are not available for certain operations. For modify, the following features cannot be used: Changeto, config-copy, DHCP, Exec-commands, NAT, real-inservice, routing, and syslog.
2. For all SSL-related operations, a user with a custom role should include the following two rules: a rule that includes the SSL feature, and a rule that includes the PKI feature.
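As an added example that is not part of this guide or of ANM, the following Python script models a custom role as the rule attributes of Table 5-21 and checks a drafted rule set against the table's two footnotes before the role is deployed. The Rule class, lint_role() and modify_surface() are this example's own; the mapping of the short feature names in footnote 1 (Changeto, config-copy, real-inservice) onto the names in the Feature column is an assumption, as is the sample role.

```python
"""Pre-deployment lint for a custom ACE device RBAC role (added example).

Models a role as the rule tuples of Table 5-21 and flags rule sets that the
table's footnotes say will not work. Only the operation, feature and footnote
lists come from the table; the classes and functions are this example's own.
"""
from dataclasses import dataclass
from typing import List

PERMISSIONS = {"permit", "deny"}
OPERATIONS = {"create", "debug", "modify", "monitor"}
FEATURES = {
    "AAA", "Access List", "Change To Context", "Config Copy", "Connection",
    "DHCP", "Exec-Commands", "Fault Tolerant", "Inspect", "Interface",
    "Load Balance", "NAT", "PKI", "Probe", "Real Inservice", "Routing",
    "Real Server", "Server Farm", "SSL", "Sticky", "Syslog", "VIP",
}
# Table 5-21, footnote 1: the modify operation cannot be used with these.
# Assumption: footnote names (Changeto, config-copy, real-inservice) map onto
# the Feature column names used here.
NO_MODIFY = {
    "Change To Context", "Config Copy", "DHCP", "Exec-Commands", "NAT",
    "Real Inservice", "Routing", "Syslog",
}


@dataclass(frozen=True)
class Rule:
    number: int
    permission: str
    operation: str
    feature: str


def lint_role(rules: List[Rule]) -> List[str]:
    """Return a list of findings; an empty list means the rule set is clean."""
    findings = []
    seen_numbers = set()
    for r in rules:
        where = f"rule {r.number}"
        if r.number in seen_numbers:
            findings.append(f"{where}: duplicate rule number")
        seen_numbers.add(r.number)
        if r.permission not in PERMISSIONS:
            findings.append(f"{where}: unknown permission {r.permission!r}")
        if r.operation not in OPERATIONS:
            findings.append(f"{where}: unknown operation {r.operation!r}")
        if r.feature not in FEATURES:
            findings.append(f"{where}: unknown feature {r.feature!r}")
        elif r.operation == "modify" and r.feature in NO_MODIFY:
            findings.append(
                f"{where}: modify is not available for {r.feature} (footnote 1)")
    # Table 5-21, footnote 2: SSL work needs both an SSL rule and a PKI rule.
    features = {r.feature for r in rules}
    if "SSL" in features and "PKI" not in features:
        findings.append("role has an SSL rule but no PKI rule (footnote 2)")
    return findings


def modify_surface(rules: List[Rule]) -> List[str]:
    """Features this role may change: a quick least-privilege review aid."""
    return sorted({r.feature for r in rules
                   if r.permission == "permit" and r.operation == "modify"})


# Constructed sample: a load-balancer operator role drafted for review.
LB_OPERATOR = [
    Rule(1, "permit", "monitor", "Load Balance"),
    Rule(2, "permit", "modify", "Real Server"),
    Rule(3, "permit", "modify", "Server Farm"),
    Rule(4, "permit", "modify", "SSL"),   # footnote 2: PKI rule missing
    Rule(5, "permit", "modify", "NAT"),   # footnote 1: modify not allowed
]

if __name__ == "__main__":
    for finding in lint_role(LB_OPERATOR):
        print(finding)
    print("modify surface:", modify_surface(LB_OPERATOR))
```

Running the script on the sample role reports the NAT modify rule and the missing PKI rule; modify_surface() lists what the role could change, which is the list to compare against the operator's actual duties before clicking Deploy Now.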
Modifying Device User Roles
You can modify any user-defined role.
Note This configuration is applicable only on the device or building block and will not be enforced by ANM.
To manipulate ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Device RBAC > Roles.
• To configure a configuration building block, choose Config > Global > Building Blocks >
building_block > Role-Based Access Control > Roles.
A table of the defined roles and their settings appears.
Step 2 In the table, choose the role that you want to modify.
Step 3 Click Edit. For details on updating role rules, see Table 5-21.
Step 4 Make the changes.
For details on updating role rules, see the “Adding, Editing, or Deleting Rules” section on page 5-61.
Step 5 Click Deploy Now to update the rules for this role and save this configuration to the
running-configuration and startup-configuration files.
Related Topics
• Configuring Device RBAC Roles, page 5-56
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Deleting Device User Roles
You can delete any user-defined roles.
Note This configuration is applicable only on the device or building block and will not be enforced by ANM.
To manipulate ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Device RBAC > Roles.
• To configure a configuration building block, choose Config > Global > Building Blocks >
building_block > Role-Based Access Control > Roles.
The Roles table appears.
Step 2 In the Roles table, choose the role to delete, and click Delete.
Step 3 Click OK to confirm the deletion.
Users that have the deleted role no longer have that access.
Related Topics
• Configuring Device RBAC Roles, page 5-56
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Adding, Editing, or Deleting Rules
You can change or delete rules to redefine what feature access a specific role contains.
Note This configuration is applicable only on the device or building block and will not be enforced by ANM.
To manipulate ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 After selecting the user-defined role, click Edit.
The Rule window appears.
Step 2 Do one of the following:
• To create a new rule, click Add. Enter the rule information (see Table 5-21 on page 5-59), and then
click Deploy Now to add the rule or Next to deploy this rule and add another rule.
• To change an existing rule, choose a rule and click Edit. Click Deploy Now to save this rule to the
running-configuration and startup-configuration files.
• To remove rules from a role, choose the rules to remove, and click Delete. Click OK to confirm the deletion.
Step 3 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Related Topics
• Configuring Device RBAC Roles, page 5-56
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Configuring Device RBAC Domains
You can configure device RBAC domains.
This section includes the following topics:
• Guidelines for Managing Domains, page 5-62
• Displaying Domains for a Device, page 5-62
• Configuring Device Domains, page 5-63
• Modifying Device Domains, page 5-65
• Deleting Device Domains, page 5-65
Related Topics
• Information About Device Management, page 5-2
• How ANM Handles Role-Based Access Control, page 18-8
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Guidelines for Managing Domains
Follow these guidelines for managing domains:
• Devices and their components must already be configured in order for them to be added to a domain.
• Domains are logical concepts. You do not delete a member of a domain when you delete the domain.
• The predefined default domain cannot be modified or deleted.
• Normally, a user is associated with the default domain, which allows the user to see all
configurations within the context. When a user is configured with a customized domain, then the
user can see only what is in the domain.
Related Topics
• Configuring Device RBAC Domains, page 5-61
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Displaying Domains for a Device
You can display domains for a device.
Note Your user role determines whether you can use this option.
Procedure
Step 1 Choose the item to view:
• To view a domain for the device’s virtual context, choose Config > Devices > context > Device
RBAC > Domains.
• To view a domain for a configuration building block, choose Config > Global > Building Blocks >
building block > Role-Based Access Control > Domains.
The Domains table appears.
Step 2 Expand the Domains table until you can see all the network domains.
Step 3 Choose a domain to display the settings for that domain.
You can also perform these tasks from this window:
• Configuring Device Domains, page 5-63
• Modifying Device Domains, page 5-65
• Deleting Device Domains, page 5-65
Related Topics
• Configuring Device RBAC Domains, page 5-61
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Configuring Device Domains
You can add or modify domains on a selected device, such as a Catalyst 6500 series chassis.
Note This configuration is applicable only on the device or building block and will not be enforced by ANM.
To manipulate ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Device RBAC > Domains.
• To configure a configuration building block, choose Config > Global > Building Blocks >
building_block > Role-Based Access Control > Domains.
The Domains table appears.
Step 2 In the Domains table, choose the type of configuration that you want to perform:
• To add a new domain, click Add, enter the Domain Name, and then click Deploy Now to deploy this
configuration on the ACE and save your entries to the running-configuration and
startup-configuration files.
• To edit a domain, choose the domain that you want to configure, and then click Edit.
The Domain Object field appears below the Domain Name in the content area.
Step 3 Click Edit to enter the Domain Object table.
Step 4 In the Domain Object table, choose the type of configuration that you want to perform:
• Click Add to create domain objects for this domain. See Table 5-22 for Domain Object attributes.
• To remove an object, choose the object that you want to remove, and then click Delete.
Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
The Domains Edit window updates and displays the total object number next to the object name.
Related Topics
• Configuring Device RBAC Domains, page 5-61
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Table 5-22 Domain Attributes
Field: Description
Name: Field that appears when a specific object type is selected. Name of an existing defined object.
All Objects: Collection of objects in this domain. The following options may be available depending on your virtual context:
• All
• Access List EtherType
• Access List Extended
• Class Map
• Interface VLAN
• Interface BVI
• Parameter Map
• Policy Map
• Probe
• Real Server
• Script
• Server Farm
• Sticky
Modifying Device Domains
You can change the settings in a domain.
Note This configuration is applicable only on the device or building block and will not be enforced by ANM.
To manipulate ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Device RBAC > Domains.
• To configure a configuration building block, choose Config > Global > Building Blocks >
building_block > Role-Based Access Control > Domains.
Step 2 Choose the domain that you want to edit.
Step 3 Click Edit.
The Edit Domain window appears.
Step 4 Edit the object fields (see Table 5-22).
Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Related Topics
• Configuring Device RBAC Domains, page 5-61
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Deleting Device Domains
You can delete a network domain from ANM, and all the devices and subdomains that it contains.
Note This configuration is applicable only on the device or building block and will not be enforced by ANM.
To manipulate ANM RBAC, go to Admin > Role-Based Access Control.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Device RBAC > Domains.
• To configure a configuration building block, choose Config > Global > Building Blocks >
building_block > Role-Based Access Control > Domains.
The Domains table appears.
Step 2 In the Domains table, choose the domain that you want to delete.
Step 3 Click Delete.
A prompt asks you to confirm this action.
Step 4 Click OK.
The domain is removed from the ANM database.
Related Topics
• Configuring Device RBAC Domains, page 5-61
• Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53
Managing Devices
This section describes how to manage devices.
This section includes the following topics:
• Synchronizing Device Configurations, page 5-66
• Mapping Real Servers to VMware Virtual Machines, page 5-68
• Instructing ANM to Recognize an ACE Module Software Upgrade, page 5-71
• Configuring User-Defined Groups, page 5-72
• Changing Device Credentials, page 5-75
• Changing ACE Module Passwords, page 5-77
• Restarting Device Polling, page 5-78
• Displaying All Devices, page 5-78
• Displaying Modules by Chassis, page 5-79
• Removing Modules from the ANM Database, page 5-80
Synchronizing Device Configurations
ANM provides three levels of synchronization. You can choose to synchronize from the device to ANM
as follows:
• From the chassis level—Use this level when you want to synchronize Catalyst 6500 series chassis
and module updates. See the “Synchronizing Chassis Configurations” section on page 5-67.
• From the ACE module level—Use this level when you want to synchronize changes to your ACE or
CSM modules, such as new virtual contexts. See the “Synchronizing Module Configurations”
section on page 5-67.
• From the virtual context level —Use this level in the Admin context to synchronize all current and
new virtual contexts or at the user context level to synchronize a specific user context. See the
“Synchronizing Virtual Context Configurations” section on page 6-105.
Caution If you see a difference in device information between what ANM displays and what you see by directly accessing the device through the CLI, ANM displays the data that is the least accurate. This condition can occur when the device is modified outside of ANM by using the CLI. We recommend that you synchronize the network devices to ANM using the synchronization option, which makes the ANM data more accurate.
Synchronizing Chassis Configurations
You can manually synchronize the configuration for Catalyst 6500 series switches, CSS devices, GSS devices, and ACE appliances when there have been changes to a device that are not tracked in ANM.
Note ANM does not support auto synchronization for the Catalyst 6500 series switches, Cisco 7600 series
routers, CSM, CSS, GSS, or VSS devices. Be sure to synchronize configurations on these devices after
import, and whenever their configurations have been modified through the CLI.
The following require synchronization:
• Upgrading chassis hardware or software
• Adding new modules to the chassis
• Removing a module from a chassis
• Rearranging modules within the chassis
• Upgrading module software
• Changing the chassis configuration using the CLI instead of the ANM
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the device with the configuration that you want to synchronize, and click
CLI Sync.
A popup confirmation window appears asking you to confirm the synchronization.
Step 3 In the confirmation window, click OK to synchronize the configuration or Cancel to cancel the
synchronization.
ANM displays the status while synchronization is in progress and returns to the All Devices table when
synchronization is complete.
Related Topics
• Configuring Devices, page 5-34
• Synchronizing Module Configurations, page 5-67
• Restarting Device Polling, page 5-78
Synchronizing Module Configurations
You can synchronize configurations for ACE modules or CSM modules when changes are made that
have not been tracked in ANM.
The following module changes require synchronization:
• Upgrading module software
• Changing the module configuration using the CLI instead of the ANM
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the chassis that contains the module with the configuration that you want
to synchronize, and click Modules.
The Modules table appears.
Step 3 In the Modules table, choose the module with the configuration you want to synchronize, and click Sync.
A popup confirmation window appears asking you to confirm the synchronization.
Step 4 In the confirmation window, click OK to synchronize the configuration or Cancel to cancel the
synchronization.
ANM displays the status while synchronization is in progress and returns to the Modules table when
synchronization is complete.
Related Topics
• Configuring Devices, page 5-34
• Managing Devices, page 5-66
• Synchronizing Device Configurations, page 5-66
Mapping Real Servers to VMware Virtual Machines
This section describes how ANM maps ACE, CSS, CSM, or CSM-S real servers to VMware vCenter
Server VMs when you integrate ANM with a VMware virtual data center. This section also shows how
you can display and manage the mappings associated with a VMware vCenter Server.
Note To map a real server to a VM, the real server must be associated with a server farm (see the “Configuring
Server Farms” section on page 8-30).
ANM uses the following methods to map a real server to a VM:
• IP Match—ANM matches the real server IP address to the VM IP address. This is the default mapping method that ANM uses, and it requires the following items:
– Before you import a VMware vCenter Server into ANM along with its associated VMs,
configure a real server in ANM for each VM about to be imported with the vCenter Server.
Configure each real server with the IP address of a VM. For more information, see the
“Configuring Real Servers” section on page 8-5 and the “Importing VMware vCenter Servers”
section on page 5-24.
– ANM must be able to determine the IP address of a VM, which is accomplished by installing
VMware Tools on the guest operating system (OS) of the VM.
• Name Match—ANM matches the real server name to the VM name. This is the backup mapping
method that ANM uses if it cannot match any IP address for the VM. This method requires
consistent use of the device names throughout the network.
Note For the CSM and CSM-S, the VM name must be in uppercase because the CSM and CSM-S real server names are always in uppercase and the mapping is case sensitive, even though the CSM and CSM-S are case insensitive. From vSphere Client, you can change a VM name to uppercase by right-clicking the VM in the VM tree and choosing Rename.
• Override—You specify the real server-to-VM mapping.
• Ignore—ANM ignores any mapping method.
ANM can detect when VMs are added to or deleted from a VMware vCenter Server by listening to the server events or by polling the server. When a new VM is detected, ANM uses the IP match method to try to match the new VM with a real server.
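The mapping order described above, as an added example that is not part of this guide or of ANM: map_vm() applies IP Match first, falls back to Name Match (case sensitive, which is why CSM and CSM-S VM names must be uppercase), and honours an operator's Override or Ignore choice; vm_name_as_displayed() applies the special-character handling described in the note on the VM Mappings window later in this section. The data classes, the function names and the sample inventory are this example's own constructions.

```python
"""Real server to VM mapping, following the four rules described above.

Added example, not ANM's own code. The rule order (IP Match first, Name Match
as the fallback, Override and Ignore chosen by the operator) and the
special-character handling come from this section; the classes, functions and
sample inventory are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RealServer:
    name: str
    ip: str


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    # Empty when ANM cannot learn the address, for example because VMware
    # Tools is not installed on the guest OS (see IP Match above).
    ips: Tuple[str, ...] = ()


def map_vm(vm: VirtualMachine, real_servers: List[RealServer],
           override: Optional[List[RealServer]] = None,
           ignore: bool = False) -> Tuple[str, List[RealServer]]:
    """Return (rule applied, matched real servers); rule is "" when no match."""
    if ignore:                      # operator chose Ignore: never map this VM
        return "Ignore", []
    if override is not None:        # operator picked the real servers by hand
        return "Override", list(override)
    by_ip = [rs for rs in real_servers if rs.ip in vm.ips]
    if by_ip:
        return "IP Match", by_ip
    # Name Match is case sensitive; CSM/CSM-S real server names are always
    # uppercase, so a mixed-case VM name will not match them.
    by_name = [rs for rs in real_servers if rs.name == vm.name]
    if by_name:
        return "Name Match", by_name
    return "", []                   # Rule Currently Applied is left blank


# Special characters called out in the note on the VM Mappings window.
HEX_ESCAPED = {"%": "%25", "\\": "%5c", "/": "%2f"}


def vm_name_as_displayed(name: str) -> Optional[str]:
    """Name as ANM shows it, or None when a double quote blocks the window."""
    if '"' in name:
        return None
    return "".join(HEX_ESCAPED.get(ch, ch) for ch in name)


# Constructed inventory for the demonstration.
REAL_SERVERS = [
    RealServer("web01", "192.0.2.11"),
    RealServer("WEB02", "192.0.2.12"),   # CSM-style uppercase name
]

if __name__ == "__main__":
    for vm in (VirtualMachine("web-a", ("192.0.2.11",)),
               VirtualMachine("WEB02"),
               VirtualMachine("web02")):
        rule, matched = map_vm(vm, REAL_SERVERS)
        print(f"{vm.name:8} -> {rule or '(blank)':10} {[rs.name for rs in matched]}")
    print(vm_name_as_displayed("lab/web%01"))
```

The third sample VM ("web02", no IP address) shows the failure mode the CSM note warns about: the name differs from "WEB02" only in case, so no rule applies and the Rule Currently Applied column stays blank until the operator renames the VM or sets an Override.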
Prerequisites
This topic includes the following prerequisites:
• Import the VMware vCenter Server into ANM (see the “Importing VMware vCenter Servers”
section on page 5-24).
• Register the ANM plug-in with the VMware vCenter Servers that you want to view and manage.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the VMware vCenter Server that contains the VMs that you want to
display and map.
The Primary Attribute table appears.
Step 3 Click VM Mappings.
The VM Mappings table appears. Table 5-23 describes the information that displays in the VM Mappings table.
Table 5-23 VM Mappings Table
Item: Description
VM Name: Name of the VM associated with the selected VMware vCenter Server.
IP Address(es): IP address of the VM.
Full Path: Path of the VM on the VMware vCenter Server.
Rule Currently Applied: Mapping rule applied: IP Match, Name Match, Override, or Ignore. This field is blank if ANM is unable to find a real server match for the VM. You can manually map a real server to the VM using the Edit Mapping feature (see Step 5).
ACE Real Server(s): ACE real server that the VM maps to on ANM. Note the following:
• This field is blank if ANM is unable to find a real server match for the VM. You can manually map a real server to the VM using the Edit Mapping feature (see Step 5).
• If the VM has been deleted in the vCenter Server but ANM still has the mapping, a delete icon (red circle with an “x”) appears at the end of the real server ID. Click the icon to remove the mapping from the table.
Last Updated Time: Timestamp when the mapping information was obtained.
Note If the VM Mappings window does not display or a VM name contains hex values rather than certain special characters, these conditions indicate that VM names associated with a vCenter Server that you imported into ANM contain special characters that ANM does not recognize. For example, a VM name that contains a double quote (“) prevents ANM from displaying the VM Mappings window. If a VM name contains a percent sign (%), backslash (\), or forward slash (/), ANM displays the VM name in the VM Mappings window; however, these special characters display as hex values (%25 for %, %5c for \, and %2f for /).
To correct these issues, remove the special characters from the VM names and then manually perform a CLI synchronization (see Step 4).
Step 4 (Optional) To update the displayed real server to VM mapping information, manually perform a CLI synchronization with the vCenter Server as follows:
a. Choose Config > Devices > All Devices. The All Devices table appears.
b. From the All Devices table, click the radio button associated with the desired vCenter Server.
c. Click CLI Sync.
Note You must perform this step to update the display if you import a Cisco device after you import an associated vCenter Server.
Step 5 (Optional) To change the mapping rule applied to a VM, in the VM Mappings window, check the checkbox next to the VM names to edit and click Edit Mappings.
The VM Mappings edit window appears, providing a list of the selected VMs and the mapping rule options.
Step 6 From the VM Mappings edit window, choose one of the following options from the Mapping Rule drop-down list:
• IP Match—Map the VMs to ACE real servers based on matching IP addresses. Skip to Step 8.
• Name Match—Map the VMs to ACE real servers based on matching device names. Skip to Step 8.
• Ignore—Ignore any mapping rule and do not map the VM to an ACE real server. Skip to Step 8.
• Override—Map the VMs to the specified ACE real servers. This option is available only when you have one VM selected from the All Devices table (see Step 2). When you choose Override, ANM displays the Select Real Server(s) table of available ACE real servers that includes the device information, real server name, IP address, port number, and server farm to which the real server belongs.
Step 7 If you chose the Override mapping rule, do one or both of the following:
• Check the checkbox next to the real servers to map the selected real servers to the VM. To select all of the available real servers, check the Device checkbox located at the top of the table.
• Click Add to add a new real server. The Add a Real Server popup window appears. Define the new real server as described in Table 5-24 and click Deploy Now.
Step 8 In the VM Mappings window, click OK to save the new mapping rule or Cancel to cancel the change.
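A check of the Add a Real Server fields described in Table 5-24 (the table Step 7 refers to), as an added example that is not part of this guide or of ANM: validate_real_server() and the sample VIP set are this example's own, and the only limits it enforces are the ones Table 5-24 states (name up to 64 characters, unquoted, no spaces; dotted-decimal IP address that is not an existing VIP; weight 1 to 100 with a default of 8; state In Service or Out Of Service).

```python
"""Field checks for the Add a Real Server popup window of Table 5-24.

Added example, not ANM code. It validates an entry before it is deployed so
that a real server is not created with an address that is already a VIP or
with a weight outside the documented range.
"""
import ipaddress
from typing import FrozenSet, List

STATES = {"In Service", "Out Of Service"}


def validate_real_server(name: str, ip: str, weight: int = 8,
                         state: str = "In Service",
                         existing_vips: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the list of field errors; an empty list means the entry is acceptable."""
    errors = []
    # Real Server Name: unquoted text, no spaces, at most 64 characters.
    if not name or len(name) > 64:
        errors.append("name must be 1 to 64 characters")
    if " " in name or '"' in name:
        errors.append("name must be an unquoted string with no spaces")
    # Real Server IP Address: dotted decimal and not an existing VIP.
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        errors.append("IP address must be in dotted-decimal format")
    else:
        if str(addr) in existing_vips:
            errors.append("IP address is already a virtual IP address (VIP)")
    # Real Server Weight: 1 to 100, default 8.
    if not 1 <= weight <= 100:
        errors.append("weight must be between 1 and 100")
    # Real Server State: one of the two documented values.
    if state not in STATES:
        errors.append("state must be In Service or Out Of Service")
    return errors


# Constructed set of VIPs already configured on the virtual context.
KNOWN_VIPS = frozenset({"192.0.2.100"})

if __name__ == "__main__":
    print(validate_real_server("web03", "192.0.2.13", existing_vips=KNOWN_VIPS))
    print(validate_real_server("web 03", "192.0.2.100", weight=0,
                               existing_vips=KNOWN_VIPS))
```

The second call in the usage block collects three errors at once (space in the name, address already a VIP, weight out of range), so an operator sees every field to correct rather than the first one only.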
Table 5-24 Adding a Real Server for VM Mapping
Item: Description
Real Server Name: Unique name for this server or accept the automatically incremented value in this field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Real Server IP Address: Unique IP address in dotted-decimal format (such as 192.168.11.1). The IP address cannot be an existing virtual IP address (VIP).
Real Server Port: Port used for communication with the real server.
Real Server Weight: Weight to be assigned to this real server in a server farm. Valid entries are from 1 to 100, and the default is 8.
Real Server State: State of the real server when deployed:
• In Service—The real server is in service.
• Out Of Service—The real server is out of service.
ACE Virtual Context: Virtual context that is associated with the real server.
Serverfarm: Server farm to which the real server belongs.
Virtual Servers: Virtual server that is associated with the real server.
Related Topics
• Configuring Real Servers, page 8-5
• Importing VMware vCenter Servers, page 5-24
• Configuring VMware vCenter Server Primary Attributes, page 5-41
Instructing ANM to Recognize an ACE Module Software Upgrade
When you upgrade the software of an ACE module that has been imported to the ANM database, perform the procedure outlined in this section to enable ANM to recognize the updated release and display features and functions in the ANM GUI that are appropriate for the ACE module software upgrade.
For example, if an imported ACE module contains software Version A2(2.1), and you wish to upgrade to software Version A2(3.0) to take advantage of features such as backup and restore, you must perform the steps outlined below to instruct ANM to recognize the upgraded ACE module software version and display the features and functions associated with this release. If you do not instruct ANM to recognize an ACE module software upgrade, the ACE module import will occur without issue, but the new features and functions associated with a specific ACE module software release will not appear in the ANM GUI.
Procedure
Step 1 After you upgrade an ACE module software image, perform a CLI sync on the module’s host device (see
the “Synchronizing Chassis Configurations” section on page 5-67).
Step 2 After you complete the CLI sync, whenever ANM detects an upgrade on an imported ACE module,
ANM issues a warning to instruct you to perform a CLI sync on the ACE module to recognize the
upgrade. Perform the procedure described in the “Synchronizing Module Configurations” section on
page 5-67.
The ACE software upgrade sequence is completed.
Configuring User-Defined Groups
You can create logical groupings of virtual contexts or chassis for ease of management. These logical
groups are known as user-defined groups and appear in the device tree (Config > Devices) in the folder
named Groups for quick access.
Users can create their own groups, add and remove members, and assign group names that suit their
environment and are meaningful to them.
This section includes the following topics:
• Adding a User-Defined Group, page 5-72
• Modifying a User-Defined Group, page 5-73
• Duplicating a User-Defined Group, page 5-74
• Deleting a User-Defined Group, page 5-75
Note Device groups continue to display device information even after you remove that device from ANM,
which allows the device group information to be easily reassociated if you reimport the device. The
device name must remain the same.
Adding a User-Defined Group
You can add a user-defined group.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose Groups.
The Groups table appears.
Step 3 Click Add to add a new group, or choose an existing group, and click Edit to modify it.
The Group configuration window appears.
Step 4 In the Name field of the Group configuration window, enter a unique name for this group.
Valid entries are unquoted text strings with no spaces and a maximum of 26 alphanumeric characters.
The window identifies the objects by type and provides a search field for each:
• Virtual Context Members
• Device Members
• Module Members
• CSM Members
Step 5 To add objects to the group, for each object type, choose the object in the Available Items list, and click
Add.
The selected objects appear in the Selected Items list.
To remove objects that you do not want to include, choose the objects in the Selected Items list, and click
Remove. The items then appear in the Available Items list.
To search for specific objects, enter a search string that contains the object name or part of the object
name in the Search field, and then click Search. The Available Items list refreshes with the objects that
meet the search criteria.
Step 6 In the Description field, enter a description for this group.
Step 7 Do one of the following:
• Click Save to accept your entries and to return to the Groups table.
• Click Cancel to exit this procedure without saving your entries and to return to the Groups table.
Related Topics
• Configuring User-Defined Groups, page 5-72
• Modifying a User-Defined Group, page 5-73
• Duplicating a User-Defined Group, page 5-74
• Deleting a User-Defined Group, page 5-75
Modifying a User-Defined Group
You can change the members or the description of a user-defined group. You cannot change the name of
an existing user-defined group.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, click Groups.
The Groups table appears.
Step 3 In the Groups table, choose the group that you want to modify, and click Edit.
The Group configuration window appears.
Step 4 In each Members field of the Group configuration window, add or remove group members as follows:
• Choose the items that you want to add to this group in the Available Items list, and click Add.
• Choose the items that you want to remove from this group in the Selected Items list, and click
Remove.
Step 5 In the Description field, modify the description as needed.
Step 6 Do one of the following:
• Click Save to accept your entries and to return to the Groups table.
• Click Cancel to exit this procedure without saving your entries and to return to the Groups table.
Related Topics
• Configuring User-Defined Groups, page 5-72
• Adding a User-Defined Group, page 5-72
• Duplicating a User-Defined Group, page 5-74
• Deleting a User-Defined Group, page 5-75
Duplicating a User-Defined Group
You can duplicate a user-defined group.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, click Groups.
The Groups table appears.
Step 3 In the Groups table, choose the user-defined group that you want to duplicate, and click Duplicate.
A popup window appears asking you to enter a new name.
Step 4 In the popup window, type the new group name, and click OK.
The Groups table refreshes and the duplicated group name appears in the list.
Related Topics
• Configuring User-Defined Groups, page 5-72
• Adding a User-Defined Group, page 5-72
• Modifying a User-Defined Group, page 5-73
• Deleting a User-Defined Group, page 5-75
Deleting a User-Defined Group
You can delete a user-defined group.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, click Groups.
The Groups table appears.
Step 3 In the Groups table, choose the user-defined group that you want to remove, and click Delete.
A popup confirmation window appears asking you to confirm the deletion.
Step 4 In the popup confirmation window, do one of the following:
• Click OK to delete the selected user-defined group.
The Groups table refreshes and the deleted group no longer appears.
• Click Cancel to exit this procedure without deleting the group.
The Groups table refreshes.
Related Topics
• Configuring User-Defined Groups, page 5-72
• Adding a User-Defined Group, page 5-72
• Modifying a User-Defined Group, page 5-73
• Duplicating a User-Defined Group, page 5-74
Changing Device Credentials
You can change the credentials associated with a device managed by ANM. Each device that you import
into ANM has a device username and password associated with it that ANM uses to access the device.
Some device types, such as the GSS, also have a device enable password associated with them. From
ANM, you can change the device credentials in the ANM database to match a change made to the
credentials on a device using the CLI. This feature allows you to change the device credentials without
having to rediscover or reimport the device.
This procedure applies to the following device types that have been imported into ANM:
• ACE appliance
• Global Site Selector (GSS)
• Content Services Switch (CSS)
• Catalyst 6500 Virtual Switching System (VSS) 1440
• Catalyst 6500 series switch
• Cisco 7600 series router
• VMware vCenter Server
Note To change the credentials of an ACE module, see the “Changing ACE Module Passwords” section on
page 5-77.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• You can change a device username, password, or both.
• We recommend changing the device credentials on the device before changing the credentials on
ANM.
Caution To maintain communication between ANM and the device, it is important that whatever
device credential change you make on the device, you make the same change on ANM.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the device with the passwords that you want to update in ANM, and
click Update Credentials.
The Update Credentials popup window appears.
Step 3 From the popup window, update the device credential using the information in Table 5-25.
Note All credential fields are mandatory, so even if you are updating the device password only, you
must enter the current device username.
Step 4 Do one of the following:
• Click OK to save your changes to ANM. Do the following:
a. If you have not already made a similar change to the device credentials on the device, use the
device CLI to make the changes now.
b. Perform a CLI synchronization to test communications between ANM and the device with
the new credentials (see the “Synchronizing Device Configurations” section on page 5-66).
• Click Cancel to ignore any changes that you made and close the popup window.
Table 5-25 Update Device Credentials
Field Description
Username Existing or new device username.
New Password Existing or new device password.
Confirm New Password Confirmation of the device password.
New Enable Password (1) Existing or new device enable password.
Confirm Enable Password (1) Confirmation of the device enable password.
1. GSS and Catalyst 6500 series switch only.
Related Topics
• Configuring Devices, page 5-34
• Managing Devices, page 5-66
• Changing ACE Module Passwords, page 5-77
Changing ACE Module Passwords
You can change the ACE module username and password. All ACE modules shipped from Cisco are
configured with the same administrative username and password. Because leaving these default module
credentials in place can compromise network security, we recommend that you change the username and
password after you import the module into the ANM database.
Note This functionality is available only in Admin contexts.
Before You Begin
Import the ACE module into ANM and ensure that it is operational (see the “Importing ACE Modules
after the Host Chassis has been Imported” section on page 5-16).
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 In the device tree, choose the chassis device containing the ACE module with the password that you want
to change.
The Primary Attributes window appears.
Step 3 From the side menu, choose System > Module/Slots.
The Modules table appears.
Step 4 In the Modules table, choose the module with the password that you want to change and click Update
Credentials.
The Modules configuration window appears.
Step 5 In the Card Slot field, confirm that the correct module is selected.
Step 6 In the Card Type field, confirm that the correct version appears.
Step 7 In the Module Has Been Imported Into ANM field, confirm that the checkbox is checked to indicate that
the module has been imported. This is a read-only field.
Step 8 From the Operation To Perform drop-down list, choose Update Credentials.
Step 9 In the User Name field, enter the existing module username or enter a new username.
Step 10 In the New Password field, enter the existing device password or enter a new password.
Valid passwords are unquoted text strings with a maximum of 64 characters.
Step 11 In the Confirm field, verify the password that you entered in the New Password field.
Step 12 Do one of the following:
• Click OK to save your changes to ANM. Do the following:
a. If you have not already made a similar change to the device credentials on the device, use the
device CLI to make the changes now.
b. Perform a CLI synchronization to test communications between ANM and the device with
the new credentials (see the “Synchronizing Device Configurations” section on page 5-66).
• Click Cancel to exit the procedure without saving your entries and to return to the Modules table.
Related Topics
• Importing ACE Modules after the Host Chassis has been Imported, page 5-16
• Configuring Devices, page 5-34
• Managing Devices, page 5-66
• Changing Device Credentials, page 5-75
Restarting Device Polling
You can restart monitoring on a device that has stopped or failed to start.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the device whose monitoring has stopped or failed, and click Restart
Polling.
The All Devices table refreshes with updated polling status. For a description of the various polling
status variables, see Table 5-26 on page 5-79.
If ANM cannot monitor the selected device, it displays an error message stating the reason.
Related Topics
• Configuring Devices, page 5-34
Displaying All Devices
You can display all devices that have been imported into the ANM database.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose All Devices.
The All Devices table displays information for the devices being managed by the ANM (see Table 5-26).
Related Topics
• Importing Network Devices into ANM, page 5-10
• Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes,
page 5-38
• Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42
Table 5-26 All Devices Table Attributes
Field Description
Name Name assigned to the device.
Type Type of the device, such as Chassis, ACE 4710, or CSS.
Version Version of the software running on the device, if available.
IP Address Device IP address.
Polling Status Current polling status of the device:
• Missing SNMP Credentials—SNMP credentials are not configured for this device; therefore, statistics
are not collected. Add SNMPv2C credentials to fix this error.
• Not Polled—SNMP polling has not started. Add SNMP V2C credentials to fix this error.
• Monitoring Not Supported—This status appears at the device level only and applies to Catalyst 6500
series chassis, Cisco 7600 series routers, and ACE appliances.
• Polling Failed—SNMP polling failed due to some internal error. Try enabling the SNMP collection
again.
• Polling Started—No action is required; everything is working properly. Polling states will display the
activity.
• Polling Timed Out—SNMP polling has timed out. This situation might occur if the wrong credentials
were configured or an internal error exists, such as the SNMP protocol is configured incorrectly or the
destination is not reachable. Verify that SNMP credentials are correct. If the problem persists, enable
SNMP collection again.
• Unknown—SNMP polling is not working due to one of the above-mentioned conditions. Check the
SNMPv2C credential configuration.
Displaying Modules by Chassis
You can display all modules on a specific chassis.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the chassis containing the modules that you want to view, and click
Modules.
The Modules table appears, listing all modules on that chassis with the following information:
• Slot number
• Service module model
• Module type, such as Cisco Content Switching Module (CSM), ACE module and version, or other
modules, such as supervisor modules
• Serial number
• Module operational state, such as Up, Powered Off, or Not Imported
• Version of software the module is running
• Brief description
• For ACE modules, the number of virtual contexts configured on the module
• For VSS devices, a Virtual Switch number column indicating the switch, slot, and port number. For
example, command interface 1/5/4 specifies port 4 of the switching module in slot 5 of switch 1.
Depending on the type of module selected, such as CSM or ACE modules, the following options are
available from this window:
• Import—Imports a CSM or ACE module that resides in the selected chassis but has not been
imported into the ANM database. For more information, see the “Importing ACE Modules after the
Host Chassis has been Imported” section on page 5-16 or the “Importing CSM Devices after the
Host Chassis has been Imported” section on page 5-19.
• Change Card Password—Changes the administrative password on an ACE module that has been
imported into the ANM database. For more information, see the “Changing ACE Module
Passwords” section on page 5-77.
• Do Not Manage—Removes a selected ACE module from the ANM database. For more information,
see the “Removing Modules from the ANM Database” section on page 5-80.
Step 3 (Optional) To display the modules of another chassis, choose another chassis in the device tree or use
the chassis selector field at the top of the window.
Related Topics
• Importing ACE Modules after the Host Chassis has been Imported, page 5-16
• Importing CSM Devices after the Host Chassis has been Imported, page 5-19
• Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42
• Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48
Removing Modules from the ANM Database
You can remove a module from the ANM database.
Note If you physically replace an ACE module in a chassis, you need to synchronize the chassis in the ANM.
See the “Synchronizing Chassis Configurations” section on page 5-67 for more information.
Procedure
Step 1 Choose Config > Devices > All Devices.
The All Devices table appears.
Step 2 In the All Devices table, choose the device containing the module that you want to remove, and click
Modules.
The Modules table appears.
Step 3 In the Modules table, choose the module that you want to remove from ANM management, and click Do
Not Manage.
The Modules configuration window appears.
Step 4 In the Modules configuration window, confirm the information in the following fields:
• Card Slot
• Card Type
• Module Has Been Imported Into ANM
Step 5 In the Operation To Perform field, choose Do Not Manage.
Step 6 Do one of the following:
• Click OK to confirm removal of the module.
The Modules table refreshes and the removed module appears with the state Not Imported.
You can import the module again when desired (see the “Importing ACE Modules after the Host
Chassis has been Imported” section on page 5-16).
• Click Cancel to exit the procedure without removing the ACE module and to return to the Modules
table.
Related Topics
• Importing Network Devices into ANM, page 5-10
• Changing ACE Module Passwords, page 5-77
Replacing an ACE Module Managed by ANM
This section describes the process that you must follow when replacing an ACE module that is currently
managed by ANM. You may need to replace an ACE module to perform a hardware upgrade or to replace
a device associated with a Return Materials Authorization (RMA).
The procedures in this section show how to replace an ACE module using either the preferred method,
which uses the ANM GUI, or the alternate method, which uses a combination of the ACE CLI and the
ANM GUI.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• The replacement process includes creating a backup of the ACE module being removed and
installing the backup on the replacement module. The final step is to run a script that maps the
domain attributes that were mapped to the old ACE module serial number to the new module serial
number. These domain attributes include items such as real servers, virtual servers, user groups,
custom groups, mobile favorites, and so forth.
Caution When replacing your ACE module, it is important that you complete the entire replacement procedure
before attempting to edit the properties of any domain. Editing the domains before running the script that
remaps existing domain attributes to the new ACE module serial number can result in the attributes being
removed.
• If you currently use an ACE10 or ACE20 module, you must upgrade to the ACE30 module with ACE
software Version A5(1.0) to use the new features associated with the A5(1.0) release in ANM 5.1.
For more information about a module upgrade, see the Cisco Application Control Engine (ACE30)
Module Installation Note.
Caution When replacing an ACE module that is part of a redundant pair providing high availability, be sure that
the ACE module being replaced is operating in the standby state and not in the active state. Replacing
an active redundant ACE module is a service-affecting operation.
The state information is displayed in the HA State and HA Autosync fields when you choose Config >
Devices > virtual_context. Force a switchover if needed to place the ACE module in the standby state
before you replace it.
Prerequisites
To perform the procedures in this section, you need a copy of the Cisco Application Control Engine
(ACE30) Module Installation Note which you can obtain on Cisco.com.
This section includes the following topics:
• Using the Preferred Method to Replace an ACE Module, page 5-82
• Using the Alternate Method to Replace an ACE Module, page 5-84
Using the Preferred Method to Replace an ACE Module
You can replace an ACE module currently managed by ANM by using the ANM GUI-based method.
Note For details about any of the ANM GUI functions discussed in the following procedure, click Help to
display the context-sensitive help associated with the current GUI window.
Procedure
Step 1 From the ANM GUI, create a backup of the ACE module that you are replacing using one of the following
methods:
• Choose Config > Devices > context > System > Backup / Restore. The Backup/Restore window
appears.
• Choose Config > Global > All Backups. The Backup window appears.
Note The Backup/Restore feature requires ACE module software Version A2(3.0) or later.
Save or copy the backup to a network location.
Step 2 Record the module serial number of the ACE module being replaced, which you will need in Step 11.
To obtain the module serial number, choose Config > Devices > All Devices, click the chassis that
contains the module being replaced, and click Modules.
Step 3 From the Cisco IOS host chassis, remove the ACE module that you want to replace (see the Cisco
Application Control Engine (ACE30) Module Installation Note).
Step 4 From the ANM GUI, perform a CLI synchronization with the Cisco IOS host chassis.
Note When you perform the CLI synchronization, all the threshold groups associated with the
removed ACE module are deleted.
Do the following:
a. Choose Config > Devices > All Devices. The Device Management window appears.
b. From the Device Management window, click the radio button associated with the host chassis.
c. Click CLI Sync.
A message similar to the following appears:
Warning: The module has been removed: serial#=SAL1413E2YK
Step 5 From the Cisco IOS host chassis, insert the replacement (new) ACE module into the chassis (see the
Cisco Application Control Engine (ACE30) Module Installation Note).
Step 6 Using the CLI, verify that the software on the replacement ACE is equal to or greater than the software
version used in the original ACE.
Upgrade the ACE software on the new device if needed. After the upgrade, reboot the ACE module and
verify that it is running with the correct software image to ensure that ANM can recognize it.
Step 7 From the ANM GUI, perform a CLI synchronization with the Cisco IOS host chassis by doing the
following:
a. Choose Config > Devices > All Devices. The Device Management window appears.
b. From the Device Management window, click the radio button associated with the host chassis.
c. Click CLI Sync.
A message similar to the following appears:
The module has been added: serial#=SAD140102XR
Record the new ACE module serial number, which you will need for Step 11.
Step 8 From the Device Management window, import the replacement module into ANM as follows:
a. Click the radio button associated with the host chassis and click Modules. The Modules window
appears.
b. From the Modules window, click the radio button associated with the replacement module and click
Import. The Module configuration window appears.
c. From the configuration window, choose Perform Initial Setup and Import from the Operation To
Perform drop-down list and enter the module configuration information that you recorded in Step 2.
d. Click OK to save the module configuration information.
Step 9 Install a license in the replacement module that is consistent with the removed module by choosing
Config > Devices > chassis > module > Admin > System > Licenses. The Licenses window appears.
Step 10 Copy and restore the saved ACE configuration to the replacement module by choosing Config > Devices
> chassis > module > Admin > System > Backup / Restore.
Note The Backup/Restore feature requires ACE module software Version A2(3.0) or later.
Step 11 Remap the ANM objects mapped to the old ACE module serial number to the new ACE module serial
number as follows:
a. Enter the following command to list the module serial numbers that are unassociated with a device
in ANM:
anm-RMA-helper-query
Verify that the list includes the serial number of the old ACE module that you recorded in Step 2.
b. Enter the following command to map the objects to the new ACE module serial number:
anm-RMA-helper-replace
c. Follow the prompts that appear to log in to ANM and specify the old ACE module serial number
recorded in Step 2 and the new module serial number recorded in Step 7.
Related Topics
• Importing ACE Modules after the Host Chassis has been Imported, page 5-16
Using the Alternate Method to Replace an ACE Module
This procedure describes the alternate method for replacing an ACE module currently managed by
ANM. This method uses a combination of the ACE CLI and ANM GUI during the replacement process.
To see the preferred method for replacing an ACE module, see the “Using the Preferred Method to
Replace an ACE Module” section on page 5-82.
Note For details about using the ACE CLI to perform the procedures discussed in the following procedure,
see the Cisco Application Control Engine (ACE30) Module Installation Note.
For details about any ANM GUI function discussed in the following procedure, click Help to display the
context-sensitive help associated with the current GUI window.
Procedure
Step 1 Referring to the Cisco Application Control Engine (ACE30) Module Installation Note, do the following:
a. SSH in to the ACE and back up all contexts from the Admin context (requires ACE module software
Version A2(3.0) or later).
b. Copy the backup to a network location (requires ACE module software Version A2(3.0) or later).
c. Obtain and record the old module serial number using the show hardware command. You will need
the serial number in Step 4.
d. From the Cisco IOS host chassis, remove the ACE module that you want to replace.
e. From the Cisco IOS host chassis, insert the replacement ACE module into the chassis.
f. Verify that the software on the replacement ACE is equal to or greater than the software version used
in the original ACE. Upgrade the ACE software on the new device if needed.
g. SSH in to the chassis and session in to the new ACE module.
h. Configure basic ACE module connectivity.
i. Obtain and record the new module serial number using the show hardware command.
j. Copy and install necessary licenses.
k. Copy and restore the ACE backup.
Step 2 From the ANM GUI, delete the Cisco IOS host chassis that hosts the replacement ACE module as
follows:
a. Choose Config > Devices > All Devices. The Device Management window appears.
b. Click the radio button associated with the chassis in which the module was replaced.
c. Click Delete.
Step 3 From the Device Management window, import the Cisco IOS host chassis and associated chassis
modules, including the replacement ACE module by clicking Add. The Add New Device window
appears; complete the required chassis and module information.
Step 4 Remap the ANM objects mapped to the old ACE module serial number to the new ACE module serial
number as follows:
a. Enter the following command to list the module serial numbers that are unassociated with a device
in ANM:
anm-RMA-helper-query
Verify that the list includes the serial number of the old ACE module that you recorded in Step 1c.
b. Enter the following command to map the objects to the new ACE module serial number:
anm-RMA-helper-replace
c. Follow the prompts that appear to log in to ANM and specify the old ACE module serial number
recorded in Step 1c and the new module serial number.
Related Topics
• Importing ACE Modules after the Host Chassis has been Imported, page 5-16
CHAPTER 6
Configuring Virtual Contexts
Date: 3/28/12
This chapter describes how to configure and manage the Cisco Application Control Engine (ACE) using
Cisco Application Networking Manager (ANM).
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Information About Virtual Contexts, page 6-2
• Creating Virtual Contexts, page 6-2
• Configuring Virtual Contexts, page 6-8
• Configuring Virtual Context System Attributes, page 6-13
• Configuring Virtual Context Primary Attributes, page 6-14
• Configuring Virtual Context Syslog Settings, page 6-19
• Configuring SNMP for Virtual Contexts, page 6-27
• Applying a Policy Map Globally to All VLAN Interfaces, page 6-35
• Managing ACE Licenses, page 6-36
• Using Resource Classes, page 6-43
• Using Global Resource Classes, page 6-46
• Using Local Resource Classes, page 6-51
• Using the Configuration Checkpoint and Rollback Service, page 6-54
• Performing Device Backup and Restore Functions, page 6-59
• Performing Global Device Backup and Copy Functions, page 6-68
• Configuring Security with ACLs, page 6-78
• Configuring Object Groups, page 6-89
• Managing ACLs, page 6-99
• Configuring Virtual Context Expert Options, page 6-101
• Comparing Context and Building Block Configurations, page 6-101
• Managing Virtual Contexts, page 6-103
Information About Virtual Contexts
Virtual contexts use the concept of virtualization to partition your ACE into multiple virtual devices or
contexts. Each context contains its own set of policies, interfaces, resources, and administrators. This
feature enables you to more closely and efficiently manage resources, users, and the services you provide
to your customers.
There are two types of virtual contexts: the Admin context and the user context. The ACE comes
preconfigured with the default Admin context, which you can modify but you cannot delete. From the
Admin context, you can create user contexts. You also use the Admin context to configure High
Availability (HA or fault tolerance between ACE devices), configure resource classes, and manage ACE
licenses.
Note If you restore the ANM database from a backup repository and if a virtual context that is in the repository
has been removed from the device, ANM removes that context from the database and the context does
not appear in the ANM interface.
Related Topics
• Creating Virtual Contexts, page 6-2
• Configuring Virtual Contexts, page 6-8
• Deleting Virtual Contexts, page 6-107
• Comparing Context and Building Block Configurations, page 6-101
• Restarting Virtual Context Polling, page 6-108
• Managing Virtual Contexts, page 6-103
Creating Virtual Contexts
This section describes how to create a virtual context on an ACE device from ANM.
Note You must have the ability to create virtual contexts in your role and an Admin context in your domain
before you can create virtual contexts. For more information about configuring roles and domains, see
the “Managing User Roles” section on page 18-25 and the “Managing Domains” section on page 18-32.
Procedure
Step 1 Choose Config > Devices, and choose the ACE to which you want to add a virtual context.
The Virtual Contexts table appears.
Step 2 In the Virtual Contexts table, click Add.
The New Virtual Context window appears.
Step 3 Configure the virtual context using the information in Table 6-1.
Click Basic Settings, Management Settings, or More Settings to access the additional configuration
attributes. By default, ANM hides the Management Settings and More Settings groups of configuration
attributes until you specify a VLAN identifier in the Management Settings group.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 6-1 Virtual Context Configuration Attributes
Field Description
Basic Settings
Name Unique name for the virtual context. Valid entries are unquoted text strings with no spaces and
a maximum of 64 alphanumeric characters.
This field is read-only for existing contexts.
Device Device to associate with this context.
This field appears for new contexts only.
Description Brief description of the virtual context. Enter a description as an unquoted text string with a
maximum of 240 alphanumeric characters.
Module Field that appears when a chassis contains multiple ACE modules and for new contexts only.
Choose the module to associate with this context.
Resource Class Resource class that this virtual context is to use.
Allocated VLANs Number of a VLAN or a range of VLANs used by the traffic that the context is to receive. You
can specify VLANs in any of the following ways:
• For a single VLAN, enter an integer from 2 to 4096.
• For multiple, nonsequential VLANs, use comma-separated entries, such as 101, 201, 302.
• For a range of VLANs, use the format -, such as
101-150.
Note VLANs cannot be modified in an Admin context.
Default Gateway IP for IPv4 IPv4 address of the default gateway. Use a comma-separated list to specify multiple IP
addresses, such as 192.168.65.1, 192.168.64.2.
Default static routes with a netmask and IP address of 0.0.0.0 previously configured on the
ACE appear in this field.
Default Gateway IP for IPv6 Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later.
IPv6 address of the default gateway or choose the forward VLAN interface or BVI, as follows:
• IPv6 Address field—Enter the address of the gateway router (the next-hop address for this
route). Then, use the right arrow to move it to the Selected field. You can enter a maximum
of eight addresses including a selected VLAN or BVI through the Outgoing Interfaces
setting.
Default static routes with a prefix and IP address of ::0 previously configured on the ACE
appear in the Selected field.
• Outgoing Interfaces—Select either VLAN or BVI (used for the link-local address only), and
then select the Interface Number for the VLAN or BVI.
Enable High Availability Context to be used in a high availability (HA) group.
Note This field is unavailable if the associated FT interface is not configured or if the ACE
peer is not known. See Chapter 13, “Configuring High Availability” for details on
ACE HA groups.
Management Settings
VLAN Id VLAN number that you want to assign to the management interface. Valid values are from 2
to 4094. The VLAN ID should be available in the allocated VLAN interface list. By default,
all devices are assigned to VLAN1, known as the default VLAN.
Note You must enter a VLAN ID before the other Management Settings attribute fields are
enabled for configuring.
VLAN Description Description for the management interface. Enter an unquoted text string that contains a
maximum of 240 alphanumeric characters including spaces.
Interface Mode Topology that reflects the relationship of the selected ACE virtual context to the real servers
in the network:
• Routed—The ACE virtual context acts as a router between the client-side network and
the server-side network. In this topology, every real server for the application must be
routed through the ACE virtual context, either by setting the default gateway on each real
server to the virtual context server-side VLAN interface address, or by using a separate
router with appropriate routes configured between the ACE virtual context and the real
servers.
• Bridged—The virtual ACE bridges two VLANs—a client-side VLAN and a real-server
VLAN—on the same subnet using a bridged virtual interface (BVI). The real server
routing does not change to accommodate the ACE virtual context. Instead the virtual ACE
transparently handles traffic to and from the real servers.
Management IP IPv4 address that is to be used for remote management of the context.
Note ANM considers an interface as a management interface if it has a management policy
map associated with the VLAN interface. See the “Configuring Virtual Context VLAN
Interfaces” section on page 12-6.
Management Netmask Subnet mask to apply to this IP address.
Alias IP Address IP address of the alias this interface is associated with.
Peer IP Address IP address of the remote peer.
Access Permission List of source IP addresses that are allowed on the management interface:
• Allow All—Allows all configured client source IP addresses on the management interface
as the network traffic matching criteria.
• Deny All—Denies all configured client source IP addresses on the management interface
as the network traffic matching criteria.
• Match—Displays the Match Conditions table, where you specify the match criteria that
the ACE is to use for traffic on the management interface.
Match Conditions Match Conditions table that appears when you choose Match as the Access Permission
selection.
To add or modify the protocols allowed on this management VLAN, do the following:
1. Click Add to choose a protocol for the management interface, or choose an existing
protocol entry listed in the Match Conditions table and click Edit to modify it.
2. In the Protocol drop-down list, choose a protocol:
– HTTP—Specifies the Hypertext Transfer Protocol (HTTP).
– HTTPS—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for
connectivity with the ANM interface using port 443.
– ICMP—Specifies the Internet Control Message Protocol (ICMP) for Internet
Protocol version 4 (IPv4).
– ICMPv6—Option that appears only for ACE module and ACE appliance software
Version A5(1.0) or later. Specifies the Internet Control Message Protocol version 6
(ICMPv6) for Internet Protocol version 6 (IPv6).
– KALAP-UDP—Specifies the Keepalive Appliance Protocol over UDP.
– SNMP—Specifies the Simple Network Management Protocol (SNMP).
Note If SNMP is not selected, ANM will not be able to poll the context.
– SSH—Specifies a Secure Shell (SSH) connection to the ACE.
– TELNET—Specifies a Telnet connection to the ACE.
– XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving
XML documents between the ACE appliance and a Network Management System
(NMS) using port 10443. This option is available for ACE appliances only.
3. In the Allowed From field, specify the matching criteria for the client source IP address:
– Any—Specifies any client source address for the management traffic classification.
– Source Address—Specifies a client source host IP address and subnet mask as the
network traffic matching criteria. An ICMPv6 source address only accepts an IPv6
address. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or
later.
– Source Netmask—Select a subnet mask. This field is not applicable for ICMPv6.
– Source Prefix Length—(ICMPv6 only) Enter the prefix length, a value from 1 to
128.
4. Click OK to accept the protocol selection (or click Cancel to exit without accepting your
entries).
Note To remove a protocol from the management VLAN, choose the entry in the Match
Conditions table, and click Delete.
Enable SNMP Get Check box that you can check to add an SNMP Get community string to enable SNMP polling
on this context.
SNMP v2c Read-Only Community String Field that appears when you check the Enable SNMP Get check box.
Enter the SNMPv2c read-only community string to be used as the SNMP Get community
string.
Enable SNMP Trap Check box that you can check to add an SNMP community string for ANM to receive traps
from this context.
SNMP Community Field that appears when you check the Enable SNMP Trap check box.
Enter the SNMP version 1 or 2c read-only community string or the SNMP version 3 user name
that is to be used as the SNMP trap.
Enable Syslog Notification Check box that you can check to enable syslog logging or uncheck to disable syslog logging.
Add Admin User Check box that you can check to add a user with an administrator role and default-domain
access.
User Name Field that appears when you check the Add Admin User check box.
Specifies the name by which the user is to be identified (up to 24 characters). Only letters,
numbers, and underscore can be used. The field is case sensitive.
Password Field that appears when you check the Add Admin User check box.
Enter the password for the Admin user account.
Confirm Password Field that appears when you check the Add Admin User check box.
Reenter the password for the Admin user account.
More Settings
Switch Mode Feature that applies only to the ACE module A2(1.1), ACE appliance A4(1.0), or later releases
of either device type. Choose Switch Mode to change the way that the ACE processes TCP
connections that are not destined to a VIP or that do not have any policies associated with their
traffic. For such traffic, the ACE still creates connection objects, but processes the connections
as stateless connections, which means that they do not undergo any TCP normalization
checks. With this option enabled, the ACE also creates stateless connections for non-SYN
TCP packets if they satisfy all other configured requirements. This process ensures that a
long-lived persistent connection passes through the ACE successfully (even if it times out) by
being reestablished by any incoming packet related to the connection.
By default, these stateless connections time out after 2 hours and 15 minutes unless you
configure the inactivity timeout otherwise in a parameter map. When a stateless connection
times out, the ACE does not send a TCP RST packet but silently closes the connection. Even
though these connections are stateless, the TCP RST and FIN-ACK flags are honored and the
connections are closed when the ACE sees these flags in the received packets.
Building Block To Apply Configuration building block to apply to this context.
Step 4 Do one of the following:
• Click Deploy Now to deploy this context and save this configuration to the running-configuration
and startup-configuration files. The window refreshes and you can continue with virtual context
configuration (see the “Configuring Virtual Contexts” section on page 6-8).
• Click Cancel to exit this procedure without saving your entries. The Virtual Contexts table appears.
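The naming and VLAN rules in Table 6-1 (object names of 1 to 64 alphanumeric characters plus underscore, hyphen, dot and asterisk with no spaces; allocated VLANs given as single IDs, comma-separated lists or ranges; a management VLAN ID from 2 to 4094 that must be in the allocated list) are easy to get wrong when contexts are prepared in bulk from a script or spreadsheet. The following Python is an added example, not code from this guide or from ANM, that checks a proposed context definition against those rules before anyone clicks Deploy Now. The function names, the range constants and the sample values are this example's own.

```python
import re

# Rules as stated in Table 6-1 of the ANM guide.
# Object names: 1-64 alphanumeric characters plus _ - . * and no spaces.
NAME_RE = re.compile(r"[A-Za-z0-9_.\-*]{1,64}")
# Allocated VLANs: a single ID from 2 to 4096, comma-separated IDs, or ranges such as 101-150.
ALLOC_MIN, ALLOC_MAX = 2, 4096
# Management VLAN Id: 2 to 4094, and it must appear in the allocated VLAN list.
MGMT_MIN, MGMT_MAX = 2, 4094
# Description: unquoted text of at most 240 characters.
DESC_MAX = 240


def parse_allocated_vlans(spec):
    """Expand an Allocated VLANs string into a sorted list of VLAN IDs.

    Raises ValueError for entries outside the documented syntax or range.
    """
    vlans = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in VLAN list")
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad VLAN entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"range out of order: {item!r}")
        if lo < ALLOC_MIN or hi > ALLOC_MAX:
            raise ValueError(f"VLAN {item!r} outside {ALLOC_MIN}-{ALLOC_MAX}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def validate_context(name, description, allocated, mgmt_vlan):
    """Return a list of problems; an empty list means the definition passes every check."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name must be 1-64 characters of [A-Za-z0-9_.-*] with no spaces")
    if len(description) > DESC_MAX:
        problems.append(f"description longer than {DESC_MAX} characters")
    try:
        vlans = parse_allocated_vlans(allocated)
    except ValueError as exc:
        problems.append(f"allocated VLANs: {exc}")
        vlans = []
    if mgmt_vlan is not None:
        if not MGMT_MIN <= mgmt_vlan <= MGMT_MAX:
            problems.append(f"management VLAN {mgmt_vlan} outside {MGMT_MIN}-{MGMT_MAX}")
        elif vlans and mgmt_vlan not in vlans:
            problems.append(f"management VLAN {mgmt_vlan} is not in the allocated VLAN list")
    return problems


if __name__ == "__main__":
    # Constructed sample definitions, not taken from the guide.
    print(validate_context("web-ctx.01", "front end", "101, 201, 302, 400-410", 405))
    print(validate_context("web ctx", "x", "1, 101-100", 4095))
```

The checker returns every problem it finds rather than stopping at the first one, so a batch of definitions can be reviewed in a single pass; the management VLAN check is skipped when no management VLAN is supplied, matching the guide's note that the Management Settings fields stay hidden until a VLAN ID is entered.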
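The Access Permission and Match Conditions fields in Table 6-1 decide which source addresses may reach the management VLAN with which protocols, and the guide notes that leaving SNMP out of the list means ANM cannot poll the context. The following Python is an added example, not code from this guide or from ANM, that models a management access list as a deny-by-default set of protocol and source conditions, evaluates constructed connection attempts against it, and flags entries a reviewer would want to look at (cleartext protocols, conditions open to any source, missing SNMP). The class name, mode strings, method names and sample addresses are this example's own.

```python
import ipaddress

# Protocols the guide lists as selectable Match Conditions on the management VLAN.
MGMT_PROTOCOLS = {"HTTP", "HTTPS", "ICMP", "ICMPV6", "KALAP-UDP",
                  "SNMP", "SSH", "TELNET", "XML-HTTPS"}
CLEARTEXT = {"HTTP", "TELNET"}   # carry management credentials unencrypted


class ManagementAccessPolicy:
    """Model of the Access Permission field: mode is 'allow_all', 'deny_all' or
    'match'; in 'match' mode the conditions list plays the role of the Match
    Conditions table. Names here are this example's own, not ANM's."""

    def __init__(self, mode, conditions=()):
        if mode not in ("allow_all", "deny_all", "match"):
            raise ValueError(f"unknown access permission mode {mode!r}")
        self.mode = mode
        self.conditions = []
        for protocol, source in conditions:
            self.add_condition(protocol, source)

    def add_condition(self, protocol, source):
        """source is 'any', an IPv4 address/netmask, or for ICMPv6 an IPv6
        address/prefix-length (the guide says ICMPv6 accepts only IPv6, prefix 1-128)."""
        protocol = protocol.upper()
        if protocol not in MGMT_PROTOCOLS:
            raise ValueError(f"unsupported management protocol {protocol!r}")
        net = None if source == "any" else ipaddress.ip_network(source, strict=False)
        if protocol == "ICMPV6" and net is not None:
            if net.version != 6 or not 1 <= net.prefixlen <= 128:
                raise ValueError("ICMPv6 source must be an IPv6 prefix of length 1-128")
        self.conditions.append((protocol, net))

    def permits(self, protocol, source_ip):
        """True if a management connection for protocol from source_ip is allowed."""
        if self.mode == "allow_all":
            return True
        if self.mode == "deny_all":
            return False
        protocol = protocol.upper()
        addr = ipaddress.ip_address(source_ip)
        for cond_proto, net in self.conditions:
            if cond_proto != protocol:
                continue
            if net is None or (addr.version == net.version and addr in net):
                return True
        return False   # no matching condition: implicitly denied


def is_valid_condition(protocol, source):
    """Convenience wrapper: does this protocol/source pair pass add_condition's checks?"""
    try:
        ManagementAccessPolicy("match", [(protocol, source)])
        return True
    except ValueError:
        return False


def audit(policy):
    """Review findings a defender would raise about the management access list."""
    findings = []
    if policy.mode == "allow_all":
        findings.append("Allow All: management interface reachable from any source")
    protocols = {p for p, _ in policy.conditions}
    if policy.mode == "match" and "SNMP" not in protocols:
        findings.append("SNMP not permitted: ANM cannot poll this context")
    for proto, net in policy.conditions:
        where = "any" if net is None else str(net)
        if proto in CLEARTEXT:
            findings.append(f"{proto} permitted from {where}: cleartext management protocol")
        if net is None and proto not in ("ICMP", "ICMPV6"):
            findings.append(f"{proto} permitted from any source")
    return findings


def sample_policy():
    """Constructed sample list: admin subnet, one NMS host, IPv6 ping, and Telnet left open."""
    return ManagementAccessPolicy("match", [
        ("SSH", "10.10.0.0/24"),
        ("HTTPS", "10.10.0.0/24"),
        ("SNMP", "10.20.5.9/32"),
        ("ICMPv6", "2001:db8:1::/64"),
        ("TELNET", "any"),
    ])


if __name__ == "__main__":
    policy = sample_policy()
    for proto, src in [("ssh", "10.10.0.15"), ("ssh", "10.11.0.15"), ("snmp", "10.20.5.10")]:
        print(proto, src, "allowed" if policy.permits(proto, src) else "denied")
    for finding in audit(policy):
        print("review:", finding)
```

Because `permits` falls through to a deny, any protocol that is not listed (HTTP in the sample) is refused even from the admin subnet, which is the behaviour to expect from an allow-list. The `audit` pass is where the sample's `TELNET` from `any` entry shows up twice: once as a cleartext protocol and once as an unrestricted source.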
Related Topics
• Information About Virtual Contexts, page 6-2
• Configuring Virtual Contexts, page 6-8
Configuring Virtual Contexts
After creating a virtual context, you can configure it. Configuring a virtual context involves configuring
a number of attributes, grouped into configuration subsets.
The options that appear when you choose Config > Devices > context depend on the following:
• Type of ACE device associated with the context: ACE module or ACE appliance.
• Role associated with your account, such as Admin, Network-Admin, or SSL-Admin.
• Context that you are configuring; an Admin context or a user context.
Table 6-2 describes configuration options for Admin contexts for ACE modules and ACE appliances
although not all options are available for both types of devices.
Table 6-3 identifies the configuration options that are available for each ACE device type.
Note You cannot modify a virtual context when its CLI Sync Status is in the Import Failed state. You must
synchronize the context before you can make changes to it. You can view CLI Sync Status and
synchronize contexts from the Virtual Contexts table (Config > Devices > ACE).
Table 6-2 Virtual Context Configuration Options
Configuration Subset Description Related Topics
System The System configuration subset includes the
following:
• Primary attributes such as building block,
resource class, and VLAN options
• Syslog attributes that allow you to identify the
type and severity of syslog messages that are
to be logged, the syslog log host, log
messages, and log rate limits
• SNMP attributes
• Global policy maps for all VLANs on a virtual
context
• ACE license attributes that allow you to view,
install, remove, update, and copy licenses for
ACE hardware
• Resource classes that allow you to manage
virtual context access to individual ACE
devices
• Checkpoint (snapshot in time) of a known
stable running configuration
• Back up or restore the configuration and
dependencies of an entire ACE or of a
particular virtual context
Note ACE licenses and resource classes can be
configured in an Admin context only.
• Configuring Virtual Context Primary
Attributes, page 6-14
• Configuring Virtual Context Syslog Settings,
page 6-19
• Configuring SNMP for Virtual Contexts,
page 6-27
• Applying a Policy Map Globally to All VLAN
Interfaces, page 6-35
• Managing ACE Licenses, page 6-36
• Using Resource Classes, page 6-43
• Using the Configuration Checkpoint and
Rollback Service, page 6-54
• Performing Device Backup and Restore
Functions, page 6-59
• Performing Global Device Backup and Copy
Functions, page 6-68
Load Balancing Load-balancing attributes allow you to do the
following:
• Configure virtual servers, real servers, and
server farms for load balancing
• Establish the predictor method and return
code checking
• Implement sticky groups for session
persistence
• Configure parameter maps to combine related
actions for policy maps
• Configure NAT so that only one address for
the entire network to the outside world is
advertised
• Configure a secure keepalive-appliance
protocol (KAL-AP) associated with a virtual
context to enable communication between the
ACE and a Global Site Selector (GSS)
• Information About Load Balancing, page 7-1
• Configuring Virtual Servers, page 7-2
• Configuring Server Farms, page 8-30
• Configuring Health Monitoring for Real
Servers, page 8-51
• Configuring Sticky Groups, page 9-7
• Configuring Parameter Maps, page 10-1
• Configuring VLAN Interface NAT Pools,
page 12-26
• Configuring Secure KAL-AP, page 8-77
SSL Secure Sockets Layer (SSL) configuration options
allow you to import and export SSL certificates
and keys, set up SSL parameter maps and chain
group parameters, generate certificate signing
requests for submission to a certificate authority,
authenticate peer certificates, and configure
certificate revocation lists for use during client
authentication.
Note You cannot configure all SSL options in a
building block. Instead, configure them in
an Admin virtual context.
• Configuring SSL, page 11-1
• Using SSL Certificates, page 11-5
• Using SSL Keys, page 11-10
• Generating CSRs, page 11-26
• Configuring SSL Parameter Maps,
page 11-18
• Configuring SSL Chain Group Parameters,
page 11-23
• Configuring SSL Proxy Service, page 11-27
• Configuring SSL Authentication Groups,
page 11-31
• Configuring CRLs for Client Authentication,
page 11-33
Security Security configuration options enable you to
create access control lists, set access control list
(ACL) attributes, resequence ACLs, delete ACLs,
and configure object groups.
• Configuring Security with ACLs, page 6-78
• Creating ACLs, page 6-79
• Configuring Object Groups, page 6-89
Network Network configuration options allow you to
configure the following:
• VLAN interfaces
• Bridged-group virtual interfaces (BVI)
• Network Address Translation (NAT) pools for
a VLAN interface
• Static routes
• Dynamic host configuration protocol (DHCP)
relay agents
• Port channel interfaces
• Gigabit Ethernet interfaces
• Over 8,000 static network address translation
(NAT) configurations
• Configuring Virtual Context VLAN
Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces,
page 12-19
• Configuring VLAN Interface NAT Pools,
page 12-26
• Configuring Virtual Context Static Routes,
page 12-28
• Configuring Virtual Context BVI Interfaces,
page 12-19
• Configuring Port-Channel Interfaces for the
ACE Appliance, page 12-35
• Configuring Gigabit Ethernet Interfaces on
the ACE Appliance, page 12-32
• Configuring Static VLANs for Over 8000
Static NAT Configurations, page 12-31
High Availability High availability (HA) attributes allow you to
configure two ACE devices for fault-tolerant
redundancy and the tracking and detection of
failures for timely switchover.
Note You can set up high availability in an
Admin context only.
• Configuring ACE High Availability,
page 13-14
• Configuring ACE High Availability Peers,
page 13-15
• Configuring ACE High Availability Groups,
page 13-17
Table 6-2 Virtual Context Configuration Options (continued)
Configuration Subset Description Related Topics
HA Tracking and Failure Detection
HA tracking and failure detection attributes allow
you to configure tracking processes that can help
ensure reliable fault tolerance.
• ACE High Availability Tracking and Failure
Detection Overview, page 13-23
• Tracking ACE VLAN Interfaces for High
Availability, page 13-24
• Tracking Hosts for High Availability,
page 13-25
• Configuring ACE HSRP Groups, page 13-29
Role-Based Access Control
Role-based access control (RBAC) attributes
allow you to configure RBAC for individual
virtual contexts.
Note Virtual context RBAC is separate from
ANM RBAC. For information about ANM
RBAC, see the “How ANM Handles
Role-Based Access Control” section on
page 18-8.
• Configuring Device RBAC Users, page 5-53
• Configuring Device RBAC Roles, page 5-56
• Configuring Device RBAC Domains,
page 5-61
Expert Expert attributes allow you to configure traffic
policies and configure optimization action lists.
• Configuring Virtual Context Class Maps,
page 14-6
• Configuring Virtual Context Policy Maps,
page 14-32
• Configuring an HTTP Optimization Action
List, page 15-3
Table 6-3 Configuration Options by Device Type
Columns: Menu Option / ACE Module / ACE 4710 Appliance / Related Topic (X = available, – = not available)
System
Primary Attributes X X Configuring Virtual Context Primary Attributes, page 6-14
Syslog X X Configuring Virtual Context Syslog Settings, page 6-19
SNMP X X Configuring SNMP for Virtual Contexts, page 6-27
Global Policies X X Applying a Policy Map Globally to All VLAN Interfaces, page 6-35
Licenses X X Managing ACE Licenses, page 6-36
Application Acceleration and Optimization – X Configuring Global Application Acceleration and Optimization, page 15-9
Resource Classes X X Using Resource Classes, page 6-43
Checkpoints X X Using the Configuration Checkpoint and Rollback Service, page 6-54
Backup/Restore X X Performing Device Backup and Restore Functions, page 6-59
Load Balancing
Virtual Servers X X Configuring Virtual Servers, page 7-2
Real Servers X X Configuring Real Servers, page 8-5
Server Farms X X Configuring Server Farms, page 8-30
Health Monitoring X X Configuring Health Monitoring for Real Servers, page 8-51
Stickiness X X Configuring Sticky Groups, page 9-7
HTTP Parameter Maps X X Configuring HTTP Parameter Maps, page 10-9
Connection Parameter Maps X X Configuring Connection Parameter Maps, page 10-3
Optimization Parameter Maps – X Configuring Optimization Parameter Maps, page 10-12
Generic Parameter Maps X X Configuring Generic Parameter Maps, page 10-8
RTSP Parameter Maps X X Configuring RTSP Parameter Maps, page 10-20
SIP Parameter Maps X X Configuring SIP Parameter Maps, page 10-21
Skinny Parameter Maps X X Configuring Skinny Parameter Maps, page 10-23
Secure KAL-AP X X Configuring Secure KAL-AP, page 8-77
SSL
Setup Sequence X X SSL Setup Sequence, page 11-4
Certificates X X Using SSL Certificates, page 11-5
Keys X X Using SSL Keys, page 11-10
Parameter Map X X Configuring SSL Parameter Maps, page 11-18
Chain Group Parameters X X Configuring SSL Chain Group Parameters, page 11-23
CSR Parameters X X Configuring SSL CSR Parameters, page 11-24
Proxy Service X X Configuring SSL Proxy Service, page 11-27
Auth Group Parameters X X Configuring SSL Authentication Groups, page 11-31
Certificate Revocation Lists (CRLs) X X Configuring CRLs for Client Authentication, page 11-33
Security
ACLs X X Creating ACLs, page 6-79
Object Groups X X Configuring Object Groups, page 6-89
Network
Port Channel Interfaces – X Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35
Gigabit Ethernet Interfaces – X Configuring Gigabit Ethernet Interfaces on the ACE Appliance, page 12-32
VLAN Interfaces X X Configuring Virtual Context VLAN Interfaces, page 12-6
BVI Interfaces X X Configuring Virtual Context BVI Interfaces, page 12-19
NAT Pools X X Configuring VLAN Interface NAT Pools, page 12-26
Static Routes X X Configuring Virtual Context Static Routes, page 12-28
Global IP DHCP X X Configuring Global IP DHCP, page 12-29
Static NAT Overwrite X – Configuring Static VLANs for Over 8000 Static NAT Configurations, page 12-31
High Availability
Setup X X Configuring ACE High Availability Peers, page 13-15
HA Tracking And Failure Detection
Interfaces X X Tracking ACE VLAN Interfaces for High Availability, page 13-24
Hosts X X Tracking Hosts for High Availability, page 13-25
HSRP Groups X X Configuring ACE HSRP Groups, page 13-29
Role-Based Access Control
Users X X Configuring Device RBAC Users, page 5-53
Roles X X Configuring Device RBAC Roles, page 5-56
Domains X X Configuring Device RBAC Domains, page 5-61
Expert
Class Maps X X Configuring Virtual Context Class Maps, page 14-6
Policy Maps X X Configuring Virtual Context Policy Maps, page 14-32
Action List X X Configuring an HTTP Header Modify Action List, page 14-85; Configuring an HTTP Optimization Action List, page 15-3
Configuring Virtual Context System Attributes
This section shows how to configure the ACE virtual context system attributes, which are as follows:
• Virtual context primary attributes—See Configuring Virtual Context Primary Attributes, page 6-14.
• Syslog
– Configuring Virtual Context Syslog Settings, page 6-19
– Configuring Syslog Log Hosts, page 6-23
– Configuring Syslog Log Messages, page 6-24
– Configuring Syslog Log Rate Limits, page 6-26
• SNMP
– Configuring SNMP for Virtual Contexts, page 6-27
– Configuring SNMPv2c Communities, page 6-28
– Configuring SNMPv3 Users, page 6-29
– Configuring SNMP Trap Destination Hosts, page 6-32
– Configuring SNMP Notification, page 6-33
• Global policy maps for all VLANs on a virtual context—See Applying a Policy Map Globally to All
VLAN Interfaces, page 6-35.
• ACE licenses—See Managing ACE Licenses, page 6-36.
• ACE resource classes—See Using Resource Classes, page 6-43.
For ACE appliances, you can also configure global application acceleration and optimization. See the
“Configuring Global Application Acceleration and Optimization” section on page 15-9.
Configuring Virtual Context Primary Attributes
Primary attributes allow you to configure essential information for each virtual context including a
name, VLANs, a management IP address, and allowed protocols. After providing this information, you
can configure other attributes, such as interfaces, load-balancing, or SSL. For a complete list of the
configurable items, see the “Configuring Virtual Contexts” section on page 6-8.
Procedure
Step 1 Choose Config > Devices > context > System > Primary Attributes.
The Primary Attributes configuration window appears.
Step 2 In the Primary Attributes configuration window, enter the primary attributes for this virtual context using
the information in Table 6-4.
Certain attribute fields are read-only for existing contexts.
Click Basic Settings, Management Settings, or More Settings to access the additional configuration
attributes. By default, ANM hides these groups of configuration attributes.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 6-4 Primary Attributes Configuration Attributes
Field Description
Basic Settings
Name Unique name for the virtual context.
This field is read-only for existing contexts.
Description Brief description of the virtual context. Enter a description as an unquoted text string with a
maximum of 240 alphanumeric characters.
Resource Class Resource class that this virtual context is to use. Click View to see the details of the selected
resource class (Resource, Minimum, and Maximum).
Allocated VLANs Number of a VLAN or a range of VLANs that contain traffic for the context to receive. You
can specify VLANs in any of the following ways:
• For a single VLAN, enter an integer from 2 to 4096.
• For multiple, nonsequential VLANs, use comma-separated entries, such as 101, 201, 302.
• For a range of VLANs, use the format -, such as
101-150.
Note VLANs cannot be modified in an Admin context.
This field is read-only if configured for existing contexts.
Default Gateway IP for IPv4 IPv4 address of the default gateway. Use a comma-separated list to specify multiple IP
addresses, such as 192.168.65.1, 192.168.64.2.
Default static routes with a netmask and IP address of 0.0.0.0 previously configured on the
ACE appear in this field.
Default Gateway IP for IPv6 Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later.
IPv6 address of the default gateway or choose the forward VLAN interface or BVI, as follows:
• IPv6 Address field—Enter the address of the gateway router (the next-hop address for this
route). Then, use the right arrow to move it to the Selected field. You can enter a maximum
of eight addresses including a selected VLAN or BVI through the Outgoing Interfaces
setting.
Default static routes with a prefix and IP address of ::0 previously configured on the ACE
appear in the Selected field.
• Outgoing Interfaces—Select either VLAN or BVI (used for the link-local address only), and
then select the Interface Number for the VLAN or BVI.
Enable High Availability Context for use in a high availability (HA) group.
Note This field is unavailable if the associated FT interface is not configured or if the ACE
peer is not known. See Chapter 13, “Configuring High Availability” for details on
ACE HA groups.
Management Settings
VLAN Id VLAN number that you want to assign to the management interface. Valid values are from 2
to 4094. By default, all devices are assigned to VLAN1, known as the default VLAN.
ANM identifies the management class maps and policy maps associated with the selected
VLAN ID assigned to the management interface.
This field is read-only if configured for existing contexts.
VLAN Description Description for the management interface. Enter an unquoted text string that contains a
maximum of 240 alphanumeric characters including spaces.
Interface Mode Topology that reflects the relationship of the selected ACE virtual context to the real servers
in the network:
• Routed—The ACE virtual context acts as a router between the client-side network and
the server-side network. In this topology, every real server for the application must be
routed through the ACE virtual context, either by setting the default gateway on each real
server to the virtual context server-side VLAN interface address, or by using a separate
router with appropriate routes configured between the ACE virtual context and the real
servers.
• Bridged—The virtual ACE bridges two VLANs—a client-side VLAN and a real-server
VLAN—on the same subnet using a bridged virtual interface (BVI). In this case, the real
server routing does not change to accommodate the ACE virtual context. Instead, the
virtual ACE transparently handles traffic to and from the real servers.
This field is read-only if configured for existing contexts.
Management IP IPv4 address that is to be used for remote management of the context.
Note ANM considers an interface as a management interface if it has a management policy
map associated with the VLAN interface. See the “Configuring Virtual Context VLAN
Interfaces” section on page 12-6.
Management Netmask Subnet mask to apply to this IP address.
Alias IP Address IP address of the alias this interface is associated with.
Peer IP Address IP address of the remote peer.
Access Permission List of source IP addresses that are allowed on the management interface:
• Allow All—Allows all configured client source IP addresses on the management interface
as the network traffic matching criteria.
• Deny All—Denies all configured client source IP addresses on the management interface
as the network traffic matching criteria.
• Match—Displays the Match Conditions table, where you specify the match criteria that
the ACE is to use for traffic on the management interface.
Match Conditions Match Conditions table that appears when you choose Match as the Access Permission
selection.
To add or modify the protocols allowed on this management VLAN, do the following:
1. Click Add to choose a protocol for the management interface, or choose an existing
protocol entry listed in the Match Conditions table and click Edit to modify it.
2. In the Protocol drop-down list, choose a protocol:
– HTTP—Specifies the Hypertext Transfer Protocol (HTTP).
– HTTPS—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for
connectivity with the ANM interface using port 443.
– ICMP—Specifies the Internet Control Message Protocol (ICMP) for Internet
Protocol version 4 (IPv4)
– ICMPv6—Option that appears only for ACE module and ACE appliance software
Version A5(1.0) or later. Specifies the Internet Control Message Protocol version 6
(ICMPv6) for Internet Protocol version 6 (IPv6).
– KALAP-UDP—Specifies the Keepalive Appliance Protocol over UDP.
– SNMP—Specifies the Simple Network Management Protocol (SNMP).
Note If SNMP is not selected, ANM cannot poll the context.
– SSH—Specifies a Secure Shell (SSH) connection to the ACE.
– TELNET—Specifies a Telnet connection to the ACE.
– XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving
XML documents between the ACE appliance and a Network Management System
(NMS) using port 10443. This option is available for ACE appliances only.
3. In the Allowed From field, specify the matching criteria for the client source IP address:
– Any—Specifies any client source address for the management traffic classification.
– Source Address—Specifies a client source host IP address and subnet mask as the
network traffic matching criteria.
4. Click OK to accept the protocol selection (or click Cancel to exit without accepting your
entries).
Note To remove a protocol from the management VLAN, choose the entry in the Match
Conditions table, and click Delete.
Enable SNMP Get Check box to add an SNMP Get community string to enable SNMP polling on this context.
This field is read-only if configured for existing contexts.
SNMP v2c Read-Only Community String Field that appears when you check the Enable SNMP Get check box.
Enter the SNMPv2c read-only community string to be used as the SNMP Get community string.
This field is read-only if configured for existing contexts.
Enable SNMP Trap Check box to add an SNMP community string for ANM to receive traps from this context.
This field is read-only if configured for existing contexts.
SNMP Community Field that appears when you check the Enable SNMP Trap check box.
Enter the SNMPv1 or SNMPv2c read-only community string or the SNMPv3 user name that
is to be used as the SNMP trap.
This field is read-only if configured for existing contexts.
Enable Syslog Notification Check box to either enable or disable syslog logging.
More Settings
Switch Mode Feature that applies only to the ACE module A2(1.1), ACE appliance A4(1.0), or later releases
of either device type. Choose Switch Mode to change the way that the ACE processes TCP
connections that are not destined to a VIP or that do not have any policies associated with their
traffic. For such traffic, the ACE still creates connection objects but processes the connections
as stateless connections, which means that they do not undergo any TCP normalization
checks. With this option enabled, the ACE also creates stateless connections for non-SYN
TCP packets if they satisfy all other configured requirements. This process ensures that a
long-lived persistent connection passes through the ACE successfully (even if it times out) by
being reestablished by any incoming packet related to the connection.
By default, these stateless connections time out after 2 hours and 15 minutes unless you
configure the inactivity timeout otherwise in a parameter map. When a stateless connection
times out, the ACE does not send a TCP RST packet but silently closes the connection. Even
though these connections are stateless, the TCP RST and FIN-ACK flags are honored and the
connections are closed when the ACE sees these flags in the received packets.
Shared VLAN Host Id Field that is available in the Admin context only. Specific bank of MAC addresses that the ACE
uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple
ACEs.
Regex Compilation Timeout (minutes) Timeout setting for regular expression (regex) compilation. When you configure a regex and
its compilation takes longer than the configured timeout, the ACE stops the regex
compilation. Enter a value from 1 to 500 minutes. The default timeout is 60 minutes. This
option is available only in the Admin context.
Building Block To Apply Configuration building block to apply to this context. For information about building blocks,
see Chapter 16, “Using Configuration Building Blocks.”
Step 3 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Virtual Contexts table.
Related Topics
• Information About Virtual Contexts, page 6-2
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces, page 12-19
• Configuring Virtual Context Syslog Settings, page 6-19
• Configuring Traffic Policies, page 14-1
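The Access Permission and Match Conditions fields above decide which management protocols the context accepts and from which client source addresses. The following Python models that evaluation so the effect of an Allow All, Deny All or Match setting can be checked before deployment; it is an added illustration, not ANM or ACE code, and the protocol names come from the Protocol drop-down list while the addresses and the example policy are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Protocols offered in the Match Conditions Protocol drop-down list.
PROTOCOLS = {"HTTP", "HTTPS", "ICMP", "ICMPv6", "KALAP-UDP", "SNMP",
             "SSH", "TELNET", "XML-HTTPS"}


@dataclass(frozen=True)
class MatchCondition:
    """One row of the Match Conditions table: a protocol plus an Allowed From
    value, which is either Any (source is None) or 'address mask'."""
    protocol: str
    source: Optional[str] = None

    def matches(self, protocol: str, client_ip: str) -> bool:
        if protocol != self.protocol:
            return False
        if self.source is None:                 # Allowed From = Any
            return True
        addr, mask = self.source.split()        # Source Address: host IP and subnet mask
        network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network


@dataclass
class ManagementAccess:
    """Access Permission setting for the management interface."""
    permission: str                             # "Allow All", "Deny All" or "Match"
    conditions: List[MatchCondition] = field(default_factory=list)

    def permits(self, protocol: str, client_ip: str) -> bool:
        """True if a management session of this protocol from client_ip is accepted."""
        if protocol not in PROTOCOLS:
            raise ValueError(f"unknown management protocol {protocol!r}")
        if self.permission == "Allow All":
            return True
        if self.permission == "Deny All":
            return False
        # Match: traffic is accepted only if some condition row matches it.
        return any(c.matches(protocol, client_ip) for c in self.conditions)


def example_policy() -> ManagementAccess:
    """Constructed least-privilege policy (addresses are placeholders):
    SNMP only from the ANM server so ANM can still poll the context,
    SSH and HTTPS only from the admin subnet, ICMP from anywhere,
    and no TELNET row at all, so Telnet is never accepted."""
    return ManagementAccess("Match", [
        MatchCondition("SNMP", "10.0.0.5 255.255.255.255"),
        MatchCondition("SSH", "10.0.10.0 255.255.255.0"),
        MatchCondition("HTTPS", "10.0.10.0 255.255.255.0"),
        MatchCondition("ICMP"),
    ])


if __name__ == "__main__":
    policy = example_policy()
    for proto, ip in [("SNMP", "10.0.0.5"), ("SNMP", "10.0.0.6"),
                      ("SSH", "10.0.10.77"), ("TELNET", "10.0.10.77")]:
        print(f"{proto:7s} from {ip:12s} -> {policy.permits(proto, ip)}")
```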
Configuring Virtual Context Syslog Settings
ANM uses syslog logging to send log messages to a process that logs messages to designated locations
asynchronously to the processes that generated the messages.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > Syslog.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > Syslog.
The Syslog configuration window appears.
Step 2 In the Syslog configuration window, enter the syslog logging attributes in the displayed fields (see
Table 6-6).
All fields that require you to choose syslog severity levels use the values in Table 6-5.
The severity level that you specify indicates that you want syslog messages at that level and the more
severe levels. For example, if you specify Error, syslog displays Error, Critical, Alert, and Emergency
messages.
Note Setting all syslog levels to Debug during normal operations can degrade overall performance.
Table 6-5 Syslog Logging Levels
Severity Description
0-Emergency Unusable system
1-Critical Critical condition
2-Warning Warning condition
3-Alert Immediate action required
4-Error Error condition
5-Notification Normal but significant condition
6-Information Informational message only
7-Debug Appears only during debugging
Table 6-6 Virtual Context Syslog Configuration Attributes
Field Description Action
Enable Syslog Option that determines whether syslog
logging is enabled or disabled.
Check the check box to enable syslog logging or clear
the check box to disable syslog logging.
Facility Syslog daemon that uses the specified
syslog facility to determine how to
process the messages it receives. Syslog
servers file or direct messages based on
the facility number in the message.
For more information on the syslog
daemon and facility levels, see your
syslog daemon documentation.
Enter the facility appropriate for your network.
Valid entries are 0 (LOCAL0) through 23 (LOCAL7).
The default for ACE is 20 (LOCAL4).
Buffered Level Option that enables system logging to a
local buffer and limits the messages sent
to the buffer based on severity.
Choose the desired level for sending system log
messages to a local buffer.
By default, logging to a buffer is disabled on the ACE.
Console Level Option that specifies the maximum level
for system log messages sent to the
console.
Choose the desired level for sending system log
messages to the console.
By default, ACE does not display syslog messages
during console sessions.
Note Logging to the console can degrade system
performance. We recommend that you log
messages to the console only when you are
testing or debugging problems. Do not use this
option when the network is busy, because it can
reduce ACE performance.
History Level Option that specifies the maximum level
for system log messages sent as traps to
an SNMP network management station.
Choose the desired level for sending system log
messages as traps to an SNMP network management
station.
By default, the ACE does not send traps and inform
requests to an SNMP network management station.
Monitor Level Option that specifies the maximum level
for system log messages sent to a remote
connection using Secure Shell (SSH) or
Telnet on the ACE.
Choose the desired level for sending system log
messages to a remote connection using SSH or Telnet
on the ACE.
By default, logging to a remote connection using SSH
or Telnet is disabled on the ACE.
Note You must enable remote access on the ACE and
establish a remote connection using the SSH or
Telnet protocol from a PC for this option to
work.
Persistence Level Option that specifies the maximum level
for system log messages sent to Flash
memory.
Choose the desired level for sending system log
messages to Flash memory.
By default, logging to Flash memory is disabled on the
ACE.
Note We recommend that you use a lower severity
level, such as 3, because logging at a high rate
to Flash memory on the ACE might impact
performance.
Trap Level Option that specifies the maximum level
for system log messages sent to a syslog
server.
Choose the desired level for sending system log
messages to a syslog server.
By default, logging to a syslog server is disabled on the
ACE.
Supervisor Level Option that specifies the maximum level
for system log messages sent to the
supervisor module on the Catalyst 6500
series chassis.
Note This option does not appear for
ACE appliances or ACE
4710-type configuration building
blocks.
Choose the desired level for sending system log
messages to the supervisor module on the Catalyst
6500 series chassis.
Note We recommend that you use a lower severity
level, such as 3, because logging at a high rate
to the supervisor module might impact
performance of the Catalyst 6500 series
chassis.
Queue Size Option that specifies the size of the queue
for storing syslog messages in the
message queue while they await
processing.
Enter the desired queue size.
Valid entries are from 0 to 8192 messages.
The default is 80 messages.
Enable Timestamp Option that determines whether syslog
messages should include the date and
time that the message was generated.
Choose the check box to enable time stamps on syslog
messages or clear the check box to disable time stamps
on syslog messages.
By default, time stamps are not included on syslog
messages.
Enable Standby Option that determines whether logging is enabled on the
failover standby ACE. When enabled:
• This feature causes twice the
message traffic on the syslog server.
• The standby ACE syslog messages
remain synchronized if failover
occurs.
Choose the check box to enable logging on the failover
standby ACE or clear the check box to disable logging
on the failover standby ACE.
Enable Fastpath Logging Option that determines whether or not
connection setup and teardown messages
are logged.
Check the check box to enable the logging of setup and
teardown messages or clear the check box to disable
the logging of setup and teardown messages.
By default, the ACE does not log connection startup
and teardown messages.
Reject New Connection When TCP Queue Full Option that indicates whether or not the
ACE rejects new connections when the
TCP queue is full.
This option is not applicable to ACE 4710 appliances
running image A3(x.x).
Check the check box to reject new connections when
the syslog daemon can no longer reach the TCP syslog
server.
Clear the check box to disable this feature.
This option is enabled by default.
Reject New Connection When Rate Limit Reached Option that indicates whether or not the
ACE rejects new connections when the
syslog message rate is reached.
This option is not applicable to ACE 4710 appliances
running image A3(x.x).
Check the check box to reject new connections when
the syslog message rate is reached.
Clear the check box to disable this feature.
This option is disabled by default.
Reject New Connection When Control Plane Buffer Full Option that indicates whether or not the
ACE rejects new connections when the
syslog daemon buffer is full.
This option is not applicable to ACE 4710 appliances
running image A3(x.x).
Check the check box to reject new connections when
the syslog daemon buffer is full.
This option is disabled by default.
Device Id Type Option that specifies the type of unique
device identifier to be included in syslog
messages sent to the syslog server.
The device identifier does not appear in
EMBLEM-formatted messages, SNMP
traps, or on the ACE console,
management session, or buffer.
Choose the type of device identifier to use:
• Any String—Text string that you specify to
uniquely identify the syslog messages sent from
the ACE. If you choose this option, enter the text
string to use in the Logging Device Id field.
• Context Name—Name of the current virtual
context used to uniquely identify the syslog
messages sent from the ACE.
• Host Name—Hostname of the ACE used to
uniquely identify the syslog messages sent from
the ACE.
• Interface—IP address of the interface used to
uniquely identify the syslog messages sent from
the ACE. If you choose this option, enter the name
of the interface in the Device Interface Name field.
• Undefined—No identifier is used.
Device Interface Name Field that appears when the Device ID
Type is Interface.
This option specifies the interface to be
used to uniquely identify syslog messages
sent from the ACE.
Enter the device interface name to use to uniquely
identify syslog messages sent from the ACE. Valid
entries are 1 to 64 characters with no spaces.
Syslog messages sent to an external server contain the
IP address of the interface specified, regardless of
which interface the ACE uses to send the log data
to the external server.
Logging Device Id Field that appears when the Device ID
Type is Any String.
This option specifies the text string to use
to uniquely identify syslog messages sent
from the ACE.
Enter a text string that uniquely identifies the syslog
messages sent from the ACE. The maximum string
length is 64 characters without spaces. Do not use the
following characters: & (ampersand), ' (single quote),
" (double quote), < (less than), > (greater than), or ?
(question mark).
Step 3 Do the following:
• For virtual contexts, click Deploy Now to deploy this configuration on the ACE and save your
entries to the running-configuration and startup-configuration files, or choose another option to exit
the procedure without saving your entries.
• For configuration building blocks, click Save to save your entries or Cancel to exit the procedure
without saving your entries.
Related Topics
• Configuring Syslog Log Hosts, page 6-23
• Configuring Syslog Log Messages, page 6-24
• Configuring Syslog Log Rate Limits, page 6-26
Configuring Syslog Log Hosts
You can configure syslog log hosts. After configuring basic syslog characteristics (see the “Configuring
Virtual Context Syslog Settings” section on page 6-19), you can configure the log host, log messages,
and log rate limits.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > Syslog.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > Syslog.
The Syslog configuration window appears.
Step 2 In the Syslog configuration window, click the Log Host tab.
The Log Host table appears.
Step 3 In the Log Host table, click Add to add a new log host, or choose an existing log host, and click Edit to
modify it.
The New Log Host configuration window appears.
Step 4 In the New Log Host configuration window IP Address field, enter the IP address of the host to use as
the syslog server.
Step 5 In the Protocol field, choose TCP or UDP as the protocol to use.
Step 6 In the Protocol Port field, enter the number of the port that the syslog server listens to for syslog
messages.
Valid entries are from 1 to 65535. The default port for TCP is 1470 and for UDP it is 514.
Step 7 Check the Default UDP check box, which appears if TCP is selected in the Protocol field (Step 5), to
specify that the ACE is to default to UDP if the TCP transport fails to communicate with the syslog
server.
Uncheck this check box to prevent the ACE from defaulting to UDP if the TCP transport fails.
Step 8 In the Format field, choose one of the following:
• N/A if you do not want to use EMBLEM-format logging.
• Emblem to enable EMBLEM-format logging for each syslog server.
If you use Cisco Resource Manager Essentials (RME) software to collect and process syslog
messages on your network, enable EMBLEM-format logging so that RME can handle them.
Similarly, UDP needs to be enabled because the Cisco Resource Manager Essentials (RME) syslog
analyzer supports only UDP syslog messages.
Step 9 Do one of the following:
• Deploy Now to immediately deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. This option appears for virtual contexts.
• OK to save your entry. This option appears for configuration building blocks.
• Cancel to exit the procedure without saving your entries and to return to the Log Host table.
• Next to configure another syslog host.
Related Topics
• Configuring Virtual Context Syslog Settings, page 6-19
• Configuring Syslog Log Messages, page 6-24
• Configuring Syslog Log Rate Limits, page 6-26
Configuring Syslog Log Messages
You can configure syslog log messages. After configuring basic syslog characteristics (see the
“Configuring Virtual Context Syslog Settings” section on page 6-19), you can configure the log host, log
messages, and log rate limits.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > Syslog.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > Syslog.
The Syslog configuration window appears.
Step 2 In the Syslog configuration window, click the Log Message tab.
The Log Message table appears.
Step 3 In the Log Message table, click Add to add a new entry to this table, or choose an existing entry, and
click Edit to modify it.
The Log Message configuration window appears.
Step 4 In the Message Id field, choose the system log message ID of the syslog messages that are to be sent to
the syslog server or that are not to be sent to the syslog server.
Step 5 Check the Enable State check box to enable logging for the specified message ID or uncheck it to
disable logging for the specified message ID.
If you check the Enable State check box, the Log Level field appears.
Step 6 In the Log Level field, choose the desired level of syslog messages to be sent to the syslog server, using
the levels identified in Table 6-5.
Step 7 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entry. This option appears for configuration building blocks.
• Click Cancel to exit the procedure without saving your entries and to return to the Log Message
table.
• Click Next to deploy your entries and to configure additional syslog message entries for this virtual
context.
Related Topics
• Configuring Virtual Contexts, page 6-8
• Configuring Virtual Context Syslog Settings, page 6-19
• Configuring Syslog Log Hosts, page 6-23
• Configuring Syslog Log Rate Limits, page 6-26
Configuring Syslog Log Rate Limits
You can configure syslog log rate limits after configuring basic syslog characteristics (see the
“Configuring Virtual Context Syslog Settings” section on page 6-19).
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > Syslog.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > Syslog.
The Syslog configuration window appears.
Step 2 Click the Log Rate Limit tab.
The Log Rate Limit table appears.
Step 3 In the Log Rate Limit table, click Add to add a new entry to this table, or choose an existing entry, and
click Edit to modify it.
The Log Rate Limit configuration window appears.
Step 4 In the Type field of the Log Rate Limit configuration window, choose the method by which syslog
messages are to be limited:
• Level—Syslog messages are limited by syslog level. In the Level field, choose the level of syslog
messages to be sent to the syslog server, using the levels identified in Table 6-5.
• Message—Syslog messages are limited by message identification number. In the Message Id field,
choose the syslog message ID of the messages whose reporting you want to suppress.
Step 5 Check the Unlimited check box to apply no limits to system message logging or uncheck it to apply
limits to system message logging.
If you uncheck the Unlimited check box, the Rate and Time Interval fields appear.
Step 6 (Optional) If you uncheck the Unlimited check box, specify the limits to apply to system message
logging as follows:
a. In the Rate field, enter the number at which the system log messages are to be limited. When this limit
is reached, the ACE rejects new syslog messages. Valid entries are from 0 to 2147483647.
b. In the Time Interval (Seconds) field, enter the length of time (in seconds) over which the system
message logs are to be limited. For example, if you enter 42 in the Rate field and 60 in the Time Interval
field, the ACE rejects any syslog messages that arrive after the first 42 messages in that 60-second period.
Valid entries are from 0 to 2147483647 seconds.
Step 7 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entry. This option appears for configuration building blocks.
• Click Cancel to exit the procedure without saving your entries and to return to the Log Rate Limit
table.
• Click Next to deploy your entries and to add another entry to the Log Rate Limit table.
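The severity rule from the Syslog Settings procedure (a chosen level passes messages at that level and the more severe levels) and the Rate and Time Interval example in Step 6 above (42 messages per 60 seconds, later messages in that period rejected) can be modelled as a short simulation. The following Python is an added illustration, not ANM or ACE code; it uses the standard RFC 5424 severity numbering for comparison, and the message IDs, timestamps and message texts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Standard syslog severities (RFC 5424): a lower number means more severe.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}


@dataclass
class SyslogMessage:
    ts: int        # seconds since the start of the constructed capture
    msg_id: int    # message identification number (constructed value)
    severity: str  # a key of SEVERITY
    text: str


class RateLimit:
    """Fixed-window limiter matching the Rate / Time Interval (Seconds) pair:
    at most `rate` messages per `interval`; the rest of the window is rejected,
    not queued, and the counter restarts in the next interval."""

    def __init__(self, rate: int, interval: int) -> None:
        self.rate, self.interval = rate, interval
        self._window: Optional[int] = None
        self._count = 0

    def allow(self, ts: int) -> bool:
        window = ts // self.interval
        if window != self._window:          # new interval: counter restarts
            self._window, self._count = window, 0
        self._count += 1
        return self._count <= self.rate


class SyslogPolicy:
    """One destination's level threshold plus Log Rate Limit entries of
    Type = Level and Type = Message, and Log Message entries with Enable
    State unchecked."""

    def __init__(self, level: str) -> None:
        self.threshold = SEVERITY[level]
        self.level_limits: Dict[int, RateLimit] = {}
        self.message_limits: Dict[int, RateLimit] = {}
        self.disabled_ids: Set[int] = set()

    def limit_by_level(self, level: str, rate: int, interval: int) -> None:
        self.level_limits[SEVERITY[level]] = RateLimit(rate, interval)

    def limit_by_message(self, msg_id: int, rate: int, interval: int) -> None:
        self.message_limits[msg_id] = RateLimit(rate, interval)

    def decide(self, m: SyslogMessage) -> str:
        """Return 'sent' or the reason the message is not forwarded."""
        sev = SEVERITY[m.severity]
        if m.msg_id in self.disabled_ids:
            return "disabled-id"
        if sev > self.threshold:            # less severe than the chosen level
            return "below-threshold"
        lim = self.message_limits.get(m.msg_id) or self.level_limits.get(sev)
        if lim is not None and not lim.allow(m.ts):
            return "rate-limited"
        return "sent"

    def apply(self, msgs: List[SyslogMessage]) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for m in msgs:
            verdict = self.decide(m)
            counts[verdict] = counts.get(verdict, 0) + 1
        return counts


def demo() -> Dict[str, int]:
    """Trap Level = Informational; constructed message ID 302022 limited to
    42 per 60 s as in Step 6; one constructed ID disabled outright."""
    policy = SyslogPolicy("informational")
    policy.limit_by_message(302022, rate=42, interval=60)
    policy.disabled_ids.add(111008)
    msgs = [SyslogMessage(ts=i, msg_id=302022, severity="informational",
                          text=f"Built TCP connection {i}") for i in range(50)]
    msgs.append(SyslogMessage(10, 711001, "debug", "trace"))       # below Informational
    msgs.append(SyslogMessage(11, 111008, "notice", "cmd"))        # Enable State unchecked
    msgs.append(SyslogMessage(12, 106023, "error", "ACL deny"))    # more severe: passes
    msgs.append(SyslogMessage(65, 302022, "informational", "Built TCP connection 50"))
    return policy.apply(msgs)   # {'sent': 44, 'rate-limited': 8, 'below-threshold': 1, 'disabled-id': 1}


if __name__ == "__main__":
    print(demo())
```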
Related Topics
• Configuring Virtual Contexts, page 6-8
• Configuring Virtual Context Syslog Settings, page 6-19
• Configuring Syslog Log Hosts, page 6-23
• Configuring Syslog Log Messages, page 6-24
Configuring SNMP for Virtual Contexts
This section describes how to configure the SNMP attributes for a virtual context and contains the
following topics:
• Configuring Basic SNMP Attributes, page 6-27
• Configuring SNMPv2c Communities, page 6-28
• Configuring SNMPv3 Users, page 6-29
• Configuring SNMP Trap Destination Hosts, page 6-32
• Configuring SNMP Notification, page 6-33
Configuring Basic SNMP Attributes
You can configure the basic SNMP attributes for use with a virtual context.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > SNMP.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > SNMP.
The SNMP configuration window appears.
Step 2 In the SNMP configuration window, configure the basic SNMP attributes using the information in
Table 6-7.
Table 6-7 SNMP Attributes
Field Description
Contact Information Contact information for the SNMP server as a text string with a maximum of 240 characters
including spaces. In addition to a name, you might want to include a phone number or email
address. If spaces are included, add quotation marks at the beginning and end of the entry.
Location Physical location of the system as a text string with a maximum of 240 characters including
spaces. If spaces are included, add quotation marks at the beginning and end of the entry.
Unmask Community Checkbox that allows you to unmask the snmpCommunityName and
snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB. By default, they are
masked (check box is unchecked). Check the checkbox to unmask them.
Trap Source Interface VLAN that identifies the interface from which SNMP traps originate.
IETF Trap Check box to enable the ACE to send linkUp and linkDown traps with the IETF standard
IF-MIB (RFC 2863) variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus.
Uncheck the check box to not allow the ACE to send linkUp and linkDown traps with the IETF
standard IF-MIB (RFC 2863) variable bindings. Instead, the ACE sends Cisco var-binds by
default.
Step 3 Do one of the following:
• For virtual contexts, click Deploy Now to deploy this configuration on the ACE and save your
entries to the running-configuration and startup-configuration files, or choose another configuration
option to exit the procedure without saving your entries.
• For configuration building blocks, click OK to save your entries or choose another configuration
option to exit the procedure without saving your entries.
Step 4 If you chose Deploy Now in Step 3, configure the SNMP device access credentials as described in the
“Configuring Device Access Credentials” section on page 5-29.
Related Topics
• Configuring Virtual Contexts, page 6-8
• Configuring SNMPv2c Communities, page 6-28
• Configuring SNMPv3 Users, page 6-29
• Configuring SNMP Trap Destination Hosts, page 6-32
• Configuring SNMP Notification, page 6-33
Configuring SNMPv2c Communities
You can configure SNMP communities for a virtual context or configuration building block after
configuring basic SNMP information for a virtual context (see the “Configuring Basic SNMP Attributes”
section on page 6-27).
Note All SNMP communities in ANM are read-only communities and all communities belong to the group
network monitors.
Assumption
You have configured at least one SNMP contact (see the “Configuring Basic SNMP Attributes” section
on page 6-27).
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > SNMP.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > SNMP.
The SNMP configuration window appears.
Step 2 In the SNMP configuration window, click the SNMPv2c Configuration tab.
The SNMPv2c Configuration table appears.
Step 3 From the SNMPv2c Configuration table, configure a read-only community string as follows:
• To make “public” the read-only community string, click the associated radio button and click
Deploy Now. By default, this radio button is selected. Because “public” is the universal default and
the first string that every SNMP scanner tries, create a unique community string instead unless the
ACE is reachable only from a tightly controlled management network.
• To create a read-only community string, do the following:
a. In the SNMPv2c Configuration table, click Add to add an SNMPv2c read-only community string.
The New SNMPv2c Configuration window appears.
Note You cannot modify an existing SNMPv2c community string. Instead, delete the existing
SNMP v2c community string, and then add a new one.
b. In the Read-Only Community field of the New SNMPv2c Configuration window, enter the
SNMPv2c read-only community name.
Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.
c. Do one of the following:
– Click Deploy Now to immediately deploy this configuration on the ACE and save your entries
to the running-configuration and startup-configuration files. This option appears for virtual
contexts.
– Click OK to save your entry. This option appears for configuration building blocks.
– Click Cancel to exit this procedure without saving your entry and to return to the SNMP v2c
Community String table.
– Click Next to deploy your entry and to configure another SNMP community string. The window
refreshes and you can enter another community string.
Related Topics
• Configuring Virtual Contexts, page 6-8
• Configuring Basic SNMP Attributes, page 6-27
• Configuring SNMPv3 Users, page 6-29
• Configuring SNMP Trap Destination Hosts, page 6-32
• Configuring SNMP Notification, page 6-33
Configuring SNMPv3 Users
You can configure SNMP version 3 users for a virtual context or configuration building block after
configuring basic SNMP information for a virtual context (see the “Configuring Basic SNMP Attributes”
section on page 6-27).
Assumption
You have configured at least one SNMP contact (see the “Configuring Basic SNMP Attributes” section
on page 6-27).
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > SNMP.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > SNMP.
The SNMP configuration window appears.
Step 2 In the SNMP configuration window, click the SNMPv3 Configuration tab.
The SNMP v3 Configuration table appears.
Step 3 In the SNMP v3 Configuration table, click Add to add users, or choose an existing entry in the SNMPv3
Configuration table, and click Edit to modify it.
The SNMP v3 Configuration window appears.
Step 4 In the SNMP v3 Configuration window, enter SNMP user attributes using the information in Table 6-8.
Table 6-8 SNMP User Configuration Attributes
Field Description
User Name SNMP username. Valid entries are unquoted text strings with no spaces and a maximum of 24
characters.
Authentication Algorithm Authentication algorithm to be used for this user:
• N/A—No authentication algorithm is used.
• Message Digest 5 (MD5)—Message Digest 5 is used as the authentication mechanism.
• Secure Hash Algorithm (SHA)—Secure Hash Algorithm is used as the authentication
mechanism.
Both choices are the HMAC-based protocols of the SNMPv3 User-based Security Model (RFC 3414,
HMAC-MD5-96 and HMAC-SHA-96). Prefer SHA; keep MD5 only where an older management station
requires it.
Authentication Password Field that appears if you choose an authentication algorithm.
Enter the authentication password for this user. Valid entries are unquoted text strings with no
spaces. This password must have at least 8 characters. If use of a localized key is disabled or
N/A, you can enter a maximum of 64 characters. If use of a localized key is enabled, you can
enter a maximum of 130 characters.
The ACE automatically updates the password for the CLI user of the same name with the SNMP
authentication password, so this value is also an administrative login credential and must be
protected as one.
Confirm Field that appears if you choose an authentication algorithm.
Reenter the authentication password.
Localized Field that appears if you choose an authentication algorithm.
Specify whether the password is entered in localized key format (the key already derived from the
passphrase and bound to the snmpEngineID of this ACE, as defined in RFC 3414) rather than as a
cleartext passphrase:
• N/A—This option is not configured.
• False—The password is a cleartext passphrase, not a localized key.
• True—The password is a localized key.
Privacy Field that appears if you choose an authentication algorithm.
Specify whether encryption attributes are to be configured for this user:
• N/A—This option is not configured.
• False—Encryption parameters are not to be configured for this user.
• True—Encryption parameters are to be configured for this user.
AES 128 Field that appears if you set Privacy to True.
Indicate whether the Advanced Encryption Standard (AES) with a 128-bit key is to be used for
privacy. AES is a symmetric cipher and is one of the privacy protocols for SNMP message
encryption. Choices are as follows:
• N/A—This option is not configured.
• False—AES 128 is not used for privacy; the ACE falls back to DES, which is the weaker choice.
• True—AES 128 is used for privacy.
Privacy Password Field that appears if you set Privacy to True.
Enter the user encryption password. This password must have at least 8 characters. If the
passphrase is specified in clear text, you can enter a maximum of 64 characters. If use of a
localized key is enabled, you can enter a maximum of 130 characters. Spaces are not allowed.
Confirm Field that appears if you set Privacy to True.
Reenter the privacy password.
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit this procedure without saving your entries and to return to the SNMP v3
Configuration table.
• Click Next to deploy your entries and to add another entry to the SNMP v3 Configuration table. The
window refreshes and you can enter another SNMP v3 user.
Related Topics
• Configuring Virtual Contexts, page 6-8
• Configuring Basic SNMP Attributes, page 6-27
• Configuring SNMPv2c Communities, page 6-28
• Configuring SNMP Trap Destination Hosts, page 6-32
• Configuring SNMP Notification, page 6-33
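The Localized field in Table 6-8 refers to the key-localization step of the SNMPv3 User-based Security Model (RFC 3414): the passphrase is first hashed into a key Ku, and Ku is then hashed together with the agent's snmpEngineID into a localized key Kul that is valid for that one agent only. The same derivation produces the privacy key from the privacy password, using the authentication protocol's hash. The Python below is an added example and is not ANM or ACE code; it reproduces the RFC 3414 algorithm and is checked against the test vectors published in RFC 3414 Appendix A.3. How the ACE expects the localized key to be typed (the page says only that it may be up to 130 characters), and how you obtain the snmpEngineID of a given ACE, are assumptions to verify on the device.

```python
"""RFC 3414 password-to-key derivation and snmpEngineID localization.

Added example (not ANM/ACE code). Assumption: the ACE accepts the localized key as
a hex string; confirm the exact format on the device before relying on this.
"""
import hashlib

# RFC 3414 A.2: the password is fed to the hash cyclically until 1 MiB has been hashed.
_EXPANSION_BYTES = 1024 * 1024


def password_to_key(password: str, algorithm: str) -> bytes:
    """Derive the non-localized key Ku from a passphrase (RFC 3414 A.2.1 / A.2.2).

    algorithm is 'md5' or 'sha1', the two USM authentication protocols the ACE offers.
    """
    if len(password) < 8:
        raise ValueError("RFC 3414 and the ACE both require at least 8 characters")
    h = hashlib.new(algorithm)
    pw = password.encode()
    full_repeats, remainder = divmod(_EXPANSION_BYTES, len(pw))
    for _ in range(full_repeats):
        h.update(pw)
    h.update(pw[:remainder])  # exactly 1,048,576 octets in total
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Bind Ku to one agent: Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 section 2.6).

    Capturing Kul lets an attacker impersonate the user to this engine only; capturing
    the passphrase lets them derive Kul for every engine where the passphrase is reused.
    """
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algorithm: str) -> str:
    """Convenience wrapper: passphrase + engine ID (hex) -> localized key as lowercase hex."""
    ku = password_to_key(password, algorithm)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algorithm).hex()


if __name__ == "__main__":
    # Engine ID and passphrase are the RFC 3414 Appendix A.3 sample values.
    for alg in ("md5", "sha1"):
        print(alg, localized_key_hex("maplesyrup", "000000000000000000000002", alg))
```

When the Localized field is True, what you paste into ANM is the output of localized_key_hex for that ACE's own engine ID; the cleartext passphrase never has to appear in the ANM or ACE configuration, but the localized key must still be handled as a secret because it is sufficient to authenticate to that agent.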
Configuring SNMP Trap Destination Hosts
You can configure SNMP trap destination hosts for a virtual context after configuring basic SNMP
information for a virtual context (see the “Configuring Basic SNMP Attributes” section on page 6-27).
To receive SNMP notifications you must configure the following attributes:
• At least one SNMP trap destination host.
• At least one type of notification (see the “Configuring SNMP Notification” section on page 6-33).
Assumption
You have configured at least one SNMP contact (see the “Configuring Basic SNMP Attributes” section
on page 6-27).
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > SNMP.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > SNMP.
The SNMP configuration window appears.
Step 2 In the SNMP configuration window, click the Trap Destination Host tab.
The Trap Destination Host table appears.
Step 3 In the Trap Destination Host table, click Add to add a host, or choose an existing entry in the table, and
Edit to modify it.
The Trap Destination Host configuration window appears.
Step 4 In the IP Address field of the Trap Destination Host configuration window, enter the IP address of the
server that is to receive SNMP notifications.
Enter the address in dotted-decimal format, such as 192.168.11.1.
Step 5 In the Port field, enter the port to use.
The default port is 162.
Step 6 In the Version field, choose the version of SNMP used to send traps:
• V1—SNMPv1 is used to send traps. This option is not available for use with SNMP inform requests.
• V2c—SNMPv2c is used to send traps.
• V3—SNMPv3 is used to send traps. This is the most secure choice because the notification can be
authenticated and encrypted; with V1 and V2c the community string and the trap payload are sent
in cleartext and can be read by anyone on the path to the trap receiver.
Step 7 In the Community field, enter the SNMP community string or username to be sent with the notification
operation.
Valid entries are unquoted text strings with no spaces and a maximum of 32 characters.
Step 8 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit this procedure without saving your entries and to return to the Trap Destination
Host table.
• Click Next to deploy your entries and to add another entry to the Trap Destination Host table. The
window refreshes and you can add another trap destination host.
Related Topics
• Configuring Virtual Contexts, page 6-8
• Configuring Basic SNMP Attributes, page 6-27
• Configuring SNMPv2c Communities, page 6-28
• Configuring SNMPv3 Users, page 6-29
• Configuring SNMP Notification, page 6-33
Configuring SNMP Notification
You can configure SNMP notification for a virtual context after configuring basic SNMP information for
a virtual context (see the “Configuring Basic SNMP Attributes” section on page 6-27).
To receive SNMP notifications you must configure the following attributes:
• At least one SNMP trap destination host (see the “Configuring SNMP Trap Destination Hosts”
section on page 6-32).
• At least one type of notification.
Assumptions
• You have configured at least one SNMP contact (see the “Configuring Basic SNMP Attributes”
section on page 6-27).
• At least one SNMP server host has been configured (see the “Configuring SNMP Trap Destination
Hosts” section on page 6-32).
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > SNMP.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > SNMP.
The SNMP configuration window appears.
Step 2 In the SNMP configuration window, click the SNMP Notification tab.
The SNMP Notification table appears.
Step 3 In the SNMP Notification table, click Add to add a new entry, or choose an existing entry in the table,
and click Edit to modify it.
The SNMP Notification configuration window appears.
Step 4 In the Options field of the SNMP Notification configuration window, choose the type of notifications to
be sent to the SNMP host.
Some options are available only in the Admin context.
Note When configuring SNMP notification for ACE appliances, we recommend that you choose the
more specific options. For example, choose Slb real or Slb vserver instead of Slb to ensure that
the correct commands are issued on the ACE appliance.
Choices are as follows:
• License—SNMP license notifications are to be sent. This option is available only in the Admin
context.
• SLB—Server load-balancing notifications are to be sent.
• SLB Real Server—Notifications of real server state changes are to be sent.
• SLB Virtual Server—Notifications of virtual server state changes are to be sent.
• SNMP—SNMP notifications are to be sent.
• SNMP Authentication—Notifications of incorrect community strings in SNMP requests are to be
sent.
• SNMP Cold-Start—SNMP agent restart notifications are to be sent after a cold restart (full power
cycle) of the ACE. This option is available only in the Admin context.
• SNMP Link-Down—Notifications are to be sent when a VLAN interface is down.
• SNMP Link-Up—Notifications are to be sent when a VLAN interface is up.
• Syslog—Error message notifications (Cisco Syslog MIB) are to be sent.
• Virtual Context—Virtual context notifications are to be sent.
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit this procedure without saving your selection and to return to the SNMP
Notification table.
• Click Next to deploy your entries and to add another entry to the SNMP Notification table. The
window refreshes and you can choose another SNMP notification option.
Related Topics
• Configuring Virtual Contexts, page 6-8
• Configuring Basic SNMP Attributes, page 6-27
• Configuring SNMPv2c Communities, page 6-28
• Configuring SNMPv3 Users, page 6-29
• Configuring SNMP Trap Destination Hosts, page 6-32
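The four SNMP procedures above (SNMPv2c communities, SNMPv3 users, trap destination hosts and notifications) each contain one weak choice that ANM accepts without complaint: the default “public” community, a v3 user with no privacy protocol or with MD5, a trap host on v1/v2c, and a context that never enables the SNMP Authentication notification. The following Python is an added example, not ANM or ACE code, that audits configuration lines for those choices. The `snmp-server` line syntax and the two sample configurations are constructed for the example in the style of the ACE CLI and must be checked against the running configuration of a real ACE; treating an omitted trap version as SNMPv1 is also an assumption.

```python
"""Audit ACE-style 'snmp-server' configuration lines for the weak choices the
SNMP procedures allow. Added example; the line syntax is constructed, not quoted
from an ACE, so verify it against 'show running-config' on the device.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed list: strings present in every SNMP scanner's default wordlist.
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin", "secret"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str      # offending configuration line, or "<missing>" for an absent setting
    reason: str


def audit_snmp_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    auth_failure_traps = False

    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) < 3 or parts[0] != "snmp-server":
            continue
        kind = parts[1]

        if kind == "community":
            name = parts[2]
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(Finding("high", line,
                    "well-known community string; anyone who reaches UDP/161 can read the MIB"))
            if len(name) > 32:
                findings.append(Finding("high", line,
                    "community string exceeds the 32-character limit; the ACE rejects it"))

        elif kind == "user":
            if "auth" not in parts:
                findings.append(Finding("high", line,
                    "SNMPv3 user without authentication (noAuthNoPriv)"))
            elif "md5" in parts:
                findings.append(Finding("low", line,
                    "SNMPv3 user authenticates with MD5; prefer SHA"))
            if "priv" not in parts:
                findings.append(Finding("medium", line,
                    "SNMPv3 user without a privacy protocol; requests and replies are readable"))

        elif kind == "host":
            m = re.search(r"\bversion\s+(1|2c|3)(?:\s+(auth|noauth|priv))?\b", line)
            version = m.group(1) if m else "1"  # assumption: omitted version means SNMPv1
            if version != "3":
                findings.append(Finding("medium", line,
                    f"trap host uses SNMPv{version}; community string and payload are cleartext"))
            elif m.group(2) != "priv":
                findings.append(Finding("medium", line,
                    "SNMPv3 trap host without priv; trap payload is not encrypted"))

        elif kind == "enable" and parts[2:5] == ["traps", "snmp", "authentication"]:
            auth_failure_traps = True

    if not auth_failure_traps:
        findings.append(Finding("low", "<missing>",
            "authentication-failure traps not enabled; community-string guessing goes unnoticed"))
    return findings


# Constructed sample: what the defaults in the procedures above produce.
WEAK_CONFIG = """\
snmp-server contact "noc@example.com"
snmp-server community public group Network-Monitor
snmp-server community n0c-r0-7f3a group Network-Monitor
snmp-server user legacy Network-Monitor auth md5 LegacyAuthPw
snmp-server host 192.168.11.1 traps version 2c public
"""

# Constructed sample: the same context with the hardened choices.
HARDENED_CONFIG = """\
snmp-server contact "noc@example.com"
snmp-server user nms-ro Network-Monitor auth sha S3cretAuthPw priv aes-128 S3cretPrivPw
snmp-server host 192.168.11.3 traps version 3 priv nms-ro
snmp-server enable traps snmp authentication
"""

if __name__ == "__main__":
    for f in audit_snmp_config(WEAK_CONFIG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against the output of the ACE's show running-config for each context after deploying the SNMP settings; an empty result for a context means it has no cleartext SNMP path and will report authentication failures to the trap host.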
Applying a Policy Map Globally to All VLAN Interfaces
You can apply a policy map globally to all VLAN interfaces in a selected context or configuration
building block.
To apply a policy map to a specific context VLAN interface only, see the Input Policies attribute in the
“Configuring Virtual Context VLAN Interfaces” section on page 12-6.
Note You cannot modify a policy map that is currently applied to an interface. To modify an applied
policy map, you must first remove (delete) it from the interface, make the required
modifications, and then apply it to the interface again.
Assumption
A Layer 3/Layer 4 or Management policy map has been configured for the selected context or building
block. For more information, see the “Configuring Virtual Context Policy Maps” section on page 14-32.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > System > Global Policies.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > System > Global Policies.
The Global Policies table appears.
Step 2 In the Global Policies table, click Add to add a new global policy.
The New Global Policy window appears.
Step 3 In the Policy Map field of the New Global Policy window, choose an existing policy map that you want
to apply to all VLANs in this context.
Note The Direction field displays the value “input” and cannot be modified.
Step 4 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit the procedure without saving your entries and to return to the Global Policies
table.
• Click Next to deploy your entries and to configure another global policy.
Related Topics
• Information About Virtual Contexts, page 6-2
• Configuring Virtual Context Primary Attributes, page 6-14
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context Syslog Settings, page 6-19
• Configuring Traffic Policies, page 14-1
Managing ACE Licenses
Note This functionality is available for only Admin contexts.
Cisco offers licenses for ACE modules and appliances that allow you to increase the number of default
contexts, bandwidth, and SSL transactions per second (TPS). For more information about these licenses,
see the Cisco Application Control Engine documentation on Cisco.com.
If you install ACE licenses to increase the number of virtual contexts that you can create and manage on
a device, you need to ensure that the installed ANM licenses support the increased number of virtual
contexts. For example, if you install an upgrade ACE device license that allows you to create and manage
20 virtual contexts on the device, you must purchase and install the appropriate ANM license before you
can manage the additional contexts using ANM. For more information about using and managing ANM
licenses, see the “Using ANM License Manager to Manage ANM Server or Demo Licenses” section on
page 18-54.
You can view, install, remove, or update ACE device licenses using ANM.
This section includes the following topics:
• Viewing ACE Licenses, page 6-36
• Installing ACE Licenses, page 6-37
• Uninstalling ACE Licenses, page 6-39
• Updating ACE Licenses, page 6-40
• Displaying the File Contents of a License, page 6-42
Viewing ACE Licenses
Note This functionality is available for only Admin contexts.
You can view the licenses that are currently installed on an ACE.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the Admin context with the ACE licenses that you want to view, and click
System > Licenses.
The following license tables appear:
• License Status Table—Provides a summary of the license status for the ACE, including:
– SSL transactions per second
– Number of supported virtual contexts
– ACE bandwidth in gigabits per second
For ACE appliances (all versions) and ACE module version A4(1.0) and later, it also displays the
following:
– Compression performance in megabits or gigabits per second
– Web optimization in the number of connections per second
• Installed License Files Table—Lists all installed licenses with their filenames, vendors, and
expiration dates.
Related Topics
• Managing ACE Licenses, page 6-36
• Installing ACE Licenses, page 6-37
• Uninstalling ACE Licenses, page 6-39
• Updating ACE Licenses, page 6-40
• Displaying the File Contents of a License, page 6-42
Installing ACE Licenses
Note This functionality is available for only Admin contexts.
You can install an ACE license on the device after you copy the license from a remote network server to
the disk0: file system in Flash memory on the ACE. You can use the ANM to perform both processes
from a single dialog box. If you previously copied the license to disk0: on the ACE by using the copy
disk0: CLI command, you can use this dialog box to install the new license or upgrade license on your
ACE.
Assumption
This topic assumes the following:
• You have received the proper software license key for the ACE.
• ACE licenses are available on a remote server for importing to the ACE, or you have received the
software license key and have copied the license file to the disk0: filesystem on the ACE using the
copy disk0: CLI command. See either the Cisco Application Control Engine Module Administration
Guide or Cisco 4700 Series Application Control Engine Appliance Administration Guide for details.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the Admin context that you want to import and install a license for, and click
System > Licenses.
The following license tables appear:
• License Status Table—Provides a summary of the license status for the ACE, including:
– SSL transactions per second
– Number of supported virtual contexts
– ACE bandwidth in gigabits per second
For ACE appliances (all versions) and ACE module version A4(1.0) and later, it also displays the
following:
– Compression performance in megabits or gigabits per second
– Web optimization in the number of connections per second
• Installed License Files Table—Lists all installed licenses with their filenames, vendors, and
expiration dates.
Step 3 Click Install.
The Install an ACE License dialog box appears.
Step 4 (Optional) If the license currently exists on the ACE disk0: file system in Flash memory, do the
following:
a. In the Select an Option to Locate a License File section of the dialog box, click the Select a license
file on the ACE option.
b. In the Select a License File on the Device (disk0) section of the dialog box, from the drop-down list,
choose the name of the license file.
c. Go to Step 10.
Step 5 (Optional) If the license must be copied to the disk0: file system in Flash memory, in the Select an Option
to Locate a License File section of the dialog box, click the Import a license file from remote system
option. Go to Step 6.
Step 6 In the Protocol To Connect To Remote System field, choose the protocol to be used to import the license
file from the remote server to the ACE as follows:
• If you choose FTP, the User Name and Password fields appear. Go to Step 7.
• If you choose SFTP, the User Name and Password fields appear. Go to Step 7.
• If you choose TFTP, go to Step 8.
Step 7 (Optional) If you choose FTP or SFTP, do the following:
a. In the User Name field, enter the username of the account on the network server.
b. In the Password field, enter the password for the user account.
Step 8 In the Remote System IP Address field, enter the host IP address of the remote server.
For example, your entry might be 192.168.11.2.
Step 9 In the License Path In Remote System field, enter the host path and filename of the license file on the
remote server in the format /path/filename where:
• path represents the directory path of the license file on the remote server.
• filename represents the filename of the license file on the remote server.
For example, your entry might resemble /usr/bin/ACE-VIRT-020.lic.
Step 10 Do one of the following:
• Click Install to accept your entries and to install the license file.
• Click Cancel to exit this procedure without installing the license file and to return to the Licenses
table.
Step 11 (Optional) After installing an ACE license, we recommend that you manually synchronize the ACE
Admin context with the CLI to ensure that ANM accurately displays the monitored resource usage
information (Monitor > Devices > ACE > Resource Usage > Connections).
For information about synchronizing the Admin context, see the “Synchronizing Virtual Context
Configurations” section on page 6-105.
Related Topics
• Managing ACE Licenses, page 6-36
• Viewing ACE Licenses, page 6-36
• Uninstalling ACE Licenses, page 6-39
• Updating ACE Licenses, page 6-40
• Displaying the File Contents of a License, page 6-42
Uninstalling ACE Licenses
Note This functionality is available for Admin contexts only.
You can remove ACE licenses.
Caution Removing licenses can affect the ACE bandwidth or performance. For detailed information on the effect
of license removal on the ACE, see the Cisco Application Control Engine documentation on Cisco.com.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the Admin context with the license that you want to remove, and click
System > Licenses.
Step 3 In the Installed License Files table, choose the license to be removed.
Step 4 Click Uninstall.
A dialog box appears, asking you to confirm the license removal process.
Note Before continuing, confirm that you have selected the correct license to be removed. When you
click OK in the confirmation window, you cannot stop the removal process.
Note Removing licenses can affect the number of contexts, ACE bandwidth, or SSL TPS (transactions
per second). Be sure you understand the effect on your environment before removing the license.
Step 5 Click OK to confirm the removal or Cancel to stop the removal process.
If you click OK, a status window appears with the status of license removal. When the license has been
removed, the License table refreshes without the deleted license.
Step 6 (Optional) After uninstalling an ACE license, we recommend that you manually synchronize the ACE
Admin context with the CLI to ensure that ANM accurately displays the monitored resource usage
information (Monitor > Devices > ACE > Resource Usage > Connections).
For information about synchronizing the Admin context, see the “Synchronizing Virtual Context
Configurations” section on page 6-105.
Related Topics
• Managing ACE Licenses, page 6-36
• Installing ACE Licenses, page 6-37
• Viewing ACE Licenses, page 6-36
• Updating ACE Licenses, page 6-40
• Displaying the File Contents of a License, page 6-42
Updating ACE Licenses
Note This functionality is available for Admin contexts only.
You can convert demonstration licenses to permanent licenses and upgrade permanent licenses to
increase the number of virtual contexts.
Assumption
This topic assumes the following:
• You have received the updated software license key for the ACE.
• ACE licenses are available on a remote server for importing to the ACE, or you have received the
updated software license key and have copied the license file to the disk0: filesystem on the ACE
using the copy disk0: CLI command. See either the Cisco Application Control Engine Module
Administration Guide or Cisco 4700 Series Application Control Engine Appliance Administration
Guide for details.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the Admin context with the license that you want to update, and click System >
Licenses.
The following license tables appear:
• License Status Table—Provides a summary of the license status for the ACE, including:
– SSL transactions per second
– Number of supported virtual contexts
– ACE bandwidth in gigabits per second
For ACE appliances (all versions) and ACE module version A4(1.0) and later, it also displays the
following:
– Compression performance in megabits or gigabits per second
– Web optimization in the number of connections per second
• Installed License Files Table—Lists all installed licenses with their filenames, vendors, and
expiration dates.
Step 3 Choose the license to be updated, and click Update.
The Update License dialog box appears.
Step 4 (Optional) If the update license currently exists on the ACE disk0: file system in Flash memory, do the
following:
a. In the Select an Option to Locate a License File section of the dialog box, click the Select a license
file on the ACE option.
b. In the Select a License File on the Device (disk0) section of the dialog box, choose the name of the
update license file from the drop-down list.
c. Go to Step 10.
Step 5 (Optional) If the update license must be copied to the disk0: file system in Flash memory, in the Select
an Option to Locate a License File section of the dialog box, click the Import a license file from remote
system option. Go to Step 6.
Step 6 In the Protocol To Connect To Remote System field, choose the protocol to be used to import the update
license file from the remote server to the ACE as follows:
• If you choose FTP, the User Name and Password fields appear. Go to Step 7.
• If you choose SFTP, the User Name and Password fields appear. Go to Step 7.
• If you choose TFTP, go to Step 8.
Step 7 (Optional) If you choose FTP or SFTP, do the following:
a. In the User Name field, enter the username of the account on the network server.
b. In the Password field, enter the password for the user account.
Step 8 In the Remote System IP Address field, enter the host IP address of the remote server.
For example, your entry might be 192.168.11.2.
Step 9 In the License Path In Remote System field, enter the host path and filename of the license file on the
remote server in the format /path/filename where:
• path represents the directory path of the license file on the remote server.
• filename represents the filename of the license file on the remote server.
For example, your entry might be /usr/bin/ACE-VIRT-020.lic.
Step 10 Do one of the following:
• Click Update to update the license and to return to the License table. The License table displays the
updated information.
• Click Cancel to exit this procedure without updating the license and to return to the License table.
Step 11 (Optional) After updating an ACE license, we recommend that you manually synchronize the ACE Admin
context with the CLI to ensure that ANM accurately displays the monitored resource usage information
(Monitor > Devices > ACE > Resource Usage > Connections).
For information about synchronizing the Admin context, see the “Synchronizing Virtual Context
Configurations” section on page 6-105.
Related Topics
• Managing ACE Licenses, page 6-36
• Installing ACE Licenses, page 6-37
• Viewing ACE Licenses, page 6-36
• Uninstalling ACE Licenses, page 6-39
• Displaying the File Contents of a License, page 6-42
Displaying the File Contents of a License
Note This functionality is available for only Admin contexts.
You can display file content information about ACE licenses.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 Choose the Admin context with the license information that you want to view, and choose System >
Licenses.
The following two license tables appear:
• License Status Table—Provides a summary of the license status for the ACE, including the
supported features and capabilities.
• Installed License Files Table—Lists all installed licenses with their filenames, vendors, and
expiration dates.
Step 3 Choose the installed license file with the information that you want to display, and click View.
ANM displays the output of the show license file CLI command.
For example:
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-AP-C-2000-LIC cisco 1.0 permanent 1 \
NOTICE="lic.conf 0 \
dummyPak " SIGN=BBBDC344EAE8
Step 4 Click Close when you finish viewing the license file information.
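The text that View displays is in the FlexLM license-file format: a SERVER line, a VENDOR line, and one INCREMENT line per entitlement giving the feature name, vendor, version, expiry (or “permanent”), licensed count and key=value options, with a trailing backslash continuing a line (even inside a quoted value, as in the NOTICE above). The SIGN value is the vendor signature that only the ACE can verify; there is nothing to check it against from outside. The Python below is an added example, not ANM or ACE code, that parses this format so that the features and expiry dates can be compared before and after an install, uninstall or update. The sample text embeds the page's example and adds a second, constructed INCREMENT with an expiry date; the feature name ACE-VIRT-020 and its signature are made up for the example (the page shows that name only as a filename).

```python
"""Parse the FlexLM-style text that 'show license file' prints on an ACE.

Added example, not ANM/ACE code. The parser does not verify SIGN (only the ACE can);
it extracts feature, count and expiry so they can be checked and tracked.
"""
import shlex
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass
class LicenseLine:
    feature: str
    vendor: str
    version: str
    expires: Optional[date]       # None for a permanent license
    count: int
    options: Dict[str, str] = field(default_factory=dict)

    @property
    def signed(self) -> bool:
        """True when a SIGN option is present (presence only; not cryptographically checked)."""
        return bool(self.options.get("SIGN"))


def _join_continuations(text: str) -> List[str]:
    """Rejoin lines ending in a backslash; a quoted value may span several physical lines."""
    logical, current = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            current += stripped[:-1]
            continue
        logical.append(current + raw)
        current = ""
    if current:
        logical.append(current)
    return logical


def _parse_expiry(token: str) -> Optional[date]:
    """'permanent' means no expiry; otherwise a FlexLM date such as 31-dec-2012."""
    if token.lower() == "permanent":
        return None
    return datetime.strptime(token, "%d-%b-%Y").date()


def parse_license_file(text: str) -> List[LicenseLine]:
    licenses: List[LicenseLine] = []
    for line in _join_continuations(text):
        tokens = shlex.split(line)  # honours the quotes around NOTICE="..."
        if len(tokens) < 6 or tokens[0] != "INCREMENT":
            continue  # SERVER and VENDOR lines carry no entitlement
        _, feature, vendor, version, expiry, count, *rest = tokens
        options = dict(opt.split("=", 1) for opt in rest if "=" in opt)
        licenses.append(LicenseLine(feature, vendor, version,
                                    _parse_expiry(expiry), int(count), options))
    return licenses


def expiring(licenses: List[LicenseLine], today_iso: str, within_days: int) -> List[LicenseLine]:
    """Entitlements that lapse within the window or already have; permanent ones never appear."""
    today = date.fromisoformat(today_iso)
    return [lic for lic in licenses
            if lic.expires is not None and (lic.expires - today).days <= within_days]


# The page's example output, followed by one constructed dated entry.
SAMPLE_LICENSE = """\
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-AP-C-2000-LIC cisco 1.0 permanent 1 \\
NOTICE="lic.conf 0 \\
dummyPak " SIGN=BBBDC344EAE8
INCREMENT ACE-VIRT-020 cisco 1.0 31-dec-2012 1 NOTICE="constructed demo entry" SIGN=0123456789AB
"""

if __name__ == "__main__":
    for lic in parse_license_file(SAMPLE_LICENSE):
        print(lic.feature, lic.count, lic.expires or "permanent", "signed" if lic.signed else "UNSIGNED")
```

Feed it the text shown in the View dialog (or the show license file output from the CLI); a demo license shows up with a date in expires, and after Updating ACE Licenses the same feature should parse as permanent.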
Related Topics
• Managing ACE Licenses, page 6-36
• Installing ACE Licenses, page 6-37
• Viewing ACE Licenses, page 6-36
• Uninstalling ACE Licenses, page 6-39
Using Resource Classes
Resource classes are the means by which you manage virtual context access to ACE resources, such as
concurrent connections or bandwidth rate. ACE devices are preconfigured with a default resource class
that is applied to the Admin context and any user context upon creation. The default resource class is
configured to allow a context to operate within a range that can vary from no resource access (0%) to
complete resource access (100%). When you use the default resource class with multiple contexts, you
run the risk of oversubscribing ACE resources. This means that the ACE permits all contexts to have full
access to all resources on a first-come, first-served basis. When a resource is utilized to its maximum
limit, the ACE denies additional requests made by any context for that resource.
To avoid oversubscribing resources and to help guarantee access to a resource by any context, you can
create customized resource classes that you associate with one or more contexts. A context becomes a
member of the resource class when you make the association. Creating a resource class allows you to set
limits on the minimum and maximum amounts of each ACE resource that a member context is entitled
to use. You define the minimum and maximum values as a percentage of the whole. For example, you
can create a resource class that allows its member contexts access to no less than 25% of the total number
of SSL connections that the ACE supports.
You can limit and manage the allocation of the following ACE resources:
• ACL memory
• Buffers for syslog messages and TCP out-of-order (OOO) segments
• Concurrent connections (through-the-ACE traffic)
• Management connections (to-the-ACE traffic)
• Proxy connections
• Resource limits set as a rate (number per second)
• Regular expression (regexp) memory
• SSL connections
• Sticky entries
• Static or dynamic network address translations (Xlates)
When you discover ACE devices, the ANM detects the resource class information and imports it with
other device information. If an ACE is not configured for a resource class, it inherits the resource class
configuration of the virtual context it is associated with. If an ACE does have a resource class
configuration but it differs from one configured in the ANM, the discrepancy is logged as an anomaly
but otherwise has no impact on the import process or the ACE.
Table 6-9 on page 6-45 identifies and defines the resources that you can establish for resource classes.
Related Topics
• Global and Local Resource Classes, page 6-44
• Resource Allocation Constraints, page 6-44
• Using Global Resource Classes, page 6-46
• Displaying Local Resource Class Use on Virtual Contexts, page 6-54
Global and Local Resource Classes
ANM provides two levels of resource classes for ACE devices that operate independently of each other:
• Local or device-specific resource classes
• Global resource classes
Local resource classes are initially imported from the ACE during the import process and appear in the
ANM interface in the Admin virtual context where they can be managed, modified, or deleted by an
Admin user. An Admin user can also create new, local resources classes by using ANM. Choose
Config > Devices > Admin_context > System > Resource Classes to add, view, or modify local resource
classes.
Global resource classes are managed separately from local resource classes and require manual
deployment to a specific ACE using the Admin virtual context before they take effect. If you deploy a
global resource class to an ACE that does not have a resource class with the same name, ANM creates a
new local resource class with the same name and properties as the global resource class. If you deploy
a global resource class to an ACE that already has a resource class with the same name, ANM replaces
the properties of the local resource class with the properties from the global resource class. Choose
Config > Global > All Resource Classes to add, view, modify, audit, or delete global resource classes.
Related Topics
• Using Resource Classes, page 6-43
• Resource Allocation Constraints, page 6-44
• Using Global Resource Classes, page 6-46
• Using Local Resource Classes, page 6-51
• Auditing Resource Classes, page 6-49
Resource Allocation Constraints
The following resources are critical for maintaining connectivity to the Admin context:
• Rate Bandwidth
• Rate Management Traffic
• Rate SSL Connections
• Rate Connections
• Management Connections
• Concurrent Connections
Caution If you allocate 100 percent of these resources to a resource class and then apply the resource class to
virtual contexts, connectivity to the Admin context can be lost.
We recommend that you create a resource class specifically for the Admin context and apply it to the
context so that you can maintain IP connectivity.
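The two rules above (Min. is a guaranteed share, and contexts that together hold 100 percent of a critical resource can cut the Admin context off) are easy to get wrong when several classes are planned at once. The following is an added example, not code from the ANM user guide or from Cisco, that models the "Using Resource Classes" semantics and the "Resource Allocation Constraints" check as a pre-deployment sanity test. The resource labels, class names and the ResourceClass model are assumptions made here; ANM itself has no such API.

```python
"""Sanity-check ACE resource-class assignments before deploying them.

Added example, not part of the ANM user guide and not Cisco code. It models the
rules the guide states: each resource is allocated as a percentage, the Min.
value is a guaranteed share, Max. is either Equal To Min or Unlimited, and if
virtual contexts together claim 100 percent of a resource that is critical to
the Admin context, connectivity to the Admin context can be lost. Resource
names are short labels chosen here, not ANM field names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Resources the guide lists as critical for keeping Admin-context connectivity.
ADMIN_CRITICAL = (
    "rate_bandwidth",
    "rate_management_traffic",
    "rate_ssl_connections",
    "rate_connections",
    "management_connections",
    "concurrent_connections",
)

UNLIMITED = None  # Max. field set to Unlimited; a number means Equal To Min

Limits = Tuple[float, Optional[float]]  # (Min. percent, Max. percent or UNLIMITED)


@dataclass
class ResourceClass:
    name: str
    default_min: float = 0.0                  # the "All" row Min. field
    default_max: Optional[float] = UNLIMITED  # the "All" row Max. field
    overrides: Dict[str, Limits] = field(default_factory=dict)  # per-resource Min rows

    def limits(self, resource: str) -> Limits:
        """Return (min, max) for one resource, falling back to the All row (Default)."""
        return self.overrides.get(resource, (self.default_min, self.default_max))


def validate_class(rc: ResourceClass) -> List[str]:
    """Apply the field rules: Min. is 0..100, Max. is Equal To Min or Unlimited."""
    problems: List[str] = []
    rows = [("All", (rc.default_min, rc.default_max))] + list(rc.overrides.items())
    for res, (lo, hi) in rows:
        if not 0 <= lo <= 100:
            problems.append(f"{rc.name}/{res}: Min. {lo:g} is outside 0..100")
        if hi is not UNLIMITED and hi != lo:
            problems.append(f"{rc.name}/{res}: Max. must be Equal To Min or Unlimited")
    return problems


def check_deployment(assignments: Dict[str, ResourceClass],
                     admin_context: str = "Admin") -> List[str]:
    """Check the guaranteed minimums of every context on one ACE.

    assignments maps context name -> resource class applied to it. Returns
    findings in plain text; an empty list means the plan is safe by the
    guide's rules (no oversubscription, Admin context keeps a share).
    """
    findings: List[str] = []
    for rc in {id(rc): rc for rc in assignments.values()}.values():
        findings.extend(validate_class(rc))
    admin_rc = assignments.get(admin_context)
    for res in ADMIN_CRITICAL:
        user_min = sum(rc.limits(res)[0] for ctx, rc in assignments.items()
                       if ctx != admin_context)
        admin_min = admin_rc.limits(res)[0] if admin_rc else 0.0
        if user_min + admin_min > 100:
            findings.append(f"{res}: guaranteed minimums total {user_min + admin_min:g}%, "
                            "the ACE is oversubscribed")
        elif user_min >= 100:
            findings.append(f"{res}: user contexts hold 100% of the guaranteed share; "
                            "connectivity to the Admin context can be lost")
        elif admin_min == 0:
            findings.append(f"{res}: the Admin context has no guaranteed share; "
                            "give it a dedicated resource class")
    return findings


if __name__ == "__main__":
    # Constructed sample: two user contexts each guaranteed 50% of everything,
    # the Admin context left on the default (0%, unlimited) class.
    default = ResourceClass("default")
    half = ResourceClass("half", default_min=50, default_max=50)
    for line in check_deployment({"Admin": default, "ctxA": half, "ctxB": half}):
        print(line)
```

The sample plan in the `__main__` block is exactly the situation the Caution above describes: the user contexts' minimums add up to 100 percent of each critical resource, so the Admin context is left with no guaranteed share and the check reports it for all six resources. Giving the Admin context its own class with a nonzero Min., as the guide recommends, clears the findings.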
Table 6-9 Resource Class Attributes
Resource   Definition
Default   Default percentage used for any resource parameter not explicitly set.
Acceleration Connections   Option that is available on ACE appliances only. Percentage of application acceleration connections.
ACL Memory   Percentage of memory allocated for ACLs.
Concurrent Connections   Percentage of simultaneous connections.
Note If you consume all Concurrent Connections by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost.
HTTP Compression   Percentage of compression for HTTP data.
Note This option appears for ACE appliances (all versions) and ACE module version A4(1.0) and later only.
Management Connections   Percentage of management connections.
Note If you consume all Management Connections by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost.
Proxy Connections   Percentage of proxy connections.
Regular Expression   Percentage of regular expression memory.
Sticky   Percentage of entries in the sticky table.
Note (Pre ACE version A4(1.0) module or appliance only) You must configure a minimum value for sticky to allocate resources for sticky entries; the sticky software receives no resources under the unlimited setting.
Xlates   Percentage of network and port address translation entries.
Buffer Syslog   Percentage of the syslog buffer.
Rate Inspect Connection   Percentage of application protocol inspection connections.
Rate Bandwidth   Percentage of context throughput. This attribute limits the total ACE throughput in bytes per second for one or more contexts. The maximum bandwidth rate per context is determined by your ACE bandwidth license.
Note If you consume all Rate Bandwidth by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost.
Rate Connections   Percentage of connections of any kind.
Note If you consume all Rate Connections by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost.
Rate Management Traffic   Percentage of management traffic connections.
Note If you consume all Rate Management Traffic by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost.
Rate SSL Connections   Percentage of SSL connections.
Note If you consume all Rate SSL Connections by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost.
Rate Syslog   Percentage of syslog messages per second.
Rate MAC Miss   Percentage of messages destined for the ACE that are sent to the control plane when the encapsulation is not correct in packets.
Related Topics
• Using Global Resource Classes, page 6-46
• Configuring Global Resource Classes, page 6-46
• Configuring Local Resource Classes, page 6-52
• Auditing Resource Classes, page 6-49
• Deploying Global Resource Classes, page 6-48
Using Global Resource Classes
Resource classes are used when provisioning services, establishing virtual contexts, managing devices,
and monitoring virtual context resource consumption.
Defining a new global resource class does not automatically update all configurations. A global resource
class is applied only when the resource class is deployed to a specific Admin virtual context on an ACE.
This section includes the following topics:
• Configuring Global Resource Classes, page 6-46
• Deploying Global Resource Classes, page 6-48
• Auditing Resource Classes, page 6-49
• Modifying Global Resource Classes, page 6-50
• Deleting Global Resource Classes, page 6-51
Configuring Global Resource Classes
You can create a new global resource class and optionally deploy it on an ACE by using the Admin
virtual context.
Caution If you allocate 100 percent of these resources to a resource class and then apply the resource class to
virtual contexts, connectivity to the Admin context can be lost. For more information, see the “Resource
Allocation Constraints” section on page 6-44.
Procedure
Step 1 Choose Config > Global > All Resource Classes.
The Resource Classes table appears.
Step 2 In the Resource Classes table, click Add to create a new resource class.
The New Resource Class configuration window appears.
Step 3 In the Name field of the New Resource Class configuration window, enter a unique name for this
resource class.
Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Step 4 In the Description field, enter a brief description for this resource class.
Valid entries are unquoted text strings with a maximum of 240 alphanumeric characters.
Step 5 To use the same values for each resource, in the All row, enter the following information (see Table 6-9
for a description of the resources):
a. In the Min. field, enter the minimum percentage of each resource that you want to allocate to this
resource class. Valid entries are numbers from 0 to 100 including those numbers with decimals.
b. In the Max. field, choose the maximum percentage of each resource that you want to allocate to this
resource class as follows:
– Equal To Min—The maximum percentage allocated for each resource is equal to the minimum
specified in the Min. field.
– Unlimited—There is no upper limit on the percentage of each resource that can be allocated for
this resource class.
Step 6 To use different values for the resources, for each resource, choose the method for allocating resources:
• Choose Default to use the values specified in Step 5.
• Choose Min to enter a specific minimum value for the resource.
Step 7 If you chose Min, do the following:
a. In the Min. field, enter the minimum percentage of this resource you want to allocate to this resource
class. For example, for ACL memory, enter 10 in the Min. field to indicate that you want to allocate
a minimum of 10 percent of the available ACL memory to this resource class.
b. In the Max. field, choose the maximum percentage of the resource that you want to allocate to this
resource class:
– Equal To Min—The maximum percentage allocated for this resource is equal to the minimum
specified in the Min. field.
– Unlimited—There is no upper limit on the percentage of the resource that can be allocated for
this resource class.
Step 8 To deploy the resource class to an Admin context, do the following:
a. Click Admin VCs To Deploy To to expand the configuration subset.
b. In the Available Items list, choose the desired Admin context, and click Add. The items appear in
the Selected Items list.
In the Selected Items list, choose a context to remove and click Remove. The items appear in the
Available Items list.
Step 9 Do one of the following:
• Click OK to save your entries and to return to the Resource Classes table.
• Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes
table.
Related Topics
• Using Resource Classes, page 6-43
• Modifying Global Resource Classes, page 6-50
• Deleting Global Resource Classes, page 6-51
• Auditing Resource Classes, page 6-49
Deploying Global Resource Classes
You can apply a global resource class to Admin contexts on selected ACE devices. If you deploy a global
resource class to an ACE that already has a resource class with the same name, ANM replaces the
properties of the local resource class with the properties from the global resource class. If you deploy a
global resource class to an ACE that does not have a resource class with the same name, ANM creates a
new local resource class with the same name and properties as the global resource class.
Assumptions
This topic assumes the following:
• At least one global resource class exists.
• At least one ACE has been imported into the ANM.
Procedure
Step 1 Choose Config > Global > All Resource Classes.
The Resource Classes table appears.
Step 2 In the Resource Classes table, choose the global resource class that you want to apply to an ACE, and
click Edit.
The Edit Resource Class configuration window appears.
Step 3 In the Available Items list of the Edit Resource Class configuration window, choose the context that you
want to apply this global resource class to, and click Add.
The item appears in the Selected Items list.
To remove contexts, choose them in the Selected Items list, and click Remove. The items appear in the
Available Items list.
Step 4 Do one of the following:
• Click OK to save your entries and to return to the Resource Classes table. The context is updated
with the resource class configuration.
• Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes
table.
Related Topics
• Using Resource Classes, page 6-43
• Modifying Global Resource Classes, page 6-50
• Using Local Resource Classes, page 6-51
• Configuring Local Resource Classes, page 6-52
Auditing Resource Classes
You can display any discrepancies that exist between the global resource class and the local resource
class on the context after you apply a global resource class to an Admin context. Discrepancies occur
when either global or context resource class attributes are modified independently of one another after
the global resource class has been applied.
Procedure
Step 1 Choose Config > Global > All Resource Classes.
The Resource Classes table appears.
Step 2 In the Resource Classes table, choose the resource class that you want to audit, and click Audit.
ANM identifies the differences between the selected resource class and the Admin contexts being
managed by ANM and displays the results in the Audit Differences table in a separate window. The table
uses the following conventions:
• If the selected resource class has not been applied to an Admin context, the Admin context is listed
with the comment “Resource class not defined.”
• If the selected resource class has been applied to an Admin context, but there are no differences
between the global and local resource classes, the context does not appear in the table.
• If the selected resource class has been applied to an Admin context and there are differences between
the global and local resource classes, the context appears in the table with the following information:
– The resource attribute that has different values in the global and local resource classes.
– The settings for the resource attribute in the local resource class.
– The settings for the resource attribute in the global resource class.
The values displayed use the format min - max where min represents the minimum percentage
configured for this attribute and max represents the maximum percentage configured for this
attribute, such as 8% - 8% or 5% - 100%.
Step 3 Do one of the following:
• Click Close to close this window and return to the Resource Classes table.
• Click Refresh to update the information in the Audit Differences table.
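The audit conventions above (no row for a matching context, a "Resource class not defined." comment for an undeployed one, and "min - max" values such as 8% - 8% or 5% - 100%) can be reproduced offline when you want to review drift across many ACEs from an export. The following is an added example, not ANM code: it takes a global class and each Admin context's local copy as plain dicts and emits the same rows the Audit Differences table would. The context names, attribute names and the dict representation are constructed for the sample.

```python
"""Reproduce the Audit Differences table that an ANM resource-class audit shows.

Added example, not ANM code. A resource class is modelled as a dict mapping a
resource attribute name to (min_pct, max_pct); the Unlimited setting is written
as max_pct 100, which matches the "5% - 100%" form the guide gives. Context
names and attribute names are constructed for the sample.
"""
from typing import Dict, List, Optional, Tuple

Limits = Tuple[float, float]
ResourceClassSpec = Dict[str, Limits]

NOT_DEFINED = "Resource class not defined."


def fmt(limits: Optional[Limits]) -> str:
    """Format limits as the audit table does, e.g. '8% - 8%' or '5% - 100%'."""
    if limits is None:
        return "not set"
    lo, hi = limits
    return f"{lo:g}% - {hi:g}%"


def audit(global_rc: ResourceClassSpec,
          admin_contexts: Dict[str, Optional[ResourceClassSpec]]) -> List[Dict[str, str]]:
    """Compare one global resource class with each Admin context's local copy.

    admin_contexts maps an Admin context name to the local class of the same
    name, or None when the global class was never deployed there. One row is
    returned per differing attribute; a context whose local class matches the
    global one produces no rows, and an undeployed context gets a comment row.
    """
    rows: List[Dict[str, str]] = []
    for ctx, local_rc in admin_contexts.items():
        if local_rc is None:
            rows.append({"context": ctx, "comment": NOT_DEFINED})
            continue
        for attr in sorted(set(global_rc) | set(local_rc)):
            glob, loc = global_rc.get(attr), local_rc.get(attr)
            if glob != loc:
                rows.append({"context": ctx, "attribute": attr,
                             "local": fmt(loc), "global": fmt(glob)})
    return rows


def render(rows: List[Dict[str, str]]) -> List[str]:
    """Render audit rows as fixed-width text lines, one per row."""
    out: List[str] = []
    for r in rows:
        if "comment" in r:
            out.append(f"{r['context']:<14} {r['comment']}")
        else:
            out.append(f"{r['context']:<14} {r['attribute']:<24} "
                       f"local {r['local']:<12} global {r['global']}")
    return out


if __name__ == "__main__":
    # Constructed sample: the global class "gold" and three Admin contexts.
    gold = {"ACL Memory": (8, 8), "Sticky": (5, 100), "Rate Bandwidth": (20, 100)}
    contexts = {
        "ace1/Admin": dict(gold),                     # deployed, untouched
        "ace2/Admin": {**gold, "Sticky": (10, 100)},  # modified locally after deployment
        "ace3/Admin": None,                           # never deployed
    }
    print("\n".join(render(audit(gold, contexts))))
```

A local minimum that has drifted upward, as on ace2 in the sample, is worth treating as a change-control event rather than noise: it alters the guaranteed share of every other context on that ACE, including the Admin context.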
Related Topics
• Using Global Resource Classes, page 6-46
• Using Local Resource Classes, page 6-51
• Configuring Global Resource Classes, page 6-46
• Configuring Local Resource Classes, page 6-52
Modifying Global Resource Classes
You can modify an existing global resource class. The changes are not applied to virtual contexts
previously associated with the resource class. ANM only applies updated resource class properties to
virtual contexts that are associated with the resource class going forward.
Caution If you allocate 100 percent of these resources to a resource class and then apply the resource class to
virtual contexts, connectivity to the Admin context can be lost. For more information, see the “Resource
Allocation Constraints” section on page 6-44.
Procedure
Step 1 Choose Config > Global > All Resource Classes.
The Resource Classes table appears.
Step 2 Choose the resource class that you want to modify, and click Edit.
The Edit Resource Class configuration window appears.
Step 3 In the Edit Resource Class configuration window, modify the values as desired.
For details on setting values, see the “Configuring Global Resource Classes” section on page 6-46. For
descriptions of the resources, see Table 6-9.
Step 4 To deploy the modified resource class to an Admin context, do the following:
a. Click Admin VCs To Deploy To to expand the configuration subset.
b. Choose the desired context in the Available Items list, and click Add. The item appears in the
Selected Items list.
Note ANM only applies the updated resource class to contexts that you choose and add to the
Selected Items list. It does not apply the modified resource class to contexts previously
associated with the resource class.
Step 5 Do one of the following:
• Click OK to save your entries, apply them to the selected contexts, and return to the Resource
Classes table.
• Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes
table.
Related Topics
• Using Resource Classes, page 6-43
• Using Global Resource Classes, page 6-46
• Modifying Global Resource Classes, page 6-50
• Auditing Resource Classes, page 6-49
• Deleting Global Resource Classes, page 6-51
Deleting Global Resource Classes
You can remove global resource classes from the ANM database. Because global resource classes are
managed separately from local resource classes, deleting a global resource class does not affect local
resource classes deployed on individual contexts.
Procedure
Step 1 Choose Config > Global > All Resource Classes.
The Resource Classes table appears.
Step 2 In the Resource Classes table, choose the resource class that you want to remove, and click Delete.
A confirmation popup window appears, asking you to confirm the deletion.
Step 3 Click OK to delete the resource class or Cancel to retain the resource class.
The Resource Classes table refreshes with the updated information.
Related Topics
• Using Resource Classes, page 6-43
• Using Global Resource Classes, page 6-46
• Modifying Global Resource Classes, page 6-50
• Auditing Resource Classes, page 6-49
Using Local Resource Classes
You can create local resource classes in ANM as follows:
• During the import process, from any ACE with a previously configured resource class. These
resource classes appear in the ANM in the Admin virtual context associated with the imported ACE.
• By an Admin user in ANM using the local Resource Class configuration option (Config > Devices >
Admin_context > System > Resource Classes).
• By creating a global resource class (Config > Global > All Resource Classes) and applying it to an
Admin context.
Note Local resource class configuration options are available in Admin contexts only.
This section includes the following topics:
• Configuring Local Resource Classes, page 6-52
• Deleting Local Resource Classes, page 6-53
• Displaying Local Resource Class Use on Virtual Contexts, page 6-54
Configuring Local Resource Classes
Note This functionality is available in Admin contexts only.
You can create or modify a local resource class for use within the selected Admin context.
Procedure
Step 1 Choose Config > Devices > Admin_context > System > Resource Classes.
The Resource Classes table appears.
Step 2 In the Resource Classes table, click Add to create a new local resource class or choose an existing
resource class, and click Edit to modify it.
The Resource Class configuration window appears.
Step 3 In the Name field of the Resource Class configuration window, enter a unique name for this resource
class.
Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
Step 4 To use the same values for each resource, in the All row, enter the following information (see Table 6-9
for a description of the resources):
a. In the Min. field, enter the minimum percentage of each resource that you want to allocate to this
resource class. Valid entries are numbers from 0 to 100 including those numbers with decimals.
b. In the Max. field, choose the maximum percentage of each resource that you want to allocate to this
resource class:
– Equal To Min—The maximum percentage allocated for each resource is equal to the minimum
specified in the Min. field.
– Unlimited—There is no upper limit on the percentage of each resource that can be allocated for
this resource class.
Step 5 To use different values for the resources, for each resource, choose one of the following methods for
allocating resources:
• Choose Default to use the values specified in Step 4.
• Choose Min to enter a specific minimum value for the resource.
Step 6 (Optional) If you chose Min, do the following:
a. In the Min. field, enter the minimum percentage of this resource you want to allocate to this resource
class. For example, for ACL memory, enter 10 in the Min. field to indicate that you want to allocate
a minimum of 10 percent of the available ACL memory to this resource class.
b. In the Max. field, choose the maximum percentage of the resource that you want to allocate to this
resource class:
– Equal To Min—The maximum percentage allocated for this resource is equal to the minimum
specified in the Min. field.
– Unlimited—There is no upper limit on the percentage of the resource that can be allocated for
this resource class.
Step 7 When you finish allocating resources for this resource class, do one of the following:
• Click OK to save your entries and to return to the Resource Classes table. The resource class can
now be applied to other virtual contexts on the same ACE.
• Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes
table.
Related Topics
• Using Resource Classes, page 6-43
• Using Local Resource Classes, page 6-51
• Displaying Local Resource Class Use on Virtual Contexts, page 6-54
• Deleting Local Resource Classes, page 6-53
Deleting Local Resource Classes
You can delete a local resource class. Because of the possible impact on virtual contexts of deleting a
local resource class, you cannot delete a resource class that is associated with a virtual context. To
display a resource class’s current deployment, see the “Displaying Local Resource Class Use on Virtual
Contexts” section on page 6-54.
Procedure
Step 1 Choose Config > Devices > Admin_context > System > Resource Classes.
The Resource Classes table lists all local resource classes and the number of virtual contexts using each
resource class.
Step 2 Confirm that the resource class that you want to delete is not deployed on any virtual contexts.
You cannot delete a resource class that is deployed on a context.
To identify the contexts using a specific resource class, see the “Displaying Local Resource Class Use
on Virtual Contexts” section on page 6-54.
Step 3 Choose the resource class that you want to remove, and click Delete.
A confirmation popup window appears, asking you to confirm the deletion.
Step 4 Click OK to delete the resource class or Cancel to retain the resource class.
The Resource Classes table refreshes with the updated information.
Related Topics
• Using Resource Classes, page 6-43
• Configuring Local Resource Classes, page 6-52
• Displaying Local Resource Class Use on Virtual Contexts, page 6-54
Displaying Local Resource Class Use on Virtual Contexts
You can display local resource class usage on all virtual contexts on an ACE.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the ACE with the resource class usage that you want to display.
The Virtual Contexts table appears, listing all contexts on the selected ACE and the resource class in use
for each context.
Step 3 (Optional) In the Virtual Contexts table, click the Resource Class column heading to sort the table by
resource class.
Related Topics
• Using Resource Classes, page 6-43
• Configuring Local Resource Classes, page 6-52
• Deleting Local Resource Classes, page 6-53
Using the Configuration Checkpoint and Rollback Service
At some point, you may want to modify your ACE running configuration. If you run into a problem with
the modified configuration, you may need to reboot your ACE. To prevent having to reboot your ACE
after unsuccessfully modifying a running configuration, you can create a checkpoint (a snapshot in time)
of a known stable running configuration before you begin to modify it. If you encounter a problem with
the modifications to the running configuration, you can roll back the configuration to the previous stable
configuration checkpoint.
Note Before you upgrade your ACE software, we strongly recommend that you create a checkpoint in your
running configuration. For ACE module A2(3.0) and later releases only, use the backup function to
create a backup of the running configuration (see the “Performing Device Backup and Restore
Functions” section on page 6-59).
The ACE allows you to make a checkpoint configuration at the context level. The ACE stores the
checkpoint for each context in a hidden directory in Flash memory. If you make configuration changes
that modify the current running configuration and then roll back to the checkpoint, the ACE reverts the
running configuration to the checkpointed configuration.
This section includes the following topics:
• Creating a Configuration Checkpoint, page 6-55
• Deleting a Configuration Checkpoint, page 6-56
• Rolling Back a Running Configuration, page 6-56
• Displaying Checkpoint Information, page 6-57
• Comparing a Checkpoint to the Running Configuration, page 6-58
Creating a Configuration Checkpoint
You can create a configuration checkpoint for a specific context. The ACE supports a maximum of 10
checkpoints for each context.
Assumption
This topic assumes the following:
• Make sure that the current running configuration is stable and is the configuration that you want to
make as a checkpoint. If you change your mind after creating the checkpoint, you can delete it (see
the “Deleting a Configuration Checkpoint” section on page 6-56).
• The ACE-Admin, ANM-Admin, and Org-Admin predefined roles have access to the configuration
checkpoint function.
• A custom role defined with the task ANM Inventory > Virtual Context/Create or ANM Inventory >
Virtual Context/Modify has the required privileges to create a configuration checkpoint.
• A checkpoint will not include the SSL keys/certificates, probe scripts, and licenses.
• Adding a checkpoint from an ACE context directly will not trigger an autosynchronization on ANM
for that context.
Procedure
Step 1 Choose Config > Devices > context > System > Checkpoints.
The Checkpoints table appears.
For descriptions of the checkpoints, see Table 6-10.
Step 2 In the Checkpoints table, click the Create Checkpoint button.
The Create Checkpoint dialog box appears.
Step 3 In the Checkpoint Name field of the Create Checkpoint dialog box, specify a unique identifier for the
checkpoint.
Enter a text string with no spaces and a maximum of 25 alphanumeric characters.
If the checkpoint already exists, you are prompted to use a different name.
Step 4 Do one of the following:
• Click OK to save your configuration checkpoint. You return to the Checkpoints table and the new
checkpoint appears in the table.
• Click Cancel to exit the procedure without saving the configuration checkpoint and to return to the
Checkpoints table.
Table 6-10 Checkpoints Table
Field   Description
Name   Unique identifier of the checkpoint.
Size (In Bytes)   Size of the configuration checkpoint, shown in bytes.
Date (Created On)   Date that the configuration checkpoint was created.
Related Topics
• Using the Configuration Checkpoint and Rollback Service, page 6-54
• Deleting a Configuration Checkpoint, page 6-56
• Rolling Back a Running Configuration, page 6-56
• Displaying Checkpoint Information, page 6-57
• Comparing a Checkpoint to the Running Configuration, page 6-58
Deleting a Configuration Checkpoint
You can delete a checkpoint. Deleting a checkpoint from an ACE context directly will not trigger an
autosynchronization to occur on ANM for that context.
Prerequisite
Before you perform this procedure, make sure that you want to delete the checkpoint. Once you click
the Trash icon, the ACE removes the checkpoint from Flash memory.
Procedure
Step 1 To choose the virtual context whose checkpoint you want to delete, choose Config > Devices
> context > System > Checkpoints.
The Checkpoints table appears.
Step 2 In the Checkpoints table, choose the radio button to the left of any table entry, and click the Trash icon
to delete the checkpoint.
Related Topics
• Using the Configuration Checkpoint and Rollback Service, page 6-54
• Creating a Configuration Checkpoint, page 6-55
• Rolling Back a Running Configuration, page 6-56
• Displaying Checkpoint Information, page 6-57
• Comparing a Checkpoint to the Running Configuration, page 6-58
Rolling Back a Running Configuration
You can roll back the current running configuration of a context to the previously checkpointed running
configuration.
Procedure
Step 1 Choose Config > Devices > context > System > Checkpoints.
The Checkpoints table appears.
Step 2 Choose the radio button to the left of the checkpoint that you wish to roll back, and click Rollback.
ANM displays a confirmation popup window to warn you about this change and to instruct you that the
rollback operation may take longer depending on the differences detected between the two
configurations.
Note ANM synchronizes the device after performing a rollback. This synchronization may take some time.
Related Topics
• Using the Configuration Checkpoint and Rollback Service, page 6-54
• Creating a Configuration Checkpoint, page 6-55
• Deleting a Configuration Checkpoint, page 6-56
• Displaying Checkpoint Information, page 6-57
• Comparing a Checkpoint to the Running Configuration, page 6-58
Displaying Checkpoint Information
You can display checkpoint configuration information.
Procedure
Step 1 Choose Config > Devices > context > System > Checkpoints.
The Checkpoints table appears.
Step 2 In the Checkpoints table, choose the radio button of the checkpoint that you want to display, and click
Details.
A popup window appears in which ANM uses the ACE show checkpoint detail name CLI command to
display the configuration of the specified checkpoint (see Figure 6-1).
Figure 6-1 show checkpoint detail CLI Command Dialog Box
Step 3 From the popup window, click Close to exit the window and return to the Checkpoints table.
Related Topics
• Using the Configuration Checkpoint and Rollback Service, page 6-54
• Creating a Configuration Checkpoint, page 6-55
• Deleting a Configuration Checkpoint, page 6-56
• Rolling Back a Running Configuration, page 6-56
• Comparing a Checkpoint to the Running Configuration, page 6-58
Comparing a Checkpoint to the Running Configuration
Note This feature requires ACE module and ACE appliance software Version A4(1.0) or later.
You can have ANM compare and display the differences between a specified checkpoint and the ACE’s
current running configuration.
Procedure
Step 1 Choose Config > Devices > context > System > Checkpoints.
The Checkpoints table appears.
Step 2 In the Checkpoints table, choose the radio button of the checkpoint that you want to compare to the
current running configuration, and click Compare.
A popup window appears in which ANM uses the ACE compare name CLI command to display the
differences between the running configuration and the specified checkpoint. The items that display in
red are in the current running configuration and will be removed if you roll back to the checkpoint. The
items that display in green are not in the current running configuration and will be added during the
rollback.
Step 3 From the popup window, click Close to close the window and return to the Checkpoints table.
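The red/green view in the compare dialog is a line-level difference between the running configuration and the checkpoint. The following added example (written for this guide; it is not ANM or ACE code) reproduces that preview offline for two constructed ACE-style configurations and then filters the result down to access-control and SSL lines, which are the lines to check before you confirm a rollback. The sample configuration text and the list of sensitive command prefixes are assumptions for illustration.

```python
"""Preview what rolling back to a checkpoint would change (added example)."""
from difflib import SequenceMatcher

# Constructed sample configurations in an ACE-like style (not taken from a device).
RUNNING_CONFIG = """\
hostname ACE-1
access-list ALLOW_HTTP line 8 extended permit tcp any any eq www
access-list ALLOW_ANY line 16 extended permit ip any any
probe http WEB_PROBE
  interval 10
class-map match-any WEB_VIP
  2 match virtual-address 10.0.0.10 tcp eq www
""".splitlines()

CHECKPOINT_CONFIG = """\
hostname ACE-1
access-list ALLOW_HTTP line 8 extended permit tcp any any eq www
probe http WEB_PROBE
  interval 5
class-map match-any WEB_VIP
  2 match virtual-address 10.0.0.10 tcp eq www
ssl-proxy service WEB_SSL
  key web.key
  cert web.cert
""".splitlines()


def rollback_preview(running, checkpoint):
    """Return (removed, added) line lists.

    removed: lines only in the running configuration; a rollback drops them
             (ANM shows these in red).
    added:   lines only in the checkpoint; a rollback restores them
             (ANM shows these in green).
    """
    removed, added = [], []
    matcher = SequenceMatcher(a=running, b=checkpoint, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(running[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(checkpoint[j1:j2])
    return removed, added


# Command prefixes whose removal or addition changes access control or
# crypto. This list is an assumption for illustration, not an ACE feature.
SENSITIVE_PREFIXES = ("access-list", "ssl-proxy", "key ", "cert ", "username", "aaa ")


def sensitive_changes(removed, added):
    """Filter a preview down to the lines that affect access control or SSL."""
    def is_sensitive(line):
        return line.strip().startswith(SENSITIVE_PREFIXES)
    return ([line for line in removed if is_sensitive(line)],
            [line for line in added if is_sensitive(line)])


if __name__ == "__main__":
    removed, added = rollback_preview(RUNNING_CONFIG, CHECKPOINT_CONFIG)
    for line in removed:
        print("- " + line)
    for line in added:
        print("+ " + line)
    print("sensitive:", sensitive_changes(removed, added))
```

Run against a copy of the running configuration (show running-config output) and the checkpoint text from the Details dialog; the ordered diff keeps the hierarchical context of indented lines, which a plain set comparison would lose.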
Related Topics
• Using the Configuration Checkpoint and Rollback Service, page 6-54
• Creating a Configuration Checkpoint, page 6-55
• Deleting a Configuration Checkpoint, page 6-56
• Rolling Back a Running Configuration, page 6-56
• Displaying Checkpoint Information, page 6-57
Performing Device Backup and Restore Functions
Note The backup and restore functions are available only for the ACE module A2(3.0), ACE appliance A4(1.0),
and later releases of either device type.
The backup and restore functions allow you to back up or restore the configuration and dependencies of
an entire ACE or of a particular virtual context. Configuration dependencies are those files that are
required to exist on the ACE so that a configuration can be applied to it. Such files include
health-monitoring scripts, SSL certificates, SSL keys, and so on. This feature allows you to back up and
restore the following configuration files and dependencies:
• Running-configuration files
• Startup-configuration files
• Checkpoints
• SSL files (SSL certificates and keys)
• Health-monitoring scripts
• Licenses
Note The backup feature does not back up the sample SSL certificate and key pair files.
Typical uses for this feature are as follows:
• Back up a configuration for later use
• Recover a configuration that was lost because of a software failure or user error
• Restore configuration files to a new ACE when a hardware failure resulted in a Return Merchandise
Authorization (RMA) of the old ACE
• Transfer the configuration files to a different ACE
The backup and restore functions are supported in both the Admin and virtual contexts. If you perform
these functions in the Admin context, you can back up or restore the configuration files for either the
Admin context only or for all contexts in the ACE. If you perform these functions in a virtual context,
you can back up or restore the configuration files only for that context. Both the backup and the restore
functions run asynchronously (in the background).
Note To perform the backup or copy functions on multiple ACEs simultaneously, see the “Performing Global
Device Backup and Copy Functions” section on page 6-68.
Archive Naming Conventions
Context archive files have the following naming convention format:
Hostname_ctxname_timestamp.tgz
The filename fields are as follows:
– Hostname—Name of the ACE. If the hostname contains special characters, the ACE uses the
default hostname “switch” in the filename. For example, if the hostname is Active@~!#$%^,
then the ACE assigns the following filename: switch_Admin_2009_08_30_15_45_17.tgz
– ctxname—Name of the context. If the context name contains special characters, the ACE uses
the default context name “context” in the filename. For example, if the context name is
Test!123*, then the ACE assigns the following filename:
switch_context_2009_08_30_15_45_17.tgz
– timestamp—Date and time that the ACE created the file. The time stamp has the following
24 hour format: YYYY_MM_DD_hh_mm_ss
An example is as follows:
ACE-1_ctx1_2009_05_06_15_24_57.tgz
If you back up the entire ACE, the archive filename does not include the ctxname field. So, the format
is as follows:
Hostname_timestamp.tgz
An example is as follows:
ACE-1_2009_05_06_15_24_57.tgz
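As an added example (not ACE or ANM code), the following Python builds archive names by the rules above and parses them back into their fields, which is useful when a script has to pick the newest archive for a context out of a directory listing. The page does not define which characters count as "special", so this code treats anything other than letters, digits and hyphens as special; the underscore is excluded because it is the field separator. That character set, and the EXAMPLE_TIME constant, are assumptions.

```python
"""Build and parse ACE backup archive names (added example)."""
import re
from datetime import datetime

# Assumption: a "special character" is anything outside letters, digits and
# hyphen. Underscore separates the fields, so it cannot appear in a name.
SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")
DEFAULT_HOSTNAME = "switch"
DEFAULT_CTXNAME = "context"
TIMESTAMP_FORMAT = "%Y_%m_%d_%H_%M_%S"   # 24-hour YYYY_MM_DD_hh_mm_ss
EXAMPLE_TIME = datetime(2009, 8, 30, 15, 45, 17)


def sanitize(name, default):
    """Return name unchanged if it is safe, otherwise the documented default."""
    return name if SAFE_NAME.match(name) else default


def archive_name(hostname, ctxname=None, when=None):
    """Archive filename for a context backup (ctxname given) or a full backup (ctxname None)."""
    when = when or datetime.now()
    parts = [sanitize(hostname, DEFAULT_HOSTNAME)]
    if ctxname is not None:
        parts.append(sanitize(ctxname, DEFAULT_CTXNAME))
    parts.append(when.strftime(TIMESTAMP_FORMAT))
    return "_".join(parts) + ".tgz"


# The timestamp is always the last six underscore-separated fields, so the
# optional context name is unambiguous even when it is purely numeric.
ARCHIVE_RE = re.compile(
    r"^(?P<hostname>[A-Za-z0-9-]+)"
    r"(?:_(?P<ctxname>[A-Za-z0-9-]+))?"
    r"_(?P<ts>\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2})\.tgz$"
)


def parse_archive_name(filename):
    """Split an archive name into hostname, ctxname (None for a full backup) and timestamp."""
    m = ARCHIVE_RE.match(filename)
    if not m:
        raise ValueError(f"not an ACE backup archive name: {filename!r}")
    return {
        "hostname": m["hostname"],
        "ctxname": m["ctxname"],
        "timestamp": datetime.strptime(m["ts"], TIMESTAMP_FORMAT),
        "full_backup": m["ctxname"] is None,
    }


def newest_archive(filenames, ctxname=None):
    """Pick the most recent archive for one context (or the newest full backup)."""
    candidates = []
    for name in filenames:
        try:
            info = parse_archive_name(name)
        except ValueError:
            continue
        if info["ctxname"] == ctxname:
            candidates.append((info["timestamp"], name))
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    print(archive_name("Active@~!#$%^", "Admin", EXAMPLE_TIME))
    print(parse_archive_name("ACE-1_ctx1_2009_05_06_15_24_57.tgz"))
```

Because sanitized names collapse to "switch" and "context", archives from different devices or contexts with special characters in their names can collide on everything but the timestamp; give devices and contexts plain names if you intend to sort backups by filename.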
Archive Directory Structure and Filenames
The ACE uses a flat directory structure for the backup archive. The ACE provides file extensions for the
individual files that it backs up so that you can identify the types of files easily when restoring an archive.
All files are stored in a single directory that is tarred and GZIPed as follows:
ACE-1_Ctx1_2009_05_06_07_24_57.tgz
ACE-1_Ctx1_2009_05_06_07_24_57\
context_name-running
context_name-startup
context_name-chkpt_name.chkpt
context_name-cert_name.cert
context_name-key_name.key
context_name-script_name.tcl
context_name-license_name.lic
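The layout above is what you should verify before a restore, because (as the guidelines and cautions below explain) the restore clears the context's SSL files and checkpoints first and loads whatever the archive contains. The following added example (not ACE or ANM code) opens a .tgz copied off disk0: to a workstation, classifies the members by the suffixes above, rejects anything that is not a plain file directly under the single top-level directory, and reports private keys that were backed up without a pass phrase. It assumes the keys are PEM files and that an encrypted PEM key carries an ENCRYPTED marker in its header, as OpenSSL writes it; the sample archive it builds in memory is constructed data, not a real backup.

```python
"""Audit an ACE backup archive before restoring it (added example)."""
import io
import tarfile

# Member name suffix -> file type, following the archive layout described on this page.
SUFFIX_TYPES = (
    ("-running", "running-config"),
    ("-startup", "startup-config"),
    (".chkpt", "checkpoint"),
    (".cert", "ssl-cert"),
    (".key", "ssl-key"),
    (".tcl", "probe-script"),
    (".lic", "license"),
)


def classify(member_name):
    """Map a member file name to its type, or 'unknown'."""
    base = member_name.rsplit("/", 1)[-1]
    for suffix, kind in SUFFIX_TYPES:
        if base.endswith(suffix):
            return kind
    return "unknown"


def looks_encrypted(key_bytes):
    """Assumption: keys are PEM, and an encrypted PEM key carries 'ENCRYPTED' in its header."""
    return b"ENCRYPTED" in key_bytes[:200]


def audit_archive(blob):
    """Open a .tgz archive from memory and report what a restore would load.

    Flags members that break the flat one-directory layout (absolute paths,
    '..', nested directories) so a hand-built archive cannot drop files
    elsewhere on disk0:, and lists private keys stored without a pass phrase.
    """
    report = {"counts": {}, "unencrypted_keys": [], "unsafe_paths": []}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.rstrip("/").split("/")
            if m.isdir():
                if len(parts) != 1 or parts[0] in ("", ".", ".."):
                    report["unsafe_paths"].append(m.name)
                continue
            if m.name.startswith("/") or ".." in parts or len(parts) != 2 or not m.isfile():
                report["unsafe_paths"].append(m.name)
                continue
            kind = classify(m.name)
            report["counts"][kind] = report["counts"].get(kind, 0) + 1
            if kind == "ssl-key" and not looks_encrypted(tar.extractfile(m).read()):
                report["unencrypted_keys"].append(parts[1])
    return report


def restore_precheck(report, expect_ssl=True, expect_checkpoints=True):
    """Return the reasons not to restore yet; an empty list means the archive passed."""
    problems = []
    if report["unsafe_paths"]:
        problems.append("members outside the flat archive layout: " + ", ".join(report["unsafe_paths"]))
    if expect_ssl and not report["counts"].get("ssl-key"):
        problems.append("no SSL keys in archive; restore would leave the context without SSL files")
    if expect_checkpoints and not report["counts"].get("checkpoint"):
        problems.append("no checkpoints in archive; restore clears the existing ones")
    if report["unencrypted_keys"]:
        problems.append("private keys stored without a pass phrase: " + ", ".join(report["unencrypted_keys"]))
    return problems


def build_sample_archive(include_ssl=True):
    """Construct an in-memory archive in the documented layout (sample data, not a real backup)."""
    top = "ACE-1_Ctx1_2009_05_06_07_24_57"
    files = {
        f"{top}/Ctx1-running": b"hostname ACE-1\n",
        f"{top}/Ctx1-startup": b"hostname ACE-1\n",
        f"{top}/Ctx1-golden.chkpt": b"hostname ACE-1\n",
        f"{top}/Ctx1-probe.tcl": b"# sample probe script\n",
    }
    if include_ssl:
        files[f"{top}/Ctx1-web.cert"] = b"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
        # Backed up with a pass phrase: OpenSSL marks the PEM header as encrypted.
        files[f"{top}/Ctx1-web.key"] = b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n...\n"
        # Backed up without one: plaintext key material sits in the archive.
        files[f"{top}/Ctx1-legacy.key"] = b"-----BEGIN RSA PRIVATE KEY-----\n...\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        top_dir = tarfile.TarInfo(top)
        top_dir.type = tarfile.DIRTYPE
        tar.addfile(top_dir)
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for problem in restore_precheck(audit_archive(build_sample_archive())):
        print("WARN:", problem)
```

To audit a real backup, copy the .tgz from disk0: to a workstation (the "copy to remote system" option in the backup dialog does this) and pass its bytes to audit_archive; set expect_ssl or expect_checkpoints to False only when you deliberately excluded those components and have exported the current files first.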
Guidelines and Limitations
The backup and restore functions have the following configuration guidelines and limitations:
• Store the backup archive on disk0: in the context of the ACE where you intend to restore the files.
Use the Admin context for a full backup and the corresponding context for user contexts.
• When you back up the running-configuration file, the ACE uses the output of the show
running-configuration CLI command as the basis for the archive file.
• The ACE backs up only exportable certificates and keys.
• License files are backed up only when you back up the Admin context.
• Use a pass phrase to back up SSL keys in encrypted form. Remember the pass phrase or write it
down and store it in a safe location. When you restore the encrypted keys, the ACE prompts you for
the pass phrase to decrypt the keys. If you do not use a pass phrase when you back up the SSL keys,
the ACE restores the keys with AES-256 encryption using OpenSSL software.
• Only probe scripts that reside in disk0: need to be backed up. The prepackaged probe scripts in the
probe: directory are always available. When you perform a backup, the ACE automatically identifies
and backs up the scripts in disk0: that are required by the configuration.
• The ACE does not resolve any other dependencies required by the configuration during a backup
except for scripts that reside in disk0:. For example, if you configured SSL certificates in an SSL
proxy in the running-configuration file, but you later deleted the certificates, the backup proceeds
anyway as if the certificates still existed.
• To perform a restore operation, you must have the admin RBAC feature in your user role.
ANM-admin and ORG-admin have access to this feature by default. Custom roles with the ANM
Inventory and Virtual Context role tasks set to create or modify can also access this feature.
• When you instruct the ACE to restore the archive for the entire ACE, it restores the Admin context
completely first, and then it restores the other contexts. The ACE restores all dependencies before
it restores the running configuration. The order in which the ACE restores dependencies is as
follows:
– License files
– SSL certificates and key files
– Health-monitoring scripts
– Checkpoints
– Startup-configuration file
– Running-configuration file
• When you restore the ACE, previously installed license files are uninstalled and the license files in
the backup file are installed in their place.
• In a redundant configuration, if the archive that you want to restore is different from the peer
configurations in the FT group, redundancy may not operate properly after the restore.
• You can restore a single context from a full backup archive provided that:
– You execute the restore operation in the context that you want to restore
– All file dependencies for the context exist in the full backup archive
• To enable ANM to synchronize the CLI after a successful restore, do not navigate from the
Backup / Restore page until the Latest Restore status changes from In Progress to Success. If you
navigate to another page before the restore process is complete, the CLI will not synchronize until
you return to the Backup / Restore page.
Defaults
Table 6-11 lists the default settings for the backup and restore function parameters.
This section includes the following topics:
• Backing Up Device Configuration and Dependencies, page 6-62
• Restoring Device Configuration and Dependencies, page 6-66
Backing Up Device Configuration and Dependencies
You can create a backup of an ACE configuration and its dependencies.
Note When you perform the backup process from the Admin context, you can either back up the Admin
context files only or you can back up the Admin context and all user contexts. When you back up from
a user context, you back up the current context files only and cannot back up the ACE licenses.
Note If your web browser supports the Remember Passwords option and you enable this option, the web
browser may fill in the Username and Password fields for user authentication. By default, these fields
should be empty. You can change the username and password fields from whatever the web browser
inserts into the two fields.
Procedure
Step 1 Choose Config > Devices > context > System > Backup / Restore.
The Backup / Restore table appears and displays the latest backup and restore statistics.
Note To refresh the table content at any time, click Poll Now.
Table 6-11 Default Backup and Restore Parameters
Parameter Default
Backed up files By default the ACE backs up the following files in the current context:
• Running-configuration file
• Startup-configuration file
• Checkpoints
• SSL certificates
• SSL keys
• Health-monitoring scripts
• Licenses
SSL key restore encryption None
Note When you choose the Backup / Restore operation, ANM must poll a context if that context has
not been accessed previously for this operation. The polling operation, which is necessary to
obtain the latest backup and restore information, can cause a delay in the display time of the
Backup / Restore table.
The Backup / Restore fields are described in Table 6-12.
Step 2 Click Backup.
The Backup window appears.
Step 3 In the Backup window, click the radio button of the location where the ACE is to save the backup files:
• Backup config on ACE (disk0:)—This is the default. Go to Step 9.
• Backup config on ACE (disk0:) and then copy to remote system—The Remote System attributes
step appears. Go to Step 4.
Table 6-12 Backup / Restore Fields
Field Description
Latest Backup
Backup Archive Name of the last *.tgz file created that contains the backup files.
Type Type of backup: Context or Full (all contexts).
Start-time Date and time that the last backup began.
Finished-time Date and time that the last backup ended.
Status Status of the last context to be backed up: Success, In Progress, or Failed. Click the status link to
view status details.
Current vc Name of the last context in the backup process.
Completed Number of context backups completed compared to the total number of context backup requests.
For example:
• 2/2 = Two context backups completed/Two context backups requested
• 0/1 = No context backup completed/One context backup requested
Latest Restore
Backup Archive Name of the *.tgz file used during the restore process.
Type Type of restore: Context or Full (all contexts).
Start-time Date and time that the last restore began.
Finished-time Date and time that the last restore ended.
Status Status of the last restore: Success, In Progress, or Failed. Click the status to view status details.
Current vc Name of the last context in the restore process.
Completed Number of context restores completed compared to the total number of context restore requests.
For example:
• 2/2 = Two context restores completed/Two context restores requested
• 0/1 = No context restore completed/One context restore requested
Step 4 Click the radio button of the transfer protocol to use:
• FTP—File Transfer Protocol
• SFTP—Secure File Transfer Protocol
• TFTP—Trivial File Transfer Protocol
Step 5 In the Username field, enter the username that the remote server requires for user authentication.
This field appears for FTP and SFTP only.
Step 6 In the Password field, enter the password that the remote server requires for user authentication.
This field appears for FTP and SFTP only.
Step 7 In the IP Address field, enter the IP address of the remote server.
Step 8 In the Backup File Path in Remote System field, enter the full path for the remote server.
Step 9 Check the Backup All Contexts checkbox if you want the ACE to create a backup that contains the files
of the Admin context and every user context or uncheck the check box to create a backup of the Admin
context files only.
This field appears for the Admin context only.
Step 10 Indicate the components to exclude from the backup process: Checkpoints or SSL Files.
To exclude a component, double-click on it in the Available box to move it to the Selected box. You can
also use the right and left arrows to move selected items between the two boxes.
Caution If you exclude the SSL Files component and then restore the ACE using this archived backup,
these files are removed from the ACE. To save these files prior to performing a restore with
this backup, use the crypto export CLI command to export the keys to a remote server and
use the copy CLI command to copy the license files to disk0: as .tar files.
Step 11 In the Pass Phrase field, enter the pass phrase that you specify to encrypt the backed up SSL keys.
Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric
characters. If you enter a pass phrase but exclude the SSL files from the archive, the ACE does not use
the pass phrase.
Step 12 Click OK to begin the backup process.
The following actions occur depending on where ANM saves the files:
• disk0: only—ANM permits continued GUI functionality during the backup process and polls the
ACE for the backup status, which it displays on the Backup / Restore page.
• disk0: and a remote server— ANM suspends GUI operation and displays a “Please Wait” message
in the Backup dialog box until the process is complete. During this process, ANM instructs the ACE
to create and save the backup file locally to disk0: and then place a copy of the file on the specified
remote server.
Step 13 In the Backup / Restore page, click Poll Now or click the browser refresh button to ensure that the latest
backup statistics are displayed, and then click on the Status link (Success, In Progress, or Failed)
located in the Latest Backup column to view details of the backup operation.
If the backup status is either Success or In Progress, then the Show Backup Status Detail popup window
appears and displays a list of the files successfully backed up. When the backup status is In Progress,
ANM polls the ACE every 2 minutes to retrieve the latest status information and then it automatically
updates the status information displayed. The polling continues until ANM receives a status of either
Success or Failed. If the backup status is Failed, then the Show Backup Errors popup window appears,
displaying the reason for the failed backup attempt.
Related Topics
• Performing Device Backup and Restore Functions, page 6-59
• Restoring Device Configuration and Dependencies, page 6-66
• Performing Global Device Backup and Copy Functions, page 6-68
Restoring Device Configuration and Dependencies
You can restore an ACE configuration and its dependencies using a backup file.
Caution The restore operation clears any existing SSL certificate and key-pair files, license files, and checkpoints
in a context before it restores the backup archive file. If your configuration includes SSL files or
checkpoints and you excluded them when you created the backup archive, those files will no longer exist
in the context after you restore the backup archive. To preserve any existing exportable SSL certificate
and key files in the context, before you execute the restore operation, export the certificates and keys that
you want to keep to an FTP, SFTP, or TFTP server by using the CLI and the crypto export command.
After you restore the archive, import the SSL files into the context. For details on exporting and
importing SSL certificate and key pair files using the CLI, see the Cisco Application Control Engine
Module SSL Configuration Guide.
You can also use the exclude option of the restore command to instruct the ACE not to clear the SSL files
in disk0: and to ignore the SSL files in the backup archive when the ACE restores the backup.
Note If your web browser supports the Remember Passwords option and you enable this option, the web
browser may fill in the Username and Password fields for user authentication. By default, these fields
should be empty. You can change the username and password fields from whatever the web browser
inserts into the two fields.
Prerequisites
If you are going to restore the Admin context files plus all user context files, use a backup file that was
created from the Admin context with the Backup All Contexts checkbox checked (see the “Backing Up
Device Configuration and Dependencies” section on page 6-62).
Procedure
Step 1 Choose Config > Devices > context > System > Backup / Restore.
The Backup / Restore table appears.
Note To refresh the table content at any time, click Poll Now.
Note When you perform the restore process from the Admin context, you can either restore the Admin
context files only or you can restore the Admin context files plus all user context files. When
you perform the restore process from a user context, you can restore the current context files
only.
The Backup / Restore fields are described in Table 6-12.
Step 2 Click Restore.
The Restore window appears.
Step 3 In the Restore window, click the desired radio button to specify the location where the backup file is
saved:
• Choose a backup file on the ACE (disk0:)—This is the default. Go to Step 9.
• Choose a backup file from remote system—The Remote System attributes step appears. Go to
Step 4.
Step 4 Click the radio button of the transfer protocol to use:
• FTP—File Transfer Protocol
• SFTP—Secure File Transfer Protocol
• TFTP—Trivial File Transfer Protocol
Step 5 In the Username field, enter the username that the remote file system requires for user authentication.
This field appears for FTP and SFTP only.
Step 6 In the Password field, enter the password that the remote file system requires for user authentication.
This field appears for FTP and SFTP only.
Step 7 In the IP Address field, enter the IP address of the remote server.
Step 8 In the Backup File Path in Remote System field, enter the full path of the backup file, including the
backup filename, to be copied from the remote server.
Step 9 Check the Restore All Contexts checkbox if you want the ACE to restore the files for every context or
uncheck the checkbox to restore the Admin context files only.
This field appears for the Admin context only.
Step 10 Check the Exclude SSL Files checkbox if you want to preserve the SSL files currently loaded on the
ACE and not use the backup file’s SSL files.
Caution The restore function deletes all SSL files currently loaded on the ACE unless you check the
Exclude SSL Files option. If you do not check this option, the restore function loads the SSL
files included in the backup file. If the backup file does not include SSL files, the ACE will
not have any SSL files loaded on it when the restore process is complete. You will then need
to import copies of the SSL files from a remote server.
Step 11 In the Pass Phrase field, enter the pass phrase that is used to encrypt the backed up SSL keys in the
archive.
Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric
characters. The Pass Phrase field does not appear when you check the Exclude SSL Files checkbox.
Step 12 Click OK to begin the restore process.
The following actions occur depending on where ANM retrieves the backup files:
• disk0: only—ANM permits continued GUI functionality during the restore process and polls the
ACE for the restore status, which it displays on the Backup / Restore page.
Note To enable ANM to synchronize the CLI after a successful restore, do not navigate from the
Backup / Restore window until the Latest Restore status changes from In Progress to Success.
If you navigate to another window before the restore process is complete, the CLI will not
synchronize until you return to the Backup / Restore window.
• disk0: and a remote server— ANM suspends GUI operation and displays a “Please Wait” message
in the Restore dialog box until the process is complete. During this process, ANM instructs the ACE
to copy the backup file from the specified remote server to disk0: on the ACE and then apply the
backup file to the context.
Step 13 In the Backup / Restore page, click Poll Now or click the browser refresh button to ensure that the latest
restore statistics are displayed, then click on the Status link (Success, In Progress, or Failed) located in
the Latest Restore column to view details of the restore operation.
If the restore status is either Success or In Progress, then the Show Restore Status Detail popup window
appears and displays a list of the files successfully restored. When the restore status is In Progress, ANM
polls the ACE every 2 minutes to retrieve the latest status information and then it automatically updates
the status information displayed. The polling continues until ANM receives a status of either Success or
Failed. If the restore status is Failed, then the Show Restore Errors popup window appears, displaying
the reason for the failed restore attempt.
Related Topics
• Performing Device Backup and Restore Functions, page 6-59
• Backing Up Device Configuration and Dependencies, page 6-62
• Performing Global Device Backup and Copy Functions, page 6-68
Performing Global Device Backup and Copy Functions
Note The global backup and copy functions are available for the ACE module A2(3.0), ACE appliance
A4(1.0), and later releases of either device type.
The global backup and copy functions allow you to either back up the configuration and dependencies
of multiple ACEs simultaneously or copy existing backup configuration files from disk0: of multiple
ACEs to a remote server. Configuration dependencies are those files that are required to exist on the ACE
so that a configuration can be applied to it. Such files include health-monitoring scripts, SSL certificates,
SSL keys, and so on. This feature backs up the following configuration files and
dependencies:
• License files
• Running-configuration files
• Startup-configuration files
• Checkpoints
• SSL files (SSL certificates and keys)
• Health-monitoring scripts
During the backup, each ACE saves its configuration files locally to disk0: in a single directory that is
tarred and GZIPed. For more information about the backup function, including guidelines and
restrictions, see the “Performing Device Backup and Restore Functions” section on page 6-59.
This section includes the following topics:
• Backing Up Multiple Device Configuration and SSL Files, page 6-69
• Associating a Global Backup Schedule with a Device, page 6-71
• Managing Global Backup Schedules, page 6-73
• Copying Existing Tarred Backup Files to a Remote Server, page 6-77
Backing Up Multiple Device Configuration and SSL Files
You can back up the configuration and SSL files for multiple ACEs simultaneously.
Note If your web browser supports the Remember Passwords option and you enable this option, the web
browser may fill in the Username and Password fields for user authentication. By default, these fields
should be empty. You can change the username and password fields from whatever the web browser
inserts into the two fields.
Procedure
Step 1 Choose Config > Global > All Backups.
The Backups table appears and displays a list of the available ACEs.
Note To refresh the table content at any time, click Poll Now.
Note When you choose the All Backups operation, ANM must poll all Admin contexts that have not
been accessed previously for this operation. The polling operation, which is necessary to obtain
the latest backup and restore information, can cause a delay in the display time of the Backups
table.
The Backups fields are described in Table 6-13.
Table 6-13 Backups Fields
Field Description
Name Name of the ACE.
Management IPs Management interface IP addresses. When there are multiple IP addresses, they display as
shown in the following example: 10.77.241.18/10.77.241.28/10.77.241.38
Latest Backup Time Date and time that the last backup occurred.
Latest Backup Status Status of the last backup attempt: Success, In Progress, or Failed. Click the status link to view
status details.
Latest Restore Time Date and time that the last restore occurred.
Latest Restore Status Status of the last restore attempt: Success, In Progress, or Failed. Click the status link to view
status details.
Last Poll Time Date and time that ANM last polled the device for backup statistics.
Schedules Backup schedule associated with the ACE.
Step 2 In the Backups table, check the checkbox of the ACE or ACEs to back up.
Note To choose all of the ACEs, check the Name checkbox.
Step 3 Click Backup.
The Backup on devices dialog box appears.
Step 4 In the Backup on devices dialog box, check the Backup All Contexts checkbox if you want each ACE to
create a backup that contains the files of its Admin context and every user context or uncheck the check
box to create a backup of the Admin context files only.
Step 5 Indicate the components that you want to exclude from the backup process: Checkpoints or SSL Files.
To exclude a component, click on it in the Available box and then click Add (right arrow) to move it to
the Selected box. Use Remove (left arrow) to move items from the Selected box back to the Available
box if needed.
Caution If you exclude the SSL Files component and then restore the ACE using this archived backup,
these files are removed from the ACE. To save these files prior to performing a restore with
this backup, use the crypto export CLI command to export the keys to a remote server and
use the copy CLI command to copy the license files to disk0: as .tar files.
Step 6 In the Pass Phrase field, enter the pass phrase that you specify to encrypt the backed up SSL keys.
Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric
characters. If you enter a pass phrase but exclude the SSL files from the archive, the ACE does not use
the pass phrase.
Step 7 Click OK to begin the backup.
Step 8 In the Backups page, click Poll Now or click the browser refresh button to ensure that the latest statistics
are displayed, and then click on the Status link (Success, In Progress, or Failed) located in the Latest
Backup Status column to view details of the backup.
If the backup status is either Success or In Progress, then the Show Backup Status Detail popup window
appears and displays a list of the files successfully backed up. When the backup status is In Progress,
ANM polls each ACE every 2 minutes to retrieve the latest status information and then it automatically
updates the status information displayed. The polling continues until ANM receives a status of either
Success or Failed.
If the backup status is Failed, then the Show Backup Errors popup window appears, displaying the reason
for the failed backup attempt.
Related Topics
• Associating a Global Backup Schedule with a Device, page 6-71
• Managing Global Backup Schedules, page 6-73
• Copying Existing Tarred Backup Files to a Remote Server, page 6-77
• Performing Device Backup and Restore Functions, page 6-59
Associating a Global Backup Schedule with a Device
You can schedule ANM to perform a global backup either as a one-time operation at some future time
or on a regular basis. You do this by creating a backup schedule and then associating the schedule with
one or more ACE devices.
Procedure
Step 1 Choose Config > Global > All Backups.
The Backups table appears and displays a list of the available ACEs (see Table 6-13).
Step 2 In the Backups table, check the checkbox of the ACEs that you want to schedule for backups.
When you choose multiple devices to schedule a backup, ANM checks to ensure that the following
attributes match between the devices:
• Schedules currently associated with the devices
• Remote location details
• Protocol used to connect to the remote location
• Pass phrase used to encrypt the backed up SSL keys
• Specified components to exclude
If these attributes do not match between the selected devices, ANM displays an error message and does
not allow you to continue scheduling a global backup. For example, if the attributes of the selected
devices do not match, ANM displays an error message such as:
One or more field values do not match in the selected devices. Select only devices that
have matching field values.
Step 3 Click Schedule Backup.
The Scheduled Backup popup window appears, which includes a list of the devices that you selected and
backup schedule parameters that you must configure.
Step 4 From the Scheduled Backup popup window, configure the scheduled backup parameters as shown in
Table 6-14.
Table 6-14 Scheduling a Backup
Item Description
Schedule Associate one or more backup schedules with the devices by performing one or both of the
following:
• To associate an existing schedule listed in the Available box, double-click the schedule
to move it to the Selected box. You can also use the arrow buttons to move selected
schedules between the Available and Selected boxes.
• To create a backup schedule for the devices, click Create. The fields for creating a new
schedule appear in the Schedule section. Assign a unique name to the schedule, define
the schedule’s operating parameters, and click OK. The new schedule is added to the
Selected box.
For more information about creating a schedule, see the “Creating a Backup Schedule”
section on page 6-73.
To display the current settings of a schedule in the Selected box, choose the schedule and
click View. The schedule details display in the Schedules section. You cannot modify the
settings. Click Cancel to close the details display.
Backup a file on ACE (disk0:) and then copy to remote system Configure where the backup is to be saved remotely as follows:
a. Specify the file transfer protocol to use by clicking one of the following radio buttons:
• FTP
• SFTP
• TFTP
b. In the Username text box, enter the username associated with the remote server.
c. In the Password text box, enter the password associated with the username.
d. In the IP Address text box, enter the remote server IP address.
e. In the Backup File Path in Remote System text box, enter the full path for the backup
file on the remote server.
Backup on devices Define the items to back up as follows:
a. Indicate the components that you want to exclude from the backup process:
Checkpoints or SSL Files. Double-click an item to move it to the Selected box. You
can also use the arrow buttons to move an item between the Available and Selected
boxes.
b. Enter the pass phrase used to encrypt the backed up SSL keys.
Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40
alphanumeric characters. If you enter a pass phrase but exclude the SSL files from the
archive, the ACE does not use the pass phrase.
Note The Backup All Contexts checkbox is checked by default to create a backup that
contains the files of the Admin context and every user context on the ACE. You
cannot change this setting.
Step 5 From the Scheduled Backup popup window, do one of the following:
• Click OK to save the scheduled backup configuration, close the popup window, and return to the
Backups window, which now displays the backup schedule associated with the ACE.
• Click Cancel to ignore the scheduled backup information, close the popup window, and return to
the Backups window.
Related Topics
• Managing Global Backup Schedules, page 6-73
• Creating a Backup Schedule, page 6-73
• Updating an Existing Backup Schedule, page 6-76
• Backing Up Multiple Device Configuration and SSL Files, page 6-69
Managing Global Backup Schedules
You can create multiple schedules that allow ANM to perform a global backup at the time specified in a
particular schedule. You assign each schedule a name and then configure it with a set of parameters that
specify when ANM is to perform the backup. For example, you can create a schedule that has ANM
create a weekly backup every Tuesday at 1:00AM. After you create the schedule, you can apply it to one
or more devices. If you change the schedule’s configuration, such as the day of the week when the
backup is made, the change is applied to every device that uses the schedule.
This section includes the following topics:
• Creating a Backup Schedule, page 6-73
• Updating an Existing Backup Schedule, page 6-76
• Deleting a Backup Schedule, page 6-76
Creating a Backup Schedule
You can create a backup schedule that you can apply to one or more devices.
Procedure
Step 1 Choose Config > Global > All Schedules.
The Schedules table appears and displays the information described in Table 6-15.
Table 6-15 All Schedules Fields
Item Description
Name Schedule name.
Type Schedule type: Once, Daily, Weekly, or Monthly.
Date Date that ANM performs a backup. This column applies only to schedules of type Once.
Time Time of day when ANM performs the backup.
Daily Recurrence Indicates the following depending on schedule type:
• Daily schedule—Number of days between backups. For example, a value of 4 in this field indicates
that ANM performs one backup every 4 days. When N/A appears in this field for the type Daily,
the schedule is configured to perform a daily backup every day (Monday–Sunday). In this case, the
days are listed in the Week Days column.
• Monthly schedule—Day of the month when the backup is to occur. For example, a value of 3
indicates that the backup occurs on the third day of each month. When N/A appears in this field
for the type Monthly, the schedule is configured to perform a monthly backup on the occurrence
of a particular day of the week. For example, you can schedule the backup for the second Sunday
of each month, in which case, Sun appears in the Week Days column.
Weekly Recurrence Indicates the following depending on schedule type:
• Weekly schedule—This value is always 1 for any configured weekly schedule and indicates that a
backup will occur every week on the indicated days (see Week Days).
• Monthly schedule—Week of the month when the backup is to occur. For example, a value of 3
indicates that the backup occurs on the third week of each month.
Monthly Recurrence Number of times the monthly schedule occurs.
Week Days Indicates the days of the week when ANM performs a backup depending on the schedule type:
• Weekly schedule—Days of the week when the backup occurs.
• Monthly schedule—Day of the week when the backup occurs. The Weekly Recurrence value
indicates which monthly occurrence of the specified week day the backup occurs on. For
example, if the Weekly Recurrence value is 3 and the Week Days value is Sunday, then the monthly
backup occurs every third Sunday of the month.
Devices Name of the ACEs associated with the schedule. ANM adds devices to this field after you associate the
schedule with an ACE backup (see the “Backing Up Multiple Device Configuration and SSL Files”
section on page 6-69).
Step 2 From the Schedules table window, click Create Schedule.
The Create Schedule popup window appears.
Step 3 From the Create Schedule popup window, create and configure the new backup schedule as described in
Table 6-16.
Step 4 Do one of the following:
• Click OK to save the backup schedule, close the popup window, and return to the Schedules window.
The Schedules window displays the new schedule.
• Click Cancel to close the popup window without saving your information and return to the
Schedules window.
Related Topics
• Managing Global Backup Schedules, page 6-73
• Updating an Existing Backup Schedule, page 6-76
• Deleting a Backup Schedule, page 6-76
• Associating a Global Backup Schedule with a Device, page 6-71
Table 6-16 Create Schedule Fields
Item Description
Name Unique schedule name.
Schedule types Schedule types that you can create to specify when a backup is to occur. Choose one of the following:
• Once: Specifies a one-time backup as follows:
– Date: Date that ANM performs a backup. Use the calendar tool to select the date
– Time: Time of day when ANM performs the backup.
• Daily: Specifies a daily schedule as follows:
– Time: Time of day when ANM performs the backup.
– Repeat: Specifies how often the schedule is repeated as follows:
- Every: Specifies the number of days between backups.
- Everyday (Mon-Sun): Specifies that a backup is performed each day.
• Weekly: Specifies a weekly schedule as follows:
– Time: Time of day when ANM performs the backup.
– Repeat Every week on: Specifies the days of the week that the backup is performed.
• Monthly: Specifies a monthly schedule as follows:
– Time: Time of day when ANM performs the backup.
– Repeat:
- Day (number) of every month: Specifies the day of the month when the backup is to occur.
For example, you can schedule a backup for 15th day of the month.
- Occurrence of the day (name) of every month: Specifies the occurrence of a weekday during
the month when the backup is performed. For example, you can schedule a backup to occur
every second Saturday of the month.
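The four schedule types in Table 6-16 each fire on a different calendar rule, and the one that bites in practice is a monthly "Day (number)" schedule whose day does not exist in every month. The following is an added example written for this guide, not ANM code: it models the Table 6-16 options, rejects the combinations the Create Schedule form would not accept, and computes when a schedule next fires. The names Schedule, problems(), next_run(), the anchor date for an N-day cycle, and the choice to skip a month that lacks the requested day are assumptions of the example; the manual does not state how ANM handles that case.

```python
"""Added example, not ANM code: model the Table 6-16 schedule types and work
out when a schedule next fires. Schedule, problems(), next_run() and the field
names are assumptions of this example. Weekdays use Python's Monday=0..Sunday=6."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Schedule:
    name: str
    kind: str                                # "once", "daily", "weekly" or "monthly"
    at: time                                 # Time: time of day when the backup runs
    on: Optional[date] = None                # once: the Date field
    every_days: int = 1                      # daily: "Every N days"; 1 = "Everyday (Mon-Sun)"
    anchor: Optional[date] = None            # daily: day the N-day cycle counts from (assumed field)
    week_days: FrozenSet[int] = frozenset()  # weekly: chosen days; monthly: the one named day
    day_of_month: Optional[int] = None       # monthly: "Day (number) of every month"
    occurrence: Optional[int] = None         # monthly: "Occurrence of the day (name)", 1..5


def problems(s: Schedule) -> List[str]:
    """Combinations the Create Schedule form would not accept (empty list = valid)."""
    out: List[str] = []
    if s.kind not in ("once", "daily", "weekly", "monthly"):
        out.append(f"unknown schedule type {s.kind!r}")
    if s.kind == "once" and s.on is None:
        out.append("once: Date is required")
    if s.kind == "daily" and s.every_days < 1:
        out.append("daily: Every must be at least 1 day")
    if s.kind == "daily" and s.every_days > 1 and s.anchor is None:
        out.append("daily: an N-day cycle needs an anchor date (assumed field)")
    if s.kind == "weekly" and not s.week_days:
        out.append("weekly: choose at least one day of the week")
    if s.kind == "monthly":
        by_number = s.day_of_month is not None
        by_name = s.occurrence is not None and len(s.week_days) == 1
        if by_number == by_name:
            out.append("monthly: choose exactly one of Day (number) or Occurrence of the day (name)")
        elif by_number and not 1 <= s.day_of_month <= 31:
            out.append("monthly: Day must be 1..31")
        elif by_name and not 1 <= s.occurrence <= 5:
            out.append("monthly: Occurrence must be 1..5")
    return out


def fires_on(s: Schedule, d: date) -> bool:
    """Does schedule s run on calendar day d (time of day ignored)?"""
    if s.kind == "once":
        return d == s.on
    if s.kind == "daily":
        start = s.anchor or d
        return d >= start and (d - start).days % s.every_days == 0
    if s.kind == "weekly":
        return d.weekday() in s.week_days
    if s.kind == "monthly":
        if s.day_of_month is not None:
            # Assumption: a month that has no such day (the 31st in April) is skipped.
            return d.day == s.day_of_month
        return d.weekday() in s.week_days and (d.day - 1) // 7 + 1 == s.occurrence
    raise ValueError(f"unknown schedule type {s.kind!r}")


def next_run(s: Schedule, now: datetime, horizon_days: int = 800) -> Optional[datetime]:
    """First run strictly after 'now', or None (e.g. a 'once' schedule already past)."""
    day = now.date()
    for _ in range(horizon_days):
        if fires_on(s, day):
            fire = datetime.combine(day, s.at)
            if fire > now:
                return fire
        day += timedelta(days=1)
    return None


def next_run_iso(s: Schedule, now_iso: str) -> Optional[str]:
    """String front end for next_run(), e.g. next_run_iso(s, "2012-03-01 12:00")."""
    fire = next_run(s, datetime.fromisoformat(now_iso))
    return None if fire is None else fire.isoformat(sep=" ")


# Constructed schedules: the manual's "weekly backup every Tuesday at 1:00AM",
# a four-day cycle, a "second Saturday of every month", a "day 31" and a one-off.
TUESDAY_0100 = Schedule("weekly-tue", "weekly", time(1, 0), week_days=frozenset({1}))
EVERY_4_DAYS = Schedule("every-4-days", "daily", time(2, 0), every_days=4, anchor=date(2012, 3, 1))
SECOND_SAT = Schedule("2nd-sat", "monthly", time(1, 0), week_days=frozenset({5}), occurrence=2)
DAY_31 = Schedule("day-31", "monthly", time(1, 0), day_of_month=31)
ONCE_MAR6 = Schedule("once-mar-6", "once", time(1, 0), on=date(2012, 3, 6))

if __name__ == "__main__":
    for s in (TUESDAY_0100, EVERY_4_DAYS, SECOND_SAT, DAY_31, ONCE_MAR6):
        print(s.name, problems(s) or next_run_iso(s, "2012-03-01 12:00"))
```

Because next_run() walks the calendar day by day, a "Day 31" schedule evaluated from 1 April lands on 31 May, and a one-off schedule whose date has passed returns None; both are the cases to check before relying on a schedule for the only copy of the SSL files.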
Updating an Existing Backup Schedule
You can update an existing backup schedule. When you update a schedule that is currently associated
with devices, the changes that you make to the schedule affect the associated devices.
Caution Modifying an existing schedule affects the backup schedule of any device currently associated with the
schedule.
Procedure
Step 1 Choose Config > Global > All Schedules.
The Schedules window appears and displays the information described in Table 6-15.
Step 2 From the Schedules window, click the radio button of the backup schedule to update and click Update
Schedule.
The Update Schedule popup window appears.
Step 3 From the Update Schedule popup window, update the backup schedule as described in Table 6-16.
Note You cannot modify the schedule name.
Step 4 From the Update Schedule popup window, do one of the following:
• Click OK to save your changes, close the popup window, and return to the Schedules window.
• Click Cancel to close the popup window without saving your changes and return to the Schedules
window.
Related Topics
• Managing Global Backup Schedules, page 6-73
• Creating a Backup Schedule, page 6-73
• Deleting a Backup Schedule, page 6-76
• Associating a Global Backup Schedule with a Device, page 6-71
Deleting a Backup Schedule
You can delete an existing global backup schedule.
Caution Deleting a backup schedule removes the schedule from any device currently associated with it.
Procedure
Step 1 Choose Config > Global > All Schedules.
The Schedules window appears and displays the information described in Table 6-15.
Step 2 From the Schedules window, click the radio button of the backup schedule to delete and click Delete.
The Delete Confirmation popup window appears.
Step 3 From the Delete Confirmation popup window, do one of the following:
• Click OK to delete the schedule, close the popup window, and return to the Schedules window. The
schedule is removed from the list of schedules.
• Click Cancel to ignore the delete request, close the popup window, and return to the Schedules
window.
Related Topics
• Managing Global Backup Schedules, page 6-73
• Creating a Backup Schedule, page 6-73
• Associating a Global Backup Schedule with a Device, page 6-71
Copying Existing Tarred Backup Files to a Remote Server
You can copy an existing backup file from disk0: to a remote server. During the global backup process,
each ACE creates a tarred file containing its backup files and saves it locally on disk0:. You can use ANM
to simultaneously copy these tarred files from multiple ACEs to a remote server.
Note If your web browser supports the Remember Passwords option and you enable this option, the web
browser may fill in the Username and Password fields for user authentication. By default, these fields
should be empty. You can overwrite whatever the web browser inserts into the two fields.
Procedure
Step 1 Choose Config > Global > All Backups.
The Backups table appears and displays a list of the available ACEs.
Note To refresh the table content at any time, click Poll Now.
The Backups fields are described in Table 6-13.
Step 2 In the Backups table, check the checkbox of the ACE or ACEs to perform the copy function.
Note To choose all of the ACEs, check the Name checkbox.
Step 3 Click Copy.
The Copy backup files to a remote system dialog box appears.
Step 4 In the Copy backup files to a remote system dialog box, choose the backup file to copy from the selected
device.
This option appears only when you have selected a specific device for the copy operation in Step 2. If
you selected multiple devices in Step 2, then each device copies its latest successful backup file to the
remote server.
Step 5 Click the radio button of the transfer protocol to use.
• FTP—File Transfer Protocol
• SFTP—Secure File Transfer Protocol
• TFTP—Trivial File Transfer Protocol
Of the three, only SFTP encrypts the session. FTP sends the username, password, and the archive in
cleartext, and TFTP sends the archive in cleartext with no authentication at all, so prefer SFTP when the
tarred backup contains SSL files.
Step 6 In the Username field, enter the username that the remote server requires for user authentication.
This field appears for FTP and SFTP only.
Step 7 In the Password field, enter the password that the remote server requires for user authentication.
This field appears for FTP and SFTP only.
Step 8 In the IP Address field, enter the IP address of the remote server.
Step 9 In the Backup File Path in Remote System field, enter the full path for the backup file on the remote server.
Step 10 Click OK to begin the copy process.
ANM copies the backup files from each device to the remote server. A popup message displays to
indicate whether a copy operation was successful or failed.
Related Topics
• Backing Up Multiple Device Configuration and SSL Files, page 6-69
• Performing Device Backup and Restore Functions, page 6-59
Configuring Security with ACLs
An access control list (ACL) consists of a series of statements called ACL entries that collectively define
the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the
parts of your network specified in the entry. In addition to an action element (permit or deny), each entry
also contains a filter element based on criteria such as the source address, the destination address, the
protocol, or the protocol-specific parameters. An implicit “deny all” entry exists at the end of every ACL,
so you must configure an ACL on every interface where you want to permit connections; otherwise, the
ACE denies all traffic on the interface.
ACLs provide basic security for your network by allowing you to control network connection setups
rather than processing each packet. Such ACLs are commonly referred to as security ACLs.
You can configure ACLs as parts of other features; for example, security, network address translation
(NAT), or server load balancing (SLB). The ACE merges these individual ACLs into one large ACL
called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup
mechanisms. A match on this merged ACL can result in multiple actions. You can add, modify, or delete
entries to an ACL already in the summary table, or add a new ACL to the list.
For example, you can use an ACL to permit all email traffic on a circuit but block FTP traffic. You
can also use ACLs to allow one client to access a part of the network and prevent another client from
accessing that same area.
When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface.
Applying an ACL on an interface assigns the ACL and its entries to that interface.
You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can
also apply the same ACL on multiple interfaces. You can apply EtherType ACLs in only the inbound
direction and on only Layer 2 interfaces.
Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
This section includes the following topics:
• Creating ACLs, page 6-79
• Setting Extended ACL Attributes, page 6-82
• Resequencing Extended ACLs, page 6-87
• Setting EtherType ACL Attributes, page 6-87
• Displaying ACL Information and Statistics, page 6-89
Creating ACLs
You can create an ACL.
Note By default, the ACE denies all traffic unless explicitly allowed. Only traffic that is explicitly allowed in
an ACL can pass. All other traffic is denied.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > ACLs.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > ACLs.
The ACLs table appears listing the existing ACLs. The ACL fields are described in Table 6-17.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Step 2 In the ACLs table, do one of the following:
• To view full details of an ACL inline, click the plus sign to the left of any table entry.
• To create an ACL, click Add.
• To modify an ACL, choose the radio button to the left of any table entry, and click Edit.
• To delete an ACL, choose the radio button to the left of any table entry, and click Trash.
If you choose create, the New Access List window appears.
If you choose modify, the Edit ACL or Edit ACL entry window appears based on the selected radio
button to the left of any table entry.
Table 6-17 ACLs Table
Field Description
Name Unique identifier for the ACL. Valid entries are unquoted text strings with a maximum of 64
alphanumeric characters.
Type Identifies the following ACL attributes:
• ACL type:
– Extended—Allows you to specify both the source and the destination IP addresses of
traffic and the protocol and the action to be taken. For more information see the “Setting
Extended ACL Attributes” section on page 6-82.
– EtherType—This ACL controls network access for non-IP traffic based on its EtherType.
An EtherType is a subprotocol identifier. For more information, see the “Setting EtherType
ACL Attributes” section on page 6-87.
• (ACE module and ACE appliance software Version A5(1.0) or later only) IP address type:
– IPv4—This ACL controls network access for IPv4 traffic.
– IPv6—This ACL controls network access for IPv6 traffic.
# ACL line number for extended type ACL entries.
Action Action to be taken (permit/deny).
Protocol Protocol number or service object group to apply to this ACL entry.
Source Source IPv6 or IPv4 address (and source netmask with port number if configured for extended type
ACL) or source network object group (if configured) that is being applied to this ACL entry. IPv6
requires ACE module and ACE appliance software Version A5(1.0) or later.
Destination Destination IPv6 or IPv4 address (and destination netmask with port number if configured for
extended type ACL) or destination network object group (if configured) that is applied to this ACL
entry. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
ICMP Whether or not this ACL uses ICMP (Internet Control Message Protocol). For more information,
see Table 6-20.
Interface VLAN interfaces associated with this ACL. For example in24,4033:24out where “in” denotes the
input direction and “out” denotes the output direction.
Remark Comments for this ACL. Valid entries are unquoted text strings with a maximum of 100 characters.
You can enter leading spaces at the beginning of the text or special characters. Trailing spaces are
ignored.
Step 3 Add or edit required fields as described in Table 6-18.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 6-18 ACL Configuration Attributes
Field Description
ACL Properties
Name Unique identifier for the ACL. Valid entries are unquoted text strings with a maximum of 64
alphanumeric characters.
Type Type of ACL:
• Extended—Allows you to specify both the source and the destination IP addresses of
traffic, the protocol, and the action to be taken. For more information see the “Setting
Extended ACL Attributes” section on page 6-82.
• EtherType—This ACL controls network access for non-IP traffic based on its EtherType.
An EtherType is a subprotocol identifier. For more information see the “Setting
EtherType ACL Attributes” section on page 6-87.
IP Address Type Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later,
which supports IPv4 and IPv6. Type of IP address: IPv4 or IPv6.
Remark Comments that you want to include for this ACL. Valid entries are unquoted text strings with
a maximum of 100 characters. You can enter leading spaces at the beginning of the text or
special characters. Trailing spaces are ignored.
ACL Entries
Entry Attributes Line number, action and protocol/service object group drop-down list. For information about
setting these attributes, see the “Setting Extended ACL Attributes” section on page 6-82 or
the “Setting EtherType ACL Attributes” section on page 6-87.
Source This field contains the following information for Extended ACLs only: Source IPv6 address
and prefix length, IPv4 address with port number (if configured) and netmask, or source
network object group (if configured) that is being applied to this ACL entry. For information
about setting this attribute, see the “Setting Extended ACL Attributes” section on page 6-82.
IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
Destination This field contains the following information for Extended ACLs only: Destination IPv6
address and prefix length, IPv4 address with port number (if configured) and netmask, or
destination network object group (if configured) that is being applied to this ACL entry. For
information about setting this attribute, see the “Setting Extended ACL Attributes” section on
page 6-82.
IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
Add To Table button Button to add multiple ACL entries, one at a time before clicking Deploy.
Remove From Table button Button to remove multiple ACL entries, one at a time before clicking Deploy.
Input/Output Direction; Currently Assigned (ACL:Direction) Field that allows you to associate the ACL with one or more interfaces, allowing only one input
and one output ACL for each interface. The top left checkbox under the Interfaces section
allows you to choose and apply to all interfaces “access-group input.”
Note To add, modify, or delete Object Groups go to the “Configuring Object Groups” section on page 6-89.
Step 4 Do one of the following:
• Click Deploy to deploy the newly created ACL entries along with the VLAN interface assignments that
you configured.
• Click Cancel to exit this procedure without saving your entries and to return to the ACLs table.
Related Topics
• Configuring Security with ACLs, page 6-78
• Setting EtherType ACL Attributes, page 6-87
• Setting Extended ACL Attributes, page 6-82
• Resequencing Extended ACLs, page 6-87
• Editing or Deleting ACLs, page 6-100
• Displaying ACL Information and Statistics, page 6-89
Setting Extended ACL Attributes
You can configure extended ACL attributes, which let you specify both the source and the destination
IP addresses of traffic, the protocol, and the action to be taken.
For TCP, UDP, and ICMP connections, you do not need to also apply an ACL on the destination interface
to allow returning traffic, because the ACE allows all returning traffic for established connections.
Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
Note The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the
destination address as any and do not specify the ports in an extended ACL.
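Lookup order is what makes extended ACLs easy to get wrong: entries are tried in line-number order, the first match wins, and anything that matches nothing hits the implicit deny. The following is an added example written for this guide (illustration code, not ANM or ACE software) that evaluates a packet against a list of extended ACL entries using the Action, Protocol, Source, Destination, port operator and ICMP fields of Table 6-19, and flags entries that an earlier, broader entry makes unreachable, the situation that the "Resequencing Extended ACLs" section exists to fix. The names AclEntry, Packet, evaluate() and shadowed_entries(), the CIDR notation for networks, and the sample ACL are assumptions of the example; the ACE's merged-ACL compiler and its allowance for returning traffic of established connections are not modelled.

```python
"""Added example (illustration code, not ANM or ACE software): a first-match
evaluator for extended ACL entries with the implicit "deny all", line-number
lookup order, and the Table 6-19 operators (Equal To, Greater Than, Less Than,
Not Equal To, Range). All class and function names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# An operator is (name, args): ("eq", (22,)), ("range", (1024, 65535)), (None, ()) = any.
Operator = Tuple[Optional[str], Tuple[int, ...]]


def op_match(op: Operator, value: int) -> bool:
    """Apply a Table 6-19 style operator; no operator means any value matches."""
    name, args = op
    if name is None:
        return True
    if name == "range":
        lo, hi = args
        if lo >= hi:
            raise ValueError("range: lower bound must be less than upper bound")
        return lo <= value <= hi
    (n,) = args
    return {"eq": value == n, "gt": value > n, "lt": value < n, "neq": value != n}[name]


@dataclass
class AclEntry:
    line: int                        # position in the ACL; lower lines are checked first
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" (any IP), "tcp", "udp" or "icmp"
    src: str                         # network in CIDR form, or "any"
    dst: str
    src_port: Operator = (None, ())
    dst_port: Operator = (None, ())
    icmp_type: Optional[int] = None
    icmp_code: Operator = (None, ())


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def net_match(spec: str, addr: str) -> bool:
    # An IPv6 address is never inside an IPv4 network (and vice versa), which
    # mirrors an ACL being typed as either IPv4 or IPv6.
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not (net_match(e.src, p.src) and net_match(e.dst, p.dst)):
        return False
    if e.protocol in ("tcp", "udp"):
        return op_match(e.src_port, p.src_port) and op_match(e.dst_port, p.dst_port)
    if e.protocol == "icmp":
        if e.icmp_type is not None and e.icmp_type != p.icmp_type:
            return False
        return op_match(e.icmp_code, p.icmp_code)
    return True


def evaluate(acl: List[AclEntry], p: Packet) -> Tuple[str, Optional[int]]:
    """(action, line) of the first matching entry, or ("deny", None) for the
    implicit deny at the end of every ACL."""
    for e in sorted(acl, key=lambda x: x.line):
        if entry_matches(e, p):
            return e.action, e.line
    return "deny", None


def covers(spec: str, other: str) -> bool:
    """True when network 'spec' contains every address of network 'other'."""
    if spec == "any":
        return True
    if other == "any":
        return False
    a, b = ip_network(spec, strict=False), ip_network(other, strict=False)
    return a.version == b.version and b.subnet_of(a)


def _unconditional(e: AclEntry) -> bool:
    return (e.src_port[0] is None and e.dst_port[0] is None
            and e.icmp_type is None and e.icmp_code[0] is None)


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Line numbers of entries that can never match because an earlier entry
    without port/ICMP constraints already covers their protocol and networks.
    Conservative: only this simple form of shadowing is reported."""
    ordered = sorted(acl, key=lambda x: x.line)
    dead = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (_unconditional(earlier) and earlier.protocol in ("ip", later.protocol)
                    and covers(earlier.src, later.src) and covers(earlier.dst, later.dst)):
                dead.append(later.line)
                break
    return dead


# Constructed sample ACL: the telnet deny on line 20 sits behind a broad TCP
# permit on line 10, so it is never reached. FIXED_ACL has the two swapped.
SAMPLE_ACL = [
    AclEntry(10, "permit", "tcp", "any", "10.1.2.3/32"),
    AclEntry(20, "deny", "tcp", "any", "10.1.2.3/32", dst_port=("eq", (23,))),
    AclEntry(30, "permit", "udp", "10.1.0.0/16", "any", dst_port=("eq", (53,))),
    AclEntry(40, "permit", "icmp", "any", "any", icmp_type=8),   # echo request only
]
FIXED_ACL = [
    AclEntry(10, "deny", "tcp", "any", "10.1.2.3/32", dst_port=("eq", (23,))),
    AclEntry(20, "permit", "tcp", "any", "10.1.2.3/32"),
] + SAMPLE_ACL[2:]

if __name__ == "__main__":
    telnet = Packet("tcp", "192.0.2.9", "10.1.2.3", 40000, 23)
    print(evaluate(SAMPLE_ACL, telnet), shadowed_entries(SAMPLE_ACL))
    print(evaluate(FIXED_ACL, telnet), shadowed_entries(FIXED_ACL))
```

The shadow check only reports an entry that an earlier, unconditional entry fully covers; partial overlaps (an earlier entry that covers some but not all of a later entry's source range) still change behaviour and are best found by running representative packets through evaluate() before and after a resequence.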
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > ACLs.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > ACLs.
The ACLs table appears, listing the existing ACLs.
Step 2 In the ACLs table, click Add.
The New Access List configuration window appears.
Step 3 Click Add to add an entry to the table, or choose an existing entry and click Edit to modify it.
Step 4 In the ACL Properties pane, do the following:
a. Enter the ACL name.
b. For the ACL type, choose Extended.
c. For the IP address type, choose either IPv4 or IPv6. This field appears only for ACE module and
ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
d. (Optional) In the Remark text box, enter comments that you want to include for this ACL. Valid
entries are unquoted text strings with a maximum of 100 characters. You can enter leading spaces at
the beginning of the text or special characters. Trailing spaces are ignored.
Step 5 Configure extended ACL entries using the information in Table 6-19.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 6-19 Extended ACL Configuration Options
Field Description
Entry Attributes
Line Number Number that specifies the position of this entry in the ACL. The position of an entry affects
the lookup order of the entries in an ACL. To change the sequence of existing extended ACLs,
see the “Resequencing Extended ACLs” section on page 6-87.
Action Action to be taken: Permit or Deny.
Service Object Group Option that is not applicable to ACE modules running 3.0(0)A1(x) and ACE 4710 appliances
running image A1(x).
Choose a service object group to apply to this ACL.
Protocol Protocol or protocol number to apply to this ACL entry. Table 6-20 lists common protocol
names and numbers.
ICMP Type This field appears only when the selected protocol type is ICMP. Choose the ICMP type.
Table 6-23 lists common ICMP types and numbers. Table 6-24 lists common ICMPv6 types
and numbers.
ICMP Message Code Operator This field appears only when the selected protocol type is ICMP. Choose one of the following
operands to use when comparing message codes for this service object:
operands to use when comparing message codes for this service object:
• Equal To—The message code must be the same as the number in the Message Code field.
• Greater Than—The message code must be greater than the number in the Message Code
field.
• Less Than—The message code must be less than the number in the Message Code field.
• Not Equal To—The message code must not equal the number in the Message Code field.
• Range—The message code must be within the range of codes specified by the Min.
Message Code field and the Max. Message Code field.
ICMP Message Code This field appears only when the selected protocol type is ICMP and the ICMP Message Code
Operator is set to one of the following: Equal To, Greater Than, Less Than, or Not Equal To.
Enter the ICMP message code for this service object.
ICMP Min. Message Code, ICMP Max. Message Code These fields appear only when the selected protocol type is ICMP and the ICMP Message
Code Operator is set to Range.
Enter the beginning and ending value for the range of message codes for this service object. Valid
entries are integers from 0 to 255. The minimum value must be less than the maximum value.
Source
Source Network Network traffic being received from the source network to the ACE:
• Any—Choose the Any radio button to indicate that network traffic from any source is
allowed.
• IP/Netmask—(IPv4 address type) Use this field to limit access to a specific source IP
address. Enter the source IP address that is allowed for this ACL and choose its subnet mask.
• IP/Prefix-length—(IPv6 address type) Use this field to limit access to a specific source IP
address. Enter the source IPv6 address that is allowed for this ACL and its prefix length.
IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
• Network Object Group—Choose a source network object group to apply to this ACL.
Note This option is not applicable to ACE modules running release 3.0(0)A1(x) and ACE
4710 appliances running release A1(x).
Source Port Operator Field that appears if you choose TCP or UDP in the Protocol field.
Choose the operand to use to compare source port numbers:
• Equal To—The source port must be the same as the number in the Source Port Number
field.
• Greater Than—The source port must be greater than the number in the Source Port
Number field.
• Less Than—The source port must be less than the number in the Source Port Number
field.
• Not Equal To—The source port must not equal the number in the Source Port Number
field.
• Range—The source port must be within the range of ports specified by the Lower Source
Port Number field and the Upper Source Port Number field.
Source Port Number Field that appears if you choose one of the following in the Source Port Operator field: Equal To,
Greater Than, Less Than, or Not Equal To.
Enter the port name or number from which you want to permit or deny access. For a list of
ports, see the “ANM Ports Reference” section on page A-1.
Lower Source Port Number Field that appears if you choose Range in the Source Port Operator field.
Enter the number of the lowest port from which you want to permit or deny access. Valid
entries are from 0 to 65535. The number in this field must be less than the number entered in
the Upper Source Port Number field.
Upper Source Port Number Field that appears if you choose Range in the Source Port Operator field.
Enter the port number of the upper port from which you want to permit or deny access. Valid
entries are from 0 to 65535. The number in this field must be greater than the number entered
in the Lower Source Port Number field.
Destination
Destination Network Network traffic being transmitted to the destination network from the ACE:
• Any—Choose the Any radio button to indicate that network traffic to any destination is
allowed.
• IP/Netmask—(IPv4 address type) Use this field to limit access to a specific destination IP
address. Enter the destination IP address that is allowed for this ACL and choose its subnet mask.
• IP/Prefix-length—(IPv6 address type) Use this field to limit access to a specific
destination IP address. Enter the destination IPv6 address that is allowed for this ACL and
its prefix length. IPv6 requires ACE module and ACE appliance software Version A5(1.0)
or later.
• Network Object Group—Choose a destination network object group to apply to this ACL.
Note This option is not applicable to ACE modules running release 3.0(0)A1(x) and ACE
4710 appliances running release A1(x).
Destination Port Operator Field that appears if you choose TCP or UPD in the Protocol field.
Choose the operand to use to compare destination port numbers:
• Equal To—The destination port must be the same as the number in the Destination Port
Number field.
• Greater Than—The destination port must be greater than the number in the Destination
Port Number field.
• Less Than—The destination port must be less than the number in the Destination Port
Number field.
• Not Equal To—The destination port must not equal the number in the Destination Port
Number field.
• Range—The destination port must be within the range of ports specified by the Lower
Destination Port Number field and the Upper Destination Port Number field.
Destination Port Number Field that appears if you choose one of the following in the Destination Port Operator field:
Equal To, Greater Than, Less Than, or Not Equal To.
Enter the port name or number from which you want to permit or deny access. For a list of
ports and keywords, see the “ANM Ports Reference” section on page A-1.
Lower Destination Port
Number
Field that appears if you choose Range in the Destination Port Operator field.
Enter the number of the lowest port to which you want to permit or deny access. Valid entries
are from 0 to 65535. The number in this field must be less than the number entered in the
Upper Destination Port Number field.
Upper Destination Port
Number
Field that appears if you choose Range in the Destination Port Operator field.
Enter the port number of the upper port to which you want to permit or deny access. Valid
entries are from 0 to 65535. The number in this field must be greater than the number entered
in the Lower Destination Port Number field.
Step 6 In the Extended configuration pane, do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit without saving your entries and to return to the Extended table.
• Click Next to deploy your entries and to add another entry to the Extended table.
Step 7 (Optional) Associate any VLAN interface to this ACL if required and do one of the following:
• Click Deploy to immediately deploy this configuration.
• Click Cancel to exit without saving your entries and to return to the ACL Summary table.
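As an added illustration (not ANM or ACE code) of how extended ACL entries built from the fields above behave, the following Python evaluates a constructed ACL in line-number order with the ACE's default deny, applying the destination Port Operator choices and the Lower/Upper Port Number rules (the source-port fields and the Table 6-21 service-object ports use the same operators); the entry layout, sample addresses and line numbers are assumptions.

```python
"""Added example (not ANM/ACE code): evaluates extended ACL entries the way the
ANM fields describe them. Entries are checked in line-number order, the first
match decides, and anything not explicitly permitted is denied (the ACE default)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PORT_MIN, PORT_MAX = 0, 65535


def valid_port_range(lower: int, upper: int) -> bool:
    """Lower/Upper Port Number rules: both in 0..65535, lower strictly below upper."""
    in_bounds = all(PORT_MIN <= p <= PORT_MAX for p in (lower, upper))
    return in_bounds and lower < upper


def port_matches(operator: Optional[str], port: int, value: int = 0,
                 lower: int = 0, upper: int = 0) -> bool:
    """Applies one Port Operator choice; None means the entry has no port condition."""
    if operator is None:
        return True
    if operator == "Equal To":
        return port == value
    if operator == "Greater Than":
        return port > value
    if operator == "Less Than":
        return port < value
    if operator == "Not Equal To":
        return port != value
    if operator == "Range":
        if not valid_port_range(lower, upper):
            raise ValueError(f"invalid port range {lower}-{upper}")
        return lower <= port <= upper
    raise ValueError(f"unknown operator {operator!r}")


@dataclass
class Ace:
    """One access control entry (constructed model, not the ANM data model)."""
    line: int
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches any protocol, else "tcp", "udp", ...
    source: str                 # "any" or a network in CIDR form
    destination: str
    dst_operator: Optional[str] = None
    dst_value: int = 0
    dst_lower: int = 0
    dst_upper: int = 0

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if self.source != "any" and ip_address(src) not in ip_network(self.source):
            return False
        if self.destination != "any" and ip_address(dst) not in ip_network(self.destination):
            return False
        return port_matches(self.dst_operator, dport,
                            self.dst_value, self.dst_lower, self.dst_upper)


def evaluate(acl, proto: str, src: str, dst: str, dport: int = 0) -> Tuple[str, Optional[int]]:
    """Returns (action, matching line), or ("deny", None) for the implicit default deny."""
    for entry in sorted(acl, key=lambda e: e.line):
        if entry.matches(proto, src, dst, dport):
            return entry.action, entry.line
    return "deny", None


# Constructed sample ACL: line 20 permits HTTPS to one server, but the earlier
# deny of the whole privileged port range (line 10) shadows it.
SAMPLE_ACL = [
    Ace(10, "deny", "tcp", "any", "192.0.2.0/24", "Range", dst_lower=0, dst_upper=1023),
    Ace(20, "permit", "tcp", "any", "192.0.2.10/32", "Equal To", dst_value=443),
    Ace(30, "permit", "udp", "198.51.100.0/24", "192.0.2.53/32", "Equal To", dst_value=53),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "tcp", "203.0.113.5", "192.0.2.10", 443))   # ('deny', 10)
    print(evaluate(SAMPLE_ACL, "tcp", "203.0.113.5", "192.0.2.10", 8443))  # ('deny', None)
    print(evaluate(SAMPLE_ACL, "udp", "198.51.100.7", "192.0.2.53", 53))   # ('permit', 30)
```

The shadowed line 20 is the kind of ordering problem the Resequence feature and the Details view are there to help you spot.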
Related Topics
• Configuring Security with ACLs, page 6-78
• Creating ACLs, page 6-79
• Setting EtherType ACL Attributes, page 6-87
• Resequencing Extended ACLs, page 6-87
• Editing or Deleting ACLs, page 6-100
• Displaying ACL Information and Statistics, page 6-89
Table 6-20 Protocol Names and Numbers
Protocol Name (1)   Protocol Number   Description
AH                  51                Authentication Header
EIGRP               88                Enhanced IGRP
ESP                 50                Encapsulated Security Payload
GRE                 47                Generic Routing Encapsulation
ICMP                1                 Internet Control Message Protocol
ICMPv6 (2)          58                Internet Control Message Protocol version 6
IGMP                2                 Internet Group Management Protocol
IP                  0                 Internet Protocol
IP-In-IP            4                 IP-In-IP Layer 3 Tunneling Protocol
OSPF                89                Open Shortest Path First
PIM                 103               Protocol Independent Multicast
TCP                 6                 Transmission Control Protocol
UDP                 17                User Datagram Protocol
1. For a complete list of all protocols and their numbers, see the Internet Assigned Numbers Authority available at
www.iana.org/numbers/
2. ICMPv6 is not available for an IPv4 service object group.
Resequencing Extended ACLs
You can change the sequence of entries in an Extended ACL.
Note EtherType ACL entries cannot be resequenced.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > ACLs.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > ACLs.
The ACLs table appears, listing the existing ACLs.
Step 2 In the ACLs table, choose the Extended ACL that you want to renumber, and click the Resequence icon
that appears to the left of the filter field.
The ACL Line Number Resequence window appears.
Step 3 In the Start field of the ACL Line Number Resequence window, enter the number that is to be assigned
to the first entry in the ACL.
Valid entries are from 1 to 2147483647.
Step 4 In the Increment field, enter the number that is to be added to each entry in the ACL after the first entry.
Valid entries are from 1 to 2147483647.
Step 5 Do one of the following:
• Click Resequence to save your entries and to return to the ACLs table.
• Click Cancel to exit this procedure without saving your entries and to return to the ACLs table.
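The numbering that Steps 3 and 4 produce, as an added example in Python (not ANM code): the first entry receives Start, each later entry adds Increment, relative order is kept, and the Start/Increment limits of 1 to 2147483647 are enforced together with an overflow check that those two limits alone cannot rule out. The existing line numbers are constructed.

```python
"""Added example (not ANM code): reproduces the numbering that the ACL Line Number
Resequence window applies from a Start value and an Increment."""
MAX_SEQ = 2147483647  # largest value the ANM accepts for Start and for Increment


def last_assigned(count: int, start: int, increment: int) -> int:
    """Line number the last of `count` entries would receive."""
    return start + increment * (count - 1)


def resequence(lines, start: int, increment: int) -> dict:
    """Maps each existing line number to its new one. Entries keep their relative
    order: the lowest existing line gets Start, each following one adds Increment.
    Raises ValueError if Start or Increment is outside 1..MAX_SEQ, or if the last
    entry would be numbered above MAX_SEQ (possible even with valid inputs)."""
    for name, value in (("Start", start), ("Increment", increment)):
        if not 1 <= value <= MAX_SEQ:
            raise ValueError(f"{name} must be from 1 to {MAX_SEQ}")
    ordered = sorted(lines)
    if ordered and last_assigned(len(ordered), start, increment) > MAX_SEQ:
        raise ValueError("resequenced numbers would exceed the maximum line number")
    return {old: start + i * increment for i, old in enumerate(ordered)}


if __name__ == "__main__":
    # Constructed ACL with unevenly spaced entries, renumbered to 10, 20, 30
    print(resequence([5, 17, 9], start=10, increment=10))  # {5: 10, 9: 20, 17: 30}
```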
Related Topics
• Configuring Security with ACLs, page 6-78
• Creating ACLs, page 6-79
• Setting EtherType ACL Attributes, page 6-87
• Setting Extended ACL Attributes, page 6-82
• Editing or Deleting ACLs, page 6-100
• Displaying ACL Information and Statistics, page 6-89
Setting EtherType ACL Attributes
You can configure an ACL that controls traffic based on its EtherType, which is a subprotocol identifier.
EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames
because those frames carry a length field instead of a type field. The only exception is bridge protocol
data units (BPDUs), which are SNAP encapsulated; the ACE is designed to handle BPDUs.
Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly
allowed in an ACL can pass. All other traffic is denied.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > ACLs.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > ACLs.
The ACLs table appears, listing the existing ACLs.
Step 2 In the ACLs table, click Add.
The New Access List configuration window appears.
Step 3 In the ACL Properties pane, do the following:
a. In the Name text box, enter the ACL name.
b. For the Type, choose Ethertype.
c. For the IP Address Type, choose IPv4. This field appears only for ACE module and ACE appliance
software Version A5(1.0) or later, which supports IPv4 and IPv6.
Note You cannot use IPv6 with an Ethertype ACL.
Step 4 Choose one of the following radio buttons:
• Deny to indicate that the ACE is to block connections.
• Permit to indicate that the ACE is to allow connections.
Step 5 In the Protocol field, choose one of the following from the drop-down list for this ACL:
• Any—Specifies any EtherType.
• BPDU—Specifies bridge protocol data units. The ACE receives trunk port (Cisco proprietary)
BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the
payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you
configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid
bridging loops. For information about configuring redundancy, see the “Understanding ACE
Redundancy” section on page 13-6.
• IPv6—Specifies Internet Protocol version 6.
• MPLS—Specifies Multi-Protocol Label Switching. The MPLS selection applies to both MPLS
unicast and MPLS multicast traffic. If you allow MPLS, ensure that Label Distribution Protocol
(LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by
configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as
the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels
(addresses) used to forward packets.
Step 6 Click Add to Table and, if required, add one or more ACL entries, repeating Steps 4 and 5 as needed.
Step 7 (Optional) Associate any VLAN interface to this ACL if required and do one of the following:
• Click Deploy to immediately deploy this configuration. This option appears for virtual contexts.
• Click Cancel to exit without saving your entries and to return to the ACL Summary table.
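To make the Ethernet V2 versus 802.3 distinction above concrete, here is an added Python example (not ACE code) that reads a frame's Type/Length field, treats values of 0x0600 and above as an EtherType, handles the 802.1Q tag seen on a trunk port, and recognises the SNAP-encapsulated Cisco PVST+ BPDU that the text describes; the EtherType values (IPv6 0x86DD, MPLS 0x8847/0x8848) and the SNAP/OUI/PID constants are standard, while the sample frames, addresses and the assumption that PVST+ is the "trunk BPDU" meant here are mine.

```python
"""Added example (not ACE code): classifies the Type/Length field of an Ethernet frame
the way the EtherType ACL description distinguishes frames. Values of 0x0600 and above
are Ethernet V2 EtherTypes; smaller values are 802.3 lengths followed by an LLC header,
which an EtherType ACL cannot match except for SNAP-encapsulated BPDUs."""
import struct
from typing import Optional

ETHERTYPE_MIN = 0x0600      # IEEE 802.3: below this the field is a length, not a type
SELECTIONS = {              # EtherType ACL Protocol choices that name a specific type
    0x86DD: "IPv6",
    0x8847: "MPLS",         # MPLS unicast
    0x8848: "MPLS",         # MPLS multicast; the MPLS choice covers both
}
SNAP_LLC = b"\xaa\xaa\x03"
CISCO_OUI = b"\x00\x00\x0c"
PVST_PID = 0x010B           # Cisco PVST+ BPDU protocol id (assumed to be the trunk BPDU meant)


def classify(frame: bytes) -> dict:
    """Returns the frame format, its EtherType (None for 802.3), the 802.1Q VLAN if
    tagged, and the EtherType ACL Protocol choice that would match it: a named
    choice, "Any" for other V2 EtherTypes, or None when no EtherType ACL applies."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, vlan = 12, None
    field = struct.unpack("!H", frame[off:off + 2])[0]
    if field == 0x8100:                        # 802.1Q tag, as on a trunk port
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        off = 16
        field = struct.unpack("!H", frame[off:off + 2])[0]
    payload = frame[off + 2:]
    if field >= ETHERTYPE_MIN:
        return {"format": "Ethernet V2", "ethertype": field, "vlan": vlan,
                "acl_selection": SELECTIONS.get(field, "Any")}
    # 802.3: the field is a payload length and an LLC header follows it
    if payload[:3] == SNAP_LLC and len(payload) >= 8:
        oui, pid = payload[3:6], struct.unpack("!H", payload[6:8])[0]
        if oui == CISCO_OUI and pid == PVST_PID:
            return {"format": "802.3 SNAP", "ethertype": None, "vlan": vlan,
                    "acl_selection": "BPDU"}
    return {"format": "802.3", "ethertype": None, "vlan": vlan, "acl_selection": None}


def _frame(dst: str, src: str, tail: bytes, vlan: Optional[int] = None) -> bytes:
    """Builds a constructed frame: MAC header, optional 802.1Q tag, then `tail`."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + tail


# Constructed sample frames; MAC addresses and payload bytes are placeholders
SAMPLES = {
    "ipv6": _frame("333300000001", "0050568a0001",
                   struct.pack("!H", 0x86DD) + b"\x60" + b"\x00" * 39),
    "mpls_multicast": _frame("01005e000001", "0050568a0001",
                             struct.pack("!H", 0x8848) + b"\x00\x01\x21\x40"),
    "pvst_bpdu": _frame("01000ccccccd", "0050568a0002",
                        struct.pack("!H", 0x0032) + SNAP_LLC + CISCO_OUI
                        + struct.pack("!H", PVST_PID) + b"\x00" * 42, vlan=10),
    "llc_netbios": _frame("0050568a0003", "0050568a0004",
                          struct.pack("!H", 0x0030) + b"\xf0\xf0\x03" + b"\x00" * 45),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame))
```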
Related Topics
• Configuring Security with ACLs, page 6-78
• Creating ACLs, page 6-79
• Setting Extended ACL Attributes, page 6-82
• Resequencing Extended ACLs, page 6-87
• Editing or Deleting ACLs, page 6-100
• Displaying ACL Information and Statistics, page 6-89
Displaying ACL Information and Statistics
You can display information and statistics for a particular ACL by using the Details button.
Procedure
Step 1 Choose Config > Devices > context > Security > ACLs.
The ACLs table appears, listing the existing ACLs.
Step 2 In the ACLs table, choose an ACL, and click Details.
The show access-list access-list detail CLI command output appears. For details about the displayed
output fields, see either the Cisco ACE Module Security Configuration Guide or the Cisco ACE 4700
Series Appliance Security Configuration Guide, Chapter 1, “Configuring Security Access Control Lists.”
Step 3 Click Update Details to refresh the output for the show access-list access-list detail CLI command.
Step 4 Click Close to return to the ACLs table.
Related Topics
• Configuring Security with ACLs, page 6-78
• Creating ACLs, page 6-79
• Setting Extended ACL Attributes, page 6-82
• Resequencing Extended ACLs, page 6-87
• Editing or Deleting ACLs, page 6-100
Configuring Object Groups
You can configure object groups that you can associate with ACLs. An object group is a logical grouping
of objects such as hosts (servers and clients), services, and networks. When you create an object group,
you choose a type, such as network or service, and then specify the objects that belong to the group. In
all, there are four types of object groups: network, protocol, service, and ICMP-type.
After you configure an object group, you can include it in ACLs, thereby including all objects within
that group and reducing overall configuration size.
This section includes the following topics:
• Creating or Editing an Object Group, page 6-90
• Configuring IP Addresses for Object Groups, page 6-91
• Configuring Subnet Objects for Object Groups, page 6-92
• Configuring Protocols for Object Groups, page 6-93
• Configuring TCP/UDP Service Parameters for Object Groups, page 6-94
• Configuring ICMP Service Parameters for an Object Group, page 6-97
Creating or Editing an Object Group
You can create an object group or edit an existing one.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > Object Groups.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > Object Groups.
Note Object groups are available for only ACE modules and ACE module configuration building
blocks.
The Object Groups table appears, listing existing object groups.
Step 2 In the Object Groups table, click Add to create a new object group, or choose an existing object group,
and click Edit to modify it.
The Object Groups configuration window appears.
Note The object group definition attributes for Protocol Selection and Service Parameter cannot be
edited once defined for an object group. To edit these values, delete the object group definition
and then add it again with the desired settings.
Step 3 In the Name field of the Object Groups configuration window, enter a unique name for this object group.
Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4 In the Description field, enter a brief description for the object group.
Step 5 In the Type field, choose the type of object group that you are creating:
• Network—The object group is based on a group of hosts or subnet IP addresses.
• Service—The object group is based on TCP or UDP protocols and ports, or ICMP types, such as
echo or echo-reply.
Step 6 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit without saving your entries and to return to the Object Groups table.
• Click Next to deploy your entries and to add another entry to the Object Groups table.
If you click Deploy Now or OK, the window refreshes with tables of additional configuration options.
Step 7 Configure objects for the object group as follows:
• For network-type object groups, options include:
– Configuring IP Addresses for Object Groups, page 6-91
– Configuring Subnet Objects for Object Groups, page 6-92
• For service-type object groups, options include:
– Configuring Protocols for Object Groups, page 6-93
– Configuring TCP/UDP Service Parameters for Object Groups, page 6-94
– Configuring ICMP Service Parameters for an Object Group, page 6-97
Configuring IP Addresses for Object Groups
You can specify host IP addresses for network-type object groups.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > Object Groups.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > Object Groups.
The Object Groups table appears, listing the existing object groups.
Step 2 In the Object Groups table, choose the object group that you want to configure host IP addresses for, and
click the Host Setting For Object Group tab.
The Host Setting for Object Group table appears.
Step 3 In the Host Setting for Object Group table, click Add to add an entry to this table.
Step 4 Enter the host IP address as follows:
• For ACE modules and ACE appliances using a software version earlier than A5(1.0), enter the IPv4
address of a host to include in this group.
• For ACE modules and ACE appliances using software Version A5(1.0) or later, choose either of the
following IP address types:
– IPv4—A host with an IPv4 IP address. In the IPv4 Address field, enter the IP address of a host
to include in this group.
– IPv6—A host with an IPv6 IP address. In the IPv6 Address field, enter the IP address of a host
to include in this group.
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to deploy your entries and to add another entry to the Host Setting table.
Related Topics
• Configuring Object Groups, page 6-89
• Configuring Subnet Objects for Object Groups, page 6-92
• Configuring Protocols for Object Groups, page 6-93
• Configuring TCP/UDP Service Parameters for Object Groups, page 6-94
• Configuring ICMP Service Parameters for an Object Group, page 6-97
Configuring Subnet Objects for Object Groups
You can specify subnet objects for a network-type object group.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > Object Groups.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > Object Groups.
The Object Groups table appears, listing the existing object groups.
Step 2 In the Object Groups table, choose the object group that you want to configure subnet objects for, and
click the Network Setting For Object Group tab.
The Network Setting for Object Group table appears.
Step 3 Click Add to add an entry to this table.
Step 4 Enter the subnet object IP address as follows:
• For ACE modules and ACE appliances using a software version earlier than A5(1.0), enter an IPv4
address that, with the subnet mask, defines the subnet object.
• For ACE modules and ACE appliances using software Version A5(1.0) or later, in the IP Address
Type field, choose one of the following:
– IPv4—A subnet object with an IPv4 IP address.
– IPv6—A subnet object with an IPv6 IP address. In the IPv6 Address field, enter the IP address.
Step 5 Depending on the IP address type that you chose, do one of the following:
• For IPv4, in the IPv4 Address field, enter the IP address. In the Netmask field, select the subnet mask
for this subnet object.
• For IPv6, in the IPv6 Address field, enter the IP address. In the Network Prefix Length field, enter
the prefix length for this object.
Step 6 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to deploy your entries and to add another entry to the Network Setting table.
Related Topics
• Configuring Object Groups, page 6-89
• Configuring IP Addresses for Object Groups, page 6-91
• Configuring Protocols for Object Groups, page 6-93
• Configuring TCP/UDP Service Parameters for Object Groups, page 6-94
• Configuring ICMP Service Parameters for an Object Group, page 6-97
Configuring Protocols for Object Groups
You can specify protocols for a service-type object group.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > Object Groups.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > Object Groups.
The Object Groups table appears, listing the existing object groups.
Step 2 In the Object Groups table, choose an existing service-type object group, and click the Protocol
Selection tab.
The Protocol Selection table appears.
Step 3 In the Protocol Selection table, click Add to add an entry to this table.
Step 4 In the Protocol Number field, choose the protocol or protocol number to add to this object group.
See Table 6-20 for common protocols and their numbers.
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to deploy your entries and to add another entry to the Protocol Selection table.
Related Topics
• Configuring Object Groups, page 6-89
• Configuring IP Addresses for Object Groups, page 6-91
• Configuring Subnet Objects for Object Groups, page 6-92
• Configuring TCP/UDP Service Parameters for Object Groups, page 6-94
• Configuring ICMP Service Parameters for an Object Group, page 6-97
Configuring TCP/UDP Service Parameters for Object Groups
You can add TCP or UDP service objects to a service-type object group.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > Object Groups.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > Object Groups.
The Object Groups table appears, listing the existing object groups.
Step 2 In the Object Groups table, choose an existing service-type object group, and click the TCP/UDP
Service Parameters tab.
The TCP/UDP Service Parameters table appears.
Step 3 Click Add to add an entry to this table.
Step 4 Configure TCP or UDP service objects using the information in Table 6-21.
Table 6-21 TCP and UDP Service Parameters
Protocol
    Protocol for this service object:
    • TCP—TCP is the protocol for this service object.
    • TCP And UDP—Both TCP and UDP are the protocols for this service object.
    • UDP—UDP is the protocol for this service object.
Source Port Operator
    Operand to use when comparing source port numbers for this service object:
    • Equal To—The source port must be the same as the number in the Source Port field.
    • Greater Than—The source port must be greater than the number in the Source Port field.
    • Less Than—The source port must be less than the number in the Source Port field.
    • Not Equal To—The source port must not equal the number in the Source Port field.
    • Range—The source port must be within the range of ports specified by the Lower Source Port
      field and the Upper Source Port field.
Source Port
    Field that appears if you choose Equal To, Greater Than, Less Than, or Not Equal To in the Source
    Port Operator field.
    Enter the source port name or number for this service object.
Lower Source Port
    Field that appears if you choose Range in the Source Port Operator field.
    Enter the number that is the beginning value for a range of services for this service object. Valid
    entries are from 0 to 65535. The number in this field must be less than the number entered in the
    Upper Source Port field.
Upper Source Port
    Field that appears if you choose Range in the Source Port Operator field.
    Enter the number that is the ending value for a range of services for this service object. Valid entries
    are from 0 to 65535. The number in this field must be greater than the number entered in the Lower
    Source Port field.
Destination Port Operator
    Operand to use when comparing destination port numbers:
    • Equal To—The destination port must be the same as the number in the Destination Port field.
    • Greater Than—The destination port must be greater than the number in the Destination Port
      field.
    • Less Than—The destination port must be less than the number in the Destination Port field.
    • Not Equal To—The destination port must not equal the number in the Destination Port field.
    • Range—The destination port must be within the range of ports specified by the Lower
      Destination Port field and the Upper Destination Port field.
Destination Port
    Field that appears if you choose Equal To, Greater Than, Less Than, or Not Equal To in the
    Destination Port Operator field.
    Enter the destination port name or number for this service object.
Lower Destination Port
    Field that appears if you choose Range in the Destination Port Operator field.
    Enter the number that is the beginning value for a range of services for this service object. Valid
    entries are from 0 to 65535. The number in this field must be less than the number entered in the
    Upper Destination Port field.
Upper Destination Port
    Field that appears if you choose Range in the Destination Port Operator field.
    Enter the number that is the ending value for a range of services for this service object. Valid entries
    are from 0 to 65535. The number in this field must be greater than the number entered in the Lower
    Destination Port field.
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to deploy your entries and to add another entry to the TCP/UDP Service Parameters
table.
Related Topics
• Configuring Object Groups, page 6-89
• Configuring IP Addresses for Object Groups, page 6-91
• Configuring Subnet Objects for Object Groups, page 6-92
• Configuring Protocols for Object Groups, page 6-93
• Configuring ICMP Service Parameters for an Object Group, page 6-97
Configuring ICMP Service Parameters for an Object Group
You can add ICMP service parameters to a service-type object group.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > Security > Object Groups.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Security > Object Groups.
The Object Groups table appears, listing the existing object groups.
Step 2 In the Object Groups table, choose an existing service-type object group, and click the ICMP Service
Parameters tab.
The ICMP Service Parameters table appears.
Step 3 Click Add to add an entry to this table.
Step 4 Configure ICMP type objects using the information in Table 6-22.
Table 6-22 ICMP Type Service Parameters
ICMP Version
    Field that appears for ACE module and ACE appliance software Version A5(1.0) or later. Internet
    Control Message Protocol (ICMP) version. Choose one of the following radio buttons:
    • ICMP—ICMP for Internet Protocol version 4 (IPv4).
    • ICMPv6—ICMP version 6 (ICMPv6) for Internet Protocol version 6 (IPv6).
ICMP Type
    ICMP type or number for this service object. Table 6-23 lists common ICMP types and numbers.
    Table 6-24 lists the ICMPv6 types and numbers.
Message Code Operator
    Operand to use when comparing message codes for this service object:
    • Equal To—The message code must be the same as the number in the Message Code field.
    • Greater Than—The message code must be greater than the number in the Message Code field.
    • Less Than—The message code must be less than the number in the Message Code field.
    • Not Equal To—The message code must not equal the number in the Message Code field.
    • Range—The message code must be within the range of codes specified by the Min. Message
      Code field and the Max. Message Code field.
Message Code
    Field that appears if you choose one of the following in the Message Code Operator field: Equal
    To, Greater Than, Less Than, or Not Equal To.
    Enter the ICMP message code for this service object.
Min. Message Code
    Field that appears if you choose Range in the Message Code Operator field.
    Enter the number that is the beginning value for a range of message codes for this service object.
    Valid entries are from 0 to 255. The number in this field must be less than the number entered in
    the Max. Message Code field.
Max. Message Code
    Field that appears if you choose Range in the Message Code Operator field.
    Enter the number that is the ending value for a range of message codes for this service object.
    Valid entries are from 0 to 255. The number in this field must be greater than the number entered
    in the Min. Message Code field.
Table 6-23 ICMP Type Numbers and Names
Number   ICMP Type Name
0        Echo-Reply
3        Unreachable
4        Source-Quench
5        Redirect
6        Alternate-Address
8        Echo
9        Router-Advertisement
10       Router-Solicitation
11       Time-Exceeded
12       Parameter-Problem
13       Timestamp-Request
14       Timestamp-Reply
15       Information-Request
16       Information-Reply
17       Address-Mask-Request
18       Address-Mask-Reply
31       Conversion-Error
32       Mobile-Redirect
Table 6-24 ICMPv6 Type Numbers and Names
Number   ICMPv6 Type Name
128      Echo
129      Echo-Reply
140      Information-Reply
139      Information-Request
4        Parameter-Problem
137      Redirect
3        Time-Exceeded
30       Traceroute
1        Unreachable
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click OK to save your entries. This option appears for configuration building blocks.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to deploy your entries and to add another entry to the ICMP Service Parameters table.
Related Topics
• Configuring Object Groups, page 6-89
• Configuring IP Addresses for Object Groups, page 6-91
• Configuring Subnet Objects for Object Groups, page 6-92
• Configuring Protocols for Object Groups, page 6-93
• Configuring TCP/UDP Service Parameters for Object Groups, page 6-94
Managing ACLs
This section describes how to manage ACLs.
This section includes the following topics:
• Viewing All ACLs by Context, page 6-99
• Editing or Deleting ACLs, page 6-100
Viewing All ACLs by Context
You can display ACLs that have been configured.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the virtual context with the ACLs that you want to view, and choose Security >
ACLs.
The ACLs table appears, listing the existing ACLs in that context with their name, their type (Extended
or EtherType), and all details (such as Action, Protocol, Interface information).
Step 3 To display all of the ACLs for a given table entry, click the plus sign to the left of that entry.
Step 4 To display all of the ACLs for all of the entries, click Expand All on the Add/Edit/Delete row.
Step 5 To collapse all of the ACLs for all of the entries, click Collapse All on the Add/Edit/Delete row.
Related Topics
• Configuring Security with ACLs, page 6-78
• Creating ACLs, page 6-79
• Setting EtherType ACL Attributes, page 6-87
• Setting Extended ACL Attributes, page 6-82
• Editing or Deleting ACLs, page 6-100
Editing or Deleting ACLs
You can delete or edit an ACL or any of its subentries.
Considerations
• You cannot mix IPv6 and IPv4 access-list entries in the same ACL.
Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
• Before you change the IP address type (IPv4/IPv6) for an existing ACL, you must remove the entries
that are not applicable to the new IP address type.
• If you change the ACL protocol, the ACE removes all of the existing settings for the ACL.
Procedure
Step 1 Choose the item to edit or delete as follows:
• Choose Config > Devices > context > Security > ACLs.
• Choose Config > Global > All Building Blocks > building_block > Security > ACLs.
The ACLs table appears, listing the existing ACLs.
Step 2 In the ACLs table, choose the radio button to the left of the ACL that you want to Edit or Delete.
Expand entries if necessary by clicking the plus sign to the left of any ACL entry until you see the
subentry ACL for which you are looking, or click the Expand All icon to view all ACLs and subentries.
Step 3 Do one of the following:
• If you are editing an ACL or one of its entries, click Edit and go to Step 4.
• If you are deleting an ACL or one of its entries, click Delete and go to Step 5.
Step 4 Edit the entry using the summary information listed in Table 6-18 if needed, and click Deploy when
done.
Step 5 Click Delete.
A confirmation popup window appears asking you to confirm the deletion. If you click OK, the ACLs
table refreshes without the deleted ACL.
Related Topics
• Creating ACLs, page 6-79
• Setting EtherType ACL Attributes, page 6-87
• Setting Extended ACL Attributes, page 6-82
• Resequencing Extended ACLs, page 6-87
Configuring Virtual Context Expert Options
The ANM virtual context Expert configuration options allow you to do the following:
• Establish traffic policies for virtual servers by classifying types of network traffic and then applying
the appropriate rules and actions for handling the traffic. See the “Configuring Traffic Policies”
section on page 14-1.
• Compare a virtual context configuration with a tagged configuration building block that has been
applied to the context. See the “Comparing Context and Building Block Configurations” section on
page 6-101.
• For ACE modules and ACE appliances, configure HTTP header modify action lists. See the
“Configuring an HTTP Header Modify Action List” section on page 14-85.
• For ACE appliances, configure optimization action lists. See the “Configuring an HTTP
Optimization Action List” section on page 15-3.
Comparing Context and Building Block Configurations
ANM allows you to compare the current configuration of a virtual context that has had a tagged
configuration building block applied to it with the settings of the applied building block. Discrepancies
between these configurations can occur when you configure the virtual context after applying the
building block instead of modifying and tagging the building block, then applying the updated building
block to the virtual context.
The ANM auditing process identifies the discrepancies by configuration category (such as policy maps
or SNMP) and groups them accordingly.
You can identify discrepancies between an ANM tagged building block and a virtual context that
previously had the building block applied to it.
Assumption
The virtual context has had a tagged building block applied to it.
Procedure
Step 1 Choose Config > Devices > context > Expert > Building Block Audit.
The Building Block Audit window appears with the Comparison Results table, listing any discrepancies
between the configurations.
Step 2 In the Building Block Audit window, identify the discrepancies as follows:
• Click All at the top of the results tree. The Comparison Results table displays all discrepancies.
The values that follow the word All, such as 2c 5d 3a, indicate differences between the virtual
context configuration and the building block configuration. Each value is a number followed by a
letter, where the number represents the count of differences between the configurations and the
letter represents the type of difference. The possible results are as follows:
– nc (changed) indicates the number of items with settings that have changed or differ from the
settings in the building block. For example, 2c indicates that two configuration options in the
context currently have different settings or values than those settings or values in the applied
building block.
– nd (deleted) indicates the number of items that were in the applied building block that do not
exist in the current context configuration. For example, 5d indicates that five configuration
options that were in the applied building block do not exist in the current context configuration.
– na (added) indicates the number of items that are in the current context configuration that were
not in the applied building block. For example, 3a indicates that three configuration options that
were not in the applied building block have been added to the context configuration.
• Click a folder in the results tree. The Comparison Results table displays the discrepancies for that
configuration category, such as SNMP or class maps.
• Click an item within a folder. The Comparison Results table displays the differences for that specific
attribute.
Step 3 In the Comparison Results table, when viewing results, you can do one of the following:
• Filter the results by entering a complete or partial string in one or more of the input fields at the top
of the columns, then clicking Go.
• Sort the results in ascending or descending order by clicking a column heading.
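The following is an added example, not part of the ANM user guide or of the ANM product, that models the audit described above: it groups discrepancies between a tagged building block and a context by configuration category and renders the nc nd na labels. The representation of a configuration as {category: {item: value}} and the sample building block and context are constructed assumptions.

```python
"""Building block audit: classify drift between a building block and a context as changed/deleted/added."""
from typing import Dict, List

Config = Dict[str, Dict[str, str]]

# Constructed sample: a tagged building block and a context that drifted after the block was applied.
BUILDING_BLOCK: Config = {
    "snmp": {"community": "ro-monitor", "trap-host": "192.0.2.10"},
    "policy-maps": {"int10": "multi-match", "Example_VIP-l7slb": "loadbalance first-match"},
    "acls": {"ACL_IN 10": "permit tcp any host 10.10.10.10 eq www", "ACL_IN 20": "deny ip any any"},
}
CONTEXT: Config = {
    "snmp": {"community": "public", "trap-host": "192.0.2.10"},  # community changed on the device
    "policy-maps": {"int10": "multi-match", "Example_VIP-l7slb": "loadbalance first-match",
                    "int11": "multi-match"},                      # int11 added on the device
    "acls": {"ACL_IN 10": "permit tcp any host 10.10.10.10 eq www"},  # ACL_IN 20 deleted on the device
}


def audit_building_block(building_block: Config, context: Config) -> Dict[str, Dict[str, List[str]]]:
    """Return discrepancies grouped by category, the way the results tree groups them."""
    results: Dict[str, Dict[str, List[str]]] = {}
    for category in sorted(set(building_block) | set(context)):
        bb = building_block.get(category, {})
        ctx = context.get(category, {})
        changed = sorted(k for k in bb if k in ctx and bb[k] != ctx[k])  # nc: present in both, value differs
        deleted = sorted(k for k in bb if k not in ctx)                   # nd: in building block, not in context
        added = sorted(k for k in ctx if k not in bb)                     # na: in context, not in building block
        if changed or deleted or added:
            results[category] = {"changed": changed, "deleted": deleted, "added": added}
    return results


def summary_label(results: Dict[str, Dict[str, List[str]]]) -> str:
    """Render the counts in the 'nc nd na' form shown beside All, for example '2c 5d 3a'."""
    totals = {kind: sum(len(r[kind]) for r in results.values())
              for kind in ("changed", "deleted", "added")}
    return f"{totals['changed']}c {totals['deleted']}d {totals['added']}a"


def category_labels(results: Dict[str, Dict[str, List[str]]]) -> Dict[str, str]:
    """Per-category labels, as shown on each folder of the results tree."""
    return {cat: summary_label({cat: r}) for cat, r in results.items()}


if __name__ == "__main__":
    res = audit_building_block(BUILDING_BLOCK, CONTEXT)
    print("All", summary_label(res))
    for cat, label in category_labels(res).items():
        print(" ", cat, label)
        for kind in ("changed", "deleted", "added"):
            for item in res[cat][kind]:
                print("   ", kind, item)
```

Run as a script, the example lists the SNMP community as changed, the second ACL entry as deleted, and the extra multi-match policy map as added, with the overall label 1c 1d 1a.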
Related Topics
• Configuring Virtual Contexts, page 6-8
• Managing Virtual Contexts, page 6-103
• Using Configuration Building Blocks, page 16-1
Managing Virtual Contexts
You can perform the following administrative actions on virtual contexts.
This section includes the following topics:
• Displaying All Virtual Contexts, page 6-103
• Synchronizing Virtual Context Configurations, page 6-105
• Managing Syslog Settings for Autosynchronization, page 6-105
• Editing Virtual Contexts, page 6-106
• Deleting Virtual Contexts, page 6-107
• Upgrading Virtual Contexts, page 6-107
• Restarting Virtual Context Polling, page 6-108
• Comparing Context and Building Block Configurations, page 6-101
Displaying All Virtual Contexts
You can display some or all virtual contexts being managed by ANM.
Procedure
Step 1 Choose Config > Devices > All VC.
The All Virtual Contexts table appears with the information described in Table 6-25.
Table 6-25 All Virtual Contexts Table
Field Description
Name Context name including chassis and slot.
Resource Class Resource class applied to the context.
Management IPs List of IP addresses used for remote management of the context.
Building Block Configuration building block applied to the context.
CLI Sync Status Administrative configuration status of the context as follows:
• Import Failed—The context did not import successfully. This problem could have occurred
when the device was added to ANM or when the context was synchronized. Synchronize the
context so that you can manage it (Config > Devices > ACE > context > Sync).
• OK—The context is synchronized with the ACE CLI.
• Out of Sync—The context is managed by the ANM but the configuration for the context on the
device differs from the configuration managed by the ANM. For information on synchronizing
contexts, see the “Synchronizing Virtual Context Configurations” section on page 6-105.
• Unprovisioned—The context has been removed from the ACE using the CLI but has not been
removed from ANM. To remove unprovisioned contexts, synchronize the associated Admin
context.
Last CLI Sync Status Change Time stamp of the last CLI synchronization with ANM.
ACE HA State High availability state of the context. If the context is configured for high availability, the current
state of the context with regard to high availability:
• Active—The context is actively processing flows for the HA pair.
• Standby Cold—Either the fault-tolerant VLAN is down, but the peer ACE is still alive, or the
configuration or application state synchronization failed.
• Standby Bulk—The context is waiting to receive information from its active peer context.
• Standby Hot—The context has all the state information that it needs to statefully assume the
active state if a switchover occurs.
• Standby Warm—Allows the configuration and state synchronization process to continue on a
best-effort basis when you upgrade or downgrade the ACE software.
ACE HA Peer Identifier of the ACE high availability peer.
ACE HA Peer State Current state of the context with regard to high availability on the ACE peer. See the states listed
for the ACE HA State field.
Polling Status Current polling status of the context:
• Missing SNMP Credentials—SNMP credentials are not configured for this virtual context;
statistics are not collected. Add SNMPv2c credentials to fix this error.
• Not Polled—SNMP polling has not started. This problem might occur when the virtual context
is first created from ANM and the SNMP credentials are not configured. Add SNMPv2c
credentials to fix this error.
• Not Supported—This status appears at the device level only and applies to Catalyst 6500 series
chassis, Cisco 7600 series routers, and ACE appliances.
• Polling Failed—SNMP polling failed due to some internal error. Try restarting polling to
enable SNMP collection again.
• Polling Started—No action is required. Everything is working properly. Polling states will
display activity.
• Polling Timed Out—SNMP polling has timed out. This problem might occur if the wrong
credentials were configured or might be caused by an internal error (such as SNMP was
configured incorrectly or the destination is not reachable). Verify that SNMP credentials are
correct. If the problem persists, restart polling to enable SNMP collection again.
• Unknown—SNMP polling is not working due to one of the above-mentioned conditions. Check
the SNMPv2c credential configuration.
Step 2 Use the object selector to view all virtual contexts or only those contexts on a specific device.
Related Topics
• Restarting Virtual Context Polling, page 6-108
• Enabling Polling on All Devices, page 17-47
• Synchronizing Virtual Context Configurations, page 6-105
Synchronizing Virtual Context Configurations
You can synchronize the configurations for a virtual context. ANM allows you to synchronize the
configuration information residing on an ACE with the configuration information maintained by the
ANM server for the same device. When ANM synchronizes a context, it uploads the configuration from
the device to the ANM server. In accordance with your role-based permission level, the ANM Status bar
displays the number of virtual contexts that are not synchronized with the ACE CLI against the total
number of virtual contexts and the number of failed synchronization attempts.
You should synchronize contexts for the following reasons:
• You configure the ACE directly via the CLI instead of using the ANM interface. The CLI Sync
Status is Out of Sync in the Virtual Contexts table (Config > Devices > ACE) if the configurations
for a virtual context differ.
• A context has been removed from the ACE using the CLI, reflected by the CLI Sync Status
Unprovisioned in the Virtual Contexts table. In this situation, you need to synchronize the Admin
context to remove the unprovisioned context.
• A context has not successfully been imported into ANM during discovery or a Sync operation,
reflected by the CLI Sync Status Import Failed in the Virtual Contexts table. In this situation, you
need to synchronize the context before you can modify its configuration.
• You recently installed or uninstalled a license on an ACE using either ANM or the CLI. Synchronize
the Admin context of the ACE with the CLI.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose either All VC or the ACE with the virtual context configuration that you want
to synchronize.
The Virtual Contexts table appears.
Step 3 In the Virtual Contexts table, choose the virtual context with the configuration that you want to
synchronize, and click CLI Sync.
The verification popup window appears, asking you to verify the synchronization request.
Step 4 In the verification popup window, click Yes.
Synchronization begins and the Virtual Contexts table refreshes when synchronization is complete.
Related Topics
• Configuring Auto Sync Settings, page 18-61
• Editing Virtual Contexts, page 6-106
• Restarting Virtual Context Polling, page 6-108
• Comparing Context and Building Block Configurations, page 6-101
Managing Syslog Settings for Autosynchronization
You can configure ANM to receive syslog messages for a virtual context.
Setting autosynchronization to occur upon receipt of a device syslog message allows a faster, more
streamlined synchronization process between ANM and any out-of-band configuration changes. Instead
of waiting the default polling period, ANM will synchronize when a syslog message is received if Setup
Syslog for Autosync is enabled.
Procedure
Step 1 Choose Config > Devices > Virtual Context Management > Setup Syslog for Autosync.
The Setup Syslog for Autosync window appears.
Step 2 In the Setup Syslog for Autosync window, choose either All VC or the ACE with the virtual context
configuration that you want to receive Autosync syslog messages.
Step 3 Click Setup Syslog.
A progress bar window appears.
A checkbox with a checkmark appears in the Setup Syslog for Autosync? column for each virtual context
and ACE device you checked.
Step 4 Click the Setup Syslog button.
The following CLI commands are sent to the enabled devices:
logging enable
logging trap 2
logging device-id string /Admin
logging host udp/514
logging message 111008 level 2
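The following is an added example, not part of the ANM user guide or of the ANM product, that simulates what the commands above achieve on the device side and on the receiving side: with logging trap 2 only messages of severity 0 through 2 reach the syslog host, and logging message 111008 level 2 re-rates the configuration-change message so that it passes that filter and can trigger a synchronization. The exact text layout of an ACE syslog line, the use of the device-id string as a prefix, the 999001/999002 message numbers, and the sample lines are constructed assumptions; only message 111008 and the trap level come from the guide.

```python
"""Simulate ACE syslog trap filtering and the ANM-side autosync trigger for message 111008."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TRAP_LEVEL = 2                 # logging trap 2: forward severities 0 (emergencies) through 2 (critical)
CONFIG_CHANGE_MSG_ID = 111008  # message generated when a user executes a configuration command
LEVEL_OVERRIDES: Dict[int, int] = {CONFIG_CHANGE_MSG_ID: 2}  # logging message 111008 level 2

# Assumed line layout (constructed for this example): "<device-id> %ACE-<severity>-<msgid>: <text>"
SYSLOG_RE = re.compile(r"^(?P<device_id>\S+) %ACE-(?P<severity>[0-7])-(?P<msg_id>\d{6}): (?P<text>.+)$")


@dataclass(frozen=True)
class AceSyslog:
    device_id: str
    severity: int
    msg_id: int
    text: str


def parse_line(line: str) -> Optional[AceSyslog]:
    """Parse one syslog line; return None for lines that do not match the assumed layout."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    return AceSyslog(m["device_id"], int(m["severity"]), int(m["msg_id"]), m["text"])


def effective_severity(msg: AceSyslog, overrides: Dict[int, int] = LEVEL_OVERRIDES) -> int:
    """Severity after any 'logging message <id> level <n>' override is applied."""
    return overrides.get(msg.msg_id, msg.severity)


def is_trapped(msg: AceSyslog, trap_level: int = TRAP_LEVEL,
               overrides: Dict[int, int] = LEVEL_OVERRIDES) -> bool:
    """A message is sent to the syslog host when its effective severity is at or below the trap level."""
    return effective_severity(msg, overrides) <= trap_level


def forward_to_host(lines: List[str], trap_level: int = TRAP_LEVEL,
                    overrides: Dict[int, int] = LEVEL_OVERRIDES) -> List[AceSyslog]:
    """Messages the device would actually deliver to the configured udp/514 host."""
    delivered = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None and is_trapped(msg, trap_level, overrides):
            delivered.append(msg)
    return delivered


def autosync_triggers(received: List[AceSyslog]) -> Set[str]:
    """Device ids for which a received 111008 message should start a CLI synchronization."""
    return {m.device_id for m in received if m.msg_id == CONFIG_CHANGE_MSG_ID}


# Constructed sample lines: a configuration change, an informational message, an alert, and noise.
SAMPLE_LINES = [
    "/Admin %ACE-5-111008: User 'admin' executed the 'interface vlan 10' command.",
    "/Admin %ACE-6-999001: constructed informational message",
    "/Admin %ACE-1-999002: constructed alert-level message",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    delivered = forward_to_host(SAMPLE_LINES)
    print("delivered:", [m.msg_id for m in delivered])
    print("contexts to synchronize:", autosync_triggers(delivered))
    print("without the level override:", [m.msg_id for m in forward_to_host(SAMPLE_LINES, overrides={})])
```

The point the simulation makes is that the severity override is what makes autosync work: at its default severity the 111008 message never passes a trap level of 2, so ANM would fall back to waiting for the polling period.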
Related Topics
• Synchronizing Virtual Context Configurations, page 6-105
• Restarting Virtual Context Polling, page 6-108
Editing Virtual Contexts
You can modify the configuration of an existing virtual context.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the virtual context, then choose the configuration attributes that you want to
modify.
For information on configuration options, see the “Configuring Virtual Contexts” section on page 6-8.
Step 3 Do one of the following:
• Click OK to save your entries.
• Click Cancel to exit the procedure without saving your entries.
Related Topics
• Information About Virtual Contexts, page 6-2
• Configuring Virtual Contexts, page 6-8
Deleting Virtual Contexts
You can remove an existing virtual context.
Note If you remove a virtual context using the CLI, the CLI Sync Status for the virtual context appears as
Unprovisioned in the Virtual Contexts table (Config > Devices > ACE). To remove the unprovisioned
virtual context from the ANM, either synchronize the Admin virtual context (see the “Synchronizing
Virtual Context Configurations” section on page 6-105) or delete the virtual context by selecting the
virtual context, then clicking Delete.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the virtual context that you want to configure, and click Delete in either the
device pane or the configuration pane.
A confirmation popup window appears, asking you to confirm the deletion.
Step 3 Do one of the following:
• Click OK to delete the selected context. The device tree refreshes and the deleted context no longer
appears.
• Click Cancel to exit this procedure and to retain the selected context.
Related Topics
• Configuring Virtual Contexts, page 6-8
• Comparing Context and Building Block Configurations, page 6-101
Upgrading Virtual Contexts
You can apply a different resource class, configuration building block, or VLAN to a virtual context.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the virtual context that you want to upgrade, and choose System > Primary
Attributes.
The Edit Virtual Context window appears.
Step 3 In the Resource Class field of the Edit Virtual Context window, choose the resource class that you want
to apply to the context.
Note If you attempt to apply a resource class that could consume the resources required to maintain
IP connectivity to the Admin context, you will see an error message and the resource class will
not be applied. We recommend that you first apply a resource class to the Admin context that
will prevent its resources from being allocated to other contexts. For more information, see the
“Resource Allocation Constraints” section on page 6-44.
Step 4 In the Tagged Building Block To Apply field, choose the building block to apply to this virtual context.
Step 5 In the Allocate-Interface VLANs field, enter the number of a VLAN or a range of VLANs so that the
context can receive the associated traffic.
You can specify VLANs as follows:
• For a single VLAN, enter an integer from 2 to 4096.
• For multiple, nonsequential VLANs, use comma-separated entries, such as 101,201,302.
• For a range of VLANs, enter the first and last VLAN numbers separated by a hyphen, such as 101-150.
Note You cannot modify VLANs in an Admin context.
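The following is an added example, not part of the ANM user guide or of the ANM product, that parses and validates the VLAN notation described in Step 5 (a single VLAN, comma-separated VLANs, or a hyphenated range, and mixtures of these) against the 2 to 4096 limit the guide states, and renders a list of VLAN IDs back into the same notation. The function names and the acceptance of mixed comma-and-range input are assumptions.

```python
"""Parse and validate Allocate-Interface VLAN specifications such as '101,201,302' or '101-150'."""
from typing import List

VLAN_MIN, VLAN_MAX = 2, 4096  # range stated in the guide for a single VLAN entry


def parse_vlan_spec(spec: str) -> List[int]:
    """Return the sorted, de-duplicated VLAN IDs described by spec; raise ValueError on bad input."""
    vlans = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError(f"empty entry in VLAN specification {spec!r}")
        if "-" in token:
            low_s, _, high_s = token.partition("-")
            if not (low_s.isdigit() and high_s.isdigit()):
                raise ValueError(f"malformed VLAN range {token!r}")
            low, high = int(low_s), int(high_s)
            if low > high:
                raise ValueError(f"VLAN range {token!r} is reversed")
            ids = range(low, high + 1)
        elif token.isdigit():
            ids = [int(token)]
        else:
            raise ValueError(f"invalid VLAN entry {token!r}")
        for vlan in ids:
            if not VLAN_MIN <= vlan <= VLAN_MAX:
                raise ValueError(f"VLAN {vlan} is outside the allowed range {VLAN_MIN}-{VLAN_MAX}")
            vlans.add(vlan)
    return sorted(vlans)


def format_vlan_spec(vlans: List[int]) -> str:
    """Inverse of parse_vlan_spec: collapse consecutive IDs into ranges, e.g. [10, 20, 21, 22] -> '10,20-22'."""
    ids = sorted(set(vlans))
    parts = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


if __name__ == "__main__":
    for spec in ("101,201,302", "101-150", "10, 20-22", "1", "150-101", "10-"):
        try:
            print(spec, "->", format_vlan_spec(parse_vlan_spec(spec)))
        except ValueError as err:
            print(spec, "-> rejected:", err)
```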
Step 6 In the Description field, enter a brief description for this context.
Step 7 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
The window refreshes with updated information.
To exit this procedure without saving your entries, choose another item in the menu bar or device tree.
A popup window appears, confirming that you have not saved your entries.
Related Topics
• Information About Virtual Contexts, page 6-2
• Configuring Virtual Contexts, page 6-8
Restarting Virtual Context Polling
You can restart monitoring and enable SNMP collection on a single context that has stopped or failed to
start.
Note To restart polling and enable SNMP collection on all virtual contexts, choose Monitor > Settings >
Global Polling Configuration, and configure global polling attributes using the information in the
“Enabling Polling on All Devices” section on page 17-47.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the ACE associated with the virtual context with stopped or failed polling.
The Virtual Contexts table appears.
Step 3 In the Virtual Contexts table, choose the context with the stopped or failed polling, and click Restart
Polling.
If the ANM cannot monitor the selected context, it displays an error message stating the reason.
Related Topics
• Information About Virtual Contexts, page 6-2
• Configuring Virtual Contexts, page 6-8
• Enabling Polling on All Devices, page 17-47
Chapter 7
Configuring Virtual Servers
Date: 3/28/12
This chapter describes how to configure virtual servers for load balancing on the Cisco Application
Control Engine (ACE) using Cisco Application Networking Manager (ANM).
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Information About Load Balancing, page 7-1
• Configuring Virtual Servers, page 7-2
• Managing Virtual Servers, page 7-66
• Deploying Virtual Servers, page 7-86
Information About Load Balancing
Server load balancing (SLB) is the process of deciding to which server a load balancer should send a
client request for service. For example, a client request can consist of an HTTP GET for a web page or
an FTP GET to download a file. The load balancer selects the server that can successfully fulfill the client
request and in the shortest amount of time without overloading either the server or the server farm as a
whole.
Depending on the load-balancing algorithm or predictor that you configure, the ACE performs a series
of checks and calculations to determine the server that can best service each client request. The ACE
bases server selection on several factors, including the server with the fewest connections with respect
to load, source or destination address, cookies, URLs, or HTTP headers.
ANM allows you to configure load balancing using:
• Virtual servers—See Configuring Virtual Servers, page 7-2.
• Real servers—See Configuring Real Servers, page 8-5.
• Server farms—See Configuring Server Farms, page 8-30.
• Predictor methods—See Configuring the Predictor Method for Server Farms, page 8-39
• Health probes—See Configuring Health Monitoring for Real Servers, page 8-51
• Sticky groups—See Configuring Sticky Groups, page 9-7.
• Parameter maps—See Configuring Parameter Maps, page 10-1.
Configuring Virtual Servers
In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to
appear as one for load-balancing purposes. A virtual server is bound to physical services running on real
servers in a server farm and uses IP address and port information to distribute incoming client requests
to the servers in the server farm according to a specified load-balancing algorithm.
You use class maps to configure a virtual server address and definition. The load-balancing predictor
algorithms (for example, round-robin, least connections, and so on) determine the servers to which the
ACE sends connection requests.
This section includes the following topics:
• Virtual Server Configuration and ANM, page 7-2
• Information About Using ANM to Configure Virtual Servers, page 7-4
• Virtual Server Usage Guidelines, page 7-5
• Virtual Server Testing and Troubleshooting, page 7-6
• Virtual Server Configuration Procedure, page 7-7
Virtual Server Configuration and ANM
This section identifies the constraints and framework used by ANM for virtual server configuration.
In ANM, a virtual server has the following attributes:
• A single Layer 3/Layer 4 match condition
You can specify only a single IP address (or single IP address range if an IPv4 netmask or IPv6
prefix length is used), with only a single port (or port range). A single match condition greatly
simplifies and aids virtual server configuration.
Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
• A default Layer 7 action
• A Layer 7 policy map
• A Layer 3/Layer 4 class map
• A single multimatch policy map, a class-map match, and an action
Virtual server attributes also include the following:
• The virtual server multimatch policy map is associated with an interface or is global.
• The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.
Example 7-1 shows the minimum configuration statements required for a virtual server.
Example 7-1 Minimum Configuration Required for a Virtual Server
IPv4 Configuration
class-map match-all Example_VIP
  2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
  class class-default
    forward
policy-map multi-match int10
  class Example_VIP
    loadbalance policy Example_VIP-l7slb
interface vlan 10
  ip address 192.168.65.37 255.255.255.0
  service-policy input int10
  no shutdown
IPv6 Configuration (Requires ACE module and ACE appliance software Version A5(1.0) or later)
class-map match-all Example2_VIP
  2 match virtual-address 2001:DB8:10::5 tcp eq www
policy-map type loadbalance first-match Example2_VIP-l7slb
  class class-default
    forward
policy-map multi-match int11
  class Example2_VIP
    loadbalance policy Example2_VIP-l7slb
interface vlan 10
  ip address 2001:DB8:10::21/64
  service-policy input int11
  no shutdown
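The following is an added example, not part of the ANM user guide or of the ANM product, that reads the minimum virtual server configuration of Example 7-1 and checks that the chain the example relies on is complete: every class referenced by a multi-match policy map is a defined class map, every loadbalance policy it references is defined, every service-policy applied to an interface is a defined multi-match policy map, the interface has an address and is not shut down, and every VIP class map is actually applied to an interface. The parser handles only the statements used in Example 7-1, and the broken variant it is tested against (a misspelled loadbalance policy name and a missing no shutdown) is constructed.

```python
"""Check that an ACE virtual server configuration's class-map / policy-map / interface references resolve."""
from typing import Dict, List

# IPv4 configuration from Example 7-1 in the guide.
EXAMPLE_7_1_IPV4 = """\
class-map match-all Example_VIP
  2 match virtual-address 10.10.10.10 tcp eq www
policy-map type loadbalance first-match Example_VIP-l7slb
  class class-default
    forward
policy-map multi-match int10
  class Example_VIP
    loadbalance policy Example_VIP-l7slb
interface vlan 10
  ip address 192.168.65.37 255.255.255.0
  service-policy input int10
  no shutdown
"""

# Constructed broken variant: misspelled loadbalance policy reference and the interface left shut down.
BROKEN_CONFIG = (EXAMPLE_7_1_IPV4
                 .replace("loadbalance policy Example_VIP-l7slb", "loadbalance policy Example_VIP-slb")
                 .replace("  no shutdown\n", ""))


def parse_ace_config(text: str) -> Dict[str, dict]:
    """Collect the objects and references we need; blocks are detected by indentation."""
    cfg: Dict[str, dict] = {"class_maps": {}, "lb_policies": set(), "mm_policies": {}, "interfaces": {}}
    kind = name = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if not raw[0].isspace():  # top-level statement opens a new block
            if tokens[0] == "class-map":
                kind, name = "class-map", tokens[-1]
                cfg["class_maps"][name] = {"vip": False}
            elif tokens[:3] == ["policy-map", "type", "loadbalance"]:
                kind, name = "lb", tokens[-1]
                cfg["lb_policies"].add(name)
            elif tokens[:2] == ["policy-map", "multi-match"]:
                kind, name = "mm", tokens[-1]
                cfg["mm_policies"][name] = []  # list of {"class": ..., "lb": ...}
            elif tokens[0] == "interface":
                kind, name = "if", " ".join(tokens[1:])
                cfg["interfaces"][name] = {"ip": False, "service_policy": None, "up": False}
            else:
                kind = name = None
            continue
        if kind == "class-map":
            if tokens[0].isdigit():  # class-map entries carry a leading line number, e.g. "2 match ..."
                tokens = tokens[1:]
            if tokens[:2] == ["match", "virtual-address"]:
                cfg["class_maps"][name]["vip"] = True
        elif kind == "mm":
            if tokens[0] == "class":
                cfg["mm_policies"][name].append({"class": tokens[1], "lb": None})
            elif tokens[:2] == ["loadbalance", "policy"] and cfg["mm_policies"][name]:
                cfg["mm_policies"][name][-1]["lb"] = tokens[2]
        elif kind == "if":
            iface = cfg["interfaces"][name]
            if tokens[:2] == ["ip", "address"]:
                iface["ip"] = True
            elif tokens[:2] == ["service-policy", "input"]:
                iface["service_policy"] = tokens[2]
            elif tokens == ["no", "shutdown"]:
                iface["up"] = True
    return cfg


def check_virtual_server_config(text: str) -> List[str]:
    """Return a list of problems; an empty list means the minimum chain is complete."""
    cfg = parse_ace_config(text)
    problems: List[str] = []
    applied_classes = set()
    for pname, entries in cfg["mm_policies"].items():
        for entry in entries:
            if entry["class"] != "class-default" and entry["class"] not in cfg["class_maps"]:
                problems.append(f"policy-map multi-match {pname}: class {entry['class']} is not a defined class-map")
            if entry["lb"] is not None and entry["lb"] not in cfg["lb_policies"]:
                problems.append(f"policy-map multi-match {pname}: loadbalance policy {entry['lb']} is not defined")
    for ifname, iface in cfg["interfaces"].items():
        sp = iface["service_policy"]
        if sp is None:
            continue
        if sp not in cfg["mm_policies"]:
            problems.append(f"interface {ifname}: service-policy {sp} is not a multi-match policy-map")
            continue
        applied_classes.update(e["class"] for e in cfg["mm_policies"][sp])
        if not iface["ip"]:
            problems.append(f"interface {ifname}: no ip address configured")
        if not iface["up"]:
            problems.append(f"interface {ifname}: interface is shut down")
    for cname, cmap in cfg["class_maps"].items():
        if cmap["vip"] and cname not in applied_classes:
            problems.append(f"class-map {cname}: VIP is not applied to any interface through a multi-match policy")
    return problems


if __name__ == "__main__":
    print("Example 7-1:", check_virtual_server_config(EXAMPLE_7_1_IPV4) or "ok")
    print("broken variant:", check_virtual_server_config(BROKEN_CONFIG))
```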
Note the following items regarding the ANM and virtual servers:
• Additional configuration options
The Virtual Server configuration window allows you to configure additional items for a functional
VIP. These items include server farms, sticky groups, real servers, probes, parameter maps,
inspection, class maps, and inline match conditions. Because too many items on a window can be
overwhelming, not all configuration options appear on the Virtual Server configuration window,
such as sticky statics or backup real servers. These options are available elsewhere in the ANM
interface instead of on the Virtual Server configuration window.
• Configuration options and roles
To support and maintain the separation of roles, some objects cannot be configured using the Virtual
Server configuration window. These objects include SSL certificates, SSL keys, NAT pools,
interface IP addresses, and ACLs. Providing these options as separate configuration options in the
ANM interface ensures that a user who can view or modify virtual servers or aspects of virtual
servers cannot create or delete virtual servers.
• Changes to virtual servers using the CLI or Expert options can prevent further modifications
in the Virtual Server configuration window
If you create a virtual server using the Virtual Server configuration window, modify it using the CLI
or Expert options (Config > Devices > Expert), and then attempt to modify it again using the Virtual
Server configuration window, error messages will be displayed and you will not be able to modify
the virtual server.
• Changes to the virtual server IP address type are not allowed
When creating a virtual server, you choose whether to use the IPv4 or IPv6 address type. You cannot
change the IP address type of an existing virtual server. If you need to change the IP address type,
you must create a new virtual server.
Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
Related Topics
• Configuring Virtual Servers, page 7-2
• Information About Using ANM to Configure Virtual Servers, page 7-4
• Virtual Server Usage Guidelines, page 7-5
• Virtual Server Testing and Troubleshooting, page 7-6
• Virtual Server Configuration Procedure, page 7-7
Information About Using ANM to Configure Virtual Servers
Follow these guidelines when using ANM to configure virtual servers:
• Virtual server configuration windows
The ANM Virtual Server configuration windows are designed to aid you in configuring virtual
servers by presenting configuration options that are relevant to your choices. For example, the
protocols that you select in the Properties configuration subset determine the other configuration
subsets that appear.
• Use the virtual server configuration method that suits you
The ANM Virtual Server configuration windows simplify the process of creating, modifying, and
deploying virtual servers by displaying those options that you are most likely to use. In addition, as
you specify attributes for a virtual server, such as protocols, the interface refreshes with related
configuration options, such as Protocol Inspection or Application Acceleration and Optimization,
which speeds virtual server configuration and deployment.
While Virtual Server configuration windows remove some configuration complexities, they have a
few constraints that the Expert configuration options do not. If you are comfortable using the CLI,
you can use the Expert options (such as Config > Devices > context > Expert > Class Maps or Policy
or Config > Devices > context > Load Balancing > Parameter Maps) to configure more complex
attributes of virtual servers, traffic policies, and parameter maps.
• Synchronizing virtual server configurations
If you configure a virtual server using the CLI and then use the Sync option (Config > Devices >
ACE > Sync) to synchronize configurations, the configuration that appears in ANM for the virtual
server might not display all configuration options for that virtual server. The configuration that
appears in ANM depends on a number of items, such as the protocols configured in class maps or
the rules defined for policy maps.
For example, if you configure a virtual server on the CLI that includes a class map that can match
any protocol, you will not see the virtual server Application Acceleration and Optimization
configuration subset in ANM.
• Modifying shared objects
Modifying an object that is used by multiple virtual servers, such as a server farm, real server, or
parameter map, could impact the other virtual servers. See the “Shared Objects and Virtual Servers”
section on page 7-9 for more information about modifying objects used by multiple virtual servers.
Related Topics
• Configuring Virtual Servers, page 7-2
• Virtual Server Configuration and ANM, page 7-2
• Virtual Server Usage Guidelines, page 7-5
• Virtual Server Testing and Troubleshooting, page 7-6
• Virtual Server Configuration Procedure, page 7-7
Virtual Server Usage Guidelines
The Virtual Server configuration window provides you with numerous configuration options. However,
instead of setting every option in one pass, configure your virtual server in stages. The first stage should
always be to establish basic “pass through” connectivity with simple load balancing and include minimal
additional features. This level of setup should verify that ports, VLANs, interfaces, SSL termination (if
applicable), and real servers have been set up properly, enabling basic connectivity.
After you establish this level of connectivity, additional virtual server features will be easier to configure
and troubleshoot.
Common features to add to a working basic virtual server include:
• Health monitoring probes
• Session persistence (sticky)
• Additional real servers to a server farm
• Application protocol inspection
• Application acceleration and optimization (ACE appliance only)
Table 7-1 identifies and describes virtual server configuration subsets with links to related topics for
configuration information.
Related Topics
• Configuring Virtual Servers, page 7-2
• Virtual Server Configuration and ANM, page 7-2
• Virtual Server Testing and Troubleshooting, page 7-6
• Virtual Server Configuration Procedure, page 7-7
Virtual Server Testing and Troubleshooting
As outlined in the “Virtual Server Usage Guidelines” section on page 7-5, first set up a basic virtual
server that only enables connectivity and simple load balancing, such as round-robin between two real
servers. Next, use a client, such as a web browser, to send a request from the client network to the virtual
server's VIP address. If the request is successful, you can now make changes or add virtual server
features.
If the request is not successful, begin virtual server troubleshooting as outlined in the following
sequence:
1. Wait and retry your request after a minute or two, especially if the existing ACE configuration is
large. It can take seconds or even minutes for configuration changes to affect how traffic is handled
by ACE.
2. Click the Details button in the lower right of the Virtual Server page. The Details button displays
the output of the show service-policy CLI command.
3. Verify that the VIP State in the show service-policy CLI command output is INSERVICE. If the
VIP state is not INSERVICE, this may indicate the following:
– The virtual server has been manually disabled in the configuration.
– The real servers are all unreachable from ACE or manually disabled. If all of a virtual server's
real servers are out of service due to one of those reasons, the virtual server itself will be marked
Out Of Service.
4. Verify the Hit Count in the show service-policy CLI command output. Hit Count shows the number
of requests received by ACE. This value should increase for each request attempted by your client.
If the hit count does not increase with each request, this indicates that the request is not reaching
your virtual server configuration.
This could be a problem with:
– A physical connection.
– VLAN or VLAN interface configuration.
– Missing or incorrect ACL applied to the client interface.
– Incorrect IP address (that is, a VIP that is not valid on the selected VLANs for the virtual server,
or a VIP that is not accessible to your client).
If the Hit Count value increases but no response is received (Server Pkt Count does not increase),
the problem is more likely to be in the connectivity between the ACE and the backend real servers.
This issue is typically caused by one or more of the following problems:
– You are working on a one-armed configuration (that is, do not plan to change routing for your
real servers) and have not selected an appropriate NAT pool for your virtual server to use with
source NAT.
– A different routing problem (for example, server traffic does not know how to get back to the
ACE).
– Addressing problem (for example, you have an incorrect real server address, or the real server
is not accessible to ACE due to network topology).
Note Hit count can increase by more than one, even if you make only a single request from your web
browser, because retrieving a typical web page makes many requests from the client to the server.
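The decision sequence above (VIP State first, then Hit Count, then Server Pkt Count) can be applied mechanically to two counter snapshots taken before and after a single client request. The following Python helper is an added example, not part of this guide or of the ACE or ANM software. The snapshots it parses are constructed, simplified "Name: value" excerpts that carry only the three values the sequence relies on; they are not the exact layout of the show service-policy output, which you would adapt the regular expression to.

```python
import re
from dataclasses import dataclass, field

# Constructed, simplified counter excerpts used only to exercise the triage
# logic.  They are NOT the exact layout of the ACE "show service-policy"
# output; they carry just the three values the troubleshooting sequence
# relies on, in "Name: value" form.
SNAPSHOT_BEFORE = """\
VIP State: INSERVICE
Hit Count: 120
Server Pkt Count: 118
"""

# Hypothetical snapshot after the client sent one more page request:
# hits went up, but nothing reached the back end.
SNAPSHOT_NO_BACKEND = """\
VIP State: INSERVICE
Hit Count: 131
Server Pkt Count: 118
"""

SNAPSHOT_OUT_OF_SERVICE = """\
VIP State: OUTOFSERVICE
Hit Count: 120
Server Pkt Count: 118
"""

_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)\s*$")
_REQUIRED = ("vip_state", "hit_count", "server_pkt_count")


def parse_counters(text):
    """Extract VIP State, Hit Count and Server Pkt Count from a snapshot."""
    found = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key = m.group(1).strip().lower().replace(" ", "_")
        value = m.group(2)
        found[key] = int(value) if value.isdigit() else value.upper()
    missing = [k for k in _REQUIRED if k not in found]
    if missing:
        raise ValueError(f"snapshot is missing {missing}")
    return found


@dataclass
class Verdict:
    code: str                # which branch of the troubleshooting sequence fired
    hits_delta: int          # change in Hit Count between the two snapshots
    server_pkts_delta: int   # change in Server Pkt Count between the two snapshots
    causes: list = field(default_factory=list)


def triage(before_text, after_text):
    """Apply the guide's decision sequence to snapshots taken before and
    after a single client request to the VIP."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    hits = after["hit_count"] - before["hit_count"]
    pkts = after["server_pkt_count"] - before["server_pkt_count"]

    # Step 3: the VIP must be INSERVICE before traffic counters mean anything.
    if after["vip_state"] != "INSERVICE":
        return Verdict("vip-not-inservice", hits, pkts, [
            "virtual server manually disabled in the configuration",
            "all real servers unreachable from ACE or manually disabled",
        ])
    # Step 4: no new hits means the request never reached the virtual server.
    # One browser request legitimately adds several hits, so only a zero
    # (or negative, e.g. counters cleared) delta counts as a failure.
    if hits <= 0:
        return Verdict("request-not-reaching-vip", hits, pkts, [
            "physical connection",
            "VLAN or VLAN interface configuration",
            "missing or incorrect ACL applied to the client interface",
            "incorrect VIP (not valid on the selected VLANs, or not reachable by the client)",
        ])
    # Hits rose but nothing went to the real servers: look at the back end.
    if pkts <= 0:
        return Verdict("no-backend-response", hits, pkts, [
            "one-armed configuration without a NAT pool selected for source NAT",
            "routing problem (server traffic cannot find its way back to the ACE)",
            "addressing problem (wrong real server address, or real server not reachable from ACE)",
        ])
    return Verdict("ok", hits, pkts)


if __name__ == "__main__":
    for label, after in (("no-backend", SNAPSHOT_NO_BACKEND),
                         ("out-of-service", SNAPSHOT_OUT_OF_SERVICE)):
        v = triage(SNAPSHOT_BEFORE, after)
        print(label, v.code, v.hits_delta, v.server_pkts_delta, v.causes)
```

Take the "before" snapshot, send exactly one request from the client network, take the "after" snapshot, and feed both to triage(); the returned causes are the candidate list from the matching step above, so the function only narrows where to look, it does not replace checking the configuration.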
Related Topics
• Configuring Virtual Servers, page 7-2
• Virtual Server Configuration and ANM, page 7-2
• Virtual Server Usage Guidelines, page 7-5
• Virtual Server Configuration Procedure, page 7-7
Virtual Server Configuration Procedure
You can add virtual servers to the ANM for load-balancing purposes.
Assumptions
This topic assumes the following:
• Depending on the protocol to be used for the virtual server, the required parameter maps have been defined.
• For an SSL service, the SSL certificates, keys, chain groups, and parameter maps have been configured.
Guidelines and Restrictions
ANM does not support CSM DNS virtual servers. If you create this type of virtual server, ANM issues
an error message if you attempt to use ANM to activate or suspend it.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears. For details about the information that displays, see “Displaying
Virtual Servers by Context” section on page 7-65.
Step 2 In the Virtual Servers table, click Poll Now to instruct ANM to poll the devices and display the current
values.
Step 3 Click OK when prompted if you want to poll the devices for data now.
Step 4 Click Add to add a new virtual server, or choose an existing virtual server and click Edit to modify it.
The Virtual Server configuration window appears with a number of configuration subsets. The subsets
that you see depend on whether you use the Basic View or the Advanced View and entries that you make
in the Properties subset. Change views by using the View object selector at the top of the configuration
pane.
Table 7-1 identifies and describes virtual server configuration subsets with links to related topics for
configuration information.
Note The protocols that are available depend on the ACE device that you are configuring. For a list of
the protocols available for each ACE device type, see Table 7-2.
Table 7-1 Virtual Server Configuration Subsets
Properties
  Description: Subset that allows you to specify basic virtual server characteristics, such as the
  virtual server name, IP address, protocol, port, and VLANs.
  Related Topics: Configuring Virtual Server Properties, page 7-11
SSL Termination
  Description: Subset that appears when TCP is the selected protocol and Other or HTTPS is the
  application protocol. This subset allows you to configure the virtual server to act as an SSL proxy
  server and terminate SSL sessions between it and its clients.
  Related Topics: Configuring Virtual Server SSL Termination, page 7-17
Protocol Inspection
  Description: Subset that appears in the Advanced View for:
  • TCP with FTP, HTTP, HTTPS, Real Time Streaming Protocol (RTSP), or Session Initiation Protocol (SIP)
  • UDP with Domain Name System (DNS) or SIP
  This subset appears in the Basic View for TCP with FTP. This subset allows you to configure the
  virtual server so that it can verify protocol behavior and identify unwanted or malicious traffic
  passing through the ACE on selected application protocols.
  Related Topics: Configuring Virtual Server Protocol Inspection, page 7-18
Application Acceleration And Optimization
  Description: Subset that appears only for ACE appliances. It appears in the Advanced View when HTTP
  or HTTPS is the selected application protocol. This subset allows you to configure application
  acceleration and optimization options for HTTP or HTTPS traffic.
  Related Topics: Configuring Application Acceleration and Optimization, page 7-53
L7 Load-Balancing
  Description: Subset that appears only in the Advanced View for these protocols:
  • TCP with Generic, HTTP, HTTPS, RTSP, or SIP
  • UDP with Generic, RADIUS, or SIP
  This subset allows you to configure Layer 7 load-balancing options, such as:
  • Server farms/real servers
  • Health monitoring probes
  • Stickiness
  • SSL initiation
  Related Topics: Configuring Virtual Server Layer 7 Load Balancing, page 7-30
Default L7 Load-Balancing Action
  Description: Subset that allows you to establish the default Layer 7 load-balancing actions for all
  network traffic that does not meet previously specified match conditions, including the SSL
  initiation configuration.
  Related Topics: Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50
NAT
  Description: Subset that allows you to set up Network Address Translation (NAT) for the virtual
  server.
  Related Topics: Configuring Virtual Server NAT, page 7-63
Step 5 Do one of the following:
• Click Deploy Now to deploy the configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Virtual Servers
table.
• Click Deploy Later to save your entries and apply them at a later time.
Step 6 (Optional) To display statistics and status information for an existing virtual server, from the Virtual
Servers table, choose a virtual server and click Details.
A popup window appears that displays the detailed virtual server information (see the “Displaying
Virtual Server Statistics and Status Information” section on page 7-65 for details).
Note This feature requires ACE module software Version A2(1.2), ACE appliance software Version
A3(2.1), or later versions of either software. An error displays with earlier software versions.
Related Topics
• Configuring Virtual Servers, page 7-2
• Virtual Server Configuration and ANM, page 7-2
• Virtual Server Usage Guidelines, page 7-5
• Information About Using ANM to Configure Virtual Servers, page 7-4
• Shared Objects and Virtual Servers, page 7-9
• Displaying Virtual Servers by Context, page 7-65
• Displaying Virtual Server Statistics and Status Information, page 7-65
• Managing Virtual Servers, page 7-66
• Deploying Virtual Servers, page 7-86
• Understanding Roles, page 18-6
Shared Objects and Virtual Servers
A shared object is one that is used by multiple virtual servers.
The following examples are shared objects:
• Action lists
• Class maps
• Parameter maps
• Real servers
• Server farms
• SSL services
• Sticky groups
Because these objects are shared, modifying an object’s configuration in one virtual server can impact
other virtual servers that use the same object.
Configuring Shared Objects
ANM offers the following options for shared objects in virtual server configuration windows (Config >
Devices > context > Load Balancing > Virtual Servers):
• View—Displays the object’s configuration. The window refreshes with read-only fields and the
following three buttons.
• Cancel—Closes the read-only view and returns to the previous window.
• Edit—Enables you to modify the selected object’s configuration. The window refreshes with fields
that can be modified, except for the Name field which remains read-only.
Note Before changing a shared object’s configuration, make sure that you understand the effect
of the changes on other virtual servers using the same object. As an alternative, consider
using the Duplicate option instead.
• Duplicate—Enables you to create a new object with the same configuration as the selected object.
The window refreshes with configurable fields. In the Name field, enter a unique name for the new
object, and then modify the configuration as desired. This option allows you to create a new object
without impacting other virtual servers using the same object.
Deleting Virtual Servers with Shared Objects
If you create a virtual server and include shared objects in its configuration, deleting the virtual server
does not delete the associated shared objects. This action ensures that other virtual servers using the
same shared objects are not impacted.
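The View/Edit/Duplicate choice and the deletion rule above are easier to reason about with a small model of object references. The following Python is an added example, not code from this guide or from ANM or the ACE: it computes which virtual servers an Edit of a shared object reaches, shows how Duplicate followed by rebinding one virtual server narrows that set to a single server, and lists the shared objects left behind once a virtual server is deleted, since deletion never removes them. Object kinds, names, and settings are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(eq=False)
class SharedObject:
    """One instance may be referenced by many virtual servers.
    eq=False keeps identity semantics, so `is` means "the same object"."""
    kind: str            # e.g. "server farm", "parameter map", "sticky group"
    name: str
    settings: dict = field(default_factory=dict)


@dataclass
class VirtualServer:
    name: str
    objects: list = field(default_factory=list)   # SharedObject references


class Context:
    """In-memory model of one context's virtual servers and shared objects."""

    def __init__(self):
        self.objects = {}    # (kind, name) -> SharedObject
        self.vservers = {}   # name -> VirtualServer

    def add_object(self, obj):
        key = (obj.kind, obj.name)
        if key in self.objects:
            raise ValueError(f"{obj.kind} '{obj.name}' already exists; choose a unique name")
        self.objects[key] = obj
        return obj

    def add_vserver(self, name, objects):
        for obj in objects:
            if self.objects.get((obj.kind, obj.name)) is not obj:
                raise ValueError(f"{obj.kind} '{obj.name}' is not defined in this context")
        vs = VirtualServer(name, list(objects))
        self.vservers[name] = vs
        return vs

    def users_of(self, obj):
        """Every virtual server that references obj: the set an Edit will affect."""
        return sorted(vs.name for vs in self.vservers.values()
                      if any(o is obj for o in vs.objects))

    def edit(self, obj, **changes):
        """Edit in place (the Name stays fixed); returns the affected virtual servers."""
        affected = self.users_of(obj)
        obj.settings.update(changes)
        return affected

    def duplicate(self, obj, new_name, **changes):
        """Duplicate: a new object under a unique name with the same configuration
        plus the requested changes; virtual servers using the original are untouched."""
        return self.add_object(SharedObject(obj.kind, new_name, dict(obj.settings, **changes)))

    def rebind(self, vserver_name, old, new):
        """Point one virtual server at the duplicate instead of the shared original."""
        vs = self.vservers[vserver_name]
        vs.objects = [new if o is old else o for o in vs.objects]

    def delete_vserver(self, name):
        """Deleting a virtual server never deletes the shared objects it used."""
        del self.vservers[name]

    def orphans(self):
        """Shared objects no virtual server references any more: the cleanup
        candidates that deletion leaves behind by design."""
        return sorted((k, n) for (k, n), obj in self.objects.items() if not self.users_of(obj))


def demo():
    """Constructed scenario: two virtual servers share one server farm and one parameter map."""
    ctx = Context()
    farm = ctx.add_object(SharedObject("server farm", "web-farm", {"predictor": "roundrobin"}))
    pmap = ctx.add_object(SharedObject("parameter map", "http-defaults", {"persistence": "rebalance"}))
    ctx.add_vserver("vs-web", [farm, pmap])
    ctx.add_vserver("vs-api", [farm, pmap])

    affected_by_edit = ctx.edit(farm, predictor="leastconns")       # reaches both servers
    copy = ctx.duplicate(farm, "web-farm-api", predictor="hash")    # the safe alternative
    ctx.rebind("vs-api", farm, copy)
    affected_by_copy_edit = ctx.edit(copy, predictor="leastconns")  # reaches only vs-api
    ctx.delete_vserver("vs-api")                                    # copy stays behind
    return {
        "affected_by_edit": affected_by_edit,
        "affected_by_copy_edit": affected_by_copy_edit,
        "objects_after_delete": sorted(n for _, n in ctx.objects),
        "orphans": ctx.orphans(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run users_of() on an object before choosing Edit; if it returns more than the virtual server you are working on, Duplicate plus rebind is the change that keeps the others unaffected, and orphans() is the list to review after a deletion.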
Related Topics
• Managing Virtual Servers, page 7-66
• Virtual Server Protocols by Device Type, page 7-11
• Configuring Virtual Server Properties, page 7-11
• Configuring Virtual Server SSL Termination, page 7-17
• Configuring Virtual Server Protocol Inspection, page 7-18
• Configuring Virtual Server Layer 7 Load Balancing, page 7-30
• Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50
• Configuring Application Acceleration and Optimization, page 7-53
• Configuring Virtual Server NAT, page 7-63
Virtual Server Protocols by Device Type
The protocols that are available for a virtual server depend on the ACE device that you are configuring.
Table 7-2 lists the protocols available for each device type.
Table 7-2 Virtual Server Protocols for ACE Modules and Devices
Protocol          ACE Modules   ACE Appliance
Any               X             X
TCP  FTP          X             X
     Generic      X             X
     HTTP         X             X
     HTTPS        X             X
     Other        X             X
     RTSP         X             X
     RDP          X             X
     SIP          X             X
UDP  DNS          X             X
     Generic      X             X
     Other        X             X
     RADIUS       X             X
     SIP          X             X
Related Topics
• Configuring Virtual Servers, page 7-2
• Configuring Virtual Server Properties, page 7-11
• Managing Virtual Servers, page 7-66
Configuring Virtual Server Properties
You can configure virtual server properties.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2 In the Virtual Servers table, click Poll Now to instruct ANM to poll the devices and display the current
values, and click OK when prompted if you want to poll the devices for data now.
Step 3 Click Add to add a new virtual server, or choose an existing virtual server and click Edit to modify it.
The Virtual Server configuration window appears. The Properties configuration subset is open by
default.
The fields that you see in the Properties configuration subset depend on whether you are using Advanced
View or Basic View:
• To configure Advanced View properties, go to Step 4.
• To configure Basic View properties, go to Step 5.
Step 4 In the Advanced View, configure the virtual server properties by entering the information in Table 7-3.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 7-3 Virtual Server Properties – Advanced View
Virtual Server Name
  Name for the virtual server.
IP Address Type
  Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, which
  supports IPv4 and IPv6. Choose the address type of the virtual server: IPv4 or IPv6.
Virtual IP Address
  IP address for the virtual server.
Virtual IP Mask
  (IPv4 address type only) Subnet mask to apply to the virtual server IP address.
Virtual IP Prefix Length
  (IPv6 address type only) Enter the prefix length to apply to the virtual server IP address. The
  default length for the prefix is 128. IPv6 requires ACE module and ACE appliance software Version
  A5(1.0) or later.
Transport Protocol
  Protocol that the virtual server supports:
  • Any—The virtual server is to accept connections using any IP protocol.
  • TCP—The virtual server is to accept connections that use TCP.
  • UDP—The virtual server is to accept connections that use UDP.
Application Protocol
  Field that appears if TCP or UDP is selected. The application protocols that are available depend
  on the type of ACE being configured.
  Choose the application protocol to be supported by the virtual server. Table 7-2 identifies the
  available protocols for each ACE device type.
  Note This field is read-only if you are editing an existing virtual server. ANM does not allow
  changes between protocols that require a change to the Layer 7 server load-balancing policy map.
  You need to delete the virtual server and create a new one with the desired application protocol.
Port
  Field that appears for any TCP or UDP protocol.
  Enter the port to be used for the specified protocol. Valid entries are from 0 to 65535 or a range
  of integers, such as 10-20. Enter 0 (zero) to indicate all ports.
  For a complete list of protocols and ports, see the Internet Assigned Numbers Authority available at
  www.iana.org/numbers/
All VLANs
  Check box that enables support of incoming traffic from all VLANs. Uncheck the check box to
  support incoming traffic from specific VLANs only.
VLAN
  Field that appears if the All VLANs check box is unchecked.
  In the Available Items list, choose the VLANs to use for incoming traffic, and click Add. The
  items appear in the Selected Items list.
  To remove VLANs, choose them in the Selected Items list, and click Remove. The items appear in
  the Available Items list.
  Note You cannot change the VLAN for a virtual server once it is specified. Instead, delete the
  virtual server and create a new one with the desired VLAN.
Connection Parameter Maps
  Field that appears if TCP is the selected protocol.
  Choose an existing connection parameter map or click *New* to create a new one as follows:
  • If you chose an existing parameter map, you can view, modify, or duplicate the existing
  configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more
  information about modifying shared objects.
  • If you click *New*, the Connection Parameter Maps configuration pane appears. Configure
  the connection parameter map as described in Table 10-2.
  Note Click More Settings to access the additional Connection Parameter Maps configuration
  attributes. By default, ANM hides the default Connection Parameter Maps configuration attributes
  and the attributes that are not commonly used.
DNS Parameter Maps
  Field that appears if DNS is the selected protocol over UDP.
  Choose an existing DNS parameter map or click *New* to create a new one as follows:
  • If you chose an existing parameter map, you can view, modify, or duplicate the existing
  configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more
  information about modifying shared objects.
  • If you click *New*, the DNS Parameter Maps configuration pane appears. Configure the DNS
  parameter map as described in Table 10-11.
Generic Parameter Maps
  Field that appears if Generic is the selected application protocol over TCP or UDP.
  Choose an existing Generic parameter map or click *New* to create a new one as follows:
  • If you chose an existing parameter map, you can view, modify, or duplicate the existing
  configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more
  information about modifying shared objects.
  • If you click *New*, the Generic Parameter Maps configuration pane appears. Configure the
  Generic parameter map as described in Table 10-4.
HTTP Parameter Maps
  Field that appears if HTTP or HTTPS is the selected application protocol.
  Choose an existing HTTP parameter map or click *New* to create a new one as follows:
  • If you chose an existing parameter map, you can view, modify, or duplicate the existing
  configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more
  information about modifying shared objects.
  • If you click *New*, the HTTP Parameter Maps configuration pane appears. Configure the HTTP
  parameter map as described in Table 10-5.
RTSP Parameter Maps
  Field that appears if RTSP is the selected application protocol over TCP.
  Choose an existing RTSP parameter map or click *New* to create a new one as follows:
  • If you chose an existing parameter map, you can view, modify, or duplicate the existing
  configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more
  information about modifying shared objects.
  • If you click *New*, the RTSP Parameter Maps configuration pane appears. Configure the RTSP
  parameter map as described in Table 10-8.
KAL-AP-TAG Name
  Feature that is supported only for the ACE module software Version A2(2.0), ACE appliance
  software Version A4(1.0), and later versions for both device types. The KAL-AP-TAG feature
  allows the Cisco Global Site Selector (GSS) proprietary KAL-AP protocol to extract load and
  availability information from the ACE when a firewall is positioned between the GSS and the
  ACE. This feature allows you to configure a tag (name) per VIP for a maximum of 4096 tags on
  an ACE. This feature does not replace the tag per domain feature. For more information about
  this feature, see the Release Note for the Cisco Application Control Engine Module (Software
  Version A2(2.0)) or the Cisco Application Control Engine Module Server Load-Balancing
  Configuration Guide (Software Version A2(3.0)), the Configuring Health Monitoring chapter.
  In the KAL-AP-TAG Name field, enter the name as an unquoted text string with no spaces and
  a maximum of 76 alphanumeric characters.
  The following scenarios are not supported and will result in an error:
  • You cannot configure a tag name for a VIP that already has a tag configuration as part of a
  different policy configuration.
  • You cannot associate the same tag name with more than one VIP.
  • You cannot associate the same tag name with a domain and a VIP.
  • You cannot assign two different tags to two different Layer 3 class maps that have the same
  VIP, but different port numbers. The KAL-AP protocol considers these class maps to have
  the same VIP and calculates the load for both Layer 3 rules together when the GSS queries
  the VIP.
KAL-AP-Primary-Out-Of-Service
  Feature that is supported only for ACE module software Version A2(3.1), ACE appliance
  software Version A4(1.0), and later versions of either device type. Check the check box to enable
  the ACE to notify a Global Site Selector (GSS) that the primary server farm is down when the
  backup server farm is in use. Uncheck the check box to disable this feature.
  By default, when you configure a redirect server farm as a backup server farm on the ACE and
  the primary server farm fails, the backup server farm redirects client requests to another data
  center; however, the VIP remains in the INSERVICE state.
  When you configure the ACE to communicate with a GSS, it provides information for server
  availability. When a backup server is in use after the primary server farm is down, this feature
  enables the ACE to inform the GSS that the VIP for the primary server farm is out of service by
  returning a load value of 255. The GSS recognizes that the primary server farm is down and
  sends future DNS requests with the IP address of the other data center.
ICMP Reply
  Virtual server response to ICMP ECHO requests as follows:
  • None—The virtual server is not to send ICMP ECHO-REPLY responses to ICMP requests.
  • Active—The virtual server is to send ICMP ECHO-REPLY responses only if the configured
  VIP is active.
  • Always—The virtual server is always to send ICMP ECHO-REPLY responses to ICMP
  requests.
  • Primary Inservice—The virtual server is to reply to an ICMP ping only if the primary
  server farm state is UP, regardless of the state of the backup server farm. If this option is
  selected and the primary server farm state is DOWN, the ACE discards the ICMP request
  and the request times out.
VIP Advertise
  Field that appears for ACE modules only.
  This option allows the ACE to advertise the IP address of the virtual server as the host route.
  Choose the desired VIP advertise option as follows:
  • None—The ACE does not advertise the IP address of the virtual server as the host route.
  • Active—The ACE advertises the IP address of the virtual server as the host route only if
  there is at least one active real server in the server farm.
  • Always—The ACE always advertises the IP address of the virtual server as the host route.
  • Active-Metric—The ACE advertises the IP address of the virtual server as the host route if
  both of the following are true:
    – There is at least one active real server in the server farm.
    – A distance metric is specified for the route in the Distance field.
  • Always-Metric—The ACE advertises the IP address of the virtual server as the host route,
  using the distance metric in the Distance field.
Distance
  Field that appears for ACE modules only.
  This field appears if you chose Active-Metric or Always-Metric in the VIP Advertise field.
  Enter the administrative distance to be included in the routing table. Valid entries are integers
  from 1 to 254.
Status
  Operating state of the virtual server as follows:
  • In Service—Enables the virtual server for load-balancing operations.
  • Out Of Service—Disables the virtual server for load-balancing operations.
Step 5 In the Basic View, configure virtual server properties by entering the information in Table 7-4.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
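Several Table 7-3 fields carry input rules that are worth checking before a Deploy Now: the Port field (0 to 65535, or a range such as 10-20, with 0 meaning all ports), the IPv4 mask versus IPv6 prefix length (default 128) split, the transport/application protocol pairs of Table 7-2, and the KAL-AP-TAG name format together with its four unsupported assignment scenarios. The following Python validator is an added example, not code from this guide or from ANM; the same Port, address and protocol rules apply to the Basic View fields in Table 7-4. The sample virtual servers, VIPs and tag names are constructed, and the rule that 0 is not accepted inside a port range is an assumption the guide does not state.

```python
import ipaddress
import re

# Application protocols per transport, as listed in Table 7-2 (the same for
# ACE modules and ACE appliances).
APPLICATION_PROTOCOLS = {
    "Any": (),
    "TCP": ("FTP", "Generic", "HTTP", "HTTPS", "Other", "RTSP", "RDP", "SIP"),
    "UDP": ("DNS", "Generic", "Other", "RADIUS", "SIP"),
}

# KAL-AP-TAG name: unquoted, no spaces, at most 76 alphanumeric characters.
_TAG_NAME = re.compile(r"^[A-Za-z0-9]{1,76}$")


def validate_protocol(transport, application=None):
    """Check a Transport Protocol / Application Protocol pair against Table 7-2."""
    if transport not in APPLICATION_PROTOCOLS:
        raise ValueError(f"unknown transport protocol {transport!r}")
    if transport == "Any":
        if application is not None:
            raise ValueError("Application Protocol is only offered for TCP or UDP")
        return True
    if application not in APPLICATION_PROTOCOLS[transport]:
        raise ValueError(f"{application!r} is not available over {transport}")
    return True


def parse_port(text):
    """Parse the Port field: a single port, or a range such as 10-20.
    0 means all ports and is returned as the full range (0, 65535).
    Assumption (not in the guide): 0 is not accepted inside a range."""
    parts = text.strip().split("-")
    if not 1 <= len(parts) <= 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"port must be a number or a lo-hi range, got {text!r}")
    lo, hi = int(parts[0]), int(parts[-1])
    if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
        raise ValueError(f"ports must be within 0-65535, got {text!r}")
    if len(parts) == 1:
        return (0, 65535) if lo == 0 else (lo, lo)
    if lo == 0 or lo > hi:
        raise ValueError(f"invalid port range {text!r}")
    return (lo, hi)


def virtual_ip(address_type, address, mask=None, prefix_length=None):
    """Build the VIP per IP Address Type: IPv4 takes a Virtual IP Mask,
    IPv6 takes a Virtual IP Prefix Length that defaults to 128."""
    if address_type == "IPv4":
        if mask is None:
            raise ValueError("an IPv4 VIP requires a Virtual IP Mask")
        return ipaddress.IPv4Interface(f"{address}/{mask}")
    if address_type == "IPv6":
        plen = 128 if prefix_length is None else int(prefix_length)
        if not 0 <= plen <= 128:
            raise ValueError("IPv6 prefix length must be 0-128")
        return ipaddress.IPv6Interface(f"{address}/{plen}")
    raise ValueError(f"unknown IP Address Type {address_type!r}")


def validate_tag_name(tag):
    if not _TAG_NAME.fullmatch(tag):
        raise ValueError("KAL-AP-TAG name must be 1-76 alphanumeric characters with no spaces")
    return tag


def check_tag_assignments(vservers, domain_tags=()):
    """Report the unsupported KAL-AP-TAG scenarios across a set of virtual servers.
    Each entry is a dict with 'name', 'vip', 'port' and an optional 'tag'."""
    errors = []
    tag_to_vips, vip_to_tags = {}, {}
    for vs in vservers:
        tag = vs.get("tag")
        if tag is None:
            continue
        validate_tag_name(tag)
        tag_to_vips.setdefault(tag, set()).add(vs["vip"])
        vip_to_tags.setdefault(vs["vip"], set()).add(tag)
    for tag, vips in tag_to_vips.items():
        if len(vips) > 1:
            errors.append(f"tag {tag!r} is associated with more than one VIP: {sorted(vips)}")
        if tag in domain_tags:
            errors.append(f"tag {tag!r} is associated with both a domain and a VIP")
    for vip, tags in vip_to_tags.items():
        if len(tags) > 1:
            # KAL-AP treats class maps with the same VIP and different ports as one VIP.
            errors.append(f"VIP {vip} carries different tags on class maps that differ only by port: {sorted(tags)}")
    return errors


# Constructed sample configuration (addresses from the RFC 5737 documentation range).
SAMPLE_VSERVERS = [
    {"name": "vs-web",     "vip": "192.0.2.10", "port": "80",   "tag": "webtag"},
    {"name": "vs-web-ssl", "vip": "192.0.2.10", "port": "443",  "tag": "webssltag"},
    {"name": "vs-app",     "vip": "192.0.2.20", "port": "8080", "tag": "webtag"},
    {"name": "vs-dns",     "vip": "192.0.2.30", "port": "53"},
]
SAMPLE_DOMAIN_TAGS = {"webssltag"}

if __name__ == "__main__":
    for vs in SAMPLE_VSERVERS:
        print(vs["name"], parse_port(vs["port"]), virtual_ip("IPv4", vs["vip"], mask="255.255.255.0"))
    for err in check_tag_assignments(SAMPLE_VSERVERS, SAMPLE_DOMAIN_TAGS):
        print("error:", err)
```

Against the constructed sample, check_tag_assignments() reports three of the unsupported scenarios: webtag on two VIPs, webssltag on both a domain and a VIP, and two different tags on class maps that share 192.0.2.10 and differ only by port.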
Table 7-4 Virtual Server Properties – Basic View
Virtual Server Name
  Name for the virtual server.
IP Address Type
  Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, which
  supports IPv4 and IPv6. Choose the address type of the virtual server: IPv4 or IPv6.
Virtual IP Address
  IP address for the virtual server.
Transport Protocol
  Protocol that the virtual server supports as follows:
  • Any—The virtual server accepts connections using any IP protocol.
  • TCP—The virtual server accepts connections that use TCP.
  • UDP—The virtual server accepts connections that use UDP.
Application Protocol
  Field that appears if TCP or UDP is selected. The application protocols that are available depend
  on the type of ACE being configured.
  Choose the application protocol to be supported by the virtual server. Table 7-2 identifies the
  available protocols for each ACE device type.
  Note This field is read-only if you are editing an existing virtual server. ANM does not allow
  changes between protocols that require a change to the Layer 7 server load-balancing policy map.
  You need to delete the virtual server and create a new one with the desired application protocol.
Port
  Field that appears for any specific TCP or UDP protocol.
  Enter the port to be used for the specified protocol. Valid entries are from 0 to 65535 or a range
  of integers, such as 10-20. Enter 0 (zero) to indicate all ports.
  For a complete list of all protocols and ports, see the Internet Assigned Numbers Authority
  available at www.iana.org/numbers/
All VLANs
  Check box that enables support of incoming traffic from all VLANs. Uncheck the check box to
  support incoming traffic from specific VLANs only.
VLAN
  Field that appears if the All VLANs check box is unchecked.
  In the Available Items list, choose the VLANs to use for incoming traffic, and click Add. The
  items appear in the Selected Items list.
  To remove VLANs, choose them in the Selected Items list, and click Remove. The items appear in
  the Available Items list.
  Note You cannot change the VLAN for a virtual server once it is specified. Instead, delete the
  virtual server and create a new one with the desired VLAN.
Step 6 Do one of the following:
• Click Deploy Now to deploy the configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries.
• Click Deploy Later to save your entries and apply them at a later time.
Related Topics
• Configuring Virtual Servers, page 7-2
• Configuring Virtual Server SSL Termination, page 7-17
Configuring Virtual Server SSL Termination
You can configure virtual server SSL termination service, which allows the virtual server to act as an
SSL proxy server and terminate SSL sessions between it and its clients.
Assumption
Make sure that a virtual server has been configured for HTTPS over TCP or Other over TCP in the
Properties configuration subset. For more information, see the “Configuring Virtual Server Properties”
section on page 7-11.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for SSL termination,
and click Edit.
The Virtual Server configuration window appears.
Step 3 In the Virtual Server configuration window, click SSL Termination.
The Proxy Service Name field appears.
Step 4 In the Proxy Service Name field, choose an existing SSL termination service, or choose *New* to create
a new SSL proxy service, and do one of the following:
• If you chose an existing SSL service, the window refreshes and allows you to view, modify, or
duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on
page 7-9 for more information about modifying shared objects.
• If you chose *New*, the Proxy Service configuration subset appears.
Step 5 Configure the SSL service using the information in Table 7-5.
For more information about SSL, see the “Configuring SSL” section on page 11-1.
Table 7-5 Virtual Server SSL Attributes
Name
  Name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 26
  characters.
Keys
  SSL key pair to use during the SSL handshake for data encryption.
Certificates
  SSL certificate to use during the SSL handshake.
Chain Groups
  Chain group to use during the SSL handshake.
Auth Groups
  SSL authentication group to associate with this proxy server service.
CRL Best-Effort
  Option that appears if you chose an authentication group in the Auth Groups field.
  Check the check box to allow the ANM to search each client certificate presented to the service
  for a CRL location in its extensions and, if one is present, retrieve that CRL.
  Uncheck the check box to disable this feature.
CRL Name
  Option that appears if the CRL Best-Effort check box is clear.
  Choose the Certificate Revocation List the ANM is to use for this proxy service.
Parameter Maps
  SSL parameter map to associate with this proxy server service.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries.
• Click Deploy Later to save your entries and apply them at a later time.
Related Topics
• Configuring Virtual Servers, page 7-2
• Configuring Virtual Server Properties, page 7-11
Configuring Virtual Server Protocol Inspection
You can configure protocol inspection on a virtual server, which allows the virtual server to verify
protocol behavior and identify unwanted or malicious traffic passing through the ACE.
In the Advanced View, protocol inspection configuration is available for the following virtual server
protocol configurations:
• TCP with FTP, HTTP, HTTPS, RTSP, or SIP
• UDP with DNS or SIP
In the Basic View, protocol inspection configuration is available for TCP with FTP.
See Table 7-2 for a list of protocols by ACE device type.
Assumption
Make sure that a virtual server has been configured to use one of the protocols that supports protocol
inspection in the Properties configuration subset. See the “Configuring Virtual Server Properties”
section on page 7-11 for information on configuring these protocols.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual server, choose Config > Devices > context > Load Balancing > Virtual
Servers.
• To configure a configuration building block, choose Config > Global > All Building Blocks >
building_block > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for protocol inspection,
and click Edit.
The Virtual Server configuration window appears.
Step 3 Click Protocol Inspection.
The Enable Inspect check box appears.
Step 4 Check the Enable Inspect check box to enable inspection on the specified traffic or uncheck it to disable
inspection on this traffic.
By default, the ACE allows all request methods.
Step 5 (Optional) If you checked the Enable Inspect check box, configure additional inspection options using
the information in Table 7-6.
Table 7-6 Protocol Inspection Configuration Options
Protocol Action
DNS In the Length field, enter the maximum length of the DNS packet in bytes. If you do not enter a
value in this field, the DNS packet size is not checked.
FTP a. Check the Use Strict check box to specify that the virtual server is to perform enhanced
inspection of FTP traffic and enforce compliance with RFC standards. Uncheck the check box
to specify that the virtual server is not to perform enhanced FTP inspection.
b. (Optional) If you checked the Use Strict check box, in the Blocked FTP Commands field,
identify the commands that are to be denied by the virtual server. See Table 14-8 for more
information about the FTP commands.
• Choose the commands that are to be blocked by the virtual server in the Available Items
list, and click Add. The commands appear in the Selected Items list.
• To remove commands that you do not want to be blocked, choose them in the Selected
Items list, and click Remove. The commands appear in the Available Items list.
HTTP or HTTPS a. Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic.
When enabled, this feature logs every URL request that is sent in the specified class of traffic,
including the source or destination IP address and the URL that is accessed. Uncheck the check
box to disable monitoring of Layer 3 and Layer 4 traffic.
b. In the Policy subset, click Add to add a new match condition and action, or choose an existing
match condition and action and click Edit to modify it. The Policy configuration pane appears.
c. In the Matches field, choose an existing class map or *New* or *Inline Match* to configure
new match criteria for protocol inspection.
If you chose an existing class map, the window refreshes and allows you to view, modify, or
duplicate the selected class map. See the “Shared Objects and Virtual Servers” section on
page 7-9 for more information about modifying shared objects.
d. Configure match criteria and related actions using the information in Table 7-7.
e. Do one of the following:
• Click OK to save your entries. The Conditions table refreshes with the new entry.
• Click Cancel to exit the Policy subset without saving your entries.
f. In the Default Action field, choose the default action that the virtual server is to take when
specified match conditions for protocol inspection are not met:
• Permit—The specified HTTP traffic is to be received by the virtual server.
• Reset—The specified HTTP traffic is to be denied by the virtual server.
RTSP There are no protocol-specific inspection options for RTSP.
SIP a. In the Actions subset, click Add to add a new match condition and action, or choose an existing
match condition and action, and click Edit to modify it. The Actions configuration pane
appears.
b. In the Matches field, choose an existing class map or *New* or *Inline Match* to configure
new match criteria for protocol inspection.
If you chose an existing class map, the window refreshes and allows you to view, modify, or
duplicate the selected class map. See the “Shared Objects and Virtual Servers” section on
page 7-9 for more information about modifying shared objects.
c. Configure match criteria and related actions using the information in Table 7-9.
d. In the Action field, choose the action that the virtual server is to take when the specified match
conditions are met:
– Drop—The specified SIP traffic is discarded by the virtual server.
– Permit—The specified SIP traffic is received by the virtual server.
– Reset—The specified SIP traffic is denied by the virtual server.
e. Do one of the following:
– Click OK to save your entries. The Conditions table refreshes with the new entry.
– Click Cancel to exit the Conditions subset without saving your entries and to return to the
Conditions table.
f. In the SIP Parameter Map field, choose an existing parameter map or choose *New* to
configure a new one.
If you chose an existing parameter map, the window refreshes and allows you to view, modify,
or delete the selected parameter map. See the “Shared Objects and Virtual Servers” section on
page 7-9 for more information about modifying shared objects.
g. Configure SIP parameter map options using the information in Table 10-9.
h. In the Secondary Connection Parameter Map field, choose an existing parameter map or
choose *New* to configure a new one.
If you chose an existing parameter map, the window refreshes and allows you to view, modify,
or delete the selected parameter map. See the “Shared Objects and Virtual Servers” section on
page 7-9 for more information about modifying shared objects.
i. Configure secondary connection parameter map options using the information in Table 10-2.
j. In the Default Action field, choose the default action that the virtual server is to take when
specified match conditions for SIP protocol inspection are not met:
– Drop—The specified SIP traffic is discarded by the virtual server.
– Permit—The specified SIP traffic is received by the virtual server.
– Reset—The specified SIP traffic is denied by the virtual server.
k. Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic.
When enabled, this feature logs every URL request that is sent in the specified class of traffic,
including the source or destination IP address and the URL that is accessed. Uncheck the check
box to disable monitoring of Layer 3 and Layer 4 traffic.
Table 7-7 HTTP and HTTPS Protocol Inspection Match Criteria Configuration
Selection Action
Existing class map a. Click View to review the match condition information for the selected class map.
b. Do one of the following:
– Click Cancel to continue without making changes and to return to the previous window.
– Click Edit to modify the existing configuration.
– Click Duplicate to create a new class map with the same attributes without affecting other
virtual servers using the same class map.
See the “Shared Objects and Virtual Servers” section on page 7-9 for information about modifying
shared objects.
c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches
the specified match criteria:
– Permit—The specified traffic is received by the virtual server if it meets the specified deep
inspection match criteria.
– Reset—The specified traffic is denied by the virtual server, which then sends a TCP reset
message to the client or server to close the connection.
*New* a. In the Name field, specify a unique name for this class map.
b. In the Match field, choose the method to be used to evaluate multiple match statements when
multiple match conditions exist:
– Any—A match exists if at least one of the match conditions is satisfied.
– All—A match exists only if all match conditions are satisfied.
c. In the Conditions table, click Add to add a new set of conditions, or choose an existing entry, and
click Edit to modify it. The Type field appears.
d. In the Type field, choose the type of condition that is to be met for protocol inspection.
e. Provide condition-specific criteria using the information in Table 7-8.
f. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches
the specified match criteria:
– Permit—The specified traffic is received by the virtual server if it meets the specified deep
inspection match criteria.
– Reset—The specified traffic is denied by the virtual server, which then sends a TCP reset
message to the client or server to close the connection.
*Inline Match* a. In the Conditions Type field, choose the type of inline match condition that is to be met for protocol
inspection.
b. Provide condition-specific criteria using the information in Table 7-8.
c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches
the specified match criteria:
– Permit—The specified traffic is received by the virtual server if it meets the specified deep
inspection match criteria.
– Reset—The specified traffic is denied by the virtual server, which then sends a TCP reset
message to the client or server to close the connection.
Table 7-8 HTTP and HTTPS Protocol Inspection Conditions and Options
Condition Description
Content Specific content contained within the HTTP entity-body to be used for application inspection
decisions.
a. In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
b. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte
of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of
the message. Valid entries are from 1 to 255 bytes.
Content Length Content parse length is used for application inspection decisions.
a. In the Content Length Operator field, choose the operand to use to compare content length:
– Equal To—The content length must equal the number in the Content Length Value field.
– Greater Than—The content length must be greater than the number in the Content Length
Value field.
– Less Than—The content length must be less than the number in the Content Length Value
field.
– Range—The content length must be within the range specified in the Content Length
Lower Value field and the Content Length Higher Value field.
b. Enter values to apply for content length comparison:
– If you chose Equal To, Greater Than, or Less Than in the Content Length Operator field,
the Content Length Value field appears. In the Content Length Value field, enter the
number of bytes for comparison. Valid entries are from 0 to 4294967295.
– If you chose Range in the Content Length Operator field, the Content Length Lower Value
and the Content Length Higher Value fields appear:
1. In the Content Length Lower Value field, enter the lowest number of bytes to be used for
this match condition. Valid entries are from 0 to 4294967295. The number in this field must
be less than the number entered in the Content Length Higher Value field.
2. In the Content Length Higher Value field, enter the highest number of bytes to be used
for this match condition. Valid entries are from 0 to 4294967295. The number in this field
must be greater than the number entered in the Content Length Lower Value field.
Content Type
Verification
Verification of MIME-type messages with the header MIME-type is to be used for application
inspection decisions. This option verifies that the header MIME-type value is in the internal list of
supported MIME-types and that the header MIME-type matches the content in the data or body
portion of the message.
Header Name and value in an HTTP header are used for application inspection decisions.
a. In the Header field, choose one of the predefined HTTP headers to match, or choose HTTP
Header to specify a different HTTP header.
b. If you chose HTTP Header, in the Header Name field, enter the name of the HTTP header to
match. Valid entries are unquoted text strings with no spaces and a maximum of 64
alphanumeric characters.
c. In the Header Value field, enter the header-value expression string to compare against the value
in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching. Header
expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the
header map must be matched. See Table 14-33 for a list of the supported characters that you
can use in regular expressions.
Header Length Length of the header in the HTTP message used for application inspection decisions.
a. In the Header Length Type field, specify whether HTTP header request or response messages
are to be used for application inspection decisions:
– Request—HTTP header request messages are to be checked for header length.
– Response—HTTP header response messages are to be checked for header length.
b. In the Header Length Operator field, choose the operand to be used to compare header length:
– Equal To—The header length must equal the number in the Header Length Value field.
– Greater Than—The header length must be greater than the number in the Header Length
Value field.
– Less Than—The header length must be less than the number in the Header Length Value
field.
– Range—The header length must be within the range specified in the Header Length Lower
Value field and the Header Length Higher Value field.
c. Enter values to apply for header length comparison:
– If you chose Equal To, Greater Than, or Less Than in the Header Length Operator field,
the Header Length Value field appears. In the Header Length Value field, enter the number
of bytes for comparison. Valid entries are from 0 to 255.
– If you chose Range in the Header Length Operator field, the Header Length Lower Value
and the Header Length Higher Value fields appear:
1. In the Header Length Lower Value field, enter the lowest number of bytes to be used for
this match condition. Valid entries are from 0 to 255. The number in this field must be less
than the number entered in the Header Length Higher Value field.
2. In the Header Length Higher Value field, enter the highest number of bytes to be used
for this match condition. Valid entries are from 1 to 255. The number in this field must be
greater than the number entered in the Header Length Lower Value field.
Header MIME Type Multipurpose Internet Mail Extension (MIME) message types are used for application inspection
decisions.
In the Header MIME Type field, choose the MIME message type to use for this match condition.
Port Misuse Misuse of port 80 (or any other port running HTTP) to be used for application inspection decisions.
Choose the application category to use for this match condition as follows:
• IM—Instant messaging applications are to be checked.
• P2P—Peer-to-peer applications are to be checked.
• Tunneling—Tunneling applications are to be checked.
Request Method A request method is to be used for protocol inspection decisions. By default, ACEs allow all request
and extension methods. This option allows you to configure protocol inspection decisions based on
compliance to request methods defined in RFC 2616 and by HTTP extension methods.
a. Choose the type of request method to use for this match condition:
– Ext—An HTTP extension method is to be used.
Note The list of available HTTP extension methods from which to choose varies
depending on the version of software installed in the ACE.
– RFC—The request method defined in RFC 2616 is to be used.
b. In the Request Method field, choose the request method that is to be inspected.
Strict HTTP Compliance with HTTP RFC 2616 to be used for application inspection decisions.
Transfer Encoding An HTTP transfer-encoding type to be used for application inspection decisions. The
transfer-encoding general-header field indicates the type of transformation, if any, that has been
applied to the HTTP message body to safely transfer it between the sender and the recipient.
In the Transfer Encoding field, choose the type of encoding that is to be checked:
• Chunked—The message body is transferred as a series of chunks.
• Compress—The encoding format that is produced by the UNIX file compression program
compress.
• Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE
compression mechanism described in RFC 1951.
• Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip)
as described in RFC 1952.
• Identity—The default (identity) encoding which does not require the use of transformation.
URL URL names to be used for application inspection decisions.
In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from
1 to 255 alphanumeric characters and include only the portion of the URL following
www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html,
include only /latest/whatsnew.html.
URL Length URL length to be used for application inspection decisions.
a. In the URL Length Operator field, choose the operand to use to compare URL length:
– Equal To—The URL length must equal the number in the URL Length Value field.
– Greater Than—The URL length must be greater than the number in the URL Length
Value field.
– Less Than—The URL length must be less than the number in the URL Length Value field.
– Range—The URL length must be within the range specified in the URL Length Lower
Value field and the URL Length Higher Value field.
b. Enter values to apply for URL length comparison:
– If you chose Equal To, Greater Than, or Less Than in the URL Length Operator field, the
URL Length Value field appears. In the URL Length Value field, enter the value for
comparison. Valid entries are from 1 to 65535 bytes.
– If you chose Range in the URL Length Operator field, the URL Length Lower Value and
the URL Length Higher Value fields appear:
1. In the URL Length Lower Value field, enter the lowest number of bytes to be used for
this match condition. Valid entries are from 1 to 65535. The number in this field must be
less than the number entered in the URL Length Higher Value field.
2. In the URL Length Higher Value field, enter the highest number of bytes to be used for
this match condition. Valid entries are from 1 to 65535. The number in this field must be
greater than the number entered in the URL Length Lower Value field.
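The match conditions of Tables 7-7 and 7-8 are easier to reason about as code. The following is an added example, not code from this guide, from ANM or from the ACE: a small Python evaluator that applies class maps (Match Any or All, Permit or Reset) built from the Content, Content Length, Header, Header Length, URL, URL Length, Transfer Encoding and Request Method conditions to constructed HTTP requests, and falls back to the Default Action of Step 5 f when no class map matches. The condition keys, the first-match ordering of class maps, the sample policy and the sample requests are assumptions made for illustration; Port Misuse, Content Type Verification and Strict HTTP depend on data the table does not give and are left out.

```python
"""Toy evaluator for the HTTP/HTTPS inspection semantics of Tables 7-7 and 7-8.

Assumptions not taken from the guide: class maps are tried in order and the first
match decides, and condition dicts use the short keys in condition_matches().
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Request methods defined in RFC 2616; any other method counts as an "Ext" method.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}


@dataclass
class HttpRequest:
    method: str
    url: str                                     # only the part after the host, as in Table 7-8
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)

    def header_length(self) -> int:
        # Bytes of the request header block as it would appear on the wire.
        return sum(len(f"{k}: {v}\r\n") for k, v in self.headers.items())


def length_matches(n: int, op: str, value=None, lower=None, higher=None) -> bool:
    """Equal To / Greater Than / Less Than / Range operators from Table 7-8."""
    if op == "range":
        if lower is None or higher is None or lower >= higher:
            raise ValueError("Range requires lower < higher")   # as the guide states
        return lower <= n <= higher
    return {"eq": n == value, "gt": n > value, "lt": n < value}[op]


def condition_matches(cond: dict, req: HttpRequest) -> bool:
    t = cond["type"]
    args = (cond.get("op"), cond.get("value"), cond.get("lower"), cond.get("higher"))
    if t == "content":          # expression searched in the body after Content Offset bytes
        return re.search(cond["expr"].encode(), req.body[cond.get("offset", 0):]) is not None
    if t == "content_length":
        return length_matches(len(req.body), *args)
    if t == "header":           # Header Name plus a regular expression for Header Value
        val = req.header(cond["name"])
        return val is not None and re.search(cond["value"], val) is not None
    if t == "header_length":    # only request headers are modelled here
        return length_matches(req.header_length(), *args)
    if t == "url":
        return re.search(cond["expr"], req.url) is not None
    if t == "url_length":
        return length_matches(len(req.url), *args)
    if t == "transfer_encoding":
        return (req.header("Transfer-Encoding") or "identity").lower() == cond["encoding"]
    if t == "request_method":   # kind is "rfc" or "ext", as in the Request Method condition
        is_rfc = req.method in RFC2616_METHODS
        return req.method == cond["method"] and (cond["kind"] == "rfc") == is_rfc
    raise ValueError(f"unknown condition type {t!r}")


@dataclass
class ClassMap:
    name: str
    match: str          # "any" or "all", the Match field of Table 7-7
    conditions: list
    action: str         # "permit" or "reset"

    def matches(self, req: HttpRequest) -> bool:
        results = [condition_matches(c, req) for c in self.conditions]
        return any(results) if self.match == "any" else all(results)


def inspect(req: HttpRequest, class_maps: list, default_action: str = "permit"):
    """Return (action, class map name); the Default Action applies when nothing matches."""
    for cm in class_maps:
        if cm.matches(req):
            return cm.action, cm.name
    return default_action, None


# Constructed policy: three class maps that reset suspicious requests, one that permits.
POLICY = [
    ClassMap("oversized-post", "all", [
        {"type": "request_method", "kind": "rfc", "method": "POST"},
        {"type": "content_length", "op": "gt", "value": 1024}], "reset"),
    ClassMap("webdav-method", "any", [
        {"type": "request_method", "kind": "ext", "method": "PROPFIND"},
        {"type": "request_method", "kind": "ext", "method": "MKCOL"}], "reset"),
    ClassMap("long-url", "any", [{"type": "url_length", "op": "gt", "value": 255}], "reset"),
    ClassMap("host-ok", "all", [
        {"type": "header", "name": "Host", "value": r"^www\.anydomain\.com$"},
        {"type": "header_length", "op": "range", "lower": 0, "higher": 4096}], "permit"),
]

# Constructed sample requests (not captured traffic).
_H = {"Host": "www.anydomain.com", "User-Agent": "curl/8.0"}
SAMPLES = {
    "plain_get": HttpRequest("GET", "/latest/whatsnew.html", _H),
    "small_post": HttpRequest("POST", "/login", _H, b"user=alice&pass=x"),
    "big_post": HttpRequest("POST", "/upload", _H, b"A" * 2048),
    "propfind": HttpRequest("PROPFIND", "/dav/", _H),
    "long_url": HttpRequest("GET", "/" + "a" * 300, _H),
    "wrong_host": HttpRequest("GET", "/", {"Host": "evil.example"}),
}


def run_samples(policy=POLICY, default_action="permit") -> dict:
    return {name: inspect(req, policy, default_action) for name, req in SAMPLES.items()}
```

run_samples() returns the action and the deciding class map for each sample; the wrong_host request matches nothing, so it shows how the Default Action decides the rest of the traffic (pass default_action="reset" to see the stricter posture). The Range operator raises when the lower value is not below the higher value, which is the constraint the table places on those two fields.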
Table 7-9 SIP Protocol Inspection Match Criteria Configuration
Selection Action
Existing class map a. Click View to review the match condition information for the selected class map.
b. Do one of the following:
– Click Cancel to continue without making changes and to return to the previous window.
– Click Edit to modify the existing configuration.
– Click Duplicate to create a new class map with the same attributes without affecting other
virtual servers using the same class map.
See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about
modifying shared objects.
c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches
the specified match criteria:
– Drop—The specified traffic is to be dropped by the virtual server.
– Permit—The specified traffic is to be received by the virtual server.
– Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset
message to the client or server to close the connection.
*New* a. In the Name field, specify a unique name for this class map.
b. In the Conditions table, click Add to add a new set of conditions, or choose an existing entry, and
click Edit to modify it. The Type field appears.
c. In the Type field, choose the type of condition that is to be met for protocol inspection.
d. Provide condition-specific criteria using the information in Table 7-10.
e. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches
the specified match criteria:
– Drop—The specified traffic is to be dropped by the virtual server.
– Permit—The specified traffic is to be received by the virtual server.
– Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset
message to the client or server to close the connection.
*Inline Match* a. In the Conditions Type field, choose the type of inline match condition that is to be met for protocol
inspection.
Table 7-10 describes the types of conditions and their related configuration options.
b. Provide condition-specific criteria using the information in Table 7-10.
c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches
the specified match criteria:
– Drop—The specified traffic is to be dropped by the virtual server.
– Permit—The specified traffic is to be received by the virtual server.
– Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset
message to the client or server to close the connection.
Table 7-10 SIP Protocol Inspection Conditions and Options
Condition Description
Called Party Destination or called party specified in the URI of the SIP To header used for SIP protocol
inspection decisions.
In the Called Party field, enter a regular expression that identifies the called party in the URI of the
SIP To header for this match condition. Valid entries are unquoted text strings with no spaces and
a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching
string expressions. Table 14-33 lists the supported characters that you can use for matching string
expressions.
Calling Party Source or caller specified in the URI of the SIP From header used for SIP protocol inspection
decisions.
In the Calling Party field, enter a regular expression that identifies the calling party in the URI of
the SIP From header for this match condition. Valid entries are unquoted text strings with no spaces
and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 14-33 lists the supported characters that you can use for
matching string expressions.
IM Subscriber IM (instant messaging) subscriber used for application inspection decisions.
In the IM Subscriber field, enter a regular expression that identifies the IM subscriber for this match
condition. Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching string expressions.
Table 14-33 lists the supported characters that you can use for matching string expressions.
Message Path SIP inspection that allows you to filter messages coming from or transiting through certain SIP
proxy servers. The ACE maintains a list of the unauthorized SIP proxy IP addresses or URLs in the
form of regular expressions and checks this list against the VIA header field in each SIP packet.
In the Message Path field, enter a regular expression that identifies the SIP proxy server for this
match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters. The ACE supports regular expressions for matching string expressions.
Table 14-33 lists the supported characters that you can use for matching string expressions.
SIP Content Length SIP message body content length used for SIP protocol inspection decisions.
To specify SIP traffic based on SIP message body length:
a. In the Content Operator field, confirm that Greater Than is selected.
b. In the Content Length field, enter the maximum size of a SIP message body in bytes that the
ACE is to allow without performing SIP protocol inspection. If a SIP message exceeds the
specified value, the ACE performs SIP protocol inspection as defined in an associated policy
map. Valid entries are from 0 to 65534 bytes.
SIP Content Type Content type in the SIP message body used for SIP protocol inspection decisions.
In the Content Type field, enter a regular expression that identifies the content type in the SIP
message body to use for this match condition. Valid entries are unquoted text strings with no spaces
and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 14-33 lists the supported characters that you can use for
matching string expressions.
SIP Request Method SIP request method used for application inspection decisions.
In the Request Method field, choose the request method that is to be inspected.
Third Party Condition that indicates that the ACE is to allow SIP users to register other users on their behalf by
sending REGISTER messages with different values in the From and To header fields. This process
can pose a security threat if the REGISTER message is actually a DEREGISTER message. A
malicious user could cause a DoS (denial-of-service) attack by deregistering all users on their
behalf. To prevent this security threat, you can specify a list of privileged users who can register or
unregister someone else on their behalf. The ACE maintains the list as a regex table. If you
configure this policy, the ACE drops REGISTER messages with mismatched From and To headers
and a From header value that does not match any of the privileged user IDs.
In the Third Party Registration Entities field, enter a regular expression that identifies a privileged
user who is authorized for third-party registrations. Valid entries are unquoted text strings with no
spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching string expressions. Table 14-33 lists the supported characters that you can use for
matching string expressions.
URI Length Condition that indicates that the ACE is to validate the length of SIP URIs or Tel URIs. A SIP URI
is a user identifier that a calling party (source) uses to contact the called party (destination). A Tel
URI is a telephone number that identifies the endpoint of a SIP connection. For more information
about SIP URIs and Tel URIs, see RFC 2534 and RFC 3966, respectively.
To filter SIP traffic based on URIs, do the following:
a. In the URI Type field, choose the type of URI to be used:
– SIP URI—The calling party URI is to be used for this match condition.
– Tel URI—A telephone number is to be used for this match condition.
b. In the URI Operator field, confirm that Greater Than is selected.
c. In the URI Length field, enter the maximum length of the SIP URI or Tel URI in bytes. Valid
entries are from 0 to 254 bytes.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries.
• Click Deploy Later to save your entries and deploy the configuration at a later time.
Related Topics
• Configuring Virtual Server Properties, page 7-11
• Configuring Virtual Server SSL Termination, page 7-17
• Configuring Virtual Server Layer 7 Load Balancing, page 7-30
• Managing Virtual Servers, page 7-66
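The SIP conditions of Tables 7-9 and 7-10, and in particular the Third Party registration check, are worth seeing as executable logic. The following is an added example, not code from this guide, from ANM or from the ACE: a Python evaluator that applies Drop, Permit or Reset class maps built from the Called Party, Calling Party, Message Path, SIP Content Length, SIP Content Type, SIP Request Method, Third Party and URI Length conditions to constructed SIP messages, dropping a REGISTER whose From and To differ unless the From matches a privileged-user regular expression. The condition keys, the AND of conditions inside one class map, the first-match ordering, the choice of the Request-URI as the Tel URI to measure, and the sample policy, users and addresses are assumptions made for illustration.

```python
"""Toy evaluator for the SIP inspection conditions of Tables 7-9 and 7-10.

Assumptions not taken from the guide: conditions in one class map are ANDed, class
maps are tried in order with the first match deciding, and the Tel URI checked by
URI Length is the Request-URI. Sample messages and addresses are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SipMessage:
    method: str                                   # REGISTER, INVITE, ...
    request_uri: str                              # sip:... or tel:...
    headers: dict = field(default_factory=dict)   # From, To, Content-Type, ...
    via: list = field(default_factory=list)       # one entry per Via header, top first
    body: bytes = b""


def header_uri(value: str) -> str:
    """Extract the URI from a From/To header such as '"Bob" <sip:bob@example.com>;tag=9'."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()


def condition_matches(cond: dict, msg: SipMessage) -> bool:
    t = cond["type"]
    if t == "called_party":
        return re.search(cond["regex"], header_uri(msg.headers["To"])) is not None
    if t == "calling_party":
        return re.search(cond["regex"], header_uri(msg.headers["From"])) is not None
    if t == "message_path":            # unauthorized proxy anywhere in the Via chain
        return any(re.search(cond["regex"], v) for v in msg.via)
    if t == "sip_content_length":      # the guide offers only Greater Than here
        return len(msg.body) > cond["value"]
    if t == "sip_content_type":
        return re.search(cond["regex"], msg.headers.get("Content-Type", "")) is not None
    if t == "sip_request_method":
        return msg.method == cond["method"]
    if t == "third_party":
        # Matches (so the policy can drop) a REGISTER whose From and To differ and
        # whose From matches none of the privileged user regexes.
        if msg.method != "REGISTER":
            return False
        frm, to = header_uri(msg.headers["From"]), header_uri(msg.headers["To"])
        return frm != to and not any(re.search(p, frm) for p in cond["privileged"])
    if t == "uri_length":              # the guide offers only Greater Than here
        if cond["uri_type"] == "sip":
            uri = header_uri(msg.headers["From"])       # the calling party URI
        else:
            uri = msg.request_uri if msg.request_uri.startswith("tel:") else ""
        return len(uri) > cond["value"]
    raise ValueError(f"unknown condition type {t!r}")


@dataclass
class ClassMap:
    name: str
    conditions: list
    action: str          # "drop", "permit" or "reset"

    def matches(self, msg: SipMessage) -> bool:
        return all(condition_matches(c, msg) for c in self.conditions)


def inspect(msg: SipMessage, class_maps: list, default_action: str = "permit"):
    """Return (action, class map name); the Default Action applies when nothing matches."""
    for cm in class_maps:
        if cm.matches(msg):
            return cm.action, cm.name
    return default_action, None


PRIVILEGED = [r"^sip:pbx-admin@example\.com$"]     # constructed privileged registrar
POLICY = [
    ClassMap("third-party-register", [{"type": "third_party", "privileged": PRIVILEGED}], "drop"),
    ClassMap("rogue-proxy", [{"type": "message_path", "regex": r"\b203\.0\.113\.7\b"}], "drop"),
    ClassMap("long-tel-uri", [{"type": "uri_length", "uri_type": "tel", "value": 32}], "reset"),
    ClassMap("big-invite-body", [{"type": "sip_request_method", "method": "INVITE"},
                                 {"type": "sip_content_length", "value": 2048}], "reset"),
]


def _msg(method, uri, frm, to, via="SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1", body=b""):
    # Constructed message; documentation addresses only.
    return SipMessage(method, uri, {"From": f"<{frm}>;tag=1", "To": f"<{to}>"}, [via], body)


SAMPLES = {
    "self_register": _msg("REGISTER", "sip:example.com", "sip:alice@example.com", "sip:alice@example.com"),
    "admin_registers_bob": _msg("REGISTER", "sip:example.com", "sip:pbx-admin@example.com", "sip:bob@example.com"),
    "mallory_registers_bob": _msg("REGISTER", "sip:example.com", "sip:mallory@example.com", "sip:bob@example.com"),
    "via_rogue_proxy": _msg("INVITE", "sip:bob@example.com", "sip:alice@example.com", "sip:bob@example.com",
                            via="SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK2"),
    "long_tel_uri": _msg("INVITE", "tel:+" + "1" * 40, "sip:alice@example.com", "sip:bob@example.com"),
    "big_invite": _msg("INVITE", "sip:bob@example.com", "sip:alice@example.com", "sip:bob@example.com",
                       body=b"v=0\r\n" * 512),
}


def run_samples(policy=POLICY, default_action="permit") -> dict:
    return {name: inspect(msg, policy, default_action) for name, msg in SAMPLES.items()}
```

run_samples() shows the two halves of the Third Party rule: a user registering itself and the privileged registrar registering someone else both pass, while an unprivileged From registering a different To is dropped. The remaining samples exercise Message Path against the Via chain, the Tel URI length bound, and the Greater Than content-length trigger combined with a request-method match.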
Configuring Virtual Server Layer 7 Load Balancing
You can configure Layer 7 load balancing on a virtual server. In the Advanced View, Layer 7 load
balancing is available for virtual servers configured with one of the following protocol combinations:
• TCP with Generic, FTP, HTTP, HTTPS, RDP, RTSP, or SIP
• UDP with Generic, DNS, RADIUS, or SIP
See the “Configuring Virtual Server Properties” section on page 7-11 for information about configuring
these protocols.
Table 7-2 identifies the protocols that are available for each type of ACE device.
Assumption
Make sure that a virtual server has been configured with one of the following protocol combinations:
• TCP with Generic, FTP, HTTP, HTTPS, RDP, RTSP, or SIP
• UDP with Generic, DNS, RADIUS, or SIP
For more information, see the “Configuring Virtual Server Properties” section on page 7-11.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for Layer 7 load
balancing, and click Edit.
The Virtual Server configuration window appears.
Step 3 In the Virtual Server configuration window, click L7 Load-Balancing.
The Layer 7 Load-Balancing Rule Match table appears.
Step 4 In the Rule Match table, click Add to add a new match condition and action, or choose an existing match
condition and action, and click Edit to modify it.
The Rule Match configuration pane appears.
Step 5 In the Rule Match field of the Rule Match configuration pane, choose an existing class map or *New*
or *Inline Match* to configure new match criteria for Layer 7 load balancing, and do one of the
following:
• If you chose an existing class map, click View to review, modify, or duplicate the existing
configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more
information about modifying shared objects.
• If you click *New* or *Inline Match*, the Rule Match configuration pane appears.
Step 6 Configure match criteria using the information in Table 7-11.
Table 7-11 Layer 7 Load-Balancing Match Criteria Configuration
Selection Action
Existing class map a. Click View to review the match condition information for the selected class map.
b. Do one of the following:
– Click Cancel to continue without making changes and to return to the previous window.
– Click Edit to modify the existing configuration.
– Click Duplicate to create a new class map with the same attributes without affecting other
virtual servers using the same class map.
See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about
modifying shared objects.
*New* a. In the Name field, enter a unique name for this class map.
b. In the Match field, choose the method to be used to evaluate multiple match statements when
multiple match conditions exist:
– match-any—A match exists if at least one of the match conditions is satisfied.
– match-all—A match exists only if all match conditions are satisfied.
c. In the Conditions table, click Add to add a new set of conditions, or choose an existing entry and
click Edit to modify it.
d. In the Type field, choose the match condition and configure any of these protocol-specific options:
– For Generic protocol options, see Table 14-9.
– For HTTP and HTTPS protocol options, see Table 7-12.
– For RADIUS protocol options, see Table 14-10.
– For RTSP protocol options, see Table 14-11.
– For SIP protocol options, see Table 14-12.
e. Do one of the following:
– Click OK to accept your entries and to return to the Conditions table.
– Click Cancel to exit this procedure without saving your entries and to return to the Conditions
table.
*Inline Match* In the Conditions Type field, choose the type of inline match condition and configure any
protocol-specific options:
• For Generic protocol options, see Table 14-9.
• For HTTP and HTTPS protocol options, see Table 7-12.
• For RADIUS protocol options, see Table 14-10.
• For RTSP protocol options, see Table 14-11.
• For SIP protocol options, see Table 14-12.
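The following is an added example, not code from the ANM guide or from the ACE software: a small Python model of how the Layer 7 class map built in Steps 5 and 6 evaluates its conditions under match-any and match-all, using the HTTP URL, Method Expression, HTTP Header and HTTP Cookie conditions described in Table 7-12. The request representation, the first-match policy, the names in it (SF-API, STICKY-WEB, the JSESSIONID cookie) and the anchored regex semantics (re.fullmatch) are assumptions for illustration only.

```python
import re
from dataclasses import dataclass

# Added example: how match-any / match-all class maps evaluate HTTP conditions.
# Everything below is a model for illustration, not the ACE implementation.
# Regular expressions are anchored with re.fullmatch (an assumption).


@dataclass
class HttpRequest:
    method: str
    path: str        # only the part after the host, as the URL Expression field expects
    headers: dict    # header name -> value
    cookies: dict    # cookie name -> value


def cond_url(expr):
    """HTTP URL condition: regex against the path portion of the URL."""
    return lambda req: re.fullmatch(expr, req.path) is not None


def cond_method(name):
    """Method Expression: compared exactly, so a non-standard token such as CORVETTE is allowed."""
    return lambda req: req.method == name


def cond_header(name, value_expr):
    """HTTP Header condition: header name (case-insensitive) plus a regex on its value."""
    def check(req):
        value = next((v for k, v in req.headers.items() if k.lower() == name.lower()), None)
        return value is not None and re.fullmatch(value_expr, value) is not None
    return check


def cond_cookie(name, value_expr, secondary=True):
    """HTTP Cookie condition. secondary=True: name AND value must match (Secondary Cookie
    Matching checked); secondary=False: name OR value is enough (check box cleared)."""
    def check(req):
        name_hit = name in req.cookies
        value_hit = any(re.fullmatch(value_expr, v) for v in req.cookies.values())
        return (name_hit and value_hit) if secondary else (name_hit or value_hit)
    return check


@dataclass
class ClassMap:
    name: str
    mode: str        # "match-any" or "match-all", as in Table 7-11
    conditions: list

    def matches(self, req):
        hits = [c(req) for c in self.conditions]
        return all(hits) if self.mode == "match-all" else any(hits)


def first_match(policy, req, default="forward"):
    """policy: list of (ClassMap, action). Returns the action of the first matching class map."""
    for cmap, action in policy:
        if cmap.matches(req):
            return action
    return default


# Constructed policy (names made up): drop risky methods first, send API traffic to an
# API farm, and hand requests carrying a well-formed session cookie to a sticky group.
POLICY = [
    (ClassMap("BLOCK-METHODS", "match-any",
              [cond_method("TRACE"), cond_method("CONNECT")]), "drop"),
    (ClassMap("API", "match-all",
              [cond_url(r"/api/.*"), cond_header("Host", r"api\.example\.com")]), "load-balance SF-API"),
    (ClassMap("SESSION", "match-any",
              [cond_cookie("JSESSIONID", r"[0-9A-F]{32}", secondary=True)]), "sticky STICKY-WEB"),
]


def classify(method, path, headers=None, cookies=None):
    """Run one constructed request through POLICY and return the resulting action."""
    return first_match(POLICY, HttpRequest(method, path, headers or {}, cookies or {}))


if __name__ == "__main__":
    print(classify("GET", "/api/users", {"Host": "api.example.com"}))   # load-balance SF-API
    print(classify("GET", "/api/users", {"Host": "www.example.com"}))   # forward: match-all fails on Host
    print(classify("TRACE", "/"))                                        # drop
    print(classify("GET", "/shop", cookies={"JSESSIONID": "A" * 32}))    # sticky STICKY-WEB
    print(classify("GET", "/shop", cookies={"JSESSIONID": "bad"}))      # forward
```

Whether the platform anchors a URL regex matters as soon as a rule is used as an access control: with an unanchored search, the guide's example expression /latest/whatsnew.html would also match /evil/latest/whatsnew.html. Confirm the regex semantics (Table 14-33) before relying on a URL match to restrict access, and order the class maps so that a Drop rule precedes the load-balancing rules, as the first-match evaluation above does.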
Table 7-12 Layer 7 HTTP/HTTPS Load-Balancing Conditions and Options
Match Condition Action
Class Map Existing class map used for the match condition.
In the Class Map field, choose the class map to be used.
HTTP Content Specific content contained within the HTTP entity-body used to establish a match condition.
a. In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
b. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte
of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body
of the message. Valid entries are from 1 to 255.
HTTP Cookie HTTP cookies used for the match condition.
a. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings
with no spaces and a maximum of 64 alphanumeric characters.
b. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted
text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports
regular expressions for matching string expressions. Table 14-33 lists the supported characters
that you can use for matching string expressions.
c. Check the Secondary Cookie Matching check box to indicate that the ACE is to use both the
cookie name and the cookie value to satisfy this match condition. Clear this check box to
indicate that the ACE is to use either the cookie name or the cookie value to satisfy this match
condition.
HTTP Header HTTP header and corresponding value used to establish match conditions.
a. In the Header Name field, specify the header in one of the following ways:
– To specify an HTTP header that is not one of the standard HTTP headers, click the first
radio button and enter the HTTP header name in the Header Name field. Enter an
unquoted text string with no spaces and a maximum of 64 characters.
– To specify one of the standard HTTP headers, click the second radio button and choose
the desired HTTP header from the list.
b. In the Header Value field, enter the header-value expression string to compare against the
value in the specified field in the HTTP header. Valid entries are text strings with a maximum
of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header
expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the
header map must be matched. Table 14-33 lists the supported characters that you can use in
regular expressions.
HTTP URL Condition that indicates that the ACE is to perform regular expression matching against the
received packet data from a particular connection based on the HTTP URL string.
a. In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are
URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL
following www.hostname.domain in the match statement. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the
www.anydomain.com portion, the URL string can take the form of a URL regular expression.
The ACE supports regular expressions for matching URL strings. Table 14-33 lists the
supported characters that you can use in regular expressions.
b. In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted
text strings with no spaces and a maximum of 15 alphanumeric characters. The method can
either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT,
DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example,
CORVETTE).
Source Address Client source IP address used for the match condition.
a. In the Source Address field, enter the source IP address of the client. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.2).
b. In the Source Netmask field, choose the subnet mask to apply to the source IP address.
Step 7 In the Primary Action field, choose the action that the virtual server is to perform on the traffic if it
matches the specified match criteria:
• Drop—Client requests for content are to be discarded when match conditions are met. Continue
with Step 12.
• Forward—Client requests for content are to be forwarded without performing load balancing on the
requests when match conditions are met. Continue with Step 12.
• Load Balance—Client requests for content are to be directed to a server farm when match
conditions are met. Continue with Step 9.
• Sticky—Client requests for content are to be handled by a sticky group when match conditions are
met. Continue with Step 10.
Step 8 (Optional) From the HTTP Header Modify Action List drop-down list, choose an existing Action List or
choose New to display the Action List configuration table and create a new one. For more information,
see the “Configuring an HTTP Header Modify Action List” section on page 14-85.
Step 9 (Optional) If you chose Load Balance as the primary action, do the following:
a. In the Server Farm field, choose the primary server farm to use for load balancing, or choose *New*
to configure a new server farm (see Table 7-13).
If you chose an existing object in this field, you can view, modify, or duplicate the selected object’s
existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more
information about modifying shared objects in virtual servers.
Note To display statistics and status information for an existing server farm, choose a server farm
in the list, and click Details. ANM accesses the show serverfarm name detail CLI
command to display detailed server farm information. See the “Displaying Server Farm
Statistics and Status Information” section on page 8-48.
b. In the Backup Server Farm field, choose the server farm to act as the backup server farm for load
balancing if the primary server farm is unavailable, or choose *New* to configure a new backup
server farm (see Table 7-13).
Note Fields and information related to IPv6 require ACE module and ACE appliance software
Version A5(1.0) or later.
If you chose an existing object in this field, you can view, modify, or duplicate the selected object’s
existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more
information about modifying shared objects in virtual servers.
Table 7-13 New Server Farm Attributes
Field Description
Name Unique name for the server farm. Valid entries are unquoted text strings with no spaces and a maximum
of 64 characters.
Type Type of server farm:
• Host—A typical server farm that consists of real servers that provide content and services to clients.
By default, if you configure a backup server farm and all real servers in the primary server farm go
down, the primary server farm fails over to the backup server farm. Use the following options to
specify thresholds for failover and returning to service.
1. In the Partial-Threshold Percentage field, enter the minimum percentage of real servers in the
primary server farm that must remain active for the server farm to stay up. If the percentage of active
real servers falls below this threshold, the ACE takes the server farm out of service. Valid entries are
from 0 to 99.
2. In the Back Inservice field, enter the percentage of real servers in the primary server farm that must
be active again for the ACE to place the server farm back into service. Valid entries are from 0 to 99.
The value in this field should be larger than the value in the Partial Threshold Percentage field.
• Redirect—A server farm that consists only of real servers that redirect client requests to alternate
locations specified in the real server configuration.
Fail Action Action that the ACE takes if any real server in the server farm fails:
• N/A—Indicates that the ACE is to take no action if any server in the server farm fails.
• Purge—Indicates that the ACE is to remove connections to a real server if that real server in the
server farm fails. The ACE sends a reset command to both the client and the server that failed.
• Reassign—Indicates that the ACE reassigns the existing server connections to the backup real server
(if configured) if the real server fails after you choose this option. If a backup real server has not
been configured for the failing server, this selection leaves the existing connections untouched on the
failing real server.
Failaction Reassign Across Vlans Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of
either device type. This field appears only when the L7 Load-Balancing Action parameters are set as
follows: Primary Action: LoadBalance; ServerFarm: New; Fail Action: Reassign.
Check the check box to specify that the ACE reassigns the existing server connections to the backup real
server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails.
If a backup real server has not been configured for the failing server, this option has no effect and leaves
the existing connections untouched in the failing real server.
Note the following configuration requirements and restrictions when you enable this option:
• Enable the Transparent option (see the next field) to instruct the ACE not to use NAT to translate the
ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended
for use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for
the connection coming in to the ACE is for the end-point real server, and the ACE reassigns the
connection so that it is transmitted through a different next hop.
• Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to
and coming from the same server in a flow will traverse the same firewalls or stateful devices (see
the “Configuring Virtual Context VLAN Interfaces” section on page 12-6).
• Configure the Predictor Hash Address option. See Table 7-14 for the supported predictor methods
and configurable attributes for each predictor method.
• You must configure identical policies on the primary interface and the backup-server interface. The
backup interface must have the same feature configurations as the primary interface.
• If you configure a policy on the backup-server interface that is different from the policies on the
primary-server interface, that policy will be effective only for new connections. The reassigned
connection will always have only the primary-server interface policies.
• Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or
SYN cookie) are not supported.
• You cannot reassign connections to the failed real server after it comes back up. This restriction also
applies to same-VLAN backup servers.
• Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN
backup server.
• You must disable sequence number randomization on the firewall (see the “Configuring Connection
Parameter Maps” section on page 10-3).
• Probe configurations should be similar on both ACEs and the interval values should be low. For
example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the
reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with
the low interval value will detect the primary server failure first and will reassign all its incoming
connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect
the failure before the primary server comes back up and will still point to the primary server.
To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval:
2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
Transparent Field that appears only for host server farms.
Specifies whether the ACE translates the VIP address to the real server IP address. Check the check box
to put the server farm in transparent mode, in which the ACE does not translate the VIP address to the
server IP address (used, for example, for firewall load balancing, where the client's destination address
must reach the end-point server unchanged; see the Failaction Reassign Across Vlans field). Uncheck the
check box for normal operation, in which the ACE translates the VIP address to the server IP address.
Dynamic Workload Scaling Option that is available only with ACE software Version A4(2.0) or later on either device type
(appliance or module). Field that appears only for host server farms.
Allows the ACE to burst traffic to remote VMs when the average CPU usage, memory usage, or both of
the local VMs has reached its specified maximum threshold value. The ACE stops bursting traffic to the
remote VMs when the average CPU or memory usage of the local VMs has dropped to its specified
minimum threshold value. This option requires that you have the ACE configured for Dynamic Workload
Scaling using a Nexus 7000, VM Controller, and VM probe (see the “Configuring Dynamic Workload
Scaling” section on page 8-26).
Click one of the following radio button options:
• N/A—Not applicable (default).
• Local—The ACE can use only the VM Controller's local VMs for load balancing (bursting is not
allowed).
• Burst—Enables the ACE to burst traffic to remote VMs when needed.
When you choose Burst, the VM Probe Name field appears along with a list of available VM probes.
Choose an available VM probe or click Add to display the Health Monitoring popup window and
create a new VM probe or edit an existing one (see the “Configuring Health Monitoring” section on
page 8-49).
Fail-On-All Field that appears for host server farms only.
By default, real servers that you configure in a server farm inherit the probes that you configure directly
on that server farm. When you configure multiple probes on a server farm, the real servers in the server
farm use OR logic with respect to the probes: if any one of the probes configured on the server farm
fails, all the real servers in that server farm fail and enter the PROBE-FAILED state.
With AND logic, if one server farm probe fails, the real servers in the server farm remain in the
OPERATIONAL state; only if all the probes associated with the server farm fail do all the real servers in
that server farm fail and enter the PROBE-FAILED state. You can also configure AND logic for probes
that you configure directly on real servers in a server farm (see the Fail-On-All check box in the Real
Servers row of this table).
Check this check box to configure the real servers in a server farm to use AND logic with respect to
multiple server farm probes.
The Fail On All function is applicable to all probe types.
Inband-Health Check Option that is available only for the ACE module A4(1.0), ACE appliance A4(1.0), and later releases of
either device type. Field that appears only for host server farms.
By default, the ACE monitors the health of all real servers in a configuration through the use of ARPs
and health probes. However, there is a latency period between when the real server goes down and when
the ACE becomes aware of the state. The inband health monitoring feature allows the ACE to monitor the
health of the real servers in the server farm through the following connection failures:
• For TCP, resets (RSTs) from the server or SYN timeouts.
• For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages.
When you configure the failure-count threshold and the number of these failures exceeds the threshold
within the reset-time interval, the ACE immediately marks the server as failed, takes it out of service, and
removes it from load balancing. The server is not considered for load balancing until the optional
resume-service interval expires.
The Inband-Health Check attributes are as follows:
• Count—Tracks the total number of TCP or UDP failures, and increments the counters.
• Log—Logs a syslog error message when the number of events reaches the threshold value that you
set for the Connection Failure Threshold Count attribute.
• Remove—Logs a syslog error message when the number of events reaches the configured threshold
and removes the real server from service.
Connection Failure Threshold Count
This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the maximum number of connection failures that a real server can exhibit in the reset-time interval
before ACE marks the real server as failed. Valid entries are as follows:
• ACE appliance—Integers from 1 to 4294967295
• ACE module—Integers from 4 to 4294967295
Reset Timeout (Milliseconds)
This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the number of milliseconds for the reset-time interval. Valid entries are integers from 100 to
300000. The default interval is 100.
This interval starts when the ACE detects a connection failure. If the connection failure threshold is
reached during this interval, the ACE generates a syslog message. If you configure the Remove attribute,
the ACE also removes the real server from service.
Changing the setting of this option affects the behavior of the real server as follows:
• When the real server is in the OPERATIONAL state, even if several connection failures have
occurred, the new reset-time interval takes effect the next time that a connection error occurs.
• When the real server is in the INBAND-HM-FAILED state, the new reset-time interval takes effect the
next time that a connection error occurs after the server transitions back to the OPERATIONAL state.
Resume Service (Seconds) Field that appears only when the Inband-Health Check is set to Remove.
Enter the number of seconds after a server has been marked as failed before the ACE reconsiders it for live
connections. Valid entries are integers from 30 to 3600. The default setting is 0. The setting of this option
affects the behavior of a real server in the inband failed state as follows:
• When this field is not configured and has the default setting of 0, the real server remains in the failed
state until you manually suspend and then reactivate it.
• When this field has the default setting of 0 and you then configure it with an integer between 30 and
3,600, the failed real server immediately transitions to the OPERATIONAL state.
• When you increase a configured value, the real server remains in the failed state for the duration of the
previously configured value. The new value takes effect the next time the real server transitions to the
failed state.
• When you decrease a configured value, the failed real server immediately transitions to the
OPERATIONAL state.
• When you reset a configured value (30 to 3,600) to the default of 0, the real server remains in the failed
state for the duration of the previously configured value. The default setting takes effect the next time
the real server transitions to the failed state; from then on the real server remains in the failed state
until you manually suspend and then reactivate it.
• When you change this field while the real server is in the OPERATIONAL state with several connection
failures within the current reset-time interval, the new value takes effect the next time that a connection
error occurs, even if that error occurs within the current reset-time interval.
Predictor Method for selecting the next server in the server farm to respond to client requests. Round Robin is the
default predictor method for a server farm.
See Table 7-14 for the supported predictor methods and configurable attributes for each predictor method.
Probes Health monitoring probes to use:
• To include a probe that you want to use for health monitoring, choose it in the Available list, and click
Add. The probe appears in the Selected list.
The redirect real server probe list contains only configured probes of the type Is Routed, which means
that the ACE routes the probe address according to the ACE internal routing table (see the
“Configuring Health Monitoring” section on page 8-49).
Note You can associate both IPv6 and IPv4 probes to a server farm. IPv6 requires ACE module and
ACE appliance software Version A5(1.0) or later.
Note The list of available probes does not include VM health monitoring probes. To choose a VM
probe for monitoring local VM usage, see the Dynamic Workload Scaling field.
• To remove a probe that you do not want to use for health monitoring, choose it in the Selected list,
and click Remove. The probe appears in the Available list.
• To specify a sequence for probe use, choose probes in the Selected list, and click Up or Down until
you have the desired sequence.
• To view the configuration for an existing probe, choose a probe in the list on the right, and click View
to review its configuration.
• To display statistics and status information for an existing probe, choose a probe in the list on the
right, and click Details. ANM accesses the show probe name detail CLI command to display
detailed probe information. See the “Displaying Health Monitoring Statistics and Status
Information” section on page 8-77.
To add a new probe, click Create. See the “Configuring Health Monitoring for Real Servers” section on
page 8-51 for details on adding a new health monitoring probe and defining attributes for the specific
probe type. In addition to the probe attributes that you set as described in the “Configuring Health
Monitoring for Real Servers” section on page 8-51, set the following probe configuration parameters in
the Probes section under Server Farm as described as follows:
• Expect Addresses—To configure expect addresses for a DNS probe, in the IPv4/IPv6 Address field,
enter the IP address that the ACE is to expect as a server response to a DNS request. You can enter
multiple addresses in this field; however, you cannot mix IPv4 and IPv6 addresses.
Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
• Probe Headers—To configure probe headers for either an HTTP or HTTPS probe, in the Probe
Headers field enter the name of the HTTP header and the value to be matched using the format
header_name=header_value where:
– header_name represents the HTTP header name the probe is to use. Valid entries are unquoted
text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify a
predefined header or any custom header name provided that it does not exceed the maximum
length limit.
– header_value represents the string to assign to the header field. Valid entries are text strings with
a maximum of 255 characters. If the string includes spaces, enclose the string with quotes.
• Probe Expect Status—To configure probe expect status for an FTP, HTTP, HTTPS, RTSP, SIP-TCP,
SIP-UDP, or SMTP probe, in the Probe Expect Status field enter the following information:
– To configure a single expect status code, enter the expect status code as the minimum and enter
the same value as the maximum. Valid entries are from 0 to 999.
– To configure a range of expect status codes, enter the lower limit of the range of status codes
followed by the upper limit of the range of status codes. The maximum expect status code must
be greater than or equal to the value specified for the minimum expect status code. Valid entries
are from 0 to 999.
• SNMP OID Table—To configure the SNMP OID for an SNMP probe, see the “Configuring an OID
for SNMP Probes” section on page 8-76.
After you add a probe, you can modify the attributes for a health probe from the Health Monitoring table
(Config > Virtual Contexts > context > Load Balancing > Health Monitoring) as described in the
“Configuring Health Monitoring for Real Servers” section on page 8-51. You can also delete an existing
health probe from the Health Monitoring table.
Real Servers Table that allows you to add, modify, remove, or change the order of real servers.
a. Choose an existing server, or click Add to add a server to the server farm and do one of the following:
– If you chose an existing server, you can view, modify, or duplicate the server’s existing
configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more
information about modifying shared objects.
– If you click Add, the window refreshes so you can enter server information.
b. In the Name field, specify the name of the real server in one of the following ways:
– To identify a new real server, click the first radio button, and then enter the name of the real
server in the adjoining field.
– To specify an existing real server, click the second radio button, and then choose one of the real
servers listed.
c. In the IP Address Type field, choose IPv4 or IPv6. This field appears only for ACE module and ACE
appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
d. In the IP Address field, enter the IP address of the real server.
e. In the Port field, enter the port number to be used for server port address translation (PAT). Valid
entries are from 1 to 65535.
f. In the Weight field, enter the weight to assign to this server in the server farm. Valid entries are from
1 to 100, and the default is 8.
g. In the Redirection Code field, choose the appropriate redirection code. This field appears only for
real servers identified as redirect servers.
– N/A—Indicates that the webhost redirection code is not defined.
– 301—Indicates that the requested resource has been moved permanently. For future references
to this resource, the client should use one of the returned URIs.
– 302—Indicates that the requested resource has been found, but has been moved temporarily to
another location. For future references to this resource, the client should use the request URI
because the resource may be moved to other locations from time to time.
h. In the Web Host Redirection field, enter the URL string used to redirect requests to another server.
This field appears only for real servers identified as redirect servers. Enter the URL and port used to
redirect requests to another server. Valid entries are in the form http://host.com:port where host is the
name of the server and port is the port to be used. Valid host entries are unquoted text strings with no
spaces and a maximum of 255 characters. Valid port numbers are from 1 to 65535.
The relocation string supports the following special characters:
– %h—Inserts the hostname from the request Host header
– %p—Inserts the URL path string from the request
Because %h and %p are copied from the client's request, a relocation string that uses them places
client-supplied values in the Location header that the client receives; use a fixed host name unless
redirecting to whatever host the client named is intended.
i. In the Rate Bandwidth field, enter the real server bandwidth limit in bytes per second. Valid entries
are from 1 to 300000000 bytes per second.
j. In the Rate Connection field, enter the limit for connections per second (valid entries are from 1 to
350000) and do one of the following:
– Click OK to accept your entries and add this real server to the server farm. The table refreshes
with updated information.
– Click Cancel to exit this procedure without saving your entries and to return to the Real Servers
table.
k. In the State field, choose the administrative state of this server as follows:
– In Service—The server is to be placed in use as a destination for server load balancing.
– In Service Standby—The server is a backup server and remains inactive unless the primary
server fails. If the primary server fails, the backup server becomes active and starts accepting
connections.
– Out Of Service—The server is not to be placed in use by a server load balancer as a destination
for client connections.
l. In the Fail-On-All field, check this check box to configure a real server to remain in the
OPERATIONAL state unless all probes associated with it fail (AND logic). The Fail-On-All function
is applicable to all probe types. Fail-On-All is applicable only for host real servers.
m. Do one of the following:
– Click OK to accept your entries and add this real server to the server farm. The table refreshes
with updated information.
– Click Cancel to exit this procedure without saving your entries and to return to the Real Servers
table.
To display statistics and status information for an existing real server, choose a real server in the list, and
then click Details. ANM accesses the show rserver name detail CLI command to display detailed real
server information. See the “Displaying Real Server Statistics and Status Information” section on
page 8-9.
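As an added illustration, not code from the ANM guide or from the ACE, the following Python model follows the Inband-Health Check, Connection Failure Threshold Count, Reset Timeout and Resume Service rows of Table 7-13: it counts connection failures inside a reset-time interval, removes the real server when the threshold is reached, and applies the Resume Service change rules, including the cases where a change made while the server is failed either returns it to service at once or lets the previously configured timer run out. The state names follow the guide; the event timings are constructed, and the millisecond clock supplied by the caller and the `tick` polling are assumptions of the model.

```python
OPERATIONAL = "OPERATIONAL"
FAILED = "INBAND-HM-FAILED"


class InbandHealthCheck:
    """Per-real-server inband health monitor, modelled on the guide's description.
    Times are milliseconds passed in by the caller, so runs are deterministic."""

    def __init__(self, mode="remove", threshold=5, reset_ms=100, resume_s=0):
        if mode not in ("count", "log", "remove"):
            raise ValueError("mode must be count, log or remove")
        self.mode, self.threshold = mode, threshold
        self.reset_ms = reset_ms            # read at every failure, so a change applies at the next error
        self.resume_s = resume_s            # 0 = stay failed until manually suspended and reactivated
        self.state = OPERATIONAL
        self.total_failures = 0             # the Count attribute
        self.window_start = None            # start of the current reset-time interval
        self.window_failures = 0
        self.failed_at = None
        self.resume_in_effect = resume_s    # value governing the current failed period
        self.syslog = []

    def connection_failure(self, now_ms):
        """A TCP RST / SYN timeout, or an ICMP unreachable for a UDP flow, seen at now_ms."""
        self.total_failures += 1
        if self.state == FAILED:
            return self.state
        if self.window_start is None or now_ms - self.window_start > self.reset_ms:
            self.window_start, self.window_failures = now_ms, 0   # interval starts at a failure
        self.window_failures += 1
        if self.mode != "count" and self.window_failures >= self.threshold:
            self.syslog.append(f"{now_ms}: {self.threshold} failures within {self.reset_ms} ms")
            self.window_start = None
            if self.mode == "remove":
                self.state, self.failed_at = FAILED, now_ms
                self.resume_in_effect = self.resume_s
        return self.state

    def tick(self, now_ms):
        """Periodic check: return a removed server once its resume-service timer expires."""
        if (self.state == FAILED and self.resume_in_effect > 0
                and now_ms - self.failed_at >= self.resume_in_effect * 1000):
            self._reactivate(now_ms)
        return self.state

    def set_resume_service(self, seconds, now_ms):
        """Change Resume Service at run time, with the transitions listed in the guide."""
        old, self.resume_s = self.resume_in_effect, seconds
        if self.state == FAILED and seconds > 0 and (old == 0 or seconds < old):
            self._reactivate(now_ms)        # 0 -> N, or a decrease: immediate return to service
        # an increase, or N -> 0, leaves the old timer running; the new value applies next time
        return self.state

    def manual_reactivate(self, now_ms):
        """Operator suspends and then reactivates the real server."""
        self._reactivate(now_ms)
        return self.state

    def _reactivate(self, now_ms):
        self.state, self.failed_at = OPERATIONAL, None
        self.window_start, self.window_failures = None, 0
        self.syslog.append(f"{now_ms}: back in service")


def scenario_remove_then_manual():
    """Constructed trace: three RSTs inside one 1 s interval remove the server; with Resume
    Service 0 it stays failed until the operator sets a resume value (0 -> N returns it at once)."""
    hc = InbandHealthCheck(mode="remove", threshold=3, reset_ms=1000, resume_s=0)
    states = [hc.connection_failure(t) for t in (100, 400, 900)]
    states.append(hc.tick(200_000))                      # no timer: still failed
    states.append(hc.set_resume_service(60, 200_100))    # 0 -> 60 s: immediate return
    states += [hc.connection_failure(t) for t in (300_000, 305_000, 310_000)]  # never 3 in 1 s
    return states, hc.total_failures, len(hc.syslog)


def scenario_resume_timer():
    """Constructed trace: threshold 2, Resume Service 30 s. Raising it while failed does not
    extend the current failed period; lowering it ends the period at once."""
    hc = InbandHealthCheck(mode="remove", threshold=2, reset_ms=500, resume_s=30)
    hc.connection_failure(0)
    hc.connection_failure(200)                # failed at t = 200 ms, 30 s timer in effect
    s1 = hc.set_resume_service(120, 1_000)    # increase: stays failed on the old timer
    s2 = hc.tick(30_200)                      # old 30 s timer expires
    hc.connection_failure(40_000)
    hc.connection_failure(40_100)             # failed again, now with the 120 s timer
    s3 = hc.tick(100_000)                     # 59.9 s elapsed: still failed
    s4 = hc.set_resume_service(30, 100_000)   # decrease: immediate return
    return s1, s2, s3, s4


if __name__ == "__main__":
    print(scenario_remove_then_manual())
    print(scenario_resume_timer())
```

A short Reset Timeout with a low threshold makes removal fast but also lets a burst of resets from one misbehaving client (or a scan) take a healthy server out of rotation; pair the Remove mode with a Resume Service value so that the server returns without operator action, and watch the syslog messages that Log and Remove generate.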
Table 7-14 Predictor Methods and Attributes
Predictor Method Description / Action
Hash Address Method that indicates that the ACE is to select the server using a hash value based on the source or
destination IP address.
To configure the hash address predictor method, do the following:
a. In the Mask Type field, indicate whether server selection is based on the source IP address or the
destination IP address:
– N/A—Indicates that this option is not defined.
– Destination—Indicates that the server is selected based on the destination IP address.
– Source—Indicates that the server is selected based on the source IP address.
b. In the IP Netmask field, choose the subnet mask to apply to the address. If none is specified, the
default is 255.255.255.255.
7-43
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 7 Configuring Virtual Servers
Configuring Virtual Servers
Hash Content Method that indicates that the ACE is to select the server by using a hash value based on the specified
content string of the HTTP packet body.
a. In the Begin Pattern field, enter the beginning pattern of the content string, that is, the pattern
string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the
HTTP body immediately following the offset byte. You cannot configure different beginning and
ending patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 14-33
lists the supported characters that you can use for matching string expressions.
b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either
a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field
or the end of the packet, or until it reaches the maximum body parse length. You cannot configure
different beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 14-33
lists the supported characters that you can use for matching string expressions.
c. In the Length (Bytes) field, enter the length in bytes of the portion of the content (starting with the
byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are
from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but
shorter than the offset plus the length, the ACE sticks the connection based on the portion of the
payload starting with the byte after the offset value and ending with the byte specified by the offset
plus the length. The total of the offset and the length cannot exceed 1000.
Note You cannot specify both the length and the end-pattern options for a Hash Content
predictor.
d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick
the client on a particular server by indicating the bytes to ignore starting with the first byte of the
payload. Valid entries are from 0 to 999 bytes. The default is 0, which indicates that the ACE does
not exclude any portion of the content.
Hash Cookie Method that indicates that the ACE is to select the server by using a hash value based on the cookie
name.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces
and a maximum of 64 characters.
Hash Header Method that indicates that the ACE is to select the server by using a hash value based on the header
name.
In the Header Name field, choose the HTTP header to be used for server selection as follows:
• To specify an HTTP header that is not one of the standard HTTP headers, click the first radio button
and enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings
with no spaces and a maximum of 64 characters.
• To specify one of the standard HTTP headers, click the second radio button, and then choose one
of the HTTP headers from the list.
Hash Layer 4 Method that indicates that the ACE is to select the server by using a Layer 4 generic protocol
load-balancing method. Use this predictor to load balance packets from protocols that are not explicitly
supported by the ACE.
a. In the Begin Pattern field, enter the beginning pattern of the Layer 4 payload, that is, the pattern
string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the
payload immediately following the offset byte. You cannot configure different beginning and ending
patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 14-33
lists the supported characters that you can use for matching string expressions.
b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either
a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field
or the end of the packet, or until it reaches the maximum body parse length. You cannot configure
different beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 14-33
lists the supported characters that you can use for matching string expressions.
c. In the Length (Bytes) field, enter the length in bytes of the portion of the payload (starting with the
byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are
from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but
shorter than the offset plus the length, the ACE sticks the connection based on the portion of the
payload starting with the byte after the offset value and ending with the byte specified by the offset
plus the length. The total of the offset and the length cannot exceed 1000.
Note You cannot specify both the length and end-pattern options for a Hash Layer 4 predictor.
d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick
the client on a particular server by indicating the bytes to ignore starting with the first byte of the
payload. Valid entries are from 0 to 999 bytes. The default is 0, which indicates that the ACE does
not exclude any portion of the content.
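Worked example, added here and not ACE or ANM code, of how the Begin Pattern, End Pattern, Length and HTTP Content Offset fields of the Hash Content and Hash Layer 4 predictors carve out the bytes that get hashed, with the field limits from this table enforced before any traffic is processed. SHA-256 is a stand-in for the ACE hash, which this guide does not describe, and counting Length from the point where hashing starts is an assumption.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed model of the Hash Content / Hash Layer 4 predictor fields
# (Begin Pattern, End Pattern, Length, HTTP Content Offset); not ACE code.
MAX_PARSE = 1000  # offset + length may not exceed 1000 bytes


@dataclass
class HashContentPredictor:
    begin_pattern: Optional[str] = None  # regex; hashing starts after its match
    end_pattern: Optional[str] = None    # regex; hashing stops at its match
    length: Optional[int] = None         # 1..1000 bytes; exclusive with end_pattern
    offset: int = 0                      # 0..999 leading payload bytes to ignore

    def __post_init__(self) -> None:
        # Field limits as stated in Table 7-14.
        if not 0 <= self.offset <= 999:
            raise ValueError("HTTP Content Offset must be 0..999 bytes")
        if self.length is not None:
            if not 1 <= self.length <= MAX_PARSE:
                raise ValueError("Length must be 1..1000 bytes")
            if self.offset + self.length > MAX_PARSE:
                raise ValueError("offset plus length cannot exceed 1000")
            if self.end_pattern is not None:
                raise ValueError("Length and End Pattern cannot both be set")

    def hash_region(self, payload: bytes) -> Optional[bytes]:
        """Return the bytes the predictor hashes, or None if nothing is usable."""
        if len(payload) <= self.offset:
            return None  # payload ends before the byte after the offset
        # Parsing never runs past the maximum body parse length.
        window = payload[self.offset:self.offset + MAX_PARSE]
        start = 0
        if self.begin_pattern is not None:
            match = re.search(self.begin_pattern.encode(), window)
            if match is None:
                return None  # begin pattern absent: nothing to hash
            start = match.end()
        if self.length is not None:
            end = start + self.length  # assumption: Length counts from where hashing starts
        elif self.end_pattern is not None:
            match = re.search(self.end_pattern.encode(), window[start:])
            # No end pattern found: keep parsing to the end of the window.
            end = start + match.start() if match else len(window)
        else:
            end = len(window)
        region = window[start:end]
        return region if region else None


def config_error(**fields) -> Optional[str]:
    """Return the validation message for a field combination, or None if it is valid."""
    try:
        HashContentPredictor(**fields)
    except ValueError as exc:
        return str(exc)
    return None


def select_server(pred: HashContentPredictor, payload: bytes,
                  servers: Sequence[str]) -> Optional[str]:
    """Map the hashed region to one real server; None means no hash was possible."""
    region = pred.hash_region(payload)
    if region is None:
        return None
    # SHA-256 stands in for the ACE hash, which this guide does not describe.
    digest = hashlib.sha256(region).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


if __name__ == "__main__":
    # Constructed HTTP body: hash on the value between "user=" and the next "&".
    pred = HashContentPredictor(begin_pattern="user=", end_pattern="&")
    body = b"GET /login HTTP/1.1\r\n\r\nuser=alice&token=abc123"
    print(pred.hash_region(body), select_server(pred, body, ["rs1", "rs2", "rs3"]))
```

Because only the region between the patterns is hashed, two requests that differ elsewhere in the body but carry the same user value land on the same real server, which is the stickiness the table describes.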
Hash URL Method that indicates that the ACE is to select the server using a hash value based on the URL. Use this
method to load balance firewalls.
Enter values in one or both of the pattern fields:
• In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to
parse.
• In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to parse.
Valid entries for these fields are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters for each pattern you configure.
Least Bandwidth Method that indicates that the ACE is to select the server with the least amount of network traffic over
a specified sampling period.
a. In the Assess Time field, enter the number of seconds for which the ACE is to collect traffic
information. Valid entries are from 1 to 10 seconds.
b. In the Least Bandwidth Samples field, enter the number of samples over which you want to weight
and average the results of the probe query to calculate the final load value. Valid entries are 1, 2, 4,
8, and 16 (values from 1 to 16 that are also a power of 2).
Least Connections Method that indicates that the ACE is to select the server with the fewest number of connections.
In the Slowstart Duration field, enter the slow-start value to be applied to this predictor method. Valid
entries are from 1 to 65535, where 1 is the slowest ramp-up value.
The slow-start mechanism is used to avoid sending a high rate of new connections to servers that you
have just put into service.
Least Loaded Method that indicates that the ACE is to select the server with the lowest load based on information
from SNMP probes.
a. In the SNMP Probe Name field, choose the name of the SNMP probe to use.
b. In the Auto Adjust field, configure the autoadjust feature to assign a maximum load value of 16000
to that server to prevent it from being flooded with new incoming connections. The ACE
periodically adjusts this load value based on feedback from the server's SNMP probe and other
configured options. Options include:
– Average—Instructs the ACE to apply the average load of the server farm to a real server whose
load reaches zero. The average load is the running average of the load values across all real
servers in the server farm. This is the default setting.
– Maxload—Instructs the ACE to apply the maximum load of the server farm to a real server
whose load reaches zero.
The maxload option requires the following ACE software versions:
- ACE appliance—A3(2.7) or A4(1.0) or later
- ACE module—A2(2.4), A2(3.2), or A4(1.0) or later
If you choose the maxload option and the ACE does not support the option, ANM issues a
command parse error message.
– Off—Instructs the ACE to send all new connections to the server that has a load of zero until
the next load update arrives from the SNMP probe for this server. There may be times when
you want the ACE to send all new connections to a real server whose load is zero.
c. In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this option, the
ACE includes the current connection count in the total load calculation for each real server in a
server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the
current connection count from the load calculation.
Response Method that indicates that the ACE is to select the server with the lowest response time for a requested
response-time measurement.
a. In the Response Type field, choose the type of measurement to use:
– App-Req-To-Resp—The response time from when the ACE sends an HTTP request to a server
to the time that the ACE receives a response from the server for that request.
– Syn-To-Close—The response time from when the ACE sends a TCP SYN to a server to the
time that the ACE receives a CLOSE from the server.
– Syn-To-Synack—The response time from when the ACE sends a TCP SYN to a server to the
time that the ACE receives a SYN-ACK from the server.
b. In the Response Samples field, enter the number of samples over which you want to average the
results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (values from 1 to 16
that are also a power of 2).
c. In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this option, the
ACE includes the current connection count in the total load calculation for each real server in a
server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the
current connection count from the load calculation.
Round Robin Method that indicates that the ACE is to select the next server in the list of servers based on server
weight. This is the default predictor method.
Step 10 (Optional) If you chose Sticky as the primary action, in the Sticky Group field, choose an existing sticky
group or click *New* to add a new sticky group (see Table 7-15).
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Note If you chose an existing sticky group, you can view, modify, or duplicate the selected object’s
existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for
more information about modifying shared objects in virtual servers.
Table 7-15 Sticky Group Attributes
Field Description
Group Name Unique identifier for the sticky group. You can either accept the automatically incremented entry that was
provided or you can enter your own. Valid entries are unquoted text strings with no spaces and a maximum
of 64 alphanumeric characters.
Type Method to be used when establishing sticky connections. Configure any type-specific attributes as follows:
Note The available selections listed in the Type drop-down list will vary depending on your selection for
Application Protocol in the Properties configuration subset (see Table 7-2). For example, if you
chose HTTP or HTTPS as the application protocol, only IP Netmask, HTTP Cookie, HTTP Header,
and HTTP Content appear as selections in the Type drop-down list.
• HTTP Content—The virtual server is to stick client connections to the same real server based on a
string in the data portion of the HTTP packet. See Table 9-2 for additional configuration options.
• HTTP Cookie—The virtual server is either to learn a cookie from the HTTP header of a client request
or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use
the learned cookie to provide stickiness between the client and server for the duration of the
transaction. See Table 9-3 for additional configuration options.
• HTTP Header—The virtual server is to stick client connections to the same real server based on HTTP
headers. See Table 9-4 for additional configuration options.
• IP Netmask—The virtual server is to stick a client to the same server for multiple subsequent
connections as needed to complete a transaction using the client source IPv4 address, the destination
IPv4 address, or both. See Table 9-5 for additional configuration options.
Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers
when a client connects to the Internet, the source IP address is no longer a reliable indicator of the
true source of the request. In this situation, you can use cookies or another sticky method to ensure
session persistence.
• V6 Prefix—(Requires ACE module and ACE appliance software Version A5(1.0) or later) Indicates
that the virtual server is to stick a client to the same server for multiple subsequent connections as
needed to complete a transaction using the client source IPv6 address, the destination IPv6 address, or
both. See Table 9-6 for additional configuration options.
• Layer 4 Payload—The virtual server is to stick client connections to the same real server based on a
string in the payload portion of the Layer 4 protocol packet. See Table 9-7 for additional configuration
options.
• RADIUS—The virtual server is to stick client connections to the same real server based on a RADIUS
attribute.
• RTSP Header—The virtual server is to stick client connections to the same real server based on the
RTSP Session header field. See Table 9-9 for additional configuration options.
• SIP Header—The virtual server is to stick client connections to the same real server based on the SIP
Call-ID header field.
Sticky Server Farm Existing server farm that is to act as the primary server farm for this sticky group. You can choose *New*
to create a new server farm. If you chose *New*, configure the server farm using the information in
Table 7-13.
Backup Server Farm Existing server farm that is to act as the backup server farm for this sticky group. You can choose *New* to
create a new server farm. If you chose *New*, configure the server farm using the information in
Table 7-13.
Aggregate State Check box to indicate that the state of the primary server farm is to be tied to the state of all real servers in
the server farm and in the backup server farm, if configured. The ACE declares the primary server farm
down if all real servers in the primary server farm and all real servers in the backup server farm are down.
Uncheck the check box if the state of the primary server farm is not to be tied to all real servers in the server
farm and in the backup server farm.
Sticky Enabled On Backup Server Farm Check box to indicate that the backup server farm is sticky. Uncheck the check box if the backup server
farm is not sticky.
Replicate On HA Peer Check box to indicate that the virtual server is to replicate sticky table entries on the backup server farm.
If a failover occurs and this option is selected, the new active server farm can maintain the existing sticky
connections.
Uncheck the check box to indicate that the virtual server is not to replicate sticky table entries on the backup
server farm.
Timeout (Minutes) Number of minutes that the virtual server keeps the sticky information for a client connection in the sticky
table after the latest client connection terminates. Valid entries are from 1 to 65535; the default is 1440
minutes (24 hours).
Timeout Active Connections Check box to specify that the virtual server is to time out sticky table entries even if active connections exist
after the sticky timer expires.
Uncheck the check box to specify that the virtual server is not to time out sticky table entries even if active
connections exist after the sticky timer expires. This behavior is the default.
Step 11 (Optional) If you are using the ACE appliance (all versions) or ACE module version A4(1.0) and later,
in the Compression Method field, choose the HTTP compression method to indicate how the ACE
appliance is to compress packets when a client request indicates that the client browser is capable of
packet compression.
By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using
the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE
does not compress HTTP requests from clients or the HTTP headers in the server responses.
Note By default, the ACE appliance supports HTTP compression at rates of 100 megabits per second
(Mbps). Installing an optional HTTP compression license allows you to increase this value to a
maximum of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance
Administration Guide for information on ACE licensing options.
Options are as follows:
• Gzip—Specifies the gzip compression format as the method to use when the client browser supports
both the deflate and gzip compression methods. Gzip is the file format for compression described in
RFC1952.
• Deflate—Specifies the deflate compression format as the method to use when the client browser
supports both the deflate and gzip compression methods. Deflate is the data format for compression
described in RFC1951.
• N/A—HTTP compression is disabled.
When configuring HTTP compression, we recommend that you exclude the following MIME types from
HTTP compression: “.*gif”, “.*css”, “.*js”, “.*class”, “.*jar”, “.*cab”, “.*txt”, “.*ps”, “.*vbs”, “.*xsl”,
“.*xml”, “.*pdf”, “.*swf”, “.*jpg”, “.*jpeg”, “.*jpe”, or “.*png”.
When you enable HTTP compression, the ACE compresses the packets using the following default
compression parameter values:
• Mime type—All text formats (text/*).
• Minimum size—512 bytes.
• User agent—None.
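An added model, not ACE or ANM code, of the IP Netmask sticky type together with the Timeout (Minutes) and Timeout Active Connections attributes of Table 7-15, including the megaproxy case from the Note, where two users behind one proxy address are stuck to the same real server. A clock in seconds supplied by the caller and restarting the sticky timer on every connection event are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import cycle
from typing import Callable, Dict, Optional, Sequence

# Constructed model of an IP Netmask sticky group; not ACE or ANM code.
# Times are seconds on a caller-supplied clock (assumption).


@dataclass
class StickyEntry:
    server: str
    active_connections: int = 0
    expires_at: float = 0.0  # sticky timer deadline


class IpNetmaskStickyGroup:
    def __init__(self, netmask: str = "255.255.255.255", timeout_minutes: int = 1440,
                 timeout_active_connections: bool = False) -> None:
        if not 1 <= timeout_minutes <= 65535:
            raise ValueError("Timeout (Minutes) must be 1..65535")
        self.netmask = netmask
        self.timeout = timeout_minutes * 60              # default 1440 minutes (24 hours)
        self.timeout_active = timeout_active_connections  # default: unchecked
        self.table: Dict[str, StickyEntry] = {}

    def _key(self, client_ip: str) -> str:
        # The client source address masked by the netmask is the sticky key.
        return str(ip_network(f"{client_ip}/{self.netmask}", strict=False))

    def lookup(self, client_ip: str, now: float) -> Optional[str]:
        key = self._key(client_ip)
        entry = self.table.get(key)
        if entry is None:
            return None
        expired = now >= entry.expires_at
        # Default: an entry with active connections outlives its timer; with
        # Timeout Active Connections checked it is removed anyway.
        if expired and (entry.active_connections == 0 or self.timeout_active):
            del self.table[key]
            return None
        return entry.server

    def open_connection(self, client_ip: str, now: float,
                        choose_server: Callable[[], str]) -> str:
        server = self.lookup(client_ip, now)
        key = self._key(client_ip)
        if server is None:
            server = choose_server()  # predictor decision, then remembered
            self.table[key] = StickyEntry(server)
        entry = self.table[key]
        entry.active_connections += 1
        entry.expires_at = now + self.timeout  # assumption: timer restarts on each event
        return server

    def close_connection(self, client_ip: str, now: float) -> None:
        entry = self.table.get(self._key(client_ip))
        if entry is None:
            return
        entry.active_connections = max(0, entry.active_connections - 1)
        # Timeout (Minutes) counts from when the latest connection terminates.
        entry.expires_at = now + self.timeout


def round_robin(servers: Sequence[str]) -> Callable[[], str]:
    """Stand-in predictor: the default Round Robin method, without weights."""
    it = cycle(servers)
    return lambda: next(it)


def same_server_behind_proxy(proxy_ip: str) -> bool:
    """Megaproxy case: two users sharing one source address get the same server."""
    group = IpNetmaskStickyGroup(timeout_minutes=30)
    pick = round_robin(["rs1", "rs2"])
    first = group.open_connection(proxy_ip, 0.0, pick)   # user A via the proxy
    second = group.open_connection(proxy_ip, 1.0, pick)  # user B via the same proxy
    return first == second
```

With a 255.255.255.0 netmask every client in the /24 shares one entry, which is the same collapse the Note warns about; a cookie or header sticky type keys on per-client data instead.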
Step 12 In the SSL Initiation field, choose an existing service or choose *New* to create a new service, and do
one of the following:
• If you chose an existing SSL service, you can view, modify, or duplicate the existing configuration.
See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about
modifying shared objects.
• If you chose *New*, configure the service using the information in Table 7-5. For more information
about SSL, see the “Configuring SSL” section on page 11-1.
Step 13 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using
the header_name=header_value format where:
• header_name represents the name of the HTTP header to insert in the client HTTP request. Valid
entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You
can specify a predefined header or any custom header name provided that it does not exceed the
maximum length limit.
• header_value represents the expression string to compare against the value in the specified field in
the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The
ACE supports regular expressions for matching. Header expressions allow spaces, provided that the
spaces are escaped or quoted. All headers in the header map must be matched. Table 14-33 lists the
supported characters that you can use in regular expressions.
For example, you might enter Host=www.cisco.com.
Step 14 Do one of the following:
• Click OK to save your entries and to return to the Rule Match table.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule Match table.
Step 15 If you are adding Rule Match entries for a new virtual server and you want to modify the sequence of
rules in the L7 Load Balancing section of the Virtual Server configuration page, click Up or Down to
change the order of the entries in the Rule Match table.
Note The Up and Down buttons are not available for an existing virtual server, only for a new virtual
server. To reorder the entries in the Rule Match table for an existing virtual server, go to Config
> Expert > Policy Maps and choose the Layer 7 load balancing policy map, delete the rule entry
that you want to reorder, and then add it again by using the Insert Before option to put it in the
correct order. See the “Configuring Rules and Actions for Policy Maps” section on page 14-34
for details.
Step 16 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries.
• Click Deploy Later to save your entries and apply them at a later time.
Related Topics
• Configuring Virtual Servers, page 7-2
• Configuring Virtual Server Properties, page 7-11
• Configuring Virtual Server SSL Termination, page 7-17
• Configuring Virtual Server Protocol Inspection, page 7-18
Configuring Virtual Server Default Layer 7 Load Balancing
You can configure default Layer 7 load-balancing actions for all network traffic that does not meet
previously specified match conditions.
Assumption
Make sure that a virtual server has been configured in the Properties configuration subset. For more
information, see the “Configuring Virtual Server Properties” section on page 7-11. See the “Configuring
Virtual Servers” section on page 7-2 for information on configuring a virtual server.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for default Layer 7 load
balancing, and click Edit.
The Virtual Server configuration window appears.
Step 3 In the Virtual Server configuration window, click Default L7 Load-Balancing Action.
The Default L7 Load-Balancing Action configuration pane appears.
Step 4 In the Primary Action field of the Default L7 Load-Balancing Action configuration pane, choose the
default action that the virtual server is to take in response to client requests for content when specified
match conditions are not met:
• Drop—Client requests that do not meet specified match conditions are to be discarded. Continue
with Step 9.
• Forward—Client requests that do not meet specified match conditions are to be forwarded without
performing load balancing on the requests. Continue with Step 9.
• Load Balance—Client requests for content are to be directed to a server farm. Continue with Step 6.
• Sticky—Client requests for content are to be handled by a sticky group when match conditions are
met. Continue with Step 7.
Step 5 (Optional) From the HTTP Header Modify Action List drop-down list, choose an existing Action List or
choose New to display the Action List configuration table and create a new one. For more information,
see the “Configuring an HTTP Header Modify Action List” section on page 14-85.
Step 6 (Optional) If you chose Load Balance as the primary action, do the following:
a. In the Server Farm field, choose the primary server farm to use for load balancing, or choose *New*
to configure a new server farm (see Table 7-13).
Note To display statistics and status information for an existing server farm, choose a server farm
in the list, and then click Details. ANM accesses the show serverfarm name detail CLI
command to display detailed server farm information. See the “Displaying Server Farm
Statistics and Status Information” section on page 8-48.
b. In the Backup Server Farm field, choose the server farm to act as the backup server farm for load
balancing if the primary server farm is unavailable, or choose *New* to configure a new backup
server farm (see Table 7-13).
Note If you chose an existing object in either field, you can view, modify, or duplicate the selected
object’s existing configuration. See the “Shared Objects and Virtual Servers” section on
page 7-9 for more information about modifying shared objects in virtual servers.
Step 7 (Optional) If you chose Sticky as the primary action, in the Sticky Group field, choose an existing sticky
group or click *New* to add a new sticky group (see Table 7-15).
Note If you chose an existing sticky group, you can view, modify, or duplicate the selected object’s
existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for
more information about modifying shared objects in virtual servers.
Step 8 (Optional) If you are using the ACE appliance (all versions) or ACE module version A4(1.0) and later,
in the Compression Method field, choose the HTTP compression method to indicate how the ACE
appliance is to compress packets when a client request indicates that the client browser is capable of
packet compression.
By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using
the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE
does not compress HTTP requests from clients or the HTTP headers in the server responses.
Note By default, the ACE appliance supports HTTP compression at rates of 100 megabits per second
(Mbps). Installing an optional HTTP compression license allows you to increase this value to a
maximum of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance
Administration Guide for information on ACE licensing options.
Options are as follows:
• Deflate—Specifies the deflate compression format as the method to use when the client browser
supports both the deflate and gzip compression methods. Deflate is the data format for compression
described in RFC1951.
• Gzip—Specifies the gzip compression format as the method to use when the client browser supports
both the deflate and gzip compression methods. Gzip is the file format for compression described in
RFC1952.
• N/A—HTTP compression is disabled.
Note If you enable the Gzip or Deflate compression format, ANM automatically inserts an L7 Load
Balance Primary Action to exclude the MIME types listed above. However, if you disable HTTP
compression later on, you will need to remove the auto-inserted Load Balance Primary Action.
When you enable HTTP compression, the ACE compresses the packets using the following default
compression parameter values:
• Mime type—All text formats (text/*).
• Minimum size—512 bytes.
• User agent—None.
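The compression decision described in Step 8 here and in Step 11 of the previous procedure, as an added example that is not ACE or ANM code: the Compression Method setting, the recommended MIME exclusion list and the default parameters (text/*, 512 bytes) together decide whether a GET response is compressed and in which format. Treating the exclusion entries as regular expressions matched against the response Content-Type, and using whichever single format a client offers when it does not offer both, are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed model of the ACE HTTP compression settings; not ACE or ANM code.
# MIME types this guide recommends excluding from compression.
EXCLUDED_MIME_PATTERNS = [
    ".*gif", ".*css", ".*js", ".*class", ".*jar", ".*cab", ".*txt", ".*ps", ".*vbs",
    ".*xsl", ".*xml", ".*pdf", ".*swf", ".*jpg", ".*jpeg", ".*jpe", ".*png",
]


@dataclass
class CompressionPolicy:
    method: Optional[str] = None   # "gzip", "deflate", or None for N/A (disabled)
    mime_type: str = "text/*"      # default: all text formats
    minimum_size: int = 512        # default: smaller bodies are sent as-is
    excluded: List[str] = field(default_factory=lambda: list(EXCLUDED_MIME_PATTERNS))

    def __post_init__(self) -> None:
        if self.method not in (None, "gzip", "deflate"):
            raise ValueError("Compression Method must be Gzip, Deflate or N/A")

    @staticmethod
    def _base_type(content_type: str) -> str:
        return content_type.split(";")[0].strip().lower()  # drop "; charset=..."

    def _mime_selected(self, content_type: str) -> bool:
        # Turn the "text/*" wildcard into a regex (assumption about ACE matching).
        pattern = re.escape(self.mime_type).replace(r"\*", ".*")
        return re.fullmatch(pattern, self._base_type(content_type)) is not None

    def _mime_excluded(self, content_type: str) -> bool:
        # Exclusion entries are treated as regexes over the whole type (assumption).
        base = self._base_type(content_type)
        return any(re.fullmatch(p, base) for p in self.excluded)

    @staticmethod
    def _client_formats(accept_encoding: str) -> Set[str]:
        """Encodings the client offers in Accept-Encoding, ignoring any with q=0."""
        offered: Set[str] = set()
        for item in accept_encoding.split(","):
            parts = [p.strip().lower() for p in item.split(";")]
            quality = 1.0
            for param in parts[1:]:
                if param.startswith("q="):
                    try:
                        quality = float(param[2:])
                    except ValueError:
                        quality = 0.0
            if parts[0] and quality > 0:
                offered.add(parts[0])
        return offered

    def choose_encoding(self, request_method: str, accept_encoding: str,
                        content_type: str, body_length: int) -> Optional[str]:
        """Return "gzip", "deflate", or None when the response goes out uncompressed."""
        if self.method is None:
            return None  # N/A: compression disabled
        if request_method.upper() != "GET":
            return None  # the ACE compresses data in GET responses only
        if body_length < self.minimum_size:
            return None
        if not self._mime_selected(content_type) or self._mime_excluded(content_type):
            return None
        offered = self._client_formats(accept_encoding)
        if "gzip" in offered and "deflate" in offered:
            return self.method  # both supported: the configured method decides
        # Only one format offered: use it (assumption; the guide covers the both case).
        for candidate in ("gzip", "deflate"):
            if candidate in offered:
                return candidate
        return None
```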
Step 9 In the SSL Initiation field, choose an existing service or choose *New* to create a new service:
• If you chose an existing SSL service, you can view, modify, or duplicate the existing configuration.
See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about
modifying shared objects.
• If you chose *New*, configure the service using the information in Table 7-5. For more information
about SSL, see the “Configuring SSL” section on page 11-1.
Step 10 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using
the header_name=header_value format where:
• header_name represents the name of the HTTP header to insert in the client HTTP request. Valid
entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You
can specify a predefined header or any custom header name provided that it does not exceed the
maximum length limit.
• header_value represents the expression string to compare against the value in the specified field in
the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The
ACE supports regular expressions for matching. Header expressions allow spaces, provided that the
spaces are escaped or quoted. All headers in the header map must be matched. Table 14-33 lists the
supported characters that you can use in regular expressions.
For example, you might enter Host=www.cisco.com.
Step 11 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers
table.
• Click Deploy Later to save your entries and apply the configuration at a later time.
Related Topics
• Configuring Virtual Server Properties, page 7-11
• Configuring Virtual Server SSL Termination, page 7-17
• Configuring Virtual Server Protocol Inspection, page 7-18
• Configuring Virtual Server Layer 7 Load Balancing, page 7-30
Configuring Application Acceleration and Optimization
Note This option is available only for ACE appliances and only in the Advanced View.
You can configure acceleration and optimization on virtual servers that are configured on ACE
appliances. The ACE appliance includes configuration options that allow you to accelerate enterprise
applications, resulting in increased employee productivity, enhanced customer retention, and increased
online revenues. The application acceleration functions of the ACE appliance apply several optimization
technologies to accelerate Web application performance. This application acceleration functionality
enables enterprises to optimize network performance and improve access to critical business
information. It also accelerates the performance of Web applications, including customer relationship
management (CRM), portals, and online collaboration by up to 10 times.
See the “Configuring Application Acceleration and Optimization” section on page 15-1 or the Cisco
4700 Series Application Control Engine Appliance Application Acceleration and Optimization
Configuration Guide for more information about application acceleration and optimization.
Assumption
Make sure that a virtual server has been configured on an ACE appliance with HTTP or HTTPS as the
application protocol. See the “Configuring Virtual Servers” section on page 7-2 for information about
configuring a virtual server.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for optimization, and
click Edit.
The Virtual Server configuration window appears.
Step 3 In the Virtual Server configuration window, click Application Acceleration And Optimization.
The Application Acceleration And Optimization configuration pane appears.
Step 4 In the Configuration field of the Application Acceleration And Optimization configuration pane, choose
the method that you want to use to configure application acceleration and optimization:
• EZ—Use standard acceleration and optimization options. Continue with Step 5.
• Custom—Associate specific match criteria, actions, and parameter maps for application
acceleration and optimization for the virtual server. If you choose this option, continue with Step 6
through Step 14.
Step 5 (Optional) If you chose EZ, the Latency Optimization (FlashForward) and Bandwidth Optimization
(Delta) fields appear.
Do the following:
a. Check the Latency Optimization (FlashForward) check box to specify that the ACE appliance is
to use bandwidth reduction and download acceleration techniques to objects embedded within
HTML pages. Uncheck the check box to specify that the ACE appliance is not to employ these
techniques to objects embedded within HTML pages. Latency optimization corresponds to
FlashForward functionality. For more information about FlashForward functionality, see the
“Optimization Overview” section on page 15-2.
b. Check the Bandwidth Optimization (Delta) check box to specify that the ACE appliance is to
dynamically update client browser caches with content differences, or deltas. Uncheck the check
box to specify that the ACE appliance is not to dynamically update client browser caches.
Bandwidth optimization corresponds to action list Delta optimization. For more information about
configuring Delta optimization, see the “Optimization Overview” section on page 15-2 and the
“Configuring an HTTP Optimization Action List” section on page 15-3.
c. Continue with Step 14.
Step 6 (Optional) If you chose Custom, the Actions configuration pane appears with a table listing match
criteria and actions.
Click Add to add an entry to this table or choose an existing entry, and click Edit to modify it. The
configuration pane refreshes with the available configuration options.
Step 7 In the Apply Building Block field, choose one of these configuration building blocks for the type of
optimization that you want to configure, or leave the field blank to configure optimization without a
building block:
• Bandwidth Optimization—Reduces the bandwidth consumed by Web-based traffic.
• Latency Optimization for Embedded Objects—Reduces the latency associated with embedded
objects in Web-based traffic.
• Latency Optimization for Embedded Images—Reduces the latency associated with embedded
images in Web-based traffic.
• Latency Optimization for Containers—Reduces the latency associated with Web containers.
If you chose one of the building blocks, the Rule Match configuration subset displays the configuration
options with selections based on the building block chosen. You can accept the entries as they are or
modify them.
If you do not choose a building block, additional configuration options appear depending on the features
you enable.
Step 8 In the Rule Match field, choose an existing class map or click *New* to specify new match criteria, and
do one of the following:
• If you chose an existing class map, you can view, modify, or duplicate the existing configuration.
See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about
modifying shared objects.
• If you click *New*, the window refreshes so that you can enter new match criteria.
Step 9 Configure match criteria using the information in Table 7-16.
Table 7-16 Optimization Match Criteria Configuration
Field Description/Action
Name: Unique name for this match criteria rule.
Match: Method to be used to evaluate multiple match statements when multiple match conditions exist:
• match-any—A match exists if at least one of the match conditions is satisfied.
• match-all—A match exists only if all match conditions are satisfied.
Conditions: Field that allows you to add a new set of conditions or choose an existing entry. Click Add to add a new set of conditions, or choose an existing entry and click Edit to modify it:
a. In the Type field, choose the match condition to be used, then configure any condition-specific options using the information in Table 7-12.
b. Click OK to save your entries, or Cancel to exit this procedure without saving your entries.
Step 10 In the Actions field, choose an existing action list to use for optimization or click *New* to create a new
action list, and do one of the following:
• If you chose an existing action list, you can view, modify, or duplicate the existing configuration.
See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about
modifying shared objects.
• If you click *New*, the window refreshes so you can configure an action list.
Step 11 Configure the action list using the information in Table 7-17.
Table 7-17 Optimization Action List Configuration Options
Field Description
Action List Name: Unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.
Enable Delta: Check box that enables delta optimization for the specified URLs. Delta optimization dynamically updates client browser caches directly with content differences, or deltas, resulting in faster page downloads. Uncheck the check box to disable this feature. If you are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 7-18.
Enable AppScope: Check box that enables AppScope performance monitoring for use with the ACE appliance. AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station and measures end-to-end application performance. Uncheck the check box to disable this feature. If you are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 7-18.
Flash Forward: Feature that reduces bandwidth usage and accelerates embedded object downloading by combining local object storage with dynamic renaming of embedded objects, which enforces object freshness within the parent HTML page. Choose how the ACE appliance is to implement FlashForward:
• N/A—This feature is not enabled.
• Flash Forward—FlashForward is enabled for the specified URLs and embedded objects are transformed.
• Flash Forward Object—FlashForward static caching is enabled for the objects that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and GIF files.
If you are configuring without a building block and chose either FlashForward or FlashForward Object, an additional option appears. Configure this option using the information in Table 7-18.
Cache Dynamic: Check box that enables Adaptive Dynamic Caching for the specified URLs even if the expiration settings in the response indicate that the content is dynamic. The expiration of cache objects is controlled by the cache expiration settings based on time or server load. Uncheck the check box to disable this feature.
Cache Forward: Field that specifies how the ACE appliance is to implement cache forwarding:
• N/A—This feature is not enabled.
• With Wait—Cache forwarding is enabled with the wait option for the specified URLs. If the object has expired but the maximum cache TTL time period has not yet expired, the ACE appliance sends a request to the origin server for the object. Users requesting this page continue to receive content from the cache during this time but must wait for the object to be updated before their request is satisfied. When the fresh object is returned, it is sent to the requesting user and the cache is updated.
• Without Wait—Cache forwarding is enabled without the wait option.
Dynamic Entity Tag: Check box that specifies that the ACE appliance is to implement just-in-time object acceleration for embedded objects that cannot be cached, which results in improved application response time. When enabled, this feature eliminates the need for users to download such objects on each request. Uncheck the check box to disable this feature.
Step 12 (Optional) If you are configuring optimization without a building block, additional options appear when
you enable specific features.
Configure the additional options using the information in Table 7-18.
Table 7-18 Application Acceleration and Optimization Additional Configuration Options
Field Description
Response Codes To Ignore (Comma Separated): Comma-separated list of HTTP response codes for which the response body must not be read. For example, an entry of 302 indicates that the ACE is to ignore the response body of a 302 (redirect) response from the origin server. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters.
Set Browser Freshness Period: Method that the ACE is to use to determine the freshness of objects in the client’s browser:
• N/A—This option is not configured.
• Disable Browser Object Freshness Control—Browser freshness control is not used.
• Set Freshness Similar To Flash Forward Objects—The ACE sets freshness similar to that used for FlashForwarded objects, using the values specified in the Maximum Time For Cache Time-To-Live and Minimum Time For Cache Time-To-Live fields.
Duration For Browser Freshness (Seconds): Field that appears if the Set Browser Freshness Period option is not configured. Enter the number of seconds that objects in the client’s browser are considered fresh. Valid entries are 0 to 2147483647 seconds.
Enable Delta Options
Max. For Post Data To Scan For Logging (kBytes): Maximum number of kilobytes of POST data the ACE is to scan for parameters for the purpose of logging transaction parameters in the statistics log. Valid entries are 0 to 1000 KB.
Base File Anonymous Level: Feature that enables the ACE to create and deliver condensed base files that contain only information that is common to a large set of users. No information unique to a particular user, or to a very small subset of users, is included in anonymous base files. Information that is common to a large set of users is generally not confidential or user-specific; conversely, information that is unique to a specific user or a small set of users is generally confidential or user-specific. Enter the value for base file anonymity for the all-user condensation method. Valid entries are from 0 to 50; the default value of 0 disables the base file anonymity feature.
Cache-Key Modifier Expression: The cache key is the unique identifier used to locate a cached object to be served to a client, replacing a trip to the origin server. The cache key modifier feature allows you to modify the canonical form of a URL; that is, the portion before “?” in a URL. For example, the canonical URL of http://www.xyz.com/somepage.asp?action=browse&level=2 is http://www.xyz.com/somepage.asp. Enter a regular expression containing embedded variables as described in Table 7-19. The ACE transforms URLs specified in class maps for this virtual server with the expression and variables entered here. Because every request that produces the same cache key is served the same cached object, keep any parameter that selects user-specific content (a session or account identifier, for example) in the key; otherwise one user’s cached response can be served to another. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string in quotation marks (“).
Min. Time For Cache Time-To-Live (Seconds): Minimum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE cache. This value specifies the minimum time that content can be cached. If the ACE is configured for FlashForward optimization, this value should normally be 0. If the ACE is configured for dynamic caching, this value should indicate how long the ACE should cache the page. (See Table 7-17 for information about these configuration options.) Valid entries are 0 to 2147483647 seconds.
Max. Time For Cache Time-To-Live (Seconds): Maximum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE cache. Valid entries are 0 to 2147483647 seconds.
Cache Time-To-Live Duration (%): Percent of an object’s age at which an embedded object without an explicit expiration time is considered fresh. Valid entries are 0 to 100 percent.
Expression To Modify Cache Key Query Parameter: Feature that allows you to modify the query parameter of a URL; that is, the portion after “?” in a URL. For example, the query parameter portion of http://www.xyz.com/somepage.asp?action=browse&level=2 is action=browse&level=2. Enter a regular expression containing embedded variables as described in Table 7-19. The ACE transforms URLs specified in class maps for this virtual server with the expression and variables entered here. If no string is specified, the query parameter portion of the URL is used as the default value for this portion of the cache key. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters.
Canonical URL Expressions: Canonical URL feature that eliminates the “?” and any characters that follow in order to identify the general part of the URL. This general URL is then used to create the base file; in this way, the ACE maps multiple URLs to a single canonical URL. Enter a comma-separated list of parameter expander functions as defined in Table 7-19 to identify the URLs to associate with this parameter map. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters.
Enable Cacheable Content Optimization: Check box that enables delta optimization of content that can be cached. This feature allows the ACE to detect content that can be cached and perform delta optimization on it. Uncheck the check box to disable this feature.
Enable Delta Optimization On First Visit To Web Page: Check box that enables condensation on the first visit to a Web page. Uncheck the check box to disable this feature.
Min. Page Size For Delta Optimization (Bytes): Minimum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes.
Max. Page Size For Delta Optimization (Bytes): Maximum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes.
Set Default Client Script: Scripting language that the ACE is to recognize on condensed content pages:
• N/A—Indicates that this option is not configured.
• Javascript—Indicates that the default scripting language is JavaScript.
• Visual Basic Script—Indicates that the default scripting language is Visual Basic Script.
Exclude Iframes From Delta Optimization: Check box to specify that delta optimization is not to be applied to IFrames (inline frames). Uncheck the check box to indicate that delta optimization is to be applied to IFrames.
Exclude Non-ASCII Data From Delta Optimization: Check box to specify that delta optimization is not to be applied to non-ASCII data. Uncheck the check box to indicate that delta optimization is to be applied to non-ASCII data.
Exclude JavaScripts From Delta Optimization: Check box to specify that delta optimization is not to be applied to JavaScript. Uncheck the check box to indicate that delta optimization is to be applied to JavaScript.
MIME Types To Exclude From Delta Optimization:
a. In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail Extension) types that are not to have delta optimization applied, such as image/jpeg, text/html, application/msword, or audio/mpeg. See the “Supported MIME Types” section on page 10-26 for a list of supported MIME types.
b. Click Add to add the entry to the list box on the right. You can position the entries in the list box by using the Up and Down buttons.
Remove HTML META Elements From Documents: Check box to specify that HTML META elements are to be removed from documents to prevent them from being condensed. Uncheck the check box to indicate that HTML META elements are not to be removed from documents.
Rebase Delta Optimization Threshold (%): Delta threshold, expressed as a percent, at which rebasing is triggered. This entry represents the size of a page delta relative to total page size; rebasing is triggered when the delta response size exceeds the threshold as a percentage of base file size. Valid entries are 0 to 10000 percent.
Rebase Flash Forward Threshold (%): Threshold, expressed as a percent, at which rebasing is triggered based on the percent of FlashForwarded URLs in the response. Rebasing is triggered when the difference between the percentages of FlashForwarded URLs in the delta response and in the base file exceeds the threshold. Valid entries are 0 to 10000 percent.
Rebase History Size (Pages): Number of pages to be stored before the ACE resets all rebase control parameters to zero and starts over. This option prevents the base file from becoming too rigid. Valid entries are 10 to 2147483647.
Rebase Modify Cool-Off Period (Seconds): Number of seconds after the last modification before performing a rebase. Valid entries are 1 to 14400 seconds (4 hours).
Rebase Reset Period (Seconds): Period of time, in seconds, for performing a metadata refresh. Valid entries are 1 to 900 seconds (15 minutes).
UTF-8 Character Set Threshold: Number of 8-bit Unicode Transformation Format (UTF-8) characters that need to appear on a page for it to be treated as a UTF-8 character set page. The UTF-8 character set is an international standard that allows Web pages to display non-ASCII or non-English multibyte characters. It can represent any universal character in the Unicode standard and is backwards compatible with ASCII. Valid entries are from 1 to 1,000,000.
Server Load Threshold Trigger (%): Threshold, expressed as a percent, at which the TTL for cached objects is to be changed. The server load threshold trigger indicates that the time-to-live (TTL) period for cached objects is to be based dynamically on server load. With this method, TTL periods increase if the current response time from the origin server is greater than the average response time, and decrease if the current response time from the origin server is less than the average response time, whenever the difference in response times exceeds the specified threshold. Valid entries are from 0 to 100 percent.
Server Load Time-To-Live Change (%): Percentage by which the cache TTL is increased or decreased when the server load threshold trigger is met. For example, if this value is set to 20, the current TTL for a response is 300 seconds, and the current server response time exceeds the trigger threshold, the cache TTL for the response is raised to 360 seconds. Valid entries are from 0 to 100 percent.
Delta Optimization Mode: Method by which delta optimization is to be implemented:
• N/A—Indicates that a delta optimization mode is not configured.
• Enable The All-User Mode For Delta Optimization—Indicates that the ACE generates the delta against a single base file that is shared by all users of the URL. This option is usable in most cases if the structure of a page is common across all users, and the disk space overhead is minimal.
• Enable The Per-User Mode For Delta Optimization—Indicates that the ACE generates the delta against a base file that is created specifically for that user. This option is useful when page contents, including layout elements, differ for each user, and delivers the highest level of condensation. However, it increases disk space requirements because a copy of the base page delivered to each user is cached. This option is also the one to use when privacy is required, because base pages are not shared among users.
Enable Appscope Options
Appscope Optimize Rate (%): Percentage of all requests or sessions to be sampled for performance with acceleration (or optimization) applied. All applicable optimizations for the class are performed. Valid entries are from 0 to 100 percent, with a default of 10 percent. The sum of this value and the value entered in the Appscope Passthrough Rate (%) field must not exceed 100.
Appscope Passthrough Rate (%): Percentage of all requests or sessions to be sampled for performance without optimization. No optimizations for the class are performed. Valid entries are from 0 to 100, with a default of 10 percent. The sum of this value and the value entered in the Appscope Optimize Rate (%) field must not exceed 100.
Max Number For Parameter Summary Log (Bytes): Maximum number of bytes to be logged for each parameter value in the parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this limit, it is truncated at the specified limit. Valid entries are 0 to 10,000 bytes.
Specify String For Grouping Requests: String that the ACE is to use to sort requests for AppScope reporting. The string can contain a URL regular expression that defines a set of URLs in which URLs that differ only by their query parameters are treated as separate URLs in AppScope reports. For example, to define a string that identifies the URLs http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two separate reporting categories, you would enter http_query_param(region). Valid entries contain 1 to 255 characters and can contain the parameter expander functions listed in Table 7-19.
Table 7-19 lists the parameter expander functions that you can use.
Table 7-19 Parameter Expander Functions
Variable Description
$(number): Expands to the corresponding matching subexpression (by number) in the URL pattern. Subexpressions are marked in a URL pattern using parentheses (). The numbering of the subexpressions begins with 1 and is the number of the left parenthesis “(” counting from the left. You can specify any positive integer for the number; $(0) expands to the entire matched URL, which, as the example shows, does not include the query string. For example, if the URL pattern is ((http://server/.*)/(.*)/)a.jsp, and the URL that matches it is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct:
$(0) = http://server/main/sub/a.jsp
$(1) = http://server/main/sub/
$(2) = http://server/main
$(3) = sub
If the specified subexpression does not exist in the URL pattern, then the variable expands to the empty string.
$http_query_string(): Expands to the value of the whole query string in the URL. For example, if the URL is http://myhost/dothis?param1=value1&param2=value2, then the following is correct:
$http_query_string() = param1=value1&param2=value2
This function applies to both GET and POST requests.
$http_query_param(query-param-name) (the obsolete syntax $param(query-param-name) is also supported): Expands to the value of the named query parameter (case-sensitive). For example, if the URL is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct:
$http_query_param(category) = shoes
$http_query_param(session) = 99999
If the specified parameter does not exist in the query, then the variable expands to the empty string. This function applies to both GET and POST requests.
$http_cookie(cookie-name): Evaluates to the value of the named cookie. For example, $http_cookie(cookiexyz). The cookie name is case-sensitive.
$http_header(request-header-name): Evaluates to the value of the specified HTTP request header. In the case of multivalued headers, it is the single representation as specified in the HTTP specification. For example, $http_header(user-agent). The HTTP header name is not case-sensitive.
$http_method(): Evaluates to the HTTP method used for the request, such as GET or POST.
Boolean Functions:
$http_query_param_present(query-param-name)
$http_query_param_notpresent(query-param-name)
$http_cookie_present(cookie-name)
$http_cookie_notpresent(cookie-name)
$http_header_present(request-header-name)
$http_header_notpresent(request-header-name)
$http_method_present(method-name)
$http_method_notpresent(method-name)
Each evaluates to a Boolean value, True or False, depending on the presence or absence of the element in the request. The elements are a specific query parameter (query-param-name), a specific cookie (cookie-name), a specific request header (request-header-name), or a specific HTTP method (method-name). All identifiers are case-sensitive except for the HTTP request header name.
$regex_match(param1, param2): Evaluates to a Boolean value: True if the two parameters match and False if they do not match. The two parameters can be any two expressions, including regular expressions, that evaluate to two strings. For example, this function:
$regex_match($http_query_param(URL), .*Store\.asp.*)
compares the query URL with the regular expression string .*Store\.asp.*
If the URL matches this regular expression, this function evaluates to True.
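The following is an added example, not code from the ANM guide or from the ACE product: a small Python model of the parameter expander functions in Table 7-19 (the $(number) subexpression capture, $http_query_param, $http_query_string, $http_cookie, $http_header, $http_method, the presence tests and $regex_match), used to compose a cache key in the way the Cache-Key Modifier Expression and Expression To Modify Cache Key Query Parameter fields of Table 7-18 describe. It reproduces the page's own examples (the ((http://server/.*)/(.*)/)a.jsp pattern, the category and session parameters, the region grouping) and then shows why a query expression that drops a per-user parameter such as session makes two users' requests collide on one cached object. Assumptions not stated on the page: the URL pattern is matched against the canonical URL (the part before "?"), as the $(0) example implies; $regex_match is a whole-string match; for POST requests the form body is treated as query parameters; and the Request class, expand() and cache_key() are illustrative, because the guide does not document how the ACE joins the two expressions into one key.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

@dataclass
class Request:
    """Constructed request model holding what the expander functions read."""
    method: str
    url: str
    headers: Dict[str, List[str]] = field(default_factory=dict)  # name -> values
    cookies: Dict[str, str] = field(default_factory=dict)        # name -> value
    body: str = ""  # form-encoded POST body

    @property
    def canonical_url(self) -> str:
        return self.url.split("?", 1)[0]  # the part before '?' (Table 7-18)

    @property
    def query_string(self) -> str:
        return urlsplit(self.url).query

    def query_params(self) -> Dict[str, str]:
        # Case-sensitive names, first value wins. Assumption: POST form-body
        # parameters are treated as query parameters.
        pairs = parse_qsl(self.query_string, keep_blank_values=True)
        if self.method.upper() == "POST":
            pairs += parse_qsl(self.body, keep_blank_values=True)
        params: Dict[str, str] = {}
        for name, value in pairs:
            params.setdefault(name, value)
        return params

def subexpression(pattern: str, req: Request, number: int) -> str:
    """$(number): group `number` of `pattern` matched against the canonical
    URL; $(0) is the whole match; a missing group expands to ""."""
    m = re.fullmatch(pattern, req.canonical_url) if pattern else None
    if m is None or number > m.re.groups:
        return ""
    return m.group(number) or ""

def http_query_string(req: Request) -> str:
    return req.query_string

def http_query_param(req: Request, name: str) -> str:
    return req.query_params().get(name, "")  # case-sensitive

def http_cookie(req: Request, name: str) -> str:
    return req.cookies.get(name, "")  # case-sensitive

def http_header(req: Request, name: str) -> str:
    # Header names are not case-sensitive; multiple values are combined into
    # the single comma-separated representation HTTP defines.
    for hname, values in req.headers.items():
        if hname.lower() == name.lower():
            return ", ".join(values)
    return ""

def http_method(req: Request) -> str:
    return req.method.upper()

def present(req: Request, kind: str, name: str) -> bool:
    """$http_<kind>_present(name); the *_notpresent() form is `not present()`.
    Only the header name is compared case-insensitively."""
    if kind == "query_param":
        return name in req.query_params()
    if kind == "cookie":
        return name in req.cookies
    if kind == "header":
        return any(h.lower() == name.lower() for h in req.headers)
    if kind == "method":
        return req.method.upper() == name.upper()
    raise ValueError(kind)

def regex_match(value: str, regex: str) -> bool:
    """$regex_match(param1, param2), taken here as a whole-string match."""
    return re.fullmatch(regex, value) is not None

_TOKEN = re.compile(r"\$\((\d+)\)|\$(http_\w+)\(([^()]*)\)")

def expand(template: str, req: Request, url_pattern: str = "") -> str:
    """Substitute the value-producing variables of Table 7-19 in `template`."""
    def repl(m: "re.Match[str]") -> str:
        if m.group(1) is not None:  # $(number)
            return subexpression(url_pattern, req, int(m.group(1)))
        func, arg = m.group(2), m.group(3)
        if func == "http_query_string":
            return http_query_string(req)
        if func == "http_query_param":
            return http_query_param(req, arg)
        if func == "http_cookie":
            return http_cookie(req, arg)
        if func == "http_header":
            return http_header(req, arg)
        if func == "http_method":
            return http_method(req)
        raise ValueError(f"unsupported or Boolean function: ${func}()")
    return _TOKEN.sub(repl, template)

def cache_key(req: Request, canonical_expr: str = "", query_expr: str = "",
              url_pattern: str = "") -> str:
    """Illustrative (not documented by the guide) composition of a cache key:
    modified canonical part + modified query part. An empty expression keeps
    the original part, as the page says for the query expression."""
    canonical = expand(canonical_expr, req, url_pattern) if canonical_expr else req.canonical_url
    query = expand(query_expr, req, url_pattern) if query_expr else req.query_string
    return f"{canonical}?{query}" if query else canonical
```

With the constructed requests http://server/catalog.asp?region=asia&session=111 and ...&session=222, cache_key(req, "", "region=$http_query_param(region)") returns http://server/catalog.asp?region=asia for both, which is the collision the Cache-Key Modifier row warns about; leaving the query expression empty keeps the session parameter in the key and the two requests map to different cached objects. The same $http_query_param(region) expression, used as the AppScope grouping string, separates the asia and america requests into two reporting categories.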
Step 13 When you finish configuring match criteria and actions, do one of the following:
• Click OK to save your entries and to return to the Rule Match and Actions table.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule Match and
Actions table.
Step 14 When you finish configuring virtual server properties, do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The ACE appliance validates the action list
configuration and deploys it.
• Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers
table.
• Click Deploy Later to save your entries and apply the configuration at a later time.
Related Topics
• Optimization Traffic Policies and Typical Configuration Flow, page 15-2
• Configuring Traffic Policies for HTTP Optimization, page 15-6
• Configuring Virtual Server Protocol Inspection, page 7-18
• Configuring Virtual Server Layer 7 Load Balancing, page 7-30
• Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50
Configuring Virtual Server NAT
You can configure Network Address Translation (NAT) for virtual servers.
Assumptions
This topic assumes the following:
• Make sure that a virtual server has been configured in the Properties configuration subset. For more
information, see the “Configuring Virtual Server Properties” section on page 7-11.
• Make sure that a VLAN has been configured. See the “Configuring Virtual Context VLAN
Interfaces” section on page 12-6 for information on configuring a VLAN interface.
• Make sure that at least one NAT pool has been configured on a VLAN interface. See the
“Configuring VLAN Interface NAT Pools” section on page 12-26 for information on configuring a
NAT pool.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2 In the Virtual Servers table, choose the virtual server you want to configure for NAT, and click Edit.
The Virtual Server configuration window appears.
Step 3 In the Virtual Server configuration window, click NAT.
The NAT table appears.
Step 4 In the NAT table, click Add to add an entry, or choose an existing entry and click Edit to modify it.
Step 5 In the VLAN drop-down list, choose the VLAN that you want to use for NAT.
VLANs that have already been associated with a NAT pool for this virtual server do not appear in this list. The
VLAN numbers shown indicate which VLANs have NAT pools available.
Step 6 In the NAT Pool ID drop-down list, choose the NAT pool that you want to associate with the selected
VLAN.
Note the following about the NAT pool ID selections:
NAT Pool IDs (Begin IP - End IP: Netmask: PAT) appear in a format that provides the details of the
beginning and ending IP address range, netmask, and the PAT enabled or disabled setting. For example:
2 (10.77.241.2 - 10.77.241.15: 255.255.255.192: PAT Enabled).
If the NAT pool had previously been associated but is no longer defined, then it appears as
“ (Warning: Undefined NAT Pool)”. For example:
2 (Warning: Undefined NAT Pool)
For more information about NAT pools, see the “Configuring VLAN Interface NAT Pools” section on
page 12-26.
Step 7 Do one of the following:
• Click OK to save your entries and to return to the NAT table. The NAT table refreshes with the new
entry.
• Click Cancel to exit the procedure without saving your entries and to return to the NAT table.
Step 8 When you finish configuring virtual server properties, do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers
table.
• Click Deploy Later to save your entries and apply the configuration at a later time.
Related Topics
• Configuring Virtual Servers, page 7-2
• Configuring Virtual Server Properties, page 7-11
• Configuring Virtual Server SSL Termination, page 7-17
• Configuring Virtual Server Protocol Inspection, page 7-18
• Configuring Virtual Server Layer 7 Load Balancing, page 7-30
• Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50
Displaying Virtual Servers by Context
You can display all virtual servers associated with a virtual context.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the context associated with the virtual servers that you want to display, and
choose Load Balancing > Virtual Servers.
Table 7-20 describes the information that displays.
Related Topics
• Configuring Virtual Servers, page 7-2
• Managing Virtual Servers, page 7-66
• Displaying Detailed Virtual Server Information, page 7-81
• Displaying Virtual Servers, page 7-81
Displaying Virtual Server Statistics and Status Information
You can display virtual server statistics and status information for a particular virtual server by using the
Details button.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Table 7-20 Virtual Servers Window
Field Description
Name Virtual server name.
Configured State Current configured state, such as In Service or Out Of Service.
Operational State Current operating state (if known), such as In Service or Out Of Service.
Last Polled Date and time that ANM last polled the virtual server for backup statistics.
VIP Address Virtual server IP address.
Port Port that the virtual server uses for TCP or UDP.
VLANs Associated VLANs.
Server Farms Associated server farms.
Owner Owner and context in which the virtual server was created.
Step 2 From the Virtual Servers table, choose a virtual server and click Details.
A popup window appears that displays the show service-policy policy_name class-map class_name
detail CLI command output. For details about the displayed fields, see either the Cisco ACE Module
Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series Appliance Server
Load-Balancing Configuration Guide.
Note This feature requires ACE module software Version A2(1.2), ACE appliance software Version
A3(2.1), or later versions of either software. An error displays with earlier software versions.
Step 3 Click Update Details to refresh the window information.
Step 4 Click Close to return to the Virtual Servers table.
Related Topics
• Configuring Virtual Servers, page 7-2
• Managing Virtual Servers, page 7-66
• Displaying Detailed Virtual Server Information, page 7-81
• Displaying Virtual Servers, page 7-81
Managing Virtual Servers
This section shows how to display and manage the virtual servers from the Virtual Servers window
(Config > Operations > Virtual Servers). This window provides you with information about each virtual
server configured on ANM (see the “Displaying Virtual Servers” section on page 7-81) and provides
access to function buttons that allow you to perform tasks such as activate or suspend a virtual server,
display a virtual server topology map, or display connection statistics graphs.
This section also shows how to display and manage GSS VIP answers (Config > Operations > GSS VIP
Answers) and GSS DNS rules (Config > Operations > GSS DNS Rules).
Guidelines and Restrictions
The Virtual Servers, GSS VIP Answers, and GSS DNS Rules Operations windows contain a Rows per
page option that includes an All setting for displaying all related configured items in one window. Use
the All setting for viewing purposes only. ANM does not allow you to perform any operation from an
Operations window if you have more than 200 items selected. For example, if you use the All option to
display and select more than 200 virtual servers and then attempt to perform the suspend operation,
ANM cancels the request and displays an error message.
This section includes the following topics:
• Managing Virtual Server Groups, page 7-67
• Activating Virtual Servers, page 7-71
• Suspending Virtual Servers, page 7-72
• Managing GSS VIP Answers, page 7-73
• Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75
• Managing GSS VIP Answer and DNS Rule Groups, page 7-76
• Displaying Detailed Virtual Server Information, page 7-81
• Displaying Virtual Servers, page 7-81
• Using the Virtual Server Connection Statistics Graph, page 7-84
• Using the Virtual Server Topology Map, page 7-85
• Understanding CLI Commands Sent from Virtual Server Table, page 7-86
Managing Virtual Server Groups
This section describes how to organize virtual servers into groups, which allows you to display and
manage a specific group of virtual servers without having to filter the virtual server display. When
creating a group, you specify whether the group is available to just you or is available globally to all
ANM users.
The virtual server group feature is available from the virtual servers operations window (Config >
Operations > Virtual Servers), which contains the Groups option for managing object groups. Figure 7-1
shows the Groups icon with the following available options for managing object groups:
• Create New Group—Adds a new group.
• Edit Group—Modifies an existing group. This option displays only after you select a group to
display in Group mode.
• Exit Group Mode—Changes the display from the group mode display to the display of all virtual
servers. This option displays only after you select a group and the display enters the Group mode.
• Saved Groups—Lists the currently configured groups along with each group’s privilege level (local
or global) and owner. From this view, you can choose a group to display or delete a group.
Figure 7-1 Object Grouping for Virtual Servers
Guidelines and Restrictions
Object grouping guidelines and restrictions are as follows:
• When you create a global group, other users can see the group if they have access to at least one
object within the group. This rule does not apply to the admin user or a user with the anm-admin
role because they have visibility to all global groups.
• To edit or delete a group, you must be the group owner, a user with the anm-admin role, or the admin
user.
• When you delete a locally authenticated user from the ANM database, ANM deletes all the global
and user-specific groups that the user created. However, when you delete a remotely authorized user
from the remote AAA server database, ANM does not delete the groups that the user created. In this
case, you must manually delete the user’s groups.
This section includes the following topics:
• Creating a Virtual Server Group, page 7-68
• Editing or Copying a Virtual Server Group, page 7-69
• Displaying a Virtual Server Group, page 7-70
• Deleting a Virtual Server Group, page 7-70
Creating a Virtual Server Group
You can create a virtual server group.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears.
Step 2 Click the Groups icon located above the Virtual Servers table.
The Groups menu appears below the icon (see Figure 7-1).
Step 3 From the Groups menu, choose Create New Group.
The display enters the edit mode and the Creating a New Group table appears with the list of the available
virtual servers.
Step 4 From the Creating a New Group table, check the check box next to the virtual servers that you want to
include in the group.
Step 5 (Optional) Check the Hide unselected check box to display only the virtual servers that you have
chosen. Uncheck the check box to display all the available virtual servers.
Step 6 Do one of the following:
• Click Save as to save the group information. The Create Group popup window appears.
From the popup window, do the following:
a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters.
Special characters and spaces are allowed.
b. Choose the availability of the group by clicking one of the following radio buttons:
– This user only (local)—Only you can view, modify, or delete the group.
– All users (global)—All ANM users can view the group if they have permission to view at least
one of the virtual servers associated with the group. The admin user or a user with the
anm-admin role can view all groups and can also edit or delete any group.
c. Do one of the following:
– Click Save to save the group information. The Create Group popup window closes and the
Viewing Group table appears, displaying the new group’s name and associated virtual servers.
To exit Group mode and return to the Virtual Servers table, click the Groups icon and click Exit
Group Mode from the Groups menu.
– Click Cancel to close the Create Group popup window without saving any information and
return to the Creating a New Group table.
• Click Back to View to exit the Group display mode and return to the Virtual Servers table.
Related Topics
• Managing Virtual Server Groups, page 7-67
• Editing or Copying a Virtual Server Group, page 7-69
• Displaying a Virtual Server Group, page 7-70
• Deleting a Virtual Server Group, page 7-70
Editing or Copying a Virtual Server Group
You can edit a virtual server group or create a copy of a virtual server group under a different name.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears.
Step 2 Click the Groups icon located above the Virtual Servers table.
The Groups menu appears below the icon (see Figure 7-1).
Step 3 From the Groups menu, choose the group that you want to edit.
The Viewing Group table appears, displaying the selected group’s name and associated virtual servers.
Step 4 Click the Groups icon again and from the Groups menu, choose Edit Group.
The Editing Group table appears, displaying the complete list of available virtual servers with the virtual
servers currently associated with the group highlighted and checked.
Step 5 Modify the group by checking the virtual servers to add and unchecking the virtual servers to
remove. Skip this step if you only want to save a copy of the current group under a different name.
Step 6 Do one of the following:
• Click Save to save the changes and return to the Viewing Group table, where you can view the
changes.
• Click Save as to save the configuration under a new group name. The Create Group popup window
appears.
From the popup window, do the following:
a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters.
Special characters and spaces are allowed.
b. Choose the availability of the group by clicking one of the following radio buttons:
– This user only (local)—Only you can view, modify, or delete the group.
– All users (global)—All ANM users can view the group if they have permission to view at least
one of the virtual servers associated with the group. The admin user or a user with the
anm-admin role can view all global groups and can also edit or delete these groups.
c. Do one of the following:
– Click Save to save the group information. The Create Group popup window closes and the
Viewing Group table appears, displaying the new group’s name and associated virtual servers.
– Click Cancel to close the Create Group popup window without saving any information and to
return to the Creating a New Group table.
Click Back to View to exit the edit mode and return to the Group mode.
Step 7 (Optional) To exit Group mode and return to the Virtual Servers table, click the Groups icon and click
Exit Group Mode from the Groups menu.
Related Topics
• Managing Virtual Server Groups, page 7-67
• Creating a Virtual Server Group, page 7-68
• Displaying a Virtual Server Group, page 7-70
• Deleting a Virtual Server Group, page 7-70
Displaying a Virtual Server Group
You can display the list of virtual servers associated with a virtual server group.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears.
Step 2 Click the Groups icon located above the Virtual Servers table.
The Groups menu appears below the icon (see Figure 7-1).
Step 3 From the Groups menu, choose the group that you want to display.
The Viewing Group table appears, displaying the selected group’s name and associated virtual servers.
Step 4 (Optional) To exit Group mode and return to the Virtual Servers table, click the Groups icon and click
Exit Group Mode from the Groups menu.
Related Topics
• Managing Virtual Server Groups, page 7-67
• Creating a Virtual Server Group, page 7-68
• Editing or Copying a Virtual Server Group, page 7-69
• Deleting a Virtual Server Group, page 7-70
Deleting a Virtual Server Group
You can delete a virtual server group. Deleting a virtual server group does not delete the group’s
associated virtual servers from the ANM database.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears.
Step 2 Click the Groups icon located above the Virtual Servers table.
The Groups menu appears below the icon (see Figure 7-1).
Step 3 From the Groups menu, click X (delete) next to the group that you want to delete.
The Delete Group confirmation popup window appears.
Step 4 From the Delete Group confirmation popup window, do one of the following:
• Click Delete to remove the virtual server group.
• Click Cancel to ignore the deletion request.
Related Topics
• Managing Virtual Server Groups, page 7-67
• Creating a Virtual Server Group, page 7-68
• Editing or Copying a Virtual Server Group, page 7-69
• Displaying a Virtual Server Group, page 7-70
Activating Virtual Servers
You can activate a virtual server.
Note A missing operation or Admin state on a CSM or CSS device most likely means that the community
string was not enabled on those devices. If the community string is not enabled on a CSM or CSS device,
and any kind of operation is performed on those devices, it will not succeed, and ANM will not provide
any kind of indication.
• For CSM devices, you must enable the community string of the Catalyst 6500 series chassis.
• For CSS devices, you must enable the community string of the CSS device itself.
Guidelines and Restrictions
ANM does not support CSM DNS virtual servers. If you create this type of virtual server, ANM issues
an error message if you attempt to use ANM to activate or suspend it.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears.
Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:
a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the
icon (see Figure 7-1).
b. From the Groups menu, choose the group to display.
Step 3 In the Virtual Servers table, choose the virtual server that you want to activate, and click Activate.
The server is activated and the window refreshes with updated information in the Configured State
column.
Related Topics
• Managing Virtual Servers, page 7-66
• Displaying Virtual Servers, page 7-81
• Suspending Virtual Servers, page 7-72
Suspending Virtual Servers
You can suspend a virtual server.
Note A missing operation or Admin state on a CSM or CSS device most likely means that the community
string was not enabled on those devices. If the community string is not enabled on a CSM or CSS device,
and any kind of operation is performed on those devices, it will not succeed, and ANM will not provide
any kind of indication.
• For CSM devices, you must enable the community string of the Catalyst 6500 series chassis.
• For CSS devices, you must enable the community string of the CSS device itself.
Guidelines and Restrictions
ANM does not support CSM DNS virtual servers. If you create this type of virtual server, ANM issues
an error message if you attempt to use ANM to activate or suspend it.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears.
Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:
a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the
icon (see Figure 7-1).
b. From the Groups menu, choose the group to display.
Step 3 In the Virtual Servers table, choose the virtual server that you want to suspend, and click Suspend.
The Suspend Virtual Server window appears.
Step 4 In the Reason field of the Suspend Virtual Server window, enter the reason for this action.
You might enter a trouble ticket, an order ticket, or a user message.
Note Do not enter a password in this field.
Related Topics
• Managing Virtual Servers, page 7-66
• Displaying Virtual Servers, page 7-81
• Activating Virtual Servers, page 7-71
Managing GSS VIP Answers
This section describes how to manage GSS VIP answers. In a GSS network, the term answers refers to
resources that respond to content queries. When you create an answer using the primary Global Site
Selector Manager (PGSSM), you are simply identifying a resource on your GSS network to which
queries can be directed and that can provide your user’s D-proxy with the address of a valid host to serve
their request.
Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco
IOS-compliant SLB, LocalDirector, or a Web server are types of answers that are specified in the ANM
user interface in the GSS VIP Answers table found in ANM under Configuration > Operations. Use this
procedure to poll, activate, or suspend GSS VIP answers.
Prerequisites
Make sure that you have established GSS VIP answers using the PGSSM.
Procedure
Step 1 Choose Config > Operations > GSS VIP Answers.
The GSS Answers table appears. For a list of fields available, see Table 7-21.
Table 7-21 GSS Answer Table
Field Description
Multiple Row Selection Checkbox Check box that selects all entries at the same time, or you can check line items
individually.
IP Address VIP answer IP address.
Name VIP answer name.
Config State VIP answer configured status.
PGSSM Oper State Operational status as shown on the primary GSS manager (PGSSM).
Answer Group Answer group names to which the VIP answer belongs.
Location Logical groupings for GSS resources that correspond to geographical entities such as a
city, data center, or content site.
Device Primary GSS device name on ANM.
PGSSM Time Last operational status update time on the primary GSS.
Step 2 (Optional) To display only the answers of a specific GSS VIP Answer group, do the following:
a. Click the Groups icon located above the DNS Rules table. The Groups menu appears below the icon
(see Figure 7-1).
b. From the Groups menu, choose the group to display.
Step 3 In the GSS Answers table, check the check boxes to the left of the answers that you want to poll, activate,
or suspend.
Step 4 Do one of the following:
• Click the Active/Suspended hyperlink to view the VIP answer details across the GSS node(s). A popup
window appears listing all nodes associated with the VIP, operational state, hit count, and timestamp
for each node.
• Click Poll Now to query the chosen resource to verify it is still active.
Note If you click Poll Now immediately after you click Activate or Suspend, you might not get the VIP
answer operational status on the PGSSM that reflects your most recent configuration. It might be
necessary to click Poll Now two or three times in succession to get an accurate result.
The ability of Cisco License Manager to update the VIP answer operational status and statistics
accurately in detailed GSS statistics window might depend on the polling interval that has been
configured on the GSS. The polling interval can be configured directly on the GSS device. (The default
is 5 minutes.) Depending on the interval, it can take 5 minutes or more for the ANM server to show an
accurate result.
• Click Activate to reactivate a GSS answer.
• Click Suspend to temporarily stop the GSS from using an associated answer.
If you clicked Activate or Suspend, a dialog box prompts for a Reason. Acceptable text consists of any
characters or nothing at all.
Step 5 Do one of the following:
• Click Deploy Now to complete Activation or Suspension.
• Click Cancel to cancel the Activation or Suspension operation.
Related Topics
• Managing GSS VIP Answer and DNS Rule Groups, page 7-76
• Information About Load Balancing, page 7-1
• Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75
Activating and Suspending DNS Rules Governing GSS Load Balancing
You can activate or suspend DNS rules associated with your GSS VIP answers table. The DNS rules table
in the Configuration > Operations navigation tree specifies actions for the GSS to take when it receives a
request from a known source (a member of a source address list) for a known hosted domain (a member
of a domain list).
The DNS rule specifies which response (answer) is given to the requesting user’s local DNS host
(D-proxy) and how that answer is chosen. One of a variety of balance methods is used to determine the
best response to the request, based on the status and load of the GSS host devices.
Prerequisites
Make sure that you have established GSS VIP answers and DNS rules using the PGSSM.
Procedure
Step 1 Choose Config > Operations > DNS Rules.
The DNS Rules table appears. For a list of fields available, see Table 7-22.
Step 2 (Optional) To display only the rules of a specific DNS Rules group, do the following:
a. Click the Groups icon located above the DNS Rules table. The Groups menu appears below the icon
(see Figure 7-1).
b. From the Groups menu, choose the group to display.
Step 3 In the DNS Rules table, check the check box to the left of the rules that you want to activate or suspend.
Step 4 Click the Activate or Suspend button.
A dialog box prompts for a Reason. Acceptable text consists of any characters or none at all.
Step 5 Do one of the following:
• Click Deploy Now to complete Activation or Suspension.
Table 7-22 DNS Rules Table
Field Description
Multiple Row Selection Checkbox Check box that selects all entries at the same time, or you can check line items
individually.
Name Name of the DNS rule.
Source Address Collection of IP addresses or address blocks for known client DNS proxies (or D-proxies).
Domains Domain list name containing one or more domain names that point to content for which the GSS
is acting as the authoritative DNS server and for which you wish to use the GSS technology to
balance traffic and user requests.
Config State DNS rules configured status, either Active or Suspended.
Answer Group Lists of GSS resources that are candidates to respond to DNS queries received from a user for a
hosted domain.
Owner Owner names, providing a simple way to organize and identify groups of related GSS resources.
Device Primary GSS device name on ANM.
PGSSM Time Last operational status update time on the GSS.
• Click Cancel to cancel the Activation or Suspension operation.
Related Topics
• Managing GSS VIP Answer and DNS Rule Groups, page 7-76
• Information About Load Balancing, page 7-1
• Managing GSS VIP Answers, page 7-73
Managing GSS VIP Answer and DNS Rule Groups
This section describes how to organize GSS VIP answers or DNS rules into groups, which allows you to
display and manage a specific group of VIP answers or DNS rules without having to filter the display.
When creating a group, you specify whether the group is available to just you or is available globally to
all ANM users.
The GSS object grouping feature is available from the following operations windows:
• Answer VIPs (Config > Operations > GSS VIP Answers)
• DNS Rules (Config > Operations > GSS DNS Rules)
These windows contain the Groups option for managing object groups. Figure 7-2 shows the Groups
icon with the following available options for managing object groups:
• Create New Group—Adds a new group.
• Edit Group—Modifies an existing group. This option displays only after you select a group to
display in Group mode.
• Exit Group Mode—Changes the display from the Group mode display to the display of all VIP
answers or DNS rules. This option displays only after you select a group and the display enters the
Group mode.
• Saved Groups—Lists the currently configured groups with each group’s privilege level (local or
global) and owner. From this view, you can choose a group to display or delete a group.
Figure 7-2 Object Grouping for GSS VIP Answers and DNS Rules
Guidelines and Restrictions
Object grouping guidelines and restrictions are as follows:
• When you create a global group, other users can see the group if they have access to at least one
object within the group. This rule does not apply to the admin user or a user with the anm-admin
role because they have visibility to all global groups.
• To edit or delete a group, you must be the group owner, a user with the anm-admin role, or the admin
user.
• When you delete a locally authenticated user from the ANM database, ANM deletes all the global
and user-specific groups that the user created. However, when you delete a remotely authorized user
from the remote AAA server database, ANM does not delete the groups that the user created. In this
case, you must manually delete the user’s groups.
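The object-grouping guidelines above, and the identical guidelines in the "Managing Virtual Server Groups" section, describe an access rule that is easy to implement wrongly: a global group is visible to another user only through objects that user already has access to, the admin user and holders of the anm-admin role see every global group and may edit or delete any group, and deleting a remotely authenticated user leaves that user's groups behind. The Python below is an added example, not ANM code, that models those rules so they can be checked in one place. The User, Group and GroupStore types and the object identifiers are constructed for the example, and treating a local group as visible to its owner only (even for admins) is an assumption, since the guide's wording on that point differs between sections.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

ADMIN_USER = "admin"          # the built-in admin account named in the guide
ANM_ADMIN_ROLE = "anm-admin"  # the administrative role named in the guide


@dataclass(frozen=True)
class User:
    """Constructed model of an ANM user (not an ANM type)."""
    name: str
    roles: FrozenSet[str] = frozenset()
    local: bool = True  # True: authenticated from the ANM database; False: remote AAA server


@dataclass(frozen=True)
class Group:
    """Constructed model of a virtual server, VIP answer or DNS rule group."""
    name: str
    owner: str
    scope: str               # "local" (this user only) or "global" (all users)
    members: FrozenSet[str]  # identifiers of the grouped objects


def is_privileged(user: User) -> bool:
    """The admin user and any holder of the anm-admin role bypass the per-object check."""
    return user.name == ADMIN_USER or ANM_ADMIN_ROLE in user.roles


def can_view(user: User, group: Group, accessible: FrozenSet[str]) -> bool:
    """Decide whether `user` may see `group`.

    `accessible` is the set of object identifiers this user is permitted to view.
    The owner always sees the group. A local group is owner-only (assumption, see
    lead-in). Privileged users see every global group; anyone else sees a global
    group only if they can access at least one object in it.
    """
    if user.name == group.owner:
        return True
    if group.scope != "global":
        return False
    if is_privileged(user):
        return True
    return bool(group.members & accessible)


def can_edit_or_delete(user: User, group: Group) -> bool:
    """Only the owner, the admin user or an anm-admin may edit or delete a group."""
    return user.name == group.owner or is_privileged(user)


class GroupStore:
    """Minimal model of the ANM group table, enough to show the user-deletion rule."""

    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}

    def add(self, group: Group) -> None:
        self.groups[group.name] = group

    def delete_user(self, user: User) -> List[str]:
        """Remove a user and return the names of the groups removed with them.

        Groups created by a locally authenticated user go with the user; groups
        created by a remotely authenticated user are left behind.
        """
        if not user.local:
            return []
        removed = [name for name, g in self.groups.items() if g.owner == user.name]
        for name in removed:
            del self.groups[name]
        return removed

    def orphaned_groups(self, existing_users: FrozenSet[str]) -> List[str]:
        """Groups whose owner no longer exists; these must be deleted by hand."""
        return sorted(name for name, g in self.groups.items() if g.owner not in existing_users)


if __name__ == "__main__":
    # Constructed scenario: a local owner, a remote owner, and a remaining user.
    alice, dave = User("alice"), User("dave", local=False)
    store = GroupStore()
    store.add(Group("prod-vips", "alice", "global", frozenset({"vs1", "vs2"})))
    store.add(Group("gss-rules", "dave", "global", frozenset({"rule1"})))
    print("removed with alice:", store.delete_user(alice))
    print("removed with dave:", store.delete_user(dave))
    print("orphaned, delete manually:", store.orphaned_groups(frozenset({"bob", "admin"})))
```

The orphaned_groups check is the part worth keeping around operationally: after a remote AAA account is removed, its global groups still exist and are still visible to users who can reach one of the member objects, so a periodic pass over owners that no longer exist is the only way to notice them.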
This section includes the following topics:
• Creating a VIP Answer or DNS Rule Group, page 7-77
• Editing or Copying a VIP Answer or DNS Rule Group, page 7-78
• Displaying a VIP Answer or DNS Rule Group, page 7-79
• Deleting a VIP Answer or DNS Rule Group, page 7-80
Creating a VIP Answer or DNS Rule Group
You can create a GSS answer VIP or DNS rule group.
Procedure
Step 1 Choose one of the following depending on the group type that you want to create:
• Config > Operations > GSS VIP Answers.
• Config > Operations > GSS DNS Rules
Depending on your choice, either the Answer VIPs or DNS Rules object table appears.
Step 2 Click the Groups icon located above the objects table.
The Groups menu appears below the icon (see Figure 7-2).
Step 3 From the Groups menu, choose Create New Group.
The display enters the edit mode and the Creating a New Group table appears with the list of the available
GSS VIP answer or DNS rule objects.
Step 4 From the Creating a New Group table, check the check box next to the GSS objects that you want to
include in the group.
Step 5 (Optional) Check the Hide unselected check box to display only the GSS objects that you have chosen.
Uncheck the check box to display all the available GSS objects.
Step 6 Do one of the following:
• Click Save as to save the group information. The Create Group popup window appears.
From the popup window, do the following:
a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters.
Special characters and spaces are allowed.
b. Choose the availability of the group by clicking one of the following radio buttons:
– This user only (local)—Only you can view, modify, or delete the group.
– All users (global)—All ANM users can view the group if they have permission to view at least
one of the GSS objects associated with the group. The admin user or a user with the anm-admin
role can view all groups and can also edit or delete any group.
c. Do one of the following:
– Click Save to save the group information. The Create Group popup window closes and the
Viewing Group table appears, displaying the new group’s name and associated objects.
To exit Group mode and return to the Real Servers table, click the Groups icon and click Exit
Group Mode from the Groups menu.
– Click Cancel to close the Create Group popup window without saving any information and to
return to the Creating a New Group table.
• Click Back to View to exit the Group display mode and return to the objects table.
Related Topics
• Managing GSS VIP Answer and DNS Rule Groups, page 7-76
• Editing or Copying a VIP Answer or DNS Rule Group, page 7-78
• Displaying a VIP Answer or DNS Rule Group, page 7-79
• Deleting a VIP Answer or DNS Rule Group, page 7-80
• Managing GSS VIP Answers, page 7-73
• Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75
Editing or Copying a VIP Answer or DNS Rule Group
You can edit a GSS VIP answer or DNS rule group or create a copy of a group under a different name.
Procedure
Step 1 Choose one of the following depending on the group type that you want to edit or copy:
• Config > Operations > GSS VIP Answers.
• Config > Operations > GSS DNS Rules
Depending on your choice, either the Answer VIPs or DNS Rules object table appears.
Step 2 Click the Groups icon located above the objects table.
The Groups menu appears below the icon (see Figure 7-2).
Step 3 From the Groups menu, choose the group that you want to edit.
The Viewing Group table appears, displaying the selected group’s name and associated GSS VIP answer
or DNS rule objects.
Step 4 Click the Groups icon again and from the Groups menu, choose Edit Group.
The Editing Group table appears, displaying the complete list of available objects with the objects
currently associated with the group highlighted and checked.
Step 5 Modify the group by checking the objects to add and unchecking the objects to remove. Skip this step
if you only want to save a copy of the current group under a different name.
Step 6 Do one of the following:
• Click Save to save the changes and return to the Viewing Group table, where you can view the
changes.
• Click Save as to save the configuration under a new group name. The Create Group popup window
appears.
From the popup window, do the following:
a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters.
Special characters and spaces are allowed.
b. Choose the availability of the group by clicking one of the following radio buttons:
– This user only (local)—Only you can view, modify, or delete the group.
– All users (global)—All ANM users can view the group if they have permission to view at least
one of the real servers associated with the group. The admin user or a user with the anm-admin
role can view all global groups and can also edit or delete these groups.
c. Do one of the following:
– Click Save to save the group information. The Create Group popup window closes and the
Viewing Group table appears, displaying the new group’s name and associated objects.
– Click Cancel to close the Create Group popup window without saving any information and to
return to the Creating a New Group table.
Click Back to View to exit the edit mode and return to the Group mode.
Step 7 (Optional) To exit Group mode and return to the GSS objects table, click the Groups icon and click Exit
Group Mode from the Groups menu.
Related Topics
• Managing GSS VIP Answer and DNS Rule Groups, page 7-76
• Creating a VIP Answer or DNS Rule Group, page 7-77
• Displaying a VIP Answer or DNS Rule Group, page 7-79
• Deleting a VIP Answer or DNS Rule Group, page 7-80
• Managing GSS VIP Answers, page 7-73
• Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75
Displaying a VIP Answer or DNS Rule Group
You can display the list of GSS objects associated with a VIP answer or DNS rule group.
Procedure
Step 1 Choose one of the following depending on the group type that you want to display:
• Config > Operations > GSS VIP Answers
• Config > Operations > GSS DNS Rules
Depending on your choice, either the Answer VIPs or DNS Rules object table appears.
Step 2 Click the Groups icon located above the objects table.
The Groups menu appears below the icon (see Figure 7-2).
Step 3 From the Groups menu, choose the group that you want to display.
The Viewing Group table appears, displaying the selected group’s name and associated objects.
Step 4 (Optional) To exit Group mode and return to the GSS objects table, click the Groups icon and click Exit
Group Mode from the Groups menu.
Related Topics
• Managing GSS VIP Answer and DNS Rule Groups, page 7-76
• Creating a VIP Answer or DNS Rule Group, page 7-77
• Editing or Copying a VIP Answer or DNS Rule Group, page 7-78
• Deleting a VIP Answer or DNS Rule Group, page 7-80
• Managing GSS VIP Answers, page 7-73
• Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75
Deleting a VIP Answer or DNS Rule Group
You can delete a GSS VIP answer or DNS rule group. Deleting a group does not delete the group’s
associated objects from the ANM database.
Procedure
Step 1 Choose one of the following depending on the group type that you want to delete:
• Config > Operations > GSS VIP Answers
• Config > Operations > GSS DNS Rules
Depending on your choice, either the Answer VIPs or DNS Rules object table appears.
Step 2 Click the Groups icon located above the objects table.
The Groups menu appears below the icon (see Figure 7-2).
Step 3 From the Groups menu, click X (delete) next to the group that you want to delete.
The Delete Group confirmation popup window appears.
Step 4 From the Delete Group confirmation popup window, do one of the following:
• Click Delete to remove the selected group.
• Click Cancel to ignore the deletion request.
Related Topics
• Managing GSS VIP Answer and DNS Rule Groups, page 7-76
• Creating a VIP Answer or DNS Rule Group, page 7-77
• Editing or Copying a VIP Answer or DNS Rule Group, page 7-78
• Displaying a VIP Answer or DNS Rule Group, page 7-79
• Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75
Displaying Detailed Virtual Server Information
You can display detailed information about the state of a virtual server.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears.
Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:
a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the
icon (see Figure 7-1).
b. From the Groups menu, choose the group to display.
Step 3 In the Virtual Servers table, choose the virtual server whose configuration details you want to
display, and click the hyperlinked entry for that virtual server in the Operational State column.
The Details window appears with the following information:
• Current operational status
• Description, if one was entered
• Configured interfaces, such as VLANs
• Configured service policies including:
– Configured class maps, detailed by type (such as load balancing or inspection)
– States of configured options, indicated by word (ACTIVE, DISABLED, OUTOFSERVICE) and
color (green, orange/yellow, and red)
– Associated policy maps with details on their type and action (L7 loadbalance, serverfarm)
– Statistics regarding connections and counts
Related Topics
• Configuring Virtual Servers, page 7-2
• Displaying Virtual Servers by Context, page 7-65
• Displaying Virtual Server Statistics and Status Information, page 7-65
• Managing Virtual Servers, page 7-66
Displaying Virtual Servers
You can display all virtual servers.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears. Table 7-23 describes the Virtual Servers table information.
Table 7-23 Virtual Server Table Fields
Name
  Server farm name sorted by virtual context.
Policy Map
  Associated policy map.
IP Address:Protocol:Port
  Server farm IP address, protocol, and port used for communications.
HA
  Indicators that display when the virtual server is part of a high availability pair. The indicators are as follows:
  • Asterisk (*)—The virtual server is associated with an HA pair and the HA configuration is complete.
  • Red dash (-)—The virtual server is associated with an HA pair; however, the HA configuration is incomplete. Typically, the HA pair is not properly configured for HA or only one of the devices has been imported into ANM. Ensure that both devices are imported into ANM and that they are configured as described in the “Configuring ACE High Availability” section on page 13-14.
  The table displays HA pair virtual servers together in the same row and they remain together no matter how you sort the information.
SLB Device
  Associated ACE IP address and context.
Admin
  Administrative state of the virtual server: Up or Down.
  Note For a CSM device, the virtual server Admin State is derived from the Operational State. In this case, the Operational State may display an Out of Service condition when the virtual server is configured to be Inservice (if all of the real servers are out of service).
Oper
  Operational state of the virtual server: Up or Down.
  (ACE devices only) To display detailed information about the virtual server in a popup window, click the linked state value in this column. For more information about this popup window, see the “Displaying Virtual Server Statistics and Status Information” section on page 7-65.
  Note The display virtual server details feature requires ACE module software Version A2(1.2), ACE appliance software Version A3(2.1), or later versions of either software. An error displays with earlier software versions.
DWS
  Operating state of Dynamic Workload Scaling for the virtual server, which can be:
  • N/A—Not applicable; the server farms associated with the virtual server are not configured to use Dynamic Workload Scaling.
  • Local—At least one server farm associated with the virtual server is configured to use Dynamic Workload Scaling, but the ACE is sending traffic to the VM Controller’s local VMs only.
  • Expanded—At least one server farm associated with the virtual server is configured to use Dynamic Workload Scaling and the ACE is sending traffic to the VM Controller’s local and remote VMs.
Conn
  Number of active connections.
  Note This column is populated for ACE appliances. For ACE devices, the Active Connections column displays N/A for older versions of the ACE appliance and module.
Stat Age
  Age of the statistical information.
Serverfarms
  Associated server farms.
  Note If you have the Details popup window feature enabled, click the value in this column to open the Details popup window and display detailed information about the server farm. By default, this feature is disabled. For information about enabling or disabling this feature, see the “Enabling the ACE Server Farm Details Popup Window Option for Virtual Servers” section on page 18-65.
VLANs
  Associated VLANs.
You can activate or suspend virtual servers from this table and obtain additional information about the
state of the virtual server.
Step 2 (Optional) Use the display toggle button located above the table to control which virtual servers
ANM displays as follows:
• Show ANM recognized Virtual Servers—Displays only virtual servers that match ANM’s virtual
server definition (see the “Virtual Server Configuration and ANM” section on page 7-2).
• Show all Virtual Servers—Displays virtual servers that match ANM’s virtual server definition and
those that do not match this definition but that ANM can recognize as virtual servers using SNMP
polling.
Note The display toggle button displays only when you have the “Display All Virtual Servers in
Monitoring & Operations page” advanced setting feature enabled (see the “Managing the
Display of Virtual Servers in the Operations and Monitoring Windows” section on page 18-66).
Step 3 (Optional) To display only the virtual servers of a specific virtual server group, do the following:
a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the
icon (see Figure 7-1).
b. From the Groups menu, choose the group to display.
Related Topics
• Activating Virtual Servers, page 7-71
• Suspending Virtual Servers, page 7-72
• Managing Virtual Server Groups, page 7-67
• Displaying Detailed Virtual Server Information, page 7-81
• Displaying Virtual Server Statistics and Status Information, page 7-65
• Displaying Virtual Servers by Context, page 7-65
Using the Virtual Server Connection Statistics Graph
You can display real time and historical statistical information about the connections of a virtual server.
ANM displays the information in graph or chart form. This feature also allows you to compare similar
connection information across multiple virtual servers.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears. You can activate or suspend virtual servers from this table and obtain
additional information about the state of the virtual server.
Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:
a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the
icon (see Figure 7-1).
b. From the Groups menu, choose the group to display.
Step 3 In the Virtual Servers table, check the check box next to each virtual server whose connection
information you want to display, and click Graph.
You can choose up to four virtual servers if you want to compare statistical data.
The Virtual Server Graph window appears, displaying the default graph for each selected virtual server.
For details about using the graph feature, see the “Configuring Historical Trend and Real Time Graphs
for Devices” section on page 17-48.
Step 4 Click Exit to return to the Virtual Servers window.
Related Topics
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
• Activating Virtual Servers, page 7-71
• Suspending Virtual Servers, page 7-72
• Managing Virtual Server Groups, page 7-67
• Displaying Detailed Virtual Server Information, page 7-81
• Displaying Virtual Servers, page 7-81
• Using the Virtual Server Topology Map, page 7-85
• Displaying Virtual Server Statistics and Status Information, page 7-65
• Displaying Virtual Servers by Context, page 7-65
Using the Virtual Server Topology Map
You can display the nodes on your network based on the virtual server that you select.
Procedure
Step 1 Choose Config > Operations > Virtual Servers.
The Virtual Servers table appears.
Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following:
a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the
icon (see Figure 7-1).
b. From the Groups menu, choose the group to display.
Step 3 Use the display toggle button located above the table to ensure that the Virtual Servers table is set
to Show ANM Recognized Virtual Servers.
Note The topology map feature is not available when the Virtual Server table is set to Show All Virtual
Servers (for more information, see the “Displaying Virtual Servers” section on page 7-81).
Step 4 In the Virtual Servers table, choose the server whose topology map you want to display, and click
Topology.
The ANM Topology map appears. The map includes several tools for navigating the network map and
zooming in and out. For details about using the map tools, see the “Displaying Network Topology Maps”
section on page 17-68.
Step 5 Click Exit to return to the Virtual Servers window.
Related Topics
• Suspending Virtual Servers, page 7-72
• Managing Virtual Server Groups, page 7-67
• Displaying Detailed Virtual Server Information, page 7-81
• Displaying Virtual Servers, page 7-81
• Using the Virtual Server Connection Statistics Graph, page 7-84
• Displaying Virtual Server Statistics and Status Information, page 7-65
• Displaying Virtual Servers by Context, page 7-65
Understanding CLI Commands Sent from Virtual Server Table
Table 7-24 displays the CLI commands dispatched to the device for a given Virtual Servers table option,
and is sorted by device.
Table 7-24 CLI Commands Deployed from Virtual Servers Table
ACE Modules and Appliances
  Virtual Server Activate:
    policy-map multi-match int25
      class VIP3
        loadbalance vip inservice
  Virtual Server Suspend:
    policy-map multi-match int25
      class VIP3
        no loadbalance vip inservice
CSMs
  Virtual Server Activate:
    vserver APP1
      inservice
  Virtual Server Suspend:
    vserver APP1
      no inservice
CSS Devices
  Virtual Server Activate:
    owner hm
      content LB
        active
  Virtual Server Suspend:
    owner hm
      content LB
        suspend
Deploying Virtual Servers
You can deploy virtual servers on your network at times that are convenient and appropriate for your
environment. For example, if your site prefers to make changes to the network during a specific time
each night, you can modify and save virtual server configurations during the day and then deploy them
when appropriate.
This section includes the following topics:
• Deploying a Virtual Server, page 7-87
• Displaying All Staged Virtual Servers, page 7-87
• Modifying Deployed Virtual Servers, page 7-88
• Modifying Staged Virtual Servers, page 7-88
Deploying a Virtual Server
You can deploy virtual servers on your network at times that are convenient and appropriate for your
environment. For example, if your site prefers to make changes to the network during a specific time
each night, you can modify and save virtual server configurations during the day and then deploy them
when appropriate.
Procedure
Step 1 Choose Config > Deploy.
The Staged Objects table appears.
Step 2 From the Staged Objects table, choose the virtual server that you want to deploy on your network, and
click Deploy.
The virtual server is deployed and the table refreshes with updated information.
Related Topics
• Configuring Virtual Servers, page 7-2
• Displaying All Staged Virtual Servers, page 7-87
• Modifying Staged Virtual Servers, page 7-88
Displaying All Staged Virtual Servers
You can display all objects that have been configured but have not yet been deployed on your network.
Procedure
Step 1 Do one of the following:
• Choose Config > Deploy.
The Staged Objects table appears listing the following:
– Virtual server name
– Device ID and virtual context
– Time the virtual server was created
– User who last modified the object
– Time the object was last updated
• Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears. Virtual servers with configurations that have not been deployed
appear with the status Not Deployed in the Configured State column.
Related Topics
• Configuring Virtual Servers, page 7-2
• Deploying a Virtual Server, page 7-87
• Modifying Staged Virtual Servers, page 7-88
• Modifying Deployed Virtual Servers, page 7-88
Modifying Deployed Virtual Servers
You can modify the configuration of a deployed virtual server.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers.
The Virtual Servers table appears.
Step 2 In the Virtual Servers table, choose the virtual server you want to modify, and click Edit.
The Virtual Server configuration window appears.
Step 3 In the Virtual Server configuration window, modify the virtual server's configuration as desired.
See Table 7-1 for virtual server configuration options.
Step 4 When you are done modifying the configuration, do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers
table.
Related Topics
• Managing Virtual Servers, page 7-66
• Displaying All Staged Virtual Servers, page 7-87
• Activating Virtual Servers, page 7-71
• Suspending Virtual Servers, page 7-72
Modifying Staged Virtual Servers
You can modify the configuration of a staged virtual server.
Procedure
Step 1 Choose Config > Deploy.
The Staged Objects table appears, listing those virtual servers that have not yet been deployed in the
network.
Step 2 From the Staged Objects table, choose the virtual server you want to modify, and click Edit.
The Virtual server configuration window appears.
Step 3 In the Virtual server configuration window, modify the virtual server configuration as desired.
See Table 7-1 for virtual server configuration options.
Step 4 When you are done modifying the configuration, do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers
table.
• Click Deploy Later to save your entries and apply this configuration at a later time.
Related Topics
• Deploying a Virtual Server, page 7-87
• Displaying All Staged Virtual Servers, page 7-87
• Activating Virtual Servers, page 7-71
CHAPTER 8
Configuring Real Servers and Server Farms
Date: 3/28/12
This chapter describes how to configure real servers and server farms on the Cisco Application Control
Engine (ACE) using Cisco Application Networking Manager (ANM).
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Information About Server Load Balancing, page 8-1
• Configuring Real Servers, page 8-5
• Managing Real Servers, page 8-9
• Configuring Dynamic Workload Scaling, page 8-26
• Configuring Server Farms, page 8-30
• Configuring Health Monitoring, page 8-49
• Configuring Secure KAL-AP, page 8-77
Information About Server Load Balancing
Server load balancing (SLB) is the process of deciding to which server a load-balancing device should
send a client request for service. For example, a client request can consist of an HTTP GET for a Web
page or an FTP GET to download a file. The job of the load balancer is to select the server that can
successfully fulfill the client request and do so in the shortest amount of time without overloading either
the server or the server farm as a whole.
Depending on the load-balancing algorithm or predictor that you configure, the ACE performs a series
of checks and calculations to determine the server that can best service each client request. The ACE
bases server selection on several factors, including the server with the fewest connections with respect
to load, source or destination address, cookies, URLs, or HTTP headers.
ANM allows you to configure load balancing using:
• Virtual servers—See Configuring Virtual Servers, page 7-2.
• Real servers—See Configuring Real Servers, page 8-5.
• Dynamic Workload Scaling—See Configuring Dynamic Workload Scaling, page 8-26.
• Server farms—See Configuring Server Farms, page 8-30.
• Sticky groups—See Configuring Sticky Groups, page 9-7.
• Parameter maps—See Configuring Parameter Maps, page 10-1.
For more information about SLB as configured and performed by the ACE, see:
• Configuring Virtual Servers, page 7-2
• Load-Balancing Predictors, page 8-2
• Real Servers, page 8-3
• Dynamic Workload Scaling Overview, page 8-4
• Server Farms, page 8-5
• Configuring Health Monitoring, page 8-49
• TCL Scripts, page 8-50
• Configuring Stickiness, page 9-1
This section includes the following topics:
– Load-Balancing Predictors, page 8-2
– Real Servers, page 8-3
– Server Farms, page 8-5
Load-Balancing Predictors
The ACE uses the following predictors to select the best server to satisfy a client request:
• Hash Address—Selects the server using a hash value based on either the source or destination IP
address, or both. Use these predictors for firewall load balancing (FWLB).
Note FWLB allows you to scale firewall protection by distributing traffic across multiple firewalls on
a per-connection basis. All packets belonging to a particular connection must go through the
same firewall. The firewall then allows or denies transmission of individual packets across its
interfaces. For more information about configuring FWLB on the ACE, see the Cisco 4700
Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
• Hash Content—Selects the server by using a hash value based on the specified content string of the
HTTP packet body.
• Hash Cookie—Selects the server using a hash value based on a cookie name.
• Hash Header—Selects the server using a hash value based on the HTTP header name.
• Hash Layer4—Selects the server using a Layer 4 generic protocol load-balancing method.
• Hash URL—Selects the server using a hash value based on the requested URL.
You can specify a beginning pattern and an ending pattern to match in the URL. Use this predictor
method to load-balance cache servers. Cache servers perform better with the URL hash method
because you can divide the contents of the caches evenly if the traffic is random enough. In a
redundant configuration, the cache servers continue to work even if the active ACE switches over to
the standby ACE. For information about configuring redundancy, see the “Configuring High
Availability” section on page 13-1.
• Least Bandwidth—Selects the server with the least amount of network traffic over a specified
sampling period. Use this type for server farms with heavy traffic, such as downloading video clips.
• Least Connections—Selects the server with the fewest number of active connections based on server
weight. For the least connection predictor, you can configure a slow-start mechanism to avoid
sending a high rate of new connections to servers that you have just put into service.
• Least Loaded—Selects the server with the lowest load as determined by information from SNMP
probes.
• Response—Selects the server with the lowest response time for a specific response-time
measurement.
• Round Robin—Selects the next server in the list of real servers based on server weight (weighted
round-robin). Servers with a higher weight value receive a higher percentage of the connections. This
is the default predictor.
Note The different hash predictor methods do not recognize the weight value that you configure for real
servers. The ACE uses the weight that you assign to real servers only in the round-robin and
least-connections predictor methods.
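The following model is an added example, not the ACE's own code, that shows the behaviour the predictor list and the Note above describe: weighted round-robin hands out connections in proportion to weight, least connections compares the connection count relative to weight, the Hash Address predictor never looks at weight (so the same source address always lands on the same server, which is what firewall load balancing needs), and a real server taken out of service drops out of every decision. The server names, addresses and weights are assumed, and the interleaved ordering used for weighted round-robin is one reasonable model; the ACE's exact pick order is not stated on this page.

```python
"""Illustrative model of the ACE load-balancing predictors (added example).

Assumed: server names/addresses, weights, and the smooth interleaving used
for weighted round-robin. Not the ACE's implementation.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    ip: str
    weight: int = 1          # relative weight (assumed default; ACE's default is not given here)
    in_service: bool = True  # False after a probe failure, ARP timeout, or admin Out Of Service
    active_conns: int = 0


class ServerFarm:
    def __init__(self, servers: list[RealServer]) -> None:
        if not servers:
            raise ValueError("server farm needs at least one real server")
        self.servers = servers
        self._rr_credit = {s.name: 0 for s in servers}  # weighted round-robin state

    def in_service(self) -> list[RealServer]:
        # A server taken out of service is excluded from every predictor.
        pool = [s for s in self.servers if s.in_service]
        if not pool:
            raise RuntimeError("all real servers are out of service")
        return pool

    def round_robin(self) -> RealServer:
        """Weighted round-robin (the default predictor): over one full cycle each
        in-service server gets a share of picks proportional to its weight,
        interleaved rather than served in runs."""
        pool = self.in_service()
        total = sum(s.weight for s in pool)
        for s in pool:
            self._rr_credit[s.name] += s.weight
        chosen = max(pool, key=lambda s: self._rr_credit[s.name])  # first wins ties
        self._rr_credit[chosen.name] -= total
        return chosen

    def least_connections(self) -> RealServer:
        """Least connections 'based on server weight': the lowest ratio of active
        connections to weight wins, so a heavier server can win with more raw
        connections than a lighter one."""
        return min(self.in_service(), key=lambda s: s.active_conns / s.weight)

    def hash_address(self, src_ip: str, dst_ip: str | None = None) -> RealServer:
        """Hash Address predictor: deterministic choice from the source (and,
        if given, destination) address; weight is never consulted. Because
        the pool size is part of the hash, a server leaving service can move
        other flows too."""
        pool = self.in_service()
        key = src_ip if dst_ip is None else f"{src_ip}>{dst_ip}"
        # sha256 rather than hash(): Python salts str hashing per process,
        # which would make the mapping differ from run to run.
        digest = hashlib.sha256(key.encode()).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def pick_counts(farm: ServerFarm, predictor: str, n: int) -> dict[str, int]:
    """Run one predictor n times and count how often each server is chosen."""
    counts: dict[str, int] = {}
    for _ in range(n):
        s = getattr(farm, predictor)()
        counts[s.name] = counts.get(s.name, 0) + 1
    return counts


if __name__ == "__main__":
    farm = ServerFarm([RealServer("web1", "10.1.1.1", weight=3),
                       RealServer("web2", "10.1.1.2", weight=1)])
    print("weighted round-robin, 8 picks:", pick_counts(farm, "round_robin", 8))
    farm.servers[0].in_service = False          # e.g. health probe failed
    print("after web1 out of service:", pick_counts(farm, "round_robin", 4))
```

Running the block prints the 3:1 split for weights 3 and 1 and then shows every pick going to web2 once web1 is out of service; the same farm with hash_address returns a fixed server per client address regardless of the weights configured.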
Related Topics
Configuring the Predictor Method for Server Farms, page 8-39
Real Servers
To provide services to clients, you configure real servers on the ACE. Real servers can be dedicated
physical servers or VMware virtual machines (VMs) that you configure in groups called server farms.
Note VMs that you define as real servers can be VMs associated with a VMware vCenter Server that you
import into ANM (see the “Importing VMware vCenter Servers” section on page 5-24) and VMs that the
ACE recognizes when configured for Dynamic Workload Scaling (see the “Configuring Dynamic
Workload Scaling” section on page 8-26).
Real servers provide client services such as HTTP or XML content, website hosting, FTP file uploads
or downloads, redirection for web pages that have moved to another location, and so on. You identify
real servers with names and characterize them with IP addresses, connection limits, and weight values.
The ACE also allows you to configure backup servers in case a server is taken out of service for any
reason.
After you create and name a real server on the ACE, you can configure several parameters, including
connection limits, health probes, and weight. You can assign a weight to each real server based on its
relative importance to other servers in the server farm. The ACE uses the server weight value for the
weighted round-robin and the least-connections load-balancing predictors. The load-balancing predictor
algorithms (for example, round-robin, least connections, and so on) determine the servers to which the
ACE sends connection requests. For a listing and brief description of the load-balancing predictors, see
the “Load-Balancing Predictors” section on page 8-2.
The ACE uses traffic classification maps (class maps) within policy maps to identify traffic that meets
defined criteria and to apply specific actions to that traffic based on the SLB configuration.
If a primary real server fails, the ACE takes that server out of service and no longer includes it in
load-balancing decisions. If you configured a backup server for the real server that failed, the ACE
redirects the primary real server connections to the backup server. For information about configuring a
backup server, see the “Configuring Virtual Server Layer 7 Load Balancing” section on page 7-30.
The ACE can take a real server out of service for the following reasons:
• Probe failure
• ARP timeout
• Neighbor Discovery (ND) failure (IPv6 only, which requires ACE module and ACE appliance
software Version A5(1.0) or later)
• Specifying Out Of Service as the administrative state of a real server
• Specifying Inservice Standby as the administrative state of a real server
The Out Of Service and Inservice Standby selections both provide the graceful shutdown of a server.
Related Topics
• Configuring Real Servers, page 8-5
• Configuring Health Monitoring for Real Servers, page 8-51
Dynamic Workload Scaling Overview
Note Dynamic Workload Scaling requires ACE module or appliance software Version A4(2.0) or later and a
pair of the Cisco Nexus 7000 Series switches with Overlay Transport Virtualization (OTV) technology.
The ACE Dynamic Workload Scaling (DWS) feature permits on-demand access to remote resources,
such as VMs, that you own or lease from an Internet service provider or cloud service provider. This
feature uses Cisco Nexus 7000 Series switches with OTV to create a Data Center Interconnect (DCI) on
a Layer 2 link over an existing IP network between geographically distributed data centers (see
Figure 1-1). The local data center Cisco Nexus 7000 Series switch contains an OTV forwarding table
that lists the MAC addresses of the Layer 2 extended virtual private network (VPN) and identifies the
addresses as either local or remote.
When you configure the ACE for DWS, the ACE uses an XML query to poll the Cisco Nexus 7000 Series
switch and obtain the OTV forwarding table information to determine the locality of the VMs (local or
remote). The ACE also uses a health monitor probe that it sends to the local VMware vCenter Server to
monitor the load of the local VMs based on CPU usage, memory usage, or both. When the average CPU
and/or memory usage of the local VMs reaches its configured maximum threshold value, the ACE bursts
traffic to the remote VMs. The ACE stops bursting traffic to the remote VMs when local VM usage drops
below its configured minimum threshold value.
To use DWS, you configure the ACE to connect to the Data Center Interconnect device (Cisco Nexus
7000 Series switch) and the VMware Controller associated with the local and remote VMs. You also
configure the ACE with the probe type VM to monitor a server farm’s local VM CPU and memory usage,
which determines when the ACE bursts traffic to the remote VMs (see the “Configuring Dynamic
Workload Scaling” section on page 8-26).
For more details on this feature, see the Cisco 4700 Series Application Control Engine Appliance Server
Load-Balancing Configuration Guide.
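The burst decision described above has two thresholds, and the gap between them matters: once the ACE is bursting, a load that merely falls below the maximum does not end the burst. The model below is an added example, not ACE code, that tracks the DWS state of one server farm (Local or Expanded, as shown in the DWS column of Table 7-23) from VM probe readings. The threshold values and VM names are assumptions, as is the rule used when the probe watches both CPU and memory (either metric reaching the maximum starts a burst; both must drop below the minimum to end it).

```python
"""Hysteresis model of the Dynamic Workload Scaling burst decision (added example).

Assumed: threshold percentages, VM names, and how CPU and memory combine
when the probe watches both. Not the ACE's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean


@dataclass
class DwsMonitor:
    max_threshold: float          # percent; average load reaching it starts bursting to remote VMs
    min_threshold: float          # percent; average load dropping below it stops the burst
    metric: str = "cpu"           # the VM probe can watch "cpu", "mem" or "both"
    state: str = "Local"          # DWS column of Table 7-23: Local or Expanded

    def __post_init__(self) -> None:
        if not 0 <= self.min_threshold < self.max_threshold <= 100:
            raise ValueError("need 0 <= min_threshold < max_threshold <= 100")
        if self.metric not in ("cpu", "mem", "both"):
            raise ValueError("metric must be cpu, mem or both")

    def observe(self, samples: list[tuple[float, float]]) -> str:
        """Feed one probe round of (cpu_pct, mem_pct) per local VM; return the new state."""
        if not samples:
            raise ValueError("no local VM samples")
        avg_cpu = mean(c for c, _ in samples)
        avg_mem = mean(m for _, m in samples)
        if self.metric == "cpu":
            saturated = avg_cpu >= self.max_threshold
            recovered = avg_cpu < self.min_threshold
        elif self.metric == "mem":
            saturated = avg_mem >= self.max_threshold
            recovered = avg_mem < self.min_threshold
        else:
            # Assumption: either metric saturating starts a burst; both must
            # recover before the burst ends.
            saturated = avg_cpu >= self.max_threshold or avg_mem >= self.max_threshold
            recovered = avg_cpu < self.min_threshold and avg_mem < self.min_threshold
        # Between the two thresholds nothing changes: that gap is the hysteresis
        # that stops the ACE flapping between Local and Expanded.
        if self.state == "Local" and saturated:
            self.state = "Expanded"
        elif self.state == "Expanded" and recovered:
            self.state = "Local"
        return self.state

    def targets(self, local_vms: list[str], remote_vms: list[str]) -> list[str]:
        """VMs that receive traffic in the current state."""
        return list(local_vms) + (list(remote_vms) if self.state == "Expanded" else [])


if __name__ == "__main__":
    m = DwsMonitor(max_threshold=80, min_threshold=60)
    for reading in ([(70, 30), (70, 30)], [(90, 30), (80, 30)], [(70, 30), (70, 30)], [(50, 30), (60, 30)]):
        print(reading, "->", m.observe(reading), m.targets(["vm-local-1"], ["vm-remote-1"]))
```

The sample readings in the block are constructed: average CPU goes 70, 85, 70, 55, and the state goes Local, Expanded, Expanded (70 is below the maximum but not below the minimum), Local.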
Server Farms
Typically, in data centers, servers are organized into related groups called server farms. Servers within
server farms often contain identical content (referred to as mirrored content) so that if one server
becomes inoperative, another server can take its place immediately. Also, having mirrored content
allows several servers to share the load of increased demand during important local or international
events, such as the Olympic Games. This phenomenon of a sudden large demand for content is called a
flash crowd.
After you create and name a server farm, you can add existing real servers to it and configure other server
farm parameters, such as the load-balancing predictor, server weight, backup server, health probe, and
so on. For a listing and brief description of load-balancing predictors, see the “Load-Balancing
Predictors” section on page 8-2.
Related Topics
Configuring Server Farms, page 8-30
Configuring Real Servers
Real servers are dedicated physical servers that are typically configured in groups called server farms.
These servers provide services to clients, such as HTTP or XML content, streaming media (video or
audio), TFTP or FTP services, and so on. When configuring real servers, you assign names to them and
specify IP addresses, connection limits, and weight values.
The ACE uses traffic classification maps (class maps) within policy maps to filter specified traffic and
to apply specific actions to that traffic based on the load-balancing configuration. A load-balancing
predictor algorithm (such as round-robin or least connections) determines the servers to which the ACE
sends connection requests. For information about configuring class maps, see the “Configuring Virtual
Context Class Maps” section on page 14-6.
This section includes the following topics:
• Configuring Load Balancing on Real Servers, page 8-6
• Displaying Real Server Statistics and Status Information, page 8-9
Configuring Load Balancing on Real Servers
You can configure load balancing on real servers.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Real Servers.
The Real Servers table appears.
Step 2 In the Real Servers table, click Poll Now to instruct ANM to poll the devices and display the current
values, and click OK when prompted if you want to poll the devices for data now.
Step 3 Click Add to add a new real server, or choose a real server you want to modify and click Edit.
The Real Servers configuration window appears.
Step 4 In the Real Servers configuration window, configure the server using the information in Table 8-1.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 8-1 Real Server Attributes
Field Description
Name Field that allows you to either enter a unique name for this server or accept the automatically
incremented value in this field. Valid entries are unquoted text strings with no spaces and a
maximum of 64 characters.
Type Type of server:
• Host—The real server provides content and services to clients.
• Redirect—The server redirects traffic to a new location.
State State of the real server:
• In Service—The real server is in service.
• Out Of Service—The real server is out of service.
Description Brief description for this real server. Valid entries are strings of up to 240 characters. Spaces and
special characters are allowed.
IP Address Type Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later,
which supports IPv4 and IPv6. These selections appear only for real servers specified as hosts.
Select the IP address type of this real server:
• IPv6—The real server has an IPv6 address.
• IPv4—The real server has an IPv4 address.
IPv6/IPv4 Address For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not
include the IP version number. This field appears for only real servers specified as hosts.
Enter a unique IP address as indicated by the IP Address Type field. The IP address cannot be of an
existing virtual IP address (VIP), real server or interface in the context.
Fail-On-All Field that appears only for real servers identified as host servers.
By default, real servers with multiple probes configured for them have an OR logic associated with
them, which means that if one of the real server probes fails, the real server fails and enters the
PROBE-FAILED state.
Check this checkbox to configure a real server to remain in the OPERATIONAL state unless all
probes associated with it fail (AND logic).
The Fail-On-All function is applicable to all probe types.
Min. Connections Minimum number of connections to be allowed on this server before the ACE starts sending
connections again after it has exceeded the Max. Connections limit. This value must be less than or
equal to the Max. Connections value. By default, this value is equal to the Max. Connections value.
Valid entries are from 2 to 4000000.
Max. Connections Maximum number of active connections allowed on this server. When the number of connections
exceeds this value, the ACE stops sending connections to this server until the number of
connections falls below the Min. Connections value. Valid entries are from 2 to 4000000, and the
default is 4000000.
Weight Field that appears only for real servers identified as hosts.
Enter the weight to be assigned to this real server in a server farm. Valid entries are from 1 to 100,
and the default is 8.
Probes Field that appears only as follows:
• For all host real servers. The Available probe list contains all configured probe types.
• For redirect real servers configured on ACE devices that use the following software versions:
– ACE module: A2(3.x) and later releases
– ACE appliance: A3(x) and later releases
The redirect real server Available probe list contains only configured probes of the type
Is Routed, which means that the ACE routes the probe address according to the ACE internal
routing table (see the “Configuring Health Monitoring for Real Servers” section on page 8-51).
In the Probes field, choose the probes to use for health monitoring in the Available Items list, and
click Add. The probes appear in the Selected Items list.
Note The probe must have the same IP address type (IPv6 or IPv4) as the real server. For
example, you cannot configure an IPv6 probe to an IPv4 real server. IPv6 requires ACE
module and ACE appliance software Version A5(1.0) or later.
Note The list of available probes does not include VM probes used to monitor local VM usage.
To remove probes that you do not want to use for health monitoring, choose them in the Selected
Items list, and click Remove. The probes appear in the Available probe list.
Web Host Redirection URL string used to redirect requests to another server. This field appears only for real servers
identified as redirect servers. Enter the URL and port used to redirect requests to another server.
Valid entries are in the form http://host.com:port where host is the name of the server and port is
the port to be used. Valid host entries are unquoted text strings with no spaces and a maximum of
255 characters. Valid port numbers are from 1 to 65535.
The relocation string supports the following special characters:
• %h—Inserts the hostname from the request Host header
• %p—Inserts the URL path string from the request
Redirection Code Field that appears only for real servers identified as redirect servers.
Choose the appropriate redirection code:
• N/A—Webhost redirection code is not defined.
• 301—Requested resource has been moved permanently. For future references to this resource,
the client should use one of the returned URIs.
• 302—Requested resource has been found, but has been moved temporarily to another location.
For future references to this resource, the client should use the request URI because the
resource may be moved to other locations from time to time.
Rate Bandwidth Bandwidth rate is the number of bytes per second and applies to the network traffic exchanged
between the ACE and the real server in both directions.
Specify the real server bandwidth limit in bytes per second. Valid entries are from 2 to 300000000.
The default is 300000000.
Rate Connection Connection rate is the number of connections per second received by the ACE and applies only to
new connections destined to a real server.
Specify the limit for connections per second. Valid entries are from 2 to 350000. The default is
350000.
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Real Servers
table.
• Click Next to deploy your entries and to configure another real server.
Step 6 To display statistics and status information for an existing real server, choose a real server from the Real
Servers table, then click Details. The show rserver name detail CLI command output appears. See the
“Displaying Real Server Statistics and Status Information” section on page 8-9 for details.
Related Topics
• Managing Real Servers, page 8-9
• Configuring Health Monitoring for Real Servers, page 8-51
• Configuring Server Farms, page 8-30
• Configuring Sticky Groups, page 9-7
Displaying Real Server Statistics and Status Information
You can display statistics and status information for a particular real server.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Real Servers.
The Real Servers table appears.
Step 2 In the Real Servers table, choose a real server from the Real Servers table, and click Details.
The show rserver name detail CLI command output appears. For details on the displayed output fields,
see either the Cisco ACE Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700
Series Appliance Server Load-Balancing Configuration Guide, Chapter 2, Configuring Real Servers and
Server Farms.
Step 3 Click Update Details to refresh the output for the show rserver name detail CLI command. The new
information appears in a separate panel with a new timestamp; both the old and the new real server
statistics and status information appear side-by-side to avoid overwriting the last updated information.
Step 4 Click Close to return to the Real Servers table.
Related Topics
• Configuring Real Servers, page 8-5
• Managing Real Servers, page 8-9
• Displaying Real Servers, page 8-18
Managing Real Servers
This section shows how to display and manage the real servers from the Real Servers window (Config >
Operations > Real Servers). This window provides you with information about each real server
configured on ANM (see the “Displaying Real Servers” section on page 8-18) and provides access to
function buttons that allow you to perform tasks such as activate or suspend a real server, display a real
server topology map, or display connection statistics graphs.
Guidelines and Restrictions
The Real Servers window contains a Rows per page option that includes an All setting for displaying all
configured real servers in one window. Use the All setting for viewing purposes only. ANM does not
allow you to perform any operation from this window if you have more than 200 real servers selected.
For example, if you use the All option to display and select more than 200 real servers and then attempt
to perform the suspend operation, ANM cancels the request and displays an error message.
This section includes the following topics:
• Managing Real Server Groups, page 8-10
• Activating Real Servers, page 8-14
• Suspending Real Servers, page 8-15
• Modifying Real Server Weight Value, page 8-17
• Displaying Real Servers, page 8-18
• Using the Real Server Connection Statistics Graph, page 8-22
• Using the Real Server Topology Map, page 8-23
• CLI Commands Sent from the Real Server Table, page 8-23
• Server Weight Ranges, page 8-25
Managing Real Server Groups
This section describes how to organize real servers into groups, which allows you to display and manage
a specific group of real servers without having to filter the real server display. When creating a group,
you specify whether the group is available to just you or is available globally to all ANM users.
The real server group feature is available from the real servers operations window (Config >
Operations > Real Servers), which contains the Groups option for managing object groups. Figure 8-1
shows the Groups icon with the following available options for managing object groups:
• Create New Group—Adds a new group.
• Edit Group—Modifies an existing group. This option displays only after you select a group to
display in Group mode.
• Exit Group Mode—Changes the display from the specific group display to the display of all real
servers. This option displays only after you select a group and the display enters the Group mode.
• Saved Groups—Lists the currently configured groups with each group’s privilege level (local or
global) and owner. From this view, you can choose a group to display or delete a group.
Figure 8-1 Object Grouping for Real Servers
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• When you create a global group, other users can see the group if they have access to at least one
object within the group. This rule does not apply to the admin user or a user with the anm-admin
role because they have visibility to all global groups.
• To edit or delete a group, you must be the group owner, a user with the anm-admin role, or the admin
user.
• When you delete a locally authenticated user from the ANM database, ANM deletes all the global
and user-specific groups that the user created. However, when you delete a remotely authorized user
from the remote AAA server database, ANM does not delete the groups that the user created. In this
case, you must manually delete the user’s groups.
This section includes the following topics:
• Creating a Real Server Group, page 8-11
• Editing or Copying a Real Server Group, page 8-12
• Displaying a Real Server Group, page 8-13
• Deleting a Real Server Group, page 8-13
Creating a Real Server Group
You can create a real server group.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears.
Step 2 Click the Groups icon located above the Real Servers table.
The Groups menu appears below the icon (see Figure 8-1).
Step 3 From the Groups menu, choose Create New Group.
The display enters the edit mode and the Creating a New Group table appears with the list of the available
real servers.
Step 4 From the Creating a New Group table, check the check box next to the real servers that you want to
include in the group.
Step 5 (Optional) Check the Hide unselected check box to display only the real servers that you have chosen.
Uncheck the check box to display all the available real servers.
Step 6 Do one of the following:
• Click Save as to save the group information. The Create Group popup window appears.
From the popup window, do the following:
a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters.
Special characters and spaces are allowed.
b. Choose the availability of the group by clicking one of the following radio buttons:
– This user only (local)—Only you can view, modify, or delete the group.
– All users (global)—All ANM users can view the group if they have permission to view at least
one of the real servers associated with the group. The admin user or a user with the anm-admin
role can view all groups and can also edit or delete any group.
c. Do one of the following:
– Click Save to save the group information. The Create Group popup window closes and the
Viewing Group table appears, displaying the new group’s name and associated real servers.
To exit Group mode and return to the Real Servers table, click the Groups icon and click Exit
Group Mode from the Groups menu.
– Click Cancel to close the Create Group popup window without saving any information and to
return to the Creating a New Group table.
• Click Back to View to exit the Group mode and return to the Virtual Servers table.
Related Topics
• Managing Real Server Groups, page 8-10
• Editing or Copying a Real Server Group, page 8-12
• Displaying a Real Server Group, page 8-13
• Deleting a Real Server Group, page 8-13
Editing or Copying a Real Server Group
You can edit a real server group or create a copy of a real server group under a different name.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears.
Step 2 Click the Groups icon located above the Real Servers table.
The Groups menu appears below the icon (see Figure 8-1).
Step 3 From the Groups menu, choose the group that you want to edit.
The Viewing Group table appears, displaying the selected group’s name and associated real servers.
Step 4 Click the Groups icon again and from the Groups menu, choose Edit Group.
The Editing Group table appears, displaying the complete list of available real servers with the real
servers currently associated with the group highlighted and checked.
Step 5 Modify the group by adding (check) or removing (uncheck) real servers as needed. Skip this
step if you only want to save a copy of the current group under a different name.
Step 6 Do one of the following:
• Click Save to save the changes and return to the Viewing Group table, where you can view the
changes.
• Click Save as to save the configuration under a new group name. The Create Group popup window
appears.
From the popup window, do the following:
a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters.
Special characters and spaces are allowed.
b. Choose the availability of the group by clicking one of the following radio buttons:
– This user only (local)—Only you can view, modify, or delete the group.
– All users (global)—All ANM users can view the group if they have permission to view at least
one of the real servers associated with the group. The admin user or a user with the anm-admin
role can view all global groups and can also edit or delete these groups.
c. Do one of the following:
– Click Save to save the group information. The Create Group popup window closes and the
Viewing Group table appears, displaying the new group’s name and associated real servers.
– Click Cancel to close the Create Group popup window without saving any information and to
return to the Creating a New Group table.
Click Back to View to exit the edit mode and return to the Group mode.
Step 7 (Optional) To exit Group mode and return to the Real Servers table, click the Groups icon and click Exit
Group Mode from the Groups menu.
Related Topics
• Managing Real Server Groups, page 8-10
• Creating a Real Server Group, page 8-11
• Displaying a Real Server Group, page 8-13
• Deleting a Real Server Group, page 8-13
Displaying a Real Server Group
You can display the list of real servers associated with a real server group.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears.
Step 2 Click the Groups icon located above the Real Servers table.
The Groups menu appears below the icon (see Figure 8-1).
Step 3 From the Groups menu, choose the group that you want to display.
The Viewing Group table appears, displaying the selected group’s name and associated real servers.
Step 4 (Optional) To exit Group mode and return to the Real Servers table, click the Groups icon and click Exit
Group Mode from the Groups menu.
Related Topics
• Managing Real Server Groups, page 8-10
• Creating a Real Server Group, page 8-11
• Editing or Copying a Real Server Group, page 8-12
• Deleting a Real Server Group, page 8-13
Deleting a Real Server Group
You can delete a real server group. Deleting a real server group does not delete the group’s associated
real servers from the ANM database.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears.
Step 2 Click the Groups icon located above the Real Servers table.
The Groups menu appears below the icon (see Figure 8-1).
Step 3 From the Groups menu, click X (delete) next to the group that you want to delete.
The Delete Group confirmation popup window appears.
Step 4 From the Delete Group confirmation popup window, do one of the following:
• Click Delete to remove the real server group.
• Click Cancel to ignore the deletion request.
Related Topics
• Managing Real Server Groups, page 8-10
• Creating a Real Server Group, page 8-11
• Editing or Copying a Real Server Group, page 8-12
• Displaying a Real Server Group, page 8-13
Activating Real Servers
You can activate a real server.
Note If you are using the ANM plug-in for vCenter Server to access ANM, see the “Activating Real Servers
Using vSphere Client” section on page B-15.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears.
Step 2 (Optional) To display only the real servers of a specific real server group, do the following:
a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the
icon (see Figure 8-1).
b. From the Groups menu, choose the group to display.
Step 3 From the Real Servers table, choose the servers that you want to activate, and click Activate.
The Activate Server window appears.
Step 4 In the Reason field of the Activate Server window, enter a reason for this action.
You might enter a trouble ticket, an order ticket, or a user message.
Note Do not enter a password in this field.
Step 5 Do one of the following:
• Click OK to activate the server and to return to the Real Servers table. The server appears in the
table with the status Inservice.
• Click Cancel to exit this procedure without activating the server and to return to the Real Servers
table.
Related Topics
• Managing Real Servers, page 8-9
• Managing Real Server Groups, page 8-10
• Suspending Real Servers, page 8-15
• Displaying Real Servers, page 8-18
• Using the Real Server Connection Statistics Graph, page 8-22
• Using the Real Server Topology Map, page 8-23
Suspending Real Servers
You can suspend a real server.
Note If you are using the ANM plug-in for vCenter Server to access ANM, see the “Suspending Real Servers
Using vSphere Client” section on page B-16.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears.
Step 2 (Optional) To display only the real servers of a specific real server group, do the following:
a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the
icon (see Figure 8-1).
b. From the Groups menu, choose the group to display.
Step 3 In the Real Servers table, choose the server that you want to suspend, and click Suspend.
The Suspend Real Servers window appears.
Step 4 In the Reason field of the Suspend Real Servers window, enter the reason for this action.
You might enter a trouble ticket, an order ticket, or a user message.
Note Do not enter a password in this field.
Step 5 From the Suspend Real Servers Type drop-down list, choose one of the following:
• Graceful—When executed on a primary server, the ACE gracefully shuts down the server with
sticky connections as follows:
– Tears down existing non-TCP connections to the server
– Allows current TCP connections to complete
– Allows new sticky connections for existing server connections that match entries in the sticky
database
– Load balances all new connections (other than the matching sticky connections mentioned
above) to the other servers in the server farm
When executed on a backup real server, the ACE places the backup server in service standby mode.
Note For the CSS, when the device is in the In Service admin state and you perform a graceful suspend
operation, ANM saves the last known non-zero service (or real server) weight, and then sets the
weight to zero. ANM references the saved weight when performing an Activate operation. If the
current weight is zero, and a non-zero weight has been saved for that service (or real server), the
Activate operation also sets the weight to the saved value.
To allow ANM to save and reset the weight value when gracefully suspending and then
activating the CSS, you must have the device configured to permit SNMP traffic. For each device
type, see the corresponding configuration guide to configure the device to permit SNMP traffic.
When the CSS is in the In Service Standby admin state and you perform a graceful suspend
operation, ANM does not set the weight to zero.
Note Graceful suspend and suspend options vary by device type. For the commands deployed by the
device type when these options are selected, see the “CLI Commands Sent from the Real Server
Table” section on page 8-23.
• Suspend—The ACE resets all non-TCP connections to the server. For TCP connections, existing
flows are allowed to complete before the ACE takes the real server out of service. No new
connections are allowed. The ACE resets all Secure Sockets Layer (SSL) connections to the real
server.
• Suspend and Clear Connections—Performs the tasks described for Suspend and clears the existing
connections to this server.
Step 6 Do one of the following:
• Click Deploy Now to suspend the server and to return to the Real Servers table. The server appears
in the table with the status Out Of Service.
• Click Cancel to exit this procedure without suspending the server and to return to the Real Servers
table.
Related Topics
• Managing Real Servers, page 8-9
• Managing Real Server Groups, page 8-10
• Activating Real Servers, page 8-14
• Displaying Real Servers, page 8-18
• Using the Real Server Connection Statistics Graph, page 8-22
• Using the Real Server Topology Map, page 8-23
Modifying Real Server Weight Value
You can modify the weight value assigned to a real server that defines the connection capacity of the
server in relation to the other real servers. The ACE uses the weight value that you specify for a server
in the weighted round-robin and least-connections load-balancing predictors. Servers with a higher
configured weight value have a higher priority with respect to connections than servers with a lower
weight. For example, a server with a weight of 5 would receive five connections for every one connection
for a server with a weight of 1.
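An added Python model, not Cisco code, of the real server attributes from Table 8-1 that decide whether a server receives a new connection, together with the weight ratio described above: Fail-On-All (OR versus AND probe logic), the Min./Max. Connections throttle with its hysteresis, and weighted round-robin. The smooth weighted round-robin algorithm used here is one way to realise the stated 5:1 ratio and is an assumption about, not a description of, the ACE's own implementation; class and function names are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_CONNECTIONS_LIMIT = 4000000   # upper bound of the Min./Max. Connections range (Table 8-1)


@dataclass
class RealServer:
    """A host real server with the Table 8-1 attributes that affect selection."""
    name: str
    weight: int = 8                         # default weight in Table 8-1
    max_connections: int = MAX_CONNECTIONS_LIMIT
    min_connections: Optional[int] = None   # defaults to max_connections, as in Table 8-1
    fail_on_all: bool = False
    probe_results: Dict[str, bool] = field(default_factory=dict)  # probe name -> passed
    active_connections: int = 0
    _throttled: bool = field(default=False, init=False)

    def __post_init__(self) -> None:
        if not 1 <= self.weight <= 100:
            raise ValueError("weight must be 1..100")
        if self.min_connections is None:
            self.min_connections = self.max_connections
        if not 2 <= self.min_connections <= self.max_connections <= MAX_CONNECTIONS_LIMIT:
            raise ValueError("need 2 <= Min. Connections <= Max. Connections <= 4000000")

    def probe_state(self) -> str:
        """OPERATIONAL or PROBE-FAILED. Default OR logic fails the server on any
        failed probe; Fail-On-All (AND logic) fails it only when every probe fails."""
        if not self.probe_results:
            return "OPERATIONAL"
        failures = sum(1 for ok in self.probe_results.values() if not ok)
        if self.fail_on_all:
            failed = failures == len(self.probe_results)
        else:
            failed = failures > 0
        return "PROBE-FAILED" if failed else "OPERATIONAL"

    def accepts_new_connections(self) -> bool:
        """Connection-limit hysteresis: once active connections exceed Max.,
        the server is skipped until they fall below Min."""
        if self.active_connections > self.max_connections:
            self._throttled = True
        elif self._throttled and self.active_connections < self.min_connections:
            self._throttled = False
        return self.probe_state() == "OPERATIONAL" and not self._throttled


class WeightedRoundRobin:
    """Smooth weighted round-robin over the eligible servers: within one cycle
    each server is chosen in proportion to its weight, so a weight-5 server
    receives five connections for every one a weight-1 server receives."""

    def __init__(self, servers: List[RealServer]) -> None:
        self.servers = servers
        self._credit = {s.name: 0 for s in servers}

    def next_server(self) -> Optional[RealServer]:
        eligible = [s for s in self.servers if s.accepts_new_connections()]
        if not eligible:
            return None                   # nothing operational: the connection cannot be placed
        for s in eligible:
            self._credit[s.name] += s.weight
        chosen = max(eligible, key=lambda s: self._credit[s.name])
        self._credit[chosen.name] -= sum(s.weight for s in eligible)
        return chosen

    def distribute(self, n: int) -> Counter:
        """Place n new connections and return how many each server received."""
        counts: Counter = Counter()
        for _ in range(n):
            s = self.next_server()
            if s is None:
                break
            counts[s.name] += 1
        return counts


if __name__ == "__main__":
    farm = WeightedRoundRobin([RealServer("big", weight=5), RealServer("small", weight=1)])
    print(dict(farm.distribute(12)))   # {'big': 10, 'small': 2}
```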
Note If you are using the ANM plug-in for vCenter Server to access ANM, see the “Modifying Real Server
Weight Value Using vSphere Client” section on page B-18.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears.
Step 2 (Optional) To display only the real servers of a specific real server group, do the following:
a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the
icon (see Figure 8-1).
b. From the Groups menu, choose the group to display.
Step 3 In the Real Servers table, choose the servers whose configuration you want to modify, and click Change
Weight below the table to the right of Activate and Suspend.
The Change Weight Real Servers window appears.
Step 4 In the Change Weight Real Servers window, enter the following information for the selected server:
• Reason for change such as trouble ticket, order ticket or user message.
Note Do not enter a password in this field.
• Weight value (for allowable ranges for each device type, see Table 8-5).
Step 5 Do one of the following:
• Click Deploy Now to accept your entries and to return to the Real Servers table. The server appears
in the table with the updated information.
• Click Cancel to exit this procedure without saving your entries and to return to the Real Servers
table.
Related Topics
• Managing Real Servers, page 8-9
• Managing Real Server Groups, page 8-10
• Activating Real Servers, page 8-14
• Displaying Real Servers, page 8-18
• Using the Real Server Connection Statistics Graph, page 8-22
• Using the Real Server Topology Map, page 8-23
Displaying Real Servers
You can display the list of real servers configured on ANM with information specific to each server.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears, which contains the information described in Table 8-2.
Note In the table, N/A indicates that either the information is not available from the database or that
it is not being collected using SNMP.
Table 8-2 Real Server Table Fields
Item Description
Name Real server name.
For CSM real servers only, if you have the reverse DNS lookup feature enabled, ANM displays the
DNS name of the CSM real server in this field. ANM learns and updates the DNS names during the
following operations:
• CSM import
• CSM CLI synchronization
• ANM restart
By default, the reverse DNS lookup feature is disabled. You can enable it by modifying the ANM
properties file and restarting ANM as follows:
a. echo "cisco.anm.enable-csm-dns-lookup=true" >> /opt/CSCOanm/etc/cs-config.properties
b. /opt/CSCOanm/bin/anm-tool restart
IP address Real server IP address.
Port Port used by the real server for communications.
VM Virtual machine indicator that specifies if the real server is a VMware vCenter Server virtual machine
(Yes) or is not a virtual machine (–).
If the indicator state is Yes, you can click this link to open the Virtual Machine Details popup window
to display statistical information about the VM. ANM polls the VM on a regular basis to update the
displayed information.
Click OK to close the popup window and return to the Real Servers table.
Vservers Associated virtual servers.
HA Indicators that display when the real server is part of a high availability pair. The indicators are as
follows:
• Asterisk (*)—The real server is associated with an HA pair and the HA configuration is complete.
• Red dash (-)—The real server is associated with an HA pair; however, the HA configuration is
incomplete. Typically, the HA pair is not properly configured for HA or only one of the devices
has been imported into ANM. Ensure that both devices are imported into ANM and that they are
configured as described in the “Configuring ACE High Availability” section on page 13-14.
The table displays HA pair real servers together in the same row and they remain together no matter
how you sort the information.
SLB Device Name of the server load-balancing device.
Admin Administrative state of the real server: In Service, Out Of Service, or In Service Standby.
Table 8-2 Real Server Table Fields (continued)
Item Description
Oper Operational state of the real server. Possible states are as follows:
• Failed—Server has failed and is not retried for the amount of time specified by its retry timer.
• Inband probe failed—Server has failed the inband Health Probe agent.
• Inservice—Server is in use as a destination for server load-balancing client connections.
• Inservice standby—Server is the backup real server, which remains inactive unless the primary real
server fails.
• Operation wait—Server is ready to become operational but is waiting for the associated redirect
virtual server to be in service.
• Out of service—Server is not in use by a server load balancer as a destination for client
connections.
• Probe failed—Server load-balancing probe to this server has failed. No new connections are
assigned to this server until a probe to this server succeeds.
• Probe testing—Server has received a test probe from the server load balancer.
• Ready to test—Server has failed and its retry timer has expired; test connections will begin
flowing to it soon.
• Return code failed—Server has been disabled because it returned an HTTP code that matched a
configured value.
• Test wait—Server is ready to be tested. This state is applicable only when the server is used for
HTTP redirect load balancing.
• Testing—Server has failed and has been given another test connection. The success of this
connection is not known.
• Throttle: DFP—DFP has lowered the weight of the server to throttle level; no new connections
are assigned to the server until DFP raises its weight.
• Throttle: max clients—Server has reached its maximum number of allowed clients.
• Throttle: max connections—Server has reached its maximum number of connections and is no
longer being given connections.
• Unknown—State of the server is not known.
Note If you have the Details popup window feature enabled, click the value in this column to
open the Details popup window and display detailed information about the real server. By
default, this feature is disabled. For information about enabling or disabling this feature,
see the “Enabling the ACE Real Server Details Popup Window Option” section on
page 18-64.
Conn Number of current connections.
Wt Current server weight.
Locality Item that pertains only to ACE software Version A4(2.0) or later releases on either device type
(appliance or module). Locality also requires that you have the ACE configured for Dynamic Workload
Scaling (see the “Configuring Dynamic Workload Scaling” section on page 8-26).
Location of the real server, which must be a VM and not a physical server. Possible locality states are
as follows:
• N/A—Not available; the ACE cannot determine if the real server is local or remote. A possible
cause for this issue is that Dynamic Workload Scaling is not configured correctly.
• Local—The real server is located in the local network.
• Remote—The real server is located in the remote network. The ACE bursts traffic to this server
when the CPU and/or memory usage of the local real servers reaches the specified maximum
threshold value.
Stat Age Age of the statistical information.
Server Farm Associated server farm.
Step 2 (Optional) To display only the real servers of a specific real server group, do the following:
a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the
icon (see Figure 8-1).
b. From the Groups menu, choose the group to display.
Step 3 (Optional) Use the function buttons located at the bottom of the window to activate or suspend a real
server, change the weight assigned to a real server, and so forth. Table 8-3 describes the check box and
function button options.
Step 4 (Optional) To identify any SNMP-related issues, select the real server’s virtual context in the object
selector. If there are problems with SNMP, the SNMP status appears in the upper right above the content
pane.
Table 8-3 Real Server Window Check Box and Function Button Options
Check Box/Function Button Description
Poll Now Function button that updates the displayed information.
Activate Function button that activates a suspended real server (see the “Activating Real Servers”
section on page 8-14).
Suspend Function button that suspends an active real server (see the “Suspending Real Servers” section
on page 8-15).
Change Weight Function button used to change the weight assigned to a real server (see the “Server Weight
Ranges” section on page 8-25).
Graph Function button that displays the statistics graph for a selected real server (see the “Using the
Real Server Connection Statistics Graph” section on page 8-22).
Topology Function button that displays the topology map for a selected real server (see the “Using the
Real Server Topology Map” section on page 8-23).
Related Topics
• Displaying Real Server Statistics and Status Information, page 8-9
• Using the Real Server Connection Statistics Graph, page 8-22
• Managing Real Server Groups, page 8-10
• Using the Real Server Topology Map, page 8-23
• Activating Real Servers, page 8-14
• Suspending Real Servers, page 8-15
• Modifying Real Server Weight Value, page 8-17
• Enabling the ACE Real Server Details Popup Window Option, page 18-64
• Filtering Entries, page 1-14
Using the Real Server Connection Statistics Graph
You can display real time and historical statistical information about the connections of a real server.
ANM displays the information in graph or chart form. This feature also allows you to compare similar
connection information across multiple real servers.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears.
Step 2 (Optional) To display only the real servers of a specific real server group, do the following:
a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the
icon (see Figure 8-1).
b. From the Groups menu, choose the group to display.
Step 3 In the Real Servers table, check the check box next to the server whose connection information you want
to display, and click Graph.
You can choose up to four real servers if you want to compare statistical data.
The Real Server Graph window appears, displaying the default graph for each selected real server. For
details about using the graph feature, see the “Configuring Historical Trend and Real Time Graphs for
Devices” section on page 17-48.
Related Topics
• Managing Real Server Groups, page 8-10
• Activating Real Servers, page 8-14
• Suspending Real Servers, page 8-15
• Modifying Real Server Weight Value, page 8-17
• Displaying Real Servers, page 8-18
• Using the Real Server Topology Map, page 8-23
Using the Real Server Topology Map
You can display the nodes on your network based on the real server that you select.
Procedure
Step 1 Choose Config > Operations > Real Servers.
The Real Servers table appears.
Step 2 (Optional) To display only the real servers of a specific real server group, do the following:
a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the
icon (see Figure 8-1).
b. From the Groups menu, choose the group to display.
Step 3 In the Real Servers table, choose the server whose topology map you want to display, and click
Topology.
The ANM Topology map appears. The map includes several tools for navigating the network map and
zooming in and out. For details about using the map tools, see the “Displaying Network Topology Maps”
section on page 17-68.
Step 4 Click Exit to return to the Real Server window.
Related Topics
• Managing Real Server Groups, page 8-10
• Activating Real Servers, page 8-14
• Suspending Real Servers, page 8-15
• Modifying Real Server Weight Value, page 8-17
• Displaying Real Servers, page 8-18
• Using the Real Server Connection Statistics Graph, page 8-22
CLI Commands Sent from the Real Server Table
Table 8-4 displays the CLI commands dispatched to the device for a given Real Servers table option and
is sorted by device type.
Table 8-4 CLI Commands Deployed from the Real Servers Table
Command Sample CLI Sent
ACE Modules and Appliances
Real Server Activation
    serverfarm host sf1
    rserver rs1 80
    inservice
Real Server Graceful Suspend
    serverfarm host sf1
    rserver rs1 80
    inservice standby
Real Server Suspend
    serverfarm host sf1
    rserver rs1 80
    no inservice
Real Server Suspend and Clear Connections
    serverfarm host sf1
    rserver rs1 80
    no inservice
    clear conn rserver rs1 80 serverfarm sf1
Real Server Change Weight
    serverfarm host sf1
    rserver rs1 80
    weight 2
CSMs
Real Server Activation
    serverfarm host sf1
    real 10.10.10.10 80
    inservice
Real Server Graceful Suspend
    serverfarm host sf1
    real 10.10.10.10 80
    inservice standby
Real Server Suspend
    serverfarm host sf1
    real 10.10.10.10 80
    no inservice
Real Server Suspend and Clear Connections
    serverfarm host sf1
    real 10.10.10.10 80
    no inservice
    clear module contentSwitchingModule 3 connections real 10.10.10.10
Real Server Change Weight
    serverfarm host sf1
    real 10.10.10.10 80
    weight 2
CSM Named Real Commands Sent
Real Server Activation
    serverfarm host sf1
    real name rs1 80
    inservice
Real Server Graceful Suspend
    serverfarm host sf1
    real name rs1 80
    inservice standby
Real Server Suspend
    serverfarm host sf1
    real name rs1 80
    no inservice
Real Server Suspend and Clear Connections
    serverfarm host sf1
    real name rs1 80
    no inservice
    clear module contentSwitchingModule 3 connections real 10.10.10.10
Real Server Change Weight
    serverfarm host sf1
    real name rs1 80
    weight 2
CSS Devices
Real Server Activation
    service myReal7
    active
Real Server Graceful Suspend
    service myReal7
    weight 0
Real Server Suspend
    service myReal7
    suspend
Real Server Suspend and Clear Connections
    service myReal7
    suspend
Real Server Change Weight
    service myReal7
    weight 2
Server Weight Ranges
Table 8-5 displays the allowable server weight ranges by device type.
Table 8-5 Real Servers Table Server Weight Ranges
Device Type Valid Weight Configurations
ACE Appliances and Modules 1 to 100
CSMs 0 to 100
CSS Devices 0 to 10
Configuring Dynamic Workload Scaling
Note Dynamic Workload Scaling requires ACE software Version A4(2.0) or later release on either device type
(appliance or module).
This section describes how to configure the ACE Dynamic Workload Scaling (DWS) feature, which
enables an ACE to burst traffic to a remote pool of VMs when the average CPU and/or memory usage
of the local VMs has reached a specified maximum threshold value. When the usage drops below a
specified minimum threshold value, the ACE stops bursting traffic to the remote VMs.
Note To enable the ACE to use the VMs associated with DWS for load balancing, you must configure them
as real servers on the ACE (see the “Configuring Real Servers” section on page 8-5).
For more information about DWS, see the “ANM Overview” section on page 1-1 and the “Dynamic
Workload Scaling Overview” section on page 8-4.
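The burst/stop decision that the two thresholds produce is a hysteresis loop: the ACE starts bursting once the local average reaches the maximum, and only stops once it drops below the minimum, so readings between the two thresholds do not flap the state. The following simulation is an added example written for this guide, not ACE or ANM code; the threshold values, server names and usage samples are constructed, and the "both" handling (either metric starts a burst, both must fall to end it) is an assumption.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class DwsPolicy:
    """Thresholds on the average usage of the local VMs, in percent.
    Hypothetical values; on an ACE these come from the VM probe."""
    max_threshold: float        # start bursting once the average reaches this
    min_threshold: float        # stop bursting once the average drops below this
    metric: str = "cpu"         # "cpu", "memory" or "both"

    def __post_init__(self):
        if self.metric not in ("cpu", "memory", "both"):
            raise ValueError("metric must be cpu, memory or both")
        if self.min_threshold >= self.max_threshold:
            # Equal or inverted thresholds remove the hysteresis band and
            # would flap the farm between local and burst on every probe.
            raise ValueError("min_threshold must be below max_threshold")


@dataclass
class RealServer:
    name: str
    locality: str               # "local" or "remote", as learned via the Nexus 7000
    cpu: float = 0.0            # latest VM Controller sample, percent
    memory: float = 0.0


class DwsController:
    """Local/burst state machine with hysteresis (added example, not ACE code)."""

    def __init__(self, policy, servers):
        self.policy = policy
        self.servers = servers
        self.bursting = False

    def _watched(self):
        return ("cpu", "memory") if self.policy.metric == "both" else (self.policy.metric,)

    def local_average(self):
        local = [s for s in self.servers if s.locality == "local"]
        if not local:
            raise ValueError("no local VMs; check Nexus 7000 locality discovery")
        return {m: mean(getattr(s, m) for s in local) for m in ("cpu", "memory")}

    def update(self):
        """Re-evaluate after a probe cycle; returns True while bursting."""
        avg = self.local_average()
        watched = self._watched()
        if not self.bursting:
            # Any watched metric reaching its maximum starts the burst (assumption for "both").
            if any(avg[m] >= self.policy.max_threshold for m in watched):
                self.bursting = True
        else:
            # Every watched metric must fall below the minimum before the burst ends;
            # the band between min and max is what suppresses flapping.
            if all(avg[m] < self.policy.min_threshold for m in watched):
                self.bursting = False
        return self.bursting

    def eligible_servers(self):
        """Servers the load balancer may pick: remote VMs only while bursting."""
        return [s.name for s in self.servers if s.locality == "local" or self.bursting]


def simulate(samples, policy, servers):
    """Feed (cpu, memory) samples for the local VMs, one probe cycle per entry,
    and return the burst state after each cycle plus the final controller."""
    ctrl = DwsController(policy, servers)
    local = [s for s in servers if s.locality == "local"]
    states = []
    for sample in samples:
        for srv, (cpu, memory) in zip(local, sample):
            srv.cpu, srv.memory = cpu, memory
        states.append(ctrl.update())
    return states, ctrl


# Constructed sample data, not taken from the guide.
POLICY = DwsPolicy(max_threshold=80, min_threshold=60, metric="cpu")


def example_servers():
    return [RealServer("vm-local-1", "local"), RealServer("vm-local-2", "local"),
            RealServer("vm-remote-1", "remote")]


SAMPLES = [
    [(50, 40), (55, 45)],   # avg CPU 52.5: stay local
    [(85, 50), (90, 55)],   # avg 87.5 reaches 80: start bursting
    [(70, 50), (75, 55)],   # avg 72.5: inside the band, keep bursting
    [(55, 40), (50, 45)],   # avg 52.5 below 60: stop bursting
    [(80, 40), (80, 45)],   # avg 80.0 reaches the maximum: burst again
]

if __name__ == "__main__":
    states, ctrl = simulate(SAMPLES, POLICY, example_servers())
    print(states)                   # [False, True, True, False, True]
    print(ctrl.eligible_servers())  # remote VM included while bursting
```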
Prerequisites
DWS requires the following configuration elements:
• An ACE with software Version A4(2.0) or later and configured with the following items:
– Nexus 7000 Series switch—XML interface IP address of the local Cisco Nexus 7000 Series
switch that the ACE polls to obtain VM location information (local or remote). You can define
up to two switch profiles per Admin context depending on the ACE software version (see
Guidelines and Restrictions). For information about defining a switch profile, see the
“Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection” section on
page 8-27.
Note The Nexus 7000 Series switch must be configured for DCI/OTV in the local data center
and in the remote data center. For details about configuring a Nexus 7000 for DCI/OTV,
see the Cisco Nexus 7000 NX-OS OTV Configuration Guide, Release 5.x.
– VM Controller—IP address of the VM Controller (also known as VMware vCenter Server) that
the ACE sends a health probe to monitor usage of the local VMs associated with a server farm.
– VM probe—Probe that the ACE sends to the VM Controller to monitor local VM usage based
on CPU usage, memory usage, or both (see the “Configuring Health Monitoring” section on
page 8-49).
– Server Farms—Groups of networked real servers (physical servers and VMs) that provide
content delivery (see the “Configuring Server Farms” section on page 8-30).
• VMware vCenter Server 4.0 or later.
• Multiple local and remote VMs configured as real servers and associated with server farms
configured on the ACE.
• ACE backend interface MTU set to 1430 or less to accommodate DCI encapsulation, because the Don’t
Fragment (DF) bit is automatically set on the DCI link. For details about setting the ACE MTU, see
the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration
Guide.
This section includes the following topics:
• Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection, page 8-27
• Configuring and Verifying a VM Controller Connection, page 8-29
Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection
Note This feature requires ACE software Version A4(2.0) or later release on either device type (appliance or
module).
You can configure an ACE with the Cisco Nexus 7000 Series switch attributes required to allow the ACE
to communicate with the switch using SSH. When configured for DWS, the ACE uses the Nexus 7000
Series switch to obtain VM location information (local or remote).
You can also use this procedure to edit the attributes of an existing Nexus 7000 Series switch profile or
remove a switch profile.
Guidelines and Restrictions
The number of Nexus 7000 Series switch profiles that you can define per ACE Admin context is as
follows:
• ACE software Version A4(2.0) to A5(1.1)—One switch profile only.
• ACE software Version A5(1.2) or later—Up to two switch profiles.
Procedure
Step 1 Choose Config > Devices > Admin_context > Load Balancing > Dynamic Workload Scaling > Nexus
7000 Setup.
The Nexus 7000 Setup pane appears.
Note If Nexus 7000 Series switch profiles already exist, the Name field lists their profile names in the
drop-down list on the right. Multiple switch profiles require ACE software Version A5(1.2) or later.
Step 2 From the Nexus 7000 Setup pane, do one of the following:
• To define a new Nexus 7000 series switch profile, do the following:
a. From the Name field, click the text box radio button if it is not already selected and enter a
Nexus 7000 name with a maximum of 64 characters. See the Note at the beginning of this chapter
for ACE object naming specifications.
b. From the Primary IP field, enter the Nexus 7000 XML interface IP address in dotted-decimal
format (such as 192.168.11.1).
c. From the User Name field, enter the username that the ACE uses for access and authentication on
the Nexus 7000 Series switch. Valid entries are unquoted text strings with a maximum of
64 characters with no spaces.
Note The user must have either the vdc-admin or network-admin role to receive the Nexus 7000
Series switch output for the VM location information in XML format.
d. From the Password field, enter the password that the ACE uses for authentication on the
Nexus 7000 Series switch. Valid entries are unquoted text strings with a maximum of 64 characters
with no spaces.
e. From the Confirm field, reenter the password and go to Step 3.
• To edit an existing Nexus 7000 Series switch profile, do the following:
a. From the Name field, click the radio button for the drop-down list that contains the list of existing
switch profile names.
b. From the drop-down list, choose the switch profile to edit. The current profile attributes display.
c. Edit the profile fields as described in the procedure above for creating a new profile and go to
Step 3.
Step 3 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Note Configuring the ACE for DWS also requires configuring the ACE with the VM Controller
information (see the “Configuring and Verifying a VM Controller Connection” section on
page 8-29) and configuring a VM health probe (see the “Configuring Health Monitoring” section
on page 8-49).
Step 4 (Optional) Click Details to verify connectivity between the ACE and the Nexus 7000 Series switch.
The ACE show nexus-device device_name detail CLI command output displays in a popup window and
includes information such as the device name, IP address, and connection information. For more
information about the command output, see the Cisco 4700 Series Application Control Engine Appliance
Server Load-Balancing Configuration Guide.
Step 5 (Optional) Click Delete to delete the currently configured Cisco Nexus 7000 series switch.
Caution If the ACE is currently configured for DWS, deleting the Nexus 7000 Series switch disables the feature.
Related Topics
• Configuring and Verifying a VM Controller Connection, page 8-29
• Configuring Health Monitoring, page 8-49
• Configuring Dynamic Workload Scaling, page 8-26
• Dynamic Workload Scaling Overview, page 8-4
• Configuring Real Servers, page 8-5
• Configuring Load Balancing Using Server Farms, page 8-31
Configuring and Verifying a VM Controller Connection
Note This feature requires ACE software Version A4(2.0) or later release on either device type (appliance or
module).
You can configure an ACE with the VM Controller (VMware vCenter Server) attributes required to allow
the ACE to communicate with the VM Controller to obtain local VM load information.
Guidelines and Restrictions
Configure only one VM Controller per ACE Admin context.
Prerequisites
The ACE is configured to communicate with the local Cisco Nexus 7000 Series switch that enables the
ACE to discover the locality of the VM Controller VMs (see the “Configuring and Verifying a Cisco
Nexus 7000 Series Switch Connection” section on page 8-27).
Procedure
Step 1 Choose Config > Devices > Admin_context > Load Balancing > Dynamic Workload Scaling > VM
Controller Setup.
The VM Controller Setup pane appears.
Step 2 From the VM Controller Setup pane, define the VM Controller using the information in Table 8-6.
Step 3 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Note Configuring the ACE for Dynamic Workload Scaling also requires configuring the ACE with the
Nexus 7000 information (see the “Configuring and Verifying a Cisco Nexus 7000 Series Switch
Connection” section on page 8-27) and configuring a VM health probe (see the “Configuring
Health Monitoring” section on page 8-49).
Table 8-6 VM Controller Setup
Field Description
Name VM Controller name (see the Note at the beginning of this chapter for ACE object naming specifications).
URL IP address or URL for the VM Controller web services API agent. The URL must point to the
VM Controller software development kit (SDK). For example, https://1.2.3.4/sdk. Enter up to 255
characters.
User Name Username that the ACE uses for access and authentication on the VM Controller. The user must have a
read-only role at least or a role with a read privilege. Valid entries are unquoted text strings with a maximum
of 64 characters and no spaces.
Password Password that the ACE uses for authentication on the VM Controller. Valid entries are unquoted text strings
with a maximum of 64 characters and no spaces.
Reenter the password in the Confirm field.
Step 4 (Optional) Click Details to verify connectivity between the ACE and the remote VM Controller.
The ACE show vm-controller device_name detail CLI command output displays in a popup window
and includes information such as the VM Controller status, IP address, and connection information.
Step 5 (Optional) Click Delete to delete the currently configured VM Controller.
Note If the ACE is currently configured for Dynamic Workload Scaling, you must delete the
associated VM health probe before you can delete the VM controller (see the “Configuring
Health Monitoring” section on page 8-49).
Related Topics
• Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection, page 8-27
• Configuring Health Monitoring, page 8-49
• Configuring Dynamic Workload Scaling, page 8-26
• Dynamic Workload Scaling Overview, page 8-4
• Configuring Real Servers, page 8-5
• Configuring Load Balancing Using Server Farms, page 8-31
Configuring Server Farms
You can configure load balancing using server farms, which are groups of networked real servers
(physical servers and VMs) that contain the same content and that typically reside in the same physical
location in a data center.
Websites often include groups of servers configured in a server farm. Load-balancing software
distributes client requests for content or services among the real servers based on the configured policy
and traffic classification, server availability and load, and other factors. If one server goes down, another
server can take its place and continue to provide the same content to the clients who requested it.
Guidelines and Restrictions
• With Dynamic Workload Scaling configured on the ACE, the real servers that are VMs can also
reside in a remote datacenter (see the “Configuring Dynamic Workload Scaling” section on
page 8-26).
• A server farm can support a mix of IPv6 and IPv4 real servers, and can be associated with both IPv6
and IPv4 probes. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
This section includes the following topics:
• Configuring Load Balancing Using Server Farms, page 8-31
• Adding Real Servers to a Server Farm, page 8-37
• Configuring the Predictor Method for Server Farms, page 8-39
• Configuring Server Farm HTTP Return Error-Code Checking, page 8-46
• Displaying All Server Farms, page 8-48
• Displaying Server Farm Statistics and Status Information, page 8-48
Configuring Load Balancing Using Server Farms
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Server Farms.
The Server Farms table appears.
Step 2 In the Server Farms table, click Poll Now to instruct ANM to poll the devices and display the current
values, and click OK when prompted if you want to poll the devices for data now.
Step 3 Click Add to add a new server farm, or choose an existing server farm and click Edit.
The Server Farms configuration window appears.
Step 4 In the Server Farms configuration window, configure the server farm using the information in Table 8-7.
Table 8-7 Server Farm Attributes
Field Description
Name Unique name for this server farm or accept the automatically incremented value in this field. Valid
entries are unquoted text strings with no spaces and a maximum of 64 characters.
Type Type of server farm as follows:
• Host—Server farm consists of real servers that provide content and services to clients.
• Redirect—Server farm consists only of real servers that redirect client requests to alternate
locations specified in the real server configuration. (See the “Configuring Real Servers” section
on page 8-5.)
Description Brief description for this server farm. Valid entries are unquoted alphanumeric text strings with no
spaces and a maximum of 240 characters.
Fail Action Action that the ACE is to take with respect to connections if any real server in the server farm fails:
• N/A—The ACE is to take no action if any server in the server farm fails.
• Purge—The ACE is to remove connections to a real server if that real server in the server farm
fails. The ACE sends a reset command to both the client and the server that failed.
• Reassign—The ACE is to reassign the existing server connections to the backup real server (if
configured) if the real server fails after you enter this command. If a backup real server has not
been configured for the failing server, this selection leaves the existing connections untouched
in the failing real server.
Failaction Reassign
Across Vlans
Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later
releases of either device type. This field appears only when the Fail Action is set to Reassign.
Check the check box to specify that the ACE reassigns the existing server connections to the backup
real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real
server fails. If a backup real server has not been configured for the failing server, this option has no
effect and leaves the existing connections untouched in the failing real server.
Note the following configuration requirements and restrictions when you enable this option:
• Enable the Transparent option (see the next field) to instruct the ACE not to use NAT to
translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans
option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the
destination IP address for the connection coming in to the ACE is for the end-point real server,
and the ACE reassigns the connection so that it is transmitted through a different next hop.
• Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going
to and coming from the same server in a flow will traverse the same firewalls or stateful devices
(see the “Configuring Virtual Context VLAN Interfaces” section on page 12-6).
• Configure the Predictor Hash Address option after you add the serverfarm (see the
“Configuring the Predictor Method for Server Farms” section on page 8-39).
• You must configure identical policies on the primary interface and the backup-server interface.
The backup interface must have the same feature configurations as the primary interface.
• If you configure a policy on the backup-server interface that is different from the policies on
the primary-server interface, that policy will be effective only for new connections. The
reassigned connection will always have only the primary-server interface policies.
• Interface-specific features (for example, NAT, application protocol inspection, outbound
ACLs, or SYN cookie) are not supported.
• You cannot reassign connections to the failed real server after it comes back up. This restriction
also applies to same-VLAN backup servers.
• Real servers must be directly connected to the ACE. This requirement also applies to
same-VLAN backup server.
• You must disable sequence number randomization on the firewall (see the “Configuring
Connection Parameter Maps” section on page 10-3).
• Probe configurations should be similar on both ACEs and the interval values should be low. For
example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2,
the reassigned connections may become stuck because of the probe configuration mismatch.
ACE-2 with the low interval value will detect the primary server failure first and will reassign
all its incoming connections to the backup-server interface VLAN. ACE-1 with the high
interval value may not detect the failure before the primary server comes back up and will still
point to the primary server.
To minimize packet loss, we recommend the following probe parameter values on both ACEs:
Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
Transparent Field that appears only for host server farms.
Specify whether network address translation from the VIP address to the server IP is to occur.
Check the check box to indicate that network address translation from the VIP address to the server
IP address is to occur. Uncheck the check box to indicate that network address translation from the
VIP address to the server IP address is not to occur.
Dynamic Workload
Scaling
Option that is available only for ACE software Version A4(2.0) or later release on either device type
(appliance or module). Field that appears only for host server farms.
Allows the ACE to burst traffic to remote VMs when the average CPU or memory usage of the local
VMs has reached its specified maximum threshold value. The ACE stops bursting traffic to the
remote VMs when the average CPU or memory usage of the local VMs has dropped below its
specified minimum threshold value. This option requires that you have the ACE configured for
Dynamic Workload Scaling using a Nexus 7000, VM Controller, and VM probe (see the
“Configuring Dynamic Workload Scaling” section on page 8-26).
Click one of the following radio button options:
• N/A—Not applicable (default).
• Local—Restricts the ACE to use of local VMs only for server load balancing.
• Burst—Enables the ACE to burst traffic to remote VMs when needed.
When you choose Burst, the VM Probe Name field displays along with a list of available VM
probes. Choose an available VM probe or click Add to display the Health Monitoring popup
window and create or edit a VM probe (see the “Configuring Health Monitoring” section on
page 8-49).
Fail-On-All Field that appears only for host server farms.
By default, real servers that you configure in a server farm inherit the probes that you configure
directly on that server farm. When you configure multiple probes on a server farm, the real servers
in the server farm use an OR logic with respect to the probes, which means that if one of the probes
configured on the server farm fails, all the real servers in that server farm fail and enter the
PROBE-FAILED state. With AND logic, if one server farm probe fails, the real servers in the server
farm remain in the operational state. If all the probes associated with the server farm fail, then all
the real servers in that server farm fail and enter the PROBE-FAILED state.
Check this check box to configure the real servers in a server farm to use AND logic with respect
to multiple server farm probes.
The Fail-On-All function is applicable to all probe types.
Table 8-7 Server Farm Attributes (continued)
Field Description
8-34
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 8 Configuring Real Servers and Server Farms
Configuring Server Farms
Inband-Health Check Option that is available only for the ACE module A4(1.0), ACE appliance A4(1.0), and later
releases of either device type. Field that appears only for host server farms.
By default, the ACE monitors the health of all real servers in a configuration through the use of
ARPs and health probes. However, there is a latency period between when the real server goes down
and when the ACE becomes aware of the state. The inband health monitoring feature allows the
ACE to monitor the health of the real servers in the server farm through the following connection
failures:
• For TCP, resets (RSTs) from the server or SYN timeouts.
• For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages.
When you configure the failure-count threshold and the number of these failures exceeds the
threshold within the reset-time interval, the ACE immediately marks the server as failed, takes it
out of service, and removes it from load balancing. The server is not considered for load balancing
until the optional resume-service interval expires.
The Inband-Health Check attributes are as follows:
• Count—Tracks the total number of TCP or UDP failures, and increments the counters.
• Log—Logs a syslog error message when the number of events reaches the threshold value that
you set for the Connection Failure Threshold Count attribute.
• Remove—Logs a syslog error message when the number of events reaches the configured
threshold and removes the real server from service.
Connection Failure Threshold Count This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the maximum number of connection failures that a real server can exhibit in the reset-time
interval before ACE marks the real server as failed. Valid entries are as follows:
• ACE appliance—1 to 4294967295
• ACE module—4 to 4294967295
Reset Timeout (Milliseconds) This field appears only when the Inband-Health Check is set to Log or Remove.
Enter the number of milliseconds for the reset-time interval. Valid entries are integers from 100 to
300000. The default interval is 100.
This interval starts when the ACE detects a connection failure. If the connection failure threshold
is reached during this interval, the ACE generates a syslog message. If you configure the remove
keyword, the ACE also removes the real server from service.
Changing the setting of this option affects the behavior of the real server, as follows:
• When the real server is in the OPERATIONAL state, even if several connection failures have
occurred, the new reset-time interval takes effect the next time that a connection error occurs.
• When the real server is in the INBAND-HM-FAILED state, the new reset-time interval takes
effect the next time that a connection error occurs after the server transitions to the
OPERATIONAL state.
Resume Service (Seconds) Field that appears only when the Inband-Health Check is set to Remove.
Enter the number of seconds after a server has been marked as failed to reconsider it for sending
live connections. Valid entries are integers from 30 to 3600. The default setting is 0. The setting of
this option affects the behavior of the real server in the inband failed state, as follows:
• When this field is not configured and has the default setting of 0, the real server remains in the
failed state until you manually suspend and then reactivate it.
• When this field is not configured and has the default setting of 0 and then you configure this
option with an integer between 30 and 3,600, the failed real server immediately transitions to
the Operational state.
• When you configure this field and then increase the value, the real server remains in the failed
state for the duration of the previously-configured value. The new value takes effect the next
time the real server transitions to the failed state.
• When you configure this field and then decrease the value, the failed real server immediately
transitions to the Operational state.
• When you configure this field with an integer between 30 and 3,600 and then reset it to the
default of 0, the real server remains in the failed state for the duration of the
previously-configured value. The default setting takes effect the next time the real server
transitions to the failed state. Then the real server remains in the failed state until you manually
suspend and then reactivate it.
• When you change this field within the reset-time interval while the real server is in the
OPERATIONAL state with several connection failures, the new threshold interval takes effect the
next time that a connection error occurs, even if it occurs within the current reset-time interval.
Partial-Threshold Percentage Field that appears only for host server farms.
Enter the minimum percentage of real servers in the primary server farm that must remain active
for the server farm to stay up. If the percentage of active real servers falls below this threshold, the
ACE takes the server farm out of service. Valid entries are from 0 to 99. The default is 0.
Back Inservice Field that appears only for host server farms.
Enter the percentage of real servers in the primary server farm that must be active again for the ACE
to place the server farm back into service. Valid entries are from 0 to 99. The value in this field
should be larger than the value in the Partial Threshold Percentage field. The default is 0.
Probes Field that appears only as follows:
• For all host server farms. The Available probe list contains all probe types.
• For redirect server farms configured on ACE devices that use the following software versions:
– ACE module: A2(3.x) and later releases
– ACE appliance: A3(x) and later releases
The redirect server farm Available probe list contains only probes of the type Is Routed, which
means that the ACE routes the probe address according to the ACE internal routing table (see
the “Configuring Health Monitoring for Real Servers” section on page 8-51).
In the Available Items list, choose the probes to use for health monitoring, and click Add. The
selected probes appear in the Selected Items list.
Note You can associate both IPv6 and IPv4 probes to a server farm. IPv6 requires ACE module
and ACE appliance software Version A5(1.0) or later.
Note The list of available probes does not include VM health monitoring probes. To choose a VM
probe for monitoring local VM usage, see the Dynamic Workload Scaling field.
To remove probes that you do not want to use for health monitoring, select them in the Selected
Items list, and click Remove. The selected probes appear in the Available Items list.
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
The window refreshes with additional configuration options:
– To add real servers to the server farm, see the “Adding Real Servers to a Server Farm” section
on page 8-37.
– To specify a predictor method for the server farm, see the “Configuring the Predictor Method
for Server Farms” section on page 8-39.
– To configure return code checking, see the “Configuring Server Farm HTTP Return Error-Code
Checking” section on page 8-46.
• Click Cancel to exit the procedure without saving your entries and to return to the Server Farms
table.
• Click Next to deploy your entries and to configure another server farm.
Step 6 (Optional) To display statistics and status information for an existing server farm, choose a server farm
from the Server Farms table, and click Details.
The show serverfarm name detail CLI command output appears. See the “Displaying Server Farm
Statistics and Status Information” section on page 8-48 for details.
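As an added illustration, not code from the ANM guide or the ACE itself, the following Python simulation works through the Inband-Health Check state machine and the farm-level Partial-Threshold / Back Inservice hysteresis from Table 8-7, using constructed servers, thresholds and a failure timeline. Where the guide leaves a detail open (when the reset-time interval starts, whether the threshold fires at or above the count) the code states its assumption in a comment.

```python
"""Added example (not code from the ANM guide): a simulation of the ACE
Inband-Health Check and the farm-level Partial-Threshold / Back Inservice
behaviour described in Table 8-7. All timings and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OPERATIONAL = "OPERATIONAL"
INBAND_HM_FAILED = "INBAND-HM-FAILED"


def probes_fail_server(probe_results: List[bool], fail_on_all: bool) -> bool:
    """Fail-On-All: with the default OR logic one failed probe fails the server;
    with AND logic (check box set) every probe must fail."""
    failed = [not ok for ok in probe_results]
    return all(failed) if fail_on_all else any(failed)


@dataclass
class InbandHealth:
    """Inband-Health Check state for one real server."""
    threshold: int               # Connection Failure Threshold Count
    reset_ms: int = 100          # Reset Timeout (Milliseconds); default 100
    resume_s: int = 0            # Resume Service (Seconds); 0 = manual reactivate only
    mode: str = "remove"         # "count", "log" or "remove"
    state: str = OPERATIONAL
    failures: int = 0
    window_start_ms: Optional[int] = None
    failed_at_ms: Optional[int] = None
    syslog: List[str] = field(default_factory=list)

    def connection_failure(self, now_ms: int) -> None:
        """One TCP RST/SYN timeout or UDP ICMP-unreachable event at now_ms.
        Assumption: the reset-time interval starts at the first failure, and a
        failure arriving after it expired starts a fresh interval."""
        if self.state != OPERATIONAL:
            return
        if self.window_start_ms is None or now_ms - self.window_start_ms > self.reset_ms:
            self.window_start_ms = now_ms
            self.failures = 0
        self.failures += 1
        # Assumption: "reaches the threshold" is read as >= threshold.
        if self.mode in ("log", "remove") and self.failures >= self.threshold:
            self.syslog.append(f"t={now_ms}ms: {self.failures} failures within {self.reset_ms}ms")
            if self.mode == "remove":
                self.state = INBAND_HM_FAILED
                self.failed_at_ms = now_ms

    def tick(self, now_ms: int) -> None:
        """Return to OPERATIONAL once the resume-service interval has expired."""
        if (self.state == INBAND_HM_FAILED and self.resume_s
                and now_ms - self.failed_at_ms >= self.resume_s * 1000):
            self.reactivate()

    def reactivate(self) -> None:
        """Manual suspend/reactivate: the only way out when resume_s is 0."""
        self.state = OPERATIONAL
        self.failures = 0
        self.window_start_ms = None
        self.failed_at_ms = None


@dataclass
class ServerFarm:
    """Partial-Threshold Percentage / Back Inservice hysteresis for a farm."""
    servers: Dict[str, InbandHealth]
    partial_threshold: int = 0   # farm leaves service when active % falls below this
    back_inservice: int = 0      # farm returns when active % reaches this (set it higher)
    in_service: bool = True

    def active_percent(self) -> float:
        active = sum(1 for s in self.servers.values() if s.state == OPERATIONAL)
        return 100.0 * active / len(self.servers)

    def evaluate(self) -> bool:
        pct = self.active_percent()
        if self.in_service and pct < self.partial_threshold:
            self.in_service = False
        elif not self.in_service and pct >= self.back_inservice:
            self.in_service = True
        return self.in_service


def run_scenario() -> dict:
    """Constructed timeline: rs1 and rs3 each take 3 failures inside one 100 ms
    interval and are removed; rs2's failures are spread out and never add up."""
    farm = ServerFarm(servers={n: InbandHealth(threshold=3, reset_ms=100, resume_s=30)
                               for n in ("rs1", "rs2", "rs3", "rs4")},
                      partial_threshold=60, back_inservice=75)
    events = [(0, "rs1"), (0, "rs2"), (0, "rs3"), (30, "rs3"), (50, "rs1"),
              (60, "rs3"), (90, "rs1"), (200, "rs2"), (400, "rs2")]
    for t, name in events:
        farm.servers[name].connection_failure(t)
    farm.evaluate()
    result = {"after_failures": ({n: s.state for n, s in farm.servers.items()}, farm.in_service)}
    for t in (30065, 30100):             # resume-service expires 30 s after removal
        for s in farm.servers.values():
            s.tick(t)
        farm.evaluate()
        result[f"tick_{t}"] = (farm.active_percent(), farm.in_service)
    return result
```

Calling run_scenario() shows two servers removed, the farm dropping out of service at 50% active, and returning only once 75% of its servers are active again.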
Related Topics
• Configuring Health Monitoring for Real Servers, page 8-51
• Configuring Real Servers, page 8-5
• Configuring Sticky Groups, page 9-7
• Configuring the Predictor Method for Server Farms, page 8-39
• Configuring Server Farm HTTP Return Error-Code Checking, page 8-46
• Configuring Dynamic Workload Scaling, page 8-26
Adding Real Servers to a Server Farm
You can add real servers to a server farm. After adding a server farm (see the “Configuring Server Farms”
section on page 8-30), you can associate real servers with it and configure predictors and retcode maps.
The options for these attributes appear after you have successfully added a new server farm.
Assumptions
This topic assumes the following:
• A server farm has been added to ANM (see the “Configuring Server Farms” section on page 8-30).
• At least one real server exists.
Consideration
A server farm can support a mix of IPv6 and IPv4 real servers. IPv6 requires ACE module and ACE
appliance software Version A5(1.0) or later.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Server Farms.
The Server Farms table appears.
Step 2 In the Server Farms table, choose the server farm that you want to associate with real servers.
The Real Servers table appears.
Step 3 In the Real Servers table, click Add to add a new entry, or select an existing server and click Edit to
modify it.
The Real Servers configuration pane appears.
Step 4 In the Real Servers configuration pane, configure the real server using the information in Table 8-8.
Table 8-8 Real Server Configuration Attributes
Field Description
Name Server that you want to associate with the server farm.
Port Port number to be used for server port address translation (PAT). Valid entries are from 1 to 65535.
Backup Server Name Server that is to act as the backup server for the server farm. Leave this field blank to indicate that
there is no designated backup server for the server farm.
Backup Server Port Server port number. If you select a backup server, enter the backup server port number. Valid
entries are from 1 to 65535.
Fail-On-All Field that appears only for real servers identified as host servers.
By default, real servers with multiple probes configured for them have an OR logic associated with
them. This means that if one of the real server probes fails, the real server fails and enters the
PROBE-FAILED state.
Check this checkbox to configure a real server to remain in the OPERATIONAL state unless all
probes associated with it fail (AND logic).
The Fail-On-All function is applicable to all probe types.
State State of this server as follows:
• In Service—The server is in service.
• In Service Standby—The server is a backup server and remains inactive unless the primary
server fails. If the primary server fails, the backup server becomes active and starts accepting
connections.
• Out Of Service—The server is out of service.
Min. Connections Minimum number of connections that the number of connections must fall below before the ACE
resumes sending connections to the server after it has exceeded the number in the Max.
Connections field. The number in this field must be less than or equal to the number in the Max.
Connections field.
For ACE appliances, valid entries are from 2 to 4294967295.
For ACE modules, valid entries are from 2 to 4000000.
Max. Connections Maximum number of active connections that can be sent to the server. When the number of
connections exceeds this number, the ACE stops sending connections to the server until the
number of connections falls below the number specified in the Min. Connections field.
For ACE appliances, valid entries are from 2 to 4294967295.
For ACE modules, valid entries are from 2 to 4000000.
Weight Weight to assign to the server. Valid entries are from 1 to 100. The default is 8.
Probes Probes to apply to the server. Choose the probes in the Available Items list that you want to apply
to this server, and click Add. The selected probes appear in the Selected Items list. To remove
probes that you do not want to use, choose the probes in the Selected Items list, and click Remove.
The selected probes appear in the Available Items list.
Note The VM probe type does not display in the Available Items list even if you have one
configured.
Rate Bandwidth Bandwidth rate, which is the number of bytes per second and applies to the network traffic
exchanged between the ACE and the real server in both directions.
Specify the bandwidth limit in bytes per second. Valid entries are from 2 to 300000000. The
default is 300000000.
Rate Connection Connection rate, which is the number of connections per second received by the ACE and applies
only to new connections destined to a real server.
Specify the limit for connections per second. Valid entries are from 2 to 350000. The default is
350000.
Step 5 When you finish configuring this server for this server farm, do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Real Servers table.
• Click Cancel to exit this procedure without saving your entries and to return to the Real Servers
table.
• Click Next to deploy your entries and to add another real server for this server farm.
Related Topics
• Configuring Health Monitoring for Real Servers, page 8-51
• Configuring Real Servers, page 8-5
• Configuring Sticky Groups, page 9-7
• Configuring the Predictor Method for Server Farms, page 8-39
• Configuring Server Farm HTTP Return Error-Code Checking, page 8-46
• Configuring Dynamic Workload Scaling, page 8-26
Configuring the Predictor Method for Server Farms
You can configure the predictor method for a server farm. The predictor method specifies how the ACE
is to select a server in the server farm when it receives a client request for a service. After adding a server
farm (see the “Configuring Server Farms” section on page 8-30), you can associate real servers with it
and configure the predictor method and retcode maps. The options for these attributes appear after you
have successfully added a new server farm.
Note You can configure only one predictor method per server farm.
Assumptions
This topic assumes the following:
• A server farm has been added to ANM (see the “Configuring Server Farms” section on page 8-30).
• At least one real server exists.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Server Farms.
The Server Farms table appears.
Step 2 In the Server Farms table, choose the server farm that you want to configure the predictor method for,
and click the Predictor tab.
The Predictor configuration pane appears.
Step 3 In the Type field of the Predictor configuration pane, choose the method that the ACE is to use to select
a server in this server farm when it receives a client request (see Table 8-9).
Step 4 Enter the required information for the selected predictor method (see Table 8-9).
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 8-9 Predictor Method Attributes
Predictor Method Description / Action
Hash Address Server selection method that uses a hash value based on the source or destination IP address.
To configure the hash address predictor method, do the following:
a. In the Mask Type field, indicate whether server selection is based on source IP address or the
destination IP address as follows:
– N/A—This option is not defined.
– Destination—The server is selected based on the destination IP address.
– Source—The server is selected based on the source IP address.
Note If you configure the server farm with IPv6 and IPv4 Hash Address predictors at the same time,
both predictors must have the same mask type. IPv6 requires ACE module and ACE appliance
software Version A5(1.0) or later.
b. In the IP Netmask field, choose the subnet mask to apply to the address. If none is specified, the
default is 255.255.255.255.
c. In the IPv6 Prefix-Length field, enter the IPv6 prefix length. If none is specified, the default is 128.
This field appears only for ACE module and ACE appliance software Version A5(1.0) or later.
Hash Content Server selection method that uses a hash value based on the specified content string of the HTTP packet
body. Do the following:
a. In the Begin Pattern field, enter the beginning pattern of the content string and the pattern string to
match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP
body immediately following the offset byte. You cannot configure different beginning and ending
patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists
the supported characters that you can use for matching string expressions.
b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either
a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field
or the end of the packet, or until it reaches the maximum body parse length. You cannot configure
different beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists
the supported characters that you can use for matching string expressions.
c. In the Length (Bytes) field, enter the length in bytes of the portion of the content (starting with the
byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are
from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but
shorter than the offset plus the length of the payload, the ACE sticks the connection based on that
portion of the payload starting with the byte after the offset value and ending with the byte specified
by the offset plus the length. The total of the offset and the length cannot exceed 1000.
Note You cannot specify both the length and the end-pattern options for a Hash Content predictor.
d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick
the client on a particular server by indicating the bytes to ignore starting with the first byte of the
payload. Valid entries are integers from 0 to 999 bytes. The default is 0, which indicates that the
ACE does not exclude any portion of the content.
Hash Cookie Server selection method that uses a hash value based on the cookie name.
In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces and
a maximum of 64 characters.
Hash Header Server selection method that uses a hash value based on the header name.
In the Header Name field, choose the HTTP header to be used for server selection as follows:
• To specify an HTTP header that is not one of the standard HTTP headers, click the first radio button
and enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings
with no spaces and a maximum of 64 characters.
• To specify one of the standard HTTP headers, click the second radio button, and then choose one
of the HTTP headers from the list.
Hash Layer4 Layer 4 generic protocol load-balancing method. Use this predictor to load balance packets from
protocols that are not explicitly supported by the ACE.
a. In the Begin Pattern field, enter the beginning pattern of the Layer 4 payload and the pattern string
to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP
body immediately following the offset byte. You cannot configure different beginning and ending
patterns for different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists
the supported characters that you can use for matching string expressions.
b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either
a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field
or the end of the packet, or until it reaches the maximum body parse length. You cannot configure
different beginning and ending patterns for different server farms that are part of the same traffic
classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists
the supported characters that you can use for matching string expressions.
c. In the Length (Bytes) field, enter the length in bytes of the portion of the payload (starting with the
byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are
from 1 to 1000 bytes.
The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but
shorter than the offset plus the length of the payload, the ACE sticks the connection based on that
portion of the payload starting with the byte after the offset value and ending with the byte specified
by the offset plus the length. The total of the offset and the length cannot exceed 1000.
Note You cannot specify both the length and end-pattern options for a Hash Layer 4 predictor.
d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick
the client on a particular server by indicating the bytes to ignore starting with the first byte of the
payload. Valid entries are from 0 to 999 bytes. The default is 0, which indicates that the ACE does
not exclude any portion of the content.
Hash URL Server selection method that uses a hash value based on the URL. Use this method to load balance
firewalls.
Enter values in one or both of the pattern fields as follows:
• In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to
parse.
• In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to parse.
Valid entries for these fields are unquoted text strings with no spaces and a maximum of 255
alphanumeric characters for each pattern that you configure. The following special characters are also
allowed: @ # $
Least Bandwidth Server with the least amount of network traffic over a specified sampling period. Do the following:
a. In the Assess Time (Seconds) field, enter the number of seconds for which the ACE is to collect
traffic information. Valid entries are from 1 to 10 seconds.
b. In the Least Bandwidth Samples field, enter the number of samples over which you want to weight
and average the results of the probe query to calculate the final load value. Valid entries are 1, 2, 4,
8, and 16 (values from 1 to 16 that are also a power of 2).
Least Connections Server with the fewest number of connections.
In the Slow Start Duration (Seconds) field, enter the slow-start value to be applied to this predictor
method. Valid entries are from 1 to 65535, where 1 is the slowest ramp-up value.
The slow-start mechanism is used to avoid sending a high rate of new connections to servers that you
have just put into service.
Least Loaded Least loaded server based on information from SNMP probes. Do the following:
a. In the SNMP Probe Name field, choose the name of the SNMP probe to use.
b. In the Auto Adjust field, configure the autoadjust feature to instruct the ACE to apply the maximum
load of 16000 to a real server whose load reaches zero or override the default behavior. By default,
the ACE applies the average load of the server farm to a real server whose load is zero. The ACE
periodically adjusts this load value based on feedback from the server SNMP probe and other
configured options. Options include the following:
– Average—Instructs the ACE to apply the average load of the server farm to a real server whose
load is zero. This setting allows the server to participate in load balancing, while preventing it
from being flooded by new connections. This is the default setting.
– Maxload—Instructs the ACE to apply the maximum load of the server farm to a real server
whose load reaches zero.
The maxload option requires the following ACE software versions:
- ACE appliance—A3(2.7) or A4(1.0) or later
- ACE module—A2(2.4), A2(3.2), or A4(1.0) or later
If you choose the maxload option and the ACE does not support the option, ANM issues a
command parse error message.
– Off—Instructs the ACE to send all new connections to the server that has a load of zero until
the next load update arrives from the SNMP probe for this server. There may be times when
you want the ACE to send all new connections to a real server whose load is zero.
c. In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this option, the
ACE includes the current connection count in the total load calculation for each real server in a
server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the
current connection count from the load calculation.
To instruct the ACE to select the server with the lowest load, use the predictor least-loaded command
in server farm host or redirect configuration mode. With this predictor, the ACE uses SNMP probes to
query the real servers for load parameter values (for example, CPU utilization or memory utilization).
This predictor is considered adaptive because the ACE continuously provides feedback to the
load-balancing algorithm based on the behavior of the real server.
To use this predictor, you must associate an SNMP probe with it. The ACE queries user-specified OIDs
periodically based on a configurable time interval. The ACE uses the retrieved SNMP load value to
determine the server with the lowest load.
The syntax of this predictor command is as follows:
predictor least-loaded probe name
The name argument specifies the identifier of the existing SNMP probe that you want the ACE to use
to query the server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric
characters.
Least Loaded (continued)
For example, to configure the ACE to select the real server with the lowest load based on feedback from
an SNMP probe called PROBE_SNMP, enter the following commands:
host1/Admin(config)# serverfarm SF1
host1/Admin(config-sfarm-host)# predictor least-loaded probe PROBE_SNMP
host1/Admin(config-sfarm-host-predictor)#
To reset the predictor method to the default of round-robin, enter the following command:
host1/Admin(config-sfarm-host)# no predictor
Response Server selection method based on the lowest response time for a requested response-time measurement.
a. In the Response Type field, select the type of measurement to use as follows:
– App-Req-To-Resp—The response time from when the ACE sends an HTTP request to a server
to the time that the ACE receives a response from the server for that request.
– Syn-To-Close—The response time from when the ACE sends a TCP SYN to a server to the
time that the ACE receives a CLOSE from the server.
– Syn-To-Synack—The response time from when the ACE sends a TCP SYN to a server to the
time that the ACE receives a SYN-ACK from the server.
b. In the Response Samples field, enter the number of samples over which you want to average the
results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (values from 1 to 16
that are also a power of 2).
c. In the Weight Connection field, check the check box to instruct the ACE to use the current
connection count in the final load calculation for a real server. When you configure this option, the
ACE includes the current connection count in the total load calculation for each real server in a
server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the
current connection count from the load calculation.
Round Robin Server selection method in which the ACE selects the next server in the list of servers based on server
weight. This method is the default predictor.
Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Related Topics
• Configuring Health Monitoring for Real Servers, page 8-51
• Configuring Real Servers, page 8-5
• Configuring Sticky Groups, page 9-7
• Adding Real Servers to a Server Farm, page 8-37
• Configuring Dynamic Workload Scaling, page 8-26
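An added example, not the guide's or the ACE's own code, working through two of the Table 8-9 predictors in Python: Hash Address with the IP Netmask / IPv6 Prefix-Length applied before hashing, and Round Robin honouring the real-server Weight from Table 8-8. CRC-32 as the hash and the smooth weighted round-robin scheme are assumptions; the guide does not state the ACE's internal algorithms.

```python
"""Added example (not from the ANM guide): the Hash Address and weighted
Round Robin predictor methods of Table 8-9 written out as working code.
Assumptions: CRC-32 as the hash function and smooth weighted round robin;
the guide does not describe the ACE's internal algorithms."""
import ipaddress
import zlib
from typing import Dict, List, Optional


def mask_address(addr: str, netmask: Optional[str] = None,
                 prefix_length: Optional[int] = None) -> str:
    """Apply the IP Netmask (IPv4, default 255.255.255.255) or the IPv6
    Prefix-Length (default 128) so that clients in one subnet hash alike."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        net = ipaddress.ip_network(f"{ip}/{netmask or '255.255.255.255'}", strict=False)
    else:
        plen = 128 if prefix_length is None else prefix_length
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
    return str(net.network_address)


def hash_address_select(servers: List[str], addr: str, netmask: Optional[str] = None,
                        prefix_length: Optional[int] = None) -> str:
    """Hash Address predictor: hash the masked source (or destination) address
    and pick a server deterministically. Assumption: CRC-32 modulo server count."""
    masked = ipaddress.ip_address(mask_address(addr, netmask, prefix_length))
    return servers[zlib.crc32(masked.packed) % len(servers)]


class WeightedRoundRobin:
    """Round Robin predictor honouring the real-server Weight (1 to 100, default 8).
    Assumption: smooth weighted round robin, which spreads a server's turns
    evenly instead of sending its whole weight of requests back-to-back."""

    def __init__(self, weights: Dict[str, int]) -> None:
        self.weights = dict(weights)
        self.current = {name: 0 for name in weights}
        self.total = sum(weights.values())

    def next_server(self) -> str:
        # Every server gains its weight; the highest running score is chosen
        # and pays back the total, so over one cycle each gets exactly its weight.
        for name, w in self.weights.items():
            self.current[name] += w
        chosen = max(self.current, key=self.current.get)
        self.current[chosen] -= self.total
        return chosen


def rr_distribution(weights: Dict[str, int], requests: int) -> Dict[str, int]:
    """Count how many of `requests` each server receives under the weights."""
    rr = WeightedRoundRobin(weights)
    counts = {name: 0 for name in weights}
    for _ in range(requests):
        counts[rr.next_server()] += 1
    return counts
```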
Configuring Server Farm HTTP Return Error-Code Checking
Note This feature is available only for server farms configured as hosts. It is not available for server farms
configured with the type Redirect.
You can configure HTTP return error-code checking (retcode map) for a server farm. After adding a
server farm (see the “Configuring Server Farms” section on page 8-30), you can associate real servers
with it and configure the predictor method and retcode maps. These options appear after you have
successfully added a server farm.
Assumption
A host type server farm has been added to ANM (see the “Configuring Server Farms” section on
page 8-30).
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Server Farms.
The Server Farms table appears.
Step 2 In the Server Farms table, choose the server farm that you want to configure for return error-code
checking, and click the Retcode Map tab.
The Retcode Map table appears.
Step 3 In the Retcode Map table, click Add to add a new entry to the table.
The Retcode Map configuration pane appears.
Note You cannot modify an entry in the Retcode Map table. Instead, delete the existing entry, then add
a new one.
Step 4 In the Lowest Retcode field of the Retcode Map configuration pane, enter the minimum value for an
HTTP return error code.
Valid entries are from 100 to 599. This number must be less than or equal to the number in the Highest
Retcode field.
Step 5 In the Highest Retcode field, enter the maximum number for an HTTP return error code.
Valid entries are from 100 to 599. This number must be greater than or equal to the number in the Lowest
Retcode field.
Step 6 In the Type field, specify the action to be taken and related options using the information in Table 8-10.
Note For ACE appliances, the only available option is Count.
Table 8-10 Return-Code Type Configuration Options
Option Description
Count Total number of return codes received for each return code number that you specify.
Log Syslog error message generated when the number of events reaches a specified threshold.
a. In the Threshold field, enter the number of events that the ACE is to receive before generating a syslog error
message. Valid entries are as follows:
– ACE appliance (all) and ACE module pre A4(1.0)—1 to 4294967295.
– ACE module A4(1.0)—4 to 4294967295.
b. In the Reset (Seconds) field, enter the time interval in seconds for which the ACE checks for the return code.
Valid entries are as follows:
– ACE appliance or module pre A4(1.0)—1 to 4294967295
– ACE appliance or module A4(1.0) and later—1 to 2147483647
Remove The ACE generates a syslog error message when the number of events reaches a specified threshold and then
removes the server from service.
a. In the Threshold field, enter the number of events that the ACE is to receive before generating a syslog error
message and removing the server from service. Valid entries are from 1 to 4294967295.
b. In the Reset (Seconds) field, enter the time interval in seconds for which the ACE checks for the return code.
Valid entries are from 1 to 4294967295 seconds.
c. In the Resume Service (Seconds) field, enter the number of seconds that the ACE waits before it resumes
service for the real server automatically after taking the real server out of service. Valid entries are 30 to 3600
seconds. The default is 0 seconds. The setting of this field affects the behavior of the real server in the failed
state, as follows:
– When this field is not configured and has the default setting of 0, the real server remains in the failed state
until you manually remove it from service and re-add it.
– When this field is not configured and has the default setting of 0 and then you configure it with an integer
between 30 and 3,600, the failed real server immediately transitions to the Operational state.
– When you configure this field and then increase the value, the real server remains in the failed state for
the duration of the previously configured value. The new value takes effect the next time the real server
transitions to the failed state.
– When you configure this field and then decrease the value, the failed real server immediately transitions
to the Operational state.
– When you configure this field with an integer between 30 and 3,600 and then reset it to the default of 0,
the real server remains in the failed state for the duration of the previously configured value. The default
setting takes effect the next time the real server transitions to the failed state. Then the real server remains
in the failed state until you manually remove it from service and re-add it.
Step 7 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Retcode Map
table.
• Click Next to deploy your entries and to add another retcode map.
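The Log and Remove actions in Table 8-10 combine a return-code range, a threshold, a Reset window and an automatic Resume Service time. The following Python model is an added example, not ANM or ACE code: it applies those settings to a constructed sequence of HTTP status codes so that the effect of each field on a real server's in-service state can be seen. Two details are assumptions rather than documented behaviour: the event count restarts once the Reset interval has elapsed, and a removed server returns automatically exactly Resume Service seconds after removal.

```python
"""Added example (not ANM or ACE code): a model of the Table 8-10 retcode-map
actions (Count, Log, Remove) for one real server. The Reset window semantics
(the event count restarts once the Reset interval has elapsed) and the
automatic Resume Service timer are assumptions about the ACE behaviour."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RetcodeMap:
    lowest: int               # Lowest Retcode, 100..599
    highest: int              # Highest Retcode, 100..599, >= lowest
    action: str               # "count", "log" or "remove"
    threshold: int = 1        # events before a syslog message (log/remove only)
    reset: int = 1            # Reset (Seconds): counting window for the events
    resume_service: int = 0   # Resume Service (Seconds): 0 = stay failed until re-added manually

    def __post_init__(self) -> None:
        # Enforce the value ranges documented for the Retcode Map fields.
        if not (100 <= self.lowest <= self.highest <= 599):
            raise ValueError("need 100 <= lowest <= highest <= 599")
        if self.action not in ("count", "log", "remove"):
            raise ValueError("action must be count, log or remove")
        if self.resume_service and not (30 <= self.resume_service <= 3600):
            raise ValueError("resume_service must be 0 or 30..3600")


@dataclass
class RealServerRetcodeState:
    rmap: RetcodeMap
    counts: Dict[int, int] = field(default_factory=dict)  # per-code totals (the Count action)
    window_start: float = 0.0
    window_events: int = 0
    in_service: bool = True
    failed_at: Optional[float] = None
    syslog: List[str] = field(default_factory=list)
    trace: List[bool] = field(default_factory=list)        # in-service state after each response

    def observe(self, code: int, now: float) -> bool:
        """Feed one HTTP status code seen at time `now`; return whether the server is in service."""
        # Automatic return to service after Resume Service seconds (assumed behaviour).
        if (not self.in_service and self.rmap.resume_service
                and now - self.failed_at >= self.rmap.resume_service):
            self.in_service, self.failed_at = True, None
        if not (self.rmap.lowest <= code <= self.rmap.highest):
            return self.in_service
        self.counts[code] = self.counts.get(code, 0) + 1
        if self.rmap.action == "count":
            return self.in_service
        # Log / Remove: count events inside the current Reset window.
        if self.window_events == 0 or now - self.window_start >= self.rmap.reset:
            self.window_start, self.window_events = now, 0
        self.window_events += 1
        if self.window_events >= self.rmap.threshold:
            self.syslog.append(
                f"t={now:g}: {self.window_events} responses in "
                f"{self.rmap.lowest}-{self.rmap.highest} within {self.rmap.reset}s")
            self.window_events = 0
            if self.rmap.action == "remove" and self.in_service:
                self.in_service, self.failed_at = False, now
        return self.in_service


# Constructed sample: (time in seconds, HTTP status code returned by the real server).
SAMPLE_RESPONSES = [(0, 200), (1, 500), (2, 503), (3, 502), (20, 500), (40, 200)]


def run_remove_demo() -> RealServerRetcodeState:
    """Remove action: three 5xx responses within 10 s take the server out of service."""
    state = RealServerRetcodeState(
        RetcodeMap(500, 599, "remove", threshold=3, reset=10, resume_service=30))
    state.trace = [state.observe(code, t) for t, code in SAMPLE_RESPONSES]
    return state


def run_count_demo() -> RealServerRetcodeState:
    """Count action: only the per-code totals change; the server stays in service."""
    state = RealServerRetcodeState(RetcodeMap(500, 599, "count"))
    state.trace = [state.observe(code, t) for t, code in SAMPLE_RESPONSES]
    return state


if __name__ == "__main__":
    s = run_remove_demo()
    print(s.trace, s.syslog, s.counts)
```

With the constructed responses, the Remove map takes the server out of service at t=3 after the third 5xx code within the 10-second window, keeps it out at t=20 (only 17 seconds after removal), and returns it at t=40 because the 30-second Resume Service interval has passed; the same responses under a Count map only accumulate per-code totals.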
Related Topics
• Information About Virtual Contexts, page 6-2
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Real Servers, page 8-5
• Configuring Sticky Groups, page 9-7
• Configuring Dynamic Workload Scaling, page 8-26
Displaying All Server Farms
You can display all server farms associated with a virtual context.
Procedure
Step 1 Choose Config > Devices.
The Virtual Contexts table appears.
Step 2 In the Virtual Contexts table, choose the virtual context with the server farms you want to display, and
click Load Balancing > Server Farms.
The Server Farms table appears with the following information:
• Server farm name
• Server farm type (either host or redirect)
• Description
• Number of real servers associated with the server farm
• Number of predictor methods for the server farm
• Number of entries in the HTTP retcode map table
You can click on any of the entries in the last three columns to view specific information about those
entries.
Related Topics
• Displaying Server Farm Statistics and Status Information, page 8-48
• Configuring Server Farms, page 8-30
• Adding Real Servers to a Server Farm, page 8-37
• Configuring the Predictor Method for Server Farms, page 8-39
• Configuring Server Farm HTTP Return Error-Code Checking, page 8-46
• Configuring Dynamic Workload Scaling, page 8-26
Displaying Server Farm Statistics and Status Information
You can display statistics and status information for a particular server farm.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Server Farms.
The Server Farms table appears.
Step 2 In the Server Farms table, choose a server farm from the Server Farms table, and click Details.
The show serverfarm name detail CLI command output appears. For details about the displayed output
fields, see the Cisco ACE Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700
Series Appliance Server Load-Balancing Configuration Guide, Chapter 2, Configuring Real Servers and
Server Farms.
Step 3 Click Update Details to refresh the output for the show serverfarm name detail CLI command.
The new information appears in a separate panel with a new timestamp; both the old and the new server
farm statistics and status information appear side-by-side to avoid overwriting the last updated
information.
Step 4 Click Close to return to the Server Farms table.
Related Topics
• Displaying All Server Farms, page 8-48
• Configuring Server Farms, page 8-30
• Adding Real Servers to a Server Farm, page 8-37
• Configuring the Predictor Method for Server Farms, page 8-39
• Configuring Server Farm HTTP Return Error-Code Checking, page 8-46
• Configuring Dynamic Workload Scaling, page 8-26
Configuring Health Monitoring
You can instruct the ACE to check the health of servers and server farms by configuring health probes
(sometimes referred to as keepalives). After you create a probe, you assign it to a real server or a server
farm. A probe can be one of many types, including TCP, ICMP, Telnet, HTTP, and so on. You can also
configure scripted probes using the TCL scripting language (see the “TCL Scripts” section on
page 8-50).
The ACE sends out probes periodically to determine the status of a server, verifies the server response,
and checks for other network problems that may prevent a client from reaching a server. Based on the
server response, the ACE can place the server in or out of service, and, based on the status of the servers
in the server farm, it can make reliable load-balancing decisions.
Health monitoring on the ACE tracks the state of a server by sending out probes. Also referred to as
out-of-band health monitoring, the ACE verifies the server response or checks for any network problems
that can prevent a client from reaching a server. Based on the server response, the ACE can place the server in
or out of service, and can make reliable load-balancing decisions.
The ACE identifies the health of a server in the following categories:
• Passed—The server returns a valid response.
• Failed—The server fails to provide a valid response to the ACE or the ACE is unable to reach a
server for a specified number of retries.
By configuring the ACE for health monitoring, the ACE sends active probes periodically to determine
the server state.
The ACE supports 4000 unique probe configurations, which include ICMP, TCP, HTTP, and other
predefined health probes. The ACE also allows the opening of 1000 sockets simultaneously.
This section includes the following topics:
• “TCL Scripts” section on page 8-50
• “Configuring Health Monitoring for Real Servers” section on page 8-51
• “Configuring Probe Attributes” section on page 8-56
• “Configuring DNS Probe Expect Addresses” section on page 8-73
• “Configuring Headers for HTTP and HTTPS Probes” section on page 8-74
• “Configuring Health Monitoring Expect Status” section on page 8-74
• “Configuring an OID for SNMP Probes” section on page 8-76
• “Displaying Health Monitoring Statistics and Status Information” section on page 8-77
TCL Scripts
The ACE supports several specific types of health probes (for example HTTP, TCP, or ICMP health
probes) when you need to use a diverse set of applications and health probes to administer your network.
The basic health probe types supported in the current ACE software release may not support the specific
probing behavior that your network requires. To support a more flexible health-probing functionality, the
ACE allows you to upload and execute Toolkit Command Language (TCL) scripts on the ACE.
The TCL interpreter code in the ACE is based on Release 8.44 of the standard TCL distribution. You can
create a script to configure health probes. Script probes operate similarly to other health probes available
in the ACE software. As part of a script probe, the ACE executes the script periodically, and the exit code
that is returned by the executing script indicates the relative health and availability of specific real
servers. For information on health probes, see the “Configuring Health Monitoring for Real Servers”
section on page 8-51.
For your convenience, the following sample scripts for the ACE are available to support the TCL feature
and are supported by Cisco TAC:
• ECHO_PROBE_SCRIPT
• FINGER_PROBE_SCRIPT
• FTP_PROBE_SCRIPT
• HTTP_PROBE_SCRIPT
• HTTPCONTENT_PROBE
• HTTPHEADER_PROBE
• HTTPPROXY_PROBE
• IMAP_PROBE
• LDAP_PROBE
• MAIL_PROBE
• POP3_PROBE
• PROBENOTICE_PROBE
• RTSP_PROBE
• SSL_PROBE_SCRIPT
These scripts are located in the probe: directory and are accessible in both the Admin and user contexts.
Note that the script files in the probe: directory are read-only, so you cannot copy files into that directory
or modify them. However, you can copy files from the probe: directory. For more information, see either the Cisco
Application Control Engine Module Administration Guide or the Cisco 4700 Series Application Control
Engine Appliance Administration Guide.
To load a script into memory on the ACE and enable it for use, use the script file command. For detailed
information on uploading and executing TCL scripts on the ACE, see either the Cisco ACE Module
Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series Appliance Server
Load-Balancing Configuration Guide.
Configuring Health Monitoring for Real Servers
You can establish monitoring of real servers to determine their viability in load-balancing decisions. To
check the health and availability of a real server, the ACE periodically sends a probe to the real server.
Depending on the server response, the ACE determines whether or not to include the server in its
load-balancing decision.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring.
The Health Monitoring table appears.
Step 2 In the Health Monitoring table, click Add to add a new health monitoring probe, or choose an existing
entry and click Edit to modify it.
The Health Monitoring window appears.
Step 3 In the Name field of the Health Monitoring window, enter a name that identifies the probe and that
associates the probe with the real server.
Valid entries are text strings with a maximum of 64 characters.
Step 4 In the Type field, choose the type of probe that you want to use.
The probe type determines what the probe sends to the real server. See Table 8-11 for the types of probes
and their descriptions.
Table 8-11 Probe Types
Probe Type Description
DNS Sends a request to a DNS server giving it a configured domain. To determine if the server is up, the ACE
must receive the configured IP address for that domain.
ECHO-TCP Sends a string to the server and compares the response with the original string. If the response string
matches the original, the server is marked as passed. If not, the ACE retries as configured before the server
is marked as failed.
ECHO-UDP Sends a string to the server and compares the response with the original string. If the response string
matches the original, the server is marked as passed. If not, the ACE retries as configured before the server
is marked as failed.
FINGER Sends a probe to the server to verify that a defined username is a username on the server.
FTP Initiates an FTP session. By default, this probe is for an anonymous login with the option of configuring
a user ID and password. The ACE performs an FTP GET or LS to determine the outcome of the probe.
This probe supports only active connections.
HTTP Sets up a TCP connection and issues an HTTP request. Any valid HTTP response causes the probe to mark
the real server as passed.
HTTPS Similar to an HTTP probe, but this probe uses SSL to generate encrypted data.
ICMP Sends an ICMP request and listens for a response. If the server returns a response, the ACE marks the real
server as passed. If there is no response and the probe times out, or an ICMP standard error occurs, such as
DESTINATION_UNREACHABLE, the ACE marks the real server as failed.
IMAP Initiates an IMAP session, using a configured user ID and password. Then, the probe attempts to retrieve
email from the server and validates the result of the probe based on the return codes received from the
server.
POP Initiates a POP session, using a configured user ID and password. Then, the probe attempts to retrieve
email from the server and validates the result of the probe based on the return codes received from the
server.
RADIUS Connects to a RADIUS server and logs into it to determine if the server is up.
RTSP Establishes a TCP connection and sends a request packet to the server. The ACE compares the response
with the configured response code to determine whether the probe succeeded.
Scripted Executes probes from a configured script to perform health probing. This method allows you to author
specific scripts with features not present in standard probes. For ACE appliances, the script probe filename
must first be established on the device.
SIP-TCP Establishes a TCP connection and sends an OPTIONS request packet to the user agent on the server. The
ACE compares the response with the configured response code or expected string, or both, to determine
whether the probe has succeeded. If you do not configure an expected status code, any response from the
server is marked as failed.
SIP-UDP Establishes a UDP connection and sends an OPTIONS request packet to the user agent on the server. The
ACE compares the response with the configured response code or expected string, or both, to determine
whether the probe has succeeded. If you do not configure an expected status code, any response from the
server is marked as failed.
SMTP Initiates an SMTP session by logging into the server.
SNMP Establishes a UDP connection and sends a maximum of eight SNMP OID queries to probe the server. The
ACE weighs and averages the load information that is retrieved and uses it as input to the least-loaded
algorithm for load-balancing decisions. If the retrieved value is within the configured threshold, the server
is marked as passed. If the threshold is exceeded, the server is marked as failed.
TCP Initiates a TCP handshake and expects a response. By default, a successful response causes the probe to
mark the server as passed. The probe then sends a FIN to end the session. If the response is not valid, or
if there is no response, the probe marks the real server as failed.
TELNET Establishes a connection to the real server and verifies that a greeting from the application was received.
UDP Sends a UDP packet to a real server. The probe marks the server as failed only if an ICMP Port
Unreachable message is returned.
VM This probe type requires the following:
• The ACE appliance or module is using software Version A4(2.0) or a later release.
• The ACE is configured with a VM Controller connection (see the “Configuring and Verifying a VM
Controller Connection” section on page 8-29).
Sends a probe to the VMware VM Controller to determine the average amount of both CPU and memory
usage of its associated local VMs. The probe response determines whether the ACE load-balances traffic
to the local VMs only or bursts traffic to the remote VMs due to high usage of the local VMs.
Note You use a VM probe when you configure the ACE for Dynamic Workload Scaling (see the
“Configuring Dynamic Workload Scaling” section on page 8-26).
Step 5 Enter health monitoring general attributes (see Table 8-12).
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Note Click More Settings to access the additional general attributes for the selected probe type. By
default, ANM hides the probe attributes with default values and the probe attributes that are not
commonly used.
Table 8-12 Health Monitoring General Attributes
Field Action
Description Description for this probe. Valid entries are unquoted alphanumeric text strings with no spaces and a
maximum of 240 characters.
Probe Interval (Seconds) Number of seconds that the ACE is to wait before sending another probe to a server marked as passed.
Valid entries are from 2 to 65535 for all probe types except the VM probe, which has a range from 300
to 65535. The default values are as follows:
• ACE appliance (all software versions)—Default is 15 seconds for all probe types except the VM
probe, which has a default of 300 seconds.
• ACE module:
– Software Version A4(1.0) and later—Default is 15 seconds for all probe types except the VM
probe, which has a default of 300 seconds.
– All software versions before A4(1.0)—Default is 120 seconds.
Note The VM probe type requires ACE software Version A4(2.0) or later on either device type.
Pass Detect Interval (Seconds) Number of seconds that the ACE is to wait before sending another probe to a server marked as failed.
Valid entries are from 2 to 65535. The default values are as follows:
• ACE appliance (all software versions)—Default is 60 seconds.
• ACE module:
– Software Version A4(1.0) and later—Default is 60 seconds.
– All software versions before A4(1.0)—Default is 300 seconds.
Note This field is not applicable for the VM probe type.
Fail Detect Consecutive number of times that an ACE must detect that probes have failed to contact a server before
marking the server as failed. Valid entries are from 1 to 65535. The default is 3.
Note This field is not applicable for the VM probe type.
More Settings (Not applicable for the VM probe type)
Pass Detect Count Number of successful probe responses from the server before the server is marked as passed. Valid
entries are from 1 to 65535. The default is 3.
Receive Timeout (Seconds) Number of seconds that the ACE is to wait for a response from a server that has been probed before
marking the server as failed. Valid entries are from 1 to 65535. The default is 10.
Destination IPv4/IPv6 Address (1) The IPv6 option requires ACE module and ACE appliance software Version A5(1.0) or later, which
supports IPv4 and IPv6. Preferred destination IP address. By default, the probe uses the IP address from
the real or virtual server configuration for the destination IP address. To override the destination address
that the probe uses, enter the preferred destination IP address in this field.
Note The following probes support IPv6 destination addresses: DNS, HTTP, HTTPS, ICMP, TCP, and
UDP.
Note When you assign a probe to a real server, they must be configured with the same IP address type
(IPv6 or IPv4).
Is Routed (2) Check box that indicates that the destination IP address is routed according to the ACE internal routing
table. Uncheck the check box to indicate that the destination IP address is not routed according to the
ACE internal routing table.
Port By default, the precedence in which the probe inherits the port number is as follows:
• The port number that you configure for the probe.
• The configured port number from the real server in a server farm.
• The configured port number from the VIP in a Layer 3 and Layer 4 class map.
• The default port number. Table 8-13 lists the default port number for each probe type.
If you explicitly configure a default port, the ACE always sends the probe to the default port. The probe
does not dynamically inherit the port number from the real server in a server farm or from the VIP
specified in the class map.
1. The Dest IP Address field is not applicable to the Scripted probe type.
2. The Is Routed field is not applicable to the RTSP, Scripted, SIP-TCP, and SIP-UDP probe types.
Table 8-13 Default Port Numbers for Probe Types
Probe Type Default Port Number
DNS 53
Echo 7
Finger 79
FTP 21
HTTP 80
HTTPS 443
ICMP Not applicable
IMAP 143
POP3 110
RADIUS 1812
RTSP 554
Scripted 1
SIP (both TCP and UDP) 5060
SMTP 25
SNMP 161
Telnet 23
TCP 80
UDP 53
VM 443
Step 6 Enter the attributes for the specific probe type selected as follows:
• For DNS probes, see Table 8-14.
• For Echo-TCP probes, see Table 8-15.
• For Echo-UDP probes, see Table 8-16.
• For Finger probes, see Table 8-17.
• For FTP probes, see Table 8-18.
• For HTTP probes, see Table 8-19.
• For HTTPS probes, see Table 8-20.
• There are no specific attributes for ICMP probes.
• For IMAP probes, see Table 8-21.
• For POP probes, see Table 8-22.
• For RADIUS probes, see Table 8-23.
• For RTSP probes, see Table 8-24.
• For Scripted probes, see Table 8-25.
• For SIP-TCP probes, see Table 8-26.
• For SIP-UDP probes, see Table 8-27.
• For SMTP probes, see Table 8-28.
• For SNMP probes, see Table 8-29.
• For TCP probes, see Table 8-30.
• For Telnet probes, see Table 8-31.
• For UDP probes, see Table 8-32.
• For VM probes, see Table 8-33.
Step 7 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Health
Monitoring table.
• Click Next to deploy your entries and to configure another probe.
Step 8 (Optional) To display statistics and status information for a particular probe, choose the probe from the
Health Monitoring table, and click Details.
The show probe name detail CLI command output appears. See the “Displaying Health Monitoring
Statistics and Status Information” section on page 8-77 for details.
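The counters and timers in Table 8-12 interact: Fail Detect and Pass Detect Count decide when a server changes between the passed and failed categories, Receive Timeout decides what counts as a failure, and the two intervals decide how often the next probe is sent in each state; the Port field adds an inheritance order that ends at the Table 8-13 default. The following Python model is an added example, not ANM or ACE code; it drives that state machine with a constructed list of probe outcomes and implements the port precedence with the defaults listed in Table 8-13.

```python
"""Added example (not ANM or ACE code): a model of the probe counters and
timers in Table 8-12 (Probe Interval, Pass Detect Interval, Fail Detect,
Pass Detect Count, Receive Timeout) and of the port inheritance order
described for the Port field, using the Table 8-13 defaults."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Table 8-13 default ports (values from the guide; "echo" covers Echo-TCP and Echo-UDP).
DEFAULT_PORTS = {
    "dns": 53, "echo": 7, "finger": 79, "ftp": 21, "http": 80, "https": 443,
    "icmp": None, "imap": 143, "pop3": 110, "radius": 1812, "rtsp": 554,
    "scripted": 1, "sip": 5060, "smtp": 25, "snmp": 161, "telnet": 23,
    "tcp": 80, "udp": 53, "vm": 443,
}


def probe_port(probe_type: str, configured: Optional[int] = None,
               real_server_port: Optional[int] = None,
               vip_port: Optional[int] = None) -> Optional[int]:
    """Port the probe is sent to, in the precedence the Port field describes:
    explicitly configured port, then the real server's port, then the VIP port
    from the class map, then the Table 8-13 default for the probe type."""
    if probe_type == "icmp":
        return None                          # ICMP has no port
    for candidate in (configured, real_server_port, vip_port):
        if candidate is not None:
            return candidate
    return DEFAULT_PORTS[probe_type]


@dataclass
class ProbeConfig:
    interval: int = 15              # Probe Interval (Seconds), server marked passed
    pass_detect_interval: int = 60  # Pass Detect Interval (Seconds), server marked failed
    fail_detect: int = 3            # consecutive failures before the server is marked failed
    pass_detect_count: int = 3      # consecutive successes before it is marked passed again
    receive_timeout: int = 10       # Receive Timeout (Seconds)


@dataclass
class ProbeState:
    cfg: ProbeConfig
    status: str = "passed"          # the two ACE health categories: "passed" / "failed"
    consecutive_failures: int = 0
    consecutive_successes: int = 0
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def next_delay(self) -> int:
        """The wait before the next probe depends on the server's current state."""
        return self.cfg.interval if self.status == "passed" else self.cfg.pass_detect_interval

    def record(self, now: float, response_time: Optional[float]) -> str:
        """Apply one probe result. None means no reply; a reply slower than
        Receive Timeout is also a failure."""
        ok = response_time is not None and response_time <= self.cfg.receive_timeout
        if ok:
            self.consecutive_failures = 0
            if self.status == "failed":
                self.consecutive_successes += 1
                if self.consecutive_successes >= self.cfg.pass_detect_count:
                    self.status, self.consecutive_successes = "passed", 0
                    self.transitions.append((now, "passed"))
        else:
            self.consecutive_successes = 0
            if self.status == "passed":
                self.consecutive_failures += 1
                if self.consecutive_failures >= self.cfg.fail_detect:
                    self.status, self.consecutive_failures = "failed", 0
                    self.transitions.append((now, "failed"))
        return self.status


def simulate(cfg: ProbeConfig,
             outcomes: Sequence[Optional[float]]) -> Tuple[ProbeState, List[float]]:
    """Consume one probe result per scheduled probe; return the final state and
    the times at which each probe was sent."""
    state, now, sent_at = ProbeState(cfg), 0.0, []
    for rt in outcomes:
        sent_at.append(now)
        state.record(now, rt)
        now += state.next_delay()
    return state, sent_at


# Constructed probe outcomes: one good reply, no reply, a reply slower than the
# 10 s Receive Timeout, no reply, then three fast replies.
SAMPLE_OUTCOMES = [2.0, None, 12.0, None, 1.0, 1.0, 1.0]

if __name__ == "__main__":
    st, times = simulate(ProbeConfig(), SAMPLE_OUTCOMES)
    print(st.transitions, times)
```

With the default values of 15, 60, 3, 3 and 10, the constructed outcomes mark the server failed at the third consecutive failure (t=45, probes 15 seconds apart) and passed again at the third consecutive success (t=225, probes now 60 seconds apart), which shows why the Pass Detect Interval, not the Probe Interval, governs how quickly a recovered server returns to rotation.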
Related Topics
• Configuring DNS Probe Expect Addresses, page 8-73
• Configuring Headers for HTTP and HTTPS Probes, page 8-74
• Configuring Health Monitoring Expect Status, page 8-74
• Displaying Health Monitoring Statistics and Status Information, page 8-77
• Configuring Real Servers, page 8-5
• Configuring Server Farms, page 8-30
• Configuring Sticky Groups, page 9-7
Configuring Probe Attributes
You can configure health monitoring probe-specific attributes.
This section includes the following topics:
• DNS Probe Attributes, page 8-57
• Echo-TCP Probe Attributes, page 8-58
• Echo-UDP Probe Attributes, page 8-58
• Finger Probe Attributes, page 8-58
• FTP Probe Attributes, page 8-59
• HTTP Probe Attributes, page 8-60
• HTTPS Probe Attributes, page 8-61
• IMAP Probe Attributes, page 8-63
• POP Probe Attributes, page 8-64
• RADIUS Probe Attributes, page 8-65
• RTSP Probe Attributes, page 8-65
• Scripted Probe Attributes, page 8-66
• SIP-TCP Probe Attributes, page 8-67
• SIP-UDP Probe Attributes, page 8-68
• SMTP Probe Attributes, page 8-69
• SNMP Probe Attributes, page 8-69
• TCP Probe Attributes, page 8-70
• Telnet Probe Attributes, page 8-70
• UDP Probe Attributes, page 8-71
• VM Probe Attributes, page 8-72
Refer to the following topics for additional configuration options for health-monitoring probes:
• Configuring DNS Probe Expect Addresses, page 8-73
• Configuring Headers for HTTP and HTTPS Probes, page 8-74
• Configuring Health Monitoring Expect Status, page 8-74
• Configuring an OID for SNMP Probes, page 8-76
• Displaying Health Monitoring Statistics and Status Information, page 8-77
DNS Probe Attributes
Table 8-14 lists the DNS probe attributes.
Note Click More Settings to access the additional attributes for the DNS probe type. By default, ANM hides
the probe attributes with default values and the probe attributes that are not commonly used.
To configure expect addresses for DNS probes, see the “Configuring DNS Probe Expect Addresses”
section on page 8-73.
Table 8-14 DNS Probe Attributes
Field Action
Domain Name Domain name that the probe is to send to the DNS server. Valid entries are unquoted text strings
with a maximum of 255 characters.
More Settings
Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to
determine the port number. For more information, see the general attribute Port field description.
Echo-TCP Probe Attributes
Table 8-15 lists the Echo-TCP probe attributes.
Note Click More Settings to access the additional attributes for the Echo-TCP probe type. By default, ANM
hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-15 Echo-TCP Probe Attributes
Field Action
Send Data ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no
spaces and a maximum of 255 characters.
More Settings
TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by
sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP
connection by sending an RST.
Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are integers
from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the
default is 1 second.
Echo-UDP Probe Attributes
Table 8-16 lists the Echo-UDP probe attributes.
Note Click More Settings to access the additional attributes for the Echo-UDP probe type. By default, ANM
hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-16 Echo-UDP Probe Attributes
Field Action
Send Data ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no
spaces and a maximum of 255 characters.
More Settings
Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to
determine the port number. For more information, see the general attribute Port field description.
Finger Probe Attributes
Table 8-17 lists the Finger probe attributes.
Note Click More Settings to access the additional attributes for the Finger probe type. By default, ANM hides
the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-17 Finger Probe Attributes
Field Action
Send Data ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no
spaces and a maximum of 255 characters.
More Settings
Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to
determine the port number. For more information, see the general attribute Port field description.
TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by
sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP
connection by sending an RST.
Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1
to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the
default is 1 second.
FTP Probe Attributes
Table 8-18 lists the FTP probe attributes.
Note Click More Settings to access the additional attributes for the FTP probe type. By default, ANM hides
the probe attributes with default values and the probe attributes that are not commonly used.
To configure probe expect statuses for FTP probes, see the “Configuring Health Monitoring Expect
Status” section on page 8-74.
Table 8-18 FTP Probe Attributes
Field Action
More Settings
Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to
determine the port number. For more information, see the general attribute Port field
description.
TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully
by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a
TCP connection by sending an RST.
Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are
integers from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later,
the default is 1 second.
HTTP Probe Attributes
Table 8-19 lists the HTTP probe attributes.
Note Click More Settings to access the additional attributes for the HTTP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-19 HTTP Probe Attributes
Field Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
Request Method Type: Type of HTTP request method that is to be used for this probe. Choose one of the following:
• N/A: This option is not defined.
• Get: The HTTP request method is a GET with a URL of “/”. This request method directs the server to return the page, and the ACE calculates a hash value for the content of the page. If the page content changes, the hash value no longer matches the original hash value and the ACE assumes the service is down. This is the default request method.
• Head: The server returns only the header for the page. Using this method prevents the ACE from assuming that the service is down because the content, and therefore the hash value, changed; use it for pages whose body is dynamic.
Request HTTP URL: Field that appears if you chose Head or Get in the Request Method Type field. Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is “/”.
More Settings
Append Port Host Tag: Check box that, when checked, configures the ACE to append port information to the HTTP Host header when you configure a nondefault destination port for an HTTP probe. By default, the check box is unchecked and the ACE does not append this information.
Note This feature requires ACE module software Version A2(3.4) and ACE appliance software Version A3(2.7) or later releases.
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows:
• For ACE module software Version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module software Version A4(1.0) and later or ACE appliance software Version A3(1.x) and later, the default is 1 second.
User Name: User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Because an HTTP probe does not use TLS, these credentials cross the network unencrypted on every probe; use a dedicated, least-privilege health-check account rather than an administrative one.
Password: Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.
Expect Regular Expression: Expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters.
Expect Regex Offset: Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are from 1 to 4000.
Hash: Check box that, when checked, configures the ACE to use an MD5 hash for an HTTP GET probe. Uncheck the check box to configure the ACE not to use an MD5 hash for an HTTP GET probe.
Hash String: Field that appears if the Hash check box is selected. Enter the MD5 hash value that the ACE is to compare with the hash that it generates from the HTTP page sent by the server. If you do not provide this value, the ACE generates a value the first time it queries the server, stores this value, and matches it against later responses from the server. A successful comparison causes the probe to maintain an Alive state. Enter the MD5 hash value as a quoted or unquoted hexadecimal string; an MD5 digest is 128 bits, which is 32 hexadecimal characters. The hash detects only that the page content changed; it is not an integrity or authenticity check on the server.
To configure probe headers and expect statuses for HTTP probes, see the following topics:
• Configuring Headers for HTTP and HTTPS Probes, page 8-74
• Configuring Health Monitoring Expect Status, page 8-74
HTTPS Probe Attributes
Table 8-20 lists the HTTPS probe attributes.
Note Click More Settings to access the additional attributes for the HTTPS probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-20 HTTPS Probe Attributes
Field Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
Request Method Type: Type of HTTP request method that is to be used for this probe. Choose one of the following:
• N/A: This option is not defined.
• Get: The HTTP request method is a GET with a URL of “/”. This request method directs the server to return the page, and the ACE calculates a hash value for the content of the page. If the page content changes, the hash value no longer matches the original hash value and the ACE assumes the service is down. This is the default request method.
• Head: The server returns only the header for the page. Using this method prevents the ACE from assuming that the service is down because the content, and therefore the hash value, changed.
Request HTTP URL: Field that appears if you chose Head or Get in the Request Method Type field. Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is “/”.
Cipher: Choose the cipher suite to be used with this HTTPS probe:
• RSA_ANY: No specific suite is configured; the probe accepts any of the RSA cipher suites listed below. This is the default.
• RSA_EXPORT1024_WITH_DES_CBC_SHA
• RSA_EXPORT1024_WITH_RC4_56_MD5
• RSA_EXPORT1024_WITH_RC4_56_SHA
• RSA_EXPORT_WITH_DES40_CBC_SHA
• RSA_EXPORT_WITH_RC4_40_MD5
• RSA_WITH_3DES_EDE_CBC_SHA
• RSA_WITH_AES_128_CBC_SHA
• RSA_WITH_AES_256_CBC_SHA
• RSA_WITH_DES_CBC_SHA
• RSA_WITH_RC4_128_MD5
• RSA_WITH_RC4_128_SHA
The EXPORT, DES, RC4 and MD5-based suites in this list are cryptographically weak. Where the server supports it, choose RSA_WITH_AES_128_CBC_SHA or RSA_WITH_AES_256_CBC_SHA explicitly rather than RSA_ANY, so that the probe cannot negotiate down to a weak suite. The cipher setting affects only the ACE-to-server probe connection, not client traffic.
SSL Version: Version of SSL or TLS to be used in ClientHello messages sent to the server:
• All: The probe is to use all SSL versions.
• SSLv3: The probe is to use SSL version 3.
• TLSv1: The probe is to use TLS version 1.
By default, the probe sends ClientHello messages with an SSL version 3 record header and a TLS version 1 message. SSL version 3 is obsolete and has known weaknesses; choose TLSv1 when the server supports it.
More Settings
Append Port Host Tag: Check box that, when checked, configures the ACE to append port information to the HTTPS Host header when you configure a nondefault destination port for an HTTPS probe. By default, the check box is unchecked and the ACE does not append this information.
Note This feature requires ACE module software Version A2(3.4) and ACE appliance software Version A3(2.7) or later releases.
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second.
User Name: User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.
Password: Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.
Expect Regular Expression: Expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters.
Expect Regex Offset: Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are from 1 to 4000.
Hash: Check box that, when checked, configures the ACE to use an MD5 hash for an HTTP GET probe. Uncheck the check box to configure the ACE not to use an MD5 hash for an HTTP GET probe.
Hash String: Field that appears if the Hash check box is selected. Enter the MD5 hash value that the ACE is to compare with the hash that it generates from the HTTP page sent by the server. If you do not provide this value, the ACE generates a value the first time it queries the server, stores this value, and matches it against later responses from the server. A successful comparison causes the probe to maintain an Alive state. Enter the MD5 hash value as a quoted or unquoted hexadecimal string; an MD5 digest is 128 bits, which is 32 hexadecimal characters.
To configure probe headers and expect statuses for HTTPS probes, see the following topics:
• Configuring Headers for HTTP and HTTPS Probes, page 8-74
• Configuring Health Monitoring Expect Status, page 8-74
IMAP Probe Attributes
Table 8-21 lists the IMAP probe attributes.
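The GET-with-hash and HEAD behaviour described for the HTTP and HTTPS probes above, as an added example; this is not ANM or ACE code. It models the learned reference hash (no Hash String configured), a pinned Hash String, and the false "down" that a page with dynamic content produces under GET but not under HEAD. The sample bodies and status line are constructed; the 2xx rule in head_probe_alive is an assumption standing in for the expect-status settings on page 8-74.

```python
# Added example, not ANM or ACE code: models the GET-with-hash and HEAD
# behaviour described for the HTTP and HTTPS probes.
import hashlib
import re

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def normalize_hash_string(value: str) -> str:
    """Accept the quoted or unquoted form and require a full MD5 digest
    (128 bits, so 32 hexadecimal characters)."""
    value = value.strip().strip('"')
    if not MD5_HEX.fullmatch(value):
        raise ValueError("Hash String must be 32 hexadecimal characters")
    return value.lower()


class HttpHashProbe:
    """GET probe that compares an MD5 of the page body with a reference hash.

    MD5 is used only to detect that content changed, not as an integrity or
    authenticity check on the server."""

    def __init__(self, hash_string: str = None):
        self.reference = normalize_hash_string(hash_string) if hash_string else None

    def check(self, body: bytes) -> bool:
        digest = hashlib.md5(body).hexdigest()
        if self.reference is None:
            # No Hash String configured: learn it from the first reply.
            self.reference = digest
            return True
        return digest == self.reference


def head_probe_alive(status_line: str) -> bool:
    """HEAD probe: only the response header is examined. A 2xx status counts
    as Alive here (assumption; the expect-status rules are not modelled)."""
    m = re.match(r"HTTP/1\.[01] (\d{3})", status_line)
    return bool(m) and 200 <= int(m.group(1)) < 300


def simulate():
    """Two polls of a static page and of a page that embeds a timestamp
    (constructed sample bodies)."""
    static_body = b"<html><body><h1>Sign in</h1></body></html>"
    dynamic_bodies = [b"<html>Generated 10:00:00</html>",
                      b"<html>Generated 10:00:05</html>"]
    static_probe = HttpHashProbe()
    dynamic_probe = HttpHashProbe()
    return {
        "static_get": [static_probe.check(static_body), static_probe.check(static_body)],
        "dynamic_get": [dynamic_probe.check(b) for b in dynamic_bodies],
        "dynamic_head": [head_probe_alive("HTTP/1.1 200 OK") for _ in dynamic_bodies],
        "learned_hash": static_probe.reference,
    }


if __name__ == "__main__":
    print(simulate())
```

The second poll of the dynamic page fails the hash comparison even though the server is healthy, which is exactly the case the Head request method exists for.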
Note Click More Settings to access the additional attributes for the IMAP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-21 IMAP Probe Attributes
Field Action
User Name: User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Use a dedicated probe account and mailbox; the password is stored in the ACE configuration and sent to the server on every probe.
Password: Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.
Mailbox Name: User mailbox name from which to retrieve email for this IMAP probe. Valid entries are unquoted text strings with a maximum of 64 characters.
Request Command: Request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces.
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second.
POP Probe Attributes
Table 8-22 lists the POP probe attributes.
Note Click More Settings to access the additional attributes for the POP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-22 POP Probe Attributes
Field Action
User Name: User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.
Password: Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.
Request Command: Request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces.
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second.
RADIUS Probe Attributes
Table 8-23 lists the RADIUS probe attributes.
Note Click More Settings to access the additional attributes for the RADIUS probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-23 RADIUS Probe Attributes
Field Action
User Secret: Shared secret to be used to allow probe access to the RADIUS server. Valid entries are case-sensitive strings with no spaces and a maximum of 64 characters.
User Name: User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters.
Password: Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
NAS IP Address: IP address of the Network Access Server (NAS) in dotted-decimal format, such as 192.168.11.1.
RTSP Probe Attributes
Table 8-24 lists the RTSP probe attributes.
Note Click More Settings to access the additional attributes for the RTSP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
To configure probe expect statuses for RTSP probes, see the “Configuring Health Monitoring Expect Status” section on page 8-74.
Table 8-24 RTSP Probe Attributes
Field Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
RTSP Require Header Value: Require header for the probe.
RTSP Proxy Require Header Value: Proxy-Require header for the probe.
RTSP Request Method Type: Request method type:
• N/A: No request method is selected.
• Describe: Probe is to use the Describe request type.
More Settings
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second.
Scripted Probe Attributes
Table 8-25 lists the Scripted probe attributes.
Note Click More Settings to access the additional attributes for the Scripted probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-25 Scripted Probe Attributes
Field Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
Script Name: Local name that you want to assign to this file on the ACE. This file can reside in the disk0: directory or the probe: directory (if the probe: directory exists). Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.
Note The script file must first be established on the ACE device and the name must be entered exactly as it appears on the device. See your ACE documentation for more details.
Script Arguments: Valid arguments, which are unquoted text strings with no spaces; separate multiple arguments with a space. The field limit is 255 characters.
More Settings
Script Needs To Be Copied From Remote Location?: Check box that indicates that the file needs to be copied from a remote server. Uncheck this check box to indicate that the script resides locally.
Protocol: Field that appears if the script is to be copied from a remote server. Choose the protocol to be used for copying the script:
• FTP: The script is to be copied using FTP.
• TFTP: The script is to be copied using TFTP.
Neither protocol protects the script in transit: TFTP has no authentication at all, and FTP sends the user name and password in the clear. Because the copied script runs on the ACE and decides whether servers are marked Alive, copy it only from a trusted host over a trusted network and verify the file on the ACE afterwards.
User Name: Field that appears if FTP is selected in the Protocol field. Enter the name of the user account on the remote server.
Password: Field that appears if FTP is selected in the Protocol field. Enter the password for the user account on the remote server. Reenter the password in the Confirm field.
Source File Name: Field that appears if the script is to be copied from a remote server. Enter the host IP address, path, and filename of the file on the remote server in the format host-ip/path/filename where:
• host-ip represents the IP address of the remote server.
• path represents the directory path of the file on the remote server.
• filename represents the filename of the file on the remote server.
For example, your entry might be 192.168.11.2/usr/bin/my-script.ext.
SIP-TCP Probe Attributes
Table 8-26 lists the SIP-TCP probe attributes.
Note Click More Settings to access the additional attributes for the SIP-TCP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-26 SIP-TCP Probe Attributes
Field Action
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second.
Expect Regular Expression: Expected response data from the probe destination. Valid entries are text strings with a maximum of 255 characters. This field accepts both single and double quotes. Double quotes are treated as delimiters, so they do not appear on the device; single quotes do appear on the device.
Expect Regex Offset: Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are from 1 to 4000.
To configure probe expect statuses for SIP-TCP probes, see the “Configuring Health Monitoring Expect Status” section on page 8-74.
SIP-UDP Probe Attributes
Table 8-27 lists the SIP-UDP probe attributes.
Note Click More Settings to access the additional attributes for the SIP-UDP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-27 SIP-UDP Probe Attributes
Field Action
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
Expect Regular Expression: Expected response data from the probe destination. Valid entries are text strings with a maximum of 255 characters. This field accepts both single and double quotes. Double quotes are treated as delimiters, so they do not appear on the device; single quotes do appear on the device.
Expect Regex Offset: Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are from 1 to 4000.
To configure probe expect statuses for SIP-UDP probes, see the “Configuring Health Monitoring Expect
Status” section on page 8-74.
SMTP Probe Attributes
Table 8-28 lists the SMTP probe attributes.
Note Click More Settings to access the additional attributes for the SMTP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-28 SMTP Probe Attributes
Field Action
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second.
To configure probe expect statuses for SMTP probes, see the “Configuring Health Monitoring Expect Status” section on page 8-74.
SNMP Probe Attributes
Table 8-29 lists the SNMP probe attributes.
Note Click More Settings to access the additional attributes for the SNMP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-29 SNMP Probe Attributes
Field Action
SNMP Community: SNMP community string. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. With SNMPv1 and SNMPv2c the community string is the only credential and is sent in cleartext, so use a read-only community dedicated to probing rather than the one used for management.
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
SNMP Version: SNMP version for the probe:
• N/A: No version is selected.
• SNMPv1: This probe is to use SNMP version 1.
• SNMPv2c: This probe is to use SNMP version 2c.
To configure the SNMP OID for SNMP probes, see the “Configuring an OID for SNMP Probes” section on page 8-76.
TCP Probe Attributes
Table 8-30 lists the TCP probe attributes.
Note Click More Settings to access the additional attributes for the TCP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-30 TCP Probe Attributes
Field Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
Send Data: ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.
More Settings
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second.
Expect Regular Expression: Expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters.
Expect Regex Offset: Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are from 1 to 4000.
Telnet Probe Attributes
Table 8-31 lists the Telnet probe attributes.
Note Click More Settings to access the additional attributes for the Telnet probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-31 Telnet Probe Attributes
Field Action
More Settings
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
TCP Connection Termination: Check box that, when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST.
Open Timeout (Seconds): Enter the number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows:
• For ACE module version A2(3.x) and earlier, the default is 10 seconds.
• For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second.
UDP Probe Attributes
Table 8-32 lists the UDP probe attributes.
Note Click More Settings to access the additional attributes for the UDP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used.
Table 8-32 UDP Probe Attributes
Field Action
Port: Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description.
Send Data: ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters.
More Settings
Expect Regular Expression: Expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters.
Expect Regex Offset: Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are from 1 to 4000.
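The Open Timeout, Send Data, Expect Regular Expression / Expect Regex Offset and TCP Connection Termination attributes that the TCP, UDP and other TCP-based probe tables above share, as an added example; this is not ANM or ACE code. A constructed local server stands in for the real server and reports whether the probe ended the connection with a FIN (graceful) or an RST (abortive, produced here with SO_LINGER set to zero). The SMTP-style banner is constructed, and reading the offset as the 1-based position of the first character examined is an assumption about how the 1 to 4000 range is counted.

```python
# Added example, not ANM or ACE code: a small TCP probe that models Open
# Timeout, Send Data, Expect Regular Expression / Expect Regex Offset and
# TCP Connection Termination against a constructed local server.
import re
import socket
import struct
import threading


def start_fake_server(banner: bytes):
    """Constructed stand-in for a real server on 127.0.0.1. Sends a banner,
    drains what the probe writes, and records how the probe closed:
    'FIN' (recv returns b'') or 'RST' (ConnectionResetError)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    outcome = {}

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(3)
        with conn:
            conn.sendall(banner)
            try:
                while conn.recv(1024):
                    pass
                outcome["close"] = "FIN"
            except ConnectionResetError:
                outcome["close"] = "RST"
            except socket.timeout:
                outcome["close"] = "TIMEOUT"

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, outcome, thread


def tcp_probe(port, send_data=b"", expect_regex=None, regex_offset=1,
              open_timeout=1.0, graceful=True, host="127.0.0.1"):
    """Return (alive, reason). regex_offset is the 1-based position of the
    first character the regex is applied to (assumption, see lead-in)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(open_timeout)                  # Open Timeout (Seconds)
    try:
        sock.connect((host, port))
    except OSError as exc:                         # refused, unreachable or timed out
        sock.close()
        return False, "connect failed: %s" % exc
    try:
        if send_data:
            sock.sendall(send_data)                # Send Data
        # Always read the reply before closing: closing with unread data makes
        # the kernel send an RST even when a graceful FIN was intended.
        try:
            received = sock.recv(4096)
        except socket.timeout:
            received = b""
        if expect_regex is None:
            return True, "connected"
        if re.search(expect_regex, received[regex_offset - 1:]):
            return True, "expect regex matched"
        return False, "expect regex not found"
    finally:
        if not graceful:
            # SO_LINGER with a zero timeout turns close() into an abortive RST.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        sock.close()


def demo():
    """Run the scenarios discussed in the text and return their results."""
    banner = b"220 mail.example.test ESMTP ready\r\n"   # constructed greeting
    results = {}
    port, outcome, thread = start_fake_server(banner)
    results["graceful"] = tcp_probe(port, b"QUIT\r\n", rb"^220 ", graceful=True)
    thread.join(5)
    results["graceful_close"] = outcome.get("close")
    port, outcome, thread = start_fake_server(banner)
    results["abortive"] = tcp_probe(port, b"QUIT\r\n", rb"^ESMTP",
                                    regex_offset=23, graceful=False)
    thread.join(5)
    results["abortive_close"] = outcome.get("close")
    port, outcome, thread = start_fake_server(banner)
    results["wrong_offset"] = tcp_probe(port, b"QUIT\r\n", rb"^ESMTP", regex_offset=24)
    thread.join(5)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                  # nothing listens here any more
    results["no_listener"] = tcp_probe(closed_port, open_timeout=0.5)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

An offset that is off by one turns a healthy server into a "down" verdict, so check the offset against a captured banner before relying on it. The abortive close is cheaper for the server (no TIME_WAIT on the probe side) but shows up in server logs as a reset connection, which is why the graceful FIN is the default.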
VM Probe Attributes
Note You use a VM probe when you configure the ACE for Dynamic Workload Scaling (see the “Configuring
Dynamic Workload Scaling” section on page 8-26), which requires that the ACE appliance or module is
using software Version A4(2.0) or a later release.
You configure the VM probe attributes to control when the ACE bursts traffic to remote VMs based on
an average of local VM CPU usage, memory usage, or both. The ACE obtains the usage information by
sending the VM probe to the specified VM Controller associated with the local VMs (see Figure 1-1). It
calculates the average aggregate load information for all local VMs as a percentage of CPU usage or
memory usage and uses either or both percentages to determine when to burst traffic to the remote data
center. If the server farm consists of both physical servers and VMs, the ACE considers load information
only from the VMs.
By default, the VM probe checks the percentage of usage for either the CPU or memory against the
maximum threshold value. Whichever percentage reaches its maximum threshold value first causes the
ACE to burst traffic to the remote data center. The default maximum burst threshold value of 99 percent
instructs the ACE to always load balance traffic to the local VMs unless the load value is equal to
100 percent or the VMs are not in the Operational state. If you configure the maximum burst threshold
value to 1 percent, the ACE always bursts traffic to the remote data center.
When the usage percentage is less than the minimum threshold value, the ACE stops bursting traffic to
the remote data center and continues to load balance traffic to the local VMs. Any active connections to
the remote data center are allowed to complete.
Table 8-33 lists the VM probe attributes.
To associate the VM probe with a server farm, see the “Configuring Server Farms” section on page 8-30.
Related Topics
• Configuring Dynamic Workload Scaling, page 8-26
• Configuring Server Farms, page 8-30
• Dynamic Workload Scaling Overview, page 8-4
Table 8-33 VM Probe Attributes
Field Action
Max CPU Burst Threshold: Percentage of CPU usage by the local VMs at which the ACE begins to burst traffic to the remote VMs. Enter a value from 1 to 99. The default is 99.
Min CPU Burst Threshold: Percentage of CPU usage by the local VMs below which the ACE stops bursting traffic to the remote VMs. Enter a value from 1 to 99. The default is 99.
Max Memory Burst Threshold: Percentage of memory usage by the local VMs at which the ACE begins to burst traffic to the remote VMs. Enter a value from 1 to 99. The default is 99.
Min Memory Burst Threshold: Percentage of memory usage by the local VMs below which the ACE stops bursting traffic to the remote VMs. Enter a value from 1 to 99. The default is 99.
VM Controller Name: Identifier of the VM Controller that is associated with the local VMs and that you configured in the “Configuring and Verifying a VM Controller Connection” section on page 8-29. Click the radio button for the VM Controller.
8-73
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 8 Configuring Real Servers and Server Farms
Configuring Health Monitoring
Configuring DNS Probe Expect Addresses
You can specify the IP address that the ACE expects to receive in response to a DNS request. When a
DNS probe sends a domain name resolve request to the server, it verifies the returned IP address by
matching the received IP address with the configured addresses.
Assumption
A DNS probe has been configured. See the “Configuring Health Monitoring for Real Servers” section
on page 8-51 for more information.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring.
The Health Monitoring table appears.
Step 2 In the Health Monitoring table, choose the DNS probe that you want to configure with an expected IP
address.
The Expect Addresses table appears.
Step 3 In the Expect Addresses table, click Add to add an entry to the Expect Addresses table.
The Expect Address configuration pane appears.
Note You cannot modify an entry in the Expect Addresses table. Instead, delete the existing entry, then
add a new one.
Step 4 In the IPv4/IPv6 Address field, enter the IP address that the ACE appliance is to expect as a server
response to a DNS request. You can enter multiple addresses in this field. However, you cannot mix IPv4
and IPv6 addresses.
Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entry and to return to the Expect Addresses
table.
• Click Next to deploy your entry and to add another IP Address to the Expect Addresses table.
Related Topics
• Configuring Health Monitoring for Real Servers, page 8-51
• DNS Probe Attributes, page 8-57
• Displaying Health Monitoring Statistics and Status Information, page 8-77
Configuring Headers for HTTP and HTTPS Probes
You can specify header fields for HTTP and HTTPS probes.
Assumption
An HTTP or HTTPS probe has been configured. See the “Configuring Health Monitoring for Real
Servers” section on page 8-51 for more information.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring.
The Health Monitoring table appears.
Step 2 In the Health Monitoring table, choose the HTTP or HTTPS probe that you want to configure with a
header.
The Probe Headers table appears.
Step 3 In the Probe Headers table, click Add to add an entry, or choose an existing entry and click Edit to
modify it.
The Probe Headers configuration pane appears.
Step 4 In the Header Name field of the Probe Headers configuration pane, choose the HTTP header the probe
is to use.
Step 5 In the Header Value field, enter the string to assign to the header field.
Valid entries are text strings with a maximum of 255 characters. If the string includes spaces, enclose
the string with quotes.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entry and to return to the Probe Headers
table.
• Click Next to deploy your entry and to add another header entry to the Probe Headers table.
Related Topics
• Configuring Health Monitoring for Real Servers, page 8-51
• HTTP Probe Attributes, page 8-60
• HTTPS Probe Attributes, page 8-61
• Displaying Health Monitoring Statistics and Status Information, page 8-77
Configuring Health Monitoring Expect Status
You can configure a single status code or a range of status codes that the ACE expects from the probe
destination. When the ACE receives a response from the server, the status code must match a configured
code for the server to be marked as passed. By default, no status codes are configured on the ACE. If you
do not configure a status code, any response code from the server is marked as failed.
Expect status codes can be configured for FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, and SMTP
probes.
Assumption
An FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP or SMTP probe has been configured. See the
“Configuring Health Monitoring for Real Servers” section on page 8-51 for more information.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring.
The Health Monitoring table appears.
Step 2 In the Health Monitoring table, choose the probe that you want to configure for expect status codes, and
click the Expect Status tab.
The Expect Status table appears.
Step 3 In the Expect Status table, click Add to add an entry, or select an existing entry and click Edit to modify
it.
The Expect Status configuration pane appears.
Step 4 In the Expect Status configuration pane, configure a single expect status code as follows:
a. In the Min. Expect Status Code field, enter the expect status code for this probe. Valid entries are
from 0 to 999.
b. In the Max. Expect Status Code field, enter the same expect status code that you entered in the Min.
Expect Status Code field.
Step 5 In the Expect Status configuration pane, configure a range of expect status codes as follows:
a. In the Min. Expect Status Code, enter the lower limit of the range of status codes. Valid entries are
from 0 to 999.
b. In the Max. Expect Status Code, enter the upper limit of a range of status codes. Valid entries are
from 0 to 999. The value in this field must be greater than or equal to the value in the Min Expect
Status Code field.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Expect Status
table.
• Click Next to deploy your entries and to add another expect status code to the Expect Status table.
Related Topics
• Configuring Health Monitoring for Real Servers, page 8-51
• FTP Probe Attributes, page 8-59
• HTTP Probe Attributes, page 8-60
• SMTP Probe Attributes, page 8-69
• Displaying Health Monitoring Statistics and Status Information, page 8-77
Configuring an OID for SNMP Probes
You can configure OID queries to probe the server. When the ACE sends a probe with an SNMP OID
query, the ACE uses the retrieved value as input to the least-loaded algorithm for load-balancing
decisions. Least-loaded load balancing bases the server selection on the server with the lowest load
value. If the retrieved value is within the configured threshold, the server is marked as passed. If the
threshold is exceeded, the server is marked as failed.
The ACE allows a maximum of eight OID queries to probe the server.
Assumption
An SNMP probe has been configured. See the “Configuring Health Monitoring for Real Servers” section
on page 8-51 for more information.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring.
The Health Monitoring table appears.
Step 2 In the Health Monitoring table, choose the SNMP probe for which you want to specify an OID.
The SNMP OID for Server Load Query table appears.
Step 3 In the SNMP OID for Server Load Query table, click Add to add an entry, or choose an existing entry
and click Edit to modify it.
The SNMP OID configuration pane appears.
Step 4 In the SNMP OID field of the SNMP OID configuration pane, enter the OID that the probe is to use to
query the server for a value.
Valid entries are unquoted strings with a maximum of 255 alphanumeric characters in dotted-decimal
notation, such as .1.3.6.1.4.2021.10.1.3.1. The OID string is based on the server type.
Step 5 In the Max. Absolute Server Load Value field, enter the maximum OID value as an integer. Entering a
value here indicates that the retrieved OID value is an absolute value instead of a percentage.
Valid entries are from 1 to 4294967295.
When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the
least-loaded algorithm for load-balancing decisions. By default, the ACE assumes that the retrieved OID
value is a percentage. Use this field to specify that the retrieved OID value is an absolute value instead.
Step 6 In the Server Load Threshold Value field, specify the threshold at which the server is to be taken out of
service as follows:
• When the OID value is based on a percent, valid entries are integers from 1 to 100.
• When the OID is based on an absolute value, valid entries are from 1 to the value specified in the
Maximum Absolute Server Load Value field.
Step 7 In the Server Load Weighting field, enter the weight to assign to this OID for the SNMP probe.
Valid entries are from 0 to 16000.
Step 8 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the SNMP OID table.
• Click Next to deploy your entries and to add another item to the SNMP OID table.
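How the settings from Steps 4 to 7 (OID, absolute maximum, threshold, weighting) feed the least-loaded algorithm, as an added Python model that is not ACE code. The page does not state how several weighted OIDs are combined into one load value, so the weighted average below is an assumption; the second OID string and all server responses are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_OID_QUERIES = 8          # the ACE allows a maximum of eight OID queries per probe
MAX_ABSOLUTE = 4294967295    # upper bound of Max. Absolute Server Load Value
MAX_WEIGHT = 16000           # upper bound of Server Load Weighting


@dataclass
class OidQuery:
    oid: str                             # dotted-decimal OID, for example .1.3.6.1.4.2021.10.1.3.1
    threshold: int                       # Server Load Threshold Value
    weight: int = 1                      # Server Load Weighting, 0..16000
    max_absolute: Optional[int] = None   # Max. Absolute Server Load Value; None means percent

    def __post_init__(self) -> None:
        if not self.oid.startswith(".") or not self.oid[1:].replace(".", "").isdigit():
            raise ValueError(f"OID must be dotted-decimal, got {self.oid!r}")
        if not 0 <= self.weight <= MAX_WEIGHT:
            raise ValueError("weight must be 0..16000")
        if self.max_absolute is None:
            upper = 100                  # percent: threshold is 1..100
        else:
            if not 1 <= self.max_absolute <= MAX_ABSOLUTE:
                raise ValueError("max_absolute must be 1..4294967295")
            upper = self.max_absolute    # absolute: threshold is 1..max_absolute
        if not 1 <= self.threshold <= upper:
            raise ValueError(f"threshold must be 1..{upper}")

    def normalized(self, value: int) -> float:
        """Map a retrieved value to a 0..1 load fraction (percent or absolute scale)."""
        scale = 100 if self.max_absolute is None else self.max_absolute
        return value / scale


@dataclass
class SnmpProbe:
    queries: List[OidQuery] = field(default_factory=list)

    def add(self, query: OidQuery) -> None:
        if len(self.queries) >= MAX_OID_QUERIES:
            raise ValueError("the ACE allows at most eight OID queries per probe")
        self.queries.append(query)

    def evaluate(self, retrieved: Dict[str, int]) -> Tuple[bool, Optional[float]]:
        """Return (passed, load). A missing OID or a value above its threshold marks the
        server failed; otherwise load is the weighted average of the normalized values."""
        total_weight = sum(q.weight for q in self.queries)
        weighted = 0.0
        for q in self.queries:
            value = retrieved.get(q.oid)
            if value is None or value > q.threshold:
                return False, None
            weighted += q.weight * q.normalized(value)
        return True, (weighted / total_weight if total_weight else 0.0)


def least_loaded(probe: SnmpProbe, responses: Dict[str, Dict[str, int]]) -> Optional[str]:
    """Pick the passed real server with the lowest load; None if every server failed."""
    loads = {}
    for server, retrieved in responses.items():
        passed, load = probe.evaluate(retrieved)
        if passed:
            loads[server] = load
    if not loads:
        return None
    return min(loads, key=lambda s: (loads[s], s))


CPU_OID = ".1.3.6.1.4.2021.10.1.3.1"   # OID string quoted in Step 4 above
CONN_OID = ".1.3.6.1.4.1.99999.1"      # constructed placeholder OID for an absolute counter

# Constructed responses: per real server, the values returned for each OID.
SAMPLE_RESPONSES = {
    "rs1": {CPU_OID: 40, CONN_OID: 200},
    "rs2": {CPU_OID: 20, CONN_OID: 900},   # exceeds the 800 threshold -> failed
    "rs3": {CPU_OID: 60, CONN_OID: 100},
}


def build_probe() -> SnmpProbe:
    probe = SnmpProbe()
    probe.add(OidQuery(CPU_OID, threshold=90, weight=3))
    probe.add(OidQuery(CONN_OID, threshold=800, weight=1, max_absolute=1000))
    return probe


if __name__ == "__main__":
    print(least_loaded(build_probe(), SAMPLE_RESPONSES))  # rs1
```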
Related Topics
• Configuring Health Monitoring for Real Servers, page 8-51
• SNMP Probe Attributes, page 8-69
• Displaying Health Monitoring Statistics and Status Information, page 8-77
Displaying Health Monitoring Statistics and Status Information
You can display statistics and status information for a particular probe.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring.
The Health Monitoring table appears.
Step 2 In the Health Monitoring table, choose a probe from the Health Monitoring table, and click Details.
The show probe name detail CLI command output appears. For details on the displayed output fields,
see the Cisco ACE Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series
Appliance Server Load-Balancing Configuration Guide, Chapter 4, Configuring Health Monitoring.
Note For a DNS probe, the detailed probe results always identify a default DNS domain of
www.Cisco.com.
Step 3 Click Update Details to refresh the output for the show probe name detail CLI command.
Step 4 Click Close to return to the Health Monitoring table.
Related Topics
• Configuring Health Monitoring for Real Servers, page 8-51
Configuring Secure KAL-AP
You can configure a secure keepalive-appliance protocol (KAL-AP) associated with a virtual context. A
KAL-AP on the ACE enables communication between the ACE and a Global Site Selector (GSS), which
sends KAL-AP requests to report the server states and loads for global-server load-balancing (GSLB)
decisions. The ACE uses KAL-AP through a UDP connection to calculate weights and provide
information for server availability to the KAL-AP device. The ACE acts as a server and listens for
KAL-AP requests. When KAL-AP is initialized on the ACE, the ACE listens on the standard 5002 port
for any KAL-AP requests. You cannot configure any other port.
The ACE supports secure KAL-AP for MD5 encryption of data between it and the GSS. For encryption,
you must configure a shared secret as a key for authentication between the GSS and the ACE context.
Assumptions
This topic assumes the following:
• You have created a virtual context that specifies the Keepalive Appliance Protocol over UDP.
• You have enabled KAL-AP on the ACE by configuring a management class map and policy map
and applying it to the appropriate interface.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Secure KAL-AP.
The Secure KAL-AP table appears.
Step 2 In the Secure KAL-AP table, click Add to configure secure KAL-AP for MD5 encryption of data.
The Secure KAL-AP configuration window appears.
Step 3 In the IP Address field of the Secure KAL-AP configuration window, enable secure KAL-AP by
configuring the VIP address for the GSS.
Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
Step 4 In the Hash Key field, enter the MD5 encryption method shared secret between the KAL-AP device and
the ACE.
Enter the shared secret as a case-sensitive string with no spaces and a maximum of 31 alphanumeric
characters. The ACE supports the following special characters in a shared secret:
, . / = + - ^ @ ! % ~ # $ * ( )
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The ACE validates the secure KAL-AP
configuration and deploys it.
• Click Cancel to exit this procedure without accepting your entries and to return to the Secure
KAL-AP table.
• Click Next to accept your entries.
Related Topics
• Creating Virtual Contexts, page 6-2
• Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 14-12
CHAPTER 9
Configuring Stickiness
Date: 3/28/12
This chapter describes how to configure stickiness on the Cisco Application Control Engine (ACE) using
Cisco Application Networking Manager (ANM).
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Information About Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
• Configuring Sticky Groups, page 9-7
Information About Stickiness
When customers visit an e-commerce site, they usually start out browsing the site. The site may require
that the client become “stuck” to one server once the connection is established, or once the client starts to
build a shopping cart.
In either case, once the client adds items to the shopping cart, it is important that all of the client requests
get directed to the same server so that all the items are contained in one shopping cart on one server. An
instance of a customer’s shopping cart is typically local to a particular web server and is not duplicated
across multiple servers.
E-commerce applications are not the only types of applications that require stickiness. Any web
application that maintains client information may require stickiness, such as banking applications or
online trading. Other uses include FTP and HTTP file transfers.
Stickiness allows the same client to maintain multiple simultaneous or subsequent TCP or IP
connections with the same real server for the duration of a session. A session is a series of transactions
between a client and a server over some finite period of time (from several minutes to several hours).
This feature is particularly useful for e-commerce applications where a client needs to maintain multiple
connections with the same server while shopping online, especially while building a shopping cart and
during the checkout process.
Depending on the configured SLB policy, the ACE sticks a client to an appropriate server after the ACE
has determined which load-balancing method to use. If the ACE determines that a client is already stuck
to a particular server, then the ACE sends that client request to that server, regardless of the
load-balancing criteria specified by the matched policy. If the ACE determines that the client is not stuck
to a particular server, it applies the normal load-balancing rules to the content request.
For information about stickiness, see the following topics:
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
Related Topics
• Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50
• Configuring Sticky Groups, page 9-7
Sticky Types
All ACE devices support stickiness based on the following:
• HTTP cookies
• HTTP headers
• IP addresses
• HTTP content
• Layer 4 payloads
• RADIUS attributes
• RTSP headers
• SIP headers
This section includes the following topics:
• HTTP Content Stickiness, page 9-3
• HTTP Cookie Stickiness, page 9-3
• HTTP Header Stickiness, page 9-4
• IP Netmask and IPv6 Prefix Stickiness, page 9-4
• Layer 4 Payload Stickiness, page 9-4
• RADIUS Stickiness, page 9-5
• RTSP Header Stickiness, page 9-5
• SIP Header Stickiness, page 9-5
HTTP Content Stickiness
HTTP content stickiness allows you to stick a client to a server based on the content of an HTTP packet.
You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that
specifies how many bytes to ignore from the beginning of the data.
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
HTTP Cookie Stickiness
Client cookies uniquely identify clients to the ACE and the servers that provide content. A cookie is a
small data structure within the HTTP header that is used by a server to deliver data to a web client and
request that the client store the information. In certain applications, the client returns the information to
the server to maintain the connection state or persistence between the client and the server.
When the ACE examines a request for content and determines through policy matching that the content
is sticky, it examines any cookie or URL present in the content request. The ACE uses the information
in the cookie or URL to direct the content request to the appropriate server.
The ACE supports the following types of cookie stickiness:
• Dynamic cookie learning
You can configure the ACE to look for a specific cookie name and automatically learn its value
either from the client request HTTP header or from the server Set-Cookie message in the server
response. Dynamic cookie learning is useful when dealing with applications that store more than
just the session ID or user ID within the same cookie. Only very specific bytes of the cookie value
are relevant to stickiness.
By default, the ACE learns the entire cookie value. You can optionally specify an offset and length
to instruct the ACE to learn only a portion of the cookie value.
Alternatively, you can specify a secondary cookie value that appears in the URL string in the HTTP
request. This option instructs the ACE to search for (and eventually learn or stick to) the cookie
information as part of the URL. URL learning is useful with applications that insert cookie information
as part of the HTTP URL. In some cases, you can use this feature to work around clients that
reject cookies.
• Cookie insert
The ACE inserts the cookie on behalf of the server upon the return request, so that the ACE can
perform cookie stickiness even when the servers are not configured to set cookies. The cookie
contains information that the ACE uses to ensure persistence to a specific real server.
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
HTTP Header Stickiness
You can use HTTP-header information to provide stickiness. With HTTP header stickiness, you can
specify a header offset to provide stickiness based on a unique portion of the HTTP header.
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
IP Netmask and IPv6 Prefix Stickiness
You can use the source IP address, the destination IP address, or both to uniquely identify individual
clients and their requests for stickiness purposes based on their IP netmask or IPv6 prefix. However, if
an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the
source IP address no longer is a reliable indicator of the true source of the request. In this case, you can
use cookies or one of the other sticky methods to ensure session persistence.
Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
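How the sticky keys from the HTTP Cookie Stickiness section above (dynamic cookie learning from the Cookie or Set-Cookie header, a secondary cookie name in the URL, and an offset/length portion) and from this IP netmask / IPv6 prefix section can be derived, as an added Python model that is not ACE code. The offset and length limits follow Table 9-1 later in this chapter; the header parsing is plain Python and the header and address values are constructed samples.

```python
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def cookie_from_cookie_header(header: str, name: str) -> Optional[str]:
    """Find `name` in a client Cookie header such as "a=1; b=2"."""
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            if key.strip() == name:
                return value
    return None


def cookie_from_set_cookie(header: str, name: str) -> Optional[str]:
    """Find `name` in a server Set-Cookie header; attributes after ';' are ignored."""
    first = header.split(";", 1)[0].strip()
    if "=" in first:
        key, value = first.split("=", 1)
        if key.strip() == name:
            return value
    return None


def cookie_from_url(url: str, secondary_name: str) -> Optional[str]:
    """Secondary Name: the cookie value carried in the URL query string."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(secondary_name)
    return values[0] if values else None


def learned_portion(value: str, offset: int = 0, length: Optional[int] = None) -> str:
    """Apply Offset (0..999) and Length (1..1000) from Table 9-1; by default the
    whole cookie value is learned."""
    if not 0 <= offset <= 999:
        raise ValueError("offset must be 0..999")
    if length is not None and not 1 <= length <= 1000:
        raise ValueError("length must be 1..1000")
    portion = value[offset:]
    return portion if length is None else portion[:length]


def cookie_sticky_key(name: str, cookie_header: Optional[str] = None,
                      set_cookie_header: Optional[str] = None, url: Optional[str] = None,
                      secondary_name: Optional[str] = None,
                      offset: int = 0, length: Optional[int] = None) -> Optional[str]:
    """Dynamic cookie learning: client Cookie header first, then the server's
    Set-Cookie, then the secondary name in the URL for clients that reject cookies."""
    value = None
    if cookie_header is not None:
        value = cookie_from_cookie_header(cookie_header, name)
    if value is None and set_cookie_header is not None:
        value = cookie_from_set_cookie(set_cookie_header, name)
    if value is None and url is not None and secondary_name:
        value = cookie_from_url(url, secondary_name)
    return None if value is None else learned_portion(value, offset, length)


def ip_sticky_key(src: Optional[str] = None, dst: Optional[str] = None,
                  v4_netmask: str = "255.255.255.255", v6_prefix_len: int = 128) -> str:
    """IP Netmask / IPv6 Prefix stickiness: mask the source, destination or both, so every
    client inside the masked block shares one sticky entry."""
    if src is None and dst is None:
        raise ValueError("at least one of src or dst is required")
    parts = []
    for addr in (src, dst):
        if addr is None:
            continue
        ip = ipaddress.ip_address(addr)
        suffix = v4_netmask if ip.version == 4 else str(v6_prefix_len)
        net = ipaddress.ip_network(f"{ip}/{suffix}", strict=False)
        parts.append(str(net.network_address))
    return "|".join(parts)


if __name__ == "__main__":
    # Constructed sample headers and addresses.
    hdr = "theme=dark; JSESSIONID=ABCDEF1234567890; lang=en"
    print(cookie_sticky_key("JSESSIONID", cookie_header=hdr))                  # whole value
    print(cookie_sticky_key("JSESSIONID", cookie_header=hdr, offset=6, length=4))  # 1234
    print(ip_sticky_key(src="192.168.11.77", v4_netmask="255.255.255.0"))      # 192.168.11.0
```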
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
Layer 4 Payload Stickiness
Layer 4 payload stickiness allows you to stick a client to a server based on the data in Layer 4 frames.
You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that
specifies how many bytes to ignore from the beginning of the data.
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
RADIUS Stickiness
RADIUS stickiness can be based on the following RADIUS attributes:
• Calling Station ID
• Username
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
RTSP Header Stickiness
Real Time Streaming Protocol (RTSP) stickiness is based on information in the RTSP session header.
With RTSP header stickiness, you can specify a header offset to provide stickiness based on a unique
portion of the RTSP header.
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
SIP Header Stickiness
Session Initiation Protocol (SIP) header stickiness is based on the SIP Call-ID header field. SIP header
stickiness requires the entire SIP header, so you cannot specify an offset.
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
• Sticky Table, page 9-6
Sticky Groups
The ACE uses the concept of sticky groups to configure stickiness. A sticky group allows you to specify
sticky attributes. After you configure a sticky group and its attributes, you associate the sticky group with
a Layer 7 policy-map action in a Layer 7 server load balancing (SLB) policy map. You can create a
maximum of 4096 sticky groups in each context. Each sticky group that you configure on the ACE
contains a series of parameters that determine the following:
• Sticky method
• Timeout
• Replication
• Sticky method-specific attributes
Note The context in which you configure a sticky group must be associated with a resource class that allocates
a portion of ACE resources to stickiness. See the “Using Resource Classes” section on page 6-43 for
information about configuring ACE resources.
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Table, page 9-6
Sticky Table
The ACE uses a sticky table to keep track of sticky connections. Table entries are as follows:
• Sticky groups
• Sticky methods
• Sticky connections
• Real servers
The sticky table can hold a maximum of four million entries (four million simultaneous users). When
the table reaches the maximum number of entries, additional sticky connections cause the table to wrap
and the first users become unstuck from their respective servers.
The ACE uses a configurable timeout mechanism to age out sticky table entries. When an entry times
out, it becomes eligible for reuse. High connection rates may cause the premature aging out of sticky
entries. In this case, the ACE reuses the entries that are closest to expiration first.
Sticky entries can be either dynamic (generated by the ACE on demand) or static (user-configured).
When you create a static sticky entry, the ACE places the entry in the sticky table immediately. Static
entries remain in the sticky database until you remove them from the configuration. You can create a
maximum of 4096 static sticky entries in each context.
If the ACE takes a real server out of service for whatever reason (probe failure, no inservice command,
or ARP timeout), the ACE removes from the database any sticky entries that are related to that server.
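The sticky table behaviour described above (timeout aging, reuse of the entries closest to expiration when the table is full, static entries that never age out, and removal of entries when a real server goes out of service), as an added Python model that is not ACE code. The table here holds a handful of entries instead of four million, and refreshing a dynamic entry's timer on each hit is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class StickyEntry:
    group: str
    rserver: str
    expires_at: Optional[float]   # None for static entries, which never age out
    static: bool = False


class StickyTable:
    """Sticky entries keyed by (sticky group, learned key) with timeout-based aging."""

    def __init__(self, max_entries: int, timeout_seconds: float) -> None:
        self.max_entries = max_entries
        self.timeout = timeout_seconds
        self.entries: Dict[Tuple[str, str], StickyEntry] = {}

    def lookup(self, group: str, key: str, now: float) -> Optional[str]:
        """Return the real server the client is stuck to, or None if no live entry exists."""
        entry = self.entries.get((group, key))
        if entry is None:
            return None
        if not entry.static and entry.expires_at <= now:
            del self.entries[(group, key)]        # aged out: the slot is eligible for reuse
            return None
        if not entry.static:
            entry.expires_at = now + self.timeout  # assumption: activity restarts the timer
        return entry.rserver

    def _make_room(self, now: float) -> None:
        if len(self.entries) < self.max_entries:
            return
        expired = [k for k, e in self.entries.items() if not e.static and e.expires_at <= now]
        if expired:
            del self.entries[expired[0]]          # timed-out entries are reused first
            return
        # Table full of live entries: reuse the dynamic entry closest to expiration,
        # which unsticks that client from its server (the "wrap" described above).
        dynamic = [(e.expires_at, k) for k, e in self.entries.items() if not e.static]
        if not dynamic:
            raise RuntimeError("sticky table is full of static entries")
        _, victim = min(dynamic)
        del self.entries[victim]

    def stick(self, group: str, key: str, rserver: str, now: float, static: bool = False) -> None:
        """Add a dynamic entry (created on demand) or a static one (user configured)."""
        if (group, key) not in self.entries:
            self._make_room(now)
        expires = None if static else now + self.timeout
        self.entries[(group, key)] = StickyEntry(group, rserver, expires, static)

    def remove_static(self, group: str, key: str) -> bool:
        """Static entries stay until removed from the configuration."""
        entry = self.entries.get((group, key))
        if entry is None or not entry.static:
            return False
        del self.entries[(group, key)]
        return True

    def server_out_of_service(self, rserver: str) -> int:
        """Drop every entry related to a server taken out of service; return how many."""
        victims = [k for k, e in self.entries.items() if e.rserver == rserver]
        for k in victims:
            del self.entries[k]
        return len(victims)


if __name__ == "__main__":
    # Constructed walk-through with a three-entry table and a 60-second timeout.
    table = StickyTable(max_entries=3, timeout_seconds=60)
    table.stick("g1", "c1", "rs1", now=0)
    table.stick("g1", "c2", "rs2", now=10)
    table.stick("g1", "c3", "rs1", now=20)
    table.stick("g1", "c4", "rs2", now=40)    # full: c2 (closest to expiration) is reused
    print(table.lookup("g1", "c2", now=40))   # None
    print(table.server_out_of_service("rs2")) # 1
```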
Related Topics
• Configuring Stickiness, page 9-1
• Sticky Types, page 9-2
• Sticky Groups, page 9-6
Configuring Sticky Groups
You can configure sticky groups. Stickiness (or session persistence) is a feature that allows the same
client to maintain multiple simultaneous or subsequent TCP connections with the same real server for
the duration of a session. A session is a series of transactions between a client and a server over some
finite period of time (from several minutes to several hours). This feature is particularly useful for
e-commerce applications where a client needs to maintain multiple TCP connections with the same
server while shopping online, especially while building a shopping cart and during the checkout process.
E-commerce applications are not the only types of applications that require stickiness. Any web
application that maintains client information may require stickiness, such as banking applications or
online trading. Other uses include FTP and HTTP file transfers.
The ACE uses the concept of sticky groups to configure stickiness. A sticky group allows you to specify
sticky attributes. After you configure a sticky group and its attributes, you associate the sticky group with
a Layer 7 policy-map action in a Layer 7 SLB policy map.
Note (Pre ACE version A4(1.0) module or appliance only) The context in which you configure a sticky group
must be associated with a resource class that allocates a portion of ACE resources to stickiness. See the
“Using Resource Classes” section on page 6-43 for information about configuring ACE resources.
Assumption
(Pre ACE version A4(1.0) module or appliance only) The context in which you are configuring a sticky
group is associated with a resource class that allocates resources to stickiness.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Stickiness.
The Sticky Groups table appears.
Step 2 In the Sticky Groups table, click Add to add a new sticky group, or choose an existing sticky group that
you want to modify and click Edit.
Step 3 Configure the sticky group using the information in Table 9-1.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 9-1 Sticky Group Attributes
Field Description
Group Name Sticky group identifier. Valid entries are unquoted text strings with no spaces and a maximum of
64 alphanumeric characters.
Type Method to be used when establishing sticky connections and to configure any type-specific
attributes. The choices are as follows:
• HTTP Content—The ACE sticks client connections to the same real server based on a string
in the data portion of the HTTP packet. See Table 9-2 for additional configuration options.
• HTTP Cookie—The ACE either learns a cookie from the HTTP header of a client request or
inserts a cookie in the Set-Cookie header of the response from the server to the client and then
uses the learned cookie to provide stickiness between the client and server for the duration of
the transaction. See Table 9-3 for additional configuration options.
• HTTP Header—The ACE sticks client connections to the same real server based on HTTP
headers. See Table 9-4 for additional configuration options.
• IP Netmask—The ACE sticks a client to the same server for multiple subsequent connections
as needed to complete a transaction using the client source IPv4 IP address, the destination
IPv4 IP address, or both. You can optionally configure an IPv6 prefix length with this sticky
type. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. See
Table 9-5 for additional configuration options.
Note If an organization uses a megaproxy to load balance client requests across multiple proxy
servers when a client connects to the Internet, the source IP address is no longer a reliable
indicator of the true source of the request. In this situation, you can use cookies or another
sticky method to ensure session persistence.
• V6 Prefix—(Option that appears only for ACE module and ACE appliance software Version
A5(1.0) or later.) The ACE appliance sticks a client to the same server for multiple subsequent
connections as needed to complete a transaction using the client source IP address, the
destination IP address, or both based on their IPv6 prefix. You can optionally configure an
IPv4 netmask with this sticky type. See Table 9-6 for additional configuration options.
• Layer 4 Payload—The ACE sticks client connections to the same real server based on a string
in the payload portion of the Layer 4 protocol packet. See Table 9-7 for additional
configuration options.
• RADIUS—The ACE sticks client connections to the same real server based on a RADIUS
attribute. See Table 9-8 for additional configuration options.
• RTSP Header—The ACE sticks client connections to the same real server based on the RTSP
Session header field. See Table 9-9 for additional configuration options.
• SIP Header—The ACE sticks client connections to the same real server based on the SIP
Call-ID header field.
Cookie Name This option appears for sticky type HTTP Cookie.
Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and
a maximum of 64 alphanumeric characters.
9-9
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 9 Configuring Stickiness
Configuring Sticky Groups
Enable Insert This option appears only for sticky type HTTP Cookie.
Check this check box if the ACE appliance is to insert a cookie in the Set-Cookie header of the
response from the server to the client. This option is useful when you want to use a session cookie
for persistence but the server is not currently setting the appropriate cookie. When selected, the
ACE appliance selects a cookie value that identifies the original server from which the client
received a response. For subsequent connections of the same transaction, the client uses the cookie
to stick to the same server.
Clear this check box to disable cookie insertion.
Browser Expire This option appears for sticky type HTTP Cookie and you select Enable Insert.
Check this check box to allow the client's browser to expire a cookie when the session ends. Clear
this check box to disable browser expire.
Offset (Bytes) This option appears for sticky types HTTP Cookie and HTTP Header.
Enter the number of bytes the ACE appliance is to ignore starting with the first byte of the cookie.
Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the ACE
appliance does not exclude any portion of the cookie.
Length (Bytes) This option appears for sticky types HTTP Cookie and HTTP Header.
Enter the length of the portion of the cookie (starting with the byte after the offset value) that the
ACE appliance is to use for sticking the client to the server. Valid entries are integers from 1 to
1000.
Secondary Name This option appears only for sticky type HTTP Cookie.
Enter an alternate cookie name that is to appear in the URL string of the Web page on the server.
The ACE appliance uses this cookie to maintain a sticky connection between a client and a server
and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no
spaces and a maximum of 64 characters.
Header Name This option appears for sticky type HTTP Header.
Select the HTTP header to use for sticking client connections.
Netmask This option appears only for sticky type IP Netmask.
Select the netmask to apply to the source IP address, the destination IP address, or both.
IPv4 Netmask This option appears only for sticky type IP Netmask or IPv6 Prefix (IPv6 requires ACE module
and ACE appliance software Version A5(1.0) or later). This option is mandatory for the sticky type
IP Netmask and optional for the sticky type IPv6 Prefix.
Select the netmask to apply to the source IP address, the destination IP address, or both.
IPv6 Prefix Length This option appears only for ACE module and ACE appliance software Version A5(1.0) or later
and for sticky type IPv6 Prefix or IP Netmask. This option is mandatory for the sticky type IPv6
Prefix and optional for the sticky type IP Netmask.
Enter the IPv6 prefix length to apply to the source IP address, the destination IP address, or both.
Address Type This option appears only for sticky type IP Netmask or IPv6 Prefix (IPv6 requires ACE module
and ACE appliance software Version A5(1.0) or later).
Indicate whether this sticky type is to be applied to the client source IP address, the destination IP
address, or both:
• Both—Indicates that this sticky type is to be applied to both the source IP address and the
destination IP address.
• Destination—Indicates that this sticky type is to be applied to the destination IP address only.
• Source—Indicates that this sticky type is to be applied to the source IP address only.
Sticky Server Farm Server farm that you want to associate with this sticky group.
Backup Server Farm Backup server farm that is associated with this sticky group. If the primary server farm is down,
the ACE uses the backup server farm.
Aggregate State Field that appears when a server farm and backup server farm are selected.
Check box that indicates that the state of the backup server farm is tied to the virtual server state.
Uncheck this check box if the backup server farm is not tied to the virtual server state.
Sticky Enabled On Backup Server Farm Field that appears when a server farm and backup server farm are selected.
Check box that indicates that the backup server farm is sticky. Uncheck this check box if the
backup server farm is not sticky.
Replicate On HA Peer Check box that indicates that the ACE is to replicate sticky table entries on the standby ACE. If a
failover occurs and this option is selected, the new active ACE can maintain the existing sticky
connections.
Uncheck this check box to indicate that the ACE is not to replicate sticky table entries on the
standby ACE.
Timeout (Minutes) Number of minutes that the ACE keeps the sticky information for a client connection in the sticky
table after the latest client connection terminates. Valid entries are from 1 to 65535; the default is
1440 minutes (24 hours).
Timeout Active Connections Check box that specifies that the ACE is to time out sticky table entries even if active connections
exist after the sticky timer expires.
Uncheck this check box to specify that the ACE is not to time out sticky table entries even if active
connections exist after the sticky timer expires. This behavior is the default.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. To configure sticky statics, see the
“Configuring Sticky Statics” section on page 9-15.
• Click Cancel to exit the procedure without saving your entries and to return to the Sticky Groups
table.
• Click Next to deploy your entries and to configure another sticky group.
Related Topics
• Configuring Sticky Statics, page 9-15
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Real Servers, page 8-5
• Configuring Server Farms, page 8-30
Sticky Group Attribute Tables
This section describes the different sticky group type-specific attributes.
Note There are no type-specific sticky group attributes for SIP Header.
This section includes the following topics:
• HTTP Content Sticky Group Attributes, page 9-11
• HTTP Cookie Sticky Group Attributes, page 9-12
• HTTP Header Sticky Group Attributes, page 9-13
• IP Netmask Sticky Group Attributes, page 9-13
• V6 Prefix Sticky Group Attributes, page 9-13
• Layer 4 Payload Sticky Group Attributes, page 9-14
• RADIUS Sticky Group Attributes, page 9-14
• RTSP Header Sticky Group Attributes, page 9-15
HTTP Content Sticky Group Attributes
Table 9-2 describes the HTTP content sticky group attributes.
Table 9-2 HTTP Content Sticky Group Attributes
Field Description
HTTP Content Check box that instructs the ACE to use the constant portion of HTTP content to make persistent
connections to a specific server. Uncheck the check box to identify specific content for stickiness
in the Offset, Length, Begin Pattern, and End Pattern fields.
HTTP content may change over time with only a portion remaining constant throughout a
transaction between the client and a server.
Offset Number of bytes that the virtual server is to ignore starting with the first byte of the cookie. Valid
entries are from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not
exclude any portion of the cookie.
Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to
use for sticking the client to the server. Valid entries are from 1 to 1000.
Begin Pattern Beginning pattern of the HTTP content payload and the pattern string to match before hashing. If
you do not specify a beginning pattern, the ACE begins parsing immediately after the offset byte.
You cannot configure different beginning and ending patterns for different server farms that are part
of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. You can enter a text string with spaces if you enclose the entire string in quotation marks
("). The ACE supports regular expressions for matching string expressions. Table 14-33 lists the
supported characters that you can use for matching string expressions.
End Pattern Pattern that marks the end of hashing. If you do not specify an end pattern or a length, the ACE
continues to parse the data until it reaches the end of the field or packet, or until it reaches the
maximum body parse length. You cannot configure different beginning and ending patterns for
different server farms that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. You can enter a text string with spaces if you enclose the entire string in quotation marks
("). The ACE supports regular expressions for matching string expressions. Table 14-33 lists the
supported characters that you can use for matching string expressions.
HTTP Cookie Sticky Group Attributes
Table 9-3 describes the HTTP cookie sticky group attributes.
Table 9-3 HTTP Cookie Sticky Group Attributes
Field Description
Cookie Name Unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and a
maximum of 64 alphanumeric characters.
Enable Insert Check box that determines if the virtual server is to insert a cookie in the Set-Cookie header of the
response from the server to the client. This option is useful when you want to use a session cookie
for persistence but the server is not currently setting the appropriate cookie. When selected, the
virtual server selects a cookie value that identifies the original server from which the client received
a response. For subsequent connections of the same transaction, the client uses the cookie to stick
to the same server.
Uncheck the check box to disable cookie insertion.
Offset Number of bytes that the virtual server is to ignore starting with the first byte of the cookie. Valid
entries are from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not
exclude any portion of the cookie.
Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to
use for sticking the client to the server. Valid entries are from 1 to 1000.
Secondary Name Alternate cookie name that is to appear in the URL string of the web page on the server. The virtual
server uses this cookie to maintain a sticky connection between a client and a server and adds a
secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces and a
maximum of 64 characters.
HTTP Header Sticky Group Attributes
Table 9-4 describes the HTTP header sticky group attributes.
Table 9-4 HTTP Header Sticky Group Attributes
Field Description
Header Name HTTP header to use for sticking client connections.
Offset Number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries
are from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude
any portion of the cookie.
Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to
use for sticking the client to the server. Valid entries are from 1 to 1000.
IP Netmask Sticky Group Attributes
Table 9-5 describes the IP netmask sticky group attributes.
Table 9-5 IP Netmask Sticky Group Attributes
Field Description
Netmask Netmask to apply to the source IP address, destination IP address, or both.
IPv6 Prefix Length (Optional field that requires ACE module and ACE appliance software Version A5(1.0) or later)
IPv6 prefix length to apply to the source IP address, destination IP address, or both.
Address Type Address type that the sticky type is to be applied to as follows:
• Both—Sticky type is applied to both the source IP address and the destination IP address.
• Destination—Sticky type is applied to the destination IP address only.
• Source—Sticky type is applied to the source IP address only.
V6 Prefix Sticky Group Attributes
Table 9-6 describes the V6 prefix sticky group attributes, which require ACE module and ACE
appliance software Version A5(1.0) or later.
Table 9-6 V6 Prefix Sticky Group Attributes
Field Description
Prefix Length (Field that requires ACE module and ACE appliance software Version A5(1.0) or later) IPv6 prefix
length to apply to the source IP address, destination IP address, or both.
IPv4 Netmask (Optional) Netmask to apply to the source IP address, destination IP address, or both.
Address Type Address type that the sticky type is to be applied to as follows:
• Both—Sticky type is applied to both the source IP address and the destination IP address.
• Destination—Sticky type is applied to the destination IP address only.
• Source—Sticky type is applied to the source IP address only.
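The Netmask, IPv6 Prefix Length and Address Type fields of Tables 9-5 and 9-6 amount to one key-derivation step before the sticky table lookup. The Python below is an added example that models that step (it is not ACE or ANM code); the class and function names are this example's own, and it also covers the case where a flow's address family has no mask configured and the megaproxy case described under the IP Netmask sticky type.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class AddressStickyGroup:
    """Constructed model of the Table 9-5 / Table 9-6 fields (not ACE code)."""
    address_type: str                          # "Both", "Source" or "Destination"
    ipv4_netmask: Optional[str] = None         # mandatory for IP Netmask, optional for V6 Prefix
    ipv6_prefix_length: Optional[int] = None   # mandatory for V6 Prefix, optional for IP Netmask

    def __post_init__(self) -> None:
        if self.address_type not in ("Both", "Source", "Destination"):
            raise ValueError("Address Type must be Both, Source or Destination")
        if self.ipv4_netmask is None and self.ipv6_prefix_length is None:
            raise ValueError("an IPv4 netmask or an IPv6 prefix length is required")
        if self.ipv6_prefix_length is not None and not 0 <= self.ipv6_prefix_length <= 128:
            raise ValueError("IPv6 prefix length must be 0..128")


def masked(group: AddressStickyGroup, addr_text: str) -> Optional[str]:
    """Apply the configured netmask (IPv4) or prefix length (IPv6) to one address.

    Returns None when the group has no mask for that address family: such a
    flow is load balanced normally and gets no sticky table entry.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        if group.ipv4_netmask is None:
            return None
        network = ipaddress.ip_network(f"{addr}/{group.ipv4_netmask}", strict=False)
    else:
        if group.ipv6_prefix_length is None:
            return None
        network = ipaddress.ip_network(f"{addr}/{group.ipv6_prefix_length}", strict=False)
    return str(network.network_address)


def sticky_key(group: AddressStickyGroup, src: str, dst: str) -> Optional[Tuple[str, ...]]:
    """Build the sticky table key for a flow according to Address Type."""
    parts = []
    if group.address_type in ("Both", "Source"):
        part = masked(group, src)
        if part is None:
            return None
        parts.append(part)
    if group.address_type in ("Both", "Destination"):
        part = masked(group, dst)
        if part is None:
            return None
        parts.append(part)
    return tuple(parts)


def distinct_keys(group: AddressStickyGroup, flows: Iterable[Tuple[str, str]]) -> int:
    """Number of distinct sticky keys a set of (source, destination) flows yields.

    Clients behind one megaproxy all share a source address, so every flow
    collapses onto a single key and therefore a single real server.
    """
    keys = {sticky_key(group, src, dst) for src, dst in flows}
    keys.discard(None)
    return len(keys)
```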
Layer 4 Payload Sticky Group Attributes
Table 9-7 describes the Layer 4 payload sticky group attributes.
Table 9-7 Layer 4 Payload Sticky Group Attributes
Field Description
Offset Number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are
from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any
portion of the cookie.
Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use
for sticking the client to the server. Valid entries are from 1 to 1000. The default is 1000.
Begin Pattern Beginning pattern of the Layer 4 payload and the pattern string to match before hashing. If you do not
specify a beginning pattern, the ACE begins parsing immediately after the offset byte. You cannot
configure different beginning and ending patterns for different server farms that are part of the same
traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters.
You can enter a text string with spaces provided that you enclose the entire string in quotation marks
("). The ACE supports regular expressions for matching string expressions. Table 14-33 lists the
supported characters that you can use for matching string expressions.
End Pattern Pattern that marks the end of hashing. If you do not specify an end pattern or a length, the ACE continues
to parse the data until it reaches the end of the field or packet, or until it reaches the maximum body
parse length. You cannot configure different beginning and ending patterns for different server farms
that are part of the same traffic classification.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters.
You can enter a text string with spaces provided that you enclose the entire string in quotation marks
("). The ACE supports regular expressions for matching string expressions. Table 14-33 lists the
supported characters that you can use for matching string expressions.
Enable Sticky For Response Check box that enables the ACE to parse server responses and perform sticky learning. The ACE uses
a hash of the server response bytes to populate the sticky database. The next time that the ACE receives
a client request with those same bytes, it sticks the client to the same server.
Uncheck the check box to reset the behavior of the ACE to the default of not parsing server responses
and performing sticky learning.
RADIUS Sticky Group Attributes
Table 9-8 describes the RADIUS sticky group attributes.
Table 9-8 RADIUS Sticky Group Attributes
Field Description
RADIUS Types Choose the RADIUS attribute to use for sticking client connections:
• N/A—This option is not configured.
• RADIUS Calling ID—Stickiness is based on the RADIUS framed IP attribute and the calling
station ID attribute.
• RADIUS User Name—Stickiness is based on the RADIUS framed IP attribute and the
username attribute.
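The Offset, Length, Begin Pattern, End Pattern and Enable Sticky For Response rules shared by Table 9-2 (HTTP content) and Table 9-7 (Layer 4 payload) read as one key-extraction procedure followed by a sticky table lookup with the Timeout (Minutes) rule from Table 9-1. The Python below is an added example that models those rules; it is not ACE or ANM code, and the hash function, the stand-in for the maximum body parse length, and all class and function names are this example's own assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PayloadStickyGroup:
    """Field values from Table 9-2 / Table 9-7 (constructed model, not ACE code)."""
    offset: int = 0                     # bytes ignored from the first byte of the field (0..999)
    length: Optional[int] = None        # bytes used after the offset (1..1000); None = to end of field
    begin_pattern: bytes = b""          # hashing starts after this match; empty = right after the offset
    end_pattern: bytes = b""            # hashing stops before this match; empty = no end marker
    sticky_for_response: bool = False   # Enable Sticky For Response
    timeout_minutes: int = 1440         # Timeout (Minutes); the default is 24 hours
    max_parse_len: int = 4096           # assumed stand-in for the maximum body parse length

    def __post_init__(self) -> None:
        if not 0 <= self.offset <= 999:
            raise ValueError("Offset must be 0..999")
        if self.length is not None and not 1 <= self.length <= 1000:
            raise ValueError("Length must be 1..1000")
        if not 1 <= self.timeout_minutes <= 65535:
            raise ValueError("Timeout must be 1..65535 minutes")


def sticky_key(group: PayloadStickyGroup, data: bytes) -> Optional[bytes]:
    """Extract and hash the bytes the group selects from one request or response field.

    Returns None when a configured begin pattern is absent or nothing remains to
    hash; such a connection is load balanced normally without a sticky entry.
    The hash is SHA-256 truncated to 8 bytes, an assumption of this example.
    """
    window = data[group.offset:group.offset + group.max_parse_len]
    if group.begin_pattern:
        start = window.find(group.begin_pattern)
        if start < 0:
            return None
        window = window[start + len(group.begin_pattern):]
    if group.end_pattern:
        end = window.find(group.end_pattern)
        if end >= 0:
            window = window[:end]
    if group.length is not None:
        window = window[:group.length]
    if not window:
        return None
    return hashlib.sha256(window).digest()[:8]


class StickyTable:
    """Sticky database for one group: key -> (real server, expiry in minutes)."""

    def __init__(self, group: PayloadStickyGroup) -> None:
        self.group = group
        self.entries: Dict[bytes, Tuple[str, float]] = {}
        self.next_rr = 0  # round-robin pointer used when no sticky entry applies

    def lookup(self, key: bytes, now_min: float) -> Optional[str]:
        entry = self.entries.get(key)
        if entry is None:
            return None
        server, expires = entry
        if now_min >= expires:       # Timeout (Minutes) elapsed since the last connection
            del self.entries[key]
            return None
        return server

    def learn(self, key: bytes, server: str, now_min: float) -> None:
        self.entries[key] = (server, now_min + self.group.timeout_minutes)


def select_server(table: StickyTable, request: bytes, candidates: List[str], now_min: float) -> str:
    """Stick to the learned server if the request carries a live key; else round robin and learn."""
    key = sticky_key(table.group, request)
    if key is not None:
        stuck = table.lookup(key, now_min)
        if stuck is not None:
            table.learn(key, stuck, now_min)   # each new connection restarts the timeout
            return stuck
    server = candidates[table.next_rr % len(candidates)]
    table.next_rr += 1
    if key is not None:
        table.learn(key, server, now_min)
    return server


def learn_from_response(table: StickyTable, response: bytes, server: str, now_min: float) -> bool:
    """Enable Sticky For Response: hash the reply so a later request carrying the same bytes sticks."""
    if not table.group.sticky_for_response:
        return False
    key = sticky_key(table.group, response)
    if key is None:
        return False
    table.learn(key, server, now_min)
    return True
```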
RTSP Header Sticky Group Attributes
Table 9-9 describes the RTSP header sticky group attributes.
Table 9-9 RTSP Header Sticky Group Attributes
Field Description
Offset Number of bytes that the virtual server is to ignore starting with the first byte of the cookie. Valid
entries are from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not
exclude any portion of the cookie.
Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to
use for sticking the client to the server. Valid entries are from 1 to 1000. The default is 1000.
Displaying All Sticky Groups by Context
You can display all sticky groups associated with a virtual context.
Procedure
Step 1 Choose Config > Devices.
The Virtual Contexts table appears.
Step 2 In the Virtual Contexts table, choose the virtual context with the sticky groups that you want to display,
and choose Load Balancing > Stickiness.
The Sticky Groups table appears, listing the sticky groups associated with the selected context.
Related Topics
• Configuring Sticky Groups, page 9-7
• Configuring Sticky Statics, page 9-15
Configuring Sticky Statics
You can configure sticky statics.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Assumption
A sticky group has been configured. See the “Configuring Sticky Groups” section on page 9-7 for more
information.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Stickiness.
The Sticky Groups table and Sticky Statics tab appear. If you do not see the Sticky Statics tab beneath
the Sticky Groups table, click the Switch between Configure and Browse Modes button.
Step 2 From the Sticky Groups table, choose the sticky group that you want to configure for sticky statics.
Step 3 From the Sticky Statics tab, click Add to add a new entry to the table, or select an existing entry, then
click Edit to modify it.
The Sticky Statics configuration screen appears.
Step 4 In the Sequence Number field, either accept the automatically incremented number for this entry or enter
a new sequence number. The sequence number indicates the order in which multiple sticky static
configurations are applied.
Step 5 From the Type drop-down list, choose the sticky group type.
The choices are as follows:
• HTTP Content—The ACE sticks client connections to the same real server based on a string in the
data portion of the HTTP packet.
• HTTP Cookie—The ACE either learns a cookie from the HTTP header of a client request or inserts
a cookie in the Set-Cookie header of the response from the server to the client, and then uses the
learned cookie to provide stickiness between the client and server for the duration of the transaction.
• HTTP Header—The ACE sticks client connections to the same real server based on HTTP headers.
• IP Netmask—The ACE sticks a client to the same server for multiple subsequent connections as
needed to complete a transaction using the client source IP address, the destination IP address, or
both based on the IPv4 netmask. You can optionally configure an IPv6 prefix length with this sticky
type.
Note If an organization uses a megaproxy to load balance client requests across multiple proxy
servers when a client connects to the Internet, the source IP address is no longer a reliable
indicator of the true source of the request. In this situation, you can use cookies or another
sticky method to ensure session persistence.
• V6 Prefix—(Option that appears only for ACE module and ACE appliance software Version
A5(1.0) or later) The ACE sticks a client to the same server for multiple subsequent connections as
needed to complete a transaction using the client source IP address, the destination IP address, or
both based on the IPv6 prefix length. You can optionally configure an IPv4 netmask with this sticky
type.
• Layer 4 Payload—The ACE sticks client connections to the same real server based on a string in
the payload portion of the Layer 4 protocol packet.
• RADIUS—The ACE sticks client connections to the same real server based on a RADIUS attribute.
• RTSP Header—The ACE sticks client connections to the same real server based on the RTSP
Session header field.
• SIP Header—The ACE sticks client connections to the same real server based on the SIP Call-ID
header field.
Step 6 If you chose HTTP Cookie, HTTP Header, RTSP Header, or SIP Header for the sticky type, in the Static
Value field, enter the cookie string value.
Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. If the string
includes spaces, enclose the string with quotes.
Step 7 If you chose IP Netmask or V6 Prefix for the sticky type, do the following:
a. For the IP Address Type, select either IPv4 or IPv6.
b. In the Static Source field, enter the source IP address of the client.
c. In the Static Destination field, enter the destination IP address of the client.
Step 8 In the Named Real Server field, choose the real server to associate with this static sticky entry.
Step 9 In the Port field, enter the port number of the real server.
Valid entries are from 1 to 65535.
Step 10 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Sticky Statics
table.
• Click Next to deploy your entries and to configure another sticky static entry.
Related Topics
Configuring Sticky Groups, page 9-7
CHAPTER 10
Configuring Parameter Maps
Date: 3/28/12
This chapter describes how to configure parameter maps on the Cisco Application Control Engine (ACE)
using Cisco Application Networking Manager (ANM).
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Information About Parameter Maps, page 10-1
• Configuring Connection Parameter Maps, page 10-3
• Configuring Generic Parameter Maps, page 10-8
• Configuring HTTP Parameter Maps, page 10-9
• Configuring Optimization Parameter Maps, page 10-12
• Configuring RTSP Parameter Maps, page 10-20
• Configuring SIP Parameter Maps, page 10-21
• Configuring Skinny Parameter Maps, page 10-23
• Configuring DNS Parameter Maps, page 10-25
• Supported MIME Types, page 10-26
Information About Parameter Maps
Parameter maps allow you to perform actions on traffic that ingresses an ACE interface based on certain
criteria, such as protocol or connection attributes. After you configure a parameter map, you associate it
with a policy map to implement configured behavior. Table 10-1 describes the parameter maps that you
can configure using ANM and the ACE devices that support them.
Table 10-1 Parameter Map Types and ACE Support
Parameter Map | Description | ACE Module | ACE Appliance
Connection | Connection parameter maps combine all IP and TCP connection-related behaviors pertaining to TCP normalization, termination, and server reuse, and to IP normalization, fragmentation, and reassembly. | X | X
Generic | Generic parameter maps combine related generic protocol actions for server load-balancing connections. | X | X
HTTP | HTTP parameter maps configure ACE behavior for HTTP load-balanced connections. | X | X
Optimization | Optimization parameter maps specify optimization-related commands that pertain to application acceleration and optimization functions performed by the ACE. | | X
RTSP | Real Time Streaming Protocol (RTSP) parameter maps configure advanced RTSP behavior for server load-balancing connections. | X | X
SIP | Session Initiation Protocol (SIP) parameter maps configure SIP deep packet inspection on the ACE. | X | X
Skinny | Skinny Client Control Protocol (SCCP) parameter maps configure SCCP packet inspection on the ACE. | X | X
DNS | Domain Name System (DNS) parameter maps configure DNS actions for DNS packet inspection. | X | X
Related Topics
• Configuring Connection Parameter Maps, page 10-3
• Configuring Generic Parameter Maps, page 10-8
• Configuring HTTP Parameter Maps, page 10-9
• Configuring Optimization Parameter Maps, page 10-12
• Configuring RTSP Parameter Maps, page 10-20
• Configuring SIP Parameter Maps, page 10-21
• Configuring Skinny Parameter Maps, page 10-23
• Configuring Traffic Policies, page 14-1
• Configuring Parameter Maps, page 10-1
• Configuring Virtual Contexts, page 6-8
Configuring Connection Parameter Maps
You can configure a connection parameter map for use with a Layer 3/Layer 4 policy map. Connection
parameter maps combine all IP and TCP connection-related behaviors pertaining to the following:
• TCP normalization, termination, and server reuse
• IP normalization, fragmentation, and reassembly
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Connection Parameter
Maps.
The Connection Parameter Maps table appears.
Step 2 In the Connection Parameter Maps table, click Add to add a new parameter map, or choose an existing
parameter map and click Edit to modify it.
The Connection Parameter Maps configuration window appears.
Step 3 In the Connection Parameter Maps configuration window, configure the parameter map using the
information in Table 10-2.
Click More Settings to access the additional Connection Parameter Map configuration attributes. By
default, ANM hides the default Connection Parameter Map configuration attributes and the attributes
that are not commonly used.
Table 10-2 Connection Parameter Map Attributes
Field Description
Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a
maximum of 64 alphanumeric characters.
Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either
device type. If you attempt to use the Description feature with an ACE that is running an earlier
software version, ANM displays an invalid command detected error message and does not deploy the
parameter map.
Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric
characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be
entered as matching pairs.
Inactivity Timeout (Seconds) Number of seconds that the ACE is to wait before disconnecting idle connections. Valid entries are
from 0 to 3217203. A value of 0 indicates that the ACE is never to time out a TCP connection.
More Settings
Exceeds MSS Action that the ACE takes to handle segments that exceed the maximum segment size (MSS):
• Allow—The ACE is to permit segments that exceed the configured MSS.
• Drop—The ACE is to discard segments that exceed the configured MSS.
Max. Connection Limit Maximum number of concurrent connections to allow for the parameter map. Valid entries are from
0 to 4000000.
Nagle Check box that enables the Nagle algorithm, which instructs a sender to buffer any data to be sent
until all outstanding data has been acknowledged or until there is a full segment of data to send.
Enabling the Nagle algorithm increases throughput, but it can increase latency in your TCP
connection.
Uncheck the check box to disable the Nagle algorithm.
Note Disable the Nagle algorithm when you observe unacceptable delays in TCP connections.
Random Sequence Number Check box that enables the use of random TCP sequence numbers, which adds a measure of security
to TCP connections by making it more difficult for a hacker to guess or predict the next sequence
number in a TCP connection.
Uncheck the check box to disable the use of random TCP sequence numbers.
This option is enabled by default.
Bandwidth Rate Limit Option that appears for ACE modules only. Enter the bandwidth-rate limit in bytes per second for the
parameter map. Valid entries are from 0 to 300000000 bytes.
Connection Rate Limit Connection-rate limit in connections per second. Valid entries are from 0 to 350000.
Reserved Bits Action that the ACE takes to handle segments with the reserved bits set in the TCP header:
• Allow—Segments with the reserved bits are to be permitted.
• Drop—Segments with the reserved bits are to be discarded.
• Clear—Reserved bits in TCP headers are to be cleared and segments are to be allowed.
Type-of-Service IP Header Type of service for an IP packet that determines how the network handles the packet and balances its
precedence, throughput, delay, reliability, and cost.
Enter the type-of-service value to be applied to IP packets. Valid entries are from 0 to 255.
For more information about type of service, refer to RFCs 791, 1122, 1349, and 3168.
ACK Delay Time (Milliseconds) Number of milliseconds that the ACE is to wait before sending an acknowledgement from a client to
a server. Valid entries are from 0 to 400.
TCP Buffer Share (Bytes) Option that appears for ACE modules only. To improve throughput and overall performance, the
ACE buffers the number of bytes you specify before processing received data or transmitting data.
Use this option to increase the default buffer size and thereby realize improved network performance.
Enter the maximum size of the TCP buffer in bytes. Valid entries are from 8192 to 262143 bytes.
Default is 32768.
Note If you enter a value in this field for an ACE device that does not support this option, an error
message appears. Leave this field blank when creating or modifying a connection parameter
map for devices that do not support this option.
Smallest TCP MSS (Bytes) Size of the smallest segment of TCP data that the ACE is to accept. Valid entries are from 0 to 65535
bytes. The value 0 indicates that the ACE is not to set a minimum limit.
Largest TCP MSS (Bytes) Size of the largest segment of TCP data that the ACE is to accept. Valid entries are from 0 to 65535
bytes. The value 0 indicates that the ACE is not to set a maximum limit.
SYN Retries Number of attempts that the ACE is to make to transmit a TCP segment when initiating a Layer 7
connection. Valid entries are from 1 to 15. The default is 4.
TCP WAN Optimization RTT Option that specifies how the ACE is to apply TCP optimizations to packets on a connection
associated with a Layer 7 policy map using a round-trip time (RTT) value.
The choices are as follows:
• An entry of 0 (zero) indicates that the ACE is to apply TCP optimizations to packets for the life
of a connection.
• An entry of 65535 (the default) indicates that the ACE is to perform normal operations (that is,
without optimizations) for the life of a connection.
• Entries from 1 to 65534 indicate that the ACE is to use the following guidelines:
  • If the actual client RTT is less than the configured RTT, the ACE performs normal operations
  for the life of the connection.
  • If the actual client RTT is greater than or equal to the configured RTT, the ACE performs
  TCP optimizations on the packets for the life of a connection.
Valid entries are from 0 to 65535.
Timeout For Embryonic Connections (Seconds) Number of seconds that the ACE is to wait before timing out an embryonic connection, which is a
TCP three-way handshake for a connection that does not complete for some reason.
Valid entries are from 0 to 4294967295. The default is 5. A value of 0 indicates that the ACE is never
to time out an embryonic connection.
Half Closed Timeout (Seconds) Number of seconds the ACE is to wait before closing a half-closed connection, which is one in which
the client or server sends a FIN and the server or client acknowledges the FIN without sending a FIN
itself.
Valid entries are from 0 to 4294967295. The default is 3600 (1 hour). A value of 0 indicates that the
ACE is never to time out a half-closed connection.
Slow Start Algorithm Check box that enables the slow start algorithm. When enabled, the slow start algorithm increases
TCP window size as ACK handshakes arrive so that new segments are injected into the network at
the rate at which acknowledgements are returned by the host at the other end of the connection.
Uncheck the check box to disable the slow start algorithm. This option is disabled by default.
SYN Segments With Data Action that the ACE takes to handle TCP SYN segments that contain data:
• Allow—The ACE is to permit SYN segments that contain data and mark them for processing.
• Drop—The ACE is to discard SYN segments that contain data.
Urgent Pointer Policy
Action that the ACE takes to handle urgent data as identified by the Urgent data control bit. The Urgent
control bit in the TCP header indicates that the urgent data in the segment is to be processed as
soon as possible, even before normal data.
The choices are as follows:
• Allow—The ACE is to leave the Urgent control bit as received.
• Clear—The ACE is to set the Urgent control bit to 0 (zero) and thereby invalidate the Urgent
Pointer, which locates the urgent data in the segment.
TCP Window Scale Factor
TCP window scale factor. The TCP window scaling extension expands the definition of the TCP
window to 32 bits and uses a scale factor to carry the 32-bit value in the 16-bit window field of the TCP
header. Increasing the window size improves TCP performance in network paths with large
bandwidth and long delay.
Valid entries are from 0 to 14 (the maximum scale factor).
For more information on TCP window scaling, refer to RFC 1323.
Action For TCP Options Range
Action that the ACE takes to handle the following TCP options:
• Selective ACK
• Timestamps
• Action For TCP Window Scale Factor
The choices are as follows:
• N/A—This option is not set.
• Allow—The ACE is to allow any segment with the specified option set.
• Drop—The ACE is to discard any segment with the specified option set.
Lower TCP Options
Option that appears if you chose Allow or Drop for the Action For TCP Options Range.
Enter the lower limit of the TCP option range. Valid entries are 6, 7, or a value from 9 to 255. See
Table 10-3 for information on TCP options.
Upper TCP Options
Option that appears if you chose Allow or Drop for the Action For TCP Options Range.
Enter the upper limit of the TCP option range. Valid entries are 6, 7, or a value from 9 to 255. See
Table 10-3 for information on TCP options.
Selective ACK
Action that the ACE takes to handle the selective ACK option that is specified in SYN segments:
• Allow—The ACE allows any segment with the specified option set.
• Clear—The ACE clears the specified option from any segment that has it set and allows the
segment.
Timestamps
Action that the ACE takes to handle the time stamp option that is specified in SYN segments:
• Allow—The ACE allows any segment with the specified option set.
• Clear—The ACE clears the specified option from any segment that has it set and allows the
segment.
Action For TCP Window Scale Factor
Action that the ACE takes to handle the TCP window scale factor option that is specified in SYN
segments:
• Allow—The ACE allows any segment with the specified option set.
• Clear—The ACE clears the specified option from any segment that has it set and allows the
segment.
• Drop—The ACE discards any segment with the specified option set.
Table 10-3 lists the TCP options for connection parameter maps.
Table 10-3 TCP Options for Connection Parameter Maps (1)
Type  Length  Meaning
6     6       Echo (obsoleted by option 8)
7     6       Echo Reply (obsoleted by option 8)
9     2       Partial Order Connection Permitted
10    3       Partial Order Service Profile
11            CC
12            CC.NEW
13            CC.ECHO
14    3       TCP Alternate Checksum Request
15    N       TCP Alternate Checksum Data
16            Skeeter
17            Bubba
18    3       Trailer Checksum Option
19    18      MD5 Signature Option
20            SCPS Capabilities
21            Selective Negative Acknowledgements (SNACK)
22            Record Boundaries
23            Corruption Experienced
24            SNAP
25            Unassigned (released 12/18/2000)
26            TCP Compression Filter
1. For more information about TCP options, see the Cisco 4700 Series Application Control Engine Appliance Security
Configuration Guide.
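How the SYN Segments With Data, Urgent Pointer Policy, per-option and options-range settings of Tables 10-2 and 10-3 act on a single TCP segment, as an added example that is not Cisco's code; the class and function names, the sample policy and the constructed segments are assumptions, and the option kind numbers are the standard TCP option registry values.

```python
# Added example, not Cisco code: a model of how a connection parameter map
# (Table 10-2) normalizes one TCP segment, covering SYN Segments With Data,
# Urgent Pointer Policy, Selective ACK, Timestamps, Action For TCP Window Scale
# Factor and Action For TCP Options Range.  Names below are this example's own.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYN, URG = 0x02, 0x20                                  # TCP flag bits
SACK_PERMITTED, TIMESTAMPS, WINDOW_SCALE = 4, 8, 3     # standard option kinds

@dataclass
class ConnParamMap:
    """Subset of the Table 10-2 fields; values are the page's Allow/Drop/Clear."""
    syn_segments_with_data: str = "drop"    # Allow / Drop
    urgent_pointer_policy: str = "clear"    # Allow / Clear
    selective_ack: str = "allow"            # Allow / Clear (SYN segments only)
    timestamps: str = "allow"               # Allow / Clear (SYN segments only)
    window_scale_action: str = "allow"      # Allow / Clear / Drop (SYN only)
    # Action For TCP Options Range with its Lower/Upper limits: (lower, upper, action)
    tcp_options_range: Optional[Tuple[int, int, str]] = None

    def action_for(self, kind: int, is_syn: bool) -> str:
        """Policy for one option kind; unlisted kinds pass unchanged."""
        named = {SACK_PERMITTED: self.selective_ack, TIMESTAMPS: self.timestamps,
                 WINDOW_SCALE: self.window_scale_action}
        if kind in named:
            return named[kind] if is_syn else "allow"
        if self.tcp_options_range and (kind in (6, 7) or 9 <= kind <= 255):
            lower, upper, action = self.tcp_options_range
            if lower <= kind <= upper:
                return action
        return "allow"

def parse_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk the options area as (kind, length, data) records; NOP/EOL are padding."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                  # End of Option List
            break
        if kind == 1:                                  # No-Operation
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        opts.append((kind, bytes(raw[i + 2:i + raw[i + 1]])))
        i += raw[i + 1]
    return opts

def encode_options(opts: List[Tuple[int, bytes]]) -> bytes:
    """Re-encode options and pad with EOL bytes to a 32-bit boundary."""
    out = b"".join(bytes([kind, len(data) + 2]) + data for kind, data in opts)
    return out + b"\x00" * (-len(out) % 4)

def normalize(pmap: ConnParamMap, segment: bytes):
    """Apply the map to one segment (header + options + payload); returns
    ("drop", None) or ("allow", new_segment).  Checksum is zeroed, not recomputed."""
    if len(segment) < 20:
        return ("drop", None)
    sport, dport, seq, ack, off_flags, win, _, urgp = struct.unpack(
        "!HHIIHHHH", segment[:20])
    hlen, flags = (off_flags >> 12) * 4, off_flags & 0x01FF
    if hlen < 20 or hlen > len(segment):
        return ("drop", None)
    is_syn, payload = bool(flags & SYN), segment[hlen:]
    if is_syn and payload and pmap.syn_segments_with_data == "drop":
        return ("drop", None)                          # SYN Segments With Data
    if flags & URG and pmap.urgent_pointer_policy == "clear":
        flags &= ~URG                                  # Urgent Pointer Policy: Clear
        urgp = 0
    kept = []
    for kind, data in parse_options(segment[20:hlen]):
        action = pmap.action_for(kind, is_syn)
        if action == "drop":                           # whole segment is discarded
            return ("drop", None)
        if action != "clear":                          # Clear strips just that option
            kept.append((kind, data))
    opt_bytes = encode_options(kept)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (((20 + len(opt_bytes)) // 4) << 12) | flags, win, 0, urgp)
    return ("allow", header + opt_bytes + payload)

def build_segment(flags: int, opts, payload: bytes = b"", urgp: int = 0) -> bytes:
    """Constructed input for the demo: a client segment to port 443."""
    opt_bytes = encode_options(opts)
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0,
                         (((20 + len(opt_bytes)) // 4) << 12) | flags, 65535, 0, urgp)
    return header + opt_bytes + payload

# Constructed client SYN: MSS 1460, SACK permitted, timestamps, window scale 7
SYN_OPTS = [(2, b"\x05\xb4"), (SACK_PERMITTED, b""), (TIMESTAMPS, b"\x00" * 8),
            (WINDOW_SCALE, b"\x07")]
# Policy: clear timestamps; drop any segment carrying an option of kind 9 to 255
POLICY = ConnParamMap(timestamps="clear", tcp_options_range=(9, 255, "drop"))

if __name__ == "__main__":
    verdict, out = normalize(POLICY, build_segment(SYN, SYN_OPTS))
    print(verdict, [k for k, _ in parse_options(out[20:(out[12] >> 4) * 4])])
```

With the sample policy the constructed SYN is forwarded with its timestamps option stripped, a SYN that also carries payload or an MD5 Signature option (kind 19) is discarded, and the URG bit and pointer of a data segment are zeroed.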
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without accepting your entries and to return to the Parameter
Map table.
• Click Next to accept your entries and to add another parameter map.
Related Topics
• Configuring Parameter Maps, page 10-1
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Contexts, page 6-8
Configuring Generic Parameter Maps
You configure a generic parameter map, which allows you to specify nonprotocol-specific behavior for
data parsing. Generic parameter maps examine the payload and make decisions regardless of the
protocol.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Generic Parameter
Maps.
The Generic Parameter Maps table appears.
Step 2 In the Generic Parameter Maps table, click Add to add a new parameter map, or choose an existing
parameter map and click Edit to modify it.
The Parameter Maps configuration window appears.
Step 3 In the Parameter Maps configuration window, configure the parameter map using the information in
Table 10-4.
Table 10-4 Generic Parameter Map Attributes
Parameter Name
Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and
a maximum of 64 alphanumeric characters.
Description
Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of
either device type. If you attempt to use the Description feature with an ACE that is running
an earlier software version, ANM displays an invalid command detected error message and
does not deploy the parameter map.
Brief description of the parameter map. Enter a text string with a maximum of 240
alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double
quotes must be entered as matching pairs.
Case-Insensitive
Check box that instructs the ACE to be case insensitive for the parameter map. Uncheck this
check box to instruct the ACE to be case sensitive for this parameter map.
Max. Parse Length (Bytes)
Number of bytes to parse for the total length of all generic headers. Valid entries are from 1 to
65535. The default is 2048 bytes.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Generic
Parameter Maps table.
• Click Next to deploy your entries and to configure another generic parameter map.
Related Topics
• Configuring Parameter Maps, page 10-1
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Contexts, page 6-8
Configuring HTTP Parameter Maps
You can configure an HTTP parameter map for use with a Layer 3/Layer 4 policy map. HTTP parameter
maps allow you to configure ACE behavior for HTTP load-balanced connections.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > HTTP Parameter Maps.
The HTTP Parameter Maps table appears.
Step 2 In the HTTP Parameter Maps table, click Add to add a new parameter map, or choose an existing
parameter map and click Edit to modify it.
The HTTP Parameter Maps configuration window appears.
Step 3 In the HTTP Parameter Maps configuration window, configure the parameter map using the information
in Table 10-5.
Table 10-5 HTTP Parameter Map Attributes
Parameter Name
Unique name for the parameter map. Valid entries are unquoted text strings with no spaces
and a maximum of 64 alphanumeric characters.
Description
Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of
either device type. If you attempt to use the Description feature with an ACE that is
running an earlier software version, ANM displays an invalid command detected error
message and does not deploy the parameter map.
Brief description of the parameter map. Enter a text string with a maximum of 240
alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed.
Double quotes must be entered as matching pairs.
Case-Insensitive
Check box that instructs the ACE to be case insensitive. Uncheck this check box to
indicate that the ACE is to be case sensitive. This check box is cleared by default.
Header Modify Per-Request
Check box to require that SSL information is inserted for every HTTP GET request.
By default, the information is inserted only at the first GET request.
Exceed Max. Parse Length
Action that the ACE takes to handle cookies, HTTP headers, and URLs that exceed the
maximum parse length. The choices are as follows:
• Continue—The ACE is to continue load balancing. When this option is selected, the
HTTP Persistence Rebalance option is disabled if the total length of all cookies,
HTTP headers, and URLs exceeds the maximum parse value.
• Drop—The ACE is to stop load balancing and to discard the packet.
HTTP Persistence Rebalance
Check box that instructs the ACE to do the following:
• Separately load balance each subsequent HTTP request on the same TCP connection.
• Insert the header and cookie for every request instead of only the first request.
Uncheck this check box to indicate that this option is disabled.
This option is enabled by default.
TCP Server Connection Reuse
Check box that instructs the ACE to reduce the number of open connections on a server
by allowing connections to persist and be reused by multiple client connections. If you
enable this feature, perform the following tasks:
• Ensure that the ACE maximum segment size (MSS) is the same as the server
maximum segment size.
• Configure port address translation (PAT) on the interface that is connected to the real
server.
• Configure on the ACE the same TCP options that exist on the TCP server.
• Ensure that each server farm is homogeneous (all real servers within a server farm
have identical configurations).
Uncheck this check box to disable this option.
Content Max. Parse Length (Bytes)
Maximum number of bytes to parse in HTTP content. Valid entries are from 1 to 65535.
The default is 4096.
Header Max. Parse Length (Bytes)
Maximum number of bytes to parse for the total length of cookies, HTTP headers, and
URLs. Valid entries are from 1 to 65535. The default is 4096.
Secondary Cookie Delimiters
ASCII-character delimiters to be used to separate cookies in a URL string. Valid entries
are unquoted text strings with no spaces and a maximum of 4 characters. The default
delimiters are /+.
MIME Type To Compress
Option that appears only for ACE appliances (all versions) and ACE modules version
A4(1.0) and later. In the field on the left, enter the Multipurpose Internet Mail Extension
(MIME) type to compress, and click Add. The MIME type appears in the column on the
right. To remove or change a MIME type, choose it in the column on the right, and click
Remove. The selected MIME type appears in the field on the left where you can modify
or delete it.
To specify the sequence in which compression is to be applied, choose MIME types in the
column on the right, and click Up or Down to arrange the MIME types.
The “Supported MIME Types” section on page 10-26 lists the supported MIME types.
You can use an asterisk (*) to indicate a wildcard, such as text/*, which would include all
text MIME types (text/html, text/plain, and so on).
User Agent Not To Compress
Option that appears only for ACE appliances (all versions) and ACE modules version
A4(1.0) and later. A user agent is a client that initiates a request. Examples of user agents
include browsers, editors, and other end-user tools. When you specify a user agent string
in this field, the ACE does not compress the response to a request when the request
contains the matching user agent string.
In the field on the left, enter the user agent string to be matched, and click Add. The string
appears in the column on the right. To remove or change a user agent string, choose it in
the column on the right, and click Remove. The selected string appears in the field on the
left where you can modify or delete it.
To specify the sequence in which strings are to be matched, choose strings in the column
on the right, and click Up or Down to arrange the strings in the desired sequence.
Valid entries are a maximum of 64 characters.
Min. Size To Compress (Bytes)
Option that appears only for ACE appliances (all versions) and ACE modules version
A4(1.0) and later. Enter the threshold at which compression is to occur. The ACE
compresses files that are the minimum size or larger. Valid entries are from 1 to 4096
bytes.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without accepting your entries and to return to the Parameter
Map table.
• Click Next to accept your entries and to add another parameter map.
Related Topics
• Configuring Parameter Maps, page 10-1
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Contexts, page 6-8
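The interaction of the Table 10-5 parse-length settings (Header Max. Parse Length, Exceed Max. Parse Length and HTTP Persistence Rebalance) and of the compression settings (MIME Type To Compress with its text/* wildcard, User Agent Not To Compress, Min. Size To Compress), modelled as an added example that is not Cisco's or ANM's code; the class, method names and sample values are assumptions.

```python
# Added example, not Cisco code: a model of how three Table 10-5 settings act
# on one request/response: Header Max. Parse Length with Exceed Max. Parse
# Length (and its effect on HTTP Persistence Rebalance), and the compression
# decision from MIME Type To Compress, User Agent Not To Compress and Min. Size
# To Compress.  Class and method names are this example's own.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

@dataclass
class HttpParamMap:
    case_insensitive: bool = False                 # Case-Insensitive check box
    header_max_parse_length: int = 4096            # Header Max. Parse Length (Bytes)
    exceed_max_parse_length: str = "drop"          # Continue / Drop
    persistence_rebalance: bool = True             # HTTP Persistence Rebalance
    mime_types_to_compress: List[str] = field(default_factory=list)   # may use text/*
    user_agents_not_to_compress: List[str] = field(default_factory=list)
    min_size_to_compress: int = 1                  # Min. Size To Compress (Bytes)

    def _norm(self, s: str) -> str:
        return s.lower() if self.case_insensitive else s

    def check_parse_length(self, request_line: str,
                           headers: Dict[str, str]) -> Tuple[str, bool]:
        """Return (load-balancing action, whether persistence rebalance stays on).
        The parsed length counts the request line plus each 'Name: value\\r\\n'."""
        total = len(request_line) + sum(len(k) + len(v) + 4 for k, v in headers.items())
        if total <= self.header_max_parse_length:
            return ("continue", self.persistence_rebalance)
        if self.exceed_max_parse_length == "drop":
            return ("drop", False)
        # Continue: keep load balancing, but rebalance is disabled for this connection
        return ("continue", False)

    def should_compress(self, content_type: str, content_length: int,
                        user_agent: str) -> bool:
        """Compression decision for one response to the given request."""
        if content_length < self.min_size_to_compress:
            return False
        ua = self._norm(user_agent)
        # User Agent Not To Compress: any configured string found in the User-Agent
        if any(self._norm(s) in ua for s in self.user_agents_not_to_compress):
            return False
        # MIME Type To Compress: strip parameters (charset=...), then match in
        # configured order; '*' in a pattern is the page's wildcard (text/*)
        mime = self._norm(content_type.split(";")[0].strip())
        return any(fnmatchcase(mime, self._norm(p)) for p in self.mime_types_to_compress)

# Constructed map: compress text and JSON of 512 bytes or more, never for MSIE 6
DEMO_MAP = HttpParamMap(case_insensitive=True, header_max_parse_length=64,
                        exceed_max_parse_length="continue",
                        mime_types_to_compress=["text/*", "application/json"],
                        user_agents_not_to_compress=["MSIE 6"],
                        min_size_to_compress=512)

if __name__ == "__main__":
    print(DEMO_MAP.should_compress("text/html; charset=utf-8", 2048, "Mozilla/5.0"))
    print(DEMO_MAP.check_parse_length("GET / HTTP/1.1", {"Cookie": "x" * 100}))
```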
Configuring Optimization Parameter Maps
Note Optimization parameter maps are available for ACE appliances only.
You can configure an optimization parameter map for use with a Layer 3/Layer 4 policy map.
Optimization parameter maps specify optimization-related commands that pertain to application
acceleration and optimization functions performed by the ACE.
See the “Configuring Application Acceleration and Optimization” section on page 15-1 or the Cisco
4700 Series Application Control Engine Appliance Application Acceleration and Optimization
Configuration Guide for more information about application acceleration and optimization.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Optimization Parameter
Maps.
The Optimization Parameter Maps table appears.
Step 2 In the Optimization Parameter Maps table, click Add to add a new parameter map, or choose an existing
parameter map and click Edit to modify it.
The Optimization Parameter Maps configuration window appears.
Step 3 In the Optimization Parameter Maps configuration window, configure the parameter map using the
information in Table 10-6.
Table 10-6 Optimization Parameter Map Attributes
Parameter Name
Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a
maximum of 64 alphanumeric characters.
Description
Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either
device type. If you attempt to use the Description feature with an ACE that is running an earlier
software version, ANM displays an invalid command detected error message and does not deploy
the parameter map.
Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric
characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be
entered as matching pairs.
Set Browser Freshness Period
Method that the ACE uses to determine the freshness of objects in the client’s browser:
• N/A—This option is not configured.
• Disable Browser Object Freshness Control—Browser freshness control is not used.
• Set Freshness Similar To Flash Forward Objects—The ACE sets freshness similar to that
used for FlashForwarded objects and uses the values specified in the Maximum Time for
Cache Time-To-Live and Minimum Time for Cache Time-To-Live fields.
Duration For Browser Freshness (Seconds)
Field that appears if the Set Browser Freshness Period option is not configured.
Enter the number of seconds that objects in the client’s browser are considered fresh. Valid entries
are 0 to 2147483647 seconds.
Response Codes To Ignore (Comma Separated)
Comma-separated list of HTTP response codes for which the response body must not be read. For
example, an entry of 302 indicates that the ACE is to ignore the response body of a 302 (redirect)
response from the origin server. Valid entries are unquoted text strings with a maximum of 64
alphanumeric characters; each code must be from 100 to 599, inclusive.
Appscope Optimize Rate (%)
Percentage of all requests or sessions to be sampled for performance with acceleration (or
optimization) applied. All applicable optimizations for the class will be performed. Valid entries
are from 0 to 100 percent. The default is 10 percent. The sum of this value and the value entered
in the Appscope Passthrough Rate field must not exceed 100.
Appscope Passthrough Rate (%)
Percentage of all requests or sessions to be sampled for performance without optimization. No
optimizations for the class will be performed. Valid entries are from 0 to 100. The default is 10
percent. The sum of this value and the value entered in the Appscope Optimize Rate field must not
exceed 100.
Max. Number for Parameter Summary Log (Bytes)
Maximum number of bytes that are to be logged for each parameter value in the parameter
summary of a transaction log entry in the statistics log. If a parameter value exceeds this limit, it
is truncated at the specified limit. Valid entries are from 0 to 10,000 bytes.
Max. For Post Data to Scan for Logging (KBytes)
Maximum number of kilobytes of POST data that the ACE is to scan for parameters for the purpose
of logging transaction parameters in the statistics log.
Valid entries are from 0 to 1000 KB.
String For Grouping Requests
String that the ACE uses to sort requests for AppScope reporting. The string can contain a URL
regular expression that defines a set of URLs in which URLs that differ only by their query
parameters are to be treated as separate URLs in AppScope reports.
For example, to define a string that is used to identify the URLs
http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two separate
reporting categories, you would enter http_query_param(region).
Valid entries are from 1 to 255 characters and can contain the parameter expander functions listed
in Table 10-7.
Base File Anonymous Level
Base file anonymous level. Information that is common to a large set of users is generally not
confidential or user-specific. Conversely, information that is unique to a specific user or a small set
of users is generally confidential or user-specific. The anonymous base file feature enables the
ACE to create and deliver condensed base files that contain only information that is common to a
large set of users. No information unique to a particular user, or across a very small subset of users,
is included in anonymous base files.
Enter the value for base file anonymity for the all-user condensation method. Valid entries are from
0 to 50. The default is 0, which disables the base file anonymity feature.
Cache-Key Modifier Expression
Cache key modifier expression. A cache object key is a unique identifier that is used to identify a
cached object to be served to a client, replacing a trip to the origin server. The cache key modifier
feature allows you to modify the canonical form of a URL; that is, the portion before “?” in a URL.
For example, the canonical URL of http://www.xyz.com/somepage.asp?action=browse&level=2 is
http://www.xyz.com/somepage.asp.
Enter a regular expression containing embedded variables as described in Table 10-7. The ACE
transforms URLs specified in class maps for this virtual server with the expression and variable
entered here.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters. If the string includes spaces, enclose the string with quotation marks (“).
Min. Time For Cache Time-To-Live (Seconds)
Minimum number of seconds that an object without an explicit expiration time should be
considered fresh in the ACE cache. This value specifies the minimum time that content can be
cached. If the ACE is configured for FlashForward optimization, this value should normally be 0.
If the ACE is configured for dynamic caching, this value should indicate how long the ACE should
cache the page. (See Table 7-17 for information about these configuration options.)
Valid entries are from 0 to 2147483647 seconds.
Max. Time For Cache Time-To-Live (Seconds)
Maximum number of seconds that an object without an explicit expiration time should be
considered fresh in the ACE cache. Valid entries are from 0 to 2147483647 seconds.
Cache Time-To-Live Duration (%)
Percentage of an object’s age at which an embedded object without an explicit expiration time is
considered fresh.
Valid entries are from 0 to 100 percent.
Expression To Modify Cache Key Query Parameter
Regular expression that contains embedded variables as described in Table 10-7. The ACE
transforms URLs specified in class maps for this virtual server with the expression and variable
entered here.
The cache parameter feature allows you to modify the query parameter of a URL; that is, the
portion after “?” in a URL. For example, the query parameter portion of
http://www.xyz.com/somepage.asp?action=browse&level=2 is action=browse&level=2.
If no string is specified, the query parameter portion of the URL is used as the default value for
this portion of the cache key.
Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric
characters.
Canonical URL Expressions (Comma Separated)
Comma-separated list of parameter expander functions as defined in Table 10-7 to identify the
URLs to associate with this parameter map. The ACE uses the canonical URL feature to eliminate
the “?” and any characters that follow to identify the general part of the URL. This general URL is
then used to create the base file. In this way, the ACE maps multiple URLs to a single canonical
URL.
Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters.
Enable Cacheable Content Optimization
Check box that enables delta optimization of content that can be cached. This feature allows the
ACE to detect content that can be cached and perform delta optimization on it.
Uncheck the check box to disable this feature.
Enable Delta Optimization On First Visit To Web Page
Check box that enables condensation on the first visit to a web page. Uncheck the check box to
disable this feature.
Min. Page Size For Delta Optimization (Bytes)
Minimum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes.
Max. Page Size For Delta Optimization (Bytes)
Maximum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes.
Set Default Client Script
Scripting language that the ACE recognizes on condensed content pages:
• N/A—This option is not configured.
• Javascript—The default scripting language is JavaScript.
• Visual Basic Script—The default scripting language is Visual Basic.
Exclude Iframes From Delta Optimization
Check box that specifies that delta optimization is not to be applied to IFrames (inline frames).
Uncheck the check box to indicate that delta optimization is to be applied to IFrames.
Exclude Non-ASCII Data From Delta Optimization
Check box that specifies that delta optimization is not to be applied to non-ASCII data. Uncheck
the check box to indicate that delta optimization is to be applied to non-ASCII data.
Exclude JavaScripts From Delta Optimization
Check box that specifies that delta optimization is not to be applied to JavaScript. Uncheck the check
box to indicate that delta optimization is to be applied to JavaScript.
MIME Types To Exclude From Delta Optimization
MIME types to exclude from delta optimization.
Do the following:
1. In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail
Extension) types that are not to have delta optimization applied, such as image/jpeg,
text/html, application/msword, or audio/mpeg. See the “Supported MIME Types” section on
page 10-26 for a list of supported MIME types.
2. Click Add to add the entry to the list box on the right. You can position the entries in the list
box by using the Up and Down buttons.
Remove HTML META Elements From Documents
Check box that specifies that HTML META elements are to be removed from documents to prevent
them from being condensed. Uncheck the check box to indicate that HTML META elements are
not to be removed from documents.
Set Flash Forward Refresh Policy
Method the ACE is to use to refresh stale embedded objects:
• N/A—This option is not configured.
• Allow Flash Forward To Indirect Refresh Of Objects—The ACE uses FlashForward to
indirectly refresh embedded objects.
• Bypass Flash Forward To Direct Refresh Of Objects—The ACE bypasses FlashForward for
stale embedded objects so that they are refreshed directly.
Rebase Delta Optimization Threshold (%)
Delta threshold, expressed as a percent, at which rebasing is to be triggered. This entry represents the
size of a page delta relative to total page size, expressed as a percent. This entry triggers rebasing
when the delta response size exceeds the threshold as a percentage of base file size.
Valid entries are from 0 to 10000 percent.
Rebase Flash Forward Threshold (%)
Threshold, expressed as a percent, at which rebasing is to be triggered based on the percent of
FlashForwarded URLs in the response. This entry triggers rebasing when the difference between
the percentages of FlashForwarded URLs in the delta response and the base file exceeds the
threshold.
Valid entries are from 0 to 10000 percent.
Rebase History Size (Pages)
Number of pages to be stored before the ACE resets all rebase control parameters to zero and starts
over. This option prevents the base file from becoming too rigid.
Valid entries are from 10 to 2147483647.
Rebase Modify Cool-Off Period (Seconds)
Number of seconds after the last modification before performing a rebase.
Valid entries are from 1 to 14400 seconds (4 hours).
Rebase Reset Period (Seconds)
Period of time, in seconds, for performing a metadata refresh.
Valid entries are from 1 to 900 seconds (15 minutes).
Override Client Request Headers
Action that the ACE takes to handle client request headers (primarily for embedded objects):
• N/A—This feature is not enabled.
• All Cache Request Headers Are Ignored—The ACE ignores all cache request headers.
• Overrides The Cache Control: No Cache HTTP Header From A Request—The ACE
ignores cache control request headers that state no cache.
Override Server Response Headers
Action that the ACE takes to handle origin server response headers (primarily for embedded
objects):
• N/A—This feature is not enabled.
• All Cache Request Headers Are Ignored—The ACE ignores all response headers.
• Overrides The Cache Control: Private HTTP Header From A Response—The ACE
ignores cache control response headers that state private.
UTF-8 Character Set Threshold
UTF-8 (8-bit Unicode Transformation Format) character set, which is an international standard
that allows Web pages to display non-ASCII or non-English multibyte characters. It can represent
any universal character in the Unicode standard and is backwards compatible with ASCII.
Enter the number of UTF-8 characters that need to appear on a page to constitute a UTF-8 character
set page. Valid entries are from 1 to 1,000,000.
Server Load Threshold Trigger (%)
Server load threshold trigger that indicates that the time-to-live (TTL) period for cached objects is
to be based dynamically on server load. With this method, TTL periods increase if the current
response time from the origin server is greater than the average response time and decrease if the
current response time from the origin server is less than the average response time when the
difference in response times exceeds a specified threshold amount.
Enter the threshold, expressed as a percent, at which the TTL for cached objects is to be changed.
Valid entries are from 0 to 100 percent.
Table 10-7 lists the parameter expander functions that you can use.
Server Load
Time-To-Live Change
(%)
Option that specifies the percentage by which the cache TTL is increased or decreased in response
to a change in server load. For example, if this value is set to 20 and the current TTL for a response
is 300 seconds. and if the current server response times exceeds the trigger threshold, the cache
TTL for the response is raised to 360 seconds.
Enter the percent by which the cache TTL is to be increased or decreased when the server load
threshold trigger is met.
Valid entries are from 0 to 100 percent.
Delta Optimization
Mode
Method by which delta optimization is to be implemented.
The choices are as follows:
• N/A—This option is not configured.
• Enable The All-User Mode For Delta Optimization—The ACE is to generate the delta
against a single base file that is shared by all users of the URL. This option is usable in most
cases if the structure of a page is common across all users, and the disk space overhead is
minimal.
• Enable The Per-User Mode For Delta Optimization—The ACE is to generate the delta
against a base file that is created specifically for that user. This option is useful when page
contents, including layout elements, are different for each user, and delivers the highest level
of condensation. However, this increases disk space requirements because a copy of the base
page that is delivered to each user is cached. This option is useful when privacy is required
because base pages are not shared among users.
String To Be Used For
Server HTTP Header
Option that defines a string that is to be sent in the server header for an HTTP response. This option
provides you with a method for uniquely tagging the context or URL match statement by setting
the server header value to a particular string. The server header string can be used when a particular
URL is not being transmitted to the correct target context or match statement.
Enter the string that is to appear in the server header. Valid entries are quoted text strings with a
maximum of 64 alphanumeric characters.
Table 10-6 Optimization Parameter Map Attributes (continued)
Field Description
10-18
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 10 Configuring Parameter Maps
Configuring Optimization Parameter Maps
Table 10-7 Parameter Expander Functions
Variable Description
$(number) Expands to the corresponding matching subexpression (by number)
in the URL pattern. Subexpressions are marked in a URL pattern
using parentheses (). The numbering of the subexpressions begins
with 1 and is the number of the left-parenthesis “(“ counting from
the left. You can specify any positive integer for the number. $(0)
matches the entire URL. For example, if the URL pattern is
((http://server/.*)/(.*)/)a.jsp, and the URL that matches it is
http://server/main/sub/a.jsp?category=shoes&session=99999, then
the following are correct:
$(0) = http://server/main/sub/a.jsp
$(1) = http://server/main/sub/
$(2) = http://server/main
$(3) = sub
If the specified subexpression does not exist in the URL pattern, then
the variable expands to the empty string.
$http_query_string() Expands to the value of the whole query string in the URL. For
example, if the URL is
http://myhost/dothis?param1=value1&param2=value2, then the
following is correct:
$http_query_string() = param1=value1&param2=value2
This function applies to both GET and POST requests.
$http_query_param(query-param-name)
The obsolete syntax is also supported:
$param(query-param-name)
Expands to the value of the named query parameter (case sensitive).
For example, if the URL is
http://server/main/sub/a.jsp?category=shoes&session=99999, then
the following are correct:
$http_query_param(category) = shoes
$http_query_param(session) = 99999
If the specified parameter does not exist in the query, then the
variable expands to the empty string. This function applies to both
GET and POST requests.
$http_cookie(cookie-name) Evaluates to the value of the named cookie. For example,
$http_cookie(cookiexyz). The cookie name is case sensitive.
$http_header(request-header-name) Evaluates to the value of the specified HTTP request header. In the
case of multivalued headers, it is the single representation as
specified in the HTTP specification. For example,
$http_header(user-agent). The HTTP header name is not case
sensitive.
$http_method() Evaluates to the HTTP method used for the request, such as GET or
POST.
Boolean Functions:
$http_query_param_present(query-param-name)
$http_query_param_notpresent(query-param-name)
$http_cookie_present(cookie-name)
$http_cookie_notpresent(cookie-name)
$http_header_present(request-header-name)
$http_header_notpresent(request-header-name)
$http_method_present(method-name)
$http_method_notpresent(method-name)
Evaluates to a Boolean value: True or False, depending on the
presence or absence of the element in the request. The elements are
a specific query parameter (query-param-name), a specific cookie
(cookie-name), a specific request header (request-header-name), or
a specific HTTP method (method-name). All identifiers are case
sensitive except for the HTTP request header name.
$regex_match(param1, param2) Evaluates to a Boolean value: True if the two parameters match and
False if they do not match. The two parameters can be any two
expressions, including regular expressions, that evaluate to two
strings. For example, this function:
$regex_match($http_query_param(URL), .*Store\.asp.*)
compares the query URL with the regular expression string
.*Store\.asp.*
If the URL matches this regular expression, this function evaluates
to True.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The ACE validates the parameter map
configuration and deploys it.
• Click Cancel to exit this procedure without accepting your entries and to return to the Parameter
Map table.
• Click Next to accept your entries and to add another parameter map.
Related Topics
• Configuring Parameter Maps, page 10-1
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Contexts, page 6-8
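The following added example (Python, not ACE or ANM code) re-implements the expansion rules of Table 10-7 so that the value each variable yields for a given request can be checked. It uses the guide's own URL pattern and URL for the $(number) row; the Request class, the header and cookie values are constructed for the example, and Python's re module stands in for the ACE regular expression engine, whose dialect may differ. Treating $regex_match as an anchored full match is an assumption, consistent with the guide's example wrapping its pattern in .* on both sides.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs


@dataclass
class Request:
    """Minimal HTTP request model (constructed for this example)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def query_string(self) -> str:
        return self.url.partition("?")[2]

    def query_params(self) -> Dict[str, str]:
        # Names are case sensitive (Table 10-7). keep_blank_values so "a=" still
        # counts as present; first value wins for a repeated name (assumption).
        return {k: v[0] for k, v in
                parse_qs(self.query_string(), keep_blank_values=True).items()}

    def header(self, name: str) -> Optional[str]:
        # Header names are matched case insensitively (Table 10-7).
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def expand_subexpression(pattern: str, url: str, number: int) -> str:
    """$(number): capture group `number` of the URL pattern, matched against the
    URL with its query string removed; $(0) is the whole match. A group that
    does not exist in the pattern expands to the empty string."""
    m = re.match(pattern, url.partition("?")[0])
    if m is None or number > m.re.groups:
        return ""
    return m.group(number) or ""


def http_query_string(req: Request) -> str:
    return req.query_string()

def http_query_param(req: Request, name: str) -> str:
    return req.query_params().get(name, "")

def http_cookie(req: Request, name: str) -> str:
    return req.cookies.get(name, "")        # cookie names are case sensitive

def http_header(req: Request, name: str) -> str:
    return req.header(name) or ""

def http_method(req: Request) -> str:
    return req.method

# Boolean functions; each *_notpresent variant is simply `not` the *_present one.
def http_query_param_present(req: Request, name: str) -> bool:
    return name in req.query_params()

def http_cookie_present(req: Request, name: str) -> bool:
    return name in req.cookies

def http_header_present(req: Request, name: str) -> bool:
    return req.header(name) is not None

def http_method_present(req: Request, name: str) -> bool:
    return req.method == name               # method names are case sensitive


def regex_match(value: str, regex: str) -> bool:
    """$regex_match(param1, param2) as an anchored full match (assumption).
    `value` is attacker controlled (it comes from the request), so keep `regex`
    free of nested quantifiers that hostile input could drive into heavy backtracking."""
    return re.fullmatch(regex, value) is not None


# The guide's own example pattern and URL from the $(number) row of Table 10-7.
PATTERN = r"((http://server/.*)/(.*)/)a.jsp"
SAMPLE = Request(
    method="GET",
    url="http://server/main/sub/a.jsp?category=shoes&session=99999",
    headers={"User-Agent": "Mozilla/5.0", "Host": "server"},   # constructed
    cookies={"cookiexyz": "abc123"},                             # constructed
)

if __name__ == "__main__":
    for n in range(4):
        print(f"$({n}) = {expand_subexpression(PATTERN, SAMPLE.url, n)!r}")
    print(http_query_param(SAMPLE, "category"), http_header(SAMPLE, "user-agent"))
```

Running the block reproduces the four $(number) values the table lists for its example URL. Note that every non-Boolean expander returns request-controlled text: anything that feeds it into a rewrite, a header or a log line should treat it as untrusted input.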
Configuring RTSP Parameter Maps
You can configure a Real Time Streaming Protocol (RTSP) parameter map, which allows you to
configure advanced RTSP behavior for server load-balancing connections.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > RTSP Parameter Maps.
The RTSP Parameter Maps table appears.
Step 2 In the RTSP Parameter Maps table, click Add to add a new parameter map, or choose an existing
parameter map and click Edit to modify it.
The Parameter Maps configuration window appears.
Step 3 In the Parameter Maps configuration window, configure the parameter map using the information in
Table 10-8.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the RTSP Parameter
Maps table.
• Click Next to deploy your entries and to configure another RTSP parameter map.
Related Topics
• Configuring Parameter Maps, page 10-1
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Contexts, page 6-8
Table 10-8 RTSP Parameter Map Attributes
Field Description
Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and
a maximum of 64 alphanumeric characters.
Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of
either device type. If you attempt to use the Description feature with an ACE that is running
an earlier software version, ANM displays an invalid command detected error message and
does not deploy the parameter map.
Brief description of the parameter map. Enter a text string with a maximum of 240
alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double
quotes must be entered as matching pairs.
Case-Insensitive Check box that instructs the ACE to be case insensitive when it parses RTSP headers. Uncheck the
check box to instruct the ACE to be case sensitive.
Header Max. Parse Length (Bytes)
Number of bytes to parse for the total length of RTSP headers. Valid entries are from 1 to
65535. The default is 2048 bytes.
Configuring SIP Parameter Maps
You can configure Session Initiation Protocol (SIP) parameter maps, which allow you to configure SIP
deep-packet inspection policy maps on the ACE.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > SIP Parameter Maps.
The SIP Parameter Maps table appears.
Step 2 In the SIP Parameter Maps table, click Add to add a new parameter map, or choose an existing parameter
map and click Edit to modify it.
The Parameter Maps configuration window appears.
Step 3 In the Parameter Maps configuration window, configure the parameter map using the information in
Table 10-9.
Table 10-9 SIP Parameter Map Attributes
Field Description
Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces
and a maximum of 64 alphanumeric characters.
Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of
either device type. If you attempt to use the Description feature with an ACE that is running
an earlier software version, ANM displays an invalid command detected error message and
does not deploy the parameter map.
Brief description of the parameter map. Enter a text string with a maximum of 240
alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double
quotes must be entered as matching pairs.
Instant Messaging Check box that enables instant messaging (IM) over SIP after it has been disabled.
Uncheck this check box to disable this feature.
Logging All Check box that appears only for ACE module and ACE appliance software Version A4(1.0)
or later. Check this check box to enable logging of all received and transmitted SIP packets
in the system log (syslog) in addition to the dropped packets, which by default are logged.
The ACE allows all headers sent in the SIP packet, including proprietary headers. In the event
of a failover for SIP sessions over UDP, the ACE continues to process SIP packets for
established SIP sessions.
Uncheck this check box to disable this feature.
Max. Forward Validation Option that allows you to configure the ACE to validate the value of the Max-Forwards header
field.
Specify how the ACE is to handle the validation of Max-Forwards header fields. The choices
are as follows:
• N/A—The ACE does not validate Max-Forwards header fields.
• Drop—The ACE drops the SIP message if it does not pass Max-Forwards header
validation.
• Deny—The ACE resets the SIP connection if it does not pass Max-Forwards header
validation.
Log Max. Forward Validation Event
Check box that instructs the ACE to log Max-Forwards validation events.
Uncheck the check box to disable this feature.
Mask UA Software Version Check box that instructs the ACE to mask the user agent software version. If the software
version of a user agent is exposed, that user agent might be vulnerable to attacks from hackers
who exploit the security holes present in that particular software version. This option allows
you to mask or log the user agent software version so that it is not exposed.
Uncheck the check box to disable this feature.
Log UA Software Version Check box that instructs the ACE to log the user agent software version.
Uncheck the check box to disable this feature.
Strict Header Validation Action that the ACE is to take to handle header validation. You can ensure the validity of SIP
packet headers by configuring the ACE to check for the presence of the following mandatory
SIP header fields:
• From
• To
• Call-ID
• CSeq
• Via
• Max-Forwards
If one of the header fields is missing in a SIP packet, the ACE considers that packet invalid.
The ACE also checks for forbidden header fields, according to RFC 3261.
Specify how the ACE is to handle header validation. The choices are as follows:
• N/A—The ACE does not perform header validation.
• Drop—The ACE drops the SIP message if the SIP packet does not pass header validation.
• Reset—The ACE resets the connection if the SIP packet does not pass header validation.
Log Strict Header Validation Check box that instructs the ACE to log header validation events.
Uncheck the check box to disable this feature.
Mask Non SIP URI Check box that instructs the ACE to mask non-SIP URIs in SIP messages. This option and the
next enable the detection of non-SIP URIs in SIP messages.
Uncheck the check box to disable this feature.
Log Non SIP URI Check box that instructs the ACE to log non-SIP URIs in SIP messages.
Uncheck the check box to disable this feature.
SIP Media Pinhole Timeout (Seconds)
Timeout period for SIP media pinhole (secure port) connections in seconds. Valid entries are
from 1 to 65535 seconds. The default is 5.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the SIP Parameter
Maps table.
• Click Next to deploy your entries and to configure another SIP parameter map.
Related Topics
• Configuring Parameter Maps, page 10-1
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Contexts, page 6-8
Configuring Skinny Parameter Maps
You can configure Skinny Client Control Protocol (SCCP or Skinny) parameter maps, which allow you
to configure SCCP packet inspection on the ACE.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Skinny Parameter
Maps.
The Skinny Parameter Maps table appears.
Step 2 In the Skinny Parameter Maps table, click Add to add a new parameter map, or choose an existing
parameter map and click Edit to modify it.
The Parameter Maps configuration window appears.
Step 3 In the Parameter Maps configuration window, configure the parameter map using the information in
Table 10-10.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Skinny Parameter
Maps table.
• Click Next to deploy your entries and to configure another Skinny parameter map.
Related Topics
• Configuring Parameter Maps, page 10-1
Table 10-10 Skinny Parameter Map Attributes
Field Description
Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and
a maximum of 64 alphanumeric characters.
Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of
either device type. If you attempt to use the Description feature with an ACE that is running
an earlier software version, ANM displays an invalid command detected error message and
does not deploy the parameter map.
Brief description of the parameter map. Enter a text string with a maximum of 240
alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double
quotes must be entered as matching pairs.
Enforce Registration Check box that enables Skinny registration enforcement. You can configure the ACE to allow
only registered Skinny clients to make calls. To accomplish this task, the ACE maintains the
state of each Skinny client. After a client registers with Cisco CallManager (CCM), the ACE opens a
secure port (pinhole) to allow that client to make a call.
Uncheck the check box to disable this feature.
Message Id Max Maximum value for the station message ID in hexadecimal that the ACE is to accept. Valid
entries are hexadecimal values from 0x0 to 0x4000 with a default value of 0x181. If a packet
arrives with a station message ID greater than the specified value, the ACE drops the packet
and generates a syslog message.
Note The Message Id Max. hexadecimal value should always start with 0x or 0X.
Min. SCCP Prefix Length (Bytes)
Minimum SCCP prefix length in bytes. By default, the ACE drops SCCP messages whose
SCCP prefix length is less than the length of the message ID field (4 bytes). The ACE drops Skinny
message packets that fail this check and generates a syslog message.
Valid entries are from 4 to 4000 bytes.
Max. SCCP Prefix Length (Bytes)
Maximum SCCP prefix length in bytes. This feature allows you to configure the ACE so that
it checks the maximum SCCP prefix length. The ACE drops Skinny message packets that fail
this check and generates a syslog message.
Valid entries are from 4 to 4000 bytes.
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Contexts, page 6-8
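The SIP strict header validation, Max-Forwards validation and UA software version masking options of Table 10-9, and the Message Id Max and SCCP prefix length checks of Table 10-10, are modelled together in the following added example (Python, not ACE code). The SIP messages and SCCP packets are constructed for the example. The guide states what is checked but not how, so the following are this example's assumptions: the SCCP wire layout (little-endian data length, header version, then station message ID), the 0 to 255 bound applied to Max-Forwards (RFC 3261's ceiling), the folding of RFC 3261 compact header names onto their long forms, and the way the User-Agent version token is masked.

```python
import re
import struct
from typing import Dict, Tuple

# --- SIP: strict header validation, Max-Forwards validation, UA masking (Table 10-9)

MANDATORY_HEADERS = ("From", "To", "Call-ID", "CSeq", "Via", "Max-Forwards")
# RFC 3261 compact forms of the mandatory headers that have one. Folding them is
# this example's assumption; a check that ignored them would be trivially bypassed.
COMPACT_FORMS = {"v": "Via", "f": "From", "t": "To", "i": "Call-ID"}


def sip_headers(message: str) -> Dict[str, str]:
    """Headers of a SIP message keyed by lower-case long name (first occurrence
    wins). Folded continuation lines are not handled, to keep the example short."""
    head = message.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name = COMPACT_FORMS.get(name.strip().lower(), name.strip())
        headers.setdefault(name.lower(), value.strip())
    return headers


def validate_sip(message: str, action: str = "drop") -> Tuple[str, str]:
    """Strict header validation as Table 10-9 lists it: every mandatory header
    present, and Max-Forwards a decimal integer no greater than 255 (RFC 3261's
    ceiling; the exact ACE check is not documented). `action` models the
    configured Drop or Reset choice and is returned with the reason."""
    try:
        headers = sip_headers(message)
    except ValueError as exc:
        return action, str(exc)
    missing = [h for h in MANDATORY_HEADERS if h.lower() not in headers]
    if missing:
        return action, "missing mandatory header(s): " + ", ".join(missing)
    max_forwards = headers["max-forwards"]
    if not max_forwards.isdigit() or int(max_forwards) > 255:
        return action, f"invalid Max-Forwards value {max_forwards!r}"
    return "allow", "headers valid"


def mask_ua_software_version(message: str) -> str:
    """Model of 'Mask UA Software Version': drop the version token that follows
    the product name in User-Agent. The rewrite the ACE performs is not
    documented; stripping everything after the first '/' is an assumption."""
    return re.sub(r"^(User-Agent:[ \t]*[^/\r\n]+)/\S+", r"\1", message, flags=re.M | re.I)


# --- SCCP (Skinny): Message Id Max and SCCP prefix length checks (Table 10-10)

# Assumed wire layout: little-endian data length, header version, station message ID.
SCCP_HEADER = struct.Struct("<III")


def inspect_sccp(packet: bytes, message_id_max: int = 0x181,
                 min_prefix: int = 4, max_prefix: int = 4000) -> Tuple[str, str]:
    """Apply the guide's default limits. The prefix length is the data length
    field, which counts the 4-byte message ID plus payload, hence the minimum of 4."""
    if len(packet) < SCCP_HEADER.size:
        return "drop", "truncated SCCP header"
    length, _version, msg_id = SCCP_HEADER.unpack_from(packet)
    if not min_prefix <= length <= max_prefix:
        return "drop", f"prefix length {length} outside {min_prefix}..{max_prefix}"
    if msg_id > message_id_max:
        return "drop", f"station message ID 0x{msg_id:x} exceeds 0x{message_id_max:x}"
    return "allow", f"station message ID 0x{msg_id:x}"


# Constructed sample traffic, not captured from a real network.
SIP_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "User-Agent: Acme-Phone/3.1.2\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SIP_NO_CSEQ = SIP_INVITE.replace("CSeq: 314159 INVITE\r\n", "")
SIP_BAD_MAX_FORWARDS = SIP_INVITE.replace("Max-Forwards: 70", "Max-Forwards: 999")
SCCP_KEEPALIVE = SCCP_HEADER.pack(4, 0, 0x0000)                   # ID 0 = KeepAlive
SCCP_REGISTER = SCCP_HEADER.pack(4 + 8, 0, 0x0001) + b"\0" * 8    # ID 1 = Register, toy payload
SCCP_OUT_OF_RANGE = SCCP_HEADER.pack(4, 0, 0x0200)                # 0x200 > default 0x181
SCCP_BAD_LENGTH = SCCP_HEADER.pack(2, 0, 0x0000)                  # shorter than the message ID

if __name__ == "__main__":
    for msg, act in ((SIP_INVITE, "drop"), (SIP_NO_CSEQ, "drop"), (SIP_BAD_MAX_FORWARDS, "reset")):
        print(validate_sip(msg, act))
    print(mask_ua_software_version(SIP_INVITE).split("\r\n")[7])
    for pkt in (SCCP_KEEPALIVE, SCCP_REGISTER, SCCP_OUT_OF_RANGE, SCCP_BAD_LENGTH):
        print(inspect_sccp(pkt))
```

The Drop and Reset (Deny) choices differ only in what happens to the transport: a dropped message is silently discarded while the connection stays up, a reset tears the connection down, which is noisier but stops a client that keeps sending malformed signalling.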
Configuring DNS Parameter Maps
You can configure Domain Name System (DNS) parameter maps, which allow you to configure DNS
actions for DNS packet inspection.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > DNS Parameter Maps.
The DNS Parameter Maps table appears.
Step 2 In the DNS Parameter Maps table, click Add to add a new parameter map, or choose an existing
parameter map and click Edit to modify it.
The DNS Parameter Maps configuration window appears.
Step 3 In the DNS Parameter Maps configuration window, configure the parameter map using the information
in Table 10-11.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the DNS Parameter
Maps table.
• Click Next to deploy your entries and to configure another DNS parameter map.
Related Topics
• Configuring Parameter Maps, page 10-1
Table 10-11 DNS Parameter Map Attributes
Field Description
Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a
maximum of 64 alphanumeric characters.
Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either
device type. If you attempt to use the Description feature with an ACE that is running an earlier
software version, ANM displays an invalid command detected error message and does not deploy
the parameter map.
Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric
characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be
entered as matching pairs.
Timeout (Seconds) Amount of time in seconds that the ACE keeps query entries that have no answer in the hash table
before timing them out, so that DNS queries with no matching server response do not accumulate.
Enter an integer from 2 to 120 seconds. The default is 10 seconds.
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Contexts, page 6-1
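The following added example (Python, not ACE code) models the pending-query table that the Timeout field of Table 10-11 governs: a query is remembered under its client address and DNS transaction ID, a matching response releases it, and an entry that has waited for the timeout without an answer is discarded. Dropping a response that matches no pending query is this example's assumption; the guide describes only the timeout. The client addresses, transaction IDs and timestamps are constructed.

```python
from typing import Dict, Tuple


class DnsQueryTable:
    """Pending-query table modelled on the DNS parameter map timeout (Table 10-11).

    Each client query is recorded under (client address, transaction ID); the
    entry is released when a matching response arrives or when it has waited
    `timeout` seconds without one, so a burst of unanswered queries cannot grow
    the table without bound. Treating a response that matches no pending query
    as something to drop is this example's assumption, not documented behaviour.
    """

    def __init__(self, timeout: int = 10) -> None:
        if not 2 <= timeout <= 120:               # the guide's valid range
            raise ValueError("timeout must be between 2 and 120 seconds")
        self.timeout = timeout
        self._pending: Dict[Tuple[str, int], float] = {}

    def query(self, client: str, txid: int, now: float) -> None:
        """Record an outbound query (or refresh it if the client retransmits)."""
        self.expire(now)
        self._pending[(client, txid)] = now

    def response(self, client: str, txid: int, now: float) -> str:
        """Return 'allow' if the response answers a still-pending query, else 'drop'."""
        self.expire(now)
        if self._pending.pop((client, txid), None) is None:
            return "drop"
        return "allow"

    def expire(self, now: float) -> int:
        """Remove entries that have waited `timeout` seconds or longer; return how many."""
        stale = [key for key, sent in self._pending.items() if now - sent >= self.timeout]
        for key in stale:
            del self._pending[key]
        return len(stale)

    def pending(self) -> int:
        return len(self._pending)


def run_scenario() -> Dict[str, object]:
    """Constructed timeline (not captured traffic) exercising each case."""
    table = DnsQueryTable(timeout=10)
    table.query("198.51.100.7", 0x1A2B, now=100.0)
    answered = table.response("198.51.100.7", 0x1A2B, now=103.0)    # in time
    replayed = table.response("198.51.100.7", 0x1A2B, now=104.0)    # same ID again
    table.query("198.51.100.7", 0x3C4D, now=110.0)
    late = table.response("198.51.100.7", 0x3C4D, now=125.0)        # past the 10 s timeout
    unsolicited = table.response("203.0.113.9", 0x7777, now=126.0)  # never queried
    return {"answered": answered, "replayed": replayed, "late": late,
            "unsolicited": unsolicited, "pending": table.pending()}


if __name__ == "__main__":
    print(run_scenario())
```

A short timeout keeps the table small under a flood of queries that will never be answered, but set it above the slowest legitimate resolver round trip, or late answers to real queries are discarded.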
Supported MIME Types
The ACE supports the following MIME types:
• application/msexcel
• application/mspowerpoint
• application/msword
• application/octet-stream
• application/pdf
• application/postscript
• application/x-gzip
• application/x-java-archive
• application/x-java-vm
• application/x-messenger
• application/zip
• audio/*
• audio/basic
• audio/midi
• audio/mpeg
• audio/x-adpcm
• audio/x-aiff
• audio/x-ogg
• audio/x-wav
• image/*
• image/gif
• image/jpeg
• image/png
• image/tiff
• image/x-3ds
• image/x-bitmap
• image/x-niff
• image/x-portable-bitmap
• image/x-portable-greymap
• image/x-xpm
• text/*
• text/css
• text/html
• text/plain
• text/richtext
• text/sgml
• text/xmcd
• text/xml
• video/*
• video/flc
• video/mpeg
• video/quicktime
• video/sgi
• video/x-fli
Chapter 11 Configuring SSL
Date: 3/28/12
This chapter describes how to configure Secure Sockets Layer (SSL) on the Cisco Application Control
Engine (ACE) using Cisco Application Networking Manager (ANM).
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• SSL Overview, page 11-2
• SSL Configuration Prerequisites, page 11-2
• Summary of SSL Configuration Tasks, page 11-3
• SSL Setup Sequence, page 11-4
• Using SSL Certificates, page 11-5
• Using SSL Keys, page 11-10
• Configuring SSL Parameter Maps, page 11-18
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL CSR Parameters, page 11-24
• Generating CSRs, page 11-26
• Configuring SSL Proxy Service, page 11-27
• Configuring SSL OCSP Service, page 11-29
• Enabling Client Authentication, page 11-31
SSL Overview
SSL is an application-level protocol that provides encryption technology for the Internet, ensuring
secure transactions such as the transmission of credit card numbers for e-commerce websites. SSL
initiation occurs when the ACE device (either an ACE module or an ACE appliance) acts as a client and
initiates the SSL session between it and the SSL server. SSL termination occurs when the ACE, acting
as an SSL server, terminates an SSL connection from a client and then establishes a TCP connection to
an HTTP server.
SSL provides the secure transaction of data between a client and a server through a combination of
privacy, authentication, and data integrity. SSL relies upon certificates and private-public key exchange
pairs for this level of security.
Figure 11-1 shows the following network connections in which the ACE terminates the SSL connection
with the client:
• Client to ACE—SSL connection between a client and the ACE acting as an SSL proxy server
• ACE to Server—TCP connection between the ACE and the HTTP server
Figure 11-1 SSL Termination with Client
[Figure 11-1: front end, client to ACE (ACE acting as SSL server), ciphertext; back end, ACE to server, clear text.]
The ACE uses parameter maps, SSL proxy services, and class maps to build the policy maps that
determine the flow of information between the client, the ACE, and the server. SSL termination is a
Layer 3 and Layer 4 application because it is based on the destination IP addresses of the inbound traffic
flow from the client. For this type of application, you create a Layer 3 and Layer 4 policy map that the
ACE applies to the inbound traffic.
If you need to delete any of the SSL objects (authentication groups, chain groups, parameter maps, keys,
CRLs, or certificates), you must remove the dependency from within the proxy service first before
removing the SSL object.
Before configuring the ACE for SSL, see the “SSL Configuration Prerequisites” section on page 11-2.
SSL Configuration Prerequisites
The SSL configuration prerequisites are as follows:
• Your ACE hardware is configured for server load balancing (SLB).
Note During the real server and server farm configuration process, when you associate a real server
with a server farm, ensure that you assign an appropriate port number for the real server. The
default behavior by the ACE is to automatically assign the same destination port that was used
by the inbound connection to the outbound server connection if you do not specify a port.
• Your policy map is configured to define the SSL session parameters and client/server authentication
tools, such as the certificate and RSA key pair.
• Your class map is associated with the policy map to define the virtual SSL server IP address that the
destination IP address of the inbound traffic must match.
• You must import a digital certificate and its corresponding public and private key pair to the desired
ACE context.
• At least one SSL certificate is available.
• If you do not have a certificate and corresponding key pair, you can generate an RSA key pair and
a certificate signing request (CSR). Create a CSR when you need to apply for a certificate from a
certificate authority (CA). The CA signs the CSR and returns the authorized digital certificate to
you.
Note You cannot generate a CSR in Building Blocks (Config > Global > All Building Blocks);
SSL CSR generation is available only in virtual context configuration.
Summary of SSL Configuration Tasks
Table 11-1 describes the tasks for using SSL keys and certificates.
Table 11-1 SSL Key and Certificate Procedure Overview
Task Description
Create an SSL parameter map. Create an SSL parameter map to specify the options that apply to SSL sessions such as the
method to be used to close SSL connections, the cipher suite, and version of SSL or TLS.
See the “Configuring SSL Parameter Maps” section on page 11-18.
Create an SSL key pair file. Create an SSL RSA key pair file to generate a CSR, create a digital signature, and encrypt
packet data during the SSL handshake with an SSL peer.
See the “Generating SSL Key Pairs” section on page 11-14.
Configure CSR parameters. Set CSR parameters to define the distinguished name attributes of a CSR.
See the “Configuring SSL CSR Parameters” section on page 11-24.
Create a CSR. Create a CSR, signed with the private key of the key pair, to submit when you apply for an
SSL certificate. Only the CSR is sent to the CA; the private key is not.
See the “Generating CSRs” section on page 11-26.
Copy and paste the CSR into the Certificate Authority (CA) web-based application or email the CSR to the CA.
Using the SSL key pair and CSR, apply for an approved certificate from a Certificate
Authority.
Use the method specified by the CA for submitting your request.
Save the approved certificate from the CA in its received format on an FTP, SFTP, or TFTP server.
When you receive the approved certificate, save it in the format in which it was received
on a network server accessible via FTP, SFTP, or TFTP.
Import the approved certificate and key pair into the desired virtual context.
Import the approved certificate and the associated SSL key pair into the appropriate
context using ANM.
For more information, see the following sections:
• “Importing SSL Certificates” section on page 11-7
• “Importing SSL Key Pairs” section on page 11-11
Confirm that the public key in the key pair file matches the public key in the certificate file.
Examine the contents of the files to confirm that the public key in the key pair file is the same as
the public key embedded in the certificate. A certificate whose public key does not correspond to the
configured private key cannot complete an SSL handshake.
Configure the virtual context for SSL.
See the “Configuring Traffic Policies” section on page 14-1.
Configure an authentication group. Create a group of certificates that are trusted as certificate signers by creating an
authentication group. See the “Configuring SSL Authentication Groups” section on
page 11-31.
Configure CRL. See the “Configuring CRLs for Client Authentication” section on page 11-33.
For more information about using SSL with ACE, see the Cisco 4700 Series Application Control Engine
Appliance SSL Configuration Guide or Cisco Application Control Engine Module SSL Configuration
Guide.
SSL Setup Sequence
The SSL setup sequence provides detailed instructions with illustrations for configuring SSL on ACE
devices from ANM (Figure 11-2). The purpose of this option is to provide a visual guide for performing
typical SSL operations, such as SSL CSR generation, SSL proxy creation, and so on. This option does
not replace any existing SSL functions or configuration windows already present in ANM. It is only
intended as an additional guide for anyone unfamiliar with the SSL operations that need to be
performed on the ACE device. From the SSL setup sequence, you can configure all SSL
operations without duplicating the edit/delete/table/view operations that the other SSL configuration
windows provide.
The tools and operations involved in typical SSL operations are as follows:
• SSL Import/Create Keys
• SSL Import Certificates
• SSL CSR generation
• SSL proxy creation
Note The SSL Setup Sequence in ANM uses the terms SSL Policies and SSL Proxy Service interchangeably.
For more information on SSL configuration features, see the “Summary of SSL Configuration Tasks”
section on page 11-3.
Figure 11-2 SSL Setup Sequence
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Importing SSL Key Pairs, page 11-11
• Configuring SSL Parameter Maps, page 11-18
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL Proxy Service, page 11-27
Using SSL Certificates
Digital certificates and key pairs are a form of digital identification for user authentication. Certificate
Authorities issue certificates that attest to the validity of the public keys they contain. A client or server
certificate includes the following identification attributes:
• Name of the Certificate Authority and Certificate Authority digital signature
• Name of the client or server (the certificate subject) that the certificate authenticates
• Issuer
• Time stamps that indicate the certificate’s start date
• Time stamps that indicate the certificate’s expiration date
• CA certificate
A Certificate Authority has one or more signing certificates that it uses for creating SSL certificates and
certificate revocation lists (CRLs). Each signing certificate has a matching private key that is used to
create the Certificate Authority signature. The Certificate Authority makes the signing certificates (with
the public key embedded) available to the public, enabling anyone to access and use the signing
certificates to verify that an SSL certificate or CRL was actually signed by a specific Certificate
Authority.
Note For the ACE module A2(3.0), ACE appliance A4(1.0), or later releases of either device type, the ACE
supports a maximum of eight CRLs for any context. For earlier releases of either device type, the ACE
supports a maximum of four CRLs for any context.
All certificates have an expiration date, usually one year after the certificate was issued. You can monitor
certificate expiration status by going to Monitor > Devices > context > Dashboard. ANM issues a
warning email daily before the certificate expiration date. You establish how many days before the
expiration date that the warning email messages begin in the Threshold Groups settings window, which
you can access using either of the following methods:
• Choose Monitor > Alarm Notifications > Thresholds Groups.
• Click the Configure Certificate Expiry Threshold Alarms button in the Certificates window
(Config > Devices > context > SSL > Certificates).
Note The Certificates window (Config > Devices > context > SSL > Certificates) contains the Expiry Date
field, which displays the certificate expiration date. Due to a known issue with the ACE module and
appliance, it is possible that this field displays either “Null” or characters that are unparseable or
unreadable. When this issue occurs, ANM is unable to track the certificate expiration date. If the
certificate is defined in a threshold group configured for certificate expiration alarm notifications and
this issue occurs, ANM may not issue an expiration alarm when expected or it may issue a false alarm.
If you encounter this issue, remove the certificate from the ACE, reimport it, and then verify that the
correct expiration date displays in the Certificates window.
For more information about configuring the certificate expiration alarm notification, see the
“Configuring Alarm Notifications on ANM” section on page 17-57.
The ACE requires certificates and corresponding key pairs for the following:
• SSL Termination—The ACE acts as an SSL proxy server and terminates the SSL session between
it and the client. For SSL termination, you must obtain a server certificate and corresponding key
pair.
• SSL Initiation—The ACE acts as a client and initiates the SSL session between it and the SSL server.
For SSL initiation, you must obtain a client certificate and corresponding key pair.
Note The ACE includes a preinstalled sample certificate and corresponding key pair. This feature is available
only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type.
The certificate is for demonstration purposes only and does not have a valid domain. It is a self-signed
certificate with basic extensions named cisco-sample-cert. The key pair is an RSA 1024-bit key pair
named cisco-sample-key.
You can display the sample certificate and corresponding key pair files as follows:
• To display the cisco-sample-cert file, choose Config > Devices > context > SSL > Certificates.
• To display the cisco-sample-key file, choose Config > Devices > context > SSL > Keys.
You can add these files to an SSL-proxy service (see the “Configuring SSL Proxy Service” section on
page 11-27). They are available for use in any context, and the filenames are the same in each
context.
The ACE allows you to export these files but does not allow you to import any files with these names.
When you upgrade the ACE software, these files are overwritten with the files provided in the upgrade
image. You cannot use the crypto delete CLI command to delete these files unless you downgrade the
ACE software because a software downgrade preserves these files as if they were user-installed SSL
files.
Related Topics
• Configuring SSL, page 11-1
• Exporting SSL Certificates, page 11-15
• Importing SSL Certificates, page 11-7
• Using SSL Keys, page 11-10
• Importing SSL Key Pairs, page 11-11
• Configuring SSL CSR Parameters, page 11-24
• Generating CSRs, page 11-26
• Configuring SSL Proxy Service, page 11-27
Importing SSL Certificates
You can import SSL certificates from a remote server to the ACE, which can support the following
number of certificates and key pairs depending on the installed software version:
• ACE Module:
– A2(3.x) and earlier—3800 certificates and 3800 key pairs
– A4(1.0)—4096 certificates and 4096 key pairs
• ACE Appliance:
– A3(1.x) and earlier—3800 certificates and 3800 key pairs
– A3(2.x) and later (including A4(1.0))—4096 certificates and 4096 key pairs
Assumptions
This topic assumes the following:
• You have configured the ACE for server load balancing. (See the “Information About Load
Balancing” section on page 7-1.)
• You have obtained an SSL certificate from a certificate authority (CA) and have placed it on a
network server accessible by the ACE.
Note You cannot import SSL certificates in Building Blocks (Config > Global > All Building Blocks);
SSL certificate imports are available only in virtual context configuration.
Procedure
Step 1 To configure a virtual context, choose Config > Devices > context > SSL > Certificates.
The Certificates table appears, listing any valid SSL certificates.
The cisco-sample-cert certificate is included in the list only for the ACE module A2(3.0), ACE appliance
A4(1.0), and later releases of either device type. For information on this sample certificate, see the
“Using SSL Certificates” section on page 11-5.
Step 2 In the Certificates table, do one of the following:
• To import a single SSL certificate, click Import. The Import dialog box appears.
• To import multiple SSL certificates, click Bulk Import. The Bulk Import dialog box appears.
Note The SSL bulk import feature is available only for ACE module A2(2.0), ACE appliance
A4(1.0), or later releases of either device type. If you attempt to use the bulk import feature
with an ACE that is running an earlier software version, ANM displays an invalid command
detected error message and does not deploy the bulk import configuration for the ACE.
Note SSL bulk import can take longer based on the number of SSL certificates being imported. It
will progress to completion on the ACE. To see the imported certificates in ANM, perform
a CLI Sync for this context once the SSL bulk import has completed. For information on
synchronizing contexts, see the “Synchronizing Virtual Context Configurations” section on
page 6-105.
Step 3 Enter the applicable information:
• For the Import dialog box, see Table 11-2.
• For the Bulk Import dialog box, see Table 11-3 (ACE module A2(2.0), ACE appliance A4(1.0), and
later releases of either device type only).
Step 4 Do one of the following:
• Click OK to accept your entries and to return to the Certificates table. ANM updates the Certificates
table with the newly installed certificate.
• Click Cancel to exit this procedure without saving your entries and to return to the Certificates table.
Table 11-2 SSL Certificate Management Import Attributes
Field: Description
Protocol: Method to use for accessing the network server:
• FTP—FTP is to be used to access the network server when importing the SSL certificate.
• SFTP—SFTP is to be used to access the network server when importing the SSL certificate.
• TERMINAL—You will import the file using cut and paste by pasting the certificate information to the terminal display. You can use the terminal method to display only PEM files, which are in ASCII format.
• TFTP—TFTP is to be used to access the network server when importing the SSL certificate.
IP Address: Field that appears for FTP, TFTP, and SFTP. Enter the IP address of the remote server on which the SSL certificate file resides.
Remote File Name: Field that appears for single-file SSL certificate importing and FTP, TFTP, and SFTP. Enter the directory and filename of the single certificate file on the network server.
Local File Name: Filename to use for the single SSL certificate file when it is imported to the ACE.
User Name: Field that appears for FTP and SFTP. Enter the name of the user account on the network server.
Password: Field that appears for FTP and SFTP. Enter the password for the user account on the network server.
Confirm: Field that appears for FTP and SFTP. Reenter the password.
Passphrase: Field that appears for FTP, TFTP, SFTP, and TERMINAL. Enter the passphrase that was created with the file. Without this phrase, you cannot use the file. Passphrases are used only with encrypted PEM and PKCS files.
Confirm: Field that appears for FTP, SFTP, and TERMINAL. Reenter the passphrase.
Non-Exportable: Check box that specifies that this certificate file cannot be exported from the ACE. The ability to export SSL certificates allows you to copy signed certificates to another server on your network so that you can then import them onto another ACE or Web server. Exporting is similar to copying in that the original files are not deleted.
Import Text: Field that appears for TERMINAL. Cut the certificate information from the remote server and paste it into this field.
Table 11-3 SSL Certificate Management Bulk Import Attributes
Field: Description
Protocol: SFTP is to be used to access the network server when importing the SSL certificates. SFTP is the only supported protocol for bulk import.
IP Address: IP address of the remote server on which the SSL certificate files reside.
Remote Path: Path to the SSL certificate files that reside on the remote server. The ACE fetches only files specified by the path; it does not recursively fetch remote directories. Enter a filename path including wildcards (for example, /remote/path/*.pem). The ACE supports POSIX pattern matching notation, as specified in section 2.13 of the "Shell and Utilities" volume of IEEE Std 1003.1-2004. This notation includes the "*," "?" and "[" metacharacters.
To fetch all files from a remote directory, specify a remote path that ends with a wildcard character (for example, /remote/path/*). Do not include spaces or the following special characters:
;<>\|`@$&()
The ACE fetches all files on the remote server that match the wildcard criteria. However, it imports only files with names that have a maximum of 40 characters. If the name of a file exceeds 40 characters, the ACE does not import the file and discards it.
User Name: Name of the user account on the network server.
Password: Password for the user account on the network server.
Confirm: Password confirmation.
Passphrase: Passphrase that was created with the file. Without this phrase, you cannot use the file. Passphrases are used only with encrypted PEM and PKCS files.
Confirm: Passphrase confirmation.
Non-Exportable: Check box to specify that this certificate file cannot be exported from the ACE. The ability to export SSL certificates allows you to copy signed certificates to another server on your network so that you can then import them onto another ACE or Web server. Exporting is similar to copying in that the original files are not deleted.
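The Remote Path rules in Table 11-3 (Table 11-5 states the same rules for key pairs) are easy to get wrong before a bulk import is deployed. The following added example, which is not part of the ANM guide or the ACE product, is a pre-flight check that rejects a path containing the forbidden characters and previews which listed files the pattern would select and which the ACE would discard for exceeding 40 characters; it assumes the remote listing is supplied as one absolute path per line.

```shell
#!/bin/sh
# Added example (not from the ANM guide): pre-flight check of a Bulk Import
# "Remote Path" value and of the files it would select, following the rules
# stated for Remote Path in Table 11-3 and Table 11-5.
# Assumption: the remote directory listing is fed in as one absolute path per line.

# The guide forbids spaces and the characters ;<>\|`@$&() in the remote path.
# Delete them from a copy and compare: any difference means a forbidden character.
remote_path_ok() {
    stripped=$(printf '%s' "$1" | tr -d ' ;<>\\|`@$&()')
    [ "$stripped" = "$1" ]
}

# Print each listed file that the pattern selects, with a verdict:
#   IMPORT       the ACE would import it
#   SKIP-LENGTH  matched, but the file name exceeds 40 characters, so the ACE
#                discards it
# Files in subdirectories are never listed: the ACE does not recurse, and a
# shell "*" would otherwise match across "/" boundaries.
# Usage: printf '%s\n' /remote/path/... | bulk_import_preview '/remote/path/*.pem'
bulk_import_preview() {
    pattern=$1
    dir=${pattern%/*}
    while IFS= read -r f; do
        case $f in
            "$dir"/*/*) continue ;;   # below the pattern's directory: not fetched
        esac
        case $f in
            $pattern) ;;              # unquoted: the shell's own POSIX pattern match
            *) continue ;;
        esac
        name=${f##*/}
        if [ "${#name}" -gt 40 ]; then
            printf '%s SKIP-LENGTH\n' "$f"
        else
            printf '%s IMPORT\n' "$f"
        fi
    done
}
```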
Related Topics
• Configuring SSL, page 11-1
• Using SSL Keys, page 11-10
• Importing SSL Key Pairs, page 11-11
• Configuring SSL Parameter Maps, page 11-18
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL CSR Parameters, page 11-24
• Configuring SSL Proxy Service, page 11-27
Using SSL Keys
You can display options for working with SSL and SSL keys. The ACE and its peer use a public key
cryptographic system named Rivest, Shamir, and Adleman (RSA) for authentication during the SSL
handshake to establish an SSL session. The RSA system uses key pairs that consist of a public key and
a corresponding private (secret) key. During the handshake, the RSA key pairs encrypt the session key
that both devices will use to encrypt the data that follows the handshake.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > SSL > Keys.
• To configure a building block, choose Config > Global > building_block > SSL > Keys.
The Keys table appears.
Step 2 In the Keys table, continue with one of the following options:
• Generate a key pair—See Generating SSL Key Pairs, page 11-14.
• Import a key pair—See Importing SSL Key Pairs, page 11-11.
• Export a key pair—See Exporting SSL Key Pairs, page 11-16.
• Generate a CSR—See Generating CSRs, page 11-26.
Related Topics
• Generating SSL Key Pairs, page 11-14
• Importing SSL Key Pairs, page 11-11
• Exporting SSL Key Pairs, page 11-16
• Configuring SSL, page 11-1
Importing SSL Key Pairs
You can import an SSL key pair file from a network server to an ACE, which can support the following
number of certificates and key pairs depending on the installed software version:
• ACE Module:
– A2(3.x) and earlier—3800 certificates and 3800 key pairs
– A4(1.0)—4096 certificates and 4096 key pairs
• ACE Appliance:
– A3(1.x) and earlier—3800 certificates and 3800 key pairs
– A3(2.x) and later (including A4(1.0))—4096 certificates and 4096 key pairs
Assumptions
This topic assumes the following:
• You have configured the ACE for server load balancing. (See the “Information About Load
Balancing” section on page 7-1.)
• You have obtained an SSL key pair from a certificate authority (CA) and have placed the pair on a
network server accessible by the ACE.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > SSL > Keys.
• To configure a building block, choose Config > Global > building_block > SSL > Keys.
The Keys table appears, listing existing SSL keys.
For the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type, the
cisco-sample-key key pair is included in the list. For information on this sample key pair, see the “Using
SSL Certificates” section on page 11-5.
Step 2 Do one of the following:
• To import a single SSL key pair, in the Keys table, click Import. The Import dialog box appears.
• To import multiple SSL key pairs, click Bulk Import. The Bulk Import dialog box appears.
Note The SSL bulk import feature is available only for ACE module A2(2.0), ACE appliance
A4(1.0), and later releases of either device type. If you attempt to use the bulk import feature
with an ACE that is running an earlier software version, ANM displays an invalid command
detected error message and does not deploy the bulk import configuration for the ACE.
Note SSL bulk import can take longer based on the number of SSL keys being imported. It will
progress to completion on the ACE. To see the imported keys in ANM, perform a CLI Sync
for this context once the SSL bulk import has completed. For information on synchronizing
contexts, see the “Synchronizing Virtual Context Configurations” section on page 6-105.
Step 3 Enter the applicable information as follows:
• For the Import dialog box, see Table 11-4.
• For the Bulk Import dialog box, see Table 11-5 (ACE module A2(2.0), ACE appliance A4(1.0), and
later releases of either device type only).
Step 4 Do one of the following:
• Click OK to accept your entries and to return to the Keys table. ANM updates the Keys table with
the imported key pair file information.
• Click Cancel to exit this procedure without saving your entries and to return to the Keys table.
Table 11-4 SSL Key Pair Import Attributes
Field: Description
Protocol: Method to use for accessing the network server:
• FTP—FTP is to be used to access the network server when importing the SSL key pair file.
• SFTP—SFTP is to be used to access the network server when importing the SSL key pair file.
• TERMINAL—You will import the file using cut and paste by pasting the certificate and key pair information to the terminal display. You can use the terminal method to display only PEM files, which are in ASCII format.
• TFTP—TFTP is to be used to access the network server when importing the SSL key pair file.
IP Address: Field that appears for FTP, TFTP, and SFTP. Enter the IP address of the remote server on which the SSL key pair file resides.
Remote File Name: Field that appears for single-file SSL key pair importing and FTP, TFTP, and SFTP. Enter the directory and filename of the single key pair file on the network server.
Local File Name: Filename to be used for the single SSL key pair file when it is imported to the ACE.
User Name: Field that appears for FTP and SFTP. Enter the name of the user account on the network server.
Password: Field that appears for FTP and SFTP. Enter the password for the user account on the network server.
Confirm: Field that appears for FTP, SFTP, and TERMINAL. Reenter the password.
Passphrase: Field that appears for FTP, TFTP, SFTP, and TERMINAL. Enter the passphrase that was created with the file. Without this phrase, you cannot use the file. Passphrases are used only with encrypted PEM and PKCS files.
Confirm: Field that appears for FTP and SFTP. Reenter the passphrase.
Non-Exportable: Check box to specify that this key pair file cannot be exported from the ACE. The ability to export SSL key pair files allows you to copy key pair files to another server on your network so that you can then import them onto another ACE or Web server. Exporting is similar to copying in that the original files are not deleted. Uncheck the check box to indicate that this key pair file can be exported from the ACE.
Import Text: Field that appears for TERMINAL. Cut the key pair information from the remote server and paste it into this field.
Table 11-5 SSL Key Pair Bulk Import Attributes
Field: Description
Protocol: SFTP is to be used to access the network server when importing the SSL key pairs. SFTP is the only supported protocol for bulk import.
IP Address: IP address of the remote server on which the SSL key pair files reside.
Remote Path: Path to the key pair files that reside on the remote server. The ACE fetches only files specified by the path; it does not recursively fetch remote directories. Enter a filename path including wildcards (for example, /remote/path/*.pem). The ACE module supports POSIX pattern matching notation, as specified in section 2.13 of the "Shell and Utilities" volume of IEEE Std 1003.1-2004. This notation includes the "*," "?" and "[" metacharacters.
To fetch all files from a remote directory, specify a remote path that ends with a wildcard character (for example, /remote/path/*). Do not include spaces or the following special characters:
;<>\|`@$&()
The ACE module fetches all files on the remote server that match the wildcard criteria. However, it imports only files with names that have a maximum of 40 characters. If the name of a file exceeds 40 characters, the ACE module does not import the file and discards it.
User Name: Name of the user account on the network server.
Password: Password for the user account on the network server.
Confirm: Password confirmation.
Passphrase: Passphrase that was created with the file. Without this phrase, you cannot use the file. Passphrases are used only with encrypted PEM and PKCS files.
Confirm: Passphrase confirmation.
Non-Exportable: Check box to specify that this key pair file cannot be exported from the ACE. The ability to export SSL key pairs allows you to copy key pair files to another server on your network so that you can then import them onto another ACE or Web server. Exporting is similar to copying in that the original files are not deleted.
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Configuring SSL Parameter Maps, page 11-18
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL CSR Parameters, page 11-24
• Configuring SSL Proxy Service, page 11-27
Generating SSL Key Pairs
The ACE can generate SSL RSA key pairs if you do not have any matching key pairs.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > SSL > Keys.
• To configure a building block, choose Config > Global > building_block > SSL > Keys.
The Keys table appears.
For the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type, the
cisco-sample-key key pair is included in the list. For information about this sample key pair, see the
“Using SSL Certificates” section on page 11-5.
Step 2 In the Keys table, click Add to add a new key pair.
The Keys configuration window appears.
Note You cannot modify an existing entry in the Keys table. Instead, delete the existing entry, then
add a new one.
Step 3 In the Keys configuration window, enter the information in Table 11-6.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Keys table.
• Click Next to deploy your entries and to define another RSA key pair.
Table 11-6 Key Attributes
Field: Description
Name: Name of the SSL key pair. Valid entries are alphanumeric strings up to 64 characters.
Size (Bits): Key pair security strength. The number of bits in the key pair file defines the size of the RSA key pair used to secure Web transactions. Longer keys produce more secure implementations by increasing the strength of the RSA security policy. Options and their relative levels of security are as follows:
• 512—Least security
• 768—Normal security
• 1024—High security, level 1
• 1536—High security, level 2
• 2048—High security, level 3
Type: RSA is a public-key cryptographic system used for authentication.
Exportable Key: Check box that specifies that the key pair file can be exported. Uncheck the check box to indicate that the key pair file cannot be exported.
After generating an RSA key pair, you can do the following:
• Create a CSR parameter set. The CSR parameter set defines the distinguished name attributes for
the ACE to use during the CSR-generating process. For details on defining a CSR parameter set, see
the “Configuring SSL CSR Parameters” section on page 11-24.
• Generate a CSR for the RSA key pair file and transfer the CSR request to the certificate authority
for signing. This provides an added layer of security because the RSA private key originates directly
within the ACE and does not have to be transported externally. Each generated key pair must be
accompanied by a corresponding certificate to work. For details on generating a CSR, see the
“Generating CSRs” section on page 11-26.
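The checks this chapter asks for (Table 11-1's confirmation that the key pair information is the same in the key pair file and the certificate file, the CA signature check described under "Using SSL Certificates", the expiry threshold that ANM warns about, and the key-plus-CSR workflow above) can all be rehearsed on a workstation before anything is imported. The following is an added example, not part of the ANM guide or the ACE product; it assumes the openssl command-line tool is installed, that $WORK is a writable scratch directory, and that "Example Test CA" is a constructed CA used only for testing.

```shell
#!/bin/sh
# Added example (not from the ANM guide): prepare PEM key pair and certificate
# files and run the checks the guide asks for before importing them into an
# ACE context through ANM.
# Assumptions: the openssl CLI is installed; $WORK is a writable scratch
# directory; "Example Test CA" is a constructed CA for testing only.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate an RSA key pair of <bits> bits and a CSR for it, so that the private
# key is created where it will be used and never has to be transported.
# Usage: gen_key_and_csr <name> <bits> <common-name>
gen_key_and_csr() {
    openssl genrsa -out "$WORK/$1.key" "$2" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$3" -out "$WORK/$1.csr" 2>/dev/null
}

# Constructed stand-in for the real certificate authority: a self-signed CA
# certificate whose private key signs CSRs. In production the CSR goes to the CA.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Example Test CA" -days 30 -out "$WORK/ca.crt" 2>/dev/null
}

# Usage: sign_csr <name> <days-valid>
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# Table 11-1: confirm that the key pair information is the same in both files.
# The public key embedded in the certificate must equal the public half of the
# key file; compare SHA-256 digests of both in SubjectPublicKeyInfo PEM form.
# Usage: cert_key_match <cert.pem> <key.pem>   (exit 0 when they match)
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# "Using SSL Certificates": check that the certificate was actually signed by
# the CA whose signing certificate you hold.
# Usage: verify_signed_by <cert.pem> <ca.pem>   (exit 0 when the chain verifies)
verify_signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Local equivalent of ANM's expiry threshold: exit 0 while the certificate stays
# valid for at least <days> more days, 1 when it expires inside that window.
# Usage: cert_valid_for_days <cert.pem> <days>
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

The files written to $WORK are ordinary PEM files; the key file can be imported with Table 11-4 and the signed certificate with Table 11-2 once the checks pass.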
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Importing SSL Key Pairs, page 11-11
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL CSR Parameters, page 11-24
• Configuring SSL Proxy Service, page 11-27
Exporting SSL Certificates
You can export SSL certificates from the ACE to a remote server. The ability to export SSL certificates
allows you to copy signed certificates to another server on your network so that you can then import them
onto another ACE or Web server. Exporting certificates is similar to copying in that the original
certificates are not deleted.
Assumption
The SSL certificate can be exported (see the “Importing SSL Certificates” section on page 11-7).
Note You cannot export an SSL certificate in Building Blocks (Config > Global > All Building Blocks);
SSL certificate export is available only in virtual context configuration.
Procedure
Step 1 To configure a virtual context, choose Config > Devices > context > SSL > Certificates.
The Certificates table appears, listing any valid SSL certificates.
The cisco-sample-cert certificate is included in the list only for the ACE module A2(3.0), ACE appliance
A4(1.0), and later releases of either device type. For information about this sample certificate, see the
“Using SSL Certificates” section on page 11-5.
Step 2 In the Certificates table, choose the certificate you want to export, and click Export.
The Export dialog box appears.
Step 3 In the Export dialog box, enter the information in Table 11-7.
Step 4 Do one of the following:
• Click OK to export the certificate and to return to the Certificates table.
• Click Cancel to exit this procedure without exporting the certificate and to return to the Certificates
table.
Table 11-7 SSL Certificate Export Attributes
Field: Description
Protocol: Method to be used for exporting the SSL certificate:
• FTP—FTP is to be used to access the network server when exporting the SSL certificate.
• SFTP—SFTP is to be used to access the network server when exporting the SSL certificate.
• TERMINAL—You will export the certificate using cut and paste by pasting the certificate and key pair information to the terminal display. You can use the terminal method to display only PEM files, which are in ASCII format.
• TFTP—TFTP is to be used to access the network server when exporting the SSL certificate.
IP Address: Field that appears for FTP, TFTP, and SFTP. Enter the IP address of the remote server to which the SSL certificate file is to be exported.
Remote File Name: Field that appears for FTP, TFTP, and SFTP. Enter the directory and filename to be used for the SSL certificate file on the remote network server.
User Name: Field that appears for FTP and SFTP. Enter the name of the user account on the remote network server.
Password: Field that appears for FTP and SFTP. Enter the password for the user account on the remote network server.
Confirm: Field that appears for FTP and SFTP. Reenter the password.
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Importing SSL Key Pairs, page 11-11
• Generating SSL Key Pairs, page 11-14
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL CSR Parameters, page 11-24
• Configuring SSL Proxy Service, page 11-27
Exporting SSL Key Pairs
You can export SSL key pairs from the ACE to a remote server. The ability to export SSL key pairs allows
you to copy SSL key pair files to another server on your network so that you can then import them onto
another ACE or Web server. Exporting key pair files is similar to copying in that the original key pairs
are not deleted.
Assumption
The SSL key pair can be exported (see the “Generating SSL Key Pairs” section on page 11-14).
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > SSL > Keys.
• To configure a building block, choose Config > Global > building_block > SSL > Keys.
The Keys table appears. For the ACE module A2(3.0) and later releases only, the cisco-sample-key key
pair is included in the list. For information about this sample key pair, see the “Using SSL Certificates”
section on page 11-5.
Step 2 In the Keys table, choose the key entry you want to export, and click Export.
The Export dialog box appears.
Step 3 In the Export dialog box, enter the information in Table 11-8.
Step 4 Do one of the following:
• Click OK to export the key pair and to return to the Keys table.
• Click Cancel to exit this procedure without exporting the key pair and to return to the Keys table.
Table 11-8 SSL Key Export Attributes
Field: Description
Protocol: Specify the method to be used for exporting the SSL key pair:
• FTP—FTP is to be used to access the network server when exporting the SSL key pair.
• SFTP—SFTP is to be used to access the network server when exporting the SSL key pair.
• TERMINAL—You will export the key pair using cut and paste by pasting the key pair information to the terminal display. You can use the terminal method to display only PEM files, which are in ASCII format.
• TFTP—TFTP is to be used to access the network server when exporting the SSL key pair.
IP Address: Field that appears for FTP, TFTP, and SFTP. Enter the IP address of the remote server to which the SSL key pair is to be exported.
Remote File Name: Field that appears for FTP, TFTP, and SFTP. Enter the directory and filename to be used for the SSL key pair file on the remote network server.
User Name: Field that appears for FTP and SFTP. Enter the name of the user account on the remote network server.
Password: Field that appears for FTP and SFTP. Enter the password for the user account on the remote network server.
Confirm: Field that appears for FTP and SFTP. Reenter the password.
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Importing SSL Key Pairs, page 11-11
• Generating SSL Key Pairs, page 11-14
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL CSR Parameters, page 11-24
• Configuring SSL Proxy Service, page 11-27
Configuring SSL Parameter Maps
You can create SSL parameter maps, which define the SSL session parameters that the ACE applies to
an SSL proxy service. SSL parameter maps let you apply the same SSL session parameters to different
proxy services.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > SSL > Parameter Map.
• To configure a building block, choose Config > Global > building_block > SSL > Parameter Map.
The Parameter Map table appears.
Step 2 In the Parameter Map table, click Add to add a new SSL parameter map, or choose an existing entry to
modify and click Edit.
The Parameter Map configuration window appears.
Step 3 In the Parameter Map configuration window, enter the information in Table 11-9.
Table 11-9 SSL Parameter Map Attributes
Field Description
Name Unique name for the parameter map. Valid entries are alphanumeric strings with a maximum of 64
characters.
Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either
device type. If you attempt to use the Description feature with an ACE that is running an earlier
software version, ANM displays an invalid command detected error message and does not deploy
the parameter map.
Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric
characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be
entered as matching pairs.
Queue Delay Timeout (Milliseconds) Time (in milliseconds) to wait before emptying the queued data for encryption. Valid entries are 0
to 10000 milliseconds. If disabled (set to 0), the ACE encrypts the data from the server as soon as
it arrives and then sends the encrypted data to the client.
Note The Queue Delay Timeout is only applied to data that the SSL module sends to the client.
This avoids a potentially long delay in passing a small HTTP GET to the real server.
Session Cache Timeout (Milliseconds) Timeout value of an SSL session ID to remain valid before the ACE requires the full SSL
handshake to establish a new SSL session. This feature allows the ACE to reuse the master key on
subsequent connections with the client, which can speed up the SSL negotiation process.
Valid entries are 0 to 72000 milliseconds. Specifying a value of 0 causes the ACE to implement a
least recently used (LRU) timeout policy. By disabling this option (with the no command), the full
SSL handshake occurs for each new connection with the ACE module.
Reject Expired CRL Certificates Check box that instructs the ACE to reject any certificates listed on an expired CRL.
Uncheck the check box to instruct the ACE to accept certificates listed on an expired CRL, which
is the default setting.
Close Protocol Behavior Method that the ACE uses to close the SSL connection:
• Disabled—The ACE sends a close-notify alert message to the SSL peer; however, the SSL peer
does not expect a close-notify alert before removing the session. Whether the SSL peer sends
a close-notify alert message or not, the session information is preserved, allowing session
resumption for future SSL connections.
• None—The ACE does not send a close-notify alert message to the SSL peer, nor does the ACE
expect a close-notify alert message from the peer. The ACE preserves the session information
so that SSL resumption can be used for future SSL connections. This is the default.
Note Where ACE 1.0 is already configured with the Strict option, ANM interprets it as the option
None. This is due to the change in ACE 1.0 configuration (which no longer allows the Strict
option).
SSL Version Version of SSL to be used during SSL communications:
• All—The ACE uses both SSL v3 and TLS v1 in its communications with its SSL peer.
• SSL3—The ACE uses only SSL v3 in its communications with its SSL peer.
• TLS1—The ACE uses only TLS v1 in its communications with its SSL peer.
Ignore Authentication Failure Option that enables the ACE to ignore expired or invalid SSL certificates and continue setting up
the connection as follows:
• ACE module versions 3.0(0)A2(1.1) forward and ACE appliance version A3(1.0) only—If
checked, this feature enables the ACE to ignore expired or invalid server certificates and to
continue setting up the back-end connection in an SSL initiation configuration. This option
allows the ACE to ignore the following nonfatal errors with respect to server certificates:
– Certificate not yet valid
– Certificate has expired
– Certificate revoked
– Unknown issuer
• ACE module version A2(3.0) and later only—If checked, this feature enables the ACE to
ignore expired or invalid client or server certificates and to continue setting up the SSL
connection. This option allows the ACE to ignore the following nonfatal errors with respect
to either client certificates for SSL termination configurations, or server certificates for SSL
initiation configurations:
– Certificate not yet valid (both)
– Certificate has expired (both)
– Certificate revoked (both)
– Unknown issuer (both)
– No client certificate (client certificate only)
– CRL not available (client certificate only)
– CRL has expired (client certificate only)
– Certificate has signature failure (client certificate only)
– Certificate other error (client certificate only)
Step 4 Click the Parameter Map Cipher tab and click Add to add a cipher, or choose an existing cipher and
click Edit.
Enter the information in Table 11-10.
Table 11-10 SSL Parameter Map Cipher Configuration Attributes
Field Description
Cipher Name Cipher to use.
For more information on the SSL cipher suites that ACE supports, see the Cisco 4700 Series
Application Control Engine Appliance SSL Configuration Guide or the Cisco Application Control
Engine Module SSL Configuration Guide.
Cipher Priority Priority that you want to assign to this cipher suite. The priority indicates the cipher’s preference
for use.
Valid entries are from 1 to 10 with 1 indicating the least preferred and 10 indicating the most
preferred. When determining which cipher suite to use, the ACE chooses the cipher suite with the
highest priority.
Step 5 In the Parameter Map Cipher table, do one of the following:
• Click Deploy Now to deploy the Parameter Map Cipher on the ACE and save your entries to the
running-configuration and startup-configuration files
• Click Cancel to exit the procedure without saving your entries and to return to the Parameter Map
Cipher table.
• Click Next to deploy your entries and to add another entry to the Parameter Map Cipher table.
Step 6 Click the Redirect Authentication Failure tab and click Add to add a redirect or choose an existing
redirect, and click Edit.
Note This option is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later
releases of either device type.
Enter the information in Table 11-11.
Note The Redirect Authentication Failure feature is only for SSL termination configurations in which
the ACE performs client authentication. The ACE ignores these attributes if you configure them
for an SSL initiation configuration.
Table 11-11 SSL Parameter Map Redirect Configuration Attributes
Field Description
Client Certificate Validation Type of certificate validation failure to redirect. From the drop-down list, choose the type to
redirect:
• Any—Associates any of the certificate failures with the redirect. You can configure the
authentication-failure redirect any command with individual reasons for redirection. When you
do, the ACE attempts to match one of the individual reasons before using the any reason. You
cannot configure the authentication-failure redirect any command with the
authentication-failure ignore command.
• Cert-expired—Associates an expired certificate failure with a redirect.
• Cert-has-signature-failure—Associates a certificate signature failure with a redirect.
• Cert-not-yet-valid—Associates a certificate that is not yet valid failure with the redirect.
• Cert-other-error—Associates all other certificate failures with a redirect.
• Cert-revoked—Associates a revoked certificate failure with a redirect.
• CRL-has-expired—Associates an expired CRL failure with a redirect.
• CRL-not-available—Associates a CRL that is not available failure with a redirect.
• No-client-cert—Associates no client certificate failure with a redirect.
• Unknown-issuer—Associates an unknown issuer certificate failure with a redirect.
Redirect Type Redirect type to use:
• Server Farm—Specifies a redirect server farm for the redirect.
• URL—Specifies a static URL path for the redirect.
Server Farm Name Field that appears when the Redirect Type is set to Server Farm. ANM displays the available server
farms as follows:
• ACE software Version A4(1.0) or later—ANM displays all configured host and redirect server
farms.
• All earlier ACE software versions—ANM displays only those server farms configured as
redirect server farms.
Choose one of the available server farm options or click Plus (+) to open the server farm
configuration popup and configure a redirect server farm (see the “Configuring Server Farms”
section on page 8-30).
Redirect URL Field that appears when the Redirect Type is set to URL. Specifies the static URL path for the
redirect. Enter a string with a maximum of 255 characters and no spaces.
Redirect Code Field that appears when the Redirect Type is set to URL.
Enter the redirect code that is sent back to the client:
• 301—Status code for a resource permanently moving to a new location.
• 302—Status code for a resource temporarily moving to a new location.
Step 7 In the Redirect Authentication Failure table, do one of the following:
• Click Deploy Now to deploy the Redirect Authentication Failure table on the ACE and save your
entries to the running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Redirect
Authentication Failure table.
• Click Next to deploy your entries and to add another entry to the Redirect Authentication Failure
table.
Step 8 In the Parameter Map table, do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Parameter Map
table.
• Click Next to deploy your entries and to add another entry to the Parameter Map table.
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Importing SSL Key Pairs, page 11-11
• Generating SSL Key Pairs, page 11-14
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL CSR Parameters, page 11-24
• Configuring SSL Proxy Service, page 11-27
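A decision model for the Ignore Authentication Failure option (Table 11-9) and the Redirect Authentication Failure attributes (Table 11-11), added here as an example; it is not ANM or ACE code. The reason names, redirect types, redirect codes and the rule that "any" cannot be combined with ignore come from the tables; the ClientCertCheck record, the order in which failures are detected and the rule that a matching redirect wins over ignore are assumptions of the model.

```python
"""Model of Ignore Authentication Failure (Table 11-9) and Redirect Authentication
Failure (Table 11-11). Added example, not ANM or ACE code."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Failure reasons listed in Table 11-11 (the ACE A2(3.0) set of Table 11-9).
REASONS = (
    "cert-not-yet-valid", "cert-expired", "cert-revoked", "unknown-issuer",
    "no-client-cert", "crl-not-available", "crl-has-expired",
    "cert-has-signature-failure", "cert-other-error",
)


@dataclass(frozen=True)
class Redirect:
    kind: str          # "url" or "server-farm": the two Redirect Type values
    target: str        # static URL path or redirect server farm name
    code: int = 302    # Redirect Code: 301 or 302, used with kind == "url"

    def __post_init__(self) -> None:
        if self.kind == "url":
            if self.code not in (301, 302):
                raise ValueError("Redirect Code must be 301 or 302")
            if len(self.target) > 255 or " " in self.target:
                raise ValueError("Redirect URL: at most 255 characters, no spaces")
        elif self.kind != "server-farm":
            raise ValueError(f"unknown Redirect Type {self.kind!r}")


@dataclass
class ParameterMap:
    ignore_authentication_failure: bool = False
    redirects: dict[str, Redirect] = field(default_factory=dict)  # reason -> redirect

    def __post_init__(self) -> None:
        for reason in self.redirects:
            if reason != "any" and reason not in REASONS:
                raise ValueError(f"unknown Client Certificate Validation value {reason!r}")
        # Table 11-11: 'any' cannot be configured together with authentication-failure ignore.
        if self.ignore_authentication_failure and "any" in self.redirects:
            raise ValueError("redirect 'any' cannot be combined with Ignore Authentication Failure")

    def decide(self, reason: Optional[str]) -> tuple[str, Optional[Redirect]]:
        """Return ("accept" | "redirect" | "reject", redirect-or-None) for one handshake."""
        if reason is None:
            return "accept", None
        # Individual reasons are matched before the 'any' entry (Table 11-11).
        hit = self.redirects.get(reason) or self.redirects.get("any")
        if hit is not None:
            return "redirect", hit
        # Assumption: with no matching redirect, ignore decides between accept and reject.
        if self.ignore_authentication_failure:
            return "accept", None
        return "reject", None


@dataclass
class ClientCertCheck:
    """Constructed stand-in for the checks the ACE performs on a client certificate."""
    present: bool = True
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    issuer_known: bool = True
    signature_ok: bool = True
    crl_state: str = "ok"    # "ok", "not-available", "expired" or "revoked"


def failure_reason(check: ClientCertCheck, now: datetime) -> Optional[str]:
    """First failure a verifier meets, in the (assumed) order of the checks, or None."""
    if not check.present:
        return "no-client-cert"
    if not check.signature_ok:
        return "cert-has-signature-failure"
    if not check.issuer_known:
        return "unknown-issuer"
    if check.not_before is not None and now < check.not_before:
        return "cert-not-yet-valid"
    if check.not_after is not None and now > check.not_after:
        return "cert-expired"
    crl_reasons = {"ok": None, "not-available": "crl-not-available",
                   "expired": "crl-has-expired", "revoked": "cert-revoked"}
    return crl_reasons.get(check.crl_state, "cert-other-error")
```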
Configuring SSL Chain Group Parameters
You can configure certificate chain groups for a virtual context. A chain group specifies the certificate
chains that the ACE sends to its peer during the handshake process. A certificate chain is a hierarchical
list of certificates that includes the ACE’s certificate, the root certificate authority certificate, and any
intermediate certificate authority certificates. Using the information provided in a certificate chain, the
certificate verifier searches for a trusted authority in the certificate hierarchy up to and including the
root certificate authority. If the verifier finds a trusted authority before reaching the root certificate
authority certificate, it stops searching further.
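The chain-group lookup described above, as an added example that is not ANM or ACE code: one function orders a chain group from the ACE certificate up to the root, and another shows where a peer's verifier stops. The certificates are constructed (subject, issuer) stand-ins rather than real X.509 objects, and the sample chain is made up for the example.

```python
"""Model of the chain group search described above. Added example, not ANM or ACE code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer


def order_chain_group(ace_cert: Cert, chain_group: list[Cert]) -> list[Cert]:
    """Arrange the chain group in hierarchical order: ACE certificate, then each
    intermediate CA, up to the root CA. Raises ValueError if a link is missing or
    the group loops, since a peer could not verify such a chain."""
    by_subject = {c.subject: c for c in chain_group}
    chain = [ace_cert]
    while not chain[-1].is_root:
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None:
            raise ValueError(f"chain group lacks certificate for issuer {chain[-1].issuer!r}")
        if issuer in chain:
            raise ValueError("chain group contains a cycle")
        chain.append(issuer)
    return chain


def find_trust_anchor(chain: list[Cert], trusted_subjects: set[str]) -> int:
    """Index in the chain at which a verifier holding `trusted_subjects` stops.

    The search runs from the ACE certificate up to and including the root and
    stops at the first trusted authority, so certificates above that point are
    never examined. Raises ValueError if no authority in the chain is trusted."""
    for depth, cert in enumerate(chain):
        if cert.subject in trusted_subjects:
            return depth
    raise ValueError("no trusted authority in chain")


# Constructed sample chain group: a leaf, one intermediate CA and its root.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA")
LEAF = Cert("www.example.com", "Example Issuing CA")


def examined_by_peer(trusted_subjects: set[str]) -> list[str]:
    """Subjects a peer with the given trust store examines before it stops."""
    chain = order_chain_group(LEAF, [ROOT, INTERMEDIATE, LEAF])
    stop = find_trust_anchor(chain, trusted_subjects)
    return [c.subject for c in chain[: stop + 1]]
```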
Assumption
At least one SSL certificate is available.
Procedure
Step 1 Choose Config > Devices > context > SSL > Chain Group Parameters.
The Chain Group Parameters table appears.
Step 2 In the Chain Group Parameters table, click Add to add a new chain group, or choose an existing chain
group, and click Edit to modify it.
The Chain Group Parameters configuration window appears.
Step 3 In the Name field of the Chain Group Parameters configuration window, enter a unique name for the
chain group.
Valid entries are alphanumeric strings with a maximum of 64 characters.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The updated Chain Group Parameters
window appears along with the Chain Group Certificates table. Continue with Step 5.
• Click Cancel to exit the procedure without saving your entries and to return to the Chain Group
Parameters table.
• Click Next to deploy your entries and to add another entry to the Chain Group Parameters table.
Step 5 In the Chain Group Certificates table, click Add to add an entry.
The Chain Group Certificates configuration window appears.
Note You cannot modify an existing entry in the Chain Group Certificates table. Instead, delete the
entry, then add a new one.
Step 6 In the Certificate Name field, choose the certificate to add to this chain group.
Step 7 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Chain Group
Certificates table.
• Click Next to deploy your entries and to add another certificate to this chain group table.
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Importing SSL Key Pairs, page 11-11
• Generating SSL Key Pairs, page 11-14
• Configuring SSL Parameter Maps, page 11-18
• Configuring SSL CSR Parameters, page 11-24
• Configuring SSL Proxy Service, page 11-27
Configuring SSL CSR Parameters
A certificate signing request (CSR) is a message you send to a certificate authority such as VeriSign and
Thawte to apply for a digital identity certificate. The CSR contains information that identifies the SSL
site, such as location and a serial number, and a public key that you choose. A corresponding private key
is not included in the CSR, but is used to digitally sign the request. The CSR may be accompanied by
other credentials or proofs of identity required by the certificate authority, and the certificate authority
may contact the applicant for more information.
If the request is successful, the certificate authority returns a digitally signed (with the private key of the
certificate authority) identity certificate.
CSR parameters define the distinguished name attributes the ACE applies to the CSR during the
CSR-generating process. These attributes provide the certificate authority with the information it needs
to authenticate your site. Defining a CSR parameter set lets you generate multiple CSRs with the same
distinguished name attributes.
Each context on the ACE can contain up to eight CSR parameter sets.
Use this procedure to define the distinguished name attributes for SSL CSRs.
Procedure
Step 1 Choose the item to configure:
• To configure a virtual context, choose Config > Devices > context > SSL > CSR Parameters.
• To configure a building block, choose Config > Global > building_block > SSL > CSR
Parameters.
The CSR Parameters table appears.
Step 2 In the CSR Parameters table, click Add to add a new set of CSR attributes, or choose an existing entry to
modify and click Edit.
The CSR Parameters configuration window appears.
Step 3 In the CSR Parameters configuration window, enter the information in Table 11-12.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the CSR Parameters
table.
• Click Next to deploy your entries and to define another set of CSR attributes.
Table 11-12 SSL CSR Parameter Attributes
Field Description
Name Unique name for this parameter set. Valid entries are alphanumeric strings with a maximum of 64
characters.
Country Name of the country where the SSL site resides. Valid entries are 2 alphabetic characters
representing the country, such as US for the United States. The International Organization for
Standardization (ISO) maintains the complete list of valid country codes on its Web site
(www.iso.org).
State Name of the state or province where the SSL site resides.
Locality Name of the city where the SSL site resides.
Common Name Name of the domain or host of the SSL site. Valid entries are strings with a maximum of 64
characters. Special characters are allowed.
Serial Number Serial number to assign to the certificate. Valid entries are alphanumeric strings with a maximum
of 16 characters.
Organization Name Name of the organization to include in the certificate. Valid entries are alphanumeric strings with a
maximum of 64 characters.
Email Site email address. Valid entries are text strings, including alphanumeric and special characters (for
example, @ symbol in email address) with a maximum of 40 characters.
Organization Unit Name of the organizational unit to include in the certificate. Valid entries are alphanumeric strings
with a maximum of 64 characters.
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Importing SSL Key Pairs, page 11-11
• Configuring SSL Parameter Maps, page 11-18
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL Proxy Service, page 11-27
Generating CSRs
You can generate an SSL certificate signing request (CSR), which is a message that you send to a
certificate authority such as VeriSign and Thawte to apply for a digital identity certificate. Create a CSR
when you need to apply for a certificate from a certificate authority. When the certificate authority
approves a request, it signs the CSR and returns the authorized digital certificate to you. This certificate
is digitally signed with the private key of the certificate authority. When you receive the authorized
certificate and key pair, you can import them for use (see the “Importing SSL Certificates” section on
page 11-7 and the “Importing SSL Key Pairs” section on page 11-11).
Note You cannot generate a CSR in Building Blocks (Config > Global > All Building Blocks); SSL CSR
generation is available only in virtual context configuration.
Assumption
You have configured SSL CSR parameters (see the “Configuring SSL CSR Parameters” section on
page 11-24).
Procedure
Step 1 Choose Config > Devices > context > SSL > Keys.
The Keys table appears.
Step 2 In the Keys table, choose a key and click Generate CSR.
The Generate a Certificate Signing Request dialog box appears.
Step 3 In the CSR Parameter field of the Generate a Certificate Signing Request dialog box, choose the CSR
parameter to be used.
Step 4 Do one of the following:
• Click OK to generate the CSR. The CSR appears in a popup window; you can now submit it to
a certificate authority for approval. Work with your certificate authority to determine the method of
submission, such as email or a Web-based application. Click Close to close the popup window and
to return to the Keys table.
• Click Cancel to exit this procedure without generating the CSR and to return to the Keys table.
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Importing SSL Key Pairs, page 11-11
• Configuring SSL Parameter Maps, page 11-18
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL Proxy Service, page 11-27
Configuring SSL Proxy Service
You can configure an SSL proxy service that defines the SSL parameter map, key pair, certificate, and
chain group the ACE uses during SSL handshakes. By configuring an SSL proxy server service on the
ACE, the ACE can act as an SSL server.
Assumption
You have configured at least one SSL key pair, certificate, chain group, or parameter map to apply to this
proxy service.
Procedure
Step 1 Choose Config > Devices > context > SSL > Proxy Service.
The Proxy Service table appears.
Step 2 In the Proxy Service table, click Add to add a new proxy service, or choose an existing service and click
Edit to modify it.
The Proxy Service configuration window appears.
Step 3 In the Proxy Service configuration window, enter the information in Table 11-13.
Table 11-13 SSL Proxy Service Attributes
Field Description
Proxy Service Name Unique name for this proxy service. Valid entries are alphanumeric strings with a maximum of 40
to 65 characters, depending on your ACE and hardware version.
Keys Key pair that the ACE is to use during the SSL handshake for data encryption.
Caution When choosing the key pair from the drop-down list, be sure to choose the keys that
correspond to the certificate that you choose.
Note If you use SSL Setup Sequence to create the proxy service, ANM selects the keys that
correspond to the certificate that you choose. If ANM cannot detect a corresponding key
pair, you can select a key pair from the drop-down list and click Verify Key to have ANM
verify that the keys correspond to the selected certificate. ANM displays a message to let
you know that your key pair selection either matches or does not match the selected
certificate. For more information about SSL Setup Sequence, see the “SSL Setup
Sequence” section on page 11-4.
The cisco-sample-key option is available for the ACE module A2(3.0) and later releases only. For
information about this sample key pair, see the “Using SSL Certificates” section on page 11-5.
Certificates Certificate that the ACE is to use during the SSL handshake to prove its identity.
Caution When choosing the certificate from the drop-down list, be sure to choose the certificate
that corresponds to the keys that you choose.
Note If you use SSL Setup Sequence to create the proxy service, ANM selects the keys that
correspond to the certificate that you choose. If ANM cannot detect a corresponding key
pair, you can select a key pair from the drop-down list and click Verify Key to have ANM
verify that the keys correspond to the selected certificate. ANM displays a message to let
you know that your key pair selection either matches or does not match the selected
certificate. For more information about SSL Setup Sequence, see the “SSL Setup
Sequence” section on page 11-4.
The cisco-sample-cert option is available only for the ACE module A2(3.0), ACE appliance
A4(1.0), and later releases of either device type. For information about this sample certificate, see
the “Using SSL Certificates” section on page 11-5.
Chain Groups Chain group that the ACE is to use during the SSL handshake. To create a chain group, see the
“Configuring SSL Chain Group Parameters” section on page 11-23.
Auth Groups Authorization group name that the ACE is to use during the SSL handshake. To create an
authorization group, see the “Configuring SSL Authentication Groups” section on page 11-31.
CRL Best-Effort Field that displays only when Auth Groups is selected. Allows ANM to search client certificates
for the service to determine if it contains a CRL in the extension. ANM then retrieves the value, if
it exists.
CRL Name Field that displays only when Auth Groups is selected. Do one of the following:
• Choose N/A when the CRL name is not applicable.
• Choose the CRL name that the ACE used for authentication.
OCSP Best-Effort Field that displays for ACE module or appliance software Version A5(1.0) or later, and when Auth
Groups is selected. Check the OCSP Best-Effort checkbox to allow the ACE appliance to extract
the OCSP server information from the extension in the certificate itself and obtain the revocation
status of the certificate from that server. If this extension is missing from the certificate and
best-effort OCSP server information is configured with the SSL proxy, the certificate is
considered revoked.
Uncheck the checkbox to display the OCSP Servers field and choose an available OCSP server.
OCSP Servers Field that displays for ACE module or appliance software Version A5(1.0) or later, and when the
OCSP Best-Effort checkbox is unchecked. Choose the available OCSP server.
Parameter Maps SSL parameter map to associate with this SSL proxy server service.
Revocation Check Priority Order Field that displays for ACE module or appliance software Version A5(1.0) or later. Priority setting
for the revocation check. Choose one of the following:
• N/A—Indicates that this field is not applicable.
• CRL-OCSP—The ACE uses the CRLs first to determine the revocation status, and then the
OCSP servers.
• OCSP-CRL—The ACE uses the OCSP servers first to determine the revocation status, and
then the CRLs.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Proxy Service
table.
• Click Next to deploy your entries and to add another proxy service.
• Click Delete to remove this configuration on the ACE.
Note When an authorization group is deleted, the CRL Name object (if it exists) is deleted
automatically.
Related Topics
• Configuring SSL, page 11-1
• Importing SSL Certificates, page 11-7
• Importing SSL Key Pairs, page 11-11
• Configuring SSL Parameter Maps, page 11-18
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring SSL CSR Parameters, page 11-24
Configuring SSL OCSP Service
Note The SSL Online Certificate Status Protocol feature requires ACE module and ACE appliance software
Version A5(1.0) or later.
SSL Online Certificate Status Protocol (OCSP) service defines the host server for certificate revocation
checks using OCSP. The OCSP server, also known as the OCSP responder, maintains or obtains the
information about the certificates issued by different CAs that are revoked and possibly non-revoked,
and provides this information when requested by OCSP clients. OCSP can provide the latest information
about the revocation status of a certificate. Use of OCSP removes the need to download and cache
CRLs, which can be very large and impose large memory requirements on systems.
You can configure a maximum of 64 OCSP server configurations system-wide on the ACE. You can
configure all of these servers in a single or multiple contexts.
Use this procedure to define the attributes that the ACE appliance is to use during SSL handshakes so
that it can act as an SSL server.
Assumption
Configure OCSP on an associated proxy service.
You can configure both OCSP and CRLs for authentication.
Procedure
Step 1 Select Config > Devices > context > SSL > OCSP Service. The OCSP Service table appears.
Step 2 Click Add to add a new OCSP service, or select an existing service, then click Edit to modify it. The
OCSP Service configuration screen appears.
Step 3 In the Name field, enter a unique name for this OCSP service. Valid entries are alphanumeric strings with
a maximum of 64 characters. This name is used when you apply this configuration to an SSL proxy
service.
Step 4 In the URL field, enter an HTTP based URL for the OCSP host name and optional port ID in the form
of http://ocsp_hostname.com:port_id. If you do not specify a port ID, the ACE uses the default value of
2560.
Step 5 Optionally, in the Request Signer’s Certificate field, you can select a filename for the signer certificate
to sign the requests to the server. By default, the request is not signed.
Step 6 Optionally, in the Response Signer’s Certificate field, you can select a filename for the signer certificate
to verify the signature on the server responses. By default, the responses are not verified.
Step 7 Check the Enable Nonce check box to enable the inclusion of the nonce in the requests to the server. By
default, nonce is disabled.
Clear the checkbox to disable the inclusion of the nonce in requests to the server.
Step 8 In the TCP Connection Inactivity Timeout field, enter an integer from 2 to 3600 to specify the TCP
connection inactivity timeout in seconds. The default is 300 seconds.
Step 9 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE appliance.
• Click Cancel to exit this procedure without saving your entries and to return to the OCSP Service
table.
• Click Next to save your entries and to add another proxy service.
Related Topics
• Configuring SSL, page 11-1
• Configuring SSL Proxy Service, page 11-27
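The revocation-check settings of Table 11-13 (Revocation Check Priority Order, OCSP Best-Effort, CRL Name, OCSP Servers) and the OCSP service URL form with its default port, as an added example that is not ANM or ACE code. CRL contents and OCSP responders are in-memory stand-ins; treating a certificate that no configured source can answer for as "unknown", and consulting whichever single source is configured when the priority is N/A, are assumptions of the model.

```python
"""Model of the CRL/OCSP revocation check settings of Table 11-13 and the OCSP
service URL. Added example, not ANM or ACE code."""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

OCSP_DEFAULT_PORT = 2560   # default port when the OCSP service URL names none


def parse_ocsp_url(url: str) -> tuple[str, int]:
    """Split an http://ocsp_hostname.com:port_id URL into (host, port)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("OCSP service URL must be an http:// URL with a host name")
    return parts.hostname, parts.port or OCSP_DEFAULT_PORT


@dataclass(frozen=True)
class ClientCert:
    serial: str
    ocsp_url: Optional[str] = None   # OCSP responder named in the certificate's extension


# A status map stands in for one CRL or one OCSP responder: serial -> "good" or
# "revoked"; an absent serial means that source gives no answer.
StatusMap = dict[str, str]


class RevocationChecker:
    def __init__(self, priority: str, crl: Optional[StatusMap] = None,
                 ocsp_server: Optional[str] = None, ocsp_best_effort: bool = False,
                 responders: Optional[dict[tuple[str, int], StatusMap]] = None) -> None:
        if priority not in ("N/A", "CRL-OCSP", "OCSP-CRL"):
            raise ValueError(f"unknown Revocation Check Priority Order {priority!r}")
        if ocsp_server is not None and ocsp_best_effort:
            raise ValueError("OCSP Servers is only shown when OCSP Best-Effort is unchecked")
        self.priority = priority
        self.crl = crl                       # CRL Name: N/A -> None
        self.ocsp_server = ocsp_server       # OCSP Servers: the chosen OCSP service URL
        self.ocsp_best_effort = ocsp_best_effort
        self.responders = responders or {}   # (host, port) -> status map

    def _crl_check(self, cert: ClientCert) -> Optional[str]:
        return None if self.crl is None else self.crl.get(cert.serial)

    def _ocsp_check(self, cert: ClientCert) -> Optional[str]:
        if self.ocsp_best_effort:
            # Table 11-13: with best effort and no OCSP extension in the certificate,
            # the certificate is considered revoked (the check fails closed).
            if cert.ocsp_url is None:
                return "revoked"
            url = cert.ocsp_url
        elif self.ocsp_server is not None:
            url = self.ocsp_server
        else:
            return None
        responder = self.responders.get(parse_ocsp_url(url))
        return None if responder is None else responder.get(cert.serial)

    def check(self, cert: ClientCert) -> str:
        """Consult CRL and OCSP in priority order; "unknown" if no source answers."""
        sources: list[Callable[[ClientCert], Optional[str]]]
        if self.priority == "OCSP-CRL":
            sources = [self._ocsp_check, self._crl_check]
        else:  # CRL-OCSP, and N/A (assumed: only one of the two is configured)
            sources = [self._crl_check, self._ocsp_check]
        for source in sources:
            status = source(cert)
            if status is not None:
                return status
        return "unknown"
```

A defender wiring this into a policy would treat "unknown" like a failure, since an unanswered check is not evidence that the certificate is still good.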
Enabling Client Authentication
During the flow of a normal SSL handshake, the SSL server sends its certificate to the client. Then the
client verifies the identity of the server through the certificate. However, the client does not send any
identification of its own to the server. When you enable the client authentication feature on the ACE, it
will require that the client send a certificate to the server. Then the server verifies the following
information on the certificate:
• A recognized CA issued the certificate.
• The valid period of the certificate is still in effect.
• The certificate signature is valid and not tampered.
• The CA has not revoked the certificate.
• At least one SSL certificate is available.
Use the following procedures to enable or disable client authentication:
• Configuring SSL Proxy Service, page 11-27
• Configuring SSL Authentication Groups, page 11-31
• Configuring CRLs for Client Authentication, page 11-33
Configuring SSL Authentication Groups
You can specify the certificate authentication groups that the ACE uses during the SSL handshake and
enable client authentication on this SSL-proxy service. The ACE includes the certificates configured in
the group along with the certificate that you specified for the SSL proxy service.
On the ACE, you can implement a group of certificates that are trusted as certificate signers by creating
an authentication group. After creating the authentication group and assigning its certificates, then you
can assign the authentication group to a proxy service in an SSL termination configuration to enable
client authentication. For information on client authentication, see the “Enabling Client Authentication”
section on page 11-31.
For information on server authentication and assigning an authentication group, see the “Configuring
SSL Proxy Service” section on page 11-27.
Note You cannot create an authorization group in Building Blocks (Config > Global > All Building Blocks);
you can only create SSL authentication groups while configuring virtual contexts in specific modules.
Assumptions
• At least one SSL certificate is available.
• Your ACE supports authentication groups. See the Supported Devices Table for Cisco Application
Networking Manager for details.
Procedure
Step 1 Choose Config > Devices > context > SSL > Auth Group Parameters.
The Auth Group Parameters table appears.
Step 2 In the Auth Group Parameters table, click Add to add an authentication group, or choose an existing
authorization group and click Edit to modify it.
The Auth Group Parameters configuration window appears.
Step 3 In the Name field of the Auth Group Parameters configuration window, enter a unique name for the
authorization group.
Valid entries are alphanumeric strings with a maximum of 64 characters.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The updated Auth Group Parameters window
appears along with the Auth Group Certificates table. Continue with Step 5.
• Click Cancel to exit the procedure without saving your entries and to return to the Auth Group
Parameters table.
• Click Next to deploy your entries and to add another entry to the Auth Group Parameters table.
Step 5 In the Auth Group Certificate field, click Add to add an entry.
The Auth Group Certificates configuration window appears.
Note You cannot modify an existing entry in the Auth Group Certificates table. Instead, delete the
entry, then add a new one.
Step 6 In the Certificate Name field, choose the certificate to add to this authentication group.
Step 7 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Auth Group
Parameters table.
• Click Next to deploy your entries and to add another entry to the Auth Group Parameters table.
Step 8 Repeat the previous step to add more certificates to the authentication group, or click Deploy Now.
Step 9 After you configure authentication group parameters, you can configure the SSL proxy service to use a
CRL. See the “Configuring CRLs for Client Authentication” section on page 11-33.
Note When you enable client authentication, a significant performance decrease may occur. Additional
latency may occur when you configure CRL retrieval.
Related Topics
• Configuring SSL Chain Group Parameters, page 11-23
• Configuring CRLs for Client Authentication, page 11-33
Configuring CRLs for Client Authentication
You can configure the ACE to scan for CRLs and retrieve them. By default, ACE does not use certificate
revocation lists (CRLs) during client authentication. You can configure the SSL proxy service to use a
CRL by having the ACE scan each client certificate for the service to determine if it contains a CRL in
the extension and then retrieve the value, if it exists. For more information about SSL termination on the
ACE, see either the Cisco Application Control Engine Module SSL Configuration Guide or the Cisco
ACE 4700 Series Appliance SSL Configuration Guide.
Note The ACE supports the creation of a maximum of eight CRLs for any context.
Note When you enable client authentication, a significant performance decrease may occur. Additional
latency may occur when you configure CRL retrieval.
Assumption
A CRL cannot be configured on an SSL proxy without first configuring an authentication group.
Procedure
Step 1 Choose Config > Devices > context > SSL > Certificate Revocation Lists (CRLs).
The Certificate Revocation Lists (CRLs) table appears.
Step 2 In the Certificate Revocation Lists (CRLs) table, click Add to add a CRL, or choose an existing CRL
and click Edit to modify it.
The Certificate Revocation Lists (CRLs) window appears.
Step 3 In the Certificate Revocation Lists (CRLs) window, enter the information in Table 11-14.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The updated Certificate Revocation Lists
(CRLs) table appears.
• Click Cancel to exit the procedure without saving your entries and to return to the Certificate
Revocation Lists (CRLs) table.
• Click Next to deploy your entries and to add another entry to the Certificate Revocation Lists
(CRLs) table.
Table 11-14 SSL Certificate Revocation List
Field Description
Name CRL name. Valid entries are unquoted alphanumeric strings with a maximum of 64 characters.
URL URL where the ACE retrieves the CRL. Valid entries are unquoted alphanumeric strings with a maximum
of 255 characters. Only HTTP URLs are supported. ACE checks the URL and displays an error if it does
not match.
Related Topics
• Configuring SSL Proxy Service, page 11-27
• Configuring SSL Authentication Groups, page 11-31
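The two procedures above describe what the ACE does with a client certificate at the SSL proxy: check that it was issued by a signer in the authentication group, and, if CRL checking is enabled, look in the certificate's extensions for a CRL location and validate the configured URL (Table 11-14: HTTP only, at most 255 characters, at most eight CRLs per context). The following Go program is an added example written for this guide, not Cisco ANM or ACE code; it builds a constructed example CA and client certificate in memory so it runs offline, and the host name crl.example.test and the name rules (alphanumeric plus the underscore, hyphen, dot and asterisk that the ANM object-naming note allows) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// maxCRLsPerContext is the limit the guide states for one ACE context.
const maxCRLsPerContext = 8

// newCert creates a key pair and a certificate from tmpl. With parent == nil the
// certificate is self-signed, which is how the constructed example CA is made.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a trusted signer, i.e. one member of an authentication group.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// clientTemplate describes a client certificate carrying CRL distribution points (constructed).
func clientTemplate(cn string, crlURLs []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		CRLDistributionPoints: crlURLs,
	}
}

// VerifyAgainstAuthGroup checks that the client certificate chains to a signer in
// the authentication group (the cert pool) and is permitted for client authentication.
func VerifyAgainstAuthGroup(authGroup *x509.CertPool, client *x509.Certificate) error {
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     authGroup,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// CRLURLs returns the CRL distribution point URLs found in the certificate's extensions.
func CRLURLs(cert *x509.Certificate) []string {
	return append([]string(nil), cert.CRLDistributionPoints...)
}

// ValidateCRLEntry applies the Table 11-14 rules: a name of 1 to 64 characters and
// an HTTP URL of at most 255 characters. Any other scheme is rejected.
func ValidateCRLEntry(name, rawURL string) error {
	if name == "" || len(name) > 64 {
		return fmt.Errorf("CRL name %q must be 1 to 64 characters", name)
	}
	for _, r := range name {
		alnum := (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		if !alnum && r != '_' && r != '-' && r != '.' && r != '*' {
			return fmt.Errorf("CRL name %q contains unsupported character %q", name, r)
		}
	}
	if len(rawURL) > 255 {
		return fmt.Errorf("CRL URL exceeds 255 characters")
	}
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "http" || u.Host == "" {
		return fmt.Errorf("CRL URL %q is not a supported HTTP URL", rawURL)
	}
	return nil
}

// CRLTable models the per-context CRL list with the eight-entry limit.
type CRLTable struct{ entries map[string]string }

// Add validates the entry and refuses a ninth distinct CRL name in the context.
func (t *CRLTable) Add(name, rawURL string) error {
	if err := ValidateCRLEntry(name, rawURL); err != nil {
		return err
	}
	if t.entries == nil {
		t.entries = make(map[string]string)
	}
	if _, exists := t.entries[name]; !exists && len(t.entries) >= maxCRLsPerContext {
		return fmt.Errorf("context already has %d CRLs", maxCRLsPerContext)
	}
	t.entries[name] = rawURL
	return nil
}

func main() {
	ca, caKey := newCert(caTemplate("Constructed Example CA"), nil, nil)
	authGroup := x509.NewCertPool()
	authGroup.AddCert(ca)
	client, _ := newCert(clientTemplate("client-01", []string{"http://crl.example.test/ace.crl"}), ca, caKey)
	fmt.Println("client authentication error:", VerifyAgainstAuthGroup(authGroup, client))
	for _, u := range CRLURLs(client) {
		fmt.Println("CRL URL", u, "validation error:", ValidateCRLEntry("ace-crl", u))
	}
}
```

The cert pool plays the role of the authentication group: a client certificate issued by a CA that is not in the pool fails verification exactly as a client whose signer is not in the ACE authentication group would. Note that a CRL distribution point with an LDAP URL is still reported by CRLURLs but rejected by ValidateCRLEntry, matching the HTTP-only rule in Table 11-14.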
CHAPTER 12
Configuring Network Access
Date: 3/28/12
This chapter describes how to configure network access using Cisco Application Networking Manager
(ANM).
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Information About VLANs, page 12-2
• Configuring VLANs Using Cisco IOS Software (ACE Module), page 12-3
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces, page 12-19
• Configuring VLAN Interface NAT Pools, page 12-26
• Configuring Virtual Context Static Routes, page 12-28
• Configuring Global IP DHCP, page 12-29
• Configuring Static VLANs for Over 8000 Static NAT Configurations, page 12-31
• Configuring Gigabit Ethernet Interfaces on the ACE Appliance, page 12-32
• Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35
Information About VLANs
This section provides an overview of how the ACE module and appliance use VLANs.
This section includes the following topics:
• ACE Module VLANs, page 12-2
• ACE Appliance VLANs, page 12-2
ACE Module VLANs
The ACE module does not include any external physical interfaces to receive traffic from clients and
servers. Instead, it uses internal VLAN interfaces. You assign VLANs from the supervisor engine to the
ACE. After the VLANs are assigned to the ACE, you can configure the corresponding VLAN interfaces
on the ACE as either routed or bridged for use. When you configure an IP address on an interface, the
ACE automatically makes it a routed mode interface.
Similarly, when you configure a bridge group on an interface VLAN, the ACE automatically makes it a
bridged interface. Then, you associate a bridge-group virtual interface (BVI) with the bridge group. For
more information on bridged groups and BVIs, see the “Configuring Virtual Context BVI Interfaces”
section on page 12-19.
The ACE also supports shared VLANs, which are multiple interfaces in different contexts on the same
VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no routing
across contexts even when shared VLANs are configured.
Related Topics
• Configuring VLANs Using Cisco IOS Software (ACE Module), page 12-3
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces, page 12-19
• Configuring Virtual Context Static Routes, page 12-28
• Configuring Global IP DHCP, page 12-29
ACE Appliance VLANs
The ACE appliance has four physical Ethernet interface ports. All VLANs are allocated to the physical
ports. After the VLANs are assigned, you can configure the corresponding VLAN interfaces as either
routed or bridged for use. When you configure an IP address on an interface, the ACE appliance
automatically makes it a routed mode interface.
Similarly, when you configure a bridge group on an interface VLAN, the ACE appliance automatically
makes it a bridged interface. Then, you associate a BVI with the bridge group.
The ACE appliance also supports shared VLANs, which are multiple interfaces in different contexts on
the same VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no
routing across contexts even when shared VLANs are configured.
In routed mode, the ACE is considered a router hop in the network. In the Admin or user contexts, the
ACE supports static routes only. The ACE supports up to eight equal cost routes for load balancing.
Related Topics
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces, page 12-19
• Configuring Gigabit Ethernet Interfaces on the ACE Appliance, page 12-32
• Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35
Configuring VLANs Using Cisco IOS Software (ACE Module)
To allow the ACE module to receive traffic from the supervisor engine in the Catalyst 6500 series switch
or Cisco 7600 series router, you must create VLAN groups on the supervisor engine and then assign the
groups to the ACE module. After the VLAN groups are assigned to the ACE module, you can configure
the VLAN interfaces on the ACE module. By default, all VLANs are allocated to the Admin context on
the ACE module.
This section includes the following topics:
• Creating VLAN Groups Using Cisco IOS Software
• Assigning VLAN Groups to the ACE Module Through Cisco IOS Software
• Adding Switched Virtual Interfaces to the MSFC
Creating VLAN Groups Using Cisco IOS Software
In Cisco IOS software, you can create one or more VLAN groups and then assign the groups to the ACE
module. For example, you can assign all the VLANs to one group, create an inside group and an outside
group, or create a group for each customer.
You cannot assign the same VLAN to multiple groups; however, you can assign up to a maximum of 16
groups to an ACE. VLANs that you want to assign to multiple ACEs, for example, can reside in a
separate group from VLANs that are unique to each ACE.
To assign VLANs to a group using Cisco IOS software on the supervisor engine, use the svclc
vlan-group command. The syntax of this command is as follows:
svclc vlan-group group_number vlan_range
The arguments are as follows:
• group_number—Number of the VLAN group.
• vlan_range—One or more VLANs (2 to 1000 and 1025 to 4094) identified in one of the following
ways:
– A single number (n)
– A range (n-x)
Separate numbers or ranges by commas, as shown in this example:
5,7-10,13,45-100
For example, to create three VLAN groups, 50 with a VLAN range of 55 to 57, 51 with a VLAN range
of 75 to 86, and 52 with VLAN 100, enter:
Router(config)# svclc vlan-group 50 55-57
Router(config)# svclc vlan-group 51 70-86
Router(config)# svclc vlan-group 52 100
Related Topics
• Assigning VLAN Groups to the ACE Module Through Cisco IOS Software, page 12-4
• Adding Switched Virtual Interfaces to the MSFC, page 12-5
Assigning VLAN Groups to the ACE Module Through Cisco IOS Software
The ACE module cannot receive traffic from the supervisor engine unless you assign VLAN groups to
it. To assign the VLAN groups to the ACE module using Cisco IOS software on the supervisor engine,
use the svc module command in configuration mode. The syntax of this command is as follows:
svc module slot_number vlan-group group_number_range
The arguments are as follows:
• slot_number—Slot number where the ACE module resides. To display slot numbers and the devices
in the chassis, use the show module command in Exec mode. The ACE module appears as the
Application Control Engine Module in the Card Type field.
• group_number_range—One or more group numbers that are identified in one of the following ways:
– A single number (n)
– A range (n-x)
Separate numbers or ranges by commas, as shown in this example:
5,7-10
For example, to assign VLAN groups 50 and 52 to the ACE module in slot 5, and VLAN groups 51 and
52 to the ACE module in slot 8, enter the following commands:
Router(config)# svc module 5 vlan-group 50,52
Router(config)# svc module 8 vlan-group 51,52
To view the group configuration for the ACE module and the associated VLANs, use the show svclc
vlan-group command. For example, enter the following commands:
Router(config)# exit
Router# show svclc vlan-group
To view VLAN group numbers for all devices, use the show svc module command. For example, enter
the following command:
Router# show svc module
Note Enter the show vlans command in Exec mode from the Admin context to display the ACE module
VLANs that are downloaded from the supervisor engine.
Related Topics
• Creating VLAN Groups Using Cisco IOS Software, page 12-3
• Adding Switched Virtual Interfaces to the MSFC, page 12-5
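The two sections above define the range syntax shared by svclc vlan-group and svc module, and the rules the supervisor enforces around it: VLANs 2 to 1000 and 1025 to 4094 only, no VLAN in more than one group, and at most 16 groups per ACE. The Go program below is an added example written for this guide, not Cisco IOS or ANM code; it models that bookkeeping so the constraints can be checked before the commands are typed on the supervisor. The type and function names are the example's own, and the three-group configuration it replays is the one from the text.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// maxGroupsPerACE is the limit the guide states for VLAN groups assigned to one ACE module.
const maxGroupsPerACE = 16

// parseRangeList expands the "5,7-10,13,45-100" syntax used by both svclc vlan-group
// and svc module into individual numbers.
func parseRangeList(s string) ([]int, error) {
	var out []int
	for _, part := range strings.Split(s, ",") {
		part = strings.TrimSpace(part)
		lo, hi := part, part
		if i := strings.IndexByte(part, '-'); i >= 0 {
			lo, hi = part[:i], part[i+1:]
		}
		a, errA := strconv.Atoi(lo)
		b, errB := strconv.Atoi(hi)
		if errA != nil || errB != nil || a > b {
			return nil, fmt.Errorf("invalid range element %q", part)
		}
		for n := a; n <= b; n++ {
			out = append(out, n)
		}
	}
	return out, nil
}

// validVLAN reports whether n is in the assignable VLAN space (2 to 1000 and 1025 to 4094).
func validVLAN(n int) bool {
	return (n >= 2 && n <= 1000) || (n >= 1025 && n <= 4094)
}

// Supervisor models the VLAN-group state kept on the supervisor engine (example only).
type Supervisor struct {
	groups  map[int][]int        // group number -> VLANs in the group
	owner   map[int]int          // VLAN -> group that already contains it
	modules map[int]map[int]bool // slot -> set of assigned group numbers
}

func NewSupervisor() *Supervisor {
	return &Supervisor{groups: map[int][]int{}, owner: map[int]int{}, modules: map[int]map[int]bool{}}
}

// VLANGroup applies "svclc vlan-group <group_number> <vlan_range>". All VLANs are
// validated before any are recorded, so a rejected command changes nothing.
func (s *Supervisor) VLANGroup(group int, vlanRange string) error {
	vlans, err := parseRangeList(vlanRange)
	if err != nil {
		return err
	}
	for _, v := range vlans {
		if !validVLAN(v) {
			return fmt.Errorf("VLAN %d is outside 2-1000 and 1025-4094", v)
		}
		if g, taken := s.owner[v]; taken && g != group {
			return fmt.Errorf("VLAN %d already belongs to group %d", v, g)
		}
	}
	for _, v := range vlans {
		if _, taken := s.owner[v]; !taken {
			s.owner[v] = group
			s.groups[group] = append(s.groups[group], v)
		}
	}
	return nil
}

// SVCModule applies "svc module <slot_number> vlan-group <group_number_range>".
// Groups accumulate per slot; a group may be assigned to several modules.
func (s *Supervisor) SVCModule(slot int, groupRange string) error {
	groups, err := parseRangeList(groupRange)
	if err != nil {
		return err
	}
	assigned := map[int]bool{}
	for g := range s.modules[slot] {
		assigned[g] = true
	}
	for _, g := range groups {
		if _, ok := s.groups[g]; !ok {
			return fmt.Errorf("VLAN group %d does not exist", g)
		}
		assigned[g] = true
	}
	if len(assigned) > maxGroupsPerACE {
		return fmt.Errorf("slot %d would have %d groups; the limit is %d", slot, len(assigned), maxGroupsPerACE)
	}
	s.modules[slot] = assigned
	return nil
}

// ModuleVLANs returns, sorted, the VLANs the ACE in slot receives from the supervisor.
func (s *Supervisor) ModuleVLANs(slot int) []int {
	var out []int
	for g := range s.modules[slot] {
		out = append(out, s.groups[g]...)
	}
	sort.Ints(out)
	return out
}

func main() {
	s := NewSupervisor()
	fmt.Println(s.VLANGroup(50, "55-57"), s.VLANGroup(51, "70-86"), s.VLANGroup(52, "100"))
	fmt.Println(s.SVCModule(5, "50,52"), s.SVCModule(8, "51,52"))
	fmt.Println("slot 5 VLANs:", s.ModuleVLANs(5), "slot 8 VLANs:", s.ModuleVLANs(8))
	fmt.Println("reuse of VLAN 56:", s.VLANGroup(60, "56"))
}
```

ModuleVLANs corresponds to what show svclc vlan-group lists for a module; comparing it with the ACE's own show vlans output is a quick way to confirm that every VLAN the context needs was actually downloaded from the supervisor.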
Adding Switched Virtual Interfaces to the MSFC
A VLAN defined on the Multilayer Switch Feature Card (MSFC) is called a switched virtual interface
(SVI). If you assign the VLAN used for the SVI to the ACE module, then the MSFC routes between the
ACE module and other Layer 3 VLANs. By default, only one SVI can exist between the MSFC and the
ACE. However, for multiple contexts, you may configure multiple SVIs for unique VLANs on each
context.
Procedure:
Step 1 (Optional) If you need to add more than one SVI to the ACE module, enter the following command:
Router(config)# svclc multiple-vlan-interfaces
Step 2 Add a VLAN interface to the MSFC. For example, to add VLAN 55, enter the following command:
Router(config)# interface vlan 55
Step 3 Set the IP address for this interface on the MSFC. For example, to set the address 10.1.1.1 255.255.255.0,
enter the following command:
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Step 4 Enable the interface. For example, enter the following command:
Router(config-if)# no shut
Note To monitor any VLAN that is associated with more than two trunk ports, physical ports, or
trunk-physical ports on the supervisor engine, enable the autostate feature by using the svclc autostate
command. When you associate a VLAN to these ports, autostate declares that the VLAN is up. When a
VLAN state change occurs on the supervisor engine, autostate sends a notification to the ACE module
to bring the interface up or down.
To view this SVI configuration, use the show interface vlan command. For example, enter the following
command:
Router# show int vlan 55
Related Topics
• Creating VLAN Groups Using Cisco IOS Software, page 12-3
• Assigning VLAN Groups to the ACE Module Through Cisco IOS Software, page 12-4
Configuring Virtual Context VLAN Interfaces
You can configure VLAN interfaces for virtual contexts on the ACE.
Note The options that appear when you choose Config > Devices > context depend on the device associated
with the virtual context and the role associated with your account.
Assumptions
This topic assumes the following:
• A Layer 3/Layer 4 or Management policy map has been configured for this virtual context. For more
information, see the “Configuring Traffic Policies” section on page 14-1.
• An access control list has been configured for this virtual context. Entering an ACL name does not
configure the ACL; you must configure the ACL on the ACE appliance. For more information, see
the “Configuring Security with ACLs” section on page 6-78.
Procedure
Step 1 Choose Config > Devices > context > Network > VLAN Interfaces.
The VLAN Interface table appears.
Step 2 In the VLAN Interface table, click Poll Now to instruct ANM to poll the devices and display the current
values, and click OK when prompted to confirm that you want to poll the devices for data now.
Step 3 Click Add to add a new VLAN interface, or choose an existing VLAN interface and click Edit to modify
it.
Note If you click Edit, not all of the fields can be modified.
Step 4 Enter the VLAN interface attributes (see Table 12-1). Click More Settings to access the additional
VLAN interface attributes.
By default, ANM hides the default VLAN interface attributes and the VLAN interface attributes that are
not commonly used.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Note If you create a fault-tolerant VLAN, do not use it for any other network traffic.
Table 12-1 VLAN Interface Attributes
Field Description
VLAN VLAN identifier. Either accept the automatically incremented entry or enter a different value.
Valid entries are from 2 to 4094.
Description Brief description for this interface.
Interface Type Role of the virtual context in the network topology of the VLAN interface:
• Routed—In a routed topology, the ACE virtual context acts as a router between the
client-side network and the server-side network. In this topology, every real server for the
application must be routed through the ACE virtual context, either by setting the default
gateway on each real server to the virtual context's server-side VLAN interface address, or by
using a separate router with appropriate routes configured between the ACE virtual context
and the real servers.
Note A routed VLAN interface can support both IPv4 and IPv6 addresses at the same time.
IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
• Bridged—In a bridged topology, the ACE virtual context bridges two VLANs, a client-side
VLAN and a real-server VLAN, on the same subnet using a bridged virtual interface (BVI).
In this case, the real server routing does not change to accommodate the ACE virtual context.
Instead, the ACE virtual context becomes a “bump in the wire” that transparently handles
traffic to and from the real servers.
• Unknown—Choose Unknown if you are unsure of the network topology of the VLAN
interface.
IP Address Field that appears for the Routed Interface Type. Enter the IPv4 address assigned to this interface.
This address must be a unique IP address that is not used in another context. Duplicate IP
addresses in different contexts are not supported.
If this interface is only used for IPv6 traffic, entering an IPv4 address is optional. IPv6 requires
ACE module and ACE appliance software Version A5(1.0) or later.
Alias IP Address Field that appears for the Routed interface type. Enter the IPv4 address of the alias that this
interface is associated with.
Peer IP Address Field that appears for the Routed interface type. Enter the IPv4 address of the remote peer.
Netmask Field that appears for the Routed interface type. Choose the subnet mask to be used.
BVI Field that appears for the Bridged interface type. Enter the number of the bridge group to be
configured on this VLAN. When you configure a bridge group on a VLAN, the ACE
automatically makes it bridged. Valid entries are from 1 to 4094.
Admin Status Administrative state of the interface. Specify whether you want the interface to be Up or Down.
Enable MAC Sticky Check box that instructs the ACE to convert dynamic MAC addresses to sticky secure MAC
addresses and to add this information to the running configuration.
Uncheck the check box to indicate that the ACE is not to convert dynamic MAC addresses to
sticky secure MAC addresses.
Enable Normalization Check box that specifies that normalization is to be enabled on this interface. Uncheck the check
box to indicate that normalization is to be disabled on this interface for IPv4, IPv6, or both. The
IPv6 option requires ACE module and ACE appliance software Version A5(1.0) or later.
Caution Disabling normalization may expose your ACE and network to potential security risks.
Normalization protects your networking environment from attackers by enforcing
strict security policies that are designed to examine traffic for malformed or malicious
segments.
Enable IPv6 Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later,
and for the Routed interface type. Check the check box to enable IPv6 on this interface. By
default, IPv6 is disabled. The interface cannot be in bridged mode. When you enable IPv6, the
ACE automatically does the following:
• Configures a link-local address (if not previously configured)
• Performs duplicate address detection (DAD)
Clear the check box to indicate that IPv6 is disabled on this interface.
IPv6 Global Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later,
and for the Routed interface type. A global address is an IPv6 unicast address that is used for
general IPv6 communication. Each global address is unique across the entire Internet. Therefore,
its scope is global. The low order 64 bits can be assigned in several ways, including
autoconfiguration using the EUI-64 format. You can configure only one globally unique IPv6
address on an interface.
When you configure a global IPv6 address on an interface, the ACE automatically does the
following:
• Configures a link-local address (if not previously configured)
• Performs duplicate address detection (DAD) on both addresses
IPv6 Address To configure an IPv6 global address on an interface, enter a complete IPv6 address with a prefix
of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0.
Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the
IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64,
the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros.
Alias IPv6 Address When you configure redundancy with active and standby ACEs, you can configure a VLAN
interface that has an alias global IPv6 address that is shared between the active and standby
ACEs. The alias IPv6 address serves as a shared gateway for the two ACEs in a redundant
configuration. You can configure only one alias global IPv6 address on an interface.
To configure an IPv6 alias global address, enter a complete IPv6 address with a prefix of 2000::/3
to 3fff::/3. For example, enter 2001:DB8:1::0.
Note You must configure redundancy (fault tolerance) on the ACE for the alias global IPv6
address to work.
Peer IPv6 Address To configure an IPv6 peer global address, enter a complete IPv6 address with a prefix of 2000::/3
to 3fff::/3. For example, enter 2001:DB8:1::0.
Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the
IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64,
the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros.
Note The IPv6 peer global address must be unique across multiple contexts on a shared VLAN.
Prefix Length Enter the prefix length for all global addresses to specify how many of the most significant bits
(MSBs) are used for the network identifier. Enter an integer from 3 to 127. If you use the optional
EUI-64 check box for the global and peer addresses, the prefix must be less than or equal to 64.
IPv6 Unique-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later,
and for the Routed interface type. A unique local address is an optional IPv6 unicast address that
is used for local communication within an organization and it is similar to a private IPv4 address
(for example, 10.10.2.1). Unique local addresses have a global scope, but they are not routable
on the internet, and they are assigned by a central authority. All unique local addresses have a
predefined prefix of FC00::/7. You can configure only one IPv6 unique local address on an
interface.
IPv6 Address To configure a unique local address, enter a complete IPv6 address with an FC00::/7 prefix in the
first field. In the second field after the /, enter the prefix length to specify how many of the most
significant bits (MSBs) are used for the network identifier.
Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the
IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64,
the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros.
Peer IPv6 Address In a redundant configuration, you can configure an IPv6 peer unique local address on the active
that is synchronized to the standby ACE. You can configure only one peer unique local IPv6
address on an interface.
To configure a peer unique local address, enter a complete IPv6 address with an FC00::/7 prefix
in the first field. In the second field after the /, enter the prefix length to specify how many of the
most significant bits (MSBs) are used for the network identifier.
Note The IPv6 peer unique local address must be unique across multiple contexts on a shared
VLAN.
Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the
IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64,
the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros.
Prefix Length Enter the prefix length for all unique-local addresses to specify how many of the most significant
bits (MSBs) are used for the network identifier. Enter an integer from 7 to 127. If you use the
optional EUI-64 check box for the global and peer addresses, the prefix must be less than or equal
to 64.
IPv6 Link-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later,
and for the Routed interface type. By default, when you enable IPv6 or configure a global IPv6
address on an interface, the ACE automatically creates a link local address for it. Every link local
address must have a predefined prefix of FE80::/10. You can configure only one IPv6 link local
address on an interface. This address always has the prefix of 64.
To manually configure the link local address, enter a complete IPv6 address with an FE80::/10
prefix in this field. For example, enter FE80:DB8:1::1.
IPv6 Peer Link-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later,
and for the Routed interface type. In a redundant configuration, you can configure an IPv6 peer
link local address for the standby ACE. You can configure only one peer link local address on an
interface.
To configure the peer link local address, enter a complete IPv6 address with an FE80::/10 prefix
in this field.
Note The IPv6 peer link local address must be unique across multiple contexts on a shared
VLAN.
More Settings
Enable ICMP Guard For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not
include the IP version number check boxes and is for enabling the IPv4 version only. Check the
IPv4, IPv6, or both check boxes to indicate that ICMP Guard is to be enabled on the ACE.
Clear the check boxes to indicate that ICMP Guard is not to be enabled on ACE.
Caution Disabling ICMP security checks may expose your ACE and network to potential
security risks. When you disable ICMP Guard, the ACE appliance no longer performs
NAT translations on the ICMP header and payload in error packets, which can
potentially reveal real host IP addresses to attackers.
Enable DHCP Relay For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not
include the IP version number check boxes and is for enabling the IPv4 version only. Check the
IPv4, IPv6, or both check boxes to indicate that the ACE is to accept DHCP requests from clients
on this interface and to enable the DHCP relay agent. For IPv6, link local address for the
Clear the check boxes to indicate that the ACE is not to accept DHCP requests or enable the
DHCP relay agent.
Reverse Path Forwarding (RPF) For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not
include the IP version number check boxes and is for enabling the IPv4 version only. Check the
IPv4, IPv6, or both check boxes to indicate that the ACE is to discard IP packets if no reverse
route is found or if the route does not match the interface on which the packets arrived.
Clear the check boxes to indicate that the ACE is not to filter or discard packets based on the
ability to verify the source IP address.
Reassembly Timeout (Seconds) Enter the number of seconds that the ACE appliance is to wait before it abandons the fragment
reassembly process if it doesn’t receive any outstanding fragments for the current fragment chain
(that is, fragments belonging to the same packet).
• For IPv4, valid entries are 1 to 30 seconds. The default is 5.
• For IPv6, valid entries are 1 to 60 seconds. The default is 60. IPv6 requires ACE module and
ACE appliance software Version A5(1.0) or later.
Max. Fragment Chains Allowed Enter the maximum number of fragments belonging to the same packet that the ACE appliance
is to accept for reassembly. For IPv4 and IPv6, valid entries are integers from 1 to 256. The
default is 24.
Min. Fragment MTU Value Enter the minimum fragment size that the ACE appliance accepts for reassembly for a VLAN
interface.
• For IPv4, valid entries are 28 to 9216 bytes. The default is 576.
• For IPv6, valid entries are 56 to 9216 bytes. The default is 1280. IPv6 requires ACE module
and ACE appliance software Version A5(1.0) or later.
Action For IP Header Options For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not
include the IP version number and is for IPv4 only. Choose the IPv4, IPv6, or both action the
ACE appliance is to take when an IP option is set in a packet:
• Allow—Indicates that the ACE appliance is to allow the IP packet with the IP options set.
• Clear—Indicates that the ACE appliance is to clear all IP options from the packet and to
allow the packet.
• Clear-Invalid—Indicates that the ACE appliance is to clear the invalid IP options from the
packet and then allow the packet. This action is the default for IPv4.
• Drop—Indicates that the ACE appliance is to discard the packet regardless of any options
that are set. This action is the default for IPv6.
Enable MAC Address Autogenerate Check the check box to enable the MAC address autogenerate option, which assigns a different, automatically generated MAC address to the VLAN interface.
Min. TTL IP Header Value Minimum TTL (remaining hop count) that the ACE accepts in the IP header of an incoming packet; a packet whose TTL is below this value is dropped. Valid entries are from 1 to 255. This field applies to IPv4 and IPv6 traffic. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
Each router along the path decrements the TTL by one. If the packet TTL reaches zero before the
packet reaches its destination, the packet is discarded.
MTU Value Maximum transmission unit (MTU) of the interface, in bytes. Valid entries are from 68 to 9216. The default is 1500.
Enable Syn Cookie Threshold Value Field that is applicable for ACE module software Version A2(1.0) and later, and ACE appliance software Version A3(1.0) and later. Embryonic (half-open) connection threshold above which the ACE applies SYN-cookie DoS protection.
Valid entries are as follows:
• 2 to 65535 for ACE module software versions earlier than A4(1.0).
• 1 to 65535 for ACE module software Version A4(1.0) and later, and ACE appliance software
Version A3(1.0) and later.
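SYN-cookie protection lets a device stop allocating state for each half-open connection once a SYN flood is under way: the server's initial sequence number is computed from a secret and the connection 4-tuple, so the handshake can be completed later without having remembered the SYN. The Python model below is an added example and is not ANM or ACE code; the ACE's real cookie layout is not described on this page, so the 32-bit encoding (5-bit time slot, 2-bit MSS index, 24-bit keyed hash), the 64-second slot, the MSS table and the constructed SYN flood are assumptions chosen only to show how the embryonic-connection threshold switches the behaviour.

```python
"""SYN cookies triggered by an embryonic-connection threshold.

Added illustration, not ANM or ACE code: the ACE's actual cookie layout is not
documented on this page, so the 32-bit ISN encoding below (5-bit time slot,
2-bit MSS index, 24-bit keyed hash) is an assumption chosen to show the idea.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MSS_TABLE = [536, 1220, 1440, 1460]      # MSS values encodable in the 2-bit field (assumed)
FourTuple = Tuple[str, int, str, int]    # (client IP, client port, server IP, server port)


@dataclass
class SynCookieProtector:
    threshold: int                        # Enable Syn Cookie Threshold Value
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    slot_seconds: int = 64                # cookies stay valid for the current and previous slot
    embryonic: Dict[FourTuple, int] = field(default_factory=dict)   # half-open connections kept in state

    def _slot(self, now: float) -> int:
        return int(now) // self.slot_seconds

    def _hash(self, ft: FourTuple, slot: int, client_isn: int) -> int:
        msg = f"{ft}|{slot}|{client_isn}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def make_cookie(self, ft: FourTuple, client_isn: int, mss: int, now: float) -> int:
        """Server ISN that encodes everything needed to rebuild the connection later."""
        slot = self._slot(now)
        mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
        return ((slot & 0x1F) << 27) | (mss_idx << 25) | self._hash(ft, slot, client_isn)

    def check_cookie(self, ft: FourTuple, client_isn: int, ack: int, now: float) -> Optional[int]:
        """Validate the final ACK of the handshake; return the negotiated MSS or None."""
        cookie = (ack - 1) & 0xFFFFFFFF
        slot_bits, mss_idx, h = cookie >> 27, (cookie >> 25) & 3, cookie & 0xFFFFFF
        for slot in (self._slot(now), self._slot(now) - 1):
            if (slot & 0x1F) == slot_bits and self._hash(ft, slot, client_isn) == h:
                return MSS_TABLE[mss_idx]
        return None

    def on_syn(self, ft: FourTuple, client_isn: int, mss: int, now: float) -> Tuple[str, int]:
        """Below the threshold keep state per SYN; above it answer with a stateless cookie."""
        if len(self.embryonic) > self.threshold:
            return "cookie", self.make_cookie(ft, client_isn, mss, now)
        isn = int.from_bytes(os.urandom(4), "big")
        self.embryonic[ft] = isn
        return "stateful", isn


def demo():
    p = SynCookieProtector(threshold=2, secret=b"demo-secret-not-for-production")
    now = 1_700_000_000.0
    # constructed SYN flood: four SYNs from distinct source ports, none completing a handshake
    modes = [p.on_syn(("198.51.100.7", 40000 + i, "192.0.2.10", 443), 1000 + i, 1460, now)[0]
             for i in range(4)]
    ft = ("198.51.100.7", 40010, "192.0.2.10", 443)
    mode, isn = p.on_syn(ft, 5555, 1460, now)
    good = p.check_cookie(ft, 5555, (isn + 1) & 0xFFFFFFFF, now + 10)        # genuine ACK
    forged = p.check_cookie(ft, 5555, (isn + 2) & 0xFFFFFFFF, now + 10)      # wrong ACK number
    stale = p.check_cookie(ft, 5555, (isn + 1) & 0xFFFFFFFF, now + 3 * 64)   # replayed too late
    return modes, mode, good, forged, stale
```

The trade-off the threshold expresses is visible in the model: below it every SYN consumes an entry in the embryonic table, above it nothing is stored and the only things recoverable from the ACK are what fit in 32 bits (here a coarse MSS), which is why the setting is a threshold rather than an always-on switch.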
Action For DF Bit Action that the ACE takes when a packet has its DF (Don’t Fragment) bit set in the IP header.
Choose one of the following settings:
• Allow—The ACE permits the packet with the DF bit set. If the packet is larger than the
next-hop MTU, ACE discards the packet and sends an ICMP unreachable message to the
source host. This is the default.
• Clear—The ACE clears the DF bit and permits the packet. If the packet is larger than the
next-hop MTU, the ACE fragments the packet.
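The IP-options action, the minimum TTL and the DF-bit action are all decisions taken on the IPv4 header before the packet reaches the load-balancing logic. The following Python example is added here and is not ANM or ACE code; it parses a constructed IPv4 header and applies the Allow, Clear, Clear-Invalid and Drop option actions, the minimum-TTL check and the Allow and Clear DF-bit actions from this table. Which option types count as "valid" (here: Record Route, Timestamp, Security, the two Source Route options and Router Alert) and the technique of clearing an option by overwriting it with NOP bytes so the header length stays unchanged are assumptions of this model, not documented ACE behaviour.

```python
"""IPv4 header policy: IP options action, minimum TTL, DF-bit action.

Added illustration, not ANM or ACE code. "Valid" option types and the
NOP-overwrite way of clearing options are assumptions of this model.
"""
import struct

# Option types this model treats as valid (RFC 791 / RFC 2113 codes): Record Route,
# Timestamp, Security, Loose Source Route, Strict Source Route, Router Alert.
KNOWN_OPTIONS = {7, 68, 130, 131, 137, 148}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def parse_options(opts: bytes):
    """Return (offset, length, valid) per option TLV; a malformed length poisons the rest."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                      # End of Option List
            break
        if t == 1:                      # No Operation: padding, nothing to act on
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            out.append((i, len(opts) - i, False))
            break
        out.append((i, length, t in KNOWN_OPTIONS))
        i += length
    return out


def apply_policy(pkt: bytes, option_action="clear-invalid", min_ttl=1,
                 df_action="allow", next_hop_mtu=1500):
    """Return (verdict, packet): verdict is 'allow' or 'drop:<reason>'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop:not-ipv4", None
    ihl = (pkt[0] & 0x0F) * 4
    hdr, payload = bytearray(pkt[:ihl]), pkt[ihl:]
    total_len = struct.unpack("!H", hdr[2:4])[0]
    if hdr[8] < min_ttl:                                    # Min. TTL IP Header Value
        return "drop:ttl-below-minimum", None
    tlvs = parse_options(bytes(hdr[20:]))
    if tlvs:
        if option_action == "drop":
            return "drop:ip-options", None
        targets = [(o, l) for o, l, v in tlvs
                   if option_action == "clear" or (option_action == "clear-invalid" and not v)]
        for o, l in targets:                                # overwrite with NOPs; IHL stays valid
            hdr[20 + o:20 + o + l] = b"\x01" * l
    if hdr[6] & 0x40 and total_len > next_hop_mtu:          # DF set and too big for next hop
        if df_action == "allow":
            return "drop:df-set-exceeds-mtu", None          # the ACE would send ICMP unreachable
        hdr[6] &= ~0x40                                     # clear DF so the packet can be fragmented
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return "allow", bytes(hdr) + payload


def build_header(ttl: int, df: bool, options: bytes = b"", total_len=None) -> bytes:
    """Constructed IPv4 header (TCP, 10.0.0.1 -> 10.0.0.2) for the demo."""
    opts = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(opts) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0,
                                total_len if total_len is not None else ihl * 4, 0x1234,
                                0x4000 if df else 0, ttl, 6, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + opts)
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)


def demo() -> dict:
    # constructed options: Router Alert (valid) followed by an unknown type 0x99 (invalid)
    opts = bytes([148, 4, 0, 0, 0x99, 4, 0xAA, 0xBB])
    pkt = build_header(ttl=64, df=False, options=opts)
    big = build_header(ttl=64, df=True, total_len=1600)
    return {
        "clear-invalid": apply_policy(pkt, "clear-invalid"),
        "clear": apply_policy(pkt, "clear"),
        "drop": apply_policy(pkt, "drop")[0],
        "low-ttl": apply_policy(build_header(ttl=2, df=False), min_ttl=5)[0],
        "df-allow": apply_policy(big, df_action="allow", next_hop_mtu=1500)[0],
        "df-clear": apply_policy(big, df_action="clear", next_hop_mtu=1500),
    }
```

Note what each default implies in practice: Clear-Invalid (the IPv4 default) leaves a well-formed source-route option in place, so where source routing is not wanted Drop or Clear is the safer choice; and Allow for the DF bit turns an oversized packet into a drop plus an ICMP message, which is the behaviour that path-MTU discovery relies on, whereas Clear silently fragments.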
ARP Inspection Type Type of ARP inspection, which prevents malicious users from impersonating other hosts or routers (ARP spoofing). ARP spoofing enables a man-in-the-middle attack: for example, when a host sends an ARP request for the gateway router, an attacker answers with its own MAC address instead of the gateway's, so the host sends traffic meant for the gateway through the attacker.
By default, ARP inspection is disabled on all interfaces, allowing all ARP packets through the ACE. When you enable ARP inspection, the ACE appliance uses the IP address and interface ID (ifID) of an incoming ARP packet as an index into the static ARP table and compares the packet's MAC address with the entry it finds. ARP inspection operates only on ingress bridged interfaces.
Note If ARP inspection fails, then the ACE does not perform source MAC validation.
Choices are as follows:
• N/A—ARP inspection is disabled.
• Flood—Enables ARP forwarding of nonmatching ARP packets: in the absence of a static ARP entry, the ACE appliance forwards the ARP packet to all interfaces in the bridge group. This setting is the default when inspection is enabled.
• No Flood—Disables ARP forwarding for the interface and drops nonmatching ARP packets.
In the absence of a static ARP entry, this option does not bridge any packets.
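The practical difference between Flood and No Flood is what happens to hosts that have no static ARP entry at all; packets whose sender MAC contradicts an existing entry are dropped in both modes. The Python example below is added here and is not ANM or ACE code: it parses constructed Ethernet/ARP frames, indexes a constructed static ARP table by (IP address, interface ID) as the text describes, and applies the two choices. Modelling "source MAC validation" as a comparison of the Ethernet source address with the ARP sender address, performed only after inspection passes, is an assumption; the page says only that validation is skipped when inspection fails.

```python
"""ARP inspection against static ARP entries (Flood / No Flood).

Added illustration, not ANM or ACE code. The static table, frames and the
source-MAC-validation step are assumptions for the demo.
"""
import struct
from dataclasses import dataclass

# Constructed static ARP table, keyed by (IP address, ifID); MAC in the ACE dotted form.
STATIC_ARP = {("10.1.1.1", "vlan100"): "00.02.9a.3b.94.d9"}   # the gateway


@dataclass(frozen=True)
class Arp:
    ingress_if: str
    eth_src: str
    sender_mac: str
    sender_ip: str
    target_ip: str
    opcode: int        # 1 = request, 2 = reply


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace(".", ""))


def _mac_str(b: bytes) -> str:
    return ".".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, opcode) -> bytes:
    """Constructed broadcast Ethernet frame carrying an ARP message (EtherType 0x0806)."""
    eth = b"\xff" * 6 + _mac_bytes(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, _mac_bytes(sender_mac),
                      bytes(int(x) for x in sender_ip.split(".")), b"\x00" * 6,
                      bytes(int(x) for x in target_ip.split(".")))
    return eth + arp


def parse_arp_frame(frame: bytes, ingress_if: str) -> Arp:
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet/ARP frame")
    _, _, _, _, oper, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return Arp(ingress_if, _mac_str(frame[6:12]), _mac_str(sha), _ip_str(spa), _ip_str(tpa), oper)


def inspect(pkt: Arp, mode: str):
    """mode is 'disabled', 'flood' or 'no-flood'; returns ('forward' | 'drop', reason)."""
    if mode == "disabled":
        return "forward", "ARP inspection disabled"
    entry = STATIC_ARP.get((pkt.sender_ip, pkt.ingress_if))
    if entry is None:                                   # nonmatching: no static entry at all
        if mode == "flood":
            return "forward", "no static entry; flooded to the bridge group"
        return "drop", "no static entry; no-flood"
    if entry != pkt.sender_mac:                         # inspection fails: spoofed sender MAC
        return "drop", f"sender MAC {pkt.sender_mac} does not match static {entry}"
    if pkt.eth_src != pkt.sender_mac:                   # source MAC validation, only after a pass
        return "drop", "Ethernet source MAC differs from ARP sender MAC"
    return "forward", "matches static entry"


def demo() -> dict:
    gw, attacker, host = "00.02.9a.3b.94.d9", "00.0c.29.aa.bb.cc", "00.50.56.11.22.33"
    frames = {
        "legit":    build_arp_frame(gw, gw, "10.1.1.1", "10.1.1.50", 2),
        "spoof":    build_arp_frame(attacker, attacker, "10.1.1.1", "10.1.1.50", 2),  # claims gateway IP
        "mismatch": build_arp_frame(attacker, gw, "10.1.1.1", "10.1.1.50", 2),        # forged ARP sender
        "unknown":  build_arp_frame(host, host, "10.1.1.77", "10.1.1.1", 1),          # no static entry
    }
    return {mode: {name: inspect(parse_arp_frame(f, "vlan100"), mode)[0] for name, f in frames.items()}
            for mode in ("disabled", "flood", "no-flood")}
```

The "unknown" row is the one to watch: with Flood, any host without a static entry still gets its ARP through, so inspection only protects the addresses you have pinned; No Flood makes the static table the complete list of permitted ARP speakers on the interface.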
UDP Config Commands UDP boost command options:
• N/A—Not applicable.
• IP Destination Hash—Hashes on the destination IP address during connection lookup.
• IP Source Hash—Hashes on the source IP address during connection lookup.
Secondary IP Groups Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of both device types. This option displays only when Interface Type is set to Routed.
The number of secondary IP groups that you can enter for a VLAN depends on the ACE release as follows:
• ACE module A2(3.0) and ACE appliance A4(1.0)—Up to 4 secondary IP groups.
• ACE module A2(3.1) and later—Up to 15 secondary IP groups.
The IP, alias IP, and peer IP addresses of each secondary IP group must be in the same subnet.
Note You cannot configure secondary IP addresses on FT VLANs.
To create secondary IP groups for the VLAN, do the following:
a. Define one or more of the following secondary IP address types:
– IP—Secondary IP address assigned to this interface. The primary address must be active for the secondary address to be active.
– AliasIP—Secondary IP address of the alias associated with this interface.
– PeerIP—Secondary IP address of the remote peer.
– Netmask—Secondary subnet mask to be used.
The ACE has a system limit of 1,024 addresses for each secondary IP address type.
b. Click Add to selection (right arrow) to add the group to the group display area.
c. Repeat steps a and b for each additional group.
d. (Optional) Rearrange the order in which the groups are listed by selecting a group in the group display area and clicking either Move item up in list (up arrow) or Move item down in list (down arrow). The order of the groups has no effect on ACE operation.
e. (Optional) Edit a group or remove it from the list by selecting it in the group display area and clicking Remove from selection (left arrow).
Input Policies Policy map that is associated with this VLAN interface. From the Available list, double-click a policy map name or use the right arrow to move it to the Selected list. This policy map is applied to the inbound direction of the interface; that is, to all traffic received by this interface.
If you choose more than one policy map, use the Up and Down arrows to set the priority of the policy maps in the Selected list. These arrows modify the order of the policy maps for new VLANs only; they do not modify the policy map order when editing an existing VLAN interface.
Input Access Group ACL input access group to be associated with this VLAN interface. From the Available list,
double-click an ACL name or use the right arrow to move it to the Selected list. Any ACL group
listed in the Selected list specifies that this access group is to be applied to the inbound direction
of the interface.
Output Access Group ACL output access group that is associated with this VLAN interface. From the Available list,
double-click an ACL name or use the right arrow to move it to the Selected list. Any ACL group
listed in the Selected list specifies that this access group is to be applied to the outbound direction
of the interface; that is, all traffic sent by this interface.
Static ARP Entry (IP/MAC Address) Static ARP entry for this interface. Do the following:
a. In the ARP IP Address field, enter the IP address. This field accepts IPv4 addresses only.
b. In the ARP MAC Address field, enter the hardware MAC address for the ARP table entry (for example, 00.02.9a.3b.94.d9).
c. When completed, use the right arrow to move the static ARP entry to the list box. Use the Up and Down arrows to set the priority of the static ARP entry in the list box. These arrows modify the order of the static ARP entries for new VLANs only; they do not modify the order when editing an existing VLAN interface.
DHCP Relay Configuration Enter the IPv4 address of the DHCP server to which the DHCP relay agent forwards client requests. Enter the IP address in dotted-decimal notation, such as 192.168.11.2.
IPv6 DHCP Forward Interface VLAN Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Enter the VLAN through which the ACE forwards received client requests to the IPv6 DHCP server address configured in the IPv6 DHCP Relay Configuration field.
IPv6 DHCP Relay Configuration Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Enter the IPv6 address of the DHCP server to which the DHCP relay agent forwards client requests. Select the VLAN when the server address is a link-local address.
Note When you enter a DHCPv6 server global IPv6 address, a VLAN is not required.
Managed-Config Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Check the check box to set the Managed address configuration (M) flag in the router advertisements that the ACE sends, telling hosts on the interface to use the stateful autoconfiguration mechanism (DHCPv6) to obtain IPv6 addresses. Uncheck the check box to indicate that hosts do not use stateful autoconfiguration for IPv6 addresses.
Other-Config Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Check the check box to set the Other configuration (O) flag in router advertisements, telling hosts to use the stateful autoconfiguration mechanism for parameters other than IPv6 addresses (for example, DNS servers). Uncheck the check box to indicate that hosts do not use stateful autoconfiguration for parameters other than IPv6 addresses.
NS Interval Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. The ACE sends neighbor solicitation (NS) messages through ICMPv6 on the local link to determine the link-layer addresses of nearby nodes (hosts or routers). You can configure the rate at which the ACE sends these neighbor solicitation messages.
By default, the interval at which the ACE sends NS messages for duplicate address detection (DAD) is 1000 milliseconds (msecs). To configure the interval, enter an integer from 1000 to 2147483647.
NS Reachable Time Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. The neighbor reachable time is the period in milliseconds during which a node considers a neighbor reachable after receiving a reachability confirmation from it. A reachability confirmation can be a neighbor advertisement in response to a solicitation or any upper-layer protocol traffic that indicates forward progress.
By default, this time period is 0 milliseconds (unspecified). To configure this time, enter an integer from 0 to 3600000.
Retransmission time Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later.
By default, the advertised retransmission time is 0 milliseconds.
To configure the retransmission time, enter an integer from 0 to 3600000.
DAD Attempts Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later.
By default, the number of attempts for sending duplicate address detection (DAD) is 1.
To configure the DAD attempts, enter an integer from 0 to 255.
RA Hop Limit Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later.
By default, the hop limit that neighbors should use when originating IPv6 packets is 64. To
configure the hop limit in the IPv6 header, enter an integer from 0 to 255.
RA Lifetime Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later.
The router advertisement lifetime is the length of time that neighboring nodes should consider
the ACE as the default router before they send RS messages again.
By default, this length of time is 1800 seconds (30 minutes). To configure the RA lifetime, enter
an integer from 0 to 9000.
RA Interval Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later.
By default, the rate at which the ACE sends RA messages is 600 seconds. To configure the rate,
enter an integer from 4 to 1800.
Suppress RA Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. By default, the ACE automatically responds to router solicitation (RS) messages that it receives from neighbors with RA messages that include, for example, the network prefix.
Check the check box to instruct the ACE not to respond to RS messages; the ACE also stops sending the periodic unsolicited RAs that it sends at the RA interval.
Uncheck the check box to restore the default behavior of automatically responding to RS messages.
IPv6 Router Prefix Advertisement Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Click the Add button to configure the IPv6 prefixes that the ACE advertises in RA messages on the local link.
IPv6 Address/Prefix Length To configure an IPv6 prefix advertised in the RA messages, enter a complete IPv6 address in the first field. In the second field after the /, enter the prefix length to specify how many of the most significant bits (MSBs) are used for the network identifier.
No Advertisements Check the check box to indicate that the route prefix is not advertised.
Clear the check box to indicate that the route prefix is advertised.
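The Managed-Config, Other-Config, NS Reachable Time, Retransmission time, RA Hop Limit and RA Lifetime fields, together with each advertised prefix's valid and preferred lifetimes and its Off-link and No-autoconfig settings, are the fields of a single ICMPv6 Router Advertisement (RFC 4861). The Python example below is added here and is not ANM or ACE code; it builds such an RA from those values, computes the ICMPv6 checksum over the IPv6 pseudo-header, rejects a preferred lifetime greater than the valid lifetime, and parses the message back. The link-local source address and the 2001:db8:1::/64 prefix are constructed sample values.

```python
"""ICMPv6 Router Advertisement built from the Table 12-1 RA and prefix fields.

Added illustration, not ANM or ACE code. The sample source address and prefix
are constructed; the wire layout follows RFC 4861.
"""
import ipaddress
import struct

ALL_NODES = "ff02::1"   # unsolicited RAs go to the all-nodes multicast group


def icmpv6_checksum(src: str, dst: str, payload: bytes) -> int:
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(payload), 58))          # next header 58 = ICMPv6
    data = pseudo + payload + (b"\x00" if len(payload) % 2 else b"")
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ra(src: str, hop_limit=64, managed=False, other=False, router_lifetime=1800,
             reachable_ms=0, retrans_ms=0, prefixes=()) -> bytes:
    """prefixes: dicts with prefix, plen, valid, preferred, onlink, autonomous."""
    if not 0 <= router_lifetime <= 9000:
        raise ValueError("RA Lifetime must be 0 to 9000 seconds")
    flags = (0x80 if managed else 0) | (0x40 if other else 0)     # M and O bits
    body = struct.pack("!BBHBBHII", 134, 0, 0, hop_limit, flags, router_lifetime,
                       reachable_ms, retrans_ms)
    for p in prefixes:
        if p["preferred"] > p["valid"]:
            raise ValueError("Preferred Lifetime must not exceed Valid Lifetime")
        net = ipaddress.IPv6Network(f"{p['prefix']}/{p['plen']}", strict=True)  # host bits must be 0
        pflags = (0x80 if p["onlink"] else 0) | (0x40 if p["autonomous"] else 0)  # L and A bits
        body += struct.pack("!BBBBIII", 3, 4, p["plen"], pflags, p["valid"], p["preferred"], 0)
        body += net.network_address.packed
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, ALL_NODES, body)) + body[4:]


def parse_ra(src: str, pkt: bytes) -> dict:
    if icmpv6_checksum(src, ALL_NODES, pkt) != 0:
        raise ValueError("bad ICMPv6 checksum")
    t, _, _, hop, flags, life, reach, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if t != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": life, "reachable_ms": reach, "retrans_ms": retrans, "prefixes": []}
    i = 16
    while i + 2 <= len(pkt):
        otype, olen = pkt[i], pkt[i + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")          # RFC 4861 says discard the packet
        if otype == 3 and olen == 4:                           # Prefix Information option
            plen, pflags, valid, pref = struct.unpack("!BBII", pkt[i + 2:i + 12])
            prefix = ipaddress.IPv6Address(pkt[i + 16:i + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "valid": valid, "preferred": pref,
                                   "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40)})
        i += olen * 8
    return ra


def demo() -> dict:
    src = "fe80::1"   # constructed link-local address of the advertising ACE
    pkt = build_ra(src, hop_limit=64, managed=True, other=True, router_lifetime=1800,
                   prefixes=[{"prefix": "2001:db8:1::", "plen": 64, "valid": 2592000,
                              "preferred": 604800, "onlink": True, "autonomous": True}])
    return parse_ra(src, pkt)
```

Off-link corresponds to a cleared L bit and No-autoconfig to a cleared A bit in the prefix option; because any node on the link can send a message with this layout, the settings here describe what the ACE advertises, not what hosts are prevented from accepting, so rogue-RA protection has to come from the switches on the segment.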
Lifetime Configure the prefix lifetime attributes as follows:
• Lifetime Duration:
– Valid Lifetime—By default, the valid lifetime is 2592000 seconds (30 days). To configure the valid lifetime in seconds, enter an integer from 0 to 2147483647. Select Infinite to indicate that the prefix never expires.
– Preferred Lifetime—By default, the preferred lifetime is 604800 seconds (7 days). To configure how long an IPv6 address derived from this prefix remains preferred, in seconds, enter an integer from 0 to 2147483647. This lifetime must not exceed the Valid Lifetime. Select Infinite to indicate that the preferred lifetime never expires.
• Lifetime Expiration Date:
– Valid Month/Day/Year/Time—Valid lifetime expiration date and time.
– Preferred Month/Day/Year/Time—Preferred lifetime expiration date and time.
Use the drop-down lists to select a day, month, and year. To specify the time, use the hh:mm format.
Off-link This option appears when you enter a Preferred Lifetime. Check this check box to indicate that the prefix is not on-link; that is, hosts on this link must send traffic for the prefix through a router. Clear the check box to indicate that the prefix is on-link (in the same subnet).
No-autoconfig This option appears when you enter a Preferred Lifetime. Check this check box to indicate to hosts that they cannot use this prefix for stateless IPv6 address autoconfiguration. Clear the check box to indicate to hosts that they can use this prefix when creating a stateless IPv6 address.
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click Cancel to exit this procedure without saving your entries and to return to the previous window.
Step 6 (Optional) To display statistics and status information for a VLAN interface, choose the VLAN interface from the VLAN Interface table, then click Details.
The show interface vlan CLI command output appears. See the "Displaying VLAN Interface Statistics and Status Information" section on page 12-18 for details.
Related Topics
• Configuring VLAN Interface NAT Pools, page 12-26
• Displaying All VLAN Interfaces, page 12-18
• Displaying VLAN Interface Statistics and Status Information, page 12-18
Displaying All VLAN Interfaces
You can display all of the VLAN interfaces associated with a specific virtual context by choosing Config > Devices > context > Network > VLAN Interfaces.
The VLAN Interface table appears with the information shown in Table 12-2.
Table 12-2 VLAN Interface Table Fields
Field Description
VLAN VLAN number.
Description Description for this interface.
Interface Type Role of the virtual context in the network topology of the VLAN interface.
IP Address IP address assigned to this interface, including the netmask for an IPv4 address or the prefix length for an IPv6 address. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
This table does not display the IPv6 link-local, unique-local, and multicast addresses for the interface. To display these addresses, click Details to display the output of the show ipv6 interface vlan command.
IPv6 Config Status Whether IPv6 is enabled or disabled on the interface. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
Admin Status Administrative status of the interface, which can be Up or Down.
Operational Status Operational state of the interface (Up or Down).
Last Polled Date and time that ANM last polled the device to display the current values.
Related Topics
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces, page 12-19
• Displaying VLAN Interface Statistics and Status Information, page 12-18
Displaying VLAN Interface Statistics and Status Information
You can display statistics and status information for a particular VLAN interface.
Procedure
Step 1 Choose Config > Devices > context > Network > VLAN Interfaces.
The VLAN Interfaces table appears.
Step 2 Choose a VLAN interface from the VLAN Interfaces table, and click Details.
The show interface vlan, show ipv6 interface vlan, and show ipv6 neighbors CLI commands appear. The IPv6 commands require ACE module and ACE appliance software Version A5(1.0) or later. Click a command to display its output. For details on the displayed output fields, see either the Cisco ACE Module Routing and Bridging Configuration Guide or the Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide.
Step 3 Click Update Details to refresh the output for the show interface vlan CLI command.
Step 4 Click Close to return to the VLAN Interfaces table.
Related Topics
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Displaying All VLAN Interfaces, page 12-18
Configuring Virtual Context BVI Interfaces
You can configure Bridge-Group Virtual Interfaces (BVIs) for virtual contexts. The ACE supports virtual contexts containing BVI interfaces. You can configure two VLAN interfaces into a bridge group and bridge packets between them. All interfaces are in one broadcast domain, and packets from one VLAN are switched to the other VLAN. The ACE bridge mode supports only two Layer 2 VLANs per bridge group.
Note The options that appear when you choose Config > Devices > context depend on the device associated
with the virtual context and the role associated with your account.
This section includes the following topics:
• Configuring BVI Interfaces for a Virtual Context, page 12-19
• Displaying All BVI Interfaces by Context, page 12-25
• Displaying BVI Interface Statistics and Status Information, page 12-26
Configuring BVI Interfaces for a Virtual Context
You can configure BVI interfaces for a virtual context.
Procedure
Step 1 Choose Config > Devices > context > Network > BVI Interfaces.
The BVI Interface configuration table appears.
Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted to confirm that you want to poll the devices for data now.
Step 3 Click Add to add a new BVI interface.
Step 4 Enter the interface attributes (see Table 12-3).
Note When you create or edit a virtual context BVI, if either of the two VLANs does not exist, ANM creates the VLAN and populates the BVI with the description specified in the BVI Interface window.
If you delete the BVI and there are values specified in either of the two VLAN fields, ANM removes the BVI value from the VLAN.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 12-3 BVI Interface Attributes
Field Description
BVI BVI identifier. Either accept the automatically incremented entry or enter a different, unique
value for the BVI. Valid entries are from 1 to 4094.
Description Brief description for this interface.
IP Address IPv4 address assigned to this interface. This address must be a unique IP address that is not used
in another context. Duplicate IP addresses in different contexts are not supported.
Note If this interface is only used for IPv6 traffic, entering an IPv4 address is optional. IPv6
requires ACE module and ACE appliance software Version A5(1.0) or later.
Alias IP Address IPv4 address of the alias that this interface is associated with.
Peer IP Address IPv4 address of the remote peer.
Netmask Subnet mask to be used.
Admin Status Administrative state of the interface: Up or Down.
Secondary IP Groups Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. The number of secondary IP groups that you can enter for a BVI depends on the ACE release as follows:
• ACE module A2(3.0) and ACE appliance A4(1.0)—Up to 4 secondary IP groups.
• ACE module A2(3.1) and later—Up to 15 secondary IP groups.
To create secondary IP groups for this BVI, do the following:
a. Define one or more of the following secondary IP address types:
– IP—Secondary IP address assigned to this interface. The primary address must be active for the secondary address to be active.
– AliasIP—Secondary IP address of the alias associated with this interface.
– PeerIP—Secondary IP address of the remote peer.
– Netmask—Secondary subnet mask to be used.
The ACE has a system limit of 1,024 addresses for each secondary IP address type.
b. Click Add to selection (right arrow) to add the group to the group display area.
c. Repeat steps a and b for each additional group.
d. (Optional) Rearrange the order in which the groups are listed by selecting a group in the group display area and clicking either Move item up in list (up arrow) or Move item down in list (down arrow). The order of the groups has no effect on ACE operation.
e. (Optional) Edit a group or remove it from the list by selecting it in the group display area and clicking Remove from selection (left arrow).
First VLAN First VLAN whose bridge group is to be configured with this BVI. This VLAN can be the server
or client VLAN. Valid entries are from 2 to 4094.
First VLAN Description Brief description for the first VLAN.
Second VLAN Second VLAN whose bridge group is to be configured with this BVI. This VLAN can be the
server or client VLAN. Valid entries are from 2 to 4094.
Second VLAN Description Brief description for the second VLAN.
Enable IPv6 Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Check the check box to enable IPv6 on this interface. By default, IPv6 is disabled. The interface cannot be in bridged mode. When you enable IPv6, the ACE automatically does the following:
• Configures a link-local address (if not previously configured)
• Performs duplicate address detection (DAD) on both addresses
Uncheck the check box to disable IPv6 on this interface.
IPv6 Global Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later.
A global address is an IPv6 unicast address that is used for general IPv6 communication. Each
global address is unique across the entire Internet. Therefore, its scope is global. The low order
64 bits can be assigned in several ways, including autoconfiguration using the EUI-64 format.
You can configure only one globally unique IPv6 address on an interface.
When you configure a global address, the ACE automatically does the following:
• Configures a link-local address (if not previously configured)
• Performs duplicate address detection (DAD) on both addresses
IPv6 Address To configure an IPv6 global address on an interface, enter a complete IPv6 address within the global unicast range 2000::/3 (2000:: through 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff). For example, enter 2001:DB8:1::0.
Check the EUI-64 check box to specify that the low-order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros.
Alias IPv6 Address When you configure redundancy with active and standby devices, you can configure a VLAN
interface that has an alias global IPv6 address that is shared between the active and standby
devices. The alias IPv6 address serves as a shared gateway for the two ACEs in a redundant
configuration. You can configure only one alias global IPv6 address on an interface.
To configure an IPv6 alias global address, enter a complete IPv6 address within the global unicast range 2000::/3. For example, enter 2001:DB8:1::0.
Note You must configure redundancy (fault tolerance) on the ACE for the alias global IPv6
address to work.
Peer IPv6 Address To configure an IPv6 peer global address, enter a complete IPv6 address within the global unicast range 2000::/3. For example, enter 2001:DB8:1::0.
Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the
IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use
EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be
all zeros.
Note The IPv6 peer global address must be unique across multiple contexts on a shared
VLAN.
Prefix Length Enter the prefix length for all global addresses to specify how many of the most significant bits
(MSBs) are used for the network identifier. Enter an integer from 1 to 128. If you use the
optional EUI-64 check box for the global and peer addresses, the prefix must be less than or
equal to 64.
IPv6 Unique-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. A unique local address is an optional IPv6 unicast address that is used for local communication within an organization; it is similar to a private IPv4 address (for example, 10.10.2.1). Unique local addresses are intended to be globally unique but are not routable on the Internet, and they are not assigned by a central authority (RFC 4193 defines locally generated prefixes under FD00::/8). All unique local addresses have the predefined prefix FC00::/7. You can configure only one IPv6 unique local address on an interface.
IPv6 Address To configure a unique local address, enter a complete IPv6 address with an FC00::/7 prefix in
the first field. In the second field after the /, enter the prefix length to specify how many of the
most significant bits (MSBs) are used for the network identifier.
Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the
IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use
EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be
all zeros.
Peer IPv6 Address In a redundant configuration, you can configure an IPv6 peer unique local address on the active
that is synchronized to the standby ACE. You can configure only one peer unique local IPv6
address on an interface.
To configure a peer unique local address, enter a complete IPv6 address with an FC00::/7 prefix
in the first field. In the second field after the /, enter the prefix length to specify how many of
the most significant bits (MSBs) are used for the network identifier.
Note The IPv6 peer unique local address must be unique across multiple contexts on a shared
VLAN.
Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the
IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use
EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be
all zeros.
Prefix Length Enter the prefix length for the unique-local addresses to specify how many of the most significant bits (MSBs) are used for the network identifier. Enter an integer from 1 to 128. If you use the optional EUI-64 check box for the unique-local and peer addresses, the prefix must be less than or
equal to 64.
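The global, unique-local and link-local fields each accept only addresses from a fixed range (2000::/3, FC00::/7, FE80::/10), link-local addresses are always /64, and the EUI-64 check box adds two conditions: a prefix length of at most 64 and an all-zero host segment. The Python example below is added here and is not ANM or ACE code; it classifies constructed addresses into the three fields and forms the modified EUI-64 interface identifier from a constructed MAC address, following RFC 2373/RFC 4291 (insert ff:fe in the middle of the MAC and invert the universal/local bit). How the ACE performs these steps internally is not described on this page.

```python
"""IPv6 address classes and EUI-64 interface identifiers for the Table 12-3 fields.

Added illustration, not ANM or ACE code. The MAC address and prefixes are constructed.
"""
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 2373 / RFC 4291): insert ff:fe in the middle, flip the U/L bit."""
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError("a 48-bit MAC address is required")
    b[0] ^= 0x02                      # universal/local bit inverted per the RFC
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def eui64_address(prefix: str, prefix_len: int, mac: str) -> ipaddress.IPv6Address:
    """Address formed when EUI-64 is checked; enforces the two conditions from the table."""
    if not 1 <= prefix_len <= 64:
        raise ValueError("EUI-64 requires a prefix length less than or equal to 64")
    pfx = int(ipaddress.IPv6Address(prefix))
    if pfx & ((1 << 64) - 1):
        raise ValueError("the host segment must be all zeros when EUI-64 is used")
    return ipaddress.IPv6Address(pfx | int.from_bytes(eui64_interface_id(mac), "big"))


def classify(addr: str, prefix_len: int) -> str:
    """Return which Table 12-3 address field accepts addr, or raise with the reason."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        if prefix_len != 64:
            raise ValueError("a link-local address always has a prefix length of 64")
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        if not 1 <= prefix_len <= 128:
            raise ValueError("prefix length must be 1 to 128")
        return "global"
    raise ValueError(f"{addr} is not in 2000::/3, fc00::/7 or fe80::/10")


def demo() -> dict:
    mac = "00.02.9a.3b.94.d9"           # constructed, in the dotted form the ACE uses
    rejected = []
    for prefix, plen in (("2001:db8:1::", 80), ("2001:db8:1::1", 64)):   # violate each EUI-64 rule
        try:
            eui64_address(prefix, plen, mac)
        except ValueError as e:
            rejected.append(str(e))
    return {
        "interface_id": eui64_interface_id(mac).hex(),
        "global": str(eui64_address("2001:db8:1::", 64, mac)),
        "classes": [classify(a, l) for a, l in (("2001:db8:1::1", 64), ("fd12:3456::1", 64), ("fe80::1", 64))],
        "rejected": len(rejected),
    }
```

One consequence worth noting before choosing EUI-64 on a shared VLAN: the interface identifier is derived from the MAC address, so the global address changes if the hardware is replaced and is the same on every prefix the interface carries, which is why the peer addresses in a redundant pair must be configured explicitly rather than derived.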
IPv6 Link-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. By default, when you enable IPv6 or configure any other valid IPv6 address on an interface, the ACE automatically creates a link-local address for it. Every link-local address must have the predefined prefix FE80::/10. You can configure only one IPv6 link-local address on an interface. This address always has a prefix length of 64.
To manually configure the link-local address, enter a complete IPv6 address with an FE80::/10 prefix in this field. For example, enter FE80:DB8:1::1.
IPv6 Peer Link-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later.
In a redundant configuration, you can configure an IPv6 peer link local address for the standby
ACE. You can configure only one peer link local address on an interface.
To configure the peer link local address, enter a complete IPv6 address with an FE80::/10 prefix
in this field.
Note The IPv6 peer link local address must be unique across multiple contexts on a shared
VLAN.
More Settings (The More Settings option appears only for ACE module and ACE appliance software Version A5(1.0) or later.)
Managed-Config Check the check box to set the Managed address configuration (M) flag in the router advertisements that the ACE sends, telling hosts on the interface to use the stateful autoconfiguration mechanism (DHCPv6) to obtain IPv6 addresses. Uncheck the check box to indicate that hosts do not use stateful autoconfiguration for IPv6 addresses.
Other-Config Check the check box to set the Other configuration (O) flag in router advertisements, telling hosts to use the stateful autoconfiguration mechanism for parameters other than IPv6 addresses. Clear the check box to indicate that hosts do not use stateful autoconfiguration for parameters other than IPv6 addresses.
NS Interval The ACE sends neighbor solicitation (NS) messages through ICMPv6 on the local link to determine the link-layer addresses of nearby nodes (hosts or routers). You can configure the rate at which the ACE sends these neighbor solicitation messages.
By default, the interval at which the ACE sends NS messages for duplicate address detection (DAD) is 1000 milliseconds (msecs). To configure the interval, enter an integer from 1000 to 2147483647.
NS Reachable Time The neighbor reachable time is the period in milliseconds during which a node considers a neighbor reachable after receiving a reachability confirmation from it. A reachability confirmation can be a neighbor advertisement in response to a solicitation or any upper-layer protocol traffic that indicates forward progress.
By default, this time period is 0 milliseconds. To configure this time, enter an integer from 0 to
3600000.
Retransmission time By default, the advertised retransmission time is 0 milliseconds.
To configure the retransmission time, enter an integer from 0 to 3600000.
DAD Attempts By default, the number of attempts for sending duplicate address detection (DAD) is 1.
To configure the DAD attempts, enter an integer from 0 to 255.
RA Hop Limit By default, the hop limit that neighbors should use when originating IPv6 packets is 64. To
configure the hop limit in the IPv6 header, enter an integer from 0 to 255.
Table 12-3 BVI Interface Attributes (continued)
Field Description
12-24
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 12 Configuring Network Access
Configuring Virtual Context BVI Interfaces
RA Lifetime The RA lifetime is the length of time, in seconds, that neighboring nodes should consider the
ACE a default router after receiving its RA.
By default, this length of time is 1800 seconds (30 minutes). To configure the RA lifetime, enter
an integer from 0 to 9000. A value of 0 tells hosts that the ACE is not a default router.
RA Interval By default, the rate at which the ACE sends RA messages is 600 seconds. To configure the rate,
enter an integer from 4 to 1800. Keep the interval shorter than the RA lifetime so that hosts do
not time out the ACE as their default router between advertisements.
Suppress RA By default, the ACE automatically responds to RS messages that it receives from neighbors with
RA messages that include, for example, the network prefix. You can instruct the ACE to not
respond to RS messages.
Check the check box to instruct the ACE to not respond to RS messages.
Clear the check box to reset the default behavior of automatically responding to RS messages.
IPv6 Router Advertisement Settings Click the Add button to configure the IPv6 prefixes that the ACE advertises in RA
messages on the local link.
IPv6 Address/Prefix Length To configure the IPv6 prefix advertised in the RA messages, enter a complete IPv6 address in the
first field. In the second field, after the /, enter the prefix length to specify how many of the most
significant bits (MSBs) identify the network.
No Advertisements Check the check box to indicate that the route prefix is not advertised.
Clear the check box to indicate that the route prefix is advertised.
Lifetime Configure the prefix lifetime attributes as follows:
• Lifetime Duration:
– Valid Lifetime—By default, the valid lifetime is 2592000 seconds (30 days). To
configure the valid lifetime in seconds, enter an integer from 0 to 2147483647.
Select Infinite to indicate that the prefix never expires.
– Preferred Lifetime—By default, the preferred lifetime is 604800 seconds (7 days). To
configure how long an address formed from this prefix remains preferred, in seconds, enter
an integer from 0 to 2147483647. This lifetime must not exceed the Valid Lifetime.
Select Infinite to indicate that the preferred lifetime never expires.
• Lifetime Expiration Date:
– Valid Month/Day/Year/Time—Valid lifetime expiration date and time.
– Preferred Month/Day/Year/Time—Preferred lifetime expiration date and time.
Use the drop-down lists to select a day, month, and year. To specify the time, use the hh:mm
format.
Off-link Check this check box to clear the on-link (L) flag for the prefix, which tells hosts that addresses
in the prefix are not directly reachable on this link and that traffic for them must go through
a router.
Clear the check box to advertise the prefix as on-link, so that hosts reach addresses in the
prefix directly on the local link.
This option appears after you enter a value in the Preferred Lifetime field.
No-autoconfig Check this check box to clear the autonomous (A) flag for the prefix, which tells hosts that they
cannot use this prefix when creating a stateless IPv6 address.
Clear the check box to allow hosts to use this prefix when creating a stateless IPv6 address.
This option appears after you enter a value in the Preferred Lifetime field.
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click Cancel to exit this procedure without saving your entries and to return to the previous table.
Step 6 To display statistics and status information for a BVI interface, choose the BVI interface from the BVI
Interface table, and click Details.
The show interface bvi, show ipv6 interface bvi, and show ipv6 neighbors CLI command outputs
appear. The IPv6 commands require ACE module and ACE appliance software Version A5(1.0) or later.
See the “Displaying BVI Interface Statistics and Status Information” section on page 12-26 for details.
Related Topics
• Configuring Network Access, page 12-1
• Configuring Virtual Context Primary Attributes, page 6-14
Displaying All BVI Interfaces by Context
You can display all of the BVI interfaces associated with a specific context by choosing Config >
Devices > context > Network > BVI Interfaces.
The BVI Interface table appears with the information shown in Table 12-4.
Table 12-4 BVI Interface Fields
Field Description
BVI Name of the BVI interface.
Description Description for the BVI interface.
IP Address IP address assigned to this interface including the netmask for an IPv4 address or a prefix length for
an IPv6 address. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later.
IPv6 Config Status The status whether IPv6 is enabled or disabled on the interface. IPv6 requires ACE module and ACE
appliance software Version A5(1.0) or later.
12-26
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 12 Configuring Network Access
Configuring VLAN Interface NAT Pools
Related Topics
• Displaying BVI Interface Statistics and Status Information, page 12-26
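The neighbor discovery and router advertisement attributes in Table 12-3 correspond one to one with fields of the ICMPv6 Router Advertisement that the ACE sends on the BVI's link: the M and O flags (Managed-Config, Other-Config), Cur Hop Limit, Router Lifetime, Reachable Time, Retrans Timer, and, for each advertised prefix, the L and A flags (Off-link, No-autoconfig) with the valid and preferred lifetimes. The following Python module is an added example, not ANM or ACE code, that encodes and decodes such a message with the RFC 4861 layout so that a capture from the link can be checked against the settings entered in ANM. The prefix, lifetimes and flag values are constructed sample inputs. It also makes two limits concrete: RFC 4861 caps Router Lifetime at 9000 seconds, which is why the RA Lifetime field accepts 0 to 9000, and a lifetime of 0 means "not a default router", which is different from Suppress RA (no RA is sent at all).

```python
"""ICMPv6 Router Advertisement encoder/decoder (RFC 4861 sections 4.2 and 4.6.2).
Added example for this guide; not ANM or ACE code. It shows where each Table 12-3
setting lands on the wire. The ICMPv6 checksum is left at 0 because computing it
needs the IPv6 pseudo-header, which is outside the scope of this example."""
import ipaddress
import struct
from dataclasses import dataclass, field

INFINITE = 0xFFFFFFFF  # RFC 4861 value for a lifetime that never expires ("Infinite" in ANM)


@dataclass
class Prefix:
    prefix: str                   # IPv6 prefix, e.g. "2001:db8:1::" (constructed sample)
    length: int                   # prefix length, the value after "/" in ANM
    valid: int = 2592000          # Valid Lifetime, ANM default 30 days
    preferred: int = 604800       # Preferred Lifetime, ANM default 7 days
    off_link: bool = False        # ANM "Off-link" check box: clears the L (on-link) flag
    no_autoconfig: bool = False   # ANM "No-autoconfig" check box: clears the A flag


@dataclass
class RouterAdvertisement:
    hop_limit: int = 64           # RA Hop Limit
    managed: bool = False         # Managed-Config (M flag)
    other: bool = False           # Other-Config (O flag)
    router_lifetime: int = 1800   # RA Lifetime in seconds; 0 = "not a default router"
    reachable_ms: int = 0         # NS Reachable Time; 0 = unspecified
    retrans_ms: int = 0           # Retransmission time; 0 = unspecified
    prefixes: list = field(default_factory=list)


def encode_ra(ra):
    """Serialize an RA plus one Prefix Information option per prefix."""
    if not 0 <= ra.router_lifetime <= 9000:
        raise ValueError("router lifetime must be 0..9000 s (RFC 4861 and ANM limit)")
    flags = (0x80 if ra.managed else 0) | (0x40 if ra.other else 0)
    # type 134, code 0, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    msg = struct.pack("!BBHBBHII", 134, 0, 0, ra.hop_limit, flags,
                      ra.router_lifetime, ra.reachable_ms, ra.retrans_ms)
    for p in ra.prefixes:
        if not 0 <= p.length <= 128:
            raise ValueError("prefix length out of range")
        if p.preferred > p.valid:
            # ANM states the same rule: preferred must not exceed valid
            raise ValueError(f"preferred lifetime exceeds valid lifetime for {p.prefix}/{p.length}")
        pflags = (0 if p.off_link else 0x80) | (0 if p.no_autoconfig else 0x40)
        # option type 3, length 4 (units of 8 octets) = 32 bytes including the prefix
        msg += struct.pack("!BBBBIII", 3, 4, p.length, pflags, p.valid, p.preferred, 0)
        msg += ipaddress.IPv6Address(p.prefix).packed
    return msg


def decode_ra(msg):
    """Parse an RA; unknown options are skipped, a zero-length option is rejected (RFC 4861 4.6)."""
    mtype, code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack_from("!BBHBBHII", msg, 0)
    if mtype != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(hop, bool(flags & 0x80), bool(flags & 0x40), lifetime, reach, retrans)
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        if otype == 3 and olen == 4 and off + 32 <= len(msg):
            plen, pflags, valid, pref, _reserved = struct.unpack_from("!BBIII", msg, off + 2)
            addr = str(ipaddress.IPv6Address(msg[off + 16:off + 32]))
            ra.prefixes.append(Prefix(addr, plen, valid, pref,
                                      off_link=not (pflags & 0x80),
                                      no_autoconfig=not (pflags & 0x40)))
        off += olen * 8
    return ra


def is_default_router(ra):
    """True if hosts will install this sender as a default router (lifetime > 0)."""
    return ra.router_lifetime > 0
```

To check a live BVI, capture an RA on the link and pass its ICMPv6 payload to decode_ra(); compare the decoded flags with the ANM settings. A prefix advertised with the A flag set on a link that was meant to be DHCPv6-only (Managed-Config checked, No-autoconfig unchecked) lets every host self-assign an address from it, which is the kind of mismatch this check catches.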
Displaying BVI Interface Statistics and Status Information
You can display statistics and status information for a particular BVI interface by using the Details
button.
Procedure
Step 1 Choose Config > Devices > context > Network > BVI Interfaces.
The BVI Interface table appears.
Step 2 In the BVI Interface table, choose a BVI interface and click Details.
The show interface bvi, show ipv6 interface bvi, and show ipv6 neighbors CLI command outputs
appear. The IPv6 commands require ACE module and ACE appliance software Version A5(1.0) or later.
For details about the displayed output fields, see either the Cisco ACE Module Routing and Bridging
Configuration Guide or the Cisco ACE 4700 Series Appliance Routing and Bridging Configuration
Guide.
Step 3 Click Update Details to refresh the command output.
Step 4 Click Close to return to the BVI Interface table.
Related Topics
• Displaying All BVI Interfaces by Context, page 12-25
Table 12-4 BVI Interface Fields (continued)
Field Description
Admin Status Administrative status of the interface: Up or Down.
Operational Status Operational state of the interface: Up or Down.
Last Polled Date and time that ANM last polled the device to display the current values.
Configuring VLAN Interface NAT Pools
You can configure Network Address Translation (NAT) pools for a VLAN interface. NAT conserves IP
addresses: it lets private networks that use unregistered (not globally unique) addresses reach the
Internet. NAT operates on a router, usually one connecting two networks, and translates the private
addresses of the internal network into globally routable addresses before the packets are forwarded
to the other network.
The ACE allows you to configure NAT so that it advertises only one address for the entire network to
the outside world. This hides the internal address plan behind that address and conserves addresses.
Hiding addresses is not an access control: any internal host that the ACE translates is still reachable
through the translated address unless you restrict that traffic separately.
Many internal addresses can be translated to only one or a few external addresses by using Port Address
Translation (PAT) together with NAT. PAT extends NAT from one-to-one to many-to-one by associating each
flow with a distinct translated source port on the shared global address; the ACE uses that port to map
return traffic back to the internal host. You can also configure static translations at the port level
and leave the remaining ports of the address for other translations.
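The PAT Enabled check box in the procedure below decides whether the pool is consumed one global address per inside host or shared by port. The following Python model is an added example, not ACE code: it implements both allocation strategies for a pool defined by the Start IP Address and End IP Address fields (a blank End IP means a single address), preserves the source port without PAT, assigns a fresh port per flow with PAT, and resolves return traffic through the reverse table. The addresses, inside hosts and the 1024 to 65535 port range are constructed for illustration; the port selection the ACE itself uses is not documented on this page.

```python
"""Model of a NAT pool with and without PAT, to show what the PAT Enabled check box
changes. Added example for this guide; not ACE code. Pool addresses, inside hosts
and the translated port range are constructed for illustration."""
import ipaddress


class NatPool:
    def __init__(self, start_ip, end_ip=None, pat=False, port_range=(1024, 65535)):
        start = ipaddress.ip_address(start_ip)
        end = ipaddress.ip_address(end_ip) if end_ip else start  # blank End IP = one address
        if end.version != start.version or end < start:
            raise ValueError("End IP must be the same family as and not lower than Start IP")
        if int(end) - int(start) > 65535:
            raise ValueError("pool range too large for this model")
        self.globals = [str(ipaddress.ip_address(i)) for i in range(int(start), int(end) + 1)]
        self.pat = pat
        self.port_range = port_range
        self.forward = {}     # (inside_ip, inside_port) -> (global_ip, global_port)
        self.reverse = {}     # (global_ip, global_port) -> (inside_ip, inside_port)
        self.host_map = {}    # inside_ip -> global_ip, used only without PAT
        self.next_port = {g: port_range[0] for g in self.globals}

    def translate(self, inside_ip, inside_port):
        """Outbound flow: return the (global_ip, global_port) the pool assigns."""
        key = (str(ipaddress.ip_address(inside_ip)), inside_port)
        if key in self.forward:
            return self.forward[key]                 # an existing flow keeps its mapping
        mapped = self._alloc_pat() if self.pat else self._alloc_one_to_one(key[0], inside_port)
        self.forward[key] = mapped
        self.reverse[mapped] = key
        return mapped

    def untranslate(self, global_ip, global_port):
        """Return traffic: find the inside flow for a (global_ip, global_port), or None."""
        return self.reverse.get((str(ipaddress.ip_address(global_ip)), global_port))

    def _alloc_one_to_one(self, inside_ip, inside_port):
        # Without PAT every inside host needs its own global address; the source port is kept.
        g = self.host_map.get(inside_ip)
        if g is None:
            used = set(self.host_map.values())
            free = [x for x in self.globals if x not in used]
            if not free:
                raise RuntimeError("NAT pool exhausted: every global address is already assigned")
            g = free[0]
            self.host_map[inside_ip] = g
        return (g, inside_port)

    def _alloc_pat(self):
        # With PAT many inside flows share one global address; the translated source
        # port is what tells them apart, so the pool runs out only when the ports do.
        for g in self.globals:
            while self.next_port[g] <= self.port_range[1]:
                cand = (g, self.next_port[g])
                self.next_port[g] += 1
                if cand not in self.reverse:
                    return cand
        raise RuntimeError("PAT pool exhausted: no free (global address, port) left")
```

Exhaustion is the failure mode to size for: without PAT the model refuses a third inside host as soon as a two-address pool is in use, while with PAT each global address serves roughly 64 thousand concurrent flows. The model does not check the inside address family against the pool, which matches the Note below: an IPv4 client can be mapped onto an IPv6 pool address, which is the source NAT the ACE requires for IPv4-to-IPv6 or IPv6-to-IPv4 load balancing.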
Note The options that appear when you choose Config > Devices > context depend on the device associated
with the virtual context and the role associated with your account.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Note When server load balancing is IPv6 to IPv4 or IPv4 to IPv6, you must configure source NAT.
Assumption
You have successfully configured at least one VLAN interface (see the “Configuring Virtual Context
VLAN Interfaces” section on page 12-6).
Procedure
Step 1 Choose Config > Devices > context > Network > NAT Pools.
The NAT Pools table appears.
Step 2 In the NAT Pools table, click Add to add a new NAT pool, or choose an existing NAT pool and click Edit
to modify it.
Note If you click Edit, not all of the fields can be modified.
Step 3 Choose the VLAN interface that you want to configure a NAT pool for and click the NAT Pool tab.
The NAT Pool configuration table appears.
Step 4 In the NAT Pool configuration table, click Add to add a new entry.
Step 5 In the VLAN ID field, from the drop-down list, choose a VLAN entry.
Step 6 In the NAT Pool ID field, either accept the automatically incremented entry or enter a new number to
uniquely identify this pool.
Valid entries are from 1 to 2147483647.
Step 7 In the IP Address Type field, choose either IPv4 or IPv6.
This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which
supports IPv4 and IPv6.
Step 8 In the Start IP Address field, enter an IP address for the selected IP Address Type.
This entry identifies either a single IP address or, if using a range of IP addresses, the first IP address in
a range of global addresses for this NAT pool.
Step 9 In the End IP Address field, enter the highest IP address in a range of global IP addresses for this NAT pool.
Enter the IP address for the selected IP Address Type. Leave this field blank if you want to identify only
the single IP address in the Start IP Address field.
Step 10 Depending on the IP address type that you chose, do one of the following:
• For IPv4, in the Netmask field, choose the subnet mask for the global IP addresses in the NAT pool.
• For IPv6, in the Prefix Length field, enter the prefix length for the global IP addresses in the NAT
pool.
Step 11 Check the PAT Enabled check box to instruct the ACE to perform port address translation (PAT) in addition
to NAT.
Uncheck the check box to indicate that the ACE is not to perform port address translation (PAT) in
addition to NAT.
Step 12 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click Cancel to exit this procedure without saving your entries and to return to the NAT Pools table.
• Click Next to deploy your entries and to add another NAT Pool entry.
Related Topics
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces, page 12-19
Configuring Virtual Context Static Routes
You can configure static routes for a context. Admin and user contexts do not support dynamic routing,
so you must configure a static route for every network to which the ACE is not directly connected, for
example when a router sits between that network and the ACE.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Procedure
Step 1 Choose Config > Devices > context > Network > Static Routes.
The Static Routes configuration table appears and displays the following information:
• Destination prefix
• Destination prefix mask
• Next hop IP address
Step 2 In the Static Routes configuration table, click Add to add a new static route.
Note You cannot modify an existing static route. To make changes to an existing static route, you must
delete the static route and then add it back.
Step 3 In the IP Address Type, choose either IPv4 or IPv6 for the route.
This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which
supports IPv4 or IPv6.
Step 4 In the Destination Prefix field, enter the IP address based on the address type (IPv4 or IPv6) for the route.
The address that you specify for the static route is the destination address as it appears in the packet
when it enters the ACE, before the ACE performs network address translation.
Step 5 Depending on the IP address type that you chose, do one of the following:
• For IPv4, in the Destination Prefix Mask field, choose the subnet to use for this route.
• For IPv6, in the Destination Prefix-length field, enter the prefix length from 0 to 128 to use for this
route.
Step 6 (IPv6 IP address type only) For the Forward Interface Type, choose one of the following:
• N/A (Not applicable)
• VLAN
• BVI
If you select VLAN or BVI, select its number from the drop-down list. To configure a new interface, click
Plus; after configuring it, select its number from the drop-down list.
Step 7 In the Next Hop field, enter the IP address of the gateway router based on the address type (IPv4 or IPv6)
for this route.
The gateway address must be in the same network as a VLAN interface for this context.
Step 8 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click Cancel to exit this procedure without saving your entries and to return to the previous table.
• Click Next to deploy your entries and to add another static route.
Related Topics
• Configuring Virtual Contexts, page 6-8
• Configuring Virtual Context Primary Attributes, page 6-14
Configuring Global IP DHCP
You can configure the Dynamic Host Configuration Protocol (DHCP) relay agent at the context level so that
the configuration applies to all interfaces associated with the context. When you configure the ACE as a
DHCP relay agent, it forwards the requests and responses exchanged between DHCP clients and the DHCP
server. By default, the DHCP relay agent is disabled. You must configure a DHCP server when you
enable the DHCP relay agent.
Note The options that appear when you choose Config > Devices > context depend on the device associated
with the virtual context and the role associated with your account.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Procedure
Step 1 Choose Config > Devices > context > Network > Global IP DHCP.
The Global IP DHCP configuration table appears.
Step 2 From the Global IP DHCP configuration table, in the Enable DHCP Relay For The Context field, click
IPv4, IPv6, or both to enable DHCP relay for the context and all interfaces associated with this context.
For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not include
the IP version number and is for IPv4 only.
Step 3 In the Relay Agent Information Reforwarding Policy field, choose how the relay agent handles a client
message that already contains relay agent information (DHCP option 82) inserted by another relay:
• N/A—Does not configure a policy on the ACE, leaving its default handling of existing relay information.
• Keep—Leaves the existing relay agent information unchanged and forwards it as received.
• Replace—Overwrites the existing relay agent information with that of this relay agent.
Step 4 In the IP DHCP Server field, choose the IP DHCP server to which the DHCP relay agent is to forward
client requests.
Step 5 (Optional) In the IPv6 Forward Interface VLAN field, enter the number of the VLAN interface out of which
the ACE sends the relayed DHCPv6 message (the multicast relay message) toward the server. This is the
interface on which you configured the IPv6 DHCP Forward Interface VLAN field.
This field appears only for ACE module and ACE appliance software Version A5(1.0) or later.
Step 6 In the IPv6 DHCP Server field, specify one or more DHCPv6 servers, by IPv6 address, to which the DHCP
relay agent forwards client requests.
This field appears only for ACE module and ACE appliance software Version A5(1.0) or later.
Step 7 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click Cancel to exit this procedure without saving your entries and to return to the previous table.
• Click Next to deploy your entries and to add another DHCP relay entry.
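Keep and Replace in Step 3 decide what the ACE does with DHCP relay agent information (option 82) that another relay has already inserted into a client message. The following Python code is an added example, not ACE code, that parses the DHCPv4 options field, locates option 82 and applies the two policies before the message is forwarded; the relay identities and the sample client message are constructed for the example, and the N/A case (no policy pushed) is not modelled because this page does not state the ACE's default.

```python
"""DHCPv4 relay agent information (option 82) handling under the Keep and Replace
policies of Step 3. Added example for this guide; not ACE code. Option layout is
RFC 2132, sub-options are RFC 3046 (1 = Circuit ID, 2 = Remote ID); the relay
identities and the sample client message are constructed for this example."""

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(opts):
    """Return [(code, value), ...] in wire order; PAD is skipped, END terminates."""
    items, i = [], 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option body")
        items.append((code, value))
        i += 2 + length
    return items


def build_options(items):
    """Serialize [(code, value), ...] and terminate with END."""
    return b"".join(bytes([code, len(value)]) + value for code, value in items) + bytes([OPT_END])


def build_option82(circuit_id, remote_id):
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value):
    """Return {sub_option_code: bytes} for an option 82 value."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def relay_forward(options_field, policy, my_circuit_id, my_remote_id):
    """Rewrite the options of a client message before forwarding it to the server."""
    items = parse_options(options_field)
    existing = [v for c, v in items if c == OPT_RELAY_AGENT]
    others = [(c, v) for c, v in items if c != OPT_RELAY_AGENT]
    mine = build_option82(my_circuit_id, my_remote_id)
    if not existing:
        # First relay on the path: insert our own information.
        return build_options(others + [(OPT_RELAY_AGENT, mine)])
    if policy == "keep":
        # Trust whatever inserted the option downstream and forward it unchanged.
        return build_options(others + [(OPT_RELAY_AGENT, existing[0])])
    if policy == "replace":
        # Overwrite with this relay's own view of where the client is attached.
        return build_options(others + [(OPT_RELAY_AGENT, mine)])
    raise ValueError("policy must be 'keep' or 'replace'")
```

Replace is the conservative choice when the device in front of the ACE is not under your control: under Keep, a client that crafts its own option 82, or an untrusted downstream switch, gets its circuit-id and remote-id forwarded to the server unchanged, which matters if the DHCP server uses option 82 to decide address assignment or access policy.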
Configuring Static VLANs for Over 8000 Static NAT
Configurations
Note This feature applies to ACE modules only and was deprecated beginning with ACE software Version
A5(1.0).
You can create more than 8,000 static NAT configurations (one static NAT configuration with a netmask
is counted as one configuration). In addition, follow these restrictions and guidelines when using this
feature:
• This feature is supported in routed mode only.
• Only one mapped interface is allowed per virtual context. However, each static NAT configuration
must have a different mapped IP address.
• At any point, you can configure no more than one next-hop on the mapped interface.
• Bidirectional NAT, or in other words, source-address as well as destination-address translation, for
the same flow is not supported.
• You must have fewer than 1,000 real IP addresses on the same subnet as the real interface. In
addition, you must have fewer than 1,000 mapped IP address on the same subnet as the mapped
interface.
• If you use this feature, we recommend that you do not use MP-based NAT for the same virtual
context.
Procedure
Step 1 Choose Config > Devices > context > Network > Static NAT Overwrite.
The Static NAT Overwrite configuration table appears.
Step 2 In the Static NAT Overwrite configuration table, click Add to add a new static NAT.
Step 3 In the Mapped IP Address field, enter the IP address to which the real IP address is translated.
In a context, the mapped IP address must be different in each static NAT configuration.
Step 4 In the Real VLAN Number field, choose the VLAN number of the interface connected to the real IP
address network.
The list of available real VLANs includes routed mode VLANs only (for more information, see Interface
Type).
Step 5 In the Mapped VLAN Number field, choose the VLAN number of the interface connected to the mapped
IP address network.
The list of available mapped VLANs includes routed mode VLANs only (for more information, see
Interface Type). In a context, the mapped interface must be the same in each static NAT configuration.
Step 6 In the Real IP Address field, enter the real server IP address to be translated.
In a context, you must configure a different address for configurations that have the same real server
interface.
Step 7 In the Real IP Netmask field, choose the subnet mask for the real server address.
Step 8 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. This option appears for virtual contexts.
• Click Cancel to exit this procedure without saving your entries and to return to the previous table.
• Click Next to deploy your entries and to add another static NAT entry.
Configuring Gigabit Ethernet Interfaces on the ACE Appliance
Note This feature is for ACE appliances only.
You can configure a Gigabit Ethernet interface on the ACE appliance, which provides physical Ethernet
ports to connect servers, PCs, routers, and other devices to the ACE appliance. The ACE appliance
supports four Layer 2 Ethernet ports for performing Layer 2 switching. You can configure the four
Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks.
Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet
LAN, and can carry traffic within a designated VLAN.
A Layer 2 Ethernet port can be configured as follows:
• Member of Port-Channel Group—The port is configured as a member of a port-channel group,
which associates a physical port on the ACE appliance to a logical port to create a port-channel
logical interface. The VLAN association is derived from port-channel configuration. The port is
configured as a Layer 2 EtherChannel, where each EtherChannel bundles the individual physical
Ethernet data ports into a single logical link that provides the aggregate bandwidth of up to four
physical links on the ACE.
• Access VLAN—The port is assigned to a single VLAN. This port is referred to as an access port
and provides a connection for end users or node devices, such as a router or server.
• Trunk port—The port is associated with IEEE 802.1Q encapsulation-based VLAN trunking to
allocate VLANs to ports and to pass VLAN information (including VLAN identification) between
switches for all Ethernet channels defined in a Layer 2 Ethernet data port or a Layer 2 EtherChannel
(port-channel) group on the ACE appliance.
This section includes the following topics:
• Configuring Gigabit Ethernet Interfaces, page 12-32
• Displaying Gigabit Ethernet Interface Statistics and Status Information, page 12-35
Configuring Gigabit Ethernet Interfaces
This section describes how to configure Gigabit Interfaces on the ACE.
Procedure
Step 1 Choose Config > Devices > context > Network > GigabitEthernet Interfaces.
The GigabitEthernet Interfaces table appears.
Step 2 In the GigabitEthernet Interfaces table, click Poll Now to instruct ANM to poll the devices and display
the current values, and click OK when prompted to poll the devices for data.
Step 3 Choose an existing gigabit Ethernet interface, and click Edit to modify it.
Step 4 Enter the gigabit Ethernet physical interface attributes (see Table 12-5).
Table 12-5 Physical Interface Attributes
Field Description
Interface Name Name of the Gigabit Ethernet interface, which is in the format slot_number/port_number where
slot_number is the physical slot on the ACE for the specified port, and port_number is the physical Ethernet
data port on the ACE for the specified port.
Description Brief description for this interface.
Admin Status Administrative state of the interface: Up or Down.
Speed Port speed:
• Auto—Autonegotiate with other devices
• 10 Mbps
• 100 Mbps
• 1000 Mbps
Duplex Interface duplex mode:
• Auto—Resets the specified Ethernet port to automatically negotiate port speed and duplex of incoming
signals. This is the default setting.
• Full—Configures the specified Ethernet port for full-duplex operation, which allows data to travel in
both directions at the same time.
• Half—Configures the specified Ethernet port for half-duplex operation. A half-duplex setting ensures
that data only travels in one direction at any given time.
Port Operation Mode Port operation mode:
• N/A—Specifies that this option is not to be used.
• Channel Group—Maps the port to a port channel. You must specify:
– Port Channel Group Number—The port channel group number.
– HA VLAN—The high availability (HA) VLAN used for communication between the members of
the FT group.
• Switch Port—Specifies the interface switch port type:
– Access—The port is an access port. You must specify a VLAN in the Access VLAN field.
– Trunk—The port is a trunk port. When you choose Trunk, you must complete one or both of
the following fields:
- Trunk Native VLAN—Identifies the 802.1Q native VLAN for a trunk.
- Trunk Allowed VLANs—Selectively allocates individual VLANs to a trunk link.
HA VLAN High availability (HA) VLAN used for communication between the members of the FT group.
Carrier Delay Configurable delay at the physical port level to address issues with link transition time, which varies
with the peer device. Valid values are from 0 to 120 seconds. The default is 0 (no carrier delay).
Note If you connect an ACE to a Catalyst 6500 series switch, your configuration on the switch may
include the Spanning-Tree Protocol (STP). However, the ACE does not support STP. In this case,
you may find that the Layer 2 convergence time is much longer than the physical port up time. For
example, the physical port would normally be up within 3 seconds, but STP moving to the forwarding
state may need approximately 30 seconds. During this transitional time, although the ACE declares
the port to be up, traffic does not pass. In this case, you should specify a carrier delay.
QoS Trust COS Quality of Service (QoS) for the physical Ethernet port. By default, QoS is disabled for each physical
Ethernet port on the ACE.
QoS for a configured physical Ethernet port is based on VLAN Class of Service (CoS) bits (priority bits
that segment the traffic into eight classes of service). When you enable QoS on a port (a trusted
port), traffic is mapped into different ingress queues based on its VLAN CoS bits. If there are no VLAN
CoS bits, or QoS is not enabled on the port (an untrusted port), the traffic is mapped into the lowest
priority queue.
You can enable QoS for an Ethernet port configured for fault tolerance. In this case, heartbeat packets are
always tagged with CoS bits set to 7 (a weight of High).
Note We recommend that you enable QoS on the FT VLAN port to provide higher priority for FT traffic.
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your changes and to return to the Physical
Interface table.
• Click Next or Previous to go to the next or previous physical interface.
• Click Delete to remove this entry from the Physical Interface table and to return to the table.
Step 6 (Optional) To display statistics and status information for a particular Gigabit Ethernet interface, choose
the interface from the GigabitEthernet Interfaces table, and click Details.
The show interface gigabitEthernet CLI command output appears. See the “Displaying Gigabit
Ethernet Interface Statistics and Status Information” section on page 12-35 for details.
Related Topics
• Configuring Virtual Context VLAN Interfaces, page 12-6
• Configuring Virtual Context BVI Interfaces, page 12-19
• Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35
Displaying Gigabit Ethernet Interface Statistics and Status Information
You can display statistics and status information for a particular Gigabit Ethernet interface.
Procedure
Step 1 Choose Config > Devices > context > Network > GigabitEthernet Interfaces.
The GigabitEthernet Interfaces table appears.
Step 2 In the GigabitEthernet Interfaces table, choose a Gigabit Ethernet interface from the GigabitEthernet
Interfaces table, and click Details.
The show interface gigabitEthernet CLI command output appears. For details on the displayed output
fields, see the Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide.
Step 3 (Optional) Click Update Details to refresh the display.
Step 4 Click Close to return to the GigabitEthernet Interfaces table.
Related Topics
Configuring Gigabit Ethernet Interfaces on the ACE Appliance, page 12-32
Configuring Port-Channel Interfaces for the ACE Appliance
This section discusses how to configure port channel interfaces for the ACE appliance. It consists of the
following topics:
• Why Use Port Channels?, page 12-35
• Configuring a Port-Channel Interface, page 12-36
• Configuring a Catalyst 6500 Series Switch for an ACE Appliance Port-Channel Interface
Connection, page 12-38
• Displaying Port Channel Interface Statistics and Status Information, page 12-40
Why Use Port Channels?
A port channel groups multiple physical ports into a single logical port. This is also called port
aggregation or channel aggregation. A port channel containing multiple physical ports has several
advantages:
• Improves link reliability through physical redundancy.
• Allows greater total throughput to the ACE appliance. For example, four 1-Gigabit Ethernet
interfaces can be aggregated into a single 4-Gigabit channel.
• Allows traffic capacity to be scaled up in the future, without network disruption at that time. A port
channel can do everything a switched port can do, but a switched port cannot do everything a port
channel can do. We recommend that you use a port channel.
• Provides maximum flexibility of network configuration and focuses network configuration on
VLANs rather than physical cabling.
The disadvantage of a port channel is that it requires additional configuration on the switch to which the
ACE is connected, as well as on the ACE itself. Switches implement several methods of port aggregation,
and not every method works with the ACE. For an example of how to configure a Cisco Catalyst 6500 switch
to enable a port channel connection to the ACE, see the “Configuring a Catalyst 6500 Series Switch for an
ACE Appliance Port-Channel Interface Connection” section on page 12-38.
Using a port channel also requires more detailed knowledge of your network's VLANs, because all
“cabling” to and from the ACE will be handled over VLANs rather than using physical cables.
Nonetheless, use of port channels is highly recommended, especially in a production deployment of
ACE.
Figure 12-1 illustrates a port channel interface.
Figure 12-1 Example of a Port Channel Interface
Related Topics
Configuring a Port-Channel Interface, page 12-36
Displaying Port Channel Interface Statistics and Status Information, page 12-40
Configuring a Port-Channel Interface
Note This feature is for ACE appliances only.
You can group physical ports together on the ACE appliance to form a logical Layer 2 interface called
the port channel. All the ports belonging to the same port channel must be configured with same values;
for example, port parameters, VLAN membership, and trunk configuration. Only one port channel in a
channel group is allowed, and a physical port can belong to a single port-channel interface only.
Step 1 Choose Config > Devices > context > Network > Port Channel Interfaces.
The Port Channel Interface table appears.
Step 2 In the Port Channel Interface table, click Poll Now to instruct ANM to poll the devices and display the
current values, and click OK when prompted to poll the devices for data.
Step 3 Click Add to add a port channel interface, or choose an existing port channel interface and click Edit to
modify it.
Note If you click Edit, not all of the fields can be modified.
Step 4 Enter the port channel interface attributes (see Table 12-6).
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your changes and to return to the Port Channel
Interface table.
• Click Next to deploy your entries and to add another port-channel interface.
Table 12-6 Port Channel Interface Attributes
Field Description
Interface Number Channel number for the port-channel interface, which can be from 1 to 255.
Description Brief description for this interface.
Fault Tolerant VLAN Fault tolerant (FT) VLAN used for communication between the members of the FT group.
Admin Status Administrative state of the interface: Up or Down.
Load Balancing Method Header fields that are hashed to pick the member link for each frame:
• Dst-IP—Distributes load by destination IP address.
• Dst-MAC—Distributes load by destination MAC address.
• Dst-Port—Distributes load by destination TCP or UDP port.
• Src-Dst-IP—Distributes load by the combination of source and destination IP address.
• Src-Dst-MAC—Distributes load by the combination of source and destination MAC address.
• Src-Dst-Port—Distributes load by the combination of source and destination TCP or UDP port.
• Src-IP—Distributes load by source IP address.
• Src-MAC—Distributes load by source MAC address.
• Src-Port—Distributes load by source TCP or UDP port.
Switch Port Type Interface switchport type:
• N/A—Indicates that the switchport type is not specified.
• Access—Specifies that the port interface is an access port. You must specify a VLAN as an access
port in the Access VLAN field.
• Trunk—Specifies that the port interface is a trunk port. When you choose Trunk, you must
complete the following fields:
– Trunk Native VLAN—Identifies the 802.1Q native VLAN for a trunk.
– Trunk Allowed VLANs—Selectively allocate individual VLANs to a trunk link.
Step 6 (Optional) To display statistics and status information for a particular port-channel interface, choose the
interface from the Port Channel Interfaces table, and click Details.
The show interface port-channel CLI command output appears. See the “Displaying Port Channel
Interface Statistics and Status Information” section on page 12-40 for details.
Related Topics
• Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35
• Displaying Port Channel Interface Statistics and Status Information, page 12-40
• Configuring Virtual Context VLAN Interfaces, page 12-6
Configuring a Catalyst 6500 Series Switch for an ACE Appliance Port-Channel
Interface Connection
This section provides information for you to configure a port-channel interface on a network device such
as the Catalyst 6500 Series switch. After you configure the port channels for the ACE appliance through
ANM and you physically connect the Gigabit Ethernet physical interfaces on the ACE appliance to the
Catalyst 6500 Series switch ports, configure the port channels on the switch. The information outlined
in this topic is intended as an example of configuring port channels on a switch. You can adapt this
information for whatever switch the ACE appliance is connected to in your network.
For specific details on configuring the Catalyst 6500 Series switch, see the documentation set on
www.Cisco.com.
This section includes the following topics:
• Creating the Port Channel Interface on the Catalyst 6500
• Adding Interfaces to the Port Channel
Creating the Port Channel Interface on the Catalyst 6500
This section contains an example in which a Catalyst 6500 Series switch is configured with a port
channel using an 802.1q trunk that allows the associated VLANs. The native VLAN of the trunk is
VLAN 10.
Note Do not use the default VLAN 1 as the native VLAN, because VLAN 1 is used internally on the
ACE appliance. Because untagged frames received on the trunk are placed in the native VLAN, choose
a VLAN that carries no client or server traffic.
Port-channel load balancing distributes the traffic across the links in the port channel so that every
link is used. The Catalyst 6500 Series switch can hash on MAC addresses, IP addresses, or Layer 4 port
numbers, using the source field, the destination field, or both. By default, the ACE appliance uses
Src-Dst-MAC for its own load-balancing decision (see Table 12-6). We recommend that you hash on the
source and destination Layer 4 ports on the switch: when a router or firewall sits between the clients and
the ACE, every frame carries the same pair of MAC addresses (and, behind a NAT device, often the same
pair of IP addresses), so a MAC- or IP-based hash pins all of that traffic to a single member link.
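To see why the Layer 4 port fields are the safer choice, here is a small Python simulation added for this guide (it is not Cisco code, and the XOR-modulo hash it uses is an assumption standing in for the proprietary Catalyst algorithm). It builds 64 constructed client connections to one virtual IP that arrive through a router, so every frame carries the same MAC pair, and counts how many of the four member links each Table 12-6 method actually uses, both with distinct client addresses and with all clients behind a single NAT address:

```python
"""Port-channel load-balancing field choice, as a simulation.

Added example, not code from the ANM guide or from Cisco. The Catalyst 6500 hash is
proprietary; this model XORs the integer value of the selected header fields and takes the
result modulo the number of member links. That is an ASSUMPTION made only to show how the
choice of fields decides whether flows spread across the bundle or collapse onto one link.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Field selectors named after the ANM "Load Balancing Method" values in Table 12-6.
METHODS = {
    "Dst-IP": lambda f: (f.dst_ip,),
    "Dst-MAC": lambda f: (f.dst_mac,),
    "Dst-Port": lambda f: (f.dst_port,),
    "Src-Dst-IP": lambda f: (f.src_ip, f.dst_ip),
    "Src-Dst-MAC": lambda f: (f.src_mac, f.dst_mac),
    "Src-Dst-Port": lambda f: (f.src_port, f.dst_port),
    "Src-IP": lambda f: (f.src_ip,),
    "Src-MAC": lambda f: (f.src_mac,),
    "Src-Port": lambda f: (f.src_port,),
}


def _as_int(value):
    """Turn a MAC string, IPv4 string or port number into an integer for hashing."""
    if isinstance(value, int):
        return value
    if ":" in value:
        return int(value.replace(":", ""), 16)
    return int(ipaddress.ip_address(value))


def member_link(flow, method, links=4):
    """Simplified hash: XOR of the selected fields, modulo the number of links (assumption)."""
    h = 0
    for field in METHODS[method](flow):
        h ^= _as_int(field)
    return h % links


def distribution(flows, method, links=4):
    """Count how many flows land on each member link under the given method."""
    return Counter(member_link(f, method, links) for f in flows)


def links_used(flows, method, links=4):
    """Number of distinct member links that carry at least one flow."""
    return len(distribution(flows, method, links))


# Constructed scenario: 64 client connections to one VIP (10.20.0.10:443). Clients sit behind
# a router, so every frame the switch hashes carries the router's MAC and the ACE's VMAC
# (00-0b-fc-fe-1b-<group ID> per the ACE redundancy section; FT group 1 here).
ROUTER_MAC = "00:00:5e:00:01:0a"
ACE_VMAC = "00:0b:fc:fe:1b:01"
VIP = "10.20.0.10"


def client_flows(single_source_ip=None):
    """64 flows; with single_source_ip set, all clients appear behind one NAT/proxy address."""
    return [
        Flow(ROUTER_MAC, ACE_VMAC,
             single_source_ip or f"192.0.2.{i + 1}", VIP,
             49152 + i, 443)
        for i in range(64)
    ]


if __name__ == "__main__":
    for label, flows in (("distinct client IPs", client_flows()),
                         ("all clients behind 198.51.100.1", client_flows("198.51.100.1"))):
        print(label)
        for method in ("Src-Dst-MAC", "Src-Dst-IP", "Src-Dst-Port"):
            print(f"  {method:13s} -> {links_used(flows, method)} of 4 links used, "
                  f"{dict(sorted(distribution(flows, method).items()))}")
```

Run it directly to print the per-link counts. With Src-Dst-MAC everything lands on one link, Src-Dst-IP spreads the flows until the clients share a NAT address, and Src-Dst-Port spreads them in both cases because the ephemeral source ports still differ. The real hash is not this XOR, but the collapse happens for the same reason: a hash over fields that never vary has only one value.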
The following example illustrates the CLI commands used to configure a port channel interface for the
Catalyst 6500 Series switch:
Switch(config)# port-channel load-balance src-dst-port
Switch(config)# interface port-channel 1
Switch(config-if)# description For Connection with ACE Appliance
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 10
Switch(config-if)# switchport trunk allowed vlan 10,20,30,31,40,50
Switch(config-if)# switchport nonegotiate
Switch(config-if)# mls qos trust cos
After you configure the port channel on the Catalyst 6500 Series switch, add the four member interfaces
to it as described in the “Adding Interfaces to the Port Channel” section on page 12-39.
Note The ACE appliance does not support Port Aggregation Protocol (PAgP) or Link Aggregation Control
Protocol (LACP), so the port-channel interface is configured using mode on. Because no protocol
negotiates the bundle, neither side can detect a miscabled member or a mismatched member
configuration; verify the bundle with show etherchannel summary on the switch after cabling.
Adding Interfaces to the Port Channel
The following example illustrates the CLI commands used to configure the four switch ports 3/9 through
3/12 as members of the port channel on the Catalyst 6500 Series switch:
Switch(config-if)# int range Gig 3/9 - 12
Switch(config-if-range)# channel-group 1 mode on
Switch(config-if-range)# speed 1000
Switch(config-if-range)# spanning-tree portfast trunk
Switch(config-if-range)# no shut
On the ACE appliance, you can set the Ethernet port speed to 10, 100, or 1000 Mbps in the Speed field
of the Gigabit Ethernet physical interface attributes (see Table 12-5). The ACE appliance default is to
auto-negotiate the interface speed. We recommend that you configure the speed to 1000 on both the
Catalyst 6500 Series switch and the ACE appliance rather than relying on auto-negotiation. A fixed
setting of 1000 avoids a member link coming up below Gigabit speed and ensures that the four-member
port-channel interface reaches its maximum 4 Gbps throughput.
The ACE appliance does not implement the Spanning-Tree protocol and does not take part in the
Spanning-Tree root bridge election. PortFast is configured on the Catalyst 6500 Series switch so that the
ports connected to the ACE move immediately to the forwarding state, bypassing the blocking, listening,
and learning states, which reduces the time before spanning tree allows traffic on the port. Without
PortFast a switch port takes approximately 30 seconds to reach the forwarding state; with PortFast this
drops to approximately 5 seconds.
Note In virtual partitions operating in bridge mode, the ACE offers an option to bridge Spanning-Tree BPDUs
between two VLANs to prevent a loop. Such a loop can occur when two partitions actively forward
traffic. This should not happen during normal operation; however, bridging the BPDUs provides a
safeguard against this condition: upon receiving its own BPDUs back, the switch connected to the ACE
appliance immediately blocks the port/VLAN on which the loop originated. We recommend that you
configure an EtherType ACL that permits the BPDU protocol and apply the ACL to the Layer 2 interfaces
in bridge mode.
Displaying Port Channel Interface Statistics and Status Information
You can display statistics and status information for a particular port-channel interface.
Procedure
Step 1 Choose Config > Devices > context > Network > Port Channel Interfaces.
The Port Channel Interfaces table appears.
Step 2 In the Port Channel Interfaces table, choose a port-channel interface from the Port Channel Interfaces
table, and click Details.
The show interface port-channel CLI command output appears. For details about the displayed output
fields, see the Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide.
Step 3 (Optional) Click Update Details to refresh the display.
Step 4 Click Close to return to the Port Channel Interfaces table.
Related Topics
Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35
CHAPTER 13
Configuring High Availability
Date: 3/28/12
This chapter describes how to configure high availability for ANM servers and ACE devices.
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Understanding ANM High Availability, page 13-2
• Understanding ACE Redundancy, page 13-6
• Configuring ACE High Availability, page 13-14
• Configuring ACE High Availability Peers, page 13-15
• Clearing ACE High Availability Pairs, page 13-17
• Configuring ACE High Availability Groups, page 13-17
• Displaying High Availability Group Statistics and Status, page 13-21
• Switching Over an ACE High Availability Group, page 13-22
• Deleting ACE High Availability Groups, page 13-23
• ACE High Availability Tracking and Failure Detection Overview, page 13-23
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
• Tracking Hosts for High Availability, page 13-25
• Configuring Host Tracking Probes, page 13-26
• Configuring ACE Peer Host Tracking Probes, page 13-28
• Configuring ACE HSRP Groups, page 13-29
• Synchronizing ACE High Availability Configurations, page 13-30
• Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32
Understanding ANM High Availability
ANM high availability (or fault tolerance) keeps the ANM management service available if an ANM server
becomes unresponsive or a critical host or interface fails, by switching over to a standby server. High
availability uses two ANM nodes, where one node is the active node and the other is the standby node.
The ANM high availability features are as follows:
• Automatic determination of node status, whether active or standby, using heartbeat counts.
• Designation of the virtual IP address (VIP), which is associated with the active node.
• Near real-time replication of ANM configuration and events after a failover occurs.
• Automatic inspection of certificate/key presence on HA peer upon SSL certificate or key import.
During normal operation, ANM high availability performs the following actions:
• The two nodes constantly exchange heartbeat packets over both interfaces.
• Database operations that occur on the active node’s database are replicated on the standby node’s
database.
• The monitor function ensures that the necessary processes are running on both the active and
standby node. For example, not all processes necessarily run on the standby node, so after a node
changes from active to standby, ANM high availability function stops certain processes on the
standby node.
When you log into ANM, you log in using a virtual IP address (VIP) that associates with the active node.
The VIP is the only IP address you need to remember. If the current active node fails, the standby node
takes over as the active node and the VIP automatically associates with the node that has just become
active. When a failover occurs and the standby node becomes the active node, all existing web sessions
are lost. In addition, there is a slight delay while the standby node takes over as the active node. After
the switchover is complete and the ANM fully initializes, you can log into ANM using the same VIP. All
ANM functions remain the same.
ANM uses heartbeat counts to determine when a failover should occur. Because both nodes are
constantly sending and receiving heartbeat packets, if heartbeat packets are no longer being received on
a node, its peer node is determined to be dead. If this peer node was the active node, then the standby
node takes over as the active node. The VIP automatically associates with the newly active node, and the
monitoring process starts any necessary processes on the newly active node that were not already
running.
Similarly, if you manually issue a failover to cause the active node to become the standby node, the
heartbeat process disassociates the VIP from the node and tells the monitoring function to stop processes
that are not normally run on the standby node.
Related Topics
• Understanding ANM High Availability Processes, page 13-3
• Configuring ANM High Availability Overview, page 13-3
• CLI Commands for ANM High Availability Processes, page 13-4
• Recovering From an HA Database Replication Failure, page 13-6
Understanding ANM High Availability Processes
During normal high availability operation, the active node runs all ANM processes required for normal
operation of ANM. The standby node runs only a minimal set of processes. Table 13-1 lists the
processes, their descriptions, and on which node they run.
Note If you are running standalone ANM, all processes shown in Table 13-1, with the exception of the heartbeat
process, are constantly running.
Related Topics
• CLI Commands for ANM High Availability Processes, page 13-4
• Understanding ANM High Availability, page 13-2
• Configuring ACE High Availability, page 13-14
• Understanding ACE Redundancy, page 13-6
Configuring ANM High Availability Overview
Configuring ANM high availability depends on whether you are using ANM Virtual Appliance or ANM
server.
ANM Virtual Appliance
You can implement redundancy for ANM Virtual Appliance using the high availability feature of the
underlying VMware vSphere platform. VMware HA (High Availability) detects faults in the operation
of managed virtual machines and provides redundancy in case of a failure.
You implement VMware HA for ANM Virtual Appliance in the same manner as for any VM-based
application running on VMware infrastructure; that is, ANM Virtual Appliance does not impose any
special requirements for implementing VMware HA.
For additional information about installing ANM Virtual Appliance, see the Installation Guide for the
Cisco Application Networking Manager 5.2 Virtual Appliance.
Table 13-1 ANM High Availability Processes

Process     Description                                                       Node on Which Process Runs
Monit       Starts, stops, restarts, and monitors local ANM processes         Active and standby
Heartbeat   Provides UDP-based heartbeat between nodes, helps determine       Active and standby
            active vs. standby states, and associates the VIP
Mysql       Provides persistent storage and implements database               Active and standby
            replication between active and standby nodes
ANM         Java process                                                      Active node only
DAL         Java process                                                      Active node only
Ip-disc     Java process                                                      Active node only
Licman      Java process for license management                               Active and standby
ANM Server
ANM high availability consists of two nodes, which both run the ANM software. Each node must have
at least two network interfaces as follows:
• A primary interface, normally used to access the node.
• A heartbeat interface, which is used to provide additional redundancy. The heartbeat interfaces of
the two nodes must be connected via a crossover Ethernet connection.
• The two Ethernet interfaces used on one of the hosts should match the two interfaces used on the
other host, with regard to the subnets they participate in. For example, if HA Node 1 uses eth0 for
the primary interface and eth1 for the heartbeat interface, then HA Node 2 should also use eth0 for
the primary interface and eth1 for the heartbeat interface.
Note ANM does not configure the primary and heartbeat IP addresses of the nodes’ interfaces. You must
manually configure the node’s interfaces.
When you installed ANM, you provided values for the high availability parameters and determined the
node IDs of the two nodes designated as Node 1 and Node 2. For additional information about the
installation parameters, see the Installation Guide for Cisco Application Networking Manager 5.2.
Related Topics
• Understanding ANM High Availability, page 13-2
• Configuring ACE High Availability Groups, page 13-17
• Configuring ACE High Availability, page 13-14
CLI Commands for ANM High Availability Processes
You use two commands to view ANM processes:
• Use the /opt/CSCOanm/bin/anm-tool command to start and stop the ANM processes and to view
the status of the ANM processes.
• Use the /opt/CSCOanm/bin/anm-ha command to check high availability configuration or to force
a node to become standby or active.
Table 13-2 lists the sub-commands and their descriptions.
Related Topics
• Understanding ANM High Availability Processes, page 13-3
Table 13-2 CLI Sub-commands for Processes

Command: /opt/CSCOanm/bin/anm-tool

info-services: Indicates the state of all ANM processes. This command does not return process status
if monit is not running.
Note Monit must be running in order for the info-services command to provide status information.

stop-services: Stops all ANM processes, including monit.
Note When ANM is running in HA mode and the standby ANM is just starting up, the active ANM copies
its entire database to the standby ANM. During the copy process, the active ANM cannot be stopped or
restarted using the anm-tool command. Check the Admin > ANM Management page for the HA
Replication Status and wait until the status is set to OK before attempting to stop ANM.

start-services: Starts the relevant ANM processes.

restart-services: Restarts the relevant ANM processes.
Note When ANM is running in HA mode and the standby ANM is just starting up, the active ANM copies
its entire database to the standby ANM. During the copy process, the active ANM cannot be stopped or
restarted using the anm-tool command. Check the Admin > ANM Management page for the HA
Replication Status and wait until the status is set to OK before attempting to restart ANM.

info: Provides additional information (state, whether running or stopped, start time, and PID) regarding
the Java processes. Monit need not be running for this command to return information.

Command: /opt/CSCOanm/bin/anm-ha

check: Checks the local node’s high availability configuration. If errors are returned, HA might not
function correctly until you fix the errors.
Note You must run this command on both the active and standby node.
While errors might indicate a problem, they could also simply indicate a known condition. For example,
you receive a warning if the ANM cannot ping the peer node via either of the specified IP addresses;
however, if the peer is down, the warning can be ignored because this is a known issue. It is also possible
that no error is returned even though there is a configuration problem. For example, the configuration
of the two nodes must match; however, the check sub-command cannot validate that the configurations
match.

active: Forces the local node to become active and the peer node to become the standby node.

standby: Forces the local node to become standby and the peer node to become the active node.
• Understanding ANM High Availability, page 13-2
• Configuring ACE High Availability, page 13-14
• Understanding ACE Redundancy, page 13-6
Recovering From an HA Database Replication Failure
This section provides an overview of the database replication process that occurs between ANM HA
active and standby nodes and how to recover from a replication failure.
When the active ANM is running and the standby ANM is just starting up, the active ANM copies its
entire database to the standby ANM. This process normally takes from a few seconds to a few minutes
depending on the size of the configuration data and monitoring data. During the replication process, the
active ANM database is locked and the active ANM cannot be stopped or restarted using the anm-tool
command nor can it perform a failover.
It is possible for the database replication process to fail if the standby ANM is stopped or powered down,
the connectivity is down, or the active ANM is powered down. The failure of the replication process does
not affect the integrity of the active ANM database. The procedure in this section describes what to do
if you encounter a replication failure.
Procedure
Step 1 Check the standby ANM and make sure that it has stopped.
If the standby ANM is still running, stop it because its database might be incomplete due to the
replication failure.
Step 2 Check the connectivity between the active ANM and standby ANM and make sure that both links are up
and connected.
Step 3 Do one of the following:
• If the active ANM is still running, login and check to see that its configuration is normal.
• If the active ANM has stopped or powered down, restart it now.
Step 4 After the active ANM is running normally, restart the standby ANM.
Caution Do not restart the standby ANM before the active ANM is running and operating normally.
Step 5 From the standby ANM GUI, choose Admin > ANM Management to display the ANM Server window
and make sure that the HA Replication Status is set to OK before performing any daily management
tasks.
Understanding ACE Redundancy
ACE module redundancy (or fault tolerance) uses a maximum of two ACEs in the same Catalyst 6500
switch or in separate switches to ensure that your network remains operational even if one of the modules
becomes unresponsive.
ACE appliance redundancy uses a maximum of two ACEs to ensure that your network remains
operational even if one of the ACE appliances becomes unresponsive.
Note Redundancy is supported between ACEs of the same type only. Redundancy is not supported between
an ACE appliance and an ACE module operating as peers. Redundancy must be of the same ACE device
type and software version.
For additional information about ACE redundancy, see either the Cisco Application Control Engine
Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance
Administration Guide.
This section includes the following topics:
• ACE High Availability Polling, page 13-7
• ACE Redundancy Protocol, page 13-8
• ACE Stateful Failover, page 13-9
• ACE Fault-Tolerant VLAN, page 13-10
• ACE Configuration Synchronization, page 13-11
• ACE Redundancy Configuration Requirements and Restrictions, page 13-12
• ACE High Availability Troubleshooting Guidelines, page 13-12
ACE High Availability Polling
Approximately every two minutes, the ANM issues the show ft group command to the ACE to gather
the redundancy statistics of each virtual context. The state information is displayed in the HA State and
HA Autosync fields when you click Config > Devices > virtual context.
Note To display statistics and status information for a particular high availability group displayed in the High
Availability (HA) Setup window (Config > Devices > admin_context > High Availability (HA) > Setup),
see the “Displaying High Availability Group Statistics and Status” section on page 13-21.
The possible HA states are as follows:
• Active—Local member of the FT group is active and processing flows.
• Standby Cold—Indicates that the FT VLAN is down but the peer ACE is still alive, or that the
configuration or application state synchronization failed. When a context is in this state and a
switchover occurs, the transition to the ACTIVE state is stateless, so existing connections are lost.
• Standby Bulk—Local standby context is waiting to receive state information from its active peer
context. The active peer context receives a notification to send a snapshot of the current state
information for all applications to the standby context.
• Standby Hot—Local standby context has all the state information it needs to statefully assume the
active state if a switchover occurs.
• Standby Warm—Allows the configuration and state synchronization process to continue on a
best-effort basis when you upgrade or downgrade the ACE software.
• Inconclusive—Indicates that ANM determined that the given ACE is configured in HA but found more
than one ACE module or ACE appliance that appeared to be a peer, so it could not conclusively
identify a unique HA peer for the given ACE module or ACE appliance. For details on addressing this
state, see the “ANM Requirements for ACE High Availability” section on page 5-8.
Inconclusive is not shown in the HA State field but is shown in the HA Peer field. It is possible that
a context HA peer is inconclusive, but its HA State and HA Peer state are still shown normally
because these states are from context polling from the ACE device.
Note When you upgrade or downgrade the ACE from one software version to another, there is a point
in the process when the two ACEs have different software versions and, therefore, a software
incompatibility. When the Standby Warm state appears, this means that the active ACE will
continue to synchronize configuration and state information to the standby even though the
standby may not recognize or understand the software commands or state information. This
standby state allows the standby ACE to come up with best-effort support.
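The state list above is what ANM derives from show ft group. The following Python script, added here as an example (it is not ANM or ACE code), performs the same classification on a saved copy of the show ft group detail output and adds the expected VMAC for each group from the 00-0b-fc-fe-1b-groupID format given under “ACE Redundancy Protocol”. The sample output embedded in it is constructed to approximate the command's key : value layout; the field names, the FSM_FT_STATE_* tokens and the two-hex-digit encoding of the group ID in the VMAC are assumptions to check against your own ACE:

```python
"""Health check over the output of the ACE 'show ft group detail' command.

Added example, not code from the ANM guide or the ACE/ANM software. ANM polls 'show ft group'
roughly every two minutes and shows the result in the HA State field; this script does the
equivalent classification for a saved copy of the output, using the state meanings from the
"ACE High Availability Polling" list, and derives each group's expected VMAC from the
00-0b-fc-fe-1b-groupID format given under "ACE Redundancy Protocol".

ASSUMPTIONS: SAMPLE_OUTPUT is constructed to approximate the 'key : value' layout of
'show ft group detail'; the field names and FSM_FT_STATE_* tokens are as the author recalls
them and must be checked against a real ACE. Encoding the group ID as two hex digits in the
VMAC's last octet is also an assumption (the guide shows only the placeholder "groupID").
"""
import re

SAMPLE_OUTPUT = """\
FT Group                     : 1
No. of Contexts              : 1
Context Name                 : Admin
Context Id                   : 0
Configured Status            : in-service
My State                     : FSM_FT_STATE_ACTIVE
My Config Priority           : 110
My Preempt                   : Enabled
Peer State                   : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority         : 100
Peer Preempt                 : Enabled

FT Group                     : 2
No. of Contexts              : 1
Context Name                 : web
Context Id                   : 1
Configured Status            : in-service
My State                     : FSM_FT_STATE_STANDBY_COLD
My Config Priority           : 100
My Preempt                   : Enabled
Peer State                   : FSM_FT_STATE_ACTIVE
Peer Config Priority         : 110
Peer Preempt                 : Enabled
"""

ACTIVE = "FSM_FT_STATE_ACTIVE"

# Standby states and what a switchover from each would mean, per the guide's HA State list.
STANDBY_MEANING = {
    "FSM_FT_STATE_STANDBY_HOT": ("OK", "standby holds full state; switchover would be stateful"),
    "FSM_FT_STATE_STANDBY_BULK": ("WARN", "standby still receiving the state snapshot; should be transient"),
    "FSM_FT_STATE_STANDBY_WARM": ("WARN", "peers run different software; sync is best effort"),
    "FSM_FT_STATE_STANDBY_COLD": ("CRIT", "FT VLAN down or sync failed; switchover would be stateless"),
}

_KV = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_ft_groups(text):
    """Split the command output into one dict per FT group, keyed by the printed field names."""
    groups, current = [], None
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == "FT Group":
            current = {"group_id": int(val)}
            groups.append(current)
        elif current is not None:
            current[key] = val
    return groups


def vmac_for_group(group_id):
    """Expected virtual MAC for an FT group (format from the guide; hex encoding assumed)."""
    if not 1 <= group_id <= 255:
        raise ValueError("FT group IDs are 1-255")
    return f"00-0b-fc-fe-1b-{group_id:02x}"


def assess(group):
    """Return (level, reason) for one FT group from the local and peer member states."""
    mine, peer = group.get("My State", ""), group.get("Peer State", "")
    if mine == peer == ACTIVE:
        return "CRIT", "both members active; check the FT VLAN for a split brain"
    if ACTIVE not in (mine, peer):
        return "CRIT", f"no active member (local {mine or '?'}, peer {peer or '?'})"
    standby = peer if mine == ACTIVE else mine
    level, why = STANDBY_MEANING.get(standby, ("CRIT", f"unexpected standby state {standby or '?'}"))
    # Preemption sanity check: with preempt enabled, the higher-priority member should end up active.
    try:
        my_prio = int(group.get("My Config Priority", 0))
        peer_prio = int(group.get("Peer Config Priority", 0))
    except ValueError:
        return level, why
    active_prio, standby_prio = (my_prio, peer_prio) if mine == ACTIVE else (peer_prio, my_prio)
    standby_preempt = group.get("Peer Preempt" if mine == ACTIVE else "My Preempt", "")
    if level == "OK" and standby_preempt == "Enabled" and standby_prio > active_prio:
        return "WARN", "standby has higher priority and preempt enabled; a preemption switchover is pending"
    return level, why


def report(text):
    """One (group_id, context, expected VMAC, level, reason) tuple per FT group."""
    return [(g["group_id"], g.get("Context Name", "?"), vmac_for_group(g["group_id"]), *assess(g))
            for g in parse_ft_groups(text)]


if __name__ == "__main__":
    for row in report(SAMPLE_OUTPUT):
        print("FT group %d (%s) VMAC %s: %s - %s" % row)
```

Feed it the captured output of show ft group detail from the Admin context to cover every FT group at once; a group reported CRIT for Standby Cold is exactly the case the list above describes, where a switchover would succeed but drop every replicated connection.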
Related Topics
• ACE High Availability Polling, page 13-7
• ACE Redundancy Protocol, page 13-8
ACE Redundancy Protocol
You can configure a maximum of two ACEs of the same type (peers) for redundancy, either in the same
Catalyst 6500 switch or in different chassis. Each peer ACE can contain one or more fault-tolerant
(FT) groups. Each FT group consists of two members: one active context and one standby context. An
FT group has a unique group ID that you assign.
Note For the replication process to function properly and successfully replicate the configuration for a user
context when switching from the active context to the standby context, ensure that each user context has
been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to
function properly.
One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is
00-0b-fc-fe-1b-groupID. Because the VMAC does not change upon switchover, the client and server ARP
tables do not require updating. The ACE selects a VMAC from a pool of virtual MACs available to it.
For more information, see the “Configuring Virtual Contexts” section on page 6-8.
Each FT group acts as an independent redundancy instance. When a switchover occurs, the active
member in the FT group becomes the standby member and the original standby member becomes the
active member. A switchover can occur for the following reasons:
• The active member becomes unresponsive.
• A tracked host or interface fails.
• You force a switchover for a high availability group by clicking Switchover in the HA Groups table
(see the “Switching Over an ACE High Availability Group” section on page 13-22).
To outside nodes (clients and servers), the active and standby FT group members appear as one node
with respect to their IP addresses and associated VMAC. ACE provides active-active redundancy with
multiple contexts only when there are multiple FT groups configured on each ACE and both devices
contain at least one active group member (context). With a single context, the ACE supports
active-backup redundancy and each group member is an Admin context.
The ACE sends and receives all redundancy-related traffic (protocol packets, configuration data,
heartbeats, and state replication packets) on a dedicated FT VLAN. You cannot use this dedicated VLAN
for normal traffic.
To optimize the transmission of heartbeat packets for multiple FT groups and to minimize network
traffic, the ACE sends and receives heartbeat messages using a separate process. The ACE uses the
heartbeat to probe the peer ACE, rather than probe each context. When an ACE does not receive a
heartbeat from the peer ACE, all the contexts in the standby state become active. The ACE sends
heartbeat packets over UDP. You can set the frequency with which the ACE sends heartbeat packets as
part of the FT peer configuration. For details about configuring the heartbeat, see the “Configuring ACE
High Availability Peers” section on page 13-15.
The election of the active member within each FT group is based on a priority scheme. The member
configured with the higher priority is elected as the active member. If a member with a higher priority
appears after the other member has become active, the higher-priority member takes over as active. This
behavior is known as preemption and is enabled by default. You can override it by disabling the Preempt
parameter. With Preempt enabled, the higher-priority member asserts itself and becomes active as soon as
it is available again, so a failure of that member causes a second switchover when it recovers. For details
about configuring preemption, see the “Configuring ACE High Availability Groups” section on page 13-17.
For additional information about ACE redundancy, see either the Cisco Application Control Engine
Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance
Administration Guide.
Related Topics
• Understanding ACE Redundancy, page 13-6
• ACE High Availability Polling, page 13-7
ACE Stateful Failover
The ACE replicates flows on the active FT group member to the standby group member per connection
for each context. The replicated flows contain all the flow-state information necessary for the standby
member to take over the flow if the active member becomes unresponsive. If the active member becomes
unresponsive, the replicated flows on the standby member become active when the standby member
assumes mastership of the context. The active flows on the former active member transition to a standby
state to fully back up the active flows on the new active member.
Note For the replication process to function properly and successfully replicate the configuration for a user
context when switching from the active context to the standby context, ensure that the user context has
been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to
function properly.
Note By default, connection replication is enabled in the ACE.
13-10
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 13 Configuring High Availability
Understanding ACE Redundancy
After a switchover occurs, the same connection information is available on the new active member.
Supported end-user applications do not need to reconnect to maintain the same network session.
The state information passed to the standby ACE includes the following data:
• Network Address Translation (NAT) table based on information synchronized with the connection
record
• All Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections not
terminated by the ACE
• HTTP connection states (Optional)
• Sticky table
Note In a user context, the ACE allows a switchover only of the FT group that belongs to that context. In the
Admin context, the ACE allows a switchover of all FT groups in all configured contexts in the ACE.
To ensure that bridge learning occurs quickly upon a switchover in a Layer 2 configuration in the case
where a VMAC moves to a new location, the new active member sends a gratuitous ARP on every
interface associated with the active context. Also, when there are two VLANs on the same subnet and
servers need to send packets to clients directly, the servers must know the location of the gateway on the
client-side VLAN. The active member acts as the bridge for the two VLANs. In order to initiate learning
of the new location of the gateway, the new active member sends an ARP request to the gateway on the
client VLAN and bridges the ARP response onto the server VLAN.
For additional information about ACE redundancy, see either the Cisco Application Control Engine
Module Administration Guide or Cisco 4700 Series Application Control Engine Appliance
Administration Guide.
Related Topics
• Understanding ACE Redundancy, page 13-6
ACE Fault-Tolerant VLAN
ACE redundancy uses a dedicated fault-tolerant VLAN between redundant ACEs of the same type to
transmit flow-state information and the redundancy heartbeat. Do not use this dedicated VLAN for
normal network traffic. You must configure this same VLAN on both peers. You also must configure a
different IP address within the same subnet on each ACE for the fault-tolerant VLAN.
The two redundant ACEs constantly communicate over the fault-tolerant VLAN to determine the
operating status of each ACE. The standby member uses the heartbeat packet to monitor the health of
the active member. The active member uses the heartbeat packet to monitor the health of the standby
member.
Communications over the switchover link include the following data:
• Redundancy protocol packets
• State information replication data
• Configuration synchronization information
• Heartbeat packets
For multiple contexts, the fault-tolerant VLAN resides in the system configuration data. Each
fault-tolerant VLAN on the ACE has one unique MAC address associated with it. The ACE uses these
ACE MAC addresses as the source or destination MACs for sending or receiving redundancy protocol
state and configuration replication packets.
Note The IP address and the MAC address of the fault-tolerant VLAN do not change at switchover.
For additional information about ACE redundancy, see either the Cisco Application Control Engine
Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance
Administration Guide.
Related Topics
• Understanding ACE Redundancy, page 13-6
ACE Configuration Synchronization
For redundancy to function properly, both members of a fault-tolerant group must have identical
configurations. The ACE automatically replicates the active configuration on the standby member using
a process called configuration synchronization (config sync). Config sync automatically replicates any
changes made to the configuration of the active member to the standby member. After the ACE
synchronizes the redundancy configuration from the active member to the standby peer, it disables
configuration mode on the standby. See the “Configuring ACE High Availability Peers” section on
page 13-15.
Note The Application Networking Manager manages local configurations only.
When ANM detects a pair of ACE peers operating in high availability (HA), ANM allows you to make
configuration changes on either the active or standby ACE. ANM then automatically (and seamlessly)
pushes the configuration to the active ACE and locally replicates the configuration on the standby ACE
that was imported into ANM. This action is similar to what the ACE itself performs for its peers.
Note Keep in mind that a configuration pushed while the standby ACE is selected does not mean that
ANM pushed the configuration to the standby ACE. Typically, with auto-sync turned off, configuration
changes are disabled on the standby ACE. In this case, ANM tries to push the configuration to the active
ACE in the HA device pair.
For additional information about ACE redundancy, see either the Cisco Application Control Engine
Module Administration Guide or Cisco 4700 Series Application Control Engine Appliance
Administration Guide.
Related Topics
• Understanding ACE Redundancy, page 13-6
• Synchronizing ACE High Availability Configurations, page 13-30
• Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32
ACE Redundancy Configuration Requirements and Restrictions
Follow these requirements and restrictions when configuring the ACE redundancy feature.
• In bridged mode (Layer 2), two contexts cannot share the same VLAN.
• To achieve active-active redundancy, a minimum of two contexts and two fault-tolerant groups are
required on each ACE.
• When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the
Down state. The IP address and the peer IP address that you assign to a VLAN interface should be
in the same subnet, but different IP addresses. For more information about configuring VLAN
interfaces, see the “Configuring Virtual Context VLAN Interfaces” section on page 12-6.
• When importing an ACE HA pair into ANM, follow one of the configuration requirements outlined
below for ANM to uniquely identify the ACE HA pair:
– Use a unique combination of FT interface VLAN and FT IP address/peer IP address for every
ACE HA pair imported into ANM. For HA, it is critical that the combination of FT interface
VLAN and IP address/peer IP address always be unique across every pair of ACE peer devices.
– Define a peer IP address in the management interface, using the management IP address of the
peer ACE (module or appliance). Note that the management IP address and management peer
IP address used for this definition should be the management IP address used to import both
ACE devices into ANM.
For more information about the use of multiple HA pairs imported into ANM, see the “ANM
Requirements for ACE High Availability” section on page 5-8.
For additional information about ACE redundancy, see either the Cisco Application Control Engine
Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance
Administration Guide.
Related Topics
• Understanding ANM High Availability, page 13-2
ACE High Availability Troubleshooting Guidelines
This section provides the following set of guidelines for troubleshooting an ACE high availability (or
redundancy) configuration in ANM:
• If the high availability setup of two ACE devices is successful, the HA State field of the ACE HA
Management table should indicate no errors. If the HA State field does not read Compatible, verify
that both ACE devices are the same type of hardware. ACE modules cannot be synchronized with
ACE appliances.
• If the high availability setup of two ACE devices is successful, the License Compatibility and SRG
Compatibility fields of the show ft peer CLI command output on the ACE (module or appliance)
should indicate no errors. See either the Cisco Application Control Engine Module Administration
Guide or Cisco 4700 Series Application Control Engine Appliance Administration Guide for details
on the show ft peer CLI command.
– If the SRG Compatibility field indicates a problem, this means that the versions of the ACE
software running on the devices are not compatible with each other. One or both of the devices
will need to have an appropriate version of the ACE software installed before they can be
synchronized.
– If the License Compatibility field indicates a licensing problem, go to the Licenses page of ACE
Hardware Setup (see the “Using ACE Hardware Setup” section on page 3-5) and make sure each
ACE device has a valid license installed. Licenses must be installed on each device separately
because each license is only valid for one hardware device.
For proper HA functionality, the licenses on both ACEs in the pair must be also compatible with
each other. This means both licenses must permit the same bandwidth and the same number of
virtual contexts.
Note If the licenses' bandwidth limits do not match, configuration synchronization may appear to
work (although Admin context synchronization may actually not be functional), and the License
Compatibility field may not show an error. However, failover from the higher bandwidth ACE
to a lower bandwidth ACE could result in loss of traffic.
Configuring ACE High Availability
The tasks involved with configuring high availability on ACE devices are described in Table 13-3.
Related Topics
• Understanding ACE Redundancy, page 13-6
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• ACE High Availability Tracking and Failure Detection Overview, page 13-23
• Synchronizing ACE High Availability Configurations, page 13-30
• Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32
Table 13-3 High Availability Task Overview
Task | Reference
Step 1 Create a fault-tolerant VLAN, identify peer IP addresses, and configure peer devices for heartbeat count and interval. | Configuring ACE High Availability Peers, page 13-15
Step 2 Reconcile SSL certificates and keys, create a fault-tolerant group, assign peer priorities, associate the group with a context, place the group in service, and enable automatic synchronization. | Configuring ACE High Availability Groups, page 13-17
Step 3 Configure tracking for switchover. | ACE High Availability Tracking and Failure Detection Overview, page 13-23
Configuring ACE High Availability Peers
Note This functionality is available for only Admin contexts.
Fault-tolerant peers transmit and receive heartbeat packets and state and configuration replication
packets. The standby member uses the heartbeat packet to monitor the health of the active member, while
the active member uses the heartbeat packet to monitor the health of the standby member. When the
heartbeat packets are not received from the active member when expected, switchover occurs and the
standby member assumes all active communications previously on the active member.
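To make the failure-detection timing concrete, here is an added Python model (not Cisco's or ANM's code) of the standby member's heartbeat check, using the Heartbeat Interval (100 to 1000 ms) and Heartbeat Count (10 to 50) ranges accepted by the HA Management window. The heartbeat arrival times are constructed, and the rule that a received heartbeat resets the miss counter is this model's own assumption.

```python
from typing import List, Optional


def validate_heartbeat_settings(interval_ms: int, count: int) -> None:
    """Enforce the ranges the HA Management window accepts for the FT peer."""
    if not 100 <= interval_ms <= 1000:
        raise ValueError(f"heartbeat interval {interval_ms} ms must be 100-1000")
    if not 10 <= count <= 50:
        raise ValueError(f"heartbeat count {count} must be 10-50")


def worst_case_detection_ms(interval_ms: int, count: int) -> int:
    """Silence must persist for `count` whole intervals before the standby reacts,
    so this is the longest the standby can stay idle after the active goes quiet."""
    validate_heartbeat_settings(interval_ms, count)
    return interval_ms * count


def standby_declares_active_down(interval_ms: int, count: int,
                                 heartbeat_arrivals_ms: List[int],
                                 observe_until_ms: int) -> Optional[int]:
    """Simulate the standby ACE's heartbeat timer.

    At the end of every interval the standby checks whether a heartbeat arrived
    during that interval. A received heartbeat resets the miss counter (model
    assumption); `count` consecutive empty intervals mean the active member is
    declared unavailable. Returns the time (ms) of that decision, or None if the
    active member was still considered up at observe_until_ms.
    """
    validate_heartbeat_settings(interval_ms, count)
    arrivals = sorted(heartbeat_arrivals_ms)
    idx = 0
    missed = 0
    deadline = interval_ms
    while deadline <= observe_until_ms:
        window_start = deadline - interval_ms
        received = False
        # Consume every heartbeat that arrived at or before this deadline; only
        # those inside the current window count for this interval.
        while idx < len(arrivals) and arrivals[idx] <= deadline:
            if arrivals[idx] > window_start:
                received = True
            idx += 1
        missed = 0 if received else missed + 1
        if missed >= count:
            return deadline
        deadline += interval_ms
    return None


# Constructed sample: the active member sends every 300 ms for 3 s, then stops.
STEADY_THEN_SILENT = [300 * i for i in range(1, 11)]
# Constructed sample: five heartbeats are lost in transit, then the stream resumes.
TRANSIENT_LOSS = [300, 600, 900, 2700, 3000, 3300, 3600]

if __name__ == "__main__":
    print("worst case:", worst_case_detection_ms(300, 10), "ms")
    print("silent active declared down at:",
          standby_declares_active_down(300, 10, STEADY_THEN_SILENT, 10_000), "ms")
    print("transient loss, declared down at:",
          standby_declares_active_down(300, 10, TRANSIENT_LOSS, 3_600))
```

With a 300 ms interval and a count of 10, the standby tolerates up to 3 s of silence; a burst of five lost heartbeats never reaches the count, so no switchover is triggered.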
Use this procedure to do the following tasks:
• Identify the two members of a high availability pair.
• Assign IP addresses to the peer ACEs.
• Assign a fault-tolerant VLAN to high availability peers and bind a physical gigabit Ethernet
interface to the FT VLAN.
• Configure heartbeat frequency and count on the ACEs in a fault-tolerant VLAN.
Note For ANM to properly manage high availability peers, ensure that the combination of FT interface VLAN,
IP address, and peer IP address is always unique across every pair of ACE devices in high availability
when those devices are imported into ANM. For details, see the “ANM Requirements for ACE High
Availability” section on page 5-8.
Assumption
At least one fault-tolerant VLAN has been configured.
Note A fault-tolerant VLAN cannot be used for other network traffic.
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears with two columns: one for the selected ACE and one for the peer
ACE.
Step 2 Click Edit and enter the information for the primary ACE and the peer ACE as described in Table 13-4.
Table 13-4 High Availability Management Configuration Attributes
Field | This Device | Peer Device
Module | Name of the ACE. | Not applicable.
VLAN | Fault-tolerant VLAN to be used for this high availability pair. Valid entries are from 1 to 4094. Note: This VLAN cannot be used for other network traffic. | Not applicable.
IP Address | IP address for the fault-tolerant VLAN in dotted-decimal format, such as 192.168.11.2. | IP address of the peer interface in dotted-decimal format, so that the peer ACE can communicate on the fault-tolerant VLAN.
Netmask | Subnet mask that is to be used for the fault-tolerant VLAN. | Not applicable.
Query VLAN | VLAN that the standby ACE is to use to determine whether the active ACE is down or whether there is a connectivity problem with the fault-tolerant VLAN. | VLAN that the standby ACE is to use to determine whether the active ACE is down or whether there is a connectivity problem with the fault-tolerant VLAN.
Heartbeat Count | Number of heartbeat intervals that must occur with no heartbeat packet received by the standby ACE before the standby ACE determines that the active member is not available. Valid entries are from 10 to 50. | Not applicable.
Heartbeat Interval | Number of milliseconds that the active ACE is to wait between each heartbeat it sends to the standby ACE. Valid entries are from 100 to 1000. | Not applicable.
Interface Enabled | Check box that enables the high availability interface. Uncheck the check box to disable the high availability interface. | Not applicable.
Shared VLAN Host ID | Specific bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. | Not applicable.
Peer Shared VLAN Host ID | Specific bank of MAC addresses for the same ACE in a redundant configuration. Valid entries are from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. | Not applicable.
HA State | Read-only field with the current state of high availability on the ACE. | Not applicable.
Step 3 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. Continue with configuring high availability
groups. The HA Management window appears at the top of the content area and the HA Groups table
appears at the bottom. See the “Configuring ACE High Availability Groups” section on page 13-17
to configure a high availability group.
• Click Cancel to exit this procedure without saving your entries and to view the HA Management
window.
Related Topics
• Understanding ANM High Availability, page 13-2
• Configuring ACE High Availability, page 13-14
• Configuring ACE High Availability Groups, page 13-17
• Synchronizing ACE High Availability Configurations, page 13-30
• Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
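The following added Python checker (not Cisco's or ANM's code) applies the peer settings rules from Table 13-4 together with the import rules from the “ACE Redundancy Configuration Requirements and Restrictions” section: value ranges, FT IP and peer IP in the same subnet but different, distinct MAC address banks, and a unique FT VLAN plus IP/peer IP combination across every HA pair imported into ANM. The pair names and addresses are constructed, and treating the IP/peer IP pair as unordered is this example's own assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FtPeerSettings:
    """One ACE HA pair's fault-tolerant peer settings (the fields of Table 13-4).
    Every value used in this example is constructed, not taken from a real deployment."""
    pair_name: str
    ft_vlan: int                   # 1-4094
    ip: str                        # FT VLAN IP address of this ACE
    peer_ip: str                   # FT VLAN IP address of the peer ACE
    netmask: str
    heartbeat_interval_ms: int     # 100-1000
    heartbeat_count: int           # 10-50
    shared_vlan_host_id: int       # 1-16
    peer_shared_vlan_host_id: int  # 1-16


def check_pair(cfg: FtPeerSettings) -> List[str]:
    """Return the rule violations for a single HA pair (empty list means it is acceptable)."""
    errors: List[str] = []
    tag = cfg.pair_name
    if not 1 <= cfg.ft_vlan <= 4094:
        errors.append(f"{tag}: FT VLAN {cfg.ft_vlan} is outside 1-4094")
    try:
        own_net = ipaddress.ip_network(f"{cfg.ip}/{cfg.netmask}", strict=False)
        peer_net = ipaddress.ip_network(f"{cfg.peer_ip}/{cfg.netmask}", strict=False)
    except ValueError as exc:
        errors.append(f"{tag}: invalid IP address or netmask ({exc})")
        return errors
    if cfg.ip == cfg.peer_ip:
        errors.append(f"{tag}: FT IP and peer IP must be different addresses")
    elif own_net != peer_net:
        errors.append(f"{tag}: FT IP {cfg.ip} and peer IP {cfg.peer_ip} are not in the same subnet")
    if not 100 <= cfg.heartbeat_interval_ms <= 1000:
        errors.append(f"{tag}: heartbeat interval {cfg.heartbeat_interval_ms} ms is outside 100-1000")
    if not 10 <= cfg.heartbeat_count <= 50:
        errors.append(f"{tag}: heartbeat count {cfg.heartbeat_count} is outside 10-50")
    for label, value in (("shared VLAN host ID", cfg.shared_vlan_host_id),
                         ("peer shared VLAN host ID", cfg.peer_shared_vlan_host_id)):
        if not 1 <= value <= 16:
            errors.append(f"{tag}: {label} {value} is outside 1-16")
    if cfg.shared_vlan_host_id == cfg.peer_shared_vlan_host_id:
        errors.append(f"{tag}: the two ACEs must use different MAC address banks")
    return errors


def check_anm_import(pairs: List[FtPeerSettings]) -> List[str]:
    """Check every pair, then the ANM rule that the FT VLAN + IP/peer IP combination is
    unique across all imported HA pairs. The IP/peer IP pair is treated as unordered
    because the same pair is seen mirrored from each peer (assumption of this example)."""
    errors: List[str] = []
    seen: Dict[Tuple[int, frozenset], str] = {}
    for cfg in pairs:
        errors.extend(check_pair(cfg))
        key = (cfg.ft_vlan, frozenset((cfg.ip, cfg.peer_ip)))
        if key in seen:
            errors.append(f"{cfg.pair_name}: FT VLAN {cfg.ft_vlan} with {cfg.ip}/{cfg.peer_ip} "
                          f"duplicates pair {seen[key]}; ANM cannot tell the pairs apart")
        else:
            seen[key] = cfg.pair_name
    return errors


# Constructed sample input: one clean pair, one pair that collides with it, and one pair
# with a subnet mismatch and an out-of-range heartbeat interval.
SAMPLE_PAIRS = [
    FtPeerSettings("dc1-pair", 100, "192.168.11.2", "192.168.11.3", "255.255.255.0", 300, 10, 1, 2),
    FtPeerSettings("dc2-pair", 100, "192.168.11.3", "192.168.11.2", "255.255.255.0", 300, 10, 3, 4),
    FtPeerSettings("lab-pair", 200, "10.0.0.2", "10.0.1.3", "255.255.255.0", 50, 10, 1, 2),
]

if __name__ == "__main__":
    for problem in check_anm_import(SAMPLE_PAIRS):
        print(problem)
```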
Clearing ACE High Availability Pairs
Note This functionality is available for only Admin contexts.
You can remove a high availability link between two ACEs.
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears.
Step 2 Choose the ACE pair whose high availability configuration that you want to remove, and click Clear.
A message appears asking you to confirm the clearing of the high availability link.
Step 3 Do one of the following:
• Click OK to confirm the removal of this high availability link and to return to the HA Management
window.
• Click Cancel to exit this procedure without removing this high availability link and to return to the
HA Management window.
Related Topics
• Understanding ANM High Availability, page 13-2
• Configuring ACE High Availability Peers, page 13-15
• Editing High Availability Groups, page 13-19
• ACE High Availability Tracking and Failure Detection Overview, page 13-23
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
• Tracking Hosts for High Availability, page 13-25
Configuring ACE High Availability Groups
Note This functionality is available for only Admin contexts.
You can configure a high availability group, or fault-tolerant group, which consists of a maximum of two
contexts: one active context on one ACE and one standby context on the peer ACE. You can create
multiple fault-tolerant groups on each ACE up to a maximum of:
• For the ACE module—251 groups (250 user contexts and 1 Admin context).
• For the ACE appliance—21 groups (20 user contexts and 1 Admin context).
Note For the replication process to function properly and successfully replicate the configuration for a user
context when switching from the active context to the standby context, ensure that each user context has
been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to
function properly.
Assumption
At least one high availability pair has been configured (see the “Configuring ACE High Availability
Peers” section on page 13-15).
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears at the top of the content area and the HA Groups table appears at
the bottom.
Step 2 In the HA Groups table of the HA Management window, click Add to add a new high availability group.
The table refreshes with the configurable fields.
Step 3 Check the Enabled check box to enable the high availability group.
Uncheck the Enabled check box to disable the high availability group.
Step 4 In the Context field, choose the virtual context to associate with this high availability group.
Step 5 In the Priority (Actual) field, enter the priority that you want to assign to the first device in the group.
Valid entries are from 1 to 255.
A member of a fault-tolerant group becomes the active member through a process based on the priority
assigned. In this process, the group member with the higher priority becomes the active member. When
you set up a fault-tolerant pair, use a higher priority for the group where the active member initially
resides.
Step 6 Check the Preempt check box to specify that the group member with the higher priority is to always
assert itself and become the active member.
Uncheck the Preempt check box to specify that you do not want the group member with the higher
priority to always become the active member.
Step 7 In the Peer Priority (Actual) field, enter the priority that you want to assign to the peer device in the
group.
Valid entries are from 1 to 255.
A member of a fault-tolerant group becomes the active member through a process based on the priority
assigned. In this process, the group member with the higher priority becomes the active member. When
you set up a fault-tolerant pair, use a higher priority for the group where the active member initially
resides.
Step 8 Check the Autosync Run check box to enable automatic synchronization of the running configuration
files.
Uncheck the Autosync Run check box to disable automatic synchronization of the running configuration
files. If you disable automatic synchronization, you need to update the configuration of the standby
context manually. See the “Synchronizing Virtual Context Configurations” section on page 6-105.
Note If you check Autosync Run for the HA group, you must manually sync the standby context in
order for ANM to allow subsequent configuration changes. Until you have done this, the standby
context will be marked out of sync. See the “Synchronizing Virtual Context Configurations in
High Availability Mode” section on page 13-31.
Step 9 Check the Autosync Startup check box to enable automatic synchronization of the startup configuration
files.
Uncheck the Autosync Startup check box to disable automatic synchronization of the startup configuration
files. If you disable automatic synchronization, you need to update the configuration of the standby
context manually. See the “Synchronizing Virtual Context Configurations” section on page 6-105.
Step 10 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The HA Groups table refreshes with the new
high availability group.
• Click Cancel to exit this procedure without saving your entries and to return to the HA Management
window and HA Groups table.
Step 11 (Optional) To display statistics and status information for a particular high availability group, choose the
group from the ACE HA Groups table, and click Details.
The show ft group group_id detail CLI command output appears. See the “Displaying High Availability
Group Statistics and Status” section on page 13-21 for details.
Related Topics
• Configuring ACE High Availability Peers, page 13-15
• Editing High Availability Groups, page 13-19
• Synchronizing Virtual Context Configurations, page 6-105
• Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
• Tracking Hosts for High Availability, page 13-25
Editing High Availability Groups
Note This functionality is available for only Admin contexts.
You can modify the attributes of a high availability group.
Note If you need to modify a fault-tolerant group, take the group out of service before making any other
changes (see the “Taking a High Availability Group Out of Service” section on page 13-20). When you
finish making all changes, place the group back into service (see the “Enabling a High Availability
Group” section on page 13-21).
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears at the top of the content area and the HA Groups table appears at
the bottom.
Step 2 In the HA Groups table, choose the high availability group that you want to modify, and click Edit.
The table refreshes with configurable fields.
Step 3 Modify the fields as desired. For information on these fields, see the “Configuring ACE High
Availability Groups” section on page 13-17.
Note If you leave unchecked Autosync Run for the HA group, you must manually sync the standby
context in order for ANM to allow subsequent configuration changes. Until you have done this,
the standby context will be marked out of sync. See the “Synchronizing Virtual Context
Configurations in High Availability Mode” section on page 13-31.
Step 4 When you finish modifying this group, do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the HA Groups table.
• Click Cancel to exit this procedure without saving your entries and to return to the HA Management
window.
Related Topics
• Configuring ACE High Availability Groups, page 13-17
• Taking a High Availability Group Out of Service, page 13-20
• Enabling a High Availability Group, page 13-21
• Configuring ACE High Availability Peers, page 13-15
• ACE High Availability Tracking and Failure Detection Overview, page 13-23
Taking a High Availability Group Out of Service
Note This functionality is available for only Admin contexts.
You can take a high availability group out of service, which you must do before you can modify it.
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears at the top of the content area and the HA Groups table appears at
the bottom.
Step 2 In the HA Groups table, choose the high availability group you want to take out of service, and click
Edit.
The table refreshes with configurable fields.
Step 3 Uncheck the Enabled check box.
Step 4 Click Deploy Now to take the high availability group out of service and to return to the HA Groups table.
You can now make the necessary modifications to the high availability group. To put the high availability
group back in service, see the “Enabling a High Availability Group” section on page 13-21.
Related Topics
• Enabling a High Availability Group, page 13-21
Enabling a High Availability Group
Note This functionality is available for only Admin contexts.
You can put a high availability group back into service after taking it out of service.
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears at the top of the content area and the HA Groups table appears at
the bottom.
Step 2 In the HA Groups table, choose the high availability group that you want to put back in service, and
click Edit.
The table refreshes with configurable fields.
Step 3 Check the Enabled check box.
Step 4 Click Deploy Now to put the high availability group in service and to return to the HA Groups table.
Related Topics
• Taking a High Availability Group Out of Service, page 13-20
Displaying High Availability Group Statistics and Status
You can display statistics and status information for a particular high availability group by using the
Details button. ANM accesses the show ft group group_id detail CLI command to display detailed ACE
HA group information.
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears at the top of the content area and the HA Groups table appears at
the bottom.
Step 2 Choose an ACE HA group from the ACE HA Groups table and click Details.
The show ft group group_id detail CLI command output appears. For details on the displayed output
fields, see either the Cisco ACE Module Administration Guide or the Cisco ACE 4700 Series Appliance
Administration Guide.
Step 3 Click Update Details to refresh the output for the show ft group group_id detail CLI command.
Step 4 Click Close to return to the VLAN Interfaces table.
Switching Over an ACE High Availability Group
Note This functionality is available for only Admin contexts.
You can force the failover of a high availability group. You may need to force a switchover when you
want to make a particular context the standby (for example, for maintenance or a software upgrade on
the currently active context). If the standby group member can statefully become the active member of
the high availability group, a switchover occurs.
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears at the top of the content area and the HA Groups table appears at
the bottom.
Step 2 In the HA Groups table, choose the group that you want to switch over, and click Switchover.
The standby group member becomes active, while the previously active group member becomes the
standby member.
Note You must manually sync the standby context in order for ANM to allow subsequent
configuration changes. Until you have done this, the standby context will be marked out of sync.
See the “Synchronizing Virtual Context Configurations in High Availability Mode” section on
page 13-31.
Related Topics
• Understanding ANM High Availability, page 13-2
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
Deleting ACE High Availability Groups
Note This functionality is available for only Admin contexts.
You can remove a high availability group from ANM management.
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears at the top of the content area and the HA Groups table appears at
the bottom.
Step 2 In the HA Groups table, choose the high availability group that you want to remove, and click Delete.
A message appears asking you to confirm the deletion.
Step 3 Do one of the following:
• Click Deploy Now to delete the high availability group and to return to the HA Groups table. The
selected group no longer appears.
• Click Cancel to exit this procedure without deleting the high availability group and to return to the
HA Groups table.
Related Topics
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
ACE High Availability Tracking and Failure Detection Overview
ANM supports the tracking and detection of failures to ensure that switchover occurs as soon as the
criteria are met (see Configuring ACE High Availability Peers, page 13-15). You can track and detect
failures on the following:
• Hosts—See Tracking Hosts for High Availability, page 13-25.
• Interfaces—See Tracking ACE VLAN Interfaces for High Availability, page 13-24.
When the active member of a fault-tolerant group becomes unresponsive, the following occurs:
1. The active member’s priority is reduced by 10.
2. If the resulting priority value is less than that of the standby member, the active member switches
over and the standby member becomes the new active member. All active flows continue
uninterrupted.
3. When the failed member comes back up, its priority is incremented by 10.
4. If the resulting priority value is greater than that of the currently active member, a switchover occurs
again, returning the flows to the originally active member.
Note In a user context, the ACE allows a switchover only of the fault-tolerant groups belonging to that context.
In an Admin context, the ACE allows a switchover of all fault-tolerant groups on all configured contexts
on the ACE.
Related Topics
• Configuring ACE High Availability Groups, page 13-17
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
• Tracking Hosts for High Availability, page 13-25
Tracking ACE VLAN Interfaces for High Availability
You can configure a tracking and failure detection process for a VLAN interface.
Procedure
Step 1 Choose Config > Devices > admin_context > HA Tracking And Failure Detection > Interfaces.
The Track Interface table appears.
Step 2 Click Add to add a new tracking process to this table, or choose an existing entry and click Edit to
modify it.
The Track Interface configuration window appears.
Step 3 In the Track Object Name field of the Track Interface configuration window, enter a unique identifier for
the tracking process.
Valid entries are unquoted text strings with no spaces.
Step 4 In the Priority field, enter the priority for the interface on the active member.
Valid entries are from 0 to 255 with higher values indicating higher priorities. The values that you enter
here and in the Interface Peer Priority field (see Step 6) reflect the point at which you want switchover
to occur. If the tracked interface goes down, the priority of that fault-tolerant group is decremented by
the value entered in the Priority field. If the priority of the fault-tolerant group on the active member falls
below that of the standby member, a switchover occurs.
Step 5 In the VLAN Interface field, choose the fault-tolerant VLAN that you want the active member to track.
Step 6 In the Interface Peer Priority field, enter the priority for the interface on the standby member.
Valid entries are from 0 to 255 with higher values indicating higher priorities. The values that you enter
here and in the Priority field (See Step 4) reflect the point at which you want switchover to occur. If the
tracked interface goes down, the priority of that fault-tolerant group is decremented by the value entered
in the Interface Peer Priority field. If the priority of the fault-tolerant group on the active member falls
below that of the standby member, a switchover occurs.
Step 7 In the Peer VLAN Interface field, enter the identifier of an existing fault-tolerant VLAN that you want
the standby member to track.
Valid entries are from 1 to 4096.
Step 8 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Track Interface table.
• Click Cancel to exit this procedure without saving your entries and to return to the Track Interface
table.
• Click Next to deploy your entries and to configure the next entry in the Track Interface table.
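The priority arithmetic that the interface-tracking steps above and the failure-detection overview describe can be checked ahead of time with a small model. This is an added example, not ANM or ACE code: the member names, base priorities and decrement values are constructed, and flooring a priority at 0 is an assumption of the model.

```python
"""Model of the ACE fault-tolerant (FT) group priority rules described in
this chapter: each tracked VLAN interface or host probe carries a decrement
(the Priority field on the active member, the Peer Priority field on the
standby), an unresponsive active member loses 10 points, and a switchover
happens whenever the active member's priority falls below the standby's.
Added example with constructed values; not ANM or ACE code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UNRESPONSIVE_PENALTY = 10  # overview: "the active member's priority is reduced by 10"


@dataclass
class TrackedObject:
    """A tracked VLAN interface or host probe configured on one FT member."""
    name: str
    decrement: int  # value entered in the Priority / Peer Priority field
    up: bool = True

    def __post_init__(self) -> None:
        if not 0 <= self.decrement <= 255:
            raise ValueError(f"{self.name}: tracking priority must be 0-255")


@dataclass
class FtMember:
    """One ACE in the FT group with its configured base priority."""
    name: str
    base_priority: int
    tracked: Dict[str, TrackedObject] = field(default_factory=dict)
    responsive: bool = True

    def effective_priority(self) -> int:
        # Every tracked object that is down subtracts its decrement.
        p = self.base_priority
        p -= sum(t.decrement for t in self.tracked.values() if not t.up)
        if not self.responsive:
            p -= UNRESPONSIVE_PENALTY
        return max(p, 0)  # assumption: the priority is floored at 0


class FtGroup:
    """Two FT members; the active role moves when the chapter's rule fires."""

    def __init__(self, first: FtMember, second: FtMember, active: str) -> None:
        self.members = {first.name: first, second.name: second}
        self.active = active
        self.log: List[str] = []

    @property
    def standby(self) -> str:
        return next(n for n in self.members if n != self.active)

    def _evaluate(self, reason: str) -> bool:
        """Apply the switchover rule; return True if the active role moved."""
        act = self.members[self.active].effective_priority()
        stb = self.members[self.standby].effective_priority()
        if act < stb:
            self.log.append(f"{reason}: switchover {self.active} -> {self.standby} ({act} < {stb})")
            self.active = self.standby
            return True
        self.log.append(f"{reason}: {self.active} stays active ({act} >= {stb})")
        return False

    def set_tracked(self, member: str, obj: str, up: bool) -> bool:
        self.members[member].tracked[obj].up = up
        return self._evaluate(f"{obj} {'up' if up else 'down'} on {member}")

    def set_responsive(self, member: str, responsive: bool) -> bool:
        self.members[member].responsive = responsive
        return self._evaluate(f"{member} {'responsive' if responsive else 'unresponsive'}")


def build_pair() -> FtGroup:
    """Constructed pair: ACE-A preferred at 150, ACE-B at 120; both track
    VLAN 100 (decrement 50) and a gateway host probe (decrement 30)."""
    def tracked() -> Dict[str, TrackedObject]:
        return {"vlan100": TrackedObject("vlan100", 50), "gw": TrackedObject("gw", 30)}
    return FtGroup(FtMember("ACE-A", 150, tracked()), FtMember("ACE-B", 120, tracked()), active="ACE-A")


def run_scenario() -> List[Tuple[str, bool, str]]:
    """Walk the pair through four events; each entry is (event, switched, active)."""
    g = build_pair()
    events: List[Tuple[str, bool, str]] = []
    # Gateway probe fails on A: 150 - 30 = 120, which is not below B's 120.
    events.append(("gw down on A", g.set_tracked("ACE-A", "gw", False), g.active))
    g.set_tracked("ACE-A", "gw", True)
    # VLAN 100 fails on A: 150 - 50 = 100 < 120, so B takes over.
    events.append(("vlan100 down on A", g.set_tracked("ACE-A", "vlan100", False), g.active))
    # VLAN 100 recovers: A is back at 150 > 120, so the flows return to A.
    events.append(("vlan100 up on A", g.set_tracked("ACE-A", "vlan100", True), g.active))
    # A stops responding: 150 - 10 = 140 is still above 120, so the 10-point
    # rule alone does not move the active role with this 30-point configured gap.
    events.append(("A unresponsive", g.set_responsive("ACE-A", False), g.active))
    return events


if __name__ == "__main__":
    for event, switched, active in run_scenario():
        print(f"{event:20s} switchover={str(switched):5s} active={active}")
```

Sizing the decrements against the gap between the two base priorities is what decides whether a given failure actually crosses the switchover threshold.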
Related Topics
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• Tracking Hosts for High Availability, page 13-25
Tracking Hosts for High Availability
You can configure a tracking and failure detection process for a gateway or host.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Procedure
Step 1 Choose Config > Devices > admin_context > HA Tracking And Failure Detection > Hosts.
The Track Host table appears.
Step 2 In the Track Host table, click Add to add a new tracking process to the table, or choose an existing entry
and click Edit to modify it.
The Track Host configuration window appears.
Step 3 In the Track Object Name field of the Track Host configuration window, enter a unique identifier for the
tracking process.
Valid entries are unquoted text strings with no spaces.
Step 4 In the IP Address Type field, choose either IPv4 or IPv6 for the host address type.
This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which
supports IPv4 and IPv6.
Step 5 In the Track Host/IP Address field, enter the IPv4 or IPv6 address or hostname of the gateway or host
that you want the active member of the high availability group to track.
Step 6 In the Priority field, enter the priority of the probe sent by the active member.
Valid entries are from 0 to 255. Higher values indicate higher priorities. Assign a priority value based
on the relative importance of the host that the probe is tracking. If the probe goes down, the ACE
decrements the priority of the fault-tolerant group on the active member by the value in the Priority field.
Step 7 In the Peer Host/IP Address field, enter the IPv4 or IPv6 address or hostname of the host that you want
the standby member to track.
Step 8 In the Peer Priority field, enter the priority of the probe sent by the standby member.
Valid entries are from 0 to 255. Higher values indicate higher priorities. Assign a priority value based
on the relative importance of the host that the probe is tracking. If the probe goes down, the ACE
decrements the priority of the fault-tolerant group on the standby member by the value in the Priority
field.
Step 9 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. Continue with configuring track host probes.
See Configuring Host Tracking Probes, page 13-26.
• Click Cancel to exit this procedure without saving your entries and to return to the Track Host table.
• Click Next to deploy your entries and to configure another tracking process.
Related Topics
• Configuring Host Tracking Probes, page 13-26
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
Configuring Host Tracking Probes
You can configure probes on the active high availability group member to track the health of the gateway
or host.
Assumptions
This topic assumes the following:
• At least one host tracking process for high availability has been configured (see Tracking Hosts for
High Availability, page 13-25.)
• At least one health monitoring probe has been configured (see Configuring Health Monitoring for
Real Servers, page 8-51).
Procedure
Step 1 Choose Config > Devices > admin_context > HA Tracking And Failure Detection > Hosts.
The Track Host table appears.
Step 2 Choose the tracking process that you want to modify, and click the Peer Track Host Probe tab.
The Peer Track Host Probes table appears.
Step 3 In the Peer Track Host Probes table, click Add to add a peer host tracking probe, or choose an existing
peer host tracking probe and click Edit to modify it.
The Peer Track Host Probes configuration window appears.
Step 4 In the Probe Name field, choose the name of the probe to be used for the peer host tracking process.
Step 5 In the Priority field, enter a priority for the host tracked by the active member.
Valid entries are from 1 to 255 with higher values indicating higher priorities. Assign a priority value
based on the relative importance of the gateway or host that the probes are tracking. If the host goes
down, the ACE decrements the priority of the high availability group on the standby member by the value
in this Priority field.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Track Host Probe table. The
table includes the added probe.
• Click Cancel to exit this procedure without saving your entries and to return to the Track Host Probe
table.
• Click Next to deploy your entries and to configure another track host probe.
Related Topics
• Configuring ACE Peer Host Tracking Probes, page 13-28
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
Deleting Host Tracking Probes
You can remove a high availability host tracking probe.
Procedure
Step 1 Choose Config > Devices > ACE admin_context > HA Tracking And Failure Detection > Hosts.
The Track Host table appears.
Step 2 In the Track Host table, choose the tracking process you want to modify, and click the Track Host Probe
tab.
The Track Host Probe table appears.
Step 3 In the Track Host table, choose the probe that you want to remove, and click Delete.
The probe is deleted and the Track Host Probe table refreshes without the deleted probe.
Related Topics
• Configuring ACE Peer Host Tracking Probes, page 13-28
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
Configuring ACE Peer Host Tracking Probes
You can configure probes on the standby member of a high availability group to track the health of the
gateway or host.
Assumptions
This topic assumes the following:
• At least one host tracking process for high availability has been configured (see Tracking Hosts for
High Availability, page 13-25.)
• At least one health monitoring probe has been configured (see Configuring Health Monitoring for
Real Servers, page 8-51).
Procedure
Step 1 Choose Config > Devices > ACE admin_context > HA Tracking And Failure Detection > Hosts.
The Track Host table appears.
Step 2 In the Track Host table, choose the tracking process that you want to modify, and click the Peer Track
Host Probe tab.
The Peer Track Host Probes table appears.
If the Track Host Probe and Peer Track Host Probes tabs do not appear below the Track Host table, click
Show Tabs below the Track Host table name.
Step 3 In the Peer Track Host Probes table, click Add to add a peer host tracking probe, or choose an existing
peer host tracking probe and click Edit to modify it.
The Peer Track Host Probes configuration window appears.
Step 4 In the Probe Name field of the Peer Track Host Probes configuration window, choose the name of the
probe to be used for the peer host tracking process.
Step 5 In the Priority field, enter a priority for the host tracked by the standby member of the high
availability group.
Valid entries are from 0 to 255 with higher values indicating higher priorities. Assign a priority value
based on the relative importance of the gateway or host that the probes are tracking. If the host goes
down, the ACE decrements the priority of the high availability group on the standby member by the value
in this Priority field.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Peer Track Host Probes
table. The table includes the added probe.
• Click Cancel to exit this procedure without saving your entries and to return to the Peer Track Host
Probes table.
• Click Next to deploy your entries and to configure another peer track host probe.
Related Topics
• Configuring Host Tracking Probes, page 13-26
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
Deleting Peer Host Tracking Probes
You can remove a high availability peer host tracking probe.
Procedure
Step 1 Choose Config > Devices > ACE admin_context > HA Tracking And Failure Detection > Hosts.
The Track Host table appears.
Step 2 In the Track Host table, choose the tracking process that you want to modify and click the Peer Track
Host Probe tab.
The Peer Track Host Probes table appears.
If the Track Host Probe and Peer Track Host Probes tabs do not appear below the Track Host table, click
Show Tabs below the Track Host table name.
Step 3 In the Peer Track Host Probes table, choose the probe that you want to remove, and click Delete.
The probe is deleted and the Peer Track Host Probes table refreshes without the deleted probe.
Related Topics
• Configuring ACE Peer Host Tracking Probes, page 13-28
• Configuring Host Tracking Probes, page 13-26
• Tracking ACE VLAN Interfaces for High Availability, page 13-24
Configuring ACE HSRP Groups
You can add or edit a Hot Standby Router Protocol (HSRP) group.
Assumptions
This topic assumes the following:
• At least one host tracking process for high availability has been configured (see Tracking Hosts for
High Availability, page 13-25.)
• Before you configure an HSRP tracking and failure detection process on the ACE, you must
configure the HSRP group on the Catalyst 6500 Supervisor.
Procedure
Step 1 Choose Config > Devices > ACE admin_context > HA Tracking And Failure Detection > HSRP
Groups.
The HSRP Groups table appears.
Step 2 In the HSRP Groups table, click Add to add a new HSRP group, or choose an existing entry and click
Edit to modify it.
The HSRP Group configuration window appears.
Step 3 In the Track Object Name field of the HSRP Group configuration window, enter a unique identifier for
the tracking process.
Valid entries are unquoted text strings with no spaces.
Step 4 In the Priority field, enter the priority of the HSRP group as a value from 0 to 255.
The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative
importance of the HSRP group that you are tracking. If the HSRP group goes down, the ACE decrements
the priority of the FT group on the active member. If the priority of the FT group on the active member
falls below the priority of the FT group on the standby member, a switchover occurs.
Step 5 In the HSRP Group Name field, enter a name for the HSRP group.
Step 6 In the HSRP Peer Priority field, enter the priority of the HSRP group as a value from 0 to 255.
The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative
importance of the HSRP group you are tracking. If the HSRP group goes down, the ACE decrements the
priority of the FT group on the standby member.
Step 7 In the HSRP Group Name of Peer field, enter a name for the HSRP group on the peer ACE.
Step 8 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the HSRP Groups table. The
table includes the added HSRP group.
• Click Cancel to exit this procedure without saving your entries and to return to the HSRP Groups
table.
Synchronizing ACE High Availability Configurations
When two ACE devices are configured as high availability peers, their configurations must be
synchronized at all times so that the standby member can take over for the active member seamlessly.
As they synchronize, however, the configuration on the hot standby ACE can become out of sync with
the ANM-maintained configuration data for that ACE.
Note ANM manages local configurations only.
Note Although a context might have been configured for syslog notification, changes applied to the standby
ACE configuration can change syslog notification configuration so that you are not notified of the
out-of-sync configurations. As a result, it is important for you to manually synchronize ANM with the
standby ACE.
Synchronizing configuration files for the standby ACE requires the following:
1. Auditing the standby ACE to confirm that its configuration does not agree with the
ANM-maintained configuration data for the ACE. See Synchronizing Virtual Context
Configurations, page 6-105.
2. Uploading the configuration from the standby ACE to the ANM server. See Synchronizing Virtual
Context Configurations, page 6-105.
3. Ensuring that the SSL certificate/keys are imported and identical for the pair. See Synchronizing
SSL Certificate and Key Pairs on Both ACE Peers, page 13-32.
4. For an Admin context, uploading configurations on any newly imported user contexts. If new user
contexts are not updated, they cannot be managed using ANM.
Synchronizing Virtual Context Configurations in High Availability Mode
When configuration changes are made from ANM on any of the ACE devices in a HA pair, ANM
automatically detects the active HA peer and deploys the configuration changes to the active ACE alone.
ANM does not attempt to deploy a configuration to a standby ACE even if you selected the standby ACE
from the ANM device tree. ANM detects the active ACE and will always deploy configuration changes
only to the active ACE. In addition, if ACE HA auto-sync is enabled, after the deployment is successful,
ANM will locally replicate the configuration in the ANM database on the standby as well to ensure that
the ANM configuration is in synchronization with that of the two ACE peers.
In a high availability pair, the two configured virtual contexts synchronize with each other as part of their
ongoing communications. However, their copies do not synchronize in ANM and the configuration on
the standby member may become out-of-sync with the configuration on the ACE.
After the active member of a high availability pair fails and the standby member becomes active, the
newly active member detects any out-of-sync virtual context configurations and reports that status in the
Virtual Contexts table so that you can synchronize the virtual context configurations.
Note If a context is put into an out-of-sync state, this context will be automatically synchronized by the
backend ANM. It is not necessary for you to perform an explicit synchronization to take care of the
out-of-sync state.
For information on synchronizing virtual context configurations, see Synchronizing Virtual Context
Configurations, page 6-105.
Related Topics
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• Synchronizing Virtual Context Configurations, page 6-105
Synchronizing SSL Certificate and Key Pairs on Both ACE Peers
You can reconcile the SSL certificates and key pairs. When SSL certificate/key import is attempted on
a peer that is configured in HA, ANM detects the HA state and also imports the same certificate/key into
the other HA peer. In addition, when you are configuring two peers in HA from ANM, a warning
message appears asking you to perform certificate/key reconciliation and offers the appropriate window
enabling you to do this.
Guidelines and Restrictions
The certificate/key reconciliation feature is available from the Admin context only; however, executing
this feature from the Admin context also reconciles the SSL certificates and key pairs on all the virtual
contexts associated with the ACE peers.
Procedure
Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup.
The HA Management window appears at the top of the content area and the HA Groups table appears at
the bottom.
Step 2 In the HA Groups table, choose the group for which you want to reconcile the SSL certificates and key
pairs on the two HA peers after a switchover occurs, and click SSL Certificate/Key Reconcile.
The SSL Certificate/Key Reconciliation popup window appears. Information appears in this popup
window for the primary ACE and the peer ACE as described in Table 13-5.
Table 13-5 SSL Certificate/Key Reconciliation Popup Window Attributes
Field | Description
This Device | IP address for the fault-tolerant VLAN.
Peer Device | Fault-tolerant VLAN to be used for this high availability pair. Valid entries are from 1 to 4094.
  Note This VLAN cannot be used for other network traffic.
Context Name | Unique name for the virtual context.
Matched State | Feature that indicates a match between the SSL certificates and key pairs on the active ACE
  and the standby ACE peer.
Not Matched State | Feature that indicates that there is not a match between the SSL certificates and key
  pairs on the active ACE and the standby ACE peer.
SSL Certificates/Keys On Both HA Peers (list columns)
File Type | Format of the file: PEM, DER, or PKCS12.
Name | Name of the file that contains the certificate or key pair.
Exportable | Field that indicates whether or not you can export the file from the ACE. Choices are as follows:
  • Yes—You can export the file to an FTP, SFTP, or TFTP server (see Chapter 11, “Configuring SSL”).
  • No—You cannot export the file as it is protected.
Matched | Field that indicates that the SSL certificate and key pair is a match on the peer ACE.
Available On | Field that identifies the ACE devices that contain the SSL certificate and key pair.
Step 3 To copy an SSL certificate and key pair to the ACE peer device, choose it from the SSL Certificates/Keys
On Both HA Peers list, and then click Copy To Peer (or click Cancel to close the SSL Certificate/Key
Reconciliation popup window without performing the copy).
Step 4 To delete an SSL certificate and key pair from the ACE HA pair, choose it from the SSL
Certificates/Keys On Both HA Peers list, and click Delete (or click Cancel to close the SSL
Certificate/Key Reconciliation popup window without performing the deletion).
Related Topics
• Understanding ANM High Availability, page 13-2
• Configuring ACE High Availability Peers, page 13-15
• Configuring ACE High Availability Groups, page 13-17
• Synchronizing ACE High Availability Configurations, page 13-30
Chapter 14 Configuring Traffic Policies
Date: 3/28/12
Cisco Application Networking Manager helps you configure class maps and policy maps to provide a
global level of classification for filtering traffic received by or passing through the ACE.
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Traffic Policy Overview, page 14-1
• Class Map and Policy Map Overview, page 14-2
• Configuring Virtual Context Class Maps, page 14-6
• Setting Match Conditions for Class Maps, page 14-8
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
• Configuring Actions Lists, page 14-85
Traffic Policy Overview
Cisco Application Networking Manager helps you configure class maps and policy maps to provide a
global level of classification for filtering traffic received by or passing through the ACE. You create
traffic policies and attach these policies to one or more VLAN interfaces associated with the ACE to
apply feature-specific actions to the matching traffic. The ACE uses the individual traffic policies to
implement functions such as:
• FTP command inspection
• IP normalization and fragment reassembly
• Network Address Translation (NAT)
• Optimization of HTTP traffic
• Protocol deep packet inspection
• Remote access using Secure Shell (SSH) or Telnet
• Secure Socket Layer (SSL) security services between a Web browser (the client) and the HTTP
connection (the server)
• Server load balancing
• TCP termination, normalization, and reuse
Related Topics
• Class Map and Policy Map Overview, page 14-2
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Class Map and Policy Map Overview
You classify inbound network traffic destined to, or passing through, the ACE based on a series of flow
match criteria specified by a class map. Each class map defines a traffic classification; that is, network
traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied
to a set of classified inbound traffic.
Class maps enable you to classify network traffic based on the following criteria:
• Layer 3 and Layer 4 traffic flow information—Source or destination IP address, source or
destination port, virtual IP address, or IP protocol
• Layer 7 protocol information—HTTP cookie, HTTP URL, HTTP header, HTTP content, FTP
request commands, RADIUS, RDP, RTSP, Skinny, or SIP
The policies that you can configure depend on the ACE you are configuring. Table 14-1 lists the
available policies and the ACE devices that support them.
Table 14-1 Traffic Policies and ACE Device Support
Policy Map Type | Description | ACE Module | ACE Appliance
Layer 3/4 Management Traffic (First-Match) | Layer 3 and Layer 4 policy map for network management traffic received by the ACE | X | X
Layer 3/4 Network Traffic (First-Match) | Layer 3 and Layer 4 policy map for traffic passing through the ACE | X | X
Layer 7 Command Inspection - FTP (First-Match) | Layer 7 policy map for inspection of FTP commands | X | X
Layer 7 Deep Packet Inspection - HTTP (All-Match) | Layer 7 policy map for inspection of HTTP packets | X | X
Layer 7 Deep Packet Inspection - SIP (All-Match) | Layer 7 policy map for inspection of SIP packets | X | X
Layer 7 Deep Packet Inspection - Skinny | Layer 7 policy map for inspection of Skinny Client Control Protocol (SCCP) | X | X
Table 14-1 Traffic Policies and ACE Device Support (continued)
Policy Map Type | Description | ACE Module | ACE Appliance
Layer 7 HTTP Optimization (First-Match) | Layer 7 policy map for optimizing HTTP traffic | – | X
Layer 7 Server Load Balancing (First-Match) | Layer 7 policy map for HTTP server load balancing | X | X
Server Load Balancing - Generic (First-Match) | Generic Layer 7 policy map for server load balancing | X | X
Server Load Balancing - RADIUS (First-Match) | Layer 7 policy map for RADIUS server load balancing | X | X
Server Load Balancing - RDP (First-Match) | Layer 7 policy map for RDP server load balancing | X | X
Server Load Balancing - RTSP (First-Match) | Layer 7 policy map for RTSP server load balancing | X | X
Server Load Balancing - SIP (First-Match) | Layer 7 policy map for SIP server load balancing | X | X
The traffic classification process consists of the following three steps:
1. Creating a class map, which comprises a set of match criteria related to Layer 3 and Layer 4 traffic
classifications or Layer 7 protocol classifications.
2. Creating a policy map, which refers to the class maps and identifies a series of actions to perform
based on the traffic match criteria.
3. Activating the policy map and attaching it to a specific VLAN interface or globally to all VLAN
interfaces associated with a context by configuring a virtual context global traffic policy to filter
traffic received by the ACE.
The following overview topics describe the components that define a traffic policy:
• Class Maps, page 14-3
• Policy Maps, page 14-4
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 14-5
• Applying a Policy Map Globally to All VLAN Interfaces, page 6-35
Class Maps
A class map defines each type of Layer 3 and Layer 4 traffic class and each Layer 7 protocol class. You
create class maps to classify the traffic received and transmitted by the ACE as follows:
• Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can
pass through the ACE or network management traffic that can be received by the ACE.
• Layer 7 protocol-specific classes identify:
– Server load-balancing traffic on generic, HTTP, RADIUS, RTSP, or SIP traffic
– HTTP or SIP traffic for deep packet inspection
– FTP traffic for inspection of commands
A traffic class contains the following components:
• Class map name
• Class map type
• One or more match conditions that define the match criteria for the class map
• Instructions on how the ACE evaluates match conditions when you specify more than one match
statement in a traffic class (match-any, match-all)
The individual match conditions specify the criteria for classifying Layer 3 and Layer 4 network traffic
as well as the Layer 7 server load balancing and application protocol-specific fields. The ACE evaluates
the packets to determine whether they match the specified criteria. If a statement matches, the ACE
considers that packet to be a member of the class and forwards the packet according to the specifications
set in the traffic policy. Packets that fail to meet any of the matching criteria are classified as members
of the default traffic class if one is specified.
The ACE allows you to configure two Layer 7 load-balancing class maps in a nested traffic class
configuration to create a single traffic class. You can nest Layer 7 class maps to achieve complex logical
expressions. The ACE restricts the nesting of class maps to two levels to prevent you from including one
nested class map under a different class map.
Related Topics
• Class Map and Policy Map Overview, page 14-2
• Policy Maps, page 14-4
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 14-5
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
Policy Maps
A policy map creates the traffic policy. The purpose of a traffic policy is to implement specific ACE
functions associated with a traffic class. A traffic policy contains the following components:
• Policy map name
• Previously created traffic class map or, optionally, the class-default class map
• One or more of the individual Layer 3 and Layer 4 or Layer 7 policies that specify the actions to be
performed by the ACE
A Layer 7 policy map is always associated within a Layer 3 and Layer 4 policy map to provide an entry
point for traffic classification. Layer 7 policy maps are considered to be child policies and can only be
nested under a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated
on a VLAN interface; a Layer 7 policy map cannot be directly applied on an interface. For example, to
associate a Layer 7 load-balancing policy map, you nest the load-balancing policy map by using the
Layer 3 and Layer 4 Policy map action type.
If traffic matches none of the class maps in a policy map, the ACE executes the actions configured for
the class-default class map, if one is configured (the Use Class Default option). All traffic that fails
to meet the match criteria of the named class maps belongs to this default traffic class. The
class-default class map has an implicit match-any statement and therefore matches any traffic
classification.
The ACE supports flexible class map ordering within a policy map. The ACE executes only the actions
for the first matching traffic classification, so the order of class maps within a policy map is very
important. The policy lookup order is based on the security features of the ACE. The policy lookup order
is implicit, irrespective of the order in which you configure policies on the interface.
The policy lookup order of the ACE is as follows:
1. Access control (permit or deny a packet)
2. Permit or deny management traffic
3. TCP/UDP connection parameters
4. Load balancing based on a virtual IP (VIP)
5. Application protocol inspection
6. Source NAT
7. Destination NAT
The sequence in which the ACE applies the actions for a specific policy is independent of the actions
configured for a class map inside a policy.
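The three evaluation rules described above (match-all versus match-any, first-match execution within a policy map with class-default as the fallback, and the two-level limit on nested class maps) are easy to get wrong when a broad class is configured ahead of a narrow one. The following Python model is an added example, not code from the ANM guide or from the ACE itself: the match-condition builders (header, method, url_prefix), the packet dictionaries and the class and policy names are constructed for this example. It shows two policy maps that contain the same two Layer 7 class maps in opposite order and return different actions for the same request.

```python
"""Model of ACE class-map / policy-map evaluation (added example, not ACE code)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

Packet = Dict[str, Any]
Condition = Callable[[Packet], bool]


@dataclass
class ClassMap:
    name: str
    match_type: str = "match-all"            # "match-all" or "match-any"
    conditions: List[Condition] = field(default_factory=list)
    nested: Optional["ClassMap"] = None      # a nested class map counts as one more condition

    def __post_init__(self) -> None:
        if self.match_type not in ("match-all", "match-any"):
            raise ValueError("match type must be match-all or match-any")
        # Two levels only: the nested class map may not itself nest another one
        if self.nested is not None and self.nested.nested is not None:
            raise ValueError("class maps nest at most two levels deep")

    def matches(self, pkt: Packet) -> bool:
        results = [cond(pkt) for cond in self.conditions]
        if self.nested is not None:
            results.append(self.nested.matches(pkt))
        if not results:      # modelling choice: a class map with no conditions matches nothing
            return False
        return all(results) if self.match_type == "match-all" else any(results)


# class-default: an implicit match-any statement that matches any traffic
CLASS_DEFAULT = ClassMap("class-default", "match-any", [lambda pkt: True])


@dataclass
class PolicyMap:
    name: str
    entries: List[Tuple[ClassMap, str]]      # (class map, action) in configured order
    default_action: Optional[str] = None     # action under class-default, if configured

    def apply(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (class name, action) for the FIRST matching class only."""
        for cmap, action in self.entries:
            if cmap.matches(pkt):
                return cmap.name, action
        if self.default_action is not None:
            return CLASS_DEFAULT.name, self.default_action
        return "no-match", None


# Match-condition builders; these names are this example's own, not ANM field names
def header(name: str, value: str) -> Condition:
    return lambda pkt: pkt.get("headers", {}).get(name) == value


def method(name: str) -> Condition:
    return lambda pkt: pkt.get("method") == name


def url_prefix(prefix: str) -> Condition:
    return lambda pkt: str(pkt.get("url", "")).startswith(prefix)


# A match-any Layer 7 class map nested (one level) inside a match-all Layer 7 class map
API_URLS = ClassMap("API-URLS", "match-any", [url_prefix("/api/"), url_prefix("/v2/")])
SITE_API = ClassMap("SITE-API", "match-all",
                    [header("Host", "www.anydomain.com"), method("GET")], nested=API_URLS)
SITE_ANY = ClassMap("SITE-ANY", "match-all", [header("Host", "www.anydomain.com")])

# Same classes, different order: only the first match acts, so the result differs
SPECIFIC_FIRST = PolicyMap("P-SPECIFIC",
                           [(SITE_API, "serverfarm API"), (SITE_ANY, "serverfarm WEB")], "drop")
BROAD_FIRST = PolicyMap("P-BROAD",
                        [(SITE_ANY, "serverfarm WEB"), (SITE_API, "serverfarm API")], "drop")


if __name__ == "__main__":
    # Constructed sample request, not captured traffic
    api_call = {"method": "GET", "headers": {"Host": "www.anydomain.com"}, "url": "/api/users"}
    print(SPECIFIC_FIRST.apply(api_call))   # ('SITE-API', 'serverfarm API')
    print(BROAD_FIRST.apply(api_call))      # ('SITE-ANY', 'serverfarm WEB'): shadowed by the broad class
    print(SPECIFIC_FIRST.apply({"method": "GET", "headers": {"Host": "other.example"}, "url": "/"}))
    # ('class-default', 'drop')
```

Running the block shows the ordering problem directly: with the broad SITE-ANY class ahead of SITE-API, API requests never reach the API server farm, because the ACE stops at the first matching class.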
Related Topics
• Class Map and Policy Map Overview, page 14-2
• Class Maps, page 14-3
• Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 14-5
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Policy Maps, page 14-32
Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps
Parameter maps allow you to combine related actions in a Layer 3 and Layer 4 policy map. For example,
an HTTP parameter map provides a means of performing actions on traffic ingressing an ACE interface
based on certain criteria such as HTTP header and cookie settings, server connection reuse, action to be
taken when an HTTP header, cookie, or URL exceeds a configured maximum length, and so on.
The ACE uses policy maps to combine class maps and parameter maps into traffic policies and to
perform certain configured actions on the traffic that matches the specified criteria in the policies.
See Table 10-1 for a list of the available parameter maps and the ACE devices that support them.
Related Topics
• Configuring Parameter Maps, page 10-1
• Class Map and Policy Map Overview, page 14-2
• Class Maps, page 14-3
• Policy Maps, page 14-4
Protocol Inspection Overview
Certain applications require special handling of the data portion of a packet as the packets pass through
the ACE. Application protocol inspection helps to verify the protocol behavior and identify unwanted or
malicious traffic passing through the ACE. Based on the specifications of the traffic policy, the ACE
accepts or rejects the packets to ensure the secure use of applications and services.
For information about application protocol inspection as configured and performed by the ACE, see the
related topics.
Related Topics
• Configuring Virtual Context Policy Maps, page 14-32
• Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps, page 14-22
• Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection, page 14-51
• Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection, page 14-68
Configuring Virtual Context Class Maps
You can create a class map to classify the traffic received and transmitted by the ACE. For more
information about class maps, see the “Class Maps” section on page 14-3.
Note To delete a class map from a context, the class map must no longer be in use. To delete multiple class
maps, none of the class maps must be in use. If you attempt to delete multiple class maps and one of the
class maps is still in use, none of the class maps are deleted and a message appears stating that one of
the class maps is in use. Remove the class map that is still in use from your selection, then click Delete.
The selected class maps are removed.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, click Add to add a new class map, or choose an existing class map and click
Edit to modify it.
Step 3 (Optional) Enter a class map identifier number.
The Name field contains an automatically incremented number for the class map. You can leave the
number as it is or enter a different, unique number.
Step 4 In the Class Map Type field, choose the type of class map that you are creating.
The types that are available depend on the ACE that you are configuring. Table 14-2 lists the available
class map types and the ACE devices that support them.
Step 5 In the Match Type field, choose the method to be used to evaluate multiple match statements when
multiple match conditions exist:
• All—A match exists only if all match conditions are satisfied. If you choose All, you can specify
multiple types of match conditions.
• Any—A match exists if at least one of the match conditions is satisfied. If you choose Any, you can
specify only one type of match condition.
This field does not appear for Layer 7 Command Inspection - FTP class maps.
Step 6 In the Description field, enter a brief description for the class map.
Step 7 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and to configure match conditions for
the class map. See Setting Match Conditions for Class Maps, page 14-8 for more information.
• Click Cancel to exit the procedure without saving your entries and to return to the Class Maps table.
• Click Next to deploy your entries and to configure another class map.
Related Topics
• Information About Virtual Contexts, page 6-2
• Deleting Class Maps, page 14-8
• Setting Match Conditions for Class Maps, page 14-8
• Configuring Virtual Context Policy Maps, page 14-32
Table 14-2 Class Maps and ACE Device Support
Class Map ACE Module ACE Appliance
Layer 3/4 Management Traffic X X
Layer 3/4 Network Traffic X X
Layer 7 Command Inspection - FTP X X
Layer 7 Deep Packet Inspection - HTTP X X
Layer 7 Deep Packet Inspection - SIP X X
Layer 7 Server Load Balancing X X
Server Load Balancing - Generic X X
Server Load Balancing - RADIUS X X
Server Load Balancing - RTSP X X
Server Load Balancing - SIP X X
Deleting Class Maps
You can delete a class map. To delete a class map from a context, the class map must no longer be in use.
To delete multiple class maps, none of the class maps must be in use.
Assumption
The class map to be deleted is not being used.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the class maps that you want to delete and click Delete.
A confirmation popup window appears, asking you to confirm the deletion.
If you attempt to delete multiple class maps and one of them is still in use, none of the class maps
are deleted and a message appears stating that one of the class maps is in use. Remove the class map
that is still in use from your selection, then click Delete. The Class Maps table refreshes and the deleted
class maps no longer appear.
Step 3 Do one of the following:
• Click OK to confirm the deletion.
• Click Cancel to retain the class map and to return to the Class Maps table.
Related Topics
• Class Map and Policy Map Overview, page 14-2
• Configuring Virtual Context Class Maps, page 14-6
Setting Match Conditions for Class Maps
Table 14-3 lists the class maps available for all ACE devices and provides links to topics for setting
match conditions:
Table 14-3 Class Maps Available for All ACE Devices
Class Map Related Topic
Layer 3/Layer 4 management traffic Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 14-12
Layer 3/Layer 4 network traffic Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps, page 14-9
Layer 7 FTP command inspection Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps, page 14-22
Layer 7 HTTP deep packet inspection Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps, page 14-17
Layer 7 server load balancing Setting Match Conditions for Layer 7 Server Load Balancing Class Maps, page 14-14
Generic server load balancing Setting Match Conditions for Generic Server Load Balancing Class Maps, page 14-23
Layer 7 SIP deep packet inspection Setting Match Conditions for Layer 7 SIP Deep Packet Inspection Class Maps, page 14-30
RADIUS server load balancing Setting Match Conditions for RADIUS Server Load Balancing Class Maps, page 14-25
RTSP server load balancing Setting Match Conditions for RTSP Server Load Balancing Class Maps, page 14-26
SIP server load balancing Setting Match Conditions for SIP Server Load Balancing Class Maps, page 14-27
Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps
You can match criteria for a Layer 3/Layer 4 network traffic class map on the ACE.
Assumption
You have configured a Layer 3/Layer 4 network traffic class map and want to establish match conditions.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the Layer 3/4 network traffic class map that you want to set match
conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition you want
to modify and click Edit.
The Match Condition configuration window appears.
Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255.
Step 5 In the Match Condition Type field, choose the type of match condition to use for this class map and
configure any match-specific attributes as described in Table 14-4.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 14-4 Layer 3/Layer 4 Network Traffic Class Map Match Conditions
Match Condition Description
Access List Access list that is the match type for this match condition.
In the Extended ACL field, choose the ACL to use as the match condition.
Any Any Layer 3 or Layer 4 IPv4 traffic passing through the ACE meets the match condition.
Anyv6 Any Layer 3 or Layer 4 IPv6 traffic passing through the ACE meets the match condition. This
option requires ACE module and ACE appliance software Version A5(1.0) or later, which supports
IPv4 and IPv6.
Destination Address Destination address that is the match type for this match condition.
Do the following:
a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE
module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
b. In the Destination Address field, enter the destination IP address for this match condition in
the format based on the address type (IPv4 or IPv6).
c. Depending on the destination IP address type that you chose, do one of the following:
– For IPv4, in the Destination Netmask field, select the subnet mask of the IP address.
– For IPv6, in the Destination Prefix-length field, enter the prefix length for the address.
Port UDP or TCP port or range of ports for IPv4 traffic that is the match type for this match condition.
Do the following:
a. In the Port Protocol field, choose TCP or UDP as the protocol to match.
b. In the Port Operator field, choose the match criteria for the port. Choices are as follows:
– Any—Any port using the selected protocol meets the match condition.
– Equal To—A specific port using the protocol meets the match condition. In the Port Number
field, enter the port to be matched. Valid entries are integers from 0 to 65535. A value of 0
indicates that the ACE is to include all ports.
– Range—The port must be one of a range of ports to meet the match condition. Do the following:
1. In the Lower Port Number field, enter the first port number in the port range for the
match condition.
2. In the Upper Port Number field, enter the last port number in the port range for the
match condition.
Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE is to include
all ports.
Portv6 UDP or TCP port or range of ports for IPv6 traffic that is the match type for this match condition.
This option requires ACE module and ACE appliance software Version A5(1.0) or later, which
supports IPv4 and IPv6.
For port configuration information, see Port.
Source Address Source IP address that is the match type for this match condition.
Do the following:
a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE
module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
b. In the Source IP Address field, enter the source IP address for this match condition in the
format based on the address type (IPv4 or IPv6).
c. Depending on the source IP address type that you chose, do one of the following:
– For IPv4, in the Source Netmask field, select the subnet mask of the IP address.
– For IPv6, in the Source Prefix-length field, enter the prefix length for the address.
Virtual Address Virtual IP address that is the match type for this match condition.
Do the following:
a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE
module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
b. In the Virtual IP Address field, enter the virtual IP address for this match condition in the
format based on the address type (IPv4 or IPv6).
c. Depending on the IP address type that you chose, do one of the following:
– For IPv4, in the Virtual IP Netmask field, choose the subnet mask for the virtual IP
address.
– For IPv6, in the Virtual Prefix-length field, enter the prefix length for the address.
d. In the Virtual Address Protocol field, choose the protocol to be used for this match condition.
For a list of protocols and their respective numbers, see Table 6-20.
Note Depending on the protocol that you choose, such as TCP or UDP, additional fields
appear. If they appear, enter the information described in the following step.
e. In the Port Operator field, choose the match criteria for the port:
– Any—Any port using the selected protocol meets the match condition.
– Equal To—A specific port using the protocol meets the match condition. In the Port Number
field, enter the port to be matched. Valid entries are from 0 to 65535. A value of 0 indicates
that the ACE is to include all ports.
– Range—The port must be one of a range of ports to meet the match condition. Valid entries
are from 0 to 65535. A value of 0 indicates that the ACE is to include all ports. Do the following:
1. In the Lower Port Number field, enter the first port number in the port range for the
match condition.
2. In the Upper Port Number field, enter the last port number in the port range for the
match condition.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit the procedure without saving your entries and to return to the Match Condition
table.
• Click Next to deploy your entries and to configure additional match conditions.
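The address and port conditions in Table 14-4 have two details that are easy to misread: a port number of 0 means every port (so an "Equal To 0" condition is as broad as "Any"), and an IPv4 netmask and an IPv6 prefix length are two notations for the same subnet test, with the address types never matching each other. The following Python block is an added example, not code from the ANM guide or the ACE; it models the Source Address, Destination Address, Port and Virtual Address conditions over constructed packets using the standard ipaddress module. The Access List condition is left out because it depends on a separately configured ACL. The class, function and field names are this example's own, not ANM GUI field names.

```python
"""Layer 3/Layer 4 network traffic match conditions (added example, not ACE code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

Packet = Dict[str, object]   # constructed keys: src, dst, proto, dport


def address_matches(field_value: str, addr: str, mask_or_len: str) -> bool:
    """True if the packet address lies in addr/mask (IPv4 netmask or IPv6 prefix length).
    An IPv4 address never matches an IPv6 subnet and vice versa."""
    ip = ipaddress.ip_address(field_value)
    net = ipaddress.ip_network(f"{addr}/{mask_or_len}", strict=False)
    return ip.version == net.version and ip in net


@dataclass
class PortMatch:
    protocol: str                 # "tcp" or "udp"
    operator: str = "any"         # "any", "eq" (Equal To) or "range"
    port: int = 0                 # for "eq"; 0 means all ports
    lower: int = 0                # for "range"; 0 means all ports
    upper: int = 0

    def matches(self, pkt: Packet) -> bool:
        if pkt.get("proto") != self.protocol:
            return False
        dport = int(pkt.get("dport", -1))
        if self.operator == "any":
            return True
        if self.operator == "eq":
            return self.port == 0 or dport == self.port
        if self.operator == "range":
            if self.lower == 0 or self.upper == 0:
                return True
            return self.lower <= dport <= self.upper
        raise ValueError(f"unknown port operator {self.operator!r}")


@dataclass
class VirtualAddressMatch:
    vip: str
    mask_or_len: str
    protocol: Optional[str] = None    # None models "any protocol"
    port: Optional[PortMatch] = None  # extra port fields appear only for TCP/UDP

    def matches(self, pkt: Packet) -> bool:
        if not address_matches(str(pkt["dst"]), self.vip, self.mask_or_len):
            return False
        if self.protocol is None:
            return True
        if self.port is not None:
            return self.port.matches(pkt)
        return pkt.get("proto") == self.protocol


def classify_samples() -> Dict[str, bool]:
    """Evaluate constructed conditions against constructed packets."""
    vip_http = VirtualAddressMatch("10.1.1.100", "255.255.255.255", "tcp",
                                   PortMatch("tcp", "eq", 80))
    vip_v6_any = VirtualAddressMatch("2001:db8:10::64", "128")
    internal_src = ("10.0.0.0", "255.0.0.0")
    ephemeral = PortMatch("udp", "range", lower=1024, upper=65535)

    web = {"src": "10.20.30.40", "dst": "10.1.1.100", "proto": "tcp", "dport": 80}
    ssh_to_vip = {"src": "10.20.30.40", "dst": "10.1.1.100", "proto": "tcp", "dport": 22}
    v6 = {"src": "2001:db8:1::5", "dst": "2001:db8:10::64", "proto": "udp", "dport": 53}
    dns = {"src": "203.0.113.7", "dst": "10.1.1.53", "proto": "udp", "dport": 53}

    return {
        "web hits VIP:80": vip_http.matches(web),
        "ssh to VIP rejected": vip_http.matches(ssh_to_vip),
        "v6 VIP any protocol": vip_v6_any.matches(v6),
        "v6 source not in v4 subnet": address_matches(str(v6["src"]), *internal_src),
        "web source internal": address_matches(str(web["src"]), *internal_src),
        "dns not in ephemeral range": ephemeral.matches(dns),
        "port 0 means all ports": PortMatch("udp", "eq", 0).matches(dns),
    }


if __name__ == "__main__":
    for label, result in classify_samples().items():
        print(f"{label}: {result}")
```

The last two entries are the practitioner's check: a Range condition with either bound at 0, or an Equal To condition with port 0, matches every port of that protocol, which is rarely what a narrow virtual-address class map is meant to do.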
Related Topics
• Configuring Traffic Policies, page 14-1
• Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 14-12
• Setting Match Conditions for Layer 7 Server Load Balancing Class Maps, page 14-14
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Virtual Context Class Maps, page 14-6
Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps
You can identify the network management protocols that can be received by the ACE and, optionally,
the source addresses from which each protocol is accepted. Telnet and HTTP carry credentials in
cleartext; where possible, permit only SSH, HTTPS and the monitoring protocols you need, and use the
Source Address traffic type to restrict them to known management hosts.
Assumption
You have configured a Layer 3/Layer 4 network management class map and want to establish match
conditions.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the Layer 3/Layer 4 management class map that you want to set match
conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match conditions that you
want to modify and click Edit.
The Match Condition configuration window appears.
Step 4 Enter the match conditions (see Table 14-5).
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 14-5 Layer 3/Layer 4 Management Traffic Class Map Match Conditions
Field Description
Sequence Number Number from 2 to 255 as the line number. The number entered here does not indicate a priority or
sequence for the match conditions.
Match Condition Type Confirm that Management is selected.
Note To change the type of match condition, you must delete the class map and add it again with
the correct match type.
Management Protocol Type Field that identifies the network management protocols that can be received by the ACE. Choose
the allowed protocol for this match condition as follows:
• HTTP—Specifies the Hypertext Transfer Protocol (HTTP).
• HTTPS—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity
with the ANM GUI on the ACE.
• ICMP—Specifies the Internet Control Message Protocol (ICMP), commonly referred to as
ping.
• ICMPv6—Specifies the Internet Control Message Protocol version 6 (ICMPv6).
• SNMP—Specifies the Simple Network Management Protocol (SNMP).
• SSH—Specifies a Secure Shell (SSH) connection to the ACE.
• TELNET—Specifies a Telnet connection to the ACE.
• KAL-AP-UDP—Specifies the KeepAlive Appliance Protocol over UDP.
• XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving XML
documents between the ACE and a Network Management System (NMS). Communication is
performed using port 10443. This option is available for ACE appliances only.
Traffic Type Type of traffic:
• Any—Any client source IP address meets the match condition.
• Source Address—A specific source IP address is part of the match condition.
Source Address Field that appears if Source Address is selected for Traffic Type.
Depending on the management protocol type that you chose, do one of the following:
• For ICMP (or another IPv4 management protocol), enter the source IPv4 address of the client
in dotted-decimal notation, such as 192.168.11.1.
• For ICMPv6, enter a complete IPv6 address.
Source Netmask Field that appears if Source Address is selected for Traffic Type. Choose the subnet mask for the
source IP address.
Source Prefix-length This field appears if ICMPv6 is selected for the Management Protocol Type and Source Address is
selected for Traffic Type.
Enter the prefix length for the source IPv6 address.
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit the procedure without saving your entries and to return to the Match Condition
table.
• Click Next to deploy your entries and to configure additional match conditions.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Real Servers, page 8-5
• Configuring Server Farms, page 8-30
• Configuring Sticky Groups, page 9-7
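Because a management class map is match-any and a management policy map acts on the first class that matches, the order of the classes and the source restrictions on each protocol decide who can reach the ACE's own control plane. The following Python block is an added example, not code from the ANM guide or the ACE. It models the Table 14-5 conditions (one management protocol per condition, Traffic Type Any or a Source Address with IPv4 netmask or IPv6 prefix length) and compares a weak policy that permits every protocol from anywhere with a hardened one that denies Telnet and HTTP outright and limits SSH, HTTPS and SNMP to two admin subnets. Treating a request that matches no permitted class as denied is a modelling assumption of this example; the protocol names follow Table 14-5, and the subnets, class names and request records are constructed.

```python
"""Management-traffic class maps: weak vs hardened policy (added example, not ACE code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Protocol choices from Table 14-5
MGMT_PROTOCOLS = {"http", "https", "icmp", "icmpv6", "snmp", "ssh",
                  "telnet", "kal-ap-udp", "xml-https"}


@dataclass
class MgmtMatch:
    protocol: str
    source: Optional[str] = None          # None models Traffic Type "Any"
    mask_or_len: Optional[str] = None     # IPv4 netmask or IPv6 prefix length

    def __post_init__(self) -> None:
        if self.protocol not in MGMT_PROTOCOLS:
            raise ValueError(f"not a management protocol: {self.protocol}")

    def matches(self, protocol: str, src: str) -> bool:
        if protocol != self.protocol:
            return False
        if self.source is None:
            return True
        net = ipaddress.ip_network(f"{self.source}/{self.mask_or_len}", strict=False)
        ip = ipaddress.ip_address(src)
        return ip.version == net.version and ip in net


@dataclass
class MgmtClassMap:
    name: str
    conditions: List[MgmtMatch] = field(default_factory=list)   # evaluated match-any

    def matches(self, protocol: str, src: str) -> bool:
        return any(c.matches(protocol, src) for c in self.conditions)


@dataclass
class MgmtPolicy:
    entries: List[Tuple[MgmtClassMap, str]]   # (class map, "permit" | "deny"); first match wins

    def decide(self, protocol: str, src: str) -> str:
        for cmap, action in self.entries:
            if cmap.matches(protocol, src):
                return action
        return "deny"   # assumption of this model: unmatched management traffic is not accepted


# Weak policy: every protocol, including cleartext Telnet and HTTP, from any source
WEAK = MgmtPolicy([(MgmtClassMap("ALL-MGMT", [MgmtMatch(p) for p in sorted(MGMT_PROTOCOLS)]),
                    "permit")])

# Hardened policy: cleartext protocols denied first, encrypted and SNMP only from admin
# subnets, ICMP echo from anywhere. Subnets are constructed for the example.
ADMIN_V4 = ("10.10.0.0", "255.255.255.0")
ADMIN_V6 = ("2001:db8:a:1::", "64")
HARDENED = MgmtPolicy([
    (MgmtClassMap("DENY-CLEARTEXT", [MgmtMatch("telnet"), MgmtMatch("http")]), "deny"),
    (MgmtClassMap("ADMIN-ONLY", [
        MgmtMatch("ssh", *ADMIN_V4), MgmtMatch("https", *ADMIN_V4), MgmtMatch("snmp", *ADMIN_V4),
        MgmtMatch("ssh", *ADMIN_V6), MgmtMatch("https", *ADMIN_V6),
    ]), "permit"),
    (MgmtClassMap("PING", [MgmtMatch("icmp"), MgmtMatch("icmpv6")]), "permit"),
])


def compare(protocol: str, src: str) -> Tuple[str, str]:
    """(weak decision, hardened decision) for one management request."""
    return WEAK.decide(protocol, src), HARDENED.decide(protocol, src)


if __name__ == "__main__":
    for req in [("telnet", "203.0.113.9"), ("ssh", "203.0.113.9"), ("ssh", "10.10.0.25"),
                ("https", "2001:db8:a:1::7"), ("icmp", "198.51.100.3")]:
        print(req, "->", compare(*req))
```

The DENY-CLEARTEXT class is deliberately first: because the ACE acts on the first matching class, a Telnet request from an admin host is still refused even though the same host is permitted for SSH, which is the ordering you want when a later class is broad.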
Setting Match Conditions for Layer 7 Server Load Balancing Class Maps
You can set match conditions for Layer 7 server load balancing class maps.
Assumption
You have configured a load-balancing class map and want to establish the match conditions.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the Layer 7 server load balancing class map you want to set match
conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you
want to modify and click Edit.
The Match Condition configuration window appears.
Step 4 In the Sequence Number field, enter a value from 2 to 255 as the line number.
The number entered here does not indicate a priority or sequence for the match conditions.
Step 5 In the Match Condition Type field, choose the type of match to use and configure condition-specific
attributes as described in Table 14-6.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 14-6 Layer 7 Server Load Balancing Class Map Match Conditions
Match Condition Description
Class Map Class map that is to be used to establish a match condition.
In the Class Map field, choose the class map to apply to this match condition.
HTTP Content Specific content contained within the HTTP entity-body that is used to establish a match condition.
Do the following:
a. In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
b. In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the
first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and
the body of the message. Valid entries are from 1 to 255.
HTTP Cookie HTTP cookie that is to be used to establish a match condition.
Do the following:
a. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings
with no spaces and a maximum of 64 alphanumeric characters.
b. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted
text strings with no spaces and a maximum of 255 alphanumeric characters.
c. Check the Secondary Cookie Matching check box to instruct the ACE to use both the cookie
name and the cookie value to satisfy this match condition. Uncheck this check box to indicate
that the ACE is to use either the cookie name or the cookie value to satisfy this match
condition.
HTTP Header HTTP header that is to be used to establish a match condition.
Do the following:
a. In the Header Name field, specify the header to match in one of the following ways:
– To specify an HTTP header that is not one of the standard HTTP headers, click the first
radio button, and enter the HTTP header name in the Header Name field. Valid entries are
unquoted text strings with no spaces and a maximum of 64 characters.
– To specify a standard HTTP header, click the second radio button, and choose an HTTP
header from the list.
b. In the Header Value (Bytes) field, enter the header value expression string to compare against
the value in the specified field in the HTTP header. Valid entries are text strings with a
maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching. If the string includes spaces, enclose the string in quotes. See Table 14-33 for a list
of the supported characters that you can use in regular expressions.
HTTP URL Portion of an HTTP URL that is to be used to establish a match condition.
Do the following:
a. In the URL Expression field, enter a URL or a portion of a URL to match. Valid entries are
URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL
following www.hostname.domain. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
b. In the Method Expression field, enter the HTTP method to match. Valid entries are method
names entered as unquoted text strings with no spaces and a maximum of 15 alphanumeric
characters. You can enter either one of the standard HTTP 1.1 method names (OPTIONS,
GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be
matched exactly (for example, CORVETTE).
Source Address Source IP address that is to be used to establish a match condition.
Do the following:
a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE
module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
b. In the Source Address field, enter the source IP address for this match condition in the format
based on the address type (IPv4 or IPv6).
c. Depending on the IP address type that you chose, do one of the following:
– For IPv4, in the Source Netmask field, choose the subnet mask of the source IP address.
– For IPv6, in the Source Prefix-length field, enter the prefix length for the address.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit the procedure without saving your entries and to return to the Match Condition
table.
• Click Next to deploy your entries and to configure additional match conditions.
Related Topics
• Information About Virtual Contexts, page 6-2
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
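The Layer 7 match conditions in Table 14-6 operate on different parts of the request, and two of them are regularly misconfigured: the URL expression is applied only to the part of the request after the host (so an expression that begins with www.anydomain.com never matches), and the content offset counts bytes from the first byte after the empty line (CR LF CR LF) that separates headers from the body. The following Python block is an added example, not code from the ANM guide or the ACE. It parses one constructed HTTP/1.1 request and evaluates the HTTP URL (with method expression), HTTP Header, HTTP Cookie and HTTP Content conditions against it; it also includes the Equal To / Greater Than / Less Than / Range content-length comparison that the HTTP deep packet inspection class map (Table 14-7, below) uses. Regular-expression semantics for URL, header and content expressions follow the guide; the helper names, the request bytes and the Python re syntax are this example's assumptions.

```python
"""Layer 7 HTTP match conditions against a parsed request (added example, not ACE code)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HttpRequest:
    method: str
    path: str                 # request target with any scheme://host prefix removed
    headers: Dict[str, str]   # header names lower-cased
    cookies: Dict[str, str]
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into request line, headers and entity body at CR LF CR LF."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    # URL match conditions see only the portion after www.hostname.domain
    path = re.sub(r"^https?://[^/]+", "", target) or "/"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies: Dict[str, str] = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return HttpRequest(method, path, headers, cookies, body)


def match_url(req: HttpRequest, url_expr: str, method_expr: Optional[str] = None) -> bool:
    """URL expression is a regular expression on the path; method expression matches exactly."""
    if method_expr is not None and req.method != method_expr:
        return False
    return re.search(url_expr, req.path) is not None


def match_header(req: HttpRequest, name: str, value_expr: str) -> bool:
    """Header name is literal (case-insensitive); the value is a regular expression."""
    value = req.headers.get(name.lower())
    return value is not None and re.search(value_expr, value) is not None


def match_cookie(req: HttpRequest, name: str, value_expr: str, both: bool = True) -> bool:
    """both=True: cookie name and value must match; both=False: either one suffices."""
    name_ok = name in req.cookies
    if both:
        return name_ok and re.fullmatch(value_expr, req.cookies[name]) is not None
    return name_ok or any(re.fullmatch(value_expr, v) for v in req.cookies.values())


def match_content(req: HttpRequest, expr: str, offset: int = 0) -> bool:
    """Search the entity body, ignoring the first 'offset' bytes after the empty line."""
    return re.search(expr.encode("iso-8859-1"), req.body[offset:]) is not None


def match_content_length(req: HttpRequest, op: str, value: int = 0,
                         lower: int = 0, upper: int = 0) -> bool:
    """Equal To / Greater Than / Less Than / Range operators on the Content-Length."""
    n = int(req.headers.get("content-length", len(req.body)))
    return {"eq": n == value, "gt": n > value, "lt": n < value,
            "range": lower <= n <= upper}[op]


# Constructed sample request (not captured traffic); body is 26 bytes
RAW = (b"POST http://www.anydomain.com/latest/whatsnew.html?id=7 HTTP/1.1\r\n"
       b"Host: www.anydomain.com\r\n"
       b"User-Agent: Mozilla/5.0 (X11; Linux)\r\n"
       b"Cookie: session=abc123; theme=dark\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n"
       b"Content-Length: 26\r\n"
       b"\r\n"
       b"user=alice&action=transfer")


def evaluate_samples() -> Dict[str, bool]:
    req = parse_request(RAW)
    return {
        "url whatsnew": match_url(req, r"^/latest/whatsnew\.html"),
        "url with host never matches": match_url(req, r"^www\.anydomain\.com"),
        "url and method GET": match_url(req, r"/latest/", "GET"),
        "url and method POST": match_url(req, r"/latest/", "POST"),
        "user-agent regex": match_header(req, "User-Agent", r"Mozilla/[45]\.0"),
        "cookie name and value": match_cookie(req, "session", r"[a-z0-9]+"),
        "cookie name only": match_cookie(req, "session", r"\d+", both=False),
        "body after 11-byte offset": match_content(req, r"^action=transfer", offset=11),
        "body at offset 0": match_content(req, r"^action=transfer"),
        "length in 1-255 range": match_content_length(req, "range", lower=1, upper=255),
        "length greater than 1024": match_content_length(req, "gt", 1024),
    }


if __name__ == "__main__":
    for label, result in evaluate_samples().items():
        print(f"{label}: {result}")
```

The two content checks show why the offset matters: an anchored expression such as ^action=transfer matches only when the offset skips the preceding user=alice& bytes, so an offset chosen for one form layout silently stops matching when the field order changes.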
Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps
You can configure a Layer 7 class map for deep packet inspection of HTTP traffic by the ACE. When
these features are configured, the ACE performs a stateful deep packet inspection of the HTTP protocol
and permits or restricts traffic based on the actions in the defined policy maps. You can configure the
following security features as part of HTTP deep packet inspection to be performed by the ACE:
• Regular expression matching on name in an HTTP header, URL name, or content expressions in an
HTTP entity body
• Content, URL, and HTTP header length checks
• MIME-type message inspection
• Transfer-encoding methods
• Content type verification and filtering
• Port 80 misuse by tunneling protocols
• RFC compliance monitoring and RFC method filtering
Use this procedure to configure a Layer 7 class map for deep packet inspection of HTTP traffic.
Assumption
You have configured a Layer 7 HTTP deep packet inspection class map and want to establish match
conditions.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the Layer 7 HTTP deep packet inspection class map that you want to set
match conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you
want to modify and click Edit.
The Match Condition configuration window appears.
Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255
as the line number.
The number entered here does not indicate a priority or sequence for the match conditions.
Step 5 In the Match Condition Type field, choose the type of match condition on which match decisions are
to be made and configure condition-specific attributes as described in Table 14-7.
Table 14-7 Layer 7 HTTP Deep Packet Inspection Class Map Match Conditions
Match Condition / Description

Content
    Specific content contained within the HTTP entity-body that is to be used for protocol inspection decisions. Do the following:
    a. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.
    b. In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the first byte of the message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255.

Content Length
    Content parse length in an HTTP message that is to be used for protocol inspection decisions. Do the following:
    a. In the Content Length Operator field, choose the operand to use to compare content length as follows:
       – Equal To—The content length must equal the number in the Content Length Value (Bytes) field.
       – Greater Than—The content length must be greater than the number in the Content Length Value (Bytes) field.
       – Less Than—The content length must be less than the number in the Content Length Value (Bytes) field.
       – Range—The content length must be within the range specified in the Content Length Lower Value (Bytes) field and the Content Length Higher Value (Bytes) field.
    b. Enter values to apply for content length comparison as follows:
       – If you chose Equal To, Greater Than, or Less Than in the Content Length Operator field, the Content Length Value (Bytes) field appears. In the Content Length Value (Bytes) field, enter the number of bytes for comparison. Valid entries are from 0 to 4294967295.
       – If you chose Range in the Content Length Operator field, the Content Length Lower Value (Bytes) and the Content Length Higher Value (Bytes) fields appear. Do the following:
         1. In the Content Length Lower Value (Bytes) field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 4294967295. The number in this field must be less than the number entered in the Content Length Higher Value (Bytes) field.
         2. In the Content Length Higher Value (Bytes) field, enter the highest number of bytes to be used for this match condition. Valid entries are from 0 to 4294967295. The number in this field must be greater than the number entered in the Content Length Lower Value (Bytes) field.
Header
    Name and value in an HTTP header that are to be used for protocol inspection decisions. Do the following:
    a. In the Header field, choose one of the predefined HTTP headers to be matched, or choose HTTP Header to specify a different HTTP header.
    b. If you chose HTTP Header, in the Header Name field, enter the name of the HTTP header to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
    c. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions.

Header Length
    Length of the header in the HTTP message that is to be used for protocol inspection decisions. Do the following:
    a. In the Header Length Type field, specify whether HTTP header request or response messages are to be used for protocol inspection decisions as follows:
       – Request—HTTP header request messages are to be checked for header length.
       – Response—HTTP header response messages are to be checked for header length.
    b. In the Header Length Operator field, choose the operand to use to compare header length:
       – Equal To—The header length must equal the number in the Header Length Value (Bytes) field.
       – Greater Than—The header length must be greater than the number in the Header Length Value (Bytes) field.
       – Less Than—The header length must be less than the number in the Header Length Value (Bytes) field.
       – Range—The header length must be within the range specified in the Header Length Lower Value (Bytes) field and the Header Length Higher Value (Bytes) field.
    c. Enter values to apply for header length comparison as follows:
       – If you chose Equal To, Greater Than, or Less Than in the Header Length Operator field, the Header Length Value (Bytes) field appears. In the Header Length Value (Bytes) field, enter the number of bytes for comparison. Valid entries are from 0 to 255.
       – If you chose Range in the Header Length Operator field, the Header Length Lower Value (Bytes) and the Header Length Higher Value (Bytes) fields appear. Do the following:
         1. In the Header Length Lower Value (Bytes) field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 255. The number in this field must be less than the number entered in the Header Length Higher Value (Bytes) field.
         2. In the Header Length Higher Value (Bytes) field, enter the highest number of bytes to be used for this match condition. Valid entries are from 1 to 255. The number in this field must be greater than the number entered in the Header Length Lower Value (Bytes) field.
Header MIME Type
    Multipurpose Internet Mail Extension (MIME) message types that are to be used for protocol inspection decisions. In the Header MIME Type field, choose the MIME message type to use for this match condition.

Port Misuse
    Feature that specifies that the misuse of port 80 (or any other port running HTTP) is to be used for protocol inspection decisions. Choose the application category to use for this match condition:
    • IM—Instant messaging applications are to be used for this match condition.
    • P2P—Peer-to-peer applications are to be used for this match condition.
    • Tunneling—Tunneling applications are to be used for this match condition.

Request Method
    Request method that is to be used for protocol inspection decisions. By default, ACEs allow all request and extension methods. This option allows you to configure class maps that define protocol inspection decisions based on compliance to request methods defined in RFC 2616 and by HTTP extension methods. Do the following:
    a. In the Request Method Type field, choose the type of compliance to be used for protocol inspection decisions. Choices are as follows:
       – Ext—HTTP extension method is to be used for protocol inspection decisions.
       – RFC—Request method defined in RFC 2616 is to be used for protocol inspection decisions.
       Depending on your selection, the Ext Request Method field or the RFC Request Method field appears.
    b. In the Request Method field, choose the specific request method to be used.

Transfer Encoding
    Field that appears when an HTTP transfer-encoding type is used for protocol inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient. In the Transfer Encoding field, choose the type of encoding that is to be checked:
    • Chunked—The message body is transferred as a series of chunks.
    • Compress—The encoding format that is produced by the UNIX file compression program compress.
    • Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951.
    • Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952.
    • Identity—The default (identity) encoding, which does not require the use of transformation.

URL
    URL name used for protocol inspection decisions. In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
URL Length
    URL length to be used for protocol inspection decisions. Do the following:
    a. In the URL Length Operator field, choose the operand to be used to compare URL length:
       – Equal To—The URL length must equal the number in the URL Length Value (Bytes) field.
       – Greater Than—The URL length must be greater than the number in the URL Length Value (Bytes) field.
       – Less Than—The URL length must be less than the number in the URL Length Value (Bytes) field.
       – Range—The URL length must be within the range specified in the URL Length Lower Value (Bytes) field and the URL Length Higher Value (Bytes) field.
    b. Enter values to apply for URL length comparison as follows:
       – If you chose Equal To, Greater Than, or Less Than in the URL Length Operator field, the URL Length Value (Bytes) field appears. In the URL Length Value (Bytes) field, enter the value for comparison. Valid entries are from 1 to 65535 bytes.
       – If you chose Range in the URL Length Operator field, the URL Length Lower Value (Bytes) and the URL Length Higher Value (Bytes) fields appear. Do the following:
         1. In the URL Length Lower Value (Bytes) field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be less than the number entered in the URL Length Higher Value (Bytes) field.
         2. In the URL Length Higher Value (Bytes) field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be greater than the number entered in the URL Length Lower Value (Bytes) field.

Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
Note If you click Deploy Now, the ACE drops the traffic, then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
• Click Next to configure another match condition for this class map.
Related Topics
• Configuring Virtual Context Policy Maps, page 14-32
• Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps, page 14-9
• Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 14-12
• Setting Match Conditions for Layer 7 Server Load Balancing Class Maps, page 14-14
• Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps, page 14-22
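The Table 14-7 match conditions as a small evaluator, added here as an illustration and not code from ANM or the ACE: it splits a raw request at the CR,LF,CR,LF boundary, keeps only the URL portion after the host, classifies the method as RFC 2616 or extension, and applies the Equal To, Greater Than, Less Than and Range operators to content, header and URL lengths. Python's re module stands in for the ACE regular-expression dialect of Table 14-33; header length is taken as the byte size of the header block including the blank line, Range is treated as inclusive, and the sample request and class map are constructed, all of which are assumptions.

```python
"""Evaluator for the Layer 7 HTTP deep packet inspection match conditions of
Table 14-7 (added illustration, not ANM or ACE code; re stands in for Table 14-33)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Request methods defined in RFC 2616; any other method counts as an extension method.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}


@dataclass
class HttpRequest:
    method: str
    url: str            # only the portion after www.hostname.domain, as Table 14-7 requires
    headers: dict       # header name (lowercase) -> value
    header_length: int  # assumption: byte size of the header block, blank line included
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request at the empty line (CR,LF,CR,LF) between headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # An absolute-form target is reduced to the path (plus query) after the host.
    parts = urlsplit(target)
    url = parts.path + ("?" + parts.query if parts.query else "")
    return HttpRequest(method, url, headers, len(head) + len(sep), body)


def compare_length(cond: dict, value: int) -> bool:
    """Equal To / Greater Than / Less Than / Range operators (Range assumed inclusive)."""
    op = cond["op"]
    if op == "eq":
        return value == cond["value"]
    if op == "gt":
        return value > cond["value"]
    if op == "lt":
        return value < cond["value"]
    if op == "range":
        if cond["low"] >= cond["high"]:
            raise ValueError("lower value must be less than higher value")
        return cond["low"] <= value <= cond["high"]
    raise ValueError(f"unknown operator {op!r}")


def eval_condition(cond: dict, req: HttpRequest) -> bool:
    """Evaluate one match condition of the kinds listed in Table 14-7."""
    kind = cond["type"]
    if kind == "content":
        # Content Offset skips that many bytes, counted from the first byte of the body.
        window = req.body[cond.get("offset", 0):]
        return re.search(cond["regex"].encode("latin-1"), window) is not None
    if kind == "content_length":
        return compare_length(cond, len(req.body))
    if kind == "header":
        value = req.headers.get(cond["name"].lower())
        return value is not None and re.search(cond["regex"], value) is not None
    if kind == "header_length":
        return compare_length(cond, req.header_length)
    if kind == "request_method":
        # RFC matches only RFC 2616 methods, Ext only extension methods, each by exact name.
        is_rfc = req.method in RFC2616_METHODS
        return is_rfc == (cond["kind"] == "rfc") and req.method == cond["method"]
    if kind == "transfer_encoding":
        # An absent header means the default identity encoding.
        raw = req.headers.get("transfer-encoding", "identity")
        return cond["encoding"] in [c.strip().lower() for c in raw.split(",")]
    if kind == "url":
        return re.search(cond["regex"], req.url) is not None
    if kind == "url_length":
        return compare_length(cond, len(req.url))
    raise ValueError(f"unknown match condition type {kind!r}")


def class_map_matches(conditions: list, req: HttpRequest, match_all: bool = True) -> bool:
    """Combine the conditions the way a match-all or match-any class map does."""
    results = [eval_condition(c, req) for c in conditions]
    return all(results) if match_all else any(results)


# Constructed sample request, not captured traffic.
SAMPLE_REQUEST = (
    b"POST http://www.anydomain.com/latest/whatsnew.html HTTP/1.1\r\n"
    b"Host: www.anydomain.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"user=alice&action=login"
)

# Constructed class map: RFC 2616 POSTs of bounded size to the whatsnew page.
SAMPLE_CLASS_MAP = [
    {"type": "url", "regex": r"^/latest/whatsnew\.html$"},
    {"type": "request_method", "kind": "rfc", "method": "POST"},
    {"type": "header", "name": "Content-Type", "regex": "form-urlencoded"},
    {"type": "content_length", "op": "range", "low": 0, "high": 4096},
]
```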
Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps
You can set match conditions for a Layer 7 FTP command inspection class map.
Assumption
You have configured a Layer 7 FTP command inspection class map and want to establish match criteria.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the Layer 7 FTP command inspection class map that you want to set
match conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you
want to modify and click Edit.
The Match Condition configuration window appears.
Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255.
Step 5 In the Match Condition Type field, confirm that Request Method Name is selected as the match condition
type for this class map.
Step 6 In the Request Method Name field, choose the FTP command to be inspected.
Table 14-8 identifies the FTP commands that can be inspected.
Table 14-8 FTP Commands for Inspection
FTP Command   Description
Appe          Append data to the end of the specified file on the remote host.
Cdup          Change to the parent of the current directory.
Dele          Delete the specified file.
Get           Copy the specified file from the remote host to the local system.
Help          List all available FTP commands.
Mkd           Create a directory using the specified path and directory name.
Put           Copy the specified file from the local system to the remote host.
Rmd           Remove the specified directory.
Rnfr          Rename a file, specifying the current file name. Used with rnto.
Rnto          Rename a file, specifying the new file name. Used with rnfr.
Site          Execute a site-specific command.
Stou          Store a file on the remote host and give it a unique name.
Syst          Query the remote host for operating system information.
Step 7 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit this procedure without saving your entries and to return to the Match Condition
table.
• Click Next to configure another match condition for this class map.
Related Topics
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Setting Match Conditions for Generic Server Load Balancing Class Maps
You can set match conditions for a generic server load balancing class map.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Assumption
You have configured a generic server load balancing class map and want to establish match criteria.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the generic server load balancing class map that you want to set match
conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you
want to modify and click Edit.
The Match Condition configuration window appears.
Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255.
Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any
match-specific criteria as described in Table 14-9.
Table 14-9 Generic Server Load Balancing Class Map Match Conditions
Match Condition / Description

Class Map
    Class map that is used to establish a match condition. In the Class Map field, choose the class map to use for this match condition.

Layer 4 Payload
    Generic data parsing that is used to establish a match condition. Do the following:
    a. In the Layer 4 Payload Regex field, enter the Layer 4 payload expression contained within the TCP or UDP entity body to use for this match condition. Valid entries are text strings with a maximum of 255 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions.
    b. In the Layer 4 Payload Offset field, enter the absolute offset where the Layer 4 payload expression search starts. The offset starts at the first byte of the TCP or UDP body. Valid entries are from 0 to 999.

Source Address
    Source IP address that is used to establish a match condition. Do the following:
    a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
    b. In the Source Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6).
    c. Depending on the IP address type that you chose, do one of the following:
       – For IPv4, in the Source Netmask field, choose the subnet mask for the source IP address.
       – For IPv6, in the Source Prefix-length field, enter the prefix length for the address.

Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
• Click Next to configure another match condition for this class map.
Related Topics
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Setting Match Conditions for RADIUS Server Load Balancing Class Maps
You can set match conditions for a RADIUS server load balancing class map.
Assumption
You have configured a RADIUS server load balancing class map and want to establish match criteria.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the RADIUS server load balancing class map that you want to set match
conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you
want to modify and click Edit.
The Match Condition configuration window appears.
Step 4 In the Sequence Number field, enter a value from 2 to 255.
Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any
match-specific criteria as described in Table 14-10.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. You return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not
made changes. If you have not altered existing match conditions, click Cancel instead of
Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit this procedure without saving your entries and to return to the Match Condition
table.
• Click Next to configure another match condition for this class map.
Table 14-10 RADIUS Server Load Balancing Class Map Match Conditions
Match Condition / Description

Calling Station ID
    Unique identifier of the calling station that is used to establish a match condition. In the RADIUS Calling Station ID field, enter the calling station identifier to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions.

User Name
    Username that is used to establish a match condition. In the User Name field, enter the name to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions.
Related Topics
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Setting Match Conditions for RTSP Server Load Balancing Class Maps
You can set match conditions for an RTSP server load balancing class map.
Assumption
You have configured an RTSP server load balancing class map and want to establish match criteria.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the RTSP server load balancing class map that you want to set match
conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you
want to modify and click Edit.
The Match Condition configuration window appears.
Step 4 In the Sequence Number field, enter a value from 2 to 255.
Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any
match-specific criteria as described in Table 14-11.
Table 14-11 RTSP Server Load Balancing Class Map Match Conditions
Match Condition / Description

Class Map
    Class map that is used to establish a match condition. In the Class Map field, choose the class map to use for this match condition.

RTSP Header
    Name and value in an RTSP header that are used to establish a match condition. Do the following:
    a. In the Header Name field, specify the header in one of the following ways:
       – To specify an RTSP header that is not one of the standard RTSP headers, choose the first radio button and enter the RTSP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
       – To specify one of the standard RTSP headers, choose the second radio button and choose one of the RTSP headers from the list.
    b. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the RTSP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions.

RTSP URL
    URL or portion of a URL that is used to establish a match condition. Do the following:
    a. In the URL Expr field, enter a URL, or portion of a URL, to match. The ACE performs matching on whatever URL string appears after the RTSP method, regardless of whether the URL includes the host name. The ACE supports regular expressions for matching URL strings. See Table 14-33 for a list of the supported characters that you can use in regular expressions.
    b. In the Method field, enter the RTSP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can be either one of the standard RTSP method names (DESCRIBE, ANNOUNCE, GET_PARAMETER, OPTIONS, PAUSE, PLAY, RECORD, REDIRECT, SETUP, SET_PARAMETER, TEARDOWN) or a text string that must be matched exactly (for example, STINGRAY).

Source Address
    Source IP address that is used to establish a match condition. Do the following:
    a. In the Source Address field, enter the source IP address for this match condition in dotted-decimal format, such as 192.168.11.1.
    b. In the Source Netmask field, choose the subnet mask for the source IP address.

Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
• Click Next to configure another match condition for this class map.
Related Topics
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Setting Match Conditions for SIP Server Load Balancing Class Maps
You can set match conditions for a SIP server load balancing class map.
Assumption
You have configured a SIP server load balancing class map and want to establish match criteria.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the SIP server load balancing class map that you want to set match
conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you
want to modify and click Edit.
The Match Condition configuration window appears.
Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255.
Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any
match-specific criteria as described in Table 14-12.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 14-12 SIP Server Load Balancing Class Map Match Conditions
Match Condition / Description

Class Map
    Class map that is used to establish a match condition. In the Class Map field, choose the class map to use for this match condition.

SIP Header
    SIP header name and value that are used to establish a match condition. Do the following:
    a. In the Header Name field, specify the header in one of the following ways:
       – To specify a SIP header that is not one of the standard SIP headers, choose the first radio button and enter the SIP header name in the Header Name field. Enter an unquoted text string with no spaces and a maximum of 64 characters.
       – To specify one of the standard SIP headers, choose the second radio button and choose one of the SIP headers from the list.
    b. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the SIP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions.

Source Address
    Source IP address that is used to establish a match condition. Do the following:
    a. In the IP Address Type field, select either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
    b. In the Source Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6).
    c. Depending on the IP address type that you chose, do one of the following:
       – For IPv4, in the Source Netmask field, choose the subnet mask for the source IP address.
       – For IPv6, in the Source Prefix-length field, enter the prefix length for the address.

Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
• Click Next to configure another match condition for this class map.
Related Topics
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Setting Match Conditions for Layer 7 SIP Deep Packet Inspection Class Maps
You can set match conditions for a SIP deep packet inspection class map.
Assumption
You have configured a SIP deep packet inspection class map and want to establish match criteria.
Procedure
Step 1 Choose Config > Devices > context > Expert > Class Maps.
The Class Maps table appears.
Step 2 In the Class Maps table, choose the SIP deep packet inspection class map that you want to set match
conditions for.
The Match Condition table appears.
Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you
want to modify and click Edit.
The Match Condition configuration window appears.
Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255.
Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any
match-specific criteria as described in Table 14-13.
Table 14-13 Layer 7 SIP Deep Packet Inspection Class Map Match Conditions
Match Condition / Description

Called Party
    Destination or called party in the URI of the SIP To header that is used to establish a match condition. In the Called Party field, enter a regular expression that identifies the called party in the URI of the SIP To header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions.

Calling Party
    Source or calling party in the URI of the SIP From header that is used to establish a match condition. In the Calling Party field, enter a regular expression that identifies the calling party in the URI of the SIP From header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions.

IM Subscriber
    IM (instant messaging) subscriber that is used to establish a match condition. In the IM Subscriber field, enter a regular expression that identifies the IM subscriber for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions.

Message Path
    Message coming from or transiting through certain SIP proxy servers that is used to establish a match condition. In the Message Path field, enter a regular expression that identifies the SIP proxy server for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions.
SIP Content Length: SIP message body length that is used to establish a match condition. Do the following:
a. In the Content Operator field, confirm that Greater Than is selected.
b. In the Content Length field, enter the maximum size of a SIP message body in bytes that the ACE is to allow without performing SIP protocol inspection. If a SIP message exceeds the specified value, the ACE performs SIP protocol inspection as defined in an associated policy map. Valid entries are from 0 to 65534 bytes.
SIP Content Type: Content type in the SIP message body that is used to establish a match condition. In the Content Type field, enter a regular expression that identifies the content type in the SIP message body to use for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions.
SIP Request Method: SIP request method that is used to establish a match condition. In the Request Method field, choose the request method that is to be matched.
Third Party: Third party who is authorized to register other users on their behalf that is used to establish a match condition. In the Third Party Registration Entities field, enter a regular expression that identifies a privileged user authorized for third-party registrations for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions.
URI Length: SIP URI or user identifier that is used to establish a match condition. Do the following:
a. In the URI Type field, choose the type of URI to use:
– SIP URI—The calling party URI is used for this match condition.
– Tel URI—A telephone number is used for this match condition.
b. In the URI Operator field, confirm that Greater Than is selected.
c. In the URI Length field, enter the maximum length of the SIP URI or Tel URI in bytes. Valid entries are integers from 0 to 254 bytes.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table.
Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.
• Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table.
• Click Next to configure another match condition for this class map.
Related Topics
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Configuring Virtual Context Policy Maps
You can create policy maps for a context that establish traffic policy for the ACE. The purpose of a traffic
policy is to implement specific ACE functions associated with a traffic class.
A traffic policy contains the following:
• A policy map name.
• A previously created traffic class map or, optionally, the class-default class map.
• One or more of the individual Layer 3/Layer 4 or Layer 7 policies that specify the actions to be
performed by the ACE.
The ACE executes actions specified in a policy map on a first-match, multi-match, or all-match basis as
follows:
• First-match—With a first-match policy map, the ACE executes only the action specified against the
first classification that it matches. Layer 3/Layer 4 Management Traffic, Layer 7 Server Load
Balancing, Layer 7 Command Inspection - FTP, and Layer 7 HTTP Optimization policy maps are
first-match policy maps.
• Multi-match—With a multi-match policy map, the ACE executes all possible actions applicable for
a specific classification. Layer 3/Layer 4 Network Traffic policy maps are multi-match policy maps.
• All-match—With an all-match policy map, the ACE attempts to match all specified conditions
against the matching classification and executes the actions of all matching classes until it
encounters a deny for a match request.
You can display a context’s policy maps and their types in the Policy Maps table (Config > Virtual
Contexts > context > Expert > Policy Maps.)
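As an added illustration (not ANM or ACE code) of the first-match, multi-match and all-match execution modes described above, and of the SIP match conditions in Table 14-13, the following Python models a SIP inspection policy map: a minimal SIP request parser, match conditions for content length, URI length, request method and a calling-party regular expression, and a policy map that runs its classes under each execution mode. The SIP message, class-map names, thresholds and action names are constructed for the example.

```python
"""Model of ACE policy-map execution (first-match, multi-match, all-match)
driven by SIP deep-packet-inspection style match conditions. Added
illustration, not ANM or ACE code; the SIP message, class-map names,
thresholds and action names are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class SipMessage:
    method: str
    request_uri: str
    headers: Dict[str, str]   # header names lower-cased
    body: bytes


def parse_sip(raw: bytes) -> SipMessage:
    """Minimal SIP request parser: request line, headers, then the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipMessage(method, request_uri, headers, body)


# Match conditions in the spirit of Table 14-13; each returns True on a match.
def content_length_gt(limit: int) -> Callable[[SipMessage], bool]:
    """SIP Content Length: message body larger than `limit` bytes."""
    return lambda m: len(m.body) > limit


def uri_length_gt(limit: int) -> Callable[[SipMessage], bool]:
    """URI Length (SIP URI type): calling-party From URI longer than `limit` bytes."""
    return lambda m: len(m.headers.get("from", "").encode()) > limit


def request_method_is(method: str) -> Callable[[SipMessage], bool]:
    """SIP Request Method: request-line method equals `method`."""
    return lambda m: m.method.upper() == method.upper()


def calling_party_matches(pattern: str) -> Callable[[SipMessage], bool]:
    """Calling Party: regular expression applied to the From header."""
    rx = re.compile(pattern)
    return lambda m: rx.search(m.headers.get("from", "")) is not None


@dataclass
class ClassMap:
    name: str
    conditions: List[Callable[[SipMessage], bool]]
    match_all: bool = True    # match-all vs match-any across the conditions

    def matches(self, m: SipMessage) -> bool:
        # No conditions behaves like class-default: an implicit "match any".
        results = [c(m) for c in self.conditions]
        return all(results) if self.match_all else any(results)


@dataclass
class PolicyMap:
    mode: str                            # "first-match", "multi-match" or "all-match"
    classes: List[Tuple[ClassMap, str]]  # (class map, action) in configured order

    def execute(self, m: SipMessage) -> List[str]:
        """Return the actions taken, in order, under the policy map's execution mode."""
        actions: List[str] = []
        for cm, action in self.classes:
            if not cm.matches(m):
                continue
            actions.append(action)
            if self.mode == "first-match":
                break                     # only the first matching class acts
            if self.mode == "all-match" and action == "deny":
                break                     # all-match stops at the first deny
        return actions                    # multi-match: every matching class acts


def inspection_policy(mode: str) -> PolicyMap:
    """Constructed SIP inspection policy: three named classes plus class-default."""
    oversized = ClassMap("sip-oversized-body", [content_length_gt(20)])
    invite_from_alice = ClassMap("sip-invite-alice",
                                 [request_method_is("INVITE"),
                                  calling_party_matches(r"sip:alice@")])
    long_uri = ClassMap("sip-long-uri", [uri_length_gt(254)])
    class_default = ClassMap("class-default", [])   # matches all traffic
    return PolicyMap(mode, [(oversized, "log"), (invite_from_alice, "deny"),
                            (long_uri, "reset"), (class_default, "permit")])


def inspect_sip(raw: bytes, mode: str) -> List[str]:
    """Parse one SIP request and run it through the policy map in `mode`."""
    return inspection_policy(mode).execute(parse_sip(raw))


# Constructed sample INVITE whose 31-byte SDP body exceeds the 20-byte threshold.
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.test SIP/2.0\r\n"
    b"From: <sip:alice@example.test>;tag=1928301774\r\n"
    b"To: <sip:bob@example.test>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"v=0\r\no=- 0 0 IN IP4 192.0.2.1\r\n"
)
```

Running `inspect_sip(SAMPLE_INVITE, mode)` for the three modes shows the difference in what executes: first-match stops after the first matching class, multi-match runs every matching class including class-default, and all-match stops at the deny.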
The types of policy maps that you can configure depend on the ACE device type. Table 14-14 lists the
types of policy maps with brief descriptions and the ACE devices that support them.
Table 14-14 Policy Maps and ACE Device Support
Policy Map Type: Description (supported ACE devices)
Layer 3/4 Management Traffic (First-Match): Layer 3 and Layer 4 policy map for network management traffic received by the ACE. (ACE module, ACE appliance)
Layer 3/4 Network Traffic (First-Match): Layer 3 and Layer 4 policy map for traffic passing through the ACE. (ACE module, ACE appliance)
Layer 7 Command Inspection - FTP (First-Match): Layer 7 policy map for inspection of FTP commands. (ACE module, ACE appliance)
Layer 7 Deep Packet Inspection - HTTP (All-Match): Layer 7 policy map for inspection of HTTP packets. (ACE module, ACE appliance)
Layer 7 Deep Packet Inspection - SIP (All-Match): Layer 7 policy map for inspection of SIP packets. (ACE module, ACE appliance)
Layer 7 Deep Packet Inspection - Skinny: Layer 7 policy map for inspection of Skinny Client Control Protocol (SCCP). (ACE module, ACE appliance)
Layer 7 HTTP Optimization (First-Match): Layer 7 policy map for optimizing HTTP traffic. (ACE appliance only)
Layer 7 Server Load Balancing (First-Match): Layer 7 policy map for HTTP server load balancing. (ACE module, ACE appliance)
Server Load Balancing - Generic: Generic Layer 7 policy map for server load balancing. (ACE module, ACE appliance)
Server Load Balancing - RADIUS (First-Match): Layer 7 policy map for RADIUS server load balancing. (ACE module, ACE appliance)
Server Load Balancing - RDP (First-Match): Layer 7 policy map for RDP server load balancing. (ACE module, ACE appliance)
Server Load Balancing - RTSP (First-Match): Layer 7 policy map for RTSP server load balancing. (ACE module, ACE appliance)
Server Load Balancing - SIP (First-Match): Layer 7 policy map for SIP server load balancing. (ACE module, ACE appliance)
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, click Add to add a new policy map, or choose an existing policy map and click Edit to modify it.
Step 3 The Policy Map Name field contains an automatically incremented number for the policy map. Either leave the entry as it is or enter a different, unique number.
Step 4 In the Type field, choose the type of policy map to create. See Table 14-14 for a list of the policy maps and their availability for the different ACE models.
Step 5 In the Description field, enter a brief description of the policy map.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. To define rules and actions for the policy map, see Configuring Rules and Actions for Policy Maps, page 14-34.
• Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps table.
• Click Next to deploy your entries and to configure another policy map.
Related Topics
• Information About Virtual Contexts, page 6-2
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Rules and Actions for Policy Maps, page 14-34
Configuring Rules and Actions for Policy Maps
Table 14-15 lists the policy maps and related topics for setting rules and actions.
Table 14-15 Topic Reference for Policy Map Rules and Actions
Policy Map Type: Topic for Setting Rules and Actions
Layer 3/4 Management Traffic (First-Match): Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic, page 14-39
Layer 3/4 Network Traffic (First-Match): Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic, page 14-41
Layer 7 Command Inspection - FTP (First-Match): Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection, page 14-48
Layer 7 Deep Packet Inspection - HTTP (All-Match): Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection, page 14-51
Layer 7 Deep Packet Inspection - SIP (All-Match): Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection, page 14-68
Layer 7 Deep Packet Inspection - Skinny: Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection, page 14-71
Layer 7 HTTP Optimization (First-Match): Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization, page 14-57
Layer 7 Server Load Balancing (First-Match): Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61
Server Load Balancing - Generic (First-Match): Setting Policy Map Rules and Actions for Generic Server Load Balancing, page 14-35
Server Load Balancing - RADIUS (First-Match): Setting Policy Map Rules and Actions for RADIUS Server Load Balancing, page 14-73
Server Load Balancing - RDP (First-Match): Setting Policy Map Rules and Actions for RDP Server Load Balancing, page 14-75
Server Load Balancing - RTSP (First-Match): Setting Policy Map Rules and Actions for RTSP Server Load Balancing, page 14-76
Server Load Balancing - SIP (First-Match): Setting Policy Map Rules and Actions for SIP Server Load Balancing, page 14-79
Setting Policy Map Rules and Actions for Generic Server Load Balancing
You can configure the rules and actions for generic traffic received by the ACE.
Assumptions
This topic assumes the following:
• A generic traffic policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the generic traffic policy map that you want to set rules and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit.
The Rule window appears.
Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-16.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version
A5(1.0) or later.
Table 14-16 Generic Server Load Balancing Policy Map Rules
Option: Description
Class Map: Class map to use for this traffic policy. From the Use Class Map field, do one of the following:
• To use the default class map, choose class-default. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic.
• To use a previously created class map, do the following:
1. Choose others.
2. In the Class Map Name field, choose the class map to use.
Match Condition: Match condition is used for this traffic policy.
Match Condition Name: Enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Match Condition Type:
Layer 4 Payload: Layer 4 payload data that is used for the network matching criteria. Do the following:
a. In the Layer 4 Payload RegexMatch Condition field, enter a Layer 4 payload expression that is contained within the TCP or UDP entity body. Valid entries are strings containing 1 to 255 alphanumeric characters. Table 14-33 lists the supported characters that you can use for matching string expressions.
b. In the Layer 4 Payload Offset field, enter the absolute offset in the data where the Layer 4 payload expression search string starts. The offset starts at the first byte of the TCP or UDP body. Valid entries are from 0 to 999.
Source Address: Client source host IP address and subnet mask that are used for the network traffic matching criteria. Do the following:
a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
b. In the Source IP v4/v6 Address field, enter the source IP address of the client in the format based on the address type (IPv4 or IPv6).
c. Depending on the IP address type that you chose, do one of the following:
– For IPv4, in the Source Netmask field, choose the subnet mask for the source IP address.
– For IPv6, in the Source Prefix-length field, enter the prefix length for the address.
Insert Before:
a. Indicate whether this rule is to precede another rule for this policy map:
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears.
b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede.
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action table
appears. Continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
Note If you chose the Insert Before option described in Table 14-16 and specified True, perform the
following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 6 In the Action table, click Add to add an entry or choose an existing entry to modify and click Edit.
Step 7 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 8 In the Action Type field, configure actions for this rule using the information in Table 14-17.
Table 14-17 Generic Server Load Balancing Policy Map Actions
Action: Description
Drop: Field that instructs the ACE to discard packets that match this policy map. In the Action Log field, specify whether or not the dropped packets are to be logged in the software:
• N/A—This option is not configured.
• False—Dropped packets are not to be logged in the software.
• True—Dropped packets are to be logged in the software.
Forward: Field that instructs the ACE to forward the traffic that matches this policy map to its destination.
Reverse Sticky: Feature that applies only to the ACE module version 3.0(0)A2(1.1), ACE appliance version A4(1.0), or later releases of either device type. Reverse IP stickiness is an enhancement to regular stickiness and is used mainly in FWLB. It ensures that multiple distinct connections that are opened by hosts at both ends (client and server) are load-balanced and stuck to the same firewall. Reverse stickiness applies to such protocols as FTP, RTSP, SIP, and so on where there are separate control channels and data channels opened by the client and the server, respectively. For complete details about reverse stickiness, see the Release Note for the Cisco Application Control Engine Module (Software Version 3.0(0)A2(X)).
In the Sticky Group field, choose an existing IP netmask sticky group that you want to associate with reverse IP stickiness.
Server Farm: Serverfarm that the ACE is to load balance client requests for content. Do the following:
a. In the Server Farm field, choose the server farm for this policy map action.
b. In the Backup Server Farm field, choose the backup server farm for this action.
c. Check the Sticky Enabled check box to indicate that the backup server farm is sticky. Uncheck this check box if the backup server farm is not sticky.
d. Check the Aggregate State Enabled check box to indicate that the operational state of the backup server farm is taken into consideration when evaluating the state of the load-balancing class in a policy map. Uncheck this check box to indicate that the operational state of the backup server farm is not taken into consideration when evaluating the state of the load-balancing class in a policy map.
Server Farm-NAT: Dynamic NAT that the ACE is to apply to traffic for this policy map. Do the following:
a. In the NAT Pool ID field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are from 1 to 2147483647. For information about configuring NAT pools, see the “Configuring Virtual Context BVI Interfaces” section on page 12-19.
b. In the VLAN ID field, choose the VLAN to use for NAT. Valid entries are from 1 to 4094.
c. In the Server Farm Type field, indicate whether the server farm is a backup or primary server farm.
Set-IP-TOS: IP Differentiated Services Code Point (DSCP) bit in the Type of Service (ToS) byte that the ACE is to set. After the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. In the IP TOS Rewrite Value field, enter the IP DSCP value. Valid entries are from 0 to 255.
Sticky Group: Sticky group that you want to associate with reverse stickiness.
Sticky Server Farm: Sticky server farm that the ACE is to load balance client requests for content. In the Sticky Group field, choose the sticky server farm that is to be used for requests that match this policy map.
Step 9 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic
You can configure the rules and actions for IP management traffic received by the ACE.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Assumptions
This topic assumes the following:
• A network management policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the Layer 3/Layer 4 management traffic policy map that you want to
set rules and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit.
The Rule window appears.
Step 4 In the Type field of the Rule window, confirm that classmap is selected.
Step 5 In the Use Class Map field, do one of the following:
• For an IPv4 default class map, choose the class-default radio button.
• For an IPv6 default class map, choose the class-default-v6 radio button.
• For a previously created class map, go to Step 6.
Step 6 To use a previously created class map for this rule, do the following:
a. In the Use Class Map field, choose the others radio button.
b. In the Class Map Name field, choose the class map to be used.
c. In the Insert Before field, specify whether this rule is to precede another rule in this policy map:
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears.
d. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current
rule to precede.
Step 7 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The Action table appears. To define actions
for this rule, continue with Step 8.
• Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps
table.
• Click Next to deploy your entries and to configure another rule.
Note If you chose the Insert Before option in Step 6 and specified True, perform the following steps
to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 8 In the Action table, click Add to add an action or choose an existing action, and click Edit to modify it.
The Action configuration window appears.
Step 9 In the Id field of the Action configuration window, either accept the automatically incremented entry or
assign a unique identifier for this action.
Step 10 In the Action Type field, confirm that Management Permit is selected to indicate that this action permits
or denies network management traffic.
Step 11 In the Action field, specify the action that is to occur:
• Deny—The ACE is to deny network management traffic when this rule is met.
• Permit—The ACE is to accept network management traffic when this rule is met.
Step 12 Do the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
Related Topics
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic
You can configure rules and actions for Layer 3/Layer 4 traffic other than network management traffic.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0)
or later.
Assumptions
This topic assumes the following:
• You have configured a Layer 3/Layer 4 policy map.
• A class map has been defined if you do not want to use the class-default class map.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the Layer 3/Layer 4 network traffic policy map that you want to set
rules and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit.
The Rule configuration window appears.
Step 4 In the Type field of the Rule configuration window, confirm that Class Map is selected.
Step 5 In the Use Class Map field, choose one of the following:
• For an IPv4 default class map, choose the class-default radio button.
• For an IPv6 default class map, choose the class-default-v6 radio button.
• For a previously created class map, go to Step 6.
Step 6 To use a previously created class map for this rule, do the following:
a. In the Use Class Map field, choose the others radio button.
b. In the Class Map Name field, choose the class map to be used.
c. In the Insert Before field, choose one of the following to indicate whether this rule is to precede
another rule in this policy map:
– N/A—Indicates that this option is not configured.
– False—Indicates that this rule is not to precede another rule in this policy map.
– True—Indicates that this rule is to precede another rule in this policy map.
If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the
current rule to precede.
Step 7 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action field
appears. To configure actions for this rule, continue with Step 8.
• Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps
table.
• Click Next to deploy your entries and to configure another rule.
Note If you chose the Insert Before option in Step 6 and specified True, perform the following steps
to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 8 In the Action field, click Edit. The Action table appears.
Step 9 In the Action table, click Add to add an action or choose an existing action and click Edit to modify it.
The Action configuration window appears.
Step 10 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this
action.
Step 11 In the Action Type field, choose the type of action to be taken for this rule and configure the related
attributes. See Table 14-18.
Table 14-18 Layer 3/Layer 4 Network Traffic Policy Map Actions
Action: Description/Steps
Appl-Parameter-DNS: DNS parameter map that contains DNS-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the DNS parameter map to use.
Appl-Parameter-Generic: Generic parameter map that is to be implemented for this rule. In the Parameter Map field, specify the name of the generic parameter map to use.
Appl-Parameter-HTTP: HTTP parameter map that contains HTTP-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the HTTP parameter map to use.
Appl-Parameter-RTSP: RTSP parameter map that contains RTSP-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the RTSP parameter map to use.
Appl-Parameter-SIP: SIP parameter map that contains SIP-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the SIP parameter map to use.
Appl-Parameter-Skinny: Skinny parameter map that contains Skinny-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the Skinny parameter map to use.
Connection: Connection parameter map that contains TCP/IP connection-related commands that pertain to normalization and termination that is to be implemented for this rule. In the Connection Parameter Maps field, choose the Connection parameter map that is to be used.
HTTP Optimize: Option that appears for ACE appliances only. In the HTTP Optimization Policy field, choose the HTTP optimization policy map to use.
Inspect: Application inspection that is to be implemented for this rule. Do the following:
a. In the Inspect Type field, choose the protocol that is to be inspected.
b. Provide any protocol-specific information.
Table 14-19 describes the available options for application inspection actions.
KAL-ap-Primary-Out-of-Service: Feature that is supported only for ACE module software Version A2(3.1), ACE appliance software Version A4(1.0), and later versions of either device type. This feature enables the ACE to notify a Global Site Selector (GSS) that the primary server farm is down when the backup server farm is in use.
By default, when you configure a redirect server farm as a backup server farm on the ACE and the primary server farm fails, the backup server farm redirects client requests to another data center; however, the VIP remains in the INSERVICE state.
When you configure the ACE to communicate with a GSS, it provides information for server availability. When a backup server is in use after the primary server farm is down, this feature enables the ACE to inform the GSS that the VIP for the primary server farm is out of service by returning a load value of 255. The GSS recognizes that the primary server farm is down and sends future DNS requests with the IP address of the other data center.
KAL-AP-TAG: Feature that is supported only for the ACE module software Version A2(2.0), ACE appliance software Version A4(1.0), and later versions for both device types. The KAL-AP-TAG feature allows the Cisco Global Site Selector (GSS) proprietary KAL-AP protocol to extract load and availability information from the ACE when a firewall is positioned between the GSS and the ACE. This feature allows you to configure a tag (name) per VIP for a maximum of 4096 tags on an ACE. This feature does not replace the tag per domain feature. For more information about this feature, see the Release Note for the Cisco Application Control Engine Module (Software Version A2(2.0)) or the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide (Software Version A2(3.0)), the Configuring Health Monitoring chapter.
Note The KAL-AP-TAG selection is not available for the class-default class map.
In the KAL-AP-Tag Name field, enter the name as an unquoted text string with no spaces and a maximum of 76 alphanumeric characters.
The following scenarios are not supported and will result in an error:
• You cannot configure a tag name for a VIP that already has a tag configuration as part of a different policy configuration.
• You cannot associate the same tag name with more than one VIP.
• You cannot associate the same tag name with a domain and a VIP.
• You cannot assign two different tags to two different Layer 3 class maps that have the same VIP, but different port numbers. The KAL-AP protocol considers these class maps to have the same VIP and calculates the load for both Layer 3 rules together when the GSS queries the VIP.
NAT: Network address translation (NAT) that the ACE is to use for this rule. Do the following:
a. In the NAT Mode field, choose the type of NAT to be used:
– Dynamic NAT—NAT is to translate local addresses to a pool of global addresses. Continue with Step c.
– Static NAT—NAT is to translate each local address to a fixed global address. Continue with Step b.
b. If you chose Static NAT, do the following:
1. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
2. In the Static Mapped Address field, enter the IP address to use for static NAT translation. This entry establishes the globally unique IP address of a host as it appears to the outside world. The policy map performs the global IP address translation for the source IP address specified in the ACL (as part of the class-map traffic classification).
3. Depending on the IP address type that you chose, do one of the following:
- For IPv4, in the Static Mapped Netmask field, choose the subnet mask to apply to the static mapped address.
- For IPv6, in the Static Mapped Prefix-length field, enter the prefix length for the static mapped address.
4. In the NAT Protocol field, choose the protocol to use for NAT. Choices are as follows:
- N/A—This attribute is not set.
- TCP—The ACE is to use TCP for NAT.
- UDP—The ACE is to use UDP for NAT.
5. In the Static Port field, enter the TCP or UDP port to use for static port redirection. Valid entries are from 0 to 65535.
6. In the VLAN Id field, choose the VLAN to use for NAT.
c. If you chose Dynamic NAT, do the following:
1. In the NAT Pool Id field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are from 1 to 2147483647. See the “Configuring Virtual Context BVI Interfaces” section on page 12-19.
2. In the VLAN Id field, choose the VLAN to use for NAT.
Note For dynamic NAT, ACE allows you to associate a non-configured NAT pool ID to the dynamic NAT action. However, the ANM will not discover the dynamic NAT action when
the NAT pool ID is not configured. You must associate the configured NAT pool ID to the
dynamic NAT action for ANM discovery to complete successfully.
Policymap Layer 7 server load-balancing policy map that the ACE is to associate with this Layer 3/Layer 4
policy map.
In the Policy Map field, choose the Layer 7 policy map.
SSL-Proxy SSL proxy server service that defines the SSL parameters that the ACE is to use during the
handshake and subsequent SSL session.
Do the following:
a. In the SSL Proxy field, choose the SSL proxy server service to use in the handshake and
subsequent SSL session when the ACE engages with an SSL client.
b. In the SSL Proxy Type field, confirm that Server is selected to indicate that the ACE is to be
configured so that it is recognized as an SSL server.
UDP-Fast-Age Option that appears for ACE modules only. The ACE is to close the connection immediately after
sending a response to the client, thereby enabling per-packet load balancing for UDP traffic.
VIP-Advertise Option that appears for ACE modules only. The ACE is to advertise the IP address of a
virtual server as the host route.
Do the following:
a. In the Active field, check the check box if you want the ACE to advertise the IP address of
the virtual server as the host route only if there is at least one active real server in the server
farm.
Note Uncheck the Active field check box if you want the ACE to always advertise the IP
address of the virtual server, regardless of whether any active real server is associated with the
VIP.
b. If you check the Active field check box, in the Metric Distance field, enter the administrative
distance to include in the routing table. Valid entries are from 1 to 254.
VIP-ICMP-Reply VIP is to send an ICMP ECHO-REPLY response to ICMP requests.
Do the following:
a. In the Active field, check the checkbox to instruct the ACE to reply to an ICMP request only
if the configured VIP is active. If the VIP is not active and the active option is specified, the
ACE discards the ICMP request and the request times out.
b. In the Primary Inservice field, check the checkbox to instruct the ACE to reply to an ICMP
ping only if the primary server farm state is UP, regardless of the state of the backup server
farm. If this option is enabled and the primary server farm state is DOWN, the ACE discards
the ICMP request and the request times out.
VIP-In-Service VIP is to be enabled for server load-balancing operations.
Table 14-19 Layer 3/Layer 4 Network Traffic Policy Map Application Inspection Options
Option Description
DNS Domain Name System (DNS) query inspection is to be implemented. DNS requires application
inspection so that DNS queries will not be subject to the generic UDP handling based on activity
timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as
soon as a reply to a DNS query has been received. The ACE performs the reassembly of DNS packets
to verify that the packet length is less than the configured maximum length.
In the DNS Max. Length field, enter the maximum length of a DNS reply in bytes. The default for all
modules and ACE 4710 devices is 512. The valid range is 64 to 65535 for ACE 1.0 modules and for all
other supported modules and ACE 4710 devices.
FTP FTP inspection is to be implemented. The ACE inspects FTP packets, translates the address and port
embedded in the payload, and opens a secondary channel for data.
a. In the Parameter Map field, specify a previously created parameter map used to define parameters
for FTP inspection.
b. In the FTP Strict field, specify whether or not the ACE is to check for protocol RFC compliance
and prevent Web browsers from sending embedded commands in FTP requests:
– N/A—This attribute is not set.
– False—The ACE is not to check for RFC compliance or prevent Web browsers from sending
embedded commands in FTP requests.
– True—The ACE is to check for RFC compliance and prevent Web browsers from sending
embedded commands in FTP requests.
c. If you chose True, in the FTP Inspect Policy field, choose the Layer 7 FTP command inspection
policy to be implemented for this rule.
HTTP Enhanced Hypertext Transfer Protocol (HTTP) inspection is to be performed on HTTP traffic. The
inspection checks are based on configured parameters in an existing Layer 7 policy map and internal
RFC compliance checks performed by the ACE. By default, the ACE allows all request methods.
Do the following:
a. In the HTTP Inspect Policy field, choose the HTTP inspection policy map to be implemented for
this rule. If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3
and Layer 4 protocol fixup actions and internal RFC compliance checks.
b. In the URL Logging field, specify whether or not Layer 3 and Layer 4 traffic is to be monitored:
– N/A—This attribute is not set.
– False—Layer 3 and Layer 4 traffic is not to be monitored.
– True—Layer 3 and Layer 4 traffic is to be monitored. When enabled, this function logs every
URL request that is sent in the specified class of traffic, including the source or destination IP
address and the URL that is accessed.
ICMP Internet Control Message Protocol (ICMP) payload inspection is to be performed. ICMP inspection
allows ICMP traffic to have a “session” so that it can be inspected similarly to TCP and UDP traffic.
In the ICMP Error field, specify whether or not the ACE is to perform network address translation (NAT)
on ICMP error messages:
• N/A—This attribute is not set.
• False—The ACE is not to perform NAT on ICMP error messages.
• True—The ACE is to perform NAT on ICMP error messages. When enabled, the ACE creates
translation sessions for intermediate or endpoint nodes that send ICMP error messages based on
the NAT configuration. The ACE overwrites the packet with the translated IP addresses.
ILS Internet Locator Service (ILS) protocol inspection is to be implemented.
RTSP Real Time Streaming Protocol (RTSP) packet inspection is to be implemented. RTSP is used by
RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. The ACE
monitors Setup and Response (200 OK) messages in the control channel established using TCP port
554 (no UDP support).
In the Parameter Map field, choose a previously defined parameter map used to define parameters for
RTSP inspection.
SIP SIP protocol inspection is to be implemented. SIP is used for call handling sessions and instant
messaging. The ACE inspects signaling messages for media connection addresses, media ports, and
embryonic connections. The ACE also uses NAT to translate IP addresses that are embedded in the
user-data portion of the packet.
Do the following:
a. In the Parameter Map field, specify a previously created parameter map used to define parameters
for SIP inspection.
b. In the SIP Inspect Policy field, choose a previously created Layer 7 SIP inspection policy map to
implement packet inspection of Layer 7 SIP application traffic.
If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer
4 HTTP fixup actions and internal RFC compliance checks.
Skinny Cisco Skinny Client Control Protocol (SCCP) inspection is to be implemented. SCCP is a Cisco
proprietary protocol that is used between Cisco CallManager and Cisco VoIP phones. The ACE uses NAT
to translate embedded IP addresses and port numbers in SCCP packet data.
Do the following:
a. In the Parameter Map field, specify a previously created connection parameter map used to define
parameters for Skinny inspection.
b. In the Skinny Inspect Policy field, choose a previously created Layer 7 Skinny inspection policy
map to implement packet inspection of Layer 7 Skinny application traffic.
If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer
4 HTTP fixup actions and internal RFC compliance checks.
Step 12 Do the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another Action.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection
You can add rules and actions for Layer 7 FTP command inspection policy maps.
File Transfer Protocol (FTP) inspection inspects FTP sessions for address translation in a message,
dynamic opening of ports, and stateful tracking of request and response messages. Each specified FTP
command must be acknowledged before the ACE allows a new command. Command filtering allows you
to restrict specific commands by the ACE. When the ACE denies a command, it closes the connection.
The FTP command inspection process, as performed by the ACE:
• Prepares a dynamic secondary data connection. The channels are allocated in response to a file
upload, a file download, or a directory listing event and must be prenegotiated. The port is negotiated
through the PORT or PASV commands.
• Tracks the FTP command-response sequence. The ACE performs the command checks listed below.
If you specify the FTP Strict field in a Layer 3 and Layer 4 policy map, the ACE tracks each FTP
command and response sequence for the anomalous activity outlined below. The FTP Strict
parameter is used in conjunction with a Layer 7 FTP policy map (nested within the Layer 3 and
Layer 4 policy map) to deny certain FTP commands or to mask the server reply for SYST command.
Note The use of the FTP Strict parameter may affect FTP clients that do not comply with the RFC
standards.
– Truncated command—Checks the number of commas in the PORT and PASV reply command
against a fixed value of five. If the value is not five, the ACE assumes that the PORT command
is truncated and issues a warning message and closes the TCP connection.
– Incorrect command—Checks that the FTP command ends with the carriage-return/line-feed
(CR LF) characters required by RFC 959. If the FTP command does not end with those
characters, the ACE closes the connection.
– Size of RETR and STOR commands—Checks the size of the RETR and STOR commands
against a fixed constant of 256. If the size is greater, the ACE logs an error message and closes
the connection.
– Command spoofing—Verifies that the PORT command is always sent from the client. If a PORT
command is sent from the server, the ACE denies the TCP connection.
– Reply spoofing—Verifies that the PASV reply command (227) is always sent from the server.
If a PASV reply command is sent from the client, the ACE denies the TCP connection. This
denial prevents a security hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.”
– Invalid port negotiation—Checks the negotiated dynamic port value to verify that it is greater
than 1024 (port numbers in the range from 2 to 1024 are reserved for well-known connections).
If the negotiated port falls in this range, the ACE closes the TCP connection.
– Command pipelining—Checks the number of characters present after the port numbers in the
PORT and PASV reply command against a constant value of 8. If the number of characters is
greater than 8, the ACE closes the TCP connection.
• Translates embedded IP addresses in conjunction with NAT. FTP command inspection translates the
IP address within the application payload. Refer to RFC 959 for background details.
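The command checks in the list above, modelled in Python as an added example (this is not ANM or ACE code): the constants (five commas, 256 bytes, port 1024, 8 trailing characters) are the ones the list states, and the FTP control-channel session and the direction labels it inspects are constructed for the example.

```python
import re
from typing import Optional

CLIENT, SERVER = "client", "server"

# Constants taken from the inspection checks listed above.
PORT_TUPLE_COMMAS = 5     # h1,h2,h3,h4,p1,p2 carries exactly five commas
RETR_STOR_MAX_LEN = 256   # RETR/STOR command size limit in bytes
RESERVED_PORT_MAX = 1024  # the negotiated data port must be greater than this
MAX_TRAILING_CHARS = 8    # characters allowed after the port numbers

TUPLE_RE = re.compile(r"\d{1,3}(?:,\d{1,3}){5}")


def check_port_negotiation(arg: str) -> Optional[str]:
    """Apply the truncated-command, invalid-port-negotiation and command-pipelining
    checks to the argument of a PORT command or the text of a 227 reply."""
    if arg.count(",") != PORT_TUPLE_COMMAS:
        return "truncated command: address/port tuple does not contain five commas"
    m = TUPLE_RE.search(arg)
    if m is None:
        return "truncated command: malformed address/port tuple"
    fields = [int(x) for x in m.group(0).split(",")]
    if any(f > 255 for f in fields):
        return "truncated command: tuple field out of range"
    port = fields[4] * 256 + fields[5]
    if port <= RESERVED_PORT_MAX:
        return "invalid port negotiation: port %d is not greater than %d" % (port, RESERVED_PORT_MAX)
    if len(arg) - m.end() > MAX_TRAILING_CHARS:
        return "command pipelining: more than %d characters follow the port numbers" % MAX_TRAILING_CHARS
    return None


def inspect_line(line: bytes, direction: str) -> Optional[str]:
    """Return None when a control-channel line passes every check, otherwise the reason
    the inspection would close the TCP connection."""
    # Incorrect command: RFC 959 requires each command to end with CR LF.
    if not line.endswith(b"\r\n"):
        return "incorrect command: line is not terminated by CR LF"
    text = line[:-2].decode("ascii", errors="replace")
    verb, _, rest = text.partition(" ")
    verb = verb.upper()
    # Command spoofing: PORT is only valid when it comes from the client.
    if verb == "PORT" and direction != CLIENT:
        return "command spoofing: PORT received from the server"
    # Reply spoofing: the 227 PASV reply is only valid when it comes from the server.
    if verb == "227" and direction != SERVER:
        return "reply spoofing: 227 received from the client"
    # Size of RETR and STOR commands.
    if verb in ("RETR", "STOR") and len(line) > RETR_STOR_MAX_LEN:
        return "%s command longer than %d bytes" % (verb, RETR_STOR_MAX_LEN)
    if verb in ("PORT", "227"):
        return check_port_negotiation(rest)
    return None


# Constructed FTP control session (not a real capture): (direction, raw line) pairs.
SAMPLE_SESSION = [
    (SERVER, b"220 ftp service ready\r\n"),
    (CLIENT, b"USER anonymous\r\n"),
    (SERVER, b"331 Password required\r\n"),
    (CLIENT, b"PASS guest@example.invalid\r\n"),
    (SERVER, b"230 Logged in\r\n"),
    (CLIENT, b"PORT 10,0,0,5,4,1\r\n"),                          # 4*256+1 = 1025, allowed
    (SERVER, b"200 PORT command successful\r\n"),
    (CLIENT, b"PASV\r\n"),
    (SERVER, b"227 Entering Passive Mode (10,0,0,9,39,16).\r\n"),  # 39*256+16 = 10000
    (CLIENT, b"RETR report.txt\r\n"),
]


def inspect_session(session):
    """Run every line through inspect_line(); return (index, reason) for the first
    violation, or None when the whole exchange passes."""
    for index, (direction, line) in enumerate(session):
        reason = inspect_line(line, direction)
        if reason is not None:
            return index, reason
    return None


if __name__ == "__main__":
    print("sample session:", inspect_session(SAMPLE_SESSION))
    for direction, line in [
        (CLIENT, b"PORT 10,0,0,5,0,21\r\n"),            # negotiates port 21
        (SERVER, b"PORT 10,0,0,5,4,1\r\n"),             # PORT sent by the server
        (CLIENT, b"PORT 10,0,0,5,4,1 NOOP QUIT\r\n"),   # pipelined commands
        (CLIENT, b"NOOP\n"),                            # missing CR
    ]:
        print(line, "->", inspect_line(line, direction))
```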
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the Layer 7 FTP command inspection policy map that you want to set
rules and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose an existing rule and click Edit to modify it.
The Rule configuration window appears.
Step 4 In the Type field of the Rule configuration window, configure rules using the information in Table 14-20.
Table 14-20 Layer 7 FTP Command Inspection Policy Map Rules
Option Description
Class Map Class map to use for this traffic policy.
Do the following:
a. To use the class-default class map, check the Use Class Default check box.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot
delete or modify this class. All traffic that fails to meet the other matching criteria in the named
class map belongs to the default traffic class. If none of the specified classifications matches the
traffic, then the ACE performs the action specified by the class-default class map. The
class-default class map has an implicit match any statement that enables it to match all traffic.
b. To use a previously created class map, do the following:
1. Clear the Use Class Default check box.
2. In the Class Map Name field, choose the class map to be used.
Match Condition Match condition to use for this traffic policy.
Do the following:
a. In the Match Condition Name field, enter a name for this match condition. Valid entries are
unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b. In the Match Condition Type field, confirm that Request Method Name is selected.
c. In the Request Method Name field, choose the FTP command to be inspected for this rule.
Table 14-8 describes the FTP commands that can be inspected.
Insert Before Order of the rules in the policy map.
Do the following:
a. Specify whether or not this rule is to precede another rule for this policy map. Choices are as
follows:
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule
field appears.
b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current
rule to precede.
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action table
appears. Continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps
table.
• Click Next to deploy your entries and to configure another rule.
Note If you chose the Insert Before option described in Table 14-20 and specified True, perform the
following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 6 In the Action table, click Add to add an entry, or choose an existing entry and click Edit to modify it.
The Action configuration window appears.
Step 7 In the Id field of the Action configuration window, either accept the automatically incremented entry or
assign a unique identifier for this action.
Step 8 In the Action Type field, specify the action to be taken for this rule:
• Deny—The ACE is to deny the specified FTP command when this rule is met.
• Mask Reply—The ACE is to mask the reply to the FTP SYST command by filtering sensitive
information from the command output. The action applies to the FTP SYST command only.
Step 9 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action for this rule.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection
You can add rules and actions for Layer 7 HTTP deep packet inspection policy maps.
The ACE performs a stateful deep packet inspection of the HTTP protocol. Deep packet inspection is a
special case of application inspection where the ACE examines the application payload of a packet or a
traffic stream and makes decisions based on the content of the data. During HTTP deep inspection, the
main focus of the application inspection process is on HTTP attributes such as HTTP header, URL, and
to a limited extent, the payload. User-defined regular expressions can also be used to detect “signatures”
in the payload.
You define policies to permit or deny the traffic, or to send a TCP reset message to the client or server
to close the connection.
The security features covered by HTTP application inspection include:
• RFC compliance monitoring and RFC method filtering
• Content, URL, and HTTP header length checks
• Transfer-encoding methods
• Content type verification and filtering
• Port 80 misuse
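An added example (not ANM or ACE code) of how match conditions of the kinds listed above, as described for Table 14-22, can be evaluated against an HTTP request: the Equal To/Greater Than/Less Than/Range length operators, RFC 2616 method filtering, transfer-encoding, header matching and a content-type verification are applied to a constructed request. The MIME signature table and the dictionary format of the conditions are assumptions made for the example.

```python
import re

# Request methods defined in RFC 2616; any other method counts as an extension method.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

# MIME-type signatures used by the Content Type Verification check below. This table is an
# assumption made for the example; the ACE's internal list of supported types is not on the page.
MIME_SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "text/html": (b"<",),
}


def parse_http_request(raw):
    """Return (method, url, header_block_length, headers, body); the header block ends at
    the empty line (CR,LF,CR,LF) that separates it from the message body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, len(head) + len(sep), headers, body


def length_matches(length, operator, value=None, lower=None, higher=None):
    """Operator semantics shared by the Content Length, Header Length and URL Length
    conditions; Range enforces Lower Value < Higher Value as the table requires."""
    if operator == "Range":
        if lower is None or higher is None or lower >= higher:
            raise ValueError("Range requires Lower Value < Higher Value")
        return lower <= length <= higher
    if operator == "Equal To":
        return length == value
    if operator == "Greater Than":
        return length > value
    if operator == "Less Than":
        return length < value
    raise ValueError("unknown operator %r" % operator)


def content_type_verified(headers, body):
    """True when the Content-Type header names a supported MIME type and the entity body
    really starts with a signature of that type."""
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    signatures = MIME_SIGNATURES.get(mime)
    return signatures is not None and body.lstrip().startswith(signatures)


def evaluate(raw, conditions):
    """Return the names of the conditions the request satisfies. Each condition is a dict
    whose 'type' is a Table 14-22 match condition name plus the fields that type needs."""
    method, url, header_len, headers, body = parse_http_request(raw)
    lengths = {"URL Length": len(url), "Header Length": header_len, "Content Length": len(body)}
    matched = []
    for cond in conditions:
        kind = cond["type"]
        if kind == "Request Method":
            is_rfc = method in RFC2616_METHODS
            hit = method == cond["method"] and is_rfc == (cond["method_type"] == "RFC")
        elif kind == "URL":
            hit = cond["expression"] in url
        elif kind in lengths:
            hit = length_matches(lengths[kind], cond["operator"], cond.get("value"),
                                 cond.get("lower"), cond.get("higher"))
        elif kind == "Header":
            hit = re.search(cond["value"], headers.get(cond["header"].lower(), "")) is not None
        elif kind == "Transfer Encoding":
            hit = headers.get("transfer-encoding", "identity").lower() == cond["encoding"].lower()
        elif kind == "Content Type Verification":
            hit = not content_type_verified(headers, body)  # a mismatch is what triggers the action
        else:
            raise ValueError("unsupported match condition %r" % kind)
        if hit:
            matched.append(cond["name"])
    return matched


# Constructed request: the Content-Type header claims a GIF, but the entity body is HTML.
SAMPLE_REQUEST = (
    b"POST /upload/image.gif HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"<html>not a gif</html>"
)

# Constructed conditions; every one except "long-url" matches SAMPLE_REQUEST.
SAMPLE_CONDITIONS = [
    {"name": "post-rfc", "type": "Request Method", "method_type": "RFC", "method": "POST"},
    {"name": "upload-url", "type": "URL", "expression": "/upload/"},
    {"name": "long-url", "type": "URL Length", "operator": "Greater Than", "value": 1024},
    {"name": "small-headers", "type": "Header Length", "operator": "Range", "lower": 0, "higher": 255},
    {"name": "body-under-1k", "type": "Content Length", "operator": "Less Than", "value": 1024},
    {"name": "host-example", "type": "Header", "header": "Host", "value": r"example\.com$"},
    {"name": "identity", "type": "Transfer Encoding", "encoding": "Identity"},
    {"name": "mime-mismatch", "type": "Content Type Verification"},
]
```

Calling evaluate(SAMPLE_REQUEST, SAMPLE_CONDITIONS) lists the matching condition names; a policy map would then apply its configured action (permit, deny or reset) to the matched rule.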
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the Layer 7 deep packet inspection policy map that you want to set rules
and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose an existing rule and click Edit to modify it.
The Rule configuration window appears.
Step 4 In the Type field of the Rule configuration window, configure rules using the information in Table 14-21.
Table 14-21 Layer 7 HTTP Deep Packet Inspection Policy Map Rules
Option Description
Class Map Class map to use for this traffic policy.
From the Use Class Map field, do one of the following:
• To use the default class map, choose class-default.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot
delete or modify this class. All traffic that fails to meet the other matching criteria in the named
class map belongs to the default traffic class. If none of the specified classifications matches the
traffic, then the ACE performs the action specified by the class-default class map. The
class-default class map has an implicit match any statement that enables it to match all traffic.
• To use a previously created class map, do the following:
1. Choose others.
2. In the Class Map Name field, choose the class map to use.
Match Condition Match condition to use for this traffic policy.
Do the following:
a. In the Match Condition Name field, enter a name for this match condition. Valid entries are
unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b. In the Match Condition Type field, choose the method by which match decisions are to be made
and their corresponding conditions. See Table 14-22 for information about these selections.
Insert Before Order of the rules in the policy map.
Do the following:
a. Specify whether or not this rule is to precede another rule for this policy map. Choices are as
follows:
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule
field appears.
b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current
rule to precede.
Table 14-22 Layer 7 HTTP Deep Packet Inspection Policy Map Match Conditions
Match Condition Description
Content Content contained within the HTTP entity-body that is used for protocol inspection decisions.
Do the following:
a. In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
b. In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the
first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and
the body of the message. Valid entries are from 1 to 255 bytes.
Content Length Content parse length in an HTTP message that is used for protocol inspection decisions.
Do the following:
a. In the Content Length Operator field, choose the operand to be used to compare content
length:
– Equal To—Content length must equal the number in the Content Length Value (Bytes)
field.
– Greater Than—Content length must be greater than the number in the Content Length
Value (Bytes) field.
– Less Than—Content length must be less than the number in the Content Length Value
(Bytes) field.
– Range—Content length must be within the range specified in the Content Length Lower
Value (Bytes) field and the Content Length Higher Value (Bytes) field.
b. Enter values to apply for content length comparison as follows:
– If you chose Equal To, Greater Than, or Less Than in the Content Length Operator field,
the Content Length Value (Bytes) field appears. In the Content Length Value (Bytes) field,
enter the number of bytes for comparison. Valid entries are from 0 to 4294967295.
– If you chose Range in the Content Length Operator field, the Content Length Lower Value
(Bytes) and the Content Length Higher Value (Bytes) fields appear:
1. In the Content Length Lower Value (Bytes) field, enter the lowest number of bytes to
be used for this match condition. Valid entries are from 0 to 4294967295. The number in
this field must be less than the number entered in the Content Length Higher Value
(Bytes) field.
2. In the Content Length Higher Value (Bytes) field, enter the highest number of bytes to
be used for this match condition. Valid entries are from 1 to 4294967295. The number in
this field must be greater than the number entered in the Content Length Lower Value
(Bytes) field.
Content Type
Verification
Match command that verifies the content MIME-type messages with the header MIME-type. This
inline match command limits the MIME-types in HTTP messages allowed through the ACE. It
verifies that the header MIME-type value is in the internal list of supported MIME-types and the
header MIME-type matches the actual content in the data or entity body portion of the message.
If they do not match, the ACE performs the specified Layer 7 policy map action.
Header Name and value in an HTTP header that are used for protocol inspection decisions.
Do the following:
a. In the Header field, choose one of the predefined HTTP headers to be matched, or choose
HTTP Header to specify a different HTTP header.
b. If you chose HTTP Header, in the Header Name field, enter the name of the HTTP header to
match. Valid entries are unquoted text strings with no spaces and a maximum of 64
alphanumeric characters.
c. In the Header Value (Bytes) field, enter the header value expression string to compare against
the value in the specified field in the HTTP header. Valid entries are text strings with a
maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching. To include spaces in the string, enclose the entire string in quotes. All headers in
the header map must be matched. See Table 14-33 for a list of the supported characters that
you can use in regular expressions.
Header Length Length of the header in the HTTP message that is used for protocol inspection decisions.
Do the following:
a. In the Header Length Type field, specify whether or not HTTP header request or response
messages are to be used for protocol inspection decisions:
– Request—HTTP header request messages are to be checked for header length.
– Response—HTTP header response messages are to be checked for header length.
b. In the Header Length Operator field, choose the operand to be used to compare header length:
– Equal To—The header length must equal the number in the Header Length Value (Bytes)
field.
– Greater Than—The header length must be greater than the number in the Header Length
Value (Bytes) field.
– Less Than—The header length must be less than the number in the Header Length Value
(Bytes) field.
– Range—The header length must be within the range specified in the Header Length
Lower Value (Bytes) field and the Header Length Higher Value (Bytes) field.
c. Enter values to apply for header length comparison as follows:
– If you chose Equal To, Greater Than, or Less Than in the Header Length Operator field,
the Header Length Value (Bytes) field appears. In the Header Length Value (Bytes) field,
enter the number of bytes for comparison. Valid entries are from 0 to 255.
– If you chose Range in the Header Length Operator field, the Header Length Lower Value
(Bytes) and the Header Length Higher Value (Bytes) fields appear.
Do the following:
1. In the Header Length Lower Value (Bytes) field, enter the lowest number of bytes to be
used for this match condition. Valid entries are from 0 to 255. The number in this field
must be less than the number entered in the Header Length Higher Value (Bytes) field.
2. In the Header Length Higher Value (Bytes) field, enter the highest number of bytes to
be used for this match condition. Valid entries are from 1 to 255. The number in this field
must be greater than the number entered in the Header Length Lower Value (Bytes) field.
Header MIME Type Multipurpose Internet Mail Extension (MIME) message types that are used for protocol inspection
decisions. In the Header MIME Type field, choose the MIME message type to be used for this
match condition.
Port Misuse Misuse of port 80 (or any other port running HTTP) that is used for protocol inspection decisions.
In the Port Misuse field, choose the application category to be used for this match condition:
• IM—Instant messaging applications are to be used for this match condition.
• P2P—Peer-to-peer applications are to be used for this match condition.
• Tunneling—Tunneling applications are to be used for this match condition.
Request Method Request method that is used for protocol inspection decisions. By default, ACEs allow all request
and extension methods. This option allows you to configure class maps that define protocol
inspection decisions based on compliance to request methods defined in RFC 2616 and by HTTP
extension methods.
a. In the Request Method Type field, choose the type of compliance to be used for protocol
inspection decision:
– Ext—An HTTP extension method is to be used for protocol inspection decisions.
Note The list of available HTTP extension methods from which to choose varies
depending on the version of software installed in the ACE.
– RFC—A request method defined in RFC 2616 is to be used for protocol inspection
decisions.
b. In the Request Method field, choose the specific request method to be used.
Strict HTTP Internal compliance checks that are performed to verify that a message is compliant with the HTTP
RFC standard, RFC 2616. If the HTTP message is not compliant, the ACE performs the specified
Layer 7 policy map action.
Transfer Encoding HTTP transfer-encoding type that is used for protocol inspection decisions. The transfer-encoding
general-header field indicates the type of transformation, if any, that has been applied to the HTTP
message body to safely transfer it between the sender and the recipient.
In the Transfer Encoding field, choose the type of encoding that is to be checked:
• Chunked—Message body is transferred as a series of chunks.
• Compress—Encoding format that is produced by the UNIX file compression program
compress.
• Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE
compression mechanism described in RFC 1951.
• Gzip—Encoding format that is produced by the file compression program GZIP (GNU zip)
as described in RFC 1952.
• Identity—Default (identity) encoding which does not require the use of transformation.
URL
URL names are used for protocol inspection decisions. In the URL field, enter a URL or a portion
of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and
include only the portion of the URL following www.hostname.domain. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
URL Length
URL length that is used for protocol inspection decisions.
Do the following:
a. In the URL Length Operator field, choose the operator to be used to compare URL length:
– Equal To—URL length must equal the number in the URL Length Value (Bytes) field.
– Greater Than—URL length must be greater than the number in the URL Length Value
(Bytes) field.
– Less Than—URL length must be less than the number in the URL Length Value (Bytes)
field.
– Range—URL length must be within the range specified in the URL Length Lower Value
(Bytes) field and the URL Length Higher Value (Bytes) field.
b. Enter values to apply for URL length comparison as follows:
– If you chose Equal To, Greater Than, or Less Than in the URL Length Operator field, the
URL Length Value (Bytes) field appears. In the URL Length Value (Bytes) field, enter the
value for comparison. Valid entries are from 1 to 65535 bytes.
– If you chose Range in the URL Length Operator field, the URL Length Lower Value
(Bytes) and the URL Length Higher Value (Bytes) fields appear.
Do the following:
1. In the URL Length Lower Value (Bytes) field, enter the lowest number of bytes to be
used for this match condition. Valid entries are from 1 to 65535. The number in this field
must be less than the number entered in the URL Length Higher Value (Bytes) field.
2. In the URL Length Higher Value (Bytes) field, enter the highest number of bytes to be
used for this match condition. Valid entries are from 1 to 65535. The number in this field
must be greater than the number entered in the URL Length Lower Value (Bytes) field.
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action table
appears. To define actions for this rule, continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps
table.
• Click Next to deploy your entries and to configure another rule.
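As an added illustration (example code written for this page, not ANM or ACE software), the following Python model applies Request Method, Strict HTTP, Transfer Encoding, URL and URL Length conditions of the kind listed in Table 14-22 to constructed requests and returns the rule action together with its log flag. The inclusive Range comparison, the parse-failure stand-in for the Strict HTTP check and the Permit fall-through for unmatched requests are assumptions of the example, not documented ACE behaviour.

```python
# Model of the Layer 7 HTTP deep packet inspection match conditions in Table 14-22.
import re
from typing import Dict, List, NamedTuple, Tuple

# Request methods defined in RFC 2616 (the "RFC" Request Method Type).
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT",
                   "DELETE", "TRACE", "CONNECT"}
# Encodings offered by the Transfer Encoding match condition.
TRANSFER_ENCODINGS = {"chunked", "compress", "deflate", "gzip", "identity"}


class Request(NamedTuple):
    method: str
    url: str                   # the portion after www.hostname.domain
    headers: Dict[str, str]    # header names lower-cased


def parse_request_head(raw: bytes) -> Request:
    """Parse the request line and headers; raise ValueError when the head is not
    shaped like RFC 2616 (a simplified stand-in for the Strict HTTP check)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    m = re.fullmatch(r"([A-Z]+) (\S+) HTTP/1\.[01]", lines[0])
    if m is None:
        raise ValueError("malformed request line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():   # require "Name: value"
            raise ValueError("malformed header line: %r" % line)
        headers[name.lower()] = value.strip()
    return Request(m.group(1), m.group(2), headers)


def url_length_matches(url: str, operator: str, *values: int) -> bool:
    """URL Length condition: 'eq', 'gt' or 'lt' with one Value, or 'range' with
    Lower and Higher (all 1..65535, lower < higher; range is inclusive here)."""
    n = len(url.encode("utf-8"))
    if operator == "range":
        lower, higher = values
        if not 1 <= lower < higher <= 65535:
            raise ValueError("range needs 1 <= lower < higher <= 65535")
        return lower <= n <= higher
    (value,) = values
    if not 1 <= value <= 65535:
        raise ValueError("value must be between 1 and 65535")
    return {"eq": n == value, "gt": n > value, "lt": n < value}[operator]


def condition_matches(cond: dict, req: Request) -> bool:
    """Evaluate one match condition, given as a dict (a constructed encoding)."""
    kind = cond["type"]
    if kind == "request_method":
        # "rfc": the method must be an RFC 2616 method, "ext": it must not be;
        # either way it must equal the method chosen in the rule.
        is_rfc = req.method in RFC2616_METHODS
        return is_rfc == (cond["method_type"] == "rfc") and req.method == cond["method"]
    if kind == "transfer_encoding":
        enc = cond["encoding"].lower()
        if enc not in TRANSFER_ENCODINGS:
            raise ValueError("unknown transfer-encoding %r" % enc)
        # A missing Transfer-Encoding header means the identity encoding.
        present = {e.strip().lower() for e in
                   req.headers.get("transfer-encoding", "identity").split(",")}
        return enc in present
    if kind == "url":                 # "a URL or a portion of a URL to match"
        return cond["url"] in req.url
    if kind == "url_length":
        return url_length_matches(req.url, cond["operator"], *cond["values"])
    raise ValueError("unknown match condition type %r" % kind)


def evaluate(rules: List[dict], raw: bytes,
             strict_action: Tuple[str, bool] = ("reset", True)) -> Tuple[str, bool]:
    """Return (action, log) of the first rule whose conditions all match. A
    non-compliant head gets strict_action (the Strict HTTP row); an unmatched
    request falls through to Permit, a default chosen for this example."""
    try:
        req = parse_request_head(raw)
    except ValueError:
        return strict_action
    for rule in rules:
        if all(condition_matches(c, req) for c in rule["conditions"]):
            return rule["action"], rule.get("log", False)
    return ("permit", False)


# Constructed policy: reset the extension method CORVETTE, reset chunked
# requests whose URL is 64 bytes or longer, permit the /latest/ tree.
SAMPLE_RULES = [
    {"conditions": [{"type": "request_method", "method_type": "ext",
                     "method": "CORVETTE"}], "action": "reset", "log": True},
    {"conditions": [{"type": "transfer_encoding", "encoding": "chunked"},
                    {"type": "url_length", "operator": "range", "values": (64, 65535)}],
     "action": "reset", "log": True},
    {"conditions": [{"type": "url", "url": "/latest/"}], "action": "permit"},
]
# Constructed requests, not captured traffic.
OK_REQUEST = b"GET /latest/whatsnew.html HTTP/1.1\r\nHost: www.anydomain.com\r\n\r\n"
LONG_CHUNKED = b"POST /latest/" + b"a" * 80 + b" HTTP/1.1\r\nHost: www.anydomain.com\r\nTransfer-Encoding: chunked\r\n\r\n"
EXT_METHOD = b"CORVETTE /latest/whatsnew.html HTTP/1.1\r\nHost: www.anydomain.com\r\n\r\n"
BAD_HEADER = b"GET /latest/whatsnew.html HTTP/1.1\r\nHost www.anydomain.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (OK_REQUEST, LONG_CHUNKED, EXT_METHOD, BAD_HEADER):
        print(raw.split(b"\r\n", 1)[0], evaluate(SAMPLE_RULES, raw))
```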
Note If you chose the Insert Before option described in Table 14-21 and specified True, perform the
following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 6 In the Action table, click Add to add a new action, or choose an existing action and click Edit to modify
it.
The Action configuration window appears.
Step 7 In the Id field of the Action configuration window, either accept the automatically incremented entry or
assign a unique identifier for this action.
Step 8 In the Action Type field, choose the action to be taken for this rule:
• Permit—The HTTP traffic is to be allowed if it meets the match criteria.
• Reset—The HTTP traffic is to be denied if it meets the match criteria. A TCP reset message is sent
to the client or server to close the connection.
Step 9 In the Action Log field, specify whether or not the action taken is to be logged:
• N/A—This option is not configured.
• False—Dropped packets are not to be logged in the software.
• True—Dropped packets are to be logged in the software.
Step 10 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Action table.
• Click Next to configure another action for this policy map and rule.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization
Note HTTP optimization policy maps are available for ACE appliances only.
You can add rules and actions for Layer 7 HTTP optimization policy maps.
Assumptions
This topic assumes the following:
• An action list has been configured. See Configuring an HTTP Optimization Action List, page 15-3
for more information.
• A class map has been defined if you are not using the class-default class map. See Configuring
Virtual Context Class Maps, page 14-6 for more information.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the Layer 7 HTTP optimization policy map that you want to set rules
and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose an existing rule and click Edit to modify it.
The Rule configuration window appears.
Step 4 In the Type field of the Rule configuration window, configure rules using the information in Table 14-23.
Table 14-23 Layer 7 HTTP Optimization Policy Map Rules
Option Description
Class Map
Class map to use for this traffic policy.
From the Use Class Map field, do one of the following:
• To use the default class map, choose class-default.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot
delete or modify this class. All traffic that fails to meet the other matching criteria in the named
class map belongs to the default traffic class. If none of the specified classifications matches the
traffic, then the ACE performs the action specified by the class-default class map. The
class-default class map has an implicit match any statement that enables it to match all traffic.
• To use a previously created class map, do the following:
1. Choose others.
2. In the Class Map Name field, choose the class map to use.
Match Condition
Match condition to use for this traffic policy.
Do the following:
a. In the Match Condition Name field, enter a name for this match condition. Valid entries are
unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b. In the Match Condition Type field, choose the method by which match decisions are to be made
and their corresponding conditions. See Table 14-24 for information about these selections.
Insert Before
Order of the rules in the policy map.
Do the following:
a. Specify whether or not this rule is to precede another rule for this policy map:
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule
field appears.
b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current
rule to precede.
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action table
appears. To define actions for this rule, continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to configure another rule.
Table 14-24 Layer 7 HTTP Optimization Policy Map Match Conditions
Match Condition Procedure
Cookie
HTTP cookie that is to be used to establish a match condition.
Do the following:
a. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings
with no spaces and a maximum of 64 alphanumeric characters.
b. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted
text strings with no spaces and a maximum of 255 alphanumeric characters.
c. In the Secondary Cookie field, check the checkbox to specify that the ACE is to use either the
cookie name or the cookie value to satisfy this match condition. Uncheck this check box to
indicate that the ACE is to use either the cookie name or the cookie value to satisfy this match
condition.
Header
HTTP header that is to be used to establish a match condition.
Do the following:
a. In the Header field, choose one of the predefined HTTP headers to be matched, or choose
HTTP Header to specify a different HTTP header.
b. If you chose HTTP Header, in the Header Name field, enter the name of the HTTP header to
match. Valid entries are unquoted text strings with no spaces and a maximum of 64
alphanumeric characters.
c. In the Header Value (Bytes) field, enter the header value expression string to compare against
the value in the specified field in the HTTP header. Valid entries are text strings with a
maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching. To include spaces in the string, enclose the entire string in quotes. All headers in
the header map must be matched. See Table 14-33 for a list of the supported characters that
you can use in regular expressions.
HTTP URL
Portion of an HTTP URL that is to be used to establish a match condition.
Do the following:
a. In the URL Expression field, enter a URL or a portion of a URL to match. Valid entries are
URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL
following www.hostname.domain. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.
b. In the Method Expression field, enter the HTTP method to match. Valid entries are method
names entered as unquoted text strings with no spaces and a maximum of 15 alphanumeric
characters. You can enter either one of the standard HTTP 1.1 method names (OPTIONS,
GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be
matched exactly (for example, CORVETTE).
Note If you chose the Insert Before option described in Table 14-23 and specified True, perform the
following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 6 In the Action table, click Add to add a new action, or choose an existing action and click Edit to modify
it.
The Action configuration window appears.
Step 7 In the Id field of the Action configuration window, either accept the automatically incremented entry or
assign a unique identifier for this action.
Step 8 In the Action Type field, confirm that Action List is selected.
Step 9 In the Action List field, choose the action list to apply to this policy map and rule.
Step 10 In the Optimization Parameter Map field, choose the optimization parameter map to apply to this policy
map and rule.
Step 11 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action for this rule.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic
You can set rules and actions for Layer 7 server load-balancing policy maps.
Assumptions
This topic assumes the following:
• You have configured a load-balancing policy map and want to establish the corresponding rules and
actions.
• If you want to configure an SSL proxy action, you have configured SSL proxy service for this
context.
• If you want to insert, rewrite, and delete HTTP headers, ensure that an HTTP header modify action
list has been configured (see the “Configuring an HTTP Header Modify Action List” section on
page 14-85).
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the load-balancing policy map you want to set rules and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose an existing rule and click Edit to modify it.
The Rule configuration window appears.
Step 4 From the Type field, choose one of the following rule types to use:
• Class Map—Indicates that the ACE appliance is to use an existing class map that identifies the rules
and corresponding actions. If you choose this rule type, go to Step 5.
• Match Condition—Indicates that the ACE appliance is to use a set of conditions to identify the
rules and corresponding actions. If you choose this rule type, go to Step 6.
Step 5 If you chose Class Map rule type, from the Use Class Map field, either choose class-default to use the
default class map or specify a previously created class map as follows:
a. From the Use Class Map field, choose others. The Class Map field appears.
b. From the Class Map field, choose the class map to use.
c. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map by
choosing one of the following options:
– N/A—Indicates that this option is not configured.
– False—Indicates that this rule is not to precede another rule in this policy map.
– True—Indicates that this rule is to precede another rule in this policy map.
d. If you chose True, the Insert Before Policy Rule field appears. Select the rule that you want the
current rule to precede.
Step 6 If you chose the Match Condition rule type, do the following:
a. In the Match Condition Name field, enter a name for the match condition. Valid entries are unquoted
text strings with no spaces and a maximum of 64 alphanumeric characters.
b. In the Match Condition Type field, select the method by which match decisions are to be made and
their corresponding conditions. See Table 14-25 for information about these selections.
Note Fields and information related to IPv6 require ACE module and ACE appliance software
Version A5(1.0) or later.
Table 14-25 Layer 7 Server Load Balancing Policy Map Match Conditions
Match Condition Description
HTTP Content
Option that appears for ACE modules only. Specific content contained within the HTTP
entity-body is used to establish a match condition.
Do the following:
a. In the Content Expression field, enter the content that is to be matched. Valid entries are
alphanumeric strings from 1 to 255 characters.
b. In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the
first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and
the body of the message. Valid entries are from 1 to 255.
HTTP Cookie
HTTP cookies are to be used for this match condition.
Do the following:
a. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings
with no spaces and a maximum of 64 alphanumeric characters.
b. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted
text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports
regular expressions for matching string expressions. Table 14-33 lists the supported characters
that you can use for matching string expressions.
HTTP Header
HTTP header and a corresponding value are to be used for this match condition.
Do the following:
a. In the Header Name field, specify the header to match in one of the following ways:
– To specify an HTTP header that is not one of the standard HTTP headers, choose the first
radio button, then enter the HTTP header name in the Header Name field. Valid entries
are unquoted text strings with no spaces and a maximum of 64 characters.
– To specify a standard HTTP header, click the second radio button, then choose an HTTP
header from the list.
b. In the Header Value (Bytes) field, enter the header-value expression string to compare against
the value in the specified field in the HTTP header. Valid entries are text strings with a
maximum of 255 alphanumeric characters. The ACE supports regular expressions for
matching. To include spaces, enclose the entire string in quotes. All headers in the header map
must be matched. See Table 14-33 for a list of the supported characters that you can use in
regular expressions.
HTTP URL
Rule that performs regular expression matching against the received packet data from a particular
connection based on the HTTP URL string.
Do the following:
a. In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are
URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL
following www.hostname.domain in the match statement. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the
www.anydomain.com portion, the URL string can take the form of a URL regular expression.
The ACE supports regular expressions for matching URL strings. See Table 14-33 for a list of
the supported characters that you can use in regular expressions.
b. In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted
text strings with no spaces and a maximum of 15 alphanumeric characters. The method can
either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT,
DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example,
CORVETTE).
Source Address
Client source IP address that is used to establish match conditions.
Do the following:
a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE
module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
b. In the Source IP v4/v6 Address field, enter the source IP address of the client in the format
based on the address type (IPv4 or IPv6).
c. Depending on the IP address type that you chose, do one of the following:
– For IPv4, from the Source Netmask field, choose the subnet mask of the IP address.
– For IPv6, from the Source Prefix-length field, enter the prefix length for the address.
Step 7 For specific class maps and match conditions, in the Insert Before field, indicate whether this rule is to
precede another defined policy rule by choosing one of the following:
• N/A—Indicates that this option is not applicable.
• False—Indicates that this rule is not to precede another defined policy rule.
• True—Indicates that this rule is to precede another policy rule.
If you select True, in the Insert Before Policy Rule field, select the policy rule that this rule is to
precede.
Step 8 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action table
appears. To define the actions for this rule, continue with Step 9.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to configure another rule.
Note If you chose the Insert Before option described in Step 7 and specified True, perform the
following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 9 In the Action table, click Add to add a new action, or choose an existing action and click Edit to modify
it.
Step 10 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this
action.
Step 11 In the Action Type field, choose the action to be taken and configure any action-specific attributes as
described in Table 14-26.
Table 14-26 Layer 7 Server Load Balancing Policy Map Actions
Action Description
Action
Action that the ACE is to implement for the rule. In the Action List field, choose an action list to
associate with this rule.
Compress
Option that appears for ACE appliances (all versions) and ACE modules version A4(1.0) and later.
The ACE is to compress packets that match this policy map. This option is available only when
you associate an HTTP-type class map with a policy map.
In the Compress Method field, specify the method that the ACE is to use to compress packets:
• Deflate—Indicates that the ACE is to use the DEFLATE compression method when the client
browser supports both the DEFLATE and GZIP compression methods.
• Gzip—Indicates that ACE is to use the GZIP compression method when the client browser
supports both the DEFLATE and GZIP compression methods.
Drop
Field that instructs the ACE to discard packets that match the rule. In the Action Log field, specify
whether or not the dropped packets are to be logged in the software:
• N/A—This option is not configured.
• False—Dropped packets are not to be logged in the software.
• True—Dropped packets are to be logged in the software.
Forward
Field that instructs the ACE to forward requests that match this policy map without load balancing
the requests.
Insert-HTTP
Field that instructs the ACE to insert an HTTP header for Layer 7 load balancing for requests that
match this policy map. This option allows the ACE to identify a client whose IP address has been
translated using NAT by inserting a generic header and string value in the client HTTP request.
Do the following:
a. In the HTTP Header Name field, enter the name of the generic field in the HTTP header. Valid
entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric
characters.
b. In the HTTP Header Value field, enter the value to be inserted into the HTTP header. Valid
entries are unquoted text strings with a maximum of 255 alphanumeric characters. The ACE
supports regular expressions for matching. To include spaces, enclose the entire string in
quotes. All headers in the header map must be matched. See Table 14-33 for a list of the
supported characters that you can use in regular expressions.
Reverse Sticky
Feature that applies only to the ACE module version 3.0(0)A2(1.1), ACE appliance version
A4(1.0), or later releases of either device type. Reverse IP stickiness is an enhancement to regular
stickiness and is used mainly in firewall load balancing (FWLB). It ensures that multiple distinct
connections that are opened by hosts at both ends (client and server) are load-balanced and stuck
to the same firewall. Reverse stickiness applies to such protocols as FTP, RTSP, SIP, and so on
where there are separate control channels and data channels opened by the client and the server,
respectively. For complete details about reverse stickiness, see the Release Note for the Cisco
Application Control Engine Module (Software Version 3.0(0)A2(X)).
In the Sticky Group field, choose the name of an existing IP netmask sticky group that you want
to associate with reverse IP stickiness.
Server Farm
Field that instructs the ACE to load balance client requests for content to a server farm.
Do the following:
a. In the Server Farm field, choose the server farm to which requests for content are to be sent.
b. In the Backup Server Farm field, choose the backup server farm to which requests for content
are to be sent.
Choose N/A to indicate that no backup server farm is to be used.
c. Choose the Sticky Enabled check box to indicate that the sticky group associated with this
policy and applied to the primary server farm is applied to the backup server farm. Clear the
Sticky Enabled check box to indicate that the sticky group associated with this policy and
applied to the primary server farm in that policy is not applied to the backup server farm.
d. Choose the Aggregate State Enabled check box to indicate that the operational state of the
backup server farm is taken into consideration when evaluating the state of the load-balancing
class in a policy map. Clear this check box to indicate that the operational state of the backup
server farm is not taken into consideration when evaluating the state of the load-balancing
class in a policy map.
Server Farm-NAT
Option that appears for ACE modules only. The ACE is to apply dynamic NAT to traffic for this
policy map.
Do the following:
a. In the NAT Pool ID field, enter the number of the pool of IP addresses that exist under the
VLAN specified in the VLAN Id field. Valid entries are from 1 to 2147483647. For
information on configuring NAT pools, see Configuring Virtual Context BVI Interfaces,
page 12-19.
b. In the VLAN ID field, choose the VLAN to use for NAT. Valid entries are from 1 to 4094.
c. In the Server Farm Type field, indicate whether the server farm is a backup or primary server
farm.
Set IP-TOS
Set the IP Differentiated Services Code Point (DSCP) bit in the Type of Service (ToS) byte. After
the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings.
In the IP TOS Rewrite Value (Bytes) field, enter the IP DSCP value. Valid entries are from 0 to 255.
SSL-Proxy
SSL proxy client service that defines the SSL parameters that the ACE is to use during the
handshake and subsequent SSL session.
Do the following:
a. In the SSL Proxy field, choose the SSL proxy service to be used for this action.
b. In the SSL Proxy Type field, confirm that Client is selected to indicate that the ACE is to be
configured so that it is recognized as an SSL client.
Sticky-Server Farm
Field that instructs the ACE to load balance requests that match this policy to a sticky server farm.
In the Sticky Group field, choose the sticky server farm that is to be used for requests that match
this policy map.
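As an added example (written for this page, not ACE or ANM software), the following Python model combines the Source Address and HTTP Content match conditions from Table 14-25 with the Insert-HTTP action from Table 14-26, so that a server behind NAT still receives the client address in a header. The farm names, the X-Client-IP header name, the sample addresses and the decision to overwrite a client-supplied header of the same name are assumptions of the example.

```python
# Model of the Source Address and HTTP Content match conditions (Table 14-25)
# and the Insert-HTTP action (Table 14-26). Example code, not ACE software.
import ipaddress
from typing import Dict, Tuple

Headers = Dict[str, str]


def source_address_matches(client_ip: str, address: str, mask_or_prefix: str) -> bool:
    """Source Address condition: for IPv4, mask_or_prefix is the dotted Source
    Netmask; for IPv6 it is the Source Prefix-length. A rule of one address
    family never matches a client of the other family."""
    client = ipaddress.ip_address(client_ip)
    rule_addr = ipaddress.ip_address(address)
    if client.version != rule_addr.version:
        return False
    if rule_addr.version == 4:
        network = ipaddress.IPv4Network((address, mask_or_prefix), strict=False)
    else:
        network = ipaddress.IPv6Network((address, int(mask_or_prefix)), strict=False)
    return client in network


def http_content_matches(body: bytes, expression: str, offset: int) -> bool:
    """HTTP Content condition: ignore `offset` bytes of the entity body (the bytes
    after the CRLFCRLF that ends the headers), then look for the expression.
    The ANM field takes an offset of 1 to 255; 0 is also accepted here."""
    if not 1 <= len(expression) <= 255:
        raise ValueError("content expression must be 1 to 255 characters")
    if not 0 <= offset <= 255:
        raise ValueError("content offset must be 0 to 255 bytes")
    return expression.encode("utf-8") in body[offset:]


def insert_http_header(headers: Headers, name: str, value: str) -> Headers:
    """Insert-HTTP action: add a generic header carrying a string value. A
    client-supplied header with the same name is dropped first so the server
    only sees the value the load balancer inserted (this replacement is the
    example's choice; the page does not say how the ACE treats an existing
    header of that name)."""
    if " " in name or not 1 <= len(name) <= 64:
        raise ValueError("header name: no spaces, 1 to 64 characters")
    if not 1 <= len(value) <= 255:
        raise ValueError("header value: 1 to 255 characters")
    out = {k: v for k, v in headers.items() if k.lower() != name.lower()}
    out[name] = value
    return out


def apply_rule(client_ip: str, headers: Headers, body: bytes) -> Tuple[str, Headers]:
    """Constructed rule: clients in 203.0.113.0/24 or 2001:db8::/32 whose body
    carries 'action=login' after the first 8 bytes go to the 'auth-farm' server
    farm with an X-Client-IP header inserted; everything else goes to 'web-farm'
    unchanged. Farm names, header name and addresses are made up."""
    in_scope = (source_address_matches(client_ip, "203.0.113.0", "255.255.255.0")
                or source_address_matches(client_ip, "2001:db8::", "32"))
    if in_scope and http_content_matches(body, "action=login", 8):
        return "auth-farm", insert_http_header(headers, "X-Client-IP", client_ip)
    return "web-farm", dict(headers)


if __name__ == "__main__":
    # Constructed request carrying a forged X-Client-IP that the action overwrites.
    hdrs = {"Host": "www.anydomain.com", "X-Client-IP": "192.0.2.1"}
    print(apply_rule("203.0.113.77", hdrs, b"sid=1234&action=login"))
    print(apply_rule("198.51.100.9", hdrs, b"sid=1234&action=login"))
```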
Step 12 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection
You can configure the rules and actions for a SIP deep packet inspection policy map.
Assumptions
This topic assumes the following:
• A SIP deep packet inspection policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the SIP deep packet inspection policy map that you want to set rules
and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit.
The Rule window appears.
Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-27.
14-69
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 14 Configuring Traffic Policies
Configuring Rules and Actions for Policy Maps
Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action table
appears. Continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to add another rule.
Table 14-27 Layer 7 SIP Deep Packet Inspection Policy Map Rules

Option: Class Map
Description: Class map to use for this traffic policy. From the Use Class Map field, do one of the following:
• To use the default class map, choose class-default.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic.
• To use a previously created class map, do the following:
1. Choose others.
2. In the Class Map Name field, choose the class map to use.

Option: Match Condition
Description: Match condition to use for this traffic policy. Do the following:
a. In the Match Condition field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b. In the Match Condition Type field, choose the type of match condition to use for this policy map and configure any type-specific options using the information in Table 7-10.

Option: Insert Before
Description: Order of the rules in the policy map. Do the following:
a. Specify whether or not this rule is to precede another rule for this policy map:
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears.
b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede.
14-70
Note If you chose the Insert Before option described in Table 14-27 and specified True, perform the
following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 6 In the Action table, click Add to add an entry or choose an existing entry to modify and click Edit.
Step 7 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this
action.
Step 8 In the Action Type field, choose the action to be taken for this rule:
• Drop—The SIP traffic is to be dropped if it meets the specified match criteria.
• Permit—The SIP traffic is to be allowed if it meets the specified match criteria.
• Reset—The SIP traffic is to be denied if it meets the specified match criteria. A TCP reset message
is sent to the client or server to close the connection.
Step 9 In the Action Log field, specify whether the action taken is to be logged:
• N/A—This option is not configured.
• False—Dropped packets are not to be logged in the software.
• True—Dropped packets are to be logged in the software.
Step 10 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
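The rule evaluation that Steps 5 through 10 configure through the GUI, written out as an added Python model (not ANM or ACE code): rules are tried in order, the first matching class map decides the action, class-default catches everything else, and a rule that Insert Before leaves behind a match-any rule is never reached. The SIP messages and the class-map predicates are constructed stand-ins for the match conditions of Table 7-10.

```python
"""Model of how the ordered rules of a Layer 7 SIP deep packet inspection
policy map are evaluated: first matching class map wins, class-default (an
implicit match-any) catches the rest, and a rule placed behind a match-any
rule through Insert Before is never reached. Added example, not ANM/ACE code."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A SIP message reduced to the fields the constructed class maps read.
Message = dict
Predicate = Callable[[Message], bool]

# Constructed sample traffic: a REGISTER from an untrusted host, an INVITE
# with an oversized Contact header, and an ordinary INVITE.
SAMPLE_MESSAGES = [
    {"method": "REGISTER", "src": "198.51.100.7", "contact": "<sip:7@198.51.100.7>"},
    {"method": "INVITE", "src": "203.0.113.5",
     "contact": "<sip:" + "a" * 200 + "@example.com>"},
    {"method": "INVITE", "src": "203.0.113.5", "contact": "<sip:bob@example.com>"},
]


@dataclass
class Rule:
    class_map: str                     # class map name, or "class-default"
    action: str                        # "drop", "permit" or "reset" (Step 8)
    log: Optional[bool] = None         # Action Log: None = N/A, False, True (Step 9)
    match: Optional[Predicate] = None  # None models class-default's implicit match any

    def matches(self, msg: Message) -> bool:
        return True if self.match is None else self.match(msg)


@dataclass
class PolicyMap:
    rules: List[Rule] = field(default_factory=list)
    syslog: List[str] = field(default_factory=list)   # stand-in for the ACE log

    def add_rule(self, rule: Rule, insert_before: Optional[str] = None) -> None:
        """Append the rule, or (Insert Before = True) place it directly ahead
        of the rule that uses the named class map."""
        if insert_before is None:
            self.rules.append(rule)
            return
        for i, existing in enumerate(self.rules):
            if existing.class_map == insert_before:
                self.rules.insert(i, rule)
                return
        raise ValueError(f"no rule uses class map {insert_before!r}")

    def evaluate(self, msg: Message) -> Tuple[Optional[str], Optional[str]]:
        """Return (action, class_map) of the first rule whose class map
        matches; (None, None) if nothing matched and no class-default exists."""
        for rule in self.rules:
            if rule.matches(msg):
                if rule.log:   # Action Log = True: record the action taken
                    self.syslog.append(f"{rule.action} {msg.get('method')} from "
                                       f"{msg.get('src')} by {rule.class_map}")
                return rule.action, rule.class_map
        return None, None

    def shadowed_rules(self) -> List[str]:
        """Class maps of rules listed after a match-any rule; they can never
        be evaluated, which is the usual result of a misplaced Insert Before."""
        for i, rule in enumerate(self.rules):
            if rule.match is None:
                return [r.class_map for r in self.rules[i + 1:]]
        return []


def build_example_policy() -> PolicyMap:
    """Constructed policy: reset REGISTERs from one untrusted host, drop
    messages whose Contact header is oversized, permit everything else."""
    pm = PolicyMap()
    pm.add_rule(Rule("sip-register-untrusted", "reset", log=True,
                     match=lambda m: m.get("method") == "REGISTER"
                     and m.get("src") == "198.51.100.7"))
    pm.add_rule(Rule("sip-oversized-contact", "drop", log=True,
                     match=lambda m: len(m.get("contact", "")) > 128))
    pm.add_rule(Rule("class-default", "permit"))
    return pm


if __name__ == "__main__":
    pm = build_example_policy()
    for msg in SAMPLE_MESSAGES:
        print(msg["method"], "->", pm.evaluate(msg))
    print("logged:", pm.syslog)
    print("unreachable rules:", pm.shadowed_rules())
```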
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection
You can configure the rules and actions for a Skinny Client Control Protocol (SCCP) deep packet
inspection policy map.
Assumptions
This topic assumes the following:
• A Skinny deep packet inspection policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the Skinny deep packet inspection policy map that you want to set rules
and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose the rule you want to modify, then click Edit.
The Rule window appears.
Step 4 In the Type field of the Rule window, confirm that Match Condition is selected.
Step 5 In the Match Condition Name field, enter a name for this match condition.
Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 6 In the Match Condition Type field, confirm that Message ID is selected.
Step 7 In the Message ID Operator field, specify whether or not the match criteria is for a single message
identifier or for a range of message identifiers:
• Equal To—A single message identifier is used for this match condition.
In the Message ID Value field, enter the numerical identifier of an SCCP message. Valid entries are
from 0 to 65535.
• Range—A range of message identifiers is used for this match condition.
Do the following:
a. In the Message ID Low Range Value field, enter the lowest numerical identifier of a range of
SCCP messages. Valid entries are from 0 to 65535.
b. In the Message ID High Range Value field, enter the highest numerical identifier of a range of
SCCP messages. Valid entries are integers from 0 to 65535, and the value in this field must be equal to
or greater than the value in the Message ID Low Range Value field.
Step 8 In the Insert Before field, specify whether or not this rule is to precede another rule in this policy map:
• N/A—This option is not configured.
• False—This rule is not to precede another rule in this policy map.
• True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field
appears.
Step 9 If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule
to precede.
Step 10 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action table
appears. To define the actions for this rule, continue with Step 11.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to configure another rule.
Note If you chose the Insert Before option in Step 8 and specified True, perform the following steps
to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 11 In the Action table, click Add to add a new action, or choose an existing action and click Edit to modify it.
The Action configuration window appears.
Step 12 In the ID field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 13 In the Action Type field, confirm that Reset is selected.
Step 14 In the Action Log field, specify whether the action taken is to be logged:
• N/A—This option is not configured.
• False—Dropped packets are not to be logged in the software.
• True—Dropped packets are to be logged in the software.
Step 15 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for RADIUS Server Load Balancing
You can configure the rules and actions for RADIUS traffic received by the ACE.
Assumptions
This topic assumes the following:
• A RADIUS server load balancing traffic policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the RADIUS server load balancing policy map that you want to set rules
and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose the rule you want to modify and click Edit.
The Rule window appears.
Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-28.
Table 14-28 RADIUS Server Load Balancing Policy Map Rules

Option: Class Map
Description: Class map to use for this traffic policy. From the Use Class Map field, do one of the following:
• To use the default class map, choose class-default.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic.
• To use a previously created class map, do the following:
1. Choose others.
2. In the Class Map Name field, choose the class map to use.

Option: Match Condition
Description: Match condition to use for this traffic policy. Do the following:
a. In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b. In the Match Condition Type field, choose the type of match condition to use for this policy map:
– Calling Station ID—A unique identifier of the calling station is used to establish a match condition. In the RADIUS Calling Station ID field, enter the calling station identifier to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions.
– User Name—A username is used to establish a match condition. In the User Name field, enter the name to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions.

Option: Insert Before
Description: Order of the rules in the policy map. Do the following:
a. Indicate whether this rule is to precede another rule for this policy map:
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears.
b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede.

Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. To enter actions for this rule, continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to configure another rule.
Note If you chose the Insert Before option described in Table 14-28 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 6 In the Action table, click Add to add an entry or choose an existing entry to modify and click Edit.
Step 7 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 8 In the Action Type field, configure actions for this rule using the information in Table 14-17.
Step 9 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for RDP Server Load Balancing
Use this procedure to configure the rules and actions for RDP traffic received by the ACE.
Assumptions
This topic assumes the following:
• An RDP server load balancing traffic policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the RDP server load balancing policy map that you want to set rules
and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule.
The Rule window appears.
Step 4 In the Type field of the Rule window, confirm that Class Map is selected.
Step 5 Check the Use Class Default check box.
Note You can only use the default class map (Class Default) with an RDP server load balancing policy
map.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete
or modify this class. The class-default class map has an implicit match any statement that enables it to
match all traffic.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action table
appears. To enter actions for this rule, continue with Step 7.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to configure another rule.
Step 7 In the Action table, click Add to add an entry, or choose an existing entry to modify and click Edit.
Step 8 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 9 In the Action Type field, configure actions for this rule using the information in Table 14-17.
Step 10 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for RTSP Server Load Balancing
You can configure the rules and actions for RTSP traffic received by the ACE.
Assumptions
This topic assumes the following:
• An RTSP server load balancing traffic policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the RTSP server load balancing policy map that you want to set rules
and actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit.
The Rule window appears.
Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-29.
Table 14-29 RTSP Server Load Balancing Policy Map Rules

Option: Class Map
Description: Class map to use for this traffic policy. From the Use Class Map field, do one of the following:
• To use the default class map, choose class-default.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic.
• To use a previously created class map, do the following:
1. Choose others.
2. In the Class Map Name field, choose the class map to use.

Option: Match Condition
Description: Match condition to use for this traffic policy. Do the following:
a. In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b. In the Match Condition Type field, choose the type of match condition to use for this policy map and configure any type-specific options using the information in Table 14-30.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later.

Option: Insert Before
Description: Order of the rules in the policy map. Do the following:
a. Indicate whether or not this rule is to precede another rule for this policy map by choosing one of the following options:
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears.
b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede.
Table 14-30 RTSP Policy Map Match Conditions

Match Condition: RTSP Header
Description: RTSP header information that is used for matching criteria. Do the following:
a. In the Header Name field, specify the header to match in one of the following ways:
– To specify an RTSP header that is not one of the standard RTSP headers, choose the first radio button, then enter the RTSP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
– To specify a standard RTSP header, click the second radio button, then choose an RTSP header from the list.
b. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the RTSP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions.

Match Condition: RTSP URL
Description: URL or portion of a URL that is used for match criteria. Do the following:
a. In the URL Expr field, enter a URL, or portion of a URL, to match. The ACE performs matching on whatever URL string appears after the RTSP method, regardless of whether the URL includes the host name. The ACE supports regular expressions for matching URL strings. See Table 14-33 for a list of the supported characters that you can use in regular expressions.
b. In the Method Expr field, enter the RTSP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can be either one of the standard RTSP method names (DESCRIBE, ANNOUNCE, GET_PARAMETER, OPTIONS, PAUSE, PLAY, RECORD, REDIRECT, SETUP, SET_PARAMETER, TEARDOWN) or a text string that must be matched exactly (for example, STINGRAY).

Match Condition: Source Address
Description: Source IP address that is used for match criteria. Do the following:
a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
b. In the Source Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6).
c. Depending on the IP address type that you chose, do one of the following:
– For IPv4, in the Source Netmask field, choose the subnet mask for the source IP address.
– For IPv6, in the Source Prefix-length field, enter the prefix length for the address.

Step 5 In the Insert Before field, indicate whether or not this rule is to precede another rule for this policy map:
• N/A—This option is not configured.
• False—This rule is not to precede another rule in this policy map.
• True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears.
If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The window refreshes and the Action table
appears. Continue with Step 7.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to add another rule.
Note If you chose the Insert Before option in Table 14-30 and specified True, perform the following
steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 7 In the Action table, click Add to add an entry, or choose an existing entry to modify and click Edit.
Step 8 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 9 In the Action Type field, configure actions for this rule using the information in Table 14-17.
Step 10 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Setting Policy Map Rules and Actions for SIP Server Load Balancing
You can configure the rules and actions for SIP traffic received by the ACE.
Assumptions
This topic assumes the following:
• A SIP server load balancing traffic policy map has been configured.
• A class map has been defined for a class map rule if you do not want to use the class-default class
map.
Procedure
Step 1 Choose Config > Devices > context > Expert > Policy Maps.
The Policy Maps table appears.
Step 2 In the Policy Maps table, choose the SIP server load balancing policy map that you want to set rules and
actions for.
The Rule table appears.
Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit.
The Rule window appears.
Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-31.
Table 14-31 SIP Server Load Balancing Policy Map Rules

Option: Class Map
Description: Class map to use for this traffic policy. From the Use Class Map field, do one of the following:
• To use the default class map, choose class-default.
The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic.
• To use a previously created class map, do the following:
1. Choose others.
2. In the Class Map Name field, choose the class map to use.

Option: Match Condition
Description: Match condition to use for this traffic policy. Do the following:
a. In the Match Condition field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
b. In the Match Condition Type field, choose the type of match condition to use for this policy map and configure any type-specific options using the information in Table 14-32.
Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later.

Option: Insert Before
Description: Order of the rules in the policy map. Do the following:
a. Indicate whether or not this rule is to precede another rule for this policy map. Choices are as follows:
– N/A—This option is not configured.
– False—This rule is not to precede another rule in this policy map.
– True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears.
b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede.
Table 14-32 SIP Server Load Balancing Policy Map Match Conditions

Match Condition: SIP Header
Description: SIP header information that is used for matching criteria. Do the following:
a. In the Header Name field, specify the header to match in one of the following ways:
– To specify a SIP header that is not one of the standard SIP headers, choose the first radio button, then enter the SIP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.
– To specify a standard SIP header, click the second radio button, then choose a SIP header from the list.
b. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the SIP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions.

Match Condition: Source Address
Description: Source IP address that is used for match criteria. Do the following:
a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6.
b. In the Source Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6).
c. Depending on the IP address type that you chose, do one of the following:
– For IPv4, in the Source Netmask field, choose the subnet mask for the source IP address.
– For IPv6, in the Source Prefix-length field, enter the prefix length for the address.

Step 5 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears so you can enter actions for this rule. Continue with Step 6.
• Click Cancel to exit this procedure without saving your entries and to return to the Rule table.
• Click Next to deploy your entries and to add another rule.
Note If you chose the Insert Before option in Table 14-31 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:
1. Click the Rule tab to refresh the Rule table.
2. In the Rule table, choose the newly added rule.
When the window refreshes, an empty action list appears.
Step 6 In the Action table, click Add to add an entry, or choose an existing entry to modify and click Edit.
Step 7 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action.
Step 8 In the Action Type field, configure actions for this rule using the information in Table 14-17.
Step 9 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
• Click Cancel to exit the procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action.
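The match conditions of Table 14-30 (RTSP) and Table 14-32 (SIP), evaluated against a parsed request as an added Python example (not ANM or ACE code): every header in the header map must match, the RTSP URL Expr is applied to whatever follows the method, the Method Expr is compared exactly, and the Source Address takes an IPv4 netmask or an IPv6 prefix length. It assumes Python's re module for the Table 14-33 conventions and treats header names as case-insensitive; the RTSP and SIP requests are constructed samples.

```python
"""Evaluate the Layer 7 match conditions of Tables 14-30 and 14-32 against a
parsed RTSP or SIP request. Added example, not ANM or ACE code."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample requests (RTSP and SIP): request line, headers, no body.
SAMPLE_RTSP = ("SETUP rtsp://media.example.com/stream/track1 RTSP/1.0\r\n"
               "CSeq: 3\r\n"
               "Transport: RTP/AVP;unicast;client_port=8000-8001\r\n"
               "User-Agent: Example Player 2.1\r\n\r\n")
SAMPLE_SIP = ("INVITE sip:bob@example.com SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776\r\n"
              "From: <sip:alice@example.com>;tag=1928\r\n"
              "Max-Forwards: 70\r\n\r\n")


@dataclass
class Request:
    method: str
    url: str                  # everything between the method and the version
    headers: Dict[str, str]   # names lower-cased (assumed case-insensitive)
    src: str                  # source IP address as a string


def parse_request(raw: str, src: str) -> Request:
    """Split the request line and headers of an RTSP/SIP message."""
    lines = raw.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, url, headers, src)


def header_value_expr(expr: str) -> str:
    """Header Value (Bytes): at most 255 characters; a value containing
    spaces is entered in quotes, which are not part of the expression."""
    if len(expr) > 255:
        raise ValueError("Header Value (Bytes) is limited to 255 characters")
    if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
        return expr[1:-1]
    return expr


@dataclass
class MatchCondition:
    header_map: Dict[str, str] = field(default_factory=dict)  # name -> expression
    url_expr: Optional[str] = None      # RTSP URL row: regular expression
    method_expr: Optional[str] = None   # RTSP URL row: exact method string
    source: Optional[str] = None        # "addr/netmask" (IPv4) or "addr/prefixlen" (IPv6)

    def matches(self, req: Request) -> bool:
        # Every header in the header map must be present and its value must
        # match; a single miss fails the whole condition.
        for name, expr in self.header_map.items():
            value = req.headers.get(name.lower())
            if value is None or not re.search(header_value_expr(expr), value):
                return False
        # Method Expr is compared exactly, standard method name or not.
        if self.method_expr is not None and req.method != self.method_expr:
            return False
        # URL Expr is applied to whatever follows the method, so an expression
        # anchored at "/" will not match a URL that carries the host name.
        if self.url_expr is not None and not re.search(self.url_expr, req.url):
            return False
        # Source Address: ipaddress accepts both a dotted netmask and a prefix
        # length, and an IPv4 address is never inside an IPv6 network.
        if self.source is not None:
            net = ipaddress.ip_network(self.source, strict=False)
            if ipaddress.ip_address(req.src) not in net:
                return False
        return True


if __name__ == "__main__":
    rtsp = parse_request(SAMPLE_RTSP, "198.51.100.7")
    cond = MatchCondition(header_map={"User-Agent": '"Example Player.*"'},
                          url_expr="/stream/track[0-9]+", method_expr="SETUP",
                          source="198.51.100.0/255.255.255.0")
    print("RTSP SETUP matches:", cond.matches(rtsp))
    print("URL Expr anchored at /:", MatchCondition(url_expr="^/stream").matches(rtsp))
```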
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Special Characters for Matching String Expressions
Table 14-33 identifies the special characters that can be used in matching string expressions.

Table 14-33 Special Characters for Matching String Expressions

Convention       Description
.                One of any character.
.*               Zero or more of any character.
\.               Period (escaped).
\xhh             Non-printable character.
[charset]        Match any single character from the range.
[^charset]       Do not match any character in the range. All other characters represent themselves.
()               Expression grouping.
expr1 | expr2    OR of expressions.
(expr)*          0 or more of expression.
(expr)+          1 or more of expression.
.\a              Alert (ASCII 7).
.\b              Backspace (ASCII 8).
.\f              Form-feed (ASCII 12).
.\n              New line (ASCII 10).
.\r              Carriage return (ASCII 13).
.\t              Tab (ASCII 9).
.\v              Vertical tab (ASCII 11).
.\0              Null (ASCII 0).
.\\              Backslash.
.\x##            Any ASCII character as specified in two-digit hexadecimal notation.

Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
• Configuring Rules and Actions for Policy Maps, page 14-34
Configuring Action Lists
An action list is a named group of actions that you associate with a Layer 7 policy map. The ACE
supports the following types of action lists:
• An HTTP optimization action list groups a series of individual application acceleration and
optimization operations that you want the ACE to perform. The HTTP optimization action list is
associated with a Layer 7 HTTP optimization policy map (see the “Setting Policy Map Rules and
Actions for Layer 7 HTTP Optimization” section on page 14-57).
• An HTTP header modify action list performs the following operations:
– Groups a series of individual functions to insert, rewrite, or delete HTTP headers.
– Configures the SSL URL rewrite function.
– Inserts SSL session parameters, client certificate fields, and server certificate fields into the
HTTP requests that the ACE receives over the connection.
The HTTP header action list is associated with a Layer 7 server load-balancing policy map (see the
“Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic” section on
page 14-61).
Table 14-34 lists the action lists that you can configure using the ACE.
Table 14-34 Action Lists

Action List                       Topic
Optimization Action List          Configuring an HTTP Optimization Action List, page 15-3
HTTP Header Modify Action List    Configuring an HTTP Header Modify Action List, page 14-85

Configuring an HTTP Header Modify Action List
An HTTP header modify action list groups a series of individual functions to insert, rewrite, or delete
HTTP headers. It can also be used to configure the SSL URL rewrite function.
This section includes the following topics:
• Configuring HTTP Header Insertion, Deletion, and Rewrite, page 14-85
• Configuring SSL URL Rewrite, page 14-88
• Configuring SSL Header Insertion, page 14-89
Configuring HTTP Header Insertion, Deletion, and Rewrite
You can configure an HTTP header modify action list that inserts, rewrites, or deletes HTTP headers.
Procedure
Step 1 Choose Config > Devices > context > Expert > HTTP Header Modify Action Lists.
The HTTP Header Modify Action Lists table appears.
Step 2 In the HTTP Header Modify Action Lists table, click Add to add a new action list, or choose an existing
action list and click Edit to modify it.
Step 3 For a new action list, in the Action List Name field, enter a unique name for the action list.
Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Click Deploy
Now when completed to save the configuration and display the editing tabs.
Step 4 Click the Header Action tab.
The Header Action table appears.
Step 5 In the Header Action table, click Add to add a new entry to the table.
The Header Action configuration window appears. Enter the required information as shown in
Table 14-35.
Table 14-35 Header Action Configuration Window Fields

Operator
    HTTP header modify action that the ACE is to take in an HTTP request from a client, a response from
    a server, or both. Choices are as follows:
    • Delete—Deletes an HTTP header in a request from a client, in a response from a server, or both.
    • Insert—Insert a header name and value in an HTTP request from a client, a response from a server,
      or both. When the ACE uses Network Address Translation (NAT) to translate the source IP address
      of a client to a VIP, servers need a way to identify that client for the TCP and IP return traffic. To
      identify a client whose source IP address has been translated using NAT, you can instruct the ACE
      to insert a generic header and string value of your choice in the client HTTP request.
    • Rewrite—Rewrite an HTTP header in request packets from a client, response packets from a
      server, or both.
Direction
    HTTP header modify action that the ACE is to take with respect to the selected operator (Insert, Delete,
    or Rewrite). Choices are as follows:
    Insert:
    • Both—Specifies that the ACE insert an HTTP header in both HTTP request packets and response
      packets.
    • Request—Specifies that the ACE insert an HTTP header only in HTTP request packets from
      clients.
    • Response—Specifies that the ACE insert an HTTP header only in HTTP response packets from
      servers.
    Delete:
    • Both—Specifies that the ACE delete the header in both HTTP request packets and response
      packets.
    • Request—Specifies that the ACE delete the header only in HTTP request packets from clients.
    • Response—Specifies that the ACE delete the header only in HTTP response packets from servers.
    Rewrite:
    • Both—Specifies that the ACE rewrite an HTTP header string in both HTTP request packets and
      response packets.
    • Request—Specifies that the ACE rewrite an HTTP header string only in HTTP request packets
      from clients.
    • Response—Specifies that the ACE rewrite an HTTP header string only in HTTP response packets
      from servers.
Header Name
    Identifier of an HTTP header. Enter an unquoted text string with a maximum of 255 alphanumeric
    characters.
Header Value
    Value of the HTTP header that you want to insert or replace in request packets, response packets, or
    both. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters.
    You can also use the following dynamic replacement strings:
    • %is—Inserts the source IP address in the HTTP header
    • %id—Inserts the destination IP address in the HTTP header
    • %ps—Inserts the source port in the HTTP header
    • %pd—Inserts the destination port in the HTTP header
    The ACE supports regular expressions for matching. To include spaces in the string, enclose the entire
    string in quotes. All headers in the header map must be matched. See Table 14-33 for a list of the
    supported characters that you can use in regular expressions.
Replace
    Pattern string that you want to substitute for the header value regular expression. For dynamic
    replacement of the first and second parenthesized expressions from the header value, use %1 and %2,
    respectively.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to save your entries.
Related Topics
Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61,
Table 14-26
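As an added worked example (not code from this guide or from the ACE software), the following Python script models the Insert, Delete and Rewrite operators of Table 14-35 over a list of request and response headers, including the %is/%id/%ps/%pd dynamic replacement strings of the Header Value field and the %1/%2 back-references of the Replace field. The action list, the connection metadata and the header lists are constructed for the example, and the ACE regular-expression dialect is approximated with Python's re module; the Insert entry reproduces the NAT use case described under Operator, where the server learns the translated client's address from a header the ACE adds.

```python
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed connection metadata standing in for what the ACE knows about the
# flow; these values feed the %is, %id, %ps and %pd dynamic replacement strings.
SAMPLE_CONN = {"is": "198.51.100.23", "id": "203.0.113.10", "ps": "51234", "pd": "80"}

# Constructed action list. Keys mirror the Header Action window fields
# (Operator, Direction, Header Name, Header Value, Replace).
SAMPLE_ACTION_LIST = [
    # NAT use case from the guide: tell the server which client the VIP is fronting.
    {"operator": "insert", "direction": "request",
     "header_name": "X-Client-IP", "header_value": "%is:%ps"},
    # Do not leak the origin server software to clients.
    {"operator": "delete", "direction": "response", "header_name": "Server"},
    # Rewrite the public Host name to the internal farm name; %1 is the first
    # parenthesized group of the Header Value regular expression.
    {"operator": "rewrite", "direction": "both", "header_name": "Host",
     "header_value": r"^www\.(.*)\.com$", "replace": "%1.farm.internal"},
]


def expand_dynamic(value: str, conn: Dict[str, str]) -> str:
    """Substitute %is, %id, %ps and %pd with the connection's addresses and ports."""
    return re.sub(r"%(is|id|ps|pd)", lambda m: conn[m.group(1)], value)


def ace_replace_to_python(replace: str) -> str:
    """Translate an ACE Replace pattern (%1, %2) into Python back-references (\\1, \\2)."""
    return re.sub(r"%([12])", r"\\\1", replace)


def applies(action: dict, direction: str) -> bool:
    """Direction is 'request' or 'response'; 'both' matches either."""
    return action["direction"] in ("both", direction)


def apply_action_list(actions, direction: str, headers: List[Header], conn) -> List[Header]:
    """Run every matching action over a header list, preserving header order.

    Assumption: Rewrite substitutes the matched portion of the header value
    (Python re.sub semantics) for every header carrying the configured name.
    """
    result: List[Header] = list(headers)
    for action in actions:
        if not applies(action, direction):
            continue
        name = action["header_name"].lower()
        op = action["operator"]
        if op == "delete":
            result = [(n, v) for n, v in result if n.lower() != name]
        elif op == "insert":
            result.append((action["header_name"], expand_dynamic(action["header_value"], conn)))
        elif op == "rewrite":
            pattern = re.compile(action["header_value"])
            repl = ace_replace_to_python(action["replace"])
            result = [(n, pattern.sub(repl, v) if n.lower() == name else v) for n, v in result]
        else:
            raise ValueError(f"unknown operator {op!r}")
    return result


def demo():
    """Constructed request/response header sets passed through the action list."""
    request = [("Host", "www.acme.com"), ("User-Agent", "curl/8.0")]
    response = [("Server", "Apache/2.4"), ("Content-Type", "text/html")]
    return (apply_action_list(SAMPLE_ACTION_LIST, "request", request, SAMPLE_CONN),
            apply_action_list(SAMPLE_ACTION_LIST, "response", response, SAMPLE_CONN))


if __name__ == "__main__":
    req, resp = demo()
    print("to server:", req)
    print("to client:", resp)
```

Because the inserted client-identification header is only meaningful if the server cannot receive it from anyone but the ACE, a practitioner pairs the Insert with a Delete of the same header name in the request direction, so a client-supplied copy never reaches the server; the script above would do that by adding one more delete entry ahead of the insert.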
Configuring SSL URL Rewrite
You can configure an HTTP header modify action list that performs SSL URL rewrite.
When a client sends encrypted traffic to the ACE in an SSL termination configuration, the ACE
terminates the SSL traffic and then sends clear text to the server. Because the server is unaware of the
encrypted traffic flowing between the client and the ACE, the server may return to the client a URL in
the Location header of HTTP redirect responses (301: Moved Permanently or 302: Found) in the form
http://www.cisco.com instead of https://www.cisco.com. In this case, the client makes a request to the
unencrypted insecure URL, even though the original request was for a secure URL. Because the client
connection changes to HTTP, the requested data may not be available from the server using a clear text
connection.
To solve this problem, the ACE provides SSL URL rewrite, which changes the redirect URL from http://
to https:// in the Location response header from the server before sending the response to the client. By
using URL rewrite, you can avoid nonsecure HTTP redirects. All client connections to the web server
will be SSL, ensuring the secure delivery of HTTPS content back to the client. The ACE uses regular
expression matching to determine whether the URL needs rewriting. If a Location response header
matches the specified regular expression, the ACE rewrites the URL. In addition, the ACE provides
parameters to add or change the SSL and the clear port numbers.
Procedure
Step 1 Choose Config > Devices > context > Expert > HTTP Header Modify Action Lists.
The HTTP Header Modify Action Lists table appears.
Step 2 In the HTTP Header Modify Action Lists table, click Add to add a new action list, or choose an existing
action list and click Edit to modify it.
Step 3 For a new action list, in the Action List Name field enter a unique name for the action list.
Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Click Deploy
Now when completed to save the configuration and display the editing tabs.
Step 4 Click the SSL Action tab.
The SSL Action table appears.
Step 5 In the SSL Action table, click Add to add a new entry to the SSL Action table.
The SSL Action configuration window appears. Enter the required information as shown in Table 14-36.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to save your entries.
Related Topics
• Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61,
Table 14-26
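The Location-header rewrite described in this section, as an added example that is not part of the guide or of the ACE software: the function matches the URL Expression against the host part of the redirect only (the guide requires a pure URL with no port or path), replaces http:// with https://, and translates the Clear Port to the SSL Port. The origin-server redirect is constructed for the example. Two points are assumptions rather than documented behaviour: the host must be matched by the expression in full, and a redirect on a port other than the configured clear port is left alone. Python's re module stands in for the ACE regex dialect.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

Header = Tuple[str, str]


def ssl_url_rewrite(location: str, url_regex: str, ssl_port: int = 443, clear_port: int = 80) -> str:
    """Rewrite an http:// Location value to https:// when its host matches url_regex.

    url_regex is the pure-host expression from the URL Expression field (for
    example www\\.cisco\\.com); it is matched against the host only, so port and
    path never influence the decision. A redirect on the configured clear port
    (explicit, or the implicit default 80) has it replaced by ssl_port, with 443
    left implicit. Assumptions: the expression must cover the whole host name,
    and a URL on any other port is returned unchanged.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location  # already https, or not a URL this feature handles
    host = parts.hostname or ""
    if re.fullmatch(url_regex, host) is None:
        return location  # host does not match the URL Expression
    port = parts.port if parts.port is not None else 80
    if port != clear_port:
        return location
    netloc = host if ssl_port == 443 else f"{host}:{ssl_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_redirect(status: int, headers: List[Header], url_regex: str,
                     ssl_port: int = 443, clear_port: int = 80) -> List[Header]:
    """Apply ssl_url_rewrite to the Location header of a 301/302 server response.

    Other statuses pass through untouched, as do all non-Location headers.
    """
    if status not in (301, 302):
        return list(headers)
    return [
        (n, ssl_url_rewrite(v, url_regex, ssl_port, clear_port) if n.lower() == "location" else v)
        for n, v in headers
    ]


def demo() -> List[Header]:
    """Constructed origin-server redirect as the ACE sees it after SSL termination."""
    response = [("Location", "http://www.cisco.com/login?next=%2Fhome"),
                ("Content-Length", "0")]
    return rewrite_redirect(302, response, r"www\.cisco\.com")


if __name__ == "__main__":
    print(demo())
```

Escaping the dots in the expression matters: an unescaped `www.cisco.com` would also match a host such as `wwwXciscoYcom`, which is why the guide's own example writes `www\.cisco\.com`.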
Table 14-36 SSL Action Configuration Window Fields

URL Expression
    Field that specifies the rewriting of the URL in the Location response header based on a URL
    regular expression match. If the URL in the Location header matches the URL regular expression
    string that you specify, the ACE rewrites the URL from http:// to https:// and rewrites the port
    number. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric
    characters. Alternatively, you can enter a text string with spaces if you enclose the entire string in
    quotation marks (“).
    The location regex that you enter must be a pure URL (for example, www\.cisco\.com) with no
    port or path designations. To match a port, use the SSL Port and Clear Port parameters. If you need
    to match a path, use the HTTP header rewrite feature to rewrite the string. For information about
    the HTTP header rewrite feature, see the “Configuring HTTP Header Insertion, Deletion, and
    Rewrite” section on page 14-85.
    The ACE supports regular expressions for matching. To include spaces in the string, enclose the
    entire string in quotes. All headers in the header map must be matched. See Table 14-33 for a list
    of the supported characters that you can use in regular expressions.
SSL Port
    SSL port number from which the ACE translates a clear port number before sending the server
    redirect response to the client. Enter a value from 1 to 65535. The default is 443.
Clear Port
    Clear port number to which the ACE translates the SSL port number before sending a server
    redirect response to the client. Enter a value from 1 to 65535. The default is 80.

Configuring SSL Header Insertion
Note This option is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of
either device type.
You can configure an HTTP header modify action list that performs SSL header insertion.
When a client sends encrypted traffic to the ACE in an SSL termination configuration, the ACE
terminates the SSL traffic and then sends clear text to the server, which is unaware of the encrypted
traffic flowing between the client and the ACE. Using an action list associated with a Layer 7 HTTP
load-balancing policy map, you can instruct the ACE to perform SSL HTTP header insertion. The ACE
provides the server with the following SSL session information by inserting HTTP headers into the
HTTP requests that it receives over the connection:
• Session Parameters—SSL session parameters that the ACE and client negotiate during the SSL
handshake.
• Server Certificate Fields—Information regarding the SSL server certificate that resides on the ACE.
• Client Certificate Fields—Information regarding the SSL client certificate that the ACE retrieves
from the client when you configure the ACE to perform client authentication.
Note To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that match one of the
headers that it is going to insert into the HTTP request.
By default, the ACE inserts the SSL header information only into the first HTTP request that it receives
over the connection. When the ACE and client need to renegotiate their connection, the ACE updates the
HTTP header information that it sends to the server to reflect the new session parameters. You can also
instruct the ACE to insert the session information into every HTTP request that it receives over the
connection by creating an HTTP parameter map with either the Header Modify Per-Request or HTTP
Persistence Rebalance options enabled (see the “Configuring HTTP Parameter Maps” section on
page 10-9).
Note The maximum amount of data that the ACE can insert is 512 bytes. The ACE truncates the data if it
exceeds this limit.
Procedure
Step 1 Choose Config > Devices > context > Expert > HTTP Header Modify Action Lists.
The HTTP Header Modify Action Lists table appears.
Step 2 In the HTTP Header Modify Action Lists table, do one of the following:
• To add a new action list, click Add. In the Action List Name field, enter a unique name for the action
list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Click
Deploy Now when completed to save the configuration and display the editing tabs.
• To edit an existing action list, choose the action list and click Edit to display the editing tabs.
Step 3 Click the SSL Header Insert tab.
The SSL Header Insert table appears.
Step 4 In the SSL Header Insert table, click Add to add a new entry to the SSL Header Insert table.
The SSL Header Insert configuration window appears. Enter the required information as shown in
Table 14-37.
Table 14-37 SSL Action Configuration Window Fields

Request
    Type of SSL header information to insert into the HTTP request:
    • Client-Certificate—Information about the client certificate that the ACE retrieves from the
      client.
    • Server-Certificate—Information about the server certificate that resides on the ACE.
    • Session—Information about the session parameters that the ACE and client negotiated during the
      SSL handshake.
Algorithm
    Field that appears only when the Request field is set to either Client-Certificate or Server-Certificate.
    Specify the following certificate field information to insert into the HTTP request:
    • Authority-Key-Id—X.509 authority key identifier.
    • Basic-Constraints—X.509 basic constraints.
    • Certificate-Version—X.509 certificate version.
    • Data-Signature-Algorithm—X.509 hashing and encryption method.
    • Fingerprint-SHA1—SHA1 hash of the certificate.
    • Issuer—X.509 certificate issuer's distinguished name.
    • Issuer-CN—X.509 certificate issuer's common name.
    • Not-After—Date after which the certificate is not valid.
    • Not-Before—Date before which the certificate is not valid.
    • Public-Key-Algorithm—Algorithm used for the public key.
    • RSA-Exponent—Public RSA exponent.
    • RSA-Modulus—RSA algorithm modulus.
    • RSA-Modulus-Size—Size of the RSA public key.
    • Serial-Number—Certificate serial number.
    • Signature—Certificate signature.
    • Signature-Algorithm—Certificate signature algorithm.
    • Subject—X.509 subject's distinguished name.
    • Subject-CN—X.509 subject's common name.
    • Subject-Key-Id—X.509 subject key identifier.
    For more information, see the Cisco Application Control Engine Module SSL Configuration Guide.
CipherKey
    Field that appears only when the Request field is set to Session. Indicate the following session
    parameters to insert into the HTTP request:
    • Cipher-Key-Size—Symmetric cipher key size.
    • Cipher-Name—Symmetric cipher suite name.
    • Cipher-Use-Size—Symmetric cipher use size.
    • Id—SSL Session ID. The default is 0.
    • Protocol-Version—Version of SSL or TLS.
    • Step-Up—Use of SGC or StepUp cryptography to increase the level of security by using 128-bit
      encryption.
    • Verify-Result—SSL session verify result. Possible values are as follows:
      – ok—The SSL session is established.
      – certificate is not yet valid—The client certificate is not yet valid.
      – certificate is expired—The client certificate has expired.
      – bad key size—The client certificate has a bad key size.
      – invalid not before field—The client certificate notBefore field is in an unrecognized format.
      – invalid not after field—The client certificate notAfter field is in an unrecognized format.
      – certificate has unknown issuer—The client certificate issuer is unknown.
      – certificate has bad signature—The client certificate contains a bad signature.
      – certificate has bad leaf signature—The client certificate contains a bad leaf signature.
      – unable to decode issuer public key—The ACE is unable to decode the issuer public key.
      – unsupported certificate—The client certificate is not supported.
      – certificate revoked—The client certificate has been revoked.
      – internal error—An internal error exists.
    For more information, see the Cisco Application Control Engine Module SSL Configuration Guide.
Value
    Field that appears only when the Request field is set to either Client-Certificate or Server-Certificate.
    Choose one of the following options:
    • N/A—Specifies that the selected algorithm or cipher key is inserted without adding a prefix to it
      or renaming it.
    • Prefix—Enables you to specify a prefix string to place before the specified certificate or session
      field name. For example, if you specify the prefix Acme-SSL for the SSL session field name
      Cipher-Name, then the field name becomes Acme-SSL-Session-Cipher-Name.
    • Rename—Enables you to specify a new name for the specified certificate or session field name.
Prefix
    Field that appears only when the Value field is set to Prefix. Enter a quoted text string to place before
    the specified certificate or session field name. The maximum combined number of prefix string and
    field name characters that the ACE permits is 32.
Rename
    Field that appears only when the Value field is set to Rename. Enter a new name for the specified
    certificate or session field name. The name must be an unquoted text string with no spaces. The
    maximum number of field name string characters that the ACE permits is 32.
Step 5 Repeat Step 4 for each certificate field or session parameter that you want the ACE to insert.
Step 6 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to deploy your entries and to add another entry to the SSL Header Insert table.
Related Topics
Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61,
Table 14-26
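As an added example (not code from this guide or from the ACE software), the following Python script models what the server ends up receiving when SSL header insertion is configured as described above: the ACE first drops any incoming header whose name collides with one it is about to insert (the anti-spoofing rule in the Note), builds the header names according to the Value field (N/A, Prefix with the 32-character limit, Rename), inserts only on the first request of a connection unless per-request insertion is enabled, and stops at the 512-byte limit. The session and certificate data, the SSL Header Insert entries and the client request are all constructed; the default header name form <Request>-<Field> is inferred from the guide's Acme-SSL-Session-Cipher-Name example, and how exactly the ACE truncates at the limit is an assumption.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]
MAX_INSERT_BYTES = 512  # limit stated in the guide; data beyond it is truncated

# Constructed SSL session and client-certificate data standing in for what the
# ACE learned during the handshake (a real implementation reads it from the TLS stack).
SAMPLE_SESSION = {
    "Session": {"Cipher-Name": "AES256-SHA", "Cipher-Key-Size": "256",
                "Protocol-Version": "TLSv1", "Verify-Result": "ok"},
    "Client-Certificate": {"Subject-CN": "alice.example", "Serial-Number": "0A1B2C",
                           "Not-After": "Dec 31 23:59:59 2013 GMT"},
}

# Constructed SSL Header Insert entries (Request, Algorithm/CipherKey field, Value, Prefix/Rename).
SAMPLE_INSERTS = [
    {"request": "Session", "field": "Cipher-Name", "value": "Prefix", "prefix": "Acme-SSL"},
    {"request": "Session", "field": "Verify-Result", "value": "N/A"},
    {"request": "Client-Certificate", "field": "Subject-CN", "value": "Rename", "rename": "X-Client-CN"},
    {"request": "Client-Certificate", "field": "Serial-Number", "value": "N/A"},
]


def header_name(entry: dict) -> str:
    """Build the inserted header name from the Value/Prefix/Rename settings.

    Assumption: the default name is <Request>-<Field>; the guide's example turns
    Cipher-Name with prefix Acme-SSL into Acme-SSL-Session-Cipher-Name.
    """
    base = f"{entry['request']}-{entry['field']}"
    mode = entry.get("value", "N/A")
    if mode == "Prefix":
        name = f"{entry['prefix']}-{base}"
    elif mode == "Rename":
        name = entry["rename"]
    else:
        return base
    if len(name) > 32:  # the 32-character limit applies to Prefix and Rename
        raise ValueError(f"header name {name!r} exceeds the 32-character limit")
    return name


def insert_ssl_headers(request_headers: List[Header], inserts: List[dict],
                       session: Dict[str, Dict[str, str]],
                       first_request: bool = True, per_request: bool = False):
    """Return (headers the server sees, client headers dropped as spoofing attempts).

    Only the first request of a connection is decorated unless per_request is set
    (the Header Modify Per-Request parameter-map option). Fields missing from the
    session, such as certificate fields when no client certificate was presented,
    are skipped.
    """
    if not (first_request or per_request):
        return list(request_headers), []
    planned: List[Header] = []
    for entry in inserts:
        value = session.get(entry["request"], {}).get(entry["field"])
        if value is not None:
            planned.append((header_name(entry), value))
    # Anti-spoofing: a client-supplied header with one of these names is removed first.
    names = {n.lower() for n, _ in planned}
    kept = [(n, v) for n, v in request_headers if n.lower() not in names]
    dropped = [(n, v) for n, v in request_headers if n.lower() in names]
    # Enforce the 512-byte budget over the "Name: value\r\n" lines that get inserted.
    budget = MAX_INSERT_BYTES
    inserted: List[Header] = []
    for n, v in planned:
        line = f"{n}: {v}\r\n".encode()
        if len(line) > budget:
            room = budget - len(f"{n}: \r\n".encode())
            if room > 0:  # assumption: the value crossing the limit is cut short
                inserted.append((n, v.encode()[:room].decode(errors="ignore")))
            break
        inserted.append((n, v))
        budget -= len(line)
    return kept + inserted, dropped


def demo():
    """Constructed first request carrying a forged Session-Verify-Result header."""
    request = [("Host", "app.example"), ("Session-Verify-Result", "ok"), ("Accept", "*/*")]
    return insert_ssl_headers(request, SAMPLE_INSERTS, SAMPLE_SESSION)


if __name__ == "__main__":
    headers, dropped = demo()
    print("to server:", headers)
    print("dropped:", dropped)
```

The forged Session-Verify-Result in the constructed request is the case the Note is about: without the deletion step, a client could claim a successful certificate check on a plain TLS connection, so the server must only ever see the ACE's own copy of that header.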
Chapter 15 Configuring Application Acceleration and Optimization
Date: 3/28/12
With application acceleration and optimization features on ACE appliances, you can configure
application delivery and application acceleration options that increase productivity and efficiency. The
application acceleration features optimize network performance and improve access to critical business
information. This capability accelerates the performance of Web applications, including customer
relationship management, portals, and online collaboration by up to 10 times.
Note Application acceleration performance on the ACE appliance is 50 to 100 Mbps throughput. With typical
page sizes and browser usage patterns, this equates to roughly 1,000 concurrent connections. Subsequent
connections bypass the application acceleration engine. This limitation applies only to traffic that is
explicitly configured to receive application acceleration processing (for example, FlashForward, Delta
Optimization). Traffic that is not configured to receive application acceleration processing is not subject
to these limitations. Also, because the ACE HTTP compression is implemented separately in hardware,
it is not subject to these limitations. For example, if you have a mix of application-accelerated and
non-application-accelerated traffic, the former is limited; the latter is not. If you have 50 Mbps of
application-accelerated traffic, the ACE can still deliver up to 1.9 Gbps throughput for the
non-application-accelerated traffic.
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Optimization Overview, page 15-2
• Optimization Traffic Policies and Typical Configuration Flow, page 15-2
• Configuring an HTTP Optimization Action List, page 15-3
• Configuring Optimization Parameter Maps, page 15-6
• Configuring Traffic Policies for HTTP Optimization, page 15-6
• Enabling HTTP Optimization Using Virtual Servers, page 15-9
• Configuring Global Application Acceleration and Optimization, page 15-9
Optimization Overview
The application acceleration functions of the ACE appliance apply several optimization technologies to
accelerate application performance. This functionality enables enterprises to optimize network
performance and improve access to critical business information.
The ACE appliance provides the following application acceleration and optimization functionality:
• Delta optimization eliminates redundant traffic on the network by computing and transmitting only
the changes that occur in a Web page between successive downloads of the same page or similar
pages.
• FlashForward object acceleration technology eliminates network delays associated with cacheable
embedded Web objects, such as images, style sheets, and JavaScript files, by placing the responsibility
for validating object freshness on the ACE appliance rather than on the client, making the client more
efficient.
• Just-in-time object acceleration enables acceleration of non-cacheable embedded objects, resulting
in improved application response time by eliminating the need for clients to download these objects
on each request.
• Adaptive dynamic caching accelerates enterprise application performance and improves server
system scalability by enabling the ACE appliance itself to fulfill requests for dynamic content,
which offloads application servers and databases.
Refer to Configuring Application Acceleration and Optimization, page 15-1 or the Cisco 4700 Series
Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide
for more information about application acceleration and optimization.
Related Topics
• Optimization Traffic Policies and Typical Configuration Flow, page 15-2
• Configuring Traffic Policies for HTTP Optimization, page 15-6
• Configuring Global Application Acceleration and Optimization, page 15-9
Optimization Traffic Policies and Typical Configuration Flow
To define the different optimization and application acceleration functions that you want the ACE
appliance to perform, you must configure at least one each of the following:
• HTTP optimization action list—This action list specifies the actions that the ACE is to perform for
application acceleration and optimization. You can configure action lists when configuring a virtual
server, or as a separate procedure. See:
– Configuring Application Acceleration and Optimization, page 7-53
– Configuring an HTTP Optimization Action List, page 15-3
• Layer 7 server load-balancing class map—This class map identifies the Layer 7 server
load-balancing match criteria to apply to incoming traffic, such as URL, HTTP cookie, HTTP
header, or source IP address. See Configuring Virtual Context Policy Maps, page 14-32
• Layer 7 HTTP optimization policy map—This policy map applies the HTTP optimization action list
and optionally an optimization parameter map to Layer 7 HTTP traffic. See Configuring Virtual
Context Policy Maps, page 14-32.
• Layer 3 and Layer 4 class map—By using match criteria, this class map identifies the network traffic
that can pass through the ACE appliance. The match criteria includes the VIP address for the
network traffic. The ACE appliance uses these Layer 3 and Layer 4 traffic classes to perform server
load balancing. See Configuring Virtual Context Policy Maps, page 14-32.
• Layer 3 and Layer 4 policy map—This policy map associates server load-balancing actions and
HTTP optimization action lists with the VIP. See Setting Policy Map Rules and Actions for Layer
3/Layer 4 Network Traffic, page 14-41 and Configuring Traffic Policies for HTTP Optimization,
page 15-6.
• Layer 7 server load-balancing policy map—This policy map specifies the server load-balancing
actions that the ACE appliance is to perform. See Configuring Virtual Context Policy Maps,
page 14-32.
You can also configure:
• Optimization parameter maps—Optimization parameter maps allow you to configure specific
options for action list items. You can configure optimization parameter maps when configuring a
virtual server or as a separate procedure.
When you configure a parameter map with an action list for a class map, the ACE appliance validates
the action list and parameter map configurations before deploying them.
See:
– Configuring Application Acceleration and Optimization, page 7-53
– Configuring Optimization Parameter Maps, page 10-12.
• Global application acceleration and optimization options—The acceleration and optimization
options allow you to apply specific acceleration and optimization features for logging and
debugging on a global level on the ACE appliance. See Configuring Global Application
Acceleration and Optimization, page 15-9.
Related Topics
• Configuring Traffic Policies for HTTP Optimization, page 15-6
• Optimization Overview, page 15-2
Configuring an HTTP Optimization Action List
An HTTP optimization action list groups a series of individual application acceleration and optimization
operations that you want the ACE to perform.
Use this procedure to configure an HTTP optimization action list.
Tip You can also configure action lists when configuring a virtual server. For more information, see the
“Configuring Application Acceleration and Optimization” section on page 7-53.
Procedure
Step 1 Choose Config > Devices > context > Expert > Optimization Action List.
The Action List table appears.
Step 2 Click Add to add a new optimization action list, or choose an existing action list and click Edit to modify
it.
Step 3 Configure the optimization action list using the information in Table 15-1.
Table 15-1 Action List Configuration Options
Field Description
Action List Name Unique name for the action list. Valid entries are unquoted text strings with a maximum of 64
alphanumeric characters.
Enable Delta Check box that enables delta optimization for the specified URLs. Delta optimization dynamically
updates client browser caches directly with content differences, or deltas, resulting in faster page
downloads.
Uncheck the check box to disable delta optimization for the specified URLs.
Note The ACE restricts you from enabling delta optimization if you have previously specified
either Cache Dynamic or Dynamic Dynamic Entity Tag.
Enable AppScope Check box that enables AppScope performance monitoring for use with the ACE appliance.
AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station
and measures end-to-end application performance.
Uncheck the check box to disable AppScope performance monitoring for use with the ACE
appliance.
Flash Forward Feature that reduces bandwidth usage and accelerates embedded object downloading by combining
local object storage with dynamic renaming of embedded objects, thereby enforcing object
freshness within the parent HTML page.
Specify how the ACE appliance is to implement FlashForward:
• N/A—Indicates that this feature is not enabled.
• FlashForward—Indicates that FlashForward is to be enabled for the specified URLs and that
embedded objects are to be transformed.
• FlashForward Object—Indicates that FlashForward static caching is to be enabled for the
objects that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and
GIF files.
Cache Dynamic: Check box that enables Adaptive Dynamic Caching for the specified URLs even if the expiration
settings in the response indicate that the content is dynamic. The expiration of cache objects is
controlled by the cache expiration settings based on time or server load.
Uncheck the check box to disable this feature.
Note The ACE restricts you from enabling Cache Dynamic if you have previously specified
either Enable Delta or Dynamic Dynamic Entity Tag.
15-5
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 15 Configuring Application Acceleration and Optimization
Configuring an HTTP Optimization Action List
Table 15-1 Action List Configuration Options
Field Description
Cache Forward: Check box that enables the cache forward feature for the corresponding URLs. Cache forward
allows the ACE to serve the object from its cache (static or dynamic) even when the object has
expired if the maximum cache TTL time period has not yet expired (set by specifying the Cache
Time-To-Live Duration (%) field in an Optimization parameter map). At the same time, the ACE
sends an asynchronous request to the origin server to refresh its cache of the object.
Uncheck this check box to disable this feature.
Dynamic Dynamic Entity Tag: Check box that enables the acceleration of noncacheable embedded objects, which results in
improved application response time. When enabled, this feature eliminates the need for users to
download noncacheable objects on each request.
Check the check box to indicate that the ACE appliance is to implement just-in-time object
acceleration for noncacheable embedded objects.
Uncheck this check box to disable this feature.
Note The ACE restricts you from enabling Dynamic Dynamic Entity Tag if you have previously
specified either Enable Delta or Cache Dynamic.
Step 4 Do one of the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files. The ACE appliance validates the action list
configuration.
• Click Cancel to exit this procedure without saving your entries.
• Click Next to save your entries and to configure another action list.
Related Topics
• Optimization Traffic Policies and Typical Configuration Flow, page 15-2
• Configuring Optimization Parameter Maps, page 15-6
• Configuring Traffic Policies for HTTP Optimization, page 15-6
• Configuring Global Application Acceleration and Optimization, page 15-9
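As an added illustration (not ANM or ACE code), the following Python model walks through the Cache Dynamic and Cache Forward decisions that Table 15-1 describes: a response whose own headers mark it dynamic is cached only when Cache Dynamic is enabled, and an expired object is still served while its maximum cache TTL has not elapsed, with an asynchronous refresh toward the origin. The clock, URLs and TTL values are constructed, and the maximum TTL is modelled as a duration in seconds rather than the GUI's percentage field.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class CachedObject:
    url: str
    body: bytes
    stored_at: float    # when the object entered the cache (seconds, constructed clock)
    expires_at: float   # after this time the object counts as expired
    is_dynamic: bool    # the response's own expiration settings marked it dynamic


@dataclass
class OptimizationSettings:
    """The two Table 15-1 check boxes plus two assumed parameter-map values."""
    cache_dynamic: bool = False        # Cache Dynamic check box
    cache_forward: bool = False        # Cache Forward check box
    dynamic_expiration: float = 60.0   # assumed time-based expiration applied to dynamic objects
    max_cache_ttl: float = 300.0       # assumed maximum cache TTL (Cache Time-To-Live Duration)


@dataclass
class Decision:
    outcome: str        # "fresh-hit", "forward-hit" or "miss"
    fetch_origin: bool  # an origin request is made
    asynchronous: bool  # ...after the client is answered from cache, not before


class OptimizationCache:
    def __init__(self, settings: OptimizationSettings) -> None:
        self.settings = settings
        self._objects: Dict[str, CachedObject] = {}

    def store(self, url: str, body: bytes, now: float,
              expires_in: float, is_dynamic: bool) -> bool:
        """Cache a response if the settings allow it; return True when stored.

        A response marked dynamic is cached only when Cache Dynamic is enabled,
        and its expiration then comes from the cache settings, not the response.
        """
        if is_dynamic:
            if not self.settings.cache_dynamic:
                return False
            ttl = self.settings.dynamic_expiration
        else:
            ttl = expires_in
        self._objects[url] = CachedObject(url, body, now, now + ttl, is_dynamic)
        return True

    def lookup(self, url: str, now: float) -> Decision:
        """Decide how a request for url is answered at time now."""
        obj = self._objects.get(url)
        if obj is None:
            return Decision("miss", fetch_origin=True, asynchronous=False)
        if now < obj.expires_at:
            return Decision("fresh-hit", fetch_origin=False, asynchronous=False)
        # Expired: Cache Forward serves the stale copy while the maximum cache TTL
        # has not elapsed and refreshes the object from the origin in the background.
        if self.settings.cache_forward and now < obj.stored_at + self.settings.max_cache_ttl:
            return Decision("forward-hit", fetch_origin=True, asynchronous=True)
        # Beyond the maximum TTL (or Cache Forward disabled): drop it and go to the origin.
        del self._objects[url]
        return Decision("miss", fetch_origin=True, asynchronous=False)


def demo() -> Dict[str, str]:
    """Constructed walk-through of one static object under both check boxes."""
    cache = OptimizationCache(OptimizationSettings(cache_dynamic=True, cache_forward=True,
                                                   dynamic_expiration=60.0, max_cache_ttl=300.0))
    cache.store("/site.css", b"body{}", now=0.0, expires_in=100.0, is_dynamic=False)
    return {
        "t=50": cache.lookup("/site.css", now=50.0).outcome,    # fresh-hit
        "t=150": cache.lookup("/site.css", now=150.0).outcome,  # forward-hit
        "t=400": cache.lookup("/site.css", now=400.0).outcome,  # miss
    }


if __name__ == "__main__":
    for when, outcome in demo().items():
        print(when, outcome)
```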
Configuring Optimization Parameter Maps
You can configure an Optimization parameter map for use with a Layer 3/Layer 4 policy map.
Tip You can also configure optimization parameter maps when configuring a virtual server. For more
information, see the “Configuring Application Acceleration and Optimization” section on page 7-53.
Procedure
Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Optimization Parameter
Maps.
The Optimization Parameter Maps table appears.
Step 2 Click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it.
The Optimization Parameter Maps configuration window appears.
Step 3 In the Parameter Name field, enter a unique name for this parameter map.
Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.
Step 4 Configure optimization using the information in Table 10-6.
Step 5 Do one of the following:
• Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to
the running-configuration and startup-configuration files. The ACE validates the parameter map
configuration and deploys it. This option appears for virtual contexts.
• Click Cancel to exit this procedure without saving your entries and to return to the Parameter Map
table.
• Click Next to accept your entries and to add another parameter map.
Related Topics
• Optimization Traffic Policies and Typical Configuration Flow, page 15-2
• Configuring an HTTP Optimization Action List, page 15-3
• Configuring Traffic Policies for HTTP Optimization, page 15-6
• Configuring Global Application Acceleration and Optimization, page 15-9
Configuring Traffic Policies for HTTP Optimization
Table 15-2 provides a high-level overview of the steps required to configure HTTP optimization on an
ACE appliance.
Note Table 15-2 includes only the significant steps in each task. For detailed information on configuring these
items, select the links provided, click Help in the ANM GUI, or refer to Configuring Traffic Policies,
page 14-1.
Assumption
A virtual IP address has been configured for the context in which you configure HTTP optimization.
Table 15-2 Configuring Traffic Policies for HTTP Optimization
Task Procedure
Step 1 Create a Layer 7 class map for server load balancing.
a. Choose Config > Devices > context > Expert > Class Maps.
b. Click Add to add a new class map.
c. In the Class Map Type field, choose Layer 7 Server Load Balancing.
d. In the Match Type field, choose the method the ACE appliance is to use to evaluate multiple match statements when multiple match conditions exist in the class map.
e. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
f. Configure match conditions for this class map.
For more information, see:
• Configuring Virtual Context Class Maps, page 14-6
• Setting Match Conditions for Layer 7 Server Load Balancing Class Maps, page 14-14
Step 2 Create an HTTP optimization action list to specify the optimization actions that are to be performed.
a. Choose Config > Devices > context > Expert > Action Lists.
b. Click Add to add a new action list.
c. Configure the action list using the information in Table 15-1.
d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
For more information, see Configuring an HTTP Optimization Action List, page 15-3.
Step 3 Create a Layer 7 HTTP optimization policy map and associate it with the server load-balancing class map in Step 1 and the action list configured in Step 2.
a. Choose Config > Devices > context > Expert > Policy Maps.
b. Click Add to add a new policy map.
c. In the Type field, choose Layer 7 HTTP Optimization.
d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
e. In the Rules table, add the server load-balancing class map created in Step 1.
f. In the Action table, add the action list created in Step 2.
For more information, see:
• Configuring Virtual Context Policy Maps, page 14-32
• Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization, page 14-57
Step 4 Create a Layer 3/Layer 4 class map for server load balancing.
a. Choose Config > Devices > context > Expert > Class Maps.
b. Click Add to add a new class map.
c. In the Class Map Type field, choose Layer 3/4 Network Traffic.
d. In the Match Type field, choose the method the ACE appliance is to use to evaluate multiple match statements when multiple match conditions exist in the class map.
e. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
f. Configure Virtual Address match conditions for this class map.
For more information, see:
• Configuring Virtual Context Class Maps, page 14-6
• Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps, page 14-9
Step 5 Create a Layer 7 policy map for server load balancing and associate it with the Layer 7 server load-balancing class map from Step 1.
a. Choose Config > Devices > context > Expert > Policy Maps.
b. Click Add to add a new policy map.
c. In the Type field, choose Layer 7 Server Load Balancing.
d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
e. Associate the Layer 7 server load-balancing class map configured in Step 1 with this policy map by adding it to the Rule table.
For more information, see:
• Configuring Virtual Context Policy Maps, page 14-32
• Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61
Step 6 Create a Layer 3/Layer 4 network traffic policy map and associate it with the:
• Layer 3/Layer 4 server load-balancing class map configured in Step 4
• Layer 7 server load-balancing policy map configured in Step 5
• HTTP optimization policy map configured in Step 3
a. Choose Config > Devices > context > Expert > Policy Maps.
b. Click Add to add a new policy map.
c. In the Type field, choose Layer 3/4 Network Traffic.
d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
e. In the Rule table, add the Layer 3/Layer 4 server load-balancing class map configured in Step 4.
f. In the Action table, add the:
– Layer 7 server load-balancing policy map created in Step 5
– HTTP optimization policy map created in Step 3
For more information, see:
• Configuring Virtual Context Policy Maps, page 14-32
• Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic, page 14-41
Related Topics
• Optimization Traffic Policies and Typical Configuration Flow, page 15-2
• Configuring an HTTP Optimization Action List, page 15-3
• Optimization Overview, page 15-2
Enabling HTTP Optimization Using Virtual Servers
You can configure HTTP optimization using virtual servers.
Procedure
Step 1 Create a virtual server by following the instructions in the “Configuring Virtual Servers” section on
page 7-2.
Step 2 Configure HTTP optimization by following the instructions in the “Configuring Application Acceleration
and Optimization” section on page 7-53.
Related Topics
• Configuring Traffic Policies for HTTP Optimization, page 15-6
• Optimization Traffic Policies and Typical Configuration Flow, page 15-2
Configuring Global Application Acceleration and Optimization
Note This functionality is available for Admin contexts only and only on ACE appliances.
ANM allows you to configure global application acceleration and optimization options for logging and
debugging as performed by the ACE appliance.
Procedure
Step 1 Choose Config > Virtual Contexts > admin_context > System > Application Acceleration And
Optimization. The Application Acceleration And Optimization configuration window appears.
Step 2 In the Debug Level field, enter the maximum level of system log messages to be sent to the syslog server,
using the values in Table 6-5. The severity level that you specify indicates that you want syslog messages
at that level and the more severe levels. For example, if you enter 3 for Error, syslog displays Error,
Critical, Alert, and Emergency messages.
Step 3 Check the AppScope Log check box to indicate that the ACE appliance is to upload optimization
statistical log information to the optional AVS 3180A Management station. Clear the check box to
indicate that the ACE appliance is not to upload this information.
Step 4 Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the
running-configuration and startup-configuration files.
Related Topics
• Optimization Overview, page 15-2
• Optimization Traffic Policies and Typical Configuration Flow, page 15-2
CHAPTER 16
Using Configuration Building Blocks
Date: 3/28/12
Note Beginning with ANM software Version 5.1, the building block feature is hidden by default. If you have
used the building block feature in the past and want to continue using it after upgrading to ANM 5.1,
you must enable it (see the “Enabling the Building Block Feature” section on page 16-5).
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
Building blocks allow authorized users to create and design reusable configuration attributes that can
then be applied to virtual contexts. The ANM also allows you to extract the configuration of an existing
virtual context and tag it as a building block.
In many cases, the same configuration settings can be used in several virtual contexts (for example, when
the same service bundle is offered to many customers). To avoid repeating virtual context configuration
and testing each time you create a virtual context, you can create a building block of many configuration
attributes that can be applied to virtual contexts as appropriate or as needed.
With building blocks, you can also create a variety of configurations that address customers’ differing
needs. The ability to customize configurations to customer needs also allows you to use network
resources most efficiently.
Benefits of configuration building blocks include:
• You can establish baseline versions of working configurations.
• Users can make real-time changes to configurations and roll back to a previously working
configuration, if needed.
• Building blocks can be extracted from proven, working configurations.
• Building blocks can be placed under version control, with tagged versions that cannot be modified.
Table 16-1 lists the configuration options that are available for each building block type and provides
links to related topics. For descriptive information about the menu options, see “Configuring Virtual
Contexts” section on page 6-8.
Table 16-1 Building Block Configuration Options
Menu Option | Building Block Type (ACE 2.0 / ACE 4710 Appliance) | Related Topic
System | |
Primary Attributes | X X | Configuring Building Block Primary Attributes, page 16-8
Syslog | X X | Configuring Virtual Context Syslog Settings, page 6-19
SNMP | X X | Configuring SNMP for Virtual Contexts, page 6-27
Global Policies | X X | Applying a Policy Map Globally to All VLAN Interfaces, page 6-35
Licenses | |
Application Acceleration and Optimization | |
Resource Classes | |
Checkpoints | |
Backup/Restore (1) | |
Load Balancing | |
Virtual Servers | |
Real Servers | X X | Configuring Real Servers, page 8-5
Server Farms | X X | Configuring Server Farms, page 8-30
Health Monitoring | X X | Configuring Health Monitoring for Real Servers, page 8-51
Stickiness | X X | Configuring Sticky Groups, page 9-7
HTTP Parameter Map | X X | Configuring HTTP Parameter Maps, page 10-9
Connection Parameter Maps | X X | Configuring Connection Parameter Maps, page 10-3
Optimization Parameter Maps | X | Configuring Optimization Parameter Maps, page 10-12
Generic Parameter Maps | X X | Configuring Generic Parameter Maps, page 10-8
RTSP Parameter Maps | X X | Configuring RTSP Parameter Maps, page 10-20
SIP Parameter Maps | X X | Configuring SIP Parameter Maps, page 10-21
Skinny Parameter Maps | X X | Configuring Skinny Parameter Maps, page 10-23
DNS Parameter Maps | X X |
Secure KAL-AP | X X | Configuring Secure KAL-AP, page 8-77
SSL | |
Setup Sequence | |
Certificates | |
Keys | X X | Using SSL Keys, page 11-10
Parameter Maps | X X | Configuring SSL Parameter Maps, page 11-18
Chain Group Parameters | |
CSR Parameters | X X | Configuring SSL CSR Parameters, page 11-24
Proxy Service | |
Auth Group Parameters | X X | Configuring SSL Authentication Groups, page 11-31
Certificate Revocation Lists (CRL) | X X | Configuring CRLs for Client Authentication, page 11-33
Security | |
ACLs | X X | Creating ACLs, page 6-79
Object Groups | X X | Configuring Object Groups, page 6-89
Network | |
Port Channel | |
Gigabit Ethernet Interfaces | |
VLAN Interfaces | X X | Configuring Virtual Context VLAN Interfaces, page 12-6
BVI Interfaces | X X | Configuring Virtual Context BVI Interfaces, page 12-19
NAT Pools (2) | X | Configuring VLAN Interface NAT Pools, page 12-26
Static Routes | X X | Configuring Virtual Context Static Routes, page 12-28
Global IP DHCP | X X | Configuring Global IP DHCP, page 12-29
Static NAT Overwrite | X | Configuring Static VLANs for Over 8000 Static NAT Configurations, page 12-31
High Availability | |
Setup | |
HA Tracking and Failure Detection | |
Interfaces | |
Hosts | |
HSRP Groups | |
Role-Based Access Control | |
Users | X X | Configuring Device RBAC Users, page 5-53
Roles | X X | Configuring Device RBAC Roles, page 5-56
Domains | X X | Configuring Device RBAC Domains, page 5-61
Expert | |
Class Map | X X | Configuring Virtual Context Class Maps, page 14-6
Policy Map | X X | Configuring Virtual Context Policy Maps, page 14-32
HTTP Header Modify Action Lists | X X | Configuring an HTTP Header Modify Action List, page 14-85
This chapter includes the following sections:
• Information About Building Block Versions and Tagging, page 16-4
• Enabling the Building Block Feature, page 16-5
• Creating Building Blocks, page 16-5
• Extracting Building Blocks from Virtual Contexts, page 16-6
• Configuring Building Blocks, page 16-7
• Tagging Building Blocks, page 16-9
• Applying Building Blocks, page 16-9
• Displaying Building Block Use, page 16-11
Information About Building Block Versions and Tagging
The ANM maintains version history for the building blocks that you create, design, and tag. You can tag
a working building block version at any point during design or configuration, and reuse any tagged
version of a building block.
A building block is not available for deployment until it has been tagged. When you tag a building block,
the ANM publishes it with a version tag, such as 1.0 or 1.1.
You cannot edit tagged versions of a building block. After a building block is tagged, it is “frozen” and
can no longer be modified in any way. When you open a tagged building block for editing, the ANM
does not modify the tagged version, but instead creates a new working copy of the building block for you
to work in. Any changes you make to the working copy are not available for deployment until you tag
the building block under a new version tag.
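As an added example (not ANM code), the following Python model captures the versioning rules just described: edits only ever touch the working copy, tagging publishes a frozen snapshot that cannot be modified, opening a tagged version for editing yields a fresh working copy, and only tagged versions can be applied to a virtual context. The block name, attribute keys and IP address are constructed sample values, and the assumption that tags advance 1.0, 1.1, 1.2 in order is the model's, not the guide's.

```python
from types import MappingProxyType
from typing import Dict, List, Mapping


class TaggedVersionError(Exception):
    """Raised when a deployment or edit names a version that has not been tagged."""


class TaggedVersion:
    """A frozen snapshot of a building block's attributes under a version tag."""

    def __init__(self, tag: str, attributes: Dict[str, str]) -> None:
        self.tag = tag
        # A read-only view over a private copy: later edits to the working copy
        # cannot reach it, and writes through the view raise TypeError.
        self.attributes: Mapping[str, str] = MappingProxyType(dict(attributes))


class BuildingBlock:
    def __init__(self, name: str, block_type: str) -> None:
        self.name = name
        self.block_type = block_type          # e.g. "ACE4710 V 4.2" (one of the Step 4 types)
        self.working: Dict[str, str] = {}     # the editable working copy
        self.tagged: Dict[str, TaggedVersion] = {}
        self._next_minor = 0                  # assumption: tags advance 1.0, 1.1, 1.2, ...

    def set_attribute(self, key: str, value: str) -> None:
        """Edits only ever touch the working copy."""
        self.working[key] = value

    def tag(self) -> str:
        """Publish the working copy as a new frozen version; the working copy stays editable."""
        version = f"1.{self._next_minor}"
        self._next_minor += 1
        self.tagged[version] = TaggedVersion(version, self.working)
        return version

    def open_for_editing(self, version: str) -> Dict[str, str]:
        """Leave the tagged version untouched and replace the working copy with a copy of it."""
        if version not in self.tagged:
            raise TaggedVersionError(f"{version} is not a tagged version of {self.name}")
        self.working = dict(self.tagged[version].attributes)
        return self.working

    def deployable_versions(self) -> List[str]:
        """Only tagged versions can be applied to a virtual context."""
        return sorted(self.tagged)

    def apply(self, version: str, virtual_context: Dict[str, str]) -> Dict[str, str]:
        """Apply a tagged version to a virtual context's settings (a plain dict here)."""
        if version not in self.tagged:
            raise TaggedVersionError(f"{self.name} {version} has not been tagged and cannot be deployed")
        virtual_context.update(self.tagged[version].attributes)
        return virtual_context


def demo() -> Dict[str, str]:
    """Constructed walk-through: tag, edit, re-tag, and confirm 1.0 is unchanged."""
    block = BuildingBlock("web-tier", "ACE4710 V 4.2")
    block.set_attribute("syslog.server", "192.0.2.10")   # constructed sample value
    first = block.tag()                                   # "1.0"
    block.set_attribute("syslog.server", "192.0.2.11")   # edits the working copy only
    second = block.tag()                                  # "1.1"
    ctx = block.apply(second, {"name": "customer-a"})
    return {
        "first": first,
        "second": second,
        "frozen": block.tagged[first].attributes["syslog.server"],  # still 192.0.2.10
        "deployed": ctx["syslog.server"],                             # 192.0.2.11
    }


if __name__ == "__main__":
    print(demo())
```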
Related Topics
• Enabling the Building Block Feature, page 16-5
• Using Configuration Building Blocks, page 16-1
• Creating Building Blocks, page 16-5
• Extracting Building Blocks from Virtual Contexts, page 16-6
• Applying Building Blocks, page 16-9
• Tagging Building Blocks, page 16-9
• Displaying Building Block Use, page 16-11
Table 16-1 Building Block Configuration Options (continued)
Menu Option | Building Block Type (ACE 2.0 / ACE 4710 Appliance) | Related Topic
Optimization Action Lists | X | Configuring an HTTP Optimization Action List, page 15-3
Building Block Audit | |
1. Backup/Restore is only supported for software version A2(3.0) and higher for the ACE module.
2. NAT pools as a selection under Network are only supported for software version A2(3.0) and higher for the ACE module.
Enabling the Building Block Feature
Beginning with ANM software Version 5.1, the building block feature is hidden by default because it has
been replaced with the application template feature introduced in the same release. The application
template feature provides a more efficient and easier way of configuring ACE devices (see Chapter 4,
“Using Application Template Definitions”). If you have used the building block feature in the past and
want to continue using it after upgrading to ANM 5.1, you must enable it.
This procedure shows how to enable the building block feature on the ANM server and the ANM Virtual
Appliance.
Procedure
Step 1 Enable the building block feature as follows:
• ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and add the
following line:
web.buildingblocks.enable=true
• ANM Virtual Appliance—Enter the following command:
anm-property set web.buildingblocks.enable true
Step 2 Restart ANM as follows:
• ANM Server—Enter the following command:
/opt/CSCOanm/bin/anm-tool restart
• ANM Virtual Appliance—Enter the following command:
anm-tool restart
Step 3 From the ANM client devices, close all open ANM browser instances, clear the browser cache, and log
in again.
Failure to clear the browser cache after enabling the building block feature can result in the Extract
Building Block function buttons not displaying.
Creating Building Blocks
Use this procedure to create a building block without using an existing configuration.
To create a building block from an existing virtual context, see Extracting Building Blocks from Virtual
Contexts, page 16-6.
Procedure
Step 1 Choose Config > Building Blocks.
The All Building Blocks table appears.
Step 2 In the All Building Blocks table, click Add.
The New Building Block window appears.
Step 3 In the Name field of the New Building Block window, enter a unique name for this building block.
Step 4 In the Type field, choose the type of building block to create:
• ACE v1.0—Use with virtual contexts on ACE modules using the specified software version.
• ACE v2.0—Use with virtual contexts on ACE modules using the specified software version.
• ACE v2.3—Use with virtual contexts on ACE modules using the specified software version.
• ACE v4.1—Use with virtual contexts on ACE modules using the specified software version.
• ACE v4.2—Use with virtual contexts on ACE modules using the specified software version.
• ACE4710 V 1.0—Use with virtual contexts on ACE appliances using the specified software version.
• ACE4710 V 2.0—Use with virtual contexts on ACE appliances using the specified software version.
• ACE4710 V 4.1—Use with virtual contexts on ACE appliances using the specified software version.
• ACE4710 V 4.2—Use with virtual contexts on ACE appliances using the specified software version.
See Table 16-1 for a list of the available configuration options for each building block type.
Step 5 In the Description field, enter a brief description for this building block.
Step 6 Do one of the following:
• Click Save to save your entries and to continue with building block configuration. The Primary
Attributes configuration window appears.
• Click Cancel to exit this procedure without saving your entries and to return to the All Building
Blocks table.
• Click Tag to save your entries and tag the building block. After you tag a building block, the window
refreshes and provides fields for applying the building block. For more information, see Applying
Building Blocks, page 16-9.
Related Topics
• Enabling the Building Block Feature, page 16-5
• Using Configuration Building Blocks, page 16-1
• Extracting Building Blocks from Virtual Contexts, page 16-6
• Information About Building Block Versions and Tagging, page 16-4
• Applying Building Blocks, page 16-9
• Tagging Building Blocks, page 16-9
• Displaying Building Block Use, page 16-11
Extracting Building Blocks from Virtual Contexts
An alternative to creating a new configuration building block and configuring each attribute individually
is to extract a configuration building block from an existing virtual context. By extracting a building
block from a virtual context, you can reduce the time you spend configuring and testing the
configuration.
Use this procedure to create a working building block from a virtual context configuration.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose the ACE with the virtual context whose configuration you want to use as a
building block.
The Virtual Contexts table appears.
Step 3 In the Virtual Contexts table, choose the context with the configuration that you want to extract, and click
Extract Building Block.
A popup window appears, asking for a building block name.
Step 4 In the Name field of the popup window, enter a name for this building block, and click OK. The window
refreshes with the Primary Attributes window for the newly created building block (Config > Global >
building_block).
Step 5 Modify the building block as desired using the information in Table 16-1, or tag and deploy it as
described in the “Tagging Building Blocks” section on page 16-9 and the “Applying Building Blocks” section
on page 16-9.
Related Topics
• Enabling the Building Block Feature, page 16-5
• Applying Building Blocks, page 16-9
• Tagging Building Blocks, page 16-9
• Displaying Building Block Use, page 16-11
Configuring Building Blocks
You can modify a working version of a configuration building block.
Note You can modify only working versions of building blocks; you cannot modify tagged versions
of building blocks. If you select a tagged building block version, and then select a configuration
option (such as Load Balancing > Health Monitoring), you can view the entries for that tagged
version, but you cannot modify them.
Procedure
Step 1 Choose Config > Building Blocks.
The All Building Blocks table appears.
Step 2 Choose the working version of the building block that you want to modify, then choose the attributes that
you want to configure. For information about building block configuration options, see Table 16-1.
Note While it is possible to configure VLAN and BVI interfaces in a building block, we recommend
that you do not do so. Applying a building block with these attributes configured to a virtual
context with different settings can disrupt network traffic.
Step 3 To apply this building block, tag it, and deploy it as described in “Tagging Building Blocks” section on
page 16-9 and “Applying Building Blocks” section on page 16-9.
Related Topics
• Enabling the Building Block Feature, page 16-5
• Using Configuration Building Blocks, page 16-1
• Information About Building Block Versions and Tagging, page 16-4
• Creating Building Blocks, page 16-5
• Extracting Building Blocks from Virtual Contexts, page 16-6
• Tagging Building Blocks, page 16-9
• Displaying Building Block Use, page 16-11
Configuring Building Block Primary Attributes
Use this procedure to change the description of a configuration building block.
Procedure
Step 1 Choose Config > Building Blocks.
The All Building Blocks table appears.
Step 2 In the All Building Blocks table, choose the building block that you want to modify, and choose
System > Primary Attributes.
The Primary Attributes window appears.
Step 3 In the Description field of the Primary Attributes window, modify the description as desired.
Step 4 Do one of the following:
• Click Save to save your entries. The window refreshes with the saved information.
• Click Tag to tag the building block. To deploy the tagged building block, see “Applying Building
Blocks” section on page 16-9.
Related Topics
• Enabling the Building Block Feature, page 16-5
• Creating Building Blocks, page 16-5
• Configuring Building Blocks, page 16-7
• Tagging Building Blocks, page 16-9
Tagging Building Blocks
You can tag a working copy of a building block. After creating a building block, you must tag it before
you can apply it to virtual contexts.
Procedure
Step 1 Choose Config > Building Blocks.
The All Building Blocks table appears.
Step 2 In the All Building Blocks table, choose the working copy of the building block that you want to tag,
and click Tag.
The All Building Blocks table refreshes with the newly tagged building block identified by its version,
such as 1.2 or 1.3. A working copy of the building block remains available so that you can use it for
future building block versions.
To apply the tagged building block to virtual contexts on your network, see “Applying Building Blocks”
section on page 16-9.
Related Topics
• Enabling the Building Block Feature, page 16-5
• Using Configuration Building Blocks, page 16-1
• Information About Building Block Versions and Tagging, page 16-4
• Creating Building Blocks, page 16-5
• Applying Building Blocks, page 16-9
• Extracting Building Blocks from Virtual Contexts, page 16-6
• Displaying Building Block Use, page 16-11
Applying Building Blocks
You can apply building blocks in two ways:
• By selecting a virtual context, then applying the building block. See “Applying a Building Block to
a Single Virtual Context” section on page 16-10.
• By selecting the tagged building block, then applying it to one or more virtual contexts. See
“Applying a Building Block to Multiple Virtual Contexts” section on page 16-10.
Applying a Building Block to a Single Virtual Context
You can apply a tagged building block to a virtual context using virtual context configuration screens.
Note Before applying a building block to a virtual context, confirm that the VLAN and BVI interfaces are
defined correctly for the virtual context. If needed, remove VLAN and BVI interface configuration
information from the building block and then apply it.
Procedure
Step 1 Choose Config > Devices > All Devices.
The device tree appears.
Step 2 Choose the virtual context that you want to apply a building block to, and choose System > Primary
Attributes.
The Primary Attributes window appears.
Step 3 In the Tagged Building Block to Apply field, choose the building block you want to apply to the virtual
context.
Step 4 Click Deploy Now.
Related Topics
• Enabling the Building Block Feature, page 16-5
• Applying a Building Block to Multiple Virtual Contexts, page 16-10
• Using Configuration Building Blocks, page 16-1
• Information About Building Block Versions and Tagging, page 16-4
• Extracting Building Blocks from Virtual Contexts, page 16-6
• Tagging Building Blocks, page 16-9
Applying a Building Block to Multiple Virtual Contexts
You can apply a tagged building block to one or more contexts by using the building block configuration
screens.
Note Before applying a building block to a virtual context, confirm that the VLAN and BVI interfaces are
defined correctly for the virtual context. If needed, remove VLAN and BVI interface configuration
information from the building block and then apply it.
Procedure
Step 1 Choose Config > Building Blocks.
The All Building Blocks table appears.
Step 2 In the All Building Blocks table, choose the tagged building block that you want to apply to one or more
virtual contexts.
Step 3 Choose System > Primary Attributes.
The Primary Attributes configuration window appears.
Step 4 In the Push Building Block to VCs field of the Primary Attributes configuration window, choose the
contexts that you want to apply the building block to in the Available Items list, and click Add.
They appear in the Selected Items list.
To remove contexts that you do not want to apply the building block to, choose them in the Selected
Items list, then click Remove. The items reappear in the Available Items list.
Step 5 Click Save. A progress bar reports status and the window refreshes when the operation is complete.
Related Topics
• Enabling the Building Block Feature, page 16-5
• Applying a Building Block to a Single Virtual Context, page 16-10
• Using Configuration Building Blocks, page 16-1
• Information About Building Block Versions and Tagging, page 16-4
• Creating Building Blocks, page 16-5
Displaying Building Block Use
You can identify the virtual contexts using a building block.
Procedure
Step 1 Choose Config > Devices.
The device tree appears.
Step 2 In the device tree, choose All VC.
The Virtual Contexts table appears.
Step 3 In the Virtual Contexts table, use one of the following methods to display the building blocks being used:
• For a small number of contexts, scan the Building Block column to see which building blocks are in
use on virtual contexts.
• For a large number of contexts, click Filter. The window refreshes so that you can enter search
criteria. In the field beneath the Building Block column heading, enter a building block name or
search string, then click Go. The table refreshes with entries that match the search criteria.
Related Topics
• Enabling the Building Block Feature, page 16-5
• Using Configuration Building Blocks, page 16-1
• Information About Building Block Versions and Tagging, page 16-4
• Creating Building Blocks, page 16-5
• Extracting Building Blocks from Virtual Contexts, page 16-6
• Tagging Building Blocks, page 16-9
CHAPTER 17
Monitoring Your Network
Date: 3/28/12
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
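The naming rule in the note above is easy to break when objects are created at the ACE CLI, and the result is a context that ANM cannot import or manage. The following Python check is an added example (it is not ANM code and not from this guide) that applies exactly that rule, 1 to 64 characters from the alphanumeric set plus underscore, hyphen, dot and asterisk with no spaces, to a list of candidate names before they are configured. The sample names are constructed.

```python
import re

# Rule from the ANM naming note: 1 to 64 characters, alphanumeric plus
# underscore (_), hyphen (-), dot (.) and asterisk (*); spaces not allowed.
ANM_NAME_RE = re.compile(r"[A-Za-z0-9_.\-*]{1,64}")
ALLOWED_CHAR_RE = re.compile(r"[A-Za-z0-9_.\-*]")


def is_anm_manageable_name(name):
    """True if ANM can import and manage an ACE object with this name."""
    return ANM_NAME_RE.fullmatch(name) is not None


def anm_name_problems(name):
    """List the reasons ANM would reject this name (empty list means OK)."""
    if not name:
        return ["empty name"]
    problems = []
    if len(name) > 64:
        problems.append("longer than 64 characters (%d)" % len(name))
    if " " in name:
        problems.append("contains a space")
    # Characters outside the allowed set, excluding the space reported above.
    bad = sorted({c for c in name if not ALLOWED_CHAR_RE.fullmatch(c)} - {" "})
    if bad:
        problems.append("unsupported characters: " + ", ".join(repr(c) for c in bad))
    return problems


def check_names(names):
    """Map each non-compliant name to its problems; compliant names are omitted."""
    return {n: anm_name_problems(n) for n in names if anm_name_problems(n)}


# Constructed sample: object names as they might be typed at the ACE CLI.
# None of these names come from the guide.
SAMPLE_NAMES = [
    "web-farm_01",   # OK
    "probe.http*",   # OK: dot and asterisk are allowed
    "web farm",      # space
    "rs#1",          # unsupported character
    "x" * 65,        # too long
    "",              # empty
]

if __name__ == "__main__":
    for name, problems in check_names(SAMPLE_NAMES).items():
        print("%r: %s" % (name, "; ".join(problems)))
```

Run the check over the names in a context before importing it into ANM; every entry it reports is one that the ACE CLI accepts but ANM will not.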
The ANM Monitor function allows you to monitor key areas of system usage. The following
functionality is provided under Monitor in ANM:
• Dashboards—Operate as a central location for you to view monitoring results and track potential
issues. There are three types of dashboards in ANM: ANM/Group Dashboard, ACE Dashboard, and
Context Dashboard. Each dashboard provides quick access to all relevant monitoring pages. See
“Using Dashboards to Monitor Devices and Virtual Contexts” section on page 17-4.
• Events—Lists events that originate from devices through syslog and SNMP traps. See “Monitoring
Events” section on page 17-55.
• Alarm Notifications—Allows you to define thresholds and view alarms. See “Configuring Alarm
Notifications on ANM” section on page 17-57 and “Displaying Alarm Notifications” section on
page 17-65.
• Settings—Allows you to do the following:
– Display the current polling status of all the objects that ANM manages. See the “Displaying the
Polling Status of All Managed Objects” section on page 17-44.
– Set global polling and SMTP configurations. See “Setting Polling Parameters” section on
page 17-46.
– Export historical data. See “Exporting Historical Data” section on page 52.
• Topology maps—Allows you to display a network topology map based on a selected virtual or real
server. See “Displaying Network Topology Maps” section on page 68.
• Tools—Allows you to verify connectivity (using the ping command) between a virtual context and
an IP address that you specify. See “Testing Connectivity” section on page 71.
Note When ANM is unable to retrieve information for a monitored statistic, it displays one of the following
status conditions in the table cell:
• N/A (Not Available)—Indicates that ANM was unable to poll the device for the information for one
of the following reasons:
– ANM is experiencing polling errors with the device.
– ANM is not able to communicate with the device.
– If a poll was recently initiated, ANM is in the process of gathering information from the device.
• Not Supported—Indicates that the device does not have the capability to provide the information.
This condition can be caused when the device does not have the necessary SNMP instrumentation.
It is possible that another similar device type is able to provide the statistical information because it
has been updated with the necessary SNMP instrumentation.
• Not Applicable—Indicates that the particular information is not valid or not applicable for the
device type, or ANM is unable to retrieve the information from the device because the information
is not available through SNMP for the device type.
Before using the Monitoring functions, make sure that your devices are properly configured for polling
(see “Setting Up Devices for Monitoring” section on page 17-2).
Setting Up Devices for Monitoring
In order for ANM to successfully monitor your devices, you must configure the devices correctly for
polling as shown in Table 17-1.
Table 17-1 Configuring Devices for Monitoring
Device Type: ACE modules
How to Configure: Configure parameters on the Admin context only.
Device Type: ACE appliances
How to Configure: Configure parameters on the Admin context only.
Parameters to Configure (ACE modules and ACE appliances):
• All devices must have a routable IP address from the ANM.
• The management policy with the SNMP protocol must be associated to the IP address.
• You must enable SNMPv2c with a matching SNMP community string between ANM and the devices to
be polled. (See the “Configuring Virtual Contexts” section on page 6-1.)
• Before using the Monitoring functions, you must enable monitoring on all devices that you want ANM
to monitor (see the “Setting Polling Parameters” section on page 17-46).
Device Type: CSS
How to Configure: Configure parameters on the CSS devices that you want ANM to monitor. You cannot
use ANM to configure the CSS.
Device Type: CSM
How to Configure: Configure parameters on the Cat6K chassis (in which the CSM resides) that you want
ANM to monitor. You cannot use ANM to configure the CSM.
Parameters to Configure (CSS and CSM):
• All devices must have a routable IP address from the ANM.
• For CSS devices, you must enable SNMPv2c with a matching SNMP community string between ANM
and the devices to be polled. (See the “Configuring CSS Primary Attributes” section on page 5-35.)
• For CSM devices, you must enable SNMPv2c with a matching SNMP community string on the Cat6K
chassis in which the CSM resides. (See the “Configuring CSM Primary Attributes” section on
page 5-34.)
• Before using the Monitoring functions, you must enable monitoring on all devices that you want ANM
to monitor (see the “Setting Polling Parameters” section on page 17-46).
Related Topics
• Device Monitoring Features, page 17-3
• Using Dashboards to Monitor Devices and Virtual Contexts, page 17-4
• Monitoring Devices, page 17-24
Device Monitoring Features
ANM provides several features that allow you to monitor your devices when you click Monitor:
• Dashboards—Operate as a central location for you to view device and context monitoring results
and track potential issues. There are three types of Dashboards in ANM: ANM/Group Dashboard,
ACE Dashboard, and ACE Virtual Context Dashboard. Each Dashboard provides quick access to all
relevant monitoring pages. See “Using Dashboards to Monitor Devices and Virtual Contexts”
section on page 17-4.
• System View—Provides device information and a general overview of your system as a whole,
including High Availability (HA) information and licensing information. System View is available
only for CSS and CSM devices. See “Monitoring the System” section on page 17-25.
• Resource Usage—Provides resource usage information on connections and features. See
“Monitoring Resource Usage” section on page 17-26. Resource usage is not available for CSS or
CSM devices.
• Traffic Summary—Provides traffic information for your devices. Traffic Summary is available only
for the ACE module, ACE appliance, and CSS. See “Monitoring Traffic” section on page 17-30.
• Load Balancing—Provides virtual server information and load balancing statistics. See “Monitoring
Load Balancing” section on page 17-33 and “Monitoring Load Balancing Statistics” section on
page 17-41.
• Application Acceleration—Displays optimization statistics for ACE appliances on which you have
configured application acceleration functions. See the “Monitoring Application Acceleration”
section on page 17-43. This feature is only available on ACE appliances.
• Polling Settings—Allows you to set polling parameters. See the “Setting Polling Parameters”
section on page 17-46.
• Historical Graphs—Allows you to view historical data for a group of monitoring page statistics. See
the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48.
Using Dashboards to Monitor Devices and Virtual Contexts
ANM dashboards allow for faster and more accurate assessment and analysis of device and virtual
context health and usage, as well as performance. Corresponding monitoring views allow for quick
access to details for further investigation into potential problems highlighted in the dashboards. Graphs,
as well as monitoring screens, allow you to view historical data and compare the performance with the
peer objects.
Note All client browsers require that you enable Adobe Flash Player 9 to properly display the monitoring
graphs provided in ANM.
Dashboards in ANM provide:
• A central location for you to view monitoring highlights.
• Emphasis on potential issues that require your attention.
• Quick access to relevant ANM pages for more detailed monitoring data.
In each dashboard, there is a relevant set of dashboard panes. The information shown in the dashboard
panes differs based on the device or group that you select in the device tree. The dashboard panes are
movable elements inside the dashboard that can be minimized, maximized, moved, and, if desired,
removed from view. You can also display a larger (full) window view for a dashboard window.
Note Changes made to dashboard layout or pane selections are only applicable for the current session. Those
changes are not maintained by ANM the next time you access an ANM dashboard.
The dashboard tables and graphs autorefresh every two minutes. If desired, you can disable autorefreshing
by clicking the Pause Autorefresh button in the upper-right corner of the dashboard.
Note All dashboard contents are under Role-Based Access Control (RBAC). Options will be grayed or not
displayed if proper permission has not been granted to the logged-in user by the administrator. See the
“How ANM Handles Role-Based Access Control” section on page 18-8 for more information about
RBAC in ANM.
This section includes the following topics:
• ACE Dashboard, page 17-5
• ACE Virtual Context Dashboard, page 17-12
• ANM Group Dashboard, page 17-16
ACE Dashboard
The ACE Dashboard displays the information related to the ACE module or ACE appliance that is
selected in the device tree. You access the ACE Dashboard by selecting Monitor > Devices > ACE >
Dashboard.
Figure 17-1 illustrates the individual components of the ACE Dashboard.
Note The ANM software version that displays across the top of the window varies depending on your version
of ANM.
Figure 17-1 Example ACE Device Dashboard
To enhance your viewing of the monitoring information in the ACE Dashboard, you can perform the
following actions:
• Click and drag an individual dashboard pane to move it to another location within the ACE
Dashboard.
• Use the Collapse/Expand buttons at the top right side of each dashboard pane to minimize/maximize
a pane within the ACE Dashboard.
• Click the Remove button to remove a dashboard pane from the ACE Dashboard. Click the Bring
Back Closed Dashboard Panes button at the top of the ACE Dashboard to open the closed
dashboard pane.
Note When you close any of the panes in a dashboard by clicking the Remove button, all of the headers
in the other dashboard panes turn black to indicate that a pane has been closed. To return the
dashboard panes to normal, click the Bring Back Closed Dashboard Panes button to reload the
removed dashboard pane.
• Click the Screen View (Full)/Screen View (Normal) buttons to display a larger (full) window view
for the ACE Dashboard.
Changes made to dashboard layout or pane selections are only applicable for the current session. Those
changes are not maintained by ANM the next time you access the ACE Dashboard.
The components of the individual ACE Dashboard panes are described in the following sections.
• Device Information Table, page 17-6
• License Status Table, page 17-6
• High Availability Table, page 17-7
• ACE Device Configuration Summary Table, page 17-7
• Context With Denied Resource Usage Detected Table, page 17-8
• Device Resource Usage Graph, page 17-9
• Top 10 Current Resources Table, page 17-10
• Control Plane CPU/Memory Graphs, page 17-11
Device Information Table
The Device Information table lists the details that will identify the status of the selected ACE. It includes
the following fields:
• Host Name—Host name of the ACE module or ACE appliance.
• Device Status—Device reachability status through SNMP and XML connectivity (Up or Down).
• Device Type—ACE device specifics for the ACE module or ACE appliance.
• Management IP—Management IP address of the admin virtual context.
• Number of Contexts—Number of configured contexts, including the Admin context and configured
user contexts.
• Software Version—Release software version of the ACE module or ACE appliance.
• Last Boot Reason—Reason for the last reboot of the ACE (if available).
• Uptime—Length of time that the ACE has been up and running.
The data shown in this table is collected during device discovery as well as during periodic monitor
polling. The timestamp shown in the status bar is from the last polled time of the Admin virtual context.
License Status Table
The License Status table lists the license status of the selected ACE device. ANM uses the ACE show
license status CLI command to obtain the license details. The timestamp shown in the status bar is from
the last polled time of the Admin virtual context.
High Availability Table
The HA Peer Information table lists the details of the HA peer, if configured in HA mode. It includes
the following information:
• HA/FT Interface State—State of the local ACE. See the “ACE High Availability Polling” section on
page 13-7.
• My IP Address—IP address of the local ACE.
• Peer IP Address—IP address of the peer ACE.
• Software Compatibility—Status of whether the software version of the local ACE and the software
version of the peer ACE are compatible. Possible states are the INIT, COMPATIBLE, or
INCOMPATIBLE state.
• License Compatibility—Status of whether the license of the local ACE and the license of the peer
ACE are compatible. Possible states are the INIT, COMPATIBLE, or INCOMPATIBLE state.
• Number of FT Groups—Number of configured FT groups.
• Number of Heartbeats Transmitted—Total number of heartbeat packets transmitted.
• Number of Heartbeats Received—Total number of heartbeat packets received.
This data is collected during periodic monitoring polling. The timestamp shown in the status bar is from
the last polled time of the Admin virtual context.
ACE Device Configuration Summary Table
The Device Configuration Summary table displays the following information:
• Virtual Servers—Total count of virtual servers configured in all contexts and the count of virtual
servers that are in the In Service or Out of Service state. ANM also identifies virtual servers that
have a Status Not Available state (due to polling failures, polling being disabled, and so on) and have a Status
Not Supported state (due to a lack of ACE SNMP support). A hyperlink enables you to view load
balancing virtual server monitoring information based on the identified state (see the “Monitoring
Load Balancing on Virtual Servers” section on page 17-33). For example, if you click the In Service
hyperlink, you will see only the virtual servers that are currently in service.
• Real Servers—Total count of real servers configured in all contexts and the count of real servers that
are in In Service and Out of Service. A hyperlink enables you to view load balancing real server
monitoring information based on the identified state (see the “Monitoring Load Balancing on Real
Servers” section on page 17-37). For example, if you click the In Service hyperlink, you will see
only the real servers that are currently in service.
• Probes—Total count of probes configured in all contexts and the count of probes that are in the In
Service and Out of Service state. A hyperlink enables you to view load balancing probe monitoring
information based on the identified state (see the “Monitoring Load Balancing on Probes” section
on page 17-40). For example, if you click the In Service hyperlink, you will see only the probes that
are currently in service.
• Gigabit Ethernets—(ACE appliance only) Total count of Gigabit Ethernet physical interfaces
configured on the ACE appliance based on their operational status of Up and Down. A hyperlink
enables you to view traffic summary information based on the identified state (see the “Monitoring
Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the
Gigabit Ethernet physical interfaces that currently have an operational status of Up.
• VLANs—Total count of VLANs configured and the count of VLANs based on operational status -
Up and Down. A hyperlink enables you to view traffic summary information based on the identified
state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up
hyperlink, you will see only the VLAN interfaces that currently have an operational status of Up.
• Port Channels—(ACE appliance only) Total count of port channels configured on the ACE appliance
based on their operational status of Up and Down. A hyperlink enables you to view traffic summary
information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For
example, if you click the Up hyperlink, you will see only the port channels that currently have an
operational status of Up.
• BVIs—Total count of BVI interfaces and the count of BVI interfaces based on their operational
status of Up and Down. A hyperlink enables you to view traffic summary information based on the
identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the
Up hyperlink, you will see only the BVI interfaces that currently have an operational status of Up.
• Certificates—Total count of SSL certificates and the count of SSL certificates that are expiring
beyond 30 days, expired, or that are expiring within 30 days. A hyperlink accesses a popup window
for you to view the SSL certificates list based on the selection, displaying the certificate name,
device name, days to expire, expiration date, and the date it was evaluated for you to determine the
days to expire. Certificates are considered expired if their expiration date is within the next day
(rounded down to the next day). A hyperlink in the device name allows you to navigate to the
context-based SSL Certificate configuration page (see the “Using SSL Certificates” section on
page 11-5).
This data is collected during discovery as well as during periodic monitoring polling. The timestamp
shown in the status bar indicates a varying poll time; that is, different virtual contexts were polled and
those contexts had different time stamps. The earliest time stamp of the polled virtual contexts is
displayed in the status bar.
All counts shown in the Device Configuration Summary table are based on the operational status of the
monitored objects listed above.
• Out Of Service—Indicates any status other than In Service (for example, Out Of Service, Failed, or
Disabled).
• Status not available—Indicates that ANM was unable to poll the operational status of this object.
The display of this operational status could be due to polling errors or the device was unreachable.
Also, if a poll was recently initiated, this operational status could indicate that ANM is in the process
of collecting data.
• Status not supported—Indicates that the device does not have the capability to provide an
operational status of this object. The display of this operational status could be due to missing
SNMP instrumentation on earlier ACE devices.
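The Certificates entry above sorts SSL certificates into expired, expiring within 30 days, and expiring beyond 30 days, with days to expire rounded down and a certificate that expires within the next day already counted as expired. The Python below is an added example (not ANM code, not from this guide) that applies those rules to a constructed list of certificates so the three buckets and the boundary cases can be seen on real dates. The guide does not say which side of the line exactly 30 days falls on; treating it as "within 30 days" is an assumption, and the evaluation time, device names and file names are invented.

```python
import math
from datetime import datetime, timedelta

CATEGORIES = ("expired", "expiring within 30 days", "expiring beyond 30 days")


def days_to_expire(expiration, evaluated):
    """Whole days until expiration, rounded down (negative once past)."""
    return math.floor((expiration - evaluated).total_seconds() / 86400)


def classify_certificate(expiration, evaluated):
    """Bucket a certificate the way the Device Configuration Summary does."""
    days = days_to_expire(expiration, evaluated)
    if days < 1:
        return "expired"            # expires within the next day, or already past
    if days <= 30:                  # assumption: exactly 30 days counts as "within"
        return "expiring within 30 days"
    return "expiring beyond 30 days"


def certificate_summary(certs, evaluated):
    """Group (name, device, expiration) tuples into the popup's three lists."""
    summary = {c: [] for c in CATEGORIES}
    for name, device, expiration in certs:
        summary[classify_certificate(expiration, evaluated)].append({
            "certificate": name,
            "device": device,
            "days_to_expire": days_to_expire(expiration, evaluated),
            "expiration_date": expiration.date().isoformat(),
            "evaluated": evaluated.date().isoformat(),
        })
    return summary


# Constructed sample: the evaluation time and every certificate are invented
# to exercise each boundary; none of them come from the guide.
EVALUATED = datetime(2012, 3, 28, 9, 0, 0)
SAMPLE_CERTS = [
    ("vip-web.pem", "ace-1", EVALUATED + timedelta(hours=20)),           # 0 days: expired
    ("legacy.pem",  "ace-2", EVALUATED - timedelta(days=3)),             # -3 days: expired
    ("api.pem",     "ace-1", EVALUATED + timedelta(days=1, hours=2)),    # 1 day
    ("edge.pem",    "ace-1", EVALUATED + timedelta(days=30, hours=12)),  # 30 days
    ("partner.pem", "ace-2", EVALUATED + timedelta(days=31)),            # 31 days
    ("root-ca.pem", "ace-2", EVALUATED + timedelta(days=400)),
]

if __name__ == "__main__":
    for category, entries in certificate_summary(SAMPLE_CERTS, EVALUATED).items():
        print("%s (%d)" % (category, len(entries)))
        for e in entries:
            print("  %-12s %-6s %4d days  expires %s" % (
                e["certificate"], e["device"], e["days_to_expire"], e["expiration_date"]))
```

The rounding matters operationally: a certificate that expires in 20 hours shows 0 days to expire and is already listed as expired, so the "expired" bucket is the one to act on before clients start failing TLS handshakes against the virtual server.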
Context With Denied Resource Usage Detected Table
The Context With Denied Resource Usage Detected table lists all contexts for which the resource request
is denied after reaching the maximum limit. An increase in the deny count (that is, the deny rate) results
in the relevant context resource type appearing in this table. ANM obtains the count information by using
the ACE show resource usage CLI command, which collects the information from the following MIBs:
crlResourceLimitReqsDeniedCount and crlRateLimitResourceReqsDeniedCount.
This table includes the following information:
• Context—Name of the configured context that contains a denied resource.
• Resource Type—Type of system resource in the context.
• Denies/Second—Number of denied resources (per second) as a result of oversubscription or
resource depletion.
• Total Deny Count—Number of denied uses of the resource since the resource statistics were last
cleared.
• Last Polled Count—Date and time of the last time that ANM polled the device to display the current
values.
Note The Context With Denied Resource Usage Detected table does not display the sticky denied resource
count because this count does not increment when the ACE sticky resources are exhausted. The ACE’s
sticky table can hold a maximum of four million entries (four million simultaneous users). When the
table reaches the maximum number of entries, additional sticky connections cause the table to wrap and
the first users become unstuck from their respective servers.
A hyperlink allows you to access the Resource Usage monitoring page to view a detailed list of resources
used and denied counts (see the “Monitoring Resource Usage” section on page 17-26).
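To make the deny-rate behaviour described for this table concrete, here is an added Python example (not ANM code and not from this guide) that derives the Denies/Second and Total Deny Count columns from two successive polls of the per-context deny counters: it reports only resources whose count rose, treats a counter that went down as the resource statistics having been cleared between polls, and, as the Note above states, leaves the sticky resource out. The context names, resource types, counter values and the two-minute poll interval are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample polls: per (context, resource type) deny counts of the
# kind ANM reads with `show resource usage`. Names and numbers are invented.
T_PREV = datetime(2012, 3, 28, 10, 0, 0)
T_CURR = T_PREV + timedelta(minutes=2)      # dashboard autorefresh interval

POLL_PREVIOUS = {
    ("Admin", "conc-connections"): 120,
    ("ctx-web", "conc-connections"): 5000,
    ("ctx-web", "rate bandwidth"): 40,
    ("ctx-web", "sticky"): 0,
    ("ctx-db", "xlates"): 10,
}
POLL_CURRENT = {
    ("Admin", "conc-connections"): 120,     # unchanged: not reported
    ("ctx-web", "conc-connections"): 5600,  # +600 in 120 s
    ("ctx-web", "rate bandwidth"): 46,      # +6 in 120 s
    ("ctx-web", "sticky"): 2,               # excluded: sticky deny count is not shown
    ("ctx-db", "xlates"): 3,                # lower than before: statistics were cleared
}


def denied_resource_rows(prev, curr, t_prev, t_curr):
    """Rows for the Context With Denied Resource Usage Detected table."""
    interval = (t_curr - t_prev).total_seconds()
    if interval <= 0:
        raise ValueError("polls must be in chronological order")
    rows = []
    for (context, resource_type), total in curr.items():
        if resource_type == "sticky":
            continue  # count does not increment when sticky resources are exhausted
        before = prev.get((context, resource_type))
        if before is None:
            continue  # first poll for this resource: no rate can be computed yet
        delta = total - before
        if delta < 0:
            # Counter decreased: statistics were cleared between polls, so every
            # deny counted now happened since the clear.
            delta = total
        if delta == 0:
            continue  # deny count did not rise: nothing to show
        rows.append({
            "context": context,
            "resource_type": resource_type,
            "denies_per_second": delta / interval,
            "total_deny_count": total,
            "last_polled": t_curr,
        })
    rows.sort(key=lambda r: r["denies_per_second"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in denied_resource_rows(POLL_PREVIOUS, POLL_CURRENT, T_PREV, T_CURR):
        print("%-8s %-18s %8.3f/s  total=%d  polled=%s" % (
            r["context"], r["resource_type"], r["denies_per_second"],
            r["total_deny_count"], r["last_polled"].isoformat()))
```

A context that keeps appearing here with a rising conc-connections deny rate is either oversubscribed or under a connection flood, so the row is worth correlating with the Traffic Summary and the alarm thresholds described later in this chapter.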
Device Resource Usage Graph
For each resource type, the ACE Dashboard displays the Top 3 virtual contexts that consume the
resource in the Device Resource Usage graph (Figure 17-2). A tooltip displays the Top 3 context names
and their consumption, the consumption of the resource by the rest of the contexts, and the total
consumption by all contexts. This data is collected by ANM by using the ACE show resource usage CLI
command. The timestamp shown in the status bar indicates a varying poll time; that is, different virtual
contexts were polled and those contexts had different time stamps. The earliest time stamp of the polled
virtual contexts is displayed in the status bar.
Figure 17-2 Device Resource Usage Graph
To toggle the display of the Device Resource Usage graph in the monitoring window:
• Click View As Chart to display the object data as a graph.
• Click View As Grid to display the object data as a numerical line grid.
Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image
button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can
save the graph as a JPEG or send it in an email. You can also print the graph if desired.
If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to
Excel link in the View As Grid object display.
Hyperlinks allow you to access the individual resource usage page for more details (see the “Monitoring
Resource Usage” section on page 17-26).
Note ACL Memory (for ACE module and ACE appliance) and Application Acceleration (for ACE appliance
only) do not appear in the Device Resource Usage graph. To view the detailed counters, click the
hyperlink to access individual resource usage page.
Top 10 Current Resources Table
The Top 10 Resource Usage table (Figure 17-3) displays the Top 10 resource types that have been
evaluated for high resource utilization. The resource with highest utilization appears at the top. This data
is collected by ANM by using the ACE show resource usage CLI command.
Figure 17-3 Top 10 Current Resources Table—ACE Dashboard
This table includes the following information:
• Last Hour—Plot of high resource utilization during the past hour.
• Resource Name—Type of system resource in the context.
• Used By—Name of the virtual context that is placing the high demands on the resource. Global
Pool usage is critical in a setup where one or more contexts are configured to use the global pool
once their reserved resources are depleted and resources are free in the global pool. In this
situation, if the global pool is depleted, multiple contexts may be starved of resources.
Note Contexts configured to make use of the global pool will not be evaluated for the Top 10 Resource
Usage table.
• Current Usage—Active concurrent instances or the current rate of the resource.
• Average—Average value of resource usage (based on the last hour).
• Max.—Highest value of resource usage (based on the last hour).
• Last Polled Time—Date and time of the last time that ANM polled the device to display the current
values.
Hyperlinks allow you to access the individual resource usage page for more details (see the “Monitoring
Resource Usage” section on page 17-26).
You can choose to show or hide the syslog buffer information that displays in the Top 10 Current
Resources pane. You may want to hide this information because it will always show 100 percent after
the buffer becomes full and starts to wrap. For more information, see the “Managing the Syslog Buffer
Display in the All Devices Dashboard” section on page 18-66.
Control Plane CPU/Memory Graphs
The Control Plane CPU/Memory graphs (Figure 17-4) show the utilization of the ACE CPU. This data
consists of two graphs:
• The Control Plane CPU Usage graph shows the utilization of the ACE CPU as a percentage.
• The Control Plane Memory graph displays the consumed memory in Kbytes. A tooltip is added to
display the Cache Memory, Total Memory, Shared Memory, Buffer Memory, and Free Memory
usage as a percentage.
To toggle the display of the Control Plane CPU/Memory graph in the monitoring window:
• Click View As Chart to display the object data as a graph.
• Click View As Grid to display the object data as a numerical line grid.
Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image
button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can
save the graph as a JPEG or send it in an email. You can also print the graph if desired.
If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to
Excel link in the View As Grid object display.
Figure 17-4 Control Plane CPU/Memory Graphs
ACE Virtual Context Dashboard
The ACE Virtual Context Dashboard displays monitoring information for an ACE virtual context
selected from the device tree. You access the ACE Virtual Context Dashboard by selecting Monitor >
Devices > virtual_context > Dashboard.
Figure 17-5 illustrates the individual components of the ACE Virtual Context Dashboard.
Note The ANM software version that displays across the top of the window varies depending on your version
of ANM.
Figure 17-5 ACE Virtual Context Dashboard
To enhance your viewing of the monitoring information in the ACE Virtual Context Dashboard, you can
perform the following actions:
• Click and drag an individual dashboard pane to move it to another location within the ACE Virtual
Context Dashboard.
• Use the Collapse/Expand buttons at the top right side of each dashboard pane to minimize/maximize
a pane within the ACE Virtual Context Dashboard.
• Click the Remove button to remove a dashboard pane from the ACE Virtual Context Dashboard.
Click the Bring Back Closed Dashboard Panes button at the top of the ACE Virtual Context
Dashboard to open the closed dashboard pane.
Note When you close any of the panes in a dashboard by clicking the Remove button, all of the headers
in the other dashboard panes turn black to indicate that a pane has been closed. To return the
dashboard panes to normal, click the Bring Back Closed Dashboard Panes button to reload the
removed dashboard pane.
• Click the Screen View (Full)/Screen View (Normal) buttons to display a larger (full) window view
for the ACE Dashboard.
Changes made to dashboard layout or pane selections are only applicable for the current session. Those
changes are not maintained by ANM the next time you access the ACE Virtual Context Dashboard.
The components of the individual ACE Virtual Context Dashboard panes are described in the following
sections.
• ACE Virtual Context Device Configuration Summary Table, page 17-13
• Context With Denied Resource Usage Detected Table, page 17-14
• Context Resource Usage Graph, page 17-15
• Load Balancing Servers Performance Graphs, page 17-15
ACE Virtual Context Device Configuration Summary Table
The Device Configuration Summary table displays the following information:
• Virtual Servers—Total count of virtual servers configured in all contexts and the count of virtual
servers that are in the In Service and Out of Service state. ANM also identifies virtual servers that
have a Status Not Available state (due to polling failures, polling being disabled, and so on) and have a Status
Not Supported state (due to a lack of ACE SNMP support). A hyperlink enables you to view load
balancing virtual server monitoring information based on the identified state (see the “Monitoring
Load Balancing on Virtual Servers” section on page 17-33). For example, if you click the In Service
hyperlink, you will see only the virtual servers that are currently in service.
• Real Servers—Total count of real servers configured in all contexts and the count of real servers that
are in In Service and Out of Service. A hyperlink enables you to view load balancing real server
monitoring information based on the identified state (see the “Monitoring Load Balancing on Real
Servers” section on page 17-37). For example, if you click the In Service hyperlink, you will see
only the real servers that are currently in service.
• Probes—Total count of probes configured in all contexts and the count of probes that are in the In
Service and Out of Service state. A hyperlink enables you to view load balancing probe monitoring
information based on the identified state (see the “Monitoring Load Balancing on Probes” section
on page 17-40). For example, if you click the In Service hyperlink, you will see only the probes that
are currently in service.
• Gigabit Ethernets—(ACE appliance only) Total count of Gigabit Ethernet physical interfaces
configured on the ACE appliance based on their operational status of Up and Down. A hyperlink
enables you to view traffic summary information based on the identified state (see the “Monitoring
Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the
Gigabit Ethernet physical interfaces that currently have an operational status of Up.
• VLANs—Total count of VLANs configured and the count of VLANs based on their operational status
(Up or Down). A hyperlink enables you to view traffic summary information based on the identified
state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up
hyperlink, you will see only the VLAN interfaces that currently have an operational status of Up.
• Port Channels—(ACE appliance only) Total count of port channels configured on the ACE appliance
based on their operational status of Up and Down. A hyperlink enables you to view traffic summary
information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For
example, if you click the Up hyperlink, you will see only the port channels that currently have an
operational status of Up.
• BVIs—Total count of BVI interfaces and the count of BVI interfaces based on their operational
status of Up and Down. A hyperlink enables you to view traffic summary information based on the
identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the
Up hyperlink, you will see only the BVI interfaces that currently have an operational status of Up.
• Certificates—Total count of SSL certificates and the count of SSL certificates that are expiring
beyond 30 days, expired, or expiring within 30 days. A hyperlink accesses a popup window in which
you can view the SSL certificates list based on the selection, displaying the certificate name,
device name, days to expire, expiration date, and the date on which the days to expire were
evaluated. Certificates are considered expired if their expiration date is within the next day
(rounded down to the next day). A hyperlink in the device name allows you to navigate to the
context-based SSL Certificate configuration page (see the “Using SSL Certificates” section on
page 11-5).
Counts are based on the selected ACE virtual context and not for all ACE virtual contexts.
This data is collected during discovery as well as during periodic monitoring polling. The timestamp
shown in the status bar indicates a varying poll time; that is, different virtual contexts were polled and
the contexts had different time stamps. The earliest time stamp of the polled virtual contexts is displayed
in the status bar.
All counts shown in the Device Configuration Summary table are based on the operational status of the
monitored objects listed above.
• Out Of Service—Indicates any status other than In Service (for example, Out Of Service, Failed, or
Disabled).
• Status not available—Indicates that ANM was unable to poll the operational status of this object.
The display of this operational status could be due to polling errors or the device was unreachable.
Also, if a poll was recently initiated, this operational status could indicate that ANM is in the process
of collecting data.
• Status not supported—Indicates that the device does not have the capability to provide an
operational status of this object. The display of this operational status could be due to missing
SNMP instrumentation on earlier ACE devices.
Context With Denied Resource Usage Detected Table
The Context With Denied Resource Usage Detected table lists all contexts for which a resource request
was denied after the resource reached its maximum limit. An increase in the deny count (that is, the
deny rate) causes the relevant context resource type to appear in this table. ANM collects this data
by using the ACE show resource usage CLI command.
This table includes the following information:
• Context—Name of the configured context that contains a denied resource.
• Resource Type—Type of system resource in the context.
• Denies/Second—Number of denied resources (per second) as a result of oversubscription or
resource depletion.
• Total Deny Count—Number of denied uses of the resource since the resource statistics were last
cleared.
• Last Polled Count—Date and time of the last time that ANM polled the device to display the current
values.
Note This information is collected from the following MIBs: crlResourceLimitReqsDeniedCount and
crlRateLimitResourceReqsDeniedCount.
A hyperlink allows you to access the Resource Usage monitoring page to view a detailed list of resources
used and denied counts (see the “Monitoring Resource Usage” section on page 17-26).
Context Resource Usage Graph
The Context Resource Usage graph (see Figure 17-5) displays the details of each resource type utilized
by the selected contexts. For each resource type, the graph includes the following monitoring statistics:
Used, Global Available, and Guaranteed. This data is collected by ANM by using the ACE show
resource usage CLI command.
To toggle the display of the Context Resource Usage graph in the monitoring window:
• Click View As Chart to display the object data as a graph.
• Click View As Grid to display the object data as a numerical line grid.
Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image
button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can
save the graph as a JPEG or send it in an email. You can also print the graph if desired.
If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to
Excel link in the View As Grid object display.
Hyperlinks allow you to access the individual resource usage page for more details (see the “Monitoring
Resource Usage” section on page 17-26).
Note ACL Memory (for ACE module and ACE appliance) and Application Acceleration (for ACE appliance
only) do not appear in the Device Resource Usage graph. To view the detailed counters, click the
hyperlink to access the individual resource usage page.
Load Balancing Servers Performance Graphs
The Load Balancing Servers Performance graphs (Figure 17-6) include:
• Top 5 Virtual Servers—Displays the top five virtual servers in the selected virtual context. You can
select from server statistics (such as High Connection Rate, Dropped Connection Rate, and so on)
that are collected by ANM polling for top performance evaluation.
• Top 5 Real Servers—Displays the top five real servers in the selected virtual context. You can select
from server statistics (such as High Connection Rate, Dropped Connection Rate, and so on) that are
collected by ANM polling for top performance evaluation.
You select the statistic from the Select Statistics drop-down list.
To toggle the display of a Load Balancing Servers Performance graph in the monitoring window:
• Click View As Chart to display the object data as a graph.
• Click View As Grid to display the object data as a numerical line grid.
Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image
button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can
save the graph as a JPEG or send it in an email. You can also print the graph if desired.
If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to
Excel link in the View As Grid object display.
Hyperlinks allow you to access the corresponding monitoring screens for more details:
• Monitoring Load Balancing on Virtual Servers, page 17-33
• Monitoring Load Balancing on Real Servers, page 17-37
Figure 17-6 Load Balancing Servers Performance Graphs
ANM Group Dashboard
The ANM Group Dashboard displays overall information of the ANM server. You can specify to view
details for the ANM-created All Devices Group and for a user-defined ANM device group (see the
“Monitoring Device Groups” section on page 17-23). You access the ANM Group Dashboard by
choosing Monitor > Devices > Groups > All Devices > Dashboard.
Figure 17-7 illustrates the individual components of the ANM Group Dashboard.
Note The ANM software version that displays across the top of the window varies depending on your version
of ANM.
Figure 17-7 ANM Group Dashboard
To enhance your viewing of the monitoring information in the ANM Group Dashboard, you can perform
the following actions:
• Click and drag an individual dashboard pane to move it to another location within the ANM Group
Dashboard.
• Use the Collapse/Expand buttons at the top right side of each dashboard pane to minimize/maximize
a pane within the ANM Group Dashboard.
• Click the Remove button to remove a dashboard pane from the ANM Group Dashboard. Click the
Bring Back Closed Dashboard Panes button at the top of the ANM Group Dashboard to open the
closed dashboard pane.
Note When you close any of the panes in a dashboard by clicking the Remove button, all of the headers
in the other dashboard panes turn black to indicate that a pane has been closed. To return the
dashboard panes to normal, click the Bring Back Closed Dashboard Panes button to reload the
removed dashboard pane.
• Click the Screen View (Full)/Screen View (Normal) buttons to display a larger (full) window view
for the ACE Dashboard.
Changes made to dashboard layout or pane selections are only applicable for the current session. Those
changes are not maintained by ANM the next time you access the ANM Group Dashboard.
The components of the individual ANM Group Dashboard panes are described in the following sections.
• Managed Devices Table, page 17-17
• Context With Denied Resource Usage Detected Table, page 17-18
• ANM Group Device Configuration Summary Table, page 17-18
• Top 10 Current Resources Table, page 17-20
• Latest 5 Alarms Notifications Table, page 17-21
• Latest 5 Critical Events Table, page 17-21
• Contexts Performance Overview Graph, page 17-22
Managed Devices Table
The Managed Devices table displays the total count of devices in the selected ANM device group and
the count based on the state (Up or Down) of the imported ACE modules, ACE appliances, CSM, GSS,
and CSS devices. The data shown in this table are collected during device discovery as well as during
periodic monitor polling. The state of the individual device is identified from its XML connectivity and
SNMP status (whichever is applicable). The most recent information is used to identify device status.
Click the Device Details hyperlink to view a popup window containing the following device
information:
• Device Name—Name of the device managed by ANM.
• State—Operational state of the device (Up or Down). If the State is Down, ANM displays whether
the state has been detected through SNMP or XML.
• Device Type—Device type assigned to the imported device by ANM (for example, ACE v 2.0).
• # of VCs—Number of configured ACE virtual contexts, including the Admin context and configured
user contexts. This value is only applicable for the ACE module and ACE appliance.
• Last Polled Time—Date and time of the last time that ANM polled the device to display the current
values.
The data shown in this table is collected during device discovery as well as during periodic monitor
polling. The timestamp shown in the status bar indicates a varying poll time; that is, different virtual
contexts were polled and the contexts had different time stamps. The earliest time stamp of the polled
virtual contexts is displayed in the status bar.
Hyperlinks in the popup window allow you to access the individual ACE Device Dashboard for more
details (see the “ACE Dashboard” section on page 17-5).
Context With Denied Resource Usage Detected Table
The Context With Denied Resource Usage Detected table lists all contexts for which a resource request
was denied after the resource reached its maximum limit. An increase in the deny count (that is, the
deny rate) causes the relevant context resource type to appear in this table. ANM collects this data
by using the ACE show resource usage CLI command.
This table includes the following information:
• Context—Name of the configured context that contains a denied resource.
• Resource Type—Type of system resource in the context.
• Denies/Second—Number of denied resources (per second) as a result of oversubscription or
resource depletion.
• Total Deny Count—Number of denied uses of the resource since the resource statistics were last
cleared.
• Last Polled Count—Date and time of the last time that ANM polled the device to display the current
values.
Note This information is collected from the following MIBs: crlResourceLimitReqsDeniedCount and
crlRateLimitResourceReqsDeniedCount.
A hyperlink allows you to access the Resource Usage monitoring page to view a detailed list of resources
used and denied counts (see the “Monitoring Resource Usage” section on page 17-26).
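The two Context With Denied Resource Usage Detected sections (the ACE virtual context dashboard above and this group dashboard) describe the same rule: a context/resource pair is listed only when its total deny count rose between polls, with Denies/Second as the rate of that rise. The following is an added example, not ANM or ACE code, that derives the table rows from two constructed poll snapshots; the counter values stand in for the two MIB objects the note names, and the context and resource names are constructed.

```python
"""Added example (not ANM or ACE code): derive the rows of the "Context With
Denied Resource Usage Detected" table from two successive polls.

The counters below are constructed sample data standing in for the MIB
objects crlResourceLimitReqsDeniedCount and crlRateLimitResourceReqsDeniedCount,
summed per context and resource type at each poll.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PollSample:
    context: str
    resource_type: str
    total_deny_count: int      # cumulative denies since statistics were last cleared
    polled_at: datetime


@dataclass(frozen=True)
class DeniedRow:
    context: str
    resource_type: str
    denies_per_second: float
    total_deny_count: int
    last_polled: datetime


def denied_resource_rows(previous: Iterable[PollSample],
                         current: Iterable[PollSample]) -> List[DeniedRow]:
    """Return one row per (context, resource) whose deny count rose between polls.

    A pair seen for the first time has no interval to rate over and is skipped.
    A count that went down means the statistics were cleared on the ACE in
    between; the pair is skipped for this interval rather than reported as a
    negative rate, and the next poll rates it against the new baseline.
    """
    prev: Dict[Tuple[str, str], PollSample] = {
        (s.context, s.resource_type): s for s in previous
    }
    rows: List[DeniedRow] = []
    for cur in current:
        old = prev.get((cur.context, cur.resource_type))
        if old is None:
            continue
        delta = cur.total_deny_count - old.total_deny_count
        interval = (cur.polled_at - old.polled_at).total_seconds()
        if delta <= 0 or interval <= 0:
            continue
        rows.append(DeniedRow(cur.context, cur.resource_type,
                              delta / interval, cur.total_deny_count, cur.polled_at))
    # Highest deny rate first: the order an operator wants to triage in.
    rows.sort(key=lambda r: r.denies_per_second, reverse=True)
    return rows


# Constructed sample polls, 60 seconds apart.
T0 = datetime(2012, 6, 1, 12, 0, 0)
T1 = T0 + timedelta(seconds=60)

PREVIOUS_POLL = [
    PollSample("web", "Concurrent Connections", 100, T0),
    PollSample("web", "ACL Memory", 5, T0),
    PollSample("db", "Connection Rate", 40, T0),
]
CURRENT_POLL = [
    PollSample("web", "Concurrent Connections", 160, T1),  # rose: 60 denies in 60 s
    PollSample("web", "ACL Memory", 5, T1),                # unchanged: not listed
    PollSample("db", "Connection Rate", 10, T1),           # went down: stats cleared
    PollSample("mgmt", "Bandwidth", 3, T1),                # first sighting: no rate yet
]


def sample_rows() -> List[DeniedRow]:
    return denied_resource_rows(PREVIOUS_POLL, CURRENT_POLL)


if __name__ == "__main__":
    for r in sample_rows():
        print(f"{r.context:8} {r.resource_type:24} {r.denies_per_second:8.2f}/s "
              f"total={r.total_deny_count} polled={r.last_polled:%Y-%m-%d %H:%M:%S}")
```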
ANM Group Device Configuration Summary Table
The Device Configuration Summary table displays the following information:
• Virtual Servers—(ACE only) Total count of virtual servers configured in all contexts and the count
of virtual servers that are in the In Service and Out of Service state. ANM also identifies virtual
servers that have a Status Not Available state (due to polling failures, disabled polling, and so on)
and virtual servers that have a Status Not Supported state (due to a lack of ACE SNMP support). A
hyperlink enables you to view load balancing virtual server monitoring information based on the
identified state (see the “Monitoring Load Balancing on Virtual Servers” section on page 17-33). For
example, if you click the In Service hyperlink, you will see only the virtual servers that are
currently in service.
• Real Servers—(ACE only) Total count of real servers configured in all contexts and the count of real
servers that are in the In Service and Out of Service state. A hyperlink enables you to view load
balancing real server monitoring information based on the identified state (see the “Monitoring Load
Balancing on Real Servers” section on page 17-37). For example, if you click the In Service
hyperlink, you will see only the real servers that are currently in service.
• Probes—(ACE only) Total count of probes configured in all contexts and the count of probes that
are in the In Service and Out of Service state. A hyperlink enables you to view load balancing probe
monitoring information based on the identified state (see the “Monitoring Load Balancing on
Probes” section on page 17-40). For example, if you click the In Service hyperlink, you will see only
the probes that are currently in service.
• Gigabit Ethernets—(ACE appliance only) Total count of Gigabit Ethernet physical interfaces
configured on the ACE appliance based on their operational status of Up and Down. A hyperlink
enables you to view traffic summary information based on the identified state (see the “Monitoring
Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the
Gigabit Ethernet physical interfaces that currently have an operational status of Up.
• VLANs—(ACE only) Total count of VLANs configured and the count of VLANs based on their
operational status (Up or Down). A hyperlink enables you to view traffic summary information
based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if
you click the Up hyperlink, you will see only the VLAN interfaces that currently have an operational
status of Up.
• Port Channels—(ACE appliance only) Total count of port channels configured on the ACE appliance
based on their operational status of Up and Down. A hyperlink enables you to view traffic summary
information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For
example, if you click the Up hyperlink, you will see only the port channels that currently have an
operational status of Up.
• BVIs—(ACE only) Total count of BVI interfaces and the count of BVI interfaces based on their
operational status of Up and Down. A hyperlink enables you to view traffic summary information
based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if
you click the Up hyperlink, you will see only the BVI interfaces that currently have an operational
status of Up.
• Certificates—(ACE only) Total count of SSL certificates and the count of SSL certificates that are
valid, expired, or expiring within 30 days. A hyperlink accesses a popup window in which you can
view the SSL certificates list based on the selection, displaying the certificate name, device name,
days to expire, expiration date, and the date on which the days to expire were evaluated.
Certificates are considered expired if their expiration date is within the next day (rounded down to
the next day). A hyperlink in the device name allows you to navigate to the context-based SSL
Certificate configuration page (see the “Using SSL Certificates” section on page 11-5).
• GSS VIP Answers—(GSS only) Total number of configured VIP answers and their operating state,
which is either Active or Other. The Other state can indicate any of the following states: Suspended,
Operational Suspended, Unknown, Failed, or N/A.
• GSS DNS Rules—(GSS only) Total number of configured DNS rules and their operating state,
which is either Active or Other. The Other state can indicate either the Suspended or N/A states.
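The Certificates entries of both configuration summary tables (the ACE virtual context dashboard above and this group dashboard) give the bucketing rule only in words. The following is an added example, not ANM code, that applies that rule to a constructed certificate inventory and produces the popup's columns; it assumes that "days to expire" is the whole number of days from the evaluation time to the expiration time, rounded down, that fewer than 1 day (including dates already past) means expired, that 1 to 30 days means expiring within 30 days, and that anything later is valid.

```python
"""Added example (not ANM code): bucket SSL certificates the way the
Certificates summary on the dashboards describes.

Assumption: "days to expire" is the whole number of days from evaluation to
expiration, rounded down; below 1 day (including already-past dates) is
expired; 1..30 days is "expiring within 30 days"; later is valid (shown as
"expiring beyond 30 days" on the virtual context dashboard).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

EXPIRED = "expired"
EXPIRING_SOON = "expiring within 30 days"
VALID = "valid"


@dataclass(frozen=True)
class CertRecord:
    name: str
    device: str
    expires_at: datetime


def days_to_expire(cert: CertRecord, evaluated_at: datetime) -> int:
    """Whole days until expiration, rounded down; negative once already expired."""
    return (cert.expires_at - evaluated_at) // timedelta(days=1)


def classify(cert: CertRecord, evaluated_at: datetime) -> str:
    days = days_to_expire(cert, evaluated_at)
    if days < 1:          # expires within the next day, or already expired
        return EXPIRED
    if days <= 30:
        return EXPIRING_SOON
    return VALID


def summarize(certs: Iterable[CertRecord],
              evaluated_at: datetime) -> Tuple[Dict[str, int], List[dict]]:
    """Return the per-bucket counts and one row per certificate with the popup's
    columns (certificate name, device name, days to expire, expiration date,
    evaluation date), soonest expiry first."""
    counts = {EXPIRED: 0, EXPIRING_SOON: 0, VALID: 0}
    rows: List[dict] = []
    for cert in certs:
        bucket = classify(cert, evaluated_at)
        counts[bucket] += 1
        rows.append({
            "certificate name": cert.name,
            "device name": cert.device,
            "days to expire": days_to_expire(cert, evaluated_at),
            "expiration date": cert.expires_at.date().isoformat(),
            "evaluated": evaluated_at.date().isoformat(),
            "status": bucket,
        })
    rows.sort(key=lambda r: r["days to expire"])
    return counts, rows


# Constructed sample inventory, evaluated at a fixed point in time.
EVALUATED_AT = datetime(2012, 6, 1, 12, 0, 0)
SAMPLE_CERTS = [
    CertRecord("web-frontend", "ace-1/ctx-web", datetime(2012, 6, 2, 6, 0)),   # 18 h left: expired
    CertRecord("legacy-vip", "ace-1/ctx-web", datetime(2012, 5, 20, 0, 0)),    # already past: expired
    CertRecord("api-gateway", "ace-2/ctx-api", datetime(2012, 6, 20, 0, 0)),   # 18 days: expiring soon
    CertRecord("edge-proxy", "ace-2/ctx-api", datetime(2012, 7, 1, 12, 0)),    # exactly 30 days: expiring soon
    CertRecord("partner-b2b", "ace-2/Admin", datetime(2012, 7, 2, 12, 0)),     # 31 days: valid
    CertRecord("intranet", "ace-1/Admin", datetime(2013, 6, 1, 12, 0)),        # 365 days: valid
]


def sample_summary() -> Tuple[Dict[str, int], List[dict]]:
    return summarize(SAMPLE_CERTS, EVALUATED_AT)


if __name__ == "__main__":
    counts, rows = sample_summary()
    print(counts)
    for r in rows:
        print(f"{r['certificate name']:14} {r['device name']:14} {r['days to expire']:5} "
              f"{r['expiration date']}  {r['status']}")
```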
This data is collected during discovery as well as during periodic monitoring polling. The timestamp
shown in the status bar indicates a varying poll time; that is, different virtual contexts were polled and
the contexts had different time stamps. The earliest time stamp of the polled virtual contexts is displayed
in the status bar.
All counts shown in the Device Configuration Summary table are based on the operational status of the
monitored objects listed above.
• Out Of Service—Indicates any status other than In Service (for example, Out Of Service, Failed, or
Disabled).
• Status not available—Indicates that ANM was unable to poll the operational status of this object.
The display of this operational status could be due to polling errors or the device was unreachable.
Also, if a poll was recently initiated, this operational status could indicate that ANM is in the process
of collecting data.
• Status not supported—Indicates that the device does not have the capability to provide an
operational status of this object. The display of this operational status could be due to missing
SNMP instrumentation on the CSS or on earlier ACE devices.
Top 10 Current Resources Table
The Top 10 Resource Usage table (Figure 17-8) displays the top 10 resource types that have been
evaluated for high resource utilization. The resource with the highest utilization appears at the top.
ANM collects this data by using the ACE show resource usage CLI command.
Figure 17-8 Top 10 Current Resources Table—ANM Group Dashboard
This table includes the following information:
• Last Hour—Plot of high resource utilization during the past hour.
• Resource Name—Type of system resource in the context.
• Used By—Name of the virtual context that is placing the high demand on the resource. Global pool
usage is critical in a setup where one or more contexts are configured to draw on the global pool
once their reserved resources are depleted and the global pool still has free resources. In this
situation, if the global pool is depleted, multiple contexts may be starved of the resource.
Note Contexts configured to make use of the global pool will not be evaluated for the Top 10 Resource
Usage table.
• Current Usage—Active concurrent instances or the current rate of the resource.
• Average—Average value of resource usage (based on the last hour).
• Max.—Highest value of resource usage (based on the last hour).
• Last Polled Time—Date and time of the last time that ANM polled the device to display the current
values.
Hyperlinks allow you to access the individual resource usage page for more details (see the “Monitoring
Resource Usage” section on page 17-26).
You can choose to show or hide the syslog buffer information that displays in the Top 10 Current
Resources pane. You may want to hide this information because it will always show 100 percent after
the buffer becomes full and starts to wrap (see the “Managing the Syslog Buffer Display in the All
Devices Dashboard” section on page 18-66).
Latest 5 Alarms Notifications Table
The Latest 5 Alarm Notification table (Figure 17-9) displays the most recent five alarms for ANM along
with a summary that explains the number of Critical, Major, Minor, and Informational alarms. This
function interacts with the user-configured ANM alarm and threshold features (see the “Configuring
Alarm Notifications on ANM” section on page 17-57).
Figure 17-9 Latest 5 Alarms Notifications Table
Note By default, no thresholds are configured in ANM.
This table includes the following information:
• Device—Name of the ACE device (appliance or module).
• Severity—Severity level of the threshold, which can be one of the following: Info, Critical, Major,
Minor.
• Time—ANM timestamp at which the alarm occurred.
• Category—Alarm name.
• Details—Additional information about the alarm.
A hyperlink allows you to view alarm notifications (see the “Displaying Alarm Notifications” section on
page 17-65).
Latest 5 Critical Events Table
The Latest 5 Critical Events table displays the most recent five critical events that ANM receives from
devices, including traps and high severity syslogs. ANM displays a summary that explains the number
of Emergency, Alert, and Critical alarms. ANM displays critical events if the imported ACE device has
been configured to send syslogs and traps to ANM. For information about configuring the ACE to send
syslogs and traps, see either the Cisco Application Control Engine Module System Message Guide or the
Cisco 4700 Series Application Control Engine Appliance System Message Guide.
Figure 17-10 Latest 5 Critical Events Table
The following details are shown in the Critical Events table:
• Device/Context—ACE device name and virtual context where the event occurred.
• Time—ANM timestamp at which the alarm occurred.
• Type—Displays if the event appears in a syslog or a trap.
• Details—Additional information about the critical event.
A hyperlink allows you to view all events collected by ANM (see the “Monitoring Events” section on
page 17-55).
Contexts Performance Overview Graph
The Contexts Performance Overview graph displays the top five virtual contexts based on a
user-configurable resource statistic, such as ACL Memory or Bandwidth. You select the resource
from the Select Statistics drop-down list. This data is collected by ANM by using the ACE show
resource usage CLI command.
Figure 17-11 Context Performance Graph
To toggle the display of the top five virtual context chart in the Contexts Performance Overview graph:
• Click View As Chart to display the resource statistic as a graph.
• Click View As Grid to display the resource statistic as a numerical line grid.
Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image
button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can
save the graph as a JPEG or send it in an email. You can also print the graph if desired.
If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to
Excel link in the View As Grid object display.
Monitoring Device Groups
You can display monitoring information for device groups that you create in Cisco License Manager (see
Configuring User-Defined Groups, page 5-72). When you choose Monitor > Devices > Groups >
device_group, all monitoring features that are supported on any of the devices in the device group are
displayed. Because some monitoring features, for example, Application Acceleration, are not supported
on all device types, you can click the following buttons at the bottom of the Monitor screens to change
what information appears:
• Show Polled Devices—By default, only the devices in the device group that support the specified
feature are displayed.
• Show All Devices—All devices in the device group are shown on the Monitoring results window,
whether or not the feature you selected is supported on all the devices.
For example, if you create a device group that contains an ACE appliance and several other different
device types, then choose Monitor > Devices > Groups > device_group > Application Acceleration,
by default, only the ACE appliance appears in the Application Acceleration window because the other
device types in the device group do not support this feature. If you click Show Polled Devices, all
devices in the device group are displayed.
When viewing monitoring information, you might see N/A, which indicates that ACE Device Manager
was not able to obtain the specified value. In addition, the monitoring window displays N/A in certain
fields for which polling has not been executed.
Related Topics
• Setting Up Devices for Monitoring, page 17-2
• Device Monitoring Features, page 17-3
• Using Dashboards to Monitor Devices and Virtual Contexts, page 17-4
• Monitoring Devices, page 17-24
Monitoring Devices
ANM monitors activities on ACE, CSS, and CSM devices. When you choose Monitor > Devices, you
can view device information. Using SNMP and CLI commands, ANM gathers information about your
devices and displays the information.
Note If you get a warning message indicating that monitoring is not enabled or functioning, you must enable
statistic monitoring on the device. See the “Setting Polling Parameters” section on page 17-46.
Table 17-2 lists the features that appear under Monitor > Devices, depending on which device type you
choose in the device tree.
Related Topics
• Using Dashboards to Monitor Devices and Virtual Contexts, page 17-4
• Monitoring the System, page 17-25
• Setting Up Devices for Monitoring, page 17-2
• Device Monitoring Features, page 17-3
• Setting Polling Parameters, page 17-46
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
Table 17-2 Supported Features According to Device Type

Device Type Selected   Supported Features Displayed Under
in the Device Tree     Dashboard  System  Resource  Traffic  Load       Application   Polling
                                  View    Usage(1)  Summary  Balancing  Acceleration  Settings
ACE module             X          –       X         X        X          –             –
  Admin context        X          –       X         X        X          –             X
  User context         X          –       X         X        X          –             X
ACE appliance          X          –       X         X        X          X             –
  Admin context        X          –       X         X        X          X             X
  User context         X          –       X         X        X          X             X
CSS                    –          X       –         X        X(2)       –             X
CSM                    –          X       –         –        X          –             X
GSS                    –          –       –         –        –          –             X
Groups(3)              X          –       X         X        X          X             –

1. See the “Monitoring Resource Usage” section on page 17-26 for information about the options available under Resource Usage.
2. CSS devices support Virtual Servers only, so you do not see the Load Balancing > Statistics menu option.
3. By default, all monitoring features that are supported on any of the devices in the device group appear when you select a device group. See the “Using
Dashboards to Monitor Devices and Virtual Contexts” section on page 17-4 for more information about monitoring various device types within a device
group.
Monitoring the System
Cisco License Manager provides a System View that displays device information and a general overview
of your system as a whole. System View is available only for CSS and CSM devices. If a CSM has
crashed, you can use the System View to find out when and why the crash occurred and display
information that affects the module. The System View also displays High Availability (HA) information
and licensing information.
Note To monitor the ACE module or appliance, use the Device Dashboard function of ANM. See the “Using
Dashboards to Monitor Devices and Virtual Contexts” section on page 17-4 for details.
Note ANM does not support monitoring of chassis.
Procedure
Step 1 Choose Monitor > Devices > device > System View.
The information that appears depends on what device type you select in the device tree.
The System View displays the following information:
• Device Information
• High Availability
• License Status
• Module Information (for CSS devices only)
Note You can sort the information displayed in the table by clicking on a column heading.
Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values.
Step 3 Click OK when asked if you want to poll the devices for data now.
Related Topics
• Setting Up Devices for Monitoring, page 17-2
• Device Monitoring Features, page 17-3
• Setting Polling Parameters, page 17-46
• Monitoring Traffic, page 17-30
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
Monitoring Resource Usage
ANM provides resource usage information so that you can easily determine whether you need to reallocate
resources to a particular virtual context, view traffic usage in your contexts, or determine the available
capacity of your contexts. ANM provides resource usage for ACEs in three modes:
• Virtual-context based resource usage—You must select a virtual context from the device tree to view
resource usage specific to the context (see the “Monitoring Virtual Context Resource Usage” section
on page 17-26).
• System-wide resource usage—You must select an ACE module or appliance from the device tree to
view system-wide information and to display the following options:
– Connections—Displays traffic resource usage information. See the “Monitoring System Traffic
Resource Usage” section on page 17-27.
– Features—Displays non-connection based resource usage information. See the “Monitoring
System Non-Connection Based Resource Usage” section on page 17-29.
• Dashboard usage—You can select an ACE module, ACE appliance, or ACE virtual context from the
device tree, and then choose Monitor > Devices > ACE > Dashboard. See the “Using Dashboards
to Monitor Devices and Virtual Contexts” section on page 17-4.
See the “Configuring Virtualization” chapter of either the Cisco Application Control Engine Module
Virtualization Configuration Guide or the Cisco 4700 Series Application Control Engine Appliance
Virtualization Configuration Guide for the maximum resource usage value for each attribute.
Monitoring Virtual Context Resource Usage
ANM displays resource usage for virtual contexts as explained in the following steps.
See the “Configuring Virtualization” chapter of either the Cisco Application Control Engine Module
Virtualization Configuration Guide or the Cisco 4700 Series Application Control Engine Appliance
Virtualization Configuration Guide for the maximum resource usage value for each attribute.
Procedure
Step 1 Choose Monitor > Devices > virtual_context > Resource Usage.
The information in Table 17-3 appears in the Resource Usage window.
Table 17-3 Virtual Context Resource Usage Field Descriptions
ACL Memory (Bytes): ACL memory usage.
Application Acceleration (Connections): Number of application acceleration connections. Note: This field displays if you selected an ACE appliance in the device tree.
Bandwidth (Bytes/Sec): Bandwidth in bytes per second.
Concurrent Connections (Connections): Number of simultaneous connections.
Connection Rate (Connections/Sec): Connections per second.
Step 2 (Optional) Click Poll Now to instruct ANM to poll the devices and display the current values, and click
OK when prompted if you want to poll the devices for data now.
Step 3 (Optional) To display a historical trend graph of resource data for the virtual context, select up to four
resources from the list and click Graph.
The Resource Usage Graph appears (see the “Configuring Historical Trend and Real Time Graphs for
Devices” section on page 17-48 for details).
Related Topics
• Monitoring System Traffic Resource Usage, page 17-27
• Monitoring System Non-Connection Based Resource Usage, page 17-29
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
Table 17-3 Virtual Context Resource Usage Field Descriptions (continued)
HTTP-comp rate: HTTP compression rate. Note: This field displays when you select one of the following device types from the device tree: An ACE appliance (any version) or an ACE module version A4(1.0) or later.
Inspect Connection Rate (Connections/Sec): RTSP/FTP inspection connections per second.
MAC Miss Rate (Connections/Sec): MAC miss traffic punted to CP packets per second.
Management Connection Rate (Connections): Number of management connections.
Management Traffic Rate (Connections/Sec): Management traffic bytes per second.
Proxy Connection Rate (Connections): Proxy connections.
Regular Expression Memory (Bytes): Regular expressions usage in bytes.
SSL Connection Rate (Transactions/Sec): SSL (Secure Sockets Layer) connections per second.
Sticky Entries: Number of sticky table entries.
Syslog Buffer Size (Bytes): Syslog message buffer size in bytes.
Syslog Message Rate (Messages/Sec): Syslog messages transmitted in messages per second.
Throughput (Bytes/Sec): Displays through-the-ACE traffic. This is a derived value (you cannot configure it directly) and it is equal to the bandwidth rate minus the mgmt-traffic rate for the 1-Gbps and 2-Gbps licenses.
Translation Entries: Current number of network and port address translations.
Monitoring System Traffic Resource Usage
ANM displays system-wide traffic resource usage as explained in the following steps. See the “Configuring Virtualization” chapter of either the Cisco Application Control Engine Module Virtualization Configuration Guide or the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for the maximum resource usage value for each attribute.
Note You must select an ACE module or appliance from the device tree to view system-wide traffic resource
usage information as shown in the following steps.
Procedure
Step 1 Choose Monitor > Devices > ACE > Resource Usage > Connections.
The current resource usage information appears as shown in Table 17-4.
Note There might be a slight delay because the resource usage information is gathered in real-time.
Note If any of the percentages that display in the Resource Usage Connections table exceed 100 percent, this
is an indication that a license on the ACE was recently installed or uninstalled using either ANM or the
CLI. To correct the display problem, manually synchronize the Admin context of the ACE with the CLI
(see the “Synchronizing Virtual Context Configurations” section on page 6-105).
Table 17-4 Resource Usage Connections Field Descriptions
Context: Name of the virtual context.
Conc. Conn. %: Number of simultaneous connections.
Mgmt. Conn. %: Number of management connections.
Proxy Conn. %: Proxy connections.
Bandwidth (Bytes/S) %: Bandwidth in bytes per second.
Throughput (Bytes/S): Throughput in bytes per second. Note: This field appears when you select an ACE in the device tree.
Conn. Rate (Conn./S) %: Connections per second.
SSL Conn. Rate (Trans./S) %: SSL (Secure Sockets Layer) connections per second.
Mgmt. Traffic Rate (Conn./S) %: Management traffic connections per second.
MAC Miss Rate (Conn./S) %: MAC miss traffic punted to CP packets per second.
Insp. Conn. Rate (Conn./S) %: RTSP/FTP inspection connections per second.
App. Acc. Conn. %: Number of application acceleration connections. Note: This field appears when you select an ACE appliance in the device tree.
HTTP-Comp Rate %: HTTP compression rate. Note: This field appears when you select one of the following device types from the device tree: An ACE appliance (any version) or an ACE module version A4(1.0) or later.
Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values.
Step 3 Click OK when asked if you want to poll the devices for data now.
Related Topics
• Monitoring Virtual Context Resource Usage, page 17-26
• Monitoring System Non-Connection Based Resource Usage, page 17-29
Monitoring System Non-Connection Based Resource Usage
ANM displays system-wide, non-connection-based resource usage as explained in the following steps.
Note You must select an ACE module or appliance from the device tree to view the non-connection based
resource usage information as shown in the following steps.
Procedure
Step 1 Choose Monitor > Devices > ACE > Resource Usage > Features.
The current resource usage information appears as shown in Table 17-5.
Note There might be a slight delay because the resource usage information is gathered in real time.
Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values.
Step 3 Click OK when asked if you want to poll the devices for data now.
Table 17-5 Resource Usage Features Field Descriptions
Context: Name of the virtual context.
Translation Entries %: Current number of network and port address translations.
ACL Memory (Bytes) %: ACL memory usage in bytes.
RegEx Memory (Bytes) %: Regular expressions memory usage in bytes.
Syslog Buffer Size (Bytes) %: Syslog message buffer size in bytes.
Syslog Message Rate (Messages/S) %: Syslog messages per second.
Related Topics
• Monitoring Virtual Context Resource Usage, page 17-26
• Monitoring System Traffic Resource Usage, page 17-27
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
Monitoring Traffic
ANM determines traffic information for your ACE module, ACE appliance, or CSS devices by
calculating the delta traffic values since the last polling cycle and displays the resulting values. You can
view traffic summary information as shown in the steps below.
Note To get traffic data polled directly from a device, click on an interface name that appears in the Interface
column. See Displaying Device-Specific Traffic Data, page 17-31.
Procedure
Step 1 Choose Monitor > Devices > device > Traffic Summary.
The information shown in Table 17-6 appears in the Traffic Summary page.
Note You can click on any column heading to sort the table by that column.
Table 17-6 Traffic Summary Fields
Device: Fully-qualified device name. This field does not appear for CSS devices.
Interface: Name of the interface. Click the interface hyperlink to get traffic data polled directly from the device as shown in Table 17-7.
Admin Status: User-specified status of the device, which can be one of the following states:
• Up
• Down
• Testing, which indicates that no operational packets can be passed
Operational Status: Current operational status of the device, which can be one of the following states:
• Up
• Down
• Testing, which indicates that no operational packets can be passed
• Unknown
• Dormant, which indicates the interface is waiting for external actions (such as a serial line waiting for an incoming connection)
• Not present, which indicates the interface has missing components
Packets In / Sec: This field appears for ACEs only. Per second, the number of packets delivered by this sub-layer to a higher (sub-)layer, which were not addressed to a multicast or broadcast address at this sub-layer.
Packets Out / Sec: This field appears for ACEs only. Per second, the total number of packets that higher-level protocols requested be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.
Table 17-6 Traffic Summary Fields (continued)
Bytes In / Sec: Number of octets received, including framing characters, per second.
Bytes Out / Sec: Number of octets per second transmitted out of the interface, including framing characters.
Errors In / Sec: Number of inbound packets discarded per second because they contained errors or because of an unknown or unsupported protocol.
Errors Out / Sec: Number of outbound packets discarded per second because they contained errors or because of an unknown or unsupported protocol.
Last Polled: Date and time of the last time that ANM polled the device to display the current values. This field appears if viewing traffic summary data at a device level or at a device group level in the device tree. Note: The Last Polled time stamp appears in the table heading if viewing traffic summary data at a virtual context level.
Step 2 (Optional) Click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted if you want to poll the devices for data now.
Step 3 (Optional) To display a historical trend graph of traffic information, select up to four interfaces from the list and click Graph.
The Resource Usage Graph appears (see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48 for details).
Step 4 (Optional) Choose a device, and click Details to see specific traffic information for the selected device (see the “Displaying Device-Specific Traffic Data” section on page 17-31).
Related Topics
• Displaying Device-Specific Traffic Data, page 17-31
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
Displaying Device-Specific Traffic Data
You can display device-specific traffic data as shown in the following steps.
Procedure
Step 1 Choose Monitor > Devices > device > Traffic Summary.
Hyperlinked device names appear in the Interface column.
Step 2 Choose a hyperlinked device name.
The Traffic Summary Details window appears, showing the information described in Table 17-7.
Note You can click on a column heading to sort the table by that column.
Step 3 Click OK to close the window and return to the Traffic Summary window.
Related Topics
• Monitoring Traffic, page 17-30
Table 17-7 Traffic Summary Details Window Description
Device type: ACE and CSS
  Bytes In: Total number of octets received on the interface, including framing characters.
  Bytes Out: Total number of octets transmitted out of the interface, including framing characters.
  Discarded Inbound Packets: Number of inbound packets which were discarded even though no errors were detected, to prevent their being delivered to a higher-layer protocol.
  Discarded Outbound Packets: Number of outbound packets which were discarded even though no errors were detected, to prevent their being transmitted.
  Inbound Packet Errors: Total number of inbound packet errors.
  Inbound Packets with Unknown Protocol: Total number of packets received via the interface which were discarded because of an unknown or unsupported protocol.
  Outbound Packet Errors: Total number of outbound packet errors.
  Packets In: Number of packets delivered by this sub-layer to a higher (sub-)layer, which were not addressed to a multicast or broadcast address at this sub-layer.
  Packets Out: Number of packets that higher-level protocols requested be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.
Device type: CSS only
  Active TCP: Current number of active TCP flows on the interface.
  Active UDP: Current number of active UDP flows on the interface.
  FCB Count: Number of unused fastpath flow control blocks for the interface.
  TCP Average: Five-second moving average of TCP flows per second on the interface.
  TCP Current: Number of new TCP flows within the last second on the interface.
  TCP High: Maximum number of TCP flows in any one-second interval on the interface.
  TCP Total: Total TCP flows on the interface.
  UDP Average: Five-second moving average of UDP flows per second on the interface.
  UDP Current: Number of new UDP flows within the last second on the interface.
  UDP High: Maximum number of UDP flows in any one-second interval on the interface.
  UDP Total: Total UDP flows on the interface.
Monitoring Load Balancing
ANM monitors load balancing and allows you to view the information associated with virtual servers,
real servers, probes, and load balancing statistics.
This section includes the following topics:
• Monitoring Load Balancing on Virtual Servers, page 17-33
• Monitoring Load Balancing on Real Servers, page 17-37
• Monitoring Load Balancing on Probes, page 17-40
• Monitoring Load Balancing Statistics, page 17-41
Monitoring Load Balancing on Virtual Servers
ANM monitors load balancing and allows you to display the associated virtual server information as
shown in the following steps.
Note You can display additional load-balancing information about real servers, such as the number of servers that are functioning properly, and about probes, such as whether an excessive number of probes are failing, by clicking the hyperlink in the respective columns in Table 17-8.
Procedure
Step 1 Choose Monitor > Devices > device > Load Balancing > Virtual Servers.
Depending on the device type you selected in the device tree, the information described in Table 17-8
appears.
Note For the ACE appliance and the ACE module running A2(3.0), click the Advanced Editing
Mode button to show/hide additional load balancing virtual server monitoring fields.
Note If you select a CSS device from the device tree, the navigation path does not include Load
Balancing; the path is Monitor > Devices > CSS_device > Virtual Servers.
Table 17-8 Load Balancing Virtual Server Monitoring Information
Device type: All
  Virtual Server: Name of the virtual server. Note: If a virtual server is associated with primary and backup server farms, two entries appear in the table: one for the primary server farm and one for the backup server farm. To view statistics for a selected virtual server, click the virtual server hyperlink. The Virtual Server Details popup window appears containing the individual statistic, associated counter value, and a description of the statistic. Click OK to close the popup window.
  IP Address: IP address of the virtual server.
  Port: Port to be used for the specified protocol.
  # Rservers Up: Number of servers up/Number of total servers configured. Note: You can click on the hyperlink in this column to view statistics for the real servers configured for the specified virtual server. See the “Monitoring Load Balancing on Real Servers” section on page 17-37.
Device type: ACEs, CSM
  # Probes Failed: For the ACE, this field displays Number of probes failed/Number of probes configured. For the CSM, this field displays Number of probes failed. Note: For an ACE, you can click on the number displayed to view the statistics for the probes configured for the specified virtual server. See the “Monitoring Load Balancing on Probes” section on page 17-40.
  Operational Status: The state of the server, which can be:
  • Inservice—Indicates the server is in service.
  • Out of Service—Indicates the server is out of service.
  Current Connections: Current number of connections.
  Conns/Sec.: Number of connections per second that the device receives.
Device type: ACEs only
  Device: Fully-qualified device name.
  Protocol: Protocol the virtual server supports, which can be:
  • Any—Indicates the virtual server is to accept connections using any IP protocol.
  • TCP—Indicates that the virtual server is to accept connections that use TCP.
  • UDP—Indicates that the virtual server is to accept connections that use UDP.
  Service Policy: Policy map applied to the device.
  DWS: Operating state of the Dynamic Workload Scaling feature for the associated server farm, which can be:
  • N/A—Not applicable; the virtual server’s server farm is not configured for Dynamic Workload Scaling.
  • Local—The server farm is configured for Dynamic Workload Scaling, but the ACE is load-balancing traffic to the local VM Controller VMs only.
  • Expanded—The server farm is configured for Dynamic Workload Scaling and the ACE is sending traffic to the local and remote VM Controller VMs.
  Dropped Conns/Sec.: Number of connections per second that the ACE discarded.
  Server Farm: Name of the server farm associated with the virtual server.
  Action: Indicates if the device is functioning as a primary server (Primary) or a backup server (Backup).
  Algorithm: Type of predictor algorithm specified on the load balancer, which can be:
  • Roundrobin
  • Leastconn
  • Hash URL
  • Hash Address
  • Hash Cookie
  • Hash Header
  Last Polled: Date and time of the last time that ANM polled the device to display the current values. This field appears if viewing virtual server data at a device level or at a device group level in the device tree. Note: The Last Polled time stamp appears in the table heading if viewing virtual server data at a virtual context level.
Table 17-8 Load Balancing Virtual Server Monitoring Information (continued)
Device type: ACE appliance, ACE module running A2(3.0) (Advanced Editing Mode button)
  Client Packets/Sec: Number of packets per second received from the client.
  Client Bytes/Sec: Number of bytes per second received from the client.
  Server Packets/Sec: Number of packets per second received from the server.
  Server Bytes/Sec: Number of bytes per second received from the server.
  Drops/Sec Conn Rate Limit: Number of active connection drops per second based on the connection rate limit of the real server.
  Drops/Sec Max Conn Limit: Number of active connection drops per second based on the maximum allowable number of active connections to a real server.
Device type: ACEs, CSS, CSM
  Admin Status: User-specified status of the virtual server, which can be:
  • In Service—Indicates the server is in service.
  • Out of Service—Indicates the server is out of service.
Step 2 (Optional) Use the display toggle button located above the table to control which virtual servers ANM displays as follows:
• Show ANM Recognized Virtual Servers—Displays only virtual servers that match ANM’s virtual server definition (see the “Virtual Server Configuration and ANM” section on page 7-2).
• Show All Virtual Servers—Displays virtual servers that match ANM’s virtual server definition and those that do not match this definition but that ANM can recognize as virtual servers using SNMP polling.
Note The display toggle button displays only when you have the “Display All Virtual Servers in Monitoring & Operations page” advanced setting feature enabled (see the “Managing the Display of Virtual Servers in the Operations and Monitoring Windows” section on page 18-66).
Step 3 (Optional) Use the function buttons described in Table 17-9 to update the virtual server information displayed, view graph information, or view the topology map.
Table 17-9 Virtual Server Monitoring Window Function Buttons
Poll Now: Instructs ANM to poll the devices and display the current values. Choose one or more virtual servers and click Poll Now.
Graph: Displays a historical trend graph of virtual server information for a specific virtual server. Choose 1 to 4 virtual servers and click Graph. For more information, see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48.
Topology: Displays the network topology map for a specific virtual server. Choose a virtual server and click Topology. Note: The topology map feature is not available when the Virtual Server table is set to Show All Virtual Servers. Use the display toggle button to ensure that the Virtual Servers table is set to Show ANM Recognized Virtual Servers (see Step 2). The ANM Topology window appears, displaying the virtual server and associated network nodes. For information about using the topology map, see the “Displaying Network Topology Maps” section on page 17-68.
Related Topics
• Monitoring Load Balancing on Real Servers, page 17-37
• Monitoring Load Balancing on Probes, page 17-40
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
Monitoring Load Balancing on Real Servers
ANM monitors load balancing and allows you to view the associated real server information.
Procedure
Step 1 Choose Monitor > Devices > device > Load Balancing > Real Servers.
Depending on the device type you selected in the device tree, the information described in Table 17-10 appears.
Table 17-10 Load Balancing Real Server Monitoring Information
Device type: All
  Real Server: Name of the real server. To view statistics for a selected real server, click the real server hyperlink. The Real Server Details popup window appears containing the individual statistic, associated counter value, and a description of the statistic. Click OK to close the popup window.
  IP Address: IP address of the real server. This field appears only for real servers specified as hosts.
  Port: Port number used for the server port address translation (PAT).
  Admin Status: The specified state of the server, which can be:
  • Inservice—Indicates the server is in service.
  • Out of Service—Indicates the server is out of service.
  • In Service Standby—Indicates the server is a backup server and remains inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections.
  Operational Status: The state of the server, which can be:
  • Inservice—Indicates the server is in service.
  • Out of Service—Indicates the server is out of service.
  • Inservice Standby—Indicates the server is a backup server and remains inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections.
  • Probe Failed—Indicates that ANM did not receive a response to a health probe that it sent to the server.
  VM: Indicator that the real server is, or is not, a VMware virtual machine as follows:
  • – (dash)—The real server is not a VMware VM.
  • Yes—The real server is a VMware VM. To view details about the VM, click Yes. The Virtual Machine Details popup window appears and provides the following information about the VM:
    – Full path—Full path to the VM.
    – DNS Name—DNS name of the VM.
    – IP Address—VM IP address.
    – State—Operating state of the VM (for example, poweredOn).
    – Guest OS—Guest operating system (for example, Red Hat Enterprise Linux 5 (32-bit)).
    – Host—Host IP address.
    – Memory (MB)—Amount of memory.
    – CPU (MHz)—CPU frequency.
    – Triggered Alarms—Number of recorded triggered alarm conditions.
  Click OK to close the Virtual Machine Details popup window.
  Weight: Weight assigned to the real server.
Device type: ACE, CSM
  Server Farm: Primary server farm to use for load balancing.
  Current Connections: Number of current connections to this server. If this field indicates N/A, the database does not have any information about current connections. If this field is 0, the database received an SNMP response of 0.
  Connections Rate: Connections per second.
  Dropped Connections Rate: Dropped connections per second.
Device type: ACEs only
  Device: Fully qualified device name.
  Locality: Field that pertains to the ACE module A4(2.0), ACE appliance A4(2.0), and later releases of either device type only. Locality also requires that you have the ACE configured for Dynamic Workload Scaling (see the “Configuring Dynamic Workload Scaling” section on page 8-26). Possible values for real server locality are as follows:
  • N/A—Not available; the ACE cannot determine the real server location (local or remote). A possible cause for this issue is that Dynamic Workload Scaling is not configured correctly.
  • Local—The real server is located in the local network.
  • Remote—The real server is located in the remote network. The ACE bursts traffic to this server when the local real server's CPU and/or memory usage reaches the specified maximum threshold value.
  Last Polled: Date and time of the last time that ANM polled the device to display the current values. This field appears if viewing virtual server data at a device level or at a device group level in the device tree. Note: The Last Polled time stamp appears in the table heading if viewing virtual server data at a virtual context level.
Device type: CSSs only
  Total Connections: Total number of connections.
Step 2 (Optional) Use the function buttons described in Table 17-11 to update or change the real server information displayed.
Table 17-11 Real Server Monitoring Window Function Buttons
Poll Now: Instructs ANM to poll the devices and display the current values. Choose one or more real servers and click Poll Now. Click OK when asked if you want to poll the devices for data now.
Graph: Displays a historical trend graph of real server information for the specified real servers. Choose 1 to 4 real servers and click Graph. Choosing multiple real servers allows you to compare information. For more information, see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48.
Topology: Displays the network topology map for the specified real server. Choose a real server and click Topology. The ANM Topology window appears, displaying the real server and associated network nodes. For information about using the topology map, see the “Displaying Network Topology Maps” section on page 17-68.
Related Topics
• Monitoring Load Balancing, page 17-33
• Monitoring Load Balancing on Probes, page 17-40
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
Monitoring Load Balancing on Probes
To check the health and availability of a real server, the ACE periodically sends a probe to the real server. If you notice an excessive number of probes failing, you can view the monitoring information as shown in the following steps.
Procedure
Step 1 Choose Monitor > Devices > ACE > Load Balancing > Probes.
The probe information described in Table 17-12 appears.
Step 2 (Optional) Click Poll Now to instruct ANM to poll the devices and display the current values.
Step 3 (Optional) To view the details associated with a specific probe, choose a probe from the list and click Details.
The show probe probe_name detail CLI command output appears in a popup window.
Step 4 Click OK when asked if you want to poll the devices for data now.
Table 17-12 Load Balancing Probes Monitoring Information
Device: Name of the ACE managed by ANM.
Probe: Name of the probe. To view statistics for a selected probe, click the probe hyperlink. The Probe Details popup window appears containing the following probe statistics:
• Failed Probes—Total number of failed probes.
• Health of Probes—Health of the probe. Possible values are PASSED or FAILED.
• Probes Passed—Total number of passed probes.
Click OK to close the Probe Details popup window.
Type: Type of probe. For a complete list of probe types and their descriptions, see Table 8-11.
Real Server: Name of the real server that the probe is associated with.
Server Farm: Name of the server farm that the probe is associated with.
Port: Port number that the probe uses. By default, the probe uses the port number based on its type.
Probe IP Address: Destination or source address for the probe.
Probed Port: Source of the probe's port number.
Probe Health: Health of the probe. Possible values are PASSED or FAILED.
Passed Rate: Rate of passed probes.
Failed Rate: Rate of failed probes.
Last Polled: Time stamp for the last probe. This field appears if viewing probe data at a device level or at a device group level in the device tree. Note: The Last Polled time stamp appears in the table heading if viewing probe data at a virtual context level.
Related Topics
• Monitoring Load Balancing, page 17-33
• Monitoring Load Balancing Statistics, page 17-41
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
Monitoring Load Balancing Statistics
You can monitor load balancing on your ACE and CSM devices as shown in the following procedure.
Procedure
Step 1 Choose Monitor > Devices > device > Load Balancing > Statistics.
The Load Balancing Statistics Monitoring Information window displays the information described in
Table 17-13.
Step 2 (Optional) Click Poll Now to instruct ANM to poll the devices and display the current values and click
OK when prompted if you want to poll the devices for data now.
Step 3 (Optional) To display a historical trend graph of load balancing statistics, select up to four objects from
the list and click Graph.
The Resource Usage Graph appears (see the “Configuring Historical Trend and Real Time Graphs for
Devices” section on page 17-48 for details).
Related Topics
• Testing Connectivity, page 17-71
• Configuring Historical Trend and Real Time Graphs for Devices, page 17-48
Table 17-13 Load Balancing Statistics Monitoring Information
Device Type  Field                                          Description
ACEs only    Device                                         Name of the device
             L4 Policy Connections                          Number of Layer 4 policy connections
             L7 Policy Connections                          Number of Layer 7 policy connections
             Failed Connections                             Number of failed connections
             Dropped L4 Policy Connections                  Number of dropped Layer 4 policy connections
             Dropped L7 Policy Connections                  Number of dropped Layer 7 policy connections
             Rejected Connections Due To No Policy Match    Number of connections rejected because they did not match policies
             Rejected Connections Due To ACL Deny           Number of connections rejected due to ACL parameters
             Rejected Connections Due To L7 Config Changes  Number of rejected connections due to Layer 7 configuration changes
             Connection Timed Out                           Number of times the connection timed out.
             Last Polled                                    Date and time of the last time that ANM polled the device to display the
                                                            current values.
CSM only     Statistic                                      Name of the monitored statistic.
             Value                                          Statistic value.
             Rate                                           Statistic rate.
             Description                                    Explanation of the monitored CSM statistic.
Monitoring Application Acceleration
If you have configured application acceleration functions on the ACE, you can monitor the optimization
statistics as shown in the following steps.
Step 1 Choose Monitor > Devices > device > Application Acceleration.
The Application Acceleration information appears as shown in Table 17-14.
Note For connection-based syslogs, the following additional parameters are displayed: Source IP,
Source Port, Destination IP, Destination Port, and Protocol Information. This allows you to sort
and filter on these fields if desired.
Table 17-14 Application Acceleration Monitoring View
Field / Statistic                            Description
Condenser Information
  Total HTTP Unoptimized Requests Received   Total number of end-user HTTP requests the condenser has
                                             received that cannot be optimized
  Accumulated Bytes Received                 Accumulated size (in bytes) of each end-user requested object
  Total Responses in Bytes                   Accumulated size (in bytes) of responses, both for condensable
                                             and non-condensable end-user HTTP requests
  Total Abandons of Delta Optimization       Total number of abandons of delta optimization requests
Cacheable Objects Statistics
  Total Objects Served from Cache            Total number of cacheable objects served from the cache,
                                             excluding the not-modified replies
  Accumulated Bytes Served                   Accumulated size (in bytes) of the cacheable objects served from
                                             the cache, excluding not-modified replies
  Total Objects Not Found in Cache           Total number of cacheable objects not found in the cache
  Accumulated Bytes Not Found                Accumulated size (in bytes) of the cacheable objects not found in
                                             the cache
  Total IMS Requests for Valid Cache         Total number of IMS requests for valid copies of objects in the
                                             cache
  Total Missed IMS Requests                  Total number of IMS requests for objects that either do not exist
                                             or are stale in the cache
  Total Non-Cacheable Object Requests        Total number of non-cacheable object requests
  Total Requests with Not Modified Responses Total number of requests for stale objects that have the response
                                             from the origin server as not modified
Flash Forward Objects Statistics
  Successful Transformations                 Total number of successful transformations for FlashForward
                                             objects
  Unsuccessful Transformations               Total number of unsuccessful transformations for FlashForward
                                             objects
  Total HTTP Requests                        Total number of HTTP requests (excluding the IMS requests) for
                                             the transformed FlashForward objects
  Total IMS Requests                         Total number of IMS requests for transformed FlashForward
                                             objects
Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values.
Step 3 Click OK when asked if you want to poll the devices for data now.
Related Topics
Configuring Application Acceleration and Optimization, page 15-1
Displaying the Polling Status of All Managed Objects
You can display the polling status of the following objects that ANM manages: ACE virtual contexts and
CSS, CSM, and GSS devices. Because ACE devices are partitioned into virtual contexts that can be
polled individually, the polling status window displays the status of each ACE virtual context. From the
polling status window, you have the option to restart polling to a virtual context or device that currently
has polling disabled.
Guidelines and Restrictions
The time it takes the Polling Status window to reflect global changes that you make to the polling status
or polling interval varies depending on the number of managed objects being polled. For information
about making global polling changes, see the “Enabling Polling on All Devices” section on page 17-47.
Procedure
Step 1 Choose Monitor > Settings > Polling Status.
The Polling Status window appears.
Table 17-15 Polling Status Window
Field                        Description
Name                         Name of the object polled. For all ACE devices, the context names associated with each
                             ACE. For all other object types, such as a GSS, the device name.
Type                         Type of object polled. The type will either be Virtual Context to indicate an ACE virtual
                             context or a specific device type, such as GSS.
Polling Config               Polling configuration operational state: Enabled or Disabled. For more information, see
                             the “Setting Polling Parameters” section on page 17-46.
Polling Interval             Frequency at which ANM polls the object.
Polling Status               Current polling status of the managed object:
                             • Missing SNMP Credentials—SNMP credentials are not configured for this object;
                               statistics are not collected. Add SNMPv2c credentials to fix this error.
                             • Not Polled—SNMP polling has not started. For a virtual context, this problem might
                               occur when the virtual context is first created from ANM and the SNMP credentials
                               are not configured. Add SNMPv2c credentials to fix this error.
                             • Polling Failed—SNMP polling failed due to some internal error. Try restarting
                               polling to enable SNMP collection again.
                             • Polling Started—No action is required. Everything is working properly. Polling
                               states will display activity.
                             • Polling Timed Out—SNMP polling has timed out. This problem might occur if the
                               wrong credentials were configured or might be caused by an internal error (such as
                               SNMP was configured incorrectly or the destination is not reachable). Verify that
                               SNMP credentials are correct. If the problem persists, restart polling to enable SNMP
                               collection again.
                             • Unknown—SNMP polling is not working due to one of the above-mentioned
                               conditions. Check the SNMPv2c credential configuration.
Last Polled Time             Time stamp of the last time ANM polled the object.
CLI Sync Status              (ACE virtual contexts only) Administrative configuration status of the context as follows:
                             • Import Failed—The context did not import successfully. This problem could have
                               occurred when the device was added to ANM or when the context was synchronized.
                               Synchronize the context so that you can manage it (Config > Devices > ACE >
                               context > Sync).
                             • OK—The context is synchronized with the ACE CLI.
                             • Out of Sync—The context is managed by ANM but the configuration for the context
                               on the device differs from the configuration managed by ANM. For information on
                               synchronizing contexts, see the “Synchronizing Virtual Context Configurations”
                               section on page 6-105.
                             • Unprovisioned—The context has been removed from the ACE using the CLI but has
                               not been removed from ANM. To remove unprovisioned contexts, synchronize the
                               associated Admin context.
                             For all polled objects that are not virtual contexts, the value N/A appears in this column
                             because ANM does not support auto synchronization for the CSS, CSM, or GSS devices.
Last CLI Sync Status Change  (ACE virtual contexts only) Time stamp of the last CLI synchronization with ANM.
                             For all polled objects that are not virtual contexts, the value N/A appears in this column
                             because ANM does not support auto synchronization for the CSS, CSM, or GSS devices.
Step 2 (Optional) To restart polling of an object, check the check box associated with the object and click
Restart Polling.
Related Topics
Setting Polling Parameters, page 17-46
Setting Polling Parameters
You set polling parameters differently depending on the device type:
• ACE devices—You set polling on specific virtual contexts or configure global polling.
• CSM devices—You specify a single polling setting used by ANM.
• CSS devices—You specify a single polling setting used by ANM.
• GSS devices—You specify a single polling setting used by ANM for VIP Answers operation and
configuration states and DNS Rules configuration states.
When you choose Monitoring, the monitoring data for your devices is extracted from cache. The
Monitoring window refreshes every two minutes as new monitoring data is gathered.
When you import a context or device into ANM, the polling interval is set to 5 minutes by default. You
can modify the polling parameter on each device (see the “Enabling Polling on Specific Devices” section
on page 17-46) or you can modify the global parameter polling setting to change the polling parameters
for all devices (see the “Enabling Polling on All Devices” section on page 17-47).
This section includes the following topics:
• Enabling Polling on All Devices, page 17-47
• Disabling Polling on Specific Devices, page 17-47
• Enabling Polling on Specific Devices, page 17-46
• Disabling Polling on All Devices, page 17-48
Enabling Polling on Specific Devices
Procedure
Step 1 Choose Monitor > Devices > context > Polling Settings.
Step 2 In the Polling Stats field, click Enable.
Step 3 From the Background Polling Interval field, choose a polling interval.
Step 4 Click Deploy Now to save and apply the polling parameters.
Related Topics
• Disabling Polling on Specific Devices, page 17-47
• Enabling Polling on All Devices, page 17-47
• Disabling Polling on All Devices, page 17-48
• Displaying the Polling Status of All Managed Objects, page 17-44
Disabling Polling on Specific Devices
Procedure
Step 1 Choose Monitor > Devices > context > Polling Settings.
Step 2 In the Polling Stats field, click Disable.
Step 3 Click Deploy Now to disable polling.
Related Topics
• Enabling Polling on Specific Devices, page 17-46
• Enabling Polling on All Devices, page 17-47
• Disabling Polling on All Devices, page 17-48
• Displaying the Polling Status of All Managed Objects, page 17-44
Enabling Polling on All Devices
You can enable polling and set the polling interval for all devices as shown in the following procedure.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• Currently this feature is available for any user under the ANM Inventory role task. When a user is
assigned this task, global polling configuration changes made are applied to all devices, irrespective
of the domains that are assigned for this user.
• The time it takes the Polling Status window to reflect global changes that you make to the polling
status or polling interval varies depending on the number of managed objects being polled. For
information about viewing polling information, see the “Displaying the Polling Status of All
Managed Objects” section on page 17-44.
Procedure
Step 1 Choose Monitor > Settings > Global Polling Configuration.
Step 2 In the Polling Stats field, click Enable.
Step 3 From the Background Polling Interval field, choose a polling interval.
Step 4 Click OK to save and apply the polling parameters.
Related Topics
• Enabling Polling on Specific Devices, page 17-46
• Disabling Polling on Specific Devices, page 17-47
• Disabling Polling on All Devices, page 17-48
• Displaying the Polling Status of All Managed Objects, page 17-44
Disabling Polling on All Devices
You can disable polling on all devices as shown in the following steps.
Procedure
Step 1 Choose Monitor > Settings > Global Polling Configuration.
Step 2 In the Polling Stats field, click Disable.
Step 3 Click OK.
Polling is disabled.
Related Topics
• Enabling Polling on Specific Devices, page 17-46
• Disabling Polling on Specific Devices, page 17-47
• Enabling Polling on All Devices, page 17-47
• Displaying the Polling Status of All Managed Objects, page 17-44
Configuring Historical Trend and Real Time Graphs for Devices
ANM allows you to store historical data for a selected list of statistics calculated over the last hour,
2-hour, 4-hour, 8-hour, 24-hour, or month interval. You can view this historical data as a statistical graph
from specific Monitor > Devices monitoring screens. For each monitoring page, default statistics are
defined and the graph is drawn for the selected object(s) from the page. ANM also allows you to display
real-time statistical information related to the selected monitoring window.
Note All client browsers require that you enable Adobe Flash Player 9 to properly display the monitoring
graphs provided in ANM.
Historical graphs are available from the following Monitor > Device monitoring windows:
• Traffic Summary window (CSS and ACE devices)
• Load Balancing > Virtual Server window (CSM and ACE)
• Load Balancing > Real Server window (CSM, CSS, and ACE devices)
• Load Balancing > Statistics window (ACE and CSM devices)
• Virtual Context-Based Resource Usage (ACE devices)
In each monitoring view window, click the Graph button to view the Graph page. From this page, you
can view up to a maximum of four individual graphs of object data. Tooltips appear within each graph
to allow you to see the data point values used for plotting.
If you choose, you can overlay multiple objects for comparison on the same graph. Each graph grid
provides a comma-separated list of the selected statistics.
ANM supports a maximum of four lines per historical graph. The number of lines in a graph indicates
the number of combinations of statistics and the objects (which can be a virtual server, real server, virtual
context, and so on). For example, if you select two statistics and two real servers, then the number of
possible combinations that can be displayed in a graph is four.
Note The time displayed in all graphs is shown in ANM server time, not in client time.
Procedure
Step 1 Choose Monitor > Devices to view device information.
Step 2 Choose the specific monitoring window from which you want to display historical data graphs for a
selected list of items.
Table 17-16 shows the different monitoring window types and how to select one.
Step 3 Check the check boxes of up to four objects in the selected monitoring window that you want to view
and click Graph.
The graph window appears. ANM updates the monitoring window with the graph of the selected objects
(see Figure 17-12).
Note The ANM software version that displays across the top of the window varies depending on your
version of ANM.
Table 17-16 Selecting a Monitoring Window
To Access...             Select...
Resource Usage window    Monitor > Devices > virtual_context > Resource Usage
Traffic Summary window   Monitor > Devices > Traffic Summary
Virtual Servers window   Monitor > Devices > Load Balancing > Virtual Servers
Real Servers window      Monitor > Devices > Load Balancing > Real Servers
Statistics window        Monitor > Devices > Load Balancing > Statistics
Figure 17-12 Displaying Historical Graphs
Step 4 (Optional) To enhance your viewing of the graphs, use the Collapse/Expand buttons to minimize or
maximize a graph in the monitoring window.
Step 5 (Optional) Use the graphing tools described in Table 17-17 to modify the display.
Table 17-17 Historical Graph Tools
Tool                    Description
Add Graph button        Adds a graph to the selected monitoring window.
View As Chart and       Toggles the display of an object graph in the monitoring window between a
View As Grid icons      grid and a graph.
                        The grid displays include the Export to Excel hyperlink that allows you to
                        export object data to Microsoft Excel for archiving or other purposes.
Show As Image icon      Allows you to save the graph as a JPEG file for archiving or other purposes.
                        When you mouse over the graph, the Image Toolbar appears. From the Image
                        Toolbar, you can save the graph as a JPEG or send it in an e-mail. You can
                        also print the graph if desired.
Select button (upper)   Allows you to add one or more objects to a graph in the monitoring window
                        to compare the performance of one object with its peer for the selected
                        statistics. Do the following:
                        a. In the graph that contains the object you want to replace, click the upper
                           Select button.
                           Note You cannot perform this function from the Resource Usage
                           graph window, which contains only one Select button. This
                           button is used for selecting multiple statistics (see Select button
                           (lower)).
                           The Objects Selector popup window appears.
                        b. From the Objects Selector popup window, choose up to four objects and
                           do one of the following:
                           – Click OK to return to the graph window, which displays your
                             selected objects.
                           – Click Cancel to ignore any selections and return to the original
                             graph.
Select button (lower)   To select multiple statistics for display in a graph in the monitoring window,
                        perform the following steps:
                        a. In the graph of the object to which you want to add statistics, click the
                           lower Select button within the graph.
                           The Select Stats popup window appears.
                           Note The Resource Usage graph window contains only one Select
                           button; click this button.
                        b. From the Select Stats popup window, choose the statistics to add to the
                           graph.
                           You can choose up to four statistics for display in a graph, and the object
                           statistics must be of the same unit of measure (for example, bytes/sec.).
                           The selected statistics appear in the existing object graph in the
                           monitoring window.
                           Do one of the following:
                           – Click OK to return to the graph window, which displays your
                             selected statistics.
                           – Click Set As Default And Draw Graph to set the current selections
                             as the default objects to graph and return to the graph window, which
                             displays your selected statistics.
                           – Click Cancel to ignore any selections and return to the original
                             graph.
Time drop-down list     Modifies the time interval for the accumulated statistics displayed in a graph.
                        Time interval choices include the average data calculated during the last
                        hour, 2-hour, 4-hour, 8-hour, 24-hour, or 30-day (last month) interval. The
                        time choices also include the Real Time option, which displays a maximum
                        of 3 minutes of data at 10-second intervals (not configurable).
                        Note the following usage considerations for the time interval for
                        accumulated statistics:
                        • When you specify to view average data calculated during the last hour,
                          2-hour, 4-hour, or 8-hour interval, raw data points collected by ANM
                          within the selected time period will be displayed. For example, when you
                          specify to view the data of the last hour, if ANM has been collecting data
                          for over an hour at a default 5-minute interval, you will see 12 data points
                          on the graph.
                        • When you specify to view average data calculated during the last
                          24-hour interval, consolidated hourly data points will be displayed. For
                          example, if ANM has been collecting data for more than 24 hours, you
                          will see 24 data points on the graph.
                        • When you specify to view average data calculated during the last 30-day
                          interval, consolidated daily data points will be displayed. For example,
                          if ANM has been collecting data for over 30 days, you will see 30 data
                          points on the graph.
Step 6 To exit the display of graphs, click Exit Graph.
Exporting Historical Data
Note The data export feature requires either the ANM_ADMIN role or a role with an ANM_System privilege
other than no-access.
You can enable or disable the data export feature that allows ANM to export the historical data that it
collects on the network devices that it manages. You create a data file purging policy to enable or disable
the data export feature and define the purging attributes associated with this feature.
By default, the data export feature is enabled, allowing ANM to export the raw statistical data that it
collects during a polling session to the comma-separated values (CSV) data files in the following
directory:
/var/lib/anm/export/historical-data/date-stamp
where date-stamp is the directory name, which is based on the date when the file was created and uses
the format YYYY-MM-DD. For example, 2010-05-25. The exported data is saved to the files according
to device type (for example, ACE_MODULE, CSS, or CSM) and its record type (for example, RT_INT
or RT_CPU).
The data export feature includes a data dictionary (stats-export.dict), which defines the device type and
record type and can be used to interpret the data content and format of the exported files. You can
download the data dictionary, which is written in XML, and display its content using IE browser or any
XML editor/viewer, such as Stylus Studio. The data dictionary can be used as a tool when writing a script
to extract specific data from a data file. For example, you can create a script that extracts data based on
a device type, such as an ACE, that shows interface statistics for a virtual context within the ACE.
Each record/row in the exported data file contains the following information:
• Timestamp (in the format defined by the data dictionary)
• Device-type
• Optional record-type (defined in the data dictionary and used to define the format of each record)
• Managed entity name (fully qualified name of the managed object with which the statistical data is
associated; it should have the same name shown in the historical graph)
• List of statistical data (list order is defined in the data dictionary associated with the record-type)
The first line of each exported data file is a header describing the columns of each row. Each field of the
record is separated by the separator character, which is currently defined in the data dictionary as the
comma. If the metric value is unknown, its value is left empty. Each record is separated by a new line
character.
The following data file content sample shows the data file header followed by the statistical information:
DeviceType, RecordType, Timestamp, ManagedEntity, Current Connections, Total Connections, Dropped Connections, Total Client Packets, Total Server Packets, Total Client Bytes, Total Server Bytes, Total Drops Due To Maximum Connection Limit, Total Drops Due To Connection Rate Limit, Total Drops Due To Bandwidth Limit
DT-ACE-VC,RT-VS,2010-05-28-14:21:08,172.23.244.130:2:Admin/test/global,0,0,0,0,0,0,0,0,0,0
DT-ACE-APPLIANCE-VC,RT-VS,2010-05-28-14:21:08,172.23.244.212:Admin/test_vs_3/global,0,0,0,0,0,0,0,0,0,0
The header column names DeviceType, RecordType, Timestamp, and ManagedEntity are mandatory.
The definitions of the mandatory headers can be found in the following data dictionary XML tags:
• DeviceType definition is inside the device-type tag.
• RecordType definition is inside the record-type tag.
• ManagedEntity definition is inside the managed-entity tag.
The column names that follow the mandatory names are the display names of the statistic.
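A reader for the export format described above, written as an added example in Python; it is not ANM code and not derived from the data dictionary. It checks the four mandatory columns, treats an empty field as an unknown metric (None rather than 0), and builds a per-entity time series for one statistic. The sample input reuses the two records from the page plus one constructed record with an unknown metric; the timestamp layout (YYYY-MM-DD-HH:MM:SS) and the idea that the host address is the part of ManagedEntity before the first colon are assumptions read off the sample records, not definitions from the data dictionary.

```python
"""Reader for ANM historical-data export files (CSV with a header line, four
mandatory columns, empty value = unknown metric).  Added example, not ANM code.
TIMESTAMP_FORMAT and entity_host() are assumptions based on the sample records."""
import csv
import io
from datetime import datetime

MANDATORY = ("DeviceType", "RecordType", "Timestamp", "ManagedEntity")
TIMESTAMP_FORMAT = "%Y-%m-%d-%H:%M:%S"   # assumed from "2010-05-28-14:21:08"

# Two records from the page plus one constructed record whose
# "Dropped Connections" metric is unknown (empty field).
SAMPLE_EXPORT = """\
DeviceType, RecordType, Timestamp, ManagedEntity, Current Connections, Total Connections, Dropped Connections, Total Client Packets, Total Server Packets, Total Client Bytes, Total Server Bytes, Total Drops Due To Maximum Connection Limit, Total Drops Due To Connection Rate Limit, Total Drops Due To Bandwidth Limit
DT-ACE-VC,RT-VS,2010-05-28-14:21:08,172.23.244.130:2:Admin/test/global,0,0,0,0,0,0,0,0,0,0
DT-ACE-APPLIANCE-VC,RT-VS,2010-05-28-14:21:08,172.23.244.212:Admin/test_vs_3/global,0,0,0,0,0,0,0,0,0,0
DT-ACE-VC,RT-VS,2010-05-28-14:26:08,172.23.244.130:2:Admin/test/global,3,120,,4500,4400,610000,2300000,0,0,0
"""


def missing_mandatory(header):
    """Return the mandatory column names absent from a header line."""
    return [name for name in MANDATORY if name not in header]


def parse_export(text):
    """Parse one export file into a list of records.  Statistic values are
    ints; an empty field (unknown metric) becomes None."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = next(reader)
    missing = missing_mandatory(header)
    if missing:
        raise ValueError(f"export file lacks mandatory columns: {missing}")
    stat_names = [name for name in header if name not in MANDATORY]
    records = []
    for row in reader:
        if not row:
            continue
        if len(row) != len(header):
            raise ValueError(f"field count {len(row)} does not match header: {row}")
        fields = dict(zip(header, row))
        records.append({
            "device_type": fields["DeviceType"],
            "record_type": fields["RecordType"],
            "timestamp": datetime.strptime(fields["Timestamp"], TIMESTAMP_FORMAT),
            "entity": fields["ManagedEntity"],
            "stats": {n: (int(fields[n]) if fields[n] != "" else None) for n in stat_names},
        })
    return records


def select(records, device_type=None, record_type=None):
    """Filter records by DeviceType and/or RecordType (None = any)."""
    return [r for r in records
            if (device_type is None or r["device_type"] == device_type)
            and (record_type is None or r["record_type"] == record_type)]


def series(records, entity, stat):
    """[(timestamp, value)] for one managed entity and statistic, oldest
    first, skipping unknown (empty) values."""
    points = [(r["timestamp"], r["stats"].get(stat)) for r in records
              if r["entity"] == entity and r["stats"].get(stat) is not None]
    return sorted(points)


def entity_host(entity):
    """Assumption: the device address is the part before the first colon."""
    return entity.split(":", 1)[0]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for ts, value in series(recs, "172.23.244.130:2:Admin/test/global", "Total Connections"):
        print(ts, value)
```

Keeping unknown metrics as None instead of 0 matters when the data feeds a detection threshold: a gap in collection should not look like a drop to zero.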
Guidelines and Restrictions
The data export guidelines and restrictions are as follows:
• The time at which ANM exports the data file is not configurable.
• By default, ANM exports raw historical data only. Snapshots and consolidated historical data
(average, minimum, maximum) are not exported.
The data export purging operation guidelines and restrictions are as follows:
• ANM purges exported data according to the configurable purging policy. By default, the purging
policy instructs ANM to purge the data file if it stays for more than 32 days or the total combined
export data is bigger than 10000 M (10 G) of disk space or the disk usage is more than 80 percent.
• You can configure ANM to send an email notification to up to five recipients when the disk space
usage is higher than the defined threshold.
• Each purge action removes at least one day of exported statistical data.
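The purging rules above as a small model, added here as an example in Python (not ANM code, and not a description of how ANM implements the policy internally): a purge is triggered by the retention period, the total export size, or the disk usage threshold, and then removes whole date-stamp directories oldest first, at least one, until no trigger remains. Directory sizes, disk capacity and the reason strings are constructed for the example.

```python
"""Model of the exported-data purging policy: purge when a day directory is
older than the retention period, when the exported data exceeds the size
limit, or when disk usage exceeds the threshold; remove whole days, oldest
first, and at least one day per purge.  Added example, not ANM code."""
from datetime import date

RETENTION_DAYS = 32        # default retention period (days)
MAX_EXPORT_MB = 10000      # default maximum size of exported data (MB)
DISK_THRESHOLD_PCT = 80    # default disk space utilization threshold (%)

REASON_RETENTION = "retention period"
REASON_SIZE = "total size of the exported data"
REASON_DISK = "disk space usage"

# Constructed: date-stamp directory name -> size in MB.
SAMPLE_DAY_DIRS = {
    "2010-05-25": 100,
    "2010-05-28": 100,
    "2010-06-01": 6000,
    "2010-06-15": 5000,
    "2010-06-29": 200,
}


def plan_purge(day_dirs, today, disk_total_mb, disk_used_mb,
               retention_days=RETENTION_DAYS, max_export_mb=MAX_EXPORT_MB,
               disk_threshold_pct=DISK_THRESHOLD_PCT):
    """day_dirs maps a YYYY-MM-DD directory name to its size in MB; today is an
    ISO date string.  Returns (directories to purge, oldest first, and the
    list of reasons that triggered the purge)."""
    today_d = date.fromisoformat(today)
    remaining = dict(sorted(day_dirs.items()))   # ISO names sort chronologically
    used_mb = disk_used_mb

    def violations():
        reasons = []
        if any((today_d - date.fromisoformat(d)).days > retention_days for d in remaining):
            reasons.append(REASON_RETENTION)
        if sum(remaining.values()) > max_export_mb:
            reasons.append(REASON_SIZE)
        if disk_total_mb > 0 and 100.0 * used_mb / disk_total_mb > disk_threshold_pct:
            reasons.append(REASON_DISK)
        return reasons

    reasons = violations()
    if not reasons:
        return [], []
    purged = []
    while remaining:                      # at least one day goes, then stop once clean
        oldest = next(iter(remaining))
        used_mb -= remaining.pop(oldest)
        purged.append(oldest)
        if not violations():
            break
    return purged, reasons


if __name__ == "__main__":
    print(plan_purge(SAMPLE_DAY_DIRS, "2010-06-30", disk_total_mb=100000, disk_used_mb=50000))
```

Note the disk-usage case: if the exported data is only a small part of what fills the disk, purging every day directory still may not bring usage under the threshold, which is why the loop stops when nothing is left rather than when the condition clears.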
Procedure
Step 1 Choose Monitor > Settings > Historical Data Export.
The Historical Data Export window appears.
Step 2 Configure the data export purging policy as shown in Table 17-18.
Table 17-18 Historical Data Export Fields
Item                                        Description
Retention Period (In Days)                  Maximum number of days that ANM is to keep the exported data files. The
                                            valid range is 1 to 365 days. The default is 32.
Maximum Size Of Exported Data (In MBytes)   Maximum allowable size of the data file to export. The valid range is 100 MB
                                            to 100000 MB. The default is 10000 MB.
Current Size Of Exported Data (In MBytes)   (Read only) Current size of the data file.
Disk Space Utilization Threshold (In %)     Percentage of disk space that the data file can utilize.
Current Disk Space Utilization (In %)       (Read only) Current amount of disk space that the data file is utilizing.
Do You Want To Disable Data Export          Check box for enabling or disabling the data export feature as follows:
                                            • Unchecked—Data export is enabled. This is the default setting.
                                            • Checked—Data export is disabled.
E-mail Address To Send Notification When    Email addresses that ANM sends a notification to when the amount of disk
Disk Usage Is Greater Than Disk Space       space utilized by the data file exceeds the specified Disk Space Utilization
Utilization Threshold Setting               Threshold value. ANM sends an email notification only once every 24 hours
                                            even when the threshold-exceeding condition persists.
                                            Enter an email address and click the right arrow to add it to the list of email
                                            addresses to receive notifications. You can specify up to five email addresses.
                                            To edit or remove an address from the list, use the left arrow or double-click
                                            the address to move it to the edit box where you can modify or delete it.
                                            Note For email notifications, you must specify an SMTP server to use for
                                            outgoing emails (see the “Configuring SMTP for Email
                                            Notifications” section on page 17-68).
Status                                      Current status of the data export feature as follows:
                                            • RUNNING—Data export is enabled. An alert message may display in
                                              parentheses next to the Running status.
                                            • STOP—Data export is disabled.
                                            To change the status, see the Do You Want To Disable Data Export check box.
Statistical Data Last Purge At              (Read only) Server time when ANM last purged the data file.
Reason For Purging                          (Read only) Reason why ANM purged the data file: retention period, total
                                            size of the exported data file, or disk space usage.
Location Of Exported Data                   (Read only) Path to the exported data files:
                                            /var/lib/anm/export/historical-data.
Step 3 (Optional) To download a copy of the data dictionary in zip file format, click Download Data
Dictionary.
Step 4 To save the current data file purging policy, click Save.
Related Topics
• Configuring SMTP for Email Notifications, page 17-68
Monitoring Events
The events captured in the Events table include both ACE syslog events and SNMP trap events. This
section describes how to view both types of events and the details that ANM extracts from the syslog.
The fields that provide traffic-oriented sorting, that is, the Events window columns listed in Table 17-19
as Source IP, Source Port, Destination IP, Destination Port, and Protocol, are available only for ACE
syslogs.
Note We do not recommend that you send a high volume of syslogs to ANM. ANM will only process and
persist syslogs at 100 messages per second. Any additional syslogs sent to ANM beyond that rate will
be discarded. To address this behavior, set the syslog severity level to a setting that is no higher than the
warning level (a severity level of 4-Warning). See the “Configuring Virtual Context Syslog Settings”
section on page 6-19 for details.
Assumptions
To receive events from devices, the devices must have syslog and SNMP traps configured correctly. See
the “Configuring Virtual Context Syslog Settings” section on page 6-19 and the “Configuring SNMP for
Virtual Contexts” section on page 6-27.
Procedure
Step 1 Choose Monitor > Events.
ANM displays all events received from ACE for Syslog and SNMP traps for all virtual contexts. See
Table 17-19 for a description of the displayed information, which is extracted from the syslog.
You can sort the information in the table by clicking a column heading. Sorting lets you group related
events, which helps when troubleshooting traffic.
Table 17-19 Monitor > Events Fields
Field              Description
Syslog ID/SNMP ID  Displays the Syslog ID and SNMP ID. If the event is a trap, this field is empty.
Severity           Indicates the syslog severity level as described in Table 6-5.
Origination Time   Date and time that the event was last changed in the database.
Source IP          Displays the source name that is reporting the event, for example, :virtual_context.
Source Port        Displays the source port.
Destination IP     Displays the IP address of the destination if available.
Destination Port   Displays the destination port if available.
Protocol           Protocol used in the syslog.
Detail             Provides additional detail about the event.
Table 17-20 displays the complete list of published ACE syslogs where source and destination IP, ports
and protocols are parsed so that the designated table fields populate.
Note Only the ACE syslog messages shown in Table 17-20 will populate the Events window fields explained in
Table 17-19. Syslogs and traps not in that table will populate those fields with a 0.
17-57
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 17 Monitoring Your Network
Configuring Alarm Notifications on ANM
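The Events table is filled from the message formats that Table 17-20 lists. The following Python parser is an added example, not ANM or ACE code: it reads the severity from the ACE-<severity>-<id> prefix, applies the device-side severity filter recommended in the note at the start of this section (forward severity 4 and lower), and pulls source and destination IP, port and protocol out of the connection build/teardown, access-group deny and reverse-path-check messages, filling the traffic fields with 0 for any other ACE message, as ANM does. The sample log lines, interface names, addresses, ACL name and the ACE-5-123456 message ID are constructed.

```python
"""ACE syslog parsing for the ANM Events table (added example, not ANM code).

Parses the ACE message formats from Table 17-20 into the Events fields of
Table 17-19 (Syslog ID, Severity, Source IP/Port, Destination IP/Port,
Protocol, Detail) and applies the severity filter recommended above.
All sample lines, addresses and interface names are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ACE message IDs carry the severity: %ACE-<severity>-<message_id>: <body>
ID_RE = re.compile(r"%?ACE-(?P<sev>\d)-(?P<msgid>\d{6}):?\s*(?P<body>.*)")

# One regex per message family from Table 17-20. The table shows field
# placeholders; these patterns match one concrete rendering of them.
BODY_PATTERNS = [
    re.compile(                                      # ACE-6-3020xx Built TCP/UDP
        r"Built (?P<proto>TCP|UDP) connection \d+ for "
        r"(?P<sif>[\w-]+):\s*(?P<sip>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
        r"(?P<dif>[\w-]+):\s*(?P<dip>[\d.]+)/(?P<dport>\d+)"),
    re.compile(                                      # ACE-6-3020xx Teardown TCP/UDP
        r"Teardown (?P<proto>TCP|UDP) connection \d+ for "
        r"(?P<sif>[\w-]+):\s*(?P<sip>[\d.]+)/(?P<sport>\d+) to "
        r"(?P<dif>[\w-]+):\s*(?P<dip>[\d.]+)/(?P<dport>\d+) duration"),
    re.compile(                                      # ACE-4-106023 access-group deny
        r"Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
        r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))? by access-group"),
    re.compile(                                      # ACE-1-106021 reverse path check
        r"Deny (?P<proto>\w+) reverse path check from (?P<sip>[\d.]+) "
        r"to (?P<dip>[\d.]+) on interface"),
]


@dataclass
class Event:
    syslog_id: str
    severity: int
    source_ip: str
    source_port: int
    dest_ip: str
    dest_port: int
    protocol: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for an ACE syslog line, or None if it is not one.

    A message whose body is not one of the Table 17-20 formats still becomes
    an event, but with the traffic fields set to 0, mirroring ANM."""
    m = ID_RE.match(line.strip())
    if m is None:
        return None
    sev, syslog_id, body = int(m["sev"]), f"ACE-{m['sev']}-{m['msgid']}", m["body"]
    for pattern in BODY_PATTERNS:
        b = pattern.match(body)
        if b:
            g = b.groupdict()
            return Event(syslog_id, sev, g["sip"], int(g.get("sport") or 0),
                         g["dip"], int(g.get("dport") or 0), g["proto"].upper(), body)
    return Event(syslog_id, sev, "0", 0, "0", 0, "0", body)


def events_for_anm(lines: List[str], max_severity: int = 4) -> List[Event]:
    """Keep only the messages a device would forward at the recommended
    severity setting (4-Warning or lower), then parse them."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.severity <= max_severity:
            events.append(ev)
    return events


def deny_sources(events: List[Event]) -> Dict[str, int]:
    """Count deny events per source IP, a quick triage view over the table."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.detail.startswith("Deny"):
            counts[ev.source_ip] = counts.get(ev.source_ip, 0) + 1
    return counts


# Constructed sample lines in the Table 17-20 formats (not captured output).
SAMPLE_LINES = [
    "%ACE-6-302022: Built TCP connection 1234 for vlan100:10.1.1.5/51234 (10.1.1.5/51234) to vlan200:10.2.2.10/443 (10.2.2.10/443)",
    "%ACE-6-302023: Teardown TCP connection 1234 for vlan100:10.1.1.5/51234 to vlan200:10.2.2.10/443 duration 0:00:12 bytes 8192 TCP FINs",
    '%ACE-4-106023: Deny tcp src vlan100:10.1.1.9 dst vlan200:10.2.2.10 by access-group "web-in" (0x1a2b3c4d, 0x0)',
    "%ACE-1-106021: Deny tcp reverse path check from 10.9.9.9 to 10.2.2.10 on interface vlan100",
    "%ACE-5-123456: constructed message ID not listed in Table 17-20",
    "Mar 28 10:00:00 host sshd[1]: not an ACE message at all",
]

if __name__ == "__main__":
    for ev in events_for_anm(SAMPLE_LINES):
        print(ev)
    print(deny_sources([e for e in map(parse_line, SAMPLE_LINES) if e]))
```

Note what the recommended severity setting does to the connection messages: ACE-6-302022 through ACE-6-302031 are severity 6 (informational), so with the device limited to severity 4 they never reach ANM and the Events table shows only the deny and drop messages. If you need the connection build/teardown events in ANM, budget their volume against the 100 messages per second that ANM persists.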
Table 17-20 ACE Syslogs Fields with Perishable Traffic Oriented Sorting Information
Syslog ID: Message Contents
ACE-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
ACE-4-106023: Deny protocol number | name src incoming-interface:src-ip dst outgoing-interface:dst-ip by access-group "acl-name" (hash 1, hash 2)
ACE-6-302022: Built TCP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port)
ACE-6-302023: Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason]
ACE-6-302024: Built UDP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port)
ACE-6-302025: Teardown UDP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes
ACE-6-302026: Built ICMP connection for faddr/NATed_ID gaddr/icmp_type laddr/icmpID
ACE-6-302027: Teardown ICMP connection for faddr/NATed ID gaddr/icmp_type laddr/icmpID
ACE-6-302028: Built TCP connection id for interface: real-address/real-port (mapped-address/mapped-port) to interface: real-address/real-port (mapped-address/mapped-port)
ACE-6-302029: Teardown TCP connection id for interface: real-address/real-port to interface: real-address/real-port duration hh:mm:ss bytes bytes [reason]
ACE-6-302030: Built UDP connection id for interface: real-address/real-port (mapped-address/mapped-port) to interface: real-address/real-port (mapped-address/mapped-port)
ACE-6-302031: Teardown UDP connection id for interface: real-address/real-port to interface: real-address/real-port duration hh:mm:ss bytes bytes
ACE-4-313004: Denied ICMP type=icmp_type, from source_address on interface interface_name to dest_address:no matching session
ACE-4-410001: Dropped UDP DNS packet_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port; error_length_type length length bytes exceeds max_length_type limit of maximum_length bytes.
Related Topics
• Monitoring Devices, page 17-24
• Performing Device Audit Trail Logging, page 18-59
Configuring Alarm Notifications on ANM
To set up Monitoring alarm notifications, you define a threshold group and specify the statistics to be
monitored by ANM for the threshold group. When the value for a specific statistic rises above the setting
you specify, an alarm is issued to alert you.
Note CISCO-EPM-NOTIFICATION-MIB is used for ANM alarm notifications.
You can specify how you are notified when thresholds are crossed:
• Alarm notification, which you view at Monitor > Alarm Notifications > Alarms.
• Email notification.
• Traps.
• Mobile device alarm notification. This method requires ANM 5.1 or later and a supported mobile
device with the Cisco ANM Mobile app. For more information about ANM Mobile, see Chapter 19,
“Using ANM Mobile.”
Note Threshold crossing is detected using periodic polling. If a threshold is crossed between polling cycles,
it is possible that ANM License Manager might not issue an alert if the condition recovers before the
next polling cycle.
Guidelines and Restrictions
For certificates that you have loaded on the ACE, you can configure ANM to issue an alarm notification
when the certificate expiration date is approaching. ANM performs certificate expiration computations
every 24 hours. The computation begins each time ANM is started. Every subsequent computation
occurs 24 hours thereafter.
Note The Certificates window (Config > Devices > context > SSL > Certificates) contains the Expiry Date
field, which displays the certificate expiration date. Due to a known issue with the ACE module and
appliance, it is possible that this field displays either “Null” or characters that cannot be parsed or that
are unreadable. When this issue occurs, ANM cannot track the certificate expiration date. If the
certificate is defined in a threshold group configured for certificate expiration alarm notifications and
this issue occurs, ANM may not issue an expiration alarm when expected or it may issue a false alarm.
If you encounter this issue, remove the certificate from the ACE, reimport it, and then verify that the
correct expiration date appears in the Certificates window.
Prerequisites
For email notifications, you have specified an SMTP server to use for outgoing emails (see the
“Configuring SMTP for Email Notifications” section on page 17-68).
Procedure
Step 1 Choose Monitor > Alarm Notifications > Threshold Groups, and click Add.
Step 2 In the Properties section, enter the name and description for the threshold group.
Step 3 In the Threshold Settings section, click Add and then enter the following information shown in
Table 17-21.
Table 17-22 provides details for the Category field found in Table 17-21.
Table 17-21 Threshold Settings Fields
Field | Description
Device Type | Choose the device type to include in the threshold group. VC indicates ACE virtual context.
Category | Choose a statistic to include in the threshold group. Table 17-22 identifies and describes the types of statistics available for each device type.
Note We do not recommend that you include ACL Memory (ACE module and ACE appliance) or Current Application Acceleration Connections (ACE appliance only) as statistics in a threshold group. The values provided through the associated show resource usage CLI command for these two threshold parameters do not accurately reflect the real usage of these two resources.
Assert on Value | Enter a value to define the threshold. When the statistic exceeds this value, an alarm is issued. Some values are displayed as percentages, as indicated by the percent sign (%).
In the case of SSL certificate expiration, the assert on value is the number of days before certificate expiration. Alarms are updated daily to indicate the number of days remaining until certificate expiration. If email is configured, you are sent an email daily alerting you to the number of days left before expiration.
Clear Value | Enter a value on which to clear the alarm.
In the case of SSL certificate expiration, this setting has no relevance. When an expired certificate is deleted, the alarm is removed from ANM on the subsequent certificate evaluation, which happens every 24 hours.
Notify on Clear | Check the Notify on Clear check box to receive an email notification at the specified address when the alarm is cleared.
Severity | Choose a severity level for this threshold, which can be Critical, Info, Major, or Minor.
Table 17-22 Monitoring Thresholds by Device Type
Category | Threshold | Description
ACE 4710 Appliance
ACL Memory | Percentage of memory allocated for ACLs.
Note We do not recommend that you include ACL Memory as a statistic in a threshold group. The value provided through the associated show resource usage CLI command regarding the utilization of ACL memory does not accurately reflect the real usage of this resource.
Bandwidth | Percentage of throughput.
Concurrent Connections | Percentage of simultaneous connections.
Current Application Acceleration Connections | Percentage of application acceleration connections.
Note We do not recommend that you include Current Application Acceleration Connections as a statistic in a threshold group. The value provided through the associated show resource usage CLI command regarding the utilization of application acceleration connections does not accurately reflect the real usage of this resource.
Current Connection Rate | Percentage of connections of any kind.
Current HTTP Compression Rate | Percentage of compression for HTTP data.
Inspect Connection Rate | Percentage of application protocol inspection connections.
MAC Miss Rate | Percentage of messages destined for the ACE that are sent to the control plane when the encapsulation is not correct in packets.
Management Connections | Percentage of management connections.
Management Traffic Rate | Percentage of management traffic connections.
Proxy Connections Rate | Percentage of proxy connections.
Regular Expression Memory | Percentage of regular expression memory.
SSL Connection Rate | Percentage of SSL connections.
Syslog Buffer Size | Percentage of the syslog buffer.
Syslog Message Rate | Percentage of syslog messages per second.
Translation Entries | Percentage of network and port address translations.
Device | Device Status | ACE operating status changes from Up to Down and vice versa.
ACE 4710 Appliance VC
Application Acceleration | Condenser State | State of the condenser.
HA | Redundancy State | ACE virtual context HA or fault tolerance (FT) state changes. Possible FT states are Active, Standby Hot, and Other, which represents all other FT states, including the following:
• Non-Redundant—Virtual context is not included in any FT group.
• Unknown—Virtual context becomes inaccessible, for example if the ACE that it resides in becomes unresponsive.
Interface | Interface Operational State | Operational state of the interface.
Probes | Probe Health State | Operational health of the health monitoring probe.
Real Server (1) | Real Server Current Connections | Number of current connections on a real server.
Real Server (1) | Real Server Operational State | Operational state of a real server.
SLB Stat | Layer 4 Policy Connections | Number of Layer 4 policy connections.
SLB Stat | Layer 7 Policy Connections | Number of Layer 7 policy connections.
SSL Certificate Management | SSL certificate expiration (in days) | Number of days left before the SSL certificate expires; when the value is one less than this, a warning email is sent with the specified severity. ANM updates this field daily.
Virtual Server (1) | Virtual Server Current Connections | Number of active virtual server connections.
Virtual Server (1) | Virtual Server Operational State | Operational state of a virtual server.
ACE Module
ACL Memory | Percentage of memory allocated for ACLs.
Note We do not recommend that you include ACL Memory as a statistic in a threshold group. The value provided through the associated show resource usage CLI command regarding the utilization of ACL memory does not accurately reflect the real usage of this resource.
Bandwidth | Percentage of bandwidth.
Concurrent Connections | Percentage of simultaneous connections.
Current Connection Rate | Percentage of connections of any kind.
Current HTTP Compression Rate | Percentage of compression for HTTP data. This field appears only for an ACE module version A4(1.0) or later.
Inspect Connection Rate | Percentage of application protocol inspection connections.
MAC Miss Rate | Percentage of messages destined for the ACE that are sent to the control plane when the encapsulation is not correct in packets.
Management Connections | Percentage of management connections.
Management Traffic Rate | Percentage of management traffic connections.
Proxy Connections Rate | Percentage of proxy connections.
Regular Expression Memory | Percentage of regular expression memory.
SSL Connection Rate | Percentage of SSL connections.
Syslog Buffer Size | Percentage of the syslog buffer.
Syslog Message Rate | Percentage of syslog messages per second.
Throughput | Percentage of throughput.
Translation Entries | Percentage of network and port address translations.
Device | Device Status | ACE operating status changes from Up to Down and vice versa.
ACE VC
HA | Redundancy State | ACE virtual context HA or fault tolerance (FT) state changes. Possible FT states are Active, Standby Hot, and Other, which represents all other FT states, including the following:
• Non-Redundant—Virtual context is not included in any FT group.
• Unknown—Context becomes inaccessible, for example if the ACE that it resides in becomes unresponsive.
Interface | Interface Operational State | Operational state of the interface.
Probes | Probe Health State | Operational health of the health monitoring probe.
Real Server (1) | Real Server Current Connections | Number of current connections on a real server.
Real Server (1) | Real Server Operational State | Operational state of a real server.
SLB Stat | Layer 4 Policy Connections | Number of Layer 4 policy connections.
SLB Stat | Layer 7 Policy Connections | Number of Layer 7 policy connections.
SSL Certificate Management | SSL certificate expiration (in days) | Number of days left before the SSL certificate expires; when the value is one less than this, a warning email is sent with the specified severity. ANM updates this field daily.
Virtual Server (1) | Virtual Server Current Connections | Number of active virtual server connections.
Virtual Server (1) | Virtual Server Operational State | Operational state of a virtual server.
CSM Module
Real Server | Real Server Connections | Number of real server connections.
Real Server | Real Server Current State | Operational state of a real server.
SLB Stat | Current Opened Connections | Number of open connections.
SLB Stat | Layer 4 Policy Connections | Number of Layer 4 policy connections.
SLB Stat | Layer 7 Policy Connections | Number of Layer 7 policy connections.
SLB Virtual Server | Virtual Server Connections | Number of virtual server connections.
SLB Virtual Server | Virtual Server State | Operational state of a virtual server.
System | CSM Fault Tolerance State | Fault tolerance state of the CSM.
Device | Device Status | CSM operating status changes from Up to Down and vice versa.
CSS
Interface | Average TCP Packets | Average number of TCP packets.
Interface | Interface Operational State | Operational state of the interface.
Interface | Max TCP Packets | Maximum number of TCP packets.
Real Server | Active Service Connections | Number of active real server connections.
Real Server | Real Server State | State of a real server.
System | CSS Fault Tolerance State | Fault tolerance state of the CSS.
System | CSS Module State | State of a CSS module.
Virtual Server | Virtual Server State | Current state of a virtual server.
Device | Device Status | CSS operating status changes from Up to Down and vice versa.
GSS
Device | Device Status | GSS operating status changes from Up to Down and vice versa.
1. Category choices marked (1) support mobile device notifications.
Step 4 Click OK.
Step 5 In Device Selection, choose the device type to include in the threshold group.
The available devices appear in the Available Items field.
Note Make sure that the device type you select in this field is supported by the threshold that you
selected in the Category field in Step 3. If the device type you select is not supported by the
threshold you selected, you will not receive alarm notifications.
Step 6 Click a device in the Available Items field, and then click the arrow (>) to move the device to the
Selected Items field.
Step 7 In the Notify By section, do the following:
a. In the E-mail field, enter the email address that you want to receive notification email.
See the “Displaying Email Notifications” section on page 17-66 for information contained in the
email notifications. If you do not complete this field, you must view alarm notifications by choosing
Monitor > Alarm Notifications > Alarms.
Note You must configure the required host parameters, IP address and port, to send email
notifications. See the “Configuring SMTP for Email Notifications” section on page 17-68.
b. Check the Domain sensitive email notification check box to receive filtered email about certificate
expirations for the certificates defined in the current domain only. The emails are sent to the email
address configured for the RBAC user definition (see the “Managing User Accounts” section on
page 18-17). Uncheck this check box to disable this feature.
Note This attribute appears only when the selected device type is either the ACE 4710 VC or the
ACE VC and the category type is set to SSL Certificate expirations (in days).
c. In the Traps field, enter the host IP Address and port number of the machine to which the traps are
sent.
See the “Displaying Traps” section on page 17-67 for information contained in the traps.
d. Check the Mobile Notifications check box to allow ANM to send alarm notifications to supported
smart devices that use the ANM Mobile app. This notification option is available when you choose
threshold settings in Step 3 for real or virtual servers for device types ACE 4710 VC and ACE VC.
See the “Setting Up and Viewing Mobile Device Alarm Notifications” section on page 19-13 for
information about setting up alarm notifications on your mobile device.
Step 8 Do one of the following:
• Click Save to save the threshold group settings.
• Click Cancel to cancel the threshold group settings and return to the Threshold Groups page.
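As an added example that is not ANM's own code, the following Python model shows the alarm semantics that Steps 1 through 8 configure: the Assert on Value and Clear Value of Table 17-21 with the gap between them, Notify on Clear, the once-per-24-hours certificate expiration check, and why the polling caveat in the Note above matters. The threshold group name, device name, polling interval, sample series and certificate expiry date are constructed. Two comparisons are assumptions, because the page does not state them exactly: an alarm clears when the statistic is at or below the Clear Value, and the certificate alarm is raised when the days left are at or below the assert value.

```python
"""Threshold-group alarm semantics from Table 17-21 (added example, not ANM code).

Models one threshold group: a statistic polled periodically raises an
alarm when it exceeds the Assert on Value and clears it at the Clear
Value (assumed: at or below), with Severity and Notify on Clear as in
Table 17-21. The SSL certificate threshold is a number of days before
expiration, checked once per 24 hours. Device names, sample values and
the polling interval are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Threshold:
    category: str           # a Category from Table 17-22, e.g. "Concurrent Connections"
    assert_on: float        # Assert on Value: alarm when the statistic exceeds this
    clear_value: float      # Clear Value: cleared once the statistic is at or below this (assumed)
    severity: str           # Critical, Info, Major or Minor
    notify_on_clear: bool = False


@dataclass
class ThresholdGroup:
    name: str
    thresholds: Dict[str, Threshold]
    # Active alarms keyed by (device, category), the set shown under
    # Monitor > Alarm Notifications > Alarms (cleared alarms are not listed).
    active: Dict[Tuple[str, str], dict] = field(default_factory=dict)

    def evaluate_poll(self, device: str, stats: Dict[str, float]) -> List[dict]:
        """One polling cycle over the statistics of one device.

        Returns the notifications produced in this cycle (Active or Clear),
        carrying the fields an email notification has (Table 17-24)."""
        notifications = []
        for category, value in stats.items():
            th = self.thresholds.get(category)
            if th is None:
                continue
            key = (device, category)
            note = {"threshold_group": self.name, "device": device, "category": category,
                    "value": value, "assert_value": th.assert_on, "severity": th.severity}
            if key not in self.active and value > th.assert_on:
                self.active[key] = note
                notifications.append({**note, "state": "Active"})
            elif key in self.active and value <= th.clear_value:
                del self.active[key]
                if th.notify_on_clear:
                    notifications.append({**note, "state": "Clear"})
        return notifications


def poll_series(group: ThresholdGroup, device: str, category: str,
                samples: Dict[int, float], interval: int) -> List[dict]:
    """Feed a per-second series to the group only at multiples of `interval`
    seconds. This is all that periodic polling sees: a value that rises above
    the assert value and recovers between two polls is never evaluated."""
    notifications = []
    for t in sorted(samples):
        if t % interval == 0:
            notifications.extend(group.evaluate_poll(device, {category: samples[t]}))
    return notifications


def certificate_alarm(days_before: int, expiry: date, today: date,
                      severity: str = "Major") -> Optional[dict]:
    """Daily certificate check: the assert value is a number of days before
    expiration, so the alarm is raised once days_left <= days_before (assumed
    inclusive) and is refreshed every 24 hours with the days remaining."""
    days_left = (expiry - today).days
    if days_left <= days_before:
        return {"category": "SSL certificate expiration (in days)",
                "days_left": days_left, "severity": severity}
    return None


def demo() -> Tuple[List[dict], Optional[dict]]:
    group = ThresholdGroup("web-tier", {
        "Concurrent Connections": Threshold("Concurrent Connections", 80, 60, "Major",
                                            notify_on_clear=True),
    })
    # Constructed series (seconds -> percent). The 95% spike at t=30 falls
    # between the 60-second polls and therefore produces no alarm.
    samples = {0: 50, 30: 95, 60: 55, 120: 85, 180: 70, 240: 40}
    notes = poll_series(group, "ace-vc-1", "Concurrent Connections", samples, 60)
    # Constructed expiry date checked on the chapter's date (3/28/12): 23 days left.
    cert = certificate_alarm(30, date(2012, 4, 20), date(2012, 3, 28))
    return notes, cert


if __name__ == "__main__":
    polled, cert = demo()
    for n in polled:
        print(n["state"], n["category"], n["value"], n["severity"])
    print(cert)
```

Running demo() yields one Active notification at the 120 second poll (85 percent) and one Clear notification at 240 seconds (40 percent); the 95 percent sample at t=30 never produces an alarm because the group is only evaluated at the 60 second polls, which is the behaviour the Note above warns about. The certificate check returns 23 days left against a 30 day assert value, the daily-updated count described for Assert on Value in Table 17-21.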
Related Topics
• Configuring SMTP for Email Notifications, page 17-68
• Displaying Alarm Notifications, page 17-65
Displaying Alarm Notifications
You can display the alarm notification that ANM issues when the value for a statistic exceeds a specified
threshold value. Depending on how you specified to be notified when a threshold is crossed, you can
view all alarm notifications, email notifications, or alarm traps.
Guidelines and Restrictions
Threshold crossing is detected using periodic polling. If a threshold is crossed between polling cycles,
it is possible that ANM License Manager might not issue an alert if the condition recovers before the
next polling cycle.
Prerequisites
You have configured alarm notifications as described in the “Configuring Alarm Notifications on ANM”
section on page 17-57.
This section includes the following topics:
• Displaying Alarms in ANM, page 17-65.
• Displaying Email Notifications, page 17-66.
• Displaying Traps, page 17-67.
Displaying Alarms in ANM
You can display the alarms that ANM issues when the value for a statistic exceeds a specified threshold
value.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• ANM displays only the alarms for the devices that are in the domain definition of the RBAC user
logged into ANM.
• If an alarm has been cleared, it does not appear on the Monitor > Alarm Notifications > Alarms page.
This page displays active alarms only.
Prerequisites
You have configured alarm notifications as described in the “Configuring Alarm Notifications on ANM”
section on page 17-57.
Procedure
Step 1 Choose Monitor > Alarm Notifications > Alarms.
The Alarms window appears, displaying the list of alarm notifications issued by ANM. Table 17-23
describes the information displayed for each notification.
Table 17-23 ANM Alarm Notification Content
Field | Description
Source ID | ANM server IP address that issued the alarm.
Severity | Specified severity level of the threshold, which can be Info, Critical, Major, or Minor.
Origination Time | Time the alarm was issued.
Threshold Group | Specified threshold group name.
Category | Alarm name.
Component | Component name, for example, VLAN20.
State/Value | Specified state or value of the alarm.
Detail | Displays additional information about the alarm.
Notes | Allows you to add any notes to this alarm.
Step 2 (Optional) To view a statistical graph of a component with an issue, choose an alarm notification and
click Graph The Component With Issue.
The Graph popup window appears, plotting the default statistical unit for the component (y-axis) against
date and time (x-axis). The component type determines the default statistical unit being measured. For
example, the unit measured for the real server component type is the number of connections.
Note This button can only be used with alarm notifications for the following component types: real
server, virtual server, or interface.
Related Topics
• Configuring SMTP for Email Notifications, page 17-68
• Configuring Alarm Notifications on ANM, page 17-57
• Displaying Email Notifications, page 17-66
Displaying Email Notifications
After you configure alarm notifications (see the “Configuring Alarm Notifications on ANM” section on
page 17-57) and specify to receive notification email, when the value for a specific statistic rises above
the setting you specify, ANM sends an email to alert you.
Table 17-24 describes the information contained in the email alarm notification.
Table 17-24 Email Alarm Notification Content
Field | Description
ANM Server Host Name | ANM server host name.
ANM Server IP Address | ANM server IP address.
Device ID | Device name.
Component Name | Component name, for example, VLAN20.
Severity | Specified severity level of the threshold, which can be Info, Critical, Major, or Minor.
Time | Time the alarm was issued.
Alarm Name | Specified name of the alarm.
Alarm Value | Specified value of the alarm.
Threshold Assert Value | Specified value at which the alarm is issued.
Threshold Group Name | Specified threshold group name.
Alarm State | State of the alarm, which can be Active or Clear.
Related Topics
• Configuring Alarm Notifications on ANM, page 17-57
• Displaying Alarm Notifications, page 17-65
Displaying Traps
After you configure alarm notifications (see the “Configuring Alarm Notifications on ANM” section on
page 17-57) and specify to send traps to a trap receiver, when the value for a specific statistic rises above
the setting you specify, ANM issues a trap to alert you.
Related Topics
• Configuring Alarm Notifications on ANM, page 17-57
• Displaying Alarm Notifications, page 17-65
Configuring SMTP for Email Notifications
You can specify that email notifications be sent each time a monitoring threshold is crossed. You can
request alert emails when configuring a threshold group (Monitor > Alarm Notifications > Threshold
Groups) or when enabling the historical data export feature (Monitor > Settings > Historical Data
Export).
Note You must configure ANM with your SMTP server information to receive email notifications.
Assumption
You have configured threshold crossing alerts (see the “Configuring Alarm Notifications on ANM”
section on page 17-57) or enabled the historical data export feature (see the “Exporting Historical Data”
section on page 17-52).
Procedure
Step 1 Choose Monitor > Settings > SMTP Configuration.
Step 2 In the SMTP Server to Send E-mail Notifications field, enter your SMTP server.
Step 3 (Optional) In the MAIL FROM for all Email notifications field, enter the source email address to use for
email notifications.
By default, the Mail From address is anm@hostname.
Step 4 Click Deploy Now to apply the SMTP configuration.
Related Topics
• Exporting Historical Data, page 17-52
• Monitoring Events, page 17-55
• Configuring Alarm Notifications on ANM, page 17-57
• Displaying Email Notifications, page 17-66
Displaying Network Topology Maps
This section shows how to display and use the network topology maps that display the nodes on your
network based on the virtual or real server that you select. Figure 17-13 shows a sample network
topology map.
Note The ANM software version that displays across the top of the window varies depending on your version
of ANM.
Figure 17-13 Sample ANM Topology Map
[Figure 17-13 is a screenshot of a sample topology map. Its callouts 1, 2, 3, 3a, and 3b are described in Table 17-25.]
Table 17-25 describes the callouts shown in Figure 17-13.
Table 17-25 Network Topology Map Components
Item | Description
1 | Topology map tool bar that contains the following tools:
• Layout—Changes the direction in which the network map appears. Choose one of the following options from the drop-down list: Top to Bottom or Left to Right.
• Zoom—Modifies the size of the network map. Click and drag the slide bar pointer to adjust the map size.
• Magnifier—Toggle button that enables or disables the magnifier tool. When enabled, moving your mouse over the topology map magnifies the area that the mouse is over.
• Fit Content—Fits the topology map to the window.
• Overview—Toggle button that enables or disables the Overview Window tool (see Callout 3).
• Undo—Sets the network node icons back to their previous positions.
• Redo—Redoes the changes that you made before you clicked Undo.
• Print—Sends the topology map to the network printer.
• Exit—Closes the topology map and returns to the previous window.
2 | Topology Map—Displays network node mapping.
The node icons display the following information related to the node:
• Name
• IP address (virtual and real servers only)
• Port (real servers only)
• Operational state (virtual and real servers only)
When you hover over a network node icon, the node type appears, for example ACE Virtual Server, Server Farm, or Real Server. Other possible operations when you hover over a network node icon are as follows:
• Real servers only—When you have an ACE configured for Dynamic Workload Scaling and you mouse over an associated real server icon, information appears that identifies which data center the real server is located in: local or remote. A timestamp also appears that specifies when the information was obtained.
• Server farms only—When you mouse over a server farm icon, the following Dynamic Workload Scaling status information appears:
– Local—The ACE is using the server farm’s local real servers only for load balancing. A timestamp specifies when the information was obtained.
– Burst—The ACE is bursting traffic to the server farm’s remote real servers because the load of the local real servers has exceeded the specified usage threshold (based on the average CPU and/or memory usage). A timestamp specifies when the information was obtained.
– N/A—Not applicable (Dynamic Workload Scaling is not available).
For more information about Dynamic Workload Scaling, see the “Dynamic Workload Scaling Overview” section on page 8-4.
To view details about a network node, right-click on the node and choose Show Details from the popup menu. To reposition a node in the map, click and drag the node icon to a new position. The node interconnect lines move with the node.
3 | Overview Window—Provides the combined functionality of the scroll bars and zoom tool as follows:
• Position tool (a)—Click and drag the shaded box to move around the topology map.
• Zoom tool (b)—Click and drag the shaded box handle (located in the lower right corner) to zoom in or out of the topology map.
Click the Overview toggle button in the map tool bar to display or hide the Overview window.
Table 17-26 shows the locations in the ANM GUI where you can access the topology maps for real
servers and virtual servers.
Table 17-26 ANM Topology Map GUI Locations
GUI location | For more information, see . . .
Config > Operations > Real Servers | Using the Real Server Topology Map, page 8-23
Config > Operations > Virtual Servers | Using the Virtual Server Topology Map, page 7-85
Monitor > Devices > Loadbalancing > Real Servers | This section.
Monitor > Devices > Loadbalancing > Virtual Servers | This section.
Procedure
Step 1 Do one of the following:
• Display the list of virtual servers by choosing Monitor > Devices > context > Loadbalancing >
Virtual Servers.
The Virtual Servers window appears with the table of configured virtual servers.
• Display the list of real servers by choosing Monitor > Devices > context > Loadbalancing > Real
Servers.
The Real Servers window appears with the table of configured real servers.
Step 2 From the servers table, check the check box next to the server whose topology map you want to display.
Step 3 From the servers window, click Topology.
The ANM Topology window displays the topology map for the selected virtual or real server. For
information about using the topology map tools, see Figure 17-13 and Table 17-25.
Step 4 (Optional) To close the topology map and return to the previous window, from the ANM Topology
window, click Exit.
Testing Connectivity
You can verify the connectivity (using the ping command) between ANM and the IP address you specify.
Note The Ping feature is disabled if you have not imported any devices into the ANM server.
Procedure
Step 1 Choose Monitor > Tools > Ping.
Step 2 From the object selector field, choose the device you want to test.
Step 3 Enter the information shown in Table 17-27.
Step 4 Click Start to run the connectivity test.
Table 17-27 Ping Fields
Field | Description
IP Address Type | Choose either IPv4 or IPv6 for the address type of the real server. This field appears only for ACE module and ACE appliance software version A5(1.0) or later, which supports IPv4 and IPv6.
IP Address | IP address of the real server that you want to ping.
Elapsed Time | Elapsed time before the ping request is declared a failure.
Repeat | Number of times to repeat the test.
Datagram Size | Value for the size argument (size of the packet) of the ping command.
After the test completes, the results are displayed.
Step 5 Do one of the following:
• Click New to enter new parameters and create a new ping test.
• Click Restart to rerun the connectivity test.
Related Topic
Setting Up Devices for Monitoring, page 17-2
Chapter 18 Administering the Cisco Application Networking Manager
Date: 3/28/12
This chapter describes how to administer, maintain, and manage the ANM management system. Previous
topics described how to manage your network devices on ANM, while this topic describes how to
perform procedures on the system itself.
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Overview of the Admin Function, page 18-2
• Controlling Access to Cisco ANM, page 18-3
• How ANM Handles Role-Based Access Control, page 18-8
• Configuring User Authentication and Authorization, page 18-9
• Managing User Accounts, page 18-17
• Displaying or Terminating Current User Sessions, page 18-24
• Managing User Roles, page 18-25
• Managing Domains, page 18-32
• Using an AAA Server for Remote User Authentication and Authorization, page 18-38
• Disabling the ANM Login Window Change Password Feature, page 18-50
• Managing ANM, page 18-51
• Administering the ANM Mobile Feature, page 18-67
• Lifeline Management, page 18-72
Overview of the Admin Function
Note Some of the Admin options might not be visible to some users; the roles assigned to your login determine
which options are available.
Table 18-1 describes the options that are displayed when you click Admin.
Table 18-1 Admin Menu Options
Menu Option: Description. Reference
Role-Based Access Control
  Organizations: Manage organizations and configure remote authentication mechanisms. See the
  “Configuring User Authentication and Authorization” section on page 18-9.
  Users: Manage users. See the “Managing User Accounts” section on page 18-17.
  Active Users: Display active users. See the “Displaying or Terminating Current User Sessions”
  section on page 18-24.
  Roles: Manage user roles. See the “Managing User Roles” section on page 18-25.
  Domains: Manage domains. See the “Managing Domains” section on page 18-32.
ANM Management
  ANM: Checks the status of the ANM server. See the “Checking the Status of the ANM Server”
  section on page 18-52.
  License Management: Views the ANM license state, adds more licenses, and tracks license
  information on your ACE. See the “Using ANM License Manager to Manage ANM Server or Demo
  Licenses” section on page 18-54.
  Statistics: Displays ACE statistics (for example, CPU, disk, and memory usage). See the
  “Displaying ANM Server Statistics” section on page 18-56.
  Statistics Collection: Enables ACE server statistics polling. See the “Configuring ANM Statistics
  Collection” section on page 18-57.
  Audit Log Settings: Allows you to specify the number of audit logs saved and how many days logs
  are saved. See the “Configuring Audit Log Settings” section on page 18-58.
  ANM Change Audit Log: Allows you to display audit logs recording any user input. See the
  “Displaying Change Audit Logs” section on page 18-61.
  ANM Auto-Sync Settings: Allows you to specify ANM server auto sync settings. See the
  “Configuring Auto Sync Settings” section on page 18-61.
  Advanced Settings: Allows you to configure the following Advanced Settings functions: enable or
  disable overwrite of the ACE logging device-id while setting up syslog for autosync using Config >
  Devices > Setup Syslog for Autosync; enable or disable write memory on a Config > Operations
  configuration. See the “Configuring Advanced Settings” section on page 18-62.
Lifeline Management: Use this tool to report a problem to the Cisco support line and generate a
  diagnostic package. See the “Lifeline Management” section on page 18-72.
Controlling Access to Cisco ANM
Access to ANM is based on usernames and passwords, which can be authenticated to a local database
on the ANM system or to a remote RADIUS, Active Directory/Lightweight Directory Access Protocol
(AD/LDAPS), or TACACS+ server. For detailed procedures about remote authentication, see the
“Configuring Authentication and Accounting Services” chapter of either the Cisco ACE Module Security
Configuration Guide or Cisco ACE 4700 Series Appliance Security Configuration Guide on
www.cisco.com.
Note ANM supports LDAPS through Active Directory (AD) only.
When a user logs into the system, the specific tasks they can perform and areas of the system that they
can use are controlled by organizations, roles, and domains. An organization is a virtual group of users,
their roles, and domains managed by a specific server that provides authentication to its users. Each
organization has its own set of users. See the “Understanding Organizations” section on page 18-7 for
information about organizations.
The role assigned to a user defines the tasks that a user can perform and the items in the hierarchy that
they can see. Roles are either pre-defined or set up by the system administrator. See the “Understanding
Roles” section on page 18-6 for more information.
A domain is a collection of managed objects. When a user is given access to a domain, it acts as a filter
for a subset of objects on the network, which are displayed as a virtual context. The types of objects in
the system that are domain controlled are as follows:
• Chassis (with VLANs)
• Virtual contexts
• Resource classes
• Real servers
• Virtual servers
Thus, role-based access control ensures that a user or organization can view only the devices or services
or perform the actions that are included in the domains to which they have been given access (see
Figure 18-1).
Figure 18-1 Role-Based Access Control Containment Overview
(Figure: the Default Organization contains System Objects, AAA Setup, Roles, Users, Tasks, Network
Objects, and Domains. The Roles-to-Users association is marked 1 to 1; all other associations are one to
many, reading from top to bottom, unless noted otherwise. A separate Organization is used by service
providers to resell management.)
The following is an example of RBAC containment.
(Figure: the Organization "Webmasters" contains the Domains "East Coast servers", "Central servers",
and "West Coast servers", the Role "Web server administrator", and the Users "User A", "User B", and
"User C".)
Note Each association is one-to-many. Because the organization itself is a collection, it is possible for
a role to be used in many organizations.
All other user interfaces, such as configuration and monitoring, respect this role-based access control
policy:
• Roles limit the screens (or functions on those screens) that a user can see.
• Domains limit the objects that are listed on any window that the roles allow.
• Users (other than the system administrator) can only create subdomains of the domains to which
they are assigned.
• The system administrator user can see and modify all objects. All other users are subject to the
role-based access controls illustrated in Figure 18-1.
Related Topics
• Types of Users, page 18-5
• Understanding Roles, page 18-6
• Understanding Operations Privileges, page 18-6
• Understanding Domains, page 18-7
• Understanding Organizations, page 18-7
• Managing User Accounts, page 18-17
Types of Users
Two types of users configure and monitor the ANM system:
• Default users—Individuals associated with the data center or IT department where ANM is
installed. The default administrative account (user ID is admin) is a system user account that is
preconfigured on ANM. The default administrative password (admin) is also preconfigured on
ANM. You can change the password for the admin user account in the same manner as any other
user password (see the “Managing User Accounts” section on page 18-17).
System roles are defined by the system administrator when ANM is first set up. System roles are
specified in terms of resource types and operations privileges. For each system role, the system
administrator specifies which resource types a role can work with and what operations a role can
perform on each resource type.
• Organization users—Users who work for the customer of a service provider or AAA server that
segments your users and to whom you want to grant access to ANM. Organization users
automatically have their access limited to the organization to which they belong.
Related Topics
• Configuring User Authentication and Authorization, page 18-9
• Managing User Accounts, page 18-17
• Using an AAA Server for Remote User Authentication and Authorization, page 18-38
Understanding Roles
Roles in ANM are defined by the system administrator. Roles are specified in terms of resource types
and operations privileges. For each role, the system administrator specifies which resource types a role
can work with and what operations a role can perform on each resource type.
When users are created, they are assigned at least one system role and inherit the operations privileges
specified for each of the resource types assigned to that role.
The options a user sees in the menu are filtered according to that user’s role (see the “Displaying User
Roles and Associated Tasks and ANM Menu Privileges” section on page 18-28).
Roles can be applied to both default and organization users. All users are strictly limited by the
combination of their operations privileges and user access. For example, a user cannot create another
user who has greater privileges or access.
Related Topics
• Configuring User Authentication and Authorization, page 18-9
• Managing User Accounts, page 18-17
• Managing User Roles, page 18-25
Understanding Operations Privileges
Operations privileges define what users can do in the designated resource types. For example, each
command and function on ANM has an assigned privilege. If a user’s privileges are not sufficient, the
command or function will not be available to them. The following operations privileges can be granted:
• No Access—The user has no access to this command or function.
Note If a user is configured with no access to virtual contexts, it means absolutely no access to
them. The most a user with this access can do is activate or suspend real servers.
• View—Allows the user to view statistics and specify parameter collection and threshold settings.
Gives the user read-only or view access to system objects and information.
• Modify—Allows the user to change the persistent information associated with system objects, such
as an organization record, or configuration.
• Debug—Gives the user read-only or view access to system objects and information.
• Create—Allows the user to control system objects, for example, creating, enabling, or powering
them up, and also deleting, disabling, or powering them down.
Note The Create privilege includes the functions associated with the Modify privilege; however,
the reverse is not true (a user with Modify privileges cannot create items).
Privileges are hierarchical. If a user has Modify privileges, they have View privileges as well. If a user
has Create or Debug privileges, they have View privileges as well.
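To make the privilege hierarchy and the domain filtering described above concrete, here is an added model in Python (example code, not part of ANM or this guide). The resource-type names, the sample role, user, domains, and managed objects are constructed for illustration.

```python
"""Model of the ANM RBAC rules in this chapter (added example, not ANM code).

Resource-type names, the sample roles, users, domains and objects below are
constructed for illustration; only the rules come from the guide.
"""
from dataclasses import dataclass, field

# Operations privileges named in the guide, each mapped to the full set it
# confers: Modify, Create and Debug all imply View; Create also implies Modify.
IMPLIED = {
    "No Access": set(),
    "View": {"View"},
    "Modify": {"Modify", "View"},
    "Create": {"Create", "Modify", "View"},
    "Debug": {"Debug", "View"},
}


def effective_privileges(granted: str) -> set:
    """Expand a granted privilege into every operation it allows."""
    if granted not in IMPLIED:
        raise ValueError(f"unknown privilege: {granted}")
    return set(IMPLIED[granted])


@dataclass
class Role:
    name: str
    # resource type -> granted privilege, e.g. {"real server": "Modify"};
    # a resource type that is absent is treated as No Access
    grants: dict

    def allows(self, resource_type: str, operation: str) -> bool:
        granted = self.grants.get(resource_type, "No Access")
        return operation in effective_privileges(granted)


@dataclass
class ManagedObject:
    name: str
    resource_type: str
    domain: str


@dataclass
class User:
    name: str
    organization: str
    role: Role
    domains: set = field(default_factory=set)


def visible_objects(user: User, objects: list) -> list:
    """Domains filter the rows a user sees: only objects in one of the user's
    domains, and only resource types on which the role grants at least View."""
    return [
        o for o in objects
        if o.domain in user.domains and user.role.allows(o.resource_type, "View")
    ]


def can_perform(user: User, obj: ManagedObject, operation: str) -> bool:
    """An operation is allowed only on an object inside an assigned domain and
    only if the role grants that operation on the object's resource type."""
    return obj.domain in user.domains and user.role.allows(obj.resource_type, operation)


def can_create_user(creator: User, new_role: Role, new_domains: set) -> bool:
    """The guide's rule that a user cannot create another user with greater
    privileges or access: every grant of the new role must be within the
    creator's effective privileges for that resource type, and the new user's
    domains must be a subset of the creator's domains."""
    if not new_domains <= creator.domains:
        return False
    for rtype, granted in new_role.grants.items():
        creator_granted = creator.role.grants.get(rtype, "No Access")
        if not effective_privileges(granted) <= effective_privileges(creator_granted):
            return False
    return True


# Constructed sample data mirroring the "Webmasters" containment example.
WEB_ADMIN = Role("Web server administrator",
                 {"real server": "Modify", "virtual server": "View"})
ACTIVATOR = Role("Server activator", {"real server": "View"})
USER_A = User("User A", "Webmasters", WEB_ADMIN, {"East Coast servers"})
OBJECTS = [
    ManagedObject("web-01", "real server", "East Coast servers"),
    ManagedObject("web-07", "real server", "West Coast servers"),
    ManagedObject("vip-east", "virtual server", "East Coast servers"),
    ManagedObject("ctx-east", "virtual context", "East Coast servers"),
]

if __name__ == "__main__":
    for o in visible_objects(USER_A, OBJECTS):
        print(o.name, "modify:", can_perform(USER_A, o, "Modify"))
```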
Related Topics
• How ANM Handles Role-Based Access Control, page 18-8
• Managing User Roles, page 18-25
• Guidelines for Managing User Roles, page 18-25
• Understanding Predefined Roles, page 18-26
• Using an AAA Server for Remote User Authentication and Authorization, page 18-38
Understanding Domains
Domains in ANM are defined by the system administrator. A domain is a collection of managed objects
to which a user is given access. By setting up a domain, you are filtering for a subset of objects on the
network. The user is then given access to this virtual context.
The table rows that a user sees in any table are filtered according to the domain to which that user has
access.
Understanding Organizations
An organization allows you to configure AAA server lookup for your users or set up users who work for
a service provider customer. Organizations in ANM are defined by the system administrator.
When you use an ACE device as a AAA server, you may want to segment them for customer, business,
or security reasons. If you use more than one authentication server, then you can use organizations to
configure them to authenticate your users.
For example, if your company has four servers, one each for local, RADIUS, TACACS+, and LDAPS
authentication, then organizations could reflect that. The Default organization in ANM is set up to act
as the local server.
ANM supports different device types that have unique ways of configuring authentication access, which
helps with future device support. ANM can configure which users are authenticated by which
authentication servers, but it does not act as an AAA server itself, because doing so would conflict with
its role as the RBAC administrator; keeping the two separate provides the separation of authority that is
needed to perform RBAC successfully.
Related Topics
• Using an AAA Server for Remote User Authentication and Authorization, page 18-38
How ANM Handles Role-Based Access Control
This section describes how and why a system administrator might want to use the ANM RBAC features.
ANM supports two distinct, but related RBAC capabilities as follows:
• ANM RBAC—ANM acts as a system and network device overseer allowing it to globally implement
its use of RBAC.
• Device RBAC—ANM devices enforce RBAC.
Understanding ANM RBAC
ANM is a central place where you can globally set the RBAC for users, roles, and domains (as well as
for virtual contexts or device types using device RBAC).
As a system administrator, you may need to delegate authority to allow another administrator to perform
specific tasks on specific devices, such as activating, suspending, and monitoring traffic flow to specific
real servers, yet restrict them from accessing all other capabilities. ANM enables you to accomplish this
delegation with more control. For a description of how the roles map to the functions, see “Displaying
User Roles and Associated Tasks and ANM Menu Privileges” section on page 18-28.
Understanding Device RBAC
ANM’s device RBAC allows you to set up device permission levels of a more granular nature. You no
longer have to provide “all-or-nothing” role-based access to devices and device modules. Without
ANM, some devices may be open to users who can perform every task on that device or module,
regardless of their authorization, because of the permission level requirements on modules and/or
switches. ANM provides a central place to grant special access to users you specify. Device users, roles,
and domain data are not part of ANM and cannot be used by it. Device RBAC is only for CLI access
directly to the context.
For example, some users may need level 3 access when direct troubleshooting of ACE hardware is
required. You can set up these users with or without ANM, but ANM centralizes the capability to do so.
For instance, you might configure a network engineer with a special role, such as ACE-Admin or
Network-Admin, to provide the level 3 access. ANM accesses the ACE as a level 15 user and an admin
supervisor and uses the RBAC to determine the level of access (to device types, segments, elements,
subelements, and so on).
Some Cisco devices, for example the ACE, have the ability to configure RBAC directly on the device.
The CSS and CSM are examples of Cisco devices that do not have their own RBAC.
When you configure remote authentication (AAA, RADIUS, LDAPS, or TACACS+) for the ACE
through ANM, users no longer have to log out to access their device using Telnet. When you manually
log into a CSS, the CSS performs user authentication in a Telnet session. Telnet does not provide any
domain enforcement, so it is less secure. For an overview of the steps that you perform to configure
remote authentication using an AAA server, see the “Using an AAA Server for Remote User
Authentication and Authorization” section on page 18-38.
If you are an admin using a CSS module outside of the ANM application, then you might have
permission to do anything on this switch. If you are using ANM, you can set up better authorization for
your administrators for specific devices. Better authorization controls are one of the advantages of using
the ANM rather than using only the CLI on the ACE hardware. You can now configure separate access
for one function for this user in this domain only. ANM allows this high level of granularity and with it,
more control over who does what to your devices.
Note When configuring device RBAC through Config > Devices, a message is displayed reminding you
that you are configuring RBAC outside of ANM for direct access. Be aware that this may contradict your
ANM settings.
For more information on centralizing direct access to devices through RBAC on individual devices, see
the “Configuring ACE Module and Appliance Role-Based Access Controls” section on page 5-53.
Case Example
In this example, a CSM device must have level 15 access, which by default makes the admin a
supervisor on everything in the switch (and everything in the module). Another way of looking at this is
that it provides read-only access to everything or configuration access to everything.
ACE hardware can be configured on a virtual context to perform that task on a subset domain for every
individual module, on every context, but this type of configuration must be configured individually.
A system administrator might need to configure a network admin to manage two CSM modules, one out
of six virtual contexts, and all East Coast web servers. With ANM, the admin could create one
configuration set that includes a user account with a Network-Admin role and a domain that includes
these objects. ANM then becomes the security window through which this user passes to get to their
destination for that domain and for that virtual context.
If there were six users, nine domains, and three virtual contexts, there would be 54 entries required into
a AAA Server and ACE module. In ANM there is one entry completed for each of the six users.
Configuring User Authentication and Authorization
In ANM, you can configure authentication for your users by specifying the authentication method to use
for specific users: the local method using ANM or a remote method using an AAA server. You do this
through organizations. An organization allows you to configure your local or AAA server lookup for
your users, and then associate specific users, roles, and domains with those organizations.
The following sections describe the organization authentication tasks that you can complete in ANM:
• Adding a New Organization, page 18-10
• Configuring AAA Server lookup for your users—See Adding a New Organization, page 18-10
• Changing server passwords—See Changing Authentication Server Passwords, page 18-14
• Modifying Organizations, page 18-14
• Duplicating an Organization, page 18-15
• Displaying Authentication Server Organizations, page 18-16
• Deleting Organizations, page 18-16
The Default organization (to which all users belong) authenticates users through the ANM internal
mechanism, which is based on the RBAC security model. This mechanism authenticates users through
the local authentication module and a local database of user IDs and passwords. If you choose to use a
remote authentication method, you must specify the authentication server and port.
Many organizations, however, already have an authentication service. To use your own authentication
service instead of the local module, you can choose one of the alternate modules:
• TACACS+
• RADIUS
• AD/LDAPS
Note For detailed procedures about remote authentication, see the “Configuring Authentication and
Accounting Services” chapter of either the Cisco ACE Module Security Configuration Guide or Cisco
ACE 4700 Series Appliance Security Configuration Guide on www.cisco.com.
After you configure an organization, all authentication transactions are performed by the authentication
service associated with that organization. Users log in with the user ID and password associated with the
current authentication module.
Related Topics
• Managing User Accounts, page 18-17
• Managing User Roles, page 18-25
• Managing Domains, page 18-32
• Using an AAA Server for Remote User Authentication and Authorization, page 18-38
Adding a New Organization
You can add organizations, which define the mechanism for authenticating ANM users: local using
ANM or remote using RADIUS, TACACS+, or AD/LDAPS. When you configure an organization for
remote authentication, users within that organization have their passwords validated using the specified
remote AAA server.
You can also configure an organization to use a TACACS+ server for remote authorization of ANM
users. To use remote authorization, you must also configure the TACACS+ server with the role and
domains associated with a user or user group (see the “Configuring Remote User Authorization Using a
TACACS+ Server” section on page 18-45).
When you use the services of a remote AAA server, you can configure the organization to fall back to
using local authentication and authorization when the remote AAA server becomes unavailable.
Procedure
Step 1 Choose Admin > Role-Based Access Control > All Organizations.
Step 2 Click Add.
Step 3 Enter the name of the new organization and notes if required, and click Save.
Step 4 Enter the attributes described in Table 18-2.
Certain attributes are displayed only when specific options are selected.
Table 18-2 Organization Attributes
Attribute: Description
Notes: Description of the organization or notes to the administrator.
Organization Name: Company, department, or division of the organization that administers the ANM
server. This can be different from the organization name entered above. The default name entered
appears.
Account Number: Account number for the organization.
Contact Name: Name of the individual who is the contact in the organization.
Email: Address for the organization’s contact person.
Telephone #: Telephone number for the organization’s contact person. The format is free text with no
embedded spaces.
Alternative Telephone #: Alternative telephone number for the organization’s contact person.
Street Address: Street for the organization.
City: City where the organization is located.
Zip Code: Zip code for the organization’s address.
Country: Country where the organization is located.
Authentication: Mechanism that the system uses to authenticate users. The default authentication
mechanism is ANM's internal mechanism (local), which is based on ANM's security model. For remote
authentication, you must specify the authentication server and port number. Options are as follows:
  • Local—Specifies the use of the local database.
  • RADIUS
  • TACACS+
  • AD/LDAPS (ANM requires that a Domain Controller Server certificate be installed on the Active
  Directory Server. For detailed instructions, see the “Configuring an LDAP Server” section in the
  “Configuring Authentication and Accounting Services” chapter of either the Cisco ACE Module
  Security Configuration Guide or Cisco ACE 4700 Series Appliance Security Configuration Guide on
  www.cisco.com.)
Note: The attributes listed below appear only when the Authentication attribute is set to AD/LDAPS,
RADIUS, or TACACS+. For detailed instructions about configuring these attributes, see the
“Configuring Authentication and Accounting Services” chapter of either the Cisco ACE Module Security
Configuration Guide or Cisco ACE 4700 Series Appliance Security Configuration Guide on
www.cisco.com.
Authentication Server: Hostname or IP address of a RADIUS, TACACS+, or LDAPS server for remote
user authentication.
  Note Setting this attribute is mandatory if you set the Authentication attribute to anything other than
  the default (local).
  If you select a remote authentication method, you might need to specify a separate user ID for the
  authentication server.
  For AD/LDAPS, you must provide the FQDN of the server (which must be in the user's authenticating
  domain).
  Note ANM supports LDAPS only through Active Directory (AD).
Authentication Port: (Optional) Destination port for communicating authentication requests to the
authentication server as follows:
  • RADIUS—By default, the RADIUS authentication port is 1812 (as defined in RFC 2138 and RFC
  2139). If your RADIUS server uses a port other than 1812, configure ANM for the appropriate port.
  Valid values are from 1 to 65535.
  • TACACS+—By default, the TACACS+ authentication port is 49 (as defined in RFC 1492). If your
  TACACS+ server uses a port other than 49, configure ANM for the appropriate port. Valid values are
  from 1 to 65535.
  • LDAPS—By default, the LDAP server port is 636. If your LDAP server uses a port other than 636,
  configure ANM for the appropriate port. Valid values are from 1 to 65535.
Secondary Authentication Server: (Optional) Hostname or IP address for the secondary RADIUS,
TACACS+, or LDAPS server used for authentication in case the primary server is unavailable.
Secondary Authentication Port: (Optional) Destination port on the secondary RADIUS, TACACS+, or
LDAPS server for communicating authentication requests if the primary server is unavailable.
Authentication Secret: String used to encrypt the traffic between Cisco ANM and the AAA server. This
string must be identical on both servers.
Remote Authorization: (Optional) Field that appears only when the Authentication attribute is set to
TACACS+. Determines whether ANM or the TACACS+ server performs user authorization. Uncheck the
check box to have ANM perform user authorization locally (this is the default setting). Check the check
box to enable remote authorization by the TACACS+ server.
  If you enable remote authorization, you must configure the TACACS+ server with the role and domain
  information associated with each user (see the “Configuring Remote User Authorization Using a
  TACACS+ Server” section on page 18-45).
  Note All role and domain definitions are stored locally on ANM (see the “Managing User Roles”
  section on page 18-25 and the “Managing Domains” section on page 18-32).
ANM Unique IDs: Field that appears only when the Remote Authorization check box is checked for a
TACACS+ server. Enter the value that matches the ANM identifier that you configure on the TACACS+
server (see the “Configuring Remote User Authorization Using a TACACS+ Server” section on
page 18-45). The default value is ANM.
  Depending on how you configure the TACACS+ server for user authorization, you may need to specify
  multiple, comma-separated ANM IDs in the ANM Unique IDs field as follows:
  anm_1,anm2,anm3
  For example, when configuring ANM user authorization on the TACACS+ server, you can use a
  maximum of 160 characters to specify an ANM unique ID and associated user role and user domain
  information. To work around this limitation, on the TACACS+ server you can specify additional
  domain information for the role by entering multiple ANM identifiers.
  When multiple ANM organizations share the same TACACS+ server, specify a different ANM
  identifier for each organization.
  When multiple ANMs share the same TACACS+ server, specify a different ANM identifier for each
  ANM.
Fallback to Local: Enables ANM to use local authentication (and local user authorization for TACACS+
applications) if the remote primary and secondary AAA servers are not available, such as when there is
a timeout issue, connectivity issue, wrong IP address, and so forth.
  Note To use the fallback option, you must configure a local user on ANM that ANM can use when
  fallback is invoked.
  When you enable Fallback to Local for RADIUS and AD/LDAP, ANM falls back to local user
  authentication only when the AAA server is unreachable. If the AAA server is reachable but remote
  authentication fails, ANM does not fall back to local and the login is rejected.
  When you enable Fallback to Local for TACACS+, ANM falls back to local user authentication and
  authorization only when the AAA server is unreachable. If the remote server is reachable but remote
  authentication fails, ANM does not fall back to local and the login is rejected. If Remote Authorization
  is not enabled, after remote authentication is complete, ANM performs user authorization by checking
  the local user for role and domain information. If Remote Authorization is enabled and no valid role or
  domain information is found on the TACACS+ server, including the ANM IP attributes not being set
  on the TACACS+ server, ANM does not fall back to the local user and rejects the login (see the
  “Configuring Remote User Authorization Using a TACACS+ Server” section on page 18-45).
Step 5 Click Save.
Related Topics
• Managing User Accounts, page 18-17
• Changing the Admin Password, page 18-14
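The Fallback to Local and Remote Authorization rules in Table 18-2 decide when a login is accepted and where its role and domain information comes from. The following added Python model (example code, not ANM's) encodes those rules as a decision function; the server outcomes and the local user record are constructed inputs, and the treatment of a user with no local record after a successful remote authentication is an assumption the guide does not state.

```python
"""Decision model of the Fallback to Local rules in Table 18-2 (added example,
not ANM code). Server responses and the local user record are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class RemoteResult:
    """Outcome of contacting one AAA server. reachable=False covers the cases
    the guide lists: timeout, connectivity issue, wrong IP address."""
    reachable: bool
    authenticated: bool = False
    # Role and domains returned by TACACS+ when Remote Authorization is enabled
    role: Optional[str] = None
    domains: Tuple[str, ...] = ()


@dataclass
class LocalUser:
    """The local ANM user record that fallback and local authorization rely on."""
    password_ok: bool
    role: str
    domains: Tuple[str, ...]


# (accepted, where the decision came from, role, domains)
Decision = Tuple[bool, str, Optional[str], Tuple[str, ...]]
REJECT: Decision = (False, "rejected", None, ())


def login_decision(mechanism: str, fallback_to_local: bool, remote_authorization: bool,
                   primary: Optional[RemoteResult], secondary: Optional[RemoteResult],
                   local: Optional[LocalUser]) -> Decision:
    """Apply the organization's authentication settings to one login attempt."""
    if mechanism not in ("RADIUS", "AD/LDAPS", "TACACS+"):
        raise ValueError(f"unsupported mechanism: {mechanism}")
    if remote_authorization and mechanism != "TACACS+":
        raise ValueError("Remote Authorization applies only to TACACS+")

    # The secondary server is consulted only when the primary is unavailable.
    server = next((s for s in (primary, secondary) if s is not None and s.reachable), None)

    if server is None:
        # Both servers unreachable: the only situation in which fallback applies,
        # and it still needs a local user whose password checks out.
        if fallback_to_local and local is not None and local.password_ok:
            return (True, "local", local.role, local.domains)
        return REJECT

    if not server.authenticated:
        # A reachable server that rejects the credentials: no fallback, login rejected.
        return REJECT

    if remote_authorization:
        # TACACS+ must supply valid role and domain information; if it does not,
        # ANM rejects the login rather than falling back to the local user.
        if server.role is None or not server.domains:
            return REJECT
        return (True, "remote", server.role, server.domains)

    # Remote authentication succeeded; role and domains come from the local record.
    # Assumption (not stated in the guide): with no local record there is nothing
    # to authorize against, so the login is rejected.
    if local is None:
        return REJECT
    return (True, "remote", local.role, local.domains)
```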
Changing Authentication Server Passwords
Note Your user role determines whether you can use this option.
You can change the authentication server password.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization.
Step 2 Choose the organization that you want to modify and click Edit.
Step 3 Change the password attribute in the attributes table (see Table 18-5).
Step 4 Click Save.
The Edit User Details window appears.
Step 5 Make any changes and click Save.
Step 6 When all the details are correct, click Cancel.
The User Management table is displayed.
Related Topics
• Managing User Accounts, page 18-17
• Changing the Admin Password, page 18-14
Changing the Admin Password
Each ANM has an admin user account built into the device. The root user ID is admin, and the password
is set when the system is installed. For information about changing the Admin password, see the
“Changing Your Account Password” section on page 1-6.
Note For details about resetting the Admin password, see the Installation Guide for Cisco Application
Networking Manager 3.0.
Modifying Organizations
Note Your user role determines whether you can use this option.
You can modify an existing organization.
Assumptions
This topic assumes the following:
• ANM is installed and running.
• The organization exists in the ANM database.
• You have reviewed the guidelines for managing customer organizations (see the “Adding a New
Organization” section on page 18-10).
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organizations.
Step 2 Choose the organization that you want to modify and click Edit.
The Edit Organization window appears.
Step 3 In the attributes table of the Edit Organization window, modify any of the attributes (see Table 18-2).
Step 4 Click Save.
Related Topics
• Configuring User Authentication and Authorization, page 18-9
Duplicating an Organization
Note Your user role determines whether you can use this option.
You can create a new organization from an existing one.
Assumptions
This topic assumes the following:
• ANM is installed and running.
• The organization exists in the ANM database.
• You have reviewed the guidelines for managing customer organizations (see the “Adding a New
Organization” section on page 18-10).
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organizations.
The Organizations window appears.
Step 2 In the Organizations window, choose the organization that you want to copy.
Step 3 Click Duplicate.
A script popup window appears.
Step 4 At the prompt in the popup window, enter a name for the new organization.
Step 5 Click OK.
The popup window closes and the new organization copy is added to the Organization window.
Step 6 (Optional) Choose the new organization and click Edit to make changes to the organization settings.
The Edit Organization window appears.
Step 7 In the attributes table of the Edit Organization window, modify any of the attributes (see Table 18-2).
Step 8 Click Save.
Related Topics
• Configuring User Authentication and Authorization, page 18-9
Displaying Authentication Server Organizations
Note Your user role determines whether you can use this option.
To display the authentication server organizations, choose Admin > Role-Based Access Control > All
Organizations. The Organizations window appears with a list of customer organizations. From this
window you can create users, roles, and domains that are associated with this specific organization.
You can also access organizations by selecting the organization from the object selector that displays in
the top right portion of the content area.
Related Topics
• Understanding Organizations, page 18-7
• Configuring User Authentication and Authorization, page 18-9
Deleting Organizations
Note Your user role determines whether you can use this option.
You can delete an organization.
Assumptions
This topic assumes the following:
• ANM is installed and running.
• The organization exists in the ANM database.
• You have reviewed the guidelines for managing customer organizations (see the “Adding a New
Organization” section on page 18-10).
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organizations.
The Organizations window appears.
Step 2 In the Organizations window, choose the organization to delete.
Step 3 Click Delete.
All users, domains, and roles within that organization are removed.
Related Topics
• Configuring User Authentication and Authorization, page 18-9
Managing User Accounts
You use the User Management feature to specify the people that are allowed to log onto the system.
Note You can create users in the organization in which you are a member. You will see users only in the
organizations in which you are a member.
This section includes the following topics:
• Guidelines for Managing User Accounts, page 18-17
• Displaying a List of Users, page 18-18
• Creating User Accounts, page 18-19
• Duplicating a User Account, page 18-20
• Modifying User Accounts, page 18-21
• Resetting Another User’s Password, page 18-22
• Deleting User Accounts, page 18-23
Guidelines for Managing User Accounts
This topic includes the following guidelines:
• A user cannot log in until they have one domain and one user role associated through an
organization. This can be the Default domain but a role must be specified.
• Users cannot be moved from one organization to another. Organizations are designed to be separate
and distinct.
• Only users with create permissions can reset other users’ passwords. See the “Resetting Another
User’s Password” section on page 18-22.
Displaying a List of Users
You can display a list of ANM users, which includes ANM Mobile users if you have ANM configured
to use this feature (for more information, see Chapter 19, “Using ANM Mobile”).
Guidelines and Restrictions
The list of ANM users does not include users that are remotely authenticated and authorized using a
AAA server unless ANM is configured as a backup for user authentication and authorization.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Active Users.
The Users table appears. Table 18-3 describes the default user information that displays.
Step 2 (Optional: Mobile ANM users only) To display the list of mobile devices used by a user, choose a user
from the list and click Mobile Notifications.
The Mobile Devices popup window appears, displaying device-specific information (see Table 18-18).
Step 3 (Optional: Mobile ANM users only) To display the list of favorite objects associated with a user, choose
the user from the list and click Favorites.
The User Favorites popup window appears. Table 18-4 describes the information displayed.
Step 4 (Optional) To specify the user information that displays in the Users table, hover over the Customize
button and choose one of the following options:
• Default—Displays only the fields described in Table 18-3.
• Configure—Opens the Users List Configuration popup window that allows you to specify the user
information that displays (see the “Customizing Tables” section on page 1-15).
Note The list of user fields that you can choose from includes the Available Objects option, which
lists the domain objects available to the user. Because the list of available domain objects
for a user can be too extensive to display in the User table, the Excel spreadsheet is the only
output format that displays this information (see Step 5).
Table 18-3 Users Table Default Fields
Field Description
Login Name Full name of the user.
Role Role assigned to the user.
Domains Domains to which the user belongs.
Table 18-4 Mobile Device User’s Favorites
Field Description
Object Type ACE object type accessed by the user, such as a real server or virtual server.
Device Name ACE device (virtual context) name accessed by the user.
Object Name Name assigned to the object.
Step 5 (Optional) To output the user information as raw data or in an Excel spreadsheet, hover over the Save
button and choose one of the following output options:
• Raw data—Displays the user information as raw data in a new window.
• Excel spreadsheet—Displays user information in an Excel spreadsheet in a new window.
Related Topics
• Creating User Accounts, page 18-19
• Duplicating a User Account, page 18-20
• Modifying User Accounts, page 18-21
• Resetting Another User’s Password, page 18-22
• Deleting User Accounts, page 18-23
• Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70
• Chapter 19, “Using ANM Mobile”
Creating User Accounts
Note Your user role determines whether or not you can use this option.
You can create new user accounts for an organization.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Users.
The Users table appears.
Step 2 Click Add.
The New Organization User window appears.
Step 3 In the New Organization User window, configure the user attributes as described in Table 18-5:
Note If your web browser supports the Remember Passwords option and you enable this option, the
web browser may fill in the Name and Password fields when the New Organization User window
loads. By default, these fields should be empty. You can change the name and password fields
from whatever the web browser inserts into the two fields.
Table 18-5 User Attributes
Field Description
Login Name Name by which the user is to be identified in the system (up to 24 characters). Only letters, numbers, underscore (_), and backslash (\) can be used. The field is case sensitive.
Name Full name of the user. The format is free text.
Password Password for the user account.
Confirm Password confirmation for the account.
Email Email address for the user.
Telephone# Telephone number for the user. The format is free text with no embedded spaces.
Role Predefined role from the drop-down list.
Domains Domains to which this user belongs. Use the Add and Remove buttons to choose the domains to which this user belongs.
Allowed Login IP IP address or a subnetwork from which the user is allowed to log in. You can define up to ten different addresses for a single user. Unless you specifically define IP addresses or subnetworks using this option, the user can log in from any IP address. When you enter an allowed single IP address or an allowed subnet, the user is only allowed to log in from the specified addresses. To restrict access to a specific subnetwork, enter the IP address and the mask, for example, 10.1.200.60/255.255.255.0.
Note IP addresses 1.1.1.1 and 0.0.0.0 cannot be entered in this field.
Description Notes about the user.
First Menu Menu that displays when this user first logs in. Choose one from the drop-down list.
Last Login Last time (local time) this user logged in.
Step 4 Click Save to save the user account information.
Related Topics
• Displaying a List of Users, page 18-18
• Duplicating a User Account, page 18-20
• Modifying User Accounts, page 18-21
• Resetting Another User’s Password, page 18-22
• Deleting User Accounts, page 18-23
Duplicating a User Account
Note Your user role determines whether you can use this option.
You can create a new user account using settings from an existing user.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Users.
The Users table appears.
Step 2 Choose the user account you want to copy and click Duplicate.
A script popup window appears.
Step 3 At the prompt in the popup window, enter a name for the new user account and click OK.
The popup window closes and the Users table displays the new user account.
Step 4 (Optional) To make changes to the user account, from the Users table, choose the user account and click
Edit.
The Edit Organization User window appears.
Step 5 In the Edit Organization User window, modify the user account settings as described in Table 18-6.
Step 6 Click Save to save the user account information.
The Users window appears.
Related Topics
• Displaying a List of Users, page 18-18
• Creating User Accounts, page 18-19
• Modifying User Accounts, page 18-21
• Resetting Another User’s Password, page 18-22
• Deleting User Accounts, page 18-23
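The Login Name, Telephone#, and Allowed Login IP rules from Tables 18-5 and 18-6, applied as input checks and as the login-source decision they imply. This is an added Python example, not ANM code; the function names, error strings, and sample values are this example's own assumptions.

```python
"""Checks for the user attribute rules in Tables 18-5 and 18-6.

Added example, not ANM code. The rules (24-character login name limited to
letters, numbers, underscore and backslash; no embedded spaces in the
telephone number; up to ten Allowed Login IP entries written as an address
or address/mask, with 1.1.1.1 and 0.0.0.0 refused) come from the tables;
the function names and error strings are assumptions of this example.
"""
from __future__ import annotations

import ipaddress
import re

LOGIN_NAME_MAX = 24
# Table 18-5: only letters, numbers, underscore (_), and backslash (\); case sensitive.
LOGIN_NAME_RE = re.compile(r"^[A-Za-z0-9_\\]+$")
MAX_ALLOWED_LOGIN_ENTRIES = 10
# Table 18-5 note: these two addresses cannot be entered in the Allowed Login IP field.
FORBIDDEN_LOGIN_IPS = {ipaddress.IPv4Address("1.1.1.1"), ipaddress.IPv4Address("0.0.0.0")}


def validate_login_name(name: str) -> list[str]:
    """Return the rule violations for a Login Name (empty list when acceptable)."""
    errors = []
    if not name:
        errors.append("login name is empty")
    if len(name) > LOGIN_NAME_MAX:
        errors.append(f"login name longer than {LOGIN_NAME_MAX} characters")
    if name and not LOGIN_NAME_RE.match(name):
        errors.append("login name may contain only letters, numbers, underscore, and backslash")
    return errors


def validate_telephone(telephone: str) -> list[str]:
    """Telephone# is free text, but embedded spaces are not allowed."""
    return ["telephone number contains an embedded space"] if " " in telephone.strip() else []


def parse_allowed_login_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one Allowed Login IP entry: a single address or address/mask.

    Raises ValueError for malformed entries and for the two forbidden addresses.
    """
    text = entry.strip()
    host = ipaddress.IPv4Address(text.split("/", 1)[0])
    if host in FORBIDDEN_LOGIN_IPS:
        raise ValueError(f"{host} cannot be entered as an Allowed Login IP")
    # strict=False lets 10.1.200.60/255.255.255.0 (the table's example) stand
    # for its subnetwork 10.1.200.0/24; a bare address becomes a /32.
    return ipaddress.IPv4Network(text, strict=False)


def validate_allowed_login_ips(entries: list[str]) -> list[str]:
    """Return the rule violations for the whole Allowed Login IP list."""
    errors = []
    if len(entries) > MAX_ALLOWED_LOGIN_ENTRIES:
        errors.append(f"more than {MAX_ALLOWED_LOGIN_ENTRIES} Allowed Login IP entries")
    for entry in entries:
        try:
            parse_allowed_login_entry(entry)
        except ValueError as exc:
            errors.append(f"invalid Allowed Login IP entry {entry!r}: {exc}")
    return errors


def login_allowed(entries: list[str], source_ip: str) -> bool:
    """Apply the Allowed Login IP rule to a login attempt.

    No entries means the user may log in from any address; otherwise the
    source address must fall inside at least one configured entry.
    """
    if not entries:
        return True
    source = ipaddress.IPv4Address(source_ip)
    return any(source in parse_allowed_login_entry(entry) for entry in entries)


if __name__ == "__main__":
    # Constructed sample values: a user restricted to one subnet and one host.
    allowed = ["10.1.200.60/255.255.255.0", "192.0.2.10"]
    print(validate_login_name("corp\\alice_01"), validate_allowed_login_ips(allowed))
    for src in ("10.1.200.7", "10.1.201.7", "192.0.2.10"):
        print(src, "->", "allowed" if login_allowed(allowed, src) else "refused")
```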
Modifying User Accounts
Note Your user role determines whether you can use this option.
You can modify existing user accounts.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Users.
The Users table appears.
Step 2 Choose the user account you want to modify and click Edit.
The Edit Organization User window appears.
Step 3 In the Edit Organization User window, modify any of the attributes in the attributes table (see
Table 18-6).
Table 18-6 Modify User Attributes
Field Description
Login Name Name you specified when you created the user you want to duplicate. This is the name by which the user is to be identified in the system (up to 24 characters). Only letters, numbers, and underscore can be used. The field is case sensitive.
Name Full name of the user. The format is free text.
Email Email address for this user.
Telephone# Telephone number for this user. The format is free text with no embedded spaces.
Role Predefined role from the list.
Domains Domains to which this user belongs. Use the Add and Remove buttons to choose domains to which this user belongs.
Allowed Login IP IP address or a subnetwork from which the user is allowed to log in. You can define up to ten different addresses for a single user. Unless you specifically define IP addresses or subnetworks using this option, the user can log in from any IP address. When you enter an allowed single IP address or an allowed subnet, the user is only allowed to log in from the specified addresses. To restrict access to a specific subnetwork, enter the IP address and the mask, for example, 10.1.200.60/255.255.255.0.
Note IP addresses 1.1.1.1 and 0.0.0.0 cannot be entered in this field.
Description Notes about the user.
First Menu Menu that is displayed when this user first logs in. Choose one from the drop-down list.
Last Login Last time (local time) that this user logged in and the IP address that was used.
Step 4 Click Save to save the user account information.
Related Topics
• Displaying a List of Users, page 18-18
• Creating User Accounts, page 18-19
• Duplicating a User Account, page 18-20
• Resetting Another User’s Password, page 18-22
• Deleting User Accounts, page 18-23
Resetting Another User’s Password
Note You must have create permissions in order to reset another user’s password.
Use this procedure to reset another user’s password.
Step 1 Log in to Cisco License Manager, making sure that the login username has create permissions.
Step 2 Choose Admin > Users.
The Users window appears.
Step 3 In the Users window, choose the username for which the password needs to be reset and click the Reset Password button.
The Reset Password popup window appears with the selected username in the username field.
Step 4 Enter and confirm the new password.
Step 5 Click OK to save the password information.
The “Password has been reset” message is displayed if there are no errors.
Related Topics
• Displaying a List of Users, page 18-18
• Creating User Accounts, page 18-19
• Duplicating a User Account, page 18-20
• Modifying User Accounts, page 18-21
• Deleting User Accounts, page 18-23
• Displaying or Terminating Current User Sessions, page 18-24
Deleting User Accounts
Note Your user role determines whether you can use this option.
You can delete a user account.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Users.
The Users table appears.
Step 2 Choose the user account to delete and click Delete.
Step 3 The confirmation popup window appears.
Step 4 In the confirmation popup window, do one of the following:
• Click OK to confirm the deletion request. The user account is removed from the ANM database.
• Click Cancel to ignore the deletion request.
Related Topics
• Displaying a List of Users, page 18-18
• Creating User Accounts, page 18-19
• Duplicating a User Account, page 18-20
• Modifying User Accounts, page 18-21
• Resetting Another User’s Password, page 18-22
Displaying or Terminating Current User Sessions
Note Your user role determines whether you can use this option.
You can display a list of the users currently logged into the system and end their sessions, if required.
You can only display the users in your organization.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Active Users.
The Active User Sessions window displays the following information for each active user who is logged in:
Table 18-7 Active User Session Information
Column Description
Name Name used to log into the Cisco ANM.
Type Of Login Method used to log in, for example WEB.
User Type Method used to authenticate and authorize the user:
• Local—ANM is used to authenticate and/or authorize the user.
• Remote—AAA server is used to both authenticate and authorize the user.
Login From IP IP address of host.
Time Of Login Time user logged in.
Step 2 (Optional) To terminate an active session, click Terminate.
When a user session is terminated, the user is logged out of the interface from which the user session
was initiated. If the user was making changes to a configuration, the configuration lock is released and
any uncommitted configuration change is discarded.
If a user session is terminated while an operation is in progress, the current operation is not stopped, but
any subsequent operation is denied.
For more details on terminating active users, see the “Displaying or Terminating Current User Sessions”
section on page 18-24.
Related Topics
• Controlling Access to Cisco ANM, page 18-3
• Managing User Accounts, page 18-17
Managing User Roles
You use the Roles Management feature to add, modify, and delete user-defined roles and to modify
predefined roles. A user’s role determines the tasks the user can access. Each role is associated with
permissions or rules that define what feature access this role contains. For example, if you design a role
that provides access to virtual servers, the role automatically includes access to all real servers that could
be included in the virtual server.
ANM provides several predefined user roles that you can modify but not delete. For more information
about predefined user roles, including the list of the predefined user roles, see the “Understanding
Predefined Roles” section on page 18-26.
This section includes the following topics:
• Guidelines for Managing User Roles, page 18-25
• Understanding Predefined Roles, page 18-26
• Displaying User Role Relationships, page 18-27
• Displaying User Roles and Associated Tasks and ANM Menu Privileges, page 18-28
• Creating User Roles, page 18-29
• Duplicating a User Role, page 18-31
• Modifying User Roles, page 18-31
• Deleting User Roles, page 18-32
Guidelines for Managing User Roles
This topic includes the following guidelines:
• System Administrators can view and modify all roles.
• Organization administrator users can only see and modify the users, roles, and domains in their
organization.
• Other users can only view the user, roles, and domains assigned to them.
• User-defined roles can be created but follow strict rules about which tasks can be selected or
deselected. See the user interface for specific dependencies or the “Displaying User Roles and
Associated Tasks and ANM Menu Privileges” section on page 18-28 for role to task mapping
information.
• You must have the ability to create real servers in your role and at least one virtual context in your
domain before you can create real servers.
• You must have the ability to create virtual contexts in your role and an Admin context in your
domain before you can create virtual contexts.
• If you upgrade to ANM 2.2, any custom roles that are migrated retain their associations but have
different role definitions. We encourage you to use the ANM 2.2 predefined default roles.
Understanding Predefined Roles
You must have one of the predefined roles in the Admin context in order to use the changeto command,
which allows users to visit other contexts. Non-admin/user contexts do not have access to the changeto
command; they can only visit their home context. Context administrators, who have access to multiple
contexts, must explicitly log in to other contexts to which they have access.
The predefined roles and their default privileges are defined in Table 18-8. For information about
viewing user role details, see the “Displaying User Roles and Associated Tasks and ANM Menu
Privileges” section on page 18-28. For detailed information on RBAC, see either the Cisco Application
Control Engine Module Virtualization Configuration Guide or the Cisco 4700 Series Application
Control Engine Appliance Virtualization Configuration Guide.
Table 18-8 ANM Predefined Role Tasks
Predefined Role Description Role Tasks/Operation Privileges (1)
ACE-Admin Access to create virtual contexts and monitor threshold information.
• View Threshold
• Create Device Events
• Create Virtual Context+
ANM-Admin Access to create virtual contexts and monitor threshold information. Provides access to all features and functions.
• Create ANM System
• Create ANM User Access
• Create VM Mapping
• Create ANM Inventory+
Network-Admin Admin for L3 (IP and Routes) and L4 VIPs
• View Threshold
• Create Device Events
• Create Switch
• Create Routing
• Create Interface
• Create NAT
• Create Connection
Network-Monitor Monitoring for all features
• View ANM Inventory+
Org-Admin Access to create role-based access control and import and update device data.
• Create ANM User
• Create VM Mapping
• Create ANM Inventory+
Security-Admin Security features
• Create AAA
• Modify Interface
• Create NAT
• Create Inspect
• Create Connection
Server-Appln-Maintenance Server maintenance and L7 policy application
• View Threshold
• View VIP
• View Virtual Inservice
• Create LoadBalancer+
Server-Maintenance Server maintenance, monitoring, and debugging
• View Threshold
• View VIP+
• Modify Real Server
• Debug Probe
• Create Real Inservice
SLB-Admin Load-balancing features
• View Threshold
• Create Building Block
• Modify Interface
• Create Expert+
SSL-Admin SSL features
• Create SSL+
SSL-Cert-Key-Admin SSL certificate and key management features
• Import, generate, or delete keys
• Import or delete certificates
• Generate a certificate signing request (CSR)
• Monitor certificate expiration through the dashboard GUI and threshold modifications
VM-Mapper Virtual machine (VM) mapping feature
• Create VM to real server map
1. Where the plus sign (+) is indicated, all permissions included in this folder are included at the same privilege level, unless otherwise noted. For example, Virtual Contexts tasks consist of tasks such as AAA, Building Blocks, and so on. These tasks are depicted as columns in the Roles table.
Displaying User Role Relationships
Note Your user role determines whether you can use this option.
You can display which users are associated to specific roles.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organizations > Roles.
The Roles table appears.
Step 2 In the Roles table, choose a role and click Users.
The Users With Role window appears. From this window you can delete or duplicate a user. For
information about how roles map to users, see the “Displaying User Roles and Associated Tasks and
ANM Menu Privileges” section on page 18-28.
Related Topics
• Duplicating a User Account, page 18-20
• Managing User Roles, page 18-25
Displaying User Roles and Associated Tasks and ANM Menu Privileges
Note Your user role determines whether you can use this option.
You can view the list of predefined and user-defined roles and see how each role is configured to manage
what a user can do within ANM. Figure 18-2 shows a sample of the role information available for the
predefined ANM-Admin role. Each Role Task is assigned a privilege level (No Access, View, Modify,
Debug, or Create) that determines what displays in the Resulting Menu Items list on the right. This list
indicates which ANM GUI items the role allows a user to access.
Figure 18-2 Edit Role Window
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organizations > Roles.
The Roles table appears, displaying the list of predefined and user-defined roles. The table includes the
available role tasks and associated privilege level: No Access, View, Modify, Debug, or Create.
Step 2 To view the ANM menu items available to a specific user role, choose a user role and click the Edit icon.
The Edit Role window appears (see Figure 18-2), displaying the Role Task tree and list of Resulting
Menu Items, which is based on the privilege levels selected for each role task.
Note The information available from the Edit Role window can vary depending on the version of
ANM being used.
Step 3 (Optional) Click Cancel to return to the Roles table where you can perform the following tasks:
• Create a new role (see the “Creating User Roles” section on page 18-29).
• View the users assigned to a role (see the “Displaying User Role Relationships” section on
page 18-27).
• Modify an existing role to which you have access (see the “Modifying User Roles” section on
page 18-31).
• Duplicate any existing role to which you have access (see the “Duplicating a User Role” section on
page 18-31).
• Delete any existing role to which you have access (see the “Deleting User Roles” section on
page 18-32).
Related Topics
• Understanding Operations Privileges, page 18-6
• Managing User Roles, page 18-25
Creating User Roles
Note Your user role determines whether you can use this option.
You can edit the predefined roles, or you can create new, user-defined roles. When you create a new role,
you specify a name and description of the new role, then choose the privileges for each task. You can
also assign this role to one or more users.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Roles.
The Roles table appears.
Step 2 Click Add.
The New Role window appears.
Step 3 Enter the following attributes as shown in Table 18-9.
Step 4 Click Save.
The new role is added to the list of user roles.
Step 5 (Optional) To assign this new role to one or more users, go to Admin > Organizations > Users.
For detailed steps, see the “Modifying User Accounts” section on page 18-21.
Related Topics
• Understanding Operations Privileges, page 18-6
• Managing User Roles, page 18-25
Table 18-9 Role Attributes
Attribute Description
Name Name of the role.
Description Brief description of the role.
Role Tasks Role task tree that defines the operation privileges associated with each task. The tasks are arranged in a hierarchy of parent and subordinate tasks. Click on the + sign of a parent task to display its subordinate tasks as shown in the following example for the ANM Inventory task.
– ANM Inventory -->parent task
Threshold -->subordinate tasks
DNS Answer
UDG
Device Events
Switch
+ Virtual Context -->subordinate task that has its own set of subordinate tasks as indicated by the + sign
You assign one of the following operating privileges to each of the tasks: No Access, View, Modify, Debug, or Create. When you assign an operating privilege to a parent task, by default, the same privilege is assigned to the subordinates. You can assign a different operating privilege to the subordinates if needed; however, you can only assign an operating privilege that is greater than or equal to the operating privilege assigned to the parent task.
If you set the parent task to Modify or Debug, the Create privilege is the only privilege allowed for the subordinate tasks and, by default, is assigned to the subordinate tasks.
For more information about operating privileges, see the “Understanding Operations Privileges” section on page 18-6.
Resulting Menu Items Synchronized list of features in the form of menus that this role is able to access after setting the role task operation privileges.
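The parent/subordinate privilege rules that Table 18-9 states for the Role Tasks tree, as an added Python example (not ANM code): the default that a parent's privilege propagates to its subordinates, the Create-only default under Modify or Debug, and a check that flags any subordinate set lower than its parent. The class and function names are this example's own; the ANM Inventory task names come from Table 18-9, and the Virtual Context subordinates (AAA, Building Blocks) from the footnote to Table 18-8.

```python
"""Role task privilege rules from Table 18-9.

Added example, not ANM code. Names of the class and functions are
assumptions of this example; the privilege ladder, the propagation defaults
and the parent/subordinate rules are those stated in Table 18-9.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Operating privileges in ascending order, as listed in Table 18-9.
PRIVILEGES = ("No Access", "View", "Modify", "Debug", "Create")
RANK = {name: i for i, name in enumerate(PRIVILEGES)}


@dataclass
class RoleTask:
    """One node of the Role Task tree (parent task with subordinate tasks)."""
    name: str
    privilege: str = "No Access"
    subtasks: list[RoleTask] = field(default_factory=list)

    def find(self, name: str) -> RoleTask | None:
        """Locate a task by name anywhere below (or at) this node."""
        if self.name == name:
            return self
        for sub in self.subtasks:
            hit = sub.find(name)
            if hit is not None:
                return hit
        return None


def default_subordinate_privilege(parent_privilege: str) -> str:
    """Default a subordinate receives when its parent is set (Table 18-9):
    the same privilege, except that Modify or Debug on the parent makes
    Create the subordinates' default."""
    return "Create" if parent_privilege in ("Modify", "Debug") else parent_privilege


def set_privilege(task: RoleTask, privilege: str) -> None:
    """Assign a privilege to a task and propagate the defaults to its subordinates."""
    if privilege not in RANK:
        raise ValueError(f"unknown privilege {privilege!r}")
    task.privilege = privilege
    for sub in task.subtasks:
        set_privilege(sub, default_subordinate_privilege(privilege))


def check_privileges(task: RoleTask, path: str = "") -> list[str]:
    """Return every subordinate assignment that Table 18-9 disallows.

    A subordinate may not be lower than its parent, and under a Modify or
    Debug parent only Create is allowed.
    """
    here = f"{path}/{task.name}" if path else task.name
    problems = []
    for sub in task.subtasks:
        sub_path = f"{here}/{sub.name}"
        if RANK[sub.privilege] < RANK[task.privilege]:
            problems.append(f"{sub_path}: {sub.privilege} is lower than parent privilege {task.privilege}")
        elif task.privilege in ("Modify", "Debug") and sub.privilege != "Create":
            problems.append(f"{sub_path}: parent is {task.privilege}, so only Create is allowed")
        problems.extend(check_privileges(sub, here))
    return problems


def build_anm_inventory() -> RoleTask:
    """The ANM Inventory task tree shown in Table 18-9 (Virtual Context children per the Table 18-8 footnote)."""
    return RoleTask("ANM Inventory", subtasks=[
        RoleTask("Threshold"), RoleTask("DNS Answer"), RoleTask("UDG"),
        RoleTask("Device Events"), RoleTask("Switch"),
        RoleTask("Virtual Context", subtasks=[RoleTask("AAA"), RoleTask("Building Blocks")]),
    ])


if __name__ == "__main__":
    tree = build_anm_inventory()
    set_privilege(tree, "View")                      # everything defaults to View
    set_privilege(tree.find("Virtual Context"), "Modify")  # its subordinates default to Create
    tree.find("Switch").privilege = "No Access"      # lower than the parent: flagged
    for problem in check_privileges(tree):
        print(problem)
```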
Duplicating a User Role
Note Your user role determines whether you can use this option.
You can create a new user-defined role from an existing one.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Roles.
The Roles table appears.
Step 2 In the Roles table, choose the role you want to copy and click Duplicate.
A script popup window appears.
Step 3 At the prompt in the script popup window, enter a name for the new role.
Step 4 Click OK.
Step 5 The script popup window closes and the Roles table displays the new role.
Step 6 (Optional) To make changes to the new role’s attributes, in the Roles table, choose the role and click
Edit.
The Edit Role window appears.
Step 7 Make the required changes and click Save to save the changes.
Related Topics
• Understanding Operations Privileges, page 18-6
• Managing User Roles, page 18-25
Modifying User Roles
Note Your user role determines whether you can use this option.
You can modify any user-defined roles.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Roles.
The Roles table appears.
Step 2 Choose the role you want to modify and click Edit.
The Edit Role window appears.
Step 3 Make the required modifications.
Step 4 Click Save.
Related Topics
• Understanding Operations Privileges, page 18-6
• Managing User Roles, page 18-25
Deleting User Roles
Note Your user role determines whether you can use this option.
You can delete any user-defined roles.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Roles.
The Users table appears.
Step 2 Choose the role to delete and click Delete.
Step 3 The confirmation popup window appears.
Step 4 In the confirmation popup window, click OK to confirm the deletion.
Users that have the deleted role no longer have that access.
Related Topics
• Managing User Roles, page 18-25
Managing Domains
Network domains provide a means for organizing the devices and their components (physical and
logical) in your network and permitting access according to the way your site is organized. You can allow
access to a domain by assigning it to an organization. Examples are specific virtual contexts or specific
servers within a context.
The following sections describe how to manage domains:
• Guidelines for Managing Domains, page 18-33
• Displaying Network Domains, page 18-33
• Creating a Domain, page 18-34
• Duplicating a Domain, page 18-35
• Modifying a Domain, page 18-36
• Deleting a Domain, page 18-37
Guidelines for Managing Domains
This topic includes the following guidelines:
• Domains are logical concepts. You do not delete a member of a domain when you delete the domain.
• Domains can include supported Cisco chassis, ACE modules, ACE appliances, and CSS or CSM
devices, as well as their virtual contexts, building blocks, resource classes, and real and virtual
servers.
• Choose the Allow All setting to include current and future device objects in a domain.
• Objects must already exist in ANM. To add objects, see the “Importing Network Devices into ANM”
section on page 5-10.
• You must have the ability to create real servers in your role and at least one virtual context in your
domain before you can create real servers.
• You must have the ability to create virtual contexts in your role and an Admin context in your
domain before you can create virtual contexts.
• Domains continue to display device information even after you remove that device from ANM. This
allows the domain information to be easily reassociated if you reimport the device. The device name
must remain the same for this to work properly.
• (GSS domain objects only) ANM does not allow you to add a VIP answer to a domain if the answer
contains a space in its name.
Caution Domain objects are hierarchical. If you include a parent object in a domain, the child object is also
included even though they do not display in the Object selector tree when you add or edit domains.
For example:
– Inclusion of a Catalyst 6500 series switch includes all cards, virtual contexts, real servers and
virtual servers.
– Inclusion of an ACE 4710 includes all virtual contexts, real servers, and virtual servers.
– Inclusion of a virtual context, CSM module or CSS device includes all associated objects.
Related Topics
• Creating a Domain, page 18-34
• Modifying a Domain, page 18-36
• Displaying Network Domains, page 18-33
• Duplicating a Domain, page 18-35
• Deleting a Domain, page 18-37
Displaying Network Domains
Note Your user role determines whether you can use this option.
You can display the network domains and a domain’s attributes.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Domains.
The Domains table appears.
Step 2 Expand the table until you can see all the network domains.
Step 3 Choose a domain from the Domains table to view and click Edit.
The Edit Domains window appears, displaying the domain’s attributes.
Related Topics
• Managing Domains, page 18-32
• Guidelines for Managing Domains, page 18-33
• Creating a Domain, page 18-34
• Duplicating a Domain, page 18-35
• Modifying a Domain, page 18-36
• Deleting a Domain, page 18-37
Creating a Domain
Note Your user role determines whether you can use this option.
You can create a new domain.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Domains.
The Domains table appears.
Step 2 Click Add.
Step 3 Define the domain attributes as described in Table 18-10.
Table 18-10 Domain Attributes
Field Description
Name Name of the domain.
Description Description of the domain.
Allow All Check box that enables all objects within this domain (current and future objects). If this check box is left
unchecked, the Objects tree displays.
Objects Collection of objects that comprise this domain. Choose an object name and use the arrows to move it from
the available to selected column.
For example, selecting a virtual context selects all real servers within that virtual context, or selecting a
chassis selects the virtual contexts on that chassis. The interface does not explicitly display this in the table,
but the objects are, in fact, selected.
Note When you add objects such as real servers to a domain on an ACE that has an HA peer, ANM
automatically adds the redundant objects from the HA peer to the list of selected objects.
See the “Guidelines for Managing Domains” section on page 18-33 for domain rules about creating virtual
contexts and real servers.
Step 4 Click Save.
The Domains Edit window updates and displays the total object number next to the object name.
Related Topics
• Managing Domains, page 18-32
• Guidelines for Managing Domains, page 18-33
• Displaying Network Domains, page 18-33
• Creating a Domain, page 18-34
• Duplicating a Domain, page 18-35
• Modifying a Domain, page 18-36
• Deleting a Domain, page 18-37
Duplicating a Domain
Note Your user role determines whether you can use this option.
You can create a new domain from an existing one.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Domains.
The Domains table appears.
Step 2 Choose the domain to copy and click Duplicate.
Step 3 A script popup window appears.
Step 4 At the prompt in the script popup window, enter a name for the new domain and click OK.
The script popup window closes and the Domains table displays the new domain.
Step 5 Click Save.
Related Topics
• Managing Domains, page 18-32
• Guidelines for Managing Domains, page 18-33
• Displaying Network Domains, page 18-33
• Creating a Domain, page 18-34
• Modifying a Domain, page 18-36
• Deleting a Domain, page 18-37
Modifying a Domain
Note Your user role determines whether you can use this option.
You can modify the settings in a domain.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Domains.
The Domains table appears.
Step 2 In the Domains table, choose the domain you want to change and click Edit.
The Edit Domains window appears.
Step 3 In the Edit Domains window, modify the domain settings.
For detailed domain attribute descriptions, see Table 18-10 on page 18-34.
Step 4 Click Save.
Related Topics
• Managing Domains, page 18-32
• Guidelines for Managing Domains, page 18-33
• Displaying Network Domains, page 18-33
• Creating a Domain, page 18-34
• Duplicating a Domain, page 18-35
• Deleting a Domain, page 18-37
Deleting a Domain
Note Your user role determines whether you can use this option.
You can delete a network domain from the system. Objects associated with that domain are not deleted
when you delete the domain.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Organization > Domains.
The Domains table appears.
Step 2 In the Domains table, choose the domain to delete and click Delete.
The confirmation popup window appears.
Step 3 In the confirmation popup window, click OK.
The domain is removed from the ANM database.
Related Topics
• Managing Domains, page 18-32
• Guidelines for Managing Domains, page 18-33
• Displaying Network Domains, page 18-33
• Creating a Domain, page 18-34
• Duplicating a Domain, page 18-35
• Modifying a Domain, page 18-36
Using an AAA Server for Remote User Authentication and Authorization
ANM allows you to centrally control user authentication and authorization. User authentication, which
manages access to ANM, can be performed locally using a database that resides in ANM or remotely
using a database that resides on an AAA server, such as an Active Directory (AD) server using LDAPS,
RADIUS, or TACACS+. In ANM, you can configure authentication for your users by specifying which
AAA servers are used for specific users. You configure authentication through organizations. An
organization allows you to configure your AAA server lookup for your users and then associate specific
users, roles, and domains with those organizations.
User authorization, which manages access to different ANM functionality, can also be performed locally
using a database that resides in ANM or remotely using a database that resides on a TACACS+ server.
ANM supports the use of a TACACS+ server only for remote authorization.
The information provided in this section is intended as a guide to help you ensure proper communication
with the AAA server and ANM operating as the AAA client. For details about configuring the Cisco
Secure ACS, Active Directory, or another AAA server, see the documentation that is provided with the
software.
This section includes the following topics:
• Information About Using AD/LDAPS for Remote User Authentication, page 18-38
• Configuring Remote User Authentication Using a TACACS+ Server, page 18-39
• Configuring Remote User Authorization Using a TACACS+ Server, page 18-45
Information About Using AD/LDAPS for Remote User Authentication
This section describes how ANM uses AD/LDAPS for remote user authentication. ANM performs the
following steps to authenticate and authorize a user when configured to use AD/LDAPS for user
authentication:
1. ANM verifies that the user organization exists locally on the ANM database. ANM makes this
determination based on the part of the user login name that follows the @ character.
2. ANM uses the configured AD server to authenticate the user.
3. ANM authorizes the user locally. ANM verifies that the user’s name is associated with one of the
defined roles in the Roles table (Admin > Role-Based Access Control > Organization > Roles).
After ANM completes these three steps, the user is permitted access according to their account settings
in the Roles table and Domains table (Admin > Role-Based Access Control > Organization > Domains).
If any of the authentication and authorization checks fail, ANM logs the error in the audit log (Admin >
ANM Management > ANM Change Audit Log).
One of the following error messages is displayed, depending on which step fails:
• If Step 1 fails, the message is as follows:
User authentication failed: Organization does not exist.
• If Step 2 fails, the message is as follows:
User authentication failed: ... , reason=User password check failed - error code XXX - .
This message means that the AD server rejected the user. The possible error codes and their
descriptions are as follows:
– 525—User is not found
– 52e—User credentials are invalid
– 530—User is not permitted to log on at this time
– 531—User is not permitted to log on from this workstation
– 532—Password has expired
– 533—Account is disabled
– 701—Account has expired
– 773—User must reset their password
– 775—Account is locked out
• If Step 3 fails, the message is as follows:
User authorization failed: User is not defined in the organization.
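The three failure messages above are what an administrator sees in the ANM Change Audit Log. The following is an added example (not ANM code) that classifies such messages by the step that failed, maps the AD error codes listed above to their meanings, and flags locked or disabled accounts and logins with repeated credential failures; the timestamp/login/message line layout and the sample lines are constructed for the example, since the guide does not specify the audit log's on-disk format.

```python
import re
from collections import Counter

# AD error codes and meanings exactly as listed in the guide above.
AD_ERROR_CODES = {
    "525": "User is not found",
    "52e": "User credentials are invalid",
    "530": "User is not permitted to log on at this time",
    "531": "User is not permitted to log on from this workstation",
    "532": "Password has expired",
    "533": "Account is disabled",
    "701": "Account has expired",
    "773": "User must reset their password",
    "775": "Account is locked out",
}

# The three failure messages the guide lists, one per authentication step.
ORG_MISSING = "User authentication failed: Organization does not exist"
AD_REJECTED = re.compile(
    r"User authentication failed: .*reason=User password check failed"
    r" - error code (?P<code>[0-9a-fA-F]{3}) -")
NOT_AUTHORIZED = "User authorization failed: User is not defined in the organization"

# Constructed line layout (an assumption, not ANM's real audit-log format):
# "<timestamp> <login> <message>", where login is user@organization.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<login>\S+@\S+) (?P<message>.*)$")


def classify(message):
    """Return (step, detail) for one audit message: step 1, 2 or 3 as
    numbered in the guide, or (None, None) for anything else."""
    if ORG_MISSING in message:
        return 1, "organization does not exist in the ANM database"
    m = AD_REJECTED.search(message)
    if m:
        code = m.group("code").lower()
        return 2, AD_ERROR_CODES.get(code, "unknown AD error code " + code)
    if NOT_AUTHORIZED in message:
        return 3, "user not mapped to a role in the organization"
    return None, None


def summarize(lines, threshold=3):
    """Count failures by step and by login, record accounts the AD server
    reports as disabled or locked out, and list logins whose credential
    check (code 52e) failed at least `threshold` times."""
    by_step, by_login, bad_creds = Counter(), Counter(), Counter()
    account_state = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # not in the constructed layout; skip
        login, message = m.group("login"), m.group("message")
        step, detail = classify(message)
        if step is None:
            continue            # successful login or unrelated event
        by_step[step] += 1
        by_login[login] += 1
        if step == 2:
            if detail == AD_ERROR_CODES["52e"]:
                bad_creds[login] += 1
            elif detail in (AD_ERROR_CODES["533"], AD_ERROR_CODES["775"]):
                account_state[login] = detail
    return {
        "by_step": dict(by_step),
        "by_login": dict(by_login),
        "account_state": account_state,
        "repeated_bad_credentials": sorted(
            login for login, n in bad_creds.items() if n >= threshold),
    }


# Constructed sample lines (not real ANM output); the messages follow the
# wording given in the guide.
SAMPLE_LINES = [
    "2012-03-01T09:00:01 alice@corp User authentication failed: Organization does not exist.",
    "2012-03-01T09:00:05 bob@sales User authentication failed: bob@sales, reason=User password check failed - error code 52e - .",
    "2012-03-01T09:00:09 bob@sales User authentication failed: bob@sales, reason=User password check failed - error code 52e - .",
    "2012-03-01T09:00:14 bob@sales User authentication failed: bob@sales, reason=User password check failed - error code 52e - .",
    "2012-03-01T09:00:20 bob@sales User authentication failed: bob@sales, reason=User password check failed - error code 775 - .",
    "2012-03-01T09:01:00 carol@sales User authorization failed: User is not defined in the organization.",
    "2012-03-01T09:02:00 dave@sales User dave@sales logged in.",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(key, value)
```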
Configuring Remote User Authentication Using a TACACS+ Server
This section describes how to configure ANM and a TACACS+ server for remote user authentication.
Note For background information about configuring an AAA server, see the “Configuring Authentication and
Accounting Services” chapter of either the Cisco ACE Module Security Configuration Guide or Cisco
ACE 4700 Series Appliance Security Configuration Guide on www.cisco.com.
Assumptions
This topic assumes the following:
• For purposes of this example, assume usage of a Cisco Secure ACS version 4.1 server.
• Your user role determines whether you can perform the procedures outlined in this section.
• Administrative login rights are required to access the Cisco Secure ACS HTML interface.
Table 18-11 provides a high-level overview of the steps required to authenticate ANM users with a
TACACS+ server.
Table 18-11 Authenticating ANM Users with a TACACS+ Server
Task Procedure
Step 1 Create an organization and define the remote TACACS+ server used (ANM)
Note Your user role determines whether you can use this option.
Remote authentication servers are defined in ANM as organizations. A single
server can be used in multiple organizations. To configure authentication for
your users by creating an organization and defining TACACS+ as the method of
authentication, do the following:
a. Choose Admin > Role-Based Access Control > All Organizations. The
Organizations window appears.
b. Click Add.
c. Enter the name of the new organization and notes if required.
d. Click Save.
e. Choose the new organization and click Edit.
f. Enter the attributes as described in Table 18-2. Certain attributes appear
when you choose specific options. Include the following organization
attributes to authenticate ANM users with a TACACS+ server:
– Organization name
– TACACS+ as authentication method
– IP address of TACACS+ server
– Authentication port number
– Authentication secret
g. Click Save.
See the “Adding a New Organization” section on page 18-10 for details about
this procedure.
Step 2 Create a role for RBAC (ANM)
Note Your user role determines whether you can use this option.
You can edit the predefined roles or you can create user-defined roles. When you
create a role, you specify a name and description of the new role, and then
choose the privileges for each task. You can also assign this role to one or more
users.
Do the following:
a. Choose Admin > Role-Based Access Control > Organization > Roles.
The Roles table appears.
b. Click Add. The New Role form appears.
c. Enter the attributes as described in Table 18-9.
d. Click Save. The new role is added to the list of user roles.
See the “Creating User Roles” section on page 18-29 for details on this
procedure.
Step 3 Create a domain for an RBAC user (ANM)
Note Your user role determines whether you can use this option.
A domain defines which objects the RBAC user has access to. The assigned role defines which
actions that user can perform on those objects.
To configure a domain for an RBAC user, do the following:
a. Choose Admin > Role-Based Access Control > Organization > Domains.
The Domains table appears.
b. In the Domains table, click Add.
c. For the new domain, enter the attributes as described in Table 18-10.
Note If you check the Allow All checkbox, this selection enables all
objects within this domain (current and future objects). If you leave
this check box unchecked, the Objects tree displays. To allow a user
to have access to the entire context, highlight the Virtual Contexts
folder in the Objects tree, locate the specific user context, and then
click the arrow to send it to the Selected box. The context name
format is ::
d. Click Save when all the objects that you want to allow access to are listed
in the Selected box.
See the “Creating a Domain” section on page 18-34 for details on this
procedure.
Step 4 Create an organization user (ANM)
Note Your user role determines whether you can use this option.
Organization users are users who work for the customer of a service provider or AAA server that
segments your users, and to whom you want to grant access to ANM.
Do the following:
a. Choose Admin > Role-Based Access Control > Organization > Users.
The Users window appears.
b. In the Users window, click Add.
c. Enter the attributes as described in Table 18-5. Include the following
organization user attributes:
– Login name
– Predefined role
– Domains to which this user belongs
d. Click Save. The Users table appears.
See the “Creating User Accounts” section on page 18-19 for details on this
procedure.
Step 5 Access the AAA server (Cisco Secure ACS server)
Note Administrative login rights are required to access the Cisco Secure ACS
HTML interface.
To access the Cisco Secure ACS HTML interface, do the following:
a. Open a web browser for the URL of the Cisco Secure ACS HTML interface.
b. In the Username box, type a valid Cisco Secure ACS administrator name.
c. In the Password box, type the password for the administrator name that you
specified.
d. Click Login. The Cisco Secure ACS HTML interface appears.
For details on configuring the Cisco Secure ACS HTML server, see the
documentation that is provided with the software.
Step 6 Create a network device group (Cisco Secure ACS Server)
To create a group of TACACS+ clients and servers on the Cisco Secure ACS
HTML server, do the following:
a. Go to the Network Configuration section of the Cisco Secure ACS HTML
interface.
b. In the navigation bar, click the Network Configuration button. The
Network Configuration page appears in the Cisco Secure ACS HTML
interface.
c. Under the Network Device Groups table, click the Add Entry button to
create a new group of TACACS+ clients and servers. Type the name of the
new group (for example ANM).
d. Click Submit.
For details on configuring the Cisco Secure ACS HTML server, see the
documentation that is provided with the software.
Step 7 Specify the AAA client setup for ANM (Cisco Secure ACS Server)
To define the AAA client setup for ANM on the Cisco Secure ACS HTML
server, do the following:
a. Click Add Entry below the AAA Clients table. The Add AAA Client
window appears.
b. In the Add AAA Client window, specify the following attributes:
– AAA Client IP Address—Client IP address of ANM that will be used
for communicating with the TACACS+ server
– Shared Secret—Shared secret specified on ANM
– Network Device Group—ANM
– Authenticate Using—TACACS+ (Cisco IOS)
Note The TACACS+ (Cisco IOS) drop-down item specifies the Cisco
TACACS+ authentication function. This selection activates the
TACACS+ option when using Cisco Systems access servers,
routers, and firewalls that support the TACACS+ authentication
protocol, including support for ANM as well.
c. Click Submit + Apply.
For details on configuring the Cisco Secure ACS HTML server, see the
documentation that is provided with the software.
Step 8 Specify the AAA server setup (Cisco Secure ACS Server)
To define the AAA server setup for ANM on the Cisco Secure ACS HTML
server, do the following:
a. Click Add Entry below the AAA Servers table. The Add AAA Servers
window appears.
b. In the Add AAA Servers window, specify the following attributes:
– AAA Server IP Address—IP address of the TACACS+ server
– Key—Shared secret specified on ANM
– Log Update/Watchdog Packets from This Remote AAA
Server—Enabled
– Network Device Group—ANM
– AAA Server Type—TACACS+
– Traffic Type—Inbound/Outbound
c. Click Submit + Apply.
For details on configuring the Cisco Secure ACS HTML server, see the
documentation that is provided with the software.
Step 9 Create the ANM user on the TACACS+ server (Cisco Secure ACS Server)
To create the ANM user on the Cisco Secure ACS HTML server, do the
following:
a. Click the User Setup button. The User Setup window appears.
b. In the User text box of the User Setup window, enter the user name of the
organization user that you created in ANM (see Step 4, the Create an
organization user task).
c. Click the Add/Edit button.
d. Specify the following user attributes:
– Real Name—Real name of the ANM user.
– Description—Brief description of the user for the administrator.
– Password Authentication—ACS Internal Database.
– Password—Password for this user account. Enter this password a
second time in the Confirm Password text box.
For details on configuring the Cisco Secure ACS HTML server, see the
documentation that is provided with the software.
Step 10 Log in to ANM using the newly created account
To test the new login credentials for user authentication, do the following:
a. Log in to ANM by entering the new user account in the ANM login window.
Enter the username using the following format:
@.
b. Click Login. Authentication occurs between ANM and the TACACS+
server (see Figure 18-3). All authentication transactions are performed by
the TACACS+ authentication service associated with the user's
organization.
c. ANM appears with the virtual contexts that you included as part of the
domain for the RBAC user in Step 3 (the Create a domain for an RBAC user
task).
Figure 18-3 Example of Authentication Communication Between ANM and a TACACS+ Server
Related Topics
• Controlling Access to Cisco ANM, page 18-3
• How ANM Handles Role-Based Access Control, page 18-8
• Configuring Remote User Authorization Using a TACACS+ Server, page 18-45
Configuring Remote User Authorization Using a TACACS+ Server
You can configure a TACACS+ server to perform remote authorization of ANM users by configuring the
authorization settings on the AAA server, which include a unique ANM identifier, user role, and domain
information. After you configure the TACACS+ server and ANM for remote authorization, when ANM
authorizes a user, it sends an authorization request to the TACACS+ server, which returns the names
of the role and domains that are assigned to the user and defined on ANM.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• You can configure ANM remote authorization on a TACACS+ server only. This feature is not
available for AD/LDAPS or RADIUS.
• Cisco has approved the use of Cisco Secure Access Control System (ACS) only for remote
authorization (Cisco has not approved the use of other TACACS+ servers for this purpose). The
Cisco Secure ACS can accept an authorization request and send the following attribute in the
response:
ANM_UniqueID=RoleNameDomain1Domain2 . . .
ANM/IP should be used as the TACACS_Service/TACACS_Protocol pair for an authorization
request and response.
• You configure the user authorization attributes on the TACACS+ server using the following format:
ANM_UniqueID=RoleNameDomain1Domain2 . . .
The number of characters allowed for the ANM identifier, role, and domain information is limited
to 160 characters, including spaces. You can use additional characters by adding a new ANM Unique
ID entry for domain attributes as follows:
ANM_UniqueID_1=RoleNameDomain1Domain2
ANM_UniqueID_2=Domain3Domain4
ANM_UniqueID_3=Domain5
You must assign a different ANM identifier to each entry. Make sure that you configure the ANM
organization with each ANM unique ID (see the “Adding a New Organization” section on
page 18-10).
• You can define user authorization at the user level, user group level, or both. We recommend
configuring authorization at the user group level, which allows you to assign a common set of
authorization attributes to multiple users. When you configure the authorization attributes at both
the user level and user group level, the user attributes take precedence over user group attributes.
The procedure in this section includes all three configuration options.
• You can configure ANM to revert to local user authorization if the TACACS+ server becomes
unavailable (see the “Adding a New Organization” section on page 18-10).
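The guidelines above, and the ACS 5.1 Step 5 and ACS 4.2 Step 3 procedures later in this section, describe the ANM_UniqueID name/value pairs, the per-entry length limit, the spill-over into additional unique ID entries, and the precedence of user-level over group-level attributes. The following added example (not ANM or Cisco Secure ACS code) packs a role and domain list into such entries, parses them back, and applies the precedence and "defined on ANM" checks. It assumes the organization's unique IDs are an ordered list whose first entry carries the role followed by domains and whose later entries carry domains only, with space-separated tokens as in the ANM=Role1 Domain1 Domain2 Domain6 example.

```python
MAX_LINE_ACS_4_2 = 160   # per-entry limit the guide quotes for ACS 4.2
MAX_LINE_ACS_5_1 = 254   # per-entry limit the guide quotes for ACS 5.1


def pack_attributes(unique_ids, role, domains, max_len=MAX_LINE_ACS_4_2):
    """Split a role and its domains into name=value entries, one per
    unique ID, so that no "name=value" entry exceeds max_len characters.
    Raises ValueError when the configured IDs cannot hold the whole list."""
    ids = list(unique_ids)
    if not ids:
        raise ValueError("at least one ANM unique ID is required")
    entries = {}
    name, tokens = ids.pop(0), [role]          # assumption: role goes first
    if len(name) + 1 + len(role) > max_len:
        raise ValueError("role name does not fit in entry %s" % name)
    for domain in domains:
        if len(name) + 1 + len(" ".join(tokens + [domain])) > max_len:
            entries[name] = " ".join(tokens)    # close the full entry
            if not ids:
                raise ValueError("domain list exceeds the configured unique IDs")
            name, tokens = ids.pop(0), []       # assumption: domains only
            if len(name) + 1 + len(domain) > max_len:
                raise ValueError("domain %r alone exceeds %d characters"
                                 % (domain, max_len))
        tokens.append(domain)
    entries[name] = " ".join(tokens)
    return entries


def parse_attributes(attrs, unique_ids):
    """Reverse of pack_attributes: read the entries carried in a TACACS+
    authorization response and return (role, domains). A missing first
    entry yields (None, [])."""
    first = attrs.get(unique_ids[0], "").split()
    if not first:
        return None, []
    role, domains = first[0], first[1:]
    for name in unique_ids[1:]:
        domains.extend(attrs.get(name, "").split())
    return role, domains


def resolve_authorization(user_attrs, group_attrs, unique_ids,
                          known_roles, known_domains):
    """Merge group-level and user-level entries (an entry set at the user
    level replaces the group entry of the same name: an assumed reading of
    the precedence rule), then keep only the role and domain names that are
    defined on ANM. Returns (None, []) when the role is not defined, which
    is the case in which authorization fails."""
    merged = dict(group_attrs)
    merged.update(user_attrs)
    role, domains = parse_attributes(merged, unique_ids)
    if role not in known_roles:
        return None, []
    return role, [d for d in domains if d in known_domains]


if __name__ == "__main__":
    ids = ["ANM", "ANM_1", "ANM_2"]
    # A small max_len forces the spill-over into ANM_1 for demonstration.
    entries = pack_attributes(ids, "Role1", ["Domain1", "Domain2", "Domain6"],
                              max_len=30)
    for name, value in entries.items():
        print("%s=%s" % (name, value))
    print(resolve_authorization({}, entries, ids, {"Role1"},
                                {"Domain1", "Domain2", "Domain6"}))
```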
Prerequisites
ANM has a user organization that is configured for remote authorization (see the “Adding a New
Organization” section on page 18-10).
This section includes the following topics:
• Configuring Remote User Authorization Using Cisco Secure ACS Version 5.1, page 18-46
• Configuring Remote User Authorization Using Cisco Secure ACS Version 4.2, page 18-48
Configuring Remote User Authorization Using Cisco Secure ACS Version 5.1
You can use Cisco Secure ACS Version 5.1 for configuring a remote server to perform remote
authorization of ANM users.
Note This procedure describes only the ANM-specific attributes for creating user groups and users on Cisco
Secure ACS. For information about configuring the other attributes, see the User Guide for Cisco Secure
Access Control Server located on Cisco.com.
Procedure
Step 1 From the Cisco Secure ACS HTML GUI, create a new Device Type to identify requests coming from the
ANM server.
Do the following:
a. From the sidebar menu, choose Network Device Groups > Device Type. The Device Group
General window appears.
b. In the Name field, enter ANM.
c. (Optional) In the Description Field, enter a description. For example, ANM Server.
d. In the Parent field, select All Device Types.
e. Click Submit.
Step 2 From the sidebar menu, choose Network Device Groups > Network Devices and AAA Clients to add
a device. The Network Devices and AAA Clients window appears.
Do the following:
a. In the Name field, enter ANM.
b. From the Network Device Groups pane, do the following:
– In the Location field, select All Locations.
– In the Device Type field, select All device Types:ANM, which is the device type that you
created in Step 1.
c. From the IP Address pane, do the following:
– Choose the IP Range(s) radio button.
– From the IP and Mask fields, enter the IP address and Mask to use and click Add to add the
values to the IP/Mask table.
d. From the Authentication Options pane, check the TACACS+ check box.
e. Click Submit.
Step 3 From the sidebar menu, choose Users and Identity Stores > Identity Groups to create an Identity
Group, which will be used later to map users to a specific role. The Identity Groups General window
appears.
Do the following:
a. In the Name field, enter a name for the group. For example, ACE-Admin.
b. (Optional) In the Description field, enter a description for the group. For example, ACE devices
admin.
c. In the Parent field, select ALL Groups:ANM-Groups.
d. Click Submit. The Identity Groups window appears.
e. From the Identity Groups window, drill down and check the check box of an organization
division/role to associate with the group. For example, check the ACE-Groups check box (All
Groups > ANM-Groups > ACE-Admin).
f. Click Create.
g. Repeat Step 3 for every Identity Group that you need to create.
Step 4 From the sidebar menu, choose Users and Identity Stores > Internal Identity Stores > Users to create
a user. The Users General window appears.
Do the following:
a. In the Name field, enter a user name.
b. From the Status drop-down list, set the status for the user account. For example, Enabled.
c. (Optional) In the Description field, enter a description for the user account.
d. In the Identity Group field, select one of the groups created in Step 3 to associate with the user.
e. Click Submit.
Step 5 From the sidebar menu, choose Policy Elements > Authorization and Permissions > Device
Administration > Shell Profiles to create a shell profile for each Identity Group that you created in
Step 3. The shell is used to pass the user’s role and domain list to the ANM server. The Shell Profiles
window appears.
Do the following:
a. Click the Custom Attributes tab.
b. From the Attribute field, enter the attribute name, which is the ANM unique ID that you configured
in the ANM organization on ANM. The ANM unique ID is followed by the role and domain names
as a name/value pair (NV Pair) using the following format:
ANM_UniqueID=RoleNameDomain1Domain2 . . .
For example:
ANM=Role1 Domain1 Domain2 Domain6
The ANM_UniqueID variable must match the ANM unique ID that you configured in the ANM
organization on ANM (see the “Adding a New Organization” section on page 18-10). This line
cannot exceed 254 characters. If you need to use more than 254 characters, add another ANM
Unique ID entry to specify the domains associated with the role specified in the first entry (for
details, see the Guidelines and Restrictions associated with this topic).
c. Click Add. The attribute name is added to the Manually Entered pane.
d. Click Submit.
Related Topics
• Managing User Roles, page 18-25
• Managing Domains, page 18-32
• Adding a New Organization, page 18-10
• Using an AAA Server for Remote User Authentication and Authorization, page 18-38
• Configuring Remote User Authorization Using Cisco Secure ACS Version 4.2, page 18-48
Configuring Remote User Authorization Using Cisco Secure ACS Version 4.2
You can use Cisco Secure ACS Version 4.2 for configuring a remote server to perform remote
authorization of ANM users.
Note This procedure describes only the ANM-specific attributes for creating user groups and users on Cisco
Secure ACS. For information about configuring the other attributes, see the User Guide for Cisco Secure
Access Control Server located on Cisco.com.
Procedure
Step 1 From the Cisco Secure ACS HTML GUI, configure the interface as follows:
a. From the side menu bar, click Interface Configuration.
The Interface Configuration window appears.
b. From the Advanced Options pane of the Interface Configuration window, check the Per-user
TACACS+/RADIUS Attributes check box and click Submit.
c. From the New Services pane of the Interface Configuration window, check the Service and Protocol
check boxes and add a new service as follows:
– In the Service text box, enter ANM.
– In the Protocol text box, enter IP.
d. Click Submit.
Step 2 Do one of the following:
• Configure a user group for the users that you create—Go to Step 3.
• Configure a user only—Skip to Step 4.
Step 3 To configure a user group, do the following:
a. From the side menu bar, click Group Setup.
The Group Setup window appears.
b. From the Group Setup window, create a user group and set the following ANM attributes:
– Check the ANM IP service check box.
– Check the Custom attributes check box and enter the ANM unique identifier followed by the
role and domain names as a name/value pair (NV Pair) in the Custom Attributes pane using the
following format:
ANM_UniqueID=RoleName Domain1 Domain2 . . .
For example:
ANM=Role1 Domain1 Domain2 Domain6
The ANM_UniqueID variable must match the ANM unique ID that you configured in the ANM
organization on ANM (see the “Adding a New Organization” section on page 18-10). This line
cannot exceed 160 characters. If you need to use more than 160 characters, add another ANM
Unique ID entry to specify the domains associated with the role specified in the first entry (for
details, see the Guidelines and Restrictions associated with this topic).
c. Click Submit.
The user group is now ready for adding users (go to Step 4).
Step 4 Create a user as follows:
a. From the side menu bar, click User Setup.
The User Setup window appears.
b. To assign the user to the user group that you created in Step 3, from the User Setup window, choose
the group from the following drop-down list: Group to which the user is assigned.
Skip this step if the user is not to be included in a user group.
c. Configure the ANM-specific attributes. Perform this step for either of the following reasons;
otherwise, skip this step:
– The user is not to be included in a user group.
– The user is included in a user group but requires different authorization attributes (user
attributes have precedence over user group attributes).
To configure the ANM-specific attributes, from the User Setup window, do the following:
– Check the ANM IP service check box.
– Check the Custom attributes check box, and enter the ANM unique ID and role and domain names
as an NV Pair in the Custom Attributes pane using the following format:
ANM_UniqueID=RoleName Domain1 Domain2 . . .
For example:
ANM=Role1 Domain1 Domain2 Domain6
The ANM_UniqueID variable must match the ANM Unique ID that you configured in the ANM
organization (see the “Adding a New Organization” section on page 18-10). This line cannot
exceed 160 characters. If you need to use more than 160 characters, add another ANM Unique
ID entry to specify the domains associated with the role (for details, see this topic’s Guidelines
and Restrictions).
d. Click Submit.
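The NV-pair format used in Step 3 and Step 4 is easy to get wrong by hand: a line is limited to 160 characters on ACS 4.2 (254 on ACS 5.1, as described earlier in this chapter), and a long domain list must be split across further entries that repeat the unique ID and role. The following added example (not Cisco's code) builds such entries within a given limit and parses them back, ignoring entries that carry a different unique ID so that an attribute meant for another ANM organization grants nothing here. The helper names, the unique ID "ANM", and the Role1/DomainNN names are assumptions for illustration.

```python
"""Build and parse the ANM custom attribute that Cisco Secure ACS returns to ANM.

Added example; this is not Cisco's code. The format follows the guide:

    ANM_UniqueID=RoleName Domain1 Domain2 ...

One line may not exceed 160 characters on ACS 4.2 (254 on ACS 5.1); further
domains go into another entry that repeats the unique ID and role. The helper
names, the unique ID "ANM" and the Role1/DomainNN names are assumptions.
"""
from typing import List, Tuple

ACS_42_LIMIT = 160   # per-line limit stated for Cisco Secure ACS 4.2
ACS_51_LIMIT = 254   # per-line limit stated for Cisco Secure ACS 5.1


def _check_token(tok: str) -> None:
    # Tokens are whitespace-separated and the first "=" splits ID from value,
    # so neither character may appear inside an ID, role or domain name.
    if not tok or "=" in tok or any(c.isspace() for c in tok):
        raise ValueError(f"invalid token: {tok!r}")


def build_entries(unique_id: str, role: str, domains: List[str],
                  limit: int = ACS_42_LIMIT) -> List[str]:
    """Return the NV-pair lines for one role, splitting the domain list so
    that no line exceeds `limit` characters."""
    for tok in (unique_id, role, *domains):
        _check_token(tok)
    prefix = f"{unique_id}={role}"
    if len(prefix) > limit:
        raise ValueError("unique ID and role alone exceed the line limit")
    entries: List[str] = []
    current = prefix
    for dom in domains:
        candidate = f"{current} {dom}"
        if len(candidate) > limit:
            if current == prefix:      # a single domain that never fits
                raise ValueError(f"domain {dom!r} does not fit on one line")
            entries.append(current)    # close this line, start a new entry
            candidate = f"{prefix} {dom}"
            if len(candidate) > limit:
                raise ValueError(f"domain {dom!r} does not fit on one line")
        current = candidate
    entries.append(current)
    return entries


def parse_entries(entries: List[str], expected_id: str) -> Tuple[str, List[str]]:
    """Merge the entries that carry `expected_id` into (role, domains).

    Entries for a different unique ID belong to another ANM organization and
    are ignored rather than granted. Entries that name a different role for
    the same ID are rejected: the guide says additional entries only add
    domains to the role named in the first one.
    """
    role = None
    domains: List[str] = []
    for line in entries:
        if len(line) > ACS_51_LIMIT:
            raise ValueError("entry longer than any supported ACS line limit")
        uid, sep, value = line.partition("=")
        if not sep or uid != expected_id:
            continue
        fields = value.split()
        if not fields:
            raise ValueError(f"entry for {expected_id!r} names no role")
        if role is None:
            role = fields[0]
        elif fields[0] != role:
            raise ValueError(f"conflicting roles {role!r} and {fields[0]!r}")
        for dom in fields[1:]:
            if dom not in domains:
                domains.append(dom)
    if role is None:
        raise ValueError(f"no entry for unique ID {expected_id!r}")
    return role, domains


if __name__ == "__main__":
    print(build_entries("ANM", "Role1", ["Domain1", "Domain2", "Domain6"]))
    many = [f"Domain{i:02d}" for i in range(40)]   # constructed domain names
    for lim in (ACS_42_LIMIT, ACS_51_LIMIT):
        lines = build_entries("ANM", "Role1", many, lim)
        print(lim, len(lines), [len(l) for l in lines])
        print(parse_entries(lines + ["OTHER=Admin DomainX"], "ANM") == ("Role1", many))
```

With the guide's own example the builder returns the single line ANM=Role1 Domain1 Domain2 Domain6; with 40 eight-character domain names it needs three entries under the ACS 4.2 limit and two under the ACS 5.1 limit, and the parser reassembles the full list while dropping the entry for unique ID OTHER.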
Related Topics
• Managing User Roles, page 18-25
• Managing Domains, page 18-32
• Adding a New Organization, page 18-10
• Using an AAA Server for Remote User Authentication and Authorization, page 18-38
• Configuring Remote User Authorization Using Cisco Secure ACS Version 5.1, page 18-46
Disabling the ANM Login Window Change Password Feature
When you log into ANM from the login window, you have the option to change your password at that
time. This feature is enabled by default; however, you can disable it by modifying the ANM
cs-config.properties file. When disabled, the login window no longer displays the Change Password
hyperlink.
Procedure
Step 1 Disable the Change Password option on the ANM login window as follows:
• ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and change the
state of the following line from true to false:
changeANMPassword.enable=false
• ANM Virtual Appliance—Enter the following command:
anm-property set changeANMPassword.enable false
Step 2 Restart ANM as follows:
• ANM Server—Enter the following command:
/opt/CSCOanm/bin/anm-tool restart
• ANM Virtual Appliance—Enter the following command:
anm-tool restart
Related Topics
• Logging In To the Cisco Application Networking Manager, page 1-5
• Changing Your Account Password, page 1-6
Managing ANM
When you choose Admin > ANM Management, you can display the following information:
• ANM—Allows you to check the status of your ANM server. See the “Checking the Status of the
ANM Server” section on page 18-52.
• License Management—Displays the ANM license information. See the “Using ANM License
Manager to Manage ANM Server or Demo Licenses” section on page 18-54.
• Statistics—Displays the ANM server statistics. See the “Displaying ANM Server Statistics” section
on page 18-56.
• Statistics Collection—Allows you to enable or disable ANM server statistic collection. See the
“Configuring ANM Statistics Collection” section on page 18-57.
• Audit Log Settings—Allows you to determine how long audit log records are kept. See the
“Configuring Audit Log Settings” section on page 18-58.
• Change Audit Log—Displays ANM server logs. See the “Displaying Change Audit Logs” section
on page 18-61.
• Auto Sync Settings—Allows ANM to automatically sync with the ACE CLI when it detects out of
band changes between itself and the ACE. See the “Configuring Auto Sync Settings” section on
page 18-61.
• Advanced Settings—Allows you to set the following advanced settings for ANM:
– Enable or disable overwrite of the ACE logging device-id while setting up syslog for autosync
using Config > Devices > Setup Syslog for Autosync.
– Enable or disable write memory on a Config > Operations configuration.
– Enable features for displaying details about real or virtual servers.
– Enable mobile notifications from ANM.
– Hide syslog buffer details in the Dashboard pane Top 10 Current Resources.
– Display all virtual servers that have class-map and policy-map definitions in the monitoring and
operations windows.
See the “Configuring Advanced Settings” section on page 18-62.
• Virtual Center Plugin Registration—Allows you to register the ANM plugin to integrate ANM in a
VMware virtual data center environment. See Appendix B, “Using the ANM Plug-In With Virtual
Data Centers.”
Checking the Status of the ANM Server
Note Your user role determines whether you can use this option.
You can check whether ANM has a backup (standby) server and view the server status.
The ANM server can be configured as either of the following:
• A non-HA ANM. The non-HA ANM consists of only one host and is referred to as a standalone
ANM.
• An HA (high availability or fault-tolerant) ANM, which consists of two hosts: an active ANM and
a standby ANM. An HA ANM has a virtual IP address that is always assigned to the active ANM.
Users log into this virtual IP address—they never log into the real IP addresses of the hosts. In
addition, an HA ANM has a secondary NIC and IP address on each host over which “heartbeat”
messages are used to arbitrate which host is active and which is standby.
Procedure
Step 1 Choose Admin > ANM Management > ANM.
The ANM Server status window appears. This window contains the following information:
Table 18-12 ANM Server Status Information
Field Description
HA Replication State HA replication state as follows:
• OK—This is an HA ANM and is running properly.
• Standalone—This is a non-HA ANM; therefore, the HA attributes and operations are not
meaningful.
• Stopped—This is an HA ANM and this state indicates that the active ANM is copying its
entire database contents to the standby ANM. This normally happens when the standby
ANM initially starts up or it has been stopped and restarted later. This process normally
takes a few seconds to a few minutes depending on the size of the ANM configuration data
and monitoring data. During this time, the active ANM cannot be stopped, restarted, or
failed over.
• Failed—This is an HA ANM and database replication cannot proceed. Most likely this is
because the standby ANM is unresponsive or is unreachable.
Version Version of the ANM software.
Build Number and Build
Timestamp
Build identification information.
Time Server Started Date and time the ANM server started.
Virtual IP Address Virtual IP address associated with the active host. This IP address must be on the same
subnet as the primary IP addresses of both Node 1 and Node 2.
Active Name Name of Node 1, which can be displayed by issuing the uname -n command on the host.
Active IP IP address used by Node 1 for normal (non-heartbeat related) communication. This IP address
must be on the same subnet as the primary address for Node 2.
Active Heartbeat IP IP address associated with the crossover network interface for Node 1. This IP address must
be on the same subnet as the Heartbeat IP address for Node 2.
Standby Name Name of Node 2, which can be returned by issuing the uname -n command on the host.
Standby IP IP address used by Node 2 for normal (non-heartbeat related) communication. This IP address
must be on the same subnet as the primary IP address for Node 1.
Standby Heartbeat IP IP address associated with the crossover network interface for Node 2. This IP address must
be on the same subnet as the Heartbeat IP address for Node 1.
License Server State License server state as follows:
• OK—There is a valid license on the host.
• Invalid—The host either contains an invalid license or there is no license present.
• Unknown—It is not possible to communicate with the host's license manager; therefore,
the license state is unknown.
Note The Unknown and Invalid states will not display for the active (local) ANM. If the
standby ANM has an Invalid license state, you should install a valid license. If the
standby ANM has an Unknown license state, check that the standby ANM has been
installed correctly.
• DEMO—Used for demonstration purposes. It lasts for 30, 60, or 90 days from the
issue day of the license. It allows you to use all features.
Standby License Server State Standby license server state as follows:
• OK—There is a valid license on Node 2.
• Invalid—Node 2 either contains an invalid license or there is no license present.
• Unknown—It is not possible to communicate with the license manager on Node 2;
therefore, the license state is unknown.
Note The Unknown and Invalid states will not display for the active (local) ANM. If the
standby ANM has an Invalid license state, you should install a valid license. If the
standby ANM has an Unknown license state, check that the standby ANM has been
installed correctly.
• DEMO—Used for demonstration purposes. It lasts for 30, 60, or 90 days from the
issue day of the license. It allows you to use all features.
Related Topics
• Using ANM License Manager to Manage ANM Server or Demo Licenses, page 18-54
• Displaying ANM Server Statistics, page 18-56
• Configuring ANM Statistics Collection, page 18-57
Using ANM License Manager to Manage ANM Server or Demo Licenses
You can use the ANM License Manager feature to manage the ANM license required to use ANM
beyond the 90-day evaluation period.
Note Your user role determines whether you can use this option.
Table 18-13 describes the available ANM licenses and their purpose.
ANM licenses are available at no charge. When you install the ANM software, you are provided with a
90-day evaluation period that does not require a license; however, to continue using ANM beyond the
evaluation period, you must install the ANM server license as follows:
• To install the server license before the evaluation period expires, you can use ANM License Manager
(see the “Displaying and Adding ANM Licenses to License Management” section on page 18-54).
Optionally, you can use the CLI to install the license as described in the next bullet.
• To install the server license after the evaluation period expires, you must use the CLI (see the
Installation Guide for Cisco Application Networking Manager 5.2 or the Installation Guide for the
Cisco Application Networking Manager 5.2 Virtual Appliance for instructions).
Note ANM uses TCP port 10444 for the ANM License Manager. For other port numbers, see Appendix A,
“ANM Ports Reference.”
This section includes the following topics:
• Displaying and Adding ANM Licenses to License Management, page 18-54
• Removing an ANM License File, page 18-55
Displaying and Adding ANM Licenses to License Management
Note Your user role determines whether you can use this option.
You can add a license to the license manager. You need to add a license before the 90-day evaluation
period expires or when you convert from a demo license to an ANM server license.
Table 18-13 ANM License Descriptions
License Name Description
ANM-DEMO or DEMO Used for demonstration purposes. It lasts for 90 days from the issue day of the license and allows
you to use all features.
ANM-SERVER-50-K9 Used to allow access to the ANM server. Beginning with ANM 4.1, ANM does not perform a
license version number check; it will accept any version ANM license.
Guidelines and Restrictions
The license manager does not display information related to the 90-day evaluation period that allows you
to use ANM immediately after you install the software. When 10 days or fewer remain in the
evaluation period, ANM issues daily warnings that the evaluation period is about to expire. You must
install the ANM server license to continue using ANM.
Procedure
Step 1 Choose Admin > ANM Management > License Management.
The Licenses table appears. Table 18-14 describes the contents of this table.
Step 2 To add new license, from the Licenses table, click Add.
The New License window appears.
Step 3 In the New License window, click Browse to locate the new license name.
Use the browser to choose the license file.
Step 4 Click Upload to install the license you added onto the ANM Server or Cancel to exit.
The license file appears in the License Files table.
From the License Files table you can see the Install Status of the license file and if there are any errors.
Related Topics
• ANM Licenses, page 1-7
• Managing ACE Licenses, page 6-36
• Using ANM License Manager to Manage ANM Server or Demo Licenses, page 18-54
• Removing an ANM License File, page 18-55
Table 18-14 License Files
Field Description
File Name Name of the ANM server or demo license file that you have installed on the ANM host.
Install Status Status of the license file. Any licensing errors display here. For ANM server, if errors display,
see the “Removing an ANM License File” section on page 18-55 for details about how to
remove this file and import a working file. You cannot remove a license from ANM Virtual
Appliance; however, a license that displays in error is not a problem as long as a valid license
is also installed.
Removing an ANM License File
For ANM server, if your license file does not work in ANM due to file errors, you need to remove it from
the ANM host and request another license file from Cisco. There is no ANM GUI remove license
command. You must remove the license from the operating system by deleting the file.
Guidelines and Restrictions
You can remove a license file from ANM server; however, you cannot remove a license file from ANM
Virtual Appliance. If you are using ANM Virtual Appliance and have a license that displays in error, it
is not an issue as long as a valid license is also installed.
Procedure
Step 1 Log in as the root user.
Step 2 To remove the license file, enter the following:
rm /opt/CSCOanm/etc/license/
The license file is removed from the ANM host.
Step 3 Restart ANM to allow it to update the licenses table data.
To restart ANM, see the instructions in the Installation Guide for Cisco Application Networking Manager
5.2.
To request another license from Cisco to replace the one that had errors, open a service request using the
TAC Service Request Tool or call the Technical Assistance Center. Add the license into ANM.
Related Topics
• ANM Licenses, page 1-7
• Using ANM License Manager to Manage ANM Server or Demo Licenses, page 18-54
• Displaying and Adding ANM Licenses to License Management, page 18-54
Displaying ANM Server Statistics
You can display ANM statistics (for example, CPU, disk, and memory usage on the ACE).
Procedure
Step 1 Choose Admin > ANM Management > Statistics.
The statistics viewer displays the fields in Table 18-15.
Table 18-15 ACE Server Statistics
Name Description
Owner Process where statistics are collected.
Statistic Statistical information, which includes the following:
• CPU Usage—Overall ACE CPU busy percentage in the last 5-minute period.
• Disk Usage—Amount of disk space being used by the ANM server or ACE device.
• Memory Usage—Amount of memory being used by the ANM server or ACE hardware.
• Process Uptime—Amount of time since this system was last initialized, or the amount of time
since the network management portion of the system was last reinitialized.
Value Value of the statistic.
Description Information that the statistic gathered.
Related Topics
• Checking the Status of the ANM Server, page 18-52
• Configuring ANM Statistics Collection, page 18-57
Configuring ANM Statistics Collection
You can enable ACE server statistics polling.
Procedure
Step 1 Choose Admin > ANM Management > Statistics Collection.
The Primary Attributes configuration window appears.
Step 2 In the Polling Stats field, click Enable to start background polling or Disable to stop background
polling.
Step 3 In the Background Polling Interval field, choose the polling interval appropriate for your networking
environment.
Step 4 Click Deploy Now to save your entries.
Related Topics
• Checking the Status of the ANM Server, page 18-52
• Displaying ANM Server Statistics, page 18-56
Configuring Audit Log Settings
You can determine how long audit logs are kept in the database.
Audit Log Purge Settings allow you to specify the following:
• How many days the log records in the database will be kept (default is 31).
• The maximum number of log records that will be stored in the ANM database (default 100,000).
Audit Log File Purge Settings allow you to specify the following:
• The number of days' worth of log record files that will be kept (default 31 days).
• The number of daily rolling files that will be kept (default 10 files each day; the file size is
2 Megabytes and is not configurable).
Procedure
Step 1 Choose Admin > ANM Management > Audit Log Settings.
The Audit Log Settings configuration window appears. Audit Log Purge Settings fields let you
determine whether audit log table entries will be deleted after a certain number of days (default is 31
days) or after the tables reach a certain number of entries (default is 100,000 entries).
Step 2 Enter the greatest number of days that you would like entries to be retained in the Number of Days field.
Step 3 Enter the maximum number of log records to be stored in the audit log tables of the ANM database in
the Number of Entries (Thousand) field (default 100, that is, 100,000 records).
Audit Log File Purge Settings fields let you determine whether to retain log files by age
(default is 31 days) or by the number of rolling files saved in a given day (default is 10 files).
Step 4 Enter the greatest number of days that you would like entries to be retained in Number of Days field.
Step 5 Enter the greatest number of log files that you would like retained in the Number of Daily Rolling Log
Files field.
Step 6 Do one of the following:
• Click Reset to Default to erase changes and restore the default values.
• Click Save Now to save your entries.
Related Topics
• Performing Device Audit Trail Logging, page 18-59
• Displaying Change Audit Logs, page 18-61
Performing Device Audit Trail Logging
Certain configuration and deployment changes are logged in the ANM database and available for
display according to your role, which is restricted by the ACE virtual context as established by
RBAC. Log files are located in /var/lib/anm/events/date/audit, where date is in YYYYMMDD format (for
example, 20091109 for November 9, 2009).
The following changes are logged in ANM:
• Configuration deployments to devices
• Device or virtual context synchronization operations
• Device or virtual context import and deletions
• Creation, update, and deletion of virtual server changes staged to be deployed later
Procedure
Step 1 Choose Config > device(s) to view > Device Audit.
ANM displays all operations described above on the specified devices. See Table 18-16 for a description
of the displayed information, some of which is extracted from the syslog.
You can sort information in the table by clicking on a column heading, adjust the viewable time range
using the drop-down list, and export the table for reporting and troubleshooting purposes.
Table 18-16 Config > Device Audit Fields
Field Description
Time ANM server timestamp when the action is complete.
Client IP Source IP address initiating action.
User Email address in the following format: username@organization name for
example, admin@cisco.com.
Device Device or ACE virtual context target of user action.
Action The action name of the operation, including the following:
• add staging object
• allocate vlan
• change credential
• create
• create vc
• create vc-template
• create-vip
• delete
• delete-vip
• deploy staging object
• disable polling
• enable polling
• export-certificate-key
• generate-csr
• import device
• import-certificate-key
• import module
• remove device
• remove vc
• restart monitoring
• syncup config
• syslog-setup
• unmanage module
• update
• update staging object
• update-vip
Target Name of the target configuration object (for example, Serverfarm sf1).
Status Indicates whether operation succeeded or not.
Related Topics
• Configuring Audit Log Settings, page 18-58
• Displaying Change Audit Logs, page 18-61
Displaying Change Audit Logs
You can display the ANM change audit logs, which record, for example, user login attempts and the
creation, update, and deletion of objects such as RBAC settings, Global Resource Classes, Credentials,
device groups, and threshold settings. Any key or change-related activity on the ANM server is logged
and can be viewed according to your role.
To display the change audit logs, choose Admin > ANM Management > ANM Change Audit Log. The
audit log displays the fields in Table 18-17.
Related Topics
• Checking the Status of the ANM Server, page 18-52
• Configuring Audit Log Settings, page 18-58
• Performing Device Audit Trail Logging, page 18-59
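The fields in Table 18-16 and Table 18-17 are enough to do a first triage of the audit data outside the GUI, for example from an exported table or the audit log file. The following added example (not Cisco's code) runs over constructed records shaped like those tables: it lists device-audit actions that touch key material, credentials or device membership, finds client IPs with a burst of failed logins, and reports successful logins from those IPs. The sample rows, the action list and thresholds, and the "User authentication failed." wording are assumptions; only "User authentication succeeded." is the message the guide quotes.

```python
"""Triage ANM audit records for the events an operator should look at first.

Added example; not Cisco's code. Field names follow Table 18-16 (Config >
Device Audit) and Table 18-17 (ANM Change Audit Log). The records below are
constructed for this example, SENSITIVE_ACTIONS and the thresholds are local
policy choices, and AUTH_FAILED is an assumed counterpart of the
"User authentication succeeded." message the guide quotes; check the wording
against your own change audit log before relying on it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Actions from Table 18-16 that touch key material, credentials or device
# membership; each is worth a ticket on its own (assumed policy).
SENSITIVE_ACTIONS = {
    "export-certificate-key", "import-certificate-key", "change credential",
    "remove device", "remove vc", "unmanage module",
}
AUTH_OK = "User authentication succeeded."     # quoted in the guide
AUTH_FAILED = "User authentication failed."    # assumed wording

DEVICE_AUDIT: List[Dict[str, str]] = [          # constructed sample rows
    {"Time": "2009-11-09 10:02:11", "Client IP": "10.1.1.5", "User": "admin@cisco.com",
     "Device": "ace1/Admin", "Action": "update", "Target": "Serverfarm sf1", "Status": "succeeded"},
    {"Time": "2009-11-09 10:05:40", "Client IP": "192.0.2.7", "User": "ops1@cisco.com",
     "Device": "ace1/Admin", "Action": "export-certificate-key", "Target": "cert1", "Status": "succeeded"},
    {"Time": "2009-11-09 10:06:02", "Client IP": "192.0.2.7", "User": "ops1@cisco.com",
     "Device": "ace1/Admin", "Action": "change credential", "Target": "ace1", "Status": "succeeded"},
]
SERVER_AUDIT: List[Dict[str, str]] = [          # constructed sample rows
    {"Time": "2009-11-09 10:00:00", "Client IP": "192.0.2.7", "User": "ops1@cisco.com", "Message": AUTH_FAILED},
    {"Time": "2009-11-09 10:00:30", "Client IP": "192.0.2.7", "User": "ops1@cisco.com", "Message": AUTH_FAILED},
    {"Time": "2009-11-09 10:01:00", "Client IP": "192.0.2.7", "User": "ops1@cisco.com", "Message": AUTH_FAILED},
    {"Time": "2009-11-09 10:01:30", "Client IP": "192.0.2.7", "User": "ops1@cisco.com", "Message": AUTH_OK},
    {"Time": "2009-11-09 10:01:45", "Client IP": "10.1.1.5", "User": "admin@cisco.com", "Message": AUTH_FAILED},
    {"Time": "2009-11-09 10:02:00", "Client IP": "10.1.1.5", "User": "admin@cisco.com", "Message": AUTH_OK},
]


def _ts(rec: Dict[str, str]) -> datetime:
    return datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")


def sensitive_actions(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Device-audit rows whose Action is in SENSITIVE_ACTIONS, oldest first."""
    return sorted((r for r in records if r["Action"] in SENSITIVE_ACTIONS), key=_ts)


def failed_login_bursts(records: List[Dict[str, str]], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Client IPs with at least `threshold` failed logins inside any `window`.
    Returns {ip: failures in the densest window}."""
    failures = defaultdict(list)
    for r in records:
        if r["Message"] == AUTH_FAILED:
            failures[r["Client IP"]].append(_ts(r))
    bursts: Dict[str, int] = {}
    for ip, times in failures.items():
        times.sort()
        best, j = 0, 0
        for i, start in enumerate(times):      # sliding window over sorted times
            while j + 1 < len(times) and times[j + 1] - start <= window:
                j += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def success_after_burst(records: List[Dict[str, str]], bursts: Dict[str, int]) -> List[Dict[str, str]]:
    """Successful logins from an IP already in `bursts`: the guessing paid off,
    so these are the sessions to review or terminate."""
    return [r for r in records if r["Message"] == AUTH_OK and r["Client IP"] in bursts]


def triage(device_audit=DEVICE_AUDIT, server_audit=SERVER_AUDIT) -> Dict[str, object]:
    bursts = failed_login_bursts(server_audit)
    return {
        "sensitive": sensitive_actions(device_audit),
        "bursts": bursts,
        "suspicious_logins": success_after_burst(server_audit, bursts),
    }


if __name__ == "__main__":
    for key, val in triage().items():
        print(key, val)
```

On the sample data the run flags the export-certificate-key and change credential actions, reports 192.0.2.7 with three failed logins inside five minutes, and lists the successful ops1@cisco.com login from that address; the single failure from 10.1.1.5 stays below the threshold.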
Table 18-16 Config > Device Audit Fields (continued)
Field Description
Detail CLI commands sent to the device and/or error messages. ANM truncates the
display if the number of characters for the CLI commands exceeds 100,000
characters. You can view the complete audit output in the audit log file.
Table 18-17 Server Audit Log
Name Description
Time Server time stamp when user action is complete.
Client IP IP address where action originated.
User Email address in the following format: username@organization name for example, admin@cisco.com.
Message Boilerplate text descriptive of action taken, usually self-explanatory (for example, “User authentication
succeeded.”).
Configuring Auto Sync Settings
You can configure ANM server auto sync settings.
Procedure
Step 1 Choose Admin > ANM Management > ANM Auto Sync Settings.
The Setup ANM Auto-Sync Settings window appears.
Step 2 In the ANM Auto-Sync field of the Setup ANM Auto-Sync Settings window, do one of the following:
• Click Enable to have the ANM server automatically sync with ACE CLI when it detects out of band
changes.
• Click Disable to have the ANM server warn but not take independent action when it detects out of
band changes between the server and ACE CLI.
Step 3 In the Polling Interval field, choose the polling interval you want the ANM server to employ.
Step 4 Click OK to save your entries.
Related Topic
Synchronizing Virtual Context Configurations, page 6-105
Configuring Advanced Settings
This section discusses the Advanced Settings window.
This section includes the following topics:
• Configuring the Overwrite ACE Logging device-id for the Syslog Option, page 18-62
• Configuring the Enable Write Mem on the Config > Operations Option, page 18-63
• Enabling the ACE Real Server Details Popup Window Option, page 18-64
• Enabling the ACE Server Farm Details Popup Window Option for Virtual Servers, page 18-65
• Enable Mobile Notifications from ANM, page 18-66
• Managing the Syslog Buffer Display in the All Devices Dashboard, page 18-66
• Managing the Display of Virtual Servers in the Operations and Monitoring Windows, page 18-66
Configuring the Overwrite ACE Logging device-id for the Syslog Option
You can overwrite the ACE logging device-id.
By default, ANM Autosync relies on the ACE logging device-id to be of type “String.” A device-id
setting adds explicit information that is appended to the syslog message and is used by ANM to identify
the source of a syslog message. If you configure ANM to manage syslog settings for Autosync on a
virtual context (Config > Devices > Setup Syslog for Autosync) and the logging device-id is defined as
something other than type “String” for the context, the operation fails and ANM displays “Syslog device
is already configured for other purpose.”
You can instruct ANM to overwrite the ACE logging device-id when it sets up syslog for Autosync on the
ACE. With this option enabled, if any context that you are setting up syslog for Autosync on has a
device-id of a type other than string, ANM overrides that device-id with the string that ANM requires.
Procedure
Step 1 Choose Admin > ANM Management > Advanced Settings.
The Advanced Settings configuration window appears.
Step 2 In the Overwrite ACE Logging Device ID field of the Advanced Settings configuration window, do one
of the following:
• Click Enable to overwrite the logging device-id during Setup Syslog for Autosync.
• Click Disable to prevent overwriting the existing logging device-id if it has been previously set up
with a type other than string. If the selected context from Setup Syslog for Autosync already has a
device-id that is set up with a type other than string, then the operation reports an error and ANM
does not overwrite this setting. This is the default setting.
Step 3 Click OK to accept your entries on the Advanced Settings configuration window.
Related Topics
• Enabling a Setup Syslog for Autosync for Use With an ACE, page 5-27
Configuring the Enable Write Mem on the Config > Operations Option
You can configure the Enable Write Mem on the Config > Operations feature.
By default, ANM initiates a write memory command action after you activate or suspend changes on
the ACE, CSM, or CSS through the different ANM Operations Pages (Config > Operations). In certain
situations, such as those that involve large configurations, a write memory action can take an extended
period of time to complete. In this case, the ANM GUI may time out. If a write memory action is not
performed before a device reload occurs, the changes will be lost. You can instruct ANM to enable or
disable write memory on a Config > Operations configuration.
Note The write memory command is the same as the copy running-config startup-config command; both
commands save changes to the configuration.
Note The CSS Expert mode must be disabled if you wish to disable the Write Mem on Config > Operations
feature. The Expert mode allows you to turn the CSS confirmation capability on or off; turning Expert
mode on disables the CSS from prompting for confirmation when configuration changes are made. If
Expert mode is enabled on the CSS, this function will cause the CSS to perform an implicit write
memory action after each operational change.
Procedure
Step 1 Choose Admin > ANM Management > Advanced Settings.
The Advanced Settings configuration window appears.
Step 2 In the Enable Write Mem on Config > Operations field of the Advanced Settings configuration window,
do one of the following:
• Click Enable to instruct ANM to activate the write memory action on the Config > Operations
window. This is the default.
• Click Disable to deactivate the write memory action on the Config > Operations window. This
option will require you to periodically access the CLI for the ACE context, the CSM, or the CSS and
enter the write memory command to commit the change to the startup-configuration file.
Step 3 Click OK to accept your entries on the Advanced Settings configuration window.
Enabling the ACE Real Server Details Popup Window Option
You can enable the ACE real server Details popup window option that displays real server details by
issuing the show rserver detail command to the selected ACE in the real servers operation window
(Config > Operations > Real Servers). This top level real server show command displays information
that includes total statistics about every serverfarm real server associated with the selected rserver. The
ACE real server Details popup window feature is disabled by default.
Caution When you enable the ACE real server Details popup window option, the information that displays in the
Details popup window may exceed the RBAC restrictions assigned to the user.
The following example shows how enabling the ACE real server Details popup window option in ANM
can display information that may exceed the RBAC restrictions assigned to a user. In the following CLI
example, the ACE displays information for rbac-test:80 and rbac-test:443 in response to the show
rserver rbac-test detail command:
switch/Admin# sh rserver rbac-test detail
 rserver              : rbac-test, type: HOST
 state                : OUTOFSERVICE
 ---------------------------------
                                               ----------connections-----------
       real                  weight     state          current    total
    ---+---------------------+------+------------+----------+--------------------
   serverfarm: sf-rbac-test
       0.0.0.0:80            8      OUTOFSERVICE   0          0
   serverfarm: sf1-rbac-test
       0.0.0.0:443           8      OUTOFSERVICE   0          0
switch/Admin(config-sfarm-host-rs)#
When you enable the Details option in ANM, the popup window displays the same information even if
the user requesting the information is configured in ANM to have access to rbac-test:80 only.
Procedure
Step 1 Choose Admin > ANM Management > Advanced Settings.
The Advanced Settings configuration window appears.
Step 2 In the Enable Details popup window for Config > Operations > Real Servers field of the Advanced
Settings configuration window, do one of the following:
• Click Enable to enable the ACE real server Details popup window option.
• Click Disable to disable the ACE real server Details popup window option. This is the default.
Step 3 Click OK to accept your entries on the Advanced Settings configuration window.
Related Topics
• Displaying Real Servers, page 8-18
Enabling the ACE Server Farm Details Popup Window Option for Virtual Servers
You can enable the ACE Server Farm Details popup window option that displays details about the server
farms associated with a virtual server. When you enable this feature, the server farms listed in the virtual
servers operation window (Config > Operations > Virtual Servers) become hyperlinks that open a popup
details window. When you click a server farm associated with a virtual server, ANM issues the show
serverfarm detail command to the ACE and displays the command output in the popup window.
This top level virtual server show command displays information that includes statistical information
related to the real servers associated with the server farm. The ACE Server Farm Details popup window
feature is disabled by default.
Caution When you enable the ACE Server Farm Details popup window option, the information that displays in
the popup window may exceed the RBAC restrictions assigned to the user. For example, information
related to real servers that a user is not permitted to access may display.
The following is an example of the show serverfarm test-sf detail command output:
serverfarm : test-sf, type: REDIRECT
total rservers : 1
active rservers: 0
description : -
state : INACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 0
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: anm-vm-119
0.0.0.0:0 8 OUTOFSERVICE 0 0 0
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
Procedure
Step 1 Choose Admin > ANM Management > Advanced Settings.
The Advanced Settings configuration window appears.
Step 2 In the “Enable Details popup window for Config > Operations > Virtual Servers” field of the Advanced
Settings configuration window, do one of the following:
• Click Enable to enable the ACE Server Farm Details popup window option.
• Click Disable to disable the ACE Server Farm Details popup window option. This is the default.
Step 3 Click OK to accept your entries on the Advanced Settings configuration window.
Related Topic
“Displaying Virtual Servers” section on page 7-81
Enable Mobile Notifications from ANM
You can enable ANM to send alarm notifications to supported mobile devices that are using the ANM
Mobile app. By default, this feature is disabled. For details about enabling this advanced setting, see
the “Globally Enabling or Disabling Mobile Device Notifications” section on page 18-69.
Related Topics
• Globally Enabling or Disabling Mobile Device Notifications, page 18-69
• Configuring Alarm Notifications on ANM, page 17-57
• Administering the ANM Mobile Feature, page 18-67
• Chapter 19, “Using ANM Mobile”
Managing the Syslog Buffer Display in the All Devices Dashboard
You can choose to show or hide the syslog buffer information that displays in the Top 10 Current
Resources pane of the All Devices Dashboard window (Monitor > Devices > Dashboard > All Devices).
You may want to hide this information because it will always show 100 percent after the buffer becomes
full and starts to wrap.
Procedure
Step 1 Choose Admin > ANM Management > Advanced Settings.
The Advanced Settings configuration window appears.
Step 2 Check the Hide 'Syslog Buffer' details in 'Top 10 Current Resources' in Dashboard Pane (All
devices dashboard) check box to hide the syslog information. Uncheck the check box to display the
syslog information.
Step 3 Click OK to accept your entries on the Advanced Settings configuration window.
Step 4 (Optional) Choose Monitor > Devices > Dashboard > All Devices to view the change to the Top 10
Current Resources pane. For more information, see the “Top 10 Current Resources Table” section on
page 17-20.
Managing the Display of Virtual Servers in the Operations and Monitoring Windows
You can choose to show only ANM recognized virtual servers or all virtual servers in the virtual server
windows for Config Operations (Config > Operations > Virtual Servers) and Monitor Devices (Monitor
> Devices > Load Balancing > Virtual Servers).
ANM recognized virtual servers are virtual servers that match ANM’s virtual server definition (see
“Virtual Server Configuration and ANM” section on page 7-2). When you have the display set to display
all virtual servers, it includes virtual servers that match ANM’s virtual server definition and those that
do not match this definition but that ANM can recognize as virtual servers using SNMP polling.
Procedure
Step 1 Choose Admin > ANM Management > Advanced Settings.
The Advanced Settings configuration window appears.
Step 2 Do one of the following to specify the virtual server types that display in the Operations and Monitor
windows for virtual servers:
• Check the Display All Virtual Servers in Monitoring & Operations page (Virtual Servers that
have class-map/policy-map definitions) check box to display virtual servers that match ANM’s
virtual server definition and those that do not match this definition but that ANM can recognize as
virtual servers using SNMP polling.
When this option is checked, the virtual server windows for Config Operations and Monitor Devices
include a display toggle button located above the table that allows you to change from
viewing all virtual servers to viewing only ANM recognized virtual servers.
• Uncheck the check box to display only virtual servers that match ANM’s virtual server definition
(see the “Information About Using ANM to Configure Virtual Servers” section on page 7-4). This is
the default.
Step 3 Click OK to accept your entries on the Advanced Settings configuration window.
Step 4 (Optional) Choose Config > Operations > Virtual Servers to view the change.
Administering the ANM Mobile Feature
ANM Mobile is a mobile device app that allows supported mobile devices to access your ANM server
or ANM Virtual Appliance and manage the network objects in much the same way you do from an ANM
client as described in Chapter 19, “Using ANM Mobile.” This section describes how to configure ANM
to send alarm notifications to ANM Mobile, which requires configuring ANM with a push notification
proxy server and globally enabling the mobile notification feature. For remotely authorized users, you
must also modify the ANM configuration to allow ANM to send mobile notifications to this user type.
After you have ANM configured to issue mobile notifications, you can send a test message to test the
notification channel between ANM and the mobile device. You can also view a list that shows the last
notification that ANM issued to each mobile device.
This section includes the following topics:
• Configuring ANM with a Proxy Server for ANM Mobile Push Notifications, page 18-67
• Enabling Mobile Device Notifications for Remotely Authorized Users, page 18-69
• Globally Enabling or Disabling Mobile Device Notifications, page 18-69
• Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70
Configuring ANM with a Proxy Server for ANM Mobile Push Notifications
You can modify the ANM properties file for ANM Mobile push (or alarm) notifications. ANM is
preconfigured to send ANM Mobile notifications directly to the Cisco proxy service. If your network
does not allow direct access to the proxy service, you can configure ANM to send notifications to your
proxy server, which in turn forwards the notifications to the Cisco proxy service.
Prerequisites
ANM has alarm threshold groups configured for mobile device alarm notifications (see the “Configuring
Alarm Notifications on ANM” section on page 17-57).
Procedure
Step 1 Specify a proxy server to use as follows:
• ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and modify the
following lines:
– proxy-type=type
Specify a type of either ssl or socks depending on your network requirements.
– proxy-server=proxy_IPaddress
Specify the IP address of your proxy server.
– proxy-server-port=port_number
Specify the port to use to communicate with your proxy server.
• ANM Virtual Appliance—Enter the following commands:
– anm-property set proxy-type type
Specify a type of either ssl or socks depending on your network requirements.
– anm-property set proxy-server proxy_IPaddress
Specify the IP address of your proxy server.
– anm-property set proxy-server-port port_number
Specify the port to use to communicate with your proxy server.
Step 2 Restart ANM as follows:
• ANM Server—Enter the following command:
/opt/CSCOanm/bin/anm-tool restart
• ANM Virtual Appliance—Enter the following command:
anm-tool restart
Step 3 Allow ANM to send alarm notifications to supported mobile devices.
For more information, see the “Globally Enabling or Disabling Mobile Device Notifications” section on
page 18-69.
Step 4 (Optional) Send a test notification to a mobile device.
For more information, see the “Displaying Mobile Device Notifications and Testing the Notification
Channel” section on page 18-70.
Related Topics
• Enabling Mobile Device Notifications for Remotely Authorized Users, page 18-69
• Globally Enabling or Disabling Mobile Device Notifications, page 18-69
• Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70
• Chapter 19, “Using ANM Mobile”
Enabling Mobile Device Notifications for Remotely Authorized Users
You can modify the ANM configuration when you need to send mobile device alarm notifications to
users that are authorized remotely using an AAA server.
Guidelines and Restrictions
When you enable alarm notifications to remotely authorized users, ANM does not perform any RBAC
filtering of alarms to users, which means that remotely authorized users receive all alarm notifications
regardless of the roles and domains assigned to them.
Procedure
Step 1 Enable mobile device notifications for remotely authorized users as follows:
• ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and change the
state of the following line from false to true:
send.mobile.notifications.to.remote.users=true
• ANM Virtual Appliance—Enter the following command:
anm-property set send.mobile.notifications.to.remote.users true
Step 2 Restart ANM as follows:
• ANM Server—Enter the following command:
/opt/CSCOanm/bin/anm-tool restart
• ANM Virtual Appliance—Enter the following command:
anm-tool restart
Step 3 Globally enable ANM to send mobile device alarm notifications (see the “Globally Enabling or
Disabling Mobile Device Notifications” section on page 18-69).
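The two properties-file edits in the procedures above (the proxy-type, proxy-server and proxy-server-port keys, and the send.mobile.notifications.to.remote.users flag) as an added shell example; this is not code from the ANM user guide or from Cisco. It validates each value before writing it, replaces an existing line instead of appending a duplicate, and audits whether the remote-user flag is on, because that flag disables RBAC filtering of alarm notifications. The function names, the temporary working copy and the sample values (192.0.2.10, port 1080) are constructed; on a real ANM server the file is /opt/CSCOanm/etc/cs-config.properties, and ANM must still be restarted afterwards as the procedures state.

```shell
#!/bin/sh
# Added example (not from the ANM user guide): maintain the ANM Mobile keys in
# cs-config.properties with validation, then audit the remote-user setting.
# The file used below is a constructed temporary copy, not the live file.

# Validate a value for a given key before it is written. Returns 0 if acceptable.
anm_validate_property() {
    key=$1
    value=$2
    case "$key" in
        proxy-type)
            case "$value" in
                ssl|socks) return 0 ;;
                *) echo "proxy-type must be ssl or socks" >&2; return 1 ;;
            esac ;;
        proxy-server)
            # The guide calls for an IP address; accept an IPv4 dotted quad only.
            if echo "$value" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then return 0; fi
            echo "proxy-server must be an IPv4 address" >&2
            return 1 ;;
        proxy-server-port)
            case "$value" in
                ''|*[!0-9]*) echo "proxy-server-port must be numeric" >&2; return 1 ;;
            esac
            if [ "$value" -ge 1 ] && [ "$value" -le 65535 ]; then return 0; fi
            echo "proxy-server-port must be between 1 and 65535" >&2
            return 1 ;;
        send.mobile.notifications.to.remote.users)
            case "$value" in
                true|false) return 0 ;;
                *) echo "send.mobile.notifications.to.remote.users must be true or false" >&2; return 1 ;;
            esac ;;
        *)
            echo "unknown key: $key" >&2
            return 1 ;;
    esac
}

# Write key=value to a properties file: replace the existing line or append one.
anm_set_property() {
    file=$1
    key=$2
    value=$3
    anm_validate_property "$key" "$value" || return 1
    if grep -q "^${key}=" "$file"; then
        # sed -i is not POSIX; write a temporary file and move it into place.
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Read the current value of a key (empty string when the key is unset).
anm_get_property() {
    file=$1
    key=$2
    sed -n "s|^${key}=||p" "$file" | tail -n 1
}

# Audit: returns 0 when remote (AAA) users are not sent notifications, so RBAC
# filtering still applies; returns 1 and warns when the flag is true.
anm_audit_remote_notifications() {
    file=$1
    if [ "$(anm_get_property "$file" send.mobile.notifications.to.remote.users)" = "true" ]; then
        echo "WARNING: remotely authorized users receive ALL alarm notifications (no RBAC filtering)" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed copy of the properties file.
ANM_PROPS=$(mktemp)
cat > "$ANM_PROPS" <<'EOF'
# constructed sample of cs-config.properties
proxy-type=ssl
proxy-server=0.0.0.0
proxy-server-port=0
send.mobile.notifications.to.remote.users=false
EOF
anm_set_property "$ANM_PROPS" proxy-type socks
anm_set_property "$ANM_PROPS" proxy-server 192.0.2.10
anm_set_property "$ANM_PROPS" proxy-server-port 1080
anm_audit_remote_notifications "$ANM_PROPS" && echo "remote-user notifications: off (RBAC filtering applies)"
```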
Related Topics
• Configuring ANM with a Proxy Server for ANM Mobile Push Notifications, page 18-67
• Globally Enabling or Disabling Mobile Device Notifications, page 18-69
• Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70
• Chapter 19, “Using ANM Mobile”
Globally Enabling or Disabling Mobile Device Notifications
You can globally enable or disable mobile device notifications from ANM.
Prerequisites
This topic includes the following prerequisites:
• ANM has alarm threshold groups configured for mobile device alarm notifications (see the
“Configuring Alarm Notifications on ANM” section on page 17-57).
• ANM is allowed to send alarm notifications outside your network to the Cisco proxy service either
directly (default) or through a specified proxy server (see the “Configuring ANM with a Proxy
Server for ANM Mobile Push Notifications” section on page 18-67).
• For remotely authorized users only, you must modify the ANM config.properties file to allow ANM
to send notifications to this user type (see the “Enabling Mobile Device Notifications for Remotely
Authorized Users” section on page 18-69).
Procedure
Step 1 Choose Admin > ANM Management > Advanced Settings.
The Advanced Settings configuration window appears.
Step 2 In the “Enable mobile notifications from ANM” field of the Advanced Settings configuration window,
do one of the following:
• Click Enable to allow ANM to send alarm notifications to mobile devices using ANM Mobile.
• Click Disable to not allow ANM to send alarm notifications to mobile devices. This is the default.
Step 3 Click OK to accept your entries on the Advanced Settings configuration window.
Step 4 (Optional) Send a test notification to a mobile device.
For more information, see the “Displaying Mobile Device Notifications and Testing the Notification
Channel” section on page 18-70.
Related Topics
• Configuring Advanced Settings, page 18-62
• Configuring ANM with a Proxy Server for ANM Mobile Push Notifications, page 18-67
• Enabling Mobile Device Notifications for Remotely Authorized Users, page 18-69
• Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70
• Chapter 19, “Using ANM Mobile”
Displaying Mobile Device Notifications and Testing the Notification Channel
You can display the list of ANM Mobile alarm notifications and send a customized test message to a
mobile device.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• ANM displays only the last notification sent to a mobile device.
• You can send a test message to a mobile device even when you have globally disabled mobile device
alarm notifications in ANM. For information about managing mobile device alarm notifications, see
the “Globally Enabling or Disabling Mobile Device Notifications” section on page 18-69.
Procedure
Step 1 Choose Admin > Role-Based Access Control > Mobile Notifications.
The Mobile Notifications window appears. Table 18-18 describes the information displayed.
Step 2 (Optional) To manage which fields display in the Mobile Notifications window, do the following:
a. Click the Customize button and choose Configure from the menu that appears. The Mobile
Notifications List Configuration popup window appears.
b. From the popup window, choose the fields that you want to display and make any other display
modifications that you want to see. Be sure to enter a name in the List Customization Name field if
you want to assign a name to the customized display. This option allows you to recall the customized
display if you return to the default display.
c. Do one of the following:
– Click Save to save the settings to the name that you provided in the List Customization Name
field.
– Click Cancel to exit the popup window without making any changes.
– Click Apply to apply the changes to the Mobile Notifications window without saving the
display settings to a new name.
Step 3 (Optional) To test the notification channel between ANM and a mobile device, send the device a test
message by doing the following:
a. Choose the device from the Mobile Devices window and click Send Test Message.
The Send Test Message to Device dialog box appears.
b. In the dialog box, enter a message (150 characters maximum) to send the device and click Send.
ANM sends the test message, which can be verified on the targeted device.
Related Topics
• Displaying a List of Users, page 18-18
• Configuring ANM with a Proxy Server for ANM Mobile Push Notifications, page 18-67
• Enabling Mobile Device Notifications for Remotely Authorized Users, page 18-69
• Globally Enabling or Disabling Mobile Device Notifications, page 18-69
• Chapter 19, “Using ANM Mobile”
Table 18-18 Mobile Notifications Window
Field | Description
Owner | Mobile device owner.
UUID | Unique ID of the user who last logged in to ANM from the mobile device.
Device Type | Mobile device type.
Device OS | Mobile device operating system information.
Last Registration Time | Last time the mobile device passed a device token to ANM.
Time Zone (1) | Time zone associated with the mobile device.
Last Notification Time (1) | Last time that ANM sent an alarm notification to the mobile device.
1. This field is not shown in the default view of the Mobile Notifications window. See Step 2 to manage which fields display.
Lifeline Management
You can use the troubleshooting and diagnostics tools provided by the Lifeline feature to report a critical
problem to the Cisco support line and generate a diagnostic package. For more information about this
feature, see the “Using Lifeline” section on page 20-7.
Chapter 19 Using ANM Mobile
Date: 3/28/12
This chapter describes Cisco ANM Mobile, which allows you to access your ANM server or ANM
Virtual Appliance and manage your devices using a mobile device such as an iPhone or Android
smartphone.
This chapter contains the following sections:
• Information About ANM Mobile, page 19-2
• ANM Mobile Prerequisites and Supported Devices, page 19-4
• Guidelines and Restrictions, page 19-5
• Using ANM Mobile, page 19-5
Information About ANM Mobile
ANM Mobile allows supported mobile devices to access your ANM server or ANM Virtual Appliance
and manage the network objects in much the same way you do from an ANM client. Using a mobile
device, you can run ANM Mobile as a native application (app) or inside the mobile device browser.
Using either the native app or the mobile device browser, you can perform the following tasks:
• Activate or suspend a real server, virtual server, VIP answer, or DNS rule.
• Access the status and details of a real server, virtual server, VIP answer, or DNS rule.
• Change the weight of a real server.
• Display a real-time chart of a real or virtual server statistical metric, such as the number of
connections.
• Display the Operation Summary (similar to the Device Configuration Summary Panel inside the
ANM dashboard) by object type (Real Server, Virtual Server, VIP Answer or DNS Rule) in category
of healthy, unhealthy, and others. You can drill down to see the list of objects in the selected category
and object type.
• (Native app only) Receive alarm notifications from ANM when conditions exist that require your
attention.
• Add frequently accessed objects to the Favorite screen.
• Use the search feature to find managed objects, such as a device, real server, virtual server, VIP
answer, or DNS rule.
• View the alarm summary and details.
• Change the real-time chart polling interval and connection timeout values.
• Save your access credentials.
• From ANM’s Mobile Devices window (Admin > Role-Based Access Control > Mobile Devices),
system administrators can view the list of registered mobile users and send a test push notification
message to a user’s mobile device.
Table 19-1 shows the main differences between using ANM Mobile as a native app or using it in the
mobile device’s browser.
Figure 19-1 provides an overview of ANM Mobile, including the components that are available with the
native app only.
Table 19-1 Major ANM Mobile Differences Between Native App and Mobile Browser
Category | Native Application | Mobile Browser
ANM Notification Service (native app only) | Supported | Not supported
Client application (ANM Mobile) download and installation | Required | Not required (1)
Upgrade | Required download and installation of latest version | Part of the ANM server upgrade process
1. When using a mobile device browser, you enter the ANM server IP address in the browser address bar, at which point you
are redirected to ANM Mobile.
Figure 19-1 ANM Mobile Overview
The components in Figure 19-1 are as follows:
1. ANM Mobile app—Obtain the no-cost Cisco ANM Mobile app from the app store or market
associated with the mobile device.
2. Mobile device login—Enter ANM IP address, username, and password to log in to ANM server or
ANM Virtual Appliance from the mobile device. After a successful login, ANM associates the
mobile device with the user (see the “Displaying a List of Users” section on page 18-18).
3. Access ANM—Access ANM functionality to monitor your network and perform operational tasks.
For more information, see the “Using ANM Mobile” section on page 19-5.
4. Alarm Notifications—ANM sends alarm notifications to a mobile device (native app required)
through a proxy service.
For more information, see the “Setting Up and Viewing Mobile Device Alarm Notifications” section
on page 19-13.
5. Cisco Proxy Service—Standalone server (managed by Cisco IT) that forwards notification messages
from ANM to the Apple or Google Push Notification Service. The proxy service, which is hosted
by Cisco and used for alarm notifications, manages the push notification messages that ANM issues
by forwarding them to the Apple or Android Push Notification Services.
For more information, see the “Configuring ANM with a Proxy Server for ANM Mobile Push
Notifications” section on page 18-67.
6. Push notification service—Allows a third-party server, such as the ANM server, to send notification
messages securely to a mobile device. The push notification services provided by Apple and
Google are used for alarm notifications and are best effort; therefore, the push notification service
provided by Cisco is also best effort.
Related Topics
• ANM Mobile Prerequisites and Supported Devices, page 19-4
• Guidelines and Restrictions, page 19-5
• Using ANM Mobile, page 19-5
ANM Mobile Prerequisites and Supported Devices
This section describes the ANM and mobile device requirements needed to use ANM Mobile.
ANM Server and ANM Virtual Appliance Requirements
Your ANM server or ANM Virtual Appliance must be using ANM software Version 5.1 or later to access
ANM Mobile. To utilize the alarm notification feature, ANM must be configured to send notifications
(see the “Administering the ANM Mobile Feature” section on page 18-67).
Mobile Device Requirements
Table 19-2 shows the mobile devices that ANM Mobile version 1.0 supports.
Use the following links to download the ANM Mobile app to your smartphone:
• ANM Mobile on iPhone
• ANM Mobile on Android
• ANM Mobile on Cisco Cius
Related Topics
• Information About ANM Mobile, page 19-2
• Guidelines and Restrictions, page 19-5
• Using ANM Mobile, page 19-5
Table 19-2 Supported Devices
OS Platform | Tested Version | Native Application | Mobile Browser | Tested Device Types
Apple iOS | 4.2 and 4.3 | Yes | Safari | iPhone, iPod, iPad
Android | 2.2, 2.3.3, 2.3.6 | Yes | Default Android Browser | Tested on the following Android handsets: HTC Inspire 4G, HTC Desire, Google Nexus One, Cisco Cius. Note: ANM Mobile may also work on other Android devices, but testing was performed on the above-mentioned set of Android handsets.
Guidelines and Restrictions
ANM Mobile includes the following guidelines and restrictions:
• Communication guidelines are as follows:
– Communication between ANM Mobile and ANM is secure over HTTPS.
Note Ensure that your mobile device network setting permits access to ANM.
– User authentication is required to access the web services.
– The existing ANM user account is used to log in to ANM from the mobile device.
– All existing RBAC (role-based access control) restrictions for the login user are enforced.
• The alarm notification feature requires access to the Internet. Depending on your network
requirements, ANM can communicate directly with the Cisco proxy service or you can configure
ANM to use your proxy server when issuing alarm notifications to the proxy service. For more
information, see the “Configuring ANM with a Proxy Server for ANM Mobile Push Notifications”
section on page 18-67.
• The number of ANM Mobile users that can simultaneously connect to a single ANM server or ANM
Virtual Appliance is limited to 35.
• (Android devices only) When navigating within the ANM Mobile native app, you must use the
navigation tools provided by the native app because the native Android navigation tools are not
supported.
Related Topics
• Information About ANM Mobile, page 19-2
• ANM Mobile Prerequisites and Supported Devices, page 19-4
• Using ANM Mobile, page 19-5
Using ANM Mobile
This section shows how to log in to ANM Mobile from your mobile device and then use its features to
manage your network. If you are using the ANM Mobile app and want to use the alarm notification
feature, this section also describes how to configure ANM and ANM Mobile to enable this feature.
This section includes the following topics:
• Logging In and Out of ANM Mobile, page 19-6
• Using the Favorites Feature, page 19-6
• Monitoring Managed Object Status, page 19-7
• Modifying an Object’s Operating State or Weight, page 19-10
• Displaying Real Time Charts, page 19-12
• Using the ANM Mobile Setting Feature, page 19-12
• Setting Up and Viewing Mobile Device Alarm Notifications, page 19-13
Logging In and Out of ANM Mobile
This section shows how to log in to and out of ANM Mobile from your mobile device.
Prerequisite
If you want to log in and use the native app version of ANM Mobile, you must have the Cisco ANM
Mobile app loaded on your mobile device. This no-charge app is available at the application store or
market associated with any supported mobile device type.
Procedure
Step 1 From your mobile device, do one of the following depending on whether you are using a browser to
access ANM Mobile or using the ANM Mobile native app:
• Browser—Open the browser and in the address box, enter the IP address of the ANM server or
ANM VA using the following format:
https://ANM_IPaddress
The Login window appears. Enter your username and password.
• ANM Mobile app—Do the following:
a. Click the ANM Mobile app icon to launch the application. The Login window appears.
b. From the login window, enter the IP address and port number of the ANM server or ANM Virtual
Appliance and your username and password.
c. (Optional) Change the Save Credentials setting by doing the following:
- Click ON to save your user credentials. This is the default. When set to ON, you just have to click
Log In to log back in to ANM Mobile.
- Click OFF to not save your user credentials.
Step 2 Click Log In.
The monitor page appears unless you have at least one favorite object specified, in which case the
Favorites window appears (see the “Using the Favorites Feature” section on page 19-6).
Step 3 To log out of ANM Mobile, click Settings and click Log Out.
Using the Favorites Feature
The favorites feature allows you to create shortcuts to ANM objects that you frequently access. When
you specify at least one favorite object, the Favorites window becomes the home page that appears when
you log in to ANM Mobile.
Guidelines and Restrictions
• Favorite objects that are no longer available are grayed out. Objects may no longer be available for
the following reasons:
– The object no longer exists in the ANM server because the object or the object’s host Virtual
Context was deleted.
– An RBAC change was made that prevents access by the user.
To remove a grayed out object from the favorites list, you must delete it.
• If you are using the ANM Mobile native app and want to receive alarm notifications from ANM, you
must specify favorites on ANM Mobile that match the objects that you select for alarm notifications
when configuring an alarm threshold group on ANM. For more information, see the “Setting Up and
Viewing Mobile Device Alarm Notifications” section on page 19-13.
Procedure
Step 1 Display the Favorites window by clicking the Favorites button located at the bottom of the window.
The Favorites window appears.
Step 2 To view a favorite object, click the object from the Favorites list.
Step 3 To add an object to the Favorites window, do one of the following:
• From the Favorites window, click the Add icon (+) to open the search GUI, from which you can
locate and choose the object. To add multiple objects, repeat this step for each object.
• From the detailed managed object window, click the Add icon (+). For more information, see the
“Monitoring Managed Object Status” section on page 19-7.
Step 4 To delete a favorite from the list, do the following:
a. Click the favorite to delete and click Edit. The Edit view appears.
b. From the Edit view, click the red Delete icon (–) located next to the favorite listing to delete. ANM
Mobile removes the favorite from the list.
Monitoring Managed Object Status
You can monitor the operating status of the managed objects and drill down for details. Figure 19-2
shows a sample of the Device Monitor windows, which can display objects sorted as follows:
• Service—Displays objects sorted by the following service types: Real Servers, Virtual Servers, VIP
Answers, and DNS Rules.
• Device—Displays objects sorted by the following device types: ACE Modules, ACE Appliance,
CSS, CSM, and GSS.
Figure 19-2 ANM Mobile Monitor Windows: Service Type and Device Type
Each object type includes three color-coded status function buttons that list the number of object types
in each of the following operational states:
• Up (green)—Objects in service.
• Down (red)—Objects out of service.
• Unknown (yellow)—Object operating state cannot be determined by ANM.
The status function buttons allow you to display only the objects of the specified object type and
operating state.
Table 19-3 lists the details that you can view for each object type when you set the monitor display to
Service.
Table 19-3 Managed Object Details
Object Type: Attribute
Virtual Server: Name; Policy Map; IP address, protocol, and port number; Device; Admin status;
Operating status; Server Farm; Current Connections; Connections per second; Dropped Connections per
second; Dynamic Workload Scaling (DWS); Stat Age
Real Server: Name; IP address; Port; Server Farm; Device; Admin status; Operating status; Weight;
Current connections; Connections per second; Dropped connections per second; Virtual Machine
(indicates if the real server is a virtual machine); Locality (OTV); Statistics Age
VIP Answer: SLB name; VIP answer name; IP address; Config state; PGSSM operation status; Answer
group; Location; PGSSM time
DNS Rule: Device name; DNS Rule name; Source name; Domains; Config state; Answer group; Owner;
PGSSM time
Guidelines and Restrictions
ANM Mobile is limited to approximately 7 KB of memory for the monitored objects list. If you have
more than 100 monitored objects, ANM Mobile may exhibit performance issues. To avoid performance
issues associated with a large number of monitored objects, do the following:
• Do not drill down to the detail list screen from the Monitor home page (see Figure 19-2). To display
the detail information or the health status of a monitored object, use the search function from the
Monitor home page by clicking the search icon (magnifying glass) and entering the object identifier.
If needed, refine your search criteria until the number of objects displayed is reduced to less than
100.
When in the search window, limit your use of the drill down (>) option, which can also create
performance issues.
• For monitored objects that you track frequently, add them to your list of Favorites and access their
information from there (see the “Using the Favorites Feature” section on page 19-6).
Procedure
Step 1 Click Monitor.
The View All window appears.
Step 2 Click one of the color-coded function buttons associated with an object type to drill down and display a
list of objects associated with an object type and operating state (up, down, or unknown).
The specified object type details window appears, displaying a list of the objects in the chosen operating
state (up, down, or unknown).
Step 3 Do any of the following:
• Click a specific object from the list to display details about the object. The information that displays
varies depending on the object type (see Table 19-3).
From the object details window, you can do the following:
– Activate, suspend, or change the weight of an object (see the “Modifying an Object’s Operating
State or Weight” section on page 19-10).
– Display a real time chart of monitored statistics (see the “Displaying Real Time Charts” section
on page 19-12).
• Click the Search icon to open the search text box and search for a specific object. Begin entering
the search criteria. Object matches display and become more specific as you narrow the search by
entering additional search criteria.
• Click the Refresh icon to refresh the display.
• Click Back to return to the object details window.
Related Topics
• Modifying an Object’s Operating State or Weight, page 19-10
• Displaying Real Time Charts, page 19-12
Modifying an Object’s Operating State or Weight
You can use ANM Mobile to activate or suspend a real server, virtual server, VIP answer or DNS rule.
For real servers only, you can change the weight assigned to the server.
Procedure
Step 1 Use one of the following methods to display the details window of a specific object:
• Choose Monitor > Service, choose a specific device type, and drill down (>) to the object details
window.
• Click Favorites, choose a specific favorite and drill down (>) to the object details window.
• Click the Search icon (magnifying glass), enter the device search criteria, choose the device, and
drill down (>) to the object details window.
• Click Alarm, choose a specific device type and drill down (>) to the object details window.
Step 2 From the object details window, do one of the following:
• Click Activate to activate an object that is currently suspended. The Activate dialog box appears. In
the dialog box, do the following:
a. Enter a reason for the change.
b. Click Deploy to execute the change or Cancel to ignore the change.
• Click Suspend to suspend an object currently activated. The Suspend dialog box appears. In the
dialog box, do the following:
a. Enter a reason for the change.
b. Choose one of the following types of suspend operations from the drop-down list:
- Suspend—Takes the object out of service.
For a real server, the ACE resets all non-TCP connections to the server. For TCP connections,
existing flows are allowed to complete before the ACE takes the real server out of service. No
new connections are allowed. The ACE resets all Secure Sockets Layer (SSL) connections to
the real server.
- Graceful—When executed on a primary server, the ACE gracefully shuts down the server with
sticky connections as follows:
– Tears down existing non-TCP connections to the server.
– Allows current TCP connections to complete.
– Allows new sticky connections for existing server connections that match entries in the sticky
database.
– Load balances all new connections (other than the matching sticky connections mentioned
above) to the other servers in the server farm.
– When executed on a backup real server, the ACE places the backup server in service standby
mode.
- Suspend and Clear Connections—The ACE performs the tasks described for Suspend and
clears the existing connections to this server.
c. Click Deploy to execute the change or Cancel to ignore the change.
• (Real server only) Click Change Weight to change the weight assigned to a real server. The Change
Weight dialog box appears. In the dialog box, do the following:
a. Enter a reason for the change.
b. Enter the new weight value. The valid range is 1 to 100.
c. Click Deploy to execute the change or Cancel to ignore the change.
The activity indicator appears for 30 seconds until it is determined that the operation succeeded, failed,
or timed out. If the operation is successful, the object detail window is reloaded with the latest data and
updated timestamp.
Displaying Real Time Charts
You can display real time statistical information about the connections of a real server or a virtual server.
The information that you can display in chart form is current connections, connections per second, or
dropped connections per second.
Guidelines and Restrictions
The chart never displays more than 5 minutes worth of statistical information.
Procedure
Step 1 Use one of the following methods to display the details window of a specific real server or a virtual
server:
• Choose Monitor > Service, choose a specific device type, and drill down (>) to the object details
window.
• Click Favorites, choose a specific favorite and drill down (>) to the object details window.
• Click the Search icon (magnifying glass), enter the device search criteria, choose the device, and
drill down (>) to the object details window.
• Click Alarm, choose a specific device type and drill down (>) to the object details window.
Step 2 From the details window, click the Chart icon located next to the statistic to chart.
The chart window appears.
Step 3 Do the following:
• Click the Refresh icon to refresh the display.
• To adjust the polling time, click Settings (see the “Using the ANM Mobile Setting Feature” section
on page 19-12). The default polling time is 10 seconds.
• Click Back to return to the object details window.
Using the ANM Mobile Setting Feature
The ANM Mobile Setting feature allows you to do the following:
• Display the ANM IP address.
• Display ANM Mobile software information.
• Adjust the connection timeout value and polling interval.
• Enable or disable push notifications, sound, and alerts.
• Submit an ANM user feedback form to Cisco.
Procedure
Step 1 From the All Devices or Favorites window, click Settings.
The Settings window appears.
Step 2 From the Settings window, do the following:
• Click About to do the following:
– Display details about the version of ANM Mobile that you are using and the version of ANM
software being used by the ANM server or ANM Virtual Appliance that you are accessing.
– Click UDID to display the unique device ID (UDID).
• Click Advanced to access the Advanced Details window and modify the following settings:
– Connection Timeout—Sets the amount of idle time (in seconds) at which the connection closes.
Choose 10, 30 (default), or 60.
– Polling Interval—Sets the frequency (in seconds) at which real time information, such as graph
information, is updated. Choose 5, 10 (default), or 30.
• Click the ON/OFF toggle buttons to enable or disable the following features:
– Push Notifications—When enabled (ON), allows your mobile device to receive alarm
notifications that ANM issues to a push notification service. For more information, see the
“Setting Up and Viewing Mobile Device Alarm Notifications” section on page 19-13.
– Sound—(Android only) When enabled (ON), your mobile device sounds an alert to let you
know that it received an alarm notification from ANM.
Note To modify this setting on an iPod, see the “Managing iPod Alarm Notification Sound
and Alerts” section on page 19-16.
– Alert—(Android only) When enabled (ON), your mobile device displays an alert message to let
you know that it received an alarm notification from ANM.
Note To modify this setting on an iPod, see the “Managing iPod Alarm Notification Sound
and Alerts” section on page 19-16.
• Click the Form pen icon to fill out and submit the ANM user feedback form hosted on
www.ciscofeedback.vovici.com.
Setting Up and Viewing Mobile Device Alarm Notifications
Note The alarm notifications feature requires the ANM Mobile app on your mobile device.
You can receive alarm notifications that ANM sends to your mobile device (see Figure 19-1) when
specific virtual context alarm thresholds are exceeded. ANM Mobile app users can enable or disable the
alarm notification feature, which allows them to choose when to receive alarm notifications from ANM.
ANM administrators can enable or disable the alarm notification feature, which allows them to choose
when to transmit alarm notifications to the ANM Mobile app.
Supported real and virtual server alarm conditions are as follows:
• Current connections—ANM can send an alarm notification when the number of active connections
to a server exceeds a specific amount.
• Operational state—ANM can send an alarm when a server’s operational state changes.
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• The ANM objects that you select for alarm notifications when configuring an alarm threshold group
must match objects that you select as favorites on ANM Mobile. Alarm threshold groups are
configured at the virtual context level; therefore, to receive alarm notifications for an object that you
specify as a favorite, the object favorite must be part of the virtual context in the threshold group.
• The alarms that ANM Mobile displays depend on how the user is authorized as follows:
– Locally authorized users—ANM displays only alarms that are permitted based on the domains
and roles assigned to the user account (see the Prerequisites for this topic).
– Remotely authorized users—By default, ANM does not send alarm notifications to remotely
authorized user accounts; however, you can modify the ANM configuration so that ANM sends
all alarm notifications to this user type regardless of the domains and roles assigned to them (see
the Prerequisites for this topic).
• From ANM, you can do the following:
– Enable or disable the alarm notification feature, which allows you to choose when to transmit
alarm notifications to the ANM Mobile app (see the “Enabling Alarm Notifications on ANM
Mobile” section on page 19-15).
– Send a test alarm notification to a mobile device to test the notification channel (see the
“Displaying Mobile Device Notifications and Testing the Notification Channel” section on
page 18-70). You can send a test message to a mobile device even when you have globally
disabled mobile alarm notifications in ANM.
Prerequisites
The prerequisites for this topic are as follows:
• ANM prerequisites:
– ANM software Version 5.1 or later.
– Alarm threshold groups are configured on ANM for mobile device alarm notifications. For
details about creating an alarm threshold group, see the “Configuring Alarm Notifications on
ANM” section on page 17-57.
– Alarm notifications are enabled globally in ANM. For details, see the “Enable Mobile
Notifications from ANM” section on page 18-66.
– For locally authorized users, their user account has the required role and domains associated
with it.
Note The user role must have the anm_threshold attribute set at least to View.
For more information, see the “Managing User Accounts” section on page 18-17.
– For remotely authorized users, the ANM configuration is modified to enable ANM to send these
users alarm notifications. For more information, see the “Enabling Mobile Device Notifications
for Remotely Authorized Users” section on page 18-69.
• Mobile device prerequisites:
– The ANM Mobile app is loaded on your supported mobile device.
– ANM objects specified as favorites on your mobile device match the objects in an ANM alarm
threshold group. For example, specific real or virtual servers that are favorites on your mobile
device are also specified as objects in an ANM alarm threshold group.
For information about specifying favorites on your mobile device, see the “Using the Favorites
Feature” section on page 19-6.
This section includes the following topics:
• Enabling Alarm Notifications on ANM Mobile, page 19-15
• Viewing Alarm Notifications from ANM Mobile, page 19-15
Enabling Alarm Notifications on ANM Mobile
From your mobile device, you can specify whether to receive or not receive alarm notifications from
ANM by using the Setting button to modify the ANM Mobile operational settings. For details about
using this button, see the “Using the ANM Mobile Setting Feature” section on page 19-12.
Related Topics
• Using the ANM Mobile Setting Feature, page 19-12
• Setting Up and Viewing Mobile Device Alarm Notifications, page 19-13
• Viewing Alarm Notifications from ANM Mobile, page 19-15
• Managing iPod Alarm Notification Sound and Alerts, page 19-16
Viewing Alarm Notifications from ANM Mobile
From your mobile device, you can view alarm notifications that ANM sends to the device. For each
notification, you can drill down to view the device details.
Procedure
Step 1 Click Alarms.
The Alarm Summary window appears, displaying the list of received alarms that you are permitted to
view (see the Prerequisites for this topic).
Step 2 (Optional) Click the drill-down icon (>) associated with a specific alarm to display details about the
alarm.
The Alarm Detail window appears, displaying the following information:
• Timestamp
• Severity
• Device
• Service
• Threshold Group
• Category
• Stat/Value
Step 3 (Optional) From the Service category, click the drill-down (>) icon to display the object Details window
related to the real or virtual server associated with the alarm notification.
Step 4 (Optional) From the object Details window, do any of the following:
• Click View Graph to display the graphs associated with the following real server and virtual server
items: Current Connections, Connections/Sec, or Dropped Connection/Sec. For more information,
see the “Displaying Real Time Charts” section on page 19-12.
• Click Activate, Suspend, or Change Weight to change the object’s operating state or weight. For
more information, see the “Modifying an Object’s Operating State or Weight” section on
page 19-10.
Related Topics
• Setting Up and Viewing Mobile Device Alarm Notifications, page 19-13
• Enabling Alarm Notifications on ANM Mobile, page 19-15
• Managing iPod Alarm Notification Sound and Alerts, page 19-16
• Using the ANM Mobile Setting Feature, page 19-12
Managing iPod Alarm Notification Sound and Alerts
You can manage the alarm notification sound and alert features on your iPod that let you know when an
alarm notification is received from ANM.
Note To manage the alarm notification sound and alert features on your Android device, see the “Using the
ANM Mobile Setting Feature” section on page 19-12.
Procedure
Step 1 From your iPod Settings window, choose Notifications > ANM Mobile to drill down to the ANM Mobile
settings.
The Notifications, ANM Mobile window appears.
Step 2 From the Notifications, ANM Mobile window, click the ON/OFF toggle buttons to enable or disable the
following features:
– Sound—When enabled (ON), your iPod sounds an alert to let you know that it received an alarm
notification from ANM.
– Alert—When enabled (ON), your iPod displays an alert message to let you know that it received
an alarm notification from ANM.
Related Topics
• Enabling Alarm Notifications on ANM Mobile, page 19-15
• Viewing Alarm Notifications from ANM Mobile, page 19-15
CHAPTER 20
Troubleshooting Cisco Application Networking Manager Problems
Date: 3/28/12
This chapter describes how to troubleshoot ANM issues.
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
This chapter includes the following sections:
• Changing ANM Software Configuration Attributes, page 20-1
• Discovering and Adding a Device Does Not Work, page 20-7
• Cisco License Manager Server Not Receiving Syslog Messages, page 20-7
• Using Lifeline, page 20-7
• Backing Up and Restoring Your ANM Configuration, page 20-11
For additional troubleshooting information, see the Installation Guide for Cisco Application Networking
Manager 5.2 or the Installation Guide for Cisco Application Networking Manager 5.2 Virtual Appliance.
Changing ANM Software Configuration Attributes
After you have installed the ANM, you can reconfigure ANM software configuration attributes, such as
enabling HTTP(S) for Web Services, or the ports that ANM uses for communication with the network
devices. For information about the ports that ANM uses, see Appendix A, “ANM Ports Reference.”
This section includes the following topics:
• Changing ANM Configuration Properties, page 20-2
• Example ANM Standalone Configuration, page 20-4
• Example ANM HA Configuration, page 20-5
• Example ANM Advanced Options Configuration Session, page 20-6
Changing ANM Configuration Properties
This section shows how to change the ANM configuration properties. The procedure varies slightly
depending on the ANM application type: ANM server or ANM Virtual Appliance.
Procedure
Step 1 Do one of the following depending on the ANM application type:
• ANM server: From the Linux command line, log in as the root user.
• ANM Virtual Appliance: Log in as administrator using SSH or console.
Step 2 Do one of the following:
• For a standard configuration change, enter the following depending on the ANM application type:
– ANM server: /opt/CSCOanm/bin/anm-tool configure
– ANM Virtual Appliance: anm-tool configure
• To reconfigure with the advanced-options, enter the following depending on the ANM application
type:
– ANM server: /opt/CSCOanm/bin/anm-tool --advanced-options=1 configure
– ANM Virtual Appliance: anm-tool configure advanced-options
• (ANM server only) To switch between an HA and a non-HA system configuration, do one of the
following:
– To switch from a HA to a non-HA system configuration, enter the following:
/opt/CSCOanm/bin/anm-tool --ha=0 configure
– To switch from a non-HA to a HA system configuration, enter the following:
/opt/CSCOanm/bin/anm-tool --ha=1 configure
The Keep existing ANM configuration? [y/n]: prompt appears.
Step 3 At the prompt, enter n (no).
The current configuration information appears. For each configuration property, the current value is
displayed in square brackets.
Step 4 Do one of the following:
• To accept the current value for a configuration property, press Enter.
• To change a configuration property, enter the appropriate information.
When reconfiguring ANM using the advanced-options command, the configuration sequence includes
prompts applicable to the web server that serves requests for the ANM Web Service API. The Web
Service API provides SOAP-based programmatic access to the functionality of ANM. By default, it is
disabled. You can enable it using this option.
The advanced options attributes and their default setting are as follows:
• Enable HTTP for Web Server: false
Caution Remember that enabling HTTP makes the connection to ANM less secure.
• Inbound Port for HTTP traffic to ANM Default: 80
• Enable HTTPS for Web Server: true
• Inbound Port for HTTPS traffic to ANM Default: 443
• HTTP Port of Web Services: 8080
• Enable HTTP for Web Services: false
• HTTPS Port of Web Services: 8443
• Enable HTTPS for Web Services: false
• Idle session timeout in msec: 1800000
The idle session timeout applies to user sessions for the ANM GUI. Users who are idle for an amount
of time greater than this value are automatically logged off the application. By default, this setting
is 1800000 milliseconds, or 30 minutes.
• Change the memory available to ANM process: low
Check the available physical memory; if it is less than 3.5 G, then set the memory size to low (1 G),
which is the default. If the available physical memory is greater than 3.5 G, set the memory size to
high (2 G).
Note If you set the memory size to high and ANM determines that there is not enough available
physical memory, it sets the memory size to low.
Note (ANM server only) When modifying the memory size in an ANM HA configuration,
perform the change as follows:
a. Stop both ANM servers (active and standby).
b. Change the memory size on both ANM servers (Steps 1 to 4 above).
c. Restart the ANM server that you want to operate in the active state (Step 5 below).
d. Restart the standby ANM server (Step 5 below).
After you have accepted or changed all of the configuration property values, a list of all the properties
appears and the “Commit these values? [y/n/q]” prompt appears.
Step 5 At the Commit prompt, do one of the following:
• To accept the value and restart the ANM, enter y (yes).
Note If you modified the advanced options, restarting ANM may interfere with active sessions in
the ANM web interface.
Note If you receive errors when attempting to change the HA properties configuration values,
check the node ID to be sure they are not switched.
• To go through the list of configuration properties again, enter n (no).
• To retain the original property values and exit the configuration session, enter q (quit).
Example ANM Standalone Configuration
This section contains an example of a configuration session for an ANM standalone system. The values
shown in the brackets are the currently configured values.
/opt/CSCOanm/bin/anm-tool configure
Configuring ANM
Checking ANM configuration files
Keep existing ANM configuration? [y/n]: n
Creating config file (/opt/CSCOanm/etc/cs-config.properties)
Enable HTTP for Web Server [true]:
Inbound Port for HTTP traffic to ANM Default [80]:
Enable HTTPS for Web Server [true]:
Inbound Port for HTTPS traffic to ANM Default [443]:
These are the values:
Enable HTTP for Web Server: true
Inbound Port for HTTP traffic to ANM Default: 80
Enable HTTPS for Web Server: true
Inbound Port for HTTPS traffic to ANM Default: 443
Commit these values? [y/n/q]: y
Committing values ... done
Keeping existing configuration: /opt/CSCOanm/lib/java/thirdparty/ctm_config.txt
Stopping services
Stopping monit services (/etc/monit.conf) ... (0)
Stopping monit ... Stopped
Stopping heartbeat ... Stopped
Installing system configuration files
Backing up //opt/CSCOanm/etc/my-local.cnf
Setting service attributes
Enabling mysql for SELinux
setsebool: SELinux is disabled.
Service monit is started by OS at boot time
Starting mysql ... Started
mysql status ... Ready
Configuring mysql
Checking mysql user/password
Setting mysql privileges
Disabling mysql replication
Starting services
Starting monit ...Starting monit daemon with http interface at [*:2812]
Started
Example ANM HA Configuration
Note The information in this section pertains to the ANM server application only.
The following is an example of a configuration session for an ANM HA system. Standalone systems will
not contain any HA properties but will include a limited property value configuration. The values shown
in the brackets are the currently configured values.
/opt/CSCOanm/bin/anm-tool configure
Configuring ANM
Checking ANM configuration files
Keep existing ANM configuration? [y/n]: n
Creating config file (/opt/CSCOanm/etc/cs-config.properties)
Enable HTTP for Web Server [false]: true
Inbound Port for HTTP traffic to ANM Default [80]: 80
Enable HTTPS for Web Server [true]:
Inbound Port for HTTPS traffic to ANM Default [443]:
Database Password [nI4ewPbmV51S]: passme
HA Node 1 UName []: anm49.cisco.com
HA Node 2 UName []: anm50.cisco.com
HA Node 1 Primary IP [0.0.0.0]: 10.77.240.126
HA Node 2 Primary IP [0.0.0.0]: 10.77.240.100
HA Node 1 HeartBeat IP [0.0.0.0]: 10.10.10.1
HA Node 2 HeartBeat IP [0.0.0.0]: 10.10.10.2
HA Virtual IP [0.0.0.0]: 10.77.240.101
HA Node ID [1 or 2] []: 1
These are the values:
Enable HTTP for Web Server: true
Inbound Port for HTTP traffic to ANM Default: 80
Enable HTTPS for Web Server: true
Inbound Port for HTTPS traffic to ANM Default: 443
Database Password: passme
HA Node 1 UName: anm49.cisco.com
HA Node 2 UName: anm50.cisco.com
HA Node 1 Primary IP: 10.77.240.126
HA Node 2 Primary IP: 10.77.240.100
HA Node 1 HeartBeat IP: 10.10.10.1
HA Node 2 HeartBeat IP: 10.10.10.2
HA Virtual IP: 10.77.240.101
HA Node ID [1 or 2]: 1
Commit these values? [y/n/q]: y
Committing values ... done
Keeping existing configuration: /opt/CSCOanm/lib/java/thirdparty/ctm_config.txt
Stopping services
Stopping monit services (/etc/monit.conf) ... (0)
Stopping monit ... Stopped
Stopping heartbeat ... Stopped
Installing system configuration files
Setting service attributes
Enabling mysql for SELinux
Service monit is started by OS at boot time
Starting mysql ... Started
Configuring mysql
Checking mysql user/password
Setting mysql privileges
Enabling mysql replication
Setting up database
executing /opt/CSCOanm/lib/install/etc/dcmdb.sql ... done
Starting services
Starting monit ... Started
Example ANM Advanced Options Configuration Session
The following is an example of a configuration session for the ANM advanced options. The values shown
in the brackets are the currently configured values.
Note The anm-tool command in the example uses the ANM server version of the command for modifying the
advanced options. The ANM Virtual Appliance version of the command is anm-tool configure
advanced-options. The information that displays after entering the command is the same for both
applications.
/opt/CSCOanm/bin/anm-tool --advanced-options=1 configure
Configuring ANM
Checking ANM configuration files
Keep existing ANM configuration? [y/n]: n
Creating config file (/opt/CSCOanm/etc/cs-config.properties)
Enable HTTP for Web Server [false]:
Inbound Port for HTTP traffic to ANM Default [80]:
Enable HTTPS for Web Server [true]:
Inbound Port for HTTPS traffic to ANM Default [443]:
HTTP Port of Web Services [8080]:
Enable HTTP for Web Services [false]:
HTTPS Port of Web Services [8443]:
Enable HTTPS for Web Services [false]:
Idle session timeout in msec [1800000]:
Change the memory available to ANM process [low|high] [low]:
These are the values:
Enable HTTP for Web Server: false
Inbound Port for HTTP traffic to ANM Default: 80
Enable HTTPS for Web Server: true
Inbound Port for HTTPS traffic to ANM Default: 443
HTTP Port of Web Services: 8080
Enable HTTP for Web Services: false
HTTPS Port of Web Services: 8443
Enable HTTPS for Web Services: false
Idle session timeout in msec: 1800000
Change the memory available to ANM process [low|high]: low
Commit these values? [y/n/q]: y
Committing values ... done
Keeping existing configuration: /opt/CSCOanm/lib/java/thirdparty/ctm_config.txt
Stopping services
Stopping monit services (/etc/monit.conf) ... (0)
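As an added example (not part of this guide or of the ANM product), the following script parses the “These are the values:” summary that anm-tool configure prints before the Commit prompt, flags the settings this section cautions about (HTTP enabled for the web server or Web Services, HTTPS disabled, idle timeout above the documented default), and redacts the database password that the session echoes in clear text. The sample session is a constructed, abridged copy of the HA session shown above.

```python
"""Audit the value summary that `anm-tool configure` prints before its
Commit prompt.

Added example; it is not part of the ANM product or of this guide. It reads
the "These are the values:" block exactly as the guide shows it, checks the
settings the guide documents (HTTP off and HTTPS on for the web server,
Web Services disabled unless needed, idle timeout no longer than the
30-minute default), and redacts the database password that the session
echoes in clear text so a captured transcript can be shared safely.
"""
import re

BLOCK_START = "These are the values:"
BLOCK_END = "Commit these values?"
MAX_IDLE_MSEC = 1800000  # the default (30 minutes) documented in the guide

# Constructed sample: an abridged copy of the HA session shown in the guide,
# in which HTTP was switched on and the database password is echoed.
SAMPLE_SESSION = """\
/opt/CSCOanm/bin/anm-tool configure
Configuring ANM
Keep existing ANM configuration? [y/n]: n
Enable HTTP for Web Server [false]: true
Inbound Port for HTTP traffic to ANM Default [80]: 80
Enable HTTPS for Web Server [true]:
Inbound Port for HTTPS traffic to ANM Default [443]:
Database Password [nI4ewPbmV51S]: passme
HA Node ID [1 or 2] []: 1
These are the values:
Enable HTTP for Web Server: true
Inbound Port for HTTP traffic to ANM Default: 80
Enable HTTPS for Web Server: true
Inbound Port for HTTPS traffic to ANM Default: 443
Database Password: passme
HA Node 1 UName: anm49.cisco.com
HA Node ID [1 or 2]: 1
Commit these values? [y/n/q]: y
Committing values ... done
"""


def parse_values(session):
    """Return the key/value pairs between the summary header and the
    Commit prompt, keyed by the full prompt text."""
    values = {}
    in_block = False
    for line in session.splitlines():
        if line.startswith(BLOCK_START):
            in_block = True
            continue
        if line.startswith(BLOCK_END):
            break
        if in_block and ":" in line:
            key, _, value = line.partition(":")
            values[key.strip()] = value.strip()
    return values


def _enabled(values, key):
    return values.get(key, "false").strip().lower() == "true"


def audit(values):
    """Return (finding, detail) tuples for settings that weaken ANM."""
    findings = []
    if _enabled(values, "Enable HTTP for Web Server"):
        # The guide cautions that enabling HTTP makes the connection less secure.
        findings.append(("WEB_SERVER_HTTP_ENABLED",
                         values.get("Inbound Port for HTTP traffic to ANM Default", "80")))
    if not _enabled(values, "Enable HTTPS for Web Server"):
        findings.append(("WEB_SERVER_HTTPS_DISABLED", ""))
    if _enabled(values, "Enable HTTP for Web Services"):
        # The SOAP Web Service API would answer over clear text.
        findings.append(("WEB_SERVICES_HTTP_ENABLED",
                         values.get("HTTP Port of Web Services", "8080")))
    timeout = values.get("Idle session timeout in msec")
    if timeout is not None and timeout.isdigit() and int(timeout) > MAX_IDLE_MSEC:
        findings.append(("IDLE_TIMEOUT_ABOVE_DEFAULT", timeout))
    if "Database Password" in values:
        # The session prints the password; treat the transcript as a secret.
        findings.append(("DB_PASSWORD_IN_TRANSCRIPT", ""))
    return findings


def redact(session):
    """Mask both the prompt line (which shows the current password in
    brackets) and the summary line before the transcript is stored or sent."""
    return re.sub(r"^Database Password.*$", "Database Password: <redacted>",
                  session, flags=re.MULTILINE)


if __name__ == "__main__":
    for code, detail in audit(parse_values(SAMPLE_SESSION)):
        print(code, detail)
    print(redact(SAMPLE_SESSION))
```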
Discovering and Adding a Device Does Not Work
After IP discovery has checked the network and made a list of devices of each type, the device import
may fail when you try to import a device. This can happen because IP discovery uses Telnet and SNMP
to discover potential devices, while ANM requires SSH to import a device. As a result, IP discovery may
find some devices that cannot be imported or may miss devices that could be imported.
To update the device so that it can be imported by ANM, see the “Preparing Devices for Import” section
on page 5-4.
To add the device, use the Config > Devices > Add method. For detailed procedures, see the “Importing
Network Devices into ANM” section on page 5-10.
Cisco License Manager Server Not Receiving Syslog Messages
Firewall settings are implemented as IP tables with Red Hat Enterprise Linux 5.2, and might drop syslog
traffic.
If you are not receiving syslog messages even after following the procedure documented in the “Enabling
a Setup Syslog for Autosync for Use With an ACE” section on page 5-27, perform the procedure in this
section.
Procedure
Step 1 Update the rules in your IP tables using the command line.
Step 2 Make sure the default syslog port 514 is open as noted in Appendix A, “ANM Ports Reference.”
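As an added example (not code from this guide), the following Python script reads the rule listing that `iptables -S INPUT` prints on the ANM host, walks the chain top to bottom for a new UDP datagram to port 514 from one ACE address, and reports whether the datagram would be accepted or rejected. If it would be rejected, the script prints an accept rule restricted to that sender. The rule dump and the ACE address 10.1.1.5 are constructed for the demonstration.

```python
"""Check whether an iptables INPUT chain lets ANM receive syslog on UDP 514.

Added example, not code from the ANM user guide. It parses the rule-spec
listing produced by `iptables -S INPUT` on a Red Hat host, evaluates the chain
top to bottom for a new UDP/514 datagram from one ACE address, and prints the
rule to insert if the datagram would be rejected. SAMPLE_RULES and the address
10.1.1.5 are constructed for the demonstration.
"""
import ipaddress
import shlex
import sys

SYSLOG_PORT = 514

# Constructed sample: a typical RHEL INPUT chain that rejects anything not listed.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def parse_rule(line):
    """Extract the match fields that matter for a syslog datagram from one -A line."""
    toks = shlex.split(line)
    rule = {"proto": None, "dport": None, "src": None, "states": set(), "target": None}
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-p":
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = int(nxt)
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(nxt, strict=False)
        elif tok in ("--state", "--ctstate"):
            rule["states"] = set(nxt.split(","))
        elif tok == "-j":
            rule["target"] = nxt
    return rule


def matches_syslog(rule, src_ip):
    """True if the rule would match a first (NEW) UDP datagram to port 514 from src_ip."""
    if rule["states"] and "NEW" not in rule["states"]:
        return False
    if rule["proto"] not in (None, "udp", "17"):
        return False
    if rule["dport"] not in (None, SYSLOG_PORT):
        return False
    if rule["src"] is not None and ipaddress.ip_address(src_ip) not in rule["src"]:
        return False
    return True


def syslog_verdict(rule_dump, src_ip):
    """Return the target of the first terminating INPUT rule that matches, else the chain policy."""
    policy = "ACCEPT"
    for line in rule_dump.splitlines():
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
        elif line.startswith("-A INPUT "):
            rule = parse_rule(line)
            if rule["target"] in (None, "LOG"):   # LOG does not stop chain traversal
                continue
            if matches_syslog(rule, src_ip):
                return rule["target"]
    return policy


def syslog_allow_rule(src_ip):
    """Rule that accepts syslog only from the given sender, inserted at the top of INPUT."""
    return f"iptables -I INPUT -p udp -s {src_ip} --dport {SYSLOG_PORT} -j ACCEPT"


if __name__ == "__main__":
    # Pipe real output in (`iptables -S INPUT | python3 check_syslog.py 10.1.1.5`)
    # or run without input to evaluate the constructed sample.
    sender = sys.argv[1] if len(sys.argv) > 1 else "10.1.1.5"
    dump = SAMPLE_RULES if sys.stdin.isatty() else sys.stdin.read()
    verdict = syslog_verdict(dump, sender)
    print(f"UDP/{SYSLOG_PORT} from {sender}: {verdict}")
    if verdict != "ACCEPT":
        print("Suggested rule:", syslog_allow_rule(sender))
```

The suggested rule is inserted with `-I` so that it sits above the catch-all REJECT, and it names the sending ACE as the source so that port 514 is not opened to the whole network. Save the running rule set afterwards (`service iptables save` on RHEL 5) or the change is lost at the next restart.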
Using Lifeline
Diagnosing network or system-related problems that happen in real time can consume a considerable
amount of time and lead to frustration even for a system expert. When a critical problem occurs within
the ANM system or the network components managed by the ANM, you can use the troubleshooting and
diagnostics tools provided by the Lifeline feature to report to the Cisco support line and generate a
diagnostic package. Support engineers and developers can subsequently reconstruct your system and
debug the problem using the comprehensive information captured in the lifeline.
Lifeline takes a snapshot of the running system configuration, status, buffers, logs, thread dumps,
messages, CLI device configuration commands, device show run commands, and so on. It gathers a
period of historical network and system events that have been recorded directly preceding the event. If
required, Lifeline can back up and package the ANM database or a file subdirectory or trace and package
a period of traffic flow packets for a specified virtual context.
The following sections describe how to use the Lifeline feature:
• Guidelines for Using Lifeline, page 20-8
• Creating a Lifeline Package, page 20-8
• Downloading a Lifeline Package, page 20-9
• Adding a Lifeline Package, page 20-10
• Deleting a Lifeline Package, page 20-11
Guidelines for Using Lifeline
Lifelines can be created when unwanted events occur. Under such circumstances, available resources
could be extremely low (CPU and memory could be nearly drained). You should be aware of the
following:
• Create a Lifeline package after you encounter a problem that might require customer support
assistance. The package is meant to be viewed by customer support.
• Lifeline collects debug data from diagnostic generators based on priority – most important to least
important. When the total data size reaches 200 MB, the collector stops collecting, and data from
generators with lower priorities can be lost. For details on content, size, time, state, and any dropped
data, see the Readme file included in each Lifeline package.
• For each file it collects, Lifeline keeps the last 25 MB of data and truncates the beginning content.
• Lifelines are automatically packaged by the system in zip files. The naming convention for a lifeline
package is “lifeline-yyMMdd-hhmmss.zip”. For example, lifeline-070622-152140.zip is a Lifeline
package created at 3:21:40 PM, June 22, 2007.
• Only one Lifeline package is created at a time. The system will reject a second request made before
the first Lifeline has been packaged.
• Lifeline times out in 60 minutes.
• A maximum of 20 Lifeline packages are stored at a time.
Creating a Lifeline Package
You can create a lifeline package.
Assumptions
This section assumes the following:
• ANM is installed and running.
• You have reviewed the guidelines for managing lifelines (see the “Guidelines for Using Lifeline”
section on page 20-8).
• You have opened a case with Cisco technical support.
Procedure
Note Your user role determines whether you can use this option.
Step 1 Choose Admin > Lifeline Management.
Step 2 Enter a description for the package (required).
The description can include information about why the package is being created, who requested the
package, and so forth.
Step 3 Click Save.
The package is created in the following format: lifeline-yyMMdd-hhmmss.zip, and displays in the
Lifelines pane. The package size, name, and generation date display in the New Lifeline window.
Note Do not perform any module maintenance until the package is created.
Step 4 After the package is created, do one of the following:
• Click Download to save the package to a directory on your computer or to view the package
contents. See the “Downloading a Lifeline Package” section on page 20-9.
• Click Add to add the package to the ANM database. See the “Adding a Lifeline Package” section
on page 20-10.
• Click Delete to delete the package. See the “Deleting a Lifeline Package” section on page 20-11.
Related Topics
• Using Lifeline, page 20-7
• Creating a Lifeline Package, page 20-8
• Adding a Lifeline Package, page 20-10
• Downloading a Lifeline Package, page 20-9
Downloading a Lifeline Package
Note Your user role determines whether you can use this option.
You can download a package for displaying or saving to your local drive.
Assumption
You have created a package (see the “Creating a Lifeline Package” section on page 20-8).
Procedure
Step 1 Choose Admin > Lifeline Management.
Step 2 Choose the package (Lifeline) from the list.
Step 3 Click Download.
The package is sent to your web browser, with which you can save or view the package.
Note Do not perform any module maintenance until the package download to your web browser has
completed.
Related Topics
• Using Lifeline, page 20-7
• Creating a Lifeline Package, page 20-8
• Adding a Lifeline Package, page 20-10
• Deleting a Lifeline Package, page 20-11
Adding a Lifeline Package
Note Your user role determines whether you can use this option.
You can add a package to the ANM database.
Assumption
You have created a package (see the “Creating a Lifeline Package” section on page 20-8).
Procedure
Step 1 Choose Admin > Lifeline Management.
The Lifeline Management window appears.
Step 2 In the Lifeline Management window, enter a description and click Add.
The package is added to the Lifelines list, and the window refreshes.
Note Do not perform any module maintenance until the package is added to the list.
Related Topics
• Using Lifeline, page 20-7
• Creating a Lifeline Package, page 20-8
• Downloading a Lifeline Package, page 20-9
• Deleting a Lifeline Package, page 20-11
Deleting a Lifeline Package
Note Your user role determines whether you can use this option.
You can delete a package.
Procedure
Step 1 Choose Admin > Others > Lifeline Management.
The Lifeline Management window appears.
Step 2 From the list of lifelines in the Lifeline Management window, choose a lifeline to delete.
The details of the lifeline display.
Step 3 Click Delete.
A confirmation popup window displays that requests you confirm the deletion.
Step 4 Click OK to delete the package.
The Lifeline Management window display updates.
Related Topics
• Using Lifeline, page 20-7
• Creating a Lifeline Package, page 20-8
• Adding a Lifeline Package, page 20-10
• Downloading a Lifeline Package, page 20-9
Backing Up and Restoring Your ANM Configuration
You can create a backup of your ANM configuration and restore it if necessary. We recommend that you
periodically create a backup of ANM.
The procedures for creating a backup and restoring your ANM configuration vary depending on which
of the following ANM applications you are using:
• ANM server: See the Installation Guide for Cisco Application Networking Manager 5.2 for the
backup and restore procedures.
• ANM Virtual Appliance: See the Installation Guide for Cisco Application Networking Manager 5.2
Virtual Appliance for the backup and restore procedures.
Note For details about using the ACE device backup and restore functions in ANM, see the “Performing
Device Backup and Restore Functions” section on page 6-59. The backup and restore functions allow
you to back up or restore the configuration and dependencies of an entire ACE or of a particular virtual
context.
APPENDIX A
ANM Ports Reference
Date: 3/28/12
ANM uses specific ports for its processes. Figure A-1 illustrates a typical ANM server deployment in a
network. This illustration identifies the protocols and ports used by the different network devices in a
typical deployment.
• Table A-1 lists the ports used for ANM client (browser) or ANM server and ANM high availability
communication.
• Table A-2 lists the ports used for communication between ANM and managed devices.
Figure A-1 ANM Server Deployment
[Figure: diagram of a typical deployment. The links labelled in the figure, which correspond to the rows of
Table A-1 and Table A-2, are:
User (browser) to ANM: HTTP (TCP:80) or HTTPS (TCP:443)
ANM (HA Primary) to ANM (HA Secondary): DB (TCP:3306), HA (TCP:10444 & TCP:10445)
ANM to Chassis (C6K switch or 7600 router): SSH (TCP:22) or Telnet (TCP:23)
ANM to ACE module: SSH (TCP:22) & HTTPS (TCP:443), SNMP (UDP:161 & UDP:162), SYSLOG (UDP:514)
ANM to ACE appliance: SSH (TCP:22) & HTTPS (TCP:10443), SNMP (UDP:161 & UDP:162), SYSLOG (UDP:514)
ANM to CSM: SNMP (UDP:161 & UDP:162). Note: For CSM, all communication is performed with the Chassis
(Cat6K or 7600).
ANM to CSS: SSH (TCP:22) or Telnet (TCP:23), SNMP (UDP:161 & UDP:162)
ANM to GSS: SSH (TCP:22), GSS Java RMI (TCP:2001 & TCP:3009)
ANM to Email Gateway: SMTP (TCP:25)
ANM to External NMS application: SNMP (UDP:162)
ANM to VMware vCenter Server: Default HTTPS (TCP:443)]
Table A-1 Ports Used by ANM in a Network Deployment (1)
Port                          Description
TCP (80)                      Default port if ANM is configured for access using HTTP (using anm-installer).
TCP (443)                     Default port if ANM is configured for access using HTTPS (using default install option).
TCP (3306)                    MySQL Database system (ANM HA installation opens this port to communicate with the peer ANM).
TCP (10444) and TCP (10445)   ANM License Manager (ANM HA installation opens these two ports to communicate with the peer ANM).
TCP (25)                      Port used by ANM server to communicate to Email Gateway through SMTP.
UDP (162)                     Port used by ANM server to send out trap notification to external NMS application.
HTTP (8080) and HTTPS (8443)  Web service ports.
1. It is highly recommended that you run ANM on a stand-alone device. However, if you run ANM on a shared
device, please note that ANM locally opens the following ports for internal communication:
TCP Ports: 8980, 10003, 10004, 10023, 10443, 40000, 40001, 40002, 40003
UDP Ports: 6120, 10003
Table A-2 Ports Used by ANM for Communication with Managed Devices
Device Type                     Port                             Description
Chassis (Catalyst 6500 switch   SSH (TCP:22) or Telnet (TCP:23)  Discover chassis configuration.
or Cisco 7600 router)
ACE (appliance or module)       HTTPS (TCP:443)                  For ACE module: XML/HTTPS interface on the device used to
                                                                 discover, configure, and monitor using specific show CLI commands.
                                HTTPS (TCP:10443)                For ACE appliance: XML/HTTPS interface on the device used to
                                                                 discover, configure, and monitor using specific show CLI commands.
                                SSH (TCP:22)                     Discovery and configuration of ACE licenses, certificates/keys
                                                                 (crypto) licensing, scripts, and checkpoints.
                                SNMP (UDP:161 & UDP:162)         Monitor ACE through SNMP requests (UDP:161) and receive trap
                                                                 notifications (UDP:162).
CSM                             SNMP (UDP:161 & UDP:162)         Monitor CSM through SNMP requests (UDP:161) and receive trap
                                                                 notifications (UDP:162).
CSS                             SSH (TCP:22) or Telnet (TCP:23)  Discover chassis configuration.
                                SNMP (UDP:161 & UDP:162)         Monitor CSS through SNMP requests (UDP:161) and receive trap
                                                                 notifications (UDP:162).
GSS                             SSH (TCP:22)                     Discover chassis configuration and monitor the operational status
                                                                 of DNS rules and VIP answers.
                                RMI (TCP:2001 & TCP:3009)        Activate/suspend DNS rules and VIP answers.
vCenter Server                  Default HTTPS (TCP:443)          Communicate with the vCenter Server and vSphere Client in a
                                                                 VMware virtual data center environment. For more information
                                                                 about using the plug-in that is available with ANM to integrate
                                                                 ANM with a VMware virtual data center environment, see
                                                                 Appendix B, “Using the ANM Plug-In With Virtual Data Centers.”
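As an added example that is not part of this guide, the following Python script compares the sockets an ANM host is listening on with the ports documented in Table A-1 and its footnote, plus UDP 162 and UDP 514, on which ANM receives SNMP traps and syslog from managed ACE devices (Table A-2 and Chapter 20). It parses `netstat -lntu` output and reports listeners the tables do not account for, required ports that are not open, and internal ports bound to all interfaces rather than loopback. The netstat listing is constructed; the `https` and `ha` parameters reflect the install options chosen on that host. Whether an internal port should be loopback-only is a decision for the administrator, so the script only reports it.

```python
"""Audit the listening sockets on an ANM host against the ports in Table A-1.

Added example, not code from the ANM user guide. The port sets come from
Table A-1 and its footnote (plus the UDP ports on which ANM receives traps and
syslog from managed devices); SAMPLE_NETSTAT is constructed `netstat -lntu`
output for an HA pair on which a Telnet daemon has also been left running.
"""
import re

WEB_PORTS = {("tcp", 80), ("tcp", 443)}                     # GUI: HTTP or HTTPS, per install option
HA_PORTS = {("tcp", 3306), ("tcp", 10444), ("tcp", 10445)}   # MySQL and License Manager, HA pairs only
WEB_SERVICE_PORTS = {("tcp", 8080), ("tcp", 8443)}           # web services, only if enabled in anm-installer
INBOUND_FROM_DEVICES = {("udp", 162), ("udp", 514)}          # SNMP traps and syslog from ACE devices
# Footnote 1 of Table A-1: ports ANM opens locally for internal communication.
INTERNAL_PORTS = {("tcp", p) for p in (8980, 10003, 10004, 10023, 10443,
                                       40000, 40001, 40002, 40003)}
INTERNAL_PORTS |= {("udp", 6120), ("udp", 10003)}

# Constructed sample output of `netstat -lntu`.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10444               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10445               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:8980              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:40000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:23                  0.0.0.0:*                   LISTEN
udp        0      0 0.0.0.0:162                 0.0.0.0:*
udp        0      0 127.0.0.1:6120              0.0.0.0:*
"""

LISTENER_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(netstat_output):
    """Return (proto, bind_address, port) for each socket line of `netstat -lntu`."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found


def audit_listeners(netstat_output, https=True, ha=False):
    """Compare open sockets with the documented ANM ports.

    Returns a dict with:
      unexpected        listeners on ports the tables do not account for
      missing           documented ports that must be open but are not
      internal_exposed  internal ports bound to all interfaces rather than loopback
    """
    listeners = parse_listeners(netstat_output)
    open_ports = {(proto, port) for proto, _, port in listeners}
    allowed = WEB_PORTS | WEB_SERVICE_PORTS | INBOUND_FROM_DEVICES | INTERNAL_PORTS
    required = {("tcp", 443 if https else 80)}
    if ha:
        allowed |= HA_PORTS
        required |= HA_PORTS
    return {
        "unexpected": sorted(l for l in listeners if (l[0], l[2]) not in allowed),
        "missing": sorted(required - open_ports),
        "internal_exposed": sorted(l for l in listeners
                                   if (l[0], l[2]) in INTERNAL_PORTS
                                   and l[1] in ("0.0.0.0", "::", "*")),
    }


if __name__ == "__main__":
    for key, value in audit_listeners(SAMPLE_NETSTAT, https=True, ha=True).items():
        print(f"{key}: {value}")
```

On the constructed listing the audit flags the Telnet listener on TCP 23 as unexpected and TCP 40000 as an internal port reachable from the network; run with `ha=False` it also flags the three HA ports, since a stand-alone ANM does not open them.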
APPENDIX B
Using the ANM Plug-In With Virtual Data Centers
Date: 3/28/12
This appendix describes how to integrate ANM server with VMware vCenter Server, which is a
third-party product for creating and managing virtual data centers. Using VMware vSphere Client, you
can access ANM functionality and manage the ACE real servers that provide load-balancing services for
the virtual machines in your virtual data center.
Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe,
and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special
characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
If you are using ANM with an ACE module or ACE appliance and you configure a named object at the
ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows
you to use when configuring a named object. If you use special characters that ANM does not support,
you may not be able to import or manage the ACE using ANM.
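As an added example, not code from this guide, the following Python script applies the naming rule stated in the note above (1 to 64 characters, alphanumerics plus underscore, hyphen, dot and asterisk, no spaces) to the named objects in an ACE running-config, so that names the ACE CLI accepted but ANM will not can be found before an import is attempted. The configuration excerpt is constructed, and the assumption that `rserver`, `serverfarm` and `probe` statements carry their name as the third word is mine.

```python
"""Flag ACE object names that ANM will not accept.

Added example, not code from the ANM user guide. The rule is the one stated
in the appendix note: 1 to 64 characters, alphanumerics plus underscore,
hyphen, dot and asterisk, and no spaces. SAMPLE_ACE_CONFIG is a constructed
running-config excerpt; the object types scanned (rserver, serverfarm, probe)
are an assumption about which top-level ACE statements carry a name in their
third word.
"""
import re

# Exactly the character set and length the note allows.
ANM_NAME_RE = re.compile(r"^[A-Za-z0-9_.*-]{1,64}$")

# Top-level (unindented) "rserver host NAME", "serverfarm host NAME", "probe http NAME" lines.
NAMED_OBJECT_RE = re.compile(r"^(rserver|serverfarm|probe)\s+\S+\s+(\S+)\s*$")

# Constructed excerpt; the names containing '#' and '/' fall outside the ANM rule.
SAMPLE_ACE_CONFIG = """\
rserver host web-01
  ip address 10.10.1.11
  inservice
rserver host web#02
  ip address 10.10.1.12
  inservice
serverfarm host sf.web*prod
  rserver web-01
  rserver web#02
probe http app/health
  interval 5
"""


def is_valid_anm_name(name):
    """True if ANM can import and manage an object with this name."""
    return ANM_NAME_RE.match(name) is not None


def find_unsupported_names(config_text):
    """Return (line_number, object_type, name) for top-level objects ANM would reject."""
    problems = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = NAMED_OBJECT_RE.match(line)
        if m and not is_valid_anm_name(m.group(2)):
            problems.append((lineno, m.group(1), m.group(2)))
    return problems


if __name__ == "__main__":
    for lineno, kind, name in find_unsupported_names(SAMPLE_ACE_CONFIG):
        print(f"line {lineno}: {kind} name {name!r} contains characters ANM does not support")
```

Indented references such as `rserver web#02` inside a server farm are not matched by the scan; the name is reported once, where the object is defined, and must be renamed at the ACE CLI before ANM can import the device.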
This appendix includes the following sections:
• Information About Using ANM With VMware vCenter Server, page B-2
• Information About the Cisco ACE SLB Tab in vSphere Client, page B-3
• Prerequisites for Using ANM With VMware vSphere Client, page B-4
• Guidelines and Restrictions, page B-5
• Registering or Unregistering the ANM Plug-in, page B-5
• Logging In To ANM from VMware vSphere Client, page B-7
• Using the Cisco ACE SLB Tab, page B-8
• Managing ACE Real Servers From vSphere Client, page B-12
• Using the VMware vSphere Plug-in Manager, page B-22
Information About Using ANM With VMware vCenter Server
Information About Using ANM With VMware vCenter Server
This section describes how you can integrate ANM server into a VMware virtual data center
environment. This feature enables you to access ANM functionality from within the VMware
environment to provision the application delivery services that the ACE real servers provide.
ANM version 3.1 and later includes the ANM plug-in for vCenter Server that enables the integration of
ANM with the VMware environment as shown in Figure B-1.
Figure B-1 ANM Integrated With VMware vCenter Server and vSphere Client
From the ANM GUI, you register the ANM plug-in by specifying a VMware vCenter Server and ANM
server attributes that enables ANM to communicate with VMware vCenter Server and vSphere Client
using HTTPS and default port 443. When the plug-in is registered, the VMware vSphere Client GUI
displays the Cisco ACE SLB tab when you select a virtual machine (VM) from the client GUI.
You click on the Cisco ACE SLB tab to log into ANM from the VMware vSphere Client and perform
the following tasks:
• Define a virtual machine (VM) as a real server on ANM and associate it with an existing ACE virtual
context and server farm.
• Monitor application traffic flow for virtual machines through the ACE.
• Activate and suspend application traffic flows through the ACE for the associated real servers.
• Add or delete real servers from the list of servers associated with a VM.
[Figure B-1: diagram showing VMware vCenter and VMware vSphere Client connected to Cisco ANM (dedicated
server or virtual appliance); clients reach the VMs hosted on VMware ESX(i) hosts through the network
infrastructure and the Cisco Application Control Engine (ACE).]
Information About the Cisco ACE SLB Tab in vSphere Client
Note In addition to ACE devices, the Cisco ACE SLB tab also displays services on the Content Services
Switch (CSS) and real servers on the Cisco Content Switching Module (CSM) devices associated with
a virtual machine. For these device types, from the Cisco ACE SLB tab, you can activate or suspend the
services or real servers but you cannot add or delete these items.
For information about how ANM maps real servers to VMware virtual machines, see the “Mapping Real
Servers to VMware Virtual Machines” section on page 5-68.
For more information about the Cisco ACE SLB tab, see the “Information About the Cisco ACE SLB
Tab in vSphere Client” section on page B-3 and “Using the Cisco ACE SLB Tab” section on page B-8.
Information About the Cisco ACE SLB Tab in vSphere Client
This section describes the components of the Cisco ACE SLB tab that display in vSphere Client when
you choose a VM from the VM tree (see Figure B-2).
Figure B-2 Cisco ACE SLB Tab in vSphere Client
Table B-1 describes the callouts in Figure B-2.
Prerequisites for Using ANM With VMware vSphere Client
Prerequisites for Using ANM With VMware vSphere Client
The prerequisites for integrating ANM with VMware vCenter Server and vSphere Client are as follows:
• You must use ANM version 3.1 or later with VMware vSphere 4 or vSphere 5.
• You must register the ANM plug-in from within ANM to enable communication between the two
applications (see the “Registering or Unregistering the ANM Plug-in” section on page B-5).
• If you are running VMware vSphere Client on a Windows Server 2003 or 2008 operating system,
make sure that the following Internet security options (Internet options > Security setting) are
enabled:
– Allow META REFRESH
– Allow scripting of Internet Explorer web browser control
These options are not enabled by default. If they are disabled, the ANM plug-in will not allow you
to log in to ANM for security reasons or you may encounter refresh problems with the Cisco ACE
SLB tab.
Note We recommend that you have VMware Tools installed on the guest OS of each VM to allow ANM to
match a real server with a VM based on the IP address rather than a server name (see the “Mapping Real
Servers to VMware Virtual Machines” section on page 5-68).
Table B-1 Cisco ACE SLB Tab Components
Item Description
1 Content area that displays the ACE real servers associated with the VM that you select from the VM tree located
on the left (see the “Using the Cisco ACE SLB Tab” section on page B-8).
2 Upper set of function buttons that enable you to add or delete real servers from the content area and manage the
displayed information (see the “Using the Cisco ACE SLB Tab” section on page B-8).
3 Cisco ACE SLB tab that you click to display and manage the ACE real servers for the selected VM.
4 Session information that provides the following information and functions:
• Current user logged into ANM.
• Logout link that you click on to close the session.
• Help link that you click on to open the ANM online help for the Cisco ACE SLB tab.
• ANM server time stamp of when the information displayed in the tab was last updated.
5 Recent Tasks area that displays VMware tasks.
6 Lower set of function buttons that you use to update the information displayed, activate or suspend a real server,
change the weight assigned to a real server, view real server connection information in graph form, and view the
topology map associated with a real server.
For more information about these function buttons, see the following sections:
• “Using the Cisco ACE SLB Tab” section on page B-8
• “Managing ACE Real Servers From vSphere Client” section on page B-12).
Guidelines and Restrictions
Guidelines and Restrictions
Follow these guidelines and restrictions when integrating ANM with VMware vCenter Server and
vSphere Client:
• There are no shared logins or trust established between ANM and vCenter Server when you open a
session between the two servers.
• You can configure both ANM and vCenter Server to use Active Directory for authentication.
• From ANM, you must register the ANM plug-in before you can see the Cisco ACE SLB tab from
VMware vSphere Client (see the “Registering or Unregistering the ANM Plug-in” section on
page B-5). When you register the plug-in, the VMware vSphere Client display refreshes and
displays the Cisco ACE SLB tab.
• ANM supports one registered ANM plug-in instance only, which means that you can register only
one plug-in at any given time.
For example, if you register the plug-in from ANM Server A and then register the plug-in from ANM
Server B, the following actions occur:
– The ANM Server A plug-in is unregistered.
– Any VMware vSphere Client that was running when the ANM Server B plug-in was registered
will continue to display ANM Server A’s information in the Cisco ACE SLB tab. You must
restart VMware vSphere Client to access and display ANM Server B’s information.
• If you are going to uninstall ANM from the ANM server, make sure that you unregister the ANM
plug-in before you uninstall ANM. If you do not unregister the plug-in before the uninstall, from
VMware vSphere Client, the plug-in will display as registered but will fail to load.
For information about unregistering the ANM plug-in, see the “Registering or Unregistering the
ANM Plug-in” section on page B-5. For information about uninstalling ANM, see one of the
following guides depending on your ANM application:
– Installation Guide for Cisco Application Networking Manager 5.2
– Installation Guide for the Cisco Application Networking Manager 5.2 Virtual Appliance
Registering or Unregistering the ANM Plug-in
Note This feature requires the admin role for ANM.
This section describes how to register the ANM plug-in from ANM, which allows you to access ANM
ACE real server functionality from VMware vSphere Client. Registering the plug-in provides the client
with a URL to access ANM and retrieve the required XML definition file. ANM uses HTTPS for
communication with VMware vCenter Server.
You can also unregister the ANM plug-in from ANM.
Note Unregistering the ANM plug-in does not prevent access to the ANM server or remove the Cisco ACE
SLB tab from any VMware vSphere Client display that was running when you unregistered the plug-in.
You must restart the client to remove the Cisco ACE SLB tab from the display. A VMware vSphere
Client restart is also required when you unregister an ANM plug-in from one ANM server and register
another plug-in from a second ANM server.
Guidelines and Restrictions
When registering the ANM plug-in, you specify the VMware vCenter Server and ANM server. If you
specify the servers using server names rather than IP addresses, the names must be in DNS and must be
consistent throughout the network. If the server names reside only in local /etc/hosts files, then use IP
addresses in place of the server names; otherwise, the ANM server and vCenter Server may not be able
to communicate and errors may occur, including the inability to enable the plug-in or the inability to
map real servers (empty tables).
Procedure
Step 1 From ANM, choose Admin > ANM Management > Virtual Center Plugin Registration.
The VMware Virtual Center PlugIn Registration window appears.
Step 2 Register or unregister the ANM plug-in using the information in Table B-2.
Table B-2 Virtual Center Plugin Registration
Field Description
Virtual Center Server IP address of the VMware vCenter Server.
Note Do not use a DNS name to specify the vCenter Server.
Port Port number of the VMware vCenter Server.
Virtual Center Server Username VMware vCenter Server username that has the administrator role or an equivalent role that
has privilege on “Extension.”
Virtual Center Server Password Password that corresponds to the VMware vCenter Server username.
ANM Server DNS name or IP address of the ANM server that will be used by VMware vSphere Client.
By default, ANM populates this field with the virtual IP address or hostname or all of the
available IP addresses. If you enter a DNS name, make sure that the name can be resolved
on the VMware vSphere Client side of the network.
Note For ANM servers operating in an HA configuration, choose the shared alias IP
address or VIP address for the HA pair so that the plug-in can still be used after
an HA failover occurs.
Status Current status of the registration or unregistration operation.
Possible status states are as follows:
• Blank (no status displayed)—The registration operation has not been invoked.
• Success in registration—ANM has successfully completed the registration operation.
• Failure—ANM is unable to complete the registration operation and displays an error
message that indicates the problem encountered (see Table B-3).
• Registering—ANM is in the process of registering the ANM plug-in. This state
displays when you click the Registration button a second time before the process is
complete.
• Success in unregistration—ANM has successfully completed the unregistration
operation.
Step 3 Do one of the following:
• Click Register to register the ANM plug-in. ANM can now be accessed through VMware vSphere
Client (see the “Logging In To ANM from VMware vSphere Client” section on page B-7).
• Click UnRegister to unregister the ANM plug-in.
Table B-3 describes the error messages that ANM can display when it encounters a problem with
registering the plug-in.
Logging In To ANM from VMware vSphere Client
This section describes how to log into ANM from VMware vSphere Client and establish a session for
accessing ANM functionality. The session remains active unless there is a web timeout, you log out, or
there is an ANM or VMware vCenter Server restart. The default web session inactivity timeout is 30
minutes.
Prerequisites
From ANM, you must have the ANM plug-in registered before you can log into ANM from VMware
vSphere Client (see the “Registering or Unregistering the ANM Plug-in” section on page B-5).
Guidelines and Restrictions
This topic includes the following guidelines and restrictions:
• When registering the ANM plug-in, you specify the VMware vCenter Server and ANM server. If
you specify the servers using server names rather than IP addresses, the names must be in DNS and
must be consistent throughout the network. If the server names reside only in local /etc/hosts files,
then use IP addresses in place of the server names; otherwise, the ANM server and vCenter Server
may not be able to communicate and errors may occur, including the inability to enable the plug-in
and log in to ANM or the inability to map real servers (empty tables). For information about
registering the plug-in, see the “Registering or Unregistering the ANM Plug-in” section on
page B-5.
Table B-3 Virtual Center Registration Failure Messages
Error Message: Virtual center is not reachable, please correct value for the virtual center IP address or
DNS name.
Root Cause: The ANM server is unable to ping the specified VMware vCenter Server DNS name or IP address.
Error Message: Cannot access virtual center web service interface, please make sure that the value of the
virtual center server is correct or the virtual server is up and running.
Root Cause: The ANM server is able to ping VMware vCenter Server but it cannot connect to the webservice
API. Most likely, the specified DNS name or IP address does not have the virtual center server running or
the virtual server is not running.
Error Message: Invalid username or password for virtual center, please make sure that the username and
password is correct.
Root Cause: The specified username or password for VMware vCenter Server is not valid.
Error Message: User does not have permission to register or unregister plugin on virtual center server.
Root Cause: The specified username is not the VMware vCenter Server administrator or does not have
privilege on extension (plugin register/unregister/update).
• When logging into ANM from VMware vSphere Client and you have ANM configured to use remote
authentication, such as RADIUS, TACACS+, or LDAPS/AD, use the credentials assigned to you for
the specific remote authentication method.
Procedure
Step 1 From VMware vSphere Client, do one of the following:
• To access ANM within the VMware vSphere Client window, choose a VM from the VM tree and
click the Cisco ACE SLB tab.
• To access ANM in a new browser window, right-click on a VM in the VM tree to open the submenu
and choose Cisco ACE Activate/Suspend.
The Security Alert popup window appears. This popup appears because ANM uses a Cisco self-signed
certificate.
Step 2 From the Security Alert popup window, click Yes to proceed.
The popup window closes and the ANM login window appears. By default, the name of the user
currently logged into VMware vSphere Client displays in the User Name field.
Step 3 Enter your username (if it is not already displayed) and password.
Step 4 Click Login.
The Cisco Application Networking Manager window appears in the Cisco ACE SLB tab. For information
about what displays in this window, see the “Using the Cisco ACE SLB Tab” section on page B-8. For
information about how to use this window to manage the real servers, see the “Managing ACE Real
Servers From vSphere Client” section on page B-12.
Step 5 (Optional) To log out of ANM, click Logout.
The session closes and the ANM login window appears in the Cisco ACE SLB tab.
Using the Cisco ACE SLB Tab
This section describes the Cisco device information and management functionality that is available when
you click the Cisco ACE SLB tab.
Note The ACE real server information displays only after you log into ANM from VMware vSphere Client
(see the “Logging In To ANM from VMware vSphere Client” section on page B-7).
The Cisco ACE SLB tab contains the ACE Reals (real servers) table. Table B-4 describes the real server
information available in the table.
Table B-4 ACE Reals Table Fields
Field Description
Name Name of real server on the ACE, CSS, CSM, or CSM-S. Although the Cisco ACE SLB tab is primarily
used to monitor and manage ACE real servers, you can also monitor, activate, and suspend CSS, CSM,
and CSM-S devices from this tab.
The real server name is a link that displays the Real Server Details popup window, which provides
operating information about the server (see the “Monitoring Real Server Details Using vSphere Client”
section on page B-19).
IP Address Real server IP address.
Port Real server port number.
Admin State Administrative state of the real server as follows:
• In Service
• Out Of Service
• In Service Standby.
Note For CSM and CSM-S real servers, ANM infers the admin state based on the operational state
that it receives through SNMP rather than the CLI, which may result in an admin state display
that is not correct. For example, when you change the operational state of a CSM real server
from Out of Service to Inservice, the admin state display should also change to In Service;
however, the admin state display may remain set to Out of Service.
Oper State Operational state of the real server as follows:
• ARP Failed—Corresponding VLAN interface is not configured for the real server.
• Failed—Server has failed and will not be retried for the amount of time specified by its retry timer.
• Inband probe failed—Server has failed the inband Health Probe agent.
• Inservice—Server is in use as a destination for server load balancing client connections.
• Inservice standby—Server is the backup real server, which remains inactive unless the primary
real server fails.
• Operation wait—Server is ready to become operational but is waiting for the associated redirect
virtual server to be in service.
• Out of service—Server is not in use by a server load balancer as a destination for client
connections.
• Probe failed—Server load-balancing probe to this server has failed. No new connections will be
assigned to this server until a probe to this server succeeds.
• Probe testing—Server has received a test probe from the server load balancer.
• Ready to test—Server has failed and its retry timer has expired; test connections will begin flowing
to it soon.
• Return code failed—Server has been disabled because it returned an HTTP code that matched a
configured value.
• Test wait—Server is ready to be tested. This state is applicable only when the server is used for
HTTP redirect load balancing.
• Testing—Server has failed and has been given another test connection. The success of this
connection is not known.
• Throttle: DFP—DFP has lowered the weight of the server to throttle level; no new connections
will be assigned to the server until DFP raises its weight.
• Throttle: max clients—Server has reached its maximum number of allowed clients.
• Throttle: max connections—Server has reached its maximum number of connections and is no
longer being given connections.
• Unknown—State of the server is not known.
Conns Number of concurrent connections.
Weight Weight assigned to the real server.
Server Farm Server farm that the real server is associated with.
Vserver Name of the Vserver.
Device ACE, CSS, CSM, or CSM-S on which the real server is configured.
HA Indicators that display when the real server is part of a high availability pair. The indicators are as
follows:
• Asterisk (*)—The real server is associated with an HA pair and the HA configuration is complete.
• Red dash (-)—The real server is associated with an HA pair; however, the HA configuration is
incomplete. Typically, the HA pair is not properly configured for HA or only one of the servers
has been imported into ANM. Ensure that both servers are imported into ANM and that they are
configured as described in the “Configuring ACE High Availability” section on page 13-14.
The table displays HA pair real servers together in the same row and they remain together no matter
how you sort the information.
In the table, N/A indicates that either the information is not available from the database or that it is not
being collected through SNMP.
The Cisco ACE SLB tab also contains a number of function buttons that enable you to manage the
displayed information and the real servers. Figure B-3 shows the function buttons that are located at the
top of the ACE Reals table.
Figure B-3 Cisco ACE SLB Tab Upper Function Buttons
Table B-5 describes each of the function buttons shown in Figure B-3.
Table B-5 The Cisco ACE SLB Tab Upper Function Button Descriptions
Number Function Description
1 Add Adds a real server to the list of servers that can service the VM (see the “Adding a Real Server”
section on page B-13).
Note This feature is available for ACE devices only.
2 Delete Deletes the selected server from the list of servers that can service the VM (see the “Deleting a Real
Server Using vSphere Client” section on page B-14).
Note This feature is available for ACE devices only.
3 AutoRefresh Enables the auto refresh feature and sets the refresh cycle time. Values are Off, 30 seconds, 1 minute,
2 minutes, or 5 minutes.
4 Filter Enables the column filter and provides access to saved filters.
5 Refresh Refreshes the window.
6 Filter tool Filters over all columns.
Table B-6 describes the function buttons located across the bottom of the Cisco ACE SLB tab.
Table B-6 Cisco ACE SLB Tab Lower Function Button Descriptions
Function Description
Poll Now Polls the device to update the displayed information (see the “Refreshing the Displayed Real Server
Information” section on page B-20).
Activate Activates the services of the selected server (see the “Activating Real Servers Using vSphere Client”
section on page B-15).
Suspend Suspends the services of the selected server (see the “Suspending Real Servers Using vSphere Client”
section on page B-16).
Change Weight Changes the weight of the selected server (see the “Modifying Real Server Weight Value Using vSphere
Client” section on page B-18).
Graph Displays connection information for a selected real server in graph form. To exit a graph view and return
to the ACE Real Server table, click Exit Graph.
Topology Displays a network topology map for a selected real server (see the “Displaying Network Topology Maps”
section on page 17-68). To exit a topology map and return to the ACE Real Server table, click Exit.
Related Topics
• Information About Using ANM With VMware vCenter Server, page B-2
• Logging In To ANM from VMware vSphere Client, page B-7
• Managing ACE Real Servers From vSphere Client, page B-12
• Using the VMware vSphere Plug-in Manager, page B-22
Managing ACE Real Servers From vSphere Client
This section describes how to perform real server management tasks from the Cisco ACE SLB tab after
you log into ANM from VMware vSphere Client (see the “Logging In To ANM from VMware vSphere
Client” section on page B-7). These tasks include adding a VM as a real server to an existing server farm
or suspending and activating the operation of a real server associated with a VM.
This section includes the following topics:
• Adding a Real Server, page B-13
• Deleting a Real Server Using vSphere Client, page B-14
• Activating Real Servers Using vSphere Client, page B-15
• Suspending Real Servers Using vSphere Client, page B-16
• Modifying Real Server Weight Value Using vSphere Client, page B-18
• Monitoring Real Server Details Using vSphere Client, page B-19
• Refreshing the Displayed Real Server Information, page B-20
Adding a Real Server
You can add one or more real servers to the list of ACE real servers associated with a VM. The Cisco
ACE SLB tab allows you to select a VM and define it as a real server on ANM, associating it with an
existing ACE virtual context and server farm.
Guidelines and Limitations
You can add only one real server at a time. Repeat the procedure in this section for each real server that
you want to add.
Procedure
Step 1 From the VM tree in VMware vSphere Client, do one of the following:
• To display the ACE real server information in the current window, click on a VM and then click the
Cisco ACE SLB tab.
• To display the ACE real server information in a new window, right-click on a VM to open the
submenu and choose Cisco ACE Activate/Suspend.
The Security Alert popup window appears. This popup window appears because ANM uses a Cisco
self-signed certificate.
Step 2 From the Security Alert popup window, click Yes to proceed.
The popup window closes and the Cisco Application Networking Manager window appears, displaying
the ACE Reals table.
Step 3 From the ACE Reals table, click Add.
The Real Server Configurations dialog box appears.
Step 4 From the Real Server Configurations dialog window, configure the real server to add using the
information in Table B-7.
Table B-7 Real Server Attributes
Field Description
Real Server Name Unique name for this server. By default, the name of the selected VM is displayed. Valid
entries are unquoted text strings with no spaces and a maximum of 64 characters.
Real Server IP Address Unique IP address in dotted-decimal format (such as 192.168.11.1). The drop-down list is
populated with the IP address or addresses assigned to the selected VM. If no IP addresses
were found for the VM, you can manually enter an IP address in this field.
Real Server Port Real server port number. Valid entries are from 1 to 65535.
Real Server Weight Weight to assign to this real server in a server farm. Valid entries are 1 to 100. The default is 8.
Real Server State State of the real server:
• In Service—ANM places the real server in the in service state when it is added. This is
the default setting.
• In Service Standby—ANM places the real server in the in service standby state when it is
added.
• Out Of Service—ANM places the real server in the out of service state when it is added.
ACE Virtual Context ACE virtual context that has the server farm that the real server is to be associated with.
Serverfarm Server farms associated with the selected ACE virtual context.
Virtual Servers Virtual server names and VIPs that are associated with the selected server farm.
Step 5 Do one of the following:
• Click Deploy Now. The Real Server Configurations dialog box closes and ANM adds the real server
to the list of servers that can service the VM depending on how you set the Real Server State
attribute.
• Click Cancel. The Real Server Configurations dialog box closes and no real server is added.
Related Topics
• Logging In To ANM from VMware vSphere Client, page B-7
• Using the Cisco ACE SLB Tab, page B-8
• Deleting a Real Server Using vSphere Client, page B-14
• Activating Real Servers Using vSphere Client, page B-15
• Suspending Real Servers Using vSphere Client, page B-16
• Modifying Real Server Weight Value Using vSphere Client, page B-18
• Monitoring Real Server Details Using vSphere Client, page B-19
• Refreshing the Displayed Real Server Information, page B-20
Deleting a Real Server Using vSphere Client
You can remove a real server from the list of servers that service the VM.
Procedure
Step 1 From the VM tree in VMware vSphere Client, do one of the following:
• To display the ACE real server information in the current window, click on a VM and then click the
Cisco ACE SLB tab.
• To display the ACE real server information in a new window, right-click on a VM to open the
submenu and choose Cisco ACE Activate/Suspend.
The Security Alert popup window appears. This popup window appears because ANM uses a Cisco
self-signed certificate.
Step 2 From the Security Alert popup window, click Yes to proceed.
The popup window closes and the Cisco Application Networking Manager window appears, displaying
the ACE Reals table.
Step 3 From the ACE Reals table, check the checkbox of each server that you want to delete from the table.
Step 4 Click Delete.
The confirmation popup window appears requesting you to verify that you want to delete the server.
Step 5 In the confirmation popup window, click OK.
The popup window closes and ANM removes the selected servers from the list of real servers.
Related Topics
• Logging In To ANM from VMware vSphere Client, page B-7
• Using the Cisco ACE SLB Tab, page B-8
• Adding a Real Server, page B-13
• Activating Real Servers Using vSphere Client, page B-15
• Suspending Real Servers Using vSphere Client, page B-16
• Modifying Real Server Weight Value Using vSphere Client, page B-18
• Monitoring Real Server Details Using vSphere Client, page B-19
• Refreshing the Displayed Real Server Information, page B-20
Activating Real Servers Using vSphere Client
You can activate a real server that services a VM.
Note If you are not using the ANM plug-in for vCenter Server to access ANM, see the “Activating Real
Servers” section on page 8-14.
Procedure
Step 1 From the VM tree in VMware vSphere Client, do one of the following:
• To display the ACE real server information in the current window, click on a VM and then click the
Cisco ACE SLB tab.
• To display the ACE real server information in a new window, right-click on a VM to open the
submenu and choose Cisco ACE Activate/Suspend.
The Security Alert popup window appears. This popup window appears because ANM uses a Cisco
self-signed certificate.
Step 2 From the Security Alert popup window, click Yes to proceed.
The popup window closes and the Cisco Application Networking Manager window appears, displaying
the ACE Reals table.
Step 3 From the ACE Reals table, check the check box of the servers that you want to activate and click
Activate.
The Activate Server window appears.
Step 4 In the Reason field of the Activate Server window, enter a reason for this action.
You might enter a trouble ticket, an order ticket, or a user message.
Note Do not enter a password in this field.
Step 5 Do one of the following:
• Click OK to activate the server and to return to the ACE Reals table. The server appears in the table
with the status Inservice.
• Click Cancel to exit this procedure without activating the server and to return to the ACE Reals
table.
Related Topics
• Logging In To ANM from VMware vSphere Client, page B-7
• Using the Cisco ACE SLB Tab, page B-8
• Suspending Real Servers Using vSphere Client, page B-16
• Modifying Real Server Weight Value Using vSphere Client, page B-18
• Monitoring Real Server Details Using vSphere Client, page B-19
• Refreshing the Displayed Real Server Information, page B-20
Suspending Real Servers Using vSphere Client
You can suspend a real server that services a VM.
Note If you are not using the ANM plug-in for vCenter Server to access ANM, see the “Suspending Real
Servers” section on page 8-15.
Procedure
Step 1 From the VM tree in VMware vSphere Client, do one of the following:
• To display the ACE real server information in the current window, click on a VM and then click the
Cisco ACE SLB tab.
• To display the ACE real server information in a new window, right-click on a VM to open the
submenu and choose Cisco ACE Activate/Suspend.
The Security Alert popup window appears. This popup window appears because ANM uses a Cisco
self-signed certificate.
Step 2 From the Security Alert popup window, click Yes to proceed.
The popup window closes and the Cisco Application Networking Manager window appears, displaying
the ACE Reals table.
Step 3 In the ACE Reals table, check the check box of the servers that you want to suspend and click Suspend.
The Suspend Real Servers window appears.
Step 4 In the Reason field of the Suspend Real Servers window, enter the reason for this action.
You might enter a trouble ticket, an order ticket, or a user message.
Note Do not enter a password in this field.
Step 5 From the Suspend Real Servers Type drop-down list, choose one of the following:
• Graceful—When executed on a primary server, the ACE gracefully shuts down the server with
sticky connections as follows:
– Tears down existing non-TCP connections to the server
– Allows current TCP connections to complete
– Allows new sticky connections for existing server connections that match entries in the sticky
database
– Load balances all new connections (other than the matching sticky connections mentioned
above) to the other servers in the server farm
When executed on a backup real server, the ACE places the backup server in service standby mode.
Note For the CSS, when the device is in the In Service admin state and you perform a graceful suspend
operation, ANM saves the last known non-zero service (or real server) weight, and then sets the
weight to zero. ANM references the saved weight when performing an Activate operation. If the
current weight is zero, and a non-zero weight has been saved for that service (or real server), the
Activate operation also sets the weight to the saved value.
To allow ANM to save and reset the weight value when gracefully suspending and then
activating the CSS, you must have the device configured to permit SNMP traffic. For each device
type, see the corresponding configuration guide to configure the device to permit SNMP traffic.
When the CSS is in the In Service Standby admin state and you perform a graceful suspend
operation, ANM does not set the weight to zero.
• Suspend—The ACE resets all non-TCP connections to the server. For TCP connections, existing
flows are allowed to complete before the ACE takes the real server out of service. No new
connections are allowed. The ACE resets all Secure Sockets Layer (SSL) connections to the real
server.
• Suspend and Clear Connections—The ACE performs the tasks described for Suspend and clears
the existing connections to this server.
Step 6 Do one of the following:
• Click Deploy Now to suspend the server and to return to the ACE Reals table. The server appears
in the table with the status Out Of Service.
• Click Cancel to exit this procedure without suspending the server and to return to the ACE Reals
table.
Related Topics
• Logging In To ANM from VMware vSphere Client, page B-7
• Using the Cisco ACE SLB Tab, page B-8
• Adding a Real Server, page B-13
• Deleting a Real Server Using vSphere Client, page B-14
• Activating Real Servers Using vSphere Client, page B-15
• Modifying Real Server Weight Value Using vSphere Client, page B-18
• Monitoring Real Server Details Using vSphere Client, page B-19
• Refreshing the Displayed Real Server Information, page B-20
Modifying Real Server Weight Value Using vSphere Client
You can modify the weight value assigned to a real server that defines the connection capacity of the
server in relation to the other real servers. The ACE uses the weight value that you specify for a server
in the weighted round-robin and least-connections load-balancing predictors. Servers with a higher
configured weight value have a higher priority with respect to connections than servers with a lower
weight. For example, a server with a weight of 5 would receive five connections for every one connection
for a server with a weight of 1.
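The following is an added example, not ANM or ACE code: a small Python model of what this guide states about real server weights, covering the Table B-7 attribute constraints (name, IP address, port 1 to 65535, weight 1 to 100 with a default of 8), the 5:1 weighted round-robin ratio described above, and the graceful-suspend note in the Suspending section (the last non-zero weight is saved, the weight is set to zero, and Activate restores it). The smooth weighted round-robin pick order and the handling of the In Service Standby state are assumptions of the model, not documented ACE or CSS behaviour.

```python
"""Model of ACE real-server weight handling (added example, not ANM/ACE code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Admin states listed in Table B-4 and Table B-7.
IN_SERVICE = "In Service"
IN_SERVICE_STANDBY = "In Service Standby"
OUT_OF_SERVICE = "Out Of Service"

# Table B-7: unquoted text string, no spaces, at most 64 characters.
_NAME_RE = re.compile(r"^[^\s\"']{1,64}$")


@dataclass
class RealServer:
    name: str
    ip: str
    port: int
    weight: int = 8              # Table B-7 default weight
    admin_state: str = IN_SERVICE
    saved_weight: Optional[int] = field(default=None, repr=False)

    def __post_init__(self) -> None:
        """Reject entries the Real Server Configurations dialog would not accept."""
        if not _NAME_RE.match(self.name):
            raise ValueError("name: unquoted, no spaces, 1-64 characters")
        try:
            ipaddress.IPv4Address(self.ip)
        except ipaddress.AddressValueError:
            raise ValueError("ip: dotted-decimal IPv4 address required") from None
        if not 1 <= self.port <= 65535:
            raise ValueError("port: 1-65535")
        if not 1 <= self.weight <= 100:
            raise ValueError("weight: 1-100")
        if self.admin_state not in (IN_SERVICE, IN_SERVICE_STANDBY, OUT_OF_SERVICE):
            raise ValueError("admin_state: unknown state")

    def graceful_suspend(self) -> None:
        """CSS behaviour from the Suspend note: from In Service, save the last non-zero
        weight and set the weight to zero.  From In Service Standby the weight is not
        zeroed; leaving the state unchanged there is an assumption of this model."""
        if self.admin_state == IN_SERVICE:
            if self.weight > 0:
                self.saved_weight = self.weight
            self.weight = 0
            self.admin_state = OUT_OF_SERVICE

    def activate(self) -> None:
        """Activate: if the weight is zero and a non-zero weight was saved, restore it."""
        if self.weight == 0 and self.saved_weight:
            self.weight = self.saved_weight
        self.admin_state = IN_SERVICE


def validation_error(name: str, ip: str, port: int, weight: int = 8) -> Optional[str]:
    """Return the Table B-7 validation message for an entry, or None if it is valid."""
    try:
        RealServer(name, ip, port, weight)
    except ValueError as exc:
        return str(exc)
    return None


def weighted_round_robin(servers: List[RealServer], n: int) -> List[str]:
    """Distribute n new connections with a smooth weighted round-robin predictor.
    Only in-service servers with a non-zero weight are eligible; over one full cycle
    (the sum of the weights) each server receives exactly its weight in connections,
    so a weight-5 server gets five connections for every one a weight-1 server gets."""
    eligible = [s for s in servers if s.admin_state == IN_SERVICE and s.weight > 0]
    if not eligible:
        raise RuntimeError("no in-service real server with a non-zero weight")
    total = sum(s.weight for s in eligible)
    current = {s.name: 0 for s in eligible}
    picks: List[str] = []
    for _ in range(n):
        for s in eligible:
            current[s.name] += s.weight
        best = max(eligible, key=lambda s: current[s.name])
        current[best.name] -= total
        picks.append(best.name)
    return picks


def connection_share(servers: List[RealServer], n: int) -> Dict[str, int]:
    """Count how many of n connections each real server in the farm would receive."""
    picks = weighted_round_robin(servers, n)
    return {s.name: picks.count(s.name) for s in servers}


if __name__ == "__main__":
    # Constructed sample farm: a weight-5 and a weight-1 server, as in the guide's example.
    web_a = RealServer("web-a", "192.168.11.1", 80, weight=5)
    web_b = RealServer("web-b", "192.168.11.2", 80, weight=1)
    print(connection_share([web_a, web_b], 6))   # {'web-a': 5, 'web-b': 1}
    web_a.graceful_suspend()                     # weight 5 saved, weight set to 0
    print(connection_share([web_a, web_b], 6))   # {'web-a': 0, 'web-b': 6}
    web_a.activate()                             # weight restored to 5
    print(web_a.weight, web_a.admin_state)       # 5 In Service
```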
Note If you are not using the ANM plug-in for vCenter Server to access ANM, see the “Modifying Real Server
Weight Value” section on page 8-17.
Procedure
Step 1 From the VM tree in VMware vSphere Client, do one of the following:
• To display the ACE real server information in the current window, click on a VM and then click the
Cisco ACE SLB tab.
• To display the ACE real server information in a new window, right-click on a VM to open the
submenu and choose Cisco ACE Activate/Suspend.
The Security Alert popup window appears. This popup window appears because ANM uses a Cisco
self-signed certificate.
Step 2 From the Security Alert popup window, click Yes to proceed.
The popup window closes and the Cisco Application Networking Manager window appears, displaying
the ACE Reals table.
Step 3 In the ACE Reals table, check the check box of the server that you want to modify and click Change
Weight.
The Change Weight Real Servers window appears.
Step 4 In the Change Weight Real Servers window, enter the following information for the selected server:
• Reason for change such as trouble ticket, order ticket, or user message.
Note Do not enter a password in this field.
• Weight value (for allowable ranges for each device type, see Table 8-5).
Step 5 Do one of the following:
• Click Deploy Now to accept your entries and to return to the ACE Reals table. The server appears
in the table with the updated information.
• Click Cancel to exit this procedure without saving your entries and to return to the ACE Reals table.
Related Topics
• Logging In To ANM from VMware vSphere Client, page B-7
• Using the Cisco ACE SLB Tab, page B-8
• Adding a Real Server, page B-13
• Deleting a Real Server Using vSphere Client, page B-14
• Activating Real Servers Using vSphere Client, page B-15
• Monitoring Real Server Details Using vSphere Client, page B-19
• Refreshing the Displayed Real Server Information, page B-20
Monitoring Real Server Details Using vSphere Client
You can display detailed operating information about a real server.
Procedure
Step 1 From the VM tree in VMware vSphere Client, do one of the following:
• To display the ACE real server information in the current window, click on a VM and then click the
Cisco ACE SLB tab.
• To display the ACE real server information in a new window, right-click on a VM to open the
submenu and choose Cisco ACE Activate/Suspend.
The Security Alert popup window appears. This popup window appears because ANM uses a Cisco
self-signed certificate.
Step 2 From the Security Alert popup window, click Yes to proceed.
The popup window closes and the Cisco Application Networking Manager window appears, displaying
the ACE Reals table.
Step 3 In the ACE Reals table, click on the name of the real server whose details you want to view.
The Real Server Details popup window appears and displays the following ACE statistical information:
• Total Connections—Total number of load-balanced connections to this real server in the serverfarm.
• Connections Rate—Connections per second.
• Dropped Connections—Total number of dropped connections because the current connection count
exceeds the maximum number of allowed connections.
• Dropped Connections Rate—Dropped connections per second.
• Minimum Connections—Minimum number of connections that need to be supported by the real
server in the serverfarm.
• Maximum Connections—Maximum number of connections that can be supported by this real server
in the serverfarm.
Note The statistical information that ANM displays for the CSM and CSM-S is different from the ACE
information described above. Also, ANM does not display the Real Server Details popup window for the
CSS.
Note To close the Real Server Details popup window, you may need to expand the display to access
the “X” (close) located in the upper right hand section of the window.
Related Topics
• Logging In To ANM from VMware vSphere Client, page B-7
• Using the Cisco ACE SLB Tab, page B-8
• Adding a Real Server, page B-13
• Deleting a Real Server Using vSphere Client, page B-14
• Activating Real Servers Using vSphere Client, page B-15
• Suspending Real Servers Using vSphere Client, page B-16
• Modifying Real Server Weight Value Using vSphere Client, page B-18
• Refreshing the Displayed Real Server Information, page B-20
Refreshing the Displayed Real Server Information
You can refresh the information that ANM displays for a real server.
Procedure
Step 1 From the VM tree in VMware vSphere Client, do one of the following:
• To display the ACE real server information in the current window, click on a VM and then click the
Cisco ACE SLB tab.
• To display the ACE real server information in a new window, right-click on a VM to open the
submenu and choose Cisco ACE Activate/Suspend.
The Security Alert popup window appears. This popup window appears because ANM uses a Cisco
self-signed certificate.
Step 2 From the Security Alert popup window, click Yes to proceed.
The popup window closes and the Cisco Application Networking Manager window appears, displaying
the ACE Reals table.
Step 3 In the ACE Reals table, check the checkbox next to the name of the real server whose information you
want to refresh.
Step 4 Click Poll Now.
ANM polls the selected device and updates the displayed information.
Related Topics
• Logging In To ANM from VMware vSphere Client, page B-7
• Using the Cisco ACE SLB Tab, page B-8
• Adding a Real Server, page B-13
• Deleting a Real Server Using vSphere Client, page B-14
• Activating Real Servers Using vSphere Client, page B-15
• Suspending Real Servers Using vSphere Client, page B-16
• Modifying Real Server Weight Value Using vSphere Client, page B-18
Using the VMware vSphere Plug-in Manager
You can use the VMware vSphere Client Plug-in Manager to verify that the ANM plug-in (Cisco ACE)
is registered, view error messages, and enable or disable the plug-in.
Procedure
Step 1 From the VMware vSphere Client main menu, choose Plug-ins > Manage Plug-ins.
The Plug-in Manager window appears. Table B-8 describes the Cisco plug-in information that displays
in the Plug-in Manager window.
Step 2 (Optional) To enable or disable the plug-in, from the list of plug-ins, right-click on the Cisco ACE
plug-in and do one of the following:
• Choose Enable. The Cisco ACE SLB tab appears in the VMware vSphere Client content area. This
is the default setting.
• Choose Disable. The Cisco ACE SLB tab is removed from the VMware vSphere Client content area.
Related Topics
Registering or Unregistering the ANM Plug-in, page B-5
Table B-8 VMware vSphere Client Plug-in Manager
Item Description
Plug-in Name Name of the Cisco plug-in, which is Cisco ACE.
Vendor This field is blank. The vendor name, Cisco, is included in the plug-in name.
Version Plug-in version number.
Status Plug-in operating status: Enabled or Disabled.
Description Plug-in description, which is Cisco ACE.
Progress N/A
Errors Errors related to the Cisco ACE plug-in, such as when the VMware vSphere Client cannot find the
ANM server because it cannot resolve the server name.
GLOSSARY
Date: 3/28/12
A
ACE Cisco Application Control Engine, available as a module that resides in a Cisco Catalyst 6500 series
chassis, Cisco 7600 series router, or as a standalone appliance. The ACE offers high-performance
server load balancing (SLB), routing and bridging configuration, traffic policies, redundancy (high
availability), virtualization for resource management, SSL, security features, and application
acceleration and optimization.
ACL Access Control List. A mechanism in computer security used to enforce privilege separation. An ACL
identifies the privileges and access rights a user or client has to a particular object, such as a server, file
system, or application.
activate Places an entity into the resource pool for load balancing content requests or connections and starts the
keepalive function. See also suspend.
administrative distance The first criterion a router uses to determine which routing protocol to use if two protocols provide
route information for the same destination. Administrative distance is a measure of the trustworthiness
of the source of the routing information. Administrative distance has only local significance, and is not
advertised in routing updates.
The smaller the administrative distance value, the more reliable the protocol. The values range from 0
(zero) for a connected interface and 1 for a static route, to 255 for an unknown protocol.
AES Advanced Encryption Standard. One of the possible encryption algorithms available for use in SNMP
communications.
ANM Mobile ANM feature that allows supported mobile devices to access your ANM server or ANM Virtual
Appliance and manage the network objects in much the same way you do from an ANM client. Using
a mobile device, you can run ANM Mobile as a native application (app) or inside the mobile device
browser.
ANM server Dedicated server with ANM server software and Red Hat Enterprise Linux (RHEL) operating system
installed on it.
ANM Virtual Appliance VMware virtual appliance with ANM server software and Cisco Application Delivery Engine
Operating System (ADE OS) installed on it. Cisco distributes ANM Virtual Appliance in Open Virtual
Appliance (.OVA) format.
ARP Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address. Defined
in RFC 826.
B
building block Reusable configuration attributes that can be applied to virtual contexts for consistent, standardized
implementation.
BVI Bridge-Group Virtual Interface. Logical Layer 3-only interface associated with a bridge group when
integrated routing and bridging (IRB) is configured.
C
CCM Cisco CallManager. A Cisco product that provides the software-based, call-processing component of
the Cisco IP Telephony Solutions for the Enterprise, part of Cisco AVVID (Architecture for Voice,
Video, and Integrated Data). CallManager acts as a signaling proxy for call events initiated over other
common protocols such as SIP, ISDN (Integrated Services Digital Network), or MGCP (Media
Gateway Control Protocol).
certificate chain A certificate chain is a hierarchical list of certificates used in SSL that includes the subject’s certificate,
the root CA certificate, and any intermediate CA certificates.
certificate signing request See CSR.
checkpoint A snapshot in time of a known stable ACE running configuration before you begin to modify it. If you
encounter a problem with the modifications to the running configuration, you can roll back the
configuration to the previous stable configuration checkpoint.
Cisco.com Replaces the Cisco Connection Online website. Use this site to access customer service and support.
class map A mechanism for classifying types of network traffic. The ANM uses class maps to classify the network
traffic that is received and transmitted by the ACE. Types of traffic include Layer 3/Layer 4 traffic that
can pass through the ACE, network management traffic that can be received by the ACE, and Layer 7
HTTP load-balancing traffic.
CSR Certificate Signing Request. A message sent to a certificate authority, such as VeriSign or Thawte, to
apply for a digital identity certificate for use with SSL. The request includes information that
identifies the SSL site, such as location and serial number, and a public key that you choose. The
request may also provide any additional proof of identity required by the certificate authority.
Cisco IOS Software The Cisco system software that allows centralized, integrated, and automated installation and
management of internetworks, while ensuring support for a wide variety of protocols, media, services,
and platforms.
context See virtual context.
D
DES Data Encryption Standard. One of the privacy (encryption) protocols available for SNMPv3
communications (CBC-DES with a 56-bit key). DES is considered weak by current standards; use
AES where the agent supports it.
DFP Dynamic Feedback Protocol. A protocol that allows load-balanced servers (both local and remote) to
dynamically report changes in their status and their ability to provide services.
distinguished name Used for SSL, a set of attributes (such as common name, organization, and location) that
identifies the certificate subject and gives the certificate authority the information it needs to
verify your site before issuing a certificate.
Dynamic Workload
Scaling (DWS)
ACE feature that permits on-demand access to remote resources, such as VMs, that you own or lease
from an Internet service provider or cloud service provider.
E
event A message from the ANM that informs you of activities on parts of the system, including each virtual
context, the management system, and hardware components.
event type The category of an event: Alarm, Log, Audit, or Attack Log.
exception A group of related faults.
F
fault An abnormal condition that occurs when a system component exceeds a performance threshold or is
not functioning properly.
File Transfer
Protocol
See FTP.
FTP File Transfer Protocol. Application protocol, part of the TCP/IP protocol stack, used for transferring
files between network nodes. FTP is defined in RFC 959.
H
H.323 An umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that
defines the protocols that provide audio-visual communication sessions on any packet network. It is a
part of the H.32x series of protocols, which also addresses communications over Integrated Services
Digital Network (ISDN), the Public Switched Telephone Network (PSTN), or Signaling System 7 (SS7).
H.323 is commonly used in Voice over IP (VoIP, Internet Telephony, or IP Telephony) and Internet
Protocol (IP)-based videoconferencing. H.323 defines a common set of CODECs, call setup and
negotiating procedures, and basic data transport methods.
HSRP Hot Standby Router Protocol. A networking protocol that provides network redundancy for IP
networks, ensuring that user traffic immediately and transparently recovers from first hop failures in
network edge devices or access circuits.
I
ICMP Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides
other information relevant to IP packet processing. Documented in RFC 792.
Internet Control
Message Protocol
See ICMP.
interface 1. A network connection.
2. A connection between two systems or devices.
3. In telephony, a shared boundary defined by common physical interconnection characteristics, signal
characteristics, and meanings of interchanged signals.
L
load balancing An action that spreads network requests among available servers within a cluster of servers, based on
a variety of algorithms.
M
MD5 Message Digest 5. A cryptographic hash function. In SNMPv3 it is one of the available authentication
protocols (HMAC-MD5-96), which proves the integrity and origin of each message; it does not
encrypt anything. Privacy (encryption) is provided separately by DES or AES. MD5 is no longer
considered collision resistant, so prefer SHA-based authentication where the agent supports it.
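How the MD5 authentication step actually works, as an added example that is not part of this guide or of the ANM product: the RFC 3414 key derivation (password to Ku, then localization to Kul with the agent's engine ID) followed by the HMAC-MD5-96 tag that a sender places in msgAuthenticationParameters. The password and engine ID are the published test vector from RFC 3414 Appendix A.3.1; the message bytes are constructed here, and the function names are this example's own.

```python
"""SNMPv3 USM authentication with HMAC-MD5-96 (RFC 3414).

Added illustration for the MD5 glossary entry; not code from the Cisco ANM
product. Nothing in this module encrypts: MD5 is used only as a keyed hash
to authenticate the message.
"""
import hashlib
import hmac

# Published test vector from RFC 3414 Appendix A.3.1 (not a guess).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_KU = bytes.fromhex("9faf3283884e92834ebc9847d8edd963")
RFC3414_KUL = bytes.fromhex("526f5eed9fcce26f8964c2930787d82b")

AUTH_PARAM_LEN = 12   # HMAC-MD5-96: the 128-bit MAC truncated to 96 bits


def password_to_key_md5(password: bytes) -> bytes:
    """Ku: MD5 over the password repeated (and truncated) to exactly 1,048,576 bytes.
    The large input makes brute force of the password deliberately slow."""
    total = 1048576
    reps, rem = divmod(total, len(password))
    return hashlib.md5(password * reps + password[:rem]).digest()


def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    """Kul: MD5(Ku || snmpEngineID || Ku). The key is tied to one agent, so a
    key recovered from one device does not authenticate to another."""
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_params_md5_96(kul: bytes, whole_msg: bytes) -> bytes:
    """Sender side: HMAC-MD5 over the whole message (with the
    msgAuthenticationParameters field zeroed), truncated to 12 octets."""
    return hmac.new(kul, whole_msg, hashlib.md5).digest()[:AUTH_PARAM_LEN]


def verify_auth_params_md5_96(kul: bytes, whole_msg: bytes, received: bytes) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_params_md5_96(kul, whole_msg), received)


if __name__ == "__main__":
    ku = password_to_key_md5(RFC3414_PASSWORD)
    kul = localize_key_md5(ku, RFC3414_ENGINE_ID)
    print("Ku  =", ku.hex(), ku == RFC3414_KU)
    print("Kul =", kul.hex(), kul == RFC3414_KUL)
    msg = b"\x30\x00constructed SNMPv3 message bytes"   # constructed sample
    tag = auth_params_md5_96(kul, msg)
    print("authParams =", tag.hex(), verify_auth_params_md5_96(kul, msg, tag))
```

The same localization scheme applies to HMAC-SHA-96 with SHA-1 in place of MD5; the point to take from the example is that the tag depends on a per-engine secret key, while the DES or AES privacy key is derived separately and is the only thing that hides the payload.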
MIB Database of network management information that is used and maintained by a network management
protocol, such as SNMP or CMIP. The value of a MIB object can be changed or retrieved using SNMP
or CMIP commands, usually through a GUI network management system. MIB objects are organized
in a tree structure that includes public (standard) and private (proprietary) branches.
N
NAT Network Address Translation. A method of connecting multiple computers to the Internet (or any other IP
network) using one public IP address, by rewriting the source or destination address of packets as
they pass through the ACE. See also PAT.
O
object group A logical grouping of similar objects, such as servers, clients, services, or networks. Creating an object
group allows you to apply common attributes to a number of objects without specifying each object
individually.
organizations An organization allows you to configure AAA server lookup for your users or set up users who work
for a service provider customer. Organizations in the Cisco ANM system are defined by the system
administrator.
P
PAT Port Address Translation. A mechanism that allows many devices on a LAN to share one IP address by
allocating a unique Layer 4 port number to each translated connection.
ping A common method for troubleshooting the reachability of devices.
ping sends an ICMP echo request and waits for the echo reply. Because ping is the simplest test for
a device, it is the first to be used. If ping fails, try using traceroute. Note that a failed ping does
not prove that the device is down: firewalls and ACLs often drop ICMP while other traffic passes.
Run ping to view the packets transmitted, packets received, percentage of packet loss, and round-trip
time in milliseconds.
port 1. An interface on an internetworking device (such as a router); a physical entity.
2. In IP terminology, an upper-layer process that receives information from lower layers. Ports are
numbered, and each numbered port is associated with a specific process. For example, SMTP is
associated with port 25. A port number is also called a well-known address.
3. To rewrite software or microcode so that it will run on a different hardware platform or in a different
software environment than that for which it was originally designed.
R
RAS Registration, Admission, and Status Protocol. Protocol that is used between endpoints and the
gatekeeper to perform management functions. RAS signalling function performs registration,
admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the
gatekeeper.
RBAC Role-Based Access Control. A mechanism that allows privileges to be assigned to defined roles. The
roles are then assigned to real users, allowing or limiting access to specific features as appropriate for
each role.
real server A real server is a physical device assigned to a server farm.
redundancy In internetworking, the duplication of devices, services, or connections so that, in the event of a failure,
the redundant devices, services, or connections can perform the work of those that failed.
resource class A defined set of resources and allocations available for use by a device (such as an ACE). Using
resource classes prevents a single device from using all available resources.
role See user role.
RSA Rivest, Shamir, and Adleman. A public-key cryptosystem used for encryption and digital signatures, and
therefore for authentication in SSL, where the server's RSA key pair and certificate prove its identity.
RTSP Real Time Streaming Protocol. A client-server multimedia presentation control protocol, designed to
address the needs for efficient delivery of streamed multimedia over IP networks.
S
SCCP Skinny Client Control Protocol. A proprietary terminal control protocol owned and defined by Cisco
as a messaging set between a skinny client and the Cisco CallManager (CCM). Examples of skinny
clients include the Cisco 7900 series of IP phone such as the Cisco 7960, Cisco 7940 and the 802.11b
wireless Cisco 7920, along with Cisco Unity voicemail server. See also Skinny.
server farm A collection of servers that contain the same content.
Server Load
Balancer
See SLB.
service A destination location where a piece of content resides physically. Also referred to in general terms for
this release as including content rules, owners, virtual servers, real servers, and so on.
Simple Mail
Transfer Protocol
See SMTP.
SIP Session Initiation Protocol. Protocol developed by the IETF MMUSIC Working Group as an alternative
to H.323. SIP was originally specified in IETF RFC 2543, published in March 1999, which has since
been obsoleted by RFC 3261. SIP equips platforms to signal the setup of voice and multimedia calls
over IP networks.
Skinny Skinny is a lightweight protocol which allows for efficient communication with Cisco CallManager.
See also SCCP.
SLB Server Load Balancer. A device that makes load balancing decisions based on application availability,
server capacity, and load distribution algorithms, such as round robin or least connections. Using load
balancing and server/application feedback, an SLB device determines a real server for the packet flow
and sends this information to the requesting forwarding agent. After the optimal destination is decided
on, all other packets in the packet flow are directed to a real server by the forwarding agent, increasing
packet throughput.
special
configuration file
Managed file resource on an ACE module, such as a piece of a configuration file or a keep-alive script.
SMTP Simple Mail Transfer Protocol. Internet protocol that provides email transfer services. Currently
defined in RFC 5321 (originally RFC 821).
sticky A feature that ensures that the same client gets the same server for multiple connections. It is used when
applications require a consistent and constant connection to the same server. If you are connecting to
a system that keeps state tables about your connection, sticky allows you to get back to the same real
server again and retain the statefulness of the system.
suspend Removes an entity from the resource pool for future load-balancing content requests or connections.
Suspending a service or device does not affect existing content flows, but it prevents additional
connections from accessing the suspended entity or content. See also activate.
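The load balancing, SLB, real server, server farm, sticky, and suspend entries above describe one decision path: check the sticky table, fall back to the farm's predictor, and skip suspended servers without disturbing their existing flows. The following is an added, self-contained model of that path; it is not ACE or ANM code, and the class names, the predictor and sticky-type names, and the sample addresses and requests are all constructed for this example.

```python
"""Server load balancer model: server farm, real servers, predictor, sticky
table, and suspend/activate.

Added illustration only; not ACE code. Names and sample data are assumptions.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional


@dataclass
class RealServer:
    name: str
    addr: str
    state: str = "active"      # "active" or "suspended"
    active_conns: int = 0      # flows currently on this server


@dataclass
class ServerFarm:
    name: str
    servers: list
    predictor: str = "roundrobin"   # or "leastconns"
    rr_index: int = 0

    def candidates(self) -> list:
        # Only active servers take new flows; suspended ones are skipped.
        return [s for s in self.servers if s.state == "active"]

    def predict(self) -> Optional[RealServer]:
        pool = self.candidates()
        if not pool:
            return None
        if self.predictor == "leastconns":
            return min(pool, key=lambda s: s.active_conns)
        chosen = pool[self.rr_index % len(pool)]
        self.rr_index += 1
        return chosen


class VirtualServer:
    """Front end that applies stickiness before the farm's predictor."""

    def __init__(self, farm: ServerFarm, sticky_type: str = "ip-netmask",
                 netmask: int = 24):
        self.farm = farm
        self.sticky_type = sticky_type      # "ip-netmask" or "http-cookie"
        self.netmask = netmask
        self.sticky_table: dict = {}

    def sticky_key(self, client_ip: str, cookie: Optional[str]):
        if self.sticky_type == "http-cookie":
            return None if cookie is None else ("cookie", cookie)
        net = ipaddress.ip_network(f"{client_ip}/{self.netmask}", strict=False)
        return ("ip-netmask", str(net))

    def new_connection(self, client_ip: str,
                       cookie: Optional[str] = None) -> Optional[RealServer]:
        key = self.sticky_key(client_ip, cookie)
        target = self.sticky_table.get(key) if key is not None else None
        if target is not None and target.state != "active":
            # The sticky entry points at a suspended server: fall back to the
            # predictor so the client is not pinned to a server taking no flows.
            target = None
        if target is None:
            target = self.farm.predict()
            if target is None:
                return None          # no active server left in the farm
            if key is not None:
                self.sticky_table[key] = target
        target.active_conns += 1
        return target


def suspend(server: RealServer) -> None:
    """Stop new flows; existing flows (active_conns) are left untouched."""
    server.state = "suspended"


def activate(server: RealServer) -> None:
    server.state = "active"


if __name__ == "__main__":
    farm = ServerFarm("web-farm", [RealServer("rs1", "10.0.0.1"),
                                   RealServer("rs2", "10.0.0.2"),
                                   RealServer("rs3", "10.0.0.3")])
    vs = VirtualServer(farm)
    for ip in ("192.0.2.10", "198.51.100.7", "192.0.2.200"):   # constructed
        print(ip, "->", vs.new_connection(ip).name)
    suspend(farm.servers[0])
    print("192.0.2.33 ->", vs.new_connection("192.0.2.33").name, "(rs1 suspended)")
```

Two behaviours worth noticing: a suspend leaves the server's existing connection count alone, exactly as the glossary entry says, and a stale sticky entry is silently repointed rather than honoured, which is the safe default when the sticky target is out of service.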
T
TCP Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable
full-duplex data transmission. TCP is part of the TCP/IP protocol stack and is defined in RFC 793.
template See building block.
threshold A range in which you expect your network to perform. If a threshold is exceeded or goes below the
expected bounds, you examine the areas for potential problems. You can create thresholds for a specific
device.
traceroute A diagnostic tool that helps you understand why ping fails or why applications time out. Using it, you
can view each hop (or gateway) on the route to your device and how long each took.
Transmission Control
Protocol
See TCP.
U
URI Uniform Resource Identifier. Type of formatted identifier that encapsulates the name of an Internet
object, and labels it with an identification of the name space, thus producing a member of the universal
set of names in registered name spaces and of addresses referring to registered protocols or name
spaces. [RFC 1630]
user role A mechanism for granting access to features and functionality to a user account. The Cisco Application
Networking Manager includes four predefined roles: System Administrator, Server Manager, Network
Manager, and Service Provider Customer.
V
virtual context A concept that allows users to partition an ACE into multiple virtual devices. Each virtual context
contains its own set of policies, interfaces, resources, and administrators, allowing administrators to
more efficiently manage system resources and services.
There are two types of contexts; the Admin context and a user context. The Admin context is the default
context that the ACE provides. The Admin context, which contains the basic settings for each virtual
device or context, allows a user to configure and manage all contexts. When a user logs into the Admin
context, he or she has full system administrator access to the entire ACE and all contexts and objects
within it. The Admin context provides access to network-wide resources, for example, a syslog server
or context configuration server. All global commands for ACE settings, contexts, resource classes, and
so on, are available only in the Admin context.
A user context is created by a user and has access only to the resources assigned to it. For
example, a user context that an administrator creates while in the Admin context has, by default,
access to all resources on the ACE device, whereas any user created by someone inside a user context
has access only to the resources within that context. In addition, roles are assigned to users, which
determine the commands and resources that are available to that user.
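The RBAC, user role, and virtual context entries together describe an authorization model: a user's home context decides which contexts are visible, the Admin context alone exposes global commands, and the role decides which operations are allowed within a visible context. The block below is an added illustration of that model, not ANM's own authorization code. The glossary supplies the Admin/user context split, the four predefined role names, and the rule about global commands; the permission strings, the GLOBAL_ONLY set, and the authorize() API are assumptions made for this example.

```python
"""Context-scoped RBAC, modelled on the virtual context and user role entries.

Added illustration only; not ANM code. Permission strings, GLOBAL_ONLY and
the authorize() API are assumptions.
"""
from dataclasses import dataclass

ADMIN_CONTEXT = "Admin"

# Permission strings "<feature>:<operation>" are assumed for illustration.
ROLE_PERMISSIONS = {
    "System Administrator": {"*"},
    "Server Manager": {"real-server:view", "real-server:modify",
                       "server-farm:view", "server-farm:modify", "probe:view"},
    "Network Manager": {"vlan:view", "vlan:modify", "acl:view", "acl:modify",
                        "real-server:view"},
    "Service Provider Customer": {"virtual-server:view", "real-server:view"},
}

# Features that are global to the ACE and reachable only from the Admin
# context. The glossary names contexts and resource classes; the exact set
# here is an assumption.
GLOBAL_ONLY = {"context", "resource-class", "ace-settings"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    home_context: str   # the context in which the account was created


def visible_contexts(user: User, all_contexts: set) -> set:
    """Admin-context users can manage every context; a user created inside a
    user context is confined to that context."""
    if user.home_context == ADMIN_CONTEXT:
        return set(all_contexts)
    return {user.home_context} & set(all_contexts)


def authorize(user: User, permission: str, context: str,
              all_contexts: set, audit: list) -> bool:
    """Deny-by-default check. Every decision is appended to `audit`, so a
    denied attempt is as visible as a granted one."""
    feature = permission.split(":", 1)[0]
    perms = ROLE_PERMISSIONS.get(user.role, set())   # unknown role: no rights
    if context not in visible_contexts(user, all_contexts):
        decision, reason = False, "context not visible to user"
    elif feature in GLOBAL_ONLY and context != ADMIN_CONTEXT:
        decision, reason = False, "global feature outside Admin context"
    elif "*" in perms or permission in perms:
        decision, reason = True, "granted by role"
    else:
        decision, reason = False, "permission not in role"
    audit.append((user.name, user.role, permission, context, decision, reason))
    return decision


if __name__ == "__main__":
    contexts = {ADMIN_CONTEXT, "ctx-A", "ctx-B"}        # constructed sample
    log = []
    alice = User("alice", "System Administrator", ADMIN_CONTEXT)
    bob = User("bob", "Server Manager", "ctx-A")
    authorize(alice, "resource-class:modify", ADMIN_CONTEXT, contexts, log)
    authorize(bob, "real-server:modify", "ctx-A", contexts, log)
    authorize(bob, "real-server:modify", "ctx-B", contexts, log)
    authorize(bob, "context:create", "ctx-A", contexts, log)
    for entry in log:
        print(entry)
```

The ordering of the checks matters: context visibility is tested before the role, so a Server Manager in ctx-A is refused on ctx-B even for an operation the role would otherwise permit, and an unknown role name yields an empty permission set rather than an error path that might be mistaken for "allow".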
VLAN Virtual LAN. Group of devices on one or more LANs that are configured (using management software)
so that they can communicate as if they were attached to the same wire, when in fact they are located
on a number of different LAN segments. Because VLANs are based on logical instead of physical
connections, they are extremely flexible.
VLAN Trunking
Protocol
See VTP.
virtual server A virtual server represents a group of real servers and is associated with a server farm.
VMware vCenter
Server
Third-party product for creating and managing virtual data centers, which includes VMware vSphere
Client and virtual machines.
VTP VLAN Trunking Protocol. A Layer 2 messaging protocol that maintains VLAN configuration
consistency by managing the addition, deletion, and renaming of VLANs within a VTP domain. VTP
minimizes misconfigurations and configuration inconsistencies that can result in a number of problems,
such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
VTP domain Also called a VLAN management domain, a domain composed of one or more network devices that
share the same VTP domain name and that are interconnected with trunks.
W
Web server A machine that contains Web pages that are accessible by others.
IN-1
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
INDEX
Numerics
7600 series router
adding VLANs 5-48
configuring
access ports 5-43
interfaces 5-42
primary attributes 5-38
routed ports 5-46
switch virtual interfaces 5-45
trunk ports 5-44
managing 5-66
synchronizing configurations 5-66
viewing
all modules 5-79
ports 5-42
VLAN
managing 5-48
modifying 5-51
viewing 5-49
A
AAA server, authenticating ANM users 18-38
About button 1-9
acceleration
configuring 7-53
configuring globally on ACE appliances 15-9
FlashForward 15-2
traffic policies 15-2
typical configuration flow 15-2
access control, configuring on VLAN interfaces 12-14
access control list (ACL) 6-78
access credentials, configuring 5-29
access ports, configuring 5-43
account password 1-6
accounts
user, managing 18-17
ACE
changing passwords 5-77
class map
configuring 14-7
match conditions 14-8
configuration options 6-11
definition GL-1
license
ANM license requirements 6-36
details 6-42
managing 6-36
removing 6-39
updating 6-40
viewing 6-36
parameter maps 10-2
policy map
configuring 14-32
rules and actions 14-34
traffic policies 14-2
viewing license details 6-42
virtual server protocols 7-11
ACE 1.0 module
class maps 14-7
configuration building block 16-6
parameter maps 10-2
policy maps 14-32
traffic policies 14-2
virtual server protocols 7-11
ACE 2.0 module
class map
types 14-7
configuration building block 16-6
parameter map
generic 10-8
RTSP 10-20
SIP 10-21
Skinny 10-23
parameter maps 10-2
policy maps 14-32
sticky types 9-2
traffic policies 14-2
virtual server protocols 7-11
ACE appliance
changing passwords 5-75
class maps 14-7
configuration building block 16-6
configuring 5-34
licenses
configuration 6-42
statistics 6-42
optimization parameter map 10-12
parameter maps 10-2
policy maps 14-32
synchronizing configurations 5-66
traffic policies 14-2
updating passwords 5-75
virtual server protocols 7-11
ACE appliances
SSH, enabling 5-6
ACE license
and required ANM licenses 6-36
details 6-42
managing 6-36
removing 6-39
updating 6-40
viewing 6-36
ACE module
configuring 5-34
configuring access credentials 5-29
discovery
enabling SSH access 5-28
process 5-31
monitoring discovery status 5-33
replace 5-82
synchronizing configurations 5-67
viewing
by 7600 series router 5-79
by chassis 5-79
ACE modules
ACE 2.0 SNMP polling 5-7
adding to ANM 5-16
HTTPS, enabling 5-6
OK/Pass state requirement 5-16
SSH, enabling 5-6
ACE network topology
overview 3-12
ACL
configuration overview 6-78
configuring
EtherType attributes 6-87
extended ACL attributes 6-82
for VLANs 12-14
object groups 6-89
creating 6-79
deleting 6-100
managing 6-99
objects
ICMP service parameters 6-97
IP addresses 6-91
protocols 6-93
subnet objects 6-92
TCP/UDP service parameters 6-94
resequencing 6-87
viewing by context 6-99
ACL object group
configuring 6-89
network objects
IP addresses 6-91
subnet objects 6-92
service objects
ICMP service parameters 6-97
protocols 6-93
TCP/UDP service parameters 6-94
ACLs, creating 6-79
action, setting for policy maps 14-34
action list
application acceleration, configuring 14-85, 15-3
configuration options 7-55
HTTP header modify, configuring 14-85
HTTP header modify, SSL header insertion,
configuring 14-85
HTTP header modify, SSL URL rewrite,
configuring 14-85
activate, definition GL-1
activating
DNS rules for GSS 7-75
real servers 8-14, B-15
virtual servers 7-71
adding
ACE modules 5-16
CSM 5-19, 5-20
devices to ANM 5-10
domains 5-63
resource classes 6-46
SSL
CSR parameters 11-25
parameter map cipher info 11-20
parameter maps 11-18, 11-27
user-defined groups 5-72
Admin context, first virtual context 6-2
administrative distance, definition GL-1
admin password 18-14
advanced editing mode 1-16
AES, definition GL-1
alarms
configuring for notification 17-57
viewing 17-65
all-match policy map 14-32
ANM
customizing default page 2-4
homepage 2-1, 2-3
ANM applications 1-2
ANM interface
logging in 1-5
overview 1-8
password, changing
account 1-7
login 1-7
table
conventions 1-14
customizing 1-15
ANM server
auto-sync settings 18-61
change audit logs 18-61
change audit logs, viewing 18-61
configuring
attributes 18-57
license file name 18-54
polling, enabling 18-57
statistics 18-56
ANM template editor
edit application template definition 4-18
overview 4-29
application acceleration
configuring 7-53
action lists 7-55
globally on ACE appliances 15-9
monitoring 17-43
overview 15-2
traffic policies 15-2
typical configuration flow 15-2
virtual server, additional configuration options 7-57
application template definitions
create 4-20
delete 4-29
export 4-26
import 4-26
test 4-28
application template definitions
ANM template editor 4-29
edit 4-15
edit with ANM template editor 4-18
edit with external editor 4-19
managing 4-15
overview 4-1
system template 4-1
user-defined template 4-2
application template instance
overview 4-2
application template instances
create 4-4
delete 4-13
deploy 4-7
duplicate 4-10
edit 4-9
list of instances 4-3
managing 4-3
view details 4-12
applying configuration building blocks 16-9
Appscope, configuration options 7-60
ARP
definition GL-1
attributes
BVI interfaces 12-20
DNS probes 8-57
Echo-TCP probes 8-58
Echo-UDP probes 8-58
Finger probes 8-58
for sticky group types 9-11
FTP probes 8-59
health monitoring 8-53
high availability 13-15
HTTP content sticky group 9-11
HTTP cookie sticky group 9-12
HTTP header sticky group 9-13
HTTP probes 8-60
HTTPS probes 8-61
IMAP probes 8-63
IP netmask sticky group 9-13
Layer 4 payload sticky group 9-14
new device 5-12
parameter map
connection 10-3
DNS 10-25
generic 10-8
HTTP 10-10
optimization 10-12
RTSP 10-20
SIP 10-21
Skinny 10-24
POP probes 8-64
predictor method 7-42, 8-40
RADIUS
sticky groups 9-14
RADIUS probes 8-65
real servers 8-6, 8-37
resource class 6-45
resource classes 6-45
RTSP
header sticky groups 9-15
probes 8-65
scripted probes 8-66
server farms 7-34, 8-31
SIP-TCP probes 8-67
SIP-UDP probes 8-68
SMTP probes 8-69
SNMP 6-27
SNMP probes 8-69
SSL
certificate export 11-16
certificate import 11-8, 11-9
CSR parameters 11-25
for virtual servers 7-17
key export 11-17
key pair import 11-12
parameter map cipher info 11-20
parameter maps 11-18, 11-27
sticky group 9-8
TCP probes 8-70
Telnet probes 8-70
UDP probes 8-71
V6 prefix sticky group 9-13
virtual context 6-3, 6-13, 6-14
virtual servers 7-8
VLAN interfaces 12-6
VM probes 8-72
auditing
building block configuration 6-101
resource classes 6-49
audit log
configuring
purge settings 18-58
audit logs
ANM server change audit 18-61
audit sync settings
configuring 18-61
authenticating ANM users with AAA server 18-38
authorization group certificate, configuring for SSL 11-32
autostate, enabling supervisor VLAN notification 12-5
autosync
setting up syslog settings for 6-105
B
backup
defaults 6-61
bandwidth optimization, configuring 7-53
building block
applying 16-9
configuration
audit 6-101
changes and version numbers 16-4
options 16-2
primary attributes 16-8
configuring 16-7
creating 16-5
enable feature 16-5
extracting from virtual contexts 16-6
overview 16-1
primary attributes 16-8
tagging 16-4, 16-9
types 16-6
using 16-1
versions 16-4
viewing use 16-11
buttons
descriptions 1-11
Graph The Component With Issue 17-66
BVI, definition GL-2
BVI interfaces
attributes 12-20
configuring 12-19
viewing by context 12-25
C
caching, dynamic 15-2
certificate
exporting for SSL 11-15
importing for SSL 11-7
SSL 11-5
certificate chain, definition GL-2
certificate signing request, definition GL-2
chain group certificate, configuring for SSL 11-23
chain group parameters, configuring for SSL 11-23
changing
account password 1-7
admin password 18-14
domain information 5-63
login password 1-7
role rules 5-61
user passwords 18-14
chassis
adding VLANs 5-48
changing passwords 5-75
configuring 5-34
access credentials 5-29
access ports 5-43
interfaces 5-42
primary attributes 5-38
routed ports 5-46
switch virtual interfaces 5-45
trunk ports 5-44
discovery process 5-31
managing 5-66
monitoring
discovery status 5-33
running discovery 5-31
SSH, enabling 5-5
synchronizing configurations 5-66
Telnet default 5-5
viewing
all modules 5-79
ports 5-42
VLAN
managing 5-48
modifying 5-51
viewing 5-49
checking status of the Cisco ANM server 18-52
checkpoint, configuration
creating 6-55
deleting 6-56
displaying 6-57
rolling back to 6-56
Cisco IOS software, definition GL-2
cisco-sample-cert 11-6
cisco-sample-key 11-6
class map
ACE device support 14-7, 14-8
configuring 14-6
definition GL-2
deleting 14-6, 14-8
match conditions
generic server load balancing 14-23
Layer 3/4 management traffic 14-12
Layer 3/4 network traffic 14-9
Layer 7 FTP command inspection 14-22
Layer 7 HTTP deep packet inspection 14-17
Layer 7 server load balancing 14-14
Layer 7 SIP deep packet inspection 14-30
RADIUS server load balancing 14-25
RTSP server load balancing 14-26
SIP server load balancing 14-27
overview 14-2, 14-3
setting match conditions 14-8
use with real servers 8-3
command inspection, FTP commands 14-22
configuration
back up and restore overview 6-59
create a backup 6-62
restore 6-66
configuration attributes
Appscope 7-60
delta optimization 7-57
device VLAN 5-48
extended ACL 6-83
health monitoring 8-53
high availability 13-15
HTTP return code maps 8-46
parameter map
connection 10-3
DNS 10-25
generic 10-8
HTTP 10-10
optimization 10-12
RTSP 10-20
SIP 10-21
Skinny 10-24
predictor method 7-42, 8-40
probe
DNS 8-57
Echo-TCP 8-58
Echo-UDP 8-58
Finger 8-58
FTP 8-59
HTTP 8-60
HTTPS 8-61
IMAP 8-63
POP 8-64
RADIUS 8-65
RTSP 8-65
scripted 8-66
SIP-TCP 8-67
SIP-UDP 8-68
SMTP 8-69
SNMP 8-69
TCP 8-70
Telnet 8-70
UDP 8-71
VM 8-72
real server 8-6, 8-37
resource class 6-45
server farm 7-34, 8-31
SNMP users 6-30
SSL 7-17
sticky group 9-8
sticky type 7-47
syslog 6-20
trunk ports 5-44
virtual context 6-3
virtual server 7-8
configuration building block
applying 16-9
configuring 16-7
creating 16-5
options 16-2
overview 16-1
tagging 16-4, 16-9
using 16-1
versions 16-4
configuration checkpoint and rollback service
creating configuration checkpoint 6-55
deleting configuration checkpoint 6-56
displaying checkpoint information 6-57
overview 6-54
rolling back configuration 6-56
configuration options
building blocks 16-2
by ACE device type 6-11
virtual contexts 6-9
configuration primary attributes
virtual context 6-14
configurations
synchronizing
for ACE modules 5-67
for devices 5-66
for high availability 13-30
for virtual contexts 6-105
configuration synchronization 13-11
configuration template. See building block.
configuration values, changing 20-1
configuring
7600 series router 5-34, 5-38
access ports 5-43
interfaces 5-42
switch virtual interfaces 5-45
trunk ports 5-44
acceleration 7-53
access credentials 5-29
access ports 5-43
ACE appliance passwords 5-75
ACE passwords 5-77
ACE SNMP for polling 5-7
ACE syslog messages 5-27, 18-62
ACLs 6-79, 12-14
EtherType 6-87
extended 6-82
object groups 6-89
resequencing 6-87
action lists 7-55
action lists for application acceleration 15-3
action lists for HTTP header modify 14-85
application acceleration action lists 7-55
bandwidth optimization 7-53
building block primary attributes 16-8
building blocks 16-7
BVI interfaces 12-19
chassis 5-34, 5-38
access ports 5-43
interfaces 5-42
trunk ports 5-44
chassis passwords 5-75
class map match conditions
generic server load balancing 14-23
Layer 3/4 management traffic 14-12
Layer 3/4 network traffic 14-9
Layer 7 FTP command inspection 14-22
Layer 7 HTTP deep packet inspection 14-17
Layer 7 server load balancing 14-14
Layer 7 SIP deep packet inspection 14-30
RADIUS server load balancing 14-25
RTSP server load balancing 14-26
SIP server load balancing 14-27
class maps 14-6
CSM 5-34
CSS 5-34, 5-35
CSS passwords 5-75
devices 5-34
DNS probe expect address 8-73
gigabit Ethernet interfaces 12-32
global
application acceleration on ACE appliances 15-9
optimization on ACE appliances 15-9
GSS 5-36
GSS passwords 5-75
health monitoring general attributes 8-53
high availability
groups 13-17, 13-19
host tracking 13-25
interface tracking 13-24
peer host probes 13-28
peers 13-15
synchronization 13-11
tracking and failure detection 13-23
host probes for high availability 13-26
HTTP probe headers 8-74
HTTP retcode maps 8-46
HTTPS probe headers 8-74
latency optimization 7-53
Layer 2 VLANs 5-50
Layer 3 VLANs 5-51
Layer 7 default load balancing 7-50
load balancing
real servers 8-5
server farms 8-30
sticky groups 9-7
virtual servers 7-30
NAT 7-63, 12-26
object groups
ICMP service parameters 6-97
IP addresses 6-91
protocols 6-93
subnet objects 6-92
TCP/UDP service parameters 6-94
OID for SNMP probes 8-76
optimization 7-53
action lists 7-55
traffic policies 15-6
organization passwords 18-10
parameter maps
connection 10-3
DNS 10-25
generic 10-8
HTTP 10-9
optimization 10-12, 15-6
RTSP 10-20
SIP 10-21
Skinny 10-23
PAT 12-27
policy map rules and actions 14-34
generic server load balancing 14-35
Layer 3/4 management traffic 14-39
Layer 3/4 network traffic 14-41
Layer 7 FTP command inspection 14-48
Layer 7 HTTP deep packet inspection 14-51
Layer 7 HTTP optimization 14-57
Layer 7 server load balancing 14-61
Layer 7 SIP deep packet inspection 14-68
Layer 7 Skinny deep packet inspection 14-71
RADIUS server load balancing 14-73
RDP server load balancing 14-75
RTSP server load balancing 14-76
SIP server load balancing 14-79
policy maps 14-32
port channel interfaces 12-35
probe attributes 8-56
probe expect status 8-74
protocol inspection 7-18
real servers 8-17, B-18
resource classes
global 6-46
local 6-52
routed ports 5-46
server farm predictor method 8-39
shared objects 7-10
SNMP 6-27
communities 6-28
credentials 5-30
notification 6-33
on virtual contexts 6-27
trap destination hosts 6-32
version 3 users 6-29
SSL
chain group parameters 11-23
CSR parameters 11-24
for virtual servers 7-17
OCSP service 11-29
parameter map 11-18
parameter map cipher 11-20
proxy service 11-27
static routes 5-39, 12-28
sticky groups 7-47, 9-7
sticky statics 9-15
switch virtual interfaces 5-45
syslog
logging 6-19
log hosts 6-23
log messages 6-24
log rate limits 6-26
Telnet
credentials 5-29
Telnet on chassis 5-5
traffic policies 14-1
trunk ports 5-44
virtual context 6-1, 6-8, 6-106
class maps 14-6
global policies 6-35
policy maps 14-32
primary attributes 6-14
resource classes 6-52
system attributes 6-13
virtual server
configuration overview 7-2
default load balancing 7-50
Layer 7 load balancing 7-30
NAT 7-63
optimization 15-9
properties 7-11
protocol inspection 7-18
shared objects 7-9
SSL termination service 7-17
VLAN
interface access control 12-14
interface policy maps 12-14
interfaces 12-6
Layer 2 5-50
Layer 3 5-51
VLAN groups 5-52
VSS passwords 5-75
connection parameter map
attributes 10-3
configuring 10-3
TCP options 10-7
using 8-77
connectivity, testing between devices 17-71
context
back up and restore overview 6-59
configuration options 6-9
configuring 6-8
application acceleration 15-1
BVI interfaces 12-19
global policies 6-35
load balancing 7-1
optimization 15-1
primary attributes 6-14
resource classes 6-52
static routes 12-28
traffic policies 14-1
virtual servers 7-1
VLAN interfaces 12-6
create a configuration backup 6-62
creating 6-2
definition GL-7
deleting 6-107
editing 6-106
extracting configurations for building blocks 16-6
modifying 6-106
polling
restarting 6-108
viewing status 6-104
restore a configuration 6-66
synchronizing configurations 6-105
sync status 6-103
upgrading 6-107
using for configuration building blocks 16-6
controlling access to Cisco ANM 18-3
conventions in ANM
table 1-14
cookie
client 9-3
sticky client identification 9-3
copying
ACE licenses 6-37
creating
ACLs 6-79
application template definition 4-20
application template instance 4-4
building blocks 16-5
domains 18-34
user accounts 18-19
user roles 18-29
virtual contexts 6-2
creating ACLs 6-79
credentials
modifying 5-30
SNMP 5-30
Telnet 5-29
CSM
adding to ANM 5-19, 5-20
configuring 5-34
primary attributes 5-34
viewing by chassis 5-79
CSR
configuring parameters 11-24
definition GL-2
generating for SSL 11-26
CSS
changing passwords 5-75
configuring 5-34
primary attributes 5-35
synchronizing configurations 5-66
customizing
tables 1-15
D
Data Center Interconnect (DCI)
overview 1-3
data dictionary 17-53
deep packet inspection
HTTP
class map match conditions 14-17
policy map rules and actions 14-51
SIP
class map match conditions 14-30
policy map rules and actions 14-68
Skinny policy map rules and actions 14-71
default distance values 5-40
deleting
ACLs 6-100
application template definition 4-29
class map in use 14-6
device RBAC user accounts 5-56
domains 5-65, 18-37
high availability groups 13-23
host probes for high availability 13-27
organizations 18-16
peer host probes 13-29
resource classes 6-51, 6-53
role rules 5-61
roles or domains 5-54
SSL objects 11-2
user accounts 18-23
user-defined groups 5-75
user roles 5-60, 18-32
virtual contexts 6-107
delta optimization
configuration options 7-57
description 15-2
deploying
application template instance 4-7
configuration building blocks 16-9
staged virtual servers 7-87
DES, definition GL-2
device
adding to ANM 5-10
back up and restore overview 6-59
configuring 5-34
create a configuration backup 6-62
management overview 5-2
managing 5-1
monitoring 17-24
polling
restarting 5-78
status 5-79
restore a configuration 6-66
viewing
All Devices table 5-78
device audit trail logs
monitoring 18-59
device groups, monitoring 17-23
device tree
overview 1-10
discovery
enabling
SSH on ACE modules 5-28
monitoring progress 5-31, 5-33
process 5-31
running 5-31
displaying
current user sessions 18-24
list of users 18-18
network domains 18-33
organizations 18-16
user roles 18-28
users who have a selected role 18-29
distinguished name, definition GL-3
DNS
configuring protocol inspection 7-19
parameter map
attributes 10-25
configuring 10-25
probe
attributes 8-57
expect address 8-73
DNS rules, and GSS 7-75
domains
deleting 5-54
duplicate
application template instance 4-10
duplicating
domains 18-35
organizations 18-15
user accounts 18-20
user-defined groups 5-74
user roles 18-31
dynamic caching 15-2
Dynamic Workload Scaling
brief summary and illustration 1-3
configure
Nexus 7000 8-27
overview 8-26
VM controller 8-29
server farm 7-36, 8-33
E
Echo-TCP probe attributes 8-58
Echo-UDP probe attributes 8-58
e-commerce
applications, sticky requirements 9-1
using stickiness 9-4
edit
application template definition 4-15
application template instance 4-9
role rules 5-61
enabling
ACE syslog messages 5-27
setup syslog for Autosync 5-27
SNMP polling from ANM 5-7
write mem on Config > Operations 18-63
Ethernet interfaces, configuring 12-32
EtherType ACL, configuring 6-87
event
definition GL-3
monitoring 17-55
event type, definition GL-3
exception, definition GL-3
expert options, for virtual contexts 6-101
export
application template definition 4-26
export historical statistics 17-52
exporting
SSL
certificates 11-15
key 11-17
key pair 11-16
extended ACL
configuration options 6-83
resequencing entries 6-87
F
failover 13-9
fault, definition GL-3
fault tolerance
groups 13-8
task overview 13-14
Feedback button 1-9
filtering tables 1-14
Finger probe attributes 8-58
first-match policy map 14-32
FlashForward object acceleration 15-2
FTP, configuring protocol inspection 7-19
FTP command inspection
available commands 14-22
class map match conditions 14-22
policy map rules and actions 14-48
FTP probe attributes 8-59
FTP strict, and RFC standards 14-48
FT VLAN 13-10
G
generic parameter map
attributes 10-8
configuring 10-8
generic server load balancing
class map match conditions 14-23
policy map rules and actions 14-35
global acceleration and optimization, ACE appliances 15-9
global policies, configuring for virtual contexts 6-35
global resource class 6-44
applying to contexts 6-47
auditing 6-49
configuring 6-46
deleting 6-51
deploying 6-48
modifying 6-50
using 6-46
graphs, historical trend and real time 17-48
Graph The Component With Issue button 17-66
groups
GSS DNS rules, managing 7-76
GSS VIP answers, managing 7-76
real servers, managing 8-10
virtual servers, managing 7-67
VLAN, assigning 12-4
VLAN, creating 12-3
GSS
Answer Table 7-73, 7-75
changing passwords 5-75
DNS rules, activating or suspending 7-75
DNS rules groups, managing 7-76
primary attributes 5-36
VIP answer groups, managing 7-76
VIP Answer table, managing 7-73
guided setup
ACE hardware setup 3-5
ACE network topology overview 3-12
application setup 3-14
importing devices 3-4
operating considerations 3-4
overview 3-1
tasks and related topics 3-2
virtual context setup 3-10
guidelines for managing
domains 18-33
user accounts 18-17
user roles 18-25
H
hash load-balancing methods
address 8-2
cookie 8-2
header 8-2
url 8-3
header
deletion 14-86
insertion 14-85, 14-86
rewrite 14-85, 14-86
health monitoring
configuring 8-49
for real servers 8-51
general attributes 8-53
inband 7-37, 8-34
overview 8-49
probe types 8-51
TCL scripts 8-50
heartbeat packets 13-9
Help button 1-9
high availability
ANM requirements 5-8
clearing
links between ACE appliances 13-17
pairs 13-17
configuration attributes 13-15
configuring
groups 13-17
host probes 13-26
host tracking process 13-25
interface tracking process 13-24
overview 13-6
peer host probes 13-28
peers 13-15
deleting
groups 13-23
host probes 13-27
peer host probes 13-29
failover detection 13-23
importance of synchronizing configurations 13-30
modifying groups 13-19
protocol 13-8
reconciling an SSL certificate/key pair 13-32
switching over a group 13-22
task overview 13-14
tracking status 13-23
historical statistics, export 17-52
historical trend graph 17-48
homepage
customizing default page 2-4
link descriptions 2-1
overview 2-1
pages in ANM 2-3
HSRP, definition GL-3
HTTP
configuring protocol inspection 7-20
content
sticky group attributes 9-11
sticky type 9-3
cookie
sticky group attributes 9-12
sticky type 9-3
deep packet inspection
class map match conditions 14-17
policy map rules and actions 14-51
header
sticky client identification 9-4
sticky group attributes 9-13
sticky type 9-4
load balancing conditions and options 7-32
optimization policy map rules and actions 14-57
parameter map
attributes 10-10
configuring 10-9
parameter maps 8-77
probe
attributes 8-60
configuring headers 8-74
retcode maps 8-46
return code map configuration options 8-46
protocol inspection conditions and options 7-23
HTTP header
deletion 14-86
insertion 14-85, 14-86
rewrite 14-85, 14-86
HTTP header insertion 14-85
HTTPS
ACE modules, enabling 5-6
configuring protocol inspection 7-20
load balancing conditions and options 7-32
probe
attributes 8-61
configuring headers 8-74
protocol inspection conditions and options 7-23
I
ICMP service parameters, for object groups 6-97
IMAP probe attributes 8-63
import
application template definition 4-26
Import Failed, configuration status 6-103, 6-105
importing
ACE licenses 6-37
ACE modules 5-16
CSM 5-19, 5-20
device failures 20-7
overview 5-10
SSL
certificates 11-7
keys 11-11
inband health monitoring 7-37, 8-34
connection failure count 7-37, 8-34
reset timeout 7-37, 8-34
resume service 7-38, 8-35
installing ACE appliance licenses 6-37
interface
ANM 1-8
buttons 1-11
configuring
on 7600 series routers 5-42
on chassis 5-42
definition GL-4
gigabit Ethernet, configuring 12-32
table conventions 1-14
IP addresses, for object groups 6-91
IP discovery
failure 20-7
IP netmask
for sticky client identification 9-4
sticky group attributes 9-13
sticky type 9-4
IPv6 considerations 1-3
IPv6 prefix
sticky type 9-4
K
key
exporting for SSL 11-17
importing for SSL 11-11
SSL 11-10
key pair, generating 11-14
L
latency optimization, configuring 7-53
Layer 2 VLANs, configuring 5-50
Layer 3/4
management traffic
class map match conditions 14-12
policy map rules and actions 14-39
network traffic
class map match conditions 14-9
policy map rules and actions 14-41
Layer 3 VLANs, configuring 5-51
Layer 4 payload
sticky group attributes 9-14
sticky type 9-4
Layer 7
configuring load balancing 7-30
default load balancing on virtual servers 7-50
FTP command inspection
class map match conditions 14-22
policy map rules and actions 14-48
HTTP deep packet inspection
class map match conditions 14-17
policy map rules and actions 14-51
HTTP optimization policy map rules and actions 14-57
load balancing
HTTP/HTTPS conditions and options 7-32
setting match conditions 7-31
server load balancing
class map match conditions 14-14
policy map rules and actions 14-61
SIP deep packet inspection
class map match conditions 14-30
policy map rules and actions 14-68
Skinny deep packet inspection policy map rules and actions 14-71
least bandwidth, load-balancing method 8-3
leastconns, load-balancing method 8-3
least loaded, load-balancing method 8-3
license
errors, removing 18-55
managing for ACE devices 6-36
relationship between ANM and ACE licenses 6-36
removing ACE licenses 6-39
updating ACE licenses 6-40
viewing ACE license details 6-42
licenses
ANM, removing 18-55
installing 6-37
lifeline
guidelines for use 20-8
overview 20-7
lifeline management 18-72
load balancing
configuration overview 7-1
configuring
real servers 8-1, 8-5
server farms 8-1, 8-30
sticky groups 9-7
virtual servers 7-30
definition GL-4
hash address 8-2
hash cookie 8-2
hash header 8-2
hash url 8-3
least bandwidth 8-3
leastconns 8-3
least loaded 8-3
monitoring on probes 17-40
monitoring on real servers 17-37
monitoring on statistics 17-41
monitoring on virtual servers 17-33
overview 7-1, 8-1
predictors 8-2
response 8-3
roundrobin 8-3
local resource class 6-44
auditing 6-49
configuring 6-52
deleting 6-53
using 6-51
logging, syslog levels 6-19
logging in
to ANM 1-5
Logout button 1-9
M
managing
7600 series routers 5-66
ACLs 6-99
ANM 18-51
chassis 5-66
devices 5-1
domains 18-32
organizations 18-9
real servers 8-9
resource classes 6-43
user accounts 18-17
user roles 18-25
virtual contexts 6-103
virtual servers 7-66
VLANs 5-48
map real server to vCenter Server 5-68
match condition
class map
generic server load balancing 14-23
Layer 3/4 management traffic 14-12
Layer 3/4 network traffic 14-9
Layer 7 FTP command inspection 14-22
Layer 7 HTTP deep packet inspection 14-17
Layer 7 server load balancing 14-14
Layer 7 SIP deep packet inspection 14-30
RADIUS server load balancing 14-25
RTSP server load balancing 14-26
SIP server load balancing 14-27
setting for
class maps 14-8
Layer 7 load balancing 7-31
optimization 7-54
SIP protocol inspection 7-27
MD5, definition GL-4
menus, understanding 1-9
merged ACL 6-78
MIB, definition GL-4
MIME types, supported 10-26
mobile device
registered devices 18-70
modifying
deployed virtual servers 7-88
domains 5-65, 18-36
global resource class 6-50
high availability groups 13-19
organizations 18-14
real servers 8-17, B-18
staged virtual servers 7-88
user accounts 5-55, 18-21
user-defined groups 5-73
user roles 5-60, 18-31
virtual contexts 6-106
module
configuring access credentials 5-29
discovery process 5-31
monitoring discovery progress 5-31
running discovery 5-31
viewing
by chassis 5-79
by router 5-79
monitoring
alarms 17-65
device audit trail logs 18-59
devices 17-3
events 17-55
load balancing 17-33, 17-37, 17-40
load balancing statistics 17-41
traffic 17-30
MSFC, adding switched virtual interface to 12-5
multi-match policy map 14-32
N
Network Address Translation
configuring 12-26
definition GL-4
NAT
configuring 12-26
configuring for virtual servers 7-63
definition GL-4
Navigation pane 1-9
network object group
configuring 6-89
IP addresses 6-91
subnet objects 6-92
network topology maps 17-68
O
object, configuring for virtual servers 7-9
object group
configuring
for ACLs 6-89
GSS VIP answers and DNS rules 7-76
real servers 8-10
virtual servers 7-67
ICMP service parameters 6-97
IP addresses 6-91
protocols 6-93
subnet objects 6-92
TCP/UDP service parameters 6-94
OCSP service, configuring for SSL 11-29
optimization
additional configuration options 7-57
configuration overview 15-6
configuring 7-53
action lists 7-55
globally on ACE appliances 15-9
match conditions 7-54
parameter maps 15-6
traffic policies 15-6
delta optimization 15-2
enabling on virtual servers 15-9
match criteria 7-54
overview 15-2
parameter maps 8-77
traffic policies 15-2
typical configuration flow 15-2
virtual server, additional configuration options 7-57
optimization parameter map
attributes 10-12
configuring 10-12
organizations
definition GL-4
Out of Sync, configuration status 6-103, 6-105
Overlay Transport Virtualization (OTV) 1-3
overview
ACL configuration 6-78
adding supported devices 5-10
admin icon 18-2
application acceleration 15-2
building blocks 16-1
class maps 14-2, 14-3
configuration building blocks 16-1
global and local resource classes 6-44
health monitoring 8-49
importing devices 5-10
load balancing 7-1, 8-1
load-balancing predictors 8-2
managing devices 5-2
optimization 15-2
optimization traffic policies 15-6
parameter maps 10-1
policy maps 14-2, 14-4
protocol inspection 14-6
real server 8-3
resource classes 6-43
server farm 8-3, 8-5
server health monitoring 8-49
server load balancing 8-1
SSL 11-1
stickiness 9-1
sticky group 9-6
sticky table 9-6
traffic policies 14-1
user-defined groups 5-72
using SSL keys and certificates 11-3
virtual server 7-2
P
parameter expander functions 7-61, 10-18
parameter map
ACE device support 10-2
attributes
connection 10-3
DNS 10-25
generic 10-8
HTTP 10-10
optimization 10-12
RTSP 10-20
SIP 10-21
Skinny 10-24
configuring
connection 10-3
DNS 10-25
for SSL 11-18
generic 10-8
HTTP 10-9
optimization 10-12, 15-6
RTSP 10-20
SIP 10-21
Skinny 10-23
overview 10-1
types of 10-2
using with
Layer 3/Layer 4 policy maps 14-5
policy maps 10-1
using with Layer 3/Layer 4 policy maps 8-77
parameter map cipher, configuring for SSL 11-20
passwords, changing
admin 18-14
for accounts 1-7
for ACE appliance 5-75
for chassis 5-75
for CSS 5-75
for GSS 5-75
for the ACE 5-77
for VSS 5-75
in login window 1-7
PAT
configuring 12-27
definition GL-5
peers, high availability 13-15
ping
between devices 17-71
definition GL-5
policy map 14-34
ACE device support 14-32
associating with VLAN interface 12-14
configuring 14-32
match type
all-match 14-32
first-match 14-32
multi-match 14-32
overview 14-2, 14-4
rule and action topic reference 14-34
rules and actions
generic server load balancing 14-35
Layer 3/4 management traffic 14-39
Layer 3/4 network traffic 14-41
Layer 7 FTP command inspection 14-48
Layer 7 HTTP deep packet inspection 14-51
Layer 7 HTTP optimization 14-57
Layer 7 server load balancing 14-61
Layer 7 SIP deep packet inspection 14-68
Layer 7 Skinny deep packet inspection 14-71
RADIUS server load balancing 14-73
RDP server load balancing 14-75
RTSP server load balancing 14-76
SIP server load balancing 14-79
setting rules and actions 14-34
polling
enabling 18-57
parameters, setting 17-46
restarting
for devices 5-78
for virtual contexts 6-108
status
for devices 5-79
for virtual contexts 6-104
POP probe attributes 8-64
port
number, configuring for probes 8-54
Port Address Translation
configuring 12-27
definition GL-5
port channel interfaces
attributes 12-37
configuring 12-35
ports
ANM, used for ANM client (browser) to ANM server communication A-1
ANM, used for managed device communication A-1
definition GL-5
reference A-1
predictor
hash address 8-2
hash cookie 8-2
hash header 8-2
hash url 8-3
least bandwidth 8-3
leastconns 8-3
least loaded 8-3
response 8-3
roundrobin 8-3
predictor method
attributes 7-42, 8-40
configuring for server farms 8-39
primary attributes
7600 series routers 5-38
chassis 5-38
configuration building blocks 16-8
CSM 5-34
CSS 5-35
GSS 5-36
virtual contexts 6-14
probe
attribute tables 8-56
configuring expect status 8-74
configuring for health monitoring 8-51
configuring SNMP OIDs 8-76
DNS 8-57
Echo-TCP 8-58
Echo-UDP 8-58
Finger 8-58
FTP 8-59
HTTP 8-60
HTTPS 8-61
IMAP 8-63
POP 8-64
port number 8-54
RADIUS 8-65
RTSP 8-65
scripted 8-66
scripting using TCL 8-50
SIP-TCP 8-67
SIP-UDP 8-68
SMTP 8-69
SNMP 8-69
TCP 8-70
Telnet 8-70
types for real server monitoring 8-51
UDP 8-71
VM 8-72
process, for traffic classification 14-3
protocol inspection
configuring for virtual servers 7-18
configuring match criteria
HTTP and HTTPS 7-22
SIP 7-27
HTTP/HTTPS conditions and options 7-23
overview 14-6
SIP conditions and options 7-28
virtual server options 7-19
protocol names and numbers 6-86
protocols
for object groups 6-93
for virtual servers 7-11
proxy service, configuring for SSL 11-27
R
RADIUS
probe attributes 8-65
server load balancing
class map match conditions 14-25
policy map rules and actions 14-73
sticky group attributes 9-14
sticky type 9-5
RBAC, definition GL-5
RDP server load balancing policy map rules and actions 14-75
real server
activating 8-14, B-15
adding to server farm 8-37
configuration attributes 8-6, 8-37
configuring 8-5
load balancing service 8-1
definition GL-5
groups 8-10
health monitoring 8-49, 8-51
modifying 8-17, B-18
overview 8-3
suspending 8-15, B-16
viewing all 8-18
real time graph 17-48
redundancy
configuration requirements 13-12
configuration synchronization 13-11
definition GL-5
FT VLAN 13-10
protocol 13-8
task overview 13-14
registered mobile device list 18-70
removing
ACE license 6-39
ANM license files 18-55
rules from roles 5-61
resource, required for sticky groups 9-7
resource class
adding 6-46
allocation constraints 6-44
applying global resource classes 6-47
attributes 6-45
auditing local and global resource classes 6-49
configuring
globally 6-46
locally 6-52
definition GL-5
deleting
global resource class 6-51
local resource class 6-53
deploying global resource class 6-48
global 6-44
local 6-44
managing 6-43
modifying 6-50
overview 6-43
using
global classes 6-46
local classes 6-51
viewing use by contexts 6-54
resources, allocation constraints 6-44
resource usage, viewing 17-26
response load-balancing method 8-3
restarting
ANM (see the Installation Guide) 18-56
restarting device polling 5-78
restore
defaults 6-61
role
definition GL-7
deleting 5-54
role-based access control
authenticating ANM users with AA server 18-38
containment overview 18-4
definition GL-5
roundrobin, load-balancing predictor 8-3
routed ports, configuring 5-46
routes, configuring static routes 5-39
RSA, definition GL-5
RTSP
header
sticky group attributes 9-15
sticky type 9-5
parameter map
attributes 10-20
configuring 10-20
probe attributes 8-65
server load balancing
class map match conditions 14-26
policy map rules and actions 14-76
rule
changing for roles 5-61
setting for policy maps 14-34
S
sample SSL certificate and key pair 11-6
screens, understanding 1-9
scripted probe
attributes 8-66
overview 8-50
secondary IP addresses 12-14
secondary IP groups 12-14
security ACL 6-78
server
activating
real 8-14, B-15
virtual 7-71
managing 8-9
suspending
real 8-15, B-16
virtual 7-72
server farm
adding real servers 8-37
configuration attributes 7-34, 8-31
configuring
HTTP return error-code checking 8-46
load balancing 8-1, 8-30
predictor method 8-39
definition GL-6
Dynamic Workload Scaling 7-36, 8-33
health monitoring 8-49
inband health monitoring 7-37, 8-34
overview 8-3, 8-5
predictor method attributes 7-42, 8-40
viewing list of 8-48
Server Load Balancer (SLB), definition GL-6
server load balancing
generic class map match conditions 14-23
generic policy map rules and actions 14-35
Layer 7 class map match conditions 14-14
Layer 7 policy map rules and actions 14-61
overview 7-1, 8-1
RADIUS class map match conditions 14-25
RADIUS policy map rules and actions 14-73
RDP policy map rules and actions 14-75
RTSP class map match conditions 14-26
RTSP policy map rules and actions 14-76
SIP class map match conditions 14-27
SIP policy map rules and actions 14-79
service, definition GL-6
service object group
configuring 6-89
ICMP service parameters 6-97
protocols 6-93
TCP/UDP service parameters 6-94
setup sequence
SSL 11-4
setup syslog for Autosync, enabling 5-27
shared object
and deleting virtual servers 7-10
configuring 7-10
configuring for virtual servers 7-9
SIP
configuring protocol inspection 7-21
deep packet inspection
class map match conditions 14-30
policy map rules and actions 14-68
header sticky type 9-5
parameter map
attributes 10-21
configuring 10-21
protocol inspection conditions and options 7-28
server load balancing
class map match conditions 14-27
policy map rules and actions 14-79
SIP-TCP probe attributes 8-67
SIP-UDP probe attributes 8-68
Skinny
deep packet inspection policy map rules and actions 14-71
parameter map
attributes 10-24
configuring 10-23
SMTP
configuring for email notifications 17-68
probe attributes 8-69
SNMP
configuration attributes 6-27
configuring
communities 6-28
for virtual contexts 6-27
notification 6-33
trap destination hosts 6-32
version 3 users 6-29
credentials 5-30
enabling collection 6-108
enabling polling 5-7
probe attributes 8-69
supported versions 5-7
trap destination host configuration 6-32
user configuration attributes 6-30
special characters for matching string expressions 14-84
special configuration file, definition GL-6
SSH
ACE appliance, enabling 5-6
ACE modules, enabling 5-6
chassis, enabling 5-5
enabling on ACE modules for discovery 5-28
SSHv2, chassis requirement in ANM 5-6
SSL
certificate
exporting 11-15
exporting attributes 11-16
importing 11-7
importing attributes 11-8, 11-9
overview 11-3
sample 11-6
using 11-5
configuring
authorization group certificates 11-32
chain group certificates 11-23
chain group parameters 11-23
CSR parameters 11-24
for virtual servers 7-17
OCSP service 11-29
parameter map 11-18
parameter map cipher 11-20
proxy service 11-27
CSR parameters 11-25
editing
CSR parameters 11-25
parameter map cipher info 11-20
parameter maps 11-18, 11-27
exporting
certificates 11-15
key pairs 11-16
keys 11-17
generating
CSR 11-26
key pair 11-14
header insertion, configuring 14-89
importing
certificates 11-7
keys 11-11
key
exporting 11-17
importing 11-11
overview 11-3
using 11-10
key pair
exporting 11-16
generating 11-14
importing attributes 11-12
sample 11-6
objects, deleting 11-2
overview 11-1
parameter map cipher table 11-20
parameter maps 11-18, 11-27
procedure overview 11-3
redirect authentication failure 11-21
sample certificate and key pair 11-6
setup sequence
using 11-4
URL rewrite, configuring 14-88
SSL certificate, using 11-5
SSL header insertion, configuring 14-85, 14-89
SSL key, using 11-10
SSL setup sequence, using 11-4
SSL URL rewrite, configuring 14-85
staged virtual server
deploying 7-87
viewing all 7-87
static route
configuring 5-39, 12-28
statistics
ANM server 18-56
status, Cisco ANM server 18-52
Status bar 1-9
stickiness
cookie-based 9-3
HTTP content 9-3
HTTP cookie 9-3
HTTP header 9-4
IP netmask 9-4
IPv6 prefix 9-4
Layer 4 payload 9-4
overview 9-1
RADIUS 9-5
RTSP header 9-5
SIP header 9-5
sticky group 9-6
sticky table 9-6
types 9-2
sticky
cookies for client identification 9-3
definition GL-6
e-commerce application requirements 9-1
groups 9-6
HTTP header for client identification 9-4
IP netmask for client identification 9-4
overview 9-2
types 9-2
sticky group
attributes
HTTP content 9-11
HTTP cookie 9-12
HTTP header 9-13
IP netmask 9-13
Layer 4 payload 9-14
RADIUS 9-14
RTSP header 9-15
V6 prefix 9-13
configuration options 7-47, 9-8
configuring
load balancing 9-7
sticky statics 9-15
overview 9-6
required resource allocation 9-7
type-specific attributes 9-11
viewing 9-15
sticky statics, configuring for sticky groups 9-15
sticky table overview 9-6
sticky type
IP netmask 9-4
HTTP content 9-3
HTTP cookie 9-3
HTTP header 9-4
IPv6 prefix 9-4
Layer 4 payload 9-4
RADIUS 9-5
RTSP header 9-5
SIP header 9-5
string expression, special characters 14-84
subnet objects, for object groups 6-92
supervisor
assigning VLAN groups to the ACE 12-4
supervisor module, viewing by chassis 5-79
suspend, definition GL-6
suspending
DNS rules for GSS 7-75
real servers 8-15, B-16
virtual servers 7-72
switched virtual interface, adding to MSFC 12-5
switchover 13-9
switch virtual interfaces, configuring 5-45
synchronization of configuration 13-11
synchronizing
ACE module configurations 5-67
configurations for high availability 13-30
contexts created in CLI 7-2, 7-4
device configurations 5-66
virtual context configurations 6-105
sync status, virtual contexts 6-103
syslog
configuration attributes 6-20
configuring
logging 6-19
logging levels 6-19
log hosts 6-23
log messages 6-24
log rate limits 6-26
settings for synchronizing with ACE CLI
autosync 6-105
syslog, setup for Autosync 5-27
syslog logging, configuring 6-19
syslog messages
enabling ACE 5-27
overwriting the ACE logging device-id 18-62
system templates 4-1
T
table
conventions 1-14
customizing 1-15
default distance values 5-40
filtering information in 1-14
ICMP type numbers and names 6-98
protocol names and numbers 6-86
topic reference for policy map rules and actions 14-34
table conventions 1-14
tables
for probe attributes 8-56
for sticky group attributes 9-11
TACACS+ server, authenticating ANM users 18-38
tagging building blocks 16-4, 16-9
takeover, forcing in high availability 13-22
task overview, redundancy 13-14
TCL script
health monitoring 8-50
overview 8-50
TCP
options for connection parameter maps 10-7
probe attributes 8-70
service parameters for object groups 6-94
Telnet
configuring credentials 5-29
import method for chassis 5-5
probe attributes 8-70
template. See building block.
template editor 4-29
edit application template definition 4-18
templates
system 4-1
user-defined 4-2
terminating
current user sessions 18-24
test
application template definition 4-28
threshold, definition GL-7
topic reference for configuring rules and actions 14-34
topology maps 17-68
traceroute, definition GL-7
traffic, monitoring 17-30
traffic class components 14-4
traffic classification process 14-3
traffic policy
ACE device support 14-2
components 14-4
configuring 14-1
for application acceleration 15-2
for optimization 15-2
lookup order 14-5
overview 14-1
troubleshooting
importing, ACE module state 5-16
IP discovery 20-7
troubleshooting, using lifeline 20-7
trunk ports, configuring 5-44
types of user 18-5
U
UDP probe attributes 8-71
UDP service parameters, for object groups 6-94
understanding
domains 18-7
operations privileges 18-6
roles 18-6
user groups 18-7
Unprovisioned, configuration status 6-103, 6-105
updating, configuration values 20-1
updating ACE licenses 6-40
upgrading virtual contexts 6-107
URL rewrite, configuring 14-88
user-defined groups
adding 5-72
deleting 5-75
duplicating 5-74
modifying 5-73
overview 5-72
user-defined templates 4-2
user roles, definition GL-7
using
ACLs 6-78
building blocks 16-1
virtual contexts 6-2
V
V6 prefix
sticky group attributes 9-13
versions of building blocks 16-4
view
application template instance details 4-12
viewing 18-61
7600 series router VLANs 5-49
ACE license details 6-36
ACLs by context 6-99
all devices 5-78
all real servers 8-18
all server farms 8-48
all sticky groups 9-15
all virtual servers 7-81
building block use 16-11
BVI interfaces by context 12-25
chassis VLANs 5-49
configuration building block use 16-11
current user sessions 18-24
license information 6-42
ports 5-42
resource class use on contexts 6-54
staged virtual servers 7-87
virtual server details 7-81
virtual servers by context 7-65
VLAN interfaces by context 12-18
VIP Answer table, and GSS 7-73
virtual context
back up and restore overview 6-59
comparing configuration with building block 6-101
configuration
attributes 6-3
audit 6-101
options 6-8, 6-9
primary attributes 6-14
configuring 6-1
BVI interfaces 12-19
class map match conditions 14-8
class maps 14-6
global policies 6-35
load balancing services 7-1
policy map rules and actions 14-34
policy maps 14-32
primary attributes 6-14
resource classes 6-52
SNMP 6-27
static routes 12-28
syslog 6-19
system attributes 6-13
VLAN interfaces 12-6
create a configuration backup 6-62
creating 6-2
definition GL-7
deleting 6-107
description 6-2
expert options 6-101
managing 6-103
modifying 6-106
monitoring resource usage 17-26
polling
restarting 6-108
viewing status 6-104
restore a configuration 6-66
synchronizing configurations 6-105
sync status 6-103
syslog setup for autosync 6-105
upgrading 6-107
using
for configuration building blocks 16-6
overview 6-2
viewing
all contexts 6-103
BVI interfaces 12-25
polling status 6-104
resource class use 6-54
sync status 6-103
VLANS 12-18
virtual data center B-1, B-2
Virtual Local Area Network (VLAN), definition GL-7
virtual server 7-30, 7-57
activating 7-71
additional options 7-3
advanced view properties 7-12
and user roles 7-3
application acceleration 7-53
application acceleration, additional configuration options 7-57
basic view properties 7-16
configuration
methods 7-4
recommendations 7-4
configuration subsets 7-8
configuring 7-1, 7-2, 7-7
application acceleration 7-53
default Layer 7 load balancing 7-50
in ANM 7-2
in CLI 7-2, 7-4
Layer 7 load balancing 7-30
NAT 7-63
optimization 7-53, 15-9
properties 7-11
protocol inspection 7-18
shared objects 7-9
SSL 7-17
definition GL-7
deleting and shared objects 7-10
deployed servers, modifying 7-88
deploying staged servers 7-87
groups 7-67
GSS answer table 7-73, 7-75
load balancing
default 7-50
Layer 7 7-30
managing 7-66
minimum configuration 7-2
modifying
deployed servers 7-88
staged servers 7-88
optimization 7-53
overview 7-2
properties
advanced view 7-12
basic view 7-16
protocols 7-11
recommendations for configuring 7-4
shared objects 7-5, 7-9
SSL attributes 7-17
staged servers
deploying 7-87
modifying 7-88
viewing 7-87
suspending 7-72
viewing
all 7-81
by context 7-65
details 7-81
servers 7-65
staged servers 7-87
VLAN
adding to 7600 series router 5-48
adding to chassis 5-48
configuring
access control 12-14
ACLs 12-14
Layer 2 VLANs 5-50
Layer 3 VLANs 5-51
NAT 12-26
policy maps 12-14
creating VLAN groups 5-52
definition GL-7
FT VLAN for redundancy 13-10
interface
access control 12-14
attributes 12-6
configuring 12-6
NAT pools 12-26
policy maps 12-14
viewing 12-18
managing 5-48
modifying
on 7600 series router 5-51
on chassis 5-51
viewing
by 7600 series router 5-49
by chassis 5-49
VLAN group, creating 5-52
VLAN interfaces
attributes 12-6
configuring 12-6
access control 12-14
for virtual contexts 12-6
policy maps 12-14
viewing by context 12-18
VLANs
configuring 12-3
configuring on the supervisor 12-3
enabling autostate supervisor notification 12-5
groups, assigning 12-4
groups, creating 12-3
secondary IP addresses, configuring 12-14
switched virtual interfaces, adding to MSFC 12-5
VLAN Trunking Protocol, definition GL-8
VM probe attributes 8-72
VMware
ANM plug-in B-2
Cisco ACE SLB tab
details B-3
overview B-3
information about B-2
managing real servers B-12
map real server to vCenter Server 5-68
vCenter Server B-2
vSphere Client B-2
VSS
changing passwords 5-75
VTP, definition GL-8
VTP domain, definition GL-8
W
Web server, definition GL-8
weighted roundrobin. See roundrobin
write mem on Config > Operations, enabling 18-63
Cloud Computing serving Professional Education.
SUCCESS STORY
www.teltecnetworks.com.br

About SENAI/SC
SENAI of Santa Catarina has an extensive network of units: 35 schools distributed across the entire state, more than 100,000 students enrolled per year, and a total of 900 teaching environments, including classrooms, teaching laboratories and libraries. In addition, there are all the administrative processes and the channels of contact with students. All of this rests on a corporate network, an information technology infrastructure that needs excellent performance, reliability and also security.

Challenge
Virtualization of the datacenter servers
Deploy a technology solution that would meet the growing demand for new IT services, through server virtualization and adaptation of the IT infrastructure for private cloud computing.
Needing to provide high-quality services to its customers, SENAI/SC had to expand its infrastructure to meet business demands. To that end, it chose virtualization of its servers as the best technology to guarantee quality and availability of services and ease of growth of the infrastructure (scalability). The solution was deployed with the Cisco UCS (Unified Computing System) architecture, Nexus 5000 switches and VMware vSphere.
The deployment partner was TELTEC Networks.
With the goal of improving service to its customers, SENAI/SC chose a new solution for its datacenter, aimed at:
Providing the infrastructure needed for server virtualization, with the goal of more effective use of the purchased hardware as well as reduced investment and electricity consumption;
Preparing its environment to support cloud computing, giving the solution the flexibility and agility needed for the infrastructure to scale;
Speeding up the configuration and deployment of new servers, reducing provisioning time and requiring less working time for this activity;
A simplified solution, with a single management interface, able to grow without major cable reworking inside the datacenter;
A solution fully integrated with the virtualization environment, allowing more effective and higher-performance use of resources;
An environment that allows, in future projects, desktop virtualization.

Solution
The Cisco UCS solution was chosen because it best met the requirements above. It is a solution that brings a new architecture to the datacenter, enabling integration and flexibility for virtualized environments. It also brings simplicity, easing the daily activities of the infrastructure administrators.
According to Paulo Alberto Violada, IT coordinator at SENAI/SC, with the project deployed, provisioning time for new services/servers will be reduced from 8 hours to 1 hour, in addition to the possibility of performing maintenance on services during business hours without degrading service quality. Provisioning time and the ability to perform maintenance without service outages are of vital importance, since many services are critical to the institution, such as its distance learning platform and its Business Management System (SGN).
Besides fast provisioning, the solution will allow the number of servers to be expanded at times when lists of admitted students are published and at the close of school semesters, situations that generate heavy access load on the SENAI/SC servers.
In this phase, SENAI intends to migrate all servers to the new platform, virtualizing them. With that it will be able to start its private cloud computing project, which may continue with a desktop virtualization project.

Technical data of the solution:
Equipment purchased and its functions:
Cisco UCS B-Series (B-200 M2 servers): the servers were used for datacenter virtualization. The server consolidation ratio achieved was approximately 7:1 (7 physical servers virtualized onto a single UCS server). The solution implements the VN-Link feature in hardware (a characteristic of the UCS B-Series).
Cisco Nexus 5020: increasing the datacenter backbone speed tenfold (from 1 to 10 Gbps). The Nexus switches are redundant, configured in vPC (Virtual PortChannel) to eliminate the need for spanning-tree in the infrastructure (simplifying the environment and ensuring more performance);
Cisco MDS 9148: used to create redundant paths to the storage environment.

Gains for SENAI/SC
Agility in provisioning new IT services;
Increased availability of the services provided by IT;
Easier maintenance of virtualized services;
Increased network performance, moving the datacenter backbone from 1 to 10 Gbps;
Reduced datacenter complexity;
Ease of growth (scalability);
Integration between hardware (UCS) and software (VMware), allowing a performance gain compared to other market solutions.
A-1
Catalyst 6500 Series Switches Installation Guide
OL-5781-08
APPENDIX A
Power Supply Specifications
Revised: April 9, 2015
This appendix describes the Catalyst 6500 series power supplies and provides their specifications. This
appendix contains the following sections:
• Power Supply Compatibility Matrix, page A-2
• 950 W AC-Input and DC-Input Power Supplies, page A-5
• 1000 W AC-Input Power Supply, page A-10
• 1300 W AC-Input and DC-Input Power Supplies, page A-13
• 1400 W AC-Input Power Supply, page A-18
• 2500 W AC-Input and DC-Input Power Supplies, page A-23
• 2700 W AC-Input and DC-Input Power Supplies, page A-29
• 3000 W AC-Input Power Supply, page A-36
• 4000 W AC-Input and DC-Input Power Supplies, page A-41
• 6000 W AC-Input and DC-Input Power Supplies, page A-46
• 8700 W AC-Input Power Supply, page A-54
• AC Power Cord Illustrations, page A-63
• Power Supply Redundancy, page A-73
Table A-1 lists the currently available Catalyst 6500 series switch power supplies and the power supply
description location.

Table A-1 Catalyst 6500 Series Power Supplies
Power Supply Rating   AC-Input Model Product Number          DC-Input Model Product Number
950 W (1)             PWR-950-AC                             PWR-950-DC
1000 W                WS-CAC-1000W                           Not Available
1300 W                WS-CAC-1300W                           WS-CDC-1300W
1400 W (1)            PWR-1400-AC                            Not Available
2500 W                WS-CAC-2500W                           WS-CDC-2500W
2700 W (2)            PWR-2700-AC/4                          PWR-2700-DC/4
3000 W                WS-CAC-3000W                           Not Available
4000 W                WS-CAC-4000W-US (1), WS-CAC-4000W-INT  PWR-4000-DC
6000 W                WS-CAC-6000W                           PWR-6000-DC
8700 W                WS-CAC-8700W-E                         Not Available
1. For use with the Catalyst 6503 and Catalyst 6503-E switches only.
2. For use with the Catalyst 6504-E switch only.

Note The Catalyst 6500 series switches allow you to mix AC-input and DC-input power supplies in the same
chassis.
Note Many telco organizations require a –48 VDC power supply to accommodate their power distribution
systems. From an operational perspective, the DC-input power supply has the same characteristics as the
AC-input version.

Power Supply Compatibility Matrix
Table A-2 lists the compatibility of the power supplies with the Catalyst 6500 switch chassis.
Table A-2 Catalyst 6500 Series Switch Supported Power Supply Configurations
(Columns: Platform; Supported Power Supplies; Chassis/Power Supply Restrictions)

Catalyst 6503
Supported power supplies:
• 950 W AC-input and DC-input
• 1400 W AC-input
Restrictions:
• The 950 W AC-input power supply requires a PEM-15A-AC Power Entry Module (PEM).
• The 1400 W AC-input power supply requires a PEM-20A-AC+ Power Entry Module (PEM).

Catalyst 6503-E
Supported power supplies:
• 950 W AC-input and DC-input
• 1400 W AC-input
Restrictions:
• The 950 W AC-input power supply requires a PEM-15A-AC Power Entry Module (PEM).
• The 1400 W AC-input power supply requires a PEM-20A-AC+ Power Entry Module (PEM).

Catalyst 6504-E
Supported power supplies:
• 2700 W AC-input and DC-input
Restrictions: No restrictions.

Catalyst 6506
Supported power supplies:
• 1000 W AC-input
• 1300 W AC-input and DC-input
• 2500 W AC-input and DC-input
• 3000 W AC-input
• 4000 W AC-input and DC-input
• 6000 W AC-input and DC-input
• 8700 W AC-input
Restrictions: The 6000 W AC-input, 6000 W DC-input, and the 8700 W AC-input power supplies are limited to
4000 W when they are installed in the Catalyst 6506 switch chassis.

Catalyst 6506-E
Supported power supplies:
• 2500 W AC-input and DC-input
• 3000 W AC-input
• 4000 W AC-input and DC-input
• 6000 W AC-input and DC-input
• 8700 W AC-input
Restrictions: No restrictions.

Catalyst 6509
Supported power supplies:
• 1000 W AC-input
• 1300 W AC-input and DC-input
• 2500 W AC-input and DC-input
• 3000 W AC-input
• 4000 W AC-input and DC-input
• 6000 W AC-input and DC-input
• 8700 W AC-input
Restrictions: The 6000 W AC-input, 6000 W DC-input, and the 8700 W AC-input power supplies are limited to
4000 W when they are installed in the Catalyst 6509 switch chassis.

Catalyst 6509-E
Supported power supplies:
• 2500 W AC-input and DC-input
• 3000 W AC-input
• 4000 W AC-input and DC-input
• 6000 W AC-input and DC-input
• 8700 W AC-input
Restrictions: No restrictions.

Catalyst 6509-NEB
Supported power supplies:
• 1000 W AC-input
• 1300 W AC-input and DC-input
• 2500 W AC-input and DC-input
• 3000 W AC-input
• 4000 W AC-input and DC-input
• 6000 W AC-input and DC-input
• 8700 W AC-input
Restrictions: The 6000 W AC-input, 6000 W DC-input, and the 8700 W AC-input power supplies are limited to
4000 W when they are installed in the Catalyst 6509-NEB switch chassis.

Catalyst 6509-NEB-A
Supported power supplies:
• 2500 W AC-input and DC-input
• 3000 W AC-input
• 4000 W AC-input and DC-input
• 6000 W AC-input and DC-input
• 8700 W AC-input
Restrictions: The 6000 W AC-input, 6000 W DC-input, and the 8700 W AC-input power supplies are limited to
4500 W maximum output when they are installed in the Catalyst 6509-NEB-A switch chassis.

Catalyst 6509-V-E
Supported power supplies:
• 2500 W AC-input and DC-input
• 3000 W AC-input
• 4000 W AC-input and DC-input
• 6000 W AC-input and DC-input
• 8700 W AC-input
Restrictions: No restrictions.

Catalyst 6513
Supported power supplies:
• 2500 W AC-input and DC-input
• 3000 W AC-input
• 4000 W AC-input and DC-input
• 6000 W AC-input and DC-input
• 8700 W AC-input
Restrictions: The 8700 W AC-input power supply is limited to 6000 W maximum output when it is installed in
the Catalyst 6513 switch chassis.

Catalyst 6513-E
Supported power supplies:
• 2500 W DC-input
• 3000 W AC-input
• 4000 W AC-input and DC-input
• 6000 W AC-input and DC-input
• 8700 W AC-input
Restrictions: No restrictions.
950 W AC-Input and DC-Input Power Supplies
The 950 W AC-input (PWR-950-AC) and DC-input (PWR-950-DC) power supplies can be installed in
the Catalyst 6503 and Catalyst 6503-E switch chassis only. Due to form factor differences, the 950 W
AC-input and DC-input power supplies cannot be installed in any other Catalyst 6500 series switch
chassis.
The 950 W power supplies (see Figure A-1) do not connect directly to source AC or source DC but use
Power Entry Modules (PEMs), located on the front of the Catalyst 6503 and Catalyst 6503-E switch
chassis, to connect the site power source to the power supply located in the back of the chassis. The form
factor is the same for the AC-input and DC-input power supplies.
The AC-input PEM (shown in Figure A-2) and DC-input PEM (shown in Figure A-3) provide an input
power connection on the front of the switch chassis to connect the site power source to the power supply.
You can connect the DC-input power supply to the power source with heavy gauge wiring connected to
a terminal block. The actual wire gauge size is determined by local electrical codes and restrictions.
Note The system (NEBS) ground serves as the primary safety ground for Catalyst 6503 and Catalyst 6503-E
chassis that are equipped with 950 W DC-input power supplies and DC-input PEMs. The DC-input
power supplies for these chassis do not have a separate ground.
The PEMs have an illuminated power switch (AC-input model only), current protection, surge and EMI
suppression, and filtering functions.
Figure A-1 950 W AC- and DC-Input Power Supplies
[Figure: callouts for the status LEDs (INPUT OK, FAN OK, OUTPUT FAIL) and the captive installation screws]
Figure A-2 950 W AC-Input PEM (PEM-15A-AC)
[Figure: callouts for the IEC 60320 C15 connector, the AC power switch and the captive installation screws]
Figure A-3 DC Power Entry Module (PEM)
[Figure: Catalyst 6503 DC PEM, with callouts for the captive installation screws]
950 W Power Supply Specifications
Table A-3 lists the specifications for the 950 W AC-input power supply.
Table A-3 950 W AC-Input Power Supply Specifications
(Columns: Specification; Description)
AC-input type: Autoranging input with power factor correction (PFC)
Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies.
PFC reduces the reactive component in the source AC current allowing higher power factors (typically
99 percent or better) and lower harmonic current components.
AC-input voltage:
• Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max)
• High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current:
• 12 A @ 120 VAC
• 6 A @ 230 VAC
AC-input frequency: 50/60 Hz (nominal)
Branch circuit requirement: Each chassis power supply should have its own dedicated, fused-branch circuit:
• For North America—15 A
• For International—Circuits sized to local and national codes
• All Catalyst 6500 series AC-input power supplies require single-phase source AC.
• All AC power supply inputs are fully isolated.
– Source AC can be out of phase between multiple power supplies in the same chassis, which means that
PS1 can be operating from phase A and PS2 can be operating from phase B.
– For high-line operation, the power supply operates with the hot conductor wired to a source AC phase
and the neutral conductor wired either to ground or to another source AC phase as long as the net input
voltage is in the range of 170 to 264 VAC.
– Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC
inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into
phase B.
Power supply output capacity: 950 W maximum (100–240 VAC)
Power supply output:
• 15 A @ +1.5 VDC
• 2.5 A @ +3.3 VDC
• 19.15 A @ +50 VDC
Output holdup time: 20 ms minimum
kVA rating (1): 1.32 kVA
Heat dissipation: 4441 BTU/hour (approx.)
Weight: 8.2 lb (3.7 kg)
1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard
circuits and transformers to power a switch.
A-8
Catalyst 6500 Series Switches Installation Guide
OL-5781-08
Appendix A Power Supply Specifications
950 W AC-Input and DC-Input Power Supplies
Table A-4 lists the specifications for the 950 W DC-input power supply.
Table A-5 lists the power supply LEDs and their meanings.

Table A-4 950 W DC-Input Power Supply Specifications
(Columns: Specification; Description)
DC-input voltage: –48 VDC to –60 VDC continuous
DC-input current:
• 28 A @ –48 VDC
• 23 A @ –60 VDC
Power supply output capacity: 950 W
Power supply output:
• 15 A @ +1.5 VDC
• 2.5 A @ +3.3 VDC
• 19.15 A @ +50 VDC
Output holdup time: 8 ms
Heat dissipation: 4632 BTU/hour (approx.)
Weight: 8.4 lb (3.8 kg)

Table A-5 950 W AC-Input and DC-Input Power Supply LEDs
(Columns: LED; Meaning)
INPUT OK
AC-input power supplies:
• Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.)
• Off—Source AC voltage falls below 70 VAC, is not present, or the PEM is turned off.
DC-input power supplies:
• Green—Source DC voltage is OK. (–40.5 VDC or greater.)
• Off—Source DC voltage falls below –33 VDC or is not present at the PEM.
FAN OK
• Green—Power supply fan is operating properly.
• Off—Power supply fan failure is detected.
OUTPUT FAIL
• Red—Problem with one or more of the DC-output voltages of the power supply is detected.
• Off—DC-output voltages within acceptable margins.
Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured
with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a
minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet
these minimum configuration requirements can cause a false power supply output fail signal.
950 W Power Supply AC Power Cords
Table A-6 lists the 950 W AC-input power supply AC power cords specifications. These power cords
plug into the 950 W PEM(PEM-15A-AC), not directly into the power supply. The table includes
references to power cord illustrations.
Note All 950 W power supply power cords are 8 feet 2 inches (2.5 meters) in length.
Note All 950 W power supply power cords have an IEC60320/C15 appliance connector at one end. The
appliance connector has a 90° left bend.
Table A-6 950 W AC-Input Power Supply Power Cords
Locale                      Power Cord Part Number   AC Source Plug Type   Cordset Rating   Power Cord Reference Illustration
Argentina                   CAB-7KACR=               IRAM 2073             10 A, 250 VAC    Figure A-25
Australia, New Zealand      CAB-AC10A-90L-AU=        SAA AS 3112           10 A, 250 VAC    Figure A-20
Continental Europe          CAB-AC10A-90L-EU=        CEE 7/7               10 A, 250 VAC    Figure A-21
Italy                       CAB-AC10A-90L-IT=        CEI 23-16/7           10 A, 250 VAC    Figure A-22
Japan, North America        CAB-AC15A-90L-US=        NEMA 5-15             15 A, 125 VAC    Figure A-23
United Kingdom              CAB-AC10A-90L-UK=        BS 1363 (1)           10 A, 250 VAC    Figure A-24
1. Plug contains a 13 A fuse.
1000 W AC-Input Power Supply
The 1000 W AC-input power supply (WS-CAC-1000W) is supported in the following Catalyst 6500
series switches:
• Catalyst 6506
• Catalyst 6509
• Catalyst 6509-NEB
The 1000 W power supply (shown in Figure A-4) shares the same form factor as the 1300 W, 2500 W,
3000 W, 4000 W, and 6000 W AC-input power supplies.
Figure A-4 1000 W AC-Input Power Supply
[Figure: callouts for the power switch (I/0), the cable retention device, the AC power connection, the
status LEDs (INPUT OK, FAN OK, OUTPUT FAIL) and the captive installation screw]
1000 W Power Supply Specifications
Table A-7 lists the specifications for the 1000 W AC-input power supply.

Table A-7 1000 W Power Supply Specifications
(Columns: Specification; Description)
AC-input type: Autoranging input with power factor correction (PFC)
Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies.
PFC reduces the reactive component in the source AC current allowing higher power factors (typically
99 percent or better) and lower harmonic current components.
AC-input voltage:
• Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max)
• High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current:
• 12 A @ 120 VAC
• 6 A @ 230 VAC
AC-input frequency: 50/60 Hz (nominal)
Branch circuit requirement: Each chassis power supply should have its own dedicated, fused-branch circuit:
• For North America—15 A or 20 A
• For International—Circuits sized to local and national codes
• All Catalyst 6500 series AC-input power supplies require single-phase source AC.
• All AC power supply inputs are fully isolated.
– Source AC can be out of phase between multiple power supplies in the same chassis, which means that
PS1 can be operating from phase A and PS2 can be operating from phase B.
– For high-line operation, the power supply operates with the hot conductor wired to a source AC phase
and the neutral conductor wired either to ground or to another source AC phase as long as the net input
voltage is in the range of 170 to 264 VAC.
– Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC
inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into
phase B.
Power supply output capacity: 1000 W
Power supply output:
• 15 A @ +3.3 VDC
• 5 A @ +5 VDC
• 6 A @ +12 VDC
• 20.3 A @ +42 VDC
Output holdup time: 20 ms minimum
kVA rating (1): 1.25 kVA
Heat dissipation: 4213 BTU/hour (approx.)
Weight: 14.8 lb (6.7 kg)
1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard
circuits and transformers to power a switch.

Table A-8 lists the power supply LEDs and their meanings.

Table A-8 1000 W Power Supply LEDs
(Columns: LED; Meaning)
INPUT OK
• Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.)
• Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off.
FAN OK
• Green—Power supply fan is operating properly.
• Off—Power supply fan failure is detected.
OUTPUT FAIL
• Red—Problem with one or more of the DC-output voltages of the power supply is detected.
• Off—DC-output voltages within acceptable margins.
Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured
with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a
minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet
these minimum configuration requirements can cause a false power supply output fail signal.
1000 W Power Supply AC Power Cords
Table A-9 lists the specifications for the AC power cords that are available for the 1000 W AC-input
power supply. The table includes references to power cord illustrations.
Note All 1000 W power supply power cords are 8 feet 2 inches (2.5 meters) in length.
Note All 1000 W power supply power cords have an IEC60320/C15 appliance plug at one end.

Table A-9 1000 W AC-Input Power Supply Power Cords
Locale                      Power Cord Part Number   AC Source Plug Type   Cordset Rating   Power Cord Reference Illustration
Argentina                   CAB-7KACR=               IRAM 2073             10 A, 250 VAC    Figure A-25
Australia, New Zealand      CAB-7KACA=               SAA AS 3112           15 A, 250 VAC    Figure A-26
Continental Europe          CAB-7KACE=               CEE 7/7               16 A, 250 VAC    Figure A-27
Italy                       CAB-7KACI=               CEI 23-16/7           10 A, 250 VAC    Figure A-28
Japan, North America        CAB-7KAC-15=             NEMA 5-15             15 A, 125 VAC    Figure A-29
United Kingdom              CAB-7KACU=               BS 1363 (1)           10 A, 250 VAC    Figure A-30
1. Plug contains a 13 A fuse.

1300 W AC-Input and DC-Input Power Supplies
The 1300 W AC-input power supply (WS-CAC-1300W) and 1300 W DC-input power supply
(WS-CDC-1300W) are supported in the following Catalyst 6500 series switches:
• Catalyst 6506
• Catalyst 6509
• Catalyst 6509-NEB
The 1300 W power supply (see Figure A-5 for the 1300 W AC-input power supply and Figure A-6 for
the 1300 W DC-input power supply) shares the same form factor as the 1000 W, 2500 W, 3000 W,
4000 W, and 6000 W AC-input power supplies.
Figure A-5 1300 W AC-Input Power Supply
[Figure: callouts for the power switch (I/0), the cable retention device, the AC power connection, the
status LEDs (INPUT OK, FAN OK, OUTPUT FAIL) and the captive installation screw]
Figure A-6 1300 W DC-Input Power Supply
[Figure: callouts for the terminal block cover, the captive installation screw and the status LEDs
(INPUT OK, FAN OK, OUTPUT FAIL)]
1300 W Power Supply Specifications
Table A-10 lists the specifications for the 1300 W AC-input power supply.

Table A-10 1300 W AC-Input Power Supply Specifications
(Columns: Specification; Description)
AC-input type: Autoranging input with power factor correction (PFC).
Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies.
PFC reduces the reactive component in the source AC current allowing higher power factors (typically
99 percent or better) and lower harmonic current components.
AC-input voltage:
• Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max)
• High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current:
• 16 A @ 120 VAC
• 8 A @ 230 VAC
AC-input frequency: 50/60 Hz (nominal) (±3 Hz for full range)
Branch circuit requirement: Each chassis power supply should have its own dedicated, fused-branch circuit:
• For North America—15 A or 20 A
• For International—Circuits sized to local and national codes
• All Catalyst 6500 series AC-input power supplies require single-phase source AC.
• All AC power supply inputs are fully isolated.
– Source AC can be out of phase between multiple power supplies in the same chassis, which means that
PS1 can be operating from phase A and PS2 can be operating from phase B.
– For high-line operation, the power supply operates with the hot conductor wired to a source AC phase
and the neutral conductor wired either to ground or to another source AC phase as long as the net input
voltage is in the range of 170 to 264 VAC.
– Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC
inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into
phase B.
Power supply output capacity:
• 1300 W maximum (AC-input)
• 1360 W maximum (DC-input)
Power supply output:
• 15 A @ +3.3 VDC
• 5 A @ +5 VDC
• 6 A @ +12 VDC
• 27.46 A @ +42 VDC
Output holdup time: 20 ms minimum
kVA rating (1): 1.625 kVA
Heat dissipation: 5478 BTU/hour (approx.)
Weight: 18.4 lb (8.3 kg)
1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard
circuits and transformers to power a switch.

Table A-11 lists the specifications for the 1300 W DC-input power supply.
Table A-12 lists the 1300 W power supply LEDs and their meanings.

Table A-11 1300 W DC-Input Power Supply Specifications
(Columns: Specification; Description)
DC-input voltage: –48 VDC to –60 VDC continuous
DC-input current:
• 39 A @ –48 VDC
• 31 A @ –60 VDC
Power supply output capacity: 1360 W maximum (DC-input)
Power supply output:
• 15 A @ +3.3 VDC
• 5 A @ +5 VDC
• 6 A @ +12 VDC
• 28.9 A @ +42 VDC
DC input terminal block: Accepts 3 AWG to 10 AWG copper conductors. Actual size of the wire needed is
determined by the installer or local electrician. Terminal block material is rated at 120°C.
Output holdup time: 8 ms
Heat dissipation: 6447 BTU/hour (approx.)
Weight: 21.0 lb (9.5 kg)
Table A-12 1300 W AC-Input and DC-Input Power Supply LEDs
(Columns: LED; Meaning)
INPUT OK
AC-input power supplies:
• Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.)
• Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off.
DC-input power supplies:
• Green—Source DC voltage is OK. (Input voltage is –40.5 VDC or greater.)
• Off—Source DC voltage falls below –33 VDC, is not present, or the power supply is turned off.
FAN OK
• Green—Power supply fan is operating properly.
• Off—Power supply fan failure is detected.
OUTPUT FAIL
• Red—Problem with one or more of the DC-output voltages of the power supply is detected.
• Off—DC-output voltages within acceptable margins.
Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured
with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a
minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet
these minimum configuration requirements can cause a false power supply output fail signal.

1300 W Power Supply AC Power Cords
Table A-13 lists the specifications for the AC power cords that are available for the 1300 W AC-input
power supply. The table includes references to power cord illustrations.
Note All 1300 W power supply power cords are 14 feet (4.3 meters) in length.
Note All 1300 W power supply power cords have an IEC60320/C19 appliance connector at one end.

Table A-13 1300 W Power Supply AC Power Cords
Locale                              Power Cord Part Number   AC Source Plug Type             Cordset Rating   Power Cord Reference Illustration
Argentina                           CAB-7513ACR=             IRAM 2073                       10 A, 250 VAC    Figure A-31
Australia, New Zealand              CAB-7513ACA=             SAA AS 3112                     15 A, 250 VAC    Figure A-32
Continental Europe                  CAB-7513ACE=             CEE 7/7                         16 A, 250 VAC    Figure A-33
Israel                              CAB-AC-2500W-ISRL=       SI16S3                          16 A, 250 VAC    Figure A-34
Italy                               CAB-7513ACI=             CEI 23-16/7                     16 A, 250 VAC    Figure A-35
Japan, North America                CAB-7513AC=              NEMA 5-20 (1)                   20 A, 125 VAC    Figure A-36
People's Republic of China          CAB-AC16A-CH=            GB16C                           16 A, 250 VAC    Figure A-37
South Africa                        CAB-7513ACSA=            IEC 884-1                       16 A, 250 VAC    Figure A-38
Switzerland                         CAB-ACS-10=              SEV 1011                        10 A, 250 VAC    Figure A-39
United Kingdom                      CAB-7513ACU=             BS 1363 (2)                     13 A, 250 VAC    Figure A-40
Power Distribution Unit (PDU) (3)   CAB-C19-CBN=             IEC 60320 C19 / IEC 60320 C20   16 A, 250 VAC    Figure A-47
1. For Japan, ask your local electrical contractor to prepare the NEMA 5-20 power plug.
2. Plug contains a 13 A fuse.
3. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has
a C19 connector; the other end of the cable that connects to the PDU has a C20 connector.

1400 W AC-Input Power Supply
The 1400 W AC-input power supply (PWR-1400-AC) can be installed in the Catalyst 6503 switch and
Catalyst 6503-E switch chassis only. Due to form factor differences, the 1400 W AC-input power supply
cannot be installed in any other Catalyst 6500 series switch chassis.
The 1400 W power supplies (see Figure A-7) do not connect directly to source AC but use power entry
modules (PEMs), located on the front of the Catalyst 6503 and Catalyst 6503-E switch chassis, to
connect the site power source to the power supply located in the back of the chassis.
The AC-input PEM (PEM-20A-AC+) (shown in Figure A-8) provides an input power connection on the
front of the switch chassis to connect the site power source to the power supply.
The PEMs have an illuminated power switch, current protection, surge and EMI suppression, and filtering
functions.
Figure A-7 1400 W AC-Input Power Supply (PWR-1400-AC)
[Figure: callouts for the status LEDs (INPUT OK, FAN OK, OUTPUT FAIL) and the captive installation screws]
Figure A-8 1400 W AC-Input PEM (PEM-20A-AC+)
[Figure: callouts for the IEC 60320 C19 connector, the AC power switch and the captive installation
screws; PEM label reads "PEM-20A-AC+ 50-60 Hz 120-240V 15A"]
1400 W Power Supply Specifications
Table A-14 lists the specifications for the 1400 W AC-input power supply.
Table A-14 1400 W AC-Input Power Supply Specifications
(Columns: Specification; Description)
AC-input type: Autoranging input with power factor correction (PFC).
Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies.
PFC reduces the reactive component in the source AC current allowing higher power factors (typically
99 percent or better) and lower harmonic current components.
AC-input voltage:
• Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max)
• High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current:
• 16 A @ 120 VAC
• 8 A @ 230 VAC
AC-input frequency: 50/60 Hz (nominal) (±3 Hz for full range)
Branch circuit requirement: Each chassis power supply should have its own dedicated, fused-branch circuit:
• For North America—20 A
• For International—Circuits sized to local and national codes
• All AC power supply inputs are fully isolated.
– Source AC can be out of phase between multiple power supplies in the same chassis, which means that
PS1 can be operating from phase A and PS2 can be operating from phase B.
– For high-line operation, the power supply operates with the hot conductor wired to a source AC phase
and the neutral conductor wired either to ground or to another source AC phase as long as the net input
voltage is in the range of 170 to 264 VAC.
– Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC
inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into
phase B.
Power supply output capacity: 1400 W
Power supply output:
• 15 A @ +1.5 V
• 2.5 A @ +3.3 V
• 27.4 A @ +50 V
Output holdup time: 20 ms minimum
kVA rating (1): 1.75 kVA
Heat dissipation: 5976 BTU/hour (approx.)
Weight: 7.8 lb (3.5 kg)
1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard
circuits and transformers to power a switch.

Table A-15 lists the 1400 W AC-input power supply LEDs and their meanings.
A-21
Catalyst 6500 Series Switches Installation Guide
OL-5781-08
Appendix A Power Supply Specifications
1400 W AC-Input Power Supply
1400 W Power Supply AC Power Cords
Table A-16 lists the specifications for the AC power cords that are available for the 1400 W AC-input
power supply. These power cords plug into the 1400 W PEM (PEM-20A-AC+); not directly into the
power supply. The table includes references to power cord illustrations.
Note All 1400 W power supply power cords are 14 feet (4.3 meters) in length.
Note All 1400 W power supply power cords have an IEC60320/C19 appliance plug at one end.
Table A-15 1400 W AC-Input Power Supply LEDs
LED Meaning
INPUT OK • Green—Source AC voltage is OK. (Input voltage is 85 VAC or
greater.)
• Off—Source AC voltage falls below 70 VAC, is not present, or the
power supply is turned off.
FAN OK • Green—Power supply fan is operating properly.
• Off—Power supply fan failure is detected.
OUTPUT FAIL • Red—Problem with one or more of the DC-output voltages of the
power supply is detected.
• DC-output voltages within acceptable margins.
Note For proper operation of the OUTPUT FAIL LED, systems with
single power supplies must be configured with a minimum of
one fan tray and one supervisor engine. Systems with dual power
supplies must have a minimum configuration of one fan tray, one
supervisor engine, and one additional module. Failure to meet
these minimum configuration requirements can cause a false
power supply output fail signal.
A-22
Catalyst 6500 Series Switches Installation Guide
OL-5781-08
Appendix A Power Supply Specifications
1400 W AC-Input Power Supply
Table A-16 1400 W Power Supply AC Power Cords
Locale Power Cord
Part Number
AC Source Plug Type Cordset Rating Power Cord
Reference
Illustration
Argentina CAB-7513ACR=
CAB-IR2073-C19-AR=
IRAM 2073 16 A, 250 VAC Figure A-31
Australia, New Zealand CAB-7513ACA= SAA AS 3112 15 A, 250 VAC Figure A-32
People’s Republic of
China
CAB-AC16A-CH= GB16C 16 A, 250 VAC Figure A-37
Continental Europe CAB-7513ACE=
CAB-AC-2500W-EU=
CEE 7/7
CEE 7/7
16 A, 250 VAC
16 A, 250 VAC
Figure A-33
Figure A-41
International CAB-AC-2500W-INT= IEC 309 16 A, 250 VAC Figure A-42
Israel CAB-AC-2500W-ISRL= SI16S3 16 A, 250 VAC Figure A-34
Italy CAB-7513ACI= CEI 23-16/7 16 A, 250 VAC Figure A-35
Japan, North America CAB-7513AC=
CAB-AC-2500W-US1=
CAB-AC-C6K-TWLK=
NEMA 5-201
NEMA 6-202
NEMA L6-203
1. For operation in Japan, ask your local electrical contractor to prepare the NEMA 5-20 power plug.
2. For operation in Japan, ask your local electrical contractor to prepare the NEMA 6-20 power plug.
3. For operation in Japan, ask your local electrical contractor to prepare the NEMA L6-20 power plug.
20 A, 125 VAC
16 A, 250 VAC
16 A, 250 VAC
Figure A-36
Figure A-43
Figure A-44
South Africa CAB-7513ACSA= IEC 884-1 16 A, 250 VAC Figure A-38
Switzerland CAB-ACS-10= SEV 1011 10 A, 250 VAC Figure A-39
Switzerland CAB-ACS-16= SEV 5934-2 Type 23 16 A, 250 VAC Figure A-45
United Kingdom CAB-7513ACU= BS 1363 13 A, 250 VAC4
4. Plug contains a 13 A fuse.
Figure A-40
Power Distribution Unit
(PDU)5
5. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has
a C19 connector; the other end of the cable that connects to the PDU has a C20 connector.
CAB-C19-CBN= IEC 60320 C19
IEC 60320 C20
16 A, 250 VAC Figure A-47
2500 W AC-Input and DC-Input Power Supplies
The 2500 W AC-input power supply (WS-CAC-2500W) and 2500 W DC-input power supply
(WS-CDC-2500W) are supported in the following Catalyst 6500 series switches:
• Catalyst 6506
• Catalyst 6506-E
• Catalyst 6509
• Catalyst 6509-E
• Catalyst 6509-NEB
• Catalyst 6509-NEB-A
• Catalyst 6509-V-E
• Catalyst 6513
• Catalyst 6513-E (DC-input power supply only)
The 2500 W power supplies, shown in Figure A-9 and Figure A-10, share the same form factor as the
1000 W, 1300 W, 3000 W, 4000 W, and 6000 W AC-input power supplies.
Note With a fully populated Catalyst 6513 switch, two 2500 W power supplies are not fully redundant. If you
operate the 2500 W power supply at the low range input (100 to 120 VAC), it is not redundant in a fully
populated Catalyst 6509, Catalyst 6509-E, Catalyst 6509-NEB, Catalyst 6509-NEB-A, or
Catalyst 6509-V-E switch.
Note The 2500 W AC-input power supply needs 220 VAC to deliver 2500 W of power. When powered with
110 VAC, it delivers only 1300 W. In addition, the power supply needs 16 A, regardless of whether it is
plugged into 110 VAC or 220 VAC.
Figure A-9 2500 W AC-Input Power Supply
[Figure callouts: power switch (I/0); cable retention device; AC power connection; INPUT OK, FAN OK and OUTPUT FAIL status LEDs; captive installation screw]

Figure A-10 2500 W DC-Input Power Supply
[Figure callouts: terminal block cover; captive installation screw; INPUT OK, FAN OK and OUTPUT FAIL status LEDs]

2500 W Power Supply Specifications

Table A-17 lists the specifications for the 2500 W AC-input power supply; Table A-18 lists the specifications for the 2500 W DC-input power supply.
Table A-17 2500 W AC-Input Power Supply Specifications

AC-input type: Autoranging input with power factor correction (PFC).
  Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current, allowing higher power factors (typically 99 percent or better) and lower harmonic current components.
AC-input voltage:
  • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max)
  • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current:
  • 16 A maximum at 230 VAC at 2500 W output
  • 16 A maximum at 120 VAC at 1300 W output
AC-input frequency: 50/60 Hz (nominal) (±3% for full range)
Branch circuit requirement: Each chassis power supply should have its own dedicated, fused branch circuit:
  • For North America—20 A
  • For International—Circuits sized to local and national codes
  • All AC power supply inputs are fully isolated.
    – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B.
    – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase, as long as the net input voltage is in the range of 170 to 264 VAC.
    – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B.
Power supply output capacity:
  • 1300 W maximum (100–120 VAC)
  • 2500 W maximum (200–240 VAC)
Power supply output:
  • 100/120 VAC operation
    – 15.5 A @ +3.3 VDC
    – 5 A @ +5 VDC
    – 10 A @ +12 VDC
    – 27.5 A @ +42 VDC
  • 200/240 VAC operation
    – 15 A @ +3.3 VDC
    – 5 A @ +5 VDC
    – 10 A @ +12 VDC
    – 55.5 A @ +42 VDC
Output holdup time: 20 ms minimum
kVA rating [1]: 3520 W (total input power) or 3.6 kVA (high-line operation)
Heat dissipation: 10,939 BTU/hour (approx.)
Weight: 17.0 lb (7.7 kg)

[1] The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch.

Table A-18 2500 W DC-Input Power Supply Specifications

DC-input voltage:
  • North America: –48 VDC (nominal) (–40.5 VDC to –56 VDC)
  • International: –60 VDC (nominal) (–55 VDC to –72 VDC)
DC-input current:
  • 70 A @ –48 VDC
  • 55 A @ –60 VDC
Power supply output capacity: 2500 W maximum (–48 to –60 VDC)
Power supply output:
  • 15 A @ +3.3 VDC
  • 5 A @ +5 VDC
  • 10 A @ +12 VDC
  • 55.5 A @ +42 VDC
DC input terminal block: Accepts 2–14 AWG copper conductors. Actual size of the wire needed is determined by the installer or local electrician. Terminal block material rated at 150°C.
Output holdup time:
  • 20 ms minimum (AC-input power supply)
  • 4 ms (DC-input power supply)
Heat dissipation:
  • 10,939 BTU/hour (approx.) AC-input power supply
  • 11,377 BTU/hour (approx.) DC-input power supply
Weight: 20.2 lb (9.2 kg)

Table A-19 lists the power supply LEDs and their meanings.

Table A-19 2500 W AC-Input and DC-Input Power Supply LEDs

INPUT OK:
  AC-input power supplies:
  • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.)
  • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off.
  DC-input power supplies:
  • Green—Source DC voltage is OK. (Input voltage is –40.5 VDC or greater.)
  • Off—Source DC voltage falls below –33 VDC, is not present, or the power supply is turned off.
FAN OK:
  • Green—Power supply fan is operating properly.
  • Off—Power supply fan failure is detected.
OUTPUT FAIL:
  • Red—Problem with one or more of the DC-output voltages of the power supply.
  • Off—DC-output voltages within acceptable margins.
  Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal.
2500 W Power Supply AC Power Cords
Table A-20 lists the specifications for the AC power cords that are available for the 2500 W AC-input
power supply. The table includes references to power cord illustrations.
Note All 2500 W power supply power cords are 14 feet (4.3 meters) in length.
Note All 2500 W power supply power cords have an IEC60320/C19 appliance connector at one end.
Table A-20 2500 W Power Supply AC Power Cords

Locale | Power Cord Part Number | AC Source Plug Type | Cordset Rating | Power Cord Reference Illustration
Argentina | CAB-7513ACR= or CAB-IR2073-C19-AR= | IRAM 2073 | 16 A, 250 VAC | Figure A-31
Australia, New Zealand | CAB-AC-16A-AUS= | AU20S3 | 16 A, 250 VAC | Figure A-46
People's Republic of China | CAB-AC16A-CH= | GB16C | 16 A, 250 VAC | Figure A-37
Continental Europe | CAB-AC-2500W-EU= | CEE 7/7 | 16 A, 250 VAC | Figure A-41
International | CAB-AC-2500W-INT= | IEC 309 | 16 A, 250 VAC | Figure A-42
Israel | CAB-AC-2500W-ISRL= | SI16S3 | 16 A, 250 VAC | Figure A-34
Japan, North America (200–240 VAC operation) | CAB-AC-2500W-US1= | NEMA 6-20 (nonlocking plug) | 16 A, 250 VAC | Figure A-43
Japan, North America (200–240 VAC operation) | CAB-AC-C6K-TWLK= | NEMA L6-20 (locking plug) | 16 A, 250 VAC | Figure A-44
Japan, North America (100–120 VAC operation) [1] | CAB-7513AC= | NEMA 5-20 | 20 A, 125 VAC | Figure A-36
Switzerland | CAB-ACS-16= | SEV 5934-2 Type 23 | 16 A, 250 VAC | Figure A-45
Power Distribution Unit (PDU) [2] | CAB-C19-CBN= | IEC 60320 C19 / IEC 60320 C20 | 16 A, 250 VAC | Figure A-47

[1] The 2500 W power supply operating on 110 VAC delivers 1300 W.
[2] The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector.
2700 W AC-Input and DC-Input Power Supplies
The 2700 W AC-input power supply (PWR-2700-AC/4) and 2700 W DC-input power supply
(PWR-2700-DC/4) are supported only in the Catalyst 6504-E switch. See Figure A-11 for the 2700 W
AC-input power supply and Figure A-12 for the 2700 W DC-input power supply.
Note The 2700 W AC-input power supply needs 220 VAC to deliver 2700 W of power. When powered with
110 VAC, it delivers only 1350 W. In addition, the power supply needs 16 A, regardless of whether it is
plugged into 110 VAC or 220 VAC.
Figure A-11 2700 W AC-Input Power Supply (PWR-2700-AC/4)

Callouts:
1 Power on/off switch (|/O)
2 Power supply fan
3 Captive installation screw (4x)
4 Status LEDs
5 AC In receptacle
(Label on the unit: ALL FASTENERS MUST BE FULLY ENGAGED PRIOR TO OPERATING THE POWER SUPPLY)

Figure A-12 2700 W DC-Input Power Supply (PWR-2700-DC/4)

Callouts:
1 Captive installation screw (4x)
2 Source DC terminal block
3 Status LEDs
4 Terminal block cover
5 Detached cable guide, top half
6 Ground terminal block
7 Fixed cable guide, top half
8 Detached cable guide, bottom half
9 Tie-wrap (for source DC cables)
10 Fixed cable guide, bottom half
11 Tie-wrap (for ground cable)
(Front-panel markings: terminal positions -VE-1 and -VE-2; INPUT1 OK and INPUT2 OK LEDs, each input labeled 48V-60V, 40A; FAN OK and OUTPUT FAIL LEDs; ALL FASTENERS MUST BE FULLY ENGAGED PRIOR TO OPERATING THE POWER SUPPLY)
2700 W Power Supply Specifications
Table A-21 lists the specifications for the 2700 W AC-input power supply.

Table A-21 2700 W AC-Input Power Supply Specifications

AC-input type: Autoranging input with power factor correction (PFC).
  Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current, allowing higher power factors (typically 99 percent or better) and lower harmonic current components.
AC-input voltage:
  • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max)
  • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current:
  • 16 A maximum at 230 VAC at 2700 W output
  • 16 A maximum at 120 VAC at 1350 W output
AC-input frequency: 50/60 Hz (nominal) (±3% for full range)
Branch circuit requirement: Each chassis power supply should have its own dedicated, fused branch circuit:
  • For North America—20 A
  • For International—Circuits sized to local and national codes
  • All AC power supply inputs are fully isolated.
    – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B.
    – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase, as long as the net input voltage is in the range of 170 to 264 VAC.
    – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B.
Power supply output capacity:
  • 1350 W maximum (100–120 VAC)
  • 2700 W maximum (200–240 VAC)
Power supply output:
  • 100/120 VAC operation
    – 15 A @ +1.5 VDC
    – 2.5 A @ +3.3 VDC
    – 27.49 A @ +50 VDC
  • 200/240 VAC operation
    – 15 A @ +1.5 VDC
    – 2.5 A @ +3.3 VDC
    – 55.61 A @ +50 VDC
Output holdup time: 20 ms minimum
kVA rating [1]: 3.4 kVA (high-line operation)
Heat dissipation: 10,841 BTU/hour (approx.)
Weight: 18.5 lb (8.4 kg)

[1] The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch.

Table A-22 lists the 2700 W DC-input power supply specifications.

Table A-22 2700 W DC-Input Power Supply Specifications

DC-input voltage:
  • –48 VDC @ 37 A for nominal –48 V battery backup system (operating range: –40.5 VDC to –56 VDC)
  • –60 VDC @ 29 A for nominal –60 V battery backup system (operating range: –55 VDC to –72 VDC)
DC-input current (per DC input):
  • 43 A @ –40.5 VDC
  • 37 A @ –48 VDC
  • 29 A @ –60 VDC
  Note For multiple DC input power supplies, each DC input must be protected by a dedicated circuit breaker or a fuse. The circuit breaker or the fuse must be sized according to the power supply input power rating and any local or national electrical code requirements.
Power supply output capacity:
  • 1350 W maximum (–48 to –60 VDC, with one DC input)
  • 2700 W maximum (–48 to –60 VDC, with two DC inputs)
Power supply output:
  • One DC input operation (1350 W operation)
    – 15 A @ +1.5 VDC
    – 5 A @ +3.3 VDC
    – 27.49 A @ +50 VDC
  • Two DC inputs operation (2700 W operation)
    – 15 A @ +1.5 VDC
    – 5 A @ +3.3 VDC
    – 55.61 A @ +50 VDC
DC input terminal block: Accepts 2–14 AWG copper conductors. Actual size of the wire needed is determined by the installer or local electrician. Terminal block material rated at 150°C.
Output holdup time: 4 ms
kVA rating [1]: 3.5 kW
Heat dissipation: 11,968 BTU/hour (approx.)
Weight: 21.0 lb (9.5 kg)

[1] The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch.

Table A-23 lists the power supply LEDs and their meanings.
Table A-23 2700 W AC-Input and DC-Input Power Supply LEDs

INPUT 1 OK, INPUT 2 OK (INPUT 2 OK on the DC-input power supply only):
  AC-input power supplies:
  • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.)
  • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off.
  DC-input power supplies:
  • Green—Source DC is OK. (Input voltage is –40.5 VDC or greater.)
  • Off—Source DC voltage falls below –33 VDC, is not present, or the power supply is turned off.
FAN OK:
  • Green—Power supply fan is operating properly.
  • Off—Power supply fan failure is detected.
OUTPUT FAIL:
  • Red—Problem with one or more of the DC-output voltages of the power supply.
  • Off—DC-output voltages within acceptable margins.
  Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal.
2700 W Power Supply AC Power Cords
Table A-24 lists the specifications for the AC power cords that are available for the 2700 W AC-input
power supply. The table includes references to power cord illustrations.
Note All 2700 W power supply power cords are 14 feet (4.3 meters) in length.
Note All 2700 W power supply power cords have an IEC60320/C19 appliance connector at one end.
Table A-24 2700 W Power Supply AC Power Cords

Locale | Power Cord Part Number | AC Source Plug Type | Cordset Rating | Power Cord Reference Illustration
Argentina | CAB-7513ACR= or CAB-IR2073-C19-AR= | IRAM 2073 | 16 A, 250 VAC | Figure A-31
Australia, New Zealand | CAB-AC-16A-AUS= | AU20S3 | 16 A, 250 VAC | Figure A-46
People's Republic of China | CAB-AC16A-CH= | GB16C | 16 A, 250 VAC | Figure A-37
Continental Europe | CAB-AC-2500W-EU= | CEE 7/7 | 16 A, 250 VAC | Figure A-41
International | CAB-AC-2500W-INT= | IEC 309 | 16 A, 250 VAC | Figure A-42
Israel | CAB-AC-2500W-ISRL= | SI16S3 | 16 A, 250 VAC | Figure A-34
Italy | CAB-7513ACI= | CEI 23-16/7 | 16 A, 250 VAC | Figure A-35
Japan, North America (200–240 VAC operation) | CAB-AC-2500W-US1= | NEMA 6-20 (nonlocking plug) | 16 A, 250 VAC | Figure A-43
Japan, North America (200–240 VAC operation) | CAB-AC-C6K-TWLK= | NEMA L6-20 (locking plug) | 16 A, 250 VAC | Figure A-44
Japan, North America (100–120 VAC operation) | CAB-7513AC= | NEMA 5-20 | 20 A, 125 VAC | Figure A-36
South Africa | CAB-7513ACSA= | IEC 884-1 | 16 A, 250 VAC | Figure A-38
Switzerland | CAB-ACS-16= | SEV 5934-2 Type 23 | 16 A, 250 VAC | Figure A-45
Power Distribution Unit (PDU) [1] | CAB-C19-CBN= | IEC 60320 C19 / IEC 60320 C20 | 16 A, 250 VAC | Figure A-47

[1] The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector.
3000 W AC-Input Power Supply
The 3000 W AC-input power supply (WS-CAC-3000W) is supported in the following Catalyst 6500
series switches:
• Catalyst 6506
• Catalyst 6506-E
• Catalyst 6509
• Catalyst 6509-E
• Catalyst 6509-NEB
• Catalyst 6509-NEB-A
• Catalyst 6509-V-E
• Catalyst 6513
• Catalyst 6513-E
The 3000 W power supply (see Figure A-13) shares the same form factor as the 1000 W, 1300 W,
2500 W, 4000 W, and 6000 W AC-input power supplies.
Note The 3000 W AC-input power supply needs 220 VAC to deliver 3000 W of power. When operating with
110 VAC, it delivers only 1400 W. In addition, the power supply needs 16 A, regardless of whether it is
plugged into 110 VAC or 220 VAC.
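The derating notes for the 2500 W, 2700 W and 3000 W AC-input supplies (full output only at 200–240 VAC, roughly half at 100–120 VAC) and the kVA footnote in the specification tables are easy to get wrong when a site is planned on 120 V circuits. The following added example (not Cisco's code, not part of this guide) encodes those figures and checks whether a given chassis load still has a supply to fall back on when one of two supplies fails. The guide gives no per-chassis wattage, so the load passed in is a constructed value; the "redundant" versus "combined" power-mode split is an assumption of the example, not taken from this appendix.

```python
"""Power-budget check for a dual-supply Catalyst 6500 chassis.

Added example. Output and kVA figures are copied from the specification
tables in this appendix; chassis loads are supplied by the caller because
the guide does not list them (the sample value below is constructed).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AcSupply:
    model: str
    high_line_w: int   # output at 200-240 VAC source
    low_line_w: int    # output at 100-120 VAC source (derated)
    kva: float         # kVA rating from the spec table (UPS/circuit sizing)
    branch_a: int      # dedicated branch circuit required, North America


# Figures from Tables A-17, A-21 and A-25 plus the section notes.
SUPPLIES = {
    "WS-CAC-2500W": AcSupply("WS-CAC-2500W", 2500, 1300, 3.6, 20),
    "PWR-2700-AC/4": AcSupply("PWR-2700-AC/4", 2700, 1350, 3.4, 20),
    "WS-CAC-3000W": AcSupply("WS-CAC-3000W", 3000, 1400, 3.6, 20),
}


def output_capacity_w(model: str, input_vac: float) -> int:
    """Deliverable output at a given source voltage.

    The spec tables define two input windows: low-line 90-132 VAC and
    high-line 170-264 VAC. Anything else is outside the supply's rating.
    """
    s = SUPPLIES[model]
    if 170 <= input_vac <= 264:
        return s.high_line_w
    if 90 <= input_vac <= 132:
        return s.low_line_w
    raise ValueError(f"{input_vac} VAC is outside the supply's input range")


def redundancy(model: str, input_vac: float, chassis_load_w: int,
               n_supplies: int = 2, mode: str = "redundant"):
    """Return (ok, margin_w).

    mode="redundant": a single surviving supply must carry the whole load
    (N+1 behaviour, assumed by this example).
    mode="combined":  all supplies share the load; a failure drops capacity.
    """
    per_unit = output_capacity_w(model, input_vac)
    available = per_unit if mode == "redundant" else per_unit * n_supplies
    return available >= chassis_load_w, available - chassis_load_w


def ups_sizing_kva(model: str, n_supplies: int = 2) -> float:
    """UPS and branch-circuit sizing must use the kVA rating of every
    supply it feeds, not the output wattage (spec-table footnote)."""
    return SUPPLIES[model].kva * n_supplies


if __name__ == "__main__":
    load = 2000  # constructed sample chassis load in watts
    for vac in (120, 230):
        ok, margin = redundancy("WS-CAC-2500W", vac, load)
        print(f"2500 W pair at {vac} VAC, {load} W load: "
              f"{'redundant' if ok else 'NOT redundant'} (margin {margin} W)")
    print(f"UPS sizing for two WS-CAC-3000W: {ups_sizing_kva('WS-CAC-3000W')} kVA")
```

Running it shows the point of the guide's notes: the same 2500 W pair that is redundant for the sample load at 230 VAC is not redundant at 120 VAC, where each unit is limited to 1300 W, and the UPS is sized from 7.2 kVA rather than from 6000 W of output.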
Figure A-13 3000 W AC-Input Power Supply
[Figure callouts: power switch; cable retention device; AC power connection; captive installation screw; status LEDs (3): INPUT OK, FAN OK, OUTPUT FAIL; 42V OK LED for the external 42 V / 17 A output; external power connector cover. Front-panel nameplate reads 110-120V - 15A, 200-240V - 15A, 60/50HZ.]
3000 W Power Supply Specifications
Table A-25 lists the specifications for the 3000 W AC-input power supply.
Table A-25 3000 W Power Supply Specifications

AC-input type: Autoranging input with power factor correction (PFC).
  Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current, allowing higher power factors (typically 99 percent or better) and lower harmonic current components.
AC-input voltage:
  • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max)
  • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current:
  • 16 A @ 200 VAC (3000 W output)
  • 16 A @ 100 VAC (1400 W output)
AC-input frequency: 50/60 Hz (nominal) (±3% for full range)
Branch circuit requirement: Each chassis power supply should have its own dedicated, fused branch circuit:
  • For North America—20 A
  • For International—Circuits sized to local and national codes
  • All AC power supply inputs are fully isolated.
    – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B.
    – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase, as long as the net input voltage is in the range of 170 to 264 VAC.
    – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B.
Power supply output capacity:
  • 1400 W maximum (100–120 VAC)
  • 3000 W maximum (200–240 VAC)
Power supply output:
  • 100/120 VAC operation
    – 25.0 A @ +3.3 V
    – 5 A @ +5 V
    – 12 A @ +12 V
    – 27.89 A @ +42 V
  • 200/240 VAC operation
    – 25.0 A @ +3.3 V
    – 5 A @ +5 V
    – 12 A @ +12 V
    – 65.98 A @ +42 V
Front panel power connector: A two-pin male Molex connector is located in the lower right corner of the power supply front panel. The connector provides 42 VDC at a maximum of 17 A. This connector provides power to the WS-6509-NEB-UPGRD kit fan assembly through a power harness also provided in the kit. A hinged protective flap secured by a captive screw covers the connector when it is not in use.
Output holdup time: 20 ms minimum
kVA rating [1]: 3520 W (total input power) or 3.6 kVA (high-line operation)
Heat dissipation: 12,046 BTU/hour (approx.)
Weight: 15.8 lb (7.2 kg)

[1] The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch.

Table A-26 lists the power supply LEDs and their meanings.
Table A-26 3000 W AC-Input Power Supply LEDs

INPUT OK:
  • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.)
  • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off.
FAN OK:
  • Green—Power supply fan is operating properly.
  • Off—Power supply fan failure is detected.
OUTPUT FAIL:
  • Red—Problem with one or more of the DC-output voltages of the power supply.
  • Off—DC-output voltages within acceptable margins.
  Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal.
42V OK:
  • Green—42 VDC is present at the fan power connector.
  • Off—42 VDC is not present at the fan power connector.
3000 W Power Supply AC Power Cords
Table A-27 lists the specifications for the AC power cords that are available for the 3000 W AC-input
power supply. The table includes references to power cord illustrations.
Note All 3000 W power supply power cords are 14 feet (4.3 meters) in length.
Note All 3000 W power supply power cords have an IEC60320/C19 appliance connector at one end.
Table A-27 3000 W Power Supply AC Power Cords

Locale | Power Cord Part Number | AC Source Plug Type | Cordset Rating | Power Cord Reference Illustration
Argentina | CAB-7513ACR= or CAB-IR2073-C19-AR= | IRAM 2073 | 16 A, 250 VAC | Figure A-31
Australia, New Zealand | CAB-AC-16A-AUS= | AU20S3 | 16 A, 250 VAC | Figure A-46
People's Republic of China | CAB-AC16A-CH= | GB16C | 16 A, 250 VAC | Figure A-37
Continental Europe | CAB-AC-2500W-EU= | CEE 7/7 | 16 A, 250 VAC | Figure A-41
International | CAB-AC-2500W-INT= | IEC 309 | 16 A, 250 VAC | Figure A-42
Israel | CAB-AC-2500W-ISRL= | SI16S3 | 16 A, 250 VAC | Figure A-34
Italy | CAB-7513ACI= | CEI 23-16/7 | 16 A, 250 VAC | Figure A-35
Japan, North America (200–240 VAC operation) | CAB-AC-2500W-US1= | NEMA 6-20 (nonlocking plug) | 16 A, 250 VAC | Figure A-43
Japan, North America (200–240 VAC operation) | CAB-AC-C6K-TWLK= | NEMA L6-20 (locking plug) | 16 A, 250 VAC | Figure A-44
Japan, North America (100–120 VAC operation) [1] | CAB-7513AC= | NEMA 5-20 | 20 A, 125 VAC | Figure A-36
Switzerland | CAB-ACS-16= | SEV 5934-2 Type 23 | 16 A, 250 VAC | Figure A-45
Power Distribution Unit (PDU) [2] | CAB-C19-CBN= | IEC 60320 C19 / IEC 60320 C20 | 16 A, 250 VAC | Figure A-47

[1] The 3000 W power supply operating on 110 VAC delivers 1400 W.
[2] The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector.
4000 W AC-Input and DC-Input Power Supplies
The 4000 W AC-input and DC-input power supplies, (WS-CAC-4000W-US, WS-CAC-4000W-INT, and
PWR-4000-DC) are supported in the following Catalyst 6500 series switches:
• Catalyst 6506
• Catalyst 6506-E
• Catalyst 6509
• Catalyst 6509-E
• Catalyst 6509-NEB
• Catalyst 6509-NEB-A
• Catalyst 6509-V-E
• Catalyst 6513
• Catalyst 6513-E
The 4000 W AC-input and DC-input power supplies, shown in Figure A-14 and Figure A-15, share the
same form factor as the 1000 W, 1300 W, 2500 W, and 3000 W power supplies.
Figure A-14 4000 W AC-Input Power Supply
[Figure callouts: power switch (I/0); INPUT OK, FAN OK and OUTPUT FAIL status LEDs; captive installation screw]

Figure A-15 4000 W DC-Input Power Supply
[Figure callouts: INPUT OK, FAN OK and OUTPUT FAIL status LEDs; power switch (I/0); three source DC input terminal pairs, labeled +VE-1/-VE-1, +VE-2/-VE-2 and +VE-3/-VE-3]

4000 W Power Supply Specifications

Table A-28 lists the specifications for the 4000 W AC-input power supply.
Table A-28 4000 W AC-Input Power Supply Specifications

Specification                 Description
AC-input type                 High-line input with power factor correction (PFC).
                              Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power
                              supplies. PFC reduces the reactive component in the source AC current, allowing higher power
                              factors (typically 99 percent or better) and lower harmonic current components.
AC-input voltage              High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current              23 A
AC-input frequency            50/60 Hz (nominal) (±3% for full range)
Branch circuit requirement    Each chassis power supply should have its own dedicated, fused-branch circuit:
                              • For North America—30 A
                              • For International—Circuits should be sized according to local and national codes
                              • All AC power supply inputs are fully isolated.
                                – Source AC can be out of phase between multiple power supplies in the same chassis, which
                                  means that PS1 can be operating from phase A and PS2 can be operating from phase B.
                                – For high-line operation, the power supply operates with the hot conductor wired to a
                                  source AC phase and the neutral conductor wired either to ground or to another source AC
                                  phase, as long as the net input voltage is in the range of 170 to 264 VAC.
                                – Source AC can be out of phase between AC inputs on power supplies that are equipped with
                                  multiple AC inputs, which means that power cord 1 can be plugged into phase A and power
                                  cord 2 can be plugged into phase B.
Output capacity               4000 W maximum
Power supply output           • 15 A @ +3.3 VDC
                              • 5 A @ +5 VDC
                              • 10 A @ +12 VDC
                              • 90.36 A @ +42 VDC
Output holdup time            20 ms minimum
kVA rating (1)                5.4 kVA maximum
Heat dissipation              17,065 BTU/hour (approx.)
Weight                        22.2 lb (10.1 kg)

1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch.

Table A-29 lists the specifications for the 4000 W DC-input power supply.
Table A-29 4000 W DC-Input Power Supply Specifications

Specification                 Description
DC-input voltage              • –48 VDC @ 37 A for nominal –48 V battery backup system (operating range: –40.5 VDC to –56 VDC)
                              • –60 VDC @ 29 A for nominal –60 V battery backup system (operating range: –55 VDC to –72 VDC)
                              Note The 4000 W DC-input power supply requires two source DC-inputs to be connected; it cannot
                              operate with only one positive (+)/negative (-) source DC terminal pair installed.
DC-input current              40 A per each DC input (three inputs)
                              Note For multiple DC input power supplies, each DC input must be protected by a dedicated circuit
                              breaker or a fuse. The circuit breaker or the fuse must be sized according to the power supply
                              input power rating and any local or national electrical code requirements.
Power supply output capacity  • 4000 W with three inputs active
                              • 2700 W with two inputs active
                              Note The 4000 W power supply cannot operate with only one source DC-input connected.
Power supply output           • 15 A @ +3.3 VDC
                              • 5 A @ +5 VDC
                              • 12 A @ +12 VDC
                              • 90.63 A (three inputs) or 59.68 A (two inputs) @ +42 VDC
                              Note The 4000 W power supply cannot operate with only one source DC-input connected.
DC input terminal block       Accepts 4 AWG copper conductors. Actual size of the wire needed is determined by the installer
                              or local electrician.
Output holdup time            8 ms
kVA rating (1)                5.4 kVA maximum
Heat dissipation              17,730 BTU/hour (approx.)
Weight                        30.8 lb (14.0 kg)

1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch.

Table A-30 lists the power supply LEDs and their meanings.
Table A-30 4000 W AC-Input and DC-Input Power Supplies LEDs

LED            Meaning
INPUT OK       AC-input power supplies:
               • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.)
               • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off.
               DC-input power supplies:
               • Green—Source DC voltage is OK. (Input voltage is –40.5 VDC or greater.)
               • Off—Source DC voltage falls below –33 VDC, is not present, or the power supply is turned off.
FAN OK         • Green—Power supply fan is operating properly.
               • Off—Power supply fan failure is detected.
OUTPUT FAIL    • Red—Problem with one or more of the DC-output voltages of the power supply.
               • Off—DC-output voltages within acceptable margins.
               Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be
               configured with a minimum of one fan tray and one supervisor engine. Systems with dual power
               supplies must have a minimum configuration of one fan tray, one supervisor engine, and one
               additional module. Failure to meet these minimum configuration requirements can cause a false
               power supply output fail signal.
4000 W Power Supply AC Power Cords
Table A-31 lists the specifications for the AC power cords that are available for the 4000 W AC-input
power supply. Included in the table are references to illustrations of the power cords.
Note The AC power cords for the 4000 W AC-input power supply are hardwired directly to the power supply;
they do not have an IEC 60320 C19 appliance plug and cannot be removed from the power supply.

Table A-31 4000 W Power Supply AC Power Cords

Locale                Power Cord Part Number (1)   AC Source Plug Type   Cordset Rating   Power Cord Reference Illustration
International         WS-CAC-4000W-INT=            IEC 60309             32 A, 250 VAC    Figure A-48
North America, Japan  WS-CAC-4000W-US=             NEMA L6-30 (2)        30 A, 250 VAC    Figure A-49

1. This is the part number for the power supply. The AC power cords are hardwired to the 4000 W power supplies.
2. For Japan, ask your local electrical contractor to prepare the NEMA L6-30 power plug.

6000 W AC-Input and DC-Input Power Supplies
Catalyst 6500 series switch support for the 6000 W AC-input (WS-CAC-6000W) and the 6000 W
DC-input (PWR-6000-DC) power supplies, along with any power supply output restrictions, is listed in
Table A-32.
The 6000 W AC-input power supply, shown in Figure A-16, and the 6000 W DC-input power supply,
shown in Figure A-17, share the same form factor as the 1000 W, 1300 W, 2500 W, 3000 W, and 4000 W
power supplies.
Table A-32 Chassis Support for the 6000 W AC-Input and DC-Input Power Supplies

Catalyst 6500 Series Chassis   6000 W AC-Input Power Supply Restriction   6000 W DC-Input Power Supply Restriction
Catalyst 6506                  Output limited to 4000 W                   Output limited to 4000 W
Catalyst 6506-E                No restrictions                            No restrictions
Catalyst 6509                  Output limited to 4000 W                   Output limited to 4000 W
Catalyst 6509-E                No restrictions                            No restrictions
Catalyst 6509-NEB              Output limited to 4000 W                   Output limited to 4000 W
Catalyst 6509-NEB-A            Output limited to 4500 W                   Output limited to 4500 W
Catalyst 6509-V-E              No restrictions                            No restrictions
Catalyst 6513                  No restrictions                            No restrictions
Catalyst 6513-E                No restrictions                            No restrictions
Note Because of form-factor differences, the 6000 W AC-input and the 6000 W DC-input power supplies
cannot be installed in the Catalyst 6503, Catalyst 6503-E, and Catalyst 6504-E switch chassis.
Figure A-16 6000 W AC-Input Power Supply (front view callouts: power switch [I/0], cable retention device, AC power connection 1 and AC power connection 2 [each rated 100–240 V, 15 A, 50/60 Hz], INPUT OK, FAN OK, and OUTPUT FAIL status LEDs, captive installation screw)
Figure A-17 6000 W DC-Input Power Supply (front view callouts: INSTALL/RUN switch, DC input terminals 1, 2, 3, and 4, INPUT OK, FAN OK, and OUTPUT FAIL status LEDs)
6000 W Power Supply Specifications
Table A-33 lists the specifications for the 6000 W AC-input power supply.
Table A-33 6000 W AC-Input Power Supply Specifications

Specification                 Description
AC-input type                 2 AC-inputs per power supply. High-line input with power factor correction (PFC) included.
                              Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power
                              supplies. PFC reduces the reactive component in the source AC current, allowing higher power
                              factors (typically 99 percent or better) and lower harmonic current components.
AC-input voltage              • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max)
                              • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current              16 A each input
AC-input frequency            50/60 Hz (nominal) (±3% for full range)
Branch circuit requirement    Each power supply input should have its own dedicated, fused-branch circuit:
                              • For North America—20 A
                              • For International—Circuits should be sized according to local and national codes
                              • All Catalyst 6500 series AC-input power supplies require single-phase source AC.
                              • All AC power supply inputs are fully isolated.
                                – Source AC can be out of phase between multiple power supplies in the same chassis, which
                                  means that PS1 can be operating from phase A and PS2 can be operating from phase B.
                                – For high-line operation, the power supply operates with the hot conductor wired to a
                                  source AC phase and the neutral conductor wired either to ground or to another source AC
                                  phase, as long as the net input voltage is in the range of 170 to 264 VAC.
                                – Source AC can be out of phase between AC inputs on power supplies that are equipped with
                                  multiple AC inputs, which means that power cord 1 can be plugged into phase A and power
                                  cord 2 can be plugged into phase B.
Power supply output capacity  The 6000 W power supply can operate at either 2900 W or 6000 W depending on the number of
                              AC power cords attached and the source AC voltage.
                              Note The 6000 W AC-input power supply is limited to 4000 W maximum output when it is installed
                              in a Catalyst 6506, Catalyst 6509, or Catalyst 6509-NEB switch chassis. The power supply is
                              limited to 4500 W maximum output when it is installed in the Catalyst 6509-NEB-A switch chassis.
                              • 2900 W maximum with the following source AC arrangements:
                                – INPUT 1 and INPUT 2 both connected to low-line (120 VAC nominal)
                                – INPUT 1 connected to high-line (230 VAC nominal); INPUT 2 not connected
                                – INPUT 1 not connected; INPUT 2 connected to high-line (230 VAC nominal)
                                – INPUT 1 connected to high-line (230 VAC nominal); INPUT 2 connected to low-line
                                  (120 VAC nominal)
                                – INPUT 1 connected to low-line (120 VAC nominal); INPUT 2 connected to high-line
                                  (230 VAC nominal)
                              • 6000 W maximum with the following source AC arrangements:
                                – INPUT 1 and INPUT 2 both connected to high-line (230 VAC nominal)
                              Note The 6000 W power supply will not power up if you have only one power cord plugged into
                              either INPUT 1 or INPUT 2 and source AC is low-line (120 VAC nominal).
Power supply output capacity  • 2900 W operation (one 220 VAC source or two 110 VAC sources)
                                – 25 A @ +3.3 VDC
                                – 12 A @ +12 VDC
                                – 63.6 A @ +42 VDC
                              • 6000 W operation (two 220 VAC sources)
                                – 25 A @ +3.3 VDC
                                – 12 A @ +12 VDC
                                – 137.4 A @ +42 VDC
Output holdup time            20 ms minimum
kVA rating (1)                7.5 kVA
Heat dissipation              23,812 BTU/hour (approx.)
System power dissipation      7034 W
Weight                        25.4 lb (11.5 kg)

1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch.

Table A-34 lists the specifications for the 6000 W DC-input power supply.
Table A-34 6000 W DC-Input Power Supply Specifications

Specification                 Description
Input voltage                 • –48 VDC nominal @ 37 A in North America (operating range: –40.5 VDC to –56 VDC)
                              • –60 VDC nominal @ 30 A for international (operating range: –55 VDC to –72 VDC)
Input current                 40 A per DC input @ –48 VDC input voltage (total of 4 inputs)
Power supply output capacity  The 6000 W DC-input power supply can operate at either:
                              • 2800 W—2 DC inputs active
                              • 4500 W—3 DC inputs active
                              • 6000 W—4 DC inputs active
Power supply output           The 6000 W DC-input power supply can operate at either 2800 W, 4500 W, or 6000 W depending on
                              the number of source DC power cables attached.
                              Note The 6000 W DC-input power supply is limited to 4000 W maximum output when it is installed
                              in a Catalyst 6506, Catalyst 6509, or Catalyst 6509-NEB switch chassis. The power supply is
                              limited to 4500 W maximum output when it is installed in the Catalyst 6509-NEB-A switch chassis.
                              • 2800 W operation (two DC inputs)
                                – 25.0 A @ 3.3 VDC
                                – 12.0 A @ 12 VDC
                                – 61.2 A @ 42 VDC
                              • 4500 W operation (three DC inputs)
                                – 25.0 A @ 3.3 VDC
                                – 12.0 A @ 12 VDC
                                – 101.9 A @ 42 VDC
                              • 6000 W operation (four DC inputs)
                                – 25.0 A @ 3.3 VDC
                                – 12.0 A @ 12 VDC
                                – 137.4 A @ 42 VDC
DC input terminal block       • Accepts 2-hole copper compression-type lugs.
                              Note The actual size of the wire needed is determined by the power engineer or local
                              electrician in accordance with national or local electrical codes.
                              • Terminal posts accept 1/4-inch-20 hex nuts.
Output holdup time            20 ms minimum
Weight                        35 lb (16 kg)

Table A-35 lists the 6000 W AC-input and DC-input power supply LEDs and their meanings.

Table A-35 6000 W AC-Input and DC-Input Power Supply LEDs

LED                                  Meaning
INPUT OK 1, INPUT OK 2               • Green—Source voltage is OK. Input voltage is 85 VAC or greater.
(AC-input power supply only)         • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off.
INPUT OK 1, INPUT OK 2,              • Green—Source DC voltage is greater than or equal to –40.5 VDC.
INPUT OK 3, and INPUT OK 4           • Off—Source DC voltage is less than or equal to –37.5 VDC.
(DC-input power supply only)         • Green, off, or flashing—Source DC voltage is between –37.5 and –40.5 VDC.
FAN OK                               • Green—Power supply fan is operating properly.
                                     • Off—Power supply fan failure is detected.
OUTPUT FAIL                          • Red—Problem with one or more of the DC-output voltages of the power supply.
                                     • Off—DC-output voltages within acceptable margins.
                                     Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must
                                     be configured with a minimum of one fan tray and one supervisor engine. Systems with dual
                                     power supplies must have a minimum configuration of one fan tray, one supervisor engine,
                                     and one additional module. Failure to meet these minimum configuration requirements can
                                     cause a false power supply output fail signal.

6000 W Power Supply AC Power Cords
Table A-36 lists the specifications for the AC power cords that are available for the 6000 W AC-input
power supply. Included in the table are references to illustrations of the power cords.
Table A-36 6000 W Power Supply AC Power Cords

Locale                                                    Power Cord Part Number               AC Source Plug Type             Cordset Rating   Power Cord Reference Illustration
Argentina                                                 CAB-7513ACR= or CAB-IR2073-C19-AR=   IRAM 2073                       16 A, 250 VAC    Figure A-31
Australia, New Zealand                                    CAB-AC-16A-AUS=                      AU20S3                          16 A, 250 VAC    Figure A-46
People’s Republic of China                                CAB-AC16A-CH=                        GB16C                           16 A, 250 VAC    Figure A-37
Continental Europe                                        CAB-AC-2500W-EU=                     CEE 7/7                         16 A, 250 VAC    Figure A-41
International                                             CAB-AC-2500W-INT=                    IEC 309                         16 A, 250 VAC    Figure A-42
Israel                                                    CAB-AC-2500W-ISRL=                   SI16S3                          16 A, 250 VAC    Figure A-34
Italy                                                     CAB-7513ACI=                         CEI 23-16/7                     16 A, 250 VAC    Figure A-35
Japan, North America (nonlocking plug), 200–240 VAC operation   CAB-AC-2500W-US1=              NEMA 6-20                       16 A, 250 VAC    Figure A-43
Japan, North America (locking plug), 200–240 VAC operation      CAB-AC-C6K-TWLK=               NEMA L6-20                      16 A, 250 VAC    Figure A-44
Japan, North America, 100–120 VAC operation (1)           CAB-7513AC= (2)                      NEMA 5-20                       16 A, 125 VAC    Figure A-36
Power Distribution Unit (PDU) (3)                         CAB-C19-CBN=                         IEC 60320 C19 / IEC 60320 C20   16 A, 250 VAC    Figure A-47
Switzerland                                               CAB-ACS-16=                          SEV 5934-2 Type 23              16 A, 250 VAC    Figure A-45

1. The 6000 W power supply operating on two 110 VAC inputs delivers 2900 W.
2. When operating with 100–120 VAC, you must use two AC power cords and the power supply output is limited to 2900 W.
3. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector.

8700 W AC-Input Power Supply
Catalyst 6500 series switch support for the 8700 W AC-input (WS-CAC-8700W-E) power supply, along
with any power supply output restrictions, is listed in Table A-37.
The 8700 W AC-input power supply, shown in Figure A-18, shares a similar, but not identical,
form factor with the 1000 W, 1300 W, 2500 W, 3000 W, 4000 W, and 6000 W power supplies.

Table A-37 Chassis Support for the 8700 W Power Supply

Catalyst 6500 Series Chassis   8700 W Power Supply Restriction
Catalyst 6506                  Output limited to 4000 W
Catalyst 6506-E                No restrictions
Catalyst 6509                  Output limited to 4000 W
Catalyst 6509-E                No restrictions
Catalyst 6509-NEB              Output limited to 4000 W
Catalyst 6509-NEB-A            Output limited to 4500 W
Catalyst 6509-V-E              No restrictions
Catalyst 6513                  Output is limited to 6000 W
Catalyst 6513-E                No restrictions
Note Because of the form-factor difference, when you install an 8700 W power supply in a Catalyst 6506,
Catalyst 6509, or Catalyst 6509-NEB chassis you must relocate the system ground connection from the
chassis ground pad connection to the two system ground studs located on the 8700 W power supply
faceplate. Installing an 8700 W power supply in the other Catalyst 6500 series chassis does not require
that you move the chassis system ground connection to the power supply.
The 8700 W power supply cannot be installed in the Catalyst 6503, Catalyst 6503-E, and
Catalyst 6504-E switch chassis.
Figure A-18 8700 W AC-Input Power Supply (front view callouts: power switch, cable retention device, AC power connections 1, 2, and 3, INPUT OK 1/2/3, 220VAC 1/2/3, FAN OK, and OUTPUT FAIL status LEDs, captive installation screw, remote power on/off feature terminal block [positions 1, 2, 3], remote power on/off feature relay switch [NO RELAY (DEFAULT) / NC RELAY], system ground studs)
8700 W Power Supply Specifications
Table A-38 lists the specifications for the 8700 W AC-input power supply.
Table A-38 8700 W AC-Input Power Supply Specifications

Specification                 Description
AC-input type                 3 AC-inputs per power supply. High-line input with power factor correction (PFC) included.
                              Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power
                              supplies. PFC reduces the reactive component in the source AC current, allowing higher power
                              factors (typically 99 percent or better) and lower harmonic current components.
AC-input voltage (one-phase)  • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max)
                              • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max)
AC-input current              16 A each input
AC-input frequency            50/60 Hz (nominal) (±3% for full range)
Branch circuit requirement    Each power supply input should have its own dedicated, fused-branch circuit:
                              • For North America—20 A
                              • For International—Circuits should be sized according to local and national codes
                              • All Catalyst 6500 series AC-input power supplies require single-phase source AC.
                              • All AC power supply inputs are fully isolated. This means that source AC can be out of phase
                                between multiple AC inputs on the same power supply or different AC power supplies that are
                                installed in the same chassis. For the 8700 W power supply, this means that power cord 1 can
                                be plugged into phases A-B, power cord 2 can be plugged into phases B-C, and power cord 3 can
                                be plugged into phases C-A, A-B, or B-C.
Power supply output capacity  The power supply output capacity is dependent on the number of AC power cords (1, 2, or 3)
                              attached and the source AC voltage (110 VAC [low-line] or 220 VAC [high-line]) applied to the
                              power supply inputs.
                              The 8700 W AC-input power supply is limited to reduced wattage ratings when it is installed in
                              the following Catalyst 6500 series chassis:
                              • 4000 W maximum output when it is installed in a Catalyst 6506, Catalyst 6509, or
                                Catalyst 6509-NEB switch chassis.
                              • 4500 W maximum output when it is installed in the Catalyst 6509-NEB-A switch chassis.
                              • 6000 W maximum output when it is installed in the Catalyst 6513 switch chassis.
                              Note The power supply will not power up if you attach only one power cord and the power cord is
                              connected to low-line (110 VAC nominal) source AC.
2800 W operation              2800 W maximum with the following combinations of power cords and source AC voltage applied to
                              the power supply inputs:
                              • Two AC inputs are connected to low-line (110 VAC nominal); the third AC input is not connected.
                              • One AC input is connected to low-line (110 VAC nominal); one AC input is connected to high-line
                                (220 VAC nominal); the third AC input is not connected.
                              • One AC input is connected to high-line (220 VAC nominal); two AC inputs are not connected.
4200 W operation              4200 W maximum with the following combinations of power cords and source AC voltage applied to
                              the power supply inputs:
                              • All three AC inputs are connected to low-line (110 VAC nominal).
                              • Two AC inputs are connected to low-line (110 VAC nominal); one AC input is connected to
                                high-line (220 VAC nominal).
5800 W operation              5800 W maximum with the following combinations of power cords and source AC voltage applied to
                              the power supply inputs:
                              • Two AC inputs are connected to high-line (220 VAC nominal); the third AC input is connected to
                                low-line (110 VAC nominal).
                              • Two AC inputs are connected to high-line (220 VAC nominal); the third AC input is not connected.
8700 W operation              8700 W maximum with the following combinations of power cords and source AC voltage applied to
                              the power supply inputs:
                              • All three AC inputs are connected to high-line (220 VAC nominal).
Power supply output           • 2800 W operation
                                – 25.0 A @ +3.3 VDC
                                – 12.0 A @ +12 VDC
                                – 61.29 A @ +42 VDC
                              • 4200 W operation
                                – 25.0 A @ +3.3 VDC
                                – 12.0 A @ +12 VDC
                                – 94.62 A @ +42 VDC
                              • 5800 W operation
                                – 25.0 A @ +3.3 VDC
                                – 12.0 A @ +12 VDC
                                – 132.71 A @ +42 VDC
                              • 8700 W operation
                                – 25.0 A @ +3.3 VDC
                                – 12.0 A @ +12 VDC
                                – 201.75 A @ +42 VDC
Output holdup time            20 ms minimum
kVA rating (1)                10.4 kVA
Heat dissipation              • 11,200 BTU/hour @ 2800 W
                              • 16,800 BTU/hour @ 4200 W
                              • 23,200 BTU/hour @ 5800 W
                              • 34,800 BTU/hour @ 8700 W
System power dissipation      10,360 W
Weight                        39.7 lb (18 kg)

1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch.
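The output-capacity rows of Table A-38 (and the corresponding rows of Table A-33 for the 6000 W AC-input supply) are a small decision rule over how many cords are attached and what line voltage each one sees, with a second cap imposed by the chassis (Tables A-32 and A-37). The following Python block is an added example, not code from the installation guide or from Cisco; it encodes those rules so a planned cabling can be checked before the chassis is powered. A supply that silently caps at 4000 W in a Catalyst 6509, or that will not power up on a single low-line cord, is an availability failure that this kind of check catches at planning time. The Line type, the function names, the chassis maps and the sample cabling are this example's own constructs; the wattage values and chassis caps are the page's.

```python
"""Output-capacity rules for the Catalyst 6500 8700 W (Table A-38) and
6000 W AC-input (Table A-33) power supplies, with the chassis restrictions
from Tables A-37 and A-32. Added example; not Cisco's own code."""
from enum import Enum
from typing import Dict, Sequence, Tuple


class Line(Enum):
    """Source AC applied to one power supply input (constructed type)."""
    NONE = "not connected"
    LOW = "low-line"    # 110/120 VAC nominal
    HIGH = "high-line"  # 220/230 VAC nominal


# Chassis output caps from Table A-37 (8700 W) and Table A-32 (6000 W).
# A chassis absent from a map has no restriction on the page.
CHASSIS_CAP_8700: Dict[str, int] = {
    "6506": 4000, "6509": 4000, "6509-NEB": 4000, "6509-NEB-A": 4500, "6513": 6000,
}
CHASSIS_CAP_6000: Dict[str, int] = {
    "6506": 4000, "6509": 4000, "6509-NEB": 4000, "6509-NEB-A": 4500,
}
# Form-factor notes on the page: neither supply fits these chassis.
NOT_SUPPORTED = {"6503", "6503-E", "6504-E"}


def _count(inputs: Sequence[Line]) -> Tuple[int, int]:
    """Return (number of high-line inputs, number of low-line inputs)."""
    high = sum(1 for i in inputs if i is Line.HIGH)
    low = sum(1 for i in inputs if i is Line.LOW)
    return high, low


def raw_capacity_8700(inputs: Sequence[Line]) -> int:
    """Table A-38: maximum output of the three-input 8700 W supply.
    Returns 0 where the page says the supply will not power up."""
    if len(inputs) != 3:
        raise ValueError("the 8700 W supply has exactly three AC inputs")
    high, low = _count(inputs)
    if high == 3:
        return 8700
    if high == 2:                 # third input low-line or not connected
        return 5800
    if high == 1:                 # 1 high + 2 low is 4200; 1 high alone or with 1 low is 2800
        return 4200 if low == 2 else 2800
    if low == 3:
        return 4200
    if low == 2:
        return 2800
    return 0  # one low-line cord alone does not power up; nothing connected treated the same


def raw_capacity_6000ac(inputs: Sequence[Line]) -> int:
    """Table A-33: maximum output of the two-input 6000 W AC supply."""
    if len(inputs) != 2:
        raise ValueError("the 6000 W AC supply has exactly two AC inputs")
    high, low = _count(inputs)
    if high == 2:
        return 6000
    if high == 1 or low == 2:     # any high-line input, or both inputs low-line
        return 2900
    return 0  # single low-line cord, or nothing connected


def usable_output(raw_w: int, chassis: str, caps: Dict[str, int]) -> int:
    """Apply the chassis restriction to the supply's raw capacity."""
    if chassis in NOT_SUPPORTED:
        raise ValueError(f"Catalyst {chassis} cannot take this power supply form factor")
    return min(raw_w, caps.get(chassis, raw_w))


def check_budget(required_w: int, raw_w: int, chassis: str, caps: Dict[str, int]) -> bool:
    """True when the supply, as cabled and in this chassis, covers the required load."""
    return usable_output(raw_w, chassis, caps) >= required_w


if __name__ == "__main__":
    cabling = [Line.HIGH, Line.HIGH, Line.LOW]   # constructed sample cabling
    raw = raw_capacity_8700(cabling)
    print(f"8700 W supply cabled {[c.value for c in cabling]}: raw {raw} W, "
          f"usable in a Catalyst 6513 {usable_output(raw, '6513', CHASSIS_CAP_8700)} W")
```

The check deliberately separates the supply's own rule (how it is cabled) from the chassis cap, because the two fail differently: the first shows up as a supply that never powers up, the second as a supply that runs but delivers less than its nameplate.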
Table A-39 lists the power supply LEDs and their meanings.

Table A-39 8700 W AC-Input Power Supply LEDs

LED                               Meaning
INPUT OK 1, INPUT OK 2, and       • Green—Source voltage is OK. (Input voltage is 85 VAC or greater.)
INPUT OK 3                        • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off.
220VAC 1, 2, and 3                • Green—High-line AC is present on the respective AC inputs. (Input voltage is 170 VAC or higher.)
                                  • Off—Source AC voltage falls below 170 VAC (running at low-line voltage), is not present, or the
                                    power supply is turned off.
FAN OK                            • Green—Power supply fan is operating properly.
                                  • Off—Power supply fan failure is detected.
OUTPUT FAIL                       • Red—One or more of the power supply DC-output voltages is out of the normal operating range:
                                    – For +3.3 VDC output: 2.7–3.0 VDC (min); 3.6–3.8 VDC (max)
                                    – For +12 VDC output: 10.5–11.5 VDC (min); 12.6–13.0 VDC (max)
                                    – For +42 VDC output: 38.0–40.0 VDC (min); 45.0–52.0 VDC (max)
                                  • Off—All DC-output voltages are within normal operating ranges.
                                  Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be
                                  configured with a minimum of one fan tray and one supervisor engine. Systems with dual power
                                  supplies must have a minimum configuration of one fan tray, one supervisor engine, and one
                                  additional module. Failure to meet these minimum configuration requirements can cause a false
                                  power supply output fail signal.
Remote Power Cycling Feature
The 8700 W power supply is equipped with a remote power cycling feature that allows you to remotely
turn on or turn off the power supply through an external relay controller box. Figure A-19 shows a
typical remote power on/off setup. A three-position terminal block and a switch, located on the lower
right quadrant of the power supply faceplate (see Figure A-18), provide the interface to the external relay
controller box.
Figure A-19 Remote Power On/Off Feature Components
Terminal Block
The terminal block has three contacts labeled 1, 2, and 3. Two control wires from an external relay
controller box attach to either positions 1 and 2 or positions 2 and 3. Positions 1 and 2 are used when the
relay controller box contains a normally-open (NO) type of relay. Positions 2 and 3 are used when the
relay controller box contains a normally-closed (NC) type of relay.
Relay Controller Box Switch
The relay controller box switch, located next to the terminal block, allows you to match the power supply
power control signal’s active state with the type of relay contained in the external relay controller box
(either a normally-open type of relay or a normally-closed type of relay).
Ferrite Bead
A plastic bag containing one ferrite bead and two 4-inch plastic ties is included with the 8700 W power
supply AC power cords. The ferrite bead is a passive device that limits high-frequency interference on
interface and control cables, and is only required when you install the remote power-cycling feature that
is supported by the 8700 Watt power supply. The ferrite bead is installed on the two control wires that
come from the relay controller box to the terminal block on the 8700 W power supply. The ferrite bead
should be installed as close as possible to the power supply terminal block for the bead to be effective.
You do not need the ferrite bead for 8700 Watt power supply installations that do not include the remote
power-cycling feature. If you need to install the ferrite bead, refer to “Installing the Ferrite Bead”
procedure on page 1-100.
(Figure A-19 components: relay controller, relay controller power, network, remote power on/off terminal block, ferrite bead, 8700 Watt power supply)
Remote Power-Cycling Operation
This feature allows you to remotely power cycle the Catalyst 6500 series switch using any appropriate
third-party relay controller. This eliminates the need for you to have access to the supervisor engine
console or CLI to control power cycling. Table A-40 lists the relay controller box relay type, the
corresponding power supply terminal block positions, and a description of the power-cycling operation.
Table A-40 8700 W Power Supply Relay Controller Switch Settings and Operation

External relay controller box relay type: Normally open (NO) relay.
  Power supply relay controller switch setting: NO RELAY (DEFAULT)
  Power supply terminal block positions used: Control wires from the external relay controller box attach to terminal block positions 1 and 2.
  Remote power-cycling operation:
  • Power supply cycled from on to off—The power supply is powered off by energizing the relay (relay contacts go from open to closed) for more than 30 seconds.
  • Power supply cycled from off to on—The power supply is powered on by deenergizing the relay (relay contacts go from closed to open) for more than 10 seconds.

External relay controller box relay type: Normally closed (NC) relay.
  Power supply relay controller switch setting: NC RELAY
  Power supply terminal block positions used: Control wires from the external relay controller box attach to terminal block positions 2 and 3.
  Remote power-cycling operation:
  • Power supply cycles from on to off—The power supply is powered off by energizing the relay (relay contacts go from closed to open) for more than 30 seconds.
  • Power supply cycles from off to on—The power supply is powered on by deenergizing the relay (relay contacts go from open to closed) for more than 10 seconds.

External relay controller box relay type: No relay attached. Remote power-cycling feature not installed.
  Power supply relay controller switch setting: NO RELAY (DEFAULT)
  Power supply terminal block positions used: —
  Remote power-cycling operation: —
8700 W Power Supply AC Power Cords
Table A-41 lists the specifications for the AC power cords that are available for the 8700 W AC-input
power supply. Included in the table are references to illustrations of the power cords.
Table A-41 8700 W Power Supply AC Power Cords

Locale                                                    Power Cord Part Number               AC Source Plug Type             Cordset Rating   Power Cord Reference Illustration
Argentina                                                 CAB-7513ACR= or CAB-IR2073-C19-AR=   IRAM 2073                       16 A, 250 VAC    Figure A-31
Australia, New Zealand                                    CAB-AC-16A-AUS=                      AU20S3                          16 A, 250 VAC    Figure A-46
People’s Republic of China                                CAB-AC16A-CH=                        GB16C                           16 A, 250 VAC    Figure A-37
Continental Europe                                        CAB-AC-2500W-EU=                     CEE 7/7                         16 A, 250 VAC    Figure A-41
International                                             CAB-AC-2500W-INT=                    IEC 309                         16 A, 250 VAC    Figure A-42
Israel                                                    CAB-AC-2500W-ISRL=                   SI16S3                          16 A, 250 VAC    Figure A-34
Italy                                                     CAB-7513ACI=                         CEI 23-16/7                     16 A, 250 VAC    Figure A-35
Japan, North America (nonlocking plug), 200–240 VAC operation   CAB-AC-2500W-US1=              NEMA 6-20                       16 A, 250 VAC    Figure A-43
Japan, North America (locking plug), 200–240 VAC operation      CAB-AC-C6K-TWLK=               NEMA L6-20                      16 A, 250 VAC    Figure A-44
Japan, North America, 100–120 VAC operation               CAB-7513AC= (1)                      NEMA 5-20                       16 A, 125 VAC    Figure A-36
Power Distribution Unit (PDU) (2)                         CAB-C19-CBN=                         IEC 60320 C19 / IEC 60320 C20   16 A, 250 VAC    Figure A-47
Switzerland                                               CAB-ACS-16=                          SEV 5934-2 Type 23              16 A, 250 VAC    Figure A-45

1. When operating with 100–120 VAC, you must use two or three AC power cords and the power supply output is limited to either 2800 W (2 inputs) or 4200 W (3 inputs).
2. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector.
AC Power Cord Illustrations
This section contains the AC power cord illustrations (see Figures A-19 through A-48). An AC power
cord may be used with several power supplies. See the power supply specifications tables for the AC
power cord illustrations that are applicable for your power supply.
Figure A-20 CAB-AC10A-90L-AU= (Australia and New Zealand): Plug SAA AS 3112; Connector IEC 60320 C15; Cordset rating 10 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-21 CAB-AC10A-90L-EU= (Continental Europe): Plug CEE 7/7; Connector IEC 60320 C15; Cordset rating 10 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-22 CAB-AC10A-90L-IT= (Italy): Plug CEI 23-16/7; Connector IEC 60320 C15; Cordset rating 10 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-23 CAB-AC15A-90L-US= (Japan and United States): Plug NEMA 5-15; Connector IEC 60320 C15; Cordset rating 15 A, 125 V; Length 8 ft 2 in. (2.5 m)
Figure A-24 CAB-AC10A-90L-UK= (United Kingdom): Plug BS 1363 with 13 A fuse; Connector IEC 60320 C15; Cordset rating 10 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-25 CAB-7KACR= (Argentina): Plug IRAM 2073; Connector IEC 60320 C15; Cordset rating 10 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-26 CAB-7KACA= (Australia and New Zealand): Plug SAA AS 3112; Connector IEC 60320 C15; Cordset rating 10 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-27 CAB-7KACE= (Continental Europe): Plug CEE 7/7; Connector IEC 60320 C15; Cordset rating 16 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-28 CAB-7KACI= (Italy): Plug CEI 23-16/7; Connector IEC 60320 C15; Cordset rating 10 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-29 CAB-7KAC-15= (Japan and United States): Plug NEMA 5-15; Connector IEC 60320 C15; Cordset rating 15 A, 125 V; Length 8 ft 2 in. (2.5 m)
Figure A-30 CAB-7KACU= (United Kingdom): Plug BS 1363 with 13 A fuse; Connector IEC 60320 C15; Cordset rating 10 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-31 CAB-7513ACR= and CAB-IR2073-C19-AR= (Argentina): Plug IRAM 2073; Connector IEC 60320 C19; Cordset rating 10 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-32 CAB-7513ACA= (Australia and New Zealand): Plug SAA AS 3112; Connector IEC 60320 C19; Cordset rating 15 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-33 CAB-7513ACE= (Continental Europe): Plug CEE 7/7; Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-34 CAB-AC-2500W-ISRL (Israel): Plug SI16S3; Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-35 CAB-7513ACI= (Italy): Plug CEI 23-16/7; Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-36 CAB-7513AC= (Japan and United States): Plug NEMA 5-20; Connector IEC 60320 C19; Cordset rating 20 A, 125 V; Length 14 ft 0 in. (4.26 m)
Figure A-37 CAB-AC16A-CH= (People’s Republic of China): Plug GB16C; Connector IEC 60320-1 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-38 CAB-7513ACSA= (South Africa): Plug IEC 884; Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-39 CAB-ACS-10= (Switzerland): Plug SEV 1011; Connector IEC 60320 C19; Cordset rating 10 A, 250 V; Length 7 ft 0 in. (2.13 m)
Figure A-40 CAB-7513ACU (United Kingdom): Plug BS 1363 with 13 A replaceable fuse; Connector IEC 60320 C19; Cordset rating 13 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-41 CAB-AC-2500W-EU (Continental Europe): Plug CEE 7/7; Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-42 CAB-AC-2500W-INT= (International): Plug IEC 309; Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-43 CAB-AC-2500W-US1= (Japan and United States): Plug as listed in Table A-41 (NEMA 6-20); Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-44 CAB-AC-C6K-TWLK= (Japan and United States): Plug NEMA L6-20 (twist-and-pull locking), with an alternate NEMA L6-20 plug; the form factors of the two plugs differ, but functionally they are the same; Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-45 CAB-ACS-16= (Switzerland): Plug SEV 5934-2 Type 23; Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 8 ft 2 in. (2.5 m)
Figure A-46 CAB-AC-16A-AUS= (Australia and New Zealand): Plug AU20S3; Connector IEC 60320 C19; Cordset rating 16 A, 250 V; Length 14 ft 0 in. (4.26 m)
Figure A-47 CAB-C19-CBN= (PDU): Connectors IEC 60320 C19 (power supply end) and IEC 60320 C20 (PDU end); Cordset rating 16 A, 250 V; Length 9 ft 0 in. (2.7 m)
Figure A-48 WS-CAC-4000W-INT= (International): Plug IEC 60309; hardwired to the power supply; Cordset rating 32 A, 250 V; Length 12 ft 0 in. (3.65 m)
Figure A-49 WS-CAC-4000W-US= (United States): Plug NEMA L6-30; hardwired to the power supply; Cordset rating 30 A, 250 V; Length 12 ft 0 in. (3.65 m)
Power Supply Redundancy
Catalyst 6500 series switching modules have different power requirements. Depending upon the wattage of the power supply, certain switch configurations might require more power than a single power supply can provide. Although the power management feature allows you to supply power to all installed modules with two power supplies, redundancy is not supported in this configuration. Redundant and combined power configurations are summarized in Table A-42. The effects of changing the power supply configurations are summarized in Table A-43.
Note For proper load-sharing operation in a redundant power supply configuration, you must install two modules in the chassis. If you fail to install two modules, you might receive spurious OUTPUT FAIL indications on the power supply.
Note In systems that have two different sized power supplies installed, you may not have true redundancy. If the larger wattage power supply fails, the smaller wattage power supply might not be able to handle the entire load by itself.
Table A-42 Power Supply Redundancy
Two power supplies of equal wattage, redundancy enabled: The total power drawn from both supplies is never greater than the capability of one supply. If one supply malfunctions, the other supply can take over the entire system load. Each power supply provides approximately half of the required power to the system. Load sharing and redundancy are enabled automatically; no software configuration is required.
Two power supplies of unequal wattage, redundancy enabled: Both power supplies initially come online. For the Catalyst operating system, if the difference between the two power supplies’ output wattage is less than 10 percent of the higher output wattage power supply, redundancy is enabled. If the difference is greater than 10 percent, the lesser wattage power supply is disabled. For Cisco IOS, both power supplies come on. The total available wattage is the output wattage of the higher wattage power supply.
Two power supplies of equal or unequal wattage, redundancy disabled: The total power available to the system is approximately 167 percent of the lower-wattage power supply. The system powers up as many modules as the combined capacity allows. If the higher-wattage power supply fails, the lower-wattage supply might also shut down due to overcurrent protection to prevent damage to the lower-wattage power supply.
Table A-43 Effects of Power Supply Configuration Changes
Redundant to combined:
• System log and syslog messages are generated.
• System power is increased to approximately 167 percent of the lower-wattage power supply.
• The modules marked as power-deny in the show module Status field are powered up if there is sufficient power.
Combined to redundant:
• System log and syslog messages are generated.
• System power is the power capability of the higher-wattage supply.
• If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show module Status field.
Equal wattage power supply is inserted with redundancy enabled:
• System log and syslog messages are generated.
• System power equals the power capability of one supply. (Both supplies provide approximately one half of the total current.)
• No change in the module status because the power capability is unchanged.
Equal wattage power supply is inserted with redundancy disabled:
• System log and syslog messages are generated.
• System power is the combined power capability of both supplies.
• The modules marked as power-deny in the show module Status field are brought up if there is sufficient power.
Higher wattage power supply is inserted with redundancy enabled:
• System log and syslog messages are generated.
• The system disables the lower-wattage power supply; the higher-wattage supply powers the system (Catalyst operating system).
• For Cisco IOS, both power supplies come on. The total available wattage is the output wattage of the higher wattage power supply.
Lower wattage power supply is inserted with redundancy enabled:
• System log and syslog messages are generated.
• The system disables the lower-wattage power supply; the higher-wattage supply powers the system (Catalyst operating system).
• For Cisco IOS, both power supplies come on. The total available wattage is the output wattage of the higher wattage power supply.
Higher or lower wattage power supply is inserted with redundancy disabled:
• System log and syslog messages are generated.
• System power is increased to the combined power capability of both supplies.
• The modules marked as power-deny in the show module Status field are brought up if there is sufficient power.
Power supply is removed with redundancy enabled:
• System log and syslog messages are generated.
• If the power supplies are of equal wattage, there is no change in the module status because the power capability is unchanged.
• If the power supplies are of unequal wattage and the lower-wattage supply is removed, there is no change in the module status.
• If the power supplies are of unequal wattage and the higher-wattage supply is removed, the lower-wattage power supply must be turned on manually. (The system had previously turned off the lower-wattage power supply.)
Power supply is removed with redundancy disabled:
• System log and syslog messages are generated.
• System power is decreased to the power capability of one supply.
• If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show module Status field.
System is booted with power supplies of different wattage installed and redundancy enabled:
• System log and syslog messages are generated.
• The lower-wattage supply is disabled (Catalyst operating system).
• For Cisco IOS, both power supplies come on. The total available wattage is the output wattage of the higher wattage power supply.
System is booted with power supplies of equal or different wattage installed and redundancy disabled:
• System log and syslog messages are generated.
• System power equals the combined power capability of both supplies.
• The system powers up as many modules as the combined capacity allows.
When running redundant 4000 W, 6000 W, or 8700 W power supplies in Catalyst 6506 and Catalyst 6509 non-E series systems, if you remove the power supply in bay 1, the total system power will be reduced to 2940 W (70 A at 42 VDC) after 180 seconds (3 minutes). You can avoid this reduction in the total system power by leaving the power supply in bay 1, even in a powered down state.
If the total system power usage is greater than 2940 W, the following scenario will apply if a 4000 W, 6000 W, or an 8700 W power supply is removed from bay 1 (these scenarios are specific to only these three power supplies running in redundant mode in either the Catalyst 6506 or Catalyst 6509 non-E series systems).
• If the power supplies in bay 1 and bay 2 are running in redundant mode, the total system power will be 4000 W.
• If power supply 1 is running and you power off or remove power supply 2, the total system power will be 4000 W. The system will issue a normal power supply 2 down/remove indication warning.
• If you power down power supply 1 while power supply 2 is operating, the system will issue a normal power supply 1 down indication warning with another warning asking the user not to remove power supply 1. If power supply 1 is left in the system, even if it is powered off, the total system power will be 4000 W.
• If you remove power supply 1 from the system, a major alarm will be issued to warn that the total system power will be reduced to 2940 W and that any modules or PoE devices that cause the system to exceed 2940 W will power down in 180 seconds (3 minutes). If you insert a replacement power supply 1 in the 180-second timeframe, no action will be taken.
Note In systems that are equipped with two power supplies, if one power supply fails and the other power
supply cannot fully power all of the installed modules, system power management will shut down
devices in the following order:
• Power over Ethernet (PoE) devices—The system will power down PoE devices in descending order, starting with the highest numbered port on the module in the highest numbered slot.
• Modules—If additional power savings are needed, the system will power down modules in descending order, starting with the highest numbered slot. Slots containing supervisor engines or Switch Fabric Modules are bypassed and are not powered down.
This shut down order is fixed and cannot be changed.
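The redundancy rules of Table A-42 and the fixed shutdown order in the note above, modelled as an added example (constructed here, not Cisco code): it computes the power budget for a pair of supplies and, when one supply fails, sheds PoE devices and then modules in the order the note describes. The chassis inventory, the wattages, and the budget assumed for the near-equal Catalyst OS case are assumptions, not values from the guide.

```python
"""Model of the Catalyst 6500 power-supply rules in Table A-42 and the fixed
shutdown order from the note (constructed example, not Cisco code)."""
import copy
from dataclasses import dataclass, field


@dataclass
class Module:
    slot: int
    watts: float                        # module's own draw when powered
    kind: str = "linecard"              # "supervisor", "fabric" or "linecard"
    poe_ports: dict = field(default_factory=dict)  # port number -> PoE draw (W)
    powered: bool = True


def available_power(ps1, ps2, redundancy_enabled, cisco_ios=True):
    """Return (budget_watts, disabled_supply_watts) per Table A-42.

    disabled_supply_watts is the rating of a supply the system turned off,
    or None when both supplies stay on.
    """
    high, low = max(ps1, ps2), min(ps1, ps2)
    if not redundancy_enabled:
        # Combined mode: approximately 167 percent of the lower-wattage supply.
        return round(1.67 * low, 1), None
    if high == low:
        # Equal wattage, redundant: never more than one supply's capability.
        return high, None
    if cisco_ios:
        # Cisco IOS: both supplies come on; the total is the higher rating.
        return high, None
    # Catalyst operating system: compare the difference with 10% of the higher.
    if (high - low) > 0.10 * high:
        return high, low                # the lesser supply is disabled
    # Within 10 percent: redundancy stays enabled. The guide does not state
    # the resulting budget; this model assumes the lower rating (assumption).
    return low, None


def total_draw(modules):
    """Current draw of everything still powered, PoE devices included."""
    return sum(m.watts + sum(m.poe_ports.values())
               for m in modules if m.powered)


def shed_load(modules, budget):
    """Apply the fixed shutdown order until the draw fits the budget.

    1. PoE devices: highest numbered port on the module in the highest
       numbered slot first.
    2. Modules from the highest numbered slot down, bypassing supervisor
       engines and Switch Fabric Modules.
    Returns (actions, remaining_draw); the caller's list is left untouched.
    """
    modules = copy.deepcopy(modules)
    actions = []
    by_slot_desc = sorted(modules, key=lambda m: m.slot, reverse=True)
    for m in by_slot_desc:
        for port in sorted(m.poe_ports, reverse=True):
            if total_draw(modules) <= budget:
                return actions, total_draw(modules)
            m.poe_ports[port] = 0.0     # PoE device on this port powered down
            actions.append(f"poe slot{m.slot}/port{port}")
    for m in by_slot_desc:
        if total_draw(modules) <= budget:
            break
        if m.kind in ("supervisor", "fabric"):
            continue                    # never powered down by this logic
        m.powered = False
        actions.append(f"module slot{m.slot}")
    return actions, total_draw(modules)


def simulate_supply_failure(ps1, ps2, redundancy_enabled, modules, failed):
    """Budget after supply `failed` (1 or 2) dies, and the resulting shedding.

    In combined mode the guide warns that losing the higher-wattage supply may
    trip the lower one's overcurrent protection; that is reported as a flag.
    """
    surviving = ps2 if failed == 1 else ps1
    lost = ps1 if failed == 1 else ps2
    outage_risk = (not redundancy_enabled) and lost > surviving
    actions, remaining = shed_load(modules, surviving)
    return {"budget": surviving, "actions": actions,
            "remaining_draw": remaining, "outage_risk": outage_risk}


# Constructed chassis inventory (assumption, not taken from the guide).
CHASSIS = [
    Module(slot=1, watts=300, kind="supervisor"),
    Module(slot=3, watts=250, poe_ports={1: 30}),
    Module(slot=9, watts=400, poe_ports={1: 30, 2: 30}),
]

if __name__ == "__main__":
    print(available_power(3000, 2500, redundancy_enabled=True, cisco_ios=False))
    print(simulate_supply_failure(1000, 1000, True, CHASSIS, failed=2))
```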
You can change the configuration of the power supplies to redundant or combined at any time. If you
switch from a redundant to a combined configuration, both power supplies are enabled (even a power
supply that was disabled because it was of a lower wattage than the other power supply). If you change
from a combined to a redundant configuration, both power supplies are initially enabled, and if they are
of the same wattage, they remain enabled. If they are of different wattage, a syslog message displays and
the lower wattage supply is disabled.
For additional information about the power management feature and individual module power
consumption, refer to your software configuration guide.
CHAPTER 4
Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide
78-16262-04
Contents
• Cisco One-Year Limited Hardware Warranty, page 4-2
• Locating the Product Serial Number, page 4-4
• Verifying the Items Shipped with the Router, page 4-5
• Wired Routers, page 4-7
• Reading the Safety Warnings and Recommendations, page 4-7
• Connecting the Antenna to the Wireless Router (Optional), page 4-8
• Connecting the Power over Ethernet (PoE) Module to the Router (Optional), page 4-10
• Typical Installations for the Cisco 850 and Cisco 870 Series Routers, page 4-12
• Connecting the Router, page 4-17
• Installing SDM Software and Configuring the Router, page 4-19
• Related Documentation, page 4-20
• Obtaining Documentation, page 4-21
• Documentation Feedback, page 4-22
• Technical Assistance, page 4-22
• Obtaining Additional Publications and Information, page 4-25
Cisco One-Year Limited Hardware Warranty
Specific terms apply to your hardware warranty and to the services you can use during the warranty period. Your formal warranty statement, including the warranty and license agreements that apply to Cisco software, is available on Cisco.com. To access and download the Cisco Information Packet, the warranty, and the license agreements from Cisco.com, follow these steps:
1. Launch your browser and go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/cetrans.htm
The Warranties and License Agreements page appears.
2. To read the Cisco Information Packet, follow these steps:
a. In the Information Packet Number field, select part number 78-5235-03A0.
b. Select the language in which you want the document.
c. Click Go.
The Cisco Limited Warranty and Software License page for the selected part number appears.
d. You can then read the document online, or click the PDF icon to download and print the document in Adobe Portable Document Format (PDF).
Note You must have Adobe Acrobat Reader to view and print PDF files. You can download the reader from Adobe's website at:
http://www.adobe.com
3. To obtain a translation of the warranty information that applies to your product, follow these steps:
a. In the Warranty Document Number field, enter the following part number:
78-10747-01C0
b. Select the language in which you want the document.
c. Click Go.
The Cisco Warranty page appears.
d. You can then read the document online, or click the PDF icon to download and print the document in Adobe Portable Document Format (PDF).
You can also go to the Cisco Technical Support and Services website for assistance:
http://www.cisco.com/public/Support_root.shtml.
Hardware Warranty Duration
One (1) year
Hardware Replacement, Repair, or Refund Procedure
Cisco or its service center will be able to ship a replacement part within ten (10) days after receiving the Return Materials Authorization (RMA) request. Actual delivery times may vary depending on the destination.
Cisco reserves the right to refund the purchase price as its sole warranty remedy.
To Receive a Return Materials Authorization (RMA) Number
Contact the company from which you purchased the product. If you purchased the product directly from Cisco, contact your Cisco sales representative.
Locating the Product Serial Number
The label with the router serial number is on the back of the chassis, above the Ethernet network ports. (See Figure 4-1.)
Figure 4-1 Product Serial Number Location (rear-panel illustration of a Cisco 878 showing the SN: AAANNNNXXXX label; not reproduced here)
Fill in the information below and keep it for reference.
Product vendor:
Vendor telephone number:
Product model:
Product serial number:
Maintenance contract number:
Verifying the Items Shipped with the Router
Table 4-1 lists the number of items shipped with each model of the Cisco 850 and Cisco 870 series routers. Figure 4-2 shows the items.
Make sure that the items listed in Table 4-1 were shipped with the router. If any item is missing or damaged, contact your customer service representative.
Table 4-1 Items Shipped with the Cisco 850 and Cisco 870 Series Routers
Item | Cisco 851 and Cisco 871 | Cisco 857 and Cisco 877 | Cisco 876 | Cisco 878
Ethernet cable (straight-through) | 1 | 1 | 1 | 1
DSL cable (1) (for ADSL and G.SHDSL) | Not applicable | Optional | Optional | Optional
Console cable | 1 | 1 | 1 | 1
Power adapter | 1 | 1 | 1 | 1
Power cord (2) | 1 | 1 | 1 | 1
Cisco documentation (3) | 1 | 1 | 1 | 1
Cisco Router and Security Device Manager (SDM) CD | 1 | 1 | 1 | 1
Swivel dipole antenna (wireless routers only) | Cisco 851: 1 antenna; Cisco 871: 2 antennas | Cisco 857: 1 antenna; Cisco 877: 2 antennas | 2 | 2
1. DSL = digital subscriber line. Used for an asymmetric digital subscriber line (ADSL) or a symmetric high-bit-rate digital subscriber line (G.SHDSL). An RJ-11-to-RJ-11 cable is supplied unless the RJ-11-to-RJ-45 cable is specified.
2. Power cords are ordered according to the country or region.
3. Includes the Regulatory Compliance and Safety Information for Cisco 800 Series Routers document and this Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide.
Figure 4-2 Items Shipped with the Cisco 850 and Cisco 870 Series Routers
1 Yellow Ethernet cable | 5 Black power cord for the power adapter
2 Lavender-blue DSL cable (optional) | 6 Product documentation
3 Light-blue console cable | 7 Cisco SDM CD
4 Router power adapter | 8 Swivel dipole antenna (wireless routers only)
The following cables are not shipped with the router. You must order them separately.
• Modem cable: connects the router console port to an asynchronous modem to provide backup and remote management capabilities for the router.
• Orange ISDN S/T cable: connects devices to the ISDN S/T port.
Wired Routers
This document contains sections that do not apply to the wired models of the Cisco 850 and Cisco 870 series routers. Some illustrations show the router with antennas, whereas wired routers have neither antennas nor antenna connectors on the rear panel. However, except for the section "Connecting the Antenna to the Wireless Router (Optional)", the connection procedure for wireless routers is the same as for wired routers.
Reading the Safety Warnings and Recommendations
Before you begin connecting your router, read the Regulatory Compliance and Safety Information for Cisco 800 Series Routers document that was shipped with the router. It contains important safety warnings and recommendations.
Connecting the Antenna to the Wireless Router (Optional)
Cisco 850 series wireless routers must be used with a single 2.4 GHz antenna. (See Figure 4-3.) Cisco 870 series wireless routers can be used with two 2.4 GHz antennas. (See Figure 4-4.)
Figure 4-3 Cisco 857 Wireless Router with a Single Antenna (rear-panel illustration of a Cisco 857W; not reproduced here)
Figure 4-4 Cisco 871 Wireless Router with Two Antennas (rear-panel illustration of a Cisco 871W with LEFT and RIGHT/PRIMARY antenna connectors; not reproduced here)
To connect one or more antennas to a wireless router, follow these steps:
Step 1 Attach each antenna to a reverse-polarity threaded Neill-Concelman (RP-TNC) connector on the back of the router, and hand-tighten the connector.
Step 2 After attaching the antenna to the back of the router, orient it vertically.
Connecting the Power over Ethernet (PoE) Module to the Router (Optional)
If you purchased a Power over Ethernet (PoE) module, connect the four yellow Ethernet cables of the module to the four LAN Ethernet ports of the router. (See Figure 4-5.) Be sure to connect all four Ethernet cables.
If the cables are too close together to do this, slide the plastic cable guard away from the connector end of the cables.
Caution To ensure proper operation of the Power over Ethernet (PoE) module, do not connect it to the power adapter before connecting it to the router.
Figure 4-5 shows a Cisco 871 router connected to a PoE module. Note, however, that this connection works for all Cisco 870 series router models.
Note When you connect a device (such as a PC or an IP phone) to the Power over Ethernet (PoE) module, you may have to wait one to two seconds before the LED indicates that the port is active.
Figure 4-5 Connecting the PoE Module to the Router (illustration of a Cisco 871W and the PoE module; not reproduced here)
1 Cisco 870 series router | 5 Router power adapter
2 PoE module Ethernet cables | 6 PoE power plug
3 PoE module | 7 Router power plug
4 PoE power adapter
Typical Installations for the Cisco 850 and Cisco 870 Series Routers
Typical installations of the Cisco 850 and Cisco 870 series routers are shown in Figure 4-6 through Figure 4-9, in the following order:
• Cisco 851 and Cisco 871 routers: see Figure 4-6
• Cisco 857 and Cisco 877 routers: see Figure 4-7
• Cisco 876 router: see Figure 4-8
• Cisco 878 router: see Figure 4-9
Figure 4-6 shows a typical installation of a Cisco 851 or Cisco 871 router. The figure shows the rear panel of a Cisco 871 router, which has two Universal Serial Bus (USB) ports. The Cisco 851 router has no USB ports; otherwise, the connections to the other ports of the Cisco 851 router are the same as those of the Cisco 871 router.
Figure 4-6 Typical Installation of a Cisco 851 or Cisco 871 Router (illustration of a Cisco 871W rear panel and its connections; not reproduced here)
1 Ethernet connection to an external switch | 4 Console port
2 Ethernet connection to a PC | 5 Power adapter
3 WAN connection to the Internet through a broadband modem
Figure 4-7 shows a typical installation of a Cisco 857 or Cisco 877 router.
Figure 4-7 Typical Installation of a Cisco 857 or Cisco 877 Router (illustration of a Cisco 877W rear panel and its connections; not reproduced here)
1 Ethernet connection to an external switch | 4 Console port
2 Ethernet connection to a PC | 5 Power adapter
3 ADSL over POTS (plain old telephone service) connection
Figure 4-8 shows a typical installation of a Cisco 876 router.

Figure 4-8 Typical Installation of a Cisco 876 Router

1 Ethernet connection to an external switch
2 Ethernet connection to a PC
3 ISDN S/T connection
4 ADSL over ISDN connection
5 Console port
6 Power adapter

[Figure: rear panel of a Cisco 876W showing the LAN ports (FE0 to FE3), the
ISDN S/T port, the ADSL over ISDN port, the CONSOLE and AUX ports, the RESET
button, and the +5, +12 VDC power input.]
Figure 4-9 shows a typical installation of a Cisco 878 router.

Figure 4-9 Typical Installation of a Cisco 878 Router

1 Ethernet connection to an external switch
2 Ethernet connection to a PC
3 ISDN S/T connection
4 G.SHDSL connection
5 Console port
6 Power adapter

[Figure: rear panel of a Cisco 878W showing the LAN ports (FE0 to FE3), the
ISDN S/T port, the G.SHDSL port, the CONSOLE and AUX ports, the RESET button,
and the +5, +12 VDC power input.]
Connecting the Router

Connect the router according to the typical installation for your router
model shown in the section "Typical Installations of the Cisco 850 Series and
Cisco 870 Series Routers" on page 4-12.

Follow these steps to connect the router to the power adapter, to your local
network, and to your service provider's network:

Step 1 Wireless models only: Verify that the antennas have been attached to
the router as described in the section "Connecting the Antenna to the
Wireless Router (Optional)" on page 4-8.

Step 2 If you are using a PoE module, make sure that it is connected to the
router (see the section "Connecting the Power-over-Ethernet (PoE) Module to
the Router (Optional)" on page 4-10). Connect the Ethernet devices to the PoE
module, not to the router.

Step 3 If you are connecting more than four PCs to the router, connect the
router to a switch or hub with the yellow Ethernet cable, as shown in
Figure 4-6 through Figure 4-9.

Step 4 Connect a PC directly to the router, as shown in Figure 4-6 through
Figure 4-9. Power off the PC so that it obtains an IP address from the router
when it is powered back on. You can connect additional PCs to the remaining
numbered Ethernet ports.

Step 5 The console port is a service port to which you can connect a terminal
or a PC in order to configure the software through the CLI (command-line
interface) or to troubleshoot the router. If you need access to the router
console, connect a PC or terminal to the console port.

Note By connecting the console port to an asynchronous modem with the
optional router modem cable, you can give the router backup and remote
management capabilities. A dial-in modem on the console is an out-of-band
path into the router CLI that bypasses the network-facing access controls, so
secure the console line (password or AAA authentication) before enabling it.

Step 6 Cisco 851 and Cisco 871 routers only: Connect the second yellow
Ethernet cable between the router's Ethernet WAN port and an available port
on an installed DSL, cable, or long-reach Ethernet (LRE) modem, as shown in
Figure 4-6.
To choose the port on the modem, follow the instructions that came with your
broadband modem. If the modem is powered off, turn it on.
Step 7 Cisco 871 router only: Connect supported USB devices, such as flash
memory modules or eTokens, to the two USB ports. For more information, see
the Cisco Access Router USB Flash Module and USB eToken Hardware Installation
Guide, then proceed to Step 12.

Step 8 Cisco 857 and Cisco 877 routers only: Connect the router's ADSLoPOTS
port to the telephone wall jack with the lavender DSL cable. If the ADSL line
is also used for voice, you can prevent interruptions of data transmission by
connecting the router through an ADSL splitter or by installing microfilters
between the telephones or fax machines and the wall jack. Proceed to Step 12.

Step 9 Cisco 876 and Cisco 878 routers only: For backup and remote
management, you can connect the ISDN S/T port to a network termination (NT1)
or to an ADSL splitter with the orange ISDN S/T cable (optional). Proceed to
Step 10 or Step 11, depending on your router model.

Step 10 Cisco 876 routers only: Connect the DSL cable to the router's
ADSLoISDN port and to the ADSL splitter or the wall jack. If you use an ADSL
splitter, connect it to the wall jack with a Category 5 unshielded
twisted-pair cable. Proceed to Step 12.

Step 11 Cisco 878 routers only: Connect the DSL cable to the router's G.SHDSL
port and to the wall jack.

Step 12 All router models: Connect the power cord to the router and power the
router on. Be sure to use the power adapter shipped with the router; the
router does not accept other power adapters.
When you connect the router to a power source, the green OK LED on the front
panel of the router should light. The router is then ready for use. If the
green OK LED does not light, see the "Troubleshooting" chapter of the
Cisco 850 Series and Cisco 870 Series Routers Hardware Installation Guide.
Note For the Cisco 857, Cisco 876, Cisco 877, and Cisco 878 routers, the DSL
line must have been provisioned by your service provider and correctly
configured. Check the carrier detect (CD) status indicated by the router's
ADSL CD or G.SHDSL CD LED. If the ADSL CD or G.SHDSL CD LED does not light,
contact your service provider.

Step 13 If you connected a PoE module to the router, plug the PoE module's
power adapter into the input jack on the rear panel of the module. The green
LED on the front panel of the PoE module lights, and the devices connected to
the module are powered.

For detailed connection instructions, see the Cisco 850 Series and Cisco 870
Series Routers Hardware Installation Guide.

Installing the SDM Software and Configuring the Router

To install the Cisco SDM software used to configure the router, follow these
steps:

Step 1 Connect a PC to any LAN port on the router, as shown in Figure 4-6
through Figure 4-9.

Step 2 Insert the Cisco SDM software CD into the PC's CD drive. An
installation wizard runs from the CD. Install the Cisco SDM software by
following the instructions in the installation wizard's user interface.

Step 3 Use the Cisco SDM software to configure the router, following the
instructions in the Cisco Router and Security Device Manager (SDM) Quick Start
Guide.
Related Documentation

This document describes the basic cabling and setup procedures for the
Cisco 850 Series and Cisco 870 Series routers. For more information, see the
following documents:

• Cisco 850 Series and Cisco 870 Series Access Routers Hardware Installation
Guide: provides detailed cabling and hardware information for the Cisco 850
Series and Cisco 870 Series routers.
• Cisco Router and Security Device Manager (SDM) Quick Start Guide: provides
detailed instructions for configuring the router and its wireless features
with the Cisco SDM graphical user interface.
• Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration
Guide: provides software configuration information and examples for the
Cisco 850 Series and Cisco 870 Series routers.
• Cisco Access Router Wireless Configuration Guide: provides information on
configuring the wireless software of Cisco access routers, including the
Cisco 850 Series and Cisco 870 Series.
• Upgrading Memory in Cisco 800 Series Routers: provides information on
upgrading memory in Cisco 800 Series routers.
• Regulatory Compliance and Safety Information for Cisco 800 Series and SOHO
Series Routers: provides information on international regulatory and safety
standards for Cisco 800 Series and SOHO Series routers.
• Cisco Access Router USB Flash Module and USB eToken Hardware Installation
Guide: provides information on installing USB flash memory modules and USB
eTokens.
All of these documents are available on the Internet. The most recent Cisco
documentation is available from the following sites:
• http://www.cisco.com
• http://www-china.cisco.com
• http://www-europe.cisco.com

Obtaining Documentation

Cisco documentation is available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. The
following sections explain how to obtain technical information from Cisco
Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:
http://www.cisco.com/cisco/web/psa/default.html?mode=prod
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order documentation
at this URL:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.com users can order documentation through a local
account representative by calling Cisco Systems Corporate Headquarters
(California, USA) at 408 526-7208 or, elsewhere in North America, by calling
1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover
of your document or write to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco
service contracts, the Cisco Technical Assistance Center (TAC) provides
outstanding assistance 24 hours a day. The Cisco Technical Support website on
Cisco.com features extensive online support resources. In addition, the Cisco
TAC provides telephone support. If you do not hold a valid Cisco service
contract, contact your reseller.
Cisco Technical Support Website

The site provides online documents and tools for troubleshooting and
resolving technical issues with Cisco products and technologies. It is
available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to the tools on the site requires a Cisco.com user ID and password. If
you have a valid service contract but do not have a user ID or password,
register at this URL:
http://tools.cisco.com/RPF/register/register.do

Note Before submitting a request for assistance via the web or telephone, use
the Cisco Product Identification (CPI) tool to determine your product serial
number. To access the CPI tool from the Cisco Technical Support website, click
the Tools & Resources link under Documentation & Tools. Choose Cisco Product
Identification Tool from the Alphabetical Index drop-down list, or click the
Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool
offers three search options: by product ID or model name, by tree view, or,
for certain products, by copying and pasting show command output. Search
results show your product with the serial number label highlighted. Locate
the label on your product and record the information before placing a
service call.
Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and
S4 service requests. (S3 and S4 service requests are those in which your
network is minimally impaired or for which you require product information.)
After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended
resources, your service request is assigned to a Cisco TAC engineer. The TAC
Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact
the Cisco TAC by telephone. (S1 or S2 service requests are those in which your
production network is down or severely degraded.) These requests are assigned
immediately to Cisco TAC engineers to help keep your business operations
running smoothly.

To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

Cisco has established severity definitions so that all service requests are
reported in a standard format.

Severity 1 (S1): Your network is "down" or there is a critical impact to your
business operations. You and Cisco will commit all necessary resources around
the clock to resolve the situation.
Severity 2 (S2): Operation of an existing network is severely degraded, or
significant aspects of your business operations are negatively affected by
inadequate performance of Cisco products. You and Cisco will commit full-time
resources during normal business hours to resolve the situation.

Severity 3 (S3): Operational performance of your network is impaired, but
most business operations remain functional. You and Cisco will commit
resources during normal business hours to restore service to satisfactory
levels.

Severity 4 (S4): You require information or assistance with Cisco product
capabilities, installation, or configuration. There is little or no effect on
your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is
available from various online and printed sources.

• Cisco Marketplace provides a variety of Cisco books, reference guides, and
products. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• The Cisco Product Catalog describes the networking products offered by
Cisco Systems, as well as ordering and customer support services. Access the
Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
• Cisco Press publishes a wide range of general networking, training, and
certification titles. Both new and experienced users will benefit from these
publications. For current Cisco Press titles and other information, go to
Cisco Press at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing
Internet and networking investments. Each quarter, Packet delivers coverage
of the latest industry trends, technology breakthroughs, and Cisco products
and solutions, as well as network deployment and troubleshooting tips,
configuration examples, customer case studies, certification and training
information, and links to in-depth online resources. You can access Packet
magazine at this URL:
http://www.cisco.com/packet
• Internet Protocol Journal is a quarterly journal published by Cisco Systems
for engineering professionals involved in designing, developing, and
operating public and private internets and intranets. You can access the
Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• World-class networking training is available from Cisco. You can view
current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html